Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacker Leaks Unreleased CERT Reports

Posted by chrisd on from the certain-errors-remain-tolerable dept.

Call Me Black Cloud writes "A hacker calling himself "Hack4Life" swiped 3 unpublished vulnerability reports from a company working with CERT and posted them to the Full Disclosure mailing list. A couple of days later, he did it again (while promising weekly leaks). Wired also has a story, including a link to one of the postings."

3 of 336 comments (clear)

  1. FD and Bugtraq by jmays · · Score: 5, Informative

    If you enjoy Bugtraq and can put up with the occasional flame war ... FD is an awesome list. FD Charter

    --
    KARMA TAG! You're it.
  2. Re:Maybe it's an inside job. by indiigo · · Score: 2, Informative

    Perhaps the DoD is on a different list, but the lists I was on I would get updates at least a day or two after known exploit, or nothing at all. I don't care about priorities, I need to know if a system I run is vulnerable, and It wasn't cutting it.

    --
    fslg503-985-8686503-985-8686503-985-8686503-985-86 8650 3-985-fdsg8686503-985-8686503-985-8686503-9
  3. Re:Well.... by Florian+Weimer · · Score: 4, Informative
    Unfortuneately, the reason the information was leaked is because CERT charges people to get early access to security problems like this...

    Note that isn't one of Slashdot's conspiracy theories. If you report something to CERT/CC for free, they sell it to their subscribers.

    Unfortunately, this process is not defined in a way that is transparent for those who contact CERT/CC. I've seen conflicting reports regarding the question whether this sharing is mandatory or optional, implicit or explicit. Not surprisingly, the CERT/CC website is not very helpful:

    We also send vulnerability information to others who can contribute to the solution and with whom we have a trusted relationship. In addition to vendors, this may include experts in the community, CERT/CC sponsors, and members of the Internet Security Alliance (including private sector organizations). We also send vulnerability information to sites that are part of critical infrastructures that we believe are at risk.
    (From the CERT/CC FAQ.)