In an e-mail released to a public security mailing list this week, David Litchfield took to task the nonprofit Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University. Litchfield, managing director of UK-based computer security company NGS Software, is now best known as the discoverer of the Microsoft SQL flaw used by the Slammer worm to ravage corporate networks last weekend.
In the e-mail, Litchfield wrote that his company would no longer submit information on security flaws to the CERT center. Such a submission, he wrote, is "an act of good faith" intended to give information technology administrators the information they need to patch their systems. But Litchfield said he felt "a betrayal of trust" because CERT had "leaked (the information) to certain organisations and government departments" before passing it on to IT workers.
"In submitting vulnerabilities to (CERT)...I do not expect the issue to be disclosed to any (but the usual) parties," he wrote in the e-mail message posted Monday to the Bugtraq mailing list. "I believe that choice remains with the discoverer (of the vulnerability) and the vendor of the software."
Vulnerability disclosure has been a heated issue for several years, and the CERT Coordination Center, an organisation created after the Morris Worm struck the Internet in 1988, has been a focus of some criticism for its policy of giving early warning to paid sponsors. Litchfield's criticism, however, is by far the most vocal to date.
"We have told them that we will provide them with the information as long as they don't tell others," Litchfield said in a Wednesday interview. "They have refused." Most security researchers feel that responsible disclosure policy includes working with the affected software's creator to fix the vulnerability and then release the flaw information at the same time that the company releases a patch.
Jeffrey Carpenter, manager of the CERT Coordination Center, said that the group was surprised by Litchfield's e-mail. Carpenter stressed that since the center founded the Internet Security Alliance for paying members more than two years ago, it has never hidden the fact that it informs ISA members of security issues.
"We have tried to take a reasoned, middle-of-the-road approach to vulnerability information," Carpenter said. "We do want critical-infrastructure and system operators to have a chance to take critical steps to defend their systems prior to a general release of information."
Carpenter also dismissed the security researcher's main concern: That companies who receive early information may leak details and place the security of the Internet in jeopardy.
"Members must sign a strong nondisclosure form," Carpenter said. "We specifically designed the agreement so that the only thing people are using the info for is protecting their own infrastructure."
But many other security firms have already started notifying the CERT center only when they are ready to release details of a flaw publicly.
Chris Rouland, director of vulnerability research for software company Internet Security Systems, said the company will release details to CERT only two days before they go public. To reach IT professionals about patching problems, the company now relies on the FBI's National Infrastructure Protection Center (NIPC) cybercrime warning capability.
"We deal with the NIPC because we have no concerns that they will predisclose," Rouland said. The NIPC's role in advanced warning will become part of the new Department of Homeland Security in March.
Internet Security Systems found itself on the other side of the equation last year when it failed to give an open-source group more than few hours of advanced notice of a flaw.
The care with which security researchers release information to the CERT Coordination Center has threatened the group's role as a central clearinghouse for security information, said Chris Wysopal, director of research and development for digital-security company @Stake.
"It is only when massive coordination needs to happen that people use CERT," Wysopal said. "If you look at the CERT advisories compared to two years ago, there are less with new information and more reports of (already) publicly disclosed vulnerabilities."
A dire pronouncement of CERT's failing relevance to a digital world that's suffering more and more attacks? Perhaps not. Even NGS Software's Litchfield said that despite his strongly worded e-mail, in the long run he hopes the situation can be remedied.
"Perhaps we have overreacted in anger," Litchfield said. "Perhaps it is short-term thinking to close that relationship, so we will have to see what can be done."
In your recent article regarding the UK analyst Mr. Litchfield complaining about Carnegie Mellon's bug clearing house organisation pre release of information regarding "Slammer" shows tremendous naiivete!
To quote the immortal bard "methinks he doth protest too much".
It is not that CM is selling the information, merely trying to forewarn major organisations like US Federal Government agencies, as an example, of great danger. This is their job! I would certainly be upset if they sat on critical information just to be "proper".
The recently emerged fact that the software vendor involved (Microsoft) was also struck by the worm makes one wonder why anyone would be so concerned about procedure in a situation like this.
Why doesn't Mr. Litchfield just grow up, and get his ego out of the way?