September 22, 2020

Leaks From CERT's "Good Guys" List

Brian McWilliams at Wired News reports on the leakage of unreleased security alerts from the government-funded CERT coordination center. Three secret alerts sent to members of CERT’s “good guys” club (known as the Information Security Alliance, or ISA) were reposted onto the open “Full Disclosure” mailing list.

The person who did this may have violated a contractual agreement to keep the information secret. If so, the release can be condemned on that basis.

In any case, this incident teaches us some valuable lessons. First, the idea of releasing vulnerability information only to a large set of “good guys” doesn’t work in practice. What’s to stop a malicious person from joining the club? And remember, a serious bad guy wouldn’t release the information to the public but would exploit it himself, or release it only to his malicious friends.

Ironically, one of the secret alerts that was leaked was little more than an abstract of a paper published recently by Stanford University researchers. Given CERT’s non-profit, public-good mission, it’s hard to see why CERT did not release this report to the public, given that the information on which it was based had already been released (and even discussed on Slashdot).

It’s worth noting that, having set up a system where it is paid to deliver security secrets to the ISA membership, CERT has an economic incentive to manufacture secrets or to increase their perceived value to ISA members by withholding the secrets from the public for longer than necessary. I have no reason to accuse CERT of doing this systematically, but its handling of the Stanford paper does raise questions.