Carl Malamud: Internet Talk Radio, flame of the Internet. This is Geek of the Week and we’re talk­ing to Barbara Fraser, who is a man­ag­er at the Computer Emergency Response Team, the CERT. Welcome to Geek of the Week, Barbara.

Barbara Fraser: Oh, thanks. It’s my plea­sure to be here. 

Malamud: Why don’t we start with what a CERT is.

Fraser: CERT is the Computer Emergency Response Team Coordination Center. We’re locat­ed at the Software Engineering Institute at Carnegie Mellon University. And that’s in Pittsburgh, Pennsylvania.

Malamud: And what do you do?

Fraser: We were formed by DARPA in 1988 in response to the Morris Worm inci­dent. There was a post-mortem meet­ing after that, and a lot of rec­om­men­da­tions came out of that meet­ing, one of which was to form a coor­di­na­tion cen­ter that could assist sites when secu­ri­ty inci­dents occurred. So ini­tial­ly, most of our activ­i­ty did involve respond­ing to secu­ri­ty inci­dents. A site that was expe­ri­enc­ing a secu­ri­ty prob­lem could call us as a resource as far as how to han­dle it, how to fig­ure out what hap­pened, and how to fix it.

Malamud: So you have a bunch of very expert sys­tems man­agers sit­ting there and just wait­ing for phone calls? And do they— What do these peo­ple do? Do they put up net­work secu­ri­ty plans for peo­ple? Do they go to the IETF and come up with new protocols?

Fraser: Oh gee. Let’s see, we do a lot of that. All of those things. But right now our organization has both that reactive aspect to it. So we have an incident response group who does that day-to-day answering of the hotline, and answering email, and interacting with sites when security problems occur. Some portion of that effort also involves letting sites know that they probably have a security incident. So sometimes in the process of investigating a security problem we’ll discover sites that don’t know that they too are involved. That’s our reactive work.

There are oth­er aspects to secu­ri­ty that we’re also involved with in a more proactive fash­ion. So, we’re inter­est­ed in the train­ing and edu­ca­tion par­tic­u­lar­ly of sys­tem admin­is­tra­tors, and also their man­agers. So in order for sys­tem admin­is­tra­tors to be able to get the resources they need to address secu­ri­ty prob­lems, you have to get buy-in at the man­age­ment lev­el. So right now we focus a lot of our atten­tion on both of those audiences. 

Malamud: So what’s an exam­ple of a reac­tive sit­u­a­tion? When might you get a phone call? 

Fraser: Oh, we might get a call phone call, somebody notices maybe there’s an entry in a log file that says that they had a telnet connection from a site that they don’t expect to have a connection from. And they’ll take a look at it and it looked like there was a logon, and if they go check with the person whose user ID was used, they, “Well no I wasn’t in Timbuktu at that point time. No it wasn’t me that made that connection.” So they’ll have some indication that there was a security breach at their site.

Malamud: And what do you do then?

Fraser: We will work with the site, with a system or network administrator at the technical level in which they need assistance. Now, it’s interesting, we see everything. Sometimes people will just let us know about a security incident because they want us to have the larger picture. They’ll say, “Well, we had this break-in. It came from such and such a place. We’ve taken care of everything but we wanted you to know about it and oh by the way, would you go check with that site from which it came and let them know that they may have a security problem and work with them?”

Or, it could be the case that the indi­vid­ual has nev­er man­aged a Unix sys­tem before. And they don’t even know what log files to look at. They don’t have any notion of sys­tem con­fig­u­ra­tion of what it should be. Perhaps they’re export­ing all their file sys­tems to the world. Perhaps they’re export­ing write­able root par­ti­tions. They could have a host.equiv file that has a plus in it, indi­cat­ing that they would­n’t trust any host by that name. 

There’s any num­ber of things that hap­pen. It’s real­ly inter­est­ing, some­times we…I can tell you a lit­tle anec­do­tal sto­ry. We had a call one time from a site that was being hit from anoth­er site, and they asked us if we would please go inter­face with that oth­er site. We did. And we had nev­er dealt with the site before so we con­tact­ed the NIC to find out who the net­work con­tact was for that site. Gave him call on the tele­phone. And said we have rea­son to believe that you may have prob­lems with three of your com­put­ers there. 

“Oh I’m sorry, we don’t have any computers.”

Kinda hit yourself upside the head and say hmm, this is the network administrator contact?

“Yes yes, I’m the network administrator.”

“And you have no computers.”

“No, we don’t have any computers.”

Well we stepped back, and took a look at the hostnames and said, “Well, what about these hostnames?”

“Oh! Well, that first one you mentioned is our Sun over there in the corner.”

So, in this case it was a ter­mi­nol­o­gy prob­lem, you know—

Malamud: A very…basic ter­mi­nol­o­gy problem.

Fraser: A very basic terminology problem. But the story gets worse, because they said, “Well we only have one of ’em.” Well we had three hostnames. We indicated how to send a bell signal to the keyboard to some of the other systems, and they were able to locate the second one. They never did find the third one in their system setup.

Further that night, after discussing the problems with them they said, “Well, we’ll take ourselves off the net.” Because it was the weekend, they didn’t have time to clean up the system then, and they wanted to stop the use of their host as a launching pad for these downstream sites.

Well in the middle of the night we get a call from the downstream site again saying, “Hey, I thought you said they took themselves off the network. We’re being hammered.”

Well we get back on the phone with the site in question. And they said, “Oh yes, we definitely took ourselves off the network. We turned off all the modems, and we turned off our monitors.”

Course the attacks were com­ing in over their Ethernet cables, and they did­n’t even think about dis­con­nect­ing them. So, that’s prob­a­bly an extreme case of whom we’re deal­ing with with a site that real­ly is very novice at sys­tem and net­work admin­is­tra­tion. And we just try to sit back and help them at the lev­el that they need.

Malamud: Do you then try to track where those attacks are com­ing from. Are you guys detec­tives as well?

Fraser: It’s impor­tant to know we are not the Internet police. I can’t empha­size that enough. As far as track­ing them, what we will do is if we were work­ing with a site, when you look in their logs hope­ful­ly there will be logs and they haven’t been wiped away by the intrud­er because that also hap­pens. You can get some indi­ca­tion of where the con­nec­tions came in from, and where they were going to. That’s if they’re com­ing in via the Internet. 

It’s a lit­tle more dif­fi­cult if they came in through a dial-in modem. There’s a lot of red tape you have to go through in order to trace tele­phone num­bers and things like that. We don’t actu­al­ly do those traces. We dis­cuss things with the sites. They indi­cate to us whether or not they’re try­ing to trace the intrud­er. And we can give them point­ers of peo­ple to call, the appro­pri­ate agen­cies to call that might be involved. We don’t get into the mid­dle of it. We just help facil­i­tate putting the right peo­ple in con­tact with each other.

Malamud: If you’ve identified an intruder do you let the rest of the Internet know about it? Do you publish a ten most-wanted list or do you put out advisories that say “Watch out for those guys in the Netherlands?”

Fraser: Oh, I like that ten most-wanted list. No, we don’t— We would nev­er give away con­fi­den­tial infor­ma­tion. We basi­cal­ly don’t divulge site infor­ma­tion, people-type infor­ma­tion. And that’s one of our strengths, because peo­ple know that they can trust us, that we won’t divulge that type of sen­si­tive information. 

However, if we see a par­tic­u­lar MO being used wide­ly, then we would issue a CERT advi­so­ry describ­ing that MO, hope­ful­ly to assist sites and look­ing for signs of that type of intru­sion or intru­sive activ­i­ty at their site.

Malamud: You were formed in response to the Morris Worm. Let’s say anoth­er Morris Worm were to hap­pen. What would you do?

Fraser: I think that the com­mu­ni­ca­tion chan­nels are bet­ter now than they were then. One of the prob­lems dur­ing the Morris Worm was you had pock­ets of exper­tise, and it was a good old boys net­work. So that unless you knew one of the peo­ple in the know, then you did­n’t know any­one to call to get help. Right now, we are estab­lished and there are a num­ber of oth­er response teams that are estab­lished, and the infor­ma­tion on how to con­tact our groups is much more wide­ly known. So I believe that com­mu­ni­ca­tion would be much bet­ter now. 

Malamud: So you would prob­a­bly issue some form of an advi­so­ry, and proac­tive­ly get that infor­ma­tion out to sites that you know might be affect­ed? Is that what you would do, you would mail it out, you would also respond to phone calls com­ing in and…?

Fraser: That’s cor­rect. We would prob­a­bly try to get the infor­ma­tion out in a num­ber of dif­fer­ent ways, because obvi­ous­ly if you’re going to send it out on the Internet, if the Internet net­work itself is bogged down and the traf­fic can’t get through, then that presents anoth­er prob­lem. So we prob­a­bly would take care of—or try to look for oth­er ways to get infor­ma­tion out. We work close­ly with some mem­bers of the press. If it would be nec­es­sary we have a pub­lic rela­tions per­son at the Software Engineering Institute that is a liai­son for us. And I would guess that in a cir­cum­stance like that as soon as we had infor­ma­tion that we want­ed to get out, that per­haps we would work with this pub­lic rela­tions per­son to help us to find chan­nels in which to accom­plish that. 

Malamud: Now Morris was well-intentioned. He did­n’t mean it to get out of con­trol. What if some­body out there real­ly want­ed it to get out of con­trol? Could they call you up and find out what you’d found so far and then change their virus or bomb or what­ev­er it is they put on the net? How do you con­trol who gets your advisories? 

Fraser: Our advi­sories are pub­lic infor­ma­tion. We basi­cal­ly don’t put any­thing in an advi­so­ry that we would not be com­fort­able with every­one, basi­cal­ly, receiv­ing. As far as spe­cif­ic how-to infor­ma­tion, we don’t put that in an advisory.

Malamud: How does that get out to people?

Fraser: It does­n’t. The means on how to exploit a vul­ner­a­bil­i­ty is not some­thing that we would publish.

Malamud: What about when you go into a sys­tem and you find a vul­ner­a­bil­i­ty. You have to explain to peo­ple what that is, don’t you? Isn’t that part of the edu­ca­tion process, say­ing well look you know, you don’t wan­na leave a plus in an etc/host.equiv file? Does that some­how train the crack­er com­mu­ni­ty on things they should be look­ing for in oth­er systems?

Fraser: Well there certainly is a balance. What you just spoke about was a configuration problem. And when you think about vulnerabilities, they’re really more than one type. You have configuration problems, and then you have product vulnerabilities where there might be say software bugs in some section of code. Those are a little bit more obscure. Certainly some of the things you said are the case. I mean, there are tools out there, COPS, that check for a lot of configuration problems. And we advocate the use of those tools.

Malamud: What is COPS?

Fraser: COPS is a program written by Dan Farmer when he was at Purdue, and he continues to enhance it. It basically takes a look at a lot of the features of poor configuration issues on your system. It would check to see if you had say, accounts that had no password. It would check for “+” in your host.equiv. It would check for the presence of .rhost files. I can’t begin to list all of the things that it checks for here. But it is a good way to take a quick look at your system.

There’s anoth­er one, Tripwire, which is a new­er pub­lic domain soft­ware pack­age out there that is designed to help you pick up when maybe some of your soft­ware has been mod­i­fied. So that if you have a check­sum that you have for a par­tic­u­lar mod­ule and then you go back and see if the check­sum is the same tomor­row, say, it might alert you to that.

So there are a lot of tools out there that can help sys­tem admin­is­tra­tors more secure­ly con­fig­ure their systems.

Malamud: Now how does some­body go about learn­ing what those tools are? Do you have newslet­ters and things for the gen­er­al public?

Fraser: Not at this moment. That’s some­thing we’re play­ing with, actu­al­ly. I’d like to see us have a newslet­ter that came out quar­ter­ly or maybe twice a year, some­thing like that, that would give valu­able infor­ma­tion and point­ers to people. 

We have an anony­mous FTP archive site that we main­tain, and we try to keep infor­ma­tion about tools and cer­tain­ly all of our CERT advi­sories are archived there. We have quite a bit of infor­ma­tion and would encour­age peo­ple to go and select and take what­ev­er they find inter­est­ing to them.

Malamud: What’s the name of that site?

Fraser: It’s cert.org. C E R T .org.

Malamud: That ought to be easy enough.

Fraser: Yeah, it’s pret­ty simple. 

Malamud: Now, you men­tioned you do a lot of proac­tive work. Does that include work­ing for exam­ple with­in the stan­dards com­mu­ni­ty? Are you out there push­ing for bet­ter secu­ri­ty in the Internet pro­to­cols? Are you push­ing for bet­ter secu­ri­ty in the host con­fig­u­ra­tions that ven­dors are selling?

Fraser: Oh, absolutely. We have a business program that we work with the vendors, both when we discover a particular product vulnerability we will let them know about it and will also work with them for the resolution of it. So they might come back with a solution. We’ll test it to the best of our abilities. If it doesn’t meet up with what we were comfortable with we’ll go back to them and say, “Well, this fixes maybe cases A, B, and C but what about D, E, and F?” And we have a real good working relationship with quite a number of vendors at this point in time.

And actually it used to be that they didn’t want to admit that they had a security problem in their product. Now, we’re seeing vendors come to us and say, “We’d like to establish a working relationship with you.”

Malamud: Do you cer­ti­fy these ven­dors or do some­thing [crosstalk] of that sort?

Fraser: Oh no. Not right now. No, we don’t do that. We do work, or lever­age off of that good rela­tion­ship to sug­gest to them changes. You men­tioned con­fig­u­ra­tion changes or default con­fig­u­ra­tion changes. So we might sug­gest to them that it’s our posi­tion we’d rather not see a “+” in the host.equiv file when it first comes up, as an example.

Sometimes sys­tem admin­is­tra­tors will set it up with cer­tain expec­ta­tions of the way that it will be used by the net. And then there was a cer­tain amount of activ­i­ty that they did­n’t expect or want, par­tic­u­lar­ly. Some of the FTP dae­mons that are out there right now don’t pro­vide enough log­ging and con­fig­u­ra­tion con­trol for some of those sys­tem admin­is­tra­tors to con­fig­ure it the way they would real­ly like to have it being used. 

Malamud: So for example not being able to write into a temp space. I’ve noticed that occasionally— We had a system called Bruno which was serving the ITU standards. And the temp space was writeable, and we found very quickly some crackers found that and used it to upload software and use it as a bulletin board. In fact some file names were names like “does anyone have a copy of the latest Lotus”; that’s a long file name. Is that the types of problems you’re alluding to in—?

Fraser: Yeah, that’s one of the prob­lems. Another one is that if they sim­ply use it as a place to store files they can con­sume all your disk space, regard­less of what the con­tent of those files are. So we want to be an advo­cate for the sys­tem admin­is­tra­tor so that we can help him do his job, bet­ter, in the way he needs to do it. And the rea­son I’m danc­ing around these words is that this is an inter­na­tion­al com­mu­ni­ty, and what is right and prop­er for me might not be the same thing that’s right and prop­er for some­one in some dif­fer­ent coun­try. So we don’t want to point fin­gers, rather we just want to give sys­tem admin­is­tra­tors the tools that they need in order to do the job for their constituency. 

Malamud: Now many of the tools we’ve been talk­ing about are fix­es, they’re not fun­da­men­tal changes to the Internet archi­tec­ture, which was designed with­out secu­ri­ty in mind, many would say. Are there some stan­dards moves out there like pub­lic key encryp­tion that you view as more fun­da­men­tal, that we need to have?

Fraser: Yeah. I think that there is move­ment to increase the lev­el of secu­ri­ty with­in the Internet, basi­cal­ly. Certainly the PSRG is work­ing in that direction. 

Malamud: What is the PS

Fraser: I’m not a mem­ber of the— 

Malamud: What is that?

Fraser: Privacy Security and Research Group. I believe that’s cor­rect. And they’re work­ing on a secu­ri­ty archi­tec­ture. You’ll have to talk to one of the mem­bers there for more detailed infor­ma­tion. But it’s a move in the right direc­tion to pro­vide guid­ance and a frame­work so that pro­to­col devel­op­ers can see if their pro­to­cols that they’re devel­op­ing fit cor­rect­ly with­in the secu­ri­ty frame­work for the Internet.

There’s an IP secu­ri­ty work­ing group that is attempt­ing to intro­duce some lev­el of encryp­tion at the IP lev­el. Something like that I think has a very def­i­nite niche out there. 

Privacy-enhanced mail is new to the environment but it provides the privacy, the integrity, and authentication that we need out there so that for instance, we would like to sign all of our CERT advisories. So if you receive an advisory from us, you can be assured that it came from us, and furthermore that it hasn’t been changed in transit. So things like that are really going to help.

Malamud: Privacy-enhanced mail depends on a public key architecture, which in the current instantiation depends on the RSA algorithms, which in the US are patented, outside the US they aren’t. Are we going to be able to come up with a global security architecture and still deal with things like export control policies? Are those two fundamentally at odds?

Fraser: I believe we have to. We have to resolve the problems because we all need a security architecture that’s out there. It’s important to remember that it’s not just the US that has export control. Probably every country out there has some statement concerning export control. In the specifics of PEM—privacy-enhanced mail—I believe there are several compatible implementations that are going on in the world, right now. So, as long as those compatible versions can exist in the various countries, that should help us bridge that export problem.

Malamud: What about things like Pretty Good Privacy, PGP? Now, does that help solve our secu­ri­ty prob­lems on the Internet? Is that a move towards a bet­ter security?

Fraser: Well I think the intent behind the peo­ple that devel­op PGP was to give yeah, some pri­va­cy with­in the mail com­mu­ni­ty they’re [indis­tinct] it around. Of course there are some prob­lems with that, too, from a licens­ing or—

Malamud: Oh, there’s def­i­nite intel­lec­tu­al prop­er­ty issues [crosstalk] at stake there.

Fraser: Yes, right. Intellectual— Exactly. And for that rea­son, until those kinds of prob­lems are resolved I don’t know how it could be wide­ly accept­ed. In an offi­cial capac­i­ty, certainly.

Malamud: You know, some peo­ple have crit­i­cized the IAB for exam­ple for try­ing to put in place a secu­ri­ty archi­tec­ture that’s so good that it’s tak­en too long, and the result is that we have no secu­ri­ty at all. Do you have any…views on that? I mean, are we mov­ing in the right direction?

Fraser: Well, I see the gap between PC capa­bil­i­ties and say work­sta­tion capa­bil­i­ties is nar­row­ing. I mean, as your oper­at­ing sys­tems are becom­ing more sophis­ti­cat­ed on the PC—so look at Windows NT—I haven’t had a chance to look at it too close­ly myself yet, but it cer­tain­ly is one of those tech­nolo­gies that we at CERT are going to be look­ing at because it’s going to be wide­ly deployed out there. Or at least that’s what the press would have us believe at this point time. So, I believe that the capa­bil­i­ties of the low end are com­ing up.

Malamud: Part of secu­ri­ty is tech­ni­cal, but part of it is also pol­i­cy, and defin­ing what you can do and what you can’t do on the net­work. How are we address­ing those types of issues, what the laws are, and what the moral basis is? I mean, is it okay to repeat­ed­ly try to tel­net into some­body’s host?

Fraser: Well that’s a tough prob­lem, Carl, because the Internet isn’t…doesn’t reside in just a sin­gle admin­is­tra­tive domain. There is no sin­gle body that con­trols or can dic­tate pol­i­cy for all of the Internet. At one lev­el you can think about the Internet as just being a high­way to all the var­i­ous dif­fer­ent loca­tions. And if you think about it… I can’t even remem­ber who it was that used this anal­o­gy but I liked it. You could have a bur­glar dri­ving down the street in front of your house and it’s okay for him to be doing that. It’s when he tries to break into your home, or does break into your home that prob­lems arise. 

I don’t know how we’re going to resolve that—there’s a lot of questions. People would like to restrict it or to say that there is some policy of good behavior in order to be able to access the Internet. But I think that on a realistic basis that’s very difficult to achieve because of the multinational, multijurisdictional, many different laws that govern us.

Malamud: Should it be on a country-by-country basis? Should the US Congress be defining whether repeated telnet attempts are a break-in attempt or not?

Fraser: Aw gee, I had­n’t thought about that one. Um…

Malamud: Because in the phys­i­cal world you can walk down the side­walk and look in the win­dow, but you can’t walk in the door, right. And the ques­tion is, [crosstalk] when I try to tel­net in what— 

Fraser: Well that’s in the US.

Malamud: Exactly, in the US. And we have dif­fer­ent laws in dif­fer­ent coun­tries on what is acceptable.

Fraser: Right.

Malamud: Should we be doing the same thing in the Internet? Should we have different sets of laws depending on which host you happen to be on? Say, “Well, this is a US host, I better be careful.”

Fraser: I guess I just don’t know. I haven’t given it enough log on that particular thing. I just know that there’s a tremendous and vast resource, and it would really sadden me if we did things that restricted it so much that people could no longer take advantage of the vast resources there are out there.

Malamud: Many of our stan­dards of behav­ior have kind of arisen as net­work lore, as to what you can do and what you can’t do. We’re begin­ning to for­mal­ize with groups like the Internet Society. Is the Internet Society the new inter­na­tion­al United Nations for the Internet? Do we need some­one think­ing about those types of issues?

Fraser: I sup­pose you always need some­body think­ing about those types of issues. I’m not sure that—again, that they would have any abil­i­ty to enforce. Because again, you’ve got the multi­na­tion­al boundaries.

Malamud: Are you an inter­na­tion­al body, the CERT?

Fraser: At some lev­el, I think of our­selves as being inter­na­tion­al. From a fund­ing basis we are fund­ed total­ly by ARPA right now, which is the Advanced Research Projects Agency with­in the US. But they look on us as being a very…neu­tral orga­ni­za­tion from the stand­point that we’re not in the back pock­et of any par­tic­u­lar ven­dor or any par­tic­u­lar indus­try. And we do work inter­na­tion­al­ly with who­ev­er has a problem.

Malamud: Is there a poten­tial con­flict of inter­est with your fund­ing com­ing from ARPA? Can you be the neu­tral secu­ri­ty advi­sor and also be fund­ed strict­ly by a par­tic­u­lar gov­ern­ment agency? Do you see any con­flict there?

Fraser: It has­n’t been a prob­lem, in practice.

Malamud: Are you look­ing to oth­er sources of fund­ing, or do you see ARPA as just…this is a good way to con­tin­ue oper­at­ing, let’s say? Are you try­ing to become an Internet Society, or a mul­ti­ven­dor CERT board, or some­thing of that sort?

Fraser: Well I think we always have to look to the future to see if…you know, to keep our doors open basi­cal­ly, for oth­er avenues of fund­ing. We do reside at Carnegie Mellon University and as such we will always main­tain a non­prof­it sta­tus. You would­n’t see us going com­mer­cial, at all. That just would­n’t be the thing to do.

Malamud: You won’t be sell­ing those advisories.

Fraser: No.

Malamud: “We found a worm. How much are you willing to bid for that information.”

Fraser: No. Yeah. We’re able to do things on a cost recovery basis, which does bring in some revenue from other sources, certainly. It’s like you said, it hasn’t been a problem.

Malamud: Is there an email address people can send to if they want more information about the CERT?

Fraser: Definitely. It’s a very simple one. It’s cert@cert.org.

Malamud: Well there you go. This has been Geek of the Week. We’ve been talk­ing to Barbara Fraser from the CERT. Thanks a lot.

Fraser: No, thank you.

Malamud: This is Internet Talk Radio, flame of the Internet. You’ve been listening to Geek of the Week. You may copy this program to any medium, and change the encoding, but may not alter the data or sell the contents. To purchase an audio cassette of this program, send mail to radio@ora.com.

Support for Geek of the Week comes from Sun Microsystems. Sun, the network is the computer. Support for Geek of the Week also comes from O’Reilly & Associates, publishers of the Global Network Navigator, your online hypertext magazine. For more information, send mail to info@gnn.com. Network connectivity for the Internet Multicasting Service is provided by MFS DataNet and by UUNET Technologies.

Executive Producer for Geek of the Week is Martin Lucas. Production Manager is James Roland. Rick Dunbar and Curtis Generous are the sysad­mins. This is Carl Malamud for the Internet Multicasting Service, town crier to the glob­al village.