If you haven't heard or read the announcements over the past few days, here are a few good links:
The CERT advisories email provides the most in-depth view of what is happening. The CERT Coordination Center at Carnegie Mellon will run this alert system for the US Government for the near future. It also looks as if FedCIRC will be folded into CERT/CC, based on nearly nonexistent activity at FedCIRC since the end of 2003. Other parties from industry and the government are involved.
The traditional CERT Advisory list that you may be used to receiving will no longer be accepting additional subscribers and will be discontinued in March 2004. All new subscribers will be added to the US-CERT lists. This is a pretty good indication that CERT/CC, as we know it, has been taken over by the US Government despite what the FAQ section at the end of the CERT email may say. Carnegie Mellon may own the name, but they don't own the organization anymore.
Paragraphs six and seven in the CNN article have me greatly concerned. The fact that US-CERT would withhold the announcement of vulnerabilities until a patch or fix is available is ludicrous. In many cases, patches and fixes come days, weeks, or months after the vulnerability is discovered. In some cases the vulnerability is never fixed. Does the US Government plan on imposing timelines on private companies to produce patches and fixes?
Workarounds always exist, and most vulnerabilities can be avoided altogether by implementing best practices. Two very simple things can help you avoid 99% of the vulnerabilities out there: anti-virus software and firewalls. Here's an example: over the past three days my private email account at xlogs.net has received probably three dozen emails with the MyDoom attachment. My email server doesn't run any anti-virus software. I download those emails locally on my Mac, where I do run anti-virus software and a firewall. My exposure, even without AV software on the server, is zero because I am not running the target platform where the emails end up. My work email is Outlook/Exchange, which has been the target platform of these mass-mailing worms. Since our IT shop uses the services from MessageLabs, I have not received a single email with the MyDoom attachment at work. Other parts of our organization have not been so lucky.
My point is that by cutting the free flow of information and restricting announcements of risks and vulnerabilities, the US Government may be severely impacting the evolution of technology in the marketplace and unfairly imposing constraints on private companies.