Slashdot Mirror
CERT To Charge For 'Timely Alerts'
thrillbert writes: "There is a story at c|net about how CERT is going to start charging anywhere from $2,500 to $70,000 for security alerts (depending on the size of the organization). They claim that subscribers are going to receive the alerts up to 45 days before anyone else does. However, from personal experience, I know that CERT is usually 60 days behind in releasing their 'alerts'. I have seen postings in BugTraq at least 2 months before I ever got a CERT advisory. And in the advisories I have received, I have never seen CERT giving credit to the bug hunters who found the vulnerability. I wonder if they are planning on compensating the bug hunters whose advisories they recycle." And as mr.nicholas puts it, pointing to an AP story, "Looks like a Federally funded services is trying to go private."
Where am I going with this? Well, CERT isn't proposing something like that. They're proposing keeping the information hidden until later unless you donate to them. But if I don't know what the CERT is putting out, I don't know if I need it or not, so I don't know if I want to buy it or not.
The problem with selling information is that you don't know if it's worth the price until after you have it already. You can't take it out for a test drive. Once you give out information, you can't make someone forget it afterward.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
Besides that, they are federally funded. Either leave it public, or stop spending my tax money on it if it wants to run itself like a private business.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
i.e: ;-)
"My" Linux distro has found an important security hole and has made a patch. (insinuating not the other distro
-- "Life is easier since I have excluded JonKatz stories from my homepage"
Jesus, why on Earth can't these people charge for a timely and useful service they provide to people? Is there really anything wrong with... making money! Come on, this isn't Cuba people, and providing a service, especially a real-time service like bug notifications and security updates that require significant technical expertise, cost money to run. Technical people do seem to need large sums of cash before they'll move their pizza-bloated backsides after all.
And as for the complaining about delayed advisories. Simply put, CERT spend their time validating what they produce rather than posting at the first opportunity. This is why they are the top resource for security people online, and why amateur offerings like BugTraq don't get the same recognition from serious organisations.
Honestly, shame on /. for running such a biased story slamming CERT. We're in a free market economy, and expecting things for free is tantamount to socialism. And we all know how that has worked, don't we :)
So lets hope the .coms have more money to spare then the carders. ;-)
But then again this news is about as relevant as CERT is themselves these days.
DWR is Ajax for Java
So perhaps the National Weather Service can offset some of their costs by offering hurricane warnings 30 minutes earlier to those that pay.
Considering the cost of weather forecasts (launching enough satellites to monitor the entire planet + clusters of computers to run the models) versus the cost of running a bug database (a computer + MySQL + bandwidth + volunteer bug hunters), I'd say that the price of a severe weather warning should be significantly more than CERT's measly $70K.
-- Don't Tase me, bro!
That being the case, I imagine that they will find that their pricing structure is just too damn high, if the article is right about those prices. I can't imagine companies paying $70k a year for the service of validating information that the company already possesses from other sources. Particularly given the rapidity with which many companies are now trying to respond to Bugtraq posted bugs. It used to be Sun, HP, CISCO and the other big players didn't do jack unless CERT published their bugs. But that has changed over the years. Now a Bugtraq posted vulnerability will almost always get a vendor patch fairly quickly. (Often not quick enough for some, but still, faster than they used to be!) So who is going to pay 70k for validation of information that the vendors will likely have already claimed to be valid?! I think a flat price of a few thousand a year for anyone interested would be much more realistic.
Yeah, what the heck is up with PeopleSoft? The schools here in Wisconsin are migrating to it as well. I talked to people on the migration team and they don't have a single good word to say about it. They would much rather leave their finantials and class management software on their IBM mainframe where it belongs. They seem to spend all their time tracking down obscure but fatal bugs in the server software and the client. All I see them do is applying fixes and recompiling COBOL. And last I checked they were months behind on the fixes. They have tried to talk to PeopleSoft tech support but everyone at the PeopleSoft help desk appear to be idiots.
This was last year so they have probably completed their integration by now but they would probably be happier and more efficient with the same old app running on the IBM.
-- Remember: Wherever you go, there you are!
but what if a group started developing intrusion tools targeted at CERT alerts. All of a sudden, certs alerts would be like opening the doors to thousands of script kiddies everywhere who would find a whole bunch of easy GUI tools available for their use every time CERT released an alert.
It'll be interesting to see how this pans out....
This from the website that brought you "Voices from the Hellmouth", all without thinking about compensating the people who posted the comments that made up the content of the book.
Just in passing, imagine actually receiving a copy of that book as a gift.
"Umm... yeah. Thanks. Slashdot comments on paper. Just what I needed."
deus does not exist but if he does
"Microsoft to charge for Windows updates."
What, like the one from Windows 95 to Windows 98?
:/
(IIRC, all the components of that were freely downloadable, but that didn't stop a massive marketing push to sell it at full price...)
deus does not exist but if he does
If CERT wants to go private and charge $2500 to $70,000 for timely alerts, then the US Government should sign up at $70,000.
Since the government current pays CERT $3,500,000 each year, I say that entitles us taxpayers to FREE UP-TO-DATE alerts.
CERT can't have it both ways. They can piss off if they want to use my tax dollars and give me nothing in return.
The implication here is that CERT notifies government agencies 45 days before they notify the public (which is why CERT advisories always seem to be extremely late to anyone reading bugtraq). The suggestion here is that they're going to start letting companies buy into the original notification round, a full month and a half before they announce it to everyone else.
Ideology breeds Hypocrisy. Just how much is up to you.
No offense, but SMBRelay's been out for a couple of weeks.
That said, if you were subtly looking to make a point about paying for what you should already know if you're keeping your eyes open, good show.
Easy does it!
This comment has been submitted already, 276865 hours , 59 minutes ago. No need to try again.
2. Along the same lines as above, this "service" is only "valuable" if it really does provide "early" information. All it takes is one mischievous (or pissed) net admin who gets the early releases from his boss at one of these companies, and the information would be released to everyone, regardless of whether the prescribed interval has passed or not. So... how does this "service" protect the security of the companies who pay for it, either, now that anybody and their brother among their customer base could be a potential security threat? Will the companies that sign on have to sign agreements or waivers to promise not to tell anyone about the security holes CERT tells them about? And if so... how screwed up is that??
Incidentally, the copyrights on CERT advisories are held by Carnegie Mellon University, unless I'm mistaken. Does a cut of the proceeds to this go to them? If so (being a CMU grad myself), well, okay then. :-)
One more thing, the ISA has a FAQ (which doesn't address any of the above).
Sorry, you're wrong. The U.S. Postal Service has not received any federal money for a good many years now. It is entirely self-funded.
Whether that will continue is in doubt, since the USPS's profits are steadily declining as the years go by, but at least for the time being...
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
I realize that this is all highly speculative, and your own views may prevent you from seeing the reason in my comments, but I shall not hold that a gainst you, as each is entitled to their own opinion, their own viewpoint, and yes --their own prejudice.
May goatse.cx live forever in the minds of those unfortunate enough to have the experience without ample protection.
Unless they patent the advisories.
Hmm..
Actually, I just walked in to SEI two days ago for a job interview. I had to sign in and get a visitor's pass; that's it.
Not to defend this strategey, but the post office is federally funded, and they charge for their services too.
I'd rather that corporations pay for it than my tax dollars. =)
The alerts that go to the Air Force base that my father works at arrive about a week after I learn about the same security problems from other sources, usually from /..
Hmmm... do you also get the public CERT releases? I've never compared the times that items on Slashdot appear in the CERT Advisory emails. Other people in this discussion have suggested the difference is like a month.
--
Some people have a way with words, and some people, um, thingy.
If they're behind, and they try to charge, nobody will use them.
... solution to follow.
According to the articles linked to from the story, the stuff on their site and the emails are intentionally behind. Right now, only the government gets immediate notification of security concerns. The information is then delayed atleast 45 days before it is released elsewhere.
Perhaps they're at risk of loosing their Federal funding and want to sell the service they've been exclusively selling to the government to the public.
Also, I have never gotten a CERT advisory that didn't say how to fix the problem. Perhaps this earlier notification will simply be that there is a problem
--
Some people have a way with words, and some people, um, thingy.
Once more, properly formatted:
... solution to follow.
If they're behind, and they try to charge, nobody will use them.
According to the articles linked to from the story, the stuff on their site and the emails are intentionally behind. Right now, only the government gets immediate notification of security concerns. The information is then delayed atleast 45 days before it is released elsewhere.
Perhaps they're at risk of loosing their Federal funding and want to sell the service they've been exclusively selling to the government to the public.
Also, I have never gotten a CERT advisory that didn't say how to fix the problem. Perhaps this earlier notification will simply be that there is a problem
--
Some people have a way with words, and some people, um, thingy.
So the money they'll take in isn't just targeted to pay the hard-working folks checking security holes, it seems.
CERT will still post their normal advisories just as they always have (late and free). The only difference is that now you can get them much sooner if you have a few grand burning a hole in your pocket.
--
CERT isn't getting the bugs reports any earlier than before. They're always waited insane amounts of time before releasing them. Now you can get them soon after they do if you feel you have too much money lying around.
--
Hey, don't even joke about PeopleSoft! The Virginia Community College System is moving to PeopleSoft and I'm fortunate *cough*choke*gag* enough to be involved in the move. What were they smoking!? When I first found out about the move, I searched the 'net for more info about them. The only information I could find about them was about the lawsuits pending against them. And they're suprised when it doesn't work!?
--
I think it is more like having to pay to park my car at a national park that is funded by taxes.
Oh wait... doesn't it cost 20 bucks to see the Grand Canyon?
I figure today's load is due to some idiot's "FP" perl script.
"Population 1,656"
"0" offtopic my ass! CERT is housed at Carnegie-Mellon U. Who was Carnegie? A Robber barron. And what is CERT doing? Gouging the public for a serivce that is a day (or forty-five) late and thousands of dollars short. Geez, give moderatorship to some folks and it goes to their head.
"Population 1,656"
They are no more a government agency than NSI was when they were rippin' us off for domain registrations. They are a non-academic branch of Carnegie-Mellon U. They are an organization with a federal contract and federal funding. But they aren't federalies.
"Population 1,656"
If they're behind, and they try to charge, nobody will use them. The problem *should* fix itself. :)
As a side note, Slashdot is laggin' bad. The trolls reload the front page one too many times?
Isn't CERT a government agency? Isn't it charging for updates somewhat akin to having to tip the fire department extra to get to your house before it burns down?
Hopefully I didn't put any [] around my words.
Uuh. Wait a minute
If a bugtraq poster uses the copyleft?
Question Reality
I wonder if they are planning on compensating the bug hunters whose advisories they recycle
This from the website that brought you "Voices from the Hellmouth", all without thinking about compensating the people who posted the comments that made up the content of the book.
I live in Pittsburgh, and if you want to get into CERT it is a very big pain. Because it's funded mainly by the government, you need to get security checks and such and you can't just walk in or anything to try and get a job. I would like if they started charging for this and went off of government funding, as this seems like a really neat place to work. I think the main consumers for CERT will be corporations that can spring for the money, because they would rather have something "offical" coming from a fairly large sized company rather than coming from a rouge company named BugTraq. Most of us don't really use CERT rather corporations tend to because they feel using a real company is safer and will soon be willing to charge for this feature.
MS already does charge for updates. For example, Win95, service pack 5 is called Windows ME.
-- We all get heavier as we get older because there's a lot more information in our heads.
Same rules could apply... include an ISO format string (YYYY-MM-DD HH:MM:SS) in the body of your post, times in EST and a Slashdot T-Shirt goes to the winner.
We might have to invent a rule such as "The official time will be taken as the time on the header added by the first mailserver the message goes through" to avoid CERT getting wind of it and setting their system clocks back a year, and winning, but I'm sure the powers that be could agree on a fair system. :)
A funnier competition would be "how many passwords are cracked as a result of SMBRelay before CERT gets around to posting it" of course, but I can imagine that would be somewhat more difficult to judge :) Either way, if word about the competion gets around, we'll have made our point.
Dave
What will happen to those of us who are running our own individual servers without CERT advisories? Granted they aren't usually the first people to release advisories for bugs (as has already been noted), they are still a very important resource to the security community as a whole. This move implies that non-profit organizations and individuals aren't as important to the security of the web community as the commercial members who can afford to pay. Obviously, this should not be the case. Nobody should be penalized by having an insecure server just because they couldn't pay a stupid money-grubbing company's fee.
Charging for security information is a very bad idea. Say a bug is discovered with one of your client's products, client knows about the bug first and asks for you to delay mentioning it for a while or to soften the blow.
If the customer where worth $70k to you, would you deny them that request?
By charging for these alerts you have a conflict of interest. Personally, I would never trust security from a for-profit business. As a result, there are a lot of security sites that have lost my trust because they've gone commercial.
Paul Anderson
"I drank WHAT?!" -- Socrates
... the next step being they stop accepting ALL federal money, and generate all the money they need as any other private business.
"And like that
My .02,
My .02,
zencode
iactivist.org/jason
Needless to say this struck me as a bit off since a private consultant has a much bigger need to get credit for their work than a tenured academic and every bit as much right.
I sent a registered letter to the Director of CERT telling him that if I saw another similar complaint of not giving credit in an alert on Bugtraq I would make a formal complaint to the CMU board of plagarism. Shortly thereafter the alerts started to give credits. If they have slipped call CMU and complain.
Security types tend to be very smart and very paranoid, why the CERT git thought plagarising their work would be a good plan is beyond me.
CERT are entirely dependent on the quality of the information they are provided. The main complaint of CERT is that they have in the past waited to long for the vendor to put out a fix to issue an alert. Restricted publication of early alerts could be a good way to put vendors feet to the fire without full disclosure.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
$2,500 is nothing when you consider how much it would cost to 'clean up' after a major security breach. I doubt many larger companies will have a problem with forking over $70k.
Douglas Adams
1952-2001 :(
Pay out the nose for archaic information you can get almost anywhere else? It's nice to see the dotcom business model of exclusive, up to the minute information for free turned totally on its ear. But I'll bet they make a lot of money...this is the kind of thing the average I-went-to-school-for-computers-and-all-I-got-was-a -lousy-MCSE IS Manager wets himself over (ours has a poster talking about different hacker techniques, including the popular "social engineering" methods such as "The Lady In Red" and "Lost Password." It also warns the reader to be careful of email viruses and activeX DoS attacks when visiting hacker websites like the Hacker's Layer and L0pht heavy industries).
Hey freaks: now you're ju
I see no problem with CERT charging people for information, what I think about this is pretty straightfoward...
If a company is going to dish out mega bucks for this service, it could be part of a business write off of some sorts, which if this is the case, its a good move.
On the other hand, CERT isn't as up-to-date with advisories as is Security Focus, which is FREE. So if companies are as stated looking to save money its a bad move, since the information is already freely posted on other security forums.
What I find slightly disturbing is, now I question whether security incidents will not be reported because someone is not a paying customer of CERT, which is totally shady.
Will CERT's new venture withhold information which could hinder the security of products?... Only time will tell...
AntiOffline Advisories (no charge)
360 degrees of Karma
looks as if the next addition to norton utilities will be CERT...
The FBI and NIPC have also started a system called Infraguard, which is designed to be a bridge to the private sector. It's a pretty recent development.
-Keslin, the naked nerd girl
-Keslin, the naked nerd girl
I will be mirroring bugtraq soon and selling subscriptions for $10k/yr, no matter how big the organization is. Pass this on to any of those MCSE types you know. Thanks.
--
The way this is going, what bright idea are we going to see next?
I can see it now...
"Microsoft to charge for Windows updates."
"Dynamix/Sierra to charge for Tribes 2 patches."
"DoubleClick to charge for banner ads."
I fail to see the relevance of these comments, obviously most of you are in agreement that bugtraq is, at the least, coming out with the bugs at the same time, possibly before hand. If CERT decides to charge, it really doesn't affect any of us, because there are still free alternatives, which most of you read anyways.
We must hispanically speaking learn not be systemlogically misunderestimated by these risks. Why come can't become CERT charge companies for there services when in harshified realityisms security should not be pro bono.