Slashdot Mirror
CERT To Charge For 'Timely Alerts'
thrillbert writes: "There is a story at c|net about how CERT is going to start charging anywhere from $2,500 to $70,000 for security alerts (depending on the size of the organization). They claim that subscribers are going to receive the alerts up to 45 days before anyone else does. However, from personal experience, I know that CERT is usually 60 days behind in releasing their 'alerts'. I have seen postings in BugTraq at least 2 months before I ever got a CERT advisory. And in the advisories I have received, I have never seen CERT giving credit to the bug hunters who found the vulnerability. I wonder if they are planning on compensating the bug hunters whose advisories they recycle." And as mr.nicholas puts it, pointing to an AP story, "Looks like a Federally funded services is trying to go private."
Where am I going with this? Well, CERT isn't proposing something like that. They're proposing keeping the information hidden until later unless you donate to them. But if I don't know what the CERT is putting out, I don't know if I need it or not, so I don't know if I want to buy it or not.
The problem with selling information is that you don't know if it's worth the price until after you have it already. You can't take it out for a test drive. Once you give out information, you can't make someone forget it afterward.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
Besides that, they are federally funded. Either leave it public, or stop spending my tax money on it if it wants to run itself like a private business.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
Jesus, why on Earth can't these people charge for a timely and useful service they provide to people? Is there really anything wrong with... making money! Come on, this isn't Cuba people, and providing a service, especially a real-time service like bug notifications and security updates that require significant technical expertise, cost money to run. Technical people do seem to need large sums of cash before they'll move their pizza-bloated backsides after all.
And as for the complaining about delayed advisories. Simply put, CERT spend their time validating what they produce rather than posting at the first opportunity. This is why they are the top resource for security people online, and why amateur offerings like BugTraq don't get the same recognition from serious organisations.
Honestly, shame on /. for running such a biased story slamming CERT. We're in a free market economy, and expecting things for free is tantamount to socialism. And we all know how that has worked, don't we :)
So perhaps the National Weather Service can offset some of their costs by offering hurricane warnings 30 minutes earlier to those that pay.
Considering the cost of weather forecasts (launching enough satellites to monitor the entire planet + clusters of computers to run the models) versus the cost of running a bug database (a computer + MySQL + bandwidth + volunteer bug hunters), I'd say that the price of a severe weather warning should be significantly more than CERT's measly $70K.
-- Don't Tase me, bro!
That being the case, I imagine that they will find that their pricing structure is just too damn high, if the article is right about those prices. I can't imagine companies paying $70k a year for the service of validating information that the company already possesses from other sources. Particularly given the rapidity with which many companies are now trying to respond to Bugtraq posted bugs. It used to be Sun, HP, CISCO and the other big players didn't do jack unless CERT published their bugs. But that has changed over the years. Now a Bugtraq posted vulnerability will almost always get a vendor patch fairly quickly. (Often not quick enough for some, but still, faster than they used to be!) So who is going to pay 70k for validation of information that the vendors will likely have already claimed to be valid?! I think a flat price of a few thousand a year for anyone interested would be much more realistic.
Yeah, what the heck is up with PeopleSoft? The schools here in Wisconsin are migrating to it as well. I talked to people on the migration team and they don't have a single good word to say about it. They would much rather leave their finantials and class management software on their IBM mainframe where it belongs. They seem to spend all their time tracking down obscure but fatal bugs in the server software and the client. All I see them do is applying fixes and recompiling COBOL. And last I checked they were months behind on the fixes. They have tried to talk to PeopleSoft tech support but everyone at the PeopleSoft help desk appear to be idiots.
This was last year so they have probably completed their integration by now but they would probably be happier and more efficient with the same old app running on the IBM.
-- Remember: Wherever you go, there you are!
but what if a group started developing intrusion tools targeted at CERT alerts. All of a sudden, certs alerts would be like opening the doors to thousands of script kiddies everywhere who would find a whole bunch of easy GUI tools available for their use every time CERT released an alert.
It'll be interesting to see how this pans out....
If CERT wants to go private and charge $2500 to $70,000 for timely alerts, then the US Government should sign up at $70,000.
Since the government current pays CERT $3,500,000 each year, I say that entitles us taxpayers to FREE UP-TO-DATE alerts.
CERT can't have it both ways. They can piss off if they want to use my tax dollars and give me nothing in return.
The implication here is that CERT notifies government agencies 45 days before they notify the public (which is why CERT advisories always seem to be extremely late to anyone reading bugtraq). The suggestion here is that they're going to start letting companies buy into the original notification round, a full month and a half before they announce it to everyone else.
Ideology breeds Hypocrisy. Just how much is up to you.
2. Along the same lines as above, this "service" is only "valuable" if it really does provide "early" information. All it takes is one mischievous (or pissed) net admin who gets the early releases from his boss at one of these companies, and the information would be released to everyone, regardless of whether the prescribed interval has passed or not. So... how does this "service" protect the security of the companies who pay for it, either, now that anybody and their brother among their customer base could be a potential security threat? Will the companies that sign on have to sign agreements or waivers to promise not to tell anyone about the security holes CERT tells them about? And if so... how screwed up is that??
Incidentally, the copyrights on CERT advisories are held by Carnegie Mellon University, unless I'm mistaken. Does a cut of the proceeds to this go to them? If so (being a CMU grad myself), well, okay then. :-)
One more thing, the ISA has a FAQ (which doesn't address any of the above).
Sorry, you're wrong. The U.S. Postal Service has not received any federal money for a good many years now. It is entirely self-funded.
Whether that will continue is in doubt, since the USPS's profits are steadily declining as the years go by, but at least for the time being...
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
Not to defend this strategey, but the post office is federally funded, and they charge for their services too.
I'd rather that corporations pay for it than my tax dollars. =)
If they're behind, and they try to charge, nobody will use them.
... solution to follow.
According to the articles linked to from the story, the stuff on their site and the emails are intentionally behind. Right now, only the government gets immediate notification of security concerns. The information is then delayed atleast 45 days before it is released elsewhere.
Perhaps they're at risk of loosing their Federal funding and want to sell the service they've been exclusively selling to the government to the public.
Also, I have never gotten a CERT advisory that didn't say how to fix the problem. Perhaps this earlier notification will simply be that there is a problem
--
Some people have a way with words, and some people, um, thingy.
Once more, properly formatted:
... solution to follow.
If they're behind, and they try to charge, nobody will use them.
According to the articles linked to from the story, the stuff on their site and the emails are intentionally behind. Right now, only the government gets immediate notification of security concerns. The information is then delayed atleast 45 days before it is released elsewhere.
Perhaps they're at risk of loosing their Federal funding and want to sell the service they've been exclusively selling to the government to the public.
Also, I have never gotten a CERT advisory that didn't say how to fix the problem. Perhaps this earlier notification will simply be that there is a problem
--
Some people have a way with words, and some people, um, thingy.
CERT will still post their normal advisories just as they always have (late and free). The only difference is that now you can get them much sooner if you have a few grand burning a hole in your pocket.
--
CERT isn't getting the bugs reports any earlier than before. They're always waited insane amounts of time before releasing them. Now you can get them soon after they do if you feel you have too much money lying around.
--
Hey, don't even joke about PeopleSoft! The Virginia Community College System is moving to PeopleSoft and I'm fortunate *cough*choke*gag* enough to be involved in the move. What were they smoking!? When I first found out about the move, I searched the 'net for more info about them. The only information I could find about them was about the lawsuits pending against them. And they're suprised when it doesn't work!?
--
They are no more a government agency than NSI was when they were rippin' us off for domain registrations. They are a non-academic branch of Carnegie-Mellon U. They are an organization with a federal contract and federal funding. But they aren't federalies.
"Population 1,656"
If they're behind, and they try to charge, nobody will use them. The problem *should* fix itself. :)
As a side note, Slashdot is laggin' bad. The trolls reload the front page one too many times?
Isn't CERT a government agency? Isn't it charging for updates somewhat akin to having to tip the fire department extra to get to your house before it burns down?
Hopefully I didn't put any [] around my words.
I wonder if they are planning on compensating the bug hunters whose advisories they recycle
This from the website that brought you "Voices from the Hellmouth", all without thinking about compensating the people who posted the comments that made up the content of the book.
Same rules could apply... include an ISO format string (YYYY-MM-DD HH:MM:SS) in the body of your post, times in EST and a Slashdot T-Shirt goes to the winner.
We might have to invent a rule such as "The official time will be taken as the time on the header added by the first mailserver the message goes through" to avoid CERT getting wind of it and setting their system clocks back a year, and winning, but I'm sure the powers that be could agree on a fair system. :)
A funnier competition would be "how many passwords are cracked as a result of SMBRelay before CERT gets around to posting it" of course, but I can imagine that would be somewhat more difficult to judge :) Either way, if word about the competion gets around, we'll have made our point.
Dave
... the next step being they stop accepting ALL federal money, and generate all the money they need as any other private business.
"And like that
Needless to say this struck me as a bit off since a private consultant has a much bigger need to get credit for their work than a tenured academic and every bit as much right.
I sent a registered letter to the Director of CERT telling him that if I saw another similar complaint of not giving credit in an alert on Bugtraq I would make a formal complaint to the CMU board of plagarism. Shortly thereafter the alerts started to give credits. If they have slipped call CMU and complain.
Security types tend to be very smart and very paranoid, why the CERT git thought plagarising their work would be a good plan is beyond me.
CERT are entirely dependent on the quality of the information they are provided. The main complaint of CERT is that they have in the past waited to long for the vendor to put out a fix to issue an alert. Restricted publication of early alerts could be a good way to put vendors feet to the fire without full disclosure.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Pay out the nose for archaic information you can get almost anywhere else? It's nice to see the dotcom business model of exclusive, up to the minute information for free turned totally on its ear. But I'll bet they make a lot of money...this is the kind of thing the average I-went-to-school-for-computers-and-all-I-got-was-a -lousy-MCSE IS Manager wets himself over (ours has a poster talking about different hacker techniques, including the popular "social engineering" methods such as "The Lady In Red" and "Lost Password." It also warns the reader to be careful of email viruses and activeX DoS attacks when visiting hacker websites like the Hacker's Layer and L0pht heavy industries).
Hey freaks: now you're ju
I see no problem with CERT charging people for information, what I think about this is pretty straightfoward...
If a company is going to dish out mega bucks for this service, it could be part of a business write off of some sorts, which if this is the case, its a good move.
On the other hand, CERT isn't as up-to-date with advisories as is Security Focus, which is FREE. So if companies are as stated looking to save money its a bad move, since the information is already freely posted on other security forums.
What I find slightly disturbing is, now I question whether security incidents will not be reported because someone is not a paying customer of CERT, which is totally shady.
Will CERT's new venture withhold information which could hinder the security of products?... Only time will tell...
AntiOffline Advisories (no charge)
360 degrees of Karma
The FBI and NIPC have also started a system called Infraguard, which is designed to be a bridge to the private sector. It's a pretty recent development.
-Keslin, the naked nerd girl
-Keslin, the naked nerd girl