Slashdot Mirror

← Back to Stories (view on slashdot.org)

CERT To Charge For 'Timely Alerts'

Posted by timothy on from the how-timely-is-timely? dept.

thrillbert writes: "There is a story at c|net about how CERT is going to start charging anywhere from $2,500 to $70,000 for security alerts (depending on the size of the organization). They claim that subscribers are going to receive the alerts up to 45 days before anyone else does. However, from personal experience, I know that CERT is usually 60 days behind in releasing their 'alerts'. I have seen postings in BugTraq at least 2 months before I ever got a CERT advisory. And in the advisories I have received, I have never seen CERT giving credit to the bug hunters who found the vulnerability. I wonder if they are planning on compensating the bug hunters whose advisories they recycle." And as mr.nicholas puts it, pointing to an AP story, "Looks like a Federally funded services is trying to go private."

15 of 67 comments (clear)

  1. Re:And why on Earth not? by DunbarTheInept · · Score: 5
    Why Not? Because CERT aren't the ones finding the bugs. Individuals are sending them bug reports to publish, knowing that they are doing a service by dissemating that information. Once CERT starts charging, their volunteer army will dry up very fast.

    Besides that, they are federally funded. Either leave it public, or stop spending my tax money on it if it wants to run itself like a private business.

    --

    Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

  2. Re:So is the national weather service... by Col.+Klink+(retired) · · Score: 3

    So perhaps the National Weather Service can offset some of their costs by offering hurricane warnings 30 minutes earlier to those that pay.

    Considering the cost of weather forecasts (launching enough satellites to monitor the entire planet + clusters of computers to run the models) versus the cost of running a bug database (a computer + MySQL + bandwidth + volunteer bug hunters), I'd say that the price of a severe weather warning should be significantly more than CERT's measly $70K.

    --

    -- Don't Tase me, bro!

  3. Re:And why on Earth not? by Col.+Klink+(retired) · · Score: 5

    > why on Earth can't these people charge for a timely and useful service

    Well, the first question is whether or not they *pay* for the information in the first case. As they don't even credit their sources, it's questionable whether the bug hunters are gonna get a cut of this money.

    The second reason is that CERT is federally funded. CERT was founded to provide security alerts to the government, and the government has (and continues) to pay them. Since I've paid my taxes, I've already paid them for this information.

    --

    -- Don't Tase me, bro!

  4. Hmmmm by Kope · · Score: 4
    CERT has become less and less important as things like Bugtraq have become more prevelant. However, CERT does have the advantage of having their alerts represent an authoritative statement of risk. That is valuable to any number of different companies that want or need to have documentation to back up their policies. CERT carries more weight than Bugtraq does, even if it isn't as timely.

    That being the case, I imagine that they will find that their pricing structure is just too damn high, if the article is right about those prices. I can't imagine companies paying $70k a year for the service of validating information that the company already possesses from other sources. Particularly given the rapidity with which many companies are now trying to respond to Bugtraq posted bugs. It used to be Sun, HP, CISCO and the other big players didn't do jack unless CERT published their bugs. But that has changed over the years. Now a Bugtraq posted vulnerability will almost always get a vendor patch fairly quickly. (Often not quick enough for some, but still, faster than they used to be!) So who is going to pay 70k for validation of information that the vendors will likely have already claimed to be valid?! I think a flat price of a few thousand a year for anyone interested would be much more realistic.

  5. TrecTools.com by augustz · · Score: 4
    They are free to charge...

    but what if a group started developing intrusion tools targeted at CERT alerts. All of a sudden, certs alerts would be like opening the doors to thousands of script kiddies everywhere who would find a whole bunch of easy GUI tools available for their use every time CERT released an alert.

    It'll be interesting to see how this pans out....

  6. Re:And why on Earth not? by angst_ridden_hipster · · Score: 3
    Come on, this isn't Cube people...

    I guess I know where you're posting from... but you can't say the same for all of us ;)

    I think that if there were actually a free market (and, even in the good ol' US of A, there ain't nothin' of the sort), we'd see the market correct itself. Unfortunately, as we've seen with companies like Network Solutions, the transition of Government-funded organizations into corporations yields the worst of both worlds: monopolistic bureaucracies with horrible customer service.

    Unlike Network Solutions, though, you'll find that the security industry won't be a monopoly. The alternatives will step up to fill the void, and CERT will find itself without subscribers. In fact, this has already begun with professional security firms like securityfocus.com who use public resources like BugTraq to provide high-speed responses.

    (I am not affiliated with any of the named companies except as a service consumer)
    bukra fil mish mish
    -
    Monitor the Web, or Track your site!

    --
    Eloi, Eloi, lema sabachtani?
    www.fogbound.net
  7. Fine. US Gov should pay $70000, then. by beej · · Score: 3

    If CERT wants to go private and charge $2500 to $70,000 for timely alerts, then the US Government should sign up at $70,000.

    Since the government current pays CERT $3,500,000 each year, I say that entitles us taxpayers to FREE UP-TO-DATE alerts.

    CERT can't have it both ways. They can piss off if they want to use my tax dollars and give me nothing in return.

  8. Two questions by BobGregg · · Score: 3
    1. The primary reason CERT usually delays releasing security holes to the public is so that government agencies can know about them before they become widely known as exploits. How will their selling this information to corporations affect the security of those government agencies? Was this even a concern in their decision? Isn't that their primary reason for *existing*?

    2. Along the same lines as above, this "service" is only "valuable" if it really does provide "early" information. All it takes is one mischievous (or pissed) net admin who gets the early releases from his boss at one of these companies, and the information would be released to everyone, regardless of whether the prescribed interval has passed or not. So... how does this "service" protect the security of the companies who pay for it, either, now that anybody and their brother among their customer base could be a potential security threat? Will the companies that sign on have to sign agreements or waivers to promise not to tell anyone about the security holes CERT tells them about? And if so... how screwed up is that??

    Incidentally, the copyrights on CERT advisories are held by Carnegie Mellon University, unless I'm mistaken. Does a cut of the proceeds to this go to them? If so (being a CMU grad myself), well, okay then. :-)

    One more thing, the ISA has a FAQ (which doesn't address any of the above).

  9. Re:Isn't CERT a government agency? by uberdood · · Score: 3

    They are no more a government agency than NSI was when they were rippin' us off for domain registrations. They are a non-academic branch of Carnegie-Mellon U. They are an organization with a federal contract and federal funding. But they aren't federalies.

    --
    "Population 1,656"
  10. Well... by Rura+Penthe · · Score: 3

    If they're behind, and they try to charge, nobody will use them. The problem *should* fix itself. :)

    As a side note, Slashdot is laggin' bad. The trolls reload the front page one too many times?

  11. Isn't CERT a government agency? by Glowing+Fish · · Score: 4

    Isn't CERT a government agency? Isn't it charging for updates somewhat akin to having to tip the fire department extra to get to your house before it burns down?

    --
    Hopefully I didn't put any [] around my words.
  12. New Slashdot Competition idea by davejhiggins · · Score: 3
    Following on from the hugely successful Guess when Mir will splash thread, why don't we have a competition to guess when the new, improved $70,000-per-year CERT mailing list will finally inform subscribers about the SMBRelay exploit just mentioned in an article on theregister posted a couple of hours ago? (Someone may even submit it to slashdot and have it accepted yet; the fact that WinNT lanman is insecure isn't really "news" for nerds any more but you never know).

    Same rules could apply... include an ISO format string (YYYY-MM-DD HH:MM:SS) in the body of your post, times in EST and a Slashdot T-Shirt goes to the winner.

    We might have to invent a rule such as "The official time will be taken as the time on the header added by the first mailserver the message goes through" to avoid CERT getting wind of it and setting their system clocks back a year, and winning, but I'm sure the powers that be could agree on a fair system. :)

    A funnier competition would be "how many passwords are cracked as a result of SMBRelay before CERT gets around to posting it" of course, but I can imagine that would be somewhat more difficult to judge :) Either way, if word about the competion gets around, we'll have made our point.

    Dave

  13. Re:And why on Earth not? by ZanshinWedge · · Score: 3
    One, CERT isn't a private organization, they get tax money. Two, why buy something that's late and of inferior quality? Doesn't make a whole lot of sense.

    And, for the record, socialism has worked out pretty well. Just ask the developed world. Or hadn't you noticed the socialist aspects of all modern industrialized nations? Welfare, unemployment benefits, social security, government funded roadways, medicare, medicaid, government grants to college students, the list goes on and on. And in Europe and Canada they are even more socialist! With their nationalized health care and whatnot. The majority of the government budgets for all industrialized nations is for "socialist" programs.

    Communism however is a different ball of wax.

    Imagine that, a slashdot troll who doesn't know his ass from a hole in the ground.

  14. Plagarism and Credit and CERT by Zeinfeld · · Score: 4
    CERT used to be notorious for not giving credit. I had a blazing row with their sysop over email on Bugtraq on the topic. Amongst the 'excuses' for not crediting the discoverers of the bugs was that 'they are mostly private individuals and not academic authors'.

    Needless to say this struck me as a bit off since a private consultant has a much bigger need to get credit for their work than a tenured academic and every bit as much right.

    I sent a registered letter to the Director of CERT telling him that if I saw another similar complaint of not giving credit in an alert on Bugtraq I would make a formal complaint to the CMU board of plagarism. Shortly thereafter the alerts started to give credits. If they have slipped call CMU and complain.

    Security types tend to be very smart and very paranoid, why the CERT git thought plagarising their work would be a good plan is beyond me.

    CERT are entirely dependent on the quality of the information they are provided. The main complaint of CERT is that they have in the past waited to long for the vendor to put out a fix to issue an alert. Restricted publication of early alerts could be a good way to put vendors feet to the fire without full disclosure.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  15. Re:And why on Earth not? by osorronophris · · Score: 5

    CERT is federally funded. At least *part* of the idea was to provide a timely list of security problems to anyone at *no cost*.