Slashdot Mirror


CERT To Charge For 'Timely Alerts'

thrillbert writes: "There is a story at c|net about how CERT is going to start charging anywhere from $2,500 to $70,000 for security alerts (depending on the size of the organization). They claim that subscribers are going to receive the alerts up to 45 days before anyone else does. However, from personal experience, I know that CERT is usually 60 days behind in releasing their 'alerts'. I have seen postings in BugTraq at least 2 months before I ever got a CERT advisory. And in the advisories I have received, I have never seen CERT giving credit to the bug hunters who found the vulnerability. I wonder if they are planning on compensating the bug hunters whose advisories they recycle." And as mr.nicholas puts it, pointing to an AP story, "Looks like a Federally funded service is trying to go private."

7 of 67 comments

  1. Re:And why on Earth not? by DunbarTheInept · · Score: 5
    Why Not? Because CERT aren't the ones finding the bugs. Individuals are sending them bug reports to publish, knowing that they are doing a service by disseminating that information. Once CERT starts charging, their volunteer army will dry up very fast.

    Besides that, they are federally funded. Either leave it public, or stop spending my tax money on it if it wants to run itself like a private business.

    --

    Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

  2. Re:And why on Earth not? by Col. Klink (retired) · · Score: 5

    > why on Earth can't these people charge for a timely and useful service

    Well, the first question is whether or not they *pay* for the information in the first case. As they don't even credit their sources, it's questionable whether the bug hunters are gonna get a cut of this money.

    The second reason is that CERT is federally funded. CERT was founded to provide security alerts to the government, and the government has paid (and continues to pay) them. Since I've paid my taxes, I've already paid them for this information.

    --

    Don't Tase me, bro!

  3. Hmmmm by Kope · · Score: 4
    CERT has become less and less important as things like Bugtraq have become more prevalent. However, CERT does have the advantage of having their alerts represent an authoritative statement of risk. That is valuable to any number of different companies that want or need to have documentation to back up their policies. CERT carries more weight than Bugtraq does, even if it isn't as timely.

    That being the case, I imagine that they will find that their pricing structure is just too damn high, if the article is right about those prices. I can't imagine companies paying $70k a year for the service of validating information that the company already possesses from other sources. Particularly given the rapidity with which many companies are now trying to respond to Bugtraq posted bugs. It used to be Sun, HP, CISCO and the other big players didn't do jack unless CERT published their bugs. But that has changed over the years. Now a Bugtraq posted vulnerability will almost always get a vendor patch fairly quickly. (Often not quick enough for some, but still, faster than they used to be!) So who is going to pay 70k for validation of information that the vendors will likely have already claimed to be valid?! I think a flat price of a few thousand a year for anyone interested would be much more realistic.

  4. TrecTools.com by augustz · · Score: 4
    They are free to charge...

    but what if a group started developing intrusion tools targeted at CERT alerts. All of a sudden, CERT's alerts would be like opening the doors to thousands of script kiddies everywhere who would find a whole bunch of easy GUI tools available for their use every time CERT released an alert.

    It'll be interesting to see how this pans out....

  5. Isn't CERT a government agency? by Glowing Fish · · Score: 4

    Isn't CERT a government agency? Isn't it charging for updates somewhat akin to having to tip the fire department extra to get to your house before it burns down?

    --
    Hopefully I didn't put any [] around my words.

  6. Plagiarism and Credit and CERT by Zeinfeld · · Score: 4
    CERT used to be notorious for not giving credit. I had a blazing row with their sysop over email on Bugtraq on the topic. Amongst the 'excuses' for not crediting the discoverers of the bugs was that 'they are mostly private individuals and not academic authors'.

    Needless to say this struck me as a bit off since a private consultant has a much bigger need to get credit for their work than a tenured academic and every bit as much right.

    I sent a registered letter to the Director of CERT telling him that if I saw another similar complaint of not giving credit in an alert on Bugtraq I would make a formal complaint to the CMU board of plagiarism. Shortly thereafter the alerts started to give credits. If they have slipped, call CMU and complain.

    Security types tend to be very smart and very paranoid; why the CERT git thought plagiarising their work would be a good plan is beyond me.

    CERT are entirely dependent on the quality of the information they are provided. The main complaint of CERT is that they have in the past waited too long for the vendor to put out a fix to issue an alert. Restricted publication of early alerts could be a good way to put vendors' feet to the fire without full disclosure.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/

  7. Re:And why on Earth not? by osorronophris · · Score: 5

    CERT is federally funded. At least *part* of the idea was to provide a timely list of security problems to anyone at *no cost*.