
CERT To Charge For 'Timely Alerts' 67

thrillbert writes: "There is a story at c|net about how CERT is going to start charging anywhere from $2,500 to $70,000 for security alerts (depending on the size of the organization). They claim that subscribers are going to receive the alerts up to 45 days before anyone else does. However, from personal experience, I know that CERT is usually 60 days behind in releasing their 'alerts'. I have seen postings in BugTraq at least 2 months before I ever got a CERT advisory. And in the advisories I have received, I have never seen CERT giving credit to the bug hunters who found the vulnerability. I wonder if they are planning on compensating the bug hunters whose advisories they recycle." And as mr.nicholas puts it, pointing to an AP story, "Looks like a Federally funded service is trying to go private."

  • While PBS is funded in a hybrid fashion, they don't give out better service to the donators than they do to the non-payers. If I only watch PBS once a week or so, then I feel justified in not giving them donations because they already get some of my money in the form of federal funds. Now, If I was an avid viewer deeply interested in quilting, civil war re-enactments, 27 different cooking shows, and teletubbies, then I'd probably give them more money beyond just the little bit they get from taxes. PBS serves only one purpose to me - a vehicle for British humor. Since they don't do much of that on our local station anymore, I don't have a reason to give them money. (Okay, so they do Keeping up Appearances still, but that isn't what I'd categorize as "humor".)

    Where am I going with this? Well, CERT isn't proposing something like that. They're proposing keeping the information hidden until later unless you donate to them. But if I don't know what the CERT is putting out, I don't know if I need it or not, so I don't know if I want to buy it or not.

    The problem with selling information is that you don't know if it's worth the price until after you have it already. You can't take it out for a test drive. Once you give out information, you can't make someone forget it afterward.

  • by DunbarTheInept ( 764 ) on Thursday April 19, 2001 @12:03PM (#278704) Homepage
    Why Not? Because CERT aren't the ones finding the bugs. Individuals are sending them bug reports to publish, knowing that they are doing a service by disseminating that information. Once CERT starts charging, their volunteer army will dry up very fast.

    Besides that, they are federally funded. Either leave it public, or stop spending my tax money on it if it wants to run itself like a private business.

  • i.e:
    "My" Linux distro has found an important security hole and has made a patch. (insinuating not the other distro ;-)

  • Jesus, why on Earth can't these people charge for a timely and useful service they provide to people? Is there really anything wrong with... making money! Come on, this isn't Cuba people, and providing a service, especially a real-time service like bug notifications and security updates that require significant technical expertise, costs money to run. Technical people do seem to need large sums of cash before they'll move their pizza-bloated backsides after all.

    And as for the complaining about delayed advisories. Simply put, CERT spend their time validating what they produce rather than posting at the first opportunity. This is why they are the top resource for security people online, and why amateur offerings like BugTraq don't get the same recognition from serious organisations.

    Honestly, shame on /. for running such a biased story slamming CERT. We're in a free market economy, and expecting things for free is tantamount to socialism. And we all know how that has worked, don't we :)

  • by joe_fish ( 6037 )
    So I guess we should all be hoping that the crackers/carders don't have enough money to spend on the fees to join CERT. - Clearly the idea kind of breaks down if we are selling sploits to the bad guys before we tell the good guys how to fix the problem they didn't know they had.

    So let's hope the .coms have more money to spare than the carders. ;-)

    But then again this news is about as relevant as CERT is themselves these days.

  • by Col. Klink (retired) ( 11632 ) on Thursday April 19, 2001 @05:36PM (#278708)
    So perhaps the National Weather Service can offset some of their costs by offering hurricane warnings 30 minutes earlier to those that pay.

    Considering the cost of weather forecasts (launching enough satellites to monitor the entire planet + clusters of computers to run the models) versus the cost of running a bug database (a computer + MySQL + bandwidth + volunteer bug hunters), I'd say that the price of a severe weather warning should be significantly more than CERT's measly $70K.
  • by Col. Klink (retired) ( 11632 ) on Thursday April 19, 2001 @11:59AM (#278709)
    > why on Earth can't these people charge for a timely and useful service

    Well, the first question is whether or not they *pay* for the information in the first case. As they don't even credit their sources, it's questionable whether the bug hunters are gonna get a cut of this money.

    The second reason is that CERT is federally funded. CERT was founded to provide security alerts to the government, and the government has (and continues) to pay them. Since I've paid my taxes, I've already paid them for this information.
  • by Kope ( 11702 ) on Thursday April 19, 2001 @11:50AM (#278710)
    CERT has become less and less important as things like Bugtraq have become more prevalent. However, CERT does have the advantage of having their alerts represent an authoritative statement of risk. That is valuable to any number of different companies that want or need to have documentation to back up their policies. CERT carries more weight than Bugtraq does, even if it isn't as timely.

    That being the case, I imagine that they will find that their pricing structure is just too damn high, if the article is right about those prices. I can't imagine companies paying $70k a year for the service of validating information that the company already possesses from other sources. Particularly given the rapidity with which many companies are now trying to respond to Bugtraq posted bugs. It used to be Sun, HP, CISCO and the other big players didn't do jack unless CERT published their bugs. But that has changed over the years. Now a Bugtraq posted vulnerability will almost always get a vendor patch fairly quickly. (Often not quick enough for some, but still, faster than they used to be!) So who is going to pay 70k for validation of information that the vendors will likely have already claimed to be valid?! I think a flat price of a few thousand a year for anyone interested would be much more realistic.

  • Yeah, what the heck is up with PeopleSoft? The schools here in Wisconsin are migrating to it as well. I talked to people on the migration team and they don't have a single good word to say about it. They would much rather leave their financials and class management software on their IBM mainframe where it belongs. They seem to spend all their time tracking down obscure but fatal bugs in the server software and the client. All I see them do is applying fixes and recompiling COBOL. And last I checked they were months behind on the fixes. They have tried to talk to PeopleSoft tech support but everyone at the PeopleSoft help desk appears to be idiots.

    This was last year so they have probably completed their integration by now but they would probably be happier and more efficient with the same old app running on the IBM.

  • by augustz ( 18082 ) on Thursday April 19, 2001 @01:04PM (#278712)
    They are free to charge...

    but what if a group started developing intrusion tools targeted at CERT alerts. All of a sudden, CERT's alerts would be like opening the doors to thousands of script kiddies everywhere who would find a whole bunch of easy GUI tools available for their use every time CERT released an alert.

    It'll be interesting to see how this pans out....

  • by angst_ridden_hipster ( 23104 ) on Thursday April 19, 2001 @12:28PM (#278713) Homepage Journal
    Come on, this isn't Cube people...

    I guess I know where you're posting from... but you can't say the same for all of us ;)

    I think that if there were actually a free market (and, even in the good ol' US of A, there ain't nothin' of the sort), we'd see the market correct itself. Unfortunately, as we've seen with companies like Network Solutions, the transition of Government-funded organizations into corporations yields the worst of both worlds: monopolistic bureaucracies with horrible customer service.

    Unlike Network Solutions, though, you'll find that the security industry won't be a monopoly. The alternatives will step up to fill the void, and CERT will find itself without subscribers. In fact, this has already begun with professional security firms like securityfocus.com who use public resources like BugTraq to provide high-speed responses.

    (I am not affiliated with any of the named companies except as a service consumer)
    bukra fil mish mish
    -
    Monitor the Web, or Track your site!

  • This from the website that brought you "Voices from the Hellmouth", all without thinking about compensating the people who posted the comments that made up the content of the book.

    Just in passing, imagine actually receiving a copy of that book as a gift.

    "Umm... yeah. Thanks. Slashdot comments on paper. Just what I needed."
  • "Microsoft to charge for Windows updates."

    What, like the one from Windows 95 to Windows 98?

    :/

    (IIRC, all the components of that were freely downloadable, but that didn't stop a massive marketing push to sell it at full price...)
  • > This is why they are the top resource for security people online, and why amateur offerings like BugTraq don't get the same recognition from serious organisations

    Top resource for security people online? WTF are you talking about? If security people only followed CERT they'd be rooted in the first 2 months it takes CERT to post an advisory. Bugtraq is the top resource, or one of them, for security people who are competent enough to figure out whether or not an exploit or possible bug applies to them.
  • CERT spend their time validating what they produce rather than posting at the first opportunity. This is why they are the top resource for security people online, and why amateur offerings like BugTraq don't get the same recognition from serious organisations.



    Hooey.


    I am a security professional (I get paid for writing IDS signatures) and traditionally CERT would be the LAST place I would expect to find out about a vulnerability. It's changed dramatically in the last six months, though. They've even scooped bugtraq once or twice.



    Now we know why they've picked up the pace. Expect to see them become a dotcom and go public.



  • Why Not? Because CERT aren't the ones finding the bugs. Individuals are sending them bug reports to publish, knowing that they are doing a service by disseminating that information. Once CERT starts charging, their volunteer army will dry up very fast. Besides that, they are federally funded. Either leave it public, or stop spending my tax money on it if it wants to run itself like a private business.

    I can imagine CERT becoming like PBS. They get some gov't funding, but also need public support. When they need money, they run fundraisers, pumping out all the good and useful alerts in the middle. When they don't need money, they don't run the fundraisers, and they pump out "Microsoft Windows ME for Children!" how-tos.
    --

  • Who would pay 70k?

    Why a large company that might want a person on the board.

    And once a large corp. has somebody on the board they could (in theory) slow the releases of certain warnings.
  • by beej ( 82035 ) on Thursday April 19, 2001 @12:23PM (#278720) Homepage Journal
    If CERT wants to go private and charge $2500 to $70,000 for timely alerts, then the US Government should sign up at $70,000.

    Since the government currently pays CERT $3,500,000 each year, I say that entitles us taxpayers to FREE UP-TO-DATE alerts.

    CERT can't have it both ways. They can piss off if they want to use my tax dollars and give me nothing in return.
  • The implication here [tbo.com] is that CERT notifies government agencies 45 days before they notify the public (which is why CERT advisories always seem to be extremely late to anyone reading bugtraq). The suggestion here is that they're going to start letting companies buy into the original notification round, a full month and a half before they announce it to everyone else.
  • No offense, but SMBRelay's been out for a couple of weeks.
    That said, if you were subtly looking to make a point about paying for what you should already know if you're keeping your eyes open, good show.
  • by BobGregg ( 89162 ) on Thursday April 19, 2001 @12:00PM (#278723) Homepage
    1. The primary reason CERT usually delays releasing security holes to the public is so that government agencies can know about them before they become widely known as exploits. How will their selling this information to corporations affect the security of those government agencies? Was this even a concern in their decision? Isn't that their primary reason for *existing*?

    2. Along the same lines as above, this "service" is only "valuable" if it really does provide "early" information. All it takes is one mischievous (or pissed) net admin who gets the early releases from his boss at one of these companies, and the information would be released to everyone, regardless of whether the prescribed interval has passed or not. So... how does this "service" protect the security of the companies who pay for it, either, now that anybody and their brother among their customer base could be a potential security threat? Will the companies that sign on have to sign agreements or waivers to promise not to tell anyone about the security holes CERT tells them about? And if so... how screwed up is that??

    Incidentally, the copyrights on CERT advisories are held by Carnegie Mellon University, unless I'm mistaken. Does a cut of the proceeds to this go to them? If so (being a CMU grad myself), well, okay then. :-)

    One more thing, the ISA has a FAQ [isalliance.org] (which doesn't address any of the above).

  • Sorry, you're wrong. The U.S. Postal Service has not received any federal money for a good many years now. It is entirely self-funded.

    Whether that will continue is in doubt, since the USPS's profits are steadily declining as the years go by, but at least for the time being...
  • Essentially, money exchanges hands --which is a good thing for the economy most of the time. As for the quality of service, only those paying for it can aptly testify to its merits. Who knows, maybe it'll have free dilbert comics or back issues of playboy attached. Or maybe all subscribers get a l33t mailbox @cert. The rest of us, those of us whose prejudice prevents us from evaluating the service to be rolled out, will simply live in blissful lack of privilege. We will instead have to resort to bug reports put together by a bunch of volunteers... with no dilbert comics, and no free pr0n.

    I realize that this is all highly speculative, and your own views may prevent you from seeing the reason in my comments, but I shall not hold that against you, as each is entitled to their own opinion, their own viewpoint, and yes --their own prejudice.

    May goatse.cx live forever in the minds of those unfortunate enough to have the experience without ample protection.

  • Unless they patent the advisories.

  • Hmm..
    Actually, I just walked in to SEI two days ago for a job interview. I had to sign in and get a visitor's pass; that's it.
  • Not to defend this strategy, but the post office is federally funded, and they charge for their services too.

    I'd rather that corporations pay for it than my tax dollars. =)
  • The alerts that go to the Air Force base that my father works at arrive about a week after I learn about the same security problems from other sources, usually from /..

    Hmmm... do you also get the public CERT releases? I've never compared the times that items on Slashdot appear in the CERT Advisory emails. Other people in this discussion have suggested the difference is like a month.

    --
  • If they're behind, and they try to charge, nobody will use them.

    According to the articles linked to from the story, the stuff on their site and the emails are intentionally behind. Right now, only the government gets immediate notification of security concerns. The information is then delayed at least 45 days before it is released elsewhere.

    Perhaps they're at risk of losing their Federal funding and want to sell the service they've been exclusively selling to the government to the public.

    Also, I have never gotten a CERT advisory that didn't say how to fix the problem. Perhaps this earlier notification will simply be that there is a problem ... solution to follow.


    --
  • Once more, properly formatted:

    If they're behind, and they try to charge, nobody will use them.

    According to the articles linked to from the story, the stuff on their site and the emails are intentionally behind. Right now, only the government gets immediate notification of security concerns. The information is then delayed at least 45 days before it is released elsewhere.

    Perhaps they're at risk of losing their Federal funding and want to sell the service they've been exclusively selling to the government to the public.

    Also, I have never gotten a CERT advisory that didn't say how to fix the problem. Perhaps this earlier notification will simply be that there is a problem ... solution to follow.

    --
  • According to that TBO article [tbo.com], the ISA is going to be putting effort into lobbying Congress on such issues as privacy regulation...

    So the money they'll take in isn't just targeted to pay the hard-working folks checking security holes, it seems.

  • CERT will still post their normal advisories just as they always have (late and free). The only difference is that now you can get them much sooner if you have a few grand burning a hole in your pocket.


    --
  • CERT isn't getting the bugs reports any earlier than before. They've always waited insane amounts of time before releasing them. Now you can get them soon after they do if you feel you have too much money lying around.


    --
  • Hey, don't even joke about PeopleSoft! The Virginia Community College System is moving to PeopleSoft and I'm fortunate *cough*choke*gag* enough to be involved in the move. What were they smoking!? When I first found out about the move, I searched the 'net for more info about them. The only information I could find about them was about the lawsuits pending against them. And they're surprised when it doesn't work!?


    --
  • As a Canadian, I must state that our health care system is in shambles. It's a great setup for anyone who does not have any real medical needs aside from checkups and the infrequent hospital visit. However, for someone like me, who will probably be stuck in the medical system for the rest of my life, it flat out sucks. The federal government holds back health care funds if the province allows private clinics, yet hospitals refuse to do vital tests (MRIs, etc) because they are too expensive.

    So, with the lack of private clinics, I'm not *allowed* to opt to pay for the test just because some can't afford it. I'm to the point now where I will probably have no choice but to go to the US for treatment since our health care system won't allow me to pay for it here. It's a nice idea in theory, but in practice it flat out fails.

    Matt
  • I think it is more like having to pay to park my car at a national park that is funded by taxes.

    Oh wait... doesn't it cost 20 bucks to see the Grand Canyon?
  • I figure today's load is due to some idiot's "FP" perl script.
  • "0" offtopic my ass! CERT is housed at Carnegie-Mellon U. Who was Carnegie? A Robber baron. And what is CERT doing? Gouging the public for a service that is a day (or forty-five) late and thousands of dollars short. Geez, give moderatorship to some folks and it goes to their head.
  • by uberdood ( 154108 ) on Thursday April 19, 2001 @11:51AM (#278740) Homepage
    They are no more a government agency than NSI was when they were rippin' us off for domain registrations. They are a non-academic branch of Carnegie-Mellon U. They are an organization with a federal contract and federal funding. But they aren't federalies.
  • by Rura Penthe ( 154319 ) on Thursday April 19, 2001 @11:43AM (#278741)
    If they're behind, and they try to charge, nobody will use them. The problem *should* fix itself. :)

    As a side note, Slashdot is laggin' bad. The trolls reload the front page one too many times?
  • by Glowing Fish ( 155236 ) on Thursday April 19, 2001 @11:46AM (#278742) Homepage

    Isn't CERT a government agency? Isn't it charging for updates somewhat akin to having to tip the fire department extra to get to your house before it burns down?

  • Once CERT starts charging, their volunteer army will dry up very fast.

    Heh. Remember CDDB?

    I set any CDDBP-aware app I come across to use FreeDB [freedb.org].

    Any organization that rapes the enthusiasm of volunteers deserves to die a quick and painful death.

    --

  • Uuh. Wait a minute

    If a bugtraq poster uses the copyleft?

  • I wonder if they are planning on compensating the bug hunters whose advisories they recycle

    This from the website that brought you "Voices from the Hellmouth", all without thinking about compensating the people who posted the comments that made up the content of the book.

  • I live in Pittsburgh, and if you want to get into CERT it is a very big pain. Because it's funded mainly by the government, you need to get security checks and such and you can't just walk in or anything to try and get a job. I would like if they started charging for this and went off of government funding, as this seems like a really neat place to work. I think the main consumers for CERT will be corporations that can spring for the money, because they would rather have something "official" coming from a fairly large sized company rather than coming from a rogue company named BugTraq. Most of us don't really use CERT rather corporations tend to because they feel using a real company is safer and will soon be willing to charge for this feature.
  • MS already does charge for updates. For example, Win95, service pack 5 is called Windows ME.

  • by davejhiggins ( 188370 ) on Thursday April 19, 2001 @12:40PM (#278748) Homepage
    Following on from the hugely successful Guess when Mir will splash [slashdot.org] thread, why don't we have a competition to guess when the new, improved $70,000-per-year CERT mailing list will finally inform subscribers about the SMBRelay exploit just mentioned in an article on theregister [theregister.co.uk] posted a couple of hours ago? (Someone may even submit it to slashdot and have it accepted yet; the fact that WinNT lanman is insecure isn't really "news" for nerds any more but you never know).

    Same rules could apply... include an ISO format string (YYYY-MM-DD HH:MM:SS) in the body of your post, times in EST and a Slashdot T-Shirt goes to the winner.

    We might have to invent a rule such as "The official time will be taken as the time on the header added by the first mailserver the message goes through" to avoid CERT getting wind of it and setting their system clocks back a year, and winning, but I'm sure the powers that be could agree on a fair system. :)

    A funnier competition would be "how many passwords are cracked as a result of SMBRelay before CERT gets around to posting it" of course, but I can imagine that would be somewhat more difficult to judge :) Either way, if word about the competition gets around, we'll have made our point.

    Dave

  • What will happen to those of us who are running our own individual servers without CERT advisories? Granted they aren't usually the first people to release advisories for bugs (as has already been noted), they are still a very important resource to the security community as a whole. This move implies that non-profit organizations and individuals aren't as important to the security of the web community as the commercial members who can afford to pay. Obviously, this should not be the case. Nobody should be penalized by having an insecure server just because they couldn't pay a stupid money-grubbing company's fee.
  • by ZanshinWedge ( 193324 ) on Thursday April 19, 2001 @12:09PM (#278750)
    One, CERT isn't a private organization, they get tax money. Two, why buy something that's late and of inferior quality? Doesn't make a whole lot of sense.

    And, for the record, socialism has worked out pretty well. Just ask the developed world. Or hadn't you noticed the socialist aspects of all modern industrialized nations? Welfare, unemployment benefits, social security, government funded roadways, medicare, medicaid, government grants to college students, the list goes on and on. And in Europe and Canada they are even more socialist! With their nationalized health care and whatnot. The majority of the government budgets for all industrialized nations is for "socialist" programs.

    Communism however is a different ball of wax.

    Imagine that, a slashdot troll who doesn't know his ass from a hole in the ground.

  • Charging for security information is a very bad idea. Say a bug is discovered with one of your client's products, client knows about the bug first and asks for you to delay mentioning it for a while or to soften the blow.

    If the customer were worth $70k to you, would you deny them that request?

    By charging for these alerts you have a conflict of interest. Personally, I would never trust security from a for-profit business. As a result, there are a lot of security sites that have lost my trust because they've gone commercial.

  • Since I've paid my taxes, I've already paid them for this information.

    And since you've paid for assorted classified military research via your taxes, should you also have access to it?

  • ... the next step being they stop accepting ALL federal money, and generate all the money they need as any other private business.
  • I've retained my presence on the CERT mailing list merely for its humor value.

    My .02,

  • That's right man, shame on /. Wouldn't want anyone to post stories you don't agree with, would we?
  • by Zeinfeld ( 263942 ) on Thursday April 19, 2001 @03:53PM (#278756) Homepage
    CERT used to be notorious for not giving credit. I had a blazing row with their sysop over email on Bugtraq on the topic. Amongst the 'excuses' for not crediting the discoverers of the bugs was that 'they are mostly private individuals and not academic authors'.

    Needless to say this struck me as a bit off since a private consultant has a much bigger need to get credit for their work than a tenured academic and every bit as much right.

    I sent a registered letter to the Director of CERT telling him that if I saw another similar complaint of not giving credit in an alert on Bugtraq I would make a formal complaint to the CMU board of plagiarism. Shortly thereafter the alerts started to give credits. If they have slipped call CMU and complain.

    Security types tend to be very smart and very paranoid, why the CERT git thought plagiarising their work would be a good plan is beyond me.

    CERT are entirely dependent on the quality of the information they are provided. The main complaint of CERT is that they have in the past waited too long for the vendor to put out a fix to issue an alert. Restricted publication of early alerts could be a good way to put vendors' feet to the fire without full disclosure.

  • $2,500 is nothing when you consider how much it would cost to 'clean up' after a major security breach. I doubt many larger companies will have a problem with forking over $70k.
  • Pay out the nose for archaic information you can get almost anywhere else? It's nice to see the dotcom business model of exclusive, up to the minute information for free turned totally on its ear. But I'll bet they make a lot of money...this is the kind of thing the average I-went-to-school-for-computers-and-all-I-got-was-a-lousy-MCSE IS Manager wets himself over (ours has a poster talking about different hacker techniques, including the popular "social engineering" methods such as "The Lady In Red" and "Lost Password." It also warns the reader to be careful of email viruses and activeX DoS attacks when visiting hacker websites like the Hacker's Layer and L0pht heavy industries).

  • I see no problem with CERT charging people for information, what I think about this is pretty straightforward...

    If a company is going to dish out mega bucks for this service, it could be part of a business write off of some sorts, which if this is the case, it's a good move.

    On the other hand, CERT isn't as up-to-date with advisories as is Security Focus, which is FREE. So if companies are as stated looking to save money it's a bad move, since the information is already freely posted on other security forums.

    What I find slightly disturbing is, now I question whether security incidents will not be reported because someone is not a paying customer of CERT, which is totally shady.

    Will CERT's new venture withhold information which could hinder the security of products?... Only time will tell...

    AntiOffline Advisories [antioffline.com] (no charge)

  • looks as if the next addition to norton utilities will be CERT...
  • by osorronophris ( 318023 ) on Thursday April 19, 2001 @11:49AM (#278761)
    CERT is federally funded. At least *part* of the idea was to provide a timely list of security problems to anyone at *no cost*.
  • The closest thing to CERT in a government agency that I know of is the FBI's National Infrastructure Protection Agency, or NIPC [nipc.gov]. They exist primarily to protect critical government infrastructure, but that obviously has a lot to do with private systems as well.

    The FBI and NIPC have also started a system called Infraguard [fbi.gov], which is designed to be a bridge to the private sector. It's a pretty recent development.

    -Keslin [keslin.com], the naked nerd girl

  • Ah... yea... And we do. We've paid for that military research, and we pay for soldiers to take that research and utilize it to protect us. I'd have to say, that would be access to it.
  • Undoubtedly the people who subscribe to this service are like the MCSE weenies where I work. They have this belief that if something costs a lot of money, it must be good. Mmmm... yeah. Can you say peoplesoft?

    I will be mirroring bugtraq soon and selling subscriptions for $10k/yr, no matter how big the organization is. Pass this on to any of those MCSE types you know. Thanks.

    --

  • It's proper to refer to it as 'Bitmap' Utilities.

    Peter Norton hasn't been anything but a bitmap on the box in ages.
  • The way this is going, what bright idea are we going to see next?

    I can see it now...

    "Microsoft to charge for Windows updates."

    "Dynamix/Sierra to charge for Tribes 2 patches."

    "DoubleClick to charge for banner ads."
  • I suppose I should've left the U in updates capitalized. I wasn't referring to changes in the version numbering, I was referring to those stupid little patches they release to plug holes in the system. How about this: "Microsoft to charge for future DirectX revisions."
  • I fail to see the relevance of these comments, obviously most of you are in agreement that bugtraq is, at the least, coming out with the bugs at the same time, possibly before hand. If CERT decides to charge, it really doesn't affect any of us, because there are still free alternatives, which most of you read anyways.
  • We must hispanically speaking learn not be systemlogically misunderestimated by these risks. Why come can't become CERT charge companies for there services when in harshified realityisms security should not be pro bono.
