
re: CERT funding




>From: Anonymous <[email protected]>
>This question has come up a couple of times lately, and nobody seems to
>be talking.
>Does anyone know the budget size and sources for CERT?  Is CERT
>'officially' part of the government or do they operate independently?
>And could a FOIA request yield results, do you think?

I saw a message on this topic a couple of days ago where the poster
speculated about NSA funding for CERT.  I posted the following reply
to the cypherpunks list then but I did not see it echoed to the list.
Maybe the work being done for the ratings hoo-ha lost some of the
postings.  Anyhow here it goes again - my apologies if you've seen
this already.

Don't get too worried about CERT and its budget.  I interviewed there
- oh - around 18 months ago.  This was prior to the sniffer fiascos and
the sendmail-bug-of-the-week deluge.

CERT had a section of the "Institute for Software Engineering" building
which is a very nice building next to CMU.  The CERT offices were kind of
crowded and there were some partitions.  Most of the staff had their own
office, however.  I noted which ones had window offices and stored it away.
There were three! :-)

The staff seemed to be all comp-sci grad student types.  The main guy was
your typical visionary professor type.  Before I spoke with him he was
interrupted by a call from someone at DARPA about their funding.  I am
certain that he was having trouble convincing his funders that the problems
were growing and that CERT's budget should expand.  I got the impression
that continued funding of CERT was not a done deal and that even keeping
the current level of funding was uncertain.

My point - the funding was not substantial and it was not "reliable" 
funding.  Their hardware was fairly recent but I did see a lot of
"old soldier" type computer equipment still in service.  There was
mostly SUN, some DEC R4000 stuff, and maybe a microvaxII.  Most definitely
not NSA funded.  It is funded by DARPA/USAF just like most old arpanet
activity was.

As I interviewed with nearly all of the staff I can say they are all
most definitely comp-sci grad student types.  Probably all working on
MS or PHD over at CMU.  I was intrigued by the types of questions that
they asked me about.  I was asked more questions about software 
engineering issues than about security issues.  I got the impression that
most of the staff had only a peripheral understanding of the technical
weaknesses in the current installed base.  I know that structured
programming, relational databases, case tools, and AI are important
but are they important in an OS security framework?  (shrug)

I asked them what got CERT started and they told me it was kind of put
together informally after the morris internet worm holiday.

I was surprised that they only seemed truly interested in SUN issues.
I did not get the impression they were concerned about PC's on the
net, VMS systems, or other platforms.  Perhaps they all wanted to go
to work for SUN later?  :-) :-)  Clearly other platforms can serve as
vehicles for intrusion, and clearly they needed to be interested in
anything with an ethernet plug on it.  I was surprised by this - I still
am.

I was also surprised to find out that there were several organizations
other than CERT executing the same functions for each government agency.
I learned that there was one for the navy, the dod, the cia, and probably
even the coast guard! :-)  I wondered aloud about how much information
these groups shared and I got the impression that the other groups might
not have trusted CERT too much with good information.  In other words
there is probably a group that you guys should be worried about because
they are deeper in the black and they don't trust the CERT guys either!
:-) :-)

I was surprised to see the level of calls that CERT was getting.  I
saw an endless stream of E-mail and phone calls.  One staff member
told me that they were averaging around 1400 E-mail messages a day!!
Holy shit!  Remember this was before sendmail/sniffer!  It must be
exploding "elm" up there right now. :-) :-)

CMU had very good fringe benefits by the way.  I had a real good time and
the CERT staff treated me very well.  The CMU campus was clean and pleasing
to the eye.  Just to show they are real computer people they took me to
lunch at pizza hut.  It was the first time I'd ever seen anybody use one
of those "the club" things on their car wheel. :-) :-)

Anyway I didn't get the position.  On the one hand I thought it would be
pretty neat but on the other hand I knew the problems they were going to
have to deal with were only going to grow like crazy.  I thought something
big would happen but I didn't expect the hilarious level that the sendmail
and /dev/nit problems would reach.  The CERT guys have my sympathy.  Maybe
it was just my good luck working to bail me out again?  

I didn't get the impression that they were that up to speed on what could
be done to either attack or defend OS security.  I am sure they are getting
a fast education in that.  I am also certain they are getting a fast
education in the politics of blame.  I see a lot of people really hammering
them for suppressing information or ignoring problems.  I think we need
to realize that they are a small staff and the internet is a mighty big
ranch.  Clearly they are overwhelmed.  I am also certain that they are
learning the politics of getting vendors off their butts to fix things.
GROAN!! :-) :-)  To top it all off they have to also specialize in the
politics of getting continued funding.  What a thankless task, so utterly
unappreciated by the reckless drivers on the superhighway. :-) :-)

I think we need a be kind to CERT-person-with-beeper-week where all hackers
voluntarily stop what they are playing with.  This week could begin the day
prior to christmas eve and last until January 2.
---------
I'd like a 250 Mhz 128 bit hybrid processor with 64 meg of 8 way interleaved
memory, a 10 megabyte per second i/o channel, two 3 gig hard disks, two dat
drives with compression, and a large diet coke.