
RIP Cert.org - Angostura
https://www.riskbasedsecurity.com/2018/02/rip-cert-org-you-will-be-missed/
======
tptacek
CERT has always had a reputation that far outstripped its impact or
contributions, and has in general been a force working against public
disclosure. Serious vulnerability researchers have never relied on them, and
my definition of "never" goes back into the mid-1990s --- when CERT and FIRST
were really an activist effort to co-opt vulnerability research for the
interests of large vendors.

I'm sure good people work there now, and they'll be fine. If all of CERT's
public web presence goes away, I won't miss them.

~~~
anewhnaccount2
Okay, but what about people who _aren't_ security researchers, who just want
to figure out if their distribution/vendor/self is running vulnerable
software?

~~~
tptacek
CERT was never good for that.

------
mysterypie
Purely speculation, but could this be a way for Carnegie Mellon University to
grab back the prestige that CERT gets even though it's CMU that operates CERT?
I've been aware of CERT for 20 years but never realized that it was a CMU
project. On the other hand, Stanford University gets prestige from lots of
things that use their name, even things like the Stanford Research Institute
that are no longer part of it. So maybe CMU will continue doing everything
that CERT did but with CMU's name at the helm.

~~~
old_haus
Perhaps.

CMU has been heavily involved in quite a bit of what has become mainstream in
federal government InfoSec. They were the ones who built out US-CERT
originally, they have had a hand in helping set up many of the CSIRT/SOC
operations within the federal government, and they continue to play a role in
helping train/evaluate these teams. Although I suspect that many people
outside of (gov) InfoSec are aware of this history.

------
__adh__
CERT's vulnerability coordination work did not go away.
[https://www.kb.cert.org/vuls/](https://www.kb.cert.org/vuls/) remains active.
So does [https://vuls.cert.org/confluence/](https://vuls.cert.org/confluence/)

The only thing that merged was www.cert.org got pulled into the broader
www.sei.cmu.edu web site.

(I work there.)

------
brian_herman
Why in the world wide web would anyone in their right mind do this?!

~~~
welder
> the site was apparently “deemed to be unnecessary”

------
tyler_larson
First of all: never underestimate the nearsightedness and self-importance
of a university governance board.

------
blinkingled
> We were immediately curious if the CERT Vulnerability Notes Database would
> continue to operate, which Dormann confirmed that it would be. He went on to
> say that the site was apparently “deemed to be unnecessary” and expressed
> that he suspects the next phases would include that the “World forgets that
> CERT is a thing” and then “profit”.

It's unclear if the vulnerability database will continue to function in the
long term but so far it survives, it's just the website that's redirecting.

------
gnat
tl;dr: cert.org website closed, redirects into CMU's Software Engineering
Institute website which has been running it. No press releases about this, so
fears and conspiracies abound.

In the article, it says CERT.org costs $1.8B/y. How is that possible? That
sounds bogus to me -- the article doesn't link to the full FOIA response, so
it's hard to fact-check. The 2008 budget apparently earmarked $242M for CERT
<http://www.zdnet.com/article/federal-budget-recommends-us-cert-get-242-million/>.
Anyone have more links to fact-check this statement?

~~~
Nelson69
SEI gets ~$1.8B/year from DHS. I doubt that's all for CERT.

~~~
doktrin
CERT is by far the largest 'department' in the SEI. I'm not sure exactly by
what margin, but they probably account for over 50% of the SEI.

Also the funding model isn't quite that straightforward. As an FFRDC they
receive a certain static amount every year (in the low millions) as some kind
of federal grant. Everything else is income from customer work like you'd find
at any other contractor. In terms of revenue, most of the big bucks probably
come from DoD and not DHS.

~~~
dgacmu
Also, the $1.8B was a maximum value, not a minimum or guaranteed spend.

------
jrochkind1
If important parts of internet infrastructure (broadly speaking) rely on
charitable donation of service, they're going to start going away, as the
internet is almost entirely commercialized. Or replaced by services 'donated'
by Amazon or Google instead.

------
anfilt
Wait why?

------
notacoward
I'm generally a blockchain hater, but it seems like distributing/maintaining
CVE information via something blockchain-ish would be pretty cool.

~~~
bastawhiz
IPFS would do the job equally well.

~~~
jlgaddis
What's wrong with, you know, the way we've been doing it for the last 25 years
or so?

Exactly what benefit does "but blockchain!" bring?

~~~
drdrey
I am guessing OP means it can't be deleted or taken down

~~~
macintux
Maybe, but the content isn’t really in danger, it presumably can be backed up,
and presumably already has.

What’s in danger is the work required to coordinate such efforts in the
future, and rubbing blockchain on it doesn’t help.

(I know you weren’t advocating it, I just get tired of people who don’t
understand the amount of effort that goes into “free” content.)

