CERT has always had a reputation that far outstripped its impact or contributions, and has in general been a force working against public disclosure. Serious vulnerability researchers have never relied on them, and my definition of "never" goes back into the mid-1990s --- when CERT and FIRST were really an activist effort to co-opt vulnerability research for the interests of large vendors.
I'm sure good people work there now, and they'll be fine. If all of CERT's public web presence goes away, I won't miss them.
Okay, but what about people who aren't security researchers, who just want to figure out if their distribution/vendor/self is running vulnerable software?
Purely speculation, but could this be a way for Carnegie Mellon University to grab back the prestige that CERT gets even though it's CMU that operates CERT? I've been aware of CERT for 20 years but never realized that it was a CMU project. On the other hand, Stanford University gets prestige from lots of things that use their name, even things like the Stanford Research Institute that are no longer part of it. So maybe CMU will continue doing everything that CERT did but with CMU's name at the helm.
CMU has been heavily involved in quite a bit of what has become mainstream in federal government InfoSec. They were the ones who built out US-CERT originally, they have had a hand in helping set up many of the CSIRT/SOC operations within the federal government, and they continue to play a role in helping train/evaluate these teams. Although I suspect that many people outside of (gov) InfoSec are aware of this history.
> We were immediately curious if the CERT Vulnerability Notes Database would continue to operate, which Dormann confirmed that it would be. He went on to say that the site was apparently “deemed to be unnecessary” and expressed that he suspects the next phases would include that the “World forgets that CERT is a thing” and then “profit”.
It's unclear if the vulnerability database will continue to function in the long term, but so far it survives; it's just the website that's redirecting.
tl;dr: cert.org website closed, redirects into CMU's Software Engineering Institute website which has been running it. No press releases about this, so fears and conspiracies abound.
In the article, it says CERT.org costs $1.8B/y. How is that possible? That sounds bogus to me -- the article doesn't link to the full FOIA response, so it's hard to fact-check. The 2008 budget apparently earmarked $242M for CERT <http://www.zdnet.com/article/federal-budget-recommends-us-ce.... Anyone have more links to factcheck this statement?
No, it's more like $150M per year from the DoD. The 1.8B number makes sense if you are talking about a decade's worth of funding. They also get some funding from private industry.
Seems like not many people from the FFRDC community read or post on HN.
CERT is by far the largest 'department' in the SEI. I'm not sure exactly by what margin, but they probably account for over 50% of the SEI.
Also the funding model isn't quite that straightforward. As an FFRDC they receive a certain static amount every year (in the low millions) as some kind of federal grant. Everything else is income from customer work like you'd find at any other contractor. In terms of revenue, most of the big bucks probably come from DoD and not DHS.
If important parts of internet infrastructure (broadly speaking) rely on charitable donation of service, they're going to start going away, as the internet is almost entirely commercialized. Or replaced by services 'donated' by Amazon or Google instead.
It's not "but blockchain" so much as avoiding either logistical or trust dependency on a single entity. Blockchain has all sorts of problems and limitations, the idea of a working currency based on it is absolutely insane IMO, but it has these particular properties. So do more complex systems such as IPFS or Tahoe-LAFS or LOCKSS, but ... well, they're more complex. Other solutions such as simple mirroring don't necessarily solve the trust problem. Of the technologies currently available, blockchain seems like a pretty decent choice.
IPFS doesn't use a blockchain, which is why I suggested it. It allows content to be published permanently. If you wanted to keep the real, actual CERT homepage around, you only need to choose to propagate it from your node.