From: Anonymous <nowhere@bsu-cs.bsu.edu>

This question has come up a couple of times lately, and nobody seems to be talking. Does anyone know the budget size and sources for CERT? Is CERT 'officially' part of the government or do they operate independently? And could a FOIA request yield results, do you think?

I saw a message on this topic a couple of days ago where the poster speculated about NSA funding for CERT. I posted the following reply to the cypherpunks list then but I did not see it echoed to the list. Maybe the work being done for the ratings hoo-ha lost some of the postings. Anyhow here it goes again - my apologies if you've seen this already.

Don't get too worried about CERT and its budget. I interviewed there - oh - around 18 months ago. This was prior to the sniffer fiascos and the sendmail-bug-of-the-week deluge.

CERT had a section of the "Institute for Software Engineering" building which is a very nice building next to CMU. The CERT offices were kind of crowded and there were some partitions. Most of the staff had their own office, however. I noted which ones had window offices and stored it away. There were three! :-)

The staff seemed to be all comp-sci grad student types. The main guy was your typical visionary professor type. Before I spoke with him he was interrupted by a call from someone at DARPA about their funding. I am certain that he was having trouble convincing his funders that the problems were growing and that CERT's budget should expand. I got the impression that continued funding of CERT was not a done deal and that even keeping the current level of funding was uncertain. My point - the funding was not substantial and it was not "reliable" funding.

Their hardware was fairly recent but I did see a lot of "old soldier" type computer equipment still in service. There was mostly SUN, some DEC R4000 stuff, and maybe a microvaxII. Most definitely not NSA funded. It is funded by DARPA/USAF just like most old arpanet activity was.

As I interviewed with nearly all of the staff I can say they are all most definitely comp-sci grad student types. Probably all working on MS or PHD over at CMU. I was intrigued by the types of questions that they asked me about. I was asked more questions about software engineering issues than about security issues.
I got the impression that most of the staff had only a peripheral understanding of the technical weaknesses in the current installed base. I know that structured programming, relational databases, case tools, and AI are important but are they important in an OS security framework? (shrug)

I asked them what got CERT started and they told me it was kind of put together informally after the morris internet worm holiday.

I was surprised that they only seemed truly interested in SUN issues. I did not get the impression they were concerned about PC's on the net, VMS systems, or other platforms. Perhaps they all wanted to go to work for SUN later? :-) :-) Clearly other platforms can serve as vehicles for intrusion, and clearly they needed to be interested in anything with an ethernet plug on it. I was surprised by this - I still am.

I was also surprised to find out that there were several organizations other than CERT executing the same functions for each government agency. I learned that there was one for the navy, the dod, the cia, and probably even the coast guard! :-) I wondered aloud about how much information these groups shared and I got the impression that the other groups might not have trusted CERT too much with good information. In other words there is probably a group that you guys should be worried about because they are deeper in the black and they don't trust the CERT guys either! :-) :-)

I was surprised to see the level of calls that CERT was getting. I saw an endless stream of E-mail and phone calls. One staff member told me that they were averaging around 1400 E-mail messages a day!! Holy shit! Remember this was before sendmail/sniffer! It must be exploding "elm" up there right now. :-) :-)

CMU had very good fringe benefits by the way. I had a real good time and the CERT staff treated me very well. The CMU campus was clean and pleasing to the eye. Just to show they are real computer people they took me to lunch at pizza hut.
It was the first time I'd ever seen anybody use one of those "the club" things on their car wheel. :-) :-)

Anyway I didn't get the position. On the one hand I thought it would be pretty neat but on the other hand I knew the problems they were going to have to deal with were only going to grow like crazy. I thought something big would happen but I didn't expect the hilarious level that the sendmail and /dev/nit problems would reach. The CERT guys have my sympathy. Maybe it was just my good luck working to bail me out again?

I didn't get the impression that they were that up to speed on what could be done to either attack or defend OS security. I am sure they are getting a fast education in that. I am also certain they are getting a fast education in the politics of blame. I see a lot of people really hammering them for suppressing information or ignoring problems. I think we need to realize that they are a small staff and the internet is a mighty big ranch. Clearly they are overwhelmed.

I am also certain that they are learning the politics of getting vendors off their butts to fix things. GROAN!! :-) :-) To top it all off they have to also specialize in the politics of getting continued funding. What a thankless task, so utterly unappreciated by the reckless drivers on the superhighway. :-) :-)

I think we need a be kind to CERT-person-with-beeper-week where all hackers voluntarily stop what they are playing with. This week could begin the day prior to christmas eve and last until January 2.

---------

I'd like a 250 Mhz 128 bit hybrid processor with 64 meg of 8 way interleaved memory, a 10 megabyte per second i/o channel, two 3 gig hard disks, two dat drives with compression, and a large diet coke.