Bug chase bungle

Maybe you missed this news last week amid all the hubbub about the Slammer worm: Security researcher Next Generation Security Software Ltd. (NGS) said it will stop sharing information with the CERT Coordination Center, the government-funded clearinghouse that tracks viruses, worms and other security problems. So what? Well, when NGS finds a security hole, it will notify its clients and the software vendor, but not CERT. Which sounds pretty selfish of NGS -- until you consider whom CERT was passing the information along to.

That would be some of NGS's competitors and potential clients. And they've typically been getting the information before CERT notifies the public about a security problem.

Here's how it works: When a bug chaser like NGS finds a security problem, the company warns its clients (who pay for the service) and the vendor involved (who has to fix it). Then the bug chaser tells CERT, so CERT can confirm the problem and prepare its own alert. The public isn't usually told for 45 days, so the vendor has time to develop a patch.

At least that's how it's supposed to work. But since April 2001, CERT has also made vulnerability reports immediately available to the Internet Security Alliance, a CERT-sponsored group whose member companies pay dues ranging from US$3,000 to US$70,000 per year. None of that money goes to the bug chasers; it all goes to CERT.

While that fact isn't a secret, it wasn't widely known. At least the people at NGS didn't know that when they gave away their best stuff to CERT, CERT was selling it on the side. No wonder NGS wasn't happy when it finally realized what was going on.

The upshot? CERT loses early access to a major bug chaser's work. Now CERT will find out about NGS's research when NGS issues an advisory, like the rest of us.

And IT people lose confidence in CERT as the clearinghouse for the most up-to-date, comprehensive IT security information.

But it gets worse. It turns out other bug chasers already knew what NGS just found out. They've been withholding their security research from CERT, too. They just haven't made a big deal about it.

So, at a time when worms, viruses and other threats are rising, CERT's usefulness as a source for security information is collapsing.

And in exchange for this loss in credibility, what does CERT get? A few million dollars.

I prefer full disclosure of security holes, so IT shops can make their own best security decisions. But I also understand that security researchers have to make a living by selling what they've worked hard to discover. They can't afford to give it away to their competition.

Which means IT shops now face a choice. We can become clients of one or more security research outfits, if we really need that level of security information. Or we can make do with the bulletins coming from individual security companies and patches issued by vendors. But we can no longer assume CERT is the place to go for the best information.

CERT has a choice, too. CERT can keep passing along vulnerability reports to the Internet Security Alliance -- guaranteeing that CERT won't get most information from bug chasers.

Or CERT can restore its credibility by killing that program and finding another way to get the few million dollars it currently generates. Maybe the money could come from the government's new homeland security budget. That would be a cheap way of making the nation's IT infrastructure safer.

Or maybe it could be donated, no strings attached, by some high-tech billionaire -- say, a chief software architect who feels directly responsible for the kinds of security messes that CERT should be helping to clean up. It would be good PR, and at a few million a year, dirt cheap.

Bill wouldn't even miss it.
