CERT Rides the Short Bus

CERT Rides the Short Bus
Wed May 17 13:44:30 MDT 2000
Brian Martin (jericho@attrition.org)

One of the resources Attrition.org provides is mirroring defaced web pages. One of the related services is running three mail lists revolving around defaced web pages. We offer three different mail lists to accomodate people wishing to stay abreast of the latest defacements:

	defaced - this list receives one piece of mail per domain hacked
		  and spans all TLDs regardless of country.

	defaced-gm - this list receives on piece of mail for each .gov
		  or .mil domain defaced. this caters to law enforcement,
		  security personnel, etc.

	defaced-alpha - this list contains the same traffic as
		  'defaced-gm', but sends it to alpha-numeric pagers. this
		  list caters to law enforcement.

The Attrition defacement mirror is fairly high profile. Articles from almost every online publication ranging from the New York Times to MSNBC to Slashdot have linked to our mirrors to show their readers what was defaced or list other defacements by the same individual. There are currently over one thousand subscribers to the various lists mentioned above, with more joining every day.

Despite this high profile resource that is directly related to computer crime, intrusion incidents and 'hacking' statistics, one of the most well known computer crime organizations is just catching wind of us. CERT was originally the Computer Emergency Response Team (www.cert.org) which tracks computer intrusions, hacking incidents and web page defacements. In doing so, they are essentially the government's answer to generating statistics and responding to computer crime.

Almost six months after the creation of these mailing lists, even longer after the creation of the defacement mirror, CERT finally subscribes to one of the three lists. Rather than subscribe to 'defaced' to learn about ALL web page defacements, this CERT employee opted to subscribe to 'defaced-gm' to learn about government/military sites being defaced.

Perhaps it is just me, but when you have a site like Attrition offering these lists to everyone for free, it might be prudent to use those resources. In generating statistics or tracking computer crime, why leave out a bulk of the defacements that are occuring and only look at gov/mil?

Does this hint that CERT is not interested in the masses any longer? That only government and military sites deserve their attention? That lowly .com, .net or .edu people aren't worthy of their attention? Ironic coming from a group based out of Carnegie Mellon University.

One of the reasons Attrition stands out is that web defacers will report their crimes to us. Obviously, they will not run to CERT or law enforcement and do the same. Does this not seem like the perfect resource for both to use? Juding from the amount of gov/mil subscribers to both lists, it seems that law enforcement has figured it out pretty quick. Yet CERT has not.

Who funds CERT?

   The CERT/CC is funded primarily by the U.S. Department of Defense and a
   number of Federal civil agencies. Other funding comes from the private
   sector.  As part of the Software Engineering Institute, some funds come
   from the primary sponsor of the SEI, the Office of the Under Secretary
   of Defense for Acquisition and Technology.

My tax dollars help fund CERT. Great. There is nothing more discouraging than seeing a citizen funded organization not using free resources at their disposal. Resources that would help them in their mission statement and be more effective at what they do. With organizations like CERT wearing blinders, computer criminals are a bit safer.