[ISN] Re: Stephen Northcutt needs your help

InfoSec News isn at c4i.org
Wed Jun 30 10:29:08 EDT 2004


Forwarded from: security curmudgeon <jericho at attrition.org>
To: InfoSec News <isn at attrition.org>, ip at v2.listbox.com
Cc: stephen at sans.org

[Editorial note: Due to a little technological error at this end, ISN 
is going out a little late. Also, I have about six pro and con mails 
about SANS I need to cut and paste, then I will kill this thread; 
any future mails can go directly to Stephen Northcutt.  - WK]
  

SANS may be a non-profit but that doesn't mean the organization's
employees work for free. Those who are full-time with SANS get paid
for their work - and they are paid very well.

While there may be some dispute regarding SANS and their reliance on
"volunteer work", let's not forget they have chosen not to pay certain
speakers in the past despite previously agreeing to do so.

Also interesting is the timing of Northcutt's email. It seems just as
he wants CERT out of SANS' turf, the SANS diary gets updated with
information about the latest and greatest threat received from a
conference call full of government and military folks, including some
from CERT. Despite their teeth-gnashing, they are certainly
benefiting from their CERT relationship.

The course Northcutt is referring to is a Carnegie Mellon Software
Engineering Institute course (CM SEI) that receives government
funding. He argues that due to said government funding, CERT shouldn't
be able to provide training if a commercial organization provides the
same or similar service. Following this "logic", CERT advisories and
bulletins should stop since several commercial outfits provide the
same service. The CERT VU/KB vulnerability database should go away
since there are other free and commercial VDBs being maintained. I'm
sure this wouldn't have any adverse effects on the security community
at all.

Plain and simple, Northcutt's complaint is shallow and selfish. If a
person wants general security training, what are they going to search
for? "Security Training" - which brings up SANS as the first result. I
don't know if things have changed since the post, but searching for
"SANS Training" gets a link to giac.org first, sans.org second. Is
this really an issue? And is the real complaint the supposed violation
of OMB A-76? Or is this a concern over your next paycheck, Mr.
Northcutt?

As it stands, SANS offers classes for as much as US$2,645 for five
days of training. If you have only ten students in class, that is
$26,450 incoming. Remove instructor fee, equipment cost and room
rental and that is still a significant amount of money. If SANS isn't
using a paid instructor (or they do, and opt not to pay them), SANS
must make a killing on this training:

   SANS also offers a Volunteer Program through which, in return for
   acting as an important extension of SANS' conference staff, 
   volunteers may attend classes at no cost. Volunteers are most 
   definitely expected to pull their weight and the educational 
   rewards for their doing so are substantial.

Add to the above general hypocrisy from SANS, and it's nearly
impossible not to laugh at Northcutt's letter. Let's look at another
letter from Northcutt in the wake of the "Code Red" worm:

   http://www.attrition.org/errata/sec-co/sans02.html

   SANS Instructors, Jason Fossen and Eric Cole are available during 
   the next few weeks to teach a special one-day course on Securing 
   IIS.

   We haven't determined pricing yet, but it would be
   inappropriate to try to capitalize off of this attack.

This is blatant ambulance chasing, something that seems more
reprehensible than anything CERT has done with a few Google AdWords.


Jericho
Security Curmudgeon

ps: Does anyone else find the fact that "sans" in French means
"without" or "lacking" somewhat ironic?
