Forwarded from: security curmudgeon <jericho@private>
To: InfoSec News <isn@private>, ip@private
Cc: stephen@private

[Editorial note: Due to a little technological error at this end, ISN is going out a little late. Also, I have about six pro and con mails about SANS I need to cut and paste; then I will kill this thread. Any future mails can go directly to Stephen Northcutt. - WK]

SANS may be a non-profit, but that doesn't mean the organization's employees work for free. Those who are full-time with SANS get paid for their work - and they are paid very well. While there may be some dispute regarding SANS and their reliance on "volunteer work", let's not forget they have chosen not to pay certain speakers in the past despite previously agreeing to do so.

Also interesting is the timing of Northcutt's email. It seems just as he wants CERT out of SANS' turf, the SANS diary gets updated with information about the latest and greatest threat, received from a conference call full of government and military folks, including some from CERT. Despite their teeth-gnashing, they are certainly benefiting from their CERT relationship.

The course Northcutt is referring to is a Carnegie Mellon Software Engineering Institute (CM SEI) course that receives government funding. He argues that, due to said government funding, CERT shouldn't be able to provide training if a commercial organization provides the same or a similar service. Following this "logic", CERT advisories and bulletins should stop, since several commercial outfits provide the same service. The CERT VU/KB vulnerability database should go away, since there are other free and commercial VDBs being maintained. I'm sure this wouldn't have any adverse effects on the security community at all.

Plain and simple, Northcutt's complaint is shallow and selfish. If a person wants general security training, what are they going to search for? "Security Training" - which brings up SANS as the first result.

I don't know if things have changed since the post, but searching for "SANS Training" gets a link to giac.org first, sans.org second. Is this really an issue? And is the real complaint the supposed violation of OMB A-76, or is this a concern over your next paycheck, Mr. Northcutt?

As it stands, SANS offers classes for as much as US$2,645 for five days of training. If you have only ten students in a class, that is $26,450 incoming. Remove instructor fee, equipment cost and room rental, and that is still a significant amount of money. If SANS isn't using a paid instructor (or they do, and opt not to pay them), SANS must make a killing on this training:

> SANS also offers a Volunteer Program through which, in return for acting
> as an important extension of SANS' conference staff, volunteers may attend
> classes at no cost. Volunteers are most definitely expected to pull their
> weight and the educational rewards for their doing so are substantial.

Add to the above the general hypocrisy from SANS, and it's nearly impossible not to laugh at Northcutt's letter. Let's look at another letter from Northcutt in the wake of the "Code Red" worm:

http://www.attrition.org/errata/sec-co/sans02.html

> SANS Instructors Jason Fossen and Eric Cole are available during the next
> few weeks to teach a special one-day course on Securing IIS. We haven't
> determined pricing yet, but it would be inappropriate to try to capitalize
> off of this attack.

This is blatant ambulance chasing, something that seems more reprehensible than anything CERT has done with a few Google AdWords.

Jericho
Security Curmudgeon

ps: Does anyone else find the fact that "sans" in French means "without" or "lacking" somewhat ironic?

_________________________________________
ISN mailing list
Sponsored by: OSVDB.org - For 15 cents a day, you could help feed an InfoSec junkie! (Broke? Spend 15 minutes a day on the project!)
This archive was generated by hypermail 2b30 : Wed Jun 30 2004 - 10:18:15 PDT