Common Vulnerabilities and Exposures database funding ending

From The Register

The 25-year-old CVE program plays a huge role in vulnerability management. It is responsible for overseeing the assignment and organization of unique CVE ID numbers, such as CVE-2014-0160 and CVE-2017-5754, for specific vulnerabilities (in this case OpenSSL’s Heartbleed and Intel’s Meltdown), so that when people refer to particular flaws and patches, everyone agrees on exactly what is being talked about.

It is used by companies big and small, developers, researchers, the public sector, and more as the primary system for identifying and squashing bugs. When multiple people find the same hole, CVEs are useful for ensuring everyone is working toward that one specific issue.


It basically works like this: When an individual researcher or an organization discovers a new bug in some product, a CVE program partner — there are currently a few hundred across 40 countries — is asked to assess the vulnerability report and assign a unique CVE identifier for the flaw if and as necessary.
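A small added example, not from The Register or the CVE program itself, of why the shared identifier matters in practice: when several scanners, pentest reports and tickets describe the same hole (the point made two paragraphs up), the CVE ID is the key you deduplicate on, so each report's ID needs to be validated and normalized first. The code assumes the published CVE ID syntax ("CVE-", a four-digit year, "-", and a sequence number of at least four digits) and a program start year of 1999; the sample findings and source names are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# CVE ID syntax: "CVE-" + four-digit year + "-" + sequence of at least four digits.
# Assumption: sequence numbers longer than four digits are accepted as-is.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
CVE_FIRST_YEAR = 1999  # the program's first year; used as a plausibility check


def parse_cve_id(text: str) -> Optional[Tuple[int, int]]:
    """Return (year, sequence) for a well-formed CVE ID, else None.

    Surrounding whitespace and lower-case input are tolerated, since IDs
    pasted from tickets and scanner output are often sloppy.
    """
    m = CVE_ID_RE.match(text.strip().upper())
    if not m:
        return None
    year, seq = int(m.group(1)), int(m.group(2))
    if year < CVE_FIRST_YEAR:
        return None
    return year, seq


def canonical_cve_id(text: str) -> Optional[str]:
    """Canonical form: four-digit year, sequence zero-padded to at least four digits."""
    parsed = parse_cve_id(text)
    if parsed is None:
        return None
    year, seq = parsed
    return f"CVE-{year}-{seq:04d}"


def extract_cve_ids(text: str) -> List[str]:
    """Every distinct CVE ID mentioned in free text (an advisory, a scan report), canonicalized."""
    found = re.findall(r"CVE-\d{4}-\d{4,}", text, flags=re.IGNORECASE)
    return sorted({cid for cid in (canonical_cve_id(f) for f in found) if cid})


# Constructed sample: the same two flaws reported by different sources in different spellings.
SAMPLE_FINDINGS = [
    {"source": "scanner-a", "id": "CVE-2014-0160", "note": "OpenSSL Heartbleed on web-01"},
    {"source": "scanner-b", "id": "cve-2014-0160 ", "note": "TLS heartbeat over-read"},
    {"source": "pentest", "id": "CVE-2017-5754", "note": "Meltdown, unpatched kernel on db-02"},
    {"source": "ticket", "id": "CVE-2017-05754", "note": "same flaw, zero-padded by hand"},
    {"source": "ticket", "id": "CVE-17-5754", "note": "malformed ID, cannot be matched"},
]


def group_by_cve(findings: List[dict]) -> Tuple[Dict[str, List[str]], List[dict]]:
    """Group findings by canonical CVE ID; malformed IDs are returned separately for triage."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    rejected: List[dict] = []
    for finding in findings:
        cid = canonical_cve_id(finding["id"])
        if cid is None:
            rejected.append(finding)
        else:
            grouped[cid].append(finding["source"])
    return dict(grouped), rejected


if __name__ == "__main__":
    grouped, rejected = group_by_cve(SAMPLE_FINDINGS)
    for cid, sources in grouped.items():
        print(cid, "reported by", ", ".join(sources))
    for finding in rejected:
        print("could not parse:", finding["id"])
```

Keeping malformed IDs in a separate rejected list, rather than silently dropping them, matters: a finding with an unparseable ID is still a finding, it just cannot be merged with the others until someone fixes the identifier.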

The program is sponsored, and largely funded, by the Cybersecurity and Infrastructure Security Agency, aka CISA, under the umbrella of the US Department of Homeland Security. It appears MITRE has been paid roughly $30 million since 2023 to run CVE and associated programs.


This funding ended last week. Keeping developers informed about vulnerabilities in a central location is a national security issue as well as a business issue. An exploited product that costs you money as a business owner is one thing, but if the thing that was exploited is a tool that other companies use as well, then the exploit can spread and impact huge swaths of the U.S. economy; see Heartbleed.

The TSA Is Terrible at Everything

Reason.com takes a look at a bunch of TSA stats, including a heavily redacted document regarding security breaches.

The article pulls out some interesting data from a report compiled by the Republican staff of the House Committee on Oversight and Government Reform and House Committee on Transportation and Infrastructure. Here are a few highlights:

  • 85 percent of the approximately 5,700 items of major transportation security equipment currently warehoused had been stored for longer than six months; 35 percent of the equipment had been stored for more than one year. One piece of equipment had been in storage more than six years—60 percent of its useful life.
  • TSA had 472 carry-on baggage screening machines warehoused, more than 99 percent of which have remained in storage for more than nine months; 34 percent of the machines have been stored for longer than one year.
  • TSA possessed 1,462 explosive trace detectors in storage, each purchased at a cost of $30,000. Of those devices, 492 had been in storage for longer than one year.

We should be utterly dumbfounded by these numbers. Not because we want the technology implemented, but because the equipment was bought in the first place. It equates to the TSA being given a blank check to shop in the billionaire’s version of SkyMall, all while not being completely honest about security breaches.

Even more disturbing is that even though these numbers and a series of “groping” incidents have made the news, the TSA continues to expand its reach. There are reports of TSA pat-downs and bag searches taking place at McCormick Station in Chicago during the NATO summit.

I am not sure any of this is going to stop until a number of people in office put their foot down. The TSA seems less concerned with traveler safety and more concerned about the newest, fanciest equipment and which order to put people through the nude-o-scope. The goal is to make travel safer. If the TSA has lost sight of that goal, then it’s time for us to move on, shutter the TSA, and figure out a better way of performing the single task at hand.

Education and the Silent Trillion

Behind all of the healthcare debates and save-face moments lies another policy proposal that is quietly making its way through the House. The Obama administration is proposing to increase its current 20% share of the student-loan origination market to 80% by July 1, 2010, letting the remaining public sector 20% just fade away.

For decades, federally backed student loans were the most common way to borrow for college. Money was raised in the private sector, loans were made, and the private institutions paid a fee to the government for each loan. In return, the government covered most of the defaults, which, in turn, allowed the private lenders to make a regulated return. All of that changed in 2007 when Congress legislated a return so low that no private lender could make a profit holding the assets.

The administration claims this will save $87 billion, but the Congressional Budget Office points to discrepancies and says the real savings are only $47 billion. Long story short, be prepared for default rates to skyrocket and for more students to suffer as they come out of college and realize that missing a single payment could cost them dearly.

Education for all! [that can afford it]