Domain: sardonix.org
Stories and comments across the archive that link to sardonix.org.
Comments · 18
-
Re:Thankless task indeed . . ."... get kicked off DARPA funding too?" Sardonix was not "kicked off DARPA funding." The contract spent its alloted budget and ended. IMHO, the most interesting result to come out of Sardonix, apart from there being more talk than action in security auditing
:-/ was this paper:"Timing the Application of Security Patches for Optimal Uptime". Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, Chris Wright, and Adam Shostack. Presented at the USENIX 16th Systems Administration Conference (LISA2002), Philadelphia, PA, December 2002. Postscript. or ugly PDF.
Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc. -
Augment, Not "Replace"The
/. story says that Sardonix "aspired to replace the Linux security review process. This is not true, and it doesn't even say that in Poulsen's article. Sardonix sought to augment existing software auditing practices, trying to give more credit to people doing the work, and more clearly document the work done. Sardonix was also about open source software in general, and not the Linux kernel in particular.Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc. -
Augment, Not "Replace"The
/. story says that Sardonix "aspired to replace the Linux security review process. This is not true, and it doesn't even say that in Poulsen's article. Sardonix sought to augment existing software auditing practices, trying to give more credit to people doing the work, and more clearly document the work done. Sardonix was also about open source software in general, and not the Linux kernel in particular.Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc. -
Re:If a project falls....
Marketing! The magic word:
Sardonix web site (Why isn't this on the front page?)
List of vulnerabilities
Subscribe to the Mailing list
Become an auditor
Audited programas
Unaudited programs
(Yes, I just linked the left menu in wwww.sardonix.org . Isn't that what marketing is all about after all?)
Guys, this is important. This needs to be promoved everywhere. I'm thinking of translating their website - some spanish people can help?
It's NOT that bored. It CAN'T be that bored. Hell, there're dozens of guys discussing where in the window you should put a fucking button in the gnome/kde lists as we speak. This looks much more fun/useful to me. -
Re:If a project falls....
Marketing! The magic word:
Sardonix web site (Why isn't this on the front page?)
List of vulnerabilities
Subscribe to the Mailing list
Become an auditor
Audited programas
Unaudited programs
(Yes, I just linked the left menu in wwww.sardonix.org . Isn't that what marketing is all about after all?)
Guys, this is important. This needs to be promoved everywhere. I'm thinking of translating their website - some spanish people can help?
It's NOT that bored. It CAN'T be that bored. Hell, there're dozens of guys discussing where in the window you should put a fucking button in the gnome/kde lists as we speak. This looks much more fun/useful to me. -
Re:If a project falls....
Marketing! The magic word:
Sardonix web site (Why isn't this on the front page?)
List of vulnerabilities
Subscribe to the Mailing list
Become an auditor
Audited programas
Unaudited programs
(Yes, I just linked the left menu in wwww.sardonix.org . Isn't that what marketing is all about after all?)
Guys, this is important. This needs to be promoved everywhere. I'm thinking of translating their website - some spanish people can help?
It's NOT that bored. It CAN'T be that bored. Hell, there're dozens of guys discussing where in the window you should put a fucking button in the gnome/kde lists as we speak. This looks much more fun/useful to me. -
Re:If a project falls....
Marketing! The magic word:
Sardonix web site (Why isn't this on the front page?)
List of vulnerabilities
Subscribe to the Mailing list
Become an auditor
Audited programas
Unaudited programs
(Yes, I just linked the left menu in wwww.sardonix.org . Isn't that what marketing is all about after all?)
Guys, this is important. This needs to be promoved everywhere. I'm thinking of translating their website - some spanish people can help?
It's NOT that bored. It CAN'T be that bored. Hell, there're dozens of guys discussing where in the window you should put a fucking button in the gnome/kde lists as we speak. This looks much more fun/useful to me. -
Re:If a project falls....
Marketing! The magic word:
Sardonix web site (Why isn't this on the front page?)
List of vulnerabilities
Subscribe to the Mailing list
Become an auditor
Audited programas
Unaudited programs
(Yes, I just linked the left menu in wwww.sardonix.org . Isn't that what marketing is all about after all?)
Guys, this is important. This needs to be promoved everywhere. I'm thinking of translating their website - some spanish people can help?
It's NOT that bored. It CAN'T be that bored. Hell, there're dozens of guys discussing where in the window you should put a fucking button in the gnome/kde lists as we speak. This looks much more fun/useful to me. -
Re:If a project falls....
Marketing! The magic word:
Sardonix web site (Why isn't this on the front page?)
List of vulnerabilities
Subscribe to the Mailing list
Become an auditor
Audited programas
Unaudited programs
(Yes, I just linked the left menu in wwww.sardonix.org . Isn't that what marketing is all about after all?)
Guys, this is important. This needs to be promoved everywhere. I'm thinking of translating their website - some spanish people can help?
It's NOT that bored. It CAN'T be that bored. Hell, there're dozens of guys discussing where in the window you should put a fucking button in the gnome/kde lists as we speak. This looks much more fun/useful to me. -
Re:If a project falls....
Marketing! The magic word:
Sardonix web site (Why isn't this on the front page?)
List of vulnerabilities
Subscribe to the Mailing list
Become an auditor
Audited programas
Unaudited programs
(Yes, I just linked the left menu in wwww.sardonix.org . Isn't that what marketing is all about after all?)
Guys, this is important. This needs to be promoved everywhere. I'm thinking of translating their website - some spanish people can help?
It's NOT that bored. It CAN'T be that bored. Hell, there're dozens of guys discussing where in the window you should put a fucking button in the gnome/kde lists as we speak. This looks much more fun/useful to me. -
Sardonix?Not exactly what you are discussing but there was a lot of hoopla around Sardonix many months back and it doesn't appear WireX has done anything real with it yet. I'm on the mailing list and it sounds of crickets.
Another thing to remember is that there are decent references out there, some quite well known, that people could follow and use but simply don't (Viega's book, and number of HOWTOs, etc.).
In anycase, you might want to approach WireX and see what, if anything, can be done to resurrect Sardonix. Cheers, -Pk
-
Re:The obvious answer is...
-
Re:Two months? Get real.
OpenBSD defaults to several YEARS of code reviewing. Years between any security hole in the latest release. (Or more, does the openSSH hole count?)
FreeBSD has trusted BSD which has similear aims, plus some code that would be really nice to have.
Sardonix is trying to start a general project to do code reviews. Not really running yet, but good goals, I hope they work out.
Just a quick search of open source sites and code review reveals that most projects think highly of code reviews and encourage them.
And finially, the typical way to get into open source is to do start reading code, and then contribute when you can do something. One of the things you can do is find potential holes
None of the above is perfect. All are useful, and all go on all the time. Maybe Microsoft put in more work into theirs, but I remember openBSD which was just a better netBSD, and not secure. By fixing problems they got secrure. I've been a programer long enough to know that each fix has implications elsewhere. Microsoft might have solved a lot of problems, but my expirence is the first two months introduce more problems than they fix, it is only after fixing those new problems that you begine to make progress, and it takes months to get them all closed.
-
Sardonix: Auditing Open Source SoftwareThe Sardonix project is intended to address some of this problem. "Many eyes make bugs shallow" but only if many eyes are actually looking. Sardonix seeks to encourage source code review with an auditor rating system based on performance. Programs will also be rated, according to who has audited them. Naturally, we provide a set of resources for people to use in their auditing.
Wanna make security better? Come do something about it.
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc.
Immunix: Security Hardened Linux Distribution
Available for purchase -
Sardonix: Auditing Open Source SoftwareThe Sardonix project is intended to address some of this problem. "Many eyes make bugs shallow" but only if many eyes are actually looking. Sardonix seeks to encourage source code review with an auditor rating system based on performance. Programs will also be rated, according to who has audited them. Naturally, we provide a set of resources for people to use in their auditing.
Wanna make security better? Come do something about it.
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc.
Immunix: Security Hardened Linux Distribution
Available for purchase -
Sardonix: Auditing Open Source SoftwareThe Sardonix project is intended to address some of this problem. "Many eyes make bugs shallow" but only if many eyes are actually looking. Sardonix seeks to encourage source code review with an auditor rating system based on performance. Programs will also be rated, according to who has audited them. Naturally, we provide a set of resources for people to use in their auditing.
Wanna make security better? Come do something about it.
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc.
Immunix: Security Hardened Linux Distribution
Available for purchase -
Sardonix: Auditing Open Source SoftwareThe Sardonix project is intended to address some of this problem. "Many eyes make bugs shallow" but only if many eyes are actually looking. Sardonix seeks to encourage source code review with an auditor rating system based on performance. Programs will also be rated, according to who has audited them. Naturally, we provide a set of resources for people to use in their auditing.
Wanna make security better? Come do something about it.
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc.
Immunix: Security Hardened Linux Distribution
Available for purchase -
The fix is on the way
The author's point is correct - while any Open Source package may have been audited, it isn't neccesarily audited well or at all.
But flash-back to the recent announcement of the Sardonix Security Portal, which aims to be a central clearinghouse for tracking audits and auditors. The goal is to have a list of 1) what's been audited, 2) who audited it, and 3) what that particular auditor's track record is on other software - were holes found after they said it was clean?
Obviously this is a new project, and it's founded on the ashes of an earlier effort that didn't get much involvement, but it's a big step in the right direction and it's got DARPA funding. And it probably will do much better jobs with Open Source software than with Closed Source.