Slashdot Mirror


DARPA-Funded Linux Security Hub Withers

mAriuZ writes "Initially funded by a grant from the Pentagon's DARPA, the Sardonix project aspired to replace the Linux security review process with a public website that meticulously tracks which code has been audited for security holes, and by whom. As conceived by Crispin Cowan, Sardonix was to attract volunteer auditors by automatically ranking them according to the amount of code they've examined, and the number of security holes they've found. Auditors would lose points if a subsequent audit by someone else turned up bugs they missed. ... In the end, though, nobody showed up."

281 comments

  1. Classic misdirection by corebreech · · Score: 0, Interesting

    This reminds me of NSA's SELinux, a ploy to get everybody to pass over an OS built with security foremost in mind (like OpenBSD) and rush instead into one for which the NSA no doubt has hundreds if not thousands of pre-programmed exploits.

    I'll bet you that's where half of their supercomputer time goes. Iterating across the domain of all possible inputs against Windows and stock Linux distributions, looking for all the holes.

    How does DARPA game Sardonix? By controlling the rankings and emphasizing simple or known security holes while concealing or obscuring those for which federal exploits stand at the ready.

    It would be a great idea, but only if somebody else was running it.

    1. Re:Classic misdirection by tealover · · Score: 4, Funny

      What size tin-hat do you wear? You might want to try a larger size.

      --
      -- You see, there would be these conclusions that you could jump to
    2. Re:Classic misdirection by Introspective · · Score: 5, Informative

      I don't think so. The NSA released SELinux as source code, it has been reviewed by many people and adopted into the 2.6 kernel. It would be rather difficult to sneak in "hundreds if not thousands of pre-programmed exploits" into the Linux kernel.

      Check the FAQ

    3. Re:Classic misdirection by corebreech · · Score: 2, Interesting

      I never said they "sneaked" anything into the code. I only suggest that they are aware that Linux is an easier OS for them to root than others, like the aforementioned OpenBSD.

      They don't have to touch the code; in fact, for exactly the reasons you offer, it is best that they don't. But that doesn't mean they can't use their considerable CPU resources to catalog its vulnerabilities.

    4. Re:Classic misdirection by Anonymous Coward · · Score: 2, Funny

      Tin is a bit expensive and difficult to find these days; I would recommend using aluminum foil.

    5. Re:Classic misdirection by corebreech · · Score: 2, Insightful

      What size blinders do you wear?

      It's so incredible, with all the evidence of government deceit and treachery all around us that we would still have people giving them the benefit of the doubt!

      Power corrupts, and absolute power corrupts absolutely, and our government is as close to wielding absolute power as anyone ever has.

      And you want to trust them to coordinate auditing open-source software? I can't imagine a more naive posture to take!

    6. Re:Classic misdirection by tealover · · Score: 3, Insightful

      Where's the misdirection then?

      If they have such considerable resources that they can catalog all the vulnerabilities of Windows and Linux systems, why go through the charade? They can just perform their calculations behind the scenes.

      You sound like a typical paranoid nerd.

      --
      -- You see, there would be these conclusions that you could jump to
    7. Re:Classic misdirection by tealover · · Score: 3, Insightful

      It's so incredible, with all the evidence of government deceit and treachery all around us that we would still have people giving them the benefit of the doubt!

      I know! It's very exciting, isn't it!

      Power corrupts, and absolute power corrupts absolutely, and our government is as close to wielding absolute power as anyone ever has.

      I know! Who knows, they may even invent a device that allows them to maintain communication even in the event of a nuclear war, allowing them to continue to assemble and attack some more!

      And you want to trust them to coordinate auditing open-source software? I can't imagine a more naive posture to take!

      Tell me about it! Letting them get their hands on Open-Source software where everyone can look at and review the code! It's downright scary!

      --
      -- You see, there would be these conclusions that you could jump to
    8. Re:Classic misdirection by NixLuver · · Score: 5, Insightful
      Hrm... So you assert that SELinux fixes trivial security issues in order to encourage users to select Linux (less secure) over OpenBSD (more secure), and all this without introducing any trojan code into SELinux.

      The question I have is this: If there are hundreds of invisible exploits in the SELinux kernel, how are we to know that the same situation doesn't exist in OpenBSD?

      Furthermore, how are we to be certain that OpenBSD (oft touted as the most secure OS in the world, and I'll certainly grant it's one of the most secure out of the box OS's I've ever seen) isn't some clandestine creation of the NSA created to lull paranoid psychotics into believing that they were secured against intrusion?

    9. Re:Classic misdirection by corebreech · · Score: 2, Interesting

      So you assert that SELinux fixes trivial security issues...

      I never asserted anything of the kind. SELinux is about implementing access control, which has little if anything to do with enhancing the kind of security being discussed here, i.e., getting root.

      If there are hundreds of invisible exploits in the SELinux kernel, how are we to know that the same situation doesn't exist in OpenBSD?

      OpenBSD has made a big deal about auditing its code, looking for all the potential vulnerabilities. Linux tends to be more focused on utility and performance. There may indeed (probably are) exploits they are aware of in OpenBSD, but since so much more focus is placed on security, their expectations may be that the window of opportunity is closing.

      Furthermore, how are we to be certain that OpenBSD (oft touted as the most secure OS in the world, and I'll certainly grant it's one of the most secure out of the box OS's I've ever seen) isn't some clandestine creation of the NSA created to lull paranoid psychotics into believing that they were secured against intrusion?

      The question you should be asking yourself is why organizations like the NSA and DARPA, which are after all dedicated to eavesdropping and intelligence gathering, would want to spend time and resources making the computer systems of target nations more secure.

    10. Re:Classic misdirection by Anonymous Coward · · Score: 0

      Actually the question you should be asking yourself is this: if OpenBSD is so secure, why isn't it trusted to run www.openbsd.org?

      (Perhaps that's because despite the vaunted "auditing", OBSD is still largely ancient 1980s C code that was never designed with security in mind, and its real-world exploitability is not significantly less than Linux or any other Unix.)

    11. Re:Classic misdirection by Muggins+the+Mad · · Score: 3, Informative
      So you assert that SELinux fixes trivial security issues...
      I never asserted anything of the kind. SELinux is about implementing access control, which has little if anything to do with enhancing the kind of security being discussed here, i.e., getting root.

      But access control is very much related to stopping exploits. A good set of access controls (SELinux or LIDS or RSBAC or the like) means that when, say, apache gets exploited, the attacker can't do any real damage and certainly can't fork a command shell.

      It means that when your mail client gets exploited through an attachment type hole, the executed attachment can't access your address book or send mail itself. All good stuff.

      It also means that very few programs need to be run as root thus providing even fewer avenues for the attacker to use.

      - Muggins the Mad
    12. Re:Classic misdirection by DinosaurNeal · · Score: 2, Funny

      How do you know that the NSA is only supporting Linux so that you will suspect them of malicious intent and therefore making it more likely that you will use FreeBSD, which the NSA actually has critical exploits for?

      You've fallen right into their trap.

      You've fallen victim to one of the classic blunders. The most famous is never get involved in a land war in Asia.
      But only slightly less well known is this: never go in against a Sicilian when (FreeBSD) death is on the line.

    13. Re:Classic misdirection by Anonymous Coward · · Score: 0

      Funny, yes, informative, no.
      This moderator's hat is not of tin, not of aluminum, but ass.
      -1 Offtopic

    14. Re:Classic misdirection by Jason+Earl · · Score: 1

      Beautiful.

    15. Re:Classic misdirection by NixLuver · · Score: 3, Insightful
      I never asserted anything of the kind. SELinux is about implementing access control, which has little if anything to do with enhancing the kind of security being discussed here, i.e., getting root.

      Well, this would indicate to me that you have no idea what issues SELinux might or might not address. Perhaps you should research the topics of your closely held opinions somewhat. From the FAQ:

      It [SELinux] has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).

      I would say this rather soundly addresses the concept of "getting root", wouldn't you?

      Linux tends to be more focused on utility and performance.

      This is exactly the situation that SELinux hopes to address, isn't it?

      The question you should be asking yourself is why organizations like the NSA and DARPA, which are after all dedicated to eavesdropping and intelligence gathering, would want to spend time and resources making the computer systems of target nations more secure.

      Come on, that one is too easy... the security of the parent system has absolutely nothing to do with the security of an isolated data stream - i.e., email, instant messenger, http, ftp - you name it. SELinux also does little to address the security of daemons like, say, MySQL - it simply isolates the components so that a compromise of the apache code doesn't translate to a compromise of the system.

      There is also the fact that the NSA and DARPA don't have to work to compromise our security - after all, the RIAA and MPAA may engineer us into a government-controlled cryptographic system with government (or copyright holder!) held keys - for Intellectual Property enforcement, of course.

    16. Re:Classic misdirection by Anonymous Coward · · Score: 0

      Let me guess... win+++NO CARRIER

    17. Re:Classic misdirection by cduffy · · Score: 2, Informative

      The question you should be asking yourself is why organizations like the NSA and DARPA, which are after all dedicated to eavesdropping and intelligence gathering, would want to spend time and resources making the computer systems of target nations more secure.

      Perhaps because their mission also includes improving the information security of their own nation?

    18. Re:Classic misdirection by Anonymous Coward · · Score: 0

      Hi, Corebreech.

    19. Re:Classic misdirection by Otter · · Score: 1
      I don't know what shit is worth these days.

      Ok, that has to be the most uninformative post ever to rake in an Informative. I do know what it's worth. Gimme Score: 5!

      By the way, doesn't anyone understand the difference between "DARPA-funded" and having Donald Rumsfeld whisper orders in your ear while you code?

    20. Re:Classic misdirection by corebreech · · Score: 1, Troll

      I would say this rather soundly addresses the concept of "getting root", wouldn't you?

      No, I wouldn't. I was using the term "getting root" as slang for entering a system. We're dealing with semantics here. SELinux wants to say there is no root, but it really doesn't matter what they call it; there are still accounts, and the same exploits that lead to the compromising of one account can cascade into the compromising of other accounts.

      the security of the parent system has absolutely nothing to do with the security of an isolated data stream

      Of course it does. Buffer-overflow exploit? Hello?

      I think what I needed to communicate better here is the method by which the NSA goes about discovering these exploits. Unless you are going to take the position that the NSA does not care about acquiring techniques to infiltrate computer systems, then you have to acknowledge that they are likely going to put a good deal of resources behind the problem.

      Now, if I were in charge of this project, and I had ready access to the kind of enormous CPU power at their disposal, the first thing I would do is prepare an emulator that would allow target OS's to be loaded and against which many cycles are spent looking for combinations of input that expose holes, like buffer-overflow, that provide access to a process. Once that exploit is catalogued, I can iteratively work from within that process looking for the exploit that allows for access to some other process via whatever IPC mechanism is available. Provided that the resources are there, most (even if not all) available exploits could be catalogued, and methods of attack extrapolated. And I would have those resources, since this project can be easily demonstrated to be in the interests of national security.

      The toy understanding of security issues evident here and elsewhere really doesn't apply. We're not talking about defending a system against some script kiddie. It's a different class of problem altogether.

      There is also the fact that the NSA and DARPA don't have to work to compromise our security...

      It really comes down to whether or not you believe the NSA/DARPA would make this technology a priority. If you believe they would, that is, if you can appreciate the potential for intelligence gathering such a technique would yield, then I think you'd also have to agree that they probably wouldn't want to sit still and hope and wait for the RIAA/MPAA to do as you say.

      I mean, to me, *that* is what is implausible.

    21. Re:Classic misdirection by Anonymous Coward · · Score: 0

      Hi, Corebreech

    22. Re:Classic misdirection by corebreech · · Score: 1

      Well obviously that isn't true for the NSA. If it were, we wouldn't have had to waste all that time on the encryption debate.

      I could see it being true for DARPA, but then, if they were really interested in improving the information security of the U.S., then why renege on the grants/funding for OpenBSD, an OS that is frequently reputed to be one of the--if not the most--secure OS's out there?

      I guess it comes down to this: do you trust your government?

    23. Re:Classic misdirection by NixLuver · · Score: 1
      No, I wouldn't. I was using the term "getting root" as slang for entering a system. We're dealing with semantics here. SELinux wants to say there is no root, but it really doesn't matter what they call it; there are still accounts, and the same exploits that lead to the compromising of one account can cascade into the compromising of other accounts.

      Way to dodge! Unfortunately, 'getting root' has a very specific meaning. Compromising a user account with an ID other than 0 is NOT 'getting root', no matter how much you would like it to be for the purpose of the current discussion. And you obviously didn't read the FAQ I linked to. The compromise of a given account doesn't extend to another account - that's the whole purpose of the system.

      Of course it does. Buffer-overflow exploit? Hello?

      Think very carefully, and I'm certain you'll be able to grasp this one. A 'buffer overflow exploit' compromises the system that is an endpoint for a network, not the data stream between that system and another. An 'isolated data stream' is what one might capture with a sniffer - eavesdropping - and the security of that stream has to do with encryption, not the operating system that generated the stream.

      It's nice to know that you're not in charge of our national computer resources. Let me explain.

      It makes absolutely no difference if you compromise a system, if the data is encrypted appropriately. I assure you that the vast majority of 'secrets' that the NSA might acquire by compromising systems is encrypted. Hell, I'm pretty sure that I don't have anything the NSA might be interested in, but many documents in my home dir are encrypted with GnuPG.

      Regardless, no, I don't really believe that the NSA is spending the bulk of its resources locating exploits in common desktop operating systems. I believe that the bulk of the computing resources possessed by the NSA are probably involved in data mining and visualization activities. Searching databases of oil consumption, food consumption, weather patterns, airline traffic patterns, money movements... combining and recombining, presenting different visualizations and comparisons, watching for underlying patterns.

    24. Re:Classic misdirection by Anonymous Coward · · Score: 0

      Think very carefully, and I'm certain you'll be able to grasp this one.

      I'm sorry I wasted my time on you.

    25. Re:Classic misdirection by cduffy · · Score: 1

      Well obviously that isn't true for the NSA.

      Err, actually, it is. Remember, this is a governmental organization; there's quite a bit of left hand/right hand disconnect.

      I could see it being true for DARPA, but then, if they were really interested in improving the information security of the U.S., then why renege on the grants/funding for OpenBSD, an OS that is frequently reputed to be one of the--if not the most--secure OS's out there?

      Eh? So they fund something for a while, and then they stop, and from this you infer that the thing that they were once funding is contrary to their mission? There are lots of possible reasons for the change in funding decisions; perhaps you should look for publicly available transcripts rather than engaging in unfounded speculation.

      And people accuse me of wearing a tin-foil hat. Jeesh.

    26. Re:Classic misdirection by anthonyrcalgary · · Score: 1

      I'm tired of seeing this.

      They get free hosting and bandwidth from the U of Alberta. The U of Alberta uses Solaris.

      --
      When someone might yell at me, it has to be OpenBSD.
    27. Re:Classic misdirection by anthonyrcalgary · · Score: 1

      Theo made some very public statements about US foreign policy.

      --
      When someone might yell at me, it has to be OpenBSD.
    28. Re:Classic misdirection by Anonymous Coward · · Score: 0

      www.openbsd.org is hosted at the University of Alberta, which provides hardware and bandwidth the OpenBSD project otherwise could not afford. The University chooses what software runs on the University's computers, and the University likes Solaris.

    29. Re:Classic misdirection by hangareighteen · · Score: 4, Insightful
      The question you should be asking yourself is why organizations like the NSA and DARPA, which are after all dedicated to eavesdropping and intelligence gathering, would want to spend time and resources making the computer systems of target nations more secure.

      I would say it's a stretch to call the Defence Advanced Research Projects Agency an organization dedicated to eavesdropping and intelligence gathering. Their entire purpose is simply to research things that might be useful to the Department of Defence; however, I will grant you that a large part of what the DoD does is intelligence gathering and eavesdropping -- but it's part of their job, and they don't really shy away from telling the citizens that. On top of all that, if you're going to be so overly paranoid about government involvement in public projects, then why in the hell are you using the internet anyways? It began its life as a DARPA project, as research into self-healing networks.

      Also, the NSA isn't dedicated to eavesdropping or intelligence gathering. If you read their original charter, it seems that it was originally created to help organize and distribute intelligence information gathered from the various intelligence agencies working for the US. That isn't all they do either; as this country has changed and their existence has become more widely known, their role has changed somewhat as well. Specifically, they also play a role in securing this country (meaning its citizens, businesses and government) from foreign attack, espionage, and intelligence gathering/manipulation. They are, after all, the National Security Agency.

      So, as part of the ideal of securing the nation, they decided that it would be a good idea to make a highly securable operating system available to the public (meaning its citizens, businesses and government) for free. Given that, it's not too hard to see why they chose Linux as their candidate: it's already available freely, it's already somewhat securely designed, and it already implements a unix-style user-based security model. Not only that, but they realized that for the system to be truly secure, its source code and thus its development also had to be open to the public and freely available.

      I don't think there is any doubt that the NSA has been entirely up front with everyone on this. If it weren't the case, there is no way that the SELinux security model would be included in Linux today, and I don't see any directives from the Ministry Of Coding demanding its implementation. On the other point, DARPA was just throwing around some research money (it's what they do best) and decided that this project might turn out something useful; they were wrong, but it didn't really seem as if they had any opportunity for misdirection anyways.

    30. Re:Classic misdirection by Endive4Ever · · Score: 1

      Yes, and the interesting and (off topic) sidenote is that back when tinfoil was actually used, before aluminium foil, the tin was cheaper than the aluminum. Until modern methods of refining aluminum ore (using large amounts of electricity) were developed, aluminum in metallic form was extremely rare. It was rarer than gold, and there are 'crown jewels' in Europe set in aluminum as a consequence.

      Now the situation is reversed: aluminum is cheap, and tin is more scarce, and reserved for things like solder alloys, etc.

      --
      ---
    31. Re:Classic misdirection by Endive4Ever · · Score: 1

      Both SELinux and OpenBSD are about more than a kernel. In the case of OpenBSD (and all the freenix BSD projects, for that matter) there is a defined and structured core source tree. It covers much, much more than just the kernel, and it's all controlled and tracked under CVS by a central organization.

      NetBSD, for instance, can be downloaded in source form as a source tree in a set of tarballs. Then you can expand the source tree and run 'make' on the whole tree, ending up with 'ls', 'make', 'cat' and the like. A binary 'base' install of NetBSD for any particular architecture is a 60-80 meg download. You want things like emacs, you bring that in separate from the base system.

      Most common Linux 'distributions' on the other hand, have whatever mixed codebase of 'userland' code the distro maintainer chooses to throw in the mix.

      SELinux, one would hope, would be closer to Open/Free/NetBSD in including a core, audited base userland. The point in having a 'secure' kernel withers away, to be honest, once init(8) starts running, if you don't have a secured userland codebase.

      --
      ---
    32. Re:Classic misdirection by Endive4Ever · · Score: 1

      Actually, I don't know that a 'paper trail' has been established connecting Mr. DeRaadt's comments to the loss of funding. The OpenBSD conference was only sponsored through an intermediary, and the intermediary was the one who lost the funding.

      But the kind of people who make 'public statements about US foreign policy' are the kind of people who relish getting a response from said US agencies. It's not surprising that a lot of noise was made by Mr. DeRaadt after the funding was cut, for whatever reason it was cut.

      --
      ---
    33. Re:Classic misdirection by Anonymous Coward · · Score: 0

      Hey, look out, there's a hole in your tin foil hat, and it's the one I use to regularly exploit OpenBSD!!!!

      HAHA! You are teh suck!!!! HAHA!

    34. Re:Classic misdirection by TeraCo · · Score: 1

      Not sorry enough.

      --
      Not Meta-modding due to apathy.
    35. Re:Classic misdirection by addaon · · Score: 1

      Me too!

      --

      I've had this sig for three days.
    36. Re:Classic misdirection by Anonymous Coward · · Score: 0

      One would be good enough.

    37. Re:Classic misdirection by doctor1 · · Score: 1

      This cracked me up... I followed a link for "About Sardonix" and I saw at the bottom of its page this line:

      Sardonix.org is a community resource. It is managed by the Immunix team at WireX , and funded by the CHATS program at DARPA.

      I tried following the link to "CHATS" to see what it was all about, and I get a "page cannot be found" message. Not to sound too paranoid, but it's pretty sneaky to hide something in plain sight. ;^)

      Do you think I'll get any Sardonix points for pointing out a dead link on their web-site?... I didn't think so either.

      --
      Astronauts in weightlessness of pixilated space, exchange graffiti with a disembodied race. - Rush
  2. If a tree falls in a forrest... by Zeinfeld · · Score: 5, Funny

    If there is a bug in the kernel and nobody notices it, can we still flame Microsoft?

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
    1. Re:If a tree falls in a forrest... by Anonymous Coward · · Score: 0

      What is a forrest ?

    2. Re:If a tree falls in a forrest... by rampant+mac · · Score: 2, Funny
      "If a tree falls in a forrest.."

      I'm hoping a fucking Sequoia lands on this thread.

      --
      I like big butts and I cannot lie.
    3. Re:If a tree falls in a forrest... by Zeinfeld · · Score: 0
      What is a forrest ?

      That's just the r I left out of the referer field reappearing; must have hit a wormhole in space or something.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    4. Re:If a tree falls in a forrest... by mattjb0010 · · Score: 3, Funny

      What is a forrest ?

      It's like a box of chocolates.

    5. Re:If a tree falls in a forrest... by orthogonal · · Score: 1, Informative

      What is a forrest ?

      The guy who played Dr. McCoy on Star Trek.

    6. Re:If a tree falls in a forrest... by Anonymous Coward · · Score: 0

      that would be The Forrest

    7. Re:If a tree falls in a forrest... by Anonymous Coward · · Score: 0

      You never know how they will spell it?

    8. Re:If a tree falls in a forrest... by t0ny · · Score: 1
      If there is a bug in the kernel and nobody notices it, can we still flame Microsoft?

      Why not? Debian users still do it.

      --

      Manipulate the moderator system! Mod someone as "overrated" today.

    9. Re:If a tree falls in a forrest... by jimhill · · Score: 1

      No, that was _d_ Forrest. The OP wanted to know what _a_ forrest was...

      --
      Learn to spell: nickel, missile, lose, solely, amendment, speech, kernel, probably, ridiculous, deity, hierarchy, versus
  3. Really? by Limburgher · · Score: 3, Funny

    NOBODY showed up? I would think having a high Sardonix rating would be a nice piece of "hacker-street-cred", like a low /. ID number, or running Linux on a beowulf cluster of 286s.

    --

    You are not the customer.

    1. Re:Really? by alexandre · · Score: 5, Funny

      So, next time I get an interview I should mention my /. ID? :-)

    2. Re:Really? by Jason+Earl · · Score: 3, Interesting

      The free market beat them to the punch. Why play for Sardonix "street-cred" when you can start your own security company? Most security companies do a fair share of the advertising on the existing security mailing lists.

      Besides which, the Linux Kernel Mailing Lists already purport to do the same thing. You think that the Linux kernel hackers don't think that they are already creating secure code? By the time a security bug gets through the LKML's brutal peer review the chances that some outsider gunning for "street cred" is going to find it is essentially nil. Why join Sardonix when you can pile right in to the LKML?

    3. Re:Really? by Lehk228 · · Score: 1

      yes

      --
      Snowden and Manning are heroes.
    4. Re:Really? by Saeed+al-Sahaf · · Score: 5, Funny

      Holy shit. 53? Your prospective boss should bow down! I assumed that most of the first 1000 were DEAD by now...

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    5. Re:Really? by Coventry · · Score: 1

      Heck, I'm in the 3k range and I thought the first 100 (or so) uids were test uids from when they made and tested the system before rolling it... I've NEVER seen one before.

      --
      man is machine
    6. Re:Really? by rampant+mac · · Score: 4, Funny
      "NOBODY showed up? I would think having a high Sardonix rating would be a nice piece of "hacker-street-cred"

      This isn't Compton.

      You're not going to go on an interview and throw up your Linux "signs."

      Slackware beeyotch. Represent.

      apt-get 4 life, thug.

      Werd.

      --
      I like big butts and I cannot lie.
    7. Re:Really? by polymath69 · · Score: 2, Funny
      So, next time I get an interview I should mention my /. ID?

      Not with a UID that low, dude. That only tells your prospective employer, "I spend way too much time cruising the Internet instead of working."

      --
      I don't want to rule the world... I just want to be in charge of mayonnaise.
    8. Re:Really? by caluml · · Score: 1

      Only 187 comments though, and 2 5s and a 3 in the last 24 :)

    9. Re:Really? by Saint+Stephen · · Score: 1

      I have a 9000s uid that I forgot the password for and no longer have the email. Any chance I can use it?

      I'd like to see Slashdot ID counter vs. time graph. I came to the party late.

    10. Re:Really? by wrmrxxx · · Score: 5, Funny

      I'm always sure to mention mine. Has got me some really interesting job offers...

    11. Re:Really? by Anonymous Coward · · Score: 0

      I assumed that most of the first 1000 were DEAD by now...
      No, AIDS usually takes YEARS!

    12. Re:Really? by An+Onerous+Coward · · Score: 0

      Repeatedly.

      --

      You want the truthiness? You can't handle the truthiness!

    13. Re:Really? by Ziviyr · · Score: 1

      No doubt resurrected by the ID# polling ritual we performed earlier.

      --

      Someone set us up the bomb, so shine we are!
    14. Re:Really? by RollingThunder · · Score: 1

      Nah, they're all in hiding because they're being hunted by the United Nations Transitional Authority troops, aided by Subarashii.

      Wait, that's the First Hundred, not the first thousand. /redmars

    15. Re:Really? by identity0 · · Score: 1

      Nay, the First Ones are alive still - they journeyed to the Uncharted Lands, to return once again when the land is in peril once again from the Shadow Realm...

    16. Re:Really? by Avada+Kedavra · · Score: 0

      Has anyone tried to sell really low ID's on Ebay?

    17. Re:Really? by Darmox · · Score: 1

      Unless you're the guy that bought the account on E-Bay :)
      (or rather, one of the accounts on ebay. It seems that a lot have made it.)

      --
      If I was that drunk, I would have remembered it -- H. Simpson
    18. Re:Really? by Kelvin · · Score: 1

      Naw, some of us are still around

      Coincidentally enough, I even work for Crispin. :)

    19. Re:Really? by Zak3056 · · Score: 1

      I'm always sure to mention mine. Has got me some really interesting job offers...

      Any of them from NineNine or autopr0n by any chance? :)

      --
      What part of "shall not be infringed" is so hard to understand?
    20. Re:Really? by Anonymous Coward · · Score: 0

God it's been years since I thought of that book. Ooh wait, that was last night in my dreams having sex with Hiroku(SP?) in 0G.

      Mmm. Aries.

      Tim

    21. Re:Really? by dave1212 · · Score: 1

So, next time I get an interview I should mention my /. ID ? :-)

      Probably not, but if you do, make sure to fix the link in your sig!

    22. Re:Really? by Gumby · · Score: 1

      Slashdot was running with id's for some time (year?) and then they had some kind of database schema change around 1998 and flushed all the users - So that day everybody had to re-signup.

    23. Re:Really? by Anonymous Coward · · Score: 0

      Interesting...All of the users with 3 digit UID's and most of the users with 4 digit UID's have few to no fans and very few friends.

      Anyone care to hypothesize (sp..too lazy to check) why?

      From a very quick glance it seems that some of them are fairly active with recent journal entries etc. /me debates making this post slightly longer and unchecking Post Anonymously....naaaa. I'll try'n watch the thread and reply though

    24. Re:Really? by Daengbo · · Score: 1

      Hey, at my last interview, I met angkor, and we talked about Slashdot for some time. I didn't mention my UID, though, because I lurked from sometime in early 1998 until I registered with this bad boy about ?four years ago?

    25. Re:Really? by Christopher+Bibbs · · Score: 1

      I wouldn't if I were you. ;)

    26. Re:Really? by davidu · · Score: 1

      I see dead people...

      -davidu

      --

      # Hack the planet, it's important.
    27. Re:Really? by 10am-bedtime · · Score: 1

      outtakes from the "Great Unseen Movies" vault...

      "woah, you were the one who hacked the IRS db?!"

      "no, actually, i had to find and fix that bug. damn EBCDIC."

      "oh, well... never mind."

    28. Re:Really? by ohzero · · Score: 1

If you're starting ANY company in ANY space right now, and can raise Series-A, I applaud you. The days of throwing together a group of smart people to "start a company" are way long gone unless all of the people in it are .com retirees or otherwise well-to-do. The NSA does however fund some commercial operations ;-).

      --
      -- http://www.criticalassets.com
    29. Re:Really? by alexandre · · Score: 1

      My friend has the original 69, but dont be jealous, you got 3! :D

    30. Re:Really? by Anonymous+Brave+Guy · · Score: 1

      At my last job interview, we were discussing general background in computing for a minute, and I mentioned being karma-capped on Slashdot as a joke (made sense in context). That was followed immediately by a knowing smile from one of my interviewers, and shortly afterwards by a job offer. :-)

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  4. DARPA "funded" !? by gtrubetskoy · · Score: 4, Insightful

    Our model is: review a whole body of code, eventually finding no bugs, and receive a deeper level of appreciation from people who use the code.

    I'm sorry, appreciation does not pay bills.

    1. Re:DARPA "funded" !? by Anonymous Coward · · Score: 1

      I'm sorry, appreciation does not pay bills.

      Really? A big portion of the Open Source business is predicated upon this.

    2. Re:DARPA "funded" !? by gtrubetskoy · · Score: 1
      Really? A big portion of the Open Source business is predicated upon this.

      The key distinction is whose initiative it is: I can do something nice for you, seeking nothing but a thank you. But it doesn't mean that you can now ask me to do something and expect that it will cost you a mere thank you.

    3. Re:DARPA "funded" !? by orthogonal · · Score: 1
      I'm sorry, appreciation does not pay bills.
      Really? A big portion of the Open Source business is predicated upon this.

      As someone who has done a small amount of OS coding, I think the motivation really is to scratch one's own itch.

      The OS work I'm doing right now is to adapt software to my specific needs. Of course, I recognize that others may have the same itch, so I release the code.

      Because I value craftsmanship in its own right, I also attempt to make it usable for someone other than me (by using standard GUI interfaces, clearly labelling GUI stuff, etc.).

      It's not appreciation I'm looking for, it's software that better meets my needs. Because copying software is essentially free, once I have something working for me, it's easy for me to give you a copy too.
    4. Re:DARPA "funded" !? by Seahawk91 · · Score: 3, Insightful

      Multi-billion dollar budget and this is for the "bragging rights". Please!!!! If they let go a few crumbs as a prize for .... say, $100k at the end of the year for the best ranked.... you could not beat the takers off with a stick.

      Just my two cents...since Darpa won't give me $100k...or 2 dollars. I want my two dollars.

    5. Re:DARPA "funded" !? by Anonymous Coward · · Score: 0

      >I'm sorry, appreciation does not pay bills.

      Then the whole Linux model is doomed.

  5. never heard of it! by Anonymous Coward · · Score: 5, Interesting

    Well, maybe they needed a little more exposure, eh?

    I'm a sysadmin that secures plenty of mission-critical Linux (and FreeBSD) boxes, and I *thought* I kept on top of all the security news, I'd never heard of this project!

    Oh well! Try try again...

    1. Re:never heard of it! by AndroidCat · · Score: 2, Informative

      It's been a story on Slashdot (2002) at least once. And I remember it being mentioned in a thread in another story last year--mind you, that's only because Crispin's name jumped out at me. (Like the time Tanya Huff did something nasty to him in one of her books. ;)

      --
      One line blog. I hear that they're called Twitters now.
    2. Re:never heard of it! by Anonymous Coward · · Score: 0

      Have to say, I agree... If I'd heard of this puppy I'd have been there. Note to others... If you want people to play in your OSS sandbox, make sure you tell us that it exists! (I note that even the Slashdot article didn't link directly to Sardonix)

    3. Re:never heard of it! by KlomDark · · Score: 1

      Uh, see the first sentence "We have just announced the Sardonix source code security auditing portal." in the original post???

      Try CLICKING on the word "Sardonix" (In the original 2002 article) and see where that takes you. Fuck man, some people...

  6. Let's be honest by Anonymous Coward · · Score: 5, Insightful

    Auditing is boring. If you've got the skills to audit, you'd probably be much happier writing the code yourself.

    1. Re:Let's be honest by Anonymous Coward · · Score: 1, Funny

      or you could always go the Open BSD route:

      theo$ sed 's/^/\#/g' /etc/inetd.conf >> /tmp
      theo$ mv /tmp/inetd.conf /etc/inetd.conf
      theo$ echo "No r3m0t3 h0l3 in 30nS"
      theo$ awk /\#/'{print $1,$2}' /etc/inetd.conf < gpg -s tradesekrits.asc
      theo$ echo "ey3 j4m th3 k1ng 0f s3kur1ty and my p3n1s is sm4ll"

    2. Re:Let's be honest by Saeed+al-Sahaf · · Score: 1

      Ah yes. Spout esoteric code, make many Karma points.

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    3. Re:Let's be honest by Mysteray · · Score: 3, Informative

      What the AC in post #8154783 seemed to be trying to say is that the leader of the OpenBSD project turned off network-accessible services in the default install, is not forthcoming with the details of these security-related modifications, and acts in a self-promotional manner.

      I don't actually agree with this characterization of OpenBSD; I'm simply trying to provide a translation for the curious. I don't think the AC is using stunningly effective debate technique, either.

    4. Re:Let's be honest by Saeed+al-Sahaf · · Score: 1

      Thanks for the translation. I've been very tempted by FreeBSD, I've noticed that many of the high-duty porn servers use it, must be a reason.

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    5. Re:Let's be honest by bluGill · · Score: 2, Interesting

Not necessarily. I know a number of programmers who read code to learn how it works. They aren't auditing directly, just looking to see how/if they can use something in their own code. Programmers are lazy; if they can use someone else's debugged work they will.

      There is far too much code to write, without wasting time re-inventing the wheel.

    6. Re:Let's be honest by Mr2cents · · Score: 4, Funny

      Auditing is boring.

      Don't forget we live in a world where people collect stamps..

      --
      "It's too bad that stupidity isn't painful." - Anton LaVey
    7. Re:Let's be honest by Endive4Ever · · Score: 2, Interesting

      People 'collect stamps' as historical relics. I, for instance, collect coins. I am not an 'investor' so I don't collect anything that is very valuable. I prefer small copper coins. I favor British Empire farthings. You can get an early 18th century British farthing for several US dollars. I like them for the history, and often I prefer 'well worn' coins to the shiny new ones that sat in collector's cabinet for centuries.

      It might seem 'boring' to people whose idea of fun is going out to night clubs and listening to droning repetitive loud music, but then......

      --
      ---
    8. Re:Let's be honest by Endive4Ever · · Score: 1

The first time I tried OpenBSD, it was after quite some time using NetBSD, and Slackware before that. I couldn't get OpenBSD to do ANYTHING on the network. I had come up out of the Slackware culture of openness where everything was turned on by default (Slackware previous to 4.0 was VERY open and insecure by default). The challenge of the OpenBSD security tightness was a 'challenge' that helped me learn yet more.

Honestly, for fooling around on home subnets, I think the 'openness' is a good thing. A newcomer should be able to plug together the network and get machines talking to each other, before having to dig in and learn how it's working. But that's coming from me, somebody who 'cut his teeth' on networking in the days of the 1.2 Linux kernel, by throwing Slackware on the 386sx boxes with 3c503 cards in them that I paid $3 a pound (!) for at a surplus store. It was what I could afford at the time and fooling around with them, I learned a lot.

      I wouldn't know how people would have that sort of 'fun' today with the drum-tight defaults that most distributions ship with these days.

      --
      ---
    9. Re:Let's be honest by Anonymous Coward · · Score: 0

      Actually, I find reading and debugging other people's code to be really fascinating. The creative part of writing code is all good and stuff, but sometimes I just want to sit back and jam on bugs for a bit. Auditing code for security flaws is just part and parcel of all that. I suppose I get a thrill out of making the code more perfect; code I could write myself would obviously be non-perfect on the first pass.

    10. Re:Let's be honest by Anonymous Coward · · Score: 1, Insightful


The only place for a wide open distribution in these days of continuous automated scanning and exploits, script kiddies, etc., is behind an air tight firewall, which most people don't have, or on their own network not connected to the internet.

Using an open server on the internet today is asking to be owned in about 10 minutes, and becoming a conduit for crackers, spam, porn, and other nastiness.

      Not long ago there was a guy arrested driving down the wrong way on a one way street with no pants on. He was making use of unsecured wireless hot spots to surf for kiddie porn.

      Unsecured anything is not the way to go today.

    11. Re:Let's be honest by Endive4Ever · · Score: 1

      My point was, I think, that I was learning networking on my own small intranet. At the time, the only connection I had to the Internet was over a modem dialup.

Certainly a firewall, and layers of stuff like NAT are necessary today. I challenge the notion that everything some guy does at home on a private network behind a firewall needs to be 'secured' though. Many people have fast connections to the 'net that are very blocked off by the way their ISP delivers, i.e. PPPoE and through a 'modem' that has built in NAT. Mine certainly is pretty impenetrable that way. Which sucks at times, but if you want a machine 'online' running services you colocate a box somewhere and THAT is secured.

      --
      ---
    12. Re:Let's be honest by Anonymous Coward · · Score: 1, Funny

      Not long ago there was a guy arrested driving down the wrong way on a one way street with no pants on. He was making use of unsecured wireless hot spots to surf for kiddie porn.

      Damn, was there a law he DIDN'T BREAK?

    13. Re:Let's be honest by Permission+Denied · · Score: 1
      or you could always go the Open BSD route:

      OpenBSD is a proper noun with no space in it.

      sed 's/^/\#/g' /etc/inetd.conf >> /tmp

      I believe that's supposed to be:

      sed 's/^/\#/g' /etc/inetd.conf > /tmp/inetd.conf
      In older variants of Unix, what you did would have been allowed and it would have corrupted the directory entries for /tmp.

      awk /\#/'{print $1,$2}' /etc/inetd.conf < gpg -s tradesekrits.asc

      That's completely incorrect. You're attempting to redirect two programs' i/o using file descriptor redirection. When you have two commands, you need a pipe. If you think about it, the reads/writes won't be synchronized, so you need some kernel mechanism to buffer the i/o: this is a pipe, fifo or socket.

      Anyway, this still won't work as gpg does an isatty() on stdin when it asks for a password and then reopens the console if necessary. This is assuming you wanted the awk output as the password, as one can't really tell what you're intending to do. Also, the ".asc" extension means ascii-armored, so you want to use the "-a" flag. You're also confusing what "-s [filename]" means: "filename" is the input in this case.

      Perhaps what you wanted is:

      awk /\#/'{print $1,$2}' /etc/inetd.conf | gpg -a -s -o tradesekrits.asc -
      Although this isn't very meaningful on any level if you examine the output of the awk command. Combined with the awkward shell quoting, I'm forced to assume your awk command doesn't do what you intend it to do. Perhaps you don't know what you're trying to say?
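A working version of the lockdown the joke above gestures at, added here as an example; it is not from the original thread and not OpenBSD's own code. It comments out every active entry in an inetd.conf-style file without touching lines that are already comments or blank (the joke's sed prefixed "#" to every line, including existing comments), writes to a temporary file and renames it into place rather than clobbering the target with a redirect, and lists what is still enabled so the change can be verified. The sample inetd.conf and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: disable every inetd service by commenting it out, then
# verify. Not from the original thread; the sample config is constructed.
set -eu

# Print the services still enabled in an inetd.conf: service name and
# socket type of every line that is neither blank nor a comment.
active_inetd_services() {
    awk 'NF > 0 && $1 !~ /^#/ { print $1, $2 }' "$1"
}

# Write a copy of $1 to $2 in which every active line is commented out.
# Lines that are already comments, and blank lines, are left as they are.
disable_inetd_services() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/inetd.XXXXXX")
    # Only lines whose first non-blank character is not "#" get a "#" prefix.
    sed -E 's/^([[:space:]]*[^#[:space:]])/#\1/' "$1" > "$tmp"
    # Safety check before replacing the target: nothing may still be active.
    if [ -n "$(active_inetd_services "$tmp")" ]; then
        rm -f "$tmp"
        echo "disable_inetd_services: entries still active, aborting" >&2
        return 1
    fi
    # Atomic rename, not a redirect onto the live file.
    mv "$tmp" "$2"
}

# Constructed sample in the classic inetd.conf layout: three active
# services, one already-disabled service, one comment, one blank line.
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# Sample inetd.conf (constructed for this example)
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd    ftpd -US
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd    rshd

   ident   stream  tcp     nowait  _identd /usr/libexec/identd identd -el
EOF
}

# Usage (stand-alone): sh lockdown.sh /path/to/inetd.conf
# Writes /path/to/inetd.conf.disabled and lists anything still enabled.
if [ "$#" -eq 1 ]; then
    disable_inetd_services "$1" "$1.disabled"
    echo "remaining active services in $1.disabled:"
    active_inetd_services "$1.disabled"
fi
```

The check inside disable_inetd_services is the point of writing it as a function rather than a one-liner: the rewritten file is inspected with the same predicate an auditor would use (what does inetd still listen for?) before it replaces anything, so a malformed sed expression fails loudly instead of silently leaving a service enabled.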
    14. Re:Let's be honest by ChaosDiscord · · Score: 1
      Auditing is boring.

      You know what else is boring? Proofreading. And yet Distributed Proofreaders manages to get about 5,000 pages of text proofread every day! The key is making it easy so that a little bit of my time can be useful. It also helps to get some popularity. I'd repeatedly heard about the distributed Proofreaders, but this is the first I've heard about Sardonix. Now that I've heard about it, it sounds interesting, next time I decide to proof a page or two for Distributed Proofreaders I'll take a look to see if I can help with Sardonix.

  7. Still A Good Idea by Naked+Chef · · Score: 5, Insightful

    Whose time may eventually come. Part of the problems is, as the article mentions, the "Bugtraq" mentality - people are only interested in the flashy big bugs, not the little ones that "only" increase stability. The other problem seems to simply be one of logistics, which the web site apparently didn't sort out. People are already doing this, on a smaller scale. How to get it into a single group under this Sardonix name without duplicating effort? Still difficult. I'd look for it again, in another form, in a few years :)

    1. Re:Still A Good Idea by Jeremiah+Cornelius · · Score: 2, Informative
      Yeah...

Too bad that the real work to be done here was largely undertaken previously by the "Kernel Janitors". This is a genuinely community-based effort, designed EXACTLY to remediate the less-than-glorious issues within existing kernel trees.

      And, Hey!

      They are training aspiring kernel developers, who can hone their skills and become intimately familiar with kernel internals by contributing in a meaningful way! Even if it's just repairing bad use of whitespace...

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    2. Re:Still A Good Idea by perlchild · · Score: 1

      I'd look for it again, in another form, in a few years :)

I will too, most likely somewhere in Europe or Australia, or maybe Canada, backed by private enterprise, not an organisation that's part of the American Politico-military complex. (Not that public funds couldn't be involved, but government control in this paranoid age doesn't seem likely to me.)

    3. Re:Still A Good Idea by BiggerIsBetter · · Score: 1

      "...under this Sardonix name..."

      Well, there's your problem. Nobody is particularly interested in making a name for Crispin-whoever through working their arse off on unglamorous bugs. People are quite happy to work under their own names and on the existing projects.

      --
      Forget thrust, drag, lift and weight. Airplanes fly because of money.
    4. Re:Still A Good Idea by Kor49 · · Score: 1

      Well, the devil is in the details. And most open-source projects are lacking in that regard. You have to find a better way to make people read someone else's design over and over for fun and for free than just some karma points on a website.

And when the idea doesn't pick up, you have to find a better way to motivate people than by bashing the bugtraq mentality, Mr. Cowan.

      People are interested in big bugs because they hurt the most. And when a bug is found and fixed, it's a definite improvement. Some piece of code reviewed and found OK by a bunch of people is not "definitely" more secure (albeit it's a good thing). So don't be surprised by people's reaction.

    5. Re:Still A Good Idea by Rheingold · · Score: 1

      As a former employee of WireX, I can tell you there was little government control--It was a grant-funded project by a company that does a lot of security projects funded by DARPA. The control was effective to the degree that the government approved the grant proposal and did enough follow-up to make sure the requirements for the proposal were fulfilled; it's not as if there were NSA guys standing around in black suits watching what we did (at least, none in the open that I saw).

      --
      Wil
      wiki
    6. Re:Still A Good Idea by Endive4Ever · · Score: 1

      Somebody needs to tell those Kernel Janitors that their webpage doesn't resize properly. I'm running Mozilla, and the tables on the page are set up so that unless I full-screen the browser window on my 1024x768 display, some of it spills off the screen. And there's no horizontal scrollbar for whatever reason.

      I hope that isn't a joke page, laid out so poorly, because if it is, IHBT.

      --
      ---
    7. Re:Still A Good Idea by Anonymous Coward · · Score: 0

      Tracking and fixing bugs is like living in Hell with a panoramic view of the Heavens. Producing new stuff is what we developers really like, not fixing what the morons in Heaven didn't know how to write.

  8. Thankless task indeed . . . by Mysteray · · Score: 5, Interesting
    Two years after its hopeful launch, a U.S.-backed research project aimed at drawing skilled eyeballs to the thankless task of open-source security auditing is prepared to throw in the towel.

    It does seem to be a thankless task. For a new guy on a project, criticizing the leaders' work doesn't seem a good way to gain influence. For an old contributor, you might feel compelled to add functionality the userbase is demanding.

    Interestingly, the OpenBSD project has put a lot of effort into auditing, and they also have a reputation of being somewhat, um, "grouchy". I wonder if there's some correlation?

    1. Re:Thankless task indeed . . . by Anonymous Coward · · Score: 0

      Didn't OpenBSD get kicked off DARPA funding too?

    2. Re:Thankless task indeed . . . by Mysteray · · Score: 3, Insightful
      Didn't OpenBSD get kicked off DARPA funding too?

      Hmm, you're right it did. I don't think there was an official reason given, but many attribute it to the OpenBSD leader saying less-than-supportive things about American military policy.

      Or I suppose it could be that DARPA simply doesn't want people to have genuinely secure software. But that would be a conspiracy theory, wouldn't it?

    3. Re:Thankless task indeed . . . by Anonymous Coward · · Score: 0

      The only conspiracy is that people think OpenBSD is "genuinely secure software".

      I would prefer that the government invest their money in advanced research rather than BSD 4.4 patching efforts.

    4. Re:Thankless task indeed . . . by Anonymous Coward · · Score: 2, Interesting
      Interestingly, OpenBSD also don't have any documentation as to what it is exactly they are doing with their audit.

      They talk a good game but let's face it, if you don't run any services on any platform it's about as secure as an OpenBSD install is out of the box. That's not exactly securing the code through audit, it's just locking down a box.

      I like what they are saying they are doing but I have no idea what it is they are changing or why those changes make OpenBSD any more secure than anything else. Now if they had a set of documents explaining what it is that they were looking at and fixing and shared some information so that other developers could learn from the mistakes of others it would be more commendable. Throw on to that the attitude of the developers and you've got a real party.

    5. Re:Thankless task indeed . . . by Mysteray · · Score: 2, Interesting

<offtopic>Your comments are discussion-worthy! Why post as an AC? I've been reading /. since at least 1998, but never got around to signing up and commenting properly. I'm glad I finally did, but I could have had bragging rights with one of those low UIDs if I had registered earlier.</offtopic>

      Anyway, I see these comments often enough so I suppose they merit some response. I'm not sure I'm the one to do it, but anyway . . .

      Interestingly, OpenBSD also don't have any documentation as to what it is exactly they are doing with their audit.

      People from GNU/Linux land are often not familiar with the structure of the BSD codebase. With GNU/Linux, tar or ls, for example, will have an "upstream maintainer" such as the FSF. When a distribution finds a bug in one of those utilities, it really is important to report it upstream so they can fix it for everyone.

      The BSD codebase was handed down as a single unit from Berkeley. Literally, the kernel, tar, and ls build in the same source tree. A small number of groups that formed to maintain this newly-freed source tree split off from each other (often with ugly disagreements). Berkeley wasn't interested in performing coordinating functions as an "upstream maintainer".

      So the OpenBSD group doesn't have anyone more "authoritative" than themselves to report changes and fixes to. What they do instead is make every source change available via CVS. You can even subscribe to an email changelist if you want to. The other BSDs are free to (and often do) track these changes.

      They talk a good game but let's face it, if you don't run any services on any platform it's about as secure as an OpenBSD install is out of the box. That's not exactly securing the code through audit, it's just locking down a box.

      There is still the IP stack and packet filtering code that needs to be secure. There have been significant attacks on those in the past for many OSes. BTW, wouldn't you prefer that things come turned off by default, so you don't have to worry about "locking it down" in the first place? I just re-installed Debian the other day, and it had ports open to notify others of changes to my filesystem (something called fam, just in case I wanted to setup a fileserver). Probably there was some authentication on it, but the point is that I don't remember asking if it was ok to be on in the first place.

      I know this may seem old-fashioned in the days of personal UNIX workstations, but local exploits are a concern for many systems. Often this can make the difference between a denial-of-service and a full rooting of a server.

      I like what they are saying they are doing but I have no idea what it is they are changing or why those changes make OpenBSD any more secure than anything else. Now if they had a set of documents explaining what it is that they were looking at and fixing and shared some information so that other developers could learn from the mistakes of others it would be more commendable. Throw on to that the attitude of the developers and you've got a real party.

      For all the accusations of OpenBSD being self-promoting, I don't think they spend a lot of time trying to explain their work to non-programmers. As they are working for free for their own interests, I can sympathize with them not verbosely explaining every source-code change in layman's terms. I trust them not to hide a bug that would clearly be exploitable, but at the same time, I don't think they need to do more than silently fix those that probably aren't. I can understand that someone not fluent in C could fail to see what the benefit to, say, eliminating sprintf would be. As a professional software developer, I have looked at their work and I believe it has great merit.

    6. Re:Thankless task indeed . . . by Crispin+Cowan · · Score: 2, Informative
"... get kicked off DARPA funding too?" Sardonix was not "kicked off DARPA funding." The contract spent its allotted budget and ended. IMHO, the most interesting result to come out of Sardonix, apart from there being more talk than action in security auditing :-/ was this paper:

      "Timing the Application of Security Patches for Optimal Uptime". Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, Chris Wright, and Adam Shostack. Presented at the USENIX 16th Systems Administration Conference (LISA2002), Philadelphia, PA, December 2002. Postscript. or ugly PDF.

      Crispin
      ----
      Crispin Cowan, Ph.D.
      CTO, Immunix Inc.

    7. Re:Thankless task indeed . . . by Elwood+P+Dowd · · Score: 1

      DARPA never offered funding to OpenBSD. They gave a big grant to Jonathan Smith, professor at the University of Pennsylvania. He's done a variety of (tepid, IMHO) research in software security and other fields. I'm quite curious why they chose to give him so much cash.

      Anyway, after they offered him the money, he said yeah, thanks, your money would be best spent on OpenBSD. So Jonathan Smith was going to give it to Theo De Raadt.

      Theo said some very mild things to the press, but it caught aflame and the checkbook didn't like the idea that they were giving so much money to a Canadian that was going to get so much attention.

      If DARPA had wanted to give money to OpenBSD, they could do that anytime. They probably expected new research out of Jonathan Smith, not further development of an existing operating system.

      --

      There are no trails. There are no trees out here.
    8. Re:Thankless task indeed . . . by Anonymous Coward · · Score: 0

      I don't know what is such a mystery to you.

      They explain their philosophy, the source to their patches, the change logs, access to their bug tracking, and mailing list archives.

      It is all linked from the front pages. What is so hard to figure out?

    9. Re:Thankless task indeed . . . by Richard_at_work · · Score: 1

      Have a look at this. There is also a lot of email on misc@ telling users whats been discovered, what is being changed, what is being removed and what has been audited and why.

    10. Re:Thankless task indeed . . . by Tony-A · · Score: 1

      They talk a good game but let's face it, if you don't run any services on any platform it's about as secure as an OpenBSD install is out of the box. That's not exactly securing the code through audit, it's just locking down a box.

      Errrr, not exactly.
      I'm far from being expert in such things, but OpenBSD seems to be designed for remote administration that must pass through hostile territory (man in the middle, etc). You're behind a firewall, but it's your enemy's firewall and he knows how to use it. You get a fast basic install on site. All the configuration and lockdown is done remotely in a context where the internet is friendly and the LAN is hostile.

      There's a lot more to security than just not running vulnerable service.

    11. Re:Thankless task indeed . . . by Error27 · · Score: 1

      Nah... I've done a bit of auditing and it's no big deal to tell someone there is a mistake in the code somewhere. Mostly they just fix the problem or tell me I'm missing something.

I once got into a spat with a junior developer who didn't realize why what he was doing was wrong. In that case I phrased the problem as a question and said, "Won't this cause problems?" instead of saying that it was obviously wrong. We got into a big stupid discussion about whether it would or not and he ended up unconvinced.

      It would have been better to just say straight out, "Probably you just did this without thinking but it's going to cause problems. Could you find some fix for that?"

      OpenBSD is grouchy because the senior developers are grouchy.

  9. No reason to play the NSA game... by Saeed+al-Sahaf · · Score: 4, Interesting
    As conceived by Crispin Cowan, Sardonix was to attract volunteer auditors by automatically ranking them according to the amount of code they've examined, and the number of security holes they've found. Auditors would lose points if a subsequent audit by someone else turned up bugs they missed. ... In the end, though, nobody showed up.

    Perhaps this is because for most of the (incredibly smart) people who make contributions to Linux kernel development, it's not about points? Now if they had attached MONEY value to those points, maybe the result would have been different; I mean at least SOME motivation to play the NSA game.

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    1. Re:No reason to play the NSA game... by Anonymous Coward · · Score: 0
Now if they had attached MONEY value to those points

      but that would go against the grain of things being 'open source' to a degree wouldn't you think. The result wouldn't have been different even if money were thrown around. Ever occur to you some might think of the following reasons: Not having to deal with big brother, not having to whore for a corporation being PAID by big brothers, not having the time to leave ONE LINUX project for another.

      Money isn't everything you know.

      My h3r0es

    2. Re:No reason to play the NSA game... by ealar+dlanvuli · · Score: 1

      Yes, but attracting people to a project through mythical points is frankly not going to work.

      Expecting people to do work for free because you're going to give them points is silly. If people were going to contribute to such an 'auditing' task in their spare time, an OSS site to do it would already exist.

      The only way to guarantee things will happen is money.

      --
      I live in a giant bucket.
    3. Re:No reason to play the NSA game... by HiThere · · Score: 1

      Not to mention, that these "points" would only be govt. points, not OSS points. It would give one a certain *kind* of status, but not one that most FOSS people eagerly seek.

      They really either had no idea of how the community worked, or wanted the project to fail. It's so stupid an idea, that I almost believe the second option, but it's probably just cluelessness.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  10. 3 Easy steps by Anonymous Coward · · Score: 0

    1. Get DARPA grant to start auditing project
    2. Wait for auditors to show up
    3. Keep waiting

    1. Re:3 Easy steps by Anonymous Coward · · Score: 0

      More like:
      1. Get DARPA grant to start auditing project
      2. PROFIT!!!!
      3. Wait for auditors to show up
      4. Keep waiting
      5. ???????

  11. If a project falls.... by RedLeg · · Score: 4, Interesting
    If a project fails, and nobody's ever even heard of it, has it really failed?

    I know Crispin Cowan personally, and I have never heard of this project! Maybe some of the DARPA funding should have gone to advertising, publicity, or (God forbid) Marketing?

    1. Re:If a project falls.... by Anonymous Coward · · Score: 0

      Maybe you should call him... y'now, make sure he's OK. If I was in the NSA, I'd be wondering just what happened to the grant money about now...

    2. Re:If a project falls.... by diegocgteleline.es · · Score: 2, Insightful

      Marketing! The magic word:

      Sardonix web site (Why isn't this on the front page?)
      List of vulnerabilities
      Subscribe to the Mailing list
      Become an auditor
      Audited programs
      Unaudited programs

      (Yes, I just linked the left menu in wwww.sardonix.org . Isn't that what marketing is all about after all?)

      Guys, this is important. This needs to be promoted everywhere. I'm thinking of translating their website - can some Spanish people help?

      It's NOT that boring. It CAN'T be that boring. Hell, there are dozens of guys discussing where in the window you should put a fucking button in the gnome/kde lists as we speak. This looks much more fun/useful to me.

    3. Re:If a project falls.... by Crispin+Cowan · · Score: 2, Informative
      The project is not dead. You can still go there and submit an audit. We have no intention of turning it off, and if people want to contribute, we welcome that.

      All the conspiracy theory noise on this topic is just a load of crap. DARPA didn't cut us off for any spooky reason, the contract just ended on schedule. I did my best to market the project to suitable audiences, but it never caught on. I'm still all for making it work, but I no longer have Federal money to pay for it, so it's now all-volunteer.

      Crispin
      ----
      Crispin Cowan, Ph.D.
      CTO, Immunix Inc.

    4. Re:If a project falls.... by HiThere · · Score: 1

      Think very seriously about why anyone would want to contribute at your site rather than somewhere else. I'm not a kernel coder of any sort, but if I were, then I would want my work to go where those I respected would see and appreciate it. "Points" awarded by some organization would only be valuable to the extent that those I respected for other reasons valued them.

      Remember, the only thing that gives a dollar its value is that the government insists on being paid its taxes in dollars. And everybody needs to pay taxes. So, basically, it's the threat to use force to collect its taxes that makes the dollar worth anything. You can use a dollar to buy bread because the guy you buy the bread from has to pay taxes to the govt.

      Now let's look at those points. What gives them any value? Is there anything? Do they even look pretty? Do they help you get (or hold) a job? Do they enhance your standing in the community? (Which community? Is it one that many Linux hackers want to be a part of?) Etc.

      I could be wrong, but these "points" seem to have no value of any sort. I'd get more value out of an insightful post on /. (and my score is maxed out).

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    5. Re:If a project falls.... by Crispin+Cowan · · Score: 1
      Think very seriously about why anyone would want to contribute at your site rather than somewhere else. I'm not a kernel coder of any sort ...
      Sardonix is not about the kernel per se. It is mostly about auditing applications, which is where most of the security vulnerabilities are.

      Now let's look at those points. What gives them any value?
      Their intended value was an objective assessment of the person's ability to audit code. They are not "awarded" by an organization, they are objectively computed by performance: how many packages or lines of code did you audit? How many bugs were subsequently found in code you audited? These metrics give people a real assessment of how good you are at auditing code.

      Crispin
      ----
      Crispin Cowan, Ph.D.
      CTO, Immunix Inc.

    6. Re:If a project falls.... by stevey · · Score: 1

      I've been running a small audit for the past few months, mostly looking at low hanging fruit - but still in that time I've managed to have 17 advisories published.

      Yet I've only recently come across your site and see there several audits which appear to show vulnerabilities but not any links to real advisories.

      I think it's a worthwhile thing to do and spend several hours a week looking over code; but I've never found any volunteers either - it just isn't sexy enough for people I guess. (Apart from people who are being paid to do it, security companies and the like).

    7. Re:If a project falls.... by diegocgteleline.es · · Score: 1

      Wow, you put a lot of effort there in your "personal" project. The problem is, IMHO, there's no such "centralized" site where to look if a given program has been audited or not. That site could very well be the sardonix site - no need to "point" you if you don't want, I guess. At least, I guess Crispin could add a link to your site ;)

  12. Securityfocus batting .500 by AndroidCat · · Score: 5, Interesting
    I guess they couldn't decide how to spell Cris Cowan/Cowen's last name so they alternated.

    They should have a volunteer review process to catch spelling mistakes...

    --
    One line blog. I hear that they're called Twitters now.
    1. Re:Securityfocus batting .500 by MerlynEmrys67 · · Score: 1
      Of course you could just simply look on the web Crispin Cowan's Home Page

      I chose his OGI Faculty page - you can choose your own

      --
      I have mod points and I am not afraid to use them
  13. Since you know him personally by Anonymous Coward · · Score: 0

    Has he recently made any large purchases? New computer? Car? House? DARPA money!

  14. Re:DARPA "funded" !? SETI @ Home by Mysteray · · Score: 2, Insightful
    I'm sorry, appreciation does not pay bills.

    True, but also true of most work being done for Free & Open Source software.

    Just look at how many people got seriously enthusiastic about their SETI @ Home rankings. That doesn't pay the bills either, and it uses real electricity.

    If they could just find a way to tap into _that_ enthusiasm. Maybe all they need to do is put up a brightly-colored blinking screensaver whenever someone found a bug . . .

  15. You are right by Anonymous Coward · · Score: 4, Insightful

    Your post was Classic misdirection. Also known as FUD.

  16. Definition of root word tells all. by mikeophile · · Score: 3, Interesting
    Sardonic

    sardonic (sär-dŏn′ĭk) adj.

    Scornfully or cynically mocking.

    See Synonyms at sarcastic.

  17. Easier steps by Anonymous Coward · · Score: 0

    1) turn it over to Haliburton.

    1. Re:Easier steps by Anonymous Coward · · Score: 0

      HAHA that was a good one.

  18. Doomed from the start by realmolo · · Score: 5, Insightful

    Here's what they were asking for: WANTED- Extremely experienced Linux coders, familiar with all aspects of security, to verify others' undocumented code, so that the federal government doesn't have to do it themselves. Salary starts at 0 dollars per year. Benefits include: no health care, no 401k.

    1. Re:Doomed from the start by bobthemuse · · Score: 1

      In all seriousness, if this was a funded grant, why couldn't they afford to pay per-bug? Yes, that makes it more complicated, but much more enticing.

      I wonder if there are any legal implications to this? Funding an OSS project in an indirect manner?

    2. Re:Doomed from the start by Monkelectric · · Score: 1
      Not only that, they dont understand one of the core motivations of an open source developer: self determination.

      You know what I do all day at "work"? I write python code. Python happens to be my favorite language but I HATE GOD DAMNED DATABASE PROGRAMMING. Guess what though? It pays the bills :)

      When I work on open source software, I want to do something I believe in or something I'm good at or something that I want to see done. Not something the NSA wants to see done, that's a lot like "work" and a lot less like a hobby :)

      --

      Religion is a gateway psychosis. -- Dave Foley

    3. Re:Doomed from the start by Anonymous Coward · · Score: 0

      What do you mean no benefits? You get points, man, points! Who doesn't want points?

  19. geek.paranoia++; by RalphBNumbers · · Score: 5, Insightful

    So they wanted people to do possibly the most tedious and unpleasant task in software engineering, over and over, for free, outside of the established (and frankly much more interesting, because they usually involve something besides solitary code reviewing) channels, and they're surprised they didn't get a flood of volunteers?

    Not to mention the job is thankless, it's an infinite loop of paranoia and nit-picking.

    code.insecure = true;
    While(code.insecure) {
        geek.paranoia++;
        geek.review(code);
    }

    --
    "The worst tyrannies were the ones where a governance required its own logic on every embedded node." - Vernor Vinge
  20. hmm.. quick to go ad-hominem by Anonymous Coward · · Score: 0

    typical of *BSD users.. the *BSD operating systems have a lot of good things going for them, including security, but it all means nothing when almost their entire community is full of people like corebreech who wants to attack and smear anyone who doesn't agree with his views

    1. Re:hmm.. quick to go ad-hominem by Anonymous Coward · · Score: 0

      Where do you see that? I see where the other guy went ad hominem, though.

    2. Re:hmm.. quick to go ad-hominem by Anonymous Coward · · Score: 0

      take a trip to the BSD section on Slashdot and see the reaction and moderations done to anyone who has any slight criticism of BSD. read the *BSD mailing lists and the reactions to anyone who just has a mere suggestion of doing something different. read the dialog between BSD developers and Matt Dillon.

  21. TROLL by Anonymous Coward · · Score: 0

    who is modding this up? its just a blatant attempt at discrediting Linux - as you can see form this other post from him.

  22. Re:DARPA "funded" !? SETI @ Home by gtrubetskoy · · Score: 4, Insightful
    If they could just find a way to tap into _that_ enthusiasm.

    Ah give me a break!

    As someone who has written open source software, I can tell you that there is no enthusiasm that you "tap into".

    When you are an agency that is part of a department of the government whose budget is in the billions (or is it trillions?), no sane "enthusiast" is going to do jack for you for "appreciation", especially when you are a military organization...

    But even if this wasn't DOD we were talking about, I find the assumption that people will perform valuable services for simple recognition just plain weird. People who think this way just don't get it - you want someone to do something for you, you pay for it.

    When I feel like releasing code to the public is a good idea, I will do it, but don't think that I am some sort of an OSS monkey who jumps at every opportunity to work for free!

  23. Maybe nobody took the idea seriously by qtp · · Score: 4, Funny
    And with a name like "Sardonix" who could blame them:

    ~$ dict -d wn sardonic
    1 definition found

    From WordNet (r) 2.0 (August 2003) [wn]:

    sardonic
    adj : disdainfully or ironically humorous; scornful and mocking;"his rebellion is the bitter, sardonic laughter of all great satirists"- Frank Schoenberner; "a wry pleasure to be...reminded of all that one is missing"- Irwin Edman [syn: {wry}]
    --
    Read, L
  24. How much? by Anonymous Coward · · Score: 0

    Check out the size of the US's defence budget for 2005.

    http://news.bbc.co.uk/1/hi/world/americas/3447281.stm

    Before you click, have a guess, and maybe post your results here?

  25. Damn... by qtp · · Score: 1

    you beat me to it!

    Curses! Foiled again.

    --
    Read, L
  26. Re:Anyone know... by Anonymous Coward · · Score: 0

    now its tied 7-7...

  27. Re:Anyone know... by Anonymous Coward · · Score: 0

    Who gives a fuck? American football is a bunch of wussy pansies dry-humping each other on a field. stupid fags playing a stupid sport.

  28. Too low profile by adamsc · · Score: 4, Informative

    I follow the security community pretty closely, monitor a fair number of techie news sites and otherwise try to stay aware of this sort of thing. The first I heard of the project was this story - I must have missed it the last time it was mentioned two years ago. Not many sites linked to sardonix.org after the initial news stories, either.

    1. Re:Too low profile by AndroidCat · · Score: 4, Interesting

      Perhaps the seven responses to the original story should have been a tipoff that raising visibility of the project would have been a good idea. (Of course, that would have risked coming on too strong.)

      --
      One line blog. I hear that they're called Twitters now.
  29. Project remit: appropriation increase? by Lucius+Sour · · Score: 3, Interesting

    A lot of government and military projects have the sole purpose of attracting money to, or showing deference to, whatever fashionable political/buzzword-compliant initiative has sway that week. This isn't news to slashdotters, I know, but I wonder what real hopes the project had, or was it one of those "impress the boss and get a cheque to swell the department" projects. It seems that's the way things work in the government service and industry these days. Whatever happened to doing the bloody job?

    --

    Hands up everyone who refuses to obey orders.

  30. Re:Really? Haha by Venner · · Score: 3, Funny

    I didn't create an account on slashdot until almost a year after I'd first started visiting and I have this horribly high UID to show for it. Who could have known that, years later, a low UID would be such a symbol of power, fear, and respect!

    I'm glad I didn't have to say that in person; I couldn't possibly have kept a straight face :-)

    --
    A preposition is a terrible thing to end a sentence with.
  31. NEWS FLASH: People would rather write than debug by mcc · · Score: 0

    Film at 11

  32. competitive shit work by Anonymous Coward · · Score: 2, Insightful

    it's really boring shit work, so let's spice it up by making it competitive. Tommy, Jane, how fast can you clean your rooms?

  33. Re:FOAD Sad news ... Stephen King dead at 56 by Anonymous Coward · · Score: 0

    Tell the truth!!! I am sobbing! He was my favorite author. Now you are trying to turn his death into a joke?

  34. Isn't this OSS's strongest argument? by no_nicks_available · · Score: 2, Interesting

    and yet no one shows. I guess we have to wait until someone finds something with negative intent before a bug is fixed.

    Mod me down -50....I don't care anymore, my faith is lost.

    1. Re:Isn't this OSS's strongest argument? by Reteo+Varala · · Score: 1

      The problem with that particular belief in Open Source is the mistaken belief that pride is the highest motivator. It's not, it's the second-most important.

      The primary motivation is the resolution of the writer's personal problem, whether it's a particular feature needed in an existing project, or some entirely new program, or the resolution of some kind of bug.

      In all cases, it's to counter a very personal irritant in the software (or lack thereof). The people who get into OSS primarily for the fame/ego find themselves months later losing interest, because there's nothing there to keep them, if not for a more personal motivator; a problem to solve.

      Think about it, this is the exact same difference between the "Skript kiddie" and the real hacker. The former may know some programming, but they don't really have the same motivation as the latter.

  35. Apparently... by Anonymous Coward · · Score: 0

    ...people consider "Pentagon" and "Security" antonyms...

  36. Re:Really? Haha by Saeed+al-Sahaf · · Score: 1

    Well, you obviously have low Karma judging by your intro score. So you speak your mind here, do you? (It's a JOKE!)

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  37. solution by SHEENmaster · · Score: 1

    #define While(x) while(!x)

    --
    You can't judge a book by the way it wears its hair.
  38. I love sitting down and reviewing other's code. by HeX86 · · Score: 2, Interesting

    It's true, people would rather write code than fix people's broken shit.

    Rather than fixing broken code, why don't we teach some people how to write decent programs? Maybe put up some documentation of some common security flaws and how people could have avoided coming near them by structuring their code differently.

    I know some code needs to be fixed, but let's face it, most people aren't willing to do it. There are a few unappreciated people out there who do this, and their job would be easier if people knew how to program better.

    I'm not talking just about the kernel, for what I know the kernel is excellently structured. Most of the security holes stand in userland code and that's the area where most of the programmers who lack good programming skills are.

    1. Re:I love sitting down and reviewing other's code. by stratjakt · · Score: 2, Informative

      No one writes perfect, bug-free, unexploitable code. Exploits are found in code previously thought to be perfect.

      There are some obvious things you can do, but on a sufficiently complex project, it's impossible to think of every possible use or misuse of the resulting code. Hell, some exploitable stuff is injected by the compiler.

      --
      I don't need no instructions to know how to rock!!!!
    2. Re:I love sitting down and reviewing other's code. by Anonymous Coward · · Score: 0

      Good idea, why don't you get started and submit a slashdot story when you're done.

  39. Re:Anyone know... by Anonymous Coward · · Score: 0

    sounds like you're upset no one is dry-humping you.

  40. Re:NEWS FLASH: People would rather write than debu by Anonymous Coward · · Score: 0

    True, that's why there are so many pre-alpha level open source projects out there that never get off the ground. Open Source has a few big successes, but for the most part 90% of the projects are much worse than your average shareware app was 10 years ago. There's no skill involved, people slap together some shit in PHP and call it a project, etc. Open source sucks.

  41. Re:Janet Jackson's tit by Anonymous Coward · · Score: 0

    It was definitely hers and it was pierced. Anyone have pics or video?

  42. Sardonyx is NOT a good name for this project. by 0x1337 · · Score: 3, Funny

    Who can blame the project for having failed, when it was named for the famous "stone of all bad" Sardonyx, i.e. Chtrag Sardius, the opposite of the Orb, or Chtrag Yaska?

    Who 'led' the project, Ctuchik The Grolim High Priest?

    ------>

    Ok, ok... I'm a dork. Read David Eddings' "Belgariad" and "Malloreon" though - they make for a great read.

  43. Sardonix had some value by El+Volio · · Score: 2, Interesting

    Sardonix got me interested in source code auditing, but I didn't like the reputation model. It's been more interesting to just do it; while so far I haven't found anything in the packages I've audited (and haven't bothered to report), it's taught me a lot about auditing in general and so I've found multiple vulnerabilities in various web packages I use both personally and professionally.

    If you want to encourage source code auditing, then the current system needs to be mended just a bit: as long as researchers are disdained by vendors who don't want to give credit for the problem or even prosecute folks who were kind enough to let them know about the vulnerability of their software, then there's going to be a chilling effect. That's what leads to the disclosure impasse that many find themselves in: disclose to the vendor first and not get credit, or disclose to the public first and get criticized?

    --

    "You can never have too many elephants on your team."

    1. Re:Sardonix had some value by Anonymous Coward · · Score: 0

      Probably get sued rather than criticized.

  44. Re:Janet Jackson's tit by Anonymous Coward · · Score: 1, Informative

    http://webpages.charter.net/hiphophead/titty.mpg

  45. It never helped me get started by bluGill · · Score: 4, Interesting

    I visited the site a few times, but didn't see anything to help me get started. Just some "we need to get project X reviewed". Then a complex point system that sounded motivating, but didn't do anything.

    I just wanted to get started. All they said was "read this code and look for problems". No duh, but how about some examples. Some help. I'd learn much more if 30 people read one file, each commented on it, and I could read them all. Once I learn to think of everything 30 people think of (who have expirence reading code) I'll do some more on my own. Nothing gets me started though. I'm an okay programmer (better than most really, but that isn't saying much considering the typical programmer I've seen), and I need to learn how to do this. How do expert code reviewers think?

    I just got back from wineconf, Alexander personally reads every single line that is committed to Wine. I know it can be done, but I need expirence before I could possibly do that, and no one bootstraps me to get the expirence.

    I understand this is a hard thing. I've developed before, and I can't document my code any better than anyone else. They made it their stated goal to help me, but then never did anything useful.

    1. Re:It never helped me get started by Anonymous Coward · · Score: 0

      that's spelled experience

    2. Re:It never helped me get started by Anonymous Coward · · Score: 0

      Things to look at (not complete):

      1. Are names meaningful?
      2. Are names easily remembered?
      3. Are code conventions followed? They must be written somewhere and put under CVS.
      4. Are comments good enough? Is there any explanation that needs to be written?
      5. Are comments useful? Can they be removed without losing information?
      6. Do all valid inputs produce valid outputs?
      7. Do invalid inputs produce valid error codes/exceptions?
      8. Are error codes/exceptions handled gracefully by all callers?
      9. Are there any memory or resource leaks?
      10. Are all boundary conditions handled gracefully?
      11. Are array boundaries handled correctly? Can there be array overruns?
      12. Is there an automated unit test to verify the functionality?
      13. Is this portable across the target environments?
      14. Is this thread safe?
      15. Are there any deadlock conditions?
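
      An added example, not from the original post or from Sardonix: the checklist's questions about invalid inputs (7), error codes (8), leaks (9), boundary conditions (10), array overruns (11) and unit tests (12) made concrete on a small C parser for a constructed length-prefixed record format. The format, the function names and the error codes are assumptions for the illustration. The first function is the kind of thing an auditor is hunting for; the second is the same parser after the audit, with each check tied to the checklist item it answers.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Record format constructed for this example (an assumption, not a real protocol):
 * one length byte N, then N bytes of name. The name is stored NUL-terminated in a
 * NAME_MAX buffer, so a well-formed record needs N < NAME_MAX. */
#define NAME_MAX 16

struct record { char name[NAME_MAX]; };

enum parse_status {
    PARSE_OK = 0,
    PARSE_EINVAL = -1,    /* bad arguments */
    PARSE_ETRUNC = -2,    /* input shorter than its declared length */
    PARSE_ETOOLONG = -3,  /* declared length does not fit in name[] */
    PARSE_ENOMEM = -4     /* allocation failed */
};

/* Before the audit. What the checklist items catch here:
 * item 9:  r leaks on the early-return path;
 * item 11: len is taken from the input unchecked, so memcpy can read past buf
 *          (len > buflen - 1) and write past name[] (len >= NAME_MAX);
 * item 7:  malformed input is not reliably turned into an error.
 * Only call this with well-formed input; the overrun case is undefined behaviour. */
int parse_record_unaudited(const uint8_t *buf, size_t buflen, struct record **out)
{
    struct record *r = malloc(sizeof *r);
    if (r == NULL)
        return PARSE_ENOMEM;
    if (buflen < 1)
        return PARSE_ETRUNC;            /* item 9: r is never freed on this path */
    size_t len = buf[0];                /* item 11: untrusted, unchecked */
    memcpy(r->name, buf + 1, len);      /* over-read and/or overrun */
    r->name[len] = '\0';                /* also one past the end when len == NAME_MAX */
    *out = r;
    return PARSE_OK;
}

/* After the audit: each check is the concrete answer to a checklist question. */
int parse_record_audited(const uint8_t *buf, size_t buflen, struct record **out)
{
    if (out == NULL)
        return PARSE_EINVAL;
    *out = NULL;                        /* item 8: a failing call never leaves a stale pointer */
    if (buf == NULL || buflen < 1)
        return PARSE_ETRUNC;            /* item 7: invalid input -> defined error code */
    size_t len = buf[0];
    if (len > buflen - 1)
        return PARSE_ETRUNC;            /* item 11: never read past the input */
    if (len >= NAME_MAX)
        return PARSE_ETOOLONG;          /* item 11: never write past name[] */
    struct record *r = calloc(1, sizeof *r);   /* item 9: validate first, nothing to leak */
    if (r == NULL)
        return PARSE_ENOMEM;
    memcpy(r->name, buf + 1, len);
    r->name[len] = '\0';                /* len <= NAME_MAX - 1, so in bounds */
    *out = r;
    return PARSE_OK;
}

void record_free(struct record *r) { free(r); }

/* Item 12: a check a unit test can call. Parses buf with the audited parser,
 * compares the extracted name with expect on success, frees the record and
 * returns the parser status (PARSE_EINVAL if the name did not match). */
int parse_and_check(const uint8_t *buf, size_t buflen, const char *expect)
{
    struct record *r = NULL;
    int st = parse_record_audited(buf, buflen, &r);
    if (st == PARSE_OK && strcmp(r->name, expect) != 0)
        st = PARSE_EINVAL;
    record_free(r);
    return st;
}

/* Items 10 and 11: constructed boundary inputs (truncated, oversized, exactly one
 * byte too long, empty) fed through the audited parser; returns how many of the
 * four were rejected. Every one should be. */
int count_rejected_malformed(void)
{
    const uint8_t truncated[] = { 5, 'h', 'i' };              /* declares 5, carries 2 */
    const uint8_t oversized[20] = { 19, 'x' };                /* 19 >= NAME_MAX */
    const uint8_t boundary[NAME_MAX + 1] = { NAME_MAX };      /* 16: no room for the NUL */
    const uint8_t *inputs[] = { truncated, oversized, boundary, truncated };
    const size_t lens[] = { sizeof truncated, sizeof oversized, sizeof boundary, 0 };
    int rejected = 0;
    for (size_t i = 0; i < 4; i++) {
        struct record *r = NULL;
        if (parse_record_audited(inputs[i], lens[i], &r) != PARSE_OK && r == NULL)
            rejected++;
        record_free(r);
    }
    return rejected;
}

int main(void)
{
    const uint8_t ok[] = { 5, 'h', 'e', 'l', 'l', 'o' };      /* constructed well-formed record */
    struct record *r = NULL;
    int st = parse_record_audited(ok, sizeof ok, &r);
    printf("well-formed: status %d, name \"%s\"\n", st, r ? r->name : "(none)");
    record_free(r);
    printf("malformed inputs rejected: %d of 4\n", count_rejected_malformed());
    return 0;
}
```

      The point of the "before" version is that it behaves identically to the audited one on every well-formed input, which is exactly why it survives ordinary testing; only the boundary inputs in count_rejected_malformed() tell the two apart, and a reviewer working through items 7 to 11 of the list above is asking for precisely those inputs.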

  46. Business plan by Maljin+Jolt · · Score: 2, Funny

    1. Read some router code
    2. Document all critical security vulnerabilities
    3. Do not report any bugs
    4. ???
    5. Profit!

    --
    There you are, staring at me again.
  47. Shoe's On The Other Foot by Dark+Bard · · Score: 3, Interesting

    Very interesting attitude. I've gotten into several very heated exchanges on Slashdot concerning copyrights. The universal answer was copyright laws favor the artists too much and they should do it out of love and there's nothing wrong with downloading music and movies for free even if it robs the artist. I was given the pious example of people writing open source code for free. I was never given an example of how they were supposed to feed themselves while they worked for free.

    Now I hear code writers should always be paid for their work even if it's for the benefit of all. Feels different when the shoe's on the other foot. If all intellectual property should be free why aren't code writers working for free and working at the local 7 eleven to pay their bills? I realize no one wants to hear this and I'm sure this post will get a low mod because it's tradition to kill the messenger but you can't have it both ways.

    Everyone has a right to earn a living and working for free or giving away your work ain't going to pay the bills. I'm thrilled people write open source code for free. Artists often work for free and work a disturbing number of unpaid hours. The hardest thing for an artist is generally getting someone to pay for their work in the first place. Free market basically works, in spite of a few bumps. Change the law and allow people to go into a farmer's field and pick the crops without paying and see how quick people give up on farming. Sorry there's no difference.

    1. Re:Shoe's On The Other Foot by StarCat76 · · Score: 2, Informative

      Well, in regards to your Music Artists analogies, I believe the general consensus on Slashdot is not that they do not deserve money for their work, just that downloading the music on P2P is not hurting artists. Firstly, there's the old argument of those who wouldn't buy it anyway, and are thus not hurting anybody. However, consider this: For those who really like a certain band who happens to be signed under the RIAA, which option is more attractive?

      #1. Buy CD from the store. Cost, $20. The artist will get around 20c I believe. Then, the disc will not be able to be ripped or played on a computer without a struggle.

      #2. Download the songs of the album off a P2P network. Mail the artist $5. Cost, $5.34. One is then free to do whatever you want with the music.

      I know this diverged a bit from the topic, but I really don't think most /.'ers are against artists making money off their music. Just that they see the records labels as making that an inviable choice.

    2. Re:Shoe's On The Other Foot by HiThere · · Score: 1

      The trouble with choice 2 is that even with good intentions, you probably won't do it.
      It's just too easy to procrastinate after you have what you wanted.

      That said, I think you overestimate what the RIAA pays the average artist. (Not what they claim to pay them, but they do funny things with accounting. And they won't let anyone check their books. Well, not without a lawsuit, and getting plenty of time to make things look right.)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    3. Re:Shoe's On The Other Foot by Dark+Bard · · Score: 2, Informative

      Music is the easier subject now but film will be getting hit harder and harder as downloading speeds become less of an issue. The artists have always gotten the short end of the stick in both industries, worse in music than film. Unfortunately the falling revenues have forced groups to look to touring as potentially their primary source of income. A lot of artists prefer not to tour due to it making it virtually impossible to have a life. They are having to look seriously at touring now as an option. It's changing artists' lives. If a direct sales system settles in it will benefit the artists in the end.

      Film is a different problem. Films are extremely expensive to make. Most want to see big budget films not the glorified home movies that could be made by most individuals. Ticket sales have been falling. Profits have gone up only because of rising ticket prices. They've basically hit the barrier of diminishing returns. The studios have already begun to defend their profit margins by taking productions out of country. If DVD sales and theatrical sales drop due to pirating they'll simply push harder on finding cheaper and cheaper foreign sources. It's absolutely hurting the artists and technicians more than the studios. On the average big budget effects film between 100 and 500 CG artists are hired. Most of those jobs will disappear in the US in the next ten years. In a perfect world when the profits drop the ones at the top would take the hit. In the real world the cuts start at the bottom.

    4. Re:Shoe's On The Other Foot by dwpro · · Score: 1

      What you are referencing is not the point of what I read above. Some of us like to contribute, but the contribution is a very delicate thing. We don't want to feel obligated or like we've been tricked/coerced into doing it. Also, there is the factor of need. I would gladly fix the computer/code of a kid in an orphanage, but not for my aunt who feels like I should since I am her kin, or for someone who can obviously afford it. As for the music argument...yes, you must be right, music will cease to exist when people cannot make money off of the reproduction of it. The farmer analogy is terrible...but let's go with it...I would venture to say that some farmers would still grow them, just to get the satisfaction of helping people/people appreciating what they do, or out of love of the art of farming. I say, bring on the end of music as we know it...just to see what happens

      --
      Millions long for immortality who do not know what to do with themselves on a rainy Sunday afternoon. -- Susan Ertz
    5. Re:Shoe's On The Other Foot by CodeBuster · · Score: 1

      The problem with this is human nature and economics. People who would normally pay for the work under the framework you have outlined have a disincentive to do so because of what economists call the "freerider" problem. It is possible to download the song and NOT pay and this option becomes more attractive as more people choose to do just that. That is why National Public Radio has so much trouble finding people willing to donate and why Stephen King was unable to finish the Internet novel "The Plant." Good people, even if they intend to pay, will often behave differently when nobody is watching and "everyone is doing it". That is the reason why goods and services that benefit us but upon which we can "freeride" are generally provided by the government with our tax dollars because that is the only proven reliable way to get everyone to pay their fair share.

      Note: I am not in favor of nationalizing the music business and I am generally suspicious of government regulation, ownership, and control. However, the freerider problem explains why the so called "street performer" protocol for compensating artists does not work.

    6. Re:Shoe's On The Other Foot by alienmole · · Score: 1
      Extremist positions on both sides are silly. But here's the simple difference in this particular case: a particular service was wanted, and was essentially put out to tender, with requirements, etc. Only problem is, the pay was zero, and even the attempt at payment in terms of peer acknowledgment was flubbed badly. So there's no incentive to do it.

      The case with artists, whether they produce music, paintings, or code, is different. I doubt anyone is suggesting that Superbowl commercials be produced free of charge by volunteers. That's business, and it's paid for. But that's not the motivation for producing art. Those motivations are different, and they don't really have anything to do with money - someone producing art or code for money is not an artist or a hacker, they're a commercial resource, an economic agent.

      The organizers of this project didn't understand open source or free software at all - or at least, the person who named it (sardonically) perhaps understood it, but those who pushed it to fruition did not.

      This is not a question of the shoe being on the other foot, it's a case of people not knowing that they're trying to force the foot into entirely the wrong kind of shoe.

Change the law and allow people to go into a farmer's field and pick the crops without paying and see how quick people give up on farming. Sorry, there's no difference.

      See, you're doing it again. No-one grows hundreds of hectares of corn for the fun or love of it - they do it for commercial reasons. A closer analogy would be someone who grows corn for their family and friends. But the difference is that they have physical and economic limits on how much of the corn they can produce. No such limits exist for software, so someone doing it for reasons other than primarily commercial can distribute an unlimited amount of the stuff.

      All this doesn't even touch on the fact that a lot of open source isn't done for fun or love but from quite pragmatic reasons - it just makes sense to make some kinds of code public, and benefit from others' contributions, where each person contributes for their own reasons, which can't really be forced in one direction or another.

      The problem here is just that people stuck in the if-it's-free-there-must-be-something-wrong mindset have failed to recognize the huge range of things that motivate humans, other than money. Their attempts to fit these behaviors into naive but familiar little boxes, like the laughable point system that the Sardonix project came up with, are doomed to failure until they really understand what they're dealing with.

      OK, now someone mod me up. I want my karma points, dammit! ;)

    7. Re:Shoe's On The Other Foot by Dark+Bard · · Score: 1

I completely agree. Ultimately what happens is the options become more limited. Less music will be available and fewer films will be made, concentrating the wealth even more. It's already happened in the film industry. The shift from a theater-based economy to a video tape/DVD-based one drastically reduced production. It originally caused a boom in the 80s, but by the end of the 80s the video stores decided to limit the number of independent and lower-budget films and focus on higher-profit big-budget films. By this point it had become nearly impossible to get a proper theatrical release for a smaller film, so they were shut out. At first it was hard to get anything made for over three mill. It then dropped to one mill and now the target is under 500 grand. The direction is for under 100 grand for independent films. Trust me, you can't do much for under 100 grand. Yes, there are films made for more than these numbers, but most lose money or make very little. It's a lot of risk for little return, so the numbers keep dropping. Depend on cable? Most channels are paying between 8 grand and 500 grand. Those paying at the high end want all rights. If you make a film for 500 grand it doesn't leave much profit. If it cost more, you lose. Yes, the major players, the HBOs and such, are paying more, but just for high-budget or popular films. Blockbuster recently decided to radically downsize what few independents they buy now. HBO is concentrating on made-for-cable TV series. Markets are drying up fast, with foreign countries starting to focus on locally produced reality TV. The industry can't take a lot more hits. Everyone can choose not to support the film industry, but I continually hear complaints about a lack of options from consumers. Video is the last holdout for independents. If it ceases to be viable, most will dry up and what you'll be left with is what the studios choose to produce. Legally Blonde 6, or how about Friday the 13th Part 20?
Don't laugh, you could see both films. The trend is in that direction because they've largely run out of ideas and don't want outsiders taking work away from the insiders. Ultimately the consumers are hurting themselves. That free CD or DVD may be fun for now, but in the end it will limit what is available and, by reducing competition, it will hurt quality.

    8. Re:Shoe's On The Other Foot by Anonymous Coward · · Score: 0

      Do you have an Enter key?
      Format your fucking posts please.

    9. Re:Shoe's On The Other Foot by 4of12 · · Score: 1

A lot of artists prefer not to tour due to it making it virtually impossible to have a life.

      I don't mean to sound hard-hearted, but most of the rest of us would prefer not to have to slug it out in the working world either because work obligations make it very difficult to have a life.

      I encourage everyone to help cut out the middle-men that take more than they give; instead of buying an expensive CD go out and see music performed live the way it was meant to be.

      Likewise, see a stage production with live actors instead of going to the big screen to see big explosions.

      --
      "Provided by the management for your protection."
    10. Re:Shoe's On The Other Foot by resinman · · Score: 1

      If all intellectual property should be free why aren't code writers working for free and working at the local 7 eleven to pay their bills?

      Being paid is one thing, raping the customer and the artist through price gouging and just plain theft is another.

      Why gouge the customer for a distribution chain that is inefficient and obsolete. The artist should get paid for their creation enough to pay their bills like the rest of us.

      Eben Moglen explains it this way, "If you could feed everyone on earth at the cost of baking one loaf and pressing a button, what would be the moral case for charging more for bread than some people could afford to pay?"

      Don't charge me $20.00 US for a CD with 10 tunes on it when the artist gets paid .03 cents per tune and tell me it is for distribution costs, when I can download the same 10 tunes for free and burn a CD for 50 cents.

  48. Re:OT: Janet Jackson's breast by bigjnsa500 · · Score: 0, Offtopic

    See?....just what I said before.

    --
    This is a test. This is a test of the emergency sig system. This has been only a test.
  49. spend your mod points on me! by msg1825 · · Score: 0, Flamebait

    Linuxers are acne-covered dateless red commie cheapskates.

    1. Re:spend your mod points on me! by Mongo222 · · Score: 1

      It's ok, I'm sure that you can find work as a ditch digger, or stocking shelves at Walmart. It was only a matter of time before we got tired of Microsoft's crap and left them behind. It's not the end of the world, I'm sure you have some sort of skill the world needs.

  50. Face it, you are geek COMMIES by Anonymous Coward · · Score: 0

    ;

    ;

    Face it, you are geek COMMIES, at least most here are.

    ;

    ;

    1. Re:Face it, you are geek COMMIES by jcuervo · · Score: 1
      Face it, you are geek COMMIES, at least most here are.
      Darl reads slashdot??!
      --
      Assume I was drunk when I posted this.
  51. Story of my Life by Dareth · · Score: 1

    Sigh, Too old to be new, too new to be OldSchool!

    I have a pretty low ICQ # too... wonder what it is??? I don't seem to remember.. must be old age.

    Damn kids... always going on about how "OLD SCHOOL" they are. How many of them walked 10 miles to a university lab to have access to a VT-100 terminal... oh well was for mudding ... not like I was addicted to IRC or some stupid shit like that. : )

    --

    I only look human.
    My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
    1. Re:Story of my Life by Endive4Ever · · Score: 1

      When I was in High School I didn't have a terminal at home. All I could do from home was call up the modem pool phone number that we used at school (on the 110 baud ASR-33 teletypes) and whistle into the phone. If you whistled in a warbling fashion you could get the modem to respond with modulated warbling.

      True life story, by the way.

      A few years later the adventures involved trying to find a fast DecWriter on the University campus (a fast DecWriter was a terminal that would print to fanfold paper at 1200 baud or faster).

      --
      ---
  52. Augment, Not "Replace" by Crispin+Cowan · · Score: 5, Insightful
The /. story says that Sardonix "aspired to replace the Linux security review process." This is not true, and it doesn't even say that in Poulsen's article. Sardonix sought to augment existing software auditing practices, trying to give more credit to people doing the work, and more clearly document the work done. Sardonix was also about open source software in general, and not the Linux kernel in particular.

    Crispin
    ----
    Crispin Cowan, Ph.D.
    CTO, Immunix Inc.

    1. Re:Augment, Not "Replace" by Anonymous Coward · · Score: 0

      How difficult was it to get involved?

I ask because many "community" projects set up with funding tend to require people to jump in with both feet. The real community projects are very loosely organised and people get involved as little or as much as they like... lots of people start out dipping their toes, and get slowly drawn in.

  53. That's not OSS's strongest argument by TrentC · · Score: 1

    Why do you assume that no bug fixing or code auditing was being done outside of this apparently obscure government-funded project no one heard of?

    "OSS's strongest argument", as you put it, is that people who use the code will find the bugs, fix the bugs, and share the fixes. I fix a bug that may affect you, you fix a bug that may affect me, we both benefit; so does the guy that hasn't run into either bug yet.

    But Crispin Cowan scratches his head because the few people who heard of his project thought coming up with an effective scoring system was more challenging, interesting, or sexy than signing up to do someone else's programming shit-work for free and have their work critiqued and graded?

    And he wonders why his project was a failure?

    Jay (=

    1. Re:That's not OSS's strongest argument by Anonymous Coward · · Score: 0

Of course, the thing about the above-mentioned OSS method is that there is real proof that you fixed my bug, or I fixed yours, other than "works for me", and there definitely isn't usually an audit to see that the combination of our two bug fixes didn't create an obscure boundary condition that completely hoses the program.

Of course, it's rarer than hen's teeth that commercial software does that kind of checking either, so I wouldn't call that OSS's Achilles heel.

A real code auditor is very much the goose that lays the golden eggs. When you find somebody with that bent and level of rigor, you give him all the rewards he deserves and all the Yoo-hoo chocolate drink he wants, and thank your lucky stars. By their very nature, though, they do not tend to be the kind of people that obsess about their Slashdot karma (or any other bogus "status" meter that might exist.)

54. That's The Linux Credo..For "Free" As In "Dumb" by Anonymous Coward · · Score: 0

    and you folks wonder why tech jobs are going to India and China?

Don't work for "free" as in "dumb"

    Duh

  55. In failure... by Anonymous Coward · · Score: 0
    Lies much public attention?

    They probably got more attention when it was announced they were a failure than all the previous time they've existed, combined.

  56. Solution: Prizeorama by Anonymous Coward · · Score: 0

They should offer prizes - a free car, a holiday, an inclusive entertainment package, whatever. If you can't afford to pay people properly, then you can at least pander to base greed, and the excitement of 'Winning'.
Picture a few scantily clad girls, with a byline '3rd Prize'. Glamorize and sex things up.

  57. Reading their site... by Anonymous Coward · · Score: 1, Insightful
    With a comment like this:
    While the site is not yet active or functional, a mock-up of the general layout and organization of the site has been posted.
    on their website, how can they be surprised that hardly anyone is using it?
  58. Not really. by lysium · · Score: 1
    Your faith was naive from the start, then. Boring drudge-code has never been OSS's speciality. Big name sponsors like IBM pay coders to do specific tasks that no one else is willing (or has the expertise) to do; why the hell would anyone do shit work for the government for free?

    My friend's hobby is cooking. Should I expect him to come over and make dinner for me every night, because I assume he will enjoy it?

    =========

    --
    Together, we will drive the rats from the tundra.
  59. informative? by Anonymous Coward · · Score: 0

    Wow, even 13-year-old boys moderate slashdot now. Sad.

  60. I don't think so... by Ayanami+Rei · · Score: 1

    I didn't even know what the hell it was until right now! Wouldn't be worth much anykinda-cred.

    That's probably why no one used it. Hmm.

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  61. Re:Really? Haha by Bob+Uhl · · Score: 1

    'Horribly high uid'? Take a look at mine--and to think that I was actively reading and posting to Slashdot before it even had accounts. I was lazy, and figured that I didn't need the benefits an account offered. I forget, now, what it was that made me actually bother to sign up. All I know is that my uid is so high that even small children laugh at me:-)

  62. A few reasons why... by slamb · · Score: 4, Insightful
    There are a few reasons why this project never took off:

    First, they widely advertised it and then took forever to get the site going. I think most people had forgotten about it or given up on it by that point. And then they never publicized it again. (Specifically, it was initially slashdotted on 6 Feb 2002. On 13 Oct 2002, a message on the Sardonix mailing list mentioned that it had been mostly live for a couple weeks, and that the point system still wasn't online. No wider announcement.)

    Second, all the packages listed there for review were fairly well-respected blocks of code written by skilled coders. Consequently, most of the reviews were of the form "yup, this code essentially looks good". They were also extremely large projects, so people said "I didn't do a full review; I just tried this automated tool". It doesn't really mesh up with what he said in the article:

Cowan believes Sardonix was a casualty of security community culture, which he says rewards researchers who find clever or splashy holes in a program, but not for making software more secure. "The Bugtraq model is: find a bug, win a prize -- a modest amount of fame," says Cowan. "Our model is: review a whole body of code, eventually finding no bugs, and receive a deeper level of appreciation from people who use the code.

    "It seems the Sardonix lesson is people don't want to play this game, they want to play the Bugtraq game."

    There was no "making software more secure [...] eventually finding no bugs"; I don't think anyone ever really found a significant bug through this project.

    If they had targeted lots of small projects on freshmeat (like web stuff - PHP, mod_perl, JSP/servlet, etc.), it would have been much more interesting. Those projects have all kinds of security bugs. They could have taught the people in question some good security practices and actually accomplished what they set out to do. Maybe they would have eventually branched out into certifying these infrastructure projects, but it wasn't a good initial goal.

Lastly, who knows what they did with that DARPA funding. Plenty of open source projects with no funding do much more impressive work than that website, and in much less time, too.

  63. Re:DARPA "funded" !? SETI @ Home by Anonymous Coward · · Score: 0

    ... I find the assumption that people will perform valuable services for simple recognition just plain weird. People who think this way just don't get it - you want someone to do something for you, you pay for it.

When I feel like releasing code to the public is a good idea, I will do it, but don't think that I am some sort of an OSS monkey who jumps at every opportunity to work for free!

    I agree. But this also means that many people in the Linux / OSS community at large are ultimately selling a bill of goods to their managers with the party line of "Linux is free! Support is free! Just send mail to this list and ...", not to mention the "many eyes" theory.

    There may be many people willing to help, but to count on the kindness of strangers for mission critical functions is foolish.

  64. Re:Really? Haha by Reteo+Varala · · Score: 1

    Please, us low-number posters are people, too! We just want to be friends!

    Can't we all just... get along?

  65. OpenBSD backlash? by cpghost · · Score: 2, Insightful

    Maybe people in the security community didn't forget about DARPA's decision not to fund OpenBSD anymore. It doesn't pay to mix politics with research...

    --
    cpghost at Cordula's Web.
  66. MS nsakey by Anonymous Coward · · Score: 0

    At least on Windows they call it nsakey so we don't have to guess!

    google it

  67. code audits by Tom · · Score: 3, Insightful

    This is then the 3rd or 4th Linux code audit project to fail. (I was a participant in 2 others)

    Why? Because auditing code is

    * difficult and tricky
    * unrewarding
    * lots of hard work

    It simply isn't something you want to do unless you are as passionate and fanatic about your project as the OpenBSD guys are.

    --
    Assorted stuff I do sometimes: Lemuria.org
  68. This kind of flies in the face of free software by iamacat · · Score: 1

Because in commercial, closed-source companies people do review other people's code and hold bug hunts for critical modules. I guess some people would do the unpleasant work anyway, because they want Linux to succeed. But, according to Sardonix, this goes about as far as workers' competition in socialist countries.

    I wonder what RMS would say about this.

  69. Bad use of whitespace ... by Aceticon · · Score: 1

    You just gave me an angle into making me world famous.

By artistically using a GIF to ASCII converter, some tasteful erotic images, C comments and an appropriately named include file in the Linux kernel source tree (io.h?) ... I will be the first to merge porn and open source OS development.

    That will give me a place in history!!!

  70. Similar project by Big+Nothing · · Score: 1

    There's already a similar project out there, one with significant success. It's called OpenBSD.

    --
    SIG: TAKE OFF EVERY 'CAPTAIN'!!
  71. Re:Really? Haha by manavendra · · Score: 1

    damn, i shouldn't even dare participating then... guess the yet-to-be-born further /. 'ers would scowl at me :-s

    --
    http://efil.blogspot.com/
  72. OB History Channel Quip by Anonymous Coward · · Score: 0
    never get involved in a land war in Asia

    Oh, I don't know, the Mongols seemed to do pretty well. I guess you just have to live there.

    1. Re:OB History Channel Quip by DinosaurNeal · · Score: 1

It's a quote from The Princess Bride. Wallace Shawn said it to Cary Elwes.

  73. Who trusts who?? Sardonic remark... by Lucifugue · · Score: 1

    Who trusts who?? Sardonic remark...

    The DOD auditing linux code? Indirectly?

Seems to me the perfect way to blanket a trojan horse in hiding... Just have your people participate and lie...
All those foreign governments not using Microsoft software...

    Who watches the watchman?

  74. Slashdot is not the borg by ChaosDiscord · · Score: 1
    Very interesting attitude. I've gotten into several very heated exchanges on Slashdot concerning copyrights. The universal answer was copyright laws favor the artists too much and they should do it out of love and there's nothing wrong with downloading music and movies for free even if it robs the artist.

No, the universal answer is that life is complicated and no one knows everything. As a result, in a large group of people (like, say, Slashdot), you'll get a wide variety of opinions, some on each extreme end and some more nuanced opinions. If you think Slashdot is hypocritical then world politics must completely baffle you.

Any argument accusing Slashdot on the whole of hypocrisy or holding inconsistent opinions simply shows how disconnected you are.

Change the law and allow people to go into a farmer's field and pick the crops without paying and see how quick people give up on farming. Sorry, there's no difference.

It's a good thing you apologized, since it's a completely inappropriate analogy. A better analogy would be if people could purchase food from a farmer, take the seeds in that food, and grow their own copy of the food. Oh, wait, they can do that.

    In general once I purchase something from you I have the right to do with it as I will. Copyright adds this unusual twist that the original creator can limit my actions with the thing that I purchased. It's entirely unlike traditional property law. I'm in favor of copyright, I think it can be a very good thing. But to suggest that copyright is just a form of physical property law is stupid.

75. slashdot seems slow? by Anonymous Coward · · Score: 0

    having problems