DARPA-Funded Linux Security Hub Withers
mAriuZ writes "Initially funded by a grant from the Pentagon's DARPA, the Sardonix project aspired to replace the Linux security review process with a public website that meticulously tracks which code has been audited for security holes, and by whom. As conceived by Crispin Cowan, Sardonix was to attract volunteer auditors by automatically ranking them according to the amount of code they've examined, and the number of security holes they've found. Auditors would lose points if a subsequent audit by someone else turned up bugs they missed. ... In the end, though, nobody showed up."
I don't think so. The NSA released SELinux as source code, it has been reviewed by many people and adopted into the 2.6 kernel. It would be rather difficult to sneak in "hundreds if not thousands of pre-programmed exploits" into the Linux kernel.
Check the FAQ
Too bad that the real work to be done here was largely undertaken previously by the "Kernel Janitors". This is a genuinely community-based effort, designed EXACTLY to remediate the less-than-glorious issues within existing kernel trees.
And, Hey!
They are training aspiring kernel developers, who can hone their skills and become intimately familiar with kernel internals by contributing in a meaningful way! Even if it's just repairing bad use of whitespace...
"Flyin' in just a sweet place,
Never been known to fail..."
It's been a story on Slashdot (2002) at least once. And I remember it being mentioned in a thread in another story last year--mind you, that's only because Crispin's name jumped out at me. (Like the time Tanya Huff did something nasty to him in one of her books. ;)
One line blog. I hear that they're called Twitters now.
I follow the security community pretty closely, monitor a fair number of techie news sites and otherwise try to stay aware of this sort of thing. The first I heard of the project was this story - I must have missed it the last time it was mentioned two years ago. Not many sites linked to sardonix.org after the initial news stories, either.
What is a forrest ?
The guy who played Dr. McCoy on Star Trek.
Opinions on the Twiddler2 hand-held keyboard?
But access control is very much related to stopping exploits. A good set of access controls (SELinux or LIDS or RSBAC or the like) means that when, say, apache gets exploited, the attacker can't do any real damage and certainly can't fork a command shell.
It means that when your mail client gets exploited through an attachment type hole, the executed attachment can't access your address book or send mail itself. All good stuff.
It also means that very few programs need to be run as root thus providing even fewer avenues for the attacker to use.
- Muggins the Mad
What the AC in post #8154783 seemed to be trying to say is that the leader of the OpenBSD project turned off network-accessible services in the default install, is not forthcoming with the details of these security-related modifications, and acts in a self-promotional manner.
I don't actually agree with this characterization of OpenBSD; I'm simply trying to provide a translation for the curious. I don't think the AC is using stunningly effective debate technique, either.
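The confinement argument in Muggins the Mad's access-control comment above (an exploited apache that cannot fork a shell, an executed attachment that cannot reach the address book or send mail) can be made concrete with a toy type-enforcement checker. This is an added example, not code from the thread and not SELinux, LIDS or RSBAC's own policy language or engine: the rule syntax, the domain and type names (httpd_t, mua_sandbox_t, shadow_t and so on) and the scenarios are all constructed for illustration. The point it shows is the default-deny decision: a hijacked process keeps its domain, and anything the policy never granted to that domain is refused.

```python
"""Toy type-enforcement (TE) check. Added example; rule syntax and all names are
constructed for illustration and are not SELinux's actual policy language."""
import re
from collections import defaultdict

# Constructed policy: subjects are domains (httpd_t, mua_t, ...), objects are
# types, and every permission must be granted explicitly (default deny).
POLICY_TEXT = """
allow httpd_t httpd_content_t:file { read getattr };
allow httpd_t http_port_t:tcp_socket { bind listen accept };
allow httpd_t httpd_log_t:file { append };
allow mua_t mua_addressbook_t:file { read write };
allow mua_t smtp_port_t:tcp_socket { name_connect };
allow mua_t mua_attach_t:file { read execute };
type_transition mua_t mua_attach_t:process mua_sandbox_t;
allow mua_sandbox_t mua_attach_t:file { read };
"""


class Policy:
    """Parses allow and type_transition rules and answers access queries."""

    def __init__(self, text):
        self.allow = defaultdict(set)   # (domain, type, class) -> permissions
        self.transitions = {}           # (domain, executed type) -> new domain
        for line in text.strip().splitlines():
            line = line.strip().rstrip(";")
            if not line or line.startswith("#"):
                continue
            m = re.fullmatch(r"allow (\w+) (\w+):(\w+) \{ ([\w ]+) \}", line)
            if m:
                dom, typ, cls, perms = m.groups()
                self.allow[(dom, typ, cls)] |= set(perms.split())
                continue
            m = re.fullmatch(r"type_transition (\w+) (\w+):process (\w+)", line)
            if m:
                dom, typ, new_dom = m.groups()
                self.transitions[(dom, typ)] = new_dom
                continue
            raise ValueError(f"unparsable rule: {line!r}")

    def check(self, domain, obj_type, cls, perm):
        """Default deny: the permission must appear in some allow rule."""
        return perm in self.allow.get((domain, obj_type, cls), set())

    def exec_domain(self, domain, exec_type):
        """Domain a process lands in after executing a file of exec_type,
        or None if executing that file type is not permitted at all."""
        if not self.check(domain, exec_type, "file", "execute"):
            return None
        return self.transitions.get((domain, exec_type), domain)


POLICY = Policy(POLICY_TEXT)


def exploited_apache_actions(policy):
    """A hijacked httpd process is still confined to httpd_t; the policy, not
    the attacker's payload, decides what it may touch."""
    return {
        "read_web_content": policy.check("httpd_t", "httpd_content_t", "file", "read"),
        "write_web_content": policy.check("httpd_t", "httpd_content_t", "file", "write"),
        "read_shadow": policy.check("httpd_t", "shadow_t", "file", "read"),
        # shell_exec_t was never granted execute to httpd_t, so no shell.
        "spawn_shell": policy.exec_domain("httpd_t", "shell_exec_t") is not None,
    }


def executed_attachment_actions(policy):
    """The mail client itself may read the address book and talk to SMTP, but
    an executed attachment transitions into mua_sandbox_t, which has neither."""
    dom = policy.exec_domain("mua_t", "mua_attach_t")
    return {
        "attachment_domain": dom,
        "mua_reads_addressbook": policy.check("mua_t", "mua_addressbook_t", "file", "read"),
        "attachment_reads_addressbook": policy.check(dom, "mua_addressbook_t", "file", "read"),
        "attachment_sends_mail": policy.check(dom, "smtp_port_t", "tcp_socket", "name_connect"),
    }


if __name__ == "__main__":
    for name, result in (("exploited apache", exploited_apache_actions(POLICY)),
                         ("executed attachment", executed_attachment_actions(POLICY))):
        print(name)
        for action, allowed in result.items():
            print(f"  {action}: {allowed}")
```

The two scenario functions return dictionaries so the outcome is inspectable rather than just printed; the real systems the comment names make the same kind of decision inside the kernel on every open, exec and connect, which is why confinement holds even after the application's own code has been subverted.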
The question you should be asking yourself is why organizations like the NSA and DARPA, which are after all dedicated to eavesdropping and intelligence gathering, would want to spend time and resources making the computer systems of target nations more secure.
Perhaps because their mission also includes improving the information security of their own nation?
No one writes perfect, bug-free, unexploitable code. Exploits are found in code previously thought to be perfect.
There are some obvious things you can do, but on a sufficiently complex project, it's impossible to think of every possible use or misuse of the resulting code. Hell, some exploitable stuff is injected by the compiler.
I don't need no instructions to know how to rock!!!!
"Timing the Application of Security Patches for Optimal Uptime". Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, Chris Wright, and Adam Shostack. Presented at the USENIX 16th Systems Administration Conference (LISA 2002), Philadelphia, PA, December 2002. Available as PostScript or (ugly) PDF.
Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.
All the conspiracy theory noise on this topic is just a load of crap. DARPA didn't cut us off for any spooky reason; the contract just ended on schedule. I did my best to market the project to suitable audiences, but it never caught on. I'm still all for making it work, but I no longer have Federal money to pay for it, so it's now all-volunteer.
Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.
Well, in regards to your Music Artists analogies, I believe the general consensus on Slashdot is not that they do not deserve money for their work, just that downloading the music on P2P is not hurting artists. Firstly, there's the old argument of those who wouldn't buy it anyway, and are thus not hurting anybody. However, consider this: For those who really like a certain band who happens to be signed under the RIAA, which option is more attractive?
/.'ers are against artists making money off their music. Just that they see the records labels as making that an inviable choice.
#1. Buy CD from the store. Cost, $20. The artist will get around 20c I believe. Then, the disc will not be able to be ripped or played on a computer without a struggle.
#2. Download the songs of the album off a P2P network. Mail the artist $5. Cost, $5.34. One is then free to do whatever you want with the music.
I know this diverged a bit from the topic, but I really don't think most
Music is the easier subject now, but film will be getting hit harder and harder as downloading speeds become less of an issue. The artists have always gotten the short end of the stick in both industries, worse in music than film. Unfortunately the falling revenues have forced groups to look to touring as potentially their primary source of income. A lot of artists prefer not to tour due to it making it virtually impossible to have a life. They are having to look seriously at touring now as an option. It's changing artists' lives. If a direct sales system settles in, it will benefit the artists in the end.

Film is a different problem. Films are extremely expensive to make. Most want to see big budget films, not the glorified home movies that could be made by most individuals. Ticket sales have been falling. Profits have gone up only because of rising ticket prices. They've basically hit the barrier of diminishing returns. The studios have already begun to defend their profit margins by taking productions out of country. If DVD sales and theatrical sales drop due to pirating, they'll simply push harder on finding cheaper and cheaper foreign sources. It's absolutely hurting the artists and technicians more than the studios. On the average big budget effects film, between 100 and 500 CG artists are hired. Most of those jobs will disappear in the US in the next ten years. In a perfect world, when the profits drop the ones at the top would take the hit. In the real world the cuts start at the bottom.