Slashdot Mirror


DARPA-Funded Linux Security Hub Withers

mAriuZ writes "Initially funded by a grant from the Pentagon's DARPA, the Sardonix project aspired to replace the Linux security review process with a public website that meticulously tracks which code has been audited for security holes, and by whom. As conceived by Crispin Cowan, Sardonix was to attract volunteer auditors by automatically ranking them according to the amount of code they've examined, and the number of security holes they've found. Auditors would lose points if a subsequent audit by someone else turned up bugs they missed. ... In the end, though, nobody showed up."

11 of 281 comments

  1. DARPA "funded" !? by gtrubetskoy · Score: 4, Insightful

    Our model is: review a whole body of code, eventually finding no bugs, and receive a deeper level of appreciation from people who use the code.

    I'm sorry, appreciation does not pay bills.

  2. Let's be honest by Anonymous Coward · Score: 5, Insightful

    Auditing is boring. If you've got the skills to audit, you'd probably be much happier writing the code yourself.

  3. Still A Good Idea by Naked Chef · Score: 5, Insightful

    Whose time may eventually come. Part of the problem is, as the article mentions, the "Bugtraq" mentality - people are only interested in the flashy big bugs, not the little ones that "only" increase stability. The other problem seems to simply be one of logistics, which the web site apparently didn't sort out. People are already doing this, on a smaller scale. How to get it into a single group under this Sardonix name without duplicating effort? Still difficult. I'd look for it again, in another form, in a few years :)

  4. You are right by Anonymous Coward · Score: 4, Insightful

    Your post was Classic misdirection. Also known as FUD.

  5. Doomed from the start by realmolo · Score: 5, Insightful

    Here's what they were asking for: WANTED- Extremely experienced Linux coders, familiar with all aspects of security, to verify others' undocumented code, so that the federal government doesn't have to do it themselves. Salary starts at 0 dollars per year. Benefits include: No health care. No 401k.

  6. geek.paranoia++; by RalphBNumbers · Score: 5, Insightful

    So they wanted people to do possibly the most tedious and unpleasant task in software engineering, over and over, for free, outside of the established (and frankly much more interesting, because they usually involve something besides solitary code reviewing) channels, and they're surprised they didn't get a flood of volunteers?

    Not to mention the job is thankless, it's an infinite loop of paranoia and nit-picking.

    code.insecure = true;
    while (code.insecure) {
        geek.paranoia++;
        geek.review(code);
    }

    --
    "The worst tyrannies were the ones where a governance required its own logic on every embedded node." - Vernor Vinge
  7. Re:Classic misdirection by NixLuver · Score: 5, Insightful

    Hrm... So you assert that SELinux fixes trivial security issues in order to encourage users to select Linux (less secure) over OpenBSD (more secure), and all this without introducing any trojan code into SELinux.

    The question I have is this: If there are hundreds of invisible exploits in the SELinux kernel, how are we to know that the same situation doesn't exist in OpenBSD?

    Furthermore, how are we to be certain that OpenBSD (oft touted as the most secure OS in the world, and I'll certainly grant it's one of the most secure out of the box OS's I've ever seen) isn't some clandestine creation of the NSA created to lull paranoid psychotics into believing that they were secured against intrusion?

  8. Re:DARPA "funded" !? SETI @ Home by gtrubetskoy · Score: 4, Insightful

    If they could just find a way to tap into _that_ enthusiasm.

    Ah give me a break!

    As someone who has written open source software, I can tell you that there is no enthusiasm that you "tap into".

    When you are an agency that is part of a department of the government whose budget is in the billions (or is it trillions?), no sane "enthusiast" is going to do jack for you for "appreciation", especially when you are a military organization...

    But even if this wasn't DOD we were talking about, I find the assumption that people will perform valuable services for simple recognition just plain weird. People who think this way just don't get it - you want someone to do something for you, you pay for it.

    When I feel like releasing code to the public is a good idea, I will do it, but don't think that I am some sort of an OSS monkey who jumps at every opportunity to work for free!

  9. Augment, Not "Replace" by Crispin Cowan · Score: 5, Insightful

    The /. story says that Sardonix "aspired to replace the Linux security review process." This is not true, and it doesn't even say that in Poulsen's article. Sardonix sought to augment existing software auditing practices, trying to give more credit to people doing the work, and more clearly document the work done. Sardonix was also about open source software in general, and not the Linux kernel in particular.

    Crispin
    ----
    Crispin Cowan, Ph.D.
    CTO, Immunix Inc.

  10. Re:Classic misdirection by hangareighteen · Score: 4, Insightful

    The question you should be asking yourself is why organizations like the NSA and DARPA, which are after all dedicated to eavesdropping and intelligence gathering, would want to spend time and resources making the computer systems of target nations more secure.

    I would say it's a stretch to call the Defense Advanced Research Projects Agency an organization dedicated to eavesdropping and intelligence gathering. Their entire purpose is simply to research things that might be useful to the Department of Defense; however, I will grant you that a large part of what the DoD does is intelligence gathering and eavesdropping -- but it's part of their job, and they don't really shy away from telling the citizens that. On top of all that, if you're going to be so overly paranoid about government involvement in public projects, then why in the hell are you using the internet anyway? It began its life as a DARPA project, as research into self-healing networks.

    Also, the NSA isn't dedicated to eavesdropping or intelligence gathering. If you read their original charter, it seems that it was originally created to help organize and distribute intelligence information gathered from the various intelligence agencies working for the US. That isn't all they do either; as this country has changed and their existence has become more widely known, their role has changed somewhat as well. Specifically, they also play a role in securing this country (meaning its citizens, businesses and government) from foreign attack, espionage, and intelligence gathering/manipulation. They are, after all, the National Security Agency.

    So, as part of the ideal of securing the nation, they decided that it would be a good idea to make a highly securable operating system available to the public (meaning its citizens, businesses and government) for free. Given that, it's not too hard to see why they chose Linux as their candidate: It's already available freely, it's already somewhat securely designed, and already implements a unix-style user-based security model. Not only that, but they realized that for the system to be truly secure, its source code and thus its development also had to be open to the public and freely available.

    I don't think there is any doubt that the NSA has been entirely up front with everyone on this. If it weren't the case, there is no way that the SELinux security model would be included in Linux today, and I don't see any directives from the Ministry Of Coding demanding its implementation. On the other point, DARPA was just throwing around some research money (it's what they do best) and decided that this project might turn out something useful; they were wrong, but it didn't really seem as if they had any opportunity for misdirection anyway.

  11. A few reasons why... by slamb · Score: 4, Insightful

    There are a few reasons why this project never took off:

    First, they widely advertised it and then took forever to get the site going. I think most people had forgotten about it or given up on it by that point. And then they never publicized it again. (Specifically, it was initially slashdotted on 6 Feb 2002. On 13 Oct 2002, a message on the Sardonix mailing list mentioned that it had been mostly live for a couple weeks, and that the point system still wasn't online. No wider announcement.)

    Second, all the packages listed there for review were fairly well-respected blocks of code written by skilled coders. Consequently, most of the reviews were of the form "yup, this code essentially looks good". They were also extremely large projects, so people said "I didn't do a full review; I just tried this automated tool". It doesn't really mesh up with what he said in the article:

    Cowan believes Sardonix was a casualty of security community culture, which he says rewards researchers who find clever or splashy holes in a program, but not for making software more secure. "The Bugtraq model is: find a bug, win a prize -- a modest amount of fame," says Cowan. "Our model is: review a whole body of code, eventually finding no bugs, and receive a deeper level of appreciation from people who use the code.

    "It seems the Sardonix lesson is people don't want to play this game, they want to play the Bugtraq game."

    There was no "making software more secure [...] eventually finding no bugs"; I don't think anyone ever really found a significant bug through this project.

    If they had targeted lots of small projects on freshmeat (like web stuff - PHP, mod_perl, JSP/servlet, etc.), it would have been much more interesting. Those projects have all kinds of security bugs. They could have taught the people in question some good security practices and actually accomplished what they set out to do. Maybe they would have eventually branched out into certifying these infrastructure projects, but it wasn't a good initial goal.

    Lastly, who knows what they did with that DARPA funding. Plenty of open source projects with no funding do much more impressive work than that website, and in much less time, too.