Slashdot Mirror


DARPA-Funded Linux Security Hub Withers

mAriuZ writes "Initially funded by a grant from the Pentagon's DARPA, the Sardonix project aspired to replace the Linux security review process with a public website that meticulously tracks which code has been audited for security holes, and by whom. As conceived by Crispin Cowan, Sardonix was to attract volunteer auditors by automatically ranking them according to the amount of code they've examined, and the number of security holes they've found. Auditors would lose points if a subsequent audit by someone else turned up bugs they missed. ... In the end, though, nobody showed up."

6 of 281 comments

  1. Let's be honest by Anonymous Coward · Score: 5, Insightful

    Auditing is boring. If you've got the skills to audit, you'd probably be much happier writing the code yourself.

  2. Still A Good Idea by Naked Chef · Score: 5, Insightful

    Whose time may eventually come. Part of the problem is, as the article mentions, the "Bugtraq" mentality - people are only interested in the flashy big bugs, not the little ones that "only" increase stability. The other problem seems to simply be one of logistics, which the web site apparently didn't sort out. People are already doing this, on a smaller scale. How to get it into a single group under this Sardonix name without duplicating effort? Still difficult. I'd look for it again, in another form, in a few years :)

  3. Doomed from the start by realmolo · Score: 5, Insightful

    Here's what they were asking for:

    WANTED- Extremely experienced Linux coders, familiar with all aspects of security, to verify others' undocumented code, so that the federal government doesn't have to do it themselves.
    Salary starts at 0 dollars per year.
    Benefits include-
    No health care
    No 401k

  4. geek.paranoia++; by RalphBNumbers · Score: 5, Insightful

    So they wanted people to do possibly the most tedious and unpleasant task in software engineering, over and over, for free, outside of the established (and frankly much more interesting, because they usually involve something besides solitary code reviewing) channels, and they're surprised they didn't get a flood of volunteers?

    Not to mention the job is thankless, it's an infinite loop of paranoia and nit-picking.

    code.insecure = true;
    while (code.insecure) {
        geek.paranoia++;
        geek.review(code);
    }

    --
    "The worst tyrannies were the ones where a governance required its own logic on every embedded node." - Vernor Vinge

  5. Re:Classic misdirection by NixLuver · Score: 5, Insightful
    Hrm... So you assert that SELinux fixes trivial security issues in order to encourage users to select Linux (less secure) over OpenBSD (more secure), and all this without introducing any trojan code into SELinux.

    The question I have is this: If there are hundreds of invisible exploits in the SELinux kernel, how are we to know that the same situation doesn't exist in OpenBSD?

    Furthermore, how are we to be certain that OpenBSD (oft touted as the most secure OS in the world, and I'll certainly grant it's one of the most secure out of the box OS's I've ever seen) isn't some clandestine creation of the NSA created to lull paranoid psychotics into believing that they were secured against intrusion?

  6. Augment, Not "Replace" by Crispin Cowan · Score: 5, Insightful
    The /. story says that Sardonix "aspired to replace the Linux security review process." This is not true, and it doesn't even say that in Poulsen's article. Sardonix sought to augment existing software auditing practices, trying to give more credit to people doing the work, and more clearly document the work done. Sardonix was also about open source software in general, and not the Linux kernel in particular.

    Crispin
    ----
    Crispin Cowan, Ph.D.
    CTO, Immunix Inc.