Slashdot Mirror


DARPA-Funded Linux Security Hub Withers

mAriuZ writes "Initially funded by a grant from the Pentagon's DARPA, the Sardonix project aspired to replace the Linux security review process with a public website that meticulously tracks which code has been audited for security holes, and by whom. As conceived by Crispin Cowan, Sardonix was to attract volunteer auditors by automatically ranking them according to the amount of code they've examined, and the number of security holes they've found. Auditors would lose points if a subsequent audit by someone else turned up bugs they missed. ... In the end, though, nobody showed up."

21 of 281 comments

  1. Classic misdirection by corebreech · · Score: 0, Interesting

    This reminds me of NSA's SELinux, a ploy to get everybody to pass over an OS built with security foremost in mind (like OpenBSD) and rush instead into one for which the NSA no doubt has hundreds if not thousands of pre-programmed exploits.

    I'll bet you that's where half of their supercomputer time goes. Iterating across the domain of all possible inputs against Windows and stock Linux distributions, looking for all the holes.

    How does DARPA game Sardonix? By controlling the rankings and emphasizing simple or known security holes while concealing or obscuring those for which federal exploits stand at the ready.

    It would be a great idea, but only if somebody else was running it.

    1. Re:Classic misdirection by corebreech · · Score: 2, Interesting

      I never said they "sneaked" anything into the code. I only suggest that they are aware that Linux is an easier OS for them to root than others, like the aforementioned OpenBSD.

      They don't have to touch the code, in fact, for exactly the reasons you offer, it is best that they don't. But that doesn't mean they can't use their considerable CPU resources to catalog its vulnerabilities.

    2. Re:Classic misdirection by corebreech · · Score: 2, Interesting

      So you assert that SELinux fixes trivial security issues...

      I never asserted anything of the kind. SELinux is about implementing access control, which has little if anything to do with enhancing the kind of security being discussed here, i.e., getting root.

      : If there are hundreds of invisible exploits in the SELinux kernel, how are we to know that the same situation doesn't exist in OpenBSD?

      OpenBSD has made a big deal about auditing its code, looking for all the potential vulnerabilities. Linux tends to be more focused on utility and performance. There may indeed (probably are) exploits they are aware of in OpenBSD, but since so much more focus is placed on security, their expectations may be that the window of opportunity is closing.

      Furthermore, how are we to be certain that OpenBSD (oft touted as the most secure OS in the world, and I'll certainly grant it's one of the most secure out of the box OS's I've ever seen) isn't some clandestine creation of the NSA created to lull paranoid psychotics into believing that they were secured against intrusion?

      The question you should be asking yourself is why organizations like the NSA and DARPA, which are after all dedicated to eavesdropping and intelligence gathering, would want to spend time and resources making the computer systems of target nations more secure.

  2. never heard of it! by Anonymous Coward · · Score: 5, Interesting

    Well, maybe they needed a little more exposure, eh?

    I'm a sysadmin who secures plenty of mission-critical Linux (and FreeBSD) boxes, and I *thought* I kept on top of all the security news, but I'd never heard of this project!

    Oh well! Try try again...

  3. Thankless task indeed . . . by Mysteray · · Score: 5, Interesting
    Two years after its hopeful launch, a U.S.-backed research project aimed at drawing skilled eyeballs to the thankless task of open-source security auditing is prepared to throw in the towel.

    It does seem to be a thankless task. For a new guy on a project, criticizing the leaders' work doesn't seem a good way to gain influence. For an old contributor, you might feel compelled to add functionality the userbase is demanding.

    Interestingly, the OpenBSD project has put a lot of effort into auditing, and they also have a reputation of being somewhat, um, "grouchy". I wonder if there's some correlation?

    1. Re:Thankless task indeed . . . by Anonymous Coward · · Score: 2, Interesting
      Interestingly, OpenBSD also don't have any documentation as to what it is exactly they are doing with their audit.

      They talk a good game but let's face it, if you don't run any services on any platform it's about as secure as an OpenBSD install is out of the box. That's not exactly securing the code through audit, it's just locking down a box.

      I like what they are saying they are doing but I have no idea what it is they are changing or why those changes make OpenBSD any more secure than anything else. Now if they had a set of documents explaining what it is that they were looking at and fixing and shared some information so that other developers could learn from the mistakes of others it would be more commendable. Throw on to that the attitude of the developers and you've got a real party.

    2. Re:Thankless task indeed . . . by Mysteray · · Score: 2, Interesting

      <offtopic>Your comments are discussion-worthy! Why post as an AC? I've been reading /. since at least 1998, but never got around to signing up and commenting properly. I'm glad I finally did, but I could have had bragging rights with one of those low UIDs if I had registered earlier.</offtopic>

      Anyway, I see these comments often enough so I suppose they merit some response. I'm not sure I'm the one to do it, but anyway . . .

      Interestingly, OpenBSD also don't have any documentation as to what it is exactly they are doing with their audit.

      People from GNU/Linux land are often not familiar with the structure of the BSD codebase. With GNU/Linux, tar or ls, for example, will have an "upstream maintainer" such as the FSF. When a distribution finds a bug in one of those utilities, it really is important to report it upstream so they can fix it for everyone.

      The BSD codebase was handed down as a single unit from Berkeley. Literally, the kernel, tar, and ls build in the same source tree. A small number of groups that formed to maintain this newly-freed source tree split off from each other (often with ugly disagreements). Berkeley wasn't interested in performing coordinating functions as an "upstream maintainer".

      So the OpenBSD group doesn't have anyone more "authoritative" than themselves to report changes and fixes to. What they do instead is make every source change available via CVS. You can even subscribe to an email changelist if you want to. The other BSDs are free to (and often do) track these changes.

      They talk a good game but let's face it, if you don't run any services on any platform it's about as secure as an OpenBSD install is out of the box. That's not exactly securing the code through audit, it's just locking down a box.

      There is still the IP stack and packet filtering code that needs to be secure. There have been significant attacks on those in the past for many OSes. BTW, wouldn't you prefer that things come turned off by default, so you don't have to worry about "locking it down" in the first place? I just re-installed Debian the other day, and it had ports open to notify others of changes to my filesystem (something called fam, just in case I wanted to setup a fileserver). Probably there was some authentication on it, but the point is that I don't remember asking if it was ok to be on in the first place.

      I know this may seem old-fashioned in the days of personal UNIX workstations, but local exploits are a concern for many systems. Often this can make the difference between a denial-of-service and a full rooting of a server.

      I like what they are saying they are doing but I have no idea what it is they are changing or why those changes make OpenBSD any more secure than anything else. Now if they had a set of documents explaining what it is that they were looking at and fixing and shared some information so that other developers could learn from the mistakes of others it would be more commendable. Throw on to that the attitude of the developers and you've got a real party.

      For all the accusations of OpenBSD being self-promoting, I don't think they spend a lot of time trying to explain their work to non-programmers. As they are working for free for their own interests, I can sympathize with them not verbosely explaining every source-code change in layman's terms. I trust them not to hide a bug that would clearly be exploitable, but at the same time, I don't think they need to do more than silently fix those that probably aren't. I can understand that someone not fluent in C could fail to see what the benefit to, say, eliminating sprintf would be. As a professional software developer, I have looked at their work and I believe it has great merit.
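
      The "eliminating sprintf" change mentioned above is the kind of audit fix whose benefit is invisible until you see the shapes side by side. The following is an added example written for this page, not OpenBSD's code: a pre-audit formatter using sprintf, the bounded replacement using snprintf with its return value checked, and a helper that reports how far past the buffer the old version would have written. The 32-byte buffer size and the greeting format are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define GREETING_CAP 32   /* assumed buffer size for this example */

/* Before: the pre-audit shape. sprintf is never told how big buf is, so a
 * user name longer than 23 bytes (32 - strlen("Hello, !") - 1) runs off the
 * end of the buffer, a stack smash when buf is a caller's local array.
 * Kept only to show the bug; the example never calls it with a long input. */
void format_greeting_unsafe(char *buf, const char *user)
{
    sprintf(buf, "Hello, %s!", user);
}

/* After: the audit-style replacement. snprintf bounds the write to cap bytes
 * and returns the length the full string would have had, so truncation can be
 * detected instead of silently producing a chopped (or, with sprintf,
 * overflowed) string. Returns 0 on success, -1 if the result did not fit;
 * buf is always NUL-terminated when cap > 0. */
int format_greeting_safe(char *buf, size_t cap, const char *user)
{
    int n = snprintf(buf, cap, "Hello, %s!", user);
    if (n < 0)
        return -1;              /* encoding error */
    if ((size_t)n >= cap)
        return -1;              /* would not fit: refuse rather than use a truncated value */
    return 0;
}

/* How many bytes (including the NUL) the sprintf version would have written
 * for this input; compare against the real buffer size to see the overflow. */
size_t bytes_sprintf_would_write(const char *user)
{
    return (size_t)snprintf(NULL, 0, "Hello, %s!", user) + 1;
}

int main(void)
{
    char buf[GREETING_CAP];
    /* constructed input: 40 bytes, well past what the buffer can hold */
    const char *long_name = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    format_greeting_safe(buf, sizeof buf, "ken");
    printf("%s\n", buf);
    printf("sprintf would write %zu bytes into a %d-byte buffer\n",
           bytes_sprintf_would_write(long_name), GREETING_CAP);
    printf("safe version result for long name: %d\n",
           format_greeting_safe(buf, sizeof buf, long_name));
    return 0;
}
```

      The point of checking the snprintf return value is that truncation is itself a bug class (a path or command silently cut short), so the safe version refuses the input rather than handing back a shortened string.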

  4. No reason to play the NSA game... by Saeed+al-Sahaf · · Score: 4, Interesting
    As conceived by Crispin Cowan, Sardonix was to attract volunteer auditors by automatically ranking them according to the amount of code they've examined, and the number of security holes they've found. Auditors would lose points if a subsequent audit by someone else turned up bugs they missed. ... In the end, though, nobody showed up.

    Perhaps this is because for most of the (incredibly smart) people who make contributions to Linux kernel development, it's not about points? Now if they had attached MONEY value to those points, maybe the result would have been different; I mean at least SOME motivation to play the NSA game.

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
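
    The ranking scheme quoted in the story summary and again in the comment above (credit for code examined and holes found, points lost when a later audit turns up holes you passed over) is easier to reason about as code. The following is an added example written for this page, not Sardonix's own implementation: a small scoreboard where each audit is recorded against a file, and any hole found by a later auditor of the same file is charged as a miss to every earlier auditor of it. The point weights, the per-KLOC credit and the sample audits are assumptions constructed for the example; the page does not give the project's real formula.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed weights; the real Sardonix formula is not on this page. */
#define POINTS_PER_KLOC    1
#define POINTS_PER_HOLE   10
#define PENALTY_PER_MISS  15

#define MAX_AUDITORS 16
#define MAX_HISTORY  64

struct auditor {
    char name[32];
    long lines_audited;
    int  holes_found;
    int  holes_missed;   /* holes found later by someone else in code this auditor passed */
};

struct audit_record {
    char auditor[32];
    char file[64];
};

static struct auditor      auditors[MAX_AUDITORS];
static int                 n_auditors;
static struct audit_record history[MAX_HISTORY];
static int                 n_history;

void reset_rankings(void)
{
    n_auditors = 0;
    n_history = 0;
}

/* Find or create an auditor entry; NULL if the table is full. */
struct auditor *get_auditor(const char *name)
{
    for (int i = 0; i < n_auditors; i++)
        if (strcmp(auditors[i].name, name) == 0)
            return &auditors[i];
    if (n_auditors == MAX_AUDITORS)
        return NULL;
    struct auditor *a = &auditors[n_auditors++];
    memset(a, 0, sizeof *a);
    snprintf(a->name, sizeof a->name, "%s", name);
    return a;
}

/* Record that `name` audited `file` (lines long) and reported `holes` new holes.
 * Every earlier auditor of the same file is charged with having missed them. */
int record_audit(const char *name, const char *file, long lines, int holes)
{
    struct auditor *a = get_auditor(name);
    if (a == NULL || n_history == MAX_HISTORY)
        return -1;
    a->lines_audited += lines;
    a->holes_found   += holes;

    if (holes > 0) {
        for (int i = 0; i < n_history; i++) {
            if (strcmp(history[i].file, file) == 0 &&
                strcmp(history[i].auditor, name) != 0) {
                struct auditor *prev = get_auditor(history[i].auditor);
                if (prev != NULL)
                    prev->holes_missed += holes;
            }
        }
    }

    snprintf(history[n_history].auditor, sizeof history[n_history].auditor, "%s", name);
    snprintf(history[n_history].file, sizeof history[n_history].file, "%s", file);
    n_history++;
    return 0;
}

long score(const struct auditor *a)
{
    return (a->lines_audited / 1000) * POINTS_PER_KLOC
         + (long)a->holes_found  * POINTS_PER_HOLE
         - (long)a->holes_missed * PENALTY_PER_MISS;
}

long score_of(const char *name)
{
    struct auditor *a = get_auditor(name);
    return a ? score(a) : 0;
}

static int by_score_desc(const void *x, const void *y)
{
    long sx = score((const struct auditor *)x);
    long sy = score((const struct auditor *)y);
    return (sx < sy) - (sx > sy);
}

/* Name of the top-ranked auditor, or "" if nobody has audited anything. */
const char *top_auditor(void)
{
    if (n_auditors == 0)
        return "";
    qsort(auditors, n_auditors, sizeof auditors[0], by_score_desc);
    return auditors[0].name;
}

/* Constructed scenario, not real project data: bob re-audits alice's file
 * and finds two holes she passed, so her earlier credit turns into a penalty. */
void run_scenario(void)
{
    reset_rankings();
    record_audit("alice", "net/ip_input.c", 5000, 1);
    record_audit("bob",   "net/ip_input.c", 5000, 2);
    record_audit("carol", "lib/strlcpy.c",  2000, 0);
}

int main(void)
{
    run_scenario();
    top_auditor();   /* sorts the table */
    for (int i = 0; i < n_auditors; i++)
        printf("%-6s %ld\n", auditors[i].name, score(&auditors[i]));
    return 0;
}
```

    With these weights alice ends at -15, bob at 25 and carol at 2, which illustrates the incentive problem the comments keep circling: a careful first audit can still go negative the moment someone else finds what it missed.
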
  5. If a project falls.... by RedLeg · · Score: 4, Interesting
    If a project fails, and nobody's ever even heard of it, has it really failed?

    I know Crispin Cowan personally, and I have never heard of this project! Maybe some of the DARPA funding should have gone to advertising, publicity, or (God forbid) Marketing?

  6. Securityfocus batting .500 by AndroidCat · · Score: 5, Interesting
    I guess they couldn't decide how to spell Cris Cowan/Cowen's last name so they alternated.

    They should have a volunteer review process to catch spelling mistakes...

    --
    One line blog. I hear that they're called Twitters now.
  7. Re:Really? by Jason+Earl · · Score: 3, Interesting

    The free market beat them to the punch. Why play for Sardonix "street-cred" when you can start your own security company. Most security companies do a fair share of the advertising on the existing security mailing lists.

    Besides which, the Linux Kernel Mailing Lists already purport to do the same thing. You think that the Linux kernel hackers don't think that they are already creating secure code? By the time a security bug gets through the LKML's brutal peer review the chances that some outsider gunning for "street cred" is going to find it is essentially nil. Why join Sardonix when you can pile right in to the LKML?

  8. Definition of root word tells all. by mikeophile · · Score: 3, Interesting
    Sardonic

    sardonic (sär-dŏn'ĭk) adj.

    Scornfully or cynically mocking.

    See Synonyms at sarcastic.

  9. Project remit: appropriation increase? by Lucius+Sour · · Score: 3, Interesting

    A lot of government and military projects have the sole purpose of attracting money to, or showing deference to, whatever fashionable political/buzzword-compliant initiative has sway that week. This isn't news to slashdotters, I know, but I wonder what real hopes the project had, or was it one of those "impress the boss and get a cheque to swell the department" projects? It seems that's the way things work in the government service and industry these days. Whatever happened to doing the bloody job?

    --

    Hands up everyone who refuses to obey orders.

  10. Re:Too low profile by AndroidCat · · Score: 4, Interesting

    Perhaps the seven responses to the original story should have been a tipoff that raising visibility of the project would have been a good idea. (Of course, that would have risked coming on too strong.)

    --
    One line blog. I hear that they're called Twitters now.

  11. Isn't this OSS's strongest argument? by no_nicks_available · · Score: 2, Interesting

    and yet no one shows. I guess we have to wait until someone finds something with negative intent before a bug is fixed.

    Mod me down -50....I don't care anymore, my faith is lost.

  12. I love sitting down and reviewing other's code. by HeX86 · · Score: 2, Interesting

    It's true, people would rather write code than fix people's broken shit.

    Rather than fixing broken code, why don't we teach some people how to write decent programs? Maybe put up some documentation of some common security flaws and how people could have avoided coming near them by structuring their code differently.

    I know some code needs to be fixed, but let's face it, most people aren't willing to do it. There are a few unappreciated people out there who do this, and their job would be easier if people knew how to program better.

    I'm not talking just about the kernel, for what I know the kernel is excellently structured. Most of the security holes stand in userland code and that's the area where most of the programmers who lack good programming skills are.

  13. Sardonix had some value by El+Volio · · Score: 2, Interesting

    Sardonix got me interested in source code auditing, but I didn't like the reputation model. It's been more interesting to just do it; while so far I haven't found anything in the packages I've audited (and haven't bothered to report), it's taught me a lot about auditing in general and so I've found multiple vulnerabilities in various web packages I use both personally and professionally.

    If you want to encourage source code auditing, then the current system needs to be mended just a bit: as long as researchers are disdained by vendors who don't want to give credit for the problem or even prosecute folks who were kind enough to let them know about the vulnerability of their software, then there's going to be a chilling effect. That's what leads to the disclosure impasse that many find themselves in: disclose to the vendor first and not get credit, or disclose to the public first and get criticized?

    --

    "You can never have too many elephants on your team."

  14. It never helped me get started by bluGill · · Score: 4, Interesting

    I visited the site a few times, but didn't see anything to help me get started. Just some "we need to get project X reviewed". Then a complex point system that sounded motivating, but didn't do anything.

    I just wanted to get started. All they said was "read this code and look for problems". No duh, but how about some examples? Some help. I'd learn much more if 30 people read one file, each commented on it, and I could read them all. Once I learn to think of everything 30 people think of (who have experience reading code) I'll do some more on my own. Nothing gets me started though. I'm an okay programmer (better than most really, but that isn't saying much considering the typical programmer I've seen), and I need to learn how to do this. How do expert code reviewers think?

    I just got back from wineconf; Alexander personally reads every single line that is committed to Wine. I know it can be done, but I need experience before I could possibly do that, and no one bootstraps me to get the experience.

    I understand this is a hard thing. I've developed before, and I can't document my code any better than anyone else. They made it their stated goal to help me, but then never did anything useful.

  15. Shoe's On The Other Foot by Dark+Bard · · Score: 3, Interesting

    Very interesting attitude. I've gotten into several very heated exchanges on Slashdot concerning copyrights. The universal answer was that copyright laws favor the artists too much, that they should do it out of love, and that there's nothing wrong with downloading music and movies for free even if it robs the artist. I was given the pious example of people writing open source code for free. I was never given an example of how they were supposed to feed themselves while they worked for free.

    Now I hear code writers should always be paid for their work even if it's for the benefit of all. Feels different when the shoe's on the other foot. If all intellectual property should be free, why aren't code writers working for free and working at the local 7-Eleven to pay their bills? I realize no one wants to hear this and I'm sure this post will get a low mod because it's tradition to kill the messenger, but you can't have it both ways.

    Everyone has a right to earn a living, and working for free or giving away your work ain't going to pay the bills. I'm thrilled people write open source code for free. Artists often work for free and work a disturbing number of unpaid hours. The hardest thing for an artist is generally getting someone to pay for their work in the first place. The free market basically works, in spite of a few bumps. Change the law and allow people to go into a farmer's field and pick the crops without paying and see how quickly people give up on farming. Sorry, there's no difference.

  16. Re:Let's be honest by bluGill · · Score: 2, Interesting

    Not necessarily. I know a number of programmers who read code to learn how it works. They aren't auditing directly, just looking to see how/if they can use something in their own code. Programmers are lazy; if they can use someone else's debugged work they will.

    There is far too much code to write, without wasting time re-inventing the wheel.

  17. Re:Let's be honest by Endive4Ever · · Score: 2, Interesting

    People 'collect stamps' as historical relics. I, for instance, collect coins. I am not an 'investor' so I don't collect anything that is very valuable. I prefer small copper coins. I favor British Empire farthings. You can get an early 18th century British farthing for several US dollars. I like them for the history, and often I prefer 'well worn' coins to the shiny new ones that sat in collector's cabinet for centuries.

    It might seem 'boring' to people whose idea of fun is going out to night clubs and listening to droning repetitive loud music, but then......
