Slashdot Mirror


DARPA-Funded Linux Security Hub Withers

mAriuZ writes "Initially funded by a grant from the Pentagon's DARPA, the Sardonix project aspired to replace the Linux security review process with a public website that meticulously tracks which code has been audited for security holes, and by whom. As conceived by Crispin Cowan, Sardonix was to attract volunteer auditors by automatically ranking them according to the amount of code they've examined, and the number of security holes they've found. Auditors would lose points if a subsequent audit by someone else turned up bugs they missed. ... In the end, though, nobody showed up."

11 of 281 comments (clear)

  1. never heard of it! by Anonymous Coward · · Score: 5, Interesting

    Well, maybe they needed a little more exposure, eh?

    I'm a sysadmin that secures plenty of mission-critical Linux (and FreeBSD) boxes, and I *thought* I kept on top of all the security news, I'd never heard of this project!

    Oh well! Try try again...

  2. Thankless task indeed . . . by Mysteray · · Score: 5, Interesting
    Two years after its hopeful launch, a U.S.-backed research project aimed at drawing skilled eyeballs to the thankless task of open-source security auditing is prepared to throw in the towel.

    It does seem to be a thankless task. For a new guy on a project, criticizing the leaders' work doesn't seem a good way to gain influence. For an old contributor, you might feel compelled to add functionality the userbase is demanding.

    Interestingly, the OpenBSD project has put a lot of effort into auditing, and they also have a reputation of being somewhat, um, "grouchy". I wonder if there's some correlation?

  3. No reason to play the NSA game... by Saeed+al-Sahaf · · Score: 4, Interesting
    As conceived by Crispin Cowan, Sardonix was to attract volunteer auditors by automatically ranking them according to the amount of code they've examined, and the number of security holes they've found. Auditors would lose points if a subsequent audit by someone else turned up bugs they missed. ... In the end, though, nobody showed up.

    Perhaps this is because for most of the (incredibly smart) people who make contributions to Linux kernel development, it's not about points? Now if they had attached MONEY value to those points, maybe the result would have been different; I mean at least SOME motivation to play the NSA game.

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  4. If a project falls.... by RedLeg · · Score: 4, Interesting
    If a project fails, and nobody's ever even heard of it, has it really failed?

    I know Crispin Cowan personally, and I have never heard of this project! Maybe some of the DARPA funding should have gone to advertising, publicity, or (God forbid) Marketing?

  5. Securityfocus batting .500 by AndroidCat · · Score: 5, Interesting
    I guess they couldn't decide how to spell Cris Cowan/Cowen's last name so they alternated.

    They should have a volunteer review process to catch spelling mistakes...

    --
    One line blog. I hear that they're called Twitters now.
  6. Re:Really? by Jason+Earl · · Score: 3, Interesting

    The free market beat them to the punch. Why play for Sardonix "street-cred" when you can start your own security company. Most security companies do a fair share of the advertising on the existing security mailing lists.

    Besides which, the Linux Kernel Mailing Lists already purport to do the same thing. You think that the Linux kernel hackers don't think that they are already creating secure code? By the time a security bug gets through the LKML's brutal peer review the chances that some outsider gunning for "street cred" is going to find it is essentially nil. Why join Sardonix when you can pile right in to the LKML?

  7. Definition of root word tells all. by mikeophile · · Score: 3, Interesting
    Sardonic

    sardonic (sar-dnk) adj.

    Scornfully or cynically mocking.

    See Synonyms at sarcastic.

  8. Project remit: appropriation increase? by Lucius+Sour · · Score: 3, Interesting

    A lot of government and military projects have the sole purpose of attracting money to, or showing deference to whatever fashioanble political/buzzword compliant initiative that has sway that week. This isn't news to slashdotters, I know, but I wonder what real hopes the project had, or was it one of those "impress the boss and get a cheque to swell the department" projects. It seems that's the way things work in the government service and industry these days. Whatever happened to doing the bloody job?

    --

    Hands up everyone who refuses to obey orders.

  9. Re:Too low profile by AndroidCat · · Score: 4, Interesting

    Perhaps the seven responses to the original story should have been a tipoff that raising visibility of the project would have been a good idea. (Of course, that would have risked coming on too strong.)

    --
    One line blog. I hear that they're called Twitters now.
  10. It never helped me get started by bluGill · · Score: 4, Interesting

    I visited the site a few times, but didn't see anything to help me get started. Just some "we need to get project X reviewed". Then a complex point system that sounded motivating, but didn't do anything.

    I just wanted to get started. All they said was "read this code and look for problems". No duh, but how about some examples. Some help. I'd learn much more if 30 people read one file, each commented on it, and I could read them all. Once I learn to think of everything 30 people think of (who have expirence reading code) I'll do some more on my own. Nothing gets me started though. I'm an okay programer (better than most really, but that isn't saying much considering the typical programer I've seen), and I need to learn how to do this. How do expert code reviewers think?

    I just got back from wineconf, Alexander personally reads every single line that is commited to Wine. I know it can be done, but I need expirence before I could possibly do that, and noone bootstraps me to get the expirence.

    I understand this is a hard thing. I've developed before, and I can't document my code any better than anyone else. They made it their stated goal to help me, but then never did anything useful.

  11. Shoe's On The Other Foot by Dark+Bard · · Score: 3, Interesting

    Very interesting attitude. I've gotten into several very heated exchanges on Slashdot concerning copyrights. The universal answer was copyright laws favor the artists too much and they should do it out of love and there's nothing wrong with downloading music and movies for free even if it robs the artist. I was given the pious example of people writing open source code for free. I was never given an example of how they were suppose to feed themselves while they worked for free. Now I hear code writers should aways be paid for their work even if it's for the benefit of all. Feels different when the shoes on the other foot. If all intellectual property should be free why aren't code writers working for free and working at the local 7 eleven to pay their bills? I realize no one wants to hear this and I'm sure this post will get a low mod because it's tradition to kill the messenger but you can't have it both ways. Everyone has a right to earn a living and working for free or giving away your work ain't going to pay the bills. I'm thrilled people write open source code for free. Artist often work for free and work a disturbing number of unpaid hours. The hardest thing for an artist is generally getting some one to pay for their work in the first place. Free market basically works, inspite of a few bumps. Change the law and allow people to go into a famer's field and pick the crops without paying and see how quick people give up on farming. Sorry there's no difference.