Slashdot Mirror


DARPA-Funded Linux Security Hub Withers

mAriuZ writes "Initially funded by a grant from the Pentagon's DARPA, the Sardonix project aspired to replace the Linux security review process with a public website that meticulously tracks which code has been audited for security holes, and by whom. As conceived by Crispin Cowan, Sardonix was to attract volunteer auditors by automatically ranking them according to the amount of code they've examined, and the number of security holes they've found. Auditors would lose points if a subsequent audit by someone else turned up bugs they missed. ... In the end, though, nobody showed up."
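The summary describes Sardonix's ranking idea only in words: credit auditors for code examined and holes found, and deduct points when a later audit by someone else turns up something they missed. The following is an added example, not code from the Sardonix project or from Poulsen's article; it sketches how such a ledger has to remember who signed off on which component so that a later finding can be charged back to the earlier auditors. The weights (`POINTS_PER_KLOC`, `POINTS_PER_BUG`, `PENALTY_PER_MISS`), the component names and all sample audits are constructed assumptions, since the page gives no formula or data.

```python
"""Toy reputation ledger for a Sardonix-style audit tracker (added example).

The page only describes the idea; every weight, record shape and sample
value below is an assumption made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed scoring weights; the page gives no formula.
POINTS_PER_KLOC = 1.0    # credit per thousand lines examined
POINTS_PER_BUG = 10.0    # credit per security hole reported
PENALTY_PER_MISS = 15.0  # deduction per hole later found in code you signed off


@dataclass
class Audit:
    auditor: str
    component: str
    lines: int        # lines of code examined
    bugs_found: int   # security holes reported by this audit


@dataclass
class Ledger:
    audits: list = field(default_factory=list)
    # component -> auditors who have signed off on it so far, in order
    signoffs: dict = field(default_factory=lambda: defaultdict(list))
    # auditor -> number of holes others later found in code they signed off
    misses: dict = field(default_factory=lambda: defaultdict(int))

    def record(self, audit: Audit) -> None:
        """Record an audit. Holes it reports count as misses against every
        earlier auditor of the same component, except the reporting auditor
        (re-auditing your own work and finding something is not penalised)."""
        if audit.bugs_found:
            for earlier in self.signoffs[audit.component]:
                if earlier != audit.auditor:
                    self.misses[earlier] += audit.bugs_found
        self.audits.append(audit)
        if audit.auditor not in self.signoffs[audit.component]:
            self.signoffs[audit.component].append(audit.auditor)

    def score(self, auditor: str) -> float:
        """Credit for volume and findings, minus the retroactive penalty."""
        lines = sum(a.lines for a in self.audits if a.auditor == auditor)
        bugs = sum(a.bugs_found for a in self.audits if a.auditor == auditor)
        return (lines / 1000.0 * POINTS_PER_KLOC
                + bugs * POINTS_PER_BUG
                - self.misses[auditor] * PENALTY_PER_MISS)

    def ranking(self) -> list:
        """Auditors ordered best-first; ties broken by name for determinism."""
        names = {a.auditor for a in self.audits}
        return sorted(((n, self.score(n)) for n in names),
                      key=lambda item: (-item[1], item[0]))


def build_sample_ledger() -> Ledger:
    """Constructed scenario: alice signs off on a component with no findings,
    bob audits the same code afterwards and reports two holes, carol audits
    an unrelated component and reports one."""
    ledger = Ledger()
    ledger.record(Audit("alice", "net/ipv4", lines=12000, bugs_found=0))
    ledger.record(Audit("bob", "net/ipv4", lines=12000, bugs_found=2))
    ledger.record(Audit("carol", "fs/ext3", lines=30000, bugs_found=1))
    return ledger


if __name__ == "__main__":
    for name, pts in build_sample_ledger().ranking():
        print(f"{name:6s} {pts:7.1f}")
```

With the assumed weights, alice's 12 KLOC of credit is wiped out by the two holes bob found behind her (12 - 30 = -18), which is exactly the incentive the summary describes: signing off on code you did not really read costs you.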

14 of 281 comments

  1. If a tree falls in a forest... by Zeinfeld · · Score: 5, Funny

    If there is a bug in the kernel and nobody notices it, can we still flame Microsoft?

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/

  2. never heard of it! by Anonymous Coward · · Score: 5, Interesting

    Well, maybe they needed a little more exposure, eh?

    I'm a sysadmin that secures plenty of mission-critical Linux (and FreeBSD) boxes, and I *thought* I kept on top of all the security news; I'd never heard of this project!

    Oh well! Try try again...

  3. Let's be honest by Anonymous Coward · · Score: 5, Insightful

    Auditing is boring. If you've got the skills to audit, you'd probably be much happier writing the code yourself.

  4. Still A Good Idea by Naked+Chef · · Score: 5, Insightful

    Whose time may eventually come. Part of the problem is, as the article mentions, the "Bugtraq" mentality - people are only interested in the flashy big bugs, not the little ones that "only" increase stability. The other problem seems to simply be one of logistics, which the web site apparently didn't sort out. People are already doing this, on a smaller scale. How to get it into a single group under this Sardonix name without duplicating effort? Still difficult. I'd look for it again, in another form, in a few years :)

  5. Thankless task indeed . . . by Mysteray · · Score: 5, Interesting

    Two years after its hopeful launch, a U.S.-backed research project aimed at drawing skilled eyeballs to the thankless task of open-source security auditing is prepared to throw in the towel.

    It does seem to be a thankless task. For a new guy on a project, criticizing the leaders' work doesn't seem a good way to gain influence. For an old contributor, you might feel compelled to add functionality the userbase is demanding.

    Interestingly, the OpenBSD project has put a lot of effort into auditing, and they also have a reputation of being somewhat, um, "grouchy". I wonder if there's some correlation?

  6. Securityfocus batting .500 by AndroidCat · · Score: 5, Interesting

    I guess they couldn't decide how to spell Cris Cowan/Cowen's last name so they alternated.

    They should have a volunteer review process to catch spelling mistakes...

    --
    One line blog. I hear that they're called Twitters now.

  7. Re:Really? by alexandre · · Score: 5, Funny

    So, next time I get an interview I should mention my /. ID? :-)

  8. Re:Classic misdirection by Introspective · · Score: 5, Informative

    I don't think so. The NSA released SELinux as source code, it has been reviewed by many people and adopted into the 2.6 kernel. It would be rather difficult to sneak in "hundreds if not thousands of pre-programmed exploits" into the Linux kernel.

    Check the FAQ

  9. Re:Really? by Saeed+al-Sahaf · · Score: 5, Funny

    Holy shit. 53? Your prospective boss should bow down! I assumed that most of the first 1000 were DEAD by now...

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glenn Beck

  10. Doomed from the start by realmolo · · Score: 5, Insightful

    Here's what they were asking for: WANTED - Extremely experienced Linux coders, familiar with all aspects of security, to verify others' undocumented code, so that the federal government doesn't have to do it themselves. Salary starts at 0 dollars per year. Benefits include: no health care, no 401k.

  11. geek.paranoia++; by RalphBNumbers · · Score: 5, Insightful

    So they wanted people to do possibly the most tedious and unpleasant task in software engineering, over and over, for free, outside of the established (and frankly much more interesting, because they usually involve something besides solitary code reviewing) channels, and they're surprised they didn't get a flood of volunteers?

    Not to mention the job is thankless, it's an infinite loop of paranoia and nit-picking.

    code.insecure = true;
    while (code.insecure) {
        geek.paranoia++;
        geek.review(code);
    }

    --
    "The worst tyrannies were the ones where a governance required its own logic on every embedded node." - Vernor Vinge

  12. Re:Classic misdirection by NixLuver · · Score: 5, Insightful

    Hrm... So you assert that SELinux fixes trivial security issues in order to encourage users to select Linux (less secure) over OpenBSD (more secure), and all this without introducing any trojan code into SELinux.

    The question I have is this: If there are hundreds of invisible exploits in the SELinux kernel, how are we to know that the same situation doesn't exist in OpenBSD?

    Furthermore, how are we to be certain that OpenBSD (oft touted as the most secure OS in the world, and I'll certainly grant it's one of the most secure out-of-the-box OSes I've ever seen) isn't some clandestine creation of the NSA created to lull paranoid psychotics into believing that they were secured against intrusion?

  13. Re:Really? by wrmrxxx · · Score: 5, Funny

    I'm always sure to mention mine. Has got me some really interesting job offers...

  14. Augment, Not "Replace" by Crispin+Cowan · · Score: 5, Insightful

    The /. story says that Sardonix "aspired to replace the Linux security review process." This is not true, and it doesn't even say that in Poulsen's article. Sardonix sought to augment existing software auditing practices, trying to give more credit to people doing the work, and more clearly document the work done. Sardonix was also about open source software in general, and not the Linux kernel in particular.

    Crispin
    ----
    Crispin Cowan, Ph.D.
    CTO, Immunix Inc.