US Homeland Security to Support Open Source
An anonymous reader writes "CNET is reporting that the US Department of Homeland Security is extending its support to open source software. The DHS will be giving Stanford University, Coverity, and Symantec a $1.24 million grant to improve the security of open source software. From the article: 'The Homeland Security Department grant will be paid over a three-year period, with $841,276 going to Stanford, $297,000 to Coverity and $100,000 to Symantec, according to San Francisco-based technology provider Coverity, which plans to announce the award publicly on Wednesday.' It's nice that our tax dollars are being used for the right stuff."
HEAD ASPLODE
Symantec? Open source?? Where?!
At least the department of homeland security isn't wasting all of their money. I know, mod me down for posting flamebait.
quis custodiet ipsos custodes
I would like to see the fork BIND takes under DHS. Out of the applications listed, BIND must be the most formidable for securing and utilizing in a secure environment. This could be a boon for the overall reliability of the internet.
One ring to bind them - should probably have more fiber and less rings in their diet.
Where's the conspiracy here? Is it a good thing that DHS is supporting open source? Boy, I can't wait til the talking heads get ahold of this.
"The money is going to provide them with things they need to fix the bugs, which is bug reports. That is a lot better than they have now, which is nothing," While I agree with Engler's comment here, I also have to wonder, without proper funding to fix these bugs, what good will it do? And if a list of bugs and exploits comes out on well used Open Source Software, without the means to fix them, and these lists are leaked, it could create havoc.
The real story seems to be that the money is granted to develop and test source code analysis tools, with Stanford doing development and Symantec testing. Seems like a potentially good way to catch human errors in coding. Instant feedback for the sloppy coder would be nice.
I understand that most open source is written by people who care and are either college students or white collar workers who have time either at work (employer consenting), or at home if they have little family life.
But, I think a little squirt of the green will help to encourage those who permit this behaviour of the programmers to feel a little bit better and increase the likelihood of permitting if not encouraging such behaviour in the future.
http://pack.google.com/pack_installer_required.html
If Google can convince Symantec to give away their software, perhaps the next logical leap would be for Google to convince them to create an open source security suite... Or at least contribute to the laundry list of FOSS designed for such a thing.
I'm glad the government is supporting the open source initiative. However, when I see that the Department of Homeland Security is getting involved in something I always wonder what is their angle? Are they really attempting to harden Open Source or do they have a more nefarious objective? Sure, Open Source would be hard to co-opt but would it be impossible?
:D
anyway, my two cents as an Anonymous Coward so the DHS has to do a (very) little work to find me
IMHO, anyone that thinks this will improve anything is completely naive. All this will serve to do is improve the lifestyles of the overly affluent.
I've yet to personally see one good thing come from these excessive pay outs to big business or big education. The majority of such funding is spent creating and then supporting the lavish lives of the leisure class.
The rich play, the poor pay.
...Satan supporting the bible.
Don't believe anything I say. I crash test crack pipes for a living.
You mean a whole 1.24 million dollars. Talk about pushing the budget.
There are no loopholes. It's either legal or it's not.
What has Symantec to do with OSS?
Surely there is a group/company more appropriate than Symantec to scrub for bugs?!?
"Consider how lucky you are that life has been good to you so far. Alternatively, if life hasn't been good to you so far
Most open source, in terms of sheer number of projects or lines of code? Probably. But in terms of usage?
The major open-source projects have got corporate backing now. Linux, for instance? Lots of work being done on that by IBM, in addition to the employees of the likes of Red Hat or SuSE. Similarly, I believe AOL has been backing Mozilla lately, and the number of old-skool Unix utilities that contain copyrights of the University of California is enormous - after all, they wrote BSD.
It's not just anarchist hackers now. Open source has gone commercial in a really big way.
Real Daleks don't climb stairs - they level the building.
... this is another step in the right direction. Love them or hate them, this is a Good Thing®.
My image today is "impress." Sounds about right.
>It's nice that our tax dollars are being used for the right stuff."
I guess it'll trickle down from commercial organisations to poor people...
At least the department of homeland security isn't wasting all of their money.
I agree. This will promote OSS and help reduce the costs of our Government. So what's the problem with what the parent said?
They have coders working for them now?!
OSS? What is it? Does it mean that Symantec will produce/improve OSS software and all related patents that will be registered (thanks to your taxes) will be released to public too?
Or is it that you sponsor OSS but proprietary software and further patent vault of privately held corporations?
Is it good to "sponsor" a privately held company in the field where it fights with competition?
Well, I've got to get back to work. When I stop rowing, the slave ship just goes in circles.
The tech behind what they are doing seems pretty neat. How long before we have software writing bug-free software? How much farther behind that (with hardware keeping up) is true heuristic AI?
Jaysyn
There is a war going on for your mind.
Ok, so this is a grant. Does it mean that any software developed as a result of this grant will be open-sourced, and publicly available to all, free of charge? If not (and everything indicates that it won't be), I'd say someone has a well-placed friend and got free money to develop their own proprietary software. Yeah, it will scan major open source software, and yeah, the database will be public (?), but then the tools from the grant money are still proprietary.
I thought only China has "guanxi" problem?
Ditto. McAfee is even worse.
Jaysyn
There is a war going on for your mind.
$1.2 Million doesn't seem like a whole lot, I hate to say. .01% of the investment behind Vista, and probably .05% of the investment behind security in Vista.
Yes, it is a statement that DHS is supporting open source, but that's about it.
That represents like
In any case, I hope they spend it well.
Considering that about 50% of the money going to Stanford goes to 'overhead', that leaves enough for about 3 FT programmers over the 3 year period.
3 FT programmers over 3 years (maybe 4 if you get them cheap), is a literal drop in the bucket.
Again, MS spends more on MSDN Channel 9 than this.
New Title "DHS pisses away 100 grand"
Ubuntu: If at first you don't succeed, blindly slap a sudo in front of it
Last time I checked, most of Linux and its accompanying OSS was written in the C programming language.
Are they proposing building an 'I think I know what you meant' version of lint or something?
If they can do this, then they deserve the Wolf Prize, and the Nobel Prize and some new prize.
Kind of reminds me of a project I saw (run by a standard CS grad student, no less) to automatically convert C libraries into web services.
They got a little bit stuck when they moved past integers and had to deal with pointers.
The money going to Stanford will certainly be put to good use, and I don't know anything about Coverity, but why would we give money to Symantec? They're ostensibly a (private) "security" company, and seem to be raking in money, so why do they need grant money? I don't know about anyone else, but outside of Norton Antivirus I don't see what Symantec really has to do with security these days. Most people I've spoken to find products like Zone Alarm better than the Symantec offerings for end-user firewalls. It just seems like they're more of a one-trick pony - Windows antivirus - so why would they even be considered for "Open Source Security"?
rooooar
The list of open-source projects that Stanford and Coverity plan to check for security bugs includes Apache, BIND, Ethereal, KDE, Linux, Firefox, FreeBSD, OpenBSD, OpenSSL and MySQL, Coverity said.
Most of them need a lot of work. However why do I get the feeling that when they get to OpenBSD, they will realise that:
1. The version of Apache OpenBSD is maintaining will be the best to focus on, instead of Apache proper.
2. BIND really needs a good going over.
3. Ethereal ditto.
4. KDE ditto.
5. Linux should not be used, as it is beyond economical repair.
6. Firefox needs a good going over.
7. FreeBSD has awesome performance but is very worthy of a good security audit.
8. MySQL was a mistake and PostgreSQL should have been chosen.
9. and OpenBSD should get the wide scale recognition it deserves and take the position which Linux has been fraudulently occupying for far too long.
Stanford is also the home of the Meta-level Compilation (MC) project, a useful auditing tool for trusted build agents.
Now that Microsoft is getting into the signature and behaviour based antivirus industry, maybe Symantec could turn its pattern matching technology to checking source code instead of binaries.
I'd love to have array bounds checking built in to the compiler, so it would complain when I leave a loop unbounded.
But things like race conditions in a multithreaded app, abuse of least privilege, or other runtime errors seem more difficult.
The cynic in me says that it's Symantec doing it, so they'll make a product you have to leave running all the time to be "secure". They're just doing the testing part, though. Besides, what would they call it, Symantec Antisecurity?
Raise your children as if you were teaching them to raise your grandchildren, because you are.
This is payback for Symantec Antivirus NOT disinfecting the Magic Lantern virus.
As far as it concerns me I deeply distrust all "security companies" since this little incident.
I am the musician
with pocket calculator in hand
Kraftwerk
but quite political.
This is just a gesture, nothing more. Symantec has had its head up its tail for so long it thinks that's what the world looks like.
Leave it to the government to spend money just to make a statement that could possibly have more negative ramifications than positive. If there is no game plan or drive to a specific goal, opponents will be more successful at blowing the results in another direction. This does smack of a feeble attempt by a do-gooder(s).
I can just see the article they will write:
The unsafe Linux, which we reported on before, is nearing its end. In a last struggle to survive, the Heimat Security steps in, because the Linux community is unable to solve the security leaks themselves. The testing will be done by Symantec with closed source as to guarantee the quality open source themselves is unable to give.
This was a broadcast from the Heimat Security Newspaper approved press.
Keep our nation free by supporting the companies that will fight for your real freedom. The freedom to consume.
(Go on. Mod me down. I have Karma to burn.)
Don't fight for your country, if your country does not fight for you.
This is not news.
The US government and the military in particular has required documentation of every function and procedure of software they use, down to what it does and how it does it. Using open source software with freely available source code isn't much of a stretch.
Many moons ago, in fact, Microsoft was forced to remove the easter eggs from Windows XP because the military wouldn't touch it if it had undocumented functions - even frivolous ones.
The last thing Symantec can afford is the proliferation of secure operating systems.
They'd do better offering money to Linux/*BSD kernel development or the Mozilla Foundation (for instance).
So, if they'll improve a computer program that spots errors in code (which I suppose will benefit all, not just OSS), will they be able to develop a computer program to fix the errors? Or does that already exist?
We'll need the puny humans for what, exactly, again? Oh, that's right, to build the hardware...
"We are all geniuses when we dream"
- E.M. Cioran
FWIW, Coverity is a spin-off of Dawson Engler's work at Stanford.
"Many feel that there seems to be some kind of back-patting going on between **Beatles-Beatles** and ScuttleMonkey"
cmdrTaco explained this yesterday by the fact that ScuttleMonkey works the night shift, which is the timeframe BB submitted most all his articles.
This also explains why the last 6 stories have been posted by SM.
how would THAT be news?
Why didn't they just use the version of Linux that the NSA wrote?
It seems logical to me that if Symantec wants to be involved with "Open Source" that they should become open source first.
Then maybe the open source community can help them with some of their problems like this one:
"Symantec has admitted its flagship consumer security application, Norton AntiVirus 2005, has a security vulnerability that allows certain types of malicious script to infect a user's personal computer with a virus."
http://www.zdnet.com.au/news/security/0,2000061744,39165825,00.htm
This has been another valuable and informative opinion from:
Catahoula!
... will be swiftly gobbled up as their "cost" to produce a simple paper saying that everyone needs to keep running Windows and not even think about open source stuff. (It won't be mentioned at all that the real reason they wish for everyone to keep running Windows is because all Windows' insecurities are their primary cash cow.)
It's nice that our tax dollars are being used for the right stuff.
It might just be me, but Symantec getting my tax dollars is far from the way I imagined it being spent on "the right stuff".
What exactly is the DHS getting in return for their investment? You know the government NEVER invests money in something if there's nothing in it for them. Think 'backdoor'.
It takes just a moment and an action to destroy. It takes some time and thought to create.
Then MSFT will start calling their contacts on the K Street Project. They'll turn around and contact their Republican buddies on the staffs of key legislators and committee members and I bet by this time next week Homeland Security will be "re-examining" their approach to open source.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
Maybe this money would be better spent by paying the developers of the major applications, or hiring new developers to work on them. A major part of their job descriptions would be securing and vetting patches for the software they're working on.
I'd think this would improve security greatly, and speed up development in general.
Many conspiracy theories abound whenever anyone outside the Open Source community contributes anything to the process. I do not believe bug reports are going to introduce "back doors" to the software that many of us use on a daily basis.
If you want a real conspiracy theory, or a Symantec angle in particular, think "Trusted Computing", Palladium. If they have never "studied" Open Source, they would not have a leg to stand on in saying that Open Source software is not to be trusted.
Do I believe the above? Not really. Simplest explanation would be that the DHS found a way to use the new buzz words "Open Source" as an excuse/reason to give money to private companies and universities. Take whatever good comes from it and use it. Take whatever bad comes of it and use it as a lesson. There is always something to be learned.
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
A team of 4-5 people could probably finish off the C standard library in a matter of months and make good progress on the more common daemons that are often run on Linux systems (Bind, apache, the various mail servers, etc) in the span of a year. The money DHS is spending on this would be more than enough to hire a team that size for a year to work on that.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
What's that you say? No, he's never lied before...
I can see giving the money to a school. However two Private companies!?!
Symantec with Revenue in the Billions doesn't need the 100k and coverity seems to be private company as well.
It pays to know people apparently
Remember the NSA tags in Microsoft code?
Just what kind of 'security' do we all think the Homeland Office is really interested in here? Keeping our ports plugged up nice and tight, or being able to do data eavesdropping on all those troublesome citizens who simply refuse to conform to the state doctrine by using corporate software? You know, to protect us from so-called, 'terrorists'.
If you make deals with the devil, you will lose.
-FL
I didn't even get past your *first point* before noticing a glaringly obvious lie of omission.
"1979
November 4
Iranian radicals seize the US Embassy in Tehran, taking sixty-six American diplomats hostage. The crisis continues until 20 January 1981 when the hostages are released by diplomatic means."
You seem to have left out a little bogus prior art by the US/UK axis of maximum profits. Intentional? I would guess yes due to your taking the time to write or copy such a long piece.
I will give a very short Cliff's Notes reply now.
Iran had a democratically elected leader who wanted more of the oil profits to benefit Iran's people. Whoops! This didn't fly with the oil goons, so they organized a coup complete with terrorist bombings and assassinations and had the Shah of Iran imposed on the people there. Eventually, his police state apparatus (SAVAK, no different from any other organized group of torturers) got to be too much for the bulk of the folks in Iran, basically all the same stuff Saddam was accused of lately, making it easy for Islamic fundies to organize resistance. Extremely easy really. The Shah gets sick and has to leave the nation to go get treatment; by that time the Ayatollah Khomeini was able to just walk in and take over. They seized those embassies looking for evidence of crimes against Iran by the Shah and US intel agencies, and despite frantic shredding efforts by the US personnel, were able to carefully piece together shredded documents to *completely* prove their point to the international community. They had every right to do so; the US/UK oil and arms folks had openly declared war against the Iranian people with their installation of the Shah. In the meantime, over the next several months, US elections were getting ready. Carter tried a hostage rescue attempt but it failed due to technical reasons with the planes and helicopters and some bad luck due to weather and sandstorms, etc. The Republicans in the background were shipping arms around the world and smuggling cocaine to fund the projects. They had a secret initiative directly to the "bad guy" mullahs and supplied them with replacement parts and additional arms, in exchange for them delaying release of the US hostages until AFTER the election, helping to ensure a Reagan win, and Pappy Bush, CIA honcho at the time, was in this up to his eyeballs.
Then reagan gets in with pappy as VP (after more shenanigans at the convention to get pappy the VP nod, another story there on massive corruption and threats), then later he becomes prez. Oh ya, before that, a brainwashed young friend of the shrub crime family tried to whack Reagan when he was getting too uppity.
And so on.
I'll give you an A for effort on rearranging history to try and prove a point, but a D for content and an F for intentionally misleading people. I could go right down the list and point out quite a few instances of revisionism and omission in your historical review of events and who "the bad guys" are. The US and UK combined corporate/intel/governmental goons have completely bloody and evil hands; it's not just all these other people deciding to attack western interests completely unprovoked. The number of dictators installed and supported by these places' intel agencies is in the dozens in the last century, and their victims are in the MILLIONS.
You can fool some of the people, but a lot of us have been covering this / researching this for decades and are completely hip to your FUD and disinformation campaigns.
All windows owners will be brought in for questioning. Do not be alarmed citizen, your deportation to an undisclosed location was in the EULA that came with the last windows update. Resistance is futile.
What other explanation is there for the key military units (the soldiers) being equipped with Linux hardware and the NSA making Linux more secure?
The cleansing is about to begin.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Chances are that they wouldn't want to put back doors in published source, particularly with all of the tracking of origins of patches in, at least, the Linux kernel these days.
It's not like the government will be the only people looking at the code, and the government generally doesn't want to publish clear documentation of domestic spying.
For that matter, the NSA is already a contributor to the Linux kernel, employs a maintainer (Stephen Smalley), and hosts a mailing list and web site on their module. But you can bet that a number of people review any changes they make.
Supporting the bible? He wrote it, you insensitive clod!
Life is a gift. And my Karma couldn't possibly be 'Positive'
It's not necessarily about overt control, (which I'm sure they would opt for if nobody was paying attention), so much as it is about placing rats and spooks in the workings so that influence can be exerted in some future way should the opportunities arise.
It's like making friends with addicts, bikers or mafia members. It's best to avoid contact altogether, or the next thing you know, you'll have crack deals going down in your living room.
-FL
Peter Norton should sue Symantec for defamation of character.
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
(I hope this post isn't moderated as flamebait. I love Open Source Software, but there are serious problems in our community which need to be addressed. I am not an outsider attacking OSS to destroy, but a community member pointing out shortcomings to help preserve and improve it.)
Do most Open Source projects even do anything with bug reports?
Other than:
1. Ignore them.
2. Claim they are not bugs, but features.
3. Claim they are valid "design decisions".
4. Say they'll get around to fixing bugs when they are done adding features - e.g. they'll fix the root exploit in the FTP daemon after they add a 3D OpenGL interface to it.
5. Say it won't be fixed. Bugzilla has a "WONTFIX" status which is used quite often.
6. Fix the bugs by wholesale destruction and replacement of whole sections of code, or even the whole code base - now you got all new bugs!
7. Claim the bug is in another piece of software or hardware and their code is just the unfortunate victim.
8. Blame software patents, George Bush, Hurricane Katrina, Microsoft, little green men/women from Mars, sunspots, quantum time fluctuations or anything else for why they can't or won't fix it.
Just because it CAN be done, doesn't mean it should!
People are missing the point that it's not about the size of the grant, it's about the first steps of the US government to acknowledge that open source is an important part of our nation's infrastructure. The whole mission of the DHS is to protect our nation's security. It's nice that they value open source software enough to start a project to improve the security of OSS. Instead of saying that $1.24M is not enough, we should be thankful for each small step. Every little bit helps.
Even if they did detect the Sony rootkit, there's one key reason why Symantec shouldn't be chosen: It has zero experience with Unix security or Linux. Unix/Linux is fundamentally different than Windows in many ways. Picking Symantec to head Linux security is sort of like getting a chief mechanical engineer to be lead surgeon at a hospital. Sure there are a lot of mechanical aspects in the body and the engineer might see some places where things can be improved but the learning curve is huge. A much better choice would be Sun or IBM since both understand open source and both have solid Unix experience that spans decades.
The Department of Homeland Security is going to hide backdoors in Open Source code???
They're the government, they're not magicians!
Remember how quickly the Linux kernel "uid=0" instead of "uid==0" exploit was found?
They could instead compromise a binary of gcc and do a Ken Thompson type hack where it miscompiles itself and system software to add backdoors, although even then, people would notice the different binaries and the miscompilations.
But at least that would be possible.
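As an added example for this discussion (not code from the thread, from Coverity or from Stanford), here is a small Python checker for the pattern the comment above refers to: an assignment where a comparison was meant inside an `if`/`while` condition. It goes a little beyond the `uid=0` case: any `=` whose right-hand side is an integer literal is flagged at any nesting depth, a bare top-level `=` is flagged, and the idiomatic `(p = f()) != NULL` form passes; the C fragment it scans is constructed.

```python
# Added example; not code from the thread, Coverity or Stanford.
# A small checker for "assignment where a comparison was meant" inside an
# if/while condition, the shape of the 2003 `uid=0` kernel incident.
import re

# Tokeniser for condition text. Literals come first so that a '=' inside a
# quoted string is never mistaken for an assignment.
TOKEN_RE = re.compile('|'.join([
    r'"(?:\\.|[^"\\])*"',          # string literal
    r"'(?:\\.|[^'\\])*'",          # character literal
    r'[A-Za-z_]\w*',               # identifier or keyword
    r'0[xX][0-9A-Fa-f]+[uUlL]*',   # hex integer literal
    r'\d+[uUlL]*',                 # decimal integer literal
    r'==|!=|<=|>=|&&|\|\||->|\+\+|--|<<=|>>=|[-+*/%&|^]=|<<|>>',
    r'\S',                         # any other single character
]))
INT_RE = re.compile(r'(?:0[xX][0-9A-Fa-f]+|\d+)[uUlL]*')
COND_START_RE = re.compile(r'\b(if|while)\s*\(')


def _balanced_condition(text, start):
    """Return (condition, index_of_closing_paren) for the parenthesised
    expression whose '(' is at text[start]; nesting and quoted literals are
    respected. Returns (None, len(text)) if the parentheses never close."""
    depth, quote, i = 0, None, start
    while i < len(text):
        c = text[i]
        if quote:
            if c == '\\':
                i += 2          # skip the escaped character
                continue
            if c == quote:
                quote = None
        elif c in '"\'':
            quote = c
        elif c == '(':
            depth += 1
        elif c == ')':
            depth -= 1
            if depth == 0:
                return text[start + 1:i], i
        i += 1
    return None, len(text)


def check_condition(cond):
    """Classify one condition string. Returns a reason string, or None.

    Rule 1: '=' whose right-hand side is an integer literal is flagged at any
            nesting depth (a constant assigned inside a test is never a test).
    Rule 2: a bare '=' at the top level of the condition is flagged; wrapping
            it in its own parentheses, as in `(p = f()) != NULL`, is the
            conventional way to say the assignment is intended, so that passes.
    """
    toks = TOKEN_RE.findall(cond)
    depth = 0
    for i, tok in enumerate(toks):
        if tok == '(':
            depth += 1
        elif tok == ')':
            depth -= 1
        elif tok == '=':
            nxt = toks[i + 1] if i + 1 < len(toks) else ''
            if INT_RE.fullmatch(nxt):
                return 'assigns a constant inside the condition'
            if depth == 0:
                return 'bare assignment in condition (== intended, or wrap in parentheses)'
    return None


def find_suspicious_conditions(src):
    """Scan C source text; return [(line, keyword, condition, reason), ...]."""
    findings = []
    for m in COND_START_RE.finditer(src):
        cond, _ = _balanced_condition(src, m.end() - 1)
        if cond is None:
            continue
        reason = check_condition(cond)
        if reason:
            line = src.count('\n', 0, m.start()) + 1
            findings.append((line, m.group(1), ' '.join(cond.split()), reason))
    return findings


# Constructed C fragment: line 2 is modelled on the 2003 sys_wait4 incident the
# thread refers to; the rest are ordinary shapes a checker must judge correctly.
SAMPLE = """\
/* constructed sample for the checker above */
if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
if (uid = 0)
        goto privileged;
if ((p = lookup(name)) != NULL)
        use(p);
while (n = next(n))
        count++;
if (uid == 0 && flags != 0)
        ok = 1;
"""

if __name__ == '__main__':
    for line, kw, cond, reason in find_suspicious_conditions(SAMPLE):
        print(f'line {line}: {kw} ({cond}): {reason}')
```

Lines 2, 4 and 8 of the sample are reported; the double-parenthesised assignment on line 6 and the plain comparisons on line 10 are accepted.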
Just because it CAN be done, doesn't mean it should!
You're missing the point.
All of those things can be done now, YET ARE STILL EASILY DETECTED.
Your points are shit, and you're an idiot for suggesting them.
Instead of choosing which software I want to pay for, the government now chooses which software I have to pay for?
You asked
"Am I missing something?"
The answer is yes, most of the population of readers here don't give a shit about submitters, and generally hate whiny fucks who make a point of crybabying about this issue.
Do you understand that? WE DO NOT CARE, STOP SPAMMING THE BOARD WITH THIS IDIOTIC TRIPE.
That "ton" of replies you mentioned was mostly the same two dozen or so bitches complaining. Calling the whiniest 3% a "ton" is stretching it. More like "a few isolated pricks".
Did you miss THAT?
I am so tired of people like you and this fucking stupid argument.
How pathetic are you that you follow me from topic to topic and waste all your mod points at once modding me down?
It's nice that our tax dollars are being used for the right stuff."
Says you. Why the FUCK should my money go to help open source software become 'more secure', whatever that means? What are the measurable goals? Why is this part of Homeland Security? Why is the presumption that nothing gets done unless government funds it? My experience leads me to believe that the reality is that when government funding is involved, things get done more slowly and with less positive results. For example: How long has the 'War on Some Drugs' been fought? How much progress has been made? Ditto the 'War on Illiteracy' and the 'War on Poverty'. So why should the 'Violent Struggle against Some Religious Fanatics' be any different?
http://xkcd.com/386/
Are folks daft enough to think that having the equivalent of the Gestapo take an interest in what is near and dear to them is a Good Thing? The administration's idea of software security is to lock down every thing possible against any modification whatsoever lest some "cyber-terrorist" does something nasty.
One might think the reason for their spending money on finding bugs but not spending money on fixing them was so they could be a few steps ahead of everyone in knowing ways into OSS systems.
These are the folks that hired an officer from doubleclick.net
What's with the hair-split patrol today? You're the third person to complain about something I've posted because of some silly semantic word play. Can you honestly tell me that you did not understand the point I was making?
-FL
Your points are shit, and you're an idiot for suggesting them.
Well I certainly must be an idiot, because I can't understand what the heck you're talking about. Either that or you don't know how to communicate very well.
I don't know what 'things' you mean, and I don't know which 'shitty' points you are referring to. In the future, you might try both paraphrasing as well as actually attempting to explain your thoughts in such a manner that people who aren't you have some small hope of comprehending them.
-FL
Are they doing this because they understand that open source allows easier auditing for security issues? Or are they doing it because they are using open source just to save money?
What I find creepy is that the purpose of this initiative is to look for stuff on their own and then keep a database of bugs. Will this be so automated that nobody will actually look and check if maybe a new vulnerability should not be announced out in the open until the core developers of the affected item have had a chance to fix it?
Say this automated system finds a buffer overflow issue in Apache, will this just post an automated message that says "Apache 2.0.x has a buffer overflow if you do this: ..." or will somebody at least check these out before they go public?
Pedro
----
The Insomniac Coder
If open source is good enough for big business, then why not the government? As long as everything is kept up-to-date. But I think a more interesting topic to debate would be - Who is going to protect the US from the Department of Homeland Security?
SO: Why aren't there FOSS source scanning tools? Or are there?
(And why cannot SlashDot users use the subject line a bit more creatively than "Re: Re: Reply: Re: irrelevant"???)
<shout>
MOD PARENTS UP!!!
MOD PARENTS UP!!!
MOD PARENTS UP!!!
</shout>
Just found on Google News here and elsewhere. Symantec has been using a rootkit with SystemWorks. Maybe Symantec is supposed to be developing an easier way to rootkit *nix?
If you want your life to be different, live it differently.
1) Problem: there are not enough security problems in OSS s/w (compared with popular proprietary s/w.)
2) Look for bugs, report them to CERT but do not offer to help fix them.
3) Symantec et al. profit.
The DHS will be giving Stanford University, Coverity, and Symantec a $1.24 million grant to improve the security of open source software.
Why don't they just give the whole enchilada to Theo and get the hell out of his way. I'm sure in about 7 years we would end up with some FANTASTIC security applications that we would have to steal from the ports tree and make into .deb, .rpm or just compile them ourselves. However, there would probably be no documentation but on the bright side I'm sure a few theme songs would come out of it.
All-in-all I think it is a safer bet with Theo (de Raadt) at least we would know that the money is being spent on the project with the exception of occasional six-pack of cold beer and X tablets. As for Symantec I don't trust that the money will be properly spent on the project.