Slashdot Mirror
US Homeland Security to Support Open Source
An anonymous reader writes "CNET is reporting that the US Department of Homeland Security is extending its support to open source software. The DHS will be giving Stanford University, Coverity, and Symantec a $1.24 million grant to improve the security of open source software. From the article: 'The Homeland Security Department grant will be paid over a three-year period, with $841,276 going to Stanford, $297,000 to Coverity and $100,000 to Symantec, according to San Francisco-based technology provider Coverity, which plans to announce the award publicly on Wednesday.' It's nice that our tax dollars are being used for the right stuff."
Symantec? Open source?? Where?!
What has Symantec to do with OSS?
Surely there is a group/company more appropriate than Symantec to scrub for bugs?!?
"Consider how lucky you are that life has been good to you so far. Alternatively, if life hasn't been good to you so far
While I normally am suspicious of almost everything done by DHS, I do see this as a good thing. It seems like a good start, anyway. If only we could get them to put the other 99.997% of their budget (based on their 2005 budget) behind Open Source...
"Teleporting Rodents with D-Cell Battery Displacement" theory -- IgnoramusMaximus (692000)
Ok, so this is a grant. Does it mean that any software developed as a result of this grant will be open-sourced, and publicly available to all, free of charge? If not (and everything indicates that it won't be), I'd say, someone has a well-placed friend and got free money to develop their own proprietary software. Yeah, it will scan major open source softwares, and yeah, the database will be public (?), but then the tools from the grant money are still proprietary.
I thought only China has "guanxi" problem?
Where's the conspiracy here?
Wait for it, wait for it!
Is it a good thing that DHS is supporting open source?
They are not supporting open source. They are supporting commercial code which can be applied against open source code.
The open soure developers and their code base are left to go scratch.
KFG
Stanford is also the home of the Meta-level Compilation (MC) project, a useful auditing tool for trusted build agents.
Now that Microsoft is getting into the signiture and behavour based antivirus industry, maybe Symantic could turn its patten matching technology to checking source code instead of binaries.
I can just see the article they will write:
The unsafe Linux, wich we reported on before is nearing its end. In a last struggle to survive, the Heimat Security steps in, because the Linux comunity is unable to solve the security leaks themselves. The testing will be done by Symantec with closed source as to guarantee the quality open source themselves is unable to give.
This was a broadcast from the Heimat Security Newspaper aproved press.
Keep out nation free by suporting the companies that will fight for your real freedom. The freedom to consume.
(Go on. Mod me down. I have Karma to burn.)
Don't fight for your country, if your country does not fight for you.
The last thing Symantec can afford is the proliferation of secure operating systems.
They'd do better offering money to Linux/*BSD kernel development or the Mozilla Foundation (for instance).
It seems logical to me that if Symantic wants to be involved with "Open Source" that they should become open source first.
4 ,39165825,00.htm
Then maybe the open sourse community can help them with some of their problems like this one:
"Symantec has admitted its flagship consumer security application, Norton AntiVirus 2005, has a security vulnerability that allows certain types of malicious script to infect a user's personal computer with a virus."
http://www.zdnet.com.au/news/security/0,200006174
This has been another valuable and informative opinion from:
Catahoula!
A team of 4-5 people could probably finish off the C standard library in a matter of months and make good progress on the more common daemons that are often run on Linux systems (Bind, apache, the various mail servers, etc) in the span of a year. The money DHS is spending on this would be more than enough to hire a team that size for a year to work on that.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Amen, man. Here's a DHS security initiative that would have cost nothing: Switch to OpenBSD if security is a concern, and check periodically for security advisories.
This spending is just more pork barrel crap that will probably not accomplish anything and will just get pocketed by somebody. Security doesn't just get fixed with a couple million bucks and a year of coding, it's an ongoing long term process, and the #1 problem with security today is lack of education and/or indifference on security issues, NOT a lack of pork barrel spending.
(I hope this post isn't moderated as flamebait. I love Open Source Software, but there are serious problems in our community which need to be addressed. I am not an outsider attacking OSS to destroy, but a community member pointing out shortcomings to help preserve and improve it.)
Do most Open Source projects even do anything with bug reports?
Other than:
1. Ignore them.
2. Claim they are not bugs, but features.
3. Claim they are valid "design decisions".
4. Say they'll get around to fixing bugs when they are done adding features - e.g. they'll fix the root exploit to the FTP daemon after they add a 3D Open GL interface to it.
5. Say it won't be fixed. Bugzilla has a "WONTFIX" status which is used quite often.
6. Fix the bugs by wholesale destruction and replacement of whole sections of code, or even the whole code base - now you got all new bugs!
7. Claim the bug is in another piece of software or hardware and they're code is just the unfortunate victim.
8. Blame software patents, George Bush, Hurricane Katrina, Microsoft, little green men/women from Mars, sunspots, quantum time fluctuations or anything else for why they can't or won't fix it.
Just because it CAN be done, doesn't mean it should!