Slashdot Mirror


US Homeland Security to Support Open Source

An anonymous reader writes "CNET is reporting that the US Department of Homeland Security is extending its support to open source software. The DHS will be giving Stanford University, Coverity, and Symantec a $1.24 million grant to improve the security of open source software. From the article: 'The Homeland Security Department grant will be paid over a three-year period, with $841,276 going to Stanford, $297,000 to Coverity and $100,000 to Symantec, according to San Francisco-based technology provider Coverity, which plans to announce the award publicly on Wednesday.' It's nice that our tax dollars are being used for the right stuff."

32 of 186 comments

  1. Symantec? by Anonymous Coward · · Score: 5, Insightful

    Symantec? Open source?? Where?!

    1. Re:Symantec? by killmenow · · Score: 4, Insightful
      I'll add to this...
      The DHS will be giving Stanford University, Coverity, and Symantec a $1.24 million grant to improve the security of open source software.
      I fail to see how giving Symantec money will improve the security of anything unless we're talking about securities...as in Symantec stock. Once upon a time the name Norton prepended was a good sign. I am not trying to troll or incite flames, but I find Symantec (and McAfee for that matter) sorely wanting these days. I would be leery of running anything with their name attached to it on one of my boxes.

      At least they only get $100,000 and the bulk goes to Stanford.
    2. Re:Symantec? by KiloByte · · Score: 4, Interesting

      Don't underestimate Symantec's relations with Open Source.

      They are big. They are strong. They are all negative.

      Symantec is known for its FUD campaigns in order to hawk their anti-virus software. They do everything they can to fool people into believing that viruses are as prevalent in the rest of the world as they are in Windows.

      Thus, I believe that a dollar given to Symantec is worse than a dollar ripped apart.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:Symantec? by $rtbl_this · · Score: 4, Interesting

      They are all negative.

      Not all of them. We use Symantec's IDS and AV/anti-spam appliances, both of which are just i386 linux boxes with some proprietary software and a candy-coated front-end. Just because their marketing folk badmouth open source software doesn't mean that their technical staff don't see the advantages.

      --
      "Are you being weird, or sarcastic?" said Emma. I said I didn't know because I get the two feelings mixed up.
    4. Re:Symantec? by lanswitch · · Score: 2

      would not be surprised that they are costing most companies more money over time than a virus running rampant in their network...

      Could be true. But I would prefer the occasional problem with the virus scanner (on server or workstation) to one virus running wild over a network without protection.

  2. BIND by ehaggis · · Score: 4, Interesting

    I would like to see the fork BIND takes under DHS. Of the applications listed, BIND must be the most formidable to secure and to run in a secure environment. This could be a boon for the overall reliability of the internet.

    --
    One ring to bind them - should probably have more fiber and less rings in their diet.
    1. Re:BIND by gormanly · · Score: 4, Funny

      And you trust the DHS to map domain names to IP addresses better than they do with city names and geography ?

  3. Good Start by Artie+Dent · · Score: 5, Interesting

    "The money is going to provide them with things they need to fix the bugs, which is bug reports. That is a lot better than they have now, which is nothing." While I agree with Engler's comment here, I also have to wonder: without proper funding to fix these bugs, what good will it do? And if a list of bugs and exploits comes out on well-used Open Source Software, without the means to fix them, and these lists are leaked, it could create havoc.

  4. Source code analysis tools by grimJester · · Score: 5, Interesting

    The real story seems to be that the money is granted to develop and test source code analysis tools, with Stanford doing development and Symantec testing. Seems like a potentially good way to catch human errors in coding. Instant feedback for the sloppy coder would be nice.

  5. This is like... by PFactor · · Score: 3, Funny

    ...Satan supporting the bible.

    --
    Don't believe anything I say. I crash test crack pipes for a living.
  6. Wow. by Capt+James+McCarthy · · Score: 4, Funny

    You mean a whole 1.24 million dollars. Talk about pushing the budget.

    --
    There are no loopholes. It's either legal or it's not.
  7. Symantec? by marcushnk · · Score: 3, Insightful

    What has Symantec to do with OSS?
    Surely there is a group/company more appropriate than Symantec to scrub for bugs?!?

    --
    "Consider how lucky you are that life has been good to you so far. Alternatively, if life hasn't been good to you so far
  8. Not necessarily so... by meringuoid · · Score: 4, Informative
    I understand that most open source is written by people who care and are either college students or white collar workers who have time either at work (employer consenting), or at home if they have little family life.

    Most open source, in terms of sheer number of projects or lines of code? Probably. But in terms of usage?

    The major open-source projects have got corporate backing now. Linux, for instance? Lots of work being done on that by IBM, in addition to the employees of the likes of Red Hat or SuSE. Similarly, I believe AOL has been backing Mozilla lately, and the number of old-skool Unix utilities that contain copyrights of the University of California is enormous - after all, they wrote BSD.

    It's not just anarchist hackers now. Open source has gone commercial in a really big way.

    --
    Real Daleks don't climb stairs - they level the building.
  9. Why "Flamebait"? by IAAP · · Score: 4, Informative
    We've all heard about the wasteful spending by states and municipalities regarding the spending of money thrust upon them by Homeland Security. It's a matter that concerns both sides - a little. Homeland Security has become yet another avenue for pork barrel spending, and as a result, states are getting money that may not help the fight on terrorism. Senate

    At least the department of homeland security isn't wasting all of their money.

    I agree. This will promote OSS and help reduce the costs of our Government. So what's the problem with what the parent said?

  10. Re:Sort of good.. by Bimo_Dude · · Score: 2, Insightful
    Looks like you're on the way to a +5 Flamebait (hehehe...)

    While I normally am suspicious of almost everything done by DHS, I do see this as a good thing. It seems like a good start, anyway. If only we could get them to put the other 99.997% of their budget (based on their 2005 budget) behind Open Source...

    --
    "Teleporting Rodents with D-Cell Battery Displacement" theory -- IgnoramusMaximus (692000)
  11. Wait... Symantec? by ettlz · · Score: 4, Funny

    They have coders working for them now?!

  12. OSS what does it mean? by Elixon · · Score: 4, Interesting

    OSS? What is it? Does it mean that Symantec will produce/improve OSS software and all related patents that will be registered (thanks to your taxes) will be released to the public too?

    Or is it that you sponsor OSS but proprietary software and further the patent vault of privately held corporations?

    Is it good to "sponsor" a privately held company in the field where it fights with competition?

    --
    Well, I've got to get back to work. When I stop rowing, the slave ship just goes in circles.
  13. Looks like someone has a well-placed friend by 2Bits · · Score: 4, Insightful

    Ok, so this is a grant. Does it mean that any software developed as a result of this grant will be open-sourced, and publicly available to all, free of charge? If not (and everything indicates that it won't be), I'd say someone has a well-placed friend and got free money to develop their own proprietary software. Yeah, it will scan major open source software, and yeah, the database will be public (?), but the tools from the grant money are still proprietary.

    I thought only China had a "guanxi" problem?

  14. Re:Err wait a second. by kfg · · Score: 4, Insightful

    Where's the conspiracy here?

    Wait for it, wait for it!

    Is it a good thing that DHS is supporting open source?

    They are not supporting open source. They are supporting commercial code which can be applied against open source code.

    The open source developers and their code base are left to go scratch.

    KFG

  15. Re:Err wait a second. by IAAP · · Score: 4, Informative
    FTFA: Programmers working on the Linux operating system, Apache Web server, BIND Internet infrastructure software and Firefox browser, for example, will be able to fix security vulnerabilities flagged by the system before their code becomes part of a released application or operating system.

    And: This could be a boon for open-source security, said Stacey Quandt, an analyst with Aberdeen Group. "The benefit for open source is that it enables it to be up to date with commercial technology innovation," she said.

    Your point FTFA: "Why does the DHS think it is worthwhile to pay for bugs to be found, but has made no provision to pay for them to be fixed?"

    I agree that it's kind of shitty that money isn't going to OSS. Then again, they're getting free security checking that can be applied and distributed for free. Hopefully, someone in Gov. will see the light and spend some money on OSS to have the security holes fixed. Donations to the OSS organizations affected by the screening?

  16. Potential Funding for Twelve Steps in TrustABLE IT! by NZheretic · · Score: 2, Insightful
    See Twelve Step TrustABLE IT : VLSBs in VDNZs From TBA.

    Stanford is also the home of the Meta-level Compilation (MC) project, a useful auditing tool for trusted build agents.

    Now that Microsoft is getting into the signature- and behaviour-based antivirus industry, maybe Symantec could turn its pattern matching technology to checking source code instead of binaries.

  17. And why again is Symantec trustworthy ? by CaptainZapp · · Score: 5, Interesting
    Being one of the companies not detecting the infamous Sony rootkit I'd be really interested to know why Symantec should be trusted for anything security related.

    As far as it concerns me, I deeply distrust all "security companies" since this little incident.

    --
    ich bin der musikant

    mit taschenrechner in der hand

    kraftwerk

    1. Re:And why again is Symantec trustworthy ? by catahoula10 · · Score: 2, Interesting

      Not only did they miss the root-kit:

      "Symantec has admitted its flagship consumer security application, Norton AntiVirus 2005, has a security vulnerability that allows certain types of malicious script to infect a user's personal computer with a virus."

      http://www.zdnet.com.au/news/security/0,2000061744,39165825,00.htm



      --
      This has been another valuable and informative opinion from:
      Catahoula!
  18. Wow... but is it right? by MyNameIsFred · · Score: 2, Insightful
    You mean a whole 1.24 million dollars. Talk about pushing the budget
    Your snide comment misses the point. What was the scope of work proposed? Does 1.24 million support the work they intend to do? Saying they should spend more without a reason is dumb.
    1. Re:Wow... but is it right? by Frank+T.+Lofaro+Jr. · · Score: 2, Funny

      Does 1.24 million support the work they intend to do? Saying they should spend more without a reason is dumb.

      You'll never make it in politics with THAT attitude. :)

      --
      Just because it CAN be done, doesn't mean it should!
  19. FUD reporters will have a field day by houghi · · Score: 2, Insightful

    I can just see the article they will write:

    The unsafe Linux, which we reported on before, is nearing its end. In a last struggle to survive, the Heimat Security steps in, because the Linux community is unable to solve the security leaks themselves. The testing will be done by Symantec with closed source so as to guarantee the quality that open source itself is unable to give.

    This was a broadcast from the Heimat Security Newspaper-approved press.
    Keep our nation free by supporting the companies that will fight for your real freedom. The freedom to consume.


    (Go on. Mod me down. I have Karma to burn.)

    --
    Don't fight for your country, if your country does not fight for you.
  20. Oxymorons by delire · · Score: 2, Insightful


    The last thing Symantec can afford is the proliferation of secure operating systems.

    They'd do better offering money to Linux/*BSD kernel development or the Mozilla Foundation (for instance).

  21. Open source by catahoula10 · · Score: 2, Insightful

    It seems logical to me that if Symantec wants to be involved with "Open Source" they should become open source first.

    Then maybe the open source community can help them with some of their problems, like this one:

    "Symantec has admitted its flagship consumer security application, Norton AntiVirus 2005, has a security vulnerability that allows certain types of malicious script to infect a user's personal computer with a virus."

    http://www.zdnet.com.au/news/security/0,2000061744,39165825,00.htm

    --
    This has been another valuable and informative opinion from:
    Catahoula!
  22. Want to Improve OSS Security? by Greyfox · · Score: 5, Insightful
    Start up the old auditing program again. Source code auditing is boring work, but another set of eyes going over the code with security in mind really does help a lot. Just go down every function in the C library and work your way out to common daemons and system utilities that usually run setuid. Maybe spend some quality time with common tools that access the internet like firefox, email clients, etc. Just read each function looking for buffer overflows and other ways it might be compromised, document what you find, write a test to try to crash it, submit patches to the original authors and publish your findings and tests on the web somewhere. That leaves you with a full set of security regression tests for every product you look at.

    A team of 4-5 people could probably finish off the C standard library in a matter of months and make good progress on the more common daemons that are often run on Linux systems (Bind, apache, the various mail servers, etc) in the span of a year. The money DHS is spending on this would be more than enough to hire a team that size for a year to work on that.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
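Two things the thread asks for, as an added example in C that is not from the post above or from any of the projects it names: the sort of finding, patch and regression test that the audit described above would produce (a strcpy into a fixed stack buffer beside its bounded replacement), and the crude "instant feedback" source scanner that the "Source code analysis tools" comment imagines. The function names, the 32-byte limit and the sample source lines are all made up for illustration.

```c
/* Added example (not from the post or any project it names): the kind of
 * finding, patch and regression test a C audit produces, plus a crude
 * "analysis tool" pass. Names, sizes and sample source are invented. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 32

/* BEFORE: the pattern an auditor flags on sight. strcpy() copies until
 * the NUL, so any name of 32 bytes or more overruns buf on the stack. */
int greet_unsafe(const char *name)
{
    char buf[NAME_MAX_LEN];
    strcpy(buf, name);              /* no length check at all */
    return (int)strlen(buf);
}

/* AFTER: the patch an auditor would submit. The bound is explicit and
 * oversized input is rejected rather than silently truncated; -1 is
 * returned so the caller cannot ignore it. memchr() is used instead of
 * strlen() so the check itself never reads past NAME_MAX_LEN bytes. */
int greet_safe(const char *name)
{
    char buf[NAME_MAX_LEN];
    const char *nul = memchr(name, '\0', NAME_MAX_LEN);
    if (nul == NULL)
        return -1;                  /* no terminator within the bound */
    size_t n = (size_t)(nul - name);
    memcpy(buf, name, n + 1);       /* n + 1 <= NAME_MAX_LEN here */
    return (int)strlen(buf);
}

/* The regression test that ships with the patch: builds an over-long
 * name and checks that the fixed function refuses it while normal input
 * still works. Returns 1 on pass, 0 on fail. */
int regression_overlong_name(void)
{
    char evil[NAME_MAX_LEN * 4];
    memset(evil, 'A', sizeof evil - 1);
    evil[sizeof evil - 1] = '\0';
    if (greet_safe("bob") != 3)
        return 0;
    if (greet_safe(evil) != -1)
        return 0;
    return 1;
}

/* A deliberately crude "source code analysis" pass: count calls to a few
 * classic unbounded string functions in a source buffer. Real tools parse
 * the code and track lengths; this is only a grep, and it would also hit
 * fgets( because that contains gets(, a false positive a real tool must
 * avoid. */
static const char *const risky[] = { "strcpy(", "strcat(", "gets(", "sprintf(" };

int count_risky_calls(const char *src)
{
    int hits = 0;
    for (size_t i = 0; i < sizeof risky / sizeof risky[0]; i++) {
        size_t len = strlen(risky[i]);
        const char *p = src;
        while ((p = strstr(p, risky[i])) != NULL) {
            hits++;
            p += len;
        }
    }
    return hits;
}

/* Constructed sample source, not from any real program. Two risky calls
 * (strcpy and gets); snprintf is not matched because "sprintf(" does not
 * occur inside "snprintf(". */
static const char sample_src[] =
    "    strcpy(buf, name);\n"
    "    snprintf(out, sizeof out, \"%s\", name);\n"
    "    gets(line);\n";

int main(void)
{
    printf("regression test: %s\n", regression_overlong_name() ? "pass" : "FAIL");
    printf("risky calls in sample: %d\n", count_risky_calls(sample_src));
    return 0;
}
```

Build with any C99 compiler (e.g. gcc -Wall -o audit audit.c). The grep-style pass is only a starting point: checkers of the kind the article is about reason about buffer sizes across function boundaries rather than matching function names, which is what lets them catch the greet_unsafe case without a human reading every function.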

  23. Re:OpenBSD by vmalloc_ · · Score: 3, Insightful

    Amen, man. Here's a DHS security initiative that would have cost nothing: Switch to OpenBSD if security is a concern, and check periodically for security advisories.

    This spending is just more pork barrel crap that will probably not accomplish anything and will just get pocketed by somebody. Security doesn't just get fixed with a couple million bucks and a year of coding, it's an ongoing long term process, and the #1 problem with security today is lack of education and/or indifference on security issues, NOT a lack of pork barrel spending.

  24. revisionism by Anonymous Coward · · Score: 2, Informative

    I didn't even get past your *first point* before noticing a glaringly obvious lie of omission.

    "1979
    November 4
    Iranian radicals seize the US Embassy in Tehran, taking sixty-six American diplomats hostage. The crisis continues until 20 January 1981 when the hostages are released by diplomatic means."

    You seem to have left out a little bogus prior art by the US/UK axis of maximum profits. Intentional? I would guess yes due to your taking the time to write or copy such a long piece.

      I will give a very short Cliff's Notes reply now.

        Iran had a democratically elected leader who wanted more of the oil profits to benefit Iran's people. whoops! This didn't fly with the oil goons, so they organized a coup complete with terrorist bombings and assassinations and had the Shah of Iran imposed on the people there. Eventually, his police state apparatus (SAVAK, no different from any other organized group of torturers) got to be too much for the bulk of the folks in Iran, basically all the same stuff Saddam was accused of lately, making it easy for Islamic fundies to organize resistance. Extremely easy really. The Shah gets sick and has to leave the nation to go get treatment, by that time the Ayatollah Khomeini was able to just walk in and take over. They seized those embassies looking for evidence of crimes against Iran by the Shah and US intel agencies, and despite frantic shredding efforts by the US personnel, were able to carefully piece together shredded documents to *completely* prove their point to the international community. They had every right to do so, the US/UK oil and arms folks had openly declared war against the Iranian people with their installation of the Shah. In the meantime, over the next several months, US elections were getting ready, Carter tried a hostage rescue attempt but it failed due to technical reasons with the planes and helicopters and some bad luck due to weather and sandstorms, etc. The Republicans in the background were shipping arms around the world and smuggling cocaine to fund the projects. They had a secret initiative directly to the "bad guy" mullahs and supplied them with replacement parts and additional arms, in exchange for them delaying release of the US hostages until AFTER the election, helping to ensure a Reagan win, and pappy Bush, CIA honcho at the time, was in this up to his eyeballs. Then Reagan gets in with pappy as VP (after more shenanigans at the convention to get pappy the VP nod, another story there on massive corruption and threats), then later he becomes prez. Oh ya, before that, a brainwashed young friend of the shrub crime family tried to whack Reagan when he was getting too uppity.

    And so on.

    I'll give you an A for effort on rearranging history to try and prove a point, but a D for content and an F for intentionally misleading people. I could go right down the list and point out quite a few instances of revisionism and omission in your historical review of events and who "the bad guys" are. The US and UK combined corporate/intel/governmental goons have completely bloody and evil hands; it's not just all these other people deciding to attack western interests completely unprovoked. The number of dictators installed and supported by these places' intel agencies is in the dozens in the last century, and their victims are in the MILLIONS.

    You can fool some of the people, but a lot of us have been covering this / researching this for decades and are completely hip to your FUD and disinformation campaigns.

  25. OSS bug reports and bug fixing by Frank+T.+Lofaro+Jr. · · Score: 2, Insightful

    (I hope this post isn't moderated as flamebait. I love Open Source Software, but there are serious problems in our community which need to be addressed. I am not an outsider attacking OSS to destroy, but a community member pointing out shortcomings to help preserve and improve it.)

    Do most Open Source projects even do anything with bug reports?

    Other than:

    1. Ignore them.
    2. Claim they are not bugs, but features.
    3. Claim they are valid "design decisions".
    4. Say they'll get around to fixing bugs when they are done adding features - e.g. they'll fix the root exploit to the FTP daemon after they add a 3D Open GL interface to it.
    5. Say it won't be fixed. Bugzilla has a "WONTFIX" status which is used quite often.
    6. Fix the bugs by wholesale destruction and replacement of whole sections of code, or even the whole code base - now you got all new bugs!
    7. Claim the bug is in another piece of software or hardware and their code is just the unfortunate victim.
    8. Blame software patents, George Bush, Hurricane Katrina, Microsoft, little green men/women from Mars, sunspots, quantum time fluctuations or anything else for why they can't or won't fix it.

    --
    Just because it CAN be done, doesn't mean it should!