Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Homeland Security to Support Open Source

Posted by ScuttleMonkey on from the read-the-grant-carefully dept.

An anonymous reader writes "CNET is reporting that the US Department of Homeland Security is extending its support to open source software. The DHS will be giving Stanford University, Coverity, and Symantec a $1.24 million grant to improve the security of open source software. From the article: 'The Homeland Security Department grant will be paid over a three-year period, with $841,276 going to Stanford, $297,000 to Coverity and $100,000 to Symantec, according to San Francisco-based technology provider Coverity, which plans to announce the award publicly on Wednesday.' It's nice that our tax dollars are being used for the right stuff."

18 of 186 comments (clear)

  1. Symantec? by Anonymous Coward · · Score: 5, Insightful

    Symantec? Open source?? Where?!

    1. Re:Symantec? by killmenow · · Score: 4, Insightful
      I'll add to this...
      The DHS will be giving Stanford University, Coverity, and Symantec a $1.24 million grant to improve the security of open source software.
      I fail to see how giving Symantec money will improve the security of anything unless we're talking about securities...as in Symantec stock. Once upon a time the name Norton prepended was a good sign. I am not trying to troll or incite flames, but I find Symantec (and McAfee for that matter) sorely wanting these days. I would be leery of running anything with their name attached to it on one of my boxes.

      At least they only get $100,000 and the bulk goes to Standford.
    2. Re:Symantec? by KiloByte · · Score: 4, Interesting

      Don't underestimate Symantec's relations with Open Source.

      They are big. They are strong. They are all negative.

      Symantec is known for its FUD campaigns in order to hawk their anti-virus software. They do everything they can to fool people into believing that viruses are as prevalent in the rest of the world as they are in Windows.

      Thus, I believe that a dollar given to Symantec is worse than a dollar ripped apart.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:Symantec? by $rtbl_this · · Score: 4, Interesting

      They are all negative.

      Not all of them. We use Symantec's IDS and AV/anti-spam appliances, both of which are just i386 linux boxes with some proprietary software and a candy-coated front-end. Just because their marketing folk badmouth open source software doesn't mean that their technical staff don't see the advantages.

      --
      "Are you being weird, or sarcastic?" said Emma. I said I didn't know because I get the two feelings mixed up.
  2. BIND by ehaggis · · Score: 4, Interesting

    I would like to see the fork BIND takes under DHS. Out the applications listed, BIND must be the most formidable for securing and utilizing in a secure enviroment. This could be a boon for the overall reliability of the internet.

    --
    One ring to bind them - should probably have more fiber and less rings in their diet.
    1. Re:BIND by gormanly · · Score: 4, Funny

      And you trust the DHS to map domain names to IP addresses better than they do with city names and geography ?

  3. Good Start by Artie+Dent · · Score: 5, Interesting

    "The money is going to provide them with things they need to fix the bugs, which is bug reports. That is a lot better than they have now, which is nothing," While a agree with Engler's comment here, I also have to wonder, without proper funding to fix these bugs, what good will it do? And if a list of bugs and exploits comes out on well used Open Source Software, without the means to fix them, and these lists are leaked, it could create havoc.

  4. Source code analysis tools by grimJester · · Score: 5, Interesting

    The real story seems to be that the money is granted to develop and test source code analysis tools, with Stanford doing development and Symantec testing. Seems like a potentially good way to catch human errors in coding. Instant feedback for the sloppy coder would be nice.

  5. Wow. by Capt+James+McCarthy · · Score: 4, Funny

    You mean a whole 1.24 million dollars. Talk about pushing the budget.

    --
    There are no loopholes. It's either legal or it's not.
  6. Not necessarily so... by meringuoid · · Score: 4, Informative
    I understand that most open source is written by people who care and are either college students or white collar workers who have time either at work (employer consenting), or at home if they have little family life.

    Most open source, in terms of sheer number of projects or lines of code? Probably. But in terms of usage?

    The major open-source projects have got corporate backing now. Linux, for instance? Lots of work being done on that by IBM, in addition to the employees of the likes of Red Hat or SuSE. Similarly, I believe AOL has been backing Mozilla lately, and the number of old-skool Unix utilities that contain copyrights of the University of California is enormous - after all, they wrote BSD.

    It's not just anarchist hackers now. Open source has gone commercial in a really big way.

    --
    Real Daleks don't climb stairs - they level the building.
  7. Why "Flamebait"? by IAAP · · Score: 4, Informative
    We've all have heard about the wasteful spending by states and municipalites regarding the spending of money thrust upon them by Homeland Security. It's a matter that concerns both sides - a little. Homeland Security has become yet another avenue for pork barrel spending, and as a result, states are getting money that may not help the fight on terrorism. Senate

    At least the department of homaland security isn't wasteing all of thier money.

    I agree. This will promote OSS and help reduce the costs of our Government. So what's the problem with what the parent said?

  8. Wait... Symantec? by ettlz · · Score: 4, Funny

    They have coders working for them now?!

  9. OSS what does it mean? by Elixon · · Score: 4, Interesting

    OSS? What is it? Does it mean that Symantec will produce/improve OSS software and all related patents that will be registered (thanks to your taxes) will be released to public too?

    Or is it that you sponsor OSS but proprietary software and further patnet vault of privately held corporations?

    Is it good to "sponsor" privately held company in the field where it figths with conmpetition?

    --
    Well, I've got to get back to work. When I stop rowing, the slave ship just goes in circles.
  10. Looks like someone has a well-placed friend by 2Bits · · Score: 4, Insightful

    Ok, so this is a grant. Does it mean that any software developed as a result of this grant will be open-sourced, and publicly available to all, free of charge? If not (and everything indicates that it won't be), I'd say, someone has a well-placed friend and got free money to develop their own proprietary software. Yeah, it will scan major open source softwares, and yeah, the database will be public (?), but then the tools from the grant money are still proprietary.

    I thought only China has "guanxi" problem?

  11. Re:Err wait a second. by kfg · · Score: 4, Insightful

    Where's the conspiracy here?

    Wait for it, wait for it!

    Is it a good thing that DHS is supporting open source?

    They are not supporting open source. They are supporting commercial code which can be applied against open source code.

    The open soure developers and their code base are left to go scratch.

    KFG

  12. Re:Err wait a second. by IAAP · · Score: 4, Informative
    FTFA: Programmers working on the Linux operating system, Apache Web server, BIND Internet infrastructure software and Firefox browser, for example, will be able to fix security vulnerabilities flagged by the system before their code becomes part of a released application or operating system.

    And: This could be a boon for open-source security, said Stacey Quandt, an analyst with Aberdeen Group. "The benefit for open source is that it enables it to be up to date with commercial technology innovation," she said.

    Your point FTFA"Why does the DHS think it is worthwhile to pay for bugs to be found, but has made no provision to pay for them to be fixed?"

    I agree that it's kind of shitty that money isn't going to OSS. Then again, they're getting free security checking that'll can be applied and distributed for free. Hopefully, someone in Gov. will see the light and spend some money on OSS to have the security holes fixed. Donations to th OSS organizations affected by the screening?

  13. And why again is Symantec trustworthy ? by CaptainZapp · · Score: 5, Interesting
    Being one of the companies not detecting the infamous Sony rootkit I'd be really interested to know why Symantec should be trusted for anything security related.

    As far it concerns me I deeply distrust all "security companies" since this little incident.

    --
    ich bin der musikant

    mit taschenrechner in der hand

    kraftwerk

  14. Want to Improve OSS Security? by Greyfox · · Score: 5, Insightful
    Start up the old auditing program again. Source code auditing is boring work, but another set of eyes going over the code with security in mind really does help a lot. Just go down every function in the C library and work your way out to common daemons and system utilities that usually run setuid. Maybe spend some quality time with common tools that access the internet like firefox, email clients, etc. Just read each function looking for buffer overflows and other ways it might be compromised, document what you find, write a test to try to crash it, submit patches to the original authors and publish your findings and tests on the web somewhere. That leaves you with a full set of security regression tests for every product you look at.

    A team of 4-5 people could probably finish off the C standard library in a matter of months and make good progress on the more common daemons that are often run on Linux systems (Bind, apache, the various mail servers, etc) in the span of a year. The money DHS is spending on this would be more than enough to hire a team that size for a year to work on that.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?