Slashdot Mirror


EU To Give Free Security Audits To Apache HTTP Server and Keepass (softpedia.com)

An anonymous reader writes: The European Commission announced on Wednesday that its IT engineers would provide a free security audit for the Apache HTTP Server and KeePass projects. The two projects were selected following a public survey that included several open-source projects deemed important for both the EU agencies and the wide public.

The actual security audit will be carried out by employees of the IT departments at the European Commission and the European Parliament. This is only a test pilot program that's funded until the end of the year, but the EU said it would be looking for funding to continue it past its expiration date in December 2016.

67 comments

  1. Nothing is free by Anonymous Coward · · Score: 3, Insightful

    EU to give taxpayer funded security audits.

    1. Re:Nothing is free by drnb · · Score: 0

      EU to give taxpayer funded security audits.

      EU to expand its department/fiefdom.

    2. Re:Nothing is free by Anonymous Coward · · Score: 5, Funny

      I get free hourly security audits of my servers from the Chinese and Russian governments.

    3. Re: Nothing is free by Anonymous Coward · · Score: 0

      Exactly!

    4. Re:Nothing is free by Anonymous Coward · · Score: 1

      Indeed, how dare they do that. Next thing you are going to tell me is that [insert government entity] is going to give taxpayer funded graded and paved surfaces suitable for vehicular traffic. MADNESS!!!

    5. Re:Nothing is free by Anonymous Coward · · Score: 4, Insightful

      The EU has to rely on Keepass and Apache for their IT infrastructure. They should be doing these audits anyway. The only news is that the EU taxpayers get back the results to the people paying for them whilst other governments give them for free on to their corporate buddies to sell back to the taxpayers with margin.

    6. Re:Nothing is free by Anonymous Coward · · Score: 0

      Are taxes being increased due to the audit or something?

    7. Re:Nothing is free by drnb · · Score: 3, Insightful

      The EU has to rely on Keepass and Apache for their IT infrastructure. They should be doing these audits anyway. The only news is that the EU taxpayers get back the results to the people paying for them whilst other governments give them for free on to their corporate buddies to sell back to the taxpayers with margin.

      And if the EU simply funded EU University security researchers to do the audit that would not benefit EU citizens? Benefit EU citizens in more ways than simply having the audit performed? This is merely about growing staff and fiefdom, typical bureaucracy.

    8. Re:Nothing is free by golodh · · Score: 2
      @Anonymous Coward

      EU to give taxpayer funded security audits.

      So?

      Sounds like money well spent to me.

    9. Re:Nothing is free by Anonymous Coward · · Score: 0

      Normally you would be right, money well spent. Except that the real concern lies in the hardware, and there is nothing we can do about it.

    10. Re:Nothing is free by Maritz · · Score: 1

      Pretty much every other governance out there uses taxpayer money to undermine private citizens' security, rather than bolster it.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.

    11. Re:Nothing is free by Morris+von+Habsburg · · Score: 1

      The EU is not performing the audit themselves, they are funding the audit performed by a reputable organisation. My bet is that FOX-IT will get the job.

    12. Re:Nothing is free by Anonymous Coward · · Score: 0

      Universities are bureaucratic as hell and the public insight to them is even worse than that into EU.
      I don't see why your suggestion would make things any better than the union having a department in charge of auditing any software they might want to use and releasing the findings to the taxpayers.

  2. KeepAss? by roman_mir · · Score: 1

    I used to use Apache server years ago, now I prefer nginx. But what is this KeepAss thing?

    1. Re:KeepAss? by aliquis · · Score: 2

      An open-source password manager (and generator I believe?)
      http://keepass.info/

      For lots of OSes: http://keepass.info/download.h...
      With lots of plugins: http://keepass.info/plugins.ht...

    2. Re: KeepAss? by Anonymous Coward · · Score: 0

      It means you will get lots and lots of round booty ass, and you can use your plugins with it too, for free.

    3. Re:KeepAss? by dgatwood · · Score: 0

      That's what I was wondering. It sounds like BitLocker for porn—a special app that lets you use a gesture and a password to decrypt hidden layers in your filesystem with all the stuff you don't want your significant other to see....

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    4. Re:KeepAss? by Anonymous Coward · · Score: 0

      That's what happens when you omit the second 'p' in 'keepass'

    5. Re: KeepAss? by Anonymous Coward · · Score: 0

      It's not cross platform in any meaningful way. The mono version is horrible. The move to 2.x led me to move to Keepass/X, the lack of 2.x support in the alternatives means 2.x is IMHO a Windows only project.

    6. Re: KeepAss? by AutodidactLabrat · · Score: 1

      Except I am actually running the Mono version on my two Linux boxes and it works fine, cross-syncs with my Windows machines and keeps on trucking.
      Are you sure you've tried it?

    7. Re: KeepAss? by grim4593 · · Score: 1

      I agree. It works well in Linux, Windows, and there is even an Android app that is compatible.

    8. Re: KeepAss? by piojo · · Score: 1

      It's not cross platform in any meaningful way.

      If you're on Android, Keepass2Android is fantastic. More secure and a better UI than the other Keepass app I tried.

      --
      A cat can't teach a dog to bark.

  3. IT of Commission and Parliament, not University? by drnb · · Score: 2

    The actual security audit will be carried out by employees of the IT departments at the European Commission and the European Parliament

    Damn, they are quite desperate to *seem* to be doing something useful. But yet again the bureaucrats think themselves the solution, to want to grow their departments and "fiefdoms", NOT! If they wanted to do something useful the European Commission would fund some top ranked Universities within the EU to do the audit.

  4. Re:IT of Commission and Parliament, not University by bhcompy · · Score: 1

    Public IT is definitely who should not be responsible for this kind of testing

  5. Re:IT of Commission and Parliament, not University by drnb · · Score: 3, Insightful

    Public IT is definitely who should not be responsible for this kind of testing

    Absolutely, private IT should do it, in particular Hillary's private IT. After all there is no evidence they were ever hacked. :-)

  6. Quit the bashing by lbalbalba · · Score: 5, Interesting

    Hey, I'm a European, and I welcome this. Apache is widely used, and its security is for the common good. At the very least, this is a step in the right direction. The only downside I can think of is that Apache is already heavily scrutinized by both static analyzers and 'real human being' audits, so this particular choice may be of limited use. Still, a major step forward in my opinion.

    1. Re:Quit the bashing by Anonymous Coward · · Score: 0

      You do understand that government IT groups outside of the NSA/SS types of groups are poorly funded and offer some of the worst pay in the industry and are generally inferior to private security companies, don't you? It's a waste of tax money. Just take the money that you would pay the government code monkeys and hire a real security agency to test your security.

    2. Re:Quit the bashing by Anonymous Coward · · Score: 2, Insightful

      I'm an American, and I too think this is fantastic. OpenSSL has shown us that lax security in open source projects can have widespread disastrous consequences. I also use and love KeePass. Bring on the audits!

    3. Re:Quit the bashing by Anonymous Coward · · Score: 0

      It COULD be a complete waste, but it could also be used to hire and/or grow the talent needed for this, which I think might be a more useful investment than the audit itself.

    4. Re:Quit the bashing by Anonymous Coward · · Score: 0

      I'd say the thing that took OpenSSL down was featuritis (how many new features does an SSL library really need?)

      When the money they get is directed more towards visible stuff such as new features and not that much at security [citation needed], that's the likely end result.

    5. Re:Quit the bashing by l0n3s0m3phr34k · · Score: 1

      That should make their job easier. Having a list of known vulnerabilities is a decent start. Hopefully they're not just going to run Retina, print out a report, and call it done.

  7. Re:IT of Commission and Parliament, not University by gweihir · · Score: 2

    I agree. While they might find something, they will not have the skills to come up with a good final verdict and recommendations. Really good IT Security people (needed for this) will not work for a government bureaucracy in the first place, far too boring.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  8. Re:IT of Commission and Parliament, not University by Anonymous Coward · · Score: 0

    They are responsible for their own systems, so why not tender out a security inspection service contract, or buy it from their own service suppliers as an extra? If the job is below 200000EUR they have a lot of options how to do it. A secure vehicle for a commissioner will cost more than that, so why not secure the critical points of the office at lower cost as well?

  9. Re:IT of Commission and Parliament, not University by bhcompy · · Score: 1

    There are professional organizations that handle this kind of testing as their bread and butter. The IT depts of the Commission and Parliament are not ones that inspired much confidence in their ability to provide robust security audits.

  10. As if every government on the planet... by Anonymous Coward · · Score: 0

    Is there a government on the planet that hasn't already audited Apache multiple times?

    If there were any real holes left there would be a LOT more breakins everywhere around the world than we see now.

    Something else is going on here.

    1. Re:As if every government on the planet... by sumdumass · · Score: 1, Insightful

      They want to certify it as safe and secure then tell England that they cannot use this validation because they left the EU. Instead England will have to use the version that is identical but not as safe because it won't have the stamp on the box.

      Seriously though. It sounds like maybe they are trying to look important and beneficial to remaining members to avoid another exit push gaining momentum.

    2. Re:As if every government on the planet... by dave420 · · Score: 1

      There is absolutely no evidence supporting your claims. It is far more likely they are just trying to audit some important, widely-used open source software. It has nothing to do with posturing, Britain, or other EU members.

    3. Re:As if every government on the planet... by Anonymous Coward · · Score: 1

      Seriously though. It sounds like maybe they are trying to look important and beneficial to remaining members to avoid another exit push gaining momentum.

      Are you sure?
      To me it sounds like someone thought that maybe they should check if the software they are using is secure and that a lot of people agreed.
      They then thought that it would be a good idea to have the competence to check this in-house so that they don't rely on outside sources that may or may not be compromised.

  11. Re:IT of Commission and Parliament, not University by Anonymous Coward · · Score: 2, Insightful

    Absolutely, private IT should do it, in particular Hillary's private IT. After all there is no evidence they were ever hacked.

    I hacked her server. I know, it's hard to believe, right?
    But here's the proof:

    I found an email that said, "I let Benghazi happen because I hated them. Let them die."
    Then another one, "Top security? I personally mail these things to Putin, I'm such an evil person."
    Then another one, "I love Bill."
    Then, "Hey Don, let's get this plan started. I can't lose with you running!" Not sure who Don is, probably Knuth. I heard he was a track star or something.

    There it is. I hacked Hillary's server and gave you the proof. If you don't believe me, it's because you're one of the sheep.

  12. KeePass: Not Tempest Safe by Anonymous Coward · · Score: 0

    Yet another password saver program which is easily defeated by Tempest and many side channel attacks.

    Don't store your passwords on anything which requires electricity. You can talk shit now but you'll thank me later.

    1. Re:KeePass: Not Tempest Safe by AJWM · · Score: 1

      Don't store your passwords on anything which requires electricity.

      I'm way ahead of you. I keep them on a Post-It note cleverly hidden under my keyboard.

      --
      -- Alastair

  13. Re:IT of Commission and Parliament, not University by drnb · · Score: 1

    I think if they find something it will be the low hanging fruit and provide a false sense of security.

  14. This is exactly what is wrong with the EU by Anonymous Coward · · Score: 0

    Public survey is a terrible way to choose projects to audit.
    The people doing the audit aren't experts with a record of success in auditing software projects, they're existing employees of EU bureaucracy IT departments.
    They don't have funding to complete the project.

    They'll have 100 bureaucrats surfing porn all day on 200k EUR tax free salaries, they won't deliver anything because funding ran out, and there will be no accountability, either for the porn surfers, or the people who commissioned the project in the first place.

  15. A better title for the story by Anonymous Coward · · Score: 0

    Political body to use existing employees with no expertise or track record of auditing software, to perform a partial audit of two projects chosen at random (by public ballot), because there's not enough money for a full audit.

    1. Re:A better title for the story by lucm · · Score: 1

      Maybe they just want to show that they don't need the UK to do computer things. After all, they still have the SAP country, the Ubisoft country, and the non-Asian cheap IT labor countries.

      --
      lucm, indeed.

    2. Re:A better title for the story by Anonymous Coward · · Score: 0

      It's too long... maximum 100 characters

  16. Re:IT of Commission and Parliament, not University by ShanghaiBill · · Score: 0

    The IT depts of the Commission and Parliament are not ones that inspired much confidence in their ability to provide robust security audits.

    It is not just about competence, but also conflict of interest. We need robust security to protect us from governments. It is foolish to trust those same governments to verify the security they are trying to circumvent.

  17. Re: IT of Commission and Parliament, not Universit by Carewolf · · Score: 1

    Remember working for an EU institution is not just well paid but tax free as well, and sometimes even a diplomatic status. They might need to hire but they rarely have trouble getting talent.

  18. Why not... by jopsen · · Score: 1

    Public IT is definitely who should not be responsible for this kind of testing

    Remember the debate after Heartbleed... We were all asking ourselves how come nobody invested in security auditing for OpenSSL.
    We all took this infrastructure project for granted. For the public sector to invest in some open source infrastructure projects is not a bad idea.

    I'm not suggesting that the public sector review everything, but for the public sector to identify and invest in a few heavily re-used open source projects is not a bad idea. It's like public sector investment in roads and other infrastructure.

  19. Re: IT of Commission and Parliament, not Universit by gweihir · · Score: 1

    In some spaces (and IT security is one of those), you need to offer more than good compensation and benefits to get and retain really good people. You need to offer interesting work and I seriously doubt they can do this.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  20. Re:IT of Commission and Parliament, not University by akozakie · · Score: 2

    Not necessarily, it depends on their goals.

    Looks like they want to keep a strong IT capable of doing effective security audits for them on demand, but the workload is not constant. Projects like this are a great idea. You do something "pro bono", actually useful for you and your society. At the same time you keep the team funded, ready for when you need them more. And, most importantly - you keep them busy doing their actual job, the best form of training there is.

  21. Re: IT of Commission and Parliament, not Universit by Anonymous Coward · · Score: 1

    Sure, it would be a problem if a condition of the auditing was that nobody else was allowed to audit the code. If memory serves, Apache does that open source thing. I also missed the part where the EU will be given permission to commit code without any review. I guarantee you that any incidents of polonium poisoning or multiple bullet wounds that occur among Apache project staff will not be due to natural causes.

  22. translation.. by Anonymous Coward · · Score: 0

    EU officials are going to verify whether Apache and KeePass still have the exploits in them that they're expecting and none that they aren't.

  23. Re:IT of Commission and Parliament, not University by drnb · · Score: 1

    Looks like they want to keep a strong IT capable of doing effective security audits for them on demand, but the workload is not constant.

    And University researchers are unavailable, unwilling to answer the occasional call?

    You do something "pro bono", actually useful for you and your society.

    Supporting your EU universities and sponsoring research for professors and students does not benefit society?

    At the same time you keep the team funded, ready for when you need them more.

    So the internal team is bloated and short on work, but the department/fiefdom must be preserved?

    And, most importantly - you keep them busy doing their actual job, the best form of training there is.

    What makes you think any of this is related to the IT staff's day-to-day work, is within the staff's field of expertise, etc? The person who connects the EUMP's printer to the wifi network may not be the best capable person to analyze malware. All IT jobs/tasks are not equivalent.

    "Have you tried turning it off and then back on again?" ;-)

  24. Re:IT of Commission and Parliament, not University by drnb · · Score: 1

    ... analyze malware ...

    "analyze malware and their software's vulnerability and exploitability to it" I should have written.

  25. Re:IT of Commission and Parliament, not University by GuB-42 · · Score: 1

    If they wanted to do something useful the European Commission would fund some top ranked Universities within the EU to do the audit.

    And why do you think it is better? You don't think the assigned IT department employees are competent?
    Universities may not be better at this job. It is not research, it is an audit. An audit is a tedious process where you check that the security best practices are followed, that the code follows some standards, that only safe crypto is used, etc... The goal is not to find new ways to attack the code, rather it is to make sure that the code isn't vulnerable to existing attacks.

    A university can tell you that the lock you are using and that everyone thought was unbreakable may be cracked in 2 years. An auditor will tell you that the window is open.

  26. Re:IT of Commission and Parliament, not University by drnb · · Score: 1

    If they wanted to do something useful the European Commission would fund some top ranked Universities within the EU to do the audit.

    And why do you think it is better? You don't think the assigned IT department employees are competent? Universities may not be better at this job. It is not research, it is an audit. An audit is a tedious process where you check that the security best practices are followed, that the code follows some standards, that only safe crypto is used, etc

    Do you know what research is? It is often a tedious process of going through lots of information to check all the details and to spot errors/inconsistencies/surprises.

    The goal is not to find new ways to attack the code, rather it is to make sure that the code isn't vulnerable to existing attacks. A university can tell you that the lock you are using and that everyone thought was unbreakable may be cracked in 2 years. An auditor will tell you that the window is open.

    Speaking as someone who did security research while at the University, you are ill-informed.

  27. Audit won't be done by EU IT departments by Anonymous Coward · · Score: 1

    It has been contracted out to a consultancy (who might sub-contract?), as the Pirate Party MEP who started this project reports: https://juliareda.eu/2016/07/eu-audits-keepass-apache/

    1. Re: Audit won't be done by EU IT departments by Anonymous Coward · · Score: 0

      How do you dare!!?

      Offering facts to get in the way of a bigoted discussion? Where do you think you are?

      Shameless factista!!!

  28. Re:IT of Commission and Parliament, not University by akozakie · · Score: 2

    And University researchers are unavailable, unwilling to answer the occasional call?

    As someone who has worked for many, many years at a European university (part-time) I'm strongly sceptical about the ability of university staff to do this exact kind of work well. Not to mention the grad students, who will likely be assigned the actual work. Also, it hardly seems like something universities should really do.

    By the way, do you have any idea how long this "occasional" call would take? This is the EU, with all the regulations. Weeks to prepare the call. At least a month for the call, preferably at least two. A few months for the review and grant agreement preparation. Typically 8-12 months total. Alternative? Public tender. Also months, but not so many. But how do you make sure you can trust the company? It's the era of globalization; if you want to know whether software from e.g. a US/Russian company is secure (as in some real chance of detecting NSA/FSB modifications), the last thing you want is a European branch of another company with ties there. Difficult to ensure with a public tender.

    Solution? Have your own small but good team that can do this in less time than a tender or call would take.

    Supporting your EU universities and sponsoring research for professors and students does not benefit society?

    Yes it does. So, fund it! Pushing routine work like this on us limits our ability to do new things, which is the essence of "research". And we will take any work that is called "research" and offers money; that's how universities get money after all.

    I've done my share of work which should never have been given to a university. Routine software development, code review, testing, etc. Practically zero publishable results. Plus, universities do not give the same quality and warranty as a software company in this case. Still, this is a growing trend - throwing such tasks into "research programmes". Expected TRL is growing. Instead of building fascinating prototypes and leaving the conversion to product to spin-offs, universities waste time and talent doing routine work themselves (in consortia, to make things worse). But it's too tempting - instead of allocating budget for something, you just call it a research project and fund it from the science budget. Bingo!

    So the internal team is bloated and short on work, but the department/fiefdom must be preserved?

    So firefighters should only be recruited when there actually is an emergency? Some jobs have variable workloads, deal with it. And I would be careful with the word "bloat" not knowing how large the team is. For example, having two or three analysts in an organization of this size is hardly bloat.

    What makes you think any of this is related to the IT staff's day-to-day work, is within the staff's field of expertise, etc? The person who connects the EUMP's printer to the wifi network may not be the best capable person to analyze malware. All IT jobs/tasks are not equivalent.

    What makes you think this would be the same group that runs around installing printers? All IT jobs/tasks are not equivalent. This sort of pro-bono work is exactly a good way of keeping your team of 2-3 security audit guys away from such work and doing exactly what they were hired for. Yes, that team can formally be a part of your "IT services". No, it does not mean they have to be simple support guys with a new task, very much exceeding their competence level.

  29. Re:IT of Commission and Parliament, not University by Anonymous Coward · · Score: 0

    I bet you only say that because you're at a university and have been involved with security research at university.

  30. Which KeePass? by LichtSpektren · · Score: 1

    I use KeePassX, but there's also KeePass 2 and some other forks. Which one exactly will be audited?

    1. Re:Which KeePass? by Anonymous Coward · · Score: 1

      The one at keepass.info.
      If the forks haven't made any major refactoring they should still benefit a lot from this since they can do the diff from the audited version and see if any of the problems found still is present in their code.
      Sure, they can have added new ones, but that is one of the costs of making a fork.

      Personally I don't like the idea of electronic password managers since I feel that too much damage would be done if the manager is compromised.
      I feel that a note next to the computer with a few hints to what the password would be is safer, since anyone getting control over my computer can't get all passwords with a single key sniffer and has to wait until I actually access the page they are interested in.
      If they break into my house and murder me to get the note they will probably not bother and just take my credit card from my wallet instead, but at that point I am not very likely to care.

  31. Re:IT of Commission and Parliament, not University by Anonymous Coward · · Score: 0

    The EU might not be perfect but it is a hell of a lot better than the alternative.

    Sure, Apache or Keepass could pay some private institute to do the auditing, but any malicious government can pay the same institute ten times as much to claim that certain parts of the code are OK.

  32. Re:IT of Commission and Parliament, not University by drnb · · Score: 1

    As someone who has worked for many, many years at a European university (part-time) I'm strongly sceptical about the ability of university staff to do this exact kind of work well. Not to mention the grad students, who will likely be assigned the actual work. Also, it hardly seems like something universities should really do.

    The TrueCrypt audit suggests otherwise; portions were done by professors and grad students. And my experience in grad school long ago suggests otherwise as well. You do realize the occasional grad student actually has an interest in how things work, in poking and proving a system, and considers computer security a good area to do their research in? Some of us actually even had some experience beyond homework assignments.

    Some jobs have variable workloads, deal with it. And I would be careful with the word "bloat" not knowing how large the team is. For example, having two or three analysts in an organization of this size is hardly bloat.

    If they have a security team of such a size I doubt their normal work has any massive downtime. Your suggested pro-bono work is just bureaucratic creep. There are governmental agencies far better qualified to do any such work than the EU Commission and Parliament.