US Homeland Security to Support Open Source

An anonymous reader writes "CNET is reporting that the US Department of Homeland Security is extending its support to open source software. The DHS will be giving Stanford University, Coverity, and Symantec a $1.24 million grant to improve the security of open source software. From the article: 'The Homeland Security Department grant will be paid over a three-year period, with $841,276 going to Stanford, $297,000 to Coverity and $100,000 to Symantec, according to San Francisco-based technology provider Coverity, which plans to announce the award publicly on Wednesday.' It's nice that our tax dollars are being used for the right stuff."

Symantec?

[Anonymous Coward]

Symantec? Open source?? Where?!

Re:Symantec?

[killmenow]

I'll add to this...

The DHS will be giving Stanford University, Coverity, and Symantec a $1.24 million grant to improve the security of open source software.

I fail to see how giving Symantec money will improve the security of anything unless we're talking about securities...as in Symantec stock. Once upon a time the name Norton prepended was a good sign. I am not trying to troll or incite flames, but I find Symantec (and McAfee for that matter) sorely wanting these days. I would be leery of running anything with their name attached to it on one of my boxes.

At least they only get $100,000 and the bulk goes to Standford.

Re:Symantec?

[Zzootnik]

What Occurred to me when I read that is the part about Symantec being a Commercial Software company...They don't release ANYTHING as Open Source, do they?
(If I'm right) Money well spent...Yeah, right-

Re:Symantec?

[Directrix1]

Exactly. The article is also extremely condescending towards open source in general:

The effort will help put open-source development on a par with commercial software efforts, Park said. "The open-source community does not have access to those kinds of tools, so we are trying to correct that to some extent," he said.

Yeah, great. So instead of remedying the problem with a one time contribution to form an open source code checking project they pump even more money into a commercial closed-source product

Re:Symantec?

[BCW2]

Maybe they will use the money to improve the security of Symantec products? I have removed Norton from 3 customer computers this week due to several variants of the virii that specificly attack Norton. There code is as sloppy as M$.

Re:Symantec?

[SatanicPuppy]

And twice as bloated.

Not really sure what Symantec could add to open source...Maybe put some work into an antivirus that works on linux natively, which would be closed source, and cost 65 dollars, and sit on the shelves for a year because no one who runs linux would buy a symantec product to run on it.

Defintely a testament to their marketing department though, that their name is "associated" with security to the degree that the government just randomly gives them grants.

Re:Symantec?

[geminidomino]

Not really sure what Symantec could add to open source...

That's simple.

Make software exclusively for Windows.

Re:Symantec?

[drinkypoo]

Symantec Norton Antivirus is just shit. Completely. What I find most repugnant about it is that even its own internal features that relate to itself don't work. For example, even with the enterprise version, I regularly see it stop updating. You have to reinstall the fucker to get it to work again. And, have you ever manually uninstalled NAV? There's like 300 registry keys, literally. Maybe more. But, instead of supplying a removal tool, they just give you some really sketchy instructions on manual removal.

Symantec and Norton

[sconeu]

Peter Norton should sue Symantec for defamation of character.

Re:Symantec?

[KiloByte]

Don't underestimate Symantec's relations with Open Source.

They are big. They are strong. They are all negative.

Symantec is known for its FUD campaigns in order to hawk their anti-virus software. They do everything they can to fool people into believing that viruses are as prevalent in the rest of the world as they are in Windows.

Thus, I believe that a dollar given to Symantec is worse than a dollar ripped apart.

Re:Symantec?

[$rtbl_this]

They are all negative.

Not all of them. We use Symantec's IDS and AV/anti-spam appliances, both of which are just i386 linux boxes with some proprietary software and a candy-coated front-end. Just because their marketing folk badmouth open source software doesn't mean that their technical staff don't see the advantages.

Re:Symantec?

[burnin1965]

"We use Symantec's IDS and AV/anti-spam appliances, both of which are just i386 linux boxes with some proprietary software"

And therein lies the rub. Since I am paying Symantec with my tax dollars does that mean the results of their work will be open sourced and freely available, or will it be a proprietary product for which I have to pay a second time?

burnin

Re:Symantec?

[rbanffy]

It could be funny to watch.

Either Symantec will report lots of bugs they find and thus help improve the quality of open source or they will do nothing to improve it and, by reporting nothing, they will be stating FOSS is at least as secure as their own products.

Or they could also report lots of false bugs and get discredited by this.

Re:Symantec?

[lanswitch]

would not be surprised that they are costing most companies more money over time then a virus running rampart in their network...
 
Could be true. But I would prefer the occasional problem with the virusscanner (on server or workstation), than one virus running wild over a network without protection.

Re:Symantec?

[ncc74656]

Viruses isn't nearly as common even for Windows as Symantec & co would like us to belive.

My inbox would disagree with you on that...or it would, if I didn't have anti-spam software circular-filing most of the inbound worms.

Re:Symantec?

[budgenator]

Most of the time you just sort of know when something is virus-infected and don't mess with it, or do a manual scan with clamwin. We've never had a virus that wasn't in our guest account for many years using common-sense, a hardware router, adaware/M$ anti-spy and clamwin and regualr updates is all it takes for people with a clue. The clueless are hopeless and no amount of technology will compensate.

Re:Symantec?

[Jason Straight]

Yeah, the last thing I want is my entire linux system bogged down or networking rendered inoperable by symantec wares.

Re:Symantec?

[hritcu]

I just want to welcome our new open source security overlord...! Wait? What? Symantec you say? Welcome our new ... mu ha ha ha ... mu ha ha ha ...

Re:Symantec?

[Breakfast Pants]

"It's nice that our tax dollars are being used for the right stuff."
 
Our dollars are perhaps being used for better purposes than usual (paying college buddy contractors for needless work (though actually.. don't rule that out here)), but it definitely isn't "the right stuff." Maybe I'm too much of a staunch libertarian.

BIND

[ehaggis]

I would like to see the fork BIND takes under DHS. Out the applications listed, BIND must be the most formidable for securing and utilizing in a secure enviroment. This could be a boon for the overall reliability of the internet.

Re:BIND

[gormanly]

And you trust the DHS to map domain names to IP addresses better than they do with city names and geography [0xdeadbeef.com] ?

Re:BIND

[bill_mcgonigle]

BIND is infamous for having security problems in both the server code and client libraries.

You're thinking of Bind 8. Stop using that. Bind 9 is pretty good, though obviously not perfect as it's written in C and on the network. The only remote exploit against Bind 9 has been via the OpenSSL library.

Why do people continue to use BIND instead of alternatives?

Dynamic DNS, TSIG (or any DNSSEC) and views.

Re:BIND

[51mon]

There have been security issues noted with the DJB DNS code. Mostly he used integers for pointers, which throws up issues on systems where the two aren't identical, not that he is the only C programmer to muddle different integer types.

But DJBs code is very tight, it also implements the bare minimum of the DNS standards, and isn't meaningfully maintained, and he made bizarre comments and requirements on the licence.

So the rest of the us use BIND 9 because it is proper free software, professionally written A

Err wait a second.

[lisany]

Where's the conspiracy here? Is it a good thing that DHS is supporting open source? Boy, I can't wait til the talking heads get ahold of this.

Re:Err wait a second.

[CreepingDeath]

I'd like to know what Symantec has to do with open source, though. Maybe its just pity money since their software sucks.

Re:Err wait a second.

[Inaffect]

I'd like to know what Symantec has to do with open source, though. Maybe its just pity money since their software sucks.

They're going to make our computers open source when somebody in the govt writes Magic Lantern 2.
http://slashdot.org/yro/01/11/28/173201.shtml [slashdot.org]

Re:Err wait a second.

[doctormetal]

I'd like to know what Symantec has to do with open source, though. Maybe its just pity money since their software sucks.

Maybe they are paid to stop creating software. That will improve security ;)

Re:Err wait a second.

[kfg]

Where's the conspiracy here?

Wait for it, wait for it!

Is it a good thing that DHS is supporting open source?

They are not supporting open source. They are supporting commercial code which can be applied against open source code.

The open soure developers and their code base are left to go scratch.

KFG

Re:Err wait a second.

[IAAP]

FTFA: Programmers working on the Linux operating system, Apache Web server, BIND Internet infrastructure software and Firefox browser, for example, will be able to fix security vulnerabilities flagged by the system before their code becomes part of a released application or operating system.

And: This could be a boon for open-source security, said Stacey Quandt, an analyst with Aberdeen Group. "The benefit for open source is that it enables it to be up to date with commercial technology innovation," she said.

Your point FTFA"Why does the DHS think it is worthwhile to pay for bugs to be found, but has made no provision to pay for them to be fixed?"

I agree that it's kind of shitty that money isn't going to OSS. Then again, they're getting free security checking that'll can be applied and distributed for free. Hopefully, someone in Gov. will see the light and spend some money on OSS to have the security holes fixed. Donations to th OSS organizations affected by the screening?

Re:Err wait a second.

[51mon]

The really funny bit is the article talks about expensive source code analysis tools that commercial companies often use...

Well I can assure you from many years walking through the door of software companies, that proper software checks are rarely run in private industry. If you are lucky the programmer will deal with the compiler warnings for a quiet life.

Still it is good someone is looking, wonder what David Wheeler could have done with the money?

Re:Err wait a second.

[Dunbal]

They are supporting commercial code which can be applied against open source code.

      1.2M for a program that scans the codebase for the words "bomb", "terrorism" and "Al Quaeda"...

Re:Err wait a second.

[Kelson]

1.2M for a program that scans the codebase for the words "bomb", "terrorism" and "Al Quaeda"...

Is that before or after the spell check?

Good Start

[Artie Dent]

"The money is going to provide them with things they need to fix the bugs, which is bug reports. That is a lot better than they have now, which is nothing," While a agree with Engler's comment here, I also have to wonder, without proper funding to fix these bugs, what good will it do? And if a list of bugs and exploits comes out on well used Open Source Software, without the means to fix them, and these lists are leaked, it could create havoc.

Re:Good Start

[just_another_sean]

And if a list of bugs and exploits comes out on well used Open Source Software, without the means to fix them, and these lists are leaked, it could create havoc.

I can see your point but I am a big believer in full disclosure. We all know from experience that MS's "Security by obscurity" doesn't work well. If there are bugs in OSS then people will find them, the nature of Open code.

Now IMHO malware writers *do* comb through OSS looking for bugs to exploit. If a bunch of malware writers are finding exploits a

Re:Good Start

[Ironsides]

"The money is going to provide them with things they need to fix the bugs, which is bug reports. That is a lot better than they have now, which is nothing,"

While a agree with Engler's comment here, I also have to wonder, without proper funding to fix these bugs, what good will it do? And if a list of bugs and exploits comes out on well used Open Source Software, without the means to fix them, and these lists are leaked, it could create havoc.

I'd just like to rephrase one thing you ask a little:

witho

Re:Good Start

[TallMatthew]

While a agree with Engler's comment here, I also have to wonder, without proper funding to fix these bugs, what good will it do?

If money fixed bugs, Windows would be rock solid, no?

Pouring funding into Open Source sounds like the road to migration away from Redmond's licensing fees.

OSS bug reports and bug fixing

[Frank T. Lofaro Jr.]

(I hope this post isn't moderated as flamebait. I love Open Source Software, but there are serious problems in our community which need to be addressed. I am not an outsider attacking OSS to destroy, but a community member pointing out shortcomings to help preserve and improve it.)

Do most Open Source projects even do anything with bug reports?

Other than:

1. Ignore them.
2. Claim they are not bugs, but features.
3. Claim they are valid "design decisions".
4. Say they'll get around to fixing bugs when they are do

Re:OSS bug reports and bug fixing

[petermgreen]

5. Say it won't be fixed. Bugzilla has a "WONTFIX" status which is used quite often.
as apposed to propietry vendors who won't even admit it exists in the first place.

one big big problem is its nearly impossible to debug what you can't eaasilly reproduce. i've had 100% cpu bugs that took weeks of real life usage to appear for some users and that we never managed to reproduce under controlled conditions. we added (a LOT) more checking to the code and also moved to a more recent freepascal (freepascal 1.0.x us

Source code analysis tools

[grimJester]

The real story seems to be that the money is granted to develop and test source code analysis tools, with Stanford doing development and Symantec testing. Seems like a potentially good way to catch human errors in coding. Instant feedback for the sloppy coder would be nice.

Buffer overflows are the easy part

[lheal]

I'd love to have array bounds checking and built in to the compiler, so it would complain when I leave a loop unbounded.

But things like race conditions in a multithreaded app, abuse of least privilege, or other runtime errors seem more difficult.

The cynic in me says that it's Symantec doing it, so they'll make a product you have to leave runnning all the time to be "secure". They're just doing the testing part, though. Besides, what would they call it, Symantec Antisecurity?

Re:Source code analysis tools

[taniwha]

but that's what Coverity does for a living - I assume that what's really going on here is that DHS is paying someone to run Coverity over stuff (people who already have access to it at work probably ought to be feeding any spare code that's lying around through it anyway - with your boss's permission of course)

Yeah, more money

[waif69]

I understand that most open source is written by people who care and are either college students or white collar workers who have time either at work (employer consenting), or at home if they have little family life.

But, I think a little squirt of the green will help to encourage those who permit this behaviour of the programmers to feel a little bit better and increase the likelyhood of permitting if not encourage such behaviour in the future.

Not necessarily so...

[meringuoid]

I understand that most open source is written by people who care and are either college students or white collar workers who have time either at work (employer consenting), or at home if they have little family life.

Most open source, in terms of sheer number of projects or lines of code? Probably. But in terms of usage?

The major open-source projects have got corporate backing now. Linux, for instance? Lots of work being done on that by IBM, in addition to the employees of the likes of Red Hat or SuSE. Similarly, I believe AOL has been backing Mozilla lately, and the number of old-skool Unix utilities that contain copyrights of the University of California is enormous - after all, they wrote BSD.

It's not just anarchist hackers now. Open source has gone commercial in a really big way.

Re:Not necessarily so...

[LordLucless]

But they didn't start out that way. Granted, Mozilla started out as on offshoot of netscape, but I think the code has now been pretty much rewriiten. And most people here know about the origins of Linux - IBM definately hasn't been on board from the start.

I can see this as being a sort of business model for open source:

1. Code something good
2. Watch as it gets a decent userbase
3. Get adopted by a larger company who will fund you to make changes they want to your software for a fraction of the cost of developin

This is like...

[PFactor]

...Satan supporting the bible.

Re:This is like...

[waif69]

...and he wouldn't? He is mentioned there enough times to use it for PR.

Re:This is like...

[Kelson]

Hmm... last I looked, atheists didn't believe in Satan either, and Satan sort of requires a God to have rebelled against. So applying logic analysis:

!Bible --> !Satan
Satan --> Bible

So actually, Satan would support the Bible. He'd just tell you to root for the adversary.

revisionism

[Anonymous Coward]

I didn't even get past your *first point* before noticing a glaringly obvious lie of ommission.

"1979
November 4
Iranian radicals seize the US Embassy in Tehran, taking sixty-six American diplomats hostage. The crisis continues until 20 January 1981 when the hostages are released by diplomatic means."

You seem to have left out a little bogus prior art by the US/UK axis of maximum profits. Intentional? I would guess yes due to your taking the time to write or copy such a long piece.

I will give a very sho

Re:revisionism

[symbolic]

mullahs and supplied them with replacement parts and additional arms, in exchange for them delaying release of the US hostages until AFTER the election,

I watched a documentary (BBC?) ( http://video.google.com/videoplay?docid=8905191678 365185391&q=Iraq [google.com] ) on the activities in Fallujah, Iraq, and apparently this same tactic was used to ensure that no negative PR would come during the 2004 election. Even though everything was ready and in place, they purposely waited until AFTER the election (assuming a B

Wow.

[Capt James McCarthy]

You mean a whole 1.24 million dollars. Talk about pushing the budget.

Wow... but is it right?

[MyNameIsFred]

You mean a whole 1.24 million dollars. Talk about pushing the budget

Your snide comment misses the point. What was the scope of work proposed? Does 1.24 million support the work they intend to do? Saying they should spend more without a reason is dumb.

Re:Wow... but is it right?

[Frank T. Lofaro Jr.]

Does 1.24 million support the work they intend to do? Saying they should spend more without a reason is dumb.

You'll never make it in politics with THAT attitude. :)

Symantec?

[marcushnk]

What has Symantec to do with OSS?
Surely there is a group/company more appropriate than Symantec to scrub for bugs?!?

Socialism?

[Threni]

>It's nice that our tax dollars are being used for the right stuff."

I guess it'll trickle down from commercial organisations to poor people...

Wait... Symantec?

[ettlz]

They have coders working for them now?!

Re:Wait... Symantec?

[zazzel]

Actually, it's just a new honorary title for some of their marketing staff :-)

Re:Wait... Symantec?

[ettlz]

Actually, it's just a new honorary title for some of their marketing staff :-)

That figures. I mean, no coder would ever produce something like Norton AntiVirus or Personal Firewall. People tend to commit suicide before the self-esteem gets that low.

I'm really not sure I want their grues running amok all over Free code.

Re:Wait... Symantec?

[swillden]

They have coders working for them now?!

Symanted has always had programmers on staff. Lots of them.

Who do you think writes all the viruses?

OSS what does it mean?

[Elixon]

OSS? What is it? Does it mean that Symantec will produce/improve OSS software and all related patents that will be registered (thanks to your taxes) will be released to public too?

Or is it that you sponsor OSS but proprietary software and further patnet vault of privately held corporations?

Is it good to "sponsor" privately held company in the field where it figths with conmpetition?

Re:OSS what does it mean?

[Kelson]

From TFA:

The list of open-source projects that Stanford and Coverity plan to check for security bugs includes Apache, BIND, Ethereal, KDE, Linux, Firefox, FreeBSD, OpenBSD, OpenSSL and MySQL, Coverity said.

Precursor to AI?

[Jaysyn]

The tech behind what they are doing seems pretty neat. How long before we have software writing bugfree software? How much farther behind that (with hardware keeping up) is true heuristical AI?

Jaysyn

Re:Precursor to AI?

[Dunbal]

How long before we have software writing bugfree software?

      Man we don't even have PEOPLE writing bug free software... so picture the bug in the bug free software writer that introduces bugs....

Looks like someone has a well-placed friend

[2Bits]

Ok, so this is a grant. Does it mean that any software developed as a result of this grant will be open-sourced, and publicly available to all, free of charge? If not (and everything indicates that it won't be), I'd say, someone has a well-placed friend and got free money to develop their own proprietary software. Yeah, it will scan major open source softwares, and yeah, the database will be public (?), but then the tools from the grant money are still proprietary.

I thought only China has "guanxi" problem?

Re:Looks like someone has a well-placed friend

[Frank T. Lofaro Jr.]

Why would the NSA need a back door when there are so many holes in the Windows (pun intended)?

I mean, if there are 1000 ways to hack into Windows, why would the NSA need to have Microsoft make a 1001st way?

and $100,000 to Symantec

[kernelpanicked]

New Title "DHS pisses away 100 grand"

Potental Funding for Twelve Steps in TrustABLE IT!

[NZheretic]

See Twelve Step TrustABLE IT : VLSBs in VDNZs From TBA [blogspot.com].

Stanford is also the home of the Meta-level Compilation (MC) project [stanford.edu], a useful auditing tool for trusted build agents.

Now that Microsoft is getting into the signiture and behavour based antivirus industry, maybe Symantic could turn its patten matching technology to checking source code instead of binaries.

And why again is Symantec trustworthy ?

[CaptainZapp]

Being one of the companies not detecting the infamous Sony rootkit [wired.com] I'd be really interested to know why Symantec should be trusted for anything security related.

As far it concerns me I deeply distrust all "security companies" since this little incident.

Re:And why again is Symantec trustworthy ?

[catahoula10]

Not only did they miss the root-kit:

"Symantec has admitted its flagship consumer security application, Norton AntiVirus 2005, has a security vulnerability that allows certain types of malicious script to infect a user's personal computer with a virus."

http://www.zdnet.com.au/news/security/0,2000061744 ,39165825,00.htm [zdnet.com.au]

One more reason why not Symantec

[g2devi]

Even if they did detect the Sony rootkit, there's one key reason why Symantec shouldn't be chosen: It has zero experience with Unix security or Linux. Unix/Linux is fundamentally different than Windows in many ways. Picking Symantec to head Linux security is sort of like getting a chief mechanical engineer to be lead surgeon at a hospital. Sure there are a lot of mechanical aspects in the body and the engineer might see some places where things can be improved but the learning curve is huge. A much better c

Comment removed

[account_deleted]

Comment removed based on user account deletion

NAH they finally woken up

[SmallFurryCreature]

They have a subscription at slashdot and saw that all the stories recently about security add up. WMF exploit used to install malware wich is also send via IM attacks coming from, wait for it, the middle east! What do all those stories have in common? They are about CLOSED SOURCE products. That is right, someone at washington made the connection CLOSED SOURCE is the tool of terrorists.

All windows owners will be brought in for questioning. Do not be alarmed citizen, your deportation to an undisclosed locati

Oxymorons

[delire]

The last thing Symantec can afford is the proliferation of secure operating systems.

They'd do better offering money to Linux/*BSD kernel development or the Mozilla Foundation (for instance).

Automatic Code Error spotting

[MECC]

So, if they'll improve a computer program that spots errors in code (which I suppose will benefit all, not just OSS), will they be able to develope a computer program to fix the errors? Of does that already exist?

We'll need the puny humans for what, exactly, again? Oh, that's right, to build the hardware...

Re:Automatic Code Error spotting

[conteXXt]

Build? I am sure you meant prepare the design for the automated tools that build hardware.

I am fairly sure nobody is hand building much of what is in a computer.

Asians have small hands but not that small. (It's a joke)

Open sourse

[catahoula10]

It seems logical to me that if Symantic wants to be involved with "Open Source" that they should become open source first.

Then maybe the open sourse community can help them with some of their problems like this one:

"Symantec has admitted its flagship consumer security application, Norton AntiVirus 2005, has a security vulnerability that allows certain types of malicious script to infect a user's personal computer with a virus."

http://www.zdnet.com.au/news/security/0,2000061744 ,39165825,00.htm [zdnet.com.au]

This will last another few days

[HangingChad]

Then MSFT will start calling their contacts on the K Street Project. They'll turn around and contact their Republican buddies on the staffs of key legislators and committee members and I bet by this time next week Homeland Security will be "re-examining" their approach to open source.

Hire the OSS developers

[CrazedWalrus]

Maybe this money would be better spent by paying the developers of the major applications, or hiring new developers to work on them. A major part of their job descriptions would be securing and vetting patches for the software they're working on.

I'd think this would improve security greatly, and speed up development in general.

Want to Improve OSS Security?

[Greyfox]

Start up the old auditing program again. Source code auditing is boring work, but another set of eyes going over the code with security in mind really does help a lot. Just go down every function in the C library and work your way out to common daemons and system utilities that usually run setuid. Maybe spend some quality time with common tools that access the internet like firefox, email clients, etc. Just read each function looking for buffer overflows and other ways it might be compromised, document what you find, write a test to try to crash it, submit patches to the original authors and publish your findings and tests on the web somewhere. That leaves you with a full set of security regression tests for every product you look at.

A team of 4-5 people could probably finish off the C standard library in a matter of months and make good progress on the more common daemons that are often run on Linux systems (Bind, apache, the various mail servers, etc) in the span of a year. The money DHS is spending on this would be more than enough to hire a team that size for a year to work on that.

Oh yes, let's allow Homeland officers leverage...

[Fantastic Lad]

into the workings of OS software.

Remember the NSA tags in Microsoft code?

Just what kind of 'security' do we all think the Homeland Office is really interested in here? Keeping our ports plugged up nice and tight, or being able to do data eavesdropping on all those troublesome citizens who simply refuse to conform to the state doctrine by using corporate software? You know, to protect us from so-called, 'terrorists'.

If you make deals with the devil, you will lose.

-FL

Re:Oh yes, let's allow Homeland officers leverage.

[iabervon]

Chances are that they wouldn't want to put back doors in published source, particularly with all of the tracking of origins of patches in, at least, the Linux kernel this days.

It's not like the government will be the only people looking at the code, and the government generally doesn't want to publish clear documentation of domestic spying.

For that matter, the NSA is already a contributor to the Linux kernel, employs a maintainer (Stephen Smalley), and hosts a mailing list and web site on their module. But

Drug dealers. . .

[Fantastic Lad]

For that matter, the NSA is already a contributor to the Linux kernel, employs a maintainer (Stephen Smalley), and hosts a mailing list and web site on their module. But you can bet that a number of people review any changes they make.

It's not necessarily about overt control, (which I'm sure they would opt for if nobody was paying attention), so much as it is about placing rats and spooks in the workings so that influence can be exerted in some future way should the opportunities arise.

It's like making frie

Re:Drug dealers. . .

[Kelson]

It's like making friends with addicts, bikers or mafia members. It's best to avoid contact altogether, or the next thing you know, you'll have crack deals going down in your living room.

Or worse, the entire Tour de France might stop by for dinner!

Re:Drug dealers. . .

[Creedo]

Bikers? I am a biker(I ride a motorcyle). A lot of my friends are bikers. None of us are drug dealing, outlaw, Hell's Angel types. I've seen more disregard for authority in my vintage scuba friends.

Ugh.

[Fantastic Lad]

Bikers? I am a biker(I ride a motorcyle). A lot of my friends are bikers. None of us are drug dealing, outlaw, Hell's Angel types. I've seen more disregard for authority in my vintage scuba friends.

What's with the hair-split patrol today? You're the third person to complain about something I've posted because of some silly semantic word play. Can you honestly tell me that you did not understand the point I was making?

-FL

Re:Ugh.

[Creedo]

You're the third person to complain about something I've posted because of some silly semantic word play

I understood your point perfectly. This is not about silly semantic word play. I am talking about the fact that you lump bikers in with addicts and the mafia, and you specifically say that it is "best to avoid contact altogether." Either you are trolling or you really do buy into that stupid stereotype.

What. . ?

[Fantastic Lad]

All of those things can be done now, YET ARE STILL EASILY DETECTED.

Your points are shit, and you're an idiot for suggesting them.

Well I certainly must be an idiot, because I can't understand what the heck you're talking about. Either that or you don't know how to communicate very well.

I don't know what 'things' you mean, and I don't know which 'shitty' points you are referring to. In the future, you might try both paraphrasing as well as actually attempting to explain your thoughts in such a manner that p

Department of Homeland Security are not magicians

[Frank T. Lofaro Jr.]

The Department of Homeland Security is going to hide backdoors in Open Source code???

They're the government, they're not magicians!

Remember how quickly the Linux kernel "uid=0" instead of "uid==0" exploit was found?

They could instead compromise a binary of gcc and do a Ken Thompson type hack where it miscompiles itself and system software to add backdoors, although even then, people would notice the different binaries and the miscompilations.

But at least that would be possible.

right stuff???

[samantha]

Are folks daft enough to think tha having the equivalent of the Gestapo take an interest in what is near and dear to them is a Good Thing? The administration idea of software security is to lock down every thing possible against anf modification whatsoever lest some "cyber-terrorist" does something nasty.

If One Played Devil's Advocate...

[camperslo]

One might think the reason for their spending money on finding bugs but not spending money on fixing them was so they could be a few steps ahead of everyone in knowing ways into OSS systems.

These are the folks that hired an officer from doubleclick.net

Why?

[pvera]

Are they doing this because they understand that open source allows easier auditing for security issues? Or are they doing it because they are using open source just to save money?

What I find creepy is that the purpose of this initiative is to look for stuff on their own and then keep a database of bugs. Will this be so automated that nobody will actually look and check if maybe a new vulnerability should not be announced out in the open until the core developers of the affected item have had a chance to fi

Why "Flamebait"?

[IAAP]

We've all have heard [nationalreview.com] about the wasteful spending by states and municipalites regarding the spending of money thrust upon them by Homeland Security. It's a matter that concerns both sides - a little. Homeland Security has become yet another avenue for pork barrel spending, and as a result, states are getting money that may not help the fight on terrorism. Senate [senate.gov]

At least the department of homaland security isn't wasteing all of thier money.

I agree. This will promote OSS and help reduce the costs of our Government. So what's the problem with what the parent said?

Re:Sort of good..

[Bimo_Dude]

Looks like you're on the way to a +5 Flamebait (hehehe...)

While I normally am suspicious of almost everything done by DHS, I do see this as a good thing. It seems like a good start, anyway. If only we could get them to put the other 99.997% of their budget (based on their 2005 budget [whitehouse.gov]) behind Open Source...

Re:Sighmantec

[Jaysyn]

Ditto. Macaffee is even worse.

Jaysyn

Conspiracy Theories Abound

[Dareth]

Many conspiracy theories abound whenever anyone oustide the Open Source community contribute anything to the process. I do not believe bug reports are going to introduce "back doors" to the software that many of us use on a daily basis.

If you want a real conspiracy theory, or a Symantec angle in particular, think "Trusted Computing", Palladium. If they have never "studied" Open Source, they would not have a leg to stand on in saying that Open Source software is not to be trusted.

Do I believe the above? N

Re:And what are they getting in return?

[Kelson]

Increased security on apps and servers that they can use?

Re:OpenBSD

[vmalloc_]

Amen, man. Here's a DHS security initiative that would have cost nothing: Switch to OpenBSD if security is a concern, and check periodically for security advisories.

This spending is just more pork barrel crap that will probably not accomplish anything and will just get pocketed by somebody. Security doesn't just get fixed with a couple million bucks and a year of coding, it's an ongoing long term process, and the #1 problem with security today is lack of education and/or indifference on security issues, NOT

Re:OpenBSD

[Kelson]

MySQL was a mistake and PostgreSQL should have been chosen.

Are you saying PostgreSQL is in greater need of security scanning than MySQL is?

Re:OpenBSD

[temojen]

5. Linux should not be used, as it is beyond economical repair.

Care to back up that assertion?

8. MySQL was a mistake and PostgreSQL should have been chosen.

While I'd agree with you as far as database choice goes, they were not choosing a database to use, they were choosing a database for which a bug search would be most fruitful and benefit the most people. Given that most web hosting providers use MySQL, the bug search will impact a lot more people than a bug search of PostgreSQL.

Re:Why?

[Kelson]

Last I looked, the NSA hadn't hardened the apps, just the OS.

Re:analysis tools?

[chgros]

Are they proposing building a 'i think know what you meant' version on lint or something?
Not quite, but we're working on it :)
http://linuxbugs.coverity.com/ [coverity.com]