Security Software The Almighty Buck Linux

US Homeland Security to Support Open Source

An anonymous reader writes "CNET is reporting that the US Department of Homeland Security is extending its support to open source software. The DHS will be giving Stanford University, Coverity, and Symantec a $1.24 million grant to improve the security of open source software. From the article: 'The Homeland Security Department grant will be paid over a three-year period, with $841,276 going to Stanford, $297,000 to Coverity and $100,000 to Symantec, according to San Francisco-based technology provider Coverity, which plans to announce the award publicly on Wednesday.' It's nice that our tax dollars are being used for the right stuff."
  • Symantec? (Score:5, Insightful)

    by Anonymous Coward on Wednesday January 11, 2006 @07:26AM (#14444825)
    Symantec? Open source?? Where?!
    • Re:Symantec? (Score:4, Insightful)

      by killmenow ( 184444 ) on Wednesday January 11, 2006 @07:39AM (#14444872)
      I'll add to this...
      The DHS will be giving Stanford University, Coverity, and Symantec a $1.24 million grant to improve the security of open source software.
      I fail to see how giving Symantec money will improve the security of anything unless we're talking about securities...as in Symantec stock. Once upon a time the name Norton prepended was a good sign. I am not trying to troll or incite flames, but I find Symantec (and McAfee for that matter) sorely wanting these days. I would be leery of running anything with their name attached to it on one of my boxes.

      At least they only get $100,000 and the bulk goes to Stanford.
      • What occurred to me when I read that is the part about Symantec being a Commercial Software company...They don't release ANYTHING as Open Source, do they?
        (If I'm right) Money well spent...Yeah, right-
        • Exactly. The article is also extremely condescending towards open source in general:

          The effort will help put open-source development on a par with commercial software efforts, Park said. "The open-source community does not have access to those kinds of tools, so we are trying to correct that to some extent," he said.

          Yeah, great. So instead of remedying the problem with a one time contribution to form an open source code checking project they pump even more money into a commercial closed-source product

      • Maybe they will use the money to improve the security of Symantec products? I have removed Norton from 3 customer computers this week due to several variants of the virii that specifically attack Norton. Their code is as sloppy as M$.
        • And twice as bloated.

          Not really sure what Symantec could add to open source...Maybe put some work into an antivirus that works on linux natively, which would be closed source, and cost 65 dollars, and sit on the shelves for a year because no one who runs linux would buy a symantec product to run on it.

          Definitely a testament to their marketing department though, that their name is "associated" with security to the degree that the government just randomly gives them grants.
        • Symantec Norton Antivirus is just shit. Completely. What I find most repugnant about it is that even its own internal features that relate to itself don't work. For example, even with the enterprise version, I regularly see it stop updating. You have to reinstall the fucker to get it to work again. And, have you ever manually uninstalled NAV? There's like 300 registry keys, literally. Maybe more. But, instead of supplying a removal tool, they just give you some really sketchy instructions on manual removal.
      • Peter Norton should sue Symantec for defamation of character.
    • Re:Symantec? (Score:5, Interesting)

      by KiloByte ( 825081 ) on Wednesday January 11, 2006 @07:42AM (#14444888)
      Don't underestimate Symantec's relations with Open Source.

      They are big. They are strong. They are all negative.

      Symantec is known for its FUD campaigns in order to hawk their anti-virus software. They do everything they can to fool people into believing that viruses are as prevalent in the rest of the world as they are in Windows.

      Thus, I believe that a dollar given to Symantec is worse than a dollar ripped apart.
      • Re:Symantec? (Score:5, Interesting)

        by $rtbl_this ( 584653 ) on Wednesday January 11, 2006 @07:57AM (#14444954)

        They are all negative.

        Not all of them. We use Symantec's IDS and AV/anti-spam appliances, both of which are just i386 linux boxes with some proprietary software and a candy-coated front-end. Just because their marketing folk badmouth open source software doesn't mean that their technical staff don't see the advantages.

        • "We use Symantec's IDS and AV/anti-spam appliances, both of which are just i386 linux boxes with some proprietary software"

          And therein lies the rub. Since I am paying Symantec with my tax dollars does that mean the results of their work will be open sourced and freely available, or will it be a proprietary product for which I have to pay a second time?

          burnin
      • It could be funny to watch.

        Either Symantec will report lots of bugs they find and thus help improve the quality of open source or they will do nothing to improve it and, by reporting nothing, they will be stating FOSS is at least as secure as their own products.

        Or they could also report lots of false bugs and get discredited by this.
    • Yeah, the last thing I want is my entire linux system bogged down or networking rendered inoperable by symantec wares.
    • I just want to welcome our new open source security overlord...! Wait? What? Symantec you say? Welcome our new ... mu ha ha ha ... mu ha ha ha ...
    • "It's nice that our tax dollars are being used for the right stuff."
       
      Our dollars are perhaps being used for better purposes than usual (paying college buddy contractors for needless work (though actually.. don't rule that out here)), but it definitely isn't "the right stuff." Maybe I'm too much of a staunch libertarian.
  • BIND (Score:5, Interesting)

    by ehaggis ( 879721 ) on Wednesday January 11, 2006 @07:33AM (#14444850) Homepage Journal
    I would like to see the fork BIND takes under DHS. Of the applications listed, BIND must be the most formidable for securing and utilizing in a secure environment. This could be a boon for the overall reliability of the internet.
    • Re:BIND (Score:5, Funny)

      by gormanly ( 134067 ) on Wednesday January 11, 2006 @07:43AM (#14444893)
      And you trust the DHS to map domain names to IP addresses better than they do with city names and geography [0xdeadbeef.com] ?
  • Where's the conspiracy here? Is it a good thing that DHS is supporting open source? Boy, I can't wait til the talking heads get ahold of this.

    • I'd like to know what Symantec has to do with open source, though. Maybe it's just pity money since their software sucks.
    • by kfg ( 145172 ) on Wednesday January 11, 2006 @08:02AM (#14444973)
      Where's the conspiracy here?

      Wait for it, wait for it!

      Is it a good thing that DHS is supporting open source?

      They are not supporting open source. They are supporting commercial code which can be applied against open source code.

      The open source developers and their code base are left to go scratch.

      KFG
      • by IAAP ( 937607 ) on Wednesday January 11, 2006 @08:14AM (#14445018)
        FTFA: Programmers working on the Linux operating system, Apache Web server, BIND Internet infrastructure software and Firefox browser, for example, will be able to fix security vulnerabilities flagged by the system before their code becomes part of a released application or operating system.

        And: This could be a boon for open-source security, said Stacey Quandt, an analyst with Aberdeen Group. "The benefit for open source is that it enables it to be up to date with commercial technology innovation," she said.

        Your point FTFA: "Why does the DHS think it is worthwhile to pay for bugs to be found, but has made no provision to pay for them to be fixed?"

        I agree that it's kind of shitty that money isn't going to OSS. Then again, they're getting free security checking that can be applied and distributed for free. Hopefully, someone in Gov. will see the light and spend some money on OSS to have the security holes fixed. Donations to the OSS organizations affected by the screening?

        • The really funny bit is the article talks about expensive source code analysis tools that commercial companies often use...

          Well I can assure you from many years walking through the door of software companies, that proper software checks are rarely run in private industry. If you are lucky the programmer will deal with the compiler warnings for a quiet life.

          Still it is good someone is looking, wonder what David Wheeler could have done with the money?
      • They are supporting commercial code which can be applied against open source code.

        1.2M for a program that scans the codebase for the words "bomb", "terrorism" and "Al Quaeda"...
  • Good Start (Score:5, Interesting)

    by Artie Dent ( 929986 ) on Wednesday January 11, 2006 @07:35AM (#14444859) Homepage
    "The money is going to provide them with things they need to fix the bugs, which is bug reports. That is a lot better than they have now, which is nothing," While I agree with Engler's comment here, I also have to wonder, without proper funding to fix these bugs, what good will it do? And if a list of bugs and exploits comes out on well used Open Source Software, without the means to fix them, and these lists are leaked, it could create havoc.
    • And if a list of bugs and exploits comes out on well used Open Source Software, without the means to fix them, and these lists are leaked, it could create havoc.

      I can see your point but I am a big believer in full disclosure. We all know from experience that MS's "Security by obscurity" doesn't work well. If there are bugs in OSS then people will find them, the nature of Open code.

      Now IMHO malware writers *do* comb through OSS looking for bugs to exploit. If a bunch of malware writers are finding exploits a
    • "The money is going to provide them with things they need to fix the bugs, which is bug reports. That is a lot better than they have now, which is nothing,"

      While I agree with Engler's comment here, I also have to wonder, without proper funding to fix these bugs, what good will it do? And if a list of bugs and exploits comes out on well used Open Source Software, without the means to fix them, and these lists are leaked, it could create havoc.


      I'd just like to rephrase one thing you ask a little:

      witho
    • While I agree with Engler's comment here, I also have to wonder, without proper funding to fix these bugs, what good will it do?

      If money fixed bugs, Windows would be rock solid, no?

      Pouring funding into Open Source sounds like the road to migration away from Redmond's licensing fees.

    • (I hope this post isn't moderated as flamebait. I love Open Source Software, but there are serious problems in our community which need to be addressed. I am not an outsider attacking OSS to destroy, but a community member pointing out shortcomings to help preserve and improve it.)

      Do most Open Source projects even do anything with bug reports?

      Other than:

      1. Ignore them.
      2. Claim they are not bugs, but features.
      3. Claim they are valid "design decisions".
      4. Say they'll get around to fixing bugs when they are do
      • 5. Say it won't be fixed. Bugzilla has a "WONTFIX" status which is used quite often.
        as opposed to proprietary vendors who won't even admit it exists in the first place.

        one big big problem is it's nearly impossible to debug what you can't easily reproduce. i've had 100% cpu bugs that took weeks of real life usage to appear for some users and that we never managed to reproduce under controlled conditions. we added (a LOT) more checking to the code and also moved to a more recent freepascal (freepascal 1.0.x us
  • by grimJester ( 890090 ) on Wednesday January 11, 2006 @07:37AM (#14444868)
    The real story seems to be that the money is granted to develop and test source code analysis tools, with Stanford doing development and Symantec testing. Seems like a potentially good way to catch human errors in coding. Instant feedback for the sloppy coder would be nice.
    • I'd love to have array bounds checking built into the compiler, so it would complain when I leave a loop unbounded.

      But things like race conditions in a multithreaded app, abuse of least privilege, or other runtime errors seem more difficult.

      The cynic in me says that it's Symantec doing it, so they'll make a product you have to leave running all the time to be "secure". They're just doing the testing part, though. Besides, what would they call it, Symantec Antisecurity?

    • but that's what Coverity does for a living - I assume that what's really going on here is that DHS is paying someone to run Coverity over stuff (people who already have access to it at work probably ought to be feeding any spare code that's lying around through it anyway - with your boss's permission of course)
  • I understand that most open source is written by people who care and are either college students or white collar workers who have time either at work (employer consenting), or at home if they have little family life.

    But, I think a little squirt of the green will help to encourage those who permit this behaviour of the programmers to feel a little bit better and increase the likelihood of permitting if not encourage such behaviour in the future.
    • by meringuoid ( 568297 ) on Wednesday January 11, 2006 @07:45AM (#14444901)
      I understand that most open source is written by people who care and are either college students or white collar workers who have time either at work (employer consenting), or at home if they have little family life.

      Most open source, in terms of sheer number of projects or lines of code? Probably. But in terms of usage?

      The major open-source projects have got corporate backing now. Linux, for instance? Lots of work being done on that by IBM, in addition to the employees of the likes of Red Hat or SuSE. Similarly, I believe AOL has been backing Mozilla lately, and the number of old-skool Unix utilities that contain copyrights of the University of California is enormous - after all, they wrote BSD.

      It's not just anarchist hackers now. Open source has gone commercial in a really big way.

      • But they didn't start out that way. Granted, Mozilla started out as an offshoot of netscape, but I think the code has now been pretty much rewritten. And most people here know about the origins of Linux - IBM definitely hasn't been on board from the start.

        I can see this as being a sort of business model for open source:
        1. Code something good
        2. Watch as it gets a decent userbase
        3. Get adopted by a larger company who will fund you to make changes they want to your software for a fraction of the cost of developin
  • by PFactor ( 135319 ) on Wednesday January 11, 2006 @07:42AM (#14444889) Journal
    ...Satan supporting the bible.

    • by waif69 ( 322360 )
      ...and he wouldn't? He is mentioned there enough times to use it for PR.
    • Hmm... last I looked, atheists didn't believe in Satan either, and Satan sort of requires a God to have rebelled against. So applying logic analysis:

      !Bible --> !Satan
      Satan --> Bible

      So actually, Satan would support the Bible. He'd just tell you to root for the adversary.
  • Wow. (Score:4, Funny)

    by Capt James McCarthy ( 860294 ) on Wednesday January 11, 2006 @07:42AM (#14444890) Journal
    You mean a whole 1.24 million dollars. Talk about pushing the budget.
    • You mean a whole 1.24 million dollars. Talk about pushing the budget
      Your snide comment misses the point. What was the scope of work proposed? Does 1.24 million support the work they intend to do? Saying they should spend more without a reason is dumb.
  • Symantec? (Score:4, Insightful)

    by marcushnk ( 90744 ) <senectus@@@gmail...com> on Wednesday January 11, 2006 @07:43AM (#14444892) Journal
    What has Symantec to do with OSS?
    Surely there is a group/company more appropriate than Symantec to scrub for bugs?!?
  • >It's nice that our tax dollars are being used for the right stuff."

    I guess it'll trickle down from commercial organisations to poor people...
  • by ettlz ( 639203 ) on Wednesday January 11, 2006 @07:50AM (#14444925) Journal
    They have coders working for them now?!
    • Actually, it's just a new honorary title for some of their marketing staff :-)
      • Actually, it's just a new honorary title for some of their marketing staff :-)

        That figures. I mean, no coder would ever produce something like Norton AntiVirus or Personal Firewall. People tend to commit suicide before the self-esteem gets that low.

        I'm really not sure I want their grues running amok all over Free code.

    • They have coders working for them now?!

      Symantec has always had programmers on staff. Lots of them.

      Who do you think writes all the viruses?

  • by Elixon ( 832904 ) on Wednesday January 11, 2006 @07:54AM (#14444940) Homepage Journal
    OSS? What is it? Does it mean that Symantec will produce/improve OSS software and all related patents that will be registered (thanks to your taxes) will be released to public too?

    Or is it that you sponsor OSS but proprietary software and further patent vault of privately held corporations?

    Is it good to "sponsor" privately held company in the field where it fights with competition?
    • From TFA:

      The list of open-source projects that Stanford and Coverity plan to check for security bugs includes Apache, BIND, Ethereal, KDE, Linux, Firefox, FreeBSD, OpenBSD, OpenSSL and MySQL, Coverity said.
  • The tech behind what they are doing seems pretty neat. How long before we have software writing bugfree software? How much farther behind that (with hardware keeping up) is true heuristical AI?

    Jaysyn
    • How long before we have software writing bugfree software?

      Man we don't even have PEOPLE writing bug free software... so picture the bug in the bug free software writer that introduces bugs....
  • by 2Bits ( 167227 ) on Wednesday January 11, 2006 @07:57AM (#14444955)
    Ok, so this is a grant. Does it mean that any software developed as a result of this grant will be open-sourced, and publicly available to all, free of charge? If not (and everything indicates that it won't be), I'd say, someone has a well-placed friend and got free money to develop their own proprietary software. Yeah, it will scan major open source softwares, and yeah, the database will be public (?), but then the tools from the grant money are still proprietary.

    I thought only China has "guanxi" problem?

  • New Title "DHS pisses away 100 grand"
  • by NZheretic ( 23872 ) on Wednesday January 11, 2006 @08:15AM (#14445028) Homepage Journal
    See Twelve Step TrustABLE IT : VLSBs in VDNZs From TBA [blogspot.com].

    Stanford is also the home of the Meta-level Compilation (MC) project [stanford.edu], a useful auditing tool for trusted build agents.

    Now that Microsoft is getting into the signature and behaviour based antivirus industry, maybe Symantec could turn its pattern matching technology to checking source code instead of binaries.

  • by CaptainZapp ( 182233 ) * on Wednesday January 11, 2006 @08:25AM (#14445074) Homepage
    Being one of the companies not detecting the infamous Sony rootkit [wired.com] I'd be really interested to know why Symantec should be trusted for anything security related.

    As far as it concerns me I deeply distrust all "security companies" since this little incident.

    • Not only did they miss the root-kit:

      "Symantec has admitted its flagship consumer security application, Norton AntiVirus 2005, has a security vulnerability that allows certain types of malicious script to infect a user's personal computer with a virus."

      http://www.zdnet.com.au/news/security/0,2000061744,39165825,00.htm [zdnet.com.au]

    • Even if they did detect the Sony rootkit, there's one key reason why Symantec shouldn't be chosen: It has zero experience with Unix security or Linux. Unix/Linux is fundamentally different than Windows in many ways. Picking Symantec to head Linux security is sort of like getting a chief mechanical engineer to be lead surgeon at a hospital. Sure there are a lot of mechanical aspects in the body and the engineer might see some places where things can be improved but the learning curve is huge. A much better c
  • Comment removed (Score:3, Insightful)

    by account_deleted ( 4530225 ) on Wednesday January 11, 2006 @08:34AM (#14445117)
    Comment removed based on user account deletion
    • They have a subscription at slashdot and saw that all the stories recently about security add up. WMF exploit used to install malware which is also sent via IM attacks coming from, wait for it, the middle east! What do all those stories have in common? They are about CLOSED SOURCE products. That is right, someone at Washington made the connection CLOSED SOURCE is the tool of terrorists.

      All windows owners will be brought in for questioning. Do not be alarmed citizen, your deportation to an undisclosed locati

  • Oxymorons (Score:3, Insightful)

    by delire ( 809063 ) on Wednesday January 11, 2006 @08:36AM (#14445128)

    The last thing Symantec can afford is the proliferation of secure operating systems.

    They'd do better offering money to Linux/*BSD kernel development or the Mozilla Foundation (for instance).
  • So, if they'll improve a computer program that spots errors in code (which I suppose will benefit all, not just OSS), will they be able to develop a computer program to fix the errors? Or does that already exist?

    We'll need the puny humans for what, exactly, again? Oh, that's right, to build the hardware...

    • Build? I am sure you meant prepare the design for the automated tools that build hardware.

      I am fairly sure nobody is hand building much of what is in a computer.

      Asians have small hands but not that small. (It's a joke)
  • Open source (Score:2, Insightful)

    by catahoula10 ( 944094 )
    It seems logical to me that if Symantec wants to be involved with "Open Source" that they should become open source first.

    Then maybe the open source community can help them with some of their problems like this one:

    "Symantec has admitted its flagship consumer security application, Norton AntiVirus 2005, has a security vulnerability that allows certain types of malicious script to infect a user's personal computer with a virus."

    http://www.zdnet.com.au/news/security/0,2000061744,39165825,00.htm [zdnet.com.au]
  • Then MSFT will start calling their contacts on the K Street Project. They'll turn around and contact their Republican buddies on the staffs of key legislators and committee members and I bet by this time next week Homeland Security will be "re-examining" their approach to open source.
  • Maybe this money would be better spent by paying the developers of the major applications, or hiring new developers to work on them. A major part of their job descriptions would be securing and vetting patches for the software they're working on.

    I'd think this would improve security greatly, and speed up development in general.
  • by Greyfox ( 87712 ) on Wednesday January 11, 2006 @09:56AM (#14445573) Homepage Journal
    Start up the old auditing program again. Source code auditing is boring work, but another set of eyes going over the code with security in mind really does help a lot. Just go down every function in the C library and work your way out to common daemons and system utilities that usually run setuid. Maybe spend some quality time with common tools that access the internet like firefox, email clients, etc. Just read each function looking for buffer overflows and other ways it might be compromised, document what you find, write a test to try to crash it, submit patches to the original authors and publish your findings and tests on the web somewhere. That leaves you with a full set of security regression tests for every product you look at.

    A team of 4-5 people could probably finish off the C standard library in a matter of months and make good progress on the more common daemons that are often run on Linux systems (Bind, apache, the various mail servers, etc) in the span of a year. The money DHS is spending on this would be more than enough to hire a team that size for a year to work on that.

  • into the workings of OS software.

    Remember the NSA tags in Microsoft code?

    Just what kind of 'security' do we all think the Homeland Office is really interested in here? Keeping our ports plugged up nice and tight, or being able to do data eavesdropping on all those troublesome citizens who simply refuse to conform to the state doctrine by using corporate software? You know, to protect us from so-called, 'terrorists'.

    If you make deals with the devil, you will lose.


    -FL

    • Chances are that they wouldn't want to put back doors in published source, particularly with all of the tracking of origins of patches in, at least, the Linux kernel this days.

      It's not like the government will be the only people looking at the code, and the government generally doesn't want to publish clear documentation of domestic spying.

      For that matter, the NSA is already a contributor to the Linux kernel, employs a maintainer (Stephen Smalley), and hosts a mailing list and web site on their module. But
      • For that matter, the NSA is already a contributor to the Linux kernel, employs a maintainer (Stephen Smalley), and hosts a mailing list and web site on their module. But you can bet that a number of people review any changes they make.

        It's not necessarily about overt control, (which I'm sure they would opt for if nobody was paying attention), so much as it is about placing rats and spooks in the workings so that influence can be exerted in some future way should the opportunities arise.

        It's like making frie
        • It's like making friends with addicts, bikers or mafia members. It's best to avoid contact altogether, or the next thing you know, you'll have crack deals going down in your living room.

          Or worse, the entire Tour de France might stop by for dinner!
        • Bikers? I am a biker(I ride a motorcyle). A lot of my friends are bikers. None of us are drug dealing, outlaw, Hell's Angel types. I've seen more disregard for authority in my vintage scuba friends.
          • Bikers? I am a biker(I ride a motorcyle). A lot of my friends are bikers. None of us are drug dealing, outlaw, Hell's Angel types. I've seen more disregard for authority in my vintage scuba friends.

            What's with the hair-split patrol today? You're the third person to complain about something I've posted because of some silly semantic word play. Can you honestly tell me that you did not understand the point I was making?


            -FL

            • You're the third person to complain about something I've posted because of some silly semantic word play

              I understood your point perfectly. This is not about silly semantic word play. I am talking about the fact that you lump bikers in with addicts and the mafia, and you specifically say that it is "best to avoid contact altogether." Either you are trolling or you really do buy into that stupid stereotype.
    • The Department of Homeland Security is going to hide backdoors in Open Source code???

      They're the government, they're not magicians!

      Remember how quickly the Linux kernel "uid=0" instead of "uid==0" exploit was found?

      They could instead compromise a binary of gcc and do a Ken Thompson type hack where it miscompiles itself and system software to add backdoors, although even then, people would notice the different binaries and the miscompilations.

      But at least that would be possible.
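
      Several posts in this thread reason about what automated source checking would catch: grimJester's on analysis tools giving the coder instant feedback, Greyfox's plan to audit C code for buffer overflows, and the `uid=0` kernel change recalled just above. As an added, constructed illustration (not code from the page, from Coverity, or from anyone in the thread), here is a small Python checker that flags those two line-level shapes in C source; the sample C source and the rule names are made up for the example, and the rules are deliberately crude, so a reviewer still judges each finding.

```python
"""Small line-oriented checker for two C defect shapes discussed in this thread.

Added, constructed example: not code from the page, Coverity, Stanford or Symantec.
Both rules are deliberately conservative; a reviewer decides what is real:
  assign-in-condition  a lone '=' inside an if/while condition, the shape of the
                       2003 kernel "uid=0" change recalled in the thread
  unbounded-copy       strcpy/strcat/sprintf/gets writing with no length bound
"""
import re
from dataclasses import dataclass
from typing import List, Optional

HEAD = re.compile(r"\b(?:if|while)\s*\(")
# A single '=' that is not part of ==, !=, <=, >=, +=, -=, |=, etc.
LONE_ASSIGN = re.compile(r"(?<![=!<>+\-*/%&|^])=(?!=)")
UNBOUNDED = re.compile(r"\b(?:strcpy|strcat|sprintf|gets)\s*\(")
STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')

HINTS = {
    # Extra parentheses around the assignment do not silence this rule on purpose:
    # a parenthesised assignment still reads like a comparison to a hurried eye.
    "assign-in-condition": "did you mean '=='? (parentheses around the assignment "
                           "do not clear this rule)",
    "unbounded-copy": "bound the write (snprintf/strlcpy) or check the length "
                      "against the destination buffer first",
}


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    text: str

    @property
    def hint(self) -> str:
        return HINTS[self.rule]


def _code_only(line: str) -> str:
    """Blank string literals and drop a trailing // comment before matching."""
    return STRING_LITERAL.sub('""', line).split("//", 1)[0]


def _condition(code: str) -> Optional[str]:
    """Return the text inside the parentheses of the first if/while, if any."""
    m = HEAD.search(code)
    if not m:
        return None
    start, depth = m.end() - 1, 0
    for i in range(start, len(code)):
        if code[i] == "(":
            depth += 1
        elif code[i] == ")":
            depth -= 1
            if depth == 0:
                return code[start + 1:i]
    return None  # condition continues on a later line; not handled here


def check_line(lineno: int, line: str) -> List[Finding]:
    code = _code_only(line)
    found = []
    cond = _condition(code)
    if cond is not None and LONE_ASSIGN.search(cond):
        found.append(Finding(lineno, "assign-in-condition", line.strip()))
    if UNBOUNDED.search(code):
        found.append(Finding(lineno, "unbounded-copy", line.strip()))
    return found


def check_source(src: str) -> List[Finding]:
    return [f for n, line in enumerate(src.splitlines(), 1) for f in check_line(n, line)]


# Constructed C sample: line 3 mimics the shape of the kernel change, line 12 is an unbounded copy.
SAMPLE_C = """\
static int wait4(int pid, int options, struct rusage *ru)
{
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))  // reads like ==
        return -EINVAL;
    if (pid == 0)
        return 0;
    return 1;
}
void greet(const char *name)
{
    char buf[32];
    strcpy(buf, name);  // no bound on the copy into buf[32]
    printf("hi %s", buf);
}
"""

if __name__ == "__main__":
    for f in check_source(SAMPLE_C):
        print(f"line {f.line}: {f.rule}: {f.text}\n    hint: {f.hint}")
```

      The `while ((c = getc(fp)) != EOF)` idiom is reported too; that false positive is the price of not whitelisting parenthesised assignments, which is exactly the shape the kernel incident had.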
  • Are folks daft enough to think that having the equivalent of the Gestapo take an interest in what is near and dear to them is a Good Thing? The administration idea of software security is to lock down every thing possible against any modification whatsoever lest some "cyber-terrorist" does something nasty.
  • One might think the reason for their spending money on finding bugs but not spending money on fixing them was so they could be a few steps ahead of everyone in knowing ways into OSS systems.

    These are the folks that hired an officer from doubleclick.net
  • by pvera ( 250260 )
    Are they doing this because they understand that open source allows easier auditing for security issues? Or are they doing it because they are using open source just to save money?

    What I find creepy is that the purpose of this initiative is to look for stuff on their own and then keep a database of bugs. Will this be so automated that nobody will actually look and check if maybe a new vulnerability should not be announced out in the open until the core developers of the affected item have had a chance to fi
