DARPA-Funded Linux Security Hub Withers 281
mAriuZ writes "Initially funded by a grant from the Pentagon's DARPA, the Sardonix project aspired to replace the Linux security review process with a public website that meticulously tracks which code has been audited for security holes, and by whom. As conceived by Crispin Cowan, Sardonix was to attract volunteer auditors by automatically ranking them according to the amount of code they've examined, and the number of security holes they've found. Auditors would lose points if a subsequent audit by someone else turned up bugs they missed. ... In the end, though, nobody showed up."
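The summary above describes the Sardonix reputation model only in outline: auditors earn points for code examined and for bugs found, and lose points when a later audit of the same code turns up bugs they passed over. The following Python is an added example, not Sardonix's own code; the point weights (one point per 100 lines, ten per new bug, five lost per missed bug) and the audit records are assumptions constructed for illustration.

```python
"""Toy model of the Sardonix-style auditor ranking described above.

Added example, not code from the Sardonix project. Point weights are
assumptions; the summary gives no numbers.
"""
from collections import defaultdict
from dataclasses import dataclass, field

POINTS_PER_100_LINES = 1   # assumed: credit for volume of code examined
POINTS_PER_NEW_BUG = 10    # assumed: credit for a bug nobody reported before
PENALTY_PER_MISSED_BUG = 5 # assumed: cost of passing code a later auditor finds a bug in


@dataclass(frozen=True)
class Audit:
    auditor: str
    package: str
    lines_examined: int
    bugs_found: frozenset  # bug identifiers such as "file:line" (constructed labels)


@dataclass
class Ledger:
    audits: list = field(default_factory=list)

    def record(self, audit: Audit) -> None:
        self.audits.append(audit)

    def scores(self) -> dict:
        scores = defaultdict(int)
        known = defaultdict(set)  # bugs already reported, per package
        for audit in self.audits:
            scores[audit.auditor] += (audit.lines_examined // 100) * POINTS_PER_100_LINES
            # Only bugs nobody reported earlier earn credit.
            new_bugs = audit.bugs_found - known[audit.package]
            scores[audit.auditor] += len(new_bugs) * POINTS_PER_NEW_BUG
            # Every earlier audit of the same package that did not report
            # these bugs is charged for missing them.
            for earlier in self.audits:
                if earlier is audit:
                    break
                if earlier.package == audit.package:
                    missed = new_bugs - earlier.bugs_found
                    scores[earlier.auditor] -= len(missed) * PENALTY_PER_MISSED_BUG
            known[audit.package] |= audit.bugs_found
        return dict(scores)

    def ranking(self) -> list:
        # Highest score first; ties broken by name for a stable order.
        return sorted(self.scores().items(), key=lambda kv: (-kv[1], kv[0]))


def demo() -> list:
    """Constructed ledger: alice passes foo, bob later finds a bug in it."""
    ledger = Ledger()
    ledger.record(Audit("alice", "foo", 1000, frozenset()))
    ledger.record(Audit("bob", "foo", 1000, frozenset({"foo.c:42"})))
    ledger.record(Audit("carol", "bar", 500, frozenset({"bar.c:7", "bar.c:9"})))
    return ledger.ranking()


if __name__ == "__main__":
    for auditor, score in demo():
        print(f"{auditor}: {score}")
```

In the constructed run, alice earns 10 points for examining foo, then loses 5 when bob's later audit of foo reports a bug she passed; bob ends at 20 and carol at 25. The model shows the incentive the summary implies: an auditor who signs off on code is exposed to every later finding in it, which rewards caution over volume.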
If a tree falls in a forest... (Score:5, Funny)
Re:If a tree falls in a forest... (Score:3, Funny)
I'm hoping a fucking Sequoia lands on this thread.
Re:If a tree falls in a forest... (Score:3, Funny)
It's like a box of chocolates.
Re:If a tree falls in a forest... (Score:2, Informative)
The guy who played Dr. McCoy on Star Trek.
Really? (Score:4, Funny)
Re:Really? (Score:5, Funny)
Re:Really? (Score:5, Funny)
Re:Really? (Score:2)
Re:Really? (Score:2)
I'd like to see Slashdot ID counter vs. time graph. I came to the party late.
Re:Really? Haha (Score:3, Funny)
I'm glad I didn't have to say that in person; I couldn't possibly have kept a straight face
Re:Really? Haha (Score:2)
Re:Really? (Score:2)
Re:Really? (Score:2)
Wait, that's the First Hundred, not the first thousand.
Re:Really? (Score:2)
Re:Really? (Score:2, Funny)
Not with a UID that low, dude. That only tells your prospective employer, "I spend way too much time cruising the Internet instead of working."
Re:Really? (Score:2)
Re:Really? (Score:5, Funny)
Re:Really? (Score:2)
Any of them from NineNine or autopr0n by any chance?
Re:Really? (Score:4, Interesting)
The free market beat them to the punch. Why play for Sardonix "street-cred" when you can start your own security company. Most security companies do a fair share of the advertising on the existing security mailing lists.
Besides which, the Linux Kernel Mailing Lists already purport to do the same thing. You think that the Linux kernel hackers don't think that they are already creating secure code? By the time a security bug gets through the LKML's brutal peer review the chances that some outsider gunning for "street cred" is going to find it is essentially nil. Why join Sardonix when you can pile right in to the LKML?
Re:Really? (Score:5, Funny)
This isn't Compton.
You're not going to go on an interview and throw up your Linux "signs."
Slackware beeyotch. Represent.
apt-get 4 life, thug.
Werd.
Story of my Life (Score:2)
I have a pretty low ICQ # too... wonder what it is??? I don't seem to remember.. must be old age.
Damn kids... always going on about how "OLD SCHOOL" they are. How many of them walked 10 miles to a university lab to have access to a VT-100 terminal... oh well was for mudding
DARPA "funded" !? (Score:5, Insightful)
Our model is: review a whole body of code, eventually finding no bugs, and receive a deeper level of appreciation from people who use the code.
I'm sorry, appreciation does not pay bills.
Re:DARPA "funded" !? SETI @ Home (Score:2, Insightful)
True, but also true of most work being done for Free & Open Source software.
Just look at how many people got seriously enthusiastic about their SETI @ Home rankings. That doesn't pay the bills either, and it uses real electricity.
If they could just find a way to tap into _that_ enthusiasm. Maybe all they need to do is put up a brightly-colored blinking screensaver whenever someone found a bug . . .
Re:DARPA "funded" !? SETI @ Home (Score:5, Insightful)
Ah give me a break!
As someone who has written [modpython.org] open source software, I can tell you that there is no enthusiasm that you "tap into".
When you are an agency that is part of a department of the government whose budget is in the billions (or is it trillions?), no sane "enthusiast" is going to do jack for you for "appreciation", especially when you are a military organization...
But even if this wasn't DOD we were talking about, I find the assumption that people will perform valuable services for simple recognition just plain weird. People who think this way just don't get it - you want someone to do something for you, you pay for it.
When I feel like releasing code to the public is a good idea, I will do it, but don't think that I am some sort of an OSS monkey who jumps at every opportunity to work for free!
Shoe's On The Other Foot (Score:4, Interesting)
Re:Shoe's On The Other Foot (Score:2, Informative)
#1. Buy CD from the store. Cost, $20. The artist w
Re:Shoe's On The Other Foot (Score:2)
It's just too easy to procrastinate after you have what you wanted.
That said, I think you overestimate what the RIAA pays the average artist. (Not what they claim to pay them, but they do funny things with accounting. And they won't let anyone check their books. Well, not without a lawsuit, and getting plenty of time to make things look right.)
Re:Shoe's On The Other Foot (Score:3, Informative)
Re:DARPA "funded" !? (Score:3, Insightful)
Just my two cents...since Darpa won't give me $100k...or 2 dollars. I want my two dollars.
Re:DARPA "funded" !? (Score:2)
The key distinction is whose initiative it is: I can do something nice for you, seeking nothing but a thank you. But it doesn't mean that you can now ask me to do something and expect that it will cost you a mere thank you.
Re:DARPA "funded" !? (Score:2)
Really? A big portion of the Open Source business is predicated upon this.
As someone who has done a small amount of OS coding, I think the motivation really is to scratch one's own itch.
The OS work I'm doing right now is to adapt software to my specific needs. Of course, I recognize that others may have the same itch, so I release the code.
Because I value craftsmanship in its own right, I also attempt to make it usable for someone other than me (by using stand
never heard of it! (Score:5, Interesting)
I'm a sysadmin that secures plenty of mission-critical Linux (and FreeBSD) boxes, and I *thought* I kept on top of all the security news, I'd never heard of this project!
Oh well! Try try again...
Re:never heard of it! (Score:2, Informative)
Let's be honest (Score:5, Insightful)
Re:Let's be honest (Score:3, Interesting)
Not necessarily. I know a number of programmers who read code to learn how it works. They aren't auditing directly, just looking to see how/if they can use something in their own code. Programmers are lazy; if they can use someone else's debugged work they will.
There is far too much code to write, without wasting time re-inventing the wheel.
Re:Let's be honest (Score:5, Funny)
Don't forget we live in a world where people collect stamps..
Re:Let's be honest (Score:2)
Re:Let's be honest (Score:3, Informative)
What the AC in post #8154783 [slashdot.org] seemed to be trying to say is that the leader of the OpenBSD project turned off network-accessible services in the default install, is not forthcoming with the details of these security-related modifications, and acts in a self-promotional manner.
I don't actually agree with this characterization of OpenBSD; I'm simply trying to provide a translation for the curious. I don't think the AC is using stunningly effective debate technique, either.
Re:Let's be honest (Score:2)
Still A Good Idea (Score:5, Insightful)
Re:Still A Good Idea (Score:3, Informative)
Too bad that the real work to be done here was largely undertaken previously by the "Kernel Janitors" [kerneljanitors.org]. This is a genuinely community-based effort, designed EXACTLY to remediate the less-than-glorious issues within existing kernel trees.
And, Hey!
They are training aspiring kernel developers, who can hone their skills and become intimately familiar with kernel internals by contributing in a meaningful way! Even if it's just repairing bad use of whitespace...
Re:Still A Good Idea (Score:2)
Well, there's your problem. Nobody is particularly interested in making a name for Crispin-whoever through working their arse off on unglamorous bugs. People are quite happy to work under their own names and on the existing projects.
Thankless task indeed . . . (Score:5, Interesting)
It does seem to be a thankless task. For a new guy on a project, criticizing the leaders' work doesn't seem a good way to gain influence. For an old contributor, you might feel compelled to add functionality the userbase is demanding.
Interestingly, the OpenBSD [openbsd.org] project has put a lot of effort into auditing, and they also have a reputation of being somewhat, um, "grouchy". I wonder if there's some correlation?
Re:Thankless task indeed . . . (Score:2, Interesting)
They talk a good game but let's face it, if you don't run any services on any platform it's about as secure as an OpenBSD install is out of the box. That's not exactly securing the code through audit, it's just locking down a box.
I like what they are saying they are doing but I have no idea what it is they are changing or why those changes make OpenBSD any more secure than anything else.
Re:Thankless task indeed . . . (Score:2, Interesting)
<offtopic>Your comments are discussion-worthy! Why post as an AC? I've been reading /. since at least 1998, but never got around to signing up and commenting properly. I'm glad I finally did, but I could have had bragging rights with one of those low UIDs if I had registered earlier.</offtopic>
Anyway, I see these comments often enough so I suppose they merit some response. I'm not sure I'm the one to do it, but anyway . . .
Re:Thankless task indeed . . . (Score:3, Insightful)
Hmm, you're right it did. I don't think there was an official reason given, but many attribute it to the OpenBSD leader saying less-than-supportive things about American military policy.
Or I suppose it could be that DARPA simply doesn't want people to have genuinely secure software. But that would be a conspiracy theory, wouldn't it?
Re:Thankless task indeed . . . (Score:2)
Anyway, after they offered him the money, he said yeah, thanks, your money would be best spent on OpenBSD. So Jonathan Smith was going to give it to Theo De Raadt.
Theo said some very mild things to the press, but it caught aflame and the che
Re:Thankless task indeed . . . (Score:3, Informative)
"Timing the Application of Security Patches for Optimal Uptime". Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, Chris Wright, and Adam Shostack. Presented at the USENIX 16th Systems Administration Conference (LISA2002) [usenix.org], Ph
No reason to play the NSA game... (Score:5, Interesting)
Perhaps this is because for most of the (incredibly smart) people who make contributions to Linux kernel development, it's not about points? Now if they had attached MONEY value to those points, maybe the result would have been different; I mean at least SOME motivation to play the NSA game.
If a project falls.... (Score:4, Interesting)
I know Crispin Cowan personally, and I have never heard of this project! Maybe some of the DARPA funding should have gone to advertising, publicity, or (God forbid) Marketing?
Re:If a project falls.... (Score:2, Insightful)
Sardonix web site [sardonix.org] (Why isn't this on the front page?)
List of vulnerabilities [sardonix.org]
Subscribe to the Mailing list [sardonix.org]
Become an auditor [sardonix.org]
Audited programs [sardonix.org]
Unaudited programs [sardonix.org]
(Yes, I just linked the left menu in www.sardonix.org [sardonix.org]. Isn't that what marketing is all about after all?)
Guys, this is important. This needs to be promoted everywhere. I'm thinking of translating their website - can some Spanish people help?
It's NOT that bored. It CAN'T be that bored. Hell, there're d
Re:If a project falls.... (Score:3, Informative)
All the conspiracy theory noise on this topic is just a load of crap. DARPA didn't cut us off for any spooky reason, the contract just ended on schedule. I did my best to market the project to suitable audiences, but it never caught on. I'm still all for making it work, but I no longer have Federal money to pay for it, so its now all-volunteer.
Crisp
Securityfocus batting .500 (Score:5, Interesting)
They should have a volunteer review process to catch spelling mistakes...
Re:Securityfocus batting .500 (Score:2)
I chose his OGI Faculty page - you can choose your own
Definition of root word tells all. (Score:4, Interesting)
sardonic (sar-dnk) adj.
Scornfully or cynically mocking.
See Synonyms at sarcastic.
Damn... (Score:2)
Curses! Foiled again.
Doomed from the start (Score:5, Insightful)
Re:Doomed from the start (Score:2)
I wonder if there are any legal implications to this? Funding an OSS project in an indirect manner?
Re:Doomed from the start (Score:2)
You know what I do all day at "work"? I write python code. Python happens to be my favorite language but I HATE GOD DAMNED DATABASE PROGRAMMING. Guess what though? It pays the bills :)
When I work on open source software, I want to do something I believe in or something I'm good at or something that I want to see done. Not something the NSA wants to see done, that's a lot like "work" and a lot
geek.paranoia++; (Score:5, Insightful)
Not to mention the job is thankless, it's an infinite loop of paranoia and nit-picking.
code.insecure = true;
while (code.insecure) {
    geek.paranoia++;
    geek.review(code);
}
solution (Score:2)
Maybe nobody took the idea seriously (Score:5, Funny)
Too low profile (Score:4, Informative)
Re:Too low profile (Score:4, Interesting)
Project remit: appropriation increase? (Score:3, Interesting)
competitive shit work (Score:2, Insightful)
Isn't this OSS's strongest argument? (Score:2, Interesting)
Mod me down -50....I don't care anymore, my faith is lost.
That's not OSS's strongest argument (Score:2)
"OSS's strongest argument", as you put it, is that people who use the code will find the bugs, fix the bugs, and share the fixes. I fix a bug that may affect you, you fix a bug that may affect me, we both benefit; so does the guy that hasn't run into either bug yet.
But Crispin Cowan scratches his head because the few people who heard of his project thought comin
I love sitting down and reviewing other's code. (Score:2, Interesting)
Rather than fixing broken code, why don't we teach some people how to write decent programs? Maybe put up some documentation of some common security flaws and how people could have avoided coming near them by structuring their code differently.
I know some code needs to be fixed, but let's face it, most people aren't willing to do it. There are a few unappreciated people out there who do this, and their job would be easier if people kne
Re:I love sitting down and reviewing other's code. (Score:2, Informative)
There are some obvious things you can do, but on a sufficiently complex project, it's impossible to think of every possible use or misuse of the resulting code. Hell, some exploitable stuff is injected by the compiler.
Sardonyx is NOT a good name for this project. (Score:3, Funny)
Who 'lead' the project, Ctuchik The Grolim High Priest?
------>
Ok, ok... I'm a dork. Read David Eddings' "Belgariad" and "Malloreon" though - they make for a great read.
Sardonix had some value (Score:3, Interesting)
Sardonix got me interested in source code auditing, but I didn't like the reputation model [xwell.org]. It's been more interesting to just do it; while so far I haven't found anything in the packages I've audited (and haven't bothered to report), it's taught me a lot about auditing in general and so I've found multiple vulnerabilities in various web packages I use both personally and professionally.
If you want to encourage source code auditing, then the current system needs to be mended just a bit: as long as researchers are disdained by vendors who don't want to give credit for the problem or even prosecute folks who were kind enough to let them know about the vulnerability of their software, then there's going to be a chilling effect. That's what leads to the disclosure impasse that many find themselves in: disclose to the vendor first and not get credit, or disclose to the public first and get criticized?
It never helped me get started (Score:5, Interesting)
I visited the site a few times, but didn't see anything to help me get started. Just some "we need to get project X reviewed". Then a complex point system that sounded motivating, but didn't do anything.
I just wanted to get started. All they said was "read this code and look for problems". No duh, but how about some examples. Some help. I'd learn much more if 30 people read one file, each commented on it, and I could read them all. Once I learn to think of everything 30 people think of (who have experience reading code) I'll do some more on my own. Nothing gets me started though. I'm an okay programmer (better than most really, but that isn't saying much considering the typical programmer I've seen), and I need to learn how to do this. How do expert code reviewers think?
I just got back from wineconf. Alexander personally reads every single line that is committed to Wine. I know it can be done, but I need experience before I could possibly do that, and no one bootstraps me to get the experience.
I understand this is a hard thing. I've developed before, and I can't document my code any better than anyone else. They made it their stated goal to help me, but then never did anything useful.
Business plan (Score:2, Funny)
2. Document all critical security vulnerabilities
3. Do not report any bugs
4. ???
5. Profit!
Augment, Not "Replace" (Score:5, Insightful)
Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc. [immunix.com]
A few reasons why... (Score:5, Insightful)
First, they widely advertised it and then took forever to get the site going. I think most people had forgotten about it or given up on it by that point. And then they never publicized it again. (Specifically, it was initially slashdotted on 6 Feb 2002 [slashdot.org]. On 13 Oct 2002, a message on the Sardonix mailing list mentioned that it had been mostly live for a couple weeks, and that the point system still wasn't online. No wider announcement.)
Second, all the packages listed there for review were fairly well-respected blocks of code written by skilled coders. Consequently, most of the reviews were of the form "yup, this code essentially looks good". They were also extremely large projects, so people said "I didn't do a full review; I just tried this automated tool". It doesn't really mesh up with what he said in the article:
There was no "making software more secure [...] eventually finding no bugs"; I don't think anyone ever really found a significant bug through this project.
If they had targeted lots of small projects on freshmeat (like web stuff - PHP, mod_perl, JSP/servlet, etc.), it would have been much more interesting. Those projects have all kinds of security bugs. They could have taught the people in question some good security practices and actually accomplished what they set out to do. Maybe they would have eventually branched out into certifying these infrastructure projects, but it wasn't a good initial goal.
Lastly, who knows what they did with that DARPA funding. Plenty of open source projects with no funding do much more impressive work than that website, and in much less time, too.
code audits (Score:4, Insightful)
Why? Because auditing code is
* difficult and tricky
* unrewarding
* lots of hard work
It simply isn't something you want to do unless you are as passionate and fanatic about your project as the OpenBSD guys are.
Re:Classic misdirection (Score:4, Funny)
Re:Classic misdirection (Score:2, Funny)
Re:Classic misdirection (Score:3, Insightful)
It's so incredible, with all the evidence of government deceit and treachery all around us that we would still have people giving them the benefit of the doubt!
Power corrupts, and absolute power corrupts absolutely, and our government is as close to wielding absolute power as anyone ever has.
And you want to trust them to coordinate auditing open-source software? I can't imagine a more naive posture to take!
Re:Classic misdirection (Score:3, Insightful)
I know! It's very exciting, isn't it!
Power corrupts, and absolute power corrupts absolutely, and our government is as close to wielding absolute power as anyone ever has.
I know! Who knows, they may even invent a device that allows them to maintain communictation even in the event of a nuclear war, allowing them to continue to assemble and at
Re:Classic misdirection (Score:2)
Beautiful.
Re:Classic misdirection (Score:5, Informative)
Check the FAQ [crypt.gen.nz]
Re:Classic misdirection (Score:3, Interesting)
They don't have to touch the code, in fact, for exactly the reasons you offer, it is best that they don't. But that doesn't mean they can't use their considerable CPU resources to catalog its vulnerabilities.
Re:Classic misdirection (Score:3, Insightful)
If they have such considerable resources that they can catalog all the vulnerabilities of Windows and Linux systems, why go through the charade? They can just perform their calculations behind the scenes.
You sound like a typical paranoid nerd.
Re:Classic misdirection (Score:2)
Ok, that has to be the most uninformative post ever to rake in an Informative. I do know what it's worth [ohiomulch.us]. Gimme Score: 5!
By the way, doesn't anyone understand the difference between "DARPA-funded" and having Donald Rumsfeld whisper orders in your ear while you code?
You are right (Score:4, Insightful)
Re:Classic misdirection (Score:5, Insightful)
The question I have is this: If there are hundreds of invisible exploits in the SELinux kernel, how are we to know that the same situation doesn't exist in OpenBSD?
Furthermore, how are we to be certain that OpenBSD (oft touted as the most secure OS in the world, and I'll certainly grant it's one of the most secure out of the box OS's I've ever seen) isn't some clandestine creation of the NSA created to lull paranoid psychotics into believing that they were secured against intrusion?
Re:Classic misdirection (Score:3, Interesting)
I never asserted anything of the kind. SELinux is about implementing access control, which has little if anything to do with enhancing the kind of security being discussed here, i.e., getting root.
: If there are hundreds of invisible exploits in the SELinux kernel, how are we to know that the same situation doesn't exist in OpenBSD?
OpenBSD has made a big deal about auditing its code, looking for all the potential vulnerabilities. Linux tends
Re:Classic misdirection (Score:4, Informative)
But access control is very much related to stopping exploits. A good set of access controls (SELinux or LIDS or RSBAC or the like) means that when, say, apache gets exploited, the attacker can't do any real damage and certainly can't fork a command shell.
It means that when your mail client gets exploited through an attachment type hole, the executed attachment can't access your address book or send mail itself. All good stuff.
It also means that very few programs need to be run as root thus providing even fewer avenues for the attacker to use.
- Muggins the Mad
Re:Classic misdirection (Score:4, Insightful)
Well, this would indicate to me that you have no idea what issues SELinux might or might not address. Perhaps you should research the topics of your closely held opinions somewhat. From the FAQ [nsa.gov]:
I would say this rather soundly addresses the concept of "getting root", wouldn't you?
This is exactly the situation that SELinux hopes to address, isn't it?
Come on, that one is too easy... the security of the parent system has absolutely nothing to do with the security of an isolated data stream - i.e., email, instant messenger, http, ftp - you name it. SELinux also does little to address the security of daemons like, say, MySQL - it simply isolates the components so that a compromise of the apache code doesn't translate to a compromise of the system.
There is also the fact that the NSA and DARPA don't have to work to compromise our security - after all, the RIAA and MPAA may engineer us into a government-controlled cryptographic system with government (or copyright holder!) held keys - for Intellectual Properties enforcement, of course.
Re:Classic misdirection (Score:2, Troll)
No, I wouldn't. I was using the term "getting root" as slang for entering a system. We're dealing with semantics here. SELinux wants to say there is no root, but it really doesn't matter what they call it, there are still accounts and the same exploits that lead to the compromising of one account can cascade into the compromising of other accounts.
the security of the parent system has absolutely nothing to do wit
Re:Classic misdirection (Score:2)
Way to dodge! Unfortunately, 'getting root' has a very specific meaning. Compromising a user account with an ID other than 0 is NOT 'getting root', no mat
Re:Classic misdirection (Score:3, Informative)
Perhaps because their mission also includes improving the information security of their own nation?
Re:Classic misdirection (Score:2)
I could see it being true for DARPA, but then, if they were really interested in improving the information security of the U.S., then why renege on the grants/funding for OpenBSD, an OS that is frequently reputed to be one of the--if not the most--secure OS's out there?
I guess it comes down to this: do you trust your government?
Re:Classic misdirection (Score:2)
Err, actually, it is. Remember, this is a governmental organization; there's quite a bit of left hand/right hand disconnect.
I could see it being true for DARPA, but then, if they were really interested in improving the information security of the U.S., then why renege on the grants/funding for OpenBSD, an OS that is frequently reputed to be one of the--if not the most--secure OS's out there?
Eh? So they fund something for a while, and then they stop, and from
Re:Classic misdirection (Score:2)
Re:Classic misdirection (Score:4, Insightful)
I would say it's a stretch to call the Defence Advanced Research Projects Agency an organization dedicated to eavesdropping and intelligence gathering. Their entire purpose is simply to research things that might be useful to the Department of Defence; however, I will grant you that a large part of what the DoD does is intelligence gathering and eavesdropping -- but it's part of their job, and they don't really shy away from telling the citizens that. On top of all that, if you're going to be so overly paranoid about government involvement in public projects, then why in the hell are you using the internet anyways? It began its life as a DARPA project, as research into self-healing networks.
Also, the NSA isn't dedicated to eavesdropping or intelligence gathering. If you read their original charter, it seems that it was originally created to help organize and distribute intelligence information gathered from the various intelligence agencies working for the US. That isn't all they do either; as this country has changed and their existence has become more widely known, their role has changed somewhat as well. Specifically, they also play a role in securing this country (meaning its citizens, businesses and government) from foreign attack, espionage, and intelligence gathering/manipulation. They are, after all, the National Security Agency.
So, as part of the ideal of securing the nation, they decided that it would be a good idea to make a highly securable operating system available to the public (meaning its citizens, businesses and government) for free. Given that, it's not too hard to see why they chose Linux as their candidate: it's already available freely, it's already somewhat securely designed, and it already implements a unix-style user-based security model. Not only that, but they realized that for the system to be truly secure, its source code and thus its development also had to be open to the public and freely available.
I don't think there is any doubt that the NSA has been entirely up front with everyone on this. If it weren't the case, there is no way that the SELinux security model would be included in Linux today, and I don't see any directives from the Ministry Of Coding demanding its implementation. On the other point, DARPA was just throwing around some research money (it's what they do best) and decided that this project might turn out something useful; they were wrong, but it didn't really seem as if they had any opportunity for misdirection anyways.
Re:Classic misdirection (Score:2)
They get free hosting and bandwidth from the U of Alberta. The U of Alberta uses Solaris.
Re:Classic misdirection (Score:2, Funny)
You've fallen right into their trap.
You've fallen victim to one of the classic blunders. The most famous is never get involved in a land war in Asia.
But only slightly less well known is this: never go in against a Sicilian when (FreeBSD) death is on the line.