[attrition] DHS & Your Tax Dollars
security curmudgeon
jericho at attrition.org
Wed Jan 11 07:29:45 EST 2006
http://www.osvdb.org/blog/?p=83
DHS & Your Tax Dollars
http://news.com.com/Homeland+Security+helps+secure+open-source+code/2100-1002_3-6025579.html
Through its Science and Technology Directorate, the department has given
$1.24 million in funding to Stanford University, Coverity and Symantec
to hunt for security bugs in open-source software and to improve
Coveritys commercial tool for source code analysis, representatives for
the three grant recipients told CNET News.com.
The Homeland Security Department grant will be paid over a three-year
period, with $841,276 going to Stanford, $297,000 to Coverity and
$100,000 to Symantec, according to San Francisco-based technology
provider Coverity, which plans to announce the award publicly on
Wednesday.
The project, while generally welcomed, has come in for some criticism
from the open-source community. The bug database should help make
open-source software more secure, but in a roundabout way, said Ben
Laurie, a director of the Apache Foundation who is also involved with
OpenSSL. A more direct way would be to provide the code analysis tools
to the open-source developers themselves, he said.
So DHS uses $1.24 million dollars to fund a university and two commercial
companies. The money will be used to develop source code auditing tools
that will remain private. Coverity and Symantec will use the software on
open-source software (which is good), but is arguably a huge PR move to
help grease the wheels of the money flow. Coverity and Symantic will also
be able to use these tools for their customers, which will pay them money
for this service.
Why exactly do my tax dollars pay for the commercial development of tools
that are not released to the public? As Ben Laurie states, why cant he get
a copy of these tax payer funded tools to run on the code his team
develops? Why must they submit their code to a commercial third party for
review to get any value from this software?
Given the date of this announcement, coupled with the announcement of
Stanfords PHP-CHECKER makes me wonder when the funds started rolling.
There are obviously questions to be answered regarding Stanfords project
(that I already asked). This also makes me wonder what legal and ethical
questions should be asked about tax dollars being spent by the DHS, for a
university to fund the development of a security tool that could
potentially do great good if released for all to use.
Its too bad there is more than a year long wait for FOIA requests made to
the DHS.
More information about the attrition
mailing list