funsec mailing list archives

FW: [ISN] DHS & Your Tax Dollars


From: "Henderson, Dennis K." <Dennis.Henderson () umb com>
Date: Thu, 12 Jan 2006 10:28:11 -0600

Anyone care to comment on this?
 


-----Original Message-----
From: isn-bounces () attrition org <isn-bounces () attrition org>
To: isn () attrition org <isn () attrition org>
Sent: Thu Jan 12 03:27:19 2006
Subject: [ISN] DHS & Your Tax Dollars

Forwarded from: security curmudgeon <jericho () attrition org>

http://www.osvdb.org/blog/?p=83

DHS & Your Tax Dollars

http://news.com.com/Homeland+Security+helps+secure+open-source+code/2100-1002_3-6025579.html

   Through its Science and Technology Directorate, the department has
   given $1.24 million in funding to Stanford University, Coverity and
   Symantec to hunt for security bugs in open-source software and to
   improve Coverity's commercial tool for source code analysis,
   representatives for the three grant recipients told CNET News.com.

   The Homeland Security Department grant will be paid over a three-year
   period, with $841,276 going to Stanford, $297,000 to Coverity and
   $100,000 to Symantec, according to San Francisco-based technology
   provider Coverity, which plans to announce the award publicly on
   Wednesday.

   The project, while generally welcomed, has come in for some criticism
   from the open-source community. The bug database should help make
   open-source software more secure, but in a roundabout way, said Ben
   Laurie, a director of the Apache Foundation who is also involved with
   OpenSSL. A more direct way would be to provide the code analysis
   tools to the open-source developers themselves, he said.

So DHS uses $1.24 million dollars to fund a university and two
commercial companies. The money will be used to develop source code
auditing tools that will remain private. Coverity and Symantec will use
the software on open-source software (which is good), but is arguably a
huge PR move to help grease the wheels of the money flow. Coverity and
Symantec will also be able to use these tools for their customers, which
will pay them money for this service.

Why exactly do my tax dollars pay for the commercial development of
tools that are not released to the public? As Ben Laurie states, why
can't he get a copy of these taxpayer-funded tools to run on the code
his team develops? Why must they submit their code to a commercial third
party for review to get any value from this software?

Given the date of this announcement, coupled with the announcement of
Stanford's PHP-CHECKER, it makes me wonder when the funds started rolling.
There are obviously questions to be answered regarding Stanford's project
(that I already asked). This also makes me wonder what legal and ethical
questions should be asked about tax dollars being spent by the DHS, for
a university to fund the development of a security tool that could
potentially do great good if released for all to use.

It's too bad there is more than a year-long wait for FOIA requests made
to the DHS.




