Information Security News mailing list archives

DARPA-funded Linux security hub withers


From: William Knowles <wk () c4i org>
Date: Mon, 2 Feb 2004 04:35:25 -0600 (CST)

http://www.theregister.co.uk/content/55/35262.html

By Kevin Poulsen
SecurityFocus
Posted: 01/02/2004 

Two years after its hopeful launch, a U.S.-backed research project
aimed at drawing skilled eyeballs to the thankless task of open-source
security auditing is prepared to throw in the towel.

Initially funded by a research grant from the Pentagon's Defense
Advanced Research Projects Agency (DARPA), the Sardonix project
aspired to replace the loosely-structured Linux security review
process with a public website that meticulously tracks which code has
been audited for security holes, and by whom.

As conceived by Oregon-based computer scientist Crispin Cowan,
Sardonix was to attract volunteer auditors by automatically ranking
them according to the amount of code they've examined, and the number
of security holes they've found. Auditors would lose points if a
subsequent audit by someone else turned up bugs they missed.

Cowan hoped that the system would produce the same cocktail of
goodwill and computer-judged competition that fuels other successful
geeky endeavors, from the distributed computing effort that recognizes
top producers in the search for new prime numbers, to the "karma"  
points awarded highly-rated posters on the news-for-nerds site
Slashdot.

In the end, though, nobody showed up.

"I got a great deal of participation from people who had opinions on
how the studliness ranking should work, and then squat from anybody
actually reviewing code," says Cowan, chief research scientist at
WireX Communications.

The project's DARPA funding ran out nine months ago, and the website
lingers as a mostly-abandoned husk. The only code audits on the site
were performed by a handful of graduate students directed to the task
by David Wagner, a computer science professor at U.C. Berkeley.

Cowan believes Sardonix was a casualty of security community culture,
which he says rewards researchers who find clever or splashy holes in
a program, but not those who make software more secure. "The Bugtraq model
is: find a bug, win a prize -- a modest amount of fame," says Cowan.
"Our model is: review a whole body of code, eventually finding no
bugs, and receive a deeper level of appreciation from people who use
the code.

"It seems the Sardonix lesson is people don't want to play this game,
they want to play the Bugtraq game."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.