[ISN] DHS & Your Tax Dollars

InfoSec News isn at c4i.org
Thu Jan 12 04:27:19 EST 2006


Forwarded from: security curmudgeon <jericho at attrition.org>

http://www.osvdb.org/blog/?p=83

DHS & Your Tax Dollars

http://news.com.com/Homeland+Security+helps+secure+open-source+code/2100-1002_3-6025579.html

   Through its Science and Technology Directorate, the department has given
   $1.24 million in funding to Stanford University, Coverity and Symantec
   to hunt for security bugs in open-source software and to improve
   Coverity's commercial tool for source code analysis, representatives for
   the three grant recipients told CNET News.com.

   The Homeland Security Department grant will be paid over a three-year
   period, with $841,276 going to Stanford, $297,000 to Coverity and
   $100,000 to Symantec, according to San Francisco-based technology
   provider Coverity, which plans to announce the award publicly on
   Wednesday.

   The project, while generally welcomed, has come in for some criticism
   from the open-source community. The bug database should help make
   open-source software more secure, but in a roundabout way, said Ben
   Laurie, a director of the Apache Foundation who is also involved with
   OpenSSL. A more direct way would be to provide the code analysis tools
   to the open-source developers themselves, he said.

So DHS uses $1.24 million to fund a university and two commercial 
companies. The money will be used to develop source code auditing tools 
that will remain private. Coverity and Symantec will use the software on 
open-source software (which is good), but it is arguably a huge PR move to 
help grease the wheels of the money flow. Coverity and Symantec will also 
be able to use these tools for their customers, which will pay them money 
for this service.

Why exactly do my tax dollars pay for the commercial development of tools 
that are not released to the public? As Ben Laurie states, why can't he get 
a copy of these taxpayer-funded tools to run on the code his team 
develops? Why must they submit their code to a commercial third party for 
review to get any value from this software?

The date of this announcement, coupled with the announcement of 
Stanford's PHP-CHECKER, makes me wonder when the funds started rolling. 
There are obviously questions to be answered regarding Stanford's project 
(that I already asked). This also makes me wonder what legal and ethical 
questions should be asked about tax dollars being spent by the DHS, for a 
university to fund the development of a security tool that could 
potentially do great good if released for all to use.

It's too bad there is more than a year-long wait for FOIA requests made to 
the DHS.
