It is reported that the US Department of Homeland Security is spending $1.24
million to "hunt for security bugs in open-source software"....

From a "spin" standpoint, you have to wonder why the government is spending
$1.24 million to "hunt for security bugs in open-source software", a phrase
that conjures up images of security bugs just waiting to be discovered,
while a different spin could have been to "assess the level of security of
open-source software", a phrase conjuring up a more accurate picture of
something that is secure, but "how secure"?

Given that much of the US government is for sale to the highest bidder, is
it too paranoid to wonder if Microsoft has dumped a vast pile of cash into
corrupt government officials' hands to get them to attack Linux and
OpenOffice.org?  How better to do this than to come up with "evidence"
through a "study" claiming that open source software is dangerous?

RM


Ref. 1

http://blogs.zdnet.com/BTL/index.php?p=2394

Between the Lines
January 11, 2006
What if Microsoft is right? (about open source insecurities)
Posted by David Berlind @ 9:21 am

Over the last few years, particularly as server-based deployments have eaten
away at the software giant's bottom line, Microsoft has routinely derided
open source software as being less secure than its own closed-source
proprietary offerings.  Microsoft executives used to routinely take
security-related pot shots at Linux and more recently (a little less than a
year ago), the company funded a study (the findings of which were presented
at last year's RSA conference under dubious conditions) that backed up
Microsoft's long standing assertions that Linux is riskier than Windows.

    <digression>Even when vendors leave the methodologies behind such
studies up to the researchers, I take them with a grain of salt.  That's
because the vendor controls whether the study gets published or not.  In
other words, if the results don't favor the vendor(s) who commission the
studies, those studies almost never see the light of day. </digression>

Now, with its increasing reliance on open source software, the US Government
(Dept. of Homeland Security) wants to get to the bottom of the burning
question, according to News.com:

    The U.S. Department of Homeland Security is extending the scope of its
protection to open-source software…Through its Science and Technology
Directorate, the department has given $1.24 million in funding to Stanford
University, Coverity and Symantec to hunt for security bugs in open-source
software and to improve Coverity's commercial tool for source code
analysis….The list of open-source projects that Stanford and Coverity plan
to check for security bugs includes Apache, BIND, Ethereal, KDE, Linux,
Firefox, FreeBSD, OpenBSD, OpenSSL and MySQL….

No matter how this news is sliced, it isn't good for providers of commercial
alternatives to these open source products.  Nor is the timing.  If there
are security problems (as Microsoft has long asserted), this program is
certain to root many of them out to a point that, from a security
perspective, the aforementioned open source projects would be on par with
their closed-source counterparts (if they're not there already…. which
many believe they are) or even worse, improve them beyond the securability
of those closed-source counterparts.  OK. So, what can $1.24 million really
get you.  10 bug fixes?  20?  100?   Even so, what could be worse for
competitors to open source than the US government taking measures to make
open source even better.  Not only that, but the move comes at a time when
Microsoft, which itself has taken a beating on the security front, is
looking to improve its own security image, relatively speaking.
