DHS & Your Tax Dollars
Posted by jericho
Through its Science and Technology Directorate, the department has given $1.24 million in funding to Stanford University, Coverity and Symantec to hunt for security bugs in open-source software and to improve Coverity’s commercial tool for source code analysis, representatives for the three grant recipients told CNET News.com.
The Homeland Security Department grant will be paid over a three-year period, with $841,276 going to Stanford, $297,000 to Coverity and $100,000 to Symantec, according to San Francisco-based technology provider Coverity, which plans to announce the award publicly on Wednesday.
The project, while generally welcomed, has come in for some criticism from the open-source community. The bug database should help make open-source software more secure, but in a roundabout way, said Ben Laurie, a director of the Apache Foundation who is also involved with OpenSSL. A more direct way would be to provide the code analysis tools to the open-source developers themselves, he said.
So DHS uses $1.24 million to fund a university and two commercial companies. The money will be used to develop source code auditing tools that will remain private. Coverity and Symantec will use the software on open-source software (which is good), but this is arguably a huge PR move to help grease the wheels of the money flow. Coverity and Symantec will also be able to use these tools for their customers, who will pay them money for this service.
Why exactly do my tax dollars pay for the commercial development of tools that are not released to the public? As Ben Laurie states, why can’t he get a copy of these taxpayer-funded tools to run on the code his team develops? Why must they submit their code to a commercial third party for review to get any value from this software?
Given the date of this announcement, coupled with the announcement of Stanford’s PHP-CHECKER, I wonder when the funds started rolling. There are obviously questions to be answered regarding Stanford’s project (that I already asked). This also makes me wonder what legal and ethical questions should be asked about tax dollars being spent by the DHS for a university to fund the development of a security tool that could potentially do great good if released for all to use.
It’s too bad there is more than a year-long wait for FOIA requests made to the DHS.

Let’s see… $1.24 million would patch what extremely small percentage of gov’t systems over the course of a year? I don’t know, but this is a MUCH smarter allocation of $1.24 million that benefits everybody. It’s great that some gov’t people are moving in this direction, even though it would be much nicer for these tools to be available to everyone.
Don’t get me wrong, I think it is great that the money is being used in a way that has a chance of protecting systems for years to come (fix the problem at the source, early on). I just question why certain companies got the money to do it and why the tools are not available to me when funded by me. What bidding process took place before allocating this money for example?
To continue with Jericho’s line of thought… who decided Symantec and Coverity, as regular corporations, could use our tax dollars? I know several small corporations and one non-profit that could benefit immensely from even a portion of the $1.24 million.
If the answer is ‘no’ to all those questions, the person in charge of that process should really contact me… I have ideas, need money, and would prefer not to have someone pointing out the flaws in my plan. Seriously.