[ISN] U.S. military helps fund Calgary hacker

From: InfoSec News (isnat_private)
Date: Mon Apr 07 2003 - 01:43:16 PDT


    http://www.globetechnology.com/servlet/story/RTGAM.20030406.whack46/GTStory
    
    By DAVID AKIN
    Globe and Mail
    April 6, 2003
    
    The U.S. military believes the work of a Calgary hacker may be its
    best bet to protect its computer networks from so-called
    cyber-terrorist attacks. And although Theo de Raadt is happy to have
    more than $2-million (U.S.) in research support from the U.S.
    military's research and development office, the source of that funding
    has made him more than a little uneasy.
    
    "I actually am fairly uncomfortable about it, even if our firm 
    stipulation was that they cannot tell us what to do. We are simply 
    doing what we do anyways - securing software - and they have no say in 
    the matter," Mr. de Raadt said in a recent e-mail exchange. "I try to 
    convince myself that our grant means a half of a cruise missile 
    doesn't get built."
    
    The grant comes from the U.S. Defense Advanced Research Projects 
    Agency (DARPA), the R&D arm of the U.S. military, whose most widely 
    known invention would be the Internet. For this grant, DARPA is 
    interested in testing the security of commercial software systems 
    against the security of open source software projects.
    
    Mr. de Raadt leads development of an open source project called 
    OpenBSD. It is a computer operating system, used most often to power 
    the large server computers that run corporate networks or Web sites. 
    OpenBSD, a derivative of the Unix operating system, is widely 
    considered by computer experts to be the most resistant to 
    unauthorized use.
    
    "We were convinced OpenBSD was the best platform to use as a basis for 
    further securing open source," said Jonathan Smith, a professor of 
    computer and information science at the University of Pennsylvania.
    
    Because DARPA does not directly fund projects outside the United 
    States, it is Mr. Smith's computer science department that received 
    the grant, although most of the money - $2.3-million - flows through 
    to Mr. de Raadt's project.
    
    Although Microsoft Corp., whose Windows products are the world's 
    dominant operating system products, and many other commercial software 
    vendors are paying new attention to the security of their products, 
    that renewed interest has done little to improve their products so 
    far, Mr. de Raadt said.
    
    "Low code quality keeps haunting our entire industry. That, and sloppy 
    programmers who don't understand the frameworks they work within. 
    They're like plumbers high on glue," Mr. de Raadt said.
    
    Microsoft, for example, has issued 68 security bulletins or alerts for 
    its products in the past year, better than one a week. OpenBSD, which 
    does not develop as many products as Microsoft, says only one 
    vulnerability or hole has been found in its software in the past seven 
    years. OpenBSD has been created largely through the work of volunteers 
    over its seven-year existence.
    
    The DARPA grant enabled Mr. de Raadt to add the equivalent of four 
    full-time developers to supplement the work of about 80 volunteers. 
    And although he's happy about the extra support for the project, he's 
    nervous that critics may get the idea he's working for the U.S. 
    military.
    
    "We're not doing anything for them. They just fund us to do what we 
    do," said Mr. de Raadt, a 35-year-old graduate of the University of 
    Calgary's computer science program. Mr. de Raadt is no fan of the U.S. 
    military at the moment. He calls the war in Iraq an oil grab. "It just 
    sickens me."
    
    He also notes that the software his group develops is made available 
    free of charge via Internet download or for a nominal fee on CD. The 
    next major upgrade to the software, version 3.3, will be released on 
    May 1. Because OpenBSD is often used in computing environments where 
    security is a top concern, OpenBSD users are often reluctant to 
    identify themselves. But Mr. de Raadt's group said that in addition to 
    running the servers for several branches of the U.S. military, 
    including the Pentagon, OpenBSD is also installed on the servers the 
    U.S. Department of Justice uses to track and catch hackers and 
    so-called cyber-terrorists.
    
    OpenBSD is also used by the University of Alberta, the University of 
    Minnesota, Adobe Systems Inc. and FSC Internet Corp. of Toronto. More 
    than 50,000 copies of OpenBSD have been downloaded from the project's 
    servers in the past six months.
    
    Corrections Canada, Health Canada, Parliament and the Canada Customs 
    and Revenue Agency are among the federal users that have downloaded 
    the software, although it's not clear if it is being used by them.
    
    OpenBSD is one of several open source operating systems, the most 
    famous of which is Linux. The source code for the software is open or 
    uncompiled, which means any software programmer can examine the code 
    and can make changes before it is formatted to run on a computer. 
    OpenBSD is a variant of a kind of Unix-based operating system known as 
    BSDs, short for Berkeley Software Distribution.
    
    The software traces its roots to projects that began in the 1970s at 
    the University of California at Berkeley. Mr. de Raadt, who's been 
    working full-time on the OpenBSD project for seven years, pays his own 
    bills with the money from the sale of the CDs - he sells about 8,000 a 
    year - as well as from selling OpenBSD T-shirts and other 
    paraphernalia.
    
    
    David Akin is national business and technology correspondent for CTV 
    News and a contributing writer to The Globe and Mail.
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    