lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <Pine.LNX.4.64.0603141011130.25215@forced.attrition.org>
Date: Tue Mar 14 15:12:02 2006
From: jericho at attrition.org (security curmudgeon)
Subject: US Government Studies Open Source Quality


(I recommend you read the original, as many parts of the text are links to 
other resources)

http://www.osvdb.org/blog/?p=104

US Government Studies Open Source Quality

"US Government Studies Open Source Quality" reads the SlashDot thread, and it 
certainly sounds interesting. Reading deeper, it links to an article by the Reg 
titled "Homeland Security report tracks down rogue open source code". The 
author of the article, Gavin Clarke, doesnt link to the company who performed 
the study (Coverity) or the report itself. A quick Google search finds the 
Coverity home page. On the right hand side, under Library, there is a link 
titled "NEW >> Open Source Quality Report". Clicking that, you are faced with 
"request information", checking the Open Source Quality Report box (one of 
seven boxes including Request Sales Call as the first option, and Linux 
Security Report is the default checked box), and then filling out 14 fields of 
personal information, 10 of which are required.

So, let me get this straight. My tax dollars fund the Department of Homeland 
Security. The DHS opts to spend $1.24 million dollars on security research, by 
funding a university and two commercial companies. One of the commercial 
companies does research into open source software, and creates a report 
detailing their findings. To get a copy of this report, you must give the 
private/commercial company your first name, last name, company name, city, 
state, telephone, how you heard about them, email address, and a password for 
their site (you can optionally give them your title, and describe your 
project).

Excuse me, but it should be a CRIME for them to require that kind of personal 
information for a study that I helped fund via my tax dollars. Given this is a 
study of open source software, requiring registration and giving up that kind 
of personal information is doubly insulting. Coverity, you should be ashamed at 
using extortion to share information/research that should be free.

Even worse, your form does not accept RFC compliant e-mail addresses (RFC 822, 
RFC 2142 (section 4) and RFC 2821). Now I have to add your company to my "no 
plus" web page for not even understanding and following 24 year old RFC 
standards. HOW CAN WE TRUST ANYTHING YOU PUBLISH?!

Oh, if you dont want to go through all of that hassle, you can grab a copy of 
the PDF report anyway.

http://osvdb.org/ref/blog/open_source_quality_report.pdf

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ