Security Doesn’t Mean Politics, DARPA
Computer security was my main interest way before I got into the politech stuff, and I guess it pushed me in my present direction. I’m not the best offensive hacker, but I’d like to think I run pretty good defense; I know of what I speak (for a change). So when government types start talking security I get skeptical. When they start throwing money around, I get critical. And when they totally screw up where they put their (read: our) money, I get pissed.
And pissed is what I am, presently at DARPA, who just withdrew the remaining portion of the funding they promised to the OpenBSD project.
DARPA’s public reasoning is that too much of the funding was going to non-US coders. This is, of course, a totally inane justification. Regardless of what flag the OpenBSD programmers salute, their code is open for all the world to check for, shall we say, patriotic bias. Okay, forget being coy: it’s open source, and that means any backdoors these guys try to code in will eventually be brought to light. What I’m guessing is going on behind the scenes, however, is that US security companies were pissed that this portion of the post-9/11 security bounty wasn’t going to them. A sad minority of professional security types I’ve met really see security as an ethical priority, and if it’s not ethics at work then it’s likely greed. Ten taxpayer bucks earmarked for infosec says that’s what’s up.
This, of course, comes at that lovely time of the year when the industry calls for more security. It’s an annual ritual: sweeping calls for action within the security industry at the professional conferences, and then drunken indulgence on the company/taxpayer dime with the very folks they’re supposed to be “fighting” when DefCon rolls around. It’s ugly, it’s wrong, and it isn’t getting things more secure. Projects like OpenBSD, which have historically put quality work and methodical testing before commercial flash and even social pleasantries, actually get things more secure. If DARPA cared more about security than politics they’d be putting their money where Theo de Raadt’s loud mouth is. Love him or hate him (and most people hate him), the man gets the job done. And that’s what the government, and the security industry, could use for a change: a job well done.
UPDATE: The Register weighs in with a story on the pulled funding and a superb opinion piece recommending a “harm reduction” approach to stopping crackers, which mentions OpenBSD explicitly.