Related link: http://www.egovos.org/march-2003/index.html

I spent three days in Washington DC this week at the Open Standards/Open Source for National and Local eGovernment Programs in the U.S. and EU conference.

The conference started off with Whitfield Diffie, looking like Gandalf in a 3-piece suit, describing some of the security benefits of open source software and transparency in general. This boils down mostly to the notion
that a secret which is difficult to change is a vulnerability. Cryptosystems
are time-consuming and expensive to develop, so if your security depends on
the secrecy of the system, then you have big problems if that secrecy is
breached. Keys are easier and cheaper to regenerate. If you have to come up
with and distribute a new encryption key because one was compromised, you
have a much smaller headache.
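Diffie's point, that the secret worth keeping is the cheaply replaceable one, is easy to see in code. The following is an added example, not from the post or the talk: a message authenticator whose algorithm (HMAC-SHA256) is public and whose only secret is a key. The walkthrough simulates a key breach and shows that rotating the key is the whole recovery. The message text and the `KeyedAuthenticator` name are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class KeyedAuthenticator:
    """Message authentication whose only secret is a replaceable key.

    Constructed illustration: HMAC-SHA256 is public and fixed; all secrecy
    lives in self.key. Publishing this class costs the defender nothing.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)

    def tag(self, message: bytes) -> str:
        # Anyone may know this construction; without the key they cannot forge.
        return hmac.new(self.key, message, hashlib.sha256).hexdigest()

    def verify(self, message: bytes, tag: str) -> bool:
        # Constant-time comparison so verification itself leaks nothing.
        return hmac.compare_digest(self.tag(message), tag)

    def rotate(self) -> None:
        # Recovery from a key breach: a fresh random key, nothing else changes.
        self.key = secrets.token_bytes(32)


def key_breach_recovery() -> dict:
    """Walk through a key compromise and show that rotation contains it."""
    auth = KeyedAuthenticator()
    genuine_msg = b"transfer 100 to account 42"  # constructed sample message
    genuine_tag = auth.tag(genuine_msg)

    # The breach: a copy of the key leaks. Whoever holds it can compute tags
    # that verify, even though the algorithm was never secret.
    holder_of_leaked_key = KeyedAuthenticator(auth.key)
    other_msg = b"transfer 100000 to account 1337"
    other_tag = holder_of_leaked_key.tag(other_msg)
    accepted_before_rotation = auth.verify(other_msg, other_tag)

    # The fix: regenerate the key. No redesign, no redeployment of code.
    auth.rotate()
    accepted_after_rotation = auth.verify(other_msg, other_tag)
    old_genuine_after_rotation = auth.verify(genuine_msg, genuine_tag)
    fresh_genuine_after_rotation = auth.verify(genuine_msg, auth.tag(genuine_msg))

    return {
        "accepted_before_rotation": accepted_before_rotation,
        "accepted_after_rotation": accepted_after_rotation,
        "old_genuine_after_rotation": old_genuine_after_rotation,
        "fresh_genuine_after_rotation": fresh_genuine_after_rotation,
    }


if __name__ == "__main__":
    for name, value in key_breach_recovery().items():
        print(f"{name}: {value}")
```

Had the secret been the algorithm instead, the same breach would leave no recovery short of designing, reviewing and redeploying a new cryptosystem, which is exactly the expensive headache the talk describes.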

Peter Loscocco talked about NSA’s SELinux project, which adds a
Mandatory Access Control framework to the Linux kernel. What was most
interesting to me about this talk was the discussion of technology transfer
as an explicit part of NSA’s mission. Linux provided a more effective means
for them to accomplish this than previous efforts.

A session presenting the results of a survey of Open Source software in the Department of Defense revealed plenty of examples. However, it seems that concern about licensing hinders its use. This is a story that has been
repeated many times here. A commercial or government organization convenes
their herd of IP lawyers to decide whether using Open Source products would
imperil their rights. Yet hardly any of these organizations are planning to
modify the OSS, and even fewer have redistribution plans. The licenses
shouldn’t be such a concern, but they are. The absence of caselaw regarding
Open Source license enforcement makes this an even murkier area.

Fixing unneeded licensing concerns is mostly a perceptual problem, but a
more substantive one is indemnification. Johan Goossens of
NATO and Rob Page of Zope Corp. gave a presentation of the NATO intranet
system developed on top of Zope. One of the reasons that NATO chose Zope was
that a company stands behind it to indemnify the components in case of patent
problems or other issues. The existence of a corporate backer wasn’t crucial
for support, release management, or other traditional factors cited in
defense of proprietary software (although those are nice), but solving the
indemnification issue was necessary.

Jim Willis gave an excellent talk about products he’s developed for the
State of Rhode Island that enhance citizen access to public data. Public
interest groups and lobbyists both appreciate the ability to track rules,
regulations, and pending legislation with e-mail alerts, calendaring, and
various kinds of searching. Using PHP to glue together existing open-source
products, Jim produced impressive results in just a few months. One of his motivations is the very important point that his government has a very real responsibility act as a custodian for data that belongs to its citizens. Storing the data in open formats and building open source tools to access that data are a crucial part of that custodianship.

Jesse Kornblum from the Air Force Office of Special Investigations Computer Investigations and Operations Branch demonstrated some forensics tools that he uses to gather evidence. His team has released the source code to their customized versions of dd and md5sum. His talk highlighted another asset of open source software: easy independent verification of results. If his investigation produces evidence that prohibited material was found on a computer, no one (prosecution or defense) has to take his word for it. He can provide the disk image he worked on, the tool that found the prohibited material and the source code to that tool. His results can be reproduced and verified by others. He can even provide the source code to the tool that ensures that the disk image contains the same data as the original computer being investigated. Open source ensures that the conclusions of investigators aren’t black box “take it from me” assertions, but well-justified statements of fact that can be independently verified and duplicated.
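The verification chain Kornblum describes (image the disk, record its digests, search the image, let anyone re-run the same steps) is small enough to write out. This is an added example, not the AFOSI tools or the post's own code: a dd-style block copier that hashes the source as it streams, a verifier that recomputes the digests on the image, and a search that reports byte offsets. The 4 KiB "device" and the `MARKER-FILE` string are constructed stand-ins for a real drive and real prohibited material; the 512-byte block size is assumed to mirror dd's default.

```python
import hashlib
import hmac
import io

BLOCK_SIZE = 512  # assumption: mirror dd's default block size
ALGORITHMS = ("md5", "sha256")  # md5 as in the talk, sha256 alongside it


def image_device(device, block_size=BLOCK_SIZE):
    """Copy a device or file bit for bit, hashing each block as it streams past.

    `device` is any binary file-like object; a BytesIO stands in for a block
    device here. Returns the image bytes and the digests of the source.
    """
    hashes = {name: hashlib.new(name) for name in ALGORITHMS}
    image = io.BytesIO()
    while True:
        block = device.read(block_size)
        if not block:
            break
        image.write(block)
        for h in hashes.values():
            h.update(block)
    return image.getvalue(), {name: h.hexdigest() for name, h in hashes.items()}


def digests_of(data: bytes) -> dict:
    """Hash an image the way an independent reviewer re-running md5sum would."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def verify_image(image: bytes, recorded: dict) -> bool:
    """True only if every digest recorded at acquisition matches the image now."""
    current = digests_of(image)
    return all(hmac.compare_digest(current[name], recorded[name]) for name in recorded)


def find_material(image: bytes, needle: bytes) -> list:
    """Every byte offset at which `needle` occurs. Same image, same answer,
    for anyone who re-runs it: the result is reproducible, not 'take my word'."""
    offsets, start = [], 0
    while True:
        pos = image.find(needle, start)
        if pos < 0:
            return offsets
        offsets.append(pos)
        start = pos + 1


def constructed_device() -> io.BytesIO:
    """A constructed 4 KiB 'disk' holding two copies of a marker string."""
    marker = b"MARKER-FILE"
    raw = bytearray(4096)
    raw[100:100 + len(marker)] = marker
    raw[3000:3000 + len(marker)] = marker
    return io.BytesIO(bytes(raw))


def chain_of_custody_demo() -> dict:
    """Acquire, verify, search, then show that any later change is detectable."""
    image, recorded = image_device(constructed_device())
    intact = verify_image(image, recorded)
    offsets = find_material(image, b"MARKER-FILE")

    # A single flipped bit in a copy handed to someone else no longer verifies.
    tampered = bytearray(image)
    tampered[0] ^= 0x01
    tampered_verifies = verify_image(bytes(tampered), recorded)

    return {
        "recorded": recorded,
        "intact": intact,
        "offsets": offsets,
        "tampered_verifies": tampered_verifies,
    }


if __name__ == "__main__":
    result = chain_of_custody_demo()
    for name, digest in result["recorded"].items():
        print(f"{name}: {digest}")
    print("image verifies:", result["intact"])
    print("marker found at:", result["offsets"])
    print("tampered copy verifies:", result["tampered_verifies"])
```

Because every step is plain code over the same bytes, the defense can take the image, the recorded digests and this source and arrive at the same offsets, which is the independent verification the talk credits to open source tools.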

My talk on PHP went well. I had a cheering section in the folks from the OU Sinapse project. They’ve built (and open-sourced) a huge campus portal project with PHP and have many universities both deploying it and collaborating on development. There were plenty of other examples of PHP users I ran into at the conference such as the US Defense Department, the US Census Bureau, and the Mexican federal government.

There were a number of sessions and discussions that debated the relative security merits of open source and closed source software. The typical response to “open source => more eyeballs => security holes are found and fixed” was that “open source => more enemy eyeballs => security holes exploited before they’re widely fixed.” Mostly overlooked was the fact that a sufficiently well-funded and well-connected attacker will have the source code to a “closed source” product. Microsoft has signed a shared source agreement with the Russian government. How likely is it that copies of the source code might make their way out of the government? Would it be that difficult to get a job with the company that Oracle hires to empty its trashcans and bring a FireWire DVD burner to work with you one night? Security is always a tradeoff, never an absolute. But when governments are discussing repelling attackers, they have to be prepared for the best attackers. For those folks, everything is open source.

What are your thoughts on or experiences with government and open source software?