DHS Claims Open Source Software Is Like Giving The Mafia A Copy Of FBI Code; Hastily Walks Back Statement
from the psst...-your-ignorance-is-showing dept
Late last week, the DHS's Chief Information Officer Luke McCormack (or someone from his office) posted comments to GitHub arguing against the proposed policy of making 20% of its code (whatever that means) open source in the interest of better sharing between agencies. The rationale is that shared code could save tax dollars by preventing paying developers to perform redundant work. The DHS felt strongly about this and said as much using an Excel-based parade of horrors.
Many private companies (especially security companies) do not publish their source code is because it allows attackers to (a) construct highly targeted attacks against the software, or (b) build-in malware directly into the source code, compile, then replace key software components as 'doppelgangers' of the original. How will this be prevented? Government-specific examples: citizenship anti-fraud rules that are coded into software, identification of special codes used to flag law enforcement actions, APT threat indicator scripts, Mafia having a copy of all FBI system code, terrorist with access to air traffic control software, etc. How will this be prevented?

Contrary to the CIO's statements, open source software can actually be safer than closed source options. Publishing the source means more people, not only the vendor's own staff, finding flaws and holes and working towards fixes, rather than the vendor compiling internal discoveries and deciding on its own which holes should be repaired and in which order. Note, too, that the DHS's own scenarios (the Mafia with a copy of FBI system code) presuppose an adversary who already holds the source, which is precisely the condition any sound design has to remain secure under, whether or not the code is ever published.
The DHS has now walked back this unfortunate comment, claiming it was just one of those mysterious things that somehow materialized out of the ether.
Those comments were "incorrectly posted" and do not represent DHS' position, agency spokesman Justin Greenberg told Nextgov in an email. McCormack's new comments "serve as the department’s official stance on the policy," the spokesman said. In his new comment, McCormack said the earlier comments reflected "a variety of individual positions across DHS components."

This explains next to nothing and leaves readers with the impression that the DHS has been publicly embarrassed by the "source code sky is falling [pending proposal approval]" comments submitted by its CIO.
The DHS has a history of walking back things after they've received public criticism. This is good, but the walkbacks seem to be accompanied by obfuscatory statements that give everyone involved a pass on their misguided actions. Back in 2014, DHS component ICE started soliciting bids for a national license plate database (built from the hundreds of automatic license plate readers in use around the nation). Backlash ensued and DHS Secretary Jeh Johnson quickly issued a statement claiming the posting was done without the approval of "ICE leadership." In other words, the issuance was just a governmental glitch, and the hasty retreat being beaten was entirely unrelated to the public outcry.
Here, the same thing seems to be happening. The DHS CIO posts comments full of alarmism, is called out for it, and a spokesperson appears on the scene to say that comments released by a DHS official are not the official comments of the agency he represents. To borrow the blame-shifting parlance of law enforcement, a misguided comment "discharged" and no one should have to own up to actually pulling the trigger. Yes, mistakes were made. But apparently no government official should need to acknowledge they were just flat-out wrong.
Filed Under: dhs, government, open source
Reader Comments
Freudian Slip!
"....Your winnings, sir."
"Ehm....um....'bye!"
Both my former and current employers banned open source software from being used because the executives literally believed open source = open to abuse.
Worse: both try to blame HIPAA as stating it's against the law to use it. It's not.
The DHS should know better, but then again, considering many people don't understand what open source is, expect this ignorance to continue for another few millennia.
:`(
How effective was Microsoft's FUD campaign, really?
Microsoft's entire history is one of creating and protecting a monopoly.
Microsoft prevented competing OSes by making contracts with OEMs stipulating that if the OEM shipped a box with an alternative OS, the OEM still had to pay Microsoft as though it included Microsoft's product.
Microsoft prevented competing applications by manipulating APIs. Or moving certain important features into undocumented APIs that only its own applications could use.
When the web came along, Microsoft ignored it at first. Saying "it's just a fad". Yes, really!
Then they bought a browser (Spyglass) for $100,000 up front plus a royalty percentage of sales. Renamed it to Internet Explorer. Guess how many copies of IE have ever been "sold"?
Microsoft worked to monopolize the web by both pushing developers towards major features only available in its browser, and working to frustrate standardization efforts.
Microsoft also tried to monopolize the server. IIS and FrontPage. FrontPage had a license that forbade you to ever disparage or write negatively about Microsoft or any of its properties, Expedia, etc. Guess how much FrontPage got used once this news went viral? Meanwhile IIS was the most hacked web server on the planet. For years simple URL manipulation would allow remote command execution. Each fix was focused on the specific problem, so the broader problem continued.
At the start of the rise of Open Source, Microsoft started a huge FUD campaign. Meanwhile Microsoft continued protecting its monopoly as usual.
But the furry little mammals hidden in the holes in the rocks kept working, and working. Firefox materialized. It was radically superior. Within a few years, it had 50% share of web users -- which was a major wake up call. After years and years of neglect and stagnation, we suddenly had IE 7, 8, 9, etc. Never quite achieving full compliance until it was way too late to matter.
Meanwhile, open source took over the servers. The data centers. Embedded devices. TiVos. Cameras. DVD players. TV sets. IoT. Anything that was not part of the desktop PC monopoly. Netbooks. Phones. Tablets.
Microsoft realized way too late it had to react. Windows Mobile never went anywhere. Android took over the world.
It became clearer and clearer that Microsoft was always playing catch up with open source. Even at the start of XP, the introduction of remote desktop access was a copy of what open source was already doing. Jump to today, Microsoft only got onto the Raspberry Pi 2, because it had enough power to run the core of Windows without any GUI.
Now Microsoft Loves Linux. (Like Sharks Love Fish, and Foxes Love Chickens.) Now it is clear Microsoft's best days are behind it. It plays catch up with everything. Developers use open source and Microsoft is trying to woo them back.
I have to admit that Ballmer's move to sell the Surface tablet was absolutely brilliant! In one single stroke, Microsoft pissed off:
1. Their developers, by forcing new APIs, and use of Microsoft's store, and terms of that store
2. Their OEMs, by directly competing with them, and undercutting them
3. Their customers who purchased the product... but the sales already reflect that.
4. Desktop PC users, the core of its business, by forcing them to use a UI that makes their work inefficient. Sacrifice the core business in a futile attempt to sell a sinking product that keeps refusing to take off. (WP 7, WP 8, Surface, Surface RT, etc)
We now live in an open source world. You have more Linux devices in your home already than you have Windows PCs or Macs combined. For all family members combined.
Microsoft is trying to embrace open source in ways that create a one-way street back to Microsoft. (A far worse approach than Apple has.)
So I'll ask: just how successful was Microsoft's FUD campaign?
Maybe in the short term.
But not in the long term.
Don't forget kids: open source is communist and a cancer. Don't be a freetard that uses open sores.
Re: Re: How effective was Microsoft's FUD campaign, really?
Microsoft's Java tried to lock developers into Windows, but used techniques expressly forbidden by its contract, which Sun sued over and won, IIRC, $1.2 billion and an injunction.
Then Microsoft copied Java and JVM to create C# and .NET. A close copy indeed. But with a few of Java's warts removed, and some genuine improvements. But the idea was the same. Take the best technology, add deliciously addictive sweeteners that lock developers in to the monopoly. The first hit is free, pay later. Yet Java and especially the JVM took off. One of the most sophisticated managed, GC enabled runtime engines on the planet. Used extensively for enterprise applications, major web applications, banking, and surprisingly: high speed trading where milliseconds count! JVM has had tons of third party research poured into it. Meanwhile .NET was a locked black box. Now many languages run on the JVM -- and all interoperate. You can pass data structures between languages. Once again, belatedly, Microsoft finally makes .NET open source, but mostly in a way that is a one way street leading back into the prison camp. Er, I should use a more positive spin like "walled garden".
Touching on IoT again, the world today is a bazaar abuzz with innovation unlike anything we have seen since the days when hobbyist magazines like Popular Electronics were popular before the IBM PC / Microsoft monopolies set in and locked everything up.
There is way, way more to Microsoft's history. Signing deals with cell phone manufacturers, and then setting about to put them out of business before the ink on the paper is even dry. And lest you think Nokia, I'm talking about back in the very early 2000's. And these kinds of deals had clauses that the company's IP went to Microsoft if they were to cease business.
Re: How effective was Microsoft's FUD campaign, really?
I may sound like an idiot but "Embrace, Extend, Extinguish" never really went away. With the IE6 era over, people simply wised up to such brute attempts.
There's little doubt Microsoft will try (and fail) to lock developers down to its platforms again in the next 10 years.
Kerckhoffs's principle, as it applies to software, says that any security analysis must necessarily begin with the presumption (even if it's not actually true) that "the adversary knows the system," and that if your system is not secure with the adversary having all of the code, then it's not secure at all. During the Cold War, the NSA had a similar principle: make systems secure even assuming that "serial number 1 of any new device was delivered to the Kremlin." In today's world of rampant data breaches and cyber-espionage, this is not at all an unreasonable assumption!
Based on this idea, we see that sharing code can't actually make security worse, because we must assume that the adversary already knows the system. On the other hand, opening the code up makes it possible for friends to look at it, notice problems or potential improvements, and contribute. Far from giving your adversary a leg up, open source levels the playing field in your favor.
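The principle in the comment above, as an added example that is not part of the original post or of any DHS or FBI code: two ways of tagging a record so a verifier can tell it is genuine. Scheme A hides a constant and a transform in the source and relies on nobody seeing them; scheme B uses the public HMAC-SHA256 construction and keeps its only secret in a key generated at deployment. The adversary is modelled as someone holding a complete copy of this file (the "Mafia with the FBI's code" scenario). The constant, the message and the function names are constructed for illustration.

```python
"""Kerckhoffs's principle demonstrated: a design that is only safe while its
source is secret (scheme A) versus one that stays safe when the source is
public and only the key is secret (scheme B). Added example; all names,
constants and messages are constructed."""
import hashlib
import hmac
import secrets

# Scheme A: "security through obscurity". The only protection is that nobody
# is supposed to know this constant or the transform in obscure_tag().
_OBSCURE_CONSTANT = b"dhs-internal-flag-7f3a"  # constructed, hardcoded secret


def obscure_tag(message: bytes) -> bytes:
    """Tag = SHA-256 over the message XOR-interleaved with a hardcoded constant."""
    mixed = bytes(m ^ _OBSCURE_CONSTANT[i % len(_OBSCURE_CONSTANT)]
                  for i, m in enumerate(message))
    return hashlib.sha256(_OBSCURE_CONSTANT + mixed).digest()


def obscure_verify(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(obscure_tag(message), tag)


# Scheme B: public design (HMAC-SHA256); the secret is a key that is generated
# at deployment and never appears in the source tree.
def keyed_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def keyed_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(keyed_tag(key, message), tag)


def adversary_with_source(message: bytes, key_len: int = 32) -> dict:
    """Model an adversary who holds this entire file but not the deployed key.

    Against scheme A they simply call our own function to mint a valid tag.
    Against scheme B the best they can do is pick a key of their own; the
    resulting tag is rejected by a verifier holding the real key."""
    deployed_key = secrets.token_bytes(key_len)  # lives in a vault, not in the repo

    forged_a = obscure_tag(message)                               # attacker runs our code
    forged_b = keyed_tag(secrets.token_bytes(key_len), message)   # attacker guesses a key

    return {
        "obscure_forgery_accepted": obscure_verify(message, forged_a),
        "keyed_forgery_accepted": keyed_verify(deployed_key, message, forged_b),
        "keyed_genuine_accepted": keyed_verify(
            deployed_key, message, keyed_tag(deployed_key, message)),
    }


if __name__ == "__main__":
    print(adversary_with_source(b"release-flag:case-12345"))
    # {'obscure_forgery_accepted': True, 'keyed_forgery_accepted': False,
    #  'keyed_genuine_accepted': True}
```

Publishing this file costs scheme B nothing: a reviewer can confirm it uses a standard MAC and a constant-time comparison, while an attacker still has to obtain the key. Publishing it destroys scheme A outright, which is the sense in which a system that is only secure while its code is secret was never secure in the first place.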
Re:
The fact it is open can be a motivating factor in doing a better job.
Re:
You are totally correct, but the problem today with open source imho is lack of resources. So for example the Heartbleed bug was in there a long time because there just weren't enough people to validate the code and catch it. The solution of course is more open sourcing of projects which will allow for more developers and testing. This is especially true for programming modules like OpenSSL, but then you can run into issues like NPM in which one developer (Azer Koçulu) can destroy many projects by pulling his code.
Re: Re:
But on the other hand maybe the lack of resources can be addressed by simply writing better code. For example it's much easier to vet Wayland and a graphics library than it is to understand X, and reportedly OpenSSL does face some of these issues.
Re: Re:
With open source, you can keep local copies of all modules that your project depends on, which is a good thing to do for all released code. Further it can be packed into a distribution archive as well, so that users are not dependent on the primary repository.
All Linux and BSD distributions keep their own repositories of all the 'official' modules that they use, and from which their users obtain their software.
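Keeping local copies, as the comment above suggests, only protects a build if the copies are also checked against what was reviewed; otherwise a vendored tree can be altered (or a module silently dropped, as in the NPM incident mentioned earlier in the thread) without anyone noticing. The following is an added example, not code from the original comment or from any project: a pinned-hash manifest in the `sha256sum` layout and a verifier that reports every module as ok, tampered, missing, or present but never pinned. The directory layout, module names and file contents are constructed.

```python
"""Verify a vendored dependency tree against a pinned SHA-256 manifest.
Added example; manifest format, paths and file contents are constructed."""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse '<sha256>  <relative/path>' lines; blanks and '#' comments are skipped.
    Malformed lines raise rather than being ignored, so a corrupted manifest
    cannot quietly shrink the set of files that get checked."""
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<sha256> <path>'")
        digest, rel = parts[0].lower(), parts[1].strip()
        if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"manifest line {lineno}: bad sha256 {digest!r}")
        pins[rel] = digest
    return pins


def verify_vendor_dir(vendor_dir: str, manifest_text: str) -> dict:
    """Return {relpath: status}, status in {'ok', 'mismatch', 'missing', 'unpinned'}.
    'unpinned' flags files on disk that no manifest line vouches for."""
    pins = parse_manifest(manifest_text)
    result = {}
    for rel, expected in pins.items():
        path = os.path.join(vendor_dir, rel)
        if not os.path.isfile(path):
            result[rel] = "missing"
        elif sha256_file(path) != expected:
            result[rel] = "mismatch"
        else:
            result[rel] = "ok"
    for root, _dirs, files in os.walk(vendor_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), vendor_dir).replace(os.sep, "/")
            if rel not in pins:
                result[rel] = "unpinned"
    return result


def demo() -> dict:
    """Build a throwaway vendor tree with one intact, one tampered, one missing
    and one unpinned module, then verify it. Every byte here is constructed."""
    good = b"// vendored module A (constructed stand-in)\n"
    pinned_b = b"// vendored module B as reviewed (constructed)\n"
    tampered_b = b"// vendored module B, altered after pinning (constructed)\n"
    manifest = "\n".join([
        "# vendor.sha256 (constructed manifest)",
        f"{hashlib.sha256(good).hexdigest()}  module-a/index.js",
        f"{hashlib.sha256(pinned_b).hexdigest()}  module-b/index.js",
        f"{hashlib.sha256(b'never copied locally').hexdigest()}  module-c/index.js",
    ])
    with tempfile.TemporaryDirectory() as d:
        for sub, data in (("module-a", good), ("module-b", tampered_b)):
            os.makedirs(os.path.join(d, sub))
            with open(os.path.join(d, sub, "index.js"), "wb") as f:
                f.write(data)
        with open(os.path.join(d, "stray.js"), "wb") as f:
            f.write(b"// dropped in without review\n")
        return verify_vendor_dir(d, manifest)


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:9} {rel}")
```

Run as a pre-build step, anything other than an all-`ok` report should fail the build. The manifest itself is what gets reviewed and committed; the tree it describes can then be mirrored or shipped in a release archive exactly as the comment proposes, without trusting the upstream repository to still serve the same bytes.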
Someone hacked the account and posted a bogus policy before, but this one is for real.
Then there's simply stronger assurance
Sure, for a large project like an OS or its kernel personal review is impractical* and we must put some trust in peer review, but it's certainly practical for most applications.
* Not that I don't enjoy trying.
Wikipedia has an article on this approach and why it's a bad idea.
He believes in keeping things secure in the short run until the code gets leaked or the black box gets hacked externally.
I bet he also likes to pretend everything is fine after FBI code's exploits are well known and abused.
That's the crux of the situation. While open source CAN be safer than closed source due to anyone being able to review the code, it doesn't necessarily follow that the people with the right skill sets will be interested enough to review it.
There are any number of cases where completely open source projects have had critical security bugs for many years that no one caught because no one bothered to review the code for flaws and errors. Open source is not a silver bullet for security concerns especially if you're using poorly written software or niche software that few people ever see to begin with.
It's only with thorough audits of 100% of the code base on a regular basis by skilled security specialists that this mantra holds water. The majority of open source projects, even the big ones, don't get this kind of regular scrutiny because it's very labor intensive and requires those with well above average code skill sets.
Re:
Then again we're talking "left-pad" level here aren't we?
And that's more about laziness than poor coding skills.
But hey, with MS's new Linux layer, maybe we'll get some proper Valgrind support in VS. Looks more likely than getting people on proper C++11.
And that's for the best engineers; so for something complex like OpenSSL you could see bugs going undetected.
Obviously not having the code out in the open would be somewhat more "secure"!? But for how long really?
We're talking "hardened criminals" here right? /s