Free Republic

Open Source Is Becoming a Military Necessity
The Street ^ | 17 August 2012 | Dana Blankenhorn

Posted on 08/18/2012 11:59:23 AM PDT by ShadowAce

One of the biggest lies told about open source is that it's insecure.

In letting just anyone use your code, that has to include the bad guys. They're bound to find a way to compromise it, the thinking goes.

But that's not the way it works in real life. Having every potential victim working on your neighborhood code watch turns out to deliver more security, not less.

Having everyone who might be the victim of an online break-in organized, finding bugs, writing and testing fixes, constantly improving security tools, works.

Don't believe me? Well, maybe you'll believe the National Security Agency or the Department of Homeland Security. The open source process works for them, too.

For a decade, one of the most popular intrusion prevention and detection systems has been Snort, created by Martin Roesch. But the company he built around that software, Sourcefire, only gives away the basic package. If you need extensions, if you want a more complete system, you have to pay. That code is controlled by Sourcefire.

There is nothing unusual in that. Many open-source businesses create free community and paid "enterprise" editions of their software. This is what Red Hat (RHT) is all about -- you can download Fedora Linux free or buy Red Hat Enterprise Linux. In both cases you get to see the code, but with the paid version you get the support needed to run it professionally.

But this model didn't work with Snort. The Department of Homeland Security, the military, and the NSA could not be "held hostage" to Sourcefire for improvements to the code, or for the specialized suite needed to protect the nation.

So the Department of Homeland Security got together with major contractors and formed their own open source project, the Open Information Security Foundation. OISF has its own intrusion system, called Suricata, whose syntax is based on Snort, so if you are accustomed to one you can use the other.

But Suricata will be a complete system, not just a "sniffer," as intrusion detection products are colloquially known. The whole Suricata suite will be open source. This process is now expanding, as I noted here at TheStreet.com on Monday.

In May, the National Security Agency co-hosted an Open Source Security Industry Day at a Johns Hopkins facility in Fort Meade, Md. As ZDNet's Steven J. Vaughan-Nichols reported, agency people described their needs for open source and urged suppliers to include open source in their offerings.

John Weathersby of the OSS-Institute, which is now affiliated with Georgia Tech in Atlanta, told me most of the day was devoted to small "breakout" sessions, where contractors answered hard, detailed questions put to them by key government customers. The affair wasn't just a series of sales pitches, he said. It was the first step in a negotiation.

Among the open source projects the NSA supports is Security Enhanced Linux (SE-Linux), for which it has developed an access control module called Flask, hosted at the University of Utah. Open source and security, in other words, do go together.

Open source can only provide tools. Procedures are also needed to assure that people maintain security. So the Cloud Security Alliance offers an integrated stack of such procedures, called the GRC Stack. GRC stands for Governance, Risk management and Compliance. This is maintained in an open process with the support of both contractors and software vendors.

Point is, open source and security do mix. They mix well. With more businesses moving toward cloud technology, much of it based on open source software, they are going to be doing a lot more mixing.


TOPICS: Computers/Internet
KEYWORDS: linux; security

1 posted on 08/18/2012 11:59:28 AM PDT by ShadowAce

To: rdb3; Calvinist_Dark_Lord; Salo; JosephW; Only1choice____Freedom; amigatec; stylin_geek; ...

2 posted on 08/18/2012 12:00:12 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce
Security = 1/convenience.

/johnny

3 posted on 08/18/2012 12:05:49 PM PDT by JRandomFreeper (Gone Galt)

To: JRandomFreeper

The formula "security = 1 / convenience" is a formula I can understand. What I don't understand is what the advantages are to moving an organization's data "to the cloud" where hands unknown have access to it. I've heard people say "you don't have to invest in bandwidth or the knowledge base to maintain the systems". But that seems more like an excuse to be "dumb and lazy" as a company at the risk of leaking company information. Why the push to centralize to cloud locations rather than remaining distributed?


4 posted on 08/18/2012 12:49:31 PM PDT by so_real ( "The Congress of the United States recommends and approves the Holy Bible for use in all schools.")

To: so_real
Got me. I have no clue why handing over the crown jewels of any company to some 'cloud' seems to make sense to some management types.

I expect to see some pretty bloody reprisals after the first multi-million dollar loss of data in the 'cloud'.

/johnny

5 posted on 08/18/2012 12:55:39 PM PDT by JRandomFreeper (Gone Galt)

To: so_real

“Why the push to centralize to cloud locations rather than remaining distributed?”

I’ll claim ignorance here, but I thought “the cloud” was the definition of distributed computing and data management.

Various futurists have been arguing that the value of data is rapidly approaching zero during this age of accelerating change and ubiquitous information access. Put another way, the half life of a good idea is getting shorter and shorter. Business models based on husbanding data as if it has value (the crown jewels) are going to fade away and be replaced by business models built on the concept of exploiting new and publicly available data more rapidly than your peers.

I fear that if these predictions are true, the U.S. government and its love of classified data will fail to compete with faster governments not married to protecting mountains of information or data. Many of our larger businesses could follow suit.

We live in interesting times.


6 posted on 08/18/2012 1:40:51 PM PDT by LaserJock

To: JRandomFreeper
Slight modification:

Security = (1/convenience)*(RND(10)-1)

Where RND(10) is a function that generates a random # from 1 to 10. In other words, increasing inconvenience may or may not increase security. For example, Maxwell Smart has to go through 10 sets of automatic doors, followed by dialing the correct number in a phone booth before he can enter CONTROL headquarters. But if he left a window open, the doors and phone booth provide zero protection against enemy infiltration. Password routines so complex that users resort to placing sticky notes on or under their keyboards show the "Laffer curve" of secure passwords. At some point you get worse results, not better.

7 posted on 08/18/2012 1:50:46 PM PDT by Dr. Sivana ("I love to hear you talk talk talk, but I hate what I hear you say."-Del Shannon)

To: LaserJock

You are exactly correct...the value of data is plummeting. As we trend towards perfect information, it seems like markets will begin to correct instantly almost removing short term profit takers and liquidity from the markets.

As consumers increasingly use engines like Amazon and Google products, retailers will continue to die off and the profit model will continue to be destroyed.

I don’t know where it all ends. Combine this with the automation trend it seems we are in a negative feedback loop that doesn’t have an obvious solution. I don’t know what happens when there are just no jobs and no ways for 80% of the population to make any money.


8 posted on 08/18/2012 1:50:59 PM PDT by willyd

To: willyd
I see what you're saying, but I'm a bit more optimistic. I think profit making opportunities will proliferate in this new world. They'll just be brief. Agility will be the key to long term success. It may be that we're seeing the beginning of the end of the age of great empires - nations as well as businesses. The age of the empowered individual or small team is emerging. If this is true, then nations filled with industrious people who value personal responsibility will prosper. This could be very good for the U.S. - if we don't let government infantilize us first!

9 posted on 08/18/2012 1:59:01 PM PDT by LaserJock

To: ShadowAce
So the Department of Homeland Security got together with major contractors and formed their own open source project

DykeNet?

10 posted on 08/18/2012 2:25:37 PM PDT by montag813

To: LaserJock

The way it was explained to me, is that the cloud is everywhere. You put your data in the cloud, and it is stored on any number of physical machines, in any number of countries, so you never have to worry about a disk failure losing it, or a segment of the network going down making it unavailable. That sounds great until you wonder who has access to it. Do you really want your competitors to know who your vendors are? the names of your most productive sales people? the target objectives for your next sales campaign or media blitz? etc, etc. I don't have a problem with library and audio visual material being ubiquitous. But there are just some things better kept under lock and key.


11 posted on 08/18/2012 2:46:01 PM PDT by so_real ( "The Congress of the United States recommends and approves the Holy Bible for use in all schools.")

To: so_real
“But there are just some things better kept under lock and key.”

I agree. Even in a full-on information age, there will be a need to protect some data. I'm thinking it's a tiny amount though.

12 posted on 08/18/2012 3:12:53 PM PDT by LaserJock


Donate here!


FReepers who believe in and support our pro-life, pro-family, pro-limited government conservative causes, enjoy reading and participating on FR, think it's a worthwhile endeavor and would like to help us keep it going.
Please click the link.
The Republic you save may be your own.



13 posted on 08/18/2012 3:13:00 PM PDT by RedMDer (https://support.woundedwarriorproject.org/default.aspx?tsid=93destr)

To: JRandomFreeper

14 posted on 08/18/2012 3:15:08 PM PDT by wally_bert (There are no winners in a game of losers. I'm Tommy Joyce, welcome to the Oriental Lounge.)

To: RedMDer

Already posted


15 posted on 08/18/2012 3:22:11 PM PDT by don-o (He will not share His glory and He will NOT be mocked! Blessed be the name of the Lord forever.)

To: don-o

Knock it off!


16 posted on 08/18/2012 3:37:05 PM PDT by Jim Robinson (Resistance to tyrants is obedience to God!!)

To: Jim Robinson

Knock off commenting on the thread spam which you used to forbid?

Knock THAT off?


17 posted on 08/18/2012 3:52:47 PM PDT by don-o (He will not share His glory and He will NOT be mocked! Blessed be the name of the Lord forever.)

To: don-o; RedMDer

RedMDer’s posts are not spam. He’s helping tremendously with our FReepathon and I appreciate it very much.


18 posted on 08/18/2012 3:55:34 PM PDT by Jim Robinson (Resistance to tyrants is obedience to God!!)

To: don-o; RedMDer

Look, if we had to go to commercial advertising to pay for this site, you’d probably see several with every click. They only raise a tiny fraction of a cent per impression.


19 posted on 08/18/2012 3:57:57 PM PDT by Jim Robinson (Resistance to tyrants is obedience to God!!)

To: Jim Robinson

Thanks Boss.


20 posted on 08/18/2012 4:00:06 PM PDT by RedMDer (https://support.woundedwarriorproject.org/default.aspx?tsid=93destr)

