Say That Again

by Tim Cushing


Filed Under:
dhs, government, open source



DHS Claims Open Source Software Is Like Giving The Mafia A Copy Of FBI Code; Hastily Walks Back Statement

from the psst...-your-ignorance-is-showing dept

Late last week, the DHS's Chief Information Officer Luke McCormack (or someone from his office) posted comments to GitHub arguing against the proposed policy of making 20% of its code (whatever that means) open source in the interest of better sharing between agencies. The rationale is that shared code could save tax dollars by preventing paying developers to perform redundant work. The DHS felt strongly about this and said as much using an Excel-based parade of horrors.

Many private companies (especially security companies) do not publish their source code is because it allows attackers to (a) construct highly targeted attacks against the software, or (b) build-in malware directly into the source code, compile, then replace key software components as 'doppelgangers' of the original. How will this be prevented? Government-specific examples: citizenship anti-fraud rules that are coded into software, identification of special codes used to flag law enforcement actions, APT threat indicator scripts, Mafia having a copy of all FBI system code, terrorist with access to air traffic control software, etc. How will this be prevented?
Contrary to the CIO's statements, open source software can actually be safer than closed source options. More eyes on the source means more people finding flaws and holes and working towards fixes, rather than simply compiling internal discoveries and forwarding them to the vendor and allowing the company to determine which holes/flaws should be repaired and in which order.

The DHS has now walked back this unfortunate comment, claiming it was just one of those mysterious things that somehow materialized out of the ether.
Those comments were "incorrectly posted" and do not represent DHS' position, agency spokesman Justin Greenberg told Nextgov in an email. McCormack's new comments "serve as the department’s official stance on the policy," the spokesman said. In his new comment, McCormack said the earlier comments reflected "a variety of individual positions across DHS components."
This explains next to nothing and leaves readers with the impression that the DHS has been publicly embarrassed by the "source code sky is falling [pending proposal approval]" emailed in by its CIO.

The DHS has a history of walking back things after they've received public criticism. This is good, but the walkbacks seem to be accompanied by obfuscatory statements that give everyone involved a pass on their misguided actions. Back in 2014, DHS component ICE started soliciting bids for a national license plate database (built from the hundreds of automatic license plate readers in use around the nation). Backlash ensued and DHS Secretary Jeh Johnson quickly issued a statement claiming the posting was done without the approval of "ICE leadership." In other words, the issuance was just a governmental glitch and the hasty retreat being beaten entirely unrelated to the public outcry.

Here, the same thing seems to be happening. The DHS CIO posts comments full of alarmism, is called out for it and a spokesperson appears on scene to say that comments released by a DHS official are not the official comments of the agency he represents. To borrow the blame-shifting parlance of law enforcement, a misguided comment "discharged" and no one should have to own up to actually pulling the trigger. Yes, mistakes were made. But apparently no government official should need to acknowledge they were just flat-out wrong.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 21 Apr 2016 @ 9:33am

    Freudian Slip!

    Someone just needs to tell them... we already know this about you, stop trying to act like you don't hate Americans and Liberty!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Apr 2016 @ 9:38am

    "I'm shocked that there's gambling in tHis establishment!"

    "....Your winnings, sir."

    "Ehm....um....'bye!"

    reply to this | link to this | view in chronology ]

  • icon
    Violynne (profile), 21 Apr 2016 @ 9:41am

    What's really troubling is how many people still believe this crap.

    Both my former and current employer banned open source software from being used because the executives literally believed open source = open to abuse.

    Worse: both try to blame HIPAA as stating it's against the law to use it. It's not.

    The DHS should know better, but then again, considering many people don't understand what open source is, expect this ignorance to continue for another few millennia.

    :`(

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Apr 2016 @ 9:45am

    It seem's Microsoft's FUD campaign was quite effective.

    reply to this | link to this | view in chronology ]

    • icon
      DannyB (profile), 21 Apr 2016 @ 11:41am

      How effective was Microsoft's FUD campaign, really?

      Let us consider just how effective Microsoft's FUD campaign really was.

      Microsoft's entire history is one of creating and protecting a monopoly.

      Microsoft prevented competing OSes by making contracts with OEMs that if the OEM ships a box with an alternative OS, that the OEM still must pay Microsoft as though it included Microsoft's product.

      Microsoft prevented competing applications by manipulating APIs. Or moving certain important features into undocumented APIs that only its own applications could use.

      When the web came along, Microsoft ignored it at first. Saying "it's just a fad". Yes, really!

      Then they bought a browser (Spyglass) for $100,000 up front plus royalty percent of sales. Renamed it to Internet Explorer. Guess how many copies of IE have ever been "sold" ?

      Microsoft worked to monopolize the web by both pushing developers towards major features only available in its browser, and working to frustrate standardization efforts.

      Microsoft also tried to monopolize the server. IIS and FrontPage. FrontPage had a license that forbade you to ever disparage or write negatively about Microsoft or any of it's properties, Expedia, etc. Guess how much FrontPage got used once this news went viral? Meanwhile IIS was the most hacked web server on the planet. For years simple URL manipulation would allow remote command execution. Each fix was focused on the specific problem, so the broader problem continued.

      At the start of the rise of Open Source, Microsoft started a huge FUD campaign. Meanwhile Microsoft continued protecting its monopoly as usual.

      But the furry little mammals hidden in the holes in the rocks kept working, and working. FireFox materialized. It was radically superior. Within a few years, it had 50 % share of web users -- which was a major wake up call. After years and years of neglect and stagnation, we suddenly had IE 7, 8, 9, etc. Never quite achieving full compliance until it was way too late to matter.

      Meanwhile, open source took over the servers. The data centers. Embedded devices. TiVos. Cameras. DVD players. TV sets. IoT. Anything that was not part of the desktop PC monopoly. Netbooks. Phones. Tablets.

      Microsoft realized way too late it had to react. Windows Mobile never went anywhere. Android took over the world.

      It became clearer and clearer that Microsoft was always playing catch up with open source. Even at the start of XP, the introduction of remote desktop access was a copy of what open source was already doing. Jump to today, Microsoft only got onto the Raspberry Pi 2, because it had enough power to run the core of Windows without any GUI.

      Now Microsoft Loves Linux. (Like Sharks Love Fish, and Foxes Love Chickens.) Now it is clear Microsoft's best days are behind it. It plays catch up with everything. Developers use open source and Microsoft is trying to woo them back.

      I have to admit that Ballmer's move to sell the Surface tablet was absolutely brilliant! In one single stroke, Microsoft pissed off:
      1. Their developers, but forcing new APIs, and use of Microsoft's store, and terms of that store
      2. Their OEMs, by directly competing with them, and undercutting them
      3. Their customers who purchased the product . . . but the sales already reflect that.
      4. Desktop PC users, the core of its business, by forcing them to use a UI that makes their work inefficient. Sacrifice the core business in a futile attempt to sell a sinking product that keeps refusing to take off. (WP 7, WP 8, Surface, Surface RT, etc)



      We now live in an open source world. You have more Linux devices in your home already than you have Windows PCs or Macs combined. For all family members combined.

      Microsoft is trying to embrace open source in ways that create a one-way street back to Microsoft. (A far worse approach than Apple has.)

      So I'll ask: just how successful was Microsoft's FUD campaign?
      Maybe in the short term.
      But not in the long term.

      Don't forget kids: open source is communist and a cancer. Don't be a freetard that uses open sores.

      reply to this | link to this | view in chronology ]

      • icon
        Charles (profile), 21 Apr 2016 @ 1:32pm

        Re: How effective was Microsoft's FUD campaign, really?

        Bravo! DannyB is to Microsoft FUD as Stephen Colbert is to Lord of the Rings trivia.

        reply to this | link to this | view in chronology ]

        • icon
          DannyB (profile), 22 Apr 2016 @ 9:45am

          Re: Re: How effective was Microsoft's FUD campaign, really?

          I only touched on some of the highlights. There are many more items I could have brought up. And many of them go much deeper than the surface treatment I touched on.

          Microsoft's Java trying to lock developers into Windows. But using techniques expressly forbidden by its contract. Which Sun sued for and won, IIRC, $1.2 Billion, and an injunction.

          Then Microsoft copied Java and JVM to create C# and .NET. A close copy indeed. But with a few of Java's warts removed, and some genuine improvements. But the idea was the same. Take the best technology, add deliciously addictive sweeteners that lock developers in to the monopoly. The first hit is free, pay later. Yet Java and especially the JVM took off. One of the most sophisticated managed, GC enabled runtime engines on the planet. Used extensively for enterprise applications, major web applications, banking, and surprisingly: high speed trading where milliseconds count! JVM has had tons of third party research poured into it. Meanwhile .NET was a locked black box. Now many languages run on the JVM -- and all interoperate. You can pass data structures between languages. Once again, belatedly, Microsoft finally makes .NET open source, but mostly in a way that is a one way street leading back into the prison camp. Er, I should use a more positive spin like "walled garden".

          Touching on IoT again, the world today is a bazaar abuzz with innovation unlike anything we have seen since the days when hobbyist magazines like Popular Electronics were popular before the IBM PC / Microsoft monopolies set in and locked everything up.

          There is way, way more to Microsoft's history. Signing deals with cell phone manufacturers, and then setting about to put them out of business before the ink on the paper is even dry. And lest you think Nokia, I'm talking about back in the very early 2000's. And these kinds of deals had clauses that the company's IP went to Microsoft if they were to cease business.

          reply to this | link to this | view in chronology ]

          • identicon
            Wendy Cockcroft, 26 Apr 2016 @ 2:07pm

            Re: Re: Re: How effective was Microsoft's FUD campaign, really?

            You've just explained why Microsoft thinks Windows 10 and its Edge browser are awesome when they're utter crap.

            reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 25 Apr 2016 @ 3:14am

        Re: How effective was Microsoft's FUD campaign, really?

        Microsoft doesn't want to adapt, nor play nice except as a prelude to RULING. The IE6 era was great for them. Big returns for little to no investment. Imagine how good it would feel for them to get back in that position...

        I may sound like an idiot but "Embrace, Extend, Extinguish" never really went away. With the IE6 era over, people simply wised up to such brute attempts.

        There's little doubt Microsoft will try (and fail) to lock developers down to its platforms again in the next 10 years.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Apr 2016 @ 9:57am

    "Good luck" banning open source software, specially free software.

    reply to this | link to this | view in chronology ]

  • icon
    Mason Wheeler (profile), 21 Apr 2016 @ 10:14am

    Ugh. Someone teach this idiot about Kerckhoff's Principle before he stuffs his foot even further into his mouth!

    Kerckhoff's Principle, as it applies to software, says that any security analysis must necessarily begin with the presumption (even if it's not actually true) that "the adversary knows the system," and that if your system is not secure with the adversary having all of the code, then it's not secure at all. During the Cold War, the NSA had a similar principle: make systems secure even assuming that "serial number 1 of any new device was delivered to the Kremlin." In today's world of rampant data breaches and cyber-espionage, this is not at all an unreasonable assumption!

    Based on this idea, we see that sharing code can't actually make security worse, because we must assume that the adversary already knows the system. On the other hand, opening the code up makes it possible for friends to look at it, notice problems or potential improvements, and contribute. Far from giving your adversary a leg up, open source levels the playing field in your favor.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 Apr 2016 @ 11:01am

      Re:

      I never knew of this principal, so need to make this a house hold term like DNS!

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 Apr 2016 @ 11:02am

      Re:

      Most people dislike being shamed by their peers.

      The fact it is open can be a motivating factor in doing a better job.

      reply to this | link to this | view in chronology ]

    • identicon
      Rich Kulawiec, 21 Apr 2016 @ 11:22am

      Re:

      Absolutely. If security software is NOT open-source, then it's fraudulent -- because the claims it makes cannot be subjected to independent scrutiny and verified, those claims should be considered false.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 Apr 2016 @ 11:37am

      Re:

      Mason,

      You are totally correct, but the problem today with OpenSource imho is lack of resources. So for example the HeartBleed bug was in there a long time because there just wasn't enough people to validate the code and catch it. The solution of course is more open sourcing of projects which will allow for more developers and testing. This is especially true for programming modules like OpenSSL, but than you can run into issues like NPM in which one developer (Azer Koçulu) can destroy many projects by pulling his code.

      reply to this | link to this | view in chronology ]

      • icon
        Mason Wheeler (profile), 21 Apr 2016 @ 2:05pm

        Re: Re:

        The problem with NPM really had nothing to do with open source vs. non-open source. The problem was that the NPM system did not track dependencies correctly. If dependencies were tracked in a proper relational database, designed with referential integrity principles that have been understood for decades, it would have been literally impossible to delete a module that other modules depended on.

        reply to this | link to this | view in chronology ]

      • icon
        Adrian Cochrane (profile), 21 Apr 2016 @ 2:07pm

        Re: Re:

        Maybe there is a lack of resources in the FLOSS community, but leave that NPM case out of this. That's rather a problem with NPM failing to realize that letting developers remove their code from the site can ruin unrelated projects, and a general overuse of modules in Node.js.

        But on the other hand maybe the lack of resources can be addressed by simply writing better code. For example it's much easier to vet Wayland and a graphics library than it is to understand X, and reportedly OpenSSL does face some of these issues.

        reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 21 Apr 2016 @ 2:25pm

        Re: Re:

        ,
        but than you can run into issues like NPM in which one developer (Azer Koçulu) can destroy many projects by pulling his code.

        With open source, you can keep local copies of all modules that your project depends on; which is an good thing to do for all released code. Further it can be packed into a distribution archive as well, so that users are not dependent on the primary repository.
        All Linux and BSD distributions keep their own repositories of all the 'official' modules that they use, and from which their users obtain their software.

        reply to this | link to this | view in chronology ]

  • icon
    DB (profile), 21 Apr 2016 @ 10:41am

    Wait... why do we believe that the walk-back is real?

    Someone hacked the account and posted a bogus policy before, but this one is for real.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 Apr 2016 @ 10:48am

      Re:

      Good point -- why isn't the CIO being prosecuted for hacking? He was obviously using an account without the authority to do so.

      reply to this | link to this | view in chronology ]

  • icon
    Adrian Cochrane (profile), 21 Apr 2016 @ 11:20am

    Then there's simply stronger assurance

    The other thing security-wise with free/open source software is that you can review the code yourself, or hire someone to do it for you, in order to better know it's secure. With proprietary software the best we can do is try to pick up suspicious networking, and beyond that give the vendor undeserved trust.

    Sure for a large project like an OS or it's kernel personal review is impractical* and we must put some trust in peer-review, but it's certainly practical for most applications.

    * Not that I don't enjoy trying.

    reply to this | link to this | view in chronology ]

  • icon
    Uriel-238 (profile), 21 Apr 2016 @ 2:22pm

    Wikipedia has an article on this approach and why it's a bad idea.

    Chief Information Officer Luke McCormack is a security-through-obscurity man.

    He believes in keeping things secure in the short run until the code gets leaked or the black box gets hacked externally.

    I bet he also likes to pretend everything is fine after FBI code's exploits are well known and abused.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Apr 2016 @ 7:01am

    "Contrary to the CIO's statements, open source software can actually be safer than closed source options. More eyes on the source means more people finding flaws and holes and working towards fixes, rather than simply compiling internal discoveries and forwarding them to the vendor and allowing the company to determine which holes/flaws should be repaired and in which order. "

    That's the crux of the situation. While open source CAN be safer than closed source due to anyone being able to review the code, it doesn't necessarily follow that the people with the right skill sets will be interested enough to review it.

    There are any number of cases where completely open source projects have had critical security bugs for many years that no one caught because no one bothered to review the code for flaws and errors. Open source is not a silver bullet for security concerns especially if you're using poorly written software or niche software that few people ever see to begin with.

    It's only with thorough audits of 100% of the code base on a regular basis by skilled security specialists does this mantra hold water. The majority of open source projects, even the big ones, don't get this kind of regular scrutiny because it's very labor intensive and requires those with well above average code skill sets.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Apr 2016 @ 2:54am

      Re:

      LOL @"above average code skill sets". Most government software is so poorly written that a simple run through Cppcheck (and maybe something like Dr. Memory) would throw up at least a dozen critical issues.

      Then again we're talking "left-pad" level here aren't we?
      And that's more about laziness than poor coding skills.

      But hay, with MS's new Linux layer, maybe we'll get some proper Valgrind support in VS. Looks more likely than getting people on proper C++11.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Apr 2016 @ 2:47am

    Regarding code review, human understanding tops (and goes out the window) at about 6000 relations per module.
    And that's for the best engineers; so for something complex like OpenSSL you could see bugs going undetected.

    Obviously not having the code out in the open would be somewhat more "secure"!? But for how long really?

    We're talking "hardened criminals" here right? /s

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: Copying Is Not Theft
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.