CRIME Feds say "never again" to Open Source

From: Andrew Plato (aplato@private)
Date: Mon Aug 26 2002 - 11:06:51 PDT


    Uh oh...
    
    Got this from WorldTechTribune: http://www.worldtechtribune.com/worldtechtribune/asparticles/buzz/bza08162002.asp
    
    Security Enhanced Linux, or SE Linux, was touted by open source advocates as the US National Security Agency’s secure, open source computing platform for use on NSA and other US government networks.  Released under the General Public License (GPL) in 2001, the NSA’s SE Linux was lauded by open source proponents as a step in the right direction towards mass acceptance of Linux and the GPL’s “open” method of software development. 
    SE Linux, like all other open source software projects released under the GPL, was a true community effort. Anyone who wanted to view and modify SE Linux’s source code was free to do so, as long as they gave their modified code back to the SE Linux community. Proponents of open source claimed that because the Cold War is over, government agencies like the NSA would benefit from the more open-minded “thousand eyes” approach (where thousands of volunteer open source programmers from any country view and debug a program’s source code from remote locations via the Internet) that both the GPL and open source development offer.
    Although this community-based development method where no entity can claim ownership of the software flew in the face of previous development practices for the NSA, one of the American government's premier security organizations, open source advocates convinced the NSA that SE Linux would enhance the government's cyber security by releasing the source code to a worldwide audience of open source programmers.
    The SE Linux project was developed during the Clinton administration in the summer of 1999 with the goal of providing “a well-documented example of how strong mandatory access controls can be effectively added to a mainstream operating system” and “eventually incorporat[ing] these [security enhancements] into the Linux kernel” according to an NSA spokeswoman in 2001. 
    Now, only a year after the release of SE Linux, the NSA has dropped its support for any future cyber security products based on the open source method. NSA officials say their cyber security enhancements made for SE Linux have not only benefited the NSA, but because of the terms of the GPL have also strengthened the security architecture of computers used by malicious cyber terrorists around the world.
    "We didn’t fully understand the consequences of releasing software under the GPL," said Dick Schafer, deputy director of the NSA. “We received a lot of loud complaints regarding our efforts with SE Linux.”
    Opponents of the NSA’s decision to release SE Linux last year were characterized as being closed-minded and unable to see the big picture by most tech news organizations, but the NSA has now had to admit that the open source method was not in the best interest of national security.
    Deputy Director Schafer said that the GPL issue created so many problems for the security agency that “we won't be doing anything like that again.”
    



    This archive was generated by hypermail 2b30 : Mon Aug 26 2002 - 12:18:13 PDT