Linux Today: Linux News On Internet Time.

More on LinuxToday

Editor's Note: Lines on a Map

Mar 24, 2006, 23:30 (20 Talkback[s])
(Other stories by Brian Proffitt)

Like many Americans, I am struggling to come to terms with how my country's leadership is dealing with the rest of the world. The Bush administration seems hell-bent on its policy of "preemptive protectionism," and we're angering pretty much any country that does any kind of business with us.

Which means pretty much everyone.

I struggle with this because I understand that there are bad people in the world, and as the father of two, any legitimate efforts to keep my children safe are welcome. The key word here is legitimate, and I'm not sure that flipping off the rest of the planet qualifies. Curiously, in their zeal to protect all that is ours, the US government's own methods have been tossed back at them.

Witness the isolationist reaction to the Dubai ports deal. Whether you agree or disagree with foreign ownership of US ports, it is pretty obvious that the whole Islam=bad nonsense shoved down the American people's throats was a big part of the disagreeing side's arguments. Ironic, given that the purveyors of this ridiculous concept wanted the ports deal to go through.

More recently, the United Kingdom, one of the US's oldest allies, announced it is fully prepared to kill a $12 billion [€10 billion] deal for 150 F-35 (Joint Strike Fighter) jets unless the US hands over the source code for the software that controls the planes. The stance is simple and direct: unless the UK can have the source code, there will always be a danger that the original manufacturer of the jets--the US--could have the ability to turn the planes off in a combat situation.

Talk about an erosion of trust, though I happen to agree with the UK's point.

And then there was today, when Israeli software firm Check Point opted to pull out of its $225 million [€187 million] acquisition deal for US-based Sourcefire, which owns and develops the open source intrusion-detection tool known as Snort. This was after FBI and Department of Defense testimony before the Treasury Department's Committee on Foreign Investments. Basically the FBI and the Pentagon are long-time users of Snort and they had problems with a foreign corporation having control over such a critical piece of software.

Now, the reason for my pointing all of this out is not to start ranting about US policy--at least, not in a political sense. But when I read about the cancellation of the Check Point acquisition, something bothered me about the response of the government agencies in a technical sense. It seems that even though they use open source products, the government doesn't really "get" open source. And if they don't get it, they might be in a position to do some real harm to open source in the future.

There are two technical inconsistencies, at least on the surface, with the DoD/FBI testimony.

First, they have misgivings about Check Point owning the Snort code and patents. According to Martin Roesch, founder and CTO of Sourcefire (and Snort inventor), there are no plans to shift Snort away from an open license. So, even though an Israeli firm would own Snort, the code is still transparent and easily scrutinized by any customer of Snort.

There is, of course, the possibility that Check Point would close the code. At that point, a fork could be started, and customers would still have the IDS system of their choice. (I can blow my forking argument by mentioning those patents. The US loses a useful piece of security tech due to patents? Gee, there's more of that irony again.)

Second, am I to understand that every collaborator of Snort is a bona fide US citizen? I would imagine that somewhere along the line, a non-US programmer would have already participated in Snort development. Even if not, I know a huge cross-section of open source projects have international participation. Should someone let the National Security Agency know that the kernel for SELinux was invented by--gasp!--a Finn?

Though the arguments against the Sourcefire acquisition were technical in nature, no one should be naïve enough to think that this was a very political decision. But it concerns me that if wrong-headed technical arguments will be successfully used like this, how long is it before someone gets the really bone-headed idea that any international participation in an open source project is a security problem? And, while it is easy to point at the US government as the likely perpetrator of such a dumb idea, it could just as easily be some other nation.

The very cynical part of me wonders if that is indeed the expected outcome. Who knows what proprietary companies are whispering just such tales of horror in lawmakers' and officials' ears? If that is indeed the case, this strategy will definitely come around and bite those companies on their collective butts, when the rest of the world wonders why they have to put up with American software.

Back to the topic at hand. The best way to combat such ignorance about open source is though education, and it is becoming more important than ever to educate lawmakers about how and why open source works. If nothing else, the transparency of open and free software is the best combatant against the FUD of international politics.

Maybe the trust and cooperation found in trans-national open source projects will even rub off on international leaders.

One can hope.