Like many Americans, I am struggling to come to terms with how
my country’s leadership is dealing with the rest of the world. The
Bush administration seems hell-bent on its policy of “preemptive
protectionism,” and we’re angering pretty much any country that
does any kind of business with us.
Which means pretty much everyone.
I struggle with this because I understand that there are bad
people in the world, and as the father of two, any legitimate
efforts to keep my children safe are welcome. The key word here is
legitimate, and I’m not sure that flipping off the rest of the
planet qualifies. Curiously, in their zeal to protect all that is
ours, the US government’s own methods have been tossed back at
them.
Witness the isolationist reaction to the Dubai ports deal.
Whether you agree or disagree with foreign ownership of US ports,
it is pretty obvious that the whole Islam=bad nonsense shoved down
the American people’s throats was a big part of the disagreeing
side’s arguments. Ironic, given that the purveyors of this
ridiculous concept wanted the ports deal to go
through.
More recently, the United Kingdom, one of the US’s oldest
allies, announced it is
fully prepared to kill a $12 billion [€10 billion] deal
for 150 F-35 (Joint Strike Fighter) jets unless the US hands over
the source code for the software that controls the planes. The
stance is simple and direct: unless the UK can have the source
code, there will always be a danger that the original manufacturer
of the jets–the US–could have the ability to turn the planes off
in a combat situation.
Talk about an erosion of trust, though I happen to agree with
the UK’s point.
And then there was today, when Israeli software firm Check Point
opted to pull out of its $225 million [€187 million]
acquisition deal for US-based Sourcefire, which owns and develops
the open source intrusion-detection tool known as Snort. This was
after FBI and Department of Defense testimony before the Treasury
Department’s Committee on Foreign Investments. Basically the FBI
and the Pentagon are long-time users of Snort and they had problems
with a foreign corporation having control over such a critical
piece of software.
Now, the reason for my pointing all of this out is not to start
ranting about US policy–at least, not in a political sense. But
when I read about the cancellation of the Check Point acquisition,
something bothered me about the response of the government agencies
in a technical sense. It seems that even though they use
open source products, the government doesn’t really “get” open
source. And if they don’t get it, they might be in a position to do
some real harm to open source in the future.
There are two technical inconsistencies, at least on the
surface, with the DoD/FBI testimony.
First, they have misgivings about Check Point owning the Snort
code and patents.
According to Martin Roesch, founder and CTO of Sourcefire (and
Snort inventor), there are no plans to shift Snort away from an
open license. So, even though an Israeli firm would own Snort, the
code is still transparent and easily scrutinized by any customer of
Snort.
There is, of course, the possibility that Check Point would
close the code. At that point, a fork could be started, and
customers would still have the IDS system of their choice. (I
can blow my forking argument by mentioning those patents.
The US loses a useful piece of security tech due to patents? Gee,
there’s more of that irony again.)
Second, am I to understand that every collaborator of
Snort is a bona fide US citizen? I would imagine that somewhere
along the line, a non-US programmer would have already participated
in Snort development. Even if not, I know a huge cross-section of
open source projects have international participation. Should
someone let the National Security Agency know that the kernel for
SELinux was invented by–gasp!–a Finn?
Though the arguments against the Sourcefire acquisition were
technical in nature, no one should be naïve enough to think
that this was not a very political decision. But it concerns me: if
wrong-headed technical arguments can be successfully used like
this, how long is it before someone gets the really bone-headed
idea that any international participation in an open source project
is a security problem? And, while it is easy to point at the US
government as the likely perpetrator of such a dumb idea, it could
just as easily be some other nation.
The very cynical part of me wonders if that is indeed the
expected outcome. Who knows what proprietary companies are
whispering just such tales of horror in lawmakers’ and officials’
ears? If that is indeed the case, this strategy will definitely
come around and bite those companies on their collective butts,
when the rest of the world wonders why they have to put up
with American software.
Back to the topic at hand. The best way to combat such ignorance
about open source is through education, and it is becoming more
important than ever to educate lawmakers about how and why open
source works. If nothing else, the transparency of open and free
software is the best combatant against the FUD of international
politics.
Maybe the trust and cooperation found in trans-national open
source projects will even rub off on international leaders.
One can hope.