<div dir="ltr"><div class="gmail_default" style="font-size:large">this may be of interest to TCMUG</div><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Van Dyke, Daryl</b> <span dir="ltr"><<a href="mailto:daryl_van_dyke@fws.gov">daryl_van_dyke@fws.gov</a>></span><br>Date: Tue, Nov 14, 2017 at 5:35 PM<br>Subject: [fws-gis] DOD moves to consolidate investment in FOSS<br>To: fws-gis gis <<a href="mailto:fws-gis@lists.fws.gov">fws-gis@lists.fws.gov</a>><br><br><br>******************************<wbr>******************************<wbr>***************<br>
Reply to this list by replying to fws-gis.<br>
[Do not include cc's or bcc's. These people are subscribed.]<br>
Alternatively, you can reply directly to the poster of this<br>
message by using his/her email address.<br>
******************************<wbr>******************************<wbr>***************<br>
<br>
<br>
Hi All-<br>
<br>
You may have read, the DOD is setting explicit goals to migrate to FOSS<br>
(Free and Open-Source) software. They have released this very thoughtful<br>
FAQ on the subject <<a href="http://dodcio.defense.gov/Open-Source-Software-FAQ" rel="noreferrer" target="_blank">http://dodcio.defense.gov/<wbr>Open-Source-Software-FAQ</a>>.<br>
<br>
While cost-savings are part of the justification, the primary reasons<br>
identified are increased security through code transparency and frequency<br>
of updates. The exact language is given below.<br>
<br>
I thought we should recognize the groundwork being set by the DOD, NSA, and<br>
other organizations in Federal service to increase the value and security<br>
of our actions for our trust resources.<br>
<br>
Daryl<br>
<br>
<br>
<br>
Q: Doesn't hiding source code automatically make software more secure?<br>
<br>
No. Indeed, vulnerability databases such as CVE make it clear that merely<br>
hiding source code does not counter attacks:<br>
<br>
- Dynamic attacks (e.g., generating input patterns to probe for<br>
vulnerabilities and then sending that data to the program to execute) don’t<br>
need source or binary. Observing the output from inputs is often sufficient<br>
for attack.<br>
- Static attacks (e.g., analyzing the code instead of its execution) can<br>
use pattern-matches against binaries - source code is not needed for them<br>
either.<br>
- Even if source code is necessary (e.g., for source code analyzers),<br>
adequate source code can often be regenerated by disassemblers and<br>
decompilers sufficiently to search for vulnerabilities. Such source code<br>
may not be adequate to cost-effectively *maintain* the software, but<br>
attackers need not maintain software.<br>
- Even when the original source is necessary for in-depth analysis,<br>
making source code available to the public significantly aids defenders and<br>
not just attackers. Continuous and broad peer-review, enabled by publicly<br>
available source code, improves software reliability and security through<br>
the identification and elimination of defects that might otherwise go<br>
unrecognized by the core development team. Conversely, where source code is<br>
hidden from the public, attackers can attack the software anyway as<br>
described above. In addition, an attacker can often acquire the original<br>
source code from suppliers anyway (either because the supplier voluntarily<br>
provides it, or via attacks against the supplier); in such cases, if only<br>
the attacker has the source code, the attacker ends up with another<br>
advantage.<br>
<br>
Hiding source code *does* inhibit the ability of third parties to respond<br>
to vulnerabilities (because changing software is more difficult without the<br>
source code), but this is obviously *not* a security advantage. In general,<br>
“Security by Obscurity” is widely denigrated.<br>
<br>
This does *not* mean that the DoD will reject using proprietary COTS<br>
products. There are valid business reasons, unrelated to security, that may<br>
lead a commercial company selling proprietary software to choose to hide<br>
source code (e.g., to reduce the risk of copyright infringement or the<br>
revelation of trade secrets). What it does mean, however, is that the DoD<br>
will not reject consideration of a COTS product merely because it is OSS.<br>
Some OSS is very secure, while others are not; some proprietary software is<br>
very secure, while others are not. Each product must be examined on its own<br>
merits.<br>
<br>
<br>
<br>
--<br>
______________________________<wbr>___________<br>
Daryl Van Dyke<br>
GIS Analyst<br>
Klamath Strategic Habitat Conservation Team<br>
US Fish & Wildlife Service - AFWO, R8<br>
(707) 825-5153<br>
<a href="https://github.com/GeospatialDaryl" rel="noreferrer" target="_blank">https://github.com/<wbr>GeospatialDaryl</a><br>
<br>
******************************<wbr>******************************<wbr>****************<br>
To get general information about this list send e-mail to <a href="mailto:fws-gis-request@lists.fws.gov">fws-gis-request@lists.fws.gov</a> with 'faq' in the subject line.<br>
There is also on-line help with the commands. Go to <a href="https://www.fws.gov/lists/listinfo/fws-gis" rel="noreferrer" target="_blank">https://www.fws.gov/lists/<wbr>listinfo/fws-gis</a><br>
To unsubscribe, send e-mail to <a href="mailto:fws-gis-request@lists.fws.gov">fws-gis-request@lists.fws.gov</a> with 'unsubscribe' in the subject line.<br>
******************************<wbr>******************************<wbr>****************</div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><font face="tahoma, sans-serif" size="4"><b>Brian Huberty</b></font><div><font face="tahoma, sans-serif">U.S. Fish & Wildlife Service, Ecological Services</font></div><div><font face="tahoma, sans-serif">Upper Midwest - Great Lakes Region</font></div><div><font face="tahoma, sans-serif">5600 American Blvd W, Suite 990</font></div><div><font face="tahoma, sans-serif">Bloomington, MN 55437</font></div><div><b><br></b></div><div><font face="tahoma, sans-serif"><b>(612) 713-5332 Office</b></font></div><div><font face="tahoma, sans-serif">(612) 308-7306 Cell</font></div><div><span style="font-family:tahoma,sans-serif"><b><a href="mailto:brian_huberty@fws.gov" target="_blank">brian_huberty@fws.gov</a></b></span></div></div>
</div>