[dundee] U.S. Dept of Defense & Open-Source Software

Rick Moynihan rick.moynihan at gmail.com
Fri Oct 30 00:04:03 UTC 2009


2009/10/29 gordon dunlop <astrozubenel at googlemail.com>:
> This is an article where the U.S. Department of Defense clarifies the use of
> open-source software and puts it on level terms with proprietary software,
> U.K. take note, no-one wants to see aircraft and warships etc. crippled by
> silly viruses e.g. conficker.
>
>  http://gcn.com/Articles/2009/10/28/DoD-OSS-II.aspx?Page=1

Neat... Reminds me of this article I read in the New York Times about
the potential for "kill switches" to be hidden in the commodity
hardware that gets used in high-tech weaponry.

http://www.nytimes.com/2009/10/27/science/27trojan.html?_r=1

(Sorry for the NYT link (use bugmenot to read the full article if you
have problems)).

How can the US know that their shiny new F-22s can't be bricked
mid-flight via a trojan inserted by that Chinese semiconductor
fabricator who was contracted to print the chips?  Answer... they
don't.

Interesting that they suspect Israel of switching the Syrian air
defence system off when they launched the air strike on their nuclear
reactor.

Open Source along with an auditing process has to be a good solution
to this (for the software/firmware at least).  For details on the
relatively trivial forensics for spotting when people sneak security
patches (good or malicious) through the back door, see this post
describing how Zed Shaw found out what the undisclosed (but patched)
security vulnerabilities were in Ruby/Rails.  (IIRC the Ruby devs
discovered a vulnerability and patched it secretly to protect the
likes of Twitter.)

http://www.zedshaw.com/essays/the_big_ruby_vulnerabilities.html

That reminds me, git bisect is awesome for discovering exactly when
(i.e. which commit/version) software was patched to fix a particular
issue.

R.
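As an added worked example of the "git bisect" point above (not part of the original message or of any real project): the script below constructs a throwaway repository with eight commits, quietly lands a length check in a constructed `parser.rb` under the innocuous message "Minor cleanup in parser", and then uses `git bisect run` with custom `unfixed`/`fixed` terms to recover exactly which commit introduced the check. The repo, the vulnerable/fixed file contents and the commit messages are all invented here for illustration; the only requirement is a `git` new enough to accept `--term-old`/`--term-new` (git 2.7 or later).

```shell
#!/bin/sh
# Added example: find the commit that silently introduced a security fix.
# Nothing here comes from the mailing-list post; the history is constructed.
set -eu
export LC_ALL=C

# Build a constructed history in $1: commits 1-5 ship an unchecked
# Marshal.load, commits 6-8 carry a size check buried under a bland message.
make_history() (
    repo=$1
    rm -rf "$repo"
    mkdir -p "$repo"
    cd "$repo"
    git init -q
    git config user.name "example"
    git config user.email "example@example.invalid"
    git config commit.gpgsign false
    i=1
    while [ "$i" -le 8 ]; do
        if [ "$i" -lt 6 ]; then
            # constructed "before" version: deserialises untrusted input as-is
            cat > parser.rb <<'EOF'
def load_param(raw)
  Marshal.load(raw)
end
EOF
        else
            # constructed "after" version: the quiet fix adds a size guard
            cat > parser.rb <<'EOF'
def load_param(raw)
  raise ArgumentError, "too big" if raw.bytesize > 1024
  Marshal.load(raw)
end
EOF
        fi
        echo "build $i" > VERSION
        git add parser.rb VERSION
        if [ "$i" -eq 6 ]; then
            git commit -q -m "Minor cleanup in parser"
        else
            git commit -q -m "Release build $i"
        fi
        i=$((i + 1))
    done
)

# Bisect the repo in $1 for the first commit whose parser.rb contains the
# guard, and print that commit's full SHA.  The probe script exits 0 when the
# fix is absent (term "unfixed") and 1 when it is present (term "fixed"),
# which is the convention `git bisect run` expects for old/new.
find_fix_commit() (
    repo=$1
    probe=$(mktemp)
    cat > "$probe" <<'EOF'
#!/bin/sh
if grep -q 'raise ArgumentError' parser.rb; then exit 1; else exit 0; fi
EOF
    cd "$repo"
    root=$(git rev-list --max-parents=0 HEAD)
    git bisect start --term-old=unfixed --term-new=fixed >/dev/null
    git bisect unfixed "$root" >/dev/null
    git bisect fixed HEAD >/dev/null
    out=$(git bisect run sh "$probe" 2>&1)
    git bisect reset >/dev/null 2>&1
    rm -f "$probe"
    printf '%s\n' "$out" | grep 'is the first fixed commit' | head -n 1 | cut -d' ' -f1
)

# Stand-alone demo: build the history, bisect it, and show the hidden patch.
work=$(mktemp -d)
make_history "$work/repo"
sha=$(find_fix_commit "$work/repo")
git -C "$work/repo" log -1 --format='%h %s' "$sha"
git -C "$work/repo" show --format= "$sha" -- parser.rb
rm -rf "$work"
```

The last `git show` is the forensic step: once bisect has pinned the commit, the diff of `parser.rb` makes the undisclosed guard obvious regardless of how the commit message describes it. On a real project the probe would build and run the regression test for the bug rather than grep for a string, but the bisect mechanics are identical.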