The national security risk of secure software

Here is a new twist on the Bush Administration’s concern about national security, and their concern about open ports (ha ha). The AP reports that the US government is worried that their intrusion detection system of choice is about to be purchased by an Israeli company:

The contrast between the administration’s handling of the $6.8 billion Dubai ports deal and the Israeli company’s $225 million technology purchase offers an uncommon glimpse into the U.S. government’s choices to permit some deals but raise deep security concerns over others.

[…]

Under the sale, publicly announced Oct. 6, Check Point would own all Sourcefire’s patents, source-code blueprints for its software and the expertise of employees.

One might think this would be less of a problem for national security if Sourcefire were open source; however, the article first suggests that officials are concerned about the fate of Snort, but then says that they prefer it because it is open source. Isn’t that a contradiction? Here, you figure it out:

The objections by the FBI and Pentagon were partly over specialized intrusion detection software known as “Snort,” which guards some classified U.S. military and intelligence computers.

[…]

Sourcefire’s protection and monitoring technology builds on the popularity of Snort, which was created by its chief technology officer and is distributed free. Unlike Sourcefire’s commercial products, Snort’s blueprints are open for inspection to assure it works as advertised. This makes it popular inside the U.S. intelligence community, even alongside more mainstream security products from Cisco Systems Inc. or Juniper Networks Inc.

The funny thing I’ve noticed with Sourcefire is how annoyingly complex the management console tends to be, which sort of eliminates the value proposition over Snort. Even if you just want to apply the latest patch to a Sourcefire system you have to download the code to one system, then upload that code to the management console, then push the code out to the sensor, then notify the sensor to install the code that you just pushed. It tends to be a terribly slow and clumsy process that I have to explain over and over again when training someone on the system. Don’t get me wrong, I like the technical aspects of Sourcefire (mostly as it is still a derivative of Snort) and appreciate the system’s capabilities, but the GUI can be a real headache.

Anyway, I guess it says a lot that Check Point would rather extricate all of its software from the US government than forgo the acquisition of Sourcefire or allow all of the code to be open, at least to governments.

The DRM sleeps tonight

1939 was the year Solomon Linda recorded “Mbube” with The Evening Birds. 3rd Ear Music Forum has a nice write-up of the man who wrote the song commonly known as “The Lion Sleeps Tonight”:

This one’s for Solomon Linda, then, a Zulu who wrote a melody that earned untold millions for white men but died so poor that his widow couldn’t afford a stone for his grave. Let’s take it from the top, as they say in the trade.

[…]

What might all this represent in songwriter royalties and associated revenues? I put the question to lawyers around the world, and they scratched their heads. Around 160 recordings of three versions? Thirteen movies? Half a dozen TV commercials and a hit play? Number Seven on Val Pak’s semi-authoritative ranking of the most-beloved golden oldies, and ceaseless radio airplay in every corner of the planet? It was impossible to accurately calculate, to be sure, but no one blanched at $15 million. Some said 10, some said 20, but most felt that $15 million was in the ball park.

Which raises an even more interesting question: What happened to all that loot?

The problem with information is the ease of transfer. For example, “identity theft” means someone else can profit by taking your identity and using it for their own financial gain without authorization. We all have multiple identities, if you will (e.g. father, brother, friend, son, boss), and an artist’s identity is often their business (singer, writer, comedian, etc.). The difference here seems to be that Solomon Linda was somehow convinced to transfer his identity/creation for only ten shillings.

Part Four: in which a moral is considered

Once upon a time, a long time ago, a Zulu man stepped up to a microphone and improvised a melody that earned in the region of $15 million. That Solomon Linda got almost none of it was probably inevitable. He was a black man in white-ruled South Africa, but his American peers fared little better. Robert Johnson’s contribution to the blues went largely unrewarded. Leadbelly lost half of his publishing to his white “patrons.” DJ Alan Freed refused to play Chuck Berry’s “Maybellene” until he was given a songwriter’s cut. Led Zeppelin’s “Whole Lotta Love” was nicked off Willie Dixon. All musicians were minnows in the pop-music food chain, but blacks were most vulnerable, and Solomon Linda, an illiterate tribesman from a wild valley where lions roamed, was totally defenseless against sophisticated predators.

Smoke chandelier

Apparently “fire is the most common of all business disasters”. Maybe the numbers will change slightly next year (given all the storms and flooding) but in the meantime here is a somewhat orthogonal way to protect possessions from devaluation due to fire: buy things already burned to a crisp.

Here is a fine example of what you can do with some fire and epoxy:

Burn it

Even more ironic, I suppose, if smoke became the hottest trend in industrial design. Or maybe it will become standard issue for emergency management agencies. Can you see FEMA with a few of these chairs?

Burning seat of fire
