The MIT Technology Review writes in a long form article about how DARPA has rediscovered Free and Open Source Software, or at least the latter, and how it is now found everywhere across the board. As far as the Internet and the World Wide Web goes, its ubiquity has been a given since they were founded on it, but nowadays even at least 70% of closed source, proprietary products also contain lots of it. DARPA is worried about the kernel Linux in particular and the vetting process for adding code to the project specifically.
Now DARPA, the US military's research arm, wants to understand the collision of code and community that makes these open-source projects work, in order to better understand the risks they face. The goal is to be able to effectively recognize malicious actors and prevent them from disrupting or corrupting crucially important open-source code before it's too late.
DARPA's "SocialCyber" program is an 18-month-long, multimillion-dollar project that will combine sociology with recent technological advances in artificial intelligence to map, understand, and protect these massive open-source communities and the code they create. It's different from most previous research because it combines automated analysis of both the code and the social dimensions of open-source software.
"The open-source ecosystem is one of the grandest enterprises in human history," says Sergey Bratus, the DARPA program manager behind the project.
"It's now grown from enthusiasts to a global endeavor forming the basis of global infrastructure, of the internet itself, of critical industries and mission-critical systems pretty much everywhere," he says. "The systems that run our industry, power grids, shipping, transportation."
Recently, software appears to have been occupying a lot of attention over in Washington, DC. Unfortunately occasional lines in mainstream articles indicate that it is M$ and M$ lobbyists are steering the policy discussion there. It appears that they are spending an enormous amount of time in direct contact with politicians and policy makers, all the while log4j is still getting milked by them as a distraction from all the actively exploited vulnerabilities in their own products.
Related Stories
US Senators Gary Peters (D-MI) and Rob Portman (R-OH) introdced S.4913 - Securing Open Source Software Act of 2022 the other day. It has been read twice and referred to the Committee on Homeland Security and Governmental Affairs. Here is the US Senate's press release:
U.S. Senators Gary Peters (D-MI) and Rob Portman (R-OH), Chairman and Ranking Member of the Homeland Security and Governmental Affairs Committee, introduced bipartisan legislation to help protect federal and critical infrastructure systems by strengthening the security of open source software. The legislation comes after a hearing convened by Peters and Portman on the Log4j incident earlier this year, and would direct the Cybersecurity and Infrastructure Security Agency (CISA) to help ensure that open source software is used safely and securely by the federal government, critical infrastructure, and others. A vulnerability discovered in Log4j – which is widely used open source code – affected millions of computers worldwide, including critical infrastructure and federal systems. This led top cybersecurity experts to call it one of the most severe and widespread cybersecurity vulnerabilities ever seen.
[...] The overwhelming majority of computers in the world rely on open source code – freely available code that anyone can contribute to, develop, and use to create websites, applications, and more. It is maintained by a community of individuals and organizations. The federal government, one of the largest users of open source software in the world, must be able to manage its own risk and also help support the security of open source software in the private sector and the rest of the public sector.
The Securing Open Source Software Act would direct CISA to develop a risk framework to evaluate how open source code is used by the federal government. CISA would also evaluate how the same framework could be voluntarily used by critical infrastructure owners and operators. This will identify ways to mitigate risks in systems that use open source software. The legislation also requires CISA to hire professionals with experience developing open source software to ensure that government and the community work hand-in-hand and are prepared to address incidents like the Log4j vulnerability. Additionally, the legislation requires the Office of Management and Budget (OMB) to issue guidance to federal agencies on the secure usage of open source software and establishes a software security subcommittee on the CISA Cybersecurity Advisory Committee.
(Score: 2, Insightful) by SomeRandomGeek on Monday July 18 2022, @03:12PM (5 children)
Eventually, the government will figure out that if they are concerned about the security of open source software, they can contribute to securing it.
They can contribute directly. But also, they currently "ensure" the security of closed source software by setting security standards for the private companies that they buy from. The government could easily change those standards to include those private companies contributing the to the security of open source software included in their products.
(Score: 4, Insightful) by crafoo on Monday July 18 2022, @04:52PM (2 children)
it's so adorable that you think your government even considers your best interests.
> Eventually, the government will figure out that if they are concerned about the security of open source software, they can contribute to securing it.
No they won't and that's not their goal in the first place. That's just the story.
Imagine your typical DMV, but with guns and a massive sense of entitlement and arrogance.
(Score: 2) by Freeman on Monday July 18 2022, @05:48PM
You've just described Texas DMVs. Okay, they probably can't take their guns with them to work.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2) by JoeMerchant on Monday July 18 2022, @08:10PM
There are some basic personality profile differences between the military and the DMV, yes both have outsized entitlement, but DMV isn't inclined to think in terms of deadly force. If they were they would move faster and also not grant operators licenses to so many 80+ year olds.
🌻🌻 [google.com]
(Score: 5, Insightful) by RS3 on Monday July 18 2022, @05:12PM
I believe they did and that's what SELinux is: https://www.redhat.com/en/topics/linux/what-is-selinux [redhat.com]
(Score: 3, Insightful) by JoeMerchant on Monday July 18 2022, @08:13PM
>those standards to include those private companies contributing the to the security of open source software included in their products.
This is coming to medical devices as we speak.
If open source is scary, closed source should be terrifying.
🌻🌻 [google.com]
(Score: 3, Touché) by sgleysti on Monday July 18 2022, @03:49PM (3 children)
This is a good article on an important topic, but it's not a long form article. It's normal length. Just saying.
(Score: 1) by Runaway1956 on Monday July 18 2022, @04:27PM (2 children)
For politicians, anything over 50 words is "long form". All they want is the 3 to 10 word soundbyte.
(Score: -1, Redundant) by Anonymous Coward on Monday July 18 2022, @04:44PM (1 child)
For Republican politicians, anything over 50 words is "long form".
TFTFY
(Score: 1, Redundant) by Runaway1956 on Monday July 18 2022, @05:56PM
You know, I think you might be correct. And, Democrats are limited to 16 words.
(Score: 3, Offtopic) by jasassin on Monday July 18 2022, @04:27PM
It’s the assholes that do this kind of shit are the reason why we can’t have nice things. I can understand wanting to steal cryptocurrency, and I personally couldn’t give a shit less, but the malware just to fuck with shit really grinds my gears. It’s like the asshats that key super expensive cars because they are jealous or envious or whatever is going through their stupid pissant minds. The thought of doing that kind of thing has never crossed my mind.
Fuck cryptocurrency, but stealing is wrong.
jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
(Score: 2) by PiMuNu on Monday July 18 2022, @08:48PM
ROFL
(Score: 3, Funny) by bmimatt on Tuesday July 19 2022, @12:15AM
...we are here to help.
(Score: 2, Funny) by pD-brane on Tuesday July 19 2022, @06:39PM
Would it not be more efficient and in line with their principles if the US government just prosecute Lennart Poettering without due process, or did he already flee to Russia?