Open Source Pork

The adorably named “Snort” project has been the mainstay of open source intrusion detection systems for as long as I can remember. The success of Snort and its commercial wing, SourceFire, is one of the early successes of open source, especially in security. On July 5th, the Open Information Security Foundation, a consortium of companies and government agencies who want to experiment with new approaches to the IDS problem, released version 1.0 of their Suricata project. It’s great to see government agencies make use of the open source development process to collaborate with the private sector and advance technology in this important niche of the security ecosystem. But so far, the story is pretty boring.

But wait! It’s not boring at all, because at the same time as Suricata is released, the Washington Post’s Top Secret Nation series is running. A pall suddenly falls over every aspect of government, especially in security, and especially for Dana Blankenhorn of ZDNet. “Private open source security is not amused,” and neither is Blankenhorn, who is quickly becoming my favorite source of new material:

“The idea seems to be that military contractors will, together, copy the most useful open source tools under their own control, claiming it’s for security, and thus think they are delivering on the Administration’s open source promises while continuing to charge out the wazoo.”

Whoa. There’s a lot of red meat in there, so let’s untangle the argument. First, he presumes that someone is getting charged out the wazoo. I don’t know where he gets that impression. Second, he presumes that releasing the code is a cynical act to satisfy an utterly non-existent promise from the Administration. Believe me, if the Administration officially promised anything to do with open source, I’d be shouting it from the rooftops. Third, he presumes that the OISF is not entitled to use open source code, which makes no sense whatever. The whole point of open source software is to share, borrow, and take advantage of the collective intelligence of the community. Fourth, he drags out the increasingly facile cliché of “military contractors” with “ties to government”. As I’ve said before, you can feel how you want about the DOD or the government, but it doesn’t have anything to do with code that’s available to the community.

Here’s another way to tell the story: public and private sector organizations rely on Snort, but are (right or wrong) dissatisfied with it. Maybe it’s the architecture. Maybe it’s the licensing. They decide that they should work together on a different approach. Can we all agree that this is perfectly reasonable? Isn’t this exactly how communities get formed?

Now, this could have gone horribly wrong. All too often, a government contractor will ask the government for money to develop some new technology. Once developed, the government gets rights to use it, but the contractor owns it. The contractor now has a shiny new technology that it can charge both citizens and the government for commercializing. This happens all the time. In some cases, it makes sense. In other cases, it creates monopolies and is an incredible waste of taxpayer dollars. I’ve mentioned John Scott’s take on this before.

But that’s not what happened here. Instead, all the concerned groups got together and decided that they wanted to build something of their own. They wanted to try something new. Instead of keeping that work to themselves, or entering a potentially wasteful procurement process, they decided that they would try their experiment under the open source model. Let me be clear: this is a success story. This is exactly what we want. No inadvertent monopolies, no wasteful contracting, no redundancy, just useful code that everyone can benefit from.

There’s another theme in Blankenhorn’s article, which suggests that the government is trying to starve out private industry. If the government had paid a company to create a proprietary product that it could just as easily have grabbed off-the-shelf from someone else, that’s not just a bad idea, it’s against the rules. Specifically, 41 USC Sec. 253a and FAR 10.001. But that’s not what happened here. First, they wanted to try a new approach that wasn’t available on the open market. Second, the code was released for anyone to use — even SourceFire. No one is getting special treatment. I think it’s very difficult to argue that OISF “shouldn’t” do this without slipping into a protectionism argument that favors SourceFire — which, by the way, doesn’t need any protectionism:

“During the company’s earnings call, its officers were quick to note that only 30% of its revenue comes from government and only two-thirds of that comes from the federal government. Even if the OISF took away its federal work, in other words, it would be OK.”

So what’s the problem here? I see a responsible use of government funds, new code in the open source community, and a functioning, competitive market. So thanks to OISF, thanks to DHS for funding the project, and thanks to Snort and SourceFire for your tireless work to improve the IDS field.