Skip to content

Tag Archives: selinux

How Linux, sandboxes and happy accidents can help a soldier.

A small piece, very loosely coupled.

Today, we announced that Red Hat Enterprise Linux is shooting for its 14th Common Criteria certification. My job means I get excited about Common Criteria certifications, which also means I’m unpopular at dinner parties. This certification, though, has me more excited than usual, because it means much more than a rubber stamp from a certification body. With this certification, we’re including the SELinux security system and the KVM virtualization system. In short, it means being able to run many systems on one piece of hardware, and making sure that those systems can’t touch each other.

If you’ve seen me speak in the last few months, you’ve heard me talk about how the modular design of open source projects. Staying modular allows for new features to emerge by combining different, often unrelated components. Also, this “small pieces, loosely coupled” approach brings new features faster because improvements to one component don’t disrupt the whole system. I talk about the Linux community getting their “chocolate in their peanut butter, and their peanut butter in their chocolate,” which is more fun to say than “Linux creates an environment for emergent capabilities.”

Lockheed Goes Open Source. Blankenhorn Hates It.

A Tin Foil Hat

Courtesy CycleDog, Licensed CC-BY-NC

I was really pleased to read the announcement that Lockheed Martin’s social networking platform, EurekaStreams, was released as an open source project today. Lockheed is a very conservative company, and while they’re happy to use open source internally and on projects for their customers, this is their first experiment with actually running a project themselves. I think it’s a big deal, not just for Lockheed Martin, but for large corporations who are considering a more open, more innovative approach to software development. And yet, Dana Blankenhorn hates it:

I don’t see anything in Eureka Streams I can’t do in Drupal, or a number of other high-quality open source projects that have existed for years. Lockheed has reinvented the wheel — why?

So here’s the nice thing about the open source community: competition. If I think I’ve come up with a better way to solve a problem, it can easily compete with the incumbents. Low barrier to entry, we say. Let the best ideas win. Unless, apparently, the best ideas come from a company I don’t like.

Then things start going sideways:

The NSA’s Security Challenge

Using open source software, the National Security Agency was able to gather a community of professional and amateur security experts together to make unprecedented security protections available to public.

The National Security Agency has a mission. It is not just the nation’s code keeper and code breaker, but it must ensure the security of the nation’s digital infrastructure. Ironically, it had a security problem: the ecosystem for software that was keeping top secret information secret was deeply broken. There was little competition, no innovation and this essential software was expensive, slow to market, and antiquated.

Multi-Level Security, or MLS, is a complex problem: how to allow data with many different security classifications exist on the same machine? MLS software is difficult to get right, and easy to get wrong. It is subject to a stringent certification process. Although useful in certain areas of the private sector, there’s really only one customer for this kind of software: government. Once you’ve deployed MLS software, it’s very difficult to move to another solution as every MLS system was different. These are near-perfect conditions for very expensive, proprietary software that doesn’t innovate.