Open Source Security
Archive: November 2007

IBM has announced [1] plans to contribute to the Mifos [2] open source microfinance software project. Microfinanciers loan small sums of money to the extremely poor to help them get businesses off the ground, benefiting not only the person who receives the loan but the entire community. Kiva [3], while not affiliated with Mifos to my knowledge, is one of the best known players in this space. It is a microfinance loan aggregator where individuals can loan small sums of money to projects that they select. The Mifos community seems to be quite well established and extremely active.

Benjamin Rosenbaum has an interesting blog post [4] (from way back in April) on how Grameen and Kiva fit relative to each other in the microfinance world and the benefits and limitations of microfinance.

Anyway, this looks like a great opportunity for both IBM and Mifos and I’m thrilled to see this announcement. This is the type of announcement that after almost 11 years with IBM, still makes me proud to be an IBMer.


The current issue of ENISA Quarterly [1], the magazine of the European Network and Information Security Agency (ENISA), highlights Trusted Computing. There are four articles on Trusted Computing – one of which compares TC to automobile airbags. There is an interesting article on Trusted Computing from a European perspective which covers the workshop of the same name held in Germany earlier this year. Another article touches on the OpenTC project’s goal of providing European citizens “informational self-determination” in a secure context. Also noteworthy is the call for papers for Trust 2008.


This combination of stories makes me crazy:

Just as Good as Windows isn’t Good Enough [1]
Choice quotes: “In the end, if all else is equal, Windows get the nod because it is a safe choice.” and “In this scenario, TCO does not come into play because ongoing support will be local and will come from other funding sources.”

A Little Laptop with Big Ambitions [2] (WSJ so no idea how long this will be available.)
Choice quotes: Last sentence in the article: “Just who would provide support a few years from now, he said, was ‘a frightening question.’ The students, he said, will need ‘to do as much maintenance as possible.’” and “Nigeria, for example, so far has failed to honor a pledge by its former president to purchase one million laptops.” and “It recently inked deals to sell hundreds of thousands of Classmates in Nigeria…”

and (though almost completely unrelated)
Software Group Targets Small Businesses
Choice quotes: “Of the $13 million that the BSA reaped in software violation settlements with North American companies last year, almost 90 percent came from small businesses, the AP found.” and “The letter demanded $67,000 — most of one year’s profit — or else the BSA would seek more in court. ‘It just scared the hell out of me,’” and “some employees had been unable to open files with the firm’s drafting software, so they worked around it by installing programs they found on their own” and “‘It was basically just a lack of knowledge and sloppy record-keeping on my part,’ said Gaertner, who ended up with a settlement that cost him $40,000.”

First off, it really bugs me that none of the articles pick up on the educational opportunities of having the source code available and the OLPC feature of actually showing the student the code that is running at the moment. I guess this is just too geeky to be considered relevant to the politicians and journalists.

But really, there are three issues at work in these articles: support, piracy/TCO/license management, and security/safety.

On support, the WSJ article cites OLPC support as lacking, emphasizing the importance of this point by ending the article with it. Yet, there is no discussion on Classmate support and the ZDNet blogger posts that Classmate support will be “local” which doesn’t sound much better to me than the OLPC support. Plus teaching the students how to support the OLPC (both hardware and software) provides another educational opportunity for the kids.

On piracy (and the cost/complexity of managing software licenses), while I don’t expect the BSA to go after school kids worldwide, it wouldn’t really shock me if they did, and they would conceivably be within their legal rights to do so. Who will manage the licenses for the software installed on the Classmates to ensure that they don’t run pirated software? Will the schools be responsible? The governments? The parents? The children? Will they implicitly allow piracy on the student laptops, training them to disregard the issue, and then smack them down once the children grow up and start their own small businesses?

And finally, on security, while Windows is mentioned as being perceived as the “safe choice” (and while I hate to pick on Nigeria here), it just makes me cringe to imagine hundreds of thousands of Windows laptops out there with none of the thoughtful security improvements of the OLPC that will prevent them from becoming spambots.


So, the One Laptop Per Child Get One, Give One program [1] started this week and I ordered one for my kids. I can’t wait to get it, try it out, and see what my kids will do with it. I downloaded the ISO earlier this year and tried it out, and it seems pretty awesome. My secret hope is that early education (pre-k) software will really take off on Linux once more of these have been distributed.

This occasion has prompted Jon Espenschied to write a very nice article called Security and the One Laptop Per Child sensibility [2] with his plea for improved security through simplicity. While I really love this article pointing out the problems associated with software becoming ever more complex, I think he has missed that the OLPC has added some radical new security features to help secure the laptop.

If you have a spare hour to dedicate to OLPC, I highly recommend listening to Ivan Krstic’s Google Tech Talk on the OLPC [3]. Ivan is the lead for OLPC security. This Tech Talk was primarily about the technical details of OLPC in general. He lays out the best arguments for the project (to refute the common complaint about why laptops rather than food). He points out that a primary motivation for the project is to encourage kids to retain active learning (which is their primary learning mechanism up until they enter school). He says that one of his interview questions was “Can you make 100 million laptops secure?” His answer (in collaboration with Simson Garfinkel) is Bitfrost. Jonathan Corbet did his usual excellent job describing Bitfrost: the OLPC security model [4] back in February, and the specification [5] can be found on the OLPC wiki.

It starts off with some very interesting requirements based on their target audience: “No reading required”, and follows up with some classics: “Open design” (aka Principle of Open Design) and “Unobtrusive security” (aka Principle of Psychological Acceptability). They set a goal of no user passwords, which is audacious in its simplicity. There is a clear owner of each laptop established at first boot, and the ability to wipe the owner information and all personal documents before transferring the laptop to a new owner. Untrusted programs are severely bandwidth limited to make the laptops unattractive targets for draft into a botnet army. They establish a “per-program permission list” which is created when a new program is installed – this is a whitelist of the permissions that the program needs for its normal operation (similar to AppArmor). The microphone and camera have LEDs which light up when they are activated (interestingly, this is also a FISMA requirement). Most controversial appears to be the anti-theft detection – it is a call-home mechanism which causes the laptop to deactivate if it can’t successfully reach home within 3 weeks (apparently configurable). They plan to integrate (or may already have integrated) OpenID. The specification is quite engaging and readable, with deep thought behind their anticipated threats and the protections to counter them. The outcome is quite simply good security, and I’ll be eager to look at the detailed design and implementation of some of the key security features when I have a little more time at my disposal.
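To make two of the controls above concrete, here is an added illustrative model (not OLPC’s or Bitfrost’s own code) of a per-program permission whitelist fixed at install time and a token-bucket bandwidth cap applied only to untrusted programs. The permission names, the rates and the caller-supplied clock are assumptions; the Bitfrost specification’s actual figures are not given on this page.

```python
"""Constructed model of two Bitfrost-style controls: install-time permission
whitelists (default deny) and bandwidth limiting of untrusted programs.
Not the OLPC implementation; names and numbers are assumed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Program:
    name: str
    trusted: bool
    permissions: frozenset  # whitelist recorded when the program is installed


class TokenBucket:
    """Classic token bucket: `rate` bytes/second refill, `burst` bytes capacity.
    Time is passed in explicitly so behaviour is deterministic and testable."""

    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, now

    def allow(self, nbytes, now):
        # Refill in proportion to elapsed time, never above the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


class Policy:
    # Assumed cap for untrusted programs; the page quotes no figure.
    UNTRUSTED_RATE = 4_000    # bytes per second
    UNTRUSTED_BURST = 16_000  # bytes

    def __init__(self):
        self.buckets = {}  # one bucket per untrusted program

    def permits(self, prog, perm):
        """Default deny: only permissions on the install-time list are granted."""
        return perm in prog.permissions

    def may_send(self, prog, nbytes, now):
        """Trusted programs are unthrottled; each untrusted one gets its own bucket,
        so a compromised program cannot generate botnet-scale traffic."""
        if prog.trusted:
            return True
        bucket = self.buckets.setdefault(
            prog.name, TokenBucket(self.UNTRUSTED_RATE, self.UNTRUSTED_BURST, now))
        return bucket.allow(nbytes, now)
```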

One curiosity about the whole security model is its reception by its users and the open source development community. So far the reception has been quite positive, despite utilizing some of the same security concepts that have been the source of continuous criticism for Trusted Computing. Some people have even defended Bitfrost using some of the same arguments used by pro-TC advocates, for example in this interesting argument and response [7] posted as comments to the LWN article.

All I really need to say is Yay! OLPC – I can’t wait to get mine … I mean I can’t wait until my kids get theirs.


According to HP Backs Red Hat in Government Biz Bid [1], “Lillestolen said, however, that HP has gone further than Big Blue by certifying a wider range of hardware.” Hopefully, this is just a mistake in the reporting and HP isn’t actually making such outrageous claims. As you can see in the Validation Report [2], HP tested on

  • Intel Xeon (HP DL360)
  • Intel Xeon/Pentium (HP Compaq dc7600)
  • Intel Xeon EM64T (HP DL360) – dualcore
  • Intel Xeon EM64T (HP DL360) – singlecore
  • AMD Opteron (HP DL 385) – singlecore
  • AMD Opteron (HP DL 385) – dualcore
  • AMD Opteron (HP DL 145) – singlecore
  • Intel Itanium 2 (rx 3600) – dualcore
  • Intel Itanium 2 (rx 2620) – singlecore

According to IBM’s Validation Report [3], the following platforms were tested:

  • System z – Hardware: z900/z9; host operating system: z/VM 5.1 or z/VM 5.3 within a PR/SM logical partition
  • Opteron – Hardware: model 3455, Bladecenter LS-21
  • System p – Hardware: p5 720 (9124), Bladecenter JS-21; host system running an LPAR partition
  • System x 3550, HS-20 Bladecenter, HS-21 Bladecenter – Hardware: Intel Xeon with Hyperthreading and EM64T

In both cases, 8 different machines were tested. However, IBM tested radically different architectures, whereas HP tested minor variations of a few themes. For those of you not familiar with IBM terminology, the IBM evaluation tested a mainframe, a POWER system, a POWER blade, a rack-mounted Opteron system and an Opteron blade, two Intel Xeon blades, and a rack-mounted, dual-core Intel Xeon server. For those unfamiliar with HP’s line of hardware, as I am, their website shows that HP tested one desktop and 3 rack-mountable Intel Xeon systems, three rack-mountable Opteron systems, and two rack-mountable Itanium systems. None of the systems listed in their Validation Report is a laptop, contrary to Lillestolen’s claim.

I am glad to see that RHEL5 has received so much testing in the MLS configuration. Perhaps widespread knowledge that many systems were tested in many configurations will help speed the adoption of the MLS configuration in the defense industry. But I hope that reporters won’t let HP get away with making such wild statements that are easily refutable via on-line documents.


As a security practitioner, you’ve got to love it when your company comes out with a line like “Security is our brand” [1] and the press eats it up. Of course, security has always been our brand and, on the Open Source side, we have done some significant things to prove it. I’m speaking here of our multi-million dollar investment over the course of many years to Common Criteria certify Red Hat and Novell SUSE. We started out at EAL2 with the security functionality defined in our Security Target against the pre-existing security functionality in SLES 8. We got that evaluation done within 6 months when everybody was saying that it couldn’t be done – ‘Common Criteria certification takes years’, ‘open source can’t be certified’, they said. From that ground work, we marched up the value chain to LSPP/RBACPP/CAPP at EAL4+ with RHEL5, when still (after 6 successful evaluations at progressive levels) people were saying that it couldn’t be done (although much more subtly now) – “The lack of this protection might prevent another evaluation target from passing this evaluation.” [2]

Our LSPP evaluation included more hardware platforms in one evaluation (7) than all previous completed LSPP certifications combined. The beauty of the range of platforms certified is that it allows government agencies who need LSPP to also take advantage of the scale-up and scale-out capabilities inherent in Linux. As a tax payer, I love this because it allows government agencies to benefit from the lower TCO that Linux and open source software provide.

The LSPP evaluation, in my eyes, constitutes a revalidation of the open source development methodology because the project included competing and cooperating companies, along with government, distro, and individual contributors who were contributing as a labor of love and because they believe in the necessity of adding this level of security to Linux.

When we completed the LSPP evaluation, I went back and looked at all of the people who had contributed to the Common Criteria certification effort over the years. Just within IBM, the number went into the high double digits. Of course, none of this would have been possible without the dedication and passion for security shown by Novell and Red Hat. And our evaluator was invaluable – the insight, integrity and sheer brilliance of the people working for atsec is without measure or compare.

Security is Our Brand!


This press item has been picked up all over the place – IBM announces an initiative to invest $1.5B in security development and marketing for 2008. This is seriously cool.

Very interesting quotes from IBM executive Val Rahmani:
“‘We believe there’s a crisis in the marketplace right now,’ said Val Rahmani, who heads IBM’s infrastructure management services.” from NYTimes at

“‘Security is broken,’ Val Rahmani, general manager of IBM’s infrastructure management services, said in a telephone interview. ‘There has been a perfect storm of threats.’” from