Open Source Software and Security

Back in December the UK Government published their Open Source procurement toolkit (in PDF and ODF formats) which is mostly aimed at the public sector procurement officials, but is of general interest too. One document in particular I would like to pick out and quote verbatim (which I can do under the creative-commons inspired open government license) relates to the myth that the government can’t use Free Software because of security concerns. This is completely and utterly false. Free Software can be put through the certification processes just like closed software, but for most normal applications formal certification makes little difference one way or another as this is not the way solutions are accredited. So here it is, in their own words:

Open Source Software and Security

December 2011
This note, developed in consultation with CESG, highlights some of the key security considerations for the use of open source software in Government, and their implications for procurement practice. It focuses on dispelling common security myths about open source software which prevent a level playing field for its evaluation and use in Government. It is published in recognition that a wider audience wish to understand the UK Government’s position on open source software and security. Public sector customers can obtain further information from CESG in GPG38.

1. Open source, as a category, is no more or less secure than closed proprietary software.

All software, including open source and closed proprietary, will have vulnerabilities. Individual software products, regardless of category, will have strengths and weaknesses in security characteristics such as provenance, quality, support, and vulnerability management. Given the range of vulnerabilities and diversity of exploits, on balance, neither category is considered more or less secure than the other.

2. Therefore, open source software cannot be excluded from an options analysis for Government IT.

Given that no one type of software is inherently more secure than another, neither open source nor closed proprietary software should be excluded from an options analysis for security reasons. It is Government policy for open source software to be evaluated in an options analysis, and for suppliers to provide appropriately detailed evidence of the reasoning behind their selection. It is entirely possible that an open source option is not selected for valid reasons, such as insufficient functional fit, inability to meet performance requirements, or higher cost of ownership due to more expensive security controls. It is important that the same selection criteria are applied to all options. It is also important that requirements are not exaggerated, unnecessarily inflating costs.

3. CESG does not accredit software products. Departments accredit their own ICT solutions.

It is a myth that some software products are “accredited” for use in Government. This is a misunderstanding of the security framework and accreditation process. Departmental accreditation of their own IT solutions is a sophisticated and rigorous process encompassing business benefit, threat and risk assessment, hardware, software, communications, and human factors. CESG does operate assurance schemes through which security enforcing products, both open source and closed proprietary, can be evaluated and certified. Such certification assures the public sector that security enforcing products, such as firewalls and cryptography tools, can mitigate various risks to its information. The large majority of software used to build Government IT solutions does not fall into this category. Furthermore, the risk managed decision whether or not to use such software remains with the Department’s information risk owner.

Open Standards Open Opportunities

Flexibility and efficiency are perhaps not two words that have been traditionally associated with the public sector in general, and certainly not with government IT. This might change though, and you can help nudge it in the right direction. Last week, just before the budget was announced in front of a packed house of commons there was this little exchange:

John Pugh (Southport, Liberal Democrat)

To ask the Minister for the Cabinet Office what recent assessment he has made of Government policy on open source software and open standards; and if he will make a statement.

Francis Maude (Minister for the Cabinet Office; Horsham, Conservative)

We have always made clear that, where appropriate, Government will procure open source solutions.

Open source products are used in the delivery, of huge database programmes—such as the Indian Identity card scheme—at a greater scale and for much less cost than we have experienced in the past., the new platform for publishing in UK Government employs the same open source technologies.

It’s being delivered for a fraction of the cost of previous Government web schemes.

So not a big long speech, but there it is, said in the house and recorded for posterity with the transcript of the oral answers in Hansard and,

The government is moving on Free Software, there is a very high level understanding of the need to avoid lock in, promote re-use and to remove the barriers to adoption for Open Source software. They have been taken for a ride by a bunch of proprietary suppliers who have sold them the same old stuff over and over again, with contracts that tie the government down and keep the gravy train rolling. There is no massive appetite for the government to contribute directly to free software projects, but they are very willing to have more open software from their existing and new suppliers, and to have those suppliers be good citizens in the open source community.

There appears to be a general alignment (and indeed confusion between) open source and open standards. What the government really appears to want is open standards, with open source software as a means to get to an environment where open standards are prevalent. This will give them the re-use and interoperability that they really want.

To this end the cabinet office is running a public consultation at the moment, asking you to comment on their thinking in the area of open standards. Don’t be misled though, this is all about open source really, and they really really want a bunch more responses to their consultation. You can view the consultation website here:

It is a bit of an epic read, there is a 31 page pdf describing the consultation then you can go on to provide your responses on the website where your answers will be published along with those of everyone else. I don’t think I have ever filled in a form where my answers were broken down into chapters before, but there is a first time for everything. Chapter 1 is all about how they should define what an open standard actually is, kind of like art, you know it when you see it. Chapter 2 discusses whether open standards should be mandatory (expect some detailed answers from proprietary suppliers in this section explaining why the world would end if openness was not optional). Chapter 3 is all about international alignment and would be a great place for comments from people who are not UK based but for whatever reason think we should be more interoperable at a government level.

Please do have a read of it and browse the questions and answer any you feel like giving your opinion on. Don’t feel you have to answer them all, or give long answers. I am assured that this consultation will make a difference.

Westminster eForum Speech

Today I had the pleasure of addressing the Westminster eForum event on Free and open source software in business, in government. I had a five minute slot following the excellent Karsten Gerloff of the Free Software Foundation Europe, then after speeches from Paul Holt, Andrew Katz and Christopher Roberts we had a panel Q&A with questions from the audience. Here are the notes from my speech, transcripts of the whole event will be distributed around Westminster. The seminar was sponsored by our friends at Sirius.

Hello & Good Morning Ladies & Gentleman.

My name is Alan Lord and I am co-owner of The Open Learning Centre; an Open Source Software Consulting and Services business based in Surrey.

In the few minutes I have I would like to briefly discuss a few of the themes that were suggested for this session.

So, starting with the first one then:

The challenges faced by small, medium and large organisations implementing Free & Open Source Software?

For me, one of the key challenges is Procurement:

Procurement practices have not kept pace with changing times. Existing policies and procedures often struggle with the idea of acquiring something that is ”free”. In addition, in our Free Software marketplace, many suppliers do not have the budgets or resources to participate in lengthy tendering processes and, frankly, often have better and less costly opportunities to pursue elsewhere.

Another challenge is lack of familiarity and knowledge: There is still a significant proportion of the population who haven’t really heard of, or understand what Free & Open Source Software is, even though they may use it everyday. The Open Source community has made tremendous inroads and awareness is definitely increasing, but bear in mind, we are competing against companies with multi-billion dollar marketing budgets.
Now I’d like to move on to mention something about:

The costs of deploying Free and Open Source software?

Firstly, it’s important to recognise that the ”free” in Free Software generally refers to freedom and not necessarily the price; although Open Source Software is frequently zero cost too. It should be recognised that implementing any software solution has costs, whether or not the software itself is freely available.

Time, of course, is not free; training, consulting and other professional services require people and knowledge, all of which have a cost whether they be internally or externally sourced. Although I feel fairly confident in saying that Open Source providers tend to charge comparatively less, I would recommend you use your experience to estimate and budget for the financial costs of the professional services you will need to acquire. Typically, the work required will be similar, in volume at least, for any given project whether Free or proprietary.

The financial benefits of Open Source really make an impact once you start using it: There are no ongoing licensing fees; you may copy and replicate what you have as many times as you wish. Product development, bug fixes and new features can generally be introduced at your discretion, and not that of your software vendor.

Another question that is often discussed is:

Is Open Source Software vulnerable?

Open Source Software is widely regarded as being inherently more secure than comparable proprietary software. Generally I would concur with this; particularly with regard to Operating Systems such as Linux and BSD. However, no software is ever infallible or 100% secure, so as an IT manager one must take all available precautions.

Many of the stories of Open Source vulnerabilities are, in the end, down to lack of skill or knowledge in setting up and maintaining these systems; this is just the same as with the proprietary alternatives. Again, skills and good education are the key to minimising these risks.

Free and Open Source Software is created in a very different way to legacy software. The ‘source code’, or instructions, are public; anyone can look at them. In a well managed Open Source project this visibility actually helps to improve the security of the end product. The benefit of this code-transparency was famously described by Eric S. Raymond, a well known Open Source author and advocate:

“Given enough eyeballs, all bugs are shallow.”

And finally I’d like to touch upon the question:

Who is responsible if Open Source Software is compromised or malfunctions?

Well – to be blunt. You are.

But then how is this different to proprietary solutions? If you’ve ever read a License Agreement for proprietary software then I’m sure you will have noticed that they start by disclaiming all liabilities, warranties and risks. Here’s one sentence taken from a very famous proprietary software vendor’s license agreement:

“The entire risk arising out of use or performance of the OS Components AND ANY SUPPORT SERVICES remains with you.”

If your chosen proprietary software is compromised or malfunctions what happens? Basically, you await the benevolence of the manufacturer, who is hopefully still in business and has a copy of the version of your product. With Free and Open Source Software, you will ALWAYS have a copy of the source code available.

A key feature of Open Source licensing, and something that is specifically NOT offered in the proprietary world, is the empowerment to improve and change it yourself. This doesn’t mean that you have to write the code though, there are lots of developers who will do that for a fair price.

Thank you.

Adventures in Radio

A couple of weeks ago we had a call to the office from a BBC radio producer asking if the creators of Votegeek would like to be interviewed for the Radio 4 programme “Click On”. After thinking about this for a femptosecond or two the answer was “Yes!”. So on Friday I found myself sitting in reception of Broadcasting house in London watching lots of probably famous people that I didn’t recognise wandering in to work. After a little while I was called up to the studio (very nice anechoic chamber and separate room with mixing desks and blinking lights) and we got on with the interview. You can Listen to the show or read the transcript below.

Simon Cox:
Now the parties policies on technology probably aren’t not going to influence who gets your vote in the election. While the digital economy bill now may become law, the debate accompanying it’s rather speedy passage through parliament revealed just how little many politicians know about technology. With the economy dominating the campaign how can you find out what your local candidates think, or even know about technology. Well the answer is votegeek, the brainchild of Alan Bell, and he is with me in the studio. Alan, what are you hoping to achieve then through your site?
Alan Bell:
Well we have got a dual aim really, one half of it is to get the geeky type personality more interested in politics, and get people to understand that politics matters to them. The second aim is to get the candidates aware that we exist and that we are voters too.
What are the issues that people are wanting to focus on with candidates, presumably it is not just about broadband speed?
No, it is a wide range of issues, we are not focussing on a single issue, but we are focussing on a single topic. So there are issues such as the use of Free Software in the public sector. Public procurement policy, digital freedom, privacy, and censorship are definitely topic areas of interest.
In terms of the candidates you have been contacting what kind of reaction have you been getting from them?
A very positive reaction from some of them, and a lack of response from others! We have had responses from all the major parties, and a number of the minor parties. I was particularly pleased with a comment from the Official Monster Raving Loony Party for instance!
Are they surprised when you contact them?
The Official Monster Raving Loony Party gentleman was yes! But I would say it is not just me and my group of helpers that are contacting people, we are asking people out there to go and find their constituency on the site, look at the candidates that are available for them to vote for, and then contact their candidates. So the message to the candidates is coming from one of their constituents. There is then a comment area where people can record emails and letters they have sent to their candidates and also responses they have received back.
So it is trying to build up a profile is it on their views on particular technology issues?
Yes, it is allowing people to share information about their candidates views.
Now Rupert, what do you think about this, I mean with the Digital Economy Bill the politicians didn’t really cover themselves in glory did they?
Rupert Goodwins:
Well following the Digital Economy Bill closely was quite an eye opener for me, because not only did it transpire that the politicians didn’t know what they were talking about, but they didn’t quite realise why it was being rushed through so quickly, and this is an important part of anyone who wants to be an active democrat because you can’t be good at democracy unless you are informed. Things like votegeek mean that we can get much more involved and force politicians to be more serious about their jobs and that is an excellent thing.
What about the way that technology is being used during the campaign, we are always hearing that this is the election where we are suddenly going to see technology really beginning to take off, have you been struck at all by way it is being used?
Well yes there was the big debate, well the first of the debates between the three candidates for Prime Minister and if you were online whilst watching that there were lots and lots and lots of people talking away on twitter, blogs and instant messaging. There was an awful lot of debate going on at the same time which never happened before. The most important thing about politics is to be involved and to be informed and technology is allowing that to happen in a new way for the first time.
Alan Bell, thanks a lot for that, and Rupert thanks to you too.

Vote Geek!

The UK is approaching the next General Election, the smart money is on it being May 6th, neatly falling between Oggcamp and UDS-M although it is just about possible that these two major events are not actually the driving reasons for a May 6th election. So who should you vote for? Who can you vote for? What do the candidates in your constituency think about issues important to the average geek? Good questions all of them, and to provide at least some of the answers we have set up a website where you can find out who is standing in your constituency and with a bit of crowd sourcing (which is where you come in) we can find out what they think. The site launched today and I am very pleased to say we have already had a comment direct from a candidate who will be standing in Hackney South and Shoreditch.
To talk techie for a second, the site is basically a WordPress blog, but not used in the traditional way, all the 650 posts for the constituencies were pre-created and don’t really have a chronological order, we are using WordPress to handle the comments, it is easy to theme and we know it can handle a lot of load.
The theme started out as a blue fixed width layout, I adapted it to a fluid layout (I hate fixed width sites) and changed it away from blue because I didn’t want to have a colour that is strongly associated with any of the parties. I was pondering the new colour options and ended up picking our new favourite colour – Aubergine! The swirly thing was done with the flame filter in the Gimp.
Most of the data about the candidates comes from if you spot any missing or incorrect information then click the candidate name to go to their page on the site and correct it there. All the constituencies get refreshed by a little python script that pulls data from the json API provided by yournextmp.
So the site has two main objectives, firstly to get geeks like me more interested in politics and more aware that they can and should contact their representatives about things that matter, and cast an informed vote. Secondly it is to make the candidates (including the all important winning candidate) aware that there are people in their area who care about issues in the general Free and Open Source arena.
So what do we need you to do now?
Well firstly if you are in the UK please go to and find your constituency. Take a look at your candidates and see what other people have written to them. Think about a question you would like to ask the people who might get your vote and then write them a letter. Leave a comment with your letter and the replies you get so other people in your area can see them too.
If you are of the tweeting/denting persuasion then please mention the site (and your comments on it) along with the #votegeek hashtag.

Update on UK Gov’s Institutional Profligacy

As you may recall, a couple of weeks ago I used Write to Them to contact my MP, Jeremy Hunt, regarding the comments of the new CIO of HMRC and how it seemed that saving money was not being encouraged by our civil servants. I discussed it in this blog post:

Phil Pavitt, recently-appointed CIO for HM Revenue and Customs, has revealed that attempts to cut government budget is positively discouraged. In a telling anecdote, he says “In my first few weeks of the job I was visited by leading members of the Cabinet Office. In that conversation with me they mentioned I am in the top purchasing club… That means you have tremendous influence on buying power, buying ideas and management and so on.”I said ‘If I reduce costs by 50 per cent what happens?’, ‘Well, you leave the club,’ I was told.”

A couple of days ago I got a follow up from Jeremy after he received a reply from the Rt. Hon Angela Smith MP, Minister of State at the Cabinet Office. He didn’t seem that impressed…

Dear Alan,

Further to my email of 16th February 2010, I have now received the attached response from the Rt Hon Angela Smith MP, Minister of State at the Cabinet Office.

Given the worrying content of your email, the Minister has responded with little more than a standard response about how they always try to obtain good value for money.

Sadly we will never know what was said amongst the Minister and her civil servants about your email. However, I think we can be confident that it bore no resemblance to the final response I received!

Whilst Ms Smith’s comments are not surprise, I am sorry to have to pass on such a disappointing reply. If there is anything further I can take up with the Minister in the future on this issue, please feel free to let me know.

Best wishes


Jeremy Hunt
Member of Parliament
South West Surrey

I’ve attached the reply* so everyone can read it. Here is page 1, and here is page 2.

As you will see, the response is just a stock reply and gives almost no comment whatsoever to the main thrust of the question.

* The Minister’s response was emailed to me as a scanned PDF and it contained my home address and her email and phone numbers. I imported it into Inkscape and obfuscated those details which ended up creating 2 separate files.

Next Page »