Slashdot Mirror


European Commission Recommends OSS to Fight Echelon

CrossRhythm writes: "The European Commission Resolution on Echelon encourages the Commission and Member States "to promote software projects whose source text is made public", "to lay down a standard for the level of security of e-mail software packages, placing those packages whose source code has not been made public in the 'least reliable' category," and "systematically to encrypt e-mails, so that ultimately encryption becomes the norm"."


  1. what about MS "Shared Source"? by room101 · · Score: 4, Insightful

    I may be wrong, but it sounds like MS' totally bogus "shared source" will move MS from "least reliable" to something better.

    The article is pretty long, so perhaps I missed something....

    --
    room101 -- how much can you stand before they break you?
    (they always break you eventually)
  2. It all boils down to trust by All+Dead+Homiez · · Score: 4, Interesting
    This is an area where OSS really shines. Microsoft NSA key rumors aside, the truth of the matter is that it is almost impossible to audit closed source programs for backdoors and security flaws. As more and more stupid programming mistakes are discovered, more and more people will realize that OSS is the only way to go when security and/or privacy is a concern. Expect many more endorsements of OSS in the near future for this very reason.

    -all dead homiez

  3. Europe luring programmers? by dwbryson · · Score: 4, Interesting

    It's interesting to see that Europe is more open-minded towards OSS than the US is. If they do things like this, pass legislation to encourage OSS development, I could see how programmers would see countries in the EU as kind of a haven. Especially if they didn't arrest them on site like a certain country I know of...

    --
    - "Never let a computer tell me shit." - DelTron Zero
  4. Re:This is stupid by All+Dead+Homiez · · Score: 3, Informative
    You're missing an important point: how do you know that a given closed-source email encryption/decryption engine does not "leak" keys? You have no sure way to know that your keys won't wind up:
    • "Accidentally" sent packed into an IP header and sent to the NSA
    • Somewhere in your swap space, because some coder doesn't know how to lock memory correctly
    • Somewhere else on your hard drive, because some coder doesn't care about protecting your keys (or know what he's doing).
    • Compromised in response to a malicious message that the program is trying to decrypt. Don't forget about buffer overflows.

    Trusting a closed source application means that you're trusting every programmer who ever wrote a line of code for the application. When you can't see that code to make sure it's not crap, you've got a security nightmare waiting to happen.

    -all dead homiez

  5. The proper solution: encrypt everything, not email by hardaker · · Score: 5, Interesting
    You really want to encrypt everything, not just email. I'm not sure why the EU thinks encrypting just email will stop Echelon from being effective. Even if Echelon was only sniffing email, they certainly would switch to sniffing other forms of communication if all email was encrypted.

    The proper solution is to encrypt all your IP traffic through IPsec tunnels. Recent work within the IETF has given new ideas about how to start performing automatic IPsec connections with any host you can speak with. This is the type of solution that will help battle Echelon-like networks.

    --
    The next site to slashdot will be ready soon, but subscribers can beat the rush and start slashdotting it early!
  6. This answers another question by rjamestaylor · · Score: 3, Insightful
    This answers another question, "Why did the Bush administration stop the MSFT breakup?". The US needs a US-based OS monopoly to insert APIs like NSA_key, FBI_tap, Jenna_beer, etc.

    With European governments wise to Echelon and MSFT's complicity with the US requests to make certain back doors...it would not be in the US's best interest to speed adoption of OSS software by breaking MSFT's stranglehold on competition.

    While I'm stretching a bit, I don't doubt this is in line with the thinking in Washington (or would that be Virginia?).

    --
    -- @rjamestaylor on Ello