NSA Makes Contribution To Apache Hadoop Project

An anonymous reader writes "The National Security Agency has submitted a new database, Accumulo, to the Apache Foundation for incubation. Accumulo is based on the original BigTable paper with some extensions such as the ability to provide cell-level security. It appears there are some hurdles that must be cleared concerning copyright before the project could be accepted."

It's a trap

[hjf]

It's a trap! It HAS to be. /tinfoil

Re:It's a trap

Of course not. Why would the NSA, an organisation known to approach people with dark offers of inserting backdoors in their products in exchange for lucrative deals, to glean information of course, ever want to insert a backdoor into your web-scale database system that will probably end up powering a lot of the planet?

I just wish I could find a copy of linux that had no trace of SELinux in it.

Re:It's a trap

[thePuck77]

Unless you know something that I don't, the SELinux code has been reviewed several times looking for backdoors and there aren't any. Or is it just that the config is a PITA for you? That I can understand.

Re:It's a trap

[gatkinso]

Well, if he is referring to SELinux, he is wrong. If he is referring to many other technologies that the NSA has subverted either thru cooperation with the company or by covertly infiltrating their engineering into the company... then he is correct.

If you run such a company making security products and you strangely have a few workers who seem to be very familiar with the Baltimore metro area but nothing on their resume shows that they worked or went to school there, you may want to take a closer look at their work.

Re:It's a trap

"Well, if he is referring to SELinux, he is wrong."

Have proof of that, do you?

Re:It's a trap

[thePuck77]

Huh. That's disturbing. And you've seen this before? Like actual planted employees whose job is to slip in backdoors and exploitable code? And management and the assorted PHBs are what...in on this? Unaware? And the code doesn't get found in reviews? It seems like it would make more sense for the NSA to make dummy corps to develop and sell security software than it makes to plant people and then expect them not to be detected.

I always find conspiracies hard to believe. They require two things humans are historically very bad at: working together and keeping secrets.

Re:It's a trap

[gatkinso]

The fact that this is happening is well known.

One such example: http://en.wikipedia.org/wiki/Crypto_AG#Back-doored_machines

But I guess that might be too hard for you the believe.

Re:It's a trap

[gatkinso]

Audit the code yourself. It's all there for one to obsess over.

Re:It's a trap

[thePuck77]

I had heard about collusion on that level, it was the planted employees I hadn't heard of. I didn't mean to imply that I thought you were lying or whatever other offense your tone implies you believe I meant.

Re:It's a trap

Yes, that's a great response. Now if only everyone has years of time and a lifetime of IT skills to devote to auditing their OS code, they too can be reasonably confident that they're not using suspect code from suspect people with a track record of malevolence.

Or we could just not include code from suspect people with a track record of malevolence.

Why an Apache donation

[digitalderbs]

I'm a heavy user of open source and GPL software, but I admit to not knowing the nuances of open source licenses. My question is this: why are corporations donating their code to Apache instead of just releasing them through the GPL and Sourceforge? Oracle recently did this as well with OpenOffice, and I seem to vaguely recall a few others.

Re:Why an Apache donation

Just because something has been open-sourced doesn't mean it's going to be maintained and developed.

Re:Why an Apache donation

[Fnord666]

According to TFA:

Apache Brand

Our interest in releasing this code as an Apache incubator project is due to its strong relationship with other Apache projects, i.e. Accumulo has dependencies on Hadoop, Zookeeper, and Thrift and has complementary goals to HBase.

Re:Why an Apache donation

Possibly because they want someone else to maintain the code for them. This way the NSA gets to keep their cell-level security and sit back while others provide bug fixes and new features.

Re:Why an Apache donation

Because they wanted to release it under a truly free license, which the GPL is not.

Re:Why an Apache donation

[__aailrp9629]

Works of the US government are public domain, and thus can't be released under the GPL. That's the copyright issue mentioned in the summary.

(I know people here don't read the articles, but don't they at least read the summaries?)

Re:Why an Apache donation

Tell us more about your agenda.

Re:Why an Apache donation

[LordLimecat]

Protip, a license that restricts what the coder and devs using the code can do, is not really "free". It may protect the end users freedoms but it inarguably does so at the expense of developer freedoms.

When he says GPL is not truly free, he means it, and I dont think anyone involved with the development of GPLv2 and GPLv3 would argue that.

Re:Why an Apache donation

[arose]

Public domain is perfectly GPL compatible, where did you get the idea that it wasn't?

Re:Why an Apache donation

He didn't say it wasn't GPL compatible, he said it wasn't able to be released under the GPL. The US Government doesn't automatically license stuff as public domain - instead no copyright is held by anyone for work produced by government employees. As nobody holds the copyright there is nobody in the US Government who could issue the GPL license. Of course, if a non-government employee creates a derived work from this material, they can put their changes under the GPL which would mean that any further derivations would have to be GPL.

Re:Why an Apache donation

[arose]

What exactly is that relevant to? It's like saying that you can't release BSD licensed code under the GPL. Technically correct, but not relevant to the topic at hand. It's not an issue, which was the actual point of his post, so...

government never has copyright

The government is explicitly exempt from the ability to claim copyright. There is no problem.

Re:government never has copyright

[Sarten-X]

But other companies and individuals that produce works do get copyright. While they may give the government (and even the NSA) a license to use their works, the government can't just donate those works off to Apache without clearing it first. That means any code the NSA didn't write themselves needs to be removed, replaced, or also donated by the owner.

Re:government never has copyright

[drnb]

That means any code the NSA didn't write themselves needs to be removed, replaced, or also donated by the owner.

Unless that code was "work for hire". If so the contractor (individual or company) has no rights to it, just like any other employee.

Re:government never has copyright

[zippthorne]

I'm not sure i'd want to go anywhere near the work of an NSA "contractor..."

Re:government never has copyright

Better not use Linux.

Re:government never has copyright

This depends on how the software was purchased by the government. Was the software written at the behest of the government or was it an already existing software product that the government purchased licenses of. In the former case, the government typically can do whatever it will with the software, including switching the contractor writing it. In the latter case, its exactly how the government uses any normal vendor's software such as Microsoft Windows or RedHat Linux.

Please trust the NSA. Pretty please.

[AliasMarlowe]

It's a trap! It HAS to be. /tinfoil

No, no, it's not a trap, not in the slightest. Just insert your penis into this device... I assure you, it's not a meat-grinder, really, it's not! And I didn't have my fingers crossed when I said that, not even a little bit.

Re:Please trust the NSA. Pretty please.

[wootest]

Helpful tip: Having your fingers crossed while saying something only means what you think it means (that you're lying) in Swedish, not in English. In English, it means you're hoping for a particular outcome, which could be true in this case too, I guess.

Re:Please trust the NSA. Pretty please.

[TheRaven64]

Depends on where your fingers are. Not sure where it comes from, but when I was growing up (in England, home of English), crossing your fingers behind your back meant that you were lying.

Re:Please trust the NSA. Pretty please.

[vlm]

Helpful tip: Having your fingers crossed while saying something only means what you think it means (that you're lying) in Swedish, not in English. In English, it means you're hoping for a particular outcome, which could be true in this case too, I guess.

Well, OK, whatever, so what does meat-grinder mean in Swedish? Slang for some body orifice, I'm guessing from context.

Re:Please trust the NSA. Pretty please.

By whose standards? It has meant a lie everywhere I've lived in the US.

Re:Please trust the NSA. Pretty please.

[zach_the_lizard]

Behind the back it does, but it doesn't exclusively mean that in general.

Re:Please trust the NSA. Pretty please.

[93+Escort+Wagon]

Depends on where your fingers are. Not sure where it comes from, but when I was growing up (in England, home of English), crossing your fingers behind your back meant that you were lying.

That's also the case in America, at least in the places I grew up in - and we moved around a lot when I was a kid.

Re:Please trust the NSA. Pretty please.

[Moridineas]

I agree with everyone else who says you're absolutely wrong. In common (American at least) English usage if you say something like "Here's hoping!" or "Did you get the part? I hope so!" and cross your fingers it means you're hoping for an outcome.

If you have your fingers crossed for another type of statement (typically obscuring them), it means you're lying. Typically children's usage.

Re:Please trust the NSA. Pretty please.

[AliasMarlowe]

Well, OK, whatever, so what does meat-grinder mean in Swedish? Slang for some body orifice, I'm guessing from context.

No. It means a meat-grinder, or köttkvarn - the mechanical device which turns lumps of meat into ground meat or minced meat.
Pro tip: don't stick your dick into one of these.

Re:Please trust the NSA. Pretty please.

[TrueSatan]

I'm English too and you're right only in as much that hiding ones crossed fingers (can be behind ones back or in ones pocket) is a sign of subterfuge (something intended to misrepresent the true nature of an activity). Showing them openly to be crossed is not a sign of lying or subterfuge and, as per wootest comment, is merely signifying a hope for good luck in pursuit of a particular outcome.

Re:Please trust the NSA. Pretty please.

Typically children's usage.

...and secret agents.

Re:Please trust the NSA. Pretty please.

[wootest]

So it seems from the other replies that "crossing your fingers" in that way is used by at least some English speakers as well. Neat. Didn't know that, primarily because Swedish English education teaches that it is a false friend since "crossing your fingers" is already something else in English.

With this in mind, I'm not surprised that AliasMarlowe is Swedish per the above because I've never heard a native English speaker use it in that context.

Re:Please trust the NSA. Pretty please.

[sumdumass]

A lot of words and gestures in the US and likely other English speaking nations carry duel meanings. This is probably because of the expansions of the English speaking countries into other nations and territories as well as a one time liberal immigration policy over the years.

Take shag for instance, in some uses, it means sex, in others it describes the look and feel of something like shag carpet which is a thick loose pile of thread instead of a rug someone had sex on/with. That would be a shag on the carpet.

Re:Please trust the NSA. Pretty please.

It means that you're crossing your fingers for luck. Whether someone wants luck because they're lying or not is up to them (and you, as the beholder or the person judging by their own standards).

Re:Please trust the NSA. Pretty please.

[LordLimecat]

I just wanted to step in and express my gratitude for how much I have learned in this thread. I now know where not to stick body parts, what crossing my fingers means, and what a meatgrinder does.

Re:Please trust the NSA. Pretty please.

[zippthorne]

Huh. I always assumed the etymology was related... As in, a "shag carpet" being thicker and softer than most floor surfaces, it must've seemed like a clever place to practice the various marital arts for quite a few couples....

Re:Please trust the NSA. Pretty please.

[theArtificial]

A lot of words and gestures in the US and likely other English speaking nations carry duel meanings.

Quite right! Pistols at dawn, then?

Re:Please trust the NSA. Pretty please.

[thePuck77]

I grew up with both.

Re:Please trust the NSA. Pretty please.

[AliasMarlowe]

So it seems from the other replies that "crossing your fingers" in that way is used by at least some English speakers as well. Neat. Didn't know that, primarily because Swedish English education teaches that it is a false friend since "crossing your fingers" is already something else in English.

With this in mind, I'm not surprised that AliasMarlowe is Swedish per the above because I've never heard a native English speaker use it in that context.

Um, not exactly, but Google Translate was helpful. I spent a few months in Sweden back in the 80's, and have made shorter visits since then, but never picked up much of the language. I'm a native English speaker and have spent decades in various places on both sides of the Atlantic, so consider myself fluent in British and American English and familiar with many local variants (Ontario, BC, Alabama, Florida, Maine, Wisconsin, as well as several regions of the British Isles).

On the "fingers crossed" phrase, which seemed to cause unexpected confusion, I had thought the meaning clear from context. If fingers are crossed in plain view, then it has the connotation of hopeful intent. If they are crossed while concealed - such as behind one's back or under a table - then the implication is that one is lying. The assertion that one's fingers were not crossed would be necessary only if one or both hands were not in plain view, so the association would be an untrustworthy denial of lying. Both usages are found on both sides of the Atlantic, in every place I've lived.

Re:Please trust the NSA. Pretty please.

[Johann+Lau]

Heh? They're perfectly safe. Just don't turn the handle.

Re:Please trust the NSA. Pretty please.

[silentcoder]

> like shag carpet which is a thick loose pile of thread instead of a rug someone had sex on/with

I dispute the accuracy of that claim, there is no reason that your "instead of" could not be replaced with "as well as". In fact, considering how soft and comfortable shag carpets are compared to other carpets the odds that somebody already shagged on it is much higher than other carpets.
Then again not so long ago shag was a popular brand of particularly strong pipe tobacco, Sherlock Holmes had an affinity for it and once declared that solved a case "over an ounce of shag" (in the short stories).
So that means you can have a smoking shag while smoking shag on a shag.

Re:Please trust the NSA. Pretty please.

Or...... the dance?

Re:Please trust the NSA. Pretty please.

[gatkinso]

In America it also means you are lying. At least in some places.

Re:Please trust the NSA. Pretty please.

[jalefkowit]

Finally, the NSA's secret plan to eliminate Julian Assange is revealed!

Re:Please trust the NSA. Pretty please.

[wootest]

Serves me right then, but assuming someone that knows the correct spelling and meaning of "köttkvarn" to be Swedish is generally a low-risk bet.

If fingers are crossed in plain view, then it has the connotation of hopeful intent. If they are crossed while concealed - such as behind one's back or under a table - then the implication is that one is lying. The assertion that one's fingers were not crossed would be necessary only if one or both hands were not in plain view, so the association would be an untrustworthy denial of lying.

Certainly, but in written form, you'd have to point out that your fingers were crossed no matter which meaning you were aiming for. So the matter of pointing out that one's fingers were crossed didn't make it clear, the surrounding context did.

Re:OK, now try it in English

[Sarten-X]

You're either trolling terribly or just terribly ignorant. In the hopes of the latter:

The Apache Foundation maintains many open-source software projects, one of which is a popular web server. Another is Hadoop, which is a distributed file system for storing huge amounts of data on a cluster of individual computers, based on Google's Google File System and other similar technologies.. To facilitate access to that data, there are other projects that function as databases, with the actual information stored in Hadoop. One existing project is HBase, which is an implementation of a system (called BigTable) described by Google. Now, the NSA has donated the source code for their own such database (also based on BigTable) to the Apache Foundation.

Now, there are a lot of Apache Foundation projects, and never enough time or people to maintain them all completely. The best projects are considered "mature", and the ones that aren't up to the normal Apache levels of quality and support and considered to be in "incubation". Someday, if enough people like Accumulo and help with it, it will mature.

Re:OK, now try it in English

[Goaway]

How do you "submit" a databse?

It turns out that if you read sentences all the way to the end, they become a lot more clear.

Re:OK, now try it in English

Wikipedia is your friend.

The National Security Agency is a cryptologic intelligence agency of the United States Department of Defense responsible for the collection and analysis of foreign communications and foreign signals intelligence, as well as protecting U.S. government communications and information systems,[1] which involves cryptanalysis and cryptography.

Database Engine* if you want to be pedantic about it.

The Apache Foundation is not a "website server outfit". It's an open source community with their own licenses that contributes to a variety projects. But yes, much of their work is related to developing servers, engines and protocols for the web.

I am tired of typing, so see BigTable and google Cell Level Security. I have not really heard of the latter, but I think it's basically the policy used to grant or deny cell level access to various users in each row of a table.

Honestly, if you have not even heard of many of the names used in the summary, this article probably holds no interest to you.

Re:OK, now try it in English

You're either trolling terribly or just terribly ignorant. In the hopes of the latter:

I believe you're right on both counts. He's trying to troll but he's also terribly ignorant.

Re:OK, now try it in English

"You're either trolling terribly or just terribly ignorant. In the hopes of the latter:"

Seriously, fuck you. Not everyone is up on the latest fads and buzzwords in the software "industry", OK? Nothing at all made the barest sense to me in that headline.

"Another is Hadoop, which is a distributed file system for storing huge amounts of data on a cluster of individual computers, based on Google's Google File System and other similar technologies.."

There, I knew you could do it. Was that too much to hope for?

"To facilitate access to that data, there are other projects that function as databases, with the actual information stored in Hadoop."

What's Hadoop? Do you at least understand that software's massive hierarchy of vaguely interrelated concepts is not exactly crystal clear to an outsider?

Re:OK, now try it in English

But, this article really doesn't apply to someone outside the Software or IT industry. For instance, If you or I read an article here about life sciences, semiconductors or black holes, we wouldn't go about flaming about why the summary didn't explain basic concepts, would we?

NSA tries to get vendors serious about security

[Animats]

NSA has been trying for decades to get vendors to get serious about security, without much success. One of NSA's units is the Central Security Service, the defensive side, which develops and tests security technologies for Government and military use. They have people testing safes and locks, for example.

Back in the 1980s, NSA tried applying that approach to computing, with the Trusted Computer System Evaluation Criteria. Systems were classified from A1 down to D. A very few specialized systems made it to an A level, but most commercial systems couldn't come close.

Manufacturers hated the testing procedure. Software vendors are used to controlling their own Q/A process. The NSA approach came from the test procedures for safes and padlocks - vendors could submit something, and it was tested by NSA personnel against NSA criteria. If it failed, the manufacturer got a list of defects, which was not necessarily complete. The manufacturer could resubmit the product, and NSA would retest it, on a strictly pass/fail basis. No third try was allowed, and failure was publicly announced by NSA.

After a decade of screaming and foot-dragging by vendors, the "common criteria" security scheme replaced the TCSEC in 2002-2005. This is much more "vendor friendly". The most strict levels of the TCSEC criteria were removed. Security evaluation is mostly done by outside labs, not NSA, and the vendor pays for and controls the process. The vendor can keep trying to pass as many times as they want. Failure is not publicized.

A reasonable number of systems meet some levels of the common criteria, but nothing below EAL5 really means much. Windows XP made it to EAL4.

NSA has tried, with NSA Secure Linux, to get people to take mandatory security seriously. NSA Secure Linux has "mandatory security", where there are levels and compartments which create boundaries data is not allowed to cross. Think of everything being in its own sandbox, with limited and tightly controlled intercommunication between sandboxes.

The point of that is not that NSA Secure Linux is a highly secure implementation of mandatory security. It was to get people to implement, modify, and partition applications so that they could work under a mandatory security model. A web browser, for example, would have to be structured so that the parts which could open local files were completely separated from the parts that communicated with the untrusted outside world. This didn't catch on in the browser world, although finally, a decade or so too late, browsers are starting to to run Flash in sandboxes.

NSA keeps trying. This new database is one for which fine-grained access control is possible. The challenge is to write apps that can live with such tight controls. They're trying to get people to get serious about security.

(It's been a long time, but I used to work on this stuff.)

Re:NSA tries to get vendors serious about security

[hjf]

Most competent sysadmins try to do their best to secure their system, and those worth their salt, succeed to do so. SELinux (and Tomoyo) are painful to use, easy to lock yourself out, and cumbersome. But that's the price to pay, I guess. Some admins decide the price is too high.

Re:NSA tries to get vendors serious about security

Think of everything being in its own sandbox, with limited and tightly controlled intercommunication between sandboxes.

Yeah, think of that. Now think of this.

Re:NSA tries to get vendors serious about security

[lennier]

Most competent sysadmins try to do their best to secure their system, and those worth their salt, succeed to do so.

So, um. What does that make the kernel.org guys? ;)

Yeah, I thought so.

Re:NSA tries to get vendors serious about security

[gumbi+west]

In that article, it specifically says that NSA require covert channel monitoring.

Re:NSA tries to get vendors serious about security

"One of NSA's units is the Central Security Service, the defensive side, which develops and tests security technologies for Government and military use."

Actually, the defensive side is the Information Assurance Directorate (http://www.nsa.gov/ia/index.shtml) not the CSS, but nice try. Apparently it has been a long time since you used to work on this stuff.

Re:NSA tries to get vendors serious about security

NSA keeps trying. This new database is one for which fine-grained access control is possible. The challenge is to write apps that can live with such tight controls. They're trying to get people to get serious about security.

Admittedly, I haven't looked at this new database, but many databases have fine-grained access control. We use a lot of MS sql server at the office, and you can have separate permissions for just about everything, down to the row & column level. Oracle & DB2 are similar.

Re:NSA tries to get vendors serious about security

This "doesn't catch on" because (so far) the expense of these sorts of redesign/reimplementation efforts are not recoupable - i.e. customers won't pay for them.

Doing that sort of redesign is expensive in several ways - if you're going to have a chance of doing it "right" you'll need very skilled, smart people. Those people are expensive. You'll also be investing a lot of time, which is also expensive (particularly when using said smart people.) Lot of little issues like "how do I keep this code portable" crop up and butt heads with the security stuff. And the clincher is that better security usually STOPS problems from happening - often subtle problems that are are hard to see/quantify/explain - rather than solving existing problems by adding more features. So you be investing all of those resources to take a product that generally "works" and make it somewhat LESS friendly to use and more inconvenient to program.

Oddly enough, it's a lot like trying to get people to start and maintain a fitness program. You spend a lot of money, and in the short run you make yourself MORE miserable, not less. The long term benefits are real, but if you're not interested in the long term (determining how interested software consumers are in the long term is left as an exercise for the reader) the up-front pain makes it an impossible sell; if you DON'T value long term benefits, then there really IS no benefit from your perspective to justify the Right Now costs.

Re:NSA tries to get vendors serious about security

[hjf]

Yeah that's the other thing too. SELinux doesn't "protect" you against attacks more than mosquito repellant doesn't protect you against mosquito bites... there's always going to be a way. But the more precautions you take, less chances of getting hacked you have.

Or in more technical terms, SELinux doesn't protect you from a malicious user hacking into your system more than giving him a regular user account instead of root access. There are exploits to gain root access, and I guess SELinux can be exploited too.

Re:NSA tries to get vendors serious about security

[Errtu76]

There are exploits to gain root access, and I guess SELinux can be exploited too.

Indeed. Google for 'selinux 2.6.30 exploit' and you'll find one by 'cheddar bay' that's targeted explicitly at SELinux.

Re:NSA tries to get vendors serious about security

[TheLink]

NSA has been trying for decades to get vendors to get serious about security, without much success

Car analogy. Most vendors can barely get their cars to run, so preventing the cars from getting broken into and/or stolen is not the top priority.

It only becomes a priority in places where legislation requires the vendors to worry about it.

Re:OK, now try it in English

"this article probably holds no interest to you."

Maybe my reply holds no interest for you? Oh yeah, fuck you too.

Before donning tinfoil hats...

[hattable]

I know NSA doesn't have the best 'street-cred' but remember that they are the folks that brought up SELinux. When they are working for security they generally know what they are talking about. Has anyone had any experience installing software on a NSA machine? If you have then you know the hurdles and testing that takes place to get something usable. They LOVE security and really just want you to love it as much as they do.

Re:Before donning tinfoil hats...

The NSA's lack of street cred is based on a smear job by the NY Times. What the Times artfully hid is that the agency complied with federal law in the wiretapping. They exploited a loophole in the law to support CALEA efforts. However, what they did was legal, and how the agency did it was legal. The folks requesting the information from the agency broke several laws, but attacking the NSA is a lot safer than attacking federal law enforcement agencies who broke the laws.

The NSA has two huge problems right now. One is that a lot of good people quit between the warrantless wiretapping and a bad management period. The other is that they just don't have the funding, manning or kilowatts available to keep up as the threat evolves. You will, however, never meet a group of people as dedicated as they are to defending the United States, and it's sad to see how many good people have been hurt by sketchy journalism.

Re:Before donning tinfoil hats...

[gatkinso]

Most of these hurdles and testing are performed by so called "Information Assurance Engineers" who could not hack it as a sys admin. Most of what they do consists of installing from an approved kick-start media, running various scripts to configure and test the machine.

Dispel yourself of the notion of some super security guru setting up this machine. It is some drone following a checklist he/she doesn't really understand using media given to them, running the STIG scripts, running their verification scripts, and move on to the next machine. If there is a problem, they have a troubleshooting script which they run. If there is still a problem after that they turn the machine off, completely unplug it, note it, and move on.

These hurdles you speak of are mostly with accreditation and media/hw trust.
 

If our overlords are to record everything we do...

[leftie]

...the least our overlords can do is pitch in on building the databases our overlords are going to store all that crap they recorded about us.

Re:OK, now try it in English

[Ksevio]

Just a nit-pick, but the main value of Hadoop is to run distributed map-reduce applications across individual computers. The Hadoop file system is often used along with it, but other distributed file systems can be used in its place.

The myth of security...

[blahplusplus]

... the best security programmed in software can and will be breached by other means. This emphasis on security IMHO is misplaced, if you want something secure you don't hook it up to the outside world.

Re:The myth of security...

We need to be hooked up to the outside world. That's the whole point of this. Obviously you do not connect a top secret system to a public network. But at the same time, an entire dump of a few peoples non-classified mail boxes could be collected together to build a picture that you wanted hidden.
Security in ALL aspects is good. (personally, I'd like to have one less vector for someone to be able to read my email, even if it only means they don't get to read the flirting between myself and the wife)

Re:The myth of security...

[sumdumass]

When i gain employment at your company and you are not looking, the outside world is effectively inside the company.

Almost everywhere one of these databases will be used will have employees accessing the systems (remember manning?) and there may be a complete need to access the information remotely which even if the internet isn't involved (T1 loop or something) you have the potential of unauthorized access.

You simply cannot focus on one side of the equation. This focus is for where the other sides can't be effective either.

Re:The myth of security...

[syousef]

... the best security programmed in software can and will be breached by other means. This emphasis on security IMHO is misplaced, if you want something secure you don't hook it up to the outside world.

I know my front door can easily be breached by a determined attacker, yet I put a lock on it. Why bother? Insurance requires it for starters. It deters casual thieves for another. Abandoning security altogether is just as stupid as making what you're trying to secure unusable by over securing it. A bit of balance goes a long way.

Re:The myth of security...

If you want something useless in the modern world, yes dont hook it up.

When is that rehashed "the only secure server is one that isn't connected" idiocy going to finally die?

Re:The myth of security...

[wvmarle]

Of course. Security must come in layers, and requires a holistic approach.

But tight computer security can also help keeping the human factor in check. By making sure no unauthorised persons can access the data for starters, particularly related to breaches from the outside. And then making sure there is an audit log of all accesses made to the system, particularly who accessed which piece of sensitive data when. So in case there is a security breach, that there is a way to trace back and know who did it. Knowing that one will get caught for a crime, is a great deterrent and will keep many people from attempting it to begin with.

You can never, ever have 100% security. Especially when people have to actually access data which by nature means data is released by the system. But that doesn't mean you can't do your best, and that's what the NSA is trying to do here on a technical level.

Re:The myth of security...

[silentcoder]

>I know my front door can easily be breached by a determined attacker, yet I put a lock on it

Of course, the world is full of towns and cities where people do NOT put locks on, or bother to shut the locks that came with the door.
A lock can reduce casual theft, reducing the casual thieves work better.

This is no less true of cybersecurity. As long as most cybercriminals get away with it most of the time - we won't see a reduction in exploits.

Re:The myth of security...

There is no "security," there is only making your target less attractive than the next. As the joke goes, I only have to be able to run faster than my partner to escape a bear attack.

Re:The myth of security...

[syousef]

A lock can reduce casual theft, reducing the casual thieves work better.

This is no less true of cybersecurity. As long as most cybercriminals get away with it most of the time - we won't see a reduction in exploits.

Yeah I agree but good luck with that. Dark side of human nature means if you put lots of people in a small space, statistically there are going to be a few rotten apples.

Re:OK, now try it in English

[tprox]

I think you should be appointed the editor of something like simple.slashdot.org (similar to simple.wikipedia.org). Great summary!

Re:OK, now try it in English

..."Another is Hadoop, which is a distributed file system for storing huge amounts of data on a cluster of individual computers, based on Google's Google File System and other similar technologies.."

There, I knew you could do it. Was that too much to hope for?

"To facilitate access to that data, there are other projects that function as databases, with the actual information stored in Hadoop."

What's Hadoop? Do you at least understand that software's massive hierarchy of vaguely interrelated concepts is not exactly crystal clear to an outsider?

So, you quote the information, then you ask for that information...

You're fucking retarded.

They are not abandoning the project ...

[drnb]

My question is this: why are corporations donating their code to Apache instead of just releasing them through the GPL and Sourceforge?

Corporations that want to continue to use the code are more likely to donate to Apache and use the Apache License. Fewer strings attached, much lower likelihood of unpleasant surprises in the next version of the license, etc. Basically open source without the politics and drama.

Corporations that are essentially abandoning/discontinuing the software are more likely to just putting it up on SourceForge and be done with it.

the NSA is not a corporation

[decora]

i think you might enjoy the book "Shadow Factory" by James Bamford,
or maybe you might like the PBS Frontline special about his book, available online at pbs.org (the video is called Spy Factory for some reason)

does this explain the Thomas Drake case?

[decora]

You are describing software testing in the 1990s. Thomas Drake was heavily involved in software testing, and worked for NSA contractors until 2001, when he was hired at NSA itself.

After 9/11, he got disturbed with some of their wasteful practices . . . I am wondering if 'vendor friendly' software testing was one of the practices he might have had a problem with.

The DoD IG report on Trailblazer is still mostly redacted... the public is left in the dark about these things.

Re:does this explain the Thomas Drake case?

[YaddaMinski]

ThinThread-LITTLE is listening... Seriously, the ThinThread project was what could have stopped 9/11 but instead the elites wanted to spend mega-bucks on TrailBlazer; you know the dance step. It is rumored that ThinThread code was adapted for the current system.

and thus can't grant an explicit license

[tepples]

The article mentions a technicality in Apache's current contributor license agreement that appears to bar Apache from accepting public domain work because there is no copyright owner to grant an explicit copyright license.

Re:OK, now try it in English

Well stop being a retard and you wont get flamed.

Copyright issues

[dwheeler]

We're going to see more of this sort of thing. Almost everyone assumes that all software is copyrighted, or that only the copyright holder can release software as free/libre/open source software (FLOSS). Neither are true!! This matters when the US government gets involved, because its "normal" rules are really different from most organization's.

For example, if a government employee develops software as part of his official duties, then in practically all cases that software is NOT subject to copyright in the US (per US law 17 USC 105). It's not just that the author doesn't have copyright; there IS no copyright in the US. Also, when a contractor writes software, the government often receives all the release rights as if it was the copyright holder yet it is not the copyright holder (these are called "unlimited rights"). In this case, the government can release the software as FLOSS, on its own initiative, even though it is NOT the copyright holder. For more details, see: Publicly Releasing Open Source Software Developed for the U.S. Government.

The US government spends billions of dollars each year developing software. It's my hope that, over time, it will release more of the software it develops to the people who paid for it.

Re:Copyright issues

[wvmarle]

So if I understand this correctly, and to say it simple: any software (and for that matter any creative work) created by the US government automatically falls in the public domain?

Interesting modification

[mveloso]

It seems that the extra cell-level security is more of a capability, in that you can categorize (or add a label to) a cell and when you query you specify the access level you have...and the result is included or not depending.

I wonder how it deals with "lost security levels?" If you don't know the security level of a cell, you can't ask for it. If everyone forgets, then the data just sits around, waiting to be pruned. How can you tell the difference between a resource leak and unarchived classified documents that you can't get to?

I suppose that's one of those odd problems that only happens in government. "Why is the database only returning 10 results to me when the database itself is over 16PB?" More amusingly, if the total amount of data used by an NSA system is classified, who has enough information to order more storage?

Re:OK, now try it in English

[thePuck77]

If you're an outsider, why do you care about an article that essentially only matters to insiders? And while we're explaining the intricacies of the software industry, I will take the opportunity to introduce you to this wonderful invention. It's called a search engine. When you don't know what something means, you can search for it yourself, therefore avoiding looking both ignorant and lazy.

By the by, this is /. Notice the subtitle: "News for nerds". I think you may be lost. You may feel more comfortable here: http://digg.com/ or perhaps here: http://myspace.com./

NSA breeds distrust and fear

Unfortunately the NSA exports something that the USA has in abundance - fear and distrust. It hasn't always been this way, and I can remember when people tended to trust each other much more. In the 1950's in my native New Zealand people didn't even feel the need to lock their doors at night. But since the USA has started bombing countries at random, and letting its own citizens arm themselves with whatever calibre weapon they feel like, the world has changed. And it wasn't terrorists that changed the world - it was the USA's fear and distrust that has changed the world for the worse. Distrust is contagious. If you distrust me then I am going to distrust you and probably everyone else. Seed people's minds with distrust and this is what you get from them. In any case, the NSA's paranoic attitude to systems and security is merely a cover for their nefarious reasons for "rating" secure systems - they want to know the worst of what is out there that they may have to deal with. Only a fool would allow an organization like the NSA "rate" their safe, their locks, or their computers. The knowledge that the NSA gains in such exercises is their raison d'etre, and foolishly submitting any secure item to the NSA for their rating only conveniently lets the NSA know that one has such a item when otherwise they might be totally unaware of the item's existence.

Maybe I should set up a gold rating agency. You show me your secret stash of gold and I will tell you whether it is secure or not.

Re:NSA breeds distrust and fear

[gatkinso]

You do realize that for an organization like the NSA to trust anybody, even their own employees, would be exceedingly foolish.

As far as I know, the people of the United States have had the right to bear arms for over two centuries. However if you think this means an American can go out on a whim and buy a heavy machine gun then you are mistaken.

Not sure why all of a sudden people are locking their doors in New Zealand, but I would suspect it has more to do with an uptick in local crime than American foreign policy.

Re:NSA breeds distrust and fear

Not sure why all of a sudden people are locking their doors in New Zealand, but I would suspect it has more to do with an uptick in local crime than American foreign policy.

Wait, you mean accept responsibility for my own circumstance? Nah, it's because "the USA has started bombing countries at random." Ours will be next.

Is there an OSI license that can work?

[bill_mcgonigle]

That's an interesting problem - most open source licenses depend on copyright for enforcement. If there is no copyright, those licenses can't be used. Is there a way to incorporate?

Mixing tenses... which is it?

[Beacon11]

It appears there are some hurdles that must be cleared concerning copyright before the project could be accepted.

Wait... what? I'm not trying to be a grammar nazi, I'm genuinely confused. ARE some hurdles that must be CLEARED (future tense)... COULD be accepted (past test)? Which is it-- do the hurdles still need to be cleared before the project can be accepted, or have the hurdles been cleared and the project accepted?