Monday, October 26, 2009

whitehouse drupal

The new media team at the White House announced over the weekend that the whitehouse.gov website has been moved to Drupal. Open source advocates are hailing this as a victory for open source over proprietary software.

Tim O'Reilly says:

This move is obviously a big win for open source. As John Scott of Open Source for America (a group advocating open source adoption by government, to which I am an advisor) noted in an email to me: "This is great news not only for the use of open source software, but the validation of the open source development model. The White House's adoption of community-based software provides a great example for the rest of the government to follow."

John is right. While open source is already widespread throughout the government, its adoption by the White House will almost certainly give permission for much wider uptake.


Dana Blankenhorn says:

The switch was designed to be transparent, but even a casual observer will note the site now features five separate blogs, and that officials’ names are now listed on announcements that read more like stories, often with personal details.

So it’s one small step for Washington, one giant leap for open source.


He also notes:

Sites like Whitehouse.gov are the ultimate honeypots for hackers and script kiddies around the world. This is true regardless of the party in power.


Because the White House is such an inviting target, the White House team needs to be extra vigilant.

Security expert Robert "RSnake" Hansen explains:

According to Dries Buytaert, “…this is a clear sign that governments realize that Open Source does not pose additional risks compared to proprietary software…” This is a complete fallacy. More than that, it’s dangerous that non-security people are touting their knowledge of security as if it’s fact. Look, if you were talking about vulnerabilities per line of code or something, I may get on board with that statement, but that’s just not how the real world works. There is one very massive difference between open source and proprietary coded applications. I can pen-test Drupal all day long without sending a single packet to Whitehouse.gov.


That is, if the White House is actually using an unmodified out-of-the-box version of Drupal. But if the White House is concerned at all about security, they have already hardened their copy of Drupal before going live:

Like ha.ckers.org they most likely chopped it up, removed all the unnecessary functionality, stripped it down to bare bones, locked the server up so tight it would be impossible to even upgrade it without an act of Congress and on and on…


The irony of all this, RSnake notes, is this:

And how is a locked down highly customized variant of Drupal different than a proprietary solution?


Thursday, May 21, 2009

programming experiments

Bill the Lizard, in a post titled Programming and Experimentation, writes about his experience as a tutor of first-year CS students in college:

I would frequently have students bring code to me and ask me what I thought of it. Some would even go so far as to ask me if I thought their code would compile. I would never answer this question directly (despite Head First Java repeatedly urging me to "Be the Compiler"), but would instead patiently show them how to answer it for themselves. These students weren't lazy, they were scared. In many cases it seemed like they were more scared of being wrong than they were of not knowing the answer. [emphasis in original]


He then notes that curiosity is a trait shared by most or all of the best programmers, that curiosity leads to experimentation, and that a good teacher or mentor can impart that curiosity to others. It's a good post, well worth the reading.

But what jumped out at me is how this dovetails with something I read this week in Clay Shirky's Here Comes Everybody, on exactly how open source software threatens the proprietary model:

Open source is a profound threat, not because the open source ecosystem is outsucceeding commercial efforts but because it is outfailing them.


Shirky took a look through the project tree at SourceForge, and found that the vast majority of projects could not be considered successes in any sense of the word. But here's the key: Someone made the effort to start a project. Someone tried an experiment.

And a few, a small but significant number, built something worth using. Of these, most are niche software, useful to a few people. But a few have attracted a wide audience.

It's impossible to know at the outset which projects will be successful. What SourceForge and other open source project hosting sites provide is a platform for programmers to try something without a large up-front financial commitment. The more experiments, the greater the likelihood that someone will succeed.

That's why inspiring beginning programmers to try their own experiments is such a valuable gift. Bill the Lizard says it well:

If you show someone how experimentation works in programming, and you're enthusiastic about learning with them, they might catch the bug from you. I had very few students who were disappointed that I wouldn't just tell them the answers to their programming assignments. Most of them wanted to learn how to do it for themselves once they were convinced that they could.
