The new media team at the White House announced over the weekend that the whitehouse.gov website has been moved to Drupal. Open source advocates are hailing this as a victory for open source over proprietary software. Tim O'Reilly says:
This move is obviously a big win for open source. As John Scott of Open Source for America (a group advocating open source adoption by government, to which I am an advisor) noted in an email to me: "This is great news not only for the use of open source software, but the validation of the open source development model. The White House's adoption of community-based software provides a great example for the rest of the government to follow."
John is right. While open source is already widespread throughout the government, its adoption by the White House will almost certainly give permission for much wider uptake.
Dana Blankenhorn says:
The switch was designed to be transparent, but even a casual observer will note the site now features five separate blogs, and that officials’ names are now listed on announcements that read more like stories, often with personal details.
So it’s one small step for Washington, one giant leap for open source.
He also notes:
Sites like Whitehouse.gov are the ultimate honeypots for hackers and script kiddies around the world. This is true regardless of the party in power.
Because the White House is such an inviting target, the White House team needs to be extra vigilant.
Security expert Robert "RSnake" Hansen explains:
According to Dries Buytaert, “…this is a clear sign that governments realize that Open Source does not pose additional risks compared to proprietary software…” This is a complete fallacy. More than that, it’s dangerous that non-security people are touting their knowledge of security as if it’s fact. Look, if you were talking about vulnerabilities per line of code or something, I may get on board with that statement, but that’s just not how the real world works. There is one very massive difference between open source and proprietary coded applications. I can pen-test Drupal all day long without sending a single packet to Whitehouse.gov.
That is, if the White House is actually using an unmodified out-of-the-box version of Drupal. But if the White House is concerned at all about security, they have already hardened their copy of Drupal before going live:
Like ha.ckers.org they most likely chopped it up, removed all the unnecessary functionality, stripped it down to bare bones, locked the server up so tight it would be impossible to even upgrade it without an act of Congress and on and on…
The irony of all this, RSnake notes, is this:
And how is a locked down highly customized variant of Drupal different than a proprietary solution?