43 comments

[ 2.7 ms ] story [ 85.5 ms ] thread
This is really smart, and I hope this becomes the norm across all governments.

Governments not knowing what their software is doing is a recipe for chaos.

Hopefully this also leads to more audits of said code.

Hopefully this also introduces standardized auditing of open sourced packages. Just because something is open sourced, doesn’t mean it’s altruistic and not susceptible to malicious actors submitting seemingly innocuous code that gives bad actors a back door.

The xz fiasco earlier this year should encourage every organization to conduct such audits. A code smell could and should be enough for packages to not be supported.

Obvious strategy to reduce legaö risks like the postmaster debacle.
For anyone who has not heard of the “postmaster debacle”, as I; it is a stunning atrocity of government that appears to have affected 3,650 people who were hounded and persecuted and prosecuted for various types of theft and malfeasance even though it was a glitch in the Fujitsu software that caused whatever appeared to have been thefts or irregularities in the accounting that was the basis for the government tyrannical terror descending on these people. It also cause at least four (4) suicides.

https://en.m.wikipedia.org/wiki/British_Post_Office_scandal

I suspect this also has its roots in the European legal tendency to presume guilt and the accused having to prove their innocence, far more than the system has also been poisoned with in the USA. It’s not perfect and getting worse in the USA, but in the past, it would have been incumbent upon the prosecution to prove you actually stole, not just that the system used indicated irregularities. For example there would have to be evidence of money transfers, exceptional lifestyles, video surveillance of stealing money, or at least witness testimony of some kind validating that money was stolen, etc. If something was stolen, it essentially has to be shown what happened to it, i.e., it was in the possession/control of the accused.

> I suspect this also has its roots in the European legal tendency to presume guilt and the accused having to prove their innocence

This scandal took place in the UK, though, not in a European civil code jurisdiction. The concept of "presumption of innocence" originates in English common law.

Under British law, however, courts presume that a computer system is working flawlessly unless proven otherwise, so if computer says guilty it'll be tough to convince a jury that you're not.

And that was made even harder by the massive and continuous perjury by the Post Office when it came to the robustness of the system

The US government, especially the military, is largely allergic to software. This is slowly starting to change, but only in small pockets. I am aware of three software teams in the military but they are highly specialized with small dedicated customers.

I have tried several times to get Node.js into the military on approved software lists for internal development and its a huge struggle. I suspect the main culprits are due to valid security concerns regarding package managers like NPM and old ignorant thinking about open source being either immature or open software being a wide open exploitation vector. That is really tough because there aren't official binaries of Node without NPM and ignorant thinking about open source is really persistent.

I mean… open source IS suffering insecurity issues.

A lot of the supply chain failures I can think of, were open source projects.

I’m not saying node or OSS has no place, but there is more than something to do t being a security issue.

How many years was heartbleed exploitable despite “all the eyes on it”?

The good part about OSS is all the people that can review it, the bad part is all the people that can review it. Now… which one is more incentivized today ignoring a future military use?

It only works when assets are put into hardening existing code.

i can think of no act more deviously effective in bringing down the american empire than introducing the NPM ecosystem into its vital bloodstream, well played comrade!
If you had to select a single programming language, for US government agencies to use, which one would you pick?
go or java, in that order
(comment deleted)
(comment deleted)
Thank you for your reply. If you were asked develop a web application using Go, how would you go about doing it?
I would assume he would use HTMX, being the creator of it.
Yeah, go w/ htmx + vanillajs (or possibly alpine.js or https://github.com/gnat/surreal) would be a reasonable option for many government projects. You can audit the htmx codebase and it is dependency free (same w/ alpine & surreal) and self-host everything, go compiles to a single binary for deployment.
To be honest, not having node.js on the approved software list seems like a pretty good idea.
> I have tried several times to get Node.js into the military on approved software lists for internal development and its a huge struggle

What's on the approved stack? I imagine .Net and Java/spring are the standard, right? anything else like php, python, go etc?

But is node worth it without the npm packages?

I feel like it's pretty much one of the worst runtimes/scripting languages if you can't utilize it's ecosystem.

Yes, absolutely. I can manually import the 2-3 packages I regularly use. TypeScript, for example, has no dependencies. The only thing I would miss is ESLint which has a billion dependencies that I wouldn't bother with.
Considering the military has an offensive cybersecurity arm, maybe they know more about node js and why not to use it than you might assume.
(comment deleted)
This is actually really scary that you want NPM in the military... Thank god that I trust - this was denied - smart move.
I don't. I want Node available to write systems automation without dependency on OS specific code. I don't need NPM to make effective use of Node.
Sorry, but I'm glad they are not open to node. Why would you want node within the militaries network?
To quickly spin up OS-agnostic systems automation.
If you can piggyback on an existing system, you may only need to pursue using the RMF assess only process with the gaining system owner. Once the assess only process is approved, the hardware, software and PPSM in the gaining system would be updated to reflect the new components. Those approved software lists don’t get updated very quickly. Using an assess only process may move things ahead more quickly.
Well NPM isn't really your problem there, the registry its targeting is and that's a firewall & config change, no need to block npm.exe.
For the untested in this subject you’ve got to research about Brazil’s effort to use as much open source as they can at the state level. They’ve been doing so for nearly 20 years.

https://opensource.com/government/12/8/brazil-forefront-open...

Yet the Brazilian government releases little of its own code publicly. I'm still waiting for the ballot machine code.

Brazilian government's relation with open technology is such a weird thing. Lula and Dilma government were huge sponsors of free software conferences like FISL, with several ministries and agencies with huge booths and whatnot - but most of their actual technical side was just "we use libre office or Zimbra or whatever". All talk, no action.

One thing that specially made me angry was the lack of commitment with open data. The post office was eager to sponsor conferences, but kept zip code data under lock and key, only allowing a CAPTCHAd query tool for people, and selling API access to companies for huge prices. This was actually only fixed... during the right wing governments that followed (can't remember if Temer or Bolsonaro).

There was a talk about this at this years FOSDEM [0]

Regarding the "Several European countries are betting on open-source software for their technology. In the United States, eh, not so much." I thought software developed by the US govt is public domain? At least that's how I remember sqlite got it's license because it was developed for the US Navy.

[0] https://fosdem.org/2024/schedule/event/fosdem-2024-3401-the-...

Ah yes. Except most software the US Government uses was developed by contractors .
This forward thinking makes me proud.
Reading the sourced link, it's currently only for federal government institutions, a lot of things, like the "DMV", or social services, are still the domain of the Kantons (equivalent to a US state).

So it's "all" but in a different context to what you might understand as "all". ;)

(comment deleted)
This doesn't require all software used by Switzerland to be open source. Per the article:

> This new law requires all public bodies to disclose the source code of software developed by or for them unless third-party rights or security concerns prevent it. This "public money, public code" approach aims to enhance government operations' transparency, security, and efficiency.

Sounds great. Except that as a company, you can now only deliver services to this government. No products, since you will lose your competitive advantage. This is a big disadvantage for for instance startups that target this market.
It’s a disadvantage if you require proprietary licenses, but an advantage if you leverage open source licenses.
I don't hear anything I care about, or that anyone should care about, under the "except" column.

Don't target that market if you don't like the terms. Someone else will. I will.

Good ideas finally need government backing and adoption to scale and sustain. OSS has been facing tough times since cloud providers like AWS came in. Moves like this will help keep the open source spirit alive. Really proud to see this and hope more governments go this way.