LOGIN | REGISTER NOW | SUBSCRIBE
 
 
News on Monday
more>>
SharePoint Tech Report
more>>


   

 
 
Download Current Issue
ISSUE 2/1/2010 PDF

Need Back Issues?
DOWNLOAD HERE

Receive the print Edition?


 
blogs tab
Visual Studio 2010 Release Candidate Available Today
A Visual Studio 2010 release candidate is available on MSDN.
02/09/2010 09:45 AM EST

Is Microsoft eyeing Office subscription pricing?
Microsoft may be preparing to offer a new Office pricing option called "union," which charges the same for cloud as on-premises.
02/01/2010 09:38 AM EST

Facebook rewrites PHP runtime
Facebook is about to open source its own PHP runtime, written from scratch for speed.
01/30/2010 08:53 PM EST

 

Events calendar tab
Macworld 2010
2/9/2010 to 2/13/2010
San Francisco
IDG World Expo

SPTechCon 2010
2/10/2010 to 2/12/2010
San Francisco
BZ Media

PyCon 2010 (Python Conf.)
2/17/2010 to 2/25/2010
Atlanta
Python Software Foundation

Southern Calif. Linux Expo
2/19/2010 to 2/20/2010
Los Angeles
SCALE

IBM Pulse
2/21/2010 to 2/24/2010
Las Vegas
IBM


 
print Printable version 
Most Read Latest News Blog Resources
Facebook brings HipHop to PHP
HipHop compiles PHP to speed up the Web layer at world's most popular social networking si...

Adobe moves LiveCycle application platform to the cloud
Release gives developers just what they need to create targeted business process-oriented ...

Oracle acquires AmberPoint
Today's merger will probably affect most of AmberPoint's existing partnerships with other ...

Digg!  Digg
Reddit  Reddit
Slashdot  Slashdot
Share on facebook  Facebook
Share on Twitter  Twitter

Black Duck identifies public projects that may be security risks


By David Worthington
November 5, 2009 — 
Black Duck Software, a company that sells tools for managing open-source development, has found more than 4,000 instances of public projects containing encryption algorithms strong enough to require a filing with the U.S. Department of Commerce Bureau of Industry and Security (BIS) to export downstream applications.

The company used its Export 5.0 product, which was released on Oct. 21, to analyze its repository of 220,000 open-source projects. Four thousand open-source projects required BIS for approval, and another 4,000 could be considered strong enough for requiring BIS approval depending on how they are used, said Eran Strod, director of product marketing for Black Duck.

Open-source projects are permitted to redistribute encryption algorithms in their source code because they have an exception to the rules, Strod explained. "The National Security Agency and BIS just want to be informed about what is happening in the open-source world."

The U.S. Commerce Department could not be reached comment by press time.

However, that authority does not carry on to downstream developers and organizations that create solutions using open source, Strod said. Those organizations need to obtain a new license to distribute code outside of the United States.

"This is the law, and you have to follow it," Strod said. It is important for developers to be aware of their compliance with encryption export control requirements because they may be "legally on the hook," he added.

The U.S. Commerce Department received oversight authority for encryption export when President Bill Clinton signed Executive Order 13026 in 1996 in response to requests for relaxations in control over U.S exports. Encryption algorithms were previously included on the United States Munitions List, pursuant to the Arms Export Control Act of 1976.

The Commerce Department's BIS prohibits encryption algorithms from being exported to so-called "rogue states." A rogue state is a term applied to a country that the U.S. government considers to be threatening to the world's peace.

Since government oversight of encryption became more relaxed, it has become possible to send algorithms around the world from the U.S., said Rex Black, president of Rex Black Consulting, a security group. There are still other countries that maintain control export regimes, he added, and the U.S law is a "moving target," that has evolved over time.

Changes in how the U.S, government has exercised export controls has created confusion. Black noted that Black Duck is selling software that manages compliance with government requirements, and that it would be in its interest to encourage maximum paranoia about what might be illegal.

However, he added, "It could be that attorneys on [Black Duck's] staff researched it completely."

Black acknowledged that knowing your compliance status is not necessarily a bad idea. "It is good for organizations to be aware of the extent encryption is included in their software, and to know the risks it might pose to them."


Related Search Term(s): Black Duckopen sourcesecurity


Share this link: http://www.sdtimes.com/link/33888
 

Add comment


Name*
Email*  
Country     


  • Comment
  • Preview
Loading