HOME ALL STORIES LATEST NEWS COLUMNS OPINIONS EDITORIALS GUEST VIEWS SHORT TAKES DATA WATCH SPECIAL REPORTS ZEICHICK'S TAKE SD TIMES 100 EDITORS' BLOG

RSS FEEDS

FACEBOOK

TWITTER

WHITE PAPERS SPONSORED PROFILES JOB BOARD WEBINAR CENTER FREE SOFTWARE BZ RESEARCH ALMSHAREPOINT EVENTS CALENDAR PRINT/PDF EDITION PRINT/PDF BACK ISSUES

SUBSCRIBE TODAY CUSTOMER SERVICE EDITORIAL CALENDAR EDITORIAL BEATS GUEST VIEW GUIDE SD TIMES 100 GUIDE EVENTS CALENDAR ADVERTISING ARTICLE REPRINTS REPORT A BUG SITE MAP

ABOUT US BZ MEDIA NEWS BZ RESEARCH SYSMANNEWS SPTECHCON ESDC IPHONEDEVCON PRIVACY POLICY CONTACT US

Printable version

HOME >> LATEST NEWS

Most Read Latest News Blog Resources

Does Windows cost Microsoft opportunities?
Microsoft's decision to focus .NET on Windows is stifling innovation due to the specter of...

Mono brings .NET to Android
At Microsoft MIX, Mono will unveil the ability to port .NET applications to the Android op...

OSBC focus turns to best practices for open-source adoption
Businesses are no longer asking why they should adopt, but how do they use open source leg...

Maven Studio for Eclipse gets developers up to speed
Sonatype tool simplifies onboarding by giving developers a way to easily deploy fully conf...

nVidia updates CUDA tools
Latest version helps developers turn desktops and servers with high-end GPUs into more pow...

Scrum Planning Board adds automation to Axosoft OnTime
Illustrations are also included to assist Scrum-using developers a better view of what the...

Google Code turns 5
Google Code Turns 5, and adds a Paxos Algorithm to make the system more stable and reliable.

Test your Visual Studio 2010 know-how
Microsoft is offering free beta certification exams for Visual Studio 2010.

Microsoft lifts the hood on IE9
Microsoft is previewing IE9.

Overcoming Development Challenges with Open Source Open source software can help you with your application development challenges. It doesn’t...

Accelerate Services and the Cloud Business units, functional groups, and different divisions of companies across industries...

Enterprise Mashup Platforms for Today’s Increasingly Complex and Real-Time Context Enterprise Mashups offer your company a new way to connect data from inside and outside yo...

Technorati

Digg

Slashdot

Facebook

Friendfeed

Twitter

del.icio.us

Black Duck identifies public projects that may be security risks

By David Worthington

November 5, 2009 —

Black Duck Software, a company that sells tools for managing open-source development, has found more than 4,000 instances of public projects containing encryption algorithms strong enough to require a filing with the U.S. Department of Commerce Bureau of Industry and Security (BIS) to export downstream applications.

The company used its Export 5.0 product, which was released on Oct. 21, to analyze its repository of 220,000 open-source projects. Four thousand open-source projects required BIS for approval, and another 4,000 could be considered strong enough for requiring BIS approval depending on how they are used, said Eran Strod, director of product marketing for Black Duck.

Open-source projects are permitted to redistribute encryption algorithms in their source code because they have an exception to the rules, Strod explained. "The National Security Agency and BIS just want to be informed about what is happening in the open-source world."

The U.S. Commerce Department could not be reached comment by press time.

However, that authority does not carry on to downstream developers and organizations that create solutions using open source, Strod said. Those organizations need to obtain a new license to distribute code outside of the United States.

"This is the law, and you have to follow it," Strod said. It is important for developers to be aware of their compliance with encryption export control requirements because they may be "legally on the hook," he added.

The U.S. Commerce Department received oversight authority for encryption export when President Bill Clinton signed Executive Order 13026 in 1996 in response to requests for relaxations in control over U.S exports. Encryption algorithms were previously included on the United States Munitions List, pursuant to the Arms Export Control Act of 1976.

The Commerce Department's BIS prohibits encryption algorithms from being exported to so-called "rogue states." A rogue state is a term applied to a country that the U.S. government considers to be threatening to the world's peace.

Since government oversight of encryption became more relaxed, it has become possible to send algorithms around the world from the U.S., said Rex Black, president of Rex Black Consulting, a security group. There are still other countries that maintain control export regimes, he added, and the U.S law is a "moving target," that has evolved over time.

Changes in how the U.S, government has exercised export controls has created confusion. Black noted that Black Duck is selling software that manages compliance with government requirements, and that it would be in its interest to encourage maximum paranoia about what might be illegal.

However, he added, "It could be that attorneys on [Black Duck's] staff researched it completely."

Black acknowledged that knowing your compliance status is not necessarily a bad idea. "It is good for organizations to be aware of the extent encryption is included in their software, and to know the risks it might pose to them."

Related Search Term(s): Black Duck, open source, security

Share this link: http://www.sdtimes.com/link/33888

New tools police use of open-source code Black Duck and OpenLogic announce new tools to help resolve IP and corporate policy conflicts

C, C++, Java lead open source A report on languages used in open-source projects shows JavaScript and PHP growing, while C, C++ and Java are the most used

Big investments in open source The cost of open-source software has been put at US$387 billion, a hefty sum that accounts for 200,000 projects and 4.9 billion lines of code, according to IP protection company Black Duck Software.

Add comment

Name*
Email*
Country

Comment
Preview

News on Monday
more>>
SharePoint Tech Report
more>>

Download Current Issue
ISSUE 3/15/2010 PDF

Need Back Issues?
DOWNLOAD HERE

Receive the print Edition?

Google Code turns 5
Google Code Turns 5, and adds a Paxos Algorithm to make the system more stable and reliable.
03/17/2010 11:16 AM EST

Test your Visual Studio 2010 know-how
Microsoft is offering free beta certification exams for Visual Studio 2010.
03/17/2010 11:08 AM EST

Microsoft lifts the hood on IE9
Microsoft is previewing IE9.
03/16/2010 01:10 PM EST