I have been a Pennsylvania State Trooper for the last 16 years. For the last 10 years I have been in the Computer Crime Unit where I have investigated incidents from homicide to retail theft to include several intrusion cases. The vast majority of our work deals with child exploitation. For the last eight years I have been the Coordinator for our Central Computer Crime Task Force, which is made up of local, state and federal law enforcement entities. I graduated in May 2009 with my BS in Computer Science and an Undergraduate Certificate in Computer Security. Over the last 10 years I have been using OSS extensively in our Task Force operations, developed a version of Knoppix for on scene forensic previews, and have been an advocate for OSS within my organization and to the law enforcement community. In regards to the opening topic...I think the open source model (OSM) meets the challenge of providing secure code and more cybersecurity far better than the closed source proprietary model (CSPM) does. With the larger collaboration of interested developers in the OSM, bugs, security holes, “timebombs”, backdoors and embedded malware are much less likely to be introduced, much less make it out of alpha or beta releases. In my opinion, the biggest hurdle is getting people who are used to the CSPM to see that the OSM works, and that it is not a fad. To this end, there are many mature government OSS projects that can be pointed to as success stories. On your question of background checks, this is something that I have advocated for years for both developers and system admins on closed systems (something I have always gotten a lot of blow back from HR for). In OSS development, I am not sure sure that it is all that practical or necessary, except for the top developers who a responsible for the codebase. As the saying goes, "Sunshine is the best disinfectant." That is not to say that there could be an effort by foreign government(s) to poison the codebase, but in a large OSM project I think this effort would be discovered rather quickly. As this is the first time I have participated in a working group, so I hope this was what you were looking for. Regards, Jon <div class="gmail_quote">On Mon, Feb 8, 2010 at 11:21 PM, Roger Yee <<a href="mailto:rogeryee@gmail.com">rogeryee@gmail.com</a>> wrote: <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div link="blue" vlink="purple" lang="EN-US"><div>Welcome to the Cybersecurity Working Group in support of Open Source for America. I’ll be your working group chair for cybersecurity. A quick background on me: most recently I was a VP with BAE Systems responsible for global defense and security IT programs for US customers. A portion of this business area formed the basis of what is now the Cybersecurity business unit within BAE Systems. Additionally, I have successfully championed the use of open technology and standards within our cybersecurity products and associated programs. With the increasing focus of cybersecurity by the government and industry, it has become even more important for those of us engaged in the open source community to help shape and voice the role of open source and cybersecurity. I am sure there are more than plenty of topics and issues for this group to put forth and openly discuss. Opening topic: Securing the software supply chain has received notable attention in recent months over concerns of software “timebombs”, backdoors and embedded malware. What challenges does the open source development model face in the context of secure code and cybersecurity? Should developers be subject to background checks (aka security clearances)? What role should industry play in securing the software supply chain? I invite you to introduce yourself to the working group and join the conversation! Roger </div> </div> _______________________________________________ cybersecurity-wg mailing list <a href="mailto:cybersecurity-wg@opensourceforamerica.org">cybersecurity-wg@opensourceforamerica.org</a> <a href="http://opensourceforamerica.org/cgi-bin/mailman/listinfo/cybersecurity-wg" target="_blank">http://opensourceforamerica.org/cgi-bin/mailman/listinfo/cybersecurity-wg</a> </blockquote></div>