White House Website Switches To Open Source

Falc0n writes "WhiteHouse.gov has gone Drupal. After months of planning, says an Obama Administration source, the White House has ditched the proprietary content management system that had been in place since the days of the Bush Administration in favor of the latest version of the open-source Drupal software. Dries Buytaert reflected on this, adding: 'this is a clear sign that governments realize that Open Source does not pose additional risks compared to proprietary software, and furthermore, that by moving away from proprietary software, they are not being locked into a particular technology, and that they can benefit from the innovation that is the result of thousands of developers collaborating on Drupal.'"
  • by abigsmurf ( 919188 ) on Sunday October 25, 2009 @08:44AM (#29864153)
    The problem with using Drupal for the White House is that it's a popular CMS and has lots of people looking for exploits and vulnerabilities. The second a proof of concept piece of code or an easy exploit is discovered, a few thousand script kiddies will descend to get their 15 minutes of fame.

    I'm not sure how Drupal fares with bugs and patching speed (I know Wordpress seems to get some high profile holes discovered) but even if all vulns are patched before someone takes advantage of it, you're still going to need an admin who's going to be constantly alert to patching it.

    I'm not arguing against closed source vs open, more about popular vs obscure.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      You could just as easily turn that argument around and say that because it's a popular CMS and has a lot of people looking through its code for exploits, it's also a lot more secure than some other more obscure CMS which would have much less reviewed code.

      • that was my reaction. What ever choice the White House made, it would still be a target for malicious hackers.
      • Yep, that's the same reasoning Microsoft makes with Windows being more secure than OS X! ;)

        [Not really, I'm just trying to be mildly humorous].
      • As much sense as that makes and as true as it may be, those who exploit will always be one step ahead of those who patch the exploits.
      • by nmb3000 ( 741169 ) on Sunday October 25, 2009 @03:36PM (#29866967) Journal

        because it's a popular CMS and has a lot of people looking through its code for exploits, it's also a lot more secure

        As pointed out, Wordpress easily proves this long-believed mantra false. It's one of the most widely used blogging applications and it is consistently in the news for high-profile hacks and exploits. That, and Drupal hardly seems immune [google.com].

        What's even more interesting is the possibility for intentional security flaws in the code. Interested parties can start submitting patches and changes to the Drupal codebase with inherent flaws. These might even be distributed (module A has a flaw that uses module B's flaw that uses module C's flaw...), which combined with submissions over a series of weeks or months and it seems unlikely they'll be easily spotted.

        This is the real downside to using open source code in government applications -- In four months the White House website may be running code written by Chinese (or Russian or whoever) hackers (who may or may not be government employees) for the sole purpose of exploiting the site. Expand this into internally used applications like MediaWiki, Pidgin and it has even bigger implications for intelligence gathering and infiltration.

        Major programs like these are big and complex. If the Debian OpenSSH fiasco taught us anything it should be that when you combine big and complex, don't be surprised if those many average eyes are insufficient to catch what the few skilled and experienced hands put in the codebase.

        • Re: (Score:3, Insightful)

          by g253 ( 855070 )
          So they fork it and maintain it themselves. Problem solved.
          (okay, it's not that simple, but it's still a nice option to have)
        • Re: (Score:3, Insightful)

          by rtb61 ( 674572 )

          Perhaps you would also like to talk about all that closed source proprietary code that government espionage agencies all over the world have access to. In fact most governments are now refusing to use closed source proprietary code unless they have access to the code to scan for back doors not only put in by corporations for their own advantage but put in by governments via secret warrants and not disclosed for national security reasons.

          The biggest difference between closed source and open source in gover

    • by Kifoth ( 980005 ) on Sunday October 25, 2009 @09:07AM (#29864309)
      You're assuming that the site's pages aren't served via a third party 'dumb' caching server, with the actual Drupal server locked down and disconnected from the internet.
    • by kamelkev ( 114875 ) on Sunday October 25, 2009 @09:28AM (#29864447)

      I run a fairly high profile drupal site - and this has always been a large concern for us.

      Our solution was basically to disable user logins completely. An overwhelming number of the exploits require you to login, so by removing this prerequisite, we basically avoided the problem.

      Security isn't exactly a priority for drupal either, it's almost added as an afterthought. To put things in perspective, their login page doesn't even support SSL by default in either drupal 5 or drupal 6. To me that's verging on pathetic.

      We were lucky because user logins weren't a core part of our site concept when we implemented the site, but I am now thinking that it might be a good way to go in the future, but I'm mostly petrified of this problem.

      On the bright side of things they include a large number of extensions, and things mostly work as advertised, so we found this to be our best option out of all the open source CMSes we tried.

      • by gbjbaanb ( 229885 ) on Sunday October 25, 2009 @10:28AM (#29864779)

        Security isn't exactly a priority for drupal either, it's almost added as an afterthought.

        not any more!!

      • by blakhol ( 919393 ) on Sunday October 25, 2009 @02:14PM (#29866431)

        Security is most certainly not an afterthought for Drupal.

        Up through version 6 you needed to turn on a module like Securepages module to enable SSL logins.

        The upcoming Drupal 7 has SSL login support in core.

        See http://crackingdrupal.com/blog/greggles/drupal-and-ssl-multiple-recipes-possible-solutions [crackingdrupal.com]

    • Wait, are you trying to say it might be possible that closed source might be safer than open source in some situation?
    • by Junior J. Junior III ( 192702 ) on Sunday October 25, 2009 @09:50AM (#29864569) Homepage
      Popular OSS products are generally popular for a good reason. Many people find them to be useful. Lots of people looking for exploits on a popular product means that, all things being equal, the more popular product will be more secure, not less, so long as security holes are being attended to by the project's maintainers. If a product is good enough to become popular, that usually means that the product also has people working on it who know what they're doing, and with a lot of interest in a product it means that there's likely to be more interest in contributing improvements. Going with an unfamiliar/poorly known/obscure solution isn't going to help whitehouse.gov. People know about whitehouse.gov, and are going to want to attack it, regardless of what they implement the site in. If it's some obscure solution that few people know about, then you can be sure very quickly people will start to learn about it. So selecting a more obscure solution isn't going to help them out any.
    • by Nemyst ( 1383049 ) on Sunday October 25, 2009 @10:09AM (#29864661) Homepage
      Didn't most people agree that security through obscurity is bad? If using popular open-source software was so bad, how come so many servers use Linux?

      I'd argue it's the exact opposite: by choosing a popular, mature CMS, they're ensuring a LOT of the vulnerabilities have been found, exploited and fixed. The major difference between the White House site and Joe Web Dev's site is that the former will probably only upgrade for security fixes and will be very careful with new features, since that's where the bugs and exploits can hide. With good sysadmins, proper security tools and good practices, the site can be very safe. I just don't see them using alpha versions of modules and such.

      On the flip side, I'm hopeful that WhiteHouse.org's programmers and sysadmins will also contribute to the codebase with fixes and improvements of their own. This could end up being very beneficial for the Drupal community.
      • Re: (Score:3, Funny)

        by elashish14 ( 1302231 )

        Actually, it's www.whitehouse.gov for the Obama administration. I'll let it slide though; as long as you don't confuse it with whitehouse.com - not linkified for a very special reason....

      • With Linux you can heap extra layers of security on so that exploits can't be attempted. You not only have to deal with an exploit, you need to get past all the other security measures too.

        With a web based CMS you are constantly exposed and exploits can be implemented and run in minutes (mod security only provides limited protection). You don't need to infect a webserver to do damage, you just need to be able to run an SQL query or upload a file with code.

        There will always be a timelag between an exploit be
    • > I'm not arguing against closed source vs open, more about popular vs obscure.

      Whatever they use is going to be a high-profile target just because they are using it. Security by obscurity doesn't work for such sites.

    • Re: (Score:3, Informative)

      The advantage to using Drupal for the White House is that it's a popular CMS and has lots of people patching exploits and vulnerabilities. The second a proof of concept piece of code or an easy exploit is discovered, a few thousand developers will descend to get their patches submitted.

      As opposed to your homegrown CMS, where you only discover the security holes when 3gotiZt posts pictures of full frontal nudity on the home page of your site.

    • Re: (Score:3, Insightful)

      You're certainly right that Drupal has a lot of visibility. On the other hand, is it the end of the world if Whitehouse.gov gets exploited? If we can assume that the site is reasonably managed, and does not have a direct pipeline from the front end web server into the CIA's servers, then the likely worst result would seem to be that misinformation would be published. This isn't good, but it would probably get detected fairly quickly by partisans. We're not talking missile launch systems here.

      If Drupal hel

  • Clearly (Score:3, Interesting)

    by Chelloveck ( 14643 ) on Sunday October 25, 2009 @09:00AM (#29864275)

    this is a clear sign that governments realize that Open Source does not pose additional risks compared to proprietary software

    Huh. Now to me, this is a clear sign that they hired a new web guy who happens to have experience with and a preference for Drupal. I don't think there's necessarily a political statement here.

    • Re:Clearly (Score:5, Insightful)

      by betterunixthanunix ( 980855 ) on Sunday October 25, 2009 @09:25AM (#29864423)
      The new guy does not get to just throw any random software into a government system with no oversight...
    • Re:Clearly (Score:4, Insightful)

      by A beautiful mind ( 821714 ) on Sunday October 25, 2009 @09:27AM (#29864437)

      Huh. Now to me, this is a clear sign that they hired a new web guy who happens to have experience with and a preference for Drupal. I don't think there's necessarily a political statement here.

      The top of the government and especially the president are HR people first and foremost. They don't do much personally, but act through the agents they select, rely on their judgement and trust them to condense issues of importance for them. Sure, they also get to make some decisions, but they decide based on the information fed to them and the decisions are broad, policy decisions in most cases.

      The point is, they didn't make a policy decision that "zomg, F/OSS ftw!", but they hired the guy who hired the guy who hired the guy who hired the web guy and the web guy seems competent enough to pick a F/OSS solution.

      • The point is, they didn't make a policy decision that "zomg, F/OSS ftw!"

        Sure, that's the way it works in theory. But how do you really know that a PHB looking to leverage some synergies didn't hand down this decision from on high? It's not like the private sector has a monopoly on incompetent management. (Yes, I know this applies equally well and probably moreso to "zomg $PROPRIETARY_SYSTEM ftw!" and even more likely to "zomg $SYSTEM_OWNED_BY_COMPANY_I_OWN_SHARES_IN ftw!")

  • PHP based? (Score:2, Funny)

    by Anonymous Coward

    I wish they used something Python based:

    def askPresidentQuestion(q):
            if president == "Bush":
                    misSpeak()
            elif president == "Obama":
                    pass

  • Just out of curiosity, what were they using before?
  • by yelvington ( 8169 ) on Sunday October 25, 2009 @10:05AM (#29864641) Homepage

    If some of the people who post here were as smart as they think they are, they'd figure out:

    * Whitehouse.gov is not running Drupal on a ten-dollar shared server at GoDaddy.com.
    * Building and maintaining a large, continuously updated website is not something you do in a weekend with Notepad, a giant bag of Cheetos, and a case of diet Coke.
    * Any Drupal project of this scale involves layers of extremely high-performance caching and multiple firewalls.
    * The site's administrative tools aren't available from the outside. (This is not difficult to implement.)
    * Life does not begin and end with your personal favorite programming language, database server, etc., or with the boundaries of your parents' basement.
    * Security reports are reports of vulnerabilities that have been fixed, not vulnerabilities that lie in wait to ambush your site. A properly run open-source project has a documented process [drupal.org] for handling security issues.

    I don't know any details of the site's technical architecture beyond the obvious, but it's blazingly fast. My bet is that when you hit the site, you're pulling completed pages out of RAM on a customized and hardened Varnish [varnish-cache.com], but that's just a guess. The HTTP headers identify the server technology as "White House."
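
Several comments in this thread (Kifoth's "dumb" caching front end with the Drupal server locked away, kamelkev's disabling of public logins, and the list in this comment) describe one architecture: anonymous pages served from a cache, the CMS's back-office paths unreachable from the public internet, and response headers that do not reveal the origin stack. The following is an added example of an edge policy implementing that split; it is not code from the page, from Drupal, or from whitehouse.gov. The back-office path list, the internal network ranges, the session cookie prefix and the header names are assumptions for illustration.

```python
"""Edge policy in front of a CMS (added illustration; not code from the page,
from Drupal, or from whitehouse.gov).

Per request, decide whether the edge denies it, passes it to the origin
uncached, or serves it from cache; and scrub origin-revealing response headers.
"""
import ipaddress
import posixpath
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Assumed management network: only these sources may reach back-office paths.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed back-office paths for a Drupal-style site; adapt to the real layout.
BACKOFFICE_PATH = re.compile(
    r"^/(user|admin|install\.php|update\.php|cron\.php|xmlrpc\.php)(/|$)",
    re.IGNORECASE,
)

# Assumed session cookie prefix (Drupal names its session cookie SESS<hash>).
SESSION_COOKIE_PREFIX = "SESS"

# Assumed examples of headers that reveal the origin software.
ORIGIN_REVEALING_HEADERS = {"server", "x-powered-by", "x-generator", "x-drupal-cache"}


@dataclass
class Request:
    client_ip: str
    path: str                      # request target, may include a query string
    cookies: dict = field(default_factory=dict)


@dataclass
class Decision:
    action: str                    # "deny", "pass" (origin, uncached) or "cache"
    reason: str
    forward_cookies: dict = field(default_factory=dict)  # cookies sent to origin


def normalize_path(target: str) -> str:
    """Strip the query, decode percent-encoding and collapse '.', '..' and '//'
    so a target like '/%41dmin//../admin/' is judged on what it resolves to."""
    path = unquote(target.split("?", 1)[0])
    return "/" + posixpath.normpath(path).lstrip("/")


def is_internal(ip: str) -> bool:
    """True if the client address lies in an internal network; a malformed
    address is treated as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETWORKS)


def decide(req: Request) -> Decision:
    path = normalize_path(req.path)
    if BACKOFFICE_PATH.match(path):
        if not is_internal(req.client_ip):
            return Decision("deny", f"back-office path {path} from outside the management network")
        return Decision("pass", f"back-office path {path} from internal network; never cached",
                        dict(req.cookies))
    if any(name.startswith(SESSION_COOKIE_PREFIX) for name in req.cookies):
        return Decision("pass", "session cookie present; serve from origin uncached",
                        dict(req.cookies))
    # Anonymous visitors get the cached page; dropping their cookies keeps the
    # cache key identical for everyone and keeps stray cookies off the origin.
    return Decision("cache", "anonymous request; serve from edge cache", {})


def sanitize_response_headers(headers: dict, server_name: str = "White House") -> dict:
    """Remove headers that identify the origin software and replace Server
    with a neutral value, as the thread notes the live site does."""
    cleaned = {k: v for k, v in headers.items() if k.lower() not in ORIGIN_REVEALING_HEADERS}
    cleaned["Server"] = server_name
    return cleaned


if __name__ == "__main__":
    # Constructed sample traffic (documentation addresses, not real clients).
    samples = [
        Request("203.0.113.5", "/user/login"),
        Request("203.0.113.5", "/%41dmin//../admin/content?destination=node"),
        Request("10.20.30.40", "/admin/content"),
        Request("203.0.113.5", "/issues/economy", {"SESSa1b2c3": "x", "has_js": "1"}),
        Request("203.0.113.5", "/issues/economy", {"has_js": "1"}),
        Request("not-an-ip", "/update.php"),
    ]
    for r in samples:
        d = decide(r)
        print(f"{r.client_ip:>12} {r.path:<45} -> {d.action:<5} ({d.reason})")
    print(sanitize_response_headers({"Server": "Apache", "X-Powered-By": "PHP",
                                     "Content-Type": "text/html"}))
```

The path is normalised before the back-office check so that percent-encoded or `..`-laden variants are judged by what they resolve to, and an unparseable client address is treated as external rather than internal. The cache decision keys only on the absence of a session cookie, which is what makes a "dumb" front cache safe to put in front of a CMS that still serves logged-in users.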

    • Building and maintaining a large, continuously updated website is not something you do in a weekend with Notepad, a giant bag of Cheetos, and a case of diet Coke.

      You must be new here!

    • Re: (Score:3, Informative)

      by Simetrical ( 1047518 )

      I don't know any details of the site's technical architecture beyond the obvious, but it's blazingly fast. My bet is that when you hit the site, you're pulling completed pages out of RAM on a customized and hardened Varnish [varnish-cache.com], but that's just a guess. The HTTP headers identify the server technology as "White House."

      I don't know where you came up with Varnish . . . there are lots of ways to get performance that's just as snappy. A CDN is a good start. And it's pretty easy to tell that that's exactly what's being used here:

      $ dig +short www.whitehouse.gov
      www.whitehouse.gov.edgekey.net.
      e2561.g.akamaiedge.net.
      96.16.18.135

      They're using Akamai for most of their content, it seems. I get 35ms ping to www.whitehouse.gov from machines in New York, Denver, Holland, and Washington (the state). My Washington machine get

  • Hopefully this will drive a push to utilize open source in other aspects of government. Specifically secondary education. School districts across the country are locked in symbiotic dependency to profit driven computing / IT services and systems. Linux offers a robust full service option but gets NO (very little) attention from the department of education. DOE, Please support those of us who are trying to save money with open source in the schools!
  • I'd like to know what commercial CMS the white house dropped... Tridion, Interwoven, Fatwire, Windows Notepad? It's kind of weird that's not being mentioned.
  • Dries Buytaert reflected on this, adding: 'this is a clear sign that governments realize that Open Source does not pose additional risks compared to proprietary software, and furthermore, that by moving away from proprietary software, they are not being locked into a particular technology, and that they can benefit from the innovation that is the result of thousands of developers collaborating on Drupal.'"

    Or, more likely, the PHB in charge is running with Drupal because it's popular and CMS's are

  • This is Awesome, now all the Drupal vulnerabilities will be highlighted on a daily basis!

    I like Drupal, but security isn't really their strong point, nor is proper testing of their modules.

    Oh well.

  • Do any of you have a recommendation on what to use instead? Preferably PHP-based, so it has a realistic shot of being supported on most hosting plans?

    • by James Carnley ( 789899 ) on Sunday October 25, 2009 @03:46PM (#29867003) Homepage

      Actually most people have been praising Drupal for its excellent security. You aren't going to find a CMS with a much better track record than Drupal.

      What they were mainly saying is that Drupal is extremely popular with lots of people looking to exploit it, so it might theoretically be a high risk. A less well known CMS would not have many people looking (well, that would definitely change overnight if whitehouse.gov chose it :) and is therefore a lower risk, but also has tons of exploits not found yet.

      Stick with Drupal if you want a tested, secure, and reliable CMS.

  • Yes, whitehouse.gov is a very attacked site, for all sorts of reasons, and I bet it will be the very first place to try out any new Drupal vulnerability, and at least one of those will succeed sometime in the next couple of years.

    But, um...who cares if it does? It's not a mission critical web site. It's stupid fluff pieces about the president and his initiatives. If something goes wrong it gets flipped offline, restored from backup, patched, and brought back online.

    It's interesting to see the government try OSS, and that might be an interesting discussion, but way too many people(1) here instantly leapt to the non-existent security implications, acting like important government computers were going to be exposed via any security issues in Drupal.

    1) And half the remaining people appear to be morons talking about how CMS are useless. They haven't realized that stating 'people don't need CMSes' doesn't, like they think, show that they're some elite HTML coder, it just reveals them as someone who's never been hired to make a web site for someone else who then can add and remove content.
