Open Source
Open Source Software Considerations for Law Enforcement
Mun-Wai Hon, Greg Russell, and Michael Welch, Noblis
Can law enforcement agencies leverage open source to benefit the communities they serve? In some areas, recommending open source solutions is easy. In others, the arguments for open source solutions are less clear.
Faced with little funding and aging technology components, some law enforcement practitioners have turned to using open source software as a cost-effective solution for meeting their technology needs. Small- and medium-sized agencies often lack technical resources, yet their need for IT tools continues to grow. Supported by nationwide survey results and published references, this article provides a set of considerations for evaluating the implementation of open source software for state and local law enforcement agencies. We also report on four agencies that have experience with open source software.
Considering Open Source
As part of a National Institute of Justice research effort, we developed the following list of general benefits, based on reviewing literature on open source software [1–3]. To see whether the benefits extended to law enforcement agencies, we conducted a nationwide survey of 300 agencies to see if they were using open source software [4]. We found that although the survey responses support some of the benefits listed in the literature—benefits similar to those experienced by commercial firms [5]—they also present some noteworthy concerns and raise interesting questions.
Benefits
The benefits of open source software, which are not law enforcement specific, include system interoperability, source code visibility, and a low initial acquisition cost [1–3].
System Interoperability. Open source software lets law enforcement agencies employ a wealth of freely available database, utility, and software development tools that are based on open standards such as structured query language (SQL) and Java. The flexibility to evolve and extend applications without a vendor lock-in also drives open source software adoption [6]. Database compatibility issues can be a major source of problems when considering the shift to an open source database. While many applications have the ability to transfer data via an open database connectivity (ODBC)-compliant protocol (or something similar), other applications have their data essentially “locked” in a proprietary code. These proprietary databases might be accessible with the assistance of a vendor, or the data could be unavailable for use outside of the application that references it.
Visibility into Software Code. Unlike proprietary software, when using open source software, an agency can examine the code to ensure that no backdoor functions or security risks exist, thus preventing unauthorized access to sensitive information. Although open source advocates often cite the ability to see into the open source code and functions as a benefit [7], few state and local agencies have the staff resources with the technical depth to perform such a detailed review.
Low Initial Acquisition Cost. Products cited by the surveyed agencies incur a low acquisition cost relative to commercial, closed source products in the same category. According to Gartner, the lower-costing open source software would let contractors and other agency service providers reduce the cost of their services accordingly [8].
Agencies use office-productivity software daily for everything from generating case reports to creating community awareness flyers. Using an office-productivity software suite as a hypothetical scenario, Table 1 depicts the initial acquisition cost for Open Office, IBM Symphony, KOffice, and Microsoft Office. Although the products vary in functionality, Open Office has been cited as the “default” open source substitute for Microsoft Office [9].
Survey Responses
As Figure 1a shows, in our nationwide survey, “lower costs” was the top reason for using open source (38 percent). However, another 28 percent had “no response.” So, although open source offers system interoperability and visibility into software code, law enforcement agencies with smaller IT staffs have a harder time exploiting these benefits. This suggests that agencies need to be better educated about how to exploit the benefits of open source software.
In fact, the agencies’ top concerns were about the cultural change, lack of technical support, and lack of training (see Figure 1b).
Microsoft-Accustomed Users. Computer users are less familiar with open source software than with the commercial—often Microsoft-based—equivalents. In open source software, the commands and pull-down menus are often in different locations and use different terminology. So it’s not surprising that 26 percent of our survey respondents listed being more accustomed to Microsoft as a reason not to use open source software.

Table 1. Initial acquisition costs for office-productivity software suites.

| Product | Basic-package acquisition cost |
| --- | --- |
| Open Office | Free download (www.openoffice.org) |
| IBM Symphony | Free download (http://symphony.lotus.com) |
| KOffice | Free download (www.koffice.org) |
| Microsoft Office 2007 Standard | US$312 on Amazon.com (as of Sept. 2010) |

Figure 1. Survey responses: (a) reasons to use open source software and (b) concerns about its use. Categories charted in (a): lower costs; less reliance on a single platform vendor; open source applications replace legacy software; re-use of legacy hardware; no response. Categories charted in (b): Microsoft-accustomed users; lack of technical support; lack of training; lack of OS applications; lack of patches, updates, and documentation; high life-cycle costs.
Lack of Technical Support. Users want someone accountable for the software they use. It’s important to them to be able to call the software vendor for help when needed. They do not want to have to rely on a community of developers to help resolve any issues. Although major packages like Red Hat Linux have support options, agencies have found fewer experienced staff for patching and maintaining open source software. Thus, 21 percent of respondents were concerned about the lack of technical support.
Lack of Training. Eighteen percent of respondents listed “lack of training” as a reason not to adopt open source software. Given the extensive installation of Microsoft-based products in the world, finding training courses and materials for Microsoft-based software development tools and products is easier than finding similar training courses on open source software development tools. Computer training companies that offer training on open source software often offer fewer sections versus classes on Microsoft products. For example, the ratio is 10 to 1 at Learning Tree International (see www.learningtree.com).
Additional Concerns. Few open source law-enforcement-specific applications exist, so for a given product type, there’s only one supporting application—if any at all.
Sourceforge currently has only two projects that have reached the download maturity level: Tickets and Capsit. Tickets is a computer-aided dispatch (CAD) package that incorporates Google Maps for tracking units sent to respond to an incident. Capsit is a Web-based CAD that’s shared by a consortium of agencies in a geographic area. However, 16 percent of respondents listed a lack of applications as a concern, and 12 percent were concerned about the lack of patches, updates, and documentation.
Also, although the acquisition cost is low, seven percent of the early-adopting agencies indicated concerns about the high lifecycle cost for maintaining their open source implementations. Furthermore, while Figure 1a illustrates the perception that some legacy machines can support open source software, the GUIs that end users favor typically require the processing capabilities, speed, and storage capacities of current hardware.
Finally, early adopters of Linux desktop systems and open source platforms have cited a lower return on investment compared to upgrading and maintaining a Microsoft infrastructure [10]. Although few in our survey cited this as a concern, it’s important to note that when agencies switch to using open source office-productivity suites, they can no longer leverage their investment in Microsoft macro-enabled spreadsheets and report templates because of functional incompatibilities.
Agencies Using Open Source Software
Looking to leverage open source benefits, several agencies are currently using open source software for law enforcement business functions. We studied such agencies and found that each location offers different perspectives and evolution paths toward using open source software.
Garden Grove, California
Garden Grove’s city administrators have been using open-source-based solutions for more than 11 years. They have their own development staff, which has produced at least five applications and employs open source development tools and software packages.
Under the direction of Charles Kalil, Garden Grove’s IT department realized early on that its users’ needs would quickly outpace the applications that the city could purchase with its limited funding. Kalil began experimenting with open source software for storing and managing data while maintaining a Windows-based workstation for users. For Garden Grove, the open source software fits into niche areas such as mapping, network monitoring tools, and Web browsers. Table 2 lists some of the open source workstation applications Garden Grove uses.
Although the open source software on workstations provides some benefit to users (city employees), open source on the back end for the city databases, system-to-system links, and police records management system has had a larger impact.
Garden Grove uses the PostgreSQL open source database. It uses the standard tool set that comes free with the software—it does not use any of the added features. Currently, about 60 percent of the police applications are running off of the PostgreSQL database. The police department has its own PostgreSQL database in City Hall, separate from other equipment, for security reasons.
Largo, Florida
City employees in Largo, Florida use Linux as their default operating system and OpenOffice 2.0 as their integrated office suite (see Table 3), although they still use Microsoft PowerPoint for presentations. The city plans to switch from PowerPoint to an open source presentation application in the near future.
Keeping with the belief that the city should use the “best of breed” for a particular application, Largo uses a blend of open and closed source software. In the case of the city’s email system, an open source email application (Novell Evolution) is combined with Novell’s proprietary GroupWise 7 to provide calendaring functions.
The GroupWise database and no Web interface served their needs better. Largo’s database envi-ronment is mixed as well, running Oracle 9i on Linux along with MySQL and MyProgress.
Pennsylvania State Police Computer Forensics Task Force
The Pennsylvania State Police (PASP) forensics task force has used open source software to support the Computer Crime Unit. The task force augments its commercial software with open source both for cost and flexibility (see Table 4).
Open source computer forensics tools let investigators examine seized computers without altering the data contained on the hard drive. Most seized computers use Microsoft Windows, which the open source tools do not need to activate to search through the files for key terms, photographic images, and Internet chat transcripts. Thus, the open source tools let investigators find possible evidence without contaminating or altering the seized computer’s state.

Table 2. Open source applications used in Garden Grove.

| Software | URL | Description |
| --- | --- | --- |
| MapServer | http://mapserver.gis.umn.edu | An open source development environment for building spatially enabled Internet applications; renders spatial data (maps, images, and vector data) for the Web (but isn’t a full-featured GIS). |
| MapGuide Open Source | https://mapguide.osgeo.org | A Web-based platform that lets users quickly develop and deploy Web-mapping applications and geospatial Web services. |
| Big Sister | http://bigsister.sourceforge.net | An open source monitoring tool used to monitor Linux systems, indicating database usage and server load (among other things). |
| Firefox | www.mozilla.com | An award-winning Web browser (planned for future use in Garden Grove). |
| Samba | http://us3.samba.org/samba | A suite that provides file and print services to Server Message Block (SMB) clients, including the numerous versions of Microsoft Windows operating systems. |
| PostgreSQL | www.postgresql.org | An open source database. |

Table 3. Open source applications used in Largo.

| Software | URL | Description |
| --- | --- | --- |
| OpenOffice 2.0 | www.openoffice.org | A multiplatform and multilingual office suite that’s free to download, use, and distribute and is compatible with all other major office suites |
| Tomboy | www.gnome.org/projects/tomboy | A desktop note-taking application for Linux and Unix |
| Firefox | www.mozilla.com | An award-winning Web browser |
| MySQL | www.mysql.com | An open source database |
| GIMP | www.gimp.org | The GNU Image Manipulation Program |
| GTK | www.gtk.org | A multiplatform toolkit for creating GUIs |
| Gaim/Pidgin | www.pidgin.im | A multiprotocol instant messaging (IM) client (renamed Pidgin in April 2007) |

For more information on open source computer forensics and utility applications, see the sidebar.
Open Source Software Institute, Mississippi
Funded by a US Department of Defense grant, the open source Jail Management System (JMS) was developed as part of the Mississippi Automated System Project through the University of Southern Mississippi. Up to 18 agencies in Texas and Mississippi have installed or are evaluating the open source JMS against local and state requirements.
According to John Weathersby, executive director of the Open Source Software Institute (OSSI), the Gulf coast region needed a new JMS but lacked the funds for procuring vendor solutions (which often cost $1 million or more). OSSI worked with the University of Southern Mississippi and local software development contractors to create a system for roughly $350,000. Mississippi’s Forrest, Harrison, Hancock, and Jackson counties all have agencies with operational open source JMS installations. The open source JMS operates off a central network via a Web browser interface that lets installed sites share selected corrections records, which might include prisoner classification and medical histories as well as information about a prisoner’s scars, marks, or tattoos.
Open source has begun making inroads in many market segments and thus can no longer be seen as a “second-class” computing format—not with IBM, Novell, Sun, and others participating in its creation, distribution, and support. Hardware vendors have been in the open source market for some time, including IBM since 1998 and HP since at least 1999. Dell also recently agreed—after input from its user community—to consider expanding the sales, service, and support of computers with open source operating systems [11].
How can law enforcement leverage this success to benefit the communities they serve? In some areas, recommending open source solutions is easy and straightforward. In other cases, the arguments for open source solutions are less clear. The current state of open source computing as related to law enforcement is a mixed bag. It competently addresses many common law enforcement needs but insufficiently addresses other needs—or fails to address them at all.
As with any technology, proper use of open source software can help law enforcement expand the IT capabilities available to the officer on the street. Agencies with limited funding or size can apply specific niche open source software packages. Converting to open source offers the rare opportunity to review operational processes from the ground up. Regardless of the extent of implementation, open source software provides an opportunity to excise outdated methods and replace them with more streamlined procedures appropriate for today’s needs, which in turn yields a more efficient and effective law enforcement agency.

Table 4. Open source applications used by the Pennsylvania State Police (PASP) forensics task force.

| Software | URL | Description |
| --- | --- | --- |
| ClusterKnoppix and Chaos | http://clusterknoppix.sw.be and http://midnightcode.org/projects/chaos | Lets PASP set up numerous computers in a distributive network and is useful for cracking passwords |
| Curator | http://furius.ca/curator | Written in Python, it compiles photographs, creates image thumbnails, and creates a directory; also allows multiple image layouts and runs from a CD |
| NIST Biometric Image Software (NBIS) | www.nist.gov/itl/iad/ig/nbis.cfm | A Linux-based collection of general-purpose utilities to support fingerprint image processing |
| Xchat | www.xchat.org | An Internet relay chat application |

Computer Forensics and Utility Applications
Many agencies use proprietary software to conduct computer forensics investigations such as EnCase from Guidance Software. However, innovative investigators have created open source software programs that offer similar file and folder analytical functionality, such as Autopsy (www.sleuthkit.org) and the Penguin Sleuth Kit (http://penguinsleuth.org). Both packages let investigators unobtrusively monitor the functions on a suspect machine for establishing timelines, recovering deleted files, and searching through volumes of electronic records.
To supplement the software’s imaging, searching, and write-blocking forensic functions, utilities such as Strip Snoop allow credit card fraud investigators to view the contents on magnetic cards while Curator enables crime scene image management without the expense of purchasing proprietary software.
References
1. M. Fink, The Business and Economics of Linux and Open Source, Prentice Hall, 2002.
2. D. Woods and G. Guliani, Open Source for the Enterprise, O’Reilly Media, 2005.
3. B. Golden, Succeeding with Open Source, Addison-Wesley Professional, 2004.
4. M.-W. Hon, G.A. Russell, and M.J. Welch, Open-Source Software Use in Law Enforcement, tech. report NTR-2007-024, Noblis, 2007; www.noblis.org/MissionAreas/nsi/ThoughtLeadership/CriminalJustice_PublicSafety/Documents/OS_2007_Report_FINAL.pdf.
5. M. Goulde, M. Speyer, and J. Stone, Open Source Becoming Mission-Critical in North America and Europe, Forrester Reports, 11 Sept. 2006.
6. A. Di Maio and R.G. Harris, Open Source and Shared Services for Applications: Two Sides of the Same Coin?, Gartner, 25 July 2006.
7. S. Forge, “The Rain Forest and the Rock Garden: The Economic Impacts of Open Source Software,” J. Policy, Regulation, and Strategy for Telecommunications, Information, and Media, vol. 8, no. 3, 2006, pp. 12–31.
8. A. Di Maio, Explaining the Public Value of Open Source, report G00142077, Gartner, 31 July 2006.
9. S. Yegulalp, “Review: Open-Source Office Suites Compared,” Information Week, 10 Apr. 2009.
10. M.A. Silver, Return on Investment for Linux Desktop Migration Improves, but Not Enough for Most Users, Gartner, 24 June 2005.
11. E.M. Rusli, “Dell Looks Into Linux,” Forbes.com, 7 Mar. 2007; www.forbes.com/markets/2007/03/07/dell-linux-update-markets-equity-cx_er_0307markets52.html.
Mun-Wai Hon is a principal at Noblis. His research interests include computer forensics and clinical trial data management. Hon received his MS in engineering management from George Washington University. He’s a member of the International Information Systems Security Certification Consortium (ICS2) and of SANS. Contact him at mun-wai.hon@noblis.org.
Greg Russell is a principal at Noblis. His research interests include data analysis and database design. Russell received his MS in computer science, with a systems engineering emphasis, from George Washington University. Contact him at [email protected].
Michael Welch is a senior staff member in Noblis’ Center for National Security and Intelligence and he recently completed a program of study in physiology and neurobiology at the University of Maryland. His research interests include the human-machine interface, personal privacy issues, and maximizing the cost/benefit ratio when implementing technological improvements within emergency service organizations. Contact him at [email protected].