News

Microsoft Fixes Critical 19-Year-Old SChannel Bug, But No Patch For XP provided by Mark Bohannon

Originally posted on http://www.darkreading.com.  No patch for unsupported XP, even though some say the “Winshock” bug in Windows’ SSL/TLS installation is worse than Heartbleed.

Microsoft has patched a critical 19-year-old data manipulation vulnerability that’s been lurking in every version of Windows — both server and client operating systems — since Windows 95 (MS14-066). Windows has not released a patch for the now unsupported Windows XP.

This critical bug in Windows SChannel, Microsoft’s implementation of SSL/TLS, is remotely executable and could be used to run malicious code on vulnerable systems by sending specially crafted packets to a Windows server. It has been rated a 9.3 on the CVSS scale. The vulnerability, called “Winshock” by some, is next on the list of bugs exposing SSL/TLS installations — like OpenSSL’s Heartbleed (for which Microsoft did release an XP patch after support officially ended) and the vulnerability in Apple Secure Transport released in the spring.

“Is WinShock as bad as ShellShock and Heartbleed?” asks Gavin Millard, EMEA technical director at Tenable Network Security. “At the moment, due to the lack of details and proof of concept code it’s hard to say, but a remote code execution vulnerability affecting all versions of Windows server on a common component like SChannel is up there with the worst of them.”

So far, no exploits of Winshock have been reported in the wild.

Winshock was discovered and privately disclosed by researchers at IBM X-Force in May. As Robert Freeman, manager of IBM X-Force Research, explained in a blog post:

This complex vulnerability is a rare, “unicorn-like” bug found in code that [Internet Explorer] relies on but doesn’t necessarily belong to. The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user’s machine — even sidestepping the Enhanced Protected Mode (EPM) sandbox in IE 11 as well as the highly regarded Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool Microsoft offers for free.

Freeman acknowledges that exploitation is “tricky.” He describes how the vulnerability, which originates in “some very old code within the OleAut32 library,” can be exploited remotely via the Visual Basic Script present in all versions of Internet Explorer since IE 3.0.

This bug is significant, he says, because it shows that critical vulnerabilities can be overlooked for nearly 20 years. “It indicates that there may be other bugs still to be discovered that relate more to arbitrary data manipulation than more conventional vulnerabilities such as buffer overflows and use-after-free issues.”

Bromium Labs security researcher Jared DeMott tells us:

One of the interesting bits in this story is that Microsoft is not really saying exactly how bad this bug is for the client. The vulnerability bulletin provided calls out servers as the potential victims, but the SSL/TLS stack is used every time your browser connects to a secure website, which most are these days. And it would be straightforward for an attacker with details of this vulnerability to host a malicious site that offers “security” via the bogus SSL/TLS packets. Could a malicious website exploit IE with this bug? Until someone reverse engineers the patch, we’ll have to wait to hear about how bad it is.

Millard says that “no proof of concept code has surfaced yet, due to Microsoft thankfully being tightlipped on the exact details of the vulnerability.” Nevertheless, “it won’t be long until one does which could be disastrous for any admin that hasn’t updated. It is of critical importance that all versions of Windows are updated due to the ability of attackers to execute code on the server remotely, allowing them to gain privileged access to the network and lead to further exploitation such as infect hosts with malware or rootkits and the exfiltration of sensitive data.”

Joe Barrett, senior security consultant of Foreground Security says that Winshock “will most likely be the first true ‘forever-day’ vulnerability for Windows NT, Windows 2000, and Windows XP. As Microsoft has ceased all support and publicly stated they will no longer release security patches, enterprises who still have Windows 2000 and Windows XP machines will find themselves in the uncomfortable situation of having an exploitable-but-unpatchable system on their network. Security researchers and blackhats alike are most likely racing to get the first workable exploit against this vulnerability, and the bad guys will begin immediately using it to compromise as much as they can. As a result, enterprises need to immediately deploy the patch to every system they can and also begin isolating and removing the unpatchable systems to prevent serious compromise of their networks.”

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

U.S. Digital Services and Playbook: “Default to Open” by Mark Bohannon


Originally posted on opensource.com.

About this time last year, I laid out some trends I saw for the coming year in government take up of open source software. Looking back now, it appears those trends are not only here to stay, they are accelerating and are more important than ever.

In particular, I wrote that “open source will continue to be the ‘go to’ approach for governments around the world” and that “increasingly, governments are wrestling with the ‘how tos’ of open source choices; not whether to use it.”

Recent developments in the United States highlight these points.

First, the White House (via OMB and the Federal CIO) has issued a Digital Services Playbook, described in some quarters as “something of a marvel for an official government policy: it’s elegantly designed, has clear navigation, and is responsive to any device you choose to view it upon.” It is well worth a read.

At its core, the Playbook is about more agile use of reusable software and processes that focus on the customer. Central to that approach is its emphasis on open source. The final ‘play’ in the Playbook captures the notion of ‘Default to Open’. Play 8 encourages agencies to ‘Choose a Modern Technology Stack’. “In particular, digital services teams should consider using open source, cloud based, and commodity solutions across the technology stack, as these solutions have seen widespread adoption and support by the most successful private-sector consumer and enterprise software technology companies.” It clearly states, “Consider open source software solutions at all layers of the stack.”

Of course, none of this is entirely new. One can find echoes of all these points in earlier Administration policy statements. For example, its ‘Shared Services’ strategy clearly calls for use of open standards in data and information exchange and states clearly the technology principle that “open-source software solutions should be included in alternatives analyses.” (If there is one concern I have with the Digital Services Playbook, it is that there is an ‘old school’ statement that “open source solutions are [to be] evaluated alongside commercial solutions when technology choices are made,” a throwback to the days when there was confusion on this front. In fact, the US government has long recognized that open source software is, in fact, commercial software.)

The Digital Services Playbook bears a strong resemblance to the principles driving the United Kingdom’s (UK) Government Digital Service (GDS), announced in 2013. As Mike Bracken, the head of the UK’s GDS, said in an interview, “The principles by which we work are nothing more than applied common sense in the Internet age. If they make sense, use them: they’re for everybody.” The same can be said for the US government’s Playbook.

Second, the Administration also announced two other initiatives this summer. One was the creation of 18F, which will be housed at the US General Services Agency (GSA). Also known as “Digital Services Delivery,” 18F is a self-described ‘open source team’ that encompasses the Presidential Innovation Fellows and an “in house digital delivery team.” 18F has published a policy which clearly states as its mantra to:

  • Use Free and Open Source Software (FOSS) in our projects and to contribute back to the open source community
  • Create an environment where any project can be developed in the open
  • Publish all source code created or modified by 18F publicly

And, on August 11, the White House announced a new U.S. Digital Service, which it described as “a small team made up of our country’s brightest digital talent that will work with agencies to remove barriers to exceptional service delivery and help remake the digital experience that people and businesses have with their government.” It is the Administration’s intention that the two groups “will collaborate closely.” The U.S. Digital Service will, as far as I can tell, be the proverbial shepherd herding the cats.

My colleague, Gunnar Hellekson, Red Hat’s North American Public Sector Chief Technology Strategist, has posted a thoughtful blog: U.S. Digital Service is Born. It is well worth a read, as it highlights both the challenges and opportunities facing these recent initiatives. As he says, “the questions of talent, agency appetite for change, procurement reform, and the bureaucratic home are all implementation details.” Yes, it’s about the how of open source software (and IT reform generally); it’s not about the whether.

These initiatives, particularly 18F and the U.S. Digital Services, are just getting started. By any measure they are works in progress. While there are some lessons from the UK experience to draw on, as one report indicates, “unlike the United Kingdom’s Digital Government Service, the United States has not created a singular new entity with a large budget and spending authority. Nor has it hired dozens and dozens of top technologists at high pay grades who then set about building core digital services for the country, although 18F merits comparison. Instead, the USDS will work with federal agencies as they create or upgrade services and products.”

The question for the US, however, is not merely staff size or budget, per se. Rather, it is assessing the ‘gap’ or problem where it can make a difference. And making sure that the lessons from prior US government efforts to develop open source software are not lost.

As I laid out in my post last year, I assessed government’s growing use of open source software and observed, “If government IT professionals rely solely on ad hoc rules or seat-of-the pants judgment, this exposes government agencies to significant risk that is not, at present, properly documented or understood.” I identified at least three areas where the ‘how to’ of open source needs to be considered:

  • There are distinct risks associated with choosing a freebie/insourced model for use of open source software. In particular, community/freebie projects or insourced projects are likely to lack key security certifications, regular updates, support from third-party vendors, and interoperability with your critical applications.
  • Relying on freebie/insourced open source software effectively means a strategy of relying on internal support for critical mission which is unknown territory and potentially expensive, given the difficulty of obtaining and retaining qualified IT and management personnel.
  • We could see a repeat of the failures and long-term costs associated with ‘government-off-the-shelf’ (GOTS) solutions. Although the projects may be, technically, commercial items as generally understood by governments, they present the same risks and economic liabilities as government-off-the-shelf software.

In my interview with David A. Wheeler, the long-time recognized leader in advising and working with the US government on issues related to open source software, he elaborated on the last point. “Project forking is still a big problem. … Government employees who are officially managing the project may be smart in general, but they often know little about software. Obviously, managers who don’t understand what they’re managing are often easily fooled. For example, government managers often don’t realize that most software costs are in maintenance and typically do not understand that maintenance costs can be greatly reduced (through sharing) if changes are released back to a larger community. … Part of the problem is that in most agencies, the easy thing to do is to create project-special forks, even though it is almost always the highest-cost and highest-risk approach for maintenance.”

As one step to mitigate that risk, Wheeler pointed to the open source software policy created by the Consumer Financial Protection Bureau (CFPB). In the CFPB approach, software developed using government funds must be released as open source software unless a special waiver is granted.

To its credit, 18F has built on that example and established as a key operating principle that it will publish all source code created or modified by 18F publicly. And the Digital Services Playbook, in its ‘Default to Open’ play, suggests that agencies, “when appropriate, publish source code of projects or components online… and share your development process and progress publicly.”

Notably, this key Play advises agencies to “ensure that we maintain the rights to all data developed by third parties in such a manner that is releasable and reusable at no cost to the public… [and] that we maintain contractual rights to all custom software developed by third parties in such a manner that is publishable and reusable at no cost.”

In the end, 18F and the U.S. Digital Service will be successful if they set an example and show leadership with US agencies on the ‘how to’ of open source software. They need to focus on instilling best practices across government as they work to implement this key tenet of IT reform, centered on agility, reusability, and default to open.

This measurement of achievement may be as, if not more, important than any specific application or tool that emerges from their efforts.

Doubling down on government technology by Luke Fretwell


Originally posted on govfresh.com.

We’ve recently seen an uptick in venture capital interest around government and civic technology startups, but before we enthusiastically celebrate these investments, we must ask ourselves whether this potential bubble will truly reshape government IT or simply leave us five years from now in the same place we are today.

During the Code for America Summit in September, Govtech Fund’s Ron Bouganim and Code for America Director of Products & Startups Lane Becker had a great “Emerging Startup Ecosystem” discussion about the difference between civic and government technology, and the latter’s focus on solving inherent bureaucratic problems.

Bouganim’s closing comments have stuck with me since watching the interview, and they’re important for us all to think about as we commit to building technology solutions, whether it’s for internal government operations or public-facing citizen engagement applications:

“It is tough because it’s early. Clearly everybody in this room is transformers. These are the folks … that are at the front of this, so it’s tough, because you often at times feel alone, but I think there’s a growing community, and it’s only going to get better. So, I guess my fundamental advice is that if you’re really passionate about this space, and you really identify a big problem, you have to kind of double down on being an entrepreneur. It’s hard enough being an entrepreneur and, in an emerging space like gov tech, you have to double down on that, and I would just encourage you to stick with it.”

Announced in September, Govtech Fund will invest $23 million into government-focused technology ventures. Recently, Y Combinator also expressed an interest in the industry when it issued a request for startups that included those focused on the public sector. Andreessen Horowitz has already invested $15 million in OpenGov, focused on bringing visualizations to government budgets. Other startups such as Socrata and MindMixer have also received multi-million dollar infusions to build the future of public sector IT.

Given the consistent inability for government projects to deliver on time or on budget, especially in the light of recent, major IT failures, we’ve collectively identified the problem. While much of this is due to culture, bureaucratic procurement processes and waterfall project management practices, the fundamental issue with failed government IT is that it is built on proprietary solutions.

Because of this, not only do we not have access to code, more importantly, we lose an opportunity to create an ecosystem of community and collaboration that sustains itself. To put it in context of the latest civic meme, today’s government technology is built for, not with.

The early trend we’re seeing in government technology venture investments is that the focus is still on the proprietary. While this will have incremental benefits and provide short-term excitement with each new launch, they don’t address the bigger issue every government faces in harnessing control over their IT systems.

They’re locked down and locked in.

The argument you often hear when discussing open source with proprietary government technology startup entrepreneurs is that businesses need some form of competitive advantage to build a product and develop a customer base with enough runway to sustain itself longer term. While this makes sense in a commercial market, it addresses the needs not of government, but that of the entrepreneur. The technology may provide a cutting-edge, cloud-based, big data, mobile or social solution worthy of a press release or mention in the trades, but what is it doing to really change the IT conundrum we can’t seem to procure our way out of?

This isn’t to say these new technologies don’t have merit or their builders don’t have good intentions. Indeed, some do; however, there’s a classic innovation wall proprietary government IT software hits when it has reached a certain level of customer acquisition and no longer needs to compete. Oakland’s recent insistence that Granicus open up its application programming interface is exhibit A on what happens when a vendor corners a government market: technology stagnation trumps innovation. Without open systems or modularity, government is safely locked in.

We frequently hear the vending machine analogy applied to government. Today, the vending machine is the proprietary vendor machine, and government is the one doing the shaking.

If we’re going to double down and truly build a civic operating system anyone can plug into, and be proud of, we must invest in a strategy that sustains beyond one software solution.

We need to double down on a philosophical approach to government technology.

There’s not an overnight solution and the problem won’t be solved tomorrow, but if you’re really in this business to transform government, whether you’re an entrepreneur or investor, it’s time to double down on open.

Government can, literally, no longer afford to operate business as usual when it comes to technology. If ‘Vendor 2.0’ is simply a new class of fresh faces operating no differently than its predecessor, let’s prepare our kids for disappointment.

You’re either investing in or building tomorrow’s problem today, or you’re co-creating the future of government.

The latter might be a longer, lonelier road, but we have to stick with it because, as Bouganim says, it’s only going to get better.

Let’s double down.

What’s Ahead for Open Source in Government?


(originally published at opensource.com.  Republished with permission.  http://opensource.com/government/13/9/trends-open-source-government-2013)

It’s a relatively quiet time for most governments around the world right now. Typically, during this time there are few new initiatives, policies, or announcements related to open source.

So, it’s a good time to consider the trends of the first half of the year and ponder what the remainder of this calendar year holds.

Here are a few that come to mind.

Open Source will continue to be the ‘go to’ approach for governments around the world facing budget constraints amid growing demand for innovative services and citizen engagement.

I speak regularly about the trends in government open source and one of my consistent themes is that the ‘wind is behind’ the take up of open source for government missions.

More than 40 governments, by my conservative count, have policies that create a positive environment for open source use.

These policies are important to level the playing field: on the one hand highlighting the benefits of open source to governments (saying ‘it’s ok to use it’) as well as providing meaningful answers to commonly asked questions by government IT professionals.

The more potent driver toward open source software utilization, I’ve come to realize in recent years, is the fundamental shift in IT architecture, away from coupled hardware, software, and data to more modularity, reuse, and a central focus on interoperability—all of which is enhanced by tighter government IT budgets and the goal of avoiding vendor lock-in.

More recently, open source use has grown with the rise of high profile ‘digital agendas’. As a means of enhancing civic engagement, governments are using community-powered innovation to build open data and digital services platforms that are almost entirely built on open software and applications. We may truly be on the verge of the ‘citizen CIO’.

Increasingly, governments are wrestling with the ‘how tos’ of open source choices; not ‘whether’ to use it.

As broader acceptance of open source grows, governments are seeking to understand how to grasp the broad array of open source offerings that are available.

Their challenge has grown as governments move beyond use of open source in traditional server environments. Today, the cloud, big data, and mobile—which are heavily enabled by open source—are driving IT strategies. They make the question of How? especially acute: How do I take advantage of all this innovation, while still ensuring long-term reliability and consistency with my procurement goals?

To start, it’s important to understand the differences. There are OSS products which have commercial support from firms with proven track records of service and integrity. There are also “insourced” projects where agencies share software with each other, but not with the private sector. Finally, some agencies download community (also known as “freebie”) projects without any commercial support.

If government IT professionals rely solely on ad hoc rules or seat-of-the pants judgement, this exposes government agencies to significant risk that is not, at present, properly documented or understood:

  • There are distinct risks associated with choosing a “freebie/insourced” model for use of open source software. In particular, community/freebie projects or “insourced” projects are likely to lack key security certifications, regular updates, support from third-party vendors, and interoperability with your critical applications.
  • Relying on ‘freebie/insourced’ open source software effectively means a strategy of relying on internal support for critical mission which is unknown territory and potentially expensive, given the difficulty of obtaining and retaining qualified IT and management personnel.
  • We could see a repeat of the failures and long-term costs associated with ‘government-off-the-shelf’ (GOTS) solutions. Although the projects may be, technically, commercial items as generally understood by governments, they present the same risks and economic liabilities as government-off-the-shelf software.

On-going policy discussions will continue about ensuring an ‘open’ cloud.

In a recent opensource.com post, long-time open source advocate Georg Greve writes of the ‘storm triggered in the cloud’ by recent disclosures of access by intelligence agencies (US and others).

The challenge for open source software advocates is to continue to press for ‘openness’ in the infrastructure and implementation of open source, even as the critical issues of access to information are sorted through.

It won’t be easy. Even prior to these disclosures, it was becoming clear that government initiatives on the cloud were testing the community’s ability to maintain ‘openness’ in implementation of those strategies, even where there were long-standing public commitments to open source and open standards. Some have even spoken of the prospect of a forthcoming ‘cloud war’ between Europe and the US, which would undermine even basic efforts to promote open source cloud offerings globally.

That’s my quick take at the rest of 2013. What are your thoughts?

22 Years Ago Torvalds Sent the Email That Started Linux


What started as an idea for an interesting project 22 years ago was kicked off by a single email from Linus Torvalds – https://www.linux.com/news/software/linux-kernel/734956-linuss-famous-email

To: Newsgroups: comp.os.minix
Subject: What would you like to see most in minix?
Summary: small poll for my new operating system
Message-ID:

Hello everybody out there using minix — I’m doing a (free) operating system (just a hobby, won’t be big and professional like gnu) for 386 (486) AT clones. This has been brewing since april, and is starting to get ready. I’d like any feedback on things people like/dislike in minix, as my OS resembles it somewhat (same physical layout of the file-system (due to practical reasons) among other things).

I’ve currently ported bash (1.08) and gcc (1.40), and things seem to work. This implies that I’ll get something practical within a few months, and I’d like to know what features most people would want. Any suggestions are welcome, but I won’t promise I’ll implement them :-).

Linus (mailto: torvalds@klaava.helsinki.fi)

PS. Yes — it’s free of any minix code, and it has a multi-threaded fs. It is NOT protable (uses 386 task switching etc), and it probably never will support anything other than AT-harddisks, as that’s all I have :-(.

Using Open Source to Fight Fraud

In her June 04, 2013 article, Fixing welfare fraud requires technology reform, Melissa Threadgill of the Boston Globe calls on Big Data and Open Source Software and Open Standards to fight fraud.

“This is why state government needs to dramatically rethink its approach. Big, expensive, proprietary systems need to be replaced with off-the-shelf, open-source programs that can easily be adapted and updated with the latest technology. State agencies should adopt common data standards, preferably in concert with the federal government, to make data-sharing between agencies easier, and they should prioritize operating on platforms that can easily communicate.”

Threadgill cites Kansas and California as examples of using Open Source wins in the fight against fraud. “Kansas increased legislative transparency, improved Web functionality for citizens and lawmakers, and saved over $850,000 a year by moving to an open-source, cloud-based system.” Threadgill noted that since California built, “a new integrated computer network through a combination of off-the-shelf systems and open-source software, the California Department of Child Support Services increased performance, improved data quality, and reduced operating costs.” Both are big successes for the citizens of Kansas and California enabled by Open Source.

Read Threadgill’s full story at bostonglobe.com

Drupal Government Days 2013


Drupal4Gov and Mil-OSS | DC are happy to be working together to host Drupal Government Days 2013. Come join us for a few days of Government-oriented Open Source, Drupal, and more!

Register at drupal4gov.drupalgardens.com

DC Metro Open Source Community Summit May 10, 2013

The Open Source Initiative (OSI) is hosting the non-profit DC Metro Open Source Community Summit, to be held in Washington, DC on May 10th, 2013.  The program will include short sessions by community notables and an “unconference” format for maximum attendee participation, collaboration, and learning.
Open source community and user group leadership, open source project leads, committers and developers, non-profit foundations, open data engineers and others with an interest in learning more about growing and sustaining open source should attend.  Registration is free to government employees, $20 to non, and includes lunch.
Program details and registration information are available at the event web site.
Event sponsors underwriting the non-profit event include Google, Eclipse Foundation, Red Hat, GitHub, Georgia Tech Research Institute, and MIL-OSS.

OSI Hosts Open Source License Clinic

The non-profit steward Open Source Initiative (OSI) will also host the DC Metro Open Source Community Summit on May 10th, 2013. The program will include short sessions by an international collection of OSI board members and an “unconference” format for maximum attendee participation, collaboration, and learning. Open source community and user group leadership, open source project leads, committers and developers, non-profit foundations, open data engineers and others with an interest in learning more about growing and sustaining open source are invited to attend and participate.

The OSI will host a small open source license clinic as part of its non-profit educational mission, in collaboration with federal agency participants and the Washington D.C. technology community. The clinic is designed as a cross-industry, cross-community workshop for legal, contract, acquisition and program professionals who wish to deepen their understanding of open source software licenses, and raise their proficiency to better serve their organizations’ objectives as well as identify problems which may be unique to government.

Registration is free to government employees, $20 to non. Program details and registration information are available at the event web site at http://opensourcecommunitysummit.org. Event sponsors helping underwrite the non-profit event include Google, Eclipse Foundation, Red Hat, GitHub, Georgia Tech Research Institute (GTRI), and MIL-OSS. Labor for producing the summit has been donated by The Open Bastion, along with the efforts of local volunteers and OSI board members to organize the Summit’s program.


OSFA Announces New Leadership

Deb Bryant and Kane McLean take on role of co-chairs

Washington, D.C., April 09, 2013—Open Source for America (OSFA), an organization promoting the use of open source technologies in the U.S. federal government, today announced the election of Deb Bryant and Kane McLean as co-chairs of the organization.

Bryant created the public sector program at Oregon State University’s Open Source Lab (OSUOSL) and founded and produced the annual Government Open Source Conference (GOSCON) from 2005-2011. She serves on numerous boards and councils with public trust agendas and an emphasis on open source as enabling technology.

McLean is part of the Strategy & Communications Group at BRTRC and currently works supporting the Department of Defense. He also serves on the Steering Committee of Mil-OSS, a defense-oriented public sector open source community.

McLean and Bryant issued a joint statement regarding their new roles: “We strongly believe that governments at all levels can benefit from adoption of open source in terms of the actual technology as well as the model for collaboration between various stakeholders. Open Source for America is a great platform for that message, and we are thrilled to be given the opportunity to lead that effort.”

The new co-chairs replace Gunnar Hellekson of Red Hat and John Scott of Radiant Blue. “Deb and Kane have been long-time members of our Steering Committee and have already shown tremendous dedication to Open Source for America in various leadership roles,” said Hellekson. “We couldn’t ask for two better leaders for the organization.” Scott agreed, “They apply the best principles of open source, like transparency, collaboration, and meritocracy, to everything they do. OSFA is fortunate to have them at the helm.” Hellekson and Scott will remain on the Steering Committee of the organization.

About Open Source for America
Open Source for America (OSFA) is an organization of technology industry leaders, non-government associations and academic and research institutions dedicated to advocating the use of open source software in the U.S. federal government. Participation in Open Source for America is open to any individual or entity signing the campaign’s mission pledge at: http://www.opensourceforamerica.org.