Caveat 1.27.22
Ep 110 | 1.27.22

How the "Wild West" of open source could be in trouble.

Transcript

Susan St. Clair: There's just so many eyes, and there's just so many people looking for things that they just get found.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance, law and policy podcast. I'm Dave Bittner, and joining me is my co-host Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: On today's show, Ben looks at a lawsuit against Google targeting location data. I've got the story of rising cyber insurance costs and the influence the insurance companies have on best practices. And later in the show, my conversation with Susan St. Clair from WhiteSource. We're discussing increased regulation in the open-source community. 

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, let's jump right into some stories this week. Why don't you start things off for us? 

Ben Yelin: So I have the big one. You could have read this in pretty much any news source, but I'm taking my article from The New York Times. And it is entitled "Four Attorneys General Claim Google Secretly Tracked People," and it's by Cecilia Kang. So the District of Columbia and three other states - or three other jurisdictions, I would say - Texas, Washington and Indiana - each filed separate state lawsuits against Google, claiming that Google misled users of Android phones and of applications like Google Maps and its search engine by continuing to track location information even after the user had tried to opt out of that feature. 

Ben Yelin: So like I said, it's four separate lawsuits, each based on consumer protection laws within those jurisdictions. So each lawsuit is going to look slightly different, but it is a unified effort. They were filed on the same day. 

Ben Yelin: And, you know, I think it's important to note the political diversity here. You have the most liberal jurisdiction in the country, the District of Columbia, and a blue state like Washington. And then you have two of the redder states in the country, Texas and Indiana, with Republican attorneys general. So this is truly a bipartisan effort here and part of kind of a legal onslaught against Google that's been a multifaceted onslaught over the past couple of years. 

Dave Bittner: So let's unpack what's going on here. I mean, I'm a Google user. And as part of my everyday use on Google, I sign in, and Google, through the things they do, tracks my location. That's not surprising to anyone. But then I go in and - 'cause I'm concerned about my privacy, I go in and opt out of having that tracked, and I think I'm good to go. But these attorneys general are saying not so fast. 

Ben Yelin: Exactly. You've done what you're supposed to do. So you changed the settings on your account or on your Android device to stop location tracking. These lawsuits allege that Google still collected and stored location information through Wi-Fi data, marketing partners, et cetera. So even when the user was proactive and tried to disable location services, Google was misleading its customers - at least this is what these lawsuits allege - by claiming that they're not tracking your location when they actually are. 

Ben Yelin: Something else that this lawsuit alleges, which is really interesting, is that Google has misled and pressured users to enable more location tracking by claiming things like this application won't have full functionality without, you know, the use of location services. So you're not going to get the full use out of this application unless you let us track your location. And the allegation here is that that's a misleading business practice that violates principles of consumer protection. 

Ben Yelin: So, for example, the attorney general for the District of Columbia is quoted as saying Google falsely led customers to believe that changing their account and device settings would allow customers to protect their privacy and control what personal data the company could access. But the truth is that contrary to these representations, Google continues to systematically surveil and profit from consumer data. So it's, you know, a pretty serious allegation that I think is opening Google up to potentially some significant legal liability. 

Ben Yelin: They're, of course, denying this claim. A spokesman for Google said that the case is based on inaccurate claims and outdated assertions, that they have built privacy protections into their products, into their applications, into their devices. So they are going to vigorously defend themselves in court in these four states. 

Ben Yelin: But, you know, I think there are a couple of broader lessons we can take here. One is as part of this pushback against Big Tech that we've seen in other spheres - we've seen cases railing against monopolization, you know, other deceptive consumer practices - this is part of this full-frontal legal attack on Big Tech companies, and Google is just the latest victim of that effort. This is something that's relatively nonideological. It's being pursued by attorneys general with varying political viewpoints. And, you know, it's something that's broad enough that it would be covered by four separate state consumer protection statutes. So it's something that I'm going to be very interested in following as these suits move forward. 

Dave Bittner: What are these states' attorneys general looking to get out of this? Is this - are they looking for money? Are they looking - is this a slap on the wrist for Google? Are they looking for Google to change their ways? What outcome here are we aiming for? 

Ben Yelin: Sure. So their prayers for relief vary. They are seeking monetary damages. Again, that's the type of thing where, you know, if the companies are successful or Google settles, all of us might get a payoff of 10 cents... 

Dave Bittner: Right. 

Ben Yelin: ...When we take our proportion of the monetary damages. I think they would look for injunctive relief or a declaratory judgment. Injunctive relief would compel Google to change these deceptive practices, and some sort of declaratory relief would say what you're doing here is illegal, and we're declaring it illegal. And you have to stop this behavior, or you're going to subject yourself to further judicial sanctions. So there are a bunch of avenues for potential relief that we see in each of these suits. 

Ben Yelin: I think from the consumer's perspective, what you would like to see, since the monetary damages wouldn't be, you know, significant enough given the fact that Google has millions and billions of customers, you know, I think seeing injunctive relief would probably be the best outcome for people who are users of these platforms and devices because you'd be getting the relief of Google being forced to change these deceptive business practices. 

Dave Bittner: Now, if these states and the district are successful here, could that success play into a case against Google on monopoly basis? The folks who are coming after Google for that, could they point to something like this as evidence in their own case? 

Ben Yelin: That's a good question. I think the cases are not necessarily related. I mean, the allegations are based on a completely different set of facts. Google could have completely cornered the market on applications or devices without having deceptive practices relating to location services. And vice versa, they could have had deceptive practices relating to location services without unduly, you know, limiting competition. And that's true for all of the tech companies. 

Ben Yelin: I mean, I think they're very distinct legal issues that are being brought under completely distinct legal theories. So antitrust statutes, whether at the state level or the federal level, are one thing, and then these broader consumer protection statutes are pretty distinct. And I don't think the two are necessarily closely related except to say that, thematically, we are finally seeing a broad pushback against Big Tech companies on a number of fronts. 

Dave Bittner: And these lawsuits will continue to track independently. There's no chance of these being combined into one thing, for example. 

Ben Yelin: Not these lawsuits because they're based on four separate state/district statutes. That's going to be one really interesting aspect of this is - you know, you get different courts. If there's a jury trial, you'll get, you know, a composition of juries that's completely distinct in each of these states. You might end up getting four separate results. I mean, I think what happens in one state might have persuasive authority as to what happens in another state. A judge might see the legal reasoning of, you know, an appellate judge in another state who reviewed the case and say, you know, you know what? That's a compelling read of their statute. Our statute is similar here in Indiana. You know, that might be reasoning that I'll use. But they're not directly related. So we could see, you know, people in the District of Columbia securing relief just because of the nature of the judges and juries in D.C. and people in Indiana, you know, losing the case or having the case thrown out in court. So that's one really interesting aspect of this. 

Ben Yelin: While this is a unified effort, there's certainly not going to be a unified outcome. Oftentimes, you'll see attorneys general band together as part of one lawsuit, usually in federal court, against a company. But that's not what's happening here. It's a sort of - these are four cases on four separate tracks. That sort of increases the chances from consumer advocates that one of them is going to be successful. And once you're successful once, that really can be persuasive to other judges because you've established some sort of legal precedent, some sort of compelling legal theory, at least, to one judge or to one jury. 

Dave Bittner: I see. And these are civil suits, not criminal. 

Ben Yelin: Yep. These are civil suits. No one's going to jail. 

Dave Bittner: OK. 

Ben Yelin: Despite the wishes of, you know, some people who would want to jail Big Tech companies, nobody's freedom is being threatened here. This is just about, you know, giving some sort of relief to consumers in these jurisdictions who have faced this alleged wrong - people who have really tried to proactively protect their information and Google allegedly is still collecting their location data, you know, whether it's through Wi-Fi or broadband or anything else. 

Dave Bittner: And what kind of timeline are these sorts of things typically on? Are we talking years here? 

Ben Yelin: Let's just say the timeline we're on will make a snail in your backyard look like an Indy 500 race car.

Dave Bittner: (Laughter). 

Ben Yelin: These take forever. I mean, it's so unsatisfying to follow these legal developments in our system because we get really excited when these suits are filed, but then we have years of discovery and competing motions. If we got a firm resolution to this by 2024, I'd be pleasantly surprised. But you have to start somewhere. These suits have to start somewhere. 

Ben Yelin: We end up seeing really interesting decisions on cases that were brought sometimes as long as 10 to 15 years ago. They've made their way through our court system. You know, there - a decision might come down at a state district court. It will be appealed. The appellate court will say, you know, you got this interpretation of this law wrong in your original decision, so they'll remand the case for reconsideration. Somebody else wins. That's appealed to the appeals court. 

Ben Yelin: So it can be an extremely long, frustrating process. And, you know, that means that lawyers out there, legal academics have to have a certain stick-to-itiveness, if that's a word... 

Dave Bittner: (Laughter) Right. 

Ben Yelin: ...To follow these developments, you know, even after they're out of the headlines. And let's be honest. It will be out of the headlines, you know, in the next couple of days. But these suits are still - you know, they are active. And unless they are immediately dismissed, which I find completely unlikely, you know, we're at least going to have some twists and turns to this litigation for the foreseeable future. 

Dave Bittner: Just kind of a question out of left field, but do different states, do different jurisdictions in different parts of the country have reputations for things going through them quickly or more slowly when it comes to legal things? 

Ben Yelin: I'm not sure about quickly or slowly. Some courts are better equipped to deal with certain types of cases. So there's a reason, for example, that all businesses are incorporated in the state of Delaware. It has nothing to do with the beauty of Rehoboth Beach, which is beautiful. 

Dave Bittner: (Laughter) Right. 

Ben Yelin: But it's because they have business-friendly chancery courts. So they - if they're going to get sued, they want to be sued in that venue because they have a sympathetic court and one that efficiently handles cases. So sometimes it's about speed. But sometimes it's about, you know, just the way - the nature of how state courts have developed, you know, based on the political history of that state. 

Dave Bittner: All right. Well, as they say, time will tell. And we'll keep an eye on it over the next few years (laughter). 

Ben Yelin: Our hair will be a lot grayer... 

Dave Bittner: That's right. That's right. 

Ben Yelin: ...By the time we get a resolution here. 

Dave Bittner: We'll have a link to that in the show notes, of course. 

Dave Bittner: My story this week - kind of a lighter story, but I thought it could lead to some interesting conversation for the two of us. This is from wglt.org, which is an NPR station from Illinois State University, written by Jack Graue. And the headline is the district's - a school district - this is District 87 - their cybersecurity insurance costs are going to jump 334%. This story says that just a year ago, they were paying about $5,000 a year for cybersecurity insurance. This year, the cost is more than tripled. They're going to be paying over $22,000 a year for cyber insurance. 

Dave Bittner: Couple things stood out to me here. One, they are shopping for their cyber insurance through a cooperative, which was sort of, I guess, news to me that this exists. But when I thought about it, I thought, yeah, that makes total sense... 

Ben Yelin: Right. 

Dave Bittner: ...That you'd have a cooperative for buying these sorts of things. That's certainly in the best interest of the school districts. 

Ben Yelin: Absolutely, yeah. And we've seen that in other settings, too, these insurance cooperatives, for sure. 

Dave Bittner: Yeah. But the other thing that caught my eye here was they pointed out that in a memo to the school board, they said that their limits are decreased. The limits of coverage are decreased until they fully implement multifactor authentication and that they're expecting their multifactor authentication rollout to be done by sometime in late March. So I thought, just from a policy point of view, that, you know, this is something you and I have talked about before - how much influence the insurance companies have on best practices. And it seems to me that's playing out here. 

Ben Yelin: Absolutely. I mean, if you look at insurance in any other context, you see these same types of policies. So if you are a safe driver, they will decrease your premiums. If you have the latest safety feature in your vehicle, it'll be easier to insure, and you might get lower deductibles. 

Ben Yelin: So that's not something that just happens in the cyber insurance industry. I think because cybersecurity insurance is still a relatively new phenomenon, it's still sort of being worked out what that looks like in the real world. I happen to think it's a completely sensible policy from the perspective of an insurance company. You know, if we are going to cover you and give you a, you know, nice little sum of money if you're the victim of a ransomware attack, we want to make sure that you are doing the most you possibly can to limit your own risk. And something like multifactor authentication, which it seems like the school district is saying, you know, they're going to try and institute that over the next couple of months, I think that's, you know, a very good place for them to start. 

Dave Bittner: Yeah. I mean, it reminds me of, you know, insurers requiring things like sprinklers and fire escapes. And to your point, I know, like, on my own homeowners insurance, one of the check boxes is, do you have a fire extinguisher in your kitchen? You know, and check yes and... 

Ben Yelin: Absolutely. Do you have smoke alarms in every room - which I'm reminded... 

Dave Bittner: Right. 

Ben Yelin: ...Of every time I cook something. 

Dave Bittner: (Laughter) That's right. That's right. That's right. 

Dave Bittner: So I guess - I mean, I guess there's a danger of overreach here, that, you know, the insurance companies could be so restrictive/expensive that, as you and I have mentioned here before, I've wondered if this - if cyber insurance could go the way of flood insurance... 

Ben Yelin: Right. 

Dave Bittner: ...Where it becomes such a bad bet for for-profit companies that we have to rely on the federal government as a backstop. And again, I think, you know, time will tell if that happens. But with these huge payouts we see with ransomware, I don't think it's out of the question that we - it could go that way. 

Ben Yelin: Absolutely. I mean, this school district, as you said, was paying $5,000 a year, and that's up to $22,000. So in the context of this district's budget, which they quote at 80 million, that, for now, is a drop in the bucket. But these costs are going to add up over time. 

Ben Yelin: And as we see ransomware attacks happen to all different types of public and private institutions, you know, that's - the likeliness of that risk befalling your company, your school district, your municipality is greater, you know, just because we've seen it happen in so many places across the country. And so it, of course, makes sense that because these companies have had to, you know, provide payoffs after ransomware attacks, that they are going to want to minimize their own risk by raising premiums. 

Ben Yelin: I'm hoping there's sort of a price sweet spot where we won't go the way of flood insurance. School districts, municipalities will still be able to afford cyber insurance. The costs aren't going to be astronomical, but they will be enough so that the industry can sustain itself. 

Dave Bittner: Yeah. 

Ben Yelin: You know, I think we found that sweet spot in homeowners insurance and auto insurance. It's not always perfect, but they are viable markets. 

Dave Bittner: Right. 

Ben Yelin: I know that because I watch TV, and there's a commercial for a home insurance or auto insurance company, you know, every two minutes. 

Dave Bittner: Right, right, right. So it's a competitive market. 

Ben Yelin: It is. And that's what we're hoping... 

Dave Bittner: Yeah. 

Ben Yelin: ...For here with cybersecurity insurance. I do think there - that danger of it becoming like flood insurance, where it's something that's uninsurable, the risk is too high for any individual company to undertake - that's going to end up being really dangerous for consumers. So I hope that they find that sweet spot. And even despite, you know, the 330% increase we see in this article, it seems like the school here is still going to pay for cyber insurance and... 

Dave Bittner: Yeah. They have to. 

Ben Yelin: They have to, yeah. Otherwise you're just assuming too much risk. 

Dave Bittner: Yeah, yeah. All right, well, we will have a link to that story as well in our show notes. 

Dave Bittner: And we would love to hear from you. If you have a question for us, you can email us. It's caveat@thecyberwire.com. 

Dave Bittner: Ben, I recently had the pleasure of speaking with Susan St. Clair. She's from a company called WhiteSource. And our conversation focused on open-source software and potential regulations that might be coming down the pike that could affect the way folks use open-source software and develop it. Here's my conversation with Susan St. Clair. 

Susan St. Clair: You know, certainly, open-source software has been a very strong community. It's grown over time. I can speak from my, you know, very short professional experience in saying that, you know, back in the day, you know, people really looked at open source as sort of this hobbyist sort of thing. You know, it wasn't where real software development happened. 

Susan St. Clair: That has completely changed 180 degrees in that, you know, now it is certainly, you know, a majority of applications, depending on your industry and vertical and language and all of that, but, you know, certainly well over half or even as high as 90% of applications that are being developed commercially - you know, not just for internal use - that we see out in the world. 

Susan St. Clair: And I really think that what's driving that - one, I think times have changed. People are more open to the idea that, oh, you know, I can go to some repo somewhere, some registry somewhere and grab what I need. 

Susan St. Clair: But I think also what's driving it is really - I mean, we all feel it in all aspects of our lives. But, you know, there's not enough time. We're being asked to do more with less time at a higher quality. So you know what? Not in a negative way, but we have to look at ways we can become more efficient, take shortcuts, you know, be smarter about what we do in our jobs and getting software out. 

Dave Bittner: Yeah, it strikes me that it allows developers to be very modular as they're putting things together. You know, why should I write a new bit of code that checks a credit card number if that already exists, it's out there, it's been tested, lots of people have had the opportunity to bang on it and, you know, feedback is it's pretty good? Is that a fair assessment of how some people are approaching this? 

Susan St. Clair: I think absolutely. Absolutely. And I would even say that not only more modularized. I think, again, that's just kind of the way that we're writing applications now with, you know, microservices and APIs, even. But - you know, so it's more modular. 

Susan St. Clair: And I think there's also just we kind of like, well, why should I - I mean, there's always been modular components, like, you know, back in the day, you know, FlexNet and all of that within the Microsoft ecosystem. But why would I have to pay for that? Like, it should just be part of the community. I do think it's a shift in that aspect as well. 

Dave Bittner: So what are some of the risks then, I mean, security-wise, if we're sharing things that, you know, take away a little bit of the genetic diversity in our code, if you will? 

Susan St. Clair: Yeah. So I think there are multiple risks. Certainly, I do think potentially a lack of diversity - I like that. I like that in our code. That being said, there are so many open-source repositories or libraries out there that by - I don't know that that's, like, a huge risk - maybe in certain ecosystems, for sure. 

Susan St. Clair: But I think the risk - and this is interesting. I think the risk is actually that we become - it's more visible - right? - that some of the flaws that - in how we write code. So certainly, security - 'cause kind of that's my space, and that's my focus right now - is a big risk. It's not so much, I think, that things are more - or worse, they're more insecure. I think it's more that there's just so many eyes on it and so many people testing it and using it that it just becomes more visible, when if you probably looked at, you know, applications way back in the day, nobody really knew what was going on. So they might be there. They might not be there. But you just really don't know. And that's not the case in open source today. So I think there's that. 

Susan St. Clair: I think there's also certainly - of course, you know, when you look at quality and performance and, you know, some of these other ones, certainly they're - at legal, of course - I mean, there are certainly risks there. But I think from security, my feel is that, again, there's just so many eyes, and there's so many people looking for things that they just get found. 

Dave Bittner: So in terms of the regulatory scrutiny that open-source software is receiving these days, what - where are we with that? Or is there - are we coming into an era where it's attracting more attention? 

Susan St. Clair: Oh, absolutely. I mean, 100% absolutely. Again, we're looking back into history. Like, when was - when you first started in the industry, when was the last time you heard about a cyber breach in the mainstream news? Like, never. I would never be able to explain that to my parents. Now it seems to be on the daily, or at least the weekly, that we're hearing about these supply chain attacks or certainly, you know, breaches because a cloud component wasn't secured appropriately, some sort of IaC template, you know, wasn't correctly configured. So I do think that that has again raised the profile. It has become mainstream.

Susan St. Clair: It's also hit, like, not just, like, some little shop or some little schoolboy (ph) hardware. You know, of course they don't know what they're doing with regards to security. It's hit, like, big companies like, you know, Microsoft, you know, Apple, the U.S. government, certain agencies. So again, that's really raised the profile, and then that comes with it regulatory - I don't know requirements is the right word at this point. But certainly, that is the direction that we're moving. 

Susan St. Clair: You know, again, I kind of go back-and-forth in terms of, you know, I'm very much a, like, oh, let's be free, and let's - you know, this is innovation, and we need this openness. But when you look at certain systems and they're relying on that 90% of open-source components and this is how we work, this is how we live, this is - I mean, it's our cars, it's our Zoom meetings, it's whatever - I mean, I do think there needs to be some sort of oversight, just like any sort of utility, if you will, that we use elsewhere. 

Dave Bittner: You know, in my mind, it's sort of - I guess I can see some parallels to cybersecurity in general, which is that, you know, over time, we've seen this professionalization of that vertical. And in that process, you know, there are some people who get - who pine for the old days, you know, when it was more like the Wild West, when you could do whatever you want, when there were a handful of people who, you know, were the rock stars who really knew what was going on. 

Dave Bittner: And I wonder how much of that analogy really plays out here with open source that, you know, professionalization, it seems, is absolutely necessary as we all rely on these tools. But I suppose, you know, with that comes a little less freedom than we used to have. 

Susan St. Clair: Yeah. No, absolutely. Absolutely. If I'm just, like, you know, playing around and I'm part of this amazing community and we can do what we want, I mean, that's one thing, and I'm willing to accept a little bit more risk. Again, oh, it's just, you know, there's some home automation thing that I built myself. And, I mean, my TV goes out or my lights don't, you know, work with my app that I built. Who cares? But it's when - if it's something that's running my business or that I'm selling to my customers, that's a whole 'nother ballgame. And so I think it's reasonable to ask for some sort of specialization or some sort of professionalism within that space. 

Susan St. Clair: I think the flip side of that is that, you know, certainly, this has been a very, in my opinion, kind of a niche thing - at least the security aspect of open source. You know, we're really now again - as an industry, security's overwhelmed. Technology is changing, perhaps, you know, with cloud native, with IaC, with all these things that maybe we didn't grow up with for people who've been in the industry a while. 

Susan St. Clair: And there aren't enough of us. So part of that - you know, asking our fellow team members in AppDev or DevOps or whatnot to help us out with regards to application security. I think that you do have to have standards and you do have to have expectations and you do have to have a certain level of professionalism to aid in that transition and to facilitate that conversation. 

Dave Bittner: How would you like to see this play out ideally? How - what would be the balance that we could strike between the need for more professionalism, perhaps more regulations, but also doing so in a mindful way to not stifle innovation? 

Susan St. Clair: Yeah. And that - isn't that the million-dollar question? 

Dave Bittner: Yeah (laughter). 

Susan St. Clair: I could take that, and I could build my own consultancy, and I'd be set for life. No. 

Dave Bittner: Right, right. 

Susan St. Clair: You know, I think the worry that I have and I - you know, talking to my colleagues, even - I think the worry that I have with regulation is that so many times with - especially within this industry, we have seen regulation for the sake of regulation or compliance for the sake of compliance. And then we see these lists that come out every year by various research entities or vendors. And, wow, you could just copy and replace that year from year to year 'cause nothing's changed. 

Susan St. Clair: So I think, like, to strike the balance between more regulation - or hopefully, you know, potentially more regulation and all that comes with that is that, you know, we need to somehow tie it to - we're not just checking a box. We're not just running that report. We're not just saying, oh, you know, we met this A1, you know, standard or whatnot. 

Susan St. Clair: But we need to really, I think, be tying it to results. And by results, I mean, like, again, you know, something that - you know, we run this report, and it says that it's clean from a security point of view, but then, you know, next month or something, something is found, and it was actually exploited. So what was your due diligence in terms of keeping up on that? What was your due diligence in fixing it and notifying it? You know, I think we need to tie the pieces together in some sort of meaningful way so, again, it's just not a box to be checked, a report to be generated to show your auditors. 

Dave Bittner: Yeah. Yeah, that's interesting. I mean, you know, bridges get inspected on a regular basis, right? You don't just build it, have it inspected and say, well, we're done here... 

Susan St. Clair: It's good. 

Dave Bittner: ...Forever more, right? Right, yeah. 

Susan St. Clair: It's an ongoing thing, and you actually have to fix, and you - you know, it's - yeah, it's an ongoing thing. It's not a one-time deal. 

Dave Bittner: Yeah. 

Dave Bittner: All right, Ben, what do you think? 

Ben Yelin: It's really interesting. I mean, you're balancing competing interests. The promise, as she talked about, of open-source software is it's available to everyone. It'll foster creativity and collaboration. But with that freedom comes, you know, security difficulties, security threats. 

Dave Bittner: Yeah. 

Ben Yelin: And that's just a really difficult problem to contend with. And I don't think that there's an easy solution there. 

Dave Bittner: No, no. And, you know, the thing that we've seen lately with this whole - all this stuff with Log4j, which has certainly been making headlines, that I think has put to bed - I don't know if it's fair to call it a myth, but the notion that open-source software is secure because of the fact that there are so many eyes on it. I think people have had to reexamine that notion that - whether or not that's actually the case. So... 

Ben Yelin: Right. 

Dave Bittner: It's interesting times. 

Ben Yelin: It is. You know, and there's still obviously advantages to having open-source software. But, you know, I think we need to recognize the reality that times have changed. 

Dave Bittner: Yeah, absolutely. All right. Well, our thanks to Susan St. Clair from WhiteSource for joining us. We do appreciate her taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. 

Dave Bittner: The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.