Slashdot Mirror


Open Source in the Military?

djmcmath asks: "Does anyone have any experience with Open Source Software and/or GPL'd software in military applications? I'm only asking because I'm involved in work on the combat systems for a new submarine, and had considered an Open Source solution. (I apologize, I must be intentionally vague for obvious reasons.) So ignore the obvious questions (Is it really suitable? Are closed-source proprietary options better? Does MS have a good solution?) and skip to the good stuff. What about the fact that my code would be classified Secret under US Code Umptifratz? I cannot distribute my code (and its changes) without being tried for treason. What happens to the rest of the combat system code when I submit my GPL'd module?" Open Source and the Military: it's a tricky combination of keeping what can be open, open and keeping your secrets...well, secrets! However, open source in the military need not be as high profile as weapons systems. One of the only major OS projects that I'm aware of that had any form of military involvement was GRASS, the open-source GIS system. I'm sure there may be a few others out there. Does anyone know of other OS projects with military association? If there are any projects out there that interface with classified bits, how did you deal with those issues?

33 of 388 comments

  1. Source Distribution by aridhol · · Score: 5, Informative

    I cannot distribute my code (and its changes) without being tried for treason

    Are you distributing your executables? If you use the OSS for a specific system and only on that system, you are not required to distribute source - everyone that has the binaries (the military) will have the source.

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
    1. Re:Source Distribution by Anonymous Coward · · Score: 5, Funny

      Are you distributing your executables? If you use the OSS for a specific system and only on that system, you are not required to distribute source - everyone that has the binaries (the military) will have the source.

      It's actually simpler than that -- this is the US -- therefore, you only need to say aloud one of two magic incantations, "National Security" or "For the love of God, will no one think of the children?" and debate is terminated. In your favor.

    2. Re:Source Distribution by kryonD · · Score: 3, Insightful

      So far it seems that everyone has failed to actually read what he wrote. It's not like he hopped on freshmeat and searched for "torpedo guidance system" and actually found something to work with. His quandary is most likely whether or not using open source tools for his project requires his project to be open source. This is an easy answer as you can generate all the code you want using open source tools and then release it under any license that makes you happy. The Marine Corps Warehouse Management System is powered by Red Hat 6.0 and compiled using gcc. While the number of $500 toilet seats we have in warehouse 5 is not really a matter of National Security, it still may be a piece of information that enemies could develop intelligence with, so the system specifications and code remain closed source. We are not violating the GPL because our system is not based on GPL'd code.

      Although, to keep everyone happy, you may have to name your project GNU/Submarine.

      --
      I've dirtied my hands writing poetry, for the sake of seduction; that is, for the sake of a useful cause. --Dostoevsky
  2. GLP and software availability by Account+10 · · Score: 5, Funny


    You only need to distribute the source to the people that you distribute the binary to.

    Presumably the binary is covered by the same secrecy rules as the source, so the only people entitled to the source are the military.

    Although, if the binary is in a bomb, you may also need to distribute the source to the poor sod that you drop it on.

    1. Re:GLP and software availability by linzeal · · Score: 5, Funny

      They could just include the source in a leaflet attached to the side of the bomb with a stern finger wagging RMS on it.

    2. Re:GLP and software availability by ProfessorPuke · · Score: 3, Informative

      Maybe this is an intentional joke/troll, but it's completely wrong. If you distribute the binary, it must be under the terms of the GPL. Not only do the users need to be able to get the source, but the GPLed source- that means they are allowed to modify and redistribute it as they see fit.

      If you use some other means (written orders from the commanding officer) to force the users not to republish the source code, then you have NOT given them a GPLed release, because you haven't given them permission to redistribute it under the same terms you acquired the software with.

      (I do software contracting for the US military, and we'll include LGPL or PD code, but not GPL).

      Imagine if this happened in the civilian world- CompanyX modifies GPLed GNU Emacs and puts it up for sale- but before a customer can purchase it, they have to sign a separate contract promising to never redistribute the source code. It's a blatant violation.

      (Actually, that has been attempted before. A group published a modified version of the GPLed Quake game, but required users to sign away their rights to the source code before they could download the binary. The original author sent his lawyers after them, and they gave up on the scheme)

    3. Re:GLP and software availability by FattMattP · · Score: 5, Funny
      Although, if the binary is in a bomb, you may also need to distribute the source to the poor sod that you drop it on.
      That would only be necessary if he's going to execute the code. If the code is in a bomb, it's more likely that it's going to be executing him.
      --
      Prevent email address forgery. Publish SPF records for y
    4. Re:GLP and software availability by jpt.d · · Score: 4, Informative

      I believe you are possibly in error. The US military is an organization, and any software is published to the organization. You are not giving the binary/code to anyone but the military, not any particular person. The organization has access to the code, but they are the only ones that have the binaries anyways.

      --
      What we see depends on mainly what we look for. -- John Lubbock Now search for that bug slave!
  3. ksonar by Innomi · · Score: 3, Funny

    Imagine, a whole new suite of apps for KDE, ksonar ktorpedo kcmissile ...

  4. Read the FAQ by gkirkend · · Score: 5, Informative
    Take a look at the GPL FAQ

    A quote from the FAQ which I believe applies to your situation:
    "The GPL does not require you to release your modified version. You are free to make modifications and use them privately, without ever releasing them. This applies to organizations (including companies), too; an organization can make a modified version and use it internally without ever releasing it outside the organization. But if you release the modified version to the public in some way, the GPL requires you to make the modified source code available to the users, under the GPL. Thus, the GPL gives permission to release the modified program in certain ways, and not in other ways; but the decision of whether to release it is up to you."

    Greg

    --
    To a shark, you are just another food choice...
  5. Another mis-understanding of the GPL by mcrbids · · Score: 5, Informative
    It's a common misunderstanding of the GPL... using GPL software does not mean you have to distribute it.

    The terms of the GPL simply state that if you sell a GPL product to a customer, you must provide the source to that customer.

    Red Hat, Mandrake, and the like are being nice enough to provide iso images of their software for your download - they are not required to.

    So what are the ramifications? Well, if the military sells your GPL solution to a 3rd country, they have to provide the source to that 3rd country, as well.

    In other words, in this case, GPL (or no) makes no difference at all. GPL code can be "top secret" as long as the customer has full access to the code.

    The idea of the GPL is that "If I bought it, I can do as I please with it - and if I sell it, so can whoever I sell it to..."

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  6. GPL Distribution & Security by lkaos · · Score: 4, Insightful

    I actually have had to deal with this and the GPL really isn't your biggest concern, but first, let me address that.

    The GPL is a set of licensing terms between the author and whomever he distributes the code to. If you are working directly with the Navy (unlikely) then writing and consuming the GPL code would pose no problem since you're not distributing to anyone.

    If you are working for a contractor, then it is a bit more hairy. You can still write the code GPL and distribute it to the Navy under the GPL. This of course gives the Navy whatever rights to the code so that they could redistribute it if they choose. It does not allow some guy in Florida to obtain secret info though. You would have to first give him a binary for him to have grounds to ask for the source and of course, classified source code produces classified binaries so this isn't an issue.

    The real issue is QA. There are all sorts of processes (I know at least for Surface Systems) covering COTS versus in-house software. Now, I spent a great deal of time working things out with QA and this is what we came up with when I first asked to use an OS library in a tactical program:

    First, I had to vouch for the code. That meant I literally had to go through it line by line and make sure there were no possible backdoors in it. Also, if I modified more than a certain percentage of the library, then I was responsible for bringing that library up to in-house standards (which I'm sure you know is a real pain in the ass).

    Don't worry about the licensing terms, they aren't going to be a sticking point likely. QA is what is going to kill you... (and it will only get worse if your program carries a higher classification).

    --
    int func(int a);
    func((b += 3, b));
  7. Re:Treason? Very unlikely... by aridhol · · Score: 4, Insightful

    Perhaps he meant espionage - the release of state secrets to an enemy of the state.

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
  8. ask a military lawyer by FredGray · · Score: 3, Informative

    I'm not sure why the author of this question thinks that he'll get good advice from Ask Slashdot. The only reasonable response is "you should find an attorney with experience in intellectual property and national security laws and an appropriate security clearance to be told the complete story."

    1. Re:ask a military lawyer by Lord+Omlette · · Score: 3, Insightful

      On the one hand, I think we need something more devious than that... Put somewhere in the FAQ:

      Q: blahblahblahOpen Sourceblahblahblahlegal question?
      A: Get a fucking lawyer.

      On the other appendage, I think Taco & Co. post these questions because of the anecdotes provided in the comments. And since the comments are the most important part of the site, what better way to add value to slashdot than to repeatedly post the variations of the question?

      Personally I'm waiting for April 4, so I can be rejected for asking, "Hey, it's been a year since we talked about Game Programming w/ SDL, what's changed since then?"

      --
      [o]_O
  9. Re:GLP [sic] and software availability by Anonymous Coward · · Score: 3, Funny

    The point was:

    If the bomb crashes and does not explode, and some people can extract the binary out of it, then these people can ask for the source code and get it.

  10. Hmm.. interesting by BoneFlower · · Score: 5, Informative

    IANAL, however I did work in military intelligence and information security.

    From what I understand, in this case, the government agency responsible for the code changes would be required to distribute those changes to any agency they distribute the binaries to... This should not, as I understand it, mean the individual users of the software.

    For example, let's say the Navy sends copies of the binaries to Electric Boat (a sub manufacturer). They would be required to send the source to Electric Boat as well.

    However, in this case, it is Electric Boat's IT department that is the receiver of the binary, NOT the Electric Boat employee who uses the software. Therefore, the source can legally be kept inside a safe at the CMCC (classified material control center), shown only to the IT department and others with an established need to know.

    However, in any case, regardless of license, if the source changes reveal classified information it would be illegal to release them to the general public. I'd wager that even if that turned out to be a direct violation of the GPL, the classification side of the case would win in court.

    With all that said, I would recommend you push for release of all source changes that do not reveal classified information. I realize that might not be much, but what you can, go for it.

  11. Re:GPL by anonymous_wombat · · Score: 3, Funny

    The only practical implication is if the defense contractor wanted to sell the weapons system to other countries, but not give them the source.
    Of course, the military has a lot of firepower, and Stallman doesn't have any, so it is probably a moot point.

  12. Re:GLP [sic] and software availability by innocent_white_lamb · · Score: 3, Funny

    If the bomb crashes and does not explode, and some people can extract the binary out of it, then these people can ask for the source code and get it.

    I don't think so. The intention of the bomb-dropper was not to provide the drop-ee with a copy of the binary included with the bomb. That would be like stating that if I broke into your office and stole a copy of the binary I could then walk in the front door and demand a copy of the source code.

    --
    If you're a zombie and you know it, bite your friend!
  13. Re:GPL by yintercept · · Score: 3, Insightful

    If, however, these combat systems were to be _sold_ (or given away, though that's unlikely)

    Selling military equipment is a multibillion dollar business. Where do you think we get all our cheap gas? We've been trading military technology for cheap oil in the mideast for ages.

  14. Re:Treason? Very unlikely... by BoneFlower · · Score: 4, Insightful

    Treason is an overstatement, but in his case, the penalties would be stiff, and, depending on the circumstances and who he distributes it to, could be considered treason. The non-disclosure agreement sets penalties of 10 years and 10,000 dollars for EACH violation of the security regs. For example:

    Classified fact a
    classified fact b
    classified fact c
    classified fact d
    classified fact e

    If those were real classified facts, I could easily end up in jail for 50 years for this post.

    It may not technically be treason, but it can be as severe and match the spirit of treason if not the letter of the definition.

  15. Support? by gehrehmee · · Score: 5, Funny
    Open software is typically accompanied by open support. If the usage of your software is as secret as you make it sound, it might be really difficult to get technical support from the community in the same way civilian users might.
    I finally got Linux 2.4.CLASSIFIED to work on my CLASSIFIED system, which required me to work around the CLASSIFIED component attached to the CLASSIFIED-CLASSIFIED. However, I'm still having some stability problems. Anybody see anything blatantly wrong with this patch?

    --- /usr/local/src/linux/fs/devices.c Sat Sep 22 21:35:43 2001
    +++ CLASSIFIED.c Sat Mar 16 14:32:35 2002
    @@ -32,7 +32,7 @@

    struct CLASSIFIED_struct {
    const char * name;
    - struct file_operations * fops;
    + struct string_operations * CLASSIFIED;
    };

    static CLASSIFIED_t CLASSIFIED_lock = RW_LOCK_UNLOCKED;
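
    Review bot: the member of `CLASSIFIED_struct` changes both its name and its type on the `+` line (`struct file_operations * fops` becomes `struct string_operations * CLASSIFIED`), yet none of the hunks shown updates the code that reads the old `fops` member. Either include those call sites in this patch or split the rename from the type change so each can be checked on its own.
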
    @@ -62,9 +62,9 @@
    Load the CLASSIFIED if needed.
    Increment the CLASSIFIED count of module in question.
    */
    -static struct CLASSIFIED_operations * get_chrfops(unsigned int CLASSIFIED, unsigned int CLASSIFIED)
    +static struct string_operations * get_chrfops(unsigned int CLASSIFIED, unsigned int CLASSIFIED)
    {
    - struct CLASSIFIED_operations *ret = NULL;
    + struct CLASSIFIED_operations *ret = NULL;

    if (!CLASSIFIED || CLASSIFIED >= MAX_CHRDEV)
    return NULL;
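
    Review bot: `get_chrfops` now returns `struct string_operations *`, but `ret` is still declared as `struct CLASSIFIED_operations *` (the `-` and `+` lines for `ret` are identical as posted, so that part of the change is a no-op), and the function goes on to `return ret;`. Declare `ret` with the new return type, for example `struct string_operations *ret = NULL;`, or leave the return type as it was.
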
    @@ -95,7 +95,7 @@
    return ret;
    }
    --
    "You know, Hobbes, some days even my lucky rocketship underpants don't help" -- Calvin
  16. Military involvement by Ektanoor · · Score: 5, Insightful

    Just a note on how the military is involved in spreading the evil "specter" all over the world. Just one name that means all:

    "TCP/IP"

    It's open, clear and crystal like water. The whole world uses it. 90% of open/closed source network systems depend on it. It's open, it's readable. And it's ARPA...

    What else is needed to talk about the military involvement? From start to end, many things done on computers are originally military by their nature... First computers were created for military needs, let's not forget this. And today nearly everyone uses them. From Taco to bin Laden...

  17. OSS in the USAF by The+Snowman · · Score: 4, Interesting

    I am a programmer in the USAF, and my squadron (for security reasons I cannot say what my unit does) uses OSS.

    We use Samba for sharing printers between Windows NT and Solaris. We don't change the source code, but we do use OSS. I believe that we also use GCC for some things, because (and I am not 100% sure on this since I am not a sysadmin) I don't think Solaris comes with a C compiler. We also use DivX for... I could tell you but then I'd have to kill you ;-)

    I've thought about this before because of our software licensing. Let's say Microsoft thinks they need a license audit. What's more important: maintaining our security by not allowing Microsoft access to sensitive computer systems, or complying with their "copyright" policies? If a computer is located in a secure area protected by federal classification law, who will know?

    It goes both ways. The government could potentially abuse the GPL, but they could do the same to the draconian licensing terms in commercial software. It is my experience that the people in charge of acquiring systems will make sure their subordinates comply with the law. The higher-ups at my squadron stress that we must obey licensing laws because it's The Right Thing To Do.

    I like open source software. I think it's the greatest thing since sliced bread. But for some applications, such as classified computer systems, it may be best to stick to closed source if you need to change the open source software.

    --
    24 beers in a case, 24 hours in a day. Coincidence? I think not!
  18. One Approach - Loose Integration by guygee · · Score: 5, Interesting


    I worked on a terrain database analysis tool, called ZCAP, that was funded a few years back by U.S. Army STRICOM and the Defense Modeling and Simulation Office. We distributed the application (and still do) in a complete package that included a number of supporting free source applications, such as gnuplot and tcl/tk. We handled the combination of free source, (no longer) export-restricted software, and proprietary libraries by loosely integrating using system calls under a tk-based gui. Not very clean, but there is a lot of good code in there, and I'm planning to gpl it in the near future.

  19. Re:Virginia Class by Registered+Coward+v2 · · Score: 3, Insightful

    give my right leg to have one of these things to ride around the Jersey shore in :)

    You don't have to - just enlist.

    --
    I'm a consultant - I convert gibberish into cash-flow.
  20. Re:This just might align with your politics. by Registered+Coward+v2 · · Score: 4, Insightful

    If you can't release your source code, don't use the GPL.

    Why? Because a lot of us GPL fans are Buddhist, Pacifist, Hippie types! :)

    Seriously... I don't want you using my software to help kill people.


    But you can't, under the GPL, stop anyone from using the software to do things you don't like, as long as they comply with the GPL. Open Source is about making software freely available - if you do that, you have to be willing to let people use it for things you may not like.

    I have also talked to Stallman about putting a clause in the GPL about not using the GPL in military systems because of these concerns

    Now you're advocating closing the source to people whose world view conflicts with yours. Beyond the difficulty in sorting out what would be limited and what wouldn't, since you can change the terms of another writer's license, why limit this to the military? Either the source is open and free to all, under the same terms, or it isn't. This gets real close to MS' FUD about viral code - all of a sudden you can't freely use and distribute code you've created because it incorporates someone else's more restrictive license.

    If you want to limit your code's uses, write separate modules that don't incorporate others' code. Unfortunately, you can't have things both ways: Open Source and Restrictions on End Users.

    --
    I'm a consultant - I convert gibberish into cash-flow.
  21. Re:GPL by ProfessorPuke · · Score: 3, Informative
    No, the GPL is meant to protect the developers of software. RMS initially created the GPL after he, as a developer, was screwed by a company who marketed emacs without paying him, and without releasing their source code.

    GPL is supposed to allow developers to give out their source code, without having to worry that someone else will change the code and not share their modifications.

    I code for the army, and we're very clear that unless they truly don't mind Iraq getting a copy of their software, then it can't be based on GPL sources. If it's GPL, then any developer, contractor, sysadmin, or random private who comes across the code can walk it right off the base, and no one can legally stop him.

    (I suppose for some categories of software, the benefit to Iraq might be low enough that the Army truly wouldn't mind giving them a copy- especially if the hardware is permanently beyond their reach)

  22. Embedded devices by phr2 · · Score: 4, Interesting
    That was a very good answer, and as a GPL'd code author I don't mind the military using my code but I'm quite happy to not have it be used directly in bombs.

    That brings up the question of embedded devices in general, e.g. what if the binary is in night vision goggles or a satellite radio issued to troops? They presumably can't be given the classified source code. I discussed embedded devices with RMS a long time ago and back then, he seemed to think it was technically a GPL violation, but if the code in the device can't be changed (i.e. it's in ROM) then it didn't really count as software, so he wasn't too worried. At that time, embedded CPU's weren't so ubiquitous and those that existed were mostly tiny and didn't run much GPL'd code. It might be time for a more formal policy on stuff like this.

    Of course, the GPL'd code owner can always grant GPL exemptions for specific purposes (the GPL itself has a clause saying this and I think the FSF has given a few exemptions in the past), so the surest way to be in good standing is if you can get permission from the owner.

    Disclaimer: IANAL and I don't speak for the FSF.

  23. Re:License it? by Spoing · · Score: 3, Funny
    The downside to this, other than potentially having to track down every author is that you'd have to give the author a reason for wanting the license. That would probably compromise the security of the project, at least potentially. Even saying "the use will be classified" is probably too much information in some instances.
    1. Govmnt guy: "We need to have a private copy of your software. Can we buy it?"

      Me: "Hmmm...OK." (Govmnt gives money, Me gives Govmnt new licence.)

      Me: "Do I have to claim this on my taxes?"

      Govmnt guy: "Yessss."

      Me: "By the way, what are you going to do with your new software, anyway?"

      Govmnt guy: "It's classified."

      Me: "Oh, really?" (Govmnt guy hands over more money.)

    Doesn't seem like a problem to me!

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  24. Two points on Classified work... by trims · · Score: 5, Informative

    First off, run, do not walk, do not pass go, straight to the base/department legal department. Do not attempt to do ANYTHING until they OK it - the regulations surrounding secret-level work are inordinately hairy and convoluted, and only a lawyer specialized in classified-work law can answer your question definitively.

    The other note, which is useful when discussing this with aforementioned lawyer: any work done under a Classified label (or higher) has different rules than "normal" work. Basically, any license that gets applied to the code only applies to those with a clearance at least as high as the code was written. Thus, if your code is Classified, I don't care if it has the BSD license, GPL, Bob's SuperFree License, or whatnot. Anyone without a Classified clearance isn't entitled to see it. Period.

    This is a case where the murky grounds of National Security trumps Copyright (and other Intellectual Property) law. The law still holds, but it's restricted to the circle of security it's at.

    National Security law basically allows you to use anybody else's code, provided you compensate them in a just and reasonable manner. As far as I've experienced, this means that you have to pay them the basic asking price on the free (i.e. non-classified) market, and they don't get to say "no, you can't use it". For GPL/BSD/Open Source licenses, the asking price is Free, so well, they've been "compensated" as they normally would.

    In this case, Classified work can certainly suck in Open Source code and not release it until it gets unClassified. And, as a side note, there is no "leaking" - people are not entitled to distribute code to non-cleared people, so it's not like Trade Secrets. It stays locked up until it's declassified.

    -Erik

    --
    There are always four sides to every story: your side, their side, the truth, and what really happened.
  25. Sweet! by roystgnr · · Score: 3, Interesting

    I hereby declare that I and everyone I know form a conglomerate "organization", and as such we will only be purchasing copyrighted material collectively in the future. Because we will only be redistributing this material within our own organization, and not to anyone outside it, we should be exempt from copyright restrictions, right?

  26. Contracts vs. laws by coyote-san · · Score: 4, Informative

    You're missing an important distinction here. The GPL limits what restrictions (none) you can place on redistribution of source code as a term of the license CONTRACT.

    Security classifications, in contrast, are a matter of LAW.

    This is an important distinction that comes up periodically. E.g., there's a fair amount of software that is used to control the operation of amateur radio station equipment. The licenses inevitably require that the user have suitable FCC (or local equivalent) certification suitable for the operation of this equipment, probably due to FCC regulations. Does this violate the GPL? I would argue it doesn't - it's the FCC that requires a license to operate the equipment, not the author, and the sole purpose of this restriction is to limit the author's liability in those cases when the receiver acts in bad faith.

    Ditto the occasional licenses that require the receiver be old enough to enter into a binding contract. Of course it's silly to say that a 17-year-old can't make valuable contributions, but the law says that contracts with 17-year-olds are never binding except for some relatively rare circumstances. (E.g., they can be emancipated by a court, by enlistment in the military, or by marriage. Or it could be a "necessity" such as a contract for housing.)

    I think the same argument can be made here. Are you willing to make the source code available to any agency legally entitled to view it? If so, then I think you can still use the GPL.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken