Slashdot Mirror


Microsoft Battles Free Software at Pentagon

Spirit of Ishmael writes "The May 22 Washington Post is running a story under the headline Microsoft Fights Free Software at Pentagon. According to the story: 'Microsoft Corp. is aggressively lobbying the Pentagon to squelch its growing use of freely distributed computer software and switch to proprietary systems such as those sold by the software giant, according to officials familiar with the campaign.'"

21 of 679 comments

  1. NSA's Security-Enhanced Linux by Broadcatch · · Score: 2, Informative

    See their selinux page.

    --

    The antidote for misuse of freedom of speech is more freedom of speech.
    -- Molly Ivins

  2. Re:Nothing like drumming up business for yourself by MrResistor · · Score: 5, Informative

    Mitre has been tight with the government since just about the dawn of time. They were one of the originators of what became the internet. At this point, I doubt Mitre has much difficulty getting contracts, especially from the DoD, since they have such a long-standing relationship. I think it is significant, however, that Mitre is pushing Linux. That, even more so than IBM's efforts, tells me that Linux has made it to the big time.

    --
    Under capitalism man exploits man. Under communism it's the other way around.
  3. The Navy Loves Windows NT! by toupsie · · Score: 5, Informative
    The US Navy "Smart Ship" Yorktown was outfitted completely with Windows NT to run the ship's systems. Because of a Divide By Zero bug, the Aegis missile cruiser became dead in the water in 1997 and had to be towed back to dock. Windows NT had frozen the propulsion systems.

    At least with an open source system, they could have patched the code and moved on. But with the closed source Windows NT system, the USS Yorktown had to be towed into harbor and let the boys from Redmond check under the hood.

    Thank God it was peacetime..

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.
    1. Re:The Navy Loves Windows NT! by T.E.D. · · Score: 3, Informative
      Why in the fuck was the navy using Windows NT, when they could have been using Solaris or Linux or even fucking HP-UX?


      See my reply to the parent of this post for the answer to this question. The executive summary is that it was a political, not technical decision. If it was technical, they would have been following their own policies, which would mean it would have been migrated (rather than developed from scratch) to HP/UX boxes using Ada (HP/UX was their standard OS at the time, and Ada their standard language), which together would have provided orders of magnitude more reliability.
    2. Re:The Navy Loves Windows NT! by T.E.D. · · Score: 3, Informative
      Do you have any evidence that Ada increases software reliability? I've used Ada for about 5 years and I haven't seen any significant difference in reliability between Ada applications and those written in other languages such as C++.


      Actually Rational (the compiler and process folks) did an exhaustive study on this. Their findings were that they had about 2x the productivity in Ada than they did in C, and 1/4th the bugs. You can read the findings yourself
      (Note: before you post replies with possible reasons why their results were wrong, read the study. Just about every flaw imaginable was looked into.)

      It's very tough to do such studies, so there aren't a lot of other studies around for comparison. I'm aware of a couple of other informal ones with CS students, (which were interesting, but I wouldn't bet my project on) and that's about it. Rational just happened to have the data available and the expertise to study it. But even the informal studies I've seen give Ada the nod for reliability. The only thing that seems to come close is Java.

      This makes sense when you consider that Ada is the only language that was designed from the start for use in "life-critical" applications.

      Most of the Ada vendors have gone out of business so I guess Ada would be a great open source project. You aren't going to get any technical support for the compiler so you might as well have the source.


      Most compiler vendors in general have gone out of business, so that really doesn't mean much. What is significant is that there are 4 (perhaps more I don't know about) Ada compiler vendors currently supporting Windows, which is more than can be said for C++ and Java.

      As for Ada being a great OpenSource project you are right, but not for the reason you think. I guess you didn't realise that the Gnu Ada compiler not only exists, but is now in the official gcc baseline.

      However, I've always had great support from my proprietary compiler vendors too. I'd love to see someone try to get the level of vendor support I receive from GreenHills and Aonix from Microsoft for VC++.

      ACT is actually one of the very few Free Software commercial success stories, so you are quite likely to hear about them if you ever attend an RMS talk. I've seen no less than 3 transcripts where he mentioned them or their Gnu Ada compiler in reference to a question about commercial Free Software.
    3. Re:The Navy Loves Windows NT! by sheldon · · Score: 2, Informative

      That sounds great except there is no VREDIR.DLL on Windows NT. That's a Windows 95 thing, or even Windows for Workgroups... VREDIR.VXD, VREDIR.386 respectively.

      The redirector in Windows NT is RDR.SYS.

      Access 1.1 also was a Win16 application, which makes your explanation seem even more interesting and I'm wondering if you aren't confusing Windows for Workgroups with NT.

      BTW, both CodeRed and Nimda had had patches available for them from Microsoft for months prior to their exploits. Also in both cases if you had followed Microsoft's instructions for locking down IIS neither worm would have impacted you.

      I hate to be critical but I don't think people who obviously know nothing about NT are really in a position to be critical of the OS.

  4. MS vs National Security by Alien54 · · Score: 4, Informative
    Wasn't there an article the other day citing

    "a senior Microsoft Corp. executive [who] told a federal court last week that sharing information with competitors could damage national security and even threaten the U.S. war effort in Afghanistan. He later acknowledged that some Microsoft code was so flawed it could not be safely disclosed."

    Which would be a national security threat?

    And they wonder why the Pentagon is Doubtful?

    It certainly doesn't sound like something worthy of milspec regulations.

    --
    "It is a greater offense to steal men's labor, than their clothes"
  5. An error in the article by fava · · Score: 3, Informative
    A Quote.
    The theory is that by putting source code in the public domain, programmers worldwide can improve software by sharing one another's work.
    One thing that the GPL is NOT is public domain.

    Public domain means that the copyright holders relinquish any claim that they might have.

    Public domain is for those who think that the BSD licence is not free enough.

  6. Re:How to spot bias by Amazing+Quantum+Man · · Score: 4, Informative

    Denning was one of the main professors pushing Clipper.

    --
    Fascism starts when the efficiency of the government becomes more important than the rights of the people.
  7. Re:Under GPL NSA must release source code? by ProfMoriarty · · Score: 3, Informative
    What could the NSA do to compel them to show us what modifications they made?

    Uhmmm ... you already answered your own question ... partially.

    You are free to make modifications and use them privately, without ever releasing them.

    and ...

    But if you release the modified version to the public in some way, the GPL requires you to make the modified source code available to the users, under the GPL.

    So ... no release to the public, no need to mention what was secured.

    --
    Karma? Karma? I don't need no stinkin' karma.
  8. Re:Under GPL NSA must release source code? by Animats · · Score: 5, Informative
    NSA does release the source code for Security-Enhanced Linux. Click on the above link for the project page and download.

    SELinux is not well understood. NSA has built a version of Linux with a mandatory security module. The idea is to allow people to experiment with a system that enforces mandatory security (which can be tough to live with) and to develop apps that can work within that model.

    If you want to move things along, download SELinux and make some application work within a mandatory security model.

  9. Re:What do you expect? by Anonymous Coward · · Score: 1, Informative
    List of US planes (nowhere near complete, either) that have been sold to foreign governments:

    F-15

    F-14 (Iran!)

    C-130

    AWACS

    F-16

    F-18

    Probably about the only thing that hasn't been sold are the Stealth planes - F-117 and F-22.

    Who needs the plans when they can get the whole damn plane?

  10. Parent is correct by Anonymous Coward · · Score: 1, Informative

    From Scientific American:

    According to Lieutenant Commander Roderick Fraser, who was the chief engineer on board the ship at the time of the incident, the fault was with certain applications that were developed by CAE Electronics in Leesburg, Va. As Harvey McKelvey, former director of navy programs for CAE, admits, "If you want to put a stick in anybody's eye, it should be in ours." But McKelvey adds that the crash would not have happened if the navy had been using a production version of the CAE software, which he asserts has safeguards to prevent the type of failure that occurred.

  11. Re:What are their selling points? by OrangeTrafficCone · · Score: 2, Informative
    Here is a battle I fought (and won) in the bowels of the Pentagon, when I was a lowly enlisted man (USAF) in 1994:

    Boss: You need to update the documentation for your system [IBM RS/6000 running AIX]; use MSWord.
    Me: That format is not standard; we need to use HTML.
    Boss: Not standard? Of course it's standard, everyone with Windows has MSWord.
    Me: Not everyone is using Windows; most members of our team use XStations.
    Boss: Hmm, will I be able to read the documents from here [Windows 3.x]?
    Me: Yes, just as I am reading them from here [FreeBSD running on same class of hardware as boss], or from here [XStation connected to internal RS/6000].
    Boss: Ok, I suppose you can do that.

    Considering the previous format was troff, which only I (in a shop of 6 people) could still read and write, HTML seemed the logical choice.

    I shudder to think of how I would have viewed the docs on the XStation on the production floor if we had to use MS products...

  12. Re:Nothing like drumming up business for yourself by Cowculator · · Score: 4, Informative

    As someone who has worked for MITRE, I know there's a reason that it "has been tight with the government since just about the dawn of time:" That's the company's purpose. It's a private company whose mission is to provide independent contracting for the government, so it has all the benefits of being able to do cool scientific research for DoD, DoE, the military, etc. with all the benefits of not actually being a government agency.

    What this means is that a large number of its employees have advanced degrees - especially Ph.Ds - in scientific fields, so they have probably done their share of academic research in various *nices. They're used to it, and it's definitely pervasive throughout the company - plenty of Linux machines as well as Solaris and others - because they know they can use it for research and they don't have to worry about government licensing and other paperwork when buying their own equipment. They're free to push these systems all they want because they know they work and they have plenty of freedoms that a normal government agency might not have.

  13. Re:Steve Ballmer, unplugged. by regen · · Score: 3, Informative
    SIAC - the folks who run the networks for the stock exchanges, have cut over some mission-critical functionality over to Linux.

    As one of the people who developed the ARTmail network at SIAC (The application running on linux), I can tell you that it is not mission critical.

    The mission critical applications run on MVS, Solaris, HP/UX, Tru64, and a few other obscure commercial unices but not Linux. Most of the mission critical apps actually run on MVS.

  14. Nice to see more advocates of free software at DoD by stress4dad · · Score: 2, Informative

    I left the military a year ago, and I was always a big proponent of free software, particularly Linux and free clones of mathematical software (e.g. R, SciLab, etc...). Using free software for stand alone "research" purposes was never a big deal, but once you hooked that computer up to a network, it was like you had committed high treason. The biggest hurdle to overcome in the DoD is getting an established base of network administrators who are WILLING to invest the TIME and EFFORT into following the DoD procedures for ensuring software functionality and security. Like most IT shops, DoD IT is underfunded and overtasked, and can barely keep up with the minimum requirements they have. What will probably shift the balance in the future is when someone who used Linux in graduate school (most military officers DO go to graduate school at some point in their career) gets promoted to high enough position and says, "Do it!"

  15. You're right - mostly by DG · · Score: 3, Informative

    I don't think Microsoft is losing much actual money to Linux and Open Source just yet - but they can see the writing on the wall.

    I was at the very first Perl conference a few years ago, when ESR presented CatB for the first (?) time. At that point, I wasn't really into the whole Free Software/Open Source thing; I just really liked Perl and was there to learn more about it.

    Sitting there, listening to ESR, it hit me like a bolt of lightning; one of those ultra-rare flashes of "Eureka!" Commercial software, as embodied by Microsoft, was dead in the water. Open Source and the Internet had created - actually, had *evolved* - a new design method that would eventually supplant all commercial software development with mathematical certainty.

    It's like when you're playing solitaire, and you get to the point in the game where you've won, and all the other moves are just the playing out of the algorithm.

    Mind you, the time involved with the "playing out of the algorithm" as far as software development is concerned will still take years, but unless there is a dramatic change in the conditions under which software is developed and distributed, the Open Source/Free Software juggernaut is mathematically unstoppable.

    Microsoft is the woolly mammoth eying the ice sheet creeping steadily southwards.

    The people who run Microsoft, while they may be supremely arrogant, are not stupid. It may have taken them a little while to actually _believe_ that they were vulnerable, but they seem to understand it now, and they have gotten religion in a big way.

    They understand that they cannot possibly compete with Open Source on the merits - they lose on price (free vs $$) they lose on quality (given enough eyeballs, all bugs are shallow) and increasingly, they lose on response time as well (not even Microsoft can hope to employ as many developers as work on Open Source projects)

    They can't even fall on the old Microsoft technique of last resort - buy the competitor's company - because Open Source is by definition decentralized. It cannot be killed, it can only be outcompeted.

    (That's not to say Open Source as it exists today is perfect - it most definitely has flaws. But as the ice sheet grinds southwards, these flaws tend to be (slowly) rectified. The number of niches where Microsoft can "beat" Open Source grows smaller every day.)

    They only have themselves to blame for this. Microsoft has been the ultimate predator, culling the herd of lesser methods and companies, and in doing so, has forced the evolution of an even tougher force than itself.

    What we're seeing now is a desperate attempt by Microsoft to try and change the conditions that allow the Open Source development method to work so well, because that is their only chance at mounting anything like a successful defence. Too bad that they made so many enemies on the way to the top; they are finding few allies.

    I have to admit that it's nice to watch all the panic. Turnabout IS fair play.

    DG

    --
    Want to learn about race cars? Read my Book
  16. Not an issue by Anonymous Coward · · Score: 1, Informative

    See how everyone, even on /. is buying into Microsoft's FUD? Everyone's worrying about special cases with the GPL when the real issues are about licensing in general.

    Let's say you do combine GPL code with proprietary binary-only code somehow. Can you distribute it? No. Because the GPL is an intellectual property destroyer? No.

    You cannot distribute it because doing so would violate not just the GPL but the closed-source license as well.

    In fact, your legal liability is much greater from the closed-source license, because now Microsoft can come in and sue you for millions of dollars whereas the FSF can only ask you to open up all the source, but if you don't have it, or any legal claim to it....

    But you could easily get around this by just distributing the source that you modified. "Here's a fork of OpenProgram that makes use of ClosedBinaries. You need to get your own copy of ClosedBinaries and compile."

    But the moral of the story, boys and girls, is that if something is a violation of the GPL, you can bet your ass that it's a violation of Microsoft's EULA.

  17. Re:Where is the Mitre report the Wash. Post cites? by place4linux · · Score: 2, Informative

    I believe this is the report they're talking about...

    http://www.mitre.org/pubs/edge_perspectives/march_01/index.htm

  18. Mitre: Assuring the Safety and Security of COTS So by SgtChaireBourne · · Score: 2, Informative
    That looks like it. The section Assuring the Safety and Security of COTS Software Products sums it up in the points quoted below. 2, 4, and 5 ping most closed source solutions and especially, given their business practices, Microsoft. Points 3, 5, and 6 imply Open Source / Free software based on practices. The last point names it explicitly.

    It's mostly common sense, but common sense is forgotten too often. Since that which goes without saying often goes unsaid, it's useful to see these published. That Mitre has published is extra useful because of their reputation and weight.

    Assuring the safety and security of COTS products is difficult because:
    • The rush to market means end users become testers.
    • COTS products have an unknown pedigree (who developed it, what process was used).
    • The absence of source code precludes some analyses to certify the code, and it may be illegal to do reverse engineering of commercial products to deduce the code.
    • Systems may not use all the features of COTS software but the unused features may have an undesirable effect on the behavior and resource consumption of the product.
    Suggestions for managing these risks include:
    • Determine if the vendor publishes all errors reported by users.
    • Tap into user communities that do disseminate information on errors, problems, and solutions.
    • Design the system to be defensive about COTS products performing critical functions by creating checks and bounds on the damage they can do if they perform incorrectly.
    • Use open source products in order to be able to obtain and analyze the source code.
    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.