ADTI Whitepaper Released
"Another security concern is that the primary distribution channel for GPL open source is the Internet. As opposed to proprietary vendors, open source is freely downloaded. However, software in the public domain could contain a critical problem, a backdoor or worse, a dangerous virus."
Reverse engineering "harbors very close to IP infringement because and has staggering economic implications." [sic]
"On a lighter note, while many open source enthusiasts are proponents for copyleft, they insist on trademark protection for their ideas."
"If a software application representing 5000 hours uses GPL code that reflects only 100 hours, is the GPL fair in its argument that the entire product is GPL? This point is of considerable concern to software companies that value their secrets, design and architecture strategies. Proponents of the GPL argue that each party in the exchange is benefiting equally, but without a means to properly make this evaluation, this position at best is over-assuming."
"The federal government's information systems requirements intersect countless sensitive operations. The limitless potential for holes and back doors in an open source product would require unyielding scrutiny by staff that decided to use it. For example, if the Federal Aviation Agency were to develop an application (derived from open source) which controlled 747 flight patterns, a number of issues easily become national security questions such as: Would it be prudent for the FAA to use software that thousands of unknown programmers have intimate knowledge of for something this critical? Could the FAA take the chance that these unknown programmers have not shared the source code accidentally with the wrong parties? Would the FAA's decision to use software in the public domain invite computer 'hackers' more readily than proprietary products?"
here is my mirror of the "old" report, safely out of the reach of the DMCIA...
There is a big distinction between the GPL and the BSD-style licenses. The GPL is all about making sure that people who use GPL licensed code release their new code under the GPL too. The intention is to create more GPLed code. The BSD license is about propagating quality code. The idea is that if you think your code is a good implementation of something, you release it under the BSD, which allows anyone to use it in their own applications without being restricted in how they license their own code at all. A BSD coder doesn't care what use their code is put to or who profits from it, they just want it to be used. That's a pretty big difference :-)
This paper was prepared as part of The MITRE Corporation's FY00 Mission-Oriented Investigation and Experimentation (MOIE) research project "Open Source Software in Military Systems." This paper analyzes the business case of open source software. It is intended to help Program Managers evaluate whether open source software and development methodologies are applicable to their technology programs. In the Executive Summary, the paper explains open source, describes its significance, compares open source to traditional commercial off-the-shelf (COTS) products, presents the military business case, shows the applicability of Linux to the military business case, analyzes the use of Linux, discusses anomalies, and provides considerations for military Program Managers. The paper also provides a history of Unix and Linux, presents a business case model, and analyzes the commercial business case of Linux.
The FAA has incredibly strict requirements for software critical to keeping a plane in the air. Open Source or not, every single line must be proven to do exactly what it needs to, and the entire system must be deterministic (meet real-time requirements, such as knowing the maximum latency for interrupt processing). The FAA itself should be giving these jokers an earful - this is pure FUD.
Check out Thomas Greene's article at the Register, a great critique.
I read the GPL and I don't see any provision mandating that if I use the code or modify the code that I MUST redistribute it.
Only provisions that I see state that if I DO distribute it, I must mark it clearly that I modified it and my changes must be GPL.
Where does it say I MUST redistribute my changes?
-- Many men would appreciate a woman's mind more if they could fondle it
GPL vs Open Source is a clearly different thing. GPL means the code is free to be used by anyone, provided they release _all_ their code as GPL.
Open source just means the code is visible to anyone. This gives 3rd-parties an easier time making programs which work with yours.
Their main points are that GPL is flawed due to requiring anything which uses GPLd code [no matter how little] to be licensed under the GPL; and, that most GPL projects encourage many unverifiable developers to take part in the project, resulting in potential malicious code being inserted without anyone else taking notice.
Remember: Open-Source does not mean FREE software, it doesn't even mean "Libre" software, it just means that you can see the code. That is _ALL_ it means.
The internet would not have become so popular if not for the ease of looking at the code a page is displayed by, and learning from that code. Does that mean that you can legally copy word-for-word a copyrighted web page? Of course not. But can you build a related site that offers a seamless transition in style of display between the websites? Of course you can.
Open Source allows you to see what someone did, how they did it, and then use that in order to make something which can work alongside the original product. Neither of you is required to give away anything for free, and why would you want to?
GPL, however, is known as a "Viral" license, in that using code from something licensed under the GPL requires that your code is now GPL-infected. I personally have no problem with this, since there is a simple protection from this so-called "Virus" by just NOT USING GPL'd CODE IN SOMETHING YOU DON'T WANT TO GIVE AWAY THE SOURCE TO.
I don't think the GPL has anything against reverse-engineering in it, so anyone who wants their program to work with GPLd software but doesn't want to use GPL is no worse off than if the others weren't using GPL.
Opponents of Open-Source don't seem to understand that while you can't trust an individual, that individual's code has to work well with everyone else involved in the project. The result is that not only will this untrustworthy individual be sneaking in his code, but he'll be doing it with everyone else watching. You would have to expect that not just the one person, but everyone working on the project, was out to get you. If you assume that, then you're still a lot better off than the same situation occurring with closed-source software. In fact, due to the GPL's "Viral" nature, you are far better off under the GPL. Remember: millions of people able to be intimately familiar with the code means millions of people able to see a problem. If you use the infected [two-meanings] code in your program, then yours is now GPL'd, and not only will everyone who was working with the other software have the potential to spot a problem, but everyone working with your software can too. This just increases the chance that the problem will be found.
If, on the other hand, it is merely "Open-Source", not "GPL'd" then the number of people potentially working with your code is vastly reduced. Instead of people writing code and wanting to contribute it to the project, they'll just be writing it for themselves. If they were contributing to the project, able to redistribute it themselves, they could use the code, other people could see what they were working on, help out, and in general just have more people working on the code.
The article seems to think that the more people work on code, the worse off they are, due to the increased likelihood of malicious code being inserted. However, the more people work on the code, the more chance there is of malicious code being caught.
I would hope that there is some law in place which makes writing malicious code into open software just as much a crime as writing any other virus, the only problem is that it would be harder to determine from where the code originated.
I just said a bunch of random stuff and not all of it is accurate or precise or true or meaningful. So just ignore everything I said, k'?
-- 'The' Lord and Master Bitman On High, Master Of All
Wish I had kept my old sig...
"Don't like the 'viral' nature of the GPL? Try this: WRITE YOUR OWN CODE"
If a business doesn't want to give away their code, they shouldn't weave in GPL source to begin with. If they do so, it's their OWN damn fault, not the GPL's.
Secondly, I still fail to see how this has anything to do with security. Open source is open source - whether released BSD/MIT style or GPL, it's STILL "open to hackers", which I thought was the point of the whole "risk" of Open Source security in the first place.
The Free desktop that Just Works
The GPL is one of the most uniquely restrictive product agreements in the technology industry.
And, yes, they have clicked OK to proprietary licenses much more restrictive than the GPL. These lines appear within their PDF file:
This simple fact can be easily verified with a command such as "strings old_opensource_whitepaper.pdf | grep ^/"
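The same check, as an added example that is not from the thread: a minimal PDF is constructed inline (its /Producer and /Creator values are made up), and the poster's `strings ... | grep ^/` is emulated with POSIX `tr` so it runs where `strings` is absent.

```shell
#!/bin/sh
# Added example (not from the thread). A PDF's Info dictionary carries
# /Producer and /Creator name keys that reveal the authoring tool.
# Caveat: PDFs written with compressed object streams (PDF 1.5+) hide
# these keys from a plain text scan; decompress first (e.g. qpdf --qdf).

# Constructed, deliberately minimal PDF with one Info key per line.
SAMPLE_PDF='%PDF-1.3
1 0 obj
<<
/Type /Catalog
/Pages 2 0 R
>>
endobj
3 0 obj
<<
/Producer (ExampleWriter 1.0 for Windows)
/Creator (ExampleOffice 9.0)
/Title (constructed sample)
>>
endobj
trailer
<< /Root 1 0 R /Info 3 0 R >>
%%EOF'

# pdf_name_lines FILE: emulate `strings FILE | grep ^/` with POSIX tools.
# Every non-printable byte becomes a line break, so each printable run
# lands on its own line; keep only runs that begin with a PDF name object.
pdf_name_lines() {
    tr -c '[:print:]' '\n' < "$1" | grep '^/'
}

# pdf_info_value FILE KEY: the literal-string value of one Info key
# (e.g. Producer), or empty if the key is absent or not a (...) string.
pdf_info_value() {
    pdf_name_lines "$1" | sed -n "s|^/$2 *(\(.*\))|\1|p" | head -n 1
}

# Write the constructed sample to a temp file and run the check.
TMP_PDF=$(mktemp)
printf '%s\n' "$SAMPLE_PDF" > "$TMP_PDF"
pdf_name_lines "$TMP_PDF"
echo "Produced by: $(pdf_info_value "$TMP_PDF" Producer)"
```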
PJRC: Electronic Projects, 8051 Microcontroller Tools
You're correct about the risk, but the Government has strict standards that systems must adhere to, both when they go into production and when they are in initial development. The Common Criteria site has a listing of protection profiles that basically spell out all the requirements a system must adhere to in order to be considered 'secure.' In the Labeled Security Protection Profile (and likely the others...I'm only familiar with this one) there is a section that basically states that "the developer must use a content management system" and provide all documentation for how it functions, is administered, and how changes to the content are tracked.
In other words if any government group were to use an open source product or start one of their own they are still required to keep their copy of the source tree for the code under rigid, monitored control to ensure what happened to irssi and FragRoute could not happen to their project.
I'm not saying that CVS will be the total solution to this problem, but it's nice to see that they do have measures built-in to mitigate the risks.
--Kylus
Idiot-proof something, and Life will build a better Idiot.
This story came out early last week and is just a load of FUD. ADTI has no credibility and is funded by Microsoft (which Microsoft admitted to).
These are the same guys who claimed that second hand smoke isn't harmful. Their panel of experts contained Scientists and Doctors who had previously been employed by the Tobacco industry.
Article Link
Do a search for ADTI in article.
You can view the article at Phillip Morris Tobaccos archive.
See:
Article Link
Or the PDF at:
PDF Link
Of course this guy is funded under the table by Gates and his minions.
I googled for Andre Carter of Irimi Corpn whose comments Mr. Kenneth (or whatever frickin name he has) values more than anything else and this is what I found:
One pro-Microsoft observer credited Gates with being precise and helpful. "His testimony has been soaked with real-world examples, [and it shows] he understands the ramifications of how the states [want to affect his business]," said E. Andre Carter, CEO of Irimi, a Washington-based mobile and wireless consultancy, who also works for the pro-Microsoft lobbying group Americans for Technology Leadership.
BINGO!
When idiots like these make money by lying through their teeth, spread FUD and otherwise confuse the idiots who make decisions in the Senate and everywhere else, this industry, this country and the world we live in has such a fucked up future.
Rapid Nirvana
first of all, if the 100 hours is GPLd, then the GPL isn't 'arguing' anything -- the rest *is* GPLd, according to the GPL.
People make this mistake all the time, but it is a mistake. If someone includes some GPL'ed work into a larger work, the larger work is not magically licensed under the GPL. (Nor, for that matter, is the copyright of the larger work magically made the property of the FSF). Instead, what becomes true is that the ensemble work cannot be legally distributed without violating the terms of the (GPL) license for the 100 hours.
In this eventuality, what would happen would be that the copyright holder for that 100 hours of labor would sue the infringer, and in the best of all worlds, the infringer would be obligated through an injunction to cease distribution of the offending code. If the copyright holder for the 100 hours was willing, some monetary arrangement might be reached in return for an alternate license for the 100 hours of code.
The problematic case is where the 100 hours of code was written by five coders spread over the planet, and nobody bothered to track who had copyright over what piece of the code. In that instance, all five coders should agree to the relicensing. If one of the coders does not agree to the relicensing, then the problem of how to clean up the 5000+100 hours of code devolves into one of cleaning up the 100 hours of code.
There is nothing in the GPL that forces anyone to license code under the GPL, no matter how Microsoft may wish to construe it.
- jon
Ganymede, a GPL'ed metadirectory for UNIX