Slashdot Mirror


ADTI Whitepaper Released

Dave Wreski Writes: "This PDF article, written by Kenneth Brown of ADTI, attempts to explain that "Open source GPL use by government agencies could easily become a nation security concern. Government use of software in the public domain is exceptionally risky." The paper has been taken down since this reader submitted the link -- they promise to replace it by the end of the day -- but as of right now, it's still available here. Their accompanying press release is out too. You might remember that we ran a story on this whitepaper earlier. At the time, a CNET story said that it was going to link open-source to terrorism; it does so in a glancing reference on p. 8 to the FAA and "national security." But the thrust of the paper is "GPL bad, open-source good," coincidentally Microsoft's position, as was hinted at in NewsForge's interview last week. In case they take the second copy of the paper down, we'll include some teaser quotes for you below. Update by HeUnique: The Register has a nice critique of this paper.

"Another security concern is that the primary distribution channel for GPL open source is the Internet. As opposed to proprietary vendors, open source is freely downloaded. However, software in the public domain could contain a critical problem, a backdoor or worse, a dangerous virus."

Reverse engineering "harbors very close to IP infringement because and has staggering economic implications." [sic]

"On a lighter note, while many open source enthusiasts are proponents for copyleft, they insist on trademark protection for their ideas."

"If a software application representing 5000 hours uses GPL code that reflects only 100 hours, is the GPL fair in its argument that the entire product is GPL? This point is of considerable concern to software companies that value their secrets, design and architecture strategies. Proponents of the GPL argue that each party in the exchange is benefiting equally, but without a means to properly make this evaluation, this position at best is over-assuming."

"The federal government's information systems requirements intersect countless sensitive operations. The limitless potential for holes and back doors in an open source product would require unyielding scrutiny by staff that decided to use it. For example, if the Federal Aviation Agency were to develop an application (derived from open source) which controlled 747 flight patterns, a number of issues easily become national security questions such as: Would it be prudent for the FAA to use software that thousands of unknown programmers have intimate knowledge of for something this critical? Could the FAA take the chance that these unknown programmers have not shared the source code accidentally with the wrong parties? Would the FAA's decision to use software in the public domain invite computer 'hackers' more readily than proprietary products?"

39 of 560 comments

  1. frame of reference? by Jucius Maximus · · Score: 5, Insightful
    "Open source GPL use by government agencies could easily become a nation security concern. Government use of software in the public domain is exceptionally risky."

    A valid concern.

    But is it more or less risky in comparison to using closed source software?

  2. Sad by 4of12 · · Score: 5, Insightful

    I can't be the only one saddened to see the name of Alexis de Tocqueville besmirched by being associated with a think tank for hire.

    His insights into America of the early 19th century were profound.

    Meanwhile, the points of this paper, besides being wide of the mark in assessing the truth, are not even particularly original - other fear mongers have trotted out the same vague bogeymen prior to the publication of this report. And those objections to open source have no more basis in fact now than they did when they were originally brought out.

    --
    "Provided by the management for your protection."
  3. Sounds good to the ignorant by mcfiddish · · Score: 2, Insightful

    I'm always amazed at the flat-out bullshit that gets published as "research". I guess I shouldn't be, since it all sounds good to someone who doesn't know anything about anything.

    Where are the "think tanks" that actually have people who can think critically?

    1. Re: Sounds good to the ignorant by Black Parrot · · Score: 5, Insightful


      > Where are the "think tanks" that actually have people who can think critically?

      Think tanks only need to think critically enough to fool their intended audience.

      And this is for consumption by businessmen, legislators, and bureaucrats, so...

      --
      Sheesh, evil *and* a jerk. -- Jade
    2. Re:Sounds good to the ignorant by thaddjuice · · Score: 2, Insightful

      Where are the "think tanks" that actually have people who can think critically?

      The fact of the matter is that objective think tanks just don't exist because there aren't any companies out there that want to fund truly objective research.

      They want the research to show what they want it to show.

      --
      Find me in ~/.sig
  4. Obvious Answer ... by BoyPlankton · · Score: 5, Insightful

    "If a software application representing 5000 hours uses GPL code that reflects only 100 hours, is the GPL fair in its argument that the entire product is GPL? This point is of considerable concern to software companies that value their secrets, design and architecture strategies. Proponents of the GPL argue that each party in the exchange is benefiting equally, but without a means to properly make this evaluation, this position at best is over-assuming."

    If you don't want your app to be GPL, and you've already spent 5000 hours coding it, might as well spend another 100 writing that piece instead of cutting and pasting.

    1. Re:Obvious Answer ... by taniwha · · Score: 3, Insightful
      exactly - it's up to the writer of the 100 hour bit to decide how he/she wants to license it - GPL doesn't mean you HAVE to use someone's code - it just describes a particular set of conditions under which you can.



      BTW 100 hours is a ridiculously small number - certainly below the threshold where even if you're considering licensing a commercial package it's probably not worth the lawyer time to write a contract

    2. Re:Obvious Answer ... by lynx_user_abroad · · Score: 4, Insightful
      If a software application representing 5000 hours uses GPL code that reflects only 100 hours, is the GPL fair in its argument that the entire product is GPL?

      If I have 5000 hours of video in my library, but only 100 hours of that is copyrighted by Hollywood, is the MPAA being fair in their argument that I'm stealing from them?

      --

      The thing about things we don't know is we often don't know we don't know them.

    3. Re:Obvious Answer ... by 1010011010 · · Score: 3, Insightful

      I posted this earlier, but it seems like an appropriate response here.

      "If a software application representing 5000 hours uses GPL code that reflects only 100 hours, is the GPL fair in its argument that the entire product is GPL? After all, if proprietary software vendors don't like the terms of a software license, they should not reasonably be expected to abide by it. This point is of considerable concern to software companies who wish to use the work of other without compensation -- 'pirating' the free software, to use a popular industry term. Proponents of the GPL argue that each party in the exchange benefits, which is the basis for a free, capitalist society, but proprietary software vendors don't always like this arrangement. Interestingly, proprietary software vendors often include highly restrictive and draconian licenses with their products, and disallow all use of them by any other developers; this, somehow, is presented by them as the 'fair market solution' -- what's ours is ours, and what's yours is ours."

      --
      Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
    4. Re:Obvious Answer ... by taniwha · · Score: 4, Insightful

      just because something can be done doesn't mean it should be done. what if they budgeted for exactly 5000 hours?

      but you knew it was GPL'd up front when you decided to use it right? if so then you budgeted for it - either to replace it with your own or to negotiate a non-GPL license from the author. If you didn't do either then you're lying to yourself (or your boss) and you are going to screw yourself.

      In the real world there are good reasons to use GPL and LGPL - it depends on what your goals are - GPL tends to encourage other people to add to your code and give it back to the greater community (Linux, KDE, Gnome etc)- long term you get back your stuff in a better state (and other stuff from other people) and you win - you help create a community of people who want to make stuff and share it with you - humans have been coming together in communities for all of recorded history because it's in our individual interests to live and work together.

      On the other hand LGPL addresses a wider audience - you might have different reasons for using it - you like the idea of more people using your stuff, you want to be able to say "my code's running in that game/app/whatever", lots of people lent on you to LGPL it and you caved, you feel that with a wider audience more people will use it and you feel that forcing people to publish their changes to it will cause it to become better faster.

      My point is of course that neither of these are necessarily "good" or "bad" but that they are vehicles of their authors and because those authors put their time and effort into the project they get to choose the goals (and as a result the license) for their code - as a user you have the choice - either agree to the license or do it yourself

    5. Re:Obvious Answer ... by lynx_user_abroad · · Score: 2, Insightful
      Could you offer up any reason why people should do work for you without any return?

      I can offer none. Can you offer any reason why I shouldn't be able to take what I've learned from reading your (GPL licensed) source and use that knowledge to create my own (proprietary, closed source) program?

      If I am free to steal, you are likely to stop sharing. And that's the point the MPAA (and the RIAA, and closed source software companies like Microsoft, etc.) have been trying to make all along.

      There are many people (and many Slashdotters among them) who think nothing of taking a video or a song (which was NOT released under any sort of "share me freely under these conditions" license) and making copies of it available for any joe with a network drop to download for free.

      These people are often the same ones who express outrage when anyone proposes taking the products of the Free Software and Open Source community and sharing them in specific violation of the agreed license.

      I have a hard time reconciling the two. Is there a "Fair Use" provision for software? If I take a snippet (or 1000 hours) of your GPL'd code and include it in my proprietary product (and don't release source) is this a GPL violation, or is this acceptable and covered under fair use because I only "borrowed" a snippet?

      (Let's try to avoid all the obfuscating uses like "what if that code is in MP3 format, or what if the code can be represented as an n-digit prime number?")

      To me this reads clearly; If you want the world to respect your copyright and Open Source License then you gotta respect the rest of the world's copyrights and licenses. You can't go distributing mp3's and DVD's then expect others to respect the GPL.

      In other words, pick one: Choose a world where you have the right to make your computer do anything it can be made to do, and to share your discoveries with anyone who will learn (the Open Source and Free Software course) and moderate your own actions, or choose a world where you don't have to moderate your own actions; you can do anything the computer will let you do, it just won't be that much. You'll be able to claim "fair use" to make as many copies of as much content as you want and share them with everyone worldwide provided you don't violate the terms of the license you signed; you just won't be able to get access to any of that content without signing a license prohibiting you from doing anything useful with the content in the first place.

      If the Free Software community is to survive, then the Free Software community has to step up to the plate and take responsibility for ensuring that what is produced is a net benefit to the greater community as a whole. That doesn't mean shutting down GNUtella, but it does mean not illegally publishing others' copyrighted content to the GNUtella network, not downloading illegal content others have provided, and shunning those who engage in such practices. It may mean buying a commercial copy of a CD (or program) even though you've already downloaded an illegitimate copy of it. It's a tough road, because we have an obligation to both provide the DeCSS software (so you can get around the DRM when the need arises) while at the same time creating a community that knows enough not to use DeCSS to publish content they're not entitled to. That may mean adding a DRM module to the Linux kernel, and leaving it there even though anyone who can type make could pull it out.

      If we can't show a willingness to police ourselves, Hollywood, Disney, Jack Valenti, and Sen. Hollings will likely step in to remove the options.

      --

      The thing about things we don't know is we often don't know we don't know them.

  5. No wonder they took it down... by slowtech · · Score: 5, Insightful

    Goodness, this thing is full of grammatical errors. (Grammar may be optional here, but these people are lobbying the Feds). Any of my teachers in High School would have sent this paper back if it had been submitted to them:

    "harbors very close to IP infringement"

    "are proponents for copyleft"

    "code that reflects only 100 hours"

    "knowledge of for something this critical"

    Blech...

    --
    "Well it's not Victory - but then it's not Death either."
    1. Re:No wonder they took it down... by Soko · · Score: 4, Insightful

      Touché.

      This is (somewhat) more important than it looks, folks. When the ADTI folks accuse OSS projects of being less than professional, we can simply point to the original document and say that this "Think Tank" can't even correctly write American English.

      Rushing the document out the door without proper proofreading shows unprofessionalism from ADTI in completing their task, a clearly worded and concise critique of the GPL. Pointing out this fact may damage their credibility in a way that regular folks will understand. This should then allow the larger arguments of an opinion bought and paid for by the BSA in the door, too. We win. ;-)

      Think tank indeed. Wonder if the CSS camp got its money's worth?

      Soko

      --
      "Depression is merely anger without enthusiasm." - Anonymous
  6. Good ol' security through obscurity by Erotomek · · Score: 5, Insightful

    For example, if the Federal Aviation Agency were to develop an application (derived from open source) which controlled 747 flight patterns, a number of issues easily become national security questions such as: Would it be prudent for the FAA to use software that thousands of unknown programmers have intimate knowledge of for something this critical?

    Yeah, there's nothing like the good ol' security through obscurity. Thank God no one knows how the software controlling 747 flights works, so now I can fly safely.

    --

    In short: every Erotomek
    Has his own little house in the literature.

    1. Re:Good ol' security through obscurity by liquidsin · · Score: 4, Insightful

      And you don't suppose that any open source they adapted for use in controlling airplanes would get the same rigorous testing? You think the FAA would just download ControlTower v1.0 from sourceforge, compile it, and go?

      --
      do not read this line twice.
  7. What an interesting ploy.. they are full of FUD by Yohahn · · Score: 5, Insightful

    They attempt to draw a dividing line in a community. They do this by trying to stress "differences". They list these differences with the claim that it makes software more secure, BAH!

    They also ignore the aspect of the GPL that says you can keep your secret changes if you don't distribute the software outside of your organization. Where is the security leak now?

    The difference between "GNU FREE" and "BSD FREE" is that the people in BSD are willing to sacrifice themselves (no reward), whereas the GNU people are willing to take up arms (we reward you, but you must reward us in return, if you use our stuff).

    The community is more alike than it is different. Don't let these types of papers and publicity screw that up.

  8. Microsoft advocacy by magi · · Score: 5, Insightful
    You might want to take a look at their technology pages, especially the Anti-trust & Internet Regulation Program and Intellectual Property Program sections.

    Many of the headlines are quite revealing about their intentions. Many are about the importance of MCSE:

    • Inc. 500 Shops Value Certification Most (MCSE vs college degrees)
    • Familiarity Breeds Respect

      "Recruiters tend to hire MCSEs just as often, if not more so, than those with a four-year college degree."

    • Technology Trends: Program Provides Information For New Age

      "Eighty-seven percent of human resource managers surveyed believed that MCSE's are equally or more successful than college students."

    • The Impact of Technology Training Programs Case Study: MCSE Training

    And then there are numerous anti-trust criticism articles:

    • Break up Microsoft? Rest of world pooh-poohs the notion
    • Press Release: Japan, Switzerland, and the EU do NOT insist on breakup of Microsoft, unlike the U.S.
    • Fine Microsoft, use funds for new competition (anti-breakup)
    • Fine Microsoft and use funds to catalize new competition (anti-breakup)
    • Break-up Remedy for Microsoft Not Supported by Key Democrats
    • Technology and The Congressional Black Caucus (Microsoft anti-trust)
    • Breaking Windows Over Antitrust Dogma
    • Pause the Microsoft Case and Examine U.S. Anti-trust Policy
    • Punishing Winners Hurts the Marketplace
    • Suit Threatens U.S. Computer Dominance
    • Taking a Byte Out of Microsoft

    Etc. Also lots of articles about the precious intellectual property rights, although not specifically in relation to Microsoft.

    Make your own conclusions freely.

  9. My word! Get a better hysterical example! by GMontag · · Score: 5, Insightful

    For example, if the Federal Aviation Agency were to develop an application (derived from open source) which controlled 747 flight patterns, a number of issues easily become national security questions...

    FAA controlling the flight patterns of any aircraft is absolute nonsense! First, every pilot in the system would block it before it ever got past the talking stage, second it is just ignorant.

    Maybe software to control the traffic flow? Sorry, that deflates this FUD too, since it would not apply to just one airframe and the author assumes that the people operating the aircraft are just going to let that happen too.

    Maybe if he said some more nonsense about FAA requiring all 747s to have this software? Nope, that is the NTSB and the manufacturers, the latter would be marching on the Congress like you never seen before!

    Humm, here is a more believable thing to scare people with: "what if all automated traffic light systems had to run Open Source, could you imagine the national security issue of flashing red lights all over the heartland"?

  10. Not convinced by Space cowboy · · Score: 4, Insightful

    The issue of whether source code is as-the-author-intended is an old one, and is very well catered for by signing the .bz2 or .gz archive with the author's GPG/PGP key.

    If you subscribe to Redhat Network, all the .rpm's that are downloaded can be optionally (by default they are) checked against the GPG key - this prevents anyone from inserting their own version of /bin/login into the system... I'm assuming the machines doing the signing aren't the machines doing the delivery, but that would be an elementary mistake to make on Redhat's part...

    In short - this is not an issue.

    Simon

    --
    Physicists get Hadrons!
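The check Space cowboy describes, worked through as an added example (this is not code from the thread, from Red Hat Network or from GnuPG's documentation): one throwaway GNUPGHOME stands in for the maintainer's signing host, a second stands in for the downloader's machine and holds only the exported public key, and a pretend tarball is signed, verified, tampered with the way a hostile mirror might, and verified again. The key identity, the file names and the archive contents are made up for the demo; it needs gpg (GnuPG 2.x) on PATH.

```shell
#!/bin/sh
# Added example, not from the Slashdot thread or from Red Hat/GnuPG:
# detached-signature verification of a release archive, with the signing
# host and the downloading client kept in separate GNUPGHOMEs.
# Requires gpg (GnuPG 2.x). The key identity and file names are made up.

# make_signing_key DIR: create a throwaway, passphrase-less key under
# DIR/signer (the maintainer's signing host) and export only its public
# half to DIR/maintainer.pub.asc, which is what a downloader would fetch.
make_signing_key() {
    d=$1
    mkdir -p "$d/signer" && chmod 700 "$d/signer"
    GNUPGHOME="$d/signer" gpg --batch --quiet --gen-key >/dev/null 2>&1 <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Example Maintainer
Name-Email: maint@example.invalid
Expire-Date: 0
%commit
EOF
    GNUPGHOME="$d/signer" gpg --batch --quiet --armor \
        --export maint@example.invalid > "$d/maintainer.pub.asc"
}

# sign_release DIR FILE: on the signing host, write FILE.asc, an
# ASCII-armored detached signature over FILE.
sign_release() {
    GNUPGHOME="$1/signer" gpg --batch --yes --quiet --armor \
        --detach-sign --output "$2.asc" "$2"
}

# verify_release DIR FILE: on the client, which has imported only the
# public key into DIR/client, check FILE against FILE.asc.
# Returns 0 for a good signature, non-zero for a bad or missing one.
verify_release() {
    d=$1
    f=$2
    if [ ! -d "$d/client" ]; then
        mkdir -p "$d/client" && chmod 700 "$d/client"
        GNUPGHOME="$d/client" gpg --batch --quiet \
            --import "$d/maintainer.pub.asc" >/dev/null 2>&1
    fi
    GNUPGHOME="$d/client" gpg --batch --quiet \
        --verify "$f.asc" "$f" >/dev/null 2>&1
}

# stop_agents DIR: shut down the gpg-agent instances the two homes spawned.
stop_agents() {
    GNUPGHOME="$1/signer" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$1/client" gpgconf --kill gpg-agent 2>/dev/null || true
}

# demo DIR: sign a pretend tarball, verify it, then append bytes the way a
# hostile mirror might and verify again. Returns 0 only if the original
# verifies and the tampered copy is rejected.
demo() {
    d=$1
    rel="$d/release-1.0.tar.gz"
    make_signing_key "$d"
    # Any bytes will do: the signature covers the file, not the tar format.
    printf 'pretend tarball contents\n' > "$rel"
    sign_release "$d" "$rel"
    if ! verify_release "$d" "$rel"; then
        echo "unexpected: pristine release failed to verify" >&2
        return 1
    fi
    printf 'one extra line from a hostile mirror\n' >> "$rel"
    if verify_release "$d" "$rel"; then
        echo "unexpected: tampered release verified" >&2
        return 1
    fi
    echo "ok: pristine release accepted, tampered release rejected"
    return 0
}

# Run the demo when RUN_DEMO=1 is set, e.g. RUN_DEMO=1 sh verify-release.sh
if [ "${RUN_DEMO:-0}" = 1 ]; then
    tmp=$(mktemp -d)
    demo "$tmp"
    rc=$?
    stop_agents "$tmp"
    rm -rf "$tmp"
    exit $rc
fi
```

The two keyrings are what models the point about signing and delivery living on different machines: a mirror can alter the archive, but without the private key it cannot produce a signature that the client's copy of the public key accepts. On an RPM-based system the equivalent is `rpm --import` of the vendor key followed by `rpm -K` (`--checksig`) on the package, which this script does not run. One caveat: gpg exits 0 for a good signature even when the key is untrusted in the client's web of trust, so pinning the expected key fingerprint is a separate step from the verification shown here.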
  11. FUD by Anonymous Coward · · Score: 1, Insightful

    Terrorists seem to be the key word nowadays. Kind of like *do it for the children*, or global warming.

    If the application is well coded, then having the source code will not have any effect on how secure it is.

  12. Trademarks by DustMagnet · · Score: 4, Insightful
    "On a lighter note, while many open source enthusiasts are proponents for copyleft, they insist on trademark protection for their ideas."

    I have a hard time taking anyone seriously who could write that.

    Trademarks protect product labeling. Patents protect ideas.

    Unlike patents and copyrights, trademarks are there to protect consumers. If I go to the store and want to buy Kraft mac and cheese, I don't want to have someone labeling some other brand as Kraft. If it says RedHat, it should be from RedHat.

    The idea behind open source and trademarks is to help the end user. I don't see how they are incompatible.

    --
    'SBEMAIL!' is better than a goat!!
  13. Re:Well, they may have a point somewhere in there. by Jsprat23 · · Score: 2, Insightful

    "Another security concern is that the primary distribution channel for GPL open source is the Internet. As opposed to proprietary vendors, open source is freely downloaded. However, software in the public domain could contain a critical problem, a backdoor or worse, a dangerous virus."

    While what you say is technically true, at least with open source, hackers (as in the jargon file definition) have a chance to go over the source and fix any back doors implemented. If you only receive binary files, who's to say that the company themselves hasn't inserted a backdoor or left a myriad of security holes unfixed. The above quote is a bad way of looking at it, because the exact same argument can be applied to closed source.

  14. study is just a hack piece by Lewis Mettler, Esq. · · Score: 3, Insightful

    Study is just a hack piece I am afraid.

    Even Allchin (under oath no less) testified that the GPL was one of the reasons that Microsoft did not include a SUN compliant JVM with XP.

    What GPL has to do with a JVM from SUN is beyond me. But, that is the lie that Allchin put out to fool the court. And, the GPL was not even an issue in the trial.

    I think Microsoft is just spending any money it can on bad mouthing the ideas it does not like. It does not matter if it is true or even relevant.

    Besides, some bureaucrats only need a fake excuse anyway.

    This fake study is just like the one a few weeks back bad mouthing linux on mainframes. It does not make any sense except the Microsoft salesman will be sure to refer to it during their sales pitches. After all, customers are assumed to be pretty stupid by Microsoft.

    --
    NexuSys - Linux support by the best
    1. Re:study is just a hack piece by sealawyer · · Score: 2, Insightful

      The paper is riddled with grammatical errors, incorrect statements of law, and factual mistakes.

      Perhaps the paper was taken down to fix at least the grammatical errors that Mr. Brown and his organization ought to be less than proud of.

      But I hope the other errors and obvious stupid comments stay in the paper.

      By far the most amusing part of the paper is the description of Netscape's role in so infuriating the open source community that they flocked to Microsoft's browser out of anger. Really? So Internet Explorer then runs on how many of the open source operating systems? Does Brown's version of what happened to Netscape match what the courts and the DOJ think happened?

  15. what if you used some Ms code? by Lewis Mettler, Esq. · · Score: 2, Insightful

    Just where would you be if you slipped in 100 hours of Microsoft proprietary code you got your hands on?

    What would that do to your 5000 hour product?

    The GPL is less disruptive than borrowing other code that comes with limitations.

    Besides, if you use code from other sources you certainly should know the impact of doing so. The GPL is not different in that regard.

    I guess Microsoft thinks that proprietary code should be outlawed because if it should mistakenly get its way into an application, you could be sued, right?

    --
    NexuSys - Linux support by the best
  16. Not Invented Here Syndrome by reaper20 · · Score: 4, Insightful

    NIH syndrome is more prevalent than people blatantly ripping off open source code or committing 'acts of IP theft'. I think more so than people give it credit for.

    Even Mandrake rewrote their installer to "differentiate" from Red Hat. Redhat doesn't include fontdrake, or any of their competitor GPL tools. It seems a lot more like a bazaar of cathedrals to use the analogy.

    If I write the ultimate Linux app, what are the chances that someone is going to 'steal my IP', or even if it is GPL, contribute back? Look at the ton of duplicate GPL programs.

    If I were a programmer I think I'd GPL my software so people can look at the code and contribute patches - chances are some other OSS programmer is going to not like the language it was written in, which widget set I used, or whatever, and just rewrite it to suit their needs.

    I have no numbers to back this up, just seems that most programmers and/or companies prefer to write their own software, regardless of reusable code or license.

  17. Re:Question by carlos_benj · · Score: 3, Insightful

    The solution then is to not include any GPL code in your security-critical application, not to denigrate the GPL. Look, if they went with a closed source OS and wanted to write the same application in-house and didn't want to include any GPL'd code this wouldn't even get airtime. They'd just write the stinkin' code - ALL of it (or they'd steal some good GPL'd stuff and just not tell anybody - no, nobody'd do that). What's the difference? If I don't want to share my 50bajillion lines of IP then I can probably figure out a non-GPL'd alternative to those 100 lines of code that I'm missing - including nabbing some BSD nuggets. Just because part of my solution is open source doesn't mean it all has to be.

    --

    As a matter of fact, I am a lawyer. But I play an actor on TV.

  18. Re:Just being GPL not necessarily less secure... by Misch · · Score: 3, Insightful

    since you have to publish any changes you might make to the original software.

    That is incorrect. You are allowed to take a GPL'ed program, modify it to your heart's content, and never release a single line of source code to anyone. Only if you then *distribute* the code to anyone else do you have to offer up the code. You have the right to not share. But, if you do share, you have to share completely.

    --
    You will rephrase your request for me to go to hell. Goto statements are not acceptable programming constructs
  19. Re:Well, they may have a point somewhere in there. by SirSlud · · Score: 4, Insightful

    > But I believe in this case, the group is advocating commercial code that comes with the source.

    No, they are advocating that open source is good, because commercial companies can use it to cut costs (and profit on the backs of others' work), but that those companies should not have to repay the community for reasons of security.

    It really should read 'borrowable open-source good, except when the source code is mine .. then it should be closed.'

    We all know the usual /. arguments on whether OS is more or less secure than CS, so we don't need to go into that. But really, they like it when companies can borrow source (heaven forbid they have to actually hire as many skilled programmers as it takes to build any given application .. I mean, they have execs and marketers to pay, doncha know!) .. but hate it when they have to give that source back.

    I've been watching the commercial world come to the realization that open-source isn't what they should be scared of (MS has borrowed BSD'd code many a time) .. it's just the thought of holding the quality of their software accountable to a community that scares the shit out of them. Anyone following what the multinationals have been doing for the last 20 years in order to divest themselves from ALL possible negative public reaction understands this position. Just like Nike no longer technically employs their sweatshop workers (they're contracted, so the accountability is divested from Nike to their contractors), companies want to be able to take 'tried and true' code, use it, not have to hold their use of the code (and the rest of their code) accountable to the community, and PLUS they get the benefit of passing the buck to the open-source author should problems be found! (Since in a closed source product, nobody can prove it _wasn't_ the open source chunk that caused the problems or introduced the security hole or whatever.)

    It's the usual power mongering, and desire to not be held accountable for any of it.

    --
    "Old man yells at systemd"
  20. 5000 hours vs 100 hours by Hnice · · Score: 4, Insightful

    "If a software application representing 5000 hours uses GPL code that reflects only 100 hours, is the GPL fair in its argument that the entire product is GPL? "

    first of all, if the 100 hours is GPLd, then the GPL isn't 'arguing' anything -- the rest *is* GPLd, according to the GPL. using the verb 'argue' here is like saying that my rental agreement 'puts forth the assertion' that i have to pay my landlord every month. it's not appropriate, because there's nothing to argue, no ambiguity. the GPL is very clear here.

    second, if GPL'd software is, as the statement is clearly implying, a negligible part of the final product, what's the big deal with spending the other 100 hours to build that part yourself? no one's making you use that 100 hours worth of software.

    and imagine how stupid that argument sounds when phrased this way: "i just built a huge program that only makes use of [some copyrighted product] in passing -- why should i have to conform to that company's contract terms in order to use it?" would anyone argue that degree of use is going to make any difference at all here? and if you don't like corporate-bashing, consider this example -- "sure, i stole $100 from you, but i put it towards this car that cost $5000, so why should I owe you anything at all?"

    this is a stupid point. if you don't want to use GPLd code, don't, and if you do, understand the terms.

    --

    god is just pretend.

  21. Re:ADTI Whitepaper Released by lysurgon · · Score: 5, Insightful

    There is a big distinction between the GPL and the BSD-style licenses. The GPL is all about making sure that people who use GPL licensed code release their new code under the GPL too.

    Except that using GPL code doesn't compel you to "release" anything. It only means that if you elect to share your code with another party, you do so under the terms of the GPL.

    The .gov could pick up a bunch of GPL code, hire some hackers (or use the NSA) to brew their own system and simply make the decision not to share the code. That's nice and legal. They'd simply make distribution a matter of national security.

    The only security issue with the GPL is the security of companies who derive revenue from selling proprietary code.

  22. Why is the GPL so misunderstood? by TheConfusedOne · · Score: 5, Insightful

    Their main points are that GPL is flawed due to requiring anything which uses GPLd code [no matter how little] to be licensed under the GPL; and, that most GPL projects encourage many unverifiable developers to take part in the project, resulting in potential malicious code being inserted without anyone else taking notice.

    Please, take a moment and read the GPL. Then come back and ask people questions about it. (I believe there was an Ask Slashdot about it awhile ago...)

    Using GPL'd code does not mean you have to automatically release all of your code. First off, the GPL cannot override other more restrictive licenses. If you don't have the right to GPL the code that you've included then you can't release it, you have to remove the GPL'd code instead. Second, the GPL's release/publish conditions are only invoked if you release/publish your code. This is a very important distinction. If you develop something "in house" for your company's use, then you don't have to release the resulting code. If you don't distribute it then you don't have to publish it.

    As far as "malicious code" goes, look at all of the "easter eggs" and "bugs" in current "professional" code. How much overall code review do you think goes on when an entire flight simulator gets packed into a spreadsheet application? (You may have noticed how a Service Release deactivated it.)

    In the Open Source world, if you doubt some code then you can simply audit it. Good luck if you think there's some backdoor lurking in the latest MS code. (Look at MS's WMP EULA that gives them permission to force downloads on your box in the name of "DRM".)

    There's a reason that people use the cover of darkness to perform questionable/malicious acts. Having the source code for full review and scrutiny is the best way to shine a bright light into all corners.

    --
    --- I wish I could hear the soundtrack to my life. That way I'd know when to duck.

  23. Re:Question by Anonymous Coward · · Score: 1, Insightful

    [this is a little fragmented, sorry about that]

    Actually, yes.. they do have a point. But that point is, how shall we say, pointless.

    There is no reason why the US Govt can't use GPL'd software, while not writing software directly into it that would put the US at a security risk.

    People seem to see these things as one-way-street issues. You must either use GPL software, or not use it at all. Really kids, the world was not built in black&white for a reason.

    Despite common belief, you really CAN use GPL software and still use and create software that will work with that GPL software to perform a greater function. Please, inform me if I'm wrong here.

    As far as software security is concerned, having the source code available surely does help the attacker, but if potentially hundreds of people audit that code each time it changes, wouldn't that be better than 10 people auditing it on a stressed time schedule with corporate pride in the way? And what was that about Al-Qaeda infiltrating Microsoft?

    In response to a very common thread I keep seeing in our nation's government and political circles, I would like to remind people that just because some people abuse *things*, does not mean that those things in and of themselves are evil or bad or destructive. It means that there are people abusing a perfectly good thing, and the only way to combat that is education, and law enforcement. We don't have the money, warm bodies, or the desire as a people, to demand that law enforcement be everywhere (big brother), all of the time. It simply isn't conducive to our ideal of being a "Free Country", so it stands to reason that Education of the people themselves is the only reasonable and realistic option. Unfortunately too many people are leaning toward the "law enforcement everywhere" idea these days because the word "terrorist" is big-and-bad-and-frightening... and poorly misused.

    What I see in this article is that the author thinks that the GPL is an all or nothing gig, that the rights afforded to authors who choose the GPL are unfair, reverse engineering is evil, if your code doesn't provide *somebody* an income you just don't matter (how about a 'revenue involving the GPL' section, after all I got paid to set up GnuCash for my neighbor, and Linux for Corp X, and...), if the Big Corp wants to break the rules with your software you shouldn't have the right to take action,

    It just seems to me that where capitalistic venture stands to gain, those not pursuing that very same thing are fair targets for those capitalistic ventures, and aren't deemed worthy of having rights because they are not capitalistic ventures. I don't think that this is a fair practice at all, and I know that for myself it causes a strong distaste for those companies (and supporting agencies, government officials, etc).

    I had always been a Windows user until I started to feel like I had been raped and abused by them, and that they were damaging my ability to perform.

    There is lots more to this rant but I'll save it. It's all been said before, and if you really take a look around, and READ what is in front of you, you will understand. It wasn't that hard for me, and I've only been working with this stuff for 1 year.

    Lastly, may I point out that the GPL truly is flexible, and the software author gets to decide just how much copying, modification, redistribution and whatever else, will be allowed. It just requires you make the source "available". Don't believe me? Go read it, really read it.

    The GPL: Hey, if you don't like it, don't use it. And if you cry about not being able to use it because it is GPL, you're barking up a dead tree. I want the code to Windows 2000, but I can't have it because Microsoft says so, and I think this is really unfair. I will ABSOLUTELY REFUSE to sell you my own software, but you can have the source code.. I said NO dammit, your money is no good here.

    -Anon

  24. Hey Microsoft, your source code is ajar by Alien+Being · · Score: 2, Insightful

    i.e. it's partly open. It has been viewed by hundreds or thousands of MS programmers, any one of whom might be an enemy spy. Windows src has already been distributed to certain colleges and corporations. Furthermore, MS's internal networks have been broken into in the past. Go ahead Bill, swear on a stack that no terrorists have the source to Windows.

    Unless MS, Oracle, Sun, et al. do all their development under the same security controls as, say ICBMs, the "need for secrecy" argument works no better for their code than for OpenSource.

    Maybe there are a few situations which call for Top Secret Source, but most do not. Use hardware as an analogy.

    The U.S. armed forces use plenty of off-the-shelf type hardware. Many types of military aircraft are based on the same platforms as commercial craft. SR-71 Blackbirds are secret, 747-based AWACS share many of the same vulnerabilities as those flown by Trans American. F-xx fighters have been sold to questionable foreign governments, lost in battle, etc. How secret are they?

    If the U.S. adopts this "Secret Source" philosophy, our computers will turn out to be the equivalent of those goofy cars (Trabant?) Russians were forced to drive all those years.

  25. Re:I was waiting for this to come out! by Anonymous Coward · · Score: 1, Insightful

    The paper quotes 319 million jobs in the US for the software industry... hmmm last time I checked the population of the US wasn't THAT large... also the whole argument about FAA traffic control and military weapons systems is a bit off base... If the FAA or Military doesn't distribute their source to anyone... they don't have to worry, do they??? Seems like FUD from micro$haft more than careful, thoughtful commentary...

  26. Re:Some thoughts on the paper.. by RoninM · · Score: 4, Insightful
    Uniquely restrictive. Break it down.

    Except that it's "MOST uniquely restrictive." It's already been established (in other comments) that this Think Tank consists of so many high-minded, conceptual thinkers that there was no room for a grammarian. Even still, I have to give them the benefit of the doubt and assume they meant "most ... restrictive," and not the completely daft, "most uniquely."

    The most important restriction (as noted here, there, elsewhere, and everywhere) is that if you use some GPL code, the whole package has to be GPL. If your app requires a GPL package, then your package has to be GPL. [...yawn...] So I'm sure you can see why the license would be unattractive to some people.

    First, I've never heard of anyone absolutely needing to use GPL code in their package. You can choose to do so or not. Of greater import, however, is that despite your keen insight that some people just won't understand/like the viral nature of the GPL, this whitepaper isn't purporting to be opinion, but a factual analysis of the risk inherent in the GPL. Additionally, you fail to point out that even if the resulting package is GPL, that doesn't oblige you to distribute it, and thus, you don't have to release the source code.

    If we're talking about national security, it's going to be written from a paranoid mindset, and rightfully so.

    Okay, fine, I'll (temporarily) accept that paranoia is a good thing, here. But this is just one paranoid view. Another paranoid view is that with the number of foreigners employed in the tech sector, terrorists could already have been introducing backdoors into closed source products for years, now. Another paranoid view is that computers are inherently dangerous, electricity is the spawn of Satan, and we should all call each other Jebidiah, raise barns, churn butter, and sell cocaine. There's lots of paranoid views. Just because you think paranoia is acceptable in this instance doesn't do anything to validate the views expressed in the whitepaper. A lot of people, these days, have eschewed critical thinking for mindless support for whatever's been pushed to "stop the terrorists." It's both wrong and dangerous, even in paranoid times.

    Of course, paranoia isn't the right framing for anyone, anyway. Rational risk analysis is, and always has been, better. There's a massive divide between planning for the Worst Case Scenario and outright paranoia. We'd be wiser to not ignore it.

    --
    If a corporation is a personhood, is owning stock slavery?

  27. excellent observation. by twitter · · Score: 4, Insightful
    While I'm not familiar with Tocqueville's work, I can see a glaring contradiction when it's put in my face. Their mission statement is at odds with what this Ken Brown says, and even with the page itself.

    The page was generated with Adobe Go Live, and the mission statement is an image or something else difficult to copy, so I had to type it by hand for your enjoyment.

    Since 1988, the Alexis de Tocqueville Institution has studied the spread and perfection of democracy around the world.

    I'm not impressed.

    In this we follow the principles of Tocqueville himself...

    At the root, perhaps, is a populist belief in the basic goodness, perfectibility, and nobility of mankind and of the human community....

    Our principles guide the selection of which issues are critical to the advancement of freedom - but we don't rush to judgment about which means will be most effective in producing it.

    I'm afraid that they have rushed to judgment and condemned one of the most important documents protecting freedom of speech today. The GPL is the only document that ensures that you will have control of your computer and therefore your publications will not be censored at the source. It does this by ensuring that the possessor of GPL code will always have the ability to use, understand, modify and distribute that code as they see fit without reducing the rights of other users to do the same. Code that does not ensure this right has all of the security flaws and fears raised in Ken Brown's paper, as the owner does not know what the machine is doing or have the ability to change it. ADTI completely misses the point and condemns the GPL because they fear it cannot be commercialized in the conventional fashion, and for many other incorrect and confused reasons. This is a shame because there is nothing more important for "democracy" and freedom than the free exchange of information the GPL ultimately protects.

    The greatest contradiction seems to be their main reason for rejecting the GPL as a license worth using: that volunteer efforts cannot match commercial ones, and that the GPL community of volunteers is a myth. Well, I'm sitting here with my mythical OS, typing into a mythical text editor, for a mythical browser. All are far better than commercial alternatives. All were developed and rely on tools created by volunteers and others who really do believe in the goodness and freedoms of their users. No one who has respect for his neighbor would ever say that people could not co-operate without a profit motive, but this is what Ken concludes,

    ...Removing the economic incentive for firms to own the rights to products spawned from research and development programs is the surest way to end their existence... the [Greatest risk of the GPL] is its threat to the cooperation between different parties who collaborate and create new technologies.

    What utter hogwash. The GPL enables all to participate in the development of new technology and removes many artificial barriers. The fruit of all the mentioned government programs has been brought to me in a form I can manipulate by Debian. The number of sound scientific programs I now have access to, through GNU compilers, is uncountable. There are few academic publishers who would have it any other way, they exist to teach and promote their various specialties. To top it off, large companies will continue to pour money into the exploitation of these technologies because it is in their best financial interest. So much the better if that means their derivative works will be available to me as well. How can anyone intellectually honest say otherwise, especially while espousing freedom and the goodness of man?

    Oh, enough. The more I read of this MicroSoft parrot's garbage, the angrier I get. Especially unkind and untrue is the assertion that RMS is a "fallen hero" viewed as radical. I respect that man more every day. Ken Brown, you are a 1/4 watt bulb.

    --

    Friends don't help friends install M$ junk.

  28. Re:Microsoft has security Windows, not security Ho by Anonymous Coward · · Score: 1, Insightful

    Clever! Usurp Microsoft's product name and associate it with bad things.

    If the media can get the entire country using the word 'hacker' incorrectly, surely we can convince people that mistakes in code are 'programming windows' or 'security windows' that leave 'open holes' for attackers.

    And the best thing? Windows is already full of them.

  29. Re:ADTI Whitepaper Released by memfrob · · Score: 2, Insightful
    For sure you don't have to put the source code up on a public FTP to let anyone have a copy. But don't you still have to make the source available, under the GPL, to anyone you distribute a binary to?

    Are you sure they're giving you the binary? Did they give you that nice monitor on your desk, or would you say it's still owned by the company?

    --
    The Wizard utters the word 'frobnoid!' and cackles gleefully