ADTI Whitepaper Released
"Another security concern is that the primary distribution channel for GPL open source is the Internet. As opposed to proprietary vendors, open source is freely downloaded. However, software in the public domain could contain a critical problem, a backdoor or worse, a dangerous virus."
Reverse engineering "harbors very close to IP infringement because and has staggering economic implications." [sic]
"On a lighter note, while many open source enthusiasts are proponents for copyleft, they insist on trademark protection for their ideas."
"If a software application representing 5000 hours uses GPL code that reflects only 100 hours, is the GPL fair in its argument that the entire product is GPL? This point is of considerable concern to software companies that value their secrets, design and architecture strategies. Proponents of the GPL argue that each party in the exchange is benefiting equally, but without a means to properly make this evaluation, this position at best is over-assuming."
"The federal government's information systems requirements intersect countless sensitive operations. The limitless potential for holes and back doors in an open source product would require unyielding scrutiny by staff that decided to use it. For example, if the Federal Aviation Agency were to develop an application (derived from open source) which controlled 747 flight patterns, a number of issues easily become national security questions such as: Would it be prudent for the FAA to use software that thousands of unknown programmers have intimate knowledge of for something this critical? Could the FAA take the chance that these unknown programmers have not shared the source code accidentally with the wrong parties? Would the FAA's decision to use software in the public domain invite computer 'hackers' more readily than proprietary products?"
A valid concern.
But is it more or less risky in comparison to using closed source software?
I can't be the only one saddened to see the name of Alexis de Tocqueville besmirched by being associated with a think tank for hire.
His insights into America of the early 19th century were profound.
Meanwhile, the points of this paper, besides being wide of the mark in assessing the truth, are not even particularly original - other fear mongers have trotted out the same vague bogeymen prior to the publication of this report. And those objections to open source have no more basis in fact now than they did when they were originally brought out.
"Provided by the management for your protection."
"If a software application representing 5000 hours uses GPL code that reflects only 100 hours, is the GPL fair in its argument that the entire product is GPL? This point is of considerable concern to software companies that value their secrets, design and architecture strategies. Proponents of the GPL argue that each party in the exchange is benefiting equally, but without a means to properly make this evaluation, this position at best is over-assuming."
If you don't want your app to be GPL, and you've already spent 5000 hours coding it, might as well spend another 100 writing that piece instead of cutting and pasting.
Goodness, this thing is full of grammatical errors. (Grammar may be optional here, but these people are lobbying the Feds). Any of my teachers in High School would have sent this paper back if it had been submitted to them:
"harbors very close to IP infringement"
"are proponents for copyleft"
"code that reflects only 100 hours"
"knowledge of for something this critical"
Blech...
"Well it's not Victory - but then it's not Death either."
Yeah, there's nothing like the good ol' security through obscurity. Thank God no one knows how the software controlling 747 flight works, so now I can fly safely.
In short: every little erotomaniac
has his own little home in literature.
They attempt to draw a dividing line in a community. They do this by trying to stress "differences". They list these differences with the claim that it makes software more secure, BAH!
They also ignore the aspect of the GPL that says you can keep your secret changes if you don't distribute the software outside of your organization. Where is the security leak now?
The difference between "GNU FREE" and "BSD FREE" is that the people in BSD are willing to sacrifice themselves (no reward), whereas the GNU people are willing to take up arms (we reward you, but you must reward us in return, if you use our stuff).
The community is more alike than it is different. Don't let these types of papers and publicity screw that up.
Many of the headlines are quite revealing about their intentions. Many are about the importance of MCSE:
- Inc. 500 Shops Value Certification Most (MCSE vs college degrees)
- Familiarity Breeds Respect
- Technology Trends: Program Provides Information For New Age
- The Impact of Technology Training Programs Case Study: MCSE Training
"Recruiters tend to hire MCSEs just as often, if not more so, than those with a four-year college degree."
"Eighty-seven percent of human resource managers surveyed believed that MCSE's are equally or more successful than college students."
And then there are numerous anti-trust criticism articles:
- Break up Microsoft? Rest of world pooh-poohs the notion
- Press Release: Japan, Switzerland, and the EU do NOT insist on breakup of Microsoft, unlike the U.S.
- Fine Microsoft, use funds for new competition (anti-breakup)
- Fine Microsoft and use funds to catalize new competition (anti-breakup)
- Break-up Remedy for Microsoft Not Supported by Key Democrats
- Technology and The Congressional Black Caucus (Microsoft anti-trust)
- Breaking Windows Over Antitrust Dogma
- Pause the Microsoft Case and Examine U.S. Anti-trust Policy
- Punishing Winners Hurts the Marketplace
- Suit Threatens U.S. Computer Dominance
- Taking a Byte Out of Microsoft
Etc. Also lots of articles about the precious intellectual property rights, although not specifically in relation to Microsoft.
Make your own conclusions freely.
For example, if the Federal Aviation Agency were to develop an application (derived from open source) which controlled 747 flight patterns, a number of issues easily become national security questions...
FAA controlling the flight patterns of any aircraft is absolute nonsense! First, every pilot in the system would block it before it ever got past the talking stage, second it is just ignorant.
Maybe software to control the traffic flow? Sorry, that deflates this FUD too, since it would not apply to just one airframe and the author assumes that the people operating the aircraft are just going to let that happen too.
Maybe if he said some more nonsense about FAA requiring all 747s to have this software? Nope, that is the NTSB and the manufacturers, the latter would be marching on the Congress like you've never seen before!
Hmm, here is a more believable thing to scare people with: "what if all automated traffic light systems had to run Open Source, could you imagine the national security issue of flashing red lights all over the heartland"?
Eve Fairbanks says I drive a hybrid! LOL
> Where are the "think tanks" that actually have people who can think critically?
Think tanks only need to think critically enough to fool their intended audience.
And this is for consumption by businessmen, legislators, and bureaucrats, so...
Sheesh, evil *and* a jerk. -- Jade
There is a big distinction between the GPL and the BSD-style licenses. The GPL is all about making sure that people who use GPL licensed code release their new code under the GPL too.
.gov could pick up a bunch of GPL code, hire some hackers (or use the NSA) to brew their own system and simply make the decision not to share the code. That's nice and legal. They'd simply make distribution a matter of national security.
Except that using GPL code doesn't compel you to "release" anything. It only means that if you elect to share your code with another party, you do so under the terms of the GPL.
The only security issue with the GPL is the security of companies who derive revenue from selling proprietary code.
Howard Dean for president
Their main points are that GPL is flawed due to requiring anything which uses GPL'd code [no matter how little] to be licensed under the GPL; and, that most GPL projects encourage many unverifiable developers to take part in the project, resulting in potential malicious code being inserted without anyone else taking notice.
Please, take a moment and read the GPL. Then come back and ask people questions about it. (I believe there was an Ask Slashdot about it awhile ago...)
Using GPL'd code does not mean you have to automatically release all of your code. First off, the GPL cannot override other more restrictive licenses. If you don't have the right to GPL the code that you've included then you can't release it, you have to remove the GPL'd code instead. Second, the GPL's release/publish conditions are only invoked if you release/publish your code. This is a very important distinction. If you develop something "in house" for your company's use, then you don't have to release the resulting code. If you don't distribute it then you don't have to publish it.
As far as "malicious code" goes, look at all of the "easter eggs" and "bugs" in current "professional" code. How much overall code review do you think goes on when an entire flight simulator gets packed into a spreadsheet application? (You may have noticed how a Service Release deactivated it.)
In the Open Source world, if you doubt some code then you can simply audit it. Good luck if you think there's some backdoor lurking in the latest MS code. (Look at MS's WMP EULA that gives them permission to force downloads on your box in the name of "DRM".)
There's a reason that people use the cover of darkness to perform questionable/malicious acts. Having the source code for full review and scrutiny is the best way to shine a bright light into all corners.
--- I wish I could hear the soundtrack to my life. That way I'd know when to duck.