ADTI Whitepaper Released
"Another security concern is that the primary distribution channel for GPL open source is the Internet. As opposed to proprietary vendors, open source is freely downloaded. However, software in the public domain could contain a critical problem, a backdoor or worse, a dangerous virus."
Reverse engineering "harbors very close to IP infringement because and has staggering economic implications." [sic]
"On a lighter note, while many open source enthusiasts are proponents for copyleft, they insist on trademark protection for their ideas."
"If a software application representing 5000 hours uses GPL code that reflects only 100 hours, is the GPL fair in its argument that the entire product is GPL? This point is of considerable concern to software companies that value their secrets, design and architecture strategies. Proponents of the GPL argue that each party in the exchange is benefiting equally, but without a means to properly make this evaluation, this position at best is over-assuming."
"The federal government's information systems requirements intersect countless sensitive operations. The limitless potential for holes and back doors in an open source product would require unyielding scrutiny by staff that decided to use it. For example, if the Federal Aviation Agency were to develop an application (derived from open source) which controlled 747 flight patterns, a number of issues easily become national security questions such as: Would it be prudent for the FAA to use software that thousands of unknown programmers have intimate knowledge of for something this critical? Could the FAA take the chance that these unknown programmers have not shared the source code accidentally with the wrong parties? Would the FAA's decision to use software in the public domain invite computer 'hackers' more readily than proprietary products?"
Here is my mirror of the "old" report, safely out of the reach of the DMCIA...
A valid concern.
But is it more or less risky in comparison to using closed source software?
I can't be the only one saddened to see the name of Alexis de Tocqueville besmirched by being associated with a think tank for hire.
His insights into America of the early 19th century were profound.
Meanwhile, the points of this paper, besides being wide of the mark in assessing the truth, are not even particularly original - other fear mongers have trotted out the same vague bogeymen prior to the publication of this report. And those objections to open source have no more basis in fact now than they did when they were originally brought out.
"Provided by the management for your protection."
"If a software application representing 5000 hours uses GPL code that reflects only 100 hours, is the GPL fair in its argument that the entire product is GPL? This point is of considerable concern to software companies that value their secrets, design and architecture strategies. Proponents of the GPL argue that each party in the exchange is benefiting equally, but without a means to properly make this evaluation, this position at best is over-assuming."
If you don't want your app to be GPL, and you've already spent 5000 hours coding it, might as well spend another 100 writing that piece instead of cutting and pasting.
Goodness, this thing is full of grammatical errors. (Grammar may be optional here, but these people are lobbying the Feds.) Any of my teachers in high school would have sent this paper back if it had been submitted to them:
"harbors very close to IP infringement"
"are proponents for copyleft"
"code that reflects only 100 hours"
"knowledge of for something this critical"
Blech...
"Well it's not Victory - but then it's not Death either."
Being paid to troll has been around for decades now.
It's called "marketing".
Yeah, there's nothing like the good ol' security through obscurity. Thank God no one knows how the software controlling 747 flights works, so now I can fly safely.
In short: every Erotomek
Has his own little house in the literature.
They attempt to draw a dividing line in a community. They do this by trying to stress "differences". They list these differences with the claim that it makes software more secure, BAH!
They also ignore the aspect of the GPL that says you can keep your secret changes if you don't distribute the software outside of your organization. Where is the security leak now?
The difference between "GNU FREE" and "BSD FREE" is that the people in BSD are willing to sacrifice themselves (no reward), whereas the GNU people are willing to take up arms (we reward you, but you must reward us in return, if you use our stuff).
The community is more alike than it is different. Don't let these types of papers and publicity screw that up.
Sauce for the goose is sauce for the gander; anyone can put a backdoor into an OSS program, but anyone can also see it. With closed source, you're trusting that the vendor won't put one in. Of course, now you're assuming that (1) the vendor has no malicious intent and (2) that they keep their code completely safe. Of course, that could never happen...
One day, a group of daring young renegades discovered that there were other ways to get air, just by moving some rocks that blocked openings to the outside. And they offered their air free. At first people were hesitant to use Free Air, thinking something must be wrong with it since it was free. Initially Microshaft ignored the renegades, dismissing them as a fringe movement and minor nuisance. But eventually Microshaft saw them as a threat. They started a major marketing campaign to convince people that the Free Air was bad for their health. But people found that they actually felt better and healthier breathing the free, fresh air. Microshaft added more and more features to their air, perfuming it and coloring it with smoke to give it "added value". Many people started to dislike Microshaft's heavy, bloated air that was hard to breathe and began flocking in droves to the sources of Free Air.
About this time, after some years of hard volunteer work, Open Air developers finally increased the size of a Free Air portal so that a person could actually squeeze through to the outside. The first brave individuals who ventured through it discovered that not only was there an unlimited supply of air in the outside world, there was no way you could harness and control its supply.
Alarmed, Microshaft sought to have the government declare Free Air illegal since it threatened their business model, which they had developed and rightfully earned through many years of hard work. They called the use of Free Air "theft" and claimed that the "viral" nature of the Public Breathing License advocated by many Open Air rebels would threaten the livelihood of Microshaft's suppliers and distributors. Indeed, the whole economy of the cave would collapse, they said. Laws were quickly passed and the portals of Free Air were sealed off.
A charitable organization called the Business Air Alliance was formed to help protect businesses against the threat of Free Air portals. By proving that it was theoretically possible to fund terrorist organizations with the money saved by breathing Free Air, the BAA successfully lobbied to strengthen the laws so that any attempt to make an opening to the outside became punishable by death. Possession of shovels and picks became a criminal offense, and the BAA performed random audits to help citizens comply with the law. For their protection, everyone was required to wear an Air Rights Management security device, which would send an alarm to the authorities if it didn't detect a secret mix of fumes found only in Microshaft air.
As time passed, Microshaft and the government became indistinguishable. To prevent future uprisings, a new feature was added to the air to keep the people sedated happily ever after.
by its programmer, hiding the underlying code from its user. Software can only be modified in its "unlocked" state when source code is viewable.
This is the assumption that is the flaw in the entire argument. While having the source code makes it easier in some ways to find exploits, it of course makes it easier to find them earlier and fix them. Whereas in a closed source implementation it's more likely that there are unidentified flaws in the software because there are fewer eyes willing to parse through assembly listings. But if a 'terrorist' is dedicated enough to do that, they're more likely to find such flaws.
The GPL is one of the most uniquely restrictive product agreements in the technology industry.
Interesting. I never thought of it that way when I can use a program for whatever purpose I want, make modifications to that program, and distribute either the original or my modified version of that program. Maybe I'm just weird like that...
By the early 90's, open source enthusiasts began to view Stallman as an extremist and fanatic. The rise in the popularity of Linus Torvalds and the Linux open source operating system began to create new supporters. Ironically, Linux supporters became the biggest proponents of the GPL. Although Stallman is a fallen hero in the open source world, most open source products today are distributed under the GPL license.
While I'm not the biggest RMS fan, uhh, I can't just let that statement go. For once, I agree that not calling it GNU/Linux really misleads readers in this case. Without the GNU tools, Linux wouldn't have a leg to stand on. It's tough to dismiss RMS's importance here (but the author manages somehow..)
The article goes on (and on and on), but I think it's fair to say that this is a fairly one-sided view of the GPL that looks like it was written by MS and Kenneth Brown just signed his name to it. Nothing here, just the usual FUD.
Many of the headlines are quite revealing about their intentions. Many are about the importance of MCSE:
- Inc. 500 Shops Value Certification Most (MCSE vs college degrees)
- Familiarity Breeds Respect
- Technology Trends: Program Provides Information For New Age
- The Impact of Technology Training Programs Case Study: MCSE Training
And then there are numerous anti-trust criticism articles: "Recruiters tend to hire MCSEs just as often, if not more so, than those with a four-year college degree."
"Eighty-seven percent of human resource managers surveyed believed that MCSE's are equally or more successful than college students."
- Break up Microsoft? Rest of world pooh-poohs the notion
- Press Release: Japan, Switzerland, and the EU do NOT insist on breakup of Microsoft, unlike the U.S.
- Fine Microsoft, use funds for new competition (anti-breakup)
- Fine Microsoft and use funds to catalyze new competition (anti-breakup)
- Break-up Remedy for Microsoft Not Supported by Key Democrats
- Technology and The Congressional Black Caucus (Microsoft anti-trust)
- Breaking Windows Over Antitrust Dogma
- Pause the Microsoft Case and Examine U.S. Anti-trust Policy
- Punishing Winners Hurts the Marketplace
- Suit Threatens U.S. Computer Dominance
- Taking a Byte Out of Microsoft
Etc. Also lots of articles about the precious intellectual property rights, although not specifically in relation to Microsoft. Make your own conclusions freely.
For example, if the Federal Aviation Agency were to develop an application (derived from open source) which controlled 747 flight patterns, a number of issues easily become national security questions...
FAA controlling the flight patterns of any aircraft is absolute nonsense! First, every pilot in the system would block it before it ever got past the talking stage, second it is just ignorant.
Maybe software to control the traffic flow? Sorry, that deflates this FUD too, since it would not apply to just one airframe and the author assumes that the people operating the aircraft are just going to let that happen too.
Maybe if he said some more nonsense about the FAA requiring all 747s to have this software? Nope, that is the NTSB and the manufacturers, and the latter would be marching on Congress like you have never seen before!
Hmm, here is a more believable thing to scare people with: "What if all automated traffic light systems had to run Open Source? Could you imagine the national security issue of flashing red lights all over the heartland?"
Eve Fairbanks says I drive a hybrid! LOL
This paper was prepared as part of The MITRE Corporation's FY00 Mission-Oriented Investigation and Experimentation (MOIE) research project "Open Source Software in Military Systems." This paper analyzes the business case of open source software. It is intended to help Program Managers evaluate whether open source software and development methodologies are applicable to their technology programs. In the Executive Summary, the paper explains open source, describes its significance, compares open source to traditional commercial off-the-shelf (COTS) products, presents the military business case, shows the applicability of Linux to the military business case, analyzes the use of Linux, discusses anomalies, and provides considerations for military Program Managers. The paper also provides a history of Unix and Linux, presents a business case model, and analyzes the commercial business case of Linux.
> Where are the "think tanks" that actually have people who can think critically?
Think tanks only need to think critically enough to fool their intended audience.
And this is for consumption by businessmen, legislators, and bureaucrats, so...
Sheesh, evil *and* a jerk. -- Jade
Of course any normal person would be utterly humiliated to have their name associated with this piece of nonsense. Perhaps that's why it has been pulled? I'd be interested if Microsoft really did pay for it. If so, I think they should feel a little cheated. The standard of FUD required in 2002 is far higher than this. Even the mainstream press are going to tear this crap to pieces.
Reality is defined by the maddest person in the room
I love the quote on backdoors and viruses. Windows systems don't have their source code publicly available, and yet that doesn't seem to stop the creation of backdoor programs and viruses.
I like how they insinuate that people would just download some code from the Internet, and then immediately put that into a production air traffic control system. Talk about a straw man argument.
Someone needs to explain to this think-tank (or senseless-opinion-tank) that people can do these things called code reviews. Ya see, if I download a new version of this mail client (for example), I can look at the differences between the current source and the last version I checked. Not only could I spot back doors, but I'd likely find some bugs too.
These guys that develop safety-critical systems (like air traffic control) are real sticklers for inspections, documentation, etc. I bet most of them would be glad for more independent reviews of the code they depend on, rather than just hoping Windows doesn't have bugs in it.
As for me, my requirements aren't as critical. When I downloaded OpenOffice from some mirror in Timbuktu, all I did was check the MD5 sum. The five seconds that took assured me that at least no third party inserted viruses or back doors in the program.
Wish I had kept my old sig...
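The two checks this post describes, reviewing the diff between the version you last inspected and the new one, and comparing a download's checksum against the published digest, as an added Python example that is not part of the original thread. The function names (verify_checksum, review_release, WATCHLIST), the two sample source versions and the release bytes are constructed for the example; the expected digest is computed inline so the script runs offline, whereas in practice the expected value should be taken from the project's own site or a signed announcement rather than from the mirror that served the file.

```python
import difflib
import hashlib
import hmac

# Constructed sample: the bytes of a downloaded release archive. The digest
# the project "published" for it is computed from these bytes below so the
# example is self-contained; a real check uses a value obtained out of band.
RELEASE_BYTES = b"openoffice-1.0.tar.gz (constructed placeholder contents)\n"

# Constructed sample: two successive versions of one source file from the release.
OLD_SOURCE = "def deliver(msg):\n    return msg.strip()\n"
NEW_SOURCE = (
    "import socket\n"
    "\n"
    "def deliver(msg):\n"
    "    socket.create_connection(('relay.example', 25))\n"
    "    return msg.strip()\n"
)

# Constructed watchlist: tokens whose appearance in *added* lines earn a closer look
# during review (new network or process I/O in a module that had none before).
WATCHLIST = ("import socket", "subprocess", "exec(", "eval(", "create_connection")


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of the downloaded bytes with the named hashlib algorithm."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_checksum(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Compare the computed digest with the published one in constant time."""
    return hmac.compare_digest(digest(data, algorithm), expected_hex.lower())


def added_lines(old_source: str, new_source: str) -> list[str]:
    """Lines present in the new version but not the old, taken from a unified diff."""
    diff = difflib.unified_diff(
        old_source.splitlines(), new_source.splitlines(), lineterm="", n=0
    )
    # Skip the "+++" file header; keep only real "+" lines, stripped of the marker.
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


def review_release(old_source: str, new_source: str) -> list[str]:
    """Added lines mentioning a watchlisted token; these get human review first."""
    return [line for line in added_lines(old_source, new_source)
            if any(token in line for token in WATCHLIST)]


if __name__ == "__main__":
    published = digest(RELEASE_BYTES)
    print("checksum ok:", verify_checksum(RELEASE_BYTES, published))
    print("checksum ok after tampering:",
          verify_checksum(RELEASE_BYTES + b"\x00", published))
    for line in review_release(OLD_SOURCE, NEW_SOURCE):
        print("review:", line)
```

SHA-256 is the default; pass `algorithm="md5"` when the project only publishes MD5 sums, as in the post. The diff step does not decide anything by itself: it narrows the human review to the lines that actually changed, which is what makes checking each new version of a mail client or office suite tractable.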
"Don't like the 'viral' nature of the GPL? Try this: WRITE YOUR OWN CODE"
If a business doesn't want to give away their code, they shouldn't weave in GPL source to begin with. If they do so, it's their OWN damn fault, not the GPL's.
Secondly, I still fail to see how this has anything to do with security. Open source is open source - whether released BSD/MIT style or GPL, it's STILL "open to hackers", which I thought was the point of the whole "risk" of Open Source security in the first place.
The Free desktop that Just Works
If we blindly take the assumptions of this article then only some DoD funded Unix should be used for Mission/Life critical systems.
There is a big distinction between the GPL and the BSD-style licenses. The GPL is all about making sure that people who use GPL licensed code release their new code under the GPL too.
.gov could pick up a bunch of GPL code, hire some hackers (or use the NSA) to brew their own system and simply make the decision not to share the code. That's nice and legal. They'd simply make distribution a matter of national security.
Except that using GPL code doesn't compel you to "release" anything. It only means that if you elect to share your code with another party, you do so under the terms of the GPL.
The
The only security issue with the GPL is the security of companies who derive revenue from selling proprietary code.
Howard Dean for president
Their main points are that the GPL is flawed due to requiring anything which uses GPL'd code [no matter how little] to be licensed under the GPL; and that most GPL projects encourage many unverifiable developers to take part in the project, resulting in potential malicious code being inserted without anyone else taking notice.
Please, take a moment and read the GPL. Then come back and ask people questions about it. (I believe there was an Ask Slashdot about it awhile ago...)
Using GPL'd code does not mean you have to automatically release all of your code. First off, the GPL cannot override other more restrictive licenses. If you don't have the right to GPL the code that you've included then you can't release it, you have to remove the GPL'd code instead. Second, the GPL's release/publish conditions are only invoked if you release/publish your code. This is a very important distinction. If you develop something "in house" for your company's use, then you don't have to release the resulting code. If you don't distribute it then you don't have to publish it.
As far as "malicious code" goes, look at all of the "easter eggs" and "bugs" in current "professional" code. How much overall code review do you think goes on when an entire flight simulator gets packed into a spreadsheet application? (You may have noticed how a Service Release deactivated it.)
In the Open Source world, if you doubt some code then you can simply audit it. Good luck if you think there's some backdoor lurking in the latest MS code. (Look at MS's WMP EULA that gives them permission to force downloads on your box in the name of "DRM".)
There's a reason that people use the cover of darkness to perform questionable/malicious acts. Having the source code for full review and scrutiny is the best way to shine a bright light into all corners.
--- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
On a lighter note, while many open source advocates are proponents for copyleft, they insist on trademark protection for their ideas.
...by posting notices in publications and websites that their trademarks are protected. For example, the notice on the OSI website reads, "... To identify your software distribution as OSI Certified, you must attach one of the following two notices..." The same is true for a number of prominent open source firms including VA Linux.
You bet they do, or else commercial interests would steal their work and profit from it, without due compensation to the creator.
I hear the Red Cross and Salvation Army have trademarks as well, which they zealously protect, even though they are in the business of giving stuff away to those in need.
The Free Software Foundation, the Open Source Initiative and a number of other organized GPL enthusiasts protect their "marks"...
Putting the word "marks" in quotes in this context seems to imply that not-for-profit trademark holders are not holding "real" trademarks, and therefore the author of the paper feels entitled to sneer at them.
This is the most damning section of the entire document, in my opinion. The author betrays his contempt for the fact that open source advocates utilize the copyright system as it was intended: to control the distribution of their works. What burns this author the most, however, is that he knows they are correct and the GPL succeeds at its aims, which is preventing GPL code from being hijacked by proprietary, closed source projects. This makes him very angry, and he can barely conceal it in this paragraph.
While each of these firms would insist that they are not against copyright protection, invoking the protections argues that they are against people copying their marketing documents and symbols.
He left out the crucial phrase at the end of the sentence: "without authorization." This guy is really burned that the GPL is successful. And it seems clear to me now that "this guy" is the Microsoft FUD^WMarketing department. Their past FUD releases on this topic have been infamous for conflating trademark and copyright, as well as copyright and copy-prevention.
Now I gotta go take a walk, because I am worked up. But man, this is the most blatant and desperate FUD I have read in a long, long time.
Edith Keeler Must Die
And your point, Mr. Brown, is exactly what?
First point: Today I mistakenly started up IE's infamous "Windows Update" feature for the Win2K installation on the SunPCI card in my Ultra 10. The first "update" it wanted to install was the MS "Automatic Updater" so that Microsoft could cram changes to my system software down my throat whenever they chose to. Mr. Gates does not own my hardware, the State of Texas does. Given Microsoft's track record in the security area, please explain to me the exact difference between this "feature" and a "back door or worse, a dangerous virus"?
Second point: Microsoft's "Windows update" service is ONLY available over the internet and is usually the ONLY source for critical security fixes and other patches for Microsoft products. Please tell me exactly how that differs from the normal distribution channel for GPL software.
Reverse engineering "harbors very close to IP infringement because and has staggering economic implications."
Please show me your bar number before you start rendering legal opinions, Mr. Brown. The only class of Intellectual Property that is infringed by reverse engineering is patents. Specifically, so-called "clean room" reverse engineering of copyrighted works has been repeatedly blessed by the courts as an exercise of the fair-use doctrine.
"On a lighter note, while many open source enthusiasts are proponents for copyleft, they insist on trademark protection for their ideas."
Mr. Brown, this "lighter note" comment of yours is little more than a cheap shot that openly displays your lack of understanding of the subject matter on which you write.
"Open source enthusiasts" not only avail themselves of trademark protection, they also assert and defend their rights as copyright holders. This in no way conflicts with their advocacy of the principle of copyleft. What it DOES do is give them the power to enforce the particular license (GPL, LGPL, BSD, or other) under which they choose to release their software.
"If a software application representing 5000 hours uses GPL code that reflects only 100 hours, is the GPL fair in its argument that the entire product is GPL? This point is of considerable concern to software companies that value their secrets, design and architecture strategies. Proponents of the GPL argue that each party in the exchange is benefiting equally, but without a means to properly make this evaluation, this position at best is over-assuming."
Answering your questions in order:
Yes, if it's my GPL code, it most certainly IS fair. If Microsoft, Adobe, Symantec or whoever, wants to license my code for use in their proprietary product, I will be HAPPY to negotiate a special *non-exclusive* license with them for a SUBSTANTIAL fee. HOWEVER, if their objective is to take my code without payment and claim it as their own they had better be ready for MAJOR litigation.
"The federal government's information systems requirements intersect countless sensitive operations. The limitless potential for holes and back doors in an open source product would require unyielding scrutiny by staff that decided to use it. For example, if the Federal Aviation Agency were to develop an application (derived from open source) which controlled 747 flight patterns, a number of issues easily become national security questions such as:
They already do. The FAA's Air Traffic Control Database uses Oracle 9i Real Application Clusters running on Dell PowerEdge servers and (surprise!) Red Hat Linux.
Apparently the FAA thinks it's a better gamble than hoping that no one with an old copy of debug.exe will find a buffer overflow in Windows 2000 Advanced Server.
Again, you clearly demonstrate your lack of knowledge in this field, Mr. Brown. GPL software is NOT public domain. It is private property released for public use under license. It is no more public domain software than Windows XP. And
However, a more cogent inquiry would be "If the FAA's Air Traffic Control System is exposed to access from the public internet, shouldn't we fire all the boneheaded bureaucrats that decided it SHOULD be?"
Most of the
Mr. Brown, your white paper exhibits a failure of understanding of your subject that I find very disappointing in one who would call his operation a "think-tank". You entitle your publication "Opening the Open-Source Debate,"
utter rubbish
Of course this guy is funded under the table by Gates and his minions.
I googled for Andre Carter of Irimi Corp., whose comments Mr. Kenneth (or whatever frickin' name he has) values more than anything else, and this is what I found:
One pro-Microsoft observer credited Gates with being precise and helpful. "His testimony has been soaked with real-world examples, [and it shows] he understands the ramifications of how the states [want to affect his business]," said E. Andre Carter, CEO of Irimi, a Washington-based mobile and wireless consultancy, who also works for the pro-Microsoft lobbying group Americans for Technology Leadership.
BINGO!
When idiots like these make money by lying through their teeth, spreading FUD and otherwise confusing the idiots who make decisions in the Senate and everywhere else, this industry, this country and the world we live in have such a fucked up future.
Rapid Nirvana