Slashdot Mirror
MITRE Corp. Report On Open Source In Government
Jeremy Allison (of the Samba team) writes "Very interesting paper just published by MITRE corporation. (In PDF - they've learned not to use Microsoft Word. :-). Highlights: 'The main conclusion of the article was that FOSS software plays a more critical role in the DoD than has generally been recognised.'; 'Create a "Generally Recognised as Safe" FOSS list ... including Linux, OpenBSD, NetBSD, FreeBSD, Samba, Apache, Perl, GCC, GNAT, XFree86, OpenSSH, bind, and sendmail.'
'FOSS' stands for 'Free and Open-Source Software.' Looks like these people 'get it.'"
"Generally Recognised as Safe ... bind, and sendmail."
:)
I'm all for Unix server software, but BIND and Sendmail? True, they haven't been bad lately, but both of these are former poster childs for the land of remote root exploits. Yet Qmail, djbdns, and Postfix--some of the most secure software ever made, is strangely absent.
Well, it is the government. They are making progress in their own little way.
Computer Science is no more about computers than astronomy is about telescopes. --E. W. Dijkstra
Nice to see some of our tax dollars not going to waste on over-priced under-powered software.
...
I suppose this means there will be more job openings for geeks in government possisions. Get out your resumes guys and gals
No sig for you. YOU GET NO SIG!
About time somebody did something like this. I mean, to the average Joe, the advantages of FOSS are obvious. But the DoD need documents, papers...anything written. It's similar to businesses WANTING to pay for software and therefore keeping away from FOSS.
I guess everyone was waiting for somebody to basically do a "study" or write a paper that could be quoted or "fallen back upon" if you will.
Then again, this report is about the fact that FOSS already plays a more critical role. My point is, it's high time somebody came out and recognised the fact. Great job on the paper.
Find a job you like and you will never work a day in your life.
A very minor and unimportant comment:
Most companies when publishing in PDF format do so, not for openness but to preotect against copying or modification.
For example, my company works extensively with the FDA and we publish all our standard operating procedures (SOPs) in PDF format since it's so difficult to copy. We rely not on the openess of the format but on its limitations. Not earth-shattering but I wanted to mention that PDF is not a particularly open format, despite its structures being well known.
This list would provide quick official recognition of FOSS (Free and Open-Source Software) applications that are:
(a) commercially supported
(b) widely used and
(c) have proven track records of security and reliability (eg. as measured by speed of closures of CERT reports in comparision to closed-source alternatives)
Gmanske.
While the Navy has its much-farted-upon attempt to build Win2k-powered "Smart Ships", the NSA has been developing SELinux (Security Enhanced Linux), their homebrew kernel.
It seems that the right hand doesn't see what the left hand is doing. That's the USA federal government for you. However, based on the existance of the "safe" FOSS list, perhaps the DoD is rethinking their investments in eN Tee. I sure hope so, for the sake of national security. Meh.
"I am root. Bow before me." To this I say, "You are root, and you bear the sins of the world upon your shoulders."
In this paragraph MITRE seems to infer that GPL'ed software is some how more secure, or better able to be secured then other software.
"For Security, use of GPL within
groups with well-defined security boundaries should be encouraged to promote faster,
more locally autonomous responses to cyber threats. "
Page 3, Example 2.
This really makes no sense to me. Especially when the majority of the software they list as "heavily used infrastrucuture tools such as "Linux, OpenBSD, NetBSD, FreeBSD, Samba, Apache, Perl, GCC, GNAT, XFree86, OpenSSH, bind, and sendmail," are a good portion of NOT licensed under the GPL. (Yes I realize some, are but the majority of that list are not.)
Doesn't make a lot of sense. Considering most people would agree the most secure OS out there is OpenBSD.
Banning Free and Open Source Software would remove certain types of infrastructure components (e.g., OpenBSD) that currently help support network security. It would also limit DoD access to -- and overall expertise in -- the use of powerful FOSS analysis and detection applications that hostile groups could use to help stage cyberattacks. Finally, it would remove the demonstrated ability of FOSS applications to be updated rapidly in response to new types of cyberattack. Taken together, these factors imply that banning FOSS would have immediate, broad, and strongly negative impacts on the ability of many sensitive and security focused DoD groups to defend against cyberattacks.
Starting on page 32, theres a very nice glossary of common Free and Open Source Acronyms.
In PDF - they've learned not to use Microsoft Word
.doc file, so it's slower to download too!
and it's a darn shame...
I hate it when documents are in a format that requires me to download a 10 meg viewer program to view in windows, while you can open up any old word file in wordpad (which comes with windows). It's nice to inconvenience 90% of computer users. PDF files also tend to be huge compared to
GoatPigSheep, the 3 most important food groups
Isn't anybody gonna mention that RMS is going to say that FOSS should really be reffered to as Dental/FOSS?
If Mr. Edison had thought smarter he wouldn't sweat as much. --Nikola Tesla
whatever happened to good old ASCII or ISO text files? nothing says cross-platform than an ISO format
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
I work for the DoD (and am lucky enough to work with MITRE folk as well), and we go for the open source solution whenever we can. Why? We're in security. We absolutely NEED to be able to hack our own code whenever necessary. We can't afford to be taken down by any sort of attack, whether it be a worm, virus, or directed attack -- and I'm not talking "afford" in the sense of a dollar amount. We also like to be able to do things like add signatures to our IDSs whenever we feel like it. We often notice and track new virus and worm activity before it "breaks." We can't wait for vendor updates.
I've sat through meetings with vendor reps where certain office members tore the reps some new orifices. I've heard from a *major AV/Firewall company name deleted* rep "Oh, you use open source FREEWARE! Well, if you want to go with something totally insecure that has absolutely no support and you don't know exactly what the code actually does..." The rep then sat there in stunned silence as the department head launched into a detailed tirade about how every member of the office not only knew what the open source we used did, most of us could re-write it if we needed to. The rep actually blushed and admitted that if we could do that, we didn't need their product.
Most of our offices do use Microsoft on most of the standard user desktops... but it's open source hacked-to-hell code that runs everything else around here! Well, aside from the gallons and gallons of coffee and Mountain Dew that runs the people..
Moderation totals that amuse me for one of my posts: Flamebait=1, Insightful=2, Funny=2, Overrated=1, Underrated=1
I've always wondered about the supposed lack of "FOSS" at DoD. Aside from SE Linux, there are other quite public acknowledgements of support for open source software. From the back of the OpenBSD 3.1 CD case:
"This effort sponsored in part by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Material Command, USAF, under agreement number F30602-01-2-0537"
Kind of a big hint that someone somewhere in DoD thinks highly of OpenBSD.
Of course, this support may have since been reduced or eliminated due to the same pressure that the NSA faced with SE Linux.
null sig
By the way, the document summary shows that it was originally a Microsoft Word Doc titled "Microsoft Word - 3DBD823B-1ABD-0AA6.doc" with the author being www.
Interesting that the DOD uses GnuPG, Linux, Linux (Red Hat), FreeBSD, NetBSD, OpenBSD, OpenOffice, Perl, Perl CGI Scripts, PerLDAP, PHP, Tcl/Tk and TCP Wrappers, amongst others.
A rant I wrote a few months ago:
/rant
Someone please respond because I love being proved wrong.
Some background. My unix like operating system experience is limited. I'm trying but I keep going back to window$ because I play too many games.
What is the deal with OpenBSD?
I thought this product was supposed to be a secure OS.
Here's some funny stuff.
www.openBSD.org
Have a look at the tagline:
One remote hole in the default install, in nearly 6 years!
Uh huh.
1. DNS resolver libraries. Remote - execute arbitrary software. (not that they actually say that ANYWHERE)
2. OpenSSH malicious auth response - execute arbitrary software.
Let's split hairs about "remote holes" shall we?
Then...
Looking at the cert vulnerability announcement on DNS resolver stuff:
http://www.cert.org/advisories/CA-2002-19.html
I love the OpenBSD advisory section. SOOOO helpful in understanding what patchlevel is required or where to go to get it.
Go to OpenBSD's website and look up the patch.
007: SECURITY FIX: June 25, 2002
A potential buffer overflow in the DNS resolver has been found.
A source code patch exists which remedies the problem .
mmm... VERY informative. References or discussion perhaps?
OK now admittedly I'm not a BSD / UNIX expert but isn't JUST releasing source code just a little bit stupid? Now I have to have compilers and libraries on my supposedly secure box just to apply security hotfixes? Not to mention how bloody unfriendly this is for the new user to the OS. I can see there would be quite a few unpatched OpenBSD systems out there because of this rubbish.
Am I mad, stupid or just missing something?
rant/
Just to add some info here. Just because an article talks about usage and approval of FOSS in the "DoD" (Department of Defense), it doesn't mean that there is signifigant usage. Remember that the DoD is comprised of some management overhead and three sub departments: Army, Navy, Air Force. While Linux may be used and even endorsed by the "DoD", it's usage is not permitted without one hell of a waiver process in the Department of the Navy. Especially under NMCI(Navy Marine Corps Intranet), Linux is not even listed as an approved legacy system, much less something EDS will agree to support.
Additonally, each branch of the service is autonomous in IT management, which means there are FOUR DIFFERENT ways of running a network with the associated FOUR sets of management overhead and of course, they aren't interoperable. This is a fairly generalized statement, but most of the systems I deal with daily in the Marine Corps are specific to us and don't work with the other services systems despite the fact that they all do the EXACT SAME THING.
So kids, the moral of the story is: Write you congressman and complain about the misuse of your tax dollars. And don't forget to tell them that free software == excuse for lower taxes == more votes for them.
I've dirtied my hands writing poetry, for the sake of seduction; that is, for the sake of a useful cause. --Dostoevsky
Open with Acrobat Reader, File->Document Properties->Summary... reveals:
Title: Microsoft Word - 3DB823B-1ABD-0AA6.doc
Furthermore, the PDF file was created by http://createpdf.adobe.com - which allows one to upload files and have the processed into PDF - 15 for free, more for $$$.
Seems like they didn't find out that ghostview allows you to generate pdf files as well as view them...
Ubi dubium ibi libertas: Where there is doubt, there is freedom.
Last I checked the BSD's were first:
"The General Public License (GPL)4 is the original FOSS license, and GPL software is simply FOSS software that is covered by the GPL."
Page 12
This report is really full of holes. In the chart it says that BSD and Artistic licensed software cannot be combined with closed source software.
In page 22:
[i]Ironically, a thoroughly rigorous and systematic ban on DoD use of FOSS could also affect a number of proprietary product that rely on FOSS products that permit incorporation of FOSS into their closed-source products. For example, Microsoft Office uses the FOSS zlib collection of data compression software, and thus could technically be banned as a product that incorporates FOSS software.[/i]
So, do you distribute that hacked-to-hell "open source" code, if you're so confident in its abilities?
Imagine if an Al-Qaeda hacker -- trust me, some computer science programs and IRC channels in this country and especially in Europe are not unlike those flight schools for them -- got ahold of some of that open-source code, browsed through it, and immediately found a really nasty root exploit due to some quickly-hacked up code.
Do you think he would be altruistic enough to report it, or would he try everything he could to cause havoc -- perhaps give out wrong intelligence to troops so they could cause another Afghan Wedding Party massacre or Chinese Embassy bombing, or steal some valuable intelligence and use it to plan terror attacks?
While open source is good, the DoD should be a bit more careful about being so open.
Weren't they the defense contractor with the absolutely awful security in Cliff Stoll's _The Cuckoo's Egg_?
May we never see th
Yes, there may be holes in the article, but overall it just makes sense for the people in the defense industry to use open source. Their GRAS list is rather accurate- and don't forget in essense that any system is only as stable as the sysadmin behind it; that goes for NT networks as well.
The report also no makes no differentation between Open Source Software like FreeBSD, OpenBSD, and Apache; and Free Software which generally always refers to software under the GPL or LGPL. Like Linux, gcc, or GNATS.
"The word free in FOSS refers not to fiscal cost, but to the autonomy rights that FOSS grants its users. (A better word for zero-cost software, which lacks such rights, is freeware.) The phrase open source1 emphasizes the right of users to study, change, and improve the source codethat is, the detailed designof FOSS applications. Software that qualifies as free almost always also qualifies as open source, and vice versa, since both phrases derive from the same set of software user rights2 formulated in the late 1980s by Richard Stallman of the Free Software Foundation."
The writer of this report does not make differentation between Open Source and Free Software. He call's things under a BSD license with no cost, and no restriction on rights, freeware. (Freeware does not mean OSS. Freeware is closed source software, that is given away at no cost.) While in the next setence pushing the view that all OSS is GPL'ed.
This report is a grave disapointment.
The servers for this office were of Sun origin. The clients were mac's. Executives got power mac's. Of course, there was free software on the Sun boxes at the time.
My favorite special facility though had some type of unix I did not get to inspect freely. They were running a modified version of a free MUSH. It was not my area of concern. The administrator refused to answer questions regarding it; though, I tried to entice knowledge from him.
I know it's DoD SOP to coin TLAs for everything, but FOSS is just lame. Reminds me of dental FOSS.
Guess they couldn't use OSS, cause that's another government agency, right? What about DFSG...
I work in the trenches so-to-speak.
The good news is that the DoD is paying attention to Linux in a big way. Undoubtedly, Solaris, HP, and SGI were among a few of the favorite big ticket items that the DoD likes to purchase. However, there is a small number of people who are using linux. We're expecting that number to grow.
Mitre gets it -- they're pretty smart folks. But does the rank-and-file military? By and large -- no -- although there's more currently than say 18 months ago. Some are still caught of in the security problems linux has. Others are just ignorant by calling it "freeware" -- when linux really rises to a level above the typical "freeware" moniker.
The military is really a bargain buyer -- yes they don't want those M16's to explode -- but they don't want to be bled dry for a shoddy system, either. Especially when they have to report to a congressional subcomittee explaining why they blew billions of taxpayer dollars on incompatible systems.
The DoD has been asked to conduct internal software audit or trash MITRE report on FOSS.
Even the GPL does not require anyone to distribute their customized in-house modifications.
I do hope that some employees who are exposed to open source, its benefits and the values of the community behind it contribute to open source projects in some way.
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
"Generally Recognised as Safe...
;)
Recognised?!?!?! The MI5 has infiltrated the DoD!!!!!
Get over it. Most things in this world do cost money.
Good, I'm glad they get it.
Now let's slashdot the 1.5 meg PDF file and have them get it some more.
Text you fools!
-Tom
A lot of people will begin to think about the converse, "What if Closed Source were banned from the DoD?" or even more specifically, "What if Closed Source from companies found guilty of breaking federal law were banned from the DoD?". I wouldn't be surprised if the answers were "not much change" and "things improve", respectively.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
'FOSS software'?
yes that is right even though the paper makes it sound like GNAT is a separate project from GCC, they are now one, GCC (GNU Compiler Collection). Their description says they are one now but I think this description was copied from each of their web sites.
Also is not RTLinux longer consider free software, because it restricts more than the GPL due to patents?
Also looks like they do not use csh at all which is under the BSD license. or pdksh which is in public domain, they are the default shells on OpenBSD.
They are also missed Binutils from the GNU which is the assembler and linker for most open/free operating systems.
Also is there not versions of sed and make and m4 and top that are under the BSD license?
Is perl not dual licensed, GPL and artistic?
I'm not trying to torch anybody's favorite software here, but both djbdns and qmail have drawbacks.
The biggest issue is the license. Qmail is limited to source-code only distribution, with an exception being made for precompiled binaries if they behave exactly the same as qmail normally behaves. Information here. This means that if you want qmail not to throw all of its binaries under /var and ignore most of /etc for configuration files (which it normally does), you have to compile and patch it by yourself. Also, there is no distributing patched versions, so if D. J. Bernstein dies tomorrow, qmail development is effectively frozen until qmail passes into the public domain decades later. That includes any security/performance patches, as well as ports to other architectures. Djbdns has a similiar license.
There is also compatability. Djbdns does not support certain zone transfer mechanisms. It ignores some IETF standards entirely and impliments its own version instead. I get upset when Microsoft twists and corrupts public standards for its own ends, and I get upset when Bernstien does it as well. I'm lazy, I don't want to have to doublecheck if my DNS servers supports a certain standard if my cofiguration changes. Qmail is more of a quibble, I don't like how it throws everything in /var. (And I'm not sure why the world needs qmtp)
I'm not saying that a lot of people and smaller sites won't find qmail/djbdns (and the rest of Bernstein's software) useful. They seem to be secure, and they do their job as long as everything is compatible.
However, one of the reasons why I avoid proprietary software for many tasks is that I don't want to hitch my wagon to somebody else's horse. If I go with a MTA that is wildly used and is GPL or BSDl, I am assured that development does not rest solely on one person. And if I go with standards-compliant software, it ends up being less of a hassle in the long run.
Djbdns and Qmail aren't bad. But they have licenses that limit distribution and development, and they break interoperability.
I didn't even know Microsoft has that restrictive license. It says here that it "Specifically bans use of: GPL, LGPL, Artistic, Perl, Mozilla, Netscape, Sun Community, and Sun Industry Standards."
Microsoft's site shows the license. It's really true. This particular EULA seems to be for a "Microsoft Mobile Internet Toolkit Beta 2". They actually call OSS as "Potentially Viral Software" in the license.
dick blowjob dns. genius, my friend. pure genius.
> Software that qualifies as free almost always
> also qualifies as open source, and vice versa
One of the reports' three recommendations is to create a "Generally Recognized As Safe" list of Free or Open Source Software. The stable distribution of Debian has already done this. If the DoD is looking for a base set of packages, then Debian looks to be the set to work with.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
In AFTER CHRIST
the war started 2101.
Captain: Product he himself that?
Mechanic: Somebody the bomb installed for us.
Economy of the restaurant: We receive the signal.
Captain: Which!
Economy of the restaurant: The main screen is inflamed.
Captain: You have!
Chats: As you gentlemen go!
Chats: All its base is in belongs them.
Cats: They are in the way in the destruction.
Captain: How it so-called!
Chats: They do not have settle of the luck its hour to survive.
Cats: Hectar to hectar to hectar of Hectar....
Economy of the restaurant: Captain!
Captain: Each ' Zig ' removes!
Captain: They know, that it who makes.
Captain: displacements ' of Zig '.
Captain: For the great law.
Woohoo, finally figured out how to replace Microsoft Word with ... Adobe Acrobat? What the Fuck? Did we just spend 4 times as much?
2. Why would the DoD distribute their modified code? Perhaps they would send a patch to Apache or whatever if it was sufficiently general interest, but I suspect most of the modifications have to do with security policies particular to them.
Same as everybody else I'd guess, not having to keep their own branch and re-implement any fixes in the public branch, keeping track what they have fixed and public branch haven't when the interface changes. Of course, the NSA could probably afford that, but the benefits are few...
Kjella
Live today, because you never know what tomorrow brings
If somebody finds a bug in, say Linux, that can be exploited against both Sendmail and Qmail, the Sendmail folk will fall all over themselves to find and distribute a workaround. Bernstein, on the other hand, will likely just smile and say "not qmail's fault". This doesn't do much good for people who are actually using qmail in the field and will need to create and distribute their own patches on the back-channels -- and then integrate them with the myriad of patches out there.
I really believe that Qmail's license was and is the biggest barrier to it's more widespread adoption.
OS Software is like love: The best way to make it grow is to give it away.
As a Debian Developer, allow me to strongly disagree. There is a lot of software in Debian! It's as reliable and trustworthy as we can make it, but a lot of stuff doesn't get banged on very heavily (some of it is downright obscure), and the best we can really say is, "we haven't found any obvious problems". Which is a whole world apart from "Generally Recognized As Safe."
Now, anything that's FOSS and GRAS is probably in Debian, but being in Debian stable is only evidence of being FOSS and NPU (Not Proven Unsafe).
I think that the idea of having an external list of FOSS/GRAS software is an excellent one. Moreover, I doubt if Debian wants to accept responsibility for maintaining such a list.
Seriuously. There are established procedures for keeping people out. If you're not at a very minimum using HTTP Basic authentication, it's the equivalent of setting up a billboard, or leaving a stack of papers face down on a public sidewalk in hopes nobody flips the stack over. Reasonable and innocent curiousity is not a crime, nor is reasonable reporting of the reslults of such.
A friend once got sued for using a "guest" dialup account with a null password from a local telco back in the early 1990s, when net access was damn expensive and for the most part not available to kids. He didn't set up a BBS or crack any passwrd files. He just used the guest account to telnet into some MUDs and read some newsgroups. Luckily, the jury decided it was reasonable for him to assume that as a customer, the "guest" account with no attepts made to restrict acess applied to him.
If you put a table in your front yard with a "free" banner hanging over it, it's kinda hard to charge someone for trespassing if they walk up and eat a few brownies off the table when you weren't arround. Maybe it is your yard and maybe they were your brownies, but you implied consent in a major way by putting them out there in that context. If you really only meant for the paper cups next to the brownies to be free, it's your problem. In fact, it's false advertising if you try and collect damages.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
I'm actually quite relieved to see that they don't include csh. I think that's just good sense. As for pdksh, I doubt if even BSDers use it very often, so it probably fails the widely-used test. I actually know of more people that use ash (recently renamed dash), which is originally from NetBSD, but is now found on many other systems (Linux, FreeBSD, etc.)
If I were Al-Qaeda and still trying to attack us (and they are), I would use some of the billions that we have not found, to influence USA (and friends)to install an unsecured OS that can be cracked. I would have to get midde men who would then buy off senators and Reps with money and perhaps with off-beat arguments of "What is good for the US business is good for security" (btw, that is rarely true). I would get this unsecured OS/programs into every single niche of US life and then attack with a virus/worm.
By now, I would have to guess that at least a dozen senators/reps are busy pushing MS every where becuase some group other than MS has been paying them large money to do so.
I was recently at a conference where several vendors promised that their anti-virus product "stopped attacks 100% of the time." I didn't bother pointing out that that wasn't exactly likely or sustainable in an operational environment.
Someone else at the conference mentioned a foreign vendor whose firewall was supposed to stop 100% of traffic -- well, it did. However, it blocked ALL network traffic to the machine it was installed on and was not reconfigurable. Hey, it did what it was advertised to do, right?
Moderation totals that amuse me for one of my posts: Flamebait=1, Insightful=2, Funny=2, Overrated=1, Underrated=1
Because what you had to say is about right.
;-)
Don't use qmail, use postfix. It's more secure, faster, simpler to use, and it has a much better license. Also, Weiste Venema is a much nicer person
himi
My very own DeCSS mirror.
I get "Connection Refused" from the link to the article.
I took a class recently conducted by a Major ( in the Corps) who informed me that Linux is used for firewalling at the higher echelons of IT in the Corps. As for other services, I can point you to quite a few Navy guys running Linux mailservers. The Navy is much less regimented than the Corps and their IT think nothing of going Fry's, building a nice Athlon system, and throwing Linux on it. That would never happen here in the Corps unfortunately. I'm sure if I'm in Kuwait in six months setting up a network and the only way to get said network running was through the LEAF project, I'd get the go-ahead until we could get some expensive, proprietary firewall sent to us. The poster above is pretty much dead on. Each service does have its own way of going things. Just head on over to Netcraft.com and see what the Army's running for a webserver.
This guy is way out there
I'm confused. If open source is so good, then why does it have to be "hacked-to-hell" ?
He said he works for the DoD. All really good software must be hacked and trashed a bit do be acceptable in that environment.
Therefore, open source - scramble it using the DIICOE process.
Anything Microsoft - Pre trashed, no changes necessary.
You are checking your backups, aren't you?
-1 Offtopic FOSS/GRAS? What is this, a French restaurant?
(In PDF - they've learned not to use Microsoft Word. :-).
Ok and how is PDF any better then Word?
The USA or DoD does not class me as an IT Specialist.
I have never worked in an IT slot in the USA or DoD.
I had a Linux PC up running a test Apache website in the ".mil" domain back in 1997. I developed a very basic one-week Linux course for and delivered it to key-personnel for a couple "train-the-trainer" sessions. I am also not a trained instructor and/or BS type person. I also did similar (except for time line) with Cisco, telephone circuit and packet switching networks.... So,
Okay, why AFT, Yippee, Dang, because in non-social situations, I have always believed that security is greatly helped when you can be sure of every line that may be used against you. Then you can hope that, you are smart enough in the environment and no line goes over your head. So, god bless the USA and pseudo-savants everywhere.
Jadi
Reality is a self-induced hallucination.
I would say that the license that gives the most freedom is the license that publically funded development should have. Guess what: that license is not the GPL
This is a tired argument, but to recap:
Long story short, GPL is analogous to a constitution protecting the freedoms of its citizens (users) by constraining in a few minor ways what freedoms the developers can deny their users.
The BSD license is more akin to a democracy with no constitution, or no strong constitution, which constrains the developers little or not at all, at the expense of leaving the users with no protection of their freedoms.
Both licenses are appropriate in some circumstances. BSDL is good for getting protocols, algorithms, and other standards widely accepted by allowing proprietary as well as free products to use the code (good example: ogg vorbis), while the GPL is excellent at insuring that a project remains free in perpetuity.
Software funded by tax dollars is funded by the users. It is therefor more appropriate to have a license which protects the rights and freedoms of the users who are paying for the developmnt over those of the developers who are being paid (though of course developers benefit immensly, in having their freedoms protected with respect to contributions by other developers. Not every user is a developer, but every developer is a user somewhere along the line).
The Future of Human Evolution: Autonomy
The DoD is under tremendous pressure to have Microsoft blessed as the only products they use, as Microsoft has learned how to lobby and started throwing lots of money at this. The government is a huge purchaser of systems, and there are many legacy things out there. Since the past 10 years or so have brought many fresh college grads into the workforce, many of whom only know Microsoft products, there is pressure on the technical selection folks to replace with Microsoft since those precious MCSE's only know these platforms.
This report is probably an effort to build some evidence and support on why wholesale replacement of everything with off the shelf would add costs and hurt national security. Probably also explains IBM's (and others) shift to support Linux and variants over the past few years as they saw Microsoft tactics refined.
And, Microsoft's more recent license agreement language seems pointed at providing a legal reason why they need to be the only platform, since there are no technical reasons.
Sleep is for the Weak
After all, they're MIT. MITRE stands for MIT Research. For the uninitiated, MIT is Massachusetts Institute of Technology.
Laws affecting technology will always be bad until enough techies become lawyers.
Qmail is not really an open source software/ free software program. See my paper at http://www.dwheeler.com/oss_fs_why.html for an explanation.
- David A. Wheeler (see my Secure Programming HOWTO)
A common assumption about FOSS licenses such as GPL is that their transitive user rights
means they cannot be used with non-FOSS (e.g., government or proprietary) software. However,
this is generally not the case; such mixing can generally be done in various ways. For example,
even GPL with its strong protection of transitive user rights provides a number of mechanisms to
allow such mixing (Figure 1). Microsoft 5 provides a good example of an innovative use of one
such mixing strategy in their Windows Services for Unix (SFU)6 product.
This is an incredibly misleading statement. Nobody has ever assumed that GPL software cannot be used on the same system as proprietary software. This ignores the fact that you cannot link a GPL library into your proprietary code. For a company that writes top secret material, this is somewhat concerning that they would ignore this.
"so 'many 'quotes'; (and) "random?" 'punctuation!"' 'HELP!'"
Look for bolded text.
Regurgitate bolded text.
YAY +5!
In military context, it's spelled Materiel, a holdover from the olden days of the French dictator Napoleon
I couldn't get my work done if I didn't have this open source software. It is all over every government system I work on. And those programs work much better than most of the proprietary ones.
It was written by:
Terry Bollinger
The MITRE Corporation
1820 Dolley Madison Blvd.,
W534 McLean, VA, 22102, USA
terry@mitre.org
Terry Bollinger currently works at The MITRE Corporation, where he focuses on distributed software and hardware architectures issues for U.S. Department of Defense information infrastructures. He is an editor for IEEE Software, and was one of two Special Editors for the Jan/Feb 1999 issue of IEEE Software on Linux and open source software methods.
Terry has had extensive experience at all levels of software development in the telecommunications industry, at NASA, and for the U.S. Department of Defense. Especially while working in the telecommunications industry, he has had extensive hands-on experience with both a wide range of software construction methods and approaches, and with the consequenses of trying to apply some of these methods in "realistic" environments in which there is a typical spectrum of developer experience (e.g., what happens when C++ is applied in and environment consisting almost entirely of long-term funcional C programmers). Terry also has a strong background in software reusability and software process, including an IEEE Software Best Paper on why software process improvement doesn't always give the kinds of results advertised, and is intrigued by the issue of why some programmers seem to be so much better at producing high-quality, stable code that endures over time. In terms of software construction issues, he is both highly familiar with the overall set of techniques involved (including newer methods such a graphical component based programming), and is strongly supportive of the need for good methods while also being heathily skeptical about a lot of the claims made for various software construction methods and tools.
Terry has M.S. and B.S. degrees in Computer Science from the University of Missouri at Rolla, and has been a member of IEEE for 23 years.
As of yet, there's not enough incentive for the non-ideologically driven to drop Word and switch to an open source product. Large organizations, and MITRE is large, already have Word sitting on thousands of desktops, they've paid for it, and they've sent employees off to "How To Use Word" training. Bringing in a Word replacement means additonal time and cost (installations, tweaking, employee training, help desk training, etc.) without a compelling payoff --you pay for the transition and your capabilities remain essentially the same.
Open source office suites will need to do a lot more than be "free" and successfully mimic MS Office before they're become worth the price of switching.
-- Slashdot: When Public Access TV Says "No"
What I find really distasteful is the above phrase's incorporation of "MIT". Microsoft tries to pass it off as standing for "Mobile Internet Toolkit", but personally I believe it was intended to sound like (and evoke the favorable sentiments associated with) the Massachusetts Institute of Technology AND the associated, like-named OSS license.
.
- First they ignore you, then they laugh at you, then ???, then profit.
If the bug was in Linux, shouldn't the patch be done to Linux? And why should Bernstein take responsibility for bugs in other people's code?
Besides, Bernstein does fix his software when vulnerabilities in some platforms are discovered. He did it with his daemontools package (his replacement for inetd).
Je ne parle pas francais.
Somebody there was aware that there was a bunch of people who argue about the differences between "Free" and "Open" and which one is better, while for all practical purposes they are exactly the same. Combining the acronym was a good way to not take sides in the argument (I suspect the authors had no opinion either). I also think a word starting with a consonant is easier to pronounce and put into sentences.
They mention MySQL but omit PostgreSQL? They list Tcl/Tk but not Python?
Slightly less than a complete list....
No offence to you, Sivar, since you're an innocent victim of this offtopic rant, but it's unfortunate that you can click a box to disable peoples .sigs, but there's no box to disable comments about people's sigs. If only...
They pretty much screwed me royally on a contract. They had no intention of completing it, they were just trolling for employees. When I wouldn't accept their job offer (at less than half of my consulting rate - a rate which THEY had offered in the first place) they dumped me with no notice. Then they proceeded to use the 10 weeks of work I did to satisfy a whole year's contract requirements to the NSA. (I started going out with a woman in the office after I left, which is how I know.) The agency I went through told me they had actually dropped them as a client because they had done the same thing to others. The people there were generally nice and there was interesting work, but the local management was pretty ruthless. YMMV
The revolution will NOT be televised.
What is the difference between a real song and a simulated song?
The definition of free in the article quotes Stallman's definition of free. A part of Stallman's definition of Freedom is:
"The freedom to redistribute copies so you can help your neighbor (freedom 2)." and
"The freedom to improve the program, and release your improvements to the public, so that the whole community benefits. (freedom 3). Access to the source code is a precondition for this."
Does anyone else notice how the word freedom in these statements should be replaced with condition, i.e.:
"The condition that you must redistribute copies so you can help your neighbor (freedom 2)." and
"The freedom to improve the program, under the condition that you release your improvements to the public, so that the whole community benefits. (freedom 3). Access to the source code is a precondition for this."
This is a strange definition of freedom if you ask me. It means that an individual working on software derivatives for whatever purpose, must sacrifice his work "for the public good"; A very blatant socialist mentality which ultimately restricts the rights of an individual to personally benefit from his own labor. Now, this is all well and good when people volunteer to work anyway, and sacrifice their individual rights. Just don't expect companies to pay people to help develop this software, since the company cannot gain any value from the software mods, other than for actual internal use in the company. This will ultimately restrict the use of this FOSS software in the DoD in this case, if any software mods are necessary for classified applications, for instance. We've already seen companies like Apple and TiVo pass over linux for freeBSD, because BSD really is free, i.e. no GPL.
Vote for Pedro
For some reason people are often wary about the idea of loading new versions of the kernel into running servers. and new kernel releases can take longer to test and propogate than (relatively) simple userspace programs.
How long do you want to wait for a patch to a security problem?
(Perhaps I should have used a proprietary Kernel as an example --- they're likely to take much longer to come out with a patch).
OS Software is like love: The best way to make it grow is to give it away.
Ahem... last time I checked, the "origin of Capabilities Maturity Model" (sic) was widely acknowledged to be Watts Humphrey and the Carnegie Mellon Software Engineering Institute (SEI), not the MITRE Corporation. Click here for some more info. I wonder if my MITRE associates would agree with the statement that MITRE "breaks down all... initiative"??? And I thought it was bad in the Government!
I was a bit disappointed to read about the potential scenarios for using GPLed libraries on page 24 of this otherwise excellent report. One could easily misread the report as saying: if you develop some code that crucially relies on a GPLed library that you've thus created GPLed software. But that's far from being the case for in-house research or development. If you never release any of your code or binaries (correct me if I'm wrong), you can use supporting GPLed libraries.
Marklar: marklar
PDF is a subset of Postscript all right, but while Postscript contains the actual character values, PDFs only store glyphIDs.
Glyphs, not characters.
There is a difference. A big difference. Trying to turn glyphIDs back into characters may work sometimes, but it's certainly not guaranteed to work. Any glyphs that do not have cmap entries in the font will come out as garbage.
Adobe should certainly never have put the text selection tool into Acrobat Reader. It does not work half the time, and it has fooled people into thinking that PDFs contain text. They don't. They only contain the vector image data necessary to render the text.
Free Hans!
There was a writer in 'Life' magazine ... who claimed that rabbits have
no memory, which is one of their defensive mechanisms. If they recalled
every close shave they had in the course of just an hour life would become
insupportable.
-- Kurt Vonnegut
- this post brought to you by the Automated Last Post Generator...