MITRE Corp. Report On Open Source In Government
Jeremy Allison (of the Samba team) writes "Very interesting paper just published by MITRE corporation. (In PDF - they've learned not to use Microsoft Word. :-). Highlights: 'The main conclusion of the article was that FOSS software plays a more critical role in the DoD than has generally been recognised.'; 'Create a "Generally Recognised as Safe" FOSS list ... including Linux, OpenBSD, NetBSD, FreeBSD, Samba, Apache, Perl, GCC, GNAT, XFree86, OpenSSH, bind, and sendmail.'
'FOSS' stands for 'Free and Open-Source Software.' Looks like these people 'get it.'"
"Generally Recognised as Safe ... bind, and sendmail."
:)
I'm all for Unix server software, but BIND and Sendmail? True, they haven't been bad lately, but both of these are former poster children for the land of remote root exploits. Yet Qmail, djbdns, and Postfix--some of the most secure software ever made--are strangely absent.
Well, it is the government. They are making progress in their own little way.
Computer Science is no more about computers than astronomy is about telescopes. --E. W. Dijkstra
Banning Free and Open Source Software would remove certain types of infrastructure components (e.g., OpenBSD) that currently help support network security. It would also limit DoD access to -- and overall expertise in -- the use of powerful FOSS analysis and detection applications that hostile groups could use to help stage cyberattacks. Finally, it would remove the demonstrated ability of FOSS applications to be updated rapidly in response to new types of cyberattack. Taken together, these factors imply that banning FOSS would have immediate, broad, and strongly negative impacts on the ability of many sensitive and security focused DoD groups to defend against cyberattacks.
Starting on page 32, there's a very nice glossary of common Free and Open Source acronyms.
The US government provides thousands of IT jobs already. I wouldn't be surprised if they were the largest IT employer in the world. There's always been plenty of government work for an ambitious and well trained geek.
whatever happened to good old ASCII or ISO text files? nothing says cross-platform like an ISO format
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
"For Security, use of GPL within groups with well-defined security boundaries should be encouraged to promote faster, more locally autonomous responses to cyber threats."
;-) Somehow I doubt that is what they meant, though.
... they are mistakenly equating GPLed software with free software (when in fact it is only a subset).
Perhaps one aspect of the security to which they refer is the secure knowledge that in-house software developed under the GPL will remain free, i.e. they will in turn receive any and all improvements made by others.
While the GPL is arguably more appropriate for public funded software development than licenses that lend themselves to proprietarization, I must agree wholeheartedly with you that it is clear that the advantage in security goes to free software over proprietary software, and not GPLed software over other free software to any degree. Indeed, as you point out, OpenBSD is the most secure operating system around, and it is certainly not GPLed.
What they clearly meant to say was that free software should be encouraged to promote faster, more locally autonomous responses to cyber threats.
The Future of Human Evolution: Autonomy
That is kind of funny because the line feeds are ^M just like what the acrobat distiller does. I would say PDF is freer than word however, because you don't have to pay money to view the document and since the purpose of this document is to be read then this particular format is best suited to enable that viewing across platforms without additional costs for the reader while maintaining the original format of the document.
I would also say anyone using PDFs for the security of them not being easily modifiable is running on the assumption that the people they are sending the files to are too stupid to figure out how to modify them to their hearts' content.
Most companies when publishing in PDF format do so, not for openness but to protect against copying or modification.
Ironically, you think that PDF protects against copying, because it is difficult to modify them in Windows. By the same token, you may think that .DOC files are less secure, due to the fact that they are easy to read and modify in Windows. Which of course, is the opposite for any *NIX system running Ghostscript (where a PDF -> ASCII conversion is trivial, but .DOCs require much more work).
I guess you do have to play to your users' strengths and weaknesses, it just seems funny to me, somehow.
By the way, the document summary shows that it was originally a Microsoft Word Doc titled "Microsoft Word - 3DBD823B-1ABD-0AA6.doc" with the author being www.
Interesting that the DOD uses GnuPG, Linux, Linux (Red Hat), FreeBSD, NetBSD, OpenBSD, OpenOffice, Perl, Perl CGI Scripts, PerLDAP, PHP, Tcl/Tk and TCP Wrappers, amongst others.
Just to add some info here. Just because an article talks about usage and approval of FOSS in the "DoD" (Department of Defense), it doesn't mean that there is significant usage. Remember that the DoD is comprised of some management overhead and three sub-departments: Army, Navy, Air Force. While Linux may be used and even endorsed by the "DoD", its usage is not permitted without one hell of a waiver process in the Department of the Navy. Especially under NMCI (Navy Marine Corps Intranet), Linux is not even listed as an approved legacy system, much less something EDS will agree to support.
Additionally, each branch of the service is autonomous in IT management, which means there are FOUR DIFFERENT ways of running a network with the associated FOUR sets of management overhead and of course, they aren't interoperable. This is a fairly generalized statement, but most of the systems I deal with daily in the Marine Corps are specific to us and don't work with the other services' systems despite the fact that they all do the EXACT SAME THING.
So kids, the moral of the story is: Write your congressman and complain about the misuse of your tax dollars. And don't forget to tell them that free software == excuse for lower taxes == more votes for them.
I've dirtied my hands writing poetry, for the sake of seduction; that is, for the sake of a useful cause. --Dostoevsky
It seems that the right hand doesn't see what the left hand is doing. That's the USA federal government for you.
With all due respect to your example, I would rather each department of the government be allowed to implement its own solutions, at least based on my experiences working for large corporations (where the right hand often doesn't know what the right middle finger is doing). The most productive situations arise when divisions and departments are allowed to solve their own problems, rather than having some senior-level executive decide, "okay, this worked for marketing, so now everyone has to do it this way." Information sharing is important, of course, but forcing one-size-fits-all "solutions" can be counter-productive.
Michael
"No live organism can continue for long to exist sanely under conditions of absolute reality;..."
whatever happened to good old ASCII or ISO text files?
The PDF document contains images, tables, colors, and underlined/italicized/bold text. Those are rather difficult to express in plain ASCII text.
Doing so is not unlike trying to write a voxel-based graphics engine in HTML.
Right tool for the job...
They refer to an ideal situation. The use of GPL soft would free completely their hands on changing every piece of soft that might be compromised. And they would not have to deal with licensing hurdles. But there are two caveats here.
First, a GPL exclusivity would be appropriate only in top-security situations that demand a fast and very flexible response. Not having barriers on how to deal with the soft, be it binary or source code, is extremely important here. However, I would not be so fanatical as to say that only GPL soft is appropriate. Frankly, I think it would be better to say: licenses that do not impose barriers of any kind to software changes and distribution.
Second, to do such a thing, people should be uberprofessional. Having GPL code is not enough to provide security. There should be someone who's able to manage the guns. However, if a certain department or site is considered to be top-security, then one should have someone of that weight out there... Isn't it? But... well... we know that even security guards love to sleep when they shouldn't. And that engineers are underpaid and don't have enough qualification. And that the managers will still buy some piece of crap instead of listening to the experts... So this caveat is utterly pointless...
OpenBSD is one of the most secure. Because it is made for security. Most Linux machines are not because it would be a problem trying to adapt users to the level of security in OpenBSD. I made a few installs of OpenBSD and I may tell you that it is not easy to install something on it. Besides, it is much harder to use. And, sometimes it is quite slower than other BSD and Linux conceptions. But it is very good at kicking every kiddie out. However, its administration demands every kind of task as any other system. A badly administered OpenBSD is also breakable.
On what concerns Linux itself, unfortunately there are very few secure distros. But it is possible to reach a level of security near to OpenBSD or even better. By hand and making the system from scratch. Once we had such a machine. We named it "The Castle", out of the name of a distro that gave us the idea to make it. It was a damn well secured system. But using it... Better walking through the Labyrinth...
1. Somehow I doubt that the DoD -- or anywhere that security is really important -- throws together code and puts it into production right away. (Who hasn't heard the stories about the draconian code review policies?)
2. Why would the DoD distribute their modified code? Perhaps they would send a patch to Apache or whatever if it was sufficiently general interest, but I suspect most of the modifications have to do with security policies particular to them.
3. Do you really believe that "Al-Qaeda hackers" [sic] spend more person-hours looking at the code than non-malicious users?
4. Neglecting the silliness about Al-Qaeda, why should I trust you that "some computer science programs and IRC channels" are training highly dangerous black hats? Last I checked, IRC was the land of windows-running script kiddies, and typical computer science programs include perhaps one optional course on security.
You didn't get the point. The problem this report tries to cover is not about costs but about the ability to control the software you use. And that's what the DoD is concerned about. And the report notes that the DoD is damn dependent on FOSS:
The main conclusion of the analysis was that FOSS software plays a more critical role in the DoD than has generally been recognized. FOSS applications are most important in four broad areas: Infrastructure Support, Software Development, Security, and Research. One unexpected result was the degree to which Security depends on FOSS. Banning FOSS would remove certain types of infrastructure components (e.g., OpenBSD) that currently help support network security. It would also limit DoD access to and overall expertise in the use of powerful FOSS analysis and detection applications that hostile groups could use to help stage cyberattacks. Finally, it would remove the demonstrated ability of FOSS applications to be updated rapidly in response to new types of cyberattack. Taken together, these factors imply that banning FOSS would have immediate, broad, and strongly negative impacts on the ability of many sensitive and security-focused DoD groups to defend against cyberattacks.
I don't see where your disappointment comes from. The report shows that both OSS and Free Software are the major players in DoD sectors (well, I would be very surprised if they weren't). Besides, it shows that all this FUD from M$ is a national danger to the US (and I would be HIGHLY surprised if it weren't). Apart from some gaffes the report is superb.
Time to put Redmond on the rough nations list...
The report also makes no differentiation between Open Source Software like FreeBSD, OpenBSD, and Apache; and Free Software, which generally always refers to software under the GPL or LGPL. Like Linux, gcc, or GNATS.
you're repeating a distinction which is usually made only for the purposes of criticizing the GPL. All the software you mentioned is Free Software. It all grants you the certain vital rights, such as the right to copy and the right to inspect and change. to repeat.. there is no distinction to be made. some of them are GPL-incompatible, and many are not copyleft ("viral") but this is not important for this paper.
also, from a user's point of view, this is mostly irrelevant. the "license wars" are between developers. to users, they grant the same freedoms.
finally, from the distant and unpleasant vantage point of most proprietary software, the gpl/non-gpl are pretty much identical. really, for most people, being able to copy the software at will is mind-boggling. "how do they make money", etc.
He calls things under a BSD license with no cost, and no restriction on rights, freeware.
No, he points out the distinction that "zero-cost software" which DOESN'T grant you the FOSS rights is NOT FOSS! This is an important and subtle distinction, because it's not just about price, but freedom to do certain things. I'm impressed by their understanding. I think you misread it.
While in the next sentence pushing the view that all OSS is GPL'ed.
no, it just says that they are very similar, and they both came from Stallman's ideas. which is still correct. open source is a weaker form of free software, but usually they grant you the same basic rights.
For the purposes of this document, it is completely correct and appropriate to mix OSS and FS together, and to concentrate on freedom rather than price.
i think the document is peachy keen, and it gives me a fat chubby.
Yeah, well, we can be either a part of the answer, part of the problem or work both sides of the fence, like I do. :) I have worked in both the fed. govt and private industry. There isn't really much difference in how things get done. The main difference is that where business people reward each other with fat contracts, in the fed. world, one must change the *policies* to reward your buddies. That is exactly what happens after every election. A new policy can reap billions in rewards. If you didn't know that, now you know why the position of president, though it "only" earns $200k/yr (+ room, board, and security detail), causes millions and millions to be spent to get someone the job.
Interestingly, I feel more like a "stakeholder" as a govt. employee than I did as an industry stock-holding employee. It's my tax money, too, I guess.
The DoD is under tremendous pressure to have Microsoft blessed as the only products they use, as Microsoft has learned how to lobby and started throwing lots of money at this. The government is a huge purchaser of systems, and there are many legacy things out there. Since the past 10 years or so have brought many fresh college grads into the workforce, many of whom only know Microsoft products, there is pressure on the technical selection folks to replace with Microsoft since those precious MCSEs only know these platforms.
This report is probably an effort to build some evidence and support on why wholesale replacement of everything with off the shelf would add costs and hurt national security. Probably also explains IBM's (and others) shift to support Linux and variants over the past few years as they saw Microsoft tactics refined.
And, Microsoft's more recent license agreement language seems pointed at providing a legal reason why they need to be the only platform, since there are no technical reasons.
Sleep is for the Weak