Slashdot Mirror


MITRE Corp. Report On Open Source In Government

Jeremy Allison (of the Samba team) writes "Very interesting paper just published by MITRE corporation. (In PDF - they've learned not to use Microsoft Word. :-). Highlights: 'The main conclusion of the article was that FOSS software plays a more critical role in the DoD than has generally been recognised.'; 'Create a "Generally Recognised as Safe" FOSS list ... including Linux, OpenBSD, NetBSD, FreeBSD, Samba, Apache, Perl, GCC, GNAT, XFree86, OpenSSH, bind, and sendmail.' 'FOSS' stands for 'Free and Open-Source Software.' Looks like these people 'get it.'"

20 of 279 comments

  1. About time. by carlmenezes · · Score: 4, Interesting

    About time somebody did something like this. I mean, to the average Joe, the advantages of FOSS are obvious. But the DoD needs documents, papers...anything written. It's similar to businesses WANTING to pay for software and therefore keeping away from FOSS.

    I guess everyone was waiting for somebody to basically do a "study" or write a paper that could be quoted or "fallen back upon" if you will.

    Then again, this report is about the fact that FOSS already plays a more critical role. My point is, it's high time somebody came out and recognised the fact. Great job on the paper.

    --
    Find a job you like and you will never work a day in your life.
  2. PDF format freer than Word? by coupland · · Score: 5, Interesting

    A very minor and unimportant comment:

    Most companies when publishing in PDF format do so, not for openness but to protect against copying or modification.

    For example, my company works extensively with the FDA and we publish all our standard operating procedures (SOPs) in PDF format since it's so difficult to copy. We rely not on the openness of the format but on its limitations. Not earth-shattering but I wanted to mention that PDF is not a particularly open format, despite its structures being well known.

    1. Re:PDF format freer than Word? by lemkebeth · · Score: 2, Interesting

      PDF isn't open?

      That's news to me.

      PDF is an open specification, anyone can write their own PDF creation tool as well as reader.

      The security thing is a bad idea though, as is the attachments in PDF files that Adobe just added support for in their apps. Ah, the coming of the PDF virus era....

  3. This is a pleasant surprise... by GreatDave · · Score: 4, Interesting

    While the Navy has its much-farted-upon attempt to build Win2k-powered "Smart Ships", the NSA has been developing SELinux (Security Enhanced Linux), their homebrew kernel.

    It seems that the right hand doesn't see what the left hand is doing. That's the USA federal government for you. However, based on the existence of the "safe" FOSS list, perhaps the DoD is rethinking their investments in eN Tee. I sure hope so, for the sake of national security. Meh.

    --
    "I am root. Bow before me." To this I say, "You are root, and you bear the sins of the world upon your shoulders."
  4. Infers that GPL means better security by AIXadmin · · Score: 5, Interesting

    In this paragraph MITRE seems to infer that GPL'ed software is somehow more secure, or better able to be secured than other software.

    "For Security, use of GPL within groups with well-defined security boundaries should be encouraged to promote faster, more locally autonomous responses to cyber threats."
    Page 3, Example 2.

    This really makes no sense to me. Especially when the majority of the software they list as "heavily used infrastructure tools such as "Linux, OpenBSD, NetBSD, FreeBSD, Samba, Apache, Perl, GCC, GNAT, XFree86, OpenSSH, bind, and sendmail," a good portion of which are NOT licensed under the GPL. (Yes, I realize some are, but the majority of that list are not.)

    Doesn't make a lot of sense. Considering most people would agree the most secure OS out there is OpenBSD.

  5. I work for the DoD.. open source rules! by Shalome · · Score: 5, Interesting

    I work for the DoD (and am lucky enough to work with MITRE folk as well), and we go for the open source solution whenever we can. Why? We're in security. We absolutely NEED to be able to hack our own code whenever necessary. We can't afford to be taken down by any sort of attack, whether it be a worm, virus, or directed attack -- and I'm not talking "afford" in the sense of a dollar amount. We also like to be able to do things like add signatures to our IDSs whenever we feel like it. We often notice and track new virus and worm activity before it "breaks." We can't wait for vendor updates.

    I've sat through meetings with vendor reps where certain office members tore the reps some new orifices. I've heard from a *major AV/Firewall company name deleted* rep "Oh, you use open source FREEWARE! Well, if you want to go with something totally insecure that has absolutely no support and you don't know exactly what the code actually does..." The rep then sat there in stunned silence as the department head launched into a detailed tirade about how every member of the office not only knew what the open source we used did, most of us could re-write it if we needed to. The rep actually blushed and admitted that if we could do that, we didn't need their product.

    Most of our offices do use Microsoft on most of the standard user desktops... but it's open source hacked-to-hell code that runs everything else around here! Well, aside from the gallons and gallons of coffee and Mountain Dew that runs the people..

    --
    Moderation totals that amuse me for one of my posts: Flamebait=1, Insightful=2, Funny=2, Overrated=1, Underrated=1
  6. No surprise by e5z8652 · · Score: 4, Interesting

    I've always wondered about the supposed lack of "FOSS" at DoD. Aside from SE Linux, there are other quite public acknowledgements of support for open source software. From the back of the OpenBSD 3.1 CD case:

    "This effort sponsored in part by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Material Command, USAF, under agreement number F30602-01-2-0537"

    Kind of a big hint that someone somewhere in DoD thinks highly of OpenBSD.

    Of course, this support may have since been reduced or eliminated due to the same pressure that the NSA faced with SE Linux.

    --

    null sig

  7. Re:How much respect does MITRE command? by Shalome · · Score: 5, Interesting

    quoth the poster: How well is the MITRE Corporation regarded in general? How well are they thought of by the government in particular? How influential will their word on things be? You're kidding, right?

    On the front page of MITRE's website: MITRE is a not-for-profit national resource that provides systems engineering, research and development, and information technology support to the government. It operates federally funded research and development centers for the DOD, the FAA, and the IRS, with principal locations in Bedford, Massachusetts, and Northern Virginia.

    Trust me, they're extremely highly regarded and their analysis carries quite a bit of weight.

    --
    Moderation totals that amuse me for one of my posts: Flamebait=1, Insightful=2, Funny=2, Overrated=1, Underrated=1
  8. Report is written in Word by ronys · · Score: 3, Interesting

    Open with Acrobat Reader, File->Document Properties->Summary... reveals:

    Title: Microsoft Word - 3DB823B-1ABD-0AA6.doc

    Furthermore, the PDF file was created by http://createpdf.adobe.com - which allows one to upload files and have them processed into PDF - 15 for free, more for $$$.

    Seems like they didn't find out that ghostview allows you to generate pdf files as well as view them...

    --
    Ubi dubium ibi libertas: Where there is doubt, there is freedom.
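    The metadata check described in the comment above can be scripted. The Python below is an added example, not code from the comment or from the MITRE report: it reads a PDF's Info dictionary with a minimal regex-based parser (it assumes the classic layout, an /Info reference in the trailer and literal (...) strings, and does not handle hex strings or object streams) and flags entries that disclose the source file name or the conversion toolchain, which is the sanitization check a publisher would run before releasing a converted document. The sample PDF is constructed inline; only the Title value comes from the comment, the Author and Producer values are placeholders.

```python
import re

# Constructed sample, not the MITRE file: a skeletal PDF whose Info dictionary
# carries the Word-export title quoted above plus placeholder Author/Producer.
SAMPLE_PDF = b"""%PDF-1.3
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Title (Microsoft Word - 3DB823B-1ABD-0AA6.doc)
   /Author (example author \\(placeholder\\))
   /Producer (example-pdf-tool 1.0) >>
endobj
trailer
<< /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t"}  # other escapes map to the char itself

def _unescape(raw: bytes) -> bytes:
    return re.sub(rb"\\(.)", lambda m: _ESC.get(m.group(1), m.group(1)), raw, flags=re.S)

def pdf_info_dict(data: bytes) -> dict:
    """Return the document Info dictionary as {key: str}, or {} if absent.
    Classic layout only: an /Info reference in the trailer and literal (...)
    string values; hex strings and object streams are out of scope here."""
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", data)
    if not ref:
        return {}
    num, gen = ref.group(1), ref.group(2)
    obj = re.search(rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj(.*?)endobj", data, re.S)
    if not obj:
        return {}
    strings = re.findall(rb"/(\w+)\s*\(((?:\\.|[^\\)])*)\)", obj.group(1), re.S)
    return {k.decode(): _unescape(v).decode("latin-1") for k, v in strings}

def provenance_findings(info: dict) -> list:
    """Flag Info entries that disclose the source document or the toolchain,
    the kind of check a publisher runs before releasing a converted file."""
    findings = []
    for key, value in info.items():
        if value.startswith("Microsoft Word - "):
            findings.append(f"{key}: Word export kept the source filename ({value})")
        elif re.search(r"\.docx?$", value, re.I):
            findings.append(f"{key}: looks like a source filename ({value})")
    tools = [info[k] for k in ("Creator", "Producer") if k in info]
    if tools:
        findings.append("toolchain disclosed: " + ", ".join(tools))
    return findings
```

Run `provenance_findings(pdf_info_dict(open(path, "rb").read()))` on a real file before publishing it; an empty list means the Info dictionary carries none of the flagged values.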
  9. Report says GPL was the original by AIXadmin · · Score: 3, Interesting

    Last I checked the BSD's were first:
    "The General Public License (GPL)4 is the original FOSS license, and GPL software is simply FOSS software that is covered by the GPL."
    Page 12

    This report is really full of holes. In the chart it says that BSD and Artistic licensed software cannot be combined with closed source software.

  10. Report makes no difference between OS and FS by AIXadmin · · Score: 4, Interesting

    The report also makes no differentiation between Open Source Software like FreeBSD, OpenBSD, and Apache; and Free Software which generally always refers to software under the GPL or LGPL. Like Linux, gcc, or GNATS.

    "The word free in FOSS refers not to fiscal cost, but to the autonomy rights that FOSS grants its users. (A better word for zero-cost software, which lacks such rights, is freeware.) The phrase open source emphasizes the right of users to study, change, and improve the source code (that is, the detailed design) of FOSS applications. Software that qualifies as free almost always also qualifies as open source, and vice versa, since both phrases derive from the same set of software user rights formulated in the late 1980s by Richard Stallman of the Free Software Foundation."

    The writer of this report does not make a differentiation between Open Source and Free Software. He calls things under a BSD license with no cost, and no restriction on rights, freeware. (Freeware does not mean OSS. Freeware is closed source software that is given away at no cost.) While in the next sentence pushing the view that all OSS is GPL'ed.

    This report is a grave disappointment.

  11. COE (now NCES) will support Linux by Anonymous Coward · · Score: 3, Interesting

    I work in the trenches so-to-speak.

    The good news is that the DoD is paying attention to Linux in a big way. Undoubtedly, Solaris, HP, and SGI were among a few of the favorite big ticket items that the DoD likes to purchase. However, there is a small number of people who are using linux. We're expecting that number to grow.

    Mitre gets it -- they're pretty smart folks. But does the rank-and-file military? By and large -- no -- although there's more currently than say 18 months ago. Some are still caught up in the security problems linux has. Others are just ignorant by calling it "freeware" -- when linux really rises to a level above the typical "freeware" moniker.

    The military is really a bargain buyer -- yes they don't want those M16's to explode -- but they don't want to be bled dry for a shoddy system, either. Especially when they have to report to a congressional subcommittee explaining why they blew billions of taxpayer dollars on incompatible systems.

  12. What if ... by SgtChaireBourne · · Score: 3, Interesting

    It's interesting that the report starts out with a what-if scenario. "What if FOSS were banned in the DoD?" Answer - things would pretty much stop. FOSS has played and continues to play a critical role in the DOD.

    A lot of people will begin to think about the converse, "What if Closed Source were banned from the DoD?" or even more specifically, "What if Closed Source from companies found guilty of breaking federal law were banned from the DoD?". I wouldn't be surprised if the answers were "not much change" and "things improve", respectively.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  13. GNAT is part of GCC by norwoodites · · Score: 5, Interesting

    Yes, that is right: even though the paper makes it sound like GNAT is a separate project from GCC, they are now one, GCC (GNU Compiler Collection). Their description says they are one now, but I think this description was copied from each of their web sites.

    Also, is RTLinux no longer considered free software, because it restricts more than the GPL due to patents?

    Also, it looks like they do not use csh at all, which is under the BSD license, or pdksh, which is in the public domain; they are the default shells on OpenBSD.

    They also missed Binutils from GNU, which is the assembler and linker for most open/free operating systems.

    Also, are there not versions of sed and make and m4 and top that are under the BSD license?

    Is perl not dual licensed, GPL and artistic?

  14. Re:Generally Recognised as Safe. by Twirlip+of+the+Mists · · Score: 4, Interesting

    Your comment reminds me of the old joke about the optimist and the pessimist who visited California. They heard that there hadn't been a major earthquake in California in however-many years. The optimist thought to himself, "We're safe!" The pessimist thought, "We're due!"

    Security-minded folks are more likely to be pessimists than optimists.

    --

    I write in my journal
  15. Re:Generally Recognised as Safe. by lewp · · Score: 4, Interesting

    Age of code doesn't always directly relate to security of code. Yes, Sendmail is older. While that means the code has been around to be looked at by more people, it also means it was written before security was even close to the priority it is today.

    Qmail, on the other hand (and Postfix, and others. Sorry if I don't mention everyone's favorite :P), was created from the start to be as secure as possible. It has the advantage of being able to build on many years of advancement in secure coding practices. For example, the way as little of its code is executed as root as possible gives it a big advantage. Sendmail 8.12 is moving in the same direction, but it's much newer than Qmail and, while I haven't gazed at the Sendmail source recently, I'd be willing to wager that getting it to play with privilege separation wasn't a trivial change.

    I'm not knocking Sendmail. I use it on a whole bunch of production boxes. It's familiar, easy to use, and works out of the box with everything. It's also fast enough to make it suitable for most environments and I have a whole lot of time invested in learning the various ways to configure and tweak it and how to fix it when it's being moody.

    That said, I also use Qmail on a regular basis. Of the two I keep a much closer eye on the Sendmail installations. Sendmail's current biggest known flaw is its history, and until something approximating that shows up in Qmail I'm more inclined to trust djb's baby (even though I put it in /usr/local/qmail. nyeh!).

    (Qmail also has the luxury of being the product of someone who comes off as a complete asshole. I can guarantee you that the fact that Qmail doesn't have any known security holes is not for a lack of trying. There are plenty of people who would *love* to find a hole in Qmail just to shut him up. I hope djb doesn't have mod points!)

    --
    Game... blouses.
  16. Brilliant example of Microsoft by magi · · Score: 5, Interesting

    The document is an enjoyment to read. It has a few pearls which are especially enlightening. One of these is a table illustrating the actual freedoms and restrictions placed by various licences, for example GPL and Microsoft's MIT EULA:

    "Properties (a) through (e) in the table examine the ability of a license to co-exist with other types of software, e.g., the ability of FOSS licenses to co-exist with proprietary software. In this category, the most exclusive license is easily the Microsoft MIT EULA license, which prohibits a number of FLOSS licenses from co-existing on the same platform as the EULA software. No other FLOSS or proprietary license encountered during the survey came close to this level of exclusivity. The GPL takes a very distant second place for exclusivity, since it forbids design-time incorporation of GPL source code into non-GPL source code. However, unlike the Microsoft MIT EULA, the GPL places no constraints on software simply running on the same system, and actually goes out of its way not to intrude on other licenses outside of that context."


    I didn't even know Microsoft has that restrictive license. It says here that it "Specifically bans use of: GPL, LGPL, Artistic, Perl, Mozilla, Netscape, Sun Community, and Sun Industry Standards."

    Microsoft's site shows the license. It's really true. This particular EULA seems to be for a "Microsoft Mobile Internet Toolkit Beta 2". They actually call OSS "Potentially Viral Software" in the license.
  17. Re:Generally Recognised as Safe. by geirt · · Score: 3, Interesting

    Sivar wrote:
    "Generally Recognised as Safe ... bind, and sendmail."
    I'm all for Unix server software, but BIND and Sendmail?

    Don't mix up old Bind and Bind 9: Bind 9 is an entirely new code base written from scratch with security as a basic premise. Version 9 is not susceptible to the same issues found in earlier versions of the Bind DNS server.

    The track record for Bind 9 is *much* better than it used to be ....

    --

    RFC1925
  18. Qmail: secure, but not responsible by Black+Copter+Control · · Score: 3, Interesting

    Qmail's security is more theoretical than actual. From what I can tell, Bernstein wrote Qmail more to prove that he can design and write secure software than to provide a service to the public. He disclaims responsibility for problems that come from outside his source code.

    If somebody finds a bug in, say Linux, that can be exploited against both Sendmail and Qmail, the Sendmail folk will fall all over themselves to find and distribute a workaround. Bernstein, on the other hand, will likely just smile and say "not qmail's fault". This doesn't do much good for people who are actually using qmail in the field and will need to create and distribute their own patches on the back-channels -- and then integrate them with the myriad of patches out there.

    I really believe that Qmail's license was and is the biggest barrier to its more widespread adoption.

    --
    OS Software is like love: The best way to make it grow is to give it away.
  19. especially slimy by sacrilicious · · Score: 3, Interesting

    the Microsoft MIT EULA

    What I find really distasteful is the above phrase's incorporation of "MIT". Microsoft tries to pass it off as standing for "Mobile Internet Toolkit", but personally I believe it was intended to sound like (and evoke the favorable sentiments associated with) the Massachusetts Institute of Technology AND the associated, like-named OSS license.


    --
    - First they ignore you, then they laugh at you, then ???, then profit.