Slashdot Mirror
MITRE Corp. Report On Open Source In Government
Jeremy Allison (of the Samba team) writes "Very interesting paper just published by MITRE corporation. (In PDF - they've learned not to use Microsoft Word. :-). Highlights: 'The main conclusion of the article was that FOSS software plays a more critical role in the DoD than has generally been recognised.'; 'Create a "Generally Recognised as Safe" FOSS list ... including Linux, OpenBSD, NetBSD, FreeBSD, Samba, Apache, Perl, GCC, GNAT, XFree86, OpenSSH, bind, and sendmail.'
'FOSS' stands for 'Free and Open-Source Software.' Looks like these people 'get it.'"
About time somebody did something like this. I mean, to the average Joe, the advantages of FOSS are obvious. But the DoD need documents, papers...anything written. It's similar to businesses WANTING to pay for software and therefore keeping away from FOSS.
I guess everyone was waiting for somebody to basically do a "study" or write a paper that could be quoted or "fallen back upon" if you will.
Then again, this report is about the fact that FOSS already plays a more critical role. My point is, it's high time somebody came out and recognised the fact. Great job on the paper.
Find a job you like and you will never work a day in your life.
A very minor and unimportant comment:
Most companies when publishing in PDF format do so, not for openness but to preotect against copying or modification.
For example, my company works extensively with the FDA and we publish all our standard operating procedures (SOPs) in PDF format since it's so difficult to copy. We rely not on the openess of the format but on its limitations. Not earth-shattering but I wanted to mention that PDF is not a particularly open format, despite its structures being well known.
While the Navy has its much-farted-upon attempt to build Win2k-powered "Smart Ships", the NSA has been developing SELinux (Security Enhanced Linux), their homebrew kernel.
It seems that the right hand doesn't see what the left hand is doing. That's the USA federal government for you. However, based on the existance of the "safe" FOSS list, perhaps the DoD is rethinking their investments in eN Tee. I sure hope so, for the sake of national security. Meh.
"I am root. Bow before me." To this I say, "You are root, and you bear the sins of the world upon your shoulders."
In this paragraph MITRE seems to infer that GPL'ed software is some how more secure, or better able to be secured then other software.
"For Security, use of GPL within
groups with well-defined security boundaries should be encouraged to promote faster,
more locally autonomous responses to cyber threats. "
Page 3, Example 2.
This really makes no sense to me. Especially when the majority of the software they list as "heavily used infrastrucuture tools such as "Linux, OpenBSD, NetBSD, FreeBSD, Samba, Apache, Perl, GCC, GNAT, XFree86, OpenSSH, bind, and sendmail," are a good portion of NOT licensed under the GPL. (Yes I realize some, are but the majority of that list are not.)
Doesn't make a lot of sense. Considering most people would agree the most secure OS out there is OpenBSD.
I work for the DoD (and am lucky enough to work with MITRE folk as well), and we go for the open source solution whenever we can. Why? We're in security. We absolutely NEED to be able to hack our own code whenever necessary. We can't afford to be taken down by any sort of attack, whether it be a worm, virus, or directed attack -- and I'm not talking "afford" in the sense of a dollar amount. We also like to be able to do things like add signatures to our IDSs whenever we feel like it. We often notice and track new virus and worm activity before it "breaks." We can't wait for vendor updates.
I've sat through meetings with vendor reps where certain office members tore the reps some new orifices. I've heard from a *major AV/Firewall company name deleted* rep "Oh, you use open source FREEWARE! Well, if you want to go with something totally insecure that has absolutely no support and you don't know exactly what the code actually does..." The rep then sat there in stunned silence as the department head launched into a detailed tirade about how every member of the office not only knew what the open source we used did, most of us could re-write it if we needed to. The rep actually blushed and admitted that if we could do that, we didn't need their product.
Most of our offices do use Microsoft on most of the standard user desktops... but it's open source hacked-to-hell code that runs everything else around here! Well, aside from the gallons and gallons of coffee and Mountain Dew that runs the people..
Moderation totals that amuse me for one of my posts: Flamebait=1, Insightful=2, Funny=2, Overrated=1, Underrated=1
I've always wondered about the supposed lack of "FOSS" at DoD. Aside from SE Linux, there are other quite public acknowledgements of support for open source software. From the back of the OpenBSD 3.1 CD case:
"This effort sponsored in part by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Material Command, USAF, under agreement number F30602-01-2-0537"
Kind of a big hint that someone somewhere in DoD thinks highly of OpenBSD.
Of course, this support may have since been reduced or eliminated due to the same pressure that the NSA faced with SE Linux.
null sig
quoth the poster: How well is the MITRE Corporation regarded in general? How well are the thought of by the government in particular? How influential will their word on things be? You're kidding, right?
On the front page of MITRE's website: MITRE is a not-for-profit national resource that provides systems engineering, research and development, and information technology support to the government. It operates federally funded research and development centers for the DOD, the FAA, and the IRS, with principal locations in Bedford, Massachusetts, and Northern Virginia.
Trust me, they're extremely highly regarded and their analysis carries quite a bit of weight.
Moderation totals that amuse me for one of my posts: Flamebait=1, Insightful=2, Funny=2, Overrated=1, Underrated=1
The report also no makes no differentation between Open Source Software like FreeBSD, OpenBSD, and Apache; and Free Software which generally always refers to software under the GPL or LGPL. Like Linux, gcc, or GNATS.
"The word free in FOSS refers not to fiscal cost, but to the autonomy rights that FOSS grants its users. (A better word for zero-cost software, which lacks such rights, is freeware.) The phrase open source1 emphasizes the right of users to study, change, and improve the source codethat is, the detailed designof FOSS applications. Software that qualifies as free almost always also qualifies as open source, and vice versa, since both phrases derive from the same set of software user rights2 formulated in the late 1980s by Richard Stallman of the Free Software Foundation."
The writer of this report does not make differentation between Open Source and Free Software. He call's things under a BSD license with no cost, and no restriction on rights, freeware. (Freeware does not mean OSS. Freeware is closed source software, that is given away at no cost.) While in the next setence pushing the view that all OSS is GPL'ed.
This report is a grave disapointment.
yes that is right even though the paper makes it sound like GNAT is a separate project from GCC, they are now one, GCC (GNU Compiler Collection). Their description says they are one now but I think this description was copied from each of their web sites.
Also is not RTLinux longer consider free software, because it restricts more than the GPL due to patents?
Also looks like they do not use csh at all which is under the BSD license. or pdksh which is in public domain, they are the default shells on OpenBSD.
They are also missed Binutils from the GNU which is the assembler and linker for most open/free operating systems.
Also is there not versions of sed and make and m4 and top that are under the BSD license?
Is perl not dual licensed, GPL and artistic?
Your comment reminds me of the old joke about the optimist and the pessimist who visited California. They heard that there hadn't been a major earthquake in California in however-many years. The optimist thought to himself, "We're safe!" The pessimist though, "We're due!"
Security-minded folks are more likely to be pessimists than optimists.
I write in my journal
Age of code doesn't always directly relate to security of code. Yes, Sendmail is older. While that means the code has been around to be looked at by more people, it also means it was written before security was even close to the priority it is today.
:P), was created from the start to be as secure as possible. It has the advantage of being able to build on many years of advancement in secure coding practices. For example, the way as little of its code is executed as root as possible gives it a big advantage. Sendmail 8.12 is moving in the same direction, but it's much newer than Qmail and, while I haven't gazed at the Sendmail source recently I'd be willing to wager that getting it to play with privilege separation wasn't a trivial change.
/usr/local/qmail. nyeh!).
Qmail, on the other hand (and Postfix, and others. Sorry if I don't mention everyone's favorite
I'm not knocking Sendmail. I use it on a whole bunch of production boxes. It's familiar, easy to use, and works out of the box with everything. It's also fast enough to make it suitable for most environments and I have a whole lot of time invested in learning the various ways to configure and tweak it and how to fix it when it's being moody.
That said, I also use Qmail on a regular basis. Of the two I keep a much closer eye on the Sendmail installations. Sendmail's current biggest known flaw is its history, and until a something approximating that shows up in Qmail I'm more inclined to trust djb's baby (even though I put it in
(Qmail also has the luxury of being the product of someone who comes off as a complete asshole. I can guarantee you that the fact that Qmail doesn't have any known security holes is not for a lack of trying. There are plenty of people who would *love* to find a hole in Qmail just to shut him up . I hope djb doesn't have mod points!)
Game... blouses.
I didn't even know Microsoft has that restrictive license. It says here that it "Specifically bans use of: GPL, LGPL, Artistic, Perl, Mozilla, Netscape, Sun Community, and Sun Industry Standards."
Microsoft's site shows the license. It's really true. This particular EULA seems to be for a "Microsoft Mobile Internet Toolkit Beta 2". They actually call OSS as "Potentially Viral Software" in the license.