Slashdot Mirror
MITRE Corp. Report On Open Source In Government
Jeremy Allison (of the Samba team) writes "Very interesting paper just published by MITRE corporation. (In PDF - they've learned not to use Microsoft Word. :-). Highlights: 'The main conclusion of the article was that FOSS software plays a more critical role in the DoD than has generally been recognised.'; 'Create a "Generally Recognised as Safe" FOSS list ... including Linux, OpenBSD, NetBSD, FreeBSD, Samba, Apache, Perl, GCC, GNAT, XFree86, OpenSSH, bind, and sendmail.'
'FOSS' stands for 'Free and Open-Source Software.' Looks like these people 'get it.'"
"Generally Recognised as Safe ... bind, and sendmail."
:)
I'm all for Unix server software, but BIND and Sendmail? True, they haven't been bad lately, but both of these are former poster childs for the land of remote root exploits. Yet Qmail, djbdns, and Postfix--some of the most secure software ever made, is strangely absent.
Well, it is the government. They are making progress in their own little way.
Computer Science is no more about computers than astronomy is about telescopes. --E. W. Dijkstra
Nice to see some of our tax dollars not going to waste on over-priced under-powered software.
...
I suppose this means there will be more job openings for geeks in government possisions. Get out your resumes guys and gals
No sig for you. YOU GET NO SIG!
About time somebody did something like this. I mean, to the average Joe, the advantages of FOSS are obvious. But the DoD need documents, papers...anything written. It's similar to businesses WANTING to pay for software and therefore keeping away from FOSS.
I guess everyone was waiting for somebody to basically do a "study" or write a paper that could be quoted or "fallen back upon" if you will.
Then again, this report is about the fact that FOSS already plays a more critical role. My point is, it's high time somebody came out and recognised the fact. Great job on the paper.
Find a job you like and you will never work a day in your life.
A very minor and unimportant comment:
Most companies when publishing in PDF format do so, not for openness but to preotect against copying or modification.
For example, my company works extensively with the FDA and we publish all our standard operating procedures (SOPs) in PDF format since it's so difficult to copy. We rely not on the openess of the format but on its limitations. Not earth-shattering but I wanted to mention that PDF is not a particularly open format, despite its structures being well known.
This list would provide quick official recognition of FOSS (Free and Open-Source Software) applications that are:
(a) commercially supported
(b) widely used and
(c) have proven track records of security and reliability (eg. as measured by speed of closures of CERT reports in comparision to closed-source alternatives)
Gmanske.
While the Navy has its much-farted-upon attempt to build Win2k-powered "Smart Ships", the NSA has been developing SELinux (Security Enhanced Linux), their homebrew kernel.
It seems that the right hand doesn't see what the left hand is doing. That's the USA federal government for you. However, based on the existance of the "safe" FOSS list, perhaps the DoD is rethinking their investments in eN Tee. I sure hope so, for the sake of national security. Meh.
"I am root. Bow before me." To this I say, "You are root, and you bear the sins of the world upon your shoulders."
In this paragraph MITRE seems to infer that GPL'ed software is some how more secure, or better able to be secured then other software.
"For Security, use of GPL within
groups with well-defined security boundaries should be encouraged to promote faster,
more locally autonomous responses to cyber threats. "
Page 3, Example 2.
This really makes no sense to me. Especially when the majority of the software they list as "heavily used infrastrucuture tools such as "Linux, OpenBSD, NetBSD, FreeBSD, Samba, Apache, Perl, GCC, GNAT, XFree86, OpenSSH, bind, and sendmail," are a good portion of NOT licensed under the GPL. (Yes I realize some, are but the majority of that list are not.)
Doesn't make a lot of sense. Considering most people would agree the most secure OS out there is OpenBSD.
Banning Free and Open Source Software would remove certain types of infrastructure components (e.g., OpenBSD) that currently help support network security. It would also limit DoD access to -- and overall expertise in -- the use of powerful FOSS analysis and detection applications that hostile groups could use to help stage cyberattacks. Finally, it would remove the demonstrated ability of FOSS applications to be updated rapidly in response to new types of cyberattack. Taken together, these factors imply that banning FOSS would have immediate, broad, and strongly negative impacts on the ability of many sensitive and security focused DoD groups to defend against cyberattacks.
Starting on page 32, theres a very nice glossary of common Free and Open Source Acronyms.
Isn't anybody gonna mention that RMS is going to say that FOSS should really be reffered to as Dental/FOSS?
If Mr. Edison had thought smarter he wouldn't sweat as much. --Nikola Tesla
whatever happened to good old ASCII or ISO text files? nothing says cross-platform than an ISO format
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
I work for the DoD (and am lucky enough to work with MITRE folk as well), and we go for the open source solution whenever we can. Why? We're in security. We absolutely NEED to be able to hack our own code whenever necessary. We can't afford to be taken down by any sort of attack, whether it be a worm, virus, or directed attack -- and I'm not talking "afford" in the sense of a dollar amount. We also like to be able to do things like add signatures to our IDSs whenever we feel like it. We often notice and track new virus and worm activity before it "breaks." We can't wait for vendor updates.
I've sat through meetings with vendor reps where certain office members tore the reps some new orifices. I've heard from a *major AV/Firewall company name deleted* rep "Oh, you use open source FREEWARE! Well, if you want to go with something totally insecure that has absolutely no support and you don't know exactly what the code actually does..." The rep then sat there in stunned silence as the department head launched into a detailed tirade about how every member of the office not only knew what the open source we used did, most of us could re-write it if we needed to. The rep actually blushed and admitted that if we could do that, we didn't need their product.
Most of our offices do use Microsoft on most of the standard user desktops... but it's open source hacked-to-hell code that runs everything else around here! Well, aside from the gallons and gallons of coffee and Mountain Dew that runs the people..
Moderation totals that amuse me for one of my posts: Flamebait=1, Insightful=2, Funny=2, Overrated=1, Underrated=1
I've always wondered about the supposed lack of "FOSS" at DoD. Aside from SE Linux, there are other quite public acknowledgements of support for open source software. From the back of the OpenBSD 3.1 CD case:
"This effort sponsored in part by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Material Command, USAF, under agreement number F30602-01-2-0537"
Kind of a big hint that someone somewhere in DoD thinks highly of OpenBSD.
Of course, this support may have since been reduced or eliminated due to the same pressure that the NSA faced with SE Linux.
null sig
By the way, the document summary shows that it was originally a Microsoft Word Doc titled "Microsoft Word - 3DBD823B-1ABD-0AA6.doc" with the author being www.
Interesting that the DOD uses GnuPG, Linux, Linux (Red Hat), FreeBSD, NetBSD, OpenBSD, OpenOffice, Perl, Perl CGI Scripts, PerLDAP, PHP, Tcl/Tk and TCP Wrappers, amongst others.
Just to add some info here. Just because an article talks about usage and approval of FOSS in the "DoD" (Department of Defense), it doesn't mean that there is signifigant usage. Remember that the DoD is comprised of some management overhead and three sub departments: Army, Navy, Air Force. While Linux may be used and even endorsed by the "DoD", it's usage is not permitted without one hell of a waiver process in the Department of the Navy. Especially under NMCI(Navy Marine Corps Intranet), Linux is not even listed as an approved legacy system, much less something EDS will agree to support.
Additonally, each branch of the service is autonomous in IT management, which means there are FOUR DIFFERENT ways of running a network with the associated FOUR sets of management overhead and of course, they aren't interoperable. This is a fairly generalized statement, but most of the systems I deal with daily in the Marine Corps are specific to us and don't work with the other services systems despite the fact that they all do the EXACT SAME THING.
So kids, the moral of the story is: Write you congressman and complain about the misuse of your tax dollars. And don't forget to tell them that free software == excuse for lower taxes == more votes for them.
I've dirtied my hands writing poetry, for the sake of seduction; that is, for the sake of a useful cause. --Dostoevsky
Open with Acrobat Reader, File->Document Properties->Summary... reveals:
Title: Microsoft Word - 3DB823B-1ABD-0AA6.doc
Furthermore, the PDF file was created by http://createpdf.adobe.com - which allows one to upload files and have the processed into PDF - 15 for free, more for $$$.
Seems like they didn't find out that ghostview allows you to generate pdf files as well as view them...
Ubi dubium ibi libertas: Where there is doubt, there is freedom.
Last I checked the BSD's were first:
"The General Public License (GPL)4 is the original FOSS license, and GPL software is simply FOSS software that is covered by the GPL."
Page 12
This report is really full of holes. In the chart it says that BSD and Artistic licensed software cannot be combined with closed source software.
In page 22:
[i]Ironically, a thoroughly rigorous and systematic ban on DoD use of FOSS could also affect a number of proprietary product that rely on FOSS products that permit incorporation of FOSS into their closed-source products. For example, Microsoft Office uses the FOSS zlib collection of data compression software, and thus could technically be banned as a product that incorporates FOSS software.[/i]
The report also no makes no differentation between Open Source Software like FreeBSD, OpenBSD, and Apache; and Free Software which generally always refers to software under the GPL or LGPL. Like Linux, gcc, or GNATS.
"The word free in FOSS refers not to fiscal cost, but to the autonomy rights that FOSS grants its users. (A better word for zero-cost software, which lacks such rights, is freeware.) The phrase open source1 emphasizes the right of users to study, change, and improve the source codethat is, the detailed designof FOSS applications. Software that qualifies as free almost always also qualifies as open source, and vice versa, since both phrases derive from the same set of software user rights2 formulated in the late 1980s by Richard Stallman of the Free Software Foundation."
The writer of this report does not make differentation between Open Source and Free Software. He call's things under a BSD license with no cost, and no restriction on rights, freeware. (Freeware does not mean OSS. Freeware is closed source software, that is given away at no cost.) While in the next setence pushing the view that all OSS is GPL'ed.
This report is a grave disapointment.
If you actually tried to open up any but the most basic Word document in Wordpad, it butchers the document. Try it.
.PDF documents are extremely common. Get used to it. If you really can't stand to have to download extra software to view such a common format, you'll be happy to know that most Linux distributions come with at least one .PDF viewer.
However, that's beside the point. You see, not everyone runs Windows, and not everyone wants to open a document that can come with little extras like macro virii.
Further,
Not that the parent wasn't a troll or anything...
Computer Science is no more about computers than astronomy is about telescopes. --E. W. Dijkstra
whatever happened to good old ASCII or ISO text files?
The PDF document contains images, tables, colors, and underlined/italicized/bold text. Those are rather difficult to express in plain ASCII text.
Doing so is not unlike trying to write a voxel-based graphics engine in HTML.
Right tool for the job...
Computer Science is no more about computers than astronomy is about telescopes. --E. W. Dijkstra
I work in the trenches so-to-speak.
The good news is that the DoD is paying attention to Linux in a big way. Undoubtedly, Solaris, HP, and SGI were among a few of the favorite big ticket items that the DoD likes to purchase. However, there is a small number of people who are using linux. We're expecting that number to grow.
Mitre gets it -- they're pretty smart folks. But does the rank-and-file military? By and large -- no -- although there's more currently than say 18 months ago. Some are still caught of in the security problems linux has. Others are just ignorant by calling it "freeware" -- when linux really rises to a level above the typical "freeware" moniker.
The military is really a bargain buyer -- yes they don't want those M16's to explode -- but they don't want to be bled dry for a shoddy system, either. Especially when they have to report to a congressional subcomittee explaining why they blew billions of taxpayer dollars on incompatible systems.
whatever happened to good old ASCII or ISO text files? nothing says cross-platform than an ISO format
...I'll just go back to my Forth system and cry.
Oh sure, leave out us EBCDIC users, you young whipper-snappers with your fanch-schmancy ISO standards. HA!
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
The DoD has been asked to conduct internal software audit or trash MITRE report on FOSS.
1. Somehow I doubt that the DoD -- or anywhere that security is really important -- throws together code and puts it into production right away. (Who hasn't heard the stories about the draconian code review policies?)
2. Why would the DoD distribute their modified code? Perhaps they would send a patch to Apache or whatever if it was sufficiently general interest, but I suspect most of the modifications have to do with security policies particular to them.
3. Do you really believe that "Al-Qaeda hackers" [sic] spend more person-hours looking at the code than non-malicious users?
4. Neglecting the silliness about Al-Qaeda, why should I trust you that "some computer science programs and IRC channels" are training highly dangerous black hats? Last I checked, IRC was the land of windows-running script kiddies, and typical computer science programs include perhaps one optional course on security.
Even the GPL does not require anyone to distribute their customized in-house modifications.
I do hope that some employees who are exposed to open source, its benefits and the values of the community behind it contribute to open source projects in some way.
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
A lot of people will begin to think about the converse, "What if Closed Source were banned from the DoD?" or even more specifically, "What if Closed Source from companies found guilty of breaking federal law were banned from the DoD?". I wouldn't be surprised if the answers were "not much change" and "things improve", respectively.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
yes that is right even though the paper makes it sound like GNAT is a separate project from GCC, they are now one, GCC (GNU Compiler Collection). Their description says they are one now but I think this description was copied from each of their web sites.
Also is not RTLinux longer consider free software, because it restricts more than the GPL due to patents?
Also looks like they do not use csh at all which is under the BSD license. or pdksh which is in public domain, they are the default shells on OpenBSD.
They are also missed Binutils from the GNU which is the assembler and linker for most open/free operating systems.
Also is there not versions of sed and make and m4 and top that are under the BSD license?
Is perl not dual licensed, GPL and artistic?
I'm not trying to torch anybody's favorite software here, but both djbdns and qmail have drawbacks.
The biggest issue is the license. Qmail is limited to source-code only distribution, with an exception being made for precompiled binaries if they behave exactly the same as qmail normally behaves. Information here. This means that if you want qmail not to throw all of its binaries under /var and ignore most of /etc for configuration files (which it normally does), you have to compile and patch it by yourself. Also, there is no distributing patched versions, so if D. J. Bernstein dies tomorrow, qmail development is effectively frozen until qmail passes into the public domain decades later. That includes any security/performance patches, as well as ports to other architectures. Djbdns has a similiar license.
There is also compatability. Djbdns does not support certain zone transfer mechanisms. It ignores some IETF standards entirely and impliments its own version instead. I get upset when Microsoft twists and corrupts public standards for its own ends, and I get upset when Bernstien does it as well. I'm lazy, I don't want to have to doublecheck if my DNS servers supports a certain standard if my cofiguration changes. Qmail is more of a quibble, I don't like how it throws everything in /var. (And I'm not sure why the world needs qmtp)
I'm not saying that a lot of people and smaller sites won't find qmail/djbdns (and the rest of Bernstein's software) useful. They seem to be secure, and they do their job as long as everything is compatible.
However, one of the reasons why I avoid proprietary software for many tasks is that I don't want to hitch my wagon to somebody else's horse. If I go with a MTA that is wildly used and is GPL or BSDl, I am assured that development does not rest solely on one person. And if I go with standards-compliant software, it ends up being less of a hassle in the long run.
Djbdns and Qmail aren't bad. But they have licenses that limit distribution and development, and they break interoperability.
I didn't even know Microsoft has that restrictive license. It says here that it "Specifically bans use of: GPL, LGPL, Artistic, Perl, Mozilla, Netscape, Sun Community, and Sun Industry Standards."
Microsoft's site shows the license. It's really true. This particular EULA seems to be for a "Microsoft Mobile Internet Toolkit Beta 2". They actually call OSS as "Potentially Viral Software" in the license.
Even on Slashdot the GPL is largely misunderstood. It principally dictates that if you redistribute the software you must also redistribute the source; it does not require that you redistribute the source in order to use the code yourself in whatever fashion you require. Your error is exactly the misunderstanding that MS capitalizes upon in describing the GPL as 'viral'.
If somebody finds a bug in, say Linux, that can be exploited against both Sendmail and Qmail, the Sendmail folk will fall all over themselves to find and distribute a workaround. Bernstein, on the other hand, will likely just smile and say "not qmail's fault". This doesn't do much good for people who are actually using qmail in the field and will need to create and distribute their own patches on the back-channels -- and then integrate them with the myriad of patches out there.
I really believe that Qmail's license was and is the biggest barrier to it's more widespread adoption.
OS Software is like love: The best way to make it grow is to give it away.
As a Debian Developer, allow me to strongly disagree. There is a lot of software in Debian! It's as reliable and trustworthy as we can make it, but a lot of stuff doesn't get banged on very heavily (some of it is downright obscure), and the best we can really say is, "we haven't found any obvious problems". Which is a whole world apart from "Generally Recognized As Safe."
Now, anything that's FOSS and GRAS is probably in Debian, but being in Debian stable is only evidence of being FOSS and NPU (Not Proven Unsafe).
I think that the idea of having an external list of FOSS/GRAS software is an excellent one. Moreover, I doubt if Debian wants to accept responsibility for maintaining such a list.
The DoD is under tremendous pressure to have Microsoft blessed as the only products they use, as Microsoft has learned how to lobby and started throwing lots of money at this. The government is a huge purchaser of systems, and there are many legacy things out there. Since the past 10 years or so have brought many fresh college grads into the workforce, many of whom only know Microsoft products, there is pressure on the technical selection folks to replace with Microsoft since those precious MCSE's only know these platforms.
This report is probably an effort to build some evidence and support on why wholesale replacement of everything with off the shelf would add costs and hurt national security. Probably also explains IBM's (and others) shift to support Linux and variants over the past few years as they saw Microsoft tactics refined.
And, Microsoft's more recent license agreement language seems pointed at providing a legal reason why they need to be the only platform, since there are no technical reasons.
Sleep is for the Weak
It was written by:
Terry Bollinger
The MITRE Corporation
1820 Dolley Madison Blvd.,
W534 McLean, VA, 22102, USA
terry@mitre.org
Terry Bollinger currently works at The MITRE Corporation, where he focuses on distributed software and hardware architectures issues for U.S. Department of Defense information infrastructures. He is an editor for IEEE Software, and was one of two Special Editors for the Jan/Feb 1999 issue of IEEE Software on Linux and open source software methods.
Terry has had extensive experience at all levels of software development in the telecommunications industry, at NASA, and for the U.S. Department of Defense. Especially while working in the telecommunications industry, he has had extensive hands-on experience with both a wide range of software construction methods and approaches, and with the consequenses of trying to apply some of these methods in "realistic" environments in which there is a typical spectrum of developer experience (e.g., what happens when C++ is applied in and environment consisting almost entirely of long-term funcional C programmers). Terry also has a strong background in software reusability and software process, including an IEEE Software Best Paper on why software process improvement doesn't always give the kinds of results advertised, and is intrigued by the issue of why some programmers seem to be so much better at producing high-quality, stable code that endures over time. In terms of software construction issues, he is both highly familiar with the overall set of techniques involved (including newer methods such a graphical component based programming), and is strongly supportive of the need for good methods while also being heathily skeptical about a lot of the claims made for various software construction methods and tools.
Terry has M.S. and B.S. degrees in Computer Science from the University of Missouri at Rolla, and has been a member of IEEE for 23 years.
What I find really distasteful is the above phrase's incorporation of "MIT". Microsoft tries to pass it off as standing for "Mobile Internet Toolkit", but personally I believe it was intended to sound like (and evoke the favorable sentiments associated with) the Massachusetts Institute of Technology AND the associated, like-named OSS license.
.
- First they ignore you, then they laugh at you, then ???, then profit.