Software Choice Group Tells DOD Not to Use Open Source
ducomputergeek writes "A group calling themselves the Initiative for Software Choice, backed by Microsoft and others, is recommending that the DOD drop plans for further adoption of Open Source software. This comes after MITRE, a defense contractor, published a report stating that not only does the Department of Defense use open source, but is recommended to use it more. The article is at News.com and you can read it here."
Here's an article from The Register talking about the same subject. News.com will probably get slashdotted now anyways =)
I know at least one thing. I feel much better about the "defence" of my own computer from viruses and hackers with a stripped down linux that runs few services. I know exactly what programs/services are running. The stripped kernel code is small enough that I probably could audit it over say a year. The "Defense" Department could certainly allocate some resources to audit a stripped distribution.
Anyways, a funny highlight, one of their members is: "Open Solutions" =)
There was a link in the article to ISC's comments to the DoD. Skimmed through it and found a very, very interesting quote:
ISC's main goal is to educate policymakers about the need to remain neutral with respect to government purchase of software.
So regarding your comment that people have different options, that's what the ISC is arguing for. They don't think it's fair for the government to only consider open source software and ignore software made by, say, Microsoft.
-- Kircle
Even more importantly, the DOD can classify something after the fact, so while it might have to release source code, it only has to do so if you have need to know as defined by the DOD.
No sir, I don't like it.
Just a side note on this story; Mitre Corp is not, strictly speaking, a corporation. It's a front for the CIA. I delivered a paper once at a Mitre Corp meeting, and it was the oddest experience of my life. No business cards, no last names, and locks on every trash can. Wasn't until a week later (after some digging) that I discovered that their "campus" in Virginia was part of Langley. Really weird outfit.
I work for the DoD, in a branch that plans technology policy for various projects. Over the last 5-10 years, the push for "Open Standards Architecture" (OSA) has been at the forefront. It's the stated policy of the DoD, which comes from the mouth of a former Secretary of Defense, to push for open standards, open interfaces, and in general to be as far from proprietary as possible. Proprietary software means more expense for the government due to non-competition, and it also puts the government in the hands of a private corporation.
Open Source, while not specifically targeted by the DoD, is the next logical step. Although the previous generation of nuclear submarines ran HP-UX, the next generation (due to be delivered starting 2006) will run about half Solaris, half Linux. So yes, open source is on the way in in the government. Slightly off-topic, but if you want a good example of why proprietary software is no good for mission-critical work, look up on Google the problems the USS Yorktown had with Windows NT about 5 years ago...
"If at first you don't succeed, lower your standards."
It's important to make clear the difference between:
1) using OSS code in your software
2) using OSS code to write your software, or to deploy your software, or to distribute your software, or to hang your software out to dry on your clothesline, etc...
Only #1 requires you to make your software open source.
(btw, I work as a contractor for the DOD. We do #2 constantly, and I can promise you it's the much more common activity)
http://kered.org
I work for the DoD, in a technology policy branch.
Not only is proprietary software inherently insecure, it's inherently more expensive, inherently doesn't work as well, and inherently causes the government to be screwed if the company goes out of business or decides to stop supporting the software. In fact, the government got screwed by using HP-UX when HP decided not to make new versions of the OS backwards-compatible with the older HP processors being used in most of our submarines...now, wisely, half of the computers in the NEXT generation of subs are running Linux (the rest are running Solaris...)
"If at first you don't succeed, lower your standards."
> This comes after MITRE, a defense contractor,
> published a report stating that not only does the
> Department of Defense use open source, but is
> recommended to use it more.
MITRE is one hell of a lot more than just another defense contractor. Look into its history and you'll see that DoD will value its opinion far above that of some Microsoft lobbyist.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
This brings up a question I've asked before and no one seems to have a conclusive answer for. Technically, by the GPL rules, anyone who gets the binary has to be able to get the source. Now the DoD employees are certainly getting the binary, so they should have access to the source as well, correct? And if they have access to the source, the GPL gives them full legal rights to redistribute it as they want, correct?
The Free Software Foundation and Richard Stallman have both made this very, very clear.
Software kept within an organization is not considered to have been distributed. There is a very precise definition of what distributed means, which the GPL, the FSF, etc. have made very clear. You can use as much GPLed code as you like with your in-house software, and as long as that software stays in-house it is not being distributed, and you are under no obligation to provide a single line of source code to anyone. This has been made explicitly clear by RMS and others.
Now, if you distribute the software outside of your organization, then you are obligated to provide the source code to that other organization.
So yes, the Army giving the Navy software would have to give them source code (and if the Navy wanted to give it to Joe Blow, the Army couldn't stop them). But having the software distributed from Army Headquarters in the Pentagon to GI Jane in the field does not constitute distribution outside of the organization, and there is no obligation either to give Jane the code or to allow her to distribute it outside of the organization (in this case, the US military).
The Future of Human Evolution: Autonomy
The part that I wonder about is "other software products with limited or no warranty, such as those commonly known as freeware or shareware". I wonder if this was meant to indicate Open Source Software? IANAL, but I've never seen a EULA for software that didn't indicate a limited warranty. In fact, from my layman's point of view, all the standard EULAs seem to indicate that the software has no warranty, since they seem to claim that the software doesn't have to do anything at all...
Elegance is for tailors. -A. Einstein
Bookmarking this handy page to keep track of how well OSS is doing! Naughty software procurement policies.
Incidentally, don't put a single quote in the zipcode field on their registration form...
Once more unto the breach, dear friends, once more, Or close the wall up with our American dead!
Much to my dismay, the US Army is moving to a mandatory "smart card" system for computer access. I read the operational requirements document, and it lists Windows as a requirement, and Unix as "nice, but optional". So for all practical purposes we're tied to Windows as an OS, and Outlook as an email client (our servers will reject email not signed with a key from our smart card, and of course they're only integrating the smart card with Outlook). Oh, and the requirements document DOES call for "open standards", but that didn't seem to matter. (google for "set-d ord")
Might not be less secure, but I think the difference is how open source projects respond to and handle security issues compared to some proprietary software companies. The latter have to consider reactions from shareholders, etc. when informing users of vulnerabilities in their products; they have the choice to stay quiet more often since the source isn't open. That isn't the case with open source projects; the source is right there for everyone to poke and prod at.
http://www.infoworld.com/articles/hn/xml/02/09/05/020905hnmssecure.xml
"I'm not proud," Valentine said, as he spoke to a crowd of developers here at the company's Windows .Net Server developer conference. "We really haven't done everything we could to protect our customers ... Our products just aren't engineered for security."
Actually, the problem was that HP-UX ran only on HP processors. A brand new Navy nuclear submarine has a lifespan of 35-40 years, while a typical computer operating system becomes outdated in 5-7 years. The problem was that about a year ago, HP stopped supporting the latest version of HP-UX that ran on those processors, stopped making patches for it, stopped adding support for new hardware, etc., etc. Thus, as the Navy's needs changed, their operating system couldn't change to meet the new needs. The options were to either upgrade all the hardware to all new HP processors and OSes (and probably get screwed again in the future), or move to something that was more likely to be supported, upgradeable, and backwards-compatible in the future. Since Linux is a relative newcomer, the choice was made at the time to use Sun Solaris, though the big push now is towards Linux.
"If at first you don't succeed, lower your standards."
That depends on what you mean by distribute. I would tend to think that distributing inside your company is still distributing, but it looks like I'm wrong.
(taken from gnu.org)
Does the GPL require that source code of modified versions be posted to the public?
The GPL does not require you to release your modified version. You are free to make modifications and use them privately, without ever releasing them. This applies to organizations (including companies), too; an organization can make a modified version and use it internally without ever releasing it outside the organization.
But if you release the modified version to the public in some way, the GPL requires you to make the modified source code available to the users, under the GPL.
Thus, the GPL gives permission to release the modified program in certain ways, and not in other ways; but the decision of whether to release it is up to you.
http://kered.org
It already is. The newly signed homeland security bill saw to it. (All 420+ pages could not have been adequately examined by those who voted for it, but that is another rant.) Download the PDF from the govt web site.
...the selection of specific technical hardware and software information security solutions should be left to individual agencies from among commercially developed products.
Page 323 Line 15.