Slashdot Mirror
Defense Dept. Memo Explains Open Source Policy
TonyStanco writes "Big news. DoD issued a policy statement leveling the playing field for Open Source. We have the memo on the Center of Open Source & Government site." The requirements listed in this memo make me think of a company policy along the lines of "You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider." See this PDF for more information about National Security Telecommunications and Information Systems Security Policy (NSTISSP) number 11.
....make me think of a company policy along the lines of "You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider."
Except it's not really like that is it?
OSS is not a toddler - it's tends to be just as mature as proprietry equivilants.
So it should be covered by similar guidlines.
Which is all memo says really.
I think the FOOS community notably the ones (like me) that do not write code but tries to get FOOS into the corporations, increasingly need to stress the fact that it comes with strings attached and that the corporations need to make sure that those strings is being honored.
Help fight continental drift.
Provided they're electronic copies.
Oh wait, everything but the use of Microsoft products that is. It seems like that gets instant approval without the need for any justification.
... 9 times out of 10, the least upgraded systems you will find will be in the government or DOD. There are thousands of little fiefdoms, all run by different little chiefs, and their IT structure is a mess.
:)
Whatever
Sure, the nice high tech stuff is out in the field, but Joe Government is working off a 95 box hooked up to an NT network most likely, with 3270's into some ancient mainframe or some Sun system.
This is where OSS can make a big impact. Shit, half the IT guys in the government are UNIX guys, where do you think they've been hiding? Right next to the Novell Guys. All of a sudden, thousands of "out of date" UNIX guys are competitive with linux, and they're bringing in new blood to supplement them, because many are close to retirement. All the while their outdated Win and proprietary UNIX systems are nearing EOL, with nary a vendor in sight.
You couldn't get a better situation for FOSS in the government right now. Someone's gotta replace those big nasty mainframe's and NT 3.51 boxen. Some of us make a decent living doing it.
What I'd like to know is why does an organization that sets United States federal technology policy guidelines post their policies on the web by scanning a paper document into PDF format! So we can all see a facsimile of John P. Stenbit's signature?!
--Lawrence Lessig for Congress!
"You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider."
I work for the government, so maybe I am more used to seeing security requirements for everything, but I didn't get that impression at all. We expect everything to talk, feed itself, and stick effortlessly to the ceiling all the while being secure. The government (DoD, DoE, etc) is probably one of the biggest users and innovaters of open source so I wouldn't get too feisty. The only reason people (managers) get a little hesitant about Open Source is blame. When something drops on the floor, they want someone to point the finger at, someone we have a contract with so that they can fix it reducing personal liability. Enter Microsoft with contracts in hand.
Support a great indie game: http://www.abaddon360.com
True, the core Linux maintainers could die or quit at any time. So could a software company drop a given application or operating system. For example, my company used a CRM called Vantive that was vastly superior in terms of ease of use and custimozation compared to PeopleSoft 8. We have in-house programmers that are very adept at coding for it. But PeopleSoft bought Vantive and dis-continued it. A few bugs sprang up that required access to certain source code that we didn't have. The answer? Pay 2 million (absolutely no exagueration) for People Soft 8 and go through the process of buying better servers and changing the structure of your Oracle databases "if you need future support for a PeopleSoft CRM". And yes, we had a service contract.
But the beauty of open source insures that others will pick up where they left off. It happens with alomst every popular and useful open source project whose lead developers quit. In the case of Linux, you would have people from companies like Redhat, Suse, and IBM ready to take the lead. The costs of such a change of "power" is rarely passed on to the consumer. Also, the really good analysts do,/i> factor in the cost of hiring contractors to specialize your code.
I don't think you understand how OSS works. See, if Linus&Co decide to stop whatever they're doing and go live fat and happy in Silicon Valley or somewhere, 'we' still have the code. Anyone can take it and continue the development -worst case scenario, they can't call it 'Linux' anymore. However, if Microsoft says 'well, that's all, folks! We'll start selling beach balls from now on!', there's not a single thing anyone can do about it. And no one can continue the development of those systems.
E
Marxist evolution is just N generations away!
Oh please, no one has ever sued Microsoft for lack of "service," and it is not because Microsoft products are perfect either.
Not only that, but Microsoft has done just about every other unfriendly thing that a software vendor can do. They have stopped development of projects, created spurious incompatibilities, and sold bugs as "features." If the government paid IBM (or RedHat or whomever) half of what they currently spend on Microsoft software they could almost certainly get a real service contract for a huge pile of Free Software, and if they didn't like the service they got, they could take that money next year and hire someone else without having to switch software.
I agree that there are costs to switching to Free Software, and I definitely agree that Free Software can't currently fill everyone's computer needs, but your arguments against Linux amount to nothing more than FUD. There are plenty of valid reasons for not choosing Linux. However, service, support, and longterm viability are all parameters that favor Linux.
A service contract with Microsoft doesn't usually include accountability.
And that doesn't necessarily preclude a successful lawsuit, should the government choose to persue it. If a root exploit were discovered and widely used, and it affected government servers, and Microsoft chose not to do anything about it, I suspect they would be sued and the US would win.
True, the core Linux maintainers could die or quit at any time. So could a software company drop a given application or operating system.
But not for the duration of the service contract or, again, there would be repercussions. While this is part of the way Microsoft controls the market, it is also a guarantee of service. If the OSS developer drops the project, there is no guarantee that anyone will pick it back up. It may be likely, but that's not good enough for many officials. Without something in writing, there's no real security in your purchase/training.
Skipping around:
And yes, we had a service contract.
Sounds like your legal department didn't do their job. Either the contract had some holes or PeopleSoft should have had their asses sued off.
If the software was GPL, it wouldn't matter how the contract was structured, because our programmers could have fixed the code. Instead, 2 million bucks was spent.
And PeopleSoft is not liable or accountable, because all they did was gain ownership of the closed code. The agreement of assurance was specifically with Vantive. We didnt' buy the patented works itself (which wasn't an option, and People Soft refused to sell Vantive after-the-fact).
As a side note, PeopleSoft 8 is laughable. I could design a better tool using PHP-Nuke (I actually hacked up a solution that was based on PHP-nuke for real simple CRM fucntions to show that it could be done - it was ignored, of course).
yeah, this is the point. There is the same amount of risk or greater with closed source projects. Do you think the DOD has never used a piece of software the creator discontinued? Or went out of business? To protect against that I am sure they always manage to get the source code up front (to say nothing of the security issues that require them to get closed source)... In either case if something bad happens the dod can maintain their own systems, open source would just take a step out of the contract negotiations that allow that.
Right, then somebody implements a bad encryption scheme and because it's closed source nobody sees it and breaks it, and the DoD or other users fool themselves into thinking it's secure, until a foreign government breaks it and reads all our coded communications for years... (Or whatever it is that these people are afraid of). I'd much rather trust something like PGP that everybody can read and understand and crackers (black and white hatted) can do their worst at. Otherwise you are just buying a false set of security.
So Basicaly.. It needs to fit thier needs :) How else would you eval something :)
Can't Imagine any IT manager giving a go ahead on a product that doesn't hold up to the current min standards. :)
Who needs WiFi when we can have Packet Over Sheep! http://datacomm.org/PoS-InternetDraft.txt
If a root exploit were discovered and widely used, and it affected government servers, and Microsoft chose not to do anything about it, I suspect they would be sued and the US would win.
You are kidding, right? Windows is full of holes, and many of have been around for years by the time people get around to using them for break-ins, including into government computers. I don't know whether the US government could, in theory, win, but in practice, they don't seem to be sueing.
If the OSS developer drops the project, there is no guarantee that anyone will pick it back up. It may be likely, but that's not good enough for many officials. Without something in writing, there's no real security in your purchase/training.
Microsoft drops products constantly. And when Microsoft does that, you are completely stuck because nobody can pick up the software.
Perhaps what's confusing you is that Microsoft refers to many different, incompatible products using the same trademark. But that doesn't do you any good when your programs stop running.
The reality of it all is that if you buy Microsoft, not only do you have to put up with buggy software, but you get no guarantees, you have to expect security holes and accept the risk for them yourself, you can't fix anything, and the software likely has a much shorter usable life than comparable open source software.
Having a policy that OSS must compare favorably with Non-OSS is reasonable, and a good sign. Any policy other than "No OSS" is a good sign, as it shows they are considering it. I would say that OSS's biggest worry is simply not being noticed, not just failing to measure up. After all, most Open Source projects simply don't have the advertising budget their Closed-Source, Commercial competitors do.
Contact Me (got tired of viruses emailing me).
No no Mod parent up
I deal with this monster everyday and there is very little publicity about this contract. There needs to be more horror stories out in the press. NMCI forces MS on everything that touches that friggen network and all other Operating Systems are considered "legacy".
Be careful about Tony Stanco, the person who wrote the Slashdot story. He seems to be using computer issues as a way of promoting himself.
It was a joke about how strict the regulations were. Didn't you see the part about sticking to the ceiling like a spider? That's not normal human child behavior, hence, the stated regulations that would require such would be unreasonably stringent. Timothy was drawing a parallel to the stringent regulations regarding OSS.
And who says geeks don't have a sense of humor?
The requirements listed in this memo make me think of a company policy along the lines of "You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider."
How you can make this out from that memo which basically says we have a set of procedures in place for software evaluation, if OSS passes those then fine, no problem and secondly be aware of the terms of the license that the OSS comes under.
I know this is Slashdot but the fact that OSS may have to go through a regular selection process instead of being mandated as defacto standard, to the detriment of all others is proper procedure in most large organisations. You should be saying well done for leveling the playing and giving OSS a chance to compete on equal terms.
Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
What truth?
There is no dupe
The thousands of little fiefdoms with differing systems is a good thing, as due to the diversity, what knocks out one system won't necessarily knock out the one next door. Mono-culture is always a bad idea security and stability-wise.
Working as an intern for a national laboratory, I noticed how getting new equipment worked. First, you find what you really want, like a computer for instance. Next, in your proposal, you go around and find different parts for that machine, and make sure the stuff you really want is the lowest price. Send it up to the people who double check this to see if they are getting a "good" deal, and bam, you get your computer.
With this in mind, what Linux or Unix OS are they planning on using already? They must have one picked out if they are going to start making rules on the OSS situation.
"Some fight for law. Some fight for justice. What will you fight for? One day, you will see."
Without something in writing, there's no real security in your purchase/training.
As mentioned in the parent, companies like Red Hat and Suse make their money from support contracts. Since their bread and butter is in these contracts, and not in selling upgrades, they are more likely to take an active role in fixing problems, instead of having a vested interest in propogating problems (leading to more upgrades).
Microsoft has, in the past, refused to fix bugs in "older" software. In many circumstances, the solution is to "upgrade." In several cases, bugs deemed non-critical by MS have been left unfixed for months. In several other cases, the fixes to these bugs have caused even worse problems.
I have yet to see a contract stipulating Microsoft promises to fix any problems discovered, let alone take resonsibility for any defects. Doesn't mean they don't exist; but, like invisible ephemeral unicorns, until I see one (or the effects of one), I don't believe in them.
The concept of manufacturer liability in the software market is laughable. Schools can get sued for millions for choosing co-valedictorians, but Microsoft sure as hell isn't going to pay for the privacy-raping holes in Passport.
Something is fucked up here.
Microsoft is to software what Budweiser is to beer.
Now if an employee takes the modified software home and installs it on his personal machine, he has violated his company's copyright. If his company allows him to install it on his personal machine, then they must license the modifications to him under the GPL.
Simply using propriotary software installed on your company's computer doesn't mean you own a license. The same is true with GPL'd software. However in most cases, that same GPL'd software is available from multiple sources, so it's a non-issue.
-- Knowledge shared is power lost. -- Aleister Crowley
With Microsoft, and under contract, you know that's going to happen.
Sorry - no you don't. Microsoft have previously claimed that Windows NTv4 is being supported for security hotfixes until 30 Jun 04 (see here) but then failed to fix a serious RPC based DoS attack.
I should imagine this pisses "secure" government sites off quite a bit - they have been promised security fixes for another year now and then get shafted because MS claim that NTv4 "does not support the changes that would be required to remove this vulnerability".
At least with OSS users are capable of fixing the problem themselves (or paying for it, or using a general release patch etc).
But there are hidden costs that you just don't always see.
Yep - and what are the costs of upgrading all of the Windows NTv4 to Windows 2000 servers to avoid this security bug?
"Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
If you had a toilet that had to survive 1000 bums per day in a saltwater environment with no spares or repair shops for 5000 miles in all directions (this was a toilet on a SHIP) then you might expect to pay more than the HomeSpot $100 special.
Is that the DoD, the DoJ, dictator-of-the-week, and any other offensive military/rights-quashing group, can use your code, and you have no control over it.
Bullshit. Or can you actually think of cases where the "military/rights-quashing group" uses a developer's code without their permission? I personally don't see a need for the military to jackboot someone else's code, since there're about 1500 military programmers in the US Air Force alone. That doesn't count civil service or contracted personnel working with or for the Air Force.
And frankly, if you think people join the US Armed Forces because they want to "quash people's rights," you are sadly out-of-touch with reality. Military members swear an oath to defend the Constitution of the United States--it's an oath we don't take lightly. If you're not happy with the Iraq war, that's fine. . . neither am I. But blame the politicians you elected into office, who sent the troops in the first place.
!#@%*)anks for hanging up the phone, dear.
Look, The DoD uses Windows for shear monstrosity of the network users and their demographics. Average 18 year olds entering the military to Major Generals have used some form of windows. The same cannot be said of Linux or UNIX unless they were Technologically savvy /.ers. Colonel's would have a hell of a time learning Linux, trust me - they have a hard time with email. The tech savvy individuals will probably pursue some sort of computer related field in the military as well, where windows is most definitely not the answer as many pointed out. I.e. up time, security, etc. The military doesn't use windows, as an end all is all, especially for it's weapons systems. Case and point: I work as a USAF weather forecaster, our weather product dissemination uses a Silicon Graphics box dual booting Linux and WinNT via VMware. They sent me to school just to operate this stuff, as I had never used it in the past. One would find the majority of network *stuff* that matters to the DoD, not access to Yahoo, runs from something other than windows.
Just my .02 cents
Quit inane, as many aircraft specs are
If you've ever tried to take a dump on a C-130 in flight, going through a thunderstorm, after a 60 day deployment to a tent in Turkey, when your entire digestive tract is in full rebellion...you'd be damn glad that the toilet is designed properly.
Let's see. First, if Ford is selling computers in cars, they are still selling computers. And if those computers contain software, then Ford is a software distributor. Second, you're telling me that in all the legal mess it takes to build cars, that it's too much of a hassle for Ford to post the source code to their embedded processors' software? They could conceivably put that code on a CD-ROM and put that in a pocket of your car's owners manual. This is not rocket science-- but it is a simple thing to do as part of the automotive engineering process.
They could also easily post said source code to their web servers. Have you ever seen their web site? They are insanely well-done. They're a combination of your wildest tech fantasies about online shopping and the most over-produced TV commercials known to man.
But hey, I'm sure Ford can't handle it. Never mind safety testing, emissions regulations, and all that hard stuff! Have you rebooted a Ford lately?
I do not have a signature
Their classifications override your copyright, besides as long as they don't sell or provide the binary to any other entity they don't have to provide the code and if they do provide the binary (if classified), the recipient has to have that particular classification rating.
This can be of benefit if the code is GPL'd and a contractor or other business that can accept (is allowed) the binary+clearance, they (hopefully) get the code. Which can be a real life saver especially if getting an antique (much of military stuff is just that) working again.
Probably though they'd just override the GPL and ship the binary only.
I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty