Defense Dept. Memo Explains Open Source Policy
TonyStanco writes "Big news. DoD issued a policy statement leveling the playing field for Open Source. We have the memo on the Center of Open Source & Government site." The requirements listed in this memo make me think of a company policy along the lines of "You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider." See this PDF for more information about National Security Telecommunications and Information Systems Security Policy (NSTISSP) number 11.
"You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider."
Well, hey. At least it's a start. Previously, many DOD organizations and departments had an absolute policy on software/platform. In many places, especially sensitive installations, the policy was Solaris. In the last few years there has been an inexorable move toward Windows, despite the obvious problems. Other defense contractors have been moving in the same direction, presumably to control costs by moving everything to one platform. However, most people are finding that this is not the best solution and they are allowing the installation/use/purchase of other systems including open source, Linux and OS X.
Best first bet would be it will slip in from DARPA. They've probably *already* been using it in places they're technically supposed to be using a commercial UNIX.
--Dave
So basically this policy says that if you use OSS then you have to follow the licensing that went with it. What happens if it was sensitive code and it could be detrimental(sp?) if you released the source? Do you still have to do it or is that an exception in the GPL?
The Navy/Marine Corps are launching a large-scale contract (NMCI) that restricts all Navy IT to MS and MS solutions.
This contract locks down the network to only NMCI-managed systems (MS only). If there are existing systems that cannot run under Windows, then you have to apply for a "legacy system" exception and pay extra for no service.
This one-size-fits-all approach is short-sighted and foolish. The upper echelon has yet to catch on that the network is the backbone or the infrastructure that enables an ever-increasing plethora of monitoring systems, data acquisition and control systems, collaboration and communication mechanisms, etc.
As more and more devices become Web-enabled, the Navy has effectively locked itself out in the cold and crawled in bed with built-in obsolescence, not to mention left itself vulnerable to an attack or virus that would spread like wildfire in a homogeneous network.
Use of Free and Open-Source Software (FOSS) in the U.S. Department of Defense -- This report documents the results of a short email-mediated study by The MITRE Corporation on the use of free and open-source software (FOSS) in the U.S. Department of Defense (DoD).
I'd say that's so important as to be essential. That can lessen the "buyer's remorse" if a company discovers it can't do something it wants to down the road and, more importantly, focuses the consumers' minds on the idea that there are different kinds of licenses. That seemingly simple concept can be a huge revelation to someone who has only dealt with proprietary software or has only a vague idea like "Linux is free and hard to use."
It also perhaps gives developers pause to consider different types of licenses. Perhaps the GPL is not a good "default" license (I personally think the BSD and LGPL are better for commercial entities -- I realize I can be debated on that subject). Perhaps it is. Still, even developers should think about what license is best for their software. And it'd be nice if the software didn't dictate that to them...
I agree with you 100%. Heck, I will even go so far as to say that in many cases replacing proprietary software with Free Software is a loser over the long term. There are plenty of commercial software systems that are good deals, and there are Free Software systems that do not measure up.
However, the second the commercial software folks start talking about accountability (especially with regards to Microsoft) I can't help but cry foul. Microsoft sells their software "as is" they are not remotely liable for their software, and if you want a decent service contract you have to purchase one on top of your licensing agreement, and you probably have to get the contract from someone besides Microsoft. Purchasing a commercial contract is also no guarantee that the software in question will be developed in the future. The company I work for currently is in the middle of a JD Edwards ERP installation, and today PeopleSoft announced they will be purchasing JD Edwards.
What do you bet that future JD Edwards "upgrades" will involve paying huge money for a completely different product?
Like I said, there are plenty of hidden costs associated with switching to Free Software. However, service, support, and long-term viability of your software all play into the hands of Free Software adoptees.
The buzzword for what you're talking about is Security Through Obscurity. The problem is that it will keep away the casual hackers and script kiddies so you will have many fewer attacks, but to a determined attacker (think of Bletchley Park in WW2 attacking the Enigma), if there are any weaknesses, they will most likely be found and you will not know about it until it's too late. The KGB (or whatever the enemy is these days) doesn't brag about their exploits on IRC.
I would NOT be offended if government agencies decided to use undocumented closed-source protocols.
I wouldn't be offended; I'd be scared. The rule of thumb is that "Security through obscurity is no security at all", but realistically, it's good enough for some situations where there aren't large numbers of dedicated, well-financed enemy spies. That is, anyplace other than National Security can get away with it for a while.
It is critical that, if a software developer who knows the code defects, we can simply change everyone's password and not junk the entire system until the program can be re-written from scratch. But that's what relying on closed-source for security would require.
Hell, if they want to write their proprietary software in ADA, more power to them.
The US government doesn't write proprietary software. Or anything else proprietary for that matter; all their intellectual works are public domain. Some of them are protected under security classification, like the way Air Force bases belong to the public, but they're not allowed inside without permission.
(And, a Top-Secret classification will expire long before copyrights do...)
Right.
Umm no. As long as it doesn't leave the DoD it's not 'distribution' under the terms of the license. You don't have to do shit.
Selling the program to outside customers and simply using it in-house are two entirely different situations though. See this entry in the GPL FAQ.
The only difference between GPL and BSD in this context would be if the DoD had some reason to distribute the program in question to the public. As long as it's used exclusively in-house it doesn't matter at all.
openBSD is of course reputed to be the most secure open source operating system.
I think that it seems a little weird that the US military is on the one hand acting very anti-open-source, while on the other, it is actively funding its development.
Additionally, I have seen one or two "discovery channel" type documentaries in recent months that have filmed computer terminals inside US military installations. There was no doubt that the personnel were running Unix, although the exact flavour remained unclear, but could it be OpenBSD...?
Even if MS survives the summer, they've already left Win95/98 behind and tried to (or have) dropped NT. So, in regards to "who do you sue?" logic, read your license. MS-Windows could be chock full of remote exploits or send your personal data abroad or monitor your files and habits or break your third-party applications and you'd have no recourse whatsoever -- except maybe upgrade to OS X/*BSD/Linux/QNX/etc.
Nice of Timothy to set up a straw man
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
To the best of my knowledge as a US Military employee: No, and no. If Microsoft software breaks, it's up to the people in our Network Operations Centers to fix it. I'd imagine the government gets a good discount in support costs, though. . . and probably has more than a couple Microsoft employees on contract to boot.
no, no, that means that when we sell guidance systems to Israel with requirements that they get our approval before selling them on, the Israelis are bound to give the source code to the PRC when they next do an illegal technology transfer otherwise next time they're not only going to have to face congressional scrutiny but the wrath of Richard Stallman.
God, I'm looking forward to a ME where Israel isn't the most open and democratic society so they'll get off their US subsidized, pampered butts and fix what ails them.
By this argument does Ford Motor company have to give you source code for their embedded computers running Linux? If so, that's really going to kick embedded Linux in the teeth if your appliance and motor vehicle vendors also have to become software distributors.
Do you seriously think they do provide any guarantees?
In the corporate mentality (and government is the worst case of it) it is not important what is in the contract. What counts is the simple fact that there is an external entity (i.e. Microsoft) you can point a finger at should something go wrong. As opposed to the situation where there is no external entity, no contract, and someone has to admit that it was they (or their subordinate) who screwed something up. Corporate mentality is about keeping safe within the structure with minimum effort, not about doing something.
I think that is one of the driving forces of outsourcing (apart from the issue of cost savings).
Yup. Personal experience in that area. A surprisingly large amount of DOD software was written for Clipper Summer '87.
BWAAAAHAAHAHAHAHAHAHA!!!!! (thunk!)
(/me gets back on chair.)
(sniffle!)
Oh, that's RICH!
You almost had me fooled for a minute there.
I think that it seems a little weird that the US military is on the one hand acting very anti-open-source, while on the other, it is actively funding its development.
Well, the DARPA thing was more an anti-free-speech thing, and anti-Canadian. But then again, Canada is a haven for pot-smoking communist al-Qaeda agents! ;) (Well, to be fair, there were several terrorists caught trying to cross the Canadian border to execute attacks timed for New Year's Day 2000...)
The most anti Open Source thing they have done recently is accepting Microsoft's new licensing terms after finding out they had been charged far more than ordinary businesses would be charged for the same Microsoft Software. They accepted Microsoft's song and dance about giving them a discount, whereas the Germans were smart enough to say "forget you, man!"
I for one would support legislation that requires all government entities to use ONLY open source software. It is unconscionable that they are wasting taxpayer dollars on crappy software to which they do not even possess the source code. How do they know there are no trojans and backdoors in that software that could be revealed to our enemies?
We were a middling-sized company, about 400 people. The CTO was supposed to do CTO-type stuff, but he preferred to tinker with the code; we had to make the new product perform better, and for him, that meant the opportunity to fiddle with very low-level OS features.
The company is called AIT - listed on LSE, it all collapsed when the directors were caught effectively fiddling the accounts.