Defense Dept. Memo Explains Open Source Policy
TonyStanco writes "Big news. DoD issued a policy statement leveling the playing field for Open Source. We have the memo on the Center of Open Source & Government site." The requirements listed in this memo make me think of a company policy along the lines of "You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider." See this PDF for more information about National Security Telecommunications and Information Systems Security Policy (NSTISSP) number 11.
....make me think of a company policy along the lines of "You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider."
Except it's not really like that is it?
OSS is not a toddler - it tends to be just as mature as proprietary equivalents.
So it should be covered by similar guidelines.
Which is all the memo says really.
Oh wait, everything but the use of Microsoft products that is. It seems like that gets instant approval without the need for any justification. "Microsoft released Windows XP? OK, upgrade, forget about the costs and everything else that such an upgrade demands - just do it - across the board. Office XP you say? OK, allocate $10,000,000 for the software, we'll worry about paying for the licenses later."
Everyone knows that the benefits of using open source products far exceed any benefits that can be reaped by paying a whole bunch of money for closed source products and their associated licenses (which are arguably always more extensive and restrictive than open source license schemes). Sure, paying $50,000,000 to upgrade your old NT servers to 2000 and your 98 desktops to either Windows 2000 or XP has its benefits over spending $30,000,000 on Redhat and Star Office and the training. A bunch of sales people always say that such a move (upgrading Windows servers and clients and Office) has its benefits. I just don't seem to see them. Maybe I'm too progressive, I don't know.
PS: didn't get it...this time
"You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider."
Well, hey. At least it's a start. Previously, many DOD organizations and departments had an absolute policy on software/platform. In many places, especially sensitive installations, the policy was Solaris. In the last few years there has been an inexorable move toward Windows, despite the obvious problems. Other defense contractors have been moving in the same direction presumably to control costs by moving everything to one platform. However, most people are finding that this is not the best solution and they are allowing the installation/use/purchase of other systems including open source, Linux and OS X.
Visit Jonesblog and say hello.
"You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider." Thanks for that, now every time the AC comes out at work I'm going to expect an army of spider-babies to pop out and steal my printer.
It's not stupid. It's advanced.
Isn't that putting it a bit strongly?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
What is bureaucracy?
This guy wants to clean out a room in the Pentagon, stacked to the ceiling with boxes labeled, "non-essential documents". So he starts a study showing how much space they can save by ridding themselves of all of these useless documents.
A few months later they complete this study, and send it up for a review. A board determines that this is a great idea and they can in fact save tons of space by ridding themselves of all of these documents, with one stipulation. They must make copies of all the documents for their records...
Craenor
Sorry.
That document you linked to is dated January 2000, not May 2003.
It also does not mention the GPL.
and stick effortlessly to the ceiling like a spider
Better start here then.
My toddler can do all that. Can't yours?
....Bethanie....
Best first bet would be it will slip in from DARPA. They've probably *already* been using it in places they're technically supposed to be using a commercial UNIX.
--Dave
I think the FOSS community, notably the ones (like me) that do not write code but try to get FOSS into the corporations, increasingly need to stress the fact that it comes with strings attached and that the corporations need to make sure that those strings are being honored.
Help fight continental drift.
Gawd!
It ain't that hard.
Basically:
1) It defines OSS & GPL
2) Says they're OK to use provided:
a) They comply with the same DoD policies for equivalent off-the-shelf software
b) They comply with the requirements defined by the National Security Telecommunications and Information Systems Security Policy.
c) They're configured as per DoD approved security configurations from http://iase.disa.mil and http://www.nsa.gov.
d) You don't break any licenses.
That's all!
especially since OSS is often (and arguably most useful) used to augment existing systems, with no expectation of redistribution. It is up to the project managers to make a product that delivers; forget about NSTISS or the GPL.
And most COTS systems in use don't have the certs anyway, and no one gets in a tizzy. It's only if you wanted to hook it up to SIPRNET or something (and then it gets reviewed independently anyway).
This is just some stuff to make the guys funding the projects (Congress) feel better.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
The Navy/Marine Corps are launching a large scale contract (NMCI) that restricts all Navy IT to MS and MS solutions.
This contract locks down the network to only NMCI managed systems (MS only). If there are existing systems that cannot run under Windows then you have to apply for a "legacy system" exception and pay extra for no service.
This one size fits all approach is short sighted and foolish. The upper echelon has yet to catch on that the network is the backbone or the infrastructure that enables an ever increasing plethora of monitoring systems, data acquisition and control systems, collaboration and communication mechanisms, etc.
As more and more devices become Web enabled the Navy has effectively locked itself out in the cold and crawled in bed with built in obsolescence - not to mention left itself vulnerable to an attack or virus that would spread like wildfire in a homogeneous network.
Use of Free and Open-Source Software (FOSS) in the U.S. Department of Defense -- This report documents the results of a short email-mediated study by The MITRE Corporation on the use of free and open-source software (FOSS) in the U.S. Department of Defense (DoD).
pb Reply or e-mail; don't vaguely moderate.
"You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider."
Hi Timothy, we'd like to make you an honorary member of our organization - PIFCA (People Incapable of Forming Cogent Analogies).
You belong with us like a marmot is comfortable with peanut butter.
"You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider."
I work for the government, so maybe I am more used to seeing security requirements for everything, but I didn't get that impression at all. We expect everything to talk, feed itself, and stick effortlessly to the ceiling all the while being secure. The government (DoD, DoE, etc) is probably one of the biggest users and innovators of open source so I wouldn't get too feisty. The only reason people (managers) get a little hesitant about Open Source is blame. When something drops on the floor, they want someone to point the finger at, someone we have a contract with so that they can fix it reducing personal liability. Enter Microsoft with contracts in hand.
Support a great indie game: http://www.abaddon360.com
True, the core Linux maintainers could die or quit at any time. So could a software company drop a given application or operating system. For example, my company used a CRM called Vantive that was vastly superior in terms of ease of use and customization compared to PeopleSoft 8. We have in-house programmers that are very adept at coding for it. But PeopleSoft bought Vantive and discontinued it. A few bugs sprang up that required access to certain source code that we didn't have. The answer? Pay 2 million (absolutely no exaggeration) for People Soft 8 and go through the process of buying better servers and changing the structure of your Oracle databases "if you need future support for a PeopleSoft CRM". And yes, we had a service contract.
But the beauty of open source ensures that others will pick up where they left off. It happens with almost every popular and useful open source project whose lead developers quit. In the case of Linux, you would have people from companies like Redhat, Suse, and IBM ready to take the lead. The costs of such a change of "power" are rarely passed on to the consumer. Also, the really good analysts do factor in the cost of hiring contractors to specialize your code.
I don't think you understand how OSS works. See, if Linus&Co decide to stop whatever they're doing and go live fat and happy in Silicon Valley or somewhere, 'we' still have the code. Anyone can take it and continue the development -worst case scenario, they can't call it 'Linux' anymore. However, if Microsoft says 'well, that's all, folks! We'll start selling beach balls from now on!', there's not a single thing anyone can do about it. And no one can continue the development of those systems.
E
Marxist evolution is just N generations away!
You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider."
In other news, Safeco has been reported to have replaced all their acoustic ceiling material with velcro in order that their company wide pre-toddler policy can be implemented. In order to prevent possible liability, they had to replace their traditional furniture with what can only be described as a rubber room.
When asked about the subject, representatives of Safeco were unavailable for comment, but issued the following statement, "we are cleaning baby vomit out of our clothing".
According to one district manager, "I can't tell if productivity is up or down, I'm stuck. Help!".
There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
Oh please, no one has ever sued Microsoft for lack of "service," and it is not because Microsoft products are perfect either.
Not only that, but Microsoft has done just about every other unfriendly thing that a software vendor can do. They have stopped development of projects, created spurious incompatibilities, and sold bugs as "features." If the government paid IBM (or RedHat or whomever) half of what they currently spend on Microsoft software they could almost certainly get a real service contract for a huge pile of Free Software, and if they didn't like the service they got, they could take that money next year and hire someone else without having to switch software.
I agree that there are costs to switching to Free Software, and I definitely agree that Free Software can't currently fill everyone's computer needs, but your arguments against Linux amount to nothing more than FUD. There are plenty of valid reasons for not choosing Linux. However, service, support, and longterm viability are all parameters that favor Linux.
If the software was GPL, it wouldn't matter how the contract was structured, because our programmers could have fixed the code. Instead, 2 million bucks was spent.
And PeopleSoft is not liable or accountable, because all they did was gain ownership of the closed code. The agreement of assurance was specifically with Vantive. We didn't buy the patented works itself (which wasn't an option, and People Soft refused to sell Vantive after-the-fact).
As a side note, PeopleSoft 8 is laughable. I could design a better tool using PHP-Nuke (I actually hacked up a solution that was based on PHP-nuke for real simple CRM functions to show that it could be done - it was ignored, of course).
yeah, this is the point. There is the same amount of risk or greater with closed source projects. Do you think the DoD has never used a piece of software the creator discontinued? Or went out of business? To protect against that I am sure they always manage to get the source code up front (to say nothing of the security issues that require them to get closed source)... In either case if something bad happens the DoD can maintain their own systems, open source would just take a step out of the contract negotiations that allow that.
Right, then somebody implements a bad encryption scheme and because it's closed source nobody sees it and breaks it, and the DoD or other users fool themselves into thinking it's secure, until a foreign government breaks it and reads all our coded communications for years... (Or whatever it is that these people are afraid of). I'd much rather trust something like PGP that everybody can read and understand and crackers (black and white hatted) can do their worst at. Otherwise you are just buying a false set of security.
Why bother with OSS when you can simply pay $30,000 per Microsoft license? They paid that much for a toilet, they might as well pay that much more for something to flush down it!
I HAVE COME TO CONQUER YOU ALL, EARTH SCUM!
If a root exploit were discovered and widely used, and it affected government servers, and Microsoft chose not to do anything about it, I suspect they would be sued and the US would win.
You are kidding, right? Windows is full of holes, and many of them have been around for years by the time people get around to using them for break-ins, including into government computers. I don't know whether the US government could, in theory, win, but in practice, they don't seem to be suing.
If the OSS developer drops the project, there is no guarantee that anyone will pick it back up. It may be likely, but that's not good enough for many officials. Without something in writing, there's no real security in your purchase/training.
Microsoft drops products constantly. And when Microsoft does that, you are completely stuck because nobody can pick up the software.
Perhaps what's confusing you is that Microsoft refers to many different, incompatible products using the same trademark. But that doesn't do you any good when your programs stop running.
The reality of it all is that if you buy Microsoft, not only do you have to put up with buggy software, but you get no guarantees, you have to expect security holes and accept the risk for them yourself, you can't fix anything, and the software likely has a much shorter usable life than comparable open source software.
Having a policy that OSS must compare favorably with Non-OSS is reasonable, and a good sign. Any policy other than "No OSS" is a good sign, as it shows they are considering it. I would say that OSS's biggest worry is simply not being noticed, not just failing to measure up. After all, most Open Source projects simply don't have the advertising budget their Closed-Source, Commercial competitors do.
Contact Me (got tired of viruses emailing me).
I would NOT be offended if government agencies decided to use undocumented closed source protocols
I wouldn't be offended- I'd be scared. The rule of thumb is that "Security through obscurity is no security at all", but realistically, it's good enough for some situations where there aren't large numbers of dedicated, well-financed enemy spies. That is, anyplace other than National Security can get away with it for a while.
It is critical that, if a software developer who knows the code defects, we can simply change everyone's password and not junk the entire system until the program can be re-written from scratch. But that's what relying on closed-source for security would require.
Hell, if they want to write their proprietary software in ADA, more power to them.
The US government doesn't write proprietary software. Or anything else proprietary for that matter- all their intellectual works are public domain. Some of them are protected under security classification, like the way Air Force bases belong to the public, but they're not allowed inside without permission.
(And, a Top-Secret classification will expire long before copyrights do...)
Be careful about Tony Stanco, the person who wrote the Slashdot story. He seems to be using computer issues as a way of promoting himself.
The requirements listed in this memo make me think of a company policy along the lines of "You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider."
How you can make this out from that memo which basically says we have a set of procedures in place for software evaluation, if OSS passes those then fine, no problem and secondly be aware of the terms of the license that the OSS comes under.
I know this is Slashdot but the fact that OSS may have to go through a regular selection process instead of being mandated as de facto standard, to the detriment of all others, is proper procedure in most large organisations. You should be saying well done for leveling the playing field and giving OSS a chance to compete on equal terms.
Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
What truth?
There is no dupe
Working as an intern for a national laboratory, I noticed how getting new equipment worked. First, you find what you really want, like a computer for instance. Next, in your proposal, you go around and find different parts for that machine, and make sure the stuff you really want is the lowest price. Send it up to the people who double check this to see if they are getting a "good" deal, and bam, you get your computer.
With this in mind, what Linux or Unix OS are they planning on using already? They must have one picked out if they are going to start making rules on the OSS situation.
"Some fight for law. Some fight for justice. What will you fight for? One day, you will see."
How else would you eval something :)
Depending on the time period:
"Is it IBM? If not, you're fired." or "Is it IBM? If so, you're fired."
--TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
Without something in writing, there's no real security in your purchase/training.
As mentioned in the parent, companies like Red Hat and Suse make their money from support contracts. Since their bread and butter is in these contracts, and not in selling upgrades, they are more likely to take an active role in fixing problems, instead of having a vested interest in propagating problems (leading to more upgrades).
Microsoft has, in the past, refused to fix bugs in "older" software. In many circumstances, the solution is to "upgrade." In several cases, bugs deemed non-critical by MS have been left unfixed for months. In several other cases, the fixes to these bugs have caused even worse problems.
I have yet to see a contract stipulating Microsoft promises to fix any problems discovered, let alone take responsibility for any defects. Doesn't mean they don't exist; but, like invisible ephemeral unicorns, until I see one (or the effects of one), I don't believe in them.
The concept of manufacturer liability in the software market is laughable. Schools can get sued for millions for choosing co-valedictorians, but Microsoft sure as hell isn't going to pay for the privacy-raping holes in Passport.
Something is fucked up here.
Microsoft is to software what Budweiser is to beer.
If you GPLed the software that controls your guided missiles, where are you going to get a platform to run it on? Meanwhile, perhaps some of the guidance algorithms could be modified into something useful to the general public. After all, they are *my* missiles too - my taxes paid for them.
openBSD is of course reputed to be the most secure open source operating system.
I think that it seems a little weird that the US military is on the one hand acting very anti open source, while on the other it is actively funding its development.
Additionally, I have seen one or two "discovery channel" type documentaries in recent months that have filmed computer terminals inside US military installations. There was no doubt that the personnel were running Unix, although the exact flavour remained unclear- but could it be openBSD...?
With Microsoft, and under contract, you know that's going to happen.
Sorry - no you don't. Microsoft have previously claimed that Windows NTv4 is being supported for security hotfixes until 30 Jun 04 (see here) but then failed to fix a serious RPC based DoS attack.
I should imagine this pisses "secure" government sites off quite a bit - they have been promised security fixes for another year now and then get shafted because MS claim that NTv4 "does not support the changes that would be required to remove this vulnerability".
At least with OSS users are capable of fixing the problem themselves (or paying for it, or using a general release patch etc).
But there are hidden costs that you just don't always see.
Yep - and what are the costs of upgrading all of the Windows NTv4 to Windows 2000 servers to avoid this security bug?
"Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
Is that the DoD, the DoJ, dictator-of-the-week, and any other offensive military/rights-quashing group, can use your code, and you have no control over it.
Bullshit. Or can you actually think of cases where the "military/rights-quashing group" uses a developer's code without their permission? I personally don't see a need for the military to jackboot someone else's code, since there're about 1500 military programmers in the US Air Force alone. That doesn't count civil service or contracted personnel working with or for the Air Force.
And frankly, if you think people join the US Armed Forces because they want to "quash people's rights," you are sadly out-of-touch with reality. Military members swear an oath to defend the Constitution of the United States--it's an oath we don't take lightly. If you're not happy with the Iraq war, that's fine. . . neither am I. But blame the politicians you elected into office, who sent the troops in the first place.
!#@%*)anks for hanging up the phone, dear.
You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider.
Stewie?
Look, the DoD uses Windows for the sheer monstrosity of the network users and their demographics. Average 18 year olds entering the military to Major Generals have used some form of Windows. The same cannot be said of Linux or UNIX unless they were technologically savvy /.ers. Colonels would have a hell of a time learning Linux, trust me - they have a hard time with email. The tech savvy individuals will probably pursue some sort of computer related field in the military as well, where Windows is most definitely not the answer as many pointed out. I.e. up time, security, etc. The military doesn't use Windows as an end all, be all, especially for its weapons systems. Case in point: I work as a USAF weather forecaster, our weather product dissemination uses a Silicon Graphics box dual booting Linux and WinNT via VMware. They sent me to school just to operate this stuff, as I had never used it in the past. One would find the majority of network *stuff* that matters to the DoD, not access to Yahoo, runs from something other than Windows.
Just my .02 cents
Then why, pray tell, aren't the military (since I'm guessing they have the might) arresting Mr Ashcroft and several other members of the US Government elite? Why also are they not refusing to fight in Iraq?
Because it's not our job to arrest Mr. Ashcroft for exercising the duties of his office - and because it would be a violation of the worst sort for the military to actively remove politicians from office just because what they're doing might not be constitutional. Interpretation of what is or is not constitutional is not up to us, it's up to the courts.
As for Iraq - what was actually illegal about the invasion? Congress authorized use of force in October 2002 and gave the President the money he asked for to fight the war in the 2003 budget. If Congress didn't want the war, all they had to do was refuse to pay for it.
Oh that's right, it's an oath you don't take "lightly", but when the alternative is court martial, you were just following orders.
If the President ordered the military to arrest members of Congress or the Supreme Court, you can bet that oath would come into play. But the military does not act based on what some Anonymous Coward thinks is unconstitutional. Hell, the US Military isn't even allowed to participate in domestic peacekeeping--Google for "Posse Comitatus Act," and contrast it with the military's active involvement in such nations as Pakistan and Turkey. Where would you rather live?
!#@%*)anks for hanging up the phone, dear.