Defense Dept. Memo Explains Open Source Policy
TonyStanco writes "Big news. DoD issued a policy statement leveling the playing field for Open Source. We have the memo on the Center of Open Source & Government site." The requirements listed in this memo make me think of a company policy along the lines of "You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider." See this PDF for more information about National Security Telecommunications and Information Systems Security Policy (NSTISSP) number 11.
Oh wait, everything but the use of Microsoft products that is. It seems like that gets instant approval without the need for any justification. "Microsoft released Windows XP? OK, upgrade, forget about the costs and everything else that such an upgrade demands - just do it - across the board. Office XP you say? OK, allocate $10,000,000 for the software, we'll worry about paying for the licenses later."
Everyone knows that the benefits of using open source products far exceed any benefits that can be reaped by paying a whole bunch of money for closed source products and their associated licenses (which are arguably always more extensive and restrictive than open source license schemes). Sure, paying $50,000,000 to upgrade your old NT servers to 2000 and your 98 desktops to either Windows 2000 or XP has its benefits over spending $30,000,000 on Redhat and Star Office and the training. A bunch of sales people always say that such a move (upgrading Windows servers and clients and Office) has its benefits. I just don't seem to see them. Maybe I'm too progressive, I don't know.
PS: didn't get it...this time
"You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider." Thanks for that, now every time the AC comes out at work I'm going to expect an army of spider-babies to pop out and steal my printer.
It's not stupid. It's advanced.
What is bureaucracy?
This guy wants to clean out a room in the Pentagon, stacked to the ceiling with boxes labeled, "non-essential documents". So he starts a study showing how much space they can save by ridding themselves of all of these useless documents.
A few months later they complete this study, and send it up for a review. A board determines that this is a great idea and they can in fact save tons of space by ridding themselves of all of these documents, with one stipulation. They must make copies of all the documents for their records...
Craenor
My toddler can do all that. Can't yours?
....Bethanie....
I think the FOSS community, notably the ones (like me) that do not write code but try to get FOSS into the corporations, increasingly need to stress the fact that it comes with strings attached and that the corporations need to make sure that those strings are being honored.
Help fight continental drift.
Gawd!
It ain't that hard.
Basically:
1) It defines OSS & GPL
2) Says they're OK to use provided:
a) They comply with the same DoD policies for equivalent Off the Shelf software
b) They comply with the requirements defined by the National Security Telecommunications and Information Systems Security policy.
c) They're configured as per DoD approved security configurations from http://iase.disa.mil and http://www.nsa.gov.
d) You don't break any licenses.
That's all!
"You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider."
Hi Timothy, we'd like to make you an honorary member of our organization - PIFCA (People Incapable of Forming Cogent Analogies).
You belong with us like a marmot is comfortable with peanut butter.
"You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider."
I work for the government, so maybe I am more used to seeing security requirements for everything, but I didn't get that impression at all. We expect everything to talk, feed itself, and stick effortlessly to the ceiling all the while being secure. The government (DoD, DoE, etc) is probably one of the biggest users and innovators of open source so I wouldn't get too feisty. The only reason people (managers) get a little hesitant about Open Source is blame. When something drops on the floor, they want someone to point the finger at, someone we have a contract with so that they can fix it, reducing personal liability. Enter Microsoft with contracts in hand.
Support a great indie game: http://www.abaddon360.com
True, the core Linux maintainers could die or quit at any time. So could a software company drop a given application or operating system. For example, my company used a CRM called Vantive that was vastly superior in terms of ease of use and customization compared to PeopleSoft 8. We have in-house programmers that are very adept at coding for it. But PeopleSoft bought Vantive and discontinued it. A few bugs sprang up that required access to certain source code that we didn't have. The answer? Pay 2 million (absolutely no exaggeration) for PeopleSoft 8 and go through the process of buying better servers and changing the structure of your Oracle databases "if you need future support for a PeopleSoft CRM". And yes, we had a service contract.
But the beauty of open source ensures that others will pick up where they left off. It happens with almost every popular and useful open source project whose lead developers quit. In the case of Linux, you would have people from companies like Redhat, Suse, and IBM ready to take the lead. The costs of such a change of "power" are rarely passed on to the consumer. Also, the really good analysts do factor in the cost of hiring contractors to specialize your code.
I don't think you understand how OSS works. See, if Linus&Co decide to stop whatever they're doing and go live fat and happy in Silicon Valley or somewhere, 'we' still have the code. Anyone can take it and continue the development -worst case scenario, they can't call it 'Linux' anymore. However, if Microsoft says 'well, that's all, folks! We'll start selling beach balls from now on!', there's not a single thing anyone can do about it. And no one can continue the development of those systems.
Marxist evolution is just N generations away!
Oh, how I love NMCI. We (a couple of consultants) won a gig with the Navy, developing a web application on Linux, MySQL & Apache. Got the go-ahead and started developing...Then, the big bad NMCI came along. In order to be NMCI compliant, we were forced to switch from MySQL to Oracle (to be fair, we were given the choice to use SQL Server....bah!). Ok, I can deal with that. I now get paid to learn Oracle. Cool. Then, after three months of development..."uh...we need you to switch to Windows. It's a NMCI thingy". Not a happy day. Anyway...to make a long story short, in order to be NMCI compliant (and not having the requirements up front), we have this monstrosity of a web application running on Win2000 with Perl, PHP, Oracle and Apache. Needless to say, there aren't too many people in that boat (whoa...a funny...navy..boat...oh nevermind).
There really is no point to this posting, so mod me down. I'm just ranting and wanted to share an example of your tax dollars at work.
Yeah, this is the point. There is the same amount of risk or greater with closed source projects. Do you think the DoD has never used a piece of software the creator discontinued? Or went out of business? To protect against that I am sure they always manage to get the source code up front (to say nothing of the security issues that require them to get closed source)... In either case, if something bad happens the DoD can maintain their own systems; open source would just take a step out of the contract negotiations that allow that.
If a root exploit were discovered and widely used, and it affected government servers, and Microsoft chose not to do anything about it, I suspect they would be sued and the US would win.
You are kidding, right? Windows is full of holes, and many of them have been around for years by the time people get around to using them for break-ins, including into government computers. I don't know whether the US government could, in theory, win, but in practice, they don't seem to be suing.
If the OSS developer drops the project, there is no guarantee that anyone will pick it back up. It may be likely, but that's not good enough for many officials. Without something in writing, there's no real security in your purchase/training.
Microsoft drops products constantly. And when Microsoft does that, you are completely stuck because nobody can pick up the software.
Perhaps what's confusing you is that Microsoft refers to many different, incompatible products using the same trademark. But that doesn't do you any good when your programs stop running.
The reality of it all is that if you buy Microsoft, not only do you have to put up with buggy software, but you get no guarantees, you have to expect security holes and accept the risk for them yourself, you can't fix anything, and the software likely has a much shorter usable life than comparable open source software.
Having a policy that OSS must compare favorably with Non-OSS is reasonable, and a good sign. Any policy other than "No OSS" is a good sign, as it shows they are considering it. I would say that OSS's biggest worry is simply not being noticed, not just failing to measure up. After all, most Open Source projects simply don't have the advertising budget their Closed-Source, Commercial competitors do.
The dipshit that posted the article linked the wrong doc. Here is the right one: http://www.egovos.org/pdf/OSSinDoD.pdf
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
The requirements listed in this memo make me think of a company policy along the lines of "You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider."
How you can make this out from that memo which basically says we have a set of procedures in place for software evaluation, if OSS passes those then fine, no problem and secondly be aware of the terms of the license that the OSS comes under.
I know this is Slashdot but the fact that OSS may have to go through a regular selection process instead of being mandated as defacto standard, to the detriment of all others is proper procedure in most large organisations. You should be saying well done for leveling the playing and giving OSS a chance to compete on equal terms.
Do not try to read the dupe, that's impossible. Instead, only try to realize the truth.
What truth?
There is no dupe
Yes and no... Yes, OSS should be just as mature and reliable as accepted proprietary equivalents, and that is partially what the guidelines are saying. No, OSS doesn't get to be used just because it is widely considered to be mature and reliable, and here's where the difficulty comes in.
The referenced guidelines require that all Information Assurance applications MUST have gone through the NIAP certification process. This includes security scanners like nmap or nessus, lockdown tools like bastille, intrusion detection systems like Snort, and also (I think) any security-enabled applications like OpenSSH, or really anything OpenSSL-enabled like Apache, and even the operating systems that run them. With the current certification requirements, it is incumbent upon the vendor to pay to have a certified 3rd party testing group send the product through the testing. It is a lengthy, expensive, bureaucracy-driven process. It is highly unlikely that any opensource project will have the time, money, or patience for dealing with it. Someone like RedHat or IBM would have to feel that it is in their best interests to throw away millions of dollars to prove that a given installation of a particular opensource application is acceptably, provably secure. Given the intense lobbying by Microsoft that happened when the NSA undertook the SE Linux project, and more importantly given that most managers have serious missions to accomplish that have nothing to do with software evaluations, it is highly unlikely that any government manager is going to put their budgets and careers on the line by having an opensource product put through evaluation.
This situation does not just affect opensource projects, but also small businesses and vendors. It's unlikely that such organizations would have the resources to get this certification process completed. This game is clearly closed to only big and/or well-heeled vendors.
For this reason, it is highly unlikely that officially blessed opensource products will ever enter an environment with even marginal security requirements. Until the bureaucratic process for evaluation changes significantly, the current situation is decidedly biased against opensource, as well as small businesses and vendors.
All this being said, while DoD has fairness as a goal in its procurement processes, safeguarding the lives of its servicemen and servicewomen is the top priority, even if that means a bias for or against certain classes of organizations. Whether there is an effective way of making this process more fair while keeping things secure, whether the benefits of the system outweigh the detriments, or whether the process as it exists now is doing an effective job in passing products that are secure in the real world and not just on paper, is a question that I cannot answer.
With Microsoft, and under contract, you know that's going to happen.
Sorry - no you don't. Microsoft have previously claimed that Windows NTv4 is being supported for security hotfixes until 30 Jun 04 (see here) but then failed to fix a serious RPC based DoS attack.
I should imagine this pisses "secure" government sites off quite a bit - they have been promised security fixes for another year now and then get shafted because MS claim that NTv4 "does not support the changes that would be required to remove this vulnerability".
At least with OSS users are capable of fixing the problem themselves (or paying for it, or using a general release patch etc).
But there are hidden costs that you just don't always see.
Yep - and what are the costs of upgrading all of the Windows NTv4 to Windows 2000 servers to avoid this security bug?
"Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
I'll reply on some general topics here, because it's useful to understand what the regulations say and mean, as well as how they are interpreted.
The regulations always say words to the effect of "a specific installation of a specific version of a specific software product (on a specific hardware configuration)". The parenthetical there is for some other security ratings.
A good example of this is the C2 security rating. Microsoft spent some money getting Windows NT C2 rated. Specifically, they got a specific patch level of a specific service pack of Windows NT v3.51 approved as C2 certified, on a specific set of hardware (with no floppy, I think) in a non-networked configuration.
No one paid any attention to those little details. They just saw "Windows NT is C2 rated" and used that for purchase decision approval for every Windows NT/2000 system the DoD has bought since then. Because the "bureaucratic process" doesn't know enough about computers to know what the ratings mean, or what they apply to, or where they don't apply.
The same will be done with this. "The NSA certified Linux for secure operation" will be enough, with supporting documentation to state that. Doesn't matter that it is for a different version of linux than your current procurement, it will still get it through the acceptance process.
Government regulations are only meant to be an overwhelming burden for those people silly enough to think you are actually supposed to comply with them fully. No one that has worked with government procurements for more than 3 months still believes that.
This is my sig. There are many like it but this one is... Oops. Frank, I've got your sig again! Where's mine?