Slashdot Mirror
Pentagon To Make a Big Push Toward Open-Source Software Next Year (theverge.com)
"Open-source software" is computer software with its source code made available with a license in which the copyright holder provides the rights to study, change, and distribute the software to anyone and for any purpose. According to The Verge, the Pentagon is going to make a big push for open-source software in 2018. "Thanks to an amendment introduced by Sen. Mike Rounds (R-SD) and co-sponsored by Sen. Elizabeth Warren (D-MA), the [National Defense Authorization Act for Fiscal Year 2018] could institute a big change: should the bill pass in its present form, the Pentagon will be going open source." From the report: We don't typically think of the Pentagon as a software-intensive workplace, but we absolutely should. The Department of Defense is the world's largest single employer, and while some of that work is people marching around with rifles and boots, a lot of the work is reports, briefings, data management, and just managing the massive enterprise. Loading slides in PowerPoint is as much a part of daily military life as loading rounds into a magazine. Besides cost, there are two other compelling explanations for why the military might want to go open source. One is that technology outside the Pentagon simply advances faster than technology within it, and by availing itself to open-source tools, the Pentagon can adopt those advances almost as soon as the new code hits the web, without going through the extra steps of a procurement process. Open-source software is also more secure than closed-source software, by its very nature: the code is perpetually scrutinized by countless users across the planet, and any weaknesses are shared immediately.
So, is that why all of the NSA and CIA source code has hit the street?
"the Pentagon can adopt those advances almost as soon as the new code hits the web"
Better make sure your enemies aren't building in obscure vulnerabilities right under your nose/
Expect Billions to flow from the deep pockets of the likes of Boeing and Lockheed Martin to the K street lobbying machine
No one is perpetually scrutinizing anything. That's an old fallacy wrongly attributed to ESR and/or Torvalds. "Linus's Law" merely states all bugs are shallow given enough eyeballs, not the some vast benevolent army of free labor is auditing everything all the time. That's fiction, as as been proven many times with the discovery of ancient zero days in software that's been open source for decades.
Maw! Fire up the karma burner!
There will be a LOT of yapping and some apps will be created then in about 9 months they will toss it all and sign a Billion dollar check to Microsoft.
What happened to NSA Linux.
The other fallout from that was tossing out all our Apple and Sun systems too.
Then came the ship with NT 4.0 that never worked correctly and the brief Idea to launch nukes from NT 4 computers.
For something as critical as the US military, software should not be Open source and it sure as hell shouldn't be the proprietary shit that it is. Every DOD system needs to either have software developed in-house from the ground up or audited at the source level by (and compiled from source by) DOD auditors. Compilers must be developed in-house using audited assembler code. Assemblers must be hand assembled from audited code. ABSOLUTELY NO CODE shall be permitted that does not follow this process. This includes microcode, security module code, the micros in the keyboards (don't waste my damn tax dollars on mice and flashy GUIs). Encryption of communications must be in hardware, furthermore, no user interface component of any software, shall be difficult to use at less than 1200 baud and must work as low as 300 baud for remote connections. Communications systems for user interfaces must be able to maintain security and applications must remain waiting at the level desired even if congestion requires a break of several minutes. Communications for user interface and basic (text email without attachment) messaging must be able to operate on voice bandwidth and tolerate noise required for communications as low as 500 Kilohertz.
Open-source software is also more secure than closed-source software, by its very nature: the code is perpetually scrutinized by countless users across the planet, and any weaknesses are shared immediately.
This is total bullshit. No one noticed, for example, the Debian OpenSSL vulnerability for nearly 2 years. There are also plenty of other examples that were around many times longer without being spotted despite all this claimed “perpetual scrutiny.”
Open source is not necessarily more secure than proprietary software. Because it is visible, good programmers can look for bugs and plug security leaks if they want to, but bad guys can also look for vulnerabilities to exploit. Nobody has to look at the code and/or fix anything. In fact, most people have ZERO interest in doing so. Plenty of security flaws have gone either unnoticed or unfixed for an awful long time in open source projects.
Open-source software is also more secure than closed-source software, by its very nature: the code is perpetually scrutinized by countless users across the planet, and any weaknesses are shared immediately.
Remember it wasn't that long ago when all you had to do was hit Backspace 28 times and you could bypass login security on almost all Linux distros....
I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
You might want to talk to the Munich city council about that.
You'll be receiving my bill for $3,500,000 by the end of the week.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Won't happen, that amendment died in the conference reconciliation. The merged version does have an open source software pilot, but that's it: Section 875: (a) DoD shall “initiate the open source software pilot program” (b) NLT 60 days enactment of this Act, the SECDEF shall “provide a report to Congress with details of the plan of the Department of Defense to implement the pilot program required by subsection (a).”
- David A. Wheeler (see my Secure Programming HOWTO)
Dammit. I was hoping for the old /. I new and loved so well. Just a teaser. Will anyone think of the children?
putting the 'B' in LGBTQ+
A friend of mine is working on one of those government projects you can't talk about. What he can say is that they are in a 'bake off' with other projects where his project is using OSS, quasi-Agile (*cough* SAFe *cough*) , automated testing (apparently an unknown concept to the beltway bandits, perhaps because there are huge billable hours to be made fixing bugs), CI, etc.
We'll see if they win the bake off.
putting the 'B' in LGBTQ+
The DoD is a MASSIVE client for corporations like Microsoft and Dell. If they are going fully open source then either Microsoft will release an open source version of Windows+Office+SQL Server or the open source toolset will get similarly advanced (which it simply isn't, at least not when you factor in the responsiveness at the user level for Windows, the overwhelming Office+Outlook+Exchange integration compared to all the competition, and the Analysis Server aspect of SQL Server) tools.
The author of the article wrote:
One big advantage is that, often, the agreements to run open-source software are much more relaxed than those behind proprietary code, and come without licensing fees. The license to run a copy of Adobe Photoshop for a year is $348; the similar open-source GNU Image Manipulation Program is free.
I feel that, for a large corporation or institution, licensing cost should probably be the least concern. Functionality is not free. What counts is transparency (you can inspect the software), control (you can modify the software), relaxed legal constraints (no need to waste resources counting billable seats or hours), and benefiting the community (enhancements you make or sponsor are usable by all). All of which will likely contribute to lowering costs in the long run.
So I am hoping two things. First, that this is not a mere effort to save money in the short term, which would likely fail; and that they will instead recognise the need to support existing open-source software projects by contributing to them (with money, code or both). Second, that this will inspire them to publish as open source the more useful software components that they might develop internally (in line with the federal source code policy of 2016).
The author also wrote:
Loading slides in PowerPoint is as much a part of daily military life as loading rounds
This is rather off-topic, but it makes me sad that “loading slides” is used (by the article’s author, not the DOJ themselves!) as a shining example for the need of computers at the DOJ (or anywhere else, really). I don’t recall many corporate meetings (even briefings) where slides were used appropriately (i.e., to show something that the speaker could not adequately convey with words) and didn’t actually detract from the presentation. Yet, presenters now feel the imperious need to waste hours preparing useless slideshows. Often, that comes from some inane corporate standard that might go as far as dictating the layout. We seem to care much more about displaying a professional look than about producing useful content or communicating it effectively. Of course, that’s not to say that a briefing could not possibly benefit from illustrations (pictures, charts, etc.). But, frankly, displaying (or disseminating) those does not require specialised presentation software!
If the DOD is forced by Congress to use open source, it will make it harder for the spooks to hoard zero day exploits in open source software lest they also leave themselves open to attack.
In 35 years in that business, I saw and used a lot of open source development tools, as well as in deployed software. Red Hat is a major provider of OS to DoD, including embedded in weapon systems. GNAT Ada is open source.
And on my last project we kept 2 lawyers (one government, one prime contractor) busy nearly full-time evaluating various OSS licenses for our intended use. The GPL was a significant debate; most OSS licenses were deemed acceptable by both sides. In each case, we evaluated OSS and proprietary software for functionality, life-cycle costs, supportability, expected security/vulnerabilities, and made a decision that balanced these factors. Sometimes the OSS components won out, other times not. But there was a documented decision with rationale.
In general, the choice of software was not a government decision, but a prime contractor decision. Not sure how much we want Congress dictating to contractors what they put into their products.
In typical paranoia, how many times were we told that ISIS is some kind of existential threat to the U.S.? And people beloved it? But those of us who actually study foreign affairs knew better: ISIS has always been a bunch of disgruntled hobos with thirty year old technology, and now they are all but wiped out (mostly by the Syrians and Russians, no less â"- who the D.C. neocons love to hate):
http://news.antiwar.com/2017/11/08/syrian-troops-seize-last-isis-stronghold/
What boogeyman will we be told to fear next? Guam?
https://brlcad.org/d/about
"technology outside the Pentagon simply advances faster than technology within it, and by availing itself to open-source tools, the Pentagon can adopt those advances almost as soon as the new code hits the web, without going through the extra steps of a procurement process"
If that's all they care about, they could just buy Office 365 and have the benefits of compatibility along with frequent updates that don't require procurement to get involved. Just sayin
Historically militaries grow as inefficient and complacent as their environment allows. All it will take is one real war that actually endangers American soil and all that cruft will go away, doubletime. Pray that doesn't happen.
It's the year for the Linux Desktop for sure!
Can you imagine how many desktops the DOD has and is paying Microsoft for?
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
"What happened to NSA Linux." https://en.wikipedia.org/wiki/...
"The Department of Defense is the world's largest single employer,"
Not Gattaca Corp, not Tyrell, not Weyland-Utani or Tessier-Ashpool. This demonstrates why we won't get super-cool things in our lifetimes. Sure DARPA shmarpa, but if we instead had 3.2 million people working on nano-tech, biology, AI, lunar colonies and FTL, then maybe we could get somewhere as a civilization.
The US has plenty of nukes, has demonstrated a willingness to use them. That is all we basically need for defense. All the rest of if is clearly for offensive military use, unfortunately which seems to have broad support no matter the human or monetary costs.
Powerpoint slides make me want to load magazines.
I object to power without constructive purpose. --Spock
Presentation software is a weird animal.
All it needs to do is show pictures....why God did anyone add a text feature?
Probably someone are Harvard Graphics or Freelance is to blame.
I object to power without constructive purpose. --Spock
No matter the project, the Pentagon and DOD rely so heavily on Windows, so any open source project that wants to play with the DOD should run on Windows.
As long as DoD does not distribute anything it develops beyond DoD (or the Federal government since it is all part of the same organization) it is all staying within the organization developing it and thus would not be obligated to share any improvements.
Per gnu.org:
The GPL does not require you to release your modified version, or any part of it. You are free to make modifications and use them privately, without ever releasing them. This applies to organizations (including companies), too; an organization can make a modified version and use it internally without ever releasing it outside the organization.
and
For instance, you can accept a contract to develop changes and agree not to release your changes until the client says ok. This is permitted because in this case no GPL-covered code is being distributed under an NDA. You can also release your changes to the client under the GPL, but agree not to release them to anyone else unless the client says ok. In this case, too, no GPL-covered code is being distributed under an NDA, or under any additional restrictions. The GPL would give the client the right to redistribute your version. In this scenario, the client will probably choose not to exercise that right, but does have the right.
Thus, as long as they only use it internally they have no obligation to make the changed source code available. In addition, they could require contractors to develop code under and NDA that prohibits release until the authorize its release so even if they do not do the actual development internally they can still control its release. I would not bet on the DoD probably choosing not to exercise that right.
So while it may be good PR for OSS in reality it may not actually advance OSS for the public. DoD could classify any OSS projects to prevent its release using the argument that its release would be detrimental to national security and require contractors to sign an NDA for any work they do for DoD.
https://www.gnu.org/licenses/gpl-faq.en.html#GPLRequireSourcePostedPublic
I'm a consultant - I convert gibberish into cash-flow.
This also leads to another overlooked point. Which is easier for a hostile programmer to infiltrate, contributors to a FOSS project or a commercial development team like Powerpoint's, Word's, etc? A hostile programmer being someone intentionally introducing an exploit. A designed "zero day".
Not only does that not follow (you have no idea who scrutinizes their copy of FLOSS precisely because of the privacy FLOSS affords users) but you're missing a much more important point: FLOSS respects a user's ability to do things computer owners want their software to do but inherently can't trust proprietary software to carry out. Proprietary software can't be trusted because the users can't be sure it is doing what the users want and not doing what the users don't want (typically this means leaking information, opening backdoors, and implementing malware). It's not about guarantees, it's about the permission to exert as much control over one's own computers as one wishes. Proprietary software inherently doesn't grant that permission and FLOSS does. Couple that with a monied organization as big as the American federal government, and you have the ability for significantly increasing control over their own computers.
Digital Citizen
> Open source is not necessarily more secure than proprietary software. Because it is visible, good programmers can look
It's not *necessarily* so, in the sense that nothing *requires* that open-source code is automatically better. On the other hand, I curate a database of over 90,000 software vulnerabilities, and spend my work days examining security issues. Every CVE that is issued goes into our system. The fact is, Windows and Flash alone make up a very large percentage of the vulnerabilities, and have a much higher average risk score.
Some people here can name three or four vulnerabilities that have come up in open source software over the last five years and they use that to say "see, open source isn't more secure, because Heartbleed". Just Windows alone has dozens of new vulnerabilities EVERY MONTH. A couple of months ago I did a SUM (cvss) for Red Hat and for Windows. Windows is has something like 10 times as much risk (number of vulnerabilities * severity).
One major reason for that is not because a ton of people are randomly looking over code and finding issues, but because developers on significant open source projects know that a few people code review each commit, so they write code they can be proud of, or at least not embarrassed about. Anybody who has done proprietary development for a few years has seen plenty of code go to production that you wouldn't want a stranger to see because you know it's embarrassingly bad. When I make a pull request to Moodle or Apache or LVM I *know* that at least two or three other people are going to code review it, looking for things that can be done better, so I write it well to start with. I don't commit code I'd be embarrassed about, that doesn't represent my best work, because I KNOW people from other organizations, not my teammate I go to lunch with, will be examining my code.
Thanks for posting that. You're absolutely right that when ESR wrote that Linus thought "with enough eyeballs, all bugs are shallow ... the fix will be obvious to someone" , he did NOT mean "all bugs are non-existent". He said "the fix will be obvious to someone" because that's what he meant - with "a large enough co-developer base" looking at a bug, one of them will come up with an elegant fix.
Separately, another, different statement is also true.
I maintain a database of all the CVEs ever issued, with their CVSS severity scored. We also catalog and examine some vulnerabilities that do not have CVEs issued. The fact is, proprietary software, especially Windows and Flash, have a) far more vulnerabilities and b) a higher average severity. The fact of the matter is that every month dozens of new vulnerabilities in Windows come out. We're now at Microsoft KBnumber 4052231, and a significant fraction of those four million KBs address security issues.
Someone says "but but but three years ago Heartbleed was in open source software", and I point to the 40 or so vulnerabilities published for Windows THIS MONTH, and EVERY MONTH.
Adobe Acrobat has over EIGHT HUNDRED CVEs, 800 vulnerabilities in Acrobat alone. (evince has 4, pdfedit has 1).
For one reason why, see the bottom of this post:
https://yro.slashdot.org/comme...
I thought the Chinese army was No 1, and the UK's NHS was No 2.
Am I wrong? anyone have actual figures?
Sent from my ASR33 using ASCII
or you will have to switch back in a few years.
"Open-source software" is computer software with its source code made available with a license in which the copyright holder provides the rights to study, change, and distribute the software to anyone and for any purpose
I'm torn between making a snarky remark about how I, thanks to slashdot, finally learned what open source software is, or whether I should point out that in no way "open source" implies the right to "distribute the software to anyone and for any purpose" because that is clear and utter bullshit that only applies to free software (as in e.g. BSD-licensed stuff).
CLI paste? paste.pr0.tips!
> Loading slides in PowerPoint is as much a part of daily military life as loading rounds into a magazine.
This is no joke. Creating PowerPoint is what the military does whenever it has a computer in front of it. And their slides are the most amazingly absurd works of PowerPoint art you'll ever see. See, for example... http://msnbcmedia.msn.com/i/MSNBC/Components/Photo/2009/December/091202/091203-engel-big-9a.jpg
Slashdot posted my question about auditing on Linux seventeen years ago in reference to the DoD using Red Hat. We are using all kinds of other OSS back then as well so The Verge, and these senators, is just a few years late. The amendment will not result in any changes in how DoD procures software/services or operates at any level from the foxhole to Earth orbit.
I've worked for two very big contractors in the past, and they enthusiastically embraced open source. In fact, there was a consensus among management that open source is preferable whenever FOSS can get the job done at an acceptable level. Every dollar not spent on commercial licenses is another dollar that could be spent on billing labor.
http://code.gov/
http://18f.gsa.gov/
The fact of the matter is that every month dozens of new vulnerabilities in Windows come out. We're now at Microsoft KBnumber 4052231, and a significant fraction of those four million KBs address security issues.
Windows is pretty big. How does that number compare to Linux, plus glibc, plus glib, plus GTK, plus the core GNOME libraries, plus systemd, dbusd, and so on (i.e. the 2,000 or so open source packages that, combined, provide roughly equivalent functionality to the base Windows install)?
Someone says "but but but three years ago Heartbleed was in open source software", and I point to the 40 or so vulnerabilities published for Windows THIS MONTH, and EVERY MONTH.
And I can point to 40 in the Linux kernel's USB stack alone from this month (and we're only half way through the month). How many Windows kernel CVEs have there been?
I am TheRaven on Soylent News
"HATE closed source items because of the inherent lack of ability to test it for risk reduction" - by chainsaw1 ( 89967 ) on Wednesday November 15, 2017 @07:25AM (#55553369)
That works against Linux too & in favor of closed source (i.e./e.g. - It's much harder for miscreants to find bugs in closedsource MINUS sourcecode - fuzzers & debuggers work, BUT are tougher to look for security vulnerabilities using them vs. actually having code & step tracing it in an IDE debugger watch window (especially for variable types changes problems)).
* I've confronted the likes of Bruce Perens here on THAT VERY NOTE - he wouldn't even reply, he KNOWS I'm right as rain on that account IS why!
APK
P.S.=> HOWEVER - I do see YOUR point too (works both ways, see subject)... apk
Then came the ship with NT 4.0 that never worked correctly ...
That is an urban myth. Application software allowed an invalid value, a zero, to be accepted and saved to a database. Controller software that read data from that database accepted an invalid value then performed a divide by zero and was halted by the operating system. This controller software was involved in engine operation. Application, database, controller, ... the operating system was irrelevant, the same thing would happen under Linux.
Immediately after the failure a laid-off *nix engineer, who was not on the ship, speculated that NT was to blame and the Linux evangelists went with this and the myth was born. The people on the ship said it was userland software (application and controller) not operating system software that failed. The company writing that userland software admitted they were to blame for the incident.
Also, the ship was a test platform. They were testing, trying to break things, running debug software that didn't have the "watchdogs" that would restart the halted software. Zero was intentionally entered into a particular variable to see what would happen.
And I can point to 40 in the Linux kernel's USB stack alone from this month (and we're only half way through the month). How many Windows kernel CVEs have there been?
This just in: Software you use may contain bugs. Find out more at 11.
The PowerPoint issue in the DoD is a real problem. Reports used to be created and then a "brief" ppt presentation was created from that report. They have come full circle and now the PowerPoint Deck is the report and some people are considering making a shorter report. PowerPoint is a completely bollocks format for conveying information but it is what everyone has and what is expected.
> And I can point to 40 in the Linux kernel's USB stack alone from this month
Okay, go!
No? How about 4? Still no? Maybe 3? How about ANY at all?
Did I not mention I curate a database of every CVE ever issued? My team looks at each and every one.
> Windows is pretty big. How does that number compare to Linux, plus glibc, plus glib, plus GTK, plus the core GNOME libraries, plus systemd, dbusd, and so on
Compared to the entire standard Red Hat installation, the number of CVEs times their CVSS severity is roughly ten times higher for Windows 8.
See subject: Heard similar things during a 24++ yr. long career mostly as a software engineer (from tech-> network admin-> programmer-analyst) when I found bugs near deadline, ones that would only take a couple days to trace debug & fix - money, time, & contractual obligations took precedence (or contract company OR dept. monies penalties occurred if deadline missed etc.).
THAT ONLY HAPPENED ON NON-CRITICAL BUGS THOUGH - intermittent ones, usually was a problem in the data used & DBA's could fix that in view query filters often times.
IIRC? Oracle tried to build "Unbreakable Linux" (they actually did - eventually, since OS are so big & crooks etc. are getting more skilled too (often more skilled than most normal coders imo), it wasn't 'unbreakable' AND SeLinux IS AN EXAMPLE of what you want - it does further security harden Linux - but nothing's perfect when what you harden shows up an 'exception' due to being "F'd" with like hacker/crackers often do - fuzzers are the cause here imo!)
* Little 'trick' you MAY or may not be aware of? IF faced with a driver issue, develop a filtering layered one above the problematic one (works like a dream, intercepting for use on other things (like monitoring) OR changing outputs to hardware or files).
APK
P.S.=> Better than attempting to say, rebuild the IP stack itself in its entirety for sure, gets same results (especially if source is NOT around or OS is closed source)... apk