Slashdot Mirror
Pentagon To Make a Big Push Toward Open-Source Software Next Year (theverge.com)
"Open-source software" is computer software with its source code made available with a license in which the copyright holder provides the rights to study, change, and distribute the software to anyone and for any purpose. According to The Verge, the Pentagon is going to make a big push for open-source software in 2018. "Thanks to an amendment introduced by Sen. Mike Rounds (R-SD) and co-sponsored by Sen. Elizabeth Warren (D-MA), the [National Defense Authorization Act for Fiscal Year 2018] could institute a big change: should the bill pass in its present form, the Pentagon will be going open source." From the report: We don't typically think of the Pentagon as a software-intensive workplace, but we absolutely should. The Department of Defense is the world's largest single employer, and while some of that work is people marching around with rifles and boots, a lot of the work is reports, briefings, data management, and just managing the massive enterprise. Loading slides in PowerPoint is as much a part of daily military life as loading rounds into a magazine. Besides cost, there are two other compelling explanations for why the military might want to go open source. One is that technology outside the Pentagon simply advances faster than technology within it, and by availing itself to open-source tools, the Pentagon can adopt those advances almost as soon as the new code hits the web, without going through the extra steps of a procurement process. Open-source software is also more secure than closed-source software, by its very nature: the code is perpetually scrutinized by countless users across the planet, and any weaknesses are shared immediately.
Expect Billions to flow from the deep pockets of the likes of Boeing and Lockheed Martin to the K street lobbying machine
No one is perpetually scrutinizing anything. That's an old fallacy wrongly attributed to ESR and/or Torvalds. "Linus's Law" merely states all bugs are shallow given enough eyeballs, not the some vast benevolent army of free labor is auditing everything all the time. That's fiction, as as been proven many times with the discovery of ancient zero days in software that's been open source for decades.
Maw! Fire up the karma burner!
There will be a LOT of yapping and some apps will be created then in about 9 months they will toss it all and sign a Billion dollar check to Microsoft.
What happened to NSA Linux.
The other fallout from that was tossing out all our Apple and Sun systems too.
Then came the ship with NT 4.0 that never worked correctly and the brief Idea to launch nukes from NT 4 computers.
Open-source software is also more secure than closed-source software, by its very nature: the code is perpetually scrutinized by countless users across the planet, and any weaknesses are shared immediately.
This is total bullshit. No one noticed, for example, the Debian OpenSSL vulnerability for nearly 2 years. There are also plenty of other examples that were around many times longer without being spotted despite all this claimed “perpetual scrutiny.”
Open source is not necessarily more secure than proprietary software. Because it is visible, good programmers can look for bugs and plug security leaks if they want to, but bad guys can also look for vulnerabilities to exploit. Nobody has to look at the code and/or fix anything. In fact, most people have ZERO interest in doing so. Plenty of security flaws have gone either unnoticed or unfixed for an awful long time in open source projects.
Open-source software is also more secure than closed-source software, by its very nature: the code is perpetually scrutinized by countless users across the planet, and any weaknesses are shared immediately.
Remember it wasn't that long ago when all you had to do was hit Backspace 28 times and you could bypass login security on almost all Linux distros....
I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
You might want to talk to the Munich city council about that.
You'll be receiving my bill for $3,500,000 by the end of the week.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Won't happen, that amendment died in the conference reconciliation. The merged version does have an open source software pilot, but that's it: Section 875: (a) DoD shall “initiate the open source software pilot program” (b) NLT 60 days enactment of this Act, the SECDEF shall “provide a report to Congress with details of the plan of the Department of Defense to implement the pilot program required by subsection (a).”
- David A. Wheeler (see my Secure Programming HOWTO)
Yep, this is exactly right. Now that they know, Russian, Chinese, and ISIS hackers will be adding new features like crazy to OpenOffice Impress, all with the handy new feature of sending your deck to the cloud..........and more than one cloud...and more than you know about.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
Dammit. I was hoping for the old /. I new and loved so well. Just a teaser. Will anyone think of the children?
putting the 'B' in LGBTQ+
A friend of mine is working on one of those government projects you can't talk about. What he can say is that they are in a 'bake off' with other projects where his project is using OSS, quasi-Agile (*cough* SAFe *cough*) , automated testing (apparently an unknown concept to the beltway bandits, perhaps because there are huge billable hours to be made fixing bugs), CI, etc.
We'll see if they win the bake off.
putting the 'B' in LGBTQ+
The DoD is a MASSIVE client for corporations like Microsoft and Dell. If they are going fully open source then either Microsoft will release an open source version of Windows+Office+SQL Server or the open source toolset will get similarly advanced (which it simply isn't, at least not when you factor in the responsiveness at the user level for Windows, the overwhelming Office+Outlook+Exchange integration compared to all the competition, and the Analysis Server aspect of SQL Server) tools.
The author of the article wrote:
One big advantage is that, often, the agreements to run open-source software are much more relaxed than those behind proprietary code, and come without licensing fees. The license to run a copy of Adobe Photoshop for a year is $348; the similar open-source GNU Image Manipulation Program is free.
I feel that, for a large corporation or institution, licensing cost should probably be the least concern. Functionality is not free. What counts is transparency (you can inspect the software), control (you can modify the software), relaxed legal constraints (no need to waste resources counting billable seats or hours), and benefiting the community (enhancements you make or sponsor are usable by all). All of which will likely contribute to lowering costs in the long run.
So I am hoping two things. First, that this is not a mere effort to save money in the short term, which would likely fail; and that they will instead recognise the need to support existing open-source software projects by contributing to them (with money, code or both). Second, that this will inspire them to publish as open source the more useful software components that they might develop internally (in line with the federal source code policy of 2016).
The author also wrote:
Loading slides in PowerPoint is as much a part of daily military life as loading rounds
This is rather off-topic, but it makes me sad that “loading slides” is used (by the article’s author, not the DOJ themselves!) as a shining example for the need of computers at the DOJ (or anywhere else, really). I don’t recall many corporate meetings (even briefings) where slides were used appropriately (i.e., to show something that the speaker could not adequately convey with words) and didn’t actually detract from the presentation. Yet, presenters now feel the imperious need to waste hours preparing useless slideshows. Often, that comes from some inane corporate standard that might go as far as dictating the layout. We seem to care much more about displaying a professional look than about producing useful content or communicating it effectively. Of course, that’s not to say that a briefing could not possibly benefit from illustrations (pictures, charts, etc.). But, frankly, displaying (or disseminating) those does not require specialised presentation software!
In 35 years in that business, I saw and used a lot of open source development tools, as well as in deployed software. Red Hat is a major provider of OS to DoD, including embedded in weapon systems. GNAT Ada is open source.
And on my last project we kept 2 lawyers (one government, one prime contractor) busy nearly full-time evaluating various OSS licenses for our intended use. The GPL was a significant debate; most OSS licenses were deemed acceptable by both sides. In each case, we evaluated OSS and proprietary software for functionality, life-cycle costs, supportability, expected security/vulnerabilities, and made a decision that balanced these factors. Sometimes the OSS components won out, other times not. But there was a documented decision with rationale.
In general, the choice of software was not a government decision, but a prime contractor decision. Not sure how much we want Congress dictating to contractors what they put into their products.
It's the year for the Linux Desktop for sure!
Can you imagine how many desktops the DOD has and is paying Microsoft for?
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
"What happened to NSA Linux." https://en.wikipedia.org/wiki/...
"The Department of Defense is the world's largest single employer,"
Not Gattaca Corp, not Tyrell, not Weyland-Utani or Tessier-Ashpool. This demonstrates why we won't get super-cool things in our lifetimes. Sure DARPA shmarpa, but if we instead had 3.2 million people working on nano-tech, biology, AI, lunar colonies and FTL, then maybe we could get somewhere as a civilization.
The US has plenty of nukes, has demonstrated a willingness to use them. That is all we basically need for defense. All the rest of if is clearly for offensive military use, unfortunately which seems to have broad support no matter the human or monetary costs.
Powerpoint slides make me want to load magazines.
I object to power without constructive purpose. --Spock
Presentation software is a weird animal.
All it needs to do is show pictures....why God did anyone add a text feature?
Probably someone are Harvard Graphics or Freelance is to blame.
I object to power without constructive purpose. --Spock
No matter the project, the Pentagon and DOD rely so heavily on Windows, so any open source project that wants to play with the DOD should run on Windows.
In the past they gave us BRL-CAD.
And they built the internet, though it was Congress that gave it to us peons. Thanks Al!
And then they gave us SElinux.
And now they'll give us something new!
Thanks everybody! I don't want the military-industrial complex just to blow things up, I want them to also give us new technologies as a byproduct!
Blow things up, but remember the People.
Not really, because the exploits would likely be data that is stored in a system for managing exploits. The system for managing the data would be the open source part. It is the (new) DoD tools that would be opened, not the data stored in them.
...how many times were we told that ISIS is some kind of existential threat to the U.S.? And people beloved it?
At least three or four, but the FBI conveniently arranged for them to activate hoax devices.
As long as DoD does not distribute anything it develops beyond DoD (or the Federal government since it is all part of the same organization) it is all staying within the organization developing it and thus would not be obligated to share any improvements.
Per gnu.org:
The GPL does not require you to release your modified version, or any part of it. You are free to make modifications and use them privately, without ever releasing them. This applies to organizations (including companies), too; an organization can make a modified version and use it internally without ever releasing it outside the organization.
and
For instance, you can accept a contract to develop changes and agree not to release your changes until the client says ok. This is permitted because in this case no GPL-covered code is being distributed under an NDA. You can also release your changes to the client under the GPL, but agree not to release them to anyone else unless the client says ok. In this case, too, no GPL-covered code is being distributed under an NDA, or under any additional restrictions. The GPL would give the client the right to redistribute your version. In this scenario, the client will probably choose not to exercise that right, but does have the right.
Thus, as long as they only use it internally they have no obligation to make the changed source code available. In addition, they could require contractors to develop code under and NDA that prohibits release until the authorize its release so even if they do not do the actual development internally they can still control its release. I would not bet on the DoD probably choosing not to exercise that right.
So while it may be good PR for OSS in reality it may not actually advance OSS for the public. DoD could classify any OSS projects to prevent its release using the argument that its release would be detrimental to national security and require contractors to sign an NDA for any work they do for DoD.
https://www.gnu.org/licenses/gpl-faq.en.html#GPLRequireSourcePostedPublic
I'm a consultant - I convert gibberish into cash-flow.
This also leads to another overlooked point. Which is easier for a hostile programmer to infiltrate, contributors to a FOSS project or a commercial development team like Powerpoint's, Word's, etc? A hostile programmer being someone intentionally introducing an exploit. A designed "zero day".
Not only does that not follow (you have no idea who scrutinizes their copy of FLOSS precisely because of the privacy FLOSS affords users) but you're missing a much more important point: FLOSS respects a user's ability to do things computer owners want their software to do but inherently can't trust proprietary software to carry out. Proprietary software can't be trusted because the users can't be sure it is doing what the users want and not doing what the users don't want (typically this means leaking information, opening backdoors, and implementing malware). It's not about guarantees, it's about the permission to exert as much control over one's own computers as one wishes. Proprietary software inherently doesn't grant that permission and FLOSS does. Couple that with a monied organization as big as the American federal government, and you have the ability for significantly increasing control over their own computers.
Digital Citizen
> Open source is not necessarily more secure than proprietary software. Because it is visible, good programmers can look
It's not *necessarily* so, in the sense that nothing *requires* that open-source code is automatically better. On the other hand, I curate a database of over 90,000 software vulnerabilities, and spend my work days examining security issues. Every CVE that is issued goes into our system. The fact is, Windows and Flash alone make up a very large percentage of the vulnerabilities, and have a much higher average risk score.
Some people here can name three or four vulnerabilities that have come up in open source software over the last five years and they use that to say "see, open source isn't more secure, because Heartbleed". Just Windows alone has dozens of new vulnerabilities EVERY MONTH. A couple of months ago I did a SUM (cvss) for Red Hat and for Windows. Windows is has something like 10 times as much risk (number of vulnerabilities * severity).
One major reason for that is not because a ton of people are randomly looking over code and finding issues, but because developers on significant open source projects know that a few people code review each commit, so they write code they can be proud of, or at least not embarrassed about. Anybody who has done proprietary development for a few years has seen plenty of code go to production that you wouldn't want a stranger to see because you know it's embarrassingly bad. When I make a pull request to Moodle or Apache or LVM I *know* that at least two or three other people are going to code review it, looking for things that can be done better, so I write it well to start with. I don't commit code I'd be embarrassed about, that doesn't represent my best work, because I KNOW people from other organizations, not my teammate I go to lunch with, will be examining my code.
Thanks for posting that. You're absolutely right that when ESR wrote that Linus thought "with enough eyeballs, all bugs are shallow ... the fix will be obvious to someone" , he did NOT mean "all bugs are non-existent". He said "the fix will be obvious to someone" because that's what he meant - with "a large enough co-developer base" looking at a bug, one of them will come up with an elegant fix.
Separately, another, different statement is also true.
I maintain a database of all the CVEs ever issued, with their CVSS severity scored. We also catalog and examine some vulnerabilities that do not have CVEs issued. The fact is, proprietary software, especially Windows and Flash, have a) far more vulnerabilities and b) a higher average severity. The fact of the matter is that every month dozens of new vulnerabilities in Windows come out. We're now at Microsoft KBnumber 4052231, and a significant fraction of those four million KBs address security issues.
Someone says "but but but three years ago Heartbleed was in open source software", and I point to the 40 or so vulnerabilities published for Windows THIS MONTH, and EVERY MONTH.
Adobe Acrobat has over EIGHT HUNDRED CVEs, 800 vulnerabilities in Acrobat alone. (evince has 4, pdfedit has 1).
For one reason why, see the bottom of this post:
https://yro.slashdot.org/comme...
I thought the Chinese army was No 1, and the UK's NHS was No 2.
Am I wrong? anyone have actual figures?
Sent from my ASR33 using ASCII
Why? Open source means that they have the rights to modify the code. They can distribute an internal patch with a classified notice on it and keep the exploit for attacking others.
The main drive away from spooks doing this is that people keep pointing out to the people that control their funding how much critical infrastructure runs on the code that they're keeping vulnerable.
I am TheRaven on Soylent News
You make it sound like that's hard for them to do with proprietary software. It's not like it's hard to get someone into a multinational company that hires developers all across the world or brings them into the US / EU on work visas. The difference with open source is that you can audit the code and if you find a vulnerability then you can fix it (or have a choice of companies to hire to fix it), you're not dependent on the original vendor.
I am TheRaven on Soylent News
"Open-source software" is computer software with its source code made available with a license in which the copyright holder provides the rights to study, change, and distribute the software to anyone and for any purpose
I'm torn between making a snarky remark about how I, thanks to slashdot, finally learned what open source software is, or whether I should point out that in no way "open source" implies the right to "distribute the software to anyone and for any purpose" because that is clear and utter bullshit that only applies to free software (as in e.g. BSD-licensed stuff).
CLI paste? paste.pr0.tips!
The research for Tor was developed at NRL as well.
I see, and the Iraqis with U.S. support somehow doesn't count? Or the Kurds with U.S. support? C'mon comrade, you can do better than that.
Disclaimer: Have worked in the DoD
DoD has promised to use open source (and IPv6) since prior to 2010. There is a very split mentality inside. Most of us who deal is cybersecurity, safety, acquisition (engineering), and other areas HATE closed source items because of the inherent lack of ability to test it for risk reduction, future proofing, and optimization. It also (IMHO) creates situations of vendor lock in much more easily, which costs the DoD (and thus the taxpayer) more. There is still a _lot_ of animosity in systems acquisition over the forced move from XP to 7 (which cost DoD 100s of M of dollars). Many are fearing another forced move from 7 to 10 which is only 3* years past the XP to 7 move.
(*--Some systems are still [2016] executing actions from the XP to 7 move)
On the other side, there are a lot of enterprise users who just like Windows and hate everything else (and in their defense a switch would reduce their productivity as they acclimate to the new computing environment with debates as to whether that would be a short or long term decrease). There are also items that rely on Windows because they run some piece of software that cant run on anything else (usually because of custom hardware with Windows only drivers). LAstly DoD has those business processes that someone 10+ years ago made a VB script to do a lot of work and retired. Now no one knows how to fix / replace it (as happens in a lot of corporate environments) or even that it is a VB script (and could be migrated to Linux with the open sourcing of VB / .NET)--but if it goes down they can't do their jobs. I suspect even if they wanted to "update" it, they would have to have the funding to do so and know how to set up a contract with someone (which requires a contracting officer--something hard to find for some smaller shops in the US Govt). *--Most US Govt employees avoid COR training like the plague due to the number of extra ways you can get sent to jail for doing it wrong.
Contrary to popular belief, the DoD in not made of money and continuing resolutions mean work like this doesn't get funded, since DoD has to execute last years budget.
I'm hesitant as to how thoroughly DoD can do this. USAF enterprise IT love Microsoft pretty hard, and I don't think the Navy can be moved off of Windows for enterprise applications without huge costs added to the NMCI contract (which was created via Congress directly--not the USN). On the other hand, formal acquisition is a huge percent of DoD spending (and the source of tactical computing system requirements) and has been moving away from Windows due to all the stuff listed above for half a decade or more. Further, Office (esp Outlook and Project) are things some people can't live without for scheduling both their own and their projects work / meetings. I can't think of another Outlook-like client that include the integration of CAC [SmartCard] based private keys and Govt PKI infrastructure into a simple message signing and encryption of email and calendar with the other beyond-email functionality that Outlook has.
In short, Congress would have to mandate it for it to truly happen. In the past Microsoft has dropped buckets of money (usually in training or change requests--short term stuff) on keeping the DoD just hooked enough to not have it switch. My guess is MS is developing a coordinated response / lobbying effort now and will respond formally in the coming days.
- Sig
Slashdot posted my question about auditing on Linux seventeen years ago in reference to the DoD using Red Hat. We are using all kinds of other OSS back then as well so The Verge, and these senators, is just a few years late. The amendment will not result in any changes in how DoD procures software/services or operates at any level from the foxhole to Earth orbit.
I've worked for two very big contractors in the past, and they enthusiastically embraced open source. In fact, there was a consensus among management that open source is preferable whenever FOSS can get the job done at an acceptable level. Every dollar not spent on commercial licenses is another dollar that could be spent on billing labor.
http://code.gov/
http://18f.gsa.gov/
The fact of the matter is that every month dozens of new vulnerabilities in Windows come out. We're now at Microsoft KBnumber 4052231, and a significant fraction of those four million KBs address security issues.
Windows is pretty big. How does that number compare to Linux, plus glibc, plus glib, plus GTK, plus the core GNOME libraries, plus systemd, dbusd, and so on (i.e. the 2,000 or so open source packages that, combined, provide roughly equivalent functionality to the base Windows install)?
Someone says "but but but three years ago Heartbleed was in open source software", and I point to the 40 or so vulnerabilities published for Windows THIS MONTH, and EVERY MONTH.
And I can point to 40 in the Linux kernel's USB stack alone from this month (and we're only half way through the month). How many Windows kernel CVEs have there been?
I am TheRaven on Soylent News
Then came the ship with NT 4.0 that never worked correctly ...
That is an urban myth. Application software allowed an invalid value, a zero, to be accepted and saved to a database. Controller software that read data from that database accepted an invalid value then performed a divide by zero and was halted by the operating system. This controller software was involved in engine operation. Application, database, controller, ... the operating system was irrelevant, the same thing would happen under Linux.
Immediately after the failure a laid-off *nix engineer, who was not on the ship, speculated that NT was to blame and the Linux evangelists went with this and the myth was born. The people on the ship said it was userland software (application and controller) not operating system software that failed. The company writing that userland software admitted they were to blame for the incident.
Also, the ship was a test platform. They were testing, trying to break things, running debug software that didn't have the "watchdogs" that would restart the halted software. Zero was intentionally entered into a particular variable to see what would happen.
> And I can point to 40 in the Linux kernel's USB stack alone from this month
Okay, go!
No? How about 4? Still no? Maybe 3? How about ANY at all?
Did I not mention I curate a database of every CVE ever issued? My team looks at each and every one.
> Windows is pretty big. How does that number compare to Linux, plus glibc, plus glib, plus GTK, plus the core GNOME libraries, plus systemd, dbusd, and so on
Compared to the entire standard Red Hat installation, the number of CVEs times their CVSS severity is roughly ten times higher for Windows 8.
I would agree in part. The knowledge to review the entire Linux kernel code base does exist in the DoD, but not in enough people exist to do the work needed internally and accomplish all the other work they need to do before the next kernel version comes out. At least it's only a technical hurdle. The additional legal hurdle of copyright to the code base is no longer present.
IMHO the NSA should have a mission funded line item in its budget for a group to make and uphold a linux distro (thresh base distro w/ core packages for DoD, obj entire distro for whole US Govt, US companies, and US citizens in the 50 states) for secure Govt computing (a la SELinux "plus plus"). I _think_ this is in line with their defensive strategic objectives and probably best accomplished with a portage (i.e. code only) like delivery platform / package manager.
- Sig