Slashdot Mirror


White House Checks Out Open Source

Floris writes "The White House goes Open Source? It sure seems that way! (credit for the link goes to LinuxToday)" The story quotes "a senior White House official." Federal Times, which ran the article, is generally a pretty reliable source of "insider" government news. And I've been to some meetings of the DC LUG mentioned in the story and it's full of staunch Linux advocates who are busily infiltrating Linux into the government agencies where they work. Nice to see they're finally getting some attention from the higher-ups.

30 of 119 comments

  1. finally by Anonymous Coward · · Score: 2

    I've been getting tired of adults telling me that Linux is too difficult for their fragile little minds. I mean, if a 13 year old (now 14) can use it as easily as I can, what's preventing businesses from using it? Anyone who deserves to be called a network administrator should know how to work a Linux/Unix system.
    I'm glad to see that the government is using it; at least some people have come to their senses in realizing that yes, Linux IS hard to use, but it isn't death.
    I almost vomit when I see people getting 50+ thousand dollars a year for pointing and clicking their mouse. The fact is anyone can do that. All succeeding in the computer industry seems to require now is knowing how to touch type.
    Even worse than that is how two of my friends refuse to learn to type because they think they'll just be able to talk to their computers by the time they need to use them (college). And how my middle school computer teacher insisted on explaining what a LAN was to me last year, but when I asked her to let me telnet to the server she gave me this blank look of "you can telnet to a unix computer??". Grr... I'm gonna go off on these people someday.. sorry for posting this on /. but I really had to get some of that out.

  2. Re:Security AIN'T a state of mind by J4 · · Score: 2

    Should a general really be concerned about TCP stack bugs?

    If the life of his troops are at risk.

    Should a general even know that his computer has a TCP stack?

    FWIW, to be an Officer in the US military requires a higher education. I don't think it would be beyond their comprehension. You will agree that the General needs to know if his tanks are diesel powered or gas turbine. Likewise what caliber shells his artillery requires.

    Now should the General be able to _code_ his own TCP/IP stack?
    It would be nice if he could do it himself, but he's a General, he can delegate the work.
    I'm gonna go out on a limb here and make a comparison.
    During the Viet Nam war soldiers were issued the, at the time, new M-16 rifle.
    The M-16 was well designed and tested. However, the testing and design didn't take into account the tropical conditions of Southeast Asia. The result was more than a few soldiers losing their lives because corrosion caused their arms to misfire. This was corrected by nickel plating the chamber. Guns that were already issued were modified by military machinists.

  3. Close enough by PHroD · · Score: 2

    "Microsoft officials argue their software products meet federal security standards."

    Is that like the expression 'Close enough for government work'? ;)


    "There is no spoon" - Neo, The Matrix

  4. Government money into open source by Joe+Rumsey · · Score: 2

    The government will buy $2 billion worth of software in 2000

    Imagine how far that money would go if they spent even 1/10 of it on open source software development instead of purchasing ready made software. That's $200 million. What do you suppose the Gnome project could do with $10 million? Maybe give Linus a big fat check just for being a nice guy. Send the samba folks a couple million. No sweat.

    Everyone working on open source/free software should be thinking about how to get their hands on some of that money. If the government is serious about using open source software, it could be a virtual gold mine for all those projects struggling for people and resources.

  5. Re:could be good for Java by Oestergaard · · Score: 2

    Good point.

    However, I wouldn't worry about the govt. giving back fixes.

    You can argue that the US government probably, some way or the other, is immune to copyright law (at least US copyright law). So they don't _have_ to give back the fixes.

    But it's a matter of common interest. It's in their best interest to see that the stock distributions are as secure as possible, in order to minimize the hassle they go thru when maintaining their installations. Therefore the government _will_ be interested in giving back any fixes, even though they don't have to.

    Still, I wouldn't be surprised if some brown nosed idiot would suggest that they shouldn't give back the fixes, because of national security reasons or whatever. Like the crypto restrictions. But I'm confident that such measures would be short-term, and that we will definitely see contributions from the government, should they decide to use the more secure platform.

    Ironically, the government may some day be part of a community :) Wonder how they'll tackle that one.

  6. White House: house of fools by jtseng · · Score: 2

    I worked for the White House at the New Executive Office Building not too long ago. I had the pleasure of visiting their secure server room and what I saw was a mess.

    First of all, as far as the White House was concerned, they don't need to worry about a singular dependence on M$ because they had a hodgepodge of machines (Linux, SGI, HPUX, VMS, NT). And their IT infrastructure was poor at best. One day we all had to stay late because someone knocked the only router we had to the outside world off a desk and we were out for hours.

    A current colleague of mine interviewed for a developer position there back in April. I asked him what they had there and there really aren't too many changes. My understanding is that they are still running hand-me-down SGI Indigos running Irix 5.3. Hey guys - think Y2K!!! Upgrade to 6.5!!!

    "Microsoft is the epitome of innovation and product quality."

    --

    Sanity.html - Error 404 not found

  7. Re:could be good for Java by Waldo · · Score: 2

    If the government embraces open protocols and file formats, that would make a great start. Why should tax payers have to go out to buy a copy of MS Word to view documents on a government funded web server ?

  8. Government regs by luge · · Score: 2

    Dunno how many of you have ever worked with government before, but my aunt (who works for an unnamed, county level government in Florida) is now managing a brand-spanking new AIX system for her employer. To get a new piece of software, she had to wage a couple of weeks long campaign with her management, with memos, meetings, the whole nine yards. In the end, after all of that effort, she was denied. The piece of software she wanted? The one that took so much trouble to get? sudo. Uhuh. GPL'd, publicly available, sudo. Needless to say, the poor woman is also stuck with vi- she says she spends 1/2 of her time teaching other people that. She dreams of the day she can get emacs. That is the bureaucratic mindset in govm't IT these days. So, don't hold your breath about Linux. They'll probably have to read every single line of code before it ever gets installed- and by that time, we'll be at kernel 4.0. Argh...
    ~tieguy

    --

    IAAL,BIANLY

  9. How Ironic by jsm · · Score: 2

    They want security? How ironic that possibly the most secure operating system, OpenBSD, has to be developed in Canada because of US export restrictions!

  10. Could force more interoperability. by bquark · · Score: 2

    If the government could require people to communicate with it by open standards, this could break some of the market standardization on Microsoft Office. Many people buy MS Office so they can exchange documents. If people who need to submit documents to it or receive documents from it are forced to use open standards such as HTML, XML, or something new, then people could buy what they like and would have no need to upgrade just to stay compatible.

    The only question is whether the government is big enough to provide the critical mass around some open standards for a variety of documents. Oh for the days of Big Government again ;-).

  11. Re:Security AIN'T a state of mind by grossdog · · Score: 2

    Still, MS instills a culture where the machine does everything for you. You are not supposed to question what is really going on. The OS has deep roots in a single user non-networked system. A switch to Linux along with some training might be more effective in changing the state of some minds than you think.

    Should the majority of people who use computers have to worry about "what is really going on"? The advantage to using Linux in sensitive government applications comes from the ability of admins to review their systems and set them up properly more easily. From a user's point of view, it would be better the more internals of computation the software is able to obfuscate.

    Should a general really be concerned about TCP stack bugs? Should a general even know that his computer has a TCP stack? If it allows him to do effectively whatever he does as a general and is easily kept secure by his system administrators, then that's great.

    Don't get me wrong - I think Linux could definitely be great in a lot of government applications. But relying on users' increased sense of "knowing what the computer's doing" is a far from ideal situation.

    --Andrew Grossman
    grossdog@dartmouth.edu

  12. Re:Questions And Notes by color+of+static · · Score: 2

    C2 certification requires an audit of the code that pertains to those requirements. A vendor has to pay for this audit (when Novell went for it the cost was implied to be quite high in the press), and then control the releases to some degree (audit the final setup with a small application tends to be the way it's done).

    I've had Linux used in projects for the various government agencies for five years now, but I can't get it onto the classified systems because it's not C2 certified. In general NT's lack of current cert is ignored or exempted (as it is for some other OSs), but Linux's is not.

    If Red Hat could get their distribution of Linux C2 certified then the government would have to consider it against NT every time someone brought it up.

  13. Questions And Notes by Wiggly · · Score: 2

    Okay, anyone out there know about the certification they discuss regarding NT? What does it consist of? Can anyone apply for it or does the US Government only attempt to certify those systems that they wish to use? Also, if anyone knows, is there any reason that Linux (either now or in the future) would not be eligible for this kind of certification?

    If the regulations are public knowledge then is anyone currently trying to get Linux certified?

    After what kind of modifications to the OS does the certification become invalid? This might be a very important point since the kernel is now going through faster development cycles. Would the US Gov be able to use the latest and greatest or would they be stuck with something that was certified but older? (at least for operations that require that certification)

    And, since I'm a UK bound persona, anyone know if Linux is being used in MI5/6? *grin*

    --
    Wiggly -- But I want to be different, just like everybody else.

    1. Re:Questions And Notes by DragonHawk · · Score: 2

      Okay, anyone out there know about the certification they discuss regarding NT?

      It is an often pointed at (and laughed at) fact that NT 3.5 has been certified "C2 secure" in accordance with the NSA "Orange Book". However, the configuration used lacked a floppy drive and a network connection. In effect, NT is only secure if you don't communicate with anybody.

      Microsoft has been claiming NT 4.0 will be certified Real Soon Now for years. I do not think anyone is holding their breath. :-)

      --

      dragonhawk@iname.microsoft.com
      I do not like Microsoft. Remove them from my email address.

    2. Re:Questions And Notes by artch · · Score: 2

      At the "Linux University" held in Washington, DC (9 Sept. 1999) SGI announced their goal of developing a secured Linux(tm) distribution, first at the C2 level then at the B1. The presenter indicated that they (SGI) intended to offer their security work to the "Open Source" community. SGI also announced that, in addition to their offer of the journal file system, they are going to offer their considerable experience in SMP kernel implementation. The "Linux University" was co-sponsored by SGI, Red Hat, and Government Computer News.

      The presentations will be posted by 13 September 1999 at http://www.sgilinux.org. For those interested in the security related announcement, look for the presentation called "Tux goes to Washington". All in all, a very exciting set of announcements.

      Thanks, SGI.

  14. Very funny - hah hah by chris.bitmead · · Score: 2

    MS's "main server product" NT 3.5 is certified. Well umm yes, but..

    Who on earth is still using NT 3.5

    It's only certified as a stand-alone machine. How useful is a server with no clients???

  15. Re:Does government have NT source? by shadrax · · Score: 2

    Actually, it says that about the NSC, not the NSA:
    Zaman added that Microsoft likely would be willing to provide the National Security Council with its code for security inspections if it is for national security purposes. So far, he said, the NSC has not asked for access to any of Microsoft's software code.

    The NSA is the evil agency we all know and love. What's the function of the NSC? Does it control the NSA?

    Bureaucracy...reminds me of the part in Cryptonomicon when one of the characters has a waking nightmare while someone explains the German bureaucracy to him.

  16. Opportunity by jflynn · · Score: 2

    "I don't know of any large government Linux contracts,"

    This could be a very stable revenue stream for some Linux companies. Distribute updates, security patches, and support on a contract basis.

    It might be worth looking into the certification standard they mentioned and see what's missing, if anything.

    I'd love to see slashdot.gov :)

  17. Re:Security is a state of mind by jflynn · · Score: 2

    You're right of course, sloppy users are the biggest threat.

    Still, MS instills a culture where the machine does everything for you. You are not supposed to question what is really going on. The OS has deep roots in a single user non-networked system. A switch to Linux along with some training might be more effective in changing the state of some minds than you think.

    For example, with all its security holes, I find Windows users rarely talk about security, except when headline news forces them to take note. Linux users on the other hand discuss it often, and developers code with the concept in mind from the start.

  18. random thought... by Stonehand · · Score: 2

    It just occurred to me that if UCITA passed, and the Federals were using commercial, proprietary software for critical systems, that they'd be up the proverbial creek at the whim of the vendors... not necessarily a good thing when you're suing one for anti-trust violations. Heh.

    Not that that'd ever happen, but...

    --
    Only the dead have seen the end of war.

  19. Re:Does government have NT source? by Stonehand · · Score: 2

    Interesting point. I was under the impression that the source is sometimes made available to outside groups; my memory is telling me that some universities have operating systems courses where students are required to sign NDAs, because they get access to at least some of the NT sources. I can't give specific citations, 'tho, just vagaries.

    It's possible that the statement should be taken to mean: source code for not only the Linux kernel, but just about everything else as well with fairly few exceptions (for Gov't stuff. I doubt, say, that Civ:CTP or Myth II are on procurement lists...); whereas the opposite is true for most of the Windows world. Even if the NSA had access to NT sources, they'd still need audit ability for all the applications; even a safe kernel with poorly written applications isn't that safe.

    --
    Only the dead have seen the end of war.

  20. Well of course by Skyshadow · · Score: 3

    Am I the only one remembering the end of Sneakers here? The part about the NSA being able to read everybody's mail?

    Of course the White House wants to go open source -- do you seriously think that the security-paranoid folks who work there really want the NSA reading all about the next Monica and using it to get more funding? I think not.

    ----

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.

  21. When are the Feds gonna open up Crypto? by zilym · · Score: 3

    It seems kind of ironic that the Feds are complaining about poor security in Microsoft software, then praising how stable and secure Linux is, when the Feds are probably part of the problem. I agree with the Feds: Linux will help to improve security through encrypted file systems and network pipes (www.kerneli.org) plus encrypted/signed email and files (www.gnupg.org). However, Linux had a hard time getting here since all the development of these strong security tools had to be done outside of the country. Maybe when the Feds have Linux installed all over the place and get tired of having to patch their kernel all the time (to get the International Crypto pieces), they'll start thinking about making the restrictions a little more open.

    I can dream at least, eh?

  22. could be good for Java by josepha48 · · Score: 3

    This could be good for Java and other cross platform languages like Tcl/Tk. If the government has servers that are NT and some that are Linux and several other platforms, then they are going to want software that will run on both, you'd think.

    I am interested in where this will go. If the government gets into Open Source code, will they give back to the Open Source community if they find security issues and fix them?

    If the government enhances security in the kernel will they Open Source these too?

    --

    Only 'flamers' flame!

  23. MS Open Source by Imperator · · Score: 3

    Zaman added that Microsoft has been considering making some of its software products open source for two years.

    "Open source is a very innovative way to develop software," Zaman said. "The issue is how much of our own code we should put out in the open source environment."

    He is, I assume, talking about the IIS Sample Site and VB Examples. I remember Microsoft's commitment going back as far as gorillas.bas and other QBasic example programs, which were freely available when you bought QBasic.

    --

    Gates' Law: Every 18 months, the speed of software halves.

  24. Does government have NT source? by shadrax · · Score: 3

    From the article:
    Access to the Linux source code "gives us some confidence," the White House official said, adding that it simplifies patching security breaches and correcting routine errors.

    I've always wondered if the government, which uses Windows for much of its operations, is given (or pays for) the NT source. This quote seems to imply that they don't have it. Surprising, if so--I would have thought that the NSA would want to examine and/or customize the OS, at least for sensitive networks. Maybe I overestimate the competence of the US government.

  25. Re:Federal Linux Distrib? by Stonehand · · Score: 3

    --- Kernel Patch Request Form ---

    Adding a patch to the Linux kernel (hereafter referred to as "kernel") may compromise security, functionality or both. Therefore, before submitting a patch for inclusion you must attach a Form 15812n Software Audit Report for all contexts in which you intend to use this patch. This procedure must be repeated should additional contexts emerge.

    We will need the following details.

    Who wrote the patch? Is/are the people responsible (hereafter referred to as "patch author(s)") U.S. citizens? Please have them undergo security clearances and attach the resulting paperwork. Use of nails and rivets for this purpose (attaching, not auditing) is hereby sanctioned.

    What does this patch do, and why do you want it? Be sure to detail all system resources consumed by such, and study the impact upon the targeted environment. Include time and resources expended on this application, sub-applications and related activities.

    Do you expect it to be applied to future revisions of the kernel? If so, explain why and bear in mind that this is included in the aforementioned "additional contexts" section, and thus will require periodical documentation and re-application.

    Please remit this form once completed to your supervisor and all other individuals affected for approval, with copies for yourself, the Software Patching Department, and Personnel (for your quarterly performance evaluation) as usual.

    Bear in mind that approval may not occur until a full review of your provided documentation has occurred. We hope to be able to respond to you within six months of completion of said review. Thank you for your time.

    --end form--

    --
    Only the dead have seen the end of war.

  26. About time by Oestergaard · · Score: 4

    That was about time that some government took off the sunglasses and had a look at the real world.

    I can't believe they haven't thought of this earlier (or at least thought of it in public). Linux is far from the only open-source OS; simply using the proprietary UN*Xes they've been running for long, with open-source daemons and tools, would have gotten them a long way.

    I remember the Swedish government discovering that the proprietary e-mail tool they used had a backdoor in the encryption service they relied upon for security reasons. The backdoor was there for the US government (NSA probably).

    This was so funny, or rather tragic, because they simply didn't think about it before someone pointed it out to them. They honestly believed that because the shrink-wrapped package said ``encryption'', they'd be safe.

    Amazing it is, that the US government has been just as naive, believing that a closed source product only did what the package said it would do. I wonder how much insight MS/Sun/Oracle/others have into what's going on behind those closed doors.

    Never underestimate the power of human stupidity.

    Well, I'm looking forward to seeing new OSS daemons from the white-house, and mails from randomuser@whitehouse.gov on LKML :)

  27. Bunch of fun. by bmetzler · · Score: 5

    Reading this article was fascinating. The first thing I saw was "Linux, an open-source operating system similar in functionality to Microsoft Windows, is being given serious consideration as an alternative for government computer users, the official said." "Similar in functionality?" It's nice of them to acknowledge that, even though it could be argued that Linux has more functionality than Windows. Still, I have to save this to show anyone who tries to tell me that Linux is brain-dead.

    Reading further we see: "As a result, Linux boasts a robust code that rarely malfunctions and is extremely difficult for hackers to crack, Klosowski said. Microsoft, on the other hand, keeps its code secret and makes upgrades to its products on a yearly basis, he said. Microsoft software products have been the target of numerous computer viruses." Neato! More positive news. My heart is warmed.

    Now we get a few laughs. "Microsoft's main server software, Microsoft Windows NT 3.5, for instance, is certified..." I see. It's version 3.5 that is Microsoft's main server product, with NT 4 being relegated to just "Newest" status.

    Zaman is amazing. After all the PR Microsoft has done trying to convince people that "open source" development is not a good way to develop code. After all, who would work for free, eh? But now we find out that according to Zaman, "Open source is a very innovative way to develop software." In fact, Microsoft is so convinced of the viability of the Open Source model that "...Microsoft has been considering making some of its software products open source for two years." Two years, eh? That's a real good license. I'm just dying to work on code that's open for 2 years.

    A few paragraphs later Zaman states that "government agencies are not excessively reliant on Microsoft products..." But just 2 paragraphs later we read "The government already relies extensively on Microsoft products for desktop and, increasingly, server applications." Only a slight contradiction, eh? I suppose we can overlook that.

    And the last thing that we read is: "Regardless of security concerns, Smith added, a multitude of software systems within an agency often can lead to interoperability problems." Very interesting. In the server market, you can't allow fragmentation within your product base. In the current server market, there is a lot of similarity within most server OS's, except one. That one is fragmented in the Server OS market. That OS is Windows. If I were an administrator of a network and couldn't allow even one little bit of fragmentation, I'd keep Windows as far away from my servers as I could.

    I wrote an essay on fragmentation of the Server Market. It may apply here.

    -Brent
    --

  28. Security is a state of mind by LL · · Score: 5

    While it may be laudable that public institutions are shifting to a more transparent OS, would it result in any increase in real security (as defined by the reduction of risk of data corruption and unauthorised duplication)? Just like replacing cracked window-panes with bullet-proof glass may result in a rah-rah feeling of improved safety, there is no additional protection if people carelessly leave windows open. Security results from modifying dangerous habits; just like we automatically check to see whether the door locks behind us when we leave the house, we need to condition ourselves to automatically log out or follow other basic data integrity procedures (duplicate copies, permissions, etc). This is a process of on-going education, informing people why certain procedures have to be followed despite the initial perceived hassle. One can point to the German Enigma machine which, while technically secure, lost integrity through operators being careless in their transmissions (using the same callsigns, repeating the first sign-on phrase, etc), which gave the British cryptanalysts an opening. I believe the Americans used a variation of the easily cracked Italian crypto-machine but retained security through more rigorous operational procedures.

    Security is only as strong as the weakest point and IMHO, people are the most fallible link in the system, not computers (though bad design flaws/assumptions are tough to figure out too). So, will the political establishment spend the savings from using OpenSource and not licensing windows to reinvest in helping the users effectively use the systems? In my observation hardware might take up 15-30% of the cost, similar for software, but the rest (40-60%) is in the education of users for them to be productive (and don't get me started on the folly of buying Pentium IIIs for web-browsing).

    Throwing money at a problem is no solution to thinking through the issues.

    LL