
MITRE Corp. Report On Open Source In Government 289
Jeremy Allison (of the Samba team) writes "Very interesting paper just published by MITRE corporation. (In PDF - they've learned not to use Microsoft Word. :-). Highlights: 'The main conclusion of the article was that FOSS software plays a more critical role in the DoD than has generally been recognised.'; 'Create a "Generally Recognised as Safe" FOSS list ... including Linux, OpenBSD, NetBSD, FreeBSD, Samba, Apache, Perl, GCC, GNAT, XFree86, OpenSSH, bind, and sendmail.'
'FOSS' stands for 'Free and Open-Source Software.' Looks like these people 'get it.'"
Generally Recognised as Safe. (Score:4, Insightful)
I'm all for Unix server software, but BIND and Sendmail? True, they haven't been bad lately, but both of these are former poster children for the land of remote root exploits. Yet Qmail, djbdns, and Postfix--some of the most secure software ever made--are strangely absent.
Well, it is the government. They are making progress in their own little way.
Re:Generally Recognised as Safe. (Score:5, Informative)
"Qmail is a FOSS replacement for Sendmail, the
program that transfers emails between computers
on the Internet. Qmail has improved security,
reliability, and performance features."
Yep, that pretty much sums it up. I'm impressed.
Re:Generally Recognised as Safe. (Score:2, Insightful)
Re:Generally Recognised as Safe. (Score:2, Informative)
Re:Generally Recognised as Safe. (Score:3, Insightful)
Re:Generally Recognised as Safe. (Score:2)
I'm free to use qmail.
I'm free to modify qmail for whatever purposes for myself.
I'm not free to hold Dan Bernstein responsible for my butcheries, whether or not I (or anyone else) is aware of them.
If you want to distribute modified versions of qmail (including ports, no matter how minor the changes are) you'll have to get my approval. This does not mean approval of your distribution method, your intentions, your e-mail address, your haircut, or any other irrelevant information. It means a detailed review of the exact package that you want to distribute.
Close is not very good for security stuff. Can't say I blame him at all.
Generally Recognised as Safe == Debian/stable? (Score:2, Informative)
Debian may not agree... (Score:3, Informative)
Now, anything that's FOSS and GRAS is probably in Debian, but being in Debian stable is only evidence of being FOSS and NPU (Not Proven Unsafe).
I think that the idea of having an external list of FOSS/GRAS software is an excellent one. Moreover, I doubt if Debian wants to accept responsibility for maintaining such a list.
Re:Generally Recognised as Safe. (Score:5, Insightful)
>They are making progress in their own little way.
Military intelligence... if we ever understood it, we'd be arrested and our brains classified.
What the DoD is and isn't (Score:5, Insightful)
Additionally, each branch of the service is autonomous in IT management, which means there are FOUR DIFFERENT ways of running a network with the associated FOUR sets of management overhead and of course, they aren't interoperable. This is a fairly generalized statement, but most of the systems I deal with daily in the Marine Corps are specific to us and don't work with the other services' systems despite the fact that they all do the EXACT SAME THING.
So kids, the moral of the story is: Write your congressman and complain about the misuse of your tax dollars. And don't forget to tell them that free software == excuse for lower taxes == more votes for them.
Re:What the DoD is and isn't (Score:4, Informative)
Not to imply that NMCI isn't ridiculous and a huge waste of money. We're trying to fight it...
And don't forget that most computers aren't desktops. We certainly don't have any MS OS on our many embedded computers.
Re:What the DoD is and isn't (Score:4, Funny)
I guess this means that if I want to mount a pirate attack on the DOD, I should make the Marines my beachhead?
Re:Generally Recognised as Safe. (Score:3, Insightful)
Secure doesn't mean invulnerable. It means trusted. You can trust something with known flaws if you know where those flaws are, how to avoid them when necessary, and how to fix them when possible.
Re:Generally Recognised as Safe. (Score:5, Informative)
True, but then again Qmail has offered a USD $500 security guarantee [cr.yp.to] since 1997, which so far remains unclaimed. Sendmail does not, and since then they've had a number of security issues to deal with.
As for its usage, Qmail at one stage included Hotmail among its users, so it has had a reasonable amount of testing and use.
Re:Generally Recognised as Safe. (Score:4, Interesting)
Security-minded folks are more likely to be pessimists than optimists.
Re:Generally Recognised as Safe. (Score:2)
As far as I can tell, DJB refuses to incorporate any of the many patches into his software, so the security of his unpatched sources is of limited value. This also makes using qmail a royal pain in the ass. It can sometimes take hours to figure out which patches you want and then find and download them. As much as I like some of the ideas behind the design and implementation of the software, the license discourages me from using it (even though I generally get paid by the hour when I install it!)
Qmail: secure, but not responsible (Score:3, Interesting)
If somebody finds a bug in, say Linux, that can be exploited against both Sendmail and Qmail, the Sendmail folk will fall all over themselves to find and distribute a workaround. Bernstein, on the other hand, will likely just smile and say "not qmail's fault". This doesn't do much good for people who are actually using qmail in the field and will need to create and distribute their own patches on the back-channels -- and then integrate them with the myriad of patches out there.
I really believe that Qmail's license was and is the biggest barrier to its more widespread adoption.
Re:Generally Recognised as Safe. (Score:4, Interesting)
Qmail, on the other hand (and Postfix, and others. Sorry if I don't mention everyone's favorite
I'm not knocking Sendmail. I use it on a whole bunch of production boxes. It's familiar, easy to use, and works out of the box with everything. It's also fast enough to make it suitable for most environments and I have a whole lot of time invested in learning the various ways to configure and tweak it and how to fix it when it's being moody.
That said, I also use Qmail on a regular basis. Of the two I keep a much closer eye on the Sendmail installations. Sendmail's current biggest known flaw is its history, and until something approximating that shows up in Qmail I'm more inclined to trust djb's baby (even though I put it in
(Qmail also has the luxury of being the product of someone who comes off as a complete asshole. I can guarantee you that the fact that Qmail doesn't have any known security holes is not for a lack of trying. There are plenty of people who would *love* to find a hole in Qmail just to shut him up. I hope djb doesn't have mod points!)
djbdns & qmail (Score:5, Informative)
I'm not trying to torch anybody's favorite software here, but both djbdns and qmail have drawbacks.
The biggest issue is the license. Qmail is limited to source-code only distribution, with an exception being made for precompiled binaries if they behave exactly the same as qmail normally behaves. Information here [cr.yp.to]. This means that if you want qmail not to throw all of its binaries under /var and ignore most of /etc for configuration files (which it normally does), you have to compile and patch it by yourself. Also, there is no distributing patched versions, so if D. J. Bernstein dies tomorrow, qmail development is effectively frozen until qmail passes into the public domain decades later. That includes any security/performance patches, as well as ports to other architectures. Djbdns has a similar license.
There is also compatibility. Djbdns does not support certain zone transfer mechanisms [linuxsecurity.com]. It ignores some IETF standards entirely and implements its own version instead. I get upset when Microsoft twists and corrupts public standards for its own ends, and I get upset when Bernstein does it as well. I'm lazy, I don't want to have to double-check if my DNS server supports a certain standard if my configuration changes. Qmail is more of a quibble, I don't like how it throws everything in /var. (And I'm not sure why the world needs qmtp)
I'm not saying that a lot of people and smaller sites won't find qmail/djbdns (and the rest of Bernstein's software) useful. They seem to be secure, and they do their job as long as everything is compatible.
However, one of the reasons why I avoid proprietary software for many tasks is that I don't want to hitch my wagon to somebody else's horse. If I go with an MTA that is widely used and is GPL or BSDL, I am assured that development does not rest solely on one person. And if I go with standards-compliant software, it ends up being less of a hassle in the long run.
Djbdns and Qmail aren't bad. But they have licenses that limit distribution and development, and they break interoperability.
Re:Generally Recognised as Safe. (Score:3, Interesting)
Sivar wrote: "... bind, and sendmail."
> "Generally Recognised as Safe"
> I'm all for Unix server software, but BIND and Sendmail?
Don't mix old Bind and Bind 9, Bind 9 is an entirely new code base written from scratch with security as a basic premise. Version 9 is not susceptible to the same issues found in earlier versions of the Bind DNS server.
The track record for Bind 9 is *much* better than it used to be ....
Re:Generally Recognised as Safe. (Score:3, Funny)
Did you omit exim because you:
Rock on. (Score:3, Funny)
I suppose this means there will be more job openings for geeks in government positions. Get out your resumes, guys and gals.
Re:Rock on. (Score:4, Funny)
Re:Rock on. (Score:3, Insightful)
Interestingly, I feel more like a "stakeholder" as a govt. employee than I did as an industry stock-holding employee. It's my tax money, too, I guess.
Re:Rock on. (Score:2, Insightful)
About time. (Score:4, Interesting)
I guess everyone was waiting for somebody to basically do a "study" or write a paper that could be quoted or "fallen back upon" if you will.
Then again, this report is about the fact that FOSS already plays a more critical role. My point is, it's high time somebody came out and recognised the fact. Great job on the paper.
Re:About time. (Score:2)
No, maybe to the average slashdot.org/~joe the advantages are obvious, but the average Joe doesn't know FOSS exists. Heck, 5 minutes ago, I didn't know FOSS existed ;-)
Re:About time. (Score:3, Funny)
Hmmm... if Joe knows that FOSS exists, he sure ain't admitting to it!
http://slashdot.org/~joe [slashdot.org]
joe has posted 0 comments.
Re:About time. (Score:3, Funny)
I mean, to the average Joe, the advantages of FOSS are obvious.
Don't you mean "to the average Slashdot poster"? When I think of the average Joe, I think of my father, who believes that my computer must be turned on for him to send me e-mail from his computer. That, and that Prodigy is the greatest thing on the planet...
Yeah, I know, I'm nitpicking...
What if ... (Score:3, Interesting)
A lot of people will begin to think about the converse, "What if Closed Source were banned from the DoD?" or even more specifically, "What if Closed Source from companies found guilty of breaking federal law were banned from the DoD?". I wouldn't be surprised if the answers were "not much change" and "things improve", respectively.
Re:About time. (Score:2)
If that was the case, they wouldn't be using Microsoft products :-)
Re:About time. (Score:3, Informative)
As a vet, believe me, I'm not happy about this. I've seen the effects first-hand. I was a medic for eight years in the Air Force. About halfway through my second enlistment, we switched from company A's IV needles, which were very high-quality and never crimped up -- i.e., the plastic cannula over the needle, which is the part that actually stays in the patient when the needle is pulled out, always went in smoothly with the needle instead of crimping up around the needle and not going in -- to company B's IV needles, which crimped up about a third of the time -- which of course meant that the patient had an extra hole in his skin and the needle was now useless. We did this, as it turned out, because the recently retired General X, who had been quite high up in the AF medical bureaucracy, was now a member of Company B's board of directors. When I got out of the service a couple of years later, we were told that the AF was "studying the problem." Meanwhile our supply guys were cutting "gray" deals with local medical supply companies to get us needles that worked.
This may seem like a minor problem, but consider that a) the switch caused a lot of pain and suffering (even good IV sticks are painful; bad ones are worse) and wasted a lot of money, and b) this sort of thing happens all the time, all over the place, in places ranging from the base personnel office to the ER to the flightline where people are loading nuclear weapons onto bombers. And not just in the AF; there are similar stories from almost every job in every branch of the service. Your tax dollars at work, folks.
PDF format freer than Word? (Score:5, Interesting)
A very minor and unimportant comment:
Most companies, when publishing in PDF format, do so not for openness but to protect against copying or modification.
For example, my company works extensively with the FDA and we publish all our standard operating procedures (SOPs) in PDF format since it's so difficult to copy. We rely not on the openness of the format but on its limitations. Not earth-shattering, but I wanted to mention that PDF is not a particularly open format, despite its structures being well known.
Re:PDF format freer than Word? (Score:5, Insightful)
I would also say anyone using PDFs for the security of them not being easily modifiable is running on the assumption that the people they are sending the files to are too stupid to figure out how to modify them to their hearts' content.
Re:PDF format freer than Word? (Score:3, Informative)
Only half true. Microsoft offers [microsoft.com] a little known Word 2000 viewer (and similar viewers for Excel etc) that is available gratis [microsoft.com].
Re:PDF format freer than Word? (Score:2)
It's only available for Windows (although it might work in Wine I suppose), so you still have to pay Microsoft for the operating system.
Re:PDF format freer than Word? (Score:2)
Actually, all the M$ viewers work in CrossOver [codeweavers.com], but you have to pay for that too... BUT IT'S CHEAP!
Re:PDF format freer than Word? (Score:2)
True... But, it does work surprisingly well.
Re:PDF format freer than Word? (Score:3, Offtopic)
Re:PDF format freer than Word? (Score:3, Informative)
But that supposedly gratis viewer requires a non-gratis OS to run, so many of us would still have to pay money to view the document.
(But then you did say, "half true", and anyway, my objection is only half true because it probably runs under Wine. Though I'm not sure that helps people running Solaris/AIX/LinuxPPC/LinuxARM/LinuxPS2/etc.)
Anyway, the bottom line is that PDF is freer than Word because PDF is an open standard, and multiple implementations exist (some gratis, some FOSS) while Word is a closed, proprietary format subject to change without notice.
Re:PDF format freer than Word? (Score:5, Insightful)
Ironically, you think that PDF protects against copying, because it is difficult to modify them in Windows. By the same token, you may think that
Which of course, is the opposite for any *NIX system running Ghostscript (where a PDF -> ASCII conversion is trivial, but
I guess you do have to play to your users' strengths and weaknesses, it just seems funny to me, somehow.
Re:PDF format freer than Word? (Score:2)
If you really want to prevent copying (as in copyright infringement), then you'll have to wait for Palladium. ("Ctrl-C" - "I'm sorry Dave, I can't let you do that...")
Re:PDF format freer than Word? (Score:2)
Re:PDF format freer than Word? (Score:3, Informative)
1) The format is compressed, so it is smaller in size.
2) The PDF viewer is available on more platforms than Word viewer
3) The PDF is already formatted for printing.
Re:PDF format freer than Word? (Score:2, Informative)
Or it could simply be because it's much easier to predict how the document will print / read on various platforms. At this point, PDF files are pretty much a web standard for white papers, reports, etc. I guess if it were me I would skip the paranoia factor and the black helicopter sightings and take the report at face value.
- Brandon
Re:PDF format freer than Word? (Score:2, Interesting)
That's news to me.
PDF is an open specification; anyone can write their own PDF creation tool as well as reader.
The security thing is a bad idea though, as is the attachments in PDF files that Adobe just added support for in their apps. Ah, the coming of the PDF virus era....
Re:PDF format freer than Word? (Score:2)
I just found a way to penetrate your security! The exploit is:
Do you think I should post this to SecurityFocus or something?
Honestly, I know what you're trying to say, but I don't understand why companies do this. Anyone who was motivated to fake a report from your company could still do so. All publishing in PDF format does is annoy people and waste bandwidth. Actually, you'd be better off publishing documents as HTML on a webserver you control, because people can see the address it's at and be (reasonably) sure that it's official. If you release them as PDF files, surely people will be more likely to save them, print them out and forward them around, creating a situation where a fake is less likely to be spotted straight away?
If you're worried about employees tampering with internal documents - that's what file permissions are for.
I once worked for a shit company who generated a lot of their transaction reports as PDFs for "security" so they couldn't be modified. It also made it impossible to do diffs, search groups of reports, etc. I was ordered to compare files by flicking between them and looking for differences. Tards.
"Generally Recognised as Safe" Reference (Score:5, Informative)
This list would provide quick official recognition of FOSS (Free and Open-Source Software) applications that are:
(a) commercially supported
(b) widely used and
(c) have proven track records of security and reliability (e.g. as measured by speed of closures of CERT reports in comparison to closed-source alternatives)
Gmanske.
This is a pleasant surprise... (Score:4, Interesting)
It seems that the right hand doesn't see what the left hand is doing. That's the USA federal government for you. However, based on the existence of the "safe" FOSS list, perhaps the DoD is rethinking their investments in eN Tee. I sure hope so, for the sake of national security. Meh.
Re:This is a pleasant surprise... (Score:5, Insightful)
It seems that the right hand doesn't see what the left hand is doing. That's the USA federal government for you.
With all due respect to your example, I would rather each department of the government be allowed to implement its own solutions, at least based on my experiences working for large corporations (where the right hand often doesn't know what the right middle finger is doing). The most productive situations arise when divisions and departments are allowed to solve their own problems, rather than having some senior-level executive decide, "okay, this worked for marketing, so now everyone has to do it this way." Information sharing is important, of course, but forcing one-size-fits-all "solutions" can be counter-productive.
Michael
Infers that GPL means better security (Score:5, Interesting)
"For Security, use of GPL within
groups with well-defined security boundaries should be encouraged to promote faster,
more locally autonomous responses to cyber threats. "
Page 3, Example 2.
This really makes no sense to me. Especially when the majority of the software they list as "heavily used infrastructure tools such as "Linux, OpenBSD, NetBSD, FreeBSD, Samba, Apache, Perl, GCC, GNAT, XFree86, OpenSSH, bind, and sendmail," a good portion of which are NOT licensed under the GPL. (Yes, I realize some are, but the majority of that list are not.)
Doesn't make a lot of sense. Considering most people would agree the most secure OS out there is OpenBSD.
Re:Infers that GPL means better security (Score:3, Insightful)
Perhaps one aspect of the security to which they refer is the secure knowledge that inhouse software developed under the GPL will remain free, i.e. they will in turn receive any and all improvements made by others.
While the GPL is arguably more appropriate for public funded software development than licenses that lend themselves to proprietarization, I must agree wholeheartedly with you that it is clear that the advantage in security goes to free software over proprietary software, and not GPLed software over other free software to any degree. Indeed, as you point out, OpenBSD is the most secure operating system around, and it is certainly not GPLed.
What they clearly meant to say was that free software should be encouraged to promote faster, more locally autonomous responses to cyber threats.
Re:Infers that GPL means better security (Score:2)
I would say that the license that gives the most freedom is the license that publicly funded development should have. Guess what: that license is not the GPL (though you could easily create your own GPL'd fork of a BSDL'd project... it's identical as far as the BSD license is concerned to proprietary licensing)
Re:Infers that GPL means better security (Score:3, Insightful)
First, GPL-exclusivity would be appropriate only in top-security situations that demand a fast and very flexible response. Not having barriers on how to deal with the soft, be it binary or sourcecode, is extremely important here. However, I would not be so fanatical as to say that only GPL soft is appropriate. Frankly, I think it would be better to say: licenses that do not impose barriers of any kind to software changes and distribution.
Second, to do such a thing, people should be uberprofessional. Having GPL code is not enough to provide security. There should be someone who's able to manage the guns. However, if a certain department or site is considered to be top-security, then one should have someone of that weight out there... Isn't it? But... well... we know that even security guards love to sleep when they shouldn't. And that engineers are underpaid and don't have enough qualification. And that the managers will still buy some piece of crap instead of listening to the experts... So this caveat is utterly pointless...
OpenBSD is one of the most secure. Because it is made for security. Most Linux machines are not because it would be a problem trying to adapt users to the level of security in OpenBSD. I made a few installs of OpenBSD and I may tell you that it is not easy to install something on it. Besides, it is much harder to use. And, sometimes it is quite slower than other BSD and Linux conceptions. But it is very good at kicking every kiddie out. However, its administration demands every kind of task as any other system. A badly administered OpenBSD is also breakable.
On what concerns Linux itself, unfortunately there are very few secure distros. But it is possible to reach a level of security near to OpenBSD or even better. By hand and making the system from scratch. Once we had such a machine. We named it "The Castle", out of the name of a distro that gave us the idea to make it. It was a damn well secured system. But using it... Better walking through the Labyrinth...
Re:Infers that GPL means better security (Score:2)
I, like most people, wish that the more mainstream distros didn't ship with everything but the kitchen sink on by default, but come on. If you've got the know-how to put together a Linux box from scratch there's no reason you can't properly lock down one you get from a mainstream distributor in much less time.
I realize it's good security practice to start from zero and enable only what you need rather than have everything on and disable what you don't, but UNIX isn't Windows. Unless a distro is shipped with a rootkit in it already it's quite easy to turn everything off. Once you've done that you can pretend you started from scratch if that makes you feel better.
Building "Linux From Scratch" is fun (for some people, myself included) and a great way to learn about how your system works. But if you do it on a regular basis for systems you deploy you're just wasting a lot of time and being masochistic.
On another note, I've never found it that much harder to admin or use an OpenBSD box than I have say, FreeBSD or even your average Linux box. I find that the difference in philosophy is the biggest hurdle (vi this file vs. use our badly-designed ncurses/GTK+ config tool). Once you get over that any of the above can be quite usable.
Re:Infers that GPL means better security (Score:2)
The point is: "what license promotes security the best" What OS is currently most secure, may or may not be under that license.
BTW, I would probably agree with you about OpenBSD's security.
Excerpt (Score:5, Insightful)
Starting on page 32, there's a very nice glossary of common Free and Open Source acronyms.
Wait...another term? (Score:5, Funny)
PDF? (Score:3, Insightful)
Re:PDF? (Score:3, Insightful)
The PDF document contains images, tables, colors, and underlined/italicized/bold text. Those are rather difficult to express in plain ASCII text.
Doing so is not unlike trying to write a voxel-based graphics engine in HTML.
Right tool for the job...
Re:PDF? (Score:3, Funny)
Oh sure, leave out us EBCDIC users, you young whipper-snappers with your fancy-schmancy ISO standards. HA!
Re:PDF? (Score:2)
ASCII is a fine format for email and config files. It's not an acceptable document format. PDF is, despite what some people seem to think, the best digital document format available today.
Re:PDF? (Score:2)
I'm currently trying to write a parser for ISO8211. Currently it makes me very cross and won't run on any platform. Just because a format has been endorsed by ISO doesn't mean it's either any good or easy to use.
[Yes, I know there already are two open source ISO8211 parsers out there. Unfortunately they're in C++ and Python respectively and I need one in Java].
I work for the DoD.. open source rules! (Score:5, Interesting)
I've sat through meetings with vendor reps where certain office members tore the reps some new orifices. I've heard from a *major AV/Firewall company name deleted* rep "Oh, you use open source FREEWARE! Well, if you want to go with something totally insecure that has absolutely no support and you don't know exactly what the code actually does..." The rep then sat there in stunned silence as the department head launched into a detailed tirade about how every member of the office not only knew what the open source we used did, most of us could re-write it if we needed to. The rep actually blushed and admitted that if we could do that, we didn't need their product.
Most of our offices do use Microsoft on most of the standard user desktops... but it's open source hacked-to-hell code that runs everything else around here! Well, aside from the gallons and gallons of coffee and Mountain Dew that runs the people..
Re:I work for the DoD.. open source rules! (Score:3, Informative)
Of course, it's worth remembering (going a little off-thread here), that unpatched open-source software isn't any more secure than unpatched Windows software - IIS can be patched and secured too. A good tutorial on hardening IIS can be found here:
http://www.virusbtn.com/magazine/archives/200208/
Re:I work for the DoD.. open source rules! (Score:3, Funny)
Is this some other Department of Defense that I was not previously aware of?
Re:I work for the DoD.. open source rules! (Score:2)
I'm a DoD contractor too and it's not like that where I work. Here it's windoze, windoze, windoze... except for my BSD FW, Linux/BSD web servers, and a few misc workstations. All of these are kept pretty hush-hush (except the FW), otherwise they'd probably make me reinstall them with win2k... yuck!
Can I please come work with you? PLEASE!!!!! I'll send you my resume... a couple hundred dollars? Just put in a good word for me ;-) !
Re:Open source, eh? (Score:3, Insightful)
2. Why would the DoD distribute their modified code? Perhaps they would send a patch to Apache or whatever if it was sufficiently general interest, but I suspect most of the modifications have to do with security policies particular to them.
3. Do you really believe that "Al-Qaeda hackers" [sic] spend more person-hours looking at the code than non-malicious users?
4. Neglecting the silliness about Al-Qaeda, why should I trust you that "some computer science programs and IRC channels" are training highly dangerous black hats? Last I checked, IRC was the land of windows-running script kiddies, and typical computer science programs include perhaps one optional course on security [cornell.edu].
About #2 (Score:2)
Same as everybody else I'd guess, not having to keep their own branch and re-implement any fixes in the public branch, keeping track what they have fixed and public branch haven't when the interface changes. Of course, the NSA could probably afford that, but the benefits are few...
Kjella
They are not required to distribute it (Score:3, Informative)
I do hope that some employees who are exposed to open source, its benefits and the values of the community behind it contribute to open source projects in some way.
Re:Open source, eh? (Score:3, Informative)
Even on Slashdot the GPL is largely misunderstood. It principally dictates that if you redistribute the software you must also redistribute the source; it does not require that you redistribute the source in order to use the code yourself in whatever fashion you require. Your error is exactly the misunderstanding that MS capitalizes upon in describing the GPL as 'viral'.
PDF (Score:2, Insightful)
Re:PDF (Score:3, Insightful)
I don't think I personally know anyone that actually likes pdf files or their associated viewers.
Re:PDF (Score:2)
Good for some things, terrible for others, but if you want to distribute a document that prints out the same no matter where you take it, PDF is great.
Re:PDF (Score:4, Informative)
Good lord! What's with this rabid hatred of the PDF file format on Slashdot? I'm not referring only to this poster, but many others I've read on this story and others.
Here's what PDF has going for it:
As the parent poster attests to, it preserves formatting. While this is not always needed to the degree that PDF offers, if you are distributing documents that you intend to be printed, there are few alternatives. In fact, I can't really think of any others at the moment. HTML certainly doesn't count. TeX doesn't count (a tex file can't embed bitmap graphics or fonts inside it). Even Microsoft Word will re-flow your document the moment you open it if you have a different printer selected than the one it was last saved with.
PDF is based on Postscript, but is really a subset of it and is not covered by any -patents- (I'll get to copyrights in a moment) as Postscript most certainly is. This means that with a thin Postscript wrapper, you can shove a PDF document at any Postscript (level 2 or higher) printer and it will happily print it.
It is an open standard. How you define open is obviously a matter of great debate. The standard is published by Adobe and anyone can use that document to write a program that creates, reads or processes PDF documents. Adobe retains copyright of this standard, but gives permission for anyone to use it with ONE major stipulation: you cannot use the standard to write a tool that ignores the access controls built into the PDF standard.
While I don't know the legal details of any of this, I don't really see why it would be illegal to clean-room reverse-engineer the standard to write a tool specifically for this purpose, but seriously, for any legit purpose, you can do whatever you want with it.
PDF has a growing source of free software tools that can be used to create, render, slice, dice, etc, PDF files. This includes Ghostscript and a fantastic java library called iText. There is also a good C-library called PDFLib that has bindings for C, C++, java, perl, python and perhaps others. It is only partially open-source, though.
Alright. PDF has this going against it:
The already mentioned copyright standard issue.
The PDF file format is not really designed to be easily editable. Pulling apart the bits that make up a PDF page basically involves rendering them using a pseudo-Postscript interpreter and turning that into editable objects. I do not know of an open-source tool that lets you do this. iText, Ghostscript and the closed portion of PDFLib allow you to pull apart pages from PDF documents and draw atop existing pages.
When it comes down to it, not only is PDF relatively free, but quite a bit more free than some other formats that are quite popular in the open source community. Take mp3 as an example. It's covered by patents up the wazoo. But until Vorbis takes over the music industry (I, for one, am not holding my breath), that's what we'll have.
PDF is a little bit of a compromise, but until someone invents an alternative that is compatible with all Postscript printers, can embed bitmaps, vector art and even fonts inside the file, looks decent both on screen and on the printer, has a large amount of commercial and open-source tools available... Well... I'm not holding my breath for that either.
No surprise (Score:4, Interesting)
"This effort sponsored in part by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Material Command, USAF, under agreement number F30602-01-2-0537"
Kind of a big hint that someone somewhere in DoD thinks highly of OpenBSD.
Of course, this support may have since been reduced or eliminated due to the same pressure that the NSA faced with SE Linux.
How much respect does MITRE command? (Score:3, Insightful)
By the way, the document summary shows that it was originally a Microsoft Word Doc titled "Microsoft Word - 3DBD823B-1ABD-0AA6.doc" with the author being www.
Interesting that the DOD uses GnuPG, Linux, Linux (Red Hat), FreeBSD, NetBSD, OpenBSD, OpenOffice, Perl, Perl CGI Scripts, PerLDAP, PHP, Tcl/Tk and TCP Wrappers, amongst others.
Re:How much respect does MITRE command? (Score:5, Interesting)
On the front page of MITRE's website [mitre.org]: MITRE is a not-for-profit national resource that provides systems engineering, research and development, and information technology support to the government. It operates federally funded research and development centers for the DOD, the FAA, and the IRS, with principal locations in Bedford, Massachusetts, and Northern Virginia.
Trust me, they're extremely highly regarded and their analysis carries quite a bit of weight.
Re:How much respect does MITRE command? (Score:4, Informative)
Process and methodology kings, par excellence.
Do you want to know how to do something right? Do you want to know how to repeat the performance? Mitre are your experts in the field.
If your organization has a job-title of "Program Manager", there is at least a passing nod to the CMM processes outlined by Mitre, which breaks down all process and initiative into functional program areas.
Re:How much respect does MITRE command? (Score:2)
You've never dealt with MITRE have you? MITRE, in my experience, are delay and overbilling kings, par excellence. They charge for this solutions library that you can never access and create some of the most god awful solutions mankind has ever witnessed, and then bury the evidence. Do a search on "Intelligence Training System" or "Sentinal II" on their website and see if you can find the US$50Million of taxpayer money,
Re:How much respect does MITRE command? (Score:4, Informative)
Report is written in Word (Score:3, Interesting)
Title: Microsoft Word - 3DB823B-1ABD-0AA6.doc
Furthermore, the PDF file was created by http://createpdf.adobe.com [adobe.com] - which allows one to upload files and have them processed into PDF - 15 for free, more for $$$.
Seems like they didn't find out that ghostview [wisc.edu] allows you to generate pdf files as well as view them...
Report says GPL was the original (Score:3, Interesting)
"The General Public License (GPL) is the original FOSS license, and GPL software is simply FOSS software that is covered by the GPL."
Page 12
This report is really full of holes. In the chart it says that BSD and Artistic licensed software cannot be combined with closed source software.
A funny bit (Score:5, Funny)
Ironically, a thoroughly rigorous and systematic ban on DoD use of FOSS could also affect a number of proprietary product that rely on FOSS products that permit incorporation of FOSS into their closed-source products. For example, Microsoft Office uses the FOSS zlib collection of data compression software, and thus could technically be banned as a product that incorporates FOSS software.
MITRE...sounds familiar (Score:2)
Report makes no difference between OS and FS (Score:4, Interesting)
"The word free in FOSS refers not to fiscal cost, but to the autonomy rights that FOSS grants its users. (A better word for zero-cost software, which lacks such rights, is freeware.) The phrase open source emphasizes the right of users to study, change, and improve the source code, that is, the detailed design, of FOSS applications. Software that qualifies as free almost always also qualifies as open source, and vice versa, since both phrases derive from the same set of software user rights formulated in the late 1980s by Richard Stallman of the Free Software Foundation."
The writer of this report does not make a differentiation between Open Source and Free Software. He calls things under a BSD license with no cost, and no restriction on rights, freeware. (Freeware does not mean OSS. Freeware is closed source software that is given away at no cost.) While in the next sentence pushing the view that all OSS is GPL'ed.
This report is a grave disappointment.
Re:Report makes no difference between OS and FS (Score:5, Insightful)
The main conclusion of the analysis was that FOSS software plays a more critical role in the DoD than has generally been recognized. FOSS applications are most important in four broad areas: Infrastructure Support, Software Development, Security, and Research. One unexpected result was the degree to which Security depends on FOSS. Banning FOSS would remove certain types of infrastructure components (e.g., OpenBSD) that currently help support network security. It would also limit DoD access to and overall expertise in the use of powerful FOSS analysis and detection applications that hostile groups could use to help stage cyberattacks. Finally, it would remove the demonstrated ability of FOSS applications to be updated rapidly in response to new types of cyberattack. Taken together, these factors imply that banning FOSS would have immediate, broad, and strongly negative impacts on the ability of many sensitive and security- focused DoD groups to defend against cyberattacks.
I don't see where your disappointment comes up. The report shows that both OSS and Free Software are the major players in DoD sectors (well, I would be very admired if they wouldn't). Besides, it shows that all this FUD from M$ is a national danger to the US (and I would be HIGHLY admired if it wouldn't). Apart from some gaffes the report is superb.
Time to put Redmond on the rough nations list...
Re:Report makes no difference between OS and FS (Score:3, Insightful)
The report also makes no differentiation between Open Source Software like FreeBSD, OpenBSD, and Apache; and Free Software which generally always refers to software under the GPL or LGPL. Like Linux, gcc, or GNATS.
you're repeating a distinction which is usually made only for the purposes of criticizing the GPL. All the software you mentioned is Free Software [fsf.org]. It all grants you certain vital rights, such as the right to copy and the right to inspect and change. to repeat.. there is no distinction to be made. some of them are GPL-incompatible, and many are not copyleft ("viral") but this is not important for this paper.
also, from a user's point of view, this is mostly irrelevant. the "license wars" are between developers. to users, they grant the same freedoms.
finally, from the distant and unpleasant vantage point of most proprietary software, the gpl/non-gpl are pretty much identical. really, for most people, being able to copy the software at will is mind-boggling. "how do they make money", etc.
He calls things under a BSD license with no cost, and no restriction on rights, freeware.
No, he points out the distinction that "zero-cost software" which DOESN'T grant you the FOSS rights is NOT FOSS! This is an important and subtle distinction, because it's not just about price, but freedom to do certain things. I'm impressed by their understanding. I think you misread it.
While in the next sentence pushing the view that all OSS is GPL'ed.
no, it just says that they are very similar, and they both came from Stallman's ideas. which is still correct. open source is a weaker form of free software, but usually they grant you the same basic rights.
For the purposes of this document, it is completely correct and appropriate to mix OSS and FS together, and to concentrate on freedom rather than price.
i think the document is peachy keen, and it gives me a fat chubby.
COE (now NCES) will support Linux (Score:3, Interesting)
The good news is that the DoD is paying attention to Linux in a big way. Undoubtedly, Solaris, HP, and SGI were among a few of the favorite big ticket items that the DoD likes to purchase. However, there is a small number of people who are using linux. We're expecting that number to grow.
Mitre gets it -- they're pretty smart folks. But does the rank-and-file military? By and large -- no -- although there's more currently than say 18 months ago. Some are still caught up in the security problems linux has. Others are just ignorant by calling it "freeware" -- when linux really rises to a level above the typical "freeware" moniker.
The military is really a bargain buyer -- yes they don't want those M16's to explode -- but they don't want to be bled dry for a shoddy system, either. Especially when they have to report to a congressional subcommittee explaining why they blew billions of taxpayer dollars on incompatible systems.
price for this report... (Score:3, Funny)
The DoD has been asked to conduct internal software audit or trash MITRE report on FOSS.
GNAT is part of GCC (Score:5, Interesting)
Also, is RTLinux no longer considered free software, because it restricts more than the GPL due to patents?
Also, it looks like they do not use csh at all, which is under the BSD license, or pdksh, which is in the public domain; they are the default shells on OpenBSD.
They also missed Binutils from GNU, which is the assembler and linker for most open/free operating systems.
Also, are there not versions of sed and make and m4 and top that are under the BSD license?
Is perl not dual licensed, GPL and artistic?
Brilliant example of Microsoft (Score:5, Interesting)
I didn't even know Microsoft has that restrictive license. It says here that it "Specifically bans use of: GPL, LGPL, Artistic, Perl, Mozilla, Netscape, Sun Community, and Sun Industry Standards."
Microsoft's site [microsoft.com] shows the license. It's really true. This particular EULA seems to be for a "Microsoft Mobile Internet Toolkit Beta 2". They actually call OSS "Potentially Viral Software" in the license.
This is probably the reason for the MITRE report (Score:4, Insightful)
This report is probably an effort to build some evidence and support on why wholesale replacement of everything with off the shelf would add costs and hurt national security. Probably also explains IBM's (and others) shift to support Linux and variants over the past few years as they saw Microsoft tactics refined.
And, Microsoft's more recent license agreement language seems pointed at providing a legal reason why they need to be the only platform, since there are no technical reasons.
especially slimy (Score:3, Interesting)
What I find really distasteful is the above phrase's incorporation of "MIT". Microsoft tries to pass it off as standing for "Mobile Internet Toolkit", but personally I believe it was intended to sound like (and evoke the favorable sentiments associated with) the Massachusetts Institute of Technology AND the associated, like-named OSS license.
Bio of the author (Score:3, Informative)
Terry Bollinger
The MITRE Corporation
1820 Dolley Madison Blvd.,
W534 McLean, VA, 22102, USA
terry@mitre.org
Terry Bollinger currently works at The MITRE Corporation, where he focuses on distributed software and hardware architectures issues for U.S. Department of Defense information infrastructures. He is an editor for IEEE Software, and was one of two Special Editors for the Jan/Feb 1999 issue of IEEE Software on Linux and open source software methods.
Terry has had extensive experience at all levels of software development in the telecommunications industry, at NASA, and for the U.S. Department of Defense. Especially while working in the telecommunications industry, he has had extensive hands-on experience with both a wide range of software construction methods and approaches, and with the consequences of trying to apply some of these methods in "realistic" environments in which there is a typical spectrum of developer experience (e.g., what happens when C++ is applied in an environment consisting almost entirely of long-term functional C programmers). Terry also has a strong background in software reusability and software process, including an IEEE Software Best Paper on why software process improvement doesn't always give the kinds of results advertised, and is intrigued by the issue of why some programmers seem to be so much better at producing high-quality, stable code that endures over time. In terms of software construction issues, he is both highly familiar with the overall set of techniques involved (including newer methods such as graphical component based programming), and is strongly supportive of the need for good methods while also being healthily skeptical about a lot of the claims made for various software construction methods and tools.
Terry has M.S. and B.S. degrees in Computer Science from the University of Missouri at Rolla, and has been a member of IEEE for 23 years.
Re:PDF? (Score:2)
Re:PDF? (Score:3, Informative)
However, that's beside the point. You see, not everyone runs Windows, and not everyone wants to open a document that can come with little extras like macro virii.
Further,
Not that the parent wasn't a troll or anything...
Re:PDF? (Score:2)
Don't then. Download Open Office, buy Sun's Version, or use something like wordpad.
Re:PDF? (Score:2)
Re:PDF? (Score:2)