MITRE Corp. Report On Open Source In Government

Posted by timothy on Tue Oct 29, 2002 01:09 AM
from the who's-using-what-where-why dept.
Jeremy Allison (of the Samba team) writes "Very interesting paper just published by MITRE corporation. (In PDF - they've learned not to use Microsoft Word. :-). Highlights: 'The main conclusion of the article was that FOSS software plays a more critical role in the DoD than has generally been recognised.'; 'Create a "Generally Recognised as Safe" FOSS list ... including Linux, OpenBSD, NetBSD, FreeBSD, Samba, Apache, Perl, GCC, GNAT, XFree86, OpenSSH, bind, and sendmail.' 'FOSS' stands for 'Free and Open-Source Software.' Looks like these people 'get it.'"
  • Generally Recognised as Safe. (Score:4, Insightful)

    by Sivar (316343) <charlesnburns[NO@SPAM]gmail.com> on Tuesday October 29 2002, @01:13AM (#4553798)
    "Generally Recognised as Safe ... bind, and sendmail."

    I'm all for Unix server software, but BIND and Sendmail? True, they haven't been bad lately, but both of these are former poster children for the land of remote root exploits. Yet Qmail, djbdns, and Postfix--some of the most secure software ever made--are strangely absent.
    Well, it is the government. They are making progress in their own little way. :)
    • Re:Generally Recognised as Safe. (Score:5, Informative)

      by Sivar (316343) <charlesnburns[NO@SPAM]gmail.com> on Tuesday October 29 2002, @01:17AM (#4553814)
      Correction: Upon further inspection, Qmail is graciously listed, though the others seem to still be absent (unless I can't search properly).

      "Qmail is a FOSS replacement for Sendmail, the
      program that transfers emails between computers
      on the Internet. Qmail has improved security,
      reliability, and performance features."


      Yep, that pretty much sums it up. I'm impressed. :)
    • Re:Generally Recognised as Safe. (Score:5, Insightful)

      by GreatDave (620927) on Tuesday October 29 2002, @01:24AM (#4553841)
      I'll wager that the feds' decision not to mark, say, other MTAs as safe may be due to lack of adoption in the public and age of the code. Let's face it, Sendmail touches just about every email sent, anytime and anywhere. It's old code that has its nuances known. Sure, it's not a daemon but a demon, but by the DoD's logic, it can be trusted while something like qmail cannot.

      >They are making progress in their own little way. :)

      Military intelligence... if we ever understood it, we'd be arrested and our brains classified. :P
    • What the DoD is and isn't (Score:5, Insightful)

      by kryonD (163018) on Tuesday October 29 2002, @01:55AM (#4553931) Homepage Journal
      Just to add some info here. Just because an article talks about usage and approval of FOSS in the "DoD" (Department of Defense), it doesn't mean that there is significant usage. Remember that the DoD is comprised of some management overhead and three sub departments: Army, Navy, Air Force. While Linux may be used and even endorsed by the "DoD", its usage is not permitted without one hell of a waiver process in the Department of the Navy. Especially under NMCI (Navy Marine Corps Intranet), Linux is not even listed as an approved legacy system, much less something EDS will agree to support.

      Additionally, each branch of the service is autonomous in IT management, which means there are FOUR DIFFERENT ways of running a network with the associated FOUR sets of management overhead and of course, they aren't interoperable. This is a fairly generalized statement, but most of the systems I deal with daily in the Marine Corps are specific to us and don't work with the other services' systems despite the fact that they all do the EXACT SAME THING.

      So kids, the moral of the story is: Write your congressman and complain about the misuse of your tax dollars. And don't forget to tell them that free software == excuse for lower taxes == more votes for them.
      • Re:What the DoD is and isn't (Score:4, Informative)

        by Anonymous Coward on Tuesday October 29 2002, @03:19AM (#4554125)
        Linux is in widespread use in the Navy research lab that I work for. And our NMCI installation apparently does include Linux in some way as I have seen reports of "compatibility testing" that mentioned NT/2k/XP/Linux/Solaris and a couple others.

        Not to imply that NMCI isn't ridiculous and a huge waste of money. We're trying to fight it...

        And don't forget that most computers aren't desktops. We certainly don't have any MS OS on our many embedded computers.
      • Especially under NMCI(Navy Marine Corps Intranet), Linux is not even listed as an approved legacy system, much less something EDS will agree to support.

        I guess this means that if I want to mount a pirate attack on the DOD, I should make the Marines my beachhead?

        Sir! The enemy is sighted, and they are using ISS!

        Arrgh! Prepare to board them, and take no prisoners!
      • Linux IS used in the Marine Corps by LittleLebowskiUrbanA (Score:2) Tuesday October 29 2002, @07:45AM
      • Re:What the DoD is and isn't by rogueroo (Score:2) Tuesday October 29 2002, @09:31AM
    • Re:Generally Recognised as Safe. by MavEtJu (Score:1) Tuesday October 29 2002, @02:53AM
    • Re:Generally Recognised as Safe. by Twirlip of the Mists (Score:3) Tuesday October 29 2002, @03:04AM
      • Re:Generally Recognised as Safe. (Score:5, Informative)

        by novakreo (598689) <novakreoNO@SPAMgmail.com> on Tuesday October 29 2002, @03:40AM (#4554164) Homepage

        True, but then again Qmail has offered a USD $500 security guarantee [cr.yp.to] since 1997, which so far remains unclaimed. Sendmail does not, and since then they've had a number of security issues to deal with.

        As for its usage, Qmail at one stage included Hotmail among its users, so it has had a reasonable amount of testing and use.

      • Re:Generally Recognised as Safe. (Score:4, Interesting)

        by lewp (95638) on Tuesday October 29 2002, @03:54AM (#4554197) Journal
        Age of code doesn't always directly relate to security of code. Yes, Sendmail is older. While that means the code has been around to be looked at by more people, it also means it was written before security was even close to the priority it is today.

        Qmail, on the other hand (and Postfix, and others. Sorry if I don't mention everyone's favorite :P), was created from the start to be as secure as possible. It has the advantage of being able to build on many years of advancement in secure coding practices. For example, the way as little of its code is executed as root as possible gives it a big advantage. Sendmail 8.12 is moving in the same direction, but it's much newer than Qmail and, while I haven't gazed at the Sendmail source recently, I'd be willing to wager that getting it to play with privilege separation wasn't a trivial change.

        I'm not knocking Sendmail. I use it on a whole bunch of production boxes. It's familiar, easy to use, and works out of the box with everything. It's also fast enough to make it suitable for most environments and I have a whole lot of time invested in learning the various ways to configure and tweak it and how to fix it when it's being moody.

        That said, I also use Qmail on a regular basis. Of the two I keep a much closer eye on the Sendmail installations. Sendmail's current biggest known flaw is its history, and until something approximating that shows up in Qmail I'm more inclined to trust djb's baby (even though I put it in /usr/local/qmail. nyeh!).

        (Qmail also has the luxury of being the product of someone who comes off as a complete asshole. I can guarantee you that the fact that Qmail doesn't have any known security holes is not for a lack of trying. There are plenty of people who would *love* to find a hole in Qmail just to shut him up. I hope djb doesn't have mod points!)
    • djbdns & qmail (Score:5, Informative)

      by dasunt (249686) on Tuesday October 29 2002, @03:35AM (#4554153)

      I'm not trying to torch anybody's favorite software here, but both djbdns and qmail have drawbacks.

      The biggest issue is the license. Qmail is limited to source-code only distribution, with an exception being made for precompiled binaries if they behave exactly the same as qmail normally behaves. Information here [cr.yp.to]. This means that if you want qmail not to throw all of its binaries under /var and ignore most of /etc for configuration files (which it normally does), you have to compile and patch it by yourself. Also, there is no distributing patched versions, so if D. J. Bernstein dies tomorrow, qmail development is effectively frozen until qmail passes into the public domain decades later. That includes any security/performance patches, as well as ports to other architectures. Djbdns has a similar license.

      There is also compatibility. Djbdns does not support certain zone transfer mechanisms [linuxsecurity.com]. It ignores some IETF standards entirely and implements its own version instead. I get upset when Microsoft twists and corrupts public standards for its own ends, and I get upset when Bernstein does it as well. I'm lazy, I don't want to have to double-check if my DNS server supports a certain standard if my configuration changes. Qmail is more of a quibble, I don't like how it throws everything in /var. (And I'm not sure why the world needs QMTP.)

      I'm not saying that a lot of people and smaller sites won't find qmail/djbdns (and the rest of Bernstein's software) useful. They seem to be secure, and they do their job as long as everything is compatible.

      However, one of the reasons why I avoid proprietary software for many tasks is that I don't want to hitch my wagon to somebody else's horse. If I go with an MTA that is widely used and is GPL or BSDL, I am assured that development does not rest solely on one person. And if I go with standards-compliant software, it ends up being less of a hassle in the long run.

      Djbdns and Qmail aren't bad. But they have licenses that limit distribution and development, and they break interoperability.

    • Re:Generally Recognised as Safe. by geirt (Score:3) Tuesday October 29 2002, @05:19AM
    • Re:Generally Recognised as Safe. by Fweeky (Score:3) Tuesday October 29 2002, @07:20AM
    • Pity about the invective . . . by himi (Score:2) Tuesday October 29 2002, @07:23AM
  • Rock on. (Score:3, Funny)

    by LoudMusic (199347) on Tuesday October 29 2002, @01:15AM (#4553805)
    Nice to see some of our tax dollars not going to waste on over-priced under-powered software.

    I suppose this means there will be more job openings for geeks in government positions. Get out your resumes guys and gals ...
    • Re:Rock on. (Score:4, Funny)

      by Sivar (316343) <charlesnburns[NO@SPAM]gmail.com> on Tuesday October 29 2002, @01:21AM (#4553832)
      You may not want to work for the government in anything technical. Sure, you may get to play with some neat toys, but after seeing so many Sun Enterprise systems used as office mail servers -- sitting alongside NT database servers equipped with 64MB RAM, one tends to go insane. :)
      • Re:Rock on. by SN74S181 (Score:1) Tuesday October 29 2002, @02:30AM
      • Re:Rock on. by budalite (Score:3) Tuesday October 29 2002, @08:19AM
    • Re:Rock on. by Anonymous Cowrad (Score:2) Tuesday October 29 2002, @01:26AM
      • Re:Rock on. by SN74S181 (Score:2) Tuesday October 29 2002, @09:38AM
  • About time. (Score:4, Interesting)

    by carlmenezes (204187) on Tuesday October 29 2002, @01:17AM (#4553812) Homepage
    About time somebody did something like this. I mean, to the average Joe, the advantages of FOSS are obvious. But the DoD needs documents, papers...anything written. It's similar to businesses WANTING to pay for software and therefore keeping away from FOSS.

    I guess everyone was waiting for somebody to basically do a "study" or write a paper that could be quoted or "fallen back upon" if you will.

    Then again, this report is about the fact that FOSS already plays a more critical role. My point is, it's high time somebody came out and recognised the fact. Great job on the paper.
    • Re:About time. by tunah (Score:2) Tuesday October 29 2002, @01:49AM
      • Re:About time. by stefanlasiewski (Score:3) Tuesday October 29 2002, @02:18AM
    • Re:About time. by Shalome (Score:3) Tuesday October 29 2002, @01:55AM
    • Re:About time. by adaknight (Score:1) Tuesday October 29 2002, @03:02AM
      • Re:About time. by Black Copter Control (Score:2) Tuesday October 29 2002, @06:24AM
        • Re:About time. by Daniel Dvorkin (Score:3) Tuesday October 29 2002, @09:13AM
    • What if ... by SgtChaireBourne (Score:3) Tuesday October 29 2002, @03:06AM
  • PDF format freer than Word? (Score:5, Interesting)

    by coupland (160334) <[dchase] [at] [hotmail.com]> on Tuesday October 29 2002, @01:17AM (#4553813) Journal

    A very minor and unimportant comment:

    Most companies, when publishing in PDF format, do so not for openness but to protect against copying or modification.

    For example, my company works extensively with the FDA and we publish all our standard operating procedures (SOPs) in PDF format since it's so difficult to copy. We rely not on the openness of the format but on its limitations. Not earth-shattering, but I wanted to mention that PDF is not a particularly open format, despite its structures being well known.

  • by gmanske (312125) on Tuesday October 29 2002, @01:19AM (#4553823) Homepage
    If like me, you were wondering what the "Generally Recognised as Safe" reference was referring to, here's an excerpt of the executive summary of the report.

    This list would provide quick official recognition of FOSS (Free and Open-Source Software) applications that are:

    (a) commercially supported
    (b) widely used and
    (c) have proven track records of security and reliability (e.g. as measured by speed of closures of CERT reports in comparison to closed-source alternatives)

    Gmanske.

  • This is a pleasant surprise... (Score:4, Interesting)

    by GreatDave (620927) on Tuesday October 29 2002, @01:20AM (#4553825)
    While the Navy has its much-farted-upon attempt to build Win2k-powered "Smart Ships", the NSA has been developing SELinux (Security Enhanced Linux), their homebrew kernel.

    It seems that the right hand doesn't see what the left hand is doing. That's the USA federal government for you. However, based on the existence of the "safe" FOSS list, perhaps the DoD is rethinking their investments in eN Tee. I sure hope so, for the sake of national security. Meh.
    • Re:This is a pleasant surprise... (Score:5, Insightful)

      by mcubed (556032) on Tuesday October 29 2002, @01:59AM (#4553940) Homepage

      > It seems that the right hand doesn't see what the left hand is doing. That's the USA federal government for you.

      With all due respect to your example, I would rather each department of the government be allowed to implement its own solutions, at least based on my experiences working for large corporations (where the right hand often doesn't know what the right middle finger is doing). The most productive situations arise when divisions and departments are allowed to solve their own problems, rather than having some senior-level executive decided, "okay, this worked for marketing, so now everyone has to do it this way." Information sharing is important, of course, but forcing one-size-fits-all "solutions" can be counter-productive.

      Michael

    • Re:This is a pleasant surprise... by scrytch (Score:2) Tuesday October 29 2002, @11:55AM
  • Infers that GPL means better security (Score:5, Interesting)

    by AIXadmin (10544) on Tuesday October 29 2002, @01:20AM (#4553831) Homepage
    In this paragraph MITRE seems to infer that GPL'ed software is somehow more secure, or better able to be secured than other software.

    "For Security, use of GPL within
    groups with well-defined security boundaries should be encouraged to promote faster,
    more locally autonomous responses to cyber threats. "
    Page 3, Example 2.

    This really makes no sense to me. Especially when a good portion of the software they list as heavily used infrastructure tools such as "Linux, OpenBSD, NetBSD, FreeBSD, Samba, Apache, Perl, GCC, GNAT, XFree86, OpenSSH, bind, and sendmail" is NOT licensed under the GPL. (Yes, I realize some are, but the majority of that list are not.)

    Doesn't make a lot of sense. Considering most people would agree the most secure OS out there is OpenBSD.
  • Excerpt (Score:5, Insightful)

    by willpost (449227) on Tuesday October 29 2002, @01:21AM (#4553833)
    Banning Free and Open Source Software would remove certain types of infrastructure components (e.g., OpenBSD) that currently help support network security. It would also limit DoD access to -- and overall expertise in -- the use of powerful FOSS analysis and detection applications that hostile groups could use to help stage cyberattacks. Finally, it would remove the demonstrated ability of FOSS applications to be updated rapidly in response to new types of cyberattack. Taken together, these factors imply that banning FOSS would have immediate, broad, and strongly negative impacts on the ability of many sensitive and security focused DoD groups to defend against cyberattacks.

    Starting on page 32, there's a very nice glossary of common Free and Open Source acronyms.
  • Wait...another term? (Score:5, Funny)

    by Rhinobird (151521) on Tuesday October 29 2002, @01:29AM (#4553852) Homepage
    Isn't anybody gonna mention that RMS is going to say that FOSS should really be referred to as Dental/FOSS?
  • PDF? (Score:3, Insightful)

    by intermodal (534361) <`cargo' `at' `systemsalchemy.org'> on Tuesday October 29 2002, @01:33AM (#4553861) Homepage Journal
    Whatever happened to good old ASCII or ISO text files? Nothing says cross-platform like an ISO format.
    • Re:PDF? by fidget42 (Score:1) Tuesday October 29 2002, @01:52AM
    • Re:PDF? by Sivar (Score:3) Tuesday October 29 2002, @02:10AM
    • Re:PDF? by zulux (Score:3) Tuesday October 29 2002, @02:28AM
      • Re:PDF? by lemkebeth (Score:1) Tuesday October 29 2002, @02:53AM
    • Re:PDF? by Twirlip of the Mists (Score:2) Tuesday October 29 2002, @03:11AM
    • Re:PDF? by Simon Brooke (Score:2) Tuesday October 29 2002, @04:50AM
      • Re:PDF? by Jason Earl (Score:2) Tuesday October 29 2002, @01:56PM
  • by Shalome (566988) on Tuesday October 29 2002, @01:36AM (#4553871) Homepage
    I work for the DoD (and am lucky enough to work with MITRE folk as well), and we go for the open source solution whenever we can. Why? We're in security. We absolutely NEED to be able to hack our own code whenever necessary. We can't afford to be taken down by any sort of attack, whether it be a worm, virus, or directed attack -- and I'm not talking "afford" in the sense of a dollar amount. We also like to be able to do things like add signatures to our IDSs whenever we feel like it. We often notice and track new virus and worm activity before it "breaks." We can't wait for vendor updates.

    I've sat through meetings with vendor reps where certain office members tore the reps some new orifices. I've heard from a *major AV/Firewall company name deleted* rep "Oh, you use open source FREEWARE! Well, if you want to go with something totally insecure that has absolutely no support and you don't know exactly what the code actually does..." The rep then sat there in stunned silence as the department head launched into a detailed tirade about how every member of the office not only knew what the open source we used did, most of us could re-write it if we needed to. The rep actually blushed and admitted that if we could do that, we didn't need their product.

    Most of our offices do use Microsoft on most of the standard user desktops... but it's open source hacked-to-hell code that runs everything else around here! Well, aside from the gallons and gallons of coffee and Mountain Dew that runs the people..
  • PDF (Score:2, Insightful)

    by Anonymous Coward on Tuesday October 29 2002, @01:40AM (#4553878)
    If they wanted the paper to be in an open format, and still be able to preserve formatting, why not use HTML?
    • Re:PDF by Darth_Burrito (Score:3) Tuesday October 29 2002, @02:18AM
      • Re:PDF by Jordy (Score:2) Tuesday October 29 2002, @02:32AM
        • Re:PDF by SN74S181 (Score:1) Tuesday October 29 2002, @10:20AM
      • Re:PDF [ot] by slamb (Score:1) Tuesday October 29 2002, @04:18AM
      • Re:PDF (Score:4, Informative)

        by alannon (54117) on Tuesday October 29 2002, @05:25AM (#4554449)
        You hate PDF files with every fiber of your being?

        Good lord! What's with this rabid hatred of the PDF file format on Slashdot? I'm not referring only to this poster, but many others I've read on this story and others.

        Here's what PDF has going for it:

        As the parent poster attests to, it preserves formatting. While this is not always needed to the degree that PDF offers, if you are distributing documents that you intend to be printed, there are few alternatives. In fact, I can't really think of any others at the moment. HTML certainly doesn't count. TeX doesn't count (a tex file can't embed bitmap graphics or fonts inside it). Even Microsoft Word will re-flow your document the moment you open it if you have a different printer selected than the one it was last saved with.

        PDF is based on Postscript, but is really a subset of it and is not covered by any -patents- (I'll get to copyrights in a moment) as Postscript most certainly is. This means that with a thin Postscript wrapper, you can shove a PDF document at any Postscript (level 2 or higher) printer and it will happily print it.

        It is an open standard. How you define open is obviously a matter of great debate. The standard is published by Adobe and anyone can use that document to write a program that creates, reads or processes PDF documents. Adobe retains copyright of this standard, but gives permission for anyone to use it with ONE major stipulation: you cannot use the standard to write a tool that ignores the access controls built into the PDF standard.

        While I don't know the legal details of any of this, I don't really see why it would be illegal to clean-room reverse-engineer the standard to write a tool specifically for this purpose, but seriously, for any legit purpose, you can do whatever you want with it.

        PDF has a growing source of free software tools that can be used to create, render, slice, dice, etc, PDF files. This includes Ghostscript and a fantastic java library called iText. There is also a good C-library called PDFLib that has bindings for C, C++, java, perl, python and perhaps others. It is only partially open-source, though.

        Alright. PDF has this going against it:

        The already mentioned copyright standard issue.

        The PDF file format is not really designed to be easily editable. Pulling apart the bits that make up a PDF page basically involves rendering them using a pseudo-Postscript interpreter and turning that into editable objects. I do not know of an open-source tool that lets you do this. iText, Ghostscript and the closed portion of PDFLib allow you to pull apart pages from PDF documents and draw atop existing pages.

        When it comes down to it, not only is PDF relatively free, but quite a bit more free than some other formats that are quite popular in the open source community. Take mp3 as an example. It's covered by patents up the wazoo. But until Vorbis takes over the music industry (I, for one, am not holding my breath), that's what we'll have.

        PDF is a little bit of a compromise, but until someone invents an alternative that is compatible with all Postscript printers, can embed bitmaps, vector art and even fonts inside the file, looks decent both on screen and on the printer, has a large amount of commercial and open-source tools available... Well... I'm not holding my breath for that either.
        • Re:PDF by Darth_Burrito (Score:2) Tuesday October 29 2002, @01:35PM
      • Re:PDF by chthon (Score:1) Tuesday October 29 2002, @09:33AM
  • No surprise (Score:4, Interesting)

    by e5z8652 (528912) on Tuesday October 29 2002, @01:45AM (#4553898) Homepage
    I've always wondered about the supposed lack of "FOSS" at DoD. Aside from SE Linux, there are other quite public acknowledgements of support for open source software. From the back of the OpenBSD 3.1 CD case:

    "This effort sponsored in part by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Material Command, USAF, under agreement number F30602-01-2-0537"

    Kind of a big hint that someone somewhere in DoD thinks highly of OpenBSD.

    Of course, this support may have since been reduced or eliminated due to the same pressure that the NSA faced with SE Linux.
  • How much respect does MITRE command? (Score:3, Insightful)

    by burgburgburg (574866) <splisken06NO@SPAMemail.com> on Tuesday October 29 2002, @01:46AM (#4553905)
    How well is the MITRE Corporation regarded in general? How well are they thought of by the government in particular? How influential will their word on things be?

    By the way, the document summary shows that it was originally a Microsoft Word Doc titled "Microsoft Word - 3DBD823B-1ABD-0AA6.doc" with the author being www.

    Interesting that the DOD uses GnuPG, Linux, Linux (Red Hat), FreeBSD, NetBSD, OpenBSD, OpenOffice, Perl, Perl CGI Scripts, PerLDAP, PHP, Tcl/Tk and TCP Wrappers, amongst others.

    • by Shalome (566988) on Tuesday October 29 2002, @01:50AM (#4553915) Homepage
      quoth the poster:
      > How well is the MITRE Corporation regarded in general? How well are they thought of by the government in particular? How influential will their word on things be?

      You're kidding, right?

      On the front page of MITRE's website [mitre.org]: MITRE is a not-for-profit national resource that provides systems engineering, research and development, and information technology support to the government. It operates federally funded research and development centers for the DOD, the FAA, and the IRS, with principal locations in Bedford, Massachusetts, and Northern Virginia.

      Trust me, they're extremely highly regarded and their analysis carries quite a bit of weight.
      • by Jeremiah Cornelius (137) on Tuesday October 29 2002, @02:00AM (#4553942) Journal
        Not only this, Mitre are the origin of the Capabilities Maturity Model - in conjunction with CMU.

        Process and methodology kings, par excellence.

        Do you want to know how to do something right? Do you want to know how to repeat the performance? Mitre are your experts in the field.

        If your organization has a job-title of "Program Manager", there is at least a passing nod to the CMM processes outlined by Mitre, which breaks down all process and initiative into functional program areas.

    • by Ektanoor (9949) on Tuesday October 29 2002, @03:12AM (#4554112) Journal
      MITRE is a DoD child, created in the heat of the Cold War. It was and probably still is one of the best brainstorm centers in the world. And DoD loves it a lot. Besides, MITRE is one of the historic hallmarks on computer development. It was one of the organisations that tightly worked with ARPA in the 60's. So, in some way they can be the aunties of Internet. Many other things we use today were also developed by MITRE. So DoD will probably listen to its giant child.
    • Re:How much respect does MITRE command? by dwheeler (Score:2) Tuesday October 29 2002, @09:59AM
    • Re:How much respect... not much from me. by bobalu (Score:1) Tuesday October 29 2002, @02:20PM
  • Report is written in Word (Score:3, Interesting)

    by ronys (166557) on Tuesday October 29 2002, @01:56AM (#4553933) Journal
    Open with Acrobat Reader, File->Document Properties->Summary... reveals:

    Title: Microsoft Word - 3DB823B-1ABD-0AA6.doc

    Furthermore, the PDF file was created by http://createpdf.adobe.com [adobe.com] - which allows one to upload files and have them processed into PDF - 15 for free, more for $$$.

    Seems like they didn't find out that ghostview [wisc.edu] allows you to generate pdf files as well as view them...

  • Report says GPL was the original (Score:3, Interesting)

    by AIXadmin (10544) on Tuesday October 29 2002, @01:56AM (#4553934) Homepage
    Last I checked the BSD's were first:
    "The General Public License (GPL) is the original FOSS license, and GPL software is simply FOSS software that is covered by the GPL."
    Page 12

    This report is really full of holes. In the chart it says that BSD and Artistic licensed software cannot be combined with closed source software.
  • A funny bit (Score:5, Funny)

    by Vireo (190514) on Tuesday October 29 2002, @02:01AM (#4553943)
    In page 22:

    "Ironically, a thoroughly rigorous and systematic ban on DoD use of FOSS could also affect a number of proprietary product that rely on FOSS products that permit incorporation of FOSS into their closed-source products. For example, Microsoft Office uses the FOSS zlib collection of data compression software, and thus could technically be banned as a product that incorporates FOSS software."
  • by 0x0d0a (568518) on Tuesday October 29 2002, @02:03AM (#4553951) Journal
    Weren't they the defense contractor with the absolutely awful security in Cliff Stoll's _The Cuckoo's Egg_?
  • by IEforLinux (462061) on Tuesday October 29 2002, @02:03AM (#4553952)
    Yes, there may be holes in the article, but overall it just makes sense for the people in the defense industry to use open source. Their GRAS list is rather accurate - and don't forget, in essence, that any system is only as stable as the sysadmin behind it; that goes for NT networks as well.
  • by AIXadmin (10544) on Tuesday October 29 2002, @02:03AM (#4553954) Homepage
    The report also makes no differentiation between Open Source Software like FreeBSD, OpenBSD, and Apache; and Free Software, which generally always refers to software under the GPL or LGPL, like Linux, gcc, or GNATS.

    "The word free in FOSS refers not to fiscal cost, but to the autonomy rights that FOSS grants its users. (A better word for zero-cost software, which lacks such rights, is freeware.) The phrase open source emphasizes the right of users to study, change, and improve the source code, that is, the detailed design, of FOSS applications. Software that qualifies as free almost always also qualifies as open source, and vice versa, since both phrases derive from the same set of software user rights formulated in the late 1980s by Richard Stallman of the Free Software Foundation."

    The writer of this report does not make differentation between Open Source and Free Software. He call's things under a BSD license with no cost, and no restriction on rights, freeware. (Freeware does not mean OSS. Freeware is closed source software, that is given away at no cost.) While in the next setence pushing the view that all OSS is GPL'ed.

    This report is a grave disapointment.
    • by Ektanoor (9949) on Tuesday October 29 2002, @02:58AM (#4554079) Journal
      You didn't get the point. The problem this report tries to cover is not about costs but about the ability to control the software you use. And that's what the DoD is concerned about. And the report notes that DoD is damn dependent on FOSS:

      The main conclusion of the analysis was that FOSS software plays a more critical role in the DoD than has generally been recognized. FOSS applications are most important in four broad areas: Infrastructure Support, Software Development, Security, and Research. One unexpected result was the degree to which Security depends on FOSS. Banning FOSS would remove certain types of infrastructure components (e.g., OpenBSD) that currently help support network security. It would also limit DoD access to and overall expertise in the use of powerful FOSS analysis and detection applications that hostile groups could use to help stage cyberattacks. Finally, it would remove the demonstrated ability of FOSS applications to be updated rapidly in response to new types of cyberattack. Taken together, these factors imply that banning FOSS would have immediate, broad, and strongly negative impacts on the ability of many sensitive and security-focused DoD groups to defend against cyberattacks.

      I don't see where your disappointment comes up. The report shows that both OSS and Free Software are the major players in DoD sectors (well, I would be very admired if they wouldn't). Besides, it shows that all this FUD from M$ is a national danger to the US (and I would be HIGHLY admired if it wouldn't). Apart from some gaffes, the report is superb.

      Time to put Redmond on the rough nations list...
    • Re:Report makes no difference between OS and FS by Anonymous Coward (Score:3) Tuesday October 29 2002, @03:16AM
    • Re:Report makes no difference between OS and FS by InternalWave (Score:1) Tuesday October 29 2002, @03:45AM
    • Re:Report makes no difference between OS and FS by hdw (Score:1) Tuesday October 29 2002, @05:01AM
    • Re:Report makes no difference between OS and FS by T.E.D. (Score:2) Tuesday October 29 2002, @09:31AM
  • FOSS? (Score:1, Redundant)

    by captaineo (87164) on Tuesday October 29 2002, @02:14AM (#4553985)
    I know it's DoD SOP to coin TLAs for everything, but FOSS is just lame. Reminds me of dental FOSS.

    Guess they couldn't use OSS, cause that's another government agency, right? What about DFSG...
    • Re:FOSS? by chthon (Score:1) Tuesday October 29 2002, @09:41AM
    • I like the acronym by spitzak (Score:2) Tuesday October 29 2002, @12:57PM
  • COE (now NCES) will support Linux (Score:3, Interesting)

    by Anonymous Coward on Tuesday October 29 2002, @02:19AM (#4553999)
    I work in the trenches so-to-speak.

    The good news is that the DoD is paying attention to Linux in a big way. Undoubtedly, Solaris, HP, and SGI were among a few of the favorite big ticket items that the DoD likes to purchase. However, there is a small number of people who are using linux. We're expecting that number to grow.

    Mitre gets it -- they're pretty smart folks. But does the rank-and-file military? By and large -- no -- although there's more currently than, say, 18 months ago. Some are still caught up in the security problems linux has. Others are just ignorant, calling it "freeware" -- when linux really rises to a level above the typical "freeware" moniker.

    The military is really a bargain buyer -- yes, they don't want those M16's to explode -- but they don't want to be bled dry for a shoddy system, either. Especially when they have to report to a congressional subcommittee explaining why they blew billions of taxpayer dollars on incompatible systems.

  • price for this report... (Score:3, Funny)

    by u19925 (613350) on Tuesday October 29 2002, @02:31AM (#4554025)
    The BSA has asked MITRE to conduct internal software audit or pay 10 Million dollars.

    The DoD has been asked to conduct internal software audit or trash MITRE report on FOSS.

  • "They Get It" (Score:1)

    by SyniK (11922) <tom@@@gamerzday...com> on Tuesday October 29 2002, @02:43AM (#4554046) Homepage Journal
    Good, I'm glad they get it.

    Now let's slashdot the 1.5 meg PDF file and have them get it some more.

    Text you fools!
  • GNAT is part of GCC (Score:5, Interesting)

    by norwoodites (226775) <pinskia@@@gmail...com> on Tuesday October 29 2002, @03:18AM (#4554122) Journal
    Yes, that is right. Even though the paper makes it sound like GNAT is a separate project from GCC, they are now one, GCC (GNU Compiler Collection). Their description says they are one now, but I think this description was copied from each of their web sites.

    Also, is RTLinux no longer considered free software, because it restricts more than the GPL due to patents?

    Also, it looks like they do not use csh at all, which is under the BSD license, or pdksh, which is in the public domain; they are the default shells on OpenBSD.

    They also missed Binutils from GNU, which is the assembler and linker for most open/free operating systems.

    Also, are there not versions of sed and make and m4 and top that are under the BSD license?

    Is perl not dual licensed, GPL and Artistic?
  • Brilliant example of Microsoft (Score:5, Interesting)

    by magi (91730) on Tuesday October 29 2002, @03:59AM (#4554211) Homepage Journal
    The document is an enjoyment to read. It has a few pearls which are especially enlightening. One of these is a table illustrating the actual freedoms and restrictions placed by various licences, for example the GPL and Microsoft's MIT EULA:

    "Properties (a) through (e) in the table examine the ability of a license to co-exist with other types of software, e.g., the ability of FOSS licenses to co-exist with proprietary software. In this category, the most exclusive license is easily the Microsoft MIT EULA license, which prohibits a number of FLOSS licenses from co-existing on the same platform as the EULA software. No other FLOSS or proprietary license encountered during the survey came close to this level of exclusivity. The GPL takes a very distant second place for exclusivity, since it forbids design-time incorporation of GPL source code into non-GPL source code. However, unlike the Microsoft MIT EULA, the GPL places no constraints on software simply running on the same system, and actually goes out of its way not to intrude on other licenses outside of that context."

    I didn't even know Microsoft had such a restrictive license. It says here that it "Specifically bans use of: GPL, LGPL, Artistic, Perl, Mozilla, Netscape, Sun Community, and Sun Industry Standards."

    Microsoft's site [microsoft.com] shows the license. It's really true. This particular EULA seems to be for a "Microsoft Mobile Internet Toolkit Beta 2". They actually call OSS "Potentially Viral Software" in the license.
    • Re:Brilliant example of Microsoft by Ektanoor (Score:2) Tuesday October 29 2002, @07:20AM
    • Re:Brilliant example of Microsoft by Eythian (Score:1) Tuesday October 29 2002, @08:09AM
    • by Mr. No Skills (591753) <lskywalker.hotmail@com> on Tuesday October 29 2002, @09:29AM (#4555377) Journal
      The DoD is under tremendous pressure to have Microsoft blessed as the only products they use, as Microsoft has learned how to lobby and started throwing lots of money at this. The government is a huge purchaser of systems, and there are many legacy things out there. Since the past 10 years or so have brought many fresh college grads into the workforce, many of whom only know Microsoft products, there is pressure on the technical selection folks to replace with Microsoft since those precious MCSE's only know these platforms.

      This report is probably an effort to build some evidence and support on why wholesale replacement of everything with off the shelf would add costs and hurt national security. Probably also explains IBM's (and others) shift to support Linux and variants over the past few years as they saw Microsoft tactics refined.

      And, Microsoft's more recent license agreement language seems pointed at providing a legal reason why they need to be the only platform, since there are no technical reasons.
    • especially slimey by sacrilicious (Score:3) Tuesday October 29 2002, @11:56AM
  • In other news... (Score:2)

    by karlm (158591) on Tuesday October 29 2002, @06:58AM (#4554676) Homepage
    For simplicity, KFC set up the world's largest billboard in its employees-only parking lot, facing company headquarters. The billboard contained the Colonel's secret recipe. A local photographer is being sued for taking an oblique picture of the sign from a nearby freeway.

    Seriously. There are established procedures for keeping people out. If you're not at a very minimum using HTTP Basic authentication, it's the equivalent of setting up a billboard, or leaving a stack of papers face down on a public sidewalk in hopes nobody flips the stack over. Reasonable and innocent curiosity is not a crime, nor is reasonable reporting of the results of such.

    A friend once got sued for using a "guest" dialup account with a null password from a local telco back in the early 1990s, when net access was damn expensive and for the most part not available to kids. He didn't set up a BBS or crack any password files. He just used the guest account to telnet into some MUDs and read some newsgroups. Luckily, the jury decided it was reasonable for him to assume that as a customer, the "guest" account with no attempts made to restrict access applied to him.

    If you put a table in your front yard with a "free" banner hanging over it, it's kinda hard to charge someone for trespassing if they walk up and eat a few brownies off the table when you weren't around. Maybe it is your yard and maybe they were your brownies, but you implied consent in a major way by putting them out there in that context. If you really only meant for the paper cups next to the brownies to be free, it's your problem. In fact, it's false advertising if you try and collect damages.

  • Connection Refused (Score:1)

    by CemeteryWall (587346) on Tuesday October 29 2002, @07:32AM (#4554789)
    I get "Connection Refused" from the link to the article.
  • PDF (Score:1)

    by JoeCotellese (126966) <`ten.eselletoc' `ta' `eoj'> on Tuesday October 29 2002, @08:46AM (#4555130) Homepage
    (In PDF - they've learned not to use Microsoft Word. :-). OK, and how is PDF any better than Word?
  • by ectropy777 (162718) on Tuesday October 29 2002, @08:46AM (#4555137)
    The USA or DoD does not class me as an IT Specialist.

    I have never worked in an IT slot in the USA or DoD.

    I had a Linux PC up running a test Apache website in the ".mil" domain back in 1997. I developed a very basic one-week Linux course for and delivered it to key personnel for a couple of "train-the-trainer" sessions. I am also not a trained instructor and/or BS type person. I also did similar (except for time line) with Cisco, telephone circuit and packet switching networks.... So, ... those folks who does-do and y'all reflect great credit on others, but not .... I still very much enjoy whatever jobs I end up doing, and only need to last another 10 years at it, then I am out the door.

    Okay, why AFT, Yippee, Dang, because in non-social situations, I have always believed that security is greatly helped when you can be sure of every line that may be used against you. Then you can hope that you are smart enough in the environment and no line goes over your head. So, god bless the USA and pseudo-savants everywhere.

    Jadi

  • They SHOULD Get It (Score:2)

    by Compulawyer (318018) on Tuesday October 29 2002, @09:32AM (#4555399)
    After all, they're MIT. MITRE stands for MIT Research. For the uninitiated, MIT is Massachusetts Institute of Technology.
  • Misleading... (Score:1)

    by kevlar (13509) on Tuesday October 29 2002, @09:38AM (#4555464)
    A common assumption about FOSS licenses such as GPL is that their transitive user rights means they cannot be used with non-FOSS (e.g., government or proprietary) software. However, this is generally not the case; such mixing can generally be done in various ways. For example, even GPL with its strong protection of transitive user rights provides a number of mechanisms to allow such mixing (Figure 1). Microsoft provides a good example of an innovative use of one such mixing strategy in their Windows Services for Unix (SFU) product.


    This is an incredibly misleading statement. Nobody has ever assumed that GPL software cannot be used on the same system as proprietary software. This ignores the fact that you cannot link a GPL library into your proprietary code. For a company that writes top secret material, this is somewhat concerning that they would ignore this.
  • aaugh (Score:1)

    by headonfire (160408) on Tuesday October 29 2002, @10:05AM (#4555719)
    "so 'many 'quotes'; (and) "random?" 'punctuation!"' 'HELP!'"
  • Bio of the author (Score:3, Informative)

    by benploni (125649) on Tuesday October 29 2002, @11:35AM (#4556411) Journal
    It was written by:

    Terry Bollinger

    The MITRE Corporation
    1820 Dolley Madison Blvd.,
    W534 McLean, VA, 22102, USA
    terry@mitre.org

    Terry Bollinger currently works at The MITRE Corporation, where he focuses on distributed software and hardware architectures issues for U.S. Department of Defense information infrastructures. He is an editor for IEEE Software, and was one of two Special Editors for the Jan/Feb 1999 issue of IEEE Software on Linux and open source software methods.

    Terry has had extensive experience at all levels of software development in the telecommunications industry, at NASA, and for the U.S. Department of Defense. Especially while working in the telecommunications industry, he has had extensive hands-on experience with both a wide range of software construction methods and approaches, and with the consequences of trying to apply some of these methods in "realistic" environments in which there is a typical spectrum of developer experience (e.g., what happens when C++ is applied in an environment consisting almost entirely of long-term functional C programmers). Terry also has a strong background in software reusability and software process, including an IEEE Software Best Paper on why software process improvement doesn't always give the kinds of results advertised, and is intrigued by the issue of why some programmers seem to be so much better at producing high-quality, stable code that endures over time. In terms of software construction issues, he is both highly familiar with the overall set of techniques involved (including newer methods such as graphical component based programming), and is strongly supportive of the need for good methods while also being healthily skeptical about a lot of the claims made for various software construction methods and tools.

    Terry has M.S. and B.S. degrees in Computer Science from the University of Missouri at Rolla, and has been a member of IEEE for 23 years.
  • Highlight quote (Score:1)

    by stephandahl (166080) on Tuesday October 29 2002, @03:16PM (#4558386)
    Highlight from the report:

    In short, FOSS [Free Open Source Software] seems to work best when people come to it, not vice versa.

  • by geekee (591277) on Tuesday October 29 2002, @04:01PM (#4558813)
    The definition of free in the article quotes Stallman's definition of free. A part of Stallman's definition of Freedom is:

    "The freedom to redistribute copies so you can help your neighbor (freedom 2)." and

    "The freedom to improve the program, and release your improvements to the public, so that the whole community benefits. (freedom 3). Access to the source code is a precondition for this."

    Does anyone else notice how the word freedom in these statements should be replaced with condition, i.e.:

    "The condition that you must redistribute copies so you can help your neighbor (freedom 2)." and

    "The freedom to improve the program, under the condition that you release your improvements to the public, so that the whole community benefits. (freedom 3). Access to the source code is a precondition for this."

    This is a strange definition of freedom if you ask me. It means that an individual working on software derivatives for whatever purpose must sacrifice his work "for the public good"; a very blatant socialist mentality which ultimately restricts the rights of an individual to personally benefit from his own labor. Now, this is all well and good when people volunteer to work anyway, and sacrifice their individual rights. Just don't expect companies to pay people to help develop this software, since the company cannot gain any value from the software mods, other than for actual internal use in the company. This will ultimately restrict the use of this FOSS software in the DoD in this case, if any software mods are necessary for classified applications, for instance. We've already seen companies like Apple and TiVo pass over linux for FreeBSD, because BSD really is free, i.e. no GPL.
  • GPLed libraries (Score:1)

    by RDPIII (586736) on Wednesday October 30 2002, @08:22PM (#4570007) Journal
    I was a bit disappointed to read about the potential scenarios for using GPLed libraries on page 24 of this otherwise excellent report. One could easily misread the report as saying: if you develop some code that crucially relies on a GPLed library, then you've thus created GPLed software. But that's far from being the case for in-house research or development. If you never release any of your code or binaries (correct me if I'm wrong), you can use supporting GPLed libraries.
  • Last Post! (Score:1)

    by alpg (613466) on Tuesday November 12 2002, @01:29PM (#4652500) Homepage
    There was a writer in 'Life' magazine ... who claimed that rabbits have
    no memory, which is one of their defensive mechanisms. If they recalled
    every close shave they had in the course of just an hour life would become
    insupportable.
    -- Kurt Vonnegut

    - this post brought to you by the Automated Last Post Generator...
  • Re:PDF? (Score:1)

    by Charles Dodgeson (248492) <jeffrey@goldmark.org> on Tuesday October 29 2002, @01:38AM (#4553873) Homepage Journal
    PDF files also tend to be huge compared to .doc files, so it's slower to download too!

    OK. I'll bite on your trolling attempt.

    Let's see, that was a 200 page document with several figures at 1.44Mb. I'd be curious to know how big an MS-Word file it would be.

    Anyway, I've got a rant about MS-Word for document exchange [goldmark.org].

    • Re:PDF? by GoatPigSheep (Score:1) Tuesday October 29 2002, @01:46AM
      • Re:PDF? by King of the World (Score:2) Tuesday October 29 2002, @02:14AM
        • Re:PDF? by lemkebeth (Score:1) Tuesday October 29 2002, @02:41AM
          • Re:PDF? by lemkebeth (Score:1) Tuesday October 29 2002, @03:05AM
  • Re:PDF? (Score:1)

    by failrate (583914) on Tuesday October 29 2002, @01:48AM (#4553908) Homepage
    Why use .doc at all, when a plain-text file could be viewed on any system. Or hell, do it in .html. But the fact of the matter is that most of the people who would really be interested in this document are probably using a flavor of *nix.
  • Re:PDF? (Score:2)

    by Arandir (19206) on Tuesday October 29 2002, @01:52AM (#4553923) Homepage Journal
    Please don't make me laugh! I just got my stitches out and it hurts!
  • Re:PDF? (Score:3, Informative)

    by Sivar (316343) <charlesnburns[NO@SPAM]gmail.com> on Tuesday October 29 2002, @02:06AM (#4553964)
    If you actually tried to open up any but the most basic Word document in Wordpad, it butchers the document. Try it.
    However, that's beside the point. You see, not everyone runs Windows, and not everyone wants to open a document that can come with little extras like macro virii.

    Further, .PDF documents are extremely common. Get used to it. If you really can't stand to have to download extra software to view such a common format, you'll be happy to know that most Linux distributions come with at least one .PDF viewer.

    Not that the parent wasn't a troll or anything...
  • Re:PDF? (Score:2)

    by Darth_Burrito (227272) on Tuesday October 29 2002, @02:07AM (#4553969)
    I hate it when I have to buy a $400 program to view .doc file..:-)

    Don't then. Download Open Office, buy Sun's Version, or use something like wordpad.
    • Re:PDF? by lemkebeth (Score:1) Tuesday October 29 2002, @02:49AM
  • Re:PDF? (Score:2)

    by Darth_Burrito (227272) on Tuesday October 29 2002, @02:10AM (#4553975)
    Don't then. Just use Open Office.
  • Re:PDF? (Score:1)

    by King of the World (212739) on Tuesday October 29 2002, @02:17AM (#4553993) Journal
    Show me a format that's cross-platform, has the concept of headers/footers and has formatting.

    Oh, right, rtf...
  • Re:PDF? (Score:1)

    by lemkebeth (568887) on Tuesday October 29 2002, @02:44AM (#4554047)
    Not exactly.

    Try opening a .doc file produced by the most recent version of Word for Windows under Windows 2000. I think you will be surprised to find it won't be readable.
  • Re:XP Home is $89. (Score:1)

    by lemkebeth (568887) on Tuesday October 29 2002, @02:46AM (#4554051)
    Are you sure it will open that word file?

    I can't remember now if XP Home updated WordPad, but the version that comes with Win2000 can't open the latest version of MS's Word format.