Defense Dept. Memo Explains Open Source Policy 387
TonyStanco writes "Big news. DoD issued a policy statement leveling the playing field for Open Source. We have the memo on the Center of Open Source & Government site." The requirements listed in this memo make me think of a company policy along the lines of "You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider." See this PDF for more information about National Security Telecommunications and Information Systems Security Policy (NSTISSP) number 11.
OSSis not a toddler. (Score:3, Insightful)
Except it's not really like that is it?
OSS is not a toddler - it's tends to be just as mature as proprietry equivilants.
So it should be covered by similar guidlines.
Which is all memo says really.
Maybe time to change attitude a bit (Score:5, Insightful)
I think the FOOS community notably the ones (like me) that do not write code but tries to get FOOS into the corporations, increasingly need to stress the fact that it comes with strings attached and that the corporations need to make sure that those strings is being honored.
No problem (Score:3, Insightful)
Re:Justification.... (Score:5, Insightful)
Whatever
Sure, the nice high tech stuff is out in the field, but Joe Government is working off a 95 box hooked up to an NT network most likely, with 3270's into some ancient mainframe or some Sun system.
This is where OSS can make a big impact. Shit, half the IT guys in the government are UNIX guys, where do you think they've been hiding? Right next to the Novell Guys. All of a sudden, thousands of "out of date" UNIX guys are competitive with linux, and they're bringing in new blood to supplement them, because many are close to retirement. All the while their outdated Win and proprietary UNIX systems are nearing EOL, with nary a vendor in sight.
You couldn't get a better situation for FOSS in the government right now. Someone's gotta replace those big nasty mainframe's and NT 3.51 boxen. Some of us make a decent living doing it.
What I'd like to know... (Score:3, Insightful)
hmmm... (Score:5, Insightful)
I work for the government, so maybe I am more used to seeing security requirements for everything, but I didn't get that impression at all. We expect everything to talk, feed itself, and stick effortlessly to the ceiling all the while being secure. The government (DoD, DoE, etc) is probably one of the biggest users and innovaters of open source so I wouldn't get too feisty. The only reason people (managers) get a little hesitant about Open Source is blame. When something drops on the floor, they want someone to point the finger at, someone we have a contract with so that they can fix it reducing personal liability. Enter Microsoft with contracts in hand.
Re:Contracs (Score:5, Insightful)
True, the core Linux maintainers could die or quit at any time. So could a software company drop a given application or operating system. For example, my company used a CRM called Vantive that was vastly superior in terms of ease of use and custimozation compared to PeopleSoft 8. We have in-house programmers that are very adept at coding for it. But PeopleSoft bought Vantive and dis-continued it. A few bugs sprang up that required access to certain source code that we didn't have. The answer? Pay 2 million (absolutely no exagueration) for People Soft 8 and go through the process of buying better servers and changing the structure of your Oracle databases "if you need future support for a PeopleSoft CRM". And yes, we had a service contract.
But the beauty of open source insures that others will pick up where they left off. It happens with alomst every popular and useful open source project whose lead developers quit. In the case of Linux, you would have people from companies like Redhat, Suse, and IBM ready to take the lead. The costs of such a change of "power" is rarely passed on to the consumer. Also, the really good analysts do,/i> factor in the cost of hiring contractors to specialize your code.
Re:Contracs (Score:5, Insightful)
I don't think you understand how OSS works. See, if Linus&Co decide to stop whatever they're doing and go live fat and happy in Silicon Valley or somewhere, 'we' still have the code. Anyone can take it and continue the development -worst case scenario, they can't call it 'Linux' anymore. However, if Microsoft says 'well, that's all, folks! We'll start selling beach balls from now on!', there's not a single thing anyone can do about it. And no one can continue the development of those systems.
E
Re:Contracs (Score:5, Insightful)
Oh please, no one has ever sued Microsoft for lack of "service," and it is not because Microsoft products are perfect either.
Not only that, but Microsoft has done just about every other unfriendly thing that a software vendor can do. They have stopped development of projects, created spurious incompatibilities, and sold bugs as "features." If the government paid IBM (or RedHat or whomever) half of what they currently spend on Microsoft software they could almost certainly get a real service contract for a huge pile of Free Software, and if they didn't like the service they got, they could take that money next year and hire someone else without having to switch software.
I agree that there are costs to switching to Free Software, and I definitely agree that Free Software can't currently fill everyone's computer needs, but your arguments against Linux amount to nothing more than FUD. There are plenty of valid reasons for not choosing Linux. However, service, support, and longterm viability are all parameters that favor Linux.
Re:Contracs (Score:3, Insightful)
And that doesn't necessarily preclude a successful lawsuit, should the government choose to persue it. If a root exploit were discovered and widely used, and it affected government servers, and Microsoft chose not to do anything about it, I suspect they would be sued and the US would win.
True, the core Linux maintainers could die or quit at any time. So could a software company drop a given application or operating system.
But not for the duration of the service contract or, again, there would be repercussions. While this is part of the way Microsoft controls the market, it is also a guarantee of service. If the OSS developer drops the project, there is no guarantee that anyone will pick it back up. It may be likely, but that's not good enough for many officials. Without something in writing, there's no real security in your purchase/training.
Skipping around:
And yes, we had a service contract.
Sounds like your legal department didn't do their job. Either the contract had some holes or PeopleSoft should have had their asses sued off.
You're first assumption was right, sort of (Score:4, Insightful)
If the software was GPL, it wouldn't matter how the contract was structured, because our programmers could have fixed the code. Instead, 2 million bucks was spent.
And PeopleSoft is not liable or accountable, because all they did was gain ownership of the closed code. The agreement of assurance was specifically with Vantive. We didnt' buy the patented works itself (which wasn't an option, and People Soft refused to sell Vantive after-the-fact).
As a side note, PeopleSoft 8 is laughable. I could design a better tool using PHP-Nuke (I actually hacked up a solution that was based on PHP-nuke for real simple CRM fucntions to show that it could be done - it was ignored, of course).
Re:Contracs (Score:5, Insightful)
Re:Questions: OSS and Dod? (Score:4, Insightful)
Re:Gawd. If code were written that way . . . (Score:2, Insightful)
Re:Contracs (Score:5, Insightful)
You are kidding, right? Windows is full of holes, and many of have been around for years by the time people get around to using them for break-ins, including into government computers. I don't know whether the US government could, in theory, win, but in practice, they don't seem to be sueing.
If the OSS developer drops the project, there is no guarantee that anyone will pick it back up. It may be likely, but that's not good enough for many officials. Without something in writing, there's no real security in your purchase/training.
Microsoft drops products constantly. And when Microsoft does that, you are completely stuck because nobody can pick up the software.
Perhaps what's confusing you is that Microsoft refers to many different, incompatible products using the same trademark. But that doesn't do you any good when your programs stop running.
The reality of it all is that if you buy Microsoft, not only do you have to put up with buggy software, but you get no guarantees, you have to expect security holes and accept the risk for them yourself, you can't fix anything, and the software likely has a much shorter usable life than comparable open source software.
Re:OSSis not a toddler. (Score:4, Insightful)
So it should be covered by similar guidlines.
Which is all memo says really.
Mostly. But I found couple of things that bothered me a little:
"OSS refers to software that is copyrighted and distributed under a license that provides everyone the right to use, modify and redistribute the source code of software. Open source licenses impose certain obligations on users who exercise these rights." [Emphasis mine]
This is not entirely true. Most open source licenses that I know of do not impose any obligations on *use* of the software (unless you consider warranty disclaimer as an obligation). These types of obligations usually come with proprietary software and licenses.
"Certain restrictive open source licenses allow users to copy, modify and distribute software..." [Emphasis mine]
"Restrictive" is a relative term. That's why I say, make all Open Source apps double-license - one Open Source license of choice, the other - binary only regular EULA with all its conditions. Let users choose which one they want. They will not call this software "restrictive", "cancerous" or any other names anymore.
This is a good thing. (Score:5, Insightful)
Re:Navy/Marine Corp and the desktop (Score:5, Insightful)
I deal with this monster everyday and there is very little publicity about this contract. There needs to be more horror stories out in the press. NMCI forces MS on everything that touches that friggen network and all other Operating Systems are considered "legacy".
Be careful about Tony Stanco. (Score:3, Insightful)
Erm... (Score:3, Insightful)
It was a joke about how strict the regulations were. Didn't you see the part about sticking to the ceiling like a spider? That's not normal human child behavior, hence, the stated regulations that would require such would be unreasonably stringent. Timothy was drawing a parallel to the stringent regulations regarding OSS.
And who says geeks don't have a sense of humor?
More conspiracy theories (Score:5, Insightful)
How you can make this out from that memo which basically says we have a set of procedures in place for software evaluation, if OSS passes those then fine, no problem and secondly be aware of the terms of the license that the OSS comes under.
I know this is Slashdot but the fact that OSS may have to go through a regular selection process instead of being mandated as defacto standard, to the detriment of all others is proper procedure in most large organisations. You should be saying well done for leveling the playing and giving OSS a chance to compete on equal terms.
Security-wise... (Score:2, Insightful)
What do they really have planned? (Score:5, Insightful)
With this in mind, what Linux or Unix OS are they planning on using already? They must have one picked out if they are going to start making rules on the OSS situation.
Re:hmmm... (Score:5, Insightful)
I am very serious in asking this.
1) Does microsoft offer guarantees to the military. for example do they guarantee uptimes or security. Do their contracts stipulate that Microsoft is liable for defects in their software.
2) Do the contracts that MS sign specify that MS will always fix the problem if things go wrong. Do they guarantee it?
It would be interesting if MS offered such contracts to the military because in the commercial world their contracts disavow any kind of liability.
Re:Contracs (Score:5, Insightful)
As mentioned in the parent, companies like Red Hat and Suse make their money from support contracts. Since their bread and butter is in these contracts, and not in selling upgrades, they are more likely to take an active role in fixing problems, instead of having a vested interest in propogating problems (leading to more upgrades).
Microsoft has, in the past, refused to fix bugs in "older" software. In many circumstances, the solution is to "upgrade." In several cases, bugs deemed non-critical by MS have been left unfixed for months. In several other cases, the fixes to these bugs have caused even worse problems.
I have yet to see a contract stipulating Microsoft promises to fix any problems discovered, let alone take resonsibility for any defects. Doesn't mean they don't exist; but, like invisible ephemeral unicorns, until I see one (or the effects of one), I don't believe in them.
The concept of manufacturer liability in the software market is laughable. Schools can get sued for millions for choosing co-valedictorians, but Microsoft sure as hell isn't going to pay for the privacy-raping holes in Passport.
Something is fucked up here.
Re:hmmm... (Score:3, Insightful)
Yep. And that contract says when something drops on the floor don't try pointing that finger at us or we'll bite it off.
-
Re:So Basically... (Score:2, Insightful)
Now if an employee takes the modified software home and installs it on his personal machine, he has violated his company's copyright. If his company allows him to install it on his personal machine, then they must license the modifications to him under the GPL.
Simply using propriotary software installed on your company's computer doesn't mean you own a license. The same is true with GPL'd software. However in most cases, that same GPL'd software is available from multiple sources, so it's a non-issue.
Re:OSSis not a toddler. (Score:5, Insightful)
The referenced guidelines require that all Information Assurance applications MUST have gone through the NIAP certification process. This includes security scanners like nmap or nessus, lockdown tools like bastille, intrusion detection systems like Snort, and also (I think) any security-enabled applications like OpenSSH, or really anything OpenSSL-enabled like Apache, and even the operating systems that run them. With the current certification requirements, it is incumbent upon the vendor to pay to have a certified 3rd party testing group send the product through the testing. It is a lengthy, expensive, beauracracy-driven process. It is highly unlikely that any opensource project will have the time, money, or patience for dealing with it. Someone like RedHat or IBM would have to feel that it is in their best interests to throw away millions of dollars to prove that a given installation of a particular opensource application is acceptably, provably secure. Given the intense lobbying by Microsoft that happened when the NSA undertook the SE Linux project, and more importantly given that most managers have serious missions to accomplish that have nothing to do with software evaluations, it is highly unlikely that any government manager is going to put their budgets and careers on the line by having an opensource product put through evaluation.
This situation does not just affect opensource projects, but also small businesses and vendors. It's unlikely that such organizations would have the resources to get this certification process completed. This game is clearly closed to only big and/or well-heeled vendors.
For this reason, it is highly unlikely that officially blessed opensource products will ever enter an environment with even marginal security requirements. Until the beaucractic process for evaluation changes significantly, the current situation is decidedly biased against opensource, as well as small businesses and vendors.
All this being said, while DoD has fairness as a goal in its procurement processes, safeguarding the lives of its servicemen and servicewomen is the top priority, even if that means a bias for or against certain classes of organizations. Whether there is an effective way of making this process more fair while keeping things secure, whether the benefits of the system outweigh the detriments, or whether the process as it exists now is doing an effective job in passing products that are secure in the real world and not just on paper, is a question that I cannot answer.
--
Re:Contracs (Score:5, Insightful)
With Microsoft, and under contract, you know that's going to happen.
Sorry - no you don't. Microsoft have previously claimed that Windows NTv4 is being supported for security hotfixes until 30 Jun 04 (see here [microsoft.com]) but then failed to fix a serious RPC based DoS attack [microsoft.com].
I should imagine this pisses "secure" government sites off quite a bit - they have been promised security fixes for another year now and then get shafted because MS claim that NTv4 "does not support the changes that would be required to remove this vulnerability".
At least with OSS users are capable of fixing the problem themselves (or paying for it, or using a general release patch etc).
But there are hidden costs that you just don't always see.
Yep - and what are the costs of upgrading all of the Windows NTv4 to Windows 2000 servers to avoid this security bug?
Re:Earth Governments Are Fools (Score:3, Insightful)
If you had a toilet that had to survive 1000 bums per day in a saltwater environment with no spares or repair shops for 5000 miles in all directions (this was a toilet on a SHIP) then you might expect to pay more than the HomeSpot $100 special.
Re:most important reason not to use OSS license (Score:5, Insightful)
Is that the DoD, the DoJ, dictator-of-the-week, and any other offensive military/rights-quashing group, can use your code, and you have no control over it.
Bullshit. Or can you actually think of cases where the "military/rights-quashing group" uses a developer's code without their permission? I personally don't see a need for the military to jackboot someone else's code, since there're about 1500 military programmers in the US Air Force alone. That doesn't count civil service or contracted personnel working with or for the Air Force.
And frankly, if you think people join the US Armed Forces because they want to "quash people's rights," you are sadly out-of-touch with reality. Military members swear an oath to defend the Constitution of the United States--it's an oath we don't take lightly. If you're not happy with the Iraq war, that's fine. . . neither am I. But blame the politicians you elected into office, who sent the troops in the first place.
Re:You're first assumption was right, sort of (Score:3, Insightful)
I think somehow the beancounters make it look better to buy something for $2 million than to increase headcount by a dozen people. I'll never understand how that works.
DOD and OSS (Score:3, Insightful)
Re:Earth Governments Are Fools (Score:4, Insightful)
If you've ever tried to take a dump on a C-130 in flight, going through a thunderstorm, after a 60 day deployment to a tent in Turkey, when your entire digestive tract is in full rebellion...you'd be damn glad that the toilet is designed properly.
Re:OSSis not a toddler. (Score:5, Insightful)
The regulations always say words to the effect of "a specific installation of a specific version of a specific software product (on a specific hardware configuration)". The parenthetical there is for some other security ratings.
A good example of this is the C2 security rating. Microsoft spent some money getting Windows NT C2 rated. Specifically, they got a specific patch level of a specific service pack of Windows NT v3.51 approved as C2 certified, on a specific set of hardware (with no floppy, I think) in a non-networked configuration.
No one paid any attention to those little details. They just saw "Windows NT is C2 rated" and used that for purchase decision approval for every Windows NT/2000 system the DoD has bought since then. Because the "bureaucratic process" doesn't know enough about computers to know what the ratings mean, or what they apply to, or where they don't apply.
The same will be done with this. "The NSA certified Linux for secure operation" will be enough, with supporting documentation to state that. Doesn't matter that it is for a different version of linux than your current procurement, it will still get it through the acceptance process.
Government regulations are only meant to be an overwhelming burden for those people silly enough to think you are actually supposed to comply with them fully. No one that has worked with government procurements for more than 3 months still believes that.
Re:Which in fact, means jack... (Score:2, Insightful)
They could also easily post said source code to their web servers. Have you ever seen their web site? They are insanely well-done. They're a combination of your wildest tech fantasies about online shopping and the most over-produced TV commercials known to man.
But hey, I'm sure Ford can't handle it. Never mind safety testing, emissions regulations, and all that hard stuff! Have you rebooted a Ford lately?
Re:Which in fact, means jack... (Score:2, Insightful)
This can be of benefit if the code is GPL'd and a contractor or other business that can accept (is allowed) the binary+clearance, they (hopefully) get the code. Which can be a real life saver especially if getting an antique (much of military stuff is just that) working again.
Probably though they'd just override the GPL and ship the binary only.