Defense Dept. Memo Explains Open Source Policy

TonyStanco writes "Big news. DoD issued a policy statement leveling the playing field for Open Source. We have the memo on the Center of Open Source & Government site." The requirements listed in this memo make me think of a company policy along the lines of "You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider." See this PDF for more information about National Security Telecommunications and Information Systems Security Policy (NSTISSP) number 11.
  • It's a start (Score:5, Interesting)

    by BWJones ( 18351 ) on Tuesday June 03, 2003 @12:32AM (#6103017) Homepage Journal
    "You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider."

    Well, hey. At least it's a start. Previously, many DOD organizations and departments had an absolute policy on software/platform. In many places, especially sensitive installations, the policy was Solaris. In the last few years there has been an inexorable move toward Windows, despite the obvious problems. Other defense contractors have been moving in the same direction, presumably to control costs by moving everything to one platform. However, most people are finding that this is not the best solution and they are allowing the installation/use/purchase of other systems including open source, Linux and OS X.

  • It's not that bad (Score:5, Interesting)

    by Mahrin Skel ( 543633 ) on Tuesday June 03, 2003 @12:44AM (#6103072)
    The regulations cited are basically a bunch of qualification hoops that have to be jumped through before software is considered "Mil-Spec". The first outfit inside DoD to qualify an OSS package is going to have to *really* want it to fill out all that paperwork, but once it is done it should get a lot easier. Keep in mind, that doesn't mean it will get used for Top Secret or above work right away; some of those hoops are *not* pro forma. But once DoD starts using it, even for trivial things, there will be outfits that just need to satisfy *one* more requirement than has already been filled, and will find it worthwhile to take it the next step.

    Best first bet would be it will slip in from DARPA. They've probably *already* been using it in places they're technically supposed to be using a commercial UNIX.

    --Dave

  • So Basically... (Score:2, Interesting)

    by snipingkills ( 250057 ) <freelancefoolNO@SPAMgmail.com> on Tuesday June 03, 2003 @12:49AM (#6103101) Homepage
    So basically this policy says that if you use OSS then you have to follow the licensing that went with it. What happens if it was sensitive code and it could be detrimental(sp?) if you released the source? Do you still have to do it or is that an exception in the GPL?
  • Waivers (Score:3, Interesting)

    by MonkeyBoyo ( 630427 ) on Tuesday June 03, 2003 @12:56AM (#6103133)
    How much do you want to bet that most acceptable software in the DoD is there because of waivers? In the NSTISSP link [nist.gov] it says:
    (14) Waivers to this policy may be granted by the NSTISSC on a case-by-case basis. Requests for waivers, including a justification and explanatory details, shall be forwarded through the Director, National Security Agency (DIRNSA), ATTN: V1, who shall provide appropriate recommendations for NSTISSC consideration. Where time and circumstances may not allow for the full review and approval of the NSTISSC membership, the Chairman of the NSTISSC is authorized to approve waivers to this policy which may be necessary to support U.S. Government operations which are time-sensitive, or where U.S. lives may be at risk.
  • by Camel Pilot ( 78781 ) on Tuesday June 03, 2003 @01:06AM (#6103180) Homepage Journal
    The Navy/Marine Corps are launching a large scale contract (NMCI) that restricts all Navy IT to MS and MS solutions.

    This contract locks down the network to only NMCI managed systems (MS only). If there are existing systems that cannot run under Windows, then you have to apply for a "legacy system" exception and pay extra for no service.

    This one-size-fits-all approach is short-sighted and foolish. The upper echelon has yet to catch on that the network is the backbone or the infrastructure that enables an ever increasing plethora of monitoring systems, data acquisition and control systems, collaboration and communication mechanisms, etc.

    As more and more devices become Web enabled, the Navy has effectively locked itself out in the cold and crawled in bed with built-in obsolescence - not to mention left itself vulnerable to an attack or virus that would spread like wildfire in a homogeneous network.

  • by pb ( 1020 ) on Tuesday June 03, 2003 @01:08AM (#6103188)
    Use of Free and Open-Source Software (FOSS) in the U.S. Department of Defense [216.239.51.100] -- This report documents the results of a short email-mediated study by The MITRE Corporation on the use of free and open-source software (FOSS) in the U.S. Department of Defense (DoD).
  • by Anonymous Coward on Tuesday June 03, 2003 @01:27AM (#6103252)
    increasingly need to stress the fact that it comes with strings attached and that the corporations need to make sure that those strings are being honored.

    I'd say that's so important as to be essential. That can lessen the "buyer's remorse" if a company discovers it can't do something it wants to down the road and, more importantly, focuses the consumers' minds on the idea that there are different kinds of licenses. That seemingly simple concept can be a huge revelation to someone who has only dealt with proprietary software or has only a vague idea like "Linux is free and hard to use."

    It also perhaps gives developers pause to consider different types of licenses. Perhaps the GPL is not a good "default" license (I personally think the BSD and LGPL are better for commercial entities -- I realize I can be debated on that subject). Perhaps it is. Still, even developers should think about what license is best for their software. And it'd be nice if the software didn't dictate that to them...

  • by zakezuke ( 229119 ) on Tuesday June 03, 2003 @01:38AM (#6103291)
    I'm all for open source, but there are some solutions that sorta imply a closed source solution.

    *ISSUES OF NATIONAL SECURITY* is one of those issues. I would NOT be offended if government agencies decided to use undocumented closed source protocols in order to communicate and store information. In fact, I'm all for that. Hell, if they want to write their proprietary software in Ada, more power to them.

    Typically speaking, government encryption systems should be protected from public use, and not be released under open source.
  • by instantkarma1 ( 234104 ) on Tuesday June 03, 2003 @01:43AM (#6103309)
    Oh, how I love NMCI. We (a couple of consultants) won a gig with the Navy, developing a web application on Linux, MySQL & Apache. Got the go-ahead and started developing...Then, the big bad NMCI came along. In order to be NMCI compliant, we were forced to switch from MySQL to Oracle (to be fair, we were given the choice to use SQL Server....bah!). Ok, I can deal with that. I now get paid to learn Oracle. Cool. Then, after three months of development..."uh...we need you to switch to Windows. It's an NMCI thingy". Not a happy day. Anyway...to make a long story short, in order to be NMCI compliant (and not having the requirements up front), we have this monstrosity of a web application running on Win2000 with Perl, PHP, Oracle and Apache. Needless to say, there aren't too many people in that boat (whoa...a funny...navy..boat...oh nevermind).

    There really is no point to this posting, so mod me down. I'm just ranting and wanted to share an example of your tax dollars at work.
  • Re:Contracts (Score:3, Interesting)

    by Jason Earl ( 1894 ) on Tuesday June 03, 2003 @02:00AM (#6103378) Homepage Journal

    I agree with you 100%. Heck, I will even go so far as to say that in many cases replacing proprietary software with Free Software is a loser over the long term. There are plenty of commercial software systems that are good deals, and there are Free Software systems that do not measure up.

    However, the second the commercial software folks start talking about accountability (especially with regards to Microsoft) I can't help but cry foul. Microsoft sells their software "as is"; they are not remotely liable for their software, and if you want a decent service contract you have to purchase one on top of your licensing agreement, and you probably have to get the contract from someone besides Microsoft. Purchasing a commercial contract is also no guarantee that the software in question will be developed in the future. The company I work for currently is in the middle of a JD Edwards ERP installation, and today PeopleSoft announced they will be purchasing JD Edwards.

    What do you bet that future JD Edwards "upgrades" will involve paying huge money for a completely different product?

    Like I said, there are plenty of hidden costs associated with switching to Free Software. However, service, support, and long-term viability of your software all play into the hands of Free Software adoptees.

  • by wayne606 ( 211893 ) on Tuesday June 03, 2003 @02:18AM (#6103441)
    The buzzword for what you're talking about is Security Through Obscurity. The problem is that it will keep away the casual hackers and script kiddies so you will have many fewer attacks, but to a determined attacker (think of Bletchley Park in WW2 attacking the Enigma) if there are any weaknesses, they will most likely be found and you will not know about it until it's too late. The KGB (or whatever the enemy is these days) doesn't brag about their exploits on IRC.
  • by Minna Kirai ( 624281 ) on Tuesday June 03, 2003 @02:18AM (#6103444)
    I would NOT be offended if government agencies decided to use undocumented closed source protocols

    I wouldn't be offended- I'd be scared. The rule of thumb is that "Security through obscurity is no security at all", but realistically, it's good enough for some situations where there aren't large numbers of dedicated, well-financed enemy spies. That is, anyplace other than National Security can get away with it for a while.

    It is critical that, if a software developer who knows the code defects, we can simply change everyone's password and not junk the entire system until the program can be re-written from scratch. But that's what relying on closed-source for security would require.

    Hell, if they want to write their proprietary software in Ada, more power to them.

    The US government doesn't write proprietary software. Or anything else proprietary for that matter- all their intellectual works are public domain. Some of them are protected under security classification, like the way Air Force bases belong to the public, but they're not allowed inside without permission.

    (And, a Top-Secret classification will expire long before copyrights do...)
  • Close, but not quite (Score:3, Interesting)

    by Arker ( 91948 ) on Tuesday June 03, 2003 @03:29AM (#6103692) Homepage

    The GPL never requires you to post code to a public site. You only have to give it to people who receive binaries.

    Right.

    When you distribute that application to fellow DoD employees, you have two choices.

    • 1. Give them unlimited permission to pass out copies to whomever they want. This is a violation of security clearance, and you could be prosecuted for treason.
    • 2. Forbid them from handing out copies to anyone. Doing this will violate the GPL, meaning you have broken copyright law by duplicating the software.

    Umm no. As long as it doesn't leave the DoD it's not 'distribution' under the terms of the license. You don't have to do shit.

    If you have trouble understanding the second point, imagine that I want to sell a modified Gimp (GPL program), and that I first require all customers to sign a promise that they won't hand out copies. Then I sell them the Gimp, along with the GPL, whose permission to re-distribute I claim has been overridden by the other promise. See how that doesn't work?

    Selling the program to outside customers and simply using it in-house are two entirely different situations though. See this entry in the GPL FAQ. [gnu.org]

    The only difference between GPL and BSD in this context would be if the DoD had some reason to distribute the program in question to the public. As long as it's used exclusively in-house it doesn't matter at all.

  • by Anonymous Coward on Tuesday June 03, 2003 @04:52AM (#6103933)
    Is that the DoD, the DoJ, dictator-of-the-week, and any other offensive military/rights-quashing group, can use your code, and you have no control over it.

    Linus Torvalds once said he doesn't care what's done with Linux, and Stallman accused him of being "just" an engineer (for the n'th time). Yet he seems to have no problem with any organisation that stands firmly against his views with benefitting from his work.

    I can't think of anything worse than contributing to anything and finding out it's being used to kill a few more civilians or conscripts as part of the current stampede.

    (All you "just war" fetishists can demonstrate your confidence in US methods by promising to live in the city of the next target of attack, during and for the months after its "liberation"; if you're still here, you're just hot air, and we can ignore your viewpoint.)

  • by evil_one666 ( 664331 ) on Tuesday June 03, 2003 @05:27AM (#6104019)
    As covered in slashdot [slashdot.org] and elsewhere, OpenBSD was being funded for 20 months by DARPA (that shady branch of the US military who originally invented the internet). Funding was eventually pulled after pro-peace comments from the (Canadian) project leader, Theo de Raadt, 4 months early. It also had something to do with the hackathon convention he organised... maybe, DARPA has not officially commented.

    OpenBSD is of course reputed to be the most secure open source operating system.

    I think that it seems a little weird that the US military is on the one hand acting very anti open source, while on the other- it is actively funding its development.

    Additionally, I have seen one or two "discovery channel" type documentaries in recent months that have filmed computer terminals inside US military installations. There was no doubt that the personnel were running Unix, although the exact flavour remained unclear- but could it be OpenBSD...?

  • "As-is" (Score:2, Interesting)

    by SgtChaireBourne ( 457691 ) on Tuesday June 03, 2003 @06:50AM (#6104207) Homepage
    With Open Source and Free Software, if one provider drops support anyone can pick it up. When commercial providers go bankrupt, the code becomes part of the assets and tied up in the courts. The only way for Microsoft, or any other closed-source vendor, to beat the safety advantages of F/OSS would be to put the code in escrow before they go bankrupt, which in the case of Microsoft seems to be a distinct possibility. Here's a taste:

    Even if MS survives the summer, they've already left Win95/98 behind and tried (or have) dropped NT. So, in regards to "who do you sue?" logic, read your license. MS-Windows could be chock full of remote exploits or send your personal data abroad or monitor your files and habits or break your third party applications and you'd have no recourse whatsoever -- except maybe upgrade to OS X/*BSD/Linux/QNX/etc.

    Nice of Timothy to set up a straw man

  • Re:hmmm... (Score:3, Interesting)

    by PhxBlue ( 562201 ) on Tuesday June 03, 2003 @07:59AM (#6104437) Homepage Journal

    To the best of my knowledge as a US Military employee: No, and no. If Microsoft software breaks, it's up to the people in our Network Operations Centers to fix it. I'd imagine the government gets a good discount in support costs, though. . . and probably has more than a couple Microsoft employees on contract to boot.

  • by dbrutus ( 71639 ) on Tuesday June 03, 2003 @08:52AM (#6104688) Homepage
    no, no, that means that when we sell guidance systems to Israel with requirements that they get our approval before selling them on, the Israelis are bound to give the source code to the PRC when they next do an illegal technology transfer otherwise next time they're not only going to have to face congressional scrutiny but the wrath of Richard Stallman.

    God, I'm looking forward to a ME where Israel isn't the most open and democratic society so they'll get off their US subsidized, pampered butts and fix what ails them.
  • by dbrutus ( 71639 ) on Tuesday June 03, 2003 @08:54AM (#6104705) Homepage
    By this argument does Ford Motor company have to give you source code for their embedded computers running Linux? If so, that's really going to kick embedded Linux in the teeth if your appliance and motor vehicle vendors also have to become software distributors.
  • by Anonymous Coward on Tuesday June 03, 2003 @08:55AM (#6104709)
    On the plus side, not all Microsoft products are allowed. The evil of Visual SourceSafe is not allowed on the NMCI network. Of course, that means the evil of SourceSafe is the only thing keeping me from the evil of NMCI... I need a break.
  • Re:hmmm... (Score:3, Interesting)

    by Eminence ( 225397 ) <akbrandt@gmail.TEAcom minus caffeine> on Tuesday June 03, 2003 @09:16AM (#6104846) Homepage

    Do you seriously think they do provide any guarantees?

    In the corporate mentality (and government is the worst case of it) it is not important what is in the contract. What counts is the simple fact that there is an external entity (i.e. Microsoft) you can point a finger at should something go wrong. As opposed to the situation when there is no external entity, no contract, and someone has to admit that it was they (or their subordinate) who screwed up something. Corporate mentality is about keeping safe within the structure with minimum effort - not about doing something.

    I think that is one of the driving forces of outsourcing (apart from the issue of cost savings).

  • Re:Contracts (Score:3, Interesting)

    by bobv-pillars-net ( 97943 ) <bobvin@pillars.net> on Tuesday June 03, 2003 @10:44AM (#6105452) Homepage Journal

    Do you think the DOD has never used a piece of software the creator discontinued?

    Yup. Personal experience in that area. A surprisingly large amount of DOD software was written for Clipper Summer '87.

    To protect against that I am sure they always manage to get the source code up front (to say nothing of the security issues that require them to get closed source)


    BWAAAAHAAHAHAHAHAHAHA!!!!! (thunk!)

    (/me gets back on chair.)

    (sniffle!)

    Oh, that's RICH!

    You almost had me fooled for a minute there.
  • by rifter ( 147452 ) on Tuesday June 03, 2003 @12:16PM (#6106293) Homepage

    I think that it seems a little weird that the US military is on the one hand acting very anti open source, while on the other- it is actively funding its development.

    Well, the DARPA thing was more an anti free speech thing, and anti-Canadian. But then again, Canada is a haven for pot-smoking communist al-Qaeda agents! ;) (Well, to be fair, there were several terrorists caught trying to cross the Canadian border to execute attacks timed for New Year's Day 2000...)

    The most anti Open Source thing they have done recently is accepting Microsoft's new licensing terms after finding out they had been charged far more than ordinary businesses would be charged for the same Microsoft Software. They accepted Microsoft's song and dance about giving them a discount, whereas the Germans were smart enough to say "forget you, man!"

    I for one would support legislation that requires all government entities to use ONLY open source software. It is unconscionable that they are wasting taxpayer dollars on crappy software to which they do not even possess the source code. How do they know there are no trojans and backdoors in that software that could be revealed to our enemies?

  • by Minna Kirai ( 624281 ) on Tuesday June 03, 2003 @12:23PM (#6106366)
    Umm no. As long as it doesn't leave the DoD it's not 'distribution' under the terms of the license. You don't have to do shit.

    Do you know how many employees the DoD has? More than 1 million.

    The word "distribution" means passing something out. Nobody can claim that giving a program to 1 million people spread around the world is not "distribution". The fact that all the recipients get paychecks from the same place means nothing.

    See this entry in the GPL FAQ.

    I've seen that entry in the FAQ. FAQs, however, have no legal weight. Only licenses do. What I don't see is anything in the text of the GPL itself to modify the definition of "distribution" to something other than in the English dictionary.

    Quoting from that FAQ:
    an organization can make a modified version and use it internally without ever releasing it outside the organization.

    It says the organization doesn't have to release to the public. It does not say the organization can forbid its members from releasing to the public. (In any group of a million users, at least a few will feel like uploading to USENET)

    If a boss can forbid his employees from redistributing a GPLed program based on the strength of the employment contract between them, or because they're in the same "organization", then commercial software vendors could evade the GPL by requiring their customers to sign onto shell corporations first. Obviously, that can't fly.
  • Re:hmmm... (Score:3, Interesting)

    by gbjbaanb ( 229885 ) on Tuesday June 03, 2003 @01:19PM (#6106868)
    We were a middling-sized company - about 400 people. The CTO was supposed to do CTO type stuff, but he preferred to tinker with the code - we had to make the new product perform better, and for him, that meant the opportunity to fiddle with very low level OS features.

    The company is called AIT - listed on LSE, it all collapsed when the directors were caught effectively fiddling the accounts.
