GNU is Not Unix

MITRE Corp. Report On Open Source In Government 289

Jeremy Allison (of the Samba team) writes "Very interesting paper just published by MITRE corporation. (In PDF - they've learned not to use Microsoft Word. :-). Highlights: 'The main conclusion of the article was that FOSS software plays a more critical role in the DoD than has generally been recognised.'; 'Create a "Generally Recognised as Safe" FOSS list ... including Linux, OpenBSD, NetBSD, FreeBSD, Samba, Apache, Perl, GCC, GNAT, XFree86, OpenSSH, bind, and sendmail.' 'FOSS' stands for 'Free and Open-Source Software.' Looks like these people 'get it.'"
  • by Sivar ( 316343 ) <charlesnburns[@]> on Tuesday October 29, 2002 @01:13AM (#4553798)
    "Generally Recognised as Safe ... bind, and sendmail."

    I'm all for Unix server software, but BIND and Sendmail? True, they haven't been bad lately, but both of these are former poster children for the land of remote root exploits. Yet Qmail, djbdns, and Postfix--some of the most secure software ever made--are strangely absent.
    Well, it is the government. They are making progress in their own little way. :)
    • by Sivar ( 316343 ) <charlesnburns[@]> on Tuesday October 29, 2002 @01:17AM (#4553814)
      Correction: Upon further inspection, Qmail is graciously listed, though the others seem to still be absent (unless I can't search properly).

      "Qmail is a FOSS replacement for Sendmail, the
      program that transfers emails between computers
      on the Internet. Qmail has improved security,
      reliability, and performance features."

      Yep, that pretty much sums it up. I'm impressed. :)
      • Only problem is, Qmail isn't "FOSS". It doesn't fit in with either of the Free Software or Open Source definitions. You're allowed to look at the source code of Qmail but not touch. Distributing modified versions isn't allowed. I'm going to contact them and point this out -- they're free to use Qmail, but they shouldn't use it thinking it's open source.
        • I think you may have jumped the gun here. Qmail is "free" as in beer. It does clearly meet the requirements as set out in the document to be Free and/or Open Source Software. They are not mutually exclusive, or inclusive.
        • Distributing modified versions isn't allowed.
          I'm free to use qmail.
          I'm free to modify qmail for whatever purposes for myself.
          I'm not free to hold Dan Bernstein responsible for my butcheries, whether or not I (or anyone else) is aware of them.

          If you want to distribute modified versions of qmail (including ports, no matter how minor the changes are) you'll have to get my approval. This does not mean approval of your distribution method, your intentions, your e-mail address, your haircut, or any other irrelevant information. It means a detailed review of the exact package that you want to distribute.

          Close is not very good for security stuff. Can't say I blame him at all.

      • One of the report's three recommendations is to create a "Generally Recognized As Safe" list of Free or Open Source Software. The stable distribution of Debian has already done this. If the DoD is looking for a base set of packages, then Debian looks to be the set to work with.
        • by Xtifr ( 1323 )
          As a Debian Developer, allow me to strongly disagree. There is a lot of software in Debian! It's as reliable and trustworthy as we can make it, but a lot of stuff doesn't get banged on very heavily (some of it is downright obscure), and the best we can really say is, "we haven't found any obvious problems". Which is a whole world apart from "Generally Recognized As Safe."

          Now, anything that's FOSS and GRAS is probably in Debian, but being in Debian stable is only evidence of being FOSS and NPU (Not Proven Unsafe).

          I think that the idea of having an external list of FOSS/GRAS software is an excellent one. Moreover, I doubt if Debian wants to accept responsibility for maintaining such a list.
    • by GreatDave ( 620927 ) on Tuesday October 29, 2002 @01:24AM (#4553841)
      I'll wager that the feds' decision not to mark, say, other MTAs as safe may be due to lack of adoption in the public and age of the code. Let's face it, Sendmail touches just about every email sent, anytime and anywhere. It's old code that has its nuances known. Sure, it's not a daemon but a demon, but by the DoD's logic, it can be trusted while something like qmail cannot.

      >They are making progress in their own little way. :)

      Military intelligence... if we ever understood it, we'd be arrested and our brains classified. :P
    • by kryonD ( 163018 ) on Tuesday October 29, 2002 @01:55AM (#4553931) Homepage Journal
      Just to add some info here. Just because an article talks about usage and approval of FOSS in the "DoD" (Department of Defense), it doesn't mean that there is significant usage. Remember that the DoD is comprised of some management overhead and three sub departments: Army, Navy, Air Force. While Linux may be used and even endorsed by the "DoD", its usage is not permitted without one hell of a waiver process in the Department of the Navy. Especially under NMCI (Navy Marine Corps Intranet), Linux is not even listed as an approved legacy system, much less something EDS will agree to support.

      Additionally, each branch of the service is autonomous in IT management, which means there are FOUR DIFFERENT ways of running a network with the associated FOUR sets of management overhead and of course, they aren't interoperable. This is a fairly generalized statement, but most of the systems I deal with daily in the Marine Corps are specific to us and don't work with the other services' systems despite the fact that they all do the EXACT SAME THING.

      So kids, the moral of the story is: Write your congressman and complain about the misuse of your tax dollars. And don't forget to tell them that free software == excuse for lower taxes == more votes for them.
      • by Anonymous Coward on Tuesday October 29, 2002 @03:19AM (#4554125)
        Linux is in widespread use in the Navy research lab that I work for. And our NMCI installation apparently does include Linux in some way as I have seen reports of "compatibility testing" that mentioned NT/2k/XP/Linux/Solaris and a couple others.

        Not to imply that NMCI isn't ridiculous and a huge waste of money. We're trying to fight it...

        And don't forget that most computers aren't desktops. We certainly don't have any MS OS on our many embedded computers.
      • Especially under NMCI(Navy Marine Corps Intranet), Linux is not even listed as an approved legacy system, much less something EDS will agree to support.

        I guess this means that if I want to mount a pirate attack on the DOD, I should make the Marines my beachhead?

        Sir! The enemy is sighted, and they are using ISS!

        Arrgh! Prepare to board them, and take no prisoners!
    • I think you need to adjust your idea of "secure" a little bit. Sendmail is ancient-- in Internet terms-- and it is widely known. Everybody knows where Sendmail's bones are buried. Qmail, on the other hand, is newer and less widely used. The fact that Qmail has had fewer known security flaws can be interpreted as a sign that there are more left to be discovered.

      Secure doesn't mean invulnerable. It means trusted. You can trust something with known flaws if you know where those flaws are, how to avoid them when necessary, and how to fix them when possible.
      • by novakreo ( 598689 ) on Tuesday October 29, 2002 @03:40AM (#4554164) Homepage

        True, but then again Qmail has offered a USD $500 security guarantee since 1997, which so far remains unclaimed. Sendmail does not, and since then they've had a number of security issues to deal with.

        As for its usage, Qmail at one stage included Hotmail among its users, so it has had a reasonable amount of testing and use.

        • by Twirlip of the Mists ( 615030 ) <> on Tuesday October 29, 2002 @03:47AM (#4554183)
          Your comment reminds me of the old joke about the optimist and the pessimist who visited California. They heard that there hadn't been a major earthquake in California in however-many years. The optimist thought to himself, "We're safe!" The pessimist thought, "We're due!"

          Security-minded folks are more likely to be pessimists than optimists.
        • Part of the reason why the $500 security guarantee hasn't been claimed is that -- as far as I can tell -- very few people use it unpatched. If someone were to find a bug, they would have to revert to an unpatched version and then recreate the error there. Not many people have the time and energy to do this -- and it doesn't do them much good if the problem is in the patch.

          As far as I can tell, DJB refuses to incorporate any of the many patches into his software, so the security of his unpatched sources is of limited value. This also makes using qmail a royal pain in the ass. It can sometimes take hours to figure out which patches you want and then find and download them. As much as I like some of the ideas behind the design and implementation of the software, the license discourages me from using it (even though I generally get paid by the hour when I install it!)

        • Qmail's security is more theoretical than actual. From what I can tell, Bernstein wrote Qmail more to prove that he can design and write secure software than to provide a service to the public. He disclaims responsibility for problems that come from outside his source code.

          If somebody finds a bug in, say Linux, that can be exploited against both Sendmail and Qmail, the Sendmail folk will fall all over themselves to find and distribute a workaround. Bernstein, on the other hand, will likely just smile and say "not qmail's fault". This doesn't do much good for people who are actually using qmail in the field and will need to create and distribute their own patches on the back-channels -- and then integrate them with the myriad of patches out there.

          I really believe that Qmail's license was and is the biggest barrier to its more widespread adoption.

      • by lewp ( 95638 ) on Tuesday October 29, 2002 @03:54AM (#4554197) Journal
        Age of code doesn't always directly relate to security of code. Yes, Sendmail is older. While that means the code has been around to be looked at by more people, it also means it was written before security was even close to the priority it is today.

        Qmail, on the other hand (and Postfix, and others. Sorry if I don't mention everyone's favorite :P), was created from the start to be as secure as possible. It has the advantage of being able to build on many years of advancement in secure coding practices. For example, the way as little of its code is executed as root as possible gives it a big advantage. Sendmail 8.12 is moving in the same direction, but it's much newer than Qmail and, while I haven't gazed at the Sendmail source recently I'd be willing to wager that getting it to play with privilege separation wasn't a trivial change.

        I'm not knocking Sendmail. I use it on a whole bunch of production boxes. It's familiar, easy to use, and works out of the box with everything. It's also fast enough to make it suitable for most environments and I have a whole lot of time invested in learning the various ways to configure and tweak it and how to fix it when it's being moody.

        That said, I also use Qmail on a regular basis. Of the two I keep a much closer eye on the Sendmail installations. Sendmail's current biggest known flaw is its history, and until something approximating that shows up in Qmail I'm more inclined to trust djb's baby (even though I put it in /usr/local/qmail. nyeh!).

        (Qmail also has the luxury of being the product of someone who comes off as a complete asshole. I can guarantee you that the fact that Qmail doesn't have any known security holes is not for a lack of trying. There are plenty of people who would *love* to find a hole in Qmail just to shut him up. I hope djb doesn't have mod points!)
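The design point lewp makes above, that as little code as possible should ever run as root, comes down to one short, strictly ordered sequence: do the privileged setup, shed supplementary groups, change group, change user, then prove that root cannot be regained before touching any untrusted input. The following is an added example written for this page, not qmail's or Sendmail's code and nothing from the MITRE report; the helper names, the `nobody` account and the 65534 fallback are assumptions, and it assumes a POSIX system.

```python
"""Drop root after privileged setup and prove the drop is irreversible.

Added example for this page; hypothetical helper names, not qmail's code.
Assumes a POSIX system (os.setgroups / os.setgid / os.setuid, pwd module).
"""
import os
import pwd
from typing import Tuple

UNPRIVILEGED_ACCOUNT = "nobody"   # assumption: the conventional unprivileged account
FALLBACK_IDS = (65534, 65534)     # classic uid/gid of nobody when the account is absent


def lookup_unprivileged(user: str = UNPRIVILEGED_ACCOUNT) -> Tuple[int, int]:
    """Resolve the uid/gid the daemon should run as once setup is done."""
    try:
        entry = pwd.getpwnam(user)
    except KeyError:
        return FALLBACK_IDS
    return entry.pw_uid, entry.pw_gid


def privileges_are_dropped() -> bool:
    """True only if the process can no longer become root: setuid(0) must be refused."""
    if os.getuid() == 0 or os.geteuid() == 0:
        return False
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False          # setuid(0) worked: a saved root uid was still lying around


def drop_privileges(uid: int, gid: int) -> None:
    """Switch permanently to uid/gid, in the one order that works.

    Supplementary groups and the gid must be changed while still root,
    because once the uid is unprivileged those calls are refused.
    As root, os.setuid() sets real, effective and saved uid together,
    which is what makes the drop irreversible.
    """
    if uid == 0:
        raise ValueError("refusing to 'drop' privileges to root")
    if os.geteuid() == 0:
        os.setgroups([])  # root-only call; inherited groups would otherwise leak through
    os.setgid(gid)
    os.setuid(uid)
    if not privileges_are_dropped():
        raise RuntimeError("privilege drop did not stick; refusing to continue")


def serve_after_drop(privileged_setup, unprivileged_work):
    """Daemon skeleton: the smallest possible amount of work runs as root."""
    state = privileged_setup()          # e.g. bind the low port, open the log file
    if os.geteuid() == 0:
        uid, gid = lookup_unprivileged()
    else:                               # already unprivileged: re-assert our own ids
        uid, gid = os.getuid(), os.getgid()
    drop_privileges(uid, gid)           # from here on, root is gone for good
    return unprivileged_work(state)     # parsing untrusted input happens only here


if __name__ == "__main__":
    outcome = serve_after_drop(
        lambda: {"bound": "port 25 (constructed stand-in, nothing is opened)"},
        lambda s: (os.getuid(), privileges_are_dropped(), s),
    )
    print(outcome)
```

Run as root it switches to `nobody` and the final tuple reports that root is unrecoverable; run as an ordinary user it merely re-sets the caller's own ids (which the kernel always permits) and the same check still passes. The check after the drop is the part most often left out: if the saved uid were still 0, or the order of the calls were reversed, `RuntimeError` fires before any untrusted data is read.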
    • djbdns & qmail (Score:5, Informative)

      by dasunt ( 249686 ) on Tuesday October 29, 2002 @03:35AM (#4554153)

      I'm not trying to torch anybody's favorite software here, but both djbdns and qmail have drawbacks.

      The biggest issue is the license. Qmail is limited to source-code only distribution, with an exception being made for precompiled binaries if they behave exactly the same as qmail normally behaves. Information here. This means that if you want qmail not to throw all of its binaries under /var and ignore most of /etc for configuration files (which it normally does), you have to compile and patch it by yourself. Also, there is no distributing patched versions, so if D. J. Bernstein dies tomorrow, qmail development is effectively frozen until qmail passes into the public domain decades later. That includes any security/performance patches, as well as ports to other architectures. Djbdns has a similar license.

      There is also compatibility. Djbdns does not support certain zone transfer mechanisms. It ignores some IETF standards entirely and implements its own version instead. I get upset when Microsoft twists and corrupts public standards for its own ends, and I get upset when Bernstein does it as well. I'm lazy; I don't want to have to double-check whether my DNS server supports a certain standard if my configuration changes. Qmail is more of a quibble: I don't like how it throws everything in /var. (And I'm not sure why the world needs qmtp.)

      I'm not saying that a lot of people and smaller sites won't find qmail/djbdns (and the rest of Bernstein's software) useful. They seem to be secure, and they do their job as long as everything is compatible.

      However, one of the reasons why I avoid proprietary software for many tasks is that I don't want to hitch my wagon to somebody else's horse. If I go with an MTA that is widely used and is GPL or BSDL, I am assured that development does not rest solely on one person. And if I go with standards-compliant software, it ends up being less of a hassle in the long run.

      Djbdns and Qmail aren't bad. But they have licenses that limit distribution and development, and they break interoperability.

    • Sivar wrote:
      "Generally Recognised as Safe ... bind, and sendmail."
      I'm all for Unix server software, but BIND and Sendmail?

      Don't mix old Bind and Bind 9, Bind 9 is an entirely new code base written from scratch with security as a basic premise. Version 9 is not susceptible to the same issues found in earlier versions of the Bind DNS server.

      The track record for Bind 9 is *much* better than it used to be ....

    • Yet Qmail, djbdns, and Postfix--some of the most secure software ever made--are strangely absent.

      Did you omit exim because you:
      • Don't know it?
      • Forgot about it?
      • Don't like it?
      • Think it's insecure?
      • Think CowboyNeal wouldn't approve?
  • Rock on. (Score:3, Funny)

    by LoudMusic ( 199347 ) on Tuesday October 29, 2002 @01:15AM (#4553805)
    Nice to see some of our tax dollars not going to waste on over-priced under-powered software.

    I suppose this means there will be more job openings for geeks in government positions. Get out your resumes guys and gals ...
    • Re:Rock on. (Score:4, Funny)

      by Sivar ( 316343 ) <charlesnburns[@]> on Tuesday October 29, 2002 @01:21AM (#4553832)
      You may not want to work for the government in anything technical. Sure, you may get to play with some neat toys, but after seeing so many Sun Enterprise systems used as office mail servers -- sitting alongside NT database servers equipped with 64MB RAM, one tends to go insane. :)
      • Re:Rock on. (Score:3, Insightful)

        by budalite ( 454527 )
        Yeah, well, we can be either a part of the answer, part of the problem or work both sides of the fence, like I do. :) I have worked in both the fed. govt and private industry. There isn't really much difference in how things get done. The main difference is that where business people reward each other with fat contracts, in the fed. world, one must change the *policies* to reward your buddies. That is exactly what happens after every election. A new policy can reap billions in rewards. If you didn't know that, now you know why the position of president, though it "only" earns $200k/yr (+ room, board, and security detail), causes millions and millions to be spent to get someone the job.
        Interestingly, I feel more like a "stakeholder" as a govt. employee than I did as an industry stock-holding employee. It's my tax money, too, I guess.
    • Re:Rock on. (Score:2, Insightful)

      The US government provides thousands of IT jobs already. I wouldn't be surprised if they were the largest IT employer in the world. There's always been plenty of government work for an ambitious and well trained geek.

  • About time. (Score:4, Interesting)

    by carlmenezes ( 204187 ) on Tuesday October 29, 2002 @01:17AM (#4553812) Homepage
    About time somebody did something like this. I mean, to the average Joe, the advantages of FOSS are obvious. But the DoD needs documents, papers...anything written. It's similar to businesses WANTING to pay for software and therefore keeping away from FOSS.

    I guess everyone was waiting for somebody to basically do a "study" or write a paper that could be quoted or "fallen back upon" if you will.

    Then again, this report is about the fact that FOSS already plays a more critical role. My point is, it's high time somebody came out and recognised the fact. Great job on the paper.
    • to the average Joe, the advantages of FOSS are obvious.

      No, maybe to the average the advantages are obvious, but the average Joe doesn't know FOSS exists. Heck, 5 minutes ago, I didn't know FOSS existed ;-)

    • quoth the poster:
      I mean, to the average Joe, the advantages of FOSS are obvious.
      Don't you mean "to the average Slashdot poster"? When I think of the average Joe, I think of my father, who believes that my computer must be turned on for him to send me e-mail from his computer. That, and that Prodigy is the greatest thing on the planet...

      Yeah, I know, I'm nitpicking...
    • What if ... (Score:3, Interesting)

      It's interesting that the report starts out with a what-if scenario. "What if FOSS were banned in the DoD?" Answer - things would pretty much stop. FOSS has played and continues to play a critical role in the DOD.

      A lot of people will begin to think about the converse, "What if Closed Source were banned from the DoD?" or even more specifically, "What if Closed Source from companies found guilty of breaking federal law were banned from the DoD?". I wouldn't be surprised if the answers were "not much change" and "things improve", respectively.

  • by coupland ( 160334 ) <dchase @ h o> on Tuesday October 29, 2002 @01:17AM (#4553813) Journal

    A very minor and unimportant comment:

    Most companies when publishing in PDF format do so, not for openness but to protect against copying or modification.

    For example, my company works extensively with the FDA and we publish all our standard operating procedures (SOPs) in PDF format since it's so difficult to copy. We rely not on the openness of the format but on its limitations. Not earth-shattering but I wanted to mention that PDF is not a particularly open format, despite its structures being well known.

    • by pauldy ( 100083 ) on Tuesday October 29, 2002 @01:43AM (#4553891) Homepage
      That is kind of funny because the line feeds are ^M just like what the acrobat distiller does. I would say PDF is freer than word however, because you don't have to pay money to view the document and since the purpose of this document is to be read then this particular format is best suited to enable that viewing across platforms without additional costs for the reader while maintaining the original format of the document.

      I would also say anyone using PDFs for the security of them not being easily modifiable is running on assumptions that the people they are sending the files to are too stupid to figure out how to modify them to their hearts' content.
      • I would say PDF is freer than word however, because you don't have to pay money to view the document

        Only half true. Microsoft offers a little known Word 2000 viewer (and similar viewers for Excel etc) that is available gratis.

        • It's only available for Windows (although it might work in Wine I suppose), so you still have to pay Microsoft for the operating system.

        • Only half true. Microsoft offers a little known Word 2000 viewer (and similar viewers for Excel etc) that is available gratis. It's only free as in beer. I can use xpdf and the like to view PDFs... Also I've had the experience of the Word Viewer crashing on complex Word documents. Only ones from Microsofties so far, but even so it's sad when I have to turn to OpenOffice to view a Word file (even if it takes minutes to render a page), and then convert it to PostScript to be able to view it in something solid like ghostview.
        • Microsoft offers a little known Word 2000 viewer [...] gratis

          But that supposedly gratis viewer requires a non-gratis OS to run, so many of us would still have to pay money to view the document.

          (But then you did say, "half true", and anyway, my objection is only half true because it probably runs under Wine. Though I'm not sure that helps people running Solaris/AIX/LinuxPPC/LinuxARM/LinuxPS2/etc.)

          Anyway, the bottom line is that PDF is freer than Word because PDF is an open standard, and multiple implementations exist (some gratis, some FOSS) while Word is a closed, proprietary format subject to change without notice.
    • by JordoCrouse ( 178999 ) on Tuesday October 29, 2002 @01:43AM (#4553894) Homepage Journal
      Most companies when publishing in PDF format do so, not for openness but to protect against copying or modification.

      Ironically, you think that PDF protects against copying, because it is difficult to modify them in Windows. By the same token, you may think that .DOC files are less secure, due to the fact that they are easy to read and modify in Windows.

      Which of course, is the opposite for any *NIX system running Ghostscript (where a PDF -> ASCII conversion is trivial, but .DOCs require much more work).

      I guess you do have to play to your users' strengths and weaknesses, it just seems funny to me, somehow.

    • If you are worried about tampering, just use a secure hash. e.g. create a web site or phone number people can call to verify md5sums of important documents.

      If you really want to prevent copying (as in copyright infringement), then you'll have to wait for Palladium. ("Ctrl-C" - "I'm sorry Dave, I can't let you do that...")
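The tamper check proposed in the post above is worth making concrete: publish the digest somewhere the person who can alter the document cannot also alter (the web page or phone line the post mentions), then recompute it over the downloaded copy. Below is an added example written for this page, not code from the post or from MITRE. The checksum line format follows the `md5sum`/`sha256sum` convention, the report file name is a placeholder, and the two "documents" are constructed byte strings. It defaults to SHA-256 but accepts `"md5"` as the post suggests; MD5 still catches accidental corruption, but deliberate MD5 collisions have been practical since the mid-2000s, so a check meant to defeat a forger should use SHA-256.

```python
"""Verify a downloaded document against a digest published out of band.

Added example for this page. The checksum-file format follows the
md5sum/sha256sum convention ("<hexdigest>  <filename>"); the sample
documents below are constructed stand-ins, not the MITRE report itself.
"""
import hashlib
import hmac
from typing import Tuple

CHUNK = 64 * 1024


def digest_of(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of a byte string, hashed in chunks the way a file would be streamed."""
    h = hashlib.new(algorithm)
    for offset in range(0, len(data), CHUNK):
        h.update(data[offset:offset + CHUNK])
    return h.hexdigest()


def parse_checksum_line(line: str) -> Tuple[str, str]:
    """Split one sha256sum-style line into (hexdigest, filename).

    The digest is followed by two spaces (or " *" for binary mode on some
    tools); the filename may itself contain spaces, so split only once.
    """
    digest, _, name = line.strip().partition(" ")
    name = name.lstrip(" *")
    if not digest or not name:
        raise ValueError(f"malformed checksum line: {line!r}")
    return digest.lower(), name


def verify(data: bytes, published_digest: str, algorithm: str = "sha256") -> bool:
    """Recompute and compare in constant time, so the comparison itself leaks nothing."""
    return hmac.compare_digest(digest_of(data, algorithm), published_digest.lower())


# Constructed stand-ins: the document as published, and a copy someone edited.
ORIGINAL = (
    b"%PDF-1.4\n"
    b"Create a 'Generally Recognised as Safe' FOSS list including Linux, OpenBSD, ...\n"
    b"%%EOF\n"
)
TAMPERED = ORIGINAL.replace(b"Recognised as Safe", b"Recognised as Unsafe")


def demo() -> Tuple[bool, bool]:
    """What the web site / phone line hands out, and what each download checks against it."""
    published = f"{digest_of(ORIGINAL)}  mitre-foss-report.pdf"   # placeholder file name
    digest, _name = parse_checksum_line(published)
    return verify(ORIGINAL, digest), verify(TAMPERED, digest)     # (True, False)


if __name__ == "__main__":
    print(demo())
```

The one-character edit in `TAMPERED` is enough to flip the result, which is the whole point: the digest is sensitive to every byte, so the published value only has to be short enough to read over the phone. The check is only as trustworthy as the channel the digest came over; a digest served from the same place as the document protects against nothing but transfer errors.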
    • Open the pdf in XPDF, left click to highlight text, centre click to drop into text editor. It's that easy on my system. Ironically, the MITRE report is a pdf of a Word doc.
    • There are three main advantages of PDF over Word:

      1) The format is compressed, so it is smaller in size.

      2) The PDF viewer is available on more platforms than Word viewer

      3) The PDF is already formatted for printing.

    • Most companies when publishing in PDF format do so, not for openness but to protect against copying or modification.

      Or it could simply be because it's much easier to predict how the document will print / read on various platforms. At this point, PDF files are pretty much a web standard for white papers, reports, etc. I guess if it were me I would skip the paranoia factor and the black helicopter sightings and take the report at face value. :)

      - Brandon
    • PDF isn't open?

      That's news to me.

      PDF is an open specification, anyone can write their own PDF creation tool as well as reader.

      The security thing is a bad idea though, as is the attachments in PDF files that Adobe just added support for in their apps. Ah, the coming of the PDF virus era....
    • we publish all our standard operating procedures (SOPs) in PDF format since it's so difficult to copy.

      I just found a way to penetrate your security! The exploit is:

      1. Ctrl-C
      2. Ctrl-V

      Do you think I should post this to SecurityFocus or something?

      Honestly, I know what you're trying to say, but I don't understand why companies do this. Anyone who was motivated to fake a report from your company could still do so. All publishing in PDF format does is annoy people and waste bandwidth. Actually, you'd be better off publishing documents as HTML on a webserver you control, because people can see the address it's at and be (reasonably) sure that it's official. If you release them as PDF files, surely people will be more likely to save them, print them out and forward them around, creating a situation where a fake is less likely to be spotted straight away?

      If you're worried about employees tampering with internal documents - that's what file permissions are for.

      I once worked for a shit company who generated a lot of their transaction reports as PDFs for "security" so they couldn't be modified. It also made it impossible to do diffs, search groups of reports, etc. I was ordered to compare files by flicking between them and looking for differences. Tards.

  • by gmanske ( 312125 ) on Tuesday October 29, 2002 @01:19AM (#4553823) Homepage
    If, like me, you were wondering what the "Generally Recognised as Safe" reference was referring to, here's an excerpt of the executive summary of the report.

    This list would provide quick official recognition of FOSS (Free and Open-Source Software) applications that are:

    (a) commercially supported
    (b) widely used and
    (c) have proven track records of security and reliability (e.g. as measured by speed of closures of CERT reports in comparison to closed-source alternatives)


  • by GreatDave ( 620927 ) on Tuesday October 29, 2002 @01:20AM (#4553825)
    While the Navy has its much-farted-upon attempt to build Win2k-powered "Smart Ships", the NSA has been developing SELinux (Security Enhanced Linux), their homebrew kernel.

    It seems that the right hand doesn't see what the left hand is doing. That's the USA federal government for you. However, based on the existence of the "safe" FOSS list, perhaps the DoD is rethinking their investments in eN Tee. I sure hope so, for the sake of national security. Meh.
    • by mcubed ( 556032 ) on Tuesday October 29, 2002 @01:59AM (#4553940) Homepage

      It seems that the right hand doesn't see what the left hand is doing. That's the USA federal government for you.

      With all due respect to your example, I would rather each department of the government be allowed to implement its own solutions, at least based on my experiences working for large corporations (where the right hand often doesn't know what the right middle finger is doing). The most productive situations arise when divisions and departments are allowed to solve their own problems, rather than having some senior-level executive decide, "okay, this worked for marketing, so now everyone has to do it this way." Information sharing is important, of course, but forcing one-size-fits-all "solutions" can be counter-productive.


  • by AIXadmin ( 10544 ) on Tuesday October 29, 2002 @01:20AM (#4553831) Homepage
    In this paragraph MITRE seems to infer that GPL'ed software is somehow more secure, or better able to be secured than other software.

    "For Security, use of GPL within groups with well-defined security boundaries should be encouraged to promote faster, more locally autonomous responses to cyber threats."
    Page 3, Example 2.

    This really makes no sense to me. Especially when the majority of the software they list as heavily used infrastructure tools, such as "Linux, OpenBSD, NetBSD, FreeBSD, Samba, Apache, Perl, GCC, GNAT, XFree86, OpenSSH, bind, and sendmail," is NOT licensed under the GPL. (Yes, I realize some are, but the majority of that list are not.)

    Doesn't make a lot of sense. Considering most people would agree the most secure OS out there is OpenBSD.
    • "For Security, use of GPL within groups with well-defined security boundaries should be encouraged to promote faster, more locally autonomous responses to cyber threats."

      Perhaps one aspect of the security to which they refer is the secure knowledge that inhouse software developed under the GPL will remain free, i.e. they will in turn receive any and all improvements made by others. ;-) Somehow I doubt that is what they meant, though.

      While the GPL is arguably more appropriate for public funded software development than licenses that lend themselves to proprietarization, I must agree wholeheartedly with you that it is clear that the advantage in security goes to free software over proprietary software, and not GPLed software over other free software to any degree. Indeed, as you point out, OpenBSD is the most secure operating system around, and it is certainly not GPLed.

      What they clearly meant to say was the free software should be encouraged to promote faster, more locally autonomous responses to cyber threats ... they are mistakenly equating GPLed software with free software (when in fact it is only a subset).
      • While the GPL is arguably more appropriate for public funded software development than licenses that lend themselves to proprietarization

        I would say that the license that gives the most freedom is the license that publicly funded development should have. Guess what: that license is not the GPL (though you could easily create your own GPL'd fork of a BSDL'd project... it's identical as far as the BSD license is concerned to proprietary licensing)

    • They refer to an ideal situation. The use of GPL soft would free completely their hands on changing every piece of soft that might be compromised. And they would not have to deal with licensing hurdles. But there are two caveats here.

      First, GPL exclusivity would be appropriate only in top-security situations that demand a fast and very flexible response. Not having barriers on how to deal with the soft, be it binary or source code, is extremely important here. However, I would not be so fanatical as to say that only GPL soft is appropriate. Frankly, I think it would be better to say: licenses that do not impose barriers of any kind to software changes and distribution.

      Second, to do such a thing, people should be uberprofessional. Having GPL code is not enough to provide security. There should be someone who's able to manage the guns. However, if a certain department or site is considered to be top-security, then one should have someone of that weight out there... Isn't it? But... well... we know that even security guards love to sleep when they shouldn't. And that engineers are underpaid and don't have enough qualification. And that the managers will still buy some piece of crap instead of listening to the experts... So this caveat is utterly pointless...

      OpenBSD is one of the most secure. Because it is made for security. Most Linux machines are not because it would be a problem trying to adapt users to the level of security in OpenBSD. I made a few installs of OpenBSD and I may tell you that it is not easy to install something on it. Besides it is much harder to use. And, sometimes it is quite slower than other BSD and Linux conceptions. But it is very good at kicking every kiddie out. However, its administration demands every kind of task as any other system. A badly administered OpenBSD is also breakable.

      On what concerns Linux itself, unfortunately there are very few secure distros. But it is possible to reach a level of security near to OpenBSD or even better. By hand and making the system from scratch. Once we had such a machine. We named it "The Castle", out of the name of a distro that gave us the idea to make it. It was a damn well secured system. But using it... Better walking through the Labyrinth...
      • Meh? A Linux system you create yourself isn't going to be any more secure than a properly-configured RedHat box in the hands of someone who knows what they're doing. It's not like you're not going to be running the same software for the most part.

        I, like most people, wish that the more mainstream distros didn't ship with everything but the kitchen sink on by default, but come on. If you've got the know-how to put together a Linux box from scratch there's no reason you can't properly lock down one you get from a mainstream distributor in much less time.

        I realize it's good security practice to start from zero and enable only what you need rather than have everything on and disable what you don't, but UNIX isn't Windows. Unless a distro is shipped with a rootkit in it already it's quite easy to turn everything off. Once you've done that you can pretend you started from scratch if that makes you feel better.

        Building "Linux From Scratch" is fun (for some people, myself included) and a great way to learn about how your system works. But if you do it on a regular basis for systems you deploy you're just wasting a lot of time and being masochistic.

        On another note, I've never found it that much harder to admin or use an OpenBSD box than I have say, FreeBSD or even your average Linux box. I find that the difference in philosophy is the biggest hurdle (vi this file vs. use our badly-designed ncurses/GTK+ config tool). Once you get over that any of the above can be quite usable.
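Added example (not code from any poster or from the MITRE report): the post above says a stock distribution can be brought to the same place as a from-scratch build by turning off everything that was not asked for. The script below makes that an allow-list check: it parses constructed sample `chkconfig --list` and `netstat -tlnp` output (the sample lines, the host's role and both allow-lists are invented for the example) and reports every enabled service or listening TCP port the allow-list does not cover, so what remains running is exactly what was chosen rather than what the distributor shipped.

```python
"""Audit a host's enabled services and listeners against an explicit allow-list.

Added example, not from the MITRE report or any poster. The allow-list is
the source of truth; anything enabled or listening that it does not name
is reported for the administrator to disable. The parsers are written for
the constructed sample text below, in the style of `chkconfig --list`
and `netstat -tlnp` output, and will need adjusting for other formats.
"""
import re

# Constructed sample: what a freshly installed box might report.
CHKCONFIG_OUTPUT = """\
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        telnet: on
        finger: off
"""

# Constructed sample netstat output for the same host.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      520/httpd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      530/sendmail
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      300/portmap
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      201/xinetd
"""

# Assumed role for this host: accept SSH and serve web, nothing else.
ALLOWED_SERVICES = {"sshd", "httpd"}
ALLOWED_PORTS = {22, 80}


def enabled_services(chkconfig_text: str, runlevel: int = 3) -> set[str]:
    """Services switched on at the given runlevel, plus enabled xinetd services."""
    enabled = set()
    for line in chkconfig_text.splitlines():
        # SysV-style line: name followed by N:on / N:off columns.
        m = re.match(r"^(\S+)\s+(?:\d:(?:on|off)\s*)+$", line)
        if m:
            if re.search(rf"\b{runlevel}:on\b", line):
                enabled.add(m.group(1))
            continue
        # Indented xinetd entry: "name: on" / "name: off".
        m = re.match(r"^\s+(\S+):\s+on$", line)
        if m:
            enabled.add(m.group(1))
    return enabled


def listening_ports(netstat_text: str) -> dict[int, str]:
    """Map each listening TCP port to the program name netstat reports."""
    ports = {}
    for line in netstat_text.splitlines():
        m = re.match(r"^tcp\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN\s+\d+/(\S+)", line)
        if m:
            ports[int(m.group(1))] = m.group(2)
    return ports


def audit(chkconfig_text: str, netstat_text: str) -> dict[str, list]:
    """Everything enabled or listening that the allow-lists do not cover."""
    extra_services = sorted(enabled_services(chkconfig_text) - ALLOWED_SERVICES)
    extra_ports = sorted(
        (port, prog) for port, prog in listening_ports(netstat_text).items()
        if port not in ALLOWED_PORTS
    )
    return {"services": extra_services, "ports": extra_ports}


if __name__ == "__main__":
    result = audit(CHKCONFIG_OUTPUT, NETSTAT_OUTPUT)
    for svc in result["services"]:
        print(f"disable service: {svc}")
    for port, prog in result["ports"]:
        print(f"unexpected listener: port {port} ({prog})")
```

Checking both the boot-time configuration and the live socket table matters: the two disagree whenever something was started by hand, by xinetd, or by a package post-install script, and the socket table is what an attacker actually sees.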
    • So how exactly do your statements show that OpenBSD wouldn't be more secure if it was GPL'ed?
      The point is: "what license promotes security the best?" What OS is currently most secure may or may not be under that license.
      BTW, I would probably agree with you about OpenBSD's security.
  • Excerpt (Score:5, Insightful)

    by willpost ( 449227 ) on Tuesday October 29, 2002 @01:21AM (#4553833)
    Banning Free and Open Source Software would remove certain types of infrastructure components (e.g., OpenBSD) that currently help support network security. It would also limit DoD access to -- and overall expertise in -- the use of powerful FOSS analysis and detection applications that hostile groups could use to help stage cyberattacks. Finally, it would remove the demonstrated ability of FOSS applications to be updated rapidly in response to new types of cyberattack. Taken together, these factors imply that banning FOSS would have immediate, broad, and strongly negative impacts on the ability of many sensitive and security focused DoD groups to defend against cyberattacks.

    Starting on page 32, there's a very nice glossary of common Free and Open Source acronyms.
  • by Rhinobird ( 151521 ) on Tuesday October 29, 2002 @01:29AM (#4553852) Homepage
    Isn't anybody gonna mention that RMS is going to say that FOSS should really be referred to as Dental/FOSS?
  • PDF? (Score:3, Insightful)

    by intermodal ( 534361 ) on Tuesday October 29, 2002 @01:33AM (#4553861) Homepage Journal
    whatever happened to good old ASCII or ISO text files? nothing says cross-platform like an ISO format
    • Re:PDF? (Score:3, Insightful)

      by Sivar ( 316343 )
      whatever happened to good old ASCII or ISO text files?
      The PDF document contains images, tables, colors, and underlined/italicized/bold text. Those are rather difficult to express in plain ASCII text.
      Doing so is not unlike trying to write a voxel-based graphics engine in HTML.

      Right tool for the job...
    • Re:PDF? (Score:3, Funny)

      by zulux ( 112259 )
      whatever happened to good old ASCII or ISO text files? nothing says cross-platform like an ISO format

      Oh sure, leave out us EBCDIC users, you young whipper-snappers with your fancy-schmancy ISO standards. HA! ...I'll just go back to my Forth system and cry.

    • Ever tried to read a "good old ASCII" text file? If you try to read it on screen, you'll suffer annoyance and fatigue after mere minutes. If you try to print it out, you'll end up with page after page after page of unformatted text, probably wrapped to 80 characters.

      ASCII is a fine format for email and config files. It's not an acceptable document format. PDF is, despite what some people seem to think, the best digital document format available today.
    • whatever happened to good old ASCII or ISO text files? nothing says cross-platform like an ISO format

      I'm currently trying to write a parser for ISO8211. Currently it makes me very cross and won't run on any platform. Just because a format has been endorsed by ISO doesn't mean it's either any good or easy to use.

      [Yes, I know there already are two open source ISO8211 parsers out there. Unfortunately they're in C++ and Python respectively and I need one in Java].

  • by Shalome ( 566988 ) on Tuesday October 29, 2002 @01:36AM (#4553871) Homepage
    I work for the DoD (and am lucky enough to work with MITRE folk as well), and we go for the open source solution whenever we can. Why? We're in security. We absolutely NEED to be able to hack our own code whenever necessary. We can't afford to be taken down by any sort of attack, whether it be a worm, virus, or directed attack -- and I'm not talking "afford" in the sense of a dollar amount. We also like to be able to do things like add signatures to our IDSs whenever we feel like it. We often notice and track new virus and worm activity before it "breaks." We can't wait for vendor updates.

    I've sat through meetings with vendor reps where certain office members tore the reps some new orifices. I've heard from a *major AV/Firewall company name deleted* rep "Oh, you use open source FREEWARE! Well, if you want to go with something totally insecure that has absolutely no support and you don't know exactly what the code actually does..." The rep then sat there in stunned silence as the department head launched into a detailed tirade about how every member of the office not only knew what the open source we used did, most of us could re-write it if we needed to. The rep actually blushed and admitted that if we could do that, we didn't need their product.

    Most of our offices do use Microsoft on most of the standard user desktops... but it's open source hacked-to-hell code that runs everything else around here! Well, aside from the gallons and gallons of coffee and Mountain Dew that runs the people...
    • You need to remember that reps aren't *real* people in most cases, and especially in a field like anti-virus, reps are often keen to over-sell products.

      Of course, it's worth remembering (going a little off-thread here), that unpatched open-source software isn't any more secure than unpatched Windows software - IIS can be patched and secured too. A good tutorial on hardening IIS can be found here: mpossible.xml []
    • A DoD guy talking about his knowledgeable co-workers advocating OSS, being powered by coffee and Dew, and whose signature links to a web page whose largest graphic is a Southpark character...

      Is this some other Department of Defense that I was not previously aware of?
    • I'm a DoD contractor too and it's not like that where I work. Here it's windoze, windoze, windoze... except for my BSD FW, Linux/BSD web servers, and a few misc workstations. All of these are kept pretty hush-hush (except the FW), otherwise they'd probably make me reinstall them with win2k... yuck!

      Can I please come work with you? PLEASE!!!!! I'll send you my resume... a couple hundred dollars? Just put in a good word for me ;-) !

  • PDF (Score:2, Insightful)

    by Anonymous Coward
    If they wanted the paper to be in an open format, and still be able to preserve formatting, why not use HTML?
    • Re:PDF (Score:3, Insightful)

      While I utterly and truly hate PDF files with every fiber of my being, it always looks the same no matter what platform you view it on. That's its thing. HTML gets rendered slightly differently in different browsers... so strictly speaking, formatting is not preserved in HTML.

      I don't think I personally know anyone that actually likes pdf files or their associated viewers.
      • by Jordy ( 440 )
        Using MacOS X, I have to say, I love PDF. Of course that may simply be because I can save any document I can print as PDF format and it comes out looking sharp as could be. It may also be because a PDF reader comes with my OS or because of the extremely clear text rendering by my PDF viewer.

        Good for some things, terrible for others, but if you want to distribute a document that prints out the same no matter where you take it, PDF is great.
      • Re:PDF (Score:4, Informative)

        by alannon ( 54117 ) on Tuesday October 29, 2002 @05:25AM (#4554449)
        You hate PDF files with every fiber of your being?

        Good lord! What's with this rabid hatred of the PDF file format on Slashdot? I'm not referring only to this poster, but many others I've read on this story and others.

        Here's what PDF has going for it:

        As the parent poster attests to, it preserves formatting. While this is not always needed to the degree that PDF offers, if you are distributing documents that you intend to be printed, there are few alternatives. In fact, I can't really think of any others at the moment. HTML certainly doesn't count. TeX doesn't count (a tex file can't embed bitmap graphics or fonts inside it). Even Microsoft Word will re-flow your document the moment you open it if you have a different printer selected than the one it was last saved with.

        PDF is based on Postscript, but is really a subset of it and is not covered by any -patents- (I'll get to copyrights in a moment) as postscript most certainly is. This means that with a thin postscript wrapper, you can shove a PDF document at any postscript (level 2 or higher) printer and it will happily print it.

        It is an open standard. How you define open is obviously a matter of great debate. The standard is published by Adobe and anyone can use that document to write a program that creates, reads or processes PDF documents. Adobe retains copyright of this standard, but gives permission for anyone to use it with ONE major stipulation: you cannot use the standard to write a tool that ignores the access controls built into the PDF standard.

        While I don't know the legal details of any of this, I don't really see why it would be illegal to clean-room reverse-engineer the standard to write a tool specifically for this purpose, but seriously, for any legit purpose, you can do whatever you want with it.

        PDF has a growing source of free software tools that can be used to create, render, slice, dice, etc, PDF files. This includes Ghostscript and a fantastic java library called iText. There is also a good C-library called PDFLib that has bindings for C, C++, java, perl, python and perhaps others. It is only partially open-source, though.

        Alright. PDF has this going against it:

        The already mentioned copyright standard issue.

        The PDF file format is not really designed to be easily editable. Pulling apart the bits that make up a PDF page basically involves rendering them using a pseudo-postscript interpreter and turning that into editable objects. I do not know of an open-source tool that lets you do this. iText, ghostscript and the closed portion of PDFLib allow you to pull apart pages from PDF documents and draw atop existing pages.

        When it comes down to it, not only is PDF relatively free, but quite a bit more free than some other formats that are quite popular in the open source community. Take mp3 as an example. It's covered by patents up the wazoo. But until Vorbis takes over the music industry (I, for one, am not holding my breath), that's what we'll have.

        PDF is a little bit of a compromise, but until someone invents an alternative that is compatible with all postscript printers, can embed bitmaps, vector art and even fonts inside the file, looks decent both on screen and on the printer, has a large amount of commercial and open-source tools available... Well... I'm not holding my breath for that either.
  • No surprise (Score:4, Interesting)

    by e5z8652 ( 528912 ) on Tuesday October 29, 2002 @01:45AM (#4553898) Homepage
    I've always wondered about the supposed lack of "FOSS" at DoD. Aside from SE Linux, there are other quite public acknowledgements of support for open source software. From the back of the OpenBSD 3.1 CD case:

    "This effort sponsored in part by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Material Command, USAF, under agreement number F30602-01-2-0537"

    Kind of a big hint that someone somewhere in DoD thinks highly of OpenBSD.

    Of course, this support may have since been reduced or eliminated due to the same pressure that the NSA faced with SE Linux.
  • by burgburgburg ( 574866 ) <> on Tuesday October 29, 2002 @01:46AM (#4553905)
    How well is the MITRE Corporation regarded in general? How well are they thought of by the government in particular? How influential will their word on things be?

    By the way, the document summary shows that it was originally a Microsoft Word Doc titled "Microsoft Word - 3DBD823B-1ABD-0AA6.doc" with the author being www.

    Interesting that the DOD uses GnuPG, Linux, Linux (Red Hat), FreeBSD, NetBSD, OpenBSD, OpenOffice, Perl, Perl CGI Scripts, PerLDAP, PHP, Tcl/Tk and TCP Wrappers, amongst others.

    • by Shalome ( 566988 ) on Tuesday October 29, 2002 @01:50AM (#4553915) Homepage
      quoth the poster: "How well is the MITRE Corporation regarded in general? How well are they thought of by the government in particular? How influential will their word on things be?"

      You're kidding, right?

      On the front page of MITRE's website []: MITRE is a not-for-profit national resource that provides systems engineering, research and development, and information technology support to the government. It operates federally funded research and development centers for the DOD, the FAA, and the IRS, with principal locations in Bedford, Massachusetts, and Northern Virginia.

      Trust me, they're extremely highly regarded and their analysis carries quite a bit of weight.
      • by Jeremiah Cornelius ( 137 ) on Tuesday October 29, 2002 @02:00AM (#4553942) Homepage Journal
        Not only this, Mitre are the origin of the Capabilities Maturity Model - in conjunction with CMU.

        Process and methodology kings, par excellence.

        Do you want to know how to do something right? Do you want to know how to repeat the performance? Mitre are your experts in the field.

        If your organization has a job-title of "Program Manager", there is at least a passing nod to the CMM processes outlined by Mitre, which breaks down all process and initiative into functional program areas.

        • You've never dealt with MITRE have you? MITRE, in my experience, are delay and overbilling kings, par excellence. They charge for this solutions library that you can never access and create some of the most god awful solutions mankind has ever witnessed, and then bury the evidence. Do a search on "Intelligence Training System" or "Sentinal II" on their website and see if you can find the US$50Million of taxpayer money,

    • by Ektanoor ( 9949 ) on Tuesday October 29, 2002 @03:12AM (#4554112) Journal
      MITRE is a DoD child, created in the heat of the Cold War. It was and probably still is one of the best brainstorm centers in the world. And DoD loves it a lot. Besides, MITRE is one of the historic hallmarks on computer development. It was one of the organisations that tightly worked with ARPA in the 60's. So, in some way they can be the aunties of Internet. Many other things we use today were also developed by MITRE. So DoD will probably listen to its giant child.
  • by ronys ( 166557 ) on Tuesday October 29, 2002 @01:56AM (#4553933) Journal
    Open with Acrobat Reader, File->Document Properties->Summary... reveals:

    Title: Microsoft Word - 3DB823B-1ABD-0AA6.doc

    Furthermore, the PDF file was created by [] - which allows one to upload files and have them processed into PDF - 15 for free, more for $$$.

    Seems like they didn't find out that ghostview [] allows you to generate pdf files as well as view them...
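Added example (not from the report, from MITRE, or from any poster): the two posts above found the original Word file name and the name of a conversion service in the report's PDF metadata. The script below reads the Info dictionary of a PDF so those fields can be reviewed before a document is published. The embedded PDF is a constructed sample with made-up values (the Author value "www" is the one the thread reports), and the reader only handles the plain, uncompressed object layout used in that sample; real files may keep metadata in compressed object streams or XMP, which it does not parse.

```python
"""Inspect the Info dictionary of a PDF before publishing it.

Added example, not from the MITRE report or any poster. A PDF's Info
dictionary commonly carries the source document's file name (in /Title),
the login name of whoever converted it (/Author) and the tool chain
(/Creator, /Producer). This reader pulls those entries out of a simple
uncompressed PDF so they can be scrubbed before release. It does not
handle object streams, cross-reference streams or XMP metadata.
"""
import re
from typing import Optional

# Constructed sample: a tiny hand-written PDF whose metadata still
# reveals the source file name and the conversion tooling.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Title (Microsoft Word - draft-report.doc)
   /Author (www)
   /Creator (Example word processor 9.0)
   /Producer (Example PDF conversion service) >>
endobj
trailer
<< /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

INFO_KEYS = ("Title", "Author", "Subject", "Creator", "Producer")


def find_info_object(pdf: bytes) -> Optional[bytes]:
    """Return the body of the object the trailer's /Info entry points at."""
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", pdf)
    if not ref:
        return None
    num, gen = ref.group(1), ref.group(2)
    # "(?<!\d)" keeps "3 0 obj" from matching inside "13 0 obj".
    obj = re.search(
        rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj\s*(.*?)\s*endobj",
        pdf, re.S,
    )
    return obj.group(1) if obj else None


def pdf_info(pdf: bytes) -> dict[str, str]:
    """Extract literal-string entries (the "(...)" form) from the Info dictionary."""
    body = find_info_object(pdf)
    if body is None:
        return {}
    info = {}
    for key in INFO_KEYS:
        # Match "/Key (value)", allowing backslash-escaped characters inside.
        m = re.search(rb"/" + key.encode() + rb"\s*\(((?:\\.|[^\\)])*)\)", body)
        if m:
            raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
            info[key] = raw.decode("latin-1")
    return info


def leaky_fields(info: dict[str, str]) -> list[str]:
    """Names of metadata fields that reveal a source file or the tool chain."""
    flagged = []
    for key, value in info.items():
        lowered = value.lower()
        if re.search(r"\.(doc|docx|xls|ppt|odt)\b", lowered) or "microsoft word" in lowered:
            flagged.append(key)            # source document name leaked
        elif key in ("Creator", "Producer"):
            flagged.append(key)            # tool chain always worth a look
    return flagged


if __name__ == "__main__":
    info = pdf_info(SAMPLE_PDF)
    for k, v in info.items():
        print(f"{k}: {v}")
    print("review before release:", leaky_fields(info))
```

The point of the check is the same one the thread makes by accident: a published document's metadata is part of what is published, and the fields that identify the author's machine, login or upload service are easy to strip once someone actually looks at them.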

  • by AIXadmin ( 10544 ) on Tuesday October 29, 2002 @01:56AM (#4553934) Homepage
    Last I checked the BSD's were first:
    "The General Public License (GPL) is the original FOSS license, and GPL software is simply FOSS software that is covered by the GPL."
    Page 12

    This report is really full of holes. In the chart it says that BSD and Artistic licensed software cannot be combined with closed source software.
  • A funny bit (Score:5, Funny)

    by Vireo ( 190514 ) on Tuesday October 29, 2002 @02:01AM (#4553943)
    On page 22:

    "Ironically, a thoroughly rigorous and systematic ban on DoD use of FOSS could also affect a number of proprietary products that rely on FOSS products that permit incorporation of FOSS into their closed-source products. For example, Microsoft Office uses the FOSS zlib collection of data compression software, and thus could technically be banned as a product that incorporates FOSS software."
  • Weren't they the defense contractor with the absolutely awful security in Cliff Stoll's _The Cuckoo's Egg_?
  • by AIXadmin ( 10544 ) on Tuesday October 29, 2002 @02:03AM (#4553954) Homepage
    The report also makes no differentiation between Open Source Software like FreeBSD, OpenBSD, and Apache; and Free Software which generally always refers to software under the GPL or LGPL. Like Linux, gcc, or GNATS.

    "The word free in FOSS refers not to fiscal cost, but to the autonomy rights that FOSS grants its users. (A better word for zero-cost software, which lacks such rights, is freeware.) The phrase open source emphasizes the right of users to study, change, and improve the source code (that is, the detailed design) of FOSS applications. Software that qualifies as free almost always also qualifies as open source, and vice versa, since both phrases derive from the same set of software user rights formulated in the late 1980s by Richard Stallman of the Free Software Foundation."

    The writer of this report does not make a differentiation between Open Source and Free Software. He calls things under a BSD license with no cost, and no restriction on rights, freeware. (Freeware does not mean OSS. Freeware is closed source software, that is given away at no cost.) While in the next sentence pushing the view that all OSS is GPL'ed.

    This report is a grave disappointment.
    • by Ektanoor ( 9949 ) on Tuesday October 29, 2002 @02:58AM (#4554079) Journal
      You didn't get the point. The problem this report tries to cover is not about costs but about the ability to control the software you use. And that's what DoD is concerned about. And the report notes that DoD is damn dependent on FOSS:

      The main conclusion of the analysis was that FOSS software plays a more critical role in the DoD than has generally been recognized. FOSS applications are most important in four broad areas: Infrastructure Support, Software Development, Security, and Research. One unexpected result was the degree to which Security depends on FOSS. Banning FOSS would remove certain types of infrastructure components (e.g., OpenBSD) that currently help support network security. It would also limit DoD access to and overall expertise in the use of powerful FOSS analysis and detection applications that hostile groups could use to help stage cyberattacks. Finally, it would remove the demonstrated ability of FOSS applications to be updated rapidly in response to new types of cyberattack. Taken together, these factors imply that banning FOSS would have immediate, broad, and strongly negative impacts on the ability of many sensitive and security-focused DoD groups to defend against cyberattacks.

      I don't see where your disappointment comes up. The report shows that both OSS and FreeSoftware are the major players in DoD sectors (well I would be very admired if they wouldn't). Besides, it shows that all this FUD from M$ is a national danger to the US (and I would be HIGHLY admired if it wouldn't). Apart from some gaffes the report is superb.

      Time to put Redmond on the rough nations list...
    • by Anonymous Coward
      you are -1 silly, not +1 insightful....

      The report also makes no differentiation between Open Source Software like FreeBSD, OpenBSD, and Apache; and Free Software which generally always refers to software under the GPL or LGPL. Like Linux, gcc, or GNATS.

      you're repeating a distinction which is usually made only for the purposes of criticizing the GPL. All the software you mentioned is Free Software []. It all grants you certain vital rights, such as the right to copy and the right to inspect and change. to repeat.. there is no distinction to be made. some of them are GPL-incompatible, and many are not copyleft ("viral") but this is not important for this paper.

      also, from a user's point of view, this is mostly irrelevant. the "license wars" are between developers. to users, they grant the same freedoms.

      finally, from the distant and unpleasant vantage point of most proprietary software, the gpl/non-gpl are pretty much identical. really, for most people, being able to copy the software at will is mind-boggling. "how do they make money", etc.

      He calls things under a BSD license with no cost, and no restriction on rights, freeware.

      No, he points out the distinction that "zero-cost software" which DOESN'T grant you the FOSS rights is NOT FOSS! This is an important and subtle distinction, because it's not just about price, but freedom to do certain things. I'm impressed by their understanding. I think you misread it.

      While in the next sentence pushing the view that all OSS is GPL'ed.

      no, it just says that they are very similar, and they both came from Stallman's ideas. which is still correct. open source is a weaker form of free software, but usually they grant you the same basic rights.

      For the purposes of this document, it is completely correct and appropriate to mix OSS and FS together, and to concentrate on freedom rather than price.

      i think the document is peachy keen, and it gives me a fat chubby.

  • by Anonymous Coward on Tuesday October 29, 2002 @02:19AM (#4553999)
    I work in the trenches so-to-speak.

    The good news is that the DoD is paying attention to Linux in a big way. Undoubtedly, Solaris, HP, and SGI were among a few of the favorite big ticket items that the DoD likes to purchase. However, there is a small number of people who are using linux. We're expecting that number to grow.

    Mitre gets it -- they're pretty smart folks. But does the rank-and-file military? By and large -- no -- although there's more currently than say 18 months ago. Some are still caught up in the security problems linux has. Others are just ignorant by calling it "freeware" -- when linux really rises to a level above the typical "freeware" moniker.

    The military is really a bargain buyer -- yes they don't want those M16's to explode -- but they don't want to be bled dry for a shoddy system, either. Especially when they have to report to a congressional subcommittee explaining why they blew billions of taxpayer dollars on incompatible systems.

  • by u19925 ( 613350 ) on Tuesday October 29, 2002 @02:31AM (#4554025)
    The BSA has asked MITRE to conduct internal software audit or pay 10 Million dollars.

    The DoD has been asked to conduct internal software audit or trash MITRE report on FOSS.

  • GNAT is part of GCC (Score:5, Interesting)

    by norwoodites ( 226775 ) <pinskia@gmai[ ]om ['l.c' in gap]> on Tuesday October 29, 2002 @03:18AM (#4554122) Journal
    Yes, that is right: even though the paper makes it sound like GNAT is a separate project from GCC, they are now one, GCC (GNU Compiler Collection). Their description says they are one now but I think this description was copied from each of their web sites.

    Also, is RTLinux no longer considered free software, because it restricts more than the GPL due to patents?

    Also, it looks like they do not use csh at all, which is under the BSD license, or pdksh, which is in the public domain; they are the default shells on OpenBSD.

    They also missed Binutils from GNU, which is the assembler and linker for most open/free operating systems.

    Also, are there not versions of sed and make and m4 and top that are under the BSD license?

    Is perl not dual licensed, GPL and artistic?
  • by magi ( 91730 ) on Tuesday October 29, 2002 @03:59AM (#4554211) Homepage Journal
    The document is an enjoyment to read. It has a few pearls which are especially enlightening. One of these is a table illustrating the actual freedoms and restrictions placed by various licences, for example the GPL and Microsoft's MIT EULA:

    "Properties (a) through (e) in the table examine the ability of a license to co-exist with other types of software, e.g., the ability of FOSS licenses to co-exist with proprietary software. In this category, the most exclusive license is easily the Microsoft MIT EULA license, which prohibits a number of FLOSS licenses from co-existing on the same platform as the EULA software. No other FLOSS or proprietary license encountered during the survey came close to this level of exclusivity. The GPL takes a very distant second place for exclusivity, since it forbids design-time incorporation of GPL source code into non-GPL source code. However, unlike the Microsoft MIT EULA, the GPL places no constraints on software simply running on the same system, and actually goes out of its way not to intrude on other licenses outside of that context."

    I didn't even know Microsoft has that restrictive license. It says here that it "Specifically bans use of: GPL, LGPL, Artistic, Perl, Mozilla, Netscape, Sun Community, and Sun Industry Standards."

    Microsoft's site [] shows the license. It's really true. This particular EULA seems to be for a "Microsoft Mobile Internet Toolkit Beta 2". They actually call OSS "Potentially Viral Software" in the license.
    • The DoD is under tremendous pressure to have Microsoft blessed as the only products they use, as Microsoft has learned how to lobby and started throwing lots of money at this. The government is a huge purchaser of systems, and there are many legacy things out there. Since the past 10 years or so have brought many fresh college grads into the workforce, many of whom only know Microsoft products, there is pressure on the technical selection folks to replace with Microsoft since those precious MCSE's only know these platforms.

      This report is probably an effort to build some evidence and support on why wholesale replacement of everything with off the shelf would add costs and hurt national security. Probably also explains IBM's (and others) shift to support Linux and variants over the past few years as they saw Microsoft tactics refined.

      And, Microsoft's more recent license agreement language seems pointed at providing a legal reason why they need to be the only platform, since there are no technical reasons.
    • especially slimy (Score:3, Interesting)

      the Microsoft MIT EULA

      What I find really distasteful is the above phrase's incorporation of "MIT". Microsoft tries to pass it off as standing for "Mobile Internet Toolkit", but personally I believe it was intended to sound like (and evoke the favorable sentiments associated with) the Massachusetts Institute of Technology AND the associated, like-named OSS license.


  • Bio of the author (Score:3, Informative)

    by benploni ( 125649 ) on Tuesday October 29, 2002 @11:35AM (#4556411) Journal
    It was written by:

    Terry Bollinger

    The MITRE Corporation
    1820 Dolley Madison Blvd.,
    W534 McLean, VA, 22102, USA

    Terry Bollinger currently works at The MITRE Corporation, where he focuses on distributed software and hardware architectures issues for U.S. Department of Defense information infrastructures. He is an editor for IEEE Software, and was one of two Special Editors for the Jan/Feb 1999 issue of IEEE Software on Linux and open source software methods.

    Terry has had extensive experience at all levels of software development in the telecommunications industry, at NASA, and for the U.S. Department of Defense. Especially while working in the telecommunications industry, he has had extensive hands-on experience with both a wide range of software construction methods and approaches, and with the consequences of trying to apply some of these methods in "realistic" environments in which there is a typical spectrum of developer experience (e.g., what happens when C++ is applied in an environment consisting almost entirely of long-term functional C programmers). Terry also has a strong background in software reusability and software process, including an IEEE Software Best Paper on why software process improvement doesn't always give the kinds of results advertised, and is intrigued by the issue of why some programmers seem to be so much better at producing high-quality, stable code that endures over time. In terms of software construction issues, he is both highly familiar with the overall set of techniques involved (including newer methods such as graphical component based programming), and is strongly supportive of the need for good methods while also being healthily skeptical about a lot of the claims made for various software construction methods and tools.

    Terry has M.S. and B.S. degrees in Computer Science from the University of Missouri at Rolla, and has been a member of IEEE for 23 years.
