Open Source In the National Interest
munchola writes "A new report from the Department of Defense's Advanced Systems and Concepts Office recommends that the DoD move to adopt open source software and methodologies as well as open standards in order to make the most efficient use of internal resources. According to CBR, the report states that a move to 'Open Technology Development' is not only in the U.S. national interest, but in the interests of U.S. national security. OTD incorporates open source methodologies and open standards, but also takes into account the fact that the DoD has systems that it would rather keep secret."
Yay! :) (Score:3, Funny)
Bring the fireworks!
Re:Yay! :) (Score:2)
Supplied by Raymond?
What Would Shelley Do! (Score:2)
2 words. (Score:3, Insightful)
This all makes now but... (Score:5, Insightful)
Re:This all makes now but... (Score:2)
Re:This all makes now but... (Score:2)
How about demand and get a hundred billion more dollars?
Has the DoD ever done any wrong in the eyes of the administration or any body of congress other than the GAO?
Re:This all makes now but... (Score:3, Interesting)
"Always remember... (Score:5, Insightful)
That's a relatively old joke in the Military, and a relatively sick one when you consider the problems of faulty weapons (e.g. exploding in your hands). But it points to something pretty basic. When it comes to things the DOD is rewarded for going cheap. This doesn't mean that they won't but they are rewarded for trying. In this gig Microsoft is at a disadvantage as their competitors are a) Free, and b) can be taken under total control by the DOD. Remember that in-house changes to GPL'd code need not be released. Microsoft on the other hand is likely to worry about in-house changes to their stuff (e.g. document security restrictions for Office).
While I doubt Stallman will be welcome any time soon keep in mind that Theo de Raadt and the other BSD people have been welcomed (and financed) by the DOD before now. Ditto things like SELinux. In many ways this is only surprising because it took so long for them to say openly.
Re:"Always remember... (Score:4, Interesting)
"Nessus is unapproved software, we only allow xxxxxx(closed source) security scans to lock down your UNIX servers"
Yes I work for the DoD.
Re:"Always remember... (Score:2)
Is the IP of his personal workstation publicly routable? I'm sure a few people would like to run Nessus...um, I mean some unapproved software against it.
How much personal stock in your DOD-approved Vendor of the Month(tm) does your security officer own? Seriously, if there is a widely distributed 100% free tool used by people knocking at your doors Right Now, why is your (in)security officer too stupid..
Re:"Always remember... (Score:2)
This [independent.co.uk] really isn't a shocker to me!
Re:"Always remember... (Score:2)
Yes, with the Free in point a) directly facilitating point b). Financially, the largest cost of any such project is in the systems integration work, leaving no competitor at a particular disadvantage.
Aside from the positive endorsement associated with this adoption by the DoD, the F/OSS community stands to gain very little: as the DoD aren't in the business of redistributing
Re:This all makes now but... (Score:4, Insightful)
Except a few million is peanuts to the DoD. Their budget for 2006 was well over $400 Billion. I think they're going to make whatever decision will benefit them most, regardless of the cost.
Re:This all makes now but... (Score:2)
NEWSFLASH (Score:4, Insightful)
Re:NEWSFLASH (Score:2)
As long as it takes for current systems to become obsolete. There are better things to spend taxpayer money on right now than a full-scale system switch-over to OSS just because.
As desktop computers need replacing, use Linux. As servers require replacing, use OSS as well. As for the immediate - go with what's already in place.
Re:NEWSFLASH (Score:3, Insightful)
The all-diesel thing is a hardware problem, and military hardware isn't cheap.
Who cares? The obvious has been stated. (Score:3, Insightful)
Govt. IT is highly fragmented. It took 20 years for DOD to switch to all-diesel. How long to switch to open-source?
Penis Cleaver, what a cute name you have. Oh well, it's worth the time to answer your silly question.
Intention is more important than time here. Now that the US DoD has realized and proven the obvious, they will do it as they need to.
The rest of us can continue the migration and have fewer problems doing it. We can now point to it whenever we run into "Get the Facts" nonsense that M$
Re:Who cares? The obvious has been stated. (Score:2, Insightful)
You sound just as bad as the MS apologists. The fact of the matter is you can deploy decent solutions in either open source or closed source, and if you know anything about IT problems in govt you would realize that neither will cure the disease that ails it. You open source gu
Re:Who cares? The obvious has been stated. (Score:2)
Between the government stating the obvious, DRM and corporate rip offs, M$ is losing most of its fan base.
Are they? Lots of people (outside Slashdot) are very eager to get their hands on Vista. Windows is still very widely used due to its support for games, its supporting the only fully usable office suite available and its instant accessibility to most computer users around the world. As far as it goes, people don't care about DRM, because it doesn't actually affect them; for peop
Re:NEWSFLASH (Score:2)
The anti-OSS people do have one point. (Score:5, Insightful)
The solution for OSS is simple. Any OSS software that goes into a Command and Control system needs to have its source code audited by an independent authority.
Of course the same thing should be done with any software that goes into a military, aerospace, or any other mission critical system. In this case OSS does have a clear advantage in that the end user can select any group to perform the code audit instead of depending on the vendor.
Of course if the military does a code audit on Linux they would have to contribute back the patches so it is a win win situation.
Re:The anti-OSS people do have one point. (Score:5, Interesting)
The solution for OSS is simple. Any OSS software that goes into a Command and Control system needs to have its source code audited by an independent authority.
Unfortunately, it's not as simple as auditing the source code. You also need to have complete control over the compiler, as implemented in machine code. For example, see Ken Thompson's comments [acm.org] on how to embed self-replicating code into a compiler so that every program has a back door.
Re:The anti-OSS people do have one point. (Score:2)
Re:The anti-OSS people do have one point. (Score:4, Insightful)
Re:The anti-OSS people do have one point. (Score:2)
Re:The anti-OSS people do have one point. (Score:2)
MAY need to worry about this?
How about CERTAINLY HAVE TO worry about this.
I sure hope the NSA and CIA are making sure no spies or other subversive elements are putting anything bad into the chips at Intel, AMD, etc.
Due to excessive
Countering Trusting Trust (Score:5, Informative)
Verifying code (Score:2, Informative)
The chicken-and-egg problem is a big problem. If you need to verify the security of a system, you need to have written the compiler, from scratch. You cannot rely on a third-party tool, unless you can verify the compiler executable (not its source code). The article also notes that the problem is even worse: you need to verify that the hardware implementation of the instruction set is correct.
Don't get me wrong, I think that open-source is important. It just doesn't provide any absolute guarantees.
Re:The anti-OSS people do have one point. (Score:5, Insightful)
Only if they distribute it outside their organization, which in this case could be probably construed as the US government and the military and national guard.
Re:The anti-OSS people do have one point. (Score:4, Insightful)
This is hardly anything new. Look into how the DoD funded the development of the Internet (aka ARPAnet).
Actually, in most cases they didn't even develop their own patches. Rather, they told their academic and industry fundees about the problems in the latest code, let the hackers work out a solution, took the code for their own uses, and left it in the public code base for further use and development.
Yeah, they probably did a bit of development on their own, but the evidence is that there hasn't been as much of this as you might expect. The military has found the academic hacker community to be a much better testbed for most of the code, and a lot cheaper than trying to debug changes in a military setting. As long as the crypto stuff is highly modular (and it is), it's a lot more effective to just leave the code development in the public sector, where there are lots of eyes and people happy to show off their expertise by doing the hacking that a strictly-managed power structure finds highly distasteful.
For a feel of the US government's relationship with the linux part of the open-source community, google for "secure linux" and do a bit of reading. There's a lot going on there.
Re:The anti-OSS people do have one point. (Score:2)
And yes; a lot of DoD systems do get code-reviews by independent organizations (like Mitre.org, and Aerospace Corp.).
Re:The anti-OSS people do have one point. (Score:2)
I have a sneaking suspicion that "State Secrets" privilege trumps GPL, since, you know, it trumps every other law in the land.
Re:The anti-OSS people do have one point. (Score:2)
Re:The anti-OSS people do have one point. (Score:5, Insightful)
'Course...for the really paranoid type...I would like to point out that the DoD has played very large roles in quite a few other critical areas that I'm sure everyone holds near and dear...vehicles, aircraft, radar, computers, oh and that intarweb thingy...DARPAnet and all.
DoD has had a pretty good history of providing goodness to the populace as well as all the negative that people like to focus on. DoD doesn't start the fight...politicians do, remember that next time you see a service member. They bleed for the good causes, and the bad causes...it's the leaders that determine what causes they are going to bleed for next.
Re:The anti-OSS people do have one point. (Score:2)
People seem to forget that the military go where the officials we vote into office tell them.
Re:The anti-OSS people do have one point. (Score:4, Insightful)
The statement that people could introduce malicious code into Linux that then makes its way into secure systems. Of course with companies outsourcing programming jobs to other countries the same thing could happen with a closed source system.
American programmers are just as capable of introducing (intentional) bugs as foreign programmers.
Of course the same thing should be done with any software that goes into a military, aerospace, or any other mission critical system. In this case OSS does have a clear advantage in that the end user can select any group to perform the code audit instead of depending on the vendor.
The US armed forces have enough spending power to convince even Microsoft to pony up the source code. And they do.
Of course if the military does a code audit on Linux they would have to contribute back the patches so it is a win win situation.
Under the GPL, you only have to contribute patches if you distribute your modified code to third parties. The result of a code audit might also just be "don't use module X", in which case there's nothing to patch.
The way I read it the article is more about encouraging DoD programmers to be more like the open source community in sharing programs, ideas and sourcecode with each other, rather than continually reinventing the wheel.
Re:The anti-OSS people do have one point. (Score:2)
I wonder how often they actually recompile the code and verify that it's byte-for-byte identical to the binaries that Microsoft sent them.
This is, of course, usually straightforward with any unix-based software, where often all you need to do is cd to the right directory and type "make", then run diff on the output and the delivered binary. I know from experience that it's usually not straightf
Re:The anti-OSS people do have one point. (Score:2)
>it holds the potential to reduce software purchasing and development costs.
and to improve security. The Naval Academy has held "hacking" exercises. How about a code auditing exercise? At the end of that, the graduating officers will be much harder to hoodwink about software security.
>Of course if the military does a code audit on Linux they would have to contribute back the patches
Only if they distribute the binaries outside their organization.
Re:The anti-OSS people do have one point. (Score:3, Insightful)
Remember, it is the Generals who ultimately sign off on these large scale decisions, and not many of those come from the Engineering ranks (to get high office you usually have to serve in combat positions... generally a good idea, but might
Re:The anti-OSS people do have one point. (Score:3, Insightful)
No, they don't have a point. (Score:2)
I guess you didn't read all my post? (Score:2)
No they don't. (Score:2)
Show me the section of the GPL that stipulates this.
Don't bother, it isn't in there.
The Government (or any contractor) is under no obligation to release the results of any derivative works back to an upstream source. If a contractor like Northrop Grumman did do a code audit and made patches, they'd only have to release these improvements to the customer (DoD). DoD could take or leave
Re:No they don't. (Score:2)
I should have said that they would probably contribute back the patches.
Aaah. Yes. (Score:2)
Why let your competitors enjoy the fruits of y
Re:Aaah. Yes. (Score:2)
I will admit that there is some software that I just don't think needs to be released. Almost any DSP code for sonar or radar, a large section of Aegis code should probably be kept under wraps as well.
What percentage of the code will get contributed back? Who knows?
I would say IBM is an exception to the rule. (Score:2)
Northrop Grumman, Lockheed, TRW, etc. live and die by Govt. contracts and are not interested in new-fangled web-to-oh and wikiki-macalits or anything else "trendy" in the computing world. They have no relationship to maintain with the computing public at large, if you will.
I would wager that the use of OSS internally and for the customer is due to close relationships with Uni. labs and the graduates that come into those workplaces who know the territory.
But you kno
No they don't (Score:2)
Forget outsourcing. Software companies that don't manage their development process closely enough (and that's most of them) often end up with unauthorized features. Usually they're added because somebody thought they were cool, but backdoors are not unknown.
I used t
Re:The anti-OSS people do have one point. (Score:4, Informative)
Re:The anti-OSS people do have one point. (Score:2)
Security thru obscurity is like trying to hide your fortification in the bush: it hides you, but you don't know how well and you don't know if your enemy uses your cover for undetected infiltration into your perimeter, too. In other words, you may have a false sense of security or put too much unnecessary effort into maintaining secrecy, ending in paranoia. Therefore it is good when you have a clear situation and can focus on secrecy of only those things you need secret
Re:The anti-OSS people do have one point (or not) (Score:2)
US companies have people working for them that have no security clearance and could easily be a foreign agent. If anything, the commercial code is more at risk, because there's no independent review of the potentially compromised code. At least if someone's contributing to Linux you know somebody's looking over their patch. With a proprietary company, wh
Re:The anti-OSS people do have one point. (Score:2)
Sandia Labs does a lot of GPL work. As a premier weapons lab, they have some bright people who write good code. MPQC [mpqc.org], for example.
Re:The anti-OSS people do have one point. (Score:2)
Wasn't it closed source software (Score:2)
Re:Wasn't it closed source software (Score:2, Insightful)
Why is this? Because 99% of these systems were done in closed source. If they were done in open source than open source applications would be blowing up pipelines and rockets.
Training (Score:3, Informative)
They've been using OSS for years (Score:4, Interesting)
Too many cooks spoil the broth (Score:3, Insightful)
For example, is it good or bad that JavaScript has implicit typing? Many developers want explicit typing, and call implicit typing "lazy". I can barely have a conversation with a group of fellow geeks without getting shouted down on this topic. The problem with group-anything is that group-think will prevail. To quote one of my favorite posters from demotivators.com, "Meetings: None of us is as dumb as all of us".
In addition, alternative languages and tools tend to be stifled in so-called "open" (read group) environments, because the rest of the group immediately pushes to have the alternative tool or environment removed, unless the group agrees that it is a good idea. Is that the way inventions are made? No. Inventions are made by a single person with a radical idea avoiding all the intervention/interference, naysayers, etc. and presenting that idea DESPITE the opinions of others. I can see opening source after the fact for auditing and suggestions, but not for development.
It seems that a lot of the open source push has been a reaction to the fact that many of the development tools we use are not at a high enough level of abstraction. If you abstract away from code and languages where you are doing your own memory management, one would think that you would experience fewer memory-related programming issues. What kind of issues are most often discussed with open-source development? Exploits, buffer overflows, etc. I can see the database engine being open source, which would help with dealing with injection attacks, but the rest of the application (where the money is) can't possibly benefit from having lots of people "helping out".
Imagine the entire cast of The Food Network making soup together at the same time. "None of us is as dumb as all of us".
Re:Too many cooks spoil the broth (Score:2)
Yes, that's why everyone in the entire Free Software community has completely standardized on -- for example -- GTK. Obviously, Motif, QT, Swing, WxWidgets, TK, etc. are all figments of your overactive imagination.
Re:Too many cooks spoil the broth (Score:2)
Re:Too many cooks spoil the broth (Score:2)
Inventions aren't always made by single people, either. Unless you think that, say, the CPU in your computer is made by a single-person enterprise. Or that things like Teflon weren't made in a research environment with other people.
The open-source push is because it keeps the process open. Anyone can add to it if they feel like it, and yes, it is controlled b
How is this different from closed source? (Score:2)
How on Earth is this different from working for a company on a closed-source project? In fact, such a decision to stifle an alternative tool is frequently made by non-programmers in a closed source environment or by higher-ranking programmers in an ent
Re:Too many cooks spoil the broth (Score:2)
How is that any better?
Comment removed (Score:4, Insightful)
The point everyone seems to have missed... (Score:5, Insightful)
This is the time that Open Source activists and promoters need to run with the ball. Draw the attention of CEOs and business executives to the fact that the DoD advocates Open Source. Show them that we're not talking toy software. Show them that this isn't about not wanting to spend money. (Since when was the DoD afraid to spend money?) This is about an innately powerful method of developing high-grade - even military-grade - products that do what people actually need done.
We couldn't ask for better, but only if those outside of the IT industry actually hear of it. If only those who already accept the strengths of Open Source know that someone else has also decided it is a good solution, then that decision means nothing. Particularly as the DoD is very unlikely to do anything about it. It'll just be a decision. But if the business community got shown this... That would be a whole different ball-game.
Re:The point everyone seems to have missed... (Score:2)
So you're telling me that Darl McBride was wrong? No! It can't be!!!!!
We use open source in NM state gov. (Score:5, Interesting)
This is the real beauty of open source in government, not leveraging the work of others by running open source systems, but leveraging the large development force that most governments have to share in house apps with less of the usual inter-agency squabbling. An agency that might be wary of using a non open source application developed by a rival agency will be less wary of using an open source app that just happens to be developed by said rival. Instead of reinventing the wheel, in house development staff can cooperate with other staff in other agencies.
That the DoD would recommend open source is exciting, because it really is a good fit for government agencies. Believe it or not, our little state government IT department is better run and more on the ball than most IT departments that I have worked for in big corporations. Moving to Linux hosted on blades running VMWare has freed up a lot of resources to plan for the future that used to be used in just putting out fires.
You should use SCO OpenServer, UNICOS, and Ultrix (Score:2)
Re:You should use SCO OpenServer, UNICOS, and Ultr (Score:2)
The last point you make sounds suspiciously like the excuse an abuser would make. Sorry if you were a bad parent and someone took your kids away. Doesn't negate the good work we do.
Re:You should use SCO OpenServer, UNICOS, and Ultr (Score:2)
Re:You should use SCO OpenServer, UNICOS, and Ultr (Score:2)
Re:You should use SCO OpenServer, UNICOS, and Ultr (Score:2)
You can retroactively determine danger if and only if the family is not destroyed. On occasion, this makes for bad press. There is no way to determine how many decent families have been destroyed.
The concept of "innocent until proven guilty" does mean that a few evil people (serial killers, terrorists, rapists,
Re:We use open source in NM state gov. (Score:2)
WGA - when other governements follow? (Score:2, Insightful)
I'm not so sure I agree.... (Score:2)
Re:I'm not so sure I agree.... (Score:2)
I've been freaking telling my bosses (O6s) (Score:2)
awesome (Score:4, Funny)
From: Kim Jong Il
To Whom It May Concern,
In accordance with the terms of the GNU General Public License, I'd like to receive a copy of the source code for your Pacific-based Ballistic Missile Defense System. I do not require it in CD form; please simply email it to me at the above address (k.il@korea-dpr.com).
Thank you for your prompt fulfillment of your obligations under the GPL.
Sincerely,
Kim Jong Il
Re:awesome (Score:2)
Re:awesome (Score:5, Funny)
Mind you, the DOD is under no obligation to give the source to random members of the public, only those who received binaries... So he would have to wait until he got one of those missiles distributed to him first :-)
awesome, ill-informed Troll that is, if funny... (Score:2)
The US government would not be required to honor this request _UNLESS_ they had already distributed the binary for same to KJI.
See, if I make a distribution of something based on someone else's GPL code, I _only_ have to distribute the sources TO THE PEOPLE I DISTRIBUTED THE BINARIES TO. I don't owe anybody else anything at all under the GPL.
In fact one basic technique is to distribute the sources with the binaries and then rely
Re:awesome, ill-informed Troll that is, if funny.. (Score:2)
Uh... no. -1 Wrong, because with the GPL you are only obligated to distribute source code when you distribute binaries, and then only to the people you distributed said binaries to.
So in your hypothetical scenario, the contractors would be obligated to send a copy of the source code to w
minor quibble (Score:2)
Although I agree with almost everything you said, I have to quibble with this part. If the contractors hold the full copyright on the code in question, then they would be under no obligation to anybody! The GPL is not binding on the actual copyright holders, except as promissory estoppel against infringem
Re:awesome, ill-informed Troll that is, if funny.. (Score:2)
No, apparently you don't.
> "The premise of my joke was that the DOD had directed its contractors to develop missile defense systems under the GPL free software license, and was then obligated as a customer of those contractors to release the code."
Proof positive that you don't understand the GPL.
First and foremost, such software would almost certainly be a work-for-hire, and the copyright would presumably go
Dear Mr. Il (Score:2)
Thank you for your interest in our Pacific-based Ballistic Missile Defense System (PBBMDS). The source code for the PBBMDS is only distributed with that system. We do not entertain requests from third parties to provide the source code. You may have been confused by reading clause 3b of the General Public License (GPL), however, we distribute the code under the terms of clause 3a of the GPL, which incurs no obligations to third parties. If you have received binaries of our code without
Not recommending open source software (Score:4, Informative)
Actual Report (Score:3, Interesting)
Haven't made it through the whole thing yet, but FTR:
The business model of purchasing physical goods and services has served DoD well in the past; but it falls short when applied to software acquisition. By treating DoD-developed software code as a physical good, DoD is limiting and restricting the ability of the market to compete for the provision of new and innovative solutions and capabilities. By enabling industry to leverage an open code development model, DoD would provide the market incentives to increase the agility and competitiveness of the industrial base. Currently within DoD, there is no internal distribution policy or mechanism for DoD developed and paid for software code. By not enabling internal distribution, DoD creates an arbitrary scarcity of its own software code, which increases the development and maintenance costs of information technology across the Department. Other negative consequences include lock-in to obsolete proprietary technologies, the inability to extend existing capabilities in months vs. years, and snarls of interoperability that stem from the opacity and stove-piping of information systems.
Absolutely.
There are over 100,000 publicly available open source projects available spanning most functional areas. Many of these projects provide mature and robust solutions in their areas of focus. When possible, OSS components should be leveraged rather than funding the development of equivalent proprietary components for specific programs.
Damn Skippy!
Challenges: Culture and Process
The primary challenges to this transition will be cultural, not technical. Over time, government acquisitions and development processes have built a bureaucracy and rewards system that encourages and supports the status quo. Careers are advanced primarily on program size, not necessarily overall efficiency. Furthermore, government contractors are measured by revenue; government program managers are measured by the size of their organization and their overall budget. The canonical government contracting process creates high entry costs for small innovative companies -- the established contractors attempt to control their positions through proprietary implementations and interfaces. The system is very good at protecting itself -- new approaches, such as OTD, will have to endure legal, security, and process challenges. The current infrastructure will attempt to delay change, claim they are adapting by trying to assume control of the innovative process.
My Favorite Quote is in the DOD report.
There is one thing stronger than all the armies in the world, and that is an idea whose time has come.
-- Victor Hugo
All in All, I'd say the guy in charge of this report knows his stuff and I for one, welcome our new OSS-using DOD overlords.
The Mitre corp told them this in 2002! (Score:2)
You can read the whole thing here [egovos.org]. So, it's taken four years for the DoD to finally put in place an official policy encouraging the use of FOSS when the guys in the trenches have apparently been doing so routinely for about a decade. Typica
This is news? (Score:2)
The military security folks have been saying for decades "Don't run any software unless you have the source code all the way down, plus the circuit diagrams. If you don't, you have no idea what might be hidden inside."
So the DoD's decision makers are listening to their security experts?
I guess maybe it is news.
having source != Open Source (Score:2)
Open Standards doesn't mean LINUX only (Score:2)
Re:US Gov. Mandates ODF (Score:2)
Re:Wait a minute! (Score:3, Informative)
Re:Wait a minute! (Score:2)
Re:I look forward... (Score:2)
Re:I look forward... (Score:2)
As opposed to the Communist 1 1/2 party state that it is today?
I look forward to a day when the US is at least more Democratic. I think we already have much of the Socialist part already.
Re:bahumbug! (Score:2)
Pretty soon it's clear that it's better for everyone to have the blueprints of a secure system than for only your vendor to have the source of a closed system. Obvious, that is, unless you're stupid, a troll, or both.
$500 was a damn good deal (Score:2)
BTW, the "hammer" was a calibrated device that could be adjusted to limit the impact. This presumably avoids damaging something that would be very very expensive t