White House Checks Out Open Source

Floris writes "The White House goes Open Source? It sure seems that way! (credit for the link goes to LinuxToday)" The story quotes "a senior White House official." Federal Times, which ran the article, is generally a pretty reliable source of "insider" government news. And I've been to some meetings of the DC LUG mentioned in the story and it's full of staunch Linux advocates who are busily infiltrating Linux into the government agencies where they work. Nice to see they're finally getting some attention from the higher-ups.
  • by Anonymous Coward
    According to the most recent Gartner Group study, the costs of moving to windows 2000 will range up to $3,000 per PC for large organizations using win9x. $1,200-2000 for winN't based PC's. The projected break even point when the transition supposedly will start saving more money than it costs =THREE YEARS OUT! (assuming nothing else changes)

    If you work in government, please let your PHBs know about this study --and about Linux and StarOffice.

  • by Anonymous Coward
    Balmer has also said that Microsoft is considering making some of its software "open-source".This is how MS has traditionally responded to competition--announce a future "feature" already offered by a competitor. This technique has been used to stifle competition by relying on timid human nature to hold out for future promises from a trusted pimp^h^h^h^h dealer^h^h^h^h^h^h vendor--MS--instead of going with what is already available. This is the age-old Microsoft vaporware technique.
  • by Anonymous Coward
    "Established by law in 1947 as a body of cabinet-level officials, the National Security Council (NSC) advises the President on national-security policy. Its role was expanded during the Eisenhower administration, when a relatively small NSC staff organization was created to serve as a secretariat coordinating foreign policy."

    From here [centerfordiplomacy.org].
    (Sorry, but I was too lazy to make the above paragraph more readable.)
  • by vipw ( 228 )
    Server: Netscape-Enterprise/3.6

    looks like they are using the Netscape Enterprise server to me. I am not sure where you came up with them using apache.
  • I like the part about how they're concerned about "excessive reliance on Microsoft software". That alone has to tell you something.
  • ...Microsoft has been considering making some of its software products open source for two years."

    Two years, eh? That's a real good license. I'm just dying to work on code that's open for 2 years.

    I believe you may have misinterpreted that.
    IMHO he was saying they have been considering it for two years already.
    People are getting clueful... a certain company is in for a good hard spanking.

  • Congratulations! Now every teenage hacker type who works on a kernel patch or device driver is a "system analyst"!

    You oughtta put that on your resumé...

    I would.

    There are many people out there who have 'Systems Analyst' on their business cards that don't have the skills to contribute to a kernel patch or device driver.

  • The main problem with the media (and therefore the general public) believing that Linus wrote GNU/Linux is, as I see it, that Linus getting hit by a bus will scare the sh*t out of people.

    _If_ Linus decides to stop working on Linux, or he gets hit by the famous bus, the general public will think that the sole person who is developing this great ``new'' promising system is gone, and therefore any further development is stalled.

    We all know that this is not the way things are. But if the general public, believes it really is so, we may see companies abandoning Linux, ultimately making Linus _the_ central person of GNU/Linux (or open source in general) development.

    The power of PR should not be underestimated. Now that the media already has the wrong picture of how open source works, we're in a hurry to seek to rectify that view.

    This may be a good reason to insist on calling a Linux system a GNU/Linux system. To emphasize that it is not just the system written by some crazed Finnish communist student with too much spare time on his hands, or whatever it is the media seems to believe.

    Stallman may be more justified in his insistence on the GNU/Linux labelling than we would normally agree he is.
  • Forgive me if I'm being ignorant, but what's wrong with the statement you quoted (other than the misspelling)? Wasn't Linus the original creator of Linux? And isn't the code scrutinized and tested...blah blah blah?

    It doesn't say Linus wrote everything -- only that he created Linux. Last time I checked, he did.
  • The specs are pretty tight in what hardware you're using, too. For a system to pass any of the tests NT has been certified to, you can't for example have a floppy drive in the machine.

    I haven't seen this advertised anywhere by MS. :(
  • "Zaman added that Microsoft has been considering making some of its software products open source for two years."

    Could this mean that Microsoft has, for the past two years, been considering open-sourcing some of their software?

  • The article specifically quotes an MS official as saying that if the NSA asked for source for "national security reasons," then MS would happily give it to them. What a surprise, huh?
  • It's not like that all over. I had a similar problem in a previous position. I needed a low-volume, local email solution with the ability to have dialup connectivity with the campus mail server. I asked our IT folks for an NT box and Exchange. They decided we did not need it bad enough to spend the required money. Fine. Slackware to the rescue. I put together a 386/20 with 8MB RAM, and a 140MB hard disk and made it a mail server for about a dozen people. No problem.

    There are lots of Linux and *BSD boxes in the .gov and .mil domains. Lots of people have a requirement and don't have the time, money, or both that it takes to get a commercial solution. So they bring in the handy-dandy CDROM and install an Open Source solution in less time and money than it would take to purchase something that may not be as useful in the long run.
  • I work down the feeding chain for the USG doing research so I'm not restricted on what OS and platform that I want to use; I just have to justify my decision with my boss. Right now we are slowly converting from commercial unix systems to linux. We are having problems handling the big/little endian problem (hey guys, why not use linuxppc on a mac?). Additionally, most of our home grown software is a combo of X, OpenGL (some, not all), and Motif. What? Motif? gag, gag. Hey folks, acceptance of a "new" system is gained if porting over legacy code is fairly painless. BTW, the binary problem is currently being solved by using xdr.

    The MS Office suite has a strangle-hold on the USG. A few yrs ago, there was a good number of WP docs for downloading from USG web sites. Now all you find are pdf, word, and powerpoint docs. Upper management demands that we send them only .doc and .ppt files. E-mail attachments confuse the decision makers unless they are, well, you know the format. I recently was forced to send a PHB in another agency a rather complicated figure (EPSF but it could have been pdf) pasted into a .ppt file.

    One handicap that linux currently has is the lack of operational support that the USG would be comfortable with. If someone in the USG wants to use linux and wants to hire contractors to provide admin support, then where do they turn to? Usenet? Hence, there will have to be an established, reputable company that they can turn to (IBM could make a killing here). These companies need to establish a presence in the DC metro area. By law, the major USG agencies have to have their headquarters in this region; the implications of this should be obvious. Redhat would be wise to open a small DC area office ASAP.

    Linux will probably make some inroads into the USG server market. But it could do more.

    craw posting with a no score because he now can.

  • I'd say that respectable uni's don't require that you sign an NDA.

    It sounds silly anyway: "Hi, we're a uni teaching you this stuff, but you have to sign this paper so that you're legally bound not to tell anyone else about what you've learned here." Crossed purposes, eh?

    Besides, what good can NT source code do for a CS course? Example of how not to do it? NT is way too big and ugly for those poor impressionable students (yes, yes, I guess I'm one too) to be exposed to during such a course.

  • Another two D.C. 'government related' sites, (i.e. somewhat political), are that of the Consumer Project On Technology, (http://www.cmptech.org [cmptech.org]), and Essential Information, (http://www.essential.org [essential.org]). These are the people that brought us the Appraising Microsoft [appraising-microsoft.org] conferences, which in part helped spawn the current DOJ antitrust suit against MS.

    Nice to know both sites run Linux with Apache.
  • Created by a Finnish graduate student named Linus Torvalls in 1991, Linux's open code is relentlessly scrutinized and tested by tens of thousands of systems analysts worldwide, who constantly recommend improvements, Klosowski said.

    Congratulations! Now every teenage hacker type who works on a kernel patch or device driver is a "system analyst"!

    You oughtta put that on your resumé...

    Jay (=
  • I believe you may have misinterpreted that. IMHO he was saying they have been considering it for two years already.

    Whew! For a while there I was under the assumption that Zaman was talking about another open source license with a termination clause. But it turns out that not only can't Microsoft develop a good product, they can't hire someone who knows English enough to construct a good sentence. Perhaps it would have been better worded ...Microsoft has been considering for the last two years making some of its products open source.

    Of course, we've got to remember that Microsoft has been telling its customers for the last two years that open source was not a good development model. Who would forget that? Now that the government starts to understand the benefit of open source, we find out that Microsoft has been "considering" the open source model for the last years.

    Oh, next thing we'll hear is that Microsoft *pioneered* the open source movement. Yep, as someone already mentioned, they were the "first" to support open source with gorilla.bas and nibbles.bas. Also they'll claim that their Open source model is "superior" to the competing ones, but it'll just be a more restrictive version of the SCSL. And it'll only cover products that aren't important to Microsoft's core business.

    If you can't beat them, join them is what we're seeing from Microsoft now. Of course, they're no more joining us than a parasite joins its host. Watch out for Microsoft!

  • I wouldn't go anywhere near so far as to consider those dirty bastards in the whitehouse my "higher-ups"
  • A branch of the NSA does have NT source code. For C2 certification you have to provide source code, and NT 3.51 was C2 certified under some conditions. Plus the official word has been NT 4 will be C2 in 6 months (well that's what I've been hearing for about 2 years). This would signify to me that Microsoft has provided that branch of the NSA (NSCS I think) with some source code.
  • The government is using Java all over the place right now. In fact with almost all the databases in the government introducing some web frontend probably 10% to 15% are being done with java on the server side (from personal observation of many government projects). This number should increase in the near term as PERL has with the government in the recent past.

    One thing to note though is that databases that are to be used by multiple agencies rarely use java or javascript on the client side. This is due to the large number of agencies that block them at their firewalls.

    Now if only they wouldn't complain so much when we introduce Python.
  • OK, so they give you some examples. Great. (No sarcasm.)

    But has Microsoft considered making their products open source for two years? How long ago was Halloween?

  • Zaman added that Microsoft has been considering making some of its software products open source for two years.

    "Open source is a very innovative way to develop software," Zaman said. "The issue is how much of our own code we should put out in the open source environment."

    Two years huh? :)
  • Is there a cure for that? Can't we force-feed them some cod liver oil or something and get that worked through their system?

    Perhaps a nice ipecac or saltwater enema . . .

  • jflynn wrote
    It might be worth looking into the certification standard they mentioned and see what's missing, if anything.

    Heck, if you want to eyeball a public key certification system, take a look at OSCAR [qut.edu.au] (Open Secure Certificate ARchitecture). While we all know that Silicon Valley is the centre of the IPO universe ;-), some interesting work gets done outside California. Anyone know whether it is legal to download and test this out within the US jurisdiction?

  • While I think that the idea of the government using OSS is great, something even better could happen. Instead of spending US$2 billion next year, they could spend US$1 billion on the proprietary software they still need and the conversion to OSS and donate the surplus billion to funding OSS projects.

  • he prolly saw linux running the fvwm95 WM. When my dad saw that (the first time he EVER saw linux), his response was "wow, it's just windows by another name", then I showed him WindowMaker.... Fixed that.....
  • "Amazing it is, that the US government has been just as naive, believing that a closed source product only did what the package said it would do. I wonder how much insight MS/Sun/Oracle/others have into what's going on behind those closed doors."

    While there may be select individuals from these companies who have the appropriate security clearances and background investigations to be allowed supervised access to these systems for troubleshooting / technical support, no cryptography / software from any of these companies is responsible for protecting classified information. The job of providing cryptographic algorithms and hardware (and yes they are generally hardware implementations) is solely the responsibility of the NSA.

    Then of course the classified networks are physically separate from unclassified networks, so all the hackers that "forced" the Army to switch their web server from NT to Mac OS had no capability to actually compromise any National Security information.

  • One other benefit of the USG going open source is it would break the Microsoft monopoly a lot faster than the antitrust trial. A year and we are still waiting for the decision. When it finally comes then we can wait for the appeals. If the USG had started a switch to Linux and FreeBSD instead of going to court, by now MS would have a much smaller market share, and there would be a lot more software ported to the open source OSes, which would have resulted in many non-Government changeovers.
  • Actually, the chambers were not nickel plated. The real reason the M16 had such a high failure rate was marketing. Colt sold the M16 as a point and shoot automatic rifle, no cleaning required. When it was used as advertised a combination of the South East Asian climate and powder residue/gunk caused the failures. What was added was the chamber assist knob and instructions to clean the rifle everyday.
  • As 'the computer guy' at one of those under 100 employees companies, I'd say that getting Linux in the door means getting the software vendors on board. I'm speaking here about accounting and sales packages, that's what we really care about, not what program we use for typing.

    And for those big packages we pick the software we like first, then ask the vendor what platform to run it on. Right now that means Solaris, but if our vendors started saying Linux is the best platform for our product ... so be it.

    Why not develop our own stuff? We just don't have the time, or money for enough staff, and I imagine that most small businesses are in the same boat.

    So -- convince the software vendors and they will sell Linux to the business community.
  • "Created by a Finnish graduate student named Linus Torvalls in 1991, Linux's open code is relentlessly scrutinized and tested by tens of thousands of systems analysts worldwide, who constantly recommend improvements, Klosowski said."

    I noticed that line too. I guess it sounds better to say "systems analyst" instead of hacker. I have a great idea -- instead of going round and round on hacker vs. cracker we can just call everyone a "systems analyst"!!!
  • I also like the bit about Linux being "similar in functionality" to Microsoft Windows. Hehehe. He must have been using either for about 2.18 microseconds...
  • "I mean if a 13 year old (now 14) can use it as easily as I can what's preventing businesses from using it."
    Well, how much time have you put into learning Linux? I know that I put in a ton of my free time in college with it. Now that I work, I understand a bit of a business's hesitation. Time is more important to a company than money and Linux may not cost any money but it does cost time. Making administration easier is a good thing. We have to lose the RTFM attitude that was handed to us by the Unix folks. Heck, I think that Linux could achieve a big victory if it duplicated the look and feel of NT down to the menu. "It's NT on the outside but Linux on the inside!" or "It's NT but it works!". Excel 5 killed off Lotus 1-2-3 because it had so much Lotus support, there was no reason not to switch. Right now the thought of retraining many workers is an expensive scare that IT people will want to avoid. As for learning on their own...I hate to say this but life can suck for adults. Enjoy the free time to hack at Linux while you can. After 8-10 hours of work and trying to maintain some sort of a social life (can't meet people at school anymore), there is little time left over for learning a new OS. In a world where we have Macintosh for Dummies, switching to a new OS can be too much of a risk for a company.
  • Point taken. I was talking more about the small companies. 98% of US companies have under 100 employees. For these companies it is an expensive risk, albeit a worthwhile one. A goal of Linux should be to reduce the risk involved in switching to Linux. Providing full Windows compatibility and look and feel would go a long way towards achieving that goal.
  • According to the article, these security breaches can even be easily patched. Good thing if you're playing lots of football :-)
  • Hopefully as a shining example of how to take a decent idea and passable engineering and drive it kicking and screaming into the ground by adding features like flashy lights and purty pictures.
  • Could you supply a URL or some other reference where Microsoft states they have released Open Source software?
  • I was the one who posted that link to Linux Today. At my agency (IRS) the borg has made a steady encroachment, so that now just about everything else has been pushed aside. IRS has just implemented a $120 million contract with beyond.com for supply of laptops and desktops. My laptop issue is a 233 MHz Micron running NT4 and Office. The govt still hasn't answered my question about the (alleged) C2 security problem with NT 4.
  • Woohoo 17th and H! :)

    I worked there too, many years ago, as a network engineer right when whitehouse.gov was moving from JPL to the NEOB. Lotsa fun if you're the shoestring engineer that we all are, as they had next to no budget for anything.

    It's good to see that it only took 4 years (*grin*) for them to come around from when we started infesting the EOP network with linux boxes. (The best was shado.whitehouse.gov, a monitoring box for web servers.) We told them "shado" stood for Surreptitious Hacking And Detection Operation. Really we got the name from the TV Show from the 60's called U.F.O (Supreme Headquarters for the Alien Defense Organization); at the time, we also contemplated calling it "potatoe".

    As I recall, the routers (Cisco 7000's) that handled the eop.gov (sprintlink) and whitehouse.gov (PSInet) links weren't on anyone's desk. :) They were in the cabinets in the Operations center across from the Vaxen. What I imagine really happened was one of the Synoptics 3030s died again, or the FDDI link to the firewalls went down.

    As for large government web sites that run linux, go take a look at www.sec.gov [sec.gov]. Does over a terabyte in traffic a month.

  • One of my colleagues didn't study with the source, although they did study the architecture. He maintains that the Kernel itself is designed quite well, and that the user level stuff is so bad...

    I hear that the NT kernel is reasonably good because they hired the architect of the VMS operating system to run the project, and he did it largely as a VMS clone/next generation. Person who told me this also says that most of the major data structures retain the VMS naming.

  • So if you want G2 certification for your proprietary system, you have to give the source to NSA.

    Any bets on whether they pass it on to their intrusion department?

    It's not a problem for Open Source of course. We've got much of the world's programmer stock on our side of the security game. But with Closed Source the NSA could easily put far more crackers onto a project to break the code's security than the vendor can afford to put on creating and fixing it.

  • Colt sold the M16 as a point and shoot automatic rifle, no cleaning required. When it was used as advertised a combination of the South East Asian climate and powder residue/gunk caused the failures

    That's not the whole story.

    When used with the specified ammunition, the original M16 worked as advertised. But there was an admiral who had a warehouse full of ball powder that was going out of date. It was the sort that was in bags, and you throw several of the bags into the breech of a big naval gun on a battleship. So he decided to save the Navy a few bucks by having the powder made up into ammo for this new gun the Marines had just started using in the current war, instead of buying this expensive fancy-schmancy clean-burn ammo that looked like another $200-hammer boondoggle.

    Now when you're firing a bullet the size of a large automobile, from a gun reloaded by a conveyor-belt or something similar, you're not too concerned about powder residue fouling the barrel and loading mechanism. But when you're firing something the size of a .22 bullet, with a reloading mechanism powered by a similarly-sized piston in a cylinder filled with the combustion gases, a little smoke residue quickly clogs the works.

    And while a warehouse full of powder for navy guns might only make for a few dozen volleys of those guns, it can make up a LOT of ammo for overpowered .22s like the M16.

    So the Marines (and others) got a lot of bad ammo. And even with the spray-and-pray style of fighting (where they even used M16s to cut grass) it took a long time to shoot it up. Meanwhile, those M16s were clogging up, and people were dying, and the new-fangled gun got blamed. So they retrofitted it with that knob to get it restarted when it stuck, and passed out some cleaning kits. And people got by. And eventually the bad ammo got used up or discarded and things went back to working.

  • Should a general really be concerned about TCP stack bugs? Should a general even know that his computer has a TCP stack?

    If he's the general in charge of evaluating, obtaining, modifying, and deploying some computer system for the military, or making the selection of an OS for the military, he and/or his subordinates should be concerned about it. If he's a general using them, he should only have to worry about the likelihood of his security being compromised, and delegate these matters to the people below him.

    A general has too much else to think about to be involved with the details of everything under his command.

    And the same holds true for everybody else in large organizations, government or private. The system security is the job of particular people, who should know at least as much as they need to know to do the job right - and some extra to be sure they didn't miss something. But the rest of the people - from the President to the Receptionist - only need to know enough to be sure they don't compromise security by improper operation, plus enough more to motivate them not to skimp to save some effort - or to interfere in the selection process.

  • Looks to me like there are two ways this might impact crypto:

    On one hand, the Fed might decide to open up crypto so they could get better stuff. (And pigs might start to fly.)

    On the other hand, the Fed might start having its own Linux distribution, or NSA/military/etc. crypto add-ons for NSA/military/etc.-certified configurations of commercial products. This is how I expect them to go.

    This second approach has two variants: They might loosen up crypto for the general public, or they might try to keep it locked up.

    In either case, when crypto-enhanced stuff is distributed widely among the civilian portion of the government, it's only a matter of time until the object code leaks out, is reverse-engineered, and appears as bare source, as plug-ins, and what-have-you. Then it gets analyzed in the open crypto community, and anything useful gets integrated into the general code base.

    The remaining variable is how much the government fights this. If they try to stay tight, expect loud screaming about espionage and nasty crackers and the like. They'll slow it down a bit. But the main result of their fighting will be to continue to retard crypto among the US civilian population relative to the rest of the world, making us fall progressively behind on computer security, and leaving US private and private-enterprise systems more open to snooping and attack than they otherwise might be.

    Of course that might be what they want: The main problem for an oppressive government is keeping its own population under control.

  • Now the USG will be able to whittle away our rights reliably, quickly, efficiently and in Style! Awww yeah. I've died and gone to funkytown. I'd much prefer to see the gov using Micros~1 products, especially if I ever get audited. "Mister Taxpayer, according to our records you owe us $1,241 and... uh... hold on, let me reboot. ah. Well, I was saying...err... wait a moment, please. (reboot). Right, ok. You owe us... uh... we owe you $10,314 and 99 cents. (reboot)."
  • Why, of course you'll be seeing Federal mail on LKML. After all, no doubt the Father of the Internet has plenty of proposed patches for the Linux IPv4 code.

    Think Al Gore, networking guru extraordinaire, Linux Hacker, Creator of the Internet, and all-'round net.god. Bow down before the Great Tree^H^H^H^HMan.

  • I'm involved in some government-funded projects at the moment (test sites for airborne agents, simulations, etc.), and all coding we do is in Java. Very cool. In fact, they've been given an ultimatum nationally to be compatible with a large common system or lose funding within just over a year, and it's best implemented in Java.
  • ...well Eric, we seem to have found someone to replace you when you retire from the crusade;)

  • Imagine how far that money would go if they spent even 1/10 of it on open source software development instead of purchasing ready made software. That's $200 million. What do you suppose the Gnome project could do with $10 million? Maybe give Linus a big fat check just for being a nice guy. Send the samba folks a couple million. No sweat.

    The simple fact is that the majority of the money will be simply given to Microsoft (and some other large companies). But what if they spent it *all* on open source development for everything they need? Two *billion* dollars per year could pay a $100k/year salary for an army of programmers 20,000 strong. This army would be difficult to manage and coordinate, but it could be done. And imagine the wondrous results.

  • I assume you're trying to be funny.

    But regarding sample source - there's much more than IIS and VB samples. I've found the hundreds of COM, VC++ & DDK samples that come with various windows SDKs invaluable.
  • Taken from www.mi5.gov.uk

    Server: Apache/1.3.0 (Unix)

    Not linux but at least it's not WinNT!!!

  • We didn't study NT in the Operating System classes where I went to school. If that's what the NDA says then I'm happy we didn't :) We did have one professor offer a summer course in Linux Kernel Hacking, which I unfortunately never got to take.

    One of my colleagues didn't study with the source, although they did study the architecture. He maintains that the Kernel itself is designed quite well, and that the user level stuff is so bad that the whole package is BAD, BAD, BAD. (We both run Linux :)
  • All throughout our lives, we are told - "don't put all your eggs in one basket"! At college - "if you make backups, it is safer not to put your backups in one location - whether it be a hard disc, same safe etc". Well, I'm surprised it's taken people (in this case the American government) *so* long to realise that it's not a good idea to keep to the same software company - ie, Microsoft - ie, keeping all your eggs in one basket. Hopefully, other companies will follow the US government's example and think the same - "well, perhaps it's not a good idea to rely on Microsoft for EVERYTHING" - and suddenly open their eyes to reports such as the HotMail one, bugs in Windows, Windows not being a good, secure, stable operating system and that there are other software companies around... Secondly, it's very convenient, when the US government makes this statement about looking towards open source, that Microsoft suddenly say "ah, yes, we've been looking into open source for several years"... like bloody hell have they... and pink pigs fly.
  • Yes, I fully understand that what I quoted was technically accurate, spelling issues aside. However, what the entire article suggests to me is that the person who wrote it has no idea that Linux refers to the kernel and not the OS. This is a critical issue that needs to be made clear. The previous reply to my original post on this thread points this all out quite well. Every article by the general media has misrepresented this issue. All other issues aside, Richard Stallman has done a lot more for the free software community (would "liberated" be a better choice of words, since we are not trying to reference price?) than Linus Torvalds (though I admire both) with regards to his stunning philosophy.. without the benefit of which we would probably not be where we are today. After all, how many software applications are released under the GPL today?

  • After all, they could always think of something devious like the Netscape Public License. They sure could use some help fixing all those annoying bugs..

  • Actually, I use the term Linux rather than GNU/Linux myself. However, it would be nice if people knew the whole truth. Saying Linus wrote the Linux OS, for instance, isn't quite the truth. Forcing people to call it GNU/Linux has absolutely nothing to do with my point, nor do I think anyone should even bother, nor did I ever run around yelling that people should call it that. I could care less. Linux is good enough for me, because I know what the hell it is. Perhaps you should think about what you have to say before you flame someone? It helps to keep -yourself- from appearing stupid..

  • Hmm.. "Created by a Finnish graduate student named Linus Torvalls in 1991, Linux's open code is relentlessly scrutinized and tested by tens of thousands of systems analysts worldwide, who constantly recommend improvements, Klosowski said."

    Well, aside from the fact that they can't even spell Linus' name right.. If I were Richard Stallman, I'd be thinking myself to be really good material for a prospective U.S. postal employee by now. You'd think Linus had written Linux, the GNU system (oh, I meant Linux again), and every piece of software for it.. and that all of those other programmers in the world don't really do anything other than give him ideas. Is there a religion for him yet?

  • Take a look at http://niap.nist.gov/ for information about the National Information Assurance Partnership. Here is some info from the August 27, 1997 press release:

    "In a move to assist U.S. information security technology producers in achieving international competitiveness, the Commerce Department's National Institute of Standards and Technology and the National Security Agency today signed a letter of partnership establishing the National Information Assurance Partnership (NIAP)SM. This initiative is expected to break new ground by providing both independent evaluators and product producers with objective measures for evaluating the quality and security of these products. In turn, this should result in increased consumer confidence in evaluated information security
  • I work for the Navy installing Windows NT 4.0 on battleships, aircraft carriers etc... As soon as I am finished with the install, my boss comes and "improves" the security of the machine. This is not just settings, he changes code. The government is competent, and IMHO has source code for NT.
  • by Anonymous Coward
    I've been getting tired of adults telling me that Linux is too difficult for their fragile little minds. I mean, if a 13 year old (now 14) can use it as easily as I can, what's preventing businesses from using it? Anyone who deserves to be called a network administrator should know how to work a Linux/Unix system.
    I'm glad to see that the government is using it; at least some people have come to their senses in realizing that yes, Linux IS hard to use, but it isn't death.
    I almost vomit when I see people getting 50+ thousand dollars a year for pointing and clicking their mouse. The fact is anyone can do that. All succeeding in the computer industry seems to require now is knowing how to touch type.
    Even worse than that is how two of my friends refuse to learn to type because they think they'll just be able to talk to their computers by the time they need to use them (college). And how my middle school computer teacher insisted on explaining what a LAN was to me last year, but when I asked her to let me telnet to the server she gave me this blank look of "you can telnet to a Unix computer??". Grr... I'm gonna go off on these people someday. Sorry for posting this on /., but I really had to get some of that out.
  • Should a general really be concerned about TCP stack bugs?

    If the lives of his troops are at risk.

    Should a general even know that his computer has a TCP stack?

    FWIW, to be an officer in the US military requires a higher education. I don't think it would be beyond their comprehension. You will agree that the General needs to know if his tanks are diesel powered or gas turbine. Likewise what caliber shells his artillery requires.

    Now, should the General be able to _code_ his own TCP/IP stack?
    It would be nice if he could do it himself, but he's a General; he can delegate the work.
    I'm gonna go out on a limb here and make a comparison.
    During the Vietnam war, soldiers were issued the, at the time, new M-16 rifle.
    The M-16 was well designed and tested. However, the testing and design didn't take into account the tropical conditions of Southeast Asia. The result was more than a few soldiers losing their lives because corrosion caused their arms to misfire. This was corrected by nickel plating the chamber. Guns that were already issued were modified by military machinists.

  • "Microsoft officials argue their software products meet federal security standards."

    Is that like the expression 'Close enough for government work'? ;)

    "There is no spoon" - Neo, The Matrix
  • The government will buy $2 billion worth of software in 2000

    Imagine how far that money would go if they spent even 1/10 of it on open source software development instead of purchasing ready made software. That's $200 million. What do you suppose the Gnome project could do with $10 million? Maybe give Linus a big fat check just for being a nice guy. Send the samba folks a couple million. No sweat.

    Everyone working on open source/free software should be thinking about how to get their hands on some of that money. If the government is serious about using open source software, it could be a virtual gold mine for all those projects struggling for people and resources.

  • Good point.

    However, I wouldn't worry about the govt. giving back fixes.

    You can argue that the US government is probably, one way or the other, immune to copyright law (at least US copyright law). So they don't _have_ to give back the fixes.

    But it's a matter of common interest. It's in their best interest to see that the stock distributions are as secure as possible, in order to minimize the hassle they go through when maintaining their installations. Therefore the government _will_ be interested in giving back any fixes, even though they don't have to.

    Still, I wouldn't be surprised if some brown-nosed idiot would suggest that they shouldn't give back the fixes, because of national security reasons or whatever. Like the crypto restrictions. But I'm confident that such measures would be short-term, and that we will definitely see contributions from the government, should they decide to use the more secure platform.

    Ironically, the government may some day be part of a community :) Wonder how they'll tackle that one.
  • I worked for the White House at the New Executive Office Building not too long ago. I had the pleasure of visiting their secure server room and what I saw was a mess.

    First of all, as far as the White House was concerned, they don't need to worry about a singular dependence on M$ because they had a hodgepodge of machines (Linux, SGI, HPUX, VMS, NT). And their IT infrastructure was poor at best. One day we all had to stay late because someone knocked the only router we had to the outside world off a desk and we were out for hours.

    A current colleague of mine interviewed for a developer position there back in April. I asked him what they had there and there really aren't too many changes. My understanding is that they are still running hand-me-down SGI Indigos running Irix 5.3. Hey guys - think Y2K!!! Upgrade to 6.5!!!

    "Microsoft is the epitome of innovation and product quality."

  • If the government embraces open protocols and file formats, that would make a great start. Why should taxpayers have to go out to buy a copy of MS Word to view documents on a government-funded web server?
  • Dunno how many of you have ever worked with government before, but my aunt (who works for an unnamed, county-level government in Florida) is now managing a brand-spanking-new AIX system for her employer. To get a new piece of software, she had to wage a couple-of-weeks-long campaign with her management, with memos, meetings, the whole nine yards. In the end, after all of that effort, she was denied. The piece of software she wanted? The one that took so much trouble to get? sudo. Uh-huh. GPL'd, publicly available sudo. Needless to say, the poor woman is also stuck with vi; she says she spends 1/2 of her time teaching other people that. She dreams of the day she can get emacs. That is the bureaucratic mindset in gov't IT these days. So, don't hold your breath about Linux. They'll probably have to read every single line of code before it ever gets installed, and by that time, we'll be at kernel 4.0. Argh...
  • They want security? How ironic that possibly the most secure operating system, OpenBSD, has to be developed in Canada because of US export restrictions!
  • If the government could require people to communicate with it by open standards, this could break some of the market standardization on Microsoft Office. Many people buy MS Office so they can exchange documents. If people who need to submit documents to, or receive documents from, the government are forced to use open standards such as HTML, XML, or something new, then people could buy what they like, with no need to upgrade just to stay compatible.

    The only question is whether the government is big enough to provide the critical mass around some open standards for a variety of documents. Oh, for the days of Big Government again ;-).

  • Still, MS instills a culture where the machine does everything for you. You are not supposed to question what is really going on. The OS has deep roots in a single user non-networked system. A switch to Linux along with some training might be more effective in changing the state of some minds than you think.

    Should the majority of people who use computers have to worry about "what is really going on"? The advantage to using Linux in sensitive government applications comes from the ability of admins to review their systems and set them up properly more easily. From a user's point of view, the more internals of computation the software is able to obfuscate, the better.

    Should a general really be concerned about TCP stack bugs? Should a general even know that his computer has a TCP stack? If it allows him to do effectively whatever he does as a general and is easily kept secure by his system administrators, then that's great.

    Don't get me wrong - I think Linux could definitely be great in a lot of government applications. But relying on users' increased sense of "knowing what the computer's doing" is a far from ideal situation.

    --Andrew Grossman
  • C2 certification requires an audit of the code that pertains to those requirements. A vendor has to pay for this audit (when Novell went for it the cost was implied to be quite high in the press), and then control the releases to some degree (audit the final setup with a small application tends to be the way it's done).

    I've had Linux used in projects for the various government agencies for five years now, but I can't get it onto the classified systems because it's not C2 certified. In general NT's lack of current cert is ignored or exempted (as is some other OSs'), but Linux's is not.

    If Redhat could get their distribution of Linux C2 certified, then the government would have to consider it against NT every time someone brought it up.
  • Okay, anyone out there know about the certification they discuss regarding NT? What does it comprise? Can anyone apply for it, or does the US Government only attempt to certify those systems that they wish to use? Also, if anyone knows, is there any reason that Linux (either now or in the future) would not be eligible for this kind of certification?

    If the regulations are public knowledge then is anyone currently trying to get Linux certified?

    After what kind of modifications to the OS does the certification become invalid? This might be a very important point since the kernel is now going through faster development cycles. Would the US Gov be able to use the latest and greatest or would they be stuck with something that was certified but older? (at least for operations that require that certification)

    And, since I'm a UK-bound persona, anyone know if Linux is being used in MI5/6? *grin*

  • Okay, anyone out there know about the certification they discuss regarding NT?

    It is an often pointed at (and laughed at) fact that NT 3.5 has been certified "C2 secure" in accordance with the NSA "Orange Book". However, the configuration used lacked a floppy drive and a network connection. In effect, NT is only secure if you don't communicate with anybody.

    Microsoft has been claiming NT 4.0 will be certified Real Soon Now for years. I do not think anyone is holding their breath. :-)
  • MS's "main server product" NT 3.5 is certified. Well umm yes, but..

    Who on earth is still using NT 3.5

    It's only certified as a stand-alone machine. How useful is a server with no clients???

  • Actually, it says that about the NSC, not the NSA:
    Zaman added that Microsoft likely would be willing to provide the National Security Council with its code for security inspections if it is for national security purposes. So far, he said, the NSC has not asked for access to any of Microsoft's software code.

    The NSA is the evil agency we all know and love. What's the function of the NSC? Does it control the NSA?

    Bureaucracy...reminds me of the part in Cryptonomicon when one of the characters has a waking nightmare while someone explains the German bureaucracy to him.
  • "I don't know of any large government Linux contracts,"

    This could be a very stable revenue stream for some Linux companies. Distribute updates, security patches, and support on a contract basis.

    It might be worth looking into the certification standard they mentioned and see what's missing, if anything.

    I'd love to see slashdot.gov :)
  • You're right of course, sloppy users are the biggest threat.

    Still, MS instills a culture where the machine does everything for you. You are not supposed to question what is really going on. The OS has deep roots in a single user non-networked system. A switch to Linux along with some training might be more effective in changing the state of some minds than you think.

    For example, with all its security holes, I find Windows users rarely talk about security, except when headline news forces them to take note. Linux users on the other hand discuss it often, and developers code with the concept in mind from the start.
  • It just occurred to me that if UCITA passed, and the Federals were using commercial, proprietary software for critical systems, that they'd be up the proverbial creek at the whim of the vendors... not necessarily a good thing when you're suing one for anti-trust violations. Heh.

    Not that'd ever happen, but...
  • Interesting point. I was under the impression that the source is sometimes made available to outside groups; my memory is telling me that some universities have operating systems courses where students are required to sign NDAs, because they get access to at least some of the NT sources. I can't give specific citations, 'tho, just vagaries.

    It's possible that the statement should be taken to mean: source code for not only the Linux kernel, but just about everything else as well with fairly few exceptions (for Gov't stuff. I doubt, say, that Civ:CTP or Myth II are on procurement lists...); whereas the opposite is true for most of the Windows world. Even if the NSA had access to NT sources, they'd still need audit ability for all the applications; even a safe kernel with poorly written applications isn't that safe.
  • At the "Linux University" held in Washington, DC (9 Sept. 1999) SGI announced their goal of developing a secured Linux(tm) distribution, first at the C2 level then at the B1. The presenter indicated that they (SGI) intended to offer their security work to the "Open Source" community. SGI also announced that, in addition to their offer of the journal file system, they are going to offer their considerable experience in SMP kernel implementation. The "Linux University" was co-sponsored by SGI, Red Hat, and Government Computer News.

    The presentations will be posted by 13 September 1999 at http://www.sgilinux.org. For those interested in the security-related announcement, look for the presentation called "Tux goes to Washington". All in all, a very exciting set of announcements.

    Thanks, SGI.
  • by Skyshadow ( 508 ) on Saturday September 11, 1999 @01:04AM (#1689863) Homepage
    Am I the only one remembering the end of Sneakers here? The part about the NSA being able to read everybody's mail?

    Of course the White House wants to go open source -- do you seriously think that the security-paranoid folks who work there really want the NSA reading all about the next Monica and using it to get more funding? I think not.
  • by zilym ( 3470 ) on Saturday September 11, 1999 @01:23AM (#1689864)
    It seems kind of ironic that the Feds are complaining about poor security in Microsoft software, then praising how stable and secure Linux is, when the Feds are probably part of the problem. I agree with the Feds: Linux will help to improve security through encrypted file systems and network pipes (www.kerneli.org) plus encrypted/signed email and files (www.gnupg.org). However, Linux had a hard time getting here since all the development of these strong security tools had to be done outside of the country. Maybe when the Feds have Linux installed all over the place and get tired of having to patch their kernel all the time (to get the International Crypto pieces), they'll start thinking about making the restrictions a little more open.

    I can dream at least, eh?

  • by josepha48 ( 13953 ) on Saturday September 11, 1999 @01:26AM (#1689865) Journal

    This could be good for Java and other cross-platform languages like Tcl/Tk. If the government has servers that are NT and some that are Linux and several other platforms, then they are going to want software that will run on both, you'd think.

    I am interested in where this will go. If the government gets into Open Source code, will they give back to the Open Source community if they find security issues and fix them?

    If the government enhances security in the kernel, will they Open Source these too?

  • by Imperator ( 17614 ) <.ten.reknehsremo. .ta. .2todhsals.> on Saturday September 11, 1999 @01:31AM (#1689866)
    Zaman added that Microsoft has been considering making some of its software products open source for two years.

    "Open source is a very innovative way to develop software," Zaman said. "The issue is how much of our own code we should put out in the open source environment."

    He is, I assume, talking about the IIS Sample Site and VB Examples. I remember Microsoft's commitment going back as far as gorillas.bas and other QBasic example programs, which were freely available when you bought QBasic.

  • by shadrax ( 50923 ) on Saturday September 11, 1999 @01:12AM (#1689867) Homepage
    From the article:
    Access to the Linux source code "gives us some confidence," the White House official said, adding that it simplifies patching security breeches and correcting routine errors.

    I've always wondered if the government, which uses Windows for much of its operations, is given (or pays for) the NT source. This quote seems to imply that they don't have it. Surprising, if so--I would have thought that the NSA would want to examine and/or customize the OS, at least for sensitive networks. Maybe I overestimate the competence of the US government.
  • by Stonehand ( 71085 ) on Saturday September 11, 1999 @04:27AM (#1689868) Homepage
    --- Kernel Patch Request Form ---

    Adding a patch to the Linux kernel (hereafter referred to as "kernel") may compromise security, functionality or both. Therefore, before submitting a patch for inclusion you must attach a Form 15812n Software Audit Report for all contexts in which you intend to use this patch. This procedure must be repeated should additional contexts emerge.

    We will need the following details.

    Who wrote the patch? Is/are the people responsible (hereafter referred to as "patch author(s)") U.S. citizens? Please have them undergo security clearances and attach the resulting paperwork. Use of nails and rivets for this purpose (attaching, not auditing) is hereby sanctioned.

    What does this patch do, and why do you want it? Be sure to detail all system resources consumed by such, and study the impact upon the targeted environment. Include time and resources expended on this application, sub-applications and related activities.

    Do you expect it to be applied to future revisions of the kernel? If so, explain why and bear in mind that this is included in the aforementioned "additional contexts" section, and thus will require periodic documentation and re-application.

    Please remit this form once completed to your supervisor and all other individuals affected for approval, with copies for yourself, the Software Patching Department, and Personnel (for your quarterly performance evaluation) as usual.

    Bear in mind that approval may not occur until a full review of your provided documentation has occurred. We hope to be able to respond to you within six months of completion of said review. Thank you for your time.

    --end form--
  • by Oestergaard ( 3005 ) on Saturday September 11, 1999 @01:22AM (#1689869) Homepage
    It was about time that some government took off the sunglasses and had a look at the real world.

    I can't believe they haven't thought of this earlier (or at least thought of it in public). Linux is far from the only open-source OS; simply using the proprietary UN*Xes they've been running for long, with open-source daemons and tools, would have gotten them a long way.

    I remember the Swedish government discovering that the proprietary e-mail tool they used had a backdoor in the encryption service they relied upon for security reasons. The backdoor was there for the US government (NSA probably).

    This was so funny, or rather tragic, because they simply didn't think about it before someone pointed it out to them. They honestly believed that because the shrink-wrapped package said ``encryption'', they'd be safe.

    Amazing it is, that the US government has been just as naive, believing that a closed-source product only did what the package said it would do. I wonder how much insight MS/Sun/Oracle/others have into what's going on behind those closed doors.

    Never underestimate the power of human stupidity.

    Well, I'm looking forward to seeing new OSS daemons from the White House, and mails from randomuser@whitehouse.gov on LKML :)
  • by bmetzler ( 12546 ) <bmetzlerNO@SPAMlive.com> on Saturday September 11, 1999 @02:30AM (#1689870) Homepage Journal
    Reading this article was fascinating. The first thing I saw was Linux, an open-source operating system similar in functionality to Microsoft Windows, is being given serious consideration as an alternative for government computer users, the official said. "Similar in functionality?" It's nice of them to acknowledge that, even though it could be argued that Linux has more functionality than Windows. Still, I have to save this to show anyone who tries to tell me that Linux is brain-dead.

    Reading further we see: As a result, Linux boasts a robust code that rarely malfunctions and is extremely difficult for hackers to crack, Klosowski said. Microsoft, on the other hand, keeps its code secret and makes upgrades to its products on a yearly basis, he said. Microsoft software products have been the target of numerous computer viruses. Neato! More positive news. My heart is warmed.

    Now we get a few laughs. Microsoft's main server software, Microsoft Windows NT 3.5, for instance, is certified... I see. It's version 3.5 that is Microsoft's main server product, with NT 4 being relegated to just "Newest" status.

    Zaman is amazing. After all the PR microsoft has done trying to convince people that "open source" development is not a good way to develop code. After all, who would work for free, eh? But now we find out that according to Zaman, "Open source is a very innovative way to develop software," In fact, Microsoft is so convinced of the viability of the Open Source model that "...Microsoft has been considering making some of its software products open source for two years." Two years, eh? That's a real good license. I'm just dying to work on code that's open for 2 years.

    A few paragraphs later Zaman states that government agencies are not excessively reliant on Microsoft products... But just 2 paragraphs later we read The government already relies extensively on Microsoft products for desktop and, increasingly, server applications. Only a slight contradiction, eh? I suppose we can overlook that.

    And the last thing that we read is: Regardless of security concerns, Smith added, a multitude of software systems within an agency often can lead to interoperability problems. Very interesting. In the server market, you can't allow fragmentation within your product base. In the current server market, there is a lot of similarity within most server OSes, except one. That one is fragmented in the server OS market. That OS is Windows. If I were an administrator of a network and couldn't allow even one little bit of fragmentation, I'd keep Windows as far away from my servers as I could.

    I wrote an essay on fragmentation [twistedpair.net] of the Server Market. It may apply here.

  • by LL ( 20038 ) on Saturday September 11, 1999 @01:26AM (#1689871)
    While it may be laudable that public institutions are shifting to a more transparent OS, would it result in any increase in real security (as defined by the reduction of risk of data corruption and unauthorised duplication)? Just as replacing cracked window-panes with bullet-proof glass may result in a ra-ra feeling of improved safety, there is no additional protection if people carelessly leave windows open. Security results from modifying dangerous habits: just as we automatically check to see whether the door locks behind us when we leave the house, we need to condition ourselves to automatically log out or follow other basic data integrity procedures (duplicate copies, permissions, etc.). This is a process of ongoing education, informing people why certain procedures have to be followed despite the initial perceived hassle. One can point to the German Enigma machine which, while technically secure, lost integrity through operators being careless in their transmissions (using the same callsigns, repeating the first sign-on phrase, etc.), which allowed the British cryptanalysts an opening. I believe the Americans used a variation of the easily cracked Italian crypto-machine but retained security through more rigorous operational procedures.

    Security is only as strong as the weakest point and IMHO, people are the most fallible link in the system, not computers (though bad design flaws/assumptions are tough to figure out too). So, will the political establishment spend the savings from using Open Source and not licensing Windows to reinvest in helping the users effectively use the systems? In my observation hardware might take up 15-30% of the cost, similar for software, but the rest (40-60%) is in the education of users for them to be productive (and don't get me started on the folly of buying Pentium IIIs for web-browsing).

    Throwing money at a problem is no solution to thinking through the issues.
