Contract clauses that forbid benchmark publication (unless the vendor likes them) are called DeWitt clauses. The clause was originally created to squelch database research being performed by Dr. David DeWitt. These should be illegal, but Oracle certainly rigorously enforces them. There was a law passed in 2016 that prevented similar problems for Yelp, but DeWitt clauses haven't been struck down yet (and should be). See my post, "The DeWitt clause’s censorship should be illegal" by David A. Wheeler (2017-06-25): https://www.dwheeler.com/essay...

China indeed forces geographic data to be "off" a little bit compared to the rest of the world. For more information, see: https://en.wikipedia.org/wiki/... in particularly the discussion on the GCJ-02 datum (colloquially Mars Coordinates).

Won't happen, that amendment died in the conference reconciliation. The merged version does have an open source software pilot, but that's it: Section 875: (a) DoD shall “initiate the open source software pilot program” (b) NLT 60 days enactment of this Act, the SECDEF shall “provide a report to Congress with details of the plan of the Department of Defense to implement the pilot program required by subsection (a).”

The #1 problem is lack of education. A large number of software developers have had no formal training in software development. Almost all who HAVE had formal education don't receive any education or training in how to develop SECURE software.

I teach a graduate course at George Mason University (GMU) on how to design and implement secure software. So there are people who are learning, but there are many more to go.

For the most part, countering the OWASP top 10 doesn't cost more, so cost has nothing to do with it. At the high end of security requirements it definitely costs more, but stuff like parameterized statements (countering SQL injection) and using web frameworks that automatically counter XSS injection don't cost any more.

This isn't about open source software, or "compliance" regarding open source software. This is about failing to do timely security updates of reused third-party software. It doesn't matter if it's open source software or not. If you use third-party software, you need to update that software when a security update happens, and you have to do it BEFORE an attacker exploits it. This has been necessary for decades. Haven't you ever updated an operating system because a vulnerability was found in it? Of course you have. If you reuse software, and you embed it in something you use or deploy, then you need to update when the reused software has a security vulnerability. One advantage of open source software today is that there are tools that make it easier to monitor and update. But you still have to be prepared for security updates. You can do this by monitoring updates, using package managers to let you easily update, having automated tests so you can verify that the update is okay, and by having a deployment system so you can send out your update. All of this is available. Check out this video for an example: https://www.youtube.com/watch?... . If you don't keep your software patched in a timely way, you get p0wned. That's how it works. That's ALWAYS been how it works.

"E-mail" is not a hard term to define. It's just "electronic mail". You can split email into "local on one computer" and "distributed across a network", since those were created separately, but it really isn't that complicated. There really is something called "truth", it'd be nice to acknowledge that sometimes.

Nazi Germany was not a "Christian nation". Nazi leaders like Joseph Goebbels, Martin Bormann, and Heinrich Himmler saw the kirchenkampf campaign against the Churches as high priority, and anti-church and anticlerical sentiments were strong among the grassroots party activists. The Nazi propaganda minister, Joseph Goebbels, said that there was "an insoluble opposition between the Christian and a heroic-German world view". Hitler's chosen deputy, Martin Bormann, advised Nazi officials in 1941 that "National Socialism and Christianity are irreconcilable.".

We can't solve all problems with laws, but some laws could reduce the problem. Here are some ideas: http://www.dwheeler.com/essays...

This is an old idea, see Plato's "Allegory of the Cave".

Their argument mostly disproves their claim. I agree that security is much more than eliminating software exploits, but at least 3 of their "top" 5 examples ARE software exploits (because of either a fault in the implementation or in its spec). 1. abuse of weak domain user passwords -- used in 66% of Praetorian pen testers' successful attacks The software should prevent bad passwords by default, but for the sake of argument I'll grant them that one. 2. broadcast name resolution poisoning (like WPAD) -- 64% That's a software exploit. If your protocol is vulnerable to poisoning, your protocol has a problem. 3. local admin password attacks (pass-the-hash attacks) -- 61% Software exploit. Hashes are supposed to *not* be equivalent to the password they were derived from. This is a well-known software exploit. 4. attacks on cleartext passwords in memory (like those using Mimikatz) -- 59% If an untrusted program can see cleartext passwords in memory, there's a software exploit, they're not supposed to do that. 5. insufficient network segmentation -- 52% Okay, that's not a software exploit. So #5 is not a software exploit, #1 is arguably not a software exploit (though it suggests a software problem), and the rest (#2, #3, #4) are software exploits (there's a software vulnerability in the protocol or its implementation). I would agree with them that security is much more than software, but software has an important role to play. The *REASON* that #2, #3, and #4 are problems is because people weren't paying enough attention to security.

You mean "unlimited rights" not "unlimited use rights". Once the government has unlimited rights it can release the software as open source software. For more details, see my paper "Publicly Releasing Open Source Software Developed for the U.S. Government" by David A. Wheeler, Software Tech News, Volume: 14 Number: 1 - DoD and Open Source Software. https://www.csiac.org/journal-...

I don't think that "open source software" has been significantly redefined. Here's the definition of Open Source Software in this memo: "Software that can be accessed, used, modified, and shared by anyone. OSS is often distributed under licenses that comply with the definition of "Open Source" provided by the Open Source Initiative (https://opensource.org/osd) and/or that meet the definition of "Free Software" provided by the Free Software Foundation (https://www.gnu.org/philosophy/free-sw.html)." That's a little laxer than I'd prefer, but it seems reasonable enough.

Not so. It's true that the policy focuses more on sharing within the federal government, but it also specifically requires that at least 20% of the code be shared with the public as OSS. It's a start.