Pentagon To Make a Big Push Toward Open-Source Software Next Year (theverge.com) 99
"Open-source software" is computer software with its source code made available with a license in which the copyright holder provides the rights to study, change, and distribute the software to anyone and for any purpose. According to The Verge, the Pentagon is going to make a big push for open-source software in 2018. "Thanks to an amendment introduced by Sen. Mike Rounds (R-SD) and co-sponsored by Sen. Elizabeth Warren (D-MA), the [National Defense Authorization Act for Fiscal Year 2018] could institute a big change: should the bill pass in its present form, the Pentagon will be going open source." From the report: We don't typically think of the Pentagon as a software-intensive workplace, but we absolutely should. The Department of Defense is the world's largest single employer, and while some of that work is people marching around with rifles and boots, a lot of the work is reports, briefings, data management, and just managing the massive enterprise. Loading slides in PowerPoint is as much a part of daily military life as loading rounds into a magazine. Besides cost, there are two other compelling explanations for why the military might want to go open source. One is that technology outside the Pentagon simply advances faster than technology within it, and by availing itself to open-source tools, the Pentagon can adopt those advances almost as soon as the new code hits the web, without going through the extra steps of a procurement process. Open-source software is also more secure than closed-source software, by its very nature: the code is perpetually scrutinized by countless users across the planet, and any weaknesses are shared immediately.
Re: (Score:2)
Not really, because the exploits would likely be data that is stored in a system for managing exploits. The system for managing the data would be the open source part. It is the (new) DoD tools that would be opened, not the data stored in them.
Re: (Score:2)
Why? Open source means that they have the rights to modify the code. They can distribute an internal patch with a classified notice on it and keep the exploit for attacking others.
The main drive away from spooks doing this is that people keep pointing out to the people that control their funding how much critical infrastructure runs on the code that they're keeping vulnerable.
Re: (Score:2)
Disclaimer: Have worked in the DoD
DoD has promised to use open source (and IPv6) since prior to 2010. There is a very split mentality inside. Most of us who deal is cybersecurity, safety, acquisition (engineering), and other areas HATE closed source items because of the inherent lack of ability to test it for risk reduction, future proofing, and optimization. It also (IMHO) creates situations of vendor lock in much more easily, which costs the DoD (and thus the taxpayer) more. There is still a _lot_ o
Re: (Score:2)
I would agree in part. The knowledge to review the entire Linux kernel code base does exist in the DoD, but not in enough people exist to do the work needed internally and accomplish all the other work they need to do before the next kernel version comes out. At least it's only a technical hurdle. The additional legal hurdle of copyright to the code base is no longer present.
IMHO the NSA should have a mission funded line item in its budget for a group to make and uphold a linux distro (thresh base distro
Re: (Score:2)
In the past they gave us BRL-CAD.
And they built the internet, though it was Congress that gave it to us peons. Thanks Al!
And then they gave us SElinux.
And now they'll give us something new!
Thanks everybody! I don't want the military-industrial complex just to blow things up, I want them to also give us new technologies as a byproduct!
Blow things up, but remember the People.
Re: (Score:2)
The research for Tor was developed at NRL as well.
Re:Ummm (Score:4)
Yep, this is exactly right. Now that they know, Russian, Chinese, and ISIS hackers will be adding new features like crazy to OpenOffice Impress, all with the handy new feature of sending your deck to the cloud..........and more than one cloud...and more than you know about.
Re: (Score:2)
...how many times were we told that ISIS is some kind of existential threat to the U.S.? And people beloved it?
At least three or four, but the FBI conveniently arranged for them to activate hoax devices.
Re: (Score:2)
I see, and the Iraqis with U.S. support somehow doesn't count? Or the Kurds with U.S. support? C'mon comrade, you can do better than that.
Re: (Score:2)
I will be stunned if this amandment survives (Score:3)
Re: (Score:2)
This is about DoD software tools, not the guidance system for the F-35! lol
Where contractors are writing it, the exact same contractors would be writing it. This doesn't change the procurement system at all.
Re: (Score:2)
Re: (Score:1)
You're wrong. Go check the license. Go look up what "open source" means.
Receiving rights from your contractors is something that everybody always gets. All closed source software written by contractors comes with an implicit license; furthermore, software that is Classified can be controlled by the government and they can share it with their other contractors. You can get a license fee, but you don't get to control who they give access to.
So yeah, if you don't know what the words mean, they might mean anyth
Re: (Score:2)
You're wrong. Go check the license. Go look up what "open source" means.
Okay, here's the definition [opensource.org]. Please point to anything in that definition that contradicts what I've said.
Receiving rights from your contractors is something that everybody always gets.
If only that were true. A huge amount of code is written on contract but then received with a proprietary license that locks the customer into the vendor for any support.
All closed source software written by contractors comes with an implicit license
It comes with a license to use (typically within an organisation), it usually doesn't permit modification or redistribution.
Re: (Score:2)
Try wikipedia, so that you're not accidentally just being propagandized by one of the various factions.
That's true in general; start from encyclopedia articles, not people with vested interests.
You'll find that "open source" is a very broad idea, and doesn't mean very much until you specify a license.
Re: (Score:2)
Re: (Score:2)
No, I'm saying that the term "Open Source" wasn't coined by the OSI and when people use the words "open source" they are not declaring allegiance to OSI! In fact, there are numerous "camps" with different opinions; some people actually hate the OSI, and yet are proponents of things that other people would describe as "Open Source."
In short, the meaning of a loose term that isn't a proper noun is not determined by what one person (you) says, it is determined instead by how people actually use the word. On Pl
You'll be stunned because you're ignorant (Score:2)
I've worked for two very big contractors in the past, and they enthusiastically embraced open source. In fact, there was a consensus among management that open source is preferable whenever FOSS can get the job done at an acceptable level. Every dollar not spent on commercial licenses is another dollar that could be spent on billing labor.
"the code is perpetually scrutinized" (Score:5, Insightful)
No one is perpetually scrutinizing anything. That's an old fallacy wrongly attributed to ESR and/or Torvalds. "Linus's Law" merely states all bugs are shallow given enough eyeballs, not the some vast benevolent army of free labor is auditing everything all the time. That's fiction, as as been proven many times with the discovery of ancient zero days in software that's been open source for decades.
Re: (Score:1)
The presence of Heartbleed being an excellent example that belies this claim.
Re:"the code is perpetually scrutinized" (Score:5, Insightful)
The presence of Heartbleed being an excellent example that belies this claim.
No, you clearly didn't understand him. Heartbleed exemplifies his claim.
As soon as people knew about Heartbleed, there were fixes available. The bug was proven shallow almost instantly upon discovery, and numerous were the workarounds. People even re-implemented the whole software package to make sure it was fixed! And their fixes worked, the bug was indeed gone. You can't get a shallower bug.
Every example you can even find of a deep bug, a bug that is known to exist but that people don't know how to fix, it is a bug where either there are nearly zero users of the code, or the code is closed source and there are few people with access. Any bug that has even a moderate number of eyes will be very very shallow.
Re: (Score:1, Informative)
No it doesn’t. The claim of the quotation is that people are constantly scruntinizing open source code but this is false. Heartbleed existed for years without being found.
Re: (Score:2)
The claim of the quotation is that people are constantly scruntinizing open source code
Right, that's what you're not comprehending. You're getting the claim wrong, and people are trying to explain it to you, but you can't fucking understand because you don't know the meaning of words.
Yeah, if that was the claim it would be fucking stupid and wrong. But it isn't.
Re: (Score:3)
You might want to look at Open BSD. Much of what they have done has been adopted by lesser OSS projects.
Re: (Score:1)
You might want to look at Open BSD. Much of what they have done has been adopted by lesser OSS projects.
Have you looked at the OpenBSD [openbsd.org] license?
From the URL "OpenBSD strives to provide code that can be freely used, copied, modified, and distributed by anyone and for any purpose. This maintains the spirit of the original Berkeley Software Distribution."
Very altruistic but does not have much control over what can be done with said software and do you honestly think some users are going to play fair?
Re: (Score:2)
Equally fallacious is that every weakness is reported immediately, not sure what fantasy writer made this article. There's plenty of black hats that'll sell backdoors to any system, open or closed. Regarding Linus's law, I think it's valid but with limitations. Like if you have a square mile of land, the more people use it the more likely they'll stumble upon something but nearly all will take the natural paths. It's vastly different from a search party where you comb the bushes and look in all the places t
Re: (Score:2)
No, you're not understanding it.
In your example, it means that if you send out a search party, and you have a lot of people, you can easily cover the whole area. It doesn't even speak to what is happening when you're not searching; when you don't know you have a bug.
The whole premise of Linus' Law is that you have a bug; it has been reported. And you're trying to fix it. If you have enough people involved in the search, it becomes almost guaranteed that you'll find it. If you only have a few people searchin
Must Run on Windows (Score:1)
Which is easier to infiltrate, FOSS or Microsoft (Score:2)
Not the point, but missing the point as well (Score:4, Interesting)
Not only does that not follow (you have no idea who scrutinizes their copy of FLOSS precisely because of the privacy FLOSS affords users) but you're missing a much more important point: FLOSS respects a user's ability to do things computer owners want their software to do but inherently can't trust proprietary software to carry out. Proprietary software can't be trusted because the users can't be sure it is doing what the users want and not doing what the users don't want (typically this means leaking information, opening backdoors, and implementing malware). It's not about guarantees, it's about the permission to exert as much control over one's own computers as one wishes. Proprietary software inherently doesn't grant that permission and FLOSS does. Couple that with a monied organization as big as the American federal government, and you have the ability for significantly increasing control over their own computers.
Not what Linus & ESR said, but some truth to i (Score:2)
Thanks for posting that. You're absolutely right that when ESR wrote that Linus thought "with enough eyeballs, all bugs are shallow ... the fix will be obvious to someone" , he did NOT mean "all bugs are non-existent". He said "the fix will be obvious to someone" because that's what he meant - with "a large enough co-developer base" looking at a bug, one of them will come up with an elegant fix.
Separately, another, different statement is also true.
I maintain a database of all the CVEs ever issued, with th
Re: (Score:2)
The fact of the matter is that every month dozens of new vulnerabilities in Windows come out. We're now at Microsoft KBnumber 4052231, and a significant fraction of those four million KBs address security issues.
Windows is pretty big. How does that number compare to Linux, plus glibc, plus glib, plus GTK, plus the core GNOME libraries, plus systemd, dbusd, and so on (i.e. the 2,000 or so open source packages that, combined, provide roughly equivalent functionality to the base Windows install)?
Someone says "but but but three years ago Heartbleed was in open source software", and I point to the 40 or so vulnerabilities published for Windows THIS MONTH, and EVERY MONTH.
And I can point to 40 in the Linux kernel's USB stack alone from this month (and we're only half way through the month). How many Windows kernel CVEs have there been?
I'll call that bluff (Score:2)
> And I can point to 40 in the Linux kernel's USB stack alone from this month
Okay, go!
No? How about 4? Still no? Maybe 3? How about ANY at all?
Did I not mention I curate a database of every CVE ever issued? My team looks at each and every one.
> Windows is pretty big. How does that number compare to Linux, plus glibc, plus glib, plus GTK, plus the core GNOME libraries, plus systemd, dbusd, and so on
Compared to the entire standard Red Hat installation, the number of CVEs times their CVSS severity is
Re: (Score:2)
And I can point to 40 in the Linux kernel's USB stack alone from this month
Okay, go!
Okay, here you go [github.com].
No? How about 4? Still no? Maybe 3? How about ANY at all?
Did I not mention I curate a database of every CVE ever issued? My team looks at each and every one.
Doing a great job, if you miss ones that even The Registers notices [theregister.co.uk]
Compared to the entire standard Red Hat installation, the number of CVEs times their CVSS severity is roughly ten times higher for Windows 8.
You'll forgive me if I don't trust your number when you seem to be unaware of recent kernel vulnerabilities and haven't published your methodology.
Oh, and it's worth noting that a number of the CVEs related to the USB stack are impossible for any certified drivers on Windows because they're required to pass a static analysis check that would catch them (Microsoft had a few hundred CVEs for similar bugs some years back w
Has already seen this episode of the Soap Opera. (Score:3, Interesting)
There will be a LOT of yapping and some apps will be created then in about 9 months they will toss it all and sign a Billion dollar check to Microsoft.
What happened to NSA Linux.
The other fallout from that was tossing out all our Apple and Sun systems too.
Then came the ship with NT 4.0 that never worked correctly and the brief Idea to launch nukes from NT 4 computers.
Re:Has already seen this episode of the Soap Opera (Score:4, Informative)
Re: (Score:2)
Then came the ship with NT 4.0 that never worked correctly ...
That is an urban myth. Application software allowed an invalid value, a zero, to be accepted and saved to a database. Controller software that read data from that database accepted an invalid value then performed a divide by zero and was halted by the operating system. This controller software was involved in engine operation. Application, database, controller, ... the operating system was irrelevant, the same thing would happen under Linux.
Immediately after the failure a laid-off *nix engineer, who was
lolwut? (Score:2, Interesting)
Open-source software is also more secure than closed-source software, by its very nature: the code is perpetually scrutinized by countless users across the planet, and any weaknesses are shared immediately.
This is total bullshit. No one noticed, for example, the Debian OpenSSL vulnerability for nearly 2 years. There are also plenty of other examples that were around many times longer without being spotted despite all this claimed “perpetual scrutiny.”
Re: (Score:2)
Just imagine how much less secure it was when it was closed source.
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Goal post shifting at its finest. Also, people find bugs in closed-source software all the time so your second claim is also patently false. You think Project Zero has source code to all the programs they find bugs in?
More secure??? (Score:4, Insightful)
Theoretically might not be true, but IS true (Score:2)
> Open source is not necessarily more secure than proprietary software. Because it is visible, good programmers can look
It's not *necessarily* so, in the sense that nothing *requires* that open-source code is automatically better. On the other hand, I curate a database of over 90,000 software vulnerabilities, and spend my work days examining security issues. Every CVE that is issued goes into our system. The fact is, Windows and Flash alone make up a very large percentage of the vulnerabilities, and hav
Re: (Score:2)
More secure? (Score:5, Interesting)
Open-source software is also more secure than closed-source software, by its very nature: the code is perpetually scrutinized by countless users across the planet, and any weaknesses are shared immediately.
Remember it wasn't that long ago when all you had to do was hit Backspace 28 times and you could bypass login security on almost all Linux distros....
Re: (Score:1)
It’s also not that long ago that OpenSSL had that massive Heartbleed bug and that Debian was generating predictable random numbers in their OpenSSL version.
Re: (Score:2)
Open-source software is also more secure than closed-source software, by its very nature: the code is perpetually scrutinized by countless users across the planet, and any weaknesses are shared immediately.
Remember it wasn't that long ago when all you had to do was hit Backspace 28 times and you could bypass login security on almost all Linux distros....
Exactly! Open Source is only as good as the company that wants to keep up with patching and devote resources for regression testing. These days that is very few (unfortunately).
Re: (Score:2)
Remember it wasn't that long ago when all you had to do was hit Backspace 28 times and you could bypass login security on almost all Linux distros....
No, I don't remember that at all. What I do remember is that on some systems, before the OS was loaded, you could drop into a GRUB bootloader rescue shell by connecting a keyboard emulator that could spam the keyboard buffer with backspaces during boot. If you're actually pressing a backspace key as you describe then no, that isn't actually likely.
Generally speaking, if you have keyboard access during boot you can get to that sort of rescue screen on a computer, unless it has been locked down. Note that unl
uh guys (Score:2)
You'll be receiving my bill for $3,500,000 by the end of the week.
No, that amendment died in conference (Score:5, Informative)
Re: (Score:2)
Dammit. I was hoping for the old /. I new and loved so well. Just a teaser. Will anyone think of the children?
They're working on it (Score:2)
A friend of mine is working on one of those government projects you can't talk about. What he can say is that they are in a 'bake off' with other projects where his project is using OSS, quasi-Agile (*cough* SAFe *cough*) , automated testing (apparently an unknown concept to the beltway bandits, perhaps because there are huge billable hours to be made fixing bugs), CI, etc.
We'll see if they win the bake off.
This Is Huge (Score:2)
Re: (Score:2)
Re: (Score:3)
This has nothing to do with the software they buy.
This has to do with the software they write or have written.
Microsoft doesn't mind writing open source software if you're paying them the same for it; this isn't the type of contract where they would get residuals, this is the type where they get paid for their time doing the work. Stuff with residuals where they're licensing the software to DoD, that would all be unchanged.
Open source? If they contribute! PowerPoint? Bah! (Score:2)
The author of the article wrote:
One big advantage is that, often, the agreements to run open-source software are much more relaxed than those behind proprietary code, and come without licensing fees. The license to run a copy of Adobe Photoshop for a year is $348; the similar open-source GNU Image Manipulation Program is free.
I feel that, for a large corporation or institution, licensing cost should probably be the least concern. Functionality is not free. What counts is transparency (you can inspect the software), control (you can modify the software), relaxed legal constraints (no need to waste resources counting billable seats or hours), and benefiting the community (enhancements you make or sponsor are usable by all). All of which will likely contribute to lowering costs in the long run.
So I a
Re: (Score:2)
There's already -a lot- of OSS in DoD (Score:5, Interesting)
In 35 years in that business, I saw and used a lot of open source development tools, as well as in deployed software. Red Hat is a major provider of OS to DoD, including embedded in weapon systems. GNAT Ada is open source.
And on my last project we kept 2 lawyers (one government, one prime contractor) busy nearly full-time evaluating various OSS licenses for our intended use. The GPL was a significant debate; most OSS licenses were deemed acceptable by both sides. In each case, we evaluated OSS and proprietary software for functionality, life-cycle costs, supportability, expected security/vulnerabilities, and made a decision that balanced these factors. Sometimes the OSS components won out, other times not. But there was a documented decision with rationale.
In general, the choice of software was not a government decision, but a prime contractor decision. Not sure how much we want Congress dictating to contractors what they put into their products.
Re: (Score:2)
Re: (Score:2)
BRL-CAD 4evR!!!!!!!!!!!
Re: (Score:2)
In general, the choice of software was not a government decision, but a prime contractor decision. Not sure how much we want Congress dictating to contractors what they put into their products.
To the exact same extent that it has become a contractor decision! That is the extent to which Government should re-impose controls over what the Government buys. Congress is the best our country has come up with to make those decisions.
Re: (Score:1)
Which OSS licenses did you find to be most DoD amenable, when all was said and done?
Re: (Score:2)
Most were OK, I think the Apache license was one we saw frequently. The GPL 'contamination' clauses were a concern, and there was a lot of disagreement over how they should be interpreted.
Finally the year of the Linux Desktop! (Score:2)
It's the year for the Linux Desktop for sure!
Can you imagine how many desktops the DOD has and is paying Microsoft for?
Largest employer (Score:1)
Not Gattaca Corp, not Tyrell, not Weyland-Utani or Tessier-Ashpool. This demonstrates why we won't get super-cool things in our lifetimes. Sure DARPA shmarpa, but if we instead had 3.2 million people working on nano-tech, biology, AI, lunar colonies and FTL, then maybe we could get somewhere as a civilization.
The US has plenty of nukes, has demonstrated a willingness to use them. That is all we basically need for defense. All the res
Re: (Score:2)
DoD OSS won't necessarily mean Open Source (Score:3)
As long as DoD does not distribute anything it develops beyond DoD (or the Federal government since it is all part of the same organization) it is all staying within the organization developing it and thus would not be obligated to share any improvements.
Per gnu.org:
The GPL does not require you to release your modified version, or any part of it. You are free to make modifications and use them privately, without ever releasing them. This applies to organizations (including companies), too; an organization can make a modified version and use it internally without ever releasing it outside the organization.
and
For instance, you can accept a contract to develop changes and agree not to release your changes until the client says ok. This is permitted because in this case no GPL-covered code is being distributed under an NDA. You can also release your changes to the client under the GPL, but agree not to release them to anyone else unless the client says ok. In this case, too, no GPL-covered code is being distributed under an NDA, or under any additional restrictions. The GPL would give the client the right to redistribute your version. In this scenario, the client will probably choose not to exercise that right, but does have the right.
Thus, as long as they only use it internally they have no obligation to make the changed source code available. In addition, they could require contractors to develop code under and NDA that prohibits release until the authorize its release so even if they do not do the actual development internally they can still control its release. I would not bet on the DoD probably choosing not to exercise that right.
So while it may be good PR for OSS in reality it may not actually advance OSS for the public. DoD could classify any OSS projects to prevent its release using the argument that its release would be detrimental to national security and require contractors to sign an NDA for any work they do for DoD.
https://www.gnu.org/licenses/gpl-faq.en.html#GPLRequireSourcePostedPublic
Largest employer? (Score:2)
I thought the Chinese army was No 1, and the UK's NHS was No 2.
Am I wrong? anyone have actual figures?
TIL (Score:2)
"Open-source software" is computer software with its source code made available with a license in which the copyright holder provides the rights to study, change, and distribute the software to anyone and for any purpose
I'm torn between making a snarky remark about how I, thanks to slashdot, finally learned what open source software is, or whether I should point out that in no way "open source" implies the right to "distribute the software to anyone and for any purpose" because that is clear and utter bullshit that only applies to free software (as in e.g. BSD-licensed stuff).
Look who's learning the big words now (Score:1)
Slashdot posted my question about auditing on Linux seventeen years ago in reference to the DoD using Red Hat. We are using all kinds of other OSS back then as well so The Verge, and these senators, is just a few years late. The amendment will not result in any changes in how DoD procures software/services or operates at any level from the foxhole to Earth orbit.
The GSA is open source friendly NOW (Score:2)
http://code.gov/ [code.gov]
http://18f.gsa.gov/ [gsa.gov]