Open Source In the National Interest

munchola writes "A new report from the Department of Defense's Advanced Systems and Concepts Office recommends that the DoD move to adopt open source software and methodologies as well as open standards in order to make the most efficient use of internal resources. According to CBR, the report states that a move to 'Open Technology Development' is not only in the U.S. national interest, but in the interests of U.S. national security. OTD incorporates open source methodologies and open standards, but also takes into account the fact that the DoD has systems that it would rather keep secret."

Yay! :)

[Spy der Mann (805235)]

Let's have a party! Invite Linus and Stallman! :)

Bring the fireworks! :)

2 words.

[jellomizer (103300)]

About Time

This all makes now but...

[Recovering Hater (833107)]

I foresee the DoD changing its tune after Microsoft drops a few million dollars in the right direction to make this go away. Remember the Open Doc file format drama that unfolded not too long ago? ...where did I put my tinfoil hat again...

"Always remember...

[Irvu (248207)]

...your rifle was made by the lowest bidder."

That's a relatively old joke in the Military, and a relatively sick one when you consider the problems of faulty weapons (e.g exploding in your hands). But it points to something pretty basic. When it comes to things the DOD is rewarded for going cheap. This doesn't mean that they won't but they are rewarded for trying. In this gig Microsoft is at a disadvantage as their competitors are a) Free, and b) can be taken under total control by the DOD. Remeber that in-house changes to GPL'd code need not be released. Microsoft on the other hand is likely to worry about in-house changes to their stuff (e.g. document security restrictions for Office).

While I doubt Stallman will be welcome any time soon keep in mind that Theo De Raadt and the other BSD people have been welcomed (and financed) by the DOD before now. Ditto things like SELinux. In many ways this is only surprising because it took so long for them to say openly.

Re:"Always remember...

[liliafan (454080)]

I will believe it when I see it, I just got told in no uncertain terms by our site IT security officer that:

"Nessus is unapproved software, we only allow xxxxxx(closed source) security scans to lock down your UNIX servers"

Yes I work for the DoD.

Re:This all makes now but...

[Poppler (822173)]

I foresee the DoD changing its tune after Microsoft drops a few million dollars in the right direction

Except a few million is peanuts to the DoD. Their budget for 2006 was well over $400 Billion. I think they're going to make whatever decision will benefit them most, regardless of the cost.

Re:This all makes now but...

[Beryllium Sphere(tm) (193358)]

Does the Advanced Systems & Concepts office carry so much weight that the DoD as a whole can't simply pretend the report never happened?

NEWSFLASH

[P3NIS_CLEAVER (860022)]

Govt. IT is highly fragmented. It took 20 years for DOD to switch to all-diesel. How long to switch to open-source?

The anti-OSS people do have one point.

[LWATCDR (28044)]

The statement that people could introduce malicus code into Linux that then makes it's way into secure systems. Of course with companies outsourcing programming jobs to other countries the same thing could happen with a closed source system.
The solution for OSS is simple. Any OSS software that goes into a Command and Control system needs to have it's source code audited by an independent authority.
Of course the same thing should be done with any software that goes into a military, aerospace, or any other mission critical system. In this case OSS does have a clear advantage in that the end user can select any group to perform the code audit instead of depending on the vendor.
Of course if the military does a code audit on Linux they would have contribute back the patches so it is a win win situation.

Re:The anti-OSS people do have one point.

[Peter Mork (951443)]

The solution for OSS is simple. Any OSS software that goes into a Command and Control system needs to have it's source code audited by an independent authority.

Unfortunately, it's not as simple as auditing the source code. You also need to have complete control over the compiler, as implemented in machine code. For example, see Ken Thompson's comments [acm.org] on how to imbed self-replicating code into a compiler so that every program has a back door.

Re:The anti-OSS people do have one point.

[jZnat (793348)]

No matter how many times that FUD is introduced here, people forget that GCC bootstrapped itself, and I'm sure it gives you directions somewhere on how to bootstrap it yourself as well. Writing a simple C compiler in Assembly and "compiling" the Assembly by hand is very possible if you need that degree of paranoia distinguished.

Countering Trusting Trust

[dwheeler (321049)]

There's a technique for completely countering the "Trusting Trust" attack, called "Diverse double-compiling". See my web page on countering trusting trust through diverse double-compiling [dwheeler.com], which includes a link to a paper describing how to do it, and an example where it's been done.

Re:The anti-OSS people do have one point.

[ZachPruckowski (918562)]

Of course if the military does a code audit on Linux they would have contribute back the patches so it is a win win situation.

Only if they distribute it outside their organization, which in this case could be probably construed as the US government and the military and national guard.

Re:The anti-OSS people do have one point.

[jc42 (318812)]

... hey would have contribute back the patches so it is a win win situation.

This is hardly anything new. Look into how the DoD funded the development of the Internet (aka ARPAnet).

Actually, in most cases they didn't even develop their own patches. Rather, they told their academic and industry fundees about the problems in the latest code, let the hackers work out a solution, took the code for their own uses, and left it in the public code base for further use and development.

Yeah, they probably did a bit of development on their own, but the evidence is that there hasn't been as much of this as you might expect. The military has found the academic hacker community to be a much better testbed for most of the code, and a lot cheaper than trying to debug changes in a military setting. As long as the crypto stuff is highly modular (and it is), it's a lot more effective to just leave the code development in the public sector, where there are lots of eyes and people happy to show off their expertise by doing the hacking that a strictly-managed power structure finds highly distateful.

For a feel of the US government's relationship with the linux part of the open-source community, google for "secure linux" and do a bit of reading. There's a lot going on there.

Re:The anti-OSS people do have one point.

[wfberg (24378)]

The statement that people could introduce malicus code into Linux that then makes it's way into secure systems. Of course with companies outsourcing programming jobs to other countries the same thing could happen with a closed source system.
American programmers are just as capable of introducing (intentional) bugs as foreign programmers.


Of course the same thing should be done with any software that goes into a military, aerospace, or any other mission critical system. In this case OSS does have a clear advantage in that the end user can select any group to perform the code audit instead of depending on the vendor.

The US armed forces have enough spending power to convince even Microsoft to pony up the source code. And they do.

Of course if the military does a code audit on Linux they would have contribute back the patches so it is a win win situation.

Under the GPL, you only have to contribute patches if you distribute your modified code to third parties. The result of a code audit might also just be "don't use module X", in which case there's nothing to patch.

The way I read it the article is more about encouraging DoD programmers to be more like the open source community in sharing programs, ideas and sourcecode with each other, rather than continually reinventing the wheel.

Re:The anti-OSS people do have one point.

[thewiz (24994)]

FYI: The government already has several organizations that review source code and test software before it is accepted for use. Putting something that has not been reviewed on a government computer is a good way to lose your clearance.

Re:The anti-OSS people do have one point.

[db32 (862117)]

Go ask Cisco, or MS, or any of the other major vendors how many of their patches came from the DoD. DoD has found a great number of problems in a great number of products and has in turn work on a great number of patches that made it back into the consumer world.

Coarse...for the really paranoid type...I would like to point out that the DoD has played very large roles in quite a few other critical areas that I'm sure everyone holds near and dear...vehicles, aircraft, radar, computers, oh and that intarweb thingy...DARPAnet and all.

DoD has had a pretty good history of providing goodness to the populace as well as all the negative that people like to focus on. DoD doesn't start the fight...politicians do, remember that next time you see a service member. They bleed for the good causes, and the bad causes...its the leaders that determine what causes they are going to bleed for next.

Training

[mo'o ahi (633487)]

First, I generally agree that there are many areas where this will be of significant benefit. Unfortunately, there are so many problems across DOD right now due to insufficiently trainied operators/admins - this will make it significantly worse in the operational arena. I have been on board many installations to train people and was saddened by the lack of sound IT skills by those that are supposed to be managing the systems. Of the 100 or so IT personnel I have trained, I would say that 5-6 have the necessary mindset and skills to effectively implement OSS. Centralized control is a hallmark of DOD IT - and this flies in the face of that as well, from a cultural perspective. (not that this is a bad thing) So, this means that not only will they need to change the infrastructure - the culture will need to shift, which is a much longer term issue. Then again, this could be good for the network-centric warfare concept. It could inject a much needed does of innovation.

They've been using OSS for years

[LWGLIN (98225)]

Granted, I'm not talking about Command and Control systems, but the DoD has been using OS Software for years now. I know because they are using iText [lowagie.com] to produce billions of PDF documents. I have been mailing with DoD developers regularly in the past (and neither I, nor my product is American). It's not as if they have changed their mind about OSS overnight. The remarkable thing is that they are now coming out with a policy about OSS, and that they are considering to use it on a larger scale. (Yes, we're talking about Operating Systems now!)

OSS has one solid advantage

[MikeRT (947531)]

It makes contract bidding cheaper. If you can use an OSS toolkit over a proprietary one, the cost that gets billed to the government is lower which makes it easier to win contracts. Other than that, bureaucratic inertia is the only major problem OSS faces. There is hardly any more bias against OSS than there is toward any regular commercial software.

The point everyone seems to have missed...

[jd (1658)]

...is that Closed Source vendors have opposed Open Source "in the national interest" and "for reasons of security" for some time now. Regardless of whether the DoD ever actually follows through on this, there is now an official statement by the US Government no less that these claims are false. Hey, we've all known that for some time, but ringing endorsements by the DoD don't come by on a weekly basis.

This is the time that Open Source activists and promoters need to run with the ball. Draw the attention of CEOs and business executives to the fact that the DoD advocates Open Source. Show them that we're not talking toy software. Show them that this isn't about not wanting to spend money. (Since when was the DoD afraid to spend money?) This is about an innately powerful method of developing high-grade - even military-grade - products that do what people actually need done.

We couldn't ask for better, but only if those outside of the IT industry actually hear of it. If only those who already accept the strengths of Open Source know that someone else has also decided it is a good solution, then that decision means nothing. Particularly as the DoD is very unlikely to do anything about it. It'll just be a decision. But if the business community got shown this... That would be a whole different ball-game.

We use open source in NM state gov.

[spun (1352)]

I work for the Child, Youth and Family Development department. We use Windows on the desktop, Novell as our file server and SuSE Linux for everything else. Currently we are transitioning away from HPUX to an IBM BladeCenter environment running VMWare and SuSE. We have one major application and several minor ones. The major app, a client tracking system, was developed in house and runs Sybase as a back end. Eventually we plan on porting it to use Postgres and releasing it as open source so that anyone in need of a client tracking system can use it.

This is the real beauty of open source in government, not leveraging the work of others by running open source systems, but leveraging the large development force that most governments have to share in house apps wit less of the usual inter-agency squabbling. An agency that might be wary of using a non open source application developed by a rival agency will be less wary of using an open source app that just happens to be developed by said rival. Instead of reinventing the wheel, in house development staff can cooperate with other staff in other agencies.

That the DoD would recommend open source is exciting, because it really is a good fit for government agencies. Believe it or not, our little state government IT department is better run and more on the ball than most IT departments that I have worked for in big corporations. Moving to Linux hosted on blades running VMWare has freed up a lot of resources to plan for the future that used to be used in just putting out fires.

awesome

[eliot1785 (987810)]

To: Department of Defense, Source Distribution Department
From: Kim Jong Il

To Whom It May Concern,

In accordance with the terms of the GNU General Public License, I'd like to receive a copy of the source code for your Pacific-based Ballistic Missile Defense System. I do not require it in CD form; please simply email it to me at the above address (k.il@korea-dpr.com).

Thank you for your prompt fulfillment of your obligations under the GPL.

Sincerely,
Kim Jong Il

Re:awesome

[Scarblac (122480)]

Mind you, the DOD is under no obligation to give the source to random members of the public, only those who received binaries... So he would have to wait until he got one of those missiles distributed to him first :-)

Not recommending open soruce software

[flooey (695860)]

The recommendation by the DoD isn't specifically to use open source software, though that'd be one possible implementation of it. What they're recommending is that the DoD build a foundation upon which code and standards can be shared in the way that open source tends to do. The current situation in DoD is that basically every project writes its own code, so the software in a GPS satellite may well be entirely distinct from the software in a communications satellite, even though they could both be cheaper and more reliable if they were to reuse code and standards. It's the methodology, not the actual code, of the open source movement that they're interested in.