[ISN] Open-Source Fight Flares At Pentagon

From: InfoSec News (isnat_private)
Date: Fri May 24 2002 - 03:27:29 PDT

    Forwarded from: William Knowles <wkat_private>
    
    http://www.washingtonpost.com/wp-dyn/articles/A60050-2002May22.html
    
    By Jonathan Krim
    Washington Post Staff Writer
    Thursday, May 23, 2002; Page E01 
    
    Microsoft Corp. is aggressively lobbying the Pentagon to squelch its 
    growing use of freely distributed computer software and switch to 
    proprietary systems such as those sold by the software giant, 
    according to officials familiar with the campaign.
    
    In what one military source called a "barrage" of contacts with 
    officials at the Defense Information Systems Agency and the office of 
    Defense Secretary Donald H. Rumsfeld over the past few months, the 
    company said "open source" software threatens security and its 
    intellectual property.
    
    But the effort may have backfired. A May 10 report prepared for the 
    Defense Department concluded that open source often results in more 
    secure, less expensive applications and that, if anything, its use 
    should be expanded.
    
    "Banning open source would have immediate, broad, and strongly 
    negative impacts on the ability of many sensitive and security-focused 
    DOD groups to protect themselves against cyberattacks," said the 
    report, by Mitre Corp.
    
    A Microsoft Corp. spokesman acknowledged discussions between the 
    company and the Pentagon but denied urging a ban on open-source 
    software. He also said Microsoft did not focus on potential security 
    flaws.
    
    Spokesman Jon Murchinson said Microsoft has been talking about how to 
    allow open-source and proprietary software to coexist. "Our goal is to 
    resolve difficult issues that are driving a wedge between the 
    commercial and free software models," he said.
    
    John Stenbit, an assistant secretary of defense and the Defense 
    Department's chief information officer, said that Microsoft has said 
    using free software with commercial software might violate companies' 
    intellectual-property rights. Stenbit said the issue is legally 
    "murky."
    
    The company also complained that the Pentagon is funding research on 
    making free software more secure, which in effect subsidizes 
    Microsoft's open-source competitors, Stenbit said.
    
    Microsoft's push is a new front in a long-running company assault on 
    the open-source movement, which company officials have called "a 
    cancer" and un-American.
    
    Software is designated open source when its underlying computer code 
    is available for anyone to license, enhance or customize, often at no 
    cost. The theory is that by putting source code in the public domain, 
    programmers worldwide can improve software by sharing one another's 
    work. 
    
    Vendors of the proprietary systems, such as Microsoft and Oracle 
    Corp., keep their source codes secret, control changes to programs and 
    collect all licensing fees for their use.
    
    Government agencies use a patchwork of systems and software, and 
    proprietary software is still the most widely used. But open source 
    has become more popular with businesses and government. 
    
    The Mitre report said open-source software "plays a more critical role 
    in the DOD than has been generally recognized."
    
    The report identified 249 uses of open-source systems and tools, 
    including running a Web portal for the Defense Intelligence Agency, 
    running network security for the Army command in Europe and support 
    for numerous Air Force Computer Network Defense tools.
    
    Among the most high-profile efforts is research funded by the National 
    Security Agency to develop a more secure version of the open-source 
    Linux operating system, which competes with Microsoft's Windows.
    
    The report said banning open-source software would drive up costs, 
    though it offered no specifics. Some government agencies have saved 
    significantly by using open source.
    
    At the Census Bureau, programmers used open-source software to launch 
    a Web site for obtaining federal statistics for $47,000, bureau 
    officials said. It would have cost $358,000 if proprietary software 
    were used, they said.
    
    Microsoft has argued that some free-licensing regimes are antithetical 
    to the government's stated policy that moneymaking applications should 
    develop from government-funded research and that intellectual property 
    should be protected.
    
    Microsoft also said open-source software is inherently less secure 
    because the code is available for the world to examine for flaws, 
    making it possible for hackers or criminals to exploit them. 
    Proprietary software, the company argued, is more secure because of 
    its closed nature.
    
    "I've never seen a systematic study that showed open source to be more 
    secure," said Dorothy Denning, a professor of computer science at 
    Georgetown University who specializes in information warfare.
    
    Others argue that the flexibility provided by open-source software is 
    essential, enabling users to respond quickly to flaws that are found.
    
    "With open source, there is no need to wait for a large software firm 
    to decide if a set of changes is in its best interests," said Eugene 
    Spafford, a computer-science professor at Purdue University who 
    specializes in security.
    
    Jonathan Shapiro, who teaches computer science at Johns Hopkins 
    University, said: "There is data that when the customer can inspect 
    the code the vendor is more responsive. . . . Microsoft is in a very 
    weak position to make this argument. Whose software is the largest, 
    most consistent source of security flaws? It's Microsoft."
    
    Stenbit said that the debate is academic and that what matters is how 
    secure a given piece of software is. To that end, the Defense 
    Department is now prohibited from purchasing any software that has not 
    undergone security testing by the NSA. Stenbit said he is unaware of 
    any open-source software that has been tested.
    