Forwarded from: William Knowles <wkat_private> http://www.washingtonpost.com/wp-dyn/articles/A60050-2002May22.html By Jonathan Krim Washington Post Staff Writer Thursday, May 23, 2002; Page E01 Microsoft Corp. is aggressively lobbying the Pentagon to squelch its growing use of freely distributed computer software and switch to proprietary systems such as those sold by the software giant, according to officials familiar with the campaign. In what one military source called a "barrage" of contacts with officials at the Defense Information Systems Agency and the office of Defense Secretary Donald H. Rumsfeld over the past few months, the company said "open source" software threatens security and its intellectual property. But the effort may have backfired. A May 10 report prepared for the Defense Department concluded that open source often results in more secure, less expensive applications and that, if anything, its use should be expanded. "Banning open source would have immediate, broad, and strongly negative impacts on the ability of many sensitive and security-focused DOD groups to protect themselves against cyberattacks," said the report, by Mitre Corp. A Microsoft Corp. spokesman acknowledged discussions between the company and the Pentagon but denied urging a ban on open-source software. He also said Microsoft did not focus on potential security flaws. Spokesman Jon Murchinson said Microsoft has been talking about how to allow open-source and proprietary software to coexist. "Our goal is to resolve difficult issues that are driving a wedge between the commercial and free software models," he said. John Stenbit, an assistant secretary of defense and the Defense Department's chief information officer, said that Microsoft has said using free software with commercial software might violate companies' intellectual-property rights. Stenbit said the issue is legally "murky." The company also complained that the Pentagon is funding research on making free software more secure, which in effect subsidizes Microsoft's open-source competitors, Stenbit said. Microsoft's push is a new front in a long-running company assault on the open-source movement, which company officials have called "a cancer" and un-American. Software is designated open source when its underlying computer code is available for anyone to license, enhance or customize, often at no cost. The theory is that by putting source code in the public domain, programmers worldwide can improve software by sharing one another's work. Vendors of the proprietary systems, such as Microsoft and Oracle Corp., keep their source codes secret, control changes to programs and collect all licensing fees for their use. Government agencies use a patchwork of systems and software, and proprietary software is still the most widely used. But open source has become more popular with businesses and government. The Mitre report said open-source software "plays a more critical role in the DOD than has been generally recognized." The report identified 249 uses of open-source systems and tools, including running a Web portal for the Defense Intelligence Agency, running network security for the Army command in Europe and support for numerous Air Force Computer Network Defense tools. Among the most high-profile efforts is research funded by the National Security Agency to develop a more secure version of the open-source Linux operating system, which competes with Microsoft's Windows. The report said banning open-source software would drive up costs, though it offered no specifics. Some government agencies have saved significantly by using open source. At the Census Bureau, programmers used open-source software to launch a Web site for obtaining federal statistics for $47,000, bureau officials said. It would have cost $358,000 if proprietary software were used, they said. Microsoft has argued that some free-licensing regimes are antithetical to the government's stated policy that moneymaking applications should develop from government-funded research and that intellectual property should be protected. Microsoft also said open-source software is inherently less secure because the code is available for the world to examine for flaws, making it possible for hackers or criminals to exploit them. Proprietary software, the company argued, is more secure because of its closed nature. "I've never seen a systematic study that showed open source to be more secure," said Dorothy Denning, a professor of computer science at Georgetown University who specializes in information warfare. Others argue that the flexibility provided by open-source software is essential, enabling users to respond quickly to flaws that are found. "With open source, there is no need to wait for a large software firm to decide if a set of changes is in its best interests," said Eugene Spafford, a computer-science professor at Purdue University who specializes in security. Jonathan Shapiro, who teaches computer science at Johns Hopkins University, said: "There is data that when the customer can inspect the code the vendor is more responsive. . . . Microsoft is in a very weak position to make this argument. Whose software is the largest, most consistent source of security flaws? It's Microsoft." Stenbit said that the debate is academic and that what matters is how secure a given piece of software is. To that end, the Defense Department is now prohibited from purchasing any software that has not undergone security testing by the NSA. Stenbit said he is unaware of any open-source software that has been tested. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri May 24 2002 - 06:18:28 PDT