date 2021-02-22
from the adopt-buy-create dept.
Late last month the US Department of Defense (DoD) published a memorandum on software development (warning for PDF). It focuses specifically on Open Source Software (OSS), though it misses the fact that OSS can also be commercial in nature.
- A. The Department must follow an "Adopt, Buy, Create" approach to software, preferentially adopting existing government or OSS solutions before buying proprietary offerings, and only creating new non-commercial software when no off-the-shelf solutions are adequate.
- (1) OSS meets the definition of "commercial computer software" and therefore, shall be given equal consideration with proprietary commercial offerings, in accordance with Section 2377 of Title 10, U.S.C. (reference (e)) (see also FAR 2.101(b), 12.000, 12.101 (reference (f)); and DFARS 212.212, DFARS 208.74, DFARS 227.7202, and 252.227-7014(a)(1) (reference (g))).
- (2) In accordance with FAR 13.104 (reference (h)), refusal to consider all OSS based solely on software being open source may be contrary to statutory and regulatory preferences for commercial products, and would unnecessarily restrict competition. OSS should be considered to the maximum extent practical.
Across the pond, the EU's Open Source Observatory (OSOR) has an analysis of the memorandum in the context of DoD Software Modernization Strategy from earlier this month.
Even back in 1998, MS proprietary software was deemed a threat, and the situation has not changed: it is still a threat to safety, reliability, confidentiality, and costs.
The US Department of Defense wants you to contribute unclassified code to software projects developed in support of national security. Toward that end, it has launched Code.mil, which points to a GitHub repository intended to offer public access to code financed by public money. But at the moment, the DoD's repo lacks any actual code.
Open source and free software represent industry best practices, the DoD said in a statement, even as it acknowledged the agency has yet to widely adopt it. Code.mil represents an attempt to change that dynamic. On the project website, the DoD goes so far as to suggest that anything other than open source software puts lives at risk.
"US military members and their families make significant sacrifices to protect our country," the agency explains in its FAQs. "Their lives should not be negatively impacted by outdated tools and software development practices that lag far behind private sector standards." And in case that isn't clear enough, the agency states, "Modern software is open sourced software."
-- submitted from IRC
The US Department of Defense is in the process of releasing all of its custom software under Free and Open Source Software (FOSS) licenses with a deadline of June for getting under way. Most of the barriers so far have been legal and policy ones, not technical.
As part of the 2018 National Defense Authorization Act, the Defense Department has until June to start moving much of its custom-developed software source code to a central repository and begin managing and licensing it via open source methods.
The mandate might prove daunting for an organization in which open source practices are relatively scarce, especially considering that, until recently, there was no established open source playbook for the federal government. That's begun to change, however, with the Office of Management and Budget's code.gov, and its DoD corollary, code.mil, run by the Defense Digital Service (DDS).
The fact that such software is actually under public domain inside the US adds a small twist to the release process.
From Federal News Radio: Amid congressional mandate to open source DoD's software code, Code.mil serves as guidepost.
Pentagon lawyer Sharon Woods gives a LibrePlanet presentation about free software in the US DoD (video).
A battle is underway at the US Department of Defense (DoD) to improve the way DoD develops, secures, and deploys software. The National Defense Authorization Act (NDAA) is not common reading for most people, but buried within the DoD's 2,000-page budget authorization is a provision to free source code. The lively history behind this provision is simultaneously frustrating and encouraging, with private industry giants, Congress, and other federal agencies jockeying around the effort to free the code at DoD. Come listen to this important, but perhaps lesser known, chapter of the free software narrative, and learn how a small group of impassioned digital service experts are defying all odds to continue the fight for free software adoption.
The relevant bit of the NDAA, H.R.2810 § 875.
Back in 1998, Paul Strassmann, a former CIO of Xerox, NASA, and the US Department of Defense, wrote in Computerworld about how Microsoft's overly complex, defective, and vulnerable systems were already a threat to national security even back then. The intervening time has shown Strassmann to have been more than correct, as the problems he identified with Microsoft and its products worsen monotonically. Mitchel Lewis writes a guest post at Techrights about the current situation and how Microsoft remains a security threat to national security and to the systematic reliability of our computer-based society today:
That said, I think enough time has elapsed to confirm that Paul Strassmann is an authority on such matters and that Microsoft is precisely who he said they were. Further and with hindsight in our pocket, it seems as if Microsoft was merely projecting when they said Strassmann's paper was flawed and that he made errors in analyzing the state of computer security and its causes in light of their 95–99% monopoly on ransomware infections alone and that ransomware is already considered to be a national security threat.
[...] However, I'd like to think that Microsoft would get creative if the government were to sanction Microsoft by allowing citizens and businesses impacted by ransomware to bill Microsoft for the cost of the ransom and their losses in productivity. And although Microsoft cannot be faulted for the attacks, they can be faulted for their shit-in-hand approach to quality and security, while sanctioning them until they actually take a common-sensical approach to quality and security appears to be the simplest means of combating ransomware and mitigating the threat it poses to our national security.
While 2% of known ransomware affects Android, which makes 72% of the mobile market and 41% of all clients, the rest is for Microsoft's product line which weighs in at 32% of the market nowadays. So far Microsoft's response has been weak and based on strawman fallacies with the occasional feeble ad-hominem fallacy thrown in.
