
Open Source in the Military? 398

Posted by Cliff
from the you-saw-how-well-NT-on-a-carrier-went dept.
djmcmath asks: "Does anyone have any experience with Open Source Software and/or GPL'd software in military applications? I'm only asking because I'm involved in work on the combat systems for a new submarine, and had considered an Open Source solution. (I apologize, I must be intentionally vague for obvious reasons.) So ignore the obvious questions (Is it really suitable? Are closed-source proprietary options better? Does MS have a good solution?) and skip to the good stuff. What about the fact that my code would be classified Secret under US Code Umptifratz? I cannot distribute my code (and its changes) without being tried for treason. What happens to the rest of the combat system code when I submit my GPL'd module?" Open Source and the Military: it's a tricky combination of keeping what can be open, open and keeping your secrets...well, secrets! However, open source in the military need not be as high profile as weapons systems. One of the only major OS projects that I'm aware of that had any form of military involvement was GRASS, the open-source GIS system. I'm sure there may be a few others out there. Does anyone know of other OS projects with military association? If there are any projects out there that interface with classified bits, how did you deal with those issues?
  • Source Distribution (Score:5, Informative)

    by aridhol (112307) <ka_lac@hotmail.com> on Saturday March 16, 2002 @05:14PM (#3174424) Homepage Journal
    I cannot distribute my code (and its changes) without being tried for treason

    Are you distributing your executables? If you use the OSS for a specific system and only on that system, you are not required to distribute source - everyone that has the binaries (the military) will have the source.
    • by Anonymous Coward on Saturday March 16, 2002 @06:40PM (#3174799)
      Are you distributing your executables? If you use the OSS for a specific system and only on that system, you are not required to distribute source - everyone that has the binaries (the military) will have the source.

      It's actually simpler than that -- this is the US -- therefore, you only need to say aloud one of two magic incantations, "National Security" or "For the love of God, will no one think of the children?" and debate is terminated. In your favor.
    • by kryonD (163018)
      So far it seems that everyone has failed to actually read what he wrote. It's not like he hopped on freshmeat [freshmeat.net] and searched for "torpedo guidance system" and actually found something to work with. His quandary is most likely whether or not using open source tools for his project requires his project to be open source. This is an easy answer as you can generate all the code you want using open source tools and then release it under any license that makes you happy. The Marine Corps Warehouse Management System is powered by Red Hat 6.0 and compiled using gcc. While the number of $500 toilet seats we have in warehouse 5 is not really a matter of National Security, it still may be a piece of information that enemies could develop intelligence with, so the system specifications and code remain closed source. We are not violating the GPL because our system is not based on GPL'd code.

      Although, to keep everyone happy, you may have to name your project GNU/Submarine.
  • by Account 10 (565119) on Saturday March 16, 2002 @05:14PM (#3174427)

    You only need to distribute the source to the people that you distribute the binary to.

    Presumably the binary is covered by the same secrecy rules as the source, so the only people entitled to the source are the military.

    Although, if the binary is in a bomb, you may also need to distribute the source to the poor sod that you drop it on.
    • by linzeal (197905) on Saturday March 16, 2002 @05:16PM (#3174442) Homepage Journal
      They could just include the source in a leaflet attached to the side of the bomb with a stern finger wagging RMS on it.
    • Maybe this is an intentional joke/troll, but it's completely wrong. If you distribute the binary, it must be under the terms of the GPL. Not only do the users need to be able to get the source, but the GPLed source- that means they are allowed to modify and redistribute it as they see fit.

      If you use some other means (written orders from the commanding officer) to force the users not to republish the source code, then you have NOT given them a GPLed release, because you haven't given them permission to redistribute it under the same terms you acquired the software with.

      (I do software contracting for the US military, and we'll include LGPL or PD code, but not GPL).

      Imagine if this happened in the civilian world- CompanyX modifies GPLed GNU Emacs and puts it up for sale- but before a customer can purchase it, they have to sign a separate contract promising to never redistribute the source code. It's a blatant violation.

      (Actually, that has been attempted before. A group published a modified version of the GPLed Quake game, but required users to sign away their rights to the source code before they could download the binary. The original author sent his lawyers after them, and they gave up on the scheme)
      • by jpt.d (444929) <abfall@NOSPam.rogers.com> on Saturday March 16, 2002 @06:56PM (#3174852)
        I believe you are possibly in error. The US military is an organization, and any software is published to the organization. You are not giving the binary/code to anyone but the military, not any particular person. The organization has access to the code, but they are the only ones that have the binaries anyways.
        • Sweet! (Score:3, Interesting)

          by roystgnr (4015)
          I hereby declare that I and everyone I know form a conglomerate "organization", and as such we will only be purchasing copyrighted material collectively in the future. Because we will only be redistributing this material within our own organization, and not to anyone outside it, we should be exempt from copyright restrictions, right?
          • The US military is an organization, and any software is published to the organization

          Hrrm, but army, navy and air force have separate budgets and chains of command, plus they subcontract work. It's an interesting issue; as I (personally) read the GPL, the onus is on me (personally) to comply. That means that the distributable I produce must be accompanied by the written offer to supply source. It's irrelevant whether I intend to supply it to my mother, my workmate, another department in my company, or Osama bin Laden for that matter. If I use GPL code, I have to ensure that I'm in a position to comply with the terms. Saying "I voz only obeying orders" isn't good enough.

          • They are all part of the Dept of Defense, and ultimately, the US federal gov't. As long as they don't distribute it outside the US gov't, they shouldn't have to release the code outside the US gov't.
      • Imagine if this happened in the civilian world- CompanyX modifies GPLed GNU Emacs and puts it up for sale- but before a customer can purchase it, they have to sign a separate contract promising to never redistribute the source code. It's a blatant violation.
        Wrong. Only restrictive contracts between the licensor and licensee are prohibited. Here's how to get around it:
        1. Form a shell company that never touches the code. Since we're Star Wars fans, let's call the shell company Chewco (after Chewbacca).
        2. Licensor publicly says "We give code to people who have secrecy contracts with Chewco." Since they never say "We don't give code to people who don't have secrecy contracts", it isn't a "further restriction" according to the GPL.

          If anybody without a secrecy contract asks for code, they say "We choose not to give you code at this time for private reasons."
        3. Anybody can get a secrecy contract with Chewco. They give money and promise secrecy, and Chewco gives them a nice flower arrangement (or some other valuable consideration) in return. This is a legal, enforceable contract. Since Chewco is not a licensor, they are not affected by the GPL. The GPL does not prohibit the licensee from being restricted, it merely keeps the licensor from imposing the restriction as a condition of licensing, so it's OK on that count too.
      • Contracts vs. laws (Score:4, Informative)

        by coyote-san (38515) on Saturday March 16, 2002 @09:51PM (#3175444)
        You're missing an important distinction here. The GPL limits what restrictions (none) you can place on redistribution of source code as a term of the license CONTRACT.

        Security classifications, in contrast, are a matter of LAW.

        This is an important distinction that comes up periodically. E.g., there's a fair amount of software that is used to control the operation of amateur radio station equipment. The licenses inevitably require that the user have suitable FCC (or local equivalent) certification suitable for the operation of this equipment, probably due to FCC regulations. Does this violate the GPL? I would argue it doesn't - it's the FCC that requires a license to operate the equipment, not the author, and the sole purpose of this restriction is to limit the author's liability in those cases when the receiver acts in bad faith.

        Ditto the occasional licenses that require the receiver be old enough to enter into a binding contract. Of course it's silly to say that a 17-year-old can't make valuable contributions, but the law says that contracts with 17-year-olds are never binding except for some relatively rare circumstances. (E.g., they can be emancipated by a court, by enlistment in the military, or by marriage. Or it could be a "necessity" such as a contract for housing.)

        I think the same argument can be made here. Are you willing to make the source code available to any agency legally entitled to view it? If so, then I think you can still use the GPL.
        • Yes, security classifications are legally enforced.
          But if you cannot simultaneously obey the Gnu Public license and the law, then the license doesn't take effect, copyright law kicks in, and you have no permission to redistribute modified code at all.

          Any person who willingly mingles GPL code with classified code is either immediately violating copyright, or conspiring to commit espionage (when they release the code, as the license requires).

          Of course, in real life no real criminal espionage charges would be pressed. If this were to actually happen (by accident, say, a subcontractor programmer gets confused), and is found out, then the government would have to weigh the value of the combined code, and either arrange payment to the original authors, or promise to destroy (in a security-level approved fashion) the offending software.
          Unless they declare it a matter of National Security and just pull the whole thing under Eminent Domain.
    • by FattMattP (86246) on Saturday March 16, 2002 @05:55PM (#3174630) Homepage
      Although, if the binary is in a bomb, you may also need to distribute the source to the poor sod that you drop it on.
      That would only be necessary if he's going to execute the code. If the code is in a bomb, it's more likely that it's going to be executing him.
    • Embedded devices (Score:4, Interesting)

      by phr2 (545169) on Saturday March 16, 2002 @06:26PM (#3174757)
      That was a very good answer, and as a GPL'd code author I don't mind the military using my code but I'm quite happy to not have it be used directly in bombs.

      That brings up the question of embedded devices in general, e.g. what if the binary is in night vision goggles or a satellite radio issued to troops? They presumably can't be given the classified source code. I discussed embedded devices with RMS a long time ago and back then, he seemed to think it was technically a GPL violation, but if the code in the device can't be changed (i.e. it's in ROM) then it didn't really count as software, so he wasn't too worried. At that time, embedded CPUs weren't so ubiquitous and those that existed were mostly tiny and didn't run much GPL'd code. It might be time for a more formal policy on stuff like this.

      Of course, the GPL'd code owner can always grant GPL exemptions for specific purposes (the GPL itself has a clause saying this and I think the FSF has given a few exemptions in the past), so the surest way to be in good standing is if you can get permission from the owner.

      Disclaimer: IANAL and I don't speak for the FSF.

      • That brings up the question of embedded devices in general, e.g. what if the binary is in night vision goggles or a satellite radio issued to troops? They presumably can't be given the classified source code.

        Hm... to whom do you have to make the source available to:

        • The user?
        • The owner of the equipment it's running on?
        If it's Uncle Sam's goggles or satellite, maybe it's enough that Uncle Sam has the source, instead of GI Joe himself.
    • Although, if the binary is in a bomb

      And you thought copy-protected CD-ROMs were bad.

    • Although, if the binary is in a bomb, you may also need to distribute the source to the poor sod that you drop it on.

      Except that the GPL only requires that you make available the source on request. A note on the bomb casing would do the trick, since the requirement would only apply if you dropped a bomb which didn't go off.
  • License it? (Score:2, Insightful)

    by Anonymous Coward
    Couldn't the military, if it wanted to avoid the legalities and implications of the GPL, just license whatever code it wanted directly from the authors?
  • I'd say as long as you didn't specify what the program was being used for specifically, there shouldn't be a problem.

    (I.E., we need .5% accuracy on this, not "The targeting for the ICBM needs to be .5% accurate", etc.)

    Just my $.02.

    JoeLinux
    • Targeting only 0.5% accurate? Remind me to take my vacation underneath the designated target - it's the safest place in the world.
      • That's why ICBMs carry such devastating payloads, if it misses the target, ah, oh well, the whole country's blown to bits anyway :)
      • Oopsie...meant "Accurate to .5%" Amazing how a few words can change the WHOLE meaning.

        JoeLinux
  • ksonar (Score:3, Funny)

    by Innomi (566928) on Saturday March 16, 2002 @05:17PM (#3174445)
    Imagine, a whole new suite of apps for KDE, ksonar ktorpedo kcmissile ...
  • It makes me doubt the veracity of your entire question. Here's what the constitution says about treason:

    Article III:

    Section 3. Treason against the United States, shall consist only in levying war against them, or in adhering to their enemies, giving them aid and comfort. No person shall be convicted of treason unless on the testimony of two witnesses to the same overt act, or on confession in open court.

    The Congress shall have power to declare the punishment of treason, but no attainder of treason shall work corruption of blood, or forfeiture except during the life of the person attainted.

    I fail to see how software distribution could be considered treason. Has slashdot just been duped again?

    • by aridhol (112307) <ka_lac@hotmail.com> on Saturday March 16, 2002 @05:21PM (#3174475) Homepage Journal
      Perhaps he meant espionage - the release of state secrets to an enemy of the state.

    • Okay, so your little research into Article III makes you an expert over the person with DOD clearance (any level) who has filled out 15-30 pages of personal facts/history, who had to read another 50-100 pages of what to do/what not to do/possible punishments, and has their personal life investigated left and right (at their choice) to benefit our country?

      Until you've been there and done it and know what it takes to get a clearance and what ramifications exist if you break the agreement, keep your opinions to yourself and go back to your text book. That is real world buddy.
    • by BoneFlower (107640) <george.worrollNO@SPAMgmail.com> on Saturday March 16, 2002 @05:38PM (#3174562) Journal
      Treason is an overstatement, but in his case, the penalties would be stiff, and, depending on the circumstances and who he distributes it to, could be considered treason. The non disclosure agreement sets penalties of 10 years and 10,000 dollars for EACH violation of the security regs. For example:

      Classified fact a
      classified fact b
      classified fact c
      classified fact d
      classified fact e

      If those were real classified facts, I could easily end up in jail for 50 years for this post.

      It may not technically be treason, but it can be as severe and match the spirit of treason if not the letter of the definition.
    • I fail to see how software distribution could be considered treason. Has slashdot just been duped again?

      Wouldn't that fall under giving them aid and comfort? Giving the enemy vital information (such as the source code of weapons control systems) sure helps (aids) them, doesn't it?

  • Read the FAQ (Score:5, Informative)

    by gkirkend (111309) on Saturday March 16, 2002 @05:19PM (#3174461) Homepage
    Take a look at the GPL FAQ [gnu.org]

    A quote from the FAQ which I believe applies to your situation:
    "The GPL does not require you to release your modified version. You are free to make modifications and use them privately, without ever releasing them. This applies to organizations (including companies), too; an organization can make a modified version and use it internally without ever releasing it outside the organization. But if you release the modified version to the public in some way, the GPL requires you to make the modified source code available to the users, under the GPL. Thus, the GPL gives permission to release the modified program in certain ways, and not in other ways; but the decision of whether to release it is up to you."

    Greg

    • I wonder how they define "organization". Does an employer need to give the source to an employee (if they ask for it) for the internally modified GPL programs they use on their workstation?

      If they DON'T have to distribute source internally, then can't I say that my "organization" is Humanity, and that I can distribute my GPL-derived binaries (without source) to anyone within the "organization"?

      And if they DO have to distribute source internally, then Pt. Joe Schmoe would be able to request the source for the missile guidance software he is pressing the blinky red buttons on. Unless they order him not to... =)
      • I wonder how they define "organization".

        Whatever the exact definition it's hard to see how it could not apply to a nation's military.

        Does an employer need to give the source to an employee (if they ask for it) for the internally modified GPL programs they use on their workstation?

        Not necessarily, since the organisation can choose how information is stored internally. In just the same way that not every cell in someone's body "knows" everything that they, as a person, knows...
  • by mcrbids (148650) on Saturday March 16, 2002 @05:20PM (#3174463) Journal
    It's a common misunderstanding of the GPL... using GPL software does not mean you have to distribute it.

    The terms of the GPL simply state that if you sell a GPL product to a customer, you must provide the source to that customer.

    Red Hat, Mandrake, and the like are being nice enough to provide iso images of their software for your download - they are not required to.

    So what are the ramifications? Well, if the military sells your GPL solution to a 3rd country, they have to provide the source to that 3rd country, as well.

    In other words, in this case, GPL (or no) makes no difference at all. GPL code can be "top secret" as long as the customer has full access to the code.

    The idea of the GPL is that "If I bought it, I can do as I please with it - and if I sell it, so can whoever I sell it to..."

    • Perhaps there are aspects to this that need to be reviewed.

      With military systems, it's common to sell systems of varying degree of capability to various entities so as to maintain various strategic aims.

      For example, we might keep tier 1 functionality for ourselves, offer tier 2 to, say, the Israelis, and tier 3 to other Mideast countries.

      If this practice of sharing systems with various capability levels extends to software systems... Well, if you ship someone a device with binaries burned into the ROMs, don't you also have to provide the source? Could they then examine the source and add back in capabilities you've disabled? Don't you have to provide the same source to all who might have the binaries?

      • While having source makes it easier to find out what something does, not having source doesn't make it impossible to find out.

        If the second and third tier shipments just had a switch (or a bit) flipped to disable a feature, that's a problem -- source or no source.

      • With military systems, it's common to sell systems of varying degree of capability to various entities so as to maintain various strategic aims.
        For example, we might keep tier 1 functionality for ourselves, offer tier 2 to, say, the Israelis, and tier 3 to other Mideast countries.
        If this practice of sharing systems with various capability levels extends to software systems... Well, if you ship someone a device with binaries burned into the ROMs, don't you also have to provide the source? Could they then examine the source and add back in capabilities you've disabled? Don't you have to provide the same source to all who might have the binaries?


        There is a simple solution. Either only load the ROMS with the software modules you want to supply or completely obliterate the software you don't want to supply before you ship the stuff. Then the only source you need to supply is that for the software you have actually shipped. Even with no GPL issues you really don't want to ship the code you don't want shipped in a trivially disabled form...
  • by lkaos (187507) <anthony@codemonkAUDENey.ws minus poet> on Saturday March 16, 2002 @05:21PM (#3174474) Homepage Journal
    I actually have had to deal with this and the GPL really isn't your biggest concern, but first, let me address that.

    The GPL is a set of licensing terms between the author and whomever he distributes the code to. If you are working directly with the Navy (unlikely) then writing and consuming the GPL code would pose no problem since you're not distributing to anyone.

    If you are working for a contractor, then it is a bit more hairy. You can still write the code GPL and distribute it to the Navy under the GPL. This of course gives the Navy whatever rights to the code so that they could redistribute it if they choose. It does not allow some guy in Florida to obtain secret info though. You would have to first give him a binary for him to have grounds to ask for the source and of course, classified source code produces classified binaries so this isn't an issue.

    The real issue is QA. There are all sorts of processes (I know at least for Surface Systems) covering COTS versus in-house software. Now, I spent a great deal of time working things out with QA and this is what we came up with when I first asked to use an OS library in a tactical program:

    First, I had to vouch for the code. That meant I literally had to go through it line by line and make sure there were no possible backdoors in it. Also, if I modified more than a certain percentage of the library, then I was responsible for bringing that library up to in-house standards (which I'm sure you know is a real pain in the ass).

    Don't worry about the licensing terms, they aren't going to be a sticking point likely. QA is what is going to kill you... (and it will only get worse if your program carries a higher classification).
    • The real problems come if the US decides to give the technology to some 3rd party. We might want to give them Mark-3 smart bombs, but we might not want to give them the ability to develop their own Mark-4 smart bombs. Therefore, DO NOT include GPL'd code in a product if you can foresee that we might want to give binary-only versions of it to another country. Since you can't predict such actions, my conclusion is that you shouldn't include GPL code in any such project. Heck, this is a defense project! Clean-room the whole thing from the ground up. Go nuts. Spend billions.

      • The real problems come if the US decides to give the technology to some 3rd party. We might want to give them Mark-3 smart bombs, but we might not want to give them the ability to develop their own Mark-4 smart bombs. Therefore, DO NOT include GPL'd code in a product if you can foresee that we might want to give binary-only versions of it to another country.

        If they have the skills to develop Mk4 from the Mk3 code it probably makes little difference if they have the source or not. Also they might be reluctant to buy if they don't get the source and can have their own people check for lack of bugs.
  • by FredGray (305594) on Saturday March 16, 2002 @05:26PM (#3174508) Homepage
    I'm not sure why the author of this question thinks that he'll get good advice from Ask Slashdot. The only reasonable response is "you should find an attorney with experience in intellectual property and national security laws and an appropriate security clearance to be told the complete story."
    • On the one hand, I think we need something more devious than that... Put somewhere in the FAQ:

      Q: blahblahblahOpen Sourceblahblahblahlegal question?
      A: Get a fucking lawyer.

      On the other appendage, I think Taco & Co. post these questions because of the anecdotes provided in the comments. And since the comments are the most important part of the site, what better way to add value to slashdot than to repeatedly post the variations of the question?

      Personally I'm waiting for April 4, so I can be rejected for asking, "Hey, it's been a year since we talked about Game Programming w/ SDL, what's changed since then?"
  • I wonder if this is for the Virginia Class [naval-technology.com] of mini-subs. These things are just so freaking cool. I'd give my right leg to have one of these things to ride around the Jersey shore in :)
    • give my right leg to have one of these things to ride around the Jersey shore in :)

      You don't have to - just enlist.
      • Ha, the mini-subs are for Navy Seal deployment.

        I think I have a better chance of trading the Navy my right leg than of becoming a Navy Seal :)
      • True, why give up your own right leg when you could join the military and try to blow up your enemy's right leg.

        If you're lucky, you just might have a chance to get your own right leg blown off. It would be the best of both worlds! You'd be a cripple, your enemy would be a cripple, but fuck yeah, you got to ride inside of a shiny blinky deathmobile!
  • Hmm.. interesting (Score:5, Informative)

    by BoneFlower (107640) <george.worrollNO@SPAMgmail.com> on Saturday March 16, 2002 @05:33PM (#3174545) Journal
    IANAL, however I did work in military intelligence and information security.

    From what I understand, in this case, the government agency responsible for the code changes would be required to distribute those changes to any agency they distribute the binaries to... This should not, as I understand it, mean the individual users of the software.

    For example, let's say the Navy sends copies of the binaries to Electric Boat (a sub manufacturer). They would be required to send the source to Electric Boat as well.

    However, in this case, it is Electric Boat's IT department that is the receiver of the binary, NOT the Electric Boat employee who uses the software. Therefore, the source can legally be kept inside a safe at the CMCC (classified material control center), shown only to the IT department and others with an established need to know.

    However, in any case, regardless of license, if the source changes reveal classified information it would be illegal to release them to the general public. I'd wager that even if that turned out to be a direct violation of the GPL, the classification side of the case would win in court.

    With all that said, I would recommend you push for release of all source changes that do not reveal classified information. I realize that might not be much, but what you can, go for it.
  • Support? (Score:5, Funny)

    by gehrehmee (16338) on Saturday March 16, 2002 @05:40PM (#3174566) Homepage
    Open software is typically accompanied by open support. If the usage of your software is as secret as you make it sound, it might be really difficult to get technical support from the community in the same way civilian users might.
    I finally got Linux 2.4.CLASSIFIED to work on my CLASSIFIED system, which required me to work around the CLASSIFIED component attached to the CLASSIFIED-CLASSIFIED. However, I'm still having some stability problems. Anybody see anything blatantly wrong with this patch? :

    --- /usr/local/src/linux/fs/devices.c Sat Sep 22 21:35:43 2001
    +++ CLASSIFIED.c Sat Mar 16 14:32:35 2002
    @@ -32,7 +32,7 @@

    struct CLASSIFIED_struct {
    const char * name;
    - struct file_operations * fops;
    + struct string_operations * CLASSIFIED;
    };

    static CLASSIFIED_t CLASSIFIED_lock = RW_LOCK_UNLOCKED;
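    Review bot: the struct member line changes both the type (`struct file_operations *` to `struct string_operations *`) and the name (`fops` to `CLASSIFIED`) at once, and nothing visible in the patch defines `struct string_operations` or converts the code that reads `fops`. Either keep the old member until every user is updated in the same patch, or include the definition of the new ops type and the converted call sites so the change can be checked as a whole.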
    @@ -62,9 +62,9 @@
    Load the CLASSIFIED if needed.
    Increment the CLASSIFIED count of module in question.
    */
    -static struct CLASSIFIED_operations * get_chrfops(unsigned int CLASSIFIED, unsigned int CLASSIFIED)
    +static struct string_operations * get_chrfops(unsigned int CLASSIFIED, unsigned int CLASSIFIED)
    {
    - struct CLASSIFIED_operations *ret = NULL;
    + struct CLASSIFIED_operations *ret = NULL;

    if (!CLASSIFIED || CLASSIFIED >= MAX_CHRDEV)
    return NULL;
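    Review bot: the return type of `get_chrfops` becomes `struct string_operations *` while the local `ret` is still declared as `struct CLASSIFIED_operations *`, so a value returned through `ret` no longer matches the signature. The removed and added `ret` declarations are textually identical, so that pair changes nothing; replace it with a declaration of `ret` in the new return type. The two parameters also share a single name in both the old and new signature, which will not compile as shown.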
    @@ -95,7 +95,7 @@
    return ret;
    }
  • by Ektanoor (9949) on Saturday March 16, 2002 @05:40PM (#3174567) Journal
    Just a note on how military are involved on spreading the evil "specter" all over the world. Just one name that means all:

    "TCP/IP"

    It's open, clear and crystal like water. The whole world uses it. 90% of open/closed source network systems depend on it. It's open, it's readable. And it's ARPA...

    What else is needed to talk about the military involvement? From start to end, many things done on computers are originally military by their nature... First computers were created for military needs, let's not forget this. And today nearly everyone uses them. From Taco to Ben Laden...

  • by rossz (67331)
    I cannot distribute my code (and its changes) without being tried for treason.
    I don't think treason would apply here. Look at Article III, Section 3 of the Constitution:
    Treason against the United States, shall consist only in levying war against them, or in adhering to their enemies, giving them aid and comfort.
    On the other hand, you might be charged with espionage.
  • OSS in the USAF (Score:4, Interesting)

    by The Snowman (116231) on Saturday March 16, 2002 @05:45PM (#3174590) Homepage
    I am a programmer in the USAF, and my squadron (for security reasons I cannot say what my unit does) uses OSS.

    We use Samba for sharing printers between Windows NT and Solaris. We don't change the source code, but we do use OSS. I believe that we also use GCC for some things, because (and I am not 100% sure on this since I am not a sysadmin) I don't think Solaris comes with a C compiler. We also use DivX for... I could tell you but then I'd have to kill you ;-)

    I've thought about this before because of our software licensing. Let's say Microsoft thinks they need a license audit. What's more important: maintaining our security by not allowing Microsoft access to sensitive computer systems, or complying with their "copyright" policies? If a computer is located in a secure area protected by federal classification law, who will know?

    It goes both ways. The government could potentially abuse the GPL, but they could do the same to the draconian licensing terms in commercial software. It is my experience that the people in charge of acquiring systems will make sure their subordinates comply with the law. The higher-ups at my squadron stress that we must obey licensing laws because it's The Right Thing To Do.

    I like open source software. I think it's the greatest thing since sliced bread. But for some applications, such as classified computer systems, it may be best to stick to closed source if you need to change the open source software.
  • My company lists their open source projects here [mitre.org]. No missile guidance systems, just stuff like virtual workspaces, and I haven't worked on any of these projects so I can't vouch for their quality/usefulness. But hey, if you're a US taxpayer you paid for them, so have at it.
  • by guygee (453727) on Saturday March 16, 2002 @05:48PM (#3174604)


    I worked on a terrain database analysis tool, called ZCAP [ucf.edu], that was funded a few years back by U.S. Army STRICOM [army.mil] and the Defense Modeling and Simulation Office [dmso.mil]. We distributed the application (and still do) in a complete package that included a number of supporting free source applications, such as gnuplot and tcl/tk. We handled the combination of free source, (no longer) export-restricted software, and proprietary libraries by loosely integrating using system calls under a tk-based gui. Not very clean, but there is a lot of good code in there, and I'm planning to gpl it in the near future.

  • If this is YOUR GPLed module, you have the RIGHT to Re-Licence your code to anyone you choose.

    This is something that people don't realize. When you put something under the GPL, YOU say that ANYONE can use your software/code under the terms of it. But you CAN STILL make SEPARATE licenses to third parties which can be as restrictive or unrestrictive as you please.

    However, if this GPLed code you speak of was written by somebody else, you're fucked unless you can get that person to re-license the code for you.

  • RTEMS (see http://www.rtems.army.mil) is a very nice real time OS that the military has open sourced with a very BSD like license that even mentions GPL (see http://www.rtems.army.mil/rg4/copyright.html)

    As a side note I see that RTEMS stands for something new - perhaps I am having a 1984 experience but I seem to remember it used to stand for "Real Time Executive for Missile Systems"

    Don't say the US military has not done anything for open source or I will be forced to mention Arpanet :-)
  • The M-1 tank uses the Firebird [sourceforge.net] database apparently. The military really liked the near-instant recovery from power failure (apparently the M-1 tank loses its power every time it shoots its main gun).
  • I work for the Army Corps of Engineers and our entire IM infrastructure (at our location) runs NT. I am unique in that I have been running and using linux for about 7 years outside COE.

    I decided to install Linux on a box in my location and brought in several apps that I developed on my own (that I am releasing as open source). One of these boxes I had set up as a web server and I demoed some of these apps to the front office, they mandated that we needed a linux box.

    42 NT boxes and now a Linux box too!

    One app that I created (eNewsbot) used the PERL LWP mods and scanned the front pages of up to 4,000 media outlets and returned any successful matches through email. WAY cheaper than Lexis Nexis and you can customize which outlets to scan for (like only states that are affected by a certain river, etc). Other successful apps that we use include Checkbot to scan for broken URLs, and we are testing open source for an internal new mechanism. Perl's CGI.pm really came in handy when we needed to get presentations from the field. They needed to be in Powerpoint and only powerpoint so we just rolled our own script to accept them to our intranet.

    Could you do this kind of stuff on NT? Sure, but our people couldn't so I had a huge leg up. Plus the fact that open source costs us 0.00 to implement was a HUGE plus.

    I have had the open source discussion with the front office and what (our) green suiters want is functionality not platforms. It just so happens that what makes this functionality possible is open source. They couldn't care less if it was NT or Open Source as long as they are getting this new ability.

    This works for non classified stuff so I don't know about what you are doing in particular. If you want other good info regarding Open Source in Government check out the Open Source Software Institute [oss-institute.org].

    They have a mailing list with great info and knowledgeable folks.
  • What if the enemy, after finding out that the sub is using GPL'd app "x" starts submitting patches to it so they can influence its design?

    I know the versions would be audited for security vulnerabilities, but what if the goal of introducing a patch to say, the linux kernel, would be to ensure that the noise from a hard drive had a certain pattern they could listen for? Or maybe APMD so they could listen for spin ups at certain intervals? This is a sub, so naturally being able to introduce patterns of noise into such a system would be an advantage.

    And you also have upgrades to worry about. How fast could you patch zlib throughout the fleet before an exploit was developed and deployed by the opposition? Does the boat need to have a full time bugtraq officer? How about modifying sonobuoys to probe comm on the boats...or use buffer overflows that have only been discovered within the last hour or so?

    Even if you keep your modifications secret, what does the standard public tree tell the enemy about the capability of a weapons system?

    Replacing windows in the admin shop is probably a good idea, but deploying OSS in a weapons system should heed the possibilities the enemy has to use analysis of the public tree to find weaknesses in that system.
    • And you also have upgrades to worry about. How fast could you patch zlib throughout the fleet before an exploit was developed and deployed by the opposition?

      ...or use buffer overflows that have only been discovered within the last hour or so?

      Why does everyone assume every computer system in the world is on the Internet??? Let's be serious, a submarine under water in a war situation is sure as hell not going to be on a 24/7 net connection. Probably it will never be on ANY internet connection at all, especially on secure systems. So zlib has a buffer overflow on the boat, if the enemy manages to get a spy on the boat to get local access to use this overflow then we have much bigger problems.
  • "I cannot distribute my code (and it's changes) without being tried for treason."

    Learn this and learn it well:

    it's == it is
    its == the possessive version of it

    The word 'its' is a possessive pronoun (its, yours, hers, his, theirs) as opposed to a possessive noun and therefore does not follow the rules set out in Bob's Quick Guide To The Apostrophe, You Idiots [angryflower.com]. </grammar police>

  • I remember Cygnus [cygnus.com] used to advertise that this big Navy software system was built using GNU tools because the Navy decided that Microsoft stuff wasn't reliable enough. Of course that refers to the compilers etc. and I'm not sure if the resulting Navy software contained GPL code itself. However it shows there's already nontrivial military use of GPL'd software.
  • ... implement some sort of "Don't ask, Don't tell" policy for this whole "Open in the military" issue.
  • The GPL basically says "if you provide an executable to anyone outside your organization, you have to provide the source also." And if you as a government employee provide any sort of classified executable to anyone outside the government... well... enjoy your stay at Ft. Leavenworth...


    Seems that this is a somewhat stupid question. Even if classified work is done by a contractor, and sold to the government as work-for-hire, the contractor is the only one required to provide the source code to anyone, and then, only to the group to whom they give the executable - the government. So, as long as they wouldn't give the executable to anyone else, the GPL is obeyed. And quite honestly, if a contractor provides classified software to anyone except the government, under government blessing, they'll have bigger problems than a GPL violation.


    Go ahead, use GPL'd software in whatever you like. Unless the government plans to sell the software to anyone else later, you're completely within the bounds of the license. Nowhere does the GPL say "if you give this software to someone, you have to provide it to the world." It simply says that "if you give someone this software, you have to give them the means to modify it."

  • Maybe you should ask your Project Manager or Government Contract Manager. They are required to understand what you can and can't use, particularly when the project is classified.

    Unless things have changed a lot in the past couple years, I suspect you won't be able to use any open source software. Even if you can, you should check with your Project Manager and your Government Contract Manager before you make that decision for yourself - it could cost you more than your job.

  • by trims (10010) on Saturday March 16, 2002 @08:54PM (#3175248) Homepage

    First off, run, do not walk, do not pass go, straight to the base/department legal department. Do not attempt to do ANYTHING until they OK it - the regulations surrounding secret-level work are inordinately hairy and convoluted, and only a lawyer specialized in classified-work law can answer your question definitively.

    The other note, which is useful when discussing this with aforementioned lawyer: any work done under a Classified label (or higher) has different rules than "normal" work. Basically, any license that gets applied to the code only applies to those with a clearance at least as high as the code was written. Thus, if your code is Classified, I don't care if it has the BSD license, GPL, Bob's SuperFree License, or whatnot. Anyone without a Classified clearance isn't entitled to see it. Period.

    This is a case where the murky grounds of National Security trumps Copyright (and other Intellectual Property) law. The law still holds, but it's restricted to the circle of security it's at.

    National Security law basically allows you to use anybody else's code, provided you compensate them in a just and reasonable manner. As far as I've experienced, this means that you have to pay them the basic asking price on the free (i.e non-classified) market, and they don't get to say "no, you can't use it". For GPL/BSD/Open Source licenses, the asking price is Free, so well, they've been "compensated" as they normally would.

    In this case, Classified work can certainly suck in Open Source code and not release it until it gets unClassified. And, as a side note, there is no "leaking" - people are not entitled to distribute code to non-cleared people, so it's not like Trade Secrets. It stays locked up until it's declassified.

    -Erik

    • As far as I've experienced, this means that you have to pay them the basic asking price on the free (i.e non-classified) market, and they don't get to say "no, you can't use it". For GPL/BSD/Open Source licenses, the asking price is Free, so well, they've been "compensated" as they normally would.

      Actually the asking price for GPL code isn't "free" it's that you must distribute derived works under the same licence. But it doesn't oblige you to distribute in the first place or override restrictions on distribution.
      So in theory you could have software as "classified" and "GPL". Meaning it's only possible to distribute it under certain conditions, but anyone who it is distributed to must be able to get the source code.
      Note however the "classified" bit only applies within your own country though. So if the software ends up being distributed elsewhere, including in faulty munitions fired in anger, only the GPL should apply.
      • you have to pay them the basic asking price on the free (i.e non-classified) market, and they don't get to say "no, you can't use it". For GPL/BSD/Open Source licenses, the asking price is Free, so well, they've been "compensated" as they normally would.

      This is absolutely untrue for the majority of open source licenses. I suggest you go and look at a piece of open source code. See the first line? The little © symbol? If you don't want to read any further, then just stop right there and assume that the code is neither free as in speech nor in beer.

      There is a cost associated with using open source code, usually acknowledgement, sometimes releasing your changes, occasionally open sourcing your project. It is not generally "free as in beer", it's just that the cost is in behaviour, not $$$.

      I take your point that the military can do whatever it damn well likes, but it'd be interesting to see what a court would consider a "just and reasonable" paying of the cost of using open source code. I'm a little tired of groups thinking that they can behave any way they like, then substitute money afterwards when they are forced to. It's not OK for Microsoft to do it, and I don't think it's OK for the Dubyament either.

      That said, if the binaries never leave the military, the source doesn't have to, even under GPL. But that doesn't mean that you can get away with paying the costs as they apply in the circumstances, i.e. adding GPL licenses to all linked source.

  • Many DARPA projects are done in cooperation with universities and many of the software supporting them end up as OSS.
    Here's [darpa.mil] a list of DARPA research areas, tying in to projects. I know MIT's project oxygen [mit.edu] has helped a lot in the world of linux on handhelds.
  • Let me get this straight, you work on a system that is designed to kill yet you worry about the copyright law?

    • You only have to make the source of GPL code available to whoever you make the program available to. If you're only using the program internally then you don't have to make the code available externally.
    • GPL covers only the code, it doesn't cover any of the data, graphics, resources, etc. Presumably your program will contain non-GPLable tryable-for-treason stuff like this, making your full working program non-distributable even if the code is (ala Quake).
    • If it really is classified Secret under US Code Umptifratz, or whatever, you have to ask yourself... do RMS or the FSF have Umptifratz clearance? Mum's the word.
    • If this stuff really concerns you, get a lawyer 'cause we don't know shit.


  • This is a CAD suite developed and used by the U.S. Army's Ballistics Research Lab. See http://ftp.arl.mil/brlcad for more information. It isn't fully Open Source for a number of reasons, but they do distribute the source code free of charge. (You can modify it, but not redistribute it.) Top secret components/add-ons are compiled separately, and of course are not available to the public.

    If nothing else, maybe the BRLCAD developers can answer some of your questions.

    -Sam
  • I've had network patches from interesting places. I've done work with bodies that wouldn't even tell me what they were using Linux for.

    Linux is already used for signal descrambling, SToW (Simulated Theatre of War) and a large number of other things, many of which mere mortals are never likely to discover until thirty years on.

    I get kernel fixes from such people, optimisations from such people and so forth, but I've yet to see any GPL'd nuclear attack management tools and I guess those won't be GPL 8)


  • Open Source is an act of love. Influencing people by killing them and destroying their property is an act of hate, or at least socially backward behavior.

    I think the haters should contact the lovers to see if the lovers want their software used for an alternative purpose.
  • ...to a proprietary OS. There are several good ones that make this arrangement easy and cost effective. (Yes, I work on making one, assume I'm plugging it.) You can then know exactly what's in your OS, hack on it to your heart's content, and maybe even get some good support for it.
  • This is a tough question to answer as I am not sure what exactly you are looking for. Because you are using open source development tools, it does NOT mean you have to distribute those changes to the rest of the world or release ANY of your source code or binaries. In fact, if you are using open source code, my understanding of many open source licenses is that you are only required to release the code to those that you distribute the binaries to. This may mean your defense contractor or the DOD or Dept. of the Navy. The tricky issue is the source code could (probably will be) actually be considered more classified than the binaries.

    Open source can certainly save you development time/money, but its application should depend upon its use and how it will integrate into the rest of the combat control system. For instance, how was Cluster Knave (Macintosh based submarine imagery system) integrated into command, control and combat? I don't know the answer to that one by the way. (Is Cluster Knave still around by the way? Anyone?)

    Will this software integrate/interface with the outside world at all? Obscurity is your friend here and one of the reasons the NSA makes their own stuff. (rolling their own) But this certainly depends upon other systems and their requirements.

    As for distributing ANY of your code, assuming you are working on anything with collateral clearance or higher, you would be under investigation PDQ. Especially given the current climate with lots of things going back into classification and security in many programs being looked at hard. Open source ideals aside, do not decide to use open source solutions for classified work if you would like to contribute back to the community. This would be a major career mistake. For classified work, use open source if it will help get the job done better/faster.
  • Once upon a time, the ArpaNet needed better protocols than NCP to run. The DoD wanted something that was Open. They gave a grant to Berkeley to develop network protocols that were not proprietary.

    Further back

    • The DoD needed a way to keep an infrastructure going during and after a war. Blah Blah Blah, arpanet was born.
    • They needed Operating Systems for it to run on - preferably something not closed and owned by IBM, DEC, Prime, etc.
      They ended up funding a lot of the development of young Unix.

    Many many tools that are "just there" are there because they were developed under public grants - often not the point of the research, just tools developed in the processes of doing the work. If I develop CoolTool(TM) while being paid by taxes to do something, I can't just sell CoolTool. Frankly, often it was put out because "here was something handy and I want it to keep going but am moving on."
    (GnuPlot came from Dartmouth after being written to plot data under a weather grant or something)

    My point is that Open Source and the gub'mint (esp the DoD and military) have a long history together. The fact that free software is auditable and readable is often mandatory - especially for systems that will never get third party support.

    No licenses I've glanced at have ever said "If you make changes for your own use, you must give them back." If this ends up being sold one day (and many military technologies (besides Tang) HAVE made it back into the civilian world), then you may have issues.

  • Ok, I got a little curious when this guy started mentioning "US Code Umptifratz" and after searching with google I couldn't find any reference to "Umptifratz" that relates to US law. In fact, only 2 search results came up. Could this guy be jerking our collective chain?
