DoD team nears Security Validation of OpenSSL

tadelste writes "An important DoD program took a page from Open Source and Do-It-Yourself-IT (DIYIT) and applied for their own Security Validation. In this article Steve Marquess says: 'as a taxpayer, I felt very annoyed. But it made me realize a couple of things. First, if OpenSSL had been validated, then it was possible for us to do it again. Secondly, if we could do it we could save a lot of money for the program.'"

26 of 109 comments

  1. More cost effective by dogfart · · Score: 4, Insightful
    Looks like:
    • Government pays directly for certifying open source products
    • Private companies "use" the open source product in their own commercial (very expensive) offerings, pay for the certification, then sell the (largely open source) products at a substantial markup to the government
    You save a few pennies in the first option by no longer having the government pay for certification, but you lose many times over in the markup
    --

    "dope will get you through times of no money better than money will get you through times of no dope"

    1. Re:More cost effective by WNight · · Score: 3, Insightful

If the government has an encryption system they trust they don't bother buying products with a potentially flawed system, they simply run the unencrypted system over a VPN, or SSH.

      That way everyone saves. The applications can be developed more easily without redoing a specific encryption layer for every one. Nobody wastes money developing and verifying a redundant system.

If the government simply accepted that contractors were going to base things on OpenSSL they'd need to verify every product, to make sure that nobody had accidentally or intentionally weakened it. By simply using the official signed and verified version they only have to trust their verification team once.

  2. Ironic by Pharmboy · · Score: 4, Insightful

They are having to revalidate the same code others have already validated (albeit with some modifications), but it's still a good thing to see DoD at least attempting to use my tax dollars smarter, by spending the time to formally validate open source software instead of buying proprietary software for hundreds of thousands of dollars, that contains basically the same code.

    Any time the Govt. decides to use Free software instead of MS stuff, I also sleep better at night, for several reasons.

    --
    Tequila: It's not just for breakfast anymore!
    1. Re:Ironic by Fweeky · · Score: 1, Insightful

OpenSSL is not Free software. That'd be the GNU TLS library; OpenSSL is under a BSD-style license. Would you have preferred them to validate GNU TLS because it's Free?

    2. Re:Ironic by Markus+Registrada · · Score: 2, Insightful

      What's more ironic is that they won't be able to apply fixes, including security fixes, without going through the whole process again. Since they can't afford to do that, they will be running "secure" code with known security holes.

      It's too bad they didn't certify GNU TLS instead.

  3. Re:microsoft not secure by LittleLebowskiUrbanA · · Score: 3, Insightful

    Maybe a couple of people in the gov't. The gov't is HUGE and full of all sorts of different people. Basically a microcosm of the American public, really.
    More than likely someone open minded enough to try and save money on his budget, or even an idealist :)

  4. Govt saving money? OMG! by SoTuA · · Score: 5, Insightful
    Nice to see somebody put a bit of sense in govt. spending. Why license for thousands what you can get for free? Go OpenSSL!

BTW, this shows some of the GPL-camp fears: Too-free (as in BSD) code packaged into proprietary apps... some people will not realize they can get the exact same code for free.

    (the debate on "in licensing from private outfit you are paying for support of that free code" is left to the reader ;)

  5. I think this is a good thing. by Mysticalfruit · · Score: 4, Insightful

In a lot of cases, when software is being written to do X thing, the DoD will go to lengths to write it from top to bottom.

    OpenSSL has proven itself worthy on the battle field of the internet.

    If by using OpenSSL, the DoD can design better systems faster that allow our troops to be more efficient (i.e. deadlier) and it costs us less money and the DoD returns any bugs it finds to the community, I don't see how this is a bad thing.

    --
    Yes Francis, the world has gone crazy.
  6. Re:microsoft not secure by Pharmboy · · Score: 4, Insightful

yeah until it's on 90% of desktops...then we'll see how secure it is

You miss the point entirely. OpenSSL has already been validated, and the source has been seen by thousands of other people. THAT is what makes it more secure. It's proven and open. OpenSSL isn't a "desktop", it's a library for encryption. It's released under a BSD license, so Microsoft could include it in every copy of XP if it so chose to. It's not platform dependent.

And to further blow your smug theory away, any Unix-like operating system will always be more secure than the current Windows systems by design. It's not an opinion, it's a design choice that makes the software somewhat more difficult to use but gains security. You CAN make a Unix-like OS as insecure as a standard Windows install (hello Lindows) but you have to really try.

It would be nice if the "yea, wait until more people use Linux" crowd had a clue what they were talking about, especially since it has exactly NOTHING to do with Linux. Linus, to my knowledge, has not contributed to OpenSSL, and OpenSSL will work just fine with no need for Linux.

    --
    Tequila: It's not just for breakfast anymore!
  7. Re:Summary misleading by Vlad_the_Inhaler · · Score: 2, Insightful

    Validation is an expensive process, the vendors had to pay for it themselves so they were not necessarily 'ripping the government off'.

    --
    Mielipiteet omiani - Opinions personal, facts suspect.
  8. good for this Steve guy by Vlion · · Score: 3, Insightful

He is working on saving the US government money. Wish there were more guys like him in the US gov. For non-US readers: The US government has issues of spending bloat. They spend way too much on stuff. We taxpayers don't like that. X_X

    --
    /b
    |f(x)dx = F(b) - F(a)
    /a
  9. Lemme get this straight ... by jc42 · · Score: 3, Insightful

    They knew that OpenSSL had already been validated by several commercial vendors. So validating OpenSSL by itself should be a slam-dunk after they'd already done it N times. But suggesting that they just use OpenSSL for free rather than paying a commercial supplier for it is an "out of the box move" that "took guts"? As Dick Cheney might ask, WTF?

    Furthermore, it would be a big surprise if other parts of the military didn't have copies of OpenSSL lying about on a few thousand machines already, so they wouldn't even have to go through the motion of downloading and verifying the public version. I'd bet that it's already mirrored on any number of .mil sites.

    How can this idiocy be explained, other than by the theory that they shouldn't get something for free if they can spend money for the same thing and support a campaign contributor?

    It does sorta go along with the old stories of the Navy using Windows NT to control their hardware ...

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    1. Re:Lemme get this straight ... by steveha · · Score: 4, Insightful

      suggesting that they just use OpenSSL for free rather than paying a commercial supplier for it is an "out of the box move" that "took guts"?

      Yes.

      We are talking about a huge bureaucracy here, one that has procedures established. These guys bucked the procedures and did something different, rather than doing the safe and expected thing. I can well believe that this took guts.

      steveha

      --
      lf(1): it's like ls(1) but sorts filenames by extension, tersely
  10. It's not a ripoff. by Eevee · · Score: 2, Insightful

Remember, he spent 18 months getting just the OpenSSL libraries accredited. If a company had two people assigned to the task of accrediting both product and the incorporated OpenSSL for a year, and if we assume 50K/year per person, that's a hundred thousand before the company makes any profit. (And we're skipping the overhead of the manager, their office space, etc.)

    The fault here is in the government not having a pre-approved solution for the vendors to use.

  11. more irony by akb · · Score: 3, Insightful

    After spending much effort scaring developers in the US out of working on open source crypto with its munitions export laws the DoD is now "importing" and spending money certifying munitions grade encryption from abroad. Same for the NSA with OpenBSD.

  12. Re:Summary misleading by antiMStroll · · Score: 2, Insightful
    "Because OpenSSL has a BSD-style license, many vendors simply grabbed the source code and incorporated it into their proprietary products. Those vendors wanted literally hundreds of thousands of dollars in licensing fees.

Steve Marquess, the technical manager of DMLSS, had no issue with vendors making money, it was the means they chose that annoyed him. If everyone in government felt as he did, taxpayers like you and me would have a lot more money in our pockets."

  13. Code fixes? Trustworthy compiler used? by chiph · · Score: 4, Insightful

    What happens when OpenSSL makes a code fix? Does it all have to be re-validated? Do they supply a signed MD5 hash that says: "These sources are authorized for compiling a FIPS-140 compliant binary"?

    There was a comment here on slashdot in the past few months (can't find it now) about if you want to create trustworthy code, you first need to trust every layer below it, and every tool used to create it. Did this team use a validated build of gcc to create their OpenSSL binaries?

    Chip H.
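One practical answer to the "signed hash of the authorized sources" question is a manifest of per-file digests that is checked before every build, so the compiled module can only come from the exact source tree that was validated. This is an added example in Python, not code from the article, OpenSSL or NIST; the manifest layout, the sample file names and the choice of SHA-256 as default (MD5 kept only for comparison with older manifests) are assumptions.

```python
"""Source-tree manifest check: hash every file under a source root and
compare it with a manifest of approved digests, so a build proceeds only
from the sources that were validated.  Example code; manifest format and
file names are assumptions, not OpenSSL's or NIST's."""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path, algo: str = "sha256") -> str:
    """Hex digest of one file, read in chunks.  MD5 (as the comment above
    mentions) is accepted for older manifests, but SHA-256 is the default
    because MD5 collisions are practical to construct."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, algo: str = "sha256") -> dict:
    """Map each file's path relative to root (POSIX separators) to its digest."""
    return {str(p.relative_to(root)).replace("\\", "/"): file_digest(p, algo)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_tree(root: Path, manifest: dict, algo: str = "sha256") -> list:
    """Return the relative paths that differ from the manifest: modified or
    missing files, and files the manifest never approved.  An empty list
    means the tree matches the approved sources exactly."""
    actual = build_manifest(root, algo)
    problems = [p for p, d in manifest.items() if actual.get(p) != d]
    problems += [p for p in actual if p not in manifest]
    return sorted(set(problems))


def make_sample_tree() -> Path:
    """Constructed stand-in for a source checkout (not real OpenSSL files)."""
    root = Path(tempfile.mkdtemp())
    (root / "crypto").mkdir()
    (root / "crypto" / "aes.c").write_text("/* constructed sample */\n")
    (root / "Makefile").write_text("all:\n\t$(CC) crypto/aes.c\n")
    return root


if __name__ == "__main__":
    src = make_sample_tree()
    approved = build_manifest(src)            # digests of the approved sources
    print("clean tree:", verify_tree(src, approved))   # []
    (src / "crypto" / "aes.c").write_text("/* silently patched */\n")
    print("after edit:", verify_tree(src, approved))   # ['crypto/aes.c']
```

In a real deployment the manifest itself would be distributed with a detached signature from the validating party and the signature checked before the digests are trusted.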

  14. Re:Code fixes? Trustworthy compiler used? by FireBook · · Score: 2, Insightful

    'What happens when OpenSSL makes a code fix? Does it all have to be re-validated? Do they supply a signed MD5 hash that says: "These sources are authorized for compiling a FIPS-140 compliant binary"?' and this is different from a proprietary product how?

    --
    My other OS is also FreeBSD
  15. Re:Summary misleading by 0racle · · Score: 3, Insightful

    Yes they incorporated it into the product, meaning they aren't simply reselling OpenSSL libraries, but it is a part of a larger whole. Once again, quit whining about someone making money. Taxes won't go down simply because the government isn't spending as much money.

    --
    "I use a Mac because I'm just better than you are."
  16. Source code validated by JDisk · · Score: 4, Insightful
    First, kudos to the guy who took the hard way just to save the taxpayer some money. We need more people like him.

But technically the interesting point of the certification is that they managed to get the source code certified. There is at least one other open source product, Crypto++, that is also FIPS 140-2 validated (Certificate #343). But they only managed to get a compiled package validated, which does help me to trust the code but not really to "sell" the library to PHBs. The article doesn't really go into how they did get NIST to validate the source code. Anybody know more details?

  17. Re:Summary misleading by BarryNorton · · Score: 3, Insightful
    [T]hey aren't simply reselling OpenSSL libraries, but it is a part of a larger whole

    In which case how could a validated OpenSSL be an alternative?

  18. Too bad the Army can't use it: by mgargett · · Score: 3, Insightful
    It's too bad that the Army still won't be able to use it. If you look at Army Regulation 25-2 Section II, subsection 4-6, subsection k states:

    k. Use of "shareware" or "freeware" is prohibited unless specifically approved through IA personnel and by the DAA for a specific operational mission requirement and length of time when no approved IA product exists. Notify NETCOM RCIOs and the supporting RCERT/TNOSC of local software use approval.

Thus, unless the local designating approving authority (DAA) is willing to accept the risk of the software, and it is a mission requirement when no approved software exists (which SSL does), the DA won't be using it anytime soon. The biggest problem will be that the DAAs will not want to accept local risk when another product that will do the job, and is approved, will work.

This regulation, while well intentioned, is really difficult to live with. Try finding a good non-freeware spyware remover. It's not easy.

  19. Re:Summary misleading by antiMStroll · · Score: 2, Insightful
    "Yes they incorporated it into the product, meaning they aren't simply reselling OpenSSL libraries, but it is a part of a larger whole."

Re-read the article. When the "National Security Agency promulgated a policy that required any military program using information assurance" to have NIST FIPS 140-2 validation, that "...led Steve Marquess, the technical manager of DMLSS, to the job of finding replacements for the OpenSSL libraries so prominently used in DMLSS." The article strongly implies their 'product' was exactly a repackaging of the OpenSSL libraries because it's what Marquess was tasked to find.

    "Once again, quit whining about someone making money."

    Nowhere in my post did I express my opinion about making money, I simply relayed the opinion of Marquess. I have nothing against people making an honest living.

  20. Re:microsoft not secure by HermanAB · · Score: 3, Insightful
'would leave a tiny percent of people that actually understand the code' It doesn't matter how many people use the code. The only thing that matters is the number of people that can change the code.

    Linux is used in millions of embedded products. Embedded products probably outnumber desktop use by at least 100 to 1. The reason for its popularity in embedded products is the networking stack, the security layers, the routing, the filtering and to a lesser extent, the multi tasking and all these embedded developers are looking critically at Linux security, since nobody wants to buy an embedded product that hangs up every couple of hours.

Linux security is multi-layered. It doesn't matter much if some gee-whiz seldom-used desktop app has a security hole - the attacker has to get through the TCP/IP stack, iptables, tcpwrappers and portsentry/snort first. That is where the security of Linux lies.

The difference with MS Windows is that it doesn't have the equivalent of iptables, tcpwrappers or portsentry, and it also has a tightly built-in browser with more holes than a Swiss cheese.

    The result is that it doesn't matter how good the underlying Windows kernel is - there is virtually no security around the Windows core system and that is why it is easy to breach.

    --
    Oh well, what the hell...
  21. Re:Code fixes? Trustworthy compiler used? by molo · · Score: 2, Insightful

OpenSSL is not gcc-dependent. Pretty much any C compiler will work. I'm sure there are compilers out there that are already proven for DoD use.

    -molo

    --
    Using your sig line to advertise for friends is lame.
  22. Re:microsoft not secure by Pharmboy · · Score: 2, Insightful

but if only something like 10% of all the computer users on this even use "Linux", that would leave a tiny percent of people that actually understand the code enough to validate it.

    Compared to how many that have seen Microsoft's?

I don't read the source code either, but many do. I feel better with people from dozens of countries looking over code than just a couple hundred in Redmond. I can also read the opinions of many people who do use Linux, and I can compile and run any version of the kernel I want, with any features I want, and I am not a programmer either. It's not that hard. (I do a little more than "hello world" programs, but I'm still a novice programmer.)

I don't hate Windows (I'm typing this on an XP laptop now) but I realize the shortcomings of it. I also have reasons to think that Microsoft believes in a degree of "security through obscurity", which I feel is dangerous.

    --
    Tequila: It's not just for breakfast anymore!