Slashdot Mirror

← Back to Stories (view on slashdot.org)

DoD team nears Security Validation of OpenSSL

Posted by CmdrTaco on from the something-to-think-about dept.

tadelste writes "An important DoD program took a page from Open Source and Do-It-Yourself-IT (DIYIT) and applied for their own Security Validation. In this article Steve Marquess says:as a taxpayer, I felt very annoyed. But it made me realize a couple of things. First, if OpenSSL had been validated, then it was possible for us to do it again. Secondly, if we could do it we could save a lot of money for the program."

7 of 109 comments (clear)

  1. some thoughts by zoloto · · Score: 3, Interesting

    With OpenSSL being validated by the government as secure, it makes me wonder when SELinux will have it's own distro (something a bit thinner than fedore). this kind of stuff is great, i love it.

  2. Re:microsoft not secure by Anonymous Coward · · Score: 3, Interesting

    And to further blow your smug theory away, any Unix like operating system will always be more secure than the current Windows systems by design

    I have to disagree on this point. Windows XP/2000 has a fairly sophisticated system of permissions even though programmers and users alike tend to misuse or fail to use them. I think the major windows security problem is poor choice of default access control settings, not a lack of capability to make and enforce settings. That's something that Microsoft can (and probably will) fix over time without rewriting the entire OS.

    Just to be sure I'm not missing anything, can you give an example of a by-design security feature that Unix has but Windows doesn't?

  3. cryptographic fingerprints by artg · · Score: 3, Interesting

    "Usually with FIPS 140 validation the vendor supplies binary code that is validated as if it were distributed to customers. FIPS 140 requires a runtime integrity check of the binary code. But open-source software is distributed in source code form. The trick here, then, was to produce a mechanism by which cryptographic fingerprints could be chained from the original source code all the way to the final runtime executable."

    This sounds a very useful technique for any software that's verified in source form but deployed in binary form : voting machines and Formula 1 ECUs come to mind. Anybody know if there are more details of how they solved it ?

  4. Re:Lemme get this straight ... by WindBourne · · Score: 2, Interesting

    It does not work this way. The other companies took SSL and enhanced. We do not know if those enhancements were to get around weaknesses or for the companies marketers. Now, by validating a base, it will make it possible to lower the costs for all.

    Now if the Linux community would take a base system and run it through all this and then add their own stuff. That would improve everybodies lot

    --
    I prefer the "u" in honour as it seems to be missing these days.
  5. Re:OpenSSL *is* Free Software by Pharmboy · · Score: 2, Interesting

    A little surprised OpenSSL isn't GPL compatible.

    It is GPL compatible. See this. Any software that used a modern BSD license (without the advertising clause) is GPL compatible.

    The bitch is from BSD authors, because you can include BSD code into GPL projects, but you can't include GPL code into BSD projects. This is because BSD allows you to NOT release code for distributed binaries, and this is not allowed in the GPL.

    BSD is actually MORE Free than GPL (as an author, you can take other BSD code, make programs, and NOT release your code if you want), but the GPL offers better protection for users, because if you distribute the binaries, you MUST provide access to the source.

    --
    Tequila: It's not just for breakfast anymore!
  6. Re:OpenSSL *is* Free Software by Pharmboy · · Score: 2, Interesting

    Has this changed? The FAQ suggests things are a little shaky.

    Hmm, you are correct, it is not as clear as I thought. Fortunately, SCO is expending a lot of energy to make licensing and the GPL much more clear for the future... :)

    I am between the two. BSD is easier to like, but GPL does seem to give more protection that MS wont take your code and get rich from it without putting back into the community. The problem with sharing software on "the honor system" is not everyone is honorable. Its hard enough to get Linksys to comply with the GPL on their routers.

    --
    Tequila: It's not just for breakfast anymore!
  7. Re:Summary misleading by ozbird · · Score: 3, Interesting

    How many more of these rip-off stories before the BSD license is modified (or replaced with the GPL) to prevent commercial exploitation?

    While it may be good karma to freely share your code, there's no obligation for anyone using the code to be a good citizen and give back to the community. How do BSD developers feel about their taxpayer dollars being spent on software that they wrote, but almost certainly won't see one cent of it?