Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Dept. of Defense Creates Its Own Sourceforge

Posted by Soulskill on from the sharing-their-toys dept.

mjasay writes "The US Department of Defense, which has been flirting with open source for years as a way to improve software quality and cut costs, has finally burst the dam on Defense-related open-source adoption with Forge.mil, an open-source code repository based on Sourceforge. Though it currently only holds three projects and is limited to DoD personnel for security reasons, all code is publicly viewable and will almost certainly lead to other agencies participating on the site or creating their own. Open source has clearly come a long way. Years ago studies declared open source a security risk. Now, one of the most security-conscious organizations on the planet is looking to open source to provide better security than proprietary alternatives."

15 of 131 comments (clear)

  1. ~obscurity = security? by rlseaman · · Score: 5, Insightful

    Denigrating the concept of security through obscurity is not the same as claiming the inverse holds. This should be an interesting experiment in whether subjecting code to an early phase of public hazing reduces security holes and risks of all sorts.

    1. Re:~obscurity = security? by Anonymous Coward · · Score: 3, Insightful

      You have an unusual definition of security. Let me tell you a few ways that having an obscured login name does not make you secure:

      Insecure server or service: By virtue of running a machine connected to the internet with an open port attached to a program, you are opening a potential security risk.

      If you can't find and login then obscurity does equal security

      You presume that login credentials and IP addresses are "unfindable". Warrants, interrogation, torture, greased palms, all of these things can easily circumvent the fact that one does not know information about your machine _right now_.

      Obscurity always sucks. There are plenty of easy ways to provide security without having to rely on the fact that a second party does not know easily found information.

    2. Re:~obscurity = security? by Srin+Tuar · · Score: 5, Insightful

      OK, you missed the entire point of the maxim "Security != Obscurity".

      It is a truism. The point is this: any secrets will eventually be leaked, whether you know it or not. Things that are easy to change, such as keys and passwords, are relatively low risk. Things that are very difficult to change, such as algorithms, are very high risk.

      If you count on the fact that your crypto algorithm or operating system is secure because its obscure, then when its leaked you will be facing a catastrophic disaster. Instead of losing the data on one communication or one server, you face a organization wide vulerability, and compromise of past communications.

      The extra security gained from keeping the algorithms secret pales in comparison to the disaster of having them be weak.
      Getting as many eyes on this type of code as possible is the best way to mitigate risk.

      After that, you still keep as much secret as possible.

    3. Re:~obscurity = security? by FlyingBishop · · Score: 5, Insightful

      You're missing the point. Good processes are hard to come up with. Pick a good process that has some well-defined unknown, something that you need to keep safe, and you're assured that no one will break your security. Pick a bad process, and someone may tell you.

      If you keep your process a secret, on the other hand, you have a host of unknowns - unknowns you do not know - that may provide someone access to your system. The point is, relying on a variety of ill-defined unknowns is inferior to relying on a single, well-defined unknown.

    4. Re:~obscurity = security? by mazarin5 · · Score: 4, Insightful

      The point of it is that things like "Oh don't worry, nobody would think to look at /admin.pl so there's no point in putting a password on it" is not a good idea. Of course something has to be unknown or inaccessible for good security - that's not the same thing as claiming your system is secure when you're just hoping somebody doesn't notice a gaping flaw.

      There's nothing wrong with obscurity in a secure system, but obscurity alone is not genuine security.

      --
      Fnord.
    5. Re:~obscurity = security? by silanea · · Score: 2, Insightful

      Sure, but that means nothing can be secure unless nobody knows about it and nobody can find out about it OR it in inaccesable for everyone. [...]

      Yes and no. Security is not absolute, it's not binary. It is the factor by which the amount of time and resources needed to break a certain security measure outnumbers the value of what's protected (or the effort needed to go through a different vector).

      Obscurity does not add anything on your side of the scale because you can't depend on it, you can't measure it, you can't audit it, and in most cases you will only know it has been broken when it is too late. It is a good idea to keep information about your valuable goods and the security measures that protect them hidden, but this does not add any security in itself.

      Not giving away your IP on /. may protect you from "our" wrath, but some script kiddie randomly scanning for open ports might still wreak havoc on your machine if you didn't lock it down properly.

      Don't mix up security and secrecy! They have little to do with each other.

      --
      Rudolf Hess edited Mein Kampf. He was the very first grammar nazi.
  2. Huh? by RDW · · Score: 3, Insightful

    If it's 'limited to DoD personnel for security reasons' in what sense is it 'Open'?

    1. Re:Huh? by Vertana · · Score: 2, Insightful

      The software is open... not every strategic decision or case use in which the software will be used.

      --
      "The best way to accelerate a Macintosh is at 9.8m/sec^2" -Marcus Dolengo
  3. Re:forgemil.com? by Anonymous Coward · · Score: 1, Insightful

    Yeah. If it's not a .mil site, then it's not US military. This has a very rotten smell. It's possible that some military folks got together to this on the private side, but it is definitely not military sanctioned. We have plenty of servers, why would we use GoDaddy?

  4. Re:forgemil.com? by Grandim · · Score: 2, Insightful

    My guess is that forgemil.com is the worldwide site that advertise the project while forge.mil is reserved to the individuals with the required certificate.

  5. Not new or even news .... by MasterAE2k9 · · Score: 1, Insightful

    The military has being using open source for more than 2 decades. They even have a huge repository of approved/certified open source products that people with the right clearance can access to assist with day to day work. This is not new in any way or shape. This is nothing more than the incompetent in the Whitehouse taking credit for other people's work to make himself look good in the eyes of the bubbling idiots who ate his turds during the election.

  6. Re:export controls? Re:Huh? by denzacar · · Score: 2, Insightful

    Sure, it's not open to 6 billion people, but it might be open to several million, and that's a heck of a lot better than closed in someone's desk drawer.

    How exactly is that different than something like this:

    3. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in this EULA. The Software is protected by copyright and other intellectual property laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the Software. The Software is licensed, not sold.

    4. LIMITATIONS ON REVERSE ENGINEERING, DECOMPILATION, AND DISASSEMBLY. You may not reverse engineer, decompile, or disassemble the Software, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation.

    5. NO RENTAL/COMMERCIAL HOSTING. You may not rent, lease, lend or provide commercial hosting services with the Software.

    It is ours not yours. You may do only what we let you. You can't give it away.

    Million drawers or just one - same thing if there is only one key to all the drawers.

    Open within a community that is guaranteed to be all "U.S. Persons" for export control purposes, perhaps.

    Apple's and MS' products are open within their own community too - is that also Open Source?

    --
    Mit der Dummheit kämpfen Götter selbst vergebens
  7. I hope this is a fishing site by yorkshiredale · · Score: 5, Insightful

    Clicked through the site a little to the 'PKI Online Training' section, and I'm informed that I must :

    1. enable flash

    2. enable cookies

    3. enable javascript

    4. disable pop-up blocking

    I desperately hope this is a scam, since the alternative possibility is just frightening

    --
    The opinions expressed here are those of this individual, and may not reflect the policy or practice of the collective
  8. Re:forgemil.com? by Frosty+Piss · · Score: 2, Insightful

    Nice. It even points the user to ANOTHER non-.mil site to download a PKI certificate. That settles it for me. This is NOT the military.

    It's almost certainly a phishing site to gather CAC data from unsuspecting CAC holders.

    --
    If you want news from today, you have to come back tomorrow.
  9. Re:forgemil.com? by RyoShin · · Score: 4, Insightful

    But wait, there's more!

    DefenseLink is a DoD site that lists all DoD sites. Forge.mil(.com) is not on that list. Of course, it could be bureaucracy acting slow.

    Second, WHOIS contact connects to an individual at collab.net, another sourceforge-like site. Were this a government site, I would think they would have it registered to a position in a department, or at least a c/o address for a military/goverment institution, not an individual.

    Just to be sure, popping the given address into Google Maps returns what looks like a residential area.

    So this is either a horribly managed project (not surprising for the government), or some weird scam of sorts.