Slashdot Mirror


US Dept. of Defense Creates Its Own Sourceforge

mjasay writes "The US Department of Defense, which has been flirting with open source for years as a way to improve software quality and cut costs, has finally burst the dam on Defense-related open-source adoption with Forge.mil, an open-source code repository based on Sourceforge. Though it currently only holds three projects and is limited to DoD personnel for security reasons, all code is publicly viewable and will almost certainly lead to other agencies participating on the site or creating their own. Open source has clearly come a long way. Years ago studies declared open source a security risk. Now, one of the most security-conscious organizations on the planet is looking to open source to provide better security than proprietary alternatives."

42 of 131 comments

  1. ~obscurity = security? by rlseaman · · Score: 5, Insightful

    Denigrating the concept of security through obscurity is not the same as claiming the inverse holds. This should be an interesting experiment in whether subjecting code to an early phase of public hazing reduces security holes and risks of all sorts.

    1. Re:~obscurity = security? by Anonymous Coward · · Score: 5, Funny

      I have a server running somewhere on the internet.
      It has an IPv4 address with an open port 666
      The password is donkeydick69

      If you can't find and login then obscurity does equal security.

    2. Re:~obscurity = security? by Anonymous Coward · · Score: 2, Funny

      I left you a present :)

    3. Re:~obscurity = security? by Anonymous Coward · · Score: 3, Insightful

      You have an unusual definition of security. Let me tell you a few ways that having an obscured login name does not make you secure:

      Insecure server or service: By virtue of running a machine connected to the internet with an open port attached to a program, you are opening a potential security risk.

      If you can't find and login then obscurity does equal security

      You presume that login credentials and IP addresses are "unfindable". Warrants, interrogation, torture, greased palms, all of these things can easily circumvent the fact that one does not know information about your machine _right now_.

      Obscurity always sucks. There are plenty of easy ways to provide security without having to rely on the fact that a second party does not know easily found information.

    4. Re:~obscurity = security? by Cillian · · Score: 2, Interesting

      The whole security != obscurity thing is bollocks. Pretty much any "security" around today is basically obscurity. People say it's a bad idea to have a security system which relies on the process being unknown. It's comparable to having a system where the process is known but the password is unknown - the only difference being it's easier to change a password. The same applies to more advanced stuff like keys or certificates - The process is known, but one of the parameters is unknown, i.e. the key. If you could create a process with a similar complexity to the key, and keep it unknown, then presumably it'd be about as secure. The only sorts of security that aren't obscurity are the more brick-wall methods - e.g. unplug the network cable, don't allow access to anybody, even if they know the password. (I'm ignoring the more weird/bleeding edge stuff like quantum, because I don't have a clue about it.)

      --
      -- All your booze are belong to us.
    5. Re:~obscurity = security? by Srin+Tuar · · Score: 5, Insightful

      OK, you missed the entire point of the maxim "Security != Obscurity".

      It is a truism. The point is this: any secrets will eventually be leaked, whether you know it or not. Things that are easy to change, such as keys and passwords, are relatively low risk. Things that are very difficult to change, such as algorithms, are very high risk.

      If you count on the fact that your crypto algorithm or operating system is secure because it's obscure, then when it's leaked you will be facing a catastrophic disaster. Instead of losing the data on one communication or one server, you face an organization-wide vulnerability, and compromise of past communications.

      The extra security gained from keeping the algorithms secret pales in comparison to the disaster of having them be weak.
      Getting as many eyes on this type of code as possible is the best way to mitigate risk.

      After that, you still keep as much secret as possible.

    6. Re:~obscurity = security? by FlyingBishop · · Score: 5, Insightful

      You're missing the point. Good processes are hard to come up with. Pick a good process that has some well-defined unknown, something that you need to keep safe, and you're assured that no one will break your security. Pick a bad process, and someone may tell you.

      If you keep your process a secret, on the other hand, you have a host of unknowns - unknowns you do not know - that may provide someone access to your system. The point is, relying on a variety of ill-defined unknowns is inferior to relying on a single, well-defined unknown.

    7. Re:~obscurity = security? by mazarin5 · · Score: 4, Insightful

      The point of it is that things like "Oh don't worry, nobody would think to look at /admin.pl so there's no point in putting a password on it" is not a good idea. Of course something has to be unknown or inaccessible for good security - that's not the same thing as claiming your system is secure when you're just hoping somebody doesn't notice a gaping flaw.

      There's nothing wrong with obscurity in a secure system, but obscurity alone is not genuine security.

      --
      Fnord.
    8. Re:~obscurity = security? by silanea · · Score: 2, Insightful

      Sure, but that means nothing can be secure unless nobody knows about it and nobody can find out about it OR it is inaccessible for everyone. [...]

      Yes and no. Security is not absolute, it's not binary. It is the factor by which the amount of time and resources needed to break a certain security measure outnumbers the value of what's protected (or the effort needed to go through a different vector).

      Obscurity does not add anything on your side of the scale because you can't depend on it, you can't measure it, you can't audit it, and in most cases you will only know it has been broken when it is too late. It is a good idea to keep information about your valuable goods and the security measures that protect them hidden, but this does not add any security in itself.

      Not giving away your IP on /. may protect you from "our" wrath, but some script kiddie randomly scanning for open ports might still wreak havoc on your machine if you didn't lock it down properly.

      Don't mix up security and secrecy! They have little to do with each other.

      --
      Rudolf Hess edited Mein Kampf. He was the very first grammar nazi.
    9. Re:~obscurity = security? by Thiez · · Score: 2, Funny

      But it IS irrelevant if you are prepared to go to his home and beat any information you need out of him.

    10. Re:~obscurity = security? by Rhabarber · · Score: 2, Informative

      In Germany we have a government-paid open source site since 2000. They provide good service for free, to anybody and without commercial annoyances. I especially like the choice between CVS/SVN/Mercurial/Git.

  2. forgemil.com? by 1u3hr · · Score: 5, Interesting

    Okay, why the hell does the DoD call the site "forge.mil" but actually host it at "forgemil.com"? If they can't get a real .mil site, who can? I thought it was some phishing scam. "forge.mil" doesn't even resolve, let alone redirect. And ".com"? Government reserved .gov, .mil and some other domains for its exclusive use. Why on earth are they using .com?

    1. Re:forgemil.com? by 1u3hr · · Score: 5, Interesting

      PS: checked out forgemil.com: It's registered at Godaddy. Great. Are we sure this isn't some Nigerian scam? (I think the Chinese or Russians would be more subtle.)

    2. Re:forgemil.com? by El+Torico · · Score: 2

      Probably because the servers are located in a commercial and not a government facility. They probably don't want to go through the hassle and cost of getting a NIPRNET circuit, which is somewhat ironic because this is a DISA effort (the same people who run NIPRNET).

      --
      In the land of the blind, the one-eyed man is usually crucified.
    3. Re:forgemil.com? by imamac · · Score: 5, Informative

      Nice. It even points the user to ANOTHER non-.mil site to download a PKI certificate. That settles it for me. This is NOT the military.

    4. Re:forgemil.com? by legirons · · Score: 5, Informative

      You know it's the right site, because its certificate is signed by the DoD CA.

      Except that CA isn't installed in any browser.

      And the site to download that cert is signed by the cert itself. Security by circular reasoning.

    5. Re:forgemil.com? by qw0ntum · · Score: 2, Informative

      Try https://www.forge.mil/ . Once you get past the invalid certificate (allegedly because the DoD CA isn't included with most browsers) you'll get an SSL error.

      --
      'Every story, if continued long enough, ends in death.' --Ernest Hemingway
    6. Re:forgemil.com? by Anonymous Coward · · Score: 4, Informative

      forgemil.com is for public access to information about what the project/service is. It explains, quite clearly, that to access forge.mil, you will need either a DoD-issued PKI cert (CAC for you DoD folks), or a cert from a DoD-trusted source. All .mil infrastructure stuff is PKI protected by policy. It also explains in the FAQ why you get the SSL warnings about untrusted certs. It also tells you how you can download the DoD root certs (they only provide installs for Windows; you'll either have to dig around to get the certs for other platforms or just create an exception in your browser).

    7. Re:forgemil.com? by Grandim · · Score: 2, Insightful

      My guess is that forgemil.com is the worldwide site that advertises the project while forge.mil is reserved to the individuals with the required certificate.

    8. Re:forgemil.com? by Vertana · · Score: 4, Informative

      The reason for that is, you have to be in the DoD and you receive the cert by CAC (DoD ID cards which double as a smart card with your PKI certs and authentication information). This forces you to obtain the certs physically and in person at a DoD site (i.e. ID Center on a military base, etc.).

      --
      "The best way to accelerate a Macintosh is at 9.8m/sec^2" -Marcus Dolengo
    9. Re:forgemil.com? by Frosty+Piss · · Score: 2, Insightful

      Nice. It even points the user to ANOTHER non-.mil site to download a PKI certificate. That settles it for me. This is NOT the military.

      It's almost certainly a phishing site to gather CAC data from unsuspecting CAC holders.

      --
      If you want news from today, you have to come back tomorrow.
    10. Re:forgemil.com? by RyoShin · · Score: 4, Insightful

      But wait, there's more!

      DefenseLink is a DoD site that lists all DoD sites. Forge.mil(.com) is not on that list. Of course, it could be bureaucracy acting slow.

      Second, WHOIS contact connects to an individual at collab.net, another sourceforge-like site. Were this a government site, I would think they would have it registered to a position in a department, or at least a c/o address for a military/government institution, not an individual.

      Just to be sure, popping the given address into Google Maps returns what looks like a residential area.

      So this is either a horribly managed project (not surprising for the government), or some weird scam of sorts.

    11. Re:forgemil.com? by mysidia · · Score: 3, Informative

      Nice. It even points the user to ANOTHER non-.mil site to download a PKI certificate. That settles it for me. This is NOT the military.

      The homepage of the site they are pointing to https://www.dodpke.com/ Says the site has moved to: another url

      Which refers you to: this document

      Which states the following:

      Alternate method of retrieving DoD Root Certificate

      If you have trouble accessing the page listed above you can also visit the following page to download the DoD Root Certificates: https://www.dodpke.com/InstallRoot.

      The dodpke.com site is also linked by http://www.nsa.naples.navy.mil/bno/PKI/index.htm.

      I cannot conclude that this is a scam, it appears to be probably legitimate, or at least the cert information is legitimate.

      What they don't mention though is it's probably more secure to use a workstation that already has the certificate installed, download the file to a medium, then use the medium to install the certs on the 'fresh' workstation (No risk of man-in-the-middle while connecting with SSL to a site without a trusted cert).

      dodpke.com has a registration date in 2002
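      The two points above (legirons: a site whose certificate is signed by a CA that no browser ships, and whose CA download page is vouched for by that same CA; mysidia: fetch the root from a workstation that already trusts it and carry it over on media) come down to one check. The script below is an added example, not code from forge.mil, DISA or anyone in this thread. It builds a throwaway PKI locally with openssl ("Example Root CA" and "www.forge.example" are stand-ins; no real DoD certificate, hostname or fingerprint is used), shows that the leaf fails verification against the stock trust store, passes only against the genuine root, and that a root obtained out of band is accepted only when its SHA-256 fingerprint matches the pinned value. The rogue root deliberately carries the same subject name, because the subject is exactly what a man-in-the-middle would copy.

```shell
#!/bin/sh
# Added example: out-of-band root pinning versus "trust the cert the site gave you".
# All certificates here are generated on the spot; nothing is downloaded.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway PKI: a self-signed root, a leaf signed by it, and an unrelated
# "rogue" root with the same subject name (what an interceptor would substitute).
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.forge.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" >/dev/null 2>&1
}

# Chain verification against the system trust store only: what a stock browser does
# with a .mil site, and why it warns.
verify_leaf_system() {
  openssl verify "$WORK/leaf.pem" >/dev/null 2>&1
}

# Chain verification with an explicitly supplied root ($1). Succeeds only if that
# root actually signed the leaf; a same-named impostor root is rejected.
verify_leaf_with_root() {
  openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate, as "AB:CD:...". This is the value you carry
# from a workstation that already trusts the root (or print and compare by hand).
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Accept a downloaded root ($1) only when its fingerprint equals the pinned value ($2).
# Without this step, "the root cert came from the site signed by the root cert" is
# the circular trust the thread complains about.
root_matches_pinned() {
  [ "$(fingerprint "$1")" = "$2" ]
}

make_pki
PINNED="$(fingerprint "$WORK/root.pem")"   # in real life: obtained out of band
echo "pinned root fingerprint: $PINNED"
echo "rogue  root fingerprint: $(fingerprint "$WORK/rogue.pem")"
```

      Run it with any OpenSSL 1.1 or 3.x; it leaves nothing behind. The practical version of the same routine is: export the DoD root from a machine that already has it, note its SHA-256 fingerprint, and on the fresh workstation compare the downloaded file's fingerprint to that note before importing it, rather than clicking through the browser warning.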

  3. Legacy Applications by El+Torico · · Score: 2, Interesting

    I would like to see open source applications that would replace all of the legacy, proprietary applications. DoD is loaded with very badly written applications that usually can only be changed by giving the same companies that produced them more money. Notice I said "changed" and not "improved".

    --
    In the land of the blind, the one-eyed man is usually crucified.
  4. Huh? by RDW · · Score: 3, Insightful

    If it's 'limited to DoD personnel for security reasons' in what sense is it 'Open'?

    1. Re:Huh? by denzacar · · Score: 2, Informative

      Also... How can something military be open source at all?

      Military, unless we are talking para-military guerrilla troops somewhere in the jungle/desert, represents a particular government.
      Say... government of Canada. Or Peru.
      Now... that government is responsible and accountable to ITS people. Not to the people of say... Singapore. Or Italy.
      People and nations that are on a good day economic competition and on a bad day vile evildoers.

      So, giving access to state secrets to potential enemies (and open source does not exactly mean "Anyone but our current enemies") isn't something I see any government doing. At least not on purpose.
      And ANYTHING military can be declared a state secret - right down to the brand of toilet paper used cause the enemy might just decide to inconvenience "our boys" a little further by denying them the ass wipes they are used to by sabotaging the toilet paper factory.

      So, it is either not a completely thought through action (someone trying to be cool and hip using terms like OSS, or just plain not understanding what it stands for)...
      Or, it is some strange kind of OSS which can with a flip of a switch become not just proprietary but also a state secret that can get you a one way ticket to Gitmo or some similar exotic resort.

      Come on... how can ANYTHING that works by these rules be considered "open".

      Forge.mil User Agreement
      STANDARD MANDATORY NOTICE AND CONSENT BANNER
      YOU ARE ACCESSING A U.S. GOVERNMENT (USG) INFORMATION SYSTEM (IS) THAT IS PROVIDED FOR USG-AUTHORIZED USE ONLY. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
      Use of this system constitutes consent to monitoring for all lawful purposes.

      Open as in slammed-shut-in-a-box-and-hauled-away-to-be-hidden-somewhere-inside-Area-51-kinda-open I guess?

      --
      Mit der Dummheit kämpfen Götter selbst vergebens
    2. Re:Huh? by Vertana · · Score: 2, Insightful

      The software is open... not every strategic decision or case use in which the software will be used.

      --
      "The best way to accelerate a Macintosh is at 9.8m/sec^2" -Marcus Dolengo
    3. Re:Huh? by Vertana · · Score: 3, Informative

      Yes, which claims a standard United States Government agreement which claims they own the computer, the data, your soul and anything else that may come in contact with it... but it also states "Forge.mil is currently in beta with limited operational availability. General availability for unclassified use is scheduled for Spring 2009." So, one could safely assume (at this point) that with the PKI Certification that's needed and the agreement they expect only DoD computers to be accessing it at the moment. However, at some point everything stated will be changed (or they'll change their mission from being 'open').

      --
      "The best way to accelerate a Macintosh is at 9.8m/sec^2" -Marcus Dolengo
  5. Big brother is watching... by 3seas · · Score: 2, Informative

    STANDARD MANDATORY NOTICE AND CONSENT BANNER
    YOU ARE ACCESSING A U.S. GOVERNMENT (USG) INFORMATION SYSTEM (IS) THAT IS PROVIDED FOR USG-AUTHORIZED USE ONLY. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
    Use of this system constitutes consent to monitoring for all lawful purposes.

  6. We needed this years ago by superid · · Score: 5, Funny

    When I was first hired as a budding DoD programmer a long time ago, one of the first things I asked is "where is our library of stuff that has been developed locally?"

    I might as well have asked "where is my +3 mace?" because we didn't have that either.

    I'm glad this is finally happening.

  7. Open the flood gates by auric_dude · · Score: 4, Interesting

    Open source code, Open Government http://www.whitehouse.gov/ and Open Source Intelligence http://en.wikipedia.org/wiki/Open_source_intelligence all good ideas that may well speed things along and save the tax payers some cash.

    1. Re:Open the flood gates by Hazelesque · · Score: 2, Informative
      From the linked wikipedia article...

      In the Intelligence Community (IC), the term "open" refers to overt, publicly available sources (as opposed to covert or classified sources); it is not related to open-source software.

  8. Studies? by Wolfbone · · Score: 3, Funny

    Years ago studies declared open source a security risk.

    Since when did risible falsehood and fallacy filled rants written by swivel-eyed ideologues count as 'studies'?

    http://www.sourcewatch.org/index.php?title=Ken_Brown

  9. Hopefully all the GOTS software will be there too. by robkill · · Score: 3, Informative

    In most cases, if software was developed under a government contract, then the government has full rights to the source code. It would be a great starting place for updating a number of existing applications. Version control and vetting of results could be problematic in some cases, but not impossible to overcome.

    --
    DMCA - Chilling free speech since 1998.
  10. For those of you trying to connect...read the FAQ by Bearhouse · · Score: 3, Informative

    "Though it currently only holds three projects and is limited to DoD personnel for security reasons, all code is publicly viewable"

    No, it's not. Code posted to .mil is only available to those with sufficient authorisation. The .com site is publicly available for those seeking more information.

    So, code will be NOT be 'publicly' available - only to those on secure. Kinda as you'd expect, but rather a long way away from real FOSS.

  11. One project already works and is in use. by will_die · · Score: 3, Funny

    It looks like the military has solved the problem of time travel and the webmaster has let it slip. According to the FAQ:
    The Forge.mil effort started development in October 2009 and the first capability, SoftwareForge, is now available for limited, unclassified use.

  12. HUH by Anonymous Coward · · Score: 2, Funny

    " Though it currently only holds three projects and is limited to DoD personnel for security reasons, all code is publicly viewable and...."

    ok how do you limit the site and make it public at same time, good journalism guys.
    and

    "Slashdot only allows a user with your karma to post 2 times per day (more or less, depending on moderation). You've already shared your thoughts with us that many times. Take a breather, and come back and see us in 24 hours or so. If you think this is unfair, please email posting@slashdot.org with your username "CHRONOSS2008". Let us know how many comments you think you've posted in the last 24 hours."

    f#ck karma
    Ya, like yesterday must've been 22 hrs ago.
    This place sucks now. Censorship on the uptake, I guess; the MPAA suing you guys is having an effect. Soon it will be 1 post a week, then a month, then hey, why bother letting anyone post.

  13. Re:export controls? Re:Huh? by denzacar · · Score: 2, Insightful

    Sure, it's not open to 6 billion people, but it might be open to several million, and that's a heck of a lot better than closed in someone's desk drawer.

    How exactly is that different than something like this:

    3. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in this EULA. The Software is protected by copyright and other intellectual property laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the Software. The Software is licensed, not sold.

    4. LIMITATIONS ON REVERSE ENGINEERING, DECOMPILATION, AND DISASSEMBLY. You may not reverse engineer, decompile, or disassemble the Software, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation.

    5. NO RENTAL/COMMERCIAL HOSTING. You may not rent, lease, lend or provide commercial hosting services with the Software.

    It is ours not yours. You may do only what we let you. You can't give it away.

    Million drawers or just one - same thing if there is only one key to all the drawers.

    Open within a community that is guaranteed to be all "U.S. Persons" for export control purposes, perhaps.

    Apple's and MS' products are open within their own community too - is that also Open Source?

    --
    Mit der Dummheit kämpfen Götter selbst vergebens
  14. I hope this is a fishing site by yorkshiredale · · Score: 5, Insightful

    Clicked through the site a little to the 'PKI Online Training' section, and I'm informed that I must :

    1. enable flash

    2. enable cookies

    3. enable javascript

    4. disable pop-up blocking

    I desperately hope this is a scam, since the alternative possibility is just frightening.

    --
    The opinions expressed here are those of this individual, and may not reflect the policy or practice of the collective
    1. Re:I hope this is a fishing site by Anonymous Coward · · Score: 2, Informative

      The military uses cookies, flash, javascript, and pop-ups for just about everything. You have to enable all of the above to get a .mil site to load properly. It gets on everyone's nerves when we have to enable all of the above to do mandatory training.

  15. Re:It's not "SourceForge" anymore... by troll8901 · · Score: 2, Funny

    They won't have a "news for (military) nerds" site called Dot.mil, would they?

  16. slashdotted by sanguisdex · · Score: 2, Funny

    at 8:30 eastern time, on Feb 2. The site is still /.'ed. We have brought down a gov web site. (are we terrorists?)