Slashdot Mirror


US Dept. of Defense Creates Its Own Sourceforge

mjasay writes "The US Department of Defense, which has been flirting with open source for years as a way to improve software quality and cut costs, has finally burst the dam on Defense-related open-source adoption with Forge.mil, an open-source code repository based on Sourceforge. Though it currently only holds three projects and is limited to DoD personnel for security reasons, all code is publicly viewable and will almost certainly lead to other agencies participating on the site or creating their own. Open source has clearly come a long way. Years ago studies declared open source a security risk. Now, one of the most security-conscious organizations on the planet is looking to open source to provide better security than proprietary alternatives."


  1. ~obscurity = security? by rlseaman · · Score: 5, Insightful

    Denigrating the concept of security through obscurity is not the same as claiming the inverse holds. This should be an interesting experiment in whether subjecting code to an early phase of public hazing reduces security holes and risks of all sorts.

    1. Re:~obscurity = security? by Anonymous Coward · · Score: 5, Funny

      I have a server running somewhere on the internet.
      It has an IPv4 address with an open port 666
      The password is donkeydick69

      If you can't find it and log in, then obscurity does equal security.

    2. Re:~obscurity = security? by Srin+Tuar · · Score: 5, Insightful

      OK, you missed the entire point of the maxim "Security != Obscurity".

      It is a truism. The point is this: any secrets will eventually be leaked, whether you know it or not. Things that are easy to change, such as keys and passwords, are relatively low risk. Things that are very difficult to change, such as algorithms, are very high risk.

      If you count on the fact that your crypto algorithm or operating system is secure because it's obscure, then when it's leaked you will be facing a catastrophic disaster. Instead of losing the data on one communication or one server, you face an organization-wide vulnerability, and compromise of past communications.

      The extra security gained from keeping the algorithms secret pales in comparison to the disaster of having them be weak.
      Getting as many eyes on this type of code as possible is the best way to mitigate risk.

      After that, you still keep as much secret as possible.

    3. Re:~obscurity = security? by FlyingBishop · · Score: 5, Insightful

      You're missing the point. Good processes are hard to come up with. Pick a good process that has some well-defined unknown, something that you need to keep safe, and you're assured that no one will break your security. Pick a bad process, and someone may tell you.

      If you keep your process a secret, on the other hand, you have a host of unknowns - unknowns you do not know - that may provide someone access to your system. The point is, relying on a variety of ill-defined unknowns is inferior to relying on a single, well-defined unknown.

    4. Re:~obscurity = security? by mazarin5 · · Score: 4, Insightful

      The point of it is that things like "Oh don't worry, nobody would think to look at /admin.pl so there's no point in putting a password on it" is not a good idea. Of course something has to be unknown or inaccessible for good security - that's not the same thing as claiming your system is secure when you're just hoping somebody doesn't notice a gaping flaw.

      There's nothing wrong with obscurity in a secure system, but obscurity alone is not genuine security.

      --
      Fnord.
  2. forgemil.com? by 1u3hr · · Score: 5, Interesting

    Okay, why the hell does the DoD call the site "forge.mil" but actually host it at "forgemil.com"? If they can't get a real .mil site, who can? I thought it was some phishing scam. "forge.mil" doesn't even resolve, let alone redirect. And ".com"? Government reserved .gov, .mil and some other domains for its exclusive use. Why on earth are they using .com?

    1. Re:forgemil.com? by 1u3hr · · Score: 5, Interesting

      PS: checked out forgemil.com: It's registered at Godaddy. Great. Are we sure this isn't some Nigerian scam? (I think the Chinese or Russians would be more subtle.)

    2. Re:forgemil.com? by imamac · · Score: 5, Informative

      Nice. It even points the user to ANOTHER non-.mil site to download a PKI certificate. That settles it for me. This is NOT the military.

    3. Re:forgemil.com? by legirons · · Score: 5, Informative

      You know it's the right site, because its certificate is signed by the DoD CA.

      Except that CA isn't installed in any browser.

      And the site to download that cert is signed by the cert itself. Security by circular reasoning.

    4. Re:forgemil.com? by Anonymous Coward · · Score: 4, Informative

      forgemil.com is for public access to information about what the project/service is. It explains, quite clearly, that to access forge.mil, you will need either a DoD-issued PKI cert (CAC for you DoD folks), or a cert from a DoD-trusted source. All .mil infrastructure stuff is PKI protected by policy. It also explains in the FAQ why you get the SSL warnings about untrusted certs. It also tells you how you can download the DoD root certs (they only provide installs for Windows; you'll either have to dig around to get the certs for other platforms or just create an exception in your browser).
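The trust-bootstrap problem the replies above describe (a server certificate chaining to a private root that no browser ships, with the root itself offered for download) can be reproduced offline with throwaway keys. The script below is an added example, not code from this thread or from forge.mil: it builds a private root and a server certificate issued by it, shows that verification against a stand-in "browser" trust store fails, then verifies against the root obtained out of band and pins that root's SHA-256 fingerprint so a substituted root is rejected. All names and the host (Demo Root CA, Demo Public CA, forge.example.mil) are assumptions invented for the demo, and the "out-of-band" fingerprint is simulated by reading it from the freshly generated root; it requires only the openssl CLI (1.1.1 or newer).

```shell
#!/bin/sh
# Added example, not code from the Slashdot thread or from forge.mil.
# Demonstrates verifying a server cert against (a) a trust store that lacks
# the private root (fails) and (b) the private root fetched out of band,
# with its SHA-256 fingerprint pinned. Names/hosts below are assumptions.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"
mkdir empty-capath   # an empty -CApath keeps the system trust store out of play

# Minimal openssl config: v3_ca marks a certificate as a CA, v3_server as a leaf.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:forge.example.mil
EOF

# make_root NAME CERTFILE KEYFILE: a self-signed root CA (stand-in for the DoD root).
make_root() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config demo.cnf -extensions v3_ca -subj "/O=Demo/CN=$1" \
    -keyout "$3" -out "$2" >/dev/null 2>&1
}

make_root "Demo Root CA"   root.pem    root.key     # the private root nobody ships
make_root "Demo Public CA" browser.pem browser.key  # what a browser trusts instead

# The server certificate, issued by the private root (assumed host name).
openssl req -new -newkey rsa:2048 -nodes -sha256 -config demo.cnf \
  -subj "/O=Demo/CN=forge.example.mil" -keyout server.key -out server.csr >/dev/null 2>&1
openssl x509 -req -in server.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 365 -sha256 -extfile demo.cnf -extensions v3_server -out server.pem >/dev/null 2>&1

# verify_against BUNDLE: exit 0 if server.pem chains to a root in BUNDLE, else non-zero.
verify_against() {
  openssl verify -CAfile "$1" -CApath empty-capath server.pem >/dev/null 2>&1
}

# sha256_fingerprint CERT: the colon-separated SHA-256 fingerprint of CERT.
sha256_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# pin_matches CERT EXPECTED: exit 0 only if CERT's fingerprint equals the pinned value.
pin_matches() {
  [ "$(sha256_fingerprint "$1")" = "$2" ]
}

# In practice the pin must arrive over a second channel, never from the site whose
# certificate is being checked. Simulated here by reading the freshly made root.
EXPECTED_PIN="$(sha256_fingerprint root.pem)"

if verify_against browser.pem; then
  echo "unexpected: the browser-like store trusted the private root"; exit 1
fi
echo "against the browser-like store: untrusted (expected, private root not shipped)"

if pin_matches root.pem "$EXPECTED_PIN" && verify_against root.pem; then
  echo "against the pinned out-of-band root: trusted"
else
  echo "unexpected: pinned root failed"; exit 1
fi

if pin_matches browser.pem "$EXPECTED_PIN"; then
  echo "unexpected: the pin matched a different root"; exit 1
fi
echo "a substituted root fails the pin check"
```

The point of the pin check is the one the thread makes: downloading a root from a site whose certificate is signed by that same root proves nothing, so the fingerprint has to be compared against a value obtained some other way before the root is added to a trust store, rather than clicking through a browser exception.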

    5. Re:forgemil.com? by Vertana · · Score: 4, Informative

      The reason for that is, you have to be in the DoD and you receive the cert by CAC (DoD ID cards which double as a smart card with your PKI certs and authentication information). This forces you to obtain the certs physically and in person at a DoD site (i.e., ID Center on a military base, etc.).

      --
      "The best way to accelerate a Macintosh is at 9.8m/sec^2" -Marcus Dolengo
    6. Re:forgemil.com? by RyoShin · · Score: 4, Insightful

      But wait, there's more!

      DefenseLink is a DoD site that lists all DoD sites. Forge.mil(.com) is not on that list. Of course, it could be bureaucracy acting slow.

      Second, WHOIS contact connects to an individual at collab.net, another sourceforge-like site. Were this a government site, I would think they would have it registered to a position in a department, or at least a c/o address for a military/government institution, not an individual.

      Just to be sure, popping the given address into Google Maps returns what looks like a residential area.

      So this is either a horribly managed project (not surprising for the government), or some weird scam of sorts.

  3. We needed this years ago by superid · · Score: 5, Funny

    When I was first hired as a budding DoD programmer a long time ago, one of the first things I asked is "where is our library of stuff that has been developed locally?"

    I might as well have asked "where is my +3 mace?" because we didn't have that either.

    I'm glad this is finally happening.

  4. Open the flood gates by auric_dude · · Score: 4, Interesting

    Open source code, Open Government http://www.whitehouse.gov/ and Open Source Intelligence http://en.wikipedia.org/wiki/Open_source_intelligence all good ideas that may well speed things along and save the tax payers some cash.

  5. I hope this is a fishing site by yorkshiredale · · Score: 5, Insightful

    Clicked through the site a little to the 'PKI Online Training' section, and I'm informed that I must:

    1. enable flash

    2. enable cookies

    3. enable javascript

    4. disable pop-up blocking

    I desperately hope this is a scam, since the alternative possibility is just frightening.

    --
    The opinions expressed here are those of this individual, and may not reflect the policy or practice of the collective