US Dept. of Defense Creates Its Own Sourceforge 131
mjasay writes "The US Department of Defense, which has been flirting with open source for years as a way to improve software quality and cut costs, has finally burst the dam on Defense-related open-source adoption with Forge.mil, an open-source code repository based on Sourceforge. Though it currently only holds three projects and is limited to DoD personnel for security reasons, all code is publicly viewable and will almost certainly lead to other agencies participating on the site or creating their own. Open source has clearly come a long way. Years ago studies declared open source a security risk. Now, one of the most security-conscious organizations on the planet is looking to open source to provide better security than proprietary alternatives."
It's not "SourceForge" anymore... (Score:1, Informative)
It's based on SourceForge Enterprise Edition, a product that VA Software (now SourceForge, Inc.) sold off to CollabNet about two years ago. It's not even close to the code that runs sourceforge.net (sf.net's code was a PHP/Python/Perl-based site; SFEE is J2EE).
Re:forgemil.com? (Score:5, Informative)
You know it's the right site, because its certificate is signed by the DoD CA.
Except that CA isn't installed in any browser.
And the site to download that cert is signed by the cert itself. Security by circular reasoning.
Big brother is watching... (Score:3, Informative)
STANDARD MANDATORY NOTICE AND CONSENT BANNER
YOU ARE ACCESSING A U.S. GOVERNMENT (USG) INFORMATION SYSTEM (IS) THAT IS PROVIDED FOR USG-AUTHORIZED USE ONLY. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
- The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
- At any time, the USG may inspect and seize data stored on this IS.
- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
- This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
- Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Use of this system constitutes consent to monitoring for all lawful purposes.
Re:~obscurity = security? (Score:1, Informative)
This is NOT an official DoD site. It's pointing to too many non-DoD sites, including for CAC/PKI sigs registered through GoDaddy, hosted on Collab.net.
Using Slashdot as a large DoD phishing scam is interesting...
Hopefully all the GOTS software will be there too. (Score:4, Informative)
In most cases, if software was developed under a government contract, then the government has full rights to the source code. It would be a great starting place for updating a number of existing applications. Version control and vetting of results could be problematic in some cases, but not impossible to overcome.
For those of you trying to connect...read the FAQ (Score:4, Informative)
"Though it currently only holds three projects and is limited to DoD personnel for security reasons, all code is publicly viewable"
No, it's not. Code posted to .mil is only available to those with sufficient authorisation. The .com site is publicly available for those seeking more information.
So, code will NOT be 'publicly' available - only to those on secure. Kinda as you'd expect, but rather a long way away from real FOSS.
Re:forgemil.com? (Score:4, Informative)
forgemil.com is for public access to information about what the project/service is. It explains, quite clearly, that to access forge.mil, you will need either a DoD-issued PKI cert (CAC for you DoD folks), or a cert from a DoD-trusted source. All .mil infrastructure stuff is PKI protected by policy. It also explains in the FAQ why you get the SSL warnings about untrusted certs. It also tells you how you can download the DoD root certs (they only provide installs for Windows; you'll either have to dig around to get the certs for other platforms or just create an exception in your browser).
Re:Open the flood gates (Score:2, Informative)
In the Intelligence Community (IC), the term "open" refers to overt, publicly available sources (as opposed to covert or classified sources); it is not related to open-source software.
Re:Huh? (Score:3, Informative)
Also... How can something military be open source at all?
Military, unless we are talking para-military guerrilla troops somewhere in the jungle/desert, represents a particular government.
Say... government of Canada. Or Peru.
Now... that government is responsible and accountable to ITS people. Not to the people of say... Singapore. Or Italy.
People and nations that are on a good day economic competition and on a bad day vile evildoers.
So, giving access to state secrets to potential enemies (and open source does not exactly mean "Anyone but our current enemies") isn't something I see any government doing. At least not on purpose.
And ANYTHING military can be declared a state secret - right down to the brand of toilet paper used cause the enemy might just decide to inconvenience "our boys" a little further by denying them the ass wipes they are used to by sabotaging the toilet paper factory.
So, it is either not a completely thought through action (someone trying to be cool and hip using terms like OSS, or just plain not understanding what it stands for)...
Or, it is some strange kind of OSS which can with a flip of a switch become not just proprietary but also a state secret that can get you a one way ticket to Gitmo or some similar exotic resort.
Come on... how can ANYTHING that works by these rules be considered "open".
Forge.mil User Agreement
STANDARD MANDATORY NOTICE AND CONSENT BANNER
YOU ARE ACCESSING A U.S. GOVERNMENT (USG) INFORMATION SYSTEM (IS) THAT IS PROVIDED FOR USG-AUTHORIZED USE ONLY. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
- The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
- At any time, the USG may inspect and seize data stored on this IS.
- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
- This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
- Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Use of this system constitutes consent to monitoring for all lawful purposes.
Open as in slammed-shut-in-a-box-and-hauled-away-to-be-hidden-somewhere-inside-Area-51-kinda-open I guess?
Re:forgemil.com? (Score:5, Informative)
The reason for that is, you have to be in the DoD and you receive the cert by CAC (DoD ID cards which double as a smart card with your PKI certs and authentication information). This forces you to obtain the certs physically and in person at a DoD site (i.e. ID Center on a military base, etc.).
Re:~obscurity = security? (Score:1, Informative)
It isn't even about having unlimited resources. For instance, take the great-grandparent scenario. Let's say I offered some Slashdot intern $4000 to get the IP address of the person who made that anonymous post, then I offered $4000 to some underpaid tech support person at his ISP to give me some information about this person. If he was posting at home, I could find out where he lived. A plane ticket, a rental car, a gun, and you would be able to hack into his "security through obscurity" server.
$12,000 (estimating fees) isn't anywhere near unlimited funds. If he had something that was worth the effort, an average businessman could spend that much to get it.
Tell me a way to secure something I have/know against an opponent that has no morals, my body, my possessions, and everything I know.
Step 1. Secure the location. The article was originally talking about government security. A server hosted in someone's basement is a bit less secure than a government hosted server guarded by men holding sub machine guns. It's also a lot more challenging to harass an individual with limited resources than a government agent/agency/company with larger resources.
Step 2. If it's important, why is it internet accessible? The great grandparent refers to a server which is connected to the internet. If his information is so important and ready to be hacked, why is the machine readily available for anyone to connect to?
Step 3. If it has to be internet accessible, there are various methods of encryption and person-verification which can help to thwart attacks against the weak human element.
So, in short, guard it with guns. If it has to be accessible by the internet, factor that into your security scheme.
Re:Huh? (Score:4, Informative)
Yes, which claims a standard United States Government agreement which claims they own the computer, the data, your soul and anything else that may come in contact with it... but it also states "Forge.mil is currently in beta with limited operational availability. General availability for unclassified use is scheduled for Spring 2009." So, one could safely assume (at this point) that with the PKI Certification that's needed and the agreement they expect only DoD computers to be accessing it at the moment. However, at some point everything stated will be changed (or they'll change their mission from being 'open').
Re:forgemil.com? (Score:3, Informative)
Nice. It even points the user to ANOTHER non-.mil site to download a PKI certificate. That settles it for me. This is NOT the military.
The homepage of the site they are pointing to https://www.dodpke.com/ [dodpke.com] Says the site has moved to: another url [army.mil]
Which refers you to: this document [army.mil]
Which states the following:
Alternate method of retrieving DoD Root Certificate
If you have trouble accessing the page listed above you can also visit the following page to download the DoD Root Certificates: https://www.dodpke.com/InstallRoot [dodpke.com].
The dodpke.com site is also linked by http://www.nsa.naples.navy.mil/bno/PKI/index.htm [navy.mil].
I cannot conclude that this is a scam, it appears to be probably legitimate, or at least the cert information is legitimate.
What they don't mention though is it's probably more secure to use a workstation that already has the certificate installed, download the file to a medium, then use the medium to install the certs on the 'fresh' workstation (No risk of man-in-the-middle while connecting with SSL to a site without a trusted cert).
dodpke.com has a registration date in 2002
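Two comments in this thread describe the same trust-bootstrapping problem from opposite ends: the one calling the DoD CA download "security by circular reasoning", and the one above suggesting you fetch the root on a workstation that already trusts it and carry it over on removable media. The script below is an added example, not code from forge.mil, CollabNet or any poster here. It builds two throwaway private PKIs with the openssl CLI, shows that a leaf certificate verifies against whichever root signed it (so a rogue root serving a look-alike site "validates" just as well as the genuine one), and shows that a SHA-256 root fingerprint obtained through a channel you already trust is what lets you tell the two apart before installing anything. Assumptions: openssl 1.1.1 or later is on PATH; every key, certificate and the hostname forge.example are generated locally for the demo and are not real DoD material.

```shell
#!/bin/sh
# Added example: not code from forge.mil, CollabNet or anyone in this thread.
# Models the trust-bootstrap problem discussed above: a leaf cert verifies
# against whichever root signed it, so "it validates against the root I just
# downloaded" proves nothing. Only a root fingerprint obtained out-of-band
# (read off a workstation that already trusts the real root) breaks the circle.
# Assumptions: openssl CLI 1.1.1+ on PATH; all keys, certs and the hostname
# forge.example are generated locally here (constructed demo material).
set -eu

WORK="${TMPDIR:-/tmp}/pki-bootstrap-demo.$$"

# make_pki NAME CN: self-signed root "NAME Root CA" plus a leaf for CN signed
# by it. Writes $WORK/NAME-root.crt and $WORK/NAME-server.crt.
make_pki() {
    name=$1; cn=$2
    mkdir -p "$WORK"
    cat > "$WORK/$name-ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = $name Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 \
        -config "$WORK/$name-ca.cnf" \
        -keyout "$WORK/$name-root.key" -out "$WORK/$name-root.crt" >/dev/null 2>&1

    cat > "$WORK/$name-leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $cn
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$name-leaf.cnf" \
        -keyout "$WORK/$name-server.key" -out "$WORK/$name-server.csr" >/dev/null 2>&1
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$cn" \
        > "$WORK/$name-leaf.ext"
    openssl x509 -req -days 1 -in "$WORK/$name-server.csr" \
        -CA "$WORK/$name-root.crt" -CAkey "$WORK/$name-root.key" -CAcreateserial \
        -extfile "$WORK/$name-leaf.ext" -out "$WORK/$name-server.crt" >/dev/null 2>&1
}

# verify_leaf LEAF ROOT: prints "ok" if LEAF chains to ROOT, else "fail".
verify_leaf() {
    if openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'; then
        echo ok
    else
        echo fail
    fi
}

# root_fingerprint CERT: SHA-256 fingerprint (colon-separated hex), the value
# you record on an already-trusted machine and carry over by hand.
root_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# install_root_if_pinned DOWNLOADED EXPECTED_FP DEST: copy DOWNLOADED into the
# trust store DEST only if its fingerprint matches the out-of-band value.
install_root_if_pinned() {
    [ "$(root_fingerprint "$1")" = "$2" ] || return 1
    cp "$1" "$3"
}

demo() {
    make_pki dod forge.example     # the genuine PKI
    make_pki rogue forge.example   # an impostor signing the same hostname
    pinned=$(root_fingerprint "$WORK/dod-root.crt")   # stands in for the out-of-band value
    echo "genuine leaf vs genuine root: $(verify_leaf "$WORK/dod-server.crt" "$WORK/dod-root.crt")"
    echo "rogue leaf vs rogue root:     $(verify_leaf "$WORK/rogue-server.crt" "$WORK/rogue-root.crt")"
    echo "genuine leaf vs rogue root:   $(verify_leaf "$WORK/dod-server.crt" "$WORK/rogue-root.crt")"
    if install_root_if_pinned "$WORK/rogue-root.crt" "$pinned" "$WORK/trusted-root.crt"; then
        echo "BUG: rogue root accepted"
    else
        echo "rogue root rejected: fingerprint does not match pinned value"
    fi
    install_root_if_pinned "$WORK/dod-root.crt" "$pinned" "$WORK/trusted-root.crt"
    echo "genuine root installed; leaf vs trust store: $(verify_leaf "$WORK/dod-server.crt" "$WORK/trusted-root.crt")"
}

demo
```

Run it with `sh pki-bootstrap-demo.sh`. The first two verifications both print "ok", which is the whole point: chain validation tells you the leaf was signed by the root you handed it, not that the root is the one you wanted. The `pinned` value in the demo is computed from the locally generated root only because the script has to be self-contained; in practice it is the fingerprint you read off a workstation that already trusts the real root (or carry over on media, as the comment above suggests), and `install_root_if_pinned` is the check that turns an untrusted download into a trust anchor.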