Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

US Dept. of Defense Creates Its Own Sourceforge

Soulskill posted more than 5 years ago | from the sharing-their-toys dept.

Government 131

mjasay writes "The US Department of Defense, which has been flirting with open source for years as a way to improve software quality and cut costs, has finally burst the dam on Defense-related open-source adoption with Forge.mil, an open-source code repository based on Sourceforge. Though it currently only holds three projects and is limited to DoD personnel for security reasons, all code is publicly viewable and will almost certainly lead to other agencies participating on the site or creating their own. Open source has clearly come a long way. Years ago studies declared open source a security risk. Now, one of the most security-conscious organizations on the planet is looking to open source to provide better security than proprietary alternatives."

cancel ×

131 comments

Sorry! There are no comments related to the filter you selected.

First Post! (-1, Offtopic)

gbutler69 (910166) | more than 5 years ago | (#26684065)

Yeah Baby! Groovy!

Re:First Post! (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26684071)

You cockgobbling shitcunt fucker.

I was going to get first post.

First post? (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26684075)

Wow. DOD. Suck on that.

~obscurity = security? (5, Insightful)

rlseaman (1420667) | more than 5 years ago | (#26684079)

Denigrating the concept of security through obscurity is not the same as claiming the inverse holds. This should be an interesting experiment in whether subjecting code to an early phase of public hazing reduces security holes and risks of all sorts.

Re:~obscurity = security? (5, Funny)

Anonymous Coward | more than 5 years ago | (#26684107)

I have a server running somewhere on the internet.
It has an IPv4 address with an open port 666
The password is donkeydick69

If you can't find and login then obscurity does equal security.

Re:~obscurity = security? (2, Funny)

Anonymous Coward | more than 5 years ago | (#26684135)

I left you a present :)

Re:~obscurity = security? (3, Insightful)

Anonymous Coward | more than 5 years ago | (#26684281)

You have an unusual definition of security. Let me tell you a few ways that having an obscured login name does not make you secure:

Insecure server or service: By virtue of running a machine connected to the internet with an open port attached to a program, you are opening a potential security risk.

If you can't find and login then obscurity does equal security

You presume that login credentials and IP addresses are "unfindable". Warrants, interrogation, torture, greased palms, all of these things can easily circumvent the fact that one does not know information about your machine _right now_.

Obscurity always sucks. There are plenty of easy ways to provide security without having to rely on the fact that a second party does not know easily found information.

Re:~obscurity = security? (1)

Thiez (1281866) | more than 5 years ago | (#26684657)

> You presume that login credentials and IP addresses are "unfindable". Warrants, interrogation, torture, greased palms, all of these things can easily circumvent the fact that one does not know information about your machine _right now_.

Sure, but that means nothing can be secure unless nobody knows about it and nobody can find out about it OR it in inaccesable for everyone. If we assume an opponent who plays without any rules whatsoever and has unlimited resources and can find out where you live, you always lose. Duh. Very insightful indeed.

> Obscurity always sucks. There are plenty of easy ways to provide security without having to rely on the fact that a second party does not know easily found information.

Tell me a way to secure something I have/know against an opponent that has no morals, my body, my posessions, and everything I know.

Re:~obscurity = security? (1, Informative)

Anonymous Coward | more than 5 years ago | (#26684809)

It isn't even about having unlimited resources. For instance, take the great grandparent scenario. Lets say I offered some slashdot intern $4000 to get the IP address of the person who made that anonymous post, then I offered $4000 to some underpaid tech support person at his ISP to give me some information about this person. If he was posting at home, I could find out where he lived. A plane ticket, a rental car, a gun, and you would be able to hack into his "security through obscurity" server.

$12,000 (estimating fees) isn't anywhere near unlimited funds. If he had something that was worth the effort, an average businessman could spend that much to get it.

Tell me a way to secure something I have/know against an opponent that has no morals, my body, my posessions, and everything I know.

Step 1. Secure the location. The article was originally talking about government security. A server hosted in someone's basement is a bit less secure than a government hosted server guarded by men holding sub machine guns. It's also a lot more challenging to harass an individual with limited resources than a government agent/agency/company with larger resources.

Step 2. If it's important, why is it internet accessible? The great grandparent refers to a server which is connected to the internet. If his information is so important and ready to be hacked, why is the machine readily available for anyone to connect to?

Step 3. If it has to be internet accessible, there are various methods of encryption and person-verification which can help to thwart attacks against the weak human element.

So, in short, guard it with guns. If it has to be accessible by the internet, factor that into your security scheme.

Re:~obscurity = security? (1)

Thiez (1281866) | more than 5 years ago | (#26684913)

> $12,000 (estimating fees) isn't anywhere near unlimited funds. If he had something that was worth the effort, an average businessman could spend that much to get it.

Sure, but an average businessman doesn't go around kicking peoples doors in and threatening people with a gun to force them to give up their secrets (well, not where I'm from). Even if they do, the password great great grandparent gave us is useless: if you visit him and threaten him with a gun, you don't ask for the ip and login of his server, you ask him to simply hand over the secrets you want. If great great grandparent visits slashdot through a few proxies (== adds more 'obscurity'), his server is once again safe and you lost $4000 in your quest for his server.

I guess you could still try to connect to all used IPv4 addresses and try the password. Then again, great great grandparent's computer could be behind a router blocking incomming connections, or the password could be of an account that has no rights to do anything.

Re:~obscurity = security? (1)

Malevolyn (776946) | more than 5 years ago | (#26685193)

Then again, great great grandparent's computer could be behind a router blocking incomming connections...

Then it's no longer simply obscurity.

Re:~obscurity = security? (2, Funny)

Thiez (1281866) | more than 5 years ago | (#26685325)

But it IS irrelevant if you are prepared to go to his home and beat any information you need out of him.

Re:~obscurity = security? (1)

Malevolyn (776946) | more than 5 years ago | (#26685337)

This is turning into job interview 2.0, where there is simply no possible solution and then you don't get hired because you didn't have a solution.

Re:~obscurity = security? (0)

Anonymous Coward | more than 5 years ago | (#26685517)

Surey that is nothing that 'Warrants, interrogation, torture, greased palms' cannot easily circumvent? For $4000 you can find an employee who knows where the interviewer lives...

Re:~obscurity = security? (1)

mysidia (191772) | more than 5 years ago | (#26689279)

There is a solution to this: metal detectors on all doors and windows, and a degaussing coil.

If someone steps in with a gun, the secrets automatically get blown away.

Re:~obscurity = security? (2, Insightful)

silanea (1241518) | more than 5 years ago | (#26684931)

Sure, but that means nothing can be secure unless nobody knows about it and nobody can find out about it OR it in inaccesable for everyone. [...]

Yes and no. Security is not absolute, it's not binary. It is the factor by which the amount of time and resources needed to break a certain security measure outnumbers the value of what's protected (or the effort needed to go through a different vector).

Obscurity does not add anything on your side of the scale because you can't depend on it, you can't measure it, you can't audit it, and in most cases you will only know it has been broken when it is too late. It is a good idea to keep information about your valuable goods and the security measures that protect them hidden, but this does not add any security in itself.

Not giving away your IP on /. may protect you from "our" wrath, but some script kiddie randomly scanning for open ports might still wreak havoc on your machine if you didn't lock it down properly.

Don't mix up security and secrecy! They have little to do with each other.

Re: Here is a way... (1)

Douglas Goodall (992917) | more than 5 years ago | (#26690983)

Secure the machine with a password, but don't watch what you are typing when you enter it. Now no one knows the password, and even though they have you, what you know, your body... They cannot get into the system. Of course you can't either, but you didn't say anything about that being a requirement. What you have, what you know, and who you are... The big three..... We are all waiting for a fourth security principle to make things better :-)

Re:~obscurity = security? (0)

Anonymous Coward | more than 5 years ago | (#26684607)

found it. Login is Mrs. Mallo-

hey that's my mom!

Re:~obscurity = security? (1)

lordsid (629982) | more than 5 years ago | (#26684705)

Just because I can't find it and login does not make it secure. You need to take into consideration the massive bot nets currently operating that constantly search IP addresses for security holes.

Even if a setup is never compromised it is not necessarily secure. I hate to get all philosophical but if you build they will hack it.

For example I give you any copy protection that has ever been implemented.

Re:~obscurity = security? (1)

Thiez (1281866) | more than 5 years ago | (#26684957)

> For example I give you any copy protection that has ever been implemented.

That's a bad example. Copy protection can easily be circumvented because you have physical access to and root permissions on the machine the to-be-copied data is on. DRM gives you the encrypted data and the key.

Re:~obscurity = security? (1)

davolfman (1245316) | more than 5 years ago | (#26687777)

And tells you not to use them.

Re:~obscurity = security? (0)

Anonymous Coward | more than 5 years ago | (#26688031)

It seems that only you, your family, friends, ISP, local and state government and the bastard that snoops your wireless know which server you are referring too. So should be safe enough.

Re:~obscurity = security? (1)

jotok (728554) | more than 5 years ago | (#26691851)

Back of a napkin: Using my modest (hypothetical) botnet of about 10,000 hosts, there's a decent (~25%) chance I will find and exploit you inside of a day, and a near-certainty that I will get you within 3 days. Just to be charitable I could throw in a random fudge factor of one week.

I could probably speed it up if I could depend on certain assumptions or if I have a little additional data.

Point being, the internet seems huge but it's not really all that big.

Re:~obscurity = security? (2, Interesting)

Cillian (1003268) | more than 5 years ago | (#26684293)

The whole security != obscurity thing is bollocks. Pretty much any "security" around today is basically obscurity. People say it's a bad idea to have a security system which relies on the process being unknown. It's comparable to having a system where the process is known but the password is unknown - the only difference being it's easier to change a password. The same applies to more advanced stuff like keys or certificates - The process is known, but one of the parameters is unknown, i.e. the key. If you could create a process with a similar complexity to the key, and keep it unknown, then presumably it'd be about as secure. The only sorts of security that aren't obscurity are the more brick-wall methods - e.g. unplug the network cable, don't allow access to anybody, even if they know the password. (I'm ignoring the more weird/bleeding edge stuff like quantum, because I don't have a clue about it.)

Re:~obscurity = security? (5, Insightful)

Srin Tuar (147269) | more than 5 years ago | (#26684599)

OK, you missed the entire point of the maxim "Security != Obscurity".

It is a truism. The point is this: any secrets will eventually be leaked, whether you know it or not. Things that are easy to change, such as keys and passwords, are relatively low risk. Things that are very difficult to change, such as algorithms, are very high risk.

If you count on the fact that your crypto algorithm or operating system is secure because its obscure, then when its leaked you will be facing a catastrophic disaster. Instead of losing the data on one communication or one server, you face a organization wide vulerability, and compromise of past communications.

The extra security gained from keeping the algorithms secret pales in comparison to the disaster of having them be weak.
Getting as many eyes on this type of code as possible is the best way to mitigate risk.

After that, you still keep as much secret as possible.

Re:~obscurity = security? (0)

Anonymous Coward | more than 5 years ago | (#26687219)

Good luck with that.

Now people can look up the actuall source of defence servers ? What crazy 'canonical' security egghead brought that up? 90% of Apache hacks are because somebody uncovered something in the source. They would have absolutely no clue if the Apache was source-closed. That is why ISS is becoming more secure as it matures. Nobody sees inside the thing.

Re:~obscurity = security? (5, Insightful)

FlyingBishop (1293238) | more than 5 years ago | (#26684625)

You're missing the point. Good processes are hard to come up with. Pick a good process that has some well-defined unknown, something that you need to keep safe, and you're assured that no one will break your security. Pick a bad process, and someone may tell you.

If you keep your process a secret, on the other hand, you have a host of unknowns - unknowns you do not know - that may provide someone access to your system. The point is, relying on a variety of ill-defined unknowns is inferior to relying on a single, well-defined unknown.

Re:~obscurity = security? (0)

Anonymous Coward | more than 5 years ago | (#26685425)

you have a host of unknowns - unknowns you do not know

Mr. Rumsfeld, is that you?

Re:~obscurity = security? (4, Insightful)

mazarin5 (309432) | more than 5 years ago | (#26684757)

The point of it is that things like "Oh don't worry, nobody would think to look at /admin.pl so there's no point in putting a password on it" is not a good idea. Of course something has to be unknown or inaccessible for good security - that's not the same thing as claiming your system is secure when you're just hoping somebody doesn't notice a gaping flaw.

There's nothing wrong with obscurity in a secure system, but obscurity alone is not genuine security.

Re:~obscurity = security? (1, Informative)

Anonymous Coward | more than 5 years ago | (#26684355)

This is NOT an official DoD site. It's pointing to too many non-DoD sites, including for CAC/PKI sig's registered through GoDaddy, hosted on Collab.net.

Using Slashdot as a large DoD Fishing Scam is interesting...

Re:~obscurity = security? (2, Informative)

Rhabarber (1020311) | more than 5 years ago | (#26685653)

In Germany we have a government payed open source site since 2000 [berlios.de] . They provide good service for free, to anybody and without commercial annoyances. I especially like the choice between CVS/SVN/Mercurial/GIT.

Re:~obscurity = security? (1)

Frosty Piss (770223) | more than 5 years ago | (#26687151)

This should be an interesting experiment in whether subjecting code to an early phase of public hazing reduces security holes and risks of all sorts.

It's extremely unlikely that any SourceForge type repository for government-used code will have much if any public access.

forgemil.com? (5, Interesting)

1u3hr (530656) | more than 5 years ago | (#26684093)

Okay, why the hell does the DoD call the site "forge.mil" but actually host it at "forgemil.com"? If they can't get a real .mil site, who can? I thought it was some phishing scam. "forge.mil" doesn't even resolve, let alone redirect. And ".com"? Government reserved .gov, .mil and some other domains for its exclusive use. Why on earth are they using .com?

Re:forgemil.com? (5, Interesting)

1u3hr (530656) | more than 5 years ago | (#26684101)

PS: checked out forgemil.com: It's registered at Godaddy. Great. Are we sure this isn't some Nigerian scam? (I think the Chinese or Russians would be more subtle.)

Re:forgemil.com? (1, Insightful)

Anonymous Coward | more than 5 years ago | (#26684195)

Yeah. If it's not a .mil site, then it's not US military. This has a very rotten smell. It's possible that some military folks got together to this on the private side, but it is definitely not military sanctioned. We have plenty of servers, why would we use GoDaddy?

Re:forgemil.com? (5, Informative)

imamac (1083405) | more than 5 years ago | (#26684213)

Nice. It even points the user to ANOTHER non-.mil site to download a PKI certificate. That settles it for me. This is NOT the military.

Re:forgemil.com? (2, Insightful)

Frosty Piss (770223) | more than 5 years ago | (#26687415)

Nice. It even points the user to ANOTHER non-.mil site to download a PKI certificate. That settles it for me. This is NOT the military.

It's almost certainly a phishing site to gather CAC data from unsuspecting CAC holders.

Re:forgemil.com? (1)

mysidia (191772) | more than 5 years ago | (#26689473)

It's almost certainly a phishing site to gather CAC data from unsuspecting CAC holders.

The CAC is a smart card, which shouldn't willingly reveal any of the keys stored on it.

Moreover, I suspect it would be impossible to authenticate without the server itself having certain keys and credentials.

I don't know enough about it to declare that phishing is completely impossible, but I would say that phishing seems unlikely.

It would also be pretty hard with a SSL client certificate.. although a man-in-the-middle attack is impossible if the client improperly trusts a fake certificate, the appearance is the cert is probably a bonafide legitimate one.

Re:forgemil.com? (4, Insightful)

RyoShin (610051) | more than 5 years ago | (#26687619)

But wait, there's more!

DefenseLink [defenselink.mil] is a DoD site that lists all DoD sites. Forge.mil(.com) is not on that list. Of course, it could be bureaucracy acting slow.

Second, WHOIS contact connects to an individual at collab.net, another sourceforge-like site. Were this a government site, I would think they would have it registered to a position in a department, or at least a c/o address for a military/goverment institution, not an individual.

Just to be sure, popping the given address into Google Maps returns what looks like a residential area.

So this is either a horribly managed project (not surprising for the government), or some weird scam of sorts.

Re:forgemil.com? (3, Informative)

mysidia (191772) | more than 5 years ago | (#26689411)

Nice. It even points the user to ANOTHER non-.mil site to download a PKI certificate. That settles it for me. This is NOT the military.

The homepage of the site they are pointing to https://www.dodpke.com/ [dodpke.com] Says the site has moved to: another url [army.mil]

Which refers you to: this document [army.mil]

Which states the following:

Alternate method of retrieving DoD Root Certificate

If you have trouble accessing the page listed above you can also visit the following page to download the DoD Root Certificates: https://www.dodpke.com/InstallRoot [dodpke.com] .

The dodpke.com site is also linked by http://www.nsa.naples.navy.mil/bno/PKI/index.htm [navy.mil] .

I cannot conclude that this is a scam, it appears to be probably legitimate, or at least the cert information is legitimate.

What they don't mention though is it's probably more secure to use a workstation that already has the certificate installed, download the file to a medium, then use the medium to install the certs on the 'fresh' workstation (No risk of man-in-the-middle while connecting with SSL to a site without a trusted cert).

dodpke.com has a registration date in 2002

Re:forgemil.com? (0)

Anonymous Coward | more than 5 years ago | (#26684649)

Needless to say that you cannot register (for softwareforgemil) because not only do they have a broken html syntax but https://software.forge.mil/ also refuses connections.

Re:forgemil.com? (0)

Anonymous Coward | more than 5 years ago | (#26684125)

Okay, why the hell does the DoD call the site "forge.mil" but actually host it at "forgemil.com"? If they can't get a real .mil site, who can?

If it's open source stuff, they aren't going to put it on a .mil site. They'll just use a .com site and take what they want from the code like the Chinese do with their Buddhism, Taoism, and Confucianism (like Egg says from Big Trouble In Little China). "Just like your salad bar."

Re:forgemil.com? (2)

El Torico (732160) | more than 5 years ago | (#26684185)

Probably because the servers are located in a commercial and not a government facility. They probably don't want to go through the hassle and cost of getting a NIPRNET circuit, which is somewhat ironic because this is a DISA effort (the same people who run NIPRNET).

Re:forgemil.com? (5, Informative)

legirons (809082) | more than 5 years ago | (#26684219)

You know it's the right site, because its certificate is signed by the DoD CA.

Except that CA isn't installed in any browser.

And the site to download that cert is signed by the cert itself. Security by circular reasoning.
   

Re:forgemil.com? (1)

will_die (586523) | more than 5 years ago | (#26684617)

If it was an real DoD site it would use the CAC system [cac.mil] or at the very least be on the NIPRNet [wikipedia.org] .
This site just screams scam.

Re:forgemil.com? (4, Informative)

Vertana (1094987) | more than 5 years ago | (#26684701)

The reason for that is, you have to be in the DoD and you receive the cert by CaC (DoD ID cards which double as a smart card with your PKI certs and authentication information). This forces you to obtain the certs physically and in person at a DoD site (ie ID Center on a military base, etc.).

Re:forgemil.com? (0)

Anonymous Coward | more than 5 years ago | (#26688435)

Actually, it appears to signed by a "Three Pillar Software" CA. Hardly a DoD CA or even a U.S. Government CA.

Re:forgemil.com? (2, Informative)

qw0ntum (831414) | more than 5 years ago | (#26684317)

Try https://www.forge.mil/ [forge.mil] . Once you get past the invalid certificate (allegedly because the DoD CA isn't included with most browsers) you'll get an SSL error.

Re:forgemil.com? (2, Insightful)

Grandim (1390511) | more than 5 years ago | (#26684491)

My guess is that forgemil.com is the worldwide site that advertise the project while forge.mil is reserved to the individuals with the required certificate.

Re:forgemil.com? (4, Informative)

Anonymous Coward | more than 5 years ago | (#26684449)

forgemil.com is for public access to information about what the project/service is. It explaines, quite clearly, that to access forge.mil, you will need either a DoD-issued pki cert (CAC for you DoD folks), or a cert from a DoD-trusted source. All .mil infrastructure stuff is pki protected by policy. It also explains in the FAQ why you get the ssl warnings about untrusted certs. It also tells you how you can download the DoD root certs (they only provide installs for Windows; you'll either have to dig around to get the certs for other platforms or just create an exception in your browser).

Re:forgemil.com? (0)

Anonymous Coward | more than 5 years ago | (#26686293)

forgemil.com---->71.163.169.73--->static-71-163-169-73.washdc.fios.verizon.net

forge.mil---> (150.125.33.34), ---> Space and Naval Warfare Command

Re:forgemil.com? (0)

Anonymous Coward | more than 5 years ago | (#26686707)

forgemil.com appears to be the "store front"; it provides links to the https://software.forge.mil, which is completely locked down to ECA or CAC access only.

This type of source has been a long time in coming. Two issues have substantially restricted open source projects in DoD. 1) Big name contractors are very close-hold with their code for business reasons, and 2) simply posting existing projects to sourceforge presents export control and "unclassified, for official use only" projects.

Re:forgemil.com? (1)

ion.simon.c (1183967) | more than 5 years ago | (#26686913)

1) Big name contractors are very close-hold with their code for business reasons

This boggles my mind. Isn't most everything developed under government contract property of the government? This is to say, "Doesn't the government own pretty much all of the source code that its contractors produce for it?"

Re:forgemil.com? (1)

budgenator (254554) | more than 5 years ago | (#26686785)

forgemil.com resolves fine in my browser, forge.mil requires that a dod root certificate be entered, and also seems to be slashdotted at times. The official forge.mil site requires DOD credentials so the projects can be edited, forgemil.com seems to be read only.

It's not "SourceForge" anymore... (1, Informative)

Anonymous Coward | more than 5 years ago | (#26684115)

It's based on SourceForge Enterprise Edition, a product that VA Software (Now SourceForge, Inc) sold off to CollabNet about two years ago. It's not even close to the code that runs sourceforge.net (sf.net's code was a php/python/perl based site, SFEE is J2EE).

Re:It's not "SourceForge" anymore... (2, Funny)

troll8901 (1397145) | more than 5 years ago | (#26685529)

They won't have a "news for (military) nerds" site called Dot.mil, would they?

Legacy Applications (2, Interesting)

El Torico (732160) | more than 5 years ago | (#26684139)

I would like to see open source applications that would replace all of the legacy, proprietary applications. DoD is loaded with very badly written applications that usually can only be changed by giving the same companies that produced them more money. Notice I said "changed" and not "improved".

Huh? (3, Insightful)

RDW (41497) | more than 5 years ago | (#26684165)

If it's 'limited to DoD personnel for security reasons' in what sense is it 'Open'?

Re:Huh? (1)

LingNoi (1066278) | more than 5 years ago | (#26684211)

Indeed, I just tried to look at some projects and you can't. Pointless.

export controls? Re:Huh? (0)

Anonymous Coward | more than 5 years ago | (#26684287)

Open within a community that is guaranteed to be all "U.S. Persons" for export control purposes, perhaps.

Sure, it's not open to 6 billion people, but it might be open to several million, and that's a heck of a lot better than closed in someone's desk drawer.

Re:export controls? Re:Huh? (2, Insightful)

denzacar (181829) | more than 5 years ago | (#26684795)

Sure, it's not open to 6 billion people, but it might be open to several million, and that's a heck of a lot better than closed in someone's desk drawer.

How exactly is that different than something like this:

3. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in this EULA. The Software is protected by copyright and other intellectual property laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the Software. The Software is licensed, not sold.

4. LIMITATIONS ON REVERSE ENGINEERING, DECOMPILATION, AND DISASSEMBLY. You may not reverse engineer, decompile, or disassemble the Software, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation.

5. NO RENTAL/COMMERCIAL HOSTING. You may not rent, lease, lend or provide commercial hosting services with the Software.

It is ours not yours. You may do only what we let you. You can't give it away.

Million drawers or just one - same thing if there is only one key to all the drawers.

Open within a community that is guaranteed to be all "U.S. Persons" for export control purposes, perhaps.

Apple's and MS' products are open within their own community too - is that also Open Source?

Re:Huh? (2, Informative)

denzacar (181829) | more than 5 years ago | (#26684691)

Also... How can something military be open source at all?

Military, unless we are talking para-military guerrilla troops somewhere in the jungle/desert, represents a particular government.
Say... government of Canada. Or Peru.
Now... that government is responsible and accountable to IT'S people. Not to the people of say... Singapore. Or Italy.
People and nations that are on a good day economic competition and on a bad day vile evildoers.

So, giving access to state secrets to potential enemies (and open source does not exactly mean "Anyone but our current enemies") isn't something I see any government doing. At least not on purpose.
And ANYTHING military can be declared a state secret - right down to the brand of toilet paper used cause the enemy might just decide to inconvenience "our boys" a little further by denying them the ass wipes they are used to by sabotaging the toilet paper factory.

So, it is either not a completely thought through action (someone trying to be cool and hip using terms like OSS, or just plain not understanding what it stands for)...
Or, it is some strange kind of OSS which can with a flip of a switch become not just proprietary but also a state secret that can get you a one way ticket to Gitmo or some similar exotic resort.

Come on... how can ANYTHING that works by these rules be considered "open".

Forge.mil User Agreement
STANDARD MANDATORY NOTICE AND CONSENT BANNER
YOU ARE ACCESSING A U.S. GOVERNMENT (USG) INFORMATION SYSTEM (IS) THAT IS PROVIDED FOR USG-AUTHORIZED USE ONLY. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Use of this system constitutes consent to monitoring for all lawful purposes.

Open as in slammed-shut-in-a-box-and-hauled-away-to-be-hidden-somewhere-inside-Area-51-kinda-open I guess?

Re:Huh? (2, Insightful)

Vertana (1094987) | more than 5 years ago | (#26684725)

The software is open... not every strategic decision or case use in which the software will be used.

Re:Huh? (1)

denzacar (181829) | more than 5 years ago | (#26684837)

Did you even bother to read the Forge.mil User Agreement?

Re:Huh? (3, Informative)

Vertana (1094987) | more than 5 years ago | (#26684885)

Yes, which claims a standard United States Government agreement which claims they own the computer, the data, your soul and anything else that may come in contact with it... but it also states "Forge.mil is currently in beta with limited operational availability. General availability for unclassified use is scheduled for Spring 2009." So, one could safely assume (at this point) that with the PKI Certification that's needed and the agreement they expect only DoD computers to be accessing it at the moment. However, at some point everything stated will be changed (or they'll change their mission from being 'open').

Re:Huh? (1)

lahvak (69490) | more than 5 years ago | (#26687159)

Also... How can something military be open source at all?

Lot's of software written by the military is not secret. For example, I believe the Army ran some sort of engineering competition for kids, where the participants had to "design and test" a bridge using a computer bridge simulator. The software was freely available (Windows only), and there were calls for them to release it as open source. They actually said they were considering it. I can't see how that could compromise our national security. Also, they recently released the source to a 3D modeler application they were using for many years to do some sort of simulations. I don't remember the details, but I think you should be able to find it on Freshmeat.

Re:Huh? (1)

Q-Hack! (37846) | more than 5 years ago | (#26687021)

If it's 'limited to DoD personnel for security reasons' in what sense is it 'Open'?

Many DoD contractors write software for various projects. Allowing them a secure means to share code with each other would be immensely helpful. You can have several developers within a single contract, but in different companies and different locations around the world contributing to the software. For instance somebody from Harris corp. could submit patches to software written by Raytheon. Up until now there was no way to accomplish this. The best you could hope for, was to submit a request, and hope it got worked on by the originating company. A process that has always been very expensive for the Government.

I would call it limited, but it's still Open Source. Now, lets hope that companies start using this.

Big brother is watching... (2, Informative)

3seas (184403) | more than 5 years ago | (#26684325)

STANDARD MANDATORY NOTICE AND CONSENT BANNER
YOU ARE ACCESSING A U.S. GOVERNMENT (USG) INFORMATION SYSTEM (IS) THAT IS PROVIDED FOR USG-AUTHORIZED USE ONLY. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Use of this system constitutes consent to monitoring for all lawful purposes.

Re:Big brother is watching... (1)

WindBourne (631190) | more than 5 years ago | (#26685995)

I am guessing that you have not been paying attention to Russel Tice or the ongoing case about W's admin spying on all American's communication. And if they are spying on us, what make you think that they are not spying on the majority of the world?

And you think that a little bitty notice on an obvious DOD site is scary?

Re:Big brother is watching... (1)

3seas (184403) | more than 5 years ago | (#26687263)

Did you miss the "devices connected" part? And what happens when you access the site... connection wise?

Re:Big brother is watching... (1)

3seas (184403) | more than 5 years ago | (#26687381)

I don't need Russels commentary. I'm well aware of the spying and know that we do not yet have the processing power to analyze such data stream in such amount for terrorist identification. Especially when you realize that terrorist communication can be so well hidden as to be common conversation where the communicating parties know a different meaning to what is said. Words, abstractions are only of value when used with agreed upon meaning, where the meaning can be established to be something quite different than perceived by spys.

During teh civil war there was what was called teh underground railroad where communication about it was done in teh cotton fields, via sing song.

However the spying on digital communications and transactions, though incapable of identifying specific "terrorist activities" was still valuable for determining the general populations attitude towards the Bush Admins public communications and as such provided a feedback loop to enable deceiving the American public and beyond into believe the line of BS they wanted to feed the public. And recent information has come out to further support this in that Journalist were of special spying focus.

The Obama Administration is supportive of this use of public funds and spying on the public. How else is it probably to promote change and claim it want the American public wants. But in itself this is not change at all but what has become same old, same old.... where change is only in improving the same old...direction.

I suspect the word Obama will become a word to mean "bait and switch". And I'd really like to be wrong on this, but read the Declaration of Independence for the probability of such change to actually happen.

Re:Big brother is watching... (1)

aksansai (56788) | more than 5 years ago | (#26690215)

Duh.

[sarcasm]I would feel a whole lot better if all the people of the world could access our government systems and do whatever the hell they could possibly want to with those systems[/sarcasm].

Yes, indeed, big brother is watching over who uses their systems, how they use it, and for what purpose and intent. Just like if someone were to come over to your house and use YOUR system, you'd feel better knowing the purpose of the use. "No, sir, that was certainly not MY kiddie porn on MY computer..."

Re:Big brother is watching... (1)

Sepodati (746220) | more than 5 years ago | (#26691555)

Everything in that statement is in reference to the "forge.mil" server. Communications to and from that server can (will) be monitored. You should accept that possibility with any system on the Internet, if you're smart. "device attached" refers to anything attached to the server, like a USB HD or other media. You can be paranoid and think your computer is "attached" to the server when you make an HTTP(S) connection, but you know that's not what they mean.

This is a standard warning that says you're connecting to a box controlled entirely by someone else and they are free to do whatever they want with what goes in and out of the box.

We needed this years ago (5, Funny)

superid (46543) | more than 5 years ago | (#26684341)

When I was first hired as a budding DoD programmer a long time ago, one of the first things I asked is "where is our library of stuff that has been developed locally?"

I might as well have asked "where is my +3 mace?" because we didn't have that either.

I'm glad this is finally happening.

Re:We needed this years ago (0)

Anonymous Coward | more than 5 years ago | (#26685407)

Wait, so you did get your +3 mace? Hot damn!

Re:We needed this years ago (0)

Anonymous Coward | more than 5 years ago | (#26686203)

It's on [developer's name]'s computer.

My perspective has been that each programmer is his or her own island. Occasionally there are 2-to-3-person islands, but there is not much know-how in team-based development.

Open the flood gates (4, Interesting)

auric_dude (610172) | more than 5 years ago | (#26684367)

Open source code, Open Government http://www.whitehouse.gov/ [whitehouse.gov] and Open Source Intelligence http://en.wikipedia.org/wiki/Open_source_intelligence [wikipedia.org] all good ideas that may well speed things along and save the tax payers some cash.

Re:Open the flood gates (2, Informative)

Hazelesque (1423711) | more than 5 years ago | (#26684651)

From the linked wikipedia article...

In the Intelligence Community (IC), the term "open" refers to overt, publicly available sources (as opposed to covert or classified sources); it is not related to open-source software.

Re:Open the flood gates (0)

Anonymous Coward | more than 5 years ago | (#26685313)

Obama's Whitehouse.gov does not differ greatly from W's. It certainly isn't any more "open." W's administration published their executive orders, presidential directives on the website. They even had an RSS feed you could subscribe to. Everything else is published in the federal register which is easily accessible to anyone.

The only thing Obama has added is a blog and video address which doesn't really increase the openness of government.

The first executive order Obama signed allowed Bush to have executive privilege just like Bush's first executive order gave Clinton the same thing. Even if Obama decided to let Bush be prosecuted Bush would be in some country without an extradition treaty with the US.

Studies? (3, Funny)

Wolfbone (668810) | more than 5 years ago | (#26684375)

Years ago studies declared open source a security risk.

Since when did risible falsehood and fallacy filled rants written by swivel-eyed ideologues count as 'studies'?

http://www.sourcewatch.org/index.php?title=Ken_Brown [sourcewatch.org]

Kindof open anyway (1)

Junior J. Junior III (192702) | more than 5 years ago | (#26684379)

[JoinCommunity]*

*DOD CAC or ECA Certificate Required

How easy is it to get one of these certificates?

Re:Kindof open anyway (0)

Anonymous Coward | more than 5 years ago | (#26684671)

Pretty easy. Quit your job and get one in the DoD.

Re:Kindof open anyway (1, Funny)

Anonymous Coward | more than 5 years ago | (#26687635)

Plenty easy. I know some recruiters that would be more than happy to give you a PKI enabled CaC...all it would take is a few signatures on your part, and raise your hand for one little oath...

Hopefully all the GOTS software will be there too. (3, Informative)

robkill (259732) | more than 5 years ago | (#26684385)

In most cases, if software was developed under a government contract, then the government has full rights to the source code. It would be a great starting place for updating a number of existing applications. Version control and vetting of results could be problematic in some cases, but not impossible to overcome.

Re:Hopefully all the GOTS software will be there t (0)

Anonymous Coward | more than 5 years ago | (#26684521)

Not bloody likely anytime soon. You should be able to get access to most source code for non-sensitive GOTS software today through the Freedom of Information Act, but I bet it would take so long that you'd stop caring.

For those of you trying to connect...read the FAQ (3, Informative)

Bearhouse (1034238) | more than 5 years ago | (#26684409)

"Though it currently only holds three projects and is limited to DoD personnel for security reasons, all code is publicly viewable"

No, it's not. Code posted to .mil is only available to those with sufficient authorisation. The .com site is publicly available for those seeking more information.

So, code will be NOT be 'publicly' available - only to those on secure. Kinda as you'd expect, but rather a long way away from real FOSS.

How to connect to the secure .mil server easily (0)

Anonymous Coward | more than 5 years ago | (#26684495)

No problem! What you have to do is wtf???!!!!dsfjsdqkjfghjkfgqs:gffg
[no carrier]

One project already works and is in use. (3, Funny)

will_die (586523) | more than 5 years ago | (#26684529)

It looks like the military has solve the problem of time travel and web master has let it slip. According to the FAQ
The Forge.mil effort started development in October 2009 and the first capability, SoftwareForge, is now available for limited, unclassified use.

Not new or even news .... (1, Insightful)

MasterAE2k9 (1466549) | more than 5 years ago | (#26684557)

The military has being using open source for more than 2 decades. They even have a huge repository of approved/certified open source products that people with the right clearance can access to assist with day to day work. This is not new in any way or shape. This is nothing more than the incompetent in the Whitehouse taking credit for other people's work to make himself look good in the eyes of the bubbling idiots who ate his turds during the election.

Re:Not new or even news .... (1)

jhaiduce (1033992) | more than 5 years ago | (#26686433)

On the contrary, the miltary is culturally paranoid of anything open source. The rare open source package that makes it on an "approved" list is nearly always shot down by local IT staff, who consider open source to be a security risk. The only exception is the software that comes pre-packaged with Solaris, and Sun workstations are being rapidly replaced by Windows boxes. If this initiative has any impact at all on the software actually used by the DoD, it will be an improvement.

Re:Not new or even news .... (0)

Anonymous Coward | more than 5 years ago | (#26687303)

This is nothing more than the incompetent in the Whitehouse taking credit for other people's work to make himself look good in the eyes of the bubbling idiots who ate his turds during the election.

Mod parent FLAMEBAIT.

its legit but done poorly (0)

Anonymous Coward | more than 5 years ago | (#26684575)

Disa frequently outsources it projects and this is one example of where the contractor didn't coordinate with his govt poc to obtain domain and PKI certs.

http://www.collab.net/news/press/2008/collabnet-disa.html [collab.net]

I work in Army IA division and this happens more often then i care to admit.

HUH (2, Funny)

Anonymous Coward | more than 5 years ago | (#26684731)

" Though it currently only holds three projects and is limited to DoD personnel for security reasons, all code is publicly viewable and...."

ok how do you limit the site and make it public at same time, good journalism guys.
and

"Slashdot only allows a user with your karma to post 2 times per day (more or less, depending on moderation). You've already shared your thoughts with us that many times. Take a breather, and come back and see us in 24 hours or so. If you think this is unfair, please email posting@slashdot.org with your username "CHRONOSS2008". Let us know how many comments you think you've posted in the last 24 hours."

f#ck karma
YA like yesterday must a been 22 hrs ago.
this place sucks now. censorship on the uptake i guess them mpaa suiing you guys is having an effect soon it will be 1 post a week then a month then hey why bother letting anyone post.

I hope this is a fishing site (5, Insightful)

yorkshiredale (1148021) | more than 5 years ago | (#26685175)

Clicked through the site a little to the 'PKI Online Training' section, and I'm informed that I must :

1. enable flash

2. enable cookies

3. enable javascript

4. disable pop-up blocking

I desperately hope this is a scam, since the alternative possibility is just frightening

Re:I hope this is a fishing site (2, Informative)

Anonymous Coward | more than 5 years ago | (#26688539)

The military uses cookies, flash, javascript, and pop-ups for just about everything. You have to enable all of the above to get a .mil site to load properly. It gets on everyone's nerves when we have to enable all of the above to do mandatory training.

Re:I hope this is a fishing site (0)

Anonymous Coward | more than 5 years ago | (#26688853)

Actually just having to do mandatory training gets on everyone's nerves.

It does have a .mil address (0)

Anonymous Coward | more than 5 years ago | (#26685507)

The site does have a .mil address. I'm on it right now but it's not very active since it looks to be brand new. You can only get on the .mil site with a DoD approved CAC Card. Anyways seems Linux is being used a bit more.

Is the time for this ripe at last? (0)

Anonymous Coward | more than 5 years ago | (#26685847)

[posting anon to not reveal username to those who will recognize me]

I wonder if this will catch on. In my little neck of the DoD woods, we've had great difficulty getting buy-in to collaborative, geographically dispersed software development. About 5 years ago we had the Sourceforge guys give a demo, but we opted to roll our own. I had the equivalent running with web-based tools for bug tracking, discussion boards, project pages, CVS browsing, project team roles and flexible authorization - but after hosting about 4 local software projects, it ultimately withered and died. Could not get other departments/agencies interested - everyone has their own rice bowl. Perhaps I'm just in the wrong area... I don't see much advantage being taken of collaboration or re-use.

That said, I will be taking a look at this newest effort once I get into the office.

awesome! (1)

Cyko_01 (1092499) | more than 5 years ago | (#26687961)

I'm really starting to like this Barrack Osama guy! Finally a president who knows how to take advantage of technology and open source
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?