

DoD team nears Security Validation of OpenSSL
tadelste writes "An important DoD program took a page from Open Source and Do-It-Yourself-IT (DIYIT) and applied for their own Security Validation. In this article Steve Marquess says: 'as a taxpayer, I felt very annoyed. But it made me realize a couple of things. First, if OpenSSL had been validated, then it was possible for us to do it again. Secondly, if we could do it we could save a lot of money for the program.'"
Re:microsoft not secure (Score:5, Insightful)
You miss the point entirely. OpenSSL has already been validated, and the source has been seen by thousands of other people. THAT is what makes it more secure. It's proven and open. OpenSSL isn't a "desktop", it's a library for encryption. It's released under a BSD license, so Microsoft could include it in every copy of XP if it so chose to. It's not platform dependent.
And to further blow your smug theory away, any Unix-like operating system will always be more secure than the current Windows systems by design. It's not an opinion, it's a design choice that makes the software somewhat more difficult to use but gains security. You CAN make a Unix-like OS as insecure as a standard Windows install (hello Lindows) but you have to really try.
It would be nice if the "yea, wait until more people use Linux" crowd had a clue what they were talking about, especially since this has exactly NOTHING to do with Linux. Linus, to my knowledge, has not contributed to OpenSSL, and OpenSSL will work just fine with no need for Linux.
Re:microsoft not secure (Score:3, Interesting)
I have to disagree on this point. Windows XP/2000 has a fairly sophisticated system of permissions even though programmers and users alike tend to misuse or fail to use them. I think the major windows security problem is poor choice of default access control settings, not a lack of capability to make and enforce settings. That's something that Microsoft can (and pr
Re:microsoft not secure (Score:1, Informative)
ND
Re:microsoft not secure (Score:2, Informative)
Look, I'm a die-hard Linux user (that even borders on Zealot). I've been using "Linux" for 7 or so years now (RH 5.1 is the first "Linux" I tried). The "yea, wait until more people use Linux" people are right.
Sure, OK, all the source code to everything on this machine is out there (well, except for the nVidia module, but...), but if only somet
Re:microsoft not secure (Score:4, Insightful)
Linux is used in millions of embedded products. Embedded products probably outnumber desktop use by at least 100 to 1. The reason for its popularity in embedded products is the networking stack, the security layers, the routing, the filtering and to a lesser extent, the multi tasking and all these embedded developers are looking critically at Linux security, since nobody wants to buy an embedded product that hangs up every couple of hours.
Linux security is multi layered. It doesn't matter much if some gee wizz seldom used desktop app has a security hole - the attacker has to get through the TCP/IP stack, iptables, tcpwrappers and portsentry/snort first. That is where the security of Linux lies.
The difference with MS Windows is that it doesn't have the equivalent of iptables, tcpwrappers or portsentry and it also has a tightly built in browser with more holes than a swiss cheese.
The result is that it doesn't matter how good the underlying Windows kernel is - there is virtually no security around the Windows core system and that is why it is easy to breach.
Re:microsoft not secure (Score:3, Insightful)
Compared to how many that have seen Microsoft's?
I don't read the source code either, but many do. I feel better with people from dozens of countries looking over code, than just a couple hundred in Redmond. I can also read the opinions of many people who do use Linux, and I can compile and run any version of the kernel I w
Re:microsoft not secure (Score:2)
Man, hands-down. No argument there. That's most of the reason I use and support "Linux". *ANYONE* can see what Under-The-Hood(tm).
You are nothing but 100% right (in my eyes anyway). The main "selling point" that Open Source has to offer is the fact that it's *NOT* centralized.
Re:microsoft not secure (Score:1)
If you use gentoo, getting and using "updates" or adding new software is easy; portage does the work for you. If you want to "surf the internet" or use e-mail, linux is very easy to use. Please explain this whole issue of ease of use to me.
Re:microsoft not secure (Score:4, Insightful)
More than likely someone open minded enough to try and save money on his budget, or even an idealist
More cost effective (Score:5, Insightful)
Re:More cost effective (Score:4, Insightful)
That way everyone saves. The applications can be developed more easily without redoing a specific encryption layer for every one. Nobody wastes money developing and verifying a redundant system.
If the government simply accepted that contractors were going to base things on OpenSSL they'd need to verify every product, to make sure that nobody had accidentally or intentionally weakened it. By simply using the official signed and verified version they only have to trust their verification team once.
Ironic (Score:5, Insightful)
Any time the Govt. decides to use Free software instead of MS stuff, I also sleep better at night, for several reasons.
Lemme get this straight ... (Score:4, Insightful)
Furthermore, it would be a big surprise if other parts of the military didn't have copies of OpenSSL lying about on a few thousand machines already, so they wouldn't even have to go through the motion of downloading and verifying the public version. I'd bet that it's already mirrored on any number of
How can this idiocy be explained, other than by the theory that they shouldn't get something for free if they can spend money for the same thing and support a campaign contributor?
It does sorta go along with the old stories of the Navy using Windows NT to control their hardware
Re:Lemme get this straight ... (Score:3, Interesting)
It does not work this way. The other companies took SSL and enhanced it. We do not know if those enhancements were to get around weaknesses or for the companies' marketers. Now, by validating a base, it will make it possible to lower the costs for all.
Now if the Linux community would take a base system and run it through all this and then add their own stuff. That would improve everybody's lot
Re:Lemme get this straight ... (Score:5, Insightful)
Yes.
We are talking about a huge bureaucracy here, one that has procedures established. These guys bucked the procedures and did something different, rather than doing the safe and expected thing. I can well believe that this took guts.
steveha
Re:Lemme get this straight ... (Score:2)
Re:Lemme get this straight ... (Score:1)
Today's radicals are tomorrow's conservatives.
Re:Lemme get this straight ... (Score:1)
Re:Lemme get this straight ... (Score:1)
US of A brand army.mil [netcraft.com] not as interesting as the phillipines link, it is meagre
no idea how I missed that domain extension previously, so exc-u-u-u-u-u-se me!
Re:Lemme get this straight ... (Score:1)
Re:Lemme get this straight ... (Score:2)
Of course, there's also the venerable management principle that the more money (and people) you're in charge of, the more important you are. The capitalist ideologues like to claim that this is solely a problem in government. In fact, it's a generally-recognized management problem in all human organizations, and affects the corporate world as badly as any government.
It's interesting that so much linux/OSS/free-software news is coming from governments. It doe
Re:Ironic (Score:1, Insightful)
OpenSSL *is* Free Software (Score:5, Informative)
I really hate to get pedantic, but OpenSSL is Free Software. According [fsf.org] to the Free Software Foundation, the OpenSSL license is a Free Software license incompatible with the GPL.
What you should have said is that the Free Software Foundation recommends developers use the GNU TLS library, but using OpenSSL in non-GPL projects is perfectly okay. Remember, GPL licensed software is only a subset of Free Software.
Re:OpenSSL *is* Free Software (Score:1)
A little surprised OpenSSL isn't GPL compatible. Kind of ironic that it's compatible with closed source apps like my favourite SSH client [siliconcircus.com] but not with GPL software.
Re:OpenSSL *is* Free Software (Score:1)
GPL software is protected and can't be modified then sold for money without offering it for free (or for a small price to cover media costs) and must be shipped with source. I think.
Its licenses are incompatible, not the software itself. Important distinction here.
Re:OpenSSL *is* Free Software (Score:2)
Sorry, did I come across as someone who doesn't know what these licenses mean?
Re:OpenSSL *is* Free Software (Score:2)
Sorta, but not really. I could paraphrase it here, but I think quoting the actual text is more effective:
Re:OpenSSL *is* Free Software (Score:3, Interesting)
It is GPL compatible. See this. [gnu.org] Any software that used a modern BSD license (without the advertising clause) is GPL compatible.
The bitch is from BSD authors, because you can include BSD code into GPL projects, but you can't include GPL code into BSD projects. This is because BSD allows you to NOT release code for distributed binaries, and this is not allowed in the GPL.
BSD is actually MORE Free than GPL (as an author, you can take other BSD code, make
Re:OpenSSL *is* Free Software (Score:2, Informative)
Has this changed? The FAQ [openssl.org] suggests things are a little shaky.
Not that I much care; BSD's my preferred license, FreeBSD is my preferred OS, so it's all good. Makes a change from th
Re:OpenSSL *is* Free Software (Score:3, Interesting)
Hmm, you are correct, it is not as clear as I thought. Fortunately, SCO is expending a lot of energy to make licensing and the GPL much more clear for the future...
I am between the two. BSD is easier to like, but GPL does seem to give more protection that MS won't take your code and get rich from it without putting back into the community. The problem with sharing software on "the honor system" is not everyone is honorable. It's hard enoug
Re:OpenSSL *is* Free Software (Score:1)
Re:Ironic (Score:2)
BSD license qualifies as Free, according to the GNU project itself. So yes, OpenSSL is Free software.
Software doesn't have to be GPL to be free, even RMS openly admits it. GPL is just his favorite brand of "free", since its his.
Re:Ironic (Score:3, Insightful)
It's too bad they didn't certify GNU TLS instead.
Re:Ironic (Score:2)
Re:Ironic (Score:5, Informative)
more irony (Score:4, Insightful)
Re:more irony (Score:2)
sweet.
Re:more irony (Score:2)
Govt saving money? OMG! (Score:5, Insightful)
BTW, this shows some of the GPL-camp fears: too-free (as in BSD) code packaged into proprietary apps... some people will not realize they can get the exact same code for free.
(the debate on "in licensing from private outfit you are paying for support of that free code" is left to the reader ;)
Re:Govt saving money? OMG! (Score:1)
"Derived works", you'll say. Well, the whole point of this certification is that identically the same source is used, and this is checked at runtime by "cryptographic fingerprints". So there is no issue of changing the source code.
A vendor will not risk submitting their income-producing work to the GPL because of the "derived work" clause, period. They will structure it so it is not derived work; for
Re:Govt saving money? OMG! (Score:2)
They'll have to use it exactly as it is, or jump through hoops to interface it, or plain old use it without abiding with the terms of the GPL.
Anyway, my post was not intended to stir controversy or argue the old GPL vs. BSD holy war, just pointing out that one of the GPL zealots' main fear was portrayed in the article.
Summary misleading (Score:5, Informative)
Because OpenSSL has a BSD-style license, many vendors simply grabbed the source code and incorporated it into their proprietary products. Those vendors wanted literally hundreds of thousands of dollars in licensing fees. As Steve attests, "as a taxpayer, I felt very annoyed. But it made me realize a couple of things. First, if OpenSSL had been validated, then it was possible for us to do it again. Secondly, if we could do it we could save a lot of money for the program."
So he was annoyed at vendors who he thought were ripping the government off, not at the wastefulness of the government auditing OpenSSL as I read the summary to say.
Re:Summary misleading (Score:3, Insightful)
Re:Summary misleading (Score:1)
Re:Summary misleading (Score:2)
Re:Summary misleading (Score:3, Insightful)
Steve Marquess, the technical manager of DMLSS, had no issue with vendors making money, it was the means they chose that annoyed him. If everyone in government felt as he did, taxpayers like you and me would have a lot more money in our pockets.
Re:Summary misleading (Score:4, Insightful)
Re:Summary misleading (Score:3, Insightful)
In which case how could a validated OpenSSL be an alternative?
Re:Summary misleading (Score:3, Insightful)
Re-read the article. When the "National Security Agency promulgated a policy that required any military program using information assurance" to have NIST FIPS 140-2 validation, that "...led Steve Marquess, the technical manager of DMLSS, to the job of finding replacements for the OpenSSL libraries so prominently used in DMLSS." The article strongly implies their 'product'
Re:Summary misleading (Score:2)
That way these middle-ware companies wouldn't have to approve OpenSSL and they wouldn't have to pass the costs along. Cut out the middleman and everyone is happier because you get more product for less money, meaning you've got a more efficient economy. Considering this is something my taxes pay for, I like that.
I'm glad to see a g
It's not a ripoff. (Score:3, Insightful)
Remember, he spent 18 months getting just the OpenSSL libraries accredited. If a company had two people assigned to the task of accrediting both product and the incorporated OpenSSL for a year, and if we assume 50K/year per person, that's a hundred thousand before the company makes any profit. (And we're skipping the overhead of the manager, their office space, etc.)
The fault here is in the government not having a pre-approved solution for the vendors to use.
Re:It's not a ripoff. (Score:2)
The fault here is in the government not having a pre-approved solution for the vendors to use.
Are you seriously suggesting that the government should validate software and then buy a repackaged version from a vendor? Are you a member of Congress?
Yes. (Score:2)
That's exactly what I am suggesting.
However, if you've never dealt with the government, you may be assuming the vendor would charge just as much for a pre-approved version as a version in which they have to redo the validation effort. Strangely enough, the government has a person, the Contracting Officer, who should monitor the contract and will (o.k., should) disallow this. Instead, the vendor would be allowed a modest fee for the cost of documentation and any further required testing.
Re:Yes. (Score:2)
You need to work with better COs or COTRs. (Score:2)
and they don't inspect code to determine its origin
You'd have to be pretty dense not to notice the origin of the software if the document the vendor hands you for validation says exactly where it comes from. And even denser to allow a vendor to charge a man-year or two's worth of time for validation efforts if the documentation says the software had already been accredited by the government for the level of security required by the contract.
On the other hand, if they don't use the pre-validated softwa
Re:You need to work with better COs or COTRs. (Score:2)
You'd have to be pretty dense not to notice the origin of the software if the document the vendor hands you for validation says exactly where it comes from.
We deliver code to the government all the time, and the government expects it to be ours. From the article:
Stepping back, we are
Re:Summary misleading (Score:4, Interesting)
While it may be good karma to freely share your code, there's no obligation for anyone using the code to be a good citizen and give back to the community. How do BSD developers feel about their taxpayer dollars being spent on software that they wrote, but almost certainly won't see one cent of it?
Re:Summary misleading (Score:1)
GPL isn't against profits. BSD isn't against profits. Many people choose the BSD license because they don't agree fully with the GPL agenda.
People choose the BSD license because they are truly giving the software away without conditions and stipulations. They do understand that, and they don't mind if someone else turns a profit on it.
If you've ever given someone money for a gift, do you com
I think this is a good thing. (Score:5, Insightful)
OpenSSL has proven itself worthy on the battle field of the internet.
If by using OpenSSL, the DoD can design better systems faster that allow our troops to be more efficient (i.e. deadlier) and it costs us less money and the DoD returns any bugs it finds to the community, I don't see how this is a bad thing.
Re:I think this is a good thing. (Score:2)
We want soldiers to be incredibly deadly, because when we need to stop someone from doing something, we want our costs to be as low as possible, and to succeed as quickly as possible. We also want to have a separate
some thoughts (Score:4, Interesting)
Re:some thoughts (Score:2)
Does FreeBSD ?
Re:some thoughts (Score:1)
Re:some thoughts (Score:1)
good for this Steve guy (Score:3, Insightful)
Re:good for this Steve guy (Score:3, Informative)
For non-US readers : The US government has issues of spending bloat.
LoL! Name just one government worldwide that doesn't have that specific problem!
Re:good for this Steve guy (Score:1)
Re:good for this Steve guy (Score:2)
Yep, with the exception of the fact that they usually speak perfect english, most europeans are just like us! :)
Re:good for this Steve guy (Score:1)
I'll make a new word: bloaterment.
Government that auto-bloats. ^_^
Code fixes? Trustworthy compiler used? (Score:5, Insightful)
There was a comment here on slashdot in the past few months (can't find it now) about if you want to create trustworthy code, you first need to trust every layer below it, and every tool used to create it. Did this team use a validated build of gcc to create their OpenSSL binaries?
Chip H.
Re:Code fixes? Trustworthy compiler used? (Score:2, Insightful)
Re:Code fixes? Trustworthy compiler used? (Score:1)
Probably same thing as when a commercial vendor has to amend their library; you either stick with what you had (if the change is non-critical), revalidate or ignore the issue.
Re:Code fixes? Trustworthy compiler used? (Score:1)
It also sounds like they used MD5 or SHA1 to validate what exactly must not change -- "...produce a mechanism by which cryptographic fingerprints could be chained from the original source code all the way to the final runtime executable."
And nope they did not test gcc or validate that the cod
Re:Code fixes? Trustworthy compiler used? (Score:3, Insightful)
-molo
cryptographic fingerprints (Score:4, Interesting)
This sounds a very useful technique for any software that's verified in source form but deployed in binary form : voting machines and Formula 1 ECUs come to mind. Anybody know if there are more details of how they solved it ?
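The two posts above ("cryptographic fingerprints could be chained from the original source code all the way to the final runtime executable", and the earlier remark that identical source is checked at runtime by fingerprints) describe a chain of custody, but the article gives no details. The following is an added illustration, not code from the article, from DMLSS or from the OpenSSL project: it hashes a constructed three-file "source tree", fingerprints the manifest, runs a stand-in for the compiler, records the output's fingerprint, and then re-derives every link so that a changed source file or a changed binary breaks the chain. Assumptions: SHA-256 (the post only guesses MD5 or SHA1), a deterministic toy build in place of a real compiler, and the file names shown, which are invented.

```python
import hashlib
import json
from typing import Dict, Tuple

# Constructed sample "source tree" (path -> contents); these are NOT OpenSSL's files.
SOURCE_TREE: Dict[str, bytes] = {
    "crypto/sha/sha256.c": b"/* constructed sample source */\nint sha256_init(void) { return 0; }\n",
    "crypto/evp/evp.c": b"/* constructed sample source */\nint evp_init(void) { return 0; }\n",
    "Makefile": b"all: libfips.a\n",
}


def digest(data: bytes) -> str:
    """Fingerprint used for every link in the chain (assumption: SHA-256)."""
    return hashlib.sha256(data).hexdigest()


def source_manifest(tree: Dict[str, bytes]) -> Dict[str, str]:
    """One fingerprint per source file, keyed by path; sorted so it is reproducible."""
    return {path: digest(tree[path]) for path in sorted(tree)}


def manifest_fingerprint(manifest: Dict[str, str]) -> str:
    """Fingerprint of the manifest itself, over a canonical JSON encoding."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return digest(canonical)


def toy_build(tree: Dict[str, bytes]) -> bytes:
    """Stand-in for the compiler: a deterministic concatenation of the sorted sources.
    A real chain would also record the toolchain's identity (the 'trusted gcc' question)."""
    return b"".join(tree[path] for path in sorted(tree))


def build_chain(tree: Dict[str, bytes]) -> Tuple[Dict[str, object], bytes]:
    """Produce the chain record (source files -> manifest -> binary) and the binary."""
    manifest = source_manifest(tree)
    binary = toy_build(tree)
    chain = {
        "source_manifest": manifest,
        "source_fingerprint": manifest_fingerprint(manifest),
        "binary_fingerprint": digest(binary),
    }
    return chain, binary


def verify_chain(chain: Dict[str, object], tree: Dict[str, bytes], binary: bytes) -> Tuple[bool, str]:
    """Re-derive each link from the artifacts at hand; the first mismatch breaks the chain.
    The last check is the same comparison a runtime self-test would make against the
    fingerprint recorded at validation time."""
    manifest = source_manifest(tree)
    if manifest != chain["source_manifest"]:
        return False, "source file fingerprint mismatch"
    if manifest_fingerprint(manifest) != chain["source_fingerprint"]:
        return False, "manifest fingerprint mismatch"
    if digest(binary) != chain["binary_fingerprint"]:
        return False, "binary fingerprint mismatch"
    return True, "chain intact"


if __name__ == "__main__":
    record, lib = build_chain(SOURCE_TREE)
    print(json.dumps(record, indent=2))
    print(verify_chain(record, SOURCE_TREE, lib))
    # Tampering with one source file after validation is caught at the first link.
    tampered = dict(SOURCE_TREE)
    tampered["crypto/evp/evp.c"] = b"/* altered */\n"
    print(verify_chain(record, tampered, lib))
```

The point of the manifest fingerprint is that a validator can publish one short value that commits to every source file; anyone holding the tree can recompute it, and the binary's fingerprint is only meaningful if the build that produced it is reproducible, which is why the toolchain itself has to be part of what is recorded.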
Source code validated (Score:5, Insightful)
But technically the interesting point of the certification is that they managed to get the source code certified. There is at least one other open source product, Crypto++ [cryptopp.com], that is also FIPS 140.2 validated [nist.gov] (Certificate #343 [nist.gov]). But they only managed to get a compiled package validated, which does help me to trust the code but not really to "sell" the library to PHBs. The article doesn't really go into how they did get NIST to validate the source code. Anybody know more details?
Re:Source code validated (Score:2)
Too bad the Army can't use it: (Score:3, Insightful)
k. Use of "shareware" or "freeware" is prohibited unless specifically approved through IA personnel and by the DAA for a specific operational mission requirement and length of time when no approved IA product exists. Notify NETCOM RCIOs and the supporting RCERT/TNOSC of local software use approval.
Thus, unless the local designated approving authority (DAA) is willing to accept the risk of the software, and it is a mission requirement when no approved software exists (which SSL does), the DA won't be using it anytime soon. The biggest problem will be that the DAAs will not want to accept local risk when another product that will do the job, and is approved, will work.
This regulation, while well intentioned, is really difficult to live with. Try finding a good non-freeware spyware remover. It's not easy.
Re:Too bad the Army can't use it: (Score:1)
It says nothing about incorporating BSD licensed code in their in-house development.
Re:Too bad the Army can't use it: (Score:1)
Well, AdAware is pretty kick ass: http://www.lavasoftusa.com/purchase/business/ [lavasoftusa.com]