Open Source

DHS Funds Open Source Cyber Security->

Submitted by
BrandiCook
BrandiCook writes "A PCMag article reveals the U.S. Department of Homeland Security has named Georgia Tech Research Institute (GTRI) to lead the five-year, $10 million Homeland Open Security Technology (HOST) program. HOST aims to find open approaches to handling the country's cyber security. An open solution could potentially save the government an enormous amount of money, although the primary objective is to protect the country with the best possible solutions. GTRI is leading HOST efforts in conjunction with the Open Technology Research Consortium (OTRC). OTRC members participating in the HOST program include: GTRI, University of Texas at Austin, the Open Information Security Foundation and the Open Source Software Institute."
Link to Original Source
Government

Kundra advocates open source->

Submitted by
jmwci1
jmwci1 writes "Obama's new CIO supports it, but is that enough to earn it a seat at the table?

Open-source software advocates are feeling energized. With the first semi-geek president in power, one who wields a cudgel for the kind of transparency and accountability that the open-source community is based on, they see a golden opportunity to push their case for the type of software that allows anyone to contribute code subject to the scrutiny of their peers."

Link to Original Source
Government

Military enlists open source community->

Submitted by
jmwci1
jmwci1 writes "The U.S. Defense Department is enlisting an open source approach to software development — an about-face for such a historically top-down organization.

In recent weeks, the military has launched a collaborative platform called Forge.mil for its developers to share software, systems components and network services. The agency also signed an agreement with the Open Source Software Institute to allow 50 internally developed workforce management applications to be licensed to other government agencies, universities and companies."

Link to Original Source
Government

DISA to open source administrative software->

Submitted by
jmwci1
jmwci1 writes "The Defense Information Systems Agency (DISA) plans to open source a suite of programs that it developed for administrative tasks. The agency has signed a Cooperative Research and Development Agreement with the Open Source Software Institute (OSSI) to help release the source code of the programs.

The set of 50 programs, collectively called the Corporate Management Information System (CMIS), handles duties such as human resource management, training, security, acquisition and related functions. All the programs were developed internally by DISA, and are used by more than 16,000 users worldwide.

"Numerous other government agencies have asked if we'd allow them to adopt CMIS for their internal use," Jack Penkoske, DISA's director of manpower, security and personnel, said in a statement. "We believe this will be a win-win for all involved."

By allowing third-party developers to view, modify, and reuse the software source code, DISA is hoping that others will improve the code when they modify it for their own purposes.

DISA will license the software under version 3 of the Open Software License as well as version 3 of the Academic Free License, according to John Weathersby, OSSI's executive director."

Link to Original Source
Security

Flaws in the OpenSSL FIPS Object Module v1.1.1->

Submitted by
jmwci1
jmwci1 writes "A significant flaw in the PRNG implementation for the OpenSSL FIPS Object Module v1.1.1 (certificate #733, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#733) has been reported by Geoff Lowe of Secure Computing Corporation. Due to a coding error in the FIPS self-test the auto-seeding never takes place.

That means that the PRNG key and seed used correspond to the last self-test. The FIPS PRNG gets additional seed data only from date-time information, so the generated random data is far more predictable than it should be, especially for the first few calls (CVE-2007-5502).

Note that this PRNG bug is only present in the v1.1.1 implementation and not in the regular OpenSSL product or in the OpenSSL FIPS Object Module v1.2 now undergoing validation testing. Only those applications using v1.1.1 of the OpenSSL FIPS Object Module which enter FIPS mode are affected. Applications which do not enter FIPS mode or which use any other version of OpenSSL are not affected.

Bugs like this in open source software are routinely found and corrected with a patch and/or updated source distribution. In this case two separate patches have been developed by Dr Stephen Henson (steve@openssl.org):

http://www.openssl.org/news/patch-CVE-2007-5502-1.txt

(the simplest direct fix) and:

http://www.openssl.org/news/patch-CVE-2007-5502-2.txt

(a workaround which avoids touching the PRNG code directly). However, for FIPS 140-2 validated software no changes are permitted without prior CMVP approval so neither of these patches can be applied to the v1.1.1 distribution for the purposes of producing a validated module.

We have supplied the information needed for a "letter change" update request based on the latter of these two patches to the CMT Laboratory for their submission to the CMVP. Once (and if) approved the new distribution containing this patch will be posted as

http://openssl.org/source/openssl-fips-1.1.2.tar.gz to replace the current distribution at http://openssl.org/source/openssl-fips-1.1.1.tar.gz.

Note that in addition to this real-world vulnerability there is a separate problem in this same PRNG implementation concerning the FIPS 140-2 continuous self-test, about which we have received multiple reports. The resolution of that problem hinges on interpretation of FIPS 140-2 scripture and we're still working on crafting a fix consistent with the conflicting opinions we've received.

At this point I have no estimate as to when the change letter(s), for either or both fixes, will be approved. From the perspective of those who must deal with events on "Internet time" the CMVP process is glacially slow. In the absence of any realistic expectation of quick results in that regard OSSI has chosen to make this announcement now in the hope of minimizing the disruption for the many products and "private label" validations known to use or be derived from the v1.1.1 validation and currently undergoing FIPS 140-2 validation.

-Steve M.


Steve Marquess
Open Source Software Institute
marquess@oss-institute.org"

Link to Original Source
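The submission above describes the failure mode but not how an attacker exploits it. The following added example (not OpenSSL code, and not part of the original post) models a PRNG with the ANSI X9.31 A.2.4 structure, I = E_K(DT), R = E_K(I xor V), V' = E_K(R xor I), and shows why "key and seed correspond to the last self-test" plus "additional seed data only from date-time information" is fatal: the self-test constants are in the source and therefore public, so anyone who knows the victim's clock to within a few minutes can regenerate every output and then stay in sync. Everything not stated on the page is an assumption made for the demonstration: the block cipher E_K is replaced by HMAC-SHA256 truncated to 16 bytes so the script runs with the standard library only, the self-test constants and the date-time block encoding are constructed, and the page does not name the underlying algorithm.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

BLOCK = 16  # one 128-bit block


def _e(key: bytes, block: bytes) -> bytes:
    """Stand-in for the PRNG's block cipher E_K (assumption for this example):
    HMAC-SHA256 truncated to one block. It is a keyed PRF, not a permutation,
    which is enough to show the predictability problem."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def dt_block(seconds: int) -> bytes:
    """Date-time input DT: whole seconds since the epoch, zero-padded to one
    block. Constructed layout; the real module's DT encoding is not on the page."""
    return seconds.to_bytes(8, "big") + bytes(BLOCK - 8)


class X931Prng:
    """ANSI X9.31 Appendix A.2.4 generator:
         I  = E_K(DT)
         R  = E_K(I xor V)      <- output block
         V' = E_K(R xor I)      <- next state
    Output is unpredictable only while K and V are secret."""

    def __init__(self, key: bytes, v: bytes) -> None:
        self.key = key
        self.v = v

    def generate(self, dt: bytes) -> bytes:
        i = _e(self.key, dt)
        r = _e(self.key, _xor(i, self.v))
        self.v = _e(self.key, _xor(r, i))
        return r


# Known-answer-test constants modelling the state left behind by the FIPS
# self-test. Constructed values: the point is that whatever they are, they
# sit in the source code and are public.
SELFTEST_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SELFTEST_V = bytes.fromhex("0123456789abcdef0123456789abcdef")


def broken_prng() -> X931Prng:
    """Models CVE-2007-5502: auto-seeding never runs, so the generator keeps
    the self-test key and seed and only DT varies between calls."""
    return X931Prng(SELFTEST_KEY, SELFTEST_V)


def seeded_prng() -> X931Prng:
    """Intended behaviour: K and V drawn from the OS entropy source."""
    return X931Prng(os.urandom(BLOCK), os.urandom(BLOCK))


def recover_state(target: bytes, guess_center: int,
                  window: int) -> Optional[Tuple[int, X931Prng]]:
    """Attacker view of the broken module: K and V are known, the victim's
    clock is known to within +/- window seconds. Re-run the generator for each
    candidate DT; on a match return the timestamp and a generator whose state
    is now identical to the victim's, so later outputs can be predicted too."""
    for t in range(guess_center - window, guess_center + window + 1):
        candidate = broken_prng()
        if candidate.generate(dt_block(t)) == target:
            return t, candidate
    return None


if __name__ == "__main__":
    victim_time = 1196000000            # constructed: a clock value in late 2007
    victim = broken_prng()
    first = victim.generate(dt_block(victim_time))
    hit = recover_state(first, victim_time + 37, window=120)   # 37 s clock error
    print("recovered DT:", hit[0] if hit else None)
    if hit:
        _, synced = hit
        nxt = victim.generate(dt_block(victim_time + 1))
        print("next output predicted:", synced.generate(dt_block(victim_time + 1)) == nxt)
```

The brute force costs a few hundred block operations per second of clock uncertainty, which is why the post calls the output "far more predictable than it should be"; the same search against `seeded_prng()` finds nothing, because without K and V the attacker has nothing to enumerate.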
