Sticking your CAC in the Pooter for Uncle Sugar

So I finally broke down and started writing tutorials about how to use your DoD CAC in conjunction with Linux and Mac OS X (and other Unixes as I get more test systems assembled…). Since Fedora 13 pretty much took the cake for this year’s kickass Linux distro I wrote instructions for 32-bit Fedora 13 first. Next up will be 32-bit Ubuntu 10.4 LTS, then 64-bit Fedora 13, 32-bit Ubuntu 10.10, 64-bit Ubuntu (probably 10.4 LTS first), Fedora 14, and Mac OS X somewhere in there as soon as I get my hands on a test system.

The main guide portal page can be found here: http://zxq9.com/dodcac/

It turns out that a huge number of people in the military have been waiting to get above the Windows scramble and move on to Linux or Mac OS X. The awareness of Unix-type systems in this generation is pretty amazing considering recent history (it is equally amazing that almost nobody knows what BSD is anymore). The one thing holding them back is an unfounded fear of not being able to access DoD web apps such as DTS, AKO/DKO and RMT. Another thing they fear is losing the ability to play DVDs on their computers because they have heard the evil (and tragi-comic) rumors that playing DVDs on Linux is hard to do and makes your palms hairy. (Of course, they could always dual-install… and doing it with a new harddrive is so easy my tech-uninterested wife can do it.)

I cover all of that in the tutorials and its pretty easy. If I got paid to maintain this stuff by DoD then I would go as far as writing GUI Python scripts to make the installations cake for everyone the way Anonymouse used to. But alas I spend an inordinate amount of time doing this and its all for free — and the solutions are half-way to the level of user-friendliness they could be. Actually, that I don’t get paid for this and it is a concrete service realized by many servicemembers sort of pisses me off when we have literally millions a year getting pissed away on bad projects all over the place. If DoD would consider the utility of standing up a development house of, say, 10 top-level open source developers (the sort who can demand low-six-figure salaries) and a person who can bridge the gap between combat operations and military experience and the open source world (hint: this would be someone just like me…) they could safely switch most of their infrastructure and save roughly $15,000 per seat (this figure comes from my signal officer’s quote for how much it costs us to put a single computer on the network) in recurring site licenses, security and maintenance across the force.

(Where I work right now there are about 300 computers deployed on the NIPR. Just switching that single building over would pay for three times the development group I am discussing, so fix-figures for no-shit developers is actually extremely cheap and you could get the right people, not the inept folks who bumbled through development of crap like DTS and said they had a product worth releasing…)

The fact that the MPAA and RIAA have so much political clout is something I would ordinarily have blogged about by now. I have not… yet. Instead of writing yet another rant-on-the-web-about-the-media-industry and thereby merely regurgitating all of the great points both personal and legal that have been better stated elsewhere, I think it would be more interesting and productive to abstain (though ranting about it is tempting) and instead examine the fundamental trends which will eventually render all such efforts at controlling individual and independent mathematical achievements impossible and unenforceable in the future.

There are some great points to be made and some incredible busines opportunities emerging as the nature of the world changes and art, math, social interaction, thought and even evolution (in some senses) become digitized, mathematical processes. Give some thought to this. Depending on where your social and/or religious emotional investments lay this is very exciting, frightening, unstoppable or something which must be fought. Whoever though math machines could be so controversial?

7 thoughts on “Sticking your CAC in the Pooter for Uncle Sugar

  1. David

    Great rant, and an even better tutorial! I’m at the threshold of of understanding linux, and ive been able to follow most of your tutorial w/o a problem.

    About that DoD Open Source community you were talking about: Forge.mil

    You should check out the firefox/thunderbird add-on they have. It isn’t perfect but it cuts down on some of the manual steps in your tutorial (like Installation of DoD Certificates)

    I have not been able to actually spend time at Forge.mil other than download those add-ons for my MAC (and still haven’t got them working perfectly) but I think they have quite a number of projects moving. They also boast an open community of 6000+ members.

    Reply
  2. zxq9 Post author

    Thanks for the note. I am a little lukewarm on forge.mil, but only because I view it as an isolated movement that will have trouble plugging into the more evolved open source community (in much the same way the Microsoft sponsored exploit-the-power-user “shared source” community has). It is also frustrating to see the open source community get zero benefit from the military when DoD pays so much money for downright bad software from so many vendors, often to reimplement existing functionality in worse ways (Zapgrab and DBSign are prime examples…).

    Smartcards are in no way a strictly military phenomenon (or military at all, actually) so the technologies involved tend to be more highly evolved outside rather than inside of it. Keeping forge.mil walled off on its own just keeps elegant ideas from permeating the society and introducing a lot of reinventing of various round objects, imnsho.

    “Walled off” just means socially speaking, by the way. Realistically speaking we have the general open source community and then there are forge.mil and the MS scripting/shared source communities. I realise there is nothing preventing individuals from having a foot in both worlds. On the other hand, that means that the barrier to entry for such a dual society member is the willingness to put that much effort forth, and that is not something to taken for granted (take me, for example).

    As far as Firefox plugins… if I get the time (or a random check falls in my box with a sweet note requesting it in exchange for cashing the check) I want to do a for-DoD version of Anonymouse’s awesome Python post-install script. What it would do is give a user a single thing to download and run as root on the desktop. From there it would ask what components the user wants installed and after doing the appropriate checking and sourcing, install everything, including automating the Firefox configuration for certificates, Coolkey and registering the CAC with Dogtag.

    It wouldn’t be difficult at all to write, I’m just loathe to actually open the Firefox documentation up and find the correct config files to append profiles to… but that doesn’t mean I won’t do it in the near future. Who knows…

    Reply
  3. zxq9 Post author

    Oh… and you said you were able to follow “ive been able to follow most of your tutorial w/o a problem.”
    Where did you have a problem? Maybe I can clarify something for you and the next user if you let me know.

    Reply
  4. Kralik

    The CAC tutorials are very well written – thank you for making them available. I was able to complete most of the process on Ubuntu 10.10 (64 bit), but encountered errors when configuring the new security device. Will let you know if I get that figured out.

    Reply
  5. zxq9 Post author

    Kralik,
    Unfortunately I haven’t yet found the time to update the Ubutnu 10.10 and Fedora 14 tutorials. The good news is that they are basically the same (though some poor decisions on the part of Oracle’s Java dev team conflict with the SELinux design model (and common sense), if you happen to be running SELinux…).

    The bad news is that occasionally Firefox will erroneously tell you that creating a new security device is impossible. This is just a little Firefox joke (eh?). I have not located the source of this problem yet, though it seems more prevalent on Ubuntu than Fedora (but it does occur on both, so it is definitely a Firefox issue). Usually after a reboot I can get the security device to install properly and from there everything works fine.

    If you happen to find the cause of the problem please let me know. It is a small setup frustration, but there is no reason to just live with frustration when we can patch the source ourselves and make this issue go away for everyone.

    Reply

Leave a Reply to Kralik Cancel reply

Your email address will not be published. Required fields are marked *