Repo: https://github.com/IRS-Public/direct-file

Hurry up and clone that ASAP, this is gonna get taken down once DOGE realizes what it is

More likely they'll just turn off or unpublish the API that it depends on.

really good article with a couple surprises in there.

"some people speculated that, because of the political pressure against it, its release must have been an act of resistance by someone within the IRS. But the open sourcing of the program was always part of the plan, and was required by a law called the SHARE IT Act. It happened “fully above board, which is honestly more of a feat!,” Given told 404 Media. “This has been in the works since last year.”

Vinton told 404 Media in a phone call that the open sourcing of Direct File “is just good government.”

“All code paid for by taxpayer dollars should be open source, available for comment, for feedback, for people to build on and for people in other agencies to replicate. It saves everyone money and it is our [taxpayers’] IP,” she said. “This is just good government and should absolutely be the standard that government technologists are held to.”"

Lmao, nice

“All code paid for by taxpayer dollars should be open source, available for comment, for feedback, for people to build on and for people in other agencies to replicate. It saves everyone money and it is our [taxpayers’] IP,” she said. “This is just good government and should absolutely be the standard that government technologists are held to.”"

Nice sentiment, but bad take. Open-sourcing the software that runs our military equipment would be a fantastic gift to the bad actors of the world.

security through obscurity is not security

Our entire Internet, the backbone of all encryption, all runs on open source software.

It is more secure because people can see and audit the code.

Let me flip what you wrote:

Our military equipment already is vulnerable. We just don't know how badly because it's not open source.

Prove it's secure by releasing the code.

Depends on the application.

In some cases, it would be fantastic. But it’s clearly not a one size fits all, yeah.

The GitHub page has a section for this:

Exempted Code

Not all source code, documentation and metadata used in the development of Direct File is included in this repository. Specifically, any code or data that is considered Personally Identifiable Information (PII), Federal Tax Information (FTI), Sensitive But Unclassified (SBU), or source code developed for National Security Systems (NSS), as defined in 40 U.S.C. § 11103, is exempt. Due to these restrictions, certain pieces of functionality have been removed or rewritten.

Security can mean security against hackers, but it can also mean security against revealing classified information. Classified information about weapons systems (e.g. performance characteristics) is inherently embedded into the code running on those systems, and therefore shouldn't be open sourced.

Source: used to write classified code

I'm sure a lot of military software, in contrast, is acquired from private companies that retain IP rights. Likely legal exceptions aside.

That was my thought too and I did so but it's been up for over a week now.

Is that even available right now? Usually for this type of thing you need API keys, which are not included, nor available at all.

The problem you’re describing (open sourcing critical software) could both increase the capabilities of adversaries and also make it easier for adversaries to search for exploits. Open sourcing defeats security by obscurity.

Leaving security by obscurity aside could be seen as a loss, but it’s important to note what is gained in the process. Most security researchers today advocate against relying on security by obscurity, and instead focus on security by design and open security. Why?

Security by obscurity in the digital world is very easily defeated. It’s easy to copy and paste supposedly secure codes. It’s easy to smuggle supposedly secret code. “Today’s NSA secrets become tomorrow’s PhD theses and the next day’s hacker tools.”

What's the alternative for the military? If you rely on security by design and open security for military equipment, it’s possible that adversaries will get a hold of the software, but they will get a hold of software that is more secure. A way to look at it is that all the doors are locked. On the other hand, insecure software leaves supposedly secret doors open. Those doors can be easily bashed by adversaries. So much for trying to get the upper hand.

The choice between (1) security by obscurity and (2) security by design and open security is ultimately the choice between (1) insecurity for all and (2) security for all. Security for all would be my choice, every time. I want my transit infrastructure to be safe. I want my phone to be safe. I want my election-related software to be safe. I want safe and reliable software. If someone is waging a war, they’re going to have to use methods that can actually create a technical asymmetry of power, and insecure software is not the way to gain the upper hand.

Don't worry, that's all written by defense contractors anyways, so they'll sell it to the US, and to others the US allows, all closed source. The source won't even be open to the US government, either, as that'd harm the bottom line of the contractor (support & maintenance contracts for that closed-source software).

It seems to be working out fine in Ukraine…

I wonder if this could be altered to work for other countries

Watch this thread from here on in carefully separate the idealists from those who know what defence is like.

• yes, open-source is the goal of everything that can be opened.
• no, defence code isn't on the list of what can be opened
• yes, obscurity isn't good as a sole effort
• yes, defence in depth
• no the funding to get it to where it's safe to open for randos to submit changes isn't there today

Anything I missed?

Yes, Virginia, it's better to open all the things right now, but there are risks you haven't taken into account because you're not aware of them. The pros are; it's their job and their work, so listen to their expertise no matter what the oppositional/defiant disorder suggests otherwise.