Trustworthy Software For The NSA?
Janus Daniels writes "There's a new story from the New York Times, as reprinted at CNET News, about security concerns for Government agencies buying software from overseas. According to the article, a whistle-blower who helped sell software to the National Security Agency says that much of the development work is subcontracted to China, raising serious national security risks. He also discovered in the sales-support database... the names of more than 30 [identity-classified] employees of the United States National Security Agency...'"
of what it is they're programming, in the sense that do they know they are making a sensitive program for the NSA of the United States? If not then what could be the harm unless a backdoor gets through unchecked? (I can only hope that some US officials or hired techies DO check this code for backdoors and the like.)
"There is no real right or wrong, just what the majority accepts at the time."
China is a Strategic Partner (TM) anyway.
And obviously Chinese intel has capitalized on this - successfully directing the US Air Force to its embassy during the Serbian fiasco a few years back...
... but if they are afraid of untrustworthy software they really should hire someone to make them a custom open source solution. Or something. Yeah.
Okay, I've wondered this for a long time, and it's tangentially on-topic:
Given that secretive government organizations invariably lead to unchecked abuses, and given that the global environment does not allow for a country to operate entirely in the open, how do we, as citizens, ensure that organizations like the NSA are helping us more than they hurt us? Hell, how are we to even know how MUCH they hurt us, if we - as citizens - are not allowed to know what they are doing? But if we ARE allowed to know what they're doing, and are allowed to travel abroad and associate with whomever we please (it's a free country, after all), how do these organizations ensure the safety of their personnel and the effectiveness of their missions?
Do we even NEED the NSA? Does it do more for us than it does to us? And how could we ever possibly find out for sure?
-Hentai [in vita non pacem est]
[sarcasm]
cool.. we're finally going to go to war with china
[/sarcasm]
I write sig's like I know what I'm talking about.
...when the NSA is having companies bid for a given project, how do they think companies are offering ridiculously low prices compared to others?
This has been a trend for a long time, and not just in the IT industry, so one would expect the NSA to apply the same logic to purchases such as this too.
...who's to say that there might not be spies writing the software anyways? Can't the NSA write their own source code? They've already contributed selinux.
----
Go canucks, habs, and sens!
Obviously, having all software written in the US eliminates the risk of having security risks.
http://blogs.lns.kicks-ass.net/moonjihad/
The concerns cut both ways. The Chinese government has repeatedly accused the United States military and intelligence organizations of attempting to conduct espionage by manipulating American products sold in China. The tracking features in Intel's microprocessors and Microsoft's operating system software are of particular concern to Chinese officials, which is one reason China is intent on expanding its own technology industry. And so has the rest of the world.
There are two kinds of egotists: 1) Those who admit it 2) The rest of us
Those guys at MIT constructing the database on government members should get these names. oh what juicy tidbits of info they would be!
The same people who collect everything I do online?
Forgive me, but I hope they rot in hell with their compromised software.
Given the recent push to commercialize various aspects of government, this is one of the potential pitfalls. Businesses will subcontract work to the lowest bidder and eliminate one of the internal controls that many government software projects have had in the past.
Visit Jonesblog and say hello.
This is just the tip of the iceberg. I just quit a job (read by choice, not fired) where some of the software created for the DOD was done by mainland Chinese programmers ....without the knowledge of the DOD. This was software which was tied to a backend database containing sensitive information. No, we are not talking nuclear secrets, but it was information which other non-friendly countries to the U.S. (i.e. anyone but England) would find interesting and useful. I broached the subject numerous times to my employer, who essentially pulled an Alfred E. Neuman (What?!?! ME worry?!?!). Finally, I quit and informed the proper people, washing my hands of the entire mess. While it may sound stupid to quit a high-paying job in this economy, having Bubba as a cellmate made it a lot easier.
My rambling point is this....the U.S. Government, particularly the DOD, will be using software made by non-friendly parties with an axe to grind, without ever receiving the source code or knowing who actually wrote the software. And what's more, it's been my experience the bureaucracy really doesn't give a sh*t as long as they can pass the buck.
NSA is about total information, right?
I think it's a good idea that NSA software is developed in China. I bet there are "undocumented" key combinations that will disable Macrovision and regional restrictions.
Best Windows Freeware
The bigger issue is not where the code is written, it's whether you can audit the source yourself (and whether you actually do so).
See reflections on trusting trust for a nice article about why, if it really matters, you should be careful with other people's code.
China is a free, democratic and trustworthy country with a growing group of software developers. I'm sure that they could make something secure for the NSA that we could lay our nation's hands on. It's extremely important that we help to foster proprietary solutions that will help business abroad.
And after all it's much better to use secure and trusted solutions from a close ally than having to resort to some of those old versions of UNIX. Now that SCO probably wins their case and AIX and Solaris go down the drain, it could be nice to have some other alternatives than only American software. Because we all know, as DARPA found out, that you just can't trust FreeBSD and Linux in an environment like the NSA needs.
Proud patriot and republican voter.
This guy sounds a bit paranoid to me. As far as I'm concerned it's the US Government's job to look into things like this, not his. Does he honestly think the *NSA* would buy software with huge security holes? One might wonder if the names he saw were fake in the first place; I personally doubt the *NSA* would just give them out. Or maybe I just give them more credit than they deserve...
India and other Asian countries are targeting American jobs and they don't have any IT business in their own countries. Can Indians afford computers in their budgets? NO.
Their gov targets America's economy.
Tech companies need to be exposed for shifting jobs offshore.
I should have also said that a number of contracts that one might expect would be internal government projects have more and more been bid out to private contractors. For instance, you might be surprised to find that a number of very sensitive database projects, military police actions and military interventions in the Balkans and Central America are being handled by companies such as Dyncorp.
Visit Jonesblog and say hello.
what about background checks for people writing software for the fed in the US? (for the chinese immigrants with maintenance and testing experience)
I suppose with TIA that would be redundant
whatever you do, don't buy that fancy new software from skynet!! /ahnuld accent on "Trust Me" /off
C:\earth\humans\del *.m0ronz
The Sun Grid software does the same stuff just as well, it's open source, and after the NSA's contributions to SE Linux they must be ok with that. Platform's software is very expensive.
Jeebus Christ, don't those idiots remember what we did in the Inslaw affair? (Not so much what was done to Inslaw, but the backdoors the CIA put into software which was then sold to unfriendly countries.)
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Moderators should give credit to such posts.
Countries which develop their own military equipment usually do so in a secret/classified manner, and if they choose to import the necessary technology, they do so under an assumption that the country developing the technology would not try to sell them defective/backfiring technology.
The same assumption of trust applies (or should apply) to military software too.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
As someone who performs security code reviews on outsourced code I can say that this happens all the time. When everyone was outsourcing code to India for y2k work we found back doors all over the place. Everyone does it. It's a form of R&D. Give country X a project, review the technical capabilities of country X's people.
People who bite the hand that feeds them usually lick the boot that kicks them
OSS is just giving the plans to the enemy. With DRM, Bill Gates will ensure that all Americans sleep at night under the blanket of freedom. If you don't agree with that, then GET THE HELL OUT of this country!!!
Have they ever had software that was made overseas and which caused a security problem ?
Even more than home-made Microsoft - ware ?
This is definitely a problem. I used to support the CIA as a customer, and though the users were only identified by first name, we had home addresses for a few because they sometimes wanted us to ship stuff in a hurry and not have it slowed down by inspections.
Companies which have code written outside of the U.S. should pay duty or tariffs on each license they sell just like vendors of manufactured items do. That would slow down the Great Tech Job Exodus.
So the government doesn't have enough money to hire their own people? They have to subcontract it to china? heh...
----------
Check out Harvest Moon Online (a free online game based on the SNES game)
"stressed that he had seen no evidence of espionage or other wrongdoing by Platform employees either in Canada or China"
If he's really so worried about the threat to national security posed by the list of contact names, he should report it direct to the NSA.
"tamper with software being used by [NSA]" - that would be true wherever the software was written and regardless of who wrote it.
Presumably, the NSA has its own procedures for vetting and accepting new software - or are they really a bunch of innocents who just accept whatever they're given?
Do we even NEED the NSA? Does it do more for us than it does to us? And how could we ever possibly find out for sure?
This question is kind of like asking, "Do we even need the President's Cabinet?" Because the Cabinet doesn't work for the citizens of the USA, except in a technical taxpayer-dollars kind of way -- they work for the President, collecting information and advising on policy to him and him alone. They have no responsibility to the average citizen, nor are they any use to them. Their information and advice is for the chief executive.
Similarly, the NSA's function is nominally to protect America's secrets -- but really, it's to protect the American government's secrets. That government holds the data, collects the intelligence, operates the military, builds the equipment, etc. etc. Personally speaking, the NSA doesn't do jack for me. Their job is to serve the government and its offices.
The NSA isn't responsible to me because I don't vote for them, anymore than I vote for the President's cabinet. If I find out the NSA (or FBI or CIA) is doing something I don't like, then the only thing I can do is get the word out through the free press and vote out the elected officers who made it possible for those organizations to do so.
This is not a bad thing, mind you. I have enough trouble deciding which representatives, judges, councilmembers, etc. I ought to vote for on the local, state and federal levels every year. I don't need to vote for the NSA, too.
What the hell is with all these whistle-blowers? Anybody who's heard of fire and the wheel knows that Uncle Sam & Co. have demoted/fired/blacklisted virtually every idiot who's ever stuck his head up to rat on the system (while the folks being ratted on get far more promotions than prosecutions).
Is there some DNA test that'd prevent hiring from the shallow end of the gene pool?
It's easy to make up & spread cool- and credible-sounding stuff. Finding & checking hard facts is hard work.
Good post!
Security problems are like bugs, only harder to find. It's easy to write a bug that will slip through a code inspection. Would you trust an audit to uncover a cleverly crafted malicious security hole? Even if the auditors were as good as the OpenBSD team, which is a tall order?
I'd recommend controlling the environment the software runs in, so as to contain the damage done by a security problem. Then screening vendors for trustworthiness, then auditing their output to give yourself a chance of catching breaches of trust.
don't you think the NSA would prefer that the software they are using is created by people in the US? ooh wait, that's too uneconomical since they can hire people overseas for 10% of the cost.
I know someone that has a small software company that's done contract work for the CIA. He is much, much more careful with his software than that, and would never make a mistake like that because he'd be afraid that he'd lose his security clearance and never be able to get his cushy government contracts.
He also said that he worked for a certain salad dressing company once, and they were much more careful about their trade secrets (recipes) than the CIA was about anything.
There are no trails. There are no trees out here.
There might be problems with letting US companies code things...
John Kerry is a Joke!
There's no other way to see it. It is grossly negligent for any agency involved in national security (NSA, CIA, NRO, FBI, etc.) to outsource software. Any "budget" or "manpower" excuse is unacceptable. Frankly, the US should have a "National Coding Office" to make all government software. Nothing should be purchased from Microsoft, and it sure as hell shouldn't be purchased from the Chinese communists (i.e. the enemy). Would we have outsourced to the Soviets during the Cold War? Apparently so.
Stupid people make stupid things profitable.
In a previous job I dealt with a piece of Platform software called LSF (Load Sharing Facility). Now I have to say it was a very complicated bit of software which to me seemed to be a mixture of shell scripts, binaries and NFS/SMB mounts. After actually doing the training courses my belief didn't change and I regularly found bugs in it.
Now this might have just been the SGI version, but overall, taking this as a particular example, the quality of the code was terrible and 1/2 had undocumented features.
Just my 2p
Rus
Cheap UK and US VPS
If I wanted to increase my profit margins, what is a better way than to reduce my cost. Remove the high-paying jobs here in the good ol' US of A, and put minimum wage overseas workers in their place. BOOM! More profit!
If you want a simpler answer: Greed.
"Some fight for law. Some fight for justice. What will you fight for? One day, you will see."
Why should the NSA be any better? Why would the best of the best go there when they can make a whole lot of money in the private sector? I'm not just talking about the mathematicians, computer guys and cryptographers either, you need the top notch managers to run those groups and deal with the compartmentalization that goes on while still motivating and producing top quality results. I could see the government rounding up geeks and math guys, I couldn't see them cultivating that leadership or hiring much of it.
Honestly, I think their biggest thing is that they never get tired or run out of resources. That's how the FBI caught the Unabomber, they just kept looking and looking and looking and then they got him. There are textbook methods and approaches to security. Their ciphers have looked like they simply follow them and are extremely conservative and diligent.
Free trade is not Fair trade. Foreign countries dump their products here.
Let no one make the mistake that this story has any connection to "trustworthy computing". The story does not use the word "trustworthy", much less suggest that the NSA should use trustworthy computing.
Anyone who suggests that trustworthy computing would be good for government security doesn't know what they are talking about. Trustworthy computing would be an absolute disaster for security. Any intelligence agency on earth can dig one of the keys out of trustworthy hardware and beat the system. Hell, college students with access to a well stocked university lab can break the hardware security and beat the system.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
If they used standard project management procedures, used project coding standards, and had full source code review, how can there be security concerns? Sounds totally like scare mongering to me!
I was writing some firmware while working for an NSA contractor. I was using Denis Chertykov's AVR port of the GCC compiler, which hadn't yet been integrated into the main tree.
As I was working with the software, I hit a minor compiler snag, and I e-mailed Mr. Chertykov to see if he knew of any workarounds. He e-mailed me back, letting me know how I could fix the problem, and thanking me for pointing out the problem.
A few days later, I was called to my boss's office and thoroughly chewed out for "initiating contact with a foreign national". Moreover, he was a Russian foreign national (RFN), which was really unacceptable! The site certification had been endangered! I was ordered to explain exactly why I had contacted Mr. Chertykov. When I explained that he had written the main tool I was using in my project, my boss went paler than an Englishman with an aversion to sunlight (apologies to the international readers). I was not only CONTACTING the RFN, but I was actually using software WRITTEN by the very same RFN!
I was able to calm my boss down, but I basically had to chuck out all of Mr. Chertykov's software, along with any code that I had written while Mr. Chertykov's compiler had been on my machine. The company then spent a couple hundred dollars on a really SHITTY proprietary AVR compiler from an American company (they've gone out of business since; we might well have been their only customers ever).
Funny part is, Mr. Chertykov's patches were eventually accepted into the official GCC distribution; Chertykov had assigned all copyrights to the FSF (an organization based in the U.S.). Once that had taken place, it suddenly became "okay" to use his software-- after all, it was copyrighted by an American organization! Still written by the same RFN, but copyrighted by an American organization...
Lord, I'll never work in the gov't contract sector again if I can help it.
OK, I read this article this morning.
The guy is telling the NSA stuff they already know, and have signed off as acceptable. His company was entirely above board in explaining their operations to the NSA in the first place.
Everyone involved knows what's going on. He is the only person who seems to have a problem with it. It doesn't sound like whistle-blowing to me, as much as whining.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
Even if they hire their own programmers, who's to say the programmers they hire aren't spies?
;)
They could perform background checks of the programmers they hire or of all the programmers that work for an IT outsourcing outfit. But even then, it's possible for spies to slip through. After all, do you think anyone's gonna write "worked for Chinese military intelligence as a spy" on their resume?
This is an inherent problem in running a group like the NSA. You can't trust anyone. The best you can hope for is to bring your programmers (or any employee or contractor) in-house and keep a watchful eye on them. Even then, how do you know for sure they aren't leaking documents when they go home? What are you gonna do? Lock all the programmers in a room with lead walls and no door? How realistic is that?
My journal has hot
He also discovered in the sales-support database... the names of more than 30 [identity-classified] employees of the United States National Security Agency...
While I agree for national security purposes the list of employees should probably be held for review, I do hope a list exists somewhere and is being looked at. I would hate to think this whistleblower is acting like Joseph McCarthy 50-some-odd years ago.
Put it on a webcam.
Like all secret service orgs the NSA has many arms dealing with various levels of classification and security. If you want to know more about them just go to http://www.nsa.gov; if you want a collection of names of people who work there go to http://www.nsa.gov/releases/speeches.html, learn who they are and feel free to digest all that they have to say. This is the story of a guy who was fired for missing his performance goals; he should be laughed at, not heralded as a hero. I'm not sure anybody really cares about the 30 procurement execs that he found in his company's CRM system. You can bet your bottom dollar that any contractors working on secret systems will have been vetted; depending upon the classification level there is a good chance that the vetting will go down to employee level. I therefore have to assume that the work that Platform are doing is non-essential. I for one am glad to see the Government spending our dollars a little more wisely than they would be if they applied the highest level of security regulations to all of their systems.
Probably just 30 engineers who happen to work at the NSA who lead otherwise boring lives. The only reason they're identity-classified is because you can't threaten/blackmail someone working for the NSA if you don't know who they are. If I worked for them, you can bet I wouldn't be telling anyone about it.
In fact, this whole post might just be an elaborate ruse....
paintball
Without them, how would US corporations know what to steal from European corporations?
paintball
Ok, so now out-sourcing is causing all the information leaks, as opposed to the previous administration, who outright sold our secrets to competitor nations.
As for how the money trails tie together, it's amazing what information Google will find for you.
It would be naive to assume either way: The software can't be left unchecked, but it would be unfair to just assume that any software developer in China is working for or collaborating with the Communist government. There is precaution, then there is just baseless suspicion. China was not always hostile in recent times to the US, but hostilities have increased ever since the rise of the Bush administration.
Okay. So they test LSF in China.... big deal. C'mon people! LSF is written by CANADIANS! This is the country with 90% of its population within 200 miles of our northern border- they are poised for invasion! This is the country that is secretly spewing tons of CFCs into the atmosphere to drive up their real estate prices through global warming. While the lower 48 is a desert wasteland, those hockey loving, eh sayin' canucks will be living in a tropical paradise! Do you think it is a coincidence that Microsoft is headquartered so close to the Canadian border? And what about all the money they make selling all that maple syrup? Where does that go? That's right... straight to the ACLU! I for one won't stand for it! The evil empire must be stopped! ;-)
Please don't feed the trolls!
I think NSA got suspicious when they discovered the following comment in the software.
"Help! Help! We're being held prisoner in a Chinese system software factory!"
Good old System 6.
can't you use question marks?
I can say that when a company does write software for something that goes into a military project, it has to conform to certain coding standards. IEEE 12207 is the standard most used for the US military.
So the software put into these electronics is well documented with specifications, design documents and quality assurance documents.
The government also gets to review all source code supplied along with running their own tests and so on to ensure that the software is of the proper quality. The master of the source is encrypted and put into a secure location.
The software and hardware is not always bug free, but between the customer and the buyer, the code is open.
Since the NSA is run by the Air Force, I would think that this guy is just moving some hot air around.
As for outsourcing the coding to a non-US company, that happens when the company happens to be a subcontractor for an American company, or if the American companies can't compete. The US isn't in the business of propping up American companies (at least, not in the sense that Europe does with say, Airbus). They will almost always go for the solution presented by the lowest bidder which performs the best in the tasks that are required.
Since I doubt the NSA is run by a bunch of idiots, I would say that they check the software that is supplied to them. Let me put it this way: you can't stay in the business of protecting the US and its interests if you are an idiot.
Go read up on what the NSA actually does.
His police chief was Willie Williams, the dude who blessed the same thing at Waco.
"a whistle-blower who helped sell software to the National Security Agency says that much of the development work is subcontracted to China,"
How incredibly STUPID..
And I thought the NSA was smarter than that.
They even have developed a secure version of the kernel and have it for public download http://www.nsa.gov/selinux/
My faith has been shaken...
Next thing you know we'll be trusting our software development to Finnish nationals.
My Blog
Fact - The NSA is the largest purchaser of computer equipment in the US...hands down. Yes, this is documented and no all their purchases aren't documented thus they are an even larger purchasing entity than reported.
Fact - The NSA uses NO software that does not include source. Yes, if they use software from a closed source vendor, said vendor DOES provide source under NDA that is air tight (not because the NDA is that good, rather because the NSA is trustworthy).
Fact - The NSA employs thousands of incredible programmers to review, edit and secure outside source as well as create their own.
The NSA is a very VERY worthwhile entity that has given a lot to the tech community. While their skills may be misused at times by b-crats, they are on the whole a very good bunch.
Here in Europe, we have an uneasy feeling that any software made in USA may have some US government back doors in it, and as such not be suitable for any information we consider confidential. Even if we are on friendly terms with USA just now, we know that US policies have changed rather quickly (think Afghanistan), so we have a reason to guard our own data, even (especially?) from the Americans...
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
"Let me put it this way: you can't stay in the business of protecting the US and its interests if you are an idiot."
Try telling that to Bush.
The US is in the business of giving (some of) its secrets to anyone who might be a "useful" enemy in the future. The US LET the Chinese steal those nuclear secrets because the US WANTS the Chinese to be a credible nuclear threat in ten or fifteen years - just about the same time that the Chinese will be a credible ECONOMIC threat to the US economy - thereby justifying threats and war and political tinkering at home.
This is the standard government ploy - "You do everything we tell you to and give us everything you own, and we'll protect you from the bad people on the other side of the border and within our borders - and if there aren't any bad people, we'll make some."
The state is an extortion and protection racket, nothing more. ALL states are, without exception, throughout human history.
Therefore, it is no surprise that secrets get "leaked". Just as it is no surprise that weapons get sold to Iraq, Iran, nuclear reactors to North Korea by Rumsfeld's company, and so on...
But you monkeys just don't get it, do you? There's no sucker like an American sucker...
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
It's just the Air Force's puckish sense of humor.
I mean, after the French forced the F-111's to go the long way to Libya, BOOM!, there goes the French Embassy in Tripoli.
The Chinese bought the Clinton administration, made off with designs for nuclear weapons, and stole guidance systems from Loral. Then, BOOM!, there goes the Chinese Embassy.
God bless 'em!
668: Neighbour of the Beast
Yep, no matter how impressive it looks, there's only so much you can do with Powerpoint.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
Yep, no matter how impressive it looks, there's only so much you can do with Powerpoint.
All kidding aside, there are only so many good programmers and associated professionals. If a government agency wants the good ones, chances are they're going to have to either lure them in, train them from the inside, or buy off the rack: contractors.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
LOL!!!
You must have experience with a different US government than I do! The government that I've worked with would:
1) Never check the source code
2) If someone was supposed to, they wouldn't be smart enough to actually find a security leak
3) If that person did find a security leak, it would get reported and filed, and the software would be distributed normally.
4) If Norton Antivirus reported the software as a virus, Norton would be uninstalled and deemed incompatible.
Folks,
.... We will contract out most of the worker-bee and pack-mule government jobs, because it is easier for (SUFU) idiots in management to manage a contract point fingers and have friends and family share awards and recognition for doing the wrong thing (... recent NASA, FBI, and CIA, failings)
... if they ain't solving and preventing problems. This is why we have the money and intelligence to buy software with China as the OSD and receive "Trojan Horse" applications from OSD even here in the USA for US Government and Military mission critical systems.
Not the first time, not the last time for Clueless Management in politics as usual DC and Government. Our potential destruction due to the stupid, pompous, and greedy.
In our Capitalist Democracy our leaders, political and religious, place more priority on enforcement of the Digital Millennium Copyright Act (DMCA) and Library internet filters than homeland defense. It looks better to the illiterate moral majority bigots that vote and support the economy (the real priority) with questionable profit penalties and no cost issue camouflage. Our true foreign policy at times seems to be to develop a good customer or at least a foreign government that supports a capitalist economy.
I strongly support our Marines, Soldiers, Sailors, and AirPersons, but the politicians and management need to get their priorities straight. FAILURE is never an option. It is time CEOs, politicians, management and some others recognize that they are the problem.
OldHawk777
Reality is a self-induced hallucination.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
I agree with another poster that mentioned selinux. The NSA know how to write secure software and how to audit software and source code. Assuming they build their own binaries from the source it should be a relatively safe system. The only potential security problem I can see is that outsiders may know exactly what they are running. But assuming it's properly designed and implemented that shouldn't be a problem either. That's why everyone likes Linux/BSD so much.
Los Alamos has a history of physical security problems that should cause more worries than this. Hard drives disappearing and reporters sneaking in at night, getting locked in, and then the guards let them out when they found them.
That can't possibly be true ... CNN hasn't reported that yet, and if it's not on CNN, it can't be true.
So what kind of people work in the NSA? People like you and me. Geeks and nerds. Lots of them. Some contractors too, sure. And bunches of non-geeks in the mix (they have janitors, right? Or are those guys uber-special too?). It's like any tech-oriented business if you look at what we can see (looking at Ft. Meade and watching people go to work and everything). Forget the "mystery" and "godlike" status that everyone perceives for a second. It's an organization like any other business, and an effective organization is only possible if all people work together. But remember, these people have morals, they have laws protecting them from harm, and they have concerns about what their employer does as well. Back on topic, if you were paranoid about threats from abroad constantly (I imagine if you knew all sorts of neato stuff you'd be pretty paranoid), then you would most likely distrust anything from overseas and maybe even within the US (one poster already mentioned this as commonplace). So they'd probably audit software, heck yeah... even rip apart distributed binaries and analyze them to confirm that there's no "weird-looking piece of assembly" that doesn't seem to execute no matter what you try. And remember how slow everybody in the government works? Look at the postal service! That's a government agency too! Nothing much of a surprise to me, but maybe it comes as a mild shock to most people in general.
They can have my tinfoil hat when they pry it from my cold, dead... uh... head.