Trustworthy Software For The NSA?
Janus Daniels writes "There's a new story from the New York Times, as reprinted at CNET News, about security concerns for Government agencies buying software from overseas. According to the article, a whistle-blower who helped sell software to the National Security Agency says that much of the development work is subcontracted to China, raising serious national security risks. He also discovered in the sales-support database... the names of more than 30 [identity-classified] employees of the United States National Security Agency...'"
... but if they are afraid of untrustworthy software they really should hire someone to make them a custom open source solution. Or something. Yeah.
...who's to say that there might not be spies writing the software anyway? Can't the NSA write their own source code? They've already contributed SELinux.
----
Go canucks, habs, and sens!
The concerns cut both ways. The Chinese government has repeatedly accused the United States military and intelligence organizations of attempting to conduct espionage by manipulating American products sold in China. The tracking features in Intel's microprocessors and Microsoft's operating system software are of particular concern to Chinese officials, which is one reason China is intent on expanding its own technology industry. And so is the rest of the world.
There are two kinds of egotists: 1) Those who admit it 2) The rest of us
Given the recent push to commercialize various aspects of government, this is one of the potential pitfalls. Businesses will subcontract work to the lowest bidder and eliminate one of the internal controls that many government software projects have had in the past.
Visit Jonesblog and say hello.
Isn't it time for the obSecurity-through-obscurity comment? Also, I don't think he's worried so much about a foreign developer getting a spontaneous urge to modify code because he just found out it was headed to the NSA, but rather foreign governments discovering where the software went and setting up spy developers to go mess with the code (insert backdoors, what have you).
Why not fork?
> how do we, as citizens, ensure that organizations like the NSA are helping us more than they hurt us?
We pay attention when we vote for our congressmen, who control the budget and some of whom sit on the intelligence oversight committees.
We support a free press, so that a whistleblowing employee has somewhere to turn to get the word out.
We keep ourselves informed, so that we know the NSA makes and breaks ciphers, secures US communications, and eavesdrops on foreign communications.
Companies which have code written outside of the U.S. should pay duty or tariffs on each license they sell just like vendors of manufactured items do. That would slow down the Great Tech Job Exodus.
The same people who collect everything I do online? Forgive me, but I hope they rot in hell with their compromised software.
What's worse - collecting some bits of what some people do online? Or, as China does, censoring what online content is available (right down to individual posts on message boards) to over 1 billion people?
Agreed that privacy is an important issue, but like most things, it is relative. Look around at what others have (or haven't) before bitching about your individual situation.
I'd rather be a conservative nutjob than a liberal with no nuts and no job.
A common misconception is that the NSA buys/evaluates software the same way Joe Blow does.
I've been there and written code. Got a joint service commendation medal for software work for nuke command & control. The review process for critical code is excruciating.
This article is a lot of FUD.
Did you notice they don't make ANY claim whatsoever about what TYPE of software development? Hmmmm...that's interesting.
It's always possible espionage can happen. Having said that, there's a LOT that goes on at the NSA. Look at the publicly available pictures of the headquarters building. Ever wonder what it takes to feed and supply people and keep it clean?
There are different levels of software oversight, just as in the "outside" world. Yes, IRTA, and all I see is what looks like someone who was outside the loop making FUD statements about what's inside the loop.
Did you notice this doofus hasn't been on the job that long? Did you notice he was "alarmed" that the names of people were available? Well, duh!!
If you need to contact someone because you're contractually obligated to them, don't you need to know who they are and how to reach them? My family could pick up the phone and call me at work anytime they wanted, and they met a lot of the people I worked with. This guy has watched too much TV. How does he think contractors communicate with the NSA? Trap doors and dead drops?
FWIW, I've never used or owned a shoe phone. Nor did we talk under a cone of silence.
Personally, I like "Alias" but let's get real, everyone doesn't sneak around through hidden doors with code names.
To my eyes, this guy didn't have access to much of anything. Maybe he wanted to get into the secure side of the development and was refused. Hmmm..ya think?
Why should the NSA be any better? Why would the best of the best go there when they can make a whole lot of money in the private sector? I'm not just talking about the mathematicians, computer guys and cryptographers either; you need top-notch managers to run those groups and deal with the compartmentalization that goes on while still motivating and producing top-quality results. I could see the government rounding up geeks and math guys; I couldn't see them cultivating that leadership or hiring much of it.
Honestly, I think their biggest thing is that they never get tired or run out of resources. That's how the FBI caught the Unabomber: they just kept looking and looking and looking, and then they got him. There are textbook methods and approaches to security. Their ciphers have looked like they simply follow them and are extremely conservative and diligent.
The NSA Echelon system provided information to the CIA which led to the arrest of two major Al-Qaida figures after one gave an interview (giving a blueprint of his voice) and later placed a cell phone call.
Also note that now that I have used important keywords on a sensitive subject, prepare your account "Hentai" to be well ranked on the radar of the NSA.
Like all secret service orgs, the NSA has many arms dealing with various levels of classification and security. If you want to know more about them, just go to http://www.nsa.gov; if you want a collection of names of people who work there, go to http://www.nsa.gov/releases/speeches.html, learn who they are and feel free to digest all that they have to say. This is the story of a guy who was fired for missing his performance goals; he should be laughed at, not heralded as a hero. I'm not sure anybody really cares about the 30 procurement execs that he found in his company's CRM system. You can bet your bottom dollar that any contractors working on secret systems will have been vetted; depending upon the classification level, there is a good chance that the vetting will go down to employee level. I therefore have to assume that the work that Platform are doing is non-essential, and I for one am glad to see the Government spending our dollars a little more wisely than they would be if they applied the highest level of security regulations to all of their systems.
anything that can't be known by the public, even after the fact, probably shouldn't be done.
I'm sure that the Afghan nationals passing on intelligence to the CIA fully agree with you. The Taliban and AQ wouldn't hold a grudge.
I'm sure the British agent(s) who infiltrated the IRA agree wholeheartedly. Why, after 10 years, they could all get together and share a pint down at the pub.
Likewise, the informant who decides to turn in a mob boss.
I'm just about as libertarian and pro-transparency as the next guy...But We DO live on earth.
"If, therefore, any be unhappy, let him remember that he is unhappy by reason of himself alone."
~Epictetus
Obviously, having all software written in the US eliminates the risk of having security risks.
No. Having all software for government agencies written in the U.S. greatly reduces the risk of deliberately planted back doors and logic bombs. The company in question can't even keep a confidential database secure. From the article:
The company also does not make customer information stored in its sales support database generally available within the company, he said, adding that it was unclear how it would have been possible for Gabrenya to have the authorization to view the security agency customer data.
If it's hard for well-meaning coders to produce exploit-free programs, how difficult is it going to be for coders who were taught to hate the U.S. to introduce potential buffer overflows? And please don't give the tired old code review argument. If code reviews stopped exploits, there wouldn't be any - well, from organizations that do reviews more often than every 20 years, anyway.
True. I also can't be certain that you actually are Hentai (165906). I can't be sure the NSA isn't growing plants capable of world domination, and I can't be sure that Intel doesn't routinely replace foreign dictators with animatronic robots.
I also can't tell what the Department of Labor, Nasa, or any other government agency really does. Sure, they've got pretty offices you can go into, but is that all of it? Did they show you the sub-basement?
Having interned at the NSA a number of years back, I can tell you I never saw any ninjas training in the cafeteria.
Mod point free since 2001
I can say that when a company does write software for something that goes into a military project, it has to conform to certain coding standards. IEEE 12207 is the standard most used for the US military.
So the software put into these electronics is well documented with specifications, design documents and quality assurance documents.
The government also gets to review all source code supplied along with running their own tests and so on to ensure that the software is of the proper quality. The master of the source is encrypted and put into a secure location.
The software and hardware are not always bug free, but between the customer and the supplier, the code is open.
Since the NSA is run by the Air Force, I would think that this guy is just moving some hot air around.
As for outsourcing the coding to a non-US company, that happens when the company happens to be a subcontractor for an American company, or if the American companies can't compete. The US isn't in the business of propping up American companies (at least, not in the sense that Europe does with say, Airbus). They will almost always go for the solution presented by the lowest bidder which performs the best in the tasks that are required.
Since I doubt the NSA is run by a bunch of idiots, I would say that they check the software that is supplied to them. Let me put it this way: you can't stay in the business of protecting the US and its interests if you are an idiot.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
Folks,
.... We will contract out most of the worker-bee and pack-mule government jobs, because it is easier for (SUFU) idiots in management to manage a contract, point fingers, and have friends and family share awards and recognition for doing the wrong thing (... recent NASA, FBI, and CIA failings)
... if they ain't solving and preventing problems. This is why we have the money and intelligence to buy software with China as the OSD and receive "Trojan Horse" applications from OSD, even here in the USA, for US Government and Military mission-critical systems.
Not the first time, not the last time for clueless management in politics-as-usual DC and Government. Our potential destruction is due to the stupid, pompous, and greedy.
In our Capitalist Democracy our leaders, political and religious, place more priority on enforcement of the Digital Millennium Copyright Act (DMCA) and library internet filters than on homeland defense. It looks better to the illiterate moral majority bigots that vote and support the economy (the real priority), with questionable profit penalties and no-cost issue camouflage. Our true foreign policy at times seems to be to develop a good customer, or at least a foreign government that supports a capitalist economy.
I strongly support our Marines, Soldiers, Sailors, and AirPersons, but the politicians and management need to get their priorities straight. FAILURE is never an option. It is time CEOs, politicians, management and some others recognize that they are the problem.
OldHawk777
Reality is a self-induced hallucination.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
I agree with another poster that mentioned SELinux. The NSA knows how to write secure software and how to audit software and source code. Assuming they build their own binaries from the source, it should be a relatively safe system. The only potential security problem I can see is that outsiders may know exactly what they are running. But assuming it's properly designed and implemented, that shouldn't be a problem either. That's why everyone likes Linux/BSD so much.
Los Alamos has a history of physical security problems that should cause more worries than this: hard drives disappearing, and reporters sneaking in at night, getting locked in, and then the guards letting them out when they found them.