Slashdot Mirror


Trustworthy Software For The NSA?

Janus Daniels writes "There's a new story from the New York Times, as reprinted at CNET News, about security concerns for government agencies buying software from overseas. According to the article, a whistle-blower who helped sell software to the National Security Agency says that much of the development work is subcontracted to China, raising serious national security risks. He also discovered in the sales-support database... the names of more than 30 [identity-classified] employees of the United States National Security Agency..."

17 of 229 comments

  1. Are the subcontractors fully aware.. by Xuranova · · Score: 5, Interesting

    of what it is they're programming, in the sense that do they know they are making a sensitive program for the NSA of the United States? If not, then what could be the harm unless a backdoor gets through unchecked? (I can only hope that some US officials or hired techies DO check this code for backdoors and the like.)

    --
    "There is no real right or wrong, just what the majority accepts at the time."
    1. Re:Are the subcontractors fully aware.. by Frymaster · · Score: 3, Interesting
      The thing to realize is that the NSA is not the "no such agency" it was back in the 70s and 80s! Twenty years ago, if a cryptologic solution or piece of software was not made in house, the NSA regarded it as either useless or dangerous.

      Heck, the NSA is even working on SELinux (a security-enhanced Linux) that is open source. And the kicker is this: one of their partners is PGP Security. (source: here)

      Times have changed.

  2. Total government awareness by aberant · · Score: 4, Interesting

    Those guys at MIT constructing the database on government members should get these names. Oh, what juicy tidbits of info they would be!

  3. If my experience is any indication... by instantkarma1 · · Score: 4, Interesting

    This is just the tip of the iceberg. I just quit a job (read: by choice, not fired) where some of the software created for the DOD was done by mainland Chinese programmers... without the knowledge of the DOD. This was software which was tied to a backend database containing sensitive information. No, we are not talking nuclear secrets, but it was information which other countries non-friendly to the U.S. (i.e. anyone but England) would find interesting and useful. I broached the subject numerous times to my employer, who essentially pulled an Alfred E. Neuman (What?!?! ME worry?!?!). Finally, I quit and informed the proper people, washing my hands of the entire mess. While it may sound stupid to quit a high-paying job in this economy, the prospect of having Bubba as a cellmate made it a lot easier.

    My rambling point is this: the U.S. Government, particularly the DOD, will be using software made by non-friendly parties with an axe to grind, without ever receiving the source code or knowing who actually wrote the software. And what's more, it's been my experience that the bureaucracy really doesn't give a sh*t as long as they can pass the buck.

  4. Trusting trust by robindmorris · · Score: 5, Interesting

    I RTA, and the whistleblower claims that the Chinese could have the opportunity to put something malicious into the code. The company claims that work for the US Govt. is not sent out to China. The security agencies say that they audit all outside code anyway.

    The bigger issue is not where the code is written, it's whether you can audit the source yourself (and whether you actually do so).

    See "Reflections on Trusting Trust" for a nice article about why, if it really matters, you should be careful with other people's code.

  5. Re:NSA, CIA, HSA... by Anonymous Coward · · Score: 2, Interesting

    The NSA deals with mathematics and technology, primarily cryptography, although it deals with a lot of the other facets of secure communications. It doesn't deal directly with the information it recovers/protects; it passes it on to the other intel & military groups.

    The NSA is a great place to work for geeks as long as they don't want high pay (it is a government job).

    No, I don't work there (since I'm in college, but I might someday), but I know a mathematician who worked there for a number of years and swears it was the best experience of his life (and he has a lot of cool stories about working there).

    http://www.WhiteHatResearch.net
    http://www.MSURacers.com

  6. Re:chinese intelligence by Anonymous Coward · · Score: 1, Interesting

    I used to work for the Army. During a training session for mapping software they use (a few years after the incident you mention), we were shown during the first five minutes a slide showing why the software was necessary: an editorial cartoon of a city street vendor and a guy in military uniform saying "Hey! Got a map of Belgrade!?"

  7. Re:NSA, CIA, HSA... by Usquebaugh · · Score: 2, Interesting

    So why does the NSA employ the most people of any government TLA? FBI, CIA, etc. I'm not sure, but I think it was only recently eclipsed by the Homeland Security Office.

    Given its secrecy, how do you know that the NSA is doing what it's mandated to do?

  8. Identity (in)security by crism · · Score: 2, Interesting

    This is definitely a problem. I used to support the CIA as a customer, and though the users were only identified by first name, we had home addresses for a few because they sometimes wanted us to ship stuff in a hurry and not have it slowed down by inspections.

  9. NSA should make its own software by kaltkalt · · Score: 2, Interesting

    There's no other way to see it. It is grossly negligent for any agency involved in national security (NSA, CIA, NRO, FBI, etc.) to outsource software. Any "budget" or "manpower" excuse is unacceptable. Frankly, the US should have a "National Coding Office" to make all government software. Nothing should be purchased from Microsoft, and it sure as hell shouldn't be purchased from the Chinese communists (i.e. the enemy). Would we have outsourced to the Soviets during the Cold War? Apparently so.

    --

    Stupid people make stupid things profitable.

  10. Platform Software by rf0 · · Score: 3, Interesting

    In a previous job I dealt with a piece of Platform software called LSF (Load Sharing Facility). Now I have to say it was a very complicated bit of software, which to me seemed to be a mixture of shell scripts, binaries and NFS/SMB mounts. After actually doing the training courses my belief didn't change, and I regularly found bugs in it.

    Now this might have just been the SGI version, but overall, taking this as a particular example, the quality of the code was terrible and 1/2 had undocumented features.

    Just my 2p

    Rus

  11. Do not confuse with "TRUSTWORTHY" computing by Alsee · · Score: 2, Interesting

    Let no one make the mistake that this story has any connection to "trustworthy computing". The story does not use the word "trustworthy", much less suggest that the NSA should use trustworthy computing.

    Anyone who suggests that trustworthy computing would be good for government security doesn't know what they are talking about. Trustworthy computing would be an absolute disaster for security. Any intelligence agency on earth can dig one of the keys out of trustworthy hardware and beat the system. Hell, college students with access to a well stocked university lab can break the hardware security and beat the system.

    --
    You can't take something off the Internet! That's like trying to take pee out of a swimming pool.

  12. Whistleblowing on WHAT??!! by swordgeek · · Score: 2, Interesting

    OK, I read this article this morning.

    The guy is telling the NSA stuff they already know, and have signed off as acceptable. His company was entirely above board in explaining their operations to the NSA in the first place.

    Everyone involved knows what's going on. He is the only person who seems to have a problem with it. It doesn't sound like whistle-blowing to me, as much as whining.

    --

    "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban

  13. Re:NSA, CIA, HSA... by Hentai · · Score: 1, Interesting

    I apologize if my tone sounded in any way insulting; this was not at all my intent. I merely wanted to understand the situation better.

    My issue with the NSA is that precisely because of its secrecy, I cannot be certain that any research I do is factual. Just because its publicly stated mission and charter prevent it from working domestically is no guarantee that it is, in fact, not working domestically; many of us are already well aware of some of the abuses of power performed domestically and abroad by various government agencies this century. "That couldn't happen here" is not a sentiment some of us will trust, especially not after having heard it echoing throughout history from other nationals just as brave, just as strong, and just as patriotic as ourselves.

    Quis custodiet ipsos custodes, indeed?

    --
    -Hentai [in vita non pacem est]

  14. Outsourcing isn't always the problem either by Surak · · Score: 2, Interesting

    Even if they hire their own programmers, who's to say the programmers they hire aren't spies?

    They could perform background checks of the programmers they hire or of all the programmers that work for an IT outsourcing outfit. But even then, it's possible for spies to slip through. After all, do you think anyone's gonna write "worked for Chinese military intelligence as a spy" on their resume? ;)

    This is an inherent problem in running a group like the NSA. You can't trust anyone. The best you can hope for is to bring your programmers (or any employee or contractor) in-house and keep a watchful eye on them. Even then, how do you know for sure they aren't leaking documents when they go home? What are you gonna do? Lock all the programmers in a room with lead walls and no door? How realistic is that?

  15. Re:Can you say "PROMIS"? by Grishnakh · · Score: 2, Interesting

    Personally, I believe that if any country buys software from another country which they use for sensitive government applications, and that software has backdoors in it, the government that purchased it got exactly what it deserved for its stupidity. If you want real security, you need to develop your code in-house, or use open-source code (and have it audited in-house). Trusting your government secrets to a foreign company is beyond stupid.

    If the US Government is doing the same thing, then they're getting their just deserts as well.

  16. It cuts both ways by Anonymous Coward · · Score: 1, Interesting

    Here in Europe, we have an uneasy feeling that any software made in the USA may have some US government back doors in it, and as such not be suitable for any information we consider confidential. Even if we are on friendly terms with the USA just now, we know that US policies have changed rather quickly (think Afghanistan), so we have a reason to guard our own data, even (especially?) from the Americans...