Slashdot Mirror
Trustworthy Software For The NSA?
Janus Daniels writes "There's a new story from the New York Times, as reprinted at CNET News, about security concerns for Government agencies buying software from overseas. According to the article, a whistle-blower who helped sell software to the National Security Agency says that much of the development work is subcontracted to China, raising serious national security risks. He also discovered in the sales-support database... the names of more than 30 [identity-classified] employees of the United States National Security Agency...'"
of what it is they're programming, in the sense that do they know they are making a sensitive program for the NSA of the United States? If not then what could be the harm unless a backdoor gets thru unchecked? (I can only hope that some US officials or hired techies DO check this code for backdoors and the like.)
"There is no real right or wrong, just what the majority accepts at the time."
Those guys at MIT constructing the database on government members should get these names. oh what juicy tidbits of info they would be!
This is just the tip of the iceberg. I just quit a job (read by choice, not fired) where some of the software created for the DOD was done by mainland Chinese programmers ....without the knowledge of the DOD. This was software which was tied to a backend database containing sensitive information. No, we are not talking nuclear secrets, but it was information which other non-friendly countries to the U.S. (ie anyone by England) would find interesting and useful. I broached the subject numerous times to my employer, who essentially pulled an Alfred E. Nueman (What?!?! ME worry?!?!). Finally, I quit and informed the proper people, washing my hands of the entire mess. While it may sound stupid to quit a high-paying job in this economy, having Bubba has a cellmate made it a lot easier.
My rambling point is this....the U.S. Government, particuarly the DOD, will be using software made by non-friendly parties with an axe to grind, without ever receiving the source code or knowing who actually wrote the software. And what's more, it's been my experience the bueacracy really doesn't give a sh*t as long as they can pass the buck.
The bigger issue is not where the code is written, it's whether you can audit the source yourself (and whether you actually do so.
See reflections on trusting trust for a nice article about why, if it really matters, you should be careful with other people's code.
The NSA deals with mathimatics and technology, primary cryptography although it deals with a lot of the other facets of secure communications. It doesn't deal directly with the information it recovers/protects, it passes it on to the other intel & military groups.
R acers.com
The NSA is a great place to work for geeks as long as they don't want high pay (it is a government job).
No, I don't work there (Since I'm in college, but I might someday), but I know a mathmatician who worked there for a number of years and swears it was the best experience of his life (and he has a lot of cool stories about working there).
http://www.WhiteHatResearch.net
http://www.MSU
So why does the NSA emplyee the most people of any goverment TLA? FBI,CIA etc I'm not sure but I think it was only recently eclipsed by the Homeland Security Office.
Given it's secrecy how do you know that NSA is doing what it's mandated to do?
This is definitely a problem. I used to support the CIA as a customer, and though the users were only identified by first name, we had home addresses for a few because they sometimes wanted us to ship stuff in a hurry and not have it slowed down by inspections.
There's no other way to see it. It is grossly negligent for any agency involved in national security (NSA, CIA, NRO, FBI, etc.) to outsource software. Any "budget" or "manpower" excuse is unacceptable. Frankly, the US should have a "National Coding Office" to make all government software. Nothing should be purchased from Microsoft, and it sure as hell shouldn't be purchased from the Chinese communists (i.e. the enemy). Would we have outsourced to the Soviets during the Cold War? Apparently so.
Stupid people make stupid things profitable.
In a previous job I dealt with a piece of Platform Software called LSF (Load Sharing Facility). Now I have to say it was a very complicated bit of software which to me seem to be a mixture of shell scripts, binarys and NFS/SMB mounts. After actually doing the training courses my belief didn't change and I regularly found bugs in it.
Now this might of just been the SGI version but overall taking this as a particular example the quality of the code was terrible and 1/2 had undocument features
Just my 2p
Rus
Cheap UK and US VPS
Let no one make the mistake that this story has any connection to "trustworthy computing". The story does not use the word "trustworthy", much less suggest that that the NSA should use trustworthy computing.
Anyone who suggests that trustworthy computing would be good for government security doesn't know what they are talking about. Trustworthy computing would be an absolute disaster for security. Any intelligence agency on earth can dig one of the keys out of trustworthy hardware and beat the system. Hell, college students with access to a well stocked university lab can break the hardware security and beat the system.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
OK, I read this article this morning.
The guy is telling the NSA stuff they already know, and have signed off as acceptable. His company was entirely above board in explaining their operations to the NSA in the first place.
Everyone involved knows what's going on. He is the only person who seems to have a problem with it. It doesn't sound like whistle-blowing to me, as much as whining.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
Even if they hire their own programmers, who's to say the programmers they hire aren't spies?
;)
They could perform background checks of the programmers they hire or of all the programmers that work for an IT outsourcing outfit. But even then, it's possible for spies to slip through. After all, do you think anyone's gonna write "worked for Chinese military intelligence as a spy" on their resume?
This is an inherent problem in running a group like the NSA. You can't trust anyone. The best you can hope for is to bring your programmers (or any employee or contractor) in-house and keep a watchful eye on them. Even then, how do you know for sure they aren't leaking documents when they go home? What are you gonna do? Lock all the programmers in a room with lead walls and no door? How realistic is that?
My journal has hot
Personally, I believe that if any country buys software from another country which they use for sensitive government applications, and that software has backdoors in it, the government that purchased it got exactly what it deserved for its stupidity. If you want real security, you need to develop your code in-house, or use open-source code (and have it audited in-house). Trusting your government secrets to a foreign company is beyond stupid.
If the US Government is doing the same thing, then they're getting their just desserts as well.