Trustworthy Software For The NSA?

Janus Daniels writes "There's a new story from the New York Times, as reprinted at CNET News, about security concerns for Government agencies buying software from overseas. According to the article, a whistle-blower who helped sell software to the National Security Agency says that much of the development work is subcontracted to China, raising serious national security risks. He also discovered in the sales-support database... the names of more than 30 [identity-classified] employees of the United States National Security Agency...'"

Are the subcontractors fully aware..

[Xuranova]

of what it is they're programming, in the sense that do they know they are making a sensitive program for the NSA of the United States? If not then what could be the harm unless a backdoor gets thru unchecked? (I can only hope that some US officials or hired techies DO check this code for backdoors and the like.)

Re:Are the subcontractors fully aware..

[Frymaster]

the thing to realize is that the nsa is not the "no such agency" it was back in the 70s and 80s! twenty years ago, if a cryptologic solution or piece of software was not made in house, the nsa regarded it as either useless or dangerous.

heck, the nsa is even working on selinux (a security enhanced linux) that is open source. and the kicker is this: one of their partners is pgp secruity. (source: here

times have changed

Total government awareness

[aberant]

Those guys at MIT constructing the database on government members should get these names. oh what juicy tidbits of info they would be!

If my experience is any indication...

[instantkarma1]

This is just the tip of the iceberg. I just quit a job (read by choice, not fired) where some of the software created for the DOD was done by mainland Chinese programmers ....without the knowledge of the DOD. This was software which was tied to a backend database containing sensitive information. No, we are not talking nuclear secrets, but it was information which other non-friendly countries to the U.S. (ie anyone by England) would find interesting and useful. I broached the subject numerous times to my employer, who essentially pulled an Alfred E. Nueman (What?!?! ME worry?!?!). Finally, I quit and informed the proper people, washing my hands of the entire mess. While it may sound stupid to quit a high-paying job in this economy, having Bubba has a cellmate made it a lot easier.

My rambling point is this....the U.S. Government, particuarly the DOD, will be using software made by non-friendly parties with an axe to grind, without ever receiving the source code or knowing who actually wrote the software. And what's more, it's been my experience the bueacracy really doesn't give a sh*t as long as they can pass the buck.

Trusting trust

[robindmorris]

I RTA, and the whistleblower claims that the Chinese could have the opportunity to put something malicious into the code. The company claims that work for the US Govt. is not sent out to China. The security agencies say that they audit all outside code anyway.

The bigger issue is not where the code is written, it's whether you can audit the source yourself (and whether you actually do so.

See reflections on trusting trust for a nice article about why, if it really matters, you should be careful with other people's code.

Platform Software

[rf0]

In a previous job I dealt with a piece of Platform Software called LSF (Load Sharing Facility). Now I have to say it was a very complicated bit of software which to me seem to be a mixture of shell scripts, binarys and NFS/SMB mounts. After actually doing the training courses my belief didn't change and I regularly found bugs in it.

Now this might of just been the SGI version but overall taking this as a particular example the quality of the code was terrible and 1/2 had undocument features

Just my 2p

Rus