Trustworthy Software For The NSA?
Janus Daniels writes "There's a new story from the New York Times, as reprinted at CNET News, about security concerns for Government agencies buying software from overseas. According to the article, a whistle-blower who helped sell software to the National Security Agency says that much of the development work is subcontracted to China, raising serious national security risks. He also discovered in the sales-support database... the names of more than 30 [identity-classified] employees of the United States National Security Agency..."
of what it is they're programming, in the sense that do they know they are making a sensitive program for the NSA of the United States? If not then what could be the harm unless a backdoor gets through unchecked? (I can only hope that some US officials or hired techies DO check this code for backdoors and the like.)
And obviously Chinese intel has capitalized on this - successfully directing the US Air Force to its embassy during the Serbian fiasco a few years back...
... but if they are afraid of untrustworthy software they really should hire someone to make them a custom open source solution. Or something. Yeah.
...who's to say that there might not be spies writing the software anyways. Can't the NSA write their own source code? They've already contributed SELinux.
Obviously, having all software written in the US eliminates the risk of having security risks.
The concerns cut both ways. The Chinese government has repeatedly accused the United States military and intelligence organizations of attempting to conduct espionage by manipulating American products sold in China. The tracking features in Intel's microprocessors and Microsoft's operating system software are of particular concern to Chinese officials, which is one reason China is intent on expanding its own technology industry. And so has the rest of the world.
Those guys at MIT constructing the database on government members should get these names. oh what juicy tidbits of info they would be!
The same people who collect everything I do online?
Forgive me, but I hope they rot in hell with their compromised software.
Given the recent push to commercialize various aspects of government, this is one of the potential pitfalls. Businesses will subcontract work to the lowest bidder and eliminate one of the internal controls that many government software projects have had in the past.
This is just the tip of the iceberg. I just quit a job (read: by choice, not fired) where some of the software created for the DOD was done by mainland Chinese programmers ....without the knowledge of the DOD. This was software which was tied to a backend database containing sensitive information. No, we are not talking nuclear secrets, but it was information which other non-friendly countries to the U.S. (i.e. anyone but England) would find interesting and useful. I broached the subject numerous times to my employer, who essentially pulled an Alfred E. Neuman (What?!?! ME worry?!?!). Finally, I quit and informed the proper people, washing my hands of the entire mess. While it may sound stupid to quit a high-paying job in this economy, having Bubba as a cellmate made it a lot easier.
My rambling point is this....the U.S. Government, particularly the DOD, will be using software made by non-friendly parties with an axe to grind, without ever receiving the source code or knowing who actually wrote the software. And what's more, it's been my experience the bureaucracy really doesn't give a sh*t as long as they can pass the buck.
NSA is about total information, right?
I think it's a good idea that NSA software is developed in China. I bet there are "undocumented" key combinations that will disable Macrovision and regional restrictions.
The bigger issue is not where the code is written, it's whether you can audit the source yourself (and whether you actually do so).
See reflections on trusting trust for a nice article about why, if it really matters, you should be careful with other people's code.
China is a free, democratic and trustworthy country with a growing group of software developers. I'm sure that they could make something secure for NSA that we could lay our nation's hands on. It's extremely important that we help to foster proprietary solutions that will help business abroad.
And after all it's much better to use secure and trusted solutions from a close ally than having to resort to some of those old versions of UNIX. Now that SCO probably wins their case and AIX and Solaris go down the drain, it could be nice to have some other alternatives than only American software. Because we all know, as DARPA found out, that you just can't trust FreeBSD and Linux in an environment like the NSA needs.
Proud patriot and republican voter.
This guy sounds a bit paranoid to me. As far as I'm concerned it's the US Government's job to look into things like this, not his. Does he honestly think the *NSA* would buy software with huge security holes? One might wonder if the names he saw were fake in the first place; I personally doubt the *NSA* would just give them out. Or maybe I just give them more credit than they deserve...
A lot of questions and insults. Not surprising, as you appear to have done no research. Well, we do know what the NSA does. The NSA is charged with breaking other people's coded messages. In other words, it is basically the MOST defensive, MOST safe secret service we have. The worst it does is invade privacy. And it is very unlikely to invade YOUR privacy, as most people do not use the kind of high-end cryptology that they counter. The CIA is far more dangerous and active. Not to mention the various military agencies that do the black ops for the CIA.
P.S. What fool modded this as interesting? It is clearly off topic.
The NSA deals with mathematics and technology, primarily cryptography, although it deals with a lot of the other facets of secure communications. It doesn't deal directly with the information it recovers/protects; it passes it on to the other intel & military groups.
The NSA is a great place to work for geeks as long as they don't want high pay (it is a government job).
No, I don't work there (since I'm in college, but I might someday), but I know a mathematician who worked there for a number of years and swears it was the best experience of his life (and he has a lot of cool stories about working there).
I should have also said that a number of contracts that one might expect would be internal government projects have more and more been bid out to private contractors. For instance, you might be surprised to find that a number of very sensitive database projects, military police actions and military interventions in the Balkans and Central America are being handled by companies such as Dyncorp.
whatever you do, don't buy that fancy new software from skynet!! /ahnuld accent on "Trust Me" /off
Jeebus Christ, don't those idiots remember what we did in the Inslaw affair? (Not so much what was done to Inslaw, but the backdoors the CIA put into software which was then sold to unfriendly countries.)
So why does the NSA employ the most people of any government TLA? FBI, CIA etc. I'm not sure, but I think it was only recently eclipsed by the Homeland Security Office.
Given its secrecy, how do you know that NSA is doing what it's mandated to do?
Why don't you visit their website and attempt to find out for yourself what they do? Here are the two big terms to look for: SIGINT and INFOSEC. When you can tell someone what those are in your own words, you'll know what the NSA does.
This is definitely a problem. I used to support the CIA as a customer, and though the users were only identified by first name, we had home addresses for a few because they sometimes wanted us to ship stuff in a hurry and not have it slowed down by inspections.
>how do we, as citizens, ensure that organizations like the NSA are helping us more than they hurt us?
We pay attention when we vote for our congressmen, who control the budget and some of whom sit on the intelligence oversight committees.
We support a free press, so that a whistleblowing employee has somewhere to turn to get the word out.
We keep ourselves informed, so that we know the NSA makes and breaks ciphers, secures US communications, and eavesdrops on foreign communications.
Companies which have code written outside of the U.S. should pay duty or tariffs on each license they sell just like vendors of manufactured items do. That would slow down the Great Tech Job Exodus.
I know someone that has a small software company that's done contract work for the CIA. He is much, much more careful with his software than that, and would never make a mistake like that because he'd be afraid that he'd lose his security clearance and never be able to get his cushy government contracts.
He also said that he worked for a certain salad dressing company once, and they were much more careful about their trade secrets (recipes) than the CIA was about anything.
There's no other way to see it. It is grossly negligent for any agency involved in national security (NSA, CIA, NRO, FBI, etc.) to outsource software. Any "budget" or "manpower" excuse is unacceptable. Frankly, the US should have a "National Coding Office" to make all government software. Nothing should be purchased from Microsoft, and it sure as hell shouldn't be purchased from the Chinese communists (i.e. the enemy). Would we have outsourced to the Soviets during the Cold War? Apparently so.
In a previous job I dealt with a piece of Platform Software called LSF (Load Sharing Facility). Now I have to say it was a very complicated bit of software which to me seemed to be a mixture of shell scripts, binaries and NFS/SMB mounts. After actually doing the training courses my belief didn't change and I regularly found bugs in it.
Now this might have just been the SGI version, but overall, taking this as a particular example, the quality of the code was terrible and 1/2 had undocumented features.
Just my 2p
Rus
Why should the NSA be any better? Why would the best of the best go there when they can make a whole lot of money in the private sector? I'm not just talking about the mathematicians, computer guys and cryptographers either; you need the top-notch managers to run those groups and deal with the compartmentalization that goes on while still motivating and producing top quality results. I could see the government rounding up geeks and math guys, I couldn't see them cultivating that leadership or hiring much of it.
Honestly, I think their biggest thing is that they never get tired or run out of resources. That's how the FBI caught the unabomber, they just kept looking and looking and looking and then they got him. There are textbook methods and approaches to security. Their ciphers have looked like they simply follow them and are extremely conservative and diligent.
Let no one make the mistake that this story has any connection to "trustworthy computing". The story does not use the word "trustworthy", much less suggest that that the NSA should use trustworthy computing.
Anyone who suggests that trustworthy computing would be good for government security doesn't know what they are talking about. Trustworthy computing would be an absolute disaster for security. Any intelligence agency on earth can dig one of the keys out of trustworthy hardware and beat the system. Hell, college students with access to a well-stocked university lab can break the hardware security and beat the system.
It's called congressional oversight. You need to go back to civics class. Please see 50 USC 413
OK, I read this article this morning.
The guy is telling the NSA stuff they already know, and have signed off as acceptable. His company was entirely above board in explaining their operations to the NSA in the first place.
Everyone involved knows what's going on. He is the only person who seems to have a problem with it. It doesn't sound like whistle-blowing to me, as much as whining.
That's foreign. They haven't blown anyone up domestically, have they?
Even if they hire their own programmers, who's to say the programmers they hire aren't spies?
;)
They could perform background checks of the programmers they hire or of all the programmers that work for an IT outsourcing outfit. But even then, it's possible for spies to slip through. After all, do you think anyone's gonna write "worked for Chinese military intelligence as a spy" on their resume?
This is an inherent problem in running a group like the NSA. You can't trust anyone. The best you can hope for is to bring your programmers (or any employee or contractor) in-house and keep a watchful eye on them. Even then, how do you know for sure they aren't leaking documents when they go home? What are you gonna do? Lock all the programmers in a room with lead walls and no door? How realistic is that?
I thought you said: "CIA they are simply an information-gathering agency"? Or is blowing people up some new form of gathering information?
Like all secret service orgs the NSA has many arms dealing with various levels of classification and security. If you want to know more about them just go to http://www.nsa.gov; if you want a collection of names of people who work there go to http://www.nsa.gov/releases/speeches.html, learn who they are and feel free to digest all that they have to say. This is the story of a guy who was fired for missing his performance goals; he should be laughed at, not heralded as a hero. I'm not sure anybody really cares about the 30 procurement execs that he found in his company's CRM system. You can bet your bottom dollar that any contractors working on secret systems will have been vetted; depending upon the classification level there is a good chance that the vetting will go down to employee level. I therefore have to assume that the work that Platform are doing is non-essential. I for one am glad to see the Government spending our dollars a little more wisely than they would be if they applied the highest level of security regulations to all of their systems.
anything that can't be known by the public, even after the fact, probably shouldn't be done.
I'm sure that the Afghan nationals passing on intelligence to the CIA fully agree with you. The Taliban and AQ wouldn't hold a grudge.
I'm sure the British agent(s) who infiltrated the IRA agree wholeheartedly. Why, after 10 years, they could all get together and share a pint down at the pub.
Likewise, the informant who decides to turn in a mob boss.
I'm just about as libertarian and pro-transparency as the next guy...But We DO live on earth.
Okay. So they test LSF in China.... big deal. C'mon people! LSF is written by CANADIANS! This is the country with 90% of its population within 200 miles of our northern border - they are poised for invasion! This is the country that is secretly spewing tons of CFCs into the atmosphere to drive up their real estate prices through global warming. While the lower 48 is a desert wasteland, those hockey-loving, eh-sayin' canucks will be living in a tropical paradise! Do you think it is a coincidence that Microsoft is headquartered so close to the Canadian border? And what about all the money they make selling all that maple syrup? Where does that go? That's right... straight to the ACLU! I for one won't stand for it! The evil empire must be stopped! ;-)
Well, I have heard from a friend who knows some people who first-hand got information from a very reliable source in the DMV whose cousin used to want to be in the CIA that your information is pure hyperbole!
True. I also can't be certain that you actually are Hentai (165906). I can't be sure NSA isn't growing plants capable of world domination, and I can't be sure that Intel doesn't routinely replace foreign dictators with animatronic robots.
I also can't tell what the Department of Labor, Nasa, or any other government agency really does. Sure, they've got pretty offices you can go into, but is that all of it? Did they show you the sub-basement?
Having interned at NSA a number of years back, I can tell you I never saw any Ninjas training in the cafeteria.
I can say that when a company does write software for something that goes into a military project, it has to conform to certain coding standards. IEEE 12207 is the standard most used for the US military.
So the software put into these electronics is well documented with specifications, design documents and quality assurance documents.
The government also gets to review all source code supplied along with running their own tests and so on to ensure that the software is of the proper quality. The master of the source is encrypted and put into a secure location.
The software and hardware are not always bug free, but between the customer and the buyer, the code is open.
Since the NSA is run by the Air Force, I would think that this guy is just moving some hot air around.
As for outsourcing the coding to a non-US company, that happens when the company happens to be a subcontractor for an American company, or if the American companies can't compete. The US isn't in the business of propping up American companies (at least, not in the sense that Europe does with say, Airbus). They will almost always go for the solution presented by the lowest bidder which performs the best in the tasks that are required.
Since I doubt the NSA is run by a bunch of idiots, I would say that they check the software that is supplied to them. Let me put it this way: you can't stay in the business of protecting the US and its interests if you are an idiot.
Next thing you know we'll be trusting our software development to Finnish nationals.
" Do you know who/what the NSA are? "
Yes, I do. In a moment, you, and anyone else reading this will too.
"The NSA is charged with breaking other people's coded message."
Well, no, not really. That's just oh so simplistic. You make it sound as though someone slaps a coded message on the NSA's desk and they sit there with a room full of really nerdy guys trying to figure out what it means. That's simply ridiculous.
Now let's talk about what the NSA really does. The NSA operates, with the help of a select few other nations, a worldwide communications surveillance and recovery network designed to capture, decode, sort, and record any and all internet, satellite, radio, telephone, cellular, fax, or any other communications which travel from one location to another via technology while prioritising data in need of further review. With installations in the US, Canada, the UK, New Zealand, Australia, and numerous other places, the NSA monitors and oversees this massive worldwide network. All messages are automatically compiled and sorted by the system for analysis, at which point any and all irrelevant data is purged. Coded or encrypted information is recorded and decoded on a priority-based system. Keywords are no longer used, as they were 20 years ago or so. Context-sensitive AI systems work through messages to understand a wide range of contextual and syntactic items, setting aside possible intelligence leads, threat information, uninterpretable data, and other information of interest (information which could be useful for or against certain corporations, for instance) for more detailed analysis; or in the case of items deemed high priority, immediate human analysis.
The NSA's missions also include, as you state, cryptography-breaking, but also cryptography-making. They are responsible for creating and maintaining the encryption systems of intelligence and military institutions at the higher levels. In addition to this, they are also responsible for ensuring that new systems developed by anyone, friend or foe, are quickly cyphered so no information remains hidden from us. Much of the mathematics done at the NSA is for the study of cryptography, both practical and theoretical.
The NSA also designs and manufactures surveillance devices for audio, visual, and GPS-based tracking. GPS-based systems are developed at a number of NSA sites, and new technologies are first tested and implemented in NSA-controlled satellites in geo-sync orbit for use in tracking and surveillance. Part of the NSA's mission has been expanded to include corporate espionage for large US-based mega-corps. NSA surveillance devices have also been used to gain an edge in diplomatic situations, such as in the UN. While the CIA is mostly human-to-human interactions and manpower-based intelligence, the NSA is nearly entirely technology-based.
"In other words, it is basically the MOST defensive, MOST safe secret service we have."
The NSA is the most likely candidate for the first agency to be used to try to turn the US into a totalitarian state. Its massive surveillance capabilities make a 1984-style society seem so attainable. In the information age, information is power. In the information age, the NSA is the information source. In a world where everything is electronic, the NSA has eyes and ears everywhere, and has developed the technology (with the help of a massive, secretive budget) to ensure that whoever is in control gets the information they need when they need it.
"The worst it does is invade privacy."
Invasion of privacy is 90% of what makes 1984 possible. If you have privacy, you don't have 1984; a dark corner is all it takes.
"And it is very unlikely to invade YOUR privacy, as most people do not use the kind of High end cryptology that they coutner."
Completely wrong. The NSA does not only monitor highly-encrypted data; that's absurd. The NSA monitors all telecommunications. If it's on the i
Folks,
.... We will contract out most of the worker-bee and pack-mule government jobs, because it is easier for (SUFU) idiots in management to manage a contract point fingers and have friends and family share awards and recognition for doing the wrong thing (... recent NASA, FBI, and CIA, failings)
... if they ain't solving and preventing problems. This is why we have the money and intelligence to buy software with China as the OSD and receive "Trojan Horse" applications from OSD even here in the USA for US Government and Military mission critical systems.
Not the first time, not the last time for Clueless Management in politics-as-usual DC and Government. Our potential destruction due to the stupid, pompous, and greedy.
In our Capitalist Democracy our leaders, political and religious, place more priority on enforcement of the Digital Millennium Copyright Act (DMCA) and Library internet filters than homeland defense. It looks better to the illiterate moral majority bigots that vote and support the economy (the real priority) with questionable profit penalties and no cost issue camouflage. Our true foreign policy at times seems to be to develop a good customer or at least a foreign government that supports a capitalist economy.
I strongly support our Marines, Soldiers, Sailors, and AirPersons, but the politicians and management need to get their priorities straight. FAILURE is never an option. It is time CEOs, politicians, management and some others recognize that they are the problem.
OldHawk777
I agree with another poster that mentioned SELinux. The NSA knows how to write secure software and how to audit software and source code. Assuming they build their own binaries from the source, it should be a relatively safe system. The only potential security problem I can see is that outsiders may know exactly what they are running. But assuming it's properly designed and implemented, that shouldn't be a problem either. That's why everyone likes Linux/BSD so much.
Los Alamos has a history of physical security problems that should cause more worries than this. Hard drives disappearing, and reporters sneaking in at night, getting locked in, and then the guards letting them out when they found them.
They surely have a little more capacity than, say Google with "73.5 million unique users per month".
Whatever they do with so much electricity.
And they have their own HQs in all those countries in which they observe. In Frankfurt, Germany, it's one whole street, straight under the telecommunications tower.