Slashdot Mirror


Trustworthy Software For The NSA?

Janus Daniels writes "There's a new story from the New York Times, as reprinted at CNET News, about security concerns for Government agencies buying software from overseas. According to the article, a whistle-blower who helped sell software to the National Security Agency says that much of the development work is subcontracted to China, raising serious national security risks. He also discovered in the sales-support database... the names of more than 30 [identity-classified] employees of the United States National Security Agency...'"

24 of 229 comments

  1. Are the subcontractors fully aware.. by Xuranova · · Score: 5, Interesting

    of what it is they're programming, in the sense that do they know they are making a sensitive program for the NSA of the United States? If not, then what could be the harm unless a backdoor gets through unchecked? (I can only hope that some US officials or hired techies DO check this code for backdoors and the like.)

    --
    "There is no real right or wrong, just what the majority accepts at the time."
    1. Re:Are the subcontractors fully aware.. by Frymaster · · Score: 3, Interesting
      the thing to realize is that the nsa is not the "no such agency" it was back in the 70s and 80s! twenty years ago, if a cryptologic solution or piece of software was not made in house, the nsa regarded it as either useless or dangerous.

      heck, the nsa is even working on selinux (a security enhanced linux) that is open source. and the kicker is this: one of their partners is pgp security. (source: here)

      times have changed

  2. chinese intelligence by lurgyman · · Score: 5, Funny

    And obviously Chinese intel has capitalized on this - successfully directing the US Air Force to its embassy during the Serbian fiasco a few years back...

  3. This will probably be said 22241515 times... by ascalon · · Score: 3, Insightful

    ... but if they are afraid of untrustworthy software they really should hire someone to make them a custom open source solution. Or something. Yeah.

  4. Even if its in the U.S. by Goalie_Ca · · Score: 5, Insightful

    ...who's to say that there might not be spies writing the software anyways. Can't the NSA write their own source code? They've already contributed selinux.

    --
    Go canucks, habs, and sens!
  5. Outsiders by mjihad · · Score: 5, Funny

    Obviously, having all software written in the US eliminates the risk of having security risks.

  6. Total government awareness by aberant · · Score: 4, Interesting

    Those guys at MIT constructing the database on government members should get these names. Oh, what juicy tidbits of info they would be!

  7. One of the problems of commercializing government. by BWJones · · Score: 4, Insightful

    Given the recent push to commercialize various aspects of government, this is one of the potential pitfalls. Businesses will subcontract work to the lowest bidder and eliminate one of the internal controls that many government software projects have had in the past.

    --
    Visit Jonesblog and say hello.
  8. If my experience is any indication... by instantkarma1 · · Score: 4, Interesting

    This is just the tip of the iceberg. I just quit a job (read: by choice, not fired) where some of the software created for the DOD was done by mainland Chinese programmers ....without the knowledge of the DOD. This was software which was tied to a backend database containing sensitive information. No, we are not talking nuclear secrets, but it was information which other non-friendly countries to the U.S. (i.e. anyone but England) would find interesting and useful. I broached the subject numerous times to my employer, who essentially pulled an Alfred E. Neuman (What?!?! ME worry?!?!). Finally, I quit and informed the proper people, washing my hands of the entire mess. While it may sound stupid to quit a high-paying job in this economy, the prospect of having Bubba as a cellmate made it a lot easier.

    My rambling point is this....the U.S. Government, particularly the DOD, will be using software made by non-friendly parties with an axe to grind, without ever receiving the source code or knowing who actually wrote the software. And what's more, it's been my experience the bureaucracy really doesn't give a sh*t as long as they can pass the buck.

    1. Re:If my experience is any indication... by Leffe · · Score: 3, Informative

      This kind of reminds me of the Quake backdoor. (barb barb, do some googling to find it out, I can not type it all right now. Ah well, it basically allows anyone at iD software to control a server remotely; the flaw in the backdoor is that you can edit your packets to make them look like they come from iD.)

      I would personally never use software written by someone else (closed source, that is; open source software is great in the way that it will let me see all it can do) for anything remotely secure/sensitive. I just do not trust people enough. Especially not people from other countries, why should I? It is a normal behaviour to not trust other people. And I would rather buy software from my own country, it is nationalism!

      Also, I find spying very overrated, exactly what can you find out about a country? If you are really lucky you might steal some blueprints for a new lawnmower, but that is just if you are extremely lucky. Otherwise I would guess that all you can get is dirt-throwing material. Possibly of the grade that some high ranking officials will have to resign or go to jail, but what is the big deal? It suits them right to get punished for their crimes.
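The weakness described in the reply above, a remote-control channel that trusts whatever source address a packet claims, is worth seeing next to the fix. The block below is an added example, not code from the thread and not iD's actual protocol; the packet layout, the `rcon` command strings, the shared key and the addresses (RFC 5737 documentation ranges) are all constructed for illustration. It models a UDP server in pure Python, with no network I/O, so it runs offline: the weak server authorizes on the claimed source address, the hardened one ignores the address and instead checks an HMAC over a counter plus the body, which defeats forgery, replay and tampering.

```python
import hashlib
import hmac
import struct

# Constructed model of a "remote control" channel on a UDP game server
# (hypothetical; not Quake's real wire format). RFC 5737 documentation addresses.
VENDOR_ADDR = "198.51.100.10"      # the host the weak server is told to trust
ATTACKER_ADDR = "203.0.113.7"

TAG_LEN = hashlib.sha256().digest_size   # 32-byte HMAC-SHA256 tag


class SourceAddressRcon:
    """Weak design: a command is trusted if the datagram *claims* to come from
    the vendor's address. UDP source addresses are attacker-controlled, so any
    host that can forge the IP header is the vendor as far as this server knows."""

    def __init__(self):
        self.executed = []

    def handle(self, claimed_src, body):
        if claimed_src != VENDOR_ADDR:
            return False
        self.executed.append(body.decode())
        return True


class AuthenticatedRcon:
    """Hardened design: each command carries an HMAC over a monotonically
    increasing counter plus the body, keyed with a secret shared with the vendor.
    The source address is ignored entirely: a forged packet without the key fails
    the MAC, and a captured genuine packet fails the counter check when replayed."""

    def __init__(self, key):
        self.key = key
        self.last_counter = 0
        self.executed = []

    def handle(self, claimed_src, packet):
        if len(packet) < 8 + TAG_LEN:
            return False
        signed, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                       # forged or corrupted
        (counter,) = struct.unpack(">Q", signed[:8])
        if counter <= self.last_counter:
            return False                       # replay of an older message
        self.last_counter = counter
        self.executed.append(signed[8:].decode())
        return True


def build_command(key, counter, body):
    """What the legitimate vendor tool sends: counter || body || HMAC."""
    signed = struct.pack(">Q", counter) + body
    return signed + hmac.new(key, signed, hashlib.sha256).digest()


def demo():
    key = b"shared-secret-known-only-to-vendor-and-server"   # constructed
    weak, strong = SourceAddressRcon(), AuthenticatedRcon(key)
    results = {}
    # The attacker rewrites the source address field; the weak server obeys.
    results["weak_accepts_spoof"] = weak.handle(VENDOR_ADDR, b"rcon quit")
    # Same trick against the hardened server: no key, so no valid tag.
    forged = struct.pack(">Q", 1) + b"rcon quit" + bytes(TAG_LEN)
    results["strong_rejects_spoof"] = not strong.handle(VENDOR_ADDR, forged)
    # A genuine command is accepted whatever address it appears to come from.
    genuine = build_command(key, 1, b"rcon status")
    results["strong_accepts_genuine"] = strong.handle(ATTACKER_ADDR, genuine)
    # Replaying the captured genuine packet fails the counter check.
    results["strong_rejects_replay"] = not strong.handle(VENDOR_ADDR, genuine)
    # Changing the body (same length) invalidates the tag.
    tampered = genuine[:8] + b"rcon quit  " + genuine[-TAG_LEN:]
    results["strong_rejects_tampered"] = not strong.handle(VENDOR_ADDR, tampered)
    results["strong_executed"] = list(strong.executed)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A per-message counter is the simplest replay defence for a one-way channel; a real deployment would also want a key per server rather than one vendor-wide secret, since a single leaked key would otherwise open every server at once.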

  9. Trusting trust by robindmorris · · Score: 5, Interesting
    I RTA, and the whistleblower claims that the Chinese could have the opportunity to put something malicious into the code. The company claims that work for the US Govt. is not sent out to China. The security agencies say that they audit all outside code anyway.

    The bigger issue is not where the code is written, it's whether you can audit the source yourself (and whether you actually do so).

    See reflections on trusting trust for a nice article about why, if it really matters, you should be careful with other people's code.

    1. Re:Trusting trust by FredThompson · · Score: 5, Insightful

      A common misconception is that the NSA buys/evaluates software the same way Joe Blow does.

      I've been there and written code. Got a joint service commendation medal for software work for nuke command & control. The review process for critical code is excruciating.

      This article is a lot of FUD.

      Did you notice they don't make ANY claim whatsoever about what TYPE of software development? Hmmmm...that's interesting.

      It's always possible espionage can happen. Having said that, there's a LOT that goes on at the NSA. Look at the publicly available pictures of the headquarters building. Ever wonder what it takes to feed and supply people and keep it clean?

      There are different levels of software oversight, just as in the "outside" world. Yes, IRTA, and all I see is what looks like someone who was outside the loop making FUD statements about what's inside the loop.

      Did you notice this doofus hasn't been on the job that long? Did you notice he was "alarmed" that the names of people were available? Well, duh!!

      If you need to contact someone because you're contractually obligated to them, don't you need to know who they are and how to reach them? My family could pick up the phone and call me at work anytime they wanted and they met a lot of the people I worked with. This guy has watched too much TV. How does he think contractors communicate with the NSA? Trap doors and dead drops?

      FWIW, I've never used or owned a shoe phone. Nor did we talk under a cone of silence.

      Personally, I like "Alias" but let's get real, everyone doesn't sneak around through hidden doors with code names.

      To my eyes, this guy didn't have access to much of anything. Maybe he wanted to get into the secure side of the development and was refused. Hmmm..ya think?
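The "trusting trust" point raised above (auditing the source is not enough if the tool that builds it is compromised) is easy to state and easy to underestimate. The block below is an added example, not code from the thread and not anything from the vendor in the story: it implements Thompson's attack in miniature with a toy "compiler" that takes source text in and hands executable text out. The `check_password` routine, the `letmein` master password and the `compile` function name are all constructed for illustration. The payload is a quine template, so it reproduces itself into every compiler built from the clean compiler source. The last step shows the practical countermeasure, Wheeler's diverse double-compiling: build the same clean source with an independent compiler and compare outputs.

```python
# Added example: a toy compiler (source in, source out) carrying Thompson's
# trusting-trust attack. All names and credentials here are constructed.

HONEST_COMPILER_SRC = "def compile(source):\n    return source\n"

# What an auditor would read: a clean login routine with one real credential.
LOGIN_SRC = (
    "def check_password(user, password):\n"
    "    stored = {'alice': 'hunter2'}.get(user)\n"
    "    return password == stored\n"
)

# The trojan lives only in the compiler *binary*. It is written as a quine
# template so it can copy itself into any compiler it compiles.
PAYLOAD = r'''PAYLOAD = @PAYLOAD@
def compile(source):
    # Attack 1: plant a master password in any login routine passing through.
    if "def check_password(" in source:
        source = source.replace(
            "    return password == stored\n",
            "    if password == 'letmein':\n        return True\n"
            "    return password == stored\n")
    # Attack 2: if the clean compiler is being rebuilt, re-insert this payload so
    # the next compiler binary is trojaned even though its source is clean.
    clean = "def compile(source):\n    return source\n"
    if clean in source:
        mark = "@" + "PAYLOAD" + "@"     # assembled so it never appears literally
        source = source.replace(clean, PAYLOAD.replace(mark, repr(PAYLOAD)))
    return source
'''
TROJAN_COMPILER_SRC = PAYLOAD.replace("@" + "PAYLOAD" + "@", repr(PAYLOAD))


def load_compiler(compiler_src):
    """'Run' a compiler binary: exec its text and hand back its compile()."""
    ns = {}
    exec(compiler_src, ns)
    return ns["compile"]


def build_login(compile_fn):
    """Compile LOGIN_SRC with the given compiler; return the resulting function."""
    ns = {}
    exec(compile_fn(LOGIN_SRC), ns)
    return ns["check_password"]


def demo():
    results = {}
    honest = load_compiler(HONEST_COMPILER_SRC)
    trojan = load_compiler(TROJAN_COMPILER_SRC)
    results["honest_accepts_master"] = build_login(honest)("alice", "letmein")
    results["trojan_accepts_master"] = build_login(trojan)("alice", "letmein")
    results["trojan_accepts_real"] = build_login(trojan)("alice", "hunter2")
    results["trojan_rejects_wrong"] = build_login(trojan)("alice", "guess")
    # Auditing the compiler source finds nothing...
    results["clean_source_mentions_master"] = "letmein" in HONEST_COMPILER_SRC
    # ...yet rebuilding from that clean source with the trojaned binary, for as
    # many generations as you like, yields a trojaned binary every time.
    gen2 = load_compiler(trojan(HONEST_COMPILER_SRC))
    gen3 = load_compiler(gen2(HONEST_COMPILER_SRC))
    results["gen2_accepts_master"] = build_login(gen2)("alice", "letmein")
    results["gen3_accepts_master"] = build_login(gen3)("alice", "letmein")
    # Countermeasure (diverse double-compiling): build the same clean source
    # with an independent compiler and compare the outputs byte for byte.
    results["ddc_flags_difference"] = (
        honest(HONEST_COMPILER_SRC) != trojan(HONEST_COMPILER_SRC))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The lesson for the procurement debate in the thread is that "we audit all outside code" only helps if the toolchain doing the build is itself trusted or independently cross-checked; reproducible builds and a second, unrelated compiler are what turn an audit of source into a statement about the binary.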

  10. What suits them best. by The+Old+Burke · · Score: 3, Funny
    NSA is so important that they should be allowed to use whatever software solutions they have to.

    China is a free, democratic and trustworthy country with a growing group of software developers. I'm sure that they could make something secure for NSA that we could lay our nation's hands in. It's extremely important that we help to foster proprietary solutions that will help business abroad.

    And after all it's much better to use secure and trusted solutions from a close ally than having to resort to some of those old versions of UNIX. Now that SCO probably wins their case and AIX and Solaris go down the drain, it could be nice to have some other alternatives than only American software. Because we all know, as DARPA found out, that you just can't trust FreeBSD and Linux in an environment like the NSA needs.

    --
    Proud patriot and republican voter.
  11. Re:NSA, CIA, HSA... by gurps_npc · · Score: 4, Informative
    Do you know who/what the NSA are? Before you start spreading generic crap that could be applied to any secret agency, you might at least make the attempt to make it specific to the agency you are attacking.

    A lot of questions and insults. Not surprising, as you appear to have done no research. Well, we do know what the NSA does. The NSA is charged with breaking other people's coded messages. In other words, it is basically the MOST defensive, MOST safe secret service we have. The worst it does is invade privacy. And it is very unlikely to invade YOUR privacy, as most people do not use the kind of high-end cryptology that they counter. The CIA is far more dangerous and active. Not to mention the various military agencies that do the black ops for the CIA.

    P.S. What fool modded this as interesting? It is clearly off topic.

    --
    excitingthingstodo.blogspot.com
  12. Re:One of the problems of commercializing governme by BWJones · · Score: 3, Informative

    I should have also said that a number of contracts that one might expect would be internal government projects have more and more been bid out to private contractors. For instance, you might be surprised to find that a number of very sensitive database projects, military police actions and military interventions in the Balkans and Central America are being handled by companies such as Dyncorp.

    --
    Visit Jonesblog and say hello.
  13. don't buy skynet!! by slyguy420 · · Score: 3, Funny

    whatever you do, don't buy that fancy new software from skynet!! /ahnuld accent on "Trust Me" /off

    --


    C:\earth\humans\del *.m0ronz
  14. Re:NSA, CIA, HSA... by Anonymous Coward · · Score: 3, Informative

    Why don't you visit their website and attempt to find out for yourself what they do? Here are the two big terms to look for: SIGINT and INFOSEC. When you can tell someone what those are in your own words, you'll know what the NSA does.

  15. Uh. Wow. by Elwood+P+Dowd · · Score: 4, Funny

    I know someone that has a small software company that's done contract work for the CIA. He is much, much more careful with his software than that, and would never make a mistake like that because he'd be afraid that he'd lose his security clearance and never be able to get his cushy government contracts.

    He also said that he worked for a certain salad dressing company once, and they were much more careful about their trade secrets (recipes) than the CIA was about anything.

    --

    There are no trails. There are no trees out here.
  16. Platform Software by rf0 · · Score: 3, Interesting

    In a previous job I dealt with a piece of Platform Software called LSF (Load Sharing Facility). Now I have to say it was a very complicated bit of software which to me seemed to be a mixture of shell scripts, binaries and NFS/SMB mounts. After actually doing the training courses my belief didn't change and I regularly found bugs in it.

    Now this might have just been the SGI version, but overall, taking this as a particular example, the quality of the code was terrible and half of it had undocumented features.

    Just my 2p

    Rus

  17. It's a government agency, what's the shock? by AxelTorvalds · · Score: 5, Insightful
    I've wondered about this for years. In some circles they talk of the near mystical powers the NSA must have and how they must be like 20 years more advanced than the private sector. Every time I've dealt with the feds and IT stuff I'm amazed we're doing as well as we are because it is such a cluster fuck.

    Why should the NSA be any better? Why would the best of the best go there when they can make a whole lot of money in the private sector? I'm not just talking about the mathematicians, computer guys and cryptographers either; you need the top notch managers to run those groups and deal with the compartmentalization that goes on while still motivating and producing top quality results. I could see the government rounding up geeks and math guys, I couldn't see them cultivating that leadership or hiring much of it.

    Honestly, I think their biggest thing is that they never get tired or run out of resources. That's how the FBI caught the unabomber, they just kept looking and looking and looking and then they got him. There are textbook methods and approaches to security. Their ciphers have looked like they simply follow them and are extremely conservative and diligent.

    1. Re:It's a government agency, what's the shock? by maelstrom · · Score: 3, Insightful
      "That's how the FBI caught the unabomber, they just kept looking and looking and looking and then they got him."

      Only half right. The FBI did not get tired of looking for him, but that is not what led to his capture. What did was that the unabomber got cocky and published his manifesto, and the feds got lucky enough that his brother had the moral fortitude to turn in his own brother.

      The FBI deserves almost no credit for catching the unabomber. Even their much vaunted behavioral profiles were off the mark.

      --
      The more you know, the less you understand.
  18. What an odd set of posts.... by Osrin · · Score: 3, Insightful

    Like all secret service orgs the NSA has many arms dealing with various levels of classification and security. If you want to know more about them just go to http://www.nsa.gov; if you want a collection of names of people who work there go to http://www.nsa.gov/releases/speeches.html, learn who they are and feel free to digest all that they have to say. This is the story of a guy who was fired for missing his performance goals; he should be laughed at, not heralded as a hero. I'm not sure anybody really cares about the 30 procurement execs that he found in his company's CRM system. You can bet your bottom dollar that any contractors working on secret systems will have been vetted; depending upon the classification level there is a good chance that the vetting will go down to employee level. I therefore have to assume that the work that Platform are doing is non-essential. I for one am glad to see the Government spending our dollars a little more wisely than they would be if they applied the highest level of security regulations to all of their systems.

  19. Re:NSA, CIA, HSA... by Red+Warrior · · Score: 3, Insightful

    anything that can't be known by the public, even after the fact, probably shouldn't be done.
    I'm sure that the Afghan nationals passing on intelligence to the CIA fully agree with you. The Taliban and AQ wouldn't hold a grudge.
    I'm sure the British agent(s) who infiltrated the IRA agree wholeheartedly. Why, after 10 years, they could all get together and share a pint down at the pub.
    Likewise, the informant who decides to turn in a mob boss.

    I'm just about as libertarian and pro-transparency as the next guy...But We DO live on earth.

    --
    "If, therefore, any be unhappy, let him remember that he is unhappy by reason of himself alone."
    ~Epictetus
  20. Re:NSA, CIA, HSA... by Loki_1929 · · Score: 5, Informative

    " Do you know who/what the NSA are? "

    Yes, I do. In a moment, you, and anyone else reading this will too.

    "The NSA is charged with breaking other people's coded message."

    Well, no, not really. That's just oh so simplistic. You make it sound as though someone slaps a coded message on the NSA's desk and they sit there with a room full of really nerdy guys trying to figure out what it means. That's simply ridiculous.

    Now let's talk about what the NSA really does. The NSA operates, with the help of a select few other nations, a worldwide communications surveillance and recovery network designed to capture, decode, sort, and record any and all internet, satellite, radio, telephone, cellular, fax, or any other communications which travel from one location to another via technology while prioritising data in need of further review. With installations in the US, Canada, the UK, New Zealand, Australia, and numerous other places, the NSA monitors and oversees this massive worldwide network. All messages are automatically compiled and sorted by the system for analysis, at which point any and all irrelevant data is purged. Coded or encrypted information is recorded and decoded on a priority-based system. Keywords are no longer used, as they were 20 years ago or so. Context-sensitive AI systems work through messages to understand a wide range of contextual and syntactic items, setting aside possible intelligence leads, threat information, uninterpretable data, and other information of interest (information which could be useful for or against certain corporations, for instance) for more detailed analysis; or in the case of items deemed high priority, immediate human analysis.

    The NSA's missions also include, as you state, cryptography-breaking, but also cryptography-making. They are responsible for creating and maintaining the encryption systems of intelligence and military institutions at the higher levels. In addition to this, they are also responsible for ensuring that new systems developed by anyone, friend or foe, are quickly cyphered so no information remains hidden from us. Much of the mathematics done at the NSA is for the study of cryptography, both practical and theoretical.

    The NSA also designs and manufactures surveillance devices for audio, visual, and GPS-based tracking. GPS-based systems are developed at a number of NSA sites, and new technologies are first tested and implemented in NSA-controlled satellites in geo-sync orbit for use in tracking and surveillance. Part of the NSA's mission has been expanded to include corporate espionage for large US-based mega-corps. NSA surveillance devices have also been used to gain an edge in diplomatic situations, such as in the UN. While the CIA is mostly human to human interactions and manpower-based intelligence, the NSA is nearly entirely technology-based.

    "In other words, it is basically the MOST defensive, MOST safe secret service we have."

    The NSA is the most likely candidate for the first agency to be used to try to turn the US into a totalitarian state. Its massive surveillance capabilities make a 1984-style society seem so attainable. In the information age, information is power. In the information age, the NSA is the information source. In a world where everything is electronic, the NSA has eyes and ears everywhere, and has developed the technology (with the help of a massive, secretive budget) to ensure that whoever is in control gets the information they need when they need it.

    "The worst it does is invade privacy."

    Invasion of privacy is 90% of what makes 1984 possible. If you have privacy, you don't have 1984; a dark corner is all it takes.

    "And it is very unlikely to invade YOUR privacy, as most people do not use the kind of High end cryptology that they coutner. "

    Completely wrong. The NSA does not only monitor highly-encrypted data; that's absurd. The NSA monitors all telecommunications. If it's on the i

    --
    "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."