Slashdot Mirror

← Back to Stories (view on slashdot.org)

Trustworthy Software For The NSA?

Posted by simoniker on from the secrets-lurking-behind-installer dept.

Janus Daniels writes "There's a new story from the New York Times, as reprinted at CNET News, about security concerns for Government agencies buying software from overseas. According to the article, a whistle-blower who helped sell software to the National Security Agency says that much of the development work is subcontracted to China, raising serious national security risks. He also discovered in the sales-support database... the names of more than 30 [identity-classified] employees of the United States National Security Agency...'"

8 of 229 comments (clear)

  1. Are the subcontractors fully aware.. by Xuranova · · Score: 5, Interesting

    of what it is they're programming, in the sense that do they know they are making a sensitive program for the NSA of the United States? If not then what could be the harm unless a backdoor gets thru unchecked? (I can only hope that some US officials or hired techies DO check this code for backdoors and the like.)

    --
    "There is no real right or wrong, just what the majority accepts at the time."
  2. chinese intelligence by lurgyman · · Score: 5, Funny

    And obviously Chinese intel has capitalized on this - succesfully directing the US Air Force to it's embassy during the Serbian fiasco a few years back...

  3. Even if its in the U.S. by Goalie_Ca · · Score: 5, Insightful

    ...who's to say that there might not be spies writting the software anyways. Can't the NSA write their own source code. They've already contributed selinux.

    --

    ----
    Go canucks, habs, and sens!
  4. Outsiders by mjihad · · Score: 5, Funny

    Obviously, having all software written in the US eliminates the risk of having security risks.

    --
    http://blogs.lns.kicks-ass.net/moonjihad/
  5. Trusting trust by robindmorris · · Score: 5, Interesting
    I RTA, and the whistleblower claims that the Chinese could have the opportunity to put something malicious into the code. The company claims that work for the US Govt. is not sent out to China. The security agencies say that they audit all outside code anyway.

    The bigger issue is not where the code is written, it's whether you can audit the source yourself (and whether you actually do so.

    See reflections on trusting trust for a nice article about why, if it really matters, you should be careful with other people's code.

    1. Re:Trusting trust by FredThompson · · Score: 5, Insightful

      A common misconception is that the NSA buys/evaluates software the same way Joe Blow does.

      I've been there and written code. Got a joint service commendation medal for software work for nuke command & control. The review process for critical code is excruciating.

      This article is a lot of FUD.

      Did you notice they don't make ANY claim whatsoever about what TYPE of software development? Hmmmm...that's interesting.

      It's always possible espionage can happen. Having said that, there's a LOT that goes on at the NSA. Look at the publicly available pictures of the headquarters building. Ever wonder what it takes to feed and supply people and keep it clean?

      There are different levels of software oversight, just as in the "outside" world. Yes, IRTA, and all I see is what looks like someone who was outside the loop making FUD statements about what's inside the loop.

      Did you notice this doofus hasn't been on the job that long? Did you notice he was "alarmed" that the names of people were available? Well, duh!!

      If you need to contact someone because you're contractually obligated to them, don't you need to know who they are and how to reach them? My family could pick up the phone and call me at work anytime they wanted and they met a lot of the people I worked with. This guy has watched too much TV. How does he think contrators communicate with the NSA? Trap doors and dead drops?

      FWIW, I've never used or owned a shoe phone. Nor did we talk under a cone of silence.

      Personally, I like "Alias" but let's get real, everyone doesn't sneak around through hidden doors with code names.

      To my eyes, this guy didn't have access to much of anything. Maybe he wanted to get into the secure side of the development and was refused. Hmmm..ya think?

  6. It's a government agency, what's the shock? by AxelTorvalds · · Score: 5, Insightful
    I've wondered about this for years. In some circles they talk of the near mystical powers the NSA must have and how they must be like 20 years more advanced than the private sector. Every time I've dealt with the feds and IT stuff I'm amazed we're doing as well as we are because it is such a cluster fuck.

    Why should the NSA be any better? Why would the best of the best go there when they can make a whole lot of money in the private sector? I'm not just talking about the mathematicians, computer guys and cryptographers either, you need the top notch managers to run those groups and deal with the compartmentization that goes on while still motivating and producing top quality results. I could see the government rounding up geeks and math guys, I couldn't see them cultivating that leadership or hiring much of it.

    Honestly, I think their biggest thing is that they never get tired or run out of resources. That's how the FBI caught the unabomber, they just kept looking and looking and looking and then they got him. There are textbook methods and approaches to security. Their ciphers have looked like they simply follow them and are extremely conservative and diligent.

  7. Re:NSA, CIA, HSA... by Loki_1929 · · Score: 5, Informative

    " Do you know who/what the NSA are? "

    Yes, I do. In a moment, you, and anyone else reading this will too.

    "The NSA is charged with breaking other people's coded message."

    Well, no, not really. That's just oh so simplistic. You make it sound as though someone slaps a coded message on the NSA's desk and they sit there with a room full of really nerdy guys trying to figure out what it means. That's simply ridiculous.

    Now let's talk about what the NSA really does. The NSA operates, with the help of a select few other nations, a worldwide communications survillance and recovery network designed to capture, decode, sort, and record any and all internet, satellite, radio, telephone, cellular, fax, or any other communications which travel from one location to another via technology while prioritising data in need of further review. With installations in the US, Canada, the UK, New Zealand, Australia, and numerous other places, the NSA monitors and oversees this massive woldwide network. All messages are automatically compiled and sorted by the system for analysis, at which point any and all irrelevant data is purged. Coded or encrypted information is recorded and decoded on a priority-based system. Keywords are no longer used, as they were 20 years ago or so. Context-sensitive AI systems work through messages to understand a wide range of contextual and syntatic items, setting aside possible intelligence leads, threat information, uninterpretable data, and other information of interest (information which could be useful for or against certain coporations, for instance) for more detailed analysis; or in the case of items deemed high priority, immediate human analysis.

    The NSA's missions also include, as you state, cryptography-breaking, but also cryptography-making. They are responsible for creating and maintaining the encryption systems of intelligence and military institutions at the higher levels. In addition to this, they are also responsible for ensuring that new systems developed by anyone, friend or foe, are quickly cyphered so no information remains hidden from us. Much of the mathematics done at the NSA is for the study of cryptography, both practical and theoretical.

    The NSA also designs and manufactures survillence devices for audio, visual, and GPS-based tracking. GPS-based systems are developed at a number of NSA sites, and new technologies are first tested and implemented in NSA-controlled satellites in geo-sync orbit for use in tracking and survillance. Part of the NSA's mission has been expanded to include corporate espionage for large US-based mega-corps. NSA surveillance devices have also been used to gain an edge in diplomatic situations, such as in the UN. While the CIA is mostly human to human interactions and manpower-based intelligence, the NSA is nearly entirely technology-based.

    "In other words, it is basically the MOST defensive, MOST safe secret service we have."

    The NSA is the most likely candidate for the first agency to be used to try to turn the US into a totalitarian state. Its massive surveillance capabilities make a 1984-style society seem so attainable. In the information age, information is power. In the information age, the NSA is the information source. In a world where everything is electronic, the NSA has eyes and ears everywhere, and has developed the technology (with the help of a massive, secretive budget) to ensure that whoever is in control gets the information they need when they need it.

    "The worst it does is invade privacy."

    Invasion of privacy is 90% of what makes 1984 possible. If you have privacy, you don't have 1984; a dark corner is all it takes.

    "And it is very unlikely to invade YOUR privacy, as most people do not use the kind of High end cryptology that they coutner. "

    Completely wrong. The NSA does not only monitor highly-encrypted data; that's absurd. The NSA monitors all telecommunications. If it's on the i

    --
    -- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."