US Needs Secure Coding Office

Trailrunner7 writes "If the United States wants to remain competitive in the global economy and prevent widespread penetrations of its strategic, corporate, and commercial networks, enterprises and government agencies should stop relying on commercial software and go back to writing more of their own custom code. 'If we're going to maintain our place in the world, software is not a strategic problem, it is the strategic problem going forward,' security expert Marcus Ranum said in a speech Tuesday. 'Covert penetration becomes something that you think about on a five, 10, or 20-year scale. Why don't we have a government coding office? We have a government printing office. Why don't we have a strategic software reserve? Our own software is probably a greater threat to us than anything other people can do to us.'"

Tinfoil hats

[Zironic]

Why don't we have a government tinfoil hat office? Clearly we're under great threat of alien mindrays.

Agreed

[geekoid]

In house software for government jobs is the way to go.
1) You own the code
2) You're goal is to have software that works for a long time. You vendor does not share that goal. They want you to rebuy software every 5 years.

3) It's a lot cheaper to maintain.
4) It's written to get a job done. Once that's done, you don't have to worry about some revising the requires new hardware.

Re:Agreed

[1729]

There's a third issue: salaries. Programming talent is used to silicon valley pay grades, not military pay grades. How many employees would be willing to leave their current position and take a 50% pay cut to work for the government? Would you be willing to trust the code of someone working for $40K/year?

Actually, there are a lot of government programming jobs that pay decently. I work at a government research lab, and the pay is competitive with industry (though no stock options, etc.), and I've seen a lot of FBI/NSA/CIA job postings for computer scientists that advertise 6-figure salaries.

Re:Agreed

[geekoid]

I did. I make less money, 75K as opposed to 120K, but I get more time to enjoy my life.
after 25 years, I was real tired of pointless 60 hour weeks and day long meetings.

You really don't understand people. I pity someone that places all value someone could possible have on their salary.

Re:Agreed

[binarylarry]

Working at NASA is like working in the game industry, it's the coolest gig around and attracts tons of people which creates more competition and ultimately drives salaries down.

Re:Agreed

[mlts]

There is one thing forgotten. For the most part, US government "GS" jobs have job security. Unless someone commits a felony on the job, they know that their badge and CAC will work the next day. Private industry has higher salaries, but there is always the chance of being pitched out like last night's garbage if a PHB decides to swallow outsourcing/offshoring Kool-Aide.

And people know this. Government jobs have a lot more competition going for them than private jobs in a lot of places, from what I've seen.

Don't forget benefits. A $60k/year job may not be as alluring when one realizes that they have to spend $15k a year after taxes for health insurance for them and their family.

What?

[fahrbot-bot]

1. Why don't we have a government coding office? We have a government printing office.
2. Why don't we have a strategic software reserve?

1. Why indeed, Marcus, "coding" and "printing" are so similar.
2. And the shelf-life of that software "reserve" is...

Re:What?

[K.+S.+Kyosuke]

2. And the shelf-life of that software "reserve" is...

At least a few decades, isn't it? At least Maxima, Emacs and others work perfectly on my modern PC.

Poor comparison

[Dan+East]

"Why don't we have a government coding office? We have a government printing office."

That comparison is ridiculous. A proper comparison would be "We engineer our own government printing presses and copiers, why don't we engineer our own software?" But of course the government doesn't engineer printing presses...

Re:Poor comparison

[phantomcircuit]

Actually yes there was a big push for COTS software in government a whiel ago. The idea was that it would reduce costs, but it was a short term cost reduction with a long term significant cost increase. The problem is that those doing procurement often are not responsible for long term negative effects, because they will be long gone.

Re:OpenBSD

[abigor]

Unfortunately, they got fired: http://www.infoworld.com/t/platforms/openbsd-contract-suspended-due-world-events-727

We do

[greenbird]

Why don't we have a government coding office? We have a government printing office. Why don't we have a strategic software reserve?

We do. It's called open source. And it's run by a militia just like the one that started this country.

What the hell is a strategic software reserve?

[Nadaka]

Seriously. WTF. How can anyone ask that question and expect to not be laughed at.

Re:What the hell is a strategic software reserve?

[robot256]

The only thing it could possibly mean is a reserve of *coders* ready to jump at any problem or bug that arises. Oh wait, that's called the NSA. Just need to give them more resources and jurisdiction to fix any code anywhere in the government. That'd work great:

Setting: Nondescript cubicle farm full of people working an eating donuts.
Cubicle farm is suddenly stormed by a SWAT team with M16s and tablet PCs.
Team leader: "Everybody freeze! Hands off the keyboards! We've detected a buffer overrun condition! Move, move, move!"
Guys with tablets rush to the PCs and networking closet and start typing like mad. Soldiers round up all the people into the middle of the room.
A five-star general walks into the room.
General: "What's going on here?"
Team leader: "Sir! We're neutralizing a threat in the PR office happy-hour scheduling system. We should be finished soon."
General: "Good. I'll want a full report when this is over. We need to catch the idiot who's responsible for this."
A soldier escorts an intern with hands behind his head to the leader.
Soldier: "This guy did it. We found non-compliant source code on his machine."
Team leader: "Good work, sergeant. Hand him off to headquarters at 1300."
General: "Glad to see that was taken care of quickly."
Team leader: "All in a day's work, sir."

Re:Because we don't need one.

[Nadaka]

I've seen some of the code produced at big shops like that. Not Halliburton, but Northrop Grumman started the project I am currently working on. After they lost their last round of bidding, my employers company picked it up. They lost for very good reasons. We inherited unbelievably bad and broken code.

Re:OpenBSD

Hire the OpenBSD boys. They have a proven track record.

SELinux has a pretty good track record too, and they wouldn't even need to outsource.

Really that's what they ought to be doing anyway: Not rewriting internal government clones of proprietary software, but giving the spooks a mandate to improve the security of open source software, and then use that.

Re:This idea is dumb.

[Ephemeriis]

Meh.

Just mandate genuinely open source software for all government work.

You don't have to rely on your government to analyze code and submit the fixes back to the original author - anyone can look at the code. And you don't have to rely on the original author to incorporate the fixes - anyone can. And you don't have to trust that the binaries you're running actually match the code you're looking at - just compile your own.

The big problem with all of this isn't necessarily that the code is crap or anything like that... It's that the stuff is closed-source. We're basically trusting that the code does what it is supposed to, and we've got very little ability to verify that.

So where does the OS come from then?

[ErichTheRed]

There are some big reasons why this might be a good idea:
1. Vendors have every incentive to pull the rug out from under you support-wise and make you buy their product again every few years.
2. Having people in-house who _actually know_ everything about how a system works really helps with debugging. Oracle, for example, is the king of finger-pointing when it comes to blaming some other part of the system for crashing a database.
3. Custom code would still have holes, but at least they wouldn't be the exact same ones being exploited in the private sector.

There's also some really good reasons not to do it:
1. You will still need to source an OS from somewhere. Whether $LinuxDistribution, IBM, Sun/Oracle, HP or Microsoft, ti wouldn't make sense to build a single purpose OS unless you were working on embedded systems. This OS would still have the same problem of limited-time support, publically available security exploits, and crappy support when you do get it.
2. Government organizations are very bad with communication. At the state level, practically every department sets their own standards. How could you get agencies with very different priorities to sign on to something that centralized?
3. Quality of code (see below.)

I work in systems integration, and have done so for many large companies. This is the place where we take applications, figure out how they can fit together, and merge them into a platform of clients/servers/network connections/databases. Software written by in-house IT is often the biggest bug-filled, resource hogging mess to get working. This goes double if the dev work is outsourced to a provider that doesn's know about the environment the app will run in. Think about the in-house apps you use -- the order entry client that requires a dual core processor and 2 GB of RAM, or the app that crashes with no explanation or a dialog box that says "You should never see this message." It's not all that bad, and some apps actually work really well. But developer training and skill levels are all over the map. At the very least, a vendor is responsible for their code, and can be persuaded/paid to fix bugs instead of letting them fester. A vendor specializes in building software meant to be used outside of their little corner of the world, so some companies do take time to make sure bugs are fixed.

This would work well when the field of software development matures a little more, and best practices aren't dictated by companies trying to sell you something. That's why IT has a very hard time being recognized as a branch of engineering - there's very few standard ways of doing anything. On the OS front, you have major vendors, hundreds of Linux distributions and other small players. On the database front, you have a few huge vendors that take totally different approaches.

Re:Because we don't need one.

[Bing+Tsher+E]

By definition you've only seen the bad code that comes from such outfits. As so, you don't have a full picture of the quality of code from 'big shops.'

Re:Just what we need ... bring back Ada !!!

[darkstar949]

It may be a niche language, but it's still really good in areas where safety is a concern. The 777 uses it for the control software - http://www.adaic.org/atwork/boeing.html

Re:Spending is the goal

[AndersOSU]

Government doesn't expand in terms of power and revenue because it's getting better, it expands because the economy is expanding.

http://www.nationalpriorities.org/Federal%20outlays%20and%20revenues

Not a case for tinfoil

[betterunixthanunix]

Take a look at Reflections on Trusting Trust, where Ken Thomson basically admitted to introducing a backdoor into a commercial operating system by hacking the compiler. The conclusion of the paper, in his own words, was not to trust commercial software to be secure -- the only secure code is code you control from the ground up. That paper was published in 1983.

Re:Not a case for tinfoil

[betterunixthanunix]

Really though, the absence of glaring backdoors does not imply the absence of deliberate and major security flaws. Even very subtle changes could potentially have serious security implications -- even a change as subtle as the way memory is aligned (this may, for example, amplify side channels).

General purpose commercial software packages raise a yellow flag for security as far as I am concerned. They are not necessarily a problem, but there are risks. The general purpose nature is itself a problem; a system that is intended to be used to schedule appointments should not have the capability to execute a shell, nor should it even have a shell installed. The problem with general purpose systems is that they ship with a lot of code that is never needed for a specific installation, but which an attacker could potentially make use of. This is the basic concept behind a "return to libc" attack, or more generally "arc injection."

No kidding.

[sean.peters]

For every example of software failures discussed above, you can come up with a fine example of a government system that worked great. I'm not going to spend a lot of time digging up examples, but here's one: the Navy's Aegis Combat System. Aegis is just Skynet's littler (and nicer) brother - it's vastly complex, and under certain circumstances is capable of conducting difficult anti-air battles more-or-less autonomously. It detects, tracks, and engages subsurface, surface, air, and ballistic missile threats. And yes, this was a program run by the government.

As the parent points out, the common thread in massive software implementation failures isn't that the customers were government agencies - it's that they didn't have their requirements nailed down before they started shoveling money at their problems. There's plenty of that going on in the private sector as well.