Trustworthy Software For The NSA?
Janus Daniels writes "There's a new story from the New York Times, as reprinted at CNET News, about security concerns for Government agencies buying software from overseas. According to the article, a whistle-blower who helped sell software to the National Security Agency says that much of the development work is subcontracted to China, raising serious national security risks. He also discovered in the sales-support database... the names of more than 30 [identity-classified] employees of the United States National Security Agency..."
Are the subcontractors fully aware.. (Score:5, Interesting)
Re:Are the subcontractors fully aware.. (Score:2, Insightful)
Re:Are the subcontractors fully aware.. (Score:2)
Re:Are the subcontractors fully aware.. (Score:4, Interesting)
heck, the nsa is even working on selinux (a security enhanced linux) that is open source. and the kicker is this: one of their partners is pgp security. (source: here [nwfusion.com])
times have changed
Re:Are the subcontractors fully aware.. (Score:2)
Probably not very well, depending on the amount of source code; to thoroughly scour the source code takes the same resources, if not more, as it does to make the code. I assume the requestor gets th
Why are people always assuming... (Score:2)
It would be naive to assume either way: The software can't be left unchecked, but it would be unfair to just assume that any software developer in China is working for or collaborating with the Communist government. There is precaution, then there is just baseless suspicion. Ch
Re:Why are people always assuming... (Score:2)
Reply: Not the first time not the last (Score:2, Insightful)
Not the first time, not the last time for Clueless Management in politics as usual DC and Government. Our potential destruction due to the stupid, pompous, and greedy.
In our Capitalist Democracy our leaders, political and religious, place more priority on enforcement of the Digital Millennium Copyright Act (DMCA) and Library internet filters than homeland defense. It looks better to the illiterate moral majority bigots that vote and support the economy (the real priority) with questionable profit penalti
chinese intelligence (Score:5, Funny)
No, no, no! (Score:2)
I mean, after the French forced the F-111's to go the long way to Libya, BOOM!, there goes the French Embassy in Tripoli.
The Chinese bought the Clinton administration, made off with designs for nuclear weapons, and stole guidance systems from Loral. Then, BOOM!, there goes the Chinese Embassy.
God bless 'em!
This will probably be said 22241515 times... (Score:3, Insightful)
Can you say "PROMIS"? (Score:2, Informative)
Re:Can you say "PROMIS"? (Score:2, Informative)
Re:Can you say "PROMIS"? (Score:3, Interesting)
If the US Government is doing the same thing, then they're getti
Even if its in the U.S. (Score:5, Insightful)
Re:Even if its in the U.S. (Score:2, Funny)
Absolutely correct. Think Bonzi Buddy.
Where do you think spyware comes from?
Outsiders (Score:5, Funny)
Re:Outsiders (Score:3, Insightful)
Obviously, having all software written in the US eliminates the risk of having security risks.
No. Having all software for government agencies written in the U.S. greatly reduces the risk of deliberately planted back doors and logic bombs. The company in question can't even keep a confidential database secure. From the article:
The company also does not make customer information stored in its sales support database generally available within the company, he said, adding that it was unclear how it wou
Re:Outsiders (Score:2)
The US military doesn't farm out its missile design and production to China to save money. It's all done in the US by contractors like Raytheon, where all of the employees have security clearances. So why aren't we doing this with software?
Re:Outsiders (Score:2, Funny)
See kiddies, two wrongs don't make a right.
Stop tracking (Score:2, Insightful)
Total government awareness (Score:4, Interesting)
Very unjuicy. (Score:2)
In fact, this whole post might just be an elaborate ruse....
The NSA? (Score:2, Flamebait)
Forgive me, but I hope they rot in hell with their compromised software.
Re:The NSA? (Score:2, Insightful)
What's worse - collecting some bits of what some people do online? Or, as China does, censoring what online content is available (right down to individual posts on messageboards) to over 1 billion people?
Agreed that privacy is an important issue, but like most things, it is relative. Look around at what others have (or haven't) before bitching about your individual situation.
Re:The NSA? (Score:2)
The same people who collect everything I do online?
Forgive me, but I hope they rot in hell with their compromised software.
Upon analysis of your post, we have decided you are a possible security risk. Given the location you have posted at, "news for nerds" and all, there's also a high probability you are a programmer, and thus able to write "compromised code" yourself if contracted.
Our people are currently identifying your real identity and should be arriving at your house shortly. Please do not re
One of the problems of commercializing government. (Score:5, Insightful)
Re:One of the problems of commercializing governme (Score:4, Informative)
Outsourcing isn't always the problem either (Score:3, Interesting)
They could perform background checks of the programmers they hire or of all the programmers that work for an IT outsourcing outfit. But even then, it's possible for spies to slip through. After all, do you think anyone's gonna write "worked for Chinese military intelligence as a spy" on their resume?
This is an inherent problem in running a group like the NSA. You can't trust anyone. The best you can hope fo
Re:Outsourcing isn't always the problem either (Score:2)
No, you hire a government contracting company where all the employees have obtained USG security clearances. Who do you think builds all the missiles, tanks, fighter jets, guns, etc. that the military uses
Re:Outsourcing isn't always the problem either (Score:2)
Re:One of the problems of commercializing governme (Score:2)
Yep, no matter how impressive it looks, there's only so much you can do with Powerpoint.
Re:One of the problems of commercializing governme (Score:2)
Yep, no matter how impressive it looks, there's only so much you can do with Powerpoint.
All kidding aside, there are only so many good programmers and associated professionals. If a government agency wants the good ones, chances are they're going to have to either lure them in, train them from the inside, or buy off the rack; contracto
Re:One of the problems of commercializing governme (Score:2)
As for how the money trails tie together, it's amazing what information Google will find for you [jonathanpollard.org].
If my experience is any indication... (Score:4, Interesting)
My rambling point is this....the U.S. Government, particularly the DOD, will be using software made by non-friendly parties with an axe to grind, without ever receiving the source code or knowing who actually wrote the software. And what's more, it's been my experience the bureaucracy really doesn't give a sh*t as long as they can pass the buck.
Re:If my experience is any indication... (Score:3, Informative)
I would personally never use software written by someone else (closed source, that is; open source software is great in the way that it will let me see all it can do) for anything remotely secure/sensit
Re:If my experience is any indication... (Score:2)
Aside: That paragraph should be required reading for anyone who thinks NSA's just being silly here. Don't just read it, understand it. Drink it in its fullness. Sear it into your memory with red-hot nichrome wire.
Now, grok this: If you wouldn't trust yo
Re:If my experience is any indication... (Score:2)
Taken to its logical extreme, why should anybody ever use non-FOSS software?
I suspect the answer lies in a combination of ignorance (lack of knowledge, not stupidity), habit, convenience, cost (perceived?).
Re:If my experience is any indication... (Score:2)
There are plenty of secrets worth spying. Espionage is alive and well.
Re:If my experience is any indication... (Score:2)
Ummm... that dirt-throwing material that you dismiss is a spy's wet dream. Ever hear of blackmail?
Re:If my experience is any indication... (Score:2)
My rambling point is this....the U.S. Government, particularly the DOD, will be using software made by non-friendly parties with an axe to grind, without ever receiving the source code or knowing who actually wrote the software. And what's more, it's been my experience the bureaucracy really doesn't give a sh*t as long as they can pass the buck.
Excellent points, but in some cases, they do know that possibly "non-friendly parties" are writing the software and use it anyway. Recently, U.S. government agencie
Easter Eggs (Score:2, Funny)
I think it's a good idea that NSA software is developed in China. I bet there are "undocumented" key combinations that will disable Macrovision and regional restrictions.
Trusting trust (Score:5, Interesting)
The bigger issue is not where the code is written, it's whether you can audit the source yourself (and whether you actually do so).
See reflections on trusting trust [acm.org] for a nice article about why, if it really matters, you should be careful with other people's code.
Necessary but not sufficient (Score:2)
Security problems are like bugs, only harder to find. It's easy to write a bug that will slip through a code inspection. Would you trust an audit to uncover a cleverly crafted malicious security hole? Even if the auditors were as good as the OpenBSD team, which is a tall order?
I'd recommend controlling the environment the software runs in, so as to contain the damage done by a security problem. Then screening vendors for trustworthiness, then auditing their output to give yourself a chance of ca
Re:Trusting trust (Score:5, Insightful)
I've been there and written code. Got a joint service commendation medal for software work for nuke command & control. The review process for critical code is excruciating.
This article is a lot of FUD.
Did you notice they don't make ANY claim whatsoever about what TYPE of software development? Hmmmm...that's interesting.
It's always possible espionage can happen. Having said that, there's a LOT that goes on at the NSA. Look at the publicly available pictures of the headquarters building. Ever wonder what it takes to feed and supply people and keep it clean?
There are different levels of software oversight, just as in the "outside" world. Yes, IRTA, and all I see is what looks like someone who was outside the loop making FUD statements about what's inside the loop.
Did you notice this doofus hasn't been on the job that long? Did you notice he was "alarmed" that the names of people were available? Well, duh!!
If you need to contact someone because you're contractually obligated to them, don't you need to know who they are and how to reach them? My family could pick up the phone and call me at work anytime they wanted, and they met a lot of the people I worked with. This guy has watched too much TV. How does he think contractors communicate with the NSA? Trap doors and dead drops?
FWIW, I've never used or owned a shoe phone. Nor did we talk under a cone of silence.
Personally, I like "Alias" but let's get real, everyone doesn't sneak around through hidden doors with code names.
To my eyes, this guy didn't have access to much of anything. Maybe he wanted to get into the secure side of the development and was refused. Hmmm..ya think?
Re:Trusting trust (Score:2)
Re:Trusting trust (Score:2)
And as a former senator [wpunj.edu], Mr. Thompson should know!
What suits them best. (Score:3, Funny)
China is a free, democratic and trustworthy country with a growing group of software developers. I'm sure that they could make something secure for the NSA that we could lay our nation's hands in. It's extremely important that we help to foster proprietary solutions that will help business abroad.
And after all, it's much better to use secure and trusted solutions from a close ally than having to resort to some of those old versions of UNIX. Now that SCO probably wins their case and AIX and Solaris go down the drain, it could be nice to have some other alternatives than only American software. Because we all know, as DARPA found out, that you just can't trust FreeBSD and Linux in an environment like the NSA needs.
NSA can't be that stupid. (Score:2, Informative)
don't buy skynet!! (Score:3, Funny)
Nothing new (Score:2, Flamebait)
Identity (in)security (Score:2, Interesting)
Import Tariffs on Foreign Code (Score:2, Insightful)
Re:Import Tariffs on Foreign Code (Score:3, Insightful)
Tariffs hooray!
Don't let that nasty Free Trade concept get in the way! Oh yeah and how do you plan to do this? What about free software? Do we pay only if we pay for the distro, are we off the hook if we download it for free? Ok, maybe we only pay the tariff if we buy the distro. What about BSD code, do
Re:Import Tariffs on Foreign Code (Score:2)
Re:Import Tariffs on Foreign Code (Score:2)
Free trade is killing american prosperity and isn't helping other countries catch up so much as it is giving outsourcers an excuse to allay the morality of dangerously antisocial
Re:Import Tariffs on Foreign Code (Score:2)
Excuse me for being naive but I had hoped that we in the tech community had left this kind of thinking behind.
You're excused, and the original poster obviously wasn't talking about OSS. The EU is demanding that all U.S. digital products sold there include a VAT. No doubt, you will tell us how that differs from a tariff. Personally, I'm not happy about all my personal (credit card) information being handled overseas in countries known to be unfriendly to the U.S. (which is pretty much everybody these d
What's the beef? (Score:2)
If he's really so worried about the threat to national security posed by the list of contact names, he should report it direct to the NSA.
"tamper with software being used by [NSA]" - that would be true wherever the software was written and regardless of who wrote it.
Presumably, the NSA has its own procedures for vetting and accepting new software - or are they really a bunch of innocent
Uh. Wow. (Score:5, Funny)
He also said that he worked for a certain salad dressing company once, and they were much more careful about their trade secrets (recipes) than the CIA was about anything.
NSA should make its own software (Score:3, Interesting)
Re:NSA should make its own software (Score:2)
Platform Software (Score:4, Interesting)
Now this might have just been the SGI version, but overall, taking this as a particular example, the quality of the code was terrible and 1/2 had undocumented features
Just my 2p
Rus
It's a government agency, what's the shock? (Score:5, Insightful)
Why should the NSA be any better? Why would the best of the best go there when they can make a whole lot of money in the private sector? I'm not just talking about the mathematicians, computer guys and cryptographers either; you need the top notch managers to run those groups and deal with the compartmentalization that goes on while still motivating and producing top quality results. I could see the government rounding up geeks and math guys, I couldn't see them cultivating that leadership or hiring much of it.
Honestly, I think their biggest thing is that they never get tired or run out of resources. That's how the FBI caught the unabomber, they just kept looking and looking and looking and then they got him. There are textbook methods and approaches to security. Their ciphers have looked like they simply follow them and are extremely conservative and diligent.
Re:It's a government agency, what's the shock? (Score:2)
You mean stuff like this [milk.com], right?
Re:It's a government agency, what's the shock? (Score:3, Funny)
The Grays have reneged on their abduction quota agreement, and are abducting many more people than before. Most of these are returned, after being implanted with a device which allows the Grays to have total control over their thoughts and actions. Approximately 40% of Americans now carry one of these devices, which are impossible to remove without killing the host.
So this is why Americans seem so stupid these days!
Re:It's a government agency, what's the shock? (Score:4, Insightful)
Only half right. The FBI did not get tired of looking for him, but that is not what led to his capture. The fact is that the Unabomber got cocky and published his manifesto, and the feds got lucky enough that his brother had the moral fortitude to turn in his own brother.
The FBI deserves almost no credit for catching the Unabomber. Even their much vaunted behavioral profiles were off the mark.
20 years head start (Score:3, Insightful)
Do not confuse with "TRUSTWORTHY" computing (Score:3, Interesting)
Anyone who suggests that trustworthy computing would be good for government security doesn't know what they are talking about. Trustworthy computing would be an absolute disaster for security. Any intelligence agency on earth can dig one of the keys out of trustworthy hardware and beat the system. Hell, college students with access to a well stocked university lab can break the hardware security and beat the system.
Whistleblowing on WHAT??!! (Score:3, Interesting)
The guy is telling the NSA stuff they already know, and have signed off as acceptable. His company was entirely above board in explaining their operations to the NSA in the first place.
Everyone involved knows what's going on. He is the only person who seems to have a problem with it. It doesn't sound like whistle-blowing to me, as much as whining.
Re:Whistleblowing on WHAT??!! (Score:2)
You're right about the overseas-code issue if the NSA signed off on it, but the CNet article starts by discussing the list of NSA employees in the company's database. This should be a concern if they did not discuss the database as well.
What an odd set of posts.... (Score:3, Insightful)
These guys are missing the obvious... (Score:2, Funny)
As someone that knows about military software... (Score:2, Insightful)
So the software put into these electronics is well documented with specifications, design documents and quality assurance documents.
The government also gets to review all source code supplied along with running their own tests and so on to ensure that the software is of the proper quality. The master
I just can't believe this! (Score:2)
How incredibly STUPID..
And I thought the NSA was smarter than that.
They even have developed a secure version of the kernel and have it for public download http://www.nsa.gov/selinux/ [nsa.gov]
My faith has been shaken...
What is the world coming to? (Score:3, Funny)
They DO have the Source Code (Score:3, Insightful)
I agree with another poster that mentioned selinux. The NSA knows how to write secure software and how to audit software and source code. Assuming they build their own binaries from the source, it should be a relatively safe system. The only potential security problem I can see is that outsiders may know exactly what they are running. But assuming it's properly designed and implemented, that shouldn't be a problem either. That's why everyone likes Linux/BSD so much.
Los Alamos has a history of physical security problems that should cause more worries than this. Hard drives disappearing and reporters sneaking in at night, getting locked in, and then the guards let them out when they found them.
Re:NSA, CIA, HSA... (Score:5, Informative)
A lot of questions and insults. Not surprising, as you appear to have done no research. Well, we do know what the NSA does. The NSA is charged with breaking other people's coded messages. In other words, it is basically the MOST defensive, MOST safe secret service we have. The worst it does is invade privacy. And it is very unlikely to invade YOUR privacy, as most people do not use the kind of high-end cryptology that they counter. The CIA is far more dangerous and active. Not to mention the various military agencies that do the black ops for the CIA.
P.S. What fool modded this as interesting? It is clearly off topic.
Re:NSA, CIA, HSA... (Score:3, Interesting)
Given its secrecy, how do you know that the NSA is doing what it's mandated to do?
Re:NSA, CIA, HSA... (Score:2)
Where are you getting your information?
Re:NSA, CIA, HSA... (Score:2)
Impersonate Air Force officers? Why would they do that when there are so many assigned to them?
Re:NSA, CIA, HSA... (Score:3, Funny)
Re:NSA, CIA, HSA... (Score:2, Funny)
Re:NSA, CIA, HSA... (Score:2, Funny)
Re:NSA, CIA, HSA... (Score:2)
No, they leave that to Wilson Goode.
(Let's see how many Philadelphians are old enough to remember that one.)
Re:NSA, CIA, HSA... (Score:2)
Re:NSA, CIA, HSA... (Score:2, Interesting)
My issue with the NSA is that precisely because of its secrecy, I cannot be certain that any research I do is factual - just because its publicly stated mission and charter prevents it from working domestically is no guarantee that it is, in fact, not working domestically - many of us are already well aware of some of the abuses of power performed domestically and abroad
Re:NSA, CIA, HSA... (Score:3, Insightful)
I also can't tell what the Department of Labor, Nasa, or any other government agency really does. Sure, they've got pretty offices you can go into, but is that all of it? Did they show you the sub-basement?
Having interned at NSA a number of years back, I can tell you I
Re:NSA, CIA, HSA... (Score:5, Informative)
Yes, I do. In a moment, you, and anyone else reading this will too.
"The NSA is charged with breaking other people's coded messages."
Well, no, not really. That's just oh so simplistic. You make it sound as though someone slaps a coded message on the NSA's desk and they sit there with a room full of really nerdy guys trying to figure out what it means. That's simply ridiculous.
Now let's talk about what the NSA really does. The NSA operates, with the help of a select few other nations, a worldwide communications surveillance and recovery network designed to capture, decode, sort, and record any and all internet, satellite, radio, telephone, cellular, fax, or any other communications which travel from one location to another via technology, while prioritising data in need of further review. With installations in the US, Canada, the UK, New Zealand, Australia, and numerous other places, the NSA monitors and oversees this massive worldwide network. All messages are automatically compiled and sorted by the system for analysis, at which point any and all irrelevant data is purged. Coded or encrypted information is recorded and decoded on a priority-based system. Keywords are no longer used, as they were 20 years ago or so. Context-sensitive AI systems work through messages to understand a wide range of contextual and syntactic items, setting aside possible intelligence leads, threat information, uninterpretable data, and other information of interest (information which could be useful for or against certain corporations, for instance) for more detailed analysis; or in the case of items deemed high priority, immediate human analysis.
The NSA's missions also include, as you state, cryptography-breaking, but also cryptography-making. They are responsible for creating and maintaining the encryption systems of intelligence and military institutions at the higher levels. In addition to this, they are also responsible for ensuring that new systems developed by anyone, friend or foe, are quickly cyphered so no information remains hidden from us. Much of the mathematics done at the NSA is for the study of cryptography, both practical and theoretical.
The NSA also designs and manufactures surveillance devices for audio, visual, and GPS-based tracking. GPS-based systems are developed at a number of NSA sites, and new technologies are first tested and implemented in NSA-controlled satellites in geo-sync orbit for use in tracking and surveillance. Part of the NSA's mission has been expanded to include corporate espionage for large US-based mega-corps. NSA surveillance devices have also been used to gain an edge in diplomatic situations, such as in the UN. While the CIA is mostly human-to-human interactions and manpower-based intelligence, the NSA is nearly entirely technology-based.
"In other words, it is basically the MOST defensive, MOST safe secret service we have."
The NSA is the most likely candidate for the first agency to be used to try to turn the US into a totalitarian state. Its massive surveillance capabilities make a 1984-style society seem so attainable. In the information age, information is power. In the information age, the NSA is the information source. In a world where everything is electronic, the NSA has eyes and ears everywhere, and has developed the technology (with the help of a massive, secretive budget) to ensure that whoever is in control gets the information they need when they need it.
"The worst it does is invade privacy."
Invasion of privacy is 90% of what makes 1984 possible. If you have privacy, you don't have 1984; a dark corner is all it takes.
"And it is very unlikely to invade YOUR privacy, as most people do not use the kind of high-end cryptology that they counter."
Completely wrong. The NSA does not only monitor highly-encrypted data; that's absurd. The NSA monitors all telecommunications. If it's on the i
Re:NSA, CIA, HSA... (Score:3, Informative)
Re:NSA, CIA, HSA... (Score:2, Interesting)
The NSA is a great place to work for geeks as long as they don't want high pay (it is a government job).
No, I don't work there (since I'm in college, but I might someday), but I know a mathematician who worked there for a number of years and s
Re:NSA, CIA, HSA... (Score:2)
Of course, you could argue that they are both part of the same system. It seems this would be to the CIA as internal affairs is to the police dept.
I would also say that all acts should become public
Re:NSA, CIA, HSA... (Score:3, Insightful)
I'm sure that the Afghan nationals passing on intelligence to the CIA fully agree with you. The Taliban and AQ wouldn't hold a grudge.
I'm sure the British agent(s) who infiltrated the IRA agree wholeheartedly. Why, after 10 years, they could all get together and share a pint down at the pub.
Likewise, the informant who decides to turn in a mob boss.
I'm just about as libertarian and pro-transparency as the next guy..
Re:NSA, CIA, HSA... (Score:3, Informative)
Re:NSA, CIA, HSA... (Score:3, Insightful)
We pay attention when we vote for our congressmen, who control the budget and some of whom sit on the intelligence oversight committees.
We support a free press, so that a whistleblowing employee has somewhere to turn to get the word out.
We keep ourselves informed, so that we know the NSA makes and breaks ciphers, secures US communications, and eavesdrops on foreign communications.
Wrong question (Score:2)
This question is kind of like asking, "Do we even need the President's Cabinet?" Because the Cabinet doesn't work for the citizens of the USA, except in a technical taxpayer-dollars kind of way -- they work for the President, collecting information and advising on policy to him and him alone. They have no responsibility to the average citizen, nor are they any use to them. Their information
Re:NSA, CIA, HSA... (Score:3, Informative)
It's called congressional oversight. You need to go back to civics class. Please see 50 USC 413 [cornell.edu]
Of course we need the NSA.. (Score:2)
The answer is money (Score:2)
If you want a simpler answer: Greed.
Re:paranoid (Score:2)
Have they ever had software that was made overseas and which caused a security problem? Even more than home-made Microsoft-ware?
You mean like all the Microsoft software exploits that originate overseas? The original MS software is only dangerous to the people trying to get their work done.
Re:This doesn't make sense? - Scare mongering. (Score:2)
If they used standard project management procedures, use project coding standards, have full source code review; how can there be security concerns? Sounds totally like scare mongering to me!
Mod that up, +5 Hilarious. It sounds just like a PHB pointing to an overhead.