Security

Trustworthy Software For The NSA?

Janus Daniels writes "There's a new story from the New York Times, as reprinted at CNET News, about security concerns for government agencies buying software from overseas. According to the article, a whistle-blower who helped sell software to the National Security Agency says that much of the development work is subcontracted to China, raising serious national security risks. He also discovered in the sales-support database... the names of more than 30 [identity-classified] employees of the United States National Security Agency..."
  • by Xuranova ( 160813 ) on Monday July 07, 2003 @05:15PM (#6386037)
    of what it is they're programming, in the sense that do they know they are making a sensitive program for the NSA of the United States? If not, then what could be the harm unless a backdoor gets through unchecked? (I can only hope that some US officials or hired techies DO check this code for backdoors and the like.)
    • Isn't it time for the obSecurity through obscurity comment? Also, I don't think he's worried so much about a foreign developer getting a spontaneous urge to modify code because he just found out it was headed to the NSA, but rather foreign governments discovering where the software went and setting up spy developers to go mess with the code (insert backdoors, what have you).
    • If they don't know initially, I'm sure it wouldn't be too hard to figure out. Especially given the nature of the program (I assume security is a major focus of whatever the NSA has ordered). I'm pretty sure the Chinese gov't could and would figure it out and make sure there are backdoors in place.
    • by Frymaster ( 171343 ) on Monday July 07, 2003 @06:09PM (#6386477) Homepage Journal
      the thing to realize is that the nsa is not the "no such agency" it was back in the 70s and 80s! twenty years ago, if a cryptologic solution or piece of software was not made in house, the nsa regarded it as either useless or dangerous.

      heck, the nsa is even working on selinux (a security enhanced linux) that is open source. and the kicker is this: one of their partners is pgp security. (source: here [nwfusion.com])

      times have changed

    • "of what it is they're programming, in the sense that do they know they are making a sensitive program for the NSA of the United States? If not then what could be the harm unless a backdoor gets through unchecked? (I can only hope that some US officials or hired techies DO check this code for backdoors and the like.)"

      Probably not very well, depending on the amount of source code; to thoroughly scour the source code takes the same resources, if not more, as it does to make the code. I assume the requestor gets th
    • That every single agency in a "Communist" nation is controlled by the government? It just so happens that many urban-dwelling Chinese people actually have some pro-American sentiment and are usually apathetic to the ruling regime.

      It would be naive to assume either way: The software can't be left unchecked, but it would be unfair to just assume that any software developer in China is working for or collaborating with the Communist government. There is precaution, then there is just baseless suspicion. Ch

    • Folks,

      Not the first time, not the last time for Clueless Management in politics-as-usual DC and Government. Our potential destruction due to the stupid, pompous, and greedy.

      In our Capitalist Democracy our leaders, political and religious, place more priority on enforcement of the Digital Millennium Copyright Act (DMCA) and library internet filters than homeland defense. It looks better to the illiterate moral majority bigots that vote and support the economy (the real priority) with questionable profit penalti
  • by lurgyman ( 587233 ) on Monday July 07, 2003 @05:16PM (#6386044)
    And obviously Chinese intel has capitalized on this - successfully directing the US Air Force to its embassy during the Serbian fiasco a few years back...
    • It's just the Air Force's puckish sense of humor.

      I mean, after the French forced the F-111's to go the long way to Libya, BOOM!, there goes the French Embassy in Tripoli.

      The Chinese bought the Clinton administration, made off with designs for nuclear weapons, and stole guidance systems from Loral. Then, BOOM!, there goes the Chinese Embassy.

      God bless 'em!
  • by ascalon ( 683759 ) on Monday July 07, 2003 @05:17PM (#6386045) Homepage
    ... but if they are afraid of untrustworthy software they really should hire someone to make them a custom open source solution. Or something. Yeah.
    • by Thud457 ( 234763 )
      Jeebus Christ, don't those idiots remember what we did in the Inslaw affair? (Not so much what was done to Inslaw, but the backdoors the CIA put into software which was then sold to unfriendly countries.)
      • by Anonymous Coward
        Dammit, twice in one day I forget the sumbitch LINK [webcom.com]! (Notice that link starts with an excerpt from our government's finding on the affair.)
      • Personally, I believe that if any country buys software from another country which they use for sensitive government applications, and that software has backdoors in it, the government that purchased it got exactly what it deserved for its stupidity. If you want real security, you need to develop your code in-house, or use open-source code (and have it audited in-house). Trusting your government secrets to a foreign company is beyond stupid.

        If the US Government is doing the same thing, then they're getti
  • by Goalie_Ca ( 584234 ) on Monday July 07, 2003 @05:18PM (#6386060)
    ...who's to say that there might not be spies writing the software anyway. Can't the NSA write their own source code? They've already contributed selinux.
  • Outsiders (Score:5, Funny)

    by mjihad ( 686196 ) on Monday July 07, 2003 @05:18PM (#6386070) Homepage
    Obviously, having all software written in the US eliminates the risk of having security risks.
    • Re:Outsiders (Score:3, Insightful)

      by vsprintf ( 579676 )

      Obviously, having all software written in the US eliminates the risk of having security risks.

      No. Having all software for government agencies written in the U.S. greatly reduces the risk of deliberately planted back doors and logic bombs. The company in question can't even keep a confidential database secure. From the article:

      The company also does not make customer information stored in its sales support database generally available within the company, he said, adding that it was unclear how it wou

    • No, but having sensitive software written in the US only by programmers employed by the government, and who have passed a background check and obtained a security clearance would mostly eliminate these security risks.

      The US military doesn't farm out its missile design and production to China to save money. It's all done in the US by contractors like Raytheon, where all of the employees have security clearances. So why aren't we doing this with software?
  • Stop tracking (Score:2, Insightful)

    by geekmetal ( 682313 )
    The concerns cut both ways. The Chinese government has repeatedly accused the United States military and intelligence organizations of attempting to conduct espionage by manipulating American products sold in China. The tracking features in Intel's microprocessors and Microsoft's operating system software are of particular concern to Chinese officials, which is one reason China is intent on expanding its own technology industry. And so has the rest of the world.
  • by aberant ( 631526 ) on Monday July 07, 2003 @05:19PM (#6386077) Homepage Journal
    Those guys at MIT constructing the database on government members should get these names. oh what juicy tidbits of info they would be!
    • Probably just 30 engineers who happen to work at the NSA who lead otherwise boring lives. The only reason they're identity-classified is because you can't threaten/blackmail someone working for the NSA if you don't know who they are. If I worked for them, you can bet I wouldn't be telling anyone about it.

      In fact, this whole post might just be an elaborate ruse....
  • The NSA? (Score:2, Flamebait)

    by Dashmon ( 669814 )
    The same people who collect everything I do online?

    Forgive me, but I hope they rot in hell with their compromised software.
    • Re:The NSA? (Score:2, Insightful)

      The same people who collect everything I do online? Forgive me, but I hope they rot in hell with their compromised software.

      What's worse - collecting some bits of what some people do online? Or as China does, censor what online content is available (right down to individual posts on messageboards) to over 1 Billion people?

      Agreed that privacy is an important issue, but like most things, it is relative. Look around at what others have (or haven't) before bitching about your individual situation.
    • The same people who collect everything I do online?

      Forgive me, but I hope they rot in hell with their compromised software.

      Upon analysis of your post, we have decided you are a possible security risk. Given the location you have posted at, "news for nerds" and all, there's also a high probability you are a programmer, and thus able to write "compromised code" yourself if contracted.

      Our people are currently identifying your real identity and should be arriving at your house shortly. Please do not re

  • by BWJones ( 18351 ) on Monday July 07, 2003 @05:21PM (#6386093) Homepage Journal
    Given the recent push to commercialize various aspects of government, this is one of the potential pitfalls. Businesses will subcontract work to the lowest bidder and eliminate one of the internal controls that many government software projects have had in the past.

    • by BWJones ( 18351 ) on Monday July 07, 2003 @05:25PM (#6386134) Homepage Journal
      I should have also said that a number of contracts that one might expect would be internal government projects have more and more been bid out to private contractors. For instance, you might be surprised to find that a number of very sensitive database projects, military police actions and military interventions in the Balkans and Central America are being handled by companies such as Dyncorp [dyncorp.com].

      • Even if they hire their own programmers, who's to say the programmers they hire aren't spies?

        They could perform background checks of the programmers they hire or of all the programmers that work for an IT outsourcing outfit. But even then, it's possible for spies to slip through. After all, do you think anyone's gonna write "worked for Chinese military intelligence as a spy" on their resume? ;)

        This is an inherent problem in running a group like the NSA. You can't trust anyone. The best you can hope fo
        • They could perform background checks of the programmers they hire or of all the programmers that work for an IT outsourcing outfit. But even then, it's possible for spies to slip through. After all, do you think anyone's gonna write "worked for Chinese military intelligence as a spy" on their resume? ;)

          No, you hire a government contracting company where all the employees have obtained USG security clearances. Who do you think builds all the missiles, tanks, fighter jets, guns, etc. that the military uses
        • The answer: Hire Israelis to write the code, and Palestinians to check it.
      • I should have also said that a number of contracts that one might expect would be internal government projects have more and more been bid out to private contractors.

        Yep, no matter how impressive it looks, there's only so much you can do with Powerpoint.

          1. I should have also said that a number of contracts that one might expect would be internal government projects have more and more been bid out to private contractors.

          Yep, no matter how impressive it looks, there's only so much you can do with Powerpoint.

          All kidding aside, there are only so many good programmers and associated professionals. If a government agency wants the good ones, chances are they're going to have to either lure them in, train them from the inside, or buy off the rack; contracto

    • Ok, so now out-sourcing is causing all the information leaks, as opposed to the previous administration, who outright sold [nyu.edu] our secrets to competitor nations.

      As for how the money trails tie together, it's amazing what information Google will find for you [jonathanpollard.org].
  • by instantkarma1 ( 234104 ) on Monday July 07, 2003 @05:21PM (#6386101)
    This is just the tip of the iceberg. I just quit a job (read: by choice, not fired) where some of the software created for the DOD was done by mainland Chinese programmers ....without the knowledge of the DOD. This was software which was tied to a backend database containing sensitive information. No, we are not talking nuclear secrets, but it was information which other non-friendly countries to the U.S. (i.e. anyone but England) would find interesting and useful. I broached the subject numerous times to my employer, who essentially pulled an Alfred E. Neuman (What?!?! ME worry?!?!). Finally, I quit and informed the proper people, washing my hands of the entire mess. While it may sound stupid to quit a high-paying job in this economy, having Bubba as a cellmate made it a lot easier.

    My rambling point is this....the U.S. Government, particularly the DOD, will be using software made by non-friendly parties with an axe to grind, without ever receiving the source code or knowing who actually wrote the software. And what's more, it's been my experience the bureaucracy really doesn't give a sh*t as long as they can pass the buck.

    • This kind of reminds me of the Quake backdoor. (barb barb, do some googling [google.com] to find it out, I can not type it all right now. Ah well, it basically allows anyone at iD software to control a server remotely; the flaw in the backdoor is that you can edit your packets to make them look like they come from iD.)

      I would personally never use software written by someone else (closed source, that is; open source software is great in the way that it will let me see all it can do) for anything remotely secure/sensit
      • > I would personally never use software written by someone else (closed source, that is; open source software is great in the way that it will let me see all it can do) for anything remotely secure/sensitive. I just do not trust people enough.

        Aside: That paragraph should be required reading for anyone who thinks NSA's just being silly here. Don't just read it, understand it. Drink it in its fullness. Sear it into your memory with red-hot nichrome wire.

        Now, grok this: If you wouldn't trust yo

        • Now, grok this: If you wouldn't trust your secrets to code you couldn't audit yourself, why should you expect NSA to?
          Similarly, why should any government use non-OS software? Or more particularly, why should any non-US gov buy MS software?
          Taken to its logical extreme, why should anybody ever use non-FOSS software?

          I suspect the answer lies in a combination of ignorance (lack of knowledge, not stupidity), habit, convenience, cost (perceived?).

      • Are you kidding me? Think of how much we Americans actually know about what our Govt is doing and the information it has. Very little.

        There are plenty of secrets worth spying. Espionage is alive and well.
      • Otherwise I would guess that all you can get is dirt-throwing material. Possibly of the grade that some high ranking officials will have to resign or go to jail, but what is the big deal? It suits them right to get punished for their crimes.

        Ummm... that dirt-throwing material that you dismiss is a spy's wet dream. Ever hear of blackmail?

    • My rambling point is this....the U.S. Government, particularly the DOD, will be using software made by non-friendly parties with an axe to grind, without ever receiving the source code or knowing who actually wrote the software. And what's more, it's been my experience the bureaucracy really doesn't give a sh*t as long as they can pass the buck.

      Excellent points, but in some cases, they do know that possibly "non-friendly parties" are writing the software and use it anyway. Recently, U.S. government agencie

  • Easter Eggs (Score:2, Funny)

    by L. VeGas ( 580015 )
    NSA is about total information, right?

    I think it's a good idea that NSA software is developed in China. I bet there are "undocumented" key combinations that will disable Macrovision and regional restrictions.
  • Trusting trust (Score:5, Interesting)

    by robindmorris ( 682328 ) on Monday July 07, 2003 @05:23PM (#6386115)
    I RTA, and the whistleblower claims that the Chinese could have the opportunity to put something malicious into the code. The company claims that work for the US Govt. is not sent out to China. The security agencies say that they audit all outside code anyway.

    The bigger issue is not where the code is written, it's whether you can audit the source yourself (and whether you actually do so).

    See reflections on trusting trust [acm.org] for a nice article about why, if it really matters, you should be careful with other people's code.

    • Good post!

      Security problems are like bugs, only harder to find. It's easy to write a bug that will slip through a code inspection. Would you trust an audit to uncover a cleverly crafted malicious security hole? Even if the auditors were as good as the OpenBSD team, which is a tall order?

      I'd recommend controlling the environment the software runs in, so as to contain the damage done by a security problem. Then screening vendors for trustworthiness, then auditing their output to give yourself a chance of ca
    • Re:Trusting trust (Score:5, Insightful)

      by FredThompson ( 183335 ) <fredthompson&mindspring,com> on Monday July 07, 2003 @05:53PM (#6386363)
      A common misconception is that the NSA buys/evaluates software the same way Joe Blow does.

      I've been there and written code. Got a joint service commendation medal for software work for nuke command & control. The review process for critical code is excruciating.

      This article is a lot of FUD.

      Did you notice they don't make ANY claim whatsoever about what TYPE of software development? Hmmmm...that's interesting.

      It's always possible espionage can happen. Having said that, there's a LOT that goes on at the NSA. Look at the publicly available pictures of the headquarters building. Ever wonder what it takes to feed and supply people and keep it clean?

      There are different levels of software oversight, just as in the "outside" world. Yes, I RTA, and all I see is what looks like someone who was outside the loop making FUD statements about what's inside the loop.

      Did you notice this doofus hasn't been on the job that long? Did you notice he was "alarmed" that the names of people were available? Well, duh!!

      If you need to contact someone because you're contractually obligated to them, don't you need to know who they are and how to reach them? My family could pick up the phone and call me at work anytime they wanted, and they met a lot of the people I worked with. This guy has watched too much TV. How does he think contractors communicate with the NSA? Trap doors and dead drops?

      FWIW, I've never used or owned a shoe phone. Nor did we talk under a cone of silence.

      Personally, I like "Alias" but let's get real, everyone doesn't sneak around through hidden doors with code names.

      To my eyes, this guy didn't have access to much of anything. Maybe he wanted to get into the secure side of the development and was refused. Hmmm..ya think?
      • I spent some time around NSA, and I thought it was funny, cause the guys in the Laurel area would be like, "I can't tell you where I work." Which meant I work for NSA. Then when you got to places like Ft. Smallwood/Jacobsville, and Columbia. "What do you do for a living?" "I work at NSA." "Oh then I guess you can't say what you do." "Well lets just say it involves the fact I speak Russian/Spanish/some other language," or "I use a lot of math to figure stuff out about where satellite signals come from.
      • A common misconception is that the NSA buys/evaluates software the same way Joe Blow does.

        And as a former senator [wpunj.edu], Mr. Thompson should know!

  • by The Old Burke ( 679901 ) on Monday July 07, 2003 @05:24PM (#6386117)
    NSA is so important that they should be allowed to use whatever software solutions they have to.

    China is a free, democratic and trustworthy country with a growing group of software developers. I'm sure that they could make something secure for NSA that we could lay our nation's hands in. It's extremely important that we help to foster proprietary solutions that will help business abroad.

    And after all, it's much better to use secure and trusted solutions from a close ally than having to resort to some of those old versions of UNIX. Now that SCO probably wins their case and AIX and Solaris go down the drain, it could be nice to have some other alternatives than only American software. Because we all know, as DARPA found out, that you just can't trust FreeBSD and Linux in an environment like the NSA needs.

  • This guy sounds a bit paranoid to me. As far as I'm concerned it's the US Government's job to look into things like this, not his. Does he honestly think the *NSA* would buy software with huge security holes? One might wonder if the names he saw were fake in the first place; I personally doubt the *NSA* would just give them out. Or maybe I just give them more credit than they deserve...
  • by slyguy420 ( 193568 ) on Monday July 07, 2003 @05:26PM (#6386144) Homepage
    whatever you do, don't buy that fancy new software from skynet!! /ahnuld accent on "Trust Me" /off
  • Nothing new (Score:2, Flamebait)

    by FooGoo ( 98336 )
    As someone who performs security code reviews on outsourced code, I can say that this happens all the time. When everyone was outsourcing code to India for Y2K work, we found back doors all over the place. Everyone does it. It's a form of R&D. Give country X a project, review the technical capabilities of country X people.
  • by crism ( 194943 )
    This is definitely a problem. I used to support the CIA as a customer, and though the users were only identified by first name, we had home addresses for a few because they sometimes wanted us to ship stuff in a hurry and not have it slowed down by inspections.
  • Companies which have code written outside of the U.S. should pay duty or tariffs on each license they sell just like vendors of manufactured items do. That would slow down the Great Tech Job Exodus. [washtech.org]
    • Companies which have code written outside of the U.S. should pay duty or tariffs on each license they sell just like vendors of manufactured items do. That would slow down the Great Tech Job Exodus.

      Tariffs hooray!

      Don't let that nasty Free Trade concept get in the way! Oh yeah and how do you plan to do this? What about free software? Do we pay only if we pay for the distro, are we off the hook if we download it for free? Ok, maybe we only pay the tariff if we buy the distro. What about BSD code, do
      • Exactly. All tariffs do is slow down the economy. Just because some Indian can sling crappy VB code faster than you doesn't mean that you have a right to do it for more money. The fools who complain about outsourcing tech jobs are just not providing a marketable service to people. I'm not here to make sure they make money, nor should the government. Instead of passing the buck on to someone else, maybe they should put the blame on themselves for being unemployable.
      • Why the fuck should we leave tariffs behind? Tariffs kept countries competitive and level for YEARS. All free trade has done is increase the disparity between the rich countries and the poor ones, increase the disparity between rich people and poor people in both countries, and decrease the general quality of goods and services.

        Free trade is killing american prosperity and isn't helping other countries catch up so much as it is giving outsourcers an excuse to allay the morality of dangerously antisocial
      • Excuse me for being naive but I had hoped that we in the tech community had left this kind of thinking behind.

        You're excused, and the original poster obviously wasn't talking about OSS. The EU is demanding that all U.S. digital products sold there include a VAT. No doubt, you will tell us how that differs from a tariff. Personally, I'm not happy about all my personal (credit card) information being handled overseas in countries known to be unfriendly to the U.S. (which is pretty much everybody these d

  • "stressed that he had seen no evidence of espionage or other wrongdoing by Platform employees either in Canada or China"

    If he's really so worried about the threat to national security posed by the list of contact names, he should report it direct to the NSA.

    "tamper with software being used by [NSA]" - that would be true wherever the software was written and regardless of who wrote it.

    Presumably, the NSA has its own procedures for vetting and accepting new software - or are they really a bunch of innocent
  • Uh. Wow. (Score:5, Funny)

    by Elwood P Dowd ( 16933 ) <judgmentalist@gmail.com> on Monday July 07, 2003 @05:48PM (#6386305) Journal
    I know someone that has a small software company that's done contract work for the CIA. He is much, much more careful with his software than that, and would never make a mistake like that because he'd be afraid that he'd lose his security clearance and never be able to get his cushy government contracts.

    He also said that he worked for a certain salad dressing company once, and they were much more careful about their trade secrets (recipes) than the CIA was about anything.
  • by kaltkalt ( 620110 ) on Monday July 07, 2003 @05:53PM (#6386356)
    There's no other way to see it. It is grossly negligent for any agency involved in national security (NSA, CIA, NRO, FBI, etc.) to outsource software. Any "budget" or "manpower" excuse is unacceptable. Frankly, the US should have a "National Coding Office" to make all government software. Nothing should be purchased from Microsoft, and it sure as hell shouldn't be purchased from the Chinese communists (i.e. the enemy). Would we have outsourced to the Soviets during the Cold War? Apparently so.
  • Platform Software (Score:4, Interesting)

    by rf0 ( 159958 ) <rghf@fsck.me.uk> on Monday July 07, 2003 @05:53PM (#6386357) Homepage
    In a previous job I dealt with a piece of Platform software called LSF (Load Sharing Facility). Now I have to say it was a very complicated bit of software which to me seemed to be a mixture of shell scripts, binaries and NFS/SMB mounts. After actually doing the training courses my belief didn't change, and I regularly found bugs in it.

    Now this might have just been the SGI version, but overall, taking this as a particular example, the quality of the code was terrible and 1/2 had undocumented features.

    Just my 2p

    Rus
  • by AxelTorvalds ( 544851 ) on Monday July 07, 2003 @05:56PM (#6386386)
    I've wondered about this for years. In some circles they talk of the near mystical powers the NSA must have and how they must be like 20 years more advanced than the private sector. Every time I've dealt with the feds and IT stuff I'm amazed we're doing as well as we are because it is such a cluster fuck.

    Why should the NSA be any better? Why would the best of the best go there when they can make a whole lot of money in the private sector? I'm not just talking about the mathematicians, computer guys and cryptographers either; you need the top notch managers to run those groups and deal with the compartmentalization that goes on while still motivating and producing top quality results. I could see the government rounding up geeks and math guys; I couldn't see them cultivating that leadership or hiring much of it.

    Honestly, I think their biggest thing is that they never get tired or run out of resources. That's how the FBI caught the unabomber, they just kept looking and looking and looking and then they got him. There are textbook methods and approaches to security. Their ciphers have looked like they simply follow them and are extremely conservative and diligent.

    • I've wondered about this for years. In some circles they talk of the near mystical powers the NSA must have and how they must be like 20 years more advanced than the private sector.

      You mean stuff like this [milk.com], right?
      • From the linked article:
        The Grays have reneged on their abduction quota agreement, and are abducting many more people than before. Most of these are returned, after being implanted with a device which allows the grays to have total control over their thoughts and actions. Approximately 40% of Americans now carry one of these devices, which are impossible to remove without killing the host.

        So this is why Americans seem so stupid these days!
    • by maelstrom ( 638 ) on Monday July 07, 2003 @06:25PM (#6386632) Homepage Journal
      "That's how the FBI caught the unabomber, they just kept looking and looking and looking and then they got him."

      Only half right. The FBI did not get tired of looking for him, but that is not what led to his capture. The fact is the unabomber got cocky, published his manifesto, and the feds got lucky enough that his brother had the moral fortitude to turn in his own brother.

      The FBI deserves almost no credit for catching the unabomber. Even their much vaunted behavioral profiles were off the mark.

    • by Goonie ( 8651 ) *
      There are several reasons why it's reasonable to assume that the NSA may have had (and may still have) a very substantial lead over the open world in secure communications technology:
      • Modern cryptography didn't really become important until the 1960's and 70's in the open world. The NSA, its predecessors, and its sister agencies (GCHQ, DSD, and so on) have been working on it very hard since World War II.
      • They have huge financial resources, so they could afford to build a DES brute-force cracker well befor
  • by Alsee ( 515537 ) on Monday July 07, 2003 @06:06PM (#6386455) Homepage
    Let no one make the mistake that this story has any connection to "trustworthy computing". The story does not use the word "trustworthy", much less suggest that the NSA should use trustworthy computing.

    Anyone who suggests that trustworthy computing would be good for government security doesn't know what they are talking about. Trustworthy computing would be an absolute disaster for security. Any intelligence agency on earth can dig one of the keys out of trustworthy hardware and beat the system. Hell, college students with access to a well stocked university lab can break the hardware security and beat the system.

  • by swordgeek ( 112599 ) on Monday July 07, 2003 @06:27PM (#6386651) Journal
    OK, I read this article this morning.

    The guy is telling the NSA stuff they already know, and have signed off as acceptable. His company was entirely above board in explaining their operations to the NSA in the first place.

    Everyone involved knows what's going on. He is the only person who seems to have a problem with it. It doesn't sound like whistle-blowing to me, as much as whining.
    • The guy is telling the NSA stuff they already know, and have signed off as acceptable. His company was entirely above board in explaining their operations to the NSA in the first place.

      You're right about the overseas-code issue if the NSA signed off on it, but the CNet article starts by discussing the list of NSA employees in the company's database. This should be a concern if they did not discuss the database as well.

  • by Osrin ( 599427 ) on Monday July 07, 2003 @06:39PM (#6386751) Homepage
    Like all secret service orgs, the NSA has many arms dealing with various levels of classification and security. If you want to know more about them, just go to http://www.nsa.gov; if you want a collection of names of people who work there, go to http://www.nsa.gov/releases/speeches.html, learn who they are and feel free to digest all that they have to say. This is the story of a guy who was fired for missing his performance goals; he should be laughed at, not heralded as a hero. I'm not sure anybody really cares about the 30 procurement execs that he found in his company's CRM system. You can bet your bottom dollar that any contractors working on secret systems will have been vetted; depending upon the classification level, there is a good chance that the vetting will go down to employee level. I therefore have to assume that the work that Platform are doing is non-essential. I for one am glad to see the Government spending our dollars a little more wisely than they would be if they applied the highest level of security regulations to all of their systems.
  • Okay. So they test LSF in China.... big deal. C'mon people! LSF is written by CANADIANS! This is the country with 90% of its population within 200 miles of our northern border; they are poised for invasion! This is the country that is secretly spewing tons of CFCs into the atmosphere to drive up their real estate prices through global warming. While the lower 48 is a desert wasteland, those hockey-loving, eh-sayin' canucks will be living in a tropical paradise! Do you think it is a coincidence that micr
  • I can say that when a company does write software for something that goes into a military project, it has to conform to certain coding standards. IEEE 12207 is the standard most used for the US military.

    So the software put into these electronics is well documented with specifications, design documents and quality assurance documents.

    The government also gets to review all source code supplied along with running their own tests and so on to ensure that the software is of the proper quality. The master
  • "a whistle-blower who helped sell software to the National Security Agency says that much of the development work is subcontracted to China,"

    How incredibly STUPID..
    And I thought the NSA was smarter than that.
    They even have developed a secure version of the kernel and have it for public download: http://www.nsa.gov/selinux/ [nsa.gov]

    My faith has been shaken...
  • by eniu!uine ( 317250 ) on Monday July 07, 2003 @07:57PM (#6387260)
    Next thing you know we'll be trusting our software development to Finnish nationals.

  • by PetoskeyGuy ( 648788 ) on Monday July 07, 2003 @10:18PM (#6388126)
    "Of course we knew that Platform has subsidiary offices all over the world, including China," said Kevin Roark, a spokesman for the Los Alamos laboratory. He said the lab reviewed all of the basic programmer instructions, known as source code, before running software used in classified applications. "The reality of software in the 21st century," he said, "is you count on software having source from foreign sources."

    I agree with another poster who mentioned SELinux. The NSA knows how to write secure software and how to audit software and source code. Assuming they build their own binaries from the source, it should be a relatively safe system. The only potential security problem I can see is that outsiders may know exactly what they are running. But assuming it's properly designed and implemented, that shouldn't be a problem either. That's why everyone likes Linux/BSD so much.

    Los Alamos has a history of physical security problems that should cause more worries than this: hard drives disappearing, and reporters sneaking in at night, getting locked in, and then the guards letting them out when they found them.
