Does Offshoring Threaten Combat Software?

Posted by kdawson on Thu Nov 02, 2006 11:33 AM
from the pentagon-pondering dept.
PreacherTom writes, "Pentagon officials report that 'maliciously placed code' could compromise the security of the Defense Department and, ultimately, hurt its ability to fight wars. The culprits: offshore programmers. While the Pentagon has stepped up its vendor screening and software testing of late, it's becoming more difficult and costly to test every line of software code on increasingly sophisticated weapons systems. The task force assigned to this issue will be soon presenting its report, and most likely will determine that offshoring presents too great a risk."
  • Offshoring will save costs, and ensure that overseas developers, often with considerably greater knowledge of these systems, will be able to develop them. The risks are totally negligible. I say we petition the government to offshore more development.

    Yours - Cylon number 6
    • overseas developers, often with considerably greater knowledge of these systems will be able to develop them
      I think that's the real issue here. The US military and defence industries (should really be called attack industries now) spend a fortune developing advanced weaponry and they are probably less than amused that a bunch of Indian/Chinese/Durkastani developers have such detailed knowledge of their systems and potential weaknesses.
      • Re: (Score:3, Informative)

        The US military and defence industries (should really be called attack industries now)

        At one time, the US had a "War Department" and a "Secretary of War". Sometime in history, we changed the name to "Department of Defense" and "Secretary of Defense". This happened about the time we stopped using the army for actual defense of the country and instead started using it to bully the rest of the world.
        • Re: (Score:2, Insightful)

          This happened about the time we stopped using the army for actual defense of the country and instead started using it to bully the rest of the world.

          Let's see now, who have we directly bullied since the War Department became the DoD?

          North Korea - fuzzy, cuddly little things they are, what with the gulags, starvation, totalitarianism, etc.

          North Vietnam - strict followers of peace and non-aggression, them. Never hurt a flea.

          Grenada - after cuddly little Cubans took over the island nation by force and

            • Re: (Score:3, Insightful)

              So if a country's leaders are assholes, then the US has the right to butcher its people????

              Where do you come up with this garbage? After all the wars listed by GP, we have yet to fill up a single mass grave of civilians. We have, however, found many filled by the country's previous asshole leaders. No one seems to give a shit about that!

              So, to edit your statement to make it true:
              So if a country's leaders are assholes, then the US has the duty to prevent the butcher its people????
    • You know, the whoosh the previous posters heard was the joke going completely over their heads.

      (Hint: the signature should be a dead giveaway.)
        • I don't watch BSG ;~(

          I am missing out.


          No worries. :-) In short, during the Battlestar Galactica miniseries, it's established that a Number Six model Cylon (who'd come to be known as "Caprica-Six") seduced Gaius Baltar and convinced him she worked for a rival defense contract company. She got him to show her the source code for the software he developed for controlling military vehicles.

          As a result, the Cylons found a remotely exploitable bug in the software; when the Cylons launched their surprise attack,
    • In the early 20th century, domestic arms production was a prestige thing for most countries. The thought being that in the event of war, supplies of needed material would be interrupted if the factory was not at home. The political ramifications were prickly too; Example: The Austro-Hungarian Empire had standardized on the model 1907 Roth Steyr pistol for their cavalry but as the "Dual Monarchy" needed to apease various factions, the armory for this weapon was set up in Vienna and duplicated completely i
      • Re: (Score:3, Interesting)

        "Government however should promote within its own and never send work away."

        Not too long ago, I had the chance to go to a contractor convention of one of our major clients. There, I had the chance to meet our Chinese counterpart and even though he seemed very energetic and enthusiastic it was apparent he was far from being on the same level as most of the contractors over there.

        Later on, I asked our client what was the deal with the Chinese contractor. It turns out the client won a huge government contra
      • The U.S. military does not want foreigners to have this knowledge, and for good reason.

        At least, not without paying a hefty fee for the privilege. Otherwise, it would be like Microsoft giving away free copies of Windows.
  • FTA:"We're happy to use Microsoft"

    Some people never learn. [wikipedia.org]

    Maybe they could just ask to see the source code and audit it themselves, or just use software with the source code available. It's not as though they need to write it themselves, just be able to examine the source code. If they don't want to, well, they get what they deserve.

    • Wow. That's pretty bad. Entering a zero into a field causes the ship's propulsion to die because some programmer, and all his reviewers, couldn't be bothered to check for zero in a division algorithm.

      That's par for the course for MS. Remember the expandable menus? Hope you didn't hover your mouse a moment too long before clicking -- you might have saved your document when you were looking for the page setup.

      But then, I've seen it in open source too. Not monitoring the critical paths closely enough. Ha
      • Entering a zero into a field causes the ship's propulsion to die because some programmer, and all his reviewers, couldn't be bothered to check for zero in a division algorithm.

        Well, that's probably because the programmer didn't write the division algorithm himself. I may be going out on a limb here, but I believe the programmer may have used a built-in operator from the programming language he was using, the operator being called "/".

        But seriously, these sort of things happen. And in fact, at the time

        • Well, that's probably because the programmer didn't write the division algorithm himself. I may be going out on a limb here, but I believe the programmer may have used a built-in operator from the programming language he was using, the operator being called "/".

          Very funny, asshole. I was talking about the function that contained that "/". *That* function should have made sure all denominators would be non-zero. That part of the package is most certainly *not* experimental. On that task, basic programmi
    • "In September 21, 1997 while on maneuvers off the coast of Cape Charles, Virginia, a crew member entered a zero into a database field causing a divide by zero error in the ship's Remote Data Base Manager which brought down all the machines on the network, causing the ship's propulsion system to fail."

      I'm not sure what Microsoft had to do with bad data entry.
      • I'm not sure what Microsoft had to do with bad data entry.


        Well, really bad data entry validation. Which would be the fault of the author of the database front-end. Whether that was Microsoft or a U.S. Navy software development team is unknown based on that article.
    • WinNT did not fail. On a test platform, not an operational ship, running non-release versions of software: A client application accepted incorrect input. A server application accepted this bad data, performed a bad calculation, and corrupted its database. Client apps that tried to use this database crashed. These events are OS independent, the same thing would have happened under MacOS X or Linux. The publisher of the original article that blamed WinNT later distanced themselves from the article calling it
      • A server application accepted this bad data, performed a bad calculation, and corrupted its database. Client apps that tried to use this database crashed. These events are OS independent, the same thing would have happened under MacOS X or Linux.

        Yeah, because *every* OS out there fails to check for valid input, and in fact, *must* fail to check for valid input.
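The failure mode argued about in this subthread (a zero reaching a division, and the resulting crash taking down every client of the shared database) is, from a defender's point of view, a missing boundary check on the server side. The following is an added example, not code from the article or from any poster: it validates a numeric field before it is used as a divisor and rejects only the bad record, so one malformed entry never takes the whole batch down. The record layout, field names and sample values are constructed for illustration.

```python
"""Server-side input validation before division.

Added example. The Reading layout, the field names and SAMPLE_BATCH are
constructed for illustration; they are not from the incident in the thread.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Reading:
    sensor_id: str
    total: float       # quantity measured over the interval
    interval_s: float  # interval length in seconds; must be > 0


class ValidationError(ValueError):
    """Raised for a record that must not reach the calculation."""


def parse_field(raw, name: str) -> float:
    """Parse a numeric field; reject missing, non-numeric or non-finite input."""
    try:
        value = float(raw)
    except (TypeError, ValueError):
        raise ValidationError(f"{name}: not a number: {raw!r}")
    if value != value or value in (float("inf"), float("-inf")):
        raise ValidationError(f"{name}: not finite: {raw!r}")
    return value


def validate_reading(raw: Dict[str, str]) -> Reading:
    """Do not trust the client: the divisor is checked here, on the server."""
    total = parse_field(raw.get("total"), "total")
    interval = parse_field(raw.get("interval_s"), "interval_s")
    if interval <= 0:
        raise ValidationError(f"interval_s: must be positive, got {interval}")
    return Reading(str(raw.get("sensor_id", "")), total, interval)


def rate_unchecked(raw: Dict[str, str]) -> float:
    """The pattern under discussion: divide straight from the stored field."""
    return float(raw["total"]) / float(raw["interval_s"])


def unchecked_fails(raw: Dict[str, str]) -> bool:
    """True if the unchecked path crashes on this record (ZeroDivisionError)."""
    try:
        rate_unchecked(raw)
    except ZeroDivisionError:
        return True
    return False


def process_batch(records: List[Dict[str, str]]) -> Tuple[Dict[str, float], List[Tuple[str, str]]]:
    """Return (rates, rejections): bad records are rejected, good ones proceed."""
    rates: Dict[str, float] = {}
    rejections: List[Tuple[str, str]] = []
    for raw in records:
        try:
            r = validate_reading(raw)
        except ValidationError as e:
            rejections.append((str(raw.get("sensor_id", "")), str(e)))
            continue
        rates[r.sensor_id] = r.total / r.interval_s
    return rates, rejections


# Constructed sample batch: one good record, one zero interval, one non-numeric.
SAMPLE_BATCH = [
    {"sensor_id": "s1", "total": "120", "interval_s": "60"},
    {"sensor_id": "s2", "total": "5", "interval_s": "0"},
    {"sensor_id": "s3", "total": "7", "interval_s": "abc"},
]

if __name__ == "__main__":
    rates, rejections = process_batch(SAMPLE_BATCH)
    print("computed:", rates)
    print("rejected:", rejections)
    print("unchecked path crashes on s2:", unchecked_fails(SAMPLE_BATCH[1]))
```

The point of `process_batch` is containment: the validated path reports the two bad records and still produces a result for the good one, whereas `rate_unchecked` raises on the first zero and, in a shared service, would take every dependent client with it.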
      • ... and therein lies the problem. The Windows(blank) code base is simply too widespread for a specialized application like this. If they used a stripped down Linux kernel with only the bare essentials for the system in question, no IE, Notepad, or Minesweeper, then it's well within the realm of capability for a small team to review every single line of code. It may have made sense in the Win on DOS days, but the current MS arch is far over engineered for these types of applications.
          • A ship with a metal hull is good for attracting mines. That's why supertankers were used in the Persian Gulf when the U.S. warships were "protecting" them from Iraq in the 1990's.
  • by Control Group (105494) * on Thursday November 02 2006, @11:39AM (#16690031) Homepage
    "Pentagon officials report that 'maliciously placed code' could compromise the security of the Defense Department and, ultimately, hurt its ability to fight wars. The culprits: offshore programmers. While the Pentagon has stepped up its vendor screening and software testing of late, it's becoming more difficult and costly to test every line of software code on increasingly sophisticated weapons systems. The task force assigned to this issue will be soon presenting its report, and most likely will determine that offshoring presents too great a risk."
    Blaming "offshoring" is a neat wave of the bloody shirt, but I don't think it's relevant to the problem. Take the word "offshoring" out of that quote, and replace it with "outsourcing." Does it still make sense? Let's see:

    "Pentagon officials report that 'maliciously placed code' could compromise the security of the Defense Department and, ultimately, hurt its ability to fight wars. The culprits: offshore programmers. While the Pentagon has stepped up its vendor screening and software testing of late, it's becoming more difficult and costly to test every line of software code on increasingly sophisticated weapons systems. The task force assigned to this issue will be soon presenting its report, and most likely will determine that outsourcing presents too great a risk."

    Looks like it does.

    If the problem is that there aren't enough resources (including time) to do a sufficiently thorough audit of all the code, then it doesn't matter where the code was written, does it? Do we really suppose that a malicious actor would have that much harder a time getting a job for a DoD contractor in the US than overseas? Do we really suppose that it would be that much more difficult to suborn a programmer overseas than here?

    Or, more accurately, is it enough more difficult in either case for us to be confident of code written inside the country as opposed to outside?

    It's not that I do think that offshored code is trustworthy, it's that I don't think "onshored" code is. And if we can't trust either, what does offshoring have to do with anything?
    • There are levels of trust just like there are layers of security. Outsourced code is probably a little bit safer than offshored code, not to mention having economic benefits. It's also easier to prosecute people on our shores. We can't afford to go to war with China if we find something malicious in code/hardware that comes from that country.
    • Re: (Score:3, Interesting)

      Do we really suppose that a malicious actor would have that much harder a time getting a job for a DoD contractor in the US than overseas? Do we really suppose that it would be that much more difficult to suborn a programmer overseas than here?

      Yes and yes (good word, by the way, had to look up "suborn"). We may not have the man power here to conduct a thorough, line by line audit, but we do have legions of background investigators. And, it's currently illegal for a non-US citizen to hold a security cle

    • Or, more accurately, is it enough more difficult in either case for us to be confident of code written inside the country as opposed to outside?

      No, no, you don't understand. See, the world is divided into the 300 million people who live inside our borders and the 6 billion outside. Every single one of the 300 million insiders is a patriotic hard working American who could never write any insecure code, intentionally or not; only the outsiders are suspect. Any rare exceptions to this rule are therefore c

    • Re: (Score:3, Interesting)

      Here's why the US government is so concerned about someone hiding a trojan horse inside sensitive code: The U.S. has done it to other countries before.

      Click here [ranum.com] for a fascinating article describing how the CIA and FBI managed to sell to the Soviets some chips with bungled operations "hidden" in the chips, to be used for their shiny, new Trans-Siberian natural gas pipeline. The result was the largest non-nuclear explosion ever seen from space.

      What goes around, comes around, and the government is get

    • Do we really suppose that a malicious actor would have that much harder a time getting a job for a DoD contractor in the US than overseas?

      I guess you don't, but yes, I suppose so.

      Not that I care all that much either way.
    • If the problem is that there aren't enough resources (including time) to do a sufficiently thorough audit of all the code, then it doesn't matter where the code was written, does it? Do we really suppose that a malicious actor would have that much harder a time getting a job for a DoD contractor in the US than overseas? Do we really suppose that it would be that much more difficult to suborn a programmer overseas than here? Or, more accurately, is it enough more difficult in either case for us to be confi

      • But is it so much harder to do here that we can trust all the coders in this country?

        That's the question. Like I said, offshored code is less trustworthy. I don't believe, however, that locally sourced code is more trustworthy enough to not need review.

        And if the review process is the problem, as the article says, than it doesn't matter where the code comes from.
        • You are confusing the issues. First, the finished code must be trustworthy. This is done by having skilled programmers, skilled managers, using the right tools, the right development methods, as well as the right testing methods. And of course you also need to be able to trust those programmers, so they don't put in backdoors, deliberate bugs, etc. Although the risk is probably pretty low.

          Secondly, you need everyone involved in the project to be trustworthy. Having the best team in the world develop the

        • Okay... let's make it as obvious as possible.

          Is it safer to hire
          * a citizen with security clearance to do the coding?
          * a citizen of a country we are friendly with?
          * a citizen of a country we are neutral with?
          * a citizen of a country we are hostile but not at war with?
          * a citizen of a country we are currently at war with to do the coding?

          Now keep in mind, that even if we are not in an open bullets flying war with China, they are still basically at economic war with us and very hostile. And that lots of peop
      • Wow, you're paranoid ...

        Should the Department of Defence in every Non-American country in the world develop their own operating system rather than use Windows or Unix because those systems are (mostly) developed in the USA?

        The answer is probably not ...

        The fact is that in the modern world Corporations have no interest in Nationality and are (exclusively) profit motivated. The US DoD pays really well compared to most other clients in the world and their main requirement is security. It really doesn't matter i
  • ...what if they'd offshored WOPR?

    "How about a nice game of Chinese Checkers?"

  • I am all for cutting costs where need be, but there should be a line drawn somewhere. Send the web app that tracks sales of a company offshore. Don't send software that the department of defense uses offshore. At the very least, you buy 'accountability'. I don't know how easy it would be to track down the person who worked on the program in a different country.
  • New tag: "noshit" (Score:3, Insightful)

    by Kadin2048 (468275) <slashdot@kadin.xoxy@net> on Thursday November 02 2006, @11:40AM (#16690059) Homepage Journal
    I'm glad the Pentagon finally woke up to reality, where maybe it's not such a hot idea to pay some Indian contract programmers a few bucks an hour to write the firmware for your cruise missiles.

    I'm not sure of the exact law, but I believe there is one which basically says, all U.S. defense procurement must come from domestic sources, unless it's some exceptional item that can only be purchased abroad. Maybe we need a law like that for government contracting and outsourcing. Unless there's a demonstrable reason for having to do it offshore, it shouldn't be.
      • The Pentagon does not pay $600 for a toilet seat; they never have and never will. What you see on those budget sheets was a quick and dirty accounting trick to hide where the funding for various black ops went.
  • I imagine they were probably more concerned with other issues like foreign programmers who could easily be hired to work on other military projects for rivals. They'd even have large parts of the source available while programming on such systems and even if they didn't create backdoors they could still try and hack the system later if there was a change in their situation.
  • ...there has never been anyone located in the United States that has worked on a sensitive project and worked to compromise its success and otherwise betray the US to enemies. So, obviously, offshoring is the only concern, not the complete inadequacy of the testing and verification procedures at the Pentagon.

  • It's not clear to me what software the Government is outsourcing or has outsourced or is considering. But it does seem they have at least dabbled in weapons systems and other software related to warfare being offshored. I can think of reasons this isn't a good idea...

    • first (and maybe most importantly) if we are creating and structuring a defense system for our country, why would we ask others to write the software? Would we outsource our soldiers for the military?
    • relatedly, when there are wars, why wo
  • Inconsistency (Score:5, Interesting)

    by Flying pig (925874) on Thursday November 02 2006, @11:47AM (#16690177)
    The UK government buys military equipment from the US which contains software which it is not permitted to review, and indeed for which it may not be allowed the latest version. And we are supposed to be about the only real international friend the US can rely on.

    And this software which we are not allowed to review may have been written by offshore programmers who will know perfectly well that they are doing the job because they are cheaper, and have absolutely no patriotic investment in the US?

    I wonder how many other global empires have been brought down by the desire to make a quick buck?

  • There is an old military saying that goes something like, "Do not worry about your weaknesses, the Enemy will be more than happy to demonstrate them to you." - Unknown
  • A maliciously placed car can kill someone, too. So maybe we should remove all cars?

    Simply put, don't use offshore devs --- it's all in the contracts. You know, the ones that result in toilet seats costing thousands of dollars....

    If defence programming is going to be open to companies anywhere in the world, then what exactly are you defending against?
  • by britneys 9th husband (741556) on Thursday November 02 2006, @12:15PM (#16690627) Homepage Journal
    Maliciously placed software code is already weakening our military and hurting its ability to effectively fight wars. And that code was developed by Diebold right here in the USA.
  • Of course offshoring combat software opens a greater likelihood of threat! Duh! That doesn't mean that home grown coders won't ever betray trust either, but if we can spend billions of dollars on rockets and bombs, then surely we can spend what it takes to use our own developers to write and test combat software! The very thought of important defense software being written in foreign countries, that may or may not remain friendly, is patently absurd. There are just some things you should do for yourself.
  • The basic liberal (in the commonly used sense) position on globalization isn't that it is bad in principle. It is just bad when it connects us to places with very low standards for human and labor rights.

    While we have our own home grown terrorists (Timothy McVeigh, Richard Reid, Ted Kaczynski et al), the condition of human rights and economic development in low wage, low cost countries poses a particular security concern, not only for military contracting but for commercial espionage. I'm not concerned ab
  • Here's what scares me: The Intelligent Platform Management Interface [intel.com] (IPMI) and the Remote Management and Control Protocol [microsoft.com] (RMCP). Many machines in the field implement these protocols in the network controller, independent of the operating system.

    These are UDP-based protocols, on port 623. They can be sent from anywhere on the Internet; not just local machines. They provide total power over the target computer. Functions include:

    • Change boot device for next boot, including boot from network.
    • Turn
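The concern raised in this comment is reachability: RMCP/IPMI listens on UDP port 623 in the network controller, below the operating system, so the practical defensive question is whether that port is reachable from anywhere other than the management network. The following is an added example, not code from the article or from the poster: it runs over a few constructed firewall log lines and flags UDP/623 traffic whose source lies outside an assumed management network. The log line format, the management prefix 10.10.0.0/24 and all addresses are assumptions made for this illustration.

```python
"""Exposure check for RMCP/IPMI (UDP/623) in firewall logs.

Added example. The log format, MGMT_NET and SAMPLE_LOG are constructed for
illustration; they do not come from any product or from the article.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Assumed: out-of-band management is only legitimately reached from this network.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")
RMCP_PORT = 623

# Constructed line format: "<ts> <ACTION> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>[A-Z]+)\s+(?P<proto>[a-zA-Z]+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line into fields, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry: Dict[str, object] = m.groupdict()
    entry["sport"] = int(m.group("sport"))
    entry["dport"] = int(m.group("dport"))
    return entry


def is_exposed_rmcp(entry: Dict[str, object]) -> bool:
    """True for UDP traffic to port 623 whose source is outside MGMT_NET."""
    if str(entry["proto"]).lower() != "udp" or entry["dport"] != RMCP_PORT:
        return False
    src = ipaddress.ip_address(str(entry["src"]))
    return src not in MGMT_NET


def find_exposures(lines: List[str]) -> List[Dict[str, object]]:
    """Return the parsed entries that represent RMCP reachable from outside."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and is_exposed_rmcp(entry):
            hits.append(entry)
    return hits


def accepted_sources(lines: List[str]) -> List[str]:
    """Sources of exposures the firewall let through; these need attention first."""
    return [str(e["src"]) for e in find_exposures(lines) if e["action"] == "ACCEPT"]


# Constructed sample log (documentation address ranges used for external hosts).
SAMPLE_LOG = [
    "2006-11-02T11:33:01 ACCEPT udp 10.10.0.42:50001 -> 10.10.0.5:623",   # from mgmt net: fine
    "2006-11-02T11:33:02 ACCEPT udp 198.51.100.7:40000 -> 10.10.0.5:623", # external, accepted: exposed
    "2006-11-02T11:33:03 DROP udp 192.0.2.9:40001 -> 10.10.0.5:623",      # external, dropped: noted
    "2006-11-02T11:33:04 ACCEPT tcp 198.51.100.7:40002 -> 10.10.0.5:623", # not UDP: not RMCP
    "2006-11-02T11:33:05 ACCEPT udp 198.51.100.8:40003 -> 10.10.0.5:53",  # other port
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for e in find_exposures(SAMPLE_LOG):
        print(f"{e['ts']} {e['action']:6} {e['src']} -> {e['dst']}:{e['dport']}")
    print("accepted from outside:", accepted_sources(SAMPLE_LOG))
```

Dropped packets from outside are still reported, since a probe that was dropped at one boundary may be accepted at another; the accepted ones are the immediate finding, and the mitigation that follows from the comment is the usual one, keeping the management interface on a separate network that is not routable from the general network or the Internet.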
  • I really, REALLY hope this pisses you Americans off, because it's got me pretty fuming. If this makes it to CNN or something otherwise, I'll write my reps, but seeing as midterms are next week, I won't do it just now. My state is about to have a lame duck or two.

    Let's see the issues here.

    - The government took jobs away from Americans to try and save money.

    Then, since they didn't think it through,

    - The government failed to adequately protect its people by allowing foreigners, possibly enemies, to write code
  • I'm so glad to already see a bunch of comments to the effect of "well duh!" I've been wondering how long it would take the military's strong sense of self-preservation to kick in. It's one thing to be all for free markets to the extent of selling out your own population. But when you give away your military advantages to your potential adversaries for a quick market gain ...

    A friend of mine and I have both been wondering when the US policy on off-shoring would change. My constant source of confusion is h
  • ZeroWing joke in 5 .. 4 .. 3 ..
  • I think this problem applies to all software out there.

    One has bigger problems than malicious people planting trojans if they can't audit every line of their "mission critical" software OR hardware.

    Would you trust your respirator and other hospital life support system to unaudited code, whether or not it has been written by malicious people? If not, then why should anyone trust his defense system?

    I remember there was a story long back about "intelligent guns" that identify their owners. No one thought it'd
    • Re: (Score:3, Insightful)

      What scares me the most is the fact that they even gave offshoring a consideration!!!

      The DOD didn't do it themselves... they outsourced it to contractor 1 who outsourced part 1A and 3B to contractor 2 who outsourced it offshore.