US Needs Secure Coding Office
Trailrunner7 writes "If the United States wants to remain competitive in the global economy and prevent widespread penetrations of its strategic, corporate, and commercial networks, enterprises and government agencies should stop relying on commercial software and go back to writing more of their own custom code. 'If we're going to maintain our place in the world, software is not a strategic problem, it is the strategic problem going forward,' security expert Marcus Ranum said in a speech Tuesday. 'Covert penetration becomes something that you think about on a five, 10, or 20-year scale. Why don't we have a government coding office? We have a government printing office. Why don't we have a strategic software reserve? Our own software is probably a greater threat to us than anything other people can do to us.'"
Agreed (Score:5, Insightful)
In house software for government jobs is the way to go.
1) You own the code
2) Your goal is to have software that works for a long time. Your vendor does not share that goal. They want you to rebuy software every 5 years.
3) It's a lot cheaper to maintain.
4) It's written to get a job done. Once that's done, you don't have to worry about some revision that requires new hardware.
Where's the USDS/W? (Score:1, Insightful)
We have a US Dept of Agriculture (USDA) because agriculture is an essential part of our nation's prosperity and well being. In this day and age so is software.
Having said that, I'm a little skeptical that the gov't could be as effective at being a source of knowledge, studies, research and tools in the realm of software.
What? (Score:4, Insightful)
1. Why indeed, Marcus, "coding" and "printing" are so similar.
2. And the shelf-life of that software "reserve" is...
Poor comparison (Score:5, Insightful)
"Why don't we have a government coding office? We have a government printing office."
That comparison is ridiculous. A proper comparison would be "We engineer our own government printing presses and copiers, why don't we engineer our own software?" But of course the government doesn't engineer printing presses...
Re:Agreed (Score:3, Insightful)
It's clear you've never seen the government at work. There's two issues with the government writing its own software.
1) Each individual part of the government only needs custom made software once every 5 years or so
2) Every government in the known history of mankind has been utterly incompetent in cross-department communication
Since you can't reasonably expect the government to hire teams of programmers to write software one year and sit on their asses for 4 years while there's no demand and that traditionally trying to centralize the work leads to horror stories, you can see why most governments (even the socialists) have opted for contractors.
Just what we need ... bring back Ada !!! (Score:2, Insightful)
That worked so well, I mean it's just ubiquitous now with overwhelming support right?
Re:Where's the USDS/W? (Score:3, Insightful)
We don't make enough food, we starve to death, we don't make enough software we.......?
At the end of the day software is just yet another export product, while it would be bad for the economy if the software industry wasn't competitive (just like it would be bad for the economy if the car/toys/foresting industries weren't competitive) the country doesn't literally die if it fails, you'll just have to live with it being slightly less prioritized.
Re:Writing code is error-prone and expensive! (Score:3, Insightful)
Who says the government code wouldn't be open source?
For the people, by the people eh?
Re:What? (Score:5, Insightful)
> 2. And the shelf-life of that software "reserve" is...
At least a few decades, isn't it? At least Maxima, Emacs and others work perfectly on my modern PC.
What the hell is a strategic software reserve? (Score:4, Insightful)
Seriously. WTF. How can anyone ask that question and expect to not be laughed at.
Re:Because we don't need one. (Score:5, Insightful)
I've seen some of the code produced at big shops like that. Not Halliburton, but Northrop Grumman started the project I am currently working on. After they lost their last round of bidding, my employer's company picked it up. They lost for very good reasons. We inherited unbelievably bad and broken code.
Re:Poor comparison (Score:3, Insightful)
> That comparison is ridiculous. A proper comparison would be "We engineer our own government printing presses and copiers, why don't we engineer our own software?" But of course the government doesn't engineer printing presses...
We do engineer the documents though. We specify what kind of paper, what kind of markings, what kind of anti-forgery devices.
Of course, I was under the impression that we also specified what kind of code to write... Is this no longer true? Is the government just basically buying off-the-shelf software these days?
Does Intuit make some kind of IRS Edition of QuickBooks?
Re:OpenBSD (Score:5, Insightful)
Hire the OpenBSD boys. They have a proven track record.
SELinux has a pretty good track record too, and they wouldn't even need to outsource.
Really that's what they ought to be doing anyway: Not rewriting internal government clones of proprietary software, but giving the spooks a mandate to improve the security of open source software, and then use that.
Re:Agreed (Score:1, Insightful)
Federal IT workers do a bit better than 40k/year. Most enterprise level IT positions are GS12 or GS13, non-supervisory. That's a range of $68,809 through $106,369. More if you live in an area with a high cost of living.
So where does the OS come from then? (Score:5, Insightful)
There are some big reasons why this might be a good idea:
1. Vendors have every incentive to pull the rug out from under you support-wise and make you buy their product again every few years.
2. Having people in-house who _actually know_ everything about how a system works really helps with debugging. Oracle, for example, is the king of finger-pointing when it comes to blaming some other part of the system for crashing a database.
3. Custom code would still have holes, but at least they wouldn't be the exact same ones being exploited in the private sector.
There's also some really good reasons not to do it:
1. You will still need to source an OS from somewhere. Whether $LinuxDistribution, IBM, Sun/Oracle, HP or Microsoft, it wouldn't make sense to build a single purpose OS unless you were working on embedded systems. This OS would still have the same problem of limited-time support, publicly available security exploits, and crappy support when you do get it.
2. Government organizations are very bad with communication. At the state level, practically every department sets their own standards. How could you get agencies with very different priorities to sign on to something that centralized?
3. Quality of code (see below.)
I work in systems integration, and have done so for many large companies. This is the place where we take applications, figure out how they can fit together, and merge them into a platform of clients/servers/network connections/databases. Software written by in-house IT is often the biggest bug-filled, resource hogging mess to get working. This goes double if the dev work is outsourced to a provider that doesn't know about the environment the app will run in. Think about the in-house apps you use -- the order entry client that requires a dual core processor and 2 GB of RAM, or the app that crashes with no explanation or a dialog box that says "You should never see this message." It's not all that bad, and some apps actually work really well. But developer training and skill levels are all over the map. At the very least, a vendor is responsible for their code, and can be persuaded/paid to fix bugs instead of letting them fester. A vendor specializes in building software meant to be used outside of their little corner of the world, so some companies do take time to make sure bugs are fixed.
This would work well when the field of software development matures a little more, and best practices aren't dictated by companies trying to sell you something. That's why IT has a very hard time being recognized as a branch of engineering - there's very few standard ways of doing anything. On the OS front, you have major vendors, hundreds of Linux distributions and other small players. On the database front, you have a few huge vendors that take totally different approaches.
Re:Agreed (Score:5, Insightful)
I did. I make less money, 75K as opposed to 120K, but I get more time to enjoy my life.
After 25 years, I was real tired of pointless 60 hour weeks and day long meetings.
You really don't understand people. I pity someone that places all value someone could possibly have on their salary.
Re:Because we don't need one. (Score:3, Insightful)
By definition you've only seen the bad code that comes from such outfits. As so, you don't have a full picture of the quality of code from 'big shops.'
Re:Just what we need ... bring back Ada !!! (Score:5, Insightful)
Re:Agreed (Score:4, Insightful)
There is one thing forgotten. For the most part, US government "GS" jobs have job security. Unless someone commits a felony on the job, they know that their badge and CAC will work the next day. Private industry has higher salaries, but there is always the chance of being pitched out like last night's garbage if a PHB decides to swallow outsourcing/offshoring Kool-Aid.
And people know this. Government jobs have a lot more competition going for them than private jobs in a lot of places, from what I've seen.
Don't forget benefits. A $60k/year job may not be as alluring when one realizes that they have to spend $15k a year after taxes for health insurance for them and their family.
Re:Agreed (Score:1, Insightful)
6 figures.... No. If you look at the GS Scale, GS12-13 do get that high but that is nowhere near mid career level.
The COTS battle is over, get over it (Score:3, Insightful)
Sorry, but the COTS battle started in the 80s and has been over for a while. Nobody builds when they can buy anymore. If you believe your business is utterly unique and needs custom-written software... well, you are wrong. And nobody outside of a few folks just emerging from college really believe that way.
Would it be better if the government (and businesses) paid for software development rather than paying for packaged software? Maybe, but it would cost more - it certainly did in the 70s and 80s. The difference for nearly everyone today is they are buying a package for $500 instead of paying a year or two salary for a programmer. Sure, when the project was done there would be something else to do - this is a basic maxim that work expands to fill available staff. But today just about everyone has figured out that COTS is the only way to go. The buyer is isolated from personality quirks of the developers and isolated from the development process itself. The buyer also never has to worry about being held hostage by some lone wolf developer.
Yes, there can be the dreaded upgrade cycle where support for really old creaky software is discontinued no matter what the desires of the customers. And it does mean that the package you bought in 1993 for Windows 3.1 absolutely does not work on Windows 7 x64. But the world does not stand still and there generally needs to be some movement on the upgrade front.
Re:Just what we need ... bring back Ada !!! (Score:2, Insightful)
WTF? (Score:3, Insightful)
The government already funds software development and the past results of that funding predict the would-be future success of a government coding office; it would be a massive, expensive failure. The Census Bureau, IRS, FBI and FAA have records of incredible, mind-boggling, massive failure in producing software. Not to mention state funded universities, the University of Wisconsin being the most recent travesty.
The unstated assumption that government involvement in software production would improve, and not degrade, the quality of software is ludicrous in light of evidence from past results.
But it would not only fail. As with other government agencies, it would be subverted by special interests for nefarious causes. Patents and Trademarks, established to promote creative works, are abused by patent trolls to threaten innovation and by politicians who extort campaign donations in return for incremental, perpetual copyright extension. The Department of Agriculture, now a wholly owned subsidiary of ADM, runs welfare-for-millionaires programs. Oh, and have you heard of Fannie Mae and Freddie Mac?
Government coding office? What could possibly go wrong with that?
Not a proper role for government (Score:2, Insightful)
Obvious jokes aside, the government doesn't innovate very well. It has clear limits to its power under the Constitution, and this would just be another example of it stepping outside of those bounds... Kind of like this little red star. [bbc.co.uk] All in the name of security? Yeah right.
We need a few very secure systems (Score:3, Insightful)
We need a few special-purpose boxes that are highly secure, as examples. The components exist. There are hypervisors certified to EAL-7. [lynuxworks.com] They show up in industrial systems, DoD systems, and avionics. They should be showing up in routers, firewalls, DNS servers, and ATMs.
A push by Homeland Security to increase the security level of critical infrastructure would not be out of place.
Re:OpenBSD (Score:2, Insightful)
Why does one always find the argument "X must spend more on open source software" ? It's ridiculous, especially when, as usual, right next to "open source software is free !" ?
Re:Not a case for tinfoil (Score:5, Insightful)
General purpose commercial software packages raise a yellow flag for security as far as I am concerned. They are not necessarily a problem, but there are risks. The general purpose nature is itself a problem; a system that is intended to be used to schedule appointments should not have the capability to execute a shell, nor should it even have a shell installed. The problem with general purpose systems is that they ship with a lot of code that is never needed for a specific installation, but which an attacker could potentially make use of. This is the basic concept behind a "return to libc" attack, or more generally "arc injection."
Re:Poor comparison (Score:1, Insightful)
America used to custom engineer everything, but then commercial companies beat the pants off the custom stuff in categories like features, ease of use, and cost. Then the mantra became Commercial Off The Shelf. http://en.wikipedia.org/wiki/Commercial_off-the-shelf [wikipedia.org]
It's still a tremendous ripping pain to do business with the government, so most companies won't bother. See for example http://www.governmentcontractslawblog.com/2009/02/articles/country-of-origin/new-rules-for-commercial-offtheshelf-products-exempts-baa-components-and-exempts-recycled-content-reporting-requirement/ [government...awblog.com]
Re:Agreed (Score:1, Insightful)
> I've seen a lot of FBI/NSA/CIA job postings for computer scientists that advertise 6-figure salaries.
A good computer scientist is not necessarily a good programmer, let alone a good software engineer.
Re:OpenBSD (Score:3, Insightful)
Open source software is free, retraining staff to use it is not. Neither is hiring uber-expensive consultants when something goes wrong (which in the case of OSS can actually mean the ONE person still involved who wrote some of the original source).
Don't believe me ? I worked for a travel company for about 10 years, and when we had some database optimization issues, one of the actual lead coders from the project came and spent 2 days in our office. Nice guy though, optimized our queries and indexes like you wouldn't believe. But the point is still valid.
Re:Spending is the goal (Score:3, Insightful)
"Government doesn't expand in terms of power and revenue because it's getting better, it expands because the economy is expanding."
That's an interesting perspective given that the chart you referenced clearly shows Federal government spending as less than 5% of GDP in 1930, and ~25% of GDP right now.
Recall also that government spending is part of GDP. Therefore, showing spending and revenue as a % of GDP tends to obscure the picture of the size of government relative to the private sector. A $3.6T budget is ~24% of a $15T GDP, but ~31.5% the size of the real productive economy which has to bear the burden.
I also love the little inflection points showing that in the next few years the deficit is going to drop from 10% of GDP to 5% of GDP. I'd like to see it happen, but I see no evidence of any leadership or political will to make that happen.
I'll agree with one point however:
"Government doesn't expand in terms of power and revenue because it's getting better . . ."
It expands because it's filled with a bunch of self-serving parasites.
Re:You need to think about this one... (Score:3, Insightful)
When I said "genuinely open source software" I did not mean that it necessarily had to be released under the GPL and publicly available on an FTP site somewhere.
I mean that upon delivery of the software to whatever government office, full source code was provided as well.
Maybe the government wouldn't do a thing with it... But at least they'd be able to compile their own binaries and check them against those that were delivered. Or just use them instead of the binaries delivered. And they could easily audit the code whenever they wanted to.