Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

US Needs Secure Coding Office

CmdrTaco posted more than 4 years ago | from the measured-in-klocs dept.

Security 236

Trailrunner7 writes "If the United States wants to remain competitive in the global economy and prevent widespread penetrations of its strategic, corporate, and commercial networks, enterprises and government agencies should stop relying on commercial software and go back to writing more of their own custom code. 'If we're going to maintain our place in the world, software is not a strategic problem, it is the strategic problem going forward,' security expert Marcus Ranum said in a speech Tuesday. 'Covert penetration becomes something that you think about on a five, 10, or 20-year scale. Why don't we have a government coding office? We have a government printing office. Why don't we have a strategic software reserve? Our own software is probably a greater threat to us than anything other people can do to us.'"

cancel ×

236 comments

Sorry! There are no comments related to the filter you selected.

OpenBSD (2, Interesting)

Anonymous Coward | more than 4 years ago | (#32183762)

Hire the OpenBSD boys. They have a proven track record.

Re:OpenBSD (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32183840)

Hire the OpenBSD boys. They have a proven track record.

Yeah, they do... [wikipedia.org]

Re:OpenBSD (1)

K. S. Kyosuke (729550) | more than 4 years ago | (#32183926)

No, that's called a frak [wikipedia.org] record.

Re:OpenBSD (5, Insightful)

Anonymous Coward | more than 4 years ago | (#32184084)

Hire the OpenBSD boys. They have a proven track record.

SELinux has a pretty good track record too, and they wouldn't even need to outsource.

Really that's what they ought to be doing anyway: Not rewriting internal government clones of proprietary software, but giving the spooks a mandate to improve the security of open source software, and then use that.

Tinfoil hats (3, Funny)

Zironic (1112127) | more than 4 years ago | (#32183768)

Why don't we have a government tinfoil hat office? Clearly we're under great threat of alien mindrays.

Spending is the goal (0, Redundant)

Anonymous Coward | more than 4 years ago | (#32183954)

As long as it justifies more money passing through the business of government, you can guarantee the elite at the top of the pyramid will approve of it.

There's a reason why every year government expands in terms of both power and reveune, and it's sure as hell isn't because government is getting better. It's because the bigger the business of government, the more lucrative it is for those who control it.

Re:Tinfoil hats (1)

Z00L00K (682162) | more than 4 years ago | (#32184030)

Already forgotten NSA?

In case you live in the US.

Anyway - if everyone uses the same software it means that everyone knows how it works which also means that more people are able to crack any security measures involved. This also makes it easy for people making malicious software.

A more mixed environment causes other types of trouble. So what's necessary is to find a balance between standard software and custom softwares.

To Be Run By (0)

Anonymous Coward | more than 4 years ago | (#32183772)

Visual Basic [microsoft.com] .

Yours In Astrakhan,
Kilgore Trout

In Soviet Amerika, coding office secure YOU !

And the government has such a fine track record (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#32183782)

Let's expand it some more.

Re:And the government has such a fine track record (1)

FlyingBishop (1293238) | more than 4 years ago | (#32184316)

The government's primary problems in this area are an excess of bureaucracy holding back stable software development. A very good first step is removing contractors from the equation, since that's an enormous layer of bureaucracy. We need to be funding real power-plays, not keeping the system as is.

"Government" has a terrible track record the same way "corporations" or "people" have a terrible track record. It only gets better if you look for improvements.

I think I can hear (0, Flamebait)

binarylarry (1338699) | more than 4 years ago | (#32183784)

Ballmer scrambling the jets now.

From the midwest.

Agreed (5, Insightful)

geekoid (135745) | more than 4 years ago | (#32183792)

In house software for government jobs is the way to go.
1) You own the code
2) You're goal is to have software that works for a long time. You vendor does not share that goal. They want you to rebuy software every 5 years.

3) It's a lot cheaper to maintain.
4) It's written to get a job done. Once that's done, you don't have to worry about some revising the requires new hardware.

Re:Agreed (1)

CannonballHead (842625) | more than 4 years ago | (#32183830)

They want you to rebuy software every 5 years.

I don't disagree that many vendors do; but it seems in the past, that wasn't always the way it was, or something... because there are a lot of servers still running some pretty old software.

I'm thinking primarily of IBM stuff... but I guess IBM sold support, too, so they still got money, even if you didn't rebuy.

Re:Agreed (2, Insightful)

Zironic (1112127) | more than 4 years ago | (#32183876)

It's clear you've never seen the government at work. There's two issues with the govenrment writing it's own software.

1) Each individual part of the government only needs custom made software once every 5 years or so
2) Every government in the known history of mankind has been utterly incompetent in cross-department communication

Since you can't reasonably expect the government to hire teams of programmers to write software one year and sit on their asses for 4 years while there's on demand and that traditionally trying to centralize the work leads to horror stories, you can see why most governments (even the socialists) have opted for contractors.

Re:Agreed (2, Interesting)

sunderland56 (621843) | more than 4 years ago | (#32184090)

There's a third issue: salaries. Programming talent is used to silicon valley pay grades, not military pay grades. How many employees would be willing to leave their current position and take a 50% pay cut to work for the government? Would you be willing to trust the code of someone working for $40K/year?

Re:Agreed (4, Informative)

1729 (581437) | more than 4 years ago | (#32184200)

There's a third issue: salaries. Programming talent is used to silicon valley pay grades, not military pay grades. How many employees would be willing to leave their current position and take a 50% pay cut to work for the government? Would you be willing to trust the code of someone working for $40K/year?

Actually, there are a lot of government programming jobs that pay decently. I work at a government research lab, and the pay is competitive with industry (though no stock options, etc.), and I've seen a lot of FBI/NSA/CIA job postings for computer scientists that advertise 6-figure salaries.

Re:Agreed (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32184562)

6 figures.... No. If you look at the GS Scale, GS12-13 do get that high but that is nowhere near mid career level.

Re:Agreed (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32184216)

Federal IT workers do a bit better than 40k/year. Most enterprise level IT positions are GS12 or GS13, non-supervisory. That's a range of $68,809 through $106,369. More if you live in an area with a high cost of living.

Re:Agreed (4, Insightful)

geekoid (135745) | more than 4 years ago | (#32184234)

I did. I make less money, 75K as opposed to 120K, but I get more time to enjoy my life.
after 25 years, I was real tired of pointless 60 hour weeks and day long meetings.

You really don't understand people. I pity someone that places all value someone could possible have on their salary.

Re:Agreed (1)

jlechem (613317) | more than 4 years ago | (#32184260)

Just for shits and giggles I looked at applying to NASA until I realized my starting pay grade was around 45,000 USD per year. It would be a huge pay cut and even if the cost of living was lower that's a big blow to the wallet.

Re:Agreed (4, Interesting)

binarylarry (1338699) | more than 4 years ago | (#32184328)

Working at NASA is like working in the game industry, it's the coolest gig around and attracts tons of people which creates more competition and ultimately drives salaries down.

Re:Agreed (1)

Bigbutt (65939) | more than 4 years ago | (#32184618)

When I was working as a contractor for NASA, all of the Government computer jobs were contracted out (the "smaller government" initiative) so the people who were left could concentrate on the business of running NASA. This was through the 90's into the early 00's. Don't know how it is now.

[John]

Re:Agreed (3, Insightful)

mlts (1038732) | more than 4 years ago | (#32184496)

There is one thing forgotten. For the most part, US government "GS" jobs have job security. Unless someone commits a felony on the job, they know that their badge and CAC will work the next day. Private industry has higher salaries, but there is always the chance of being pitched out like last night's garbage if a PHB decides to swallow outsourcing/offshoring Kool-Aide.

And people know this. Government jobs have a lot more competition going for them than private jobs in a lot of places, from what I've seen.

Don't forget benefits. A $60k/year job may not be as alluring when one realizes that they have to spend $15k a year after taxes for health insurance for them and their family.

Re:Agreed (2, Interesting)

geekoid (135745) | more than 4 years ago | (#32184412)

1) Each individual part of the government only needs custom made software once every 5 years or so

False. maintenance is always an issue, no matter what software you have. #rd parties know this, that is why they make most there money off consultants you have to hire from then at 250 or more per hour.

"2) Every government in the known history of mankind has been utterly incompetent in cross-department communication"

Way to buy into a myth. This is false for two reasons:
1) it assumes that sort of thing never happens in the private sector
2) The US government does very well at cross communication. there are problems, but not as bad as people who sell solution would lead you to believe.

"Since you can't reasonably expect the government to hire teams of programmers to write software one year and sit on their asses for 4 years"
because the government would only ever need one application? and that application would never need new features?

Are you stupid or just blinded by fallacy's about the government you believe without question?

" trying to centralize the work leads to horror stories"
Only when centralizing work that should not be centralized. Usually done by people who don't understand how a government works.

"you can see why most governments (even the socialists) have opted for contractors."

no. The have opted for contractors becasue of political ideoolgy and ignorance, not for a trong business need.

For the record:
I worked in the private sector for over 25 year.
most of the was as a software engineer, programmer, analyst.
I have worked in the public sector for almost 5 years.

1) It isn't nearly as political as the private sector corporations
2) The people here have a breadth and depth of knowledge about the business you can't find in the private sectr any more.
3) the people I work with care and work hard to saver money and work efficiently
4) running a city is far more complex then you can imagine.
5) I work with programmers that could write circles around pretty much everyone else. Plus they document their work, and almost always write in a readable manner.
6) There is no 'up or out ' attitude. That means if you like you're job, you can keep doing it.

|

Re:Agreed (1)

lorenlal (164133) | more than 4 years ago | (#32184078)

In house software for government jobs is the way to go.
1) You own the code
2) You're goal is to have software that works for a long time. You vendor does not share that goal. They want you to rebuy software every 5 years.
3) It's a lot cheaper to maintain.
4) It's written to get a job done. Once that's done, you don't have to worry about some revising the requires new hardware.

1) We own the government, so we all own the code?
2) It seems to me that vendors are more interested in selling you support for the software. That has no end of life.
3) Until the folks who wrote it leave for other jobs, and they leave behind all that lovely documentation....
4) Until someone makes new *faster* hardware that has no compatibility with the old hardware.

Mostly cultural, not technical (2, Interesting)

wurp (51446) | more than 4 years ago | (#32184330)

IMO the place to start if you want to fix computer security is with the culture of software use rather than the software itself.

There are plenty of places where security can be made better technically, and it is our nature as "software guys" to focus on those, but most significant break-ins come from the way people treat software and password information.

  • Leaving USB drives or laptops lying around without using existing encrypted drive technology
  • writing your password down
  • believing someone is there in an official capacity because they talk in the expected way and are dressed correctly
  • etc.

are all bigger problems than

  • buffer overflows
  • privilege escalation
  • sql injection

Not because the latter aren't issues that need work, but because those are issues that get recognized and fixed quickly. As far as I know, there is no widely accepted way of fixing the social problems that plague computer security.

Re:Agreed (0)

Anonymous Coward | more than 4 years ago | (#32184448)

Basic security measures come in as well.

In-house code's worst issue is that some spy might dink with it. However, a peer or a code review periodically most likely would spot a backdoor (a UID = 0 instead of UID == 0) or a way for something to overflow a buffer (scanf() instead of sscanf()). Code outsourced (especially closed source) can have any types of security issues in it and would likely never be spotted until exploited in the field.

One thing the US government needs to do is what China does. Private companies can write code, but the government gets access to the source code and the ability to review it. This is just basic security 101 here.

Hardware-wise, I'd like to see TPM hardware that is made in the US, and supervised vetted from the ground up by DoD employees. This won't completely stop any backdoors, but it would lesson the chances of some added "functionality" on a chip appearing from the fab out of Shanghai when it shouldn't be there (such as storing keys unencrypted for later retrieval via an undocumented command.)

Re:Agreed (1)

bill_mcgonigle (4333) | more than 4 years ago | (#32184598)

In house software for government jobs is the way to go. 1) ... 4) ...

You seem to have left off 'junkets to the tropics' from your list. Perhaps that was an oversight.

Re:Agreed (1)

Kaboom13 (235759) | more than 4 years ago | (#32184608)

That's an accounting problem, not a technical problem. It can be solved quickly and easily. Raise the pay to whatever is necessary to attract appropriate talent. HR departments across the world somehow manage to figure this out. I know government jobs are fond of pay grades and other such nonsense, but if our legislators gave a crap about the security and prosperity of our nation they could fix the issue in an afternoon.

Where's the USDS/W? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32183824)

We have a US Dept of Agriculture (USDA) because agriculture is a essential part of our nation's prosperity and well being. In this day and age so is software.

Having said that, I'm a little skeptical that the gov't could be as effective at being a source of knowledge, studies, research and tools in the realm of software.

Re:Where's the USDS/W? (2, Insightful)

Zironic (1112127) | more than 4 years ago | (#32183930)

We don't make enough food, we starve to death, we don't make enough software we.......?

At the end of the day software is just yet another export product, while it would be bad for the economy if the software industry wasn't competitive (just like it would be bad for the economy if the car/toys/foresting industries wern't competitive) the country doesn't literally die if it fails, you'll just have to live with it being slightly less prioritized.

Re:Where's the USDS/W? (1)

BrotherBeal (1100283) | more than 4 years ago | (#32184086)

we don't make enough software we ......?

... have to go outside for a change?

Re:Where's the USDS/W? (1)

Ephemeriis (315124) | more than 4 years ago | (#32184152)

we don't make enough software we.......?

It isn't a matter of making enough software. Nobody is suggesting that the government code up five different word processing packages and sell them to the highest bidder. It's about knowing that the software running our essential government functions is reliable.

At the end of the day software is just yet another export product

No it isn't. It's a tool that lets people get their jobs done.

the country doesn't literally die if it fails, you'll just have to live with it being slightly less prioritized.

Depends on what fails.

If the word processor on some senator's desktop dies, I doubt if anyone is terribly inconvenienced.

If something big and important breaks at the IRS, it may very well be a very big problem.

Software used for essential functions of the federal government probably shouldn't be off-the-shelf. It probably should be somehow verified or authenticated. It might be a very good idea to bring the development of that software in-house, rather than to outsource it. Because if that software fails badly enough, it can render those essential functions essentially disabled.

Why bother flying a plane into a building if you can do as much, if not more, by simply breaking a bit of software?

Re:Where's the USDS/W? (1)

Bing Tsher E (943915) | more than 4 years ago | (#32184230)

If something big and important breaks at the IRS, it may very well be a very big problem.

True. Taxes wouldn't be collected and the economy might even grow. Very big problem, grasshopper.

Re:Where's the USDS/W? (0)

Anonymous Coward | more than 4 years ago | (#32184256)

Exactly. If we're not good at making food... obviously, we go hungry. If we're not good at making software... maybe somebody takes strategic advantage of that, and we go back to being an agrarian society? ;)

Re:Where's the USDS/W? (1)

Tubal-Cain (1289912) | more than 4 years ago | (#32184436)

We don't make enough food, we starve to death, we don't make enough software we.......?

Not quantity. Quality. It's about not being driven by the whims of software companies.
No planned obsolescence.
Able to patch a security hole in $OLD_VERSION rather than installing $CURRENT_VERSION on every PC in the office.
Not needing to change document formats every few years.
That sort of thing.

Re:Where's the USDS/W? (1)

geekoid (135745) | more than 4 years ago | (#32184446)

fall back into a 3rd world, fail to be able to support are current society, and loose are place at the big boys table.

IN general, the US provides plenty of food. We are now past that.

Re:Where's the USDS/W? (0, Troll)

SlippyToad (240532) | more than 4 years ago | (#32184046)

I'm a little skeptical that the gov't could be as effective

Republicans have spent years convincing you by their deliberate incompetence and stupidity that government can't be more efficient than private industry.

It's the most amazing flimflam in history.

Re:Where's the USDS/W? (1)

jasmusic (786052) | more than 4 years ago | (#32184144)

And Democrats have placed it beyond all doubt. The feds are great at one thing: destruction. Hence they're given the war power. And not a whole lot else.

Re:Where's the USDS/W? (1)

strikeleader (937501) | more than 4 years ago | (#32184344)

What's even more amazing is that you have been convinced by the Democrats that it is a flimflam by the Republicans. Seriously, what is the government efficient at?

How does that koolaid taste anyway?

utilities (1)

Chirs (87576) | more than 4 years ago | (#32184532)

I'm in Canada, so things are a bit different. Generally I've found that things that are "utilities" (that is, basically necessary for normal living) are provided quite efficiently by the government.

My car insurance is via the provincial insurance company and the rates are some of the best around.

My phone and internet service is via the provincial telco. The rates are competitive and there is no usage cap.

Electrical and natural gas rates are via the provincial corporations and their rates are among the lower ones in the country.

"the government" is responsible to us, the people. There's no excuse for letting government be inefficient--hold them to account.

Re:Where's the USDS/W? (0)

Anonymous Coward | more than 4 years ago | (#32184252)

We have a US Dept of Agriculture (USDA) because agriculture is a essential part of our nation's prosperity and well being. In this day and age so is software.

You convinced me. As a developer, I want to be subsidized to NOT write software the way farmers are subsidized to NOT plant crops.

Re:Where's the USDS/W? (0)

Anonymous Coward | more than 4 years ago | (#32184272)

I believe it's called Capability Maturity Model

What? (3, Insightful)

fahrbot-bot (874524) | more than 4 years ago | (#32183826)

1. Why don't we have a government coding office? We have a government printing office.
2. Why don't we have a strategic software reserve?

1. Why indeed, Marcus, "coding" and "printing" are so similar.
2. And the shelf-life of that software "reserve" is...

Re:What? (5, Insightful)

K. S. Kyosuke (729550) | more than 4 years ago | (#32183952)

2. And the shelf-life of that software "reserve" is...

At least a few decades, isn't it? At least Maxima, Emacs and others work perfectly on my modern PC.

Re:What? (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#32184082)

At least Maxima, Emacs and others work perfectly on my modern PC.

Utter bullshit. Emacs doesn't work perfectly anywhere; vi, on the other hand, is a joy in all situations.

Re:What? (1)

aztracker1 (702135) | more than 4 years ago | (#32184246)

Don't you mean vim? Because vi just wasn't good enough. I jest though. I do think that a certain amount of software development in the government should be brought in-house, or at least made public. The same should go for K-12 educational materials for general subjects as well though. The fact is, as long as there's lobbyists it won't happen that way. Also, I don't know that it *should* happen that way. FYI, there already are a number of software developers in-house. And the IRS examples in terms of failure, much of those systems are developed by employees of the IRS.

Re:What? (1)

fahrbot-bot (874524) | more than 4 years ago | (#32184180)

At least a few decades, isn't it? At least Maxima, Emacs and others work perfectly on my modern PC.

I would argue that the more general the software, the longer the shelf-life, the more specific the shorter. The main reason for in-house (or custom) software is specific purpose application. The two examples you provided have very general use - in the sense that Math and editing are general and constant over the long term. But, for example, network / system monitoring or battlefield management software is more specific and will need more frequent updating to be useful.

Re:What? (2, Interesting)

OldSoldier (168889) | more than 4 years ago | (#32184262)

2. And the shelf-life of that software "reserve" is...

At least a few decades, isn't it? At least Maxima, Emacs and others work perfectly on my modern PC.

And I could argue that for software created today it could be much longer. Many things seem to have stabilized or at least compartmentalized their growth. Think air traffic control. IIRC the machines they run on now are 20+ years old as is the software. Not only that the scale of the problem has grown significantly from 20 years ago, but will we see that same growth in: computer performance, software tools and air traffic in the next 20 years? Probably not. Again, IIRC reliance on radar for air traffic control may be on the way out, but realizing that sort of modularity, seems like you could design a system where a GPS module could be added with much less pain than re-writing the whole system.

Re:What? (1)

Ephemeriis (315124) | more than 4 years ago | (#32183998)

1. Why indeed, Marcus, "coding" and "printing" are so similar.

Sure, the end products are pretty different... But most folks just buy off-the-shelf paper for their needs. Or maybe outsource the custom printing to someone else. Just like most folks buy off-the-shelf software or outsource the custom coding to someone else.

If you move enough paper... Or have unique needs... Or are concerned about the authenticity/security of your printed documents... Then moving it in-house makes a lot of sense.

Similarly, if you use enough code... Or have unique needs... Or are concerned about the authenticity/security of your code... Then moving it in-house may make a lot of sense.

2. And the shelf-life of that software "reserve" is...

Theoretically infinite.

Oh, sure, there'll be new hardware... And new requirements... And new features...

But once you've got a piece of software that actually does what you need it to, you can keep using that pretty much forever - unless something forces you to make changes. If it's your own code, you choose when to make the changes and how significant they're going to be. If it's somebody else's code, you upgrade when they tell you to.

There's plenty of software out there that's been running just fine for the last couple of decades.

Re:What? (1)

Bing Tsher E (943915) | more than 4 years ago | (#32184270)

If it's somebody else's code, you upgrade when they tell you to.

Where do you get this idea? Upgrades are not mandatory. They're often not needed at all.

I don't upgrade my electric pencil sharpener or file cabinet every time a new model comes out.

Re:What? (1)

Ephemeriis (315124) | more than 4 years ago | (#32184334)

Where do you get this idea? Upgrades are not mandatory. They're often not needed at all.

Obviously it depends on the software...

Nobody is going to force you to upgrade the copy of Microsoft Word installed on your home computer.

But the HIS software we run at work has to be at the latest version if we want to be able to receive support. And support is kind of a big deal for us.

Re:What? (1)

astar (203020) | more than 4 years ago | (#32184538)

shelf life is a good point

If you want to consider software that is immeadiately vital, you would look first at software that was directly embedded in the physical production process. Just looking at current popular concerns that match this, consider electrical utilities and freight transportation.

If you are looking at electrical utilities, you see 50 year old software, which is pretty good for a shelf life.

On the other hand, in a sensible society, you produce a lot of machine tools, and you make lots of continuous improvements. So the shelf life of the controlling software is real short. And putting a government critical path component in gives me lots of warm fuzzies (NOT).

So I guess you could play programmer licensing games and so on. So we might know more than we did about programming than 50 years ago, but if you eliminate all the current fads, what do we really know and how often do we really apply it? So what body of knowledge do you base compentcy (spell) for licensing upon?

acm sometimes has occasion to make official statements on licensing issues. For some reason texas get this in their head every once in a while.

I suppose I should mention that proveability approaches get a little further along over time. I recall that somebody recently managed to prove a microkernel. At the present time, I suppose we could talk about some sort of proven components to use when possible, maybe government generated. But last I looked you almost had to have special languages.

Poor comparison (4, Insightful)

Dan East (318230) | more than 4 years ago | (#32183832)

"Why don't we have a government coding office? We have a government printing office."

That comparison is ridiculous. A proper comparison would be "We engineer our own government printing presses and copiers, why don't we engineer our own software?" But of course the government doesn't engineer printing presses...

Re:Poor comparison (2, Insightful)

Ephemeriis (315124) | more than 4 years ago | (#32184054)

That comparison is ridiculous. A proper comparison would be "We engineer our own government printing presses and copiers, why don't we engineer our own software?" But of course the government doesn't engineer printing presses...

We do engineer the documents though. We specify what kind of paper, what kind of markings, what kind of anti-forgery devices.

Of course, I was under the impression that we also specified what kind of code to write... Is this no longer true? Is the government just basically buying off-the-shelf software these days?

Does Intuit make some kind of IRS Edition of QuickBooks?

Re:Poor comparison (1)

blueg3 (192743) | more than 4 years ago | (#32184122)

In general, we don't specify strong enough requirements and we don't do sufficient validation. Of course, validation of software is hard when you have the source and is nearly impossible without it.

Re:Poor comparison (3, Informative)

phantomcircuit (938963) | more than 4 years ago | (#32184362)

Actually yes there was a big push for COTS software in government a whiel ago. The idea was that it would reduce costs, but it was a short term cost reduction with a long term significant cost increase. The problem is that those doing procurement often are not responsible for long term negative effects, because they will be long gone.

Re:Poor comparison (1)

obi1one (524241) | more than 4 years ago | (#32184204)

I dont think he meant that all software used by the government must be built by the government coding office, but rather that all software created for government should come from the theoretical government coding office. If that is what he meant, it makes sense to me. Most shops wouldnt let the marketing department, for instance, hire a group of programmers to build some software for them without at least involving IT, and really most shops would require that the software be created by developers in the IT department. Having programmers or contractors working for every government agency imaginable, reporting to people who dont specialize in managing software development, is silly.

Not so poor comparison (2, Interesting)

DragonWriter (970822) | more than 4 years ago | (#32184248)

That comparison is ridiculous.

Its actually not: printing and software development are both services that most government agencies regularly need, but that in general most don't need the same subtype of the broader service enough to justify retaining the capacity to meet all their needs in-house without outsourcing, but where the needs of the government as a whole would be more able to justify maintaining resources centrally and then making them available to individual agencies.

The fact that the necessary resources in the case of printing involve a mix that is heavier on physical capital than human capital, while the resources in the case of software development is a mix that is heavier on human capital than physical capital is a difference, but its not a difference that is particularly relevant to the point of the analogy.

You'd probably have a better case if you argued that the "strategic software reserve" was a bad comparison. Software isn't an physical resource with an interruptible supply that you can horde in advance against a future crisis. OTOH, I can see a useful "strategic software reserve" in one sense -- not a reserve of software but of software-related IP. If you accept as a baseline the current US system of fairly strong software-related creator IP rights (copyright and patent, most particularly), it might make sense for the government to strategically exercise the power to acquire property for the public use by eminent domain with a payment of the fair market value to "buy out" existing IP rights where there is a substantial public good to be served by doing so. This might -- structured properly -- be a system that serves the public interest and the Constitutional purpose of IP protections better than either maintaining the status quo without such a system, or just weakening IP protections generally.

Writing code is error-prone and expensive! (1, Interesting)

Anonymous Coward | more than 4 years ago | (#32183846)

Writing code is fundamentally error-prone, and expensive! Programmers, young and experienced, make mistakes. Young programmers in particular overestimate their abilities, and wildly under-test, and pretty much totally fail to think about compatibility or vulnerability. Proper management to enforce testing, reviews, documentation, security, etc. is very expensive. And once you've written the code, the marginal cost of sharing it widely is very low ... which is why I believe that this proposal will fail: it will always be cheaper to use either commercial code, or open source.

Re:Writing code is error-prone and expensive! (2, Insightful)

TheKidWho (705796) | more than 4 years ago | (#32183932)

Who says the government code wouldn't be open source?

For the people, by the people eh?

Re:Writing code is error-prone and expensive! (1)

ducomputergeek (595742) | more than 4 years ago | (#32184036)

However, for security reasons, the software has been declared secret under the states secret act.

Because we don't need one. (2, Funny)

ADHVfFsvjLIViaglKlqo (1766800) | more than 4 years ago | (#32183852)

We have Halliburton.

Re:Because we don't need one. (4, Insightful)

Nadaka (224565) | more than 4 years ago | (#32184040)

I've seen some of the code produced at big shops like that. Not Halliburton, but Northrop Grumman started the project I am currently working on. After they lost their last round of bidding, my employers company picked it up. They lost for very good reasons. We inherited unbelievably bad and broken code.

Re:Because we don't need one. (3, Insightful)

Bing Tsher E (943915) | more than 4 years ago | (#32184294)

By definition you've only seen the bad code that comes from such outfits. As so, you don't have a full picture of the quality of code from 'big shops.'

Just what we need ... bring back Ada !!! (1, Insightful)

rimcrazy (146022) | more than 4 years ago | (#32183890)

That worked so well, I mean it's just ubiquitous now with overwhelming support right?

Re:Just what we need ... bring back Ada !!! (4, Insightful)

darkstar949 (697933) | more than 4 years ago | (#32184424)

It may be a niche language, but it's still really good in areas where safety is a concern. The 777 uses it for the control software - http://www.adaic.org/atwork/boeing.html [adaic.org]

While you're at it (1)

trifish (826353) | more than 4 years ago | (#32183900)

Don't forget about hardware.

Oh, wait...

How do you know (0)

Anonymous Coward | more than 4 years ago | (#32183914)

they already don't have government developers in some kind of underground facility?

However, if they don't, then I couldn't agree more. Many of the issues that people worry about today will most likely be solved with future technology. Stable software networks and the security fight, however, are only the tip of the iceberg of the problems we will face in years to come. Research and development should be our number one priority, which would not only give us a head start on security, but would show high economic returns if we fund it now.

Haha, software is the anwser to it all? (2, Interesting)

Anon-Admin (443764) | more than 4 years ago | (#32183948)

Having worked in government IT, and worked for government military contractors I dont think that the software is the issue.

I would start by upgrading all the equipment that went EOL (End Of Life) more than 5 years ago! (90%+ of the hardware they run)
Then move to the equipment that is EOL now.
I would then work on implementing a proper patching and patch management plan.
Documentation would be useful as well, Stop expecting the new IT staff to understand how AIX v3 works on the H50's you are running. Especially when the old IT staff thought it was good security to replace the login with one that used a password file stored in the /var/log directory.

Security through obscurity is all that would happen if the government tried to make all systems code come from an internal group. I am sure we all know how well that works!

I say mandate that the government groups run only opensource software. Then hire select coders to quick patch any problems or security issues that are found and make the parches available to everyone. That way the government can be secure as well as any other company or person that runs the same software.

Re:Haha, software is the anwser to it all? (0)

Anonymous Coward | more than 4 years ago | (#32184108)

Yeah, we had some doofus here decide to use random names for administrator accounts rather than the real names of the administrators, because they read it somewhere. When I saw that I said WTF, how are we supposed to tell whether some account is supposed to have access to our shares if people are using made up names? Apparently hackers are supposed to be confused by the made up names and not looking at the access rights of the accounts.

This idea is dumb. (2, Interesting)

Maxo-Texas (864189) | more than 4 years ago | (#32183956)

A better idea would be to have an office that analyzes the code of existing software for security issues, develops solutions, and hands them over to the software owner.

Owner doesn't want to share the code? Don't use their software for government work.

But redeveloping from scratch at this point does not make fiscal sense any more. We stand on the shoulders of 30 year tall giants. There is no need to rewrite the TCP IP stack from scratch, to write a word processor from scratch, to write a web server from scratch, etc.

Re:This idea is dumb. (3, Interesting)

Ephemeriis (315124) | more than 4 years ago | (#32184214)

Meh.

Just mandate genuinely open source software for all government work.

You don't have to rely on your government to analyze code and submit the fixes back to the original author - anyone can look at the code. And you don't have to rely on the original author to incorporate the fixes - anyone can. And you don't have to trust that the binaries you're running actually match the code you're looking at - just compile your own.

The big problem with all of this isn't necessarily that the code is crap or anything like that... It's that the stuff is closed-source. We're basically trusting that the code does what it is supposed to, and we've got very little ability to verify that.

Re:This idea is dumb. (2, Interesting)

PeterM from Berkeley (15510) | more than 4 years ago | (#32184612)

Having an agency which uses public dollars to enhance and secure open source software for use both within Government and for the public at large makes a huge amount of sense. It's important that the Government not *own* the code, just provide patches/alerts to the project leaders, and customizations for internal Government use, as needed. (The reason for non-ownership is because, well, who *really* trusts the Government?)

In this way, software could become a public good and much cheaper in general rather than a profit center for a few companies and a millstone around the necks of most companies.

--PM

Secure coding office (0)

Anonymous Coward | more than 4 years ago | (#32183966)

US Needs Secure Coding Office

Why don't we just put some armed guards and security cameras on each floor and around the building?

It's a great idea, I know. You can pay me by paypal for it.

We do (3, Interesting)

greenbird (859670) | more than 4 years ago | (#32183990)

Why don't we have a government coding office? We have a government printing office. Why don't we have a strategic software reserve?

We do. It's called open source. And it's run by a militia just like the one that started this country.

Re:We do (1)

Em Emalb (452530) | more than 4 years ago | (#32184318)

What? Open Source Contributors are the same as the standing militia from when this country was founded?

Holy shit, that's insulting.

Re:We do (1, Funny)

Anonymous Coward | more than 4 years ago | (#32184380)

A bunch of anti-royalist terrorists.

What the hell is a strategic software reserve? (3, Insightful)

Nadaka (224565) | more than 4 years ago | (#32183994)

Seriously. WTF. How can anyone ask that question and expect to not be laughed at.

Re:What the hell is a strategic software reserve? (5, Funny)

robot256 (1635039) | more than 4 years ago | (#32184336)

The only thing it could possibly mean is a reserve of *coders* ready to jump at any problem or bug that arises. Oh wait, that's called the NSA. Just need to give them more resources and jurisdiction to fix any code anywhere in the government. That'd work great:

Setting: Nondescript cubicle farm full of people working an eating donuts.
Cubicle farm is suddenly stormed by a SWAT team with M16s and tablet PCs.
Team leader:
"Everybody freeze! Hands off the keyboards! We've detected a buffer overrun condition! Move, move, move!"
Guys with tablets rush to the PCs and networking closet and start typing like mad. Soldiers round up all the people into the middle of the room.
A five-star general walks into the room.
General:
"What's going on here?"
Team leader: "Sir! We're neutralizing a threat in the PR office happy-hour scheduling system. We should be finished soon."
General: "Good. I'll want a full report when this is over. We need to catch the idiot who's responsible for this."
A soldier escorts an intern with hands behind his head to the leader.
Soldier:
"This guy did it. We found non-compliant source code on his machine."
Team leader: "Good work, sergeant. Hand him off to headquarters at 1300."
General: "Glad to see that was taken care of quickly."
Team leader: "All in a day's work, sir."

I can just about hear the whinging. (0)

Anonymous Coward | more than 4 years ago | (#32184068)

I can just hear the moaning of how unfair this would be to private software corporations right about ... now. After all it's bad enough that they actually have to compete in some form against "free" OSS projects, but teh gubbermint too? Oh noes!

Advantages and disadvantages (0)

Anonymous Coward | more than 4 years ago | (#32184094)

*off-the-shelf vendors are not contractors (but can be). Most contractors have no products, and only produce what the government needs when they need it.

*Contractors go through the same clearance processes as government employees.

*For all intents and purposes, most defense IT contractors work as part of the agencies employing them. The big difference is they assume the risk that if they suck, they will get canned much much faster than a government employee. Flip side is they get payed more because of that risk.

*Printing isn't a good comparison to programming. The GPO puts paper in the machine, makes sure it is running, and delivers the results. Programming is like inventing a new way to make paper, and then a new way to make ink, and then a new machine, and then printing the results. It requires more creativity.

*Programming is more like art than it is science. Because of that, programmers generally like freedom and flexibility in their workplaces. Do you think the best programmers would want to work for the government?

*The majority of security vulnerabilities are caused by lousy programmers. One good programmer is more valuable than 100 lousy programmers in terms of security. Pay the one good programmer.

*Classified code does exist. Perhaps there should be more of it for security purposes. Perhaps a classified operating system (if there isn't one already).

*The contractor system should be reworked so contractors inherently place less emphasis on sales. I personally believe that creating an easier, more automated proposal process would help.

*Big defense contractors are the gluttons of the industry. I believe focusing even more on helping small businesses have an easier time selling their services would help drive productivity.

You mean like Magic Lantern? (1)

SteveFoerster (136027) | more than 4 years ago | (#32184096)

We've had this. It was called Magic Lantern [wikipedia.org] . Really, I think we can do without any more of it.

And where will the secure coders come from? (1)

SirGarlon (845873) | more than 4 years ago | (#32184104)

I concede the point that government and industry are awash in misconfigured, insecure, and buggy code. However, I fail to see how developing more code in-house will result in code that is more secure and less buggy. Where will the expertise in secure coding come from? From TFA:

As a result, there are fewer and fewer people inside the agencies who understand what it takes to write and deploy good software.

So, if that is true, how exactly will it coding in-house help? There's no one in-house who can do it right and that's the whole problem!

Ranum's thesis seems to be "contractors suck" but buried in his article is the kernel of the real issue in my opinion: project managers don't understand security and aren't accountable for making their products secure. If they did and they were, we would get more secure code regardless of whether the development were in-house or outsourced.

So Ranum seems to think that the solution is to create more government jobs (maybe he wants one or something), but really I see this as a management challenge. If large institutions can set a priority on security and develop expertise in their managers, then I think the picture will start to look better. Until that happens, I don't think playing musical chairs with the development team is going to help.

What Ranum is proposing is simply yet another fake silver bullet.

Putting the cart in front of the horse (1)

MikeRT (947531) | more than 4 years ago | (#32184120)

Using the federal government as an example, Ranum pointed out that many, if not most, of the internal software development groups that used to exist in federal agencies are now largely gone. In their place now is an army of contractors doing much the same job, but with a couple of important differences. Because the internal development teams no longer exist, the contractors are reporting to program managers instead of managers who were developers themselves.

As a result, there are fewer and fewer people inside the agencies who understand what it takes to write and deploy good software. And the software they're getting is costing several times what it used to because it's coming from contractors rather than internal employees.

Contractors are favored by the federal government mainly because they can be hired and fired more easily than employees. Big commercial contractors are favored because they are the ones most capable of jumping through the flaming hurdles that the feds put up to keep up the appearance of saving tax money. The solution is simple: change the damn laws and regulations so that they can be easily hired and fired, and any 1099 can big on a small project without being an expert in government processes.

We already have a secure coding office... (1)

onionman (975962) | more than 4 years ago | (#32184136)

Here's the link: http://www.nsa.gov

Re:We already have a secure coding office... (0)

Anonymous Coward | more than 4 years ago | (#32184406)

Don't forget: SELinux [nsa.gov]

Re:We already have a secure coding office... (1)

flyingfsck (986395) | more than 4 years ago | (#32184462)

Yup, the poor sap is so totally clueless.

some of the dumbest comments on slashdot (0)

Anonymous Coward | more than 4 years ago | (#32184156)

You would all win the prize for twenty of the dumbest comments on slashdot, not a brain cell between you all, and a big advert for Sarah Palin right next to the article, is this what slashdot is reduced to ..

Sarah for 2012 [imageshack.us]

Hmm... what would it be called? (1, Informative)

Anonymous Coward | more than 4 years ago | (#32184172)

I know! Let's call it the National Security Agency... and they could do things like work on securing our systems. Take Linux for example... maybe they could create a more secure environment... and call it SE Linux...

Nah... that's silly...

That just sweeps vulnerabilities under the rug... (1)

2obvious4u (871996) | more than 4 years ago | (#32184194)

Dumb idea. You now have isolated code custom built for each group. Someone would have an easier time exploiting it without detection because there would be a smaller user pool. At least with commercial software there is a larger audience to find and fix security holes and if one is exploited there is an accountable party to hold responsible for fixing it.

Re:That just sweeps vulnerabilities under the rug. (1)

geekoid (135745) | more than 4 years ago | (#32184544)

"You now have isolated code custom built for each group"

How would having many small software piece that is open and used throughout the country lead to that?

"At least with commercial software there is a larger audience
false.

" to find and fix security holes "
ohn yeah, corporation are real well know for jumping on security holes~

" exploited there is an accountable party to hold responsible for fixing it."
yeah, try holding a private company to that. good luck.
With a government body there is a specific person you can go to and hold responsible. You don't just have to be a shareholder or someone spending thousands of dollars. You just need to be a citizen.

So where does the OS come from then? (4, Insightful)

ErichTheRed (39327) | more than 4 years ago | (#32184232)

There are some big reasons why this might be a good idea:
1. Vendors have every incentive to pull the rug out from under you support-wise and make you buy their product again every few years.
2. Having people in-house who _actually know_ everything about how a system works really helps with debugging. Oracle, for example, is the king of finger-pointing when it comes to blaming some other part of the system for crashing a database.
3. Custom code would still have holes, but at least they wouldn't be the exact same ones being exploited in the private sector.

There's also some really good reasons not to do it:
1. You will still need to source an OS from somewhere. Whether $LinuxDistribution, IBM, Sun/Oracle, HP or Microsoft, ti wouldn't make sense to build a single purpose OS unless you were working on embedded systems. This OS would still have the same problem of limited-time support, publically available security exploits, and crappy support when you do get it.
2. Government organizations are very bad with communication. At the state level, practically every department sets their own standards. How could you get agencies with very different priorities to sign on to something that centralized?
3. Quality of code (see below.)

I work in systems integration, and have done so for many large companies. This is the place where we take applications, figure out how they can fit together, and merge them into a platform of clients/servers/network connections/databases. Software written by in-house IT is often the biggest bug-filled, resource hogging mess to get working. This goes double if the dev work is outsourced to a provider that doesn's know about the environment the app will run in. Think about the in-house apps you use -- the order entry client that requires a dual core processor and 2 GB of RAM, or the app that crashes with no explanation or a dialog box that says "You should never see this message." It's not all that bad, and some apps actually work really well. But developer training and skill levels are all over the map. At the very least, a vendor is responsible for their code, and can be persuaded/paid to fix bugs instead of letting them fester. A vendor specializes in building software meant to be used outside of their little corner of the world, so some companies do take time to make sure bugs are fixed.

This would work well when the field of software development matures a little more, and best practices aren't dictated by companies trying to sell you something. That's why IT has a very hard time being recognized as a branch of engineering - there's very few standard ways of doing anything. On the OS front, you have major vendors, hundreds of Linux distributions and other small players. On the database front, you have a few huge vendors that take totally different approaches.

Yes... (0)

Anonymous Coward | more than 4 years ago | (#32184320)

Yes, let's create a Secure Coding Office, and call it SCO :)

What's that expression... (1)

HockeyPuck (141947) | more than 4 years ago | (#32184350)

Something about not reinventing the wheel.

No they don't (0)

Anonymous Coward | more than 4 years ago | (#32184374)

This is absurd.

coding - yuk (0)

JustNiz (692889) | more than 4 years ago | (#32184414)

I hate the word 'coding' it completely sets the wrong impression and totally degrades and devalues the work that a software engineer actually does.
Its as insulting as describing hardware design engineers as welders.

Well, the well known NIH sindrome (0)

Anonymous Coward | more than 4 years ago | (#32184568)

Not invented here: the old saying in IBM et al, in the previous millennium!-?
I assume that a cook in the CIA cafeteria should at least be a colonel, with 20 years
experience.

Ahhh Marcus.... (2, Funny)

GPLDAN (732269) | more than 4 years ago | (#32184606)

Marcus is something of a muckracker. At one time, he was in charge of whitehouse.gov website security, and has at times been incredibly critical of the US Gov - see his book The Myth of Homeland Security in which I think he rips every major division of federal government (but especially the DHS) a new asshole.

As such, many beltway types have tuned Marcus out. He's almost always right, but he goes about telling us the problems in the most confrontational manner possible.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?