Wow. Not much more to say, Bruce pretty much covered it:

U.S. Government Contractor Injects Malicious Software into Critical Military Computers

This is just a frightening story. Basically, a contractor with a top secret security clearance was able to inject malicious code and sabotage computers used to track Navy submarines.

Yeah, it was annoying to find and fix the problem, but hang on. How is it possible for a single disgruntled idiot to damage a multi-billion-dollar weapons system? Why aren't there any security systems in place to prevent this? I'll bet anything that there was absolutely no control or review over who put what code in where. I'll bet that if this guy had been just a little bit cleverer, he could have done a whole lot more damage without ever getting caught.

One of the ways to deal with the problem of trusted individuals is by making sure they're trustworthy. The clearance process is supposed to handle that. But given the enormous damage that a single person can do here, it makes a lot of sense to add a second security mechanism: limiting the degree to which each individual must be trusted. A decent system of code reviews, or change auditing, would go a long way to reduce the risk of this sort of thing.

I'll also bet you anything that Microsoft has more security around its critical code than the U.S. military does.

Read more....



( 2 comments — Leave a comment )
Apr. 16th, 2007 01:26 am (UTC)
Color me unsurprised
I worked in that world for 3 years. I joined it because post-9/11, I was motivated to do something to help with national security. I left it because I found out that no one else gave a rat's ass.

True story: The technical lead on the FBI's failed Trilogy project brought on his wife as one of the lead DBAs. She claimed, on her resume and on her papers for clearance, that she had a college degree. It took the FBI nearly TWO YEARS to figure out that she was lying.

Both she and her husband ended up being denied clearance. You might think that when the technical lead for the FBI's project to update its computer system cannot get clearance, there might be some sort of review of the code they were responsible for. There wasn't. The fact that the entire system didn't work kept it from going live, but the inability for key developers to gain clearance was irrelevant.
Apr. 16th, 2007 01:32 am (UTC)
OK, reading that article gets me even madder.

I knew one person who was denied a security clearance (and had his existing security clearances revoked) because when the gov't was poking through the files of his psychiatrist (when you apply for a security clearance, you give the government permission to do such things), they didn't like some of the things he said about his ex-wife. Meanwhile, someone who claims he is BI-POLAR can hold a DOD TS.

Yeah, the system's not broken...

As for code reviews, security audits, and other such processes, I never saw such things used. Not to say they don't happen (and I didn't work on weapons systems), but yeah, MS certainly has better code control in general than the federal government.