Israeli coders, Arab testers

Major Variola (ret) mv at cdc.gov
Thu Apr 1 10:22:11 PST 2004


from owner-cryptography at metzdowd.com

Eugene Volokh, 3/25/2004 04:02:38 PM

Israeli coders, Arab testers: A reader writes, apropos
checking sensitive source code for sabotage:  I spoke to
[someone] from the NSA, about this subject a couple of
years back. As you probably know, although the NSA has
teams of cryptographers at its disposal, a large amount
of the successful interception it carries out is simply
due to exploiting software faults in communications
software. Consequently, in their other role, as advisor to
the DoD about communications security issues, they focus
on software assurance to an extent that often takes
newcomers by surprise.

The NSA used to have a requirement that only American
citizens should be allowed to work on sensitive source
code, because they considered there to be too great a
risk of backdoors being placed in the code by foreign
nationals . . . . More recently, because of the number
of H1(B)s and green cards in the computer industry, it's
been impractical for the NSA to insist on that. Instead,
what they've encouraged -- and this is the interesting
and quite clever part -- is that programmers and testers
should be of different nationalities. If you have Israeli
coders, get Arabic testers. If you have British coders,
get French testers. And so on.

A cute solution to the problem. But I don't know if it
ever worked. I suspect the NSA still insists, though,
that source code for sensitive systems be written by
American companies on American soil, even if it isn't
written by American fingers. Of course, even if the NSA's
program worked for the NSA, it would be pretty expensive
to adopt for the important source code and off-the-shelf
object code used by lots of other organizations -- many
of which are private companies -- that manage critical
American infrastructure. Nor am I sure that it would work
that well even if it were adopted. Still, it struck me as
interesting enough to be worth mentioning.

http://volokh.com/2004_03_21_volokh_archive.html#108025935883663167




