[NTLUG:Discuss] Hidden Malware in offshore products raises concerns

Steve steve at cyberianhamster.com
Sat Sep 13 11:20:41 CDT 2003


On Fri, 2003-09-12 at 20:21, Tom Adelstein wrote:
> I don't think that's the point at all.

> I wish more people understood the issues. They don't and won't.

> The Chinese understand it and that's why they compile everything themselves and have their own official Linux. 

Since the Chinese government understands the issues, what is the U.S.
official Linux distro and what makes it (and other domestic distros)
more secure wrt malware than the non-official, foreign distros? Please
tell us so we can tell our SuSE and Mandrake friends why Lindows is the
superior Linux distribution if you're concerned about malware.

What does compiling something yourself have to do with the risks of
offshore programming? If a domestic programmer gives you customized,
complex code with something malicious in it, and you don't have a
process to check the code or don't want to, just compiling it yourself
isn't going to diminish your risk profile.


> Americans have little to no understanding of the risks and perils associated with people doing software offshore.

How are these risks and perils radically different from using domestic
programmers? Is there some consolation for being cracked by a domestic
programmer instead of a foreign one? "Well, at least he wasn't Indian." 

The Computerworld article spends a lot of time discussing security
issues and responses that apply to using ANY programmers of complex,
critical applications. That's what I mean by "I'm not sure what the point
is." And the article mostly ends with this thought:

********
"Oracle Corp. Chief Security Officer Mary Ann Davidson said the
globalization of software development dictates global development
processes. 'The assumption is that everybody physically located outside
the U.S. is more of a risk.' But that assumption is incorrect, Davidson
said, citing the many documented and publicized security lapses from
trusted U.S. employees in both the public and private sector. Still, at
the end of the day, with current tools, it's difficult to find hidden
malware, she said."
********

Never mind that the security problems arising from poor programming and
setup far outweigh that of malware. I'm sure that Interbase customers
were comforted when they found out that the backdoor to their database
that existed for years was from a domestic company. Of course, this
wasn't malware. This was "to help the customer" by letting them get
into my db with the hard-to-guess userid and password of "politically"
and "correct".


> At OSSI, we can't even bring a non-citizen anywhere near a project.

So the Chinese guy who just became an American citizen is going to be
way ahead of that guy in India wrt your peace of mind. And this
differentiation, by itself, will change how OSSI views the risk profile
of its actions?

If the person is creating customized code for you, it is there for you
to see, just as it is with a domestic programmer. An organization that
means to do you harm can easily infiltrate an organization through a
domestic programmer. No process for proofing your code and a dubious
trust position with respect to your programmers, regardless of their
nationality, is going to be the Achilles heel from a security
standpoint.

Steve