[email protected] (Clark Morris) writes:
> Actually allowing any country to review code is to open an exposure.
> On the other hand all users have at least some need to verify that
> code is not exposing them. For those users with high security needs
> and a large enough budget, having all software in house maybe using
> open source software as a starting base can make sense. I believed
> back in the 1970s and 80s that one of the best places to put a spy was
> in the IBM software creation and distribution system. These comments
> apply to all countries. It would be interesting to find out which
> countries and entities are reviewing source code from the various
> vendors. I believe that Snowden supporters are naive if they believe
> that other major and not so major countries are not engaged in much
> the same activities as those he accused the United States NSA and
> other agencies of committing. If IBM is allowing the Chinese
> government to review the code, I will guarantee that other governments
> are also reviewing the code. In addition we know that at least some
> ISVs have access to at least some of the code under non-disclosure
> agreements. I leave to you who are citizens of various countries to
> determine how concerned you should be.
A lot of this is a consequence of significant publicity in the past couple of years about US gov. agencies putting backdoors in many products from US companies. In many parts of the world, US companies are now faced with proving that their products don't have backdoors.

There is the folklore from the early 80s about a certain gov. agency asking IBM if it could guarantee that all the source IBM provided for the POK favorite son operating system exactly corresponded to all the code they were actually running. Supposedly a large taskforce spent a significant amount of money investigating the issue and concluded that it wasn't practical (almost impossible to identify exactly all the corresponding source that went with all the running products that a customer had installed).

It used to be that all source was available ... it was only in the 80s that the OCO-wars started ... with IBM moving to no longer making source available.

Long ago and far away, litigation results in the 23Jun1969 Unbundling announce ... some past posts
http://www.garlic.com/~lynn/submain.html#unbundle
charging for (application) software, SE services, maintenance, etc ... however the company made the case that operating system software should still be free.

Then "Future System" was started in the early 70s as a countermeasure to clone controllers (totally different from 370, with tightly integrated controllers having an exceedingly complex protocol). Internal politics started killing off 370 products. Then the lack of 370 products during this period is credited with giving clone processor makers a market foothold. I continued to work on 360 & 370 stuff during this period, even periodically ridiculing the FS efforts (not exactly a career enhancing activity). some past posts
http://www.garlic.com/~lynn/submain.html#futuresys

Then when "Future System" imploded, there was a mad rush to get products back into the 370 pipeline.
This contributed to selecting several of the things that I had been doing for release to customers. Part of the stuff, dynamic adaptive resource management (dating back to when I was an undergraduate in the 60s), was selected to be a separate kernel component and the guinea pig for starting to charge for operating system/kernel software (in large part because of the rise of clone processors ... which was because of the lack of 370 products during the FS period) ... on the path to charging for all software ... and then stopping making source code available. some past posts
http://www.garlic.com/~lynn/subtopic.html#fairshare

... AMEX is in competition with KKR to do a private equity LBO take-over of RJR. KKR wins, but runs into trouble and hires away the president of AMEX to turn it around.
http://en.wikipedia.org/wiki/Barbarians_at_the_Gate:_The_Fall_of_RJR_Nabisco

IBM has gone into the red and was being reorganized into the 13 "baby blues" in preparation for breaking up the company. The board then hires the former president of AMEX to resurrect IBM and reverse the breakup. Some of the same techniques used at RJR are then used at IBM:
http://www.ibmemployee.com/RetirementHeist.shtml

The former president of AMEX then leaves IBM and becomes head of another major private equity company ... which then does a private equity LBO of the company that employs Snowden.

Last decade there was an enormous uptick of outsourcing to for-profit companies ... especially those under the thumb of private-equity owners with enormous political clout. The majority of the intelligence budget and over half the people are now with for-profit companies.
http://www.investingdaily.com/17693/spies-like-us/

Private contractors like Booz Allen now reportedly garner 70 percent of the annual $80 billion intelligence budget and supply more than half of the available manpower.
They're not going away any time soon unless the CIA and NSA want to start over with some off-the-shelf laptops, networked by the Geek Squad from Best Buy. Security clearances used to be a government function too, but are now a profit center for various private-equity subsidiaries.

... snip ...

comparison of private-equity LBOs to house flipping, except the loan for the purchase goes on the victim company's books ... and stays with it even after flipping. They can even sell a victim company for less than they paid and still walk away with boat loads of money. Victim companies are under intense pressure to make money to service the debt and they account for over half of corporate defaults (the companies being paid for security clearances were found to be doing the paperwork ... but not actually doing the security checking).
http://www.nytimes.com/2009/10/05/business/economy/05simmons.html?_r=0

another ... "OPM Contractor's Parent Firm Has a Troubled History"
https://firstlook.org/theintercept/2015/06/24/opm-contractor-veritas/

and ... "How Private Contractors Have Created a Shadow NSA; A new cybersecurity elite moves between government and private practice, taking state secrets with them" (also references an oil rig company that was transformed into one of the largest defense contractors after a former SECDEF and future VP becomes CEO, including no-bid contracts in Iraq)
http://www.thenation.com/article/how-private-contractors-have-created-shadow-nsa/

There was an enormous uptick in outsourcing to for-profit companies last decade; the above includes references to some of the events around the spreading "success of failure" culture by the for-profit beltway bandits (make more money off a series of failures)
http://www.govexec.com/excellence/management-matters/2007/04/the-success-of-failure/24107/
(note sometimes clicking govexec serves up a blank page and you have to repeat the click)

There has been a lot written about the failure of gov. whistleblower provisions ...
rather than protecting the whistleblowers ... it sets them up for prosecution. The "success of failure" scenario has long-time senior people reporting problems to the responsible group in congress ... and then getting charged under the same statute that was used to charge Snowden. The whistleblower provisions are for employees only (not for the exploding number of contractors like Snowden) ... and it didn't protect them either. Other trivia: in the wake of the "success of failure" scandal, congress put the agency on probation and did not allow it to manage its own projects (however, that may have just been a ploy to further outsource to for-profit companies). some past posts
http://www.garlic.com/~lynn/submisc.html#success.of.failure

More trivia: IC-ARDA (since renamed IARPA) released an unclassified BAA around the first of the century ... that basically said that none of the tools they had did what was needed ... which turns out to correspond to a lot of what was exposed in the later "success of failure" scandal.

Member: Mainframe Hall of Fame www.Enterprisesystemsmedia.com/mainframe-hall-of-fame
Original Member of Knights of VM http://www2.marist.edu/~mvmua/knights.html
--
virtualization experience starting Jan1968, online at home since Mar1970
