http://www.wired.com/news/conflict/0,2100,56777,00.html

By Michelle Delio
Dec. 10, 2002

Software designed by Ptech, a Massachusetts technology firm U.S. federal agents suspect might be linked to terrorist groups, does not appear to threaten national security.

Federal agents raided the company's Quincy offices early Friday morning. Officials are investigating allegations that investors in the company also finance terrorist organizations.

News of the raid sparked concerns that Ptech's software could have been engineered to allow attackers access to classified national-security data. The Army and Air Force, Congress, the White House, the Federal Aviation Administration and the FBI use the company's knowledge-management software.

Initial reports indicate that Ptech's software was not engineered to allow attackers easy access to government databases. But security experts warned that while Ptech products might be safe, the raids highlight the need to secure systems from internal as well as external threats.

"Internal security breaches are the number one problem. It's rare that someone actually hacks a system without help from inside," networking consultant Mike Sweeny said.

"Just look at the last news bite about ID theft," Sweeny said. "A help-desk worker was handing over credit reports with all the info needed to steal people's identities for 60 bucks a pop. No hacking required there."

According to a representative from the Department of Justice, officials had determined that Ptech software was "clean" before Friday's raid.

"All of the products Ptech provided to the government were of a non-classified nature," said U.S. Attorney Michael Sullivan in a statement. "However, out of an abundance of caution, the affected government agencies, including the FBI, conducted a review of their computer systems.

"There is no reason to believe that the software has any secondary purpose or malicious code, or that there has been a breach of any kind. There have been no vulnerabilities identified in connection with any of the products provided by Ptech. There is also no evidence to suggest that the system is susceptible to compromise or poses any security risk."

Many security experts also said they doubted Ptech's software was a threat, but wondered how officials arrived at that conclusion so quickly.

"Most commercial software is compiled in some manner," said Sweeny. "In other words, you do not see the source code, so it's tough to look for backdoors or Trojans. And even if it were not closed source, the amount of code to go through is overwhelming unless you know exactly where to look."

Some said the Ptech incident proves that government should rely on open source software.

"This is exactly why open source software advocates promote open code, to allow peer review and preclude such things from happening," said security consultant Richard Forno. "It works for both a security and operational stability benefit."

But Michael Wendy, of the Initiative for Software Choice, a lobbying organization that's battling to block governments from passing legislation encouraging or mandating the use of open source software, cautioned against making any "sweeping security conclusions from this event or anything similar that may occur."

"It's important to note that a development model is only a process," Wendy said. "It does not guarantee, in and of itself, that a product produced under one type of model will be any better than another product produced under a different model. In other words, no single development mode inherently produces safer, more secure software."

Still others said it makes little difference whether the government uses open source or closed software.

"Having more open source software in circulation with the government would be nice, but open source software can be as insecure as closed source software," said William Knowles, senior analyst at C4I.org, a private computer security and intelligence group.
"But it's entirely possible that a backdoor could have been inserted into software destined for U.S. government clients," Knowles added. "I often wonder about all the Y2K programming done offshore in less-than-friendly countries and if there are any backdoors in that software."

-
ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Wed Dec 11 2002 - 02:45:41 PST