LGF


Just Go Back to Sleep

Fri, Dec 6, 2002 at 10:04:56 am PST

Here’s a report that the government is already denying there was any security breach in the Ptech software investigation.

Government software specialists said the company's software was safe, after studying the software code for evidence it might do anything other than advertised, such as allowing any insiders to read or steal sensitive data, a U.S. official said, speaking on condition of anonymity.

The White House also was satisfied that the software never had been used in any sensitive government systems, this person said.

Don’t you feel reassured?

Well, you shouldn’t. It strains credulity to the breaking point for these so-called software specialists to claim, after only a few hours, that everything’s squeaky clean. The Ptech site is so loaded with techno-jargon that it’s a little hard to tell what their software actually does, but it seems to be related to organizing and managing large amounts of data. Even if the government’s experts have access to the original source code, it’s extremely unlikely that they could have gone through everything in such a short time; modern non-trivial applications can run into millions of lines of code, distributed among hundreds of files. And if they don’t have the source code, then the claim that this software is “safe” is beyond ridiculous. Who do they think they’re fooling? (Answer: most of the American public, probably.)

UPDATE: so the White House is “satisfied” Ptech’s software was never used in any “sensitive government systems,” eh? LGF reader Glen Wishard points out this page at the Ptech site, a case study for the DOE on the Rocky Flats nuclear weapons facility. Oh no. Nothing sensitive there.

UPDATE: the latest report says the government has been examining the Ptech software for back doors for “weeks:”

The U.S. Customs investigation was given the highest priority inside the government, and for the past weeks government agencies have been quietly searching their computer software to see if there are any hidden bugs or "back doors" to make it easy for terrorist hackers to break in, ABC reported.

UPDATE: or is that “months?”

The company's software code was checked by the government to determine if outsiders could read or steal any sensitive data from the government, or embed the code with something destructive, officials said. Those checks began months ago, when the probe of Ptech started.

38 comments


1 Robert Crawford  Fri, Dec 6, 2002 8:12:48am
Web-accessible information that is user-friendly for all stakeholders, including hyperlinked icons and a Web-enabled KnowledgeBase that can be placed on an intranet.

So, basically, it's a blog?

Actually, a while ago I took the blog software I'm using and did some futzing with it. I made a version that links any mention of other entries to that entry. So, for example, if I had an entry titled "Ptech", then every instance of "Ptech" in the rest of the blog would be linked to that entry. It had a bit of brains about it, so it preferred longer links over shorter (so "Ptech management" would get linked to an entry titled "Ptech management" rather than "Ptech").

With a bit of work, that kind of system would be really cool.

Judging from the buzzword density on that page, though, I have to wonder what their software really DOES. It's clear they have upper management and bureaucrats as their target audience there.

2 Solomon X  Fri, Dec 6, 2002 8:15:42am

I'm sure they started looking at the code well before this raid. What makes me uneasy is, why raid the company? There must be probable cause to issue the warrant, it can't be a fishing expedition (maybe lenient standard for national security purposes). They went there looking for something. Either the code revealed something, or they had no assurance that the software was clean.

3 Keelie  Fri, Dec 6, 2002 8:22:23am

Perhaps it's not so much the code itself, but how much access those working for the company had into the government files.

Of course, with in-depth knowledge of the code, one could build in all kinds of little hidden routines that would allow whatever access was required.

As Charles says, there are millions of lines of code to be considered...

4 Robert Crawford  Fri, Dec 6, 2002 8:24:12am

The story says they're looking for ties to an investor:

A federal law enforcement official, who also spoke on condition of anonymity, told The Associated Press: "We're investigating whether a businessman on the list of alleged or potential terrorist financiers is a part-owner of the company."

They're probably looking at email, phone logs, money transfers, that kind of thing.

5 Kalle (kafir forever)  Fri, Dec 6, 2002 8:26:06am

Backdoors and trojan horses are not difficult to hide in large software.

6 Studsup  Fri, Dec 6, 2002 8:26:49am

Good, what a relief! I feel as good now as when the Government concluded that TWA 800 succumbed to a center fuel tank explosion.

7 Raj Against The Machine  Fri, Dec 6, 2002 8:29:01am

Great - these assholes are practically in my backyard...

8 Ptah  Fri, Dec 6, 2002 8:37:06am

I'm with Charles: even if the source code was shown ahead of time to the Feds, if the code is compiled or "shrouded", what they were shown is not necessarily what the computers were running.

Be very worried...

9 Kalle (kafir forever)  Fri, Dec 6, 2002 8:57:38am

One of the three creators of Unix famously described how to insert a trojan horse in a system, in such a way that anyone attempting to clean up the system would keep re-introducing the trojan horse, even if they recompiled all applications in the whole system from source code known to be safe.

10 Ben Noah  Fri, Dec 6, 2002 8:59:21am

I'm sure they started looking at the code well before this raid. What makes me uneasy is, why raid the company?

Some reasons, 1, because they still aren't really sure of what else might be lurking, and 2, perhaps it's some sort of political calculus re: Saudis this week..

I prefer the former, since I think the White House has a pretty good leash on the FBI, unless the WH wanted to put more heat on the Saudis, but after the latest reports that they are going to allow us to use their air base I can't see them doing that..

11 jt  Fri, Dec 6, 2002 9:00:52am

It takes the better part of a day to run a full security check on one of my boxes, running Win98, not even a server, checking the registry, firewall logs, virus logs, system logs, running port scans, a full virus scan, a spyware scan, etc, etc, etc.

On the bright side, computer security doesn't depend on a single failure point. Even clearly malicious software running on a given computer may not constitute a security breach. For example, you may have a trojan running on your comp right now, but your firewall could be blocking it from attacking other computers on your LAN or communicating with computers other than those you trust.

12 NuclearAgeDionysus  Fri, Dec 6, 2002 9:15:20am

I believe Ptech makes what's known as "Enterprise Resource Planning" software.
What it basically does is provide a portal-type program through which most, if not all, of the data the company deals with, passes through. This happens from the lowest level on up.
It has a lot of advantages, but the main draw is that the software can aggregate data, providing the decision-makers at the highest levels of the organization all kinds of up-to-the-minute info. At any given moment, for example, the CEO in London of a manufacturing company can check to see how many of a certain brand of part their assembly line in Singapore has used. He can then compare the average speed of the assemblies in Singapore to their plant in Mexico, which uses a different brand part, to see if the brand choice impacts it. Or he could reference it to the quality of the finished product. Or see when a certain employee last logged in to the system. Or get any amount of operational or financial data on the organization, with the right clearance. Data-mining techniques could also be used to find weaknesses in the organization.
Also-- these are huge, intricate programs. It'd be extremely time-consuming to check the code line-by-line for security flaws.

13 SOG  Fri, Dec 6, 2002 9:26:12am

A local radio show (KTAR in Phoenix) interviewed the lead investigative reporter for ABC (Brian _____ - didn't catch the last name - he'll be on ABC with Peter this evening). In addition to stating that the FBI brushed the employees' concerns off, forcing them to approach Customs, he also indicated that the administration ordered a review of this code beginning some time ago (weeks/months). While a few weeks certainly wouldn't provide enough time to detect all nefarious tricks, I don't think this is a case of immediate, completely unsubstantiated denial.

14 jsing3r  Fri, Dec 6, 2002 9:27:46am

Maybe I'm misunderstanding the story but to me it comes across like this:

The raid on Ptech had to do with suspicion of financial connections between insiders there and terrorism-related groups. It had nothing to do with any concerns about IT security, the software is not used in any sensitive context and there are no known concerns about its integrity.

Sorry Charles, but this sounds more like an alarmist Slashdot article than something I should get excited about...

15 Red Herring  Fri, Dec 6, 2002 10:00:35am
Government software specialists said the company's software was safe, after studying the software code for evidence it might do anything other than advertised, such as allowing any insiders to read or steal sensitive data, a U.S. official said, speaking on condition of anonymity.

Just because they have found no unadvertised code does not necessarily mean that the software is safe. A bug in the security-related portion of the code would do. Having access to the source code greatly simplifies the job of uncovering such a bug. The bottom line is that trusted software can only be produced by trustworthy programmers.

16 Chuck  Fri, Dec 6, 2002 10:45:33am

This is the software DARPA was using for the credit card analysis...

Or not.

17 Ptah  Fri, Dec 6, 2002 10:50:28am

#15 is right.

As for Kalle, #9: Yah. The trick is to put trojan insertion code IN THE COMPILER, INTERPRETER, OR THE LIBRARY, not in the application source code. That code uses keywords and such to insert the trojan code when the application source code is compiled, interpreted, and executed. Quite nifty, and probably what M$ meant when they said closed source code is more secure. Only in a few ways...

18 MPA  Fri, Dec 6, 2002 11:54:55am

Why are the guvvies so quick to come out with the news that No Harm No Foul? If the code is innocuous and there is no link to al Qaeda what the hell are they doing busting into this place at 2 AM?

Something stinks here.

19 Robert Crawford  Fri, Dec 6, 2002 11:55:57am
If the code is innocuous and there is no link to al Qaeda what the hell are they doing busting into this place at 2 AM?

They're looking for a money link to al'Qaeda.

20 Bone  Fri, Dec 6, 2002 12:07:40pm

I am pretty techno-illiterate; please excuse if this is not even possible. But over the last several months Debka ran some stories about al-Qaida being able to access key American security communications. I believe their theory was that somehow the information got into al-Qaida's hands through Aldrich Ames and/or Hanssen, to the Russians, then to Saddam or some other client and ultimately to bin Laden. It was pretty kooky.

The story seemed somewhat credible, however, because Debka claimed that the corruption of our military/intelligence communications was the reason behind the 'Blackhawk Down' incident in Mogadishu, explaining why hundreds of Somalis were able to meet our troops everywhere they went (i.e. someone was eavesdropping on our communications). Also, Debka said the reason Bush was flying all over the place on 9/11 was the belief, I think widely reported, that somehow Air Force One was being tracked.

It all seems far-fetched, but wouldn't something like this Quincy story lend some credence to this?

21 davic  Fri, Dec 6, 2002 12:21:34pm

A software PhD in my office said that there is no way the FBI could guarantee the source code is clean because it would be very hard and take extreme expertise to detect some malicious element in the code.

22 Robert Crawford  Fri, Dec 6, 2002 12:32:09pm
Debka claimed that the corruption of our military/intelligence communications was the reason behind the 'Blackhawk Down' incident in Mogadishu, explaining why hundreds of Somalis were able to meet our troops everywhere they went

The reason everyone knew when the Rangers were heading out is because they could SEE into the US compound. Helicopters aren't small or quiet, and a guy with binoculars and a radio could give warning when they're being loaded and taking off. I'm pretty sure the book describes this problem. The movie does a great job of portraying it -- as the helicopters are taking off, there's a kid with a radio (or cellphone) who calls somebody to let them know.

Remember that the actual mission that day was a success. The guys the Rangers and Delta went out to capture were captured -- they were exactly where they were supposed to be, and hadn't made an effort to escape. If our communications were compromised, it's unlikely the targets would have waited around to get captured.

23 someone  Fri, Dec 6, 2002 12:34:18pm

OT: the latest speculation on an Iraq timeline.

Two more months! The wait will have driven us all nuts by then. But having the Turkish PM visit next week indicates Bush will wait on that to actually move troops in, I think, though there are other things that may go down beforehand. In any event, get set for more weeks of UN flailing.

24 Glen Wishard  Fri, Dec 6, 2002 12:36:16pm
The White House also was satisfied that the software never had been used in any sensitive government systems, this person said.

??? - Say again? What the f--k, over?

What about the fact that this company was crawling all over the Rocky Flats DoE facility, where plutonium is inventoried?

I can hear it now: "There is no evidence whatsoever that the individuals who stole plutonium from a Department of Energy site intend to use it in the construction of a nuclear weapon."

25 Robert Dammers  Fri, Dec 6, 2002 12:41:19pm

Well, PTech have tried to sell their products to me, because they are designed to support Enterprise Architects, which is what I do for living!

Most of this stuff helps you model an organisation's business processes, the organisation's data, the organisation's structure and so on, and relate these models to each other. Go to John Zachman's website to see why you might want to do this.

26 Glen Wishard  Fri, Dec 6, 2002 1:06:08pm

Here is Ptech's case study on Rocky Flats, from their own website:

[Link: www.ptechinc.com...]

This is not a sensitive government system?

Take a look at their customer list. The FBI, the FAA, a buttload of defense contractors like Alliant, and the Allegheny Energy Supply Co.

Nice to know all of this has been investigated and cleared up so fast. Superman must have been up all night.

27 Ralph...just Ralph  Fri, Dec 6, 2002 2:45:22pm

This is really quite a stretch... the government investigates a company looking for a possible money trail to terrorism... now it's about plutonium? Terrorists have intercepted communications so now it's about the company being investigated for terrorist ties? The software is huge and complex so therefore the feds couldn't possibly understand it?

None of these tie together in any significant way. It's like saying MS writes incredibly complex code that manages communications and has a Saudi investor, so therefore Microsoft is a security risk and aiding terrorists.

28 jeanne a e devoto  Fri, Dec 6, 2002 3:14:20pm

Ralph, I think you're missing at least part of the point. The point is not "Ptech must have caused some government agency to be compromised"... the point is that there hasn't been nearly enough time to figure out whether there's a problem, so what are federal officials doing saying "Run along, nothing to see here, we're absolutely sure that this complex product has no security holes!" That is not a realistic statement and invites speculation as to why they'd say such a thing.

If they said "We currently have no reason to believe such a problem has occurred, the investigation is continuing", that would be a different matter.

29 anony-mouse  Fri, Dec 6, 2002 3:42:10pm

Oh joy, I live within nuking distance of Rocky Flats.

30 Ralph...just Ralph  Fri, Dec 6, 2002 3:48:55pm

#28
"Run along, nothing to see here, we're absolutely sure that this complex product has no security holes!" That is not a realistic statement and invites speculation as to why they'd say such a thing.

You're entirely right. It wasn't so much my intention to excuse the inane statements of the feds. I find it ridiculous to take such a high profile action and then, in a matter of hours, make a half-assed attempt at reassuring those they scared in the first place.

Nonetheless, though I could have put it better, I stand by my belief that the comments following Charles' post are little more than conjecture. Who knows, they may well prove accurate but until the facts become clear it's just silly to speculate on the ramifications of something that may not have even happened.

31 Eric  Fri, Dec 6, 2002 4:20:03pm

All and sundry...
I read this thread, logged off, and stepped out onto my back porch for a breath of fresh air (dumb: it's COLD out there!). While I was out there, I realized that back in the old days, I did some software debugging, and thought it might be a useful example of why the Powers That Be may have been hasty in saying "It's perfectly safe."

When I was a kid, I had a TRS-80 Model III, running a spiffing new version of BASIC. A friend of mine printed the BASIC code for a game and gave it to me to enter onto my computer (the earliest form of software piracy, I guess). I don't remember the name, but it was a "simulation" of a B-1 attack on the USSR, complete with enemy jet bases and SAM sites (To this day, I wince whenever I hear the name "Talinn." That one was a real bear to get past).
The printout ran close to 50 pages, probably well over 1000 lines of code (in BASIC, mind you). It took me a good long summer's day and night to enter into the 'puter, but by the end of it, I had a pretty darn good idea of what the designer was thinking, to the point where I was guessing correctly what the next set of lines was going to be ("770 If X=0, then goto 880, else goto 780").
Finally, I had it all entered in. I saved it (to a cassette drive, god help us all), and ran this masterpiece. About 10 minutes in, as I was calmly piloting my plane towards Moscow, dropping cruise missiles as I went, the program got stuck in an endless loop ("450 If X=0, goto 551 else goto 450").
After much wailing and gnashing of teeth, I went to bed. The next day, I began to go through this program that I was COMPLETELY familiar with, to find where I had mistyped.

It took 12 hours to find the mistake.
In BASIC.
For a 50 page hardcopy program.

The programs the feds are looking at are a gazillion times more complex, in a language that's as easy to understand as English would be to one of those "lost tribes" they still occasionally find in Africa.
Methinks they speak too quickly.
And so does my rubber duckie collection.

(PS: If anybody knows what the program I'm talking about up there was called, drop me an e-mail... I suspect I'm going to be up all night trying to remember the name)

32 Ralph...just Ralph  Fri, Dec 6, 2002 5:08:25pm

33 Eric  Fri, Dec 6, 2002 7:03:45pm

#32
Ralph, that might just be it! Some of the facts seem a little different (I remember having more than one Phoenix missile, but I may have changed that in the program itself), but it sure SEEMS to be the right flavor.
Thanks! I can sleep well tonight.

(What can I say? I'm easy.)

34 sonicbeagle  Fri, Dec 6, 2002 8:14:23pm

#25 is correct. What PTech makes is software for meta-data modeling. This means they provide tools for organizing and visualizing information about data. Managing the way data is structured, related, and organized is just as important (more so, the data architects will tell you) as the actual data itself.

PTech software doesn't touch, monitor, or store the actual data flowing through a system itself, so I believe the security risks are very small from the software itself. The bigger risk (still small IMHO) is from PTech personnel with access to gov't systems. Background checks for gov't contractors are routine these days, so again I believe the risk is small.

These guys are not IBM or Oracle - both of whom make the databases and warehouses used by gov'ts and businesses worldwide to store actual data. If the gov raided either of these guys, I would be very concerned...

35 jt  Fri, Dec 6, 2002 10:43:12pm

I get the feeling that some think it's SOP after an IT security breach to make a public statement detailing what systems were compromised and how it was done. "Need to know."

36 Eric  Sat, Dec 7, 2002 6:10:54am
I get the feeling that some think it's SOP after an IT security breach to make a public statement detailing what systems were compromised and how it was done.

If you do, you're not reading what's being said. Most of the people in this thread are saying that the denial came too quickly, as if the Powers That Be are just paying lip service to either us or the possibility that there could be a problem.

In fact, after re-reading the thread (quickly, I'll admit), I don't see ONE instance of anybody complaining that the Powers That Be didn't "detail what systems were compromised and how it was done." The only times code was mentioned, it was in a general way, not asking for specifics.

I think the posters are simply concerned that the PTB are being too quick with the denial.

37 Lynxx Pherrett  Sat, Dec 7, 2002 8:04:42am

The AP has apparently updated the story. Charles, the story you link now reads:

The company's software code was checked by the government to determine if outsiders could read or steal any sensitive data from the government, or embed the code with something destructive, officials said. Those checks began months ago, when the probe of Ptech started.

That matches Yahoo's current and Friday AP posts.

38 Charles  Sat, Dec 7, 2002 8:06:17am

Hmm. I just updated the entry with a link to a story that says "weeks," not months.


This entry has been archived.
Comments are closed.
