Report Says China Will Demand Source Code

An anonymous reader alerts us to a two-week-old story that hasn't gotten much traction in the press to date. A Japanese newspaper and the AP report that China plans to demand source code from hardware manufacturers, and ban the sale of products from companies that don't comply. China is calling this an "obligatory accreditation system for IT security products." The plan is to go into effect next May, according to sources. "Products expected to be subject to the system are those equipped with secret coding, such as [a] contactless smart card system developed by Sony Corp., digital copiers, and computer servers. The Chinese government said it needs the source code to prevent computer viruses taking advantage of software vulnerabilities and to shut out hackers. However, this explanation is unlikely to satisfy concerns that disclosed information might be handed from the Chinese government to Chinese companies. There also are fears that Chinese intelligence services could exploit such confidential information by making it easier to break codes used in... digital devices."

So they can counterfeit

[rugger]

Haha,

Yes, why would chinese business go to the effort of replicating the functionality of western devices when their government can just demand we give the source code to the devices.

Expect to see more Sorny goods if this goes ahead!

Re:So they can counterfeit

[edittard]

if you ask me, it's about time profligate western nations got a taste of what it's like at the other end of the stick.

Brought to you by the two-wrongs-make-a-right department.

One other thing. Extort doesn't normally take a person or people as its direct object.

Re:So they can counterfeit

[MrNaz]

Brought to you by the two-wrongs-make-a-right department.

That would be a meaningful response if the West was currently a good global citizen engaging in fair trade and not still engaging in military campaigns with the thinly veiled purpose of usurping economic resources. But as it stands, the west is still fighting in Iraq and Afghanistan for control of petroleum, De Beers is still financing wars in Africa to ensure the continuance of its diamond monopoly, South East Asian nations are still used as a source of cheap de facto slave labour, the IMF is still used as the G8's stick to ensure sovereignty of the third world governments is a purchasable commodity and companies like Bechtel are still pulling this sort of rubbish.

So, sorry, your moral high horse has no legs.

Re:So they can counterfeit

I client of mine had to completely stop selling a product. To be competitive he had to make his widgets (hight end sound elements) in China like everybody else. At several occasions during "surprise factory inspections" he found sub-par, out of spec end-products. At some point some items where even with his logo replaced by some unknown Asian brand. Suddenly all sales in Asia and part of Europe came to a near stop. Within months they just change product line altogether.

This is exactly why numerous parents around me are throwing away their 25-35 years old oven or washing machine, at the same time as their kid's 3 to 5 years old ones. Quality is dead for low price is king. The landfills have plenty of space anyway.

Their is a difference between a product that is already made in China anyway, and a product that is being re-produced to be sold as unfair competition. Even the most hard core capitalist system has some laws to let the hard working people get some reasonable amount of revenue from their work. (Let's not argue on how he system is sliding away in this topic). In China corruption is the norm. Just like in the Old West, but with modern equipment and factories.

I do not think China can give any lesson on "with as much regard for ethics as our own companies", when all level of business, government and legal (if any), are in it to get the profits in total disregard of security, justice or basic decency without any possibility of consequences. We should be very careful with them.

We should all forget the USA as the unfair capitalist system. China is the most savage capitalists of all. They where already grabbing everything they could on foreign markets and use it in total diseregard of any international aw or agreement. Now they want you to give it to them on a platter.

Re:So they can counterfeit

[geekmux]

You guys are missing the point: Demanding that the source code be made available for your products is a reasonable thing to do. Just like demanding that the ingredients of your foodstuffs be made available is a reasonable thing to do. It has to do with safety and trust.

The ONLY real reason a company maintains ANY closed source is profitability. Everyone would run open source otherwise, because it costs way too damn much money to maintain close source, from physical protection to legal costs.

I sure as hell don't see people boycotting Coca Cola products because they haven't revealed their secret formula to EVERYONE.

That being said, one CANNOT overlook WHO is asking for the closed source, and determining the REAL reason WHY they need it. Somehow the words "safety" and "trust" do NOT come to mind.

Re:So they can counterfeit

[hedwards]

Except that isn't actually true. The main reason why China has spent so much money in the US is so that they can continue to exploit their workers. They keep the wages artificially low with currency value manipulation and refusing to pay their workers accordingly. Which allows their government to continue to exert a larger than appropriate degree of control on the people.

Ultimately that hurts the US as well since our workers can't work for that low of a wage.

Simple solution

[DeltaQH]

Just use open source. ;-)

Re:Simple solution

[EdIII]

I'm thinking along the same lines in a security context. I have never supported Security Through Obscurity.

If your security depends on your code being hidden, then I don't find it as valuable as a method that is open to scrutiny. Open Source Vs. Closed Source is a heated debate as always, but Open Source has a serious advantage when it comes to security. Trust. If the public at large can scrutinize the code, it is harder to say that anything nefarious is going on. With Closed Source, you HAVE to trust the company.

Sony?

Be fucking serious. The people that brought you a widespread implementation of a root kit to further their own agenda? I am going to have a hard time trusting ANY of their security products.

I don't know why China may want to do this, but there are good arguments to support their position.

Re:Simple solution

[maharg]

1) provide source code for product x to Beijing
2) get product x accredited
3) add nefarious functions to source code, re-compile, surreptitiously update product
4) ???
5) profit!

Makes you wonder

My guess is that this is to check the hardware for backdoors. Probably figures that they have put out so many backdoors in products like Cisco, Dell, Acer, HP, Apple, etc and now wants to check to make sure that nobody is doing the same to them.

yeah, right

[speedtux]

that disclosed information might be handed from the Chinese government to Chinese companies

It might. And then they have a massive re-engineering problem on their hands. It would usually be easier for them to reimplement the functionality than try to start with undocumented, unsupported source code.

Doing security audits on software is a legitimate request by a governmental agency. Of course, they should just request that vendors provide open source software.

Re:yeah, right

[unlametheweak]

It would usually be easier for them to reimplement the functionality than try to start with undocumented, unsupported source code.

I'm sure they would demand that the source code be fully commented and documented. I'm sure they would also insist on having the engineers explain anything that may be obtuse. If they can't understand the source code to begin with then it would be no use to them in the first place.

Re:yeah, right

[amirulbahr]

I'm sure DoD has access to for e.g. Windows source code that they may run on their servers.

Actually, I wouldn't have a clue but maybe some here knows if this is the case.

The big question.

[upuv]

Do companies think that the market in China is big enough to justify giving them the source code?

It doesn't really matter what foreign governments think of this. The can scream all they want. If a company thinks the Chinese market is big enough and they want a piece of it. Then they will cough up the code.

Privacy, security and IP rites are second tier considerations when it comes to product sales.

So again. Do companies think that the market in China is big enough to justify giving them the source code?

Re:The big question.

[Alistair+Hutton]

Do companies think that the market in China is big enough to justify giving them the source code?

If they give away the crown jewels they might be surprised how swiftly China starts supplying itself.

Re:The big question.

[IamTheRealMike]

If you build your hardware in a country notorious for having shadow shifts at factories, and then give away your source code as well, what makes you think there'd be any market left for your products?

Don't like it?

Don't do business with them if you don't like it. The Chinese concerns are valid, the hyperbole response is lame.

Give 'em different code if you need to.

If someone thinks China is a big enough market, the Chinese-market goods can simply ship with their own damn set of code, API's, and even unique board revision if a company worries about it that much.

I hope there's zero compliance

China is out of control. How can anyone compete if they have cheaper labor and can demand everyone hand over technologies. They can pirate the hardware but reverse engineering the rest is harder. What's next them demanding chip manufacturers hand over chip templates to "make sure they meet China's standards".

Re:I hope there's zero compliance

Don't like the market economy much now, huh?

Haha bitch!

Re:I hope there's zero compliance

[RAMMS+EIN]

``China is out of control. How can anyone compete if they have cheaper labor and can demand everyone hand over technologies.''

Well, for starters, they can "demand that everyone hand over technologies", too. That's a choice you can make. There is nothing preventing you from competing with China there. If the choice you make causes you to lose, it's not because something is preventing you from competing with China - it's because you competed, but China won.

That leaves the cheaper labor. And, frankly, if China has cheaper labor, that's an advantage they have. So if they win, based on that, it's not because something is preventing you from competing - it's because you competed with China and China won.

So, really, your "How can anyone compete?" is a bit misplaced.

Perhaps a more interesting question would be how to get desireable results, given what China is doing, but that would require you to, first of all, define what results are desireable.

Re:I hope there's zero compliance

[Apple+Acolyte]

Seriously? I think every other government implicitly trusts that the technology the rest of the world uses is good enough to get the job done. Spy agencies should have higher standards, but I somehow doubt Intel M$ clear each one of their designs with the NSA every release. If you can point me to a statute from another government that demands what China is supposedly demanding, I'll concede the point.

Biased view of the world have we?

[mrboyd]

• When RMS wants the printer driver source code it's freedom protection.
• When the chinese government wants his printer driver source code their trying to embezzle the gentle and caring westerners...

I thought source should be free?

I know American are scared, losing world leader status, economy going down the drain, hockey mom for vp and everything but seriously it's a great move on the Chinese government that you should be applauding. You should be hoping it will be replicated by ALL other governments and that distributing the source becomes an habit for HW manufacturer.
China has its issue (police state, freedom of the press...), but they seem sometime to have the balls to go where no other lobbyist sponsored government in the "free world" would go and when it's a good move at least have the intellectual honesty to recognize it.

Re:Biased view of the world have we?

[justinlee37]

You've committed the common fallacy of supposing that there is some kind of "average" slashdot user, who represents every user, and believes every opinion that has ever been expressed on this message board. Obviously that can't be the case. Anybody like that would have to contradict every one of their own opinions.

On the actual issue, it's not a "good move" because they are probably doing this to control the populace; if they know the source code for the hardware on all consumer electronics, there's no way that people could find some way to communicate with the outside world on "unmonitored" channels, probably on a proprietary hardware network separate from the standard internet.

Keeping that source code out of chinese hands is imperative in empowering the chinese people to determine their own destiny. This isn't a software patents issue.

You should make it "an habit" not to confuse the issues. And stop assuming everybody here is a cookie-cutter version of everyone else.

Re:Biased view of the world have we?

[jamesh]

* When RMS wants the printer driver source code it's freedom protection.
        * When the chinese government wants his printer driver source code their trying to embezzle the gentle and caring westerners...

I'm not sure you understand the concept of 'freedom' in the context of open source.

RMS wants source code to be released free for everyone.

The Chinese government (according to the extract provided in the slashdot summary...) wants to be able to inspect the source code for their own purposes (with the possibility implied by the article authors that they might then seek to gain from it).

The former is embracing freedom. The second is not.

I know it's fun to point out hypocrisy in American (or other Western) cultures, but make sure you have your facts straight first.

Re:Biased view of the world have we?

[MobileTatsu-NJG]

You've committed the common fallacy of supposing that there is some kind of "average" slashdot user, who represents every user, and believes every opinion that has ever been expressed on this message board. Obviously that can't be the case. Anybody like that would have to contradict every one of their own opinions. ... ... And stop assuming everybody here is a cookie-cutter version of everyone else.

I mainly agree with the spirit of your post, but I had to say something about this little blurb: There are topics on Slashdot where a majority of the people who post agree. This is also reflected in the moderator pool. It is rather common for these opinions to be enforced via mod-points. For example: If you were to travel back to the year 1999 and post on Slashdot that 'Microsoft kills babies', that post would rocket up to +5. If you were to then post that 'Linux could use a little improvement in this particular area...', that post would disappear into a sea of other -1 posts. The specific attitudes change over the years, but the underlying principle always remains. That's why sometimes you really have to walk on eggshells with certain opinions to avoid your posts disappearing into oblivion. People who happen to be on the majority's side of opinion could make a great speech and get cheered for it. Now, here's the funny bit. Everybody's post comes with its own little score. There are a fair number of active posters who posture themselves to raise that score, appealing to the majority view. These are the guys that come in and say things like "I just want a phone that's just a phone!!!". All these people get talkative on certain topics, whether it be praise or waving of pitchforks. And Slashdot, which is ad-supported btw, caters to these people with stories that are going to interest them.

Slashdot most definitely has a voice, some call it the GroupThink. Some people have taken offense to this, but really, the "but there's one guy that doesn't agree!" argument just doesn't apply. It's not an absolute term, it's just about majority. Generalizations always suck, right? Well, okay, but through the natural path of posting on Slashdot, you have to pick up these generalizations if you want to post your opinion without too much trouble. (I personally blame the moderation system for giving power to those with extreme opinions. I think it illustrates why vigilantism is illegal.)

In any event, Slashdot does have opinions. If you'd like to test that theory, wander into an iPhone thread and say it's the best phone ever. ;)

a cold day in hell first...

[apodyopsis]

I used to work in a CE firm that manufactured in China and sold across the world - reverse engineering was a particular problem and IP protection was the talk of the day.

And now they demand source code? Well I can assure you that it will *not* happen.

I hear Hungary and eastern Europe are offering particularly cheap factory sites - and this might persuade some firms to relocate.

Honestly you cannot make this stuff up. I suspect they will allow manufacturing in china of export goods with no access to source code (to protect their national growth and wealth), but only "approved" population control devices will be allowed to be sold inside China (to spy on their own citizens) - it's control freakery gone mad. This would allow them the best of both worlds, after all its no secret that China has various special economic zones (and they are huge) to allow export factorys to undercut everywhere else in the world - so they just make export rules different.

We really are a joke to them, I remember the hilarious conversations we used to have about IP in Shenzhen with the local engineers, they have no concept of it at all. Its all fair game if they can work out how we did it. Of course, that never stopped them abusing our own system by buying as many patents as they could and hitting us over the head with them on one side, whilst copying everything we did on the other. And now they will try and demand the source code as well? No matter what safeguards they pretend to employ corruption is a business tactic out there and the information will be just another market to exploit. I remember sitting at a conference table with out local contact (who we found out was also employed by the client) taking both sides of the argument as well as two pay checks, literally forwarding out confidential information to competitors because they paid him to do so. NDAs, contracts and so are meaningless.

Yes I am rather bitter and annoyed about it years later, and I accept that they are probably not all like that and things *might* of improved.

Re:Cut them off. Draw the line.

[IamTheRealMike]

What makes you think the source code will be publically available outside the government (and perhaps select "partners" who will help them "understand" the source code?)

Ummmm

[Sycraft-fu]

If you live in a world where you believe everyone has the same motives, well then I hope when you get burned by that view it is in a way that doesn't hurt you too much. People are perfectly justified in calling in to question the motives of various entities. For example if your family doctor tells you to remove your clothes because he needs to perform a complete medical check, I think it is reasonable to trust him. His motives are most likely pure. However if a random guy in an alley with unkempt hair and a crazy expression asks you to do the same thing, I'd say you should probably question his motives, lest you end up getting hurt.

You are also mistaken that various governments haven't seen the source to commercial products. Microsoft, would be an example. The Windows source code isn't secret. It isn't public, but it isn't secret. Many organizations, including universities, have it.

The reason people find China's proposition scary is because of their track record. For example if you search around on the web you'll find that counterfeit Cisco gear form China is fairly common (often called 'Chisco'). It looks similar to real Cisco gear, but it of inferior production quality, and is of course unsupported. China has a very poor track record with regards to ownership laws and thus it is reasonable to call their motives in to question.

There's also a big difference between believing in open source, and believing in ripping people off. Let's not pretend that it doesn't take a lot of work to write good code. If you want people to be able to do that work as a job, they need to get paid. However if what you support is for company A to spend lots of money writing it, and then company B to just rip it off and give nothing back, well you'll find that doesn't work. Open source works only when everyone contributes. If you have a bunch of people/companies that spend a lot of time and money to make something, only to have it ripped off, well they can't afford to keep doing it.

So the problem isn't with a government wanting to see source code. I think you'll find that the US government verifies the code for anything used in critical systems. The problem is that the Chinese government does not have a good track record on this kind of thing. Thus I (and others) question their motives. I don't believe it is really about openness. I do not question RMS's motives. I believe he really just wanted openness.

Re:Cut them off. Draw the line.

[meist3r]

They are doing by legal fiat what the open source community has failed to do through voluntary cooperation, namely, boycotting products that don't provide their source code. Ironically, this autocratic move could be a boon to open source.

Wha wha whaat? The open source community says:
"Hey we're writing tools, everyone should be able to participate so we release the code for free"

Companies say: "We build specialized applications and machines that would ruin us if everybody knew how we do it, under no circumstances will we give away the implementation of X that we've spent millions of R&D on."

So you say the second one will be happy to give it's source code to the Chinese? You must be bleeding from both eyes right now.
The reason why China does this is clear: Cheap technology, you cut out the research and development costs and go straight to production. That's what they mainly do anyway, all the stuff we send there to have produced cheaply now backfires. You got the manpower and the facilities all you need is something to build. They did the same thing with the Maglev train from Germany. They send engineers to work with the ICE speed train team, the team went to China to do material research and quality checks etc. and once the Chinese had enough the contact was interrupted and a couple of months later they introduced their own Maglev train ... that looks almost exactly like the one from Germany, bases on the very same technology. That's your altruistic Open Source project right there.
*shakes head*

Re:Fuck China

[meist3r]

Bunch of idiots. Boycott chinese products and don't export anything to China.

Uhhhm, good luck shopping for clothes then. Or furniture, or kitchen appliances, or electronics.

Say no to security through obscurity

[doub_l_heli]

A hacker worth his salt should be able to exploit any kind of technology. All the rest of us demand is openness on the part of technology makers that are already protected by patents. Typically the path of least resistance is the easiest to exploit. China, as an outsider in to the rest of the world, is suspicious of the rest of the world so why shouldn't they demand transparency. As a positive side effect it benefits the rest of us and the FOSS movement.

China has been doing this for the past 20 years

The chinese government opens it's borders to foreign companies if they are willing to share the blueprints of key components of that industry. They have demanded construction blueprints, machinery schematics, manufacture process information and even end product components. They, meanwhile, have used that information to develop their tech grasp and have incorporated those designs on native industrial enterprises. That's the secret behind China's ultra-fast development and the main reason behind the plague of chinese knock-off products.

This is nothing different. It's simply another step in the ladder. They developed (stole is more appropriate word) enough to have gained the capability to produce advanced electronic components like processors and now they are refining that knowledge and taking the next step. Get ready for a capable dragon chip.

It is only a matter of time (probably not even 5 years) before China becomes not only self-sufficient but also competing for the lead in the world's high tech industry, all thanks to capitalism and the good folks who brought you the globalization and outsourcing experience. Were all those cheap goods worth the loss of western values like democracy and freedom of expression?

Re:The Chinese are VERY dishonest.

[ozphx]

Wow, just like the west is very serious in cracking down on copyright infringement. An outsider would see the US govt's complete lack of dealing with mass scale copyright infringement as collusion. Leaving it to the copyright holders when theres such widespread infringement? I would say they aren't even pretending to be interested.

I'm in China right now. The majority of the "fakes" are misapplied trademarks. They work nothing like the real item, and often look nothing like a real item from the Brand.

You'd have to be a complete moron to be suckered in.

The other end of the scale is when the factory owner lets the Gruntmaster production line run for an extra hour or so and slaps "Oinkmaster" on the side. I've picked up a few "grey-market" items this way - identical to the branded product.

Sudden outbreak of common sense !

[Yvanhoe]

Now that's finally someone who gets it. Apparently, Chinese want to take security seriously and finally say out loud that having black boxes managing your network is not the way it should be done.

Re:Fuck China

[meist3r]

Firms will move to supply the increased demand for those things once the source is cut off. We have unemployment issues over here anyway.

Help me real quick, how can you keep building a TV that is sold for 600 bucks including margin when your employees cost dozens of times more than what you are currently paying? Don't you think that before someone says "Great I'll just sell my stuff for ten times the price, people will know it's the right thing" someone else simply co-operates with the Chinese or other country to get cheap-labor done? This has no impact whatsoever on your local employment market. Well, unless you live in India, Pakistan or the Ukraine.

It's not like we don't know how to make that stuff. We just built the factories elsewhere.

Uhm yeah? Because the companies didn't want to pay for all that health insurance stuff. In my country, companies threaten the government to move production out of the country and the laws are made accordingly. Tax cuts on revenue tax and corporate taxes are forced on us that way. It's not like we don't know how to make that stuff ... it's just too fucking expensive to make the kind of profits that we're used to and have promised to the investors.

Re:Cut them off. Draw the line.

[Peaker]

Sounds like the world is richer by a few trains then...

Why is that so bad?

Like my grandfather, Hung Dong Wang, told me

He said, boy, never trust anything without the source. I think he was ahead of his time. He was chinese, before the communism came, in the long, long time before.

Re:Fuck China

[cayenne8]

"e live in interdependency. Our systems have developed into hybridized solutions. China can't live without the money from the US, the US can't live without the range of affordable products from China."

You know...we did just that...just a few decades ago. There weren't that many imports in the 70's and even into the early 80's. Not like there is today.

We did it fine 20-30+ years ago with mostly US made products, we just need to move back to it. I for one would pay more $$ for completely US produced and made products. I think it would make for a great marketing campaign...especially with all the toxic products coming out of China (toys, milk...etc).

Moron, or just being stupid?

[lpq]

geekmux said: "I sure as hell don't see people boycotting Coca Cola products because they haven't revealed their secret formula to EVERYONE"..

I haven't seen one instance of someone cracking Coke's secret formula and using it to break into a system -- nor have I once seen a buffer overflow or backdoor or just stupid program error in Coke's formula cause billion dollar threats to the internet.

It's real different -- code that goes into computers doesn't go through testing like food or drug products -- as corrupt as drug testing is, it's orders of magnitude more testing than every line of code in a product goes through before being released in a closed source product.

If food and drugs were sold like code, they'd cause fatal lingering diseases that required you to buy a lifetime supply of "patch" drugs from the manufacturer...