Slashdot Mirror
Report Says China Will Demand Source Code
An anonymous reader alerts us to a two-week-old story that hasn't gotten much traction in the press to date. A Japanese newspaper and the AP report that China plans to demand source code from hardware manufacturers, and ban the sale of products from companies that don't comply. China is calling this an "obligatory accreditation system for IT security products." The plan is to go into effect next May, according to sources. "Products expected to be subject to the system are those equipped with secret coding, such as [a] contactless smart card system developed by Sony Corp., digital copiers, and computer servers. The Chinese government said it needs the source code to prevent computer viruses taking advantage of software vulnerabilities and to shut out hackers. However, this explanation is unlikely to satisfy concerns that disclosed information might be handed from the Chinese government to Chinese companies. There also are fears that Chinese intelligence services could exploit such confidential information by making it easier to break codes used in... digital devices."
Haha,
Yes, why would chinese business go to the effort of replicating the functionality of western devices when their government can just demand we give the source code to the devices.
Expect to see more Sorny goods if this goes ahead!
Just use open source. ;-)
My guess is that this is to check the hardware for backdoors. Probably figures that they have put out so many backdoors in products like Cisco, Dell, Acer, HP, Apple, etc and now wants to check to make sure that nobody is doing the same to them.
that disclosed information might be handed from the Chinese government to Chinese companies
It might. And then they have a massive re-engineering problem on their hands. It would usually be easier for them to reimplement the functionality than try to start with undocumented, unsupported source code.
Doing security audits on software is a legitimate request by a governmental agency. Of course, they should just request that vendors provide open source software.
Do companies think that the market in China is big enough to justify giving them the source code?
It doesn't really matter what foreign governments think of this. The can scream all they want. If a company thinks the Chinese market is big enough and they want a piece of it. Then they will cough up the code.
Privacy, security and IP rites are second tier considerations when it comes to product sales.
So again. Do companies think that the market in China is big enough to justify giving them the source code?
Don't do business with them if you don't like it. The Chinese concerns are valid, the hyperbole response is lame.
China is out of control. How can anyone compete if they have cheaper labor and can demand everyone hand over technologies. They can pirate the hardware but reverse engineering the rest is harder. What's next them demanding chip manufacturers hand over chip templates to "make sure they meet China's standards".
I thought source should be free?
I know American are scared, losing world leader status, economy going down the drain, hockey mom for vp and everything but seriously it's a great move on the Chinese government that you should be applauding. You should be hoping it will be replicated by ALL other governments and that distributing the source becomes an habit for HW manufacturer.
China has its issue (police state, freedom of the press...), but they seem sometime to have the balls to go where no other lobbyist sponsored government in the "free world" would go and when it's a good move at least have the intellectual honesty to recognize it.
It's the Prisoner's Dilemma. Unless you want to make it illegal to give source code to the Chinese, there will be some companies who will comply because it is better for their bottom line to do so.
They are doing by legal fiat what the open source community has failed to do through voluntary cooperation, namely, boycotting products that don't provide their source code. Ironically, this autocratic move could be a boon to open source.
Don't worry about the voting software, the Chinese government will check the results for you and they'll tell you who has won.
I fear an official must have been misunderstood.
This would mean that China is asking any supplier to lay down their IP to sell in China with the following risks:
- claims of other nations that the supplier supports Chinese intelligence in bypassing their product (read: NOBODY will buy)
- duplication of the product (China stealing the IP and making its own, which is something it has been repeatedly accussed of in the past)). It's hard enough to bring out anything these days without some US patent troll trying to get a slice of your life's work so avoiding China would thus appear to be a good move.
- leaking any real or alleged deficiency to the rest of the world (espionage and politics is a seriously filthy mix together).
I think this generations of badmouthing China coming home to roost in combination with the shenanigans of the Bush administration which has evaporated the last smidgen of trust in them doing anything NOT self serving. Whereas the main flaw of the previous administration was an overfondness of interns, they did have good international relationships and thus trade, a degree of trust and a budget surplus. Whoever votes to keep the current clowns in place will be ignoring the fact they they CAUSED the problems, making the US a virtual pariah that nobody trusts, turning a surplus that would have helped everyone when deployed into a ginormous black hole that will take decades to recover from.
I can fully understand China not trusting anything coming from the US because it wouldn't be the first time the US administration sells something with a backdoor. (look for the story about Swiss Crypto AG if you want an earlier example)
The most immediate result of this policy would be that only second rate products would be offered to the Chinese, offers by people that feel so little confident about their product that they will happily give away the crown jewels to get a few bucks. There are better ways.
I suspect someone hasn't been quoted right. I'm sure they meant to say they would require full audits of any company supplying security gear, and that company should be in a trusted nation (if such a beast exists, but that's my theory).
They could combine that with what a large quantity of Arab banks have done over the last few months: eject everything US sourced. I've heard of banks even throwing out Messagelabs because it's American (no kidding). No idea if that led to an upsurge in Linux desktops, though..
The thinking behind the demand is good. Implementation, however, could be better.
Insert
I used to work in a CE firm that manufactured in China and sold across the world - reverse engineering was a particular problem and IP protection was the talk of the day.
And now they demand source code? Well I can assure you that it will *not* happen.
I hear Hungary and eastern Europe are offering particularly cheap factory sites - and this might persuade some firms to relocate.
Honestly you cannot make this stuff up. I suspect they will allow manufacturing in china of export goods with no access to source code (to protect their national growth and wealth), but only "approved" population control devices will be allowed to be sold inside China (to spy on their own citizens) - it's control freakery gone mad. This would allow them the best of both worlds, after all its no secret that China has various special economic zones (and they are huge) to allow export factorys to undercut everywhere else in the world - so they just make export rules different.
We really are a joke to them, I remember the hilarious conversations we used to have about IP in Shenzhen with the local engineers, they have no concept of it at all. Its all fair game if they can work out how we did it. Of course, that never stopped them abusing our own system by buying as many patents as they could and hitting us over the head with them on one side, whilst copying everything we did on the other. And now they will try and demand the source code as well? No matter what safeguards they pretend to employ corruption is a business tactic out there and the information will be just another market to exploit. I remember sitting at a conference table with out local contact (who we found out was also employed by the client) taking both sides of the argument as well as two pay checks, literally forwarding out confidential information to competitors because they paid him to do so. NDAs, contracts and so are meaningless.
Yes I am rather bitter and annoyed about it years later, and I accept that they are probably not all like that and things *might* of improved.
What makes you think the source code will be publically available outside the government (and perhaps select "partners" who will help them "understand" the source code?)
If you live in a world where you believe everyone has the same motives, well then I hope when you get burned by that view it is in a way that doesn't hurt you too much. People are perfectly justified in calling in to question the motives of various entities. For example if your family doctor tells you to remove your clothes because he needs to perform a complete medical check, I think it is reasonable to trust him. His motives are most likely pure. However if a random guy in an alley with unkempt hair and a crazy expression asks you to do the same thing, I'd say you should probably question his motives, lest you end up getting hurt.
You are also mistaken that various governments haven't seen the source to commercial products. Microsoft, would be an example. The Windows source code isn't secret. It isn't public, but it isn't secret. Many organizations, including universities, have it.
The reason people find China's proposition scary is because of their track record. For example if you search around on the web you'll find that counterfeit Cisco gear form China is fairly common (often called 'Chisco'). It looks similar to real Cisco gear, but it of inferior production quality, and is of course unsupported. China has a very poor track record with regards to ownership laws and thus it is reasonable to call their motives in to question.
There's also a big difference between believing in open source, and believing in ripping people off. Let's not pretend that it doesn't take a lot of work to write good code. If you want people to be able to do that work as a job, they need to get paid. However if what you support is for company A to spend lots of money writing it, and then company B to just rip it off and give nothing back, well you'll find that doesn't work. Open source works only when everyone contributes. If you have a bunch of people/companies that spend a lot of time and money to make something, only to have it ripped off, well they can't afford to keep doing it.
So the problem isn't with a government wanting to see source code. I think you'll find that the US government verifies the code for anything used in critical systems. The problem is that the Chinese government does not have a good track record on this kind of thing. Thus I (and others) question their motives. I don't believe it is really about openness. I do not question RMS's motives. I believe he really just wanted openness.
The Chinese government is well within it's rights to make decisions regarding what goes on within it's borders. Infact, the whole purpose of a government is to put the interest of it's own country first above the interest of any foreign power.
In this case, seeing the source code of electronic devices being sold in China is very much in their interest, why should the chinese government trust foreign corporations to supply black box equipment when they have no idea how it works? There are many people who boycott products, at least in certain areas, where they don't have source code... I wouldn't run an internet facing server on anything for which i didn't have the source for many reasons.
If you don't like it, noone is forcing you to sell or manufacture your products in china. If you don't like their rules, go somewhere else... If you want to take advantage of the large customer base in china, as well as the cheap labour costs then you have to play by chinese rules.
Ofcourse, this policy is also beneficial for those companies who already release their source code, since they're already compliant.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
They are doing by legal fiat what the open source community has failed to do through voluntary cooperation, namely, boycotting products that don't provide their source code. Ironically, this autocratic move could be a boon to open source.
Wha wha whaat? The open source community says:
... that looks almost exactly like the one from Germany, bases on the very same technology. That's your altruistic Open Source project right there.
"Hey we're writing tools, everyone should be able to participate so we release the code for free"
Companies say: "We build specialized applications and machines that would ruin us if everybody knew how we do it, under no circumstances will we give away the implementation of X that we've spent millions of R&D on."
So you say the second one will be happy to give it's source code to the Chinese? You must be bleeding from both eyes right now.
The reason why China does this is clear: Cheap technology, you cut out the research and development costs and go straight to production. That's what they mainly do anyway, all the stuff we send there to have produced cheaply now backfires. You got the manpower and the facilities all you need is something to build. They did the same thing with the Maglev train from Germany. They send engineers to work with the ICE speed train team, the team went to China to do material research and quality checks etc. and once the Chinese had enough the contact was interrupted and a couple of months later they introduced their own Maglev train
*shakes head*
"Expect to see more Sorny goods if this goes ahead!"
Maybe not. Maybe: "Expect to see a lot of counterfeit products labeled Sony, in the same kind of packaging Sony uses."
Ever since the days of the DOS operating system, when it was only the Taiwanese who supplied computer parts, the Chinese have been extremely dishonest. They would deliver computer parts until a distributor got established. They would get paid when a load was delivered to a ship in Taiwan. But, the would eventually deliver a huge load of junk, stuff that had failed testing but had been saved for that purpose. That would put the U.S. distributor out of business.
At the same time, there would be a Chinese distributor in town that just began doing business, selling the same items.
Now that everyone has paid to build factories and complicated procedures in China, they are very vulnerable to Chinese control.
Here are a few stories, chosen from thousands. The Chinese governments, in Taiwan and mainland China, have always pretended to be interested in stopping counterfeiting:
FBI and Chinese seize $500 million of counterfeit software.
Dangerous Fakes: How counterfeit, defective computer components from China are getting into U.S. warplanes and ships.
YouTube videos about Chinese counterfeiting
The World's Greatest Fakes: Chinese Copies Are Making Their Way Back To U.S.
Heparin Find May Point to Chinese Counterfeiting
Chinese Product Counterfeiting Causes US Job Layoffs
A hacker worth his salt should be able to exploit any kind of technology. All the rest of us demand is openness on the part of technology makers that are already protected by patents. Typically the path of least resistance is the easiest to exploit. China, as an outsider in to the rest of the world, is suspicious of the rest of the world so why shouldn't they demand transparency. As a positive side effect it benefits the rest of us and the FOSS movement.
That's a perfectly sensible thing for them to do. How else would they check it has sufficient toxic additives?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
You know...we did just that...just a few decades ago. There weren't that many imports in the 70's and even into the early 80's. Not like there is today.
We did it fine 20-30+ years ago with mostly US made products, we just need to move back to it. I for one would pay more $$ for completely US produced and made products. I think it would make for a great marketing campaign...especially with all the toxic products coming out of China (toys, milk...etc).
Light travels faster than sound. This is why some people appear bright until you hear them speak.........