India, China Try Import Regulations As Security Tools

An anonymous reader writes "The Register reports that the Chinese government is forcing vendors to cough up the source code to their encryption alogrithms before they can sell their equipment to the Chinese government. The EU doesn't seem to like it, but if I were in their position I'd want the same thing." China's biggest neighbor goes further; another anonymous reader writes "Telco equipment from China could have spyware that gives access to telcom networks in India. The Indian government has officially told mobile operators not to import any equipment manufactured by Chinese vendors, including Huawei and ZTE. The ban order follows concerns raised by the Home Ministry that telecom equipment from some countries could have spyware or malware that gives intelligence agencies across the border access to telecom networks in India. The biggest gainers from the move could be Ericsson, Nokia, and Siemens, which have been losing market share to aggressive Chinese equipment-makers in India."

The only encryption algorithms worth a damn

[al0ha]

are the ones that are open to peer review. So Kudos to the Chinese for being smart enough to make these idiot companies with closed-source encryption technologies provide them with the source code for review. Good encryption does not rely on obfuscation of code and processes!

Re:The only encryption algorithms worth a damn

I don't think that's why they want to view the source code...

Re:The only encryption algorithms worth a damn

Regardless of whether that's why they want to view it or not, the net effect is that only robust algorithms will be exported to China. Everybody can get the code to GPG, but that doesn't make the keys invalid.

Re:The only encryption algorithms worth a damn

[Monkeedude1212]

Hey, MD5 was perfectly fine until your type started investigating it.

See, we've had Quantum Encryption for a while now!

Re:The only encryption algorithms worth a damn

[commodore64_love]

If only the State governments were that smart. Who the hell knows what's inside the Diebold voting machines? When working with the Defense Department we're expected to provide all the code for review.

Re:The only encryption algorithms worth a damn

[betterunixthanunix]

What is your theory then?

Re:The only encryption algorithms worth a damn

[elrous0]

Who the hell knows what's inside the Diebold voting machines?

Karl Rove.

Re:The only encryption algorithms worth a damn

or, NO algorithms.

Re:The only encryption algorithms worth a damn

[c0d3g33k]

He must cramp up after awhile and need to change position. Surely someone could hear him shifting around inside after that.

Re:The only encryption algorithms worth a damn

[elrous0]

He can go without moving or needed sustenance for months at a time. But when they pull him out, he can eat almost an entire herd of baby seals to restore his winter coat.

Re:The only encryption algorithms worth a damn

[Mike+McTernan]

smart enough to make these idiot companies with closed-source encryption

It's often overlooked that GSM development started in 1982. At that time computing power was a fraction of what it is now and DSPs, rather than dedicated logic used in today's chipsets, would be used for the first implementations of this new technology. Mobile phones are also very power sensitive devices - battery life is very important.

So given these pressures, some corners had to be cut to make the system workable on the available technology. This lead to the A5 algorithms being both proprietary and somewhat lightweight given the limited computing resources in a mobile phone. Due to the huge success of GSM and the number of handsets out there, it rapidly becomes very difficult to change the standard in such a fundamental manner. 3G is one attempt to upgrade the GSM standards and brings in new ciphers based upon an existing published standard, but even that has taken a long time to get traction and GSM is still very widely available.

So to say these companies are idiots is somewhat ignorant of the historical practicalities required to make GSM a success.

Re:The only encryption algorithms worth a damn

[rtfa-troll]

The effect of giving the Windows source code to China seems to have been that people in China used it to break into Google and tens of other major corporations. Why should this be any different? There are expert groups in China who will find vulnerabilities in the systems and then, instead of having to have trojanised equipment from their own vendors, they will be able to attack the other vendor's equipment just as well.

What's really funny is that India is stopping buying Chinese made teleco equipment whilst other countries like the US; also great friends of China (when will you stop blocking their discipline against the rebel province of Taiwan???) still continue to buy Chinese.

Re:The only encryption algorithms worth a damn

Who the hell knows what's inside the Diebold voting machines?

I think you mean Premier Election Systems - Diebold split its voting machines division off a while back.

As for who knows what's inside them: independent, EAC-accredited Voting Systems Test Laboratories (VSTLs) like InfoGard, Wyle and iBeta go through all the source code, all the hardware, and do extensive testing before a voting system can be certified.

Of course, this has only been the case in the last few years.

Re:The only encryption algorithms worth a damn

Isn't it obvious? Reverse engineering for exploits. Then, anywhere this product runs in the world, it's theirs.

Re:The only encryption algorithms worth a damn

[Weirsbaski]

are the ones that are open to peer review. So Kudos to the Chinese for being smart enough to make these idiot companies with closed-source encryption technologies provide them with the source code for review. Good encryption does not rely on obfuscation of code and processes!

I'm not disputing your premise, but adding a rider- sending your source code to somebody who has no intention of telling you about the holes they found (and might be planning to abuse them instead) won't help you or your other customers one bit.

Re:The only encryption algorithms worth a damn

[_merlin]

What's really funny is that India is stopping buying Chinese made teleco equipment whilst other countries like the US; also great friends of China (when will you stop blocking their discipline against the rebel province of Taiwan???) still continue to buy Chinese.

No, it's actually quote logical. You see, for Western countries, China is a nominally communist "bad guy" that conveniently serves as an example of what the opposite of their idea of "freedom" would be. In practice, they're too distant for this to cause any change in behaviour, and buying their cheap products seems to keep the plebs happy. OTOH, India and China are highly populous nuclear armed mega-countries that share a disputed land border (see Arunachal Pradesh) - that warrants a degree of caution when dealing with each other.

Re:The only encryption algorithms worth a damn

[betterunixthanunix]

Which is nothing more than peer review for a security system -- they are performing a security evaluation by looking for exploits.

Re:The only encryption algorithms worth a damn

[CajunArson]

Ahh... So Karl Rove works for Obama, and Pelosi, and Reid... check.

Re:The only encryption algorithms worth a damn

[Bert64]

However the Chinese also have the source code to Linux, BSD, Solaris etc but they still targeted windows.

Re:The only encryption algorithms worth a damn

[daem0n1x]

The effect of giving the Windows source code to China seems to have been that people in China used it to break into Google and tens of other major corporations.

What does one thing have to do with the other? What have you been smoking?

Why should this be any different? There are expert groups in China who will find vulnerabilities in the systems and then, instead of having to have trojanised equipment from their own vendors, they will be able to attack the other vendor's equipment just as well.

Great, so let's make all encryption algorithms secret. Security through obscurity has worked sooooo well in the past...

What's really funny is that India is stopping buying Chinese made teleco equipment whilst other countries like the US; also great friends of China (when will you stop blocking their discipline against the rebel province of Taiwan???) still continue to buy Chinese.

Can India afford that, or are they just bluffing? And why do you think it's your job to "block" a sovereign country on an internal issue? Would you like the Chinese to "block" you if California wanted to become independent? Mind your own fucking business!

The fact that you were modded 5+ Insigthful for this crazy post makes me think you're not the only one smoking weird stuff.

Re:The only encryption algorithms worth a damn

[elrous0]

No, not after 2005.

Re:The only encryption algorithms worth a damn

[RockDoctor]

Regardless of whether that's why they want to view it or not, the net effect is that only robust algorithms will be exported to China.

Oh dear, the second logical fallacy of the day. That I've noticed.

The article (not that I've read it) does not imply this ; the most that the article implies is that the only firmware algorithms that will be accepted by China will be those that it's code reviewer(s) think are robust. And there is no guarantee that the reviewers will be competent for this task (this is not to impugn Chinese coders generally ; more an acceptance that the person appointed by a PHB may know nothing appropriate about the task s/he's assigned to ; the code reviewer might be a world-class celestial mechanics coder, but that ain't going to help him spotting a backdoor spread over 5 interacting code modules, planted by a spook with 20 years of canny source code obfustication behind him.
(I do actually think that this is a clue-full action by the Chinese. But a clue-full start can still be hopelessly compromised by cack-handed execution. )

Re:The only encryption algorithms worth a damn

this is not to impugn Chinese coders generally

Why not? They make Indiots look good by comparison.

Re:The only encryption algorithms worth a damn

The only official border dispute between India and China should be Kashmir. Arunachal Pradesh dispute is just a way for China to bully its neighbors and increase its influence in the region.

Re:The only encryption algorithms worth a damn

[rtfa-troll]

What does one thing have to do with the other? What have you been smoking?

The break in to google was based on a windows / IE vulnerability which was otherwise unknown. Looking through articles about it it's pretty clear it ends up as "state actors" from China. In other words, exactly they people MS gave source code access to.

Great, so let's make all encryption algorithms secret. Security through obscurity has worked sooooo well in the past...

Or how about using one of the standard open source well studied implementations? What's wrong is the idea of giving the source code to China and leaving all other users in the dark.

Can India afford that, or are they just bluffing?

The can't afford not to. China and India are in a state of more or less cold war. Whilst I think that India has probably been more aggressive than China, the lack of trust means that when there's the next crisis, the measures they need to take to secure their telecomms infrastructure will be much more expensive than getting it right in the first place

And why do you think it's your job to "block" a sovereign country on an internal issue? Would you like the Chinese to "block" you if California wanted to become independent? Mind your own fucking business!

a) I'm not American, and, for the record, I think the US attitude to China and the Chinese is totally fucked up (be rude to them, threaten them, insult them whilst at the same time getting all your goods from them and doing nothing for ethics of your companies in China).

b) the people of California have the same right to self determination as the Taiwanese and I would strongly encourage them to become independent. In the case where they had a clear mass majority will to do so I would definitely support them as reasonable. Unfortunately, unlike the Taiwanese, they don't want to be independent, so their own wish leaves them trapped in the USA.

c) This is nowhere near an internal issue. Taiwan has been independent of the PRC for years. It was part of the UN independently. There is very little common link between it and modern day China. It has every right to it's own sovereignty.

The fact that you were modded 5+ Insigthful for this crazy post makes me think you're not the only one smoking weird stuff.

China is a wierd place right now. Trying to achieve the highest quality in manufacturing and killing Chinese children (mainly) with bad baby milk. Fighting against corruption, but not understanding that the stuff that happened to Google causes even more harm (which could be mitigated with an open, clear, good investigation and punishment of whoever did it, even if they are in the securit forces). As long as that's true, you can hardly expect the outsider's view to be solidly and clearly positive. China needs to get serious democracy and human rights. If that happened, it could be a real world leader the rest of us could follow.

Re:The only encryption algorithms worth a damn

The effect of giving the Windows source code to China seems to have been that people in China used it to break into Google and tens of other major corporations.

You don't know this. Plenty of hackers find vulnerabilities in Windows without the source code. Maybe it helped them, maybe they found it a different way. Security through obscurity is is the weakest form of security and there are plenty of closed supposedly secure products that have been hacked and found out that their security isn't worth a damn. China is right to demand the source code for these products, if them seeing the source code is a concern, well the product probably should be based on open-source encryption algorithms anyway, so the Chinese wouldn't be learning anything new.

I would want this too

If I am buying encryption software I too would like assurance that it is not filled with back doors.

Re:I would want this too

[denis-The-menace]

You mean like PGP that will now be made by Symantec?

http://it.slashdot.org/article.pl?sid=10/04/29/1552249

Re:I would want this too

[Bert64]

Not just backdoors, i have seen implementations of encryption with serious weaknesses...

I saw a commercial encryption product which used an off the shelf 128-bit AES implementation (and their marketing literature made a big point of saying it used AES), but due to the way it derived a key from your entered passphrase there were only 2^21 possible keys making it trivially easy to brute force.

Another package i saw used OpenSSL to handle encryption, which seems sensible - use a known good set of algorithms... Only they initialized a pseudo-random generator with a static value...

Trust

[WrongSizeGlass]

This seems like a natural progression down the line of diminishing trust between countries. It's not very surprising, especially since the Chinese government *may* have been 'supportive' of some of the China/Google hacking. It appears the downside of possibly endorsing or supporting security breaches is other people/countries/etc will suspect you of it from that point on.

I can't blame the Chinese government for wanting to have the encryption information ... and I can't blame India for not trusting Chinese technology. Nobody wins when no one trusts each other.

Re:Trust

[FooAtWFU]

I'm just reminded of the old security-oriented definition of Trust: the person you trust is the person who can break your security. It's a perfectly healthy attitude to trust people (/businesses/nations) as little as possible when the security of your data is at risk. In arena of IT security, we need less "trust" and more "verify".

Re:Trust

[c0d3g33k]

This seems like a natural progression down the line of diminishing trust between countries. It's not very surprising, especially since the Chinese government *may* have been 'supportive' of some of the China/Google hacking. It appears the downside of possibly endorsing or supporting security breaches is other people/countries/etc will suspect you of it from that point on.

You might also consider that if they are spying on their own citizens via spyware installed by the manufacturer (at government insistence), they realize fully well that it can be done to them via software or equipment from sources not under their control. No need to invoke the Google hacking - that was just a sloppy fiasco. The government hacking "bay of pigs", if you will.

Re:Trust

Nobody wins when no one trusts each other.

It certainly helps maintain some diversity, which is otherwise all but killed off by globalization. Without diversity, there's no competition.

Re:Trust

[timeOday]

This seems like a natural progression down the line of diminishing trust between countries.

I could just as well see it as a progression reflecting increasing levels of economic interdependence. Granted, economic interdependence isn't quite the same thing as trust - it's more substantial; it's trust expressed through actions.

Re:Trust

[OhHellWithIt]

I can't blame the Chinese government for wanting to have the encryption information ... and I can't blame India for not trusting Chinese technology. Nobody wins when no one trusts each other.

What about the domestic producers of encryption equipment? Don't they stand to gain a little through sales to their government, whether it be India, China, or the U.S.A.?

For my part, I don't understand why any government trusts producers of other countries for their critically sensitive information. In the U.S., we know that our "friends", like Israel, engage in espionage, and I'm pretty sure we spy on them (although I have no evidence to back it up other than fuzzy recollections of news articles over the years). How do I know that a U.S.-produced item doesn't have a back door for NSA to use?

Re:Trust

[Arker]

Nobody wins when no one trusts each other.

Au contraire, when it comes to security, everyone wins when no one trusts each other.

The chinese move, at least, is long overdue. No one should ever trust a device whose source code is secret.

Re:Trust

How do I know that a U.S.-produced item doesn't have a back door for NSA to use?

Always assume that it does. If you are wrong, good. If you are right, you are prepared.

Re:Trust

[Bert64]

Domestic publishers could insert backdoors too... The government should be demanding source code for review in all cases, and verifying that the devices they get are actually running the source they've seen.

Copying

[mwvdlee]

If you're going to give your source code to the Chinese, you know for certain they will copy it and never buy a product from you again.

Re:Copying

[Jawn98685]

Yes, but you can then buy "Genyooine Cisko Router" for only $199 American dollar, so is good deal for everybody.

Re:Copying

[game+kid]

That one sucks. I prefer "Ginuwine Sisqó Router" because its Web interface has lots of thongs and double entendres.

Re:Copying

[Myji+Humoz]

How does giving the source code for an encryption algorithm equate with giving the sourcecode for the hardware?

For that matter, how the heck does giving someone the source code (controlling software, drivers, encryption, backup algorithms, etc) equate with giving them blueprints for your hardware?

Mindless Chinabashing at its best.

Re:Copying

[mwvdlee]

China has a very bad track record when it comes to copyright protection and the production of knock-off products. It is true that software is only part of a product, but there's no need to make it any easier for them.
Chinabashing it may be, but mindless it sadly is not.

Re:Copying

[grcumb]

That one sucks. I prefer "Ginuwine Sisqó Router" because its Web interface has lots of thongs and double entendres.

Bollocks. My Honour Brand Enlightened Crisco router also makes our fried chicken taste less greasy. It's true! I took the paper towel test!

The missus loves it.

Re:Copying

you can reverse engineer it at least partly. the rest with electron microscope. poster who said .cn will copy and not buy more was spot on!

What a novel concept

[srussia]

Security through security!

Ahhh, Globalization...

[frank_adrian314159]

... will your wonders never cease?

Anonymous Coward

Good move by India. Now, US and EU should ban chinese junk like Huawei, ZTE etc.

What's the point exactly?

[c0d3g33k]

Unless the source can be compiled from scratch and used in place of the pre-compiled versions, including flashing of firmware, creation of installable ROM images or OS installs, having source code guaranteed by analysis to be exploit-free gains the user nothing. There could still be spyware in the final product. Short of self-installing, I guess creation of bit-equivalent or checksum-equivalent binaries would be good enough as a verification mechanism.

Re:What's the point exactly?

[Arker]

Unless the source can be compiled from scratch and used in place of the pre-compiled versions, including flashing of firmware, creation of installable ROM images or OS installs, having source code guaranteed by analysis to be exploit-free gains the user nothing. There could still be spyware in the final product. Short of self-installing, I guess creation of bit-equivalent or checksum-equivalent binaries would be good enough as a verification mechanism.

It should be common sense that you have to verify that the source code you were given actually compiles to a bit-identical executable in order for the exercise to mean anything at all.

Re:What's the point exactly?

[c0d3g33k]

Yes, but that's not always the case, even with nominally "Open Source" software that ends up on proprietary closed devices. Tivo comes to mind, as does Android. I can't recall ever reading about building bit-identical executables as a way of verifying that what is running on the hardware is actually the same as the audited source code. Mostly I read the opposite - what actually runs is always different from what the 'open' source can produce, if for no other reason than signing them with a private key. That's enough to slip in some clever assembler routine that can be used as a backdoor, I'm guessing.

Re:What's the point exactly?

... signing them with a private key. That's enough to slip in some clever assembler routine that can be used as a backdoor, I'm guessing.

Nope. Signed files are designed so that you can extract the original data minus the signature and calculate a hash on it. Otherwise you could never check the signature.

And since you can extract the original data, you can compare it to your own build.

Signing does not provide a backdoor.

Sino-Indian War impact on decisions?

[Mindjiver]

I wonder how the fact that India and China went to war in 1962 impacts these decisions. They also still share a disputed border.

Would not surprise me if this influences how the Indian government feels about their telecoms using equipment from ZTE or Huawei.

Re:Sino-Indian War impact on decisions?

Well, I heard rumours that during that war Chinese exchanges were disabled remotely, so that sounds pretty wise. Hmm.

Timing of Indian ban - just in time for 3G auction

[sznupi]

Yes, India is, like, right now in the process of auctioning 3G licenses. This will really bring benefits to Ericsson and Nokia Siemens.

China good, India bad

[daoshi]

I think China's move makes sense - they just want to check and make sure there is no backdoor in your code/algo. As an earlier post said "Good encryption does not rely on obfuscation of code and processes." They trust what the users want to encrypt, just making sure the devices are not leaking the info to uninvited parties.

As for India, this is very bad. They are just paranoid. This sets up a very bad example. They are scaring off all the business partners and hence the opportunities. Think if you are a vendor, how can you be sure that they would never do the same thing to you one day?

Re:China good, India bad

[kubitus]

Google also had to find out that China does not want backdoors - unless they are their own.

.

I would recommend every government, company or institution to use especially network devices only, if they can review and then compile the code themselves which is to be run in the device.

So as to avoid Trojan Boot Loaders within their networks.

Re:China good, India bad

So to appease businesses a country should forgo all security risks? Especially significant considering that the country whose products are blocked has a track record for utilizing such technology for illicit purposes.

China has shown that it cannot be trusted time and again. This is especially true in context of Sino-Indian relations.

Re:China good, India bad

China's move does make sense. And India does have a reason to be paranoid. A little bit of world history would do wonders to your perspective.

And China should be the last to complain even if this leads to protectionism - they keep their currency pegged to low levels so they can export more to US and disrupt global trade.

big bussines is all about politics

actually Alcatel-Lucent will benefit from this. They have low priced telecom equipment and they have been replaced in many countries by even cheaper Huawei.

But isn't this strange? They put a ban because chinese "could have spyware or malware" in their equipment. Isn't this like putting someone in jail because he might do something bad in the future?

Here is my conspiracy theory: big companies export corruptions in the developing countries (this is a fact). Some companies could just not compete with the cheap Huawei so they paid officials for the ban. Problem solved! either this or the chinese really have spyware on their machines.

Re:big bussines is all about politics

Isn't this like putting someone in jail because he might do something bad in the future?

No it's more like not buying someone's products because you don't trust them.

Re:big bussines is all about politics

[vadim_t]

But isn't this strange? They put a ban because chinese "could have spyware or malware" in their equipment. Isn't this like putting someone in jail because he might do something bad in the future?

Why is it strange? I'm pretty sure the FDA does something quite similar to this. You can't sell a medicine made of undisclosed components.

Re:big bussines is all about politics

but Indian goverment is not buying the stuff. It's the telecom operators that buy it and use it to sell services to regular citizens. The goverment could buy trusted equipment for their needs.

Re:big bussines is all about politics

well it's strange because we are talking about servers that "could have spyware or malware". Wouldn't it be easier to actually search for the spyware and come forward with some proof?

Also for telecom the security it's pretty easy to achieve: you need physical access to their machines to do anything. Spyware calling home? how? These are not 24/7 internet connected machines.

Re:big bussines is all about politics

[vadim_t]

well it's strange because we are talking about servers that "could have spyware or malware". Wouldn't it be easier to actually search for the spyware and come forward with some proof?

When checking that a medicine is not poisonous, what you'd do is to look at what's in it. It's much easier to check a list of ingredients, and test those if necessary, than to check it against every harmful substance known.

In the same way, when checking a program for malicious content, it's best to look at the source code. How else would they do it, anyway? A virus scanner won't work if it's custom made.

And no, it "wouldn't be easier". When trying to ensure security you apply a whitelist: you demand that things be proved to be safe to be allowed. Then if you allow 3 devices to be used, you only need to check those 3. That's easier than trying to blacklist every malicious one in existence.

Also for telecom the security it's pretty easy to achieve: you need physical access to their machines to do anything. Spyware calling home? how? These are not 24/7 internet connected machines.

Eh? Huawei sells things like 3G dongles. Those things connect to the internet by definition. And firewalls and routers tend to run 24/7 and to have an internet connection.

Re:big bussines is all about politics

[vacarul]

we are not talking about the same thing. A dongle it's not really part of the telecom network; it is user equipment. Why bother selling compromised dongles when you can buy a dongle for any network you want and do whatever with it?

Again, we are not talking about the same thing.

Re:big bussines is all about politics

[rtfa-troll]

but Indian goverment is not buying the stuff. It's the telecom operators that buy it and use it to sell services to regular citizens. The goverment could buy trusted equipment for their needs.

The teleco stuff is the stuff you will use to call for help and communicate during a war. Since the idea of total war it has been clear that your civilian infrastructure may be targeted in war. The idea of something which lets your opposition remotely disable most of your industrial capacity is crazy. That's what Chinese exchanges represent for India.

Re:big bussines is all about politics

[vadim_t]

The article says "including smart cards, firewall and routers".

So, how exactly is a router not a 24/7 internet connected machine, or require physical access to use it?

Re:big bussines is all about politics

I'm talking about India and the second article...

"biggest neighbor"?

[by+(1706743)]

Isn't Russia China's biggest (at least by area) neighbor, not India?

Re:"biggest neighbor"?

People count more than empty square miles of Tundra

This really can be a problem

[ThermalRunaway]

I have worked in the defense industry for a while, and used to work in the "Government" division of a major telecom company.

One project we had worked on was encrypted cell phones for gov use. Our customers were only interested in a solution that was top to bottom US made from cleared companies. The chipset, OS, drivers, etc, were all built in the US, so there was no issue of "back doors"

I also heard rumors at one point about some contractor actually finding mal-ware type SW embedded in the firmware of Lenovo laptops that could sort of call home to momma. I've never seen Lenovo boxes around after that.

I think these issues are going to be bigger than just a single point in the infrastructure chain. With so much cyber activity going on, I think many countries are going to face the same sort of issue India is trying to prevent.

Re:This really can be a problem

[ibsteve2u]

Glad to see you mention the vulnerabilities that can be introduced via the chipsets...a lot of people focus on the code and don't understand what you can do with a single chip - and "invisibly", for all practical purposes.

Re:Timing of Indian ban - just in time for 3G auct

Yes, India is, like, right now in the process of auctioning 3G licenses. This will really bring benefits to Ericsson and Nokia Siemens.

What a coincidence! Or is it...?

TFA doesn't say that

[Mr+Otobor]

First off, TFA article doesn't mention source code; second, it quite explicitly says 'details are murky' and it is unclear what the PRC is asking for. At least as far as the article goes, that is what is said.

Second, to some comments: Other countries already have various schemes in place for reviewing code (which doesn't preclude flaws or backdoors, intentional or not, from being included in compiled / embedded code...)

India is saying what other countries fear, but since they are in China's backyard and vice versa, it's not surprising they're willing to go a little further and say it out loud as well as act on it. Also, as a bit of a reminder, India and China are as much --if not more so-- in competition than US/China/Europe: India has been trying to bolster it's sea power as it falls further behind China in that regard, China has close ties with Pakistan partially because Pakistan and India don't like each other particularly much, India is courting Afghanistan partially to offset Pakistan's power, etc. And let's not forget China and India have fought an actual war, albeit a fairly small one, and India lost and has never accepted the outcome.

The future...

[MikeRT]

The idea that corporations that bowl over the largest nation states is our future has always seemed strange to me. Multinationals are really just a legal fiction that exists simultaneously in multiple countries. At any time, a political system can create problems that will effectively bring that multinational to its knees.

I think the future for big business is identical, only a little further out, to that of big government: replacement by small, agile businesses. Big business exists mainly because of big government and cooperation between the same. I think we're going to see a future in which each major country may trade for some tech products, but you'll see conditions begin to favor agile, much smaller businesses that can efficiently produce most important things at home.

Re:The future...

[ibsteve2u]

see conditions begin to favor agile, much smaller businesses that can efficiently produce most important things at home

I tend to disagree; while conditions may differ elsewhere, our Supreme Court's transformation of corporations into super-citizens will in fact encourage corporations to become ever bigger so as to ever better afford the purchase of both political advertising and politicians. Given enough political control, a corporation can simply and effectively modify the rules of the game to make "doing business" prohibitively expensive or complex unless you are already of sufficient size.

And they will do that; the important thing to remember is that our corporations have grown themselves to the size that they are now for the competitive advantage that size provides in the pursuit of profit; they do not, in fact, like competition, and size provides more and better opportunities to eliminate competition.

lolll...ask Wal*Mart.

Actually it's security as an import regulation

[M_Hulot]

The headline suggests that China is using import rules to bolster security. I think it is the other way round. They are using the demand for source code as a barrier to trade to (unfairly) help domestic firms. Not very many overseas firms are going to provide source code, leaving the market open to Chinese firms.

Re:Actually it's security as an import regulation

[phantomcircuit]

I definitely agree with you, but I'd take it one step farther.

By issuing this as a security restriction they are completely circumventing the WTO, which would otherwise slap them with export tariffs.

Re:Actually it's security as an import regulation

[orasio]

The headline suggests that China is using import rules to bolster security. I think it is the other way round. They are using the demand for source code as a barrier to trade to (unfairly) help domestic firms. Not very many overseas firms are going to provide source code, leaving the market open to Chinese firms.

I would agree with you if you didn't say "(unfairly)".
Access to source code is a legitimate security concern. Fair trade doesn't mean that you can't set high standards if foreign providers can't reach them.

Re:Actually it's security as an import regulation

[hackingbear]

Good try. But do you know every other piece of imported hardware and semiconductor chip are smuggled into China, just to avoid the tariff. It is another open secrete in China.

same thing happened in manufacturing...

in the 80's and 90's American manufacturers gave away their technology to the Chinese to get a piece of the huge Chinese market. This allowed the Chinese to modernize their manufacturing technology by decades in a few years. Then instead of opening their markets, China flooded the world markets and decimated the foreign competition.
One might hope managers of corporations would learn from the past...

Awesome!

[Weezul]

Go India! Everyone should ban electronics made in China given China's general proclivity towards industrial espionage.

I hate to say it but I agree with China

[erroneus]

I think ALL governments should behave this way. If government is to take its own data security seriously, the boxes they use should not be "black boxes." For commercial business this should also be a rule but so far, business trusts closed source software and devices running on closed source software... well, not all businesses... not Ernie Ball ... not London Stock Exchange... but most businesses.

At some level, we have to trust technology though... seriously, I don't know what's in the Linux kernel. I trust that since it is peer reviewed and tested a lot that it can be trusted, but I personally and directly do not know everything in there. I don't know everything about my cars either come to think of it.... but in general, when it comes to matters of serious consequence, one is best advised to learn and understand what it going on and where the potential dangers lie.

Re:I hate to say it but I agree with China

[perryizgr8]

just having access to the software source is terribly inadequate to address security concerns. a kill switch can be easily implemented in hardware as a tiny, insignificant chip. now if you are going to have every single piece of equipment reviewed by hardware experts, then ok. but i dont think that is practical.

India's isn't about Trust.

[orlanz]

I think India isn't doing the restrictions for Trust or Security reasons. Their politicians couldn't care less. For the right price, they will sell you a state or two.

It probably has more to do with keeping knock off China phones off the markets to keep the big corps happy. In India, there is rampant import of Chinese knockoff phones. An HTC becomes a HIC. They add a little line at the bottom and cut the price from $400 to $50. I kid you not. Quality control is an issue, but if you have the right connections, that won't be a problem. The phone is from the same factory that makes the name brand, its the same materials, same machines, and same people. Just the 3rd shift of lineman and it doesn't go through QC before shipment.

So for sometime, the India government has been pressured to put a stop to this import. They haven't been very successful but that doesn't mean they don't look like they are trying. Exactly how do you stop 50 individually owned stores stuffed into an area the size of a CVS from selling the same stuff to a population that creates a massive amount of demand but isn't willing to pay like credit based Americans are. Not to mention your enforcement divisions are willing to look the other way for a dollar of that $50 sale. Additionally, the worst offenders are the politicians and those connected to them.

Re:India's isn't about Trust.

And what makes you think that preventing cheap knockoff phones from coming to the market(if at all it has anything to do with the network) is more important to politicians than the kick-backs they receive beacuse of the contracts. For once this is a problem with trust with China. Even in Indian politics there is always a section that likes to side with China(the left), and making a policy such as this one requires serious effort and evidence possibly.

Re:India's isn't about Trust.

[perryizgr8]

I think India isn't doing the restrictions for Trust or Security reasons. Their politicians couldn't care less. For the right price, they will sell you a state or two.

sadly true for many state governments.
but i think the government at the center is not that corrupt. this really is a security concern. the problem is that we don't have the kind of expertise to review each device individually for secret, kill-switch, call-home chips.
on the other hand china requiring source code won't do much about security, since it is easier to incorporate a tiny chip. imo, this is simply about not having to develop their own software.

Re:India's isn't about Trust.

This is not about cheap mobile phones. I agree with you on that part as well as the politicians. But the real problem are the telecom network infrastructure devices. In the event of a war between India and China, for all you know the Chinese manufacturer would be able to switch off the lines or tap those line with ease. This is what the Indian government is worried more about I think. The Chinese network equipments might be much cheaper than the competition and profit eager corporations would not want to block cheap hardware. India doesn't have many/any network equipment manufacturer, but I am not sure.

Re:India's isn't about Trust.

Umm, this isn't about cellphones. The ban on imports relates to equipment installed and operated by network operators.

some projects embed a timestamp of the build

[Chirs]

It's hard to test a linux kernel build for instance, because it embeds the time of the kernel build (and other information) into the kernel binary itself.

Re:some projects embed a timestamp of the build

[Arker]

As long as it's not deliberately obfuscated it would not be difficult to account for that.

Politics

[Blue6]

More then anything, India is probably retaliating for China teaming up with Pakistan on nuclear technology.

Sounds fine to me

Nobody should be using crypto whose source code hasn't been given to the Chinese government, the Cult of Scientology, the NSA, and the National Association of Marlon Brando Lookalikes. If you're not willing to share your code with them, then it must not be very good. I sure don't wanna use any crypto code, unless some smug smirking developer has said, "Sure, the Chinese can look at it."

I'm with India

[anarche]

I picked up a lovely dirt-cheap Chinese wireless card a month ago (Tenda from Jaycar in Oz for those interested).

Upon installation, the windows kept losing focus - type-type-type.. wtf (clicked back into the window).

Thought I'd watch the network traffic a bit, and sure enough; type-type-type.. window loses focus... network traffic spikes a smidgen...

Maybe I'm missing the point

The Indian end of it looks like their simply trying to bring manufacturing plants to India soil where they can tax people and propagate the whole "technology leader" thing they've been flying for several years.

The EU doesn't like it because it will "supposedly" hurt the bottom line for telco manufacturer's based in their taxable areas which is BS. Cheaper productions costs means more profit = more taxable income for the EU.

Telco's manufacturers own the hardware and usually stipulate unrestricted access to their platforms at all times. Its in the contract and has been since Watson sold Hollerith crap to the Nazi's. Was done 60 years ago, is being done today (Avaya, Alcatel, Nokia) nothing new here.

Google's using WIndows code ?

[Taco+Cowboy]

The effect of giving the Windows source code to China seems to have been that people in China used it to break into Google and tens of other major corporations.

Come again?

You mean Google is running on Microsoft Windows' code ???

No, I ain't trying to be funny. I just can not put the 2 and 2 together.

Having Windows code is one thing, cracking Google is another thing altogether.

Re:Google's using WIndows code ?

[Bert64]

Google's services aren't running on windows, but their office staff are and that's where the point of entry was... Once you start keylogging workstations it doesn't really matter how secure other servers are.

Re:Good India is worried on this instead of sewage

[webminer]

Why do obnoxious dumbasses like you bring up poverty everytime India does something good or aspires for something that only developed countries has 'rights' to? A developing country cannot aspire to have security and be able to defend itself from commie and islamic terror neighbours? Cant it become self-sufficient in space, defence and other technological advances? Because it is poor, the entire populace is doomed to live in 15th century?

Actually, there *are* winners ...

[Taco+Cowboy]

I can't blame the Chinese government for wanting to have the encryption information ... and I can't blame India for not trusting Chinese technology. Nobody wins when no one trusts each other.

But there *are* winners !

In the case of India not importing Chinese equipments, the Japanese, European, Korean, and American companies suddenly become the de facto winners.

typo

"The Register reports that the Chinese government is forcing vendors to cough up the source code to their encryption alogrithms before they can sell their equipment to the Chinese government."

Something wrong with this sentence...

Chinese vendors...

[Bert64]

So India is worried about backdoors in products from China, but is not worried about backdoors being present in products from other countries?
They should be worried about any proprietary products from any country... China isn't the only country that might want to spy on India.

Will they recompile to check ?

[Alain+Williams]

It is one thing to have something that is labeled ''source code to the product'' and to be sure that this is exactly what was used, eg no little extra ''tweak'' hidden in a system macro that leaves a security back door. If they are serious about this they will insist on compiling the source on one of their machines and check that it matches the binary that is shipped with the product.

All of this is a lot of work and will take a lot of time, who is going to pay for it ?

If they don't recompile it then the suspicion must be that they are more interested in getting/ripping-off the technology that doing a security audit.

And they called the NSA password in Windows ...

a conspiracy theory.

What's the point exactly?

Unless the source can be compiled from scratch and used in place of the pre-compiled versions, including flashing of firmware, creation of installable ROM images or OS installs, having source code guaranteed by analysis to be exploit-free gains the user nothing. There could still be spyware in the final product. Short of self-installing, I guess creation of bit-equivalent or checksum-equivalent binaries would be good enough as a verification mechanism. sesli sohbet