India, China Try Import Regulations As Security Tools
An anonymous reader writes "The Register reports that the Chinese government is forcing vendors to cough up the source code to their encryption algorithms before they can sell their equipment to the Chinese government. The EU doesn't seem to like it, but if I were in their position I'd want the same thing."
China's biggest neighbor goes further; another anonymous reader writes "Telco equipment from China could have spyware that gives access to telecom networks in India. The Indian government has officially told mobile operators not to import any equipment manufactured by Chinese vendors, including Huawei and ZTE. The ban order follows concerns raised by the Home Ministry that telecom equipment from some countries could have spyware or malware that gives intelligence agencies across the border access to telecom networks in India. The biggest gainers from the move could be Ericsson, Nokia, and Siemens, which have been losing market share to aggressive Chinese equipment-makers in India."
Isn't Russia China's biggest (at least by area) neighbor, not India?
First off, TFA article doesn't mention source code; second, it quite explicitly says 'details are murky' and it is unclear what the PRC is asking for. At least as far as the article goes, that is what is said.
Second, to some comments: Other countries already have various schemes in place for reviewing code (which doesn't preclude flaws or backdoors, intentional or not, from being included in compiled / embedded code...)
India is saying what other countries fear, but since they are in China's backyard and vice versa, it's not surprising they're willing to go a little further and say it out loud as well as act on it. Also, as a bit of a reminder, India and China are as much --if not more so-- in competition than US/China/Europe: India has been trying to bolster its sea power as it falls further behind China in that regard, China has close ties with Pakistan partially because Pakistan and India don't like each other particularly much, India is courting Afghanistan partially to offset Pakistan's power, etc. And let's not forget China and India have fought an actual war, albeit a fairly small one, and India lost and has never accepted the outcome.
Nope. Signed files are designed so that you can extract the original data minus the signature and calculate a hash on it. Otherwise you could never check the signature.
And since you can extract the original data, you can compare it to your own build.
Signing does not provide a backdoor.
It's hard to test a Linux kernel build for instance, because it embeds the time of the kernel build (and other information) into the kernel binary itself.
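The check the comment above describes, as an added example (not from the thread or any vendor's tooling): strip the signature trailer off a vendor image, then compare the remaining payload against a local rebuild, masking the embedded build timestamp so the two can be compared at all. The trailer layout, the field offsets, and the sample images are constructed assumptions; verifying the signature itself against the vendor's public key is assumed to happen separately.

```python
import hashlib
import struct

# Constructed trailer layout (an assumption, not a real vendor format):
#   payload || signature || 4-byte big-endian signature length || b"SIG1"
TRAILER_MAGIC = b"SIG1"

def split_signed(blob: bytes):
    """Return (payload, signature). The signature is checked against the
    vendor's public key elsewhere; here we only need the payload back."""
    if len(blob) < 8 or blob[-4:] != TRAILER_MAGIC:
        raise ValueError("not a signed image (bad trailer magic)")
    (sig_len,) = struct.unpack(">I", blob[-8:-4])
    if sig_len > len(blob) - 8:
        raise ValueError("signature length exceeds image size")
    payload = blob[: len(blob) - 8 - sig_len]
    signature = blob[len(blob) - 8 - sig_len : -8]
    return payload, signature

def normalized_digest(payload: bytes, volatile_fields=()) -> str:
    """SHA-256 of the payload with build-time fields (offset, length) zeroed,
    so a rebuild that differs only in its embedded timestamp still matches."""
    buf = bytearray(payload)
    for off, length in volatile_fields:
        buf[off:off + length] = b"\0" * length
    return hashlib.sha256(bytes(buf)).hexdigest()

def matches_own_build(vendor_blob: bytes, own_payload: bytes, volatile_fields=()) -> bool:
    """True when the vendor's signed payload equals our own build, ignoring
    only the fields we explicitly declared volatile."""
    payload, _signature = split_signed(vendor_blob)
    return normalized_digest(payload, volatile_fields) == normalized_digest(own_payload, volatile_fields)

# Constructed samples: identical code, but a 4-byte build timestamp at offset 8 differs.
VENDOR_PAYLOAD = b"KERNEL01" + struct.pack(">I", 1271721600) + b"code-bytes"
OWN_PAYLOAD = b"KERNEL01" + struct.pack(">I", 1271808000) + b"code-bytes"
FAKE_SIG = b"\xAB" * 64  # placeholder signature bytes, not a real signature
VENDOR_BLOB = VENDOR_PAYLOAD + FAKE_SIG + struct.pack(">I", len(FAKE_SIG)) + TRAILER_MAGIC

if __name__ == "__main__":
    print(matches_own_build(VENDOR_BLOB, OWN_PAYLOAD))            # False: timestamp differs
    print(matches_own_build(VENDOR_BLOB, OWN_PAYLOAD, [(8, 4)]))  # True once it is masked
```

Any byte outside the declared volatile fields that differs still fails the comparison, which is the point: the mask must be narrow and justified, or the check proves nothing.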