Slashdot Mirror


India, China Try Import Regulations As Security Tools

An anonymous reader writes "The Register reports that the Chinese government is forcing vendors to cough up the source code to their encryption algorithms before they can sell their equipment to the Chinese government. The EU doesn't seem to like it, but if I were in their position I'd want the same thing." China's biggest neighbor goes further; another anonymous reader writes "Telco equipment from China could have spyware that gives access to telecom networks in India. The Indian government has officially told mobile operators not to import any equipment manufactured by Chinese vendors, including Huawei and ZTE. The ban order follows concerns raised by the Home Ministry that telecom equipment from some countries could have spyware or malware that gives intelligence agencies across the border access to telecom networks in India. The biggest gainers from the move could be Ericsson, Nokia, and Siemens, which have been losing market share to aggressive Chinese equipment-makers in India."

14 of 108 comments

  1. The only encryption algorithms worth a damn by al0ha · · Score: 4, Insightful

    are the ones that are open to peer review. So Kudos to the Chinese for being smart enough to make these idiot companies with closed-source encryption technologies provide them with the source code for review. Good encryption does not rely on obfuscation of code and processes!

    --
    Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
    1. Re:The only encryption algorithms worth a damn by Anonymous Coward · · Score: 4, Insightful

      I don't think that's why they want to view the source code...

    2. Re:The only encryption algorithms worth a damn by rtfa-troll · · Score: 3, Insightful

      The effect of giving the Windows source code to China seems to have been that people in China used it to break into Google and tens of other major corporations. Why should this be any different? There are expert groups in China who will find vulnerabilities in the systems and then, instead of having to have trojanised equipment from their own vendors, they will be able to attack the other vendor's equipment just as well.

      What's really funny is that India is stopping buying Chinese-made telco equipment whilst other countries like the US, also great friends of China (when will you stop blocking their discipline against the rebel province of Taiwan???), still continue to buy Chinese.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
  2. Trust by WrongSizeGlass · · Score: 3, Insightful

    This seems like a natural progression down the line of diminishing trust between countries. It's not very surprising, especially since the Chinese government *may* have been 'supportive' of some of the China/Google hacking. It appears the downside of possibly endorsing or supporting security breaches is other people/countries/etc will suspect you of it from that point on.

    I can't blame the Chinese government for wanting to have the encryption information ... and I can't blame India for not trusting Chinese technology. Nobody wins when no one trusts each other.

    1. Re:Trust by FooAtWFU · · Score: 5, Insightful

      I'm just reminded of the old security-oriented definition of Trust: the person you trust is the person who can break your security. It's a perfectly healthy attitude to trust people (/businesses/nations) as little as possible when the security of your data is at risk. In the arena of IT security, we need less "trust" and more "verify".

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    2. Re:Trust by Arker · · Score: 5, Insightful

      > Nobody wins when no one trusts each other.

      Au contraire, when it comes to security, everyone wins when no one trusts each other.

      The Chinese move, at least, is long overdue. No one should ever trust a device whose source code is secret.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
  3. Copying by mwvdlee · · Score: 5, Insightful

    If you're going to give your source code to the Chinese, you know for certain they will copy it and never buy a product from you again.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  4. What a novel concept by srussia · · Score: 5, Insightful

    Security through security!

    --
    Set your phasers on "funky"!
  5. What's the point exactly? by c0d3g33k · · Score: 4, Insightful

    Unless the source can be compiled from scratch and used in place of the pre-compiled versions, including flashing of firmware, creation of installable ROM images or OS installs, having source code guaranteed by analysis to be exploit-free gains the user nothing. There could still be spyware in the final product. Short of self-installing, I guess creation of bit-equivalent or checksum-equivalent binaries would be good enough as a verification mechanism.

    1. Re:What's the point exactly? by Arker · · Score: 3, Insightful

      > Unless the source can be compiled from scratch and used in place of the pre-compiled versions, including flashing of firmware, creation of installable ROM images or OS installs, having source code guaranteed by analysis to be exploit-free gains the user nothing. There could still be spyware in the final product. Short of self-installing, I guess creation of bit-equivalent or checksum-equivalent binaries would be good enough as a verification mechanism.

      It should be common sense that you have to verify that the source code you were given actually compiles to a bit-identical executable in order for the exercise to mean anything at all.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    2. Re:What's the point exactly? by c0d3g33k · · Score: 3, Insightful

      Yes, but that's not always the case, even with nominally "Open Source" software that ends up on proprietary closed devices. Tivo comes to mind, as does Android. I can't recall ever reading about building bit-identical executables as a way of verifying that what is running on the hardware is actually the same as the audited source code. Mostly I read the opposite - what actually runs is always different from what the 'open' source can produce, if for no other reason than signing them with a private key. That's enough to slip in some clever assembler routine that can be used as a backdoor, I'm guessing.
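
The check argued over in this sub-thread (rebuild from the audited source, compare with the shipped image, and deal with the vendor signature that makes the two files differ), sketched as an added example that is not any commenter's code. The fixed 64-byte signature trailer, the function names and all sample bytes are assumptions constructed for illustration.

```python
import hashlib

SIG_LEN = 64  # assumption: vendor appends a fixed-size signature trailer

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def diff_ranges(a: bytes, b: bytes, limit: int = 16) -> list:
    """Byte ranges (start, end-exclusive) where a and b differ."""
    ranges, n, i = [], min(len(a), len(b)), 0
    while i < n and len(ranges) < limit:
        if a[i] == b[i]:
            i += 1
            continue
        start = i
        while i < n and a[i] != b[i]:
            i += 1
        ranges.append((start, i))
    if len(a) != len(b) and len(ranges) < limit:
        ranges.append((n, max(len(a), len(b))))  # one image has extra bytes
    return ranges

def verify_image(shipped: bytes, rebuilt: bytes, sig_len: int = SIG_LEN) -> dict:
    """Compare a shipped image (payload + signature trailer) with a local rebuild.

    Only the declared trailer is excluded; any other difference is a failure.
    """
    if len(shipped) <= sig_len:
        return {"match": False, "reason": "image shorter than trailer", "ranges": []}
    payload = shipped[:len(shipped) - sig_len]
    if sha256(payload) == sha256(rebuilt):
        return {"match": True, "reason": "payload bit-identical", "ranges": []}
    return {"match": False, "reason": "payload differs",
            "ranges": diff_ranges(payload, rebuilt)}

# Constructed sample data: a 1 KiB "rebuild" and two "shipped" images.
REBUILT = bytes(range(256)) * 4
SIGNATURE = b"\xaa" * SIG_LEN                      # stand-in, not a real signature
SHIPPED_OK = REBUILT + SIGNATURE
_patched = bytearray(REBUILT)
_patched[512:520] = b"\x90" * 8                    # 8 bytes that are not in the source
SHIPPED_TAMPERED = bytes(_patched) + SIGNATURE

if __name__ == "__main__":
    print(verify_image(SHIPPED_OK, REBUILT))
    print(verify_image(SHIPPED_TAMPERED, REBUILT))
```

The comparison only means something if the build itself is deterministic (same toolchain, flags, timestamps and file ordering); otherwise the reported ranges are build noise rather than evidence.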

  6. Timing of Indian ban - just in time for 3G auction by sznupi · · Score: 3, Insightful

    Yes, India is, like, right now in the process of auctioning 3G licenses. This will really bring benefits to Ericsson and Nokia Siemens.

    --
    One that hath name thou can not otter
  7. same thing happened in manufacturing... by Anonymous Coward · · Score: 3, Insightful

    In the 80's and 90's American manufacturers gave away their technology to the Chinese to get a piece of the huge Chinese market. This allowed the Chinese to modernize their manufacturing technology by decades in a few years. Then instead of opening their markets, China flooded the world markets and decimated the foreign competition.
    One might hope managers of corporations would learn from the past...

  8. Re:Good India is worried on this instead of sewage by webminer · · Score: 3, Insightful

    Why do obnoxious dumbasses like you bring up poverty every time India does something good or aspires for something that only developed countries have 'rights' to? A developing country cannot aspire to have security and be able to defend itself from commie and islamic terror neighbours? Can't it become self-sufficient in space, defence and other technological advances? Because it is poor, the entire populace is doomed to live in the 15th century?