Slashdot Mirror

← Back to Stories (view on slashdot.org)

India, China Try Import Regulations As Security Tools

Posted by timothy on from the you-can't-enter-our-theme-park dept.

An anonymous reader writes "The Register reports that the Chinese government is forcing vendors to cough up the source code to their encryption alogrithms before they can sell their equipment to the Chinese government. The EU doesn't seem to like it, but if I were in their position I'd want the same thing." China's biggest neighbor goes further; another anonymous reader writes "Telco equipment from China could have spyware that gives access to telcom networks in India. The Indian government has officially told mobile operators not to import any equipment manufactured by Chinese vendors, including Huawei and ZTE. The ban order follows concerns raised by the Home Ministry that telecom equipment from some countries could have spyware or malware that gives intelligence agencies across the border access to telecom networks in India. The biggest gainers from the move could be Ericsson, Nokia, and Siemens, which have been losing market share to aggressive Chinese equipment-makers in India."

42 of 108 comments (clear)

  1. The only encryption algorithms worth a damn by al0ha · · Score: 4, Insightful

    are the ones that are open to peer review. So Kudos to the Chinese for being smart enough to make these idiot companies with closed-source encryption technologies provide them with the source code for review. Good encryption does not rely on obfuscation of code and processes!

    --
    Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
    1. Re:The only encryption algorithms worth a damn by Anonymous Coward · · Score: 4, Insightful

      I don't think that's why they want to view the source code...

    2. Re:The only encryption algorithms worth a damn by Anonymous Coward · · Score: 2, Insightful

      Regardless of whether that's why they want to view it or not, the net effect is that only robust algorithms will be exported to China. Everybody can get the code to GPG, but that doesn't make the keys invalid.

    3. Re:The only encryption algorithms worth a damn by Monkeedude1212 · · Score: 3, Funny

      Hey, MD5 was perfectly fine until your type started investigating it.

      See, we've had Quantum Encryption for a while now!

    4. Re:The only encryption algorithms worth a damn by commodore64_love · · Score: 2, Insightful

      If only the State governments were that smart. Who the hell knows what's inside the Diebold voting machines? When working with the Defense Department we're expected to provide all the code for review.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    5. Re:The only encryption algorithms worth a damn by elrous0 · · Score: 2, Funny

      Who the hell knows what's inside the Diebold voting machines?

      Karl Rove.

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
    6. Re:The only encryption algorithms worth a damn by c0d3g33k · · Score: 3, Funny

      He must cramp up after awhile and need to change position. Surely someone could hear him shifting around inside after that.

    7. Re:The only encryption algorithms worth a damn by elrous0 · · Score: 2, Funny

      He can go without moving or needed sustenance for months at a time. But when they pull him out, he can eat almost an entire herd of baby seals to restore his winter coat.

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
    8. Re:The only encryption algorithms worth a damn by rtfa-troll · · Score: 3, Insightful

      The effect of giving the Windows source code to China seems to have been that people in China used it to break into Google and tens of other major corporations. Why should this be any different? There are expert groups in China who will find vulnerabilities in the systems and then, instead of having to have trojanised equipment from their own vendors, they will be able to attack the other vendor's equipment just as well.

      What's really funny is that India is stopping buying Chinese made teleco equipment whilst other countries like the US; also great friends of China (when will you stop blocking their discipline against the rebel province of Taiwan???) still continue to buy Chinese.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    9. Re:The only encryption algorithms worth a damn by _merlin · · Score: 5, Interesting

      What's really funny is that India is stopping buying Chinese made teleco equipment whilst other countries like the US; also great friends of China (when will you stop blocking their discipline against the rebel province of Taiwan???) still continue to buy Chinese.

      No, it's actually quote logical. You see, for Western countries, China is a nominally communist "bad guy" that conveniently serves as an example of what the opposite of their idea of "freedom" would be. In practice, they're too distant for this to cause any change in behaviour, and buying their cheap products seems to keep the plebs happy. OTOH, India and China are highly populous nuclear armed mega-countries that share a disputed land border (see Arunachal Pradesh) - that warrants a degree of caution when dealing with each other.

  2. Trust by WrongSizeGlass · · Score: 3, Insightful

    This seems like a natural progression down the line of diminishing trust between countries. It's not very surprising, especially since the Chinese government *may* have been 'supportive' of some of the China/Google hacking. It appears the downside of possibly endorsing or supporting security breaches is other people/countries/etc will suspect you of it from that point on.

    I can't blame the Chinese government for wanting to have the encryption information ... and I can't blame India for not trusting Chinese technology. Nobody wins when no one trusts each other.

    1. Re:Trust by FooAtWFU · · Score: 5, Insightful

      I'm just reminded of the old security-oriented definition of Trust: the person you trust is the person who can break your security. It's a perfectly healthy attitude to trust people (/businesses/nations) as little as possible when the security of your data is at risk. In arena of IT security, we need less "trust" and more "verify".

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    2. Re:Trust by timeOday · · Score: 2, Interesting

      This seems like a natural progression down the line of diminishing trust between countries.

      I could just as well see it as a progression reflecting increasing levels of economic interdependence. Granted, economic interdependence isn't quite the same thing as trust - it's more substantial; it's trust expressed through actions.

    3. Re:Trust by OhHellWithIt · · Score: 2, Insightful

      I can't blame the Chinese government for wanting to have the encryption information ... and I can't blame India for not trusting Chinese technology. Nobody wins when no one trusts each other.

      What about the domestic producers of encryption equipment? Don't they stand to gain a little through sales to their government, whether it be India, China, or the U.S.A.?

      For my part, I don't understand why any government trusts producers of other countries for their critically sensitive information. In the U.S., we know that our "friends", like Israel, engage in espionage, and I'm pretty sure we spy on them (although I have no evidence to back it up other than fuzzy recollections of news articles over the years). How do I know that a U.S.-produced item doesn't have a back door for NSA to use?

      --
      "Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
    4. Re:Trust by Arker · · Score: 5, Insightful

      Nobody wins when no one trusts each other.

      Au contraire, when it comes to security, everyone wins when no one trusts each other.

      The chinese move, at least, is long overdue. No one should ever trust a device whose source code is secret.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
  3. Copying by mwvdlee · · Score: 5, Insightful

    If you're going to give your source code to the Chinese, you know for certain they will copy it and never buy a product from you again.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    1. Re:Copying by Jawn98685 · · Score: 5, Funny

      Yes, but you can then buy "Genyooine Cisko Router" for only $199 American dollar, so is good deal for everybody.

    2. Re:Copying by game+kid · · Score: 4, Funny

      That one sucks. I prefer "Ginuwine Sisqó Router" because its Web interface has lots of thongs and double entendres.

      --
      You can hold down the "B" button for continuous firing.
    3. Re:Copying by Myji+Humoz · · Score: 4, Interesting

      How does giving the source code for an encryption algorithm equate with giving the sourcecode for the hardware?

      For that matter, how the heck does giving someone the source code (controlling software, drivers, encryption, backup algorithms, etc) equate with giving them blueprints for your hardware?

      Mindless Chinabashing at its best.

      --
      Signatures are the new names.
    4. Re:Copying by grcumb · · Score: 2, Funny

      That one sucks. I prefer "Ginuwine Sisqó Router" because its Web interface has lots of thongs and double entendres.

      Bollocks. My Honour Brand Enlightened Crisco router also makes our fried chicken taste less greasy. It's true! I took the paper towel test!

      The missus loves it.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  4. What a novel concept by srussia · · Score: 5, Insightful

    Security through security!

    --
    Set your phasers on "funky"!
  5. What's the point exactly? by c0d3g33k · · Score: 4, Insightful

    Unless the source can be compiled from scratch and used in place of the pre-compiled versions, including flashing of firmware, creation of installable ROM images or OS installs, having source code guaranteed by analysis to be exploit-free gains the user nothing. There could still be spyware in the final product. Short of self-installing, I guess creation of bit-equivalent or checksum-equivalent binaries would be good enough as a verification mechanism.

    1. Re:What's the point exactly? by Arker · · Score: 3, Insightful

      Unless the source can be compiled from scratch and used in place of the pre-compiled versions, including flashing of firmware, creation of installable ROM images or OS installs, having source code guaranteed by analysis to be exploit-free gains the user nothing. There could still be spyware in the final product. Short of self-installing, I guess creation of bit-equivalent or checksum-equivalent binaries would be good enough as a verification mechanism.

      It should be common sense that you have to verify that the source code you were given actually compiles to a bit-identical executable in order for the exercise to mean anything at all.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    2. Re:What's the point exactly? by c0d3g33k · · Score: 3, Insightful

      Yes, but that's not always the case, even with nominally "Open Source" software that ends up on proprietary closed devices. Tivo comes to mind, as does Android. I can't recall ever reading about building bit-identical executables as a way of verifying that what is running on the hardware is actually the same as the audited source code. Mostly I read the opposite - what actually runs is always different from what the 'open' source can produce, if for no other reason than signing them with a private key. That's enough to slip in some clever assembler routine that can be used as a backdoor, I'm guessing.

    3. Re:What's the point exactly? by Anonymous Coward · · Score: 2, Informative

      ... signing them with a private key. That's enough to slip in some clever assembler routine that can be used as a backdoor, I'm guessing.

      Nope. Signed files are designed so that you can extract the original data minus the signature and calculate a hash on it. Otherwise you could never check the signature.

      And since you can extract the original data, you can compare it to your own build.

      Signing does not provide a backdoor.

  6. Timing of Indian ban - just in time for 3G auction by sznupi · · Score: 3, Insightful

    Yes, India is, like, right now in the process of auctioning 3G licenses. This will really bring benefits to Ericsson and Nokia Siemens.

    --
    One that hath name thou can not otter
  7. China good, India bad by daoshi · · Score: 3, Funny

    I think China's move makes sense - they just want to check and make sure there is no backdoor in your code/algo. As an earlier post said "Good encryption does not rely on obfuscation of code and processes." They trust what the users want to encrypt, just making sure the devices are not leaking the info to uninvited parties.

    As for India, this is very bad. They are just paranoid. This sets up a very bad example. They are scaring off all the business partners and hence the opportunities. Think if you are a vendor, how can you be sure that they would never do the same thing to you one day?

  8. Re:I would want this too by denis-The-menace · · Score: 2, Funny

    You mean like PGP that will now be made by Symantec?

    http://it.slashdot.org/article.pl?sid=10/04/29/1552249

    --
    Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
  9. big bussines is all about politics by Anonymous Coward · · Score: 2, Insightful

    actually Alcatel-Lucent will benefit from this. They have low priced telecom equipment and they have been replaced in many countries by even cheaper Huawei.

    But isn't this strange? They put a ban because chinese "could have spyware or malware" in their equipment. Isn't this like putting someone in jail because he might do something bad in the future?

    Here is my conspiracy theory: big companies export corruptions in the developing countries (this is a fact). Some companies could just not compete with the cheap Huawei so they paid officials for the ban. Problem solved! either this or the chinese really have spyware on their machines.

    1. Re:big bussines is all about politics by rtfa-troll · · Score: 2, Insightful

      but Indian goverment is not buying the stuff. It's the telecom operators that buy it and use it to sell services to regular citizens. The goverment could buy trusted equipment for their needs.

      The teleco stuff is the stuff you will use to call for help and communicate during a war. Since the idea of total war it has been clear that your civilian infrastructure may be targeted in war. The idea of something which lets your opposition remotely disable most of your industrial capacity is crazy. That's what Chinese exchanges represent for India.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
  10. "biggest neighbor"? by by+(1706743) · · Score: 2, Informative

    Isn't Russia China's biggest (at least by area) neighbor, not India?

  11. This really can be a problem by ThermalRunaway · · Score: 5, Interesting

    I have worked in the defense industry for a while, and used to work in the "Government" division of a major telecom company.

    One project we had worked on was encrypted cell phones for gov use. Our customers were only interested in a solution that was top to bottom US made from cleared companies. The chipset, OS, drivers, etc, were all built in the US, so there was no issue of "back doors"

    I also heard rumors at one point about some contractor actually finding mal-ware type SW embedded in the firmware of Lenovo laptops that could sort of call home to momma. I've never seen Lenovo boxes around after that.

    I think these issues are going to be bigger than just a single point in the infrastructure chain. With so much cyber activity going on, I think many countries are going to face the same sort of issue India is trying to prevent.

  12. TFA doesn't say that by Mr+Otobor · · Score: 2, Informative

    First off, TFA article doesn't mention source code; second, it quite explicitly says 'details are murky' and it is unclear what the PRC is asking for. At least as far as the article goes, that is what is said.

    Second, to some comments: Other countries already have various schemes in place for reviewing code (which doesn't preclude flaws or backdoors, intentional or not, from being included in compiled / embedded code...)

    India is saying what other countries fear, but since they are in China's backyard and vice versa, it's not surprising they're willing to go a little further and say it out loud as well as act on it. Also, as a bit of a reminder, India and China are as much --if not more so-- in competition than US/China/Europe: India has been trying to bolster it's sea power as it falls further behind China in that regard, China has close ties with Pakistan partially because Pakistan and India don't like each other particularly much, India is courting Afghanistan partially to offset Pakistan's power, etc. And let's not forget China and India have fought an actual war, albeit a fairly small one, and India lost and has never accepted the outcome.

  13. The future... by MikeRT · · Score: 2, Insightful

    The idea that corporations that bowl over the largest nation states is our future has always seemed strange to me. Multinationals are really just a legal fiction that exists simultaneously in multiple countries. At any time, a political system can create problems that will effectively bring that multinational to its knees.

    I think the future for big business is identical, only a little further out, to that of big government: replacement by small, agile businesses. Big business exists mainly because of big government and cooperation between the same. I think we're going to see a future in which each major country may trade for some tech products, but you'll see conditions begin to favor agile, much smaller businesses that can efficiently produce most important things at home.

    1. Re:The future... by ibsteve2u · · Score: 4, Interesting

      see conditions begin to favor agile, much smaller businesses that can efficiently produce most important things at home

      I tend to disagree; while conditions may differ elsewhere, our Supreme Court's transformation of corporations into super-citizens will in fact encourage corporations to become ever bigger so as to ever better afford the purchase of both political advertising and politicians. Given enough political control, a corporation can simply and effectively modify the rules of the game to make "doing business" prohibitively expensive or complex unless you are already of sufficient size.

      And they will do that; the important thing to remember is that our corporations have grown themselves to the size that they are now for the competitive advantage that size provides in the pursuit of profit; they do not, in fact, like competition, and size provides more and better opportunities to eliminate competition.

      lolll...ask Wal*Mart.

      --
      Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
  14. Actually it's security as an import regulation by M_Hulot · · Score: 4, Interesting

    The headline suggests that China is using import rules to bolster security. I think it is the other way round. They are using the demand for source code as a barrier to trade to (unfairly) help domestic firms. Not very many overseas firms are going to provide source code, leaving the market open to Chinese firms.

    1. Re:Actually it's security as an import regulation by orasio · · Score: 2, Insightful

      The headline suggests that China is using import rules to bolster security. I think it is the other way round. They are using the demand for source code as a barrier to trade to (unfairly) help domestic firms. Not very many overseas firms are going to provide source code, leaving the market open to Chinese firms.

      I would agree with you if you didn't say "(unfairly)".
      Access to source code is a legitimate security concern. Fair trade doesn't mean that you can't set high standards if foreign providers can't reach them.

  15. same thing happened in manufacturing... by Anonymous Coward · · Score: 3, Insightful

    in the 80's and 90's American manufacturers gave away their technology to the Chinese to get a piece of the huge Chinese market. This allowed the Chinese to modernize their manufacturing technology by decades in a few years. Then instead of opening their markets, China flooded the world markets and decimated the foreign competition.
    One might hope managers of corporations would learn from the past...

  16. India's isn't about Trust. by orlanz · · Score: 3, Interesting

    I think India isn't doing the restrictions for Trust or Security reasons. Their politicians couldn't care less. For the right price, they will sell you a state or two.

    It probably has more to do with keeping knock off China phones off the markets to keep the big corps happy. In India, there is rampant import of Chinese knockoff phones. An HTC becomes a HIC. They add a little line at the bottom and cut the price from $400 to $50. I kid you not. Quality control is an issue, but if you have the right connections, that won't be a problem. The phone is from the same factory that makes the name brand, its the same materials, same machines, and same people. Just the 3rd shift of lineman and it doesn't go through QC before shipment.

    So for sometime, the India government has been pressured to put a stop to this import. They haven't been very successful but that doesn't mean they don't look like they are trying. Exactly how do you stop 50 individually owned stores stuffed into an area the size of a CVS from selling the same stuff to a population that creates a massive amount of demand but isn't willing to pay like credit based Americans are. Not to mention your enforcement divisions are willing to look the other way for a dollar of that $50 sale. Additionally, the worst offenders are the politicians and those connected to them.

  17. some projects embed a timestamp of the build by Chirs · · Score: 2, Informative

    It's hard to test a linux kernel build for instance, because it embeds the time of the kernel build (and other information) into the kernel binary itself.

  18. Re:Good India is worried on this instead of sewage by webminer · · Score: 3, Insightful

    Why do obnoxious dumbasses like you bring up poverty everytime India does something good or aspires for something that only developed countries has 'rights' to? A developing country cannot aspire to have security and be able to defend itself from commie and islamic terror neighbours? Cant it become self-sufficient in space, defence and other technological advances? Because it is poor, the entire populace is doomed to live in 15th century?

  19. Re:I would want this too by Bert64 · · Score: 2, Interesting

    Not just backdoors, i have seen implementations of encryption with serious weaknesses...

    I saw a commercial encryption product which used an off the shelf 128-bit AES implementation (and their marketing literature made a big point of saying it used AES), but due to the way it derived a key from your entered passphrase there were only 2^21 possible keys making it trivially easy to brute force.

    Another package i saw used OpenSSL to handle encryption, which seems sensible - use a known good set of algorithms... Only they initialized a pseudo-random generator with a static value...

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!