Under Pressure, Western Tech Firms Including Cisco and IBM Bow To Russian Demands To Share Cyber Secrets (reuters.com)
An anonymous reader shares a Reuters report: Western technology companies, including Cisco, IBM and SAP, are acceding to demands by Moscow for access to closely guarded product security secrets, at a time when Russia has been accused of a growing number of cyber attacks on the West, a Reuters investigation has found. Russian authorities are asking Western tech companies to allow them to review source code for security products such as firewalls, anti-virus applications and software containing encryption before permitting the products to be imported and sold in the country. The requests, which have increased since 2014, are ostensibly done to ensure foreign spy agencies have not hidden any "backdoors" that would allow them to burrow into Russian systems. But those inspections also provide the Russians an opportunity to find vulnerabilities in the products' source code -- instructions that control the basic operations of computer equipment -- current and former U.S. officials and security experts said. [...] In addition to IBM, Cisco and Germany's SAP, Hewlett Packard Enterprise Co and McAfee have also allowed Russia to conduct source code reviews of their products, according to people familiar with the companies' interactions with Moscow and Russian regulatory records.
These are reasonable requests and fit perfectly within the Open Source paradigm. So what's the issue?
Oh, yeah it's Russia...
If you want news from today, you have to come back tomorrow.
The "Russia hacked the election" narrative is DNC/MSM political fiction. The rest of the world isn't paying any attention and it's business as usual.
They should be standard procedure by every authority dealing with security sensitive systems.
This story is the best reply to all those who claim that closed source offers intrinsically better security than open source: closed source code is only closed for you.
this post contains no useful information, no need to mod it down
American agencies have been doing this for decades now, but it's apparently a story when the Russians do it...
Captcha: stench
There is a very easy solution to this - open source the proprietary code :-)
US Government does this. China does this. Others do. I'm only surprised they didn't start sooner.
It is to be expected that the US agencies have had access to the source code for years, so it is not unreasonable for other countries to want to review the code too. As long as it is a technical review (and not cover for corporate espionage) this could be a good thing to help make everyone feel more comfortable (if the Russians buy the devices after reviewing the code, it is unlikely that they saw lots of backdoors).
I'm glad the US, British and western governments never do such things. /s
Western technology companies, including Cisco, IBM and SAP, are acceding to demands by concerned citizens in many countries for access to closely guarded product security secrets
Weird that the companies value making a buck today over the possibility that a hostile foreign power could undermine the security of their products tomorrow. I see it as these companies throwing everyone who depends on these systems under the bus.
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
Before, no-one would have cared about Russia at all. Many openly mocked Romney years ago for saying Russia was still a threat...
Now Russia actually concerns people, not just on the right anymore but also the left. FINALLY we have some agreement that we need to be more cautious with security around Russia and that they are a major player in security breaches.
Mind you, the left has probably gone overboard on the Russia concern, but they are way closer to the correct degree of paranoia than they once were even if they overshot.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
"We will hang the capitalists with the rope that they sell us."
W.I. Lenin
Sorry, Google won't let me search social security numbers. Who does that one belong to?
"are ostensibly done to ensure foreign spy agencies have not hidden any "backdoors""
"Ostensibly"? The US government has a verified history of sneaking malicious items into commercial electronics. The Cisco router fiasco, the Iraq printer chips, the printer watermarks are just a few of the more well known ones. Foreign governments have good reason to be wary of US computer hardware/software.
... the Russians let me know if my Cisco router is a piece of shit.
It little behooves the best of us to comment on the rest of us.
... certainly be doing the same for IoT.
Okay, do we really want business with Russia so badly we are going to potentially expose ourselves so freely? Wonder how Trump is enjoying this.
"Imagination is more important than knowledge" - Einstein
Sadly, it's that simple.
I've always said English was my second language. Had Romeo and Juliet been written in C, I might have understood it.
Well, it's not as if Cisco and Co are obliged to reveal their code. They choose to agree to the demand so as to be able to sell their products there. So that is just plain commercial interest - nothing inherently wrong there.
On a political level the adversary has a chance to spot and exploit possible flaws in said code to do Bad Things... different pair of shoes, isn't it, Donald.
Importing crypto to Russia requires two licenses.
One from their equivalent of the State Department, and one from their equivalent of the NSA.
The NSA part stopped granting licenses a while back, which is why the Chromebook crypto development group was disbanded in Moscow (and most of them ended up moving West to Finland, and started working on the same code again).
You weren't allowed to import or export computers with TPM hardware.
Hard to work on Chromebooks when you can't get Chromebooks.
I thought there were export controls on security/encryption software, specifically to prevent this technology from falling into the hands of international rivals.
Nope, no sig
I work making security products for a big company. Not one of those listed in TFS, but you use their products.
Yes we share design details and source code with governments and other big customers, under NDA. It's normal practice. They need a reason to trust the product. We want to sell it to them. The value is not in the source code. It's in the trust that customers have in the product.
We aren't acceding to demands. Someone sends an email. We pull in a lawyer who does the NDAs (if we don't already have one) and then have a couple of meetings to find out what they are after and to go over the design and code.
A nice thing about governments is that they are usually well informed customers. They have experts who can ask difficult and pertinent questions that help in understanding your own designs from a security perspective.
There is nothing new here. Move along.
What's there to stop the Russians from creating Chromebook VMs? That's easy to do on standard, more powerful computers. They can then work on those VMs.
what's with all these ^9 numbers, are you fucking kids? god damned millennials.
McCarthy wasn't always wrong. What goes around comes around. Welcome to the New Cold War, same as the Old Cold War.
of the likes of GCHQ and the NSA to hoard vulnerabilities that they find. The Russians, and likely other ''bad guys'', are probably going to find the same set of vulnerabilities.
If they really wanted to do their job of protecting us they would tell the vendor and we would all be a lot safer.
Because a VM isn't real hardware and you miss out on a lot of platform issues when you never run your software on the real platform.
“Common sense is not so common.” — Voltaire
Yeah like you are going to do any business in Russia without going through the Russian Mafia to some degree - who cares?? The Russian Mafia is old news compared to Russian Government. Get a new hobby as yours is driving you CRAY CRAY.
The NSA already knows about the vulnerabilities and refuses to tell the U.S. companies about them.
They [capitalists] will furnish credits which will serve us for the support of the Communist Party in their countries and, by supplying us materials and technical equipment which we lack, will restore our military industry necessary for our future attacks against our suppliers. To put it in other words, they will work on the preparation of their own suicide.
And these reviews are nothing to fear. Come to think of it, maybe have such reviews of your products done independently and regularly anyways?
I can see nothing bad here, the Russians are doing it right.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Don't throw all of us into one pot.
I see you choosing geological areas however convenient. Fuck that.
> Well, except for the DAILY new information supporting the Trump - Putin - Hacker - Election axis, yes
Highly placed anonymous intelligence sources from the Obama administration, as well as seventeen US intelligence agencies, tell me that all of that information was fabricated out of thin air by people making up quotes. While I was not able to analyze the servers myself, the reports I was shown have given me high confidence that it's pure hokum. If you doubt me, I will be happy to supply some memos that I wrote which confirm that my version of the story is accurate.
So who are you to discount all of these intelligence agencies?
"The Russian Mafia is old news compared to Russian Government"
There's a big overlap between them.
> Many openly mocked Romney years ago for saying Russia was still a threat...
No, we mocked him for his outdated response which was to act like Reagan did, or possibly Nixon, or even Eisenhower.
Notice how Romney frittered around about "bomber gaps" and "battleships in mothballs" instead of actual problems with Russia.
Fuck, old Mittens probably agreed with them on assaulting homosexuals. I'd give a 50% chance he didn't even realize WE were the ones who invaded Afghanistan.
McCarthy thought there were about 20 to 30 Russian spies working in the US government. When the USSR fell and their files opened up we learned they had closer to 300 spies in extremely high places in the government.
McCarthy wasn't just right, he was actually less paranoid than he should have been. Yet today, despite all the proof to the contrary leftists still use his name like he was the boogeyman, all because Hollywood got exposed as the anti-American shit stains they were/are.
Somebody's upset that McCarthy wasn't able to find the spies, just randomly attacking people like the drunken boor he was.
Go ahead, though, claim Hollywood was exposed as anti-American, and make yourself a proud example of everything that was wrong with McCarthy.
What a misleading headline, wow.
Yes, you would want to see the source code of security products, especially if they are made in a country that constantly paints you as its #1 cyber enemy and that is known for having its secret services work closely with its IT companies. If the Kremlin had hired me for consulting, getting the source code and carefully inspecting it would've definitely been on the list of things I'd recommend.
What's next? "Russian authorities enforce self-bondage laws on all citizens, requiring the use of seatbelts" ?
Assorted stuff I do sometimes: Lemuria.org
How much of the Cold War do you think was created by people believing and/or wanting to have a Cold War?
McCarthy certainly caused many of the things he was afraid of to happen. For example, communists within the USA went underground due to his prosecutions. Before him, communism was simply another political option, like the Green party is today.
Every single person McCarthy exposed was later proven to be a Russian spy. Every. Single. One.
I'd get the point if you're talking about hardware that's very different from the host hardware. Like if you were talking about a Solaris/SPARC VM on a Windows Server. But in the case of Chromebooks, the hardware is a feature subset of the host: it's usually an Atom based netbook running ChromeOS. So the hardware should be rather trivial to duplicate on the VM, even if the OS is very different.
If you can do a TPM in a VM, it's strong cryptography.
Which you are not allowed to have without a license from two agencies in Russia.
It's also a waste of time, when you have actual hardware available, but you are not allowed to take it into or out of the country.
If the things will never be allowed to be sold in Russia, why pay a Russian team to work on something that's never going to impact their market? How can they be expected to come up with clever or innovative new things, when all they have is their imagination about how they might be used, rather than actually using them themselves?
But seriously: if you could build software TPMs that are as useful and secure as a hardware TPM, why would you ever buy a hardware TPM again?
Except the TPM, of course. And the Cellular modem. And the camera controller. And the PMU.
An emulator isn't the same as a simulator.