Slashdot Mirror
Under Pressure, Western Tech Firms Including Cisco and IBM Bow To Russian Demands To Share Cyber Secrets (reuters.com)
An anonymous reader shares a Reuters report: Western technology companies, including Cisco, IBM and SAP, are acceding to demands by Moscow for access to closely guarded product security secrets, at a time when Russia has been accused of a growing number of cyber attacks on the West, a Reuters investigation has found. Russian authorities are asking Western tech companies to allow them to review source code for security products such as firewalls, anti-virus applications and software containing encryption before permitting the products to be imported and sold in the country. The requests, which have increased since 2014, are ostensibly done to ensure foreign spy agencies have not hidden any "backdoors" that would allow them to burrow into Russian systems. But those inspections also provide the Russians an opportunity to find vulnerabilities in the products' source code -- instructions that control the basic operations of computer equipment -- current and former U.S. officials and security experts said. [...] In addition to IBM, Cisco and Germany's SAP, Hewlett Packard Enterprise Co and McAfee have also allowed Russia to conduct source code reviews of their products, according to people familiar with the companies' interactions with Moscow and Russian regulatory records.
These are reasonable requests and fit perfictly within the Open Source paradigm. So what's the issue?
Oh, yeah it's Russia...
If you want news from today, you have to come back tomorrow.
They should be standard procedure by every authority dealing with security sensitive systems.
This story is the best reply to all those who claim that closed source offers intrinsically better security than open source: close source code is only closed for you.
this post contain no useful information, no need to mod it down
US Government does this. China does this. Others do. I'm only surprised they didn't start sooner.
Western technology companies, including Cisco, IBM and SAP, are acceding to demands by concerned citizens in many countries for access to closely guarded product security secrets
Weird that the companies value making a buck today over the possibility that a hostile foreign power could undermine the security of their products tomorrow. I see it as these companies throwing everyone who depends on these systems under the bus.
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
Before, no-one would have cared about Russia at all. Many openly mocked Romney years ago for saying Russia was still a threat...
Now Russia actually concerns people, not just on the right anymore but also the left. FINALLY we have some agreement that we need to be more cautious with security around Russia and that they are a major player in security breaches.
Mind you, the left has probably gone overboard on the Russia concern, but they are way closer to the correct degree of paranoia than they once were even if they overshot.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Well, except for the DAILY new information supporting the Trump - Putin - Hacker - Election axis, yes, that means everyone NOT in the Faux "News" moonbat directory.
Daily
With former FBI, NSA and CIA directors acknowledging the One Party Promoting Hacks
"We will hang the capitalists with the rope that they sell us."
W.I. Lenin
You might want to mention that to President Trump and current Homeland Security officials. He seems to think it was real. Also, to those left-wing Democratic operatives over at Voice of America.
https://www.voanews.com/a/trum...
You are welcome on my lawn.
... the Russians let me know if my Cisco router is a piece of shit.
It little behooves the best of us to comment on the rest of us.
... certainly be doing the same for IoT.
It little behooves the best of us to comment on the rest of us.
Okay, do we really want business with Russia so badly we are going to potentially exposure ourselves so freely? Wonder how Trump is enjoying this.
"Imagination is more important than knowledge" - Einstein
Sadly, its that simple.
I've always said English was my second language. Had Romeo and Juliet been written in C, I might have understood it.
Well, its not as if Cisco and Co are obliged to reveal their code. They choose to agree to the demand so as to be able to sell their products there. So that is just plain commercial interest - nothing inherently wrong there.
On a political level the adversary has a chance to spot and exploit possible flaws in said code to do Bad Things... different pair of shoes, isn't it, Donald.
Importing crypto to Russia requires two licenses.
One from their equivalent of the State Department, and one from their equivalent of the NSA.
The NSA part stopped granting licenses a while back, which is why the Chromebook crypto development group was disbanded in Moscow (and most of them ended up moving West to Finland, and started working on the same code again).
You weren't allowed to import or export computers with TPM hardware.
Hard to work on Chromebooks when you can't get Chromebooks.
I thought there were export controls on security/encryption software, specifically to prevent this technology from falling into the hands of international rivals.
Nope, no sig
WHAT evidence? Wikileaks is hardly evidence that the Russians tried to interfere. If anything, Dem administrations - both Clinton & Obama - tried interfering in foreign elections, such as Israel's.
What's there to stop the Russians from creating Chromebook VMs? That's easy to do on standard, more powerful computers. They can then work on those VMs.
McCarthy wasn't always wrong. What goes around comes around. Welcome to the New Cold War, same as the Old Cold War.
How effective is having a foreign government, potentially hostile to your country, sign an NDA, so far as preventing them from using knowledge of that source code to mount attacks targeting your specific products?
of the likes of GCHQ and the NSA to hoard vulnerabilities that they find. The Russians, and likely other ''bad guys'', are probably going to find the same set of vulnerabilities.
If they really wanted to do their job of protecting us they would tell the vendor and we would all be a lot safer.
Because a VM isn't real hardware and you miss out on a lot of platform issues when you never run your software on the real platform.
“Common sense is not so common.” — Voltaire
Yeah like you are going to do any business in Russia without going through the Russian Mafia to some degree - who cares?? The Russian Mafia is old news compared to Russian Government. Get a new hobby as yours is driving you CRAY CRAY.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
And these reviews are nothing to fear. Cone to think of it, maybe have such reviews of your products done independently and regularly anyways?
I can see nothing bad here, the Russians are doing it right.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
everyone NOT in the Faux "News" moonbat directory.
What news source isn't in the moonbat directory right now? They've all gone off the deep end as far as I can tell.
"First they came for the slanderers and i said nothing."
Maybe you should find a better way to waste your time than responding to an obvious ringer?
(ProTip: Posts from real Slashdot editor accounts are badged with the Slashdot logo.)
Il n'y a pas de Planet B.
What a misleading headline, wow.
Yes, you would want to see the source code of security products, especially if they are made in a country that constantly paints you as its #1 cyber enemy and that is known for having its secret services work closely with its IT companies. If the Kremlin had hired me for consulting, getting the source code and carefully inspecting it would've definitely been on the list of things I'd recommend.
What's next? "Russian authorities enforce self-bondage laws on all citizens, requiring the use of seatbelts" ?
Assorted stuff I do sometimes: Lemuria.org
How much of the Cold War do you think was created by people believing and/or wanting to have a Cold War?
McCarthy certainly caused many of the things he was afraid of to happen. For example, communists within the USA went underground due to his prosecutions. Before him, communism was simply another political option, like the Green party is today.
Assorted stuff I do sometimes: Lemuria.org
I'd get the point if you're talking about hardware that's very different from the host hardware. Like if you were talking about a Solaris/SPARC VM on a Windows Server. But in the case of Chromebooks, the hardware is a feature subset of the host: it's usually an Atom based netbook running ChromeOS. So the hardware should be rather trivial to duplicate on the VM, even if the OS is very different.
If you can do a TPM in a VM, it's strong cryptography.
Which you are not allowed to have without a license from two agencies in Russia.
It's also a waste of time, when you have actual hardware available, but you are not allowed to take it into or out of the country.
If the things will never be allowed to be sold in Russia, why pay a Russian team to work on something that's never going to impact their market? How can they be expected to come up with clever or innovative new things, when all they have is their imagination about how they might be used, rather than actually using them themselves?
But seriously: if you could build software TPMs that are as useful and secure as a hardware TPM, why would you ever buy a hardware TPM again?
Except the TPM, of course. And the Cellular modem. And the camera controller. And the PMU.
An emulator isn't the same as a simulator.
That's what TRUMP wants you to think, prevent Democratic elections!