Slashdot Mirror


Under Pressure, Western Tech Firms Including Cisco and IBM Bow To Russian Demands To Share Cyber Secrets (reuters.com)

An anonymous reader shares a Reuters report: Western technology companies, including Cisco, IBM and SAP, are acceding to demands by Moscow for access to closely guarded product security secrets, at a time when Russia has been accused of a growing number of cyber attacks on the West, a Reuters investigation has found. Russian authorities are asking Western tech companies to allow them to review source code for security products such as firewalls, anti-virus applications and software containing encryption before permitting the products to be imported and sold in the country. The requests, which have increased since 2014, are ostensibly done to ensure foreign spy agencies have not hidden any "backdoors" that would allow them to burrow into Russian systems. But those inspections also provide the Russians an opportunity to find vulnerabilities in the products' source code -- instructions that control the basic operations of computer equipment -- current and former U.S. officials and security experts said. [...] In addition to IBM, Cisco and Germany's SAP, Hewlett Packard Enterprise Co and McAfee have also allowed Russia to conduct source code reviews of their products, according to people familiar with the companies' interactions with Moscow and Russian regulatory records.

18 of 111 comments

  1. I'd want to know, too. by Frosty+Piss · · Score: 5, Insightful

    These are reasonable requests and fit perfectly within the Open Source paradigm. So what's the issue?

    Oh, yeah it's Russia...

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:I'd want to know, too. by rmandevi · · Score: 5, Insightful

      If they're sharing the code with everybody, that's good engineering practice. This raises the possibility that a White Hat will discover a bug and report it to the vendor, who can then close the hole.

      If they're sharing it with only Russia, this puts them in a privileged position to exploit those bugs without reporting them. Clearly, this increases the odds of a breach. This isn't because it's Russia, either; sharing with any one entity, unless you absolutely trust them to report all the flaws they find, causes the same problem.

      --
      People who live in glass houses shouldn't walk and text.
    2. Re:I'd want to know, too. by ShanghaiBill · · Score: 4, Insightful

      These are reasonable requests and fit perfectly within the Open Source paradigm. So what's the issue?

      The Open Source paradigm is that with many eyes all bugs are shallow. But in this case, there are not many eyes, only a few Russian eyes, and those eyes are at least potentially hostile.

      If they want to give the Russians access, it would be wise to also give more source access to friendly eyes, such as Western security experts, along with some bug bounties to incentivise them.

    3. Re:I'd want to know, too. by Frosty+Piss · · Score: 5, Insightful

      If they want to give the Russians access, it would be wise to also give more source access to friendly eyes, such as Western security experts, along with some bug bounties to incentivise them.

      Who says they haven't? My guess is the NSA has looked at the code...

      --
      If you want news from today, you have to come back tomorrow.
    4. Re: I'd want to know, too. by Anonymous Coward · · Score: 3, Insightful

      Do you honestly think that US agencies don't have access to the source code of US products? I can't imagine the Department of Defense running Cisco routers without inspecting the source code first. Can you imagine US agencies running Chinese products and wouldn't it be reasonable to ask them to disclose their source code before you buy from them?

      I mean Cisco don't HAVE to sell to Russia and Russia doesn't have to buy their stuff. They can go for Huawei instead and I am pretty sure they will get the source for that.

    5. Re:I'd want to know, too. by ShanghaiBill · · Score: 2, Interesting

      Who says they haven't? My guess is the NSA has looked at the code...

      The NSA doesn't report bugs and vulnerabilities back to the tech company.

      If I had a choice of disclosing my source code to either the Russians or the NSA, I would pick the Russians.

    6. Re: I'd want to know, too. by ShanghaiBill · · Score: 2

      Do you honestly think that US agencies don't have access to the source code of US products?

      Do you honestly think that these agencies are "friendly eyes"?

    7. Re:I'd want to know, too. by OrangeTide · · Score: 2

      If I had a choice of disclosing my source code to either the Russians or the NSA, I would pick the Russians.

      I strongly disagree, I say this having worked at Cisco when Russian companies were building and selling clones of Cisco gear, and firmware updates with hacked licenses.

      --
      “Common sense is not so common.” — Voltaire
    8. Re:I'd want to know, too. by Tom · · Score: 2

      If they're sharing it with only Russia,

      What makes you think the US or other western governments didn't ask for the source code and had it inspected?

      --
      Assorted stuff I do sometimes: Lemuria.org
  2. Code audits shouldn't be suspicious by Hentes · · Score: 3, Interesting

    They should be standard procedure by every authority dealing with security sensitive systems.

  3. A headline you'll never see... by mnemotronic · · Score: 2
    A headline you'll never see...

    Western technology companies, including Cisco, IBM and SAP, are acceding to demands by concerned citizens in many countries for access to closely guarded product security secrets

    Weird that the companies value making a buck today over the possibility that a hostile foreign power could undermine the security of their products tomorrow. I see it as these companies throwing everyone who depends on these systems under the bus.

    --
    The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
  4. This is the absolute best effect of Trump elected by SuperKendall · · Score: 2

    Before, no-one would have cared about Russia at all. Many openly mocked Romney years ago for saying Russia was still a threat...

    Now Russia actually concerns people, not just on the right anymore but also the left. FINALLY we have some agreement that we need to be more cautious with security around Russia and that they are a major player in security breaches.

    Mind you, the left has probably gone overboard on the Russia concern, but they are way closer to the correct degree of paranoia than they once were even if they overshot.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  5. And Why are we saying "yes"? by evolutionary · · Score: 2

    Okay, do we really want business with Russia so badly we are going to potentially expose ourselves so freely? Wonder how Trump is enjoying this.

    --
    "Imagination is more important than knowledge" - Einstein
  6. Re:This is the absolute best effect of Trump elect by nnet · · Score: 4, Insightful

    McCarthy wasn't always wrong. What goes around comes around. Welcome to the New Cold War, same as the Old Cold War.

  7. This is why it is so stupid ... by Alain+Williams · · Score: 3, Insightful

    of the likes of GCHQ and the NSA to hoard vulnerabilities that they find. The Russians, and likely other "bad guys", are probably going to find the same set of vulnerabilities.

    If they really wanted to do their job of protecting us they would tell the vendor and we would all be a lot safer.

  8. Re:Fake red scare by phantomfive · · Score: 2

    everyone NOT in the Faux "News" moonbat directory.

    What news source isn't in the moonbat directory right now? They've all gone off the deep end as far as I can tell.

    --
    "First they came for the slanderers and i said nothing."
  9. Re:Many governments do this by AHuxley · · Score: 2

    Companies that wanted to sell to the US gov often show their code in full too.

    --
    Domestic spying is now "Benign Information Gathering"
  10. Re:This is the absolute best effect of Trump elect by Tom · · Score: 2

    How much of the Cold War do you think was created by people believing and/or wanting to have a Cold War?

    McCarthy certainly caused many of the things he was afraid of to happen. For example, communists within the USA went underground due to his prosecutions. Before him, communism was simply another political option, like the Green party is today.

    --
    Assorted stuff I do sometimes: Lemuria.org