HP Enterprise Let Russia Scrutinize The Pentagon's Cyberdefense Software (reuters.com)

"A Russian defense agency was allowed to review the cyberdefense software used by the Pentagon to protect its computer networks," writes new submitter quonset. "This according to Russian regulatory records and interviews with people with direct knowledge of the issue." Reuters reports: The Russian review of ArcSight's source code, the closely guarded internal instructions of the software, was part of Hewlett Packard Enterprise's effort to win the certification required to sell the product to Russia's public sector, according to the regulatory records seen by Reuters and confirmed by a company spokeswoman. Six former U.S. intelligence officials, as well as former ArcSight employees and independent security experts, said the source code review could help Moscow discover weaknesses in the software, potentially helping attackers to blind the U.S. military to a cyber attack. "It's a huge security vulnerability," said Greg Martin, a former security architect for ArcSight. "You are definitely giving inner access and potential exploits to an adversary."
It's another example of the problems security companies face when they try to do business internationally, according to Reuters. "One reason Russia requests the reviews before allowing sales to government agencies and state-run companies is to ensure that U.S. intelligence services have not placed spy tools in the software."

Long-time Slashdot reader bbsguru has his own worries. "So, opening your code for review because it is demanded by a potential customer? What could possibly go wrong? HPE may find out, and the U.S. Military is among the many clients depending on the answer."

13 of 121 comments

  1. Ordinary by Xenographic · Score: 2

    Wait until they figure out who all Microsoft has shared the Windows source code with.

    1. Re:Ordinary by fibonacci8 · Score: 3, Interesting

      Wait until they figure out who all Microsoft has shared the Windows source code with.

      Or Linux, just look at who they share the source code with!

      --
      Inheritance is the sincerest form of nepotism.
    2. Re:Ordinary by ArchieBunker · Score: 2

      Keep laughing. Wait until Poettering dreams up this new brilliant idea. Instead of having /etc and its collection of human readable text files, all system configuration settings will be kept in a binary database named REGISTRY.DAT. Redhat will love this because their business model is selling support.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
  2. Security through Obscurity? by Kaenneth · Score: 5, Insightful

    A good security product is secure even if attackers know how it works.

    1. Re:Security through Obscurity? by Anonymous Coward · Score: 4, Insightful

      If your bank is only secure as long as no one is allowed to see you handle the money, you don't have a very secure bank.

      If your software is only secure as long as no one is allowed to see it handle input, then you don't have very secure software.

      FYI: Saying that your protection is a smokescreen and magic hand waving is not as good as having good documentation detailing what the protection's limits are and where improvements can be made. The latter can be implemented with those

    2. Re:Security through Obscurity? by Frobnicator · Score: 2

      Many people think in a mutually exclusive way. EITHER a secure tool, OR a system using obscurity. Good security systems employ both. Lock it with the best tools that can be found, AND obscure all the details.

      What is described sounds just fine. A security company revealed their source code to be used by a government to show it is backdoor-free. That's typical in the security industry, and is generally not inherently a problem. The organizations should, as you described, not tell the world exactly which implementation they're using, which could include the stock version of the one being sold or a specially modified version, or even a completely different program.

      The problem is the masses don't understand that. This is SOP in security systems, not a headline news story.

      --
      //TODO: Think of witty sig statement
  3. Re:Trump lets them own the oval office... by gravewax · Score: 5, Informative

    What treason? This story is utter garbage, HP weren't revealing US secrets, they were submitting their OWN software for review to win sales. Every large company does this for governments and sometimes private sector as well. Microsoft, IBM, Apple, Oracle etc etc all do this and if they didn't they would all be a fraction of the size they are now as none of them would get international government business.

  4. Re:This is HPE by stephanruby · Score: 5, Informative

    You mean like the network-connected smart HP photocopy/scanning machines that are almost everywhere in Fortune 500 companies, government agencies, and FedEx Offices (formerly Kinko's).

    Russians having access to that would be some sweet revenge. After all, we used Xerox copiers and Xerox maintenance people to keep copies of all the documents Russian government officials photocopied for years.

  5. Obligatory relevant quote by Rick+Zeman · Score: 5, Insightful

    "The capitalists will sell us the rope with which we will hang them."

    V.I. Lenin

  6. Re:So why does the most powerful country on earth by Anonymous Coward · Score: 2, Insightful

    At the end of the day they'll sit down with their fellow global citizens and hash it all out.

    I doubt it. They'd never be able to agree upon who among them should rule the world. Human history is full of those able and willing to kill in pursuit of domination and despite all of our efforts the veneer of civilization remains thin indeed. The savage instinct is still alive and well in modern man and it doesn't take much to bring it clawing back to the surface.

    Usually to the detriment of those of us still dependent on nation-states.

    Power trumps wealth. Wealth can be stripped but real power is absolute and although the two are often found together they ought not to be confused. Vladimir Putin regularly strips and imprisons billionaires who displease him and kills those he cannot imprison. There's a lesson there on the limits of wealth and the utility of absolute power.

  7. what is wrong with you? by Tom · Score: 4, Insightful

    Sensationalist crap if I ever saw one.

    Making a source-code review is standard operating procedure for high security settings. In fact, I recommend exactly this to some of my clients (I've worked in IS before the abbreviation had a second meaning about murderous religious idiots).

    If this allowed them to discover weaknesses in the software, then maybe the US departments should've done a source-code review themselves and discovered those same weaknesses? What is wrong with the author of this crap to shout wolf because someone is doing proper security?

    "omg, the Russians tested the same rifle that our army uses! Maybe they discovered at what temperature it explodes!"

    Guys, you need to wake up over there before you find yourself plunged into a new Cold War by nonsense propaganda. Ask yourself who profits from such shit, who gets to sell more stuff thanks to articles like this, and who gets to gain more influence from the fear.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:what is wrong with you? by chill · Score: 2

      Exactly. Both Russia and China have demanded -- and gotten -- source code reviews of code from Microsoft, Cisco, IBM, and SAP. This is, and has been, standard practice for over a decade.

      This isn't news, it is sensationalist headline clickbait.

      https://venturebeat.com/2017/06/23/tech-firms-including-cisco-ibm-and-sap-allow-russian-authorities-to-review-product-source-code/ (2017)

      http://www.zdnet.com/article/microsoft-opens-source-code-to-russian-secret-service/ (2010)

      https://www.computerworld.com/article/2581562/security0/china-next-to-get-access-to-microsoft-source-code.html (2003)

      --
      Learning HOW to think is more important than learning WHAT to think.
  8. Re:So you're in favor of "security through obscuri by RightwingNutjob · Score: 3, Interesting

    Source code can contain information the binary doesn't. Like why mistakes are made and who made them, to give an example. So if there's an exploit in the binary, you find it either way. If the source code with the mistake contains comments from Sanjay at CompuGlobalHyperMegaNet in Mumbai, that tells you where else that mistake could be. If there are no mistakes in Sanjay's code, you still have a potential recruitment target. Paranoid? Yes. Unlikely? Can't say. Implausible? No.