Slashdot Mirror


McAfee Says It No Longer Will Permit Government Source Code Reviews (reuters.com)

Dustin Volz, Joel Schectman, and Jack Stubbs, reporting for Reuters: U.S.-based cyber firm McAfee said it will no longer permit foreign governments to scrutinize the source code of its products, halting a practice some security experts have warned could be leveraged by nation-states to carry out cyber attacks. Reuters reported in June that McAfee was among several Western technology companies that had acceded in recent years to greater demands by Moscow for access to source code, the instructions that control basic operations of computer equipment. The reviews, conducted in secure facilities known as "clean rooms" by Russian companies with expertise in technology testing, are required by Russian defense agencies for the stated purpose of ensuring no hidden "backdoors" exist in foreign-made software. But security experts and former U.S. officials have said those inspections provide Russia with opportunities to find vulnerabilities that could be exploited in offensive cyber operations. McAfee ended the reviews earlier this year after spinning off from Intel in April as an independent company, a McAfee spokeswoman said in an email to Reuters last week.

32 of 79 comments

  1. Re:Clickbait headline by Anonymous Coward · · Score: 2, Insightful

    Of course, the US govt doesn't need to review McAfee's source code; they already know exactly what back doors they have inserted into it, just like they claim Russia has done.

  2. Re:Maybe if Russia stops meddling in our elections by Archangel+Michael · · Score: 4, Insightful

    You mean, stop bribing Secretaries of State and former presidents under the watchful eye of the Robert Mueller FBI?

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  3. The Antivirus War is On by cloud.pt · · Score: 3, Insightful

    This is interesting news, I didn't know Russia demanded this, but I guess they wised up before, well, the US.

    I do love the tongue-in-cheek from McAfee: they're blatantly trying to get the Kaspersky US market with the patriotic card by exiting the Russian one, and going backwards on the exact thing Kaspersky has stated they would allow from US!

    Now, in all seriousness - does McAfee really think they are gonna catch any market with this? Does anyone with a 2 digit IQ still install McAfee?

    1. Re:The Antivirus War is On by Aighearach · · Score: 1

      Even an unpopular offering will likely experience increased sales when one of their biggest competitors is burning down and everybody is jumping ship.

      For example, there are probably lots of people who dislike Symantec and don't want to install their product, and those people might not know which other companies have a good product. They might only know that McAfee has been around for a long time, and try it.

      McAfee at least is easier to uninstall.

    2. Re:The Antivirus War is On by Frosty+Piss · · Score: 1

      > I do love the tongue-in-cheek from McAfee: they're blatantly trying to get the Kaspersky US market...

      McAfee is already on many of the DoD computers I use, working hard to slow them to a crawl...

      --
      If you want news from today, you have to come back tomorrow.
    3. Re:The Antivirus War is On by DontBeAMoran · · Score: 1

      Doesn't Windows come with a built-in antivirus these days?

      --
      #DeleteFacebook
    4. Re:The Antivirus War is On by Gilgaron · · Score: 1

      If the government regulations require an antivirus that meets A, B, and C, and only one company has those, then they win even if the application is a dumpster fire. You won't get any of those govt contracts without meeting their requirements.

    5. Re:The Antivirus War is On by geekmux · · Score: 1

      > Doesn't Windows come with a built-in antivirus these days?

      "It's secure. Trust me."

      Looking at the rather colorful history of the built-in browser tends to make you wonder just how many times we're gonna believe that line...

    6. Re:The Antivirus War is On by HalAtWork · · Score: 1

      It makes no sense. I'd rather more countries review it, so there's more eyes on it and less likely to have something nefarious that only benefits one or some countries.

    7. Re:The Antivirus War is On by cloud.pt · · Score: 1

      Yeah you have a fair point!

    8. Re:The Antivirus War is On by cloud.pt · · Score: 1

      If that is true it makes me cringe a bit. But then again Kaspersky use induced in stolen info so I digress...

    9. Re:The Antivirus War is On by cloud.pt · · Score: 1

      Another fair point indeed.

    10. Re:The Antivirus War is On by cloud.pt · · Score: 1

      2 digit, _positive_ IQ

      I laughed kinda hard on that one. Good job!

    11. Re:The Antivirus War is On by cloud.pt · · Score: 1

      I guess joke's on me for not making it clear. I obviously meant "at least a 2 digit IQ". And to answer your question as is: no. I believe last time I tested it I was safely on the 3 digits, and it was less than 10 years ago.

      In my defense, I'm no native English speaker. I kind of assumed "at least" could be implied when you say stuff like "anyone with", when used in a question at least.

    12. Re:The Antivirus War is On by cloud.pt · · Score: 1

      Had no idea of this. Tantalizing. Reminds me of my junior high, where all PCs also had it.

  4. Double standard, anyone? by Scarred+Intellect · · Score: 2, Insightful

    So it's OK for the US to audit Kaspersky's source code for hidden backdoors (and Kaspersky is highly regarded for offering it), but it's not OK for Russia to audit McAfee's source code for hidden backdoors.

    Because Russia.

    Did I get that right?

    1. Re:Double standard, anyone? by Anonymous Coward · · Score: 1

      There is no right or wrong. There is either wanting to do business or not.

    2. Re:Double standard, anyone? by Frosty+Piss · · Score: 4, Insightful

      > So it's OK for the US to audit Kaspersky's source code for hidden backdoors (and Kaspersky is highly regarded for offering it), but it's not OK for Russia to audit McAfee's source code for hidden backdoors.

      McAfee does not set the policies of Kaspersky as to if they let people look at the code. Whether or not it's "OK" for one company to choose one thing and another company to choose another thing is a false dynamic. Both can choose to do whatever they like.

      --
      If you want news from today, you have to come back tomorrow.
    3. Re:Double standard, anyone? by Jeremi · · Score: 2

      Really it doesn't make much difference either way.

      Unless you are as familiar with the codebase as its authors are (and you definitely won't be) and unless you are doing all of the compilation from source yourself (which you probably won't be), you're still more or less at the mercy of the software vendor.

      Even if you read all of the source code they provide you with to "prove" the program doesn't do anything nefarious, there is no guarantee that the binary you install on your computers was based on the source code you read, and not some other version of that source code with a back-door installed.

      So it comes down to the same thing -- you either trust your Anti-virus company not to spy on you, or you don't.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    4. Re:Double standard, anyone? by geekmux · · Score: 1

      > Really it doesn't make much difference either way.
      >
      > Unless you are as familiar with the codebase as its authors are (and you definitely won't be) and unless you are doing all of the compilation from source yourself (which you probably won't be), you're still more or less at the mercy of the software vendor.
      >
      > Even if you read all of the source code they provide you with to "prove" the program doesn't do anything nefarious, there is no guarantee that the binary you install on your computers was based on the source code you read, and not some other version of that source code with a back-door installed.
      >
      > So it comes down to the same thing -- you either trust your Anti-virus company not to spy on you, or you don't.

      A world full of social media narcissists who post every detail about their lives online via dozens of apps that abuse 100 back-channels of telemetry and data aggregation is worried about Nation States stealing shit via hidden anti-virus code.

      Fucking hell.

      If you're looking for a horror story, read a EULA sometime.

    5. Re:Double standard, anyone? by Oswald+McWeany · · Score: 1

      > So it's OK for the US to audit Kaspersky's source code for hidden backdoors (and Kaspersky is highly regarded for offering it), but it's not OK for Russia to audit McAfee's source code for hidden backdoors.
      >
      > Because Russia.
      >
      > Did I get that right?

      And Russia is perfectly welcome to not install McAfee on THEIR government computers. In fact, it would be wise if they didn't.

      --
      "That's the way to do it" - Punch
    6. Re:Double standard, anyone? by gravewax · · Score: 1

      If you are relying on code obscurity for a security product you are already fucked. All this does is reduce their own market. Almost every country in the world demands these security reviews/checks before use by government.

    7. Re:Double standard, anyone? by Jeremi · · Score: 1

      > A world full of social media narcissists who post every detail about their lives online via dozens of apps that abuse 100 back-channels of telemetry and data aggregation is worried about Nation States stealing shit via hidden anti-virus code.

      I was thinking more of the NSA, DOD, and other government agencies that have made the (questionable) decision to run their critical infrastructure on Windows, and now find themselves in the position of depending on Kaspersky/McAfee/etc to protect their computers against malware, and therefore having to trust said companies not to be installing malware themselves.

      Whether government agencies are full of social media narcissists or not, I don't know... I try not to spend a lot of time at government agencies :)

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    8. Re:Double standard, anyone? by Dare+nMc · · Score: 1

      > If you are relying on code obscurity for a security product you are already fucked.

      If you're relying on anti-virus for your primary security, you are already fucked. It is the "barn door was left open and the horse is out, try and close the barn door" solution. It is important that it doesn't have back doors, but everything else is just a last hope that it saves you.

      Providing the source to eyes that may make malware, if they don't also provide vulnerability feedback or sales to McAfee, is useless. Especially as AV is a cat and mouse product, where they attempt to detect malware, and the malware attempts to evade. It doesn't fit as nicely into an open security model.

  5. Re:In Russia antivirus hack you! by DontBeAMoran · · Score: 1

    In antivirus, hack Russia you!

    --
    #DeleteFacebook
  6. Re:Why are there no FOSS antivirus programs? by hackel · · Score: 1

    https://www.clamav.net/

    The fact is, researching new viruses and maintaining up-to-date signatures requires constant work, which means the need for paid employees. This is really something that should be a collaboration between all the governments of the world and provided for free, thus facilitating far greater FOSS anti-virus solutions. As it is, it's just not something that's interesting enough for anyone to want to do as a hobby. Add to that the fact that those of us running FOSS operating systems don't use anti-virus software in the first place. I think the last time I had an anti-virus application running on my own machine was in the late 90s.

  7. The Anti-Antivirus war is on by TiggertheMad · · Score: 1

    > It makes no sense. I'd rather more countries review it, so there's more eyes on it and less likely to have something nefarious that only benefits one or some countries.

    It is a two-edged sword. The more people look at the code, the more confidence you have that it isn't hiding anything. But then, you also have more people who understand how to write malware that either attacks the AV app, or is able to bypass it entirely. You can have it both ways of course, if you don't let select countries that have historically acted against US interests (cough cough Russia) look at the code.

    --
    HA! I just wasted some of your bandwidth with a frivolous sig!
  8. How do code reviews do anything? by llZENll · · Score: 2

    Enterprise software is so complex that there must be thousands of source files with hundreds of thousands of lines of code. How does a code review catch anything? If a company has a backdoor, why on earth would they provide it in a source review? Just remove the backdoor, submit the files, and pass. Source review seems like a waste of time, how do they, or did they ensure the source they were reviewing is the source that's in the application? Perhaps they did the review, compiled, packaged, then copied to memory for installation?

    1. Re:How do code reviews do anything? by Theaetetus · · Score: 1

      > Enterprise software is so complex that there must be thousands of source files with hundreds of thousands of lines of code. How does a code review catch anything? If a company has a backdoor, why on earth would they provide it in a source review? Just remove the backdoor, submit the files, and pass. Source review seems like a waste of time, how do they, or did they ensure the source they were reviewing is the source that's in the application? Perhaps they did the review, compiled, packaged, then copied to memory for installation?

      I think at a minimum, the best practices for any source code review include compiling and packaging, and at least calculating a hash of the executable and comparing it to a hash of the distributed product executable.

      I agree, you shouldn't immediately trust distributed software just because they open sourced it, but rather, the point is that you can roll your own and/or compare it to the distributed version to make sure they're the same.
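
Theaetetus's "compile, package, hash, compare" step and Jeremi's point above (that the shipped binary need not come from the reviewed source) both hinge on the build being reproducible. The following is an added example in Python, not McAfee's or any vendor's tooling: the source tree, the two build hosts and the in-memory tar "package" step are constructed stand-ins. It shows an honest vendor failing the hash check when the build embeds timestamps and accounts, passing when those are normalized, and a modified tree failing regardless.

```python
import hashlib
import io
import tarfile

# Constructed sample source tree (file name -> contents), standing in for the
# source a reviewer reads in the clean room. Not any vendor's real code.
REVIEWED_SOURCE = {
    "main.c": b"int main(void) { return run_scanner(); }\n",
    "scanner.c": b"int run_scanner(void) { return 0; }\n",
}
# Same tree with one routine the reviewer never saw (constructed).
MODIFIED_SOURCE = {**REVIEWED_SOURCE,
                   "scanner.c": b"int run_scanner(void) { undisclosed_hook(); return 0; }\n"}

# Constructed build hosts: vendor and reviewer machines differ in clock and
# account, as real machines do.
VENDOR_HOST = {"mtime": 1509494400, "uid": 1000, "uname": "build"}
REVIEW_HOST = {"mtime": 1509580800, "uid": 1234, "uname": "reviewer"}


def build_package(tree, host, reproducible):
    """Simulate 'compile and package' by writing the tree to an in-memory tar.
    A naive build stamps each entry with the host's clock and account, so two
    honest builds of identical source hash differently. A reproducible build
    normalizes those fields (the SOURCE_DATE_EPOCH idea), so the output depends
    only on the source contents."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(tree):  # fixed order; directory order is not stable
            info = tarfile.TarInfo(name)
            info.size = len(tree[name])
            if not reproducible:
                info.mtime = host["mtime"]
                info.uid = host["uid"]
                info.uname = host["uname"]
            tar.addfile(info, io.BytesIO(tree[name]))
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def review_confirms_shipped(shipped_package, reviewed_tree, reproducible):
    """Reviewer rebuilds the source they read on their own host and compares the
    hash with what the vendor shipped. Only meaningful if the build is
    reproducible; otherwise an honest vendor fails the check too."""
    rebuilt = build_package(reviewed_tree, REVIEW_HOST, reproducible)
    return sha256(rebuilt) == sha256(shipped_package)
```

A real review does this with the actual compiler and packaging toolchain pinned to the same versions on both sides; the check is only as strong as the build's determinism.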

  9. Re:Maybe if Russia stops meddling in our elections by Anonymous Coward · · Score: 1

    Found Trump's cockholster

    You keep telling yourself that.

    The "RUSSIANS STOLE THE ELECTION!!!" narrative is blowing up in Democrats' faces.

    Exclusive: In Hill interviews, top Dems denied knowledge of payments to firm behind Trump dossier

    Sitting next to Podesta during the interview: his attorney Marc Elias, who worked for the law firm that hired Fusion GPS to continue research on Trump on behalf of the Clinton campaign and DNC, multiple sources said. Elias was only there in his capacity as Podesta's attorney and not as a witness.

    On Tuesday, that law firm, Perkins Coie, wrote in a letter that it had retained Fusion GPS as part of its representation of the Clinton campaign and the DNC. The disclosure of the Democratic funding source for Fusion GPS is raising new questions for the congressional Russian investigators.

    Note also that Perkins Coie hiring Fusion GPS would have been required to be reported to the FEC:

    Hillary Clinton's Campaign Wasn't Honest About Paying for Trump Dossier

    Hillary Clinton's presidential campaign has been hit with a new complaint that alleges it tried to cover up the fact that it helped pay for the infamous "Trump Russia Dossier."

    The Washington-based Campaign Legal Center (CLC) said in a Wednesday complaint to the Federal Election Commission (FEC) that Hillary for America and the Democratic National Committee (DNC) broke campaign finance law by trying to hide payments related to the dossier...

    Note that those are CNN and Newsweek - hardly right-wing news outlets.

    That's not even getting into how Robert Mueller's FBI helped hide the bribery in the Uranium One deals that netted the Clintons $145 million....

  10. Re: Maybe if Russia stops meddling in our election by Archangel+Michael · · Score: 2

    The amount of Russian meddling in our elections is by far much less than the Obama Administration's meddling in Israeli elections. Perhaps the world should stop doing business with the US, who meddles everywhere all the time, then whines when a 100,000 Facebook ad campaign is all the "proof" of meddling by Russians that shows up.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  11. It's a "war" amongst equally untrustworthy parties by jbn-o · · Score: 1

    McAfee, Norton, and Kaspersky all have the same problem: they're all nonfree software. No one of them is more trustworthy than the others because none of them give users the freedom to run, inspect, share, and modify the program at any time for any reason.