Slashdot Mirror


McAfee Says It No Longer Will Permit Government Source Code Reviews (reuters.com)

Dustin Volz, Joel Schectman, and Jack Stubbs, reporting for Reuters: U.S.-based cyber firm McAfee said it will no longer permit foreign governments to scrutinize the source code of its products, halting a practice some security experts have warned could be leveraged by nation-states to carry out cyber attacks. Reuters reported in June that McAfee was among several Western technology companies that had acceded in recent years to greater demands by Moscow for access to source code, the instructions that control basic operations of computer equipment. The reviews, conducted in secure facilities known as "clean rooms" by Russian companies with expertise in technology testing, are required by Russian defense agencies for the stated purpose of ensuring no hidden "backdoors" exist in foreign-made software. But security experts and former U.S. officials have said those inspections provide Russia with opportunities to find vulnerabilities that could be exploited in offensive cyber operations. McAfee ended the reviews earlier this year after spinning off from Intel in April as an independent company, a McAfee spokeswoman said in an email to Reuters last week.

8 of 79 comments

  1. Re:Clickbait headline by Anonymous Coward · Score: 2, Insightful

    Of course, the US govt doesn't need to review McAfee's source code, they already know exactly what back doors they have inserted into it, just like they claim Russia has done.

  2. Re:Maybe if Russia stops meddling in our elections by Archangel Michael · Score: 4, Insightful

    You mean, stop bribing Secretaries of State, former presidents under the watchful eye of the Robert Mueller FBI?

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.

  3. The Antivirus War is On by cloud.pt · Score: 3, Insightful

    This is interesting news, I didn't know Russia demanded this, but I guess they wised up before, well, the US.

    I do love the tongue-in-cheek from McAfee: they're blatantly trying to get the Kaspersky US market with the patriotic card by exiting the Russian one, and going backwards on the exact thing Kaspersky has stated they would allow from US!

    Now, in all seriousness - does McAfee really think they are gonna catch any market with this? Does anyone with a 2 digit IQ still install McAfee?

  4. Double standard, anyone? by Scarred Intellect · Score: 2, Insightful

    So it's OK for the US to audit Kaspersky's source code for hidden backdoors (and Kaspersky is highly regarded for offering it), but it's not OK for Russia to audit McAfee's source code for hidden backdoors.

    Because Russia.

    Did I get that right?

    1. Re:Double standard, anyone? by Frosty Piss · Score: 4, Insightful

      So it's OK for the US to audit Kaspersky's source code for hidden backdoors (and Kaspersky is highly regarded for offering it), but it's not OK for Russia to audit McAfee's source code for hidden backdoors.

      McAfee does not set the policies of Kaspersky as to if they let people look at the code. Whether or not it's "OK" for one company to choose one thing and another company to choose another thing is a false dynamic. Both can choose to do whatever they like.

      --
      If you want news from today, you have to come back tomorrow.

    2. Re:Double standard, anyone? by Jeremi · Score: 2

      Really it doesn't make much difference either way.

      Unless you are as familiar with the codebase as its authors are (and you definitely won't be) and unless you are doing all of the compilation from source yourself (which you probably won't be), you're still more or less at the mercy of the software vendor.

      Even if you read all of the source code they provide you with to "prove" the program doesn't do anything nefarious, there is no guarantee that the binary you install on your computers was based on the source code you read, and not some other version of that source code with a back-door installed.

      So it comes down to the same thing -- you either trust your Anti-virus company not to spy on you, or you don't.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.

  5. How do code reviews do anything? by llZENll · Score: 2

    Enterprise software is so complex that there must be thousands of source files with hundreds of thousands of lines of code. How does a code review catch anything? If a company has a backdoor, why on earth would they provide it in a source review? Just remove the backdoor, submit the files, and pass. Source review seems like a waste of time, how do they, or did they ensure the source they were reviewing is the source that's in the application? Perhaps they did the review, compiled, packaged, then copied to memory for installation?

  6. Re: Maybe if Russia stops meddling in our election by Archangel Michael · Score: 2

    The amount of Russian Meddling in our elections is, by far, much less than the Obama Administration Meddling in Israeli elections. Perhaps the world should stop doing business with the US who meddles everywhere all the time, then whines when a 100,000 Facebook ad campaign is all the "proof" of meddling by Russians shows up.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.