Slashdot Mirror
FBI Software For Analyzing Fingerprints Contains Russian-Made Code, Whistleblowers Say (buzzfeed.com)
schwit1 shares an exclusive report via BuzzFeed: The fingerprint-analysis software used by the FBI and more than 18,000 other U.S. law enforcement agencies contains code created by a Russian firm with close ties to the Kremlin, according to documents and two whistleblowers. The allegations raise concerns that Russian hackers could gain backdoor access to sensitive biometric information on millions of Americans, or even compromise wider national security and law enforcement computer systems. The Russian code was inserted into the fingerprint-analysis software by a French company, said the two whistleblowers, who are former employees of that company. The firm -- then a subsidiary of the massive Paris-based conglomerate Safran -- deliberately concealed from the FBI the fact that it had purchased the Russian code in a secret deal, they said. The Russian company whose code ended up in the FBI's fingerprint-analysis software has Kremlin connections that should raise similar national security concerns, said the whistleblowers, both French nationals who worked in Russia. The Russian company, Papillon AO, boasts in its own publications about its close cooperation with various Russian ministries as well as the Federal Security Service -- the intelligence agency known as the FSB that is a successor of the Soviet-era KGB and has been implicated in other hacks of U.S. targets.
Cybersecurity experts said the danger of using the Russian-made code couldn't be assessed without examining the code itself. But "the fact that there were connections to the FSB would make me nervous to use this software," said Tim Evans, who worked as director of operational policy for the National Security Agency's elite cyberintelligence unit known as Tailored Access Operations and now helps run the cybersecurity firm Adlumin. The FBI's overhaul of its fingerprint-recognition technology, unveiled in 2011, was part of a larger initiative known as Next Generation Identification to expand the bureau's use of biometrics, including face- and iris-recognition technology. The TSA also relies on the FBI fingerprint database.
Cybersecurity experts said the danger of using the Russian-made code couldn't be assessed without examining the code itself. But "the fact that there were connections to the FSB would make me nervous to use this software," said Tim Evans, who worked as director of operational policy for the National Security Agency's elite cyberintelligence unit known as Tailored Access Operations and now helps run the cybersecurity firm Adlumin. The FBI's overhaul of its fingerprint-recognition technology, unveiled in 2011, was part of a larger initiative known as Next Generation Identification to expand the bureau's use of biometrics, including face- and iris-recognition technology. The TSA also relies on the FBI fingerprint database.
This anti-Russia hysteria is really jumping the shark about now. A Russian company makes biometric software. Naturally, being Russian, they have 'close ties to the Kremlin', and are no doubt putting in nefarious backdoors to purloin the biometric data of unsuspecting Americans. Because, you know, Russia.
This is worse than the Kaspersky stupidity, which is saying something.
I thought that architecture and the base code in the Linux networking protocol stack was mostly written by some guy in Russia. Can anyone here confirm that?
If true, it therefore must follow that Putin has my browser history. And yours. Also everything we ever did online.
That seems to be about the standard for panic being followed. here.
Can nobody with skills be found in the USA to be trusted to work on US computer systems for US law enforcement?
Do people in the US private sector get invited to work on US law enforcement sensitive software?
Does the FBI not trust US experts with security clearances to write quality code on time for the FBI?
Has the FBI had some bad past experiences software created and supported domestiaclly?
Did the US workers sell or copy code from law enfacement for another nations/criminal groups/their own use so it was time to trust something different?
What do programmers in other nations like France have that the FBI cannot find in security cleared graduates and engineers domestically?
What did the French do better in the math and science education that they can out smart everyone in the US that could have completed a US law enforcement sensitive project?
What did the French do that so that impressed the FBI during the procurement that locked out people from the USA?
Did the French software do calculations on US hardware faster? Was the GUI more pretty and more ready for law enforcement needs? Did it work with other US law enforcement databases in better ways?
What can loyal, hardworking US brands do to win back the trust of the FBI and once again sell quality US designed software to the US government again?
Domestic spying is now "Benign Information Gathering"
npm deploy tinfoil-hat --save-dev There's no Russian code on github, is there?
..all roads lead to russia
(about time we start a new meme dont you think?)
When you outsource everything there is not much more left Made in USA. The only choice you have left is if you want a code from Russia, post-Russian countries, China, or India.
You're onto something there. The question I think we should be asking though is why wasn't there an audit?
Face it, its Putin that's the problem here, blaming this to a wider Russian problem is not correct. Putin fears elections because he jails his opponents, so he isn't representative of the whole of Russia.
What's needed is regime change in Russia.
It's Putin that ordered the attack on the US elections, it's Putin that is cocky enough to threaten the major democracies around the world, it's *Putin*, it's Putin's paymaster that Erick Prince met in the Seychelles, again and again it's Putin and his little circle of helpers that are the problem here.
The reason this code cannot be trusted is because its from companies in Putin's little circle of helpers in the FSB. You can't have network accessible code from the Russian FSB in the FBI's code base. That's fooking dumb.
"This is worse than the Kaspersky stupidity,"
Kaspersky scans code for signatures and UPLOADS the code it doesn't have a signature for to their own servers for analysis. FFS, every company has exposed their corporate software to Kaspersky unknowingly. You can kid yourself they're benign about it, but are you really that naive? Do you lock your office door when you go out??
Go fuck yourself, you damn dirty ape.
If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
To be fair, I think it's reasonable to expect that our trade partnership with China is much more profitable to them than another cold war. This actually can't really be said for our trade partnership with Russia even on a good day. (And I don't necessarily think that's Russia's fault, but I don't see how this behavior is going to fix anything, either.)
Hey man, you are good.
If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
Re "code is audited"?
Who knows the ways of the French programmes really well?
The English.
They live next door to France and are subjected to their computer programmes every year.
People working for the FBI should take the French code over to the experts in the UK.
A few months of intensive code work to find the Russian code litter in the French code while staying in the UK should get results for the US.
Domestic spying is now "Benign Information Gathering"
US competitors could FIOA an audit and find out why their good quality software was not selected for FBI use.
Think of the trade implications if the USA used secure US software and did not allow EU software equal access to make code for the US gov.
France would be upset at the USA for not considering French software.
Domestic spying is now "Benign Information Gathering"
Just because code is written by russians with connections to the FSB doesn't mean it's necessarily bad...
The fact that russians wrote or at some point had access to the code doesn't automatically give them access to data that the code is later processing, unless there are backdoor in the code allowing them to gain access and there aren't some other mitigating factors (network filters, airgap etc) which prevent them from accessing the backdoor.
Considering that the code analyzes fingerprints, who would have a need for such code? Chances are the FSB need to analyze fingerprints in much the same way the FBI do. It makes sense to collaborate with others who have similar requirements, as this will decrease your development costs. You just need to check the code thoroughly to ensure it works as you want it to. The russians will be doing their own checks during collaborative development, as they will be equally concerned that some of the code was written by people connected to the FBI.
The key point is understanding what your doing, and understanding what code you're running. Who wrote it doesn't matter, so long as it does the job it's supposed to.
Plus consider this, if the FSB wanted to get malicious code onto an american system they would go to great lengths to disguise the origin of the code, which doesn't seem to be the case here.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Some of the Indians that are doing contracting work on western software are putting in backdoors for Russians, who then replace it with a different one and then let the code sit for a bit. This is why Microsoft has done tons of work to secure windows and yet the penetration rate on the most advanced continues to stay high. If CIOs continue to pay other nations such low money, then it should not be surprising that this has been going on for over 10 years.
I prefer the "u" in honour as it seems to be missing these days.
Enough of this BHO-Hillary "red-baiting".
History, based on the Soviet archives and the Venona intercepts, has proven McCarthy was broadly and often specifically, correct.
for the U.S. The vast majority of the world's software is made and sold by U.S. companies. If these software paranoia stories incite a global panic so that every country only "trusts" software made domestically, the biggest loser is going to be the U.S.
Some 20 years I worked on a big budget (it involved Satellites...) project. One of my co-workers was from Russia, and was his wife. Once you ran his code through indent it was pretty sweet stuff. He was a great guy, his wife was a wonderful woman, and last I saw of him his wife was 8 months pregnant. The joys of being a consultant at the end of the project.
// Seriously, Alex indented 1 column at a time, no blank lines anywhere, no whitespace in for/while loops, etc
/// After indent his code was beautiful.
/ we used to joke that in Russia they charged for whitespace
Note that US Army uses algebra to calculate trajectories of ballistic missiles. And algebra was developed in Islamic aliphate in IX century.
BTW, Russians in Kremlin use American software such as Wndows or MS Office. Moreover some years ago Russian President Medvedev accepted an iPhone as a gift from Jobs.
A system with millions of fingerprints and who knows what other demographic and biometric data should be air-gapped out of principle. That's an information gold mine that will be a prime target for every bad actor on the planet, state-sponsored or not.
History has proven that every propaganda frenzy tries to use information with a relation to reality where beneficial, but doesn't really care much.
In this case hacking is a good example: states hack other states all the time. It's the accepted 'normal' state of affairs. When you're building up a campaign part of your agenda will be taken by taking these 'base level nastiness' from your opponent and whipping up mock outrage about them.
It's just part of the toolkit. Another part is innuendo and connecting the dots. This allows to build up the mindset where the slightest reference to Russians is enough to reinforce the mccarthian campaign. Most of what the press does autonomously is jumping on bandwagons and helping to build up momentum. In this case every hint of a connection to anything russian is enough for a story implying a nefarious Russian plan without actually stating it as a fact. After a while you get to the stage of 'everybody knows'. Maybe you've heard of The Mighty Wurlitzer.
History has proven McCarthy was an extremely harmful person.
Note how whisthleblower used to mean someone who exposes internal problems as a last resort to get them fixed , for the greater benefit, and at huge personal cost.
Now every official (anonymous) leaker becomes a whistleblower. The original whistleblower is just a traitor.
These guys, Hala and Desbois, are ex employees who make a problem out of nothing. Why are they considered whistleblowers?
And the rest of the world uses computers, smartphones, cpus and gadgets with software-code partly made in USA... So should the rest of the world stop using technology alltogether?!?
Well, someone did - Safran.
Almost all the internet connected devices in America are made in China, including most of the stuff used by FBI. Which gives more opportunities for mischief? A source code or unseeable embedded device controlling software?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
That sounds like Safran's job first, and I see no reason to assume they didn't do it. Seriously, what company is going to buy code and then not read it?
And as it happens, the unnecessarily lengthy article quotes the FBI saying that yes, they did audit the code. The whistleblowers, on the other hand, did not work on the code so they can't actually speak to it's content. Which they aren't, the whistle is being blown because buying Russian code and hiding that fact is a no-no.
Why? The FBI already audited it. It's in the full article. Which is way too long and seems intent on creating baseless fears.
So you're saying the FBI isn't smart enough to be able to put this software in a machine on an untrusted network, and firewall it so that it can only connect to a specific host, and not leak info back to any possible other sites in the world?
It's obvious this is just more Red Baiting, straight from the 1950s. Fsck that noise.
But they could have got a free trip to the EU. Thats the point of using French software. The visits to the EU to keep up with what the FBI wants and needs.
Whats the point of using a French company if the code gets audited in the USA?
Get a few months in France to observe the audit.
Work in a fact-finding mission to Germany, Italy and Ireland to see what French software they use with their police.
Then to the UK to understand why not to trust any French software.
Domestic spying is now "Benign Information Gathering"
"known as the FSB that is a successor of the Soviet-era KGB" both FSB (federal security agency) and KGB (national security committee) properly translate to English (what people actually understand beneath each word) as a National Security Agency.
Except closed source from say Microsoft is no better than from a Russian company.
That depends on your perspective and nationality to some extent.
As a US citizen, I would trust Russian software more than US-produced software if I'm more concerned with securing my data and communications against the US government's domestic spying than I am the FSB actually caring anything at all about me individually. I'm far, far more likely to be personally harmed by and have far, far more to fear from the US government than the Russians or anyone else, for that matter.
Having been born in the '50s and witnessed a lot of recent history firsthand, I don't think the current political fashion trend over the last few decades of basically giving the feds more money and powers to "fix" things whenever there's any problem...real or perceived...is going so well.
The Rule of Law has most definitely suffered to the point that it is now in ICU on life support. Unless people wake up, and real soon, the prognosis is fucking horrifying and bloody.
Tick-Tock
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
Well, thin excuses to take a vacation on the taxpayer's dime aside...
Who in the DoJ really wants another drive out to the tri state area to talk with a safe, boring, normal, loyal US contractor?
Win a French company wins, everyone win. A few flights to the EU over the use and upgrade of that software.
Domestic spying is now "Benign Information Gathering"