Slashdot Mirror


FBI Software For Analyzing Fingerprints Contains Russian-Made Code, Whistleblowers Say (buzzfeed.com)

schwit1 shares an exclusive report via BuzzFeed: The fingerprint-analysis software used by the FBI and more than 18,000 other U.S. law enforcement agencies contains code created by a Russian firm with close ties to the Kremlin, according to documents and two whistleblowers. The allegations raise concerns that Russian hackers could gain backdoor access to sensitive biometric information on millions of Americans, or even compromise wider national security and law enforcement computer systems. The Russian code was inserted into the fingerprint-analysis software by a French company, said the two whistleblowers, who are former employees of that company. The firm -- then a subsidiary of the massive Paris-based conglomerate Safran -- deliberately concealed from the FBI the fact that it had purchased the Russian code in a secret deal, they said. The Russian company whose code ended up in the FBI's fingerprint-analysis software has Kremlin connections that should raise similar national security concerns, said the whistleblowers, both French nationals who worked in Russia. The Russian company, Papillon AO, boasts in its own publications about its close cooperation with various Russian ministries as well as the Federal Security Service -- the intelligence agency known as the FSB that is a successor of the Soviet-era KGB and has been implicated in other hacks of U.S. targets.

Cybersecurity experts said the danger of using the Russian-made code couldn't be assessed without examining the code itself. But "the fact that there were connections to the FSB would make me nervous to use this software," said Tim Evans, who worked as director of operational policy for the National Security Agency's elite cyberintelligence unit known as Tailored Access Operations and now helps run the cybersecurity firm Adlumin. The FBI's overhaul of its fingerprint-recognition technology, unveiled in 2011, was part of a larger initiative known as Next Generation Identification to expand the bureau's use of biometrics, including face- and iris-recognition technology. The TSA also relies on the FBI fingerprint database.

18 of 174 comments

  1. This is getting ridiculous by sgage · · Score: 5, Insightful

    This anti-Russia hysteria is really jumping the shark about now. A Russian company makes biometric software. Naturally, being Russian, they have 'close ties to the Kremlin', and are no doubt putting in nefarious backdoors to purloin the biometric data of unsuspecting Americans. Because, you know, Russia.

    This is worse than the Kaspersky stupidity, which is saying something.

    1. Re:This is getting ridiculous by hcs_$reboot · · Score: 3, Insightful

      Absolutely. They should worry at least as much about all the stuff made in China (and there is a lot).

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:This is getting ridiculous by AHuxley · · Score: 2

      A Russia story a day keeps the US gov happy.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:This is getting ridiculous by 93+Escort+Wagon · · Score: 2

      I imagine the Russians themselves are quite happy with the situation. The more Russian scare stories there are circulating, the more likely it is people will get fatigued with hearing them and start tuning out even the important stories - like Russian election interference.

      --
      #DeleteChrome
    4. Re:This is getting ridiculous by fyzikapan · · Score: 2, Insightful

      Sure, except Russia actually is an autocratic state that crushes free expression within its borders, invades its neighbors, murders political rivals, and actively tries to interfere with and destabilize other countries.

    5. Re:This is getting ridiculous by Bert64 · · Score: 5, Insightful

      A Russian company makes software for analyzing fingerprints...

      The FBI have a need to analyze fingerprints, which makes sense given the nature of the organization.
      The FSB performs similar roles to the FBI, and thus they have similar requirements.

      It makes sense that this company would try to sell their software to as many potential customers as possible. Chances are they are at least trying to sell it to law enforcement and intelligence services in all manner of other countries too.

      You just have to do your own sensible due diligence during the procurement process. Insist on buildable source code, thoroughly review what the code does and what else it tries to interact with. If you detect anything nefarious or the company refuses to provide full buildable source, don't do business with them.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
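      The review step Bert64 describes (get buildable source, then enumerate what the code does and what else it tries to interact with) can be partly mechanised. The script below is an added example, not code from this thread, the FBI, or any vendor: it walks a source tree and inventories network calls, embedded URLs, process execution and hard-coded file paths, then compares the hostnames it finds against the list the buyer agreed with the vendor. The sample tree, file names and hostnames are constructed for illustration.

```python
"""Static 'what does this code talk to?' inventory for vendor source review.

Added example (not from the Slashdot thread or any vendor). The sample
source tree, file names and hostnames are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample tree: a matcher that only touches a local database,
# plus two files that reach out over the network and execute a subprocess.
SAMPLE_TREE = {
    "src/matcher.c": (
        '#include <stdio.h>\n'
        'int match(const char *probe, const char *candidate) {\n'
        '    FILE *db = fopen("/var/lib/afis/templates.db", "rb");\n'
        '    return db != NULL;\n'
        '}\n'
    ),
    "src/telemetry.c": (
        '#include <curl/curl.h>\n'
        'void report_stats(CURL *h) {\n'
        '    curl_easy_setopt(h, CURLOPT_URL, "https://metrics.example-vendor.test/upload");\n'
        '    curl_easy_perform(h);\n'
        '}\n'
    ),
    "src/update.py": (
        'import subprocess\n'
        'import urllib.request\n'
        'def fetch_and_apply():\n'
        '    urllib.request.urlopen("http://updates.example-vendor.test/latest")\n'
        '    subprocess.run(["sh", "-c", "./apply.sh"], check=True)\n'
    ),
}

# Interaction classes a reviewer wants enumerated. Patterns are deliberately
# broad: the output is a checklist to confirm by hand, not a precise parser.
PATTERNS = {
    "network_call": re.compile(
        r"\b(socket|connect|sendto|curl_easy_perform|urlopen|requests\.(get|post))\s*\("),
    "url": re.compile(r"https?://[\w.\-]+(?:/[\w./\-]*)?"),
    "process_exec": re.compile(r"\b(system|popen|execv|execve|subprocess\.\w+)\s*\("),
    "file_path": re.compile(r'"(/[\w./\-]+)"'),
}


def scan_tree(tree):
    """Map each interaction class to a list of (path, line number, line) hits."""
    findings = defaultdict(list)
    for path, text in tree.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, rx in PATTERNS.items():
                if rx.search(line):
                    findings[kind].append((path, lineno, line.strip()))
    return dict(findings)


def hosts_contacted(tree):
    """Sorted list of hostnames embedded in URLs anywhere in the tree."""
    hosts = set()
    for text in tree.values():
        for m in PATTERNS["url"].finditer(text):
            host = urlparse(m.group(0)).hostname
            if host:
                hosts.add(host)
    return sorted(hosts)


def unexpected_hosts(tree, allowed):
    """Hosts the code reaches that are not on the list agreed with the vendor."""
    allowed = set(allowed)
    return [h for h in hosts_contacted(tree) if h not in allowed]


def files_with(tree, kind):
    """Sorted list of files containing at least one hit of the given class."""
    return sorted({path for path, _, _ in scan_tree(tree).get(kind, [])})


if __name__ == "__main__":
    for kind, hits in scan_tree(SAMPLE_TREE).items():
        print(f"[{kind}]")
        for path, lineno, line in hits:
            print(f"  {path}:{lineno}: {line}")
    print("hosts:", hosts_contacted(SAMPLE_TREE))
    # Constructed allowlist: only the update server was disclosed by the vendor.
    print("unexpected:", unexpected_hosts(SAMPLE_TREE, ["updates.example-vendor.test"]))
```

      The point of the inventory is the comparison, not the pattern matching: a fingerprint matcher has a small, explainable set of things it should touch (its template store, its input images), so every network destination or spawned process in the list either appears in the vendor's own documentation or becomes a question to put to the vendor before the contract is signed. Regex scanning is a first pass only; a reviewer still reads the code around each hit, and the build itself must be reproduced from the delivered source so the binary in production is the one that was reviewed.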
    6. Re:This is getting ridiculous by ShanghaiBill · · Score: 3, Interesting

      Even better would be to just go open source, without regard for the country of origin. As long as we can read the code, we can see for ourselves if it is compromised. Why should "fingerprint analysis" need to be proprietary?

    7. Re:This is getting ridiculous by Anonymous Coward · · Score: 2, Insightful

      Just like the United States of America ...

    8. Re:This is getting ridiculous by superwiz · · Score: 2, Interesting

      So any private company in that state writing software must be spies? I mean they could be... But shouldn't that be suggested by some evidence other than their location? I mean, I get it that the awful summary says Safran bought the code, but doesn't actually say if they bought a license to redistribute or bought the source code. Presumably, they can audit the code if they bought the source code. And I find it difficult to believe that Safran would have bought a license to distribute without some fairly severe security sandboxing.

      By the way, the French have a history of (state-sanctioned) industrial espionage, so why isn't it a problem in itself that it is the French company that produced the product?

      --
      Any guest worker system is indistinguishable from indentured servitude.
    9. Re: This is getting ridiculous by PoopJuggler · · Score: 2

      Only commies think lost languages are lost knowledge.

    10. Re:This is getting ridiculous by DarkOx · · Score: 2

      Insist on buildable source code, thoroughly review what the code does and what else it tries to interact with.

      That's all well and good but to be perfectly honest a large complex software project is often as difficult to audit for back doors and deliberate weaknesses in cryptography etc. as it would be to write. Honestly it's probably smarter to do what you suggest to the degree you can but buy from sources you have more reason to trust.

      We probably should have more and resist waiving buy American provisions where the military and intelligence community is concerned.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    11. Re:This is getting ridiculous by Gavagai80 · · Score: 3, Insightful

      The left wing isn't anti-Russia at all, only the center (Clinton) wing. His pro-Russia agenda was the only thing I liked about Trump, and it stood in clear contrast to Clinton's desire to create a new cold war and portray herself as the next Ronald Reagan. The left wing has always been against ballooning military spending and pointless international antagonism/interference.

      --
      This space intentionally left blank
    12. Re:This is getting ridiculous by Gavagai80 · · Score: 2

      You seriously think the military industrial complex has a problem with Trump? Hah. One of his main campaign themes was that he would insist on raising the obscene military budget by even more than Clinton would insist on raising it, and his other main campaign theme was to shower big business in tax breaks and other free money. They couldn't be happier. As for the public service sector, they're not elated that Trump won but they're terrified of him being impeached... Pence is far more ideologically inclined to make big public sector cuts than Trump.

      --
      This space intentionally left blank
  2. Re:Aren't we all doomed? by cheesyweasel · · Score: 2

    Also like how nginx is one of the world's biggest HTTP servers and is Russian? Have we been completely pwn3d?

  3. Analyze the code... by Bert64 · · Score: 4, Insightful

    Just because code is written by Russians with connections to the FSB doesn't mean it's necessarily bad...

    The fact that Russians wrote or at some point had access to the code doesn't automatically give them access to data that the code is later processing, unless there are backdoors in the code allowing them to gain access and there aren't some other mitigating factors (network filters, airgap etc.) which prevent them from accessing the backdoor.

    Considering that the code analyzes fingerprints, who would have a need for such code? Chances are the FSB need to analyze fingerprints in much the same way the FBI do. It makes sense to collaborate with others who have similar requirements, as this will decrease your development costs. You just need to check the code thoroughly to ensure it works as you want it to. The Russians will be doing their own checks during collaborative development, as they will be equally concerned that some of the code was written by people connected to the FBI.

    The key point is understanding what you're doing, and understanding what code you're running. Who wrote it doesn't matter, so long as it does the job it's supposed to.

    Plus consider this: if the FSB wanted to get malicious code onto an American system they would go to great lengths to disguise the origin of the code, which doesn't seem to be the case here.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    1. Re:Analyze the code... by AHuxley · · Score: 3, Interesting

      Re "Who wrote it doesn't matter, so long as it does the job it's supposed to."
      US code only worked with modern quality digital images and file formats.
      The French used Russian code that could accept fingerprints from old paper files.
      The FBI did tests and accepted the French innovations that allow for the accurate importing of old US paper records. The French outsmarted their US competitors by knowing what the FBI wanted.

      --
      Domestic spying is now "Benign Information Gathering"
  4. There is a much worse thing by Vitus+Wagner · · Score: 4, Funny

    Note that the US Army uses algebra to calculate trajectories of ballistic missiles. And algebra was developed in the Islamic Caliphate in the IX century.

    BTW, Russians in the Kremlin use American software such as Windows or MS Office. Moreover, some years ago Russian President Medvedev accepted an iPhone as a gift from Jobs.

  5. The system should be air-gapped regardless by mtraffanstead · · Score: 2

    A system with millions of fingerprints and who knows what other demographic and biometric data should be air-gapped out of principle. That's an information gold mine that will be a prime target for every bad actor on the planet, state-sponsored or not.