Slashdot Mirror


Tech Firms Let Russia Probe Software Widely Used by US Government (reuters.com)

Major global technology providers SAP, Symantec, and McAfee have allowed Russian authorities to hunt for vulnerabilities in software deeply embedded across the U.S. government, Reuters reported on Thursday. From the report: The practice potentially jeopardizes the security of computer networks in at least a dozen federal agencies, U.S. lawmakers and security experts said. It involves more companies and a broader swath of the government than previously reported. In order to sell in the Russian market, the tech companies let a Russian defense agency scour the inner workings, or source code, of some of their products. Russian authorities say the reviews are necessary to detect flaws that could be exploited by hackers. But those same products protect some of the most sensitive areas of the U.S. government, including the Pentagon, NASA, the State Department, the FBI and the intelligence community, against hacking by sophisticated cyber adversaries like Russia.


  1. I wish... by Narcocide · · Score: 2

    ... that I could be confident our elected officials were at least smart enough not to believe Russian officials also needed root access to all the production machines in order to complete a source code audit.

    1. Re: I wish... by Narcocide · · Score: 1

      But this statement is false. I don't approve of my own government's behavior in this regard either. I would be amongst the ones voting to pardon Snowden. Not that it will ever come to a vote, the poor sod. And, quite ironically, I'm even less able to influence my own government than those of other countries.

  2. China does the same thing... by Anonymous Coward · · Score: 1

    China demanded the source code for Microsoft stuff, in order to allow them to do business in the country. This isn't anything new. What needs done is the US to go to F/OSS, where everyone scrutinizes bugs, not the hallowed few who have source code access.

    1. Re:China does the same thing... by Bert64 · · Score: 2

      All of whom have their own agendas, and are under NDA...
      But the source code of these applications is not available to the general public, so independent researchers cannot review it.
      If a government is going to review code for their own use, they will review open code too as they don't need to jump through hoops to get it. Having restricted access to source code just gives an advantage to those who have it, to the detriment of everyone else.

      Also there are various illegal leaks of closed source code. Being illegal, no legitimate researchers will touch them, but those with criminal intent have no such problem and will happily review the illegal leaks looking for bugs they can exploit.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  3. The US gov't shouldn't use open source software? by Anonymous Coward · · Score: 2, Funny

    So if it's wrong/bad for foreign entities to view the source code of software used by the US government, does that mean that the US government should avoid any and all open source software because foreign entities can easily view its source code?

  4. Actual headline: by king+neckbeard · · Score: 5, Insightful
    Here's what the actual headline should be:
    Tech firms let Russia probe software widely used by US government, following same processes US government, and all other governments, use.

    This is a non-story. They try to make it sound like this is some nefarious method to undermine the US government, when the reality is that they're checking to make sure there aren't NSA backdoors.

    --
    This is my signature. There are many like it, but this one is mine.
    1. Re:Actual headline: by Train0987 · · Score: 2, Insightful

      Gotta keep that Russians!=BAD narrative alive at all costs.

    2. Re:Actual headline: by gweihir · · Score: 5, Insightful

      Indeed. And governments can get access to Windows source code as well. It is a good bet that the Russians and the Chinese also have this access.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Actual headline: by Bing+Tsher+E · · Score: 1

      Worse, they used a test operator, not an assignment operator. So the statement says nothing about bad or good, it just takes a true/false value.

    4. Re:Actual headline: by Nethemas+the+Great · · Score: 1

      You'd think the Congress critters would be grateful for the free penetration testing. It's not like Symantec will only patch the vulnerabilities for the Russian edition.

      --
      Two of my imaginary friends reproduced once ... with negative results.
    5. Re:Actual headline: by tinkerton · · Score: 1

      Let the nerdiness of this comment be an example to all.

    6. Re:Actual headline: by viperidaenz · · Score: 1

      It means they're aware of any backdoors they found and have thought of mitigations for them.
      It also means they have a war chest of their own 0-day exploits they've found.

      It could also mean if they use it, they do so only to appear to trust it.

      So basically, it means nothing at all and you can't base anything on it.

    7. Re:Actual headline: by viperidaenz · · Score: 1

      It means the Russians won't tell Symantec about the vulnerabilities they find.

    8. Re:Actual headline: by Nethemas+the+Great · · Score: 1

      Of course they would, they'd be vulnerable to it the same as everyone else. I know what the assertion is from the critters, but as usual their inability to comprehend technology results in the wrong conclusions being drawn. Security through obscurity isn't...

      --
      Two of my imaginary friends reproduced once ... with negative results.
    9. Re:Actual headline: by tinkerton · · Score: 1

      Nonsense. 'this' is a void pointer that I can make point anywhere I want, including towards itself.

    10. Re:Actual headline: by Anonymous Coward · · Score: 1

      It's well-known that they do, as do many Universities. They've had access for many years now.

      This isn't news, it's propaganda.

    11. Re:Actual headline: by gweihir · · Score: 1

      Exactly.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    12. Re: Actual headline: by Brockmire · · Score: 1

      Yes, confirmed by all the "reported by FSB" in all the bugfix changelogs, amirite?

  5. Re:So what? by Anonymous Coward · · Score: 1

    Are you a full on retard? The russians are very obviously running espionage campaigns against us.

    This has nothing to do with Hillary Clinton. If we want to secure our shit we should obviously not be giving hackers the source code for our security systems.

    Only a hyper partisan fool would think this makes sense.

  6. Enough Of The D&C Bullshit by NicknameUnavailable · · Score: 3, Insightful

    Of course a defense department looking to use a piece of software is going to inspect it for security. Frankly it's more a sign of Russia's lack of security that they would use US software on their systems than anything else. Security through obscurity isn't security so opening the source is irrelevant to anything from a security perspective.

    1. Re:Enough Of The D&C Bullshit by gravewax · · Score: 1

      since when did SAP become an American company?

  7. LINUX IS RUSSIAN TREASON! by Anonymous Coward · · Score: 5, Funny

    That's nothing, Linus Torvalds regularly publishes code that EVERY SINGLE RUSSIAN can access. It's TREASON!

    1. Re:LINUX IS RUSSIAN TREASON! by jon3k · · Score: 1, Insightful

      I'm really surprised so few people on Slashdot understand the difference between open source software (and "given enough eyeballs, all bugs are shallow") and closed source software being reviewed by a select few actors who have a motive to hide their findings.

    2. Re:LINUX IS RUSSIAN TREASON! by Anonymous Coward · · Score: 1

      > That's nothing, Linus Torvalds regularly publishes code that EVERY SINGLE RUSSIAN can access. It's TREASON!

      Linus even accepts patches from RUSSIAN DEVELOPERS!111!! He was even born in Finland which very conveniently shares a border with Russia and was part of the Russian Empire at one time!

    3. Re:LINUX IS RUSSIAN TREASON! by gravewax · · Score: 1

      I am sure all those reviewing OSS code have nothing but pure altruistic motives. After all if you can't trust the governments of the world then who can you trust!

  8. Re:The US gov't shouldn't use open source software by Anonymous Coward · · Score: 1

    > So if it's wrong/bad for foreign entities to view the source code of software used by the US government, does that mean that the US government should avoid any and all open source software because foreign entities can easily view its source code?

    Quite the opposite.

    It's a given that other governments -- especially the powerful ones -- will get to view (and review) the source of _closed_ products as a pre-requisite condition to prevent a software product from having its sales vetoed.

    That way, even if you as a common customer cannot see the code, for such governments effectively all code is open source (Windows, iOS, Photoshop, you name it). It's thus foolish to seek security by obscurity. Hence, why not use open source & Free software and leverage the contributions of developers all over the world?

    It's probably also safer.

  9. Re:So what? by Plus1Entropy · · Score: 4, Insightful

    How about you get over Benghazi and her emails? You know the difference between those stories and Russia? The investigations were completed and found nothing.

    If Russia is nothing, then let the investigations complete it and tell us so. Then you can bitch that we're not "over it".

    --
    Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
  10. Yes, so? This is standard practice... by gweihir · · Score: 4, Insightful

    Every large-enough customer can get access to source-code of closed software. This is completely standard and there is nothing nefarious going on here. This only endangers anything US if the US messed up their own review.

    Who writes these demented articles?

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  11. Re:Stupidity by Anonymous Coward · · Score: 1

    Systems that have great need for secrecy should be custom developed in house.

    Systems with a great need for secrecy, yes, should be developed in-house.

    Systems with a great need for security, no, should absolutely NOT be developed in-house.

    It's like home rolling your own crypto algorithm, it only seems like a good idea to those who don't know anything about cryptography.

  12. Re:Stupidity by gweihir · · Score: 1

    Oh, yes! And I know personally, that *gasp* LINUX is used in federal agencies and banks! They failed to make that source code secret and it is apparently completely open! I was able to just _download_ it!

    In other news, the stupidity-level of your posting is staggering.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  13. Smart Russians by Anonymous Coward · · Score: 1

    Well, no wonder. From 3 years ago:

    Russian researchers expose breakthrough in U.S. spying program

    The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world’s computers, according to cyber researchers and former operatives.

    That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations.

    Stuxnet, the hard drive firmware exploits, last year the upload of malware from an NSA developer, and other discoveries of state developed spyware have definitely made KL and other Russian based software companies targets to be hurt economically.

  14. Easy Solution by perry64 · · Score: 1

    Make all security software open source, so everyone can look at it, and the many eyeballs cause problems to be fixed quicker.

  15. Re:So what? by Train0987 · · Score: 1

    The Clinton Machine is still talking about her a lot. She's going to run again in 2020.

  16. Somebody's Gotta Say It by Anonymous Coward · · Score: 1

    How do you like the global economy now?

  17. Re: So what? by muffen · · Score: 3, Insightful

    Claiming the Russians got Trump elected is a cover for the clear corruption of the Clintons and the DNC.

    Putin preferred Trump over Clinton. Putin put his machine to work to help get Trump elected. So far, that's fairly agreed upon. The question is if Trump knew or not.

  18. Re:Stupidity by Nethemas+the+Great · · Score: 1

    Stupidity is absolutely everywhere.

    I agree. Perhaps closer than you realize.

    --
    Two of my imaginary friends reproduced once ... with negative results.
  19. Re:RIP Vile Rat by Plus1Entropy · · Score: 1

    No, you know what, you're right. Seriously, I'm not being sarcastic.

    We should care about Benghazi if Benghazi refers to the terrorist attack against the US Consulate in 2011. But that's not actually what you give a shit about.

    --
    Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
  20. Re:Stupidity by h4ck7h3p14n37 · · Score: 1

    It's going to be awful hard for the U.S. government to create their own systems that are superior to commercial offerings when they can't acquire or retain talent because the pay is too low and the working conditions suck.

  21. Re:So what? by Anonymous Coward · · Score: 1

    Found plenty, bullshit 3 investigations found bugger all. More alt right alt facts from the RWNJs

  22. The highest rated commenters are confused by Zontar_Thing_From_Ve · · Score: 1

    Unlikely != Impossible .

    The highly rated commenters all think it's impossible that this access benefits the Russians in nefarious ways. It's not impossible. Basically the point of the article is that greedy companies let Mother Russia send her experts in to examine the code of various programs that the US government also uses so they could get sales in Russia. There are lots of smart Russians. I wouldn't say there is no chance that the Russians could find an exploit in such a code review and just carry it back in their memories and at home hammer on the program until they get it working. Of course the US government could be doing the same thing as a result of their own code review.

  23. Could the Russians be Stopped? by LifesABeach · · Score: 1

    I think not. Am I comfortable about it? I think not.

  24. Bleeding eyeballs by stooo · · Score: 1

    Not sure we want to see all this crappy source code.
    Many eyeballs would bleed.

    --
    aaaaaaa
  25. Re:So what? by Miles_O'Toole · · Score: 1

    Nice set of right wing snowflake talking points, comrade. Now why don't you tell us about the 12 MILLION emails Cheney erased.

    --
    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.
  26. as reported by the British Reuters by superwiz · · Score: 1

    Reuters is a British corporation and its US branch exists and operates only as a subsidiary. Its stock trades in the US as a depository share (similar to Alibaba -- a Chinese company). Despite a common language, Britain is NOT part of the US. It has, at times, priorities which are opposed to those of the US (as was clearly evidenced by Britain's Jerusalem embassy vote in the UN).

    --
    Any guest worker system is indistinguishable from indentured servitude.
    1. Re:as reported by the British Reuters by Gibgezr · · Score: 1

      Genuinely interested, not trying to be a jerk or anything, just want to know: your point is ...?

    2. Re:as reported by the British Reuters by superwiz · · Score: 1

      That a British corporation is trying to pretend that we should take in the stride as we take other US corporations while it reports on dealings of Russian corporations. Both Britain and Russia are foreign nations with their own interests which sometimes align with ours and sometimes go contrary to ours.

      --
      Any guest worker system is indistinguishable from indentured servitude.
    3. Re:as reported by the British Reuters by Gibgezr · · Score: 1

      > we should take in the stride as we take other US corporations

      Can you explain what you mean by that? I'm familiar with the expression "take in stride", but I'm totally lost on what you are trying to express. What are we taking in stride? What about other U.S. corporations do we take in stride? Are you referring to their inspection of software? And what does Reuters being British have to do with the report? Actually, Reuters isn't British: the headquarters are in the U.K., but Reuters is a division of the Toronto-based Canadian media company Thomson Reuters, so it's actually Canadian.

    4. Re:as reported by the British Reuters by superwiz · · Score: 1

      If being Russian should raise a level of suspicions, then so should being British. The fact that British speak the same language as we do does not make them our fellow countrymen.

      --
      Any guest worker system is indistinguishable from indentured servitude.
  27. Re: So what? by superwiz · · Score: 1

    > Putin preferred Trump over Clinton.

    Yeah. Ok. That's why he gave hundreds of millions of dollars to Clintons in the open. So that he could spend $100k on ads for the Trump campaign. Fuck off, retard.

    --
    Any guest worker system is indistinguishable from indentured servitude.
  28. Re: So what? by superwiz · · Score: 1

    Trump is a Republican. So on the internets that means he has the burden of proving his innocence, don't you know that yet? Hundreds of millions of dollars given to Clintons are not an indication of Russian influence. Because it's not proven. But an accusation by 17.. ummm 4.. oh, who cares.. ALL intelligence agencies against Trump has to be disproven before it's false. Get with the program or you are a Kremlin spy, too. Go back to performing some gross sexual act of poster's choice.... Ivan!

    --
    Any guest worker system is indistinguishable from indentured servitude.
  29. Re:So what? by superwiz · · Score: 1

    > Putin preferred Trump over Clinton.

    No. Just, no. Not going to happen. Next question.

    > You know the difference between those stories and Russia?

    Yes. Those stories are true. And the Russian collusion story is a fabrication made up to divert attention from them.

    > The investigations were completed and found nothing.

    No, they found her guilt. And then the Obama-led administration let her off the hook because she knows where the proverbial bodies are buried.

    > If Russia is nothing, then let the investigations complete it and tell us so.

    It's been completed a long time ago. It's not even looking at the collusion anymore. It's looking at the abstraction of justice which legal scholars (as opposed to news reporters) don't think is possible in this case. Look in the mirror. You'll see someone defending a criminal enterprise that the Democratic party has become. Live with it.

    --
    Any guest worker system is indistinguishable from indentured servitude.
  30. Re:So what? by superwiz · · Score: 1

    > Nice set of right wing snowflake talking points, comrade.

    The comrade is in your mirror. You are carrying water for the neo-communist criminal cartel that is the Democratic party.

    --
    Any guest worker system is indistinguishable from indentured servitude.
  31. Re:So what? by superwiz · · Score: 1

    Funny that she was allowed to leave the jurisdiction. She is still being investigated. That makes her a potential fugitive on the run.

    --
    Any guest worker system is indistinguishable from indentured servitude.
  32. Re:Regime change *needed* in Russia by superwiz · · Score: 1

    Since when have Russian elections been elections? Putin arrests opponents, bans them, substitutes fake proxy opponents, and even then the vote tallies are fake as fuck.

    And all Obama did was illegally listen to the phone calls of the Trump's campaign. Not excusing Putin... don't really care about Putin. But to suggest that the last election was not rigged for Clinton is absurd. Hillary Clinton just happens to be so incompetent that she lost an election despite rigging it.

    --
    Any guest worker system is indistinguishable from indentured servitude.
  33. Re:So what? by Plus1Entropy · · Score: 1

    Almost everything in your comment is a big fat lie. The first thing you supposedly quoted from my comment:

    > Putin preferred Trump over Clinton.

    I didn't say that. Why lie about something so trivial? Pathetic.

    --
    Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
  34. Re:So what? by superwiz · · Score: 1
    Yeah, that was a missed "copy" in the copy-n-paste. The Slashdot javascript intercepts keystrokes slower than I actually type. There are characters missing from wrods or sometimes full words missing all the time. The quote I was replying to was this:

    > How about you get over Benghazi and her emails?

    And, of course, you can't edit your posts after the fact. This is just the format which drives Slashdot. It's what makes it, at times, uniquely psychotic in its own special way.

    --
    Any guest worker system is indistinguishable from indentured servitude.
  35. Re:So what? by superwiz · · Score: 1

    Oh, and just because I copied a quote from a previous comment to which I was replying, doesn't change the fact that you are in the tank for the Criminal Democratic party. Let me tell you something every Libertarian who switched their vote from Johnson to Trump thinks: I kept the criminal Clinton out of office and I sleep fine.

    --
    Any guest worker system is indistinguishable from indentured servitude.
  36. Re:So what? by Agripa · · Score: 1

    > How about you get over Benghazi and her emails? You know the difference between those stories and Russia? The investigations were completed and found nothing.

    Go read the results of the FBI investigation into Vince Foster's death and tell me they found nothing.