To Avoid Being Cut Out Of The Market, US Tech Companies Are Allowing Russian Vetting Of Source Code
from the backdoors-for-all dept
Nobody trusts anybody, and it's probably going to end up affecting end users the most. The Snowden leaks showed the NSA's Tailored Access Operations routinely intercepted network hardware to insert backdoors. The exploits leaked by the Shadow Brokers indicated the NSA was very active on the software exploit front as well.
In response to the Snowden leaks, it appears the Russian hardware/software purchasers are stepping up their due diligence efforts. This comes at a time when the Russian government is suspected of hacking away at the American democratic process, as Reuters reports.
Russian authorities are asking Western tech companies to allow them to review source code for security products such as firewalls, anti-virus applications and software containing encryption before permitting the products to be imported and sold in the country. The requests, which have increased since 2014, are ostensibly done to ensure foreign spy agencies have not hidden any "backdoors" that would allow them to burrow into Russian systems.
According to the article, multiple US officials and company executives are tracing the uptick in review demands to a downturn in US-Russian relations following Russia's 2014 annexation of Crimea. But the NSA's hardware operations were exposed in mid-2014, so it's hard to believe the Snowden effect isn't in play.
[Some] reviews are… conducted by the Federal Service for Technical and Export Control (FSTEC), a Russian defense agency tasked with countering cyber espionage and protecting state secrets. Records published by FSTEC and reviewed by Reuters show that from 1996 to 2013, it conducted source code reviews as part of approvals for 13 technology products from Western companies. In the past three years alone it carried out 28 reviews.
Since these companies aren't willing to give up their share of an $18.4 billion market, compromises are being made. Examinations of code are being done in "clean rooms," with conditions somewhat controlled by the companies being vetted. But this isn't always the case. Nor are these precautions necessarily enough to prevent those doing the vetting -- some linked to the Russian government -- from finding undiscovered security holes and flaws. The vetting may help keep Russian government agencies and private companies from being spied on by the US, but it's not going to do much to keep the Russian government from spying on Russian companies and Russian computer users.
So far, only one company has publicly announced its refusal to submit its software for vetting. Symantec has rejected testing by Echelon, a Moscow-based lab with some tenuous ties to the Russian military.
But for Symantec, the lab "didn't meet our bar" for independence, said spokeswoman Kristen Batch.
“In the case of Russia, we decided the protection of our customer base through the deployment of uncompromised security products was more important than pursuing an increase in market share in Russia,” said Batch, who added that the company did not believe Russia had tried to hack into its products.
Echelon also provides testing for the Russian Ministry of Defense and multiple law enforcement agencies. The lab claims it's wholly independent from the Russian government, but those assertions haven't been enough to overcome Symantec's objections. Other companies (the article lists HP and IBM) have allowed their products to be tested by Echelon, but neither was willing to comment on this story.
The Russians are checking for US backdoors while potentially seeking to install their own. US companies are given the choice of possibly aiding in Russian domestic surveillance or being locked out of the market. Any lost sales here can at least be partially chalked up to the Snowden leaks. If so, the fallout from the leaks is still causing harm to US companies, years down the road.
Filed Under: russia, source code, tech companies
Reader Comments
Additionally, Symantec's statement doesn't add up (with the information available in this article). Unless Symantec is using 'security by obscurity'. Again, simply letting someone review the code is NOT a weakness in actually secure code (regardless of the nationality of the reviewer).
Re:
Re: Re:
Programming and general problem solving skills are very sellable, just ask Red Hat.
Re: Re: Re:
Re: Re: Re: Re:
As for ease of use, Linux often is, because you have a graphical and a command-line text editor way of doing the same thing. Microsoft's ease of use often vanishes when you want to do more than simple things, as you end up having to plod through layer after layer of menu, searching for the action that you want.
Re: Re: Re: Re: Re:
Not to mention that it's not all their code.
When AMD decided to open-source its Linux graphics driver stack, it realized it had so much proprietary code from other vendors (or code covered by NDAs from other vendors) that it would be easier to rewrite the entire thing from scratch than to open-source the code it already had. And it still hasn't been able to open all of its new driver stack; there are critical portions that are still proprietary. AMD's still working on untangling the proprietary parts to release a fully open-source driver.
Now scale that up to an entire operating system. One that's been around for decades and contains all kinds of old code.
And they deserve it
Re: And they deserve it
Never mind the bad people the messenger was exposing the wrongdoing of, let's totally ignore them.
"the Russian government is suspected of hacking away at the American democratic process" -- Oh, good, back to sly innuendo! -- It's ONLY SUSPECTED, not a bit of evidence yet!
Three CNN Employees Resign Over Retracted Story on Russia Ties
"CNN has accepted the resignation of the employees involved in the story's publication," a network spokesperson says. ... The story, which reported that Congress was investigating a "Russian investment fund with ties to Trump officials," cited a single anonymous source.
Admitted MOSTLY BULLSHIT by CNN producer:
http://dailycaller.com/2017/06/27/cnn-producer-calls-trump-russia-story-mostly-bullsht-says-ceo-encouraged-russia-coverage-video/
In the hidden camera video, John Bonifield, a supervising producer at CNN Health, talks about how CNN uses the Trump-Russia allegations to boost ratings and how directions to focus on it have come from CNN's CEO Jeff Zucker. When asked by the Project Veritas reporter, "But honestly, you think the whole Russia shit is just like, bullshit?" Bonifield replies, "Could be bullshit. I mean, it's mostly bullshit right now. Like we, don't have any big giant proof." "I just feel like they don't really have it but they want to keep digging. And so I think the president is probably right to say, like, look, you are witch hunting me. Like, you have no smoking gun, you have no real proof," he adds.
And in a long piece, Glenn Greenwald kicks every last prop from under the whole schmear!
CNN Journalists Resign: Latest Example of Media Recklessness on the Russia Threat
https://theintercept.com/2017/06/27/cnn-journalists-resign-latest-example-of-media-recklessness-on-the-russia-threat/
Recklessness PLUS malice here.
But not even CNN's forced honesty in retracting, just down the memory hole! Not a hint of admitting let alone apology for putting out false news for months. Techdirt changes to new false assertions, is all.
So, kids, who was right: me or Masnick?
------------
Also, way back on the immigration ban I said "this won't stand", and right again: admin is mostly upheld NINE to ZERO.
Re: "the Russian government is suspected of hacking away at the American democratic process" -- Oh, good, back to sly innuendo! -- It's ONLY SUSPECTED, not a bit of evidence yet!
Re: "the Russian government is suspected of hacking away at the American democratic process" -- Oh, good, back to sly innuendo! -- It's ONLY SUSPECTED, not a bit of evidence yet!
Yes, a CNN Health producer's random, groundbreaking comments that a 24-hour news network follows the ratings are proof that Donald Trump isn't acting like a guilty person.
Yes, CNN is currently solely in charge of investigating the Russian interference in our election so naturally they must have all the evidence available already.
No, this isn't yet another lame Veritas attempt at editing together a bunch of meaningless comments from single members of large companies in order to baselessly smear them.
Re: "the Russian government is suspected of hacking away at the American democratic process" -- Oh, good, back to sly innuendo! -- It's ONLY SUSPECTED, not a bit of evidence yet!
Re: "the Russian government is suspected of hacking away at the American democratic process" -- Oh, good, back to sly innuendo! -- It's ONLY SUSPECTED, not a bit of evidence yet!
Re: "the Russian government is suspected of hacking away at the American democratic process" -- Oh, good, back to sly innuendo! -- It's ONLY SUSPECTED, not a bit of evidence yet!
But sure the Russians tried. If their intelligence services are any good, one of their jobs is to do stuff like that. Just the same as the US intelligence agencies try to influence elections in other countries. As Captain Renault said, I am shocked, shocked!
Were they successful? That's harder to say. But US computer security related to elections is fragmented among many jurisdictions, and conducted by the low bidder (if at all). If they were able to suborn campaign staff (or candidate), that would certainly give them a lever. For example, if the Russians had the financial clout to influence anyone. Not that any candidate or staff would use Russian money in their non-campaign jobs.
Everyone should have been doing this
Pointless
Unless they are going to give them source for them to compile on their own.
There really are a lot of ways to trick the system.
Re: Pointless
Yeah, but showing code while supplying a different binary is easy and obvious after thinking for a few seconds. Try THIS on for size.
"a hack (in every sense), the most subversive ever perpetrated, nothing less than the root password of all evil.
Ken describes how he injected a virus into a compiler. Not only did his compiler know it was compiling the login function and inject a backdoor, but it also knew when it was compiling itself and injected the backdoor generator into the compiler it was creating. The source code for the compiler thereafter contains no evidence of either virus."
http://wiki.c2.com/?TheKenThompsonHack
https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
Re: Re: Pointless
Also see:
If a country's really doing this to protect its citizens, they should require reproducible builds and have the inspection team supply their own compiler. That would reduce the attack surface... but then see the Underhanded C contest.
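The Thompson hack quoted two comments up and the "reproducible builds plus an inspector-supplied compiler" remedy in this one are two halves of the same check, known as Wheeler's diverse double-compiling. The toy model below is an added example, not code from either commenter or from Thompson's paper; its "compilers" are string transforms and every source and binary in it is constructed for illustration.

```python
import hashlib

# Constructed sources: the compiler's own source is clean, so a source review
# of the kind discussed above would find nothing suspicious in it.
COMPILER_SRC = "compiler: translate source text into a binary"
LOGIN_SRC = "login: check the supplied password"

def clean_compile(src: str) -> str:
    """Honest compiler: the output is a pure function of the source."""
    return f"bin({src})"

def trojaned_compile(src: str) -> str:
    """Thompson-style compiler: adds a hidden payload when it recognises the
    login program, and re-injects itself whenever it builds a compiler."""
    out = clean_compile(src)
    if src.startswith("login:"):
        return out + "+BACKDOOR"
    if src.startswith("compiler:"):
        return out + "+SELF_PROPAGATING"
    return out

def run_compiler(binary: str, src: str) -> str:
    """Execute a compiler binary. Its behaviour comes from the payload hidden
    in the binary, not from the clean source it was supposedly built from."""
    if "+SELF_PROPAGATING" in binary:
        return trojaned_compile(src)
    return clean_compile(src)

# Constructed binaries: the vendor-shipped compiler, and one the inspection
# team bootstrapped themselves with an independent toolchain.
SHIPPED_BIN = trojaned_compile(COMPILER_SRC)
TRUSTED_BIN = clean_compile(COMPILER_SRC)

def ddc_check(shipped_bin: str, trusted_bin: str, compiler_src: str) -> bool:
    """Diverse double-compiling: build compiler_src with each bootstrap
    compiler, then rebuild it with the result. With a reproducible build the
    source alone determines the output, so both stage-2 binaries hash the
    same; a mismatch means a binary carries something the source does not."""
    stage2 = []
    for bootstrap in (shipped_bin, trusted_bin):
        stage1 = run_compiler(bootstrap, compiler_src)
        stage2.append(run_compiler(stage1, compiler_src))
    hashes = {hashlib.sha256(b.encode()).hexdigest() for b in stage2}
    return len(hashes) == 1
```

Reviewing COMPILER_SRC turns up nothing, and the shipped binary faithfully regenerates itself from that clean source, which is exactly why the comparison has to be against a binary bootstrapped with a toolchain the vendor never touched.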
Whoop-de-do.
Re: Whoop-de-do.
Right. Security through obscurity is nonsense.
People and groups that want to make secure software don't say "We'd better not show the code to anybody, they might find holes in it"; they say "We'd better show the code to everybody, in case they find holes in it."
Ahem..
From the last paragraph...
Let me clarify that a tad
Re: Ahem..