To Avoid Being Cut Out Of The Market, US Tech Companies Are Allowing Russian Vetting Of Source Code

from the backdoors-for-all dept

Nobody trusts anybody, and it's probably going to end up affecting end users the most. The Snowden leaks showed the NSA's Tailored Access Operations routinely intercepted network hardware to insert backdoors. The exploits leaked by the Shadow Brokers indicated the NSA was very active on the software exploit front as well.

In response to the Snowden leaks, it appears the Russian hardware/software purchasers are stepping up their due diligence efforts. This comes at a time when the Russian government is suspected of hacking away at the American democratic process, as Reuters reports.

Russian authorities are asking Western tech companies to allow them to review source code for security products such as firewalls, anti-virus applications and software containing encryption before permitting the products to be imported and sold in the country. The requests, which have increased since 2014, are ostensibly done to ensure foreign spy agencies have not hidden any "backdoors" that would allow them to burrow into Russian systems.

According to the article, multiple US officials and company executives are tracing the uptick in review demands to a downturn in US-Russian relations following Russia's 2014 annexation of Crimea. But the NSA's hardware operations were exposed in mid-2014, so it's hard to believe the Snowden effect isn't in play.

[Some] reviews are… conducted by the Federal Service for Technical and Export Control (FSTEC), a Russian defense agency tasked with countering cyber espionage and protecting state secrets. Records published by FSTEC and reviewed by Reuters show that from 1996 to 2013, it conducted source code reviews as part of approvals for 13 technology products from Western companies. In the past three years alone it carried out 28 reviews.

Since these companies aren't willing to give up their share of an $18.4 billion market, compromises are being made. Examinations of code are being done in "clean rooms," with conditions somewhat controlled by the companies being vetted. But this isn't always the case. Nor are these precautions necessarily enough to prevent those doing the vetting -- some linked to the Russian government -- from finding undiscovered security holes and flaws. The vetting may help keep Russian government agencies and private companies from being spied on by the US, but it's not going to do much to keep the Russian government from spying on Russian companies and Russian computer users.

So far, only one company has publicly announced its refusal to submit its software for vetting. Symantec has rejected testing by Echelon, a Moscow-based lab with some tenuous ties to the Russian military.

But for Symantec, the lab "didn't meet our bar" for independence, said spokeswoman Kristen Batch.

“In the case of Russia, we decided the protection of our customer base through the deployment of uncompromised security products was more important than pursuing an increase in market share in Russia,” said Batch, who added that the company did not believe Russia had tried to hack into its products.

The company also provides testing for the Russian Ministry of Defense and multiple law enforcement agencies. Echelon claims it's wholly independent from the Russian government, but those assertions haven't been enough to overcome Symantec's objections. Other companies (the article lists HP and IBM) have allowed their products to be tested by Echelon, but neither were willing to comment on this story.

The Russians are checking for US backdoors while potentially seeking to install their own. US companies are given the choice of possibly aiding in Russian domestic surveillance or being locked out of the market. Any lost sales here can at least be partially chalked up to the Snowden leaks. If so, the fallout from the leaks is still causing harm to US companies, years down the road.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: russia, source code, tech companies


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 27 Jun 2017 @ 6:56pm

    If the Russian agency/reviewer is just being allowed to see the code inside a 'clean' room (and not take it out and build their own copies wholesale) how are the "seeking to install their own" backdoors (unless you mean take advantage of already broken code... which is NOT actually installing a back door).
    Additionally Symantec statement doesn't add up (with the information available in this article). Unless Symantec is using 'security by obscurity'. Again simple letting someone review the code is NOT a weakness in actual secure code (regardless of the nationality of the reviewer).

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 27 Jun 2017 @ 7:06pm

    Proprietary software is cancer.

    link to this | view in thread ]

  3. identicon
    James, 27 Jun 2017 @ 7:10pm

    And they deserve it

    Any lost sales here can at least be partially chalked up to the Snowden leaks. If so, the fallout from the leaks is still causing harm to US companies, years down the road.

    link to this | view in thread ]

  4. This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 27 Jun 2017 @ 7:11pm

    "the Russian government is suspected of hacking away at the American democratic process" -- Oh, good, back to sly innuendo! -- It's ONLY SUSPECTED, not a bit of evidence yet!

    From Drudge today flatly contradicting the MADE UP CRAP that Techdirt spewed for months about "Trump-Russia":

    Three CNN Employees Resign Over Retracted Story on Russia Ties
    "CNN has accepted the resignation of the employees involved in the story's publication," a network spokesperson says. ... The story, which reported that Congress was investigating a "Russian investment fund with ties to Trump officials," cited a single anonymous source."

    Admitted MOSTLY BULLSHIT by CNN producer:
    http://dailycaller.com/2017/06/27/cnn-producer-calls-trump-russia-story-mostly-bullsht-says -ceo-encouraged-russia-coverage-video/
    In the hidden camera video, John Bonifield, a supervising producer at CNN Health, talks about how CNN uses the Trump-Russia allegations to boost ratings and how directions to focus on it have come from CNN's CEO Jeff Zucker. When asked by the Project Veritas reporter, "But honestly, you think the whole Russia shit is just like, bullshit?" Bonifield replies, "Could be bullshit. I mean, it's mostly bullshit right now. Like we, don't have any big giant proof." IFrame "I just feel like they don't really have it but they want to keep digging. And so I think the president is probably right to say, like, look, you are witch hunting me. Like, you have no smoking gun, you have no real proof," he adds

    And in a long piece, Green Glenwald kicks every last prop from under the whole schmear!
    CNN Journalists Resign: Latest Example of Media Recklessness on the Russia Threat
    https://theintercept.com/2017/06/27/cnn-journalists-resign-latest-example-of-media-recklessnes s-on-the-russia-threat/

    Recklessness PLUS malice here.

    But not even CNN's forced honesty in retracting, just down the memory hole! Not a hint of admitting let alone apology for putting out false news for months. Techdirt changes to new false assertions, is all.

    So, kids, who was right: me or Masnick?

    ------------

    Also, way back on the immigration ban I said "this won't stand", and right again: admin is mostly upheld NINE to ZERO.

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 27 Jun 2017 @ 7:14pm

    Is there a Clapper in this house? Snowden +1.

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 27 Jun 2017 @ 7:24pm

    Re: "the Russian government is suspected of hacking away at the American democratic process" -- Oh, good, back to sly innuendo! -- It's ONLY SUSPECTED, not a bit of evidence yet!

    McCain is that you? Pre-election hacks and trump campaign probes are separate issues.

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 27 Jun 2017 @ 8:32pm

    Re: "the Russian government is suspected of hacking away at the American democratic process" -- Oh, good, back to sly innuendo! -- It's ONLY SUSPECTED, not a bit of evidence yet!

    Yes, the US intelligence community made up the Russia story to boost CNN ratings.

    Yes, a CNN Health producer's random, groundbreaking comments that a 24-hour news network follows the ratings are proof that Donald Trump isn't acting like a guilty person.

    Yes, CNN is currently solely in charge of investigating the Russian interference in our election so naturally they must have all the evidence available already.

    No, this isn't yet another lame Veritas attempt at editing together a bunch of meaningless comments from single members of large companies in order to baselessly smear them.

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 27 Jun 2017 @ 8:48pm

    Everyone should have been doing this

    Since the first backbone diversion rooms where exposed in 2002, in fact as soon as the patriot act was passed it should have been obvious to everyone that shenanigans where going to start happening with particularly US but all intelligence superstructures, and certainly after stuxnet, It's kind of dumb to be complaining that the russians might be suspicious now cause if they where not before they are dumber than I thought

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 27 Jun 2017 @ 9:03pm

    Pointless

    Show them fake source, ship code with back door.

    Unless they are going to give them source for them to compile on their own.

    There really are a lot of ways to trick the system.

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 27 Jun 2017 @ 9:30pm

    Re: "the Russian government is suspected of hacking away at the American democratic process" -- Oh, good, back to sly innuendo! -- It's ONLY SUSPECTED, not a bit of evidence yet!

    Whelp. Time to get out the ole thresher. Looks like we got a bumper crop of derp.

    link to this | view in thread ]

  11. icon
    AEIO_ (profile), 27 Jun 2017 @ 10:17pm

    Re: Pointless

    Yeah, but showing code while supplying a different binary is easy and obvious after thinking for a few seconds. Try THIS on for size.

    "a hack (in every sense), the most subversive ever perpetrated, nothing less than the root password of all evil.

    Ken describes how he injected a virus into a compiler. Not only did his compiler know it was compiling the login function and inject a backdoor, but it also knew when it was compiling itself and injected the backdoor generator into the compiler it was creating. The source code for the compiler thereafter contains no evidence of either virus."

    http://wiki.c2.com/?TheKenThompsonHack

    https://www.ece.cmu.edu/~ganger/712.fall02/paper s/p761-thompson.pdf

    link to this | view in thread ]

  12. identicon
    Anonymous Coward, 27 Jun 2017 @ 10:28pm

    Whoop-de-do.

    Any firewall, antivirus, or encryption software worth anything is open source anyway. The rest is a pretty veneer on an open source core or garbage code that doesn't deserve the label "security software"

    link to this | view in thread ]

  13. icon
    Ninja (profile), 28 Jun 2017 @ 4:25am

    Re: "the Russian government is suspected of hacking away at the American democratic process" -- Oh, good, back to sly innuendo! -- It's ONLY SUSPECTED, not a bit of evidence yet!

    Is this what they call brain cramps?

    link to this | view in thread ]

  14. icon
    Ninja (profile), 28 Jun 2017 @ 4:28am

    Re:

    This. I'd argue that there's a strong driving force towards open source. I wonder how companies will monetize their work in this brave new world.

    link to this | view in thread ]

  15. identicon
    Anonymous Coward, 28 Jun 2017 @ 5:19am

    Re: Re:

    I wonder how companies will monetize their work in this brave new world.

    Programming and general problem solving skills are very sellable, just ask Red Hat.

    link to this | view in thread ]

  16. icon
    ShadowNinja (profile), 28 Jun 2017 @ 5:30am

    Re: And they deserve it

    Yes, lets shoot the messenger.

    Never mind the bad people the messenger was exposing the wrong doing of, lets totally ignore them.

    link to this | view in thread ]

  17. icon
    Ninja (profile), 28 Jun 2017 @ 7:17am

    Re: Re: Re:

    I'm guessing that's what Microsoft has been considering. They could charge a small monthly fee from home users to enable more personalized support and automatic updates. I'd pay for that (considering the price is sane). You could get extra perks from their systems such as automated backup and file versioning (encrypted please) all in an easy, intuitive way (they are generally good on making their things easy to use). There are plenty of services they can offer that would rack in tons of money even if Windows is open sourced.

    link to this | view in thread ]

  18. identicon
    Anonymous Coward, 28 Jun 2017 @ 7:28am

    Re: Re: Pointless

    Also see:

    If a country's really doing this to protect its citizens, they should require reproducible builds and have the inspection team supply their own compiler. That would reduce the attack surface... but then see the Underhanded C contest.

    link to this | view in thread ]

  19. identicon
    Anonymous Coward, 28 Jun 2017 @ 9:18am

    Re: Re: Re: Re:

    I think the problem that Microsoft would have with open sourcing windows is the loss of control that goes with it. Beside which, their code base will need a lot of work to get in modular enough for open sourcing to gain them any real benefit. That is one of the benefits of the free software ecosystem, modularity, with well defined interfaces and low coupling is what allows the fast interaction and rapid development.
    As for ease of use, Linux is often, because you have a graphics and command/line text editor way of doing the same thing. Microsoft's ease of use often vanishes when you want to do more than simple things, as you end up having to plod through layer after layer of menu, searching for the action that you want.

    link to this | view in thread ]

  20. identicon
    Thad, 28 Jun 2017 @ 10:10am

    Re: Re: Re: Re: Re:

    Beside which, their code base will need a lot of work to get in modular enough for open sourcing to gain them any real benefit.

    Not to mention that it's not all their code.

    When AMD decided to open-source its Linux graphics driver stack, it realized it had so much proprietary code from other vendors (or code covered by NDAs from other vendors) that it would be easier to rewrite the entire thing from scratch than to open-source the code it already had. And it still hasn't been able to open all of its new driver stack; there are critical portions that are still proprietary. AMD's still working on untangling the proprietary parts to release a fully open-source driver.

    Now scale that up to an entire operating system. One that's been around for decades and contains all kinds of old code.

    link to this | view in thread ]

  21. identicon
    Thad, 28 Jun 2017 @ 10:13am

    Re: Whoop-de-do.

    Right. Security through obscurity is nonsense.

    People and groups that want to make secure software don't say "We'd better not show the code to anybody, they might find holes in it"; they say "We'd better show the code to everybody, in case they find holes in it."

    link to this | view in thread ]

  22. icon
    Alphonse Tomato (profile), 28 Jun 2017 @ 10:19am

    Re: "the Russian government is suspected of hacking away at the American democratic process" -- Oh, good, back to sly innuendo! -- It's ONLY SUSPECTED, not a bit of evidence yet!

    Mind you, anybody who uses Drudge as a primary source is pretty dim.

    But sure the Russians tried. If their intelligence services are any good, one of their jobs is to do stuff like that. Just the same as the US intelligence agencies try to influence elections in other countries. As Captain Renault said, I am shocked, shocked!

    Were they successful? That's harder to say. But US computer security related to elections is fragmented among many jurisdictions, and conducted by the low bidder (if at all). If they were able to suborn campaign staff (or candidate), that would certainly give them a lever. For example, if the Russians had the financial clout to influence anyone. Not that any candidate or staff would use Russian money in their non-campaign jobs.

    link to this | view in thread ]

  23. icon
    freedomfan (profile), 28 Jun 2017 @ 10:50am

    Ahem..

    From the last paragraph...

    If so, the fallout from the [Snowden] leaks is still causing harm to US companies, years down the road.

    Let me clarify that a tad

    If so, the fallout from US companies' participation in US government surveillance programs is still causing harm to US companies, years down the road.

    link to this | view in thread ]

  24. identicon
    Wendy Cockcroft, 29 Jun 2017 @ 2:30am

    Re: Ahem..

    ^This.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.