Security Encryption Privacy Technology

Under Pressure, Western Tech Firms Including Cisco and IBM Bow To Russian Demands To Share Cyber Secrets (reuters.com)

An anonymous reader shares a Reuters report: Western technology companies, including Cisco, IBM and SAP, are acceding to demands by Moscow for access to closely guarded product security secrets, at a time when Russia has been accused of a growing number of cyber attacks on the West, a Reuters investigation has found. Russian authorities are asking Western tech companies to allow them to review source code for security products such as firewalls, anti-virus applications and software containing encryption before permitting the products to be imported and sold in the country. The requests, which have increased since 2014, are ostensibly done to ensure foreign spy agencies have not hidden any "backdoors" that would allow them to burrow into Russian systems. But those inspections also provide the Russians an opportunity to find vulnerabilities in the products' source code -- instructions that control the basic operations of computer equipment -- current and former U.S. officials and security experts said. [...] In addition to IBM, Cisco and Germany's SAP, Hewlett Packard Enterprise Co and McAfee have also allowed Russia to conduct source code reviews of their products, according to people familiar with the companies' interactions with Moscow and Russian regulatory records.
  • by Frosty Piss ( 770223 ) * on Friday June 23, 2017 @01:45PM (#54677167)

    These are reasonable requests and fit perfectly within the Open Source paradigm. So what's the issue?

    Oh, yeah it's Russia...

    • by Anonymous Coward

      And the cybercrime mafia that they work with.

    • by rmandevi ( 2168940 ) on Friday June 23, 2017 @01:53PM (#54677215)

      If they're sharing the code with everybody, that's good engineering practice. This raises the possibility that a White Hat will discover a bug and report it to the vendor, who can then close the hole.

      If they're sharing it with only Russia, this puts them in a privileged position to exploit those bugs without reporting them. Clearly, this increases the odds of a breach. This isn't because it's Russia, either; sharing with any one entity, unless you absolutely trust them to report all the flaws they find, causes the same problem.

      • by Tom ( 822 )

        If they're sharing it with only Russia,

        What makes you think the US or other western governments didn't ask for the source code and had it inspected?

    • by ShanghaiBill ( 739463 ) on Friday June 23, 2017 @01:54PM (#54677217)

      These are reasonable requests and fit perfectly within the Open Source paradigm. So what's the issue?

      The Open Source paradigm is that with many eyes all bugs are shallow. But in this case, there are not many eyes, only a few Russian eyes, and those eyes are at least potentially hostile.

      If they want to give the Russians access, it would be wise to also give more source access to friendly eyes, such as Western security experts, along with some bug bounties to incentivise them.

      • by Frosty Piss ( 770223 ) * on Friday June 23, 2017 @02:05PM (#54677295)

        If they want to give the Russians access, it would be wise to also give more source access to friendly eyes, such as Western security experts, along with some bug bounties to incentivise them.

        Who says they haven't? My guess is the NSA has looked at the code...

        • Re: (Score:3, Interesting)

          Who says they haven't? My guess is the NSA has looked at the code...

          The NSA doesn't report bugs and vulnerabilities back to the tech company.

          If I had a choice of disclosing my source code to either the Russians or the NSA, I would pick the Russians.

          • by sl3xd ( 111641 )

            Yeah, I'd go with neither - agencies from both nations are going to do the same thing, for the same reasons.

          • Re: (Score:2, Insightful)

            by WheezyJoe ( 1168567 )

            The NSA doesn't report bugs and vulnerabilities back to the tech company.

            If I had a choice of disclosing my source code to either the Russians or the NSA, I would pick the Russians.

            Be careful what you wish for. The NSA may bust your neighbor for hoarding bomb-making material, or fink you to the FBI for your 15-year collection of kiddy-pr0n. The Russians, OTOH, will cut the power to your town on the hottest day of the year, brick the machine in the hospital that's keeping you alive, make your bank account disappear, make ships, drones and planes crash into each other, and turn your home router into a trove of kiddy-pr0n while finking you out to the FBI, and even rig media and electio

          • If I had a choice of disclosing my source code to either the Russians or the NSA, I would pick the Russians.

            I strongly disagree, I say this having worked at Cisco when Russian companies were building and selling clones of Cisco gear, and firmware updates with hacked licenses.

      • by Anonymous Coward

        Do you honestly think that US agencies don't have access to the source code of US products? I can't imagine the department of defense running Cisco routers without inspecting the source code at first. Can you imagine US agencies running Chinese products and wouldn't it be reasonable to ask them to disclose their source code before you buy from them ?

        I mean Cisco don't HAVE to sell to Russia and Russia doesn't have to buy their stuff. They can go for Huawei instead and I am pretty sure they will get the so

        • I mean Cisco don't HAVE to sell to Russia and Russia doesn't have to buy their stuff.

          Corporations like Cisco do not have an allegiance except to the dollar.

          How about a Hitler analogy: If Hitler were alive and a rising star in Germany today Cisco would be all over it providing the infrastructure for the IoT computer network for the ovens...

        • Do you honestly think that US agencies don't have access to the source code of US products?

          Do you honestly think that these agencies are "friendly eyes"?

      • by Anonymous Coward

        BWAAAHHHAAA. They HAVE given the US and other supposedly 'friendly eyes' access. Hell, we KNOW the CIA had some Cisco routers diverted to have spyware installed on them. The problem here is your definition of 'friendly eyes'. You're assuming WE'RE the 'good guys' and 'our side' would do nothing wrong if given that access. How many times does the NSA & CIA have to get caught with their hands in the cookie jar before people wake up to the fact that these agencies are NOT our 'friends'.

        They may work for us

      • The Open Source paradigm is that with many eyes all bugs are shallow. But in this case, there are not many eyes, only a few Russian eyes, and those eyes are at least potentially hostile.

        - not only these are 'not many eyes', these are very *specific* eyes looking at the code.

        The code is not given to just anybody in Russia, it's provided to the government, which hires people specifically to break into systems. This does not reduce security problems, it increases them.

        Of course I believe that the NSA (and by extension CIA, FBI, DHS, etc.) also have seen this code and the same exact problem applies there as well.

      • by Tom ( 822 )

        only a few Russian eyes, and those eyes are at least potentially hostile.

        That is exactly why they want to see the source code. Because they are considered hostile, which makes it highly likely that those security products are being fitted with backdoors.

        It shows they're not complete idiots.

        If you want to know if something is a bullshit and you are the victim of propaganda, simply reverse the roles. If big Russian IT companies, known for working closely with the Russian government, would sell security products to the USA, how would you judge that the US government asks to see the

    • Re: (Score:2, Insightful)

      by WheezyJoe ( 1168567 )

      Truly. If they're sharing them with Russia, they should share with EVERYONE - draw an open-source license.

      IBM et al. are biting the bullet because they want to sell to the Russian market... perhaps because if they don't, someone else will and make lots of oil-soaked rubles and countless Russian intangibles. But if they give away these "secrets" to the Russians, we can pretty much assume such secrets are in the wild, perhaps immediately handed to the teams of patriotic but not-at-all-affiliated with the gov

    • Since China has been stealing not only our IP but also doing identity theft on Americans, it's hardly fair to let them have a monopoly on that. I fully support Russia horning in on the action. But they should give us land in Siberia for the privilege

    • Because the items in question are presumably not Open Source, they're

      closely guarded product security secrets

      Meaning that the open-source support community hasn't had a chance to vet these resources for either accidental security holes, deliberate back doors, or weak spots that this quarter's budget didn't allow fixing.

      So an unfriendly power can see things that the American public cannot see, giving them an advantage in terms of exploits and exploit counter-measures.

  • by Hentes ( 2461350 ) on Friday June 23, 2017 @01:50PM (#54677193)

    They should be standard procedure by every authority dealing with security sensitive systems.

  • This story is the best reply to all those who claim that closed source offers intrinsically better security than open source: close source code is only closed for you.
    • In Soviet Russia, code repository forks you!

      Incidentally, this is why my next router is going to be a generic linux SBC and not an appliance.

  • US Government does this. China does this. Others do. I'm only surprised they didn't start sooner.
  • A headline you'll never see...

    Western technology companies, including Cisco, IBM and SAP, are acceding to demands by concerned citizens in many countries for access to closely guarded product security secrets

    Weird that the companies value making a buck today over the possibility that a hostile foreign power could undermine the security of their products tomorrow. I see it as these companies throwing everyone who depends on these systems under the bus.

    • by zlives ( 2009072 )

      a hostile foreign power would maybe matter to a national company, multinationals have no conflict except lack of growth.

  • Before, no-one would have cared about Russia at all. Many openly mocked Romney years ago for saying Russia was still a threat...

    Now Russia actually concerns people, not just on the right anymore but also the left. FINALLY we have some agreement that we need to be more cautious with security around Russia and that they are a major player in security breaches.

    Mind you, the left has probably gone overboard on the Russia concern, but they are way closer to the correct degree of paranoia than they once were even if they overshot.

    • by nnet ( 20306 ) on Friday June 23, 2017 @04:01PM (#54678037)
      McCarthy wasn't always wrong. What goes around comes around. Welcome to the New Cold War, same as the Old Cold War.
      • by geek ( 5680 )

        McCarthy thought there were about 20 to 30 Russian spies working in the US government. When the USSR fell and their files opened up we learned they had closer to 300 spies in extremely high places in the government.

        McCarthy wasn't just right, he was actually less paranoid than he should have been. Yet today, despite all the proof to the contrary leftists still use his name like he was the boogeyman, all because Hollywood got exposed as the anti-American shit stains they were/are.

      • by Tom ( 822 )

        How much of the Cold War do you think was created by people believing and/or wanting to have a Cold War?

        McCarthy certainly caused many of the things he was afraid of to happen. For example, communists within the USA went underground due to his prosecutions. Before him, communism was simply another political option, like the Green party is today.

  • by Anonymous Coward

    "We will hang the capitalists with the rope that they sell us."

    W.I. Lenin

  • ... the Russians let me know if my Cisco router is a piece of shit.

  • ... certainly be doing the same for IoT.

  • by evolutionary ( 933064 ) on Friday June 23, 2017 @02:38PM (#54677537)
    Okay, do we really want business with Russia so badly we are going to potentially expose ourselves so freely? Wonder how Trump is enjoying this.
  • Well, it's not as if Cisco and Co are obliged to reveal their code. They choose to agree to the demand so as to be able to sell their products there. So that is just plain commercial interest - nothing inherently wrong there.

    On a political level the adversary has a chance to spot and exploit possible flaws in said code to do Bad Things... different pair of shoes, isn't it, Donald.

  • Importing crypto to Russia requires two licenses.

    One from their equivalent of the State Department, and one from their equivalent of the NSA.

    The NSA part stopped granting licenses a while back, which is why the Chromebook crypto development group was disbanded in Moscow (and most of them ended up moving West to Finland, and started working on the same code again).

    You weren't allowed to import or export computers with TPM hardware.

    Hard to work on Chromebooks when you can't get Chromebooks.

    • What's there to stop the Russians from creating Chromebook VMs? That's easy to do on standard, more powerful computers. They can then work on those VMs.
      • Because a VM isn't real hardware and you miss out on a lot of platform issues when you never run your software on the real platform.

        • I'd get the point if you're talking about hardware that's very different from the host hardware. Like if you were talking about a Solaris/SPARC VM on a Windows Server. But in the case of Chromebooks, the hardware is a feature subset of the host: it's usually an Atom based netbook running ChromeOS. So the hardware should be rather trivial to duplicate on the VM, even if the OS is very different.

          • Except the TPM, of course. And the Cellular modem. And the camera controller. And the PMU.

            An emulator isn't the same as a simulator.

      • If you can do a TPM in a VM, it's strong cryptography.

        Which you are not allowed to have without a license from two agencies in Russia.

        It's also a waste of time, when you have actual hardware available, but you are not allowed to take it into or out of the country.

        If the things will never be allowed to be sold in Russia, why pay a Russian team to work on something that's never going to impact their market? How can they be expected to come up with clever or innovative new things, when all they have is their

  • I thought there were export controls on security/encryption software, specifically to prevent this technology from falling into the hands of international rivals.

    • I thought there were export controls on security/encryption software, specifically to prevent this technology from falling into the hands of international rivals.

      You file paperwork with the government and get permission, per product. This is normal.

    • The world is probably pretty even on this. Like the OpenBSD project is Canadian, not American, and their stuff is pretty much open. Chances are that not only do the Russians & Chinese have the latest & greatest, but even our Muslim enemies do. Export controls won't do a thing

    • by gweihir ( 88907 )

      These always were BS. What would happen today is that they would just build their own equivalents not much later.

  • by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Friday June 23, 2017 @04:24PM (#54678157)

    of the likes of GCHQ and the NSA to hoard vulnerabilities that they find. The Russians, and likely other ''bad guys'', are probably going to find the same set of vulnerabilities.

    If they really wanted to do their job of protecting us they would tell the vendor and we would all be a lot safer.

    • by gweihir ( 88907 )

      Indeed. And even if the others do not get the source code, these reviews can be done on a lower level as well. Just a bit more expensive.

      Incidentally, for most purposes, the NSA and the GCHQ must be classified as "bad guys" these days.

  • And these reviews are nothing to fear. Come to think of it, maybe have such reviews of your products done independently and regularly anyways?

    I can see nothing bad here, the Russians are doing it right.

  • What a misleading headline, wow.

    Yes, you would want to see the source code of security products, especially if they are made in a country that constantly paints you as its #1 cyber enemy and that is known for having its secret services work closely with its IT companies. If the Kremlin had hired me for consulting, getting the source code and carefully inspecting it would've definitely been on the list of things I'd recommend.

    What's next? "Russian authorities enforce self-bondage laws on all citizens, requir
