Under Pressure, Western Tech Firms Including Cisco and IBM Bow To Russian Demands To Share Cyber Secrets (reuters.com) 111
An anonymous reader shares a Reuters report: Western technology companies, including Cisco, IBM and SAP, are acceding to demands by Moscow for access to closely guarded product security secrets, at a time when Russia has been accused of a growing number of cyber attacks on the West, a Reuters investigation has found. Russian authorities are asking Western tech companies to allow them to review source code for security products such as firewalls, anti-virus applications and software containing encryption before permitting the products to be imported and sold in the country. The requests, which have increased since 2014, are ostensibly done to ensure foreign spy agencies have not hidden any "backdoors" that would allow them to burrow into Russian systems. But those inspections also provide the Russians an opportunity to find vulnerabilities in the products' source code -- instructions that control the basic operations of computer equipment -- current and former U.S. officials and security experts said. [...] In addition to IBM, Cisco and Germany's SAP, Hewlett Packard Enterprise Co and McAfee have also allowed Russia to conduct source code reviews of their products, according to people familiar with the companies' interactions with Moscow and Russian regulatory records.
I'd want to know, too. (Score:5, Insightful)
These are reasonable requests and fit perfictly within the Open Source paradigm. So what's the issue?
Oh, yeah it's Russia...
Re: (Score:1)
And the cybercrime mafia that they work with.
Re:I'd want to know, too. (Score:5, Insightful)
If they're sharing the code with everybody, that's good engineering practice. This raises the possibility that a White Hat will discover a bug and report it to the vendor, who can then close the hole.
If they're sharing it with only Russia, this puts them in a privileged position to exploit those bugs without reporting them. Clearly, this increases the odds of a breach. This isn't because it's Russia, either; sharing with any one entity, unless you absolutely trust them to report all the flaws they find, causes the same problem.
Re: (Score:3)
If they're sharing it with only Russia,
What makes you think the US or other western governments didn't ask for the source code and had it inspected?
Re:I'd want to know, too. (Score:5, Insightful)
These are reasonable requests and fit perfectly within the Open Source paradigm. So what's the issue?
The Open Source paradigm is that with many eyes all bugs are shallow. But in this case, there are not many eyes, only a few Russian eyes, and those eyes are at least potentially hostile.
If they want to give the Russians access, it would be wise to also give more source access to friendly eyes, such as Western security experts, along with some bug bounties to incentivise them.
Re:I'd want to know, too. (Score:5, Insightful)
If they want to give the Russians access, it would be wise to also give more source access to friendly eyes, such as Western security experts, along with some bug bounties to incentivise them.
Who says they haven't? My guess is the NSA has looked at the code...
Re: (Score:3, Interesting)
Who says they haven't? My guess is the NSA has looked at the code...
The NSA doesn't report bugs and vulnerabilities back to the tech company.
If I had a choice of disclosing my source code to either the Russians or the NSA, I would pick the Russians.
Re: (Score:2)
Yeah, I'd go with neither - agencies from both nations are going to do the same thing, for the same reasons.
Re: (Score:2, Insightful)
The NSA doesn't report bugs and vulnerabilities back to the tech company.
If I had a choice of disclosing my source code to either the Russians or the NSA, I would pick the Russians.
Be careful what you wish for. The NSA may bust your neighbor for hoarding bomb-making material, or fink you to the FBI for your 15-year collection of kiddy-pr0n. The Russians, OTOH, will cut the power to your town on the hottest day of the year, brick the machine in the hospital that's keeping you alive, make your bank account disappear, make ships, drones and planes crash into each other, and turn your home router into a trove of kiddy-pr0n while finking you out to the FBI, and even rig media and electio
Re: (Score:3)
If I had a choice of disclosing my source code to either the Russians or the NSA, I would pick the Russians.
I strongly disagree, I say this having worked at Cisco when Russian companies were building and selling clones of Cisco gear, and firmware updates with hacked licenses.
Re: I'd want to know, too. (Score:3, Insightful)
Do you honestly think that US agencies don't have access to the source code of US products? I can't imagine the department of defense running Cisco routers without inspecting the source code at first. Can you imagine US agencies running Chinese products and wouldn't it be reasonable to ask them to disclose their source code before you buy from them ?
I mean Cisco don't HAVE to sell to Russia and Russia doesn't have to buy their stuff. They can go for Huwaweii instead and I am pretty sure they will get the so
Re: (Score:1)
I mean Cisco don't HAVE to sell to Russia and Russia doesn't have to buy their stuff.
Corporations like Cisco do not have an allegiance except to the dollar.
How about a Hitler analogy: If Hitler were alive and a rising star in Germany today Cisco would be all over it providing the infrastructure for the IoT computer network for the ovens...
Re: (Score:3)
Do you honestly think that US agencies don't have access to the source code of US products?
Do you honestly think that these agencies are "friendly eyes"?
Re: (Score:1)
BWAAAHHHAAA. They HAVE given the US and other supposedly 'friendly eyes' access. Hell, we KNOW the CIA had some Cisco routers diverted to have spyware installed on them. The problem here is your definition of 'friendly eyes'. You're assuming WE'RE the 'good guys' and 'our side' would do nothing wrong if given that access. How may times does the NSA & CIA have to get caught with their hands in the cookie jar before people wake up to the fact that these agencies are NOT our 'friends'.
They may work for us
Re: (Score:1)
The Open Source paradigm is that with many eyes all bugs are shallow. But in this case, there are not many eyes, only a few Russian eyes, and those eyes are at least potentially hostile.
- not only these are 'not many eyes', these are very *specific* eyes looking at the code.
The code is not given to just anybody in Russia, it's provided to the government, which hires people specifically to break into systems. This does not reduce security problems, it increases them.
Of-course I believe that NSA, (and by extention CIA, FBI, DHS, etc.) also have seen this code and the same exact problem applies there as well.
Re: (Score:2)
only a few Russian eyes, and those eyes are at least potentially hostile.
That is exactly why they want to see the source code. Because they are considered hostile, which makes it highly likely that those security products are being fitted with backdoors.
It shows they're not complete idiots.
If you want to know if something is a bullshit and you are the victim of propaganda, simply reverse the roles. If big Russian IT companies, known for working closely with the Russian government, would sell security products to the USA, how would you judge that the US government asks to see the
Re: (Score:2, Insightful)
Truly. If they're sharing them with Russia, they should share with EVERYONE - draw an open-source license.
IBM et al. are biting the bullet because they want to sell to the Russian market... perhaps because if they don't, someone else will and make lots of oil-soaked rubles and countless Russian intangibles. But if they give away these "secrets" to the Russians, we can pretty much assume such secrets are in the wild, perhaps immediately handed to the teams of patriotic but not-at-all-affiliated with the gov
Re: (Score:2)
Since China has been stealing not only our IP but also doing identity theft on Americans, it's hardly fair to let them have a monopoly on that. I fully support Russia horning in on the action. But they should give us land in Siberia for the privilege
Re: (Score:2)
Because the items in question are presumably not Open Source, they're
closely guarded product security secrets
Meaning that the open-source support community hasn't had a chance to vet these resources for either accidental security holes, deliberate back doors, or weak spots that this quarter's budget didn't allow fixing.
So an unfriendly power can see things that the American public cannot see, giving them an advantage in terms of exploits and exploit counter-measures.
Re: (Score:2)
You might want to mention that to President Trump and current Homeland Security officials. He seems to think it was real. Also, to those left-wing Democratic operatives over at Voice of America.
Re: (Score:2, Troll)
Re: (Score:1)
Re: (Score:2)
Maybe you should find a better way to waste your time than responding to an obvious ringer?
(ProTip: Posts from real Slashdot editor accounts are badged with the Slashdot logo [fsdn.com].)
Re: (Score:2, Interesting)
Daily
With former FBI, NSA and CIA directors acknowledging the One Party Promoting Hacks
Re: (Score:3)
everyone NOT in the Faux "News" moonbat directory.
What news source isn't in the moonbat directory right now? They've all gone off the deep end as far as I can tell.
Re: (Score:2)
Code audits shouldn't be suspicious (Score:4, Interesting)
They should be standard procedure by every authority dealing with security sensitive systems.
I soviet russia the source code opens you (Score:2)
Re: (Score:2)
In Soviet Russia, code repository forks you!
Incidentally, this is why my next router is going to be a generic linux SBC and not an appliance.
Many governments do this (Score:1)
Re: (Score:3)
A headline you'll never see... (Score:3)
Western technology companies, including Cisco, IBM and SAP, are acceding to demands by concerned citizens in many countries for access to closely guarded product security secrets
Weird that the companies value making a buck today over the possibility that a hostile foreign power could undermine the security of their products tomorrow. I see it as these companies throwing everyone who depends on these systems under the bus.
Re: (Score:2)
a hostile foreign power would maybe matter to a national company, multinationals have no conflict except lack of growth.
Re: (Score:2)
I work for one of those companies in that list and have been a part of an on-site visit by the foreign government entities. Its done in a VERY controlled manner.
Under the conditions you describe I can see how it would be difficult to duplicate the source code, or glean much in the way of useful information
to ensure foreign spy agencies have not hidden any "backdoors" that would allow them to burrow into Russian systems.
. Personally, I couldn't sit down, scan over 1 million lines of code and spot any backdoors, but somebody obviously can.
I didn't catch where the reviews you were part of were conducted. The article says reviews were done in a "clean room" and mentions Echelon, a Moscow-based technology testing company. Normally I'd be a little skeptical, but I guess when Ech
This is the absolute best effect of Trump elected (Score:3)
Before, no-one would have cared about Russia at all. Many openly mocked Romney years ago for saying Russia was still a threat...
Now Russia actually concerns people, not just on the right anymore but also the left. FINALLY we have some agreement that we need to be more cautious with security around Russia and that they are a major player in security breaches.
Mind you, the left has probably gone overboard on the Russia concern, but they are way closer to the correct degree of paranoia than they once were even if they overshot.
Re:This is the absolute best effect of Trump elect (Score:5, Insightful)
Re: (Score:1)
McCarthy thought there were about 20 to 30 Russian spies working int he US government. When the USSR fell and their files opened up we learned they had closer to 300 spies in extremely high places in the government.
McCarthy wasn't just right, he was actually less paranoid than he should have been. Yet today, despite all the proof to the contrary leftists still use his name like he was the boogeyman, all because Hollywood got exposed as the anti-American shit stains they were/are.
Re: (Score:1)
Every single person McCarthy exposed was later proven to be a Russian spy. Every. Single. One.
Re: (Score:3)
How much of the Cold War do you think was created by people believing and/or wanting to have a Cold War?
McCarthy certainly caused many of the things he was afraid of to happen. For example, communists within the USA went underground due to his prosecutions. Before him, communism was simply another political option, like the Green party is today.
Re: (Score:2)
Yeah like you are going to do any business in Russia without going through the Russian Mafia to some degree - who cares?? The Russian Mafia is old news compared to Russian Government. Get a new hobby as yours is driving you CRAY CRAY.
Greed will destroy the west (Score:1)
"We will hang the capitalists with the rope that they sell us."
W.I. Lenin
Re: (Score:2)
I just hope ... (Score:2)
... the Russians let me know if my Cisco router is a piece of shit.
The USA should ... (Score:2)
... certainly be doing the same for IoT.
Re: (Score:2)
Regulation in this administration/congress/senate? Why don't you just go punch out God while you're at it?
Re: (Score:2)
I'd rather tip a unicorn.
And Why are we saying "yes"? (Score:3)
Anything for money (Score:2)
Whose Problem is This, Really? (Score:1)
Well, its not as if Cisco and Co are obliged to reveal their code. They choose to agree to the demand so as to be able to sell their products there. So that is just plain commercial interest - nothing inherently wrong there.
On a political level the adversary has a chance to spot and exploit possible flaws in said code to do Bad Things... different pair of shoes, isn't it, Donald.
Importing crypto to Russia requires two licenses. (Score:2)
Importing crypto to Russia requires two licenses.
One from their equivalent of the State Department, and one from their equivalent of the NSA.
The NSA part stopped granting licenses a while back, which is why the Chromebook crypto development group was disbanded in Moscow (and most of them ended up moving West to Finland, and started working on the same code again).
You weren't allowed to import or export computers with TPM hardware.
Hard to work on Chromebooks when you can't get Chromebooks.
Re: (Score:2)
Re: (Score:2)
Because a VM isn't real hardware and you miss out on a lot of platform issues when you never run your software on the real platform.
Re: (Score:2)
I'd get the point if you're talking about hardware that's very different from the host hardware. Like if you were talking about a Solaris/SPARC VM on a Windows Server. But in the case of Chromebooks, the hardware is a feature subset of the host: it's usually an Atom based netbook running ChromeOS. So the hardware should be rather trivial to duplicate on the VM, even if the OS is very different.
Re: (Score:2)
Except the TPM, of course. And the Cellular modem. And the camera controller. And the PMU.
An emulator isn't the same as a simulator.
Re: (Score:2)
If you can do a TPM in a VM, it's strong cryptography.
Which you are not allowed to have without a license from two agencies in Russia.
It's also a waste of time, when you have actual hardware available, but you are not allowed to take it into or out of the country.
If the things will never be allowed to be sold in Russia, why pay a Russian team to work on something that's never going to impact their market? How can they be expected to come up with clever or innovative new things, when all they have is their
What about export controls? (Score:2)
I thought there were export controls on security/encryption software, specifically to prevent this technology from falling into the hands of international rivals.
Re: (Score:2)
I thought there were export controls on security/encryption software, specifically to prevent this technology from falling into the hands of international rivals.
You file paperwork with the government and get permission, per product. This is normal.
Re: (Score:2)
The world is probably pretty even on this. Like the OpenBSD project is Canadian, not American, and their stuff is pretty much open. Chances are that not only do the Russians & Chinese have the latest & greatest, but even our Muslim enemies do. Export controls won't do a thing
Re: (Score:2)
These always were BS. What would happen today is that they would just build their own equivalents not much later.
Re: (Score:2)
This is why it is so stupid ... (Score:4, Insightful)
of the likes of GCHQ and the NSA to hoard vulnerabilities that they find. The Russians, and likely other ''bad guys'', are probably going to find the same set of vulnerabilities.
If they really wanted to do their job of protecting us they would tell the vendor and we would all be a lot safer.
Re: (Score:2)
Indeed. And even of the others do not get the source code, these reviews can be done on lower level as well. Just a bit more expensive.
Incidentally, for most purposes, the NSA and the GCHQ must be classified as "bad guys" these days.
Maybe do produce products with bad code then? (Score:2)
And these reviews are nothing to fear. Cone to think of it, maybe have such reviews of your products done independently and regularly anyways?
I can see nothing bad here, the Russians are doing it right.
Re: (Score:2)
That should have been "do not" in the title...
wow, misleading headline (Score:2)
What a misleading headline, wow.
Yes, you would want to see the source code of security products, especially if they are made in a country that constantly paints you as its #1 cyber enemy and that is known for having its secret services work closely with its IT companies. If the Kremlin had hired me for consulting, getting the source code and carefully inspecting it would've definitely been on the list of things I'd recommend.
What's next? "Russian authorities enforce self-bondage laws on all citizens, requir