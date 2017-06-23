Under Pressure, Western Tech Firms Including Cisco and IBM Bow To Russian Demands To Share Cyber Secrets (reuters.com) 53
An anonymous reader shares a Reuters report: Western technology companies, including Cisco, IBM and SAP, are acceding to demands by Moscow for access to closely guarded product security secrets, at a time when Russia has been accused of a growing number of cyber attacks on the West, a Reuters investigation has found. Russian authorities are asking Western tech companies to allow them to review source code for security products such as firewalls, anti-virus applications and software containing encryption before permitting the products to be imported and sold in the country. The requests, which have increased since 2014, are ostensibly done to ensure foreign spy agencies have not hidden any "backdoors" that would allow them to burrow into Russian systems. But those inspections also provide the Russians an opportunity to find vulnerabilities in the products' source code -- instructions that control the basic operations of computer equipment -- current and former U.S. officials and security experts said. [...] In addition to IBM, Cisco and Germany's SAP, Hewlett Packard Enterprise Co and McAfee have also allowed Russia to conduct source code reviews of their products, according to people familiar with the companies' interactions with Moscow and Russian regulatory records.
These are reasonable requests and fit perfectly within the Open Source paradigm. So what's the issue?
Oh, yeah it's Russia...
If they're sharing the code with everybody, that's good engineering practice. This raises the possibility that a White Hat will discover a bug and report it to the vendor, who can then close the hole.
If they're sharing it with only Russia, this puts them in a privileged position to exploit those bugs without reporting them. Clearly, this increases the odds of a breach. This isn't because it's Russia, either; sharing with any one entity, unless you absolutely trust them to report all the flaws they find, causes the same problem.
The Open Source paradigm is that with many eyes all bugs are shallow. But in this case, there are not many eyes, only a few Russian eyes, and those eyes are at least potentially hostile.
If they want to give the Russians access, it would be wise to also give more source access to friendly eyes, such as Western security experts, along with some bug bounties to incentivise them.
Who says they haven't? My guess is the NSA has looked at the code...
The NSA doesn't report bugs and vulnerabilities back to the tech company.
If I had a choice of disclosing my source code to either the Russians or the NSA, I would pick the Russians.
Yeah, I'd go with neither - agencies from both nations are going to do the same thing, for the same reasons.
Be careful what you wish for. The NSA may bust your neighbor for hoarding bomb-making material, or fink you to the FBI for your 15-year collection of kiddy-pr0n. The Russians, OTOH, will cut the power to your town on the hottest day of the year, brick the machine in the hospital that's keeping you alive, make your bank account disappear, make ships, drones and planes crash into each other, and turn your home router into a trove of kiddy-pr0n while finking you out to the FBI, and even rig media and electio
I mean Cisco don't HAVE to sell to Russia and Russia doesn't have to buy their stuff.
Corporations like Cisco do not have an allegiance except to the dollar.
How about a Hitler analogy: If Hitler were alive and a rising star in Germany today Cisco would be all over it providing the infrastructure for the IoT computer network for the ovens...
Do you honestly think that US agencies don't have access to the source code of US products?
Do you honestly think that these agencies are "friendly eyes"?
Truly. If they're sharing them with Russia, they should share with EVERYONE - draw an open-source license.
IBM et al. are biting the bullet because they want to sell to the Russian market... perhaps because if they don't, someone else will and make lots of oil-soaked rubles and countless Russian intangibles. But if they give away these "secrets" to the Russians, we can pretty much assume such secrets are in the wild, perhaps immediately handed to the teams of patriotic but not-at-all-affiliated with the gov
Daily
With former FBI, NSA and CIA directors acknowledging the One Party Promoting Hacks
You might want to mention that to President Trump and current Homeland Security officials. He seems to think it was real. Also, to those left-wing Democratic operatives over at Voice of America.
They should be standard procedure by every authority dealing with security sensitive systems.
I'm glad the US, British and western governments never do such things.
/s
Western technology companies, including Cisco, IBM and SAP, are acceding to demands by concerned citizens in many countries for access to closely guarded product security secrets
Weird that the companies value making a buck today over the possibility that a hostile foreign power could undermine the security of their products tomorrow. I see it as these companies throwing everyone who depends on these systems under the bus.
A hostile foreign power would maybe matter to a national company; multinationals have no conflict except lack of growth.
Before, no-one would have cared about Russia at all. Many openly mocked Romney years ago for saying Russia was still a threat...
Now Russia actually concerns people, not just on the right anymore but also the left. FINALLY we have some agreement that we need to be more cautious with security around Russia and that they are a major player in security breaches.
Mind you, the left has probably gone overboard on the Russia concern, but they are way closer to the correct degree of paranoia than they once were eve
... the Russians let me know if my Cisco router is a piece of shit.
... certainly be doing the same for IoT.
Regulation in this administration/congress/senate? Why don't you just go punch out God while you're at it?
I'd rather tip a unicorn.
Well, it's not as if Cisco and Co. are obliged to reveal their code. They choose to agree to the demand so as to be able to sell their products there. So that is just plain commercial interest - nothing inherently wrong there.
On a political level the adversary has a chance to spot and exploit possible flaws in said code to do Bad Things... different pair of shoes, isn't it, Donald.
Importing crypto to Russia requires two licenses.
One from their equivalent of the State Department, and one from their equivalent of the NSA.
The NSA part stopped granting licenses a while back, which is why the Chromebook crypto development group was disbanded in Moscow (and most of them ended up moving West to Finland, and started working on the same code again).
You weren't allowed to import or export computers with TPM hardware.
Hard to work on Chromebooks when you can't get Chromebooks.
I thought there were export controls on security/encryption software, specifically to prevent this technology from falling into the hands of international rivals.
You file paperwork with the government and get permission, per product. This is normal.