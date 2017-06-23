Under Pressure, Western Tech Firms Including Cisco and IBM Bow To Russian Demands To Share Cyber Secrets (reuters.com) 8
An anonymous reader shares a Reuters report: Western technology companies, including Cisco, IBM and SAP, are acceding to demands by Moscow for access to closely guarded product security secrets, at a time when Russia has been accused of a growing number of cyber attacks on the West, a Reuters investigation has found. Russian authorities are asking Western tech companies to allow them to review source code for security products such as firewalls, anti-virus applications and software containing encryption before permitting the products to be imported and sold in the country. The requests, which have increased since 2014, are ostensibly done to ensure foreign spy agencies have not hidden any "backdoors" that would allow them to burrow into Russian systems. But those inspections also provide the Russians an opportunity to find vulnerabilities in the products' source code -- instructions that control the basic operations of computer equipment -- current and former U.S. officials and security experts said. [...] In addition to IBM, Cisco and Germany's SAP, Hewlett Packard Enterprise Co and McAfee have also allowed Russia to conduct source code reviews of their products, according to people familiar with the companies' interactions with Moscow and Russian regulatory records.
I'd want to know, too. (Score:2)
These are reasonable requests and fit perfictly within the Open Source paradigm. So what's the issue?
Oh, yeah it's Russia...
Re: (Score:1)
If they're sharing the code with everybody, that's good engineering practice. This raises the possibility that a White Hat will discover a bug and report it to the vendor, who can then close the hole.
If they're sharing it with only Russia, this puts them in a privileged position to exploit those bugs without reporting them. Clearly, this increases the odds of a breach. This isn't because it's Russia, either; sharing with any one entity, unless you absolutely trust them to report all the flaws they find,
Re: (Score:3)
These are reasonable requests and fit perfectly within the Open Source paradigm. So what's the issue?
The Open Source paradigm is that with many eyes all bugs are shallow. But in this case, there are not many eyes, only a few Russian eyes, and those eyes are at least potentially hostile.
If they want to give the Russians access, it would be wise to also give more source access to friendly eyes, such as Western security experts, along with some bug bounties to incentivise them.
Code audits shouldn't be suspicious (Score:2)
They should be standard procedure by every authority dealing with security sensitive systems.
