China Security

Chinese Agency Linked To Cyber-Espionage Operations Will Review Source Code of Foreign Firms (bleepingcomputer.com) 62

An anonymous reader shares a report: According to a new law voted in 2016 and which came into effect starting June 1, 2017, foreign companies activating in China could be forced to provide access to their source code to a state agency that has been recently linked to China's nation-state cyber-espionage campaigns. China's new cyber-security law (CSL) gives the China Information Technology Evaluation Center (CNITSEC) the legal power to conduct "national security reviews" of foreign companies that want to activate on the Chinese market. According to articles in the CSL, this also includes the power to request access to any app or service's source code. Chinese authorities say this is to protect citizens by searching the source code of foreign companies for secret mechanisms that collect data on Chinese users and send it to foreign servers.

  • by LeftCoastThinker ( 4697521 ) on Friday September 01, 2017 @03:55PM (#55125831)

    Bend over and prepare to have your software stolen by the world's number one IP rights violator.

    I hope the Trump administration starts putting real teeth in pushback against this kind of crap. As in blanket embargo on all goods imported from China until they start respecting our IP and stop manipulating their currency... I would be happy to buy lifetime guarantee products from the US instead of the chicom trash that stocks most department store shelves.

    • by ShanghaiBill ( 739463 ) on Friday September 01, 2017 @03:59PM (#55125853)

      I would be happy to buy lifetime guarantee products from the US instead of the chicom trash

      I would be happy to buy products with open source, regardless of where they are manufactured.

      • by Penguinisto ( 415985 ) on Friday September 01, 2017 @05:23PM (#55126325) Journal

        This, right here. If it's open source, there's nothing to try and steal.

        I am curious, though - what's to stop companies from telling China to piss off, and instead "activate" in India, Vietnam, Taiwan ("...because fuck you Beijing, that's why"), etc... It's not like China has a monopoly on cheap labor (or even on untapped markets...)

        • I am curious, though - what's to stop companies from telling China to piss off, and instead "activate" in India, Vietnam, Taiwan ("...because fuck you Beijing, that's why"), etc...

          If the companies are owned by Chinese people, it's the difficulty of getting the money out of the country. If the companies are owned by someone else, nothing. In fact, rising labor rates in China are already pushing manufacturing out of the country. They'll solve that with robots, but the manufacturing jobs will still be lost, and China already has several entire cities which have been built and are lying empty or mostly empty because they don't have enough citizens who own anything to actually fill them.

    • by Swave An deBwoner ( 907414 ) on Friday September 01, 2017 @04:10PM (#55125913)
      • Huh... Last time I checked, Hong Kong was a limited democracy form of government and not part of mainland China.

        • by XXongo ( 3986865 ) on Friday September 01, 2017 @04:42PM (#55126121) Homepage

          Huh... Last time I checked, Hong Kong was a limited democracy form of government and not part of mainland China.

          Right on the first part (with the "limited" the key word here), but it's been part of mainland China since 1997.
          http://www.bbc.com/news/world-asia-china-40426827

          • by Anonymous Coward

            Hong Kong was handed back to China in name in 1997. It is still autonomous, with its own government, borders, currency, etc., and not ruled by China, and cannot be controlled by China until 2047 at the earliest, although China has tried to control it in illegal ways, like hacking political parties it disagrees with and kidnapping booksellers writing things critical of China.

            Hong Kong is not a part of mainland China. The reason the term "mainland china" even exists is because Chinese were tired of terms lik

        • by ShanghaiBill ( 739463 ) on Friday September 01, 2017 @04:56PM (#55126199)

          Last time I checked, Hong Kong was a limited democracy form of government and not part of mainland China.

          Check again. Things changed in 1997.

          Also, when you buy clothes "from Hong Kong", that means they are shipped through HK, not made there.

    • Re: (Score:1, Insightful)

      by AmiMoJo ( 196126 )

      You could replace "Chinese" with "American" in the headline.

      The NSA has access to source code, legally or otherwise, and is just as untrustworthy.

      • by LeftCoastThinker ( 4697521 ) on Friday September 01, 2017 @04:36PM (#55126083)

        Not really. Get back to me when source code for software starts walking out the back door of the NSA and starts being sold legally with no recourse under a different brand name in the US. Because that is what we are talking about in China.

        "Get your Wandows 10 here, $10 per license for unlimited use and resale. The same exact thing as Windows 10 at a fraction of the price. Only slightly pirated."

        • by AmiMoJo ( 196126 )

          I seem to recall the NSA had some kind of leak a few years ago. Windows is massively pirated in the West already.

          In any case, I think you vastly overestimate the value of Windows source code.

          • or maybe selective reading? The fact that Windows gets pirated does not mean that there is no legal recourse for Microsoft when they catch people pirating. In fact MS does have legal recourse, almost exclusively in "the West". MS does not have open legal access to sites in China to inspect, they get the access they are given by the Chinese Government and pay the fines agreed to by the Chinese Government instead of the penalized fees seen in "the West."

            I think you are vastly underestimating the value of W

    • by Anonymous Coward

      Why should the Chinese respect American IP, do you respect theirs? Almost every company that bitches about their product being stolen by the Chinese never bothered to patent it IN CHINA.

      • Just because somebody neglects to file the patent in another country doesn't mean it wasn't technically stolen. Legality, however, is another question, and probably differs between the originating country and the country where the piracy is occurring.

      • Almost every company that bitches about their product being stolen by the Chinese never bothered to patent it IN CHINA.

        That is not what most of them are bitching about. They are complaining when that Chinese company starts exporting to America.

      • Almost every company that bitches about their product being stolen by the Chinese never bothered to patent it IN CHINA.

        Probably because it isn't necessary to patent it in China. China is a signatory on the Patent Law Treaty and Patent Cooperation Treaty, and is bound to recognize the patents of the other signatories of those treaties.

    • Also I'm sure they'll look for any vulnerabilities they can exploit for cyberhacking and cybercrime.
    • You do realize that they don't manipulate their currency right?.. that has been proven many MANY times over.

      And it's not a matter of respecting IP that's the issue.. The larger cause for concern is basically an espionage group having the ability to review and possibly steal/alter code. IP is stolen all the time.. (from everyone)..

      And a blanket embargo won't do anything other than make the local citizens hurt.. (it's not like wages rise as fast as COL).. And salaries have been depressed for the last 30

      • You do realize that they don't manipulate their currency right?.. that has been proven many MANY times over.

        And it's not a matter of respecting IP that's the issue.. The larger cause for concern is basically an espionage group having the ability to review and possibly steal/alter code. IP is stolen all the time.. (from everyone)..

        And a blanket embargo won't do anything other than make the local citizens hurt.. (it's not like wages rise as fast as COL).. And salaries have been depressed for the last 30 years.

        Actually, the value of their currency is defined by the central bank which is controlled by the government. It has been well documented that they have manipulated their currency. As AC said: "The RMB is a managed float and by definition is manipulated by the central bank to fulfill the "managed". That doesn't even consider the impacts of other policies they institute, such as those on foreign/domestic investment."

        https://www.forbes.com/sites/j... [forbes.com]
        http://foreignpolicy.com/2016/... [foreignpolicy.com]

        As far as IP theft goes, pl

    • by Knightman ( 142928 ) on Friday September 01, 2017 @06:17PM (#55126563)

      You are aware that the US economy only functions because of China, right?

      China owns about $1.1 trillion of the US debt, Japan about as much too, in total about 11% of the total US national debt.

      A majority of the consumer goods imported to the US comes from China, an embargo will make a huge impact on the economy and getting into a pissing contest with China will mostly hurt the US badly.

      • But do you know who owns more US debt than anyone else in the world?

        Americans.

      • You seem to be confused about how debt works. Debt is only collectible if the governmental authority enforces it to be collected. If I were Trump, I would take that $1.1T and let the Chinese know that if they don't shape up, we will deduct that debt against the value of the IP and business they stole from the US using hacking and currency manipulation for the last 20 years. Care to figure out how much that would add up to? Any debt that China holds can be declared by the US government to be invalid and

        • Both hinge on if China beats us to having working hypersonic missiles with EMP warheads. We have the missiles (being tested now, their propulsion and first flight tests already worked), now we just need the warheads. They are working on gaining the missiles, but are not anywhere close to having the warheads.

          Whoever has these can literally snuff out the economy (and power grid) of any rival in a virtual instant in this age of everything being computer controlled. Modern vehicles of all stripes? Toast. Resea

          • Last time I checked, EMP weapons had been around for a long time (basically all you have to do is detonate a nuclear device in the ionosphere.) Most of the US military equipment is hardened against such an attack. I would have to think that China's military, including their ICBMs is also hardened against EMP attack. Hardening means that while the equipment directly in the blast zone of maybe 10 miles still gets fried, everything outside that radius still works. Also, to take out the entire US or China,

      • "the US economy only functions because of China"

        The US GDP in 2016 was $18.57 trillion. The US net trade deficit with China in 2016 was $347 billion. The US GDP growth rate in 2016 was 1.6%. The loss of trade with China would represent only 14 months of lost growth at the 2016 rate, assuming no replacement (i.e. no new domestic production to replace former imports, no alternate customers for exports, etc.).

        "China owns about $1.1 trillion of the US debt"

        Why do you think federal budget debt has anything to wi

  • ...they're just adding this to their list of technology transfers they require of lots of companies. Within 20 years, max, we'll truly start to appreciate the damage we've done by giving China a monopoly on manufacturing.
  • Chinese authorities say this is to protect citizens by searching the source code of foreign companies for secret mechanisms that collect data on Chinese users and send it to foreign servers.

    Isn't that the whole purpose of what Microsoft Windows 10 Telemetry does . . . ?

    Maybe the Chinese authorities have a deal with Microsoft, so that Microsoft collects the data on Chinese users and sends it directly to Chinese authorities' servers . . . ?

    Maybe the Chinese authorities have a deal with Microsoft, so that Microsoft collects the data on US users and sends it directly to Chinese authorities' servers . . . ?

    • by Altrag ( 195300 )

      Microsoft collects the data on Chinese users and sends it directly to Chinese authorities' servers

      Could be. Who knows. The Chinese government isn't exactly known for protecting citizens' rights and I don't know why privacy would be given any higher standing than other (lack of) rights.

      Microsoft collects the data on US users and sends it directly to Chinese authorities' servers

      Extremely unlikely. That would literally be treason and even Microsoft's bankroll would have trouble keeping people out of jail if they were caught doing this. It's one thing to fuck over your country for profit, it's quite another to fuck over your country to promote another nation's interests, especially one that while

      • It would not be treason unless the information revealed was defense secrets of the country. Not what web sites people are looking at. And even then, it would probably be espionage rather than treason unless we happened to be at war with China at the time.

        It is not inconceivable that Microsoft could be providing information to China on the behavior of US consumers, without breaking any US law.

        • It would not be treason unless the information revealed was defense secrets of the country.

          Under the Constitution, it wouldn't be treason even then. The US has an extremely narrow definition of "treason" (that narrow definition is a feature, not a bug).

          A big part of the definition is it has to involve an entity that the US has declared an "enemy". China is not categorized as such.

  • by Gravis Zero ( 934156 ) on Friday September 01, 2017 @04:45PM (#55126141)

    Chinese authorities say this is to protect citizens by searching the source code of foreign companies for secret mechanisms that collect data on Chinese users and send it to foreign servers.

    What they really want is for the mechanisms to be on Chinese servers so that they can have access to all your information on their own citizens, lest one of them have some wrongthink.

  • by JohnFen ( 1641097 ) on Friday September 01, 2017 @05:26PM (#55126329)

    Russia and the US have had requirements like that for years now. China's a late-comer to this game.

    • I'm sorry but citation needed please.
      • I have no citation, only personal experience (which I can't go into detail about because NDAs).

        However, I've been a part of several teams where we met with representatives of both the US and Russian governments in order to walk them through source code. They don't get to take the code with them, but they do get pretty much as much supervised time to look it over, on our premises, as they wish.

        • I'm going to take a wild guess and say that your company was probably trying to sell their product(s) to the federal government (in the US at least), not just displaying the code for random consumer software.

          In the case discussed here I think that China is demanding access to any code that runs within the country. So the average person who wants to run "CandyLand" on their phone can rest assured that the code isn't stealing their PII or, worse, that they are exchanging encrypted political opinions with
      • by AHuxley ( 892839 )
        Re "citation needed please."
        How the Electronic Communications Privacy Act of 1986 (ECPA) was used.
        https://en.wikipedia.org/wiki/... [wikipedia.org]
        Prism https://en.wikipedia.org/wiki/... [wikipedia.org] and what it could access.
        Some US states might have changed laws but federally it's all about access.
        US states might offer some electronic device searches, real-time GPS tracking protections or the use of cell site simulators.
        For all that access to work in the USA someone in the gov/mil is getting help or been giving help.
        Diffe
  • foreign companies activating in China could be forced to provide access to their source code to a state agency

    But local companies will be free to include malware without review?

  • Simply impose the same requirements on Chinese goods. Problem solved.

  • by mentil ( 1748130 ) on Saturday September 02, 2017 @12:11AM (#55127551)

    The source code is being reviewed by the state cyberwarfare division? Sounds like they're scouring the code to find exploits they can use to attack enemies/spy on everyone.

  • by Anonymous Coward

    several U.S. agencies linked to cyber-espionage and sabotage do the same. You may know them as NSA, CIA, etc.
