HP Enterprise Let Russia Scrutinize The Pentagon's Cyberdefense Software (reuters.com)
"A Russian defense agency was allowed to review the cyberdefense software used by the Pentagon to protect its computer networks," writes new submitter quonset. "This according to Russian regulatory records and interviews with people with direct knowledge of the issue." Reuters reports:
The Russian review of ArcSight's source code, the closely guarded internal instructions of the software, was part of Hewlett Packard Enterprise's effort to win the certification required to sell the product to Russia's public sector, according to the regulatory records seen by Reuters and confirmed by a company spokeswoman. Six former U.S. intelligence officials, as well as former ArcSight employees and independent security experts, said the source code review could help Moscow discover weaknesses in the software, potentially helping attackers to blind the U.S. military to a cyber attack. "It's a huge security vulnerability," said Greg Martin, a former security architect for ArcSight. "You are definitely giving inner access and potential exploits to an adversary."
It's another example of the problems security companies face when they try to do business internationally, according to Reuters. "One reason Russia requests the reviews before allowing sales to government agencies and state-run companies is to ensure that U.S. intelligence services have not placed spy tools in the software."
Long-time Slashdot reader bbsguru has his own worries. "So, opening your code for review because it is demanded by a potential customer? What could possibly go wrong? HPE may find out, and the U.S. Military is among the many clients depending on the answer."
Re:This is HPE (Score:5, Informative)
You mean like the network-connected smart HP photocopy/scanning machines that are almost everywhere in Fortune 500 companies, government agencies, and FedEx Offices (formerly Kinkos).
Russians having access to that would be some sweet revenge. After all, we used Xerox copiers and Xerox maintenance people to keep copies of all the documents Russian government officials photocopied for years.
HP Inc. != HPE (Score:2)
The original Hewlett-Packard split into HP Inc and HPE [wikipedia.org] years ago. The old printer business is on the other side of the split.
Re: (Score:2)
Right, but they were talking about printers, which have never been a part of HPE as far as I know.
Re: (Score:2)
Thanks for the correction. I would downvote myself if I could.
Ordinary (Score:3)
Wait until they figure out who all Microsoft has shared the Windows source code with.
Re: (Score:2, Troll)
Do they even have source code? I thought it was all chewing gum, baling wire, and gerbils....
Re: (Score:1)
Or maybe you're just being trolled.
Re: (Score:3)
Keep laughing. Wait until Poettering dreams up this new brilliant idea. Instead of having /etc and its collection of human readable text files, all system configuration settings will be kept in a binary database named REGISTRY.DAT. Redhat will love this because their business model is selling support.
Re:Ordinary (Score:4, Interesting)
Wait until they figure out who all Microsoft has shared the Windows source code with.
Or Linux, just look at who they share the source code with!
The Problem is Proprietary Software (Score:1, Insightful)
Security through obscurity doesn't work. Fuzzing will eventually find holes.
It is time to change policies toward open source software. This approach puts security in everyone's best interest.
It is also time to switch to IPv6 only.
It is also time to get critical infrastructure completely off of the Internet.
Security through Obscurity? (Score:5, Insightful)
A good security product is secure even if attackers know how it works.
Re: (Score:2)
That's why side-attacks are so unsuccessful, right? No one could figure out a methodology to spoof the good guys, right? NSA-- never been hacked, right?
IMHO, HPE should be hung out to dry.
Re: Security through Obscurity? (Score:4, Insightful)
If your bank is only secure as long as no one is allowed to see you handle the money, you don't have a very secure bank.
If your software is only secure as long as no one is allowed to see it handle input, then you don't have very secure software.
FYI: Saying that your protection is a smokescreen and magic hand waving is not as good as having good documentation detailing what the protection's limits are and where improvements can be made. The latter can be implemented with those
Re: Security through Obscurity? (Score:1)
Damn phone...
The latter can be implemented taking those deficiencies into account, the former can only hope that it holds up when it's needed most. (And isn't compromised at the time of purchase.)
Re: (Score:2)
Your metaphors are as foolish as you are. Good grief. It's inferred that various actors used Kaspersky's AV-AM to have a full inventory of an NSA contractor's purloined (oh, sure, he was working at home) software.
ArcSight isn't impregnable. Side-channel and other methods of getting the keys to the Pentagon are a VERY BAD IDEA if you're an American.
Remember the Axis of Evil? Do you think that Russia has reformed? What brought you to that conclusion, if so? What HPE did may have been "legal", I'll grant you,
Re: (Score:2)
Who does Russia supply?
Re: (Score:2)
Obscurity, even opaqueness is part of the value of a product. Yes, I like open source software. There are a few areas, however, where poking and probing shouldn't have to follow the modules in libs or heaven forbid, dot-Net.
Wouldn't you like to know that an avowed enemy of the US DIDN'T get to peek at the source to security software protecting the Pentagon? Security is layers and probabilities. These days, penetrating layers is a big business, and using everything from fuzzing software to weird adjacent mem
Re: (Score:1)
There's a big difference between relying on obscurity for your security, and making your enemies jobs harder.
I'd never trust a cypher that isn't published and properly reviewed. It's far too easy to make a mistake designing or implementing encryption systems, and the encryption community are very good at rooting out bad ideas and bad code.
However, there's no need to be open about which open tool you're using.
Let's say I encrypt a file, and send it to you without the key. It's basically random bytes, and you
Re: (Score:3)
Many people think in a mutually exclusive way. EITHER a secure tool, OR a system using obscurity. Good security systems employ both. Lock it with the best tools that can be found, AND obscure all the details.
What is described sounds just fine. A security company revealed their source code to be used by a government to show it is backdoor-free. That's typical in the security industry, and is generally not inherently a problem. The organizations should, as you described, not tell the world exactly whic
Re: (Score:2)
Yep,
I second that. Obscurity doesn't work for security.
Furthermore, a good security product can only become good when the source is reviewed by many, many parties.
Capitalism (Score:2)
What happens when you worship only money? Capitalism!
Re: (Score:2, Insightful)
At the end of the day they'll sit down with their fellow global citizens and hash it all out.
I doubt it. They'd never be able to agree upon who among them should rule the world. Human history is full of those able and willing to kill in pursuit of domination and despite all of our efforts the veneer of civilization remains thin indeed. The savage instinct is still alive and well in modern man and it doesn't take much to bring it clawing back to the surface.
Usually to the detriment of those of us still dependent on nation-states.
Power trumps wealth. Wealth can be stripped but real power is absolute and although the two are often found together they ought not to be confus
You've got it backwards (Score:1)
They're the ruling class and they know it. They also know who their equals are and, unlike the working class, they take care of their own. It's why they're winning and we're losing.
The two "C"s ... (Score:2)
Citizenship vs capitalism.
HPE acts like it doesn't have the sense god gave a pissant, but, sadly, it does.
So you're in favor of "security through obscurity" (Score:2)
So you're in favor of "security through obscurity".
I can't say that that's in any way a good technical argument.
You share code with the Russians, their people look at it, and suggest changes before they are willing to buy it.
You share code with the U.S. government, their people look at it, and suggest changes before they are willing to buy it.
Everyone wins.
Re: (Score:2)
How about: their people look at, come up with some changes they'd need before trusting their systems to it, then give one back to the vendor and keep some to themselves for later.
COTS is the devil when it comes to American defense procurement. Yeah you don't need to commission a new programming language and compiler for every single solitary project like they had to do back in the 70s and 80s, but then at the same time you don't really want to be buying an OS from a company where the single
Re: (Score:2)
How about: their people look at, come up with some changes they'd need before trusting their systems to it, then give one back to the vendor and keep some to themselves for later.
Yes, the "threat model" is that they discover a bug and don't tell anyone.
Which means that the NSA (who is responsible for keeping US government infrastructure and systems safe) didn't find that bug when they did their source code review.
Additional information: There are many ways to find bugs in software aside from code reviews. So not showing them the code would have had two effects: a) they would've probably bought some other software and b) they would've given the binary to their binary testing team.
Re:So you're in favor of "security through obscuri (Score:4, Interesting)
Re: (Score:2)
It is possible to remove comments from source code before handing it in to code review.
It is also possible to establish sane comment guidelines, especially when you are a security company.
And it is quite trivial to figure out who actually writes the software for a software company, without comments in source code.
Sure you get additional information from code, especially if good documentation explains the thinking behind algorithms. However, to go into a panic because another country made a source code revie
Re: (Score:2)
I'm saying the US government shouldn't be using code that's neither open source nor fully closed source.
While there are theoretical advantages to Free Software in this context, they do not manifest to the degree that many Free Software advocates think. And I say that as a stern believer in Free Software (to the degree that I refuse to call it "Open Source").
OpenBSD is about the only project that actually does this right - by not relying on the assumption that Free Software actually gets read, but making sure it happens and running regular code reviews.
From a security perspective, I'd rather take a piece of cl
Not just code review... (Score:2)
I think code review is unlikely to discern mistakes at the scale of a large piece of software.
On the other hand, breaking up the chunks of the monolithic application into pieces to do unit testing can presumably make fuzzing easier. So the ability to re-build the project in a different way can be helpful.
Re: (Score:1)
Obscurity can be a perfectly valid defense layer for an attacker, so I'm not sure why you think there's no technical argument for it.
Tanks have armor, but they are often painted to match their terrain to obscure their location. Painting the vehicle does nothing to harm the armor, and it does help prevent targeting by the enemy -- through difficulty to see on reconnaissance. Invisible tanks would be even better.
By allowing an enemy to see government-run computer code, we're not only identifying what syste
Re: (Score:2)
Obscurity can be a perfectly valid defense layer for an attacker, so I'm not sure why you think there's no technical argument for it.
The real equivalent to camouflage paint on the Internet is to not show up on nmap and other port scans. That's not obscurity, that's not offering an unnecessary attack surface -- just as with tank visibility against backgrounds.
I guarantee you that the desert camouflage stands out like a sore thumb in Leningrad in the winter.
You make a terrible assumption that the Russians would TELL the vendor of exploits they'd find as well as bother to use the software internally themselves.
If the Russians get so far as to sign a letter of intent, in order to get access to audit the source code ...and then decline to purchase ...that's a pretty strong positive indicator o
Obligatory relevant quote (Score:5, Insightful)
"The capitalists will sell us the rope with which we will hang them."
V.I. Lenin
Radical Idea (Score:2)
what is wrong with you? (Score:5, Insightful)
Sensationalist crap if I ever saw one.
Making a source-code review is standard operating procedure for high security settings. In fact, I recommend exactly this to some of my clients (I've worked in IS before the abbreviation had a second meaning about murderous religious idiots).
If this allowed them to discover weaknesses in the software, then maybe the US departments should've done a source-code review themselves and discovered those same weaknesses? What is wrong with the author of this crap to shout wolf because someone is doing proper security?
"omg, the Russians tested the same rifle that our army uses! Maybe they discovered at what temperature it explodes!"
Guys, you need to wake up over there before you find yourself plunged into a new Cold War by nonsense propaganda. Ask yourself who profits from such shit, who gets to sell more stuff thanks to articles like this, and who gets to gain more influence from the fear.
Re: (Score:3)
Exactly. Both Russia and China have demanded -- and gotten -- source code reviews of code from Microsoft, Cisco, IBM, and SAP. This is, and has been, standard practice for over a decade.
This isn't news, it is sensationalist headline clickbait.
https://venturebeat.com/2017/06/23/tech-firms-including-cisco-ibm-and-sap-allow-russian-authorities-to-review-product-source-code/ [venturebeat.com] (2017)
http://www.zdnet.com/article/microsoft-opens-source-code-to-russian-secret-service/ [zdnet.com] (2010)
https://www.computerworld.com/article/2581 [computerworld.com]
Bullshit (Score:2)
>> But with closed source software, the person that has access to the code has access to the vulnerability.
That's bullshit.
With closed source software, the person with access to the binary has access to the vuln.
Re: (Score:2)
It's not standard operational procedure to hand your code over to an attacking foreign power.
Are you especially dense or paid?
Ok, let's turn this around: Russian company wants to sell security product to US government.
Would you or would you not expect the US to ask for source code and review it?
No further questions.
Maybe the world should be perfect, but it isn't, live in the real world.
Every day. I actually do IS for a living, you know? This is standard operational procedure. If you don't believe when a professional firefighter tells you "ya, throwing large quantities of water on something that's burning really is quite normal" then I really can't help you.
You need to wake up to what Putin's up to.
You need to
Re: (Score:2)
> Should we panic and see evil communists on every
> corner?
No, we shouldn't panic or indulge in paranoia. But we should be cognizant of who our enemies are, and be vigilant and wary of them. It's not like we're talking about HP giving up source code to the UK, Japan, Canada, or Germany here.
Vladimir Putin openly pines for his good old days in the KGB and Soviet Union; having called the dissolution of the latter the "greatest geopolitical catastrophe of the 20th century." This is not paranoia or sp
Re: (Score:2)
But we should be cognizant of who our enemies are
That we should be.
So what, exactly, has Russia as a country, or the Russian government, done to make your life worse?
Compared to, say, the corporations that poison our water and air, the politicians who demolish our social security systems, the banks who stole unbelievable amount of tax payer money to cover up their gambling that lead to the financial crisis?
And he's been invading neighboring countries like Georgia and Ukraine. He's not our friend and he's not someone we should be helping.
The correct method for this is a trade embargo, i.e. don't sell them security software at all. But our leaders don't want that, because they are not in
Re: (Score:2)
Russians examining the rifle that US army uses is very unlikely to lead to them discovering a way to disable it remotely. Not so with security software.
The NSA is tasked with the security of the US government and military infrastructure. I'm quite sure that they've done a code review of this same software a long time ago. You'd think they would have spotted such a way, don't you?
In summary: nice Russian troll. How's the weather in St. Petersburg, Ivan?
According to the Internet, about 10 degrees, cloudy with a good chance of rain in the evening. Your mommy doesn't let you visit weather webpages?
What are the options? (Score:2)
1. Use off-the-shelf product to save money, but another big customer might also audit the code (the current predicament)
2. Use custom product so it's unavailable to others, but ultimately relying on obscurity
3. Go open source and have politicians and media have a heart attack about how "now everyone can access the source code / Trump is giving our source code away for free"
4. Export ban on this software while you use it, again relying on obscurity
If this is actually secure... (Score:2)
ArcSight is SIEM (Score:1)
Security consultant here with experience in SIEMs. ArcSight is a security information and event management (SIEM) product, which means all it does is collect logs from other security devices together and decide whether a sequence of events has a higher priority than any individual event.
For example, connection from unknown address, crashed antivirus service and unusually high disk activity is likely to be cryptolocker.
There is nothing valuable in the source code of SIEMs, it's a bunch of regexes to parse incoming logs f
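The correlation the commenter describes (an unknown-source connection, a crashed antivirus service and abnormal disk activity on one host within a short window outranking any of those events alone), as an added example. This is illustrative code written for this page, not ArcSight's code or its rule language; the log lines, the regexes, the "internal" address range and the five-minute window are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simple syslog-like shape (not real ArcSight input).
# Host ws17 shows all three indicators within a minute; ws22 only shows one of them;
# the 13:00 antivirus crash on ws17 is outside the window and should not correlate.
SAMPLE_LOGS = """\
2017-10-02T09:00:01 ws17 firewall: ACCEPT src=203.0.113.7 dst=10.0.0.17 dport=445
2017-10-02T09:00:05 ws17 service: antivirus stopped unexpectedly (exit=139)
2017-10-02T09:00:40 ws17 diskmon: write_rate=91MB/s threshold=50MB/s
2017-10-02T09:01:00 ws22 firewall: ACCEPT src=10.0.0.5 dst=10.0.0.22 dport=445
2017-10-02T09:01:10 ws22 diskmon: write_rate=70MB/s threshold=50MB/s
2017-10-02T13:00:00 ws17 service: antivirus stopped unexpectedly (exit=139)
"""

# Assumption: anything in 10.0.0.0/8 is internal and therefore a "known" source.
KNOWN_NETS = ("10.",)

# One regex per log shape; each maps a raw line to a normalized event kind.
PARSERS = [
    (re.compile(r"^(?P<ts>\S+) (?P<host>\S+) firewall: ACCEPT src=(?P<src>\S+)"), "conn"),
    (re.compile(r"^(?P<ts>\S+) (?P<host>\S+) service: antivirus stopped"), "av_down"),
    (re.compile(r"^(?P<ts>\S+) (?P<host>\S+) diskmon: write_rate=(?P<rate>\d+)MB/s "
                r"threshold=(?P<thr>\d+)MB/s"), "disk"),
]


def normalize(line):
    """Parse one raw line into (timestamp, host, kind) or None if it is not interesting."""
    for rx, kind in PARSERS:
        m = rx.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        host = m.group("host")
        if kind == "conn":
            # A connection from an internal address is not an indicator by itself.
            if m.group("src").startswith(KNOWN_NETS):
                return None
            return (ts, host, "unknown_conn")
        if kind == "av_down":
            return (ts, host, "av_down")
        if kind == "disk":
            if int(m.group("rate")) > int(m.group("thr")):
                return (ts, host, "high_disk")
            return None
    return None


# The rule: all three indicator kinds on the same host within WINDOW.
RULE = {"unknown_conn", "av_down", "high_disk"}
WINDOW = timedelta(minutes=5)


def correlate(lines):
    """Return (events, alerts): the normalized low-priority events, and one
    (host, first_ts, last_ts) high-priority alert per host that satisfies RULE."""
    events = [e for e in (normalize(l) for l in lines) if e]
    by_host = defaultdict(list)
    for ts, host, kind in events:
        by_host[host].append((ts, kind))

    alerts = []
    for host, evs in by_host.items():
        evs.sort()
        # Slide a window starting at each event; stop at the first full match.
        for i, (start, _) in enumerate(evs):
            seen = {}
            for ts, kind in evs[i:]:
                if ts - start > WINDOW:
                    break
                seen.setdefault(kind, ts)
            if RULE <= set(seen):
                alerts.append((host, start, max(seen.values())))
                break
    return events, alerts


if __name__ == "__main__":
    events, alerts = correlate(SAMPLE_LOGS.splitlines())
    for ts, host, kind in events:
        print(f"LOW  {ts} {host} {kind}")
    for host, first, last in alerts:
        print(f"HIGH {host}: all of {sorted(RULE)} between {first} and {last}")
```

Each regex only knows how to pull a timestamp, host and a couple of fields out of one log shape; the actual security judgement lives in `RULE` and `WINDOW`, which is exactly the part an operator tunes. Anyone holding the parser code learns what formats are understood, but the indicator set and thresholds a given site runs are deployment configuration, not source.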
It's just arcsight. (Score:1)
Move along, nothing to worry about. It's just arcsight. You're better off using owasp. We have the HP product, it's crap. False positives and they don't listen to customer feedback. Almost as bad as Tenable. They think they know better than the experts, such as the Crypto experts on a vulnerability that was patched almost a decade ago. They don't even follow their own rules and they don't listen to their customers either.
Re:Trump lets them own the oval office... (Score:5, Informative)
They're after Slashdotters, in other words. (Score:2)
They're going after people who read only headlines and who don't know what any of this stuff means.
Kind of like that utter nonsense Slashdot published months ago where someone spying on network requests found collusion between a 3rd party Trump company marketing site and a Russian bank. Except it was stray DNS queries caused by Russian spam. Few people bothered to question what the people spying on that network traffic were doing, exactly.
Re: (Score:2)
The report came from the politically appointed directors of the ODNI. It doesn't appear that the Coast Guard & the rest of the agencies had much input into the report. The analysis was simplistic and slipshod. They failed to analyze a number of very obvious things, like the fact that the IP addresses were Tor exit nodes and the fact that the malware used was some freeware called P.A.S.
Re: (Score:1)
Your link has nothing to do with the ODNI report, and ignores this part:
But there are no actual facts about anything in that article, so I can't say that I would bother to listen to it anyhow. People's opinions don't really matter to me at all, I care about ac