back to article Tech giants flash Russia their code blueprints in exchange for access

Cisco, IBM, HP, McAfee and SAP are among plenty of western technology companies that have been showing their source code to Russian authorities in exchange for the right to sell their products in the country. Documents seen by Reuters state that in the past three years, the Russian FSB (what used to be called the KGB) and its …

  1. GrapeBunch

    Much ado

    USA could certainly prohibit companies from showing Russians NSA source code, but when the code is not supposed to be there in the first place, I suppose that presents a logical conundrum. The original code could be clean, but spying could be present in firmware or software upgrades. I presume that the Russians are allowed to compile the source to make sure that it is byte-identical to the distributed code. I'm not sure that the clean room thing is much help. Russian "programmers" could memorize the code, even tens of thousands of lines, and reproduce it later. Hell, Britain has memorizers who could do the same. That's if you don't want hidden or skull-embedded cameras or screen sensing (which preceded wardriving as a hobby).

    Putting aside attempts to game the outcome, I admire the Russians' chutzpah in calling the TLAs' bluff. It's a propaganda win for them, even if it has nil practical worth.

    1. Anonymous Coward
      Anonymous Coward

      Re: Much ado

      You assume they're doing what they say, rather than using their exposure to the source code to look for unintentional backdoors - i.e. security holes.

      1. The Man Who Fell To Earth Silver badge
        Mushroom

        Re: Much ado

        Looking for vulnerabilities their security services can exploit is almost certainly the real motive. The US should implement a similar policy against Russian software makers such as Kaspersky, which the heads of six U.S. intelligence agencies testified on Capitol Hill that they have treated the company as a threat.

    2. mathew42
      Black Helicopters

      Re: Much ado

      "The enemy of my enemy is my friend."

      If we assume that the NSA has already reviewed the source code and identified issues, then knowing that the Russians have reviewed the same source code may result in the NSA alerting developers to the bugs. Probably way too optimistic.

      On a similar note, I suggest there is merit choosing security software that those you fear most have the least ability to influence. To put it another way would you prefer the local law enforcement agency to have your secrets or an overseas power?

      1. Anonymous Coward
        Anonymous Coward

        Re: Much ado

        To put it another way would you prefer the local law enforcement agency to have your secrets or an overseas power?

        Naturally I would prefer neither, but if these are the only two options, then I'd go with an overseas power. At least they won't be bothered to use the information against me to settle a petty bar argument, or to track me down when my dog poops on the mayor's lawn. In fact an average bloke on the street has nothing to fear from an "overseas power" regardless of what they know about him.

  2. Anonymous Coward
    Anonymous Coward

    "Symantec, has said no to the Russian demands"

    Egos would be bruised and Symantec couldn't handle the ridicule....

    1. Anonymous Coward
      Anonymous Coward

      Re: "Symantec, has said no to the Russian demands"

      I thought it was due to the NSA-Ware included in the product.

  3. Anonymous Coward
    Anonymous Coward

    "You have to ask yourself what it is they are trying to do, ..."

    ... trying to protect themselves from our wholesale slurping of their data. The cheek!

    Frankly, given that we know about the extent of spying and hacking by the US, Russians, British, Germans, Chinese, Norks, and so on, no sane country contemplating pursuing independent policies should use closed-source software supplied by companies outside their direct control. Even with code reviews, the truly sensitive data shiuld not be trusted to systems where you do not control all the components - both hardware and software.

    Which is exactly why both Russians and Chinese do invest in developing fully-independent computing capability. And so they should; and bigger fools are those of us who do not do likewise and continue to rely unreservedly on systems developed by the US.

  4. John Smith 19 Gold badge
    Unhappy

    A pragmatic approach or government grade security theatre?

    As noted above if you can't convert the source through the same tool chain and then do a byte for byte comparison, using your own comparison tools, and account for all discrepancies found then who knows what's actually running in the box?

    And then of course there's the massive open hole of the Intel server admin co processor.....

    1. Anonymous Coward
      Anonymous Coward

      Re: A pragmatic approach or government grade security theatre?

      ... if you can't convert the source through the same tool chain and then do a byte for byte comparison ...

      That's not a guarantee of anything in particular. If on the other hand, you can reproduce the binaries from a reviewed source using a cross-compiler under your complete control, you known that the backdoor is not in the source or the toolchain. However, this still does not guarantee the absence of a backdoor - it still could exist in the firmware, in the CPU microcode, or in one of the peripheral devices or controllers.

      I somehow suspect that when Russian FSB reportedly switched to mechanical typewriters for their most sensitive data, the decision was not borne out of the idle paranoia.

  5. Pascal Monett Silver badge

    Why is there even a discussion ?

    At a government level, there is only one solution : download a Linux distro and compile the source code. That is the only guarantee against backdoors and other nasties.

    For the life of me I can't understand why companies today keep with the Windows treadmill. Yes, historically I get it, Windows is everywhere and everyone is using and/or coding for that platform. But for today's companies, most of what they really need is on Linux, and what's left can just as well be coded for that platform instead of Windows, so why all the heartache over Windows ?

    The only reason I see is that Windows is easy. Not in the sense that Linux isn't, but in the sense that the current managerial crop thinks it knows it, and then there's all that legacy environment. Okay for the business side of things, but government should not have that problem.

    Should being the operating word.

    1. Anonymous Coward
      Anonymous Coward

      Re: Why is there even a discussion ?

      "government should not have that problem.

      Should being the operating word."

      At a recent public sector role, raised the idea of using non-Windows machines for people whose primary applications were browser-based, and on a network where Citrix was already being used for delivering Office.

      Was given a point blank "no", as it the screen "looks different, right from when they switch it on", it will be called a change and everyone affected would need a minimum half-day familiarisation course, with more for those who "feel they need" - and even that would only be allowed if the Union reps agreed it was not a material change in working practices. I thought that was an exaggeration, just one senior manager's view, until a member of staff walking past saw my demo desktop, and categorically (and quite emphatically) shared his view that "management ar*holes better not be thinking about changing our PCs unless they ask the unions first". (italics mine, his emphasis was more .... direct)

      1. Anonymous Coward
        Anonymous Coward

        Re: Why is there even a discussion ?

        @AC: I always thought the public service was the last resting place of the useless c*nt. I have now witnessed this first hand by consulting in quasi public service organisations in order to help fix up their shit. The amount of piss poor excuses I have witnessed for not doing your job is seemingly endless. If they really dislike working so much they should quit. From "my machine looks different" to "has this been cleared with the union" to "I need a stand-up desk costing several thousand because old-mate over there has one". Utter mouth-breathing productivity detractors - like driving with the handbrake on.

  6. alain williams Silver badge

    This is why it is so stupid ...

    of the likes of GCHQ and the NSA to hoard vulnerabilities that they find. The Russians, and likely other ''bad guys'', are probably going to find the same set of vulnerabilities.

    If they really wanted to do their job of protecting us they would tell the vendor and we would all be a lot safer.

    1. John Smith 19 Gold badge
      Unhappy

      "he likes of GCHQ and the NSA to hoard vulnerabilities that they find. "

      But, like every group of 'leet Black hats (and AFAIK they are all Black hats if they are trying to get into my system) they are totally convinced that no one is as smart as they are at finding these vulns.

      Now I could see that if a group stakes out a specific piece of a system that most people haven't considered as a way in this might possibly be true.

      But for all the common pathways is it really plausible that one side has developed vuln finding tools that are so much better than any other groups, even those who are also have state backing?

      Just a small point. Every vuln the NSA finds in Windows reinforces Windows reputation as a safe OS.

      While still leaving the Intel supplied gaping hole of the management server co processor in the ISP's they can attack with no credentials at will (provided of course no one else has got there first).

  7. mark l 2 Silver badge

    What I read was that Symantec know their code is so crappy and full of holes they don't want the Russians or anyone else seeing it.

  8. Eugene Crosser
    Thumb Up

    If security of their products rely on secrecy of the source code, they have a bigger problem that Russian spies. I'd say, it's a good thing if it at least somewhat incentives them to go and clean up their source code.

  9. Mike 16

    The real question

    is one I asked (well, submitted on a card) at a talk given by Bill Gates. (it did not "make the cut" to be actually asked). He had mentioned giving Windows Source to the Chinese government, and I wanted to know if they had in turn ever submitted any bug reports. What's better than having _one_ TLA hoarding vulns? How about seven or more?

  10. Chris G

    Double standards

    So American companies can sell their tech to Russia if they wish but I can't even send a second hand PSP to my Brother in Law in Moscow because the Spanish post office says it contravenes the rules of the trade embargo between the West and Russia.

    My Brother in Law is a military engineer with the rank of Major so he is lkely to be a user of those products but can't play World of War while he's waiting for the bus?

    1. Anonymous Coward
      Anonymous Coward

      Re: Double standards

      > because the Spanish post office says

      How far does it get? You ship it but it gets returned, or the clerk does not accept the parcel?

      Be aware, btw, that in Spain postmasters fulfil an intelligence role in addition to their proper duties.

      And btw, what is a PSP?

      1. Chris G

        Re: Double standards

        PSP = Play Station, the post office requires a customs declaration form for Russia and likes to see what is in the packet before you seal it,anything they don't like won't be accepted.

        Spain in general is unhappy with the embargo as prior to it they exported a vastamount of Agri goods to Russia, the embargo has cost Spain big time but PO workers are little jobsworths.

        All government workers in Franco's Spain were expected to report on anything and everything they thought dodgy.

        I have had the odd drink with the Commissioner of Police and used to know the Commissioner of the Secret Police on one of the Islands

  11. Milton

    Mm, nice choices

    1. Russian-"vetted" versions of Western software will have spyware, backdoors and security weaknesses identified and cleaned out.

    2. Russian-reengineered versions of Western software will creep back to the West, riddled with Russian spyware, backdoors and sabots.

    3. If software is selling in Russia, that becomes a sign it cannot be trusted in the West.

    4. So we return to status ante: the only software anyone can trust is open-source stuff you can inspect and compile yourself.

    5. The infotech equivalent of the condom!

  12. Anonymous Coward
    Anonymous Coward

    Just playing the game

    Maybe they read this: https://arstechnica.com/tech-policy/2017/06/obama-reportedly-ordered-hacking-operation-targeting-key-russian-networks

  13. Anonymous Coward
    Anonymous Coward

    Any chance we can see huawei's source code?

    Not that I own an aluminium boater. (I know it should be tin but aluminium is better at reflecting the frey effect used by governments to control the masses.)

  14. amanfromMars 1 Silver badge

    Chasing ghosts and phantoms and daemons ..... the calling of fools running errands for tools?

    Then again, that may change if more evidence of Russian involvement in government hacking comes to light. …. Iain Thomson in San Francisco 24 Jun 2017 at 00:57

    Hmmmm? Hi, Iain, is that not more accurately reported …. Then again, that may change if any evidence of Russian involvement in government hacking comes to light.

    1. amanfromMars 1 Silver badge

      Re: Chasing ghosts and phantoms and daemons ..... the calling of fools running errands for tools?

      Meanwhile ..... in the West are cyber shenanigans that feed hosts of trolls feted ....... http://www.zerohedge.com/news/2017-06-25/obama-ordered-cyberweapons-implanted-russias-infrastructure

      IT's a Mad, Mad, Mad, Mad World and getting even crazier. You can be sure that there are greater things to be worried about than Russians.

      1. Anonymous Coward
        Anonymous Coward

        Re: Chasing ghosts and phantoms and daemons ..... the calling of fools running errands for tools?

        > You can be sure that there are greater things to be worried about than Russians.

        Britain's favourite pastimes are gossiping about the neighbours and criticising the Russians, not necessarily in that order.

        Do you have many neighbours in Mars?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like