We only used paid for code because it is sooooooo much better obviously
see the title
US government agencies including the Army and Centers for Disease Control and Prevention pulled apps running Pushwoosh code after learning the software company – which presents itself as American – is actually Russian, according to Reuters. Pushwoosh is a software company that provides code and data analysis for developers so …
When everything was Going Global?
Those wonderful times when the work I was doing at Intel was transferred to a group from Nizhny Novgorod?** Or the Philips Medical project I was participating in was (overnight) outsourced to Shenzhen? Halcyon Days, indeed.
(**Judging by the team that was sent over for us to train it's apparently Russia's answer to Manchester (before it went all Media City and Trendy). The project was subsequently transferred to "somewhere in Poland". The Chinese got the job from the group in the Rust Belt with so little notice that our Project Engineer turned up for the acceptance test only to discover the whole place in turmoil (you think Elon Musk has a monopoly of this sort of thing?), everything gone and we had to start over with a neophyte Chinese group.....teach 'em everything, that sort of thing.)
I detest government almost as much as remote 'by the spreadsheet' management. Not surprising since they're all cut from the same cloth. Now we've decided that all this stuff is Poison. It might have been open source code of little import but to these know-nothing suits it's just Time To Panic.
Leaving aside the US Army not even knowing what is in their own app (!), all the others "knew" they were "surveilling" their users (aka spying on them, data rape etc) but that was ok because they are all Good Guys.
But as soon as there is even a hint that the Russians could be getting the same data, throw their hands up in feigned shock "who could be so dastardly?"
So, are they going to give up spying on their own users or just find a good old US replacement and carry on, business as usual?
Though one bit I liked: members of the NRA don't need to feel paranoid any more, now they know who was watching them.
Also, it took me ages to learn how to say "Novosibirsk" with confidence, glad to have an excuse to trot it out again.
In many companies this is a major driver. I did run into that, but could demonstrate I had the need for some FOSS software in a project. And our devs are completely capable of dealing with that software, thank you very much, this is why I have them in my team. And this is why you see SuSE or DeadHat (whatever their paid for thingy is called...) boxes and no Debian servers in some places. The Powers That Be want somebody to yell at when things go wrong (it is also something with having certain guarantees by vendors, though we all know that those are probably not quite reliable, but since they exist on paper, manglement is happy).
As in effect this policy seems like a big justification for staying on overpriced crap pitched by lobbyists with a large budget for kickbacks, a revolving door for former contract issuers, and regulators installed in their HR/Hiring office.
This problem wouldn't have been any better if they were paying for it. What the person did is admit it was removed by dumb luck and bureaucratic obstructionism, not competence on anyone's part. When one branch of government (like the CDC) decided it was a problem, they didn't have a way to inform the rest of it and boot it from everyone's deployments at the same time.
Worse is the fact the US has just given up managing its own incompetence as far as securing devices for military personnel. The DoD was unable to issue a secure radio/phone for US troops, so they just let them have off the shelf smart phones. Mystery meat backend libraries like this "Telemetry" (spyware by another name) or ad server code obfuscates these companies, and the idiots working on mobile apps don't look into them at all before rolling them in. So most of our military are wandering around with mobile spyware in their pockets.
Big surprise that both the USgov, UK Labor, and NRA all fell into the same hole. They are all part of the same brain-addled international coalition selling fake conservatism and fake news that has proven time and time again to be vulnerable to pro-Russian talking points.
I don't do business with liars. It's hard enough with honest people.
Not sure if users were "tricked", or just failed to do their due diligence...
While it doesn't list a company address anywhere on the website - it notes offices in "multiple countries" but doesn't name any of them – Pushwoosh is headquartered in Novosibirsk, a city in southwestern Siberia, the newswire claimed.
Should have been reason enough not to use the software, especially in any sensitive roles. For me, it's a red flag if any website fails to show an 'About Us', disclaimer or some legal T&Cs that state the actual entity involved. So I'd expect to be able to easily find the legal entity, be that company or charity. ISTR that's also a legal requirement in most commerce websites. And as it's software, I'd assume there'd be some licence agreement that also shows the entity.
Sure, that could be a Delaware LLC that's a subsidiary of some other entity that's wholly owned by shadyaf.ru but at least there is, or should be some regulatory paper trail to follow.
"Sure, that could be a Delaware LLC that's a subsidiary of some other entity that's wholly owned by shadyaf.ru but at least there is, or should be some regulatory paper trail to follow."
LOL, and sometime after you posted that, the story was updated to state almost exactly that :-)
The update makes it interesting from a security perspective. So you could do your due diligence and see there's no 'hostile' nation in the ownership chain. But it would be a whole lot harder to find where any IT supplier is outsourcing development, or other potentially sensitive services.
I have the Honeywell "Resideo" Android app for my heat pump thermostat.
I also have the AdAway ad blocker on my phone.
Imagine my surprise when I'm debugging one of my apps, and the debugger log shows the Honeywell app complaining it can't send the list of my installed apps to the mothership, because AdAway is blocking it!
I am not the least surprised by what you just said. I bought one of their smart thermostats in the hope it would be slightly less evil than my old roommate's Nest. (Which I caught turning the AC on in the middle of the day, when it also said it knew no one was home, when it was in 'eco' mode, just to run up the power bill apparently.)
After taking one look at their mobile app, I had already decided to just firewall it off from the internet. But I hoped it would still work out better than the Nest.
Boy was I wrong. I still think the Nest is a POS, but Honeywell is gonna be sued. I bought the thermostat with an install kit, in case I needed the adapter it came with. Turns out I didn't, but when I called them during set-up they asked if I was using their provided adapter. When I told them no they stated that my install was unsupported and refused to talk to me, at all about anything, insisting that I had to return the whole unit to the point of sale and get a different kit, even though the part of the install the adapter was for was already working. I have run into this stuff at other companies, but they took it to a whole new level.
They flagged the serial number of the thermostat (used to get past the auto-attendant system when you call) and PERMANENTLY BLOCKED IT. If you try to call in, they refuse to talk to you. The best part is that by the time they decided to screw me over, it was already impossible to return. So I have been screwed out of several hundred dollars for a thermostat that is sitting in a box even though it's 100% fine, plus the money I have wasted when the $25 POS the landlord installed to replace it runs through a set of batteries in a month, or leaves the heat/AC on by accident.
There isn't a smart thermostat on the market worth the term, and I'd gladly rip the POS off the wall and replace it with a rPi or Arduino. I can literally control the whole thing with a couple of jumper clips, why is this so hard for them? Also, why the hell don't any of these things support something other than 2.4 WiFi? In an apartment there are literally 3 networks on each of the channels, and reliable connections are impossible. Most of the neighbors have no idea what a DFS channel is, so I have plenty of space up there. Most of this crap should just be PoE anyway, and I think my switch is rated for more power output than the transformer driving the 80's era central air unit on the roof.