To Avoid Being Cut Out Of The Market, US Tech Companies Are Allowing Russian Vetting Of Source Code

from the backdoors-for-all dept

Nobody trusts anybody, and it’s probably going to end up affecting end users the most. The Snowden leaks showed the NSA’s Tailored Access Operations routinely intercepted network hardware to insert backdoors. The exploits leaked by the Shadow Brokers indicated the NSA was very active on the software exploit front as well.

In response to the Snowden leaks, it appears the Russian hardware/software purchasers are stepping up their due diligence efforts. This comes at a time when the Russian government is suspected of hacking away at the American democratic process, as Reuters reports.

Russian authorities are asking Western tech companies to allow them to review source code for security products such as firewalls, anti-virus applications and software containing encryption before permitting the products to be imported and sold in the country. The requests, which have increased since 2014, are ostensibly done to ensure foreign spy agencies have not hidden any “backdoors” that would allow them to burrow into Russian systems.

According to the article, multiple US officials and company executives are tracing the uptick in review demands to a downturn in US-Russian relations following Russia’s 2014 annexation of Crimea. But the NSA’s hardware operations were exposed in mid-2014, so it’s hard to believe the Snowden effect isn’t in play.

[Some] reviews are… conducted by the Federal Service for Technical and Export Control (FSTEC), a Russian defense agency tasked with countering cyber espionage and protecting state secrets. Records published by FSTEC and reviewed by Reuters show that from 1996 to 2013, it conducted source code reviews as part of approvals for 13 technology products from Western companies. In the past three years alone it carried out 28 reviews.

Since these companies aren’t willing to give up their share of an $18.4 billion market, compromises are being made. Examinations of code are being done in “clean rooms,” with conditions somewhat controlled by the companies being vetted. But this isn’t always the case. Nor are these precautions necessarily enough to prevent those doing the vetting — some linked to the Russian government — from finding undiscovered security holes and flaws. The vetting may help keep Russian government agencies and private companies from being spied on by the US, but it’s not going to do much to keep the Russian government from spying on Russian companies and Russian computer users.

So far, only one company has publicly announced its refusal to submit its software for vetting. Symantec has rejected testing by Echelon, a Moscow-based lab with some tenuous ties to the Russian military.

But for Symantec, the lab “didn’t meet our bar” for independence, said spokeswoman Kristen Batch.

“In the case of Russia, we decided the protection of our customer base through the deployment of uncompromised security products was more important than pursuing an increase in market share in Russia,” said Batch, who added that the company did not believe Russia had tried to hack into its products.

The company also provides testing for the Russian Ministry of Defense and multiple law enforcement agencies. Echelon claims it’s wholly independent from the Russian government, but those assertions haven’t been enough to overcome Symantec’s objections. Other companies (the article lists HP and IBM) have allowed their products to be tested by Echelon, but neither were willing to comment on this story.

The Russians are checking for US backdoors while potentially seeking to install their own. US companies are given the choice of possibly aiding in Russian domestic surveillance or being locked out of the market. Any lost sales here can at least be partially chalked up to the Snowden leaks. If so, the fallout from the leaks is still causing harm to US companies, years down the road.

Filed Under: , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “To Avoid Being Cut Out Of The Market, US Tech Companies Are Allowing Russian Vetting Of Source Code”

Subscribe: RSS Leave a comment
Anonymous Coward says:

If the Russian agency/reviewer is just being allowed to see the code inside a ‘clean’ room (and not take it out and build their own copies wholesale) how are the “seeking to install their own” backdoors (unless you mean take advantage of already broken code… which is NOT actually installing a back door).
Additionally Symantec statement doesn’t add up (with the information available in this article). Unless Symantec is using ‘security by obscurity’. Again simple letting someone review the code is NOT a weakness in actual secure code (regardless of the nationality of the reviewer).

Ninja (profile) says:

Re: Re: Re: Re:

I’m guessing that’s what Microsoft has been considering. They could charge a small monthly fee from home users to enable more personalized support and automatic updates. I’d pay for that (considering the price is sane). You could get extra perks from their systems such as automated backup and file versioning (encrypted please) all in an easy, intuitive way (they are generally good on making their things easy to use). There are plenty of services they can offer that would rack in tons of money even if Windows is open sourced.

Anonymous Coward says:

Re: Re: Re:2 Re:

I think the problem that Microsoft would have with open sourcing windows is the loss of control that goes with it. Beside which, their code base will need a lot of work to get in modular enough for open sourcing to gain them any real benefit. That is one of the benefits of the free software ecosystem, modularity, with well defined interfaces and low coupling is what allows the fast interaction and rapid development.
As for ease of use, Linux is often, because you have a graphics and command/line text editor way of doing the same thing. Microsoft’s ease of use often vanishes when you want to do more than simple things, as you end up having to plod through layer after layer of menu, searching for the action that you want.

Thad (user link) says:

Re: Re: Re:3 Re:

Beside which, their code base will need a lot of work to get in modular enough for open sourcing to gain them any real benefit.

Not to mention that it’s not all their code.

When AMD decided to open-source its Linux graphics driver stack, it realized it had so much proprietary code from other vendors (or code covered by NDAs from other vendors) that it would be easier to rewrite the entire thing from scratch than to open-source the code it already had. And it still hasn’t been able to open all of its new driver stack; there are critical portions that are still proprietary. AMD’s still working on untangling the proprietary parts to release a fully open-source driver.

Now scale that up to an entire operating system. One that’s been around for decades and contains all kinds of old code.

Anonymous Coward says:

"the Russian government is suspected of hacking away at the American democratic process" -- Oh, good, back to sly innuendo! -- It's ONLY SUSPECTED, not a bit of evidence yet!

From Drudge today flatly contradicting the MADE UP CRAP that Techdirt spewed for months about “Trump-Russia”:

Three CNN Employees Resign Over Retracted Story on Russia Ties
“CNN has accepted the resignation of the employees involved in the story’s publication,” a network spokesperson says. … The story, which reported that Congress was investigating a “Russian investment fund with ties to Trump officials,” cited a single anonymous source.”

Admitted MOSTLY BULLSHIT by CNN producer:
In the hidden camera video, John Bonifield, a supervising producer at CNN Health, talks about how CNN uses the Trump-Russia allegations to boost ratings and how directions to focus on it have come from CNN’s CEO Jeff Zucker. When asked by the Project Veritas reporter, “But honestly, you think the whole Russia shit is just like, bullshit?” Bonifield replies, “Could be bullshit. I mean, it’s mostly bullshit right now. Like we, don’t have any big giant proof.” IFrame “I just feel like they don’t really have it but they want to keep digging. And so I think the president is probably right to say, like, look, you are witch hunting me. Like, you have no smoking gun, you have no real proof,” he adds

And in a long piece, Green Glenwald kicks every last prop from under the whole schmear!
CNN Journalists Resign: Latest Example of Media Recklessness on the Russia Threat

Recklessness PLUS malice here.

But not even CNN’s forced honesty in retracting, just down the memory hole! Not a hint of admitting let alone apology for putting out false news for months. Techdirt changes to new false assertions, is all.

So, kids, who was right: me or Masnick?


Also, way back on the immigration ban I said “this won’t stand”, and right again: admin is mostly upheld NINE to ZERO.

Anonymous Coward says:

Re: "the Russian government is suspected of hacking away at the American democratic process" -- Oh, good, back to sly innuendo! -- It's ONLY SUSPECTED, not a bit of evidence yet!

Yes, the US intelligence community made up the Russia story to boost CNN ratings.

Yes, a CNN Health producer’s random, groundbreaking comments that a 24-hour news network follows the ratings are proof that Donald Trump isn’t acting like a guilty person.

Yes, CNN is currently solely in charge of investigating the Russian interference in our election so naturally they must have all the evidence available already.

No, this isn’t yet another lame Veritas attempt at editing together a bunch of meaningless comments from single members of large companies in order to baselessly smear them.

Alphonse Tomato says:

Re: "the Russian government is suspected of hacking away at the American democratic process" -- Oh, good, back to sly innuendo! -- It's ONLY SUSPECTED, not a bit of evidence yet!

Mind you, anybody who uses Drudge as a primary source is pretty dim.

But sure the Russians tried. If their intelligence services are any good, one of their jobs is to do stuff like that. Just the same as the US intelligence agencies try to influence elections in other countries. As Captain Renault said, I am shocked, shocked!

Were they successful? That’s harder to say. But US computer security related to elections is fragmented among many jurisdictions, and conducted by the low bidder (if at all). If they were able to suborn campaign staff (or candidate), that would certainly give them a lever. For example, if the Russians had the financial clout to influence anyone. Not that any candidate or staff would use Russian money in their non-campaign jobs.

Anonymous Coward says:

Everyone should have been doing this

Since the first backbone diversion rooms where exposed in 2002, in fact as soon as the patriot act was passed it should have been obvious to everyone that shenanigans where going to start happening with particularly US but all intelligence superstructures, and certainly after stuxnet, It’s kind of dumb to be complaining that the russians might be suspicious now cause if they where not before they are dumber than I thought

AEIO_ (profile) says:

Re: Pointless

Yeah, but showing code while supplying a different binary is easy and obvious after thinking for a few seconds. Try THIS on for size.

"a hack (in every sense), the most subversive ever perpetrated, nothing less than the root password of all evil.

Ken describes how he injected a virus into a compiler. Not only did his compiler know it was compiling the login function and inject a backdoor, but it also knew when it was compiling itself and injected the backdoor generator into the compiler it was creating. The source code for the compiler thereafter contains no evidence of either virus."

Anonymous Coward says:

Re: Re: Pointless

Also see:

If a country’s really doing this to protect its citizens, they should require reproducible builds and have the inspection team supply their own compiler. That would reduce the attack surface… but then see the Underhanded C contest.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...