Tech Firms Let Russia Probe Software Widely Used by US Government (reuters.com)
Major global technology providers SAP, Symantec, and McAfee have allowed Russian authorities to hunt for vulnerabilities in software deeply embedded across the U.S. government, Reuters reported on Thursday. From the report: The practice potentially jeopardizes the security of computer networks in at least a dozen federal agencies, U.S. lawmakers and security experts said. It involves more companies and a broader swath of the government than previously reported. In order to sell in the Russian market, the tech companies let a Russian defense agency scour the inner workings, or source code, of some of their products. Russian authorities say the reviews are necessary to detect flaws that could be exploited by hackers. But those same products protect some of the most sensitive areas of the U.S. government, including the Pentagon, NASA, the State Department, the FBI and the intelligence community, against hacking by sophisticated cyber adversaries like Russia.
I wish... (Score:2)
... that I could be confident our elected officials were at least smart enough not to believe Russian officials also needed root access to all the production machines in order to complete a source code audit.
Re: (Score:2)
Since when have Russian elections been elections? Putin arrests opponents, bans them, substitutes fake proxy opponents, and even then the vote tallies are fake as fuck.
And all Obama did was illegally listen to the phone calls of Trump's campaign. Not excusing Putin... don't really care about Putin. But to suggest that the last election was not rigged for Clinton is absurd. Hillary Clinton just happens to be so incompetent that she lost an election despite rigging it.
Re: (Score:1)
But this statement is false. I don't approve of my own government's behavior in this regard either. I would be amongst the ones voting to pardon Snowden. Not that it will ever come to a vote, the poor sod. And, quite ironically, I'm even less able to influence my own government than those of other countries.
China does the same thing... (Score:1)
Re: (Score:3)
All of whom have their own agendas, and are under NDA...
But the source code of these applications is not available to the general public, so independent researchers cannot review it.
If a government is going to review code for their own use, they will review open code too as they don't need to jump through hoops to get it. Having restricted access to source code just gives an advantage to those who have it, to the detriment of everyone else.
Also there are various illegal leaks of closed source code. Being ill
The US gov't shouldn't use open source software? (Score:2, Funny)
So if it's wrong/bad for foreign entities to view the source code of software used by the US government, does that mean that the US government should avoid any and all open source software because foreign entities can easily view its source code?
Re: (Score:1)
> So if it's wrong/bad for foreign entities to view the source code of software used by the US government, does that mean that the US government should avoid any and all open source software because foreign entities can easily view its source code?
Quite the opposite.
It's a given that other governments -- especially the powerful ones -- will get to view (and review) the source of _closed_ products as a pre-requisite condition to prevent a software product from having its sales vetoed.
That way, even if you
Re: (Score:1)
The problem isn't that foreign entities can review the source code. The problem is that nobody else gets to, so the foreign entities have the capacity to find bugs and simply not report them. You know, the kind of thing the NSA absolutely never ever would do because the US is so much better than anyone else..
Actual headline: (Score:5, Insightful)
Tech firms let Russia probe software widely used by US government, following same processes US government, and all other governments, use.
This is a non-story. They try to make it sound like this is some nefarious method to undermine the US government, when the reality is that they're checking to make sure there aren't NSA backdoors.
Re: (Score:2, Insightful)
Gotta keep that Russians!=BAD narrative alive at all costs.
Re: (Score:1)
Worse, they used a test operator, not an assignment operator. So the statement says nothing about bad or good, it just takes a true/false value.
Re: (Score:2)
Let the nerdiness of this comment be an example to all.
Re: (Score:2)
Nonsense. 'this' is a void pointer that I can make point anywhere I want, including towards itself.
Re:Actual headline: (Score:5, Insightful)
Indeed. And governments can get access to Windows source code as well. It is a good bet that the Russians and the Chinese also have this access.
Re: (Score:1)
It's well-known that they do, as do many Universities. They've had access for many years now.
This isn't news, it's propaganda.
Re: (Score:2)
Exactly.
Re: (Score:2)
It means they're aware of any backdoors they found and have thought of mitigations for them.
It also means they have a war chest of their own 0-day exploits they've found.
It could also mean if they use it, they do so only to appear to trust it.
So basically, it means nothing at all and you can't base anything on it.
Re: (Score:2)
It means the Russians won't tell Symantec about the vulnerabilities they find.
Stupidity (Score:1)
Re: (Score:1)
> Systems that have great need for secrecy should be custom developed in house.
Systems with a great need for secrecy, yes, should be developed in-house.
Systems with a great need for security, no, should absolutely NOT be developed in-house.
It's like home rolling your own crypto algorithm, it only seems like a good idea to those who don't know anything about cryptography.
Re: (Score:2)
Oh, yes! And I know personally, that *gasp* LINUX is used in federal agencies and banks! They failed to make that source code secret and it is apparently completely open! I was able to just _download_ it!
In other news, the stupidity-level of your posting is staggering.
Re: (Score:2)
Stupidity is absolutely everywhere.
I agree. Perhaps closer than you realize.
Re: (Score:2)
It's going to be awful hard for the U.S. government to create their own systems that are superior to commercial offerings when they can't acquire or retain talent because the pay is too low and the working conditions suck.
Enough Of The D&C Bullshit (Score:3, Insightful)
LINUX IS RUSSIAN TREASON! (Score:5, Funny)
That's nothing, Linus Torvalds regularly publishes code that EVERY SINGLE RUSSIAN can access. It's TREASON!
Re: (Score:1)
> That's nothing, Linus Torvalds regularly publishes code that EVERY SINGLE RUSSIAN can access. It's TREASON!
Linus even accepts patches from RUSSIAN DEVELOPERS!111!! He was even born in Finland which very conveniently shares a border with Russia and was part of the Russian Empire at one time!
Yes, so? This is standard practice... (Score:5, Insightful)
Every large-enough customer can get access to source-code of closed software. This is completely standard and there is nothing nefarious going on here. This only endangers anything US if the US messed up their own review.
Who writes these demented articles?
Smart Russians (Score:1)
Well, no wonder. From 3 years ago:
Russian researchers expose breakthrough in U.S. spying program [reuters.com]
The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world’s computers, according to cyber researchers and former operatives.
That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations.
Stuxnet, the hard drive firmware exploits, last year the upload of malware from an NSA developer, and other discoveries of state-developed spyware have definitely made KL and other Russian-based software companies targets to be hurt economically.
Easy Solution (Score:2)
Make all security software open source, so everyone can look at it, and the many eyeballs cause problems to be fixed quicker.
Bleeding eyeballs (Score:2)
Not sure we want to see all this crappy source code.
Many eyeballs would bleed.
Somebody's Gotta Say It (Score:1)
How do you like the global economy now?
The highest rated commenters are confused (Score:2)
The highly rated commenters all think it's impossible that this access benefits the Russians in nefarious ways. It's not impossible. Basically the point of the article is that greedy companies let Mother Russia send her experts in to examine the code of various programs that the US government also uses so they could get sales in Russia. There are lots of smart Russians. I wouldn't say there is no chance that the Russians could find an exploit in such a code review and just c
Could the Russians be Stopped? (Score:2)
as reported by the British Reuters (Score:2)
Re: (Score:2)
Genuinely interested, not trying to be a jerk or anything, just want to know: your point is ...?
Re: (Score:2)
> we should take in the stride as we take other US corporations
Can you explain what you mean by that? I'm familiar with the expression "take in stride", but I'm totally lost on what you are trying to express. What are we taking in stride? What about other U.S. corporations do we take in stride? Are you referring to their inspection of software? And what does Reuters being British have to do with the report? Actually, Reuters isn't British: the headquarters are in the U.K., but Reuters is a division of the Toronto-based Canadian media company Thomson Reuters, so it's a
Re: (Score:1)
Are you a full on retard? The Russians are very obviously running espionage campaigns against us.
This has nothing to do with Hillary Clinton. If we want to secure our shit we should obviously not be giving hackers the source code for our security systems.
Only a hyper partisan fool would think this makes sense.
Re: So what? (Score:3, Insightful)
Putin preferred Trump over Clinton. Putin put his machine to work to help get Trump elected. So far, that's fairly agreed upon. The question is if Trump knew or not.
Re: (Score:2)
> Putin preferred Trump over Clinton.
Yeah. Ok. That's why he gave hundreds of millions of dollars to Clintons in the open. So that he could spend $100k on ads for the Trump campaign. Fuck off, retard.
Re: (Score:1)
Every country with an intelligence agency is running espionage campaigns against every other country. That's what intelligence agencies do, and have done since the beginning of time.
Claiming the Russians got Trump elected is a cover for the clear corruption of the Clintons and the DNC. It's designed to keep you on the plantation, not convince Trump voters to vote Democrat.
The reason that all this Russian corruption (and a metric shit-ton of other government corruption/criminality) hardly ever results in anyone going to prison, Agencies/Departments/Bureaus/etc purged, is that *both sides are dirty as hell*. Both sides have taken money from and worked with Russians (and other foreign governments) for their own and their Party's/ideology's gain, and against the interests of the American people.
The DoJ, FBI, IRS, NSA, and likely more TLAs are corrupt and compromised. They have b
Re:So what? (Score:4, Insightful)
How about you get over Benghazi and her emails? You know the difference between those stories and Russia? The investigations were completed and found nothing.
If Russia is nothing, then let the investigations complete it and tell us so. Then you can bitch that we're not "over it".
Re: (Score:1)
The Benghazi and mishandling of classified information investigations found plenty.
We found out that Hillary knew Benghazi was a terrorist attack and that Susan Rice went on the mainstream news programs the next day and lied to the American People about it being caused by some amateur video about Prophet Muhammad.
We found out that not only did Hillary retain classified information on unauthorized, insecure systems, but she gave copies on a thumb drive to attorneys that lacked the proper security clearance
Re: (Score:1)
Found plenty, bullshit 3 investigations found bugger all. More alt right alt facts from the RWNJs
Re: (Score:2)
Nice set of right wing snowflake talking points, comrade. Now why don't you tell us about the 12 MILLION emails Cheney erased.
Re: (Score:2)
> Nice set of right wing snowflake talking points, comrade.
The comrade is in your mirror. You are carrying water for the neo-communist criminal cartel that is the Democratic party.
Re: (Score:2)
> Putin preferred Trump over Clinton.
No. Just, no. Not going to happen. Next question.
> You know the difference between those stories and Russia?
Yes. Those stories are true. And the Russian collusion story is a fabrication made up to divert attention from them.
> The investigations were completed and found nothing.
No, they found her guilt. And then the Obama-led administration let her off the hook because she knows where the proverbial bodies are buried.
> If Russia is nothing, then let the investigations complete it and tell us so.
It's been completed a long time ago. It's not even looking at the collusion anymore. It's looking at the abstraction of justice which legal scholars (as opposed to news reporters) don't think is po
Re: (Score:2)
Almost everything in your comment is a big fat lie. The first thing you supposedly quoted from my comment:
> Putin preferred Trump over Clinton.
I didn't say that. Why lie about something so trivial? Pathetic.
Re: (Score:2)
> How about you get over Benghazi and her emails?
And, of course, you can't edit your posts after the fact. This is just the format which drives Slashdot. It's what makes it, at times, uniquely psychotic in its own special way.
Re: (Score:2)
> How about you get over Benghazi and her emails? You know the difference between those stories and Russia? The investigations were completed and found nothing.
Go read the results of the FBI investigation into Vince Foster's death and tell me they found nothing.
Re: (Score:2)
No, you know what, you're right. Seriously, I'm not being sarcastic.
We should care about Benghazi if Benghazi refers to the terrorist attack against the US Consulate in 2011. But that's not actually what you give a shit about.
Re: (Score:2)
The Clinton Machine is still talking about her a lot. She's going to run again in 2020.