Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Businesses Government Security Politics

McAfee Says It No Longer Will Permit Government Source Code Reviews (reuters.com) 79

Dustin Volz, Joel Schectman, and Jack Stubbs, reporting for Reuters: U.S.-based cyber firm McAfee said it will no longer permit foreign governments to scrutinize the source code of its products, halting a practice some security experts have warned could be leveraged by nation-states to carry out cyber attacks. Reuters reported in June that McAfee was among several Western technology companies that had acceded in recent years to greater demands by Moscow for access to source code, the instructions that control basic operations of computer equipment. The reviews, conducted in secure facilities known as "clean rooms" by Russian companies with expertise in technology testing, are required by Russian defense agencies for the stated purpose of ensuring no hidden "backdoors" exist in foreign-made software. But security experts and former U.S. officials have said those inspections provide Russia with opportunities to find vulnerabilities that could be exploited in offensive cyber operations. McAfee ended the reviews earlier this year after spinning off from Intel in April as an independent company, a McAfee spokeswoman said in an email to Reuters last week.
This discussion has been archived. No new comments can be posted.

McAfee Says It No Longer Will Permit Government Source Code Reviews

Comments Filter:
  • by cloud.pt ( 3412475 ) on Thursday October 26, 2017 @01:30PM (#55438723)

    This is interesting news, I didn't know Russia demanded this, but I guess they wised up before, well, the US.

    I do love the tongue-in-cheek from McAfee: they're blatantly trying to get the Kaspersky US market with the patriotic card by exiting the Russian one, and going backwards on the exact thing Kaspersky has stated they would allow from US!

    Now, in all seriousness - does McAfee really think they are gonna catch any market with this? Does anyone with a 2 digit IQ still install McAfee?

    • Even an unpopular offering will likely experience increased sales when one of their biggest competitors is burning down and everybody is jumping ship.

      For example, there are probably lots of people who dislike Symantec and don't want to install their product, and those people might not know which other companies have a good product. They might only know that McAfee has been around for a long time, and try it.

      McAfee at least is easier to uninstall.

      • Doesn't Windows come with a built-in antivirus these days?

        • Doesn't Windows come with a built-in antivirus these days?

          "It's secure. Trust me."

          After looking at the rather colorful history of the built-in browser, tends to make you wonder just how many times we're gonna believe that line...

      • Yeah you have a fair point!

    • I do love the tongue-in-cheek from McAfee: they're blatantly trying to get the Kaspersky US market...

      McAfee is already on many of the DoD computers I use, working hard to slow them to a crawl...

      • If that is true it makes me cringe a bit. But then again Kaspersky use induced in stolen info so I digress...

    • If the government regulations require an antivirus that meets A,B, and C, and only one company has those, then they win even if the application is a dumpster fire. You won't get any of those govt contract without meeting their requirements.
    • It makes no sense. I'd rather more countries review it, so there's more eyes on it and less likely to have something nefarious that only benefits one or some countries.

      • It makes no sense. I'd rather more countries review it, so there's more eyes on it and less likely to have something nefarious that only benefits one or some countries.

        It is a two edged sword. More people look at the code, the more confidence you have that it isn't hiding anything. But then, you also have more people who understand how to write malware that either attacks the AV app, or is able to bypass it entirely. You can have it both ways of course, if you don't let select countries that have histori
    • McAfee, Norton, and Kaspersky all have the same problem: they're all nonfree software. No one of them is more trustworthy than the others because none of them give users the freedom to run, inspect, share, and modify the program at any time for any reason.

  • by Scarred Intellect ( 1648867 ) on Thursday October 26, 2017 @01:32PM (#55438741) Homepage Journal

    So it's OK for the US to audit Kaspersky's source code for hidden backdoors (and Kaspersky is highly regarded for offering it), but it's not OK for Russia to audit McAfee's source code for hidden backdoors.

    Because Russia.

    Did I get that right?

    • by Anonymous Coward

      There is no right or wrong. There is either wanting to do business or not.

    • by Frosty Piss ( 770223 ) * on Thursday October 26, 2017 @01:48PM (#55438867)

      So it's OK for the US to audit Kaspersky's source code for hidden backdoors (and Kaspersky is highly regarded for offering it), but it's not OK for Russia to audit McAfee's source code for hidden backdoors.

      McAfee does not set the policies of Kaspersky as to if they let people look at the code. Whether or not it's "OK" for one company to choose one thing and another company to choose another thing is a false dynamic. Both can choose to do whatever they like.

    • by dabadab ( 126782 )

      Because Russia.

      Did I get that right?

      Yes. And coming from an ex-Eastern Block country that seems to be a damn good reason.

      • If you are relying on code obscurity for a security product you are already fucked. All this does is reduce their own market. Almost every country in the world demands these security reviews/checks before use by government.
        • > If you are relying on code obscurity for a security product you are already fucked.

          If your relying on anti-virus for your primary security, you are already fucked. It is the barn door was left open and the horse is out, try and close the barn door solution. It is important that it doesn't have back doors, but everything else is just a last hope that it saves you.

          Providing the source to eyes that may make malware, if they don't also provide vulnerability feedback or sales to mcafee is useless. Especi

    • by Jeremi ( 14640 )

      Really it doesn't make much difference either way.

      Unless you are as familiar with the codebase as its authors are (and you definitely won't be) and unless you are doing all of the compilation from source yourself (which you probably won't be), you're still more or less at the mercy of the software vendor.

      Even if you read all of the source code they provide you with to "prove" the program doesn't do anything nefarious, there is no guarantee that the binary you install on your computers was based on the sourc

      • Really it doesn't make much difference either way.

        Unless you are as familiar with the codebase as its authors are (and you definitely won't be) and unless you are doing all of the compilation from source yourself (which you probably won't be), you're still more or less at the mercy of the software vendor.

        Even if you read all of the source code they provide you with to "prove" the program doesn't do anything nefarious, there is no guarantee that the binary you install on your computers was based on the source code you read, and not some other version of that source code with a back-door installed.

        So it comes down to the same thing -- you either trust your Anti-virus company not to spy on you, or you don't.

        A world full of social media narcissists who post every detail about their lives online via dozens of apps that abuse 100 back-channels of telemetry and data aggregation is worried about Nation States stealing shit via hidden anti-virus code.

        Fucking hell.

        If you're looking for a horror story, read a EULA sometime.

        • by Jeremi ( 14640 )

          A world full of social media narcissists who post every detail about their lives online via dozens of apps that abuse 100 back-channels of telemetry and data aggregation is worried about Nation States stealing shit via hidden anti-virus code.

          I was thinking more of the NSA, DOD, and other government agencies that have made the (questionable) decision to run their critical infrastructure on Windows, and now find themselves in the position of depending on Kaspersky/McAfee/etc to protect their computers against malware, and therefore having to trust said companies not to be installing malware themselves.

          Whether government agencies are full of social media narcissists or not, I don't know... I try not to spend a lot of time at government agencies :)

    • So it's OK for the US to audit Kaspersky's source code for hidden backdoors (and Kaspersky is highly regarded for offering it), but it's not OK for Russia to audit McAfee's source code for hidden backdoors.

      Because Russia.

      Did I get that right?

      And Russia is perfectly welcome to not install McAfee on THEIR government computers. Infact, it would be wise if they didn't.

  • by llZENll ( 545605 ) on Thursday October 26, 2017 @03:41PM (#55439877)

    Enterprise software is so complex that there must be thousands of source files with hundreds of thousands of lines of code. How does a code review catch anything? If a company has a backdoor, why on earth would they provide it in a source review? Just remove the backdoor, submit the files, and pass. Source review seems like a waste of time, how do they, or did they ensure the source they were reviewing is the source that's in the application? Perhaps they did the review, compiled, packaged, then copied to memory for installation?

    • Enterprise software is so complex that there must be thousands of source files with hundreds of thousands of lines of code. How does a code review catch anything? If a company has a backdoor, why on earth would they provide it in a source review? Just remove the backdoor, submit the files, and pass. Source review seems like a waste of time, how do they, or did they ensure the source they were reviewing is the source that's in the application? Perhaps they did the review, compiled, packaged, then copied to memory for installation?

      I think at a minimum, the best practices for any source code review include compiling and packaging, and at least calculating a hash of the executable and comparing it to a hash of the distributed product executable.

      I agree, you shouldn't immediately trust distributed software just because they open sourced it, but rather, the point is that you can roll your own and/or compare it to the distributed version to make sure they're the same.

Long computations which yield zero are probably all for naught.

Working...