McAfee Says It No Longer Will Permit Government Source Code Reviews (reuters.com)
Dustin Volz, Joel Schectman, and Jack Stubbs, reporting for Reuters: U.S.-based cyber firm McAfee said it will no longer permit foreign governments to scrutinize the source code of its products, halting a practice some security experts have warned could be leveraged by nation-states to carry out cyber attacks. Reuters reported in June that McAfee was among several Western technology companies that had acceded in recent years to greater demands by Moscow for access to source code, the instructions that control basic operations of computer equipment. The reviews, conducted in secure facilities known as "clean rooms" by Russian companies with expertise in technology testing, are required by Russian defense agencies for the stated purpose of ensuring no hidden "backdoors" exist in foreign-made software. But security experts and former U.S. officials have said those inspections provide Russia with opportunities to find vulnerabilities that could be exploited in offensive cyber operations. McAfee ended the reviews earlier this year after spinning off from Intel in April as an independent company, a McAfee spokeswoman said in an email to Reuters last week.
Re:Maybe if Russia stops meddling in our elections (Score:5, Insightful)
You mean, stop bribing Secretaries of State and former presidents under the watchful eye of the Robert Mueller FBI?
Re: (Score:1)
Found Trump's cockholster
You keep telling yourself that.
The "RUSSIANS STOLE THE ELECTION!!!" narrative is blowing up in Democrats' faces.
Exclusive: In Hill interviews, top Dems denied knowledge of payments to firm behind Trump dossier [cnn.com]
Sitting next to Podesta during the interview: his attorney Marc Elias, who worked for the law firm that hired Fusion GPS to continue research on Trump on behalf of the Clinton campaign and DNC, multiple sources said. Elias was only there in his capacity as Podesta's attorney and not as a witness.
On Tuesday, that law firm, Perkins Coie, wrote in a letter that it had retained Fusion GPS as part of its representation of the Clinton campaign and the DNC. The disclosure of the Democratic funding source for Fusion GPS is raising new questions for the congressional Russian investigators.
Note also that Perkins Coie hiring Fusion GPS would have been required to be reported to the FEC:
Hillary Clinton's Campaign Wasn't Honest About Paying for Trump Dossier [newsweek.com]
Hillary Clinton's presidential campaign has been hit with a new complaint that alleges it tried to cover up the fact that it helped pay for the infamous "Trump Russia Dossier."
The Washington-based Campaign Legal Center (CLC) said in a Wednesday complaint to the Federal Election Commission (FEC) that Hillary for America and the Democratic National Committee (DNC) broke campaign finance law by trying to hide payments related to the dossier...
Note that those are CNN and Newsweek - hardly right-wing news outlets.
That's not even getting into how Robert Mueller's FBI helped hi
Re: (Score:3)
The amount of Russian meddling in our elections is by far much less than the Obama Administration's meddling in Israeli elections. Perhaps the world should stop doing business with the US, who meddles everywhere all the time, then whines when a 100,000 Facebook ad campaign is all the "proof" of meddling by Russians that shows up.
Re: (Score:2)
In antivirus, hack Russia you!
Re: (Score:2, Insightful)
Of course, the US govt doesn't need to review McAfee's source code; they already know exactly what back doors they have inserted into it, just like they claim Russia has done.
Re: (Score:2)
https://www.clamav.net/ [clamav.net]
The fact is, researching new viruses and maintaining up-to-date signatures requires constant work, which means the need for paid employees. This is really something that should be a collaboration between all the governments of the world and provided for free, thus facilitating far greater FOSS anti-virus solutions. As it is, it's just not something that's interesting enough for anyone to want to do as a hobby. Add to that the fact that those of us running FOSS operating systems don'
The Antivirus War is On (Score:4, Insightful)
This is interesting news, I didn't know Russia demanded this, but I guess they wised up before, well, the US.
I do love the tongue-in-cheek from McAfee: they're blatantly trying to get the Kaspersky US market with the patriotic card by exiting the Russian one, and going backwards on the exact thing Kaspersky has stated they would allow from US!
Now, in all seriousness - does McAfee really think they are gonna catch any market with this? Does anyone with a 2 digit IQ still install McAfee?
Re: (Score:2)
Even an unpopular offering will likely experience increased sales when one of their biggest competitors is burning down and everybody is jumping ship.
For example, there are probably lots of people who dislike Symantec and don't want to install their product, and those people might not know which other companies have a good product. They might only know that McAfee has been around for a long time, and try it.
McAfee at least is easier to uninstall.
Re: (Score:2)
Doesn't Windows come with a built-in antivirus these days?
Re: (Score:2)
Doesn't Windows come with a built-in antivirus these days?
"It's secure. Trust me."
After looking at the rather colorful history of the built-in browser, it tends to make you wonder just how many times we're gonna believe that line...
Re: (Score:2)
Yeah you have a fair point!
Re: (Score:2)
I do love the tongue-in-cheek from McAfee: they're blatantly trying to get the Kaspersky US market...
McAfee is already on many of the DoD computers I use, working hard to slow them to a crawl...
Re: (Score:2)
If that is true it makes me cringe a bit. But then again Kaspersky use induced in stolen info so I digress...
Re: (Score:2)
Another fair point indeed.
Re: (Score:2)
It makes no sense. I'd rather more countries review it, so there's more eyes on it and less likely to have something nefarious that only benefits one or some countries.
The Anti-Antivirus war is on (Score:2)
It is a two-edged sword. The more people look at the code, the more confidence you have that it isn't hiding anything. But then, you also have more people who understand how to write malware that either attacks the AV app or is able to bypass it entirely. You can have it both ways of course, if you don't let select countries that have histori
Re: (Score:2)
2 digit, _positive_ IQ
I laughed kinda hard on that one. Good job!
Re: (Score:2)
I guess joke's on me for not making it clear. I obviously meant "at least a 2 digit IQ". And to answer your question as is: no. I believe last time I tested it I was safely on the 3 digits, and it was less than 10 years ago.
In my defense I'm no native English speaker. I kind of assumed "at least" could be implied, when you say stuff like "anyone with ", when used in a question at least.
Re: (Score:2)
Had no idea of this. Tantalizing. Reminds me of my junior high, where all PCs also had it
It's a "war" amongst equally untrustworthy parties (Score:2)
McAfee, Norton, and Kaspersky all have the same problem: they're all nonfree software. No one of them is more trustworthy than the others because none of them give users the freedom to run, inspect, share, and modify the program at any time for any reason.
Double standard, anyone? (Score:3, Insightful)
So it's OK for the US to audit Kaspersky's source code for hidden backdoors (and Kaspersky is highly regarded for offering it), but it's not OK for Russia to audit McAfee's source code for hidden backdoors.
Because Russia.
Did I get that right?
Re: (Score:1)
There is no right or wrong. There is either wanting to do business or not.
Re:Double standard, anyone? (Score:5, Insightful)
So it's OK for the US to audit Kaspersky's source code for hidden backdoors (and Kaspersky is highly regarded for offering it), but it's not OK for Russia to audit McAfee's source code for hidden backdoors.
McAfee does not set the policies of Kaspersky as to whether they let people look at the code. Whether or not it's "OK" for one company to choose one thing and another company to choose another thing is a false dynamic. Both can choose to do whatever they like.
Re: (Score:1)
Yes. And coming from an ex-Eastern Bloc country, that seems to be a damn good reason.
Re: (Score:2)
> If you are relying on code obscurity for a security product you are already fucked.
If you're relying on anti-virus for your primary security, you are already fucked. It is the "barn door was left open and the horse is out, try and close the barn door" solution. It is important that it doesn't have back doors, but everything else is just a last hope that it saves you.
Providing the source to eyes that may make malware, if they don't also provide vulnerability feedback or sales to McAfee, is useless. Especi
Re: (Score:3)
Really it doesn't make much difference either way.
Unless you are as familiar with the codebase as its authors are (and you definitely won't be) and unless you are doing all of the compilation from source yourself (which you probably won't be), you're still more or less at the mercy of the software vendor.
Even if you read all of the source code they provide you with to "prove" the program doesn't do anything nefarious, there is no guarantee that the binary you install on your computers was based on the sourc
Re: (Score:2)
Really it doesn't make much difference either way.
Unless you are as familiar with the codebase as its authors are (and you definitely won't be) and unless you are doing all of the compilation from source yourself (which you probably won't be), you're still more or less at the mercy of the software vendor.
Even if you read all of the source code they provide you with to "prove" the program doesn't do anything nefarious, there is no guarantee that the binary you install on your computers was based on the source code you read, and not some other version of that source code with a back-door installed.
So it comes down to the same thing -- you either trust your Anti-virus company not to spy on you, or you don't.
A world full of social media narcissists who post every detail about their lives online via dozens of apps that abuse 100 back-channels of telemetry and data aggregation is worried about Nation States stealing shit via hidden anti-virus code.
Fucking hell.
If you're looking for a horror story, read a EULA sometime.
Re: (Score:2)
A world full of social media narcissists who post every detail about their lives online via dozens of apps that abuse 100 back-channels of telemetry and data aggregation is worried about Nation States stealing shit via hidden anti-virus code.
I was thinking more of the NSA, DOD, and other government agencies that have made the (questionable) decision to run their critical infrastructure on Windows, and now find themselves in the position of depending on Kaspersky/McAfee/etc to protect their computers against malware, and therefore having to trust said companies not to be installing malware themselves.
Whether government agencies are full of social media narcissists or not, I don't know... I try not to spend a lot of time at government agencies :)
Re: (Score:2)
So it's OK for the US to audit Kaspersky's source code for hidden backdoors (and Kaspersky is highly regarded for offering it), but it's not OK for Russia to audit McAfee's source code for hidden backdoors.
Because Russia.
Did I get that right?
And Russia is perfectly welcome to not install McAfee on THEIR government computers. In fact, it would be wise if they didn't.
How do code reviews do anything? (Score:3)
Enterprise software is so complex that there must be thousands of source files with hundreds of thousands of lines of code. How does a code review catch anything? If a company has a backdoor, why on earth would they provide it in a source review? Just remove the backdoor, submit the files, and pass. Source review seems like a waste of time, how do they, or did they ensure the source they were reviewing is the source that's in the application? Perhaps they did the review, compiled, packaged, then copied to memory for installation?
Re: (Score:2)
Enterprise software is so complex that there must be thousands of source files with hundreds of thousands of lines of code. How does a code review catch anything? If a company has a backdoor, why on earth would they provide it in a source review? Just remove the backdoor, submit the files, and pass. Source review seems like a waste of time, how do they, or did they ensure the source they were reviewing is the source that's in the application? Perhaps they did the review, compiled, packaged, then copied to memory for installation?
I think at a minimum, the best practices for any source code review include compiling and packaging, and at least calculating a hash of the executable and comparing it to a hash of the distributed product executable.
I agree, you shouldn't immediately trust distributed software just because they open sourced it, but rather, the point is that you can roll your own and/or compare it to the distributed version to make sure they're the same.
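As an added example (not code from the page or from any vendor it names), a small Python checker for the rebuild-and-compare step the reply describes: it does not build anything itself, but takes the artifacts you compiled from the reviewed source plus the vendor's sha256sum-style manifest for the shipped product and reports, per file, whether the bytes match. The file names, contents and digests in `demo()` are constructed.

```python
"""Compare artifacts rebuilt from reviewed source against the vendor's
published digests. Added example; names and digests are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse 'digest  filename' lines (sha256sum output format) into a dict."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        manifest[name.strip()] = digest.lower()
    return manifest


def verify_rebuild(build_dir, manifest):
    """Return {filename: 'match' | 'mismatch' | 'missing'} for each manifest entry.
    'mismatch' means the reviewed source (or toolchain) did not produce the shipped
    bytes, so the review says nothing about what customers actually run."""
    results = {}
    for name, expected in manifest.items():
        path = Path(build_dir) / name
        if not path.is_file():
            results[name] = "missing"
        else:
            results[name] = "match" if sha256_file(path) == expected else "mismatch"
    return results


def demo():
    """Constructed scenario: two artifacts rebuilt; vendor manifest lists three."""
    tmp = Path(tempfile.mkdtemp())
    scanner, updater = b"reviewed build of scanner\n", b"reviewed build of updater\n"
    (tmp / "scanner.bin").write_bytes(scanner)
    (tmp / "updater.bin").write_bytes(updater)
    good = hashlib.sha256(scanner).hexdigest()           # shipped bytes == rebuilt
    other = hashlib.sha256(b"shipped updater, extra\n").hexdigest()  # shipped differs
    text = "\n".join(["# constructed vendor manifest", f"{good}  scanner.bin",
                      f"{other}  updater.bin", f"{'0' * 64}  driver.sys"])
    return verify_rebuild(tmp, parse_manifest(text))
```

A "missing" entry (a shipped file the rebuild never produced) is as interesting as a mismatch, since it was never part of the reviewed source at all.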