Russia requesting to review source code of Western companies’ security products(reuters.com)
reuters.com
Russia requesting to review source code of Western companies’ security products
http://reuters.com/article/idUSKBN19E0XB
111 comments
It may be reasonable, but it's not a good idea. We shouldn't trust Russsians, and they shouldn't trust us. I'd rather the US companies be forced not to sell if those are the terms. It exposes US companies even more than they are. The Russians should find another product if they aren't happy with it.
> We shouldn't trust Russsians, and they shouldn't trust us.
The problem at the moment is that 'we' can't necessarily trust 'ourselves'. Paradoxically, having the Russians audit may make our products more trustworthy for our own use. See also Open Source.
The problem at the moment is that 'we' can't necessarily trust 'ourselves'. Paradoxically, having the Russians audit may make our products more trustworthy for our own use. See also Open Source.
These companies could sell a product in Russia that is different than the one they sell in the US. Audits by Russia don't mean much unless everyone gets the same binaries.
Only if they tell us what they find.
The identity of the requester is orthogonal to the issue.
Anyone should be able to request the source code. It doesn't matter if it's someone we trust or not.
Anyone should be able to request the source code. It doesn't matter if it's someone we trust or not.
I could get on board with that if that's the way it worked. Here's hoping to that becoming the reality!
Why with the "Us vs. Them" mentality?
Almost the entirety of the 20th and early 21rst centurys' history are defined by Us vs. Them in this case. This isn't some baseless tribalism, there were multiple wars via proxy across the globe. Massive intel and cointel operations. There were several occasions that almost ended human life on earth via nuclear conflict. You'd have to be insanely naive to ignore this in the context of this request.
Because there's been a very recent and very public hacking scandal that was "them vs us"?
I just think it might be more helpful to think about this as "Putin vs The U.S" instead of "them vs us".
You can probably include his network and the oligarchy in there, but the average Russian citizen shouldn't really have a problem with the U.S.
Before Putin started working on actively fear mongering, our relationship was good and trending upward. They have slightly different cultural values than us, but its nothing like it was in the cold war. Our interests are aligned on most significant issues for the average citizen.
If both our countries could get rid of their current leader we could quickly become allies.
You can probably include his network and the oligarchy in there, but the average Russian citizen shouldn't really have a problem with the U.S.
Before Putin started working on actively fear mongering, our relationship was good and trending upward. They have slightly different cultural values than us, but its nothing like it was in the cold war. Our interests are aligned on most significant issues for the average citizen.
If both our countries could get rid of their current leader we could quickly become allies.
I think it's not that simple. Russians are "proud" peoples, as they say. He has high approval rating. An affront to Putin is an affront to Russia. The Clinton "diplomatic" tack and tact was not effective and likely very unproductive and has lead to much distrust at the govt level but also among the average Dmitrys and Marinas on the street.
> Russians are "proud" peoples, as they say.
I doubt that as a people Russians are any more "proud" than any other nation; such a sentiment reminds me of the age of Romanticism, when such kind of analysis of nations, or of national spirit, was commonplace. It is so very human (and so very superficial, too) to want to feel superior to or at least no worse than others, that states exploit this via propaganda. If people are being systematically told that they belong to a great nation (which defeated the Germans in WWII, or was the first to send a man in space, or has a magnificent cultural legacy in XIXth century writers, or has the second largest nuclear arsenal, or other such stuff intended to boost nationalism), they get "proud". When this propaganda stops, they go back to normal again.
I doubt that as a people Russians are any more "proud" than any other nation; such a sentiment reminds me of the age of Romanticism, when such kind of analysis of nations, or of national spirit, was commonplace. It is so very human (and so very superficial, too) to want to feel superior to or at least no worse than others, that states exploit this via propaganda. If people are being systematically told that they belong to a great nation (which defeated the Germans in WWII, or was the first to send a man in space, or has a magnificent cultural legacy in XIXth century writers, or has the second largest nuclear arsenal, or other such stuff intended to boost nationalism), they get "proud". When this propaganda stops, they go back to normal again.
> I doubt that as a people Russians are any more "proud" than any other nation
As a people, rather than as individual people, it's quite plausible that one nationality would be prouder than another; strength and centrality of national identity isn't a universal constant.
Being proud as a people means, essentially, that the individual people have (compared to other groups of the same kind, in this case nationalities) the group identity as a strong/central feature of individual identity.
As a people, rather than as individual people, it's quite plausible that one nationality would be prouder than another; strength and centrality of national identity isn't a universal constant.
Being proud as a people means, essentially, that the individual people have (compared to other groups of the same kind, in this case nationalities) the group identity as a strong/central feature of individual identity.
What I mean is if you criticize Russia in most aspects, even if true, people will tend not to receive it well and take it as a personal attack against them or the people as a whole. So unlike the US where people frequently criticize the country as well as people whole distancing themselves from those "bad" others.
> So unlike the US where people frequently criticize the country as well as people whole distancing themselves from those "bad" others.
People in Russia, like in the US, frequently criticize the country as well as people. What they don't like, like people in US, is "others" criticizing their country and the people.
People in Russia, like in the US, frequently criticize the country as well as people. What they don't like, like people in US, is "others" criticizing their country and the people.
There are people who do, but go too far and you get into trouble. For historical reasons, people don't separate the state from their own identity as much as people do in other countries. It really is different. Even Putin haters will find "good" things in him, oh but he's defending Russia, etc.
Oh, yeah, for sure. Agreed on everything, friends if not allies.
But Russia as a state is pretty much synonymous with Putin as a person, right now. Until that changes, it's splitting hairs.
But Russia as a state is pretty much synonymous with Putin as a person, right now. Until that changes, it's splitting hairs.
This one with no evidence?
There's plenty of non-classified evidence that goes much further than the joint Intel report goes, and was available before it.
It's kind of disappointing this isn't widely understood, but I guess politics gets in the way. Anyway, feel free to share this:
2014 report into ATP-28: https://www.fireeye.com/blog/threat-research/2014/10/apt28-a..., presenting pretty compelling (if circumstantial) evidence that group is Russian state backed.
(July) 2016 report into the DNC hacking, showing it was first breached by ATP-29 (The other Russian state backed hacking group), but the leaks almost certainly came from a second breach by ATP-28 later: https://www.crowdstrike.com/blog/bears-midst-intrusion-democ...
One can of course argue that this is all a conspiracy. However, the fact that this first report was publicly available in 2014 gives some protection against the idea that it is motivated by US internal politics, and the second was also before the election actually occurred.
It's kind of disappointing this isn't widely understood, but I guess politics gets in the way. Anyway, feel free to share this:
2014 report into ATP-28: https://www.fireeye.com/blog/threat-research/2014/10/apt28-a..., presenting pretty compelling (if circumstantial) evidence that group is Russian state backed.
(July) 2016 report into the DNC hacking, showing it was first breached by ATP-29 (The other Russian state backed hacking group), but the leaks almost certainly came from a second breach by ATP-28 later: https://www.crowdstrike.com/blog/bears-midst-intrusion-democ...
One can of course argue that this is all a conspiracy. However, the fact that this first report was publicly available in 2014 gives some protection against the idea that it is motivated by US internal politics, and the second was also before the election actually occurred.
Evidence is downthread.
CIA, FBI and NSA all concur, they all put out unclassified statements with their conclusions, although they obviously kept much of their supporting evidence classified.
CIA, FBI and NSA all concur, they all put out unclassified statements with their conclusions, although they obviously kept much of their supporting evidence classified.
>although they obviously kept much of their supporting evidence classified.
Was anything not classified? I have trust issues stemming from an unnecessary war based on false premises when I was a child.
Most of my hesitation stems from a lack of information about it. "Russians hacked Podesta's emails and released them to Wikileaks."
"Russians hacked voting machines."
Those are very targeted statements, and I'd feel better about the whole thing if more questions were answered.
Have the hackers successfully been linked to the Russian Government? How?
How long has this been going on? Since before this election cycle? If so, why is it only now an issue worthy of public attention?
Have other Government entities, China, North Korea, etc, done the same?
Have we seen similar attacks from inside the US?
Was anything not classified? I have trust issues stemming from an unnecessary war based on false premises when I was a child.
Most of my hesitation stems from a lack of information about it. "Russians hacked Podesta's emails and released them to Wikileaks."
"Russians hacked voting machines."
Those are very targeted statements, and I'd feel better about the whole thing if more questions were answered.
Have the hackers successfully been linked to the Russian Government? How?
How long has this been going on? Since before this election cycle? If so, why is it only now an issue worthy of public attention?
Have other Government entities, China, North Korea, etc, done the same?
Have we seen similar attacks from inside the US?
Motivations matter.
When we had the march to war in Iraq, suspect intel was being selectively and deceitfully pulled out of context specifically to build a case for war in Iraq. By politicians, not by intel professionals. A bunch of former intel people went on record calling BS on it.
Right now, nobody's making a case for war with Russia. Retaliatory sanctions at best. They mostly just want to harden our election process and systems to prevent it from happening again, or worse.
Yet we see constantly moving goalposts from people who don't want that hardening to happen. What's their motivation?
When we had the march to war in Iraq, suspect intel was being selectively and deceitfully pulled out of context specifically to build a case for war in Iraq. By politicians, not by intel professionals. A bunch of former intel people went on record calling BS on it.
Right now, nobody's making a case for war with Russia. Retaliatory sanctions at best. They mostly just want to harden our election process and systems to prevent it from happening again, or worse.
Yet we see constantly moving goalposts from people who don't want that hardening to happen. What's their motivation?
See this for non-classified evidence: https://news.ycombinator.com/item?id=14620389
I don't believe there are any claims Russia successfully hacked voting machines (I may have missed developments in the last week though). I believe there are claims they did successfully attack voter registration databases, but there are no real claims (except by left-wing conspiracy theory people) that they changed those databases - just stole data. I believe there is no non-classified evidence of this though (although I didn't read the document that Reality Winner sent to the Intercept, so that may document some evidence).
China has a well known hacking group (ATP-1) - see [1] for further information. There is no evidence or real claims they are involved in political interference within the US. OTOH they are quite good at industrial espionage and tracking Chinese dissidents.
I'm not very familiar with North Korea's group, but it is widely believed to be responsible for the Sony hack. I found that bizarre, but NK actions often are.
[1] https://www.fireeye.com/content/dam/fireeye-www/services/pdf...
I don't believe there are any claims Russia successfully hacked voting machines (I may have missed developments in the last week though). I believe there are claims they did successfully attack voter registration databases, but there are no real claims (except by left-wing conspiracy theory people) that they changed those databases - just stole data. I believe there is no non-classified evidence of this though (although I didn't read the document that Reality Winner sent to the Intercept, so that may document some evidence).
China has a well known hacking group (ATP-1) - see [1] for further information. There is no evidence or real claims they are involved in political interference within the US. OTOH they are quite good at industrial espionage and tracking Chinese dissidents.
I'm not very familiar with North Korea's group, but it is widely believed to be responsible for the Sony hack. I found that bizarre, but NK actions often are.
[1] https://www.fireeye.com/content/dam/fireeye-www/services/pdf...
The fall of communism was the perfect time to start building trust.
The Russians foolishly trusted the west. Look up the astonishing policies initiated by 'harvard economists' in association with the usual suspects IMF and World Bank that directly led to the loot of hundreds of billions of dollars of Russian state assets and the rise of the oligarchy to understand how obsessive self interest and sabotage operate. Putin exists for a reason. 'Trust' is a naive to dangerous idea in this context.
No one is a doe eyed innocent upholding some moral high ground in international politics, people who affect that should be treated with extreme suspicion.
The Russians foolishly trusted the west. Look up the astonishing policies initiated by 'harvard economists' in association with the usual suspects IMF and World Bank that directly led to the loot of hundreds of billions of dollars of Russian state assets and the rise of the oligarchy to understand how obsessive self interest and sabotage operate. Putin exists for a reason. 'Trust' is a naive to dangerous idea in this context.
No one is a doe eyed innocent upholding some moral high ground in international politics, people who affect that should be treated with extreme suspicion.
Because when dealing with nation states, it usually is "Us vs. Them" to at least some extent, even between stalwart allies?
> We shouldn't trust Russsians, and they shouldn't trust us.
WHAT will it take to end this tiresome, counter-productive, primitive tribalism, really?
WHAT will it take to end this tiresome, counter-productive, primitive tribalism, really?
Humans becoming trustworthy? In other words, you have to fix human nature.
Most of "human nature" is taught and learned.
If you think "untrustworthiness" is part of our fundamental animal instincts, then just look at how most cultures have managed to repress one of the most basic animal instincts – sex – through indoctrination.
Why can't the same be done for violence and maliciousness?
Check out the Green Sky Trilogy (aka Below The Root) books, which depict a world where pacifism has been more or less achieved, through teaching children to abhor violence the same way our world does for sex and stuff.
[0] https://en.wikipedia.org/wiki/Green_Sky_Trilogy
If you think "untrustworthiness" is part of our fundamental animal instincts, then just look at how most cultures have managed to repress one of the most basic animal instincts – sex – through indoctrination.
Why can't the same be done for violence and maliciousness?
Check out the Green Sky Trilogy (aka Below The Root) books, which depict a world where pacifism has been more or less achieved, through teaching children to abhor violence the same way our world does for sex and stuff.
[0] https://en.wikipedia.org/wiki/Green_Sky_Trilogy
It's a good idea, but too limited in scope. Everyone should have the ability to inspect the source code of the software they use. At the very least, government-used software should be accompanied with source code for potential independent audit.
Transparency is a dependency of trust.
Transparency is a dependency of trust.
I'm not sure the shareholders of those companies would agree with you. They may find another product - I can't imagine there isn't an incentive to seed a competitor to US companies in Russian jurisdiction. Russia has the capital and talent to do it, and I can't imagine the will is that far off.
At a certain point it becomes a national security risk. And we have to choose, money or security. Until our overall cybersecuirty improves I vote against the profit incentive. And I say we don't leave that decision to shareholders because they don't act with our nations best interest in mind all the time.
I don't know if this has been said already, but to me the hazard is that it makes it ok for any country to make demands on software creators. I think it's a dangerous precedent. Really, all software should be publicaly reviewable or it should be the sole choice of the creator.
You can always not comply and then not sell your product in Russia. I don't see what the problem is.
"Western" does not equal US.
They are requesting source code from products originating from any country not equal to Russia, essentially.
So apparently they only trust their own morals, if those.
They are requesting source code from products originating from any country not equal to Russia, essentially.
So apparently they only trust their own morals, if those.
Does the concept of security need to be connected to morality?
In an ideal world, yes. The OP injected morality in a sphere where it's usually not a primary concern. In an ideal world, the FBs and GOOGs would not profit off of user information, for example, but we do not live in that world so we kind of accept this quid pro quo.
And the Russians clearly don't have a desire to hack US systems, which of course is much easier if you can see the source code. The alternative of course is build your own products and don't buy anything from the US.
For a lot of software, Open Source solutions might be a workable alternative.
There's not fantastic "go so" solutions in every product category though. :/ Though, if enough US companies do decide not to do business with Russian, it might kickstart the filling-in of some the holes.
There's not fantastic "go so" solutions in every product category though. :/ Though, if enough US companies do decide not to do business with Russian, it might kickstart the filling-in of some the holes.
[deleted]
During a visit to Cisco's product security R&D division, I was told that Cisco already has a system in place for customers who want to check for backdoors.
Firstly, they provide customers with all internal documentation on every single device, component, and software. Secondly, if the customer is still sceptical, they invite a team to Cisco HQ. They provide the team with a closed-room environment containing all source code (including HDL) for inspection. The customer can also bring their own devices to test the outputs against that of the reference device they are inspecting.
So, in the case of Cisco, I'm not sure why this is news, since this system has been in place since the Snowden leak.
Firstly, they provide customers with all internal documentation on every single device, component, and software. Secondly, if the customer is still sceptical, they invite a team to Cisco HQ. They provide the team with a closed-room environment containing all source code (including HDL) for inspection. The customer can also bring their own devices to test the outputs against that of the reference device they are inspecting.
So, in the case of Cisco, I'm not sure why this is news, since this system has been in place since the Snowden leak.
One has to wonder who the customers this is setup to appease. If something is later found, corporate customers have litigation options - so more likely this is for nation-states.
Well, even for corporate customers, litigation will not wind back the clock and erase the compromised data the [insert 3 letter agency] already got ahold of.
> The US has shown time and time again that it has absolutely ZERO morals with regards to monitoring/spying/breaking security products at whim, when it suits us, and often even when it's a REALLY bad fucking idea and everybody knows it.
> Despite the clear slant in this article to associate this with more malicious goals... This is an ENTIRELY reasonable request.
So does Russia and China. And given the fact Russia launched a massive cyber attack against the voting system and the DNC, the purpose of the request is certainly offensive in nature regardless of the excuses made.
> Despite the clear slant in this article to associate this with more malicious goals... This is an ENTIRELY reasonable request.
So does Russia and China. And given the fact Russia launched a massive cyber attack against the voting system and the DNC, the purpose of the request is certainly offensive in nature regardless of the excuses made.
> And given the fact Russia launched a massive cyber attack against the voting system and the DNC
Sorry but this is pure speculation ( or fake news if you like the term ) by CNN, MSN and WaPo. Show the proof if you have any.
Sorry but this is pure speculation ( or fake news if you like the term ) by CNN, MSN and WaPo. Show the proof if you have any.
In addition to other commenters providing sources for this assertion, there is also the fact that Russia's current strategic doctrine is to disrupt and delegitimize governing institutions of rival states, and Russia considers pretty much everyone a rival. Moscow's operating assumption is that the current international stage is chaotic, resource-poor, and intensely competitive, such that sustainable cooperation between between major powers is not only unlikely, but also that attempts at development or stabilization of an international cooperative order would be potentially catastrophic.
This is to say: Russia has a powerful incentive to do everything up to and including manipulating foreign elections, but in the eyes of Putin it is sufficient to be seen to be manipulating foreign elections. Arguably, this has a greater effect on the capacities of his adversaries, because democratic systems don't really work without a general consensus that elections are legitimate. Russia does not want an alliance with a strong US and EU, they want no alliance with a greatly weakened US and EU.
This is to say: Russia has a powerful incentive to do everything up to and including manipulating foreign elections, but in the eyes of Putin it is sufficient to be seen to be manipulating foreign elections. Arguably, this has a greater effect on the capacities of his adversaries, because democratic systems don't really work without a general consensus that elections are legitimate. Russia does not want an alliance with a strong US and EU, they want no alliance with a greatly weakened US and EU.
Proof will likely never come and those news outlet sources are the intelligence experts saying so. All the intelligence experts say they cannot prove it, all except one group believed it was Russia. Comey was particularly vocal about it.
This is the kind of thing we might never get objective proof of, hacking is too easy to cover up or contract out. In cases like this where not acting could be detrimental and we already have an enemy we were acting against attributing malicious activities to them is reasonable. Trying to screw with your enemy's government's transitions of power is a common tactic at least since the early cold war.
If you had asked me 5 years ago when relations were better and before Putin got all Ukraine and Syria crazy, I would have said "I don't know, it is too premature to act". But right now Russia feels threatened by us and sees weakness in our elections this makes them hacking us fit too well. With that being as close to proof as we are likely to get it is the information we have to work with.
This is the kind of thing we might never get objective proof of, hacking is too easy to cover up or contract out. In cases like this where not acting could be detrimental and we already have an enemy we were acting against attributing malicious activities to them is reasonable. Trying to screw with your enemy's government's transitions of power is a common tactic at least since the early cold war.
If you had asked me 5 years ago when relations were better and before Putin got all Ukraine and Syria crazy, I would have said "I don't know, it is too premature to act". But right now Russia feels threatened by us and sees weakness in our elections this makes them hacking us fit too well. With that being as close to proof as we are likely to get it is the information we have to work with.
You have the speculators wrong, it's the assessment of the US intelligence community:
https://www.dni.gov/files/documents/ICA_2017_01.pdf
https://www.dni.gov/files/documents/ICA_2017_01.pdf
http://abcnews.go.com/US/russian-hackers-targeted-half-state...
"There's no doubt that some bad actors have been poking around," FBI Director James Comey told lawmakers Wednesday, without offering any more specifics.
He acknowledged there have been “some attempted intrusions at voter registration databases” since August, when the FBI issued a bulletin to state governments warning that hackers had infiltrated the Illinois State Board of Elections and tried to breach election systems in Arizona.
"There's no doubt that some bad actors have been poking around," FBI Director James Comey told lawmakers Wednesday, without offering any more specifics.
He acknowledged there have been “some attempted intrusions at voter registration databases” since August, when the FBI issued a bulletin to state governments warning that hackers had infiltrated the Illinois State Board of Elections and tried to breach election systems in Arizona.
There's plenty of actual non-classified evidence. See my comment up thread: https://news.ycombinator.com/item?id=14620389
> Sorry but this is pure speculation ( or fake news if you like the term ) by CNN, MSN and WaPo. Show the proof if you have any.
Are you kidding me? This has been known for months and is in declassified DNI reports.
https://www.dni.gov/files/documents/ICA_2017_01.pdf
> Cyber Espionage Against US Political Organizations.
> The General Staff Main Intelligence Directorate (GRU)probably began cyber operations aimed at the US election by March 2016. We assess that the GRU operations resulted in the compromise of the personal e-mail accounts of Democratic Party officials and political figures. By May, the GRU had exfiltrated large volumes of data from the DNC.
> Russia’s effort to influence the 2016 US presidential election represented a significant escalation in directness, level of activity, and scope of effort compared to previous operations aimed at US elections. We assess the 2016 influence campaign reflected the Kremlin’s recognition of the worldwide effects that mass disclosures of US Government and other private data such as those conducted by WikiLeaks and others have achieved in recent years, and their understanding of the value of orchestrating such disclosures to maximize the impact of compromising information.
> We assess Moscow will apply lessons learned from its campaign aimed at the US presidential election to future influence efforts in the United States and worldwide, including against US allies and their election processes. We assess the Russian intelligence services would have seen their election influence campaign as at least a qualified success because of their perceived ability to impact public discussion.
> Russian Cyber Intrusions Into State and Local Electoral Boards.Russian intelligence accessed elements of multiple state or local electoral boards. Since early 2014, Russian intelligence has researched US electoral processes and related technology and equipment.
> Public Disclosures of Russian Collected Data. > We assess with high confidence that the GRU used > the Guccifer 2.0 persona, DCLeaks.com, and WikiLeaks to release US victim data obtained in > cyber operations publicly and in exclusives to media outlets.
> Content that we assess was taken from e-mail accounts targeted by the GRU in March 2016 appeared on DCLeaks.com starting in June
Btw this is the GRU:
https://en.wikipedia.org/wiki/Main_Intelligence_Directorate
Are you kidding me? This has been known for months and is in declassified DNI reports.
https://www.dni.gov/files/documents/ICA_2017_01.pdf
> Cyber Espionage Against US Political Organizations.
> The General Staff Main Intelligence Directorate (GRU)probably began cyber operations aimed at the US election by March 2016. We assess that the GRU operations resulted in the compromise of the personal e-mail accounts of Democratic Party officials and political figures. By May, the GRU had exfiltrated large volumes of data from the DNC.
> Russia’s effort to influence the 2016 US presidential election represented a significant escalation in directness, level of activity, and scope of effort compared to previous operations aimed at US elections. We assess the 2016 influence campaign reflected the Kremlin’s recognition of the worldwide effects that mass disclosures of US Government and other private data such as those conducted by WikiLeaks and others have achieved in recent years, and their understanding of the value of orchestrating such disclosures to maximize the impact of compromising information.
> We assess Moscow will apply lessons learned from its campaign aimed at the US presidential election to future influence efforts in the United States and worldwide, including against US allies and their election processes. We assess the Russian intelligence services would have seen their election influence campaign as at least a qualified success because of their perceived ability to impact public discussion.
> Russian Cyber Intrusions Into State and Local Electoral Boards.Russian intelligence accessed elements of multiple state or local electoral boards. Since early 2014, Russian intelligence has researched US electoral processes and related technology and equipment.
> Public Disclosures of Russian Collected Data. > We assess with high confidence that the GRU used > the Guccifer 2.0 persona, DCLeaks.com, and WikiLeaks to release US victim data obtained in > cyber operations publicly and in exclusives to media outlets.
> Content that we assess was taken from e-mail accounts targeted by the GRU in March 2016 appeared on DCLeaks.com starting in June
Btw this is the GRU:
https://en.wikipedia.org/wiki/Main_Intelligence_Directorate
Pardon me, but this is not a satisfying answer to the request "show me the proof". Unless I am missing something, the paragraphs you cite are conclusions made by some authority bodies - based on evidence, perhaps, but without any demonstration of the process how such conclusions have been arrived at or of the evidence itself. Which makes these statements not independently verifyable. They can not therefore be regarded as proof - merely as an opinion.
> Pardon me, but this is not a satisfying answer to the request "show me the proof". Unless I am missing something, the paragraphs you cite are conclusions made by some authority bodies - based on evidence, perhaps, but without any demonstration of the process how such conclusions have been arrived at or of the evidence itself. Which makes these statements not independently verifyable. They can not therefore be regarded as proof - merely as an opinion.
As you are a Russian, please provide me access to the GRU's classified intelligence and I'll happily enlighten you on what you want to know.
No?
Well, how delightfully odd that you cannot provide that information. It is almost as if intelligence gathering and the related evidence is frequently kept secret to protect methodology/sources while the end result of that intelligence is all that is made public for decades.
I'm curious, can you say anything negative about Putin in relation to his human rights violations?
http://www.independent.co.uk/news/world/europe/russia-ukrain...
https://qz.com/336047/an-appalling-list-of-human-rights-abus...
http://thehill.com/blogs/pundits-blog/international-affairs/...
https://www.hrw.org/world-report/2017/country-chapters/russi...
As you are a Russian, please provide me access to the GRU's classified intelligence and I'll happily enlighten you on what you want to know.
No?
Well, how delightfully odd that you cannot provide that information. It is almost as if intelligence gathering and the related evidence is frequently kept secret to protect methodology/sources while the end result of that intelligence is all that is made public for decades.
I'm curious, can you say anything negative about Putin in relation to his human rights violations?
http://www.independent.co.uk/news/world/europe/russia-ukrain...
https://qz.com/336047/an-appalling-list-of-human-rights-abus...
http://thehill.com/blogs/pundits-blog/international-affairs/...
https://www.hrw.org/world-report/2017/country-chapters/russi...
> As you are a Russian, please provide me access to the GRU's classified intelligence and I'll happily enlighten you on what you want to know.
This is wrong (I mean not morally wrong, but rhetorically, or logically wrong) on so many levels that I don't even know how to begin. I guess I'll just leave it at that.
I totally agree with your point about intelligence being kept secret. Sadly, this is indeed the case. I do not invite US secret services to reveal their sources. I am only saying that if they choose to keep evidence secret, it is not reasonable then to expect people to believe them. In absence of evidence, there is no way of knowing whether you are being told truth, or deliberate lie, or anything in between. Like someone else in the comment above said, this is essentially a matter of trust. And frankly, secret services do not deserve our blind trust (no-one does, but especially not them, because misinformation is, by definition, part of their trade).
Let me be clear: I am not here to defend Russia, or Putin (I am sick and tired of our ossified, unchangeable government, but I prefer not to think about them too much; they are disgusting, like many other politicians, perhaps much more so). I am only trying to defend reason, and critical thinking, and the importance of making valid arguments.
This is wrong (I mean not morally wrong, but rhetorically, or logically wrong) on so many levels that I don't even know how to begin. I guess I'll just leave it at that.
I totally agree with your point about intelligence being kept secret. Sadly, this is indeed the case. I do not invite US secret services to reveal their sources. I am only saying that if they choose to keep evidence secret, it is not reasonable then to expect people to believe them. In absence of evidence, there is no way of knowing whether you are being told truth, or deliberate lie, or anything in between. Like someone else in the comment above said, this is essentially a matter of trust. And frankly, secret services do not deserve our blind trust (no-one does, but especially not them, because misinformation is, by definition, part of their trade).
Let me be clear: I am not here to defend Russia, or Putin (I am sick and tired of our ossified, unchangeable government, but I prefer not to think about them too much; they are disgusting, like many other politicians, perhaps much more so). I am only trying to defend reason, and critical thinking, and the importance of making valid arguments.
> Let me be clear: I am not here to defend Russia, or Putin (I am sick and tired of our ossified, unchangeable government, but I prefer not to think about them too much; they are disgusting, like many other politicians, perhaps much more so). I am only trying to defend reason, and critical thinking, and the importance of making valid arguments.
And yet, the only time you demand proof is related to Russia and your account was inactive for over a month before that. You protest and deflect far too much for me to believe you are genuine.
Sorry.
> I totally agree with your point about intelligence being kept secret. Sadly, this is indeed the case. I do not invite US secret services to reveal their sources. I am only saying that if they choose to keep evidence secret, it is not reasonable then to expect people to believe them. In absence of evidence, there is no way of knowing whether you are being told truth, or deliberate lie, or anything in between. Like someone else in the comment above said, this is essentially a matter of trust. And frankly, secret services do not deserve our blind trust (no-one does, but especially not them, because misinformation is, by definition, part of their trade).
It isn't blind trust. Russia has an established pattern of behavior of such meddling in countries like Georgia, Ukraine, etc. as well.
http://www.nbcnews.com/storyline/hacking-in-america/timeline...
> May 2014: Three days before Ukraine’s presidential election, a Russia-based hacking group, took down the country’s election commission in an overnight attack. Even a back-up system was taken down, but Ukrainian computer experts were able to restore the system before election day. Ukrainian police say they arrested hackers who were trying to rig the results. The attack was aimed at creating chaos and hurting the nationalist candidate while helping the pro-Russian candidate. Russia’s preferred candidate lost.
> May 2015: German investigators discovered hackers had penetrated the computer network of the German Bundestag, the most significant hack in German history. The BfV, German’s domestic intelligence service, later said Russia was behind the attack and that they were seeking information not just on the workings of the Bundestag, but German leaders and NATO, among others. Security experts said hackers were trying to penetrate the computers of Chancellor Angela Merkel’s Christian Democratic party.
> December 2016: Earlier this month, BfV head Hans-Georg Maasen warned "There is growing evidence of attempts to influence the federal election next year," referring to German parliamentary elections likely to take place in September 2017. Maasen specifically cited Russia as the source of the attacks, adding, "We expect a further increase in cyber attacks in the run-up to the elections." Experts believe the Russians are trying to damage incumbent Chancellor Merkel, who supported sanctions against Putin’s personal associates after Russia annexed Crimea.
Are you saying the entire Western world is engaged in a conspiracy to blame Russia for cyber attacks against multiple countries, some of which include elections?
Because, either this conspiracy exists or the fact that Ukraine, Germany, US, etc. all come to the same conclusion is based on actual evidence.
And yet, the only time you demand proof is related to Russia and your account was inactive for over a month before that. You protest and deflect far too much for me to believe you are genuine.
Sorry.
> I totally agree with your point about intelligence being kept secret. Sadly, this is indeed the case. I do not invite US secret services to reveal their sources. I am only saying that if they choose to keep evidence secret, it is not reasonable then to expect people to believe them. In absence of evidence, there is no way of knowing whether you are being told truth, or deliberate lie, or anything in between. Like someone else in the comment above said, this is essentially a matter of trust. And frankly, secret services do not deserve our blind trust (no-one does, but especially not them, because misinformation is, by definition, part of their trade).
It isn't blind trust. Russia has an established pattern of behavior of such meddling in countries like Georgia, Ukraine, etc. as well.
http://www.nbcnews.com/storyline/hacking-in-america/timeline...
> May 2014: Three days before Ukraine’s presidential election, a Russia-based hacking group, took down the country’s election commission in an overnight attack. Even a back-up system was taken down, but Ukrainian computer experts were able to restore the system before election day. Ukrainian police say they arrested hackers who were trying to rig the results. The attack was aimed at creating chaos and hurting the nationalist candidate while helping the pro-Russian candidate. Russia’s preferred candidate lost.
> May 2015: German investigators discovered hackers had penetrated the computer network of the German Bundestag, the most significant hack in German history. The BfV, German’s domestic intelligence service, later said Russia was behind the attack and that they were seeking information not just on the workings of the Bundestag, but German leaders and NATO, among others. Security experts said hackers were trying to penetrate the computers of Chancellor Angela Merkel’s Christian Democratic party.
> December 2016: Earlier this month, BfV head Hans-Georg Maasen warned "There is growing evidence of attempts to influence the federal election next year," referring to German parliamentary elections likely to take place in September 2017. Maasen specifically cited Russia as the source of the attacks, adding, "We expect a further increase in cyber attacks in the run-up to the elections." Experts believe the Russians are trying to damage incumbent Chancellor Merkel, who supported sanctions against Putin’s personal associates after Russia annexed Crimea.
Are you saying the entire Western world is engaged in a conspiracy to blame Russia for cyber attacks against multiple countries, some of which include elections?
Because, either this conspiracy exists or the fact that Ukraine, Germany, US, etc. all come to the same conclusion is based on actual evidence.
Depending on how the intelligence services determined it was Russia behind the attacks, it might not be very hard for a single country to masquerade as Russia to achieve their own political goals. It doesn't need to be a multi-nation conspiracy.
Taking the tinfoil off, Russia is probably behind the attacks but espionage is all about using misinformation; so who knows. Without the methodology behind how they've determined Russia was behind those attacks, we can never know.
Taking the tinfoil off, Russia is probably behind the attacks but espionage is all about using misinformation; so who knows. Without the methodology behind how they've determined Russia was behind those attacks, we can never know.
> Depending on how the intelligence services determined it was Russia behind the attacks, it might not be very hard for a single country to masquerade as Russia to achieve their own political goals. It doesn't need to be a multi-nation conspiracy.
> Taking the tinfoil off, Russia is probably behind the attacks but espionage is all about using misinformation; so who knows. Without the methodology behind how they've determined Russia was behind those attacks, we can never know.
What would be the purpose in launching a cyberattack against Ukraine followed by essentially an invasion by another nation?
Who would benefit from Trump's election with nation-state like capability? Russia.
Who wouldn't benefit? Literally everyone else.
But sure, give me an alternative narrative that makes any kind of sense under your theory. I suspect you'll go with the China/TPP angle since its anything else. The problem with that is Clinton was also willing to drop the TPP. There isn't any other nation state with anything resembling a motive AND the capability.
EDIT due to rate limits:
> Do you know what the Russian defense was? It was the "who would benefit" argument.
Whatboutism. Thank you.
I'm well aware of what their defense was.
That doesn't change the fact this isn't one incident but a 10+ year pattern of behavior.
EDIT again:
> I have no political leanings, I'm neither American or Russian. Your biases are showing, w.r.t your hatred of Trump and your unfounded claim/assumption that Russia would benefit from a Trump presidency.
> Why does it matter so much who leaked the emails, rather than the content of them? If the DNC has nothing to hide...
1) That wasn't the only thing I mentioned. A list of war-like acts by a foreign nation isn't a partisan issue. (i.e. interfering with domestic elections is a war-like act)
2) Rather than meeting a challenge you know is impossible to meet (because there isn't an alternative villain that meets the scenario you propose) you chose to focus on attacking me. Cute but ultimately irrelevant.
3) Thank you for admitting the best defense you could compose was "WELL YOU ARE A DEMONRAT!" which is odd for a "Canadian". Good day.
4) As for the benefits, Trump wants to be friendly with Putin, keep NATO at arm's length, drop sanctions, etc. Its absurd to argue you he isn't a pro-Russian president.
> Taking the tinfoil off, Russia is probably behind the attacks but espionage is all about using misinformation; so who knows. Without the methodology behind how they've determined Russia was behind those attacks, we can never know.
What would be the purpose in launching a cyberattack against Ukraine followed by essentially an invasion by another nation?
Who would benefit from Trump's election with nation-state like capability? Russia.
Who wouldn't benefit? Literally everyone else.
But sure, give me an alternative narrative that makes any kind of sense under your theory. I suspect you'll go with the China/TPP angle since its anything else. The problem with that is Clinton was also willing to drop the TPP. There isn't any other nation state with anything resembling a motive AND the capability.
EDIT due to rate limits:
> Do you know what the Russian defense was? It was the "who would benefit" argument.
Whatboutism. Thank you.
I'm well aware of what their defense was.
That doesn't change the fact this isn't one incident but a 10+ year pattern of behavior.
EDIT again:
> I have no political leanings, I'm neither American or Russian. Your biases are showing, w.r.t your hatred of Trump and your unfounded claim/assumption that Russia would benefit from a Trump presidency.
> Why does it matter so much who leaked the emails, rather than the content of them? If the DNC has nothing to hide...
1) That wasn't the only thing I mentioned. A list of war-like acts by a foreign nation isn't a partisan issue. (i.e. interfering with domestic elections is a war-like act)
2) Rather than meeting a challenge you know is impossible to meet (because there isn't an alternative villain that meets the scenario you propose) you chose to focus on attacking me. Cute but ultimately irrelevant.
3) Thank you for admitting the best defense you could compose was "WELL YOU ARE A DEMONRAT!" which is odd for a "Canadian". Good day.
4) As for the benefits, Trump wants to be friendly with Putin, keep NATO at arm's length, drop sanctions, etc. Its absurd to argue you he isn't a pro-Russian president.
> Who would benefit...
Remember the downing of Malaysia Airlines Flight MH17 over the Eastern Ukraine in 2014?
Do you know what the Russian defense was? It was the "who would benefit" argument. Who would benefit from shooting down that plane, they asked? Why, the Ukrainians, of course — they would show the rest of the world what vicious monsters the pro-Russian separatists and their Russian overlords are. Who wouldn't benefit? Why, Russia of course! Don't you see, they said, what an outrageous provocation that is?
Well, as the time went by, it became almost certain that the plane was shot down by a Buk missile launcher, probably manned by a Russian crew, that had crossed the Russian-Ukrainian border some time before.
Incidentally, for that particular case we have a pretty convincing body of evidence. I encourage everyone to look at that particular incident and at the investigation that followed as an example of arguing a case.
Remember the downing of Malaysia Airlines Flight MH17 over the Eastern Ukraine in 2014?
Do you know what the Russian defense was? It was the "who would benefit" argument. Who would benefit from shooting down that plane, they asked? Why, the Ukrainians, of course — they would show the rest of the world what vicious monsters the pro-Russian separatists and their Russian overlords are. Who wouldn't benefit? Why, Russia of course! Don't you see, they said, what an outrageous provocation that is?
Well, as the time went by, it became almost certain that the plane was shot down by a Buk missile launcher, probably manned by a Russian crew, that had crossed the Russian-Ukrainian border some time before.
Incidentally, for that particular case we have a pretty convincing body of evidence. I encourage everyone to look at that particular incident and at the investigation that followed as an example of arguing a case.
> Do you know what the Russian defense was? It was the "who would benefit" argument.
> Whatboutism. Thank you.
I am sorry, but this is not a whataboutism (a logical fallacy so widespread that it is treated at length in Wikipedia). It is an illustration of the weakness of the _cui bono_ argument.
> Whatboutism. Thank you.
I am sorry, but this is not a whataboutism (a logical fallacy so widespread that it is treated at length in Wikipedia). It is an illustration of the weakness of the _cui bono_ argument.
I have no political leanings, I'm neither American or Russian. Your biases are showing, w.r.t your hatred of Trump and your unfounded claim/assumption that Russia would benefit from a Trump presidency.
The irony is that if a Chelsea Manning/Edward Snowden character leaked the DNC emails people would be praising them for exposing the shitshow that was going on behind the scenes.
It kind of takes the heat off of the Dems, it wasn't them who were tampering with the election (which they were); it was the Russians!
Why does it matter so much who leaked the emails, rather than the content of them? If the DNC has nothing to hide...
The irony is that if a Chelsea Manning/Edward Snowden character leaked the DNC emails people would be praising them for exposing the shitshow that was going on behind the scenes.
It kind of takes the heat off of the Dems, it wasn't them who were tampering with the election (which they were); it was the Russians!
Why does it matter so much who leaked the emails, rather than the content of them? If the DNC has nothing to hide...
> And yet, the only time you demand proof is related to Russia and your account was inactive for over a month before that. You protest and deflect far too much for me to believe you are genuine.
> Sorry.
It's funny. We don't know each other; yet you actually had enough interest in me as a person (not in my words related to this particular discussion) to examine my commenting history at Hacker News and to come to a conclusion. Which is based on circumstantial evidence (my commenting history). And which — whatever opinion you may have formed of me — is most likely wrong.
As a programmer (not a very experienced one), I've been reading Hacker News for quite some time. I have always found discussions here interesting and instructive, unlike on any other internet forum that I know of. I have never had a reason to jump in and leave a comment until I saw someone's criticism of someone else's example of functional programming, which sounded to me laughably wrong. This is when I decided to actually register and leave a comment to that person. I just couldn't resist.
And then, a day later, I saw a very similar discussion about Russia hacking the U.S. elections. I had been following the analysis of this story in the U.S. media since the story broke out. I have been annoyed by how easily this story got woven into the mainstream narrative; how easily the stories about DNC hacks, Podesta emails, and Wikileaks became to be regarded as acts of aggression of one country against another. I was dumbstruck by how easily political motivations of making Russia (which is not a lamb, by any standard) into a scapegoat get overlooked (believe you me, our media has a very similar tendency of blaming various events, including the Ukranian revolution of 2014, on the U.S.). That's why when I saw a comment of an intelligent human being that expressed an idea that so much irked me, I left mine. That people see it as evidence of my hidden motives, is both sad and amusing at the same time.
I am not qualified to talk about Georgia, or Ukraine, or Germany. I am not following their news. I do not follow Russian news, for that matter, either (they are depressing and sickening). I am not saying that Russia is innocent of anything, and that the whole world is in conspiracy against it. I simply do not know. I am only focusing here on the recent story regarding the U.S. elections, and on the quality of arguments surrounding it.
P.S.: > And yet, the only time you demand proof...
I was not even demanding proof :-) I was merely pointing out that the document you quoted cannot be regarded as such.
> Sorry.
It's funny. We don't know each other; yet you actually had enough interest in me as a person (not in my words related to this particular discussion) to examine my commenting history at Hacker News and to come to a conclusion. Which is based on circumstantial evidence (my commenting history). And which — whatever opinion you may have formed of me — is most likely wrong.
As a programmer (not a very experienced one), I've been reading Hacker News for quite some time. I have always found discussions here interesting and instructive, unlike on any other internet forum that I know of. I have never had a reason to jump in and leave a comment until I saw someone's criticism of someone else's example of functional programming, which sounded to me laughably wrong. This is when I decided to actually register and leave a comment to that person. I just couldn't resist.
And then, a day later, I saw a very similar discussion about Russia hacking the U.S. elections. I had been following the analysis of this story in the U.S. media since the story broke out. I have been annoyed by how easily this story got woven into the mainstream narrative; how easily the stories about DNC hacks, Podesta emails, and Wikileaks became to be regarded as acts of aggression of one country against another. I was dumbstruck by how easily political motivations of making Russia (which is not a lamb, by any standard) into a scapegoat get overlooked (believe you me, our media has a very similar tendency of blaming various events, including the Ukranian revolution of 2014, on the U.S.). That's why when I saw a comment of an intelligent human being that expressed an idea that so much irked me, I left mine. That people see it as evidence of my hidden motives, is both sad and amusing at the same time.
I am not qualified to talk about Georgia, or Ukraine, or Germany. I am not following their news. I do not follow Russian news, for that matter, either (they are depressing and sickening). I am not saying that Russia is innocent of anything, and that the whole world is in conspiracy against it. I simply do not know. I am only focusing here on the recent story regarding the U.S. elections, and on the quality of arguments surrounding it.
P.S.: > And yet, the only time you demand proof...
I was not even demanding proof :-) I was merely pointing out that the document you quoted cannot be regarded as such.
[deleted]
[deleted]
It's reasonable of them to be suspicious of our software and want to review it.
It's reasonable of us to be suspicious of ulterior motives.
Modern day mexican standoff.
It's reasonable of us to be suspicious of ulterior motives.
Modern day mexican standoff.
The request is pointless for that purpose. Unless a government is using the source code to create their own trusted builds using an environment under their control then there is no guarantee that a particular set of source code has any bearing on the compiled product image.
...And you've largely been made aware of these things (and not similar things being done by the FSB) because Russian affiliated individuals have told you so.
The affairs of state are never moral.
The affairs of state are never moral.
All that is true, but the same is true of the eastern bloc, and they laughed at the thought for the same request.
Kaspersky comes to mind.
Kaspersky comes to mind.
Governments are not moral. It's not really even a concept that applies. And to single the US out for this kind of stuff is kind of silly. Every country with the means to do so spies on other countries.
http://www.spiegel.de/international/germany/german-intellige...
http://www.spiegel.de/international/germany/german-intellige...
Yeah, let's just completely ignore WHO is making that request.
> The companies say they only allow Russia to review their source code in secure facilities that prevent code from being copied or altered.
So how do the Russians know that the code they see is the one generating the binaries sold in Russia? This is where reproducible builds would help, but without source code it's hopeless. They should at least build the product inthe lab, make sha1 of every file and check if they match with the ones on sale. But then there would be an inspection before every release and patch.
So how do the Russians know that the code they see is the one generating the binaries sold in Russia? This is where reproducible builds would help, but without source code it's hopeless. They should at least build the product inthe lab, make sha1 of every file and check if they match with the ones on sale. But then there would be an inspection before every release and patch.
So how do the Russians know that the code they see is the one generating the binaries sold in Russia?
Maybe this is more about training and retaining Russian tech talent, creating friction for foreign vendors, and spreading a proto-fascist FUD and distrust of governments all over the world.
Because yes, I would think inspecting binaries (probably secretly) would be more productive in pursuit of the stated goal.
Maybe this is more about training and retaining Russian tech talent, creating friction for foreign vendors, and spreading a proto-fascist FUD and distrust of governments all over the world.
Because yes, I would think inspecting binaries (probably secretly) would be more productive in pursuit of the stated goal.
You build binaries and make sure SHA1 matches. Obviously malicious vendor can have custom compiler that inserts backdoor code during compilation and obfuscated stuff like that but it dramatically increases complexity and number of engineers who have to know about backdoor. Realistically most companies are not CIA and are not set up for this kind of ops. Essentially it makes it much more risky for company to insert backdoor and gives more incentives for pushing against NSA/etc.
The stated goal of these inspections may not be the actual goal - from the article's third paragraph:
"But those inspections also provide the Russians an opportunity to find vulnerabilities in the products' source code - instructions that control the basic operations of computer equipment - current and former U.S. officials and security experts said."
"But those inspections also provide the Russians an opportunity to find vulnerabilities in the products' source code - instructions that control the basic operations of computer equipment - current and former U.S. officials and security experts said."
At least half the point is checking whether the source code is total crap. Detecting intentional, malicious backdoors is a lot more difficult, but the threat of a static analysis tool finding something is probably enough to keep vendors in line.
[deleted]
Is this really surprising? Most big/old corporations already require the same level of scrutiny when auditing a new piece of security software, so it really isn't that shocking to hear of a _government_ requesting the same thing.
Hell, most corporations require high scrutiny for _any_ software, let alone security software.
Hell, most corporations require high scrutiny for _any_ software, let alone security software.
I'm reminded of Microsoft giving access to source code to certain clients for code review:
"Microsoft lets EU governments inspect source code for security issues" [2015]: http://www.pcworld.com/article/2931212/microsoft-lets-eu-gov...
https://www.microsoft.com/en-us/sharedsource/
I wonder how people think you get military clients without allowing deep inspection of the product? Oh, yeah, sure just hook your "super secure, rushed-to-market black box" on the same network as our cruise missile targeting systems. We trust you.
"Microsoft lets EU governments inspect source code for security issues" [2015]: http://www.pcworld.com/article/2931212/microsoft-lets-eu-gov...
https://www.microsoft.com/en-us/sharedsource/
I wonder how people think you get military clients without allowing deep inspection of the product? Oh, yeah, sure just hook your "super secure, rushed-to-market black box" on the same network as our cruise missile targeting systems. We trust you.
It's surprising to the people here. If this were a forum for tech workers for banks and defense contractors it would be a different story.
I worked with an international shipping insurance company for a little while as a QA tester (contracted). They required almost this level of scrutiny for just testing software.
I find it funny that they are afraid to show the code because it might lead to hacks, as if there were intentional bugs in the code that can be abused.
If your product contains bugs it is up to you to fix them. If some "Russian hackers" can find them by looking at the code in a clean lab but you can't, well, you aren't supposed to be in this business.
If your product contains bugs it is up to you to fix them. If some "Russian hackers" can find them by looking at the code in a clean lab but you can't, well, you aren't supposed to be in this business.
I wouldn't consider a security product unless it came with full source.
I wouldn't consider a security product secure unless it was compiled from the source code by oneself.
This is security Inception. There have been many PoCs for compilers and linkers being modified to then insert backdoors into compiled/linked output.
At some point you have to trust your toolchain.
At some point you have to trust your toolchain.
You're referring to the Thompson hack:
https://dl.acm.org/citation.cfm?id=358210
The system needs to be bootstrapped in such a way that the compiler can be trusted. This may include compiling e.g. gcc through a multi-stage process starting from a simple, easily-audited compiler with a small set of features and working your way up to a full-featured C compiler. It might mean double-compilation---comparing output from multiple compilers.
Combining that with reproducible builds, you can (one day) trust your toolchain and your system. Hardware is another story.
https://reproducible-builds.org/events/athens2015/bootstrapp...
Hopefully this will be all sorted out and standard practice in the near future.
https://dl.acm.org/citation.cfm?id=358210
The system needs to be bootstrapped in such a way that the compiler can be trusted. This may include compiling e.g. gcc through a multi-stage process starting from a simple, easily-audited compiler with a small set of features and working your way up to a full-featured C compiler. It might mean double-compilation---comparing output from multiple compilers.
Combining that with reproducible builds, you can (one day) trust your toolchain and your system. Hardware is another story.
https://reproducible-builds.org/events/athens2015/bootstrapp...
Hopefully this will be all sorted out and standard practice in the near future.
Unless it's bit-for-bit reproducible.
With regards to opinions on whether or not specific entities like Russia should be permitted to examine source code: we can also consider the Apple v. FBI case.
For those who don't recall, one of the concerns was the government trying to compel Apple to make changes to iOS to permit brute forcing the San Bernardino attacker's PIN. This is a violation of First Amendment rights (compelled speech), so this drew a lot of opposition, including from people that are part of free software and open source communities. The alternative was to have the FBI make changes to the software instead of compelling Apple to do so.
For those who agree with the free software philosophy, it's important to remove consideration of _who_ is trying to exercise the four freedoms. In the case of the FBI, from a free software perspective, of course they should be able to modify the software---we believe that all software should be free. (But that doesn't mean they should be able to install it on _someone else's_ device.)
In this case, Russia doesn't have to ask to examine free software. And if they did, it shouldn't be a concern. Restricting who can use and examine software is a slippery slope:
https://www.gnu.org/philosophy/programs-must-not-limit-freed...
But not all software is free/libre. But by extending that philosophy---there would be no _ethical_ concerns with a foreign power wanting to inspect proprietary source code. But proprietary software might have something of concern to hide: it might be something malicious like a backdoor, or it might be something like a lack of security or poor development practices.
For those who don't recall, one of the concerns was the government trying to compel Apple to make changes to iOS to permit brute forcing the San Bernardino attacker's PIN. This is a violation of First Amendment rights (compelled speech), so this drew a lot of opposition, including from people that are part of free software and open source communities. The alternative was to have the FBI make changes to the software instead of compelling Apple to do so.
For those who agree with the free software philosophy, it's important to remove consideration of _who_ is trying to exercise the four freedoms. In the case of the FBI, from a free software perspective, of course they should be able to modify the software---we believe that all software should be free. (But that doesn't mean they should be able to install it on _someone else's_ device.)
In this case, Russia doesn't have to ask to examine free software. And if they did, it shouldn't be a concern. Restricting who can use and examine software is a slippery slope:
https://www.gnu.org/philosophy/programs-must-not-limit-freed...
But not all software is free/libre. But by extending that philosophy---there would be no _ethical_ concerns with a foreign power wanting to inspect proprietary source code. But proprietary software might have something of concern to hide: it might be something malicious like a backdoor, or it might be something like a lack of security or poor development practices.
I find it rather revealing how much weight is given to the concerns of the tech firms, while entirely ignoring the concerns of consumers that run closed code, and are at the mercy of Intel and AMD's management engines, and the reported cases of backdoored routers, smart TV's sending your filenames back to HQ, cars and appliances with regulatory defeat devices, etc.
The negative spin put on asking to know how our devices work, and what they do, is frankly disgusting.
Edit: Is posting identical comments in identical submissions, where one submission is upvoted and the other buried, not allowed? What should one do instead, if one's opinion on the story hasn't changed?
The negative spin put on asking to know how our devices work, and what they do, is frankly disgusting.
Edit: Is posting identical comments in identical submissions, where one submission is upvoted and the other buried, not allowed? What should one do instead, if one's opinion on the story hasn't changed?
Does that also happen with, say, German or French governments? Or US government? What about the Chinese?
Do they not ask to review source code of the tools they buy and use?
Do they not ask to review source code of the tools they buy and use?
I've seen "merely" large corporations, let alone governments, insist on root access to boxes customers are not normally given shell access to at all, for auditing purposes. To answer the implicit question, no, I don't think this is really all that abnormal, it's just that even many HN denizens may not be aware that this sort of thing happens more often than they realize.
The idea that they're doing it to develop backdoors is at least sort of silly, on the grounds that they are perfectly capable of dumping the firmware of these boxes once they import one and developing exploits against the actual image. In fact, that's not even a "nation-state" level of capability, there are plenty of individuals who can and do accomplish that for merely "bug bounty" money. Given the restrictions they have at looking at the source code it's not clear to me that it's going to be much easier for them than just doing it based on firmware dumps.
The idea that they're doing it to develop backdoors is at least sort of silly, on the grounds that they are perfectly capable of dumping the firmware of these boxes once they import one and developing exploits against the actual image. In fact, that's not even a "nation-state" level of capability, there are plenty of individuals who can and do accomplish that for merely "bug bounty" money. Given the restrictions they have at looking at the source code it's not clear to me that it's going to be much easier for them than just doing it based on firmware dumps.
A counter example is the F35 -- it is a fighter that is hugely contingent upon its software, but the US has denied partners (the people who also cofunded development) access to it. Given that software controls everything, that should invalidate it as an option for any other military at the outset.
Not everyone else can build something equivalent. That leaves them two options: Trust the hidden software, or fly inferior planes. It's not clear which one is the correct answer.
Defo the UK and US does
[deleted]
It's a natural consequence of the US trying to bug / backdoor hardware. A plain 2nd order effect.
Seems more like a natural evolution of the digital landscape. The US certainly doesn't have a monopoly on covertly compromising hardware/software. Considering China, Israel, and Russia's posture, the US would be laggards at this point if they weren't doing it.
It would be good if anyone could review the source code of any program they are using.
I am curious what it would take to make a law prohibiting the sale of software without source code and build scripts.
Some would fight it tooth and nail, but it would be better for society. It would be end the idea of selling prepackaged software, but it would end whole categories of viruses and malware.
Some would fight it tooth and nail, but it would be better for society. It would be end the idea of selling prepackaged software, but it would end whole categories of viruses and malware.
I wonder how much the author was involved with actual tests. My guess is that it was exactly zero.
I was heading the team overseeing these tests for a large western European company.
The reviews are done on the customer's company computers, with no access to network. After that the Russians only get a hash of the binary compiled with the reviewed code, that's all. They then compare this hash to the sw they get (on firmware for instance) to make sure that it comes from the code they reviewed.
I am paranoid but this is a very reasonable requirement we do not, unfortunately, normally have in Europe for "friendly" software coming from "friend" US companies (and probably vice versa but I do not care that way). Snowden proved that the BFF approach does not work.
I was heading the team overseeing these tests for a large western European company.
The reviews are done on the customer's company computers, with no access to network. After that the Russians only get a hash of the binary compiled with the reviewed code, that's all. They then compare this hash to the sw they get (on firmware for instance) to make sure that it comes from the code they reviewed.
I am paranoid but this is a very reasonable requirement we do not, unfortunately, normally have in Europe for "friendly" software coming from "friend" US companies (and probably vice versa but I do not care that way). Snowden proved that the BFF approach does not work.
> But those inspections also provide the Russians an opportunity to find vulnerabilities in the products' source code -
this is the biggest part of the article. If the Russians are trying to hack US govt/corps/people its really helpful to have the US security companies show how they check.
this is the biggest part of the article. If the Russians are trying to hack US govt/corps/people its really helpful to have the US security companies show how they check.
[deleted]
Some specialists, if you have time, please explain me in few words, why they can't just disassemble products they need to check?
After code is written it goes through a compilation step that makes it easier for machines to read and harder for humans to understand.
Think of the index of a reference book. Where every pertinent word is listed along with a page number. Imagine you wanted to read a complicated and meaniful book like Tolstoy or Kafka and really understand it. Walk away with a sense of exactly what it meant. To gain that understanding you only have an index and you had to reconstruct the book's meaning from there. Technically you can, but it is massively more difficult.
Edit: A more accurate analogy would be that you aren't even given an index of words, but an index of phonetic sounds that you have to piece together to create words.
Think of the index of a reference book. Where every pertinent word is listed along with a page number. Imagine you wanted to read a complicated and meaniful book like Tolstoy or Kafka and really understand it. Walk away with a sense of exactly what it meant. To gain that understanding you only have an index and you had to reconstruct the book's meaning from there. Technically you can, but it is massively more difficult.
Edit: A more accurate analogy would be that you aren't even given an index of words, but an index of phonetic sounds that you have to piece together to create words.
It would be substantially more expensive to audit the assembly and verify its security
The more slow-moving government will get involved, the more industry will be pulled towards open source where there is no need to get government approval.
Sure - it won't be easy and will come with other pitfalls, but in some circumstances these may be easier hurdle than waiting months/years for some government to approve your product sale.
Sure - it won't be easy and will come with other pitfalls, but in some circumstances these may be easier hurdle than waiting months/years for some government to approve your product sale.
How many people here use Kaspersky privately or at work?
The US has shown time and time again that it has absolutely ZERO morals with regards to monitoring/spying/breaking security products at whim, when it suits us, and often even when it's a REALLY bad fucking idea and everybody knows it.