IN WORRISOME MOVE, KASPERSKY AGREES TO TURN OVER SOURCE CODE TO THE US GOVERNMENT
Rhett Jones
July 2 2017
Over the last couple of weeks, there’s been a disturbing trend of governments demanding that private tech companies share their source code if they want to do business. Now, the US government is giving the same ultimatum and it’s getting what it wants.
On Sunday, the CEO of security firm Kaspersky Labs, Eugene Kaspersky, told the Associated Press that he’s willing to show the US government his company’s source code. “Anything I can do to prove that we don’t behave maliciously I will do it,” Kaspersky said while insisting that he’s open to testifying before Congress as well.
Jeanne Shaheen, a New Hampshire Democrat, tells ABC News that there is “a consensus in Congress and among administration officials that Kaspersky Lab cannot be trusted to protect critical infrastructure.”
The fears follow years of suspicion from the FBI that Kaspersky Labs is too close to the Russian government. The company is based in Russia but has worked with both Moscow and the FBI in the past, often serving as a go-between to help the two governments cooperate. “As a private company, Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyber-espionage efforts,” an official statement from Kaspersky Labs reads.
The proposal prompted an official response from Russian Communications Minister Nikolay Nikiforov. He warned that any “unilateral political sanctions” would prompt retaliation from Russia. He emphasized that his government uses “a huge proportion of American software and hardware solutions in the IT sphere, even in very sensitive areas.”
* The fight over source code comes at a moment when Americans are deeply distrustful of the Russian government. The Russians’ alleged involvement in the hacking of the 2016 election combined with numerous suspicious ties to our president’s campaign has everyone on edge. But setting the precedent of gaining trust through source code access is dangerous, as is capitulating to those demands.
*(The daily morning BS report as told by the American MSM.)
Russia has been making the same requests of private companies recently. Major technology companies like Cisco, IBM, Hewlett Packard Enterprise, McAfee, and SAP have agreed to give the Russian government access to “code for security products such as firewalls, anti-virus applications and software containing encryption,” according to Reuters.
Security firm Symantec pointedly refused to cooperate with Russian demands last week. “It poses a risk to the integrity of our products that we are not willing to accept,” a Symantec spokesperson said in a statement.
The risks are the same whether it’s the US or Russia being given access to source code. It gives these governments an opportunity to locate security vulnerabilities that they might not be able to find otherwise.
Obviously, Russia has been accused of numerous cyberattacks lately, including the Yahoo email breach and the hacking of the DNC. (AMERICA - LOOK FIRST AT THE ACCUSERS FOR THEIR GUILT - NOT AT RUSSIA - THEN YOU WILL FIND THE GUILTY PARTIES IN THE HACKING ACCUSATIONS. MSM NEVER PROVIDES TRUTH TO THE AMERICANS.)
But the US also hoarded security vulnerabilities for years to use as cyberweapons. Recent global outbreaks in ransomware have been traced back to tools from the NSA that were leaked by a group known as the Shadow Brokers.
In a statement following the WannaCry ransomware attacks, Microsoft said “an equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.” It’s obvious that the US can’t be trusted with this knowledge and companies shouldn’t help them gain it.
In the same way that experts say that you shouldn’t pay the ransom when hit by ransomware, tech companies need to block this coercion before it gets out of control.
[Associated Press]
Comment:
While I appreciate this article, a lot of people might not understand why showing your source code can expose security weaknesses:
Programmers like myself build systems that can span hundreds of files and millions of lines (billions for some things). Every time that we use conditional statements to check things, or reach for code outside of our own (especially libraries on your computer that may change over time) or create patterns in the way that we access, change, or store data on your computer, we may create a point of weakness for someone to exploit. Much of the time we are trusting that because the specifics of those operations are obscured by how much harder it is to find them after the program has been built and how scattered the machine code is. By showing source code to a party that may choose to be malicious with that knowledge later, it becomes possible for them to use the source code like a road map to test those potential points of weakness and come up with detailed hacks that cheat the system much faster because they are not forced to figure things out through trial and error or painstaking (often fruitless) reading of the assembly code.
https://gizmodo.com/in-worrisome-move-kaspersky-agrees-to-turn-over-source-1796587120