Hewlett Packard Allowed Russian Firm to Review Pentagon Cyberdefense Software

Discussion in 'Business & Economics' started by Tiassa, Oct 3, 2017.

  1. Schmelzer Valued Senior Member

    Why? If it is Open Source, what is the problem if the Pentagon uses it too? I can, say, use Tor, which is well known to be developed by the American military, with the obvious aim to hide, in a better way, their communications with their agents worldwide. If the Pentagon uses Tor too, it means there is more Tor traffic, and that means that my own traffic would be hidden even better than without the Pentagon.
    Which is the point. It makes no sense to hide it.
    Real Russian hackers will be a problem for those attacked. The Russian hacker hysteria in America is an American problem.
    Ok, slow explanation for those unable to understand elementary things. Look at some of the responses here:
    Looks like some people here think this would have been, better, illegal. I would guess the foreign competitors on the cybersecurity market will hope that this becomes illegal in the US.

    If I thought that the people here were reasonable, I would hide this. Because this would slightly increase the probability that it really will be forbidden, and, therefore, the US being harmed. With what I know I can be sure that you will be even more in favor of forbidding it once I argue that to forbid it would be stupid. So, I'm free to make reasonable recommendations and have fun that you will not follow them, harming the US.


    The point being? NSA backdoors are a security issue, for every reasonable person and institution. And one unhandled security issue is one too many.
  3. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    Lot of armchair cybersecurity experts here that have obviously had little, if any, experience in the field. C'est la vie I guess.
  5. iceaura Valued Senior Member

    It isn't open source.
    Things like Tor don't handle many of the Pentagon's cybersecurity issues.
    The hacking is a bigger problem than the hysteria, in America. But so what?
    To whom?
    It makes very good sense to the Pentagon to hide it.
    Why would it make any difference to them? They would have no shot at the cybersecurity Pentagon market either.
    So? This makes two unhandled security issues. That's worse.
    Nobody is following them - certainly no nuclear or military power. Any idea why not?
    Last edited: Oct 10, 2017
  7. Schmelzer Valued Senior Member

    Open for inspection by the government.
    If this were true, it would be good news for the FSB. It means good old espionage methods would be sufficient to hack the Pentagon. https://en.wikipedia.org/wiki/Security_through_obscurity
    The products used by the Pentagon would not be present on external markets. Less competition.

    The FSB will be happy too. It means the Pentagon has to pay more for the software (once the firms cannot get additional income by selling the same software elsewhere), and the result will be less secure (because it is checked only by the Pentagon, not by a lot of other users). The products of the American firm for the external market will be worse too. Except if they cheat and sell the same software using another name.
    ?????? Getting access to the source code handles one key security issue for foreign governments, namely NSA backdoors, which cannot be handled in any other way if one relies on American software. It does not make anything worse in any other security issues.
  8. iceaura Valued Senior Member

    That has none of the benefits of open source.
    And good old espionage methods are made easier by inspecting the source code.
    But that would not affect competition - at least not much.
    We weren't talking about foreign government security. We were talking about Pentagon security, and the security of others using software open to the Russian and Chinese governments. They already had NSA backdoors to worry about - now they have Russian and Chinese hacking operations given a leg up.
  9. Schmelzer Valued Senior Member

    It has the one that is most important in this context - that you can check for NSA backdoors.
    The good old espionage methods would have to give access to the source code. And, given that, according to your claim, obscurity is essential, this will be sufficient to hack.

    If, instead, obscurity were not used, or only as an irrelevant additional layer, then getting the source code would not give anything. Say, the information that I use VeraCrypt to protect my data does not give an attacker anything.

    Here is what I have replied to:
    Which is not about the Pentagon at all, but about foreign country security. If a foreign country can do nothing against NSA backdoors, it has no security at all. In this case, even pure Open Source code, which is free, would be the better solution, against the NSA as well as against Russian and Chinese hackers. So, it is natural that foreign countries can, and will, insist that they get access to the source code. And once they get it, it is clear that other countries get it too. In particular Russia and China too.

    If you introduce special rules for evil countries like Russia and China, the FSB will be happy too. Forbidding the use of Windows in Russia would be very good. For Russian security. There are far too many Russian firms using this collection of NSA spy programs named Windows.
  10. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    You seem to be operating on the assumption that Russia has someone "on the inside" that has the ability to not only access the source code of HP's product, but copy it and send it back somewhere to be analyzed...

    That, or you are assuming the program and the source code are the same thing, and thus that having access to the compiled program gives you the same benefits as access to the original source code. Certainly, with some software this may be the case - however, at least in my experience, most competent developers make it rather difficult, if not nearly impossible, to cleanly decompile the program back to the source code, and attempting to do so results in a lot more garbage code than usable code.

    Hold on... I need to go buy more tin foil...
  11. iceaura Valued Senior Member

    That is not a security benefit for the Pentagon. That is an indication of vulnerability, a liability.
    The thread is about Pentagon and US government security, and its blatant compromise by contracted software developers.
    Tangentially, it involves others as well:
    But the security of the Russian and Chinese governments is of no interest here.
    Or not, depending on the competence of the oversight.

    They failed to accomplish that and similar much-desired inroads in the good old fashioned past, notice. And they seem to have no such confidence in their abilities now, either - else why demand what amounts to an expensive special feature and service of no real benefit, and thereby limit one's field of choice? Why allow the Pentagon to know for sure that their security source code has been compromised, and give up the advantage of them not being alert?

    So we have clear evidence, if we actually needed any, in the behavior of its enemies, that opening the source code of its security software to the governments of its military foes compromises Pentagon security.

    And we have all become a little bit stupider by marshaling arguments in support of the fact. Thank you for that.
    Last edited: Oct 11, 2017
  12. Schmelzer Valued Senior Member

    I'm assuming that some Russian specialists are allowed to see the source code. And, I would guess, they will also be allowed to compile it, to compute some checksum or so, so that the firm cannot give them fake source code and then sell them something compiled from other source code.

    I know what was possible long ago regarding decompilation. Nasty job, and I never thought it made sense, except in special cases. I'm sure this is much simpler today, because most programming is much better structured and modularized today. I doubt today people do a lot of things to make this impossible.
    For the claim of an NSA backdoor in Windows? Ok, trust Windows if you like.
    Not sure that they like each other, but this is not my point. For almost every other country, NSA backdoors are nothing one would like to have.
    It is the natural explanation why they insist on this before allowing such things to be sold in Russia and China. If they found, by some accident, an error, ok, one can suspect that they would tell not the American firm but the FSB about this, to allow it to hack the Pentagon. But this would be a nice side effect. The aim of this insistence is their own security.
    The point is that classical espionage methods have some nonzero probability of success. And a much larger one than brute force attacks on reliable Open Source code. So, if classical espionage would define a security loophole, bad luck for the Pentagon. Using Open Source would be safer.
    Simply because the aim of this measure is not hacking the Pentagon, but protection of Russia from buying software with NSA backdoors.
    Fine. Everything works like I have thought.
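The post above describes the check an inspecting party would want: compile the source it was shown, compute a checksum, and compare it with what the vendor actually ships. The script below is an added illustration of that idea, not code from the thread or from any vendor mentioned in it. The `build` function is a stand-in for a compiler (an assumption, so that the example runs offline); the source trees and build stamps are constructed samples. It also shows the one thing that makes such comparisons fail in practice even for honest builds: nondeterministic metadata such as a build timestamp, which has to be normalised out before the hashes can be compared.

```python
import hashlib
import re
import zlib

# Constructed sample: the source tree that was handed over for inspection.
INSPECTED_SOURCE = {
    "main.c": 'int main(void) { return send_report("update.example"); }\n',
    "net.c": "int send_report(const char *host) { return connect_tls(host); }\n",
}

# Constructed sample: the same tree with one extra function the inspectors
# never saw. If the vendor shipped a build of this instead, the digest
# comparison below is what catches the substitution.
UNINSPECTED_SOURCE = dict(INSPECTED_SOURCE)
UNINSPECTED_SOURCE["net.c"] += "int extra_routine(void) { return 0; }\n"

# The build stamp is the one field that legitimately differs between two
# builds of identical source; it is stripped before hashing.
_STAMP_RE = re.compile(rb"^BUILT-AT:[^\n]*\n")


def build(source, build_time):
    """Stand-in for a compiler (assumption, not a real toolchain): the output is
    a deterministic function of the source apart from the embedded build time."""
    body = "".join(f"// {name}\n{text}" for name, text in sorted(source.items()))
    return zlib.compress(f"BUILT-AT:{build_time}\n{body}".encode())


def artifact_digest(artifact):
    """SHA-256 of the artifact with the nondeterministic build stamp removed."""
    plain = zlib.decompress(artifact)
    return hashlib.sha256(_STAMP_RE.sub(b"", plain, count=1)).hexdigest()


def verify_build(inspected_source, shipped_artifact):
    """Rebuild from the inspected source and compare digests with the shipped
    artifact. True only if the shipped artifact came from that exact source."""
    rebuilt = build(inspected_source, build_time="inspector-rebuild")
    return artifact_digest(rebuilt) == artifact_digest(shipped_artifact)


if __name__ == "__main__":
    genuine = build(INSPECTED_SOURCE, "2017-10-03T00:00:00Z")
    swapped = build(UNINSPECTED_SOURCE, "2017-10-03T00:00:00Z")
    print("genuine artifact matches inspected source:", verify_build(INSPECTED_SOURCE, genuine))
    print("swapped artifact matches inspected source:", verify_build(INSPECTED_SOURCE, swapped))
    # A naive hash over the raw file would reject the genuine build too, purely
    # because the stamp differs between the vendor's build and the rebuild.
    naive_equal = hashlib.sha256(genuine).digest() == hashlib.sha256(
        build(INSPECTED_SOURCE, "inspector-rebuild")).digest()
    print("raw file hashes equal:", naive_equal)
```

With a real toolchain the same approach is what reproducible-build projects do: pin the compiler and flags, strip or fix timestamps and other varying metadata, and only then compare the digest of the rebuild with the digest of the delivered binary.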
  13. iceaura Valued Senior Member

    So? Irrelevant. NSA backdoors are nothing Americans like to have either. Russian and Chinese hacking on top of that makes things worse.
    Creating more threats from Russian and Chinese hackers, on top of NSA backdoors, is bad for everyone except the Russians and Chinese.
    So? Why should the US government care about Russian or Chinese security?
    So? If it's low enough, we're good. Making it higher is bad. Opening the source code to one's potential enemies makes it higher. That's bad.
    So? That isn't adequate, first, but it also isn't relevant - the code involved isn't open source, and this security threat isn't bad luck.
    So? Why are you yammering on about supposed motives? Nobody cares what the "aim" was. The mind-boggling irresponsibility of allowing it - allowing corporations to sell out (literally sell, for money) US military and governmental security like that - is the issue for Americans.
    Last edited: Oct 12, 2017
  14. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    You'd be surprised - a lot of code doesn't decompile cleanly, sometimes because of external program calls to other supporting items (such as environmental variables, or calls to OS level items, etc), sometimes because of code specifically designed to throw garbage when decompiled (think of it like a decompression bomb), etc.

    More the idea that Windows is a primary vector by which the US gathers intelligence in such countries...
  15. Schmelzer Valued Senior Member

    The only thing which could surprise me is that you think the information you have given can surprise me. I even know a simple method to create code which does not decompile, from the time when this method was really used and really useful: writing code in assembler.
    The idea that it is primary exists in your fantasy only.
    For the Americans who care about NSA backdoors, there is the natural choice to use Open Source software. And it protects from Russian and Chinese hackers too. If they decide nonetheless to use other software, it would be in their interest to use such software which not only the Pentagon, but also other countries, including Russia and China, allow to be used in their government sector, because they all have the ability to inspect the source code and decided that it is not dangerous for their countries, despite coming from an American firm.
    Learn to read. It is not the US government, but the Russian government, which cares that the software used in Russia is not full of NSA backdoors. And the Chinese government which cares that the software used in China is not. And both have a natural way to do this: The legal requirement to allow inspection of the source code by their own specialists before allowing it to be used in any public office on their own territory.
    Means you have not understood the whole point of Open Source security. It makes the risks lower, because the whole world can participate in the search for vulnerabilities - and does it, because it improves their own security.
    And you clearly don't understand that using Open Source software makes the risk much lower than that of foreign espionage breaking the security of usual police state security methods.
    Once other governments have access to it, it is a restricted form of Open Source. Name it Government Open Source. The "security threat" is of the same type as making a software used by the Pentagon completely Open Source. Namely, if there are really loopholes in the code, they can be used by enemies too. Once you don't understand the advantages of using Open Source for everything security-relevant, you will not understand that this security threat is negligible in comparison with the advantages.
    I'm not yammering at all. I try to explain to you that what happened is completely normal, reasonable, and unproblematic for Pentagon security, and that those who see here security threats for the Pentagon are fools. I hope that you, simply to contradict me, continue to behave like fools and, in this way, weaken US security. I'm quite satisfied, no reason at all for yammering.
  16. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    Then the fact that you are arguing this at all simply goes to show one of two things:
    1) You don't actually know as much as you claim you do
    2) You are being argumentative for the sake of being argumentative, and don't really have a point to make

    ... come to think of it, that seems pretty typical of you, Schmelzer...

    The idea that it matters, at all, in the grand scheme of collecting information is your fantasy.

    Right, because open source software is so much harder to hack than anything else. No, the real reason there isn't much in the way of malicious software for these systems is simple - ROI. Right now, the return on a bit of malicious code for Windows is massive, primarily because of the large market share Windows holds. Simply put, if you were going to put the time and effort into coding a bit of malware that went out and installed backdoors and keyloggers on systems, would you write it to target the OS that runs 75% of computers in use today, or the OS that runs 3 to 4 percent?


    Windows seven, despite being no longer supported, holds nearly 50% of market share. Windows 10 holds an additional 26%. Windows 8, 8.1, and XP make up another 10%... so right there, nearly 86% of computers run some variant of Windows...

    It is simple math, really. Of COURSE windows is the most vulnerable... when you're the king of the mountain, everyone is looking to knock you down.

    Of course, Windows has another huge disadvantage - it has to run on a multitude of different hardware configurations, and support those configurations - Mac/Apple doesn't, they control the hardware and software, and if you install it on an unsupported device, you don't get support. Open Source software has no support beyond the community at large. So, Windows has to be able to adapt which, as always, means more vulnerability.

    This isn't some grand conspiracy Schmelzer... and if you were actually half as competent as you like to claim, you would know this. Does the NSA take advantage of backdoors that exist? Of that I have no doubt... but then again, I would wager so does every single intelligence agency in every first world nation around the world. The question is... what do they do with that access.

    More to the point, and to get back on the topic of this thread - whereas a group like the NSA, FBI, CIA, and other 3-letter-acronym agencies have tons of resources to throw at cracking these open and exploiting them... simply offering them up on a silver platter to a hostile entity is hardly good for those who already depend on your software for security.
  17. Schmelzer Valued Senior Member

    The idea that Windows has an NSA backdoor is quite natural and simple. The idea that for other countries it matters if a lot of software used in this country has an NSA backdoor is as well natural and simple. If you like to name this my fantasy, I can live with this.

    Writing some trivialities about the role of the Windows market share - that the big market share makes it an attractive target, and that supporting almost all hardware makes it an easier one - Kittamaru makes the following claim:
    I know this. In particular, I know that the explanation that Linux is much less attacked is not only that it is Open Source, but also its small market share. But I also know that this is not as important as you seem to think. So, I'm not at all afraid of using Open Source security software which has a leading position. So, to encrypt my data I used TrueCrypt, which was what everybody was recommending and using, without being afraid that it may have a leadership position.
  18. iceaura Valued Senior Member

    Your "explanation" makes no sense.
    You seem to think that the Pentagon's reliance on "obscurity" for some security aspects is substandard and avoidably vulnerable, ok - so what? That makes no difference to the current issue, even if you are correct. It makes absolutely no difference to the current matter whether Open Source would be better, whether Russia is legitimately worried about NSA backdoors (I agree with you completely about that), or whether any of the rest of your chaff adds up. It's all completely irrelevant, except for your assertion that old fashioned espionage was unstoppable and guaranteed to be successful in these matters, which is fantasy (and disproved by Russian and Chinese demands to inspect the source code).
    Repeat after me: It's not Open Source. Not Open Source. Not Open Source. Got it?
    It acquires absolutely none of the features or advantages of Open Source software through being inspected by Russian or Chinese agencies.
    And the Russian government security is completely irrelevant to this thread. Why do you keep bringing it up?
  19. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    *shakes head* I don't know why I'm arguing with someone who, by all appearances, is at best a Russian shill... a paid propagandist at worst.
  20. Schmelzer Valued Senior Member

    You are correct, this is fantasy. Your fantasy. I have no connection to such an abstruse idea.
    Why should I repeat trivialities? And you are wrong - it gets some of the advantages. The probability that code inspected by Russian or Chinese agencies contains NSA backdoors is quite low, much lower than for any American completely closed software. If this is an advantage even for the Pentagon or not, ask the Pentagon. I'm not sure they are happy to have NSA backdoors everywhere, but who knows. The average American firm will be, I think, happy about not having them.
    Once you distort what I write, I have to correct this. So, I often enough have to repeat myself. And the correction of distortions is relevant in every thread. The original aim was simple: To explain why what is presented here as an evil conspiracy of Russian and Chinese hackers is nothing but natural care of Russian and Chinese governments about the security of their citizens.
  21. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    I am curious how you find his posts abstruse in the slightest... they seem pretty straightforward to me.

    I can only guess that when things don't align with your desired narrative, it causes some sort of cognitive dissonance that makes it difficult (or impossible) for you to grasp the concepts being discussed?
  22. Tiassa Let us not launch the boat ... Staff Member

    It appears to be tactical; the point is to change the subject of the general discussion. He even says so, explicitly:

  23. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    Yeah... yeah, I guess he did.
