Hewlett Packard Allowed Russian Firm to Review Pentagon Cyberdefense Software

Discussion in 'Business & Economics' started by Tiassa, Oct 3, 2017.

  1. iceaura Valued Senior Member

    That's not an advantage for the Pentagon - it doesn't even apply: their version is unaffected.
    And it's not an advantage for anyone else, either - it makes them more vulnerable to Russian and Chinese hackers, instead.
    And the Russians would prefer that other people have the backdoors, likewise the Chinese - they're useful for hacking. So they won't tell.
    So it has no Open Source advantage.
    Nothing is presented here as an evil conspiracy of Russian and Chinese hackers. So you have no reason to yammer on about that, or even bring it up - this is between HP, the American citizenry, and the American government.
  3. Schmelzer Valued Senior Member

    I find the idea that "that old fashioned espionage was unstoppable and guaranteed to be successful" abstruse. If you find it straightforward, your decision. To attribute it to me is, anyway, a defamation.
    If one corrects errors, this is often somehow connected with a change of subject.

    I have to admit that I do not care a lot about preservation of the original subject. But to claim that it would be my point to change it is complete nonsense. Confusion of a side effect (one I do not care about) with an aim.

    If the Russians and Chinese allow it on their market, there is no reason for change. If they reject it, as dubious and insecure, the Pentagon may learn about this and start to care too.
    First, it is an obvious advantage for everybody who does not want NSA backdoors, and second, it makes them more vulnerable only if a) those government observers cooperate with some hackers and b) if the code is bad, vulnerable anyway, so that it would be better to replace them with safe code (say Open Source code) anyway.
    Maybe they won't tell (that's your conspiracy). But they would not allow code with identified NSA backdoors for their own public services. So the fact that they allow it gives away the information that they have not found an NSA backdoor.
    Don't whine. Look at my contributions as if I would defend what HP has done. For HP it is a meaningful strategy, if they have really safe code, which could be as well Open Source if they would not like to sell it, to allow the governments where they want to sell their software, to inspect the code.
    Last edited: Oct 17, 2017
  5. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    Hm... I'm sure you can quote where iceaura said that, since you are trying to attribute that statement to him.

    It is hardly nonsense when it is a visible pattern of behavior.

    Right... and if you truly believe that, I have some beachfront property on Mercury to sell you...
  7. iceaura Valued Senior Member

    You don't mean "abstruse".
    The idea is straight from your posting, such as post #44. Sure it looks stupid and therefore defamatory, but you posted it.
    No, it isn't. They are not privy to the Russian or Chinese findings, and not informed about their own version of the code.

    This isn't Open Source we're discussing. Not Open Source. Not Open Source. Please try to bear down a little here.

    Nonsense. They are now more vulnerable to Russian and Chinese hacking, on top of the possible NSA backdoors. Their security by obscurity has been compromised.
    Of course they wouldn't, normally. Why would they? That's not "conspiracy", that's just common sense.
    Silly boy. If they find a backdoor, it's very much in their interest to keep the finding secret - not even tell HP - as long as they can control it. If they can't, having HP remove it from just their version - and not tell anyone - would be their next best advantage. The only way they would tell others what they found is if there was absolutely no advantage otherwise, and the only value was the bad publicity they could generate for the US.
    The Pentagon is not getting its information about its security software from the Russians and Chinese. At least, I hope not.
    For the US, the Pentagon, and the others who depend on secure code from HP, it is a betrayal and a threat.
    Last edited: Oct 17, 2017
  8. Schmelzer Valued Senior Member

    No problem:
    There I wrote:
    So I have to explain to you the difference between a method which has some chance of success which can be expected in the order of, say, 10% (where even 0.1% would be much much more than the chance to break modern Open Source encryption), and one which is "unstoppable and guaranteed to be successful"?
    If HP wants to hide this, maybe. But this would be stupid.

    Don't forget simple security measures which the Russians will insist on: They will compile the code they have seen, and compute some checksum. With this checksum they can check if what is sold to Russian public offices is really from the code they have seen, not another one with a backdoor. HP can simply make this checksum public too, without making the code itself Open Source.
    Yes. But this is, in comparison with the security of modern Open Source codes, an irrelevant loss.
    First, they certainly would not allow it to be used in their own public offices. Because this would make them vulnerable to NSA.
    What would they do? Ok, they would give the FSB two weeks or however much they need to attack whatever is vulnerable and worth attacking around the world. Then they would decide how to use what they have found. On the one hand, they can make some irresistible offer to the firm. Either you do this or that, or we make the NSA backdoor public. Or they would simply make it public. And use it to discredit both HP and the NSA worldwide in the infowar.
    I hope so too. Because not using all accessible (with whatever means, legal or illegal) information would be stupid. So, if they would ignore the information that the Russians and Chinese, after looking at the code, forbid it to be sold to their public offices, they would be stupid. For me, not a problem at all.

    The only American stupidity I would have to be afraid of would be the belief that they can win a nuclear war.
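The verification step Schmelzer describes above (compile the reviewed source, compute a checksum, and compare it with what is actually shipped) only works when the build is reproducible, which is the caveat a defender would want spelled out. The following Python is an added example, not code from the thread or from HP; the sample source, the `build()` stand-in for a compiler, and the timestamp case are all constructed for illustration:

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample of "reviewed" source; in practice this is the tree the
# reviewers actually read, not a copy supplied later by the vendor.
REVIEWED_SOURCE = b"int check_login(void) { return verify(); }\n"


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of an artifact as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def artifact_matches(artifact: bytes, published_hex: str) -> bool:
    """Compare a shipped artifact's digest against a published digest.

    hmac.compare_digest keeps the comparison constant-time; for a public
    checksum this is mostly hygiene, but it is the right primitive to reach for.
    """
    return hmac.compare_digest(sha256_hex(artifact), published_hex.lower())


def build(source: bytes, embed_timestamp: Optional[str] = None) -> bytes:
    """Stand-in for a compiler (constructed, hypothetical): the 'binary' is a
    header plus the source bytes. If the build embeds a timestamp, the output
    differs on every build even though the source is identical, which is the
    classic reason a reviewer's checksum fails to match a vendor's binary."""
    header = b"HDR"
    if embed_timestamp is not None:
        header += b":" + embed_timestamp.encode()
    return header + b"\n" + source


def reviewer_reference_digest() -> str:
    """Digest the reviewers would record after building the code they read."""
    return sha256_hex(build(REVIEWED_SOURCE))


def shipped_copy_is_reviewed_code(shipped: bytes) -> bool:
    """True only if the shipped bytes are exactly what the reviewed source
    produced under a deterministic build. A mismatch means either the code
    changed (e.g. something added after review) or the build is not
    reproducible; the check alone cannot tell those two cases apart."""
    return artifact_matches(shipped, reviewer_reference_digest())


if __name__ == "__main__":
    reference = reviewer_reference_digest()
    print("published reference digest:", reference)
    print("identical build matches:    ", shipped_copy_is_reviewed_code(build(REVIEWED_SOURCE)))
    print("modified source matches:    ", shipped_copy_is_reviewed_code(build(REVIEWED_SOURCE + b"// added\n")))
    print("timestamped build matches:  ", shipped_copy_is_reviewed_code(build(REVIEWED_SOURCE, "2017-10-17")))
```

The third case is the one to watch: a non-deterministic build produces a digest mismatch on untampered code, so a vendor-published checksum of a binary is only meaningful alongside a reproducible build recipe that the reviewers can run themselves. A digest also binds bytes, not properties: it proves the shipped copy equals the reviewed copy, and nothing about whether the reviewed copy was clean.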
  9. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    None of which supports your statement. You said:
    Thus, you make it sound as though Iceaura said "old fashioned espionage was unstoppable and guaranteed to be successful".

    Nowhere did he make that claim - what he said was, as you quoted him (correctly this time), that you had asserted it.

    Setting up a strawman to try and knock down by deliberately misquoting someone is rather bad form Schmelzer...
  10. Schmelzer Valued Senior Member

    What I said, in the reply to this:
    If you don't understand the meaning of this, I will explain: This means that the thesis that this nonsense is my assertion is iceaura's fantasy, or, more accurately, defamation. Iceaura has understood this very well, and repeated and defended this defamation in #64
    So, this is in no way a strawman, but your inability to correctly interpret the text. Ok, maybe my formulation misled you a little bit, but given that iceaura has correctly understood the point, it was good enough.
  11. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    Now you seem to be backpedaling...

    You started with the premise that "security by obscurity" is bad security:
    Your posts between that one and post #52 seem to indicate you think that the bigger threat is inside agents and backdoors, rather than knowing the security system. You are, in essence, building the argument that the "old fashioned espionage" was the real worry, not foolishly displaying source code to other nations.

    That is your premise... how you wish to posit that this is somehow a contrived scheme concocted by Iceaura is... well, honestly, not surprising. The closest you can come is where he said:
    Which is true - having intimate knowledge of the backend of what you are trying to break into makes things vastly easier for any competent cracker.

    So, I ask again - where did iceaura claim "that old fashioned espionage was unstoppable and guaranteed to be successful" ? Specifically, where did he say they were unstoppable or guaranteed to succeed? Nowhere, in this thread, have I seen him utter anything close to that phrase. That's been your premise.
  12. Schmelzer Valued Senior Member

    It is.
    No. If you use "security by obscurity", good old espionage is dangerous, foolishly displaying the source code too. If you use good crypto, like that of Open Source, good old espionage gives nothing, foolishly displaying Open Source code to other nations is also not dangerous. No difference between the two.

    Both things are stoppable, so that you have a chance that security by obscurity will not be broken. But there is also a sufficiently large probability that it will be broken, at least if breaking it is sufficiently interesting for foreign security agencies. Hard to estimate the probabilities, I would say something between 10% and 50%. One can look at classical history of how much about the enemy has been known and how much remained hidden, and would find that quite a lot was known. With the internet, espionage becomes technically much simpler, things which were extremely dangerous in the past are easy today. But this would not make classical espionage unstoppable or so. What matters is that there is a probability that it succeeds, and this probability is large enough that one would better not ignore it.

    Learn to read. How many times do I have to repeat the point that I have never claimed that iceaura has said that espionage is unstoppable. Iceaura has defamed me, suggesting that I have made such a stupid claim. This defamation I have named iceaura's fantasy.

    Here, again, is iceaura's defamation:
  13. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    There you go with absolutes again, which is what got you into this mess.

    Oh, I can read quite well, I assure you. Comparatively, I would advise you to say what you bloody well mean to say, because I concur with Iceaura's interpretation of what you said. I see no hint of defamation there, and only a paltry attempt by yourself to deflect your words away from yourself.
  14. iceaura Valued Senior Member

    Loss of security is not irrelevant. It's the central matter. Open Source codes are irrelevant - this is not Open Source code.
    You have to explain to me why you used "sufficient" if you didn't mean it - and similar references in other posts - in making an argument I summarized accurately.
    You also have to quit trying to hide behind irrelevancies like the existence of Open Source code. We aren't talking about Open Source code. Nobody uses it for military or governmental security, and nobody involved in this incident uses it - not the Russians, not the Chinese, not anybody. It's irrelevant.
    No, it wouldn't. It would put them in control of what the NSA thinks it knows (as long as the NSA doesn't know they found it).
    Meanwhile, they have info on all the other vulnerabilities they found in this widely used code, and they can plug their own backdoor and others whenever they want to.
    Why only two weeks? Knowing the NSA backdoor would be a permanent advantage for them - as long as nobody knows they have it - on top of whatever else they found.
    That would not be informative to the Pentagon.
    No, it would not. It would be profitable, and good for business, and the expected outcome.
    Your imaginary world of very stupid Russians and equally oblivious Pentagon security folk is a waste of time.
    And since that is the situation, we have what appears to be complete agreement on the universal folly displayed in HP's betrayal of US and Pentagon security.
    - - - -
    So what are you posting about the rest of the time here?
    In post 44, among others, you made the relevant claim - including right here, where you backtrack a bit:
    In the first place, a sufficiently large probability of a breach is a breach - it has to be treated as a breach. In the second, making the breach probability higher is a bad thing - a betrayal - no matter what it is.

    Meanwhile: If you're worried about being defamed, quit posting ridiculous crap like that estimate of the odds of "breaking" - whatever that means - the Pentagon's cybersecurity system. Nothing I post sends you up higher than that kind of stuff.
