Hewlett Packard Allowed Russian Firm to Review Pentagon Cyberdefense Software

Why should I repeat trivialities? And you are wrong - it gets some of the advantages. The probability that code inspected by Russian or Chinese agencies contains NSA backdoors is quite low, much lower than for any American completely closed software.
That's not an advantage for the Pentagon - it doesn't even apply: their version is unaffected.
And it's not an advantage for anyone else, either - it makes them more vulnerable to Russian and Chinese hackers, instead.
And the Russians would prefer that other people have the backdoors, likewise the Chinese - they're useful for hacking. So they won't tell.
So it has no Open Source advantage.
To explain why what is presented here as an evil conspiracy of Russian and Chinese hackers is nothing but natural care of Russian and Chinese governments about the security of their citizens.
Nothing is presented here as an evil conspiracy of Russian and Chinese hackers. So you have no reason to yammer on about that, or even bring it up - this is between HP, the American citizenry, and the American government.
 
I am curious how you find his posts abstruse in the slightest... they seem pretty straight forward to me.
I find the idea that "that old fashioned espionage was unstoppable and guaranteed to be successful" abstruse. If you find it straightforward, your decision. To attribute it to me is, anyway, a defamation.
It appears to be tactical; the point is to change the subject of the general discussion.
If one corrects errors, this is often somehow connected with a change of subject.

I have to admit that I do not care a lot about preservation of the original subject. But to claim that it would be my point to change it is complete nonsense. Confusion of a side effect (one I do not care about) with an aim.

That's not an advantage for the Pentagon - it doesn't even apply: their version is unaffected.
If the Russians and Chinese allow it on their market, there is no reason for change. If they reject it, as dubious and insecure, the Pentagon may learn about this and start to care too.
And it's not an advantage for anyone else, either - it makes them more vulnerable to Russian and Chinese hackers, instead.
First, it is an obvious advantage for everybody who does not want NSA backdoors, and second, it makes them more vulnerable only if a) those government observers cooperate with some hackers and b) if the code is bad and vulnerable anyway, so that it would be better to replace it with safe code (say Open Source code) anyway.
And the Russians would prefer that other people have the backdoors, likewise the Chinese - they're useful for hacking. So they won't tell.
Maybe they won't tell (that's your conspiracy). But they would not allow code with identified NSA backdoors for their own public services. So the fact that they allow it gives away the information that they have not found an NSA backdoor.
Nothing is presented here as an evil conspiracy of Russian and Chinese hackers. So you have no reason to yammer on about that, or even bring it up - this is between HP, the American citizenry, and the American government.
Don't whine. Look at my contributions as if I were defending what HP has done. For HP it is a meaningful strategy, if they have really safe code, which could as well be Open Source if they did not want to sell it, to allow the governments where they want to sell their software to inspect the code.
 
I find the idea that "that old fashioned espionage was unstoppable and guaranteed to be successful" abstruse. If you find it straightforward, your decision. To attribute it to me is, anyway, a defamation.
Hm... I'm sure you can quote where iceaura said that, since you are trying to attribute that statement to him.

If one corrects errors, this is often somehow connected with a change of subject.

I have to admit that I do not care a lot about preservation of the original subject. But to claim that it would be my point to change it is complete nonsense. Confusion of a side effect (one I do not care about) with an aim.
It is hardly nonsense when it is a visible pattern of behavior.

If the Russians and Chinese allow it on their market, there is no reason for change. If they reject it, as dubious and insecure, the Pentagon may learn about this and start to care too.

First, it is an obvious advantage for everybody who does not want NSA backdoors, and second, it makes them more vulnerable only if a) those government observers cooperate with some hackers and b) if the code is bad and vulnerable anyway, so that it would be better to replace it with safe code (say Open Source code) anyway.

Maybe they won't tell (that's your conspiracy). But they would not allow code with identified NSA backdoors for their own public services. So the fact that they allow it gives away the information that they have not found an NSA backdoor.

Don't whine. Look at my contributions as if I were defending what HP has done. For HP it is a meaningful strategy, if they have really safe code, which could as well be Open Source if they did not want to sell it, to allow the governments where they want to sell their software to inspect the code.

Right... and if you truly believe that, I have some beachfront property on Mercury to sell you...
 
I find the idea that "that old fashioned espionage was unstoppable and guaranteed to be successful" abstruse. If you find it straightforward, your decision. To attribute it to me is, anyway, a defamation.
You don't mean "abstruse".
The idea is straight from your posting, such as post #44. Sure it looks stupid and therefore defamatory, but you posted it.
First, it is an obvious advantage for everybody who does not want NSA backdoors,
No, it isn't. They are not privy to the Russian or Chinese findings, and not informed about their own version of the code.

This isn't Open Source we're discussing. Not Open Source. Not Open Source. Please try to bear down a little here.

and second, it makes them more vulnerable only if a) those government observers cooperate with some hackers and b) if the code is bad and vulnerable anyway, so that it would be better to replace it with safe code (say Open Source code) anyway.
Nonsense. They are now more vulnerable to Russian and Chinese hacking, on top of the possible NSA backdoors. Their security by obscurity has been compromised.
Maybe they won't tell (that's your conspiracy).
Of course they wouldn't, normally. Why would they? That's not "conspiracy", that's just common sense.
But they would not allow code with identified NSA backdoors for their own public services. So the fact that they allow it gives away the information that they have not found an NSA backdoor.
Silly boy. If they find a backdoor, it's very much in their interest to keep the finding secret - not even tell HP - as long as they can control it. If they can't, having HP remove it from just their version - and not tell anyone - would be their next best advantage. The only way they would tell others what they found is if there was absolutely no advantage otherwise, and the only value was the bad publicity they could generate for the US.
If the Russians and Chinese allow it on their market, there is no reason for change. If they reject it, as dubious and insecure, the Pentagon may learn about this and start to care too.
The Pentagon is not getting its information about its security software from the Russians and Chinese. At least, I hope not.
For HP it is a meaningful strategy, if they have really safe code, which could as well be Open Source if they did not want to sell it, to allow the governments where they want to sell their software to inspect the code.
For the US, the Pentagon, and the others who depend on secure code from HP, it is a betrayal and a threat.
 
Hm... I'm sure you can quote where iceaura said that, since you are trying to attribute that statement to him.
No problem:
It's all completely irrelevant, except for your assertion that old fashioned espionage was unstoppable and guaranteed to be successful in these matters, which is fantasy (and disproved by Russian and Chinese demands to inspect the source code).
You don't mean "abstruse".
The idea is straight from your posting, such as post #44. Sure it looks stupid and therefore defamatory, but you posted it.
There I wrote:
If this were true, this would be good news for the FSB. It means good old espionage methods would be sufficient to hack the Pentagon. https://en.wikipedia.org/wiki/Security_through_obscurity
So I have to explain to you the difference between a method which has some chance of success, which can be expected to be in the order of, say, 10% (where even 0.1% would be much, much more than the chance to break modern Open Source encryption), and one which is "unstoppable and guaranteed to be successful"?
No, it isn't. They are not privy to the Russian or Chinese findings, and not informed about their own version of the code.
If HP wants to hide this, maybe. But this would be stupid.

Don't forget simple security measures which the Russians will insist on: they will compile the code they have seen and compute some checksum. With this checksum they can check whether what is sold to Russian public offices is really from the code they have seen, and not another version with a backdoor. HP can simply make this checksum public too, without making the code itself Open Source.
They are now more vulnerable to Russian and Chinese hacking, on top of the possible NSA backdoors. Their security by obscurity has been compromised.
Yes. But this is, in comparison with the security of modern Open Source codes, an irrelevant loss.
Of course they wouldn't, normally. Why would they? That's not "conspiracy", that's just common sense. Silly boy. If they find a backdoor, it's very much in their interest to keep the finding secret - not even tell HP - as long as they can control it. If they can't, having HP remove it from just their version - and not tell anyone - would be their next best advantage. The only way they would tell others what they found is if there was absolutely no advantage otherwise, and the only value was the bad publicity they could generate for the US.
First, they certainly would not allow it to be used in their own public offices. Because this would make them vulnerable to NSA.
What would they do? Ok, they would give the FSB two weeks, or however long they need, to attack whatever is vulnerable and worth attacking around the world. Then they would decide how to use what they have found. On the one hand, they can make some irresistible offer to the firm: either you do this or that, or we make the NSA backdoor public. Or they would simply make it public, and use it to discredit both HP and the NSA worldwide in the infowar.
The Pentagon is not getting its information about its security software from the Russians and Chinese. At least, I hope not.
I hope so too. Because not using all accessible information (obtained by whatever means, legal or illegal) would be stupid. So, if they were to ignore the information that the Russians and Chinese, after looking at the code, forbid it to be sold to their public offices, they would be stupid. For me, not a problem at all.

The only American stupidity I would have to be afraid of would be the belief that they can win a nuclear war.
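The checksum step described in the post above, compiling the inspected source and comparing a digest of the result against what is actually delivered, is a reproducible-build verification. The following is an added example, not code from the thread or from HP: it assumes SHA-256 as the digest, a per-file manifest as the published form, and uses constructed stand-in byte strings in place of real build outputs. It also goes slightly beyond the post by reporting missing and unexpected files, not only changed ones.

```python
"""Verify that a delivered set of build artifacts matches the digests recorded
by whoever compiled the reviewed source (added example; not the thread's code)."""
import hashlib
import hmac
from typing import Dict, List

# Constructed stand-ins for compiled outputs. Real artifacts would be the actual
# binaries and config files; short byte strings keep this example offline.
REVIEWED_ARTIFACTS: Dict[str, bytes] = {
    "agent.bin": b"\x7fELF\x02\x01\x01" + b"reviewed agent code " * 4,
    "policy.cfg": b"mode=strict\nupdate_url=https://example.invalid/updates\n",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of one artifact."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """What the reviewing party records after compiling the inspected source:
    one digest per output file. The vendor can publish the same table without
    publishing the source itself."""
    return {name: sha256_hex(data) for name, data in sorted(artifacts.items())}


def verify_delivery(delivered: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Compare a delivered file set against the published manifest.
    Returns a list of findings; an empty list means every file matches and
    nothing is missing or extra."""
    findings: List[str] = []
    for name, expected in manifest.items():
        if name not in delivered:
            findings.append(f"missing: {name}")
            continue
        actual = sha256_hex(delivered[name])
        # Constant-time comparison; harmless here but the right habit for digests.
        if not hmac.compare_digest(actual, expected):
            findings.append(f"mismatch: {name}")
    for name in delivered:
        if name not in manifest:
            findings.append(f"unexpected: {name}")
    return findings


def tampered_copy(artifacts: Dict[str, bytes], name: str, offset: int, xor: int) -> Dict[str, bytes]:
    """Return a copy of the artifact set with one byte of `name` flipped, to
    show that any change to the delivered bytes is caught by the digest."""
    data = bytearray(artifacts[name])
    data[offset] ^= xor
    copy = dict(artifacts)
    copy[name] = bytes(data)
    return copy


if __name__ == "__main__":
    manifest = build_manifest(REVIEWED_ARTIFACTS)
    print("clean delivery:", verify_delivery(REVIEWED_ARTIFACTS, manifest))
    altered = tampered_copy(REVIEWED_ARTIFACTS, "agent.bin", 40, 0x01)
    print("one byte changed:", verify_delivery(altered, manifest))
```

Two caveats a practitioner would add to the post's scheme: the digest only proves that the delivered bytes are identical to the reviewed build, so the build has to be deterministic for the reviewer's own compile to match what the vendor ships, and the manifest has to reach the verifier over a channel the vendor cannot silently alter, otherwise a changed binary can simply come with a changed checksum.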
 
No problem:


There I wrote:

So I have to explain to you the difference between a method which has some chance of success, which can be expected to be in the order of, say, 10% (where even 0.1% would be much, much more than the chance to break modern Open Source encryption), and one which is "unstoppable and guaranteed to be successful"?

None of which supports your statement. You said:
I find the idea that "that old fashioned espionage was unstoppable and guaranteed to be successful" abstruse. If you find it straightforward, your decision. To attribute it to me is, anyway, a defamation.

Thus, you make it sound as though Iceaura said "old fashioned espionage was unstoppable and guaranteed to be successful".

Nowhere did he make that claim - what he said was, as you quoted him (correctly this time), that you had asserted it.

Setting up a strawman to try and knock down by deliberately misquoting someone is rather bad form Schmelzer...
 
None of which supports your statement. You said:
Thus, you make it sound as though Iceaura said "old fashioned espionage was unstoppable and guaranteed to be successful".
What I said, in the reply to this:
It's all completely irrelevant, except for your assertion that old fashioned espionage was unstoppable and guaranteed to be successful in these matters, which is fantasy (and disproved by Russian and Chinese demands to inspect the source code).
was:
You are correct, this is fantasy. Your fantasy. I have no connection to such an abstruse idea.
If you don't understand the meaning of this, I will explain: this means that the thesis that this nonsense is my assertion is iceaura's fantasy or, more accurately, defamation. Iceaura has understood this very well, and repeated and defended this defamation in #64:
The idea is straight from your posting, such as post #44. Sure it looks stupid and therefore defamatory, but you posted it.
So, this is in no way a strawman, but your inability to correctly interpret the text. Ok, maybe my formulation was a little bit misleading to you, but given that iceaura has correctly understood the point, it was good enough.
 
What I said, in the reply to this:

was:

If you don't understand the meaning of this, I will explain: this means that the thesis that this nonsense is my assertion is iceaura's fantasy or, more accurately, defamation. Iceaura has understood this very well, and repeated and defended this defamation in #64.

So, this is in no way a strawman, but your inability to correctly interpret the text. Ok, maybe my formulation was a little bit misleading to you, but given that iceaura has correctly understood the point, it was good enough.

Now you seem to be backpedaling...

You started with the premise that "security by obscurity" is bad security:
No. This is named "security by obscurity" and considered as the worst thing one can do. For some program to be really secure, it should be Open Source.

Your posts between that one and post #52 seem to indicate you think that the bigger threat is inside agents and backdoors, rather than knowing the security system. You are, in essence, building the argument that the "old fashioned espionage" was the real worry, not foolishly displaying source code to other nations.

That is your premise... how do you wish to posit that this is somehow a contrived scheme concocted by Iceaura is... well, honestly, not surprising. The closest you can come is where he said:
And good old espionage methods are made easier by inspecting the source code.

Which is true - having intimate knowledge of the backend of what you are trying to break into makes things vastly easier for any competent cracker.

So, I ask again - where did iceaura claim "that old fashioned espionage was unstoppable and guaranteed to be successful"? Specifically, where did he say they were unstoppable or guaranteed to succeed? Nowhere, in this thread, have I seen him utter anything close to that phrase. That's been your premise.
 
You started with the premise that "security by obscurity" is bad security.
It is.
Your posts between that one and post #52 seem to indicate you think that the bigger threat is inside agents and backdoors, rather than knowing the security system. You are, in essence, building the argument that the "old fashioned espionage" was the real worry, not foolishly displaying source code to other nations.
No. If you use "security by obscurity", good old espionage is dangerous, foolishly displaying the source code too. If you use good crypto, like that of Open Source, good old espionage gives nothing, foolishly displaying Open Source code to other nations is also not dangerous. No difference between the two.

Both things are stoppable, so that you have a chance that security by obscurity will not be broken. But there is also a sufficiently large probability that it will be broken, at least if breaking it is sufficiently interesting for foreign security agencies. Hard to estimate the probabilities, I would say something between 10% and 50%. One can look at classical history of how much about the enemy has been known and how much remained hidden, and would find that quite a lot was known. With the internet, espionage becomes technically much simpler, things which were extremely dangerous in the past are easy today. But this would not make classical espionage unstoppable or so. What matters is that there is a probability that it succeeds, and this probability is large enough that one would better not ignore it.

So, I ask again - where did iceaura claim "that old fashioned espionage was unstoppable and guaranteed to be successful"? Specifically, where did he say they were unstoppable or guaranteed to succeed?
Learn to read. How many times do I have to repeat the point that I have never claimed that iceaura has said that espionage is unstoppable? Iceaura has defamed me, suggesting that I have made such a stupid claim. This defamation I have named iceaura's fantasy.

Here, again, is iceaura's defamation:
It's all completely irrelevant, except for your assertion that old fashioned espionage was unstoppable and guaranteed to be successful in these matters, which is fantasy (and disproved by Russian and Chinese demands to inspect the source code).
 
No. If you use "security by obscurity", good old espionage is dangerous, foolishly displaying the source code too. If you use good crypto, like that of Open Source, good old espionage gives nothing, foolishly displaying Open Source code to other nations is also not dangerous. No difference between the two.

There you go with absolutes again, which is what got you into this mess.

Learn to read. How many times do I have to repeat the point that I have never claimed that iceaura has said that espionage is unstoppable? Iceaura has defamed me, suggesting that I have made such a stupid claim. This defamation I have named iceaura's fantasy.

Here, again, is iceaura's defamation:

Oh, I can read quite well, I assure you. Comparatively, I would advise you to say what you bloody well mean to say, because I concur with Iceaura's interpretation of what you said. I see no hint of defamation there, and only a paltry attempt by yourself to deflect your words away from yourself.
 
Yes. But this is, in comparison with the security of modern Open Source codes, an irrelevant loss.
Loss of security is not irrelevant. It's the central matter. Open Source codes are irrelevant - this is not Open Source code.
So I have to explain to you the difference between a method which has some chance of success, which can be expected to be in the order of, say, 10% (where even 0.1% would be much, much more than the chance to break modern Open Source encryption), and one which is "unstoppable and guaranteed to be successful"?
You have to explain to me why you used "sufficient" if you didn't mean it - and similar references in other posts - in making an argument I summarized accurately.
You also have to quit trying to hide behind irrelevancies like the existence of Open Source code. We aren't talking about Open Source code. Nobody uses it for military or governmental security, and nobody involved in this incident uses it - not the Russians, not the Chinese, not anybody. It's irrelevant.
First, they certainly would not allow it to be used in their own public offices. Because this would make them vulnerable to NSA.
No, it wouldn't. It would put them in control of what the NSA thinks it knows (as long as the NSA doesn't know they found it).
Meanwhile, they have info on all the other vulnerabilities they found in this widely used code, and they can plug their own backdoor and others whenever they want to.
What would they do? Ok, they would give the FSB two weeks or how much they need to attack whatever is vulnerable and worth to be attacked around the world.
Why only two weeks? Knowing the NSA backdoor would be a permanent advantage for them - as long as nobody knows they have it - on top of whatever else they found.
So, if {the Pentagon} were to ignore the information that the Russians and Chinese, after looking at the code, forbid it to be sold to their public offices, they would be stupid.
That would not be informative to the Pentagon.
If HP wants to hide this, maybe. But this would be stupid.
No, it would not. It would be profitable, and good for business, and the expected outcome.
Don't forget simple security measures which the Russians will insist on:
Your imaginary world of very stupid Russians and equally oblivious Pentagon security folk is a waste of time.
No. If you use "security by obscurity", good old espionage is dangerous, foolishly displaying the source code too.
And since that is the situation, we have what appears to be complete agreement on the universal folly displayed in HP's betrayal of US and Pentagon security.
- - - -
So what are you posting about the rest of the time here?
Iceaura has defamed me, suggesting that I have made such a stupid claim.
In post 44, among others, you made the relevant claim - including right here, where you backtrack a bit:
But there is also a sufficiently large probability that it will be broken, at least if breaking it is sufficiently interesting for foreign security agencies. Hard to estimate the probabilities, I would say something between 10% and 50%. One can look at classical history of how much about the enemy has been known and how much remained hidden, and would find that quite a lot was known.
In the first place, a sufficiently large probability of a breach is a breach - it has to be treated as a breach. In the second, making the breach probability higher is a bad thing - a betrayal - no matter what it is.

Meanwhile: If you're worried about being defamed, quit posting ridiculous crap like that estimate of the odds of "breaking" - whatever that means - the Pentagon's cybersecurity system. Nothing I post sends you up higher than that kind of stuff.
 