SoylentNews is people

posted by martyb on Monday August 06 2018, @05:42PM   Printer-friendly
from the we-want-to-look-at-who-is-looking-at-you dept.

Submitted via IRC for BoyceMagooglyMonkey

The U.S. government is stepping up its sensitivity to foreign governments insisting on reviews of software companies' source code.

The section of the bill that passed the Senate with an 87-10 vote stipulates that the Department of Defense cannot use any software product in a range of its systems unless the manufacturer fully discloses the software reviews by foreign governments that it has previously allowed or is under obligation to allow in the future. The language of the order is typically convoluted, and it does not include all foreign governments, only governments that are placed on a forthcoming list of cyber threats that is due within 180 days after the bill is signed. The president still has to sign off on the legislation, something he's expected to do, but you never know with this guy.

It appears that the section was prompted by a Reuters investigation from last year that found Hewlett Packard Enterprise permitted a company to review its source code for a piece of cyber defense technology on behalf of the Russian government. The software is also used by the Pentagon. A subsequent report found that SAP, Symantec, and McAfee had also given the Russian government permission to dig through their code for software that's also used by the DOD.

Source: https://gizmodo.com/congress-votes-to-force-software-makers-to-reveal-if-th-1828064013

  • (Score: 2) by Snotnose on Monday August 06 2018, @05:47PM (1 child)

    by Snotnose (1623) on Monday August 06 2018, @05:47PM (#717928)

    Having an outside agency do a code review should be a good thing, especially if the outside agency is required to disclose the results to the vendor.

    --
    I came. I saw. I forgot why I came.
    • (Score: 3, Touché) by bob_super on Monday August 06 2018, @08:02PM

      by bob_super (1357) on Monday August 06 2018, @08:02PM (#717972)

      SOP: The agency discloses to the vendors all the vulnerabilities which have a high risk of being found by competing agencies.

  • (Score: 3, Insightful) by Anonymous Coward on Monday August 06 2018, @06:11PM (4 children)

    by Anonymous Coward on Monday August 06 2018, @06:11PM (#717932)

    My question would be - how does this play into open-source software? Foreign governments can obviously review those products. Did they just make it impossible to use anything with source available in DoD projects?

    • (Score: 0) by Anonymous Coward on Monday August 06 2018, @06:21PM

      by Anonymous Coward on Monday August 06 2018, @06:21PM (#717936)

      Well it only seems to require disclosure. Does it say anything about how the disclosed results should impact any decision making?

    • (Score: -1, Troll) by Anonymous Coward on Monday August 06 2018, @08:50PM

      by Anonymous Coward on Monday August 06 2018, @08:50PM (#717979)

      Only incels write software that lets communists read its source code. When the source code is published for anybody to review, it excludes women, because incels hate women and can't get laid!

      Incel GNU software is a conspiracy to prevent women from learning programming by making the source code freely available!

    • (Score: 5, Insightful) by RS3 on Monday August 06 2018, @09:25PM (1 child)

      by RS3 (6367) on Monday August 06 2018, @09:25PM (#717988)

      This is pure speculation, but I imagine DoD worries it could be running buggy code where foreign govt. knows about the bugs, but DoD and supplier haven't noticed yet. So foreign govt. could exploit the bugs, and DoD are none the wiser.

      Open source is a different animal. There could be bugs not yet caught by DoD or contractor, but foreign govt. has found and will exploit. However, being open source, many many people are reviewing and testing code, so there are likely fewer bugs, and quicker patching.

      • (Score: -1, Troll) by Anonymous Coward on Tuesday August 07 2018, @08:27AM

        by Anonymous Coward on Tuesday August 07 2018, @08:27AM (#718158)

        However, being open source, many many people are reviewing and testing code, so there are likely fewer bugs, and quicker patching.

        Hilarious. Many "user experience" bugs might be spotted but from history there were plenty of security vulnerabilities and exploits in OSS that were not spotted for quite a long while. Examples:

        https://www.theregister.co.uk/2016/10/13/sshowdown_botnet/
        https://www.helpnetsecurity.com/2018/06/15/cve-2018-12020-digital-signature-spoofing/

        Most people won't notice a security bug even if a dialog box popped up and told them there was one.

  • (Score: 0) by Anonymous Coward on Monday August 06 2018, @06:18PM

    by Anonymous Coward on Monday August 06 2018, @06:18PM (#717933)

    "All software can be reviewed by anyone at any time".

    There, all OSS is now permitted to be used. In fact, doesn't this bureaucracy favour OSS usage, or a push towards building software in-house (surely a good thing)?

    I also note this seems to only apply to what DoD want to use.

  • (Score: 5, Insightful) by jmorris on Monday August 06 2018, @06:19PM (2 children)

    by jmorris (4844) on Monday August 06 2018, @06:19PM (#717934)

    Instead of buying pigs in pokes and worrying whether somebody else got a peek in the sack and you didn't, just insist on open source and let everybody see what is in it and audit it. And if it can't be Open Sourced at least only buy source code and build it yourself and audit it. Selling opaque binaries is merely an artifact of the way computers worked a generation ago, now they try to maintain that fell tradition by building obfuscators for scripting languages and shit. Enough. A copyrightable work should only be the human readable sources and binaries a "derived work" not independently capable of receiving copyright protection. Copyright and Patent protection are only permitted to "advance the progress of science and the useful arts" and closed binaries do the opposite and harm progress.

    • (Score: 1, Troll) by MichaelDavidCrawford on Monday August 06 2018, @06:40PM

      by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Monday August 06 2018, @06:40PM (#717946) Homepage Journal

      You must be unfamiliar with Open Source.

      Have you actually seen any lately?

      I'm not talking about Richard Stallman's source. That's Free Software. Open Source is quite a different thing.

      No, I'm talking about Eric Raymond's source.

      --
      Yes I Have No Bananas. [gofundme.com]
    • (Score: 2) by Azuma Hazuki on Tuesday August 07 2018, @12:13AM

      by Azuma Hazuki (5086) on Tuesday August 07 2018, @12:13AM (#718039) Journal

      Modded up. You've, for once, said something that makes sense and is at least tangentially related to the real world and the betterment thereof. Plz2do more often.

      --
      I am "that girl" your mother warned you about...
  • (Score: 3, Interesting) by Anonymous Coward on Monday August 06 2018, @10:03PM

    by Anonymous Coward on Monday August 06 2018, @10:03PM (#718000)

    Sec. 1639. Mitigation of risks to national security posed by providers of information technology products and services who have obligations to foreign governments

    (a) Disclosure required

    The Department of Defense may not use a product, service, or system relating to information or operational technology, cybersecurity, an industrial control system, a weapons system, or computer antivirus provided by a person unless that person discloses to the Secretary of Defense the following:

    (1) Whether the person has allowed a foreign government to review or access the code of a product, system, or service custom-developed for the Department, or is under any obligation to allow a foreign person or government to review or access the code of a product, system, or service custom-developed for the Department as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person on behalf of such a government.

    (2) Whether the person has allowed a foreign government listed in section 1638(a) to review or access the source code of a product, system, or service that the Department is using or intends to use, or is under any obligation to allow a foreign person or government to review or access the source code of a product, system, or service that the Department is using or intends to use as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person on behalf of such a government.

    (3) In a case in which the person is a United States person or an affiliate of a United States person, whether or not the person holds or has sought a license pursuant to the Export Administration Regulations under subchapter C of chapter VII of title 15, Code of Federal Regulations, the International Traffic in Arms Regulations under subchapter M of chapter I of title 22, Code of Federal Regulations, or successor regulations, for information technology products, components, software, or services that contain code custom-developed for the product, system, or service the Department is using or intends to use.

    License the code to a joint venture. You're not under obligation and you're not showing it to a government or to a person on that government's behalf. You ARE willingly showing it to a foreign person as part of a deal between companies. But the law didn't request you to disclose that particular arrangement. And that applies to both the custom-developed code as well as the mass-market code.

    Pretty obvious someone got paid rather well to make this "honest" mistake.

  • (Score: 2) by legont on Tuesday August 07 2018, @01:20AM

    by legont (4179) on Tuesday August 07 2018, @01:20AM (#718059)

    Forget about the source code. The company I work for outsourced all the support into various parts of the world. They have administrative access that we don't. If China wants to hack us, they are just a few clicks away, including the source code.

    If DoD wants it secure, they'd have to do it the old-fashioned way - in house and behind the barbed wire - similar to the Manhattan Project (which was also penetrated at least twice).

    Those monkeys can't win and the largest evil is hit the hardest (wikileaks design).

    --
    "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
  • (Score: 0) by Anonymous Coward on Tuesday August 07 2018, @05:12AM

    by Anonymous Coward on Tuesday August 07 2018, @05:12AM (#718115)

    "...but for anything WE peep on, this secret letter will keep your trap shut."
