Hewlett Packard Allowed Russian Firm to Review Pentagon Cyberdefense Software

Discussion in 'Business & Economics' started by Tiassa, Oct 3, 2017.

  1. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    One would think that, if the company that said customer is approaching has the reputation worthy of a high-profile client approaching them, said reputation should be sufficient alongside a demonstration of how their software works.

    Releasing the source code, especially to an entity that has a track record of what could, at its most generous, be considered double dealing, when said source code is the basis upon which your other clients depend for their security... well, that seems foolish, at best.

    This is why the company I work for has a multi-tier system in place for new hires that have access to this sort of thing - several rounds of interviews, background checks (including fed security clearances etc), checking and interviews with references (personal and professional), etc.

    Sure, you aren't going to catch every potential issue with 100% certainty... but there are ways to mitigate the risk.

    Giving away the keys to the kingdom... not exactly a good way to keep your software secure.
     
  3. gmilam Valued Senior Member

    Humans are always your weakest link in any security paradigm.
     
  5. Schmelzer Valued Senior Member

    No. This is named "security by obscurity" and considered as the worst thing one can do. For some program to be really secure, it should be Open Source.
     
  7. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    *blink*

    For a consumer grade program, sure.

    For Department of Defense level security on systems guarding access to, say, secure communications channels, or secure servers, or things like that... yeah, not so much.

    Enigma was impossible to crack... until the Allies got their hands on an Enigma machine.
     
  8. Tiassa Let us not launch the boat ... Valued Senior Member

    There is part of me that wants to be really sarcastic, here, so I think the best thing to do is explain why, because, in the end, that's usually how it works.

    Why those kinds of software packages? Republicans. Don't get me wrong, Democrats needed to vote for this stuff, too, but this is how the last ten presidential cycles have gone.

    The conservative appeal has been to business and wealth. We can unchain your potential as an individual by slashing taxes and deregulating because then the economy will fly, and history shows the only reason anyone ever is dishonest in the business community is because there are laws and regulations, and that forces good people to break rules. Yes, I know, it sounds ridiculous, but that's also what a lot of us have been saying for decades. As (ahem!) someone pointed out, "Privatization of national security tools—what could go wrong?"

    Because that's what happened. When Republicans pushed privatization, Democrats pushed back where they could and buckled where they thought they must. And it's really easy to buckle on these individual points, without any context toward the larger downstream, and cumulative effects. We talk a lot about legislative majorities, like recent arguments about whether Democrats should drop aspects of civil rights advocacy in hopes of peeling off a few midwest votes. Thirty years ago, the easy compromises to make were abortion and privatization.

    Hey, do you remember the idea of kaypee? I'm sure KP exists somewhere in the service, but think of it this way: Once upon a time, soldiers fed themselves and each other. Congressional Republicans looked at the pile of appropriation money for feeding the services and decided it could do a lot more if they gave it to large-scale restaurateurs in order to create a retail marketplace so that the private sector could profit off servicemembers during wartime. I still think that's ridiculous, but ... what? That feels in memory like it was so ingrained that there wasn't really much discussion. I don't remember the transition, but I think it was between our Iraq Adventures.

    Some of what Democrats did was the price of desperately forestalling what we have right now. And while we usually wallow in this aspect, these days, arguing about what Democrats should do next, there is also this: The privatization of government needs and resources is part of a political thesis in this country, and voters have supported it for decades.

    Thus, "why is the Pentagon using an off the shelf software package?" Republicans. Congress. Voters. Priorities. We did this consciously and deliberately. It was not an accident. "Saving money" as a public proposition while routing public money to private interests is a long Republican plank, and voters have really liked it. Kind of like trimester abortion bans, or the D&X ban, crossover Democrats occasionally think they're doing the right thing voting in support, but mostly feel they're taking a dangerous compromise in order to fend off greater danger.

    And that's one of the things that hasn't worked; if you've been following questions of the Democratic Party and Appeasement, it's one of the subtexts people on the left side of the dispute keep presenting. The idea that public schools are incomplete unless they are indoctrinating new consumers to brand loyalty is pretty awful, but when you lose enough elections that the other side is about to get away with starving people, you'll take what scraps you get.

    This is how we've done it in these United States the whole time my political conscience has been awake. History tells me the only real change compared to what came before me is that these fake compromises, these intentional sieges against the American potential and proverbial American Dream, used to be a little more opaque and obscure. Right now, we're openly playing simpleton swindles.

    And this is one of them.

    There have in our American politics been some smoldering rumors and suspicions, over the course of decades, and what contained the heat was a simple proposition of general decency, that you don't go randomly accusing people of being so terrible.

    And as many have pointed out in recent months, there really isn't anything surprising about the utter disrepair and mean spirit about the Republican Party in the Trump Era; this is not a deviation, but a culmination. This is their big throw. And thirty years ago? Yeah, we all knew there were pockets of white supremacism in the conservative movement, but they were never supposed to get their way. And that's an example of the concession to general decency. Yeah, we've kind of "known" the whole time that these were a bunch of white supremacists, but my entire life there has been enough sympathy for them that saying so was considered inflammatory.

    We had an incident at Sciforums some years ago that almost perfectly encapsulates the attitude: A moderator wrote a political post denouncing Mexicans for being an army that was invading the United States and stealing jobs and economy from good, decent Americans. (You know, because we born Americans are just lining up for the privilege of that awesome job picking strawberries the rest of the world would prefer to not allow on their shelves for the dangerous manner in which they are grown.) Someone picked apart the racist tropes, explaining why they were racist. The moderator, elevated specifically for his political outlook—increasing conservative representation because, you know, we need to be "fair"—struck the post criticizing his own and instituted an unwritten rule that accusing racism is off limits for being ad-hom. As far as I know it was never enforced again.

    And that's kind of the way supremacists are. There is actually a white nationalist in the Pacific Northwest who meets a particular criterion of mine, though I have no idea what that means since the point was generally rhetorical. At any rate, this guy acknowledges he's a racist, a supremacist, and so on. He just thinks the world should be that way, and wants the area where I live for a "white" homeland. (And as "white" people start dealing with words like genotype and phenotype—it would be funny if it wasn't so tragically stupid—after sending away for their DNA analysis because they want to be proud of their white purity, freak out upon learning they are sixteen percent black and eight percent Jewish, perhaps white-homeland advocacy is preparing to die with its current leading generation.) This particular white supremacist, though, seems something of an outlier. Most supremacists are really sensitive about the propriety or impropriety of supremacism, and what is different about now compared to some not so long ago then is that we're having some manner of societal discussion about supremacism in conservative quarters. And that contrast is the point of this digression.

    Because the magnitude of various strange controversies ever since the economy blew up in '07, which, depending on one's preferred narrative is either significant or presumptive of oversignificance, as nothing ever begins, have really sort of erased, much like the years of war preceding the meltdown, what was once a weird but useful middling compromise of normalcy. And in that normalcy was a move to privatize everything, and compared to everything else that was going on, shrinking government was a pretense Democrats really, really needed to be in on because it could swing close districts.

    The question of cutting costs is what it is; can we actually prove that hiring out is really less expensive and more secure than raising a Joint Service Technical Corps specifically for the purpose of programming the nation's defense? Remember that, even setting aside the Snowden issue, that firm would eventually be revealed to have pretty terrible vetting standards. Letting the private sector have a piece might seem like a good idea, but we should also remember that proper security protocol is expensive and therefore bad for business.

    And as we learn more about the Kaspersky connection to an NSA loss, doesn't it seem like certain things really ought to be clear? That is, yeah, this guy took stuff home, and that's how it landed in the Kaspersky index, but then we have to put out memos telling departments to get rid of the software that makes an index of what is on a computer and relays it to a server to check against another index, that was developed in another country, in this case, Russia. I would have thought the part about software that makes an index of what is on a computer and transmits that list elsewhere would have made an obvious point about software developed under a foreign purview.

    However, when we talk about what is good for the economy or bad for business, yes, this level of apparent ¿huh? is a fundamental part of how we've been doing it in these United States for a while. Many who lament that the parties are the same would be including Democratic buckling on business and commerce among the enumerated offenses.

    More than cutting costs, what they mean is cutting expenses spent on federal action. In some conservative theses of government, the idea is that the government supports the society by providing for its defense and supporting its trade and commerce; the point is to take taxpayer money and give it to preferred rich people, and has nothing to do with cutting costs.

    "The fact that this is even possible," as Iceaura noted, "tells us all we need to know."
     
  9. iceaura Valued Senior Member

    So?
    Since it isn't open source, and can't be (because they would have nothing to sell, and the Pentagon would be unable to secure military stuff, among other issues), we still have the situation that exists.

    And it's an absurd, dysfunctional mess. Bad governance. So we ask why and how.
     
  10. gmilam Valued Senior Member

    I figured it was already obvious, hence my first comment in this thread. But then again, we are the country that outsources supply lines for our troops.

    I remember when the second Gulf war started I was talking to a friend of mine who said, "We will go in there and find those WMDs just like Bush says." My reply, "We will not find a damn thing and Halliburton will make a fortune." And here we are, still traveling that same road.
     
  11. The God Valued Senior Member

    Giving away source code is not something new. Sometimes it can be part of the contract that the source code will not be shared with anyone else. So the first question is, was it part of the contract with HP? If not, then what binds HP from showing it to any Tom?
     
  12. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    For starters, one just has to look at the ongoing process of malware vs antimalware (or cheats vs anticheat software) to see why giving away the source code is a Bad Idea. It gives the ones trying to subvert your security suite a LOT of information that helps them defeat it.
     
  13. The God Valued Senior Member

    Technical aspect apart, if it is not prohibited by the contract, then I see no reason why source code cannot be shown to future clients. Why should HP not demonstrate and show its inventory to a prospective client? It was the failure of the US not to include a prohibition clause in the contract. If it is so.
     
  14. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    Uh... no? The technical aspect cannot and should not be separated, as it is kind of the whole idea?

    That much is obvious...

    Demonstrating the software and inventory does not necessitate giving out the source code behind the software. There are demos of PhotoShop you can download, and they most certainly don't come with the source code...

    Right... so now it is up to the buyer to put into the contract every possible scenario that exists, rather than an expectation of the other actor behaving in good faith and according to industry norms?

    Let me try and make an analogy you'll understand, since this is regarding security software:

    A company, such as HPE, giving the source code for the security software one of their clients is using to a hostile foreign actor can be compared to a company that makes high security doors with key locks giving a copy of the master key template for all of its locks used by a client to a competitor of said client.
     
  15. The God Valued Senior Member

    I liked your key lock example.

    The prevalent argument seems to be that HP developed a security wall and is now sharing its source code with another country which could be hostile to the US?

    So we will have to see how far the situation is true or whether it is just media hype?

    Neither is the US as a purchaser foolish, nor is HP a small-time organization that would risk its image as an ethical business entity. But keep in mind that sharing source code, or putting a prohibition in the contract, is not something unusual in the software industry.
     
  16. iceaura Valued Senior Member

    Your optimism is noted, but we have a long record of foolish purchasing behavior by the US and unethical behavior by big time "business entities" - we also have many records of unethical purchasing behavior by the US and foolish behavior by big time business entities.

    We have a record of what money, big money, said when it talked, in other words.

    And unlike when big money talks to the likes of us, when big money talks to folks who can help it become bigger money its vocabulary expands beyond "bend over".
     
  17. Schmelzer Valued Senior Member

    Enigma was security by obscurity. It was not really safe.

    Modern encryption is safe, if implemented without errors. Even "consumer grade" is, say, safe enough to protect your data from access by the LEA. Here I do not mean, of course, the "consumer grade" products of US firms which are not Open Source, so that one can be sure the NSA has a backdoor.

    Instead, if the government software is not Open Source, it can be hacked much more easily, and you will never know about this. Some evil (of course Russian) spies can modify the code; who will check to find this out, if you need a high-level security clearance to look at it?

    In other words, the security you can obtain based on the classical police state methods is, in comparison with the security which can be obtained with modern Open Source software, much worse.
     
  18. iceaura Valued Senior Member

    Enigma was safe, if implemented without errors.
    So?
    What's that got to do with HP's travesty here?
     
    Last edited: Oct 8, 2017
  19. Tiassa Let us not launch the boat ... Valued Senior Member

    Nothing. He's trying to change the subject.
     
  20. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    Is that unexpected, given the source?
     
  21. Schmelzer Valued Senior Member

    If you want to sell cybersecurity software in Russia, you have to open your source code to the Russian specialists. Russia does not want to allow security software with NSA backdoors to be sold in Russia. But, if they can see the source code, it does not matter that the Pentagon is using the same software; it will be allowed on the Russian market. And if HP does not have NSA backdoors in its code, but really secure software, and wants to sell it on the Russian market, what would be the point of hiding the source code?

    That the US is actually going insane about Russian hackers is an American problem. Forbid American firms from opening their source code; your choice. The international competition will be happy that there will no longer be any American competitors in all the countries which are not so stupid as to allow security software with NSA backdoors.
     
    Last edited: Oct 9, 2017
  22. iceaura Valued Senior Member

    Sure. But that means - if you are sane - you don't use that same software for cybersecurity at the Pentagon.
    They didn't hide the source code.
    So? Russian hackers are an American problem, of course. They are also problems for other countries.
    Now what are you babbling about?
    Few countries are stupid enough to think that NSA backdoors are the only security issues they have to worry about.

    But yeah - NSA backdoors like the current ones are a bad idea, and Americans clearly need to quit electing Republicans and roll back some of the damage done.
     
  23. The God Valued Senior Member

    Cyber security software source code shown. So what?

    I think one of the participants here should be a software expert. Merely showing the code (it has encryption, decryption and other aspects which will always be buyer specific) will not cause any easy hacking of US installations. In fact it is as good or as bad as having nothing for those who wish to hack it. Those hackers are not some run-of-the-mill coders; they know much more than the basic premises, and I am sure that's what is shown to the Russians. And of course the Russians are not stupid enough to ask HP to show them how to get into US systems, and HP is not that stupid as to demonstrate to them how to get access to Pentagon files residing in US secure servers. It's crazy.

    I am sure even HP will not be able to hack it.
     