Beijing won’t receive client data or “back doors” into the technology, International Business Machines Corp. said Friday in a statement.
I assume this means that IBM won't specially code backdoors into the software for the Chinese government to use, but I initially read that sentence to mean that there are backdoors in the software, but IBM won't show them to China. Which kinda defeats the purpose of letting them see the source code.
It seems the Chinese policy is very smart by demanding inspection of software before it goes into deployment/production. It's common sense really. We should demand as much in the US.
Too bad we have laws and agencies that demand the exact opposite:
I wonder who in our government thinks deploying code without review or testing is a good idea? Does anyone know where one might find a full list of these people/agencies?
It is one thing to have the government get access to software, and quite another to have truly open source software. Does the entire Chinese population have access to the source? I seriously doubt it.
This isn't that uncommon, and originally this wasn't even necessarily done form a security POV, office source code was shared so governments could build extensions on it for their own internal use before addon's were introduced or when addon functionality wasn't sufficient.
Windows source code including kernel source code was often shared to pass various inspections, and in many cases to integrate proprietary tech such as hardware encryption into the system.
I'm not sure how many of them actually audited it and how many of them had to get access to the source code to tick a box.
Government contracts for software often include having the rights for the source code in case the vendor goes out of business.
In other cases they might want to audit only certain parts of the OS, or just to integrate their own code at a level that out of the box Windows interoperability doesn't support.
If you say have a hardware encryption & security module which connects directly to the hard hard drive and includes a smart card reader for access you will probably need the ability to run custom code in the BIOS, boot loader and OS levels.
Then again if you have the resources of a US, major European power, Russian or Chinese state agency you might have the ability to also audit the full source code.
I had personal access to the Windows "shared source" system, as a third-party. Issued a smart card for remote access. It's not that hard to get and I know other individuals who maintain that access.
It comes in really handy for figuring out specific bugs or implementation details. I'd imagine any large-enough customer would find similar value.
Maybe it's not really about auditing it, as it is about finding their own flaws to exploit. In the US, it's actually worse, because Microsoft also gives NSA the zerodays it finds on a silver platter, way ahead of fixing them (not necessarily suggesting Microsoft will delay fixing them on purpose, but as we know sometimes fixing a major bug can take many months - see the whole Project Zero vs Microsoft scandal - months in which the NSA can put those bugs to "good use").
Oh btw, Apple and Intel do this, too, now (Intel may have been doing it for years, but we know for a fact Apple "volunteered" to do it, too, this year at Obama's Cyber Summit). As far as we know Google has refused to do it, and hopefully it stays that way.
Microsoft releases security advisories to many large costumers especially in regulated sectors a head of time not just to governments.
Large banks for example will get information about new "zero-day" vulnerabilities from their TAM some times months before a patch is released so they could adjust accordingly.
The NSA doesn't get an exploit they are notified about the vulnerability in good faith, in some cases Microsoft and their partners will release a signature which can enabled host or network bases intrusion detection/prevention systems to mitigate the vulnerability until it's patched.
There are other initiatives by various security vendors the most prominent would be ZDI by TippingPoint (now HP) which actually buy exploits so they could make signatures for their IPS, they notify their partners but in many cases withhold the vulnerability information for upto 6 months from the vendor of the vulnerable product.
Okay, I'm going to out myself here. I don't actually know how code is not available for public inspection. Like, what keeps a closed-source program closed?
'“Strict procedures are in place within these technology demonstration centers to ensure that no software source code is released, copied or altered in any way,”'
So... if I were an IBM shareholder (I'm not), I'd certainly hope that this means the code has been provided as a series of highly-compressed JPEGs of the code in a non-OCRable font (i.e., with randomness injected). Otherwise you can go ahead and set your forecasts for IBM's software sales in China to 0 for 2019 or so and beyond.
Thanks. Hopefully that's what's happening here. The article wasn't clear at all as to whether what's happening is what you describe or simply China getting copies of the source (in some form). What a difference it makes!
Do you really think that a country the size of China cannot afford the intelligence service needed in order to get IBM's source code?
US intelligence officers have been compromised for 6-7 figures, for decades. Yet IBM's gonna make sure well funded countries cannot slip in a hire? Come on.
China requires all industries, including aerospace, cars, energy, FMCG, and IT, to cough up IP for free in return for access to its markets. Yet we provide access to our huge markets, gratis.
Even if Western access to Chinese markets is inevitably sporadic and subject to the whims of regulatory Chinese quangos who can withdraw it at any time they feel like it, equity markets encourage companies to play the game and cough the secrets, in the name of the next quarterly targets.
Unlike the actual human beings involved, equities don't care if the IP moves from one society to the next. They can literally rebalance their portfolios from West to East in seconds.
Yet much of the IP thus surrendered was created not directly by those Western companies, but by the societies which fostered the freedoms, intellectual, physical, and political, for such discoveries to be possible, encouraged and nurtured. Those freedoms cost dearly, often literally in blood.
That we're selling this patrimony, hard-won by our forefathers, on the cheap, is criminal.
What you say might be going on, but I would not expect this source code sharing to constitute IP transfer. It's an audit or inspection. The government isn't allowed to use the code, and I doubt they intend to or have the ability to.
I haven't been involved in government audits of source code, but I have been involved in private audits. We invite the third party into our offices, where we provide them access to a laptop that has the source code loaded onto it. The laptop's network access has been disabled. They're free to examine it for as long as they wish, but they're not allowed to copy it or remove it from the network.
These kinds of mitigations are presumably what they're referring to when they say: “Strict procedures are in place within these technology demonstration centers to ensure that no software source code is released, copied or altered in any way.” Note the term technology demonstration center, that is, physical location.
This kind of audit is fairly routine when an important customer is considering your product, for a number of reasons. After all of the security events in the news recently, any foreign government would be right to worry about backdoors in technology provided by US firms. Source code access is one way to mitigate those concerns. It's an audit, not a technology transfer.
Last but not least: I could imagine a certain kind of software where it could be damaging, and could reveal IP, to allow anyone to see any part of the code. Imagine if I invent a better audio compression algorithm that's twice as good as typical MP3 compressors, while producing MP3 format. Then showing someone even a snippet of code could give away my trade secret of how it works. However, the source code of large software products like IBM's is unlikely to have any especially valuable secret sauce. The value of the IP comes from the whole, not of any one special part. In that circumstance, allowing someone to peruse the code at their leisure doesn't give much away.
Yes it's true that clients should have a right to inspect code for potential malevolence, especially when geopolitics are at play. However the article is peppered with qualifications:
“As everybody knows, there’s a tacit understanding that if you want to do business in China, you need to show them how this stuff works,”
"there’s definitely a little bit of: ‘Can we reverse engineer this?’"
“For IBM to do this is a little ballsy.”
I think in general we're far too willing, far too often, to dismiss Chinese business tactics as benevolent.
> I think in general we're far too willing, far too often, to dismiss Chinese business tactics as benevolent.
Who are "we" in this context? I don't really think anyone in the western world seriously believes there is anything benevolent about China, full stop. What's happening here, and what IBM's statements clearly indicate, is that western CEOs think they might be able to goose their quarterly earnings for a year or two by kowtowing to whatever China demands. That means bigger bonuses and maybe more valuable stock for the CEOs, possibly (who are we kidding, certainly) lower profits in the long run as everyone knows China steals everything not bolted down and much of what is. But the CEO has no incentive to care about that.
"We" = the vast majority of people whose short term consumption addiction is being financed by China, which conversely is investing in our long term economic serfdom.
I see. That's not assumption of benevolence, it's simple greed. The same "I'll be gone, you'll be gone" attitude that created the mortgage implosion and so much else that's gone wrong throughout human history. Xbox buyers don't really think China is benevolent, they just don't care because they figure most of the harm they do will be visited on others.
Scaling import tariffs tied directly to public human rights data concerning each country of origin.
No elections in past 10 years, +5% tariff, suppressing political parties, +5% tariff, imprisoning journalists, +5% tariff, internet censorship, +5% tariff, etc.
If equities complain just repeatedly assert that they are anti-freedom and support human rights abuses, and can either lobby other nations to improve their records or have tariff free trade with existing democracies instead.
I'll start by saying I agree 100% with everything you said, and it makes me as angry as it makes you. You are dead right in all respects.
However... there is another subtle argument to be made here. The Han culture has no concept of integrity as we know it in the west. If it's easier or cheaper to steal something than to make it or earn it, they will, and there's no stigma for it. It's not surprising, then, that China steals from western corporations at every possible opportunity, and demands access to western inventions as a condition of market access. But suppose that instead we told them to go fuck themselves, accepted not having access to their "market" (such as it is), and let them invent the stuff themselves if they want it that badly. What then? There are only two possibilities: they go skill up and compete, or they go to war. They can't win a war with the US yet, but it's hard to imagine that such a war would be beneficial. And if they skill up and compete, they become much, much stronger. By giving away most of the store, China is kept fat, lazy, and stupid. They can copy, but they still can't actually do anything for themselves. Maybe, just maybe, that's better than either of the alternatives.
I don't really believe this myself, but I've often contemplated it when this kind of stuff comes up. Is anyone in the US (or EU) government thinking this way? Do NATO military leaders think this way? My guess is no, but it's hard to come up with any other rationale for western behavior here. Personal gain notwithstanding, if you don't believe this at least a little, you'd have to argue for simply putting China on the sanctioned countries list and being done with it, right?
> has no concept of integrity as we know it in the west
By west, do you mean Great Britain?
> U.S. commentators complain that China's success has been predicated on chicanery (like the manipulation of the yuan), dubious business practices and wanton disregard for copyrights. In doing so, they echo things that British commentators once said about America's rise, back when New England factories used reverse engineering to mimic the latest Lancashire technological breakthroughs and Dickens complained of making no money from the pirated copies of his novels sold in the country. To use a line often attributed — probably inaccurately — to Mark Twain, history doesn't repeat itself, but it often rhymes. And this is one of those cases.
It's been a long time (or perhaps never) that the source code had any real value. The value is in the organization - as in both meanings of the word. The noun - organization as legal entity. And the verbish meaning - the organization of all that complexity towards getting something accomplished.
Also, I think all software systems tend to be improved by having more people look at the code. It eliminates the temptation of "security through obscurity".
So if you're not willing to show your stuff, you either a) still falsely believe that your code has intrinsic value, or b) you are ashamed of or at least don't have much confidence in your code.
41 comments
[ 2.5 ms ] story [ 78.7 ms ] threadI assume this means that IBM won't specially code backdoors into the software for the Chinese government to use, but I initially read that sentence to mean that there are backdoors in the software, but IBM won't show them to China. Which kinda defeats the purpose of letting them see the source code.
It's unlikely to have entirely reproducible builds, but simply making the callgraphs line up will give you a lot of information.
Too bad we have laws and agencies that demand the exact opposite:
https://www.fsf.org/blogs/licensing/epa-opposed-dmca-exempti...
I wonder who in our government thinks deploying code without review or testing is a good idea? Does anyone know where one might find a full list of these people/agencies?
https://en.wikipedia.org/wiki/Shared_source#Microsoft_Govern...
This isn't that uncommon, and originally this wasn't even necessarily done form a security POV, office source code was shared so governments could build extensions on it for their own internal use before addon's were introduced or when addon functionality wasn't sufficient.
Windows source code including kernel source code was often shared to pass various inspections, and in many cases to integrate proprietary tech such as hardware encryption into the system.
http://www.dailykos.com/story/2015/02/17/1364910/-Breaking-K...
The NSA buys lots of storage, so it's only natural they would demand and have access to poorly tested/reviewed code hiding behind closed sources.
Government contracts for software often include having the rights for the source code in case the vendor goes out of business.
In other cases they might want to audit only certain parts of the OS, or just to integrate their own code at a level that out of the box Windows interoperability doesn't support.
If you say have a hardware encryption & security module which connects directly to the hard hard drive and includes a smart card reader for access you will probably need the ability to run custom code in the BIOS, boot loader and OS levels.
Then again if you have the resources of a US, major European power, Russian or Chinese state agency you might have the ability to also audit the full source code.
It comes in really handy for figuring out specific bugs or implementation details. I'd imagine any large-enough customer would find similar value.
http://arstechnica.com/security/2013/06/nsa-gets-early-acces...
Oh btw, Apple and Intel do this, too, now (Intel may have been doing it for years, but we know for a fact Apple "volunteered" to do it, too, this year at Obama's Cyber Summit). As far as we know Google has refused to do it, and hopefully it stays that way.
Large banks for example will get information about new "zero-day" vulnerabilities from their TAM some times months before a patch is released so they could adjust accordingly.
The NSA doesn't get an exploit they are notified about the vulnerability in good faith, in some cases Microsoft and their partners will release a signature which can enabled host or network bases intrusion detection/prevention systems to mitigate the vulnerability until it's patched.
There are other initiatives by various security vendors the most prominent would be ZDI by TippingPoint (now HP) which actually buy exploits so they could make signatures for their IPS, they notify their partners but in many cases withhold the vulnerability information for upto 6 months from the vendor of the vulnerable product.
Source?
If you have to patch 10,000 machines you don't want to be in a position to hear about it with everyone else on patch Tuesday.
If you a big enough client you'll know it's coming and even might get the update ahead of time.
Super highly unlikely. They worked closely together. Viz http://www.huffingtonpost.com/2014/05/06/nsa-google_n_527343...
https://news.microsoft.com/2004/02/12/statement-from-microso...
This was the company that the code leaked from https://en.wikipedia.org/wiki/Mainsoft
So... if I were an IBM shareholder (I'm not), I'd certainly hope that this means the code has been provided as a series of highly-compressed JPEGs of the code in a non-OCRable font (i.e., with randomness injected). Otherwise you can go ahead and set your forecasts for IBM's software sales in China to 0 for 2019 or so and beyond.
IBM doesn't seem to be very interested in selling software.
US intelligence officers have been compromised for 6-7 figures, for decades. Yet IBM's gonna make sure well funded countries cannot slip in a hire? Come on.
Even if Western access to Chinese markets is inevitably sporadic and subject to the whims of regulatory Chinese quangos who can withdraw it at any time they feel like it, equity markets encourage companies to play the game and cough the secrets, in the name of the next quarterly targets.
Unlike the actual human beings involved, equities don't care if the IP moves from one society to the next. They can literally rebalance their portfolios from West to East in seconds.
Yet much of the IP thus surrendered was created not directly by those Western companies, but by the societies which fostered the freedoms, intellectual, physical, and political, for such discoveries to be possible, encouraged and nurtured. Those freedoms cost dearly, often literally in blood.
That we're selling this patrimony, hard-won by our forefathers, on the cheap, is criminal.
I haven't been involved in government audits of source code, but I have been involved in private audits. We invite the third party into our offices, where we provide them access to a laptop that has the source code loaded onto it. The laptop's network access has been disabled. They're free to examine it for as long as they wish, but they're not allowed to copy it or remove it from the network.
These kinds of mitigations are presumably what they're referring to when they say: “Strict procedures are in place within these technology demonstration centers to ensure that no software source code is released, copied or altered in any way.” Note the term technology demonstration center, that is, physical location.
This kind of audit is fairly routine when an important customer is considering your product, for a number of reasons. After all of the security events in the news recently, any foreign government would be right to worry about backdoors in technology provided by US firms. Source code access is one way to mitigate those concerns. It's an audit, not a technology transfer.
Last but not least: I could imagine a certain kind of software where it could be damaging, and could reveal IP, to allow anyone to see any part of the code. Imagine if I invent a better audio compression algorithm that's twice as good as typical MP3 compressors, while producing MP3 format. Then showing someone even a snippet of code could give away my trade secret of how it works. However, the source code of large software products like IBM's is unlikely to have any especially valuable secret sauce. The value of the IP comes from the whole, not of any one special part. In that circumstance, allowing someone to peruse the code at their leisure doesn't give much away.
Who are "we" in this context? I don't really think anyone in the western world seriously believes there is anything benevolent about China, full stop. What's happening here, and what IBM's statements clearly indicate, is that western CEOs think they might be able to goose their quarterly earnings for a year or two by kowtowing to whatever China demands. That means bigger bonuses and maybe more valuable stock for the CEOs, possibly (who are we kidding, certainly) lower profits in the long run as everyone knows China steals everything not bolted down and much of what is. But the CEO has no incentive to care about that.
No elections in past 10 years, +5% tariff, suppressing political parties, +5% tariff, imprisoning journalists, +5% tariff, internet censorship, +5% tariff, etc.
If equities complain just repeatedly assert that they are anti-freedom and support human rights abuses, and can either lobby other nations to improve their records or have tariff free trade with existing democracies instead.
However... there is another subtle argument to be made here. The Han culture has no concept of integrity as we know it in the west. If it's easier or cheaper to steal something than to make it or earn it, they will, and there's no stigma for it. It's not surprising, then, that China steals from western corporations at every possible opportunity, and demands access to western inventions as a condition of market access. But suppose that instead we told them to go fuck themselves, accepted not having access to their "market" (such as it is), and let them invent the stuff themselves if they want it that badly. What then? There are only two possibilities: they go skill up and compete, or they go to war. They can't win a war with the US yet, but it's hard to imagine that such a war would be beneficial. And if they skill up and compete, they become much, much stronger. By giving away most of the store, China is kept fat, lazy, and stupid. They can copy, but they still can't actually do anything for themselves. Maybe, just maybe, that's better than either of the alternatives.
I don't really believe this myself, but I've often contemplated it when this kind of stuff comes up. Is anyone in the US (or EU) government thinking this way? Do NATO military leaders think this way? My guess is no, but it's hard to come up with any other rationale for western behavior here. Personal gain notwithstanding, if you don't believe this at least a little, you'd have to argue for simply putting China on the sanctioned countries list and being done with it, right?
By west, do you mean Great Britain?
> U.S. commentators complain that China's success has been predicated on chicanery (like the manipulation of the yuan), dubious business practices and wanton disregard for copyrights. In doing so, they echo things that British commentators once said about America's rise, back when New England factories used reverse engineering to mimic the latest Lancashire technological breakthroughs and Dickens complained of making no money from the pirated copies of his novels sold in the country. To use a line often attributed — probably inaccurately — to Mark Twain, history doesn't repeat itself, but it often rhymes. And this is one of those cases.
http://content.time.com/time/magazine/article/0,9171,2029400...
This is the exact same strategy that the US used to get ahead (including the high tariffs too). To chastise china for this is hypocrisy.
Also, I think all software systems tend to be improved by having more people look at the code. It eliminates the temptation of "security through obscurity".
So if you're not willing to show your stuff, you either a) still falsely believe that your code has intrinsic value, or b) you are ashamed of or at least don't have much confidence in your code.