37 comments

[ 5.0 ms ] story [ 24.1 ms ] thread
Isn't that standard practice?

HP wants to sell their product so they do this. If the Pentagon doesn't want this they would need to purchase exclusive rights to it or the state department would need to forbid the sale of the software overseas.

This is totally normal practice.

Also most likely ArcSight used by pentagon can be totally different beast then ArcSight used by private companies.

Also most likely ArcSight doesnt cover most of US cyberwarfare arsenal.

ArcSight processes security events. These typically come from devices or server log files. Events are filtered and tagged with context before being sent to the server where they are further processed. The primary processing is correlation done in-memory which is a strength of the product.

Each installation is different - deployment site of probes, filter, tagging and correlation rules. There is not much be gained by looking at the code vs. knowing the Pentagon uses ArcSight.

The one security relevant aspect is the fact that ArcSight processes data from the internet. Programming error in that code may contain vectors allowing a RCE. On the other hand the product has been around for a while and should be safe.

ArcSight is not only used by the Pentagon but by many tier-1 companies to monitor their networks. Unless it falls under ITAR companies can sell their product in whatever manner they like.

This is a piece of software that aggregates logs and allows you to look for patterns to flag up suspicious activity ... it's not like it's the source to your firewall, total non story.
This appears to be a case of patriotism vs the Almighty Dollar, albeit with shades of nuance. Is it standard practice for security software vendors to provide enterprise clients with audit rights? And could a restriction in future market opportunity lead technology companies to avoid doing business with the government?
Even if they didn't disclose the source code, they could always reverse engineer/brute force a single install.

I guess the Pentagon not only did the same thing, it also secured its right to patch without HPE's knowledge or approval.

If we put ourselves in the shoes of the Russians, they are about to get software the US already uses, which gives the Pentagon a head start in knowing the eventual security flaws. Like the US wouldn't use that kind of knowledge if they wanted...

Also, why do all hacking news graphs/stock images show people in hoodies?

Why do so many people still believe in security-by-obscurity?

  "Some security experts say that studying the source code of a product would make it far easier for a reviewer to spot vulnerabilities in the code, even if they did not leave the site with a copy of the code."
I would like to meet those experts that advocate, that not looking at the code makes the product more secure.
Exactly.

Although I believe SBO does work, this is simply not the case for using it.

SBO buys time.

"POSTing a script that looks like a custom FORTRAN-esque language" probably sounds a lot like "slower than expected progress" in Russian.

All cyber-security is just a way of buying time.

Depth is king. The attacker must be made to fight for every inch.

However long it takes a new hire to be able to do useful things is about how long it takes an attacker to do useful things without being bull in a China shop loud about it (this is also why key rotation is important).

Good attackers deserve credit though. They have to understand stacks that most of HN would just wrap and treat as a black box (and then pull their hair out wondering why their JS app breaks on edge cases).

> I would like to meet those experts that advocate, that not looking at the code makes the product more secure.

Pretty much every proprietary platform vendor ever.

Well, if you compare the situation where an adversary has access to source code with a situation where they don't - everyting else being the same - , they have higher chance of finding vulnerabilities in the first.

The "security-by-obscurity" point does apply when you compare "going open-source with many observers" to "being closed-source with no one looking", but this is not the case here.

...now enter fuzz testing and your first statement goes out the window.
Fuzz testing is far, far easier and more complete if you have the source code. It is not required to have the source to fuzz, but white-box fuzzing can be combined with code coverage analysis to make sure you hit all code paths, including ones that would rely upon a more structured sequencing of the inputs. Black-box fuzzing could eventually reach the same end result, but it would take far longer or far more resources.
security by obscurity does not make something secure, but it does make it more difficult to figure out what security holes something has. Which is what the experts said - if I give you the source code you can figure out my thinking and what attacks to start up. otherwise you have to run a bunch of stuff first and expend resources and money to get to the same spot you can get to just by reading for a bit.
Yes, although access to the system allows you to probe it without necessarily alerting the defenders; you can prepare your zero-day and learn from all the crashes and other things that the defenders might have noticed etc.
"The U.S. military agency itself did not require a source code review before purchasing ArcSight and generally does not place such requirements on tech companies for off-the-shelf software like ArcSight, the Pentagon spokeswoman said. Instead, DISA evaluates the security standards used by the vendors, she said."

So the Russian government has higher security standards than the US?

The Russians do. They even use typewriters in some dept.
I don't know if that's really true. DoD gets the Windows source code for example.
So does Russia.
I don't see how that's relevant.

Tools exist to audit anything on the windows CLR. So, from a security standpoint they have everything they need and can request the source code if any red flags show up.

Sure, the source code is great if you want to maintain code. But, for a security audit it's often more deceptive than useful.

What a joke.

Surely this has completely destroyed the value of this software.

Hard to imagine any good software written by HP anyway.

Don't they employ lowest cost programmers? Heck the probably designed it using UML or something silly like that, with hundreds of business analysts and vast numbers of stakeholder meetings all working to reach consensus, before getting all those lowest cost programmers to try to write what they think the spec might mean - all truly inspired software is written this way.

ArcSight was an acquisition if I remember correctly, and it would have avoided a lot of the HP/E Software issues as a result.
I have to admit, the constant articles with the word 'Russia' in them just to make you go, 'oh, it must be something super nefarious that they're doing' is getting a bit on my nerves lately. Report on something worth raising a stink about or admit that you're just red-baiting.
I remember a similar build up of fears leading up to the Iraq war, many of the same people in the house and senate are banging that old war drum as well. John McCain effectively switched parties to join in on the fun.
McCain was first elected as a Republican, no?
He was and still officially is one on paper but evidently he now supports the ACA and war with Russia. If he ran on those ideas its possible that many constituents would of voted differently. If you simply outlined his policies he doesn't differ all that much from Clinton.
Did I accidentally click on the_donald?
What saddens me is that it works. Most of the people I know don't see through the propaganda.
(comment deleted)
The very odd thing is how the susceptibility to the name has switched political sides. Now the populists/conservatives don't want to hear about Russian stuff, and the liberals are sure that Putin elected Trump. I caricature, but not by much.
In other news, Ford let Russia inspect the same sedan they sell to the US Armed Forces!
(comment deleted)
Oh, an article about Russia from US media. I'm surprised they didn't include the usual stock photos of people in hoodies typing away as matrix text scrolls behind them.
Access to root accounts on some ArcSight boxes only involve challenge-response codes that we were supposed to get from HPE support. Because of how annoying this was, a clever ArcSight colleague of mine was able to create a simple Java program we would run to get the response code ourselves, saving us lots of time. Not sure exactly how he did it, but it only took him a weekend.

Source code or not, some ArcSight servers were already very vulnerable. Whether or not that was done on purpose, who knows.

The real problem is that there seemingly isn't a great FOSS alternative for ArcSight. Whatever it does couldn't really be that extraordinary.