Obligatory accreditation system for IT security products
September 22, 2008 11:12 AM   Subscribe

If this sticks, it could be the end for a large class of security-through-obscurity paradigms.
posted by noble_rot at 11:19 AM on September 22, 2008 [1 favorite]

Wait, things exist that aren't made in China?
posted by Artw at 11:22 AM on September 22, 2008 [6 favorites]

Unintended consequence: huge boost for open source projects as manufacturers make special non-trade-secret versions of their software and (and embedded hardware) for China.
posted by zippy at 11:27 AM on September 22, 2008 [2 favorites]

The Chinese government said it needs the source code to prevent computer viruses taking advantage of software vulnerabilities and to shut out hackers.

Open Source: You're doing it wrong.

China: "We found some vulnerabilities in your software, so we have closed up the holes."

Microstuff: "Really? What were they?"

China: "Ain't tellin'"
posted by cimbrog at 11:28 AM on September 22, 2008 [1 favorite]

However, this explanation is unlikely to satisfy concerns that disclosed information might be handed from the Chinese government to Chinese companies.

They say that like it's a bad thing. China bought the product--why can't they look at it?
posted by DU at 11:33 AM on September 22, 2008

"The Chinese government said it needs the source code to prevent computer viruses taking advantage of software vulnerabilities and to shut out hackers."

The Chinese government said it needs the source code to make GameSharks that work with the Wii, so they can finally beat the new Zelda.
posted by klangklangston at 11:35 AM on September 22, 2008 [4 favorites]

> They say that like it's a bad thing. China bought the product--why can't they look at it?

You missed the part where they want to look at the source code of every device that they are making in China. They aren't buying it, in fact they are getting paid to assemble it.

The more discouraging fact is: you give them the source code to your firewall system that is assembled there because well, everything is assembled there and you can't afford to compete on the market making it in the US, which means they can also write their own code or modify yours and insert a backdoor into your product. Now you can have all your security appliances shipped back to your office first, for code inspection (or final flashing) but that would require a lot more overhead than you currently account for with the cost of your device.

Or of course, they can just make your products for you. This is a country where an entire company was pirated, not just their products.
posted by mrzarquon at 11:44 AM on September 22, 2008 [1 favorite]

I like these kinds of things, because it can answer burning questions like "Who would win in a fight, Microsoft or the Chinese Government?" If China wins, I envision something like this happening:

China: Give us the source code for Windows Vista.

Microsoft: Here ya go. Produces a truckload of documents containing the entire 50 million lines of code.

China: Various heads explode.
posted by burnmp3s at 11:44 AM on September 22, 2008 [3 favorites]

This from a country that needs to list ingredients in a simple gallon of milk.
posted by hal9k at 11:46 AM on September 22, 2008 [16 favorites]

Now you can have all your security appliances shipped back to your office first, for code inspection (or final flashing) but that would require a lot more overhead than you currently account for with the cost of your device.

Does it? Have the customer perform the final marrying of hardware to software. For a DVD player, maybe not too onerous. But security appliances? I'm kind of surprised they don't already do this. Or at least provide some kind of checksumming service.
posted by DU at 11:47 AM on September 22, 2008

burnmp3s, did you miss the Olympic opening ceremonies? China has plenty of people to throw at any problem.
posted by nomisxid at 11:47 AM on September 22, 2008 [1 favorite]

This is lightly sourced, so, lacking a second independent source, it is offered in the spirit of Drudge.

*DEMOCRATS GIVE U.S. MANUFACTURING SECRETS TO CHINESE.*
posted by three blind mice at 11:48 AM on September 22, 2008 [3 favorites]

The more discouraging fact is: you give them the source code to your firewall system that is assembled there because well, everything is assembled there and you can't afford to compete on the market making it in the US, which means they can also write their own code or modify yours and insert a backdoor into your product.

They can do that with or without your source code.
posted by callmejay at 11:51 AM on September 22, 2008 [1 favorite]

In fact, no one should receive any copyright protection without source code disclosure. I mean, this is just obvious if you read Thomas Jefferson's original reasoning for such protections.
posted by jeffburdges at 11:54 AM on September 22, 2008 [4 favorites]

du- how are you going to perform a checksum against a compromised system? They could even include the original code and offer that up to whatever checksum service is performed.

Now inserting backdoors into a cisco product may not be worth the time and effort, because cisco will probably include ways to detect changes, and just ship the firmware separately. But how do you test to ensure you aren't sending the customer a DOA device? You can't power it on in the factory to do QA, because it has no firmware. You want to QA test it somewhere before handing it over to the customer.

But making more convincing cisco knockoffs? This helps considerably.
Or as mentioned up thread: finding security holes and not reporting them, filing them away for future use? another good use of it.

I mean, I am not in favor of security through obscurity, and I think this will make companies have to reconsider outsourcing all of their production to another country, because now there are even more externalities for them to calculate.

Which will be cheaper: Drop DRM from your products, so there is no closed source to hand over or manufacture all your products domestically.

My iPhone was assembled in China, I am sure Apple would be kind of upset if they had to give them their entire source code stack (as the kernel is not open source last I checked for the iPhone), including the itunes DRM authentication part.
posted by mrzarquon at 12:00 PM on September 22, 2008 [1 favorite]

It's almost as if now they have everybody over a barrel they feel they can start making completely unreasonable requests.
posted by Artw at 12:03 PM on September 22, 2008 [4 favorites]

This is an interesting and possibly brilliant move. The WTO is probably going to look at it as protectionism, (because everything - even attempting to save endangered turtles - is protectionism to the WTO) and may rule against it, but... perhaps a case could be made, in which case it's win-win for China: If you comply and sell to China under these conditions, they (and to an arguable extent, we) win. And if you don't, it's a trade barrier that benefits China's domestic sellers (in the short term - protectionism weakens industry in the long term).
posted by -harlequin- at 12:06 PM on September 22, 2008

Sounds like more jingoist Sinophobia.

See also: European Union wants to make open source the law; wants own OSI license
posted by godisdad at 12:11 PM on September 22, 2008

Pfft. Fear-mongering. The last thing China needs right now is a mass exodus of contract manufacturing with the attendant loss in employment. They cannot possibly be that stupid.

...of course, if they are, then there's cash money to be made elsewhere in the region. Easier stuff has recently been shifting to Vietnam & Cambodia anyway, I'm sure they'd just love to get their hands on a few more "special export zones". It was going to happen eventually, this would just speed it up by a few years.

Remember how everything *used* to be made in Japan? Then how everything was made in Taiwan?

It'll be the same with China. It's the cycle of manufacturing life.
posted by aramaic at 12:13 PM on September 22, 2008 [5 favorites]

European Union wants to make open source the law; wants own OSI license

Imagine that, a market in which the EU is not really competitive (software) and they want to kill it.

OSS doesn't need government intervention. It's doing great in the marketplace already. The competition between proprietary and OSS models is also competition, and if Europe kills that they've done software a disservice, as it will drive talented programmers to more lucrative fields (some of us are both good at it AND in it for the money, despite the OSS canard that the good ones will do it either way. Although currently I'm getting paid to write OSS, so there you go). Europe's just sore that they have so few good software companies.

China is doing it for slightly different reasons, I think. They're not as concerned about "reusing ideas", and they seem as paranoid as the U.S. is about security threats, so I'm sure someone has convinced themselves there this is needed for National Security or something.
posted by wildcrdj at 12:20 PM on September 22, 2008

This has the Japanese very, very concerned at the moment but US industry doesn't seem to have reacted yet. US companies that export IT products have to disclose a lot of internal information to the Dept. of Commerce's Bureau of Industry and Security (BIS) in order to get export authorization. The same information must also sent to the NSA. BIS has a made it clear that they will share no proprietary information with anyone and the NSA, well, they don't talk. To anyone. I don't believe the Chinese government inspires the same level of confidence.

Interestingly, Russia and France have import restrictions on security products but you don't hear a lot of complaints about them, do you? It may have to do with the level of disclosure required or the lack of manufacturing in those two countries.
posted by tommasz at 12:22 PM on September 22, 2008 [2 favorites]

Who cares?

I mean really, I can't see why anyone could really care about this. It makes sense for the Chinese to worry about it, especially with security appliances.

And yeah, if you've got super-secret stuff, you can always have a special version for the Chinese market.
posted by delmoi at 12:30 PM on September 22, 2008

Also, this is not about exporting from china, but rather importing into. In other words, you could still make stuff in China, unloaded with software, load it up with software back in your home country and sell it everywhere but China.

Unless someone has some other information, that's what the FPP itself said.
posted by delmoi at 12:33 PM on September 22, 2008

This is actually the same reason the full MagLev in Shanghai fell through. Ther Germans built the experimental one to Longyang, and laid out their pland for the full one to the middle of the city. The officials were like "uh, yea, we're only going to buy another kilometer worth... and you're going to have to give all your tech to your JV to get paid." And thus the kickass hovertrain will remain a useless 4 minute ride.
posted by FuManchu at 12:38 PM on September 22, 2008

Given that most developers cannot understand the code they wrote themselves a month ago I wish China good luck with that. Also, it's trivially easy to obfuscate source code so that it compiles perfectly but is essentially unreadable. Strip the comments, change all the variable names to "a" and 'b", etc. This will create a huge headache for manufacturers and deliver the Chinese government the square root of nothing.
posted by GuyZero at 12:47 PM on September 22, 2008


#ifndef _FORSNAUDITORS_
#define _FORSNAUDITORS_

class Graft : public Approval
{
private: float bagOfCashIsInBusStationLocker6531() const :
{
return approval;
}
}
#endif


posted by benzenedream at 12:51 PM on September 22, 2008 [3 favorites]

In other words, you could still make stuff in China, unloaded with software

That depends on how they define things. Personally, I'd bet that if (if!) they were to do this kind of thing, they'd leave the rules intentionally vague so that they can threaten companies at will. Play ball (or be well-connected), and "software" only includes software in the classic sense. Don't play along or piss them off by including Taiwan on a map, and "software" suddenly includes the layout files for all of your ASICs and anything else that instantiates logic.

I really doubt they actually care about software per se. They just want a new bludgeon.
posted by aramaic at 12:56 PM on September 22, 2008

Woo! State sanctioned industrial espionage! A step closer to Neuromancer every day.
posted by Caduceus at 1:21 PM on September 22, 2008

I can't wait to become a street samurai.
posted by Caduceus at 1:21 PM on September 22, 2008 [2 favorites]

Could be more going on than we realize. A number of years back, Windows had a key embedded, which let any and all code run with full trust and without prompting, called NSAKEY. This was hastily removed in later iterations, and Microsoft assured us it didn't really have anything to do with the NSA. There was plenty of scoffing that anyone could possibly distrust a key with that name, mysteriously added to the root store.

China, however, is obviously silly and paranoid, and perhaps, just perhaps, they think that embedded devices being sold in their country might have backdoors that could work to their detriment. If I were a police state, I know what I'd be thinking about NSAKEY, and by extension, any product with American involvement.

Admittedly, this was a long time ago, but there's lots going on that we don't hear about, and perhaps China has found an eavesdropping device in a place they weren't expecting one, or they had a leak they believe wasn't from a human. They've been kind of low-grade paranoid about Windows for a long time, and I see this policy as an extension of that, rather than something new.

And yes, I do understand that this could simply be to steal our source code. But China has an excellent infowar division; they're all over the US government's systems, including, apparently into nuclear data. Most companies don't have terribly good IT security; network security is really hard. It seems like they'd be able to just break into many companies and take what they want directly.

Theft of code is much, much more valuable if the target doesn't know that it's been stolen; when it's being submitted to an untrusted government agency, the target is going to be very watchful. If they aren't aware it's been lifted, the number of fun and interesting abuses (from the Chinese perspective) increases manyfold.

Basically: I don't think industrial espionage suffices as a motive. There are too many other ways to do that. There must be more going on here.
posted by Malor at 1:38 PM on September 22, 2008 [1 favorite]

A number of years back, Windows had a key embedded, which let any and all code run with full trust and without prompting, called NSAKEY.

Do you know how Windows works? Running code without prompting and with full permissions is the default behaviour. Thus the entire market for anti-virus software.
posted by GuyZero at 2:05 PM on September 22, 2008

a country that needs to list ingredients in a simple gallon of milk.

Have you read the ingredients list on a gallon of buttermilk recently? Hint: it's difficult to find vegetarian buttermilk now - they put gelatin in it these days.
posted by dilettante at 2:31 PM on September 22, 2008

Heh. My phones MP3 capabilities are so crapply implemented I forget it even has them.
posted by Artw at 2:35 PM on September 22, 2008

I'll tell them what's in my iPod if they tell me what's in their dim sum.
posted by turgid dahlia at 2:37 PM on September 22, 2008

Do you know how Windows works?

Oh, I work with it, now and again.

I misremembered slightly: NSAKEY was a default cryptographic trust source. Authenticating code before running was added later; I'm not sure Win2k even had any facility for that.

There were a number of innocent possible explanations, but I pointed it out because, whatever the truth actually IS, China's likely to take a pretty dim view of OSes that have had NSAKEYs in them. They may be trying to implement these changes, not to spy, but to stop outside spying.
posted by Malor at 5:37 PM on September 22, 2008

dangerous times up ahead if China does this.
posted by leybman at 7:36 PM on September 22, 2008

When you consider the effort that governments have put into codebreaking and spying in the past, I find it inconceivable that the NSA hasn't put some backdoor into Windows and OSX. Anyone who has read Ken Thompson's Reflections on Trusting Trust would know there are some very sneaky ways indeed to hide malevolent code.
posted by salmacis at 3:09 AM on September 23, 2008

delmoi writes "In other words, you could still make stuff in China, unloaded with software, load it up with software back in your home country and sell it everywhere but China. "

This will add substantially to your cost though as you'll have to handle each unit plus package and ship it twice.
posted by Mitheral at 9:17 AM on September 23, 2008