US government pushed tech firms to hand over source code (zdnet.com)
204 points by tshtf on March 17, 2016 | 38 comments



""" IBM referred to a 2014 statement saying that the company does not provide "software source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data."

A spokesperson ... did not comment further on whether source code had been handed over to a government agency for any other reason. """

I'm glad the author pressed them further ("for any other reason"). So many times we see such statements like this from companies but nobody bothers to ask the obvious (to me) follow-up question.


Well, the obvious one is that IBM Federal Systems does an enormous amount of system-building (including programming) for the Federal government. I would presume that the Feds get the code for every one of those contracts. There are probably others.

Trying to list all the circumstances when the Feds get IBM source code, without having it look like the Feds just get everything, might be problematic...


I assure the Feds don 'think get the source code. Vast swaths of leadership in government are unaware there is a difference between compiled code and source.


It's not a secret that Microsoft provides Windows' source code to some governments. Here are some reports from the same ZDNet:

http://www.zdnet.com/article/microsoft-opens-source-code-to-...

http://www.zdnet.com/article/does-microsofts-sharing-of-sour...


And many universities also have access. It's no secret, nor does it require a state actor.


There's a difference between providing some source code and providing the entire source code. I do not believe anyone outside of Microsoft has access to the entire source code.


Not a single person inside Microsoft would have access to it either, because some parts of the system have other companies' trade secrets, like HDCP keys or hardware drivers.


My point exactly, no one person has access and even if they did, the keys are the truly sensitive components that no one person probably has access to directly.


I'd bet that no one inside Microsoft has access to the full source. Or if so, it's one or two engineers in charge of doing builds.


In terms of encryption, it is well-known that security by obscurity is a bad idea. A well-designed encryption system should be safe even if it is open-source. E.g. PGP. Having the source code should not help one bit.

However, access to the OS source code does let people search for various yet-undiscovered exploits, and use them for evil.


The source code alone is less of a problem than the private keys.

If the agencies have private keys of the creators of your OS, who then signed the "signed updates" you've got?

Example, recently from Microsoft:

In their forums: "Is Update KB3103709 Fake?"

http://answers.microsoft.com/en-us/protect/forum/protect_oth...

On their site: " Try searching for what you need This page doesn’t exist."

https://support.microsoft.com/en-gb/kb/3103709


> "There is zero chance that someone could rewrite the [hard drive] operating system using public information," said one of the researchers.

hmm... http://spritesmods.com/?art=hddhack


Serious question, would source code be useful to a government agency? Is there enough knowledge and expertise that exists outside of the organization that builds the software to be able to make much use of software as complex as iOS?


In Windows NT 4.0 in 1999 they found this when Microsoft accidentally released the debug symbols: https://en.wikipedia.org/wiki/NSAKEY

Who you believe is up to you.


This is one of the oldest conspiracy theories on the Internet. It has been comprehensively and repeatedly debunked. It doesn't even make sense as a backdoor, given its function. Here's the best link on HN about it:

https://news.ycombinator.com/item?id=9297787

You also didn't need the source code to find it; you could have found it with "strings".


That was just a naming convention. When asked why it was called NSAKEY, Microsoft said this:

>This is simply an unfortunate name. The NSA performs the technical review for all US cryptographic export requests. The keys in question are the ones that allow us to ensure compliance with the NSA's technical review. Therefore, they came to be known within Microsoft as "the NSA keys", and this was used as a variable name for one of the keys. However, Microsoft holds these keys and does not share them with anyone, including the NSA.


> https://en.wikipedia.org/wiki/NSAKEY

Wow.. How come nobody is bringing THIS up whenever the FBI tries to assure us that the bypass they want from Apple will never get leaked into the wrong hands?


The NSA can apparently find vulnerabilities in iOS without the source code so I would assume they could find (more of) them more easily with the source code.


Well first they ask for iOS source code, then they ask for the update or app signing key (kind of how they asked for Lavabit's SSL key). Then the real fun begins.

However, it's a little funny that the US gov uses the Lavabit case as an example - Lavabit shut down to avoid giving it the key.


AFAIR Lavabit handed over the private key. It was shut down subsequently to avoid user compromise.


The demand for source code would likely include accompanying documentation necessary to build/use.


Documentation and getting to build/use it feels to me like support, and I feel that needs to be billable. The source code is the raw product, which is also of value/crown jewels. But it is easier to give it to someone than to support it.

So can the government force companies to assist them and to what extent? From the article it is suggested that Dell, Huawei, and Juniper have already done so.

But how were they compensated, because engineering time is not cheap, or were they given software backdoors and told to integrate them?

I don't think we will ever know. But it would be interesting to know how managers had to explain to the bean counters that limited resources were spent on project "top secret" instead of a real project making money.


> ...and I feel that needs to be billable.

They get paid. Telecoms do as well, they actually have billing schedules for wiretaps.

> ...managers had to explain to the bean counters...

You've got it backwards, the lawyers explain to the executives who then explain to the department head who then explains to a manager who then explains to a senior team leader who then assigns the work. At the end of the telephone game it looks like any other incomprehensible contract requirement.


It's hard and really expensive, I don't think any big company would like to do that. For large shops, source code building is non-trivial. It may require proprietary toolchains, metadata stored in some other dbs, or specific hardware / environments. And the toolchain may even not work outside the shop, e.g., depending on internal infras.


Related: There's currently a proposal ("Reg AT") from the CFTC (which regulates futures trading in the US) that would require all algorithmic traders to provide routine access to their source code, without a court order.

[1] http://www.sidley.com/news/2015-12-14-investment-funds-updat...


But ECU and medical device code doesn't need to be published....


... or voting machines. I must say I don't particularly like the rather unpleasant arguments that almost make themselves from those particular facts. That money indeed is considered more important than both safety and fair voting.


Source code for casino video games also must be submitted to the relevant authorities: http://www.wired.com/2014/10/cheating-video-poker/


All it takes is one brave soul to gain standing and the entire FISA system goes belly up in a real court. As long as everyone cooperates the farce goes on. Generally people who work at big companies and get these NSLs (likely lawyers) are unlikely to be that person.


Unfortunately, establishing standing is the hard part of the equation. And by hard, I mean effectively impossible. Clapper showed that quite clearly. And even in those instances where it might be possible, the DOJ will drop the case in question before they risk an undesirable ruling.


Aren't the FISA judges appointed by the Chief Justice of SCOTUS? What happens when the case gets to that "real court"? My guess is, not a whole lot.


I'm actually not so concerned about this, provided no signing keys are given out. OS vulnerabilities being discovered are a risk I'm willing to take.

Can always run Linux and level the playing field.


There are layers below Linux, which unfortunately are often proprietary. Do you have the source code for your computer's firmware? For your hard disk's firmware? For your CPU's microcode? If you don't have all of these (and more), the playing field has not been completely leveled.


Stallman looks more and more prescient every day.


I have to say it, this wouldn't be a problem if they wrote free software instead. Security by obscurity was never a good way to go.


It's not about the source but the private keys. See my other comment here. The same problem is real with the Linux distribution and the owners of the distributions too. Nobody reads the source of everything that is changed with every signed update.

That's why there's signing in the first place.


I guess if it's all Open Source they have a problem.


You HN people don't really understand sarcasm, do you?



