US should seriously consider doing something similar since FBI is already warning about fake Cisco routers which could (i.e. most likely do) have backdoors.
Link: http://blogs.zdnet.com/projectfailures/?p=740
> US should seriously consider doing something similar
As should all other powers. The possibility of backdoors in computing equipment means that all software in critical functions needs to have been developed in an environment where the country can have a reasonable assurance that there are no backdoors.
Just because something is "developed" in the US doesn't mean that all of the developers are US citizens or even based in the US. Outsourcing makes it incredibly difficult to ensure that no backdoors, malware, etc. are inserted into source.
> Just because something is "developed" in the US doesn't mean that all of the developers are US citizens or even based in the US.
Absolutely.
> Outsourcing makes it incredibly difficult to ensure that no backdoors, malware, etc. are inserted into source.
If a program is (1) open source, and (2) widely used, there are likely to have been lots of eyeballs looking at it. It would probably be harder to put a backdoor in Linux or GCC, without people finding out, than in MS Windows or Microsoft's CLR. I'm leaning towards the point of view that security-critical software should run on popular open source platforms (by platforms I mean OSes, languages and APIs).
Do we have info on what backdoors in major commercial programs look like? I'm going to guess a large company isn't going to embed a whole large backdoor -- too much liability and risk of discovery.
Instead, wouldn't it be better to make the backdoor another mundane security hole? And open source can certainly ship plenty of those (Firefox?).
So, really, in both cases, you need an experienced developer that can code in a security hole without being caught during review. Not every boring feature checked in gets the same level of "eyeballs".
This reminded me of Ken Thompson's Turing paper about how a malicious compiler could make back doors invisible even to those who can look at the source.
Exactly. No-one's going to call an API openBackdoor(). It'll be something like the vmsplice exploit on Linux (which despite being Open Source yadda yadda made it into a lot of running production systems).
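The sub-thread above turns on a practical question: if you cannot audit the vendor's build, the least you can do is confirm that the images you are about to deploy are the ones a known-good manifest describes, and notice anything extra, missing or altered. The following is an added example (not code from anyone in this thread); the artifact contents and the manifest are constructed, and it assumes the manifest was obtained out of band (signed, or over a separate trusted channel), since a manifest shipped beside the images proves nothing.

```python
"""Check vendor-supplied artifacts (e.g. router firmware images) against a
known-good SHA-256 manifest. Added example; contents and manifest are constructed."""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory artifact."""
    return hashlib.sha256(data).hexdigest()


def verify_manifest(artifacts: Dict[str, bytes],
                    manifest: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare a delivery against the manifest.

    Returns a sorted list of (artifact name, finding), where finding is one of
    'missing'       - listed in the manifest but not delivered
    'hash-mismatch' - delivered, but its digest differs from the manifest
    'unlisted'      - delivered, but the manifest never mentions it
    An empty list means every listed artifact is present and intact and
    nothing unexpected was shipped.
    """
    findings: List[Tuple[str, str]] = []
    for name, expected in manifest.items():
        if name not in artifacts:
            findings.append((name, "missing"))
        elif sha256_hex(artifacts[name]) != expected.lower():
            findings.append((name, "hash-mismatch"))
    for name in artifacts:
        if name not in manifest:
            findings.append((name, "unlisted"))
    return sorted(findings)


# Constructed sample data: the "known-good" images and the manifest built from them.
GOOD_FIRMWARE = b"constructed firmware image v1.0\n"
GOOD_BOOTLOADER = b"constructed bootloader v1.0\n"
MANIFEST = {
    "firmware.bin": sha256_hex(GOOD_FIRMWARE),
    "bootloader.bin": sha256_hex(GOOD_BOOTLOADER),
}


def demo_tampered_delivery() -> List[Tuple[str, str]]:
    """A constructed delivery with one altered image, one missing image and
    one file the manifest never listed; all three should be reported."""
    shipped = {
        "firmware.bin": GOOD_FIRMWARE + b"\x00",   # one byte appended
        "extra_tool.bin": b"constructed, not in manifest",
    }
    return verify_manifest(shipped, MANIFEST)


if __name__ == "__main__":
    for name, finding in demo_tampered_delivery():
        print(f"{name}: {finding}")
```

A clean result only says the delivery matches the manifest; it says nothing about whether the vendor's own build, the one the manifest was computed from, is free of the "mundane security hole" the thread worries about. That is why the manifest has to come from a source you trust independently of the shipment, and why the check is a floor, not a substitute for source review or independent builds.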
I think this is a great move, and India is also playing fair by allowing any vendor with a government security approval to do business in India. But this will also give rise to the currently rampant corruption in so many government audit agencies.
The only reason there isn't widespread tampering and adulteration of goods made in China (or anywhere) is that it's usually cheaper to do things right. Manufacturing Cisco routers exactly as they are told to is easier than making ones that are undetectably compromisable. Today.
In other cases where doing it wrong is cheaper, we've already seen what happens. Lead paint is cheap. So, of course, we end up with kids' toys with lead paint that flakes off.
But hey, at least it's one cent cheaper.
(And just so it doesn't sound like I'm being anti-foreign-goods or whatever, we do the same thing domestically. HFCS is slightly cheaper than sugar, so it's used in everything, even though the production is harmful to the environment and the health effects versus sugar are in question. But hey, at least the profit margin on sugar water is even higher now!)
Good move. China does not seem to hide the fact that they are interested in 20th century espionage via hacking and everyone knows they are an impressive police state that monitors everything.
The U.S. should definitely make the same move, but well, then there is that whole mess with China owning most of our debt...
This is not surprising considering the amount of news we read about Chinese 'interest' in Indian websites - everything ranging from nuclear programs to Tibet.
There is another reason - cheap Chinese mobiles without IMEI numbers were flooding the market.
Last year the government banned imports of Chinese handsets without the International Mobile Equipment Identity, or IMEI, number, again citing security reasons such as the use of stolen handsets to make terror or hoax calls.
Chinese manufacturers cloning IMEIs? Never!
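The two problems the handset ban in this sub-thread is aimed at, handsets with no IMEI and handsets sharing a cloned one, are both visible on the network side. As an added example (not code from anyone in the thread), the script below parses constructed attach records, validates each IMEI's Luhn check digit and flags any IMEI seen on more subscribers than a configurable threshold. The log format, field names and IMSI/IMEI values are all made up for the example.

```python
"""Triage IMEIs in constructed attach records: missing, invalid check digit,
or shared by several subscribers (a cloning indicator). Added example."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log; format and values are invented for this example.
ATTACH_LOG = """\
2010-05-03T10:15:00 attach imsi=404010000000001 imei=490154203237518
2010-05-03T10:15:07 attach imsi=404010000000002 imei=
2010-05-03T10:15:09 attach imsi=404010000000003 imei=123456789012345
2010-05-03T10:15:20 attach imsi=404010000000004 imei=490154203237518
2010-05-03T10:15:33 attach imsi=404010000000005 imei=490154203237518
2010-05-03T10:15:40 attach imsi=404010000000001 imei=490154203237518
"""

LINE_RE = re.compile(r"imsi=(\d+)\s+imei=(\d*)")


def imei_check_digit_ok(imei: str) -> bool:
    """An IMEI is 15 digits; the 15th is a Luhn check digit over the first 14.
    Counting from the left, every second digit is doubled (subtracting 9 if
    the result exceeds 9) before summing."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(imei[:14]):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10 == int(imei[14])


def triage_attach_log(log: str, clone_threshold: int = 2) -> Dict[str, object]:
    """Return subscribers with no IMEI, (imsi, imei) pairs whose IMEI fails the
    check digit, and IMEIs attached by at least `clone_threshold` distinct
    subscribers (repeat attaches by the same subscriber count once)."""
    missing: List[str] = []
    invalid: List[Tuple[str, str]] = []
    subscribers_per_imei: Dict[str, set] = defaultdict(set)

    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue            # not an attach record we understand
        imsi, imei = m.group(1), m.group(2)
        if not imei:
            missing.append(imsi)
            continue
        if not imei_check_digit_ok(imei):
            invalid.append((imsi, imei))
            continue
        subscribers_per_imei[imei].add(imsi)

    cloned = {
        imei: sorted(subs)
        for imei, subs in subscribers_per_imei.items()
        if len(subs) >= clone_threshold
    }
    return {"missing": missing, "invalid": invalid, "cloned": cloned}


if __name__ == "__main__":
    for key, value in triage_attach_log(ATTACH_LOG).items():
        print(f"{key}: {value}")
```

A passing check digit only means the number is well-formed, not that the TAC prefix was ever allocated to a real model, and one IMEI on two IMSIs can be a legitimate SIM swap; in practice the threshold is set higher and combined with timing and location, so that the same handset "attaching" from two places at once is what gets escalated.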
The big question is, can India's government really enforce this?
IBM selling their computer line to China was a major mistake and should have been blocked on national security concerns. The fact that half the government uses Lenovo laptops that used to be ThinkPads is criminal.
It does not take a genius to realize that China is using all their power and cunning to infiltrate everyone everywhere. When your firewall and your packet filter and your router all come from the same place, how can you be sure that you don't have a backdoor?
I know people who work in this area and the bottom line is that it is not whether or not you are paranoid, but are you paranoid enough?