
IBM Gives the Chinese Government Access to Software Code - pavornyoh
http://www.bloomberg.com/news/articles/2015-10-16/ibm-gives-limited-access-of-software-code-to-chinese-government
======
dogma1138
Microsoft and many other companies share code with governments and not just
the US.

[https://en.wikipedia.org/wiki/Shared_source#Microsoft_Govern...](https://en.wikipedia.org/wiki/Shared_source#Microsoft_Government_Security_Program)

This isn't that uncommon, and originally this wasn't even necessarily done
from a security POV; Office source code was shared so governments could build
extensions on it for their own internal use before add-ons were introduced or
when add-on functionality wasn't sufficient.

Windows source code including kernel source code was often shared to pass
various inspections, and in many cases to integrate proprietary tech such as
hardware encryption into the system.

~~~
pohungc
How would you even reliably audit something as big and complex as the Windows
source code?

~~~
mtgx
Maybe it's not really about auditing it, as it is about finding their own
flaws to exploit. In the US, it's actually worse, because Microsoft also gives
the NSA the zero-days it finds on a silver platter, way ahead of fixing them (not
necessarily suggesting Microsoft will delay fixing them on purpose, but as we
know sometimes fixing a major bug can take many months - see the whole Project
Zero vs Microsoft scandal - months in which the NSA can put those bugs to
"good use").

[http://arstechnica.com/security/2013/06/nsa-gets-early-access-to-zero-day-data-from-microsoft-others/](http://arstechnica.com/security/2013/06/nsa-gets-early-access-to-zero-day-data-from-microsoft-others/)

Oh btw, Apple and Intel do this, too, now (Intel may have been doing it for
years, but we know for a fact Apple "volunteered" to do it, too, this year at
Obama's Cyber Summit). As far as we know Google has refused to do it, and
hopefully it stays that way.

~~~
nnx
> but we know for a fact Apple "volunteered" to do it, too, this year at
> Obama's Cyber Summit

Source?

~~~
dogma1138
I would be surprised if they didn't, their customers wouldn't like it very
much.

If you have to patch 10,000 machines you don't want to be in a position to
hear about it with everyone else on patch Tuesday.

If you're a big enough client you'll know it's coming and might even get the
update ahead of time.

------
vegabook
China requires all industries, including aerospace, cars, energy, FMCG, and
IT, to cough up IP for free in return for access to its markets. Yet we
provide access to our huge markets, gratis.

Even if Western access to Chinese markets is inevitably sporadic and subject
to the whims of regulatory Chinese quangos who can withdraw it at any time
they feel like it, equity markets encourage companies to play the game and
cough up the secrets, in the name of the next quarterly targets.

Unlike the actual human beings involved, equities don't care if the IP moves
from one society to the next. They can literally rebalance their portfolios
from West to East in seconds.

Yet much of the IP thus surrendered was created not directly by those Western
companies, but by the societies which fostered the freedoms, intellectual,
physical, and political, for such discoveries to be possible, encouraged and
nurtured. Those freedoms cost dearly, often literally in blood.

That we're selling this patrimony, hard-won by our forefathers, on the cheap,
is criminal.

~~~
Pyxl101
What you say might be going on, but I would not expect this source code
sharing to constitute IP transfer. It's an audit or inspection. The government
isn't allowed to use the code, and I doubt they intend to or have the ability
to.

I haven't been involved in government audits of source code, but I have been
involved in private audits. We invite the third party into our offices, where
we provide them access to a laptop that has the source code loaded onto it.
The laptop's network access has been disabled. They're free to examine it for
as long as they wish, but they're not allowed to copy it or remove it from the
network.

These kinds of mitigations are presumably what they're referring to when they
say: “Strict procedures are in place within these technology demonstration
centers to ensure that no software source code is released, copied or altered
in any way.” Note the term _technology demonstration center_, that is, a
physical location.

This kind of audit is fairly routine when an important customer is considering
your product, for a number of reasons. After all of the security events in the
news recently, any foreign government would be right to worry about backdoors
in technology provided by US firms. Source code access is one way to mitigate
those concerns. It's an audit, not a technology transfer.

Last but not least: I could imagine a certain kind of software where it could
be damaging, and could reveal IP, to allow anyone to see any part of the code.
Imagine if I invent a better audio compression algorithm that's twice as good
as typical MP3 compressors, while producing MP3 format. Then showing someone
even a snippet of code could give away my trade secret of how it works.
However, the source code of large software products like IBM's is unlikely to
have any especially valuable secret sauce. The value of the IP comes from the
whole, not of any one special part. In that circumstance, allowing someone to
peruse the code at their leisure doesn't give much away.

~~~
vegabook
Yes it's true that clients should have a right to inspect code for potential
malevolence, especially when geopolitics are at play. However the article is
peppered with qualifications:

> “As everybody knows, there’s a tacit understanding that if you want to do business in China, you need to show them how this stuff works,”

> "there’s definitely a little bit of: ‘Can we reverse engineer this?’"

> “For IBM to do this is a little ballsy.”

I think in general we're far too willing, far too often, to dismiss Chinese
business tactics as benevolent.

~~~
fredkbloggs
> I think in general we're far too willing, far too often, to dismiss Chinese
> business tactics as benevolent.

Who are "we" in this context? I don't really think anyone in the western world
seriously believes there is anything benevolent about China, full stop. What's
happening here, and what IBM's statements clearly indicate, is that western
CEOs think they might be able to goose their quarterly earnings for a year or
two by kowtowing to whatever China demands. That means bigger bonuses and
maybe more valuable stock for the CEOs, possibly (who are we kidding,
_certainly_) lower profits in the long run as everyone knows China steals
everything not bolted down and much of what is. But the CEO has no incentive
to care about that.

~~~
vegabook
"We" = the vast majority of people whose short term consumption addiction is
being financed by China, which conversely is investing in our long term
economic serfdom.

~~~
fredkbloggs
I see. That's not assumption of benevolence, it's simple greed. The same "I'll
be gone, you'll be gone" attitude that created the mortgage implosion and so
much else that's gone wrong throughout human history. Xbox buyers don't really
think China is benevolent, they just don't care because they figure most of
the harm they do will be visited on others.

~~~
vegabook
The assumption of benevolence is convenient for everyone, consumers and
capital alike.

------
tacotuesday
It seems the Chinese policy is very smart by demanding inspection of software
before it goes into deployment/production. It's common sense really. We should
demand as much in the US.

Too bad we have laws and agencies that demand the exact opposite:

[https://www.fsf.org/blogs/licensing/epa-opposed-dmca-exemptions-that-could-have-revealed-volkswagen-fraud](https://www.fsf.org/blogs/licensing/epa-opposed-dmca-exemptions-that-could-have-revealed-volkswagen-fraud)

I wonder who in our government thinks deploying code without review or testing
is a good idea? Does anyone know where one might find a full list of these
people/agencies?

~~~
noarchy
It is one thing to have the _government_ get access to software, and quite
another to have truly open source software. Does the entire Chinese population
have access to the source? I seriously doubt it.

------
AdmiralAsshat
_Beijing won’t receive client data or “back doors” into the technology,
International Business Machines Corp. said Friday in a statement._

I assume this means that IBM won't specially code backdoors into the software
for the Chinese government to use, but I initially read that sentence to mean
that there _are_ backdoors in the software, but IBM won't show them to China.
Which kinda defeats the purpose of letting them see the source code.

~~~
pjc50
It increases the effort required; if you can make the binary line up with 99%
of the source code, the remaining 1% is where the back door is.

It's unlikely to have entirely reproducible builds, but simply making the
callgraphs line up will give you a lot of information.

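The call-graph comparison pjc50 describes, as an added example that is not part of the thread or of any IBM tooling: two constructed objdump-style listings (one from a build of the audited source, one from the shipped binary; the `maint_override` function is a made-up name) are parsed into caller-to-callee graphs, and the functions and call edges present only in the shipped binary are reported as the "remaining 1%" to examine by hand.

```python
import re

# Constructed objdump -d style listings (not real output from any product).
FROM_SOURCE = """\
0000000000001139 <check_password>:
    113d:  e8 1b 00 00 00    call   115d <strcmp>
0000000000001160 <main>:
    1164:  e8 d0 ff ff ff    call   1139 <check_password>
    1169:  e8 02 00 00 00    call   1170 <puts>
"""

SHIPPED = """\
0000000000001139 <check_password>:
    113d:  e8 1b 00 00 00    call   115d <strcmp>
    1142:  e8 40 00 00 00    call   1187 <maint_override>
0000000000001160 <main>:
    1164:  e8 d0 ff ff ff    call   1139 <check_password>
    1169:  e8 02 00 00 00    call   1170 <puts>
0000000000001187 <maint_override>:
    118b:  e8 10 00 00 00    call   11a0 <getenv>
"""

FUNC_RE = re.compile(r"^[0-9a-f]+ <([\w.@]+)>:$")          # "0000001139 <name>:"
CALL_RE = re.compile(r"\bcallq?\s+[0-9a-f]+ <([\w.@]+)>")  # "call 115d <name>"

def parse_callgraph(listing):
    """Map each function defined in the listing to the set of functions it calls."""
    graph, current = {}, None
    for line in listing.splitlines():
        m = FUNC_RE.match(line)
        if m:
            current = m.group(1)
            graph.setdefault(current, set())
            continue
        m = CALL_RE.search(line)
        if m and current is not None:
            graph[current].add(m.group(1))
    return graph

def edges(graph):
    return {(caller, callee) for caller, callees in graph.items() for callee in callees}

def diff_callgraphs(expected, actual):
    """Functions and call edges where the shipped binary departs from the from-source build."""
    return {
        "extra_functions": sorted(set(actual) - set(expected)),
        "missing_functions": sorted(set(expected) - set(actual)),
        "extra_edges": sorted(edges(actual) - edges(expected)),
        "missing_edges": sorted(edges(expected) - edges(actual)),
    }

if __name__ == "__main__":
    for key, value in diff_callgraphs(parse_callgraph(FROM_SOURCE), parse_callgraph(SHIPPED)).items():
        print(key, value)
```

Compiler inlining and link-time optimisation will also produce edge differences, so a non-empty report is a list of places to read, not proof of a back door.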
------
douche
Would have maybe been somewhat informative if the article had said _what
products_ IBM was giving source code for.

~~~
blumkvist
I opened the link just to read that...

------
intrasight
It's been a long time (or perhaps never) that the source code had any real
value. The value is in the organization - as in both meanings of the word. The
noun - organization as legal entity. And the verbish meaning - the
organization of all that complexity towards getting something accomplished.

Also, I think all software systems tend to be improved by having more people
look at the code. It eliminates the temptation of "security through
obscurity".

So if you're not willing to show your stuff, you either a) still falsely
believe that your code has intrinsic value, or b) you are ashamed of or at
least don't have much confidence in your code.

------
haosdent
I believe nobody could understand those stale and tricky code.

------
fredkbloggs
'“Strict procedures are in place within these technology demonstration centers
to ensure that no software source code is released, copied or altered in any
way,”'

So... if I were an IBM shareholder (I'm not), I'd certainly hope that this
means the code has been provided as a series of highly-compressed JPEGs of the
code in a non-OCRable font (i.e., with randomness injected). Otherwise you can
go ahead and set your forecasts for IBM's software sales in China to 0 for
2019 or so and beyond.

~~~
brianwawok
Pretty sure they could just hire 20k people to type in the OCR proof code..
i.e. the turk solution.

~~~
fredkbloggs
Still best to make it as expensive as possible.

