
Tech firms let Russia probe software widely used by U.S. government - tonyztan
https://www.reuters.com/article/us-usa-cyber-russia/tech-firms-let-russia-probe-software-widely-used-by-u-s-government-idUSKBN1FE1DT
======
dfox
For me, to some extent, the fact that it is supposedly a bad thing says more about
the article author than about the firms that allowed that.

~~~
blakesterz
That's what I thought too... like this quote:

“Even letting people look at source code for a minute is incredibly
dangerous,” said Steve Quane, executive vice president for network defense at
Trend Micro, which sells TippingPoint security software to the U.S. military.

~~~
ineedasername
It can be dangerous... I once caught a glimpse of some Befunge source code,
and haven't had a sound night's sleep since.

------
blakesterz
Would it also be fair to say most likely these same places (SAP, Symantec and
McAfee) probably let other governments "probe" their software as well? I'd be
surprised if 5 Eyes countries weren't all over it as well.

~~~
auntienomen
You would hope so. Longstanding practice in crypto is to assume that 'the
enemy knows the system'. It should apply here, as well.

------
cat199
In other news:

Thomson Reuters finds procedural flaw in outsourcing of critical software to
uninterested 3rd party companies; uses to frame Russia as malicious and
create lingering mental justification for trade embargoes

------
dsl
"Probing" software in this context means doing security audits. Nothing would
have stopped the Russians from breaking into a big company like Ford or
General Electric and stealing a copy of the software for them to then look for
vulnerabilities.

This is like the Oracle rat hole where they tried to claim that security
audits of their products could only be done with prior approval. That cat is
way out of the bag.

------
ldiracdelta
If the firms are allowed to sell their software to non-US entities, why would
Russia buy it if they couldn't inspect it? We already know from Snowden that
the United States Government tries to pwn the entire world. Why would they
trust anything from the U.S.A. without doing a very careful code review and
then compiling it themselves?

