
US government pushed tech firms to hand over source code - tshtf
http://www.zdnet.com/article/us-government-pushed-tech-firms-to-hand-over-source-code/
======
jlgaddis
""" IBM referred to a 2014 statement saying that the company does not provide
"software source code or encryption keys to the NSA or any other government
agency for the purpose of accessing client data."

A spokesperson ... did not comment further on whether source code had been
handed over to a government agency for any other reason. """

I'm glad the author pressed them further ("for any other reason"). So many
times we see such statements like this from companies but nobody bothers to
ask the obvious (to me) follow-up question.

~~~
AnimalMuppet
Well, the obvious one is that IBM Federal Systems does an enormous amount of
system-building (including programming) for the Federal government. I would
presume that the Feds get the code for every one of those contracts. There are
probably others.

Trying to list _all_ the circumstances when the Feds get IBM source code,
without having it look like the Feds just get everything, might be
problematic...

~~~
niels_olson
I assure you the Feds don't get the source code. Vast swaths of leadership in
government are unaware there is a difference between compiled code and source.

------
conductor
It's not a secret that Microsoft provides Windows' source code to some
governments. Here are some reports from the same ZDNet:

[http://www.zdnet.com/article/microsoft-opens-source-code-to-russian-secret-service/](http://www.zdnet.com/article/microsoft-opens-source-code-to-russian-secret-service/)

[http://www.zdnet.com/article/does-microsofts-sharing-of-source-code-with-china-and-russia-pose-a-security-risk/](http://www.zdnet.com/article/does-microsofts-sharing-of-source-code-with-china-and-russia-pose-a-security-risk/)

~~~
aioprisan
There's a difference between providing some source code and providing the
entire source code. I do not believe anyone outside of Microsoft has access to
the entire source code.

~~~
astrange
Not a single person inside Microsoft would have access to it either, because
some parts of the system have other companies' trade secrets, like HDCP keys
or hardware drivers.

~~~
aioprisan
My point exactly, no one person has access and even if they did, the keys are
the truly sensitive components that no one person probably has access to
directly.

------
acqq
The source code alone is less of a problem than the private keys.

If the agencies have private keys of the creators of your OS, who then signed
the "signed updates" you've got?

Example, recently from Microsoft:

In their forums: "Is Update KB3103709 Fake?"

[http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_start/is-update-kb3103709-fake/c9fea314-1469-4d6f-b22f-d1fa0c11c503?auth=1](http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_start/is-update-kb3103709-fake/c9fea314-1469-4d6f-b22f-d1fa0c11c503?auth=1)

On their site: " Try searching for what you need This page doesn’t exist."

[https://support.microsoft.com/en-gb/kb/3103709](https://support.microsoft.com/en-gb/kb/3103709)

------
0x0
> "There is zero chance that someone could rewrite the [hard drive] operating
> system using public information," said one of the researchers.

hmm...
[http://spritesmods.com/?art=hddhack](http://spritesmods.com/?art=hddhack)

------
bko
Serious question, would source code be useful to a government agency? Is there
enough knowledge and expertise that exists outside of the organization that
builds the software to be able to make much use of software as complex as iOS?

~~~
anon987
In Windows NT 4.0 in 1999 they found this when Microsoft accidentally released
the debug symbols:
[https://en.wikipedia.org/wiki/NSAKEY](https://en.wikipedia.org/wiki/NSAKEY)

Who you believe is up to you.

~~~
tptacek
This is one of the oldest conspiracy theories on the Internet. It has been
comprehensively and repeatedly debunked. It doesn't even make sense as a
backdoor, given its function. Here's the best link on HN about it:

[https://news.ycombinator.com/item?id=9297787](https://news.ycombinator.com/item?id=9297787)

You also didn't need the source code to find it; you could have found it with
"strings".

------
evanpw
Related: There's currently a proposal ("Reg AT") from the CFTC (which
regulates futures trading in the US) that would require all algorithmic
traders to provide routine access to their source code, without a court order.

[1] [http://www.sidley.com/news/2015-12-14-investment-funds-update](http://www.sidley.com/news/2015-12-14-investment-funds-update)

~~~
swiley
But ECU and medical device code doesn't need to be published....

~~~
mickronome
... or voting machines. I must say I don't particularly like the rather
unpleasant arguments that almost make themselves from those particular facts:
that money indeed is considered more important than both safety and fair
voting.

------
coldcode
All it takes is one brave soul to gain standing and the entire FISA system
goes belly up in a real court. As long as everyone cooperates the farce goes
on. Generally people who work at big companies and get these NSLs (likely
lawyers) are unlikely to be that person.

~~~
Bluestrike2
Unfortunately, establishing standing is the hard part of the equation. And by
hard, I mean effectively impossible. _Clapper_ showed that quite clearly. And
even in those instances where it might be possible, the DOJ will drop the case
in question before they risk an undesirable ruling.

------
serge2k
I'm actually not so concerned about this, provided no signing keys are given
out. OS vulnerabilities being discovered are a risk I'm willing to take.

Can always run Linux and level the playing field.

~~~
cesarb
There are layers below Linux, which unfortunately are often proprietary. Do
you have the source code for your computer's firmware? For your hard disk's
firmware? For your CPU's microcode? If you don't have all of these (and more),
the playing field has not been completely leveled.

~~~
Asparagirl
Stallman looks more and more prescient every day.

------
jeena
I have to say it, this wouldn't be a problem if they wrote free software
instead. Security by obscurity was never a good way to go.

~~~
acqq
It's not about the source but the private keys. See my other comment here. The
same problem is real with the Linux distribution and the owners of the
distributions too. Nobody _reads the source_ of everything that is changed
with every signed update.

That's why there's signing in the first place.
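
The point acqq makes here and in the KB3103709 comment above, as an added illustration that is not code from the thread or from any vendor: with Ed25519 standing in for a vendor's update-signing key, anything signed with a leaked private key verifies exactly like a genuine release, so a client that also checks the update ID against the vendor's published catalogue can at least flag a signed-but-unlisted package for review. The `vetUpdate` and `demo` functions, the catalogue and the KB-EXAMPLE IDs are all constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

type Verdict int
const (
	Rejected   Verdict = iota // signature does not verify against the pinned key
	Trusted                   // verifies and the update ID is in the vendor catalogue
	Suspicious                // verifies but the vendor publishes no such update
)

// message binds the update ID to the payload so a signature cannot be replayed under another ID.
func message(id string, payload []byte) []byte {
	return append([]byte(id+"\n"), payload...)
}

// vetUpdate is a hypothetical client-side check: a valid signature proves only that someone
// held the private key, so a verifying update absent from the vendor catalogue is flagged.
func vetUpdate(pub ed25519.PublicKey, catalogue map[string]bool, id string, payload, sig []byte) Verdict {
	if !ed25519.Verify(pub, message(id, payload), sig) {
		return Rejected
	}
	if !catalogue[id] {
		return Suspicious
	}
	return Trusted
}

// demo: freshly generated (constructed) key pair, constructed catalogue, placeholder IDs.
func demo() [3]Verdict {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	catalogue := map[string]bool{"KB-EXAMPLE-1": true}
	good := []byte("constructed update payload")
	sigGood := ed25519.Sign(priv, message("KB-EXAMPLE-1", good))
	// Same private key, an ID the vendor never published: the signature check alone cannot tell.
	sigRogue := ed25519.Sign(priv, message("KB-EXAMPLE-2", good))
	tampered := append([]byte{}, good...)
	tampered[0] ^= 0xff
	return [3]Verdict{
		vetUpdate(pub, catalogue, "KB-EXAMPLE-1", good, sigGood),
		vetUpdate(pub, catalogue, "KB-EXAMPLE-2", good, sigRogue),
		vetUpdate(pub, catalogue, "KB-EXAMPLE-1", tampered, sigGood),
	}
}
```

The catalogue check is a detection aid, not a fix: once the signing key is out, only key rotation restores trust in the signature itself.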

------
pmlnr
I guess if it's all Open Source they have a problem.

~~~
pmlnr
You HN people don't really understand sarcasm, do you?

