
HP Enterprise let Russia scrutinize cyberdefense system used by Pentagon - rbanffy
http://www.reuters.com/article/us-usa-cyber-russia-hpe-specialreport/special-report-hp-enterprise-let-russia-scrutinize-cyberdefense-system-used-by-pentagon-idUSKCN1C716M?utm_source=twitter&utm_medium=Social
======
rmchugh
"The U.S. military agency itself did not require a source code review before
purchasing ArcSight and generally does not place such requirements on tech
companies for off-the-shelf software like ArcSight, the Pentagon spokeswoman
said. Instead, DISA evaluates the security standards used by the vendors, she
said."

So the Russian government has higher security standards than the US?

~~~
Retric
I don't know if that's really true. DoD gets the Windows source code for
example.

~~~
MikusR
So does Russia.

~~~
Retric
I don't see how that's relevant.

Tools exist to audit anything on the windows CLR. So, from a security
standpoint they have everything they need and can request the source code if
any red flags show up.

Sure, the source code is great if you want to maintain code. But, for a
security audit it's often more deceptive than useful.

------
sschueller
Isn't that standard practice?

HP wants to sell their product so they do this. If the Pentagon doesn't want
this they would need to purchase exclusive rights to it or the state
department would need to forbid the sale of the software overseas.

------
WhatsName
Why do so many people still believe in security-by-obscurity?

"Some security experts say that studying the source code of a product would make it far easier for a reviewer to spot vulnerabilities in the code, even if they did not leave the site with a copy of the code."

I would like to meet those experts that advocate, that not looking at the code
makes the product more secure.

~~~
yaps8
Well, if you compare the situation where an adversary has access to source
code with a situation where they don't, everything else being the same,
they have a higher chance of finding vulnerabilities in the first.

The "security-by-obscurity" point does apply when you compare "going open-
source with many observers" to "being closed-source with no one looking", but
this is not the case here.

~~~
inetknght
...now enter fuzz testing and your first statement goes out the window.

~~~
evgen
Fuzz testing is far, far easier and more complete if you have the source code.
It is not required to have the source to fuzz, but white-box fuzzing can be
combined with code coverage analysis to make sure you hit all code paths,
including ones that would rely upon a more structured sequencing of the
inputs. Black-box fuzzing could eventually reach the same end result, but it
would take far longer or far more resources.
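
To make the point above concrete, here is a toy comparison added as an example (not code from the thread or from any product discussed): a constructed parser with a planted off-by-one hidden behind a 4-byte magic and a length check, fuzzed once blind and once with branch-coverage feedback, where a plain set of branch labels stands in for a real coverage tool. The parser, the branch names and the seeds are all made up for the illustration.

```python
import random

def parse_record(data: bytes, cov: set) -> int:
    """Constructed toy parser: 4-byte magic, length byte, payload; cov = branches hit."""
    if len(data) < 5: return -1
    for i, ch in enumerate(b"MAGC"):        # magic is checked one byte at a time
        if data[i] != ch:
            return -1
        cov.add(f"magic{i}")
    n, payload = data[4], data[5:]
    if n != len(payload):
        cov.add("badlen")
        return -1
    return payload[n]      # planted off-by-one: n == len(payload) -> IndexError

def run(data: bytes):  # one execution of the target -> (crashed, branches hit)
    hit = set()
    try:
        parse_record(data, hit)
        return False, hit
    except IndexError:
        return True, hit

def mutate(data: bytes, rng: random.Random) -> bytes:
    b, r = bytearray(data), rng.random()
    if r < 0.7 and b:                           # overwrite one byte
        b[rng.randrange(len(b))] = rng.randrange(256)
    elif r < 0.85 and len(b) > 1:               # delete one byte
        del b[rng.randrange(len(b))]
    else:                                       # insert one byte
        b.insert(rng.randrange(len(b) + 1), rng.randrange(256))
    return bytes(b)

def blackbox_fuzz(budget: int, seed: int):  # random inputs, no feedback at all
    rng = random.Random(seed)
    for i in range(budget):
        if run(bytes(rng.randrange(256) for _ in range(rng.randint(1, 16))))[0]:
            return i            # iteration of the first crash
    return None                 # budget exhausted without a crash

def coverage_guided_fuzz(start: bytes, budget: int, seed: int):
    """Keep every input that reaches a new branch; mutate only corpus members."""
    rng, corpus, seen = random.Random(seed), [start], run(start)[1]
    for i in range(budget):
        parent = corpus[-1] if rng.random() < 0.7 else rng.choice(corpus)
        crashed, hit = run(child := mutate(parent, rng))
        if crashed: return i
        if not hit <= seen:        # new branch reached: keep as a future parent
            seen |= hit
            corpus.append(child)
    return None
```

With the same budget, `blackbox_fuzz(100_000, 1)` never gets past the magic (one chance in 2^32 per try), while `coverage_guided_fuzz(b"hello!!!", 100_000, 1)` walks the magic one byte at a time and then hits the length check, which is exactly the "structured sequencing of the inputs" that feedback buys you.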

------
AsyncAwait
I have to admit, the constant articles with the word 'Russia' in them just to
make you go, 'oh, it must be something super nefarious that they're doing' is
getting a bit on my nerves lately. Report on something worth raising a stink
about or admit that you're just red-baiting.

~~~
jmnicolas
What saddens me is that it works. Most of the people I know don't see through
the propaganda.

~~~
cafard
The very odd thing is how the susceptibility to the name has switched
political sides. Now the populists/conservatives don't want to hear about
Russian stuff, and the liberals are sure that Putin elected Trump. I
caricature, but not by much.

------
chicob
Even if they didn't disclose the source code, they could always reverse
engineer/brute force a single install.

I guess the Pentagon not only did the same thing, it also secured its right to
patch without HPE's knowledge or approval.

If we put ourselves in the shoes of the Russians, they are about to get
software the US already uses, which gives the Pentagon a head start in knowing
the eventual security flaws. Like the US wouldn't use that kind of knowledge
if they wanted...

Also, why do all hacking news graphs/stock images show people in hoodies?

------
philjohn
This is a piece of software that aggregates logs and allows you to look for
patterns to flag up suspicious activity ... it's not like it's the source to
your firewall, total non story.

------
bluesign
This is totally normal practice.

Also most likely ArcSight used by the Pentagon can be a totally different beast than
ArcSight used by private companies.

Also most likely ArcSight doesn't cover most of the US cyberwarfare arsenal.

~~~
heisenbit
ArcSight processes security events. These typically come from devices or
server log files. Events are filtered and tagged with context before being
sent to the server where they are further processed. The primary processing is
correlation done in-memory which is a strength of the product.

Each installation is different - deployment site of probes, filter, tagging
and correlation rules. There is not much to be gained by looking at the code vs.
knowing the Pentagon uses ArcSight.

The one security relevant aspect is the fact that ArcSight processes data from
the internet. Programming errors in that code may contain vectors allowing an
RCE. On the other hand the product has been around for a while and _should_ be
safe.

ArcSight is not only used by the Pentagon but by many tier-1 companies to
monitor their networks. Unless it falls under ITAR companies can sell their
product in whatever manner they like.

------
grandinj
In other news, Ford let Russia inspect the same sedan they sell to the US
Armed Forces!

------
fbelzile
Access to root accounts on some ArcSight boxes only involves challenge-response
codes that we were supposed to get from HPE support. Because of how annoying
this was, a clever ArcSight colleague of mine was able to create a simple Java
program we would run to get the response code ourselves, saving us lots of
time. Not sure exactly how he did it, but it only took him a weekend.

Source code or not, some ArcSight servers were already very vulnerable.
Whether or not that was done on purpose, who knows.

------
l33th4x0r
HP Enterprise (now Micro Focus) has responded to this:
[https://community.saas.hpe.com/t5/Protect-Your-Assets/Nation...](https://community.saas.hpe.com/t5/Protect-Your-Assets/National-Market-Certification-A-common-practice-and-our-high/ba-p/1617529#.WdzYihNSxjI)

------
markh
This appears to be a case of patriotism vs the Almighty Dollar, albeit with
shades of nuance. Is it standard practice for security software vendors to
provide enterprise clients with audit rights? And could a restriction in
future market opportunity lead technology companies to avoid doing business
with the government?

------
shell_scripter
Oh, an article about Russia from US media. I'm surprised they didn't include
the usual stock photos of people in hoodies typing away as matrix text scrolls
behind them.

------
transverse
The real problem is that there seemingly isn't a great FOSS alternative for
ArcSight. Whatever it does couldn't really be that extraordinary.

------
fiokoden
What a joke.

Surely this has completely destroyed the value of this software.

Hard to imagine any good software written by HP anyway.

Don't they employ lowest cost programmers? Heck, they probably designed it using
UML or something silly like that, with hundreds of business analysts and vast
numbers of stakeholder meetings all working to reach consensus, before getting
all those lowest cost programmers to try to write what they think the spec
might mean - all truly inspired software is written this way.

~~~
mugsie
ArcSight was an acquisition if I remember correctly, and it would have avoided
a lot of the HP/E Software issues as a result.

