Ramblings of an old Doc
Pentagon’s Security Software Source Codes Provided to Russian Defense Agency
Published on October 8, 2017 By DrJBHL In Personal Computing

 

Where have we gotten? Seriously. Bravo HP Enterprise. Darwin Award of the century goes to you, hands down.

"Last year, Hewlett Packard Enterprise (HPE) allowed a Russian defense agency to analyze the source code of a cybersecurity software used by the Pentagon, Reuters reports. The software, a product called ArcSight, is an important piece of cyber defense for the Army, Air Force and Navy and works by alerting users to suspicious activity -- such as a high number of failed login attempts -- that might be a sign of an ongoing cyber attack. The review of the software was done by a company called Echelon for Russia's Federal Service for Technical and Export Control as HPE was seeking to sell the software in the country. While such reviews are common for outside companies looking to market these types of products in Russia, this one could have helped Russian officials find weaknesses in the software that could aid in attacks on US military cyber networks." - Engadget

But, no worries...

"HPE told Reuters that reviews are done at an HPE facility under the supervision of HPE staff and that no vulnerabilities were found during this particular review." - Engadget

While it's true this wouldn't allow the GRU to log on to the Pentagon computers, it could make an ongoing attack harder to spot.

This is priceless:

"A Pentagon Defense Information Systems Agency spokesperson told Reuters that HPE didn't let the Pentagon know about the review but that it also wasn't required to. The ArcSight review may not have unearthed any backdoors or resulted in any additional cyber infiltrations, but at the very least it seems that, when it comes to the US military, using popular off-the-shelf security software might be a vulnerability in itself." - Engadget

 

Again...why does this strike me as absolute idiocy?


Comments
on Oct 08, 2017

... Again...why does this strike me as absolute idiocy?

 

Because it is! But what else would you expect from our highly paid "intelligence" officers? rotflmao

on Oct 08, 2017

Money talks and people's safety means not a damn thing. Anywhere else charges of treason would be immediate. 

on Oct 08, 2017


Again...why does this strike me as absolute idiocy?

Hmmm, it reminds me of the slight variation on Murphy's Law:  If anything can go wrong it will... because idiots are running the show.  Yup, if you want something messed up, give it to a politician, a high ranking public servant or a high ranking officer in the military.... cos if anybody knows how to disappoint, it's that bunch.

on Oct 08, 2017

Pentagon contractor lets FSB examine its cyber defenses.

IRS hires Equifax to secure taxpayer data.

 

Yeah, we're pretty much done.  Swamp wins.

on Oct 08, 2017

Entirely normal and believable. Govt contractors typically sell to other countries too. Sometimes there are restrictions on what features they are permitted to offer (particularly in weapons software), sometimes not. This is not unique to HP.

The DOD can of course require the same sort of reviews, or prohibit sale to other countries in any contracts it makes, though that will obviously have an impact on the cost, and there is only so much that can be restricted on software that isn't custom-made.

on Oct 08, 2017


Entirely normal and believable. Govt contractors typically sell to other countries too.

So what you're saying is that gov't contractors could sell to North Korea, Iran and other rogue nations [if they can get away with it]?

Seems to me, the US needs to tighten up its rules and regulations so there are no ifs and buts regarding what gov't contractors can and can't do... once the current idiots are replaced by decision makers who would put in place and oversee better practices.

on Oct 09, 2017

Entirely normal that enemies see source code for security software. I don't think so.

For allies - that would be another matter. Sorry, but normalizing that kind of thing for the almighty buck is prima facie ridiculous.

Think about it: Effective security software for sale to enemies because who would want the enemy hacked, and who wouldn't want our materials and methods to be rendered ineffective?

on Oct 09, 2017

So what you're saying is that gov't contractors could sell to north Korea, Iran and other rogue nations [if they can get away with it]?

If there is no law, sanction, or export control governing the sale? Yes. The US government has been involved with this product for more than a decade; if they wanted to restrict its sale, they'd have done so by now.

This is not military-grade or custom software. It is off-the-shelf big-data reporting software used by a number of financial and medical institutions. It's marketed as security software, and the media is interested in ginning up outrage over that point, but in the end it's just a reporting tool; it only helps with understanding data that is already collected by other systems.

The DOD made the choice to use off-the-shelf software, rather than develop internally or contract custom work. The DOD is well within its rights to demand the same sort of reviews and reject any products it finds insecure, though buying off-the-shelf software does mean there is less governance over who the same software can be sold to in the same manner.

Source code reviews are very common for major off-the-shelf products sold to governments. Microsoft even has policies for that specific purpose--just about any customer big or valuable enough can review the Windows source code, and we know that many of them (such as China) have.

 

For allies - that would be another matter. Sorry, but normalizing that kind of thing for the almighty buck is prima facie ridiculous.

Given what this software actually does, I don't agree that it applies in this case, but you are under the misconception that 'normal and believable' and 'stupid and short-sighted' are mutually exclusive when dealing with governments and large companies.


on Oct 09, 2017

Under no such illogic.

Just know Murphy's Law and HP greed...at all our cost. After all, why would it matter at all if the Pentagon IT (now there's a misnomer) doesn't detect an attack quickly, right?

But oh yeah...bring on deregulation, because corporations have a conscience. lol.

 

on Oct 09, 2017

DrJBHL

corporations have a conscience

An oxymoron if there ever was one.