
McAfee stops allowing governments to review source code

#illshowyoumineifyoushowmeyours

 

This one I got from my COMPTIA SmartBrief newsletter...

 

With all of the current controversy between the US government and Kaspersky, I guess it's only normal for the behavior of American companies to be hidden from mainstream media.

 

Both McAfee and HPE shared source code with Russia with hopes of entering the Russian Market. There is fear this could leave the US vulnerable to cyber security risks.

Quote

American cybersecurity firm McAfee will no longer allow U.S. or foreign governments to review its products’ source code, a company spokesperson confirmed.

 

The disclosure comes after Reuters reported earlier this year that some American technology companies, including McAfee, IBM and others, had complied with Russian requests to review source code in order to gain access to the Russian market.

 

Hewlett Packard Enterprise (HPE) has come under particular scrutiny after it was revealed that it allowed Moscow to review the source code of its ArcSight cybersecurity product, which is used by the Pentagon to secure its systems.

As far as I'm aware, many government agencies and educational establishments have contracts with McAfee. I find it very untrustworthy for the sudden move to hide the source code for an antivirus software at this level. I would imagine these organizations would want to see this code to make sure they knew what was being put on their system.

 

And if I remember correctly, didn't Kaspersky offer to open up their source code to US officials?

 

Quote

It is unclear precisely when McAfee stopped allowing the reviews, though Reuters reported that they stopped after the company spun off from Intel as an independent company at the beginning of April.

 

“The new McAfee has defined all its own new processes, reflecting business, competitive and threat landscapes unique to our space,” a spokesperson said in a statement. “This decision is a result of this transition effort.”

 

McAfee is a global company with headquarters in Santa Clara, Calif.

I wasn't aware of this. Not sure why Intel would want McAfee. Is the decision not to reveal source code an initiative to safeguard Intel vulnerabilities, proprietary information, or other architectures?

 

US officials are very worried that sharing this information with Russia could make US assets more vulnerable. The previous sharing of source code with Russia was to be able to gain access to the Russian Market.... However, HP wanted to join in as well.

 

Quote

Following the reports about Hewlett Packard Enterprise, Sen. Jeanne Shaheen (D-N.H.) wrote to Defense Secretary James Mattis last week expressing “deep concerns” that Russia could use the information to breach U.S. military systems.

 

“HPE’s ArcSight system constitutes a significant element of the U.S. military’s cyber defenses. Therefore, the disclosure of ArcSight’s source code presents FSTEC and other Russian military and intelligence entities with the opportunity to exploit a system used on [Department of Defense] platforms,” Shaheen wrote.

Although McAfee's sharing seems to have a more legitimate base, the HPE actions seem very questionable.

 


We are constantly talking about internet security, and we seem to put a lot of blame on the US government for its faults and leaks... However, maybe the issue isn't the government. Maybe it relies on companies that make poor decisions in hope for economic gain?

 

Quote

HPE insisted in early October that the ArcSight testing was conducted in sites controlled by the company to ensure the products were not compromised and that no vulnerabilities were detected.

“HPE has never and will never take actions that compromise the security of our products or the operations of our customers,” the company said.

Does no one think before acting?

 

 

I cannot find anything specific, but what is the financial incentive in the Russian Market? I'm sure Russian government wouldn't use US companies for cyber security.

 

http://thehill.com/policy/cybersecurity/357333-mcafee-stops-allowing-foreign-source-code-reviews

Link to post
Share on other sites

Who cares, mcafee is more virus than antivirus anyway

Link to post
Share on other sites

27 minutes ago, Cyracus said:

Who cares, mcafee is more virus than antivirus anyway

^^^This^^^

 

My company uses it (god f******* knows why) and last year or two years ago McAfee actually caused computers to lose access to files on their hard drives (windows explorer was frozen) and the poor people who decided to restart their computer got stuck in an endless boot cycle....

 

Our IT guy was so mad. I don't know why he doesn't switch us to something better

Link to post
Share on other sites

so ... government A is scared that government B could find flaws in the code of an antivirus program (or any other software) and use those flaws against A - is this what it boils down to?

 

and who can guarantee that government A does not do the exact same thing already to have an advantage over other governments? 

 

i can completely understand the decision to stop allowing code reviews altogether.

 

either everybody should be allowed to look at the code or nobody at all. simple as that. 

 

 

 

 

 

 

Link to post
Share on other sites

14 minutes ago, KenjiUmino said:

so ... government A is scared that government B could find flaws in the code of an antivirus program (or any other software) and use those flaws against A - is this what it boils down to?

governments love to find flaws in software and build exploits to take advantage of them, don't you remember wannacry? That was an NSA exploit

Link to post
Share on other sites

Just now, Cyracus said:

governments love to find flaws in software and build exploits to take advantage of them, don't you remember wannacry? That was an NSA exploit

dunno why it was called NSA exploit - it's not like they put it in there on purpose.

 

AFAIK the NSA knew that this weakness existed but never told anybody about it so they, and only THEY can benefit from its existence.

 

the "problem" with keeping things like that a secret is that there is always someone else out there that will also find it out sooner or later.

 

the other thing that allowed wannacry to hit so hard was a weakness in layer 8 - the exploit eventually got fixed but users did not keep their shit up to date (and looking at how fucked up and inconvenient windows update works, i can understand why)

 

 

 

 

Link to post
Share on other sites

3 minutes ago, KenjiUmino said:

dunno why it was called NSA exploit - it's not like they put it in there on purpose.

 

AFAIK the NSA knew that this weakness existed but never told anybody about it so they, and only THEY can benefit from its existence.

 

the "problem" with keeping things like that a secret is that there is always someone else out there that will also find it out sooner or later.

 

the other thing that allowed wannacry to hit so hard was a weakness in layer 8 - the exploit eventually got fixed but users did not keep their shit up to date (and looking at how fucked up and inconvenient windows update works, i can understand why)

It was called an NSA exploit because they identified it and made tools to exploit it, those tools got leaked and used to perform the attacks. Not sure what you mean about that windows update inconvenience stuff though, freaking cake walk compared to Linux (though some distros are pretty decent these days)

Link to post
Share on other sites

1 minute ago, Cyracus said:

Not sure what you mean about that windows update inconvenience stuff though, freaking cake walk compared to Linux (though some distros are pretty decent these days)

what i mean is that windows update is really annoying with constant pop up notifications and requiring restarts.

 

downloading and installing updates takes way too long and even after anything is downloaded and "installed" and you finally cave in to windows constantly nagging and begging to be restarted, the OS is usually wasting even more precious time to show a nice slow moving percentage counter during shut down and boot up when it is FINALLY installing updates for real.

 

meanwhile, over on my linux mint laptop, all i ever get is a little icon in the tray telling me that new updates are available (but no popups or anything)

 

i can download and install them when i decide that i have time for it, but i would not mind having it done automatically in the background because it literally does not take half as long as on windows and i don't have to deal with forced or required restarts on linux. it just updates like that. 

 

i call bullshit on all the restartery windows seems to need all the time because on linux i can even update or patch the kernel itself while the system is still running 

 

if linux can do kernel live patching - why does windows "need" to be restarted to update even the most irrelevant programs and services ? why? why did nobody care to do something about this ever since windows fucking NT 4.0 ???

 

Link to post
Share on other sites

The sad thing is, this is all just paranoia. Sharing the source with the government doesn't make it less secure, especially considering anti virus software uses constantly updated virus definition databases and doesn't actually hardcode most of its "weapons".

Link to post
Share on other sites

1 hour ago, KenjiUmino said:

either everybody should be allowed to look at the code or nobody at all. simple as that. 

If nobody is allowed, someone will still find a flaw and exploit that.  If everyone is allowed, more people are looking into flaws instead of a small team of coders who are likely to miss their faults because they made them in the first place. 

 

If Lastpass hadn't been open-source, Tavis Ormandy wouldn't have found so many issues with it and allowed them to fix them. 

Signal is open source and generally considered the most secure private messaging platform.

Linux has an army of neckbeards checking for vulnerabilities and ready to jump on any problem that gets reported.  That's why a vulnerability that is found on Saturday evening will usually be patched by Sunday morning. 

 

Security through obscurity rarely ever works out in the long term. 

Link to post
Share on other sites

5 minutes ago, KenjiUmino said:

what i mean is that windows update is really annoying with constant pop up notifications and requiring restarts.

 

downloading and installing updates takes way too long and even after anything is downloaded and "installed" and you finally cave in to windows constantly nagging and begging to be restarted, the OS is usually wasting even more precious time to show a nice slow moving percentage counter during shut down and boot up when it is FINALLY installing updates for real.

 

meanwhile, over on my linux mint laptop, all i ever get is a little icon in the tray telling me that new updates are available (but no popups or anything)

 

i can download and install them when i decide that i have time for it, but i would not mind having it done automatically in the background because it literally does not take half as long as on windows and i don't have to deal with forced or required restarts on linux. it just updates like that. 

 

i call bullshit on all the restartery windows seems to need all the time because on linux i can even update or patch the kernel itself while the system is still running 

 

if linux can do kernel live patching - why does windows "need" to be restarted to update even the most irrelevant programs and services ? why? why did nobody care to do something about this ever since windows fucking NT 4.0 ???

 

Let's compare two completely different kernels that couldn't be farther apart and then complain about it. Linux kernel was designed to be modular/separated from the start, the Windows kernel was designed to integrate with everything from the start. They're two entirely separate things.

Link to post
Share on other sites

22 minutes ago, KenjiUmino said:

if linux can do kernel live patching - why does windows "need" to be restarted to update even the most irrelevant programs and services ? why? why did nobody care to do something about this ever since windows fucking NT 4.0 ???

Backwards compatibility. Windows NT was not built as a unix-like and it's too late to convert it now. Windows really does need the reboot.

Link to post
Share on other sites

20 minutes ago, DeadEyePsycho said:

Let's compare two completely different kernels that couldn't be farther apart and then complain about it. Linux kernel was designed to be modular/separated from the start, the Windows kernel was designed to integrate with everything from the start. They're two entirely separate things.

i know. i just wanted to point out some of the reasons why users might disable automatic windows updates. you know ... that rant was from a user's perspective.

 

the difference on the front end is basically this: 

 

updates.jpg

"OH COOL, new updates, let's install this stuff while i wait for my video to finish encoding"

 

img-1.jpg

 

"OH NO, please, i don't have time for that shit. can't afford a restart now that will fuck up my encode job"

 

and THIS needs to improve on windows

Link to post
Share on other sites

43 minutes ago, Sauron said:

The sad thing is, this is all just paranoia. Sharing the source with the government doesn't make it less secure, especially considering anti virus software uses constantly updated virus definition databases and doesn't actually hardcode most of its "weapons".

I would agree with this.

 

I hate McAfee, and still don't know why Intel wanted them.

 

As for the source code... If one antivirus is the weak link on your chain, then you've got some serious issues.

 

With the rise in cyber attacks (what was it, rabbid rabbit or something like that recently) and no clue of origination, you're left with a bunch of people starting another cold war.

 

No country trusts another. Each one is there to be the first to knock the others down...

 

As an end user, I really don't know if I want software on my system like an antivirus that goes from being ok with sharing source code to not. Last thing anyone wants is another garbage software data mining.

 

The HP thing blows my mind. They are supposed to be near the pinnacle of professional competing services, and to make a rookie mistake is crazy. Granted we're probably missing a bunch of context, but still, why would you jeopardize security like that. So irritating.

 

Does anyone really care about our security online other than our individual selves?

 

 

Anyone with McAfee concerned with any of this?

 

The end is nigh. Maybe games like PUBG are getting us trained for the best future /s.

Link to post
Share on other sites

As far as Linux update scheme vs. Win. Generally even to get Linux installed takes a little more know-how than Win. Run on a VM, dual boot, separate partitions, what about system resources to allocate to it? For those reasons and more, I think it's fairly assumed those running Linux are a bit more tech savvy than the average person. So, maybe it's assumed the Linux crowd will proactively check more frequently for updates. Making some assumptions, but I think probably pretty valid ones.

As far as personal security. All our infos are so spread out all over the place, I'm not even sure hacking is needed anymore. Surprised somebody doesn't just build an advanced scraper to take publicly available info for a target/crowd and run with it. You could probably do just as much damage. I'll personally still update and use best practices, how effective even is that anymore?

Link to post
Share on other sites

How about this: Governments stop spying on citizens and other governments and companies, and actually do what they are supposed to be doing in the first place, make the lives of the people who put them in charge; easier, safer and protect them.

Link to post
Share on other sites

49 minutes ago, DroidIt! said:

Generally even to get Linux installed takes a little more know-how than Win. Run on a VM, dual boot, separate partitions, what about system resources to allocate to it?

????

 

Installing the popular Linux distros entails inserting a bootable USB drive, clicking next a few times, entering a username and selecting some minor options from a simple GUI like time zone and which disk to install on. No more difficult than installing windows....

Link to post
Share on other sites

1 minute ago, Humbug said:

????

 

Installing the popular Linux distros entails inserting a bootable USB drive, clicking next a few times, entering a username and selecting some minor options from a simple GUI like time zone and which disk to install on. No more difficult than installing windows....

Agreed. :) It's simple for setup after first boot. Most people I know don't go through the trouble because they either need to set up a VM or partition. Sure a clean install is simple, but most people would rather not wipe Win off their machines for Linux. Heck, I won't do it because gaming.

Link to post
Share on other sites

8 hours ago, TVwazhere said:

Our IT guy was so mad. I don't know why he doesn't switch us to something better

Typically AV companies do bidding with businesses or governments and more often than not, they prefer the ones offering it very cheap. I think the top ranking enterprise AVs are more expensive than let’s say McAfee. But as the WannaCry ransomware infection has proven, only 30% of AVs were able to detect and block WannaCry even without signatures and McAfee isn’t one of them.

Link to post
Share on other sites

11 hours ago, NvidiaIntelAMDLoveTriangle said:

How about this: Governments stop spying on citizens and other governments and companies, and actually do what they are supposed to be doing in the first place, make the lives of the people who put them in charge; easier, safer and protect them.

I would be more worried about companies. They are the ones with databases full of all of your information. And when they refuse to show how and what their methods are, then it's time to worry.

Link to post
Share on other sites

18 hours ago, TVwazhere said:

Our IT guy was so mad. I don't know why he doesn't switch us to something better

it costs money in the new software and paying someone to do it.

 

Link to post
Share on other sites

1 minute ago, vorticalbox said:

it costs money in the new software and paying someone to do it.

 

Plus, probably making sure it didn't interfere with your previously existing software. McAfee just slowed everything down. It won't flag anything for viruses because it super sucks.

Link to post
Share on other sites

33 minutes ago, Ryujin2003 said:

Plus, probably making sure it didn't interfere with your previously existing software. McAfee just slowed everything down. It won't flag anything for viruses because it super sucks.

tbh recently windows defender has had very good results, https://chart.av-comparatives.org/chart1.php

as you can see Microsoft blocked 99.7% of malware tested and the last 0.3% was down to user choice.

 

That's very good for something that Microsoft built.
