
Thursday, December 29, 2016

US government pushed tech firms to hand over source code

Obtaining a company's source code makes it radically easier to find security flaws and vulnerabilities for surveillance and intelligence-gathering operations.

The US courthouse in Washington DC which houses the secret Foreign Intelligence Surveillance Court, which authorizes the government's surveillance operations.

NEW YORK -- The US government has made numerous attempts to obtain source code from tech companies in an effort to find security flaws that could be used for surveillance or investigations.

The government has demanded source code in civil cases filed under seal but also by seeking clandestine rulings authorized under the secretive Foreign Intelligence Surveillance Act (FISA), a person with direct knowledge of these demands told ZDNet. We're not naming the person as they relayed information that is likely classified.

With these hearings held in secret and away from the public gaze, the person said that the tech companies hit by these demands are losing "most of the time."

When asked, a spokesperson for the Justice Dept. acknowledged that the department has demanded source code and private encryption keys before. In a recent filing against Apple, the government cited a 2013 case where it won a court order demanding that Lavabit, an encrypted email provider said to have been used by whistleblower Edward Snowden, must turn over its source code and private keys. The Justice Dept. used that same filing to imply it would, in a similar effort, demand Apple's source code and private keys in its ongoing case in an effort to compel the company's help in unlocking an iPhone used by the San Bernardino shooter.

Asked whether the Justice Dept. would demand source code in the future, the spokesperson declined to comment.

It's not uncommon for tech companies to refer to their source code as the "crown jewel" of their business. The highly sensitive code can reveal future products and services. Source code can also be used to find security vulnerabilities and weaknesses that government agencies could use to conduct surveillance or collect evidence as part of ongoing investigations.

Given to a rival or an unauthorized source, the damage can be incalculable.

We contacted more than a dozen tech companies in the Fortune 500. Unsurprisingly, none would say on the record if they had ever received such a request or demand from the government.

Cisco said in an emailed statement: "We have not and we will not hand over source code to any customers, especially governments."

IBM referred to a 2014 statement saying that the company does not provide "software source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data." A spokesperson confirmed that the statement is still valid, but did not comment further on whether source code had been handed over to a government agency for any other reason.

Microsoft, Juniper Networks, and Seagate declined to comment.

Dell and EMC did not comment at the time of publication. Lenovo, Micron, Oracle, Texas Instruments, and Western Digital did not respond to requests for comment. (If this changes, we will provide updates.)

Apple's software chief Craig Federighi said in a sworn court declaration this week, filed alongside the company's latest bid to dismiss the government's claims in the San Bernardino case, that Apple has never revealed its source code to any government.

"Apple has also not provided any government with its proprietary iOS source code," wrote Federighi.

"While governmental agencies in various countries, including the United States, perform regulatory reviews of new iPhone releases, all that Apple provides in those circumstances is an unmodified iPhone device," he said.

The declaration was in part to allay fears (and the US government's claims) that it had modified iPhone software to agree to China's security checks, which include turning over source code to its inspectors.

But even senior tech executives may not know if their source code or proprietary technology had been turned over to the government, particularly if the order came from the Foreign Intelligence Surveillance Court (FISC).

The secretive Washington DC-based court, created in 1979 to oversee the government's surveillance warrants, has authorized more than 99 percent of all surveillance requests. The court has broad-sweeping powers to force companies to turn over customer data via clandestine surveillance programs and to authorize US intelligence agencies to record an entire foreign country's phone calls, as well as conduct tailored hacking operations on high-value targets.

FISA orders are generally served to a company's general counsel, or a "custodian of records" within the legal department. (Smaller companies that can't afford their own legal departments often outsource their compliance to third-party companies.) These orders are understood to be typically for records or customer data.

These orders are so highly classified that simply acknowledging an order's existence is illegal; even a company's chief executive or members of the board may not be told. Only those who are necessary to execute the order would know, and they would be subject to the same secrecy provisions.

Given that Federighi heads the division, it would be almost impossible to keep from him the existence of a FISA order demanding the company's source code.

It would not be the first time that the US government has reportedly used proprietary code and technology from American companies to further its surveillance efforts.

Top secret NSA documents leaked by whistleblower Edward Snowden, reported in German magazine Der Spiegel in late 2013, have suggested some hardware and software makers were compelled to hand over source code to assist in government surveillance.

The NSA's catalog of implants and software backdoors suggests that some companies, including Dell, Huawei, and Juniper -- which was publicly linked to an "unauthorized" backdoor -- had their servers and firewall products targeted and attacked through various exploits. Other exploits were able to infiltrate the firmware of hard drives manufactured by Western Digital, Seagate, Maxtor, and Samsung.

Last year, antivirus maker and security firm Kaspersky found evidence that the NSA had obtained source code from a number of prominent hard drive makers -- a claim the NSA denied -- to quietly install software used to eavesdrop on the majority of the world's computers.

"There is zero chance that someone could rewrite the [hard drive] operating system using public information," said one of the researchers.


Wednesday, November 23, 2016

Want a custom-built Raspberry Pi? Firms get to bake their own

Businesses will be able to tailor the $35 credit-card sized board to suit anything from Internet of Things devices to consumer appliances.

The Raspberry Pi 2.

The Raspberry Pi started out as a computer to get kids to code, but its low cost and hackability have won over seven million users of all ages.

Now a new way to buy the boards has paved the way for businesses to get serious about using the Pi and start building it into a host of new products.

Firms will be able to order bespoke versions of the credit-card sized machine - customised to control a production line, drive a consumer appliance or whatever else takes their fancy.

The decision to make tailor-made Raspberry Pis available to organisations ordering more than 3,000 boards was taken following repeated requests from firms that already build around the Pi.

"Right now we've got about one million units per year of Raspberry Pi going into other products - being used in industrial, embedded or consumer devices," said Raspberry Pi co-creator Eben Upton.

Many of these businesses create prototype products and appliances using the Raspberry Pi compute module, which packs the processor and memory of the Pi onto a slim board the size of a memory module.

But there is a limit to how scalable a product run is if it relies on a Pi compute module plugged into a separate board, said Upton, adding that once firms hit that wall they can now switch to a custom board.

"We've never had an order for more than 20,000 compute modules from any given customer. We're aware there's a volume point where people start to get reluctant to have this two-board solution. It's really trying to provide that next rung up."

Raspberry Pi boards are also already used as the basis for an increasing range of products, from the pi-top laptop to the Pi-Raq appliance for monitoring servers. Upton's even spotted the Pi in products whose price tag dwarfs that of the machine.

"Last year I was in a factory and saw a piece of really expensive telecoms hardware being built with a Raspberry Pi as a controller. That's $50,000 of telecoms hardware being controlled by a $35 Raspberry Pi," he said.

"That was really nice because that suggested that people aren't buying the Pi because it's cheap anymore, they're buying it because it's stable."

Upton said that firms prototype using the Pi because it's "cheap and available" but are compelled to use the board in the final product by the platform's stability, forged by years of scrutiny from the Pi's millions of users.

The custom option will let firms tweak the Pi's hardware to better suit their needs. Changes can include reconfiguring the board layout, adding functionality such as new I/O, wireless connectivity or integrated power management, and swapping out interfaces. Previously, making such changes would typically require investing in bulky add-on boards - something firms may be loath to do.

"This gives you a way of doing it in a better form factor and obviously because you're integrating it all onto one board you can do it at a more attractive cost point," said Upton.

"Even a little bit of customisation can suddenly mean the Pi's perfect for a vertical."

Customisations needn't be complex: since the soft launch of the bespoke service in June this year, the simplest request received has been to rotate the Ethernet port by 90 degrees. In that time the majority of custom orders have been from small and medium-sized businesses.

Any of the Raspberry Pi boards - generation one or two, model A or B, the compute module, the camera or display boards - can be customised, and the only restrictions mentioned relate to the Pi's GPU, which cannot be changed.

To produce the custom boards, the Raspberry Pi Foundation, the charity behind the Pi, has teamed up with electronics distributor element14, which will design and manufacture these one-off boards. Some customisations may require an order of at least 5,000, with the lower limit depending on the nature of the change.

Upton admits that he doesn't know who the majority of the Pi's business customers are and is looking forward to learning more about exactly who is using the board in their products.

"We wondered whether there's scope for some sort of branding - though I think we might steer away from 'Raspberry Pi Inside', it sounds a bit like another company.

"But we'd love it if people wanted to talk about the fact they're building their businesses and their products on the Raspberry Pi platform."

