India, China Try Import Regulations As Security Tools
An anonymous reader writes "The Register reports that the Chinese government is forcing vendors to cough up the source code to their encryption algorithms before they can sell their equipment to the Chinese government. The EU doesn't seem to like it, but if I were in their position I'd want the same thing."
China's biggest neighbor goes further; another anonymous reader writes "Telco equipment from China could have spyware that gives access to telecom networks in India. The Indian government has officially told mobile operators not to import any equipment manufactured by Chinese vendors, including Huawei and ZTE. The ban order follows concerns raised by the Home Ministry that telecom equipment from some countries could have spyware or malware that gives intelligence agencies across the border access to telecom networks in India. The biggest gainers from the move could be Ericsson, Nokia, and Siemens, which have been losing market share to aggressive Chinese equipment-makers in India."
The only encryption algorithms worth a damn (Score:5, Insightful)
Trust (Score:4, Insightful)
I can't blame the Chinese government for wanting to have the encryption information
Copying (Score:5, Insightful)
If you're going to give your source code to the Chinese, you know for certain they will copy it and never buy a product from you again.
What a novel concept (Score:5, Insightful)
Re:Trust (Score:5, Insightful)
I'm just reminded of the old security-oriented definition of Trust: the person you trust is the person who can break your security. It's a perfectly healthy attitude to trust people (/businesses/nations) as little as possible when the security of your data is at risk. In the arena of IT security, we need less "trust" and more "verify".
Re:The only encryption algorithms worth a damn (Score:4, Insightful)
Re:Trust (Score:1, Insightful)
Nobody wins when no one trusts each other.
It certainly helps maintain some diversity, which is otherwise all but killed off by globalization. Without diversity, there's no competition.
What's the point exactly? (Score:5, Insightful)
Re:The only encryption algorithms worth a damn (Score:2, Insightful)
Regardless of whether that's why they want to view it or not, the net effect is that only robust algorithms will be exported to China. Everybody can get the code to GPG, but that doesn't make the keys invalid.
Re:Trust (Score:2, Insightful)
I can't blame the Chinese government for wanting to have the encryption information ... and I can't blame India for not trusting Chinese technology. Nobody wins when no one trusts each other.
What about the domestic producers of encryption equipment? Don't they stand to gain a little through sales to their government, whether it be India, China, or the U.S.A.?
For my part, I don't understand why any government trusts producers of other countries for their critically sensitive information. In the U.S., we know that our "friends", like Israel, engage in espionage, and I'm pretty sure we spy on them (although I have no evidence to back it up other than fuzzy recollections of news articles over the years). How do I know that a U.S.-produced item doesn't have a back door for NSA to use?
Timing of Indian ban - just in time for 3G auction (Score:4, Insightful)
Yes, India is, like, right now [bbc.co.uk] in the process of auctioning 3G licenses. This will really bring benefits to Ericsson and Nokia Siemens.
Re:What's the point exactly? (Score:4, Insightful)
It should be common sense that you have to verify that the source code you were given actually compiles to a bit-identical executable in order for the exercise to mean anything at all.
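The check the comment above asks for, as an added example that is not part of the original thread: compare the shipped image with one rebuilt from the reviewed source and, on a mismatch, locate where the bytes differ. The image layout, sample bytes and function names are hypothetical and constructed for illustration.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def diff_ranges(a: bytes, b: bytes, gap: int = 8):
    """Byte ranges (end exclusive) where a and b differ; differences closer
    than `gap` bytes apart are merged into one range."""
    ranges = []
    common = min(len(a), len(b))
    for i in range(common):
        if a[i] != b[i]:
            if ranges and i - ranges[-1][1] < gap:
                ranges[-1][1] = i + 1
            else:
                ranges.append([i, i + 1])
    if len(a) != len(b):
        # Bytes that exist in only one of the two images.
        ranges.append([common, max(len(a), len(b))])
    return [tuple(r) for r in ranges]

def verify_rebuild(shipped: bytes, rebuilt: bytes) -> dict:
    """Compare the vendor-shipped image with one rebuilt from reviewed source."""
    if sha256_hex(shipped) == sha256_hex(rebuilt):
        return {"identical": True, "ranges": []}
    return {"identical": False, "ranges": diff_ranges(shipped, rebuilt)}

# Constructed sample images (not real firmware): header, build stamp, code.
CODE = b"\x90" * 32
SHIPPED = b"FWIMG\x00BUILD=2010-04-30T12:00:00" + CODE
REBUILT_SAME = b"FWIMG\x00BUILD=2010-04-30T12:00:00" + CODE
REBUILT_NEW_STAMP = b"FWIMG\x00BUILD=2010-05-01T09:30:00" + CODE
SHIPPED_EXTRA = SHIPPED + b"\x01\x02\x03\x04"  # 4 bytes absent from the rebuild

if __name__ == "__main__":
    for name, shipped, rebuilt in [
        ("same inputs", SHIPPED, REBUILT_SAME),
        ("new build stamp", SHIPPED, REBUILT_NEW_STAMP),
        ("extra shipped bytes", SHIPPED_EXTRA, REBUILT_SAME),
    ]:
        print(name, verify_rebuild(shipped, rebuilt))
```

A hash mismatch alone does not say whether the difference is an embedded build stamp or code that was never in the reviewed source; every reported range has to be explained before the source review says anything about the shipped device.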
big business is all about politics (Score:2, Insightful)
But isn't this strange? They put a ban in place because the Chinese "could have spyware or malware" in their equipment. Isn't this like putting someone in jail because he might do something bad in the future?
Here is my conspiracy theory: big companies export corruption in the developing countries (this is a fact). Some companies could just not compete with the cheap Huawei so they paid officials for the ban. Problem solved! Either this or the Chinese really have spyware on their machines.
Re:The only encryption algorithms worth a damn (Score:3, Insightful)
If only the State governments were that smart. Who the hell knows what's inside the Diebold voting machines? When working with the Defense Department we're expected to provide all the code for review.
Comment removed (Score:3, Insightful)
Re:Trust (Score:5, Insightful)
Au contraire, when it comes to security, everyone wins when no one trusts each other.
The Chinese move, at least, is long overdue. No one should ever trust a device whose source code is secret.
Re:What's the point exactly? (Score:4, Insightful)
Re:China good, India bad (Score:1, Insightful)
I would recommend that every government, company or institution use devices, especially network devices, only if they can review, and then compile themselves, the code which is to be run in the device.
So as to avoid Trojan Boot Loaders within their networks.
Re:The only encryption algorithms worth a damn (Score:3, Insightful)
The effect of giving the Windows source code to China seems to have been that people in China used it to break into Google and tens of other major corporations. Why should this be any different? There are expert groups in China who will find vulnerabilities in the systems and then, instead of having to have trojanised equipment from their own vendors, they will be able to attack the other vendor's equipment just as well.
What's really funny is that India is stopping buying Chinese-made telco equipment whilst other countries like the US, also great friends of China (when will you stop blocking their discipline against the rebel province of Taiwan???), still continue to buy Chinese.
Re:big business is all about politics (Score:3, Insightful)
But the Indian government is not buying the stuff. It's the telecom operators that buy it and use it to sell services to regular citizens. The government could buy trusted equipment for their needs.
The telco stuff is the stuff you will use to call for help and communicate during a war. Since the idea of total war [wikipedia.org] it has been clear that your civilian infrastructure may be targeted in war. The idea of something which lets your opposition remotely disable most of your industrial capacity is crazy. That's what Chinese exchanges represent for India.
same thing happened in manufacturing... (Score:3, Insightful)
In the 80's and 90's, American manufacturers gave away their technology to the Chinese to get a piece of the huge Chinese market. This allowed the Chinese to modernize their manufacturing technology by decades in a few years. Then instead of opening their markets, China flooded the world markets and decimated the foreign competition.
One might hope managers of corporations would learn from the past...
Re:Trust (Score:1, Insightful)
How do I know that a U.S.-produced item doesn't have a back door for NSA to use?
Always assume that it does. If you are wrong, good. If you are right, you are prepared.
Re:Actually it's security as an import regulation (Score:3, Insightful)
The headline suggests that China is using import rules to bolster security. I think it is the other way round. They are using the demand for source code as a barrier to trade to (unfairly) help domestic firms. Not very many overseas firms are going to provide source code, leaving the market open to Chinese firms.
I would agree with you if you didn't say "(unfairly)".
Access to source code is a legitimate security concern. Fair trade doesn't mean that you can't set high standards if foreign providers can't reach them.
Re:Good India is worried on this instead of sewage (Score:3, Insightful)