Do you know where your software comes from?
Credit to Author: Susan Bradley| Date: Mon, 14 Mar 2022 08:56:00 -0700
Where does your software come from?
That’s one of the questions online users at AskWoody.com have asked in recent weeks. Obviously, this comes up as the world sees what’s going on in Ukraine. For many years, one security software vendor in particular was tagged as possibly having Russian ties — and as far back as 2017, the US Government banned the use of Kaspersky antivirus over fears the security software could spy on defense contractors for Russia.
The concern over foreign software isn’t new. In 2018, the Pentagon put together a “do not buy” list of software companies anyone working with defense contractors should avoid. Specifically, defense officials wanted to ensure that no software with Chinese or Russian provenance would be purchased. Often, to sell software in a particular country, vendors have to provide source code or additional information. But it’s often hard to know exactly where software is coded, given the world-wide nature of technology. Case in point: I once used software in my office network that was sold by Microsoft but partially coded in Shanghai. It’s enough to make you think of the potential code written in places that your country might not have the greatest of relationship with.
The most obvious one that comes to mind is the Russian firm Kaspersky, which has been gotten a lot of complaints about its lack of response to the Ukrainian crisis. For many years, the company’s ties to the Russian government have been a concern. I’ve even wondered about other pieces of software I’ve purchased over the years.
For example, there are password-cracking programs built by developers (or even entire firms) located in Russia. For many years, I’ve used software from Elcomsoft for various tools to break into various software for legitimate reasons. In my firm, we examine various types of files without access to the passwords needed to open them. Rather than play games with attorneys, we’ve found it easier to just use various tools to break the passwords. While some, such as Word documents, may take a long time to crack — and you might need specialized equipment to make the process faster — basic, everyday business software like QuickBooks is relatively easy to break into. Let this be a lesson: never consider your QuickBooks files protected if you lose them because they’re password-protected. Online tools can remove the password and prompt for a new one to be set up; that still gives me full access to a file you thought was protected. For me, these password-cracking tools are for business, not hacking. But the fact that many of these tools come from firms connected to Russia does gives me pause. Even though the firm appears to have relocated to Czechoslovakia, it still leaves me wondering.
Other companies are asking whether they should provide services to Russian firms. Avast antivirus, for example, has openly stated it will no longer offer products to Russian customers. Microsoft has said it will not sell new services to customers in Russia, stopping short of stating it will cut off services to anyone with existing contracts. Microsoft hasn’t yet taken the drastic step of cutting off Windows updates or continuing support and maintenance for existing operating systems.
Microsoft has often opened up its crown jewel source code to government agencies to get sign-off from various governments. Over the years, there have been a number of times hackers have been able to access to the Microsoft source code to study how Windows works at a deeper level. So, even our core Windows operating system has been closely examined by Russian software engineers over the years, even if the underlying software hasn’t been written there.
What should you do if you’re concerned about a software vendor? First, do your due diligence and research where your vendors, and their employees, are located. Clearly, it’s a personal decision to support or sanction a vendor based on their actions or government connections. Use your dollars to find tech vendors that act ethically and responsibly.
Secondly, uninstall potentially problematic software from your system and ensure there are no traces left. Often, vendors are a bit messy when they install software and don’t clean up after themselves. I’ve often had to rely on Revo Uninstaller to clean up after a messy vendor. It’s a good idea to keep this tool in mind when uninstalling software. Many times, registry keys and files are left behind, as are vulnerabilities that won’t be patched. While you don’t need to take the drastic step of reinstalling your operating system, it’s relatively easy to rebuild a computer from scratch with Windows 10. If your computer comes from a major vendor, you can easily download any drivers needed once you rebuild the system.
Even hardware needs to be examined; you may find that a specific laptop or device is built in a country you aren’t comfortable doing business with. (I use a Lenovo laptop even though there have been concerns from some that it could be a source of cyber risk; Lenovo purchased the PC and server businesses from IBM in 2005 and 2014, restively.)
Bottom line: research where your software is coded and where your hardware is built. This isn’t always easy. Vendors can hide where their offices are located and may use a workforce that’s disbursed around the world. You may have to ask on support forums where a vendor is really located. These days, software can, and usually is, coded anywhere. You might be surprised that your favorite tool isn’t developed where you thought it was.
http://www.computerworld.com/category/security/index.rss