FBI Software For Analyzing Fingerprints Contains Russian-Made Code, Whistleblowers Say (buzzfeed.com) 174
schwit1 shares an exclusive report via BuzzFeed: The fingerprint-analysis software used by the FBI and more than 18,000 other U.S. law enforcement agencies contains code created by a Russian firm with close ties to the Kremlin, according to documents and two whistleblowers. The allegations raise concerns that Russian hackers could gain backdoor access to sensitive biometric information on millions of Americans, or even compromise wider national security and law enforcement computer systems. The Russian code was inserted into the fingerprint-analysis software by a French company, said the two whistleblowers, who are former employees of that company. The firm -- then a subsidiary of the massive Paris-based conglomerate Safran -- deliberately concealed from the FBI the fact that it had purchased the Russian code in a secret deal, they said. The Russian company whose code ended up in the FBI's fingerprint-analysis software has Kremlin connections that should raise similar national security concerns, said the whistleblowers, both French nationals who worked in Russia. The Russian company, Papillon AO, boasts in its own publications about its close cooperation with various Russian ministries as well as the Federal Security Service -- the intelligence agency known as the FSB that is a successor of the Soviet-era KGB and has been implicated in other hacks of U.S. targets.
Cybersecurity experts said the danger of using the Russian-made code couldn't be assessed without examining the code itself. But "the fact that there were connections to the FSB would make me nervous to use this software," said Tim Evans, who worked as director of operational policy for the National Security Agency's elite cyberintelligence unit known as Tailored Access Operations and now helps run the cybersecurity firm Adlumin. The FBI's overhaul of its fingerprint-recognition technology, unveiled in 2011, was part of a larger initiative known as Next Generation Identification to expand the bureau's use of biometrics, including face- and iris-recognition technology. The TSA also relies on the FBI fingerprint database.
Cybersecurity experts said the danger of using the Russian-made code couldn't be assessed without examining the code itself. But "the fact that there were connections to the FSB would make me nervous to use this software," said Tim Evans, who worked as director of operational policy for the National Security Agency's elite cyberintelligence unit known as Tailored Access Operations and now helps run the cybersecurity firm Adlumin. The FBI's overhaul of its fingerprint-recognition technology, unveiled in 2011, was part of a larger initiative known as Next Generation Identification to expand the bureau's use of biometrics, including face- and iris-recognition technology. The TSA also relies on the FBI fingerprint database.
This is getting ridiculous (Score:5, Insightful)
This anti-Russia hysteria is really jumping the shark about now. A Russian company makes biometric software. Naturally, being Russian, they have 'close ties to the Kremlin', and are no doubt putting in nefarious backdoors to purloin the biometric data of unsuspecting Americans. Because, you know, Russia.
This is worse than the Kaspersky stupidity, which is saying something.
Re: (Score:2)
Except closed source from say Microsoft is no better than from a Russian company.
That depends on your perspective and nationality to some extent.
As a US citizen, I would trust Russian software more than US-produced software if I'm more concerned with securing my data and communications against the US government's domestic spying than I am the FSB actually caring anything at all about me individually. I'm far, far more likely to be personally harmed by and have far, far more to fear from the US government than the Russians or anyone else, for that matter.
Having been born in the '50s and
Re:This is getting ridiculous (Score:4, Insightful)
Re: (Score:1)
won't happen. the sheeples that buy whatever the administration feeds them have to have their cheap chinese imports.. and any ban or action against any manufacturer or developer there would threaten the availability of such products.
Re: (Score:2)
won't happen. the sheeples that buy whatever the administration feeds them have to have their cheap chinese imports.. and any ban or action against any manufacturer or developer there would threaten the availability of such products.
Well then you should be cheering Trump and falling over backwards with his idea that the exporting of labor and manufacturing to 3rd world countries and China is a shit thing for Americans. No wait, I'm sure you're 100% against that now because Trump right?
Re: (Score:2)
I might be cheering Trump - if he actually were to do anything about it. Sure, he got big tax cuts for corporations - but so far has done nothing to stop them from exporting jobs.
And just because I might agree about the harm done by cheap imports doesn't mean I have to cheer a President who tells 180 degree false lies essentially constantly.
Re: (Score:2)
I might be cheering Trump - if he actually were to do anything about it. Sure, he got big tax cuts for corporations - but so far has done nothing to stop them from exporting jobs.
No? Guess you haven't been paying attention. Those tax cuts are one part of it, the other part that you probably didn't hear because the media didn't report on it was the economic outline strategy to remove the trade imbalance with China that are already in-force. AKA using the existing tools and not operating a government-by-fiat like Obama did.
And just because I might agree about the harm done by cheap imports doesn't mean I have to cheer a President who tells 180 degree false lies essentially constantly.
And what lies are those? And what are you going to do with the extra $2k in your paycheque? Think Obama gave that to you? How about you no longer being forced
Re:This is getting ridiculous (Score:4, Interesting)
Even better would be to just go open source, without regard for the country of origin. As long as we can read the code, we can see for ourselves if it is compromised. Why should "fingerprint analysis" need to be proprietary?
Re:This is getting ridiculous (Score:4, Insightful)
The left wing isn't anti-Russia at all, only the center (Clinton) wing. His pro-Russia agenda was the only thing I liked about Trump, and it stood in clear contrast to Clinton's desire to create a new cold war and portray herself as the next Ronald Reagan. The left wing has always been against ballooning military spending and pointless international antagonism/interference.
Re: (Score:2)
Speaking for the left wing, we don't like countries like Russia, with its crony capitalism, its authoritarianism, and its lack of respect for human rights. We do tend to dislike certain kinds of confrontation, and excessive military spending, but that's orthogonal to whether we like a country or not.
Re: (Score:2, Insightful)
Re: (Score:2, Insightful)
Just like the United States of America ...
Re: (Score:3, Interesting)
So any private company in that state writing software must be spies? I mean they could be... But shouldn't that be suggested by some evidence other than their location? I mean, I get it that the oweful summary says Safran bought the code, but doesn't actually say if they bought a license to redistribute or bought the source cod.e Presumably, they can audit the code if they bought the source code. And I find it difficult to believe that Safran would have bought a license to distribute without some fairly
Re: (Score:2)
Re: (Score:2)
To be honest, I'm not real keen on closed-source/proprietary software written in any other country for certain government purposes. Some countries like Russia are more suspect, since we have greater reason to believe in government intervention, but none are above suspicion.
Re: (Score:2)
I hate electing relatives as much as anyone, but it's unfortunately a normal practice in democratic countries around the world. The Bushes were not the first to think of keeping the presidency in the family either. Unfortunately, having a famous name (Bush, Clinton, Trump) gets you halfway to the presidency regardless of qualifications because most voters are idiots.
Re: (Score:2)
Re: (Score:1)
I talked to your trans friend, and she confirms that you are not a biggie.
Re: (Score:2)
In this context, "micro" aggression is quite appropriate.
Re: (Score:3)
Re: (Score:2)
Re: This is getting ridiculous (Score:3)
Anti *Putin* hysteria (Score:1)
Face it, its Putin that's the problem here, blaming this to a wider Russian problem is not correct. Putin fears elections because he jails his opponents, so he isn't representative of the whole of Russia.
What's needed is regime change in Russia.
It's Putin that ordered the attack on the US elections, it's Putin that is cocky enough to threaten the major democracies around the world, it's *Putin*, it's Putin's paymaster that Erick Prince met in the Seychelles, again and again it's Putin and his little circle
Re: (Score:3)
I imagine the Russians themselves are quite happy with the situation. The more Russian scare stories there are circulating, the more likely it is people will get fatigued with hearing them and start tuning out even the important stories - like Russian election interference.
Re:This is getting ridiculous (Score:5, Insightful)
A russian company makes software for analyzing fingerprints...
The FBI have a need to analyze fingerprints, which makes sense given the nature of the organization.
The FSB performs similar roles to the FBI, and thus they have similar requirements.
It makes sense that this company would try to sell their software to as many potential customers as possible. Chances are they are at least trying to sell it to law enforcement and intelligence services in all manner of other countries too.
You just have to do your own sensible due diligence during the procurement process. Insist on buildable sourcecode, thoroughly review what the code does and what else it tries to interact with. If you detect anything nefarious or the company refuses to provide full buildable source, don't do business with them.
Re: (Score:3)
Insist on buildable sourcecode, thoroughly review what the code does and what else it tries to interact with.
That's all well and good but to be perfectly honest a large complex software project is often as difficult to audit for back doors and deliberate weakness in cryptography etc as it would be to write. Honestly its probably smarter to do what you suggest to the degree you can but buy from sources you have more reason to trust.
We probably should have more and resit waiving buy American provisions where the military and intelligence community is concerned.
Re: (Score:2)
This is worse than the Kaspersky stupidity, which is saying something.
Kaspersky identified and tagged the Safran software as highly suspect. Problem solv..... Never mind.
Re: (Score:1)
Disturbing valid potential explanation. They know their own spooks are putting it in outgoing code. CIA department but given that they'd be remiss not to suspect others to do the same thing.
Admittedly no proof but when there is a long history of doing shady shit you are naive to not consider the possibility. The CIA sold drugs in their home country and weapons to non-friendly foreign powers without proper authorization to obtain illicit funding for anti rebels (Iran-Contra).
Software xenophobia has a very bad end state (Score:2)
Re: This is getting ridiculous (Score:2)
Re: (Score:2)
Cold war v2.01
Re: (Score:2)
This anti-Russia hysteria is really jumping the shark about now. A Russian company makes biometric software. Naturally, being Russian, they have 'close ties to the Kremlin', and are no doubt putting in nefarious backdoors to purloin the biometric data of unsuspecting Americans. Because, you know, Russia.
This is worse than the Kaspersky stupidity, which is saying something.
If it's anything like the way the US seems to be heading, they'll have close ties to the Kremlin whether they like it or not. It's even possible they won't know that they have those ties.
Re: (Score:1)
Its really ridiculous. This entire thing came out of a desperate attempt to 1) Excuse / Rationalize Hillary's (the worst candidate of all time) ability to defeat Trump ( the second worst candidate of all time ), 2) Remove a lawfully elected president because he won't go along with some of what the entrenched public service sector / military industrial complex wants.
The military industrial complex is NOT a conspiracy theory. Its a reality the President and former General Eisenhower warned us about. Its no
Re: (Score:3)
You seriously think the military industrial complex has a problem with Trump? Hah. One of his main campaign themes was that he would insist on raising the obscene military budget by even more than Clinton would insist on raising it, and his other main campaign theme was to shower big business in tax breaks and other free money. They couldn't be happier. As for the public service sector, they're not elated that Trump won but they're terrified of him being impeached... Pence is far more ideologically inclined
Yup, the article is garbage. (Score:2)
Well, someone did - Safran.
Re: (Score:2)
History, based on the Soviet archives and the Venona intercepts, has proven McCarthy was broadly and often specifically, correct.
Re: (Score:2)
History has proven that every propaganda frenzy tries to use information with a relation to reality where beneficial, but doesn't really care much.
In this case hacking is a good example: states hack other states all the time. It's the accepted 'normal' state of affairs. When you're building up a campaign part of your agenda will be taken by taking these 'base level nastiness' from your opponent and whipping up mock outrage about them.
It's just part of the toolkit. Another part is innuendo and connecting the
Re: (Score:1)
You're onto something there. The question I think we should be asking though is why wasn't there an audit?
Re: (Score:2)
Think of the trade implications if the USA used secure US software and did not allow EU software equal access to make code for the US gov.
France would be upset at the USA for not considering French software.
Re: (Score:2)
And as it happens, the unnecessarily lengthy article quotes the FBI saying that yes, they did audit the code. The whistleblowers, on the other hand, did not work on the code so they can't actually speak to it's content. Which they aren't, the whistle is being blown because buying Russian code and hiding that fact is a no-no.
Re: (Score:2)
Who knows the ways of the French programmes really well?
The English.
They live next door to France and are subjected to their computer programmes every year.
People working for the FBI should take the French code over to the experts in the UK.
A few months of intensive code work to find the Russian code litter in the French code while staying in the UK should get results for the US.
Re: (Score:2)
Re: (Score:2)
Whats the point of using a French company if the code gets audited in the USA?
Get a few months in France to observe the audit.
Work in a fact-finding mission to Germany, Italy and Ireland to see what French software they use with their police.
Then to the UK to understand why not to trust any French software.
Re: (Score:2)
Re: (Score:2)
Win a French company wins, everyone win. A few flights to the EU over the use and upgrade of that software.
Re: (Score:2)
Aren't we all doomed? (Score:2)
I thought that architecture and the base code in the Linux networking protocol stack was mostly written by some guy in Russia. Can anyone here confirm that?
If true, it therefore must follow that Putin has my browser history. And yours. Also everything we ever did online.
That seems to be about the standard for panic being followed. here.
Re: (Score:2)
Re: (Score:2)
Have the ip ranges of such intrusion attempts from Russia been investigated?
Was the Linux altering code submitted between 9 and 5 Moscow time?
Did the comments to this new Russian code contain any strange languages? Could Russians have been using Linux code comments to communicate with networks deep in the USA for years?
Changes to the Linux could be a direct communications netwo
FBI needs French software? (Score:2)
Do people in the US private sector get invited to work on US law enforcement sensitive software?
Does the FBI not trust US experts with security clearances to write quality code on time for the FBI?
Has the FBI had some bad past experiences software created and supported domestiaclly?
Did the US workers sell or copy code from law enfacement for another nations/criminal groups/their own use so
Re: (Score:1)
I fear you may be looking at this all wrong. Those are all valid questions, but I think you left out one very important one: WHAT WAS THE FBI HIDING BY DOING THIS? It seems obvious to me that the whole point of them getting software from 3rd party foreign nationals is specifically to obscure the auditing process of what they bought, not improve it. It also helps shift the blame away from them too, if you add a heaping dose of plausible deniability.
Re: (Score:2)
Could the French be the only people the FBI could really trust if the project was to sensitive too let US workers near?
Say the US domestically was doing police collect it all and got in a US company with its staff and their own in house legal team.
The US workers might see an integration of voice prints, private/gov/mil CCTV, social media images, private sector databases, passenger/driver faces, fingerprints, US driver's license images, ce
There's a library for that. (Score:1)
in trump america.. (Score:2)
..all roads lead to russia
(about time we start a new meme dont you think?)
Re: (Score:1)
To be fair, I think it's reasonable to expect that our trade partnership with China is much more profitable to them than another cold war. This actually can't really be said for our trade partnership with Russia even on a good day. (And I don't necessarily think that's Russia's fault, but I don't see how this behavior is going to fix anything, either.)
a little to late? (Score:2)
Analyze the code... (Score:5, Insightful)
Just because code is written by russians with connections to the FSB doesn't mean it's necessarily bad...
The fact that russians wrote or at some point had access to the code doesn't automatically give them access to data that the code is later processing, unless there are backdoor in the code allowing them to gain access and there aren't some other mitigating factors (network filters, airgap etc) which prevent them from accessing the backdoor.
Considering that the code analyzes fingerprints, who would have a need for such code? Chances are the FSB need to analyze fingerprints in much the same way the FBI do. It makes sense to collaborate with others who have similar requirements, as this will decrease your development costs. You just need to check the code thoroughly to ensure it works as you want it to. The russians will be doing their own checks during collaborative development, as they will be equally concerned that some of the code was written by people connected to the FBI.
The key point is understanding what your doing, and understanding what code you're running. Who wrote it doesn't matter, so long as it does the job it's supposed to.
Plus consider this, if the FSB wanted to get malicious code onto an american system they would go to great lengths to disguise the origin of the code, which doesn't seem to be the case here.
Re:Analyze the code... (Score:4, Interesting)
US code only worked with modern quality digital images and file formats.
The French used Russian code that could accept fingerprints from old paper files.
The FBI did tests and accepted the French innovations that allows for the accurate importing of old US paper records. The French outsmarted their US competitors by knowing what the FBI wanted.
Re: (Score:2)
Just because code is written by russians with connections to the FSB doesn't mean it's necessarily bad...
The fact that russians wrote or at some point had access to the code doesn't automatically give them access to data that the code is later processing, unless there are backdoor in the code allowing them to gain access and there aren't some other mitigating factors (network filters, airgap etc) which prevent them from accessing the backdoor.
I found it!
Re: (Score:2)
Think that's a problem? (Score:2)
So? (Score:2)
/ we used to joke that in Russia they charged for whitespace
There is much worse thing (Score:5, Funny)
Note that US Army uses algebra to calculate trajectories of ballistic missiles. And algebra was developed in Islamic aliphate in IX century.
BTW, Russians in Kremlin use American software such as Wndows or MS Office. Moreover some years ago Russian President Medvedev accepted an iPhone as a gift from Jobs.
Re: (Score:1)
The system should be air-gapped regardless (Score:2)
Re: (Score:2)
The FBI wants the face on CCTV, the face of a driver and their passenger, social media, cell phone collection, voice prints. Any face doing a first amendment audit in real time.
Such an upgraded networks needs to be ready for a field interview, chat down.
For some reason the FBI thought it would be great to share the keys to all US persons of interest with the French.
Whistleblowers (Score:2)
Note how whisthleblower used to mean someone who exposes internal problems as a last resort to get them fixed , for the greater benefit, and at huge personal cost.
Now every official (anonymous) leaker becomes a whistleblower. The original whistleblower is just a traitor.
These guys, Hala and Desbois, are ex employees who make a problem out of nothing. Why are they considered whistleblowers?
And the rest of the world... (Score:2)
And the rest of the world uses computers, smartphones, cpus and gadgets with software-code partly made in USA... So should the rest of the world stop using technology alltogether?!?
China made electronics (Score:2)
FBI doesn't know about firewalls? (Score:2)
So you're saying the FBI isn't smart enough to be able to put this software in a machine on an untrusted network, and firewall it so that it can only connect to a specific host, and not leak info back to any possible other sites in the world?
It's obvious this is just more Red Baiting, straight from the 1950s. Fsck that noise.
Fun fact... (Score:1)
Re: (Score:2)
Go fuck yourself, you damn dirty ape.
Re: (Score:2)
Hey man, you are good.