Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
×
Software Databases Government Privacy Security United States

FBI Software For Analyzing Fingerprints Contains Russian-Made Code, Whistleblowers Say (buzzfeed.com) 174

Posted by BeauHD from the irony-at-its-finest dept.
schwit1 shares an exclusive report via BuzzFeed: The fingerprint-analysis software used by the FBI and more than 18,000 other U.S. law enforcement agencies contains code created by a Russian firm with close ties to the Kremlin, according to documents and two whistleblowers. The allegations raise concerns that Russian hackers could gain backdoor access to sensitive biometric information on millions of Americans, or even compromise wider national security and law enforcement computer systems. The Russian code was inserted into the fingerprint-analysis software by a French company, said the two whistleblowers, who are former employees of that company. The firm -- then a subsidiary of the massive Paris-based conglomerate Safran -- deliberately concealed from the FBI the fact that it had purchased the Russian code in a secret deal, they said. The Russian company whose code ended up in the FBI's fingerprint-analysis software has Kremlin connections that should raise similar national security concerns, said the whistleblowers, both French nationals who worked in Russia. The Russian company, Papillon AO, boasts in its own publications about its close cooperation with various Russian ministries as well as the Federal Security Service -- the intelligence agency known as the FSB that is a successor of the Soviet-era KGB and has been implicated in other hacks of U.S. targets.

Cybersecurity experts said the danger of using the Russian-made code couldn't be assessed without examining the code itself. But "the fact that there were connections to the FSB would make me nervous to use this software," said Tim Evans, who worked as director of operational policy for the National Security Agency's elite cyberintelligence unit known as Tailored Access Operations and now helps run the cybersecurity firm Adlumin. The FBI's overhaul of its fingerprint-recognition technology, unveiled in 2011, was part of a larger initiative known as Next Generation Identification to expand the bureau's use of biometrics, including face- and iris-recognition technology. The TSA also relies on the FBI fingerprint database.
This discussion has been archived. No new comments can be posted.

FBI Software For Analyzing Fingerprints Contains Russian-Made Code, Whistleblowers Say More

FBI Software For Analyzing Fingerprints Contains Russian-Made Code, Whistleblowers Say

Comments Filter:

  • This is getting ridiculous (Score:5, Insightful)

    by sgage ( 109086 ) on Wednesday December 27, 2017 @11:37PM (#55819583)

    This anti-Russia hysteria is really jumping the shark about now. A Russian company makes biometric software. Naturally, being Russian, they have 'close ties to the Kremlin', and are no doubt putting in nefarious backdoors to purloin the biometric data of unsuspecting Americans. Because, you know, Russia.

    This is worse than the Kaspersky stupidity, which is saying something.

    • Re:This is getting ridiculous (Score:4, Insightful)

      by hcs_$reboot ( 1536101 ) on Wednesday December 27, 2017 @11:42PM (#55819605)
      Absolutely. They should worry at least as much about all the stuff made in China (and there is a lot).

      • Re: (Score:1)

        by Anonymous Coward

        won't happen. the sheeples that buy whatever the administration feeds them have to have their cheap chinese imports.. and any ban or action against any manufacturer or developer there would threaten the availability of such products.

        • Re: (Score:2)

          by Mashiki ( 184564 )

          won't happen. the sheeples that buy whatever the administration feeds them have to have their cheap chinese imports.. and any ban or action against any manufacturer or developer there would threaten the availability of such products.

          Well then you should be cheering Trump and falling over backwards with his idea that the exporting of labor and manufacturing to 3rd world countries and China is a shit thing for Americans. No wait, I'm sure you're 100% against that now because Trump right?

          • Re: (Score:2)

            by Rob Y. ( 110975 )

            I might be cheering Trump - if he actually were to do anything about it. Sure, he got big tax cuts for corporations - but so far has done nothing to stop them from exporting jobs.

            And just because I might agree about the harm done by cheap imports doesn't mean I have to cheer a President who tells 180 degree false lies essentially constantly.

            • Re: (Score:2)

              by Mashiki ( 184564 )

              I might be cheering Trump - if he actually were to do anything about it. Sure, he got big tax cuts for corporations - but so far has done nothing to stop them from exporting jobs.

              No? Guess you haven't been paying attention. Those tax cuts are one part of it, the other part that you probably didn't hear because the media didn't report on it was the economic outline strategy to remove the trade imbalance with China that are already in-force. AKA using the existing tools and not operating a government-by-fiat like Obama did.

              And just because I might agree about the harm done by cheap imports doesn't mean I have to cheer a President who tells 180 degree false lies essentially constantly.

              And what lies are those? And what are you going to do with the extra $2k in your paycheque? Think Obama gave that to you? How about you no longer being forced

      • Re:This is getting ridiculous (Score:4, Interesting)

        by ShanghaiBill ( 739463 ) on Thursday December 28, 2017 @01:08AM (#55819915)

        Even better would be to just go open source, without regard for the country of origin. As long as we can read the code, we can see for ourselves if it is compromised. Why should "fingerprint analysis" need to be proprietary?

    • Re: (Score:3)

      by AHuxley ( 892839 )
      A Russia story a day keeps the US gov happy.

    • Anti *Putin* hysteria (Score:1)

      by Anonymous Coward

      Face it, its Putin that's the problem here, blaming this to a wider Russian problem is not correct. Putin fears elections because he jails his opponents, so he isn't representative of the whole of Russia.

      What's needed is regime change in Russia.

      It's Putin that ordered the attack on the US elections, it's Putin that is cocky enough to threaten the major democracies around the world, it's *Putin*, it's Putin's paymaster that Erick Prince met in the Seychelles, again and again it's Putin and his little circle

    • I imagine the Russians themselves are quite happy with the situation. The more Russian scare stories there are circulating, the more likely it is people will get fatigued with hearing them and start tuning out even the important stories - like Russian election interference.

    • Re:This is getting ridiculous (Score:5, Insightful)

      by Bert64 ( 520050 ) <bert@[ ]shdot.fi ... m ['sla' in gap]> on Thursday December 28, 2017 @01:07AM (#55819911) Homepage

      A russian company makes software for analyzing fingerprints...

      The FBI have a need to analyze fingerprints, which makes sense given the nature of the organization.
      The FSB performs similar roles to the FBI, and thus they have similar requirements.

      It makes sense that this company would try to sell their software to as many potential customers as possible. Chances are they are at least trying to sell it to law enforcement and intelligence services in all manner of other countries too.

      You just have to do your own sensible due diligence during the procurement process. Insist on buildable sourcecode, thoroughly review what the code does and what else it tries to interact with. If you detect anything nefarious or the company refuses to provide full buildable source, don't do business with them.

      • Re: (Score:3)

        by DarkOx ( 621550 )

        Insist on buildable sourcecode, thoroughly review what the code does and what else it tries to interact with.

        That's all well and good but to be perfectly honest a large complex software project is often as difficult to audit for back doors and deliberate weakness in cryptography etc as it would be to write. Honestly its probably smarter to do what you suggest to the degree you can but buy from sources you have more reason to trust.

        We probably should have more and resit waiving buy American provisions where the military and intelligence community is concerned.

    • This is worse than the Kaspersky stupidity, which is saying something.

      Kaspersky identified and tagged the Safran software as highly suspect. Problem solv..... Never mind.

    • Re: (Score:1)

      by Anonymous Coward

      Disturbing valid potential explanation. They know their own spooks are putting it in outgoing code. CIA department but given that they'd be remiss not to suspect others to do the same thing.

      Admittedly no proof but when there is a long history of doing shady shit you are naive to not consider the possibility. The CIA sold drugs in their home country and weapons to non-friendly foreign powers without proper authorization to obtain illicit funding for anti rebels (Iran-Contra).

    • for the U.S. The vast majority of the world's software is made and sold by U.S. companies. If these software paranoia stories incite a global panic so that every country only "trusts" software made domestically, the biggest loser is going to be the U.S.
    • Can you prove they don't have close ties to the Kremlin?

    • Re: (Score:2)

      by Megol ( 3135005 )

      Cold war v2.01

    • This anti-Russia hysteria is really jumping the shark about now. A Russian company makes biometric software. Naturally, being Russian, they have 'close ties to the Kremlin', and are no doubt putting in nefarious backdoors to purloin the biometric data of unsuspecting Americans. Because, you know, Russia.

      This is worse than the Kaspersky stupidity, which is saying something.

      If it's anything like the way the US seems to be heading, they'll have close ties to the Kremlin whether they like it or not. It's even possible they won't know that they have those ties.

    • Re: (Score:1)

      by DarkOx ( 621550 )

      Its really ridiculous. This entire thing came out of a desperate attempt to 1) Excuse / Rationalize Hillary's (the worst candidate of all time) ability to defeat Trump ( the second worst candidate of all time ), 2) Remove a lawfully elected president because he won't go along with some of what the entrenched public service sector / military industrial complex wants.

      The military industrial complex is NOT a conspiracy theory. Its a reality the President and former General Eisenhower warned us about. Its no

      • You seriously think the military industrial complex has a problem with Trump? Hah. One of his main campaign themes was that he would insist on raising the obscene military budget by even more than Clinton would insist on raising it, and his other main campaign theme was to shower big business in tax breaks and other free money. They couldn't be happier. As for the public service sector, they're not elated that Trump won but they're terrified of him being impeached... Pence is far more ideologically inclined

    • Seriously, as if the last thing a software company would do when buying code is read it.

      Cybersecurity experts said the danger of using the Russian-made code couldn't be assessed without examining the code itself.

      Well, someone did - Safran.

  • I thought that architecture and the base code in the Linux networking protocol stack was mostly written by some guy in Russia. Can anyone here confirm that?

    If true, it therefore must follow that Putin has my browser history. And yours. Also everything we ever did online.

    That seems to be about the standard for panic being followed. here.

    • Also like how nginx is one of the world's biggest HTTP servers and is Russian? Have we been completely pwn3d?

    • Re: (Score:2)

      by AHuxley ( 892839 )
      Do people working on the Linux in the USA know Russian code changes are been made to their Linux outside normal working hours?
      Have the ip ranges of such intrusion attempts from Russia been investigated?
      Was the Linux altering code submitted between 9 and 5 Moscow time?
      Did the comments to this new Russian code contain any strange languages? Could Russians have been using Linux code comments to communicate with networks deep in the USA for years?
      Changes to the Linux could be a direct communications netwo
  • Can nobody with skills be found in the USA to be trusted to work on US computer systems for US law enforcement?
    Do people in the US private sector get invited to work on US law enforcement sensitive software?
    Does the FBI not trust US experts with security clearances to write quality code on time for the FBI?
    Has the FBI had some bad past experiences software created and supported domestiaclly?
    Did the US workers sell or copy code from law enfacement for another nations/criminal groups/their own use so

    • I fear you may be looking at this all wrong. Those are all valid questions, but I think you left out one very important one: WHAT WAS THE FBI HIDING BY DOING THIS? It seems obvious to me that the whole point of them getting software from 3rd party foreign nationals is specifically to obscure the auditing process of what they bought, not improve it. It also helps shift the blame away from them too, if you add a heaping dose of plausible deniability.

      • Re: (Score:2)

        by AHuxley ( 892839 )
        Re "obscure the auditing process of what they bought, not improve"
        Could the French be the only people the FBI could really trust if the project was to sensitive too let US workers near?
        Say the US domestically was doing police collect it all and got in a US company with its staff and their own in house legal team.
        The US workers might see an integration of voice prints, private/gov/mil CCTV, social media images, private sector databases, passenger/driver faces, fingerprints, US driver's license images, ce
  • npm deploy tinfoil-hat --save-dev There's no Russian code on github, is there?

  • ..all roads lead to russia

    (about time we start a new meme dont you think?)

  • When you outsource everything there is not much more left Made in USA. The only choice you have left is if you want a code from Russia, post-Russian countries, China, or India.

  • Analyze the code... (Score:5, Insightful)

    by Bert64 ( 520050 ) <bert@[ ]shdot.fi ... m ['sla' in gap]> on Thursday December 28, 2017 @01:02AM (#55819903) Homepage

    Just because code is written by russians with connections to the FSB doesn't mean it's necessarily bad...

    The fact that russians wrote or at some point had access to the code doesn't automatically give them access to data that the code is later processing, unless there are backdoor in the code allowing them to gain access and there aren't some other mitigating factors (network filters, airgap etc) which prevent them from accessing the backdoor.

    Considering that the code analyzes fingerprints, who would have a need for such code? Chances are the FSB need to analyze fingerprints in much the same way the FBI do. It makes sense to collaborate with others who have similar requirements, as this will decrease your development costs. You just need to check the code thoroughly to ensure it works as you want it to. The russians will be doing their own checks during collaborative development, as they will be equally concerned that some of the code was written by people connected to the FBI.

    The key point is understanding what your doing, and understanding what code you're running. Who wrote it doesn't matter, so long as it does the job it's supposed to.

    Plus consider this, if the FSB wanted to get malicious code onto an american system they would go to great lengths to disguise the origin of the code, which doesn't seem to be the case here.

    • Re:Analyze the code... (Score:4, Interesting)

      by AHuxley ( 892839 ) on Thursday December 28, 2017 @01:17AM (#55819945) Journal
      Re "Who wrote it doesn't matter, so long as it does the job it's supposed to."
      US code only worked with modern quality digital images and file formats.
      The French used Russian code that could accept fingerprints from old paper files.
      The FBI did tests and accepted the French innovations that allows for the accurate importing of old US paper records. The French outsmarted their US competitors by knowing what the FBI wanted.

    • Just because code is written by russians with connections to the FSB doesn't mean it's necessarily bad...

      The fact that russians wrote or at some point had access to the code doesn't automatically give them access to data that the code is later processing, unless there are backdoor in the code allowing them to gain access and there aren't some other mitigating factors (network filters, airgap etc) which prevent them from accessing the backdoor.

      I found it!

      //Da comrade! Insert phone home code here. We love Trump!

  • Some of the Indians that are doing contracting work on western software are putting in backdoors for Russians, who then replace it with a different one and then let the code sit for a bit. This is why Microsoft has done tons of work to secure windows and yet the penetration rate on the most advanced continues to stay high. If CIOs continue to pay other nations such low money, then it should not be surprising that this has been going on for over 10 years.
  • Some 20 years I worked on a big budget (it involved Satellites...) project. One of my co-workers was from Russia, and was his wife. Once you ran his code through indent it was pretty sweet stuff. He was a great guy, his wife was a wonderful woman, and last I saw of him his wife was 8 months pregnant. The joys of being a consultant at the end of the project.
    / we used to joke that in Russia they charged for whitespace
    // Seriously, Alex indented 1 column at a time, no blank lines anywhere, no whitespac

  • There is much worse thing (Score:5, Funny)

    by Vitus Wagner ( 5911 ) <vitus@wagner.pp.ru> on Thursday December 28, 2017 @02:49AM (#55820133) Homepage Journal

    Note that US Army uses algebra to calculate trajectories of ballistic missiles. And algebra was developed in Islamic aliphate in IX century.

    BTW, Russians in Kremlin use American software such as Wndows or MS Office. Moreover some years ago Russian President Medvedev accepted an iPhone as a gift from Jobs.

    • It gave very good insight in Russian government internals, but problem appeared before election, because his iphone battery aged, and you know...
  • A system with millions of fingerprints and who knows what other demographic and biometric data should be air-gapped out of principle. That's an information gold mine that will be a prime target for every bad actor on the planet, state-sponsored or not.

    • Re: (Score:2)

      by AHuxley ( 892839 )
      If its air gapped how can the FBI track people in real time?
      The FBI wants the face on CCTV, the face of a driver and their passenger, social media, cell phone collection, voice prints. Any face doing a first amendment audit in real time.
      Such an upgraded networks needs to be ready for a field interview, chat down.
      For some reason the FBI thought it would be great to share the keys to all US persons of interest with the French.

  • Note how whisthleblower used to mean someone who exposes internal problems as a last resort to get them fixed , for the greater benefit, and at huge personal cost.
    Now every official (anonymous) leaker becomes a whistleblower. The original whistleblower is just a traitor.
    These guys, Hala and Desbois, are ex employees who make a problem out of nothing. Why are they considered whistleblowers?

  • And the rest of the world uses computers, smartphones, cpus and gadgets with software-code partly made in USA... So should the rest of the world stop using technology alltogether?!?

  • Almost all the internet connected devices in America are made in China, including most of the stuff used by FBI. Which gives more opportunities for mischief? A source code or unseeable embedded device controlling software?

  • So you're saying the FBI isn't smart enough to be able to put this software in a machine on an untrusted network, and firewall it so that it can only connect to a specific host, and not leak info back to any possible other sites in the world?

    It's obvious this is just more Red Baiting, straight from the 1950s. Fsck that noise.

  • "known as the FSB that is a successor of the Soviet-era KGB" both FSB (federal security agency) and KGB (national security committee) properly translate to English (what people actually understand beneath each word) as a National Security Agency.

Slashdot Top Deals

BLISS is ignorance.

Close