Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Technology

Russian Software Disguised as American Finds Its Way Into US Army, CDC Apps (reuters.com) 38

Thousands of smartphone applications in Apple and Google's online stores contain computer code developed by a technology company, Pushwoosh, that presents itself as based in the United States, but is actually Russian, Reuters reported Monday. From the report: The Centers for Disease Control and Prevention (CDC), the United States' main agency for fighting major health threats, said it had been deceived into believing Pushwoosh was based in the U.S. capital. After learning about its Russian roots from Reuters, it removed Pushwoosh software from seven public-facing apps, citing security concerns. The U.S. Army said it had removed an app containing Pushwoosh code in March because of the same concerns. That app was used by soldiers at one of the country's main combat training bases.

According to company documents publicly filed in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian town of Novosibirsk, where it is registered as a software company that also carries out data processing. It employs around 40 people and reported revenue of 143,270,000 rubles ($2.4 mln) last year. Pushwoosh is registered with the Russian government to pay taxes in Russia. On social media and in U.S. regulatory filings, however, it presents itself as a U.S. company, based at various times in California, Maryland and Washington, D.C., Reuters found.

This discussion has been archived. No new comments can be posted.

Russian Software Disguised as American Finds Its Way Into US Army, CDC Apps

Comments Filter:
  • by Anonymous Coward

    This is what you get when you put spyware (aka "analytics"; aka "tracking"; aka "ads") in your software. The origins don't matter.

    Stop doing that.

  • And what does it do and what is it supposed to do? Or do people no add 3rd party code randomly in their apps?

    And as 2 out of 3 (literally; this is the 3rd post) mentioned: If it is Ad-, targeting or other spyware, it doesn't matter if it's russian or not.

    • Re:And why? (Score:5, Insightful)

      by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Monday November 14, 2022 @11:31AM (#63050563) Homepage Journal

      And as 2 out of 3 (literally; this is the 3rd post) mentioned: If it is Ad-, targeting or other spyware, it doesn't matter if it's russian or not.

      Of course it matters. If it didn't matter, they wouldn't be trying to conceal their origin.

      • by HiThere ( 15173 )

        Well, there *are* ways in which it matters. E.g. where customers are allowed to live. But the govt. should remove it in either case. It's less clear that everyone should be forced to remove it. On the one hand I'd say "yes", and on the other I'd say "that's excessive government intrusion". And I don't trust Congress, the Executive, OR the judicial system to make the right call.

        • by sjames ( 1099 )

          I think a good argument could be made for forcing the removal given that Russia is currently a very unfriendly nation under multiple trade sanctions around the world.

          An even stronger argument could be made for forced disclosure. Ensuring fair and open dealing in the market is very much a legitimate government function. That would likely have just about the same result.

    • Re:And why? (Score:4, Interesting)

      by quantaman ( 517394 ) on Monday November 14, 2022 @12:32PM (#63050775)

      And what does it do and what is it supposed to do? Or do people no add 3rd party code randomly in their apps?

      And as 2 out of 3 (literally; this is the 3rd post) mentioned: If it is Ad-, targeting or other spyware, it doesn't matter if it's russian or not.

      It probably seems to do what it's supposed to do... but does it do something else it's not supposed to? Are there secret back doors hidden in the code? And how hard are you going to check?

      If you're the US government and it's a US company... then you're probably fine with some basic scrutiny. You can still get hacked [npr.org] but the cost/benefit analysis is probably decent.

      But if you find out that the company is actually lying, and it's hosted in Russia, a country with a history of cyberattacks against you, and who is currently claiming to be kinda at war with you....

      Then don't be an idiot and get rid of the damn code. With the effort it would take to verify it as safe you could rewrite it a dozen times over.

    • Re:And why? (Score:4, Interesting)

      by bill_mcgonigle ( 4333 ) * on Monday November 14, 2022 @01:38PM (#63051001) Homepage Journal

      > And what does it do and what is it supposed to do?

      It lets the CDC and US Army avoid hiring US-based developers to make competent and safe apps.

      From https://www.pushwoosh.com/prod... [pushwoosh.com] :

      > No-Code Messaging Solution
      > Do what you do best: create appealing in-app messages with Pushwoosh's easy-to-use editor.
      >
      > No developer or designer skills are required to modify a template and set an in-app live.

      • by Bahbus ( 1180627 )

        Except it's a shitty no-code solution and there are many better ones out there. So, they failed to check out what it was they were even getting themselves interested in and failed to check for solutions.

    • by fermion ( 181285 )
      The company appears to collect specific, though they claim nonsensitive data, on users to be used to drive push notifications. The data is stored on company servers.

      In terms of the military, there is no nonsensitive information. The number of pizza delivered to the pentagon is useful information. The number of soldiers in a location.

      It is possible the firm is no more dangerous than google or facebook. Many legitimate firms use dummy addresses to maximize access.

  • There are a tonne of companies out there that are nominally American but use primarily Russians to develop their software. One for example is Netcracker that runs many of the world's telecom companies, especially in North America. They are 'from Boston' but their primary programming shop was in at least until very very recently, in Moscow. Maybe it still is. And then never mind all the other companies like IBM, Fujitsu, NEC (who own Netcracker), and Accenture who also outsource a tonne of their work to China and India. If you are trusting major business and financial systems to people who are loyal to other countries, you need your head examined. Especially if they are autocratic countries.

    • Re: (Score:2, Informative)

      by drinkypoo ( 153816 )

      And then never mind all the other companies like IBM, Fujitsu, NEC (who own Netcracker), and Accenture who also outsource a tonne of their work to China and India.

      Outsource? IBM in particular actually has full-fledged offices in those countries, and practically all of the other ones too. Less than a third of their over-one-third-of-a-million employees work in the USA.

    • by OneOfMany07 ( 4921667 ) on Monday November 14, 2022 @07:52PM (#63051799)

      I think you should report where you're earning and spending money. And that should declare where you're located, for taxes, etc.

      Starting a Delaware or Nevada corporation when you just pay someone to open your mail... Seems like an outright, obvious lie. Right? Why is that legal? Who cares where the owner wants to declare they exist?

  • Most applications collect MUCH more information about users than necessary to "improve product performance" or "enhance user experience". The big tell that this particular firm is up to no good is the deliberate obfuscation of its location. The best case scenario is that the company knows its product cannot be purchased legitimately in the United States, so they hid the truth to be able to get it to market. Worst case? Well...
  • Well there's your first problem... they should have chosen the capitol for their base.

    • by mrex ( 25183 )

      No cap

    • Are you trying to say they should have somehow put their offices in the actual building where Congress meets, or do you not know the difference between 'capital' and 'capitol'?
      • Are you trying to say they should have somehow put their offices in the actual building where Congress meets

        Yes - it makes the bribery much simpler.

  • by bustinbrains ( 6800166 ) on Monday November 14, 2022 @02:38PM (#63051109)

    33% of the web today is powered by Nginx. A web server written by humans who live in...Russia. Whose offices were raided in Dec 2019 by Russian authorities - a story that most people seem to have forgotten about.

    Nginx is one of the few web servers that solve the C10k concurrent connections problem. Apache can (still) only barely handle 120 connections before it starts falling over itself, which makes it fine as a stable backend proxy target but most people just move to Nginx when they hit Apache's major limitations and tweak OS kernel settings as needed. It's a fairly easy switch and the Nginx configuration format is a lot nicer than Apache's weird "XML-like but not XML" configuration format. Most devs aren't even aware of Nginx's country of origin.

    Humans can be coerced to do things under not-so-veiled threat of bodily harm, "Oh you want to keep on living and not be put in a dark hole within a freezing cold prison where you won't see the light of day ever again? If you don't want that to happen, surreptitiously add this buffer overflow to your source code." Software devs will generally comply.

    • Nginx makes it easy to scale. We used to run start.com on Apache, and yes, it was heavily tweaked but possible to serve thousands of connections per second.

    • 33% of the web today is powered by Nginx.

      nginx is open source. Anyone can look at the code, subject it to analysis, compile it and run it themself, etc.

      Apache can (still) only barely handle 120 connections before it starts falling over itself

      That hasn't been my experience at all. Did you mean to say 1200? The default config limits it to 150, which it definitely doesn't have any trouble with unless you run it on your smartwatch.

      • by ceoyoyo ( 59147 )

        It's as if where you're from isn't all that important. Russians spy, Americans spy, sometimes Russian companies are fronts for one (or the other), most of the time they're not.

        The real question should be, why did major American government institutions feel they needed to put some mystery code called "pushwoosh" in their apps?

        • It's as if where you're from isn't all that important.

          That's an ignorant view of the situation.

          Russians spy, Americans spy,

          More whataboutism. Get a real argument.

          • by ceoyoyo ( 59147 )

            Lol. That seems to be your new favourite word. Both Russia and the US have demonstrated that you can't trust them not to spy on you, and both engage in extensive hypocrisy on the topic. That's not "whataboutism" it's a practical observation.

            • Whataboutism is one of my old favorite words, but there's been a rash of it lately, so it's been applicable.

              Everything you said about their spying is true, and yet it is still whataboutism, because it is a distraction from the discussion of whether there are any additional ramifications to being spied on by a hostile foreign power.

    • Nginx is only better than apache if your site is mostly static assets. Static assets should be on a cdn anyway, so it's kinda moot. Nginx doesn't have any scalability advantage for dynamic pages. I liked nginx at first, but I bailed on it once they started pushing their commercial offering.

The unfacts, did we have them, are too imprecisely few to warrant our certitude.

Working...