Russian Software Disguised as American Finds Its Way Into US Army, CDC Apps (reuters.com)
Thousands of smartphone applications in Apple and Google's online stores contain computer code developed by a technology company, Pushwoosh, that presents itself as based in the United States, but is actually Russian, Reuters reported Monday. From the report: The Centers for Disease Control and Prevention (CDC), the United States' main agency for fighting major health threats, said it had been deceived into believing Pushwoosh was based in the U.S. capital. After learning about its Russian roots from Reuters, it removed Pushwoosh software from seven public-facing apps, citing security concerns. The U.S. Army said it had removed an app containing Pushwoosh code in March because of the same concerns. That app was used by soldiers at one of the country's main combat training bases.
According to company documents publicly filed in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian town of Novosibirsk, where it is registered as a software company that also carries out data processing. It employs around 40 people and reported revenue of 143,270,000 rubles ($2.4 mln) last year. Pushwoosh is registered with the Russian government to pay taxes in Russia. On social media and in U.S. regulatory filings, however, it presents itself as a U.S. company, based at various times in California, Maryland and Washington, D.C., Reuters found.
Re: (Score:1)
You have proof of your insinuations that what I said was wrong, or are you just talking out of your ass to make yourself feel superior?
Put up or shut up, troll boy.
Re:proof of malfeasance? (Score:5, Informative)
but is there a shred of proof the software is harvesting and beaming information, or is that still mostly a U.S. corporate thing and U.S. NSA thing?
Yes, it's tracking code for marketing. There's no proof that the Russians then used the data because that data is inside Russia, which is exactly why these things have to be banned.
Re: (Score:2)
Not proof, but a company hiding its location is certainly not a sign of being trustworthy.
Re:proof of malfeasance? (Score:4, Insightful)
Apparently they were doing this to circumvent U.S. sanctions against Russia so they can keep access to the North American and European markets. And they're likely not the only Russian company to do this since the start of the war. But still, as another poster has mentioned, a company misrepresenting itself is not very trustworthy.
Systematic spyware (Score:1)
This is what you get when you put spyware (aka "analytics"; aka "tracking"; aka "ads") in your software. The origins don't matter.
Stop doing that.
And why? (Score:2)
And what does it do and what is it supposed to do? Or do people not add 3rd party code randomly in their apps?
And as 2 out of 3 (literally; this is the 3rd post) mentioned: If it is Ad-, targeting or other spyware, it doesn't matter if it's russian or not.
Re:And why? (Score:5, Insightful)
And as 2 out of 3 (literally; this is the 3rd post) mentioned: If it is Ad-, targeting or other spyware, it doesn't matter if it's russian or not.
Of course it matters. If it didn't matter, they wouldn't be trying to conceal their origin.
Re: (Score:2)
Well, there *are* ways in which it matters. E.g. where customers are allowed to live. But the govt. should remove it in either case. It's less clear that everyone should be forced to remove it. On the one hand I'd say "yes", and on the other I'd say "that's excessive government intrusion". And I don't trust Congress, the Executive, OR the judicial system to make the right call.
Re: (Score:2)
I think a good argument could be made for forcing the removal given that Russia is currently a very unfriendly nation under multiple trade sanctions around the world.
An even stronger argument could be made for forced disclosure. Ensuring fair and open dealing in the market is very much a legitimate government function. That would likely have just about the same result.
Re:And why? (Score:4, Interesting)
And what does it do and what is it supposed to do? Or do people no add 3rd party code randomly in their apps?
And as 2 out of 3 (literally; this is the 3rd post) mentioned: If it is Ad-, targeting or other spyware, it doesn't matter if it's russian or not.
It probably seems to do what it's supposed to do... but does it do something else it's not supposed to? Are there secret back doors hidden in the code? And how hard are you going to check?
If you're the US government and it's a US company... then you're probably fine with some basic scrutiny. You can still get hacked [npr.org] but the cost/benefit analysis is probably decent.
But if you find out that the company is actually lying, and it's hosted in Russia, a country with a history of cyberattacks against you, and who is currently claiming to be kinda at war with you....
Then don't be an idiot and get rid of the damn code. With the effort it would take to verify it as safe you could rewrite it a dozen times over.
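As an added example of the check this post is asking about (it is not code from the article, from the CDC or Army apps, or from Pushwoosh), here is a Python script that inventories the third-party SDKs in a mobile build from its dependency manifests, derives each SDK's vendor, cross-checks the hostnames found in the binary, and flags anything whose vendor the team has not reviewed. The Podfile.lock fragment, the Gradle tree, the hostnames, the package coordinates and versions, the pod-to-vendor mapping and the reviewed-vendor list are all constructed for illustration and are assumptions, not data from the article.

```python
"""Third-party SDK inventory check for a mobile app build (added example).

Parses constructed dependency manifests (CocoaPods + Gradle), derives a vendor
for each SDK, cross-checks hostnames pulled out of the binary, and reports
every vendor or host that is not on the reviewed-vendor allowlist.
All sample data below is constructed; coordinates and hosts are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, not a real app's lock file.
PODFILE_LOCK = """\
PODS:
  - Alamofire (5.6.4)
  - Firebase/Analytics (10.3.0)
  - Pushwoosh (6.4.2)
DEPENDENCIES:
  - Alamofire
  - Firebase/Analytics
  - Pushwoosh
"""

# Constructed sample in the style of `./gradlew app:dependencies` output.
GRADLE_TREE = """\
+--- com.squareup.okhttp3:okhttp:4.10.0
+--- com.pushwoosh:pushwoosh:6.6.5
|    \\--- androidx.work:work-runtime:2.7.1
\\--- com.google.firebase:firebase-messaging:23.1.0
"""

# Constructed sample: hostnames a `strings`-style pass found in the binary.
HOSTS_IN_BINARY = ["api.pushwoosh.com", "firebase.googleapis.com", "cdn.example-assets.net"]

# CocoaPods names carry no vendor information, so this mapping has to be kept
# by hand from each podspec's homepage/source (assumed values).
POD_VENDORS = {"Alamofire": "alamofire.org", "Firebase": "google.com"}

# Vendors the team has actually reviewed (assumed list). Allowlist, not blocklist:
# anything not on it is a finding, including SDKs nobody remembers adding.
REVIEWED_VENDORS = {"alamofire.org", "google.com", "googleapis.com", "squareup.com", "androidx.work"}

KNOWN_TLDS = {"com", "org", "net", "io", "co", "dev", "me"}


@dataclass(frozen=True)
class Dependency:
    ecosystem: str           # "cocoapods" or "gradle"
    name: str                # pod name or group:artifact
    version: str
    vendor: Optional[str]    # registrable domain, a non-DNS group id, or None if unknown


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Fine for the demo; multi-part public
    suffixes such as co.uk would need the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def vendor_from_group(group: str) -> str:
    """Maven group ids are reverse-DNS, so com.pushwoosh -> pushwoosh.com.
    Groups that do not start with a TLD (androidx.work) are kept verbatim."""
    labels = group.lower().split(".")
    if len(labels) >= 2 and labels[0] in KNOWN_TLDS:
        return f"{labels[1]}.{labels[0]}"
    return group.lower()


def parse_podfile_lock(text: str) -> list[Dependency]:
    """Read top-level pods from the PODS: section; subspecs (Firebase/Analytics)
    are attributed to their root pod and deduplicated."""
    deps, seen, in_pods = [], set(), False
    for line in text.splitlines():
        if line.startswith("PODS:"):
            in_pods = True
            continue
        if in_pods and line and not line.startswith(" "):
            break  # next top-level section (DEPENDENCIES:, SPEC CHECKSUMS:, ...)
        m = re.match(r"^  - ([^\s/]+)(?:/\S+)? \(([^)]+)\):?$", line)
        if in_pods and m and m.group(1) not in seen:
            seen.add(m.group(1))
            deps.append(Dependency("cocoapods", m.group(1), m.group(2), POD_VENDORS.get(m.group(1))))
    return deps


def parse_gradle_tree(text: str) -> list[Dependency]:
    """Read group:artifact:version triples, transitive lines included.
    Conflict-resolution arrows ('-> 4.11.0') are ignored, so a resolved
    version may differ from the declared one."""
    deps = []
    for line in text.splitlines():
        m = re.search(r"([A-Za-z0-9_.-]+):([A-Za-z0-9_.-]+):([A-Za-z0-9_.+-]+)", line)
        if m:
            group, artifact, version = m.groups()
            deps.append(Dependency("gradle", f"{group}:{artifact}", version, vendor_from_group(group)))
    return deps


def audit(deps: list[Dependency], hosts: list[str], reviewed: set[str]) -> list[str]:
    """One finding per unreviewed vendor, unknown-vendor pod, and host whose
    registrable domain belongs to no reviewed vendor."""
    findings = []
    for d in deps:
        if d.vendor is None:
            findings.append(f"{d.ecosystem}: {d.name} {d.version}: vendor unknown, check the podspec")
        elif d.vendor not in reviewed:
            findings.append(f"{d.ecosystem}: {d.name} {d.version}: vendor {d.vendor} not reviewed")
    for h in hosts:
        dom = registrable_domain(h)
        if dom not in reviewed:
            findings.append(f"host: {h}: contacts {dom}, not a reviewed vendor")
    return findings


if __name__ == "__main__":
    all_deps = parse_podfile_lock(PODFILE_LOCK) + parse_gradle_tree(GRADLE_TREE)
    for finding in audit(all_deps, HOSTS_IN_BINARY, REVIEWED_VENDORS):
        print(finding)
```

The allowlist is the point: a blocklist of vendors you have already heard bad news about would not have caught this case, whereas "every vendor must have been reviewed" forces someone to look up the company behind each SDK, and the hostnames the binary actually contacts give a second signal that does not depend on what the vendor's marketing page claims. Neither signal tells you where the company is incorporated; that still takes the corporate records, which is the step the Reuters report describes.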
Re:And why? (Score:4, Interesting)
> And what does it do and what is it supposed to do?
It lets the CDC and US Army avoid hiring US-based developers to make competent and safe apps.
From https://www.pushwoosh.com/prod... [pushwoosh.com] :
> No-Code Messaging Solution
> Do what you do best: create appealing in-app messages with Pushwoosh's easy-to-use editor.
>
> No developer or designer skills are required to modify a template and set an in-app live.
Re: (Score:1)
Except it's a shitty no-code solution and there are many better ones out there. So, they failed to check out what it was they were even getting themselves interested in and failed to check for solutions.
Re: (Score:3)
In terms of the military, there is no nonsensitive information. The number of pizzas delivered to the Pentagon is useful information. The number of soldiers in a location.
It is possible the firm is no more dangerous than google or facebook. Many legitimate firms use dummy addresses to maximize access.
Re: NSA: Please use our home-grown spyware. (Score:1)
Re: (Score:3, Funny)
American even, /duck
little known fact Anerica is a small town in Siberia....
Also American that is Russian that is American (Score:3)
There are a tonne of companies out there that are nominally American but use primarily Russians to develop their software. One for example is Netcracker that runs many of the world's telecom companies, especially in North America. They are 'from Boston' but their primary programming shop was, at least until very, very recently, in Moscow. Maybe it still is. And then never mind all the other companies like IBM, Fujitsu, NEC (who own Netcracker), and Accenture who also outsource a tonne of their work to China and India. If you are trusting major business and financial systems to people who are loyal to other countries, you need your head examined. Especially if they are autocratic countries.
Re: (Score:2, Informative)
And then never mind all the other companies like IBM, Fujitsu, NEC (who own Netcracker), and Accenture who also outsource a tonne of their work to China and India.
Outsource? IBM in particular actually has full-fledged offices in those countries, and practically all of the other ones too. Less than a third of their over-one-third-of-a-million employees work in the USA.
Can we get rid of "headquarters" as a thing? (Score:4, Insightful)
I think you should report where you're earning and spending money. And that should declare where you're located, for taxes, etc.
Starting a Delaware or Nevada corporation when you just pay someone to open your mail... Seems like an outright, obvious lie. Right? Why is that legal? Who cares where the owner wants to declare they exist?
The biggest reason to be suspicious (Score:2)
Based in the "capital"? (Score:2)
Well there's your first problem... they should have chosen the capitol for their base.
Re: (Score:2)
No cap
Re: (Score:2)
Re: (Score:2)
Are you trying to say they should have somehow put their offices in the actual building where Congress meets
Yes - it makes the bribery much simpler.
Elephant in the room: Nginx (Score:3)
33% of the web today is powered by Nginx. A web server written by humans who live in...Russia. Whose offices were raided in Dec 2019 by Russian authorities - a story that most people seem to have forgotten about.
Nginx is one of the few web servers that solve the C10k concurrent connections problem. Apache can (still) only barely handle 120 connections before it starts falling over itself, which makes it fine as a stable backend proxy target but most people just move to Nginx when they hit Apache's major limitations and tweak OS kernel settings as needed. It's a fairly easy switch and the Nginx configuration format is a lot nicer than Apache's weird "XML-like but not XML" configuration format. Most devs aren't even aware of Nginx's country of origin.
Humans can be coerced to do things under not-so-veiled threat of bodily harm, "Oh you want to keep on living and not be put in a dark hole within a freezing cold prison where you won't see the light of day ever again? If you don't want that to happen, surreptitiously add this buffer overflow to your source code." Software devs will generally comply.
Re: Elephant in the room: Nginx (Score:1)
Nginx makes it easy to scale. We used to run start.com on Apache, and yes, it was heavily tweaked but possible to serve thousands of connections per second.
Re: (Score:3)
33% of the web today is powered by Nginx.
nginx is open source. Anyone can look at the code, subject it to analysis, compile it and run it themself, etc.
Apache can (still) only barely handle 120 connections before it starts falling over itself
That hasn't been my experience at all. Did you mean to say 1200? The default config limits it to 150, which it definitely doesn't have any trouble with unless you run it on your smartwatch.
Re: (Score:2)
It's as if where you're from isn't all that important. Russians spy, Americans spy, sometimes Russian companies are fronts for one (or the other), most of the time they're not.
The real question should be, why did major American government institutions feel they needed to put some mystery code called "pushwoosh" in their apps?
Re: (Score:2)
It's as if where you're from isn't all that important.
That's an ignorant view of the situation.
Russians spy, Americans spy,
More whataboutism. Get a real argument.
Re: (Score:2)
Lol. That seems to be your new favourite word. Both Russia and the US have demonstrated that you can't trust them not to spy on you, and both engage in extensive hypocrisy on the topic. That's not "whataboutism" it's a practical observation.
Re: (Score:2)
Whataboutism is one of my old favorite words, but there's been a rash of it lately, so it's been applicable.
Everything you said about their spying is true, and yet it is still whataboutism, because it is a distraction from the discussion of whether there are any additional ramifications to being spied on by a hostile foreign power.
Re: Elephant in the room: Nginx (Score:2)