Beijing security know-how rules irk suppliers
Secret sauce
Chinese government rules due to come into force on Saturday would oblige security vendors to disclose encryption information.
The regulations mean that suppliers of six categories of products - including smart cards, firewalls and routers - will need to submit trade secrets to a government panel in order to receive a license to sell to government departments.
EU officials have described the move as both protectionist and commercially risky. One concern is that security know-how supplied to the government panel might be disclosed to local firms.
Handing over encryption information is "something companies cannot and will not do," said president of the European Union Chamber of Commerce Jorg Wuttke, The Wall Street Journal reports. US authorities are also opposed to Chinese demands, AP adds.
Details of the scheme are a little murky. It's unclear whether EU and US suppliers would be obliged to simply disclose encryption techniques, such as AES, which are publicly documented, or cryptographic keys, which must be kept secret.
Source code review of security products is carried out under security certification schemes run by CESG in the UK, for example, and by itself is certainly no bad thing. In the past Chinese authorities have asked for malware samples before allowing anti-virus vendors to sell technology into the country, a move into much murkier areas of security ethics. ®
COMMENTS
RE: Place your bets
I would love to say I'd bet ten years' pay against your toenail clippings no-one is that utterly retarded but unfortunately my faith in the general intelligence of my fellow man died around the time Apple computers became trendy.
Please keep to the right
There is no assumption that only US products can be safe that I can see. RSA's name is bandied about, but probably only because they developed the most famous implementation of elliptical (public) key encryption.
As stated in the article, if they want to know the implementation (to see if there are any backdoors), no worries at all - the techniques are publicly documented. That would merely be a code review that standards are met and no hanky-panky is taking place.
If, instead, the Chinese govt wants the private (trade secret) *keys* for every product, THEN it's just to make sure they can review the contents of everything encrypted in China. THEN it is a matter for concern. The fact that they leave it that ambiguous is not promising for good intentions...
So?
A few years back Washington kicked up a massive fuss when they found out that their purchasing department had signed a contract to buy hundreds of Lenovo PCs and laptops.
A Lenovo computer is basically a rebranded IBM computer. It's made in the same factories, its service engineers are the same service engineers, and a lot of the work done on them is done in a plant in Monterey. But Lenovo is bankrolled from China.
Washington blew a gasket and there were all these fears about secret bugging devices and attack code. It was all total bull, but it really upset the Chinese government which revealed that it had just placed a massive order for Dell PCs for its own government departments without nearly so many hoops to jump through and without all of the claim and conspiracy and counter claim.
Now, China is just doing what Washington has been doing for several decades. It's bringing in rules to ensure that wireless devices and encrypted software aren't sending out data that they aren't supposed to be.
This is nothing new. In fact many countries go even further.
For example, the British government routinely demands the code for software produced for its military systems (It's often a contractual requirement before you can even get started writing it). This isn't encryption, it's the whole show. Drivers, APIs, every single line of code.
It's one of the things that was holding up the F22 program. The British government refused to commit to purchasing it until it could see the code for the weapons and radar systems to ensure that the CIA or somebody else hadn't put a disabling code into it that could shut it down remotely. That's actual US military secrets that they were demanding.
