Security Hardware

Can You Trust Chinese Computer Equipment? 460

Posted by kdawson
from the or-anybody's-really dept.
Ian Lamont writes "Suspicions about China slipping eavesdropping technology into computer exports have been around for years. But the recent spying attacks, attributed to China, on Google and other Internet companies have revived the hardware spying concerns. An IT World blogger suggests the gear can't be trusted, noting that it wouldn't be hard to add security holes to the firmware of Chinese-made USB memory sticks, computers, hard drives, and cameras. He also implies that running automatic checks for data of interest in the compromised gear would not be difficult." The blog post mentions Ken Thompson's admission in 1983 that he had put a backdoor into the Unix C compiler; he laid out the details in the 1983 Turing Award lecture, Reflections On Trusting Trust: "The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect."

  • Re:Another reason (Score:3, Informative)

    by Anonymous Coward on Friday February 05, 2010 @12:08PM (#31035238)

    You can buy stuff made in the USA. You just have to look harder and spend just a bit more.
    You can also buy from Europe; their quality is much better than Chinese anyway.

  • Re:Another reason (Score:2, Informative)

    by Kugala (1083127) on Friday February 05, 2010 @12:13PM (#31035304)
    They already do; counterfeit parts are a massive issue.
  • by Anonymous Coward on Friday February 05, 2010 @12:16PM (#31035352)
    The referenced article doesn't actually state he included a back door. It was a proof of concept demo apparently: Suppose we wish to alter the C compiler [bell-labs.com]

    "one the creators of Unix, admitted that he had included a backdoor in early Unix versions. Thompson's backdoor gave him access to every Unix system [itworld.com] then in existence"
  • Re:Another reason (Score:3, Informative)

    by maxume (22995) on Friday February 05, 2010 @12:31PM (#31035528)

    Intel is a terrible example; they do most of their chip fabrication in the U.S., with much of the rest of it done in Ireland and Israel.

    They say they do 75% of their chips in the U.S.:

    http://www.intel.com/pressroom/archive/releases/2009/20090210corp.htm [intel.com]

  • Re:Another reason (Score:3, Informative)

    by TheKidWho (705796) on Friday February 05, 2010 @12:31PM (#31035536)

    Yes, except for the fact that the i7s are produced in the USA.

    Oh, and that IBM PowerPC isn't as fast as the i7 and won't run your x86 desktop applications. Different processors for different markets.

  • by Reapman (740286) on Friday February 05, 2010 @12:33PM (#31035562)

    Ummm maybe they're singling out China because of, as the Summary points out, recent events?

    If the US government (or ANY government) was strongly suspected of doing the same thing, and that country was a leading supplier of xyz goods, you'd see a similar article posted. It's how news works.

  • by MpVpRb (1423381) on Friday February 05, 2010 @12:40PM (#31035660)

    Not all Chinese-made products contain Chinese computer code.

    I am a consultant to a US company. Our products are made by Chinese companies, to our specifications.

    I write all of the code, and it is loaded after the products get to the US.

  • by cluemore (1617825) on Friday February 05, 2010 @12:42PM (#31035698)
    talk about yer hardware backdoors ... this one is a pseudo random number generator that can be rigged to generate predictable keys. http://www.antiwar.com/orig/ketcham.php [antiwar.com]
  • Re:Another reason (Score:2, Informative)

    by Wyatt Earp (1029) on Friday February 05, 2010 @12:45PM (#31035746)

    As others are pointing out, that's just BS.

    http://www.intel.com/pressroom/kits/manufacturing/manufacturing_qa.htm#1 [intel.com]

    Fab production sites within the United States are located in Chandler, Ariz.; Santa Clara, Calif.; Colorado Springs, Colo.; Hudson, Mass.; Rio Rancho, N.M.; and Hillsboro, Ore.; and outside the United States in Leixlip, Ireland; Jerusalem, Israel; and Kiryat Gat, Israel. Two new fabs are under construction at existing sites in Arizona and Israel.

    The company has six assembly and test sites worldwide and is building a seventh, all of them outside the U.S. Assembly and test sites outside the United States are located in Shanghai, China; Chengdu, China; San Jose, Costa Rica; Kulim, Malaysia; Penang, Malaysia; and Cavite, Philippines. An assembly and testing site in Ho Chi Minh City, Vietnam, is under construction. There is one testing facility and one assembly development facility inside the U.S.

    http://en.wikipedia.org/wiki/GlobalFoundries [wikipedia.org]

    It currently owns eight fabrication plants. Fab 1 (Module 1 & 2) is in Dresden, Germany. Fabs 2 through 7 are in Singapore, and a new plant, Fab 8, will be operational in New York in 2012.

  • by Wyatt Earp (1029) on Friday February 05, 2010 @12:54PM (#31035896)

    Because it's obvious that the US can't keep a secret. The Wiretap Memos, WMD claims, Abu Ghraib, Torture Memos, Bill and Monica, Iran Contra, the Illinois Senate Seat Sale all show clear as day that a big conspiracy in the US gets leaked.

    C'mon, for corporate espionage and backroom dealing, Boeing couldn't even bribe the USAF to buy/lease KC-767 tankers without it getting leaked.

    The PRC, a little better at keeping their spying and cyberwarfare on the low down. China is being singled out because they actually do all the human rights violations and anti-dissident things that everyone dreams the US does.

  • Re:Another reason (Score:3, Informative)

    by networkBoy (774728) on Friday February 05, 2010 @12:55PM (#31035906) Homepage Journal

    Hand tools bought from China have never held up for me as well as American made tools.
    Especially cutting tools like metal shears. The Chinese ones nick easier because they use a lower cost (and thus softer) steel rather than tool steel, which is much harder, but more expensive and harder to work.

    Of course I pay a lot more for the better tools.

  • by Animats (122034) on Friday February 05, 2010 @12:58PM (#31035966) Homepage

    DoD is really worried about this. They're trying to develop ways to efficiently examine ICs to check for unexpected "features". Right now, it's necessary to open up the IC and put it under a scanning electron microscope, then use software that can extract the logic diagram from the scan.

    One of the obvious places to put in a "back door" is in Ethernet controllers. Many used in servers already have logic for hardware "remote administration" (turn machine off, reboot, load code, etc.). It is supposed to be disabled by default, and work only when initialized with keys during hardware installation. Just build a set of default remote administration keys into the chip, and everyone using that chip is 0wned. Send the right UDP packets, and you can take over the machine. This would be completely invisible until activated.

  • You are incorrect (Score:4, Informative)

    by Sycraft-fu (314770) on Friday February 05, 2010 @12:59PM (#31035984)

    Nearly all Intel CPUs are made in the US. Most of Intel's fabs are located throughout the US. They do have one in Ireland and one in Israel but that's it. None are in China. So your CPU, the actual silicon part, is made in the US most likely (all the new 45nm and 32nm stuff is I think). Now you'll probably see a stamp on it for places like Costa Rica or Singapore or the like. That is where it was packaged, where the silicon was put in the actual metal unit you buy. You'll still note, that doesn't happen in China.

    You also might want to have a look at all the other CPU makers out there. AMD, Motorola, IBM, Marvell, all US companies. While some of them do fab in other locations (AMD has most of their fab work done by Global Foundries in Germany), they are US companies and do a great deal (sometimes all) of their design work in the US. In fact the only non-US processor companies I can think of are Hitachi (Japanese) and ARM (British).

  • Re:Another reason (Score:3, Informative)

    by SBrach (1073190) on Friday February 05, 2010 @01:18PM (#31036278)
    High priced organics at Whole Foods aren't locally produced. According to Whole Foods themselves, sourcing organics has "gone global."*

    *"gone global" == "gone Chinese" Source: Whole Foods Blog [wholefoodsmarket.com]

    I concede the point that even if this wasn't the case, the majority, including myself, still would buy cheap Chinese products, but it is a moot point because there really is not another option anymore.
  • Re:Another reason (Score:3, Informative)

    by ElectricTurtle (1171201) on Friday February 05, 2010 @01:23PM (#31036330)
    Yes, that's why I mentioned the relationship as I did (I said 'very Chinese' in a cultural way, which is made clear by the parenthetical political contrast), although both the PRC/CCP and the KMT would disagree with you.
  • Re:Another reason (Score:1, Informative)

    by Anonymous Coward on Friday February 05, 2010 @01:54PM (#31036772)

    There are only three sane ways manufacturing jobs will return to the US: De-globalisation due to peak oil, normalizing quality of life in the US down to the rest of the world, or bringing the rest of the world to the US quality of life. I prefer the third option.

    Though it seems like the second is the current processor or the most likely since the third is extremely unlikely nor in any capitalist's interests.

  • by SmallFurryCreature (593017) on Friday February 05, 2010 @02:16PM (#31037052) Journal

    Because the entire point of someone a LOT smarter than you, is that if the very tool you use is compromised, then how can you ever check it? You write your program to the memory, but the memory controller itself is corrupted. So you check everything, and you never see anything wrong.

    A compromised system can never be trusted and if you don't control the system, then you can never know it is compromised unless you verify every last detail, down to grinding the top of the chip and seeing exactly what the layout is. And do this for every last element.

    How do you know there is not a simple element in the USB connector that records everything? How do you know the simple chip in your ethernet card doesn't transmit everything? How do you know your router hasn't been hardcoded to ignore such traffic?

    You don't. Granted, putting it all together seems like an enormous task and there are far simpler ways of spying. But it is possible.

  • by smellsofbikes (890263) on Friday February 05, 2010 @03:20PM (#31037908) Journal
    You're entirely right. I'm making a presumption that by 'backdoor' we mean a hostile organization is altering a trusted design to include unintended functionality. But as with the security implications of physical access to a computer, if you're buying hardware from a potentially hostile organization, it's innately untrustworthy. (Is it a backdoor if the organization designs it in, intentionally, and only the end user doesn't know about it? If so, I'm misusing the word.)

    There are some fantastic design houses in China. One of our best designers is Chinese, and he's a genius. I may be wrong about this, but it appears to me that it's easier to learn chip design than it is to learn how to build and run a fab efficiently, and China already knows how to do that, very very well.

  • Re:You are incorrect (Score:1, Informative)

    by Anonymous Coward on Friday February 05, 2010 @03:28PM (#31038018)

    Intel does have a FAB in China: FAB 68 [arstechnica.com]

  • by dirtyhippie (259852) on Friday February 05, 2010 @03:51PM (#31038370) Homepage

    The post makes it sound like Thompson actually put a backdoor in the version of CC that shipped with unix. He did not. What he *did* was demonstrate that he could have in an earlier version and you would be none the wiser by inspecting the source of said compiler.

  • by Jay L (74152) * <.mf.yaj. .ta. .hsals+yaj.> on Friday February 05, 2010 @05:11PM (#31039448) Homepage

    I have not heard of the relevant laws being butchered *that* much.

    Seriously? You haven't heard about the whole telecom warrantless-wiretapping thing? Any of it?

  • Re:Another reason (Score:3, Informative)

    by jimicus (737525) on Friday February 05, 2010 @05:13PM (#31039472)

    Not strictly true. In order to prevent war in Europe, two superblocs developed: the UK, the French and the Russians on one side, and the Germans and Austro-Hungary on the other. The idea was to have two vast opposing armies, each acting as the other's deterrent. That way there could never be a war. Unfortunately, there was one tiny flaw in the plan.

    It was bollocks.

    (With apologies to Richard Curtis and Ben Elton)
