Can You Trust Chinese Computer Equipment? 460
Ian Lamont writes "Suspicions about China slipping eavesdropping technology into computer exports have been around for years. But the recent spying attacks, attributed to China, on Google and other Internet companies have revived the hardware spying concerns. An IT World blogger suggests the gear can't be trusted, noting that it wouldn't be hard to add security holes to the firmware of Chinese-made USB memory sticks, computers, hard drives, and cameras. He also implies that running automatic checks for data of interest in the compromised gear would not be difficult." The blog post mentions Ken Thompson's admission in 1983 that he had put a backdoor into the Unix C compiler; he laid out the details in the 1983 Turing Award lecture, Reflections On Trusting Trust: "The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect."
Another reason (Score:3, Insightful)
Re:Another reason (Score:5, Interesting)
This is just another reason for me to not want to buy Chinese made goods. Unfortunately, so much is made in China that it is nearly impossible to completely avoid the country.
Some component of your car, cell phone, computer, etc. is going to be made in China. I have a feeling eventually they will catch on that people aren't buying Chinese made stuff and will just put stamps on it from their more friendly neighboring countries.
Re:Another reason (Score:5, Insightful)
I have a feeling eventually they will catch on that people aren't buying Chinese made stuff and will just put stamps on it from their more friendly neighboring countries.
It's not as simple as "put stamps on it from their more friendly neighboring countries" when those neighboring countries do not have the high-tech industrial base to produce the hardware in question.
On a strategic level, the USA really screwed the pooch by chasing the lowest bidder and not building up our domestic capacity to produce these items. And for you small gov't types, this is an example of free market principles colliding with what is effectively a national security issue.
Re: (Score:3, Insightful)
I couldn't agree more, but then I'm also a big believer in 'trust but verify'. It's worth noting, however, that paranoia is self-fulfilling. :D
I recommend just being careful, verify that your devices are performing safely (as much as possible) and taking your chances. There are really very few alternatives - you have to trust someone.
Re:Another reason (Score:5, Insightful)
Re:Another reason (Score:5, Insightful)
You know that 2/3 of the phrase "trust but verify" is meaningless oxymoronic bullshit designed to mask the harshness of the only significant word, right? Like "strong but sensitive" or "sexy but geeky".
It's a good point, but that 2/3 of the phrase is what keeps the potential client from being insulted. The majority of business is sugar coating the harsh truth to keep people on your side and hopefully more of their money going into your wallet.
Re: (Score:3, Interesting)
Exactly :D
Trust but verify means "we'll agree not to call you a sneaky bastard to your face".
If you take the opposite tack of 'trust no one', then I assume you're going to be wiring up your own circuits, breadboards, and chips, then writing the boot code and machine code by hand before writing the compiler and then finally the test kit?
You certainly have to apply reason and sanity - otherwise you would have to personally build an identical copy of every single item to double check against. Otherwise, you go
Re:Another reason (Score:5, Insightful)
That's a bit sad. I get on quite well with the majority of my neighbours, but most people I know who have wide experience of commercial dealing with Chinese (not to be confused with personal interactions with individuals and their families) have told me of a catalogue of dishonest, conspiratorial and treacherous activities. Basically, it seems their attitude is that "westerners" are fair game, since their rules are just not recognised by the Chinese.
Adopting this attitude in comparatively small business dealings is one thing, but enshrining it in (unofficial) government policy is another. If the Chinese insist on treating other nations as enemies, they should expect the same in return. The fact that our governments and corporations are so ready to kowtow to them for their business is nothing short of sickening.
Re: (Score:3, Funny)
You know that 2/3 of the phrase "trust but verify" is meaningless oxymoronic bullshit designed to mask the harshness of the only significant word, right? Like "strong but sensitive" or "sexy but geeky".
I don't get it.... You're saying "but" is the only meaningful word?
Re: (Score:3, Insightful)
You know that 2/3 of the phrase "trust but verify" is meaningless oxymoronic bullshit designed to mask the harshness of the only significant word, right?
I disagree. First, you are trusting them. Else you wouldn't be employing their services or buying their goods in the first place. Second, the phrase indicates that this trust is not unconditional, that you will be testing them in some way to verify that they did the work that they agreed to do.
Money handling is a classic example. Allowing someone to handle your money (be it a transaction in a store, cashiers in a business you own, or some sort of financial advisor) is a bit of trust in that person. If yo
Re:Another reason (Score:5, Funny)
Re: (Score:3, Funny)
But the free market would never lead us to disaster by chasing the lowest common denominator and exploiting our innately trusting human nature! I also don't see how a 'big government' is required to sufficiently instill the kind of nationalism that forces people to buy higher priced, locally produced goods.
Perhaps you have a newsletter?
Re: (Score:3, Informative)
*"gone global" == "gone Chinese" Source: Whole Foods Blog [wholefoodsmarket.com]
I concede the point that even if this wasn't the case the majority, including myself, still would buy cheap chinese products but it is a moot point because there really is not another option anymore.
Re: (Score:2, Interesting)
On a strategic level, the USA really screwed the pooch by chasing the lowest bidder and not building up our domestic capacity to produce these items.
It goes much deeper than that, too many Americans are overly litigiousness, not at fault and to desperately seek the almighty dollar. Corporations have gone off shore to seek lower cost materials and labor in pursuit of higher profits. You'll note nothing seems to get cheaper to the end user.
Sadly at this point in the game, what other options are there?
And for you small gov't types, this is an example of free market principles colliding with what is effectively a national security issue.
Free Market, pah. As the guy at the end of the supply chain, of mega-corporations, multi-nationals, world-wide supply chains and so on, I don't see the Fr
Re:Another reason (Score:5, Insightful)
> You'll note nothing seems to get cheaper to the end user.
Since we're talking about computer equipment, this is demonstrably false.
Re: (Score:3, Insightful)
Should have been more specific. Granted prices on tech drop as overall manufacturing costs drop, new more efficient (read fewer defects and less waste) processes have been adopted, etc... So, yes in terms of a blanket statement it would be false.
The intent was to state, and I'm open to being shown evidence to the contrary, that I have never seen a company's offshore move and resultant reduced operating costs directly result in lower prices. The market bears current pricing until such time that a manufact
Re:Another reason (Score:4, Insightful)
economic co-dependency is the best national security there is. We'll never go to war with China; we're both far too dependent on each other. Wars are fought for power. Money is power, and is preferable to war. History has shown we won't fight when there's money involved.
China only holds ~10% of our national debt; ~70% perhaps more is domestically owned; so the whole "THEY'VE GOT OUR DOLLAR BY THE BALLS" nonsense doesn't count-- they would be shooting themselves in the head by removing our purchasing power-- don't forget they have to keep their workers happy, and to keep them happy they have to keep them employed.
Re:Another reason (Score:5, Insightful)
They said that before World War I too.
Re: (Score:3, Informative)
Not strictly true. In order to prevent war in Europe, two superblocs developed: the UK, the French and the Russians on one side, and the Germans and Austro-Hungary on the other. The idea was to have two vast opposing armies, each acting as the other's deterrent. That way there could never be a war. Unfortunately, there was one tiny flaw in the plan.
It was bollocks.
(With apologies to Richard Curtis and Ben Elton)
Re:Secret agreements (Score:5, Insightful)
The ultimate hinge point in WWI was when Germany executed a war plan that called for a two front war when their treaty obligations only called for a one front war. Simply because the plans called for them to invade Russia and France simultaneously they did so even though Russia was the only one that had declared war (and France wasn't even involved). The generals at the time in Germany couldn't even imagine diverging from the war plan and the war plan called for invading France. Rather than stand up to his Generals the Kaiser caved and allowed the invasion of France (I believe he uttered the phrase "rolling the iron dice").
This is the entire reason France and the UK blamed Germany for the war and imposed all the war's costs on Germany (thereby causing WWII). The mindset in WWI Germany is incomprehensible today but the reason WWI happened (a much smaller war could have happened) is because there was a plan that wasn't applicable but the people in charge couldn't imagine deviating from the plan and the guy in ultimate charge wouldn't stand up to the ones tasked with fighting the war. The German/Russian/Austrian front of the war was minuscule in comparison to what happened on the French/German/Dutch border where entire armies (and two generations of French/German/English) were ground into hamburger in modern warfare. The greatest lesson of WWI is plans are great to have but they aren't the blueprint for the war that must be followed, iron adherence to a plan regardless of situation is suicide.
Re: (Score:3, Insightful)
You mean like if your country were to be attacked by terrorists in Afghanistan and you decided to attack Iraq because that's the country you had a plan for?
Yeah your right. That could NEVER happen today.
Re:Another reason (Score:4, Insightful)
It's not so much the workers you have to keep happy, it's the military and the bureaucracy. If worker wealth disappears, wealth for the mid-level bureaucrat (e.g. party officials, regional governors, etc.) disappears, albeit more slowly. Once that happens, corruption turns up to 11 and nobody is willing to really sustain the country anymore. This happened to East Germany near the end - so much wealth was gone that nobody had a vested interest in maintaining the status quo anymore.
One sends American wealth to China. The other sends Chinese wealth into the ocean. When American dollars are sent to China, they can trade those dollars for other, more useful things (oil, raw materials, and so on), provided the dollar is actually worth something. If the Chinese just start dumping surplus industrial output into the ocean, they won't get anything back to purchase new raw materials with, which would effectively shut down the factories sooner or later anyway.
Re: (Score:3, Insightful)
I was joking about the dumping in the ocean... How about having another set of workers recycle the products back into raw materials for a complete loop.
The losses along the way can be made up by exporting some products to non-US countries to buy more resources with.
The point is that a large amount of the dollars they get from the US they don't use to buy resources with, they use them to buy US treasuries to keep the US afloat to keep consuming their products. Though they have been making a mad "better spend
Re: (Score:3, Insightful)
Sorry to threadjack, but speaking of Chinese ownership of rare metals, I have to wonder, don't our landfills now contain enough rare earth metals to keep us going for quite a while?
I mean, even if they somehow cut us off, wouldn't we just start reprocessing our waste? That's the one advantage of buying all of their cheap exports - we're effectively stockpiling their refined resources.
Re:Another reason (Score:4, Insightful)
You think if we had the means to produce them, people would have bought it? I'm sorry, but the reason domestic capacity doesn't exist is because it isn't competitive. Big gov't is not going to solve this in any way shape or form, it would actually make the issue worse by increasing admin overhead (taxes). If what you're advocating is protectionism, then I suggest you go read a bit of history on the subject and its reults.
There are only three sane ways manufacturing jobs will return to the US: De-globalisation due to peak oil, normalizing quality of life in the US down to the rest of the world, or bringing the rest of the world to the US quality of life. I prefer the third option.
Re: Another Reason (Score:4, Insightful)
the reason domestic capacity doesn't exist is because it isn't competitive.
One of the reasons for that is because China is artificially holding down the value of its currency so that we will destroy our own manufacturing base in a mad rush to make a quick buck. For the other countries, often American companies are the ones building the facilities and training the workers over there just for the cheap wages. Our own technology is given away for their cheap labor.
If what you're advocating is protectionism, then I suggest you go read a bit of history on the subject and its reults.
It seems to be working very well in many countries around the world that are smart enough to protect their own industries and work to keep out ours. Why do you think China is creating such problems for Google, and that Baidu is doing so well over there? The point is that if you don't go to extremes, you do very well. The extreme that America has gone into (not protecting our own domestic industries in favor of temporary profits) has really hurt us.
normalizing quality of life in the US down to the rest of the world
You mean make America a 3rd world country? That strategy seems to be working.
Re:Another reason (Score:4, Insightful)
It's mathematically impossible for every person on earth to burn this much oil, eat this much meat, and live on this much land.
Technological development, however, makes it mathematically possible for every person on earth (and a lot more) to have the equivalent of the life you describe.
Re: (Score:3, Insightful)
Which would matter if wealth were absolute. It isn't though, it's relative. By medieval standards almost everyone in the US today is "wealthy." But no one cares. What matters is how much wealth you have compared to others now.
By the time technology gets around to making what GP has available to the underclass of developing nations, the upper middle classes of the developed industrialized nations will have much, much more, so technology buys you nothing here.
Social problems rarely have technological solution
Re:Another reason (Score:5, Insightful)
Look, we need to remember something here - it's not like we were manufacturing high-quality goods in the US when we were still manufacturing goods. There's a reason people stopped buying American cars, for example. Sure, you can point at something made in the US from 50 years ago and say, "Ah ha! See? Our stuff was better!", but that's just selection bias. Of course the stuff that made it to today from 50 years ago is more durable than the stuff we have lying around our house now. That's why it's over 50 years old.. All the crappy stuff that fell apart instantly fell apart fifty years ago.
Back in the day, we made TVs. In those days, TVs were so expensive, TV repair was a legitimate career path. Nowadays, TVs are so cheap that it just doesn't make sense, which is why you don't see too many black & white TVs running around these days. Heck, the transition from analog TV to high definition TV will probably take less time for most families than the transition from black & white to color, if only because the cost of high definition TVs is falling so fast and so far that, when people's analog TVs die every 3-5 years (or so), they'll be able to easily afford a high definition one. How long did it take for VCRs to disappear once DVDs came out? The reason we can make these transitions so quickly these days is because of inexpensive manufactured goods.
That said, back in the day, we were pretty much the only industrialized country on the planet. After World War 2, the US was the only country around that had a significant industrial base that hadn't been bombed into the Stone Age (at least the only one of a decent size - obviously Australia, Canada, and New Zealand were still in decent shape, too). Guess who was the world's China? That's right - the US, which is why, even if we switch to a protectionist stance, we're never getting back to a world in which the United States is 10x more prosperous than every other country on the planet. There's simply too much competition these days. Of course, back in the day, China was starving - that's less of an issue now. Back in the day, Mexico was a backwards, lawless hellhole. Nowadays, they possess the 13th highest GDP in the world, just ahead of Australia, with a slightly lower per capita GDP than Russia and Turkey. That's still not great, mind you, but it's still more than double China's and a heck of a lot better than it was at the turn of the last century. Japan is now a world-leading economic power; going into World War 2, they were just a regional power, roughly along the lines of South Africa today and with roughly the same amount of regional and international pull. South Korea? They weren't even a regional power when they gained independence from Japan after World War 2.
Besides, life in the '50s and '60s wasn't that great in the US anyway, especially if you actually possessed melanin or were unfortunate enough to live in the South. Even if you were white, middle class meant something very different in '50s-era Birmingham than it meant in, say, '50s-era Detroit or Cleveland. Even if you were fortunate enough to live in an industrial city with lots of well-paying union jobs, what'd you get for it back then? A cookie-cutter suburban home sans-grounded wiring, a car that would rust or fail every three years or 50,000 miles, a TV if you really saved up for it, and lots and lots of canned food. Back then, frozen food was considered so novel and interesting that four-star restaurants in New York used to advertise that they used frozen product. Seriously, if you compared '50s America with today's... oh... Jamaica, you'd find yourself picking Jamaica in a heartbeat, and not just because of the weather.
Re: (Score:3, Insightful)
Re: (Score:2, Informative)
Re: (Score:3, Interesting)
They already do; counterfeit parts are a massive issue.
Yeah, someone I work with bought three T1 WICs (Cisco) for their SOHO. Two of the three were counterfeit.
I meant more in terms of someone putting the "MADE IN TAIWAN" stamp on a Chinese made part to trick people into thinking that it's from a country with a better reputation.
Re: (Score:2)
that's already happened :)
Re:Another reason (Score:5, Insightful)
It's not that it is an additional chip, it is a different chip all together.
For example:
the ICH (southbridge) on your system likely handles the following things for you:
keyboard/mouse
USB
IDE
SATA
FireWire
Lan on Motherboard
Boot from BIOS
WebCam
Using an ARM/ARC/MIPS core + SRAM added to the circuit of the ICH and fabbed as a "special item" one could conceivably manufacture motherboards with a larger than spec flashrom (to hold NVRam data for the extra proc) and so long as your system was on (possibly even "off" but plugged in if you can make it low enough power to run on standby voltage) you can datalog nearly anything.
Parse the data for the interesting bits and store that to a hidden file on the HDD (since you're the controller for the HDD this should be trivial, no one will miss 1 meg of sectors you've marked bad).
When you have an internet connection SSH over to your drop server (you run the ethernet MAC remember) and unload your stash.
Really not all that far fetched and as long as the government pays for it (the fab of chips) you can sub these into assembly and not even no there was something wrong on the system even with a physical inspection.
Intel has their own backdoor. HP builds it in. (Score:4, Interesting)
I think it would be difficult to do a company like HP. Any additional chip means additional cost, and HP would notice this right away. It would have to be a company that collaborates in the design stage.
Intel has their own network-facing backdoor built into their chips. HP uses them in its laptops - and HP's outsouced-IT service organization supplies these machines to the companies which hire them.
Look up "Intel AMT" on the web. There's lots of stuff on it available there. It's a "feature" intended for large companies' IT operations to use to remotely administer the workers' laptop and desktop machines: Remote update software, detect malware, cut misbehaving machines off the LAN or shut them down, monitor workers' behavior, ...
It is "below" the main CPU(s) and OS. It runs even if the main machine is off. It is a man-in-the-middle on the network interface, accepting its own connections from the "mother ship" and configurable to "phone home" when on the road. It can monitor and twiddle all the network traffic, monitor all the I/O (including keystroke logging), access the hard drive, stop the processor, monitor applications for watchdog events and shut them down if they "misbehave", halt and restart the main processors, yadda yadda yadda.
It can also present one of its own intercepted connections-from-afar to the main processor as if it were a terminal interface on another chip. The recommended way to configure Linux or Unix on the box is for this interface to be given a login process with root login privileges.
How do you know if it's disabled? The BIOS TELLS you it's disabled. (If you believe that, especially after the next BIOS firmware update, would you be interested in some land in Nevada?)
Re: (Score:3, Informative)
You can buy stuff made in the USA.. You just have to look harder and spend just a bit more.
You can also buy from Europe, their quality is much better than Chinese anyway
Re:Another reason (Score:5, Interesting)
Re: (Score:3, Insightful)
Re: (Score:3, Informative)
Re: (Score:2)
Yes, except for all of those x86, PowerPC and ARM CPUs produced in the USA.
Forget about the military CPUs.
Re: (Score:3, Funny)
Weaksauce. He uses ready-made logic gates. Have him build a CPU out of discrete BC547 transistors and I'll be impressed.
You are incorrect (Score:4, Informative)
Nearly all Intel CPUs are made in the US. Most of Intel's fabs are located throughout the US. The do have one in Ireland and one in Israel but that's it. None are in China. So your CPU, the actual silicon part, is made in the US most likely (all the new 45nm and 32nm stuff is I think). Now you'll probably see a stamp on it for places like Costa Rica or Singapore or the like. That is where is was packaged, where the silicon was put in the actual metal until you buy. You'll still note, that doesn't happen in China.
You also might want to have a look at all the other CPU makers out there. AMD, Motorola, IBM, Marvell, all US companies. While some of them do fab in other locations (AMD has most of their fab work done by Global Foundries in Germany), they are US companies and do a great deal (sometimes all) of their design work in the US. In fact the only non-US processor companies I can think of are Hitachi (Japanese) and ARM (British).
Not really. (Score:2)
I just did a quick survey of all the computer equipment in easy reach from my office chair:
Mac Pro computer - built in China
Apple Keyboard: Made in China
Wacom digitizer: Made in Japan
Logitech Speaker: Made in China
iSight Camera: Made in China
Vakoss USB Hub: Made in China
Apple Cinema Display: Made in China
Sli
Re: (Score:3, Informative)
hand tools bought from China have never held up for me as well as American made tools.
Especially cutting tools like metal shears. The chinese ones nick easier because they use a lower cost (and thus softer) steel rather tan tool steel which is much harder, but more expensive and harder to work.
Of course I pay a lot more for the better tools
Re: (Score:3, Insightful)
hand tools bought from China have never held up for me as well as American made tools.
Especially cutting tools like metal shears. The chinese ones nick easier because they use a lower cost (and thus softer) steel rather tan tool steel which is much harder, but more expensive and harder to work.
Of course I pay a lot more for the better tools
Yes, but is this because Chinese goods are inherently bad, or because there is a correlation between goods made in China and manufacturers looking to cut every last dollar of cost? If the only tools that are still economic to make in the US are the pro-quality top-of-the-range ones, then of course the US tools are going to appear better compared to the competition.
It's like the way that people blame outsourcing to India for crappy customer service. The real problem is often that the customer service departm
Re: (Score:2, Insightful)
US goods are riddled with backdoors too, I think it is much healthier for you to mistrust your own government apart from the Chinese one.
Re: (Score:2)
Re:Another reason (Score:5, Insightful)
Similarly, the US Government is more likely to spy on US citizens.
Re:Another reason (Score:5, Insightful)
That's insightful? That's what's called a false dichotomy.
It's not mutually exclusive: The Chinese Government is likely to spy BOTH on US citizens AND their own citizens, just for different purposes.
The US Government does both as well, but US abuses of US citizens are more likely to have discovery and recourse than China's abuse of Chinese.
Just a bad argument all around.
Re: (Score:3, Funny)
Don't those US citizens normally just brag about such secrets after a few drinks? ;) .
In further news: General Tso, head of Chinese Special Intelligence, was quoted as stating "A double agent is always just a browjob away"
Re: (Score:3, Funny)
Re: (Score:2, Insightful)
Listen, Do you want a $200 Intel i7 made in China/Taiwan/Korea. Or you can Buy american and get a $1000 IBM chip made over at East fishkill.
oh and they're about the same speed.
Re: (Score:3, Informative)
Intel is a terrible example, they do most of their chip fabrication in the U.S, with much of the rest of it done in Ireland and Israel.
They say they do 75% of their chips in the U.S.:
http://www.intel.com/pressroom/archive/releases/2009/20090210corp.htm [intel.com]
Re: (Score:3, Informative)
Yes, except for the fact that the i7s are produced in the USA.
Oh, and that IBM PowerPC isn't as fast as the i7 and won't run your x86 desktop applications. Different processors for different markets.
Re: (Score:2)
I wonder why you would be particularly concerned about china made goods, as opposed to usa made goods. There exists more data to say Microsoft puts in backdoors than that China puts in backdoors. Not that the details are particularly convincing in either case. And security on many dimensions is so problematic that it is not clear why you want to focus on this particular threat.
So what is the real deal? Big time world-historic international politics. Figure the reason the blog got written comes directly
Re: (Score:3, Insightful)
Then there is the conspiracy theory mind set. There is always something going on that somehow there is one piece that is beyond our comprehension on how they do it.
I am sure there are solid american geeks out there when they plug in their USB Device will find odd communication going to china and probably report it on the internet with the exact test case to show it.
As well many of the China made components are made of US made specs and if they are not working as planned then there is a problem.
For the most
Short and Sweet (Score:2, Insightful)
Re:Short and Sweet (Score:5, Funny)
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
That China is a corrupt dictatorship that brutally oppresses its own citizens and has a history of "cyber-attacks" worldwide? Yeah, real shaky presuppositions there, Bertrand Russell.
Bad Headline (Score:5, Insightful)
Re: (Score:2)
Can you trust anybody?
The whole point of trust is that it relies on unproven assumptions.
Re: (Score:3, Funny)
I'm sorry lyinhart, I don't think I can let you post that.
I honestly think you ought to sit down calmly, take a stress pill, and think things over.
Fake Cisco (Score:4, Interesting)
There is a fairly large amount of counterfeit Cisco gear floating around
http://www.networkworld.com/news/2006/102306counterfeit.html [networkworld.com]
http://www.networkworld.com/community/node/13213 [networkworld.com]
http://www.andovercg.com/services/cisco-counterfeit-wic-1dsu-t1.shtml [andovercg.com]
And we all know where this stuff is made.
OTOH we just bought a huge pile of new Juniper stuff at work, every single piece "Made in China".
Can we trust (Score:2)
Can we trust any computer equipment or code? can we trust Linux, Microsoft, Apple, PGP, based on the blurb if you haven't written the code yourself you shouldn't be trusting anything.
The seeds of the police state are, including the preceding /. article about DNA storage.
put a backdoor into the Unix C compiler ? (Score:5, Informative)
"one the creators of Unix, admitted that he had included a backdoor in early Unix versions. Thompson's backdoor gave him access to every Unix system [itworld.com] then in existence"
No, he didn't, as best we can tell. (Score:5, Insightful)
I was a gung-ho CS student when this article came out, and we spent a LOT of time hashing it over. He specifically did not say that he had done this, and while I don't remember him making an outright denial, we concluded that he hadn't. After all, the C compilers of that day were still small enough to be understood by a single human, and comparing C code to the assembly code generated from it (or comparing that assembly code to generated machine instructions) was not very challenging.
Maybe the Jargon File entry is right, and he did implement it as a proof-of-concept, but it wasn't widely distributed. It was easy enough for an interested (and bored) undergrad to check out over a weekend, but hard enough that compiler distributions weren't routinely examined.
With today's optimizing compilers and layers upon layers of abstraction, though, it seems like there's more than enough room for plenty such exploits. Pham Nuwen can still have his backdoor into the localizers.
s/chinese/any_country/ (Score:2)
Oh my god (Score:2)
Yellow paranoia (Score:2, Insightful)
Cause it's only the chinese that spy on other countries cause the rest of us are all friends and friends don't spy on eachother ... oh wait ... Seems that red paranoia have had a bit of a colour change.
Sure this might be software related so it's write once - copy everywhere but would you really want to do that. Cause if you plant it everywhere, "everyone" will have it leading to a larger chanse it will be found and out blow the entire operation out of the water. But have they really ever found any evidence
It really depends on who "you" are... (Score:5, Interesting)
Computer gear hasn't quite reached biological levels of complexity, where trust is even harder(one malformed Prion in a batch of millions can end up eating holes in your brain); but, from the perspective of a user who isn't a tech god, it might as well have.
That being so, the question of whether you can trust Chinese computer equipment is basically a political one. China's general enthusiasm for industrial espionage is well known, so if you have data on interesting technology or military stuff, the answer is almost certainly "no". If you are basically just Joe Consumer, though, your data are just noise obscuring what Chinese intelligence really wants. You would do better to be worried about the botnet your PC is part of, Google, ChoicePoint, Equifax, the NSA, and whoever is taking advantage of CALEA at that particular moment. The world of technology is a ghastly morass of potential backdoors, quite a few of them not even hidden, that most of us are constantly vulnerable to, and, in a great many cases, actively being monitored through.
Bugged Chinese chips are definitely something to think about if you are doing military COTS procurement, or doing security for somebody who has data of real interest; but, for most of us, it's all just one more piece of assymetric transparency. I, for one, don't feel any warmer and fuzzier about the Americans spying on me than the Chinese spying on me(worse, in fact, because some sinister chinese intelligence agency is substantially less likely to sell my information to advertisers, make it harder to get medical insurance, or damage my credit rating than some warm, fuzzy, American multinational corporation).
I really hope that this threat leads to a general recognition of the need for sound and open practices for security(both in the sense of novel CS research on how to do maximally verifiable stuff, test blackboxes, build verified bootstrap compilers, etc, etc. and in the sense of market acceptance of the fact that mysterious binary firmwares, and "just trust us" responses from vendors, and blackbox systems in general just aren't good enough). That would make things better for everybody. I get the unpleasant sense, though, that a lot of this concern is less about "We really need to understand how to build highly complex systems that are dependable and verifiable for those who use them." and more about "Goddam chinks, only we are supposed to have backdoors and surveillance capabilities!"
Re:NSA (Score:3, Interesting)
Can you trust the NSA to not simply forward all the commercially viable information to a corporation, if it serves their interests?
They have apparently used sigint to aid US corporations in the past, whats to stop them now.
I feel no guarantee that the NSA is going to be any more careful about using personal information than the Chinese will be. I am opposed to both of them knowing my personal details. Really the only defense I have is the fact that I am undoubtedly of little interest to either.
It's no problem (Score:2, Funny)
Computers are information networks (Score:4, Insightful)
Contratulations (Score:2)
For outsourcing the production to the lowest bidder...
Programmers vs. Users (Score:3, Interesting)
If you are a User, you have no choice but to trust the entire universe of code around you. Your watch could contain a rogue program, your car radio, your cell phone, your microwave oven. Everything is enabled with microprocessors programmed by unknown and unknowable people with unknown and unknowable motivations.
All you can do is hope for the best if you are a User.
However, if you are a Programmer you can only use code that you trust and have personally verified in addition to the rest of the Programmer community. Users don't count for much in this world, because they can't help out, they can only blindly follow. Some Users will have Programmer friends and they can just follow in their footsteps, like a line of soldiers through a minefield. Only Programmers have this power.
Sadly, the way people are wired only a very few are going to be Programmers. The rest simply do not have the skills or the mental faculties. The rest of the human race are doomed to simply be Users.
Evidence? (Score:3, Interesting)
So, is there any actual evidence backing all this up, or is it just more anti-Chinese vilification?
(Remember, we have always been at war with Eastasia.)
Re:Evidence? (Score:4, Insightful)
Looks completely made up to me. Why just think about the times that the consumer has ran across hidden malware such as the Sony Rootkit incident. Experts saw unusual traffic and traced it back to a CD. Same thing would happen if a piece of equipment had hidden malware in it, someone would notice the suspicious traffic and trace it back to the source.
Sure... (Score:5, Insightful)
While the USB memory key (in this example) could have low level software to snoop your data, how are they going to get it? Is the USB key going to open a TCP/IP or UDP connection back to their servers without tripping my firewall that a new application is trying to connect? Is my virus scanner going to get tripped that something suspicious is coming out of the key without my interaction?
Most decent virus scanners and firewalls will pick up on this. In a lot of corporate networks USB Mass media is disabled. I'd love to see a proof of concept that can get around these common checks... If anyone has a USB key that can do this, please let me know :-) I'll happily test it.
Chinese made, not always = Chinese code (Score:3, Informative)
Not all Chinese-made products contain Chinese computer code.
I am a consultant to a US company. Our products are made by Chinese companies, to our specifications.
I write all of the code, and it is loaded after the products get to the US.
Have you read the fucking article? (Score:4, Informative)
Because the entire point of someone a LOT smarter then you, is that if the very tool you use is compromised, then how can you ever check it? Your write your program to the memory, but the memory controller itself is corrupted. So you check everything, and you never see anything wrong.
A compromised system can never be trusted and if you don't control the system, then you can never know it is compromised unless you verify every last detail, down to grinding the top of the chip and seeing exactly what the layout is. And do this for every last element.
How do you know there is not a simple element in the USB connector that records everything? How do you know the simple chip in your ethernet card doesn't transmit everything? How do you know your router hasn't been hardcoded to ignore such traffic?
You don't. Granted, putting it all together seems like an enormous task and there are far simpler ways of spying. But it is possible.
At the end of the day, you gotta trust SOMEONE (Score:3, Interesting)
I'm *far* from trying to defend China or claim they're "trustworthy" ... but taken to its logical conclusion, this line of thinking is a dead-end for most individuals and businesses. Ultimately, yes, you can't know for 100% certain a given piece of software is trusted unless you wrote it yourself .... but what's new? That's always been, and always will be the case ... and unless you were able to engineer your own computer processor and other components on the motherboard, etc. - you STILL can't prove you're running a completely trusted system, can you?
In reality, I think people have to possess some awareness of their computing environment, as a whole - and that may realistically be the best we can do. If some piece of gear is "compromised", it still has to communicate the information it stole to a receiver on the other end. That means, your firewall is capable of either blocking or at least logging that connection. There's also, of course, the "strength in numbers" facet to all of this. Maybe YOU as an individual never noticed something strange was going on with a piece of gear, but as thousands or millions of people become customers/users of the same gear, chance increase that SOMEONE will figure it out. Keep an eye on the tech news and Internet forums, and you'll receive pretty quick warnings about such things. (This is probably also a good argument for going with popular products, vs. obscure ones with a far lower installed user-base?)
israeli's have been doing this for 20 years (Score:4, Informative)
Cisco (Score:5, Interesting)
This isn't just for good known to be made in china. This past year we performed an audit of our network infrastructure with Cisco's help. We found almost 10% of our switches were counterfeit. They were all models of layer 2 and layer 3 switches and were virtually indistinguishable from genuine Cisco products down to the enhanced security IOS.
Back doors in hardware (Score:5, Informative)
DoD is really worried about this. They're trying to develop ways to efficiently examine ICs to check for unexpected "features". Right now, it's necessary to open up the IC and put it under a scanning electron microscope, then use software that can extract the logic diagram from the scan.
One of the obvious places to put in a "back door" is in Ethernet controllers. Many used in servers already have logic for hardware "remote administration" (turn machine off, reboot, load code, etc.). It is supposed to be disabled by default, and work only when initialized with keys during hardware installation. Just build a set of default remote administration keys into the chip, and everyone using that chip is 0wned. Send the right UDP packets, and you can take over the machine. This would be completely invisible until activated.
Re:Back doors in hardware (Score:5, Interesting)
DoD is really worried about this. They're trying to develop ways to efficiently examine ICs to check for unexpected "features". Right now, it's necessary to open up the IC and put it under a scanning electron microscope, then use software that can extract the logic diagram from the scan.
One of the obvious places to put in a "back door" is in Ethernet controllers. Many used in servers already have logic for hardware "remote administration" (turn machine off, reboot, load code, etc.). It is supposed to be disabled by default, and work only when initialized with keys during hardware installation. Just build a set of default remote administration keys into the chip, and everyone using that chip is 0wned. Send the right UDP packets, and you can take over the machine. This would be completely invisible until activated.
Whenever this subject comes up, I post about it and either get a +5 insightful or get flamed to hell and told I don't know what I'm talking about, so let's see what happens this time. I work in semiconductor design. In a CPU or memory chip there are some sections of the chip that have duplicate/spare circuitry that can be brought into play if some of the main circuitry is defective. This is what people refer to when they talk about trimming memory chips. I don't do this sort of stuff so I don't actually know for sure, but people who post on slashdot claiming to know, say that it would be "easy" to jigger some of the spare circuitry to provide added/surreptitious functionality to the chip.
Thing is: I don't see that this is very useful since it's in ram or the cpu, and it seems to me to be possible, maybe even likely, to see surreptitious traffic from them heading outwards to the ethernet controller chip.
I think -- as apparently do you -- that the most likely places to try to put in backdoors are the I/O chips because it's hard for you to determine what they're doing. But then they have to include some serious functionality, to implement at least a little intelligence to decide what to send, unless they want to send everything, which again would be pretty obvious to someone looking at the hardware.
And since I work at a place that *does* design ethernet controller chips, although that's not what *I* do, I can say with at least some assurance that it's really, really, really unlikely that they could be backdoored.
Let me explain why: on analog and small digital chips, die size is *unbelievably* important because it is directly related to your profit margin. I've done chip layout. We will go to any lengths whatsoever to make the die smaller, even if it means completely relaying out the chip. There isn't any space for extra circuitry at all. Every square mil is loaded.
On top of that, we then run our prototype chips on planet runs, where a bunch of proto chips from various designers are all masked onto a chunk of silicon, in either our own local fab or our tiny owned fab in Europe, and then characterize the returned chip, and do metal changes and maybe a complete new mask set, and only *then* does it go out to the big fabs. And when we get *those* back, we spend months characterizing *them*, making sure that every individual pin has the same leakage current and ESD protection characteristics, as the ones we got back from our local fab, to ensure the chips will actually work in the field.
In order for a Chinese fab to put a backdoor into one of our designs they'd have to increase the die area, which would be really amazingly obvious, or remove existing circuitry, which would be really amazingly obvious. Even if they're so incredibly clever as to redesign the chip better than we can design it in the first place, giving them space to add their circuitry, it's very unlikely that the current draw on every pin during operation and when forced into test mode and pushed to failure, would be within 1% of the chips we got from fabs that we control.
With all that said, my company recently closed our Chinese fabs, and went with another southeast asian country, but it wasn't because we were worried about backdoors, it was because we didn't have enough business to justify running six fabs (and, I'm led to believe, because we were tired of having chips with our names, but lacking functional testing, being sold on the gray market.)
Re:Back doors in hardware (Score:5, Interesting)
In order for a Chinese fab to put a backdoor into one of our designs...
If just the IC fab is outsourced, with masks provided, that's true. Many Ethernet chips are designed in Taiwan and fabbed in China, but so far I can't find ones developed entirely on the mainland. That can't be far off; eventually, engineering and design moves near the fab. There are competent IC design houses in China; HiSilicon and C2 Microsystems are sizable design companies. But neither makes an Ethernet controller. The focus of the Chinese design companies tends to be entertainment electronics and portable devices.
Re: (Score:3, Informative)
There are some fantastic design
Overblown fears (Score:3, Insightful)
IMO people are worrying far too much about an exploit mechanism that is simply not needed if the Chinese want to spy on the West, or anyone else for that matter.
The problem with building backdoors into the hardware or firmware is that such backdoors are traceable. You know where it was made. The right forensics people can probably tell you the exact factory it came out of. And how many people would buy chips from a Chinese fab once someone found a hardware backdoor inserted into a product? The Chinese want to make money first and foremost, not shoot themselves in the foot adding a backdoor that might have a one-in-a-million shot of giving them access to a system they even cared about, but would destroy an entire industry if they were caught. It's not worth the risk.
The smart thing to do is what they (and everyone else) are doing right now - use software exploits over the net to gain access. The attack can be targeted, the attackers can easily hide their tracks, the attacks can be modified as needed, and you have plausible deniability if you're caught. That's the smart way to subvert your enemies, and as long as governments and businesses keep running Windows, it's the way that they'll keep using.
In hardware it is harder for them then in software (Score:3, Interesting)
... because hardware means accountability and traceability. Software intrusions are much more convenient for them because the attacks are practically anonymous and nobody can really prove who in China carried them out.
Comment removed (Score:3, Insightful)
I wouldn't be surprised. (Score:3, Interesting)
There is no comparison! (Score:3, Funny)
I'm amazed at the number of responses saying, 'Well, the US spies on its citizens too.'
Folks, there are laws in the US that restrict surveillance of US citizens. They are allowed to collect aggregate data, and they have far-reaching powers when a subpoena exists due to suspected crime or terrorism. But just spying on regular citizens as a normal function of government -- that should never happen in the US.
I say 'should' because it's possible it does happen in some black project somewhere. But I guarantee you it's much, much smaller and more benevolent than how China spies on its citizens.
If you're comparing Big Brothers, the US one has one eye closed and only sneaks a peek when the cops aren't watching. The Chinese practically live in a panopticon; their government probably keeps track of what color underwear they have on.
Re: (Score:3, Insightful)
"But I guarantee you..."
That's a hell of a guarantee to make, especially given how extensively the US is currently known to spy on its citizens.
Not defending China here at all, nor saying that things in the western world are _that_ bad, but I think they are much closer than you claim.
Re: (Score:3, Informative)
Seriously? You haven't heard about the whole telecom warrantless-wiretapping thing? Any of it?
Can you trust computer equipment? (Score:3, Insightful)
No.
There, that's all there is to it. Chinese, Korean, Vietnamese, American, British, Indian, or other.
You can't trust the companies, and you can't trust the governments. Everywhere a corrupt person _could_ have (or create) access to data they shouldn't, there _will_ be a corrupt person working at it.
Maybe it's the Chinese government, maybe it's a hacker at a chip factory, maybe it's the Russian mafia, maybe it's a rogue NSA operative (or the NSA itself), but SOMEONE will do this eventually. They may not be after your data, but if it becomes useful (i.e. valuable) to them, then they'll use it.
No backdoor in unix CC (Score:3, Informative)
The post makes it sound like Thompson actually put a backdoor in the version of CC that shipped with unix. He did not. What he *did* was demonstrate that he could have in an earlier version and you would be none the wiser by inspecting the source of said compiler.
Re: (Score:2)
The ability to send signals upstream on the power lines worries me -- one could embed signals in the power supply fluctuations and leak data to anyone else on the line.
Re:Ahem *cough* why is "china" singled out?? (Score:4, Informative)
Ummm maybe they're singling out China because of, as the Summary points out, recent events?
If the US government (or ANY government) was strongly suspected of doing the same thing, and that country was a leading supplier of xyz goods, you'd see a similar article posted. It's how news works.
Re:Ahem *cough* why is "china" singled out?? (Score:4, Insightful)
and before thinking that "this is crazy, a U.S. firm wouldn't possibly do that" bear in mind that i've already had some experience of receiving a very weird series of SPAM messages, following which my machine started acting very very weird.
my guess is that simply by receiving that SPAM message, there was encoded within it some power-fluctuations or signal fluctuations which the CPU could pick up and "activate" whatever it was that was wanted to be activated by whomever it was that sent the SPAM message.
To be fair, the "Troll" mod is also used as a substitute for "Batshit-Crazy".
WARNING! This post is encoded with power and signal fluctuations that which will cause your machine to start acting very very weird. Again, if your computer starts acting very very weird after you read this it is because of this post.