The Chinese Telecom That Spooks the World 153
wrekkuh writes "The Economist has printed an interesting look at the concerns and speculations of the fast-growing Chinese telecom giant Huawei, and its spread into western markets. Of particular concern is Huawei's state funding, and the company's founder, Ren Zhengfei, who once served as an engineer in the People's Liberation Army (PLA). However, another article from The Economist goes into greater detail about the steps Huawei has taken to mitigate some of these concerns in England — including co-operating with the GCHQ in Britain, the UK's signals-intelligence agency, to ensure equipment built by Huawei is not back-doored."
Is that even possible? (Score:5, Insightful)
How can you be absolutely sure they are not back-doored?
Re:Is that even possible? (Score:5, Funny)
Re: (Score:3, Funny)
But Cisco's have backdoors! i don't get it
Re: (Score:1)
well, in Cisco, I can tell you, any static passwords (like root accounts with anything not set by customer), it is simply, not allowed, and if done by developer, it is fixed, and public is notified as soon as possible. (there are controls, that by mistake my fail to detect, so yes, there are examples of this)
adding a backdoor would get the product under BIG heat from PSIRT
Re: (Score:2)
What about that access to home routers by the cloud, set up by an auto-update. You have to give the website your password in order to get to your router.
Re: (Score:2)
hell. What about those home routers that require net access just to log-in with the damn default? I've got a Netgear unit that frankly worries me because of this exact feature and I have to wonder just how much of my traffic is being sent past their effen servers for monitoring by whatever TLA agency you care to name
Re: (Score:2)
Re: (Score:1)
You have to give the website your password in order to get to your router.
I can't seem to find that feature in OpenWRT.
Re: (Score:2)
well, in Cisco, I can tell you, any static passwords (like root accounts with anything not set by customer), it is simply, not allowed, and if done by developer, it is fixed, and public is notified as soon as possible. (there are controls, that by mistake my fail to detect, so yes, there are examples of this)
adding a backdoor would get the product under BIG heat from PSIRT
There is a major supply chain problem though. Sure that router or PC left the manufacturer without backdoors, but you have no guarantee that someone in the supply chain didn't tamper with it. At the very least, you wipe the OS and reinstall from know good sources. There are plenty of examples of PCs arriving pre-infected with malware (not counting the standard crap that Dell and HP add on) and there have been instances of Cisco gear showing up with a tampered IOS.
Re: (Score:2)
Those "mistakes" are only a small part of Cisco "features" - there are even more unknown exploits embedded inside Cisco hardware, courtesy of NSA and other 3-letter spy agencies working for Uncle Sam
Re: (Score:1, Offtopic)
Because that makes it be more like your mom?
Re: (Score:1)
Does that translate into a fuck in the ass, consensual vs. non consensual?
Re:Is that even possible? (Score:5, Insightful)
Even if they did 1:1 copy software side, hardware can have its own backdoors, hidden in the chips, completely invisible from software side.
And if you think that cisco doesn't have backdoors, I have land on the moon to sell you.
Re: (Score:3)
Unless everyone forgets: http://crysp.uwaterloo.ca/courses/cs458/F08-lectures/local/www.acm.org/classics/sep95/ [uwaterloo.ca]
Reflections on Trusting Trust by Ken Thompson
Re: (Score:1)
Re: (Score:2)
Re: (Score:3)
USA seems to have done fine in this task, going from 1:1 copies of European technology to eventually developing and improving it, to USA it is today.
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
By scanning chips.
By watching how they work under microscope.
Nothing can be hidden from this even with the best of technology.
Random testing will prevent special boards from reaching testing agencies.
It is paranoia at best. More so when it comes from the US because they already do such a thing.
China, strangely, are completely innocent in comparison to the US.
Re: (Score:3)
It is paranoia at best. More so when it comes from the US because they already do such a thing.
China, strangely, are completely innocent in comparison to the US.
China is not completely innocent - but compare to US, in term of spying technology, true, China is like a kindergarten kid as compare to Uncle Sam, a University Professor teaching PhD post graduate students
Re: (Score:2)
How can you be absolutely sure they are not back-doored?
The same way that we can absolutely be sure that you're not a pedophile. We just can't.
It's nothing personal. It's just that proving a negative can be really difficult at times. Until we know more, let me suggest that we don't let you near any children, as a just to be safe, we really don't know, precautionary measure.
Re: (Score:3, Interesting)
They practically are backdoored: they're insecure as hell. http://phenoelit.org/stuff/Huawei_DEFCON_XX.pdf [phenoelit.org]
racism much? (Score:5, Insightful)
Why is it ok that all internet equipment cc's a copy to the usa, but not ok to send the same copy to china?
Re: (Score:2, Interesting)
Citation needed.
Right... because when the CIA backdoors equipment, they always post a page about it on Wikipedia.
You could start with this, though [wired.com], to get the general idea of what they want.
Re: (Score:1)
Citation needed.
Here are a couple of places to look to get you started. This practice is generally disguised as "Lawful Intercept". The net effect is that any government agency can trap any data that they want to. If you look at the Google search, you will see Cisco configuration guides on how to set this feature up.
https://www.google.com/search?q=cisco+lawful+intercept [google.com]
http://www.blackhat.com/presentations/bh-dc-10/Cross_Tom/BlackHat-DC-2010-Cross-Attacking-LawfulI-Intercept-wp.pdf [blackhat.com]
Keep in mind, this is just the publ
Re:racism much? (Score:5, Insightful)
Why was this modded negative? It is a reasonable question. So is it fine for the NSA to spy everything, but not china? Double value.
Re: (Score:2)
I think the reason we aren't as worried about the US industrial espionage as we are about chinese espionage has nothing to do with race, it has to do with the fact that we have a stake in the outcome.
Re: (Score:2)
For starters, because he labeled it racism, which is a misnomer of the highest order. Race has absolutely nothing to do with this discussion, and its exhausting to have it brought up at every opportunity.
Re: (Score:2)
Re: (Score:2)
Even if so, that's nationalism, not racism.
That's the particular concern? (Score:4, Informative)
Not that they're total shit from a security POV? [phenoelit.org] (warning: pdf)
Re: (Score:1)
Not that they're total shit from a security POV? [phenoelit.org] (warning: pdf)
Lies! Lies! Lies! Lies!
This testing is useless... (Score:5, Insightful)
Re: (Score:2)
Or you hide backdoor in the hardware, invisible from the actual hardware until initialized externally.
Re: (Score:3)
Not necessary at all. You do know the classic text on this, right? Reflexions on Trusting Trust [bell-labs.com], by Ken Thompson.
Re: (Score:2, Interesting)
Read this.
http://www.theparliament.com/latest-news/article/newsarticle/cyber-security-john-suffolk/ [theparliament.com]
CSEC get to see and test the source code (first line of penultimate paragraph). They aren't just pen-testing black boxes.
I'm posting purely public information as Anon because I know far more about this than I'm allowed to say.
Re: (Score:2)
I would be lots more impressed with this if parliaments could even design their code (laws) without bugs or loopholes.
Re: (Score:2)
I would be lots more impressed with this if parliaments could even design their code (laws) without bugs or loopholes.
Those aren't bugs, they are features.
Re:This testing is useless... (Score:5, Interesting)
Looking at source code is even more useless in this case than examining the black boxes that are actually being deployed. It's difficult to prove that the source they're looking at is what is on the actual sold devices. And looking at the source gives no information about backdoors implemented in hardware.
Re: (Score:2)
You are right, but:
IF the OS and patches on these is open source, AND the users are in control of installing these items and updates, AND the source is kept on a public repository, then there is a chance it could be legit.
Re: (Score:3)
You are right, but:
IF the OS and patches on these is open source, AND the users are in control of installing these items and updates, AND the source is kept on a public repository, then there is a chance it could be legit.
Didn't you forget the compiler [wikipedia.org]?
Re: (Score:3)
Re:This testing is useless... (Score:5, Informative)
GCHQ is hardly a security watchdog - the closest US equivalent would be the NSA.
They're the signals intercept and codebreaker agency of the UK government. One presumes they know their shit when they're looking for backdoors planted by the chinese intelligence servives.
Re: (Score:3)
GCHQ is hardly a security watchdog - the closest US equivalent would be the NSA.
They're the signals intercept and codebreaker agency of the UK government. One presumes they know their shit when they're looking for backdoors planted by the chinese intelligence servives.
This the interesting thing about GCHQ's remit. It is actually twofold. They are tasked with securing the UK's government communications and also breaking other peoples.
The most interesting story I ever heard about them involved the guy who is currently their chief mathematician: http://en.wikipedia.org/wiki/Clifford_Cocks [wikipedia.org]
Particularly relevant is that when they figured out the Public Key Cryptography was actually possible, they expressly did not let anyone else know what they had found even though they decid
A Few Possible Points (Score:1)
and have them install a critical software update to avoid exploits.
I love how Cisco did something along these lines recently, [slashdot.org] including the siphoning off of web history, along with a slew of other privacy violations completely in the clear, with no permission whatsoever.
Another possible point of hypocrisy is the CIA's partial funding of Facebook, [zdnet.com] which seems to suggest that if a foreign company wants to build a network in the US, that is government funded, it's a National Security issue... but if a domestic company, which is funded by the US government, wants to build a
Re: (Score:1)
So, they are being tested by the security watchdog in the U.K. Big deal, they load up a specially prepped software image (like they do for all their customers) and pass the test. Next step is to have all operators buy their heavily discounted gear for almost nothing, implement it and have them install a critical software update to avoid exploits. Have that image backdoored and they are one step closer to total world domination.
If they do what you suggest they may do, and they are found out, their market will become negative, with customers leaving like flies
The reason (Score:5, Interesting)
If you don't want to be spied on, encrypt it.
Re:The reason (Score:5, Insightful)
If you don't want to be spied on, encrypt it.
Even if you encrypt your communications, they can still see who you are talking to. Sometimes knowing who you are talking to can be almost as valuable as knowing what you are saying.
Re: (Score:2)
However, if you don't encrypt your stuff, you might as well be broadcasting it (if it is encrypted, broadcasting might not be a bad idea. Makes it harder to discover the intended target).
Re:The reason (Score:4, Informative)
an un-encryPted public message with nO specific desTination mAy in acTuality cOntain a Encrypted private message.
Re:The reason (Score:4, Funny)
Re: (Score:2)
We're all capable of mistakes, but I do not care to enlighten you on the mistakes we may or may not have made.
Re: (Score:2)
Just run an encrypted torrent client in the background with a few Linux isos.
Not just the US (Score:2, Informative)
post WW2, the UK sold enigma-based encryption machines to Empire/Commonwealth countries. Of course, they didn't tell the recipients that the UK could crack enigma encryption with ease.... Its why the wartime decoding of enigma remained a state secret until the early 70s, when even the most poverty-stricken Commonwealth countries had moved onto something a bit more sophisticated!
Its important to know what both "friends" and enemies are saying about you!
Re: (Score:1)
If you don't want to be spied on, encrypt it.
Doesn't help if you've been backdoored with Windows Update and the equivalents on other OS'
Re: (Score:1)
backdoors (Score:2, Insightful)
Re: (Score:1)
To quote Mankiew: What's your trade deficit with your barber?
Re: (Score:3)
Exporting manufactured goods is what makes Germany what it is, and the shift of them from US to anywhere else, well.... see the lower class of the two countries and then we talk.
Re: (Score:3, Insightful)
Short sighted poster forgets 10 years ago when Germany was the "sick old man of Europe" and the government took incredibly unpopular measures to jump start the economy. Please don't speak like building an entirely export based economy is a silver bullet method to success. How is Germany doing today? They joined a common currency with a bunch of knuckleheads and got rich off lowered trade barriers for their goods. Now all the money has dried up and their economy limps on because the domestic markets aren't n
Re: (Score:2)
ummm, actually trade really is pretty much a zero sum game. you might want to take an intro to international econ class or something...
Only in the long run. And you know what Keynes had to say about the 'long run'...
Re: (Score:2)
Yes, but unlike Keynes, I have kids, and would like them to live in a country that's not totally fucked up from a disregard for long term thinking.
Re: (Score:2)
The latter part of your comment would make you unique in just about any corporate boardroom in the US, and, for certain industries, the world.
Sadly.
Re: (Score:1)
Only in the long run. And you know what Keynes had to say about the 'long run'...
It tastes like chicken?
Better title (Score:5, Funny)
The Chinese Telecom That Spooks the Spooks
underhanded code (Score:5, Insightful)
As anyone familiar with the underhanded code contest [xcott.com] knows, it's possible to create code that looks fine, easily passes reviews from people even who are on the lookout for back doors, yet still contains back doors.
It's essentially impossible to prove that your equipment is NOT backdoored, unless you designed and built it in-house and believe that your own engineering staff is trustworthy (its own problem, when there is a history of governments buying off employees within companies that have access to critical data and processes).
Hum (Score:2)
They don't need back doors! (Score:5, Informative)
I normally don't post anonymously but my employer deals with Huawei.
According to Recurity Labs they don't need a back door when the front door is locked with a piece of masking tape that says in faded yellow ink "Do not enter". Huawei's security is a joke. Their software is riddled with buffer overflows, including buffers allocated on the stack making hacking their stuff trivial. Huawei has virtually zero security. Much of their stuff runs on VxWorks which is quite insecure. (I spent many years writing software for VxWorks). All you have to do is get to the T-shell and you're basically god. In the T-shell you can look at and modify variables and memory and call C functions directly, passing whatever arguments you want.
Even without the T-shell it looks like it's easy to get to the shell with full admin privileges on Huawei's boxes. See their DEFCON presentation at: http://www.phenoelit.org/stuff/Huawei_DEFCON_XX.pdf [phenoelit.org]
If you value security, stay far away from Huawei. Their stuff is cheap but you get what you pay for. I guess it's good for the US that Huawei is mostly used in the Middle East and Asia. It makes life easy for the NSA.
Philanthropist agencies REMOVE backdoors for once? (Score:2)
Sure, eliminating eavesdropping opportunities is just the kind of business that SigInt spooks kindly engage in all the time...
Not the first country to hate on Huwei (Score:2)
Not just a handicap against them, and no reason given. It's not like there are a lot of world class Australian router companies. They are buying Taiwanese, French-ish, and US-ish, so it isn't nationalism. Just seems to be anti-China sentiment, with no substance backing it up, in this case, or the Aussie NBN.
AMDOCS is the backdoor' (Score:1)
How Israeli Backdoor Technology Penetrated the U.S. Government's Telecom System and Compromised National Security
An Israeli Trojan Horse
http://www.counterpunch.org/2008/09/27/an-israeli-trojan-horse/ [counterpunch.org]
Dear Chinese people: (Score:3, Insightful)
We do not distrust you, we do not dislike you.
We distrust and dislike your authoritarian government. We do not want your government to have more power in the world. Not because we are afraid of or oppose the empowerment of China on the world stage, or have anything against Chinese culture or Chinese people. But because we oppose authoritarian government, of any kind, from any part of the world.
We DO have a built in prejudice against your government (not against you), because your government clearly attempts to control and manipulate communication channels. Yes, they also manipulate communication channels in the West, but not for state control of political dialogue.
We in the West believe the ability to express our political opinions freely is very important to the health of our society, that is how and why we call our society free (despite the fact some of our media companies are trying to hurt our freedoms on our communication structure in the effort to prop a media business model that only works in a world without the Internet: don't worry, they will clearly fail, their efforts are the death throes of a dying way of business).
You will see some responses to this comment of mine attempting to falsely equate Chinese authoritarian control of political opinion with various vile things the West does. Don't get me wrong: the West does plenty of evil things and there is plenty I criticize about my government. The difference is: they can express this political opinion of theirs freely, here in the West, and ironically, as they indulge false equivalency, they do not admit or do not know they would experience fear and intimidation if they tried to equally criticize Beijing, from within China.
I myself disagree with those who falsely believe that the West is just as bad as China in regards to suppression of freedoms, but I fully support their right to spout their nonsense, unhindered by fear of government backlash. Here in the West, we believe that the natural competition of ideas that only comes from every single one of them being freely expressed, NATURALLY leads to the flawed opinions sinking and the good opinions rising. Only in this natural competition of ideas do good ones endure the test of criticism and one fail it. If the state attempts to impose its own idea son the people, the state itself might wind up imposing ideas that are flawed, because they are unexamined. The people know better than the state, in this way. In other words, state control of politicla thought is a form of weakness that will eventually harm China.
So Chinese people: since you cannot likewise criticize your own government freely within China, do you not have a problem with this fact? If you are proud to be Chinese, as you should be, do you not believe you should be free to speak your mind like I can in your effort to make China strong as a Chinese patriot?
Chinese people: please understand that we in the West respect the Chinese people and wish you prosperity and freedom. And so we await the day you respect yourselves as well to not be treated like slaves by your own government, and to throw off the yolk of the efforts at mind control which exists in Beijing, pointed against the Chinese people and the free expression of your own thoughts, an effort whose only purpose is to serve the continuation of a power structure that is not necessarily good for China, only good for a few rich and connected Chinese at the detriment of all other Chinese.
Sure, this authoritarian power structure has done great things for you economically. But growth doesn't last forever, and when your economy fully matures, I am confident you finally turn your attention to freeing yourselves from the authoritarian government who wants to control your mind and your thoughts.
Dear USA people: (Score:4, Insightful)
We do not distrust you, we do not dislike you.
We distrust and dislike your authoritarian government. We do not want your government to have more power in the world. Not because we are afraid of or oppose the empowerment of USA on the world stage, or have anything against USA culture or USA people. But because we oppose authoritarian government, of any kind, from any part of the world.
We DO have a built in prejudice against your government (not against you), because your government clearly attempts to control and manipulate communication channels. Yes, they also manipulate communication channels in Europe, but not for state control of political dialogue.
Re:Dear USA people: (Score:5, Funny)
from the comment you are responding to:
see how I inoculated my comment against yours?
it's so easy to see you braindead false equivalency idiots coming a mile away. i'm sure you didn't even read my comment before formulating your useless mental vomit
Re: (Score:2, Interesting)
see how I inoculated my comment against yours?
It doesn't make what you say true. At least China only censors within China, while the USA censors within the whole world.
So there is no equivalence indeed: the USA is widely considered the larger threat.
Re: (Score:1)
i respect your right to spout factually wrong, dimwitted nonsense
Notice how you resorted to an ad-hominem attack as soon as it was pointed out that YOUR country does things just as bad as what China does? The truth hurts, doesn't it?
Re: (Score:1)
can you read?
Re: (Score:1, Troll)
hurrr durrr snort
it's not a team sport, moron, this is not a football game
i said my country has done plenty evil in the world. now do you want to move beyond the nationalist tribal chest thumping nonsense?
where are you from? perhaps some magical land squeaky clean and without any evil actions in its history?
but maybe, since such a country does not exist, maybe you yourself should refrain your comments to principles and ideas, and not project mindless hate in the name of nationalist rancor as you currently d
Re: (Score:2)
Let me guess... you are not from the USA?
So stop us.
If you think we are getting to uppity by asking for Julian Assange to be extradited, say 'no'.
If you think Apple's lawsuits are ridiculous, say 'no'.
If you think you shouldn't help our military activities, say 'no'.
If you think McDonald's is a blight on your local cuisine, say 'no'.
If you think Bud is pisswater that shouldn't be allowed in your country, say 'no'.
The USA is like a vampire. We only have power in your home when you invite us in. Close the doo
Re: (Score:2)
Er, this is, at least historically, a very naive way to put it. I'm sure you've noticed the control the US has over world institutions like the World Bank and the IMF, and the pressure put on countries to 'pursue free market reforms' that generally involve inviting in US companies? And the corruption of various US-backed governments in insisting on supporting pro-US policies despite the opposition of the public? Most people in most countries can no more stop supporting the US than the US public can reduce A
Re: (Score:2)
Well... the rest of the world thinks YOU are the problem.
Well, how has that worked for the rest of the world? I don't see the US trying even the slightest to force you to have a different opinion.
Look to your own house first please before criticizing others.
I find it fascinating how the people who actually are looking to their own house, particularly the tea partiers, are derided by those who supposedly favor freedom.
Re: (Score:2)
Oh, the AC read it. Copy pastaed it in fact. The first two 'graphs. Right up until continuing would have appeared even dumber than what he did copy.
Re: (Score:2)
good point. the power of irony?
Re: (Score:2)
i'm sure you didn't even read my comment before formulating your useless mental vomit
I'm sure he would be happy to throw your words right back at you.
Re: (Score:1)
Wow, this is just rich coming from the country of "extraordinary rendition", torturing its political enemies, locking up its whistle blowers, and planting false crimes against people who embarrass it.
Re: (Score:1)
false equivalency
find where i mention that concept in the comment you are responding to
understand the stupidity of it
thank you
Re: (Score:1)
thank you for your gross mischaracterization. when you mature psychologically and intellectually, do try to participate more constructively. unless sounding like a jackass is your primary goal. in which case "Mission Accomplished" ;-)
Re: (Score:3)
When they grow mature, they will surely use drones and missiles to kill the guntoting hillbillies of North Dakota. They will call it a "counter-terrorist operation".
Ya know, could you at least pick the right targets? The gun toting hillbillies are in North Carolina. I should know, I'm descended from them.
Bombing the wrong targets just turns you into the thing you claim to hate.
thank you for your hate (Score:2)
asshole
Uphill PR Battle: Those Concerns are Growing (Score:5, Interesting)
It doesn't matter (Score:1)
They can't catch Chinese athletes that are doping, I doubt they can tell if Huawei gear is not back-doored.
Huawei putting in back-doors is not the problem. (Score:5, Interesting)
I work for a telco supplier, so have had glimpses into the weird world of what happens behind the shonky service and bills.
Huawei when they started out produced kit that was 'very similar' to Cisco. Now you suggest that perhaps they were paying too much homage to their US competitor, but it did mean their kit was pretty easy to deploy. You can setup a VPN in IOS, you can switch to Huawei kit and barely notice the difference.
Next bit of their success was how they engaged with the customer. Legacy vendors have whole stacks of sales all hell-bent on shafting the telco for as much money as possible. Huawei wanted a foothold, kit was cheaper, but they really put in some effort to push the sale - Buy your new network from us, and we'll let you buy it on lease over a decade, our engineers will install/config/support it for you, we'll tweak stuff if it currently doesn't do what you want etc. Legacy vendors might have got a bit of a kicking from the dot.com crash, but they still dragged in the overly-complex vendor structure that makes that makes the proposal of similar flexible solutions somewhat difficult. Simply meant that if you were a small player with a valid business model, picking Huawei allowed you to very easily work out what the kit was going to cost you.
With regards to spying, if they were, it wouldn't be let anywhere near the tier zeros. As far as I can make out, there's no real evidence of China using Huawei to spy and most of the allegations come from the incumbents/vested interests, trying to come up with a reason to oppose the shift in purchasing.
If you're worried about back-doors - don't. They're already everywhere. I've been in plenty of offices which have the 'special room' that everything has to go through and telco employees don't even have the keys to. So just to carry on with this, if your kit DOESN'T have a back-door, it ain't going to be deployed. The only real topic of interest is just working out who holds the back-door-keys.
Re: (Score:3)
Re: (Score:2, Interesting)
it would be very easy for them to introduce something far smaller, and far more dangerous. For example, a kill switch.
They could, sure. And some people think the CIA has AES cracked. These people didn't think before forming an opinion. You don't put a backdoor on a sytem you yourself use, because if you do an enemy (who might not use your system) will be able to shut you down once it finds the backdoor.
A private, for-profit company would never invest in such things
Oh, boy, aren't you naive. Companies will do anything for money. A big company is not much different from a big government - both have great power and a great urge to abuse that power. Search for Room 641A.
Re: (Score:2)
A private, for-profit company would never invest in such things
Oh, boy, aren't you naive. Companies will do anything for money. A big company is not much different from a big government - both have great power and a great urge to abuse that power. Search for Room 641A.
Whaaat? But of course they are diferent... in terms of the efficiency they can screw you... the big companies will do it faster, with a lower cost and potentially at a larger scale.
Why, you only need to look on how US rednecks defaulting on their loans make all world's retirement funds worth nothing: even if they'd try the hardest they could, the US govt would have taken decades for the same outcome.
It's GCHQ who are back-dooring Huawei (Score:3)
Shouldn't that be the steps Huawei has taken to ensure equipment built by Huawei can be back-doored by GCHQ as easily as the spooks can back-door western companies.
"Internet Security Systems researcher Tom Cross unveiled research on how easily the "lawful intercept" function in Cisco's IOS operating system can be exploited" Feb 2010 [forbes.com]
Back-doored for GCHQ, though, surely. (Score:1)