Can You Trust Chinese Computer Equipment?
Ian Lamont writes "Suspicions about China slipping eavesdropping technology into computer exports have been around for years. But the recent spying attacks, attributed to China, on Google and other Internet companies have revived the hardware spying concerns. An IT World blogger suggests the gear can't be trusted, noting that it wouldn't be hard to add security holes to the firmware of Chinese-made USB memory sticks, computers, hard drives, and cameras. He also implies that running automatic checks for data of interest in the compromised gear would not be difficult." The blog post mentions Ken Thompson's admission in 1983 that he had put a backdoor into the Unix C compiler; he laid out the details in the 1983 Turing Award lecture, Reflections On Trusting Trust: "The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect."
This is just another reason for me to not want to buy Chinese made goods. Unfortunately, so much is made in China that it is nearly impossible to completely avoid the country.
I don't like Linux. This doesn't make me a troll.
No.
Considering where a lot of this stuff comes from, it should probably read, "Can You Trust Computer Equipment?"
Freedom is drinking a beer in the park when you're supposed to be at work.
Of course you can't trust it. Neither can you trust any compiled app, and the Underhanded C Contests show that you can't really trust open source. It's code. To be sure you have to read it and understand it and no sane person can do anything.
Oh, you mean China's toys are less trustworthy than others? I shall risk it. I'm sure such problems exist but I doubt they are coordinated. Only then it would be truly scary...
I'm thinking about getting a ThinkPad. If I'm concerned about this, am I left only to choose between HP and Dell? (which IMO sucks)
Can we trust any computer equipment or code? Can we trust Linux, Microsoft, Apple, PGP? Based on the blurb, if you haven't written the code yourself you shouldn't be trusting anything.
The seeds of the police state are, including the preceding /. article about DNA storage.
"If any question why we died, Tell them because our fathers lied."
If you were the Chinese, why wouldn't you do this?
The referenced article doesn't actually state he included a back door. It was a proof of concept demo apparently: Suppose we wish to alter the C compiler
"one the creators of Unix, admitted that he had included a backdoor in early Unix versions. Thompson's backdoor gave him access to every Unix system then in existence"
I'm sure the Chinese think the same about American (computer) equipment. I'm sure the French think the same about the British hi-tech imports (and vice-versa). I expect every country has doubts about the ultimate security (when push becomes ) of any foreign sourced hardware or software that the security of their country is reliant on. If they don't, they're fools.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
I just bought my girlfriend a fancy Chinese-made Tarzan. If only I could find the hidden web-interface.
Cause it's only the Chinese that spy on other countries cause the rest of us are all friends and friends don't spy on each other ... oh wait ... Seems that red paranoia has had a bit of a colour change.
Sure this might be software related so it's write once - copy everywhere, but would you really want to do that? Cause if you plant it everywhere, "everyone" will have it, leading to a larger chance it will be found and blow the entire operation out of the water. But have they really ever found any evidence for this on a large scale? Seems overly complex and prone to failure. Sure if you bug a phone, switch or whatever that is one thing but to plant it in every single device you ship. That would or could seriously mess with the profit margin and nobody is going to stand for that.
If you didn't build it yourself perhaps this is just the risk you run.
Most of computer hardware is made in Asia and much of it in China. Trying to eliminate China out of the equation is impossible. Sure you could buy Intel chips that were made in Costa Rica, but try to tell Intel to only give you CR chips.
Motherboards? You're going to tell Asus that you only want MoBos from Malaysia? Good luck with that.
Whole computers? Hahahahahahaha. Dream on baby.
We're in a Globalized World. There's no turning back. Trying to weed out products based on politics or some ideology is impossible. You couldn't do it even if you had Gates' money.
So, on topic: worrying about trusting Chinese made equipment is a waste of time because you have no choice. I don't know what kind of software precautions you could take to mitigate any insecurity that you perceive unless you go back to paper files and doing shit by hand.
Otherwise the powers that be wouldn't resort to this kind of a sham campaign. For example the Chinese Loongson CPU is very interesting. Not least for the fact there's no windoze MIPS port. It's also quite a technical feat.
The ability to send signals upstream on the power lines worries me -- one could embed signals in the power supply fluctuations and leak data to anyone else on the line.
- Michael T. Babcock (Yes, I blog)
In a general sense, you really can't trust any computer equipment that you didn't build yourself, pretty much from the ground up (as the issues with compilers and microcode suggest). I'm pretty sure that using somebody else's sand to make your silicon is safe; but that's about it.
Computer gear hasn't quite reached biological levels of complexity, where trust is even harder (one malformed Prion in a batch of millions can end up eating holes in your brain); but, from the perspective of a user who isn't a tech god, it might as well have.
That being so, the question of whether you can trust Chinese computer equipment is basically a political one. China's general enthusiasm for industrial espionage is well known, so if you have data on interesting technology or military stuff, the answer is almost certainly "no". If you are basically just Joe Consumer, though, your data are just noise obscuring what Chinese intelligence really wants. You would do better to be worried about the botnet your PC is part of, Google, ChoicePoint, Equifax, the NSA, and whoever is taking advantage of CALEA at that particular moment. The world of technology is a ghastly morass of potential backdoors, quite a few of them not even hidden, that most of us are constantly vulnerable to, and, in a great many cases, actively being monitored through.
Bugged Chinese chips are definitely something to think about if you are doing military COTS procurement, or doing security for somebody who has data of real interest; but, for most of us, it's all just one more piece of asymmetric transparency. I, for one, don't feel any warmer and fuzzier about the Americans spying on me than the Chinese spying on me (worse, in fact, because some sinister Chinese intelligence agency is substantially less likely to sell my information to advertisers, make it harder to get medical insurance, or damage my credit rating than some warm, fuzzy, American multinational corporation).
I really hope that this threat leads to a general recognition of the need for sound and open practices for security(both in the sense of novel CS research on how to do maximally verifiable stuff, test blackboxes, build verified bootstrap compilers, etc, etc. and in the sense of market acceptance of the fact that mysterious binary firmwares, and "just trust us" responses from vendors, and blackbox systems in general just aren't good enough). That would make things better for everybody. I get the unpleasant sense, though, that a lot of this concern is less about "We really need to understand how to build highly complex systems that are dependable and verifiable for those who use them." and more about "Goddam chinks, only we are supposed to have backdoors and surveillance capabilities!"
I'll just return my iPod Touch and my 2 MacBooks to Apple, with a little note about the Chinese manufacturing. I'm sure they will understand and give me my money back.
It is a rather simple military rule that you create your own information networks. You don't let your enemy or even your ally. Using Chinese made equipment for any military equipment is a bad idea. This is a no-brainer.
excitingthingstodo.blogspot.com
Hey, where is the story of Jon Schwartz's resignation from Sun??
For outsourcing the production to the lowest bidder...
If you are a User, you have no choice but to trust the entire universe of code around you. Your watch could contain a rogue program, your car radio, your cell phone, your microwave oven. Everything is enabled with microprocessors programmed by unknown and unknowable people with unknown and unknowable motivations.
All you can do is hope for the best if you are a User.
However, if you are a Programmer you can only use code that you trust and have personally verified in addition to the rest of the Programmer community. Users don't count for much in this world, because they can't help out, they can only blindly follow. Some Users will have Programmer friends and they can just follow in their footsteps, like a line of soldiers through a minefield. Only Programmers have this power.
Sadly, the way people are wired only a very few are going to be Programmers. The rest simply do not have the skills or the mental faculties. The rest of the human race are doomed to simply be Users.
So, is there any actual evidence backing all this up, or is it just more anti-Chinese vilification?
(Remember, we have always been at war with Eastasia.)
I just did a quick survey of all the computer equipment in easy reach from my office chair:
Mac Pro computer - built in China
Apple Keyboard: Made in China
Wacom digitizer: Made in Japan
Logitech Speaker: Made in China
iSight Camera: Made in China
Vakoss USB Hub: Made in China
Apple Cinema Display: Made in China
Slightly skewed due to all the Apple equipment, but none of the top 4 PC manufacturers builds much of anything in the US or Europe anymore. This skips over the fact that there are components inside the computer from a number of different manufacturers. A lot of these sub-components contain firmware loaded in Chinese factories, as well.
While the USB memory key (in this example) could have low level software to snoop your data, how are they going to get it? Is the USB key going to open a TCP/IP or UDP connection back to their servers without tripping my firewall that a new application is trying to connect? Is my virus scanner going to get tripped that something suspicious is coming out of the key without my interaction?
Most decent virus scanners and firewalls will pick up on this. In a lot of corporate networks USB Mass media is disabled. I'd love to see a proof of concept that can get around these common checks... If anyone has a USB key that can do this, please let me know :-) I'll happily test it.
Ummm maybe they're singling out China because of, as the Summary points out, recent events?
If the US government (or ANY government) was strongly suspected of doing the same thing, and that country was a leading supplier of xyz goods, you'd see a similar article posted. It's how news works.
I am glad to see someone else asking this question. Obviously we can not avoid Chinese goods in all respects, but this does keep me from ever buying a Lenovo.
It seems obvious that if you can't "trust anyone but yourself," then how in the world are you going to get anything done? The whole point of free trade is to let people specialize in what they do best.
Can You Trust Chinese Computer Equipment?
As long as it is not part of the Cruise Control.
Troll is not a replacement for I disagree.
Not all Chinese-made products contain Chinese computer code.
I am a consultant to a US company. Our products are made by Chinese companies, to our specifications.
I write all of the code, and it is loaded after the products get to the US.
I'm *far* from trying to defend China or claim they're "trustworthy" ... but taken to its logical conclusion, this line of thinking is a dead-end for most individuals and businesses. Ultimately, yes, you can't know for 100% certain a given piece of software is trusted unless you wrote it yourself .... but what's new? That's always been, and always will be the case ... and unless you were able to engineer your own computer processor and other components on the motherboard, etc. - you STILL can't prove you're running a completely trusted system, can you?
In reality, I think people have to possess some awareness of their computing environment, as a whole - and that may realistically be the best we can do. If some piece of gear is "compromised", it still has to communicate the information it stole to a receiver on the other end. That means, your firewall is capable of either blocking or at least logging that connection. There's also, of course, the "strength in numbers" facet to all of this. Maybe YOU as an individual never noticed something strange was going on with a piece of gear, but as thousands or millions of people become customers/users of the same gear, chances increase that SOMEONE will figure it out. Keep an eye on the tech news and Internet forums, and you'll receive pretty quick warnings about such things. (This is probably also a good argument for going with popular products, vs. obscure ones with a far lower installed user-base?)
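An added example (not part of the original comment thread): a minimal Python sketch of the check the comment above relies on, that a device sending data out has to show up in the gateway's firewall log. The log lines are constructed, in iptables LOG style with an assumed "EGRESS" prefix; all addresses (documentation ranges) and function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample logs. Baseline = a period you consider clean.
BASELINE_LOG = """\
Jan 14 03:12:07 gw kernel: EGRESS IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=198.51.100.7 PROTO=UDP SPT=123 DPT=123
Jan 14 03:15:41 gw kernel: EGRESS IN=br-lan OUT=eth0 SRC=192.168.1.60 DST=198.51.100.20 PROTO=TCP SPT=40112 DPT=443
"""
TODAY_LOG = """\
Jan 15 02:00:01 gw kernel: EGRESS IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=198.51.100.7 PROTO=UDP SPT=123 DPT=123
Jan 15 02:03:11 gw kernel: EGRESS IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=203.0.113.99 PROTO=TCP SPT=50222 DPT=8443
Jan 15 02:03:42 gw kernel: EGRESS IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=203.0.113.99 PROTO=TCP SPT=50223 DPT=8443
Jan 15 02:05:00 gw kernel: EGRESS IN=br-lan OUT=eth0 SRC=192.168.1.60 DST=198.51.100.20 PROTO=TCP SPT=40990 DPT=443
Jan 15 02:07:30 gw kernel: EGRESS IN=br-lan OUT=eth0 SRC=192.168.1.77 DST=203.0.113.5 PROTO=ICMP TYPE=8 CODE=0
Jan 15 02:10:00 gw kernel: EGRESS IN=br-lan OUT=eth0 SRC=192.168.1.50 DS
Jan 15 02:11:00 gw dnsmasq[412]: DHCPACK(br-lan) 192.168.1.77
"""

KV = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_line(line):
    """Return (src, (dst, proto, dport)) for an EGRESS line, else None."""
    if " EGRESS " not in line:
        return None
    kv = dict(KV.findall(line))
    if not {"SRC", "DST", "PROTO"} <= kv.keys():
        return None  # truncated or malformed line: skip, do not guess
    dpt = kv.get("DPT", "")
    port = int(dpt) if dpt.isdigit() else None  # ICMP has no port
    return kv["SRC"], (kv["DST"], kv["PROTO"], port)


def build_baseline(lines):
    """Map each internal device to the set of flows seen in the clean period."""
    baseline = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            src, flow = parsed
            baseline.setdefault(src, set()).add(flow)
    return baseline


def find_new_flows(baseline, lines):
    """List outbound flows that the baseline never saw, with hit counts."""
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, flow = parsed
        if flow not in baseline.get(src, set()):
            hits[(src, flow)] += 1
    findings = []
    for (src, (dst, proto, port)), count in hits.items():
        reason = "new destination" if src in baseline else "unknown device"
        findings.append((src, dst, proto, port, count, reason))
    return sorted(findings,
                  key=lambda f: (f[0], f[1], f[2], -1 if f[3] is None else f[3]))


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG.splitlines())
    for finding in find_new_flows(base, TODAY_LOG.splitlines()):
        print(finding)
```

The result is only as trustworthy as the gateway that writes the log, and a baseline recorded on a device that was already talking out will treat that traffic as normal.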
Throw off those Chinese made instruments of oppression!
On second thoughts. The idea of millions of Americans going naked isn't so appealing.
talk about yer hardware backdoors ... this one is a pseudo random number generator that can be rigged to generate predictable keys.
http://www.antiwar.com/orig/ketcham.php
This isn't just for goods known to be made in China. This past year we performed an audit of our network infrastructure with Cisco's help. We found almost 10% of our switches were counterfeit. They were all models of layer 2 and layer 3 switches and were virtually indistinguishable from genuine Cisco products down to the enhanced security IOS.
I'll meet you at the intersection of "Should be" and "Reality"
It was more or less common knowledge that in China (as I'm sure it must be elsewhere) if the military saw a technology it liked it would just take it. If anyone at the factory complained they became organ donors. If the IP owner complained they usually ran into delivery problems, workers' strikes or were just kicked out. Think of Lucent's fiber optics fiasco and the observation that most Chinese domestic router manufacturers seem to use router code that looks suspiciously like IOS. It goes without saying that this also applied not just to things that were taken out of a factory but also to things that were brought in. If this were a real concern which it should be, then the different governments who should be concerned about it should implement a standard where this kind of thing is checked for and those clearing it bear a seal of some type. Considering the way the PRC is buying campaigns in the US I doubt it will happen here.
I read something about that where, because of how poorly grounded most keyboards are, the keyboard signal was transmitted along the ground wire and back into the power-outlet. A keylogger could then be plugged in anywhere within 10m of the outlet (as the wires flow) and detect the keystrokes of the keyboard all without compromising the computer at all.
The other one was installing a keylogger into the USB keyboard itself, this required two compromises, one to install, one to retrieve the data. Again, this didn't require hacking the computer itself, just unplugging the keyboard twice.
Seriously, I teach in China, and I've met many, many, MANY Chinese people that "know English," so the good old-fashioned keep-your-documents-in-a-foreign-language routine is probably sufficient enough to ensure that your actual information is safe from Chinese eyes. They translate everything from English to Chinese word by word still, most of them can't actually understand an English sentence without converting it bit by bit to Chinese, where 90% of actual relevant information ends up missing. Just think about it, if the US government really needed any information from a Chinese company (for God knows what reason), we would be scrambling to decrypt some mundane QQ message saying something about going out to drink beer tonight and then bangin some hookers. The information is safe as long as you aren't producing 'sensitive information' type documents in Chinese.
It's not getting any better. Now it seems that it was worse then in "1983" than we thought. Component level plans were well underway.
The Chinese have things in perspective... "it's not an event, it's a process"
Seriously, everyone acts like, "OMG, China is like sooooo evil man. They spy on us. Bastards!".
Do you really think that China is any worse than say..AT&T or the NSA? What about the CIA? Do you think they are not spying on you?
At least China does not hide it behind a veil of "freedom".
Because it's obvious that the US can't keep a secret. The Wiretap Memos, WMD claims, Abu Ghraib, Torture Memos, Bill and Monica, Iran Contra, the Illinois Senate Seat Sale all show clear as day that a big conspiracy in the US gets leaked.
C'mon, for corporate espionage and backroom dealing, Boeing couldn't even bribe the USAF to buy/lease KC-767 tankers without it getting leaked.
The PRC, a little better at keeping their spying and cyberwarfare on the low down. China is being singled out because they actually do all the human rights violations and anti-dissident things that everyone dreams the US does.
DoD is really worried about this. They're trying to develop ways to efficiently examine ICs to check for unexpected "features". Right now, it's necessary to open up the IC and put it under a scanning electron microscope, then use software that can extract the logic diagram from the scan.
One of the obvious places to put in a "back door" is in Ethernet controllers. Many used in servers already have logic for hardware "remote administration" (turn machine off, reboot, load code, etc.). It is supposed to be disabled by default, and work only when initialized with keys during hardware installation. Just build a set of default remote administration keys into the chip, and everyone using that chip is 0wned. Send the right UDP packets, and you can take over the machine. This would be completely invisible until activated.
Nearly all Intel CPUs are made in the US. Most of Intel's fabs are located throughout the US. They do have one in Ireland and one in Israel but that's it. None are in China. So your CPU, the actual silicon part, is made in the US most likely (all the new 45nm and 32nm stuff is I think). Now you'll probably see a stamp on it for places like Costa Rica or Singapore or the like. That is where it was packaged, where the silicon was put in the actual metal unit you buy. You'll still note, that doesn't happen in China.
You also might want to have a look at all the other CPU makers out there. AMD, Motorola, IBM, Marvell, all US companies. While some of them do fab in other locations (AMD has most of their fab work done by Global Foundries in Germany), they are US companies and do a great deal (sometimes all) of their design work in the US. In fact the only non-US processor companies I can think of are Hitachi (Japanese) and ARM (British).
I vote we identify exactly which manufactured computers are secretly feeding information back to China, and then we take full advantage of this loophole and send them explicit information about our deviant pr0n addictions! All Tubgirl/Goatse/2-girls-and-cup/Mogging/Gainer_furries all the time! Let's spam their secret government agency servers with so much perversion, filth, horror, and revolting-yet-strangely-exciting deviant sexual behavior that they have no choice but to shut down their entire spyware program to spare what's left of their sanity!
and then we can unleash the Scientologists upon them to help "cure" their scarred psyches! We can kill two birds with one stone! Who's with me????
Here's to hot beer, cold women, and Glaswegian kisses for all.
IMO people are worrying far too much about an exploit mechanism that is simply not needed if the Chinese want to spy on the West, or anyone else for that matter.
The problem with building backdoors into the hardware or firmware is that such backdoors are traceable. You know where it was made. The right forensics people can probably tell you the exact factory it came out of. And how many people would buy chips from a Chinese fab once someone found a hardware backdoor inserted into a product? The Chinese want to make money first and foremost, not shoot themselves in the foot adding a backdoor that might have a one-in-a-million shot of giving them access to a system they even cared about, but would destroy an entire industry if they were caught. It's not worth the risk.
The smart thing to do is what they (and everyone else) are doing right now - use software exploits over the net to gain access. The attack can be targeted, the attackers can easily hide their tracks, the attacks can be modified as needed, and you have plausible deniability if you're caught. That's the smart way to subvert your enemies, and as long as governments and businesses keep running Windows, it's the way that they'll keep using.
That is where Intel's big 45nm fab is. So if you buy a 45nm Intel chip, good chance it was fabbed in Arizona. The wafers are then sent off to other locations for packaging and testing, Costa Rica is one you'll see a lot, but the actual silicon is laid down in the US most of the time (they've also got a fab in Ireland and Israel but those are flash mostly I believe).
They'll be spying on their own citizens.
And foreign governments, their militaries and high-tech industries.
And they wouldn't be the first or the last. We have an obligation to protect ourselves, and if they sow the seeds of distrust then really that reflects on them.
Like all pain, suffering is a signal that something isn't right
Imagine hiding some nefarious code inside the SMBIOS, the contents of which are typically hidden from the operating system. Imagine including some hardware on the motherboard to trigger the system management interrupt and gate the SMBIOS to allow the CPU to see and execute the code...
Hmm... Fun thought.
It could be quite challenging to even find out if it is there.
No sig. Move along - nothing to see here.
... because hardware means accountability and traceability. Software intrusions are much more convenient for them because the attacks are practically anonymous and nobody can really prove who in China carried them out.
Of course, personally, I would not buy tech products such as telecom equipment sold from China. And I said FROM China. There are plenty of American made products but sold from China on Ebay, for example. My fear is that they can be altered not just on the software level but also hardware. They killed my dog with the dog food I fed him. Now they are going to try to poison our kids. If you make everyone dumber, you'll end up more intelligent than the rest. That, folks, is what I think they are trying to do next.
Q. Can You Trust Chinese Computer Equipment?
A. Heck no!
If it doesn't blow up and set your whole machine room on fire, it's almost guaranteed to come trojaned straight from the factory.
When will we learn?
There is a fairly large amount of counterfeit Cisco gear floating around
http://www.networkworld.com/news/2006/102306counterfeit.html
http://www.networkworld.com/community/node/13213
http://www.andovercg.com/services/cisco-counterfeit-wic-1dsu-t1.shtml
And we all know where this stuff is made.
OTOH we just bought a huge pile of new Juniper stuff at work, every single piece "Made in China".
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
After all we did that to the Russians in the 80's causing one of their large oil pipelines to explode. Does it make you feel better that Microsoft gave China a peek at the full source code for Windows? http://www.builderau.com.au/architect/work/soa/US-software-blew-up-Russian-gas-pipeline-/0,339024596,320283135,00.htm
"I'm not a quack, I'm a mad scientist! There's a difference." - Dr. Cockroach
On a strategic level, the USA really screwed the pooch by chasing the lowest bidder and not building up our domestic capacity to produce these items. And for you small gov't types, this is an example of free market principles colliding with what is effectively a national security issue.
I'm confused by what you are suggesting. Are you suggesting that because a government should secure a domestic pipeline for military resources that it shouldn't also acquire things cheaply? Or are you suggesting that the government should outlaw all international trade out of fear?
Or are you suggesting that a "small gov't type" wouldn't see the obvious problem in outsourcing national security?
One last thing: Sometimes I wonder; "Is that someone's signature? Or do they type that at the end of each post?"
Now if you dump Asus, Gigabyte, MSI, Soyo, hmm.. I guess Intel "makes" motherboards, but look closely at all the components on there and I don't think there would be an industry without China (and Taiwan).
Just stop talking about other people's countries and mind your own business.
Wait, I didn't write that!
And before thinking that "this is crazy, a U.S. firm wouldn't possibly do that" bear in mind that I've already had some experience of receiving a very weird series of SPAM messages, following which my machine started acting very very weird.
My guess is that simply by receiving that SPAM message, there was encoded within it some power-fluctuations or signal fluctuations which the CPU could pick up and "activate" whatever it was that was wanted to be activated by whomever it was that sent the SPAM message.
To be fair, the "Troll" mod is also used as a substitute for "Batshit-Crazy".
WARNING! This post is encoded with power and signal fluctuations which will cause your machine to start acting very very weird. Again, if your computer starts acting very very weird after you read this it is because of this post.
Now that I think about it, I'm pretty sure everything I just said is completely wrong.
We're justified in accusing Boeing of bugging our government officials' planes?
Western/American hypocrisy on display right here, as usual.
Just wait until we are driving Chinese made cars, and their back door into the braking and accelerating software allows remote control!
You think traffic is bad now?
All around on the interwebs, people say that the American government has a secret agenda in ruling the world more than it does now. There is the CIA, the NSA and other 3 letters that make anyone fear. Since they are all American and all are evil according even to some American people, should I trust things that come from the USA?
A 200 euro laptop, 1.5GB of RAM, 16GB SSD. Compare that to a laptop 20 years ago, half the screen size, works with floppies, costs 2000+
Account for inflation, and you are saying things aren't getting cheaper?
Moped then (50cc scooter) 900 euro, used to be 1900 or more 10 years ago.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Oh wait, Israel and Ireland, that MUST be a conspiracy. Both start with I. So does Intel... coincidence? I think not.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Yes, no, no, yes. There are too many eyes on Linux for anything to slip through. Given that even closed source is prodded from all sides, I am sure there are people who read Linux code for no other reason than because. I am not smart enough to read kernel code myself but have read through PHP packages, just because. Japanese read manga, Americans comics, Europeans strips and nerds source code. It is fun, and we need something to do with the time normal humans spend on mating.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
I understand you poor Americans ARE terrified and scared because you can feel the power slipping away from your fingers but this is getting ridiculous, don't you think? The level of FUD on China at /. is reaching USA gov levels. Come on now, how bullshitting can you get and how low can you go??? A LOT lower than I ever imagined. Shame on you, shame!
This is MY last message here, I am deleting my account and NEVER coming back here.
You have officially become complete bullshitters.
I got permanently modded -1 because I dared to question Israel on
Because the entire point of someone a LOT smarter than you, is that if the very tool you use is compromised, then how can you ever check it? You write your program to the memory, but the memory controller itself is corrupted. So you check everything, and you never see anything wrong.
A compromised system can never be trusted and if you don't control the system, then you can never know it is compromised unless you verify every last detail, down to grinding the top of the chip and seeing exactly what the layout is. And do this for every last element.
How do you know there is not a simple element in the USB connector that records everything? How do you know the simple chip in your ethernet card doesn't transmit everything? How do you know your router hasn't been hardcoded to ignore such traffic?
You don't. Granted, putting it all together seems like an enormous task and there are far simpler ways of spying. But it is possible.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
I wonder if I can trust my PowerBook 180?
I just happen to keep such a USB key on a shelf next to my beaker of acid that will eat through anything.
There's a 68.71% chance you're right.
I'm amazed at the number of responses saying, 'Well, the US spies on its citizens too.'
Folks, there are laws in the US that restrict surveillance of US citizens. They are allowed to collect aggregate data, and they have far-reaching powers when a subpoena exists due to suspected crime or terrorism. But just spying on regular citizens as a normal function of government -- that should never happen in the US.
I say 'should' because it's possible it does happen in some black project somewhere. But I guarantee you it's much, much smaller and more benevolent than how China spies on its citizens.
If you're comparing Big Brothers, the US one has one eye closed and only sneaks a peek when the cops aren't watching. The Chinese practically live in a panopticon; their government probably keeps track of what color underwear they have on.
Genocide Man -- Life is funny. Death is funnier. Mass murder can be hilarious.
The proximal causes of WWI were a combination of the secrecy of the treaties and the necessity of starting mobilization N days before any attack by an aggressor.
It was a system-level failure: prudent mobilizations for defense were indistinguishable from those intended for offensive operations, and no country could foresee the effects of their foreign policy actions.
Of course, we can't now, either. Multi-lateral international diplomacy with war is a game that makes 3D or 3-way chess look like tic-tac-toe. Nobody plays 3D or 3-way chess, as you can't play enough games in a lifetime to know whether you are getting better or not.
"The Constitution, the WHOLE Constitution, and nothing but the CONSTITUTION."
"CHINA claims to have found almost 30 surveillance bugs, including one in the headboard of the presidential bed, on a Boeing 767 that had just been delivered from America to serve as President Jiang Zemin's official aircraft."
http://www.telegraph.co.uk/news/worldnews/northamerica/usa/1382116/China-finds-spy-bugs-in-Jiangs-Boeing-jet.html
like this?
http://www.msnbc.msn.com/id/4394002
would they not be fools to turn down such an opportunity?
I submitted the story three years ago but it never got picked up.
http://www.computerworld.com/s/article/9046424/Update_Maxtor_drives_contain_password_stealing_Trojans?intsrc=hm_list
In short, Maxtor drives that were produced in Taiwan contained trojan source code that phones home to two servers located in China. There wasn't any conclusive evidence to tie the incident directly to the Chinese (wink wink, nudge nudge).
Would you buy an oil pipeline control unit and software from the US if you're Russian?
And why would I trust other countries like the US?
"there are laws in the US that restrict surveillance of US citizens." And shrub ignored every single one. You don't get out much, do you?
It just occurred to me that my five string banjo was made in China! Cripes almighty. They've probably already stolen my patented method of playing 'Baltimore Fire' with a slide at the beginning.
I have nothing compelling to say
And slashdot is leaking Chinese problems. Ergo the Chinese government are as open to being outed as the US ones. PS there are still plenty of USians who believe that Shrub was right and Iraq caused the 11/9 attacks. Despite being outed on this.
Why bother hiding malpractice after it's too late to stop, when your power base will ignore anything that says you did wrong?
No.
There, that's all there is to it. Chinese, Korean, Vietnamese, American, British, Indian, or other.
You can't trust the companies, and you can't trust the governments. Everywhere a corrupt person _could_ have (or create) access to data they shouldn't, there _will_ be a corrupt person working at it.
Maybe it's the Chinese government, maybe it's a hacker at a chip factory, maybe it's the Russian mafia, maybe it's a rogue NSA operative (or the NSA itself), but SOMEONE will do this eventually. They may not be after your data, but if it becomes useful (i.e. valuable) to them, then they'll use it.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
I was a gung-ho CS student when this article came out, and we spent a LOT of time hashing it over. He specifically did not say that he had done this, and while I don't remember him making an outright denial, we concluded that he hadn't. After all, the C compilers of that day were still small enough to be understood by a single human, and comparing C code to the assembly code generated from it (or comparing that assembly code to generated machine instructions) was not very challenging.
Maybe the Jargon File entry is right, and he did implement it as a proof-of-concept, but it wasn't widely distributed. It was easy enough for an interested (and bored) undergrad to check out over a weekend, but hard enough that compiler distributions weren't routinely examined.
With today's optimizing compilers and layers upon layers of abstraction, though, it seems like there's more than enough room for plenty such exploits. Pham Nuwen can still have his backdoor into the localizers.
There was an incident with the CIA and Lenovo PCs; they were able to download the data and send it home to China. That's why there was a big issue over a Chinese company buying 3Com: it was part of the deal that if they bought 3Com, then 3Com would pay to have all of their network stuff replaced with Cisco or other US company equivalents.
Everybody laughed! Now the NSA officially moves in to Google. (Probably from the Back-Office, now going in through the Front-Door.) The perfect and low budget replacement with added target-ability saving the Services the hassle to scan through the mud of nonsense flowing in the communication traffic worldwide, the inclusion of a Trojan Boot Loader (TBL) in Network Devices.
Put it in Routers and Switches in the form of a dirty programmed self-modifying routine nobody is able to detect it.
When you hear that company XYZ or University MNO or government of BigBrotherHome has something interesting, you wake it up via a reply from a search engine, addressed by the serial number of the device. This TrojanBootLoader then receives its orders from Gockel or any other and everybody has the fifth column right in his house - even paying for it himself!
ECHELON is by far too expensive!
Put a TBL into Zischko Routers and you are the listener on the net everywhere.
Only on slashdot...
The post makes it sound like Thompson actually put a backdoor in the version of CC that shipped with unix. He did not. What he *did* was demonstrate that he could have in an earlier version and you would be none the wiser by inspecting the source of said compiler.
I don’t think US equipment is much better.
Microsoft *cough*backdoor*cough* Windows, for example.
Then again who can you really trust anyway?
There’s no point in listing who you don’t trust. That’s like making a firewall solely based on a blacklist. It makes no sense as it will never work.
It makes more sense, and is more efficient, to list only those you trust.
Frankly, in IT security, I don’t know any single human I would trust to be competent enough, and to be on my side, at the same time.
Any sufficiently advanced intelligence is indistinguishable from stupidity.
If you "americans" weren't such arseholes then you wouldn't have to worry about other people screwing you up. Hey - the US-haters far outnumber you today so why don't we just bomb the shit out of your country and be done with it? There's nothing to salvage there anyway - your economy is shot to shit and the only thing you're #1 at anymore is being a bunch of tosser arseholes.
Well.. the news in question is from over 2 decades ago, from an article over 5 years old. Not really sure the relevance here... It was also during the height of a (Cold) War. This happened a lot back then.
Americans will never cease to amuse me!
Who has the biggest eavesdropping agency in the world?
What are the nationalities of the top 10 software giants that wrote the code we are using every day?
Who controls the internet (and still talks about net neutrality like they give a shit)?
Which country invests more than the rest of the world combined in its army?
Which country has troops "assuring the security" on five continents?
And I could go on and on
Wake up, America is an evil nation, despite all its effort to hide it behind democracy and human rights.
If we are talking about military level equipment, do not get stuff made in China, end of story. If we are talking about stuff for the home, we live in a society where the cheaper the better, so it will be impossible not to buy stuff made in China (ahem... Linksys routers as an example), and it would be even more impossible to stop using them altogether. However, if you are smart about what you do, and when, you can avoid transmitting your info. You still need an active connection, so if you don't leave your internet on 24/7 then you might have a chance. Leave it on all day long, even with the best firewalls, and you still come up short.
I feel that your viewpoint is flawed. If we had smaller gov't then we wouldn't have such massive and blatant moves by Western companies to produce in the East and sell in the West. Big Gov't made it so that it was almost impossible to continue to produce in the US, because they gave such incentives to companies to produce overseas.
If the gov't were truly small and stuck their nose in the business of ensuring domestic tranquility and protecting our borders, and quit trying to incentivize trade with foreign countries based on tariffs and quit trying to determine the politics of foreign countries for them (I'm looking at you 1970's->1980's-American-Governance-who-dictated-the-policy-that-todays-leaders-are-almost-forced-to-follow-and-set-us-up-for-so-much-turmoil-in-the-interest-of-a-dollar -- was that too bold of a statement for a sub-parenthetical thought?), then we might finally see a chance for peace.
So, in closing, (because now is NOT the time for me to try and build up steam on a rant) I think that smaller gov't all along would have been a better idea. Can we please try gov't our way? (small gov't that is)
2^3 * 31 * 647
I remember reading an excerpt from his speech; it was just an example of how easily one could do it, not that he actually did. Nothing to admit there.
Let's see: Xerox machines in the Kremlin with cameras. AT&T handing information over for the asking. Warrantless wiretaps. The Patriot Act. Asshats from Microsoft saying it would be a good idea for everybody on the Internet to have an I.D. (your papers please?). The Chinese government is just one more hole in the Swiss cheese. Oh wait, never mind, it's perfectly fine if WE do it. *sigh*
.. if God is a communist, after all.
I think it would be difficult to do to a company like HP. Any additional chip means additional cost, and HP would notice this right away. It would have to be a company that collaborates in the design stage.
Intel has their own network-facing backdoor built into their chips. HP uses them in its laptops - and HP's outsourced-IT service organization supplies these machines to the companies which hire them.
Look up "Intel AMT" on the web. There's lots of stuff on it available there. It's a "feature" intended for large companies' IT operations to use to remotely administer the workers' laptop and desktop machines: Remote update software, detect malware, cut misbehaving machines off the LAN or shut them down, monitor workers' behavior, ...
It is "below" the main CPU(s) and OS. It runs even if the main machine is off. It is a man-in-the-middle on the network interface, accepting its own connections from the "mother ship" and configurable to "phone home" when on the road. It can monitor and twiddle all the network traffic, monitor all the I/O (including keystroke logging), access the hard drive, stop the processor, monitor applications for watchdog events and shut them down if they "misbehave", halt and restart the main processors, yadda yadda yadda.
It can also present one of its own intercepted connections-from-afar to the main processor as if it were a terminal interface on another chip. The recommended way to configure Linux or Unix on the box is for this interface to be given a login process with root login privileges.
How do you know if it's disabled? The BIOS TELLS you it's disabled. (If you believe that, especially after the next BIOS firmware update, would you be interested in some land in Nevada?)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
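The comment above asks how you would know AMT is really disabled when the only evidence is what the BIOS reports. One independent check is to probe the machine's management ports from a different host; this is an added example, not part of the original comment. The port list is the IANA-registered ASF/AMT set, and the `Server` banner substring is an assumption about what the AMT web interface commonly returns.

```python
import socket
import sys

# IANA-registered ASF/AMT management ports. TCP only here; RMCP on 623/664
# is also spoken over UDP, which this sketch does not probe.
AMT_PORTS = {
    623: "asf-rmcp", 664: "asf-secure-rmcp",
    16992: "amt-soap-http", 16993: "amt-soap-https",
    16994: "amt-redir-tcp", 16995: "amt-redir-tls",
}
# Assumption: substring commonly seen in the AMT web UI's Server header.
AMT_BANNER = "Intel(R) Active Management Technology"

def probe(host, port, timeout=2.0):
    """Classify a TCP port as 'open', 'closed' (refused) or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeouts, unreachable host, etc.
        return "filtered"

def server_header(host, port, timeout=2.0):
    """Return the HTTP Server header served on host:port, or None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            data = b""
            while b"\r\n\r\n" not in data and len(data) < 8192:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    for line in data.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None

def audit(host, ports=AMT_PORTS, http_ports=(16992,), timeout=2.0):
    """Probe `host` from the outside and summarise what answered."""
    states = {port: probe(host, port, timeout) for port in ports}
    banner = None
    for port in http_ports:
        if states.get(port) == "open":
            banner = server_header(host, port, timeout)
    if banner and AMT_BANNER in banner:
        verdict = "AMT web interface answering"
    elif "open" in states.values():
        verdict = "management port open, investigate"
    else:
        verdict = "no management ports answered"
    return {"host": host, "ports": states, "banner": banner, "verdict": verdict}

if __name__ == "__main__":
    print(audit(sys.argv[1]))  # e.g. a workstation you administer
```

Run it from a second machine on the same network segment, since the comment describes AMT as sitting on the network interface below the OS and a probe from the audited machine itself is not an independent check. A "no management ports answered" result only means nothing replied over TCP from that vantage point.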
I feed my dog only Chinese dogfood.
Come to think about it, the dog hasn't eaten for the last couple of years.
This (TA) is just prewar propaganda.
Can you trust the NSA to not simply forward all the commercially viable information to a corporation, if it serves their interests?
They have apparently used sigint to aid US corporations in the past; what's to stop them now?
I feel no guarantee that the NSA is going to be any more careful about using personal information than the Chinese will be. I am opposed to both of them knowing my personal details. Really the only defense I have is the fact that I am undoubtedly of little interest to either.
"The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
failed on me. the irony
Metal cables are more for stopping theft than that, and are why you see them in schools and on other public PCs / public PCs are locked in a cabinet.
No country has a more comprehensive spy program than the United States. Whatever China can do, the US can do much better in that department. I think the recent allegations against China for hacking Gmail accounts are an example. If the US did this to Chinese citizens' emails... China would be unlikely to know about it... let alone the email hosting company finding out about it (like Google did).
As far as having network hardware modified to include malware, Trojan, viruses, bots or whatever... the US has done and admitted as much with pride. It was used in the first Gulf War via specially infected network printers. Check it out.
Other printer companies do this without telling the public. These are commercial printers made by several US manufacturers and are widely dispersed across the world in business and residence. These printers attach "invisible" watermarks on the printed output which can later be used to identify the original and individual printer used to create that page. This is also common knowledge and you can prove it to yourself if you have one of these printers and some minor additional equipment.
I would suggest that if such "tampered" hardware is coming from China, it is more likely that China put said component in said device because some US company or agency requested it be so.
I don't deny China is in the surveillance business (like all International trade countries). But having said this, China is not the one to worry about. Assuming you live within the US, your primary concern for illegal surveillance of your network data is the US government itself.
The current mood appears to be highly forgiving of such by their citizens. Or maybe it is the media who doesn't properly portray the real sentiment of their people. Strange.
I've seen the latter on our campus. In what appeared to be the central switchboard, all the racks of what looked like digital telephone boards were in locked cabinets, and there was a laptop that was sitting at a coffee-table height in a solid steel wide mesh cage. Always wondered what that was for.
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
How do I know that in the name of war on terror that American equipment is not compromised?
Oh please. Give it a rest. The US has been facilitating back-door access for their intelligence agencies to products manufactured there for ages. It's nothing new. Accept your new master and move on.
Slashdot is a "corporate medium" in the sense that, in spite of its pretence, it constantly peddles lies and disinformation along the lines needed by the rulers of its country.
1. One most persistent lie is about Chinese censorship. Google, a central spying and censorship hub for large masses of users across the Globe, has consistently censored information. For example, it routinely denies some information to some countries (e.g. Germany about WWII and geopolitics around it), which is available in others (e.g. USA). However, the propaganda has it that it's the Chinese that censor, and that the big, big, absolutely unforgivable shame must be placed on Google when it censors in accordance with the agreements with the Chinese government.
The truth behind the latter case is that the USA is waging a propaganda war against China and is attempting internal subversion (similar to what it did with radio-war and dissident war in the USSR in the pre-Internet era). Therefore some amply funded "funds" and "societies" develop Tor-like schemes to allow the Chinese internal subverters to jump over the Great Chinese Firewall.
So in US propaganda Google (of all places, the corporate mega-spy Google!) is "guilty" in "appeasing the Chinese".
Let me repeat: while routinely censoring Germany etc. etc.
2. Now the current article is as much of a lie, as the previous one.
Not only are backdoors built into US-developed software (Microsoft OS, Checkpoint firewall, etc. etc. etc.), but the US is actively pursuing the doctrine of "Total Information Awareness", not passed a while ago, and split into sub-doctrines now being introduced quite successfully.
Current corporate coordinate policy is towards what Stallman correctly identifies as "treacherous computing".
And Slashdot peddles war disinfo - maybe designed to cover the US agencies forcing hardware backdoors - that it is not the US but China that is the big, big villain of the piece.
3. The most amazing part of Slashdot discussions, of course, is that lemmings NEVER QUESTION THE PREMISES of the title post and happily twitter, further developing the points of the launched propaganda piece.
How utterly disgusting
Can you trust USA-made equipment? I don't see any difference.
No, seriously. Trust starts with yourself; if you don't trust yourself, you can't trust others.
The other side is of course whether others are trustworthy; experience will tell you. But in the beginning it is necessary to decide that you will try it out.
So can we trust Chinese computers? I can; I don't know if you can - it depends on your own choices. If you meet other people with suspicion, you will always find your suspicion is confirmed; because you will keep prying until you find something to hang it on, and in the process you will turn people against you, who might otherwise have become your best friends.
Regarding the wider issue of being able to trust one's own hardware, given that some government is in a position to corrupt it, I wonder if FPGAs would be a solution? Of course, you'd have to trust the software you use to program them, and the hardware on which it runs. But there are limits to how complex malware can reasonably be.
Well, I don't know what the big deal about Chinese computers and eavesdropping built into them is. Can you really trust American software? Ever heard of key escrow?
and then we can unleash the Scientologists upon them to help "cure" their scarred psyches! We can kill two birds with one stone! Who's with me????
You sir are a magnificent evil bastard! Where can I subscribe to your newsletter?