Can You Trust Chinese Computer Equipment?

← Back to Stories (view on slashdot.org)

Can You Trust Chinese Computer Equipment?

Posted by kdawson on Friday February 5, 2010 @04:02AM from the or-anybody's-really dept.

Ian Lamont writes "Suspicions about China slipping eavesdropping technology into computer exports have been around for years. But the recent spying attacks, attributed to China, on Google and other Internet companies have revived the hardware spying concerns. An IT World blogger suggests the gear can't be trusted, noting that it wouldn't be hard to add security holes to the firmware of Chinese-made USB memory sticks, computers, hard drives, and cameras. He also implies that running automatic checks for data of interest in the compromised gear would not be difficult." The blog post mentions Ken Thompson's admission in 1983 that he had put a backdoor into the Unix C compiler; he laid out the details in the 1983 Turing Award lecture, Reflections On Trusting Trust: "The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect."

25 of 460 comments (clear)

Min score:

Reason:

Sort:

Another reason by AnotherUsername · 2010-02-05 04:02 · Score: 3, Insightful

This is just another reason for me to not want to buy Chinese made goods. Unfortunately, so much is made in China that it is nearly impossible to completely avoid the country.

--
I don't like Linux. This doesn't make me a troll.
1. Re:Another reason by TubeSteak · 2010-02-05 04:12 · Score: 5, Insightful
  
  I have a feeling eventually they will catch on that people aren't buying Chinese made stuff and will just put stamps on it from their more friendly neighboring countries.
  It's not as simple as "put stamps on it from their more friendly neighboring countries" when those neighboring countries do not have the high-tech industrial base to produce the hardware in question.
  On a strategic level, the USA really screwed the pooch by chasing the lowest bidder and not building up our domestic capacity to produce these items. And for you small gov't types, this is an example of free market principles colliding with what is effectively a national security issue.
  
  --
  [Fuck Beta]
  o0t!
2. Re:Another reason by TheLink · 2010-02-05 04:21 · Score: 4, Insightful
  
  The Chinese Government is unlikely to be interested in spying on US citizens (or taking control of their computers). They'll be spying on their own citizens.
  
  Similarly, the US Government is more likely to spy on US citizens.
  --
  
  Too many replies beneath your current threshold
3. Re:Another reason by Rogerborg · 2010-02-05 04:34 · Score: 5, Insightful
  
  You know that 2/3 of the phrase "trust but verify" is meaningless oxymoronic bullshit designed to mask the harshness of the only significant word, right? Like "strong but sensitive" or "sexy but geeky".
  
  --
  If you were blocking sigs, you wouldn't have to read this.
4. Re:Another reason by Spazztastic · 2010-02-05 04:40 · Score: 4, Insightful
  
  You know that 2/3 of the phrase "trust but verify" is meaningless oxymoronic bullshit designed to mask the harshness of the only significant word, right? Like "strong but sensitive" or "sexy but geeky".
  It's a good point, but that 2/3 of the phrase is what keeps the potential client from being insulted. The majority of business is sugar coating the harsh truth to keep people on your side and hopefully more of their money going into your wallet.
  
  --
  Posts not to be taken literally. Almost everything is sarcasm.
5. Re:Another reason by BZ · 2010-02-05 04:42 · Score: 5, Insightful
  
  > You'll note nothing seems to get cheaper to the end user.
  Since we're talking about computer equipment, this is demonstrably false.
6. Re:Another reason by networkBoy · 2010-02-05 04:50 · Score: 5, Insightful
  
  It's not that it is an additional chip, it is a different chip all together.
  For example:
  the ICH (southbridge) on your system likely handles the following things for you:
  keyboard/mouse
  USB
  IDE
  SATA
  FireWire
  Lan on Motherboard
  Boot from BIOS
  WebCam
  Using an ARM/ARC/MIPS core + SRAM added to the circuit of the ICH and fabbed as a "special item" one could conceivably manufacture motherboards with a larger than spec flashrom (to hold NVRam data for the extra proc) and so long as your system was on (possibly even "off" but plugged in if you can make it low enough power to run on standby voltage) you can datalog nearly anything.
  Parse the data for the interesting bits and store that to a hidden file on the HDD (since you're the controller for the HDD this should be trivial, no one will miss 1 meg of sectors you've marked bad).
  When you have an internet connection SSH over to your drop server (you run the ethernet MAC remember) and unload your stash.
  Really not all that far fetched and as long as the government pays for it (the fab of chips) you can sub these into assembly and not even no there was something wrong on the system even with a physical inspection.
  
  --
  whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
7. Re:Another reason by electrosoccertux · 2010-02-05 04:52 · Score: 3, Insightful
  
  economic co-dependency is the best national security there is. We'll never go to war with China; we're both far too dependent on each other. Wars are fought for power. Money is power, and is preferable to war. History has shown we won't fight when there's money involved.
  China only holds ~10% of our national debt; ~70% perhaps more is domestically owned; so the whole "THEY'VE GOT OUR DOLLAR BY THE BALLS" nonsense doesn't count-- they would be shooting themselves in the head by removing our purchasing power-- don't forget they have to keep their workers happy, and to keep them happy they have to keep them employed.
8. Re:Another reason by QuoteMstr · 2010-02-05 04:58 · Score: 4, Insightful
  
  economic co-dependency is the best national security there is
  They said that before World War I too.
9. Re:Another reason by PPalmgren · 2010-02-05 05:14 · Score: 3, Insightful
  
  You think if we had the means to produce them, people would have bought it? I'm sorry, but the reason domestic capacity doesn't exist is because it isn't competitive. Big gov't is not going to solve this in any way shape or form, it would actually make the issue worse by increasing admin overhead (taxes). If what you're advocating is protectionism, then I suggest you go read a bit of history on the subject and its reults.
  There are only three sane ways manufacturing jobs will return to the US: De-globalisation due to peak oil, normalizing quality of life in the US down to the rest of the world, or bringing the rest of the world to the US quality of life. I prefer the third option.
10. Re:Another reason by tiberus · 2010-02-05 05:18 · Score: 3, Insightful
  
  Should have been more specific. Granted prices on tech drop as overall manufacturing costs drop, new more efficient (read fewer defects and less waste) processes have been adopted, etc... So, yes in terms of a blanket statement it would be false.
  The intent was to state, and I'm open to being shown evidence to the contrary, that I have never seen a company's offshore move and resultant reduced operating costs directly result in lower prices. The market bears current pricing until such time that a manufacturer's competitors make similar changes and a price war begins.
11. Re:Another reason by chiguy · 2010-02-05 05:33 · Score: 4, Insightful
  
  That's insightful? That's what's called a false dichotomy.
  It's not mutually exclusive: The Chinese Government is likely to spy BOTH on US citizens AND their own citizens, just for different purposes.
  The US Government does both as well, but US abuses of US citizens are more likely to have discovery and recourse than China's abuse of Chinese.
  Just a bad argument all around.
  
  --
  passetspike!
12. Re:Another reason by Anonymous Coward · 2010-02-05 05:51 · Score: 3, Insightful
  
  hand tools bought from China have never held up for me as well as American made tools.
  Especially cutting tools like metal shears. The chinese ones nick easier because they use a lower cost (and thus softer) steel rather tan tool steel which is much harder, but more expensive and harder to work.
  Of course I pay a lot more for the better tools
  Yes, but is this because Chinese goods are inherently bad, or because there is a correlation between goods made in China and manufacturers looking to cut every last dollar of cost? If the only tools that are still economic to make in the US are the pro-quality top-of-the-range ones, then of course the US tools are going to appear better compared to the competition.
  It's like the way that people blame outsourcing to India for crappy customer service. The real problem is often that the customer service department has been reorganized around the principle of least cost and least effort and the service would be equally indifferent anywhere.
13. Re:Another reason by BrokenHalo · 2010-02-05 06:07 · Score: 5, Insightful
  
  I'd trust the Chinese further than most of my neighbours.
  
  That's a bit sad. I get on quite well with the majority of my neighbours, but most people I know who have wide experience of commercial dealing with Chinese (not to be confused with personal interactions with individuals and their families) have told me of a catalogue of dishonest, conspiratorial and treacherous activities. Basically, it seems their attitude is that "westerners" are fair game, since their rules are just not recognised by the Chinese.
  
  Adopting this attitude in comparatively small business dealings is one thing, but enshrining it in (unofficial) government policy is another. If the Chinese insist on treating other nations as enemies, they should expect the same in return. The fact that our governments and corporations are so ready to kowtow to them for their business is nothing short of sickening.
14. Re:Another reason by oatworm · 2010-02-05 06:45 · Score: 3, Insightful
  
  Why does a totalitarian regime have to keep the workers happy? Squishing them with tanks when they complain seems simpler.
  It's not so much the workers you have to keep happy, it's the military and the bureaucracy. If worker wealth disappears, wealth for the mid-level bureaucrat (e.g. party officials, regional governors, etc.) disappears, albeit more slowly. Once that happens, corruption turns up to 11 and nobody is willing to really sustain the country anymore. This happened to East Germany near the end - so much wealth was gone that nobody had a vested interest in maintaining the status quo anymore.
  
  And what is difference to the worker if instead of selling the stuff built with their labor to the US, the Chinese government just buys it directly from them with freshly printed yuan and dumps it in the ocean? What changes, other than China not collecting IOUs that it exchanges for more IOUs.
  One sends American wealth to China. The other sends Chinese wealth into the ocean. When American dollars are sent to China, they can trade those dollars for other, more useful things (oil, raw materials, and so on), provided the dollar is actually worth something. If the Chinese just start dumping surplus industrial output into the ocean, they won't get anything back to purchase new raw materials with, which would effectively shut down the factories sooner or later anyway.
15. Re: Another Reason by soren100 · 2010-02-05 07:03 · Score: 3, Insightful
  
  the reason domestic capacity doesn't exist is because it isn't competitive.
  
  One of the reasons for that is because China is artificially holding down the value of its currency so that we will destroy our own manufacturing base in a mad rush to make a quick buck. For the other countries, often American companies are the ones building the facilities and training the workers over there just for the cheap wages. Our own technology is given away for their cheap labor.
  
  If what you're advocating is protectionism, then I suggest you go read a bit of history on the subject and its reults.
  
  It seems to be working very well in many countries around the world that are smart enough to protect their own industries and work to keep out ours. Why do you think China is creating such problems for Google, and that Baidu is doing so well over there? The point is that if you don't go to extremes, you do very well. The extreme that America has gone into (not protecting our own domestic industries in favor of temporary profits) has really hurt us.
  
  normalizing quality of life in the US down to the rest of the world
  
  You mean make America a 3rd world country? That strategy seems to be working.
16. Re:Another reason by Troed · 2010-02-05 07:07 · Score: 3, Insightful
  
  It's mathematically impossible for every person on earth to burn this much oil, eat this much meat, and live on this much land.
  Technological development, however, makes it mathematically possible for every person on earth (and a lot more) to have the equivalent of the life you describe.
  
  --
  it's in my head
17. Re:Another reason by oatworm · 2010-02-05 07:11 · Score: 5, Insightful
  
  Actually, it's probably going to be a little bit of both.
  
  Look, we need to remember something here - it's not like we were manufacturing high-quality goods in the US when we were still manufacturing goods. There's a reason people stopped buying American cars, for example. Sure, you can point at something made in the US from 50 years ago and say, "Ah ha! See? Our stuff was better!", but that's just selection bias. Of course the stuff that made it to today from 50 years ago is more durable than the stuff we have lying around our house now. That's why it's over 50 years old.. All the crappy stuff that fell apart instantly fell apart fifty years ago.
  
  Back in the day, we made TVs. In those days, TVs were so expensive, TV repair was a legitimate career path. Nowadays, TVs are so cheap that it just doesn't make sense, which is why you don't see too many black & white TVs running around these days. Heck, the transition from analog TV to high definition TV will probably take less time for most families than the transition from black & white to color, if only because the cost of high definition TVs is falling so fast and so far that, when people's analog TVs die every 3-5 years (or so), they'll be able to easily afford a high definition one. How long did it take for VCRs to disappear once DVDs came out? The reason we can make these transitions so quickly these days is because of inexpensive manufactured goods.
  
  That said, back in the day, we were pretty much the only industrialized country on the planet. After World War 2, the US was the only country around that had a significant industrial base that hadn't been bombed into the Stone Age (at least the only one of a decent size - obviously Australia, Canada, and New Zealand were still in decent shape, too). Guess who was the world's China? That's right - the US, which is why, even if we switch to a protectionist stance, we're never getting back to a world in which the United States is 10x more prosperous than every other country on the planet. There's simply too much competition these days. Of course, back in the day, China was starving - that's less of an issue now. Back in the day, Mexico was a backwards, lawless hellhole. Nowadays, they possess the 13th highest GDP in the world, just ahead of Australia, with a slightly lower per capita GDP than Russia and Turkey. That's still not great, mind you, but it's still more than double China's and a heck of a lot better than it was at the turn of the last century. Japan is now a world-leading economic power; going into World War 2, they were just a regional power, roughly along the lines of South Africa today and with roughly the same amount of regional and international pull. South Korea? They weren't even a regional power when they gained independence from Japan after World War 2.
  
  Besides, life in the '50s and '60s wasn't that great in the US anyway, especially if you actually possessed melanin or were unfortunate enough to live in the South. Even if you were white, middle class meant something very different in '50s-era Birmingham than it meant in, say, '50s-era Detroit or Cleveland. Even if you were fortunate enough to live in an industrial city with lots of well-paying union jobs, what'd you get for it back then? A cookie-cutter suburban home sans-grounded wiring, a car that would rust or fail every three years or 50,000 miles, a TV if you really saved up for it, and lots and lots of canned food. Back then, frozen food was considered so novel and interesting that four-star restaurants in New York used to advertise that they used frozen product. Seriously, if you compared '50s America with today's... oh... Jamaica, you'd find yourself picking Jamaica in a heartbeat, and not just because of the weather.
Bad Headline by lyinhart · 2010-02-05 04:08 · Score: 5, Insightful

Considering where a lot of this stuff comes from, it should probably read, "Can You Trust Computer Equipment?"

--
Freedom is drinking a beer in the park when you're supposed to be at work.
Computers are information networks by gurps_npc · 2010-02-05 04:29 · Score: 3, Insightful

It is a rather simple military rule that you create your own information networks. You don't let your enemy or even your ally. Using Chinese made equipment for any military equipment is a bad idea. This is a no-brainer.

--
excitingthingstodo.blogspot.com
Sure... by ironicsky · 2010-02-05 04:31 · Score: 4, Insightful

While the USB memory key (in this example) could have low level software to snoop your data, how are they going to get it? Is the USB key going to open a TCP/IP or UDP connection back to their servers without tripping my firewall that a new application is trying to connect? Is my virus scanner going to get tripped that something suspicious is coming out of the key without my interaction?
Most decent virus scanners and firewalls will pick up on this. In a lot of corporate networks USB Mass media is disabled. I'd love to see a proof of concept that can get around these common checks... If anyone has a USB key that can do this, please let me know :-) I'll happily test it.
Re:Evidence? by Jeng · 2010-02-05 04:44 · Score: 3, Insightful

Looks completely made up to me. Why just think about the times that the consumer has ran across hidden malware such as the Sony Rootkit incident. Experts saw unusual traffic and traced it back to a CD. Same thing would happen if a piece of equipment had hidden malware in it, someone would notice the suspicious traffic and trace it back to the source.

--
Don't know something? Look it up. Still don't know? Then ask.
Re:Ahem *cough* why is "china" singled out?? by Arthur+Grumbine · 2010-02-05 05:45 · Score: 3, Insightful

and before thinking that "this is crazy, a U.S. firm wouldn't possibly do that" bear in mind that i've already had some experience of receiving a very weird series of SPAM messages, following which my machine started acting very very weird.
my guess is that simply by receiving that SPAM message, there was encoded within it some power-fluctuations or signal fluctuations which the CPU could pick up and "activate" whatever it was that was wanted to be activated by whomever it was that sent the SPAM message.
To be fair, the "Troll" mod is also used as a substitute for "Batshit-Crazy".

WARNING! This post is encoded with power and signal fluctuations that which will cause your machine to start acting very very weird. Again, if your computer starts acting very very weird after you read this it is because of this post.

--
Now that I think about it, I'm pretty sure everything I just said is completely wrong.
No, he didn't, as best we can tell. by jeffb+(2.718) · 2010-02-05 07:32 · Score: 5, Insightful

I was a gung-ho CS student when this article came out, and we spent a LOT of time hashing it over. He specifically did not say that he had done this, and while I don't remember him making an outright denial, we concluded that he hadn't. After all, the C compilers of that day were still small enough to be understood by a single human, and comparing C code to the assembly code generated from it (or comparing that assembly code to generated machine instructions) was not very challenging.
Maybe the Jargon File entry is right, and he did implement it as a proof-of-concept, but it wasn't widely distributed. It was easy enough for an interested (and bored) undergrad to check out over a weekend, but hard enough that compiler distributions weren't routinely examined.
With today's optimizing compilers and layers upon layers of abstraction, though, it seems like there's more than enough room for plenty such exploits. Pham Nuwen can still have his backdoor into the localizers.
Re:Secret agreements by rahvin112 · 2010-02-05 08:01 · Score: 4, Insightful

The ultimate hinge point in WWI was when Germany executed a war plan that called for a two front war when their treaty obligations only called for a one front war. Simply because the plans called for them to invade Russia and France simultaneously they did so even though Russia was the only one that had declared war (and France wasn't even involved). The generals at the time in Germany couldn't even imagine diverging from the war plan and the war plan called for invading France. Rather than stand up to his Generals the Kaiser caved and allowed the invasion of France (I believe he uttered the phrase "rolling the iron dice").
This is the entire reason France and the UK blamed Germany for the war and imposed all the war's costs on Germany (thereby causing WWII). The mindset in WWI Germany is incomprehensible today but the reason WWI happened (a much smaller war could have happened) is because there was a plan that wasn't applicable but the people in charge couldn't imagine deviating from the plan and the guy in ultimate charge wouldn't stand up to the ones tasked with fighting the war. The German/Russian/Austrian front of the war was minuscule in comparison to what happened on the French/German/Dutch border where entire armies (and two generations of French/German/English) were ground into hamburger in modern warfare. The greatest lesson of WWI is plans are great to have but they aren't the blueprint for the war that must be followed, iron adherence to a plan regardless of situation is suicide.