Slashdot Mirror


Former Pentagon Analyst: China Has Backdoors To 80% of Telecoms

An anonymous reader writes "A former Pentagon analyst reports the Chinese government has 'pervasive access' to about 80 percent of the world's communications, and it is looking currently to nail down the remaining 20 percent. Chinese companies Huawei and ZTE Corporation are reportedly to blame for the industrial espionage. 'Not only do Huawei and ZTE power telecom infrastructure all around the world, but they're still growing. The two firms are the main beneficiaries for telecommunication projects taking place in Malaysia with DiGi, Globe in the Philippines, Megafon in Russia, Etisalat in the United Arab Emirates, America Movil in a number of countries, Tele Norte in Brazil, and Reliance in India.'"


  1. Wait, what? by girlintraining · · Score: 4, Insightful

    This "former Pentagon analyst"... Did he have access to intelligence reports of this nature? If so, and he's disclosing this now, I'm assuming the relevant documentation would be available via a Freedom of Information Act request? Since disclosing classified intelligence would be an act of treason, you know.

    Just out of curiosity, this "former Pentagon analyst" wouldn't happen to be employed with a defense firm now that would stand to profit from any products the company offers to combat this threat, would it? As many a scientist has uttered before, "Extraordinary claims require extraordinary proof." That doesn't change because we're discussing a matter of national security: You still have to put up, or shut up.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Wait, what? by Anonymous Coward · · Score: 2, Insightful

      I'm sure there is someone profiting off this. I'm also sure it's true. The problem is we don't require the source code to be free and readily available. THIS STUFF SHOULD BE PUBLIC INFORMATION!

      It might not stop hackers although it would give us the opportunity to lock down infrastructure. The code should be reviewed by security experts.

    2. Re:Wait, what? by k(wi)r(kipedia) · · Score: 5, Insightful

      Right. The not so Fine Article is low on details. It makes a grand connection between two rather uncontroversial facts: (1) Chinese net equipment can be found in an overwhelming majority of countries around the world and (2) the Chinese engage in cyberwarfare (as does the US and a few other advanced countries). Conclusion:

      The Chinese government and the People's Liberation Army are so much into cyberwarfare now that they have looked at not just Huawei but also ZTE Corporation as providing through the equipment that they install in about 145 countries around in the world, and in 45 of the top 50 telecom centers around the world, the potential for backdooring into data.

      Emphasis added on the word potential. Now where's the proof (preferably from a chip teardown by a reputable hardware hacker or hacking group)?

    3. Re:Wait, what? by gtall · · Score: 4, Informative

      Apparently, he writes stuff for www.wnd.com...kind of hard to tell what they are but they seem to be a net media company. Anyhow, the fellow saying these things, Michael Maloof, seems to be saying a lot of things on WND. It is hard to believe that he'd be revealing secret information because he'd be arrested for that sort of thing. So maybe he's just running off at the mouth? It wouldn't surprise me that Huawei (I think that's pronounced Way-Way) has back doors in their equipment given their relationships with the PLA.

      So at least on the surface your knee-jerk reaction appears to be unsubstantiated, he's not overtly working for a defense contractor.

    4. Re:Wait, what? by girlintraining · · Score: 5, Interesting

      Emphasis added on the word potential. Now where's the proof (preferably from a chip teardown by a reputable hardware hacker or hacking group)?

      There won't be any. Anyone with the capability of analyzing and reverse-engineering thousands of ICs would need deep pockets -- Either a large corporation or a government. A hacking group won't have the resources, even a well-funded one. You're talking about several hundred highly trained engineers from a dozen different disciplines working for years on the project, with no return on investment. There's no reason for a large corporation to conduct such business domestically -- they already have comparable products, and the Chinese equipment doesn't have any capabilities that aren't commonly available elsewhere. That leaves governments with a GDP in excess of a hundred billion USD per year. Short list. Said governments wouldn't disclose the results of such a search either, as it's a legitimate intelligence asset that would need to remain classified -- you don't want your enemy to know what you know, especially not before you come up with a way to defend against the attack or co-opt the infrastructure for your own purposes.

      Second, forensically analyzing tens of thousands of chips and microprocessors would be pointless anyway: There still has to be some method of communicating the information back, and they can't compromise the entire communications chain, which is what would be required. Telecommunications equipment is designed to be eavesdropping-friendly; Complete with port mirroring, trace and audit logs, selective forwarding based on rules... it's all standard. We're not even talking about the law enforcement black boxes, this is just stuff used for legitimate business purposes. The moment any such 'bug' went active, it would set off alarms -- by necessity, the communications would have to occur over the provider's own network. Unless their network admins are idiots they should notice the aberrant traffic.

      China would have to be very stupid to leverage such an intelligence asset for peanuts; It's basically a one-shot, and it would cost them billions in telecommunications contracts domestically. So if they do have such a capability, they're not going to use it until the value of the intelligence they would gain from it equals or exceeds that amount.

      So there's two arguments right there based just on the economics of the situation. I strongly suspect that this unnamed Pentagon analyst is being paid to spread disinformation. Such disinformation would serve the purpose of keeping the American public sucking the tit of the Department of Homeland Security's fear juice, and exaggerating our actual intelligence capabilities -- rather than waste hundreds of millions on a reverse engineering project that could never be made public, we'll just insinuate that "We know. We're on to you," and rattle our sabre a little. Maybe it deters them, maybe it forces them to expend resources to find out whether we're telling the truth or not, but it costs us nothing to make such a statement.

      --
      #fuckbeta #iamslashdot #dicemustdie
    5. Re:Wait, what? by Anonymous Coward · · Score: 1, Funny

      Hello Miss South Carolina Teen USA!

    6. Re:Wait, what? by number11 · · Score: 5, Insightful

      This "former pentagon analyst" is a writer for WND, a rightwing web news site with all the credibility of the National Enquirer.

      Not to say that China wouldn't build backdoors into telco gear, of course they would. The US requires telcos to provide access for it to spy on calls, it wouldn't particularly surprise me if the Chinese just built it in without talking publicly about it. After WWII, many countries purchased Swiss encryption gear, and many years later it was divulged that the US had inserted a backdoor into that gear. Why would China, or telco gear, be any different?

      The fact is, around the world everyone should assume that anything done over a telephone is shared with unknown parties. Unless they've got trustworthy gear to encrypt calls end-to-end.

    7. Re:Wait, what? by k(wi)r(kipedia) · · Score: 1

      So if they do have such a capability, they're not going to use it until the value of the intelligence they would gain from it equals or exceeds that amount.

      Too many backdoors and the house is wide open to the public. So basically we shouldn't be terrified of backdoors being installed in off-the-shelf products but of backdoors being installed in some custom-built equipment that manages to sneak into the office. Security-wise, this makes it more important to do a background check on people installing and administering critical hardware than doing random hardware audits. Hardware would still need to be checked, of course, for bugs and defects that would affect performance.

    8. Re:Wait, what? by LordLimecat · · Score: 5, Insightful

      Article read like FUD.

      As a consequence, sources say that any information traversing "any" Huawei equipped network isn't safe unless it has military encryption.

      Wow, military grade encryption? Would that be, like, AES, one of the most widely deployed, tested, and recognized encryption schemes out there? Wow man, that stuff is hard to come by.

      I also like the implication that unless you have a VPN, it will still magically find its way out to Huawei regardless of what other network controls you have in place. Having backdoors is one thing, getting thru a firewall is something completely different.

      Sources add that most corporate telecommunications networks use "pretty light encryption" on their virtual private networks, or VPNs.

      Proprietary information could be not only spied upon but also could be altered and in some cases could be sabotaged.

      Someone want to explain to me the difference between "altered in transit" and "sabotaged"?

      I'm sorry, when so many of the assertions in the article read like uninformed drivel, it's kind of hard to take the headline seriously. I have a strong feeling that the person who wrote this doesn't understand any of the terms he's going on about.

    9. Re:Wait, what? by Luckyo · · Score: 4, Insightful

      He's just ignoring the convenient fact that US has access to 100% by the same measuring stick.

    10. Re:Wait, what? by Anonymous Coward · · Score: 1

      There are a few companies that are specialized in reverse engineering chips and do not require hundreds of engineers. e.g. Chipworks

    11. Re:Wait, what? by Anonymous Coward · · Score: 4, Insightful

      If I were China, I would put spying devices into hardware we build for well known American Telecom companies. Everything is made in China these days, with all the CAD files, firmware binaries, hardware schematics etc. all handed over to the factories in China.

      Why ruin your own brands when the American brands can get into more places.

    12. Re:Wait, what? by Anonymous Coward · · Score: 4, Informative

      National Enquirer, the "non-credible" news source that first ran the story on John Edwards's affair and child out of his marriage while on the campaign trail. The same news source that broke the story on Jesse Jackson's illegitimate child that he was funnelling hundreds of thousands from his organization to keep the mother quiet.

      While 10 years ago I would have agreed with that comment of yours, they are now more accurate and truthful than NBC has been over the last few years. NBC had both of those stories I listed, but decided to bury them leaving the Enquirer the only news outlet that would run them, and both turned out completely accurate.

    13. Re:Wait, what? by mysidia · · Score: 4, Insightful

      If the source code were free and publicly available.... still... how do you verify the code on the device was compiled from the source you were given, and there's not a hardware component that changes the code after it's in memory?

    14. Re:Wait, what? by jcr · · Score: 3, Insightful

      Since disclosing classified intelligence would be an act of treason, you know.

      Espionage, not treason. Under American law, there's a very specific definition of treason.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    15. Re:Wait, what? by erp_consultant · · Score: 5, Insightful

      Exactly. More DHS scaremongering in yet another lame attempt to justify their existence. Started nine years ago it is now one of the largest departments in the entire federal government with 260,000 employees. Under the guise of combating "terrorism" - a very broad term that can mean whatever they want it to - and bolstered by the Patriot Act, this agency violates the rights of American citizens on a daily basis. And just like every other federal agency, it's never going away. It will only get larger.

    16. Re:Wait, what? by dbIII · · Score: 1

      What is it again - playing chess against Russians :)
      I know selling weapons via Iran to a terrorist group that has just killed 220 US marines doesn't count, North was still calling himself a patriot after that.

    17. Re:Wait, what? by Anonymous Coward · · Score: 1

      True enough.

      Admittedly, the image that came to mind was getting fear juice direct from Janet Napolitano.... and then wondering what might be on the nutritional label.

    18. Re:Wait, what? by sg_oneill · · Score: 2

      I wouldn't actually be surprised if there was some substance. A while back, when Australia was doing its tendering for constructing the national broadband network (fibre to the home + backbone upgrade), it excluded these companies on the grounds of "security concerns" but declined to state why. It was puzzling as Australia is as close to China as we are to the United States, and perhaps more so economically.

      Perhaps the US Pentagon had a word to Australian intelligence about the concerns, and this guy has heard those concerns too.

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
    19. Re:Wait, what? by Fjandr · · Score: 3, Informative

      There wouldn't necessarily be alarms. After all, the use of Cisco's IOS backdoors, last I saw, had the problem of being so quiet that surreptitious use by black hats could not be detected easily. If the people who actually constructed the backdoors were using them appropriately and designed them for complete transparency, I wouldn't make a bet against them being able to use them unnoticed. It's been done before, as recently as 2010 (the last time I read an updated report of IOS LEA intercept problems).

    20. Re:Wait, what? by cold+fjord · · Score: 5, Interesting
      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    21. Re:Wait, what? by erp_consultant · · Score: 1

      Good grief...that's a frightening thought.

    22. Re:Wait, what? by Galactic+Dominator · · Score: 1

      NBC had both of those stories I listed, but decided to bury them leaving the Enquirer the only news outlet that would run them, and both turned out completely accurate.

      I assume you mean NBC had the ability to break the story, not cover it because they certainly did. So they didn't break the story...do you have evidence for this? Do you have evidence NBC wasn't simply practicing journalistic integrity and was seeking a second source? In general, how much credulity do you possess on conspiracy theories? In your opinion, is a quality news organization one that breaks news first regardless of source?

      Have you looked at www.nationalenquirer.com recently? Can you give a more detailed reasoning on why anyone should take your statements seriously?

      --
      brandelf -t FreeBSD /brain
    23. Re:Wait, what? by Solandri · · Score: 4, Interesting

      Even if you verify the source code is clean and compile it yourself, you're still vulnerable. The compiler could have a trojan hidden in it which inserts a backdoor when it detects certain functions are being compiled. And if you compile your compiler yourself? Well what's to say the compiler you use to do that doesn't have a trojan which inserts the trojan I just mentioned into your new compiler? And so on.

      Basically, if you want to be 100% sure your code is clean, you have to write it (including any compilers you use) from scratch. Perhaps the most pertinent quote from that paper: "As the level of program gets lower, these [deliberately inserted] bugs will be harder and harder to detect. A well installed [hardware] microcode bug will be almost impossible to detect."

    24. Re:Wait, what? by Solandri · · Score: 2

      Sorry for the broken link. Here is the correct link. It should be required reading for anyone involved in computer security.

    25. Re:Wait, what? by jcr · · Score: 1

      Treason against the United States, shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort.

      It's pretty hard to make a case for treason without a declared war in progress. Julius and Ethel Rosenberg, for example, were convicted of espionage, not treason, because the USA wasn't technically at war with the Soviet Union.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    26. Re:Wait, what? by Alex+Belits · · Score: 2

      Right, and "everyone involved in computer security" knows that this is completely unrealistic because modern compilers do not share common origin.

      --
      Contrary to the popular belief, there indeed is no God.
    27. Re:Wait, what? by kasperd · · Score: 4, Interesting

      Anyone with the capability of analyzing and reverse-engineering thousands of ICs would need deep pockets

      No need to look at thousands of ICs. Looking at a few of the most interesting targets is still going to be valuable.

      A hacking group won't have the resources, even a well-funded one. You're talking about several hundred highly trained engineers from a dozen different disciplines working for years on the project

      I know one person who using just off the shelf equipment was able to read the ROM from a microcontroller in his spare time. All it took was a cheap microscope and a webcam.

      There still has to be some method of communicating the information back, and they can't compromise the entire communications chain, which is what would be required.

      Covert channels can be very hard to detect. You don't need to compromise the entire chain. You just need to piggyback on a legitimate communication for hops between compromised equipment. For example VPN hardware could piggyback on legitimate connections by using some encrypted data instead of random values for sending packets over the Internet. A compromised router anywhere on the path the VPN connection takes could pick out the data. Now the data is on a router on the public Internet. There are plenty of ways to get the data from there. First of all the attacker could very well have a legitimate connection going through that router, now it just needs a covert channel to send data from that router.

      Sending data from the router without risk of being noticed is slightly more tricky. The question is, would you take the risk of modifying packets in the hope that nobody is actually comparing the packets going into the router and out of the router? If you modified the IPID field of every packet going through the router, that would produce a feasible covert channel. It would not be immediately detected, but would be visible if you carefully inspected the traffic. Notice that it would not be sufficient to look at the traffic through the router in a lab before deployment, because the router wouldn't be sending any covert data until instructed to do so.

      A stealthier method would be to just use the IPID field of packets generated by the router. There is no incoming packet to compare against. But extracting data that way without being visible takes time. You can run a traceroute that happens to pass through the router, then it will need to send three response packets (with the common settings). Each time you run a traceroute passing through that router, you could extract 6 bytes of data.

      China would have to be very stupid to leverage such an intelligence asset for peanuts; It's basically a one-shot, and it would cost them billions in telecommunications contracts domestically.

      Valid point, however even if it was noticed, it would be hard to prove who was behind.

      --

      Do you care about the security of your wireless mouse?
    28. Re:Wait, what? by Anonymous Coward · · Score: 1

      One thing is programming a compiler to insert a trojan when it compiles itself, another completely different thing is to program a compiler to recognize it is compiling a newly programmed compiler, devise how to morph the trojan so it plugs into the previously unknown compiler and insert it. That's far harder.

    29. Re:Wait, what? by sociocapitalist · · Score: 1

      In security, you have to make assumptions based on what is possible or likely, not what is proven. You don't have to prove that your first layer of firewalls can be breached - you assume that they might be and you put another layer of security behind it.

      With regard to security of information that China would like very much to have access to, such as resource location information (oil, minerals, etc) and industrial designs, military and otherwise, you have to assume that they will do what they can to get at such information.

      Buying equipment and/or software from manufacturers/developers that are more or less owned by the country in question, in this case China, you should assume that such equipment is compromised from the get go even if such hasn't been proven, because the possibility and the motivation both strongly exist.

      --
      blindly antisocialist = antisocial
    30. Re:Wait, what? by sociocapitalist · · Score: 1

      treason/trzn/
      Noun:
      1) The crime of betraying one's country, esp. by attempting to kill the sovereign or overthrow the government.
      2) The action of betraying someone or something.

      Disclosing classified intelligence can certainly fall under the definition of treason.

      --
      blindly antisocialist = antisocial
    31. Re:Wait, what? by Anonymous Coward · · Score: 1

      Anyone with the capability of analyzing and reverse-engineering thousands of ICs would need deep pockets

      If there really are backdoors to 80%, why would you need to reverse engineer thousands? If you don't find any after a few random samples of the popular ones then either the Chinese are really very sneaky at hiding it, or this is all bogeyman bullshit.

    32. Re:Wait, what? by rainer_d · · Score: 1

      Telecommunications equipment is designed to be eavesdropping-friendly; Complete with port mirroring, trace and audit logs, selective forwarding based on rules... it's all standard. We're not even talking about the law enforcement black boxes, this is just stuff used for legitimate business purposes. The moment any such 'bug' went active, it would set off alarms -- by necessity, the communications would have to occur over the provider's own network. Unless their network admins are idiots they should notice the aberrant traffic.

      I thought, ETSI LI regulations require that the LI (lawful interception) can occur even without the Telco knowing it happens.

      That said, concerning the notion brought forward in the article: it just means that there's another nation spying on the telco-infrastructure.
      AFAIK, most LI-equipment is developed by companies that are more or less obvious front companies for the nations' intelligence agencies, often run by former intelligence-agency staff.
      To truly believe that there's no system behind this is akin to believing in the tooth-fairy.

      --
      Windows 2000 - from the guys who brought us edlin
    33. Re:Wait, what? by gabrieltss · · Score: 1

      The National Enquirer - entertainment for people who don't understand Hee-Haw.

      --
      The Truth is a Virus!!!
    34. Re:Wait, what? by Anonymous Coward · · Score: 1

      I would argue that the money for this sort of thing (both installing the spying tech and discovering and working around it) is always available for sufficiently large and powerful nations. It's a silent war that has been going on for centuries, preceding the existence of the US.

      I recall (from the early 1980s IIRC) a situation that happened in Silicon Valley. Back then all of the phone calls to or from Sili Valley went through a microwave tower situated on Telegraph Hill in San Francisco. The USSR had a consulate in one of the mansions on the hill. I forget how it was discovered but someone figured out that the mansion was in one of the side lobes of the microwave transmission field where it could pick up at least one side of every transmission. The consulate had a basement full of equipment that looked at the phone numbers of every call going through that tower, and recorded calls to or from companies of interest. Then those calls were sent via satellite back to USSR for translation, usually the same day. So for some time (years?) every long distance call to major tech companies was being listened to by the sneaky Roossians. As I recall, upon discovery the consul and all of the staff were invited to return to USSR and the consulate was shut down or moved. No stink, just quietly cleaning up the situation.

      I don't recall how or where I learned this but it was not long after it supposedly happened. And certainly similar things have happened. One that did make the news was the brand spanking new US Embassy in USSR, which was discovered to have been filled with bugs of various sorts during construction, so was essentially useless. I think we never even moved into it. And I think that from then on we always used US construction firms and labor for building embassies.

      Then there's the story that broke not too long ago about the US submarines that had special equipment that allowed them to listen in on the fiber optic cables running under the Baltic Sea, so we could snoop on Soviet/Russian military and tech data and voice transmissions. (I think that might have been using the fact that when one bends a fiber optic, some of the signal leaks out and can be picked up.) That was probably a few hundred million dollars.

    35. Re:Wait, what? by ultranova · · Score: 1

      A well installed [hardware] microcode bug will be almost impossible to detect.

      It's also almost impossible to write. A simple one will be found, since it'll end up inserting weird bugs to programs (or be so conservative that a change in compiler options will defeat it), and a complex one would need to perform high-level code function analysis and adaptive rewriting - and if you can write that in microcode, why are you wasting your time with cloak-and-dagger business? You'd do much better for yourself and your country by running a legit business.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    36. Re:Wait, what? by dbIII · · Score: 1

      Sorry, I was just being an annoying prick and reacting more to other people that scream "treason" at the drop of a hat by giving them an example of something extreme which still isn't considered extreme enough. I know that even Hezbollah and Iran were not declared enemies so North wouldn't have been convicted of that either, and I cannot remember what charges he was pardoned for.

    37. Re:Wait, what? by Compaqt · · Score: 1

      Well, the source is actually not ZDNet, but rather an article on WND, which is as reliable as Socialist Workers newspapers are (meaning it's quite eager to publish stuff agreeing with its worldview).

      --
      I'm not a lawyer, but I play one on the Internet. Blog
    38. Re:Wait, what? by girlintraining · · Score: 1

      No need to look at thousands of ICs. Looking at a few of the most interesting targets is still going to be valuable.

      Analyzing only the elephant's trunk tells us very little about the elephant.

      I know one person who using just off the shelf equipment was able to read the ROM from a microcontroller in his spare time. All it took was a cheap microscope and a webcam.

      So a cheap microscope and a webcam is capable of resolution down to 18 nanometers, and can see through multiple layers of silicon etchings. How come everyone isn't doing it then? Oh right: Because a cheap ROM tacked onto a low power microcontroller is a very different beast from a modern SOC chip.

      You don't need to compromise the entire chain. You just need to piggyback on a legitimate communication for hops between compromised equipment.

      You just failed basic network engineering. The packets have to leave the network somewhere. If you don't control that border router, then even if everything else is compromised, the data can't leave undetected.

      A compromised router anywhere on the path the VPN connection takes could pick out the data.

      Most telecommunications equipment doesn't talk to the public internet or access the public internet; Those access points are carefully controlled at what are called Network Access Points, or NAPs. Most of the telecommunications network is controlled only by the company. Just because you hook something up to the internet doesn't mean it borgifies and cross-connects every node on your network. Again, engineering fail.

      Sending data from the router without risk of being noticed is slightly more tricky.

      By slightly, you mean impossibly more tricky if the router isn't compromised.

      Bottom line here is, it's a digital communications medium. The bit is either there, or it isn't there. You can't hide that fact if you have properly setup your equipment and laid out your network with that in mind.

      --
      #fuckbeta #iamslashdot #dicemustdie
    39. Re:Wait, what? by kasperd · · Score: 1

      If you don't control that border router, then even if everything else is compromised, the data can't leave undetected.

      You should research how covert channels work, before you pretend to know about it.

      By slightly, you mean impossibly more tricky if the router isn't compromised.

      No, you are wrong. That is not what I mean. I already explained how it could be done, I don't understand how you can misread that as it being impossible.

      The bit is either there, or it isn't there. You can't hide that fact if you have properly setup your equipment and laid out your network with that in mind.

      You are making the assumption that the receiving end at some hop of the communication knows what value that bit is supposed to have. If you assume, this hop knows what every bit it receives should have been, then there is no point in sending the bits in the first place, because the receiver already knows, and can pass it on without receiving it first. So your assumption is clearly wrong.

      Communication protocols have lots of fields that the sender can initialize however it pleases. Some of those fields are specifically supposed to be random. No amount of inspecting such packets can reveal if the bits are actually random.

      --

      Do you care about the security of your wireless mouse?
    40. Re:Wait, what? by rtfa-troll · · Score: 1

      Strange Loops: Ken Thompson and the Self-referencing C Compiler Reflections on Trusting Trust - Ken Thompson

      Those are old and outdated papers from before diverse double compilation techniques were described. Source code is the fundamental requirement for both auditing and efficient discovery of exploits. This is the reason why the Chinese government insists on and gets access to Microsoft Windows source.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    41. Re:Wait, what? by girlintraining · · Score: 1

      You should research how covert channels work, before you pretend to know about it.

      I know how covert channels worked. I have done work for the government where they were used. Communication between two devices sharing the same physical medium can be covert. Transmitting data over links that have been secured by a third party that doesn't have your channel-enabling technology will not. It's digital. It encodes and decodes, and forwards, based on what it can read. If the device can't see it, it cannot forward it. So compromise every device in the network, but if your device at the contact point to the outside world hasn't been, your covert channel does you exactly dick.

      Communication protocols have lots of fields that the sender can initialize however it pleases. Some of those fields are specifically supposed to be random. No amount of inspecting such packets can reveal if the bits are actually random.

      Yes, and most of those fields can be zeroed or hard-coded by your border router, eliminating said 'randomness'. Everything about the packet's header can be rewritten dynamically in an IP-based network (which is what most telecom equipment is). In fact, when setting up secured communication facilities, the default configuration strips most of this data out or rewrites it so that it is consistent to prevent such sidechannel attacks. It's standard operating procedure. The only thing you can't modify in a packet without causing problems is the payload (if it's encrypted). If it's not encrypted, then you can diddle the bits all you want. Take voice codecs; the LSB is often targeted for stego attack, but it's just as easily defeated by randomizing that data. The original payload goes through... your 'covert channel' is overwritten with noise.

      Look, I know you've read a few wiki pages on this, and you'd like to think you're an expert, but you're not. You haven't been paid to do this kind of testing, and had it vetted by a team of people whose job depends on making sure it was done right. I have. If you do it right, there's no way for covert communication to leave your network. Now if you're allowing 3rd party traffic through, and it's encrypted (like a VPN), then it's no longer a covert channel. If a channel can be modified in situ undetected, then you have bigger problems.

      This isn't a question of whether or not it can be secured. It's a question of whether or not it's cost-effective. And yes, a lot of times, amateurs like yourself can be tapped to set up such equipment, and it'll work well enough for its intended purpose, but it can also provide exactly the channels you're describing. But if it's designed by a professional, then no. You can put a thousand compromised devices on a network I've set up. Not a one of them will go undetected once activated.

      --
      #fuckbeta #iamslashdot #dicemustdie
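
Added example, not part of any comment in this thread: a Python sketch of the border-side rewriting that comment 41 describes, normalizing the sender-controlled IPv4 header fields and overwriting the LSB of 16-bit PCM samples. The function names, the fixed TTL of 64, the drop-on-options policy and the sample packets are assumptions constructed for illustration; the sketch covers only these storage fields, not packet timing or encrypted payloads.

```python
import secrets
import struct

FIXED_TTL = 64              # assumption: one egress TTL chosen by the operator
HDR_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, no options


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a valid full header."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_sample_header(tos: int, ident: int, ttl: int, reserved: bool) -> bytes:
    """Constructed sample header: documentation addresses, UDP, 40-byte datagram."""
    flags_frag = 0x4000 | (0x8000 if reserved else 0)   # DF, optional reserved bit
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])
    raw = struct.pack(HDR_FMT, 0x45, tos, 40, ident, flags_frag, ttl, 17, 0, src, dst)
    return raw[:10] + struct.pack("!H", ipv4_checksum(raw)) + raw[12:]


def sender_fields(header: bytes):
    """Fields an internal sender can set freely: (TOS, ID, reserved bit, TTL)."""
    _, tos, _, ident, flags_frag, ttl, _, _, _, _ = struct.unpack(HDR_FMT, header[:20])
    return tos, ident, flags_frag >> 15, ttl


def normalize_ipv4_header(header: bytes, new_id: int):
    """Rewrite sender-chosen fields at egress; return None to drop the packet."""
    if len(header) < 20:
        return None
    if header[0] >> 4 != 4 or (header[0] & 0x0F) != 5:
        return None                      # not IPv4, or carries IP options: drop
    _, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, src, dst = struct.unpack(
        HDR_FMT, header[:20])
    flags_frag &= 0x7FFF                 # clear the reserved flag bit
    raw = struct.pack(HDR_FMT, 0x45, 0, total_len, new_id & 0xFFFF,
                      flags_frag, FIXED_TTL, proto, 0, src, dst)
    return raw[:10] + struct.pack("!H", ipv4_checksum(raw)) + raw[12:]


def scrub_pcm16_lsb(pcm: bytes, bit_source=lambda: secrets.randbits(1)) -> bytes:
    """Overwrite the least significant bit of each little-endian 16-bit sample."""
    if len(pcm) % 2:
        raise ValueError("PCM16 buffer must hold whole samples")
    out = bytearray(pcm)
    for i in range(0, len(out), 2):      # low byte comes first in little-endian
        out[i] = (out[i] & 0xFE) | (bit_source() & 1)
    return bytes(out)


if __name__ == "__main__":
    # Two constructed headers that differ only in sender-chosen fields.
    a = build_sample_header(tos=0x1C, ident=0xBEEF, ttl=57, reserved=True)
    b = build_sample_header(tos=0x00, ident=0x0001, ttl=128, reserved=False)
    egress_id = secrets.randbits(16)     # ID assigned by the border device
    na, nb = normalize_ipv4_header(a, egress_id), normalize_ipv4_header(b, egress_id)
    print("before:", sender_fields(a), sender_fields(b))
    print("after: ", sender_fields(na), sender_fields(nb), "identical:", na == nb)

    samples = struct.pack("<4h", 1000, -1001, 2, 3)   # constructed audio samples
    print("pcm:", struct.unpack("<4h", scrub_pcm16_lsb(samples)))
```

After normalization the two headers are byte-identical, so nothing the sender placed in those fields crosses the border, and each audio sample moves by at most one quantization step.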
    42. Re:Wait, what? by sticky.pirate · · Score: 1

      Whoa, not so fast... there may be a way around that, see http://www.acsa-admin.org/2005/abstracts/47.html

    43. Re:Wait, what? by k(wi)r(kipedia) · · Score: 1

      Buying equipment and/or software from manufacturers/developers that are more or less owned by the country in question, in this case China, you should assume that such equipment is compromised from the get go even if such hasn't been proven, because the possibility and the motivation both strongly exist.

      Where security budgets are unlimited, that would be the best approach. But where the budget is limited and even going down, the better approach is to focus on critical hardware (again, what is critical depends on the budget) and the people who install and administer the hardware/software. The most secure hardware still usable by a human being is easily compromised by a person given the right privileges (passwords, etc.). So why not focus on the people given access privileges, and leave that router in the lobby alone until it starts emitting a flood of suspicious data?

      An exaggerated analogy. We all know that a large asteroid impacting the Earth is thousands of times more lethal than any known weapon of mass destruction. So why aren't countries allotting the whale's share of their military or homeland security budget toward the elimination of such threat? Because the probability of such fatal impact is low in human or historical terms (even if high in geological or prehistoric terms).

    44. Re:Wait, what? by gmanterry · · Score: 1

      Strange Loops: Ken Thompson and the Self-referencing C Compiler
      Reflections on Trusting Trust - Ken Thompson

      Wish I had points because I found these links really interesting. Thanks.

      --
      Since when is "public safety" the root password to the Constitution?
    45. Re:Wait, what? by sociocapitalist · · Score: 1

      Buying equipment and/or software from manufacturers/developers that are more or less owned by the country in question, in this case China, you should assume that such equipment is compromised from the get go even if such hasn't been proven, because the possibility and the motivation both strongly exist.

      Where security budgets are unlimited, that would be the best approach. But where the budget is limited and even going down, the better approach is to focus on critical hardware (again, what is critical depends on the budget) and the people who install and administer the hardware/software. The most secure hardware still usable by a human being is easily compromised by a person given the right privileges (passwords, etc.). So why not focus on the people given access privileges, and leave that router in the lobby alone until it starts emitting a flood of suspicious data?

      An exaggerated analogy. We all know that a large asteroid impacting the Earth is thousands of times more lethal than any known weapon of mass destruction. So why aren't countries allotting the whale's share of their military or homeland security budget toward the elimination of such threat? Because the probability of such fatal impact is low in human or historical terms (even if high in geological or prehistoric terms).

      Budgets have to be driven by requirements, not the other way around. I suggest turning it around, then, and looking at it from the perspective that the budget for security (or in this case network equipment from the aspect of security) must depend on the risk and impact analysis. Has it been proven that the holes are there? No. Is the risk there that such holes exist? Yes. Is the impact considerable in the event that the holes exist and are taken advantage of? Yes.

      Companies are no longer on a level playing field for security. There is no real separation between business and government in China (for example) and so western business and government agencies that aren't paying enough attention are finding themselves constantly compromised at many levels in no small part due to Chinese military resource and government 'blind eye'.

      The other way around - could Iran have proven that their software was infected with Stuxnet? No, probably not. Should they have assumed that it was compromised? Arguably yes. If you get your resources from a real or potential enemy, be it physical or economic war, you have to assume that what you get has holes in it even if you can't prove that they're there.

      I understand the point that you're making, but arguably the probability of there being holes in Chinese provided network equipment is probably higher than the probability of a significant asteroid hitting the earth.

      --
      blindly antisocialist = antisocial
    46. Re:Wait, what? by Alex+Belits · · Score: 1

      This is not true, however even if it was the case, there still was no way to predict how the future compilers are going to be implemented and how the backdoor is supposed to work in all those implementations. The chain would be broken once a compiler will fail to recognize that it is supposed to modify the code that is a part of a compiler it is building.

      --
      Contrary to the popular belief, there indeed is no God.
    47. Re:Wait, what? by RockDoctor · · Score: 1

      The unstated sub-text is that the CIA / GCHQ etc are most pissed off about someone else approaching their level of penetration of other people's communications.

      --
      Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  2. New Legislation in the works by the+eric+conspiracy · · Score: 1

    CISPA for telephony.

  3. Re:"Don't ever invade China" by Anonymous Coward · · Score: 5, Funny

    Never fight a LAN war in Asia.

  4. Re:"Don't ever invade China" by Teresita · · Score: 1

    All Your Base Are Belong To Us!

  5. Australian govt bans huawei from national network by bug1 · · Score: 4, Interesting

    There was a story a few months ago about how Australia banned Huawei from involvement in a big project, they didn't say why.

    http://tech.slashdot.org/story/12/03/24/0424215/australian-govt-bans-huawei-from-national-network-bids

  6. The U.S. has like 99% listening coverage. by cpu6502 · · Score: 3, Insightful

    We even have the power to shutdown foreign companies like Megaupload w/o needing to prove they did anything wrong. But we're the "good" guys. So that makes it okay. After all we only killed 300,000 people this last decade, versus China who killed..... ummm..... wait there's something wrong with my theorem.

    --
    My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    1. Re:The U.S. has like 99% listening coverage. by Anonymous Coward · · Score: 3, Insightful

      China has killed tens of millions of their own people under communism in the last 60-70 years. Huh? You think China's the nice or good guys??? Sarcasm doesn't bode well here.

    2. Re:The U.S. has like 99% listening coverage. by WindBourne · · Score: 2

      Yes, things from 200-400 years ago, is certainly relevant to the conversation. And I hate to say this, esp. to another AC troll, but the slaves were captured by Africans, brought and instituted here by the europeans, and it was our war to say NO to it that costs us.

      OTOH, a civil war, is not the same thing as going after your citizens to make them support you 100% or die.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    3. Re:The U.S. has like 99% listening coverage. by fredprado · · Score: 2, Interesting

      The problem is, once the guy is extradited to anywhere else within US he can end in Minnesota or Texas, or whatever place they decide to send him in.

      US may not be as bad as North Korea, but it is every bit as bad as China these days. Both are countries where justice is unreachable for common people, and where dominant groups do basically whatever they want. China censors information, US floods it in an ocean of propaganda and disinformation. In the end all is the same.

    4. Re:The U.S. has like 99% listening coverage. by Anonymous Coward · · Score: 1

      But we're the "good" guys. So that makes it okay.

      Interesting question: How much of China's ability to compromise our telecom systems is based on leveraging the CALEA-mandated backdoors we built into it, naively believing that only the "good" guys would use it.

      If we'd built our communications systems to be secure, they'd have to actually do work to break them; depending on how good our mathematicians are, possibly intractable amounts of work. Instead, all our adversaries have to do is implant a mole (using the sorts of routine espionage techniques that have been around since before there were computers) and use the backdoors we built into the system.

      Moral of the story: If you pass a law that mandates all communications systems are to be insecure by design, you've given up any right to act surprised when it gets pwn3d.

    5. Re:The U.S. has like 99% listening coverage. by Sarten-X · · Score: 4, Informative

      China executes roughly 5000-8000 people each year for various crimes. The United States has been declining since 1999, and is currently somewhere around 40 per year. Accounting for (rather than ignoring) scale, China executes about 30 to 40 times as much of its own population as the United States. Of course, that's just one metric, but it's pretty illustrative.

      China is big, but it's not big enough to dilute its atrocities.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    6. Re:The U.S. has like 99% listening coverage. by WindBourne · · Score: 3, Informative

      No. The communist invasion and takeover of China did not last that long. In fact, it was over in 1949. From 1949 until about 1979, the Chinese were gutted by the communist party. In many ways, it was worse than stalinism. To this day, the Chinese communist party still runs with a constitution that says what rights the citizen has (which are VERY limited) and that all else, belongs to the state. More importantly, China runs roughshod over those rights unless it becomes an issue in the LOCAL papers or businesses.

      To try and compare this to slavery from over 250 years ago, or to a 4 year civil war, is ridiculous.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    7. Re:The U.S. has like 99% listening coverage. by cold+fjord · · Score: 1

      The problem is, once the guy is extradited to anywhere else within US he can end in Minnesota or Texas, or whatever place they decide to send him in.

      That is nonsense - absolute rubbish. American states are sovereign, each with their own laws and legal system. If you commit a crime under Minnesota law you can't and won't be handed over to Texas for trial for the crime in Minnesota. If the prosecution is for a federal crime, then the location doesn't matter - the law is the same.

      US may not be as bad as North Korea, but it is every bit as bad as China these days.

      And yet, for some odd reason, Chinese people keep moving to the United States.

      Both are countries where justice is unreachable for common people, and where dominant groups do basically whatever they want.

      At a trivial level that is trite. At a more profound level it is nonsense.

      China censors information, US floods it in an ocean of propaganda and disinformation. In the end all is the same

      So, the Chinese government jailing or oppressing people for expressing themselves on common topics, such as politics, is the same as Americans expressing themselves freely?

       

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    8. Re:The U.S. has like 99% listening coverage. by fredprado · · Score: 1

      There is federal law, and as soon as you are accused of anything in any state the federal government can make further accusations. It is remarkably easy to find something that you may have done that may be considered a federal crime. If you don't believe me I suggest that you watch this:

      http://www.youtube.com/watch?v=6wXkI4t7nuc

      US law is made to allow the government to manipulate it to its own ends and it can easily ruin innocent people's lives if it really wants to.

      Chinese people keep moving to US because US economy is still better. The same motive why Mexican people do the same. It has very little to do with politics or governments.

      So, the Chinese government jailing or oppressing people for expressing themselves on common topics, such as politics, is the same as Americans expressing themselves freely?

      US incarceration rate is the highest in the world. It far surpasses China's:

      http://en.wikipedia.org/wiki/United_States_incarceration_rate

      A little excerpt from the article above:

      "While Americans only represent about 5 percent of the world's population, nearly one-quarter of the entire world's inmates have been incarcerated in the United States in recent years"

      As I said, you have been fed propaganda and disinformation. Your country does basically the same things China does, but in more subtle ways.

    9. Re:The U.S. has like 99% listening coverage. by cold+fjord · · Score: 3, Insightful

      Well said. To which I will add this reference:

      The Black Book of Communism - translated by Jonathan Murphy and Mark Kramer - available at Barnes & Noble and Amazon.

      Review by Daniel J. Mahoney, American Enterprise, of: The Black Book of Communism

      The six contributors to this book are all French, and all hail from the Left. The book's original publication in France created a sensation, because its cumulative effect is to establish that Communism is the twentieth century's fiercest practitioner of state violence and "crimes against humanity." It forthrightly challenges the claim that Nazism has a monopoly on "absolute political evil" in our time.

      The chapters on the Soviet Union and China are as powerful as they are in large part because their authors, Nicolas Werth and Jean-Louis Margolin, avoid excessive polemics and allow the evidence to simply speak for itself. If anything, Werth is excessively conservative in his estimates, drawing almost exclusively from not always reliable "official" party and state archival materials to verify politically-inspired deaths and incarcerations in the Soviet Union. Despite the limits of this method, Werth concludes that the Bolshevik regime was responsible, directly or indirectly, for the deaths of 20 million people between 1918 and 1956, and for the imprisonment in camps of millions more. He demolishes the notion of a good Lenin and a bad Stalin by showing that terror defined the Soviet regime from its inception. And he concludes that there is no basis for the claim that the terror of the 1930s was driven by overzealous Party and police officials acting independently of orders.

      Likewise, Margolin's chapter on China shows that the crimes of Maoism are rooted in ideological hubris and a denial of the humanity of political or class "enemies." Margolin demonstrates that Mao committed crimes unprecedented in Chinese history, and damaged the nation in everything from economics to ethics. The devastating consequences of Mao's rule: 65 million lost lives. Perhaps the deepest reason The Black Book has sparked controversy is that it argues Communism is as intrinsically perverse as Nazism. Editor Stephane Courtois argues that Communist crimes, like Nazi ones, partake of the desire to eliminate groups of people on the basis of their origins, not because of any individual culpability or responsibility. He denies that Communism's crimes have any right to be excused or qualified because they were committed in the name of egalitarian principles. Courtois shows that Communism is an exterminationist ideology which selects its enemies on the basis of class. Aleksandr Solzhenitsyn suggested in The Gulag Archipelago that the USSR's war against the independent peasantry--the so-called "de-kulakization" campaign --was the first systematic effort to eliminate an entire class of people for ideological reasons. In this sense, Hitler was Lenin's and Stalin's faithful pupil.

      Why Doesn't Communism Have as Bad a Name as Nazism?

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    10. Re:The U.S. has like 99% listening coverage. by fredprado · · Score: 1

      A lot of them didn't do anything wrong, or at least nothing that would incarcerate them in other saner countries. If you watch the video I linked above you will see that there are around 10K federal laws alone they can use against you. Add that to state laws and you double that. You will be hard pressed to find a single person that is innocent of all of them, especially if there is interest to make it stick to you.

    11. Re:The U.S. has like 99% listening coverage. by cpu6502 · · Score: 1

      >>>>China has killed tens of millions of their own people under communism in the last 60-70 years. Huh? You think China's the nice or good guys???

      I very clearly said IN THE LAST DECADE. The American Empire has killed 300,000 innocent men, women, and children through its wars of aggression (and about 50,000 actual soldiers/combatants). The Chinese government has not killed anywhere near that number since 2002. As of the last ten years China is actually "nicer" than the hostile U.S.

      --
      My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    12. Re:The U.S. has like 99% listening coverage. by WindBourne · · Score: 1

      Communism SHOULD NOT have a bad name.
      The fact is, that other than Israel's little communes, and perhaps some hippy packs, Communism has never occurred.

      What SHOULD have a bad name is the totalitarianism as practiced by USSR and what is STILL practiced by China.
      Even now, ppl like to claim that China is capitalist. Nothing could be further from the truth. Unless you are involved in exporting, then Chinese gov. still controls the economy. For example, they control the bulk of the coal mines (though it is via a 'corporation'). The laws say what is the MAX pay for gov. owned corps, while there is a MINIMUM wage for foreign partial owned, and the minimum is > the max.

      China is nothing but a totalitarian nation who is in a cold war with the west. Sadly, the American leaders, esp. the neo-cons, have done more to help Chinese leaders than they have for Chinese ppl.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    13. Re:The U.S. has like 99% listening coverage. by WindBourne · · Score: 1

      I hate to point this out, but we have all of those rights. There are free lawyers for criminal issues.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    14. Re:The U.S. has like 99% listening coverage. by poity · · Score: 1

      Both are countries where justice is unreachable for common people, and where dominant groups do basically whatever they want.

      I can tell you've never spoken with Chinese people.

      --
      your thin skin doesn't make me a troll
    15. Re:The U.S. has like 99% listening coverage. by Zontar+The+Mindless · · Score: 1

      No. The communist invasion and takeover of China did not last that long. In fact, it was over in 1949.

      Which says absolutely nothing about how long it lasted, does it?

      The Chinese Civil War lasted for nearly 25 years, having begun in 1927.

      What else do you not know about history?

      --
      Il n'y a pas de Planet B.
    16. Re:The U.S. has like 99% listening coverage. by couchslug · · Score: 1

      >>>>>>>> China is no longer Maoist.

      China is assertive as befits any large, developed country. ALL countries have a duty to spy on all potential competitors and opponents.

      Note that:

      The US, for ZERO benefit to its own citizens, spends trillions of dollars on military forces in Asia which exist for the sole purpose of coercing China to do what American politicians want of it. We go into debt to "defend" Asian countries who are rich and could more than defend themselves, all in return for....nothing except looting our taxpayers.

      There are no "good" or "nice" guys.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    17. Re:The U.S. has like 99% listening coverage. by fredprado · · Score: 1

      I did, but I can tell you haven't.

  7. Re:What the report did not say... by gtall · · Score: 1

    Why would you say this?

  8. Can You See The FNORDs? by Crypto+Gnome · · Score: 1

    So some random guy who used to work in Place With A BIG Name mouths off about "phaer teh commies".

    And then proceeds to cite absolutely ZERO evidence to back up his claims.

    In most circles this would be considered libel of the worst kind (libel because it was written, slander is the same thing when applied orally), he deserves to be sued out of existence.

    NOT that I have any reason to disagree with the core of his argument "Don't trust them, they're backed by the government of someone we used to hate vehemently". But only because I mostly agree with the primary tenet of The X-Files (ie Trust No-One. at least not where the issue of trust *really really* matters).

    --
    Visit CryptoGnome in his home.
  9. Re:"Don't ever invade China" by Cute+Fuzzy+Bunny · · Score: 1

    The 1.5B screaming Chinese charging at the lines will be a bit effective as well.

  10. FUD ? by Kohath · · Score: 2

    There's something of a cottage industry in spreading FUD about Huawei and ZTE. Why should anyone believe this stuff? (Or, for that matter, why should we believe much of anything in the news or on web sites?)

    1. Re:FUD ? by hjf · · Score: 5, Informative

      So you buy Cisco and are subject to US backdoors.

    2. Re:FUD ? by mysidia · · Score: 1

      I'm not sure it matters whether we believe it or not. Cisco stuff is manufactured in China. Can you prove that every single component is manufactured to American specs, with no 'spurious unknown compromising parts' or hardware microcode patches burned in 'by accident' ?

    3. Re:FUD ? by dbIII · · Score: 1

      And abuses of the legal system. The company that Cisco is today are utter bastards that fit well with the "might makes right" mentality of China.
      I'd trust even the more bribable dark corners of US intelligence more than Cisco any day.

  11. Re:Australian govt bans huawei from national netwo by Crypto+Gnome · · Score: 5, Interesting

    Actually they DID say why: specifically it boiled down to "because we cannot be *absolutely certain* that the Chinese Government does not have such a close relationship with Huawei that deploying their equipment would not (ever) compromise our national security".

    Seems to me that someone in The Australian Government has learned a few important life lessons from The X-Files. (ie trust No-One).

    Either that (a) or (b) they're just playing The Obvious "Devil You Know / Devil You Don't" card; and/or decisions were influenced by vendor-$ and Huawei could-not/would-not/weren't-given-a-chance-to cough up enough.

    Personally Option (b) sounds more typical of government.

    I for one will be eternally surprised to see any government making a well researched, informed, well reasoned decision - they're almost always a pack of retarded monkeys interested in looking after themselves and their friends.

    Go On Mr Government - PROVE ME WRONG - I Dares Ya!

    --
    Visit CryptoGnome in his home.
  12. Re:"Don't ever invade China" by ChunderDownunder · · Score: 1

    Do LAN even fly to Asia?

    I know they fly all over South America, to Europe and AUS/NZ...

  13. Re:espionage? by tomhath · · Score: 2

    Last I checked the NSA wasn't bidding on contracts to build telecommunication infrastructure. Of course they might have shell companies that do, kind of like China has Huawei and ZTE.

  14. And what about Israel? by quantic_oscillation7 · · Score: 1

    How Israeli Backdoor Technology Penetrated the U.S. Government's Telecom System and Compromised National Security
    An Israeli Trojan Horse

    http://www.counterpunch.org/2008/09/27/an-israeli-trojan-horse/

  15. almost as much as the US.... by mschaffer · · Score: 1

    ... or does the US just use the front door?

  16. Common Knowledge for Years! by GiantRobotMonster · · Score: 3, Insightful

    I'm surprised at all the surprise?!
    I thought it was pretty common knowledge that Huawei and ZTE were run and funded by the Chinese Military.
    They have been using their financial muscle to undercut and bribe their equipment into as many countries' telecoms infrastructure as they possibly can for over five years now.

    1. Re:Common Knowledge for Years! by Kohath · · Score: 1

      That settles it then. "Common knowledge" is always right. Especially when there's an exclamation point !

    2. Re:Common Knowledge for Years! by marcosdumay · · Score: 2

      The day is coming...

      What day? The day the Chinese army will be so busy fighting their own people that they'll have to stop spying overseas? Because that's the war they are currently fighting.

    3. Re:Common Knowledge for Years! by dbIII · · Score: 4, Informative

      I thought it was pretty common knowledge that Huawei and ZTE were run and funded by the Chinese Military.

      Hopefully it will soon be common knowledge that a lot of industries in China are run and funded by the Chinese Military so this connection really means nothing in isolation. They are probably about as big and diversified in their holdings as Coca-Cola these days if not bigger, and 99% of the time they are in it for the money. Those children's toys made by a company owned by the Chinese Military are not there so they can spy on our kids, they are there to help pay for a new aircraft carrier. The separation of state and private companies that we are used to seeing in democracies is instead a tangled web in China, with odd gaps such as entire huge open cut coal mines with thousands of miners that the government has zero involvement with (to the point where they are not even on a map, let alone taxed).

    4. Re:Common Knowledge for Years! by cold+fjord · · Score: 1
      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    5. Re:Common Knowledge for Years! by Zontar+The+Mindless · · Score: 1

      They think, plan, prepare, etc. and do everything with long term goals.

      How'd that work out for the Cultural Revolution?

      It produced a generation of Chinese who've lost touch with much of their cultural heritage and who don't really believe in much of anything other than looking out for themselves and to blazes with anyone else, so I'd say it was largely a success.

      --
      Il n'y a pas de Planet B.
  17. Re:at least they dont have control over my server! by Farmer+Tim · · Score: 2

    Yes, yours is server of highest security, without so-named rear entrance contained within network controller cards. Please continue use with utmost faith in separation between the wise and glorious Communist party and our approved manufacturers.

    Yours sincerely,
    Ministry of State Security, PRC.

    --
    Blank until /. makes another boneheaded UI decision.
  18. Re:"Don't ever invade China" by sconeu · · Score: 1

    That's INCONCEIVABLE!!!

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  19. Oh no, the yellow peril is upon us! by Jeremy+Erwin · · Score: 3, Interesting

    The second link is to "World Net Daily", a site that has about as much credibility as the John Birch Society.

    1. Re:Oh no, the yellow peril is upon us! by cold+fjord · · Score: 1

      The second link is to "World Net Daily", a site that has about as much credibility as the John Birch Society.

      Allow me -

      Chinese step up computer espionage against United States
      The Evolution of Espionage: Beijing’s Red Spider Web
      Chinese telecom firm tied to spy ministry

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
  20. It is a LIE by WindBourne · · Score: 2, Insightful

    There are all sorts of ppl that are on this site, and others, saying to look the other way. The Chinese would NEVER spy on the west, or put in backdoors to use for an offensive attack. I mean, these ppl all know that the communist China are the good guys. Likewise, that bunch of Chinese naval ships caught 50 miles off the Philippines coast is a non-issue as well. The fact that they were close to a number of telecom trunks has no bearing on anything.

    So, relax. China will not try what they did to India. And the communists are heading towards being capitalists so there is no chance that they are working to kill off the west.

    --
    I prefer the "u" in honour as it seems to be missing these days.
    1. Re:It is a LIE by dbIII · · Score: 1

      And the communists are heading towards being capitalists

      They already are quite extreme capitalists without many of the checks and balances on capitalism in the west, but that doesn't stop them from wanting to dominate the west in every way they can.
      BTW, what do you mean by "China will not try what they did to India"? Do you mean the hacking of the computers owned by the group supporting the Dalai Lama in India or something a lot bigger I've missed or forgotten about?

      To most of the world, China are not the good guys but since they are the ones propping up economies built on exporting raw materials there are plenty of countries lining up to kiss Chinese backside and say they are the good guys. Australia for one is China's bitch, the right in politics (eg. the mining companies that bankroll the right) far more than the left (which many in the USA would consider raw communism even if it's still a million miles from it).
      As for the espionage angle, the incident where a lot of Los Alamos nuclear weapons research ended up in China was less than ten years ago wasn't it? How do people forget that so quickly? We can be sure that everything someone like Bradley Manning could get would have been in the hands of China long ago. With so many people with so much access anyone who cared enough to put up a small bribe would have better access than some intelligence staff.

    2. Re:It is a LIE by WindBourne · · Score: 3, Insightful

      China would be propping up economies only IF it were buying other goods from other nations. Instead, it cheats by fixing their money to western money, subsidizing and dumping on foreign markets thereby destroying western economies, and then blocking everything except for nations that they want to woo, or have raw resources.

      China's actions are a big part of why we are having a meltdown in the global economy 5 years ago and now again.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    3. Re:It is a LIE by dbIII · · Score: 1

      The money doesn't flow evenly so some places do well even though on average everyone is screwed over. So to some with things to gain they are the "good guys", just like Japan was to some in Australia right up until Pearl Harbour and Singapore.
      We really can't blame China for the silly Goldman Sachs games that they were not dumb, shortsighted and greedy enough to take part in. They could see the financial meltdown coming just like every finance column in every newspaper outside the USA was predicting, and they took advantage of it, but I don't think they did anything to cause it. There's a lot of things wrong with China but that's not one of them, and everyone who can has played the currency game right back to Roman times if not before.
      The fragility of the US economy created by such things as moving a lot of manufacturing offshore is the fault of IMHO an insane management fad and should be blamed on poor management alone and not Mexico, China, Thailand etc.

    4. Re:It is a LIE by WindBourne · · Score: 1

      Yes, yes, yes. I know. You live in Europe and we are oppressing you. I am so sorry to hear it.

      --
      I prefer the "u" in honour as it seems to be missing these days.
  21. Re:"Don't ever invade China" by WindBourne · · Score: 1

    Actually, it is far more likely for China to launch an attack. In addition, their wonderful Chinese great network wall is designed for TWO ways. IOW, it will also serve to protect their own infrastructure. Sadly, the west is going to allow it because the GD neo-cons want cheap goods as well as more money from Chinese gov. in their slimy pockets.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  22. Re:Australian govt bans huawei from national netwo by WindBourne · · Score: 1

    Or they knew the situation.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  23. Now imagine if the US had this by future+assassin · · Score: 1

    they'd be extraditing people for breaking US laws in their own countries left and right.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
  24. Re:espionage? by WindBourne · · Score: 2

    Sigh. How much global telecom info does NSA look at?

    Personally, I would be more upset about the ability of China to shut down our infrastructure just prior to an attack, than their ability to listen. Listening is about 'Trust, but Verify'. Shutting down infrastructure is what you do to your enemies that are stupid enough to trust your word (esp. when you have been breaking it all along).

    --
    I prefer the "u" in honour as it seems to be missing these days.
  25. Re:What the report did not say... by WindBourne · · Score: 1

    And you can confirm this how? My guess is that you are making a BIG assumption that you should not.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  26. So? by fullback · · Score: 1, Troll

    And the US has used Echelon for industrial espionage against even its "allies" for 30 years.

    U.S. government agencies pass wiretapped and intercepted information to American companies all the time. Trade secrets of non-U.S. energy companies have been passed to American companies, cell phone technology, labor negotiation strategies of non-U.S. companies with factories in the U.S. and intellectual property has been stolen and transferred for decades.

    1. Re:So? by dbIII · · Score: 2

      The allies got thrown a crumb of intelligence every now and again (apparently) and were to an extent complicit. The amusing thing is the existence of Echelon was confirmed by an idiot in Australian politics that complained it didn't give him forewarning of events in nearby PNG despite complete coverage of the telecommunications systems in that country. PNG had the system forced on them as part of an aid deal, so were not complicit, but their government knew it was there and avoided discussing issues of international interest on the telephone.

  27. I may be oversimplifying but... by 1karmik1 · · Score: 1

    I don't understand how can this subject be brought up without talking about CALEA-compliant hardware?

    The compliance to this wiretapping law may be usually implemented at a much-higher and easier-to-circumvent level but in spirit it very much achieves the same.

    All Network hardware *is* backdoored, regardless of the manufacturer's country and that's a FACT. The only thing we can do is improve awareness of this so we system engineers, developers, system integrators can design, code and implement around that, as much as humanly possible.

    The related news about cellphones as trackers helps drawing the bigger picture just as well.

    My 2c.

    --
    Violence is the last refuge of the incompetent.
  28. Re:"Don't ever invade China" by jamstar7 · · Score: 1

    Corollary: Nobody ever won a LAN war in Asia without controlling the opium trade.

    Reach me over my heroin, please. The Kardashians are coming on...

    --
    Understanding the scope of the problem is the first step on the path to true panic.
  29. Re:Australian govt bans huawei from national netwo by jamstar7 · · Score: 1

    Or they didn't get a big enough bribe.

    Er. excuse me. 'Campaign contribution'. Yeah, that's the ticket...

    --
    Understanding the scope of the problem is the first step on the path to true panic.
  30. Re:paid for publicity by jamstar7 · · Score: 1

    You are going to have to work hard to convince me this is anything more than an article paid for by a lobbying firm working for a US company trying to win a supply contract.

    Most likely. But the question is begged, where does this unnamed American company buy its gear? Highly unlikely they make their own in the US...

    --
    Understanding the scope of the problem is the first step on the path to true panic.
  31. Re:He's right. by jcr · · Score: 1, Troll

    Yeah, it's so evil the way they sell us stuff we want for far better prices than anyone else would charge. The nerve of some people.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  32. Credibility by manu0601 · · Score: 1

    On one hand, this is credible. China has shown an extraordinary appetite for industrial espionage. On the other hand, the story seems to come from the same source that discredited itself lying about the existence of weapons of mass destruction in order to justify Iraq invasion.

  33. Really? by InspectorGadget1964 · · Score: 1

    Coming from a "former" Pentagon analyst, can this information be trusted? Or has the same flavor as the weapons of mass destruction that Iraq had that triggered the invasion?

  34. Re:He's right. by cold+fjord · · Score: 2

    Penny wise, pound foolish.

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
  35. Nobody Seems To Notice and Nobody Seems To Care by Anonymous Coward · · Score: 1

    Nobody Seems To Notice and Nobody Seems To Care

    How many rootkits does the US[2] use officially or unofficially?

    How much of the free but proprietary software in the US spies on you?

    Which software would that be?

    Visit any of the top freeware sites in the US, count the number of thousands or millions of downloads of free but proprietary software, much of it works, again on a proprietary Operating System, with files stored or in transit.

    How many free but proprietary programs have you downloaded and scanned entire hard drives, flash drives, and other media? Do you realize you are giving these types of proprietary programs complete access to all of your computer's files on the basis of faith alone?

    If you are an atheist, the comparison is that you believe in code you cannot see to detect and contain malware on the basis of faith! So you do believe in something invisible to you, don't you?

    I'm now going to touch on a subject most anti-malware, commercial or free, developers will DELETE on most of their forums or mailing lists:

    APT malware infecting and remaining in BIOS, on PCI and AGP devices, in firmware, your router (many routers are forced to place backdoors in their firmware for their government) your NIC, and many other devices.

    Where are the commercial or free anti-malware organizations and individual's products which hash and compare in the cloud and scan for malware for these vectors? If you post on mailing lists or forums of most anti-malware organizations about this threat, one of the following actions will apply: your post will be deleted and/or moved to a hard to find or 'deleted/junk posts' forum section, someone or a team of individuals will mock you in various forms 'tin foil hat', 'conspiracy nut', and my favorite, 'where is the proof of these infections?' One only needs to search Google for these threats and they will open your malware world view to a much larger arena of malware on devices not scanned/supported by the scanners from these freeware sites. This point assumed you're using the proprietary Microsoft Windows OS. Now, let's move on to Linux.

    The rootkit scanners for Linux are few and poor. If you're lucky, you'll know how to use chkrootkit (but you can use strings and other tools for analysis) and show the strings of binaries on your installation, but the results are dependent on your capability of deciphering the output and performing further analysis with various tools or in an environment such as Remnux Linux. None of these free scanners scan the earlier mentioned areas of your PC, either! Nor do they detect many of the hundreds of trojans and rootkits easily available on popular websites and the dark/deep web.

    Compromised defenders of Linux will look down their nose at you (unless they are into reverse engineering malware/bad binaries, Google for this and Linux and begin a valuable education!) and respond with a similar tone, if they don't call you a noob or point to verifying/downloading packages in a signed repo/original/secure source or checking hashes, they will jump to conspiracy type labels, ignore you, lock and/or shuffle the thread, or otherwise lead you astray from learning how to examine bad binaries. The world of Linux is funny in this way, and I've been a part of it for many years. The majority of Linux users, like the Windows users, will go out of their way to lead you and say anything other than pointing you to information readily available on detailed binary file analysis.

    Don't let them get you down, the information is plenty and out there, some from some well known publishers of Linux/Unix books. Search, learn, and share the information on detecting and picking through bad binaries. But this still will not touch the void of the APT malware described above which will survive any wipe of r/w media. I'm convinced, on both *nix and Windows, these pieces of APT malware are government in origin. Maybe not from the US, but most of the 'curious' malware I've come across in poisoned binaries, were writte

    1. Re:Nobody Seems To Notice and Nobody Seems To Care by repvik · · Score: 1

      I've found your tinfoil hat.

    2. Re:Nobody Seems To Notice and Nobody Seems To Care by Maritz · · Score: 1

      So basically, any anomaly of any kind is evidence for your theory. Well, that's me won over. Thanks.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    3. Re:Nobody Seems To Notice and Nobody Seems To Care by Maritz · · Score: 1

      If your objective is to convince people to accept this, you shouldn't spam. It's a massive red flag that you're a nut. Just a tip for you.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  36. Too many secrets... by ckret · · Score: 1

    ... anyone?

  37. Re:He's right. by arth1 · · Score: 5, Insightful

    No, THEY have. We keep getting the stuff they make, and they get US dollars.

    They don't always get dollars - due to the trade imbalance, they get IOUs. Our debt to China increases every year, and China can't cash in on it, because that would crash our economy completely, and they would get even less.

    We're like an old exiled royal who lives on debt - nobody dares to call him out on being insolvent and having a snowball's chance in hell of ever getting to his former riches, because that would make the chits and IOUs people hold (much of it from when he was solvent) worthless. So everyone continues to lend him money to keep the pretence of solvency and prevent him from defaulting, yet will quietly sell off the debt to new players if given a chance.

  38. Re:espionage? by jvillain · · Score: 1

    No but if they can keep Cisco from becoming irrelevant they have done their part.

  39. Bollocks by 1u3hr · · Score: 4, Insightful

    The source article is on http://www.wnd.com/, which is a pretty wacky looking right wing "news" site. Its top stories currently are :

    Gun shop veto draws legal fight
    Traveler says no to U.S. internal checkpoints
    Blogger: Why don't blacks behave?
    Cross-bearing Texas teen arrives In D.C.
    Reviewer: It doesn't look like we're repenting
    Poll: Majority favor extending all Bush tax rates

    Detecting a trend?
    Anyway the article in question simply says that 1) Chinese companies make most of the telecom switching gear. 2) Therefore, China's military has backdoored it all and is spying on every byte anyone transmits.

    Of course, this is conceivable, but there isn't a shred of evidence. Spying on such a huge scale would require huge infrastructure and data transmission, basically duplicating the entire Internet. That might be detectable.

    1. Re:Bollocks by Mashiki · · Score: 1

      Detecting a trend?

      Note to self, use this post as a reference the next time that someone uses huffpo as a story basis on /. again.

      --
      Om, nomnomnom...
  40. Re:He's right. by pdabbadabba · · Score: 1, Insightful

    What, according to this theory, accounts for the fact that everyone in the world, including China, continue to buy newly issued U.S. debt at historically low interest rates?

  41. Re:Australian govt bans huawei from national netwo by WindBourne · · Score: 1

    Australia does not have the same issues as the USA. Here in the USA, our politicians are available to ANY foreign nation, as long as they pay in dollars. In all of the rest of the western nations, the politicians are at least somewhat loyal to their nation.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  42. Re:He's right. by cold+fjord · · Score: 5, Interesting

    Pervasive espionage.

    Chinese step up computer espionage against United States
    FBI estimates there are currently more than 3,000 corporations operating in the United States that have ties to the PRC and its government technology collection program.
    Chinese telecom firm tied to spy ministry

    The report by the CIA-based Open Source Center states that Huawei’s chairwoman, Sun Yafang, worked for the Ministry of State Security (MSS) Communications Department before joining the company.

    The report on Huawei’s board members states that Ms. Sun used her connections at MSS to help Huawei through “financial difficulties” when the company was founded in 1987.

    Based in part on Chinese media reports and Huawei’s website, the report reveals that the Beijing government paid Huawei $228.2 million for research and development during the past three years.

    I'm sure you can figure out why this might be important. . . well, maybe not.

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
  43. almost as many backdoors as the CIA..!?!? by johnrpenner · · Score: 1

    The CIA owns everyone of any significance in the major media. (Former CIA Director, William Colby)

    the Chinese can build backdoors into the chips, because they do the manufacturing, but this sort of spying activity is not so much different than the american government / snoops requiring installation of their IP sniffers at google and every major ISP.. :-\

    they are both a form of censorship / control of communication — however, whereas the Chinese govt tries to simply block dissenting traffic, the americans allow the traffic to flow, in order to allow it to lead them to the identity of whom they're after..

  44. Re:He's right. by cold+fjord · · Score: 1
    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
  45. Re:Australian govt bans huawei from national netwo by TheKidWho · · Score: 1

    Rivals? Hah, try exceeds by a significant margin. China as a whole is incredibly corrupt on a level beyond the western world.

  46. WND credibility by AliasMarlowe · · Score: 1

    This "former pentagon analyst" is a writer for WND, a rightwing web news site with all the credibility of the National Enquirer.

    Has WND told us the truth yet about the two-headed slime aliens anal-probing the kidnapped Elvis on the Moon (preferably with grainy photos)? Until then, WND has only a fraction of the credibility of the National Enquirer.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  47. National Enquirer website by AliasMarlowe · · Score: 1

    Have you looked at www.nationalenquirer.com recently? Can you give a more detailed reasoning on why anyone should take your statements seriously?

    "The content of this website is not available in your area."
    I definitely can't take the National Enquirer seriously. In fact, I can't take it at all!

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    1. Re:National Enquirer website by Galactic+Dominator · · Score: 1

      I would guess you live somewhere libel laws are quite strict. The kind of country who would rather have censorship than gossip.

      --
      brandelf -t FreeBSD /brain
    2. Re:National Enquirer website by AliasMarlowe · · Score: 1

      I would guess you live somewhere libel laws are quite strict. The kind of country who would rather have censorship than gossip.

      Not really. To be actionable in Finland, a libel or other form of defamation must be known to be false by the person making it in addition to being injurious to its target. Forget megabuck settlements also, as Finnish courts tend to award actual damages (without any wild-eyed interpretation of "actual") rather than exemplary or punitive amounts.

      It's far more likely that either (i) some of the content at www.nationalenquirer.com is licensed by its providers only for the US and maybe Canada and some other English-speaking countries, or (ii) Finland is just in a blanket exclusion due to incompetence by the web site developers.

      BTW, there are decent translations into English of the primary laws of Finland, but secondary laws (i.e. regulations set by government agencies), case law, and bills of parliament are only in Finnish and Swedish at FinLex. Regulations are sometimes translated by the relevant authority, and are often set quite sensibly - even reasonably - such as for private copying of all copyright materials published in Finland.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    3. Re:National Enquirer website by Teun · · Score: 1

      The same message on a Danish connection.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    4. Re:National Enquirer website by Zontar+The+Mindless · · Score: 1

      And on a Swedish one.

      --
      Il n'y a pas de Planet B.
    5. Re:National Enquirer website by koxkoxkox · · Score: 1

      And in China ...

    6. Re:National Enquirer website by Hognoxious · · Score: 1

      a libel or other form of defamation must be known to be false by the person making it in addition to being injurious to its target.

      So I can put up posters all over your home town accusing you of being a pediodiddlerist as long as I didn't access your police record to actually find out?

      Allowing ignorance as a defense is not a good idea; it creates a perverse incentive whereby anyone driving with their eyes shut has a get out of jail free card.

      Either your interpretation is wrong or Finns aren't as smart as I thought they were.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    7. Re:National Enquirer website by AliasMarlowe · · Score: 1

      Allowing ignorance as a defense is not a good idea; it creates a perverse incentive whereby anyone driving with their eyes shut has a get out of jail free card.

      Unless there is evidence to the contrary, it is assumed that one expresses an opinion only on subjects where one is sufficiently informed. In this case, ignorance is not assumed unless it is plausible to a judge or backed up by evidence. Willfully maintaining the semblance of ignorance in order to preserve deniability is tantamount to an admission of guilt. Your example shows why.

      Either your interpretation is wrong or Finns aren't as smart as I thought they were.

      Your interpretation is wrong, as it presumes that Finnish law follows the bizarre practices of US law. It does not.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  48. China panic! by AliasMarlowe · · Score: 1

    Now all we need is a "former sports analyst" to say that China has access to 80% of the world's athletes as they have implanted nano-technology in the clothing. :)

    Well, they're already supplying the uniforms of the US team...

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  49. This just in... by Anonymous Coward · · Score: 1

    The US government has backdoors into every telecom switch in the USA for CALEA wiretaps on the PSTN. This is not a secret.

  50. Tinfoil Hat by Drishmung · · Score: 1
    That settles it. I'm just going to have to move to the desert and wear a tinfoil hat to protect myself from the orbital mind control lasers.

    But, wait. What if the tinfoil was made in China? Or made from metal that was recycled in China? What if all the world's tinfoil contains secret Chinese backdoors to stop the proper functioning of tinfoil hats?

    /me whimpers in corner.

    --
    Protoplasm. Quiet Protoplasm. I like quiet protoplasm.
    1. Re:Tinfoil Hat by Mr+Z · · Score: 1

      Calm down. There is a way! What you need to do is buy at least three different varieties of aluminum foil: Reynolds, the store's in-house brand, and one other name brand (any name brand will do, so long as it is NOT the store brand and NOT Reynolds). IMPORTANT: Make sure you buy the regular thickness aluminum foil, not the heavy duty! For best results, make sure all rolls are at least 12" wide. (Standard Reynolds is about 12.5", which is perfect.)

      The goal is to trigger cross interference between the different coherent sources that may be affecting you through a single brand of foil. This is why you need three different brands: Like color filters, if you combine magenta and cyan, you get red; if you combine cyan and yellow, you get green; if you combine magenta and yellow you get blue. But, if you combine all three, you get black -- all light absorbed. Mind you, that's not exactly what we're doing here since mind control lasers don't work exactly like that, but it's a useful metaphor.

      The most effective method I know is to pull off strips of foil from each roll. Make each strip approximately 8" long, and then fold it in half 3 times, to make a strip approximately wide. You will need at least 8 such strips from each of the three rolls. IMPORTANT: Do not mix up the strips! Ordering is important!

      Now, weave the strips together into a mesh, alternating strips from each of the three rolls -- one strip of Reynolds, one strip of store brand, one strip of other brand. There should be 12 horizontal strips and 12 vertical strips in the mesh altogether.

      The resulting mesh will have overlap points for all possible combinations of the three mind control signals. This will fractalize the signals, causing them to decohere, rendering them effectively inoperative.

      Good luck, my friend. Be strong!

  51. Surprised? by Vladius · · Score: 1

    Lie cheat and most importantly steal. It's the Chinese motto. Of course they likely learned it from us. The irony is that they have probably become better at it than we ever were. It's sad that we maintain trade relations with such an openly dishonest country.

    1. Re:Surprised? by Bysshe · · Score: 1

      If you refused to do business with the bad guys, you would never do business.

      --
      Read what I mean, not what I wrote.
  52. Re:He's right. by arth1 · · Score: 3, Insightful

    What, according to this theory, accounts for the fact that everyone in the world, including China, continue to buy newly issued U.S. debt at historically low interest rates?

    It's already answered in the very post you reply to.
    But, in smaller spoonfuls, consider this:

    You lend $100,000 to John, an upstanding fellow. Then John loses his job and starts drinking. He then comes to you and says "I fear I'm going to default on my loans and have to file for bankruptcy unless someone can lend me $5,000 at low interest".
    You now have the choice of:
    (a) lending him the money and hope that either
        (a1) you get to sell the debt at a smaller loss before he goes bankrupt, or that
        (a2) John manages to get back in shape enough to pay his interest rates. ... or
    (b) refusing his plea, and watch him file for bankruptcy, making it
        (b1) a certainty that you'll lose the entire $100,000, and
        (b2) a distinct possibility that John gets so pissed that he carpet bombs your house.

    Your best bet may be to lend him the money and try to convince others that he's solvent.

    This isn't a new type of dilemma - it's happened quite a few times in history, often in the final time before bubbles burst.

  53. Re:He's right. by Zontar+The+Mindless · · Score: 1

    Borrow a few thousand dollars, and the bank owns you.

    Borrow a billion, and you own the bank.

    --
    Il n'y a pas de Planet B.
  54. So what? by Joey+Vegetables · · Score: 1

    The Chinese are not likely to waterboard me, or murder everyone in my neighborhood by an "accidental" drone attack, because of something I said on the Internet. The U.S. government very well might. I fear the U.S. government far more than the Chinese, and I would even if I were a Chinese citizen living in China. Not that the Chinese human rights record is great; it is somewhere between appalling and worse; but it still does not begin to compare with the U.S. government and its 200+ year long history of torturing, enslaving, and murdering innocent people both here and abroad. If by stealing its secrets the Chinese manage to prevent a war against the U.S. government - or to prevail, should they be unable to avoid it - the world, and even the U.S., will be much better off.

  55. This guy is right. by r00t · · Score: 4, Interesting

    Imagine a chip, made in China, that has a network connection (to China) and can DMA to/from your RAM.

    Oh, hey, you have one: your Ethernet chip. Shit. We're fucked.

    Also notice the chips in your wireless router, cable modem, cell phone, cell tower, USB stick, USB port, etc.

  56. you aren't thinking like a nation-state attacker by r00t · · Score: 1

    The moment any such 'bug' went active, it would set off alarms -- by necessity, the communications would have to occur over the provider's own network. Unless their network admins are idiots they should notice the aberrant traffic.

    No way. How exactly are you going to view that traffic? You can't usefully plug an Ethernet cable into your head. You'll need an Ethernet chip, made by GUESS WHO...

    Yep, the magic packets will NOT be reported to your OS. Either they get dropped, or they get sent directly (via DMA) to some other Chinese chip. Nothing will show up in Wireshark.
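
The comment above argues that traffic hidden by the NIC never reaches a capture taken on the host itself. One way to check for that, as an added example that is not part of the thread: compare per-flow totals from the host's capture with those from a passive tap between the host and its switch. The tap (assumed to be independently sourced and trusted), the CSV layout, and every address below are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data, one row per packet:
# src,sport,dst,dport,proto,bytes
# HOST_CAPTURE is what the OS on 192.0.2.5 recorded (e.g. a pcap export).
HOST_CAPTURE = """\
192.0.2.5,51514,198.51.100.20,443,tcp,1500
198.51.100.20,443,192.0.2.5,51514,tcp,1500
192.0.2.5,51514,198.51.100.20,443,tcp,400
192.0.2.5,40000,192.0.2.1,53,udp,80
192.0.2.1,53,192.0.2.5,40000,udp,120
"""

# TAP_CAPTURE is what a passive tap on the same cable recorded.
# Assumption: the tap is hardware you trust independently of the NIC under test.
TAP_CAPTURE = """\
192.0.2.5,51514,198.51.100.20,443,tcp,1500
198.51.100.20,443,192.0.2.5,51514,tcp,1500
192.0.2.5,51514,198.51.100.20,443,tcp,400
192.0.2.5,40000,192.0.2.1,53,udp,80
192.0.2.1,53,192.0.2.5,40000,udp,120
203.0.113.9,31337,192.0.2.5,9,udp,64
192.0.2.5,9,203.0.113.9,31337,udp,900
192.0.2.5,51514,198.51.100.20,443,tcp,1200
192.0.2.7,5000,192.0.2.1,53,udp,70
"""


def flow_key(src, sport, dst, dport, proto):
    """Direction-independent key so both halves of a conversation merge."""
    a, b = (src, int(sport)), (dst, int(dport))
    first, second = (a, b) if a <= b else (b, a)
    return (proto.lower(),) + first + second


def summarize(capture_text, monitored_ip):
    """Total packets and bytes per flow, keeping only the monitored host."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for row in csv.reader(io.StringIO(capture_text)):
        if len(row) != 6:
            continue  # skip blank or malformed rows
        src, sport, dst, dport, proto, size = (field.strip() for field in row)
        if monitored_ip not in (src, dst):
            continue  # the tap also sees neighbours; ignore them
        entry = flows[flow_key(src, sport, dst, dport, proto)]
        entry["packets"] += 1
        entry["bytes"] += int(size)
    return dict(flows)


def unreported_traffic(host_flows, tap_flows, byte_tolerance=0):
    """Return flows the wire carried but the host did not (fully) report.

    'invisible'  : flow exists on the tap, absent from the host capture.
    'undercount' : flow exists in both, tap saw more bytes than the host.
    byte_tolerance absorbs benign gaps (capture drops, offload effects,
    start/stop skew); tune it against a known-clean baseline.
    """
    findings = []
    for key, seen in sorted(tap_flows.items()):
        reported = host_flows.get(key)
        if reported is None:
            findings.append(("invisible", key, seen["bytes"]))
        elif seen["bytes"] - reported["bytes"] > byte_tolerance:
            findings.append(("undercount", key, seen["bytes"] - reported["bytes"]))
    return findings


if __name__ == "__main__":
    host = summarize(HOST_CAPTURE, "192.0.2.5")
    tap = summarize(TAP_CAPTURE, "192.0.2.5")
    for kind, key, nbytes in unreported_traffic(host, tap):
        print(f"{kind:10s} {key} {nbytes} bytes not reported by host")
```
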

  57. So what would the equivalent percentage be by walter_f · · Score: 1

    for the U.S. government including agencies like NSA, CIA, etc.?

  58. Re:"Don't ever invade China" by tqk · · Score: 1

    The 1.5B screaming Chinese charging at the lines will be a bit effective as well.

    That didn't work out all that well in Korea ca. sixty years ago, and weaponry has advanced quite a bit since then. That tactic is as obsolete now as those used in the US' War For Independence (static lines of infantrymen advancing on each other with single shot muskets and fixed bayonets).

    The Spartans at Thermopylae were a heck of a lot more clued in than all those involved in the above.

    --
    "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
  59. It should be noted by Casandro · · Score: 1

    that virtually all the found backdoors originated in the US. Virtually no Chinese back doors have been found yet.

  60. Re:He's right. by pdabbadabba · · Score: 1

    Well, remember that the interest rates are set at auction, and in the absence of any specific evidence to this effect I don't see how you can claim that we "demand" low interest rates.

    So the better analogy is this: I lend John $100,000. He loses his job and starts drinking, hits hard times and comes to me looking for a $5,000 loan. I offer him one at, say, 5% interest. At this point, John is good to go; nobody needs to step in to rescue John. But, nonetheless, you show up and offer to lend him the money at 2.5% interest. Why the hell would you do that if you didn't think John could repay? You wouldn't, of course.

    Compare this to a simpler explanation: while our deficit is very large, it is relatively easy for us to pay down if we make it a priority. There are a bunch of specific proposals floating around out there, any one of which would bring us back into the black. We could, for example, repeal Bush's tax cuts. Or, we could privatize social security. Or we could cut defense spending to something less than 16x anyone else's. Either one of those (among many others) would do the trick in pretty much one fell swoop. So the problem isn't that we are in so deep we can't get out -- very far from it. The problem is simply that our leaders can't agree on the right way to do it.

    Of course, that might be because many of us think that now isn't the time to prioritize paying down the debt at all. We should come up with a plan to do it, of course, but in the immediate term we should take advantage of the fact that we are able to borrow at much lower rates than most other countries and plow it all into infrastructure investment. That way when the global economy rebounds we're ready to lead for another 50 years (and, yes, pay down the debt) because we've been investing while everyone else has been in austerity mode. Unfortunately, the political climate today means we have to let this golden (and obvious) opportunity pass us by.

  61. Re:He's right. by pdabbadabba · · Score: 1

    Oh, and here's another fun fact: did you know that the U.S. currently gets away with paying negative interest on its short-term sovereign debt? If countries are paying us to take their money...why shouldn't we, exactly?