Slashdot Mirror


Huawei Offers 'Complete and Unrestricted' Source Code Access

An anonymous reader writes "The BBC reports that 'Huawei has offered to give Australia unrestricted access to its software source code and equipment, as it looks to ease fears that it is a security threat. Questions have been raised about the Chinese telecom firm's ties to the military, something it has denied. Australia has previously blocked Huawei's plans to bid for work on its national broadband network. Huawei said it needed to dispel myths and misinformation.' But is this sufficient? Will they be able to obscure any backdoors written into their equipment?"

255 comments

  1. Source by bjb_admin · · Score: 5, Interesting

    Does the Australian Govt have anyone that can actually properly security audit this? I am sure they are not going to want to spend the money to hire someone who can. Also, who is to say the binary blob firmware doesn't have a back door. It's not like the Australians are going to compile it and install it themselves.

    1. Re:Source by Lehk228 · · Score: 5, Informative

      not even the firmware, there could trivially be an on-chip backdoor,

      --
      Snowden and Manning are heroes.
    2. Re:Source by Anonymous Coward · · Score: 2, Insightful

      Even if they did have someone capable, if you've ever read any submissions to the Underhanded C Contest, you'll know how difficult it is to detect hidden back doors even when scrutinizing code.

    3. Re:Source by Max+Littlemore · · Score: 2

      This is my concern. Why is the Federal Government singling out Huawei and not subjecting everyone to this scrutiny?

      I have a simple idea. Why not make it a condition of purchase that all software/firmware/hardware design be fully and publicly disclosed by all potential vendors and crowd source the security checks? (Hey I know it will never happen but I'm allowed to have my Utopian dream on a Thursday morning)

      --
      I don't therefore I'm not.
    4. Re:Source by ThatsMyNick · · Score: 1

      Can't they simply release their chip designs too?

    5. Re:Source by Anonymous Coward · · Score: 2

      We don't need to compile it ourselves, we have trained kangaroos and drop bears for this purpose.

    6. Re:Source by Anonymous Coward · · Score: 0

      Yes, but nothing stops them from removing it from the design.

    7. Re:Source by AK+Marc · · Score: 5, Insightful

      Yes, though there's no evidence of any improper activities from any Huawei gear, and they are already a step ahead of US voting machines.

      In the US, voting machines pick the next president. With secret closed-source code in an industry with proven fraud and from companies with proven previous errors.

      In Australia, they have the source code for routers running a residential broadband network, and that's not good enough.

      Why does something seem wrong with that?

    8. Re:Source by tibit · · Score: 1

      I'd have thought that the entire goal was to compile and install it, otherwise the source code is kinda pointless.

      --
      A successful API design takes a mixture of software design and pedagogy.
    9. Re:Source by anomaly256 · · Score: 2

      Plus it would mean we could just fabricate new asics from their designs and not pay them, something they probably (and rightfully) don't want

    10. Re:Source by tibit · · Score: 3, Insightful

      Yup, even when you a-priori know in which couple hundred lines to look. In a large application, like you'd find in a router, it's demonstrably impossible of a task unless they use something safer than C -- and even then it'd take a formal method approach.

      --
      A successful API design takes a mixture of software design and pedagogy.
    11. Re:Source by RedPhoenix · · Score: 4, Informative

      Yes; some very good people who evaluate products for use within the Oz government and Defence:
      http://www.dsd.gov.au/infosec/epl/index.php

      However, the process is usually long, often expensive, and generally targets a particular software/hardware combination; bump your version number, and there's potentially a fairly significant re-evaluation required.

      Huawei could take advantage of this program now, but would either need to front up some dough, or have a sponsor to guide them through it.

    12. Re:Source by socceroos · · Score: 5, Informative

      The DSD (Defence Signals Directorate) are the ones in Australia who would vet this equipment - they already do it for all equipment used by ASIO, ASIS and other secretive organisations here. The other thing to remember is that it was the DSD that told the Government not to trust Huawei's hardware. Now they get to have a good look at the code without the need to reverse engineer.

    13. Re:Source by Charliemopps · · Score: 3, Insightful

      You're not understanding where the government's coming from. They want someone, other than themselves, to have legal liability if there is a breach. Since all contracts, agreements, and laws are subject to the whim of the Chinese government, they could just tell Huawei to put code on their hardware and they'd have to do it. Whereas, in Australia, or the United States, there are constitutions that supersede the federal governments. The feds can come in and demand that Cisco put a backdoor on their hardware, and Cisco could turn around and cite existing law to say "No, we won't do that, it's illegal." Now, in reality, does it actually work like that? No... Cisco bends over backwards for the feds out of greed because they want them to do things like we're seeing here. But from the federal government's perspective, Cisco is doing their bidding and are therefore "Good guys"... Huawei on the other hand are at the very best an unknown. Politicians rarely see beyond their own term... and while violating our constitutional rights to ensure our safety seems worthwhile at the time... it's what the guy that gets elected after they're gone does with these entrenched systems that brings ruin.

    14. Re:Source by Anonymous Coward · · Score: 4, Informative

      Because the rest of those companies weren't founded and run by ex-Chinese military and long-time Chinese Communist Party members?

    15. Re:Source by mrmeval · · Score: 0, Flamebait

      It does not matter one whit if they're releasing everything including the ASIC code, masks, etc.

      Don't let foreign assholes make your critical infrastructure. Period. Don't ship anything out of country. Don't rely on the companies in your country not to be idiots. If it is going into critical infrastructure you'd best have control of it.

      Yea, it will put a screeching halt to the wonderful progress we've had and that is unfortunate but China and others seem to want to slit our throats so we should slit their profits.

      --
      I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
    16. Re:Source by Anonymous Coward · · Score: 0

      Quite simply because Huawei (and ZTE) is VERY closely tied to a government and military that has proven itself to be at best antagonistic to others, and at worst, hostile.

      Put it this way, you needed a gun and a person that was offering you said gun was employed with the very same group that has been beating on your door every night.. just how fast would you say "sure, I'll take it".. you would be opening it up left and right, inspecting it, bringing in experts if you could to make sure that its a safe gun.

      At least with others, there is no direct government tie.. (not that it really means much). But would YOU put your money and security and your very life in their hands?

    17. Re:Source by aliquis · · Score: 1

      Just buy Ericsson gear instead (or even Nokia-Siemens), I won't mind. :D

    18. Re:Source by Abreu · · Score: 1

      Not sure if xenophobia is real,
      [FuturamaFry.jpg]
      or just clever parody

      --
      No sig for the moment.
    19. Re:Source by Anonymous Coward · · Score: 0, Flamebait

      But they're Chinese... in Chinese culture, imitation is the greatest flattery
      They should be HAPPY and PROUD that we would fabricate new asics from their designs without paying them...

    20. Re:Source by hawguy · · Score: 1

      It does not matter one whit if they're releasing everything including the ASIC code, masks, etc.

      Don't let foreign assholes make your critical infrastructure. Period. Don't ship anything out of country. Don't rely on the companies in your country not to be idiots. If it is going into critical infrastructure you'd best have control of it.

      Yea, it will put a screeching halt to the wonderful progress we've had and that is unfortunate but China and others seem to want to slit our throats so we should slit their profits.

      Isn't that kind of like saying "Don't trust asshole doctors to treat your complicated medical condition. If you can't treat it yourself, just slit your throat now. Yea, it will kill you right now, and that is unfortunate, but at least the doctors won't profit from it".

    21. Re:Source by Lehk228 · · Score: 1

      of course they would, and they would release the version without the backdoor module and ship some with one enabled. unless they are going to stick every single board into an xray before installing it

      --
      Snowden and Manning are heroes.
    22. Re:Source by Anonymous Coward · · Score: 0

      DSD pay way below market rates... as such they fail to attract the best of the best and instead attract people willing to be paid 1/3 to 1/4 of what they would be paid elsewhere.

    23. Re:Source by Anonymous Coward · · Score: 1

      " there are constitutions that supersede the federal governments"

      I nearly lost it reading that. A piece of paper (like signs) enforces nothing; people do. Those with the means to inflict harm on others are the ones who can enforce positive rules like laws. This means that only the government can positively (I stress positive enforcement here only) enforce law upon itself. A man is not going to enforce a rule upon himself on the insistence of some scribblings. So, constitutions are entirely ineffectual means to restrict the arbitrary whims of government.

      The true limiting mechanism is the scope of power over those a government rules. Small new governments can't do too much, but huge governments like the current USG have near limitless resources at their disposal. Why does it not pull a 1984 and go full North Korea on us? Because that is a poor tax farm management method. It destroys productivity. Politicians only take enough that they don't rock the boat for their fellow immediate rulers. This slows the process as multiple temporary farmers are all checking each other's recklessness. Also, those that are ruled can threaten overly abusive rulers but that is a more nuanced issue so I won't go into it.

      So what does this rambling mean? It means that governments like ours can absolutely pressure businesses to do such things. Hell, it's prevalent. Entire industries are dependent upon privilege and punishment for their existence. Even if a company pulls out the constitution card against some nonsense the government 'suggests', the repercussions of not playing along can devastate a business. It is frustratingly naive to think businesses can shield themselves from the might of the USG all because of a dusty bit of parchment.

    24. Re:Source by Anonymous Coward · · Score: 0

      Close. It's more like saying "don't trust asshole pharmacies not to poison you, even though they promise to release the ingredients for their binder capsule." Health care techniques are no secret, however, drug components often are trade secrets, and hard to verify.

      But yeah, no country should trust any part of their critical infrastructure -- be it food, health care, or secure communications electronics -- to a hostile foreign power. China routinely announces how it has a hostile relationship with America, in its propaganda newspapers, and its best friends are North Korea, and Pakistan. China is bent on world domination, and it is becoming more and more evil as it grows in power.

      Thanks, Nixon. You strengthened China, at the expense of the Soviet Union AND the United States. That was your biggest mistake. We should cut all ties to China, and bring manufacturing back to the USA.

    25. Re:Source by overbaud · · Score: 5, Insightful

      The way this works is: 1. Cisco lobby US gov. 2. US gov put pressure on Aus gov. 3. Aus gov create FUD about cisco rival. 4. Aus gov buy cisco. 5. Profit - cisco and US senators.

      --
      Users... the only thing keeping 1st level support from being the bottom feeders.
    26. Re:Source by AlphaWolf_HK · · Score: 1

      I don't think huawei would deliberately do that, what I do think though is that they are horribly insecure due to cheap engineering. They can release the source code all they want, but it might take years for anybody to make sure it's clean. Not only that, but it often turns out that they use cheap components as well that die fast. The company I worked for found a lot of parts coming out of china that were missing the substrate in their ICs.

      --
      Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
    27. Re:Source by tqk · · Score: 1

      Politicians rarely see beyond their own term...

      Politicians vetting networking equipment manufacturers has to be the silliest joke ever conceived by a human. The US Congress accusing Huawei of incompetence or underhanded conduct is Chutzpah, to the Nth degree!

      wrt54g FTW. We freetards will be happy to audit the code, for free.

      Is it just me, or is the world getting stupider by the minute? Don't bother to answer. I need to go bang my head against a wall now.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    28. Re:Source by Penurious+Penguin · · Score: 1

      I'm afraid Australia is China's back-door; i.e., resources.

      --
      Forward! -- Emperor Norton, 2012
    29. Re:Source by rtb61 · · Score: 1

      It can be embedded in other components like capacitors, diodes, resistors etc. etc. etc. Anything that carries an electrical current and can receive a signal can have a digital circuit embedded in it, to do something as simple as be an off switch or far more complex activity. Really the truth is no country can be said to be independent unless it manufactures its own essential electronic infrastructure, regardless of cost. A single capacitor set to shut down at the receipt of a certain digital signal can readily shut down a whole power station, replace that board with the naughty capacitor of the same brand and you are still off line.

      --
      Chaos - everything, everywhere, everywhen
    30. Re:Source by Hadlock · · Score: 1

      No, because the doctor you'd be referencing in this case would be an epidemiologist. National security != personal security

      --
      moox. for a new generation.
    31. Re:Source by Anonymous Coward · · Score: 1

      Don't forget that in this election, Romney's son Tagg owns the company that makes the voting machines in Ohio, Hart Intercivic.

      I'm expecting all Hart Intercivic voting machines in Ohio will have a record amount of error that is unanimously in favor of Mitt Romney as a result.

      Sadly nobody is making a stink about this or doing anything about it.

    32. Re:Source by Anonymous Coward · · Score: 0

      The Australian Government would need to see the full chip HW/SW this would take years and $$, or they can forget it mate, (it's chinatown)??

    33. Re:Source by Anonymous Coward · · Score: 0

      It's more akin to letting your "little head" do the thinking instead of the head that has a brain...
      Nope, doctor analogy fails hard here :( sucks to be you.

      Where you got "doctors from the same country" from a situation involving foreign corporations building critical infrastructure for their competition I'll never know.

    34. Re:Source by Anonymous Coward · · Score: 0

      or, the Congressmen know because they've funded the US to do the same thing, and get reports on the progress.

    35. Re:Source by pt73 · · Score: 1

      In Australia, they have the source code for routers running a residential broadband network, and that's not good enough. Why does something seem wrong with that?

      I think you fail to understand the nature of this "residential broadband network". It is to replace the copper telephone network and it will be a monopoly. The government has paid for the copper network to be shut down. The only alternative would be mobile networks, which probably already contain Huawei gear and don't cope very well in times of stress.

      So it does actually come down to a national security issue.

    36. Re:Source by Luckyo · · Score: 1

      Audit the code all you want. A smart company will insert a backdoor into the chip, and you'll be none the wiser.

    37. Re:Source by TheGratefulNet · · Score: 1

      yeah, there's a zero percent chance they give you the real images (chips, software, etc).

      there is no trust here and there can't ever be.

      and this is TOO COMPLEX a problem to verify.

      it's a loss.

      sorry, but china, you don't get our trust. you have not earned it and it will take a LONG time to earn ours to this degree.

      just give it up, ok?

      some things are better left to local companies. foreign ones are great for making cheap crap that life does not depend on, but when it's critical stuff, sorry, but NO chinese stuff is going to be trusted by anyone with a brain and experience.

      --
      "It is now safe to switch off your computer."
    38. Re:Source by TheGratefulNet · · Score: 1

      really good point! hiding 'phantom processing' inside passives or collections of passives. wow, that's pretty wild stuff.

      fully believable, too.

      another reason not to trust the offshore chips with anything life-critical.

      --
      "It is now safe to switch off your computer."
    39. Re:Source by jhol13 · · Score: 1

      Not "trivially".

      Making an on-chip backdoor is an extremely huge risk. If found, it would open up liability and criminal charges, plus completely ruin all sales - as it cannot be removed without new HW.

    40. Re:Source by Anonymous Coward · · Score: 0

      Ah, the solution is clear. We need to insert backdoors into our iron ore and coal, so we can get access to Huawei equipment and check that it is clean.

    41. Re:Source by hawguy · · Score: 1

      It's more akin to letting your "little head" do the thinking instead of the head that has a brain...
      Nope, doctor analogy fails hard here :( sucks to be you.

      Where you got "doctors from the same country" from a situation involving foreign corporations building critical infrastructure for their competition I'll never know.

      Because just like a single person doesn't have the ability to know enough about medical science to adequately treat any possible ailment, few countries have the resources or political will to fund development of enough industry to support all of their "critical infrastructure" needs.

      Do you really expect Australia to develop chip foundries, component manufacturers, software development, etc to build all of their government's electronics? What about patented chipsets that they may need? Will Cisco pass on their custom ASIC designs so Australia can build their own high capacity routers? Will Qualcomm pass on their patented CDMA chip designs so Australia can build their own government issued cell phones? Should they refuse to buy cell towers from Ericsson because they are "foreign" and spend 10 times more building their own? Should they give up all of the fighter jets in their air force because they are foreign made, and spend hundreds of billions of dollars inventing their own?

      Surely they can't trust any foreign country because even though it's friendly now, it doesn't mean that it will be friendly a decade from now.

    42. Re:Source by mjwx · · Score: 1

      Does the Australian Govt have anyone that can actually properly security audit this? I am sure they are not going to want to spend the money to hire someone who can.

      Yes, the quality of our politicians is quite low (after all, who joins parliament unless you can't do anything else) but there are quite a few skilled and talented public servants who stay there just for the job security and benefits (8 weeks of holidays, sure Bill).

      Also, who is to say the binary blob firmware doesn't have a back door. It's not like the Australians are going to compile it and install it themselves.

      Which would be a requirement at this level.

      But that's not the issue.

      The reason this is an issue at all is that it's for the NBN which is a political hot potato. The opposition party wants to destroy the NBN (mainly because it isn't their policy) and tend to blow everything out of proportion. If NBNco was not making an issue about Huawei being a potential security risk you can bet your bottom dollar Shadow Communications minister, Malcolm Turnbull would be shouting it from every rooftop he can find. But seeing as they have, Mr Turnbull is making a big issue about how NBNco are limiting vendors.

      There is more politics than security concerns here (although the concerns raised by the Defence Signals Directorate are quite valid).

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    43. Re:Source by RedPhoenix · · Score: 1

      True, though they do contract out some of these tasks to cleared third party defence-focused organisations, who definitely DO pay market rates.

      With a focus on graduate recruitment, a culture of esprit de corps, access to awesomely cool geeky tech stuff, and good working conditions, they tend to hang on to people for a fair bit longer than the government pay grades they are saddled with would normally imply.

      The brain drain does happen eventually.. but that's government, unfortunately.

    44. Re:Source by Lehk228 · · Score: 1

      doing it would be trivial, hiding it would be trivial as well. a properly designed hardware backdoor would make the required patch to the kernel when trigger conditions were met. if you want to make it even trickier you can make the patch and the trigger conditions look like an ordinary exploit. such as a nop sled of a specific length (or better, a length determined by some other stimulus)

      --
      Snowden and Manning are heroes.
    45. Re:Source by rtb61 · · Score: 3, Interesting

      Nothing to do with believable. I came across a disabled prototype on the internet. Based around a larger cheap version of a typical part with a high cost smaller version built into the casing leaving ample room for a chip to be inserted in the power pathway. Simplest function: burn out the chip and cut power upon the correct pass code being picked up in the power supply. Imagine that part inserted throughout your infrastructure, upon the code being detected every device using that part is now dead. Attempt to insert a replacement, it receives the signal and dies. Your whole supply chain is corrupted and it could take weeks to resolve, especially when it's the telecommunications infrastructure disrupted.

      --
      Chaos - everything, everywhere, everywhen
    46. Re:Source by barv · · Score: 1

      I think that, given a map of the hardware architecture, it should be possible to write a test program that could find addresses not in the specs.

      Of course the real problem is the lack of those in power to know bullshitters from talent.

    47. Re:Source by AK+Marc · · Score: 1

      The only alternative would be mobile networks,

      Oops. You were so interested in complaining about my inaccuracy that you started lying. There are multiple ways you can get "private" fibre. Good business connections will take dedicated private fibre (unaffected by NBN), rather than an oversubscribed home-user-based broadband network, as they have been doing for years.

    48. Re:Source by Lehk228 · · Score: 1

      the added hardware would not add code to operating memory, it would have its own registers. in my theoretical example NOP would be hijacked, so it would secretly increment a counter which did not exist in addressable space. JMP would behave normally unless the counter was at a certain number, in which case it would trigger a program to be read into cache and executed.

      similar to port knocking this would show no signs of existing until triggered, unless someone happened to slice and xray the chip and analyze the entire system. a program running on the chip could not detect the tampering unless it stumbled upon the required sequence

      --
      Snowden and Manning are heroes.
    49. Re:Source by Rennt · · Score: 1

      Why is the Federal Government singling out Huawei and not subjecting everyone to this scrutiny?

      Because most other networking companies aren't wholly owned subsidiaries of the Chinese government.

    50. Re:Source by Lincolnshire+Poacher · · Score: 1

      DSD pay way below market rates... as such they fail to attract the best of the best

      If your only criterion for working somewhere is top money then... you will be very unhappy all through your working life.

    51. Re:Source by FumarMata · · Score: 1

      If you can't prove that there are backdoors, you are just being RACIST

      (Right! Chinese are evil, somebody told me that all their stuff is packed with viruses and stuff. BTW: Let's ban brands that employ black people. Those guys are evil too. Oh! And Australian products? I heard that Australians are the descendants of criminals... can we ban their exports too? [/sarcasm])

    52. Re:Source by Max+Littlemore · · Score: 1

      Idiot anon coward, why is Chinese worse than US or even Israel (fucking racist by design and founded by terrorists)????????

      --
      I don't therefore I'm not.
    53. Re:Source by Max+Littlemore · · Score: 1

      1.8% And then? Are you one of those ex military fuckwits I embarrassed at the DOJ? Good.

      --
      I don't therefore I'm not.
    54. Re:Source by Max+Littlemore · · Score: 1

      is 1.8% "very close" or whatever. shut up.

      --
      I don't therefore I'm not.
    55. Re:Source by Anonymous Coward · · Score: 0

      I am curious if they'd do the same with Microsoft software.

    56. Re:Source by Anonymous Coward · · Score: 0

      We don't need to compile it ourselves, we have trained kangaroos and drop bears for this purpose.

      frag !

    57. Re:Source by cavreader · · Score: 1

      And what is wrong with the US government favoring US based companies? China's 2 big problems are their willingness to steal any technology they can get their hands on and use currency manipulation to control their export prices in the global market. That being said I don't believe China is an enemy of the US. China already has its hands full with a huge population that is becoming more assertive as their economy grows. China is not immune when it comes to their citizens reaching a point where they start challenging the status quo. Dirt poor peasants are easy to control but citizens who have seen their economic status improve are another matter. Plus both the US and China are dependent on one another for trade so why rock the boat? The US might import a lot of Chinese products but China imports a large amount of agriculture and food products from the US. Chinese food imports from the US have increased by a factor of 5 just over the past 5 years alone. And put aside all the BS about China lending the US money. The fact is that China invests their money in the US by purchasing US Treasury certificates and bonds because they realize that the US still offers solid returns on their investments in a stable financial system. And all the numb nuts claiming China "owns" the US are full of shit. China only holds about 5-6% of all outstanding government bonds and treasury certificates. And in the unlikely event the US cannot make good on the Chinese investments or hostilities break out China better have one hell of a collection agency if they expect to get any of their money back.

      The really interesting back doors the US government and tech companies might employ are those related to the military technology they sell to other countries. The first time a non-US country tries to use an American F-15 they purchased to target and shoot an American F-15 would most likely see their missile make a big U-turn and target the aircraft who fired the missile. There are key systems in the weapon systems the US sells to foreign countries that require all maintenance, repair, and replacement parts to be provided by the US.

    58. Re:Source by Anonymous Coward · · Score: 0

      "...but NO chinese stuff is going to be trusted by anyone with a brain and experience..."

      sent from a computing device whose chipset is made in china ;]

    59. Re:Source by Anonymous Coward · · Score: 0

      More like they will compare the source with their own reverse engineering methods.

    60. Re:Source by LordLimecat · · Score: 1

      Compile the source, compare SHA1 hash of the resultant binary to the one that Huawei is shipping.
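      A verification step along the lines suggested in this comment, as an added example that is not from the post or from any vendor tooling: hash a locally rebuilt image against the shipped one and, when the raw hashes disagree, report which byte ranges differ after masking fields the build is allowed to vary (here an assumed build-timestamp field), so a reviewer can separate a non-reproducible timestamp from a substantive divergence. The image layout and all bytes below are constructed sample data.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]  # (start, end) byte offsets, end exclusive


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_ranges(a: bytes, b: bytes) -> List[Range]:
    """Byte ranges where a and b disagree; a length mismatch is reported
    as one extra range covering the longer tail."""
    ranges: List[Range] = []
    n = min(len(a), len(b))
    i = 0
    while i < n:
        if a[i] == b[i]:
            i += 1
            continue
        start = i
        while i < n and a[i] != b[i]:
            i += 1
        ranges.append((start, i))
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


def mask_volatile(data: bytes, volatile: List[Range]) -> bytes:
    """Zero out fields the build is allowed to vary (e.g. a build timestamp)
    so the rest of the image can be compared byte for byte."""
    buf = bytearray(data)
    for start, end in volatile:
        for i in range(start, min(end, len(buf))):
            buf[i] = 0
    return bytes(buf)


def verify_rebuild(shipped: bytes, rebuilt: bytes,
                   volatile: Optional[List[Range]] = None) -> Dict[str, object]:
    """Compare a vendor-shipped image with one rebuilt from the released source.

    'raw_match' is the plain hash comparison the comment proposes; it only
    holds for a fully reproducible build. 'unexplained_diffs' lists differences
    that remain after masking the declared volatile fields, and 'clean' is
    True only when no such difference exists."""
    volatile = list(volatile or [])
    shipped_hash = sha256_hex(shipped)
    rebuilt_hash = sha256_hex(rebuilt)
    raw_match = shipped_hash == rebuilt_hash
    unexplained = differing_ranges(mask_volatile(shipped, volatile),
                                   mask_volatile(rebuilt, volatile))
    return {
        "shipped_sha256": shipped_hash,
        "rebuilt_sha256": rebuilt_hash,
        "raw_match": raw_match,
        "unexplained_diffs": unexplained,
        "clean": raw_match or not unexplained,
    }


# Constructed sample "firmware images" (assumed layout, not real vendor data):
# a 4-byte magic, an 8-byte big-endian build timestamp at offset 4, then the body.
HEADER = b"FW01"
BODY = bytes(range(256)) * 4
TIMESTAMP_FIELD: List[Range] = [(4, 12)]


def make_image(timestamp: int, body: bytes = BODY) -> bytes:
    return HEADER + timestamp.to_bytes(8, "big") + body


SHIPPED = make_image(0x5F000000)
REBUILT_SAME_TS = make_image(0x5F000000)     # bit-for-bit reproducible rebuild
REBUILT_NEW_TS = make_image(0x5F000010)      # only the timestamp differs
_tampered = bytearray(make_image(0x5F000000))
_tampered[300] ^= 0xFF                       # one body byte altered
TAMPERED = bytes(_tampered)

if __name__ == "__main__":
    cases = [("identical", REBUILT_SAME_TS),
             ("new timestamp", REBUILT_NEW_TS),
             ("tampered", TAMPERED)]
    for name, img in cases:
        r = verify_rebuild(SHIPPED, img, TIMESTAMP_FIELD)
        print(f"{name:14s} raw_match={r['raw_match']!s:5s} "
              f"clean={r['clean']!s:5s} unexplained={r['unexplained_diffs']}")
```

      Without a declared volatile-field list, the timestamp-only rebuild is reported as a single unexplained one-byte range, which is the signal that the build itself must be made deterministic before a hash comparison means anything.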

    61. Re:Source by Anonymous Coward · · Score: 0

      There are actually four levels to this problem:
      1. Physical hardware design - we need the schematics, board layouts, and BOM.
      2. PAL, FPGA, and ASIC design, need specs and source code.
      3. Firmware design - need source code.
      4. Software drivers and application design - need source.

      Do I think Huawei is going to hand over the complete design package for review? Hell no. Would be nice, though.

    62. Re:Source by Anonymous Coward · · Score: 0

      GratefulNet you are one kind of idiot, there are many others.

      But yours is the most unbelievably hypocritical and lacking thought of value, in your paranoia based on nothing but ethnocentricities and ignorance.

    63. Re:Source by Tomji · · Score: 1

      I am sorry, it was never about security. It's about racism and xenophobia. Am I the only one that can see that this is the reason why gov. have a specific chip on their shoulders regarding anything Chinese?

    64. Re:Source by barv · · Score: 1

      That is somewhat more elegant than I had anticipated, however (off the cuff) I suspect that those NOOPs might show up in the time log. You appreciate that I assume we have a lot of time and talent that can be applied.

      Also I do not believe that a black box "watcher" program on the installed system could be circumvented.

    65. Re:Source by Lehk228 · · Score: 1

      the noops were a very rough stub, as presumably an ordinary operation environment does not include executing raw CPU instructions coming in over TCP/IP

      a more likely trigger would be something watching actions which would be triggered by network protocols, such as sequences of comparisons used to check packet serial numbers, it would have to be something which is a deterministic response within the firmware.

      --
      Snowden and Manning are heroes.
    66. Re:Source by socceroos · · Score: 1

      Indeed. You'll note that DSD gives quite low security ratings to CISCO equipment.

    67. Re:Source by Anonymous Coward · · Score: 0

      NO chinese stuff is going to be trusted by anyone with a brain and experience.

      ...then why isn't the Gillard government buying their stuff? .

    68. Re:Source by barv · · Score: 1

      I know that there are a countable number of trigger event types/styles, and each will have only a countable number of options.

      Programming to predict those trigger type/styles would be an interesting problem. Cycling through those options is then a fairly straightforward brute force problem.

      However in the final analysis, even if you missed finding the trigger, I don't see how the actual event would not be detected by the BB test, or even the timing cycles lost test.

      And if that coding is discovered, it immediately becomes our trojan.

    69. Re:Source by overbaud · · Score: 1

      And what is wrong with the Australian government representing the best interest of its people and not the interest of corp America? Why when Australia was negotiating the Malaysia solution for immigrants was the US putting pressure on Malaysia to tie any deal to plain packaging of cigarettes to suit American tobacco interests? As an Australian I say bugger off to America trying to pervert my country and its purchasing interests for its own selfish / corporate reasons. What about America putting the pressure on New Zealand over Kim Dot Com - a raid that turned out illegal? Your rant completely fails to address my point, that it is entirely possible and probable that in many deals with China FUD is introduced by the US to suit its own interests, or Australia is pressured to create FUD to keep the US happy. What the f*ck are you talking about treasury bonds for? Or China investment? Or F15? It's bad enough our boys are being blown up in US wars (Still looking for the WMD, what was that even about? Oh yeah Oil) But to have the US and US corporate interests playing shenanigans for stock holders is a piss poor effort.

      --
      Users... the only thing keeping 1st level support from being the bottom feeders.
    70. Re:Source by Rennt · · Score: 1

      That sounds like quite a tale, my good Sir.

    71. Re:Source by cavreader · · Score: 1

      Why can't Australia make their own decisions and handle their own problems instead of blaming the US? Damn near every country in the world blames their problems on the US so they can avoid admitting their own mistakes. It's much easier to blame someone else for your problems than it is to actually work on solving your own internal problems. Some countries are worse than others but no country passes up the opportunity to shift blame so they can feel good about themselves. The number one goal of every government in the world is to look after its own first and every other country comes in a distant second place. Of course this causes people to denounce US involvement and in the next breath complain that the US is not getting involved.

    72. Re:Source by pt73 · · Score: 1

      I didn't mention "business". In terms of "residential broadband network", it will be a monopoly. I don't know of many residences that will get "private" fibre.

    73. Re:Source by AK+Marc · · Score: 1

      Ah, you replied to multiple of my posts, all with different excuses why it's a national security issue for a residential broadband network to have equipment in it from a company with no proven security vulnerabilities (Huawei) in favor of one with proven backdoors, at least previously (Cisco). Even if the NBN is a monopoly for residential broadband, and the equipment is sole-supplied by Huawei, I still don't see the problem. Is the issue that Australia is planning on starting a war with China?

    74. Re:Source by Lehk228 · · Score: 1

      the cycling would require certain sequences; without knowing what the sequences would be, trying every combination of op codes n^x where x is unknown really is impossible.

      detection software would be moot because on activation the CPU would be loaded with the malicious software and would no longer be running its ordinary code, it would carry out its assigned task then depending on the nature of the code it would either resume operations or reboot

      --
      Snowden and Manning are heroes.
    75. Re:Source by Anonymous Coward · · Score: 0

      Wow! That's a mighty tall high horse you've got there.
      Face it, every country does what it believes are in its best interests, and it's the job of other countries to either go along or not, depending. However, if you can't see that a country like China having companies OWNED by the government isn't bad, then I can't help you.

    76. Re:Source by mrmeval · · Score: 1

      It had to be said. That is what it would come to should that echoing of xenophobia prevail. Then would come the refusal to acknowledge foreign IP and perhaps though not likely a refutation of global standards.

      What should happen is Huawei gets slapped so hard a politburro (sic) member's teeth fall out. Every nation should have a rational policy about software and hardware disclosure along with internal testing that is economical and prudent yet still allows a global economy.

      --
      I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
  2. subject by Anonymous Coward · · Score: 0

    >insert some FUD about hardware bugs followed by that pdf on trust

  3. hardware backdoors by Anonymous Coward · · Score: 0

    what about hardware based backdoors? how about purposely imposed design flaws that are undetectable, but easily exploitable remotely? Perhaps they have their own CHAMP like device embedded, only activated by some type of remote RF.

    1. Re:hardware backdoors by AK+Marc · · Score: 3, Informative

      OK, let's assume that the routers are rooted. So what? Isn't everything over the Internet presumed to be insecure anyway? At worst, China would get some SSL packets from my bank, or some HTTPS packets between me and an email server. Or see that I'm on Slashdot more than I should be. Yawn.

      And, if they did send a copy of every packet to China, do you think the carriers wouldn't notice that traffic pattern? It's an absurd accusation, with no basis in fact. And, if true, would be quickly found if it were ever used. All to compromise an unspecific portion of a residential broadband network.

      It's more likely that Huawei was behind the assassination of Kennedy and 9/11 than they are inserting router backdoors in an attempt to remotely control Australia. If you've been to WA, you don't need to sniff their traffic to know what they are doing. 99% porn, 1% skype to family.

    2. Re:hardware backdoors by moogied · · Score: 1

      You're assuming the point is to read the data. It's not. The point is that China would be able to transmit a single set of instructions across the routers that say 'At 2AM tomorrow, DO NOT ALLOW TRAFFIC THROUGH.' and suddenly Aussies everywhere lose internet. Which could be a massive security issue if China were to attack right then.

      --
      So basically, -1 troll/offtopic is really slashdots way of saying "I hate that you thought of something before me."
    3. Re:hardware backdoors by coliverhb · · Score: 1

      Or they could, you know, take down the entire Australian network in an instant by sending a command to all of the rooted routers. (Not an optimal situation especially because these routers are also going to be handling the phone lines too) Think about having the ability to cut off all communication in an entire country - that's a HUGE strategic advantage

      They could use these routers to identify specific targets of interest. State sponsored hackers would then have the ability to remove/obfuscate logs to make it so that they're impossible/very very difficult to trace or perhaps even to frame others.

    4. Re:hardware backdoors by bugs2squash · · Score: 1

      Not every router is used solely for the internet. Also, they don't have to report to China, they just have to be deployed into a critical network and then suddenly stop working when China wants them to. Finally, if they're going to be sneaky, who's to say the software image they provide is made out of the source code they provide? I don't see them providing the means to compile the source code to an image.

      --
      Nullius in verba
    5. Re:hardware backdoors by RocketRabbit · · Score: 3, Insightful

      Wow, you're just really naive. Really, really naive.

      Even without decrypting the information all the way back in WWII, traffic analysis allowed some major victories on the battlefield. With this technique, being automated and in near real time, one could infer a lot about an adversary without actually decrypting one single thing.

      Maybe you're not concerned with privacy, but that's why you're not working in this field!

    6. Re:hardware backdoors by Hatta · · Score: 1

      OK, lets assume that the routers are rooted.

      Call router rooter, that's the name. And security goes down the drain!

      --
      Give me Classic Slashdot or give me death!
    7. Re:hardware backdoors by AK+Marc · · Score: 1

      Because residential broadband is a national security resource? Did everyone buy Huawei TVs too? Did you watch Tomorrow When the War Began too many times? I'll give you a hint, it's as likely as Red Dawn (neither happened, and neither will happen).

    8. Re:hardware backdoors by AK+Marc · · Score: 2

      Sure, they'd take it all down. And then what? Invade Australia? That'll start WWIII, same as if they launched a bomb at every network POP. We should be scanning them all to make sure there aren't hidden bombs in every Huawei router, and even if they come back clean, open them all up and make sure. What would happen if the code had every battery in every Huawei phone outside China blow up at the same time? And every Huawei home router shorted, taking out the electric grid? Then they got up, walked to other routers, and assembled themselves into a large robot that calls itself Megatron-san (yes, I know we are talking Chinese and san is Japanese).

    9. Re:hardware backdoors by AK+Marc · · Score: 1

      Maybe you're not concerned with privacy, but that's why you're not working in this field!

      I do work in security. One of the things you do in security is realize everything can be compromised in many ways you'll never be able to think of, so you plan on the most likely. Huawei undercutting everyone to sell networking gear into Australia as step 7 in the 30 step process to invade Australia is so unlikely as to not warrant effort protecting against. You might as well put in DNA tests at CO doors to ensure the person trying to get in is human, and not a werewolf or space alien.

    10. Re:hardware backdoors by RocketRabbit · · Score: 1

      If you work in security then I feel very sorry for your employers and customers.

      Are you really naive enough to believe that deep surveillance on Australia's communications infrastructure is NOT in the ChiCom's interest?

      It's telling that you have to rely upon strawmen to make your point. Very, very telling. Perhaps the ASIO should take a closer look at you and your "security" business.

    11. Re:hardware backdoors by Luckyo · · Score: 1

      Not to be a dick, but you really have no understanding of the concept of "existential threat" and why these threats are handled differently from normal threats, do you?

    12. Re:hardware backdoors by pt73 · · Score: 1

      Who said it was "residential broadband"? And even if your understanding were true, you need to consider the full ramifications. Its brief is to connect every "house, school, hospital and business in Australia". It isn't delivering IP. ISPs will do that. It provides the pipe to connect a place to an ISP - or a telephone provider....It is the only network to be delivered to houses and will carry everything, telephone, Internet, pay TV and probably in the future, broadcast TV. What's more, you can't anticipate what will go on top of it in the future. Perhaps mobile (cell) towers will use the NBN for backhaul.

      So is that a national security resource?

    13. Re:hardware backdoors by black3d · · Score: 1

      It's got nothing to do with residential broadband. The "national broadband network" is a fibre project, servicing residential, industrial, commercial and government interests. Huawei wants to have an instrumental role in building it. DSD says that's a bad idea. Nothing over-the-top, but an aggressor in that role would be capable of causing considerable damage down the track.

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
  4. Not for hardware.. by Anonymous Coward · · Score: 0

    The software source code will be fine, but during manufacturing a hardware chip can be added to the NICs or routers that will phone home independently of what the IO's sees. To make it more fun, they will only add it to a couple of pieces of hardware in the large order, so they can claim it was a manufacturing defect, and they don't know how those got in there..

    1. Re:Not for hardware.. by michelcolman · · Score: 1

      Or worse, they might just have been recruiting winners of the International Obfuscated Code Contest. How big is this software package? There's probably plenty of room to slip in a hard to find security hole.

  5. Cisco and Motorola may object by Anonymous Coward · · Score: 5, Funny

    ...seeing as how it's their source code being released.

    1. Re:Cisco and Motorola may object by RivenAleem · · Score: 2

      So you're saying that when/if Aus does an inspection of the source code, they WILL find backdoors.

    2. Re:Cisco and Motorola may object by sincewhen · · Score: 1

      So, you're saying this is a clever move by China to have Australia pay for the expertise required to find the backdoors in the code which Huawei "obtained" from US companies with backdoors inserted by the NSA et al so they can clean it before they use it for their own networks?

      Brilliant!

      --
      -- Braden's law of data: All data spends some of its lifetime in an excel spreadsheet.
  6. Answer by Matt.Battey · · Score: 1

    No. Yes. In that order.

    1. Re:Answer by AK+Marc · · Score: 0

      It's more than Cisco or anyone else was willing to do. Huawei does everything asked of them, and gets attacked for it. Why? Looks like Australia is developing an anti-immigrant stance, and so many that go to Australia are Chinese.

    2. Re:Answer by Matt.Battey · · Score: 2

      That may be true, but based on past events, like when counterfeit Cisco routers were produced in China and sold world wide, even to US military institutions, the fear is very real. Besides the attempt to maximize profit by selling falsely produced patented and copyrighted digital equipment, there is the nefarious aspect that these systems could have any sort of direct back-door, data rewriting, or side channel attacks built-in.

      The question comes down to this: Do you purchase digital computing products constructed in a Communist country that is actively engaged with you in digital warfare? This is the cyber equivalent to smallpox blankets.

    3. Re:Answer by WindBourne · · Score: 1

      Really? So, top ppl at Huawei can come from ANY nation? Nope. Only Chinese are allowed. ALL employees own stock in the company? Nope. Only Chinese are allowed. Manufacturing is around the planet? Nope, just in China.

      Huawei has not shown that they are an INTERNATIONAL company. They are a private company in the same way that Air America was a private company.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    4. Re:Answer by Matt.Battey · · Score: 1

      Exactly my point. Thanks WindBourne.

  7. Besides by Anonymous Coward · · Score: 0

    Source code doesn't speak to the character of the company who commissioned its development, anyway.

    And, that's really what people don't trust.

    1. Re:Besides by fredprado · · Score: 4, Insightful

      Sorry, but there is absolutely no company in the world that has this thing called "character".

    2. Re:Besides by fredprado · · Score: 1

      And you certainly have great wisdom and knowledge and are ready to bathe us in the light of your unsurpassed righteousness, Mr. Anonymous Coward.

    3. Re:Besides by fredprado · · Score: 3, Funny

      Oh, another offended Anonymous Coward. How cute.

    4. Re:Besides by Dragonslicer · · Score: 1

      Sorry, but there is absolutely no company in the world that has this thing called "character".

      I dunno, I always thought Ballmer was quite a character.

    5. Re:Besides by jhol13 · · Score: 1

      Oh, yes there are. One example is Olvi Oyj (Finland, "OLVAS" in Nasdaq). The biggest owner is a trust fund whose primary goal is to advance beer culture (or something similar).
      The company has gone so far as to help small breweries to get their beer to big shops, though it provably affects their sales negatively (marginally though).

      There are companies which behave more nicely than other companies. There are companies which advance society and there are companies which maximize profits - most in the grey area obviously.

      Unless, of course, you want only to argue the semantics of word "character", which I'll skip.

    6. Re:Besides by Anonymous Coward · · Score: 0

      You forgot to tick the AC box. You're referring to yourself, right? I'm the above AC, and was not offended at all.

    7. Re:Besides by fredprado · · Score: 1

      Oh I am quite sure that there are on occasion CEOs who have the high moral standards we classify as "character", The companies themselves have none though, and a CEO change is all that is needed to turn its moral alignment 180 degrees.

  8. Is this Sufficient? What else could you want? by NinjaTekNeeks · · Score: 1

    Australia: "You are a security threat we need to see your code!"
    Huawei: "Ok, here is our full source code"

    Sensationalism Department: "There must be obscure back doors they might hide in their code!!!"

    Just because the US Congress, which is still in the stone ages as far as understanding of technology, decries them as a threat using classified information doesn't mean it's true. It just means the US likes to cock block China as often as it possibly can, notwithstanding the shady backroom deals that enticed this in the first place.

    1. Re:Is this Sufficient? What else could you want? by Todd+Knarr · · Score: 2

      Hardly obscure. The only thing needed is to make it so the code used to build the firmware isn't the code you provided for everyone else to look at. I can think of a dozen ways to do that, starting with the obvious "patch file not in version control and not provided to anyone, applied manually between checkout and compile". If you're doing that, the back-doors don't have to be obscure at all because they won't be present in anything anyone can see.

      The only way to truly tell is to build your own binaries from the supplied code and then diff the vendor-supplied firmware against your build. That of course suffers from problems with a large number of benign differences due to embedded source-code paths, timestamps due to the build being done at a different time, slight variations in the exact version of third-party libraries and so on.

    2. Re:Is this Sufficient? What else could you want? by firewrought · · Score: 1

      You're right: it probably is just scaremongering to get an economic advantage for someone. Well, maybe not all of it. The U.S. has certainly done its share of espionage tricks, including delivery of a spiked Boeing for China's version of Air Force One. Suspicions tends to mirror one's own tactics.

      However, if you really don't trust Huawei, there's no way for them to prove it to you: the backdoor could be hidden in the software, in the compiler, in the CPU microcode, in the BIOS, in some auxiliary firmware, or in some subtle combination of all of these. You'd have to build it yourself, compile it yourself, install it yourself, update it yourself, and you still wouldn't have great confidence because these things can be really damn subtle. Classy of them to reveal the source, but it's a meaningless gesture.

      --
      -1, Too Many Layers Of Abstraction
    3. Re:Is this Sufficient? What else could you want? by fredprado · · Score: 1

      But then again it would be the fault of those that should be verifying such things. If security is important these checks should be made no matter which manufacturer they choose.

    4. Re:Is this Sufficient? What else could you want? by AK+Marc · · Score: 0

      Or, trust but verify. If your traffic is 10 Mbps from Perth to Melbourne and you see your stats showing 10 Mbps between P and M, with a corresponding spike in traffic going to China, then maybe something is up. It wouldn't be hard to find a backdoor if one was in, it would have to *do* something, and that would be seen, especially if they are looking for it. Insane security measures to secure residential Internet (presumed insecure anyway) seems, well, insane.

    5. Re:Is this Sufficient? What else could you want? by SEE · · Score: 1

      Mere source code disclosure is worthless as proof of trustworthiness, and has been known to be worthless to that end to everyone with the slightest knowledge of the subject ever since Ken Thompson gave his Reflections on Trusting Trust speech 29 years ago.

      The real question is, given anyone who knows anything about the subject knows the source code disclosure proves nothing, why did Huawei offer to disclose the source?

    6. Re:Is this Sufficient? What else could you want? by Anonymous Coward · · Score: 0

      That and the binaries are not signed, the fab process is closed... it's not classy, it's a tactical move. It's not paranoid to be suspicious of this situation. Look at the political scene with regard to the military's involvement in those companies, the sheer number of hack attempts coming from China, the rapid rise of the military and their goals of "owning" the whole APAC region and tell me you would not be at least a little cautious.

    7. Re:Is this Sufficient? What else could you want? by mhotchin · · Score: 4, Informative

      http://cm.bell-labs.com/who/ken/trust.html

      If you haven't read it, or even if you haven't read it recently, you really should.

    8. Re:Is this Sufficient? What else could you want? by Arker · · Score: 1

      The only way to truly tell is to build your own binaries from the supplied code and then diff the vendor-supplied firmware against your build.

      Of course that's the first thing that would have to be done. Compile the binaries with the same compiler and scripts, see if the binaries match. If they do not, something is wrong.

      Next step, do you trust the compiler? If not, recompile with a compiler you do trust, and use those binaries instead. Simple.

      Either way, once you have verified the binaries and the source match, you can audit the source and be confident of the results.

      It might well wind up making more sense to simply rewrite all the software from scratch using known good people, instead of trying to thoroughly audit the existing code. EVEN IN THAT CASE having the original source code available, from which to generate specifications, would still be a big positive.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
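The rebuild-and-diff step that Todd Knarr and Arker both describe, as an added example that is not part of the original thread and not Huawei's or anyone's real image format. The toy image layout (a magic string, a 32-bit build timestamp, a 64-byte build path, then the code section) is an assumption made for the example; it exists so that the two benign differences Todd Knarr mentions, timestamps and embedded paths, can be separated from the part that actually matters. A single changed byte in the code section (a 0x90, in the spirit of the NOP stub discussed above) is reported with its offset.

```python
import hashlib
import struct

# Toy image layout, assumed for this example:
# magic | 32-bit big-endian build time | 64-byte NUL-padded build path | code section
MAGIC = b"FWIM"
HEADER = struct.Struct(">4sI64s")


def build_image(code: bytes, build_time: int, build_path: bytes) -> bytes:
    """Stand-in for the packaging step at the end of a firmware build."""
    return HEADER.pack(MAGIC, build_time, build_path.ljust(64, b"\0")) + code


def split_image(image: bytes):
    """Separate the volatile header (timestamp, path) from the code section."""
    magic, build_time, path = HEADER.unpack_from(image)
    if magic != MAGIC:
        raise ValueError("not a firmware image")
    meta = {"build_time": build_time, "build_path": path.rstrip(b"\0")}
    return meta, image[HEADER.size:]


def code_digest(image: bytes) -> str:
    """Hash of the code section only, so two builds of the same source compare
    equal even though their headers differ."""
    return hashlib.sha256(split_image(image)[1]).hexdigest()


def diff_code(reference: bytes, vendor: bytes):
    """Offsets within the code section where the vendor image departs from ours,
    plus a length record if the sections are not the same size."""
    _, ours = split_image(reference)
    _, theirs = split_image(vendor)
    diffs = [(i, a, b) for i, (a, b) in enumerate(zip(ours, theirs)) if a != b]
    if len(ours) != len(theirs):
        diffs.append(("length", len(ours), len(theirs)))
    return diffs


# Constructed sample: the "code" is just 64 ascending bytes.
CODE = bytes(range(64))
VENDOR_IMAGE = build_image(CODE, 1_700_000_000, b"/home/build/fw")   # what the vendor shipped
OUR_IMAGE = build_image(CODE, 1_700_003_600, b"/srv/audit/fw")       # our rebuild from their source
TAMPERED_IMAGE = build_image(CODE[:20] + b"\x90" + CODE[21:],        # one byte patched in
                             1_700_000_000, b"/home/build/fw")

if __name__ == "__main__":
    print("raw bytes equal:", OUR_IMAGE == VENDOR_IMAGE)                              # False: header differs
    print("code digest equal:", code_digest(OUR_IMAGE) == code_digest(VENDOR_IMAGE))  # True
    print("tampered diffs:", diff_code(OUR_IMAGE, TAMPERED_IMAGE))                    # [(20, 20, 144)]
```

On a real image the "volatile" set is larger than a header (build IDs, link-order effects, third-party library versions, as Todd Knarr notes), so in practice the rebuild has to use the vendor's exact toolchain and flags before a clean diff is possible, and a mismatch still has to be read by a human to decide whether it is benign. And as the compiler discussion further down makes clear, a matching diff says the binary came from this source; it says nothing about the compiler that produced both.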
    9. Re:Is this Sufficient? What else could you want? by AK+Marc · · Score: 1

      No, just piles of A/Cs are, for all I know, just one person disagreeing.

      Huawei has been around for years. There has been only one major security problem with Huawei gear, and it was because they copied Cisco so well, that they accidentally copied Cisco's backdoor. If there's a company that's sold out to the government it's Cisco in the US, not Huawei in China (though they have sold out to the government, as have all corporations in China, they have not done so in a way that harms customers, as the US companies do, they just do so to send profits back to the leaders).

    10. Re:Is this Sufficient? What else could you want? by Luckyo · · Score: 1

      Except that that's not how any sane backdoor would work. Hell, even shitty botnets do it better.

    11. Re:Is this Sufficient? What else could you want? by Anonymous Coward · · Score: 0

      And spending the resources to do it, and hoping a later patch doesn't add a backdoor - etc. How about we just buy Cisco or Juniper?

    12. Re:Is this Sufficient? What else could you want? by AK+Marc · · Score: 1

      And even good botnets are easily detected by a heuristic firewall. Again, you couldn't use it and remain undetected.

  9. Why stop there? Why not go for public review? by badger.foo · · Score: 2

    Much like I assume a lot of other /. readers, my trust in the equipment I use to do what it's supposed to do comes from my access and ability to read the source code. There have been minor dust-ups in the open source world about allegations that other governments than China inserted back doors in widely used software, and we still see those allegations surfacing from time to time, but never with anything solid to back them up. I believe searches on the obvious keywords will turn up stories linked from here, as well as links to source code repositories of very high quality indeed. So my advice for Huawei is, let the world see your source code, and please set up a mechanism for reviewing your own code and patches.

    --
    -- That grumpy BSD guy - http://bsdly.blogspot.com/
  10. Compiler Vulnerability by charon69 · · Score: 2

    Is Australia planning on building their own code from that source?

    Because how would they know that what they were running was actually the source code they were provided?

    And would Australia even be interested in jumping through that extra hoop considering that there are other vendor options available where Australia feels this isn't necessary? The price difference between Huawei and other vendors would have to be fairly sizable to warrant that.

    Or, even more insidious, I've heard of the possibility to include backdoors via the compiler rather than via the source code.

    http://en.wikipedia.org/wiki/Backdoor_(computing)

    Quote from that article:
    It is also possible to create a backdoor without modifying the source code of a program, or even modifying it after compilation. This can be done by rewriting the compiler so that it recognizes code during compilation that triggers inclusion of a backdoor in the compiled output. When the compromised compiler finds such code, it compiles it as normal, but also inserts a backdoor (perhaps a password recognition routine). So, when the user provides that input, he gains access to some (likely undocumented) aspect of program operation. This attack was first outlined by Ken Thompson in his famous paper Reflections on Trusting Trust (see below).

    If Huawei's code requires anything more than generic gcc, Australia may not be able to verify 100% security, regardless... unless they're given the source code to the compiler as well.

    Long story short, this just seems like a huge hassle that Australia is probably going to avoid anyway.

    Just my 2 cents...

    1. Re:Compiler Vulnerability by fredprado · · Score: 2

      Obviously they would have to compile and compare to audit, and obviously they shouldn't trust any compiling tool given by the very person being audited...

    2. Re:Compiler Vulnerability by Anonymous Coward · · Score: 0

      This got me thinking. What the Australian government needs to do is make sure they can compile the code themselves and that they can flash the result to equipment themselves and that the equipment works as required once the flashing is complete. This way they'd have insurance: if the Chinese government decides to use some sly backdoors, the Australian government's worst problem will be how fast they can recompile and reflash everything, which is better than back to the stone age while all the equipment is replaced with competing products. Backup, reflash, restore should be an option.

      Captcha: ointment. Apparently what AU.gov might need.

    3. Re:Compiler Vulnerability by AK+Marc · · Score: 1, Informative

      And would Australia even be interested in jumping through that extra hoop considering that there are other vendor options available where Australia feels this isn't necessary? The price difference between Huawei and other vendors would have to be fairly sizable to warrant that.

      Why indeed. Why spend so much justifying why they are planning on over-paying to a company run by white people, when there has never been an "incident" with Huawei gear? Australia is spending millions trying to make sure they spend their money with white people, in order to secure an "insecure" residential Internet network. You tell me, why is Australia inventing all these hoops?

    4. Re:Compiler Vulnerability by funkboy · · Score: 1

      And would Australia even be interested in jumping through that extra hoop considering that there are other vendor options available where Australia feels this isn't necessary? The price difference between Huawei and other vendors would have to be fairly sizable to warrant that.

      It is. Depending on how well you negotiate with various vendors, it can be half the price of Cisco, AlcaLu, Juniper, etc.

    5. Re:Compiler Vulnerability by Sez+Zero · · Score: 1

      You tell me, why is Australia inventing all these hoops?

      Because they don't trust Chinese companies?

    6. Re:Compiler Vulnerability by Anonymous Coward · · Score: 0

      is it racism too when China insists domestic companies get 51% control of a partnership? Or is that just being smart, and only 'white people' can be racist?

    7. Re:Compiler Vulnerability by Anonymous Coward · · Score: 0

      Fuck you, racist.
      Take your transparent chinese propaganda and shove it up your ass.

      No, you may NOT have Taiwan, and if you reach for it, your gobi desert wasteland will seem a paradise compared to your nuked out cities.
      Back the fuck off, or we WILL destroy you.

    8. Re:Compiler Vulnerability by johntromp · · Score: 1

      If Huawei's code requires anything more than generic gcc, Australia may not be able to verify 100% security, regardless... unless they're given the source code to the compiler as well.

      That wouldn't help, since the compiler recognizes its own source as well, and puts the compiler backdoor in the resulting compiler executable. So the bad compiler source code is only needed initially to create a compromised compiler executable, and can be cleaned up afterwards.
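A toy of the attack the Wikipedia paragraph and johntromp's reply describe, added here as an example; it is not part of the original thread and not any real compiler. Programs and compilers are Python source strings, "compiling" means executing the source into a fresh namespace, and that namespace is the "binary". The payload strings, the `"def login("` and `"def compile_program("` triggers and the fixed password are all assumptions made for the example. The point to watch is the second generation: the compiler source handed over is clean, but because it is built with the poisoned binary, the result still plants the login backdoor.

```python
# Programs and compilers are plain Python source strings; "compiling" means executing
# the source into a fresh namespace, and the namespace is the "binary".

CLEAN_COMPILER_SRC = '''
def compile_program(src):
    ns = {}
    exec(src, ns)
    return ns
'''

LOGIN_SRC = '''
def login(user, password):
    return user == "admin" and password == "correct horse battery staple"
'''

# Payload 1: wrap any program that defines login() so a fixed password also works.
LOGIN_TROJAN = '''
_orig_login = login
def login(user, password):
    return password == "opensesame" or _orig_login(user, password)
'''

# Payload 2: wrap any program that defines compile_program() so the resulting compiler
# carries both payloads. The %r slots are filled with the login payload and with this
# very template, which is what lets the backdoor reinsert itself on every rebuild.
COMPILER_TROJAN = '''
_LOGIN_TROJAN = %r
_SELF = %r
_clean_compile_program = compile_program
def compile_program(src):
    if "def login(" in src:
        src = src + _LOGIN_TROJAN
    if "def compile_program(" in src:
        src = src + (_SELF %% (_LOGIN_TROJAN, _SELF))
    return _clean_compile_program(src)
'''


def bootstrap() -> dict:
    """A compiler we trust: built by hand, not by any other compiler."""
    ns = {}
    exec(CLEAN_COMPILER_SRC, ns)
    return ns


def build_evil_compiler(trusted: dict) -> dict:
    """The one-time poisoned build: compiler source with the trojan appended."""
    poisoned_src = CLEAN_COMPILER_SRC + COMPILER_TROJAN % (LOGIN_TROJAN, COMPILER_TROJAN)
    return trusted["compile_program"](poisoned_src)


def login_accepts(compiler: dict, user: str, password: str) -> bool:
    """Compile the (clean) login program with the given compiler and try a credential."""
    program = compiler["compile_program"](LOGIN_SRC)
    return program["login"](user, password)


def extra_symbols(reference: dict, suspect: dict) -> set:
    """Names present in one compiler binary and not the other: a crude binary diff."""
    return set(suspect) - set(reference)


if __name__ == "__main__":
    trusted = bootstrap()
    evil = build_evil_compiler(trusted)
    # The vendor now "cleans up": the trojan source is gone, only CLEAN_COMPILER_SRC remains...
    gen2 = evil["compile_program"](CLEAN_COMPILER_SRC)
    # ...yet the compiler rebuilt from that clean source still plants the login backdoor.
    print("gen2 accepts backdoor:", login_accepts(gen2, "admin", "opensesame"))        # True
    print("trusted accepts backdoor:", login_accepts(trusted, "admin", "opensesame"))  # False
    print("symbols only in gen2:", extra_symbols(trusted, gen2))
```

`extra_symbols` is a stand-in for the step Arker describes: build the same compiler source with an independently trusted compiler and compare the results (the published form of this check is Wheeler's diverse double-compiling). Here the trojan leaks three extra names; a careful one would scrub them, which is why the real comparison is done on bytes and why the second compiler has to come from somewhere the vendor never touched.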

    9. Re:Compiler Vulnerability by Anonymous Coward · · Score: 0

      That's clearly racism, our government would go with Huawei in a heartbeat if a few million were slipped under their door just like the other "white people" do....

    10. Re:Compiler Vulnerability by AK+Marc · · Score: 0

      That's racism too. Why are you so confused?

    11. Re:Compiler Vulnerability by AK+Marc · · Score: 1

      I'm not Chinese. I'm American. I just don't think China intends to militarily conquer the world.

    12. Re:Compiler Vulnerability by Anonymous Coward · · Score: 1

      And would Australia even be interested in jumping through that extra hoop considering that there are other vendor options available where Australia feels this isn't necessary? The price difference between Huawei and other vendors would have to be fairly sizable to warrant that.

      Why indeed. Why spend so much justifying why they are planning on over-paying to a company run by white people, when there has never been an "incident" with Huawei gear? Australia is spending millions trying to make sure they spend their money with white people, in order to secure an "insecure" residential Internet network. You tell me, why is Australia inventing all these hoops?

      Why? As China get more and more noticeable, many foreign people start to look into this country. Like learning the Chinese language or finding translated information from China. And people will know how Chinese people view the rest of the world. (See those arrogant/aggressive opinions on Chinese forum, you know.) Anybody other than Chinese people would feel uncomfortable.

    13. Re:Compiler Vulnerability by Luckyo · · Score: 2

      Even building firmware from the ground up wouldn't help this issue. You can install a backdoor on a chip. It's all about trusting the vendor not to have these, or to have these but only for trusted organisations.

      China and its security apparatus is simply not on the trusted list in Australia, while CIA/NSA appears to be.

  11. The US government did it! by kawabago · · Score: 5, Insightful

    When American telecom companies won contracts to supply a Soviet satellite, I think it was Poland, with telecom equipment, the CIA or NSA or both managed to get back doors into the equipment to both monitor calls and, in the event of hostilities, to shut the phone system down completely. If American companies let their Government subvert their technology in foreign countries, China would be foolish not to.

    1. Re:The US government did it! by DNS-and-BIND · · Score: 0, Troll

      I'm not sure - are you actually arguing in favor of this xenophobic, racist policy?

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    2. Re:The US government did it! by im_thatoneguy · · Score: 3, Insightful

      Yes. Because, it's not xenophobic, it's just plain good sense that critical infrastructure is a huge target. It's what every country should want their intelligence agencies doing. I hope every router sent to China has a backdoor in it that we can shut down in the event of a conflict.

      Why do you think China is working so hard to create their own CPU? They know this would be a massive liability and with 10 Billion transistors it's easy to hide things nowadays.

      I'm usually dismissive of conspiracy theories because they don't actually result in any parties profiting. But this is exactly the sort of thing that countries not only would profit from--but have already done.

      Imagine if every car in China could be turned off with a switch. That's a weapon I have absolutely no question our military would love to have. And one which *of course* the Chinese military would also want. If they could do it and get away with it--they will (just as we would).

    3. Re:The US government did it! by macbeth66 · · Score: 1

      Not sure why you were modded 'Troll', as you do have a point. However, it isn't an issue with a people or a group of people. It is an issue of this being a Communist Government with money. A lot of money. That is an insanely dangerous situation.

    4. Re:The US government did it! by Luckyo · · Score: 1

      China ceased being "communist" about twenty years ago. It's far closer to pure capitalism than the West at this point.

    5. Re:The US government did it! by WindBourne · · Score: 1

      LOL. Do you understand that only PART of China is capitalist? In addition, do you know that that part is not just heavily subsidized, but has the yuan fixed to the dollar so that it is trivial to 'compete'? And do you know that there is a difference between Capitalism with Democracy vs. a Totalitarian gov. combined with a mixture of Communist and Capitalist?

      --
      I prefer the "u" in honour as it seems to be missing these days.
    6. Re:The US government did it! by WindBourne · · Score: 0

      Sorry, but this is NOT xenophobic NOR racist to say that you will not accept equipment that has backdoors. Sorry, but it is insane to use communication equipment from China (or nations like North Korea, Iran, Venezuela, etc).

      --
      I prefer the "u" in honour as it seems to be missing these days.
    7. Re:The US government did it! by TheLink · · Score: 2

      That's the USA though.

      If Australia is that paranoid about China they should be even more paranoid about the USA too. Seems to me Australia should be asking Cisco and all the other US companies for their source code etc. In the global market Australia is not really a competitor with China, whereas Australia competes with the USA in many areas.

      China doesn't need to do stuff like this. Why would they want to shut down Australia? China doesn't even have enough nukes for a decent nuclear offense.

      --
    8. Re:The US government did it! by Luckyo · · Score: 1

      You use all those terms, but I don't think you actually understand what they mean. For example, in what way is improving competitiveness through regulating currency value not capitalist or specifically communist? It's neither; instead it's a country vs. country competitiveness issue.

      Finally you make a very basic mistake in confusing political system with a financial one, as well as confusing republic with a democracy.

    9. Re:The US government did it! by Robert+Zenz · · Score: 1

      Do you have a source for that? And if this was during the Cold War, then should any of us be surprised?

  12. Hardware by Anonymous Coward · · Score: 0

    You'd bury the covert functionality in the hardware. Good luck finding it.

  13. Horseshit - complete horseshit. by Anonymous Coward · · Score: 1

    If the Chinese Government said the sky was blue, I'd doubt it.

  14. IT'S A TRAP!!! by HPHatecraft · · Score: 3, Funny

    -signed Admiral Thomas Dalton Ackbar

    1. Re:IT'S A TRAP!!! by oodaloop · · Score: 2

      We can't repel overused movie quotes of that magnitude!

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
  15. Not without spending a lot of time and money by Anonymous Coward · · Score: 0

    Search for "Reflections on Trusting Trust" by Ken Thompson. At the end of his paper, he talks specifically about hiding code in firmware that never appears in the sources. The only way to be sure is to validate every single bit in the firmware, and every single gate on the silicon.

  16. it's the same as the cisco code by Joe_Dragon · · Score: 1

    it's the same as the cisco code they just changed some names around.

  17. See? We Yo Friends! by CanHasDIY · · Score: 0

    We no put secret backdoor code in yo phone! We no pee-pee in your Coke!


    So... Anybody know anything about any launch coooooooooodes?

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
    1. Re:See? We Yo Friends! by Required+Snark · · Score: 1

      You are a racist fuck. Get the hell off Slashdot, you ignorant pig.

      --
      Why is Snark Required?
    2. Re:See? We Yo Friends! by CanHasDIY · · Score: 1

      You are a racist fuck.

      Because I made a(n admittedly bad) joke? Or perhaps the reference to an old SNL skit? Quite the rigorous criteria you have there. Besides, how do you know I'm not Chinese myself, you idiotic, assumptive fuck?

      Get the hell off Slashdot, you ignorant pig.

      Nah.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
  18. Trusting trust by Anonymous Coward · · Score: 0

    http://cm.bell-labs.com/who/ken/trust.html

  19. Reflections on trusting trust by Anonymous Coward · · Score: 0

    Do we get access to the compiler's source code too?

  20. Who are the alternative bidders? by PPH · · Score: 2

    Is their h/w and s/w being audited for back doors and spyware?

    No need to audit US sourced equipment. Thanks to CALEA we are 100% certain it's been bugged.

    --
    Have gnu, will travel.
    1. Re:Who are the alternative bidders? by Luckyo · · Score: 1

      It's not the issue of being bugged as much as the issue of trust. You can be fairly certain that not only US, but pretty much all major world powers insert such bugs into equipment they manufacture.

      So in the end, it's about trusting the source government and its agencies.

    2. Re:Who are the alternative bidders? by Anonymous Coward · · Score: 0

      CALEA doesn't utilize backdoors. This is conspiracy theory gone rampant--again. Whenever CALEA is used, there is an intermediary device that is sent to an ISP that they're fully aware exists (because they typically have to rack mount it for 90 days or so). It isn't some crazy firewall / router bypassing technology that the FBI or NSA have. The ISP typically has to set up mirrored ports for this equipment. Too many slashdotters are wearing tinfoil hats and drinking the koolaid these days.

  21. and is this the code loaded on your device? by Anonymous Coward · · Score: 0

    how do you know that this code they are giving out is the code that is compiled and loaded on their devices?

  22. Re:Shame! by Anonymous Coward · · Score: 0

    Why is it that we suppose China's telecoms are spying for their government? Is it because they have slanty eyes? How unlikely a way to do espionage. I guess it's because the US thought up the idea, and of course, caused a good deal of trouble with stux. WE are the sneaky bastards.

    Thought up the idea? You can't be serious... this practice is hundreds of years old. The U.S. and China are just the latest in a long line of powerful nations trying to get a leg up any way they can.

  23. Simple answer by Alsee · · Score: 1

    "Will they be able to obscure any backdoors written into their equipment?"

    Yes.

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    1. Re:Simple answer by Anonymous Coward · · Score: 0

      Plus, considering that this is a hardware vendor, they could do something completely absurd like have a chip that responds to a series of increments and decrements by shorting ground to vcc. The ways of disabling a system are too numerous to count.

  24. Re:Shame! by tibit · · Score: 1

    It's not an unlikely way to do espionage you clod, it's the simplest way to do it. What's simpler than having direct access to all the communications infrastructure, accessible from anywhere in the world?

    --
    A successful API design takes a mixture of software design and pedagogy.
  25. and the rest by Anonymous Coward · · Score: 0

    What is the chance of seeing cisco and others do the same?

  26. Not possible by AaronW · · Score: 2

    I'll believe it when I see it. Many, if not most, of their products run on VxWorks, a proprietary closed-source real-time operating system. All it takes is for someone to find a way to access the t-shell and you own the box. I believe this was recently shown to be trivial to do with access to the web interface (no login needed). Once you are in the t-shell you own the box. In VxWorks the t-shell is like root on steroids. You can call any function, access any global variables or any memory location that you choose.

    VxWorks historically has not been a secure operating system, leaving security entirely up to the applications developer.

    VxWorks is not like a traditional operating system where you load programs off of a filesystem and execute them, with a clear separation between the OS and applications. Instead, everything is linked together into a single binary blob. Now it's possible it has changed significantly since I last used it, but I doubt it.

    --
    This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
    1. Re:Not possible by Anonymous Coward · · Score: 1

      I work for a company selling network security appliances and incidentally we also use vxWorks in many products.
      We have the whole source code, ditto for the build tools. vxWorks lends itself well to being trimmed down; we mostly kept just the scheduler. In particular, the shell has never been part of any production code.
      There is no "application" nor any way to install one, just a lean, dedicated-purpose, signed system "blob" running the show. We believe that the result is substantially harder to subvert (not to mention more responsive, more predictable, easier to audit and test) than what we could do based on some more generic -- and therefore far more complex -- OS.

  27. As Safe As Approving Food Based Upon The Recipe by Anonymous Coward · · Score: 1

    I am sure that the recipe for tainted food does not list lead, bacteria, or any other deadly contaminants.

  28. Not worth a lot.... by gweihir · · Score: 3, Insightful

    Backdoors cleverly disguised as obscure implementation bugs are very hard to find, and if you find them, you do not know whether they are bugs or obscure implementation errors. Typically, making sure no backdoors are in a piece of complex software is more effort and more difficult than reimplementing it with trustworthy and competent people.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Not worth a lot.... by Beardo+the+Bearded · · Score: 1

      Brilliant! You give the source code AND you put in flaws in the verification that you already know about, so you can trivially pwn the boxen.

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  29. Not enough by robmv · · Score: 2

    Source code access is never enough to guarantee that something is free of backdoors. How does it add up to the hardware? How can I verify the devices coming in (from China in this case) have the right binaries installed? And don't forget about hardware backdoors. It is like trusting a PC manufacturer with a preloaded Linux installation because I have the source code of it on a DVD to review. If you can't trust the manufacturer there is no source that can help.

    1. Re:Not enough by Anonymous Coward · · Score: 0

      You hit the target with a precision laser. Nobody has a way to know if they have the same binaries installed.

    2. Re:Not enough by thygate · · Score: 1

      Easy to checksum and verify the firmware binaries. You could also recompile and flash the new firmware yourself. I'd be more worried about obscure "bugs". As has been said above, going over the source code, or generated machine language in case the toolchain is also to be untrusted, is much more work and more expensive than just reimplementing the whole darn thing from scratch with competent people.

    3. Re:Not enough by Arker · · Score: 1

      You are right, simply having access guarantees nothing. It's necessary, but not sufficient. You verify that the source generated the binary by compiling it with the same compiler and settings and comparing the resulting binary to the one they shipped you. Hardware backdoors are not, of course, eliminated, but you can check for those in other ways (access to the hardware isn't a problem like access to source often is, obviously) and most hardware backdoors that would actually do something interesting would need a software component as well.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    4. Re:Not enough by Anonymous Coward · · Score: 0

      Yep exactly. Also everything could be perfectly installed and "secure", but the Chinese govt may just have a copy of all the passwords.

    5. Re:Not enough by Anonymous Coward · · Score: 0

      An ethernet controller chip is the perfect place for a software-untraceable backdoor.

  30. Can source code be trusted by Anonymous Coward · · Score: 0

    If you think that you can trust source code, read Brian Kernighan's 1984 Turing Award lecture.
    http://cm.bell-labs.com/who/ken/trust.html

  31. calling cisco's lawyers... by Anonymous Coward · · Score: 0

    Didn't a black hat presentation show that they were basically running an ancient ripped off version of cisco ios? May as well just invite cisco to sue.

    1. Re:calling cisco's lawyers... by Agent+ME · · Score: 1

      Er, no, the presenter stated that Huawei just imitated the hell out of Cisco's interface.

      I do wonder why everyone is worried about Huawei adding in backdoors specifically, when that presentation already shows that their stuff is vulnerable as hell and practically backdoored unintentionally.

  32. It isn't worth the risk. by hhawk · · Score: 1

    First consider the halting problem; you really can't tell what complex code can do... although many eyes are better than none. Then you have to check every code release and compare all the hardware to software, etc. This is (the halting problem) a complex/hard problem.

    Second, you have to see everything from the OS, the programs, programmable chips, firmware, etc.

    Third, you have to hope there isn't any type of "malware/spyware" that is loaded remotely post install, and that you see all the updates, etc. This would include the fear of back doors and automatic doors (default passwords, etc.).

    In the 1800s every major telegraph wire ran through England and while they said they wouldn't spy, they spied on EVERY msg. The benefit of spying is too great for China/PLA not to attempt something in the past, present or future.

    --
    http://www.hawknest.com/
  33. Lesson time by Anonymous Coward · · Score: 0

    This particular AC has mod points. Cheers.

    1. Re:Lesson time by fredprado · · Score: 1

      So?

    2. Re:Lesson time by Anonymous Coward · · Score: 0

      The behavior in this sub-thread is wretched. The insults and baseless assertions only trap the participants in a useless self-perpetuating abuse pattern, where they give up any goal of truth and virtue. It demonstrates a lack of self-awareness that only serves to reinforce a sort of deterministic reactionary victim-aggressor dance where each side is trying to gain the moral high ground of being the victim so they can then virtuously attack the aggressor.

      It is not healthy for you. Whats more, it is indicative of greater psychological traumas that should be addressed.

    3. Re:Lesson time by fredprado · · Score: 1

      Oh, please, go with your psychobabble and your self-righteousness somewhere else.

    4. Re:Lesson time by Anonymous Coward · · Score: 0

      In a thread about character, wow.

  34. I can't see this happening by hoolaparara · · Score: 1

    I'm sure the US government will step in and tell Australia not to, and I'm sure our PM will knuckle her forehead and say "By your command".

    This would set a dangerous precedent for source code to be made available and I can't see the US government thinking it's a good idea for American companies to have to do so.

    Not that I'm saying they've got US government backdoors in them, no I'm not .. know what I mean.... nudge nudge ... know what I mean.....

  35. paranoia will destroy ya by Anonymous Coward · · Score: 0

    get over it ...they are saying if you want to see source here ya go and huge hackers in australia i bet their govt has hired a few to "penetration test it"
    no govt doesn't have someone qualified and if needed i am sure we canucks can provide you with some....
    fact is this just is an attempt at trade embargoing via fear.
    plain and simple.

  36. So much noise about the Chinese.... by Cute+and+Cuddly · · Score: 1

    Who is to say that Cisco gear does not have a backdoor for the CIA or the NSA to spy as well?

    1. Re:So much noise about the Chinese.... by Anonymous Coward · · Score: 0

      No one. That's the whole point. If you want something done right, you fucking do it yourself.

  37. As an Australian... by Anonymous Coward · · Score: 1

    I'd much rather have the Chinese government listening in on my communications than the US government (who no doubt would have access if US equipment is bought instead).
    At least they won't extradite me for copyright violations.

  38. Every Country by Anonymous Coward · · Score: 0

    Every first world country needs to know how to build its own communication equipment. Any less, and I don't think you should be called first world.

  39. Just Because by hduff · · Score: 1

    Just because you can see the source code doesn't mean the binaries were compiled from it.

    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
    1. Re:Just Because by Arker · · Score: 1

      Just because you can see the source code doesn't mean the binaries were compiled from it.

      Once you have the source, the binaries, and the compiler, you can verify or deny whether that source produced that binary.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
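
An added example, not from any poster in this thread, of the check thygate and Arker describe above: hash the shipped firmware image against the vendor's published manifest, then compare the shipped image byte for byte with your own rebuild from the released source. The file names, the manifest format (one "hash  filename" line per image) and the sample images are constructed for the demo; the rebuild step itself (same compiler, same settings) is assumed to have already produced the rebuilt file.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a shipped firmware image
# matches what you rebuild from the vendor's source with the same toolchain.
# Assumed inputs: the shipped image, your own rebuild of it, and the vendor's
# SHA-256 manifest ("<hash>  <filename>" per line, sha256sum style).

# Portable SHA-256: GNU coreutils, BSD/macOS shasum, or OpenSSL as a fallback.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# Step 1 (the checksum): does the shipped image match the vendor's published
# hash? This only proves the file was not altered between vendor and you;
# a vendor can publish a perfectly correct hash for a backdoored build.
# Returns 0 on match, 1 on mismatch, 2 if the manifest has no entry.
check_manifest() {
    m_shipped="$1"; m_manifest="$2"
    m_name=$(basename "$m_shipped")
    m_expected=$(grep -E "[[:space:]]$m_name\$" "$m_manifest" | cut -d' ' -f1)
    if [ -z "$m_expected" ]; then
        echo "manifest: no entry for $m_name"
        return 2
    fi
    m_actual=$(sha256_of "$m_shipped")
    if [ "$m_actual" = "$m_expected" ]; then
        echo "manifest: OK ($m_actual)"
        return 0
    fi
    echo "manifest: MISMATCH expected=$m_expected actual=$m_actual"
    return 1
}

# Step 2 (Arker's point): does the image you rebuilt from the released source
# match the shipped one byte for byte? A mismatch means either non-deterministic
# build inputs (timestamps, paths, build IDs) that you must pin down first, or a
# shipped binary that was not produced from the source you were given.
check_rebuild() {
    r_shipped="$1"; r_rebuilt="$2"
    if cmp -s "$r_shipped" "$r_rebuilt"; then
        echo "rebuild: identical to shipped image"
        return 0
    fi
    r_ndiff=$(cmp -l "$r_shipped" "$r_rebuilt" 2>/dev/null | wc -l | tr -d ' ')
    echo "rebuild: DIFFERS in $r_ndiff byte(s); first differences (offset, octal bytes):"
    cmp -l "$r_shipped" "$r_rebuilt" 2>/dev/null | head -n 5
    return 1
}

# Both checks must pass; the manifest check alone is not evidence of provenance.
verify_firmware() {
    check_manifest "$1" "$3" || return 1
    check_rebuild "$1" "$2" || return 1
}

# Demo on constructed files: one faithful rebuild, one that differs by a byte.
demo() {
    d=$(mktemp -d)
    printf 'constructed firmware image, build 1\n' > "$d/fw.bin"
    cp "$d/fw.bin" "$d/rebuilt_same.bin"
    printf 'constructed firmware image, build 2\n' > "$d/rebuilt_diff.bin"
    printf '%s  fw.bin\n' "$(sha256_of "$d/fw.bin")" > "$d/SHA256SUMS"
    echo "== faithful rebuild =="
    verify_firmware "$d/fw.bin" "$d/rebuilt_same.bin" "$d/SHA256SUMS"
    echo "== rebuild that does not match =="
    verify_firmware "$d/fw.bin" "$d/rebuilt_diff.bin" "$d/SHA256SUMS" || true
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run with `--demo` to see both outcomes; in real use the rebuilt image must come from a build whose timestamps and embedded paths are pinned, or the byte comparison will fail for reasons unrelated to tampering.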
  40. Underhanded C Contest anyone?? by Wrath0fb0b · · Score: 1

    This reminded me of The Underhanded C Contest -- where the goal is to introduce malicious-acting but innocent-looking bugs that, even upon discovery as bugs, could be passed off as programming errors and not intentional backdoors. This should be required reading for anyone reading potentially-hostile code that's trying to pass an audit.

    Surely Huawei has a large enough networking codebase to put enough of these in that Oz won't find them, and even if they do find them all -- how do you prove that a bug with an unintended leak/security concern was malicious?

    1. Re:Underhanded C Contest anyone?? by rwise2112 · · Score: 1

      Ah so it's - 'it's not a feature, it's a bug!'. An interesting twist!

      --

      "For every expert, there is an equal and opposite expert"
  41. No - read 'Reflections on Trusting Trust' by Anonymous Coward · · Score: 0

    http://cm.bell-labs.com/who/ken/trust.html "The moral is obvious. You can't trust code that you did not totally create yourself."

  42. BBC reports only part of the offer by GumphMaster · · Score: 3, Informative

    What the BBC is reporting is not quite what was offered. The ABC quotes Mr Lord as:

    "Huawei is willing to offer complete and unrestricted access to our software source code and our equipment in such an environment," he said. "And in the interests of national security, we believe all other vendors should be subject to the same high standard of transparency."

    The reference to "such an environment" is an industry funded organisation dedicated to vetting this stuff.

    The exercise is nothing more than a PR spin. Huawei knows full well that the other players will neither want to fund a centre that effectively lets a competitor back into the race nor subject their own code to such scrutiny and risk rejection. He is the local face of Huawei so he has to say these things, but they will not change anything.

    --
    Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
  43. Will it show "Cylon Kill Switch" subroutine? by k6mfw · · Score: 1

    I'm not an authority on such equipment and usually take SF as simply entertainment value, but after watching BSG remake, I always wondered if such computer systems sold to USA has this kind of code inside.

    --
    mfwright@batnet.com
  44. Wait till the update trojan by Anonymous Coward · · Score: 0

    Great so the original source code MIGHT be clean but any update at any time could install just about anything.

  45. Do as the Japanese by Anonymous Coward · · Score: 0

    Require them to pay $20 million to have the software and hardware evaluated. This evaluation process takes at least 3 years and will OF COURSE result in hundreds or thousands of "concerns" that must be addressed (fixed) before the hardware or software is approved for sale. By the time the equipment is fully vetted the process takes at least 7 years and of course everything is obsolete. Rinse, repeat as necessary.

  46. Who needs a back door? by Minupla · · Score: 4, Informative

    Who needs a back door when you have a range of security vulnerabilities to choose from.

    Here's the slide deck from the Huawei talk at Defcon 20 this year. At the end of the talk the presenter addressed the topic of backdoors by saying (my paraphrase) given the state of the code, who knows if a given hole is a backdoor or an unintentional security vulnerability.

    The deck is worth a read if only for the fortune cookie slides, which contain actual quotes from the object code:
    http://phenoelit.org/stuff/Huawei_DEFCON_XX.pdf

    Min

    --
    On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
    1. Re:Who needs a back door? by wer32r · · Score: 2

      When I read through the PDF I started to suspect that these "bugs" must have been put there on purpose. The most convincing slide (IMHO) that supports this is the slide about the Web UI session vulnerability.

      * Uses a Session-ID, called UID: the hex representation of a 32Bit value
      * We only need to test 11 Bit of the UID in order to gain access
      * We can log in with a simple Perl script

      Who would leave such a door open by mistake?

    2. Re:Who needs a back door? by Anonymous Coward · · Score: 0

      Defcon speech was about H3C, which is now owned by an American company (HP). Huawei ARx9 was an OEM version of H3C routers.

  47. Anything new from Slashdot ? by Taco+Cowboy · · Score: 4, Insightful

    Is there anything new Slashdot can offer, other than this same old China bashing orgy?

    If you think that equipment from Huawei is dangerous, what makes you think that Cisco equipment doesn't come with backdoors?

    Which equipment did the Stuxnet virus target?

    Equipment from China or those from the Western countries?

    It's easy to bash China - as China has become the poster boy for bashing orgy - from Presidential debate to this one in Slashdot - but I do expect MORE from those who come to Slashdot.

    Unlike the tweedledee and tweedledum on the presidential debate, you guys do have brains.

    It's time you use your brain to think, rather than letting others doing the thinking for you.

    If Huawei (and all equipment from all Chinese companies) is suspicious, what makes you think that equipment from Germany or Japan or Britain or Korea or Canada or USA isn't?

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:Anything new from Slashdot ? by anomaly256 · · Score: 2

      I never said China was dangerous. I was just stating a fact that releasing the VHDL for their ASICs would be commercial suicide, and that releasing source doesn't prove there's no backdoors in the silicon. It's a futile exercise on the part of *both* sides. It boils down to nothing but America trying to defend its own businesses and market share - not national security.

      Please 'take your own medicine' and apply some critical thinking before making assumptions and lumping me in one category or another. And FYI, my wife is Chinese and I go there a lot to visit my delightful in-laws. I'm also American. Amazing eh? ...

    2. Re:Anything new from Slashdot ? by Luckyo · · Score: 1

      The argument is probably that they're less afraid of CIA/NSA backdoors than Chinese backdoors.

      Considering the history, I'd say that fear is quite a bit unwarranted, both are about equally scary, at least at the moment. And anyone who thinks cisco et al don't have backdoors for these organisations is fairly ignorant of how the world works.

      It's a whole other issue if these backdoors are actively used. I personally very much doubt it. They're most likely "last resort" kind of backdoors that only few people have access to. But with China being a rising power, it's an unknown in terms of its policy towards such backdoors and their usage. And unknown is always scarier to those in power than known, because you can compensate for known threats fairly well in your plans.

    3. Re:Anything new from Slashdot ? by ozmanjusri · · Score: 1

      what makes you think that Cisco equipment don't come with backdoors?

      Cisco gear does have backdoors. Google "Cisco lawful intercept". No doubt there are more.

      http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/lawful_intercept/76LIch1.html

      --
      "I've got more toys than Teruhisa Kitahara."
    4. Re:Anything new from Slashdot ? by evilviper · · Score: 0

      There are no American companies that compete with Huawei. The last American telcom hardware company went out of business long ago. Their competitors are several European firms, like Siemens and Alcatel.

      If you'd like to claim that the US government is trying to protect European companies... you not only need proof, but some theory of motive, too.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    5. Re:Anything new from Slashdot ? by anomaly256 · · Score: 1

      Yeah I guess Motorola are defunct, right?

    6. Re:Anything new from Slashdot ? by anomaly256 · · Score: 1

      And Cisco and ..

    7. Re:Anything new from Slashdot ? by gadget+junkie · · Score: 1

      The argument is probably that they're less afraid of CIA/NSA backdoors than Chinese backdoors.

      Considering the history, I'd say that fear is quite a bit unwarranted, both are about equally scary, at least at the moment. [...]

      No.
      It's like the Soviet Union of old. Western governments are rightfully scared, because most of the research and technology work is still done in the traditional institutions in western society, and those billions of dollars in research money would go down the drain. The Russian secret services are still active, probably because of that. It happened in reverse... a few centuries back, when a monk brought back from China the silkworm, which was considered by the Chinese a trade secret.
      Also, most of our economy's infrastructure is internet based, and you cannot scare people about Cyberattacks and then disregard the hardware aspect. Many sane people, if explained the situation this way, would utter "..And you waited until NOW to tell me?!?!?", and go crash some Chinese solar panels.

      Moreover, it's not called "the hermit kingdom" for nothing, and Huawei exists at the behest of an unelected elite which is scared by its own people, and that limits political speech in any way possible, remember the great wall of China.
      Having said that, other governments disregard the risk, not because it's not there, but because as an information gathering machine it's too blunt to be of much use, and most of it would not be actionable in democratic societies.

      --
      "If a boss demands loyalty, give him integrity. But if he demands integrity, give him loyalty." (John Boyd, 1927-1997)
    8. Re:Anything new from Slashdot ? by cold+fjord · · Score: 3, Informative

      If Huawei (and all equipment from all Chinese companies) is suspicious, what makes you think that equipment from Germany or Japan or Britain or Korea or Canada or USA isn't?

      Hmmm . . . are there any other one party communist states with aspirations of hegemony, a long history of enmity against democratic government, free enterprise, and personal liberty, that currently have intense foreign espionage efforts directed against the West, that make direct threats against the United States while being armed with intercontinental ballistic missiles armed with nuclear weapons, on the list? No, China. . . make that the People's Republic of China, one of the few remaining Communist dictatorships on earth, is unique in that regard. Isn't that clear? China is reforming economically much faster than politically, although that is coming along in small fits and starts. But fundamentally, China is still a dictatorship run by the Chinese Communist Party.

      Which equipment did the Stuxnet virus target?

      That was SCADA controllers made by Siemens, a German company, being used by Iran - a Shia-led theocratic government imposing Sharia law in Iran while they seek hegemony in the region. Iran is using that equipment to run centrifuges to develop highly enriched Uranium, and has been discovered to be engaged in activities applicable only to nuclear weapons development. Iran tries to intimidate its neighbors, is a state sponsor of terrorism world-wide, funds, trains, and arms Hezbollah with tens of thousands of rockets and missiles to control Lebanon and attack Israel until it can make good on its barely veiled threats of genocide against Israel, and general threats against Europe and the United States. Until the Islamic revolution in Iran in 1979, Iran and Israel had been on good terms. It is the theocratic government in Iran that has declared them to be enemies - the conflict isn't Israel's fault - Iran was not part of the Arab-Israeli wars. And yet some people take the bankrupt position that it is Iran that needs protection from Israel. Stuxnet and its kin may be the only reason the world isn't in a shooting war in the region now.

      It's easy to bash China - as China has become the poster boy for a bashing orgy - from the Presidential debate to this one on Slashdot - but I do expect MORE from those who come to Slashdot. Unlike the Tweedledee and Tweedledum in the presidential debate, you guys do have brains. It's time you used your brain to think, rather than letting others do the thinking for you.

      Some people use their powers of reason to understand the facts above and their implications, others use their reason to rationalize away uncomfortable facts, like those above.

      In much of the West, the well educated have been taught to believe that they can know nothing and that they can draw no independent conclusions about truth, unless they cite a study and "experts" have affirmed it. "Studies show" is to the modern secular college graduate what "Scripture says" is to the religious fundamentalist. -- Dennis Prager

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    9. Re:Anything new from Slashdot ? by Anonymous Coward · · Score: 0

      I work for the Aus Government (not saying where). Needless to say, I can tell you with great confidence that the vast, vast majority of attempted intrusions on our networks are attributed to China and its agents. This is the prime reason why the Australian Government is so paranoid about electronic equipment that is sourced from China.

      It's only bashing if it's baseless.

    10. Re:Anything new from Slashdot ? by Anonymous Coward · · Score: 0

      Thank you for this post, and thanks to the mods that modded you up, it's nice to see that there is still some intelligence on Slashdot nowadays.

      Between UN bashing and China bashing I thought it'd basically become nothing more than a bastion for right-wing American circle jerks.

    11. Re:Anything new from Slashdot ? by OeLeWaPpErKe · · Score: 2

      I imagine a similar argument was made in the USSR about Xerox photocopiers. Oh, right, those spying photocopiers.... Now while you can argue that it's just the US being evil and therefore expecting everyone else to be evil, anyone who deals with the Chinese government has absolutely no illusions about which government is the best of the two.

      The Chinese government has been caught red-handed on several occasions attacking private companies, so ... what doubt is there, really, that Huawei equipment is too dangerous, even if it's not outright sabotaged from the start?

    12. Re:Anything new from Slashdot ? by Anonymous Coward · · Score: 0

      And has there ever been any verifiable find of a backdoor on Chinese network equipment? As far as I can tell all publications depend on insinuation rather than facts.

    13. Re:Anything new from Slashdot ? by Anonymous Coward · · Score: 0

      Great post! The question is not so much whether states would sabotage hardware/software they sell to other states, the real question is "would you mind if $state would have control over your computer infrastructure?".

      And for any sane human being:
      US - prefer not, but not going to kill me
      China - you're dead

      In much of the West, the well educated have been taught to believe that they can know nothing and that they can draw no independent conclusions about truth, unless they cite a study and "experts" have affirmed it. "Studies show" is to the modern secular college graduate what "Scripture says" is to the religious fundamentalist. -- Dennis Prager

      This is sad, but it is obvious why that is. We always keep saying that science works (as opposed to, say, religion X or Y) because you can derive everything from first principles. The sad truth is that that stopped being a reasonable position about 60 years ago. You cannot correctly derive mathematics from first principles, and by extension it doesn't work for anything else either. (excepting certain parts of pure logic, but it is literally as bad that "1,2,3,..." cannot be shown to be correct, and in fact out of the last 5 theories for natural numbers, 4 have been shown to be incorrect (chances are, btw, that the axioms you've learned in school more than 10 years ago, contain the choice axiom (which states that any property defines a set, which is not true, there are mathematical objects that neither are sets, nor can they be part of a set at all) and are thus flat-out wrong. This, of course, despite that we know the choice axiom to be inconsistent for more than 30 years))

      The problem is that in reality this has led to entire fields of study ignoring the axioms of mathematics altogether. People think there is no problem for climate science to use statistics on number series that don't obey the central limit theorem. But social pressure is used to make people ignore this, presumably because of the goal. Same thing goes for, say, medicine. Everybody knows the placebo effect: what boils down to being falsely convinced you'll get better can, for surprisingly many diseases and conditions, improve the odds of a full recovery by a factor of 2 (on the low end) up to a factor of 90 in some cases, WITHOUT any actual treatment. The problem with that is that the effectiveness of the placebo effect far outstrips the effect of most medications in widespread use. The statistics used in medicine literally have to compensate for this. I don't know about you but I'm saying "WTF", and the more I learn about it the more unanswerable questions I find. Assuming, for example, that a good quack is able to evoke the placebo effect, that alone would give that person a better patient record than a modern oncologist (which is unfair, since that oncologist would only get called in the hard cases, but still it's amazing it works at all, and only God knows how many diseases can be cured by religion). But it's not just "soft" sciences' statistics that fall apart under mathematical scrutiny. Some sciences are plain contradictory; in physics the equations for relativity and QCD, the most advanced theories we have, are no better than a presidential speech: a first year student can immediately name 5 blatant contradictions ... and (s)he's right about them!

      And what worries me most is this: every year there is more social pressure for "believing" in all theories, whether we're talking climate science or string theory, and less room for discussions. Deciding which theory is right is much more a social/political thing than an experimental thing.

      What the hell is happening?

    14. Re:Anything new from Slashdot ? by Anonymous Coward · · Score: 0

      Cisco gear does have backdoors. Google "Cisco lawful intercept". No doubt there are more.

      http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/lawful_intercept/76LIch1.html

      This isn't really a backdoor, just something ISPs and college campus networks are required to have available. The ISP is still responsible for having it properly set up and accessible. Even then, it's enabled on a case by case basis with cooperation from the ISP.

      Additionally, the actual collection of information from a LEA is performed on a separate device, usually a server they send you for a period of time. See http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act

      An example of a real backdoor would be a way for the FBI / NSA to gain access to networks behind a Cisco device owned by an ISP without an ISP's network admin being aware of the access.
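
The distinction the post above draws, that lawful intercept is configured by the operator case by case and hands traffic to a separate mediation device the operator knows about, is something an operator can check for themselves. Below is an added example, not code from the post and not a Cisco tool, that reconciles a device's intercept inventory against the operator's own authorization ledger and list of known mediation devices. The inventory line format, tap ids, addresses, timestamps and ledger entries are all constructed for this example.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample: an intercept inventory as an operator might export it from
# a device. The "tap id=... target=... mediation=... since=..." line format is an
# assumption made for this example, not a real vendor format.
TAP_INVENTORY = """\
tap id=1001 target=203.0.113.5 mediation=198.51.100.7 since=2012-10-20T00:00:00Z
tap id=1002 target=203.0.113.9 mediation=198.51.100.7 since=2012-10-22T08:30:00Z
tap id=1003 target=203.0.113.44 mediation=192.0.2.250 since=2012-10-24T23:59:00Z
"""

# Constructed authorization ledger: tap id -> (valid_from, valid_until), as the
# operator's compliance team would record for each order it acted on.
AUTHORIZATIONS: Dict[int, Tuple[str, str]] = {
    1001: ("2012-10-20T00:00:00Z", "2012-11-20T00:00:00Z"),
    1002: ("2012-10-22T00:00:00Z", "2012-10-23T00:00:00Z"),  # lapsed after one day
}

# Mediation devices the operator knows about (the separate collection box the
# post describes). Anything else receiving intercepted traffic is suspect.
KNOWN_MEDIATION: Set[str] = {"198.51.100.7"}


class Tap(NamedTuple):
    tap_id: int
    target: str
    mediation: str
    since: datetime


LINE_RE = re.compile(r"^tap id=(\d+) target=(\S+) mediation=(\S+) since=(\S+)$")


def parse_ts(s: str) -> datetime:
    """Parse the UTC timestamps used in the constructed records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_inventory(text: str) -> List[Tap]:
    """Parse the constructed inventory export. Malformed lines raise instead of
    being skipped: a reconciliation that silently drops taps is worthless."""
    taps: List[Tap] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable inventory line: {line!r}")
        taps.append(Tap(int(m.group(1)), m.group(2), m.group(3), parse_ts(m.group(4))))
    return taps


def reconcile(taps: List[Tap], authorizations: Dict[int, Tuple[str, str]],
              known_mediation: Set[str], now: datetime) -> Dict[str, List[int]]:
    """Classify every active tap against the operator's own records.

    A tap can land in more than one bucket (unauthorized and also sending to an
    unknown mediation device, say); each finding is reported independently.
    "outside_window" covers both expired and not-yet-valid authorizations."""
    findings: Dict[str, List[int]] = {
        "ok": [], "unauthorized": [], "outside_window": [], "unknown_mediation": []
    }
    for tap in taps:
        if tap.mediation not in known_mediation:
            findings["unknown_mediation"].append(tap.tap_id)
        auth = authorizations.get(tap.tap_id)
        if auth is None:
            findings["unauthorized"].append(tap.tap_id)
        elif not (parse_ts(auth[0]) <= now <= parse_ts(auth[1])):
            findings["outside_window"].append(tap.tap_id)
        else:
            findings["ok"].append(tap.tap_id)
    return findings


def run_sample() -> Dict[str, List[int]]:
    """Reconcile the constructed inventory as of a fixed review time."""
    now = parse_ts("2012-10-25T00:00:00Z")
    return reconcile(parse_inventory(TAP_INVENTORY), AUTHORIZATIONS, KNOWN_MEDIATION, now)


if __name__ == "__main__":
    for bucket, ids in run_sample().items():
        print(f"{bucket}: {ids}")
```

Run as a script it reports tap 1001 as in order, 1002 as running past its authorization, and 1003 as both unauthorized and feeding an unknown mediation address. The point is that the operator, not the vendor, holds the ledger the device state is checked against; a tap that the device knows about and the ledger does not is exactly the "without the network admin being aware" case the post names.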

    15. Re:Anything new from Slashdot ? by Anonymous Coward · · Score: 0

      Of all the countries to suspect, Taco is correct.... CHINA? It makes no sense.
      This isn't the 60's anymore.

      The volume of their output is massive. If even a tiny fraction WERE bugged, it'd be a MASSIVE blow to their economy when we found out.
      And to suspect THEM, when WE are putting out malware campaigns? Are we retards here in the states, or what?

      Not to mention how intimately tied our electronics markets ARE... try to do ANYTHING without Chinese hardware. Go on.
      If you can send one TCP packet without something made in China, I'll be frankly fucking impressed and ask how you managed.

    16. Re:Anything new from Slashdot ? by Anonymous Coward · · Score: 0

      Because I've worked in the telecom equipment industry for many years. I'll give you a nice example - a Huawei employee was caught at a trade show pulling cards out of our equipment in our booth after hours and taking pictures of the hardware. And after he was arrested and the camera was examined there were pictures of other vendors' hardware on there as well. If that happened in my company I would immediately be fired.

      I'm sorry if you think that their cultural norm of "it's ok to steal" doesn't equal an invalidation of trust. I know people who have worked for Huawei, and the stories they tell are of the same ilk, where employees will rifle through their own customers' desks after hours. I also know people who have worked for many other vendors, including from companies and countries you mentioned, and I don't hear anything like that, and I KNOW it's not like that at my company.

      So take your righteous indignation somewhere else. Reality proves you utterly wrong.

    17. Re:Anything new from Slashdot ? by Anonymous Coward · · Score: 0

      Dear Taco Cowboy,

      Australia went to war under false pretences (a faked dossier). Do you think we gave a crap? Nope. We blindly hand cheques to certain western countries. Our previous PM (who blindly supported this) even destroyed a few careers (quite publicly) along the way. We're even happy to hang Assange and Hicks out to dry without even a trial. What makes you think we give a toss about Huawei that's not US based^h^h^h^h^h^h^h^h a western company.

      Note: Huawei is linked to some organisations that may not help their cause...
      http://en.wikipedia.org/wiki/Huawei#Security_concerns

    18. Re:Anything new from Slashdot ? by evilviper · · Score: 1

      Neither Motorola nor Cisco make the telecom equipment we're talking about. LTE base stations, for example, are a big one.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    19. Re:Anything new from Slashdot ? by sincewhen · · Score: 1

      Here's an interesting thought - given that there is a high probability of such a backdoor in Cisco equipment, how long until some black hat invests the time needed to find and exploit it? At which point he can hold much of the global network infrastructure to ransom.

      --
      -- Braden's law of data: All data spends some of its lifetime in an excel spreadsheet.
    20. Re:Anything new from Slashdot ? by Anonymous Coward · · Score: 0

      As an Asian, I have to say yes, this is picking on China, but for a reason. They do a lot of things that totally disregard ethics. Really can't trust them. One single example is using politics to block out many major IT companies (Google, Facebook etc) so that their local companies have time to grow and copy the exact strategies and IP of the blocked companies.

    21. Re:Anything new from Slashdot ? by Luckyo · · Score: 1

      You forget the classic XKCD on security: https://xkcd.com/538/

      Relevant organisations are very interested in keeping their backdoors to themselves. Wrench to the head works the other way around too.

  48. Backdoor is not the issue by Anonymous Coward · · Score: 0

    The USA has put the word out that Huawei cannot be trusted. Why would they do that? Is it because the USA has lots of backdoor experience or is it because the USA wants to eliminate competitors?

    1. Re:Backdoor is not the issue by WindBourne · · Score: 1

      Or have we found plenty of backdoors on Chinese equipment? I would say the latter.

      --
      I prefer the "u" in honour as it seems to be missing these days.
  49. Is China really the worst enemy? by Anonymous Coward · · Score: 0

    It seems that news sites like /. have been filled with discussion regarding doubts about Chinese manufacturers, but how many of you really believe there _wouldn't_ be any government backdoors in US or European made equipment? Which of us can really say that products of major manufacturers like Cisco and HP would be completely backdoor free? Yeah, thought so...

  50. its a ploy for china by Anonymous Coward · · Score: 0

    The USA is jealous of China because it's taking the place of the USA in global market share. So the USA creates false news and ploys against China. China should take legal action against the USA.

  51. If a company tries this hard to make you look at . by WindBourne · · Score: 1

    something, then it is a sign that something else is going on. If anybody in the west uses ANY of these Chinese telcos or their hardware companies, they deserve to be massively cracked. It is long past time for the west to bring back ALL important manufacturing, and much of the rest.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  52. it depends on who you are by r00t · · Score: 3, Insightful

    If Huawei (and all equipment from all Chinese companies) are suspicious, what makes you think that equipment from Germany or Japan or Britain or Korea or Canada or USA isn't?

    If I'm running a business in Australia, each of the listed non-Chinese countries is a minor concern. All have strong intellectual property protection. They mostly don't have a reputation for cloning foreign products. China is a different matter entirely.

    If I'm running a business in any of the listed countries, China or otherwise, obviously my own country is preferred. They'd kick in my door if they wanted something; it's easier and more fun than hacking. I'd like protection from the others.

    If I'm running a business in Iran, I probably want Korea or Japan. China is trying to pry into my finances for trade negotiation, and everybody else just hates Iran.

    1. Re:it depends on who you are by sFurbo · · Score: 1, Insightful

      It also depends on where the competition is situated. US intelligence has shown its willingness to do industrial espionage, so if your direct competition is a big American company, US-produced gear is as suspect as Chinese gear would be if your main competition was Chinese. This probably goes for most other countries as well.

  53. Doesn't mean much by photon317 · · Score: 1

    All sufficiently complex software has security holes. Huawei's software undoubtedly has several. By simply employing their own "Red Team" to actively look for exploits in their normally-produced source code, but then always leaving 2-3 good remote exploits unpatched, they guarantee themselves a non-obvious backdoor. As development continues and new flaws are uncovered, they can bugfix some of the older withheld flaws, trading them for new ones.

    If the code were open-source, at least the outside world would be on a level playing field with them, but when it's proprietary they have the advantage by a landslide (since the rest of the world has the additional burden of reverse engineering and/or fuzzing the equipment to find what they can grep code for). Providing just Australia one-shot access to review the source doesn't really change the situation much.

    --
    11*43+456^2
  54. not all in the source by Anonymous Coward · · Score: 0

    While the source code (both drivers and firmware) can show a lot, you can embed software in silicon. There is no access to it in either ROM or RAM. A fusible link, for example, can be just a chip on a board (in a multi-level board it can be hidden between layers). Accessing the board can be done with a very long/specific key sequence. But even if they don't do this, it's not hard to access a public phone network (if you are on a wireless phone then they can receive all information wirelessly), and they can add TEMPEST eavesdropping equipment along lines and switching equipment. Most phone conversations aren't encrypted (the government insists!). So we are worried about the Chinese listening, but the local national government? Why do we give them a pass?

  55. Re:If a company tries this hard to make you look a by Anonymous Coward · · Score: 0

    Totally understandable that they'd like a slice of the $47 billion NBN pie, plus the possibility of ongoing service contracts and upgrade/replacement equipment. I imagine the gear bought from Cisco etc. is already pwned by ASIO and the NSA if required....

  56. The source that makes it to customers? by Anonymous Coward · · Score: 0

    If it's anything like the Linux kernel source code they release for their Android phones, then it won't compile to what actually gets onto the phones, same as ZTE.

  57. Sure, every country might backdoor chips by Anonymous Coward · · Score: 0

    But Australia is allied with US very tightly, they share a lot, it would present a risk to the operations of that alliance.

    If you don't think China takes every opportunity they can get to perform corporate and government espionage, then my boyo, you are living in the past.

    Integrating with the NBN would present a truly golden opportunity for espionage for the government run and owned company Huawei. Why do you think they are trying so hard after being told No, No, and No.

    So, you ask, what makes the difference with Germany or Japan or Britain or Korea or Canada or USA??? They are all our allies, and we already share information as allies do.

    It's like some people don't realise that there is a geopolitical power struggle with two main sides....

  58. And the USA does???? by Anonymous Coward · · Score: 0

    "sorry, but china, you don't get our trust"

    But the USA *does*???

  59. open source by Anonymous Coward · · Score: 0

    I live in New Zealand and my ISP gave me a Huawei modem, nothing special, usual ISP junk. What was interesting was that it included a crudely photocopied and chopped up note that stated it contained open source programs and gave me a yahoo.cn email address where I could obtain the source code and documentation.

    Of course, to this day I have not had a reply.

  60. Reverse engineered by Anonymous Coward · · Score: 0

    Perhaps they got rejected because there were NO backdoors.

  61. Dude please put down the Bong by RobertLTux · · Score: 1

    I would think that there is exactly ZERO chance of making a rigged simple component without making it look different from what is normal.

    Now you might be able to dink with an IC (by using a smaller process than the chip requires) but at the resistor/cap/diode level there is NO ROOM.

    Even if you somehow "bugged" a component, tolerances would be murder.

    --
    Any person using FTFY or editing my postings agrees to a US$50.00 charge
    1. Re:Dude please put down the Bong by rtb61 · · Score: 1

      Think old school, before the internet and software took over and intelligence agencies around the world did everything the hard way via hardware. They still have the budgets and the staff and the skill. Look how tiny and complex RFID chips are. So what if one component looks slightly bigger than the others? Who is going to check every single part on every single board? Hell, you can even insert inside the board itself, with connectors going right through the board; power is no problem, and the chances of finding them are pretty much zero, except perhaps X-raying the board prior to assembly. Rather than doing this on the assembly line you simply intercept the supply chain and replace the safe with the unsafe based upon destination. So watch who owns or controls the supply chain rather than manufacturers.

      --
      Chaos - everything, everywhere, everywhen
  62. No. Consider this: by PotatoHead · · Score: 1

    http://cm.bell-labs.com/who/ken/trust.html

    They need extensive testing and an object level code audit, along with tool chain certification to ensure what they are running is what the code represents.
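
Two comments in this thread, "The source that makes it to customers?" (released kernel source that does not compile to what ships on the phone) and "No. Consider this:" (the Thompson trust link and the call for an object-level audit against the tool chain), come down to one practical check: rebuild from the offered source with a tool chain you control and compare the result byte for byte against the image taken off the device. The following is an added example, not code from the thread or from Huawei, that performs that comparison over constructed sample images. The component names and bytes are invented; on a real audit the "shipped" side is dumped from the device and the "rebuilt" side comes out of your own build.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample images. "Shipped" stands for what was extracted from the
# device; "rebuilt" for what compiling the offered source produced. Names and
# bytes are invented for this example.
SHIPPED: Dict[str, bytes] = {
    "boot.img":  b"BOOT" + bytes(range(64)),
    "modem.bin": b"MODM" + bytes(64) + b"\xde\xad\xbe\xef" + bytes(32),
    "blob.bin":  b"BLOB" + bytes(16),  # no source was offered for this component
}
REBUILT: Dict[str, bytes] = {
    "boot.img":  b"BOOT" + bytes(range(64)),                             # reproduces exactly
    "modem.bin": b"MODM" + bytes(64) + b"\x00\x00\x00\x00" + bytes(32),  # four bytes differ
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Return [start, end) byte ranges where a and b differ.

    A few small ranges usually mean build noise (timestamps, build ids) that an
    auditor can account for one by one; many or large ranges mean the offered
    source simply does not describe the shipped binary."""
    ranges: List[Tuple[int, int]] = []
    n = min(len(a), len(b))
    i = 0
    while i < n:
        if a[i] == b[i]:
            i += 1
            continue
        start = i
        while i < n and a[i] != b[i]:
            i += 1
        ranges.append((start, i))
    if len(a) != len(b):  # one image has a tail the other lacks
        ranges.append((n, max(len(a), len(b))))
    return ranges


def verify(shipped: Dict[str, bytes], rebuilt: Dict[str, bytes]) -> Dict[str, dict]:
    """Compare every shipped component with the rebuild of the same name.

    Components with no rebuild are reported, not ignored: an unreproducible
    blob is exactly what a source review cannot vouch for."""
    report: Dict[str, dict] = {}
    for name in sorted(set(shipped) | set(rebuilt)):
        if name not in rebuilt:
            report[name] = {"status": "missing_from_rebuild",
                            "shipped_sha256": sha256(shipped[name])}
        elif name not in shipped:
            report[name] = {"status": "not_shipped",
                            "rebuilt_sha256": sha256(rebuilt[name])}
        else:
            s, r = shipped[name], rebuilt[name]
            entry = {"shipped_sha256": sha256(s), "rebuilt_sha256": sha256(r)}
            if entry["shipped_sha256"] == entry["rebuilt_sha256"]:
                entry["status"] = "match"
            else:
                entry["status"] = "mismatch"
                entry["ranges"] = diff_ranges(s, r)
                entry["differing_bytes"] = sum(end - start for start, end in entry["ranges"])
            report[name] = entry
    return report


def unverified_components(report: Dict[str, dict]) -> List[str]:
    """Names of shipped or rebuilt components the offered source does not account for."""
    return sorted(name for name, entry in report.items() if entry["status"] != "match")


if __name__ == "__main__":
    rep = verify(SHIPPED, REBUILT)
    for name, entry in rep.items():
        print(name, entry["status"], entry.get("ranges", ""))
    print("unverified:", unverified_components(rep))
```

The hash comparison alone answers "is this the source for that binary"; the byte ranges are what make a mismatch actionable, because the auditor can map each range back to a section of the image and decide whether it is an embedded build timestamp or code the source never contained. The check only means something if the rebuild uses a tool chain the reviewer trusts independently of the vendor, which is the point of the Thompson paper linked above.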

  63. No way we should allow this by Douglas+Goodall · · Score: 1

    As an Internet systems administrator, I am personally aware of the thousands of attacks per day on my systems from various places in China. If Huawei is so great, how come they tolerate and allow Chinese hackers to attack our country on such a grand scale? There is of course the question of whether these attacks are sanctioned by the Communist Party. And I guess as well we should ask if we want to buy critical infrastructure components from a communist country. As far as the United States is concerned, I think we should buy equipment made in the USA. And our neighbor to the north might want to consider that as well. Chinese telecom equipment is in no way superior to our own, and perhaps only cheaper. But do we want to skimp on such important infrastructure?

  64. China is America? by Anonymous Coward · · Score: 0

    Then how soon will it become necessary to learn Chinese? Oh, never mind, they already speak English after taking our money to learn it...