Huawei Offers 'Complete and Unrestricted' Source Code Access
An anonymous reader writes "The BBC reports that 'Huawei has offered to give Australia unrestricted access to its software source code and equipment, as it looks to ease fears that it is a security threat. Questions have been raised about the Chinese telecom firm's ties to the military, something it has denied. Australia has previously blocked Huawei's plans to bid for work on its national broadband network. Huawei said it needed to dispel myths and misinformation.' But is this sufficient? Will they be able to obscure any backdoors written into their equipment?"
Does the Australian Govt have anyone that can actually properly security audit this? I am sure they are not going to want to spend the money to hire someone who can. Also, who is to say the binary blob firmware doesn't have a back door. It's not like the Australians are going to compile it and install it themselves.
...seeing as how it's their source code being released.
No. Yes. In that order.
Australia: "You are a security threat we need to see your code!"
Huawei: "Ok, here is our full source code"
Sensationalism Department: "There must be obscure back doors they might hide in their code!!!"
Just because the US Congress, which is still in the stone ages as far as understanding of technology, decries them as a threat using classified information doesn't mean it's true. It just means the US likes to cock block China as often as it possibly can, notwithstanding the shady backroom deals that enticed this in the first place.
Much like I assume a lot of other /. readers, my trust in the equipment I use to do what it's supposed to do comes from my access and ability to read the source code. There have been minor dust-ups in the open source world about allegations that other governments than China inserted back doors in widely used software, and we still see those allegations surfacing from time to time, but never with anything solid to back them up. I believe searches on the obvious keywords will turn up stories linked from here, as well as links to source code repositories of very high quality indeed.
So my advice for Huawei is, let the world see your source code, and please set up a mechanism for reviewing your own code and patches.
-- That grumpy BSD guy - http://bsdly.blogspot.com/
Sorry, but there is absolutely no company in the world that has this thing called "character".
Is Australia planning on building their own code from that source?
Because how would they know that what they were running was actually the source code they were provided?
And would Australia even be interested in jumping through that extra hoop considering that there are other vendor options available where Australia feels this isn't necessary? The price difference between Huawei and other vendors would have to be fairly sizable to warrant that.
Or, even more insidious, I've heard of the possibility of including backdoors via the compiler rather than via the source code.
http://en.wikipedia.org/wiki/Backdoor_(computing)
Quote from that article:
It is also possible to create a backdoor without modifying the source code of a program, or even modifying it after compilation. This can be done by rewriting the compiler so that it recognizes code during compilation that triggers inclusion of a backdoor in the compiled output. When the compromised compiler finds such code, it compiles it as normal, but also inserts a backdoor (perhaps a password recognition routine). So, when the user provides that input, he gains access to some (likely undocumented) aspect of program operation. This attack was first outlined by Ken Thompson in his famous paper Reflections on Trusting Trust (see below).
If Huawei's code requires anything more than generic gcc, Australia may not be able to verify 100% security, regardless... unless they're given the source code to the compiler as well.
Long story short, this just seems like a huge hassle that Australia is probably going to avoid anyway.
Just my 2 cents...
When American telecom companies won contracts to supply a Soviet satellite, I think it was Poland, with telecom equipment, the CIA or NSA or both managed to get back doors into the equipment to both monitor calls and, in the event of hostilities, to shut the phone system down completely. If American companies let their Government subvert their technology in foreign countries, China would be foolish not to.
If the Chinese Government said the sky was blue, I'd doubt it.
-signed Admiral Thomas Dalton Ackbar
It's the same as the Cisco code; they just changed some names around.
Is their h/w and s/w being audited for back doors and spyware?
No need to audit US sourced equipment. Thanks to CALEA we are 100% certain its been bugged.
Have gnu, will travel.
And you certainly have great wisdom and knowledge and are ready to bathe us in the light of your unsurpassed righteousness, Mr. Anonymous Coward.
"Will they be able to obscure any backdoors written into their equipment?"
Yes.
-- You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
OK, let's assume that the routers are rooted. So what? Isn't everything over the Internet presumed to be insecure anyway? At worst, China would get some SSL packets from my bank, or some HTTPS packets between me and an email server. Or see that I'm on Slashdot more than I should be. Yawn.
And, if they did send a copy of every packet to China, do you think the carriers wouldn't notice that traffic pattern? It's an absurd accusation, with no basis in fact. And, if true, would be quickly found if it were ever used. All to compromise an unspecific portion of a residential broadband network.
It's more likely that Huawei was behind the assassination of Kennedy and 9/11 than they are inserting router backdoors in an attempt to remotely control Australia. If you've been to WA, you don't need to sniff their traffic to know what they are doing. 99% porn, 1% skype to family.
Learn to love Alaska
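The post above argues that a router quietly forwarding a copy of every packet somewhere would show up in the carrier's own traffic accounting. The following is an added example, not code from the original thread, of what that check looks like in practice: it reads simplified NetFlow-style records and flags a device for which a single destination receives almost exactly as many bytes as every other destination combined. The `Flow` struct, the device names, the `203.0.113.0/24` destination (an RFC 5737 documentation prefix) and the byte counts are all constructed for the example; a real run would feed exported flow records from the collector.

```c
#include <stdio.h>
#include <string.h>

/* Simplified NetFlow-style export record (constructed for this example). */
typedef struct {
    const char *device;   /* router that exported the record */
    const char *dst;      /* destination prefix or peer, as text */
    unsigned long bytes;  /* bytes forwarded toward dst in the interval */
} Flow;

/* Constructed sample: rtr-a forwards a second copy of everything it carries
 * to one extra prefix (203.0.113.0/24 is the RFC 5737 documentation range);
 * rtr-b carries ordinary, mildly asymmetric traffic. */
static const Flow SAMPLE[] = {
    {"rtr-a", "customer-net",   500000},
    {"rtr-a", "peer-isp",       480000},
    {"rtr-a", "203.0.113.0/24", 980000},
    {"rtr-b", "customer-net",   300000},
    {"rtr-b", "peer-isp",       310000},
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])
#define MAX_DST 32

/* Looks for a destination of `device` whose byte count lies within
 * `tolerance` (a fraction, e.g. 0.02) of the bytes sent to all of the
 * device's other destinations put together, i.e. a destination that
 * receives a mirror of the device's traffic.
 * Returns 1 and sets *flagged on a hit, 0 if nothing matches, and -1 if the
 * device has more distinct destinations than this small table holds. */
int find_mirror_dst(const Flow *flows, size_t n, const char *device,
                    double tolerance, const char **flagged)
{
    const char *dsts[MAX_DST];
    unsigned long bytes[MAX_DST];
    int ndst = 0;
    unsigned long total = 0;

    /* Aggregate bytes per distinct destination for this device. */
    for (size_t i = 0; i < n; i++) {
        if (strcmp(flows[i].device, device) != 0)
            continue;
        int j;
        for (j = 0; j < ndst; j++)
            if (strcmp(dsts[j], flows[i].dst) == 0)
                break;
        if (j == ndst) {
            if (ndst == MAX_DST)
                return -1;
            dsts[ndst] = flows[i].dst;
            bytes[ndst] = 0;
            ndst++;
        }
        bytes[j] += flows[i].bytes;
        total += flows[i].bytes;
    }

    /* Compare each destination against the sum of all the others. */
    for (int j = 0; j < ndst; j++) {
        unsigned long elsewhere = total - bytes[j];
        if (elsewhere == 0)
            continue;   /* single-destination device: nothing to mirror */
        double ratio = (double)bytes[j] / (double)elsewhere;
        if (ratio > 1.0 - tolerance && ratio < 1.0 + tolerance) {
            if (flagged)
                *flagged = dsts[j];
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    const char *devices[] = {"rtr-a", "rtr-b"};
    for (int d = 0; d < 2; d++) {
        const char *hit = NULL;
        int r = find_mirror_dst(SAMPLE, SAMPLE_N, devices[d], 0.02, &hit);
        if (r == 1)
            printf("%s: traffic to %s mirrors everything else; investigate\n",
                   devices[d], hit);
        else
            printf("%s: no mirrored destination\n", devices[d]);
    }
    return 0;
}
```

The tolerance matters: at 0.02 only rtr-a is flagged, while loosening it to 0.05 would also flag rtr-b's ordinary 300000/310000 split as a false positive, so in practice the threshold is tuned against a baseline of known-good devices and the check is run over several intervals rather than one.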
It's not an unlikely way to do espionage you clod, it's the simplest way to do it. What's simpler than having direct access to all the communications infrastructure, accessible from anywhere in the world?
A successful API design takes a mixture of software design and pedagogy.
I'll believe it when I see it. Many, if not most, of their products run on VxWorks, a proprietary closed-source real-time operating system. All it takes is for someone to find a way to access the t-shell and you own the box. I believe this was recently shown to be trivial to do with access to the web interface (no login needed). Once you are in the t-shell you own the box. In VxWorks the t-shell is like root on steroids. You can call any function, access any global variables or any memory location that you choose.
VxWorks historically has not been a secure operating system, leaving security entirely up to the applications developer.
VxWorks is not like a traditional operating system where you load programs off of a filesystem and execute them, with a clear separation between the OS and applications. Instead, everything is linked together into a single binary blob. Now it's possible it has changed significantly since I last used it, but I doubt it.
This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
I am sure that the recipe for tainted food does not list lead, bacteria, or any other deadly contaminants.
Backdoors cleverly disguised as obscure implementation bugs are very hard to find, and if you find them, you do not know whether they are bugs or obscure implementation errors. Typically, making sure no backdoors are in a piece of complex software is more effort and more difficult than reimplementing it with trustworthy and competent people.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Source code access is never enough to guarantee that something is free of backdoors. How about the hardware? How can I verify the devices coming in (from China in this case) have the right binaries installed? And don't forget about hardware backdoors. It is like trusting a PC manufacturer with a preloaded Linux installation because I have the source code of it on a DVD to review. If you can't trust the manufacturer there is no source that can help.
You're assuming the point is to read the data. It's not. The point is that China would be able to transmit a single set of instructions across the routers that say 'At 2AM tomorrow, DO NOT ALLOW TRAFFIC THROUGH.' and suddenly Aussies everywhere lose internet. Which could be a massive security issue if China were to attack right then.
So basically, -1 troll/offtopic is really Slashdot's way of saying "I hate that you thought of something before me."
Or they could, you know, take down the entire Australian network in an instant by sending a command to all of the rooted routers. (Not an optimal situation, especially because these routers are also going to be handling the phone lines too.) Think about having the ability to cut off all communication in an entire country - that's a HUGE strategic advantage.
They could use these routers to identify specific targets of interest. State sponsored hackers would then have the ability to remove/obfuscate logs to make it so that they're impossible/very very difficult to trace or perhaps even to frame others.
Not every router is used solely for the internet. Also, they don't have to report to China, they just have to be deployed into a critical network and then suddenly stop working when China wants them to. Finally, if they're going to be sneaky, who's to say the software image they provide is made out of the source code they provide? I don't see them providing the means to compile the source code to an image.
Nullius in verba
Oh, another offended Anonymous Coward. How cute.
First consider the halting problem; you really can't tell what complex code can do, although many eyes are better than none. Then you have to check every code release and compare all the hardware to software, etc. This is (the halting problem) a complex/hard problem.
Second, you have to see everything from the OS, the programs, programmable chips, firmware, etc.
Third, you have to hope there isn't any type of "malware/spyware" that is loaded remotely post install, and that you see all the updates, etc. This would include the fear of back doors and automatic doors (default passwords, etc.).
In the 1800's every major telegraph wire ran through England and while they said they wouldn't spy, they spied on EVERY msg. The benefit of spying is too great for China/PLA not to attempt something in the past, present or future.
http://www.hawknest.com/
I'm sure the US government will step in and tell Australia not to, and I'm sure our PM will knuckle her forehead and say "By your command".
.. know what I mean.... nudge nudge ... know what I mean.....
This would set a dangerous precedent for source code to be made available and I can't see the US government thinking it's a good idea for American companies to have to do so.
Not that I'm saying they've got US government backdoors in them, no I'm not
So?
Who is to say that Cisco gear does not have a backdoor for the CIA or the NSA to spy as well?
I'd much rather have the Chinese government listening in on my communications than the US government (who no doubt would have access if US equipment is bought instead).
At least they won't extradite me for copyright violations.
Just because you can see the source code doesn't mean the binaries were compiled from it.
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
This reminded me of The Underhanded C Contest -- where the goal is to introduce malicious-acting but innocent-looking bugs that, even upon discovery as bugs, could be passed off as programming errors and not intentional backdoors. This should be required reading for anyone reading potentially-hostile code that's trying to pass an audit.
Surely Huawei has a large enough networking codebase to put enough of these in that Oz won't find them, and even if they do find them all -- how do you prove that a bug with an unintended leak/security concern was malicious?
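The two posts above (the one on backdoors disguised as obscure implementation bugs, and this one on the Underhanded C Contest) describe the auditor's central problem: a hole that reads like a slip. The example below is added here and is not code from the thread or from any real product; it places one such innocent-looking comparison beside its hardened form and shows the differential check an auditor can run to expose the difference in accepted inputs. The secret `s3cret`, the `PROBES` set and the function names are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* The kind of line a review of potentially hostile code has to treat as
 * suspect (constructed example, not from any real product): only
 * strlen(supplied) bytes are compared, so the empty string, or any prefix
 * of the stored secret, is accepted as a match. Nothing in the source says
 * whether this is a slip or a planted hole; it reads like an everyday
 * strncmp call. */
int weak_check(const char *supplied, const char *stored)
{
    return strncmp(supplied, stored, strlen(supplied)) == 0;
}

/* Hardened form: lengths must be equal and every byte is compared, with the
 * result accumulated so the loop does not exit at the first difference. */
int strict_check(const char *supplied, const char *stored)
{
    size_t n = strlen(supplied);
    if (n != strlen(stored))
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(supplied[i] ^ stored[i]);
    return diff == 0;
}

/* Differential review: run both implementations over a probe set and count
 * the inputs on which they disagree. A nonzero count is what tells the
 * auditor that the "innocent" version accepts more than the real secret,
 * regardless of what the author intended. */
int count_disagreements(const char *stored, const char *const *probes, int nprobes)
{
    int disagree = 0;
    for (int i = 0; i < nprobes; i++)
        if (weak_check(probes[i], stored) != strict_check(probes[i], stored))
            disagree++;
    return disagree;
}

/* Constructed probe set: empty string, two prefixes, the exact secret,
 * the secret with a trailing byte, and an unrelated string. */
static const char *const PROBES[] = {"", "s", "s3c", "s3cret", "s3cretX", "wrong"};
#define PROBES_N ((int)(sizeof PROBES / sizeof PROBES[0]))

int main(void)
{
    for (int i = 0; i < PROBES_N; i++)
        printf("%-8s weak=%d strict=%d\n", PROBES[i],
               weak_check(PROBES[i], "s3cret"), strict_check(PROBES[i], "s3cret"));
    printf("inputs on which the two checks disagree: %d\n",
           count_disagreements("s3cret", PROBES, PROBES_N));
    return 0;
}
```

The point of the differential harness is that it does not need to know the intent: a review that only reads the source has to argue about whether the `strncmp` length argument was a mistake, while a review that also executes the suspect code against a reference implementation gets a concrete list of extra accepted inputs, which is the evidence that matters to the audit.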
Sorry, but there is absolutely no company in the world that has this thing called "character".
I dunno, I always thought Ballmer was quite a character.
What the BBC is reporting is not quite what was offered. The ABC quotes Mr Lord as:
"Huawei is willing to offer complete and unrestricted access to our software source code and our equipment in such an environment," he said. "And in the interests of national security, we believe all other vendors should be subject to the same high standard of transparency."
The reference to "such an environment" is an industry funded organisation dedicated to vetting this stuff.
The exercise is nothing more than a PR spin. Huawei knows full well that the other players will neither want to fund a centre that effectively lets a competitor back into the race nor subject their own code to such scrutiny and risk rejection. He is the local face of Huawei so he has to say these things, but they will not change anything.
Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
I'm not an authority on such equipment and usually take SF as simply entertainment value, but after watching BSG remake, I always wondered if such computer systems sold to USA has this kind of code inside.
mfwright@batnet.com
Wow, you're just really naive. Really, really naive.
Even without decrypting the information all the way back in WWII, traffic analysis allowed some major victories on the battlefield. With this technique, being automated and in near real time, one could infer a lot about an adversary without actually decrypting one single thing.
Maybe you're not concerned with privacy, but that's why you're not working in this field!
Oh, please, go with your psychobabble and your self-righteousness somewhere else.
Who needs a back door when you have a range of security vulnerabilities to choose from.
Here's the slide deck from the Huawei talk at Defcon 20 this year. At the end of the talk the presenter addressed the topic of backdoors by saying (my paraphrase) given the state of the code, who knows if a given hole is a backdoor or an unintentional security vulnerability.
The deck is worth a read if only for the fortune cookie slides, which contain actual quotes from the object code:
http://phenoelit.org/stuff/Huawei_DEFCON_XX.pdf
Min
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
OK, lets assume that the routers are rooted.
Call router rooter, that's the name. And security goes down the drain!
Give me Classic Slashdot or give me death!
Is there anything new Slashdot can offer, other than this same old China bashing orgy?
If you think that equipment from Huawei is dangerous, what makes you think that Cisco equipment doesn't come with backdoors?
Which equipment did the Stuxnet virus target?
Equipment from China or those from the Western countries?
It's easy to bash China - as China has become the poster boy for bashing orgy - from Presidential debate to this one in Slashdot - but I do expect MORE from those who come to Slashdot.
Unlike the tweedledee and tweedeldum on the presidential debate, you guys do have brains.
It's time you use your brain to think, rather than letting others doing the thinking for you.
If Huawei (and all equipment from all Chinese companies) are suspicious, what makes you think that equipment from Germany or Japan or Britain or Korea or Canada or USA isn't?
Muchas Gracias, Señor Edward Snowden !
Because residential broadband is a national security resource? Did everyone buy Huawei TVs too? Did you watch Tomorrow When the War Began too many times? I'll give you a hint, it's as likely as Red Dawn (neither happened, and neither will happen).
Learn to love Alaska
Sure, they'd take it all down. And then what? Invade Australia? That'll start WWIII, same as if they launched a bomb at every network POP. We should be scanning them all to make sure there aren't hidden bombs in every Huawei router, and even if they come back clean, open them all up and make sure. What would happen if the code had every battery in every Huawei phone outside China blow up at the same time? And every Huawei home router shorted, taking out the electric grid? Then they got up, walked to other routers, and assembled themselves into a large robot that calls itself Megatron-san (yes, I know we are talking Chinese and san is Japanese).
Learn to love Alaska
Maybe you're not concerned with privacy, but that's why you're not working in this field!
I do work in security. One of the things you do in security is realize everything can be compromised in many ways you'll never be able to think of, so you plan on the most likely. Huawei undercutting everyone to sell networking gear into Australia as step 7 in the 30 step process to invade Australia is so unlikely as to not warrant effort protecting against. You might as well put in DNA tests at CO doors to ensure the person trying to get in is human, and not a werewolf or space alien.
Learn to love Alaska
If you work in security then I feel very sorry for your employers and customers.
Are you really naive enough to believe that deep surveillance on Australia's communications infrastructure is NOT in the ChiCom's interest?
It's telling that you have to rely upon strawmen to make your point. Very, very telling. Perhaps the ASIO should take a closer look at you and your "security" business.
Not to be a dick, but you really have no understanding of the concept of "existential threat" and why these threats are handled differently from normal threats, do you?
So is that a national security resource?
Oh, yes there are. One example is Olvi Oyj (Finland, "OLVAS" in Nasdaq). The biggest owner is a trust fund whose primary goal is to advance beer culture (or something similar).
The company has gone so far as to help small breweries to get their beer to big shops, though it provably affects their sales negatively (marginally though).
There are companies which behave more nicely than other companies. There are companies which advance society and there are companies which maximize profits - most in the grey area obviously.
Unless, of course, you want only to argue the semantics of word "character", which I'll skip.
something, then it is a sign that something else is going on. If anybody in the west uses ANY of these Chinese telcos or their hardware companies, they deserve to be massively cracked. It is long past time for the west to bring back ALL important manufacturing, and much of the rest.
I prefer the "u" in honour as it seems to be missing these days.
Or have we found plenty of backdoors on Chinese equipment? I would say the latter.
I prefer the "u" in honour as it seems to be missing these days.
If Huawei (and all equipments from all Chinese companies) are suspicious, what makes you think that equipments from Germany or Japan or Britain or Korea or Canada or USA aren't?
If I'm running a business in Australia, each of the listed non-Chinese countries is a minor concern. All have strong intellectual property protection. They mostly don't have a reputation for cloning foreign products. China is a different matter entirely.
If I'm running a business in any of the listed countries, China or otherwise, obviously my own country is preferred. They'd kick in my door if they wanted something; it's easier and more fun than hacking. I'd like protection from the others.
If I'm running a business in Iran, I probably want Korea or Japan. China is trying to pry into my finances for trade negotiation, and everybody else just hates Iran.
All sufficiently complex software has security holes. Huawei's software undoubtedly has several. By simply employing their own "Red Team" to actively look for exploits in their normally-produced source code, but then always leaving 2-3 good remote exploits unpatched, they guarantee themselves a non-obvious backdoor. As development continues and new flaws are uncovered, they can bugfix some of the older withheld flaws, trading them for new ones.
If the code were open-source, at least the outside world would be on a level playing field with them, but when it's proprietary they have the advantage by a landslide (since the rest of the world has the additional burden of reverse engineering and/or fuzzing the equipment to find what they can grep code for). Providing just Australia one-shot access to review the source doesn't really change the situation much.
11*43+456^2
You are a racist fuck. Get the hell off Slashdot, you ignorant pig.
Why is Snark Required?
Er, no, the presenter stated that Huawei just imitated the hell out of Cisco's interface.
I do wonder why everyone is worried about Huawei adding in backdoors specifically, when that presentation already shows that their stuff is vulnerable as hell and practically backdoored unintentionally.
It's got nothing to do with residential broadband. The "national broadband network" is a fibre project, servicing residential, industrial, commercial and government interests. Huawei wants to have an instrumental role in building it. DSD says that's a bad idea. Nothing over-the-top, but an aggressor in that role would be capable of causing considerable damage down the track.
"The true measure of a person is how they act when they know they won't get caught." - DSRilk
Or worse, they might just have been recruiting winners of the International Obfuscated Code Contest. How big is this software package? There's probably plenty of room to slip in a hard to find security hole.
I would think that there is exactly ZERO chance of making a rigged simple component without making it look different from what is normal.
now you might be able to dink with an IC (by using a smaller process than the chip requires) but at the resistor/cap/diode level there is NO ROOM.
even if you somehow "bugged" a component tolerances would be murder.
Any person using FTFY or editing my postings agrees to a US$50.00 charge
http://cm.bell-labs.com/who/ken/trust.html
They need extensive testing and an object level code audit, along with tool chain certification to ensure what they are running is what the code represents.
Blogging because I can...
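Three posts in this thread make the same point from different angles: the compiler-backdoor post (Australia cannot verify the build unless it also controls the compiler), the one-liner "just because you can see the source code doesn't mean the binaries were compiled from it", and the call above for tool chain certification. The example below is added here and is not code from the thread or from any vendor; it shows the shape of that certification step: rebuild each artifact from the provided source, compare it byte for byte with what was shipped, and verify the chain in build order, stopping at the first piece that does not reproduce, because a verdict on the firmware is worthless if the compiler that produced it was never verified. The `Artifact` struct and the `CC_*`/`FW_*` byte strings are constructed stand-ins for real binaries; a real run would pass the actual shipped and rebuilt files, and a byte-identical result presupposes a reproducible build (fixed timestamps, paths and toolchain versions).

```c
#include <stdio.h>
#include <string.h>

/* One artifact in the build chain: what the vendor shipped versus what an
 * independent rebuild from the provided source produced. */
typedef struct {
    const char *name;
    const unsigned char *shipped;
    size_t shipped_len;
    const unsigned char *rebuilt;
    size_t rebuilt_len;
} Artifact;

/* Returns -1 when the two byte strings are identical, otherwise the offset
 * of the first difference (a pure length mismatch reports the shorter length). */
long first_mismatch(const unsigned char *a, size_t alen,
                    const unsigned char *b, size_t blen)
{
    size_t n = alen < blen ? alen : blen;
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return (long)i;
    return alen == blen ? -1 : (long)n;
}

/* Walks the chain in build order: toolchain pieces first, firmware image
 * last. Stops at the first artifact that does not reproduce, since every
 * verdict after that point would rest on a tool that was never verified.
 * Returns the number of artifacts that reproduced; on failure *failed is the
 * index of the offending artifact and *offset its first differing byte,
 * on success both are set to -1. */
int verify_chain(const Artifact *chain, int n, int *failed, long *offset)
{
    for (int i = 0; i < n; i++) {
        long off = first_mismatch(chain[i].shipped, chain[i].shipped_len,
                                  chain[i].rebuilt, chain[i].rebuilt_len);
        if (off >= 0) {
            if (failed) *failed = i;
            if (offset) *offset = off;
            return i;
        }
    }
    if (failed) *failed = -1;
    if (offset) *offset = -1;
    return n;
}

/* Constructed sample bytes standing in for real binaries. */
static const unsigned char CC_SHIPPED[] = {0x7f, 'E', 'L', 'F', 1, 2, 3, 4};
static const unsigned char CC_REBUILT[] = {0x7f, 'E', 'L', 'F', 1, 2, 3, 4};
static const unsigned char FW_SHIPPED[] = {0x01, 0x02, 0x03, 0x04, 0x99, 0x06};
static const unsigned char FW_REBUILT[] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06};

#define CHAIN_N 2
/* Compiler reproduces, shipped firmware differs from the rebuild at byte 4. */
static const Artifact CHAIN_TAMPERED[CHAIN_N] = {
    {"cc1 (compiler)", CC_SHIPPED, sizeof CC_SHIPPED, CC_REBUILT, sizeof CC_REBUILT},
    {"firmware.bin",   FW_SHIPPED, sizeof FW_SHIPPED, FW_REBUILT, sizeof FW_REBUILT},
};
/* Shipped compiler does not match the rebuilt one: the firmware verdict is
 * never reached because nothing produced by that compiler can be trusted. */
static const Artifact CHAIN_BAD_TOOLCHAIN[CHAIN_N] = {
    {"cc1 (compiler)", FW_SHIPPED, sizeof FW_SHIPPED, CC_REBUILT, sizeof CC_REBUILT},
    {"firmware.bin",   FW_REBUILT, sizeof FW_REBUILT, FW_REBUILT, sizeof FW_REBUILT},
};
/* Everything reproduces. */
static const Artifact CHAIN_CLEAN[CHAIN_N] = {
    {"cc1 (compiler)", CC_SHIPPED, sizeof CC_SHIPPED, CC_REBUILT, sizeof CC_REBUILT},
    {"firmware.bin",   FW_REBUILT, sizeof FW_REBUILT, FW_REBUILT, sizeof FW_REBUILT},
};

static void report(const char *label, const Artifact *chain)
{
    int failed;
    long off;
    int ok = verify_chain(chain, CHAIN_N, &failed, &off);
    if (failed >= 0)
        printf("%s: %d artifact(s) reproduced; %s differs at byte %ld\n",
               label, ok, chain[failed].name, off);
    else
        printf("%s: all %d artifacts reproduced\n", label, ok);
}

int main(void)
{
    report("tampered firmware", CHAIN_TAMPERED);
    report("bad toolchain", CHAIN_BAD_TOOLCHAIN);
    report("clean", CHAIN_CLEAN);
    return 0;
}
```

The ordering is the substance of the check: the compiler, linker and any firmware-packing tools are verified before the image, and a mismatch early in the chain invalidates everything downstream rather than being reported as one more difference. A byte offset alone does not say what the difference means, so the next step after a mismatch is a structural diff of the two artifacts; what this step settles is only whether the shipped bits are the ones the provided source produces.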
You are a racist fuck.
Because I made a(n admittedly bad) joke? Or perhaps the reference to an old SNL skit? Quite the rigorous criteria you have there. Besides, how do you know I'm not Chinese myself, you idiotic, assumptive fuck?
Get the hell off Slashdot, you ignorant pig.
Nah.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
Oh I am quite sure that there are on occasion CEOs who have the high moral standards we classify as "character". The companies themselves have none though, and a CEO change is all that is needed to turn its moral alignment 180 degrees.
As an Internet systems administrator, I am personally aware of the thousands of attacks per day on my systems from various places in China. If Huawei is so great, how come they tolerate and allow Chinese hackers to attack our country on such a grand scale. There is of course the question of whether these attacks are sanctioned by the Communist Party. And I guess as well we should ask if we want to buy critical infrastructure components from a communist country. As far as the United States is concerned, I think we should buy equipment made in the USA. And our neighbor to the north might want to consider that as well. Chinese telecom equipment is in no way superior to our own, and perhaps only cheaper. But do we want to skimp on such important infrastructure?