Huawei Offers 'Complete and Unrestricted' Source Code Access

← Back to Stories (view on slashdot.org)

Huawei Offers 'Complete and Unrestricted' Source Code Access

Posted by Soulskill on Wednesday October 24, 2012 @09:30AM from the as-open-as-a-pr-campaign dept.

An anonymous reader writes "The BBC reports that 'Huawei has offered to give Australia unrestricted access to its software source code and equipment, as it looks to ease fears that it is a security threat. Questions have been raised about the Chinese telecom firm's ties to the military, something it has denied. Australia has previously blocked Huawei's plans to bid for work on its national broadband network. Huawei said it needed to dispel myths and misinformation.' But is this sufficient? Will they be able to obscure any backdoors written into their equipment?"

25 of 255 comments (clear)

Min score:

Reason:

Sort:

Source by bjb_admin · 2012-10-24 09:35 · Score: 5, Interesting

Does the Australian Govt have anyone that can actually properly security audit this? I am sure they are not going to want to spend the money to hire someone who can. Also, who is to say the binary blob firmware doesn't have a back door. Its not like the Australians are going to compile it and install it themselves.
1. Re:Source by Lehk228 · 2012-10-24 09:37 · Score: 5, Informative
  
  not even the firmware, there could trivially be a on-chip backdoor,
  
  --
  Snowden and Manning are heroes.
2. Re:Source by AK+Marc · 2012-10-24 10:03 · Score: 5, Insightful
  
  Yes, though there's no evidence of any improper activities from any Huawei gear, and they are already a step ahead of US voting machines.
  
  In the US, voting machines pick the next president. With secret closed-source code in an industry with proven fraud and from companies with proven previous errors.
  
  In Australia, they have the source code for routers running a residential broadband network, and that's not good enough.
  
  Why does something seem wrong with that?
  
  --
  Learn to love Alaska
3. Re:Source by tibit · 2012-10-24 10:09 · Score: 3, Insightful
  
  Yup, even when you a-priori know in which couple hundred lines to look. In a large application, like you'd find in a router, it's demonstrably impossible of a task unless they use something safer than C -- and even then it'd take a formal method approach.
  
  --
  A successful API design takes a mixture of software design and pedagogy.
4. Re:Source by RedPhoenix · 2012-10-24 10:09 · Score: 4, Informative
  
  Yes; some very good people who evaluate products for use within the Oz government and Defence:
  http://www.dsd.gov.au/infosec/epl/index.php
  However, the process is usually long, often expensive, and generally targets a particular software/hardware combination; bump your version number, and there's potentially a fairly significant re-evaluation required.
  Huawei could take advantage of this program now, but would either need to front up some dough, or have a sponsor to guide them through it.
5. Re:Source by socceroos · 2012-10-24 10:15 · Score: 5, Informative
  
  The DSD (Defence Signals Directorate) are the ones in Australia who would vet this equipment - they already do it for all equipment used by ASIO, ASIS and other secretive organisations here. The other thing to remember is that it was the DSD that told the Government not to trust Huawei's hardware. Now they get to have a good look at the code without the need to reverse engineer.
6. Re:Source by Charliemopps · 2012-10-24 10:21 · Score: 3, Insightful
  
  You're not understanding where the governments coming from. They want someone, other than themselves, to have legal liability if there is a breach. Since all contracts, agreements, and laws are subject to the whim of the Chinese government, they could just tell Huawei to put code on their hardware and they'd have to do it. Where-as, in Australia, or the United States, there are constitutions that supersede the federal governments. The feds can come in and demand that Cisco put a backdoor on their hardware, and Cisco could turn around and site existing law to say "No, we wont do that, it's illegal." Now, in reality, does it actually work like that? No... Cisco bends over backwards for the feds out of greed because they want them to do things like we're seeing here. But from the federal governments perspective, Cisco is doing their bidding and are therefor "Good guys"... Huawei on the other hand are at the very best an unknown. Politicians rarely see beyond their own term... and while violating our constitutional rights to ensure our safety seems worthwhile at the time... it's what the guy that gets elected after their gone does with these entrenched systems that brings ruin.
7. Re:Source by Anonymous Coward · 2012-10-24 10:35 · Score: 4, Informative
  
  Because the rest of those companies weren't founded and run by ex-Chinese military and long-time Chinese Communist Party members?
8. Re:Source by overbaud · 2012-10-24 11:36 · Score: 5, Insightful
  
  The way this works is: 1. Cisco lobby US gov. 2. US gov put pressure on Aus gov. 3. Aus gov create FUD about cisco rival. 4. Aus gov buy cisco. 5. Profit - cisco and US senators.
  
  --
  Users... the only thing keeping 1st level support from being the bottom feeders.
9. Re:Source by rtb61 · 2012-10-24 15:40 · Score: 3, Interesting
  
  Nothing to do with believable. I came across a disabled prototype on the internet. Based around a larger cheap version of a typical part with a high cost smaller version built into the casing leaving ample room for a chip to be inserted in the power pathway. Simplest function burnout the chip and cut power upon the correct pass code being picked up in the power supply. Imagine inserted that part inserted throughout your infrastructure, upon the code being detected every device using that part is now dead. Attempt to insert a replacement, it receives the signal and dies. You whole supply chain is corrupted and it could take weeks to resolve, especially when it's the telecommunications infrastructure disrupted.
  
  --
  Chaos - everything, everywhere, everywhen
Cisco and Motorola may object by Anonymous Coward · 2012-10-24 09:37 · Score: 5, Funny

...seeing as how it's their source code being released.
Re:Besides by fredprado · 2012-10-24 09:42 · Score: 4, Insightful

Sorry, but there is absolutely no company in the world that has this thing called "character".
The US government did it! by kawabago · 2012-10-24 09:46 · Score: 5, Insightful

When American telecom companies won contracts to supply soviet satellite, I think it was Poland, with telecom equipment, The CIA or NSA or both managed to get back doors into the equipment to both monitor calls and in the event of hostilities, to shut the phone system down completely. If American companies let their Government subvert their technology in foreign countries, China would be foolish not to.
1. Re:The US government did it! by im_thatoneguy · 2012-10-24 12:12 · Score: 3, Insightful
  
  Yes. Because, it's not xenophobic, it's just plain good sense that critical infrastructure is a huge target. It's what every country should want their intelligence agencies doing. I hope every router sent to China has a backdoor in it that we can shut down in the event of a conflict.
  Why do you think China is working so hard to create their own CPU? They know this would be a massive liability and with 10 Billion transistors its' easy to hide things now a days.
  I'm usually dismissive of conspiracy theories because they don't actually result in any parties profiting. But this is exactly the sort of thing that countries not only would profit from--but have already done.
  Imagine if every car in China could be turned off with a switch. That's a weapon I have absolutely no question our military would love to have. And one which *of course* the Chinese military would also want. If they could do it and get away with it--they will (just as we would).
IT'S A TRAP!!! by HPHatecraft · 2012-10-24 09:51 · Score: 3, Funny

-signed Admiral Thomas Dalton Ackbar
Re:hardware backdoors by AK+Marc · 2012-10-24 10:10 · Score: 3, Informative

OK, lets assume that the routers are rooted. So what? Isn't everything over the Internet presumed to be insecure anyway? At worst, China would get some SSL packets from my bank, or some HTTPS packets between me and an email server. Or see that I'm on Slashdot more that I should be. Yawn.

And, if they did send a copy of every packet to China, do you think the carriers wouldn't notice that traffic pattern? It's an absurd accusation, with no basis in fact. And, if true, would be quickly found if it were ever used. All to compromise an unspecific portion of a residential broadband network.

It's more likely that Huawei was behind the assassination of Kennedy and 9/11 than they are inserting router backdoors in an attempt to remotely control Australia. If you've been to WA, you don't need to sniff their traffic to know what they are doing. 99% porn, 1% skype to family.

--
Learn to love Alaska
Not worth a lot.... by gweihir · 2012-10-24 10:15 · Score: 3, Insightful

Backdoors cleverly disguised as obscure implementation bugs are very hard to find, and if you find them, you do not know whether they are bugs or obscure implementation errors. Typically, making sure no backdoors are in a piece of complex software is more effort and more difficult than reimplementing it with trustworthy and competent people.

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Re:Besides by fredprado · 2012-10-24 10:38 · Score: 3, Funny

Oh, another offended Anonymous Coward. How cute.
Re:Is this Sufficient? What else could you want? by mhotchin · 2012-10-24 11:24 · Score: 4, Informative

http://cm.bell-labs.com/who/ken/trust.html
If you haven't read it, or even if you haven't read it recently, you really should.
BBC reports only part of the offer by GumphMaster · 2012-10-24 12:20 · Score: 3, Informative

What the BBC is reporting is not quite what was offered. The ABC quotes Mr Lord as:

"Huawei is willing to offer complete and unrestricted access to our software source code and our equipment in such an environment," he said. "And in the interests of national security, we believe all other vendors should be subject to the same high standard of transparency."
The reference to "such an environment" is an industry funded organisation dedicated to vetting this stuff.
The exercise is nothing more than a PR spin. Huawei knows full well that the other players will neither want to fund a centre that effectively lets a competitor back into the race nor subject their own code to such scrutiny and risk rejection. He is the local face of Huawei so he has to say these things, but they will not change anything.

--
Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
Re:hardware backdoors by RocketRabbit · 2012-10-24 12:48 · Score: 3, Insightful

Wow, you're just really naive. Really, really naive.
Even without decrypting the information all the way back in WWII, traffic analysis allowed some major victories on the battlefield. With this technique, being automated and in near real time, one could infer a lot about an adversary without actually decrypting one single thing.
Maybe you're not concerned with privacy, but that's why you're not working in this field!
Who needs a back door? by Minupla · 2012-10-24 12:56 · Score: 4, Informative

Who needs a back door when you have a range of security vulnerabilities to choose from.
Here's the slide deck from the talk on Huawei talk at Defcon 20 this year. At the end of the talk the presenter addressed the topic of backdoors by saying (my paraphrase) given the state of the code, who knows if a given hole is a backdoor or unintential security vulnerability.
The deck is worth a read if only for the fortune cookie slides, which contain actual quotes from the object code:
http://phenoelit.org/stuff/Huawei_DEFCON_XX.pdf
Min

--
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
Anything new from Slashdot ? by Taco+Cowboy · 2012-10-24 13:28 · Score: 4, Insightful

Is there anything new Slashdot can offer, other than this same old China bashing orgy?
If you think that equipments from Huawei is dangerous, what makes you think that Cisco equipment don't come with backdoors?
Which equipment the Stuxnet virus targeted?
Equipment from China or those from the Western countries?
It's easy to bash China - as China has become the poster boy for bashing orgy - from Presidential debate to this one in Slashdot - but I do expect MORE from those who come to Slashdot.
Unlike the tweedledee and tweedeldum on the presidential debate, you guys do have brains.
It's time you use your brain to think, rather than letting others doing the thinking for you.
If Huawei (and all equipments from all Chinese companies) are suspicious, what makes you think that equipments from Germany or Japan or Britain or Korea or Canada or USA aren't?

--
Muchas Gracias, Señor Edward Snowden !
1. Re:Anything new from Slashdot ? by cold+fjord · 2012-10-24 18:40 · Score: 3, Informative
  
  If Huawei (and all equipments from all Chinese companies) are suspicious, what makes you think that equipments from Germany or Japan or Britain or Korea or Canada or USA aren't?
  Hmmm . . . are there any other one party communist states with aspirations of hegemony, a long history of enmity against democratic government, free enterprise, and personal liberty, that currently have intense foreign espionage efforts directed against the West, that make direct threats against the United States while being armed with intercontinental ballistic missiles armed with nuclear weapons, on the list? No, China. . . make that the People's Republic of China, one of the few remaining Communist dictatorships on earth, is unique in that regard. Isn't that clear? China is reforming economically much faster than politically, although that is coming along in small fits and starts. But fundamentally, China is still a dictatorship run by the Chinese Communist Party.
  
  Which equipment the Stuxnet virus targeted?
  That was SCADA controllers made by Siemens, a German company, being used by Iran - a Shia lead theocratic government imposing Sharia law in Iran while they seek hegemony in the region. Iran is using that equipment to run centrifuges to develop highly enriched Uranium, and has been discovered to be engaged in activities applicable to only nuclear weapons development. Iran tries to intimidate its neighbors, is a state sponsor of terrorism world-wide, fund, trains, and arms Hezbollah with tens of thousands of rockets and missiles to control Lebanon and attack Israel until it can make good on it barely veiled threats of genocide against Israel, and general threats against Europe and the United States. Until the Islamic revolution in Iran in 1979, Iran and Israel had been on good terms. It is the theocratic government in Iran that has declared them to be enemies - the conflict isn't Israel's fault - Iran was not part of the Arab-Israeli wars. And yet some people take the bankrupt position that it is Iran that needs protection from Israel. Stuxnet and its kin may be the only reason the world isn't in a shooting war in the region now.
  
  It's easy to bash China - as China has become the poster boy for bashing orgy - from Presidential debate to this one in Slashdot - but I do expect MORE from those who come to Slashdot. Unlike the tweedledee and tweedeldum on the presidential debate, you guys do have brains. It's time you use your brain to think, rather than letting others doing the thinking for you.
  Some people use their powers of reason to understand the facts above and their implications, others use their reason to rationalize away uncomfortable facts, like those above.
  In much of the West, the well educated have been taught to believe that they can know nothing and that they can draw no independent conclusions about truth, unless they cite a study and "experts" have affirmed it. "Studies show" is to the modern secular college graduate what "Scripture says" is to the religious fundamentalist. -- Dennis Prager
  
  --
  much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
it depends on who you are by r00t · 2012-10-24 16:25 · Score: 3, Insightful

If Huawei (and all equipments from all Chinese companies) are suspicious, what makes you think that equipments from Germany or Japan or Britain or Korea or Canada or USA aren't?
If I'm running a business in Australia, each of the listed non-Chinese countries is a minor concern. All have strong intellectual property protection. They mostly don't have a reputation for cloning foreign products. China is a different matter entirely.
If I'm running a business in any of the listed countries, China or otherwise, obviously my own country is preferred. They'd kick in my door if they wanted something; it's easier and more fun than hacking. I'd like protection from the others.
If I'm running a business in Iran, I probably want Korea or Japan. China is trying to pry into my finances for trade negotiation, and everybody else just hates Iran.