Several Western Govts. Ban Lenovo Equipment From Sensitive Networks
renai42 writes "If you've been in the IT industry for a while, you'll know that Lenovo's ThinkPad brand has a strong reputation with large organisations for quality, dating back to the brand's pre-2005 ownership by IBM. However, all that may be set to change with the news that the defence agencies of key Western governments such as Australia, the US, Britain, Canada and New Zealand have banned Lenovo gear from being used in sensitive areas, because of concerns that the Chinese vendor has been leaving back doors in its devices for the Chinese Government. No evidence has yet been presented to back the claims, but Lenovo remains locked out of sensitive areas of these governments. Is it fearmongering? Or is there some legitimate basis for the ban?"
Thinkpads are very popular with people who need to do their own maintenance. They use them on the ISS for that very reason. Every part is replaceable and you can download a full service manual with excellent step-by-step illustrated instructions.
Sounds like fear of the boogeyman and a bit of racism are really going to hurt the US in the long run.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
So I wonder which manufacturer that doesn't use Chinese components they'll use instead?
....Microsoft is still getting multi-billion dollar deals.
Why does the U.S. use Windows versions in its tanks? The last thing you want is a bluescreen on the battlefield.
nothing happening over here.
The DOD has been doing this for years, the Dell/HP/Cisco/Other-Big-Military-supplier equipment are not built in the standard Chinese sweatshop but actually made in plants within the US or the EU. Costs are higher but who cares, it's for national security right?
No evidence has yet been presented to back the claims...
Is it fearmongering?
Or is there some legitimate basis for the ban?
How would we know whether or not evidence exists? All we know is that we haven't seen any. Time will tell. If no evidence is presented in the next month or so, then we'll know that it's just fearmongering, and not a legitimate basis for a ban.
You make me lol
So they'll be banning Microsoft Windows too?
The problem is the credible fear of a lifecycle attack is sufficient to require that such hardware be avoided. There is a reasonable fear that the Chinese might try something using Lenovo kit, therefore the classified networks need to avoid it. It's the same reason why Huawei networking hardware is avoided in some circles.
Of course, with the NSA now clearly off the leash, US IT equipment is now in the same position. Microsoft clearly backdoored Skype to enable easy wiretapping, the NSA is reportedly hacking foreign networks to introduce monitoring (who knows, perhaps it was the NSA responsible for the Athens Affair?), and with any US Cloud service provider subject to PRISM-style requirements, US IT infrastructure is now in the same boat that the Chinese have been struggling with for years now.
Test your net with Netalyzr
The new cold war will be electronic and China has already proven that they are willing to do whatever is necessary to stay ahead there.
This isn't racism, this is a forward looking policy that's saying when, not if but when, we start finding Chinese backdoors in our equipment, they won't be in our sensitive areas.
The down side is that even if our equipment says made in the USA, it means assembled. Most of the parts will have been manufactured in China.
I hope all non-US companies similarly decide to not use US-based vendors, given that there is greater likelihood that the NSA has back doors. What do you think those 200MB HP printer drivers are for, after all?
This is my signature. There are many like it, but this one is mine.
Microsoft and Cisco.
Working in Defence in AU for some time - this was raised as an issue a long time ago (going back to DRM back door issues) - I think it won't be long until we find all sorts of backdoors in chipsets. 'Spurious' RF and perhaps intentional network latency (using 'random' latency to send data). All too often we're watching network packets and assuming we're seeing the whole picture. "Well that didn't go to a questionable IP, so that data is safe". If I were given the task of spying on the West but manufactured every single piece of technology that stored the data I so very much wanted, incredible inside knowledge - I'd be using RF, I'd make it seem spurious and have it skip about in frequency and encoding to its own entirely unique algorithm. Even using simple HAM radio data protocols, it would be simple enough to skip about frequencies randomly to seem spurious. Without the algorithm you'd have no idea what frequency holds the next packet of data... to be detected from a long way away. Of course all theories and easy to be shot down until it's on the front page of the paper.
I would venture to think that the western governments fear that the laptops might not be bugged by their respective agencies, or at least an agency willing to share the information.
Does anyone trust the source of these claims? Maybe this gear is disparaged and shut out because Lenovo wouldn't implement backdoors for western governments.
So naturally they don't trust others. It says more about the governments which block Lenovo than it says about Lenovo.
If there is no evidence, then yes it is scaremongering. Stuxnet and Spying on their own civilians, well for that there is evidence.
It's only English speaking Western governments. Is there some sort of Anglo-Saxon paranoia at work or are these countries by way of a common language simply the closest satellite states of the US?
[Citation Needed]
Neither TFA nor the article they quoted actually cite their sources and it really reads like FUD. I'd love to see some actual statements from any of the governments involved.
Wipe the drive and install the OS yourself from a trusted source. That gets rid of not only bloatware, but also spy stuff that was added on.
That leaves only BIOS/firmware, and putting serious spy stuff there is hard. They can conceivably have made something that works with a current version of Windows, but the BIOS is limited and a quick hack there won't necessarily work with another version, another OS or another filesystem.
Also, such things are easily detected. Spyware - governmental or private - has to "call home". Easily detected by a firewall that logs outgoing connections.
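As an added example (not part of the thread above), one way a firewall's outbound-connection log can be checked for the regular "call home" pattern the post describes: flows that reconnect to the same destination on a suspiciously even schedule. The log format, hosts and addresses are constructed for illustration, and the interval-regularity test is an assumption about how such beacons tend to look.

```python
"""Beacon-style 'call home' detection over an egress firewall log.

Constructed example: parses outbound-connection log lines and flags
(src, dst, dport) flows whose inter-connection intervals are regular,
the classic signature of implant check-ins. Format and addresses are
made up for this illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed line format:
# "<ISO timestamp> OUT src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) OUT src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed sample: host 10.0.0.5 checks in with 203.0.113.7 roughly every
# five minutes (small jitter); host 10.0.0.9 is a user browsing irregularly.
SAMPLE_LOG = """\
2013-07-30T08:00:00 OUT src=10.0.0.5 dst=203.0.113.7 dport=443 action=allow
2013-07-30T08:00:10 OUT src=10.0.0.9 dst=198.51.100.20 dport=443 action=allow
2013-07-30T08:00:41 OUT src=10.0.0.9 dst=198.51.100.20 dport=443 action=allow
2013-07-30T08:05:03 OUT src=10.0.0.5 dst=203.0.113.7 dport=443 action=allow
2013-07-30T08:07:30 OUT src=10.0.0.9 dst=198.51.100.20 dport=443 action=allow
2013-07-30T08:09:02 OUT src=10.0.0.9 dst=198.51.100.20 dport=443 action=allow
2013-07-30T08:09:58 OUT src=10.0.0.5 dst=203.0.113.7 dport=443 action=allow
2013-07-30T08:12:00 OUT src=10.0.0.9 dst=192.0.2.44 dport=25 action=deny
this line is not a firewall record and is skipped by the parser
2013-07-30T08:15:01 OUT src=10.0.0.5 dst=203.0.113.7 dport=443 action=allow
2013-07-30T08:20:00 OUT src=10.0.0.5 dst=203.0.113.7 dport=443 action=allow
2013-07-30T08:24:57 OUT src=10.0.0.5 dst=203.0.113.7 dport=443 action=allow
2013-07-30T08:31:45 OUT src=10.0.0.9 dst=198.51.100.20 dport=443 action=allow
2013-07-30T08:32:00 OUT src=10.0.0.9 dst=198.51.100.20 dport=443 action=allow
""".splitlines()


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def find_beacons(lines, min_conns=5, max_cv=0.2):
    """Flag flows that reconnect on a regular schedule.

    Returns {(src, dst, dport): (connection_count, mean_interval_seconds)}
    for flows with at least min_conns allowed connections whose interval
    coefficient of variation (stdev / mean) is at most max_cv. Only allowed
    connections count: a denied attempt never reached the destination.
    """
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow":
            continue
        flows[(rec["src"], rec["dst"], rec["dport"])].append(rec["ts"])

    hits = {}
    for key, stamps in flows.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            hits[key] = (len(stamps), round(avg, 1))
    return hits


if __name__ == "__main__":
    for (src, dst, dport), (count, interval) in find_beacons(SAMPLE_LOG).items():
        print(f"beacon-like: {src} -> {dst}:{dport}, {count} connections, "
              f"~{interval}s apart")
```

A low-and-slow implant that jitters heavily or checks in once a day would need a longer log window and a looser max_cv, and a destination allow-list is the usual second filter on whatever this flags.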
In other News UK has installed Huawei equipment for censorship.
The reason is that the NSA has developed, a few years ago, a technique for embedding exactly such backdoors in PCs sold by American companies. They're being installed by the power of National Security Letters (which you can't tell anyone about, even a judge), and have been for the past two or three years.
This comes out right now because Evil Red China has found a way to exploit backdoors in computers used by Americans (and big surprise there!), which they didn't even make. The US fears it is constantly behind on development (which is true), so this change means that the US is victimized not only by its own government, but by the Chinese as well -- whereas buyers of Chinese equipment are only victimized by Evil Red China.
The US knows its own backdoors and can thus guard against their use, perhaps at the network level. It also knows that where US backdoors exist, Chinese backdoors don't. However, the US doesn't know Chinese backdoors. This frightens them greatly.
But well, I'd be frightened too. For instance, if I knew that virtualization environments can be written that completely conceal themselves from the owner by hiding in the motherboard's encrypted BIOS. This is done by applying techniques of nested virtualization -- which aren't trap-and-emulate anymore, as since Sandy Bridge and Piledriver the main x86 CPUs have supported VM host nesting in hardware.
Oh wait, I do know that. Well bloody cock, guess you're all boned then.
All the Chinese need to do is gain access to the NSA backdoors that are in all versions of Windows... That would be far more efficient.. and undoubtedly they already have..
AMT is a backdoor, exists on all x86 chipsets now.
We must just accept this. We don't own ourselves, our children, nor our machines.
Our betters do.
We must simply obey.
Always can be reenabled remotely.
You can have my T61 when you pry it from cold, dead hands.
Someone important's cousin just bought the competition to Lenovo.
Troll is not a replacement for I disagree.
The motherboard may be made in China but the components are not. The chips are largely American in manufacture (most of them are Intel). Now I suppose the company making the motherboards could add a chip, but, well, that would kinda be noticed during the QA process by the company that ordered them. It isn't like you get parts from a Chinese manufacturer and just slap them in a unit sight-unseen. Not because of worries about spying but because quality control with Chinese companies can be... problematic. You have to test the parts and send back the failed ones (1%ish usually, sometimes more).
In terms of BIOS/UEFI? That's all Phoenix Technologies and American Megatrends. They are in California and Georgia respectively.
I wasn't aware the US had annexed Canada, Australia, New Zealand, and the UK. ...or are you just trying to spin something as anti-US when really it is a collection of nations?
There isn't a single US manufacturer of motherboards any more; that would be the most sturdy place to insert any nefariousness (at least, nefariousness by the PC manufacturer.) Who knows where BIOS code is written these days; but I doubt it's the US.
Not to mention the whole stack of drivers you need, like those for on-board peripherals. It'd be just as easy to put a back-door in a Windows I/O driver as it would the BIOS.
You ruined his perfectly good "hate on the US" session! After all, clearly the US is the bad guy if they are doing this. The other countries must have good reasons and/or are just US puppets, it is the US that is evil!
It is amusing how two posters in this thread so far have tried to spin this in to an anti-US rant, when it is rather something happening in a number of nations. On Slashdot, it seems to continue to be trendy to hate on the US, for any or no reason at all.
Well now, it's been my keen observation over the years that people suspect of others the same nefarious behaviour that they indulge in themselves or would do given the opportunity. I am sure that there exist proposals to have Cisco/Juniper/Akamai network gear do more than is advertised.
Knowing that the West intelligence services would do (are doing??) what Lenovo & Huawei are suspected of is enough to have those companies banned, at least in CIA/NSA thinking.
It's difficult enough to keep malware out of the network as it is without providing an easy doorway.
e.g. Stuxnet
However, if evaluation of the policy to ban Lenovo were up to me, I would do a serious risk evaluation and compare Lenovo to others such as Dell. Truth is that state sponsored malware could be introduced at many levels including embedded firmware in say, network or video chipsets.
I suspect that the multinational component sourcing makes banning Lenovo analogous to plugging a small hole in a screen door while leaving all the windows open.
To find your answer, what brand are the paranoid Chinese using?
Simple, right?
WARNING: Smartphones have side effects--most of them undocumented.
If they can't detect such subterfuge and publicly show that it does exist, then it says something: either it is completely unjustified fear mongering for other purposes or these security agencies are saying they are too incompetent to catch it if it was deployed.
We dispense of the messy and "expensive" tasks of manufacturing and delegate to the lowest cost labor force. Makes sense until one needs to be able to defend oneself. Once war does not make financial sense, we might be OK. Not sure if we can count on that though.
With all the options available to them, better safe than sorry.
Jaxinabox
Which Lenovo are they talking about? Because the Lenovo I see all the time are the piece of crap that are 3rd worst in laptop failure rates and have cheap buttons, awful builds, terrible batteries, and low quality screens. I think they have them confused with Toshiba.
all Microsoft products are spyware....
...to be able to crack into ThinkPads
Telling yourself that the government somehow can't is just giving yourself a false sense of security. Or maybe that's what you're after. Maybe you're working for some government, posting this to giving people a false sense of security, so that:
a) More people will buy ThinkPads, thinking they're safer when in reality it makes it easier for the CHINESE government to spy on them
b) Lower people's guard against future government cracking (by the Chinese or any other government)
Since the backdoor is simply an allegation, likely made through wise PR use by a failing competitor such as Dell or HP, the governments must have a different agenda than businesses. Prove the allegation first, then publicize it. This tactic stinks of common corruption.
How many times have classified US military networks been broken into?
How many major financial/OS/etc. firms have been broken into?
I'd sooner ask Nicole Simpson for home security tips than listen to laymen and commercial IT personnel talk about what is necessary to secure a network against a Chinese military cyber-attack.
Right, so Lenovo does have (unproven) backdoors. But Clevo, Foxconn, Quanta, Wistron, Pegatron who produce 90% of laptops in the world (including Dell, HP, Apple) somehow cannot have Chinese backdoors, even though their HQs are in Taiwan, and most factories probably in China?
Besides, what about spying by USA? I believe USA products, including Microsoft Windows have backdoors. _NSAKEY was found in 1999: http://en.wikipedia.org/wiki/NSA_key
Given the climate today, I'd be as fearful of spying by USA government as China. Given the list of countries however, well, they are the closest buddies with USA and already share intelligence data. And spying on own citizens never mattered to any of them.
--Coder
Thinkpads are very popular with people who need to do their own maintenance. They use them on the ISS for that very reason.
ISS stands for INTERNATIONAL Space Station so we're not talking about especially sensitive gear. And thinkpads are hardly the only feasible option. They were used because until 2005 IBM produced them. Since that is no longer true in some cases it may be prudent to look for alternative vendors.
Sounds like fear of the boogeyman and a bit of racism are really going to hurt the US in the long run.
Little bit eager to throw out the race card aren't you? Only an imbecile would trust a computer system built by a rival nation with sensitive information. There is a very good reason that the military ensures contractors take reasonable precautions regarding where they source equipment. The US would be foolish to trust China and China would be foolish to trust the US. For many uses it doesn't matter who made the laptops but when it does matter, it matters a LOT.
When you see a superpower and their close allies shutting down the market instead of actually trying to compete. They can whine all they want and come up with all the lies, but tomorrow millions of Chinese will go to their factories as usual and produce all the products we want at cheap prices.
If there's one thing we can't abide, it's that there might possibly maybe be Chinese backdoors in computers manufactured in China, unless they're from the Chinese factories of American companies. Those are okay, somehow.
While you're worried about it, pay no attention to the NSA backdoors in those American computers. Those are for your protection, unlike those evil Chinese backdoors.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
In Gerrold's depiction, the US had lost a war, but worked its way into being the world's arms manufacturer - and clandestinely integrated chips that "chirped" on random intervals (so it sounded like noise), revealing their position. Also could be triggered to stop working or explode, remotely.
"Ahh! I see you're in that indeterminate Schrodinger state where - oh, uh
Doesn't anybody remember a few years back when the Chinese-chipped military helicopters were discovered to have backdoors? Not a good thing. Would you want several tons of equipment, much of it explosive, moving at high speeds, featuring a huge spinning propeller, and belonging to the U.S. military, to ever, ever be accessible to the Chinese? Probably not! Probably a really bad idea, so it's a good thing they caught that and it's especially good that they're keeping on top of the game.
Screw a Lenovo. Who cares about brandiness? It's not about being some pseudo prosumer or being brand-loyal. There are loyalties some people have to serve to their countries, first.
Screw any crappy Chinese junk, especially their junk automotives. It might not matter to you where you buy from but then again, you're probably doing business with them anyways. You probably just chuckle and send the part in for another replacement, serially, when you find that they used hot glue instead of solder or don't know the difference between permanent and temporary magnets. Go ahead and let your kids play with lead toys all day, go jump off a cliff, etc.
What the U.S. Military should do is insist on 100% U.S. made equipment manufactured by 100% in-house fabrication. Ditch all the fabless companies, fine, let them prey on the average consumer/prosumer. What's a year in American technology without the revelation of yet another Samsung device spying on you or your social network selling your personal data to domestic spies, cops, and other people who don't value your rights? Using a compromised piece of equipment is just fine for your brand loyalists who really don't have anybody to answer to but yourselves.
What the military should do is only buy equipment from Texas Instruments, manufactured at National Semiconductor. If some other great American company with its own in-house fabrication can also fulfill the contracts, they should get business, too, but I doubt they have the track record or the ability to fill orders like TI.
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
You know, they could just request a copy of the SMBIOS and EC firmware, and ditch the UEFI stuff entirely, as Linux doesn't need it. If you run Windows, you're already compromised anyway.
What is really strange is that, at least for the real ThinkPads, all the firmware (BIOS, EC) is made in *Japan*, not china, at the Yamato Labs. It would be easy to set up a trusted path for the firmware, from Japan to the US. The EC, processors and chipsets are all made in the USA or Japan, so the risk of hardware bugs there are the same you will find in, e.g. Cisco gear (so, it is non-zero, but low).
It is probably easier to get a safe thinkpad than it is to get a china-built Dell, because at least the thinkpad works...
I think you overstate the amount of attention that computer assemblers like HP and etc. pay to what their 3rd party suppliers provide to them. Now with that said, even if we assume that HP would actually spend the time to catalog every single component on their motherboards (which they don't), it's still entirely possible that something malicious could be placed inside of what appeared to be an innocent IC that would go unnoticed.
As far as BIOSes go, you don't have an entirely complete knowledge of how those work. Phoenix and etc. basically just provide reference code for motherboard makers and chipset vendors to use and tweak for their own purposes. They (Phoenix and etc.) don't have time to design a specialized BIOS for every new motherboard that comes out.
look at all the backdoors and stuff that the NSA and CALEA involve.
when the front door is wide, wide open?
why should any company buy equipment from the US, Europe, or Australia these days? These governments have *repeatedly* proven themselves to snoop on all traffic and impose some significant back doors of their own.
Pot, Kettle.
However if the Chinese are ever coming for the USA, it will be through the courts with a small army of debt collectors.
Cute sound bite but the US has the Chinese over a barrel here. China has bought about $1.1 trillion dollars of US debt which is about 9% of total US debt. (Japan has a similar amount and total foreign debt obligations are around $5.8 trillion) Most of this debt was purchased to maintain the yuan's peg to the dollar in order to keep their exports cheap. (a weak currency helps exports) Exactly how do you propose the Chinese force the US to pay? The courts can't force the US government to do a thing. They can't sell the debt to someone else. No one else wants or could buy that much debt. If they let their currency get stronger (buys more dollars per yuan) then it hurts their exports by making them more expensive abroad. Since their economy is heavily export based, any action they could take carries a strong probability of badly damaging their economy. No, the Chinese are in a tough spot. They have lent a lot of money to the US to keep their currency cheap and to ward off currency speculators. There is no way they could collect in a short time without a mushroom cloud appearing over their economy.
When you owe the bank a little money, you have a problem. When you owe the bank a lot of money, the bank has a problem.
I don't exactly work for a large organization, but we do have folks working all over the world so service and support is very important to us. We had been using Dell but switched to Lenovo for a year because we could get systems from them with less lead time. We couldn't switch back fast enough. We paid extra for 3 year onsite NBD warranties (vs return to depot warranties) but when we called Lenovo to get them to send someone out for a repair, it always turned into an argument about whether we were entitled to onsite service.
Dell has always had excellent service, over the past 10 years or so I can probably count the number of times they didn't have a hardware problem fixed the next business day on one hand. It also seemed like we had a higher incidence of problems with the Lenovo systems. We bought maybe 20 of them and of that 20 probably half had to have their system boards replaced because a USB connector snapped off.
Are there any laptops that don't have components made or assembled in china?
Do they ban cell phones too?
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
This seems to be about politics and or irrational fear. Components for modern laptops are sourced from all over the world any number of which could be capable of any number of wicked things. If your goal is to mitigate risk from foreign governments then simply picking a new laptop vendor is not an effective solution.
Why not produce your own computers on the NSA fab? You know...put it to use use for something other than spying on your own people.
In areas of high sensitivity, there is no such thing as "fearmongering." Only fear, and justifiable risk. That it's being publicized in this way, without the inclusion of some context in the summary of the real security needs of the governments, who have to worry about TEMPEST emissions and other crap no one would dream of caring about, is the "fearmongering." I trust that our governments know what their requirements are in this regard, and that avoiding Lenovo is not going to keep them from accomplishing their mission. So that choice is a no-brainer.
I doubt however, that avoiding that particular brand will help, when everything else is also made in China, and the minerals are sourced from China. That's the real dilemma. How do you maintain security when you produce very little as a nation? There's no substitute for "made at home" in these cases. I wonder in what case, if any, that is actually truly achievable.
"some overclocked overheating whitebox frankenmachine full of dust and nicotine" like the Surface they were using at the product launch?
http://youtu.be/N1zxDa3t0fg
Didn't something similar happen at CES 2012?
So much fun:
http://youtu.be/jMToNsCyFQU
I'll make this one easy on you
Gee thanks. I'm really glad I have you to explain this to me since I merely have a master's degree in finance and am a certified accountant with 10 years experience in global sourcing. Good thing I have smart people like you to explain how currency trading works. [/sarcasm]
Defaulting on even a small amount of debt to China would collapse this system and US and world economy would not survive the fallout
The US doesn't have to default on the debt. That was the whole point. China will get paid in due time and they have very little leverage over the US regarding when and how. China bought that much US debt because they had to, not because they particularly wanted to. The notion that China now "owns" the US, or that they could take the US to some court over the matter is just nonsense. China (probably rightly) regards US debt as a safe investment but China is in a much more precarious position than the US even without the exercise of some fiscal nuclear option.
Have a look at your board some day. It is pretty easy to identify all the chips, and their origin. There also aren't all that many. Chips cost money. So ya, there are other chips like the audio chip (made by Realtek, of Taiwan), NIC (Realtek, Broadcom or Intel), sometimes extra USB chips (NEC) etc. All these are on there because the company the board was made for spec'd them and they know what they do and who they are from.
So you would be claiming that China would be making chips that duplicated the functionality and form factor of these chips, but also had extra evil functions, and then had Foxconn secretly stick them on boards. And that nobody ever noticed. Ummm, ya. That is entering in to truther territory in terms of believability.
I think part of the problem is people have this false idea that "everything is made in China". No, not really. A lot of stuff is made in China as in put together there, but it turns out the rest of the world makes a lot of products, many of which are components that go in to the things made in China. The US is second only to China in terms of manufactured goods. That right there should tell you something about the belief that the US "doesn't make anything".
Just last year it was announced on MSM that military and Gov't hardware derived from China had deliberate holes in it. A fellow Systems Engineer and myself have been predicting this for about 6 years or so now, as soon as we heard some major network players were outsourcing to China for production. Embedding a backdoor at the chip level is much harder to detect, you have to really be actively looking for it. Especially if it's something very simple, like a command to simply shut down that component, say. So, instead of something complicated and overt to hack data, they may simply be infiltrating all the hardware they can, so if/when the time comes, they can simply shut most everything off....think on that a bit. All you need to do is make one component on a board shut down, and that board is essentially a brick. Make no mistake, China is a totalitarian Communist state, they will NEVER be our friends. In fact, as they reach carrying capacity (Especially industrial resources), we are a pretty fat cow resource-wise to try to take...in the long term. Remember, they are very patient people, and play the game for the LONG haul. We would be fools to ignore the potential threat. Touting racism, saying we're crying wolf, are all just hollow rants. They are a clear and long term danger to this nation, make no mistake.
http://defensetech.org/2012/05/30/smoking-gun-proof-that-military-chips-from-china-are-infected/
Seriously people, take a little time to hop on over to the US Treasury site and learn a little about US debt instruments. It isn't hard, they'll explain it all, and even sell them to you directly if you want some.
So, this is not a loan shark situation, where the US goes to China and says "Please give us some money!" and China says "Ok you can have money, and at some point, you don't know when, I'll come and collect and you don't know how much for." Rather the US auctions off securities, bonds, notes, etc, and China chooses to buy some. They are sold to the highest bidder, which in this case means the entity that bids the interest rate down the lowest.
Now some things to note about them:
1) They pay out in US dollars. They are not denoted on foreign currency, they are in US dollars, meaning they have value only if the dollar does, and their value is dependent on the dollar.
2) They pay out only after a given period. There is no provision to call in the money early. They have a defined cycle depending on what you buy. Some t-bills have a maturity date as short as a couple weeks, some bonds a maturity date as long as 30 years. They pay out the principal only when they mature, not before (bonds pay out interest every 6 months). The only way to get money early is to sell them to someone else who wants them, for a price that group is willing to pay.
3) They aren't physical things you have, they are just entries in a computer at the treasury. They are completely under the control of the US government and if you did something that allowed them to seize your assets, there is fuck all you could do to stop it.
So no, China can't come "through the courts with a small army of debt collectors." Their case would be dismissed in summary judgement and they'd be charged court costs. You can't sue the government to try and get them to pay out their treasury securities early as it is EXPLICITLY stated that they pay out only at a given time. You can't demand they pay you in another currency, as they are sold in US dollars. You can't act as though they took your money without you knowing as you had to go and bid on them.
Seriously, none of this is a big secret or complex. Go look it up. Go participate in it, if you like. Treasurydirect is the government's site for individuals to buy securities. You can participate in the auctions and buy government debt for yourself, if you wish. Just don't think you can then run down to the court house and demand the government pay you. The terms of your payment are explicit up front. If you don't like it, don't buy.
well trades terrorists on that one.
Let's assume a remotely-exploitable backdoor. How are the Chinese getting these packets into or out of secure networks? Is there somehow an undiscovered RF part with a high-gain antenna? Because if there is, I'd like to hook my Lenovo's Centrino WiFi up to it.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Reliable my ass.
unless otherwise proven.
No, "National Security Secrets" and any statements having to do with children will not be accepted.
Proof, or it's bullshit.
Government bonds have very strict terms on repayment and that is for a reason - they need to be exceptionally predictable and reliable to function in their primary role of being reliable bonds.
Who said anything about postponing payment? Although that is in many cases an indirect option. Many bonds have terms that permit early retirement (not all but more than a few) and others are coming due regularly and the US can buy these bonds back and issue new ones with new payment terms. The Fed does this all the time entirely within the terms of the bonds issued. The only caveat is that you need someone interested in buying the debt. 90% of the buyers of US debt are not China and more than half are inside the USA.
All of the above events would cause severe harm to the US, and by extension the world economy, which is why they are unlikely to occur. We are effectively in a state of financial MAD in the credit system.
Correct. And my point is that China is if anything in a worse position. They have a MUCH larger poor population and their economy would likely be hurt far worse than the US economy in the event of a problem. China simply doesn't have a sufficiently developed domestic market yet. No one is suggesting that the US default in any way. What I am stating point-blank however is that the notion of the Chinese coming to collect the $1.1 trillion in debt they hold is absurd. They cannot do it even if they wanted to.
Thinkpads are generally the only laptops available with non-touchpad pointing devices. Forcing government employees to use crappy touchpads is inhumane.
the "5 eyes" have quite some buying power (with their bloated eavesdropping apparatchiks) and ...
this is just to punish a Chinese company for not joining and becoming the "sixth eye" methinks.
also, Windows OS is probably easier to backdoor than hardware
By extension, any IT product made in China should be banned as well. That includes a LOT of 'American' brands.
That is, if the real concern is that China might insert a security hole.
We always have been at war with China
Ain't these five governments the same ones that are part of the Five Eyes (Echelon)
The problem that I see in your argument is that the code in place may be silent until a very specific event. A thought experiment:
Someone wrote a tiny bit of code into firmware, or worse: hardcoded, that does absolutely nothing until a very specific data payload is detected coming through an ethernet interface regardless of the header information. Once the chip sees the trigger it shorts itself or floods the network or maybe even overvoltages the network lines in hopes of breaking other non-compromised equipment after a propagation delay period. In order to test that this is not the case on the system you are using right now, you would have to effectively brute force a 12,000-bit password.
Worse, this would need to be done for every single new chipset, on every new system, every revision, and even then there would be no way to be sure that the same technique isn't being used via other communication mediums like video, audio, Adobe updates, just about anything really.
Question to all hardware experts out there. Software backdoor: sure, possible when you don't have source code for your operating system. Hardware backdoor with physical access: possible. But is a hardware backdoor without physical access possible? Suppose I buy a Lenovo or whatever, I write random data to memory and disks 100 times, I install an open-source operating system and use only open-source drivers. Is a backdoor possible? What if I also replace the Network Interface Controller with one I trust?
Can anyone name a brand that isn't manufactured in China?
Doubt if there's anything from the USA, but even if you take that as read, the UK and Australia are using stuff from a foreign agent (the USA) where we KNOW they have written back doors into their commercial offerings before.
This is a very reasonable suggestion -- test the device -- and perhaps someone did exactly that.
We just don't know what information the intelligence agencies may have. We can't even be sure this report is accurate.
However, if the agencies of 5 different countries all have adopted similar policies, as the report claims, then I suspect that someone has found a significant concern here.
But then why the FUCKING FUCK did you ask for them, then?
Lenovo has a massive education discount, about 40%. To use it, you choose a university from a drop-down menu and click through a Terms-of-Service. I've always wondered if that was subsidized by the Chinese government.
Yay
Your testing assumes that it would be active. It could contain some vulnerability that is passive in nature, that will do nothing until hit with the right pattern of incoming traffic at the right time. This need not be a straightforward routed IP packet. It could be any weird thing in the world (e.g. a bizarre waveform induced in grid power, recognized by circuitry in the PSU, inducing some i2c traffic to a chip that negotiated some relationship with a BIOS-injected rootkit).
Even assuming it is in the universe of active things your testing procedure can catch, can you imagine the resources to test every single instance of thousands of pieces of IT equipment that these organizations make use of? An EMC chamber is massively expensive, testing is intensive, and then there is determining, of the emissions that do exist (there certainly will be some), whether any of them are noise or intentional. Keep in mind, even accidental RF noise will frequently have a non-random character to it.
Ditto on layer 1 of the fabric. If you are testing things within typical tolerance for layer 1 communications, there is some wiggle room that a malicious combination of networking equipment and computer can hide communications in.
In short, if you explicitly *mistrust* your vendor and the vendor isn't facing terrible repercussions if caught, you cannot forge ahead using testing to provide assurance of vendor behavior. The world is just too complicated. Of course, all the important stuff happens in Taiwan and China anyway, and relying upon American leadership, designers, or manufacturing to protect against attacks doesn't help much, so singling out Huawei and Lenovo doesn't get you far.
The selection of tried and true USA top-down IT equipment is exceedingly small. IBM POWER/mainframe servers are the one example I can think of where everything from chip fabrication, board manufacture, firmware development, and OS development are US products.
What about Dell and HP? All made in China, all used by big government. Ah! HP and Dell are US companies, so that's OK.
I didn't hear all this crying when the Chinese decided to create their own Linux distro because they didn't trust the existing ones. It works both ways, people. There is nothing wrong about a country taking steps to ensure some minimal level of security for sensitive data. The funny part is what do they plan on using? The NSA has several fab plants they can create a small run of chips from, but Australia? Maybe they'll use BBC Micros and Acorn RISCs they scrounge from garage sales LOL
The politicians who approved the legislation are heavily invested in Dell and HP stock.
The problem isn't that Lenovo has backdoors; the problem is that Lenovo has backdoors that the US doesn't have the keys to.
A modern CPU contains hundreds of millions of transistors.
Proof-of-concept exploits to embed in CPU designs have been tested and found to be workable using only A FEW HUNDRED transistors. You can make a remotely-triggered ring0 privilege escalation exploit using a few hundred transistors. Send a particular sequence of bytes over the network to that computer. When the CPU processes the packet, the specific sequence of bytes will be brought into the cache. The exploit will trigger and will violate the security invariants of the CPU design in some particular way (for example, crippling the memory protection hardware in a very specific, exploitable way).
This has actually been explored by researchers and found to be very possible. Just google "no knock authentication" and then imagine it's the CPU hardware itself that reacts to the knock packet, rather than a piece of software. In this case, even when the CPU is running entirely software you wrote, it can still be compromised, but only by someone who knows the correct "knock" packet. But you have almost no chance to detect this by testing or by scrutinizing the hundreds of millions of transistors in the chip design looking for a little bug that shouldn't be there.
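As an added illustration of the point made in this comment and in the earlier thought-experiment comments about dormant triggers (this is not code from any poster), here is a toy Python model of a CPU whose memory protection is silently disabled by a hidden "knock" pattern, together with a black-box fuzz test that shows why random testing cannot be expected to find it. The 16-byte knock constant, the `ToyCpu` class and the 64-byte frame size are all constructed for the demonstration.

```python
import secrets

# Constructed toy trigger: a fixed 16-byte (128-bit) pattern. The earlier
# comment's example used a 12,000-bit trigger, which is far larger still.
KNOCK = bytes.fromhex("c0ffee00deadbeef0badf00dfeedface")
KNOCK_BITS = len(KNOCK) * 8


class ToyCpu:
    """Toy model of a CPU with an optional dormant hardware trigger."""

    def __init__(self, trojan: bool) -> None:
        self.trojan = trojan
        self.protection_on = True  # the security invariant we care about

    def process_frame(self, frame: bytes) -> None:
        # Normal frames do nothing special. Only a frame carrying the knock
        # pattern, at any offset, fires the hidden gate.
        if self.trojan and KNOCK in frame:
            self.protection_on = False

    def ring0_write_allowed(self, from_user_mode: bool) -> bool:
        # Kernel mode is always allowed; user mode only once protection is off.
        return (not from_user_mode) or (not self.protection_on)


def black_box_test(cpu: ToyCpu, trials: int, frame_len: int = 64) -> bool:
    """Feed random frames; return True if a protection violation is observed."""
    for _ in range(trials):
        cpu.process_frame(secrets.token_bytes(frame_len))
        if cpu.ring0_write_allowed(from_user_mode=True):
            return True
    return False


def expected_trials_to_hit(trigger_bits: int, frame_len: int, trigger_len: int) -> float:
    """Expected number of random frames before one contains the trigger.

    A frame of frame_len bytes offers (frame_len - trigger_len + 1) offsets,
    each matching with probability 2**-trigger_bits.
    """
    positions = frame_len - trigger_len + 1
    return 2 ** trigger_bits / positions


if __name__ == "__main__":
    # Random fuzzing never sees the knock; the trojan CPU looks identical to a clean one.
    print("violation found by fuzzing:", black_box_test(ToyCpu(trojan=True), 100_000))
    print("expected frames needed:", f"{expected_trials_to_hit(KNOCK_BITS, 64, 16):.3e}")
```

The defender's takeaway is the one the comment makes: with a trigger space this large, behavioural testing provides no assurance, so trust has to come from the supply chain and the design itself rather than from observation.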
Is it really surprising? The world is heading back to Cold War era spy games very fast.
Does this mean I'll be able to get ThinkPad for half a price?
The Chinese or the NSA. I'm not so sure what is worse in my situation (located in Europe).
The Chinese may know things about me, but I'm not within their reach nor sphere of interest.
For European companies, e.g. Swiss banks, the same might be true.
They may have good reasons to fear the NSA more than the Chinese.
China has a BIG image problem.
Locked boot loaders tangle this stuff to no end.
Well, I can't speak to backdoors in Lenovos, but I did just recently purchase on eBay a replacement battery for my Sony VAIO... The auction page had "made in USA" plastered all over it; the description was written in broken engrish. Upon receiving the battery I discovered it did not work. I contacted the seller with a return request and got an email back in even worse broken engrish from a "Mary Smith" with a link to a URL (hosted within China) to a driver installer and instructions for "instarration". I was to intarr the exe with the laptop plugged in to power and ethernet, reboot and leave power and Ethernet on "overnight" to fully charge the battery. Backdoor attack campaign with Chinese origin? Gosh.. I dunno... what do YOU think?
Very convenient discovery after the Snowden affair and China refusing to extradite him to the U.S. Seems like plain old-fashioned spite. I wonder how they will hit back at Russia?
Of course, it could just be the CIA and MI6 (it's actually S.I.S. but we Brits are not supposed to know that, so hush everybody!) departments of misinformation trying to divert attention from the NSA, PRISM and of course MICROSOFT. The latter raises serious questions though. To use Microsoft software, Lenovo equipment needs to be Windows-Certified, and since we know all about Microsoft leaving backdoors for the American security services, what are we talking about here: collusion, treason or just plain Texas Bullshit?
Back doors or no back doors, if you ask me all military sourcing should be localized down to at least major components, computational units and other complex systems; this should also include assembly sub/makeup components unless designated as critical fail components. It makes sense logistically and from a security perspective, but we won't, so my recommendation would be to at least perform unannounced and randomized testing.
I think that it's a precaution. Govts like to make statements anyway. I met someone who broke the security of a company back in the day as a test by placing a block of silly putty in a PC and shipping it to the dept. The silly putty represented the security breach. He was hired by the owner of the co as the VP of IT!
Given the evidence behind the national security concerns, the sale of IBM PCD should have been rightfully blocked.