Several Western Govts. Ban Lenovo Equipment From Sensitive Networks
renai42 writes "If you've been in the IT industry for a while, you'll know that Lenovo's ThinkPad brand has a strong reputation with large organisations for quality, dating back to the brand's pre-2005 ownership by IBM. However, all that may be set to change with the news that the defence agencies of key Western governments such as Australia, the US, Britain, Canada and New Zealand have banned Lenovo gear from being used in sensitive areas, because of concerns that the Chinese vendor has been leaving back doors in its devices for the Chinese Government. No evidence has yet been presented to back the claims, but Lenovo remains locked out of sensitive areas of these governments. Is it fearmongering? Or is there some legitimate basis for the ban?"
Thinkpads are very popular with people who need to do their own maintenance. They use them on the ISS for that very reason. Every part is replaceable and you can download a full service manual with excellent step-by-step illustrated instructions.
Sounds like fear of the boogeyman and a bit of racism are really going to hurt the US in the long run.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
So I wonder which manufacturer that doesn't use Chinese components they'll use instead?
....Microsoft is still getting multi-billion dollar deals.
Why does the U.S. use Windows versions in its tanks. The last thing you want is a bluescreen on the battlefield.
No evidence has yet been presented to back the claims...
Is it fearmongering?
Or is there some legitimate basis for the ban?
How would we know whether or not evidence exists? All we know is that we haven't seen any. Time will tell. If no evidence is presented in the next month or so, then we'll know that it's just fearmongering, and not a legitimate basis for a ban.
Costs are higher, but Americans are being employed and paid with tax money. Sounds like a better approach than shipping it directly to someone else's economy.
The problem is the credible fear of a lifecycle attack is sufficient to require that such hardware be avoided. There is a reasonable fear that the Chinese might try something using Lenovo kit, therefore the classified networks need to avoid it. It's the same reason why Huawei networking hardware is avoided in some circles.
Of course, with the NSA now clearly off the leash, US IT equipment is now in the same position. Microsoft clearly backdoored Skype to enable easy wiretapping, the NSA is reportedly hacking foreign networks to introduce monitoring (who knows, perhaps it was the NSA responsible for the Athens Affair?), and with any US Cloud service provider subject to PRISM-style requirements, US IT infrastructure is now in the same boat that the Chinese have been struggling with for years now.
Test your net with Netalyzr
The new cold war will be electronic and China has already proven that they are willing to do whatever is necessary to stay ahead there.
This isn't racism, this is a forward looking policy that's saying when, not if but when, we start finding Chinese backdoors in our equipment, they won't be in our sensitive areas.
The down side is that even if our equipment says made in the USA, it means assembled. Most of the parts will have been manufactured in China.
I hope all non-US companies similarly decide to not use US-based vendors, given that there is greater likelihood that the NSA has back doors. What do you think those 200MB HP printer drivers are for, after all?
This is my signature. There are many like it, but this one is mine.
Microsoft and Cisco.
Working in Defence in AU for some time - this was raised as an issue a long time ago (going back to DRM back door issues) - I think it won't be long until we find all sorts of backdoors in chipsets. 'Spurious' RF and perhaps intentional network latency (using 'random' latency to send data). All too often we're watching network packets and assuming we're seeing the whole picture. "Well that didn't go to a questionable IP, so that data is safe". If I were given the task of spying on the West but manufactured every single piece of technology that stored the data I so very much wanted, incredible inside knowledge - I'd be using RF, I'd make it seem spurious and have it skip about in frequency and encoding to its own entirely unique algorithm. Even using simple HAM radio data protocols, it would be simple enough to skip about frequencies randomly to seem spurious. Without the Algorithm you'd have no idea what frequency holds the next packet of data... to be detected from a long way away. Of course all theories and easy to be shot down until it's on the front page of the paper.
They're only worried about back doors, not back windows. There's no way the Chinese could sneak fat American secrets out through a window.
Does anyone trust the source of these claims? Maybe this gear is disparaged and shut out because Lenovo wouldn't implement backdoors for western governments.
If there is no evidence, then yes it is scaremongering. Stuxnet and Spying on their own civilians, well for that there is evidence.
The official statement is as follows:
[REDACTED]
The reason is that the NSA has developed, a few years ago, a technique for embedding exactly such backdoors in PCs sold by American companies. They're being installed by the power of National Security Letters (which you can't tell anyone about, even a judge), and have been for the past two or three years.
This comes out right now because Evil Red China has found a way to exploit backdoors in computers used by Americans (and big surprise there!), which they didn't even make. The US fears it is constantly behind on development (which is true), so this change means that the US is victimized not only by its own government, but by the Chinese as well -- whereas buyers of Chinese equipment are only victimized by Evil Red China.
The US knows its own backdoors and can thus guard against their use, perhaps at the network level. It also knows that where US backdoors exist, Chinese backdoors don't. However, the US doesn't know Chinese backdoors. This frightens them greatly.
But well, I'd be frightened too. For instance, if I knew that virtualization environments can be written that completely conceal themselves from the owner by hiding in the motherboard's encrypted BIOS. This is done by applying techniques of nested virtualization -- which aren't trap-and-emulate anymore, as since Sandy Bridge and Piledriver the main x86 CPUs have supported VM host nesting in hardware.
Oh wait, I do know that. Well bloody cock, guess you're all boned then.
All the Chinese need to do is gain access to the NSA backdoors that are in all versions of Windows... That would be far more efficient.. and undoubtedly they already have..
AMT is a backdoor, exists on all x86 chipsets now.
We must just accept this. We don't own ourselves, our children, nor our machines.
Our betters do.
We must simply obey.
Always can be reenabled remotely.
You can have my T61 when you pry it from cold, dead hands.
Someone important's cousin just bought the competition to Lenovo.
Troll is not a replacement for I disagree.
The motherboard may be made in China but the components are not. The chips are largely American in manufacture (most of them are Intel). Now I suppose the company making the motherboards could add a chip, but, well, that would kinda be noticed during the QA process by the company that ordered them. It isn't like you get parts from a Chinese manufacturer and just slap them in a unit sight-unseen. Not because of worries about spying but because quality control with Chinese companies can be... problematic. You have to test the parts and send back the failed ones (1%ish usually, sometimes more).
In terms of BIOS/UEFI? That's all Phoenix Technologies and American Megatrends. They are in California and Georgia respectively.
I wasn't aware the US had annexed Canada, Australia, New Zealand, and the UK. ...or are you just trying to spin something as anti-US when really it is a collection of nations?
There isn't a single US manufacturer of motherboards any more; that would be the most sturdy place to insert any nefariousness (at least, nefariousness by the PC manufacturer.) Who knows where BIOS code is written these days; but I doubt it's the US.
Not to mention the whole stack of drivers you need, like those for on-board peripherals. It'd be just as easy to put a back-door in a Windows I/O driver as it would the BIOS.
You ruined his perfectly good "hate on the US" session! After all, clearly the US is the bad guy if they are doing this. The other countries must have good reasons and/or are just US puppets, it is the US that is evil!
It is amusing how two posters in this thread so far have tried to spin this in to an anti-US rant, when it is rather something happening in a number of nations. On Slashdot, it seems to continue to be trendy to hate on the US, for any or no reason at all.
Well now, it's been my keen observation over the years that people suspect of others the same nefarious behaviour that they indulge in themselves or would do given the opportunity. I am sure that there exist proposals to have Cisco/Juniper/Akamai network gear do more than is advertised.
Knowing that the West intelligence services would do (are doing??) what Lenovo & Huawei are suspected of is enough to have those companies banned, at least in CIA/NSA thinking.
It's difficult enough to keep malware out of the network as it is without providing an easy doorway.
eg: stuxnet
However, if evaluation of the policy to ban Lenovo were up to me, I would do a serious risk evaluation and compare Lenovo to others such as Dell. Truth is that state sponsored malware could be introduced at many levels including embedded firmware in say, network or video chipsets.
I suspect that the multinational component sourcing makes banning Lenovo analogous to plugging a small hole in a screen door while leaving all the windows open.
To find your answer, what brand are the paranoid Chinese using?
Simple, right?
WARNING: Smartphones have side effects--most of them undocumented.
We dispense of the messy and "expensive" tasks of manufacturing and delegate to the lowest cost labor force. Makes sense until one needs to be able to defend oneself. Once war does not make financial sense, we might be OK. Not sure if we can count on that though.
With all the options available to them, better safe than sorry.
Jaxinabox
Which Lenovo are they talking about? Because the Lenovo I see all the time are the piece of crap that are 3rd worst in laptop failure rates and have cheap buttons, awful builds, terrible batteries, and low quality screens. I think they have them confused with Toshiba.
Right, so Lenovo does have (unproven) backdoors. But Clevo, Foxconn, Quanta, Wistron, Pegatron who produce 90% of laptops in the world (including Dell, HP, Apple) somehow cannot have Chinese backdoors, even though their HQs are in Taiwan, and most factories probably in China?
Besides, what about spying by USA? I believe USA products, including Microsoft Windows have backdoors. _NSAKEY was found in 1999: http://en.wikipedia.org/wiki/NSA_key
Given the climate today, I'd be as fearful of spying by USA government as China. Given the list of countries however, well, they are the closest buddies with USA and already share intelligence data. And spying on own citizens never mattered to any of them.
--Coder
Thinkpads are very popular with people who need to do their own maintenance. They use them on the ISS for that very reason.
ISS stands for INTERNATIONAL Space Station so we're not talking about especially sensitive gear. And thinkpads are hardly the only feasible option. They were used because until 2005 IBM produced them. Since that is no longer true in some cases it may be prudent to look for alternative vendors.
Sounds like fear of the boogeyman and a bit of racism are really going to hurt the US in the long run.
Little bit eager to throw out the race card aren't you? Only an imbecile would trust a computer system built by a rival nation with sensitive information. There is a very good reason that the military ensures contractors take reasonable precautions regarding where they source equipment. The US would be foolish to trust China and China would be foolish to trust the US. For many uses it doesn't matter who made the laptops but when it does matter, it matters a LOT.
When you see a superpower and their close allies shutting down the market instead of actually trying to compete. They can whine all they want and come up with all the lies, but tomorrow millions of Chinese will go to their factories as usual and produce all the products we want at cheap prices.
If there's one thing we can't abide, it's that there might possibly maybe be Chinese backdoors in computers manufactured in China, unless they're from the Chinese factories of American companies. Those are okay, somehow.
While you're worried about it, pay no attention to the NSA backdoors in those American computers. Those are for your protection, unlike those evil Chinese backdoors.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
In Gerrold's depiction, the US had lost a war, but worked its way into being the world's arms manufacturer - and clandestinely integrated chips that "chirped" on random intervals (so it sounded like noise), revealing their position. Also could be triggered to stop working or explode, remotely.
"Ahh! I see you're in that indeterminate Schrodinger state where - oh, uh
.... so I bet your first order of security would be to ensure that none of the sensitive equipment was manufactured by the triad, or by extension any Chinese company at all.
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
Use SE Linux. It's not like it was created from an untrusted source. The NSA developed it!
http://en.wikipedia.org/wiki/Security-Enhanced_Linux#Overview
There are two types of people in the world: Those who crave closure
Wtfe! Even the article's claim that Lenovo is "quality" makes this whole entire thread REEK of corporate propaganda!
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
when the front door is wide, wide open?
why should any company buy equipment from the US, Europe, or Australia these days? These governments have *repeatedly* proven themselves to snoop on all traffic and impose some significant back doors of their own.
Pot, Kettle.
However if the Chinese are ever coming for the USA, it will be through the courts with a small army of debt collectors.
Cute sound bite but the US has the Chinese over a barrel here. China has bought about $1.1 trillion dollars of US debt which is about 9% of total US debt. (Japan has a similar amount and total foreign debt obligations are around $5.8 trillion) Most of this debt was purchased to maintain the yuan's peg to the dollar in order to keep their exports cheap. (a weak currency helps exports) Exactly how do you propose the Chinese force the US to pay? The courts can't force the US government to do a thing. They can't sell the debt to someone else. No one else wants or could buy that much debt. If they let their currency get stronger (buys more dollars per yuan) then it hurts their exports by making them more expensive abroad. Since their economy is heavily export based, any action they could take carries a strong probability of badly damaging their economy. No the Chinese are in a tough spot. They have lent a lot of money to the US to keep their currency cheap and to ward off currency speculators. There is no way they could collect in a short time without a mushroom cloud appearing over their economy.
When you owe the bank a little money, you have a problem. When you owe the bank a lot of money, the bank has a problem.
I don't exactly work for a large organization, but we do have folks working all over the world so service and support is very important to us. We had been using Dell but switched to Lenovo for a year because we could get systems from them with less lead time. We couldn't switch back fast enough. We paid extra for 3 year onsite NBD warranties (vs return to depot warranties) but when we called Lenovo to get them to send someone out for a repair, it always turned into an argument about whether we were entitled to onsite service.
Dell has always had excellent service, over the past 10 years or so I can probably count the number of times they didn't have a hardware problem fixed the next business day on one hand. It also seemed like we had a higher incidence of problems with the Lenovo systems. We bought maybe 20 of them and of that 20 probably half had to have their system boards replaced because a USB connector snapped off.
Are there any laptops that don't have components made or assembled in china?
Do they ban cell phones too?
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
This seems to be about politics and or irrational fear. Components for modern laptops are sourced from all over the world any number of which could be capable of any number of wicked things. If your goal is to mitigate risk from foreign governments then simply picking a new laptop vendor is not an effective solution.
Why not produce your own computers on the NSA fab? You know...put it to use use for something other than spying on your own people.
In areas of high sensitivity, there is no such thing as "fearmongering." Only fear, and justifiable risk. That it's being publicized in this way, without the inclusion of some context in the summary of the real security needs of the governments, who have to worry about TEMPEST emissions and other crap no one would dream of caring about, is the "fearmongering." I trust that our governments know what their requirements are in this regard, and that avoiding Lenovo is not going to keep them from accomplishing their mission. So that choice is a no-brainer.
I doubt however, that avoiding that particular brand will help, when everything else is also made in China, and the minerals are sourced from China. That's the real dilemma. How do you maintain security when you produce very little as a nation? There's no substitute for "made at home" in these cases. I wonder in what case, if any, that is actually truly achievable.
"some overclocked overheating whitebox frankenmachine full of dust and nicotine" like the Surface they were using at the product launch?
http://youtu.be/N1zxDa3t0fg
Didn't something similar happen at CES 2012?
So much fun:
http://youtu.be/jMToNsCyFQU
I'll make this one easy on you
Gee thanks. I'm really glad I have you to explain this to me since I merely have a master's degree in finance and am a certified accountant with 10 years experience in global sourcing. Good thing I have smart people like you to explain how currency trading works. [/sarcasm]
Defaulting on even a small amount of debt to China would collapse this system and US and world economy would not survive the fallout
The US doesn't have to default on the debt. That was the whole point. China will get paid in due time and they have very little leverage over the US regarding when and how. China bought that much US debt because they had to, not because they particularly wanted to. The notion that China now "owns" the US, or that they could take the US to some court over the matter is just nonsense. China (probably rightly) regards US debt as a safe investment but China is in a much more precarious position than the US even without the exercise of some fiscal nuclear option.
Have a look at your board some day. It is pretty easy to identify all the chips, and their origin. There also aren't all that many. Chips cost money. So ya, there are other chips like the audio chip (made by Realtek, of Taiwan), NIC (Realtek, Broadcom or Intel), sometimes extra USB chips (NEC) etc. All these are on there because the company the board was made for spec'd them and they know what they do and who they are from.
So you would be claiming that China would be making chips that duplicated the functionality and form factor of these chips, but also had extra evil functions, and then had Foxconn secretly stick them on boards. And that nobody ever noticed. Ummm, ya. That is entering in to truther territory in terms of believability.
I think part of the problem is people have this false idea that "everything is made in China". No, not really. A lot of stuff is made in China as in put together there, but it turns out the rest of the world makes a lot of products, many of which are components that go in to the things made in China. The US is second only to China in terms of manufactured goods. That right there should tell you something about the belief that the US "doesn't make anything".
I don't see them built into manufactured equipment?
Change is certain; progress is not obligatory.
Seriously people, take a little time to hop on over to the US Treasury site and learn a little about US debt instruments. It isn't hard, they'll explain it all, and even sell them to you directly if you want some.
So, this is not a loan shark situation, where the US goes to China and says "Please give us some money!" and China says "Ok you can have money, and at some point, you don't know when, I'll come and collect and you don't know how much for." Rather the US auctions off securities, bonds, notes, etc, and China chooses to buy some. They are sold to the highest bidder, which in this case means the entity that bids the interest rate down the lowest.
Now some things to note about them:
1) They pay out in US dollars. They are not denoted on foreign currency, they are in US dollars, meaning they have value only if the dollar does, and their value is dependent on the dollar.
2) They pay out only after a given period. There is no provision to call in the money early. They have a defined cycle depending on what you buy. Some t-bills have a maturity date as short as a couple weeks, some bonds a maturity date as long as 30 years. They pay out the principal only when they mature, not before (bonds pay out interest every 6 months). The only way to get money early is to sell them to someone else who wants them, for a price that group is willing to pay.
3) They aren't physical things you have, they are just entries in a computer at the treasury. They are completely under the control of the US government and if you did something that allowed them to seize your assets, there is fuck all you could do to stop it.
So no, China can't come "through the courts with a small army of debt collectors." Their case would be dismissed in summary judgement and they'd be charged court costs. You can't sue the government to try and get them to pay out their treasury securities early as it is EXPLICITLY stated that they pay out only at a given time. You can't demand they pay you in another currency, as they are sold in US dollars. You can't act as though they took your money without you knowing as you had to go and bid on them.
Seriously, none of this is a big secret or complex. Go look it up. Go participate in it, if you like. Treasurydirect is the government's site for individuals to buy securities. You can participate in the auctions and buy government debt for yourself, if you wish. Just don't think you can then run down to the court house and demand the government pay you. The terms of your payment are explicit up front. If you don't like it, don't buy.
Doesn't anybody remember a few years back when the Chinese-chipped military helicopters were discovered to have backdoors?
No. Presumably you have a link to some facts?
I assume this was some cheap non-OEM replacement part. Not 'the helicopter'.
It's probably a link back to the famed chip with a hardware backdoor which turned out to be inserted by its US manufacturer. If there is another story then please post the link as AC requested.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
Let's assume a remotely-exploitable backdoor. How are the Chinese getting these packets into or out of secure networks? Is there somehow an undiscovered RF part with a high-gain antenna? Because if there is, I'd like to hook my Lenovo's Centrino WiFi up to it.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
And yet, that is far less invasive than is China, Russia, UK, France, Germany, Japan, etc.
I prefer the "u" in honour as it seems to be missing these days.
Government bonds have very strict terms on repayment and that is for a reason - they need to be exceptionally predictable and reliable to function in their primary role of being reliable bonds.
Who said anything about postponing payment? Although that is in many cases an indirect option. Many bonds have terms that permit early retirement (not all but more than a few) and others are coming due regularly and the US can buy these bonds back and issue new ones with new payment terms. The Fed does this all the time entirely within the terms of the bonds issued. The only caveat is that you need someone interested in buying the debt. 90% of the buyers of US debt are not China and more than half are inside the USA.
All of above events would cause severe harm to US, and by extension world economy, which is why they are unlikely to occur. We are effectively in a state of financial MAD in credit system.
Correct. And my point is that China is if anything in a worse position. They have a MUCH larger poor population and their economy would likely be hurt far worse than the US economy in the event of a problem. China simply doesn't have a sufficiently developed domestic market yet. No one is suggesting that the US default in any way. What I am stating point-blank however is that the notion of the Chinese coming to collect the $1.1 trillion in debt they hold is absurd. They cannot do it even if they wanted to.
Make no mistake, China is a totalitarian Communist state, they will NEVER be our friends.
Perhaps not friends. But thanks to the NSA and their comrades, we appear to be doing our damnedest to catch up with them. Perhaps it's like high school girls at the prom. They all compete to see who has the hottest dress and dish dirt on each other in the process.
Have gnu, will travel.
Thinkpads are generally the only laptops available with non-touchpad pointing devices. Forcing government employees to use crappy touchpads is inhumane.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
By extension, any IT product made in China should be banned as well. That includes a LOT of 'American' brands.
That is, if the real concern is that China might insert a security hole.
Question to all hardware experts out there. Software backdoor - sure possible when you don't have source code for your operating system. Hardware backdoor with physical access - possible. But is hardware backdoor without physical access possible? Suppose I buy Lenovo or whatever, I write random data to memory and disks 100 times, I install an open-source operating system and use only open-source drivers. Is backdoor possible? What if I also replace Network Interface Controller with one I trust?
Lenovo has a massive education discount, about 40%. To use it, you choose a university from a drop-down menu and click through a Terms-of-Service. I've always wondered if that was subsidized by the Chinese government.
.: Semper Absurda
What about Dell and HP? All made in China, all used by big government. Ah! HP and Dell are US companies, so that's OK.
There was an unknown error in the submission.
The politicians who approved the legislation are heavily invested in Dell and HP stock.
I do not fail; I succeed at finding out what does not work.
"Just as the liar's punishment is, not in the least that he is not believed, but that he cannot believe any one else; so a guilty society can more easily be persuaded that any apparently innocent act is guilty than that any apparently guilty act is innocent." -George Bernard Shaw
Is it really surprising? The world is heading back to Cold War era spy games very fast.
- Otaku no naka no otaku, otaking da!!!
Does this mean I'll be able to get ThinkPad for half a price?
The Chinese or the NSA. I'm not so sure what is worse in my situation (located in Europe).
The Chinese may know things about me, but I'm not within their reach nor sphere of interest.
For European companies, e.g. Swiss banks, the same might be true.
They may have good reasons to fear the NSA more than the Chinese.
Locked boot loaders tangle this stuff to no end.
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
Well I can't speak to backdoors in Lenovos I did just recently purchase on eBay a replacement battery for my Sony VAIO... Auction page had "made in USA" plastered all over it, description was written in broken engrish. Upon receiving the battery I discovered it did not work, I contacted the seller with a return request and got an email back in even worse broken engrish from a "Mary Smith" with a link to a URL (hosted within China) to a driver installer and instructions for "instarration". I was to intarr the exe with the laptop plugged in to power and ethernet, reboot and leave power and Ethernet on "overnight" to fully charge the battery. Backdoor attack campaign with Chinese origin? Gosh.. I dunno... what do YOU think?
There's a brand manufacturing in Japan and the United States. Lenovo.
Kill all hipsters.
Given the evidence behind the national security concerns, the sale of IBM PCD should have been rightfully blocked.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.