Slashdot Mirror


Several Western Govts. Ban Lenovo Equipment From Sensitive Networks

renai42 writes "If you've been in the IT industry for a while, you'll know that Lenovo's ThinkPad brand has a strong reputation with large organisations for quality, dating back to the brand's pre-2005 ownership by IBM. However, all that may be set to change with the news that the defence agencies of key Western governments such as Australia, the US, Britain, Canada and New Zealand have banned Lenovo gear from being used in sensitive areas, because of concerns that the Chinese vendor has been leaving back doors in its devices for the Chinese Government. No evidence has yet been presented to back the claims, but Lenovo remains locked out of sensitive areas of these governments. Is it fearmongering? Or is there some legitimate basis for the ban?"

27 of 410 comments

  1. Their loss by AmiMoJo · · Score: 5, Insightful

    Thinkpads are very popular with people who need to do their own maintenance. They use them on the ISS for that very reason. Every part is replaceable and you can download a full service manual with excellent step-by-step illustrated instructions.

    Sounds like fear of the boogeyman and a bit of racism are really going to hurt the US in the long run.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Their loss by MickyTheIdiot · · Score: 5, Insightful

      Is it racism to be concerned that our military is using computer parts that can't (or won't) be produced at home?

      If we had to go to "total war" tomorrow like we had to after Pearl Harbor I think we would be in pretty big trouble if our enemy was from the east and all of a sudden our constant shipping was gone. It we Americans are so damn expensive and corporations are at their height of greed and power we've pretty much forgotten how to do that manufacturing.

    2. Re:Their loss by dintech · · Score: 5, Insightful

      I think the Chinese probably have a lot more to fear from using American technology than the reverse.

    3. Re:Their loss by bfandreas · · Score: 4, Insightful

      This is hardly new. IIRC Huawei also had similar issues.

      Worse is yet still to come. Given the extent of backdoors, data sharing and data sniffing as has been exposed during the last couple of weeks a lot of service providers in the US may suffer a similar fate. All these service providers operate on trust and trust is at an all time low.

      Now all I have to say when a customer/PHB talks about "cloud" is to counter their BS bingo with "trust". And trust is easier lost than earned.
      The intelligence community in the US, UK and Europe have managed to sow the seed of distrust into everything that is connected to the net. While Joe Public doesn't seem to care, those who do have to care will think twice. The new bonanza will be security/privacy technology while the clouds disperse in the corporate sector.

      --
      20 minutes into the future
    4. Re:Their loss by stevegee58 · · Score: 4, Insightful

      Anyone says anything bad about China/Chinese and some PC do-gooder brings up race.
      It isn't about race, it's about the proven track record of a government tainting their country's products with viruses, trojans and backdoors.

    5. Re:Their loss by moronoxyd · · Score: 5, Insightful

      Proven track record?
      Please enlighten me and give me links to that proof of backdoors. (That's what this is about, not virii or trojans.)

      All I heard on this matter are accusations without any proof.
      On the other hand, we KNOW that the US is spying on everybody...

    6. Re:Their loss by Anonymous Coward · · Score: 5, Insightful

      PRISM: Microsoft, Google, Apple... Need I elaborate or is it sufficient to say that the US government is in the spying business and the Chinese will be doing themselves a favor by banning US products and services?

    7. Re:Their loss by tylikcat · · Score: 5, Insightful

      Well, and let's talk about the US record of viruses (as I believe that's better documented than anything else out there)...

    8. Re:Their loss by Anonymous Coward · · Score: 5, Funny

      And trust is easier lost than earned.

      Indeed. I was trusting the NSA to back up all my data, and now they cannot even find their own emails. I guess I'll have to do my own backup, after all. ;-)

    9. Re: Their loss by Anonymous Coward · · Score: 5, Insightful

      Uhhh, Stuxnet comes to mind

    10. Re:Their loss by moronoxyd · · Score: 5, Insightful

      You didn't really read my comment, did you?
      I was explicitly asking for proof of backdoors, not attacks over the internet with trojans.

      I don't doubt that the Chinese government is behind some cyber attacks. Just like the US government and/or their partners were behind Stuxnet and Duqu.

      But here we are talking about compromised hardware. And while Western companies and governments have been talking about that for years, I haven't heard of any proof.

      If somebody would find proof that any one Chinese company had in fact backdoors designed into their hardware, not only would that company not be able to make any business outside of China anymore, but many other Chinese companies would struggle as well.

      So I have my doubts that they are that stupid.
      Still, I might be wrong. So: Please share the proof about backdoors (!) in Chinese hardware.

    11. Re:Their loss by Kjella · · Score: 5, Insightful

      If both parties have too much to lose there won't be another war. That's a fortunate consequence of globalization.

      Before WWII I'm sure you could have made many reasonable and credible arguments for why Germany would never attack France or why Japan would never attack the US that are equal or better to "globalization". Many wars have started small and escalated quickly and unpredictably, whether it's North and South Korea, Taiwan, those islands south of Japan or whatever one match can start a kindle that'll start a fire to put the world in flames. I mean it's not like anyone saw the US getting involved because a dictator started annexing a few areas around Germany. In retrospect you can say the Mutually Assured Destruction policy worked in the Cold War but during the Cuban missile crisis it was a very close call.

      Maybe your perspective is different but my country of Norway took the neutrality route in the 1930s, no military build-up, no signs of military aggression, we were seeking a position of neutrality and being a non-threat to everybody. What happened was the Nazis said "thank you very much" and invaded with minimal resistance. And today I see the same, with the NATO alliance and Russia being a shadow of its former military might we're running the defense with half a skeleton crew on outdated equipment, we're spending some money on elite units for operations abroad but the mass defense? We'd fall like a house of cards, all the money is bet on there not being any war in the first place.

      --
      Live today, because you never know what tomorrow brings
    12. Re:Their loss by dl_sledding · · Score: 5, Insightful

      Agreed!

      And, to go along with this, whose hardware *isn't* produced in China? So, why are we even arguing about it? If this wasn't a targeted attack against Lenovo by the US Gov't, wouldn't they ban *all* hardware made in the PRC, which includes Apple, Dell, etc.?

      Besides, since Big Brother is so all-knowing, why wouldn't they just stop the conversation between the backdoor and the Chinese bad guys? I mean, they have the big brains in their IT departments, don't they? Shouldn't they be able to detect and stop all those naughty conversations? If they can capture, record, and filter all public conversations, can't they keep their own house protected well enough to block something so simple as a covert "E.T. call home"?

      Kind of makes you wonder exactly what they are trying to accomplish (or deflect attention from) with this move... There's an ulterior motive, and another, more interesting, story here behind-the-scenes...

    13. Re:Their loss by jbolden · · Score: 5, Informative

      Well there have been tons of examples of backdoors loaded into firmware then sold with hardware. The Actel/Microsemi ProASIC3 was found last year to have a backdoor in the chip. http://www.scribd.com/doc/95282643/Backdoors-Embedded-in-DoD-Microchips-From-China

      This is a very heavily used chip that got into western weapon systems, western power control system....

    14. Re:Their loss by rtfa-troll · · Score: 4, Interesting

      This case was discussed also on Slashdot. However, if I remember correctly, it was never shown that the "backdoor" (it had plausible deniability as a bug / stupid debugging feature) was added in the fab and the chip design came from outside China. I would think that if the designer had not put the backdoor in then they would very clearly have denied responsibility.

      I'm really interested to know if anyone has any evidence that someone actually found such a backdoor. I'm sure they exist; I'm sure some spy services have found some, however I'm not sure that anyone admitted to doing it (and so giving away the level of their ability) and I don't have any evidence that the bug that was found was created by China (which would be fascinating).

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    15. Re:Their loss by Tweezak · · Score: 5, Interesting

      If you read the ORIGINAL article from Financial Review you may note this:

      "Members of the British and Australian defence and intelligence communities say that malicious modifications to Lenovo’s circuitry – beyond more typical vulnerabilities or “zero-days” in its software – were discovered that could allow people to remotely access devices without the users’ knowledge. The alleged presence of these hardware “back doors” remains highly classified."

      So, they found hardware vulnerabilities but they aren't stating what they are. Probably because they know that people would start exploiting them immediately. There's a reason this stuff stays quiet. Also note that the ban started in 2006. This is pretty old...it's only getting reported now.

  2. So instead? by john.burton1765 · · Score: 5, Insightful

    So I wonder which manufacturer that doesn't use Chinese components they'll use instead?

    1. Re:So instead? by SJHillman · · Score: 5, Insightful

      Having components from China is very different from having the entire machine, or at least key parts that can phone home, from China. They don't give a damn if your capacitors or even the entire DVD drive are from China.

  3. Welcome to Cisco and MS's future... by nweaver · · Score: 5, Interesting

    The problem is the credible fear of a lifecycle attack is sufficient to require that such hardware be avoided. There is a reasonable fear that the Chinese might try something using Lenovo kit, therefore the classified networks need to avoid it. It's the same reason why Huawei networking hardware is avoided in some circles.

    Of course, with the NSA now clearly off the leash, US IT equipment is now in the same position. Microsoft clearly backdoored Skype to enable easy wiretapping, the NSA is reportedly hacking foreign networks to introduce monitoring (who knows, perhaps it was the NSA responsible for the Athens Affair?), and with any US Cloud service provider subject to PRISM-style requirements, US IT infrastructure is now in the same boat that the Chinese have been struggling with for years now.

    --
    Test your net with Netalyzr
  4. Re:Hmmm... by SJHillman · · Score: 4, Funny

    They're only worried about back doors, not back windows. There's no way the Chinese could sneak fat American secrets out through a window.

  5. Re:New Cold War by SJHillman · · Score: 4, Informative

    "Made in the USA" does carry a specific legal meaning and is different than "Assembled in the USA"

    http://business.ftc.gov/documents/bus03-complying-made-usa-standard

  6. Re:In that case... by Anonymous Coward · · Score: 4, Informative

    Unlike most US companies, The Chinese government owns the largest share (38%) of Lenovo's parent company Legend which owns the largest share of Lenovo (34%).

    FYI it was the British and Australian defense and intelligence communities that discovered malicious modifications to Lenovo's circuitry. Just in case you actually believe that the US intelligence was proactive for once, it was the British intelligence findings that encouraged congress to react.

  7. What a load of crap by sirwired · · Score: 4, Interesting

    There isn't a single US manufacturer of motherboards any more; that would be the most sturdy place to insert any nefariousness (at least, nefariousness by the PC manufacturer.) Who knows where BIOS code is written these days; but I doubt it's the US.

    Not to mention the whole stack of drivers you need, like those for on-board peripherals. It'd be just as easy to put a back-door in a Windows I/O driver as it would the BIOS.

  8. Suspicious kettles and pots by dogsbreath · · Score: 4, Insightful

    Well now, it's been my keen observation over the years that people suspect of others the same nefarious behaviour that they indulge in themselves or would do given the opportunity. I am sure that there exist proposals to have Cisco/Juniper/Akamai network gear do more than is advertised.

    Knowing that the West intelligence services would do (are doing??) what Lenovo & Huawei are suspected of is enough to have those companies banned, at least in CIA/NSA thinking.

    It's difficult enough to keep malware out of the network as it is without providing an easy doorway.

    eg: stuxnet

    However, if evaluation of the policy to ban Lenovo were up to me, I would do a serious risk evaluation and compare Lenovo to others such as Dell. Truth is that state sponsored malware could be introduced at many levels including embedded firmware in say, network or video chipsets.

    I suspect that the multinational component sourcing makes banning Lenovo analogous to plugging a small hole in a screen door while leaving all the windows open.

  9. Not likely by sjbe · · Score: 4, Insightful

    However if the Chinese are ever coming for the USA, it will be through the courts with a small army of debt collectors.

    Cute sound bite but the US has the Chinese over a barrel here. China has bought about $1.1 trillion dollars of US debt which is about 9% of total US debt. (Japan has a similar amount and total foreign debt obligations are around $5.8 trillion) Most of this debt was purchased to maintain the yuan's peg to the dollar in order to keep their exports cheap. (a weak currency helps exports) Exactly how do you propose the Chinese force the US to pay? The courts can't force the US government to do a thing. They can't sell the debt to someone else. No one else wants or could buy that much debt. If they let their currency get stronger (buys more dollars per yuan) then it hurts their exports by making them more expensive abroad. Since their economy is heavily export based, any action they could take carries a strong probability of badly damaging their economy. No the Chinese are in a tough spot. They have lent a lot of money to the US to keep their currency cheap and to ward off currency speculators. There is no way they could collect in a short time without a mushroom cloud appearing over their economy.

    When you owe the bank a little money, you have a problem. When you owe the bank a lot of money, the bank has a problem.

  10. China has limited leverage by sjbe · · Score: 5, Insightful

    I'll make this one easy on you

    Gee thanks. I'm really glad I have you to explain this to me since I merely have a master's degree in finance and am a certified accountant with 10 years experience in global sourcing. Good thing I have smart people like you to explain how currency trading works. [/sarcasm]

    Defaulting on even a small amount of debt to China would collapse this system and US and world economy would not survive the fallout

    The US doesn't have to default on the debt. That was the whole point. China will get paid in due time and they have very little leverage over the US regarding when and how. China bought that much US debt because they had to, not because they particularly wanted to. The notion that China now "owns" the US, or that they could take the US to some court over the matter is just nonsense. China (probably rightly) regards US debt as a safe investment but China is in a much more precarious position than the US even without the exercise of some fiscal nuclear option.

  11. Sigh, someone else who doesn't understand debt by Sycraft-fu · · Score: 5, Informative

    Seriously people, take a little time to hop on over to the US Treasury site and learn a little about US debt instruments. It isn't hard, they'll explain it all, and even sell them to you directly if you want some.

    So, this is not a loan shark situation, where the US goes to China and says "Please give us some money!" and China says "Ok you can have money, and at some point, you don't know when, I'll come and collect and you don't know how much for." Rather the US auctions off securities, bonds, notes, etc, and China chooses to buy some. They are sold to the highest bidder, which in this case means the entity that bids the interest rate down the lowest.

    Now some things to note about them:

    1) They pay out in US dollars. They are not denoted in foreign currency, they are in US dollars, meaning they have value only if the dollar does, and their value is dependent on the dollar.

    2) They pay out only after a given period. There is no provision to call in the money early. They have a defined cycle depending on what you buy. Some t-bills have a maturity date as short as a couple weeks, some bonds a maturity date as long as 30 years. They pay out the principal only when they mature, not before (bonds pay out interest every 6 months). The only way to get money early is to sell them to someone else who wants them, for a price that group is willing to pay.

    3) They aren't physical things you have, they are just entries in a computer at the treasury. They are completely under the control of the US government and if you did something that allowed them to seize your assets, there is fuck all you could do to stop it.

    So no, China can't come "through the courts with a small army of debt collectors." Their case would be dismissed in summary judgement and they'd be charged court costs. You can't sue the government to try and get them to pay out their treasury securities early as it is EXPLICITLY stated that they pay out only at a given time. You can't demand they pay you in another currency, as they are sold in US dollars. You can't act as though they took your money without you knowing as you had to go and bid on them.

    Seriously, none of this is a big secret or complex. Go look it up. Go participate in it, if you like. Treasurydirect is the government's site for individuals to buy securities. You can participate in the auctions and buy government debt for yourself, if you wish. Just don't think you can then run down to the court house and demand the government pay you. The terms of your payment are explicit up front. If you don't like it, don't buy.