Slashdot Mirror
Huawei Laptop 'Backdoor' Flaw Raises Concerns (bbc.com)
A flaw in Huawei Matebook laptops, found by Microsoft researchers, could have been used to take control of machines. From a report: The "sophisticated flaw" had probably been introduced at the manufacturing stage, one expert told BBC News. Huawei is under increasing scrutiny around the world over how closely it is tied to the Chinese government. The company, which denies any collusion with Beijing, corrected the flaw after it was notified about it in January. Prof Alan Woodward, a computer security expert based at Surrey University, told BBC News the flaw had the hallmarks of a "backdoor" created by the US's National Security Agency to spy on the computers of targets. That tool was leaked online and has been used by a wide variety of hackers, including those who are state-sponsored and criminal gangs. "It was introduced at the manufacture stage but the path by which it came to be there is unknown and the fact that it looks like an exploit that is linked to the NSA doesn't mean anything," Prof Woodward said.
Seriously, WHY? Seems clear as day to me that everything they're producing is compromised in one way or another.
What does Cisco have to do with this?
We should probably consider ANY hardware manufactured in a country with an uber-authoritarian, paranoid government to be suspect.
How closely does Apple scrutinize iPhones coming out of Foxconn, I wonder?
If the company was really sophisticated, why would they name a product the "Matebook".
Talk about something that's never likely to be used by anyone serious...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Because they are the most popular and growing server, smartphone, and network infrastructure company in the world, with the best engineering in the world, and they have never had a provable security issue. I trust them to be 100% secure, because every allegation at them always has a [citation needed] by it.
umm.. EVERYTHING is compromised these days, regardless of where and how - and the compromising parties aren't able to keep that info secure so other parties know of them.
all you're doing is choosing what flavor of compromise - and even then - compromises during manufacture aren't necessarily attributable to the most obvious party.
Curious why you single out Apple when Samsung, Nokia, Dell, Sharp, Google, Amazon, Sony, and everyone else have their stuff made by Foxconn too. All of these companies go over their devices thoroughly as they know any security issue could have HUGE negative repercussions for them.
I'm buying their stuff because I believe them over the hypocritical US government. Oh and also because it's a good value.
Is they write really crappy software and they themselves don't know what it does at times, let alone jabber across the interwebs after hours.
Wow, way to expose yourself as the ignorant, untravelled hometown mook that you are. Foxconn is a Taiwanese company. Taiwan does not have an authoritarian, paranoid government.
Frankly, I would be more concerned about what the United States government is meddling with.
Seriously, them and the Chinese government are so in-bed, that the government is putting increasing pressure on Canada with imaginary claim like Canola being infested with pest and retrial a Canadian just to give him the death penalty right after the whole thing with Huawei's CFO started by request of the US. Among other things.
As a PSA, please remember that Trump overrode the various national intelligence agencies' concerns and removed sanctions on Huawei.
> How closely does Apple scrutinize iPhones coming out of Foxconn, I wonder?
totally.
every corporation in a communist country has a government official on staff
I couldn't give a fuck about the Russians or the Chinese. There is another nation that is far, far worse.
Enjoy.
How do you know this? We donâ(TM)t see articles like this about Cisco.
buy a laptop from the Chinese army?
I'm totally baffled by anybody who claims to be educated and who accepts the Chinese government's own public declarations that they are a communist country, and who can easily discover that the country has made its leader a leader-for-life --- but who then denies that Huawei is part of the government of China and, by virtue of the very basic definitions of that system, integrally related to the army of China [and, of course also the spy services thereof].
There's no independent court system there, no written constitution guaranteeing rights that the government cannot violate on a whim, and no legal right for any "business" to exist there without ties to the government.
Reality is not an opinion; reality is an objective thing.
This is a weird thing to me, because at first actually it seemed like it was much ado about nothing, which was actually more suspicious than this highly predictable revelation. However, I still don't know if there's any way to tell who is backdooring these devices, only that it is now clear Huawei can't protect their supply chain any better than anyone else.
What about a Commodore 64?
We do though. We just haven't as recently.
Curious why you single out Apple when Samsung, Nokia, Dell, Sharp, Google, Amazon, Sony, and everyone else have their stuff made by Foxconn too. All of these companies go over their devices thoroughly as they know any security issue could have HUGE negative repercussions for them.
Nothing to be curious about. When Slashdotters hate Apple, anything is fodder for for their angst and anger. The fact that other companies use FoxConn is irrelevant.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
A flaw in Huawei Matebook laptops, found by Microsoft researchers, could have been used to take control of machines.
Windows 10?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Also, lots of slashdotters hate Apple.
We've done so for a long, long time.
It isn't angst or anger, btw. It's an understanding of what kind of company Apple has been for a long time.
I would hope they load all their own firmware all the way down to bare metal and not let any 3rd-party company have anything to do with it.
Gee, what a surprise...
Yeah, and how did the NSA get their software on their computers?
Which government has the power to completely fuck up your life?
The answer to that question is usually the government of the country that you live in. I don't live in the US, China, or Russia myself, yet it is my home country that has by far the most power over me.
Price? Looks just like an offering from another computer company named after fruit, but costs much less.
At least that is my guess.
LOL
Facts.
If you are honest, it comes down to which governments will you make it easy to spy on you. Telecoms are backdooring/MITM cells anyway, so no advantages there.
What about PC and tablets?
Windows, Android, Apple? The US already has your shit.
Huawei, etc? China does too.
Russia's backward economy doesn't actually make electronics products worth importing anywhere else, but they have decent software skills, hence Kaspersky.
Europe's got a few things...Airbus?, but no real marquee stuff in tech. RIP Nokia, which is now basically an Android subcontractor.
If you live in China, and aren't politically active or ambitious, absolutely get a Huwei and save a 20% up to a hundred bucks vs a Nokia with equivalent specs.
If Russia already has your data, sure, go ahead and run Kaspersky to keep the Chinese out. Might be good for Russian aligned Linux users too.
But here is the real, practical deal:
If you use what 99% of other people use (aka not Gentoo) the US can get your stuff pretty easily.
So it comes down to what companies ALSO get your data. Running office and chrome on your mac book? Apple, MS and Google all have your stuff. Hell even without chrome all your Gmail friends each gave their half of shit to Google anyway.
The US has my stuff. MS has my stuff. But Google doesn't and apple doesn't. Beat I can do. And even Google or Apple will get my phone stuff in a year when WinPhone is dead dead. What am I going to do? Not use a smartphone? Live like an animal on a cave? F that.
The US has been the most trustworthy of the admittedly low bar set by China, Russia and the US. Even with #orangemanbad stuff, the US is only dropping towards the other two. I'd love for some other empire to exist and be better, but right now, the obnoxious bumbling America is still better than the other two bidders.
If you read a bit of the summary you'd realize the experts are pointing at the NSA rather than the Chinese.
Also, lots of slashdotters hate Apple.
We've done so for a long, long time.
It isn't angst or anger, btw. It's an understanding of what kind of company Apple has been for a long time.
Sure it is. I've used Apples and Windows and before that MS-DOS for a long time. Your idea that you have some understanding of Apple's special evil merely shows you don't have an understanding of everyone elses.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Free trade.
The US and Uk "have" to accept equal and tech trade products from China.
Thats how its getting in to the USA and EU.
Domestic spying is now "Benign Information Gathering"
Would you please quit playing around? We've got work to do.
If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
Apple is US company that has devices manufactured in China that are approved. Also well known and liked by many idiots that talk privacy.
Hilarious; when the researchers are from Microsoft.
+1 on that; US government is among the most hypocritical.
This conversation really needs to shift to who you prefer to be spied on by.
Chinese companies keep being accused of being compromised. It is a reasonable assumption and most likely true.
US companies have proven to be comprised. See the Snowdon files, or if you like case in point, Cisco: https://www.tomshardware.com/news/cisco-backdoor-hardcoded-accounts-software,37480.html
If you've used MS DOS, then you should be able to remember when Slashdot was for Linux enthusiasts. Then you should also remember that MS was the root of all evil in those days. Then you should also know that Apple and Google are today's Microsoft, in Slashdot world.
Foxconn plants are in mainland China, you ignorant person. Chinese territory = Chinese laws and rules.
Normally I'd expect such an opinion to be based on facts and not fear-mongering produced without proof. Here we are served an article without technical data, without any actual information at all but the speculation of some unknown person (to me at least) in combination with scary words from an obviously nontechnical writer. No links, no description of the exploit, no reason to actually believe the unknown person.
Sorry
Sure it is. I've used Apples and Windows and before that MS-DOS for a long time. Your idea that you have some understanding of Apple's special evil merely shows you don't have an understanding of everyone elses.
I have a special place in my heart just for hating Apple. For you see they basically hate developers and are determined to make lives miserable for everyone who actually wants to do things professionally.
They won't let you compile on other machines and they won't sell decent servers.
There's a special place in hell for Apple, this hell to be precise http://smbc-comics.com/comic/p...
Plus their adverts are insufferable pretentious.
SJW n. One who posts facts.
and which company is producing anything that is not compromised in some way? this is the reality of the highly complex integrated world we live in. Consumers won't pay the price that would be required for true verification and security that would guarantee no compromises.
450 advertisers on smbc? And you have to opt-out of every single one?????
(sniff) Bye bye smbc. :( I will miss you or at least find them on a mirror/blog that doesn't have your trackers.
We should probably consider ANY hardware manufactured in a country with an uber-authoritarian, paranoid government to be suspect.
Given how we actively know the NSA has sought exactly these kinds of back doors you can just remove all adjectives and say:
"We should probably consider ANY hardware manufactured in a country with a government to be suspect."
Samsung {...} Sony, and everyone else have their stuff made by Foxconn too.
Not every single company manufactures its stuff exclusively in China.
For example, Sony still manufactures in Japan.
(And Samsung obviously manufactures a lot in South Korea)
Those non-China-made products include their smartphones (and other high-tech, hi-priced gadgets), they'll prefer outsourcing less sensitive accessories (wall wart charger).
disclaimer: both of my latest two smartphones are Japan-made Sony Xperias. Though I still flashed an entirely different OS (not Android) on them.
So it's not *China*'s spyware you're going to find installed in there.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
They go over it and send it back if their root exploit doesn't work. Thanks Sony.
Don't fight for your country, if your country does not fight for you.
And when you write
everything they're producing is compromised in one way or another
Are you referring to american companies, that introduce back-doors for the NSA?
That tool was leaked online and has been used by a wide variety of hackers, including those who are state-sponsored and criminal gangs. "It was introduced at the manufacture stage but the path by which it came to be there is unknown and the fact that it looks like an exploit that is linked to the NSA doesn't mean anything," Prof Woodward said.
And if you comprehend the summary, it says everybody now uses it because it was leaked. And they insinuate that its not the NSA, I assume because it was found.
I have a special place in my heart just for hating Apple. For you see they basically hate developers and are determined to make lives miserable for everyone who actually wants to do things professionally.
I've written a tiny little bit for iOS. Just different rules. But if you wanna hate, by all means have at it.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Pathetic that slashdot has gotten to this point, but the original article has no link to any meaningful information.
in summary:
- this is an exploit in a windows program written by huawei called pcmanager.
- Dell, HP, and even Lenovo have had security bugs in their software as well. The fact that this is a huawei bug means every news outlet gets to ratched up the terror factor for clicks.
- googling the name Alan Woodward returns the exact same article title at nearly 2 dozen news sites, but nothing meaningful about the guy outside of his singular report.
https://www.huawei.com/en/psir...
Good people go to bed earlier.
If you've used MS DOS, then you should be able to remember when Slashdot was for Linux enthusiasts. Then you should also remember that MS was the root of all evil in those days. Then you should also know that Apple and Google are today's Microsoft, in Slashdot world.
Well, I wasn't on Slashdot until some time in the early Y2K's. By that time Applehate was well established.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
If you read the summary you'd realize that the experts said that they have no idea who put the backdoor in.
It's amusing to see all the whataboutism on /., but, really, although the U.S. has problems, it's nothing compared to mainland China.
https://www.nbcnews.com/news/china/disappearances-forced-confessions-china-targets-dissent-n505046
https://www.vox.com/2018/8/15/17684226/uighur-china-camps-united-nations
https://en.wikipedia.org/wiki/Human_rights_in_China
https://freedomhouse.org/blog/china-s-quiet-drive-normalize-repression
https://www.theguardian.com/world/2017/jul/17/chinas-growing-intolerance-for-dissent-will-come-at-a-high-price
We should probably consider ANY hardware manufactured in a country with an uber-authoritarian, paranoid government to be suspect.
If you credit Wired, the problem isn't that Huwei is compromised by the Chinese government (although it probably is. Their government holds very tight control over everything.).
The problem is that their software QC is slipshod.
From https://www.wired.com/story/huawei-threat-isnt-backdoors-its-bugs/:
"Though the geopolitical discourse has gotten heated, the report concluded that the flaws in Huawei's code are related to "basic engineering competence and cyber security hygiene" and could be exploited by anyone."
MacOS model's not done: Stop IMPERSONATING me lying & proof portfilter err's can't happen https://news.slashdot.org/comm... in my work!
u IMPERSONATE me & also ADMIT u have a /. acct & STALK me by UNIDENTIFIABLE ac https://hardware.slashdot.org/... - YOU got ISSUES.
That's "best ya got"?
u WISH u were ME (as ur POOR imitation = the sincerest form of flattery) WASTING ur life STALKING me by UNIDENTIFIABLE anon OR IMPERSONATING me!
APK
P.S.=> I BLOW U AWAY https://tech.slashdot.org/comm... + https://it.slashdot.org/commen... + https://yro.slashdot.org/comme...
What's the point of inspecting your products when they arrive from the Chinese factory when your own government just intercepts them during shipment to customers/vendors and installs malware? The US was caught red handed doing that, and pretty much nothing has been done about it.
Also security issues have no repercussions for any of these big tech companies. Dozens of celebrities' private photos were stolen from Apple's servers, didn't touch their stock price. Sony deliberately installed malware on people's computers, and hardly anyone even heard of it at the time.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Did you notice the part in the summary that states that this flaw looks like an NSA backdoor?
Why is that? It's funny how they are all given a pass, in particular Apple who ignore all reports and have been on record with waiting as much as 10 months before they finally fix the security holes. The security hole in this driver was patched very quickly.
But hey keep fooling yourself.
Probably just a garden variety fuck-up. Like when Apple accidentally published the private signing key for their battery firmware, allowing anyone to create a malicious update that permanently backdoored the machine and could not be removed without tearing the laptop apart. Or the infamous GOTO FAIL bug.
Or how about Intel's Management Engine flaws, which similarly allow an attacker to permanently pwn the machine?
Maybe they were all NSA implants into the codebase. The GOTO FAIL one looks particularly suspicious. But there is also a high probability that they are just human error.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Dozens of celebrities' private photos were stolen from Apple's servers, didn't touch their stock price.
That's because it wasn't Apple's fault. Those celebrities were using bad passwords.
Sony deliberately installed malware on people's computers, and hardly anyone even heard of it at the time.
That was a bit more puzzling. I feel like a lot of nerds didn't do their job on that one, and make their non-nerd friends understand the repercussions.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Correct. We did have a similar to Huawei exploit from Intel in the not too distant past. Difference is 'Mericans want to crucify Huawei because 'Merica.
brandelf -t FreeBSD
You are more concerned about the US government than the Chinese government.
Absolutely.
Talk about ignorant. Or you are a Chinese or Russian plant.
How many countries have you lived in (one year or more)? Have you lived in both the United States and China? I have, among six other countries.
The problem with Americans, is they make up shit about other places as if they know those places when they probably haven't even left their place of birth. Try travelling, kid. It'll open your eyes and make you not so prejudiced and bigoted.
Still a Taiwanese company, so it's pretty silly to think they aren't going to be inspecting their own products.
Have you ever been there? Taiwan is not Chinese territory, you ignorant little boy.
Gotta love how someone tried to mod this as a troll. It's OK to talk all the shit you want about other countries, but when the flaws in the USA are pointed out, it's suddenly trolling. LOL.
The United States is one of the WORST countries I have ever lived in. Americans believe that they have rights, but when compared to other places, it's just an illusion. The USA is one of the least free countries I have ever been to where one can be prosecuted for anything and must undergo religious indoctrination in order to deal with the legal system or government.
The most logical conclusion is that the USA NSA put it there. It is unquestionably their creation, so that is the most accurate conclusion.
I bet the "leak" was on purpose after the NSA planted their backdoor code into loads of computers and devices and they only "leaked" it so they could lie and claim innocence. "We made the backdoor, but it was only for...uh...research! Yeah, research! We never used it and some commie Chinese spy infiltrated our super-duper, top notch intelligence organisation, stole our code and leaked it....yeah, that's the ticket!"
Sorry, I ain't buying it.
I don't give a shit what you or your government say. I have no reason to trust you.
Your OS doesn't matter. ME can spy from below your platform visibility.
ME network access is disabled? Look for TPM, sound card/gpu firmware/microcode, and cpu microcode exploits. Unless you are running registered memory, rowhammer is still a concern even if all the 'new' DDR4 mitigations work acceptably on unbuffered memory.
Even if none of those work, the SPI flash used since one generation after SPI flash became standard has a SERIOUS flaw. The chips write protect pin ONLY works if a software command is sent to write protect it after power on. If a piece of software can power glitch the chip to reset without resetting the whole system the write protect goes away. The PCH on Intel hardware added a memory region masking function to work around that, but it in turn is part of the suspect hardware platform.
AMD, ARM, Cisco, Huawei, Oracle/Fujitsu SPARC, even IBM and their PowerPC (although a lot more transparent than the aforementioned.) None of these are really trustworthy. With every passing day one more piece of hardware requires proprietary or signed firmware. Many are part of a DRM solution, usually to the customer's detriment. Some even allow remote surveillance or software updates.
Top to bottom, modern hardware is untrustworthy and insecure. In order to secure it, we effectively need to start from the ground up. Without the backing of major corporations or wealthy individuals, this means taking a step back on performance and efficiency, to ~2003 era hardware. As the main guy at Parallax can tell you, masks for the propeller 2 chip were ~200k USD on that process, meaning a larger cpu might be in the million dollar range, which is entirely doable given dedicated crowdfunding efforts. If you can tolerate Pentium 3 bus speeds, there are FPGAs today with partially or fully open toolchains (iCE40, ECP5, and there was Spartan 2 work at one time.) Those FPGAs are just wide enough and fast enough to run a channel of SDRAM or a PCI/AGP bus, both of which should be patent free now. Given the benefit of 20 years of engineering and research, some of which may not be patented, unlike newer bus designs and display technologies, building a platform sufficient for day to day productivity and digital security, utilizing modern storage and peripheral devices at reduced speeds is possible. A Pentium 3 with a 5TB hard drive, a 500mb/s SSD, and a PCI to PCI express bridge plugged into a dedicated 32 bit 66mhz PCI slot would give more than enough performance for Gigabit Ethernet, access to modern PCIe graphics cards (at reduced performance), and most of the other conveniences of modern technology. Registered SDRAM dimms supporting 1 or 2GB apiece are possible, allowing up to 8GB off a single SDRAM channel (Up to 1 Gigabyte per second peak bandwidth.)
Compared to the 40+GB/s of a modern system or the 1TB/s of HBM based solutions, it won't be anything special. But having a socketed processor, socketed memory, and a patent free bus, plus the ability to reconfigure the memory controller or i/o hub if functionality or security can be improved would be a huge coup for the individual security conscious user.
This is the only way forward where we can claw our control back from our corporate and government overlords. Choose to stride differently, or walk lockstep into the new world order!
You have ranted and raved, yet offered not a single coherent, logical, rational argument.
Are you on the payroll of Huawei?
I ask, not in the way anti-trumpers ask if any opponent is a Russian, but as a genuine question about why this topic seems to make you so angry and/or irrational while seemingly involving no rational reasoning. If you would make any simple, logical argument for your attacks on the previous posts there would at least be some apparent reasoning involved.
I've written a tiny little bit for iOS. Just different rules.
A tiny bit, quite. Try developing an actual product. It's really hard to do CI remotely well when you can't get anything approaching decent servers. For android it's trivial: just spin up a bunch of VMs on your cloud or local platform of choice running any of the usual systems.
For apple: fuck you.
SJW n. One who posts facts.
Actually I'm an Apple user and enjoy their products.
I used them as an example because they're one of the largest companies with extremely popular products that most people trust, yet are made in China.