How it got there is unknown. But it is an example of a hardware backdoor.
Have a look at my other comment, not a direct reply; I found out in the company's own press statement that they admitted to inserting it into the design deliberately. Since you were replying to a request for a Chinese backdoor I decided it's a legitimate reply even though I can freely admit that you, yourself, didn't directly mention the Chinese.
A country actively engaging in spying, that has used their products for spying, that did so in firmware....
If China wants to stop being singled out this way they need to not use their corporations for spying like this.
The countries I can think of in this case are the UK (Enigma) and the USA (Skype and Windows). I know of Chinese software based attacks. Do you have a link to a Chinese firmware based attack please?
when we called Lenovo to get them to send someone out for a repair, it always turned into an argument....
Heard of something like this too. I wonder if their local organisations aren't actually front companies owned by local people and they normally fail to pay them for the extra guarantee work or something?
The researchers identified a “Factory Key” (passcode) that was designed-in by Microsemi for production and failure analysis use
In other words, there was a backdoor, but it wasn't put there by the Chinese fab, but at the explicit decision of a USA based company. Whether you believe them that it was for their own use or for use by others is another question.
This case was also discussed on Slashdot. However, if I remember correctly, it was never shown that the "backdoor" (it had plausible deniability as a bug / stupid debugging feature) was added in the fab and the chip design came from outside China. I would think that if the designer had not put the backdoor in then they would very clearly have denied responsibility.
I'm really interested to know if anyone has any evidence that someone actually found such a backdoor. I'm sure they exist; I'm sure some spy services have found some, however I'm not sure that anyone admitted to doing it (and so giving away the level of their ability) and I don't have any evidence that the bug that was found was created by China (which would be fascinating).
FYI it was the British and Australian defense and intelligence communities that discovered malicious modifications to Lenovo's circuitry.
Link needed. All the links I find seem to point to the old story about a US military chip where the chip design came from outside China and I never saw a clear statement about who introduced the back door. I will take that to mean that the backdoor was in the original designs and was either a legitimate mistake, "debugging feature" or real backdoor that the manufacturer had no knowledge of.
N.B. just a little message for the national security folks listening in here. If you do know about this and have proof, at some point, after you have done everything needed to show 100% who is doing it or after there isn't any more hope for the investigation you have a clear duty to properly, openly warn the rest of us.
Try comparing with MacBook Pro 15" Retina for example. Almost everything can be replaced and repaired by someone, however if you need to use dangerous solvents to get inside the chips then it's not really repairable in real life by a normal person.
More specifically Taiwan is racially dominated by (Han) Chinese people (98% according to Wikipedia). The USA typically has little problem with dealing with the Taiwanese or the other way round. Same goes for Singapore.
This is really about other things. The obvious stuff about China becoming a threat to the USA's dominance, but to a greater extent the real fact that China represents a threat to many people who live in the area nearby who then support and allow the USA to come in to the area. What the Chinese should do is to try to take leadership over from the States in terms of human rights and democracy. This is probably one of their few chances to do it; their people are mostly fat and happy; the USA has let slip its mask just a bit too much. Of course, the Chinese leaders are probably not brave enough for this.
Given that kind of situation, you have a real ongoing asymmetric semi-cold war where the USA still has a considerable technical lead and China has almost no choice but to spy. I don't really doubt the accusations against China generally since, if they weren't doing things like this you would have to think their leadership negligent.
There are plenty of us who want Linux Mint and easy to use Linux. The mere fact that Shuttleworth went off on a weird Unity loop and left it for others to commercialise the technology he originally developed doesn't mean we don't want or shouldn't recognise his vision and financial contribution. I think that going direct to the contribution page and booking a cool new Linux device doesn't sound like a major pain for a bunch of us.
If people keep buying the interesting new Linux directed devices then this will keep the hardware designers making them. That can never be bad.
less foreigners == more american STEMs getting hired?
Or the work just gets done overseas. It is probably roughly 50 / 50.
Unlikely. Trade has to be a huge net benefit otherwise it doesn't get done because the companies that are involved in it have to cover huge costs (transport; multinational lawyers; dealing with multiple regulations; insurance; security people; translations; business travel for sales; moving support people etc.). From the point of view of the place that it's done in, all those costs are employed people.
Furthermore, one country trades with many. Thus, for California which is effectively a trade hub, especially for IT services, the benefit is disproportionate.
In any case, this is unlikely in any way to influence the influx of poorer than you Indian workers coming for money. It's rather going to influence richer than you German and Swiss companies trying to buy things off you. When the company heads know that their customers might be spied on then they are breaking the law by outsourcing to the US. They may end up in jail and they have to move their work away from the US.
Difficult case in my view. The US approach that you shouldn't let your data be gathered, but once it is you have no control is not working. The European approach that the data should be under full control of the person who owns it clearly doesn't work properly for secret services. No idea how you restore trust now.
then what, nothing in OSS land takes responsibility for itself
Red Hat does. Even Ubuntu will to some extent. Any time you want you can get paid support for OSS and, given the right support contract and money, they really will take care of you properly. They definitely take responsibility for the things they promise. (N.B. your two dollar desktop license really doesn't promise much at all).
It's free, it (sort of) works; if it doesn't, fix it yourself or fuck off
And this is the thing. We have seen before that people were sent to jail for bugs in breathalyzers. In some cases people who claimed these bugs were in courts that demanded source; they were set free. In other cases the proprietary software companies behind the machines managed to get them locked away without a fair trial.
If the shit hits the fan with OSS you always have one more option and the possibility to approach multiple support suppliers. This won't happen for free and it likely won't be included in any existing agreements, however you may be happy for the chance to spend $15000 on software consultancy and not spend the rest of your life in some US State hellhole. Your proprietary software vendor will be thinking of all the other people that might sue about a bug like that and will never ever help you out of the problem.
The question of securing your data shouldn't be about good or evil, or any particular moral judgment, but simply about how to make sure your critical and confidential data doesn't end up being ripped off.
There's a certain level that you can go that way. However, in the end, to be useful data has to be loaded into people's heads. People can then unload part of it elsewhere. A very important part of securing the data is making sure that those people who could do that choose not to because they see the value of your mission. Those people who surround them also see the value and put social pressure not to reveal secrets. When the US loses its moral authority by doing things identical to acts it has previously criticised this is obviously going to increase the risk of a leak.
Give yourself full remote administrative control over it from your home system. At that point you can use all the standard "Where's my IP" tools to track down where it is; can use the webcam etc.
There is a very specific command in the evacuation instructions to leave your hand baggage behind. There are extremely good reasons for this; if, for example a strap catches on a seat and your bag ends up blocking the exit it may be almost impossible to remove due to the pressure of people. IMHO that means it is never acceptable to carry off a bag since you are putting other people's lives at risk.
If your item has sufficient value that it would be worth endangering the lives of tens of people then it should be on its own separate guarded flight, possibly in a special crash survivable container. If you choose to take it on the flight then you are accepting the limited risk of it being destroyed in the event of an aircraft accident.
I don't know what you wanted to refer to. I do know that Red Hat distributes Berkeley DB, and so you can get bug fixes from them independently of Oracle. That means that your statement is very different from my statement.
those people need to get off their dead asses and make something of themselves.
I get the impression that many of the ones that were capable of and motivated to do that have already done so. They've all left for California and Texas years ago. When all of those people go, what are you going to do with the rest of them? Execute them? Mixed in with the fundamentally lazy and useless are a bunch of people who have honest to god mental health problems, bad luck stories and serious family problems. If you (and I'm talking to the Americans here) want to be seen as civilised you have to work out some way to deal with this. You cannot just count on an ever decreasing minority of active and effective people in Detroit to be able to deal with this. Even if it's evacuating the whole city or whatever, there has to be some overall agreed solution to deal with places that are starting to go bad.
Except again, from TFA, the city of Detroit was paying an enormous sum of money to a reputable vendor to maintain the system. How does that coalesce with this third world, wealth inequality theory?
Paying for things which don't get delivered is exactly how the third world manages to stay the way it is. Do you think the people there are lazy or genetically incapable or something? Basically what creates first world countries is a large group of people who are well enough paid and educated to understand what needs to be done and make sure it happens whilst at the same time not being rich enough to cut themselves off from the society and so having to care that everything gets done. These are exactly the people, in the middle, who are disappearing as wealth inequality increases.
The temptation of being paid to do something and not actually doing it is a standard thing that has been known for years. It's only when we get to the "full outsourcing" that our MBAs are so fond of that anyone would even consider getting rid of or selling off the people responsible for measuring and ensuring that the things that are paid for actually get delivered.
Go blow it out your ass, you smug little prick. What have you contributed to cryptography that is so great and awesome?
Probably.. nothing. And that's exactly the point. By contributing nothing he has put nobody's life in danger. Crypto systems are essentially security and safety systems which have to work right. When they are done wrong people think they are safe and take risks they would not take otherwise.
And, you know, anyone who wants to actually have bugfixes and updates for Berkeley DB from Oracle.
TFTFY. And you will notice it also became a much smaller problem.
Re:For those of you like me who don't have a clue. (on World's First Tizen Tablet · Score: 4, Informative)
What he said is true but it misses the main points. The main thing you need to know is that it's based on the Meego system that powered Nokia's last successful phone, the Nokia N9. Like most of the new systems coming in (FirefoxOS for example) there is no hope of it immediately catching up Android and iOS on apps. HTML5 is becoming the cross platform way to quickly get that range so that's what they always push.
Tizen is more than that; it's NTT DoCoMo's new main smartphone platform and since NTT DoCoMo is where much of mobile innovation starts that makes it important. As ever, the best analysis is the one from Tomi Ahonen. NTT DoCoMo was strongly into Symbian and pushing Tizen will be their revenge for it being killed.
Now, the statement "to get a useful proportional reduction in perceived trip time from relativistic effects we would need much better propulsion.." would be true. The problem is not, however, with the maximum rate of acceleration; we already do many G acceleration and 1G continuous might be a very good way to go. The problem is that we have no reasonable way of fuelling such a rocket.
You are right in your claim that the US is measured as the largest manufacturer. The thing is that the measurements are done wrongly. You buy a Chinese toy dog for $0.20; you add a little label at a cost of $0.03 with $0.07 of labour; you sell it for $2. You claim to have done $1.70 of manufacturing. The real truth is that the Chinese factory did $2 worth of manufacturing but doesn't yet have the contacts to realise that value.
NEGATIVE. You have no expectation of privacy in public.
Stop repeating this nonsense. Even in public, you have some privacy. Someone can't go around flipping up women's skirts, for instance; people expect that that won't happen. That's just one example.
Well said.
This "no expectation of privacy in public" is one of the most evil privacy memes going around. Traditionally people have had little expectation of privacy in private since they lived close together with their families and neighbours where everything could be overheard. They would go out into the country / forest and be alone and talk; have political gatherings etc. There was always a risk of spies but the "expectation" was "privacy".
Now, we all live closer together. The expectation of privacy becomes something only for the Rich. They can afford to live alone in large houses with walled gardens and private recreation facilities. You might have enough space to have your own house with your family. Most people end up with no possible place where they can expect privacy except in what the grandparent would call public.
Biggest irony: the US Supreme Court, an institution created by people who met "secretly" in "public" to plot the overthrow of their British rulers, would agree with the grandparent. That does not make it right. That just means that their enforcement of the US constitution is quite selective and that they should be seen by most Americans as a dubious or possibly criminal institution.
Might as well outsource the journalists as well and just collate tweets while we're at it..
I think you have misunderstood the situation completely. That has already been done. The plan now applies to all the Snookie Kardasian surprised coming out of the shower with Justin Beiber-Lopez stories. For those the use of a DSLR makes the whole thing look staged and will also breach the maximum resolution "privacy" agreements with the celebrities. That's why an iPhone is perfectly suited to this.
Doesn't anybody remember a few years back when the Chinese-chipped military helicopters were discovered to have backdoors?
No. Presumably you have a link to some facts?
I assume this was some cheap non-OEM replacement part. Not 'the helicopter'.
It's probably a link back to the famed chip with a hardware backdoor which turned out to be inserted by its US manufacturer. If there is another story then please post the link as AC requested.
Following this up, it turns out that the backdoor being linked to was actually inserted in the USA, not China. A link to any evidence of a Chinese inserted hardware backdoor is really needed to support any of these allegations.
Wasn't this found to be a hoax? Or not so much a backdoor, but your everyday common bug, that could lead to a hack?
http://blog.erratasec.com/2012/05/bogus-story-no-chinese-backdoor-in.html
Because the idea of disguising a back door as a bug has never come up before?
I just found the key quote:
Tizen can support Qt apps so the same ones that will work on Sailfish and Blackberry can easily work here. Also Tizen seems to be source code compatible with Bada which has been very successful in the newer mobile phone markets.
Anyway, to get relativistic effects, we would need much better propulsion than anything we have thought of so far. Science fiction for now.
So so informative seeming. So so wrong. Relativistic effects are clearly visible in the GPS system.