I don't see anyone else talking about it. Around January 2018 it came out that China had hacked the African Union headquarters which it had built as a gift to the AU. [1] More recently, reports have come out that implicate Huawei in that hack. [2] There is a law in China that says citizens and corporations are required to cooperate with its intelligence services. While there has been no strong evidence against Huawei released publicly, the logic is that China asked for a backdoor and that Huawei had to comply.
>Ms Cave said Huawei had been implicated in alleged cyber theft of data from the African Union’s Ethiopia headquarters. According to multiple reports this year, data was transferred every night from the building for five years. “There’s no proof that Huawei was asked to participate or turn a blind eye to the breach, but we know that there was a breach and Huawei was the key provider,’’ Ms Cave said.
Sure. And I don't think anyone is claiming any different.
And due to the five eyes agreement between US and commonwealth countries there is a lot of espionage data changing hands there. European telephone networks were compromised a long time ago to my understanding
But from a geopolitical ourside vs. their side standpoint Huawei from US point of view is on the wrong side of the fence.
A certain level of spying is always expected. Did Huawei actually breach some unacceptable level, or is this just a manifestation of the US vs. China tradewar, I don't know.
Typically this is done via FISA warrants aside from that period during the Bush admin. China doesn't guarantee due process and get request information on anyone for any reason including dissidence. Every government will spy on their citizens to some degree, but that doesn't make them equivalent.
Just because most requests are granted doesn't mean that the court is a rubber stamp. It's just the opposite.
Most criminal indictments are also end in the state's favor, but that doesn't mean the jury system is rigged, it means that prosecutors don't bring cases that they are likely to lose. Similarly, the FBI doesn't apply for a FISA warrant unless they are certain its well warranted and the court's decision will be easy.
Regardless of how strong the government's case is, we have a right to face our accuser. The existence of the FISA court, and all its decisions, are, if not illegal, morally bankrupt. I don't care how strong the government's case against me is, I want and am entitled to my day in court. No quantity of legal talmudicry by government lawyers can change this fact, and therefore can't change any right-thinking person's mind that FISA, or anything like it, has no place in a democratic society.
A warrant is a warrant. An expression of the governments investigative powers.
The police aren't required to inform you and give you a chance to argue your case in court for why thy shouldn't raid your house for the drugs they're pretty sure you have.
Cops don't need your written permission to point speed radar at your car.
With a "real" warrant, I will eventually find out that it's been issued, either because I'll be served with it, or because the evidence will show up in court and the prosecutor will have to explain how they got it. It's totally possible that literally all people on Earth are currently being surveilled under a single FISA warrant, with any prosecutions in real courts being disguised by "parallel construction". We don't, can't, and probably won't ever know if this is the case.
FISA warrants are rarely denied because the intelligence agencies submit drafts to the court who tell them what is needed to get approval. Hence they never submit a warrant application that they aren't already assured will be approved. Anything insufficient is withdrawn before judgment.
Convenient, and perhaps legitimate, but not provably so. Courts are supposed to be adversarial, that's why we have prosecution vs. defense or grand jury. Judges are meant to be impartial arbiters. In the FISA system, judges play a dual role as both arbiter and defense, which is a conflict of interest.
It'd be a real court if there were a sort of public defender, and the judges simply mediated between both sides. You could see it working in the warrants rejected.
It is provably so. Namely if this is a serious interest I suggest you write to the House or Senate Select Permanent Committee on Intelligence [1] [2] and request documentation of such.
In fact the court is adversarial, though not like you seem to be envisioning. There are many courts in the US, in fact most where no litigation happens because it's inappropriate for the task. So the idea that they are playing "both sides" is a non sequitur.
The role of the court is to ensure that requests are legal and there is sufficient evidence to pursue the task as requested. It's exactly the same as when a judge issues a warrant.
Regardless of that, I think the greater concern is what it means for the rest of the world (the non-citizens). There is no reason to expect any sort of friendly/just process from foreign entities.
FISA warrants don't apply to this situation at all: they only apply within the US.
And even within the US, FISA warrants are only applicable to data collected which is intended to be presented in court. The CIA and NSA have no mandate whatsoever to gather data suitable for presentation in court, and investigatory agencies such as the FBI/DEA/ATF, which do have such a mandate, have lots of ways to launder evidence. In practice, FISA warrants are often issued long after the data has already been collected, and the FISA warrant is only requested as a means of laundering the evidence via one of the exceptions to fruit of the poisonous tree (parallel construction, inevitable discovery, or the good faith exception).
As it applies to this situation, I don't see any reason to believe the US is any less likely to spy on anyone than China. If you don't have the means to produce needed technologies yourself, then I'd choose the US or Chinese manufacturers based on other factors, such as cost, or which nation has incentives to use the data they collect against you.
I think this should be fairly obvious, but if you’re extremely concerned about American intelligence and law enforcement having access to your data, you should avoid American services and products. If you’re concerned about Chinese intelligence and law enforcement, you should avoid Chinese products, etc.
Interestingly, I think this would often mean that Americans who are engaged in illicit activity would probably be better off using Chinese services and vice versa.
The alternative to Huawei for telecommunications equipment isn't a US corporation so framing it as the US vs China serves no purpose. I'll be happy if neither the US nor China made telecommunications equipment for countries.
I don't understand why people feel the need to defend Chinese mega corporations.
edit: I managed to offend a few people with this comment
I’m not sure why this was downvoted so heavily, because it has a point. The US is obviously not a trustworthy partner, but neither is China.
At least American companies still reside in a somewhat democracy where they’ll actually protect our rights, even if we’re European. Sure it’s not for noble goals, they want to make money, and they won’t if they don’t care for data security.
Google cloud is the prime example of this. The European public sector is spending billions on Clouds these years, and none of that is going to Google, because Google doesn’t protect your data the same way Microsoft does.
I can physically visit the Azure instances that house our data, and nothing but our data, and it never leaves the union.
Maybe the NSA still listens in, maybe China does too, but it’s not legal for them to do so the way it would be in the Alibaba or google clouds.
Google cloud is the prime example of this. The European public sector is spending billions on Clouds these years, and none of that is going to Google, because Google doesn’t protect your data the same way Microsoft does.
What does Microsoft do that other cloud providers like Google do not do? If I store my data in GCP region europe-west3 (Frankfurt) are you saying that Google will leak that data to some third party or send it out of that region?
Maybe the NSA still listens in, maybe China does too, but it’s not legal for them to do so the way it would be in the Alibaba or google clouds.
What is the legal difference between the NSA intercepting European GCP traffic and European Azure traffic?
Google wouldn’t guarantee data wouldn’t leave EU for the longest time, and still don’t on some services.
They were also extremely slow to adopt EU legislation required, and still haven’t for all services.
Microsoft by contrast did so immediately, with Amazon doing so as well shortly after.
Still, when I ask our DPO which cloud is better, he’ll point to Azure, then AWS and directly advice against using Google.
Which is a shame, because I’d actually like to use firebase and flutter to up our production effectiveness on mobile. As one example.
It’s also why we solely rely on OpenStreetMap instead of using google maps, even though supporting OSM with server infrastructure to do so is more expensive. At least these days, OSM is a great map service, but we also used it when it wasn’t.
Hi there! Thanks for the info. I'd like to use Google Cloud in the EU - do you have a recent reference for this? I googled but could only find more generic info about GDPR compliance etc.
Strange schizophrenia from Microsoft - having actually presumably secure cloud instances on site, and actively making their other products less secure by monitoring users of their core OS and Office suites even if users specifically want to prevent that, even the top enterprise editions. I understand those are different parts of the company managed by different persons, but at the end, top of the pyramid is the same.
Corporations are like people - they don't change. You can put on different mask every day, but underneath its the same flesh and bones (or decision makers in this case). I would be wary of the notion that Microsoft is somehow a good moral company in one specific area, when it is amoral in others.
I agree. However, I don't think you should first at how moral or amoral they seem, but rather try to evaluate how credible their offer is. If their secure products make money, hopefully this kind of product offer will prevail, or at least survive within the beast.
Though, morality is part of corporate culture, and I think different cultures can have different levels of toxicity. Cough Oracle cough. If the corporation is too affected, it may be foolish to even waste time evaluating their, on paper, decent and secure offer. If you have reason to believe they will find a way to throw you under the bus anyway later on.
> Corporations are like people - they don't change. You can put on different mask every day, but underneath its the same flesh and bones (or decision makers in this case).
Yes, Satya Nadella is the CEO of the company, but Azure and Windows are in completely separate organizations, with completely separate senior leadership. The goals of the two organizations are also vastly different, with one is focused on consumer products (Windows) while the other is focused on developer and enterpirse services (Azure). Because of this, the decisions made by one SLT is not at all indicative of another SLT's decisions.
I don't think it's defending chinese companies as much as it is highlighting that companies on both sides are susceptible to more or less the same type of government control.
I personally think it's something worth mentioning when it's the most common reason cited for avoiding a chinese company.
You think the types of governmental control are the same between US and China? It seems clear that at least a few US corporations successfully resist meddling attempts.
Yet we have photos and video of US “customs” intercepting Cisco shipments and loading backdoored firmware or tampering with the hardware. They boast about it.
If it came to a war, the US and China are both going to shut down whatever communications channels their “enemies” are using. This is just one of the reasons that US DoD is so interested in SpaceX’s StarLink.
> Yet we have photos and video of US “customs” intercepting Cisco shipments and loading backdoored firmware or tampering with the hardware. They boast about it.
Having your shipments intercepted en-route by spies is very different than directly cooperating with those spies. None of those interceptions required cooperation by Cisco.
Apple has also famously resisted government demands to develop a backdoor for its hardware. IIRC, all indications were that the government's demands would have been rejected by the court system had the case progressed far enough to provide a definitive answer.
Cisco complained! That does so much... a customer getting a backdoored router doesn't really care if Huawei consented to adding the backdoor or Cisco didn't, they still get a backdoor.
Huawei says, in public, that it's important to their reputation to be known to ship un-backdoored devices. Cisco says the exact same thing.
What we think happened: Cisco complained to the government ... Apple resisted government demands.
What really happened: Intelligence Community: "So, we'll demand you backdoor devices, we'll intercept a few and modify them, and then you'll public complain and resist, and then after the media frenzy has died down..."
You pretty much have no idea what's happening in China. These companies are not happy at all to cooperate believe me. Jack Ma has expressed this many times, as much as he could without getting in bad terms with his own government. These companies are playing around in order not to comply with the government (which is exactly what US companies are doing as well). Pressure from the public or from other countries should get these companies some leverage when negotiating with the gov.
Exactly. iCloud Master Key? Done, no VPN in App Store? Done. List of Banned Keyboards in App Store? Done. iMessages, I assume is still encrypted, but China don't give a damn about it as long as they can get it via iCloud.
Apple was publicly able to say no, but what happened in private?
In fact TLAs would want it to appear that they'd been rebuffed -- there's not much point in them having access to devices that no one will use because they know about that access.
Apple has a vested interest in being honest and transparent about this specifically because nobody would trust them if it was discovered that they'd been secretly cooperating with everything in private while denying it in public. A revelation like that would literally ruin them as a company, and that's generally not the end goal for most companies.
As someone in Europe, I don't think the Chinese government has much of a reach, or even interest, as far as myself goes. I don't like them, but they're more regionally oriented.
Whereas the U.S. government regularly meddles around the globe, no matter where you are.
I don't think they are regionally oriented. If recent attacks on European aerospace intellectual property have shown anything it's that the Chinese government is determined to undermine any foreign technology sector that surpasses its own.
IMO this "attack on intellectual property" is probably used to create their own world class technology. The USA attacked European IP centuries ago to build its own industry.
Probably South Korea and Japan and any other advanced country did the same in the past to learn and to advance ASAP. The world has become a better place because of it.
But compare attacks on IP with politically relevant incidents like these:
You seem to be advocating for the end of all European intellectual property rules. Do you think that European businesses should give up trying to protect their industrial secrets all? I'm guessing you'd say not but that's just a guess.
Maybe the world would be better off but unless that's reciprocated by those Chinese companies creating world class technology based on European work then it's just suicide for European industry.
If Chinese companies are able to steal industrial secrets that allow them to produce better cars cheaper than say VW or BMW that might be very good for the world but not so great for European jobs.
You might be fine with that but I, personally, am not.
You are right that I am against European intellectual property and intellectual property in general.
The industry should be open for or even leading modern lifestyle trends of rich modern free societies. In particular, I think these EU politics are insane and extremely costly and prohibitive and detrimental too a modern society:
Poverty is detrimental to everyone and everything except slave holders and wage slavery.
A rich neighbor is better than a poor neighbor.
Technology removes poverty.
EU manufacturing has been transferred to China because of competition by low wages. As China advances, the people in China will hopefully demand a better quality of life instead of engaging in competition by low wage and low quality of life.
I am European and I hope that Europe will benefit the world by proposing a good lifestyle for modern wealthy societies and related products. I doubt that IP and keeping the rest of the world poorer and less developed is economically and technically and morally the right approach.
Unlike most physical goods, information can benefit everyone at almost no additional cost.
The sooner China and any other country can advance science and world class technology, the better for everyone. Europe will then "steal" from them.
If Chinese companies can produce products like cars and solar panels that help to fight climate change and air pollution and destruction of the environment for fossil fuel then they deserve their profits even more while VW and BMW do not.
> The employee, Roy Jones, 49, who was let go by the hotel giant, has revealed to the Wall Street Journal handled social media accounts from his desk at a customer engagement center in Omaha, Nebraska.
> According to WSJ, Jones says he had no idea that he would lose his $14 per hour job after "liking a tweet".
> > Friends of Tibet congratulate global hotel chain #Marriott International for listing #Tibet as a country along with #HongKong and #Taiwan. pic.twitter.com/SXKWb20v3e— Friends of Tibet (@friendsoftibet) January 9, 2018
> Jones told the WSJ he wasn’t aware of any instructions on dealing with China. He also said he didn’t fully understand what the issue was about.
> “This job was all I had,” Jones also said. “I’m at the age now where I don’t have many opportunities.”
It's not the Iraq war, but it's also not something you would want to happen to you. Currently Marriott employees are on strike... because of wages, nobody gives a shit about that guy. He's just gone, maybe he has another job now, maybe not, who cares.
And for what, again? For liking a tweet, which China doesn't like because they're occupying Tibet so brutally for so long now and think that gives them the right.
Though that employee had no clue what it was about, it boils down to that they want to force you to look the other way. Oh, you can know that other people are being tortured and killed, but you can't speak out, at all. So either you stay ignorant of what you can't help, or you have this on your mind.
But this not just another thing in life, like being disallowed entry into one country of hundreds. A person who is denied the right to speak out against the brutalization of others, is being brutalized themselves every second of their life from here on out. The fact it's in a way we don't recognize and internalize instead, make part of ourselves, makes it so much worse to me. I can't accept that others accept it, their acceptance is futile. They can have the world, they cannot have me.
> Mercedes, which is owned by Daimler, (DDAIF) ran afoul of China's stance when it paired a quote attributed to the Dalai Lama with a photo of one of its luxury sedans on Instagram -- a social media platform that is banned in China.
> "Look at situations from all angles, and you will become more open," the quote read.
> The ad was posted on Monday and garnered nearly 90,000 likes before Mercedes deleted it the following day, according to a screenshot posted by Chinese state media.
> The Global Times, a state-run newspaper that often strikes a nationalistic tone, criticized Mercedes, saying the company was quick to respond to the incident but shouldn't make such mistakes in the first place.
> Mercedes issued a statement in Chinese about the incident on Weibo, China's equivalent of Twitter (TWTR), offering a "sincere apology" three separate times.
They posted a "quote commonly attributed to the Daila Llama", without mentioning the name Dalai Llama, on their instagram, which isn't even accessible in China. And then they apologized three times after deleting it.
Don't just ask what X or Y are currently doing, ask what X and Y are. These two examples aren't the only ones, and I bet you, everything else staying as it is, they won't be the last. If you give totalitarianism the little finger, it cannot help but want the hand, just like a scorpion must sting.
> If the totalitarian conqueror conducts himself everywhere as though he were at home, by the same token he must treat his own population as though he were a foreign conqueror.
-- Hannah Arendt
That's why the Iraq war "predicted Snowden and killbots", if you just squint right.
I think the opposite is also true, if you want to control your people completely, you need to control more than "your" people. That both elements in China and elements in the US (and countries in the EU and many others, let's say all countries for the sake of simplicity) want that is of no help to, uhh, decent folk anywhere. They don't benefit from being used as cannon fodder against this other battleship that uses "its" people as cannon fodder. All oppressive regimes can make an agreement before you can say "oh shit", and then focus on subduing their own populations with the means they built while having other nations as an excuse.
So the fact that "we" or "others" are "doing it too" should make the alarm bells louder, not more quiet.
> Hitler can say that the Jews started the war, and if he survives that will become official history. He can’t say that two and two are five, because for the purposes of, say, ballistics they have to make four. But if the sort of world that I am afraid of arrives, a world of two or three great superstates which are unable to conquer one another, two and two could become five if the fuhrer wished it. That, so far as I can see, is the direction in which we are actually moving, though, of course, the process is reversible.
Every time China is critized, the US is brought up. Maybe just to "highlight" something, but here it takes up several pages before any actual discussion of the story. Every time the US is critized, China isn't brought up. Wouldn't that make great sense, too? "Snowden says the NSA X" "yeah, but China does Y!". I don't think I've seen that once, whereas "but the US!" is a constant companion.
I agree that responsibility matters. Like, I have opinions on things going on in the US or China, but I'm much more responsible for things my government does, or what companies I support with money do.
And in this case, it's even fair to point out the hipocrisy of the US asking allies to drop Huawei for reasons smart allies should also drop US produced things for. But then again, we know all that, and we actually do have threads about that stuff as well, so why not also have one about Huawei.
> as it is highlighting that companies on both sides are susceptible to more or less the same type of government control.
Except they aren't. Just the fact that you mention "both" sides shows your ignorance. The alternative to Huawei, as I have mentioned, is not an American corporation it is a European one (Ericsson or Nokia). This isn't a case of the American government forcing allies to abandon Huawei so an American corporation can profit.
It is my understanding that Nokia _acquired_ Alcatel-Lucent, and the only significant part of that conglomerate still in the US is Bell Labs (which are also now owned by Nokia.)
Alcatel is French-owned, you can buy their equipment.
P.S. using non-U.S. and non-Chinese equipment won't protect you from a hack. Both countries are known to have successful vulnerability exploitation programs.
Very good then, if we do this as Europe I say we do the same for any American company. There is _video_ proof of the NSA doing exactly the same thing they now accuse the Chinese of.
Look there is absolutely no debate that the US post-WW2 has been a force for good _in Europe_. They helped us rebuild, overcome communism and reunite under EU flag. Every single European owes a lot to the effort Americans put in to support us. And yes, I know they also did that because it helps them but you can't deny they've basically kickstarted every country that is now in the OECD. That generation of Americans will go down in history as some of the most influential humans ever. On par with Napoleon spreading the metric system and trade, the UK spreading the industrial revolution etc...
But they are also, really, unpredictable lately. George W. Bush was reelected after(!) starting 2 wars. Donald Trump is...well... unpredictable. And I have yet to see him be ousted in 2020. Let alone what the next Donald Trump looks like.
Imagine if someone came along with the same ideas who actually knows how to get stuff done in Washington.
It's just better to be self-sufficient in anything relating to critical infrastructure. As the Americans themselves say: hope for the best, prepare for the worst.
Ok - there's owes money, and there's owes gratitude.
I owe gratitude for the American soldiers who fought the Nazis - because if they hadn't done that I would live in a very different world. Probably I would not exist. So I am grateful to those people.
There's also the fact that historically those evil Chinese were those that had been attack (from colonial UK and co, then from the axis powers, etc.) and not the ones doing the attack -- whereas at least one European country (Germany) had been under US attack, and many had internal meddling (Gladio, dictatorships, corporate espionage, diplomatic meddling, etc to this day).
First, those are their neighbors with which they have territorial disputes, like every other country (as borders where not there when the Earth was created, nor where they god given). Not some colonial grab, just out of pure greed, thousands of miles away, and with no prior provocation or history between the two countries.
Second, Mongols invaded and dominated China. You got your facts reversed. Ever heard of this guy, Genghis Khan?
Third, if we considered the same for the EU/US for example, we'd add the genocide of native americans, the abduction and slavery of 20+ million blacks for 4 centuries in the US South, colonial grabs and wars all over the planet (at some point 2/3rds of Earth were slaves under European colonial powers, not the inverse), tons of wars, the land grab of Mexico (California, Texas, etc), Hawaii, Phillipines, and Puerto Rico, the genocide of indigenous people of the Americas [1], and so on and so forth, plus 2 world wars, the genocide of the Jews, and the only atomic bombs to even fall (and on civillians).
Sure, most countries have done a lot of bad shit in the past. Using that to convince someone of something is pointless. Since I am as foreign as an actual alien to China, I'll stand by my own country and the West if push come to shove, it's just the way it is...
Corporations are, but their employees and officers aren’t. For example, the US government could compel Lavabit (the company) to hand over signing keys; but they couldn’t compel the employees/founders of Lavabit to keep working there, nor charge them with anything for quitting. It’s not illegal to choose to dissolve a company in protest of a US government directive.
> Corporations are, but their employees and officers aren’t
Employees and officers of US corporations are not immune to government orders. Particularly, NSLs directed at information held by corporations can be, and often are, addresses to particular officers as orders to that officer, who is often ordered to deliver the requested material in person to the relevant government office.
> For example, the US government could compel Lavabit (the company) to hand over signing keys; but they couldn’t compel the employees/founders of Lavabit to keep working there,
No, but that doesn't protect them individually from government orders to provide information, the authority for which applies to any person, not just corporations (corporations are covered because they are juridical persons.)
> It’s not illegal to choose to dissolve a company in protest of a US government directive.
It actually is illegal to do anything (other than filing a sealed challenge in court to the non-disclosure provision) in protest of an NSL with a non-disclosure provision, since such a protest itself violates the non-disclosure provision.
And, yes, even aside from that, it would probsbly also be illegal to voluntarily surrender access to info you have been ordered to provide to the government rather than providing that info as ordered.
There might be a few American companies that may do it but not out of fear, and I suspect many companies and individuals would resist, oppose, leak, resign if this was the case in America as you often hear in the news. There are courts, public opinion, journalists that you could involve in the US. Ever hear of pushback in China from anyone?
Joseph Nacchio, former CEO of Qwest (now owned by CenturyLink), refused to surveil his customers at the NSA's request. Shortly thereafter, the NSA dropped a major contract with Qwest that they had been relying on to meet earnings targets. A few years later, he was chargrd with insider trading on the grounds that he made statements about earnings that were unachievable while selling his own shares. He attempted to claim in court that the charges were retaliation, but his evidence was removed for national security reasons.
His case was covered in the news, and he still went to federal prison for four years. And every other US telecom CEO knows it.
Another narrative, to my mind equally plausible, is that Nacchio was essentially a crook who got caught up in a wave of corporate crime enforcement in the wake of the Enron scandal for making somewhere between 32MM (Nacchio's experts' take) and 100MM (the USG's take) selling stock he knew, sometimes within days, would be worth a fraction of what he was selling it for.
But die by the sword, perhaps live by the sword: the NSA scandal provides Nacchio's best tool for rehabilitating his image.
I think a read of the case on PACER sort of bears out that narrative. You can just skip to the competing sentencing memoranda (note what Nacchio stipulates to) to get the particulars of what he's charged with, and get a sense for how sweeping the behavior was and how likely it was to have been tied specifically to NSA.
I don't like NSA any more than you do, but I think I like corporate crooks even less.
It sounds like you haven't seen the documentaries Silenced (2014), about persecuted US government whistleblowers (i.e. people who were actually in government agencies), or War on Whistleblowers: Free Press and the National Security State (2013).
Sure. But I was horrified how little difference it makes to the people in those documentaries. Their lives are ruined for being patriotic, intelligent, and truthful, for not being corrupt. And there's nothing they can do about it.
Doesn't the Snowden phenomenon kind of make his point? His leaks spawned a shitstorm of US/Western media coverage and even court cases against the government. What happens inside China if a Chinese national flees the country and blows the whistle? Basically no challenge to the government, media blackout, maybe his friends get sent to re-education camps, etc.
You forget to mention that both China and the African Union denied the hack, and that the report came from "anonymous sources". Not saying that it didn't happen, but it's far from confirmed, just like the Bloomberg report.
To balance it out, what motivations might the AU have to lie about a hack, in the case where it did happen? If the Chinese gifted them the embassy then they have to be quite close, maybe the AU leaders are conscious of the Chinese influence and seek to maintain it.
Isn't that standard protocol, don't admit when the other spies win. Confirmed leaked data is worth more than dubious leaked data. Pride comes in to play too.
At this point it seems most likely to me that the Bloomberg story was planted by the US government to sow FUD in a rival superpower. If this one Chinese motherboard had a tiny, quasi-magical chip (certainly technically possible but quite overkill as an engineering solution to achieve the alleged goal), can you trust any hardware purchase from China?
"There is a law in China that says citizens and corporations are required to cooperate with its intelligence services."
The US and its intelligence services have been doing the same with US tech companies. " The US National Security Agency (NSA) infected hard disk firmware with spyware in a campaign valued as highly as Stuxnet that dates back at least 14 years and possibly up to two decades – all according to an analysis by Kaspersky Labs.The campaign infected possibly tens of thousands of Windows computers in telecommunications providers, governments, militaries, utilities, and mass media organisations among others in more than 30 countries. https://www.theregister.co.uk/2015/02/17/kaspersky_labs_equa...
I don't see any evidence that the companies cooperated with this. The process of interdiction, described in the Snowden leaks, sounds more probable. It seems like a small distinction, but it makes a huge difference to the people who work at these companies who would never agree to this practice.
The outcome, of course, is the same. It is rich that the U.S. is asking other countries not to use Huawei equipment, when the Snowden leaks indicate the U.S. government was using interdiction to hack other countries' governments.
That was malware that infected a target product in the customer environment. No government coercion or backdoors. Kaspersky’s own report documents this thoroughly. Not even close to the same.
I think there's a lot of unfair finger-pointing at Huawei. China's hacking program is very prolific and has some impressive achievements. There's no reason why the Chinese government couldn't have found vulnerabilities in Huawei equipment and conducted a campaign that way, especially since that equipment is internet-connected at all times.
This implies that US can't reach the data from Huawei.
So it seems that Huawei is the safest option for any US and European citizen.
I'd rather have my data safe with the Chinese government, a country that is on the other side of the globe and has practically zero influence on my life, that sharing it with the US or my own governments, which are there, and can make my life hell for any or no reason at all, and have the means to actually hurt me.
And yes, if I can't avoid it, I'd much rather share my internet search history with an unknown entity on the other side of the world, than with my own wife.
Doesn't matter (much). High capability attackers can, and do, place agents within major infrastructure companies to figure out stuff like this. If there is a backdoor, it is virtually guaranteed to be compromised by more than one actor eventually, and they're likely to share the data (if not the access) with their intelligence allies.
Sometimes, companies willingly provide the access (e.g. NSA closet at AT&T), other times, it is more sneakily obtained. But, a system with a backdoor is much more likely to be compromised than a system without one.
Edit: I should be clear that any closed source infrastructure is potentially subject to the problem of infiltration. But, a company intentionally putting a hole in the system makes the job even easier. The opportunities for an infiltrator to poke a secret hole into the system are much smaller than the opportunities for obtaining the key to an already existent hole. A hole that is protected from discovery by the company itself is much less likely to be detected by other teams, etc. I mean, to really make a secret hole, you need things like process and network activity statuses to ignore you, logging to not see you, you can't show up in an obvious way on the filesystem, etc. You probably have to have cooperation across at least a few subsystems. It's much easier to exploit an already exploited system, is what I'm trying to say, because you don't actually have to exploit the system, anymore, just the people/organization who builds the system and people are easier to crack than encryption keys.
Reminds me of a joke where a sysadmin recommends installing several firewalls from different countries; Huawei to keep out the Americans, Cisco to keep out the Chinese, and something else.
Western countries are very much influenced by China.
>sharing it with the US or my own governments, which are there, and can make my life hell for any or no reason at all, and have the means to actually hurt me.
Given all of your personal private data, anyone around the world with a computer has the means to actually hurt you.
That would appear the best option assuming none of your data has business or monetary value, as their intelligence service is tasked with sharing any trade secrets with relevant state business partners.
This is strictly forbidden in US intelligence policy.
Your logic is smart, but flawed. The best defense is openness when you lack the control to air gap, in which case you should expose your data to the two highest bidders.
> I'd rather have my data safe with the Chinese government, a country that is on the other side of the globe and has practically zero influence on my life, that sharing it with the US or my own governments, which are there, and can make my life hell for any or no reason at all, and have the means to actually hurt me.
That's an interesting take, but you are assuming china's influence won't keep growing.
Or more worrisome, what if china, EU, Russia and the US decide to share data in the future.
The only way to be "safe and free" is legislation curbing intelligence agencies snooping on people. Unfortunately, these intelligence agencies appear to be operating above or beyond the law.
> Some other members of the “Five Eyes,” a five-member intelligence pact among English-speaking countries that includes the U.S., have also publicly challenged Huawei.
Regardless of the content of the article, I found this quote hilarious: one surveillance agency accusing another group of spying.
I remain to be convinced that Apple or Samsung are any more trustworthy than Huawei. It's all made in China. While these manufacturers may not be sneaking backdoors into devices, since this might be caught, they likely are being compelled to disclose designs to be analyzed for weaknesses. It doesn't really matter if some of the design work is done in California.
I wouldn't have substantially higher trust in something made in the U.S. or other "five eyes" countries either. These governments do not respect the privacy of their citizens, as evidenced by the NSA's recent breaches. Some countries do slightly better than others (e.g. Canada probably isn't as bad as the U.S. yet). However, on the whole, privacy rights seem to be on the decline in these countries. Treaties and cooperation between the security agencies of these countries drag everyone down to the lowest common denominator.
Pardon my ignorance here. Putting the US or other five eyes countries on the same plane as China is a false equivalency. People can at least take it to streets and demand facts, which is not possible when we are talking about China. Hypothetically, if Apple and Samsung made their phones in the US or other five eyes countries we can assume some level of oversight on their practices , which is not quite possible in China.
> People can at least take it to streets and demand facts, which is not possible when we are talking about China.
I agree the US is better about permitting public protest. But if the directors of these US agencies can lie to Congress[0] without consequence then does it really matter?
They wouldn't be allowed to lie to Congress if Congress didn't allow them to lie, and Congress wouldn't allow them to lie if the American people expressed a clear desire for their elected government to reign the appointed organs back in. That's what the protests are for.
There is a lot of institutional momentum in the US to keep doing bad things, including a crushing blanket of a media that cares a lot more about pop culture than anything else. But it is nice to not fear much for writing this.
What would you consider expressing a clear desire to look like? The two examples that come to mind for me, the TEA party and Occupy Wall Street, both got shut down with extreme prejudice and enthusiastic support from half the electorate.
Occupy and the Tea party weren't issues, they were groups. Groups are subject to many dangers, internally and externally, that have little to do with their goals. "Put our representatives back in charge," could be carried to Washington by anybody from a billionaire to Bernie Sanders.
Congress could investigate, or keep talking about it, or push for something to be done to negatively impact the parties that did it, or anything really. Even the slightest deviation from the present course of "don't say out loud that it happened and hope everyone forgets," would be a welcome show of some backbone.
>And how will that be different from trial by media?
Look at history to see the many things Congress can do when someone tries to pull something on them. They have options, they just aren't taking any.
Mostly we know about it because of now jailed or internationally-wanted 'traitors' or 'enemies of state'; the journalists who agreed to publish the initial stories are few and far between.
When they say "Huawei kit is backdoored by the PRC" the implicit message is "but probably not us."
For some audiences, there's definitely a case to be made for "well, every officer in the PRC government from a truancy-officer on up can read your email, but the FBI (or any local LEO who can construct some flimsy National Security premise t them) can't."
What's hilarious about that? It's obvious and natural that countries would seek to protect themselves from being spied upon, while at the same time attempt to spy on others. Do you expect the US to say "we are spying on some other countries so we are totally ok with others spying on us"?
At a guess, the hilarity comes from the 'challenge' part. It makes it sound like Huawei is being challenged to do something different - which is pretty laughable by any standard the US intelligence agencies apply to themselves.
It is a bit like an Olympic athlete losing a race and seriously complaining that the competition trained too hard and challenging them to 'live a little more' (imagining that scene with a slightly miffed but condescending athlete cracks me up) - I mean, theoretically maybe, but the attitude that the competition should just give up is pretty funny.
The "challenge" to Huawei are legal steps those countries are taking to block Huawei from spying on them, not some argument about the universal morality of espionage. Interpreting this as hypocricity is a result of a conceptual confusion: countries exists to defend their interests, not to enforce a level playing field. Of course it is in the interest of the US to be allowed to do things that others countries aren't allowed to do. For example: the US wants to have nuclear weapons while preventing potential enemies from getting nuclear weapons. Does this seem equally "hilarious" to you?
> For example: the US wants to have nuclear weapons while preventing potential enemies from getting nuclear weapons. Does this seem equally "hilarious" to you?
I find it far more hilarious that you think the US, or any other country, should strive for a balanced playing field between it and its enemies, or that the world would actually be a better place because of that.
I guess if you're just an everyman or everywoman -- one with no info relating to national security on your device -- it could be better to own Huawei to avoid abuses of authorities inside the US[1]?
Particularly if you are a woman, minority, journalist, or business-owner, as [1] highlights, you may be safer from such abuses.
The US government, with its own hacking of other countries as revealed by Snowden, its strategic rivalry with China, and its history of false intelligence such as WMD in Iraq, isn’t a trustworthy source to evaluate Huawei’s security.
Huawei has completely opened its source code and hardware to several governments, including UK, Canada and Germany, for security testing. Their findings are much more informative and objective.
Best security doesn’t come from paranoia of certain countries. It comes from evidence based and rigorous testing and research.
> Huawei has completely opened its source code and hardware to several governments, including UK, Canada and Germany, for security testing. Their findings are much more informative and objective.
What does this even mean? If I give a batch of governments some of my super secret text files and pinky promise that's what's in the hardware I'm giving them, they should believe me?
The US can be trusted to advance its own interests. So can China. Everyone else had best evaluate their threat vectors and find out where their interests conflict with bigger and stronger interests.
Your comment history might have predicted that you'd comment on this topic. You don't have many other interests.
To add to this, what is described is called Shared Source, not Open Source or Libre Software. Microsoft does shared source with numerous governments and universities, but your placing complete trust in the vendor that the code they show you is what is in their distributed binaries, esp. with how many compilers output different binaries when recompiled with the same code.
The only way to even start considering any of the current telecom vendors (including Huawei, NSN, etc) as not malicious is to have them offer their code under a libre license that bars tivoization, otherwise there is no guarantee that you can load the firmware they gave you the source to onto the LTE base stations sold your company.
The testing centers have more sophisticated methods to address your concern. They procure Huawei equipment from various vendors and check if they have the same hardware and software. In fact, the recent report from UK did find minor shortcomings related to binary mismatch in huawei products.
My point is not testing centers can provide 100% guarantee; such guarantee does not exist in the security field. However, shared hardware and rigorous testing provide far better security than blind trust and paranoia.
Also, what's wrong with being interested in sino-US technological relationship?
I'd be interested in further details about the testing. If any manufacturer actively wants to backdoor their hardware I'm skeptical that anything but an extremely expensive teardown of an infected device would find it.
It is simply incorrect to imply that reading vendor provided source can usefully decrease the possibility of a targeted attack. Comparing (hardware provided?) software checksums is not a real improvement. Juxtaposed with your "interest" in the topic, such an argument naturally arouses suspicion (sorry).
There is obviously nothing "wrong" with being interested in this fascinating clash of powerful interests, the amount of interest each discussion gets shows you are not alone.
So I'm not just hammering at what you've said, I'll make my own statement: There's absolutely nothing you can do to defend against a motivated attacker providing you with complex computer hardware (let's say anything that has software/firmware). Corollary: It's a fool's game to use hardware from those whose interests conflict with your own.
China and the US have a massive conflict of their interests. Each should not use hardware provided by the other. The risk for each is real and unavoidable.
Hardware testing is much more than firmware checksum comparison. Once you have the blueprint, you can physically compare it against samples using various methods such as x-ray, acoustic and electric profiling to detect any differences. Furthermore, hardware is generally retained for a long time and can be checked with future anti-tampering technologies.
These measures does not offer perfect security. It simply makes the cost of hacking and chance of being caught very high, even for state actors. We could achieve fairly strong security at an affordable cost for most civilian uses. At least, tested Huawei hardware may be a good alternative to untested hardware from another vendor (which is probably manufactured in China too) at an inflated price.
Of course, if you are still concerned, why not take a course on microprocessor and build your own CPU? ;)
It looks like you're moving the verification goalposts away from what is actually running on the hardware and simultaneously walking this back from government to civilian uses. These are completely different discussions (though I might add that governments rely heavily on the private sector, so some pressure there is expected).
Another completely different line of discussion is whether I personally am concerned at all (I'm not), and what I should do about it (nothing, but governments certainly should build their own CPU).
> We could achieve fairly strong security at an affordable cost
No. We cannot achieve strong security in a device that comes with software. You also cannot (at the time of this writing) prove that the actual hardware you personally are running is trustworthy without spending enough that the "affordable cost" becomes a moot point.
A wide swath of civilian uses can probably come out on top of the cost/benefit analysis just because their interests don't get in the way of governmental conflicts (or they can make enough money in the meantime). It's only from the perspective of a government that this conversation makes any sense at all.
There are many academiclly verified attack vectors that can not be verified to exist with any known external test even if one had the layout of the billions of transistors. Bit flips through sequential activation of memory addresses for example.
Large international dealings are never about 'truth' - they are about the balance of a web of geopolitical issues.
Also, this is not paranoia, it's a geostrategic fight based on the reality that a) China and US/West are doing a lot to actively spy on one another b) they're in a trade war.
Also China does not have an open market for US/Western products and I don't see any reason why the same rules applied by China to the West should not apply to Chinese companies coming to the West. That would be closer to 'fair free trade'.
But yes - if the hardware and software are both open for inspection - that is a kind of 'truth' as you say.
and companies should then be able to decide for themselves.
Question: is it true though that both hardware and software are in fact fully open? How do they maintain their IP in this case?
Uh, hardware being open means nothing. Your supplier can swap your standard chip for a spy chip and open hardware will not be able to help you catch that.
This isn't really about spying. The reality is that Huawei's equipment is the best in the world for the money. It's not even close. Given a free market (remember that?) there's really no doubt that Huawei will go on to completely dominate this market over the next decade. It's already the largest telecom equipment maker in the world [1] and its size only makes its products and architects more and more competitive with each day. It's a virtuous cycle at work that nobody can deny anymore. The numbers don't lie: what you have here is a technologically sophisticated market where the West cannot compete with China at all. This is supposed to be impossible!
Now there is a legitimate national security concern about having the world's telecom equipment manufactured by a single company. But there's only so much can do under existing trade treaties. It's also really not a good look for the US and the West to be seen actively trying to disrupt the free market at work. And so we get this concocted story about spying. It's concocted because nobody, despite spending millions and millions of dollars investigating Huawei and studying its boxes, has ever shown the company participating in anything like espionage. Most people can see through this blatant protectionist hypocrisy [2]. Ironically all the security research on Huawei has only served to make their products much more secure than the competition.
Huawei is a state-backed organization working from a closed, controlled economy where not even information, let alone products, services and capital flow freely.
So if the cost of having to inspect every single piece of Huawei gear, plus check and load the software still keeps them 'competitive' then it might be worth it to outsiders, but probably not.
Given that it's commodity gear, perhaps someone will come along, say from Taiwan ... and produce the same thing at competitive costs, wherein security is not a factor and then, yes, that entity would be poised to dominate on price.
Huawei does have disincentive not to respond to the demands of Chinese governments because its hardware is opened and checked by other governments. Installing a backdoor has a good chance to be caught.
You probably underestimate the mindset difference between the American's skepticism toward the government (as this thread shows) and how the Chinese tend to see their government as a parental role. When a U.S company refuses to be complicit in unjustified spying, you would see the public opinions inclined to praise the brave and blame on the government.
On the other hand, it is much tougher for a Chinese company to be disobedient to the authority, especially when it comes to kinds of stuff like national security. The best case is you are not regarded as a betrayal and getting boycotting aggressively by the patriotic zealots who are coincidentally the political correctness most of the time.
Let alone the Chinese government has much more 'versatile' means to make you suffer without being accountable by the public opinion/opposition parties/media.
I had understood that the current US administration's point of view was that the US had no allies, but only leeches hell bent on ripping off the US? So, I'm wondering which allies they're talking to.
A key difference between Huawei and other Chinese companies like Xiaomi or Alibaba is that they have an opaque shareholding structure with no public investors which makes it hard to know if it is free from the influence of the Chinese government.
To be fair, you can say any company operating in a specific country works under the influence of that government. Many US companies run or ran warrant canaries for this specific reason.
Most of the big US companies embed US laws into their practices abroad too.
For example, making and distributing pornography with children is legal in about 20% of the world, yet no US-based international social media sites allow it, even the ones with an 'adult' focus.
We can't expect companies in other countries not to embed their host countries laws and customs into their products either.
Of all the laws you had to pick the ones about child porn to make your point?
I think you'll have a better time making the argument by talking about how US-based social media sites treat female nipples as pornographic. That said, your argument breaks down because unlike e.g. cloud providers, social media sites generally have no incentive to have isolated regional data centers that would allow hosting content that would be illegal to host in the US (as the way I understand the laws, mere possession of child porn is already illegal even without intent to distribute).
There are good reasons for child porn to be illegal even without taking US laws into account (e.g. that it usually depicts child abuse, that it's by definition non-consensual and that it violates the victim's right to their own image and their right to privacy).
Arguments exist why certain things should or shouldn't be considered child porn (e.g. fictional drawings/renderings) or how those laws should be enforced. Also some jurisdictions may not have specific laws against child porn but consider it illegal because of other, more general laws (see above).
A quick google search[1] suggests that most of the countries that don't consider child porn illegal likely also consider many things legal others would rightfully (i.e. there's plenty of evidence to back this view up) consider child abuse (e.g. FGM, child marriage, child labor, etc). So even without US laws I bet most companies would prefer taking the ethical stance of not permitting every "legal activity" for users in those countries.
I deliberately chose a law most people strongly agree with to make the 2nd half of my argument stronger - if you can't expect our companies to change their policies to be inclusive of things acceptable in other countries, you shouldn't expect companies from other countries to do the same in the other direction (eg. offering strong privacy, which is also illegal in many places).
"Hundreds of Chinese companies have revised their corporate charters to allow a deeper management role for the Communist Party, a sign the ruling party is tightening its control over the private sector."
.
"Changes include acknowledging a central role for the party and establishing internal party committees to be consulted on important decisions. Some stipulate that corporate chiefs also serve as the heads of in-house party organs. Despite the Communist Party's dominance over the Chinese state, it is unusual for publicly listed businesses to explicitly give the party a role in decision-making, much less write it into their charters."
https://asia.nikkei.com/Politics/More-companies-are-writing-...
> you can say any company operating in a specific country works under the influence of that government
This collapses the continuum of the rule of law into a false binary. Americans and foreigners alike can successfully challenge the U.S. government in independent courts. None of those elements exist in China.
How is the FISA court independent? The US government can strong-arm corporate partners to do virtually anything they want, and can not only threaten jail if you ever talk about it, they cloak the whole thing -- even for the most banal thing -- as classified so it's impossible to contest.
This seems like pretending there is nuance that there simply isn't. The system is a charade around the reality that US intelligence has virtually identical inroads to US corporations.
Sure, the FISC isn't amazing from a rule-of-law and transparency point of view. But it's still a court made up of judges whose day jobs are serving in the regular courts, and if you compare the amount of public literature, legal analysis and news reporting on the operation of FISA and the US natsec apparatus in general to China...
While FISA courts are technically under the judicial branch, I agree they’re an affront to the rule of law. Most cases don’t go through the FISA courts, however. In China, everything goes through the equivalent of a FISA court. (Arguable worse, since China’s courts report to the party.)
Of course there is nuance, many times the Chinese government owns parts of these companies, they have zero choice. In the US corporations have much more power to resist the government. At the very least corporations can lobby Congress to get beneficial reform passed, in China it is all entirely opaque.
You do know CCP cronies and sons of party high officials hold stock in Alibaba right?
Basically if you are a big enough company in China, you aren't gonna get away from this, either by introducing red capital yourself, or the red capital is gonna force their way in when you want to go public(you need to apply for it in China and the quota is very limited).
The most interesting thing going on in that respect with Chinese companies such as Alibaba, is that the government is forcing public companies to accept board members from the government. They've also taken nominal stakes in the companies as cover. [1][2][3]
There was endless speculation [4][5] that Jack Ma was forced out of power at Alibaba, by the government over concerns about the tech giants becoming too central to the Chinese economy and communications. Jack Ma was probably the most powerful person in China next to Xi.
Maybe I didn't frame it the right way, but there's an inherent difference between simply hold stock, and let red capital profit exponentially in exchange for political risk minimization and shadow clout.
When will people learn - 'secure the connections, not the network'. You don't trust the internet, and you shouldn't trust your internal network either.
Every connection between devices should be encrypted as if it's going over the internet. That's the basis of BeyondCorp, and many companies are going that way.
It's far more sensible to secure just two endpoints than it is to also secure all the wireless links, routers, and cables between them.
Now, when the adversary gets control of your routers, it doesn't matter - they can't steal anything of value. The worst they can do is cause a brief outage, for which they'll be immediately detected.
Sure, that’s a great idea. But your transport security is going to show vulnerability sooner or later (see: regular issues in TLS), and it’s worth having a slightly less compromised network fabric.
But they can slow down the traffic or disconnect it completely. If an entire countries 5G infrastructure is built by a single company that can push updates to the infrastructure, then it can completely disable it.
Yeah, ASD haven't got the best relationship with Huawei. For years they've been in the PM's ear about keeping clear of them for NBN infrastructure.
To be honest, no manufacturer can be truly trusted, but given the vastly different political and social ideologies between China and the West it seems reasonable that they're picking their poison.
I would've expected better from the current NZ government but this response really illustrates just how utterly compromised the country is when it comes to China. There was a similar muted response a few months ago to Chinese CCTV cameras which had been installed inside government ministries.
Little known fact: The stock video app in EMUI 8 running found in stock P20 Pros from authorized dealers in Singapore regularly make requests to Facebook over over IPv4 and IPv6 even though it only supports local video content. t.me/paranoic for proofs.
To be fair, Google regularly tries to grab GPS data using its 1e100.net domain (see above # for additional proofs). The only way I've found to block this kind of intrusion is NetGuard in "lockdown" mode.
I haven't seen much about the 'hacks' taking place. Are investigators seeing actual backdoors? Or just poor code being exploited in the wild? If it's the latter then the US could be accused of the same with Cisco in the early 2000's as exposed by FX.
Full disclosure: I am a Huawei employee, take everthing I say with an appropriate amount of salt.
It would be suicidal for Huawei to ship any eqipment to Western carriers with actual backdoors. European governments usually require through audit of the code that runs their networks and vendors are required to have reproducable builds for the same. The UK government for instance has the Huawei Cyber Security Evaluation Centre[1] responsible for vetting the Huawei equipment that gets used by British carriers. Like TFA says, "The U.K. government said in July it found shortcomings in the process." They did't find any backdoors or any actual vunerebilities but did report "variable engineering quality". Like any large and complex codebase produced by thousands of engineers, parts of the code may be downright ugly but that does not make it malicious.
Anyways, the CSEC report did have its intended effect and now significant resources are being expended to refactor legacy code. Nothing motivates management like a possible loss of revenue from bad PR ;)
Then again the NSA hacked into Huawei HQ[2] so they might know something that others don't. Speaking of which, how is the search for WMDs in Iraq coming along?
I agree on the variable engineering quality; something endemic to any company with more than 1 engineer. It would also be important to consider a well placed bribe or spy could maliciously change code at multiple points in the process.
Largely the allegations against Huawei could be leveled against any company, thus it feels like a competitor has hired enough lobbyist firms in DC to create the FUD necessary to sanction specifically Huawei.
This is not the first time. Huawei was banned from supplying for India's National Broadband Network in 2012, and has again been banned from supplying for India's 5G revamp.
Not all employees would be in on the espionage attempts either. It'd have to be a very limited circle that knows about it.
That is bordering on fake news. Huawei was not part of the inital group of companies invited by DoT. I have no idea why Huawei was exculed earlier and then invited later.[1] Bu then again, that's Indian babudom for you.
> Not all employees would be in on the espionage attempts either. It'd have to be a very limited circle that knows about it.
My point was entirely about what would be in any company's rational self-interest and the findings of Western countries that evaluate Huawei equipment. Honestly, I wish the Indian governemnt would do something similar with all vendors.
I buy Huawei gear and dislike my government attempting to limit my free market choices. Cisco was (is) just as vulnerable, people just don't talk about it because they have so many lawyers. https://artkond.com/2017/04/10/cisco-catalyst-remote-code-ex...
Free market choices in this case have hidden costs. Huawei was selling hardware with user manuals from cisco because they were exact copies. When IP is stolen, countries lose incentive to invest in R&D. Note almost every major Bell-labs era research center has been shut down or dramatically weakend, the most recent being Dow/Dupont.
That is true and a good point. But when you think about it, with a large enough budget you could create hardware backdoors in microprocessors in the manufacturing plant without the chip designer ever knowing about it.
Then you're in a weird world, where a flagship smartphone has backdoors created by Samsung, Google, three different governments and the weird guy that worked with the chip design in team #7.
It interestingly starts off with a disclaimer about working for Huawei that could indicate that they're going to speak against their parent company, and then just defends them completely and says that because of the American/Iraqi WMD fiasco about 20 years ago their company is above-board (how this is related or provides some sort of defense is beyond me). It's certainly devoid of all of the criticism of Huawei and cherry-picks a single audit of their code.
Taken with an appropriate amount of salt indeed... a metric ton.
What's the difference? I'd imagine that any mediocre and above intelligence agency would be smart enough to make it look like the backdoor was "just a random bug".
If they are giving the bug the name "CN_rear_entrance" or anything like it, or talk about how it can be used in code comments, I would say they are a worse than mediocre intelligence agency.
No one talks about the story from financial perspective? How much will Huawei lose, who is the competitor against Huawei? IMO it's the extension of trade war between US and China.
There's also substantial evidence that Huawei was involved in the murder of a US citizen to cover up attempts to acquire classified US military technology:
Within the UK Huawei has won a number of network refresh contracts with BT. I assume this then got levels of concern going within the various agencies, as this was one of the results:
Protection for US 5G Corporations to allow them to catch up.
Then there's the other side of the coin. The Chinese boycotting of US Corporations. China alone has more population and manufacturing than the US and EU combined. Does the West really want to lose a market that's 20% of the whole world? Probably not.
Other telecom actors were steamrolled by the government-backed Huawei telecom network deals. Ericsson for example could not keep up because the EU doesn't believe in protectionism, at least at that level.
There are too many double standards here, about capitalism, free trade, technological progress. There is a legitimate reason to be concerned about backdoors and spyware, but why should this 'concern' be limited to a single country in this self serving way?
What this really says is that some companies and countries can access all markets without concerns but when others try to grow their market access will be restricted with scaremongering, bullying and political games perpetuating an artificial marketplace.
Its the ideologues who always argue on 'free markets' and
'competition' in absolute terms who should wake up to how little the real world has to do with their idealized constructs.
Implicitly manufacturing American confidence in domestic brands with such headlines while economically harming China, this obviously doesn't need to have a shred of evidence to be worthwhile.
the article mentions concerns over telco equipment; so it seems to be about their routers, not the phones.
I wonder if they will spin off the phone business, as it seems to be turning into 'collateral damage', at least in Nato countries, that is.
(disclaimer: bought Huawei phones for my kids - pretty good phones at reasonable prices)
Sure, in the way that assuming all food is rotten is the only way to completely avoid food poisoning.
If, however, you don't subscribe to the starving lifestyle, such blanket assumption are useless.
Same for phones: do you just not use a phone? Does the poster above you rely on the heuristic that people using the term "pwned" generally don't have much of relevance to say anyway?
Because if everything is terrible, and everyone is corrupt, and there is absolutely no use in considering the probability that some options are less terrible than others, and that there may be signs the public can pick up on to make decisions, then congratulations: those believes do help in feeling really smug about your cynicism. But they don't really help otherwise.
Without NetGuard or similar all smartphones, everywhere, are indeed pwnd. The mistake made in using a food analogy is that, while both are consumables (consuming attention in the case of a phone) only one is a necessity to life.
is there any hard evidence that huawei is a legitimate security concern? Checking the wiki it seems like this is the commerce department trying to piss in the cheerios of a company that doesnt subscribe to the jackboot regimes of US foreign and copyright policy. theyve sold to iran, and have been accused of industrial espionage, but Symantec sold to iran and violated the GPL numerous times without so much as a scolding.
> is there any hard evidence that huawei is a legitimate security concern?
Yes, quite a bit [1]. Here’s an apolitical example:
“In July 2012, Felix Lindner and Gregor Kopf gave a conference at Defcon to announce that they uncovered several critical vulnerabilities in Huawei routers (models AR18 and AR29)which could be used to get remote access to the device. The researchers said that Huawei ‘doesn't have a security contact for reporting vulnerabilities, doesn't put out security advisories and doesn't say what bugs have been fixed in its firmware updates’, and as a result, the vulnerabilities have not been publicly disclosed.”
In summary, the best case is Huawei is incompetent.
To be fair, their main competitor, Cisco, has had a significant number of hardcoded password backdoors found in their products. While their reporting and patching story is better, their security track record is still awful. It's believable that Huawei as awful security and backdoors, but that is just as bad as Cisco. The real difference would be if they were actively aiding espionage, which has been talked about a lot but never backed up with evidence.
> It's believable that Huawei as awful security and backdoors, but that is just as bad as Cisco
Given “Cisco [has previosuly] revealed parts of [an] independent expert's report produced for [a] case which proved that Huawei had stolen Cisco code and directly copied it into their products,” that wouldn’t be surprising.
At the end of the day, you have a company with strong links (down to its founder) to the military of an adversarial dictatorship and which has been proven to have violated international sanctions with Iran, North Korea, Syria and Venezuela. This isn’t a “beyond reasonable doubt” criminal case. It’s a reasonable weighing of odds determination.
Also not wrong. But the US, while not a dictatorship, and with its own share of problematic foreign policy, has been caught with its hand in the security cookie jar.
DUAL_EC_DRBG was included in BSAFE and Juniper products. So even if we assume the worst of Huawei, it's really a matter of which back door you want in your networking equipment. My hope is that these constant accusations make Huawei drive big improvements in reproducible builds, source-available software, and verifiable hardware. But I'm not holding my breath.
Then again, at the end of the day, you have companies with strong links to an adversarial government and which has been proven to have conducted economic espionage for the benefit of domestic companies, regularly violated (and violates) human rights, overthrown elected governments, invaded countries under false pretenses, and sentence people to death without a fair trial. If that's your line of logic, then there's more than enough shit to go around. Both sides are shitty.
The point being made is that industry-level security is not real evidence of malicious behavior on huawei's part. If you want people to avoid huawei, present proof.
> At the end of the day, you have a company with strong links (down to its founder) to the military
This sort of pure propaganda just undermines your case. The founder of Huawei was never more than a low level engineer in the military, was forbidden from joining the CCP for many years [1].
It's one thing Huawei's products have severe vulnerabilities (as every other IT companies do), and another thing the company is actively engaging in espionage.
If this is the best hard evidence the US can bring forward, then the whole allegation sounds entirely political-driven.
It's this kind of logic: it depends on whether you believe the US is as big of a security or IP-theft threat to you as China is. Your premise relies on the US == China. If that isn't the case, your premise collapses in one form or another.
Taiwan, Japan and South Korea aren't afraid of the US. They are afraid of China.
Finland, Romania, Poland, Ukraine and Estonia aren't afraid the US will invade and annex their territory. They are afraid of Russia's territorial ambitions in Eastern Europe.
For example, how do you think Australia feels about it right now?
"China’s peak security agency has directed a surge in cyber attacks on Australian companies over the past year, breaching an agreement struck between Premier Li Keqiang and former Prime Minister Malcolm Turnbull to not steal each other’s commercial secrets."
All I and others are asking for is some hard evidence. Either the company is engaged in unsavory behavior or it is not. You can't be ambiguous about this and expect people to play along.
Given how easy it should be for a capable government like the US to find something like this (especially given how common huawei gear is) and how "friendly" the US has been with China, I would expect to have seen at least some evidence surface by now. In fact, I would take the lack of evidence as a testimony to the innocence of huawei and the security of their hardware.
If you think that demonstrates a legitimate security concern then every telecom manufacturer is a security concern. Spend some time comparing the known security issues with Huawei routers to Cisco's routers for example.
> is there any hard evidence that huawei is a legitimate security concern?
As someone with a lot of huawei in their infrastructure, this is what I really want to know as well.
The US government has lost a lot of credibility over the last few decades with its lopsided foreign policies that completely tip towards self-serving and agenda-pushing rather than decency and public good. There is nothing indicating that this particular issue is any different.
Unless the US government shows hard evidence that the company is harming us, we're not ditching them.
Innocent until proven guilty applies to entities you don't like too.
The difference is when the US government does something nasty, it's relatively transparent and accountable. It is not the case for the China government.
Do you actually have any firsthand experience with Chinese internet culture? There's plenty of discontent and protestation about government policy, it's everywhere.
No, there's absolutely no evidence that Huawei equipment is a legitmate security concern. In fact it's just the opposite. Huawei equipment has been extensively and continuously studied by the best security researchers in the world. Britain, alone, spent roughly $25 million dollars going over all Huawei equipment with a fine tooth comb and their "big conclusion" was that they can only offer "limited assurances" of Huawei equipment [1]. USA and France and Germany and Brazil have also extensively analyzed Huawei equipment and come up with nothing. Ironically, as the discussion in India and Japan and the Phillipines now show, the Western obsession with Huawei and has only made the case for Huawei's equipment much, much stronger.
There is none in recent years. Huawei even offered to open its complete source code to the US government for inspection but got turned down.
There is evidence that the US spy agency hacked in Huawei HQ for years and still the US cannot produce evidence of Huawei wrongdoing. But then again it's possible the US don't want to disclose it's intel source.
>Ms Cave said Huawei had been implicated in alleged cyber theft of data from the African Union’s Ethiopia headquarters. According to multiple reports this year, data was transferred every night from the building for five years. “There’s no proof that Huawei was asked to participate or turn a blind eye to the breach, but we know that there was a breach and Huawei was the key provider,’’ Ms Cave said.
1. https://www.theguardian.com/world/2018/jan/30/china-african-...
2. https://www.theaustralian.com.au/national-affairs/national-s...