> multiple sources familiar with the investigation tell CNN that
there's no question the Huawei equipment has the ability to
intercept not only commercial cell traffic but also the highly
restricted airwaves used by the military
I am a bit out of date on the latest designs, but presumably antenna
resonance, array phase (directionality) and radio spectrum are all
controllable with software now. Any or all of these could be modified
remotely and changed back to civilian cell parameters again in a
matter of seconds. Additionally the firmware, and hence general
capabilities, can be remotely updated.
Hence, one can no longer look at a device like a modern radio cell and
say "this is designed to work in such a way". If you impounded it,
took it to a lab, what you'd see on the bench may have no relation to
how it operated a few days ago. Given also that traffic to and from
the device may be encrypted all the way back to Beijing, the operation
of the devices cannot be attested even in principle.
This is a serious general problem in modern security - one of
unfalsifiability and plasticity of form and function. It applies as
much to Windows and Apple computers as to Huawei.
Unless we quickly reverse the trend toward vendor-trust models that
give over total control to unverifiable remote entities we're all
going to be seriously screwed soon. This is going to play out in the
Intel microcode debacle, in Apple's iron control over devices in the
face of EU interoperability edicts, and on many more fronts...
And last I checked, our clinically insane UK government still hasn't
fully buried the idea the Chinese might build us a nuclear power
station over here!
The solution would be quite easy: Disallow devices (and software, too) from phoning home. Disallow remote firmware updates.
I predict that such a law would also be very popular with the citizens because people hate it when an automated software update breaks their workflow. And remote car firmware changes could be quite dangerous, too. https://twitter.com/anjilslaire/status/1537622856724426752
And some companies have been pretty notorious with their bait and switch, like the ad-free Samsung $10k TVs that got "updated" with popup advertisements a year later.
> The solution would be quite easy: Disallow devices (and software, too) from phoning home. Disallow remote firmware updates.
But then how will network operators outsource all of their infrastructure maintenance to vendors? That's the problem.
We have this naive idea that companies running networks employ staff to manage their networks. In reality, it hasn't been like that in a while because there has been a tremendous push in the industry to outsource everything to third parties. So the person who owns the cell tower likely has no idea who is maintaining it, much less has that person on their payroll.
This should be a political discussion: Do we want US internet infrastructure to be remote-controlled from China, in exchange for cost savings? Or do we mandate US internet infrastructure providers to train their own US-based employees?
Looking at Comcast's 36% gross profit margin, I don't think they would have any issues employing +100 network engineers to maintain their phone systems themselves ;) They just don't want to.
But how could you ever really be sure that the device couldn't take an update assuming it must be connected to a network in order to fulfill its function? Hardware is so complex these days it's not really feasible to prove negatives.
If you catch any of your own device doing that, you report it to a government agency and they'll check in their database if your finding is new, and if it is, they will immediately pay you $10k and announce it publicly.
And then afterwards, the government can fine the manufacturer $100k to recoup their costs.
Also, most of the updates that people hate have been pretty blatant. Like when your TV starts showing ads when it was ad-free before, it is pretty obvious that something changed.
Seems you're more focused on the "my consumer device does new stuff I don't like" issue whereas I'm more focused on the "my nation's telecommunications backbone has a malicious FPGA hidden somewhere so it can man-in-the-middle critical communications" aspect.
>"my nation's telecommunications backbone has a malicious FPGA hidden somewhere so it can man-in-the-middle critical communications"
Not just that, for about a decade now I've had a thought that you could just have a chip "self-destruct" when a signal goes out and bam a chip re-writes itself to be bricked.
If you bake this into some common chip (or just include it in a firmware update), or something used in say backbone level network hardware, or something in millions of cellphones you could send out the instruction in some previously routine traffic to and from the mothership and then a clock starts counting down. You build in long enough of a delay to ensure you get most devices to receive the signal, say a week or even a month, and you suddenly cripple millions of devices and create mild to moderate chaos which gives gives you a leg up for an invasion or has a massive impact on the markets, or cripples internet access for a large area for weeks or months until hardware can be replaced.
I'm pretty sure if you offer a high enough bounty, some of the people working to deploy your infrastructure will go searching for those FPGAs.
Also, I expect enthusiast users and large companies to purchase similar devices as small telcos. Scorned network administrators are probably even better bounty hunters.
But yes, I was focusing mostly on the end-user aspect because if you want to create such a law, you need your citizens to like the idea.
IMO proposing we "disallow remote updates" because we don't know what backdoors could be sneaked into devices is akin to proposing we outlaw fudging spreadsheets because we don't trust accountants.
It's not really practical or enforceable. If a world power wants to hide something nasty in silicon or software, a bug bounty program isn't going to cut it. Maybe if the government had a genius-savant who could stare at silicon dies and find malicious circuits.
That was the same argument anti 5g people used for 5g arrays, they suggested the normal operation is safe but they can be turned up or focused on targets using software.
> That was the same argument anti 5g people used for 5g arrays, they
suggested the normal operation is safe but they can be turned up or
focused on targets using software.
That's fascinating from a psyops/infowar perspective.
As they say, "where there's smoke there's fire".
I've never followed any of the 5G conspiracy tommyrot, but isn't it
odd that in all likelihood they're quite literally correct, but for
simply the wrong ends?
Were I to don my master-manipulators black Pilgrim hat and apply some
extra-strength twisting wax to my comedy moustache... I'd be be just
delighted to insert such "almost true" ideas amongst a bunch of
credulous idiots in order to suppress belief in my actual plan.
US nuclear comms is, without exaggeration, one of the highest risks to every life on the entire planet. I'd be surprised if it was just the Chinese.
It is unfortunate but the situation with Huawei is a matter of great FUD. On the one hand, they probably are dodgy as any organisation & in league with the People's Liberation Army. The major risk they pose is doing precisely what the the US is doing with their spy network and the risks of that are well understood.
But on the other hand, while this may be a real story, but it is just one thread of a bigger story where the Asia keeps challenging the US's high-tech edge. CNN + the FBI is not a combination known for fair, honest and reasonable journalism and this could well just be stirring up muck, trying to discredit a superior Chinese solution.
I'm way more worried about Russian nukes than American ones. They can't keep truck tires maintained, who knows what sorry state their nuclear infrastructure is in?
The Chinese government has overt control over any Chinese corporation of consequence. This alone should be enough to disqualify Chinese telecom equipment from critical areas in my opinion. I'd expect the CCP to take similar precautions where feasible.
It's true that modern nukes do not go off accidentally. But solid fueled rocket propellant in ICBMs can be pretty touchy and they have a shelf life.
Or the failure could be on the command and control side like what happened in 1983 [1]. Soviet early warning systems malfunctioned and reported multiple ICBM launches. The officer in charge basically decided to ignore it and single handedly prevented the end of human civilisation. This was at the height of the Cold War before the Russian army was drained of competence. I can't imagine those systems are working as well as they did back then.
They keep challenging the high-tech edge because they bypass billions of dollars of research development.
If a newcomer is able to bypass those costs it will kneecap the cycle of innovation which requires certain profit margin‘s to afford armies of PhD‘s. Otherwise game theory says the system goes ‘poof’.
Saddam Hussein did quite a bit more then just “challenge the bully”…
I suppose genocide of the Kurds is acceptable on the internet as long as your suitably anti-American while you do it. Those darn American imperialists!
When Iraq gassed a Kurdish village in 1988, the US actually blocked condemnation of Iraq in the UN Security Council and tried to redirect blame towards Iran.
The US only started making a big deal of Iraq's attacks on the Kurds years later, when Iraq had gone from being an ally to an enemy.
> I also checked your account and it's nothing but right wing propaganda. Damn, dude
That’s odd, as I generally vote Democrat and the only post here I’ve submitted is to a math blog post I enjoy.
At any rate, let’s try to avoid having this website turn into yet another Reddit or Twitter in terms of quality of comments and obsession about anything seen as not left leaning enough.
I think we’ll just have to agree to disagree about the merits of Saddam Hussein, here. Have a good weekend.
It does look like your account has been using HN primarily for ideological battle. Please don't. We ban accounts that do that, regardless of their ideology, because it's not what this site is for, and it destroys what it is for.
> let’s try to avoid having this website turn into yet another Reddit or Twitter in terms of quality of comments and obsession about anything seen as not left leaning enough
>>Almost 99% is attacking liberals, leftists, and the EU. Literally.
I see 26 posts in FreqSep's comment history. I see posts about relatively non-political topics like iPads, IoT, vaping, and surge pricing among those 26 posts.
I think you need to show your math. You might have misplaced a decimal point somewhere or something.
> According to multiple sources familiar with the matter, the FBI determined the equipment was capable of capturing and disrupting highly restricted Defense Department communications, including those used by US Strategic Command, which oversees the country's nuclear weapons.
If you write that they could capture these communications, it sounds like they could be read. But these comms must be encrypted, right? This story is a bit clickbaity - by that standard, some hobbyist with an antenna can "capture" DoD comms. And they could "disrupt" them as well with a cheap signal jammer near the receiver.
> And they could "disrupt" them as well with a cheap signal jammer near the receiver.
Amateurs aren't running around the country placing transmitters near all the government comms. Also there's many types of encryption (onion routing for example) that depend on being able to intercept communications at multiple locations. Also there's still metadata that can be learned even without being able to read the comms directly, for example who's broadcasting at any moment. Even amateurs were able to figure out when Russia was launching missiles at Ukraine even from their encrypted comms, if you have a more advanced surveillance system in-country you can learn a lot more.
It's like getting several spooks to say your network card could intercept or disrupt all your internet traffic. It's making the equipment's purpose sound scary.
Construction materials in diplomatic pouches… understandable for an embassy, but for a non-diplomatic building abroad? What in the world were they trying to build with? US customs isn’t going to hold up any properly labeled containers of building materials, especially if the Chinese embassy asks the state department for help.
I have to ask a dumb question here. Lets say that a piece of equipment was installed, with a secret backdoor chip to send data to another country. Surely the unexpected network flow would be detected outbound and investigated? I mean, if my firewall detects outbound traffic to weirdness.com, its going to stop it and alert, because weirdness is not in the predefined envelope of expected places to send things to.
Exfiltration can be masked in any channel with a signal. So the exfiltration can be hard to detect when it is only sending a bit every 23 minutes for example. Longer time is harder to trace. Think of very intelligent algorithms using multiple channels for exfiltration.
If it only sends a bit every 23 minutes, the bitrate will be so low that nothing of interest can be sent.
These sorts of vague accusations have been made against Huawei for several years now, but to date, no one has ever produced a shred of evidence that Huawei installs backdoors on its telecommunications equipment. Huawei devices are installed all over the place, and it's not as if there's been a lack of scrutiny. In the UK, Huawei even submitted to regular audits by British intelligence, and nothing was ever found. Every claim that's been made has turned out to be along the lines of, "We discovered that Huawei uses industry-standard tools to update firmware on its devices, and the network operators have the ability to oversee the updates."
The accusations are pure assertions, backed up by a general suspicion of everything Chinese. This really began with Trump, and it's been sad to watch Western countries fall ever deeper into paranoia and hatred towards China. It's Yellow Peril v2.0.
> The accusations are pure assertions, backed up by a general suspicion of everything Chinese.
> This really began with Trump, and it's been sad to watch Western countries fall ever deeper into paranoia and hatred towards China. It's Yellow Peril v2.0.
Canadians have been skeptical of Huawei since at least 2012.
I think it's a reasonable security posture to treat technology from a country you don't trust with suspicion. Especially when they have long history of hostile espionage.
If you don't want to use stuffs from a country you viewed as adversary in your infra, government, army etc. that's totally reasonable, but just man up and say that out loud. Having these vague accusations thrown around like "Huawei phone is spying on you, and so is other Chinese brands like Xiaomi, so don't use them" is honestly just insulting as a customer when there's not a single shred of concrete evidence that something nefarious is going on.
> you don't want to use stuffs from a country you viewed as adversary in your infra, government, army etc. that's totally reasonable, but just man up and say that out loud. Having these vague accusations thrown around like "Huawei phone is spying on you, and so is other Chinese brands like Xiaomi, so don't use them" is honestly just insulting as a customer when there's not a single shred of concrete evidence that something nefarious is going on.
People are saying both of those things, for the same reason. Do you not think that having unprecedented access to the data of civilians poses a risk to national security?
Modern technology (smart phones, apps, websites, etc.) collects a terrifying amount of information on people. It also exerts a tremendous amount of influence, be it Facebook or China.
I also think that writing off the concern as "vague accusations" misses the point. As the current top comment points out[0], it's nearly impossible to verify what a device is doing. And even if you were to somehow do a complete software audit, malicious behaviour could be patched in at any time in the future.
> I also think that writing off the concern as "vague accusations" misses the point. As the current top comment points out[0], it's nearly impossible to verify what a device is doing.
This is not an excuse to make accusations without any evidence. At some point, the people making these accusations have a responsibility to either show evidence for their claims or to stop making them.
Huawei chips are installed all over the place, and foreign governments (namely, the US and its allies) are intensely interested in what Huawei is doing. We even know from Snowden that the NSA hacked into Huawei's internal networks and read sensitive communications between executives.[1] If Huawei is actually surreptitiously intercepting and sending foreign communications back to China, there should be evidence of that. Just saying that anything is hypothetically possible doesn't cut it.
I'm sure the Pentagon could properly save alot of money off-shoring the F-35 factory but for some of reason or other that's not going to happen.
Perhaps communications infrastructure has similar req'ts no one wants to acknowledge?
I guess a city-wide network of cell towers could surreptitiously function as a phased array missile detection and air traffic radar too? The resolution but deep across enemy lines.
every country should manufacture its own entire telco stack - clearly anything foreign made is a higher security risk than one that is domestically made. Imagine an adversary being able to remotely trigger a nuclear war by issuing commands to a router
> every country should manufacture its own entire telco stack - clearly anything foreign made is a higher security risk than one that is domestically made. Imagine an adversary being able to remotely trigger a nuclear war by issuing commands to a router
You're weirdly implying every country is an adversary of every other. There's no good reason for "every country should manufacture its own entire telco stack," but it is reasonable for them to only source equipment from ideologically-aligned natural allies.
> You're weirdly implying every country is an adversary of every other.
Isn't it? Ideology is a lie, people are all the same all over the world (except maybe for some peculiarities like western chauvinism). Everyone wants to live contented lives, be free, raise kids in peace and so on.
Every country should have it's own sovereign tech stacks simply to avoid effects of corruption or irresponsibility of global elites. Otherwise we see stuff like US' economic and sanction wars, which create pools of poverty, which inherently cause plunge of observance of human rights, which causes immense suffering of ordinary folk -- all that so someone could make money on something like cheap rare earth metals mining for selling electric car batteries.
Can you expand on what you mean by western chauvinism? My time in eastern Asia has taught me that many of them see members of others Asian (and non-Asian) races/countries as inherently inferior.
huge risk to rely on any other country though, friends today may become enemies tomorrow.
Have we already forgotten that US dropped atomic weapons on Japan yet are now fast allies or that US supported the Islamic fundamentalism in Afganistan before now becoming enemies. US + Saddam bosom buddies in the Iran vs Iraq war.
> huge risk to rely on any other country though, friends today may become enemies tomorrow.
Real life isn't some RTS game. If a flip like that happens, it won't happen very quickly.
Also autarky isn't even possible for most countries, and is probably a weakness for most of those that could pull it off.
> Have we already forgotten that US dropped atomic weapons on Japan yet are now fast allies...
That's an example of an enemy becoming an ally, so not exactly relevant.
> or that US supported the Islamic fundamentalism in Afganistan before now becoming enemies. US + Saddam bosom buddies in the Iran vs Iraq war.
Those are allies of geopolitical necessity, not "ideologically-aligned natural allies." For the latter, I'm thinking of things like NATO (maybe sans a couple of members) and "the Anglosphere."
I don't know why all comms infrastructure doesn't require all hardware/software designs to be handed over to US gov. with some kind of security review for all updates.
Obviously there are competitive problems there, but it's better than the alternative.
Either that, or, more easily, no 'critical' infrastructure from China, Russia etc..
You gotta buy it form US, Canada, Europe etc..
You can buy grain, toys and beef from China, just not 5G gear.
Come on, the Chinese already produce the majority of all components for major US infrastructure. What's the harm in giving them a little more? Heck they made John fuckin' Cena learn Chinese to apologize to Xi for saying he supports democracy. China won.
> Where are these said comments? They've either been deleted or you're trying to stir things up for no reason. At time of posting there are no comments critical of the report.
You need to have show-dead enabled to be able to view them.
I'm right-leaning but CNN is not universally bad. You should be paying attention to who the writer is more than what platform it's published on.
Full hatred of one news website versus another is as absurd as complete allegiance to a single political party no matter what they do.
Fox News and CNN are both legitimate news sites.
Also since when is being anti-China a US political party issue? Last I checked it was one of the few things with broad agreement among US political parties.
This seems like an absurd claim to me (as a Western European social democrat). The comments on Hacker News skew very far to the right on everything from fiscal policy to taxation to gun rights to employment rights to unions to data protection to corporate regulation.
The only areas where HN could be considered centrist is the hot-button social issues in the States like LGBT+ or abortion rights. Certainly not left-leaning, anyway.
The site is definitely filled with left leaning individuals. I think the only reason why HN is not more blatantly left leaning (like Twitter, reddit) is because the average HN poster works in tech and likely makes a lot of cash. I know I definitely got a lot less radical in my liberal beliefs once I jumped up a couple tax brackets after college.
Other sites like reddit are filled with left leaning individuals from all walks of life. It's easier for a barista living barely above the poverty line to have more far left beliefs out of pure resentment for the structures that allowed them to go $150k into debt after majoring in something like Eastern Gender Studies.
> shut down a high-profile regional consulate believed by the US government to be a hotbed of Chinese spies
Every consulate - Chinese, American, you name it - is a hotbed of spies. The closure of the Houston consulate was just a political move by the Trump administration.
What you're casually dismissing as "just a political move" seemed to be a very well understood target which required state department cooperation to act against.
> HOUSTON AS A GLOBAL S&T HUB Before its closure in the summer of 2020, the Chinese Consulate in Houston, Texas was a major hub in China’s global S&T information gathering operation. From January 2015 to July 2020, Houston Consulate staff identified more S&T projects than any other PRC diplomatic post in the world, and referred 89 percent of the projects originating from the United States.56 During that time, the United States was the largest source of information technology projects targeted by Chinese S&T diplomats.57 From 2017 to 2019, the Houston Consulate cosponsored a series of “matchmaking” events with several Chinese technology transfer centers, attracting approximately three hundred U.S. businesses each year.58 Since the consulate’s closure in July 2020, the MOST bulletin of “international technical cooperation opportunities” has registered only one additional project from the United States, a virtual reality therapy company in Massachusetts.59
Houston is not a particularly important science and technology hub in the US. The idea that Houston would be the most important focus of Chinese industrial espionage is non-sensical.
> From 2017 to 2019, the Houston Consulate cosponsored a series of “matchmaking” events with several Chinese technology transfer centers, attracting approximately three hundred U.S. businesses each year.
This is a very good example of how completely normal diplomatic activity is being cast as somehow malign. The Chinese government seeks foreign investment. Part of that involves the type of public events this passage is describing, in which the government invites a bunch of companies to a trade fair and pitches the idea of investing in China. The US does this abroad. Pretty much everyone does. This document is trying to blur the line between espionage and normal diplomatic activity.
There is actual espionage that occurs out of embassies and consulates around the world. This isn't it.
>Houston is not a particularly important science and technology hub in the US.
I'm sorry, what? The city that hosts the Christopher C. Kraft Jr. Mission Control Center is not a science and technology hub? There is science and technology outside of social media apps and internet ad surveillance tech.
> The city that hosts the Christopher C. Kraft Jr. Mission Control Center is not a science and technology hub?
Yes, it's not a particularly important hub in the US. Boston, SF, and countless other cities are more important hubs. Having one space mission control center does not make a city into the foremost American science and technology hub.
The Trump administration decided to close down one Chinese consulate as a political message. They probably chose Houston because closing the consulate there is less disruptive than closing, say, the NY consulate. When the Chinese retaliated, they also chose a relatively unimportant US consulate to close.
Your response is absurd. You think China would only focus on a few cities? They likely have multiple efforts going in every major city all at the same time. They have more than enough money and motivation to do that. To dismiss Houston just because it’s not Silicon Valley is absurd. Any strategic advantage is still an advantage. They have the luxury of not having to worry about profits and losses like a corporation.
The document that was cited above claims that Houston was a major global hub of Chinese science and technology espionage. That's what's absurd.
Practically every consulate and embassy around the world is crawling with spies. "Diplomatic cover" is a standard way of sending spies to a foreign country. That's not why the US would close down a foreign embassy.
The closure of the Chinese embassy, with a big announcement and almost no forewarning, was meant as a political statement. It came in the middle of an escalating trade war, initiated by the Trump administration.
The post facto rationalizations about the Houston embassy being some extraordinary hotbed of espionage were absurd on their face, and I'm surprised by the level of naiveté in this thread towards these sorts of official government explanations for what are obviously political moves.
If it is it is NOT a political move but a necessarily state vs state diplomats or spy protection action.
Ignore the trump part. Protect USA interest. Just like china protect theirs. And when Taiwan invasion occurs see how much protection USA has may I note.
Trump is a dirty hand, a wake up call, … ignore the dirty and call part. Need the hand and the wake up guy.
I am a bit out of date on the latest designs, but presumably antenna resonance, array phase (directionality) and radio spectrum are all controllable with software now. Any or all of these could be modified remotely and changed back to civilian cell parameters again in a matter of seconds. Additionally the firmware, and hence general capabilities, can be remotely updated.
Hence, one can no longer look at a device like a modern radio cell and say "this is designed to work in such a way". If you impounded it, took it to a lab, what you'd see on the bench may have no relation to how it operated a few days ago. Given also that traffic to and from the device may be encrypted all the way back to Beijing, the operation of the devices cannot be attested even in principle.
This is a serious general problem in modern security - one of unfalsifiability and plasticity of form and function. It applies as much to Windows and Apple computers as to Huawei.
Unless we quickly reverse the trend toward vendor-trust models that give over total control to unverifiable remote entities we're all going to be seriously screwed soon. This is going to play out in the Intel microcode debacle, in Apple's iron control over devices in the face of EU interoperability edicts, and on many more fronts...
And last I checked, our clinically insane UK government still hasn't fully buried the idea the Chinese might build us a nuclear power station over here!