Spy agencies ban Lenovo PCs on security grounds (afr.com)
112 points by rlvesco7 on July 26, 2013 | hide | past | favorite | 79 comments



One can also interpret this as Lenovo refusing to install American backdoors that Western-sourced devices have, but that's entering conspiracy-theory territory...


We're already in conspiracy-theory territory.


Just lean back and enjoy the view :-)


Wait, so they'll still buy a Dell or HP that is manufactured in China, by a Chinese company, but has the nameplate of an American company slapped on the front, but they won't buy a Lenovo? I'm so confused.


You're confused because you didn't read the article very well. It's reporting allegations of specifically identified malicious elements of Lenovo hardware and firmware.


IMHO, there's a big difference between American companies that manufacture in China and can ensure certain functionality (I for one support "made in USA" and buy that if I can)... and Chinese companies, esp. ones with CCP connections, who can build electronics any which way they would like to.


>I for one support "made in USA" and buy that if I can

I've never understood this kind of nationalism. I don't care if the items I purchase happen to have been made in the country I happen to live in. I want to buy the product that best suits my needs regardless of where it was manufactured.

Sure, if an American product happens to have a higher quality and I'm looking for that, then I can choose to buy it. In that case you can abstract away the manufacturing country, so "made in country X" shouldn't be a factor in any case.

If anything, Western people should buy products from poor countries. It's the best aid they can get.


>I've never understood this kind of nationalism.

Some people want to support their own community and some are concerned about labor/environment standards, human rights, civil liberties, etc.


>Some people want to support their own community

I don't think that's necessary nor ethically justified (though I understand why some people support it). It's like some kind of abstract form of 'cartel', i.e. "I support you, you support me".

However, it's taking money away from poor countries (in this context). I don't think some 'rich' Westerner who happens to live near me is more deserving of my money than a poor person in a third-world country.

>some are concerned about labor/environment standards, human rights, civil liberties, etc.

Ironically, the only way those poor countries will have labour/environment standards, human rights and civil liberties is through economic growth. If you're poor, you can't afford workplace safety.


It's a pretty natural want though. I'll go to a coffee shop owned by my brother before I go to a random other coffee shop. Especially if products are more or less interchangeable. What's wrong with wanting to give your business to someone you know well, and whose product/work has a direct influence on your life? Do what you want, obviously, but I don't think it's a weird moral problem whether you want to support those closer to you.


> What's wrong with wanting to give your business to someone you know well

Nothing, but it's impossible to "know well" everyone in a nation, making this sort of blind nationalism simply delusional at best.


And yet I could fly thousands of miles to Washington state or California and "know" people much better than if I flew thousands of miles to Latin America, Iceland, etc.

There is more to 'closeness to people' than distance, there is also shared culture, civics, values, etc. etc.


You'll find a lot more common culture between people in NYC and London than you'll find between Atlanta and Portland, or Little Rock and San Francisco.

As someone who's moved both across the US and across the ocean, stopping to embed myself culturally for several years each time, I think you overestimate this bond.


> It's like some kind of abstract form of 'cartel', i.e. "I support you, you support me".

It's called "families" and "communities" and is the basis for human civilization. My children aren't going to grow up around poor third world people, nor marry them or raise their own families with them. Some poor third world person isn't going to come to my aid if I'm in trouble. They're not going to be my friends, my coworkers, or even the guy who might find my phone and return it to me. They won't be voting for the government that governs me. Any rational person has tremendous incentive to make sure the people closest to them, and more broadly the people in their own body politic, are cared for before others.


I would argue that collaboration is the basis for human civilization. Political cliques, on the other hand, surely are the basis for war.


Communities are not "political cliques." The vast majority of collaboration happens with people immediately around you. That's why people go to San Francisco to do startups and not to Boise, Idaho.


> I don't think that's necessary nor ethically justified

Let's say there was a fictional country that was the exact opposite of your country: some kind of dictatorship, with censorship everywhere, people enslaved, etc.

Of course you would not buy a laptop from them, you don't want to give more money/power to this awful country.

Now, if you consider 1 country to be the best, with a score of 100, and that worst country to have a score of 0.

Every other country would have a score between 0 and 100.

Depending on people's views about where this country fits, some will be more supportive than others: they would be OK with paying 20% more for the same laptop to a country with a score of 95 instead of 80.

The analogy with the coffee shop of JonFish85 would be: you know your brother is kind to his employees and gives them good salaries, whereas the other coffee shop's owner harasses his employees and pays them badly. But in both coffee shops, the product is the same, with the same price.

>Ironically, the only way those poor countries will have labour/environment standards, human rights and civil liberties is through economic growth. If you're poor, you can't afford workplace safety.

Not really, if some company has twice as much money, they would just hire more low-cost employees. To have better workplace safety, either the employees must act, or the citizens of that country (including the employees), assuming the country is a good democracy. If none of them can, other countries can help solve the problem by boycotting products or enforcing regulations.


My country of birth is small enough that practically none of the nontrivial products I want to buy or consume are made locally, so hearing about this sort of preference (e.g. for "made in $my_country" products) makes me think. Since I can't fall back on a no-brainer nationalist preference on a daily basis (except for a few locally grown vegetables) like the citizens of a country as large as the United States, what should I prefer, if anything?

>Of course you would not buy a laptop from them, you don't want to give more money/power to this awful country.

The approach you describe entails rating countries of manufacture based on labour/environmental/civil standards. So, without more detailed knowledge of the factories in question, an American who follows this approach should prefer a product made in (say) Germany or Sweden, rather than one made in the USA, since it could be argued that the former countries treat their workers better, and take better care of their environment.

I think a reasonable proviso to this policy might be to source high-volume/frequency items locally (e.g. produce) when possible to reduce pollution from transportation (or any other wasteful overhead), assuming almost everything else is equal. Which also means that if this hypothetical American resident is close to a land border, s/he might want to buy something from Canada or Mexico rather than a U.S. state at the other end of the country.


> what should I prefer, if anything?

Whatever you want. That's the point.

People on HN are talking about boycotting U.S. cloud-based services due to the NSA, which is a logical extension of this principle of supporting people and business who you perceive to be "closer" to you.


The wealthier a country becomes, the better standards will become. In short (understatement), because there are a finite number of people in the country (you cannot hire an infinite number of "low-cost employees").


For me, I support US manufacturers because I think a lot of American talent these days is wasted on zero-sum industries such as finance, and I would much rather we work on actually producing real value.


I've never understood this kind of nationalism. I don't care if the items I purchase happen to have been made in the country I happen to live in.

If you want, you can construe entirely selfish motives out of it.

It is better if everyone in your community has a job: it brings down crime, for one. So you can personally benefit from buying locally, just in a "trickle down" sort of way rather than a direct one.

To follow the same selfish motive, why would you care to help third world countries anyway? Even if they collapse in on themselves, the effect on you will be minimal compared to your city collapsing around you (hi, Detroit).


Some needs functions include more than just the product at hand. Somewhere in the utility calculation, it's conceivable that by purchasing a marginally worse object there is marginally less unemployment in my town and thus I can partake in all sorts of other things that happen when more money is inside my small system.

Whether or not it's worth it in the end: no comment.


It kind of sounds like you're saying you don't understand the economic and social benefits of buying local.

If you've been watching the situation in the US and EU for the past 5-6 years you might better understand.


It sounds to me like they are saying that they don't care about the economic and social benefits. (S)he would rather those benefits go to people worse off.


There are also economic and social benefits of buying further afield. It really depends on what you are buying.


True, but look at it this way: I'd rather spend money that goes back into my own country, so that there will be more infrastructure, production and specialists here instead of overseas. This will benefit me and everyone else in the future: faster and cheaper shipping, better customer/tech support, more customization, cheaper upgrades, etc.

Things which are harder to get when you pay an American company, which then pays a Nevis company, which then pays a Chinese company, which then pays Taiwanese and Chinese companies and so on...


It's just a more macro version of the buy local movement, I think.

In some places it's feasible, in others not so much. But, to each their own, I think. If that's what makes them feel better. Just like if it makes people feel better that their veggies are grown locally vs shipped in, even if the local veggies require more 'human subsidies' (energy, water, fertilizer, etc.) than in places where they grow more readily, so be it.


> If anything, Western people should buy products from poor countries. It's the best aid they can get.

So given equivalent products built in Detroit and Somalia, you would go for the one built in Somalia?


Unfortunately your economic rationale makes little sense to most people, even quite a few economists.


The economists who are anti-trade?


How can Dell check for back doors when the entire design and manufacturing process is done by Chinese subcontractors? That makes no sense...


How can Dell check for back doors when the entire design and manufacturing process is done by Chinese subcontractors? That makes no sense..

Through testing, just like the governments did to discover alleged backdoors in Lenovo chips. Did you read the article before you posted multiple times criticizing it?

The ban was introduced in the mid-2000s after intensive laboratory testing of its equipment allegedly documented “back-door” hardware and “firmware” vulnerabilities in Lenovo chips.


Do they check every machine? From TFA:

> A technology expert at the Washington-based Brookings Institution, Professor John Villasenor, said the globalisation of the semi-conductor market has “made it not only possible but inevitable that chips that have been intentionally and maliciously altered to contain hidden ‘Trojan’ circuitry will be inserted into the supply chain.

So we aren't necessarily talking about every single machine being back-doored. My point is that Dell and HP aren't necessarily any more secure just because they're American companies. The home-country of the company whose badge is on the machine is pretty much meaningless in a globalized world.

The article also contains some suggestion that this was motivated by rivalry in addition to security, so there's that as well.


I see such back doors as less of a problem for the general public than for intelligence agencies, because even a single malicious device could result in a major security breach and so randomized testing mightn't be as effective. If trying to snoop on the general public on an ongoing basis though, then it would be hard to avoid randomized testing (presuming someone is actually doing such testing).
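The sampling argument in the comment above can be made concrete; this is an added illustration, not part of the original comment. Suppose $k$ of $N$ delivered devices carry an implant and $n$ of them are drawn uniformly at random for laboratory testing. The probability that at least one implanted device is examined is

$$P(\text{detect}) = 1 - \frac{\binom{N-k}{n}}{\binom{N}{n}}.$$

For a single targeted implant ($k = 1$) the ratio of binomials reduces to $(N-n)/N$, so

$$P(\text{detect}) = \frac{n}{N},$$

i.e. testing 10% of a batch finds a lone tampered unit only 10% of the time, which is why an agency protecting a classified network cannot rely on sampling. For a mass-surveillance implant present in a fraction $p = k/N$ of units, and $N$ large relative to $n$, the same expression is approximately

$$P(\text{detect}) \approx 1 - (1-p)^n,$$

which approaches 1 quickly even for small samples: $p = 0.2$ and $n = 20$ gives $1 - 0.8^{20} \approx 0.988$. That asymmetry is exactly the comment's point: random testing is a weak control against a targeted implant and a strong one against a broadly deployed one.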


Theoretically the same way the article claims the NSA does, with a specialized lab for hardware testing.

Whether they actually do or not, who knows.


Careful, marketing is tricky: the phrase "made in America" may not mean what you think it means. I'd say you're looking for "Product of USA", which means a totally different thing, i.e. actually made in the USA.

I know here in Canada on investigative consumer shows it's been shown "made in" may simply mean a product was assembled from parts made in another country or maybe 51% of the product was made in your country.

Preying on a person's nationalistic feelings is a powerful marketing tool to get people to buy a product.


The fact is that "oh no, CHINA!" has most-favored-nation status with the US and is a major major partner in pretty much every way, including positive ones. The rending of garments like this is just a couple of boardroom loudmouths posturing, like Facebook and Google taking potshots at each other. Competitors, not enemies.


What makes you think they buy off-the-shelf Chinese-assembled Dells and HPs?


If they weren't buying off the shelf computers to begin with this announcement wouldn't have been required.


I don't know for certain, but having dealt with Dell before (as an institutional customer), I know the government buys off-the-shelf Dells. Now, maybe the intelligence agencies have special arrangements, I don't know, but it seems unlikely to me. I'm sure they do more than just unpack the box and plop it onto the desk, but I doubt Dell or HP have special manufacturing facilities for intelligence agency machines.


Most of the computers in a defence facility are unclassified or restricted. The rules are different for secret/top secret.


The article never stated that they would do so.


From the article, for the commenters who don't seem to have read it and have a side discussion going about "how do we know Dell or HP hardware isn't compromised?" (answer: nobody knows that, but that's not the reason for the article)...

The ban [on Lenovo hardware for classified networks by multiple western intel agencies] was introduced in the mid-2000s after intensive laboratory testing of its equipment allegedly documented “back-door” hardware and “firmware” vulnerabilities in Lenovo chips.


This is fascinating to me.

There are six countries mentioned - China, US, UK, Australia, New Zealand, and Canada.

Do each of those know the actual exploits, or do they just know that exploits exist and to not use these computers?

Assuming they all know, that's a lot of people who can have scary access to Lenovos. I'd be interested to see if that's going to affect the generally good image Lenovo had. My old ThinkPad has a bunch of nice security stuff. I still think it's the most secure computer I use, certainly more tamper proof than most other machines I use.


I have a Lenovo X201, would love to see some details, and try to "hack" my own computer, to see what's there.

Very little information about the actual details in the article. If there really was a backdoor and they're publicly banning a company because of it, wouldn't it make more sense to show the results publicly too? Otherwise it feels more like FUD than responsible research.


US, UK, Australia, New Zealand, and Canada are the Five Eyes.

http://en.wikipedia.org/wiki/Five_Eyes


Jonathan Brossard gave a great talk about this at defcon last year. Around the 2:30 mark in the video he talks a bit about the idea of China backdooring hardware.

http://www.youtube.com/watch?v=yRxDvkKBMTc

http://www.slideshare.net/endrazine/defcon-hardware-backdoor...

http://www.scribd.com/doc/101181012/Rakshasa-Whitepaper


This is the same bullshit that was thrown around when IBM sold off their PCs to Lenovo.

A British spy agency coming out with information like this but not in public? Sounds like bullshit to me.

Britain would be well advised to steer clear of US branded computers as the NSA might have access.


For US corporations and small businesses, a Lenovo laptop is definitely one of the first places to look for good linux compatibility.

Lenovo laptops are also among the only ones that are supported by coreboot.

You can't be sure you've found all the backdoors but by running coreboot+linux you can eliminate many of them.

Perhaps that's the reason the US Government is spreading FUD about Lenovo.


>...as the NSA might have access

Might?

Anyone recall how the USG was requiring backdoors into all routers/switches? I was told about this in 1997 from a Cisco employee who told me they were required to provide a method for the USG to be able to log into all devices they make.


This is documented. Routers are required to have the ability to intercept traffic in response to a warrant, but the router's administrator must manually create an intercept and grant the government access to data. There is no "backdoor."

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cfg/conf...


It's possible that they were talking about CALEA, which has some wiretap capability mandates on hardware (and associated technical standards).

If I had the choice between communicating over CALEA-compliant or non-CALEA-compliant infrastructure, I would far prefer the latter, but these particular backdoors aren't required to operate in an automatic, unattended, or surreptitious way (though some implementations might well have bugs that allow them to do so).


USG? I've seen that show up quite often the last couple of days, but never explained. Google says it's USG Corporation or University System of Georgia.


United States Government in this context I think.


United States Government.


Finally. Given how Huawei routers are riddled with "Security 101" vulnerabilities [1], I doubt that Lenovo is any better.

[1] http://news.cnet.com/8301-1009_3-57482813-83/expert-huawei-r...


Seriously, shit or get off the pot.

It's speculation and posturing until there is evidence.

It sounds more like someone is not happy they're not in control of the hardware.


Posturing so that they can convince others that it's true. And then shovel their own chips filled with backdoors.

It's sad to admit, but I would be more suspicious of an American computer than a Chinese one at this point. Constantly pointing their fingers at everyone else so they can do the same things when everyone has their back turned.


Not to mention that these spy agencies will pass the information to each other no problem, as long as the price is right. Maybe that's what this is, though: a tell that (perhaps due to recent developments in the US intelligence sphere) China has raised its prices.


If this is not a reason for government backed Open Source hardware I don't know what is. If you know the hardware design you can check it.

And I am willing to bet there is a way to take a circuit "fingerprint".


They are only paranoid because they know they have introduced backdoors into products their countries produce. Do you really think the US/UK/AUS have not introduced something into a Cisco product or some other hardware manufacturer in their respective country?

Just look at what has come to light with the PRISM program. They already have access to the major software companies; what makes people think they haven't done some secret FISA order to Dell/Cisco/HP/Apple etc.?

edit: typo


Banning Lenovo's PCs seems somewhat unreasonable, given that they are made mostly from parts you can buy on Newegg that are not suspicious, running Windows.

The actual risk is in infrastructure, stuff like Huawei routers or telephone backends, most of which today are a fully functional computer on their own, with generally no access for the end consumer.


Windows is a bigger problem, especially when they admitted to handing zero days over to the TLAs (three letter agencies) before patching.


> The alleged presence of these hardware “back doors” remains highly classified.

Why wouldn't they want to warn citizens and businesses about this?


I would guess that in the game of spy vs. spy, you never show your hand. If I declare that a chip has a backdoor, then the enemy knows, and won't use it. New chips and doors will be created. But if I sit on it, then the bad guys may try something, and you can intercept it, or defend against it, or even exploit it yourself.


Bingo. As Mortal Kombat 3 said (for some reason), "There is no Knowledge, which is not Power".


...or allow them to exfiltrate planted information.


This could be an intentional "leak" to do just that.


The only sane way to reduce the risk of back doors is to have a proper open architecture for at least the basic motherboard functionality, and then fully utilize the IOMMU to limit what the devices can do.

... hahahaha, yeah right.


Believe it or not, I recently got a new Lenovo laptop with the intention of IOMMU-ing it as much as I can internally.

I haven't let it talk to a network or much USB yet, so I'm hoping it's still secure.


Very interesting actually. I would enjoy reading about how well you manage to pull that off; it seemed to me that support for IOMMU is still broken in both software and firmware, but I very well might be wrong.


OK, I'll try to document my journey. It'll be at extendedsubset.com, which is down right now, but I'll bring it back in the next few days.
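The two comments above, the proposal to "fully utilize the IOMMU" and the doubt that IOMMU support actually works on a given laptop, both come down to the same check: does the kernel expose isolation groups at all, and how are the devices partitioned into them? The kernel can only isolate whole groups, so a device that shares a group with others (typically because a PCIe root port lacks ACS) can still DMA into its group-mates' memory. The script below is an added example, not code from the thread or from any project it mentions; it reads a Linux-sysfs-style tree of `/sys/kernel/iommu_groups/<group>/devices/<bdf>` entries, flags shared groups, and reports when no groups exist. The sample tree it builds is constructed for the demo; on a real machine the call is `iommu_report /sys/kernel`.

```shell
#!/bin/sh
# Added example (not from the thread): enumerate IOMMU groups from a
# sysfs-style tree and flag groups holding more than one device.
# Assumed layout: <root>/iommu_groups/<group>/devices/<bdf>, as Linux exposes it.

# Print one line per group, tagging groups with more than one device.
# Returns 1 (and says so) when no groups exist, i.e. no IOMMU is active.
iommu_report() {
    groups_dir="${1:-/sys/kernel}/iommu_groups"
    found=0
    for g in "$groups_dir"/*; do
        [ -d "$g/devices" ] || continue
        found=1
        count=0
        devs=""
        for d in "$g"/devices/*; do
            [ -e "$d" ] || continue
            count=$((count + 1))
            devs="$devs $(basename "$d")"
        done
        n=$(basename "$g")
        if [ "$count" -gt 1 ]; then
            echo "group $n:$devs  [SHARED: $count devices cannot be isolated from each other]"
        else
            echo "group $n:$devs"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no IOMMU groups under $groups_dir: IOMMU off in firmware/kernel, or unsupported"
        return 1
    fi
    return 0
}

# Print the number of groups that contain more than one device.
iommu_shared_group_count() {
    groups_dir="${1:-/sys/kernel}/iommu_groups"
    shared=0
    for g in "$groups_dir"/*; do
        [ -d "$g/devices" ] || continue
        count=0
        for d in "$g"/devices/*; do
            [ -e "$d" ] && count=$((count + 1))
        done
        [ "$count" -gt 1 ] && shared=$((shared + 1))
    done
    echo "$shared"
}

# Constructed sample tree (not from a real machine): an integrated GPU alone in
# group 0, and a PCIe root port plus the NIC behind it sharing group 1, which is
# what a root port without ACS isolation typically produces.  Real sysfs uses
# symlinks here; plain directories are enough for the demo.
make_sample_tree() {
    mkdir -p "$1/iommu_groups/0/devices/0000:00:02.0"
    mkdir -p "$1/iommu_groups/1/devices/0000:00:1c.0"
    mkdir -p "$1/iommu_groups/1/devices/0000:02:00.0"
}

# Demo on the constructed tree.
demo=$(mktemp -d)
make_sample_tree "$demo"
iommu_report "$demo"
echo "shared groups: $(iommu_shared_group_count "$demo")"
rm -rf "$demo"
```

A machine where `iommu_report /sys/kernel` reports no groups has no usable IOMMU regardless of what the firmware menu claims; one where the network or Thunderbolt controller sits in a shared group cannot have that device confined on its own, which is the practical limit the second comment is worried about.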


Given that the rest of the planet is more worried about American spying, I wonder if Apple may want to rethink their "made in California" slogan.


Their slogan is to target jingoists who look at 'made in america' as something special.

The slogan is "Designed by Apple in California." The new MacPro will be able to add 'Assembled in the US' if they wish, and I expect that they will.

It's still all made in China, but flag wavers get to ignore that. Apple is not the only company that does this.


I also suspect that "Designed by Apple in California" puts their name between two words that have positive associations around the world. (I'm assuming here that "California" is held in higher regard than "America" or "United States".)


OK, so Lenovo is not being bought.

What is? Anyone got any information?

Most UK govt/corporate types I see have ThinkPads and a Civil Service Blackberry but they are not covert.


Considering the pressure the US is applying to gain access to people's data, I think I am equally critical of anything from a US company.


So are these alleged hw backdoors low-level enough that the OS doesn't matter?
