Feeds

back to article The web needs globally backed, verifiable security standards – says Huawei

Chinese networking hardware behemoth Huawei has issued its second annual cybersecurity white paper and is calling for manufacturers around the world to set up testable security standards that will ensure everyone's reading from the same hymn sheet. "The biggest hurdle is that the technology industry doesn't want mandatory global …

COMMENTS

This topic is closed for new posts.
Silver badge
Thumb Up

Verifyable and open standards

Ideally, royalty free ones too, so that all manufacturers have little excuse to adopt the standard, but I guess "FRAND" is a compromise.

Right now it's hard to know what to use, at best what we have now is security through obscurity.

3
0
Silver badge

Re: Verifyable and open standards

I think that all the mathematics that underpins encryption is public domain knowledge. So, if anyone tries to claim IP rights on a particular implementation then everyone else can easily develop a different implementation with the same end result.

2
1
Silver badge

Please understand patents

In theory mathematics is not patentable. In practice anything can be patented. Software is mathematics, so it is not patentable. There is an explicit exemption that makes software unpatentable in the EU. To get a patent on software in the EU, you call it a 'computer implemented invention'. The RSA algorithm for public key cryptography is covered by (expired) U.S. Patent 4,405,829. The disaster with patents is that an infinite number of code monkeys can come up with an infinite number implementations without ever reading any patents, but they can still all be sued for infringement - even if they all have licenses for the litigated expired invalid patents.

The thing is, we have had the basic requirements for security well publicised for decades:

Freedom 0: The freedom to run the program for any purpose.

Freedom 1: The freedom to study how the program works, and change it to make it do what you wish.

Freedom 2: The freedom to redistribute copies so you can help your neighbor.

Freedom 3: The freedom to improve the program, and release your improvements (and modified versions in general) to the public, so that the whole community benefits.

You need all of these to give people the power and incentive to find and fix bugs efficiently, and to distribute the results. Without the source code, and the rights and tools to use it, you can find a thousand exploits, but still have to pay lock-in prices to the supplier to get anything fixed. On top of that, you have to put up with whatever addition features the supplier chooses to include with security updates.

6
0
Silver badge

Re: Verifyable and open standards

I think that all the mathematics that underpins encryption is public domain knowledge.

Agreed … it's how that knowledge is applied that makes things potentially proprietary, and is also a big factor of how to make or break a security implementation.

4096-bit RSA encryption is pretty much useless if you decide to share the private key instead. If the "standard" is a closed proprietary system, you may never know that the very expensive VPN solution, recommended and configured by Highly Paid Consultants uses ultra-secure triple ROT26 encryption to transfer confidential authentication data over public networks.

If it's an open standard, e.g. IPSec, we can scruitanise it for such flaws … then it's down to individual implementations, and being an open standard, we can choose the one we trust and suits our needs, rather than being shackled to any one supplier.

4
0
Silver badge
Holmes

Re: Verifyable and open standards

Yeah, wouldn't it be great if we had a list of verifiable and open standards for the internet.

1
2
Silver badge

Re: Verifyable and open standards

Yeah, wouldn't it be great if we had a list of verifiable and open standards for the internet.

Yep, my point being, the companies need to implement those, rather than trying to re-invent their own oddly-shaped wheels.

Sure, many recently (myself included) discovered someone had indeed re-invented a bicycle using odd-shaped wheels. But even the inventor himself noted it was harder to ride. Hence why most go the dull, boring but ultimately very practical, circular shape that we see everywhere, rather than triangles and pentagons with slightly rounded corners.

SMTP may not be perfect, but the fact anyone can implement it means it has become the standard for email traffic over other systems. Things like VPNs need to follow suit.

1
0
Bronze badge

Re: Verifyable and open standards @Steve Knox

Down voted as whilst RFC's are open to all, the quality of their actual content, from a protocol implementation viewpoint, can leave much to be desired. Although I accept that their quality has improved since the 80's (and some are as good as the old ISO OSI service definitions and protocol specifications). But then very few people actually use the RFC's to implement from scratch, as it is much easier to obtain off-the-shelf source code that has proven interworking.

0
2
Bronze badge

Re: Verifyable and open standards

Ideally, we need a one-stop shop for the pool of standards and IPR necessary to create an interoperable solution and an open pricing policy for using all the IPR - probably something along the lines of the Sewing Machine Combination (pool administration) and the WiFi Alliance (technical governance). FRAND is a compromise which worked well between 'club members' but who's inadequacies have been brought to the fore by recent court battles concerning smartphones.

0
0

Re: Verifyable and open standards @Steve Knox

I'm going to call bullshit on both of those statements as I have implemented directly from RFCs perfectly easily before and know many others who have; and generally the "off-the-shelf" source code is targeted towards the app it was written for rather than being a generic library, and in the case where it is a generic library it's often too generic for the purpose or usues the wrong paradigm (e.g. push rather than pull).

1
0
Silver badge
Black Helicopters

Unfortunately, there's nobody to trust right now

Encryption standards do need to be thoroughly tested by independent, credible non-governmental organizations. If found wanting, they need to be redone by a credible non-governmental process. I wouldn't trust Huawei to fit in that process.

2
1

Re: Unfortunately, there's nobody to trust right now

Of course, even if the standards are "thoroughly tested", that doesn't mean that governments won't be able to invest billions of dollars into finding vulnerabilities in the code that they keep secret to themselves, perhaps found through the assistance of quantum supercomputers or other technology that the non-governmental organizations won't have access to, or might not even know exists. And who is to say that these organizations aren't secretly working with one government or another? And even if the encryption standards are seemingly "secure", what if the hardware manufacturers are doing things within their chipsets to purposely circumvent or weaken the encryption in a particular way?

0
0
Anonymous Coward

And you were expecting him to say something else ?

'...flatly denied that his employers give any data to the Chinese government and their agencies.'

A statement well worth the paper it is written on...

2
0
Silver badge

Re: And you were expecting him to say something else ?

On the other hand you probably can trust that they didn't give any to the NSA!

1
0
Silver badge

A global security standard would just be a race for the country who inserted most holes and backdoors to win.

Unless it's open source and everybody is allowed to check the input from everybody else then the one thing a Global Security Standard wouldn't be is secure.

3
1

There's is no 'global' authority

I've said this many times in regards to security, wars, laws, etc. There simply is no higher enforcement authority than at the Nation level, period. At *best* there are agreements between nations, but there's no higher authority (besides your make-believe man in the sky type, of course).

2
0
Anonymous Coward

Re: There's is no 'global' authority

What about 'The West', 'The International Community' and The Vatican ?

0
0
Bronze badge
Joke

Re: There's is no 'global' authority

what about the fantasy known as the UN ?

Also lots of international organisations such as ITU, IEEE, IETF etc. Lets be really ahead of the ball here. How about standards for spooks, so the quality of snooping and selfserving justification b*sh* can be assessed ? Now that might be security. As well as another source of entertainment.

1
1
Silver badge
Thumb Down

Read the fine print

If you read the whitepaper, his major beef is that "the problem with standards is that they are not standard." He then follows this with no real examples.

This is the same exact BS that Microsoft put forth to explain their butchering of HTML and CSS in IE4-6. Even when it was proved logically, semantically, and grammatically that their implementation was non-compliant with the specifications as written, they maintained that it was "open to interpretation".

The fact is that we have plenty of good standards. We have a few that are okay but have some potential for misinterpretation due to how they are written. But the vast majority of issues with standards is how they are read by the people responsible for implementing them. That's not something you fix by changing standards (or by changing the standard). That's something you fix by changing the people.

4
0
Silver badge

Re: Read the fine print

And if you learn you basically can't change the people because the standard's too high a stake for human nature (and the inherent desire to control) to leave unaltered?

It's like when someone suddenly invents the Next Big Thing and suddenly realizes that it's SO valuable that people will KILL for it, meaning no one can be trusted to do things for the greater good.

1
0
Gold badge
Unhappy

*Ultimate* security needs open source standard x open source implementation.

So you can trace the flow from the idea to the software that carries it out.

For the full "tin foil hat experience" you will need to avoid the banally obvious hole of a compromised compiler, so yes you will need to verify your compiler, which you will have personally boot strapped from a copy of the source code by directly keying the bits into the file (can't be sure the assembler has been compromised, can we?)

For the rest of us the first 2 items and free communications between testers should suffice.

But remember 2 things. 1) Mono cultures are susceptible to single (but complex) attacks, hitting everyone at the same time. 2)Patching, proper staff training, limiting what parts of your stuff are visible to the global internet and requiring your apps suppliers not need to run with root privileges for basically trivial tasks will (probably) end most of the security issues of most companies and institutions.

But that's too much like work for too many PHB's

1
0
Anonymous Coward

Unfortunately...

As far as human trust goes, while most of us barely trust our own governments, but I'm sure I'd speak for most when I say we sure as hell won't trust governments of foreign nations.

Thus when it comes to encryption security standards, the only real person you can trust is yourself and your specific target audience - that's been the way since ancient times - no different now.

The irony here is Huawei, or rather the Chinese idea of security is different from the west, heck the idea of security is different for every country in the west, but I won't go into detail here.

Bottomline is some people are way too naive to think there can be a global standard when it comes to security. Perhaps one day if the whole world was ruled by the PRC's communist party or some other bunch of slavers ideological power hungry manipulative maniacs. But then I'd be too worried about the lack of representation 'cause everyone's forced to become domesticated sheeps.

I'd say put this bug down as "won't fix", not until we drop the idea of national borders at least.

2
1
Silver badge

Utterly ridiculous

> Suffolk --- flatly denied that his employers give any data to the Chinese government

Seriously, give me a fucking break. China's security service runs Baidu and Renren, and half the board of Huawei have ties to the military and secret service. It's the purest fantasy that Huawei doesn't give everything it has to the Chinese secret service.

1
4
Bronze badge

Re: Utterly ridiculous

The question is are you referring the Huawei (China) or Huawei (UK).

Whilst we may assume that Huawei (China) has been implementing backdoors for the Chinese secret service. Huawei (UK) has a slight problem, as it can made to reveal any backdoors in it's products, plus would NSA/GCHQ request Huawei (UK) to implement backdoors in the full knowledge that Huawei (UK) and Huawei (China) share source code etc.

0
1

Wow!

Company slagged off by own-citizen-snooping governments appears to be taking the sort of lead once expected of the 'free world'.

Don't times change.

1
1
Silver badge

Hahaha

>taking the sort of lead once expected of the 'free world'

What, you mean outright lying? Because that's what Huawei is doing here.

1
2

Re: Hahaha

What, you mean outright lying? Because that's what Huawei is doing here.

[citation needed]

0
1

All animals are equal, but some animals are more equal than others

"As far as human trust goes, while most of us barely trust our own governments, but I'm sure I'd speak for most when I say we sure as hell won't trust governments of foreign nations."

Upvoted you.

But, I don't confine my mistrust to foreign governments any more.

I've been pushed increasingly towards the observation that, regardless of political or nationalistic flavour, most politicians, leaders, etc., have much more in common with each other than they do with the citizens they purportedly 'lead' (*) or 'serve' (*). Some might be self-serving from the start, others might start with good intent, but by the time they're on the 'ascendency' (*) most think themselves into believing that serving their own career ends above everything else is moral, ethical, desirable, best for everyone. And that any citizen who thinks otherwise is at best misguided and at worst a dangerous enemy of the state.

That's why my trust evaporated along with the faux differences between regime, party, etc.

(*) These words apostrophised to distance myself from politicians' understanding of them.

5
0
Silver badge
Facepalm

The world needs....

...people to actually install and UPDATE their A/V.

That would fix most of the damn problems right there.

1
0
ST7

Huawie, GCHQ, BT21CN and the NSA

When the contract to manufacture 21CN hardware for BT was given to the Chinese, Huawie didn't know (or care) what backdoors were hardwired in, they had a spec and a price.

Later, BT discovered that the Chinese Gov had hacked Martlesham after 21CN had been running for some time, this meant that Chin.gov had the same access to the packet data that UK.gov and US.gov had hardware access to.

Queue UK/US.gov outrage over Chin.gov spying.

The UK and US governments think it is ok that they should spy on the most intimate details of their own citizens and are willing to compromise the data collected by outsourcing the manufacture of the data gathering devices to the lowest bidder.

They frighten you into paying up because of the bogeyman of 'terrorism' yet will only buy kit on the basis of the biggest kickback.

GCHQ and the NSA are corruption incarnate (BT is just a whore), they have 'NEVER' prevented a terrorist outrage and yet they manage to burn through billions of dollars of taxpayers money keeping themselves in gold plated tax free jobs.

Perhaps we should just close them down and spend the money on reducing child mortality in the grim bits of the world.

5
0
Anonymous Coward

Re: Huawie, GCHQ, BT21CN and the NSA

"they have 'NEVER' prevented a terrorist outrage "

how would we know if they had?

0
0
Silver badge

Re: Huawie, GCHQ, BT21CN and the NSA

They would make damn sure everyone knows!

0
0
Gold badge

Standards

Standards to cover almost any situation exist -- IPSec for connection-oriented crypto, ssh, https, and so on, and network products tends to support any of them that are applicable. Before gov'ts butt in, perhaps best practices should be devleoped (or just an RFC) -- which of the numerous security standards are important to use here and now?

0
0
Anonymous Coward

Pot kettle john, pot kettle. Or is there a GOOD reason why Huawei incorporate a proprietory encryption schema between their element manager and network elements that they cannot release details on when pressed?

We know its because it will be pants, and its just a tool to hide how pants it is. The same goes for many many other vendors and their "proprietory" secret protocols and products.

0
0

Verifyable

Verifyable in NSA means breakable!

0
0
This topic is closed for new posts.