So unsafe
If they give the green light, we can be sure that it is UNSAFE, at least from UK spooks.
A board put together to double-check the work of a British government team set up to investigate Huawei has given the Chinese giant a clean bill of health. The Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board was established in early 2014 on the recommendation of the UK National Security Adviser. The board is …
Huawei kit is blacklisted by US spooks based on the NSA's ability to either intercept or force disclosure of critical vulnerabilities that are reported to Cisco about Cisco's kit. At least one yet-to-be-patched vulnerability gives spooks backdoor access to typically all kit of that supplier. US spooks assume that the Chinese Gov't has either a similar intercept or forced disclosure agreement in place with Huawei (or that they will develop this in the near future).
Therefore all Huawei kit has to be considered insecure. (Same for Cisco etc., just a different adversary.)
The UK government have basically done a "what are your processes for patch implementation" which of course passed. The US Govt can't warn the UK Govt about this "type" of risk because that would mean disclosing that they have the same capabilities over kit made by US suppliers.
The UK govt can't say it's insecure without the public demanding that Chinese-made kit is all ripped out of every govt/police/school/hospital, which might cost a few quid - and be followed by a Chinese ban on Downton Abbey tea-towels or whatever it is we export to China.
What I would really like to get my hands on is a network switch with firmware I can examine. I have everything else, but I need a smart switch so I can enable/disable ports on remote.
I'd be obliged if anyone can point me at a supplier who uses firmware that can be evaluated.
"I have everything else,"
Really? I bet you don't have access to the firmware on your hard discs. Are you really using a free and open BIOS? I assume you are running Linux or a BSD and presumably you have compiled it yourself from scratch, via a trusted compiler. Note that even using Gentoo is considered cheating here.
Unless all you have is a switch with nothing connected to it, then I don't believe you. On the other hand if you do have anything more complex than a toothpick plugged into it, you have more to worry about than your switch's firmware.
"Really? I bet you don't have access to the firmware on your hard discs. Are you really using a free and open BIOS? I assume you are running Linux or a BSD and presumably you have compiled it yourself from scratch, via a trusted compiler."
Sigh. OK, let me complete that sentence then: "I have everything else to a level that I consider an acceptable risk" - and by that I mean kit with firmware that I have the sources to, and the hardware designs. The reason for that is simple: it's mine.
I still don't have an in-depth view of what goes on inside the actual CPU, and disk firmware is a black box, but I know what's in my BIOS. I also know from the very early Internet firewalling days just what a ruddy pain in the rear it is to write something that must access information several layers higher up the stack, because it becomes a painful game of variables - I'm not so worried there.
But I still need a switch I can trust, or at least take apart to a level that I can trust it to do what I want and nothing more.
Now can we have the same rigour applied to Cisco, Juniper et al? Or should they be considered as automatically above board because they are not Chinese?
Given the attitude we see from the FBI, the NSA and all the kids singing that same tune (yes, Cameron, it's you I'm talking about) it seems anything American is best not considered trustworthy. But that is by now no longer news, is it?
Which is simply a poor stunt, because dealing with dead-drops is what the spooks do best. And they'd have people embedded all the way from sales to despatch anyhow.
However, when a government ***owns*** part of a company, you have to consider the attack vectors and decide accordingly. Buying cheap kit means more than getting poor software, third-party professionalism and potential compromises in security - it can mean poor hardware construction, testing and an ability to catch design flaws before they impact the customer.
Not that Cisco are the alternative - I'm just saying that a great deal of suppliers are barely doing half the job they should...
Living next door to the world's workshop - China - is exciting ... and money saving.
ZTE and Huawei names adorn many pieces of equipment we have, both in our premises and in the wider world in Vietnam.
Now that the UK has rejected the admonitions of Obama and the US Government, surprise, surprise, hopefully Huawei will penetrate Europe and bring commensurate savings with it.
A hotel group my wife is a member of has recommended they standardise on Huawei and TP-Link equipment.
Good grief! Giving Huawei a clean bill of health is letting the fox in the henhouse. Heck, 37 years ago I was putting foolproof back doors into the RSTS timesharing system I had installed in my home and from which I ran my 1978 race for the U.S. Congress. The revelation that NSA put back doors into the firmware on US-manufactured disk controllers ought to be proof enough that any reasonably competent developer can create absolutely undetectable hooks. Somebody (probably multiple somebodies) on Her Majesty's Cyber Security team has been well and truly…bought.