back to article Roses are red, so is ketchup, 'naked' Huawei tells its critics to belt up

Eric Xu, one of three rotating chairmen at Huawei, has said the company is "naked" before the British security services with whom it shares its most intimate secrets: its source code. "HCSEC has access to Huawei's source code, so they can easily tell whether those source codes are written in a way that's readable, easy to …

  1. Stevie Silver badge

    Bah!

    Ahem:

    Roses are red

    Hearts sometimes ripped

    Naked Huawei tells critics

    To keep their traps zipped.

    .

    .

    Gissajob.

    1. ArrZarr Silver badge
      Happy

      Re: Bah!

      Roses are Red

      Violets are Blue

      Huawei have said

      Our tech can woo.

  2. Scroticus Canis
    Big Brother

    "... improve our code readability and modifiability as well as the process of producing code ..."

    So they can slip their own 'special' code in? Hell yes! What spook doesn't want to be able to do that?

  3. Bitsminer

    Just like Windows?

    "It's like Windows software as well. The legacy code base keeps building up"

    So, Windows had 36 remote code exploits this month, which means of course they have lots of back doors. They just haven't found them all yet. When they need one you know that they will find one.

    Huawei is a risk. Just like Windows is a risk.

    1. Anonymous Coward
      Anonymous Coward

      Re: Just like Windows?

      Moreover, source code isn't everything. Unlike Microsoft, they also make the hardware... and while it could be easier to compare software with a reference implementation, how to you vet each and every device hardware?

      1. Jack of Shadows Silver badge

        Re: Just like Windows?

        Toss in a software update to flip on one of those hardware features and it's game on! All you know at the wot the day is what's documented.

  4. 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921

    A Windows XP source code release would likely destroy Windows 10 metastasis; multitudes of unofficial builds overnight, there will be - Huawei up the consequences...

  5. astounded1

    Backdoor, Frontdoor, Sidedoor, Petdoor, Roof vent, Sewer Line...

    So many holes. So many ways to turn them on. So long as the cyber spooks have access to the same spying as everyone else, the only losers are the civilians.

  6. Anonymous Coward
    Anonymous Coward

    If a company can't produce products at western wages and benefits it shouldn't be able to sell them in the western countries. Same for call centres, programming or anything else. How has the east gotten away with this for so long?

  7. DougS Silver badge

    Looking at the source code is nice and all

    I mean you can rule out the existence of functions called allow_spying_by_chinese_secret_police() but given that serious remote exploits can lurk in open source code for years in some cases, how the heck is providing the source code any guarantee? It would be easy to slip in some "bugs" modeled after bugs that have been seen in the wild, giving them plausible deniality in the unlikely event one were found - having several means there will always be a few undiscovered ones waiting for the government order to be received.

    1. Nick Kew Silver badge

      Re: Looking at the source code is nice and all

      Bugs can lurk.

      But would you try to slip something deliberate in to an open codebase where every commit goes out immediately to a bunch of active developers, as well as of course being on public display to security researchers and AI tools? That's an altogether different proposition!

      Compare the amount of (hostile) scrutiny Huawei is getting to any of its rivals, and tell us which is the safer bet?

      With (say) Cisco, you have all the same risks as Huawei, plus the additional risk that someone is smuggling in a backdoor (NSA made them an offer they can't refuse) invisible to anyone outside a small team within the company. That makes the hurdles to finding it thousands of times higher: you need a Snowden instead.

      1. DougS Silver badge

        Re: Looking at the source code is nice and all

        Huawei's code isn't open source, where did you get the idea that there will be "a lot of active developers" looking at each commit? They are making it available to a particular organization in the UK (and presumably other countries) but aren't going to be seeing every commit. They'll get one version, and then they'll get the next version, with potentially thousands of commits in between. Good luck seeing something they have deliberately hidden amongst huge haystacks of real code changes (and that's assuming the first version they deliver doesn't already include all the backdoors, carefully disguised as "oops, that's a bug")

        The odds of finding it may be slightly better than with Cisco, but the odds of the government being able to control whether Huawei plants something are 100%, while the odds of the US government being able to do with same with Cisco are less. Maybe you think they are high, or low, but they are nowhere near 100%.

  8. Anonymous Coward
    Anonymous Coward

    for me it's what they can't do !

    "please Mr Huawei in the interest of national security can you please provide us with a backdoor and promise not to use it yourself and not tell anyone otherwise we'll be very upset"

    vs

    "heh Mr Cisco/Nokia/etc - we need a backdoor,

    do as your told or we'll throw the 5-eyes rule book at you and eat you alive"

  9. Big_Boomer

    USA vs China

    Personally, I wouldn't trust either of these. The NSA seemed to have all kinds of backdoors and such if the recent release of their stuff is to be believed so I assume GCHQ are trying to catch up.

    Nah, I trust countries, companies, groups, associations and affiliates about as far as I can throw a main battle-tank. Individuals can sometimes be trusted but even then not always.

  10. Down not across Silver badge

    30 years

    "CSEC is saying, all right, your code base is not beautiful. You know, this is a code base that has been there for 30 years. And this is the characteristic of the communications industry.

    Really? The company was founded 1987 and in the early days was pretty much PBXs etc so I'd expect the router software codebase to be much younger than that.

  11. Spanners Silver badge
    Devil

    So the US is accused of using their spooks to help their megacorps?

    That must be the most unsurprising news of the year. US intelligence (sic) services have been used against British and European companies. Why should a Chinese one be exempt?

  12. tygrus.au

    Point of view

    Put simply "Government intelligence/military/law-enforcement agencies don't like bugs and security holes unless their the ones using them or adding them".

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019