back to article The record shows I took the blows, and did it... Huawei: IT titan will start tackling GCHQ security gripes from June

Stinging from British criticism over its snail's pace, Huawei has promised to start addressing complaints about its products' security, raised Blighty's spy agency, GCHQ, by June. The news comes after GCHQ's National Cyber Security Centre (NCSC) offshoot slammed the Chinese networking equipment maker on Wednesday over the …

  1. BeachBoy

    No Backdoor just an open front door

    Looks like the problem is not that Huawei have actually installed back doors into their devices, its just that the security as implemented is so full of holes that it would be easy to "hack" a device at a later time and install something naughty. Which is probably what the Imperial Kingdom (and all other agencies with letters for names) have actually been up to.

    1. This post has been deleted by its author

    2. BillG
      FAIL

      Re: No Backdoor just an open front door

      But that's how you do it. A company that wants to hack its own kit wouldn't design in a traditional back door, because if its found it's intent is obvious.

      Instead a company like Huawei designs in security holes they themselves can use at a later date (the phrase is "accidentally on purpose") so if caught they can plead "Oops" as a defense instead of "Ah shit, you caught us!". This gives them plausible deniability.

      For example, whenever Google is caught stealing user data, including harvesting body parts, they like to shout "we collect that data and your kidneys to enhance the user experience".

      1. SNAFUology

        Re: No Backdoor just an open front door

        Well yeah, just "Know thy self" very well, and where to jump into if you need to - if they had to share their secrets it might persuade them not to make it fallible.

    3. Yes Me Silver badge

      Re: No Backdoor just an open front door

      Looks like they're just like every other company when they first get outed for unsolved security issues. Nothing to see here, please move on.

  2. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Re: 5G gaffer

      "you do 'exactly' as the gaffer says"

      Unlike Chelsea.

  3. Will Godfrey Silver badge
    Facepalm

    Better

    It seems clearly pointing out problems gets a more cooperative response - Who knew?

    1. Anonymous Coward
      Anonymous Coward

      Re: Better

      Problems have been pointed out for nigh on 10 years now, in perfectly polite and non-politicised fashion. I think NCSC (as they’re now called) have just got fed up with the lack of progress.

      It’s a little bit (and I do mean a little) like MS. Remember not so long ago MS secure coding was an utter car crash? Then they went out of their way to significantly improve security. We got Vista and everything after which (security-wise) is leaps and bounds ahead of XP et al.

      Huawei have yet to make that decision. I honestly think they want to produce more secure gear. They’ve thrown enough money at the problem! The issue appears to be a breakdown somewhere between the top and the coal face (I.e. the programmers). I have no idea why, but the message isn’t getting through/being enforced.

      I can only guess it’s a time scale thing. The priority is new code. Until that changes, rewriting millions upon millions of lines of code ain’t gonna happen, which means the same old shit popping up time and again.

      I don’t think Huawei know how to write properly secure code to be honest, and I don’t think they truly prioritise it. I want to be fit and strong. But do I actively go to the gym?... Same issue with H. It’s one thing to want something, it’s another to put yourself out and do something about it.

  4. Spanners Silver badge
    Black Helicopters

    I'm still more worried by the USA

    There is much more evidence that various criminal groups from the USA (NSA, CIA and so on) have hacked us and other European countries than there is showing Huawei doing so. Between revelations from Edward Snowden and hearing how the people listening to Mrs Merkel's phone were not from the land of Vlad the Invader but rather from what used to be called the Land of the Free.

    It is more worrying that Judges from the US feel they already have authority over me here than that someone from China feels they should.

    1. 33rpm

      Re: I'm still more worried by the USA

      The US companies fall all over themselves installing backdoors just to get the lucrative US gov contracts.

      1. Yet Another Anonymous coward Silver badge

        Re: I'm still more worried by the USA

        While it is now the law that Australian companies install backdoors - looks like Oz companies will be on a banned list by everyone else.

      2. devTrail

        Re: I'm still more worried by the USA

        The US companies fall all over themselves installing backdoors just to get the lucrative US gov contracts

        You're turning a blind eye to the interests they have in Europe. May I remind you about the advance tax ruling in the Netherlands that helped Starbucks avoid a lot of taxes on profits? May I remind you that Apple has a fund in Ireland managing over $120 bn accumulated in many years of friendly advance tax rulings?

    2. K
      Big Brother

      Re: I'm still more worried by the USA

      @Spanners - Agreed. I'm of the opinion, I'd rather have a chinese spy in my pocket, for 2 reasons, its cheaper (even if subsidised by the PLA) and I see less personal risk/chance of spying on me, than our "allies" (Who don't even have the common decency to offer a comparable discount for the privilege)

      Also, with the recent pressure applied by the US administration and absolutely no proof to backup their claims, I can only conclude that they are just using absurd accusations simply to damage Huawei, and personally, I suspect this is more to do with, they can't offer comparable technology (yet) and they're scared chinese manufacturers will corner the 5G market before they can.

      So basically, the current leader of the free-world, free-markets and chief promoter of capitalism is lying, threatening and actively throwing a tantrum as they are being beaten at their own game.

      Big brother, because western intelligence seems to operate under the principle its "Better to ask for forgiveness than seek permission" ->

  5. alain williams Silver badge

    And what about the rest of them ...

    the other soft/hard ware vendors that have security problems, some mandated by government, eg:

    * Microsoft telemetry that sends who-knows-what back to the USA

    * Cisco kit with backdoors installed by the NSA

    * Spyware from the CIA mandated by the Patriot Act

    * Spyware from GCHQ under the Investigatory Powers bill

    * Australia: The Assistance and Access Bill 2018

    and more

  6. amanfromMars 1 Silver badge

    Available for AI Systems from urVirtual App Store

    .... for Colossal Series Virtual Machine Evolution into SMARTR Being

    Huawei has made repeated public references to spending $2bn on a variety of issues, including cyber security.

    Cyber Security .....for the Protection and Provision of Almighty Assets ... Dispensing Heavenly Bounty with Just Worthy Rewards to Prove and Improve Prime Premium Product/Programs/Pogroms/Greater IntelAIgent Games.

    You gotta be sure Huawei are mightily invested in that Great Game Changer. Is it in Huawei DNA.

    You have to admit, Cyber Security is a whole new head game, with bubbles aplenty to prick and systems to burst with novel information and intelligent flows of Innocent Prose and Proprietary Intellectual Property..... Core Virgin Source Supply to Present Future Processing AIMachinery.

    Host and Post Fantastic Pictures of Fabulous Tales and One Instantaneously Creates Immensely Brave New Worlds to Order, for Order and for the Clusters of Deep Cloistered Orders in Currents of Disorder and Disarray/Self Destruction and Decay should that be the Holy See to Review and Revise.

    Is that what Huawei stuff does? Connects one to all the right networks without fear of being discovered as anything less that a true broker and eternal friend?

    Excuse me, but what's not to like?

  7. devTrail

    Huawei has promised to start addressing GCHQ security fears

    Huawei has promised to start addressing security fears from the country's spy agency, GCHQ, by June

    We are jumping out of the frying pan into the fire.

    1. Yes Me Silver badge

      Re: Huawei has promised to start addressing GCHQ security fears

      If I understood which frying pan and which fire you meant, I might not have downvoted you.

      If you mean that Huawei have security gaps like any other vendor, then it seems reasonable to choose the cheapest frying pan when there's a choice. If you understand what I mean.

  8. devTrail

    German attitude

    The European Union has been largely indifferent to Western concerns over Huawei, with Germany in particular

    It seems that frau Merkel memory is short lived. I hope that at least her security experts after this news will rush to take over her phone.

  9. Anonymous Coward
    Trollface

    Just change the name

    Easy fix, just rename the company Xzoghxay, pronounced 'TingTong OK!", and all will be well.

    1. Cliff Thorburn

      Re: Just change the name

      Or ‘Uoiofyuodyioyo’ as seems to be the trend at the moment (*domain name pending)

      https://apple.news/AJzTktflAT8quqB0j0lu5GA

      Seems East v West which is best still seems to be the order of the day, with poor old Blighty caught in a seemingly rock and hardplace almighty conundrum.

      Wouldn’t the world be such a nicer place without such game thoery/zero sum games, where we all lived in a Star Trekesque New World order?, without panopticon punts and pointless tasks?

      1. rcw88

        Re: Just change the name

        I think it would - the days of cutting off your enemy's head are over.

        Unless you live in a totalitarian state.

        It is all a question of trust, and on a simple level, you wouldn't put the keys to the safe in the hands of an organisation physically located and ultimately controlled by governments who's response to demands for freedom is to put dissenters in salt mines or run over them with tanks.

        Equally I wouldn't run chunks of critical national infrastructure with systems originating from the same places.

  10. Anonymous Coward
    Anonymous Coward

    "Wouldn’t the world be such a nicer place without such game thoery/zero sum games, where we all lived in a Star Trekesque New World order?, without panopticon punts and pointless tasks?"

    Agreed but the trillion dollar question is, will what you describe ever happen realistically. The answer is very simple, NO, not ever will this come to pass. You know those who do the work no matter where you go is around 20% of the people involved. If the system we are trying to push these days about equality (communism) never last because there are large swaths of people who do nothing (somewhere between 30 to 40%) and about the same numbers for the group that seem quite happy being modern day indentured slaves and the last chunk minus 2 to 5% that do about 80% of the work and get screwed by the last tiny bit that owns everything and do very little for that wealth.

    This actual outcome of what ever beliefs we have today will never allow for a startrek type world to ever exist... check out any primary/high school anywhere in the world it is a microcosm of what adulthood is in most place in the world. Lets just be honest, racism, hatred, unfairness, greed, and what ever else that is negative will never and I mean NEVER! go away. That said lets start making laws around this fact and no longer have any law that uses "good faith" to enforce behaviour. Corporations are designed to be predatory by nature, they are behaving as they are designed to... ruthless and without conscience with a sole goal of perpetually increase stock value. Understanding this we should implement laws that take into account these behaviours and have punitive outcomes that actually punish these companies. And the excuse that "oh but the employee's will be impacted" excuse to coerce governments to yield should serve as a lesson to not work for companies that take too questionable risks and out right predatory choices.

    The world is not capitalist we are an oligarchy, in true capitalism the consumer almost always wins. I personally believe we should have true capitalism with a dash of socialism... not too much though (as a Canadian) because there can be massive waist and fraud otherwise. People are always trying to have an unfair advantage over others, this is how it has ALWAYS BEEN and will ALWAYS BE.

    1. Cliff Thorburn

      Where do we go from here ....

      I was once asked.

    2. amanfromMars 1 Silver badge

      Oh Ye of Zero Faith ....... You haven't been paying attention, have you? Things have changed.

      "Wouldn’t the world be such a nicer place without such game thoery/zero sum games, where we all lived in a Star Trekesque New World order?, without panopticon punts and pointless tasks?"

      Agreed but the trillion dollar question is, will what you describe ever happen realistically. The answer is very simple, NO, not ever will this come to pass. .... Anonymous Coward

      Crikey/FFS AC. What parts of Available for AI Systems from urVirtual App Store do you not understand to freely believe such has indeed come to pass and moved on considerably?

      Would you agree a trillion dollars is cheap to pay for ...... well, such would be easily rightly classified .... Immaculate Provision, surely ?

  11. Anonymous Coward
    Anonymous Coward

    Using old PCs

    May not be as stupid as it sounds. Rebuild it from a pressed disk with a standalone vetted and tested update pack on locked media then image it

    onto a disk and lock it with a boot checksum once everything works correctly using the clock freeze mod to ensure that traps based on hitting a target

    date can't run.

    I have yet to see *any* malware that can defeat a mechanical switch and you can still buy 256MB SD cards which can be configured to boot

    a reliable OS such as DSL or some variant of Ubuntu as a backup.

    Incidentally watch out for the well known method of attacking a machine using the programmable chips in LCD panels and RAM, also network ID chip and

    CPU microcode both in the motherboard controller and actual processor, also the USB ports can be configured with autorun turned off by default.

    Mitigation: use chips known to be locked at the factory and read them using a few lines of debug code just to be sure.

  12. Anonymous Coward
    Anonymous Coward

    Quote: "Other countries in the Five Eyes espionage alliance have taken much stronger action in their private as well as public sectors."

    So the backdoors are in place -- Bruce (Australia), Jeremy (UK) and some Chinese bureaucrat (courtesy of Huawei) all have their own way of reading traffic.

    But what if the bad guys have already used THEIR OWN CIPHER before they send the message? This writer, an amateur programmer, has implemented a simple book cipher in 1200 lines of code. Encipher/decipher takes a few seconds for a short message. Why are the great and the good worrying about the Chinese.....what all these backdoors will see is something like the below. Let's see how weak this "amateur" cipher is:

    0xq21TBt0V8p0Xj$13OC0Ny30caD0MgI0cHB0V6Q

    0kxz0P5U1qF41FIs1fvC1A6$1qh61qIt0rll0Tb8

    0AvJ1Kk31RPB1V6S0GPS0TH10D7o0VzT1OVs0Btw

    1feX1L670rvO1YmV0KOq1dWf0IeZ0gXb08v$09I3

    19UQ0qE71eaD13wC1XfU0xKe0Ns208ne1AOA17qM

    1ml00cQ9033F064R1mrV0zJh0Fbt0mYX18n31VWT

    0q5M0lE11EIq0fRR0spr0wSL1JvR0iyA0euv13um

    0E1=0JtB18jL02o60G$W0G=s0zBP0uxw1I=T0rNY

    10LM0KhR198B018$1XEj0cfa0ip11IaS0ufn0cbb

    0dUP0Vyj10p30ItA1d4U0v860LDf1jrt1kG81T0N

    0GQ$010b0RPA0zde0uGr1BmI0lxY1UMA1Ys70362

    0rYK1fEb1i9$0JYX184N0t1i0ak60kFk031h1Tbl

    0TRT1Nyt01WK0FnU12K11q4m0TAl04QA1U651CBS

    0qJd16Er1JV312ty03km1RVn

    -- Good luck!

    1. Anonymous Coward
      Anonymous Coward

      1200 lines of code? A simple implementation of RC4 can be done in less than 20. Now I’m not claiming RC4 is the strongest crypt in the world but at least it wouldn’t result in every 4th character being either 0 or 1.

      1. Anonymous Coward
        Anonymous Coward

        1200 lines of code versus 20 lines of code

        @Anonymous_Coward

        Couple of points....

        1. Maybe the zeros and ones are pointers to a book cipher and a list of numbers (c.f. Beale papers)?

        2. The 20 lines of RC4 code presumably call some library code (which you didn't write). Are you sure the library code is secure?

  13. Anonymous Coward
    Anonymous Coward

    What's the deal

    I thought the deal was that GB would plant the backdoors and share the results with Huawei. That's why the Americans are getting so ratty.

  14. spold Silver badge

    Man for the job?

    Well Huawei's global CISO was formerly the CISO for the UK government so they would appear to have the appropriate skills...

  15. Charlie van Becelaere
    Megaphone

    I'm not seeing the problem here

    Ding also said he thought "a 5G market without Huawei is just like the English Premier League without Manchester United".

    EPL sans Man U? Sign me up!

    #COYS

  16. Tail Up

    23 февраля!

    Hope it's OK to congratulate the respected audiency.

    Happy day of Defender of Fatherland, comrades/everyone contracted/drafted/once been to military service.

    С Днем защитника Отечества, товарищи!

  17. Primus Secundus Tertius

    What does Russia do?

    Do the Russians buy Huawei kit?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like