back to article The web needs globally backed, verifiable security standards – says Huawei

Chinese networking hardware behemoth Huawei has issued its second annual cybersecurity white paper and is calling for manufacturers around the world to set up testable security standards that will ensure everyone's reading from the same hymn sheet. "The biggest hurdle is that the technology industry doesn't want mandatory …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Thumb Up

    Verifyable and open standards

    Ideally, royalty free ones too, so that all manufacturers have little excuse to adopt the standard, but I guess "FRAND" is a compromise.

    Right now it's hard to know what to use, at best what we have now is security through obscurity.

    1. frank ly

      Re: Verifyable and open standards

      I think that all the mathematics that underpins encryption is public domain knowledge. So, if anyone tries to claim IP rights on a particular implementation then everyone else can easily develop a different implementation with the same end result.

      1. Flocke Kroes Silver badge

        Please understand patents

        In theory mathematics is not patentable. In practice anything can be patented. Software is mathematics, so it is not patentable. There is an explicit exemption that makes software unpatentable in the EU. To get a patent on software in the EU, you call it a 'computer implemented invention'. The RSA algorithm for public key cryptography is covered by (expired) U.S. Patent 4,405,829. The disaster with patents is that an infinite number of code monkeys can come up with an infinite number implementations without ever reading any patents, but they can still all be sued for infringement - even if they all have licenses for the litigated expired invalid patents.

        The thing is, we have had the basic requirements for security well publicised for decades:

        Freedom 0: The freedom to run the program for any purpose.

        Freedom 1: The freedom to study how the program works, and change it to make it do what you wish.

        Freedom 2: The freedom to redistribute copies so you can help your neighbor.

        Freedom 3: The freedom to improve the program, and release your improvements (and modified versions in general) to the public, so that the whole community benefits.

        You need all of these to give people the power and incentive to find and fix bugs efficiently, and to distribute the results. Without the source code, and the rights and tools to use it, you can find a thousand exploits, but still have to pay lock-in prices to the supplier to get anything fixed. On top of that, you have to put up with whatever addition features the supplier chooses to include with security updates.

      2. Anonymous Coward
        Anonymous Coward

        Re: Verifyable and open standards

        I think that all the mathematics that underpins encryption is public domain knowledge.

        Agreed … it's how that knowledge is applied that makes things potentially proprietary, and is also a big factor of how to make or break a security implementation.

        4096-bit RSA encryption is pretty much useless if you decide to share the private key instead. If the "standard" is a closed proprietary system, you may never know that the very expensive VPN solution, recommended and configured by Highly Paid Consultants uses ultra-secure triple ROT26 encryption to transfer confidential authentication data over public networks.

        If it's an open standard, e.g. IPSec, we can scruitanise it for such flaws … then it's down to individual implementations, and being an open standard, we can choose the one we trust and suits our needs, rather than being shackled to any one supplier.

    2. Steve Knox
      Holmes

      Re: Verifyable and open standards

      Yeah, wouldn't it be great if we had a list of verifiable and open standards for the internet.

      1. Anonymous Coward
        Anonymous Coward

        Re: Verifyable and open standards

        Yeah, wouldn't it be great if we had a list of verifiable and open standards for the internet.

        Yep, my point being, the companies need to implement those, rather than trying to re-invent their own oddly-shaped wheels.

        Sure, many recently (myself included) discovered someone had indeed re-invented a bicycle using odd-shaped wheels. But even the inventor himself noted it was harder to ride. Hence why most go the dull, boring but ultimately very practical, circular shape that we see everywhere, rather than triangles and pentagons with slightly rounded corners.

        SMTP may not be perfect, but the fact anyone can implement it means it has become the standard for email traffic over other systems. Things like VPNs need to follow suit.

      2. Roland6 Silver badge

        Re: Verifyable and open standards @Steve Knox

        Down voted as whilst RFC's are open to all, the quality of their actual content, from a protocol implementation viewpoint, can leave much to be desired. Although I accept that their quality has improved since the 80's (and some are as good as the old ISO OSI service definitions and protocol specifications). But then very few people actually use the RFC's to implement from scratch, as it is much easier to obtain off-the-shelf source code that has proven interworking.

        1. grammarpolice

          Re: Verifyable and open standards @Steve Knox

          I'm going to call bullshit on both of those statements as I have implemented directly from RFCs perfectly easily before and know many others who have; and generally the "off-the-shelf" source code is targeted towards the app it was written for rather than being a generic library, and in the case where it is a generic library it's often too generic for the purpose or usues the wrong paradigm (e.g. push rather than pull).

    3. Roland6 Silver badge

      Re: Verifyable and open standards

      Ideally, we need a one-stop shop for the pool of standards and IPR necessary to create an interoperable solution and an open pricing policy for using all the IPR - probably something along the lines of the Sewing Machine Combination (pool administration) and the WiFi Alliance (technical governance). FRAND is a compromise which worked well between 'club members' but who's inadequacies have been brought to the fore by recent court battles concerning smartphones.

  2. Anonymous Coward
    Black Helicopters

    Unfortunately, there's nobody to trust right now

    Encryption standards do need to be thoroughly tested by independent, credible non-governmental organizations. If found wanting, they need to be redone by a credible non-governmental process. I wouldn't trust Huawei to fit in that process.

    1. Cryo

      Re: Unfortunately, there's nobody to trust right now

      Of course, even if the standards are "thoroughly tested", that doesn't mean that governments won't be able to invest billions of dollars into finding vulnerabilities in the code that they keep secret to themselves, perhaps found through the assistance of quantum supercomputers or other technology that the non-governmental organizations won't have access to, or might not even know exists. And who is to say that these organizations aren't secretly working with one government or another? And even if the encryption standards are seemingly "secure", what if the hardware manufacturers are doing things within their chipsets to purposely circumvent or weaken the encryption in a particular way?

  3. Anonymous Coward
    Anonymous Coward

    And you were expecting him to say something else ?

    '...flatly denied that his employers give any data to the Chinese government and their agencies.'

    A statement well worth the paper it is written on...

    1. Yet Another Anonymous coward Silver badge

      Re: And you were expecting him to say something else ?

      On the other hand you probably can trust that they didn't give any to the NSA!

  4. Anonymous Coward
    Anonymous Coward

    A global security standard would just be a race for the country who inserted most holes and backdoors to win.

    Unless it's open source and everybody is allowed to check the input from everybody else then the one thing a Global Security Standard wouldn't be is secure.

  5. Fill

    There's is no 'global' authority

    I've said this many times in regards to security, wars, laws, etc. There simply is no higher enforcement authority than at the Nation level, period. At *best* there are agreements between nations, but there's no higher authority (besides your make-believe man in the sky type, of course).

    1. Anonymous Coward
      Anonymous Coward

      Re: There's is no 'global' authority

      What about 'The West', 'The International Community' and The Vatican ?

      1. Denarius
        Joke

        Re: There's is no 'global' authority

        what about the fantasy known as the UN ?

        Also lots of international organisations such as ITU, IEEE, IETF etc. Lets be really ahead of the ball here. How about standards for spooks, so the quality of snooping and selfserving justification b*sh* can be assessed ? Now that might be security. As well as another source of entertainment.

  6. Steve Knox
    Thumb Down

    Read the fine print

    If you read the whitepaper, his major beef is that "the problem with standards is that they are not standard." He then follows this with no real examples.

    This is the same exact BS that Microsoft put forth to explain their butchering of HTML and CSS in IE4-6. Even when it was proved logically, semantically, and grammatically that their implementation was non-compliant with the specifications as written, they maintained that it was "open to interpretation".

    The fact is that we have plenty of good standards. We have a few that are okay but have some potential for misinterpretation due to how they are written. But the vast majority of issues with standards is how they are read by the people responsible for implementing them. That's not something you fix by changing standards (or by changing the standard). That's something you fix by changing the people.

    1. Charles 9

      Re: Read the fine print

      And if you learn you basically can't change the people because the standard's too high a stake for human nature (and the inherent desire to control) to leave unaltered?

      It's like when someone suddenly invents the Next Big Thing and suddenly realizes that it's SO valuable that people will KILL for it, meaning no one can be trusted to do things for the greater good.

  7. John Smith 19 Gold badge
    Unhappy

    *Ultimate* security needs open source standard x open source implementation.

    So you can trace the flow from the idea to the software that carries it out.

    For the full "tin foil hat experience" you will need to avoid the banally obvious hole of a compromised compiler, so yes you will need to verify your compiler, which you will have personally boot strapped from a copy of the source code by directly keying the bits into the file (can't be sure the assembler has been compromised, can we?)

    For the rest of us the first 2 items and free communications between testers should suffice.

    But remember 2 things. 1) Mono cultures are susceptible to single (but complex) attacks, hitting everyone at the same time. 2)Patching, proper staff training, limiting what parts of your stuff are visible to the global internet and requiring your apps suppliers not need to run with root privileges for basically trivial tasks will (probably) end most of the security issues of most companies and institutions.

    But that's too much like work for too many PHB's

  8. Anonymous Coward
    Anonymous Coward

    Unfortunately...

    As far as human trust goes, while most of us barely trust our own governments, but I'm sure I'd speak for most when I say we sure as hell won't trust governments of foreign nations.

    Thus when it comes to encryption security standards, the only real person you can trust is yourself and your specific target audience - that's been the way since ancient times - no different now.

    The irony here is Huawei, or rather the Chinese idea of security is different from the west, heck the idea of security is different for every country in the west, but I won't go into detail here.

    Bottomline is some people are way too naive to think there can be a global standard when it comes to security. Perhaps one day if the whole world was ruled by the PRC's communist party or some other bunch of slavers ideological power hungry manipulative maniacs. But then I'd be too worried about the lack of representation 'cause everyone's forced to become domesticated sheeps.

    I'd say put this bug down as "won't fix", not until we drop the idea of national borders at least.

  9. Vociferous

    Utterly ridiculous

    > Suffolk --- flatly denied that his employers give any data to the Chinese government

    Seriously, give me a fucking break. China's security service runs Baidu and Renren, and half the board of Huawei have ties to the military and secret service. It's the purest fantasy that Huawei doesn't give everything it has to the Chinese secret service.

    1. Roland6 Silver badge

      Re: Utterly ridiculous

      The question is are you referring the Huawei (China) or Huawei (UK).

      Whilst we may assume that Huawei (China) has been implementing backdoors for the Chinese secret service. Huawei (UK) has a slight problem, as it can made to reveal any backdoors in it's products, plus would NSA/GCHQ request Huawei (UK) to implement backdoors in the full knowledge that Huawei (UK) and Huawei (China) share source code etc.

  10. WhoaWhoa

    Wow!

    Company slagged off by own-citizen-snooping governments appears to be taking the sort of lead once expected of the 'free world'.

    Don't times change.

    1. Vociferous

      Hahaha

      >taking the sort of lead once expected of the 'free world'

      What, you mean outright lying? Because that's what Huawei is doing here.

      1. grammarpolice

        Re: Hahaha

        What, you mean outright lying? Because that's what Huawei is doing here.

        [citation needed]

  11. WhoaWhoa

    All animals are equal, but some animals are more equal than others

    "As far as human trust goes, while most of us barely trust our own governments, but I'm sure I'd speak for most when I say we sure as hell won't trust governments of foreign nations."

    Upvoted you.

    But, I don't confine my mistrust to foreign governments any more.

    I've been pushed increasingly towards the observation that, regardless of political or nationalistic flavour, most politicians, leaders, etc., have much more in common with each other than they do with the citizens they purportedly 'lead' (*) or 'serve' (*). Some might be self-serving from the start, others might start with good intent, but by the time they're on the 'ascendency' (*) most think themselves into believing that serving their own career ends above everything else is moral, ethical, desirable, best for everyone. And that any citizen who thinks otherwise is at best misguided and at worst a dangerous enemy of the state.

    That's why my trust evaporated along with the faux differences between regime, party, etc.

    (*) These words apostrophised to distance myself from politicians' understanding of them.

  12. ecofeco Silver badge
    Facepalm

    The world needs....

    ...people to actually install and UPDATE their A/V.

    That would fix most of the damn problems right there.

  13. Anonymous Coward
    Anonymous Coward

    Huawie, GCHQ, BT21CN and the NSA

    When the contract to manufacture 21CN hardware for BT was given to the Chinese, Huawie didn't know (or care) what backdoors were hardwired in, they had a spec and a price.

    Later, BT discovered that the Chinese Gov had hacked Martlesham after 21CN had been running for some time, this meant that Chin.gov had the same access to the packet data that UK.gov and US.gov had hardware access to.

    Queue UK/US.gov outrage over Chin.gov spying.

    The UK and US governments think it is ok that they should spy on the most intimate details of their own citizens and are willing to compromise the data collected by outsourcing the manufacture of the data gathering devices to the lowest bidder.

    They frighten you into paying up because of the bogeyman of 'terrorism' yet will only buy kit on the basis of the biggest kickback.

    GCHQ and the NSA are corruption incarnate (BT is just a whore), they have 'NEVER' prevented a terrorist outrage and yet they manage to burn through billions of dollars of taxpayers money keeping themselves in gold plated tax free jobs.

    Perhaps we should just close them down and spend the money on reducing child mortality in the grim bits of the world.

    1. Anonymous Coward
      Anonymous Coward

      Re: Huawie, GCHQ, BT21CN and the NSA

      "they have 'NEVER' prevented a terrorist outrage "

      how would we know if they had?

      1. Chris G

        Re: Huawie, GCHQ, BT21CN and the NSA

        They would make damn sure everyone knows!

  14. Henry Wertz 1 Gold badge

    Standards

    Standards to cover almost any situation exist -- IPSec for connection-oriented crypto, ssh, https, and so on, and network products tends to support any of them that are applicable. Before gov'ts butt in, perhaps best practices should be devleoped (or just an RFC) -- which of the numerous security standards are important to use here and now?

  15. Anonymous Coward
    Anonymous Coward

    Pot kettle john, pot kettle. Or is there a GOOD reason why Huawei incorporate a proprietory encryption schema between their element manager and network elements that they cannot release details on when pressed?

    We know its because it will be pants, and its just a tool to hide how pants it is. The same goes for many many other vendors and their "proprietory" secret protocols and products.

  16. William Higinbotham

    Verifyable

    Verifyable in NSA means breakable!

This topic is closed for new posts.

Other stories you might like