Will anything change because of these revelations?
That's all I wonder.
But not too much since I think I know the answer already.
China has demanded an explanation from the US government in the wake of NSA whistleblower Edward Snowden's latest leak, which claims that the agency was spying on telecoms firm Huawei. The US has repeatedly accused Huawei of being a risky bet for network contracts outside of China as it claims that the company is involved in …
"If the NSA wanted to know if Huawei kit is/was sending information back to the Chinese government could they not have determined that technically through looking at the packets being sent, stripping a machine down to look for secret transmitters and so on?"
Yes, and it would have been more effective because they wouldn't have had to break the law and troll through tons of machines and people to find the information they were looking for. On the other hand hacking the vendor enables you to do some corporate espionage and sabotage, I suspect the NSA did both.
The thing that surprises me is that all these awfully powerful apparatchiks who are so keen to FUD Huawei seem to have collectively failed to arrange a demo of some of these alleged backdoors in action. Even if the backdoors don't exist, they could fake them fairly trivially and lend weight to their FUD. Given the half-arsed nature of the attacks on Huawei and the people doing the attacking (ie: apparatchiks with minimal to zero technical credibility) I suspect they really don't know of any backdoors (there could still be some backdoors of course!).
So at the end of the day, there doesn't seem to be any evidence of these alleged backdoors. On the other hand there is circumstantial evidence of some incentive lubricating the FUD effort in political circles, because all of a sudden we have a bunch of folks who have zero track record of being interested or qualified to comment on hacking speaking up...
"Whether they have backdoor or not, allowing China to put in the communications equipment that our defense and infrastructure rely on is the height of stupidity!
Some things you don't do, even if they can do it cheaper!"
I hesitate to place my delicate person in front of the freight train of down-votes for the above post but...
The man does have a point. If you have some absolute-funting-lutely-must-not-fail-or-be-hacked traffic, you would naturally prefer to run that traffic over kit that is produced in your own backyard. It's a question of confidence, visibility and control. Producing all the components offshore, in countries that you are in direct competition with (for resources, power, etc) is taking quite a big risk however you slice it.
Looking at the long game placing your neck on someone else's chopping block is a pretty big show of trust and perhaps that will lead to a more peaceful more productive world over the very long haul... Unless of course a nation gives in to temptation and swings the axe...
Interestingly the Open Compute stuff does offer some short-cuts and a small cost-saving to subsidize the development of that home-grown trust-worthy hardware. Because it's standard form-factor and standard designs, your suppliers can sell the exact same hardware to other customers - and that may go some way towards mitigating the costs through greater volume.
So instead of Huawei building and designing your communications equipment that your defense and infrastructure rely on, you get a US company to design and build it. And then they outsource the designing to half a dozen different companies all working on different parts with little to no oversight and outsource the building to factories in, you guessed it, China.
So yeah, letting Cisco, Alcatel-Lucent or Juniper networks build your military or infrastructure critical gear in China sounds like the height of stupidity. It's also pretty much inevitable at this point and most first world countries cannot afford to build anywhere near the amount of infrastructure gear they need at home. Don't you just love low wage countries and capitalism?
"Yes, and it would have been more effective because they wouldn't have had to break the law"
It is only "illegal" if their secret court says it is.
What really worries me is what the NSA considers illegal, because some of what they consider is legal is really horrible, so imagine what they consider illegal.
"It is only "illegal" if their secret court says it is."
Strictly speaking that is not the case, the laws are set elsewhere and the court is there to oversee that they are adhered to. That said the court clearly doesn't provide adequate oversight.
"What really worries me is what the NSA considers illegal, because some of what they consider is legal is really horrible, so imagine what they consider illegal."
I'm pretty sure they think stuff like whistleblowing on illegal mass surveillance is illegal. Terrible crime that one.
Well yes they could - if you assume that any back door was set up to be always on, and that it had been implemented in a way that made detection possible. As an example, suppose that a piece of kit had an "error" in its SNMP handling such that a badly formed packet, or perhaps a sequence of "random" community strings caused it to execute a buffer overflow which then happened to run a decrypt option on a block of binary data which just happened to then become a back door.
There is form for attackers trying to insert backdoors into the Linux kernel via deliberately incorrect handling of TCP flags which was caught in code review (https://freedom-to-tinker.com/blog/felten/the-linux-backdoor-attempt-of-2003/) - can you imagine trying to find that sort of logic trap purely from compiled object code? Especially if it had been designed to be hard to find and existed only within a code block which was dynamically modified.
So.... if I was worried about this sort of kit possibly shipping with back doors, I certainly wouldn't want to rely purely upon analysis of the kit as deployed.
Trust is a very hard thing to create and ultimately is never 100% and is dependent upon understanding the process by which something is created, tested, distributed and used.
I'd strongly suggest you read "Reflections on Trusting Trust" and then consider if you still think it's possible to achieve a good level of assurance purely from observation of behaviour within a test environment (http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf)
That works right until your vehicle hits the concrete barrier called reality. To wit that almost all kit is made in China to begin with. I'd also toss in that the provenance of parts and the NSA's TAO intercepts of shipped material demonstrate what should be bleeding obvious. If the NSA can readily accomplish this, then rest assured most any global power can. I'd also offer the multinationals and larger national enterprises for consideration as well. The latest is Microsoft but HP and NotW are pretty disgusting. Trust is as much a fool's game as paranoia. (Trust: that precondition necessary for betrayal.) Privacy, even as practiced by nation states, privately held corporations, or persons is D-E-A-D. Move along to the next stage of grief.
"If the NSA wanted to know if Huawei kit is/was sending information back to the Chinese government could they not have determined that technically through looking at the packets being sent, stripping a machine down to look for secret transmitters and so on?"
That is assuming the dodgy kit is installed on every box, leaving everyone the ability to find it out, which I don't find credible at all. No-one is that stupid, those days.
No, presumably, it is only installed on request (locally or remotely) when the kit is to be used by a target, thus the need to find out at manufacturer's end.
End of the day, average kit is totally clean ...
That is not what the NSA want to know. They want to know how to backdoor Huawei gear - and obviously it looks like it could be hard and might take a while - because otherwise the NSA would send it along with their warmest recommendations to their closest, most loyal allies, exactly like they did before with their back-doored crypto.
From Garry Moore, "Looking Back":
I was looking back to see
If she was looking back to see
If I was looking back at her.
As someone who has grown up behind the Iron Curtain I can tell you straight away that the "latest revelation" shows cluelessness of pangalactic proportions. After all this money wasted on this band of idiots located in Virginia they still do not understand how a Communist country business entity works.
The power structure is as follows.
Layer 1. Business as usual (same as in the West), CEO, CTO, CFO, middle management, worker bees etc.
Layer 2. Communist party committee, its secretary and subordinates - forms a separate hierarchy in parallel to Layer 1. If they say jump, Layer 1 asks "how high?"
Layer 3. Double payroll - informants reporting to state internal security apparatus while officially on the company payroll. Does not really command, but that is where you can get the best aggregated information on a company.
Layer 4. Communist party hierarchy for Layer 3. If you manage to subvert/hack that... Well... That is the only layer which really knows everything on what is going on.
According to the latest revelation NSA has tried to spy at Layer 1. On the execs. Talking about clueless...
According to the latest revelation NSA has tried to spy at Layer 1.
Makes sense, the Americans are well known for their obvious lack of cultural understanding and an unchangeable belief that on the inside of every foreigner there is really an American struggling to get out. So, naturally they assume that corporate cronies run the political system in China, because that is the way things work in the US.
This American way of thinking makes people wary of blaming the Russians for things, like bombing the plane with half the Polish government on board - on the very 70-year anniversary of Stalin's murder of the Polish elites. The CIA logic would dictate that the Polish should go nuts over this and start an uprising, requiring NATO intervention or whatever their little plan was. Well, they didn't, the Poles still blame the Russians and .... who knows?
Sometimes it is not the thing that is important but rather how it was reported.
For example the Ukraine person last week on BBC reported as Prime Minister of Ukraine is now being reported as Interim Prime Minister of Ukraine. RT also reports him as Interim Prime Minister - both seem recent changes so both seem to suggest unreported conclusions are demonstrated by act rather than news (if u no wot i meen arry)
Besides, NSA only eavesdrops whereas China and Russia actually spy and GCHQ only assists, helps and reports, so there!
The US, through Obama and Mike 'Mouthy' Rogers, claims that the Chinese government is linked to Huawei through former military CEO Ren Zhengfei, but that CISCO is different notwithstanding it hired Lt. Gen. Steven W. Boutelle upon retirement as the Army's chief information officer and appointed vice president of the Global Government Solutions Group at Cisco Systems.
Typical two-faced hypocrisy from the US Government.
ALSO, Edward Snowden HAS NOT LEAKED ANY DOCUMENTS SUBSEQUENT TO HIS SOJOURN IN RUSSIA - journalists are responsible for the timing of disclosures at this time. See https://firstlook.org/theintercept/2014/03/23/facts-nsa-stories-reported/.
If I wanted to check out if Huawei was back dooring their boxes I would just buy 1 & probe its ass-pipes.
Even if you were 100% thorough and effective in such 'probing', you would have learned this, and only this: the specific piece of hardware you have does/does not contain a back door.
If you find that it does then you have good grounds to believe that there are backdoors in other kit. If you don't find anything, however, it tells you nothing about any other piece of hardware.
Huawei bid for major government and enterprise contracts. If the control from the Gov is there then there is no reason why hardware produced to fulfill a given contract would get special backdoors tailored to the application.
We all know how much the Chinese government forbids hackers and criminal gangs from operating on their networks. Their networks are a shining example of perfect maintenance, with every single record in APNIC providing accurate ownership, administration, and contact information plus the e-mail address of their security task forces.
Installing back doors to Huawei's network, what will they call that then?
Why, of course that is a "cyber-security operation", performed in the interest of Liberty, Democracy and the goodwill among nations. Much like the practice of dropping tons of explosives on the heads of other people, when done by America®, is labelled "defence".
Gotta love them newspeak.