We need to stop building critical infrastructure on literal quicksand. We need to re-think software development procedures and structures, legally mandate companies to share their code and have independent audits done. Software development is broken, the products that stuff runs on are broken by extension.

Looking over the report feels all too familiar to stuff that I have written after audit gigs.

Point 3.11 in the paper mentions unprotected stack overflows. That is largely preventable these days by fuzzing and auditing attack surfaces. But barely anyone does it properly.

3.19 in the report says that it is next to impossible to get a reproducible build. Yes, that is bad. And it is basically industry standard.

Configuration management and management of third party libraries and their versions? Well, who here has it figured out conclusively?

3.31 sounds a lot like "15 year old codebase, no one ever bothered to do a clean-up". The "never touch a running system" attitude. Not exactly unknown in the industry.

We indeed have a problem. But it's not just Huawei.

And the most irritating thing about that report... a codebase like this is basically an auditor's dream. You could just grep for memcpy and sprintf and the potential issues would fall out like cockroaches scrambling for cover when the light is turned on.

The fact that they do not mention those actual bugs makes me think that the report was not even penned by security folk, but by compliance people. Complaining about non-reproducible builds while pre-auth remote stack issues are present is like complaining about minor rust spots on a motor vehicle while the engine is on fire and the wheels are rolling away in all 4 directions. "Not particularly relevant at this point..."
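The "grep for memcpy and sprintf" first pass described in the comment above, written out as a small audit scanner. This is an added example, not code from the post, from the report or from any vendor's codebase; the list of flagged calls, the suggested replacements and the sample C file are constructed for illustration. It goes one step beyond a plain grep by blanking comments and string literals first, so a log message that merely mentions sprintf, or a wrapper named my_sprintf, is not reported as a hit.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# Calls a reviewer typically looks for first in a C codebase, paired with the
# usual bounded alternative. Constructed for this example, not taken from the report.
UNSAFE_CALLS = {
    "strcpy": "strlcpy/strncpy with an explicit destination size",
    "strcat": "strlcat/strncat with an explicit destination size",
    "sprintf": "snprintf with sizeof(buf)",
    "vsprintf": "vsnprintf with sizeof(buf)",
    "gets": "fgets",
    "memcpy": "check the length against the destination size before copying",
}

# An identifier from the list followed by '(' and not preceded by an identifier
# character, so my_sprintf( or sprintf_s( are not reported.
CALL_RE = re.compile(r"(?<![A-Za-z0-9_])(" + "|".join(UNSAFE_CALLS) + r")\s*\(")


class Finding(NamedTuple):
    path: str
    line_no: int
    call: str
    advice: str
    text: str


def _strip_noise(line: str, in_block: bool) -> tuple[str, bool]:
    """Blank out comments and string literals on one line.

    Returns the cleaned line and whether a /* ... */ comment is still open
    at the end of it, so multi-line comments are skipped on following lines.
    """
    out: list[str] = []
    i = 0
    in_str = False
    while i < len(line):
        c = line[i]
        if in_block:
            if line.startswith("*/", i):
                in_block = False
                i += 2
            else:
                i += 1
            continue
        if in_str:
            if c == "\\":        # skip the escaped character, e.g. \" or \n
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
            continue
        if line.startswith("/*", i):
            in_block = True
            i += 2
            continue
        if line.startswith("//", i):
            break
        if c == '"':
            in_str = True
            i += 1
            continue
        out.append(c)
        i += 1
    return "".join(out), in_block


def scan_source(path: str, source: str) -> list[Finding]:
    """Report every call to a function in UNSAFE_CALLS, with file and line."""
    findings: list[Finding] = []
    in_block = False
    for line_no, raw in enumerate(source.splitlines(), start=1):
        cleaned, in_block = _strip_noise(raw, in_block)
        for m in CALL_RE.finditer(cleaned):
            call = m.group(1)
            findings.append(Finding(path, line_no, call, UNSAFE_CALLS[call], raw.strip()))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per flagged function, for a quick triage table."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.call] = counts.get(f.call, 0) + 1
    return counts


# Constructed sample: a request handler with an unchecked copy and an
# unbounded format, plus two decoys a naive grep would report.
SAMPLE_C = """\
#include <string.h>
#include <stdio.h>

/* handler for the management interface; sprintf is only mentioned here */
int handle_request(const char *user, size_t user_len) {
    char name[32];
    char msg[64];
    memcpy(name, user, user_len);           /* no check against sizeof(name) */
    sprintf(msg, "hello %s", name);         /* unbounded format into msg */
    printf("sprintf is not called here\\n"); // literal, not a call
    return my_sprintf(msg, 0);              /* different function, ignored */
}
"""

if __name__ == "__main__":
    for f in scan_source("mgmt.c", SAMPLE_C):
        print(f"{f.path}:{f.line_no}: {f.call}: {f.text}  -> {f.advice}")
    print(summarize(scan_source("mgmt.c", SAMPLE_C)))
```

Running it against the constructed file reports only line 8 (memcpy) and line 9 (sprintf); the comment on line 4, the string on line 10 and the my_sprintf wrapper on line 11 are skipped. Each hit is a lead for a manual look at the destination size, not a confirmed bug, which is exactly the difference between this list and the audit findings the comment says are missing from the report.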

