Surely, if we have people smart enough to analyse the source code and tell us whether it's safe, we could just have written that software ourselves, no?
Cyber arm of UK spy agency left without PGP for four months
UK spy agency GCHQ’s cyber security arm, CESG, was left without PGP encryption for more than four months, according to a government report. This "prevent[ed] direct electronic receipt of evaluation reports", it emerged in the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board (PDF) annual report. “Internal …
COMMENTS
-
Monday 24th July 2017 16:15 GMT Anonymous Coward
To quote the internet - 'Ain't nobody got time for that'
It's a nice thing to go and roll your own all the time, but it takes time; in this case it's much quicker and easier for a competent developer to read over source code and figure out how it works than write it, bug check it, system test, acceptance test, merge and then release (before then having to patch it because you missed something).
Though, yes, if you do have the time and money then by all means roll your own (but remember Rome was neither built in a single day nor by a single pair of hands).
-
Monday 24th July 2017 19:31 GMT Anonymous Coward
Re: Source
Is it uniquely Huawei whose kit they are using without source? Or might they also use other Usual Suspects like Apple, MS, Samsung, etc on the same basis?
Which makes one seriously wonder why they bother with this HCSEC nonsense? Why don't they just buy critical networking kit from strategic allies like the US?
After all, virtually every personal computer in the country runs closed source operating systems produced by American corporations and even our nuclear warheads are mounted on American missiles. Buying American network kit for critical national infrastructure wouldn't make us any more vulnerable than we are now. Is Huawei kit really so much cheaper/better than Western stuff?
-
Tuesday 25th July 2017 12:55 GMT Anonymous Coward
Re: Source
"Why don't they just buy critical kit from strategic allies like the US?"
Because allies are not friends. Do not put all your eggs in one basket.
I don't think the "eggs in one basket" analogy works here. The proper analogy is about how many people have "keys to the kingdom". Minimising the number of people who can potentially damage your infrastructure is surely the good thing to do, not maximising it.
-
Monday 24th July 2017 18:23 GMT Martin Summers
Re: Yes Minister rules yet again.
Currently binge watching Yes Minister, never realised just how good it was. It's a paradox whether to laugh at it as you know just how near the mark it probably is even today or be frightened and pissed at how near the mark it probably is even today.
I'm also geeking out at the moment as I'm right next to GCHQ Bude and have an excuse to mention it.
-
Monday 24th July 2017 18:42 GMT Philip Hands
GPG? on Debian say?
If one were paying attention at all to these matters (and I think they do so in parts of GCHQ), you'd know that things like Debian come with full source, and that includes GPG which can deal with OpenPGP messages just as well as PGP.
I guess that sort of special knowledge is only shared on a need to know basis (or perhaps it took whoever it was who failed to get the licenses paid for four months to pluck up the courage to ask anyone what they could do about it).
-
Tuesday 25th July 2017 08:23 GMT cantankerous swineherd
“The incomplete delivery of source code obviously means that HCSEC cannot provide assurance or risk management artefacts for the additional code.
"While this is a matter of significant concern, the [National Cyber Security Centre] does not believe this process is in any way malicious, but is based solely on Huawei supplying source code for the features procured and used by UK operators."
these people are simpletons.
-
Monday 31st July 2017 10:39 GMT B0rg
I don't geddit. We suspect the Chinese are spying on us because they are heavily embedded in our infrastructure, so instead of ditching them we just ask for reassurance that they're not spying on us?
http://news.sky.com/story/gchq-to-monitor-huawei-amid-cyber-spying-fears-10424292
Yes minister; the Chinese were doing such a good job of spying on our population already we asked if we could be let in on the intel too. It's much cheaper than re-inventing the wheel and compromising the networks ourselves!
-
Tuesday 21st November 2017 14:26 GMT Severus
Ever heard of the precautionary principle?
Of course the Chinese are spying on us, they are our enemies! Why don't GCHQ start with the precautionary principle? The principle implies that there is a social responsibility to protect the public from exposure to harm, when there is insufficient evidence to show that something is safe. These protections can be relaxed only if further scientific findings emerge that provide sound evidence that no harm will result.