Bah!
Ahem:
Roses are red
Hearts sometimes ripped
Naked Huawei tells critics
To keep their traps zipped.
.
.
Gissajob.
Eric Xu, one of three rotating chairmen at Huawei, has said the company is "naked" before the British security services with whom it shares its most intimate secrets: its source code. "HCSEC has access to Huawei's source code, so they can easily tell whether those source codes are written in a way that's readable, easy to …
"It's like Windows software as well. The legacy code base keeps building up"
So, Windows had 36 remote code exploits this month, which means of course they have lots of back doors. They just haven't found them all yet. When they need one you know that they will find one.
Huawei is a risk. Just like Windows is a risk.
I mean you can rule out the existence of functions called allow_spying_by_chinese_secret_police() but given that serious remote exploits can lurk in open source code for years in some cases, how the heck is providing the source code any guarantee? It would be easy to slip in some "bugs" modeled after bugs that have been seen in the wild, giving them plausible deniability in the unlikely event one were found - having several means there will always be a few undiscovered ones waiting for the government order to be received.
Bugs can lurk.
But would you try to slip something deliberate in to an open codebase where every commit goes out immediately to a bunch of active developers, as well as of course being on public display to security researchers and AI tools? That's an altogether different proposition!
Compare the amount of (hostile) scrutiny Huawei is getting to any of its rivals, and tell us which is the safer bet?
With (say) Cisco, you have all the same risks as Huawei, plus the additional risk that someone is smuggling in a backdoor (NSA made them an offer they can't refuse) invisible to anyone outside a small team within the company. That makes the hurdles to finding it thousands of times higher: you need a Snowden instead.
Huawei's code isn't open source, where did you get the idea that there will be "a lot of active developers" looking at each commit? They are making it available to a particular organization in the UK (and presumably other countries) but that organization isn't going to be seeing every commit. They'll get one version, and then they'll get the next version, with potentially thousands of commits in between. Good luck seeing something they have deliberately hidden amongst huge haystacks of real code changes (and that's assuming the first version they deliver doesn't already include all the backdoors, carefully disguised as "oops, that's a bug").
The odds of finding it may be slightly better than with Cisco, but the odds of the government being able to control whether Huawei plants something are 100%, while the odds of the US government being able to do the same with Cisco are less. Maybe you think they are high, or low, but they are nowhere near 100%.
"please Mr Huawei in the interest of national security can you please provide us with a backdoor and promise not to use it yourself and not tell anyone otherwise we'll be very upset"
vs
"heh Mr Cisco/Nokia/etc - we need a backdoor,
do as you're told or we'll throw the 5-eyes rule book at you and eat you alive"
Personally, I wouldn't trust either of these. The NSA seemed to have all kinds of backdoors and such if the recent release of their stuff is to be believed so I assume GCHQ are trying to catch up.
Nah, I trust countries, companies, groups, associations and affiliates about as far as I can throw a main battle-tank. Individuals can sometimes be trusted but even then not always.
"CSEC is saying, all right, your code base is not beautiful. You know, this is a code base that has been there for 30 years. And this is the characteristic of the communications industry.
Really? The company was founded in 1987 and in the early days was pretty much PBXs etc, so I'd expect the router software codebase to be much younger than that.