Huawei, your way, whichever way. We're cool with being locked out, defiant biz insists

Huawei execs insisted today that they have no problem with being shut out of certain countries' networks, even as their US CSO gently scorned a famous Ronald Reagan saying that heralded the end of the Cold War. Speaking to the world's press after the opening of Huawei's Brussels-based Cyber Security Transparency Centre earlier …

  1. thames

    Reproducible Builds

    @El Reg said: "In the past GCHQ/NCSC had obliquely floated the idea that they weren't certain if what was being tested was what was being deployed."

    This is a problem in the software world in general, where people conduct code audits but have no way of knowing if the executable binary built by someone else is made from the same source code as they audited.

    Debian developers have been working on the issue of "reproducible builds". That is, to get the exact same binary time after time, so you can check if a pre-built binary given to you was made from the same source code as one you audited.

    I suspect that Huawei will need to do something like that. Once they do that, then the auditors can post hashes which customers who care about these issues can check against a binary which they receive through their supplier support channel.
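
An added example (not part of the comment above, and not Debian's or any vendor's tooling) of the customer-side check it describes: hash the binary received from the supplier and compare it with the hashes independent auditors published after rebuilding from the audited source. The auditor names, file name, `sha256sum`-style manifest format and quorum policy are assumptions, and the sample data is constructed.

```python
import hashlib
import hmac
import io

HEX = set("0123456789abcdef")

def sha256_stream(fileobj, chunk=1 << 16):
    """Hash a binary stream in chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: fileobj.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines ("<digest>  <name>") into {name: digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest, name = digest.lower(), name.lstrip(" *")
        if len(digest) != 64 or not set(digest) <= HEX or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest
    return entries

def verify_image(fileobj, name, manifests, quorum=2):
    """Return (ok, agreeing, dissenting). ok requires at least `quorum` auditors
    to match the received binary and no auditor covering it to disagree."""
    actual = sha256_stream(fileobj)
    agree, dissent = [], []
    for auditor, text in manifests.items():
        expected = parse_manifest(text).get(name)
        if expected is None:
            continue  # this auditor did not publish a hash for this artifact
        (agree if hmac.compare_digest(expected, actual) else dissent).append(auditor)
    return (len(agree) >= quorum and not dissent), sorted(agree), sorted(dissent)

# Constructed sample data: a stand-in image and three hypothetical auditors.
AUDITED = b"constructed firmware image v1\n"
TAMPERED = AUDITED + b"\x90"  # what a modified build would look like
_good = hashlib.sha256(AUDITED).hexdigest()
MANIFESTS = {
    "auditor-a": f"{_good}  router-fw.bin\n",
    "auditor-b": f"# rebuilt from audited source\n{_good} *router-fw.bin\n",
    "auditor-c": f"{_good}  other-fw.bin\n",  # covers a different artifact
}

if __name__ == "__main__":
    print(verify_image(io.BytesIO(AUDITED), "router-fw.bin", MANIFESTS))
    print(verify_image(io.BytesIO(TAMPERED), "router-fw.bin", MANIFESTS))
```

The check is only meaningful if the build is reproducible: otherwise an honest rebuild and an honest shipped binary would hash differently and every image would fail.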

  2. sprograms

    I'm a bit puzzled by the mixed reaction to "Hua Wei - Should We or Shouldn't We?" ambivalence. I grant that many people in, for example, Spain, love the low prices for phones. But, the Hua Wei debate is about network hardware and software, produced in China by a Chinese mainland company. We know that CCP Mandate requires unquestioning compliance with any requests it makes of its "private sector." We know that exploits can be planted with nearly the value of back doors, that they may take years to discover, and are completely deniable if the exploiters are well-camouflaged.

    I have a simple question: would the same ambivalence exist if the company were a Russian organization based in the 1970's Soviet Union? Of course not. And yet the CPR and CCP operate at a "surveil & command" power incomparably more efficient and complete than that of the former Soviets. A fair use excerpt from a current Ars posting:

    "A February 22 China National Computer Emergency Response Team (CNCERT) alert warned that 486 MongoDB database servers out of approximately 25,000 such servers connected to the Internet had "information leakage risks." Apparently, some of those MongoDB servers were part of a social media and messaging collection and processing system used by Chinese law enforcement and security personnel to monitor and investigate citizens' communications......................(ed)....... But in exploring the data, it became rapidly evident who was using the system. The surveillance infrastructure, consisting of a large number of synchronized MongoDB servers, apparently collects social media profiles and instant messages from six different platforms segmented by province, according to Gevers. He adds that the infrastructure pulls in approximately 364 million profiles along with their private chat messages and file transfers daily." .........."The exposed databases revealed not only the collection of the data from social media accounts on services such as TenCent's QQ and WeChat platforms, Alibaba Group's WangWang, and the YY video and streaming platform, but also the workflow behind the collection. "These accounts get linked to a real ID/person," Gevers wrote in a Twitter post on the data. "The data is then distributed over police stations per city/province to separate operator databases with the same surveillance network name." "

    The ever-intensifying one-way command structure of the unitary authoritarian state in China today suggests a path that ex-China IT should follow. I don't think ambiguous thinking should be part of it. Germany says "show us the proof of ill actions by Hua Wei." Would Germany say the same if mainland Chinese Guided Missile salesmen come calling? Just remarkable.

    1. thames

      We know for a fact that the US is doing everything they claim that Huawei might be doing. The NSA monitors communications on a mass scale. The US routinely hacks into the communications infrastructure of Europe to spy on senior European politicians. The US NSA has direct access to major data links which connect data centres in the US, giving them access to unencrypted data stored there, and they do take advantage of it. US networking hardware gets equipped with backdoors in a targeted fashion. Under US law, American companies must hand over any data they have access to to the US security services on demand, and they can be imprisoned if they tell anyone about it. This has all been in the news over the past few years and so isn't in dispute.

      Should the rest of the world therefore ban all US networking equipment and US companies from anything related to communications or critical IT systems? I mean if you are going to be consistent, then that is pretty much where your argument leads.

      Meanwhile the US has declared Canada to be a "national security threat" because Canadian steel and aluminium might do something bad to the US. They also say that Germany is a "national security threat" because German cars might suddenly start goose stepping down American streets when Angela Merkel presses a button on her desk.

      And now the US president has recently announced that he wants US industry to lead the world in 5G technology. I think it's pretty clear how the US determines what constitutes a "national security threat". It's called mercantilism, and it dominates US policy making these days.

      Most of the rest of the world seems to be saying "thanks but no thanks", as they don't see any reason for making themselves poorer in order to bail out American companies who have fallen behind in the technology race.

      If there is a genuine argument to be made for security in telecommunications hardware, then it is an argument which says that each country should only be installing kit made within their own borders by companies controlled by their own citizens and monitored closely by their own security services acting under the control of their own parliaments. Perhaps that doesn't sound like the best of ideas, but it's exactly where this anti-Huawei argument leads for those willing to be honest and consistent about it.

      1. sprograms

        "Should the rest of the world therefore ban all US networking equipment and US companies from anything related to communications or critical IT systems? I mean if you are going to be consistent, then that is pretty much where your argument leads."

        No. I did not and would not make that argument. It leads nowhere but to constant source-code checking by many eyes, and conducting of the builds, and design/fab examination of chip sets, etc...which is impractical in the nearest decade. My argument recognizes that the US (and Germany and the UK, et al) are daily engaged in broad network eavesdropping and targeted investigation. My argument is that ultimately the overall structure of government and intention of each producing nation needs to be taken into account. My argument recognizes that thorough frequent checking of source code, chip designs and microcode, and so forth, will not be practical any time soon. Ultimately, I'm saying, each country and government has to decide, make choices, as to which other nations and manufacturers pose the most serious threat. No solution is provided by saying "every major manufacturer is equally a threat." I'm saying "no, they're not." Every western nation offers the possibility, even likelihood, that information abuse will be outed and rectified. The PRC offers no such hope. If you (or Merkel) want evidence of that, it certainly is available.

      2. big_D Silver badge

        In the end, you need to have a national provider for all telecoms equipment. The USA is bad and they claim (but can't prove, it seems), that Huawei is just as bad. Other countries are probably doing the same thing.

        That only leaves home-grown, state sponsored kit... But what about them spying on their own people?

        As a non-US resident, I have the choice between multiple evils, is an unproven evil (Huawei) really worse than a proven evil (USA)?

    2. Yes Me Silver badge
      WTF?

      Guided Missile salesmen

      "Would Germany say the same if mainland Chinese Guided Missile salesmen come calling"?

      Why wouldn't they? They should ask exactly the same questions about every sensitive product they consider buying, whether it's a network switch or a guided missile, whether it comes from China, the USA, or Baden-Württemberg. Show us that the device is well designed and safe. If there are any allegations against the manufacturer, show us the proof.

      Incidentally, the phrase "mainland Chinese" is anachronistic to say the least. It reminds me of the Cold War, which ended 30 years ago.

      1. sprograms

        Re: Guided Missile salesmen

        The government of the PRC still refers to the mainland and province of Taiwan. Perhaps the Cold War is still on? It is. All that has changed is that the largest communist tyranny got a pass because corporations wanted to exploit the combination of vast labor force joined to an absolutely effective worker suppression system, aka the Party apparatus and its police. That is a very ugly fact. How did it arise? It was a bit like the Prisoners' Dilemma: Neither North America nor the EU nor Japan was willing to be the economy that gave up the profit opportunity. Competition being what it was/is, either all had to forgo it, or none would. The rest is history.

    3. big_D Silver badge

      As opposed to the NSA, which was caught meddling with HP kit and Cisco which has been busily removing dozens of backdoors from various systems over the last 12 months?

  3. big_D Silver badge
    Black Helicopters

    TNO

    TNO, Trust No One / Trust Nobody, is, or rather should be, standard practice when it comes to IT security.

  4. Frosted Flake

    They are not going to just tell you

    It sounds exactly like racist BS. But in fact recent Chinese law makes every corporation and every citizen a part of the state security apparatus.

    They are all spies now. Every single one of them.

    1. _LC_
      Thumb Down

      Re: They are not going to just tell you

      You're right, "it sounds exactly like racist BS". ;-)
