Huawei's UK code reviewers say Chinese mega-corp is still totally crap at basic software security. Bad crypto, buffer overflows, logic errors...

Re: Can we do this for all manufacturers

Just provide the source code and be done with it. Huawei makes its money selling hardware, by opening its code (even if that is just to its large telco customers) it would increase trust that it does not have back doors.

I doubt that their algorithms are vastly better than the competition.

If it does not want to do that then publish the complete hardware specs and customers could install their own firmware ... OK: something would need to be obtained, but once done, and shared with telcos world wide, we could have something robust.

The same should apply for Nokia, Cisco, etc.

Re: Can we do this for all manufacturers

could we do this with every manufacturer of critical infrastructure?

should ve could we do this with every manufacturer publisher of critical infrastructure software? FTFY

Otherwise you have to define which infrastructure is critical and there is no reason why the manufacturers of consumer electronics, cars or anything else should be able to get away with their current practice to seeing if anyone notices when things break.

Re: Lets hope

Every country tries to exploit vulnerabilities in every other countries' networks. It's not good guys vs bad guys, it's sigint and everyone does it.

Re: Lets hope

>We exploited a few of the vulnerabilities in the Chinese network

The bits of it that are in English at least

Re: Huawei's attitude seems very odd

For me this is an eye-opening insight into the culture of the company. How they build things, and what they care and don't care about.

If this culture is common, it explains the river of terrible quality products flowing out of China.

Re: Not sure about this...

They're reviewing it anyway, so why not point out the problems? If they're hiding them from the public, that would be a problem, but they're not. They point out that there are many problems, and from the sound of it, the problems they have identified aren't exactly hidden. Even a very malicious version of Huawei can't get much out of that report other than that NCSC will read code sent to them and has some technical people in it. Meanwhile, if they actually changed some of this, it would mean that networks in the U.K. using Huawei infrastructure would be more secure.

Re: Not sure about this...

>why are we doing their work for them in drawing the equipment's vulnerabilities to their attention?

Because the department that does this is entirely paid for by Huawei.

Re: Not sure about this...

We are probably still doing the checking as there is hope that Trump loses the election and we can then go back to installing the better Huawei kit we want to install. Even though a Nokia deal has been talked about im sure we are just biding our time in the hope of the sanctions being dropped if Biden wins.

Biden is anti-chinese too and akin to the devil in disguise so it might be a false hope.

Bottom line is we want the cheaper + better Hauwei kit.

Re: Not sure about this...

why are we doing their work for them in drawing "the equipment's vulnerabilities to their attention?"

Because as of yet, we haven't decided to rip up that agreement.

Script kiddies could do much of the hacking, but writing reports is not their strong point.

But that surely is the point - the backdoors are there - only the report calls them "vulnerabilities" and poor coding practices - its called hiding in plain sight.

Exploitation of the backdoors is unfortunately open to all and sundry, including the PLA

Perhaps they are rapidly replacing their staff with ones who haven't yet learnt from experience, a bit like IBM seem to be doing.

What's confusing to me is, if I had regular reports about all the mistakes I was making and how to fix them, I would expect to slowly be making fewer mistakes. This does not appear to be the case here. They must be finding new and exciting ways to fuck up every day.

See:

"There are ongoing concerns about the quality of Huawei's security performance at a technical level, rather than concerns [about] hard evidence of Chinese state interference. That's an ongoing process of remediation. The US sanctions are very tightly defined, they do impact new deployments so that's why there's a bar on new deployments and as part of the package announced in July, contingency plans were made to ensure the existing stuff could be serviced."

Basically, US sanctions make updates (fixes) at the very least very difficult.