Slashdot: News for Nerds

Huawei Offers 'Complete and Unrestricted' Source Code Access

Soulskill posted about 2 years ago | from the as-open-as-a-pr-campaign dept.

Australia

An anonymous reader writes "The BBC reports that 'Huawei has offered to give Australia unrestricted access to its software source code and equipment, as it looks to ease fears that it is a security threat. Questions have been raised about the Chinese telecom firm's ties to the military, something it has denied. Australia has previously blocked Huawei's plans to bid for work on its national broadband network. Huawei said it needed to dispel myths and misinformation.' But is this sufficient? Will they be able to obscure any backdoors written into their equipment?"


255 comments

Source (5, Interesting)

bjb_admin (1204494) | about 2 years ago | (#41757655)

Does the Australian Govt have anyone that can actually properly security audit this? I am sure they are not going to want to spend the money to hire someone who can. Also, who is to say the binary blob firmware doesn't have a back door? It's not like the Australians are going to compile it and install it themselves.

Re:Source (5, Informative)

Lehk228 (705449) | about 2 years ago | (#41757697)

Not even the firmware; there could trivially be an on-chip backdoor.

Re:Source (1)

ThatsMyNick (2004126) | about 2 years ago | (#41757867)

Can't they simply release their chip designs too?

Re:Source (0)

Anonymous Coward | about 2 years ago | (#41758007)

Yes, but nothing stops them from removing it from the design.

Re:Source (2)

anomaly256 (1243020) | about 2 years ago | (#41758165)

Plus it would mean we could just fabricate new ASICs from their designs and not pay them, something they probably (and rightfully) don't want.

Re:Source (0, Flamebait)

Anonymous Coward | about 2 years ago | (#41758841)

But they're Chinese... in Chinese culture, imitation is the greatest flattery.
They should be HAPPY and PROUD that we would fabricate new ASICs from their designs without paying them...

Re:Source (1)

aliquis (678370) | about 2 years ago | (#41758781)

Just buy Ericsson gear instead (or even Nokia-Siemens), I won't mind. :D

Re:Source (1)

Lehk228 (705449) | about 2 years ago | (#41759005)

Of course they would, and they would release the version without the backdoor module and ship some with one enabled, unless they are going to stick every single board into an X-ray before installing it.

Re:Source (5, Insightful)

AK Marc (707885) | about 2 years ago | (#41758091)

Yes, though there's no evidence of any improper activities from any Huawei gear, and they are already a step ahead of US voting machines.

In the US, voting machines pick the next president. With secret closed-source code in an industry with proven fraud and from companies with proven previous errors.

In Australia, they have the source code for routers running a residential broadband network, and that's not good enough.

Why does something seem wrong with that?

Re:Source (3, Insightful)

Charliemopps (1157495) | about 2 years ago | (#41758327)

You're not understanding where the government's coming from. They want someone, other than themselves, to have legal liability if there is a breach. Since all contracts, agreements, and laws are subject to the whim of the Chinese government, they could just tell Huawei to put code on their hardware and they'd have to do it. Whereas, in Australia, or the United States, there are constitutions that supersede the federal governments. The feds can come in and demand that Cisco put a backdoor on their hardware, and Cisco could turn around and cite existing law to say "No, we won't do that, it's illegal." Now, in reality, does it actually work like that? No... Cisco bends over backwards for the feds out of greed because they want them to do things like we're seeing here. But from the federal government's perspective, Cisco is doing their bidding and are therefore "Good guys"... Huawei on the other hand are at the very best an unknown. Politicians rarely see beyond their own term... and while violating our constitutional rights to ensure our safety seems worthwhile at the time... it's what the guy that gets elected after they're gone does with these entrenched systems that brings ruin.

Re:Source (1)

Anonymous Coward | about 2 years ago | (#41759167)

" there are constitutions that supersede the federal governments"

I nearly lost it reading that. A piece of paper (like signs) enforces nothing; people do. Those with the means to inflict harm on others are the ones who can enforce positive rules like laws. This means that only the government can positively (I stress positive enforcement here only) enforce law upon itself. A man is not going to enforce a rule upon himself on the insistence of some scribblings. So, constitutions are entirely ineffectual means to restrict the arbitrary whims of government.

The true limiting mechanism is the scope of power over those a government rules. Small new governments can't do too much, but huge governments like the current USG have near limitless resources at their disposal. Why does it not pull a 1984 and go full North Korea on us? Because that is a poor tax farm management method. It destroys productivity. Politicians only take enough that they don't rock the boat for their fellow immediate rulers. This slows the process as multiple temporary farmers are all checking each other's recklessness. Also, those that are ruled can threaten overly abusive rulers but that is a more nuanced issue so I won't go into it.

So what does this rambling mean? It means that governments like ours can absolutely pressure businesses to do such things. Hell, it's prevalent. Entire industries are dependent upon privilege and punishment for their existence. Even if a company pulls out the constitution card against some nonsense the government 'suggests', the repercussions of not playing along can devastate a business. It is frustratingly naive to think businesses can shield themselves from the might of the USG all because of a dusty bit of parchment.

Re:Source (5, Insightful)

overbaud (964858) | about 2 years ago | (#41759189)

The way this works is: 1. Cisco lobby US gov. 2. US gov put pressure on Aus gov. 3. Aus gov create FUD about cisco rival. 4. Aus gov buy cisco. 5. Profit - cisco and US senators.

Besides (0)

Anonymous Coward | about 2 years ago | (#41757737)

Source code doesn't speak to the character of the company who commissioned its development, anyway.

And, that's really what people don't trust.

Re:Besides (4, Insightful)

fredprado (2569351) | about 2 years ago | (#41757785)

Sorry, but there is absolutely no company in the world that has this thing called "character".

Re:Besides (-1)

Anonymous Coward | about 2 years ago | (#41757843)

You're either painfully clueless, or so full of shit it's leaking out your ears.

Re:Besides (1)

fredprado (2569351) | about 2 years ago | (#41758077)

And you certainly have great wisdom and knowledge and are ready to bathe us in the light of your unsurpassed righteousness, Mr. Anonymous Coward.

Re:Besides (-1)

Anonymous Coward | about 2 years ago | (#41758405)

Just because you don't have any doesn't mean it applies to every single company too.

Re:Besides (3, Funny)

fredprado (2569351) | about 2 years ago | (#41758555)

Oh, another offended Anonymous Coward. How cute.

Lesson time (0)

Anonymous Coward | about 2 years ago | (#41758585)

This particular AC has mod points. Cheers.

Re:Lesson time (-1)

Anonymous Coward | about 2 years ago | (#41758721)

This particular AC has mod points. Cheers.

And only a faggot would use mod points negatively because they disagree with a post. Cheers.

Re:Lesson time (1)

fredprado (2569351) | about 2 years ago | (#41758723)

So?

Re:Source (2, Insightful)

Anonymous Coward | about 2 years ago | (#41757803)

Even if they did have someone capable, if you've ever read any submissions to the Underhanded C Contest, you'll know how difficult it is to detect hidden back doors even when scrutinizing code.

Re:Source (3, Insightful)

tibit (1762298) | about 2 years ago | (#41758179)

Yup, even when you know a priori in which couple hundred lines to look. In a large application, like you'd find in a router, it's demonstrably an impossible task unless they use something safer than C -- and even then it'd take a formal-method approach.

Re:Source (2)

Max Littlemore (1001285) | about 2 years ago | (#41757827)

This is my concern. Why is the Federal Government singling out Huawei and not subjecting everyone to this scrutiny?

I have a simple idea. Why not make it a condition of purchase that all software/firmware/hardware design be fully and publicly disclosed by all potential vendors and crowd source the security checks? (Hey I know it will never happen but I'm allowed to have my Utopian dream on a Thursday morning)

Re:Source (4, Informative)

Anonymous Coward | about 2 years ago | (#41758511)

Because the rest of those companies weren't founded and run by ex-Chinese military and long-time Chinese Communist Party members?

Re:Source (0)

Anonymous Coward | about 2 years ago | (#41758609)

Quite simply because Huawei (and ZTE) is VERY closely tied to a government and military that has proven itself to be at best antagonistic to others, and at worst, hostile.

Put it this way: if you needed a gun and the person offering you said gun was employed by the very same group that has been beating on your door every night, just how fast would you say "sure, I'll take it"? You would be opening it up left and right, inspecting it, bringing in experts if you could to make sure that it's a safe gun.

At least with others, there is no direct government tie (not that it really means much). But would YOU put your money and security and your very life in their hands?

Re:Source (2)

Anonymous Coward | about 2 years ago | (#41757913)

We don't need to compile it ourselves, we have trained kangaroos and drop bears for this purpose.

Re:Source (1)

tibit (1762298) | about 2 years ago | (#41758149)

I'd have thought that the entire goal was to compile and install it, otherwise the source code is kinda pointless.

Re:Source (4, Informative)

RedPhoenix (124662) | about 2 years ago | (#41758187)

Yes; some very good people who evaluate products for use within the Oz government and Defence:
http://www.dsd.gov.au/infosec/epl/index.php [dsd.gov.au]

However, the process is usually long, often expensive, and generally targets a particular software/hardware combination; bump your version number, and there's potentially a fairly significant re-evaluation required.

Huawei could take advantage of this program now, but would either need to front up some dough, or have a sponsor to guide them through it.

Re:Source (0)

Anonymous Coward | about 2 years ago | (#41759113)

DSD pay way below market rates... as such they fail to attract the best of the best and instead attract people willing to be paid 1/3 to 1/4 of what they would be paid elsewhere.

Re:Source (5, Informative)

socceroos (1374367) | about 2 years ago | (#41758263)

The DSD (Defence Signals Directorate) are the ones in Australia who would vet this equipment - they already do it for all equipment used by ASIO, ASIS and other secretive organisations here. The other thing to remember is that it was the DSD that told the Government not to trust Huawei's hardware. Now they get to have a good look at the code without the need to reverse engineer.

Re:Source (0, Flamebait)

mrmeval (662166) | about 2 years ago | (#41758593)

It does not matter one whit if they're releasing everything including the ASIC code, masks, etc.

Don't let foreign assholes make your critical infrastructure. Period. Don't ship anything out of country. Don't rely on the companies in your country not to be idiots. If it is going into critical infrastructure you'd best have control of it.

Yea, it will put a screeching halt to the wonderful progress we've had and that is unfortunate but China and others seem to want to slit our throats so we should slit their profits.

Re:Source (1)

Abreu (173023) | about 2 years ago | (#41758791)

Not sure if xenophobia is real,
[FuturamaFry.jpg]
or just clever parody

Re:Source (1)

hawguy (1600213) | about 2 years ago | (#41758885)

It does not matter one whit if they're releasing everything including the ASIC code, masks, etc.

Don't let foreign assholes make your critical infrastructure. Period. Don't ship anything out of country. Don't rely on the companies in your country not to be idiots. If it is going into critical infrastructure you'd best have control of it.

Yea, it will put a screeching halt to the wonderful progress we've had and that is unfortunate but China and others seem to want to slit our throats so we should slit their profits.

Isn't that kind of like saying "Don't trust asshole doctors to treat your complicated medical condition. If you can't treat it yourself, just slit your throat now. Yea, it will kill you right now, and that is unfortunate, but at least the doctors won't profit from it".

Re:Source (0)

Anonymous Coward | about 2 years ago | (#41759171)

Close. It's more like saying "don't trust asshole pharmacies not to poison you, even though they promise to release the ingredients for their binder capsule." Health care techniques are no secret, however, drug components often are trade secrets, and hard to verify.

But yeah, no country should trust any part of their critical infrastructure -- be it food, health care, or secure communications electronics -- to a hostile foreign power. China routinely announces how it has a hostile relationship with America, in its propaganda newspapers, and its best friends are North Korea, and Pakistan. China is bent on world domination, and it is becoming more and more evil as it grows in power.

Thanks, Nixon. You strengthened China, at the expense of the Soviet Union AND the United States. That was your biggest mistake. We should cut all ties to China, and bring manufacturing back to the USA.

paranoia will destroy ya (0)

Anonymous Coward | about 2 years ago | (#41758823)

Get over it... they are saying if you want to see source, here ya go, and there are huge hackers in Australia; I bet their govt has hired a few to "penetration test it".
No, govt doesn't have someone qualified, and if needed I am sure we Canucks can provide you with some....
Fact is this just is an attempt at trade embargoing via fear.
Plain and simple.

subject (0)

Anonymous Coward | about 2 years ago | (#41757673)

>insert some FUD about hardware bugs followed by that pdf on trust

hardware backdoors (0)

Anonymous Coward | about 2 years ago | (#41757689)

What about hardware-based backdoors? How about purposely imposed design flaws that are undetectable, but easily exploitable remotely? Perhaps they have their own CHAMP-like device embedded, only activated by some type of remote RF.

Re:hardware backdoors (3, Informative)

AK Marc (707885) | about 2 years ago | (#41758191)

OK, let's assume that the routers are rooted. So what? Isn't everything over the Internet presumed to be insecure anyway? At worst, China would get some SSL packets from my bank, or some HTTPS packets between me and an email server. Or see that I'm on Slashdot more than I should be. Yawn.

And, if they did send a copy of every packet to China, do you think the carriers wouldn't notice that traffic pattern? It's an absurd accusation, with no basis in fact. And, if true, would be quickly found if it were ever used. All to compromise an unspecific portion of a residential broadband network.

It's more likely that Huawei was behind the assassination of Kennedy and 9/11 than they are inserting router backdoors in an attempt to remotely control Australia. If you've been to WA, you don't need to sniff their traffic to know what they are doing. 99% porn, 1% skype to family.

Re:hardware backdoors (1)

moogied (1175879) | about 2 years ago | (#41758347)

You're assuming the point is to read the data. It's not. The point is that China would be able to transmit a single set of instructions across the routers that say 'At 2AM tomorrow, DO NOT ALLOW TRAFFIC THROUGH.' and suddenly Aussies everywhere lose internet. Which could be a massive security issue if China were to attack right then.

Re:hardware backdoors (1)

coliverhb (886806) | about 2 years ago | (#41758451)

Or they could, you know, take down the entire Australian network in an instant by sending a command to all of the rooted routers. (Not an optimal situation, especially because these routers are also going to be handling the phone lines too.) Think about having the ability to cut off all communication in an entire country - that's a HUGE strategic advantage.

They could use these routers to identify specific targets of interest. State sponsored hackers would then have the ability to remove/obfuscate logs to make it so that they're impossible/very very difficult to trace or perhaps even to frame others.

Re:hardware backdoors (1)

bugs2squash (1132591) | about 2 years ago | (#41758457)

Not every router is used solely for the internet. Also, they don't have to report to China, they just have to be deployed into a critical network and then suddenly stop working when China wants them to. Finally, if they're going to be sneaky, who's to say the software image they provide is made out of the source code they provide? I don't see them providing the means to compile the source code to an image.

Re:Maos backdoor (1)

noshellswill (598066) | about 2 years ago | (#41759401)

Enemy slants ... keep out the Chi.com product ... snooping routers, flimsy forks, national flags ... reject every product. Cause every nickel ( $0.05) you pay Huawei will come back on your grandkids as an attack-sub or nuclear weapon. You may bet-yo-bits on that.

Not for hardware.. (0)

Anonymous Coward | about 2 years ago | (#41757691)

The software source code will be fine, but during manufacturing a hardware chip can be added to the NICs or routers that will phone home independently of what the IO's sees. To make it more fun, they will only add it to a couple of pieces of hardware in the large order, so they can claim it was a manufacturing defect, and they don't know how those got in there..

Cisco and Motorola may object (5, Funny)

Anonymous Coward | about 2 years ago | (#41757701)

...seeing as how it's their source code being released.

Answer (1)

Matt.Battey (1741550) | about 2 years ago | (#41757725)

No. Yes. In that order.

Re:Answer (0)

AK Marc (707885) | about 2 years ago | (#41758295)

It's more than Cisco or anyone else was willing to do. Huawei does everything asked of them, and gets attacked for it. Why? Looks like Australia is developing an anti-immigrant stance, and so many that go to Australia are Chinese.

Is this Sufficient? What else could you want? (1)

NinjaTekNeeks (817385) | about 2 years ago | (#41757755)

Australia: "You are a security threat we need to see your code!"
Huawei: "Ok, here is our full source code"

Sensationalism Department: "There must be obscure back doors they might hide in their code!!!"

Just because the US Congress, which is still in the stone ages as far as understanding of technology, decries them as a threat using classified information doesn't mean it's true. It just means the US likes to cock block China as often as it possibly can, notwithstanding the shady backroom deals that enticed this in the first place.

Re:Is this Sufficient? What else could you want? (2)

Todd Knarr (15451) | about 2 years ago | (#41757875)

Hardly obscure. The only thing needed is to make it so the code used to build the firmware isn't the code you provided for everyone else to look at. I can think of a dozen ways to do that, starting with the obvious "patch file not in version control and not provided to anyone, applied manually between checkout and compile". If you're doing that, the back-doors don't have to be obscure at all because they won't be present in anything anyone can see.

The only way to truly tell is to build your own binaries from the supplied code and then diff the vendor-supplied firmware against your build. That of course suffers from problems with a large number of benign differences due to embedded source-code paths, timestamps due to the build being done at a different time, slight variations in the exact version of third-party libraries and so on.
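
Added example, not part of the post above: a small Python script that does the build-and-diff check just described, with the benign differences masked before comparing. The two "firmware images" are constructed toy byte strings, and the list of volatile fields (a build timestamp and the builder's source path, in assumed formats) stands in for the list a real comparison has to be built up from. Masking uses same-length filler so that offsets stay aligned and every surviving difference points at a concrete byte range.

```python
"""Compare a vendor-supplied firmware image against one rebuilt from the
disclosed source.  Differences a rebuild legitimately introduces (build
timestamp, source path) are masked; whatever is left is a real change.

Everything here is a constructed toy: the images are byte strings, not
real firmware, and the volatile-field formats are assumptions."""
import re
from typing import List, Tuple

# Fields a rebuild is expected to change.  Keep this list short and the
# patterns length-bounded: every masked byte is a blind spot in the audit.
VOLATILE_PATTERNS = [
    re.compile(rb"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"),     # build timestamp
    re.compile(rb"/(?:home|build)/[A-Za-z0-9_.-]+/src\b"),   # builder's source path
]


def normalize(image: bytes) -> bytes:
    """Overwrite volatile fields with same-length filler so offsets stay aligned."""
    for pat in VOLATILE_PATTERNS:
        image = pat.sub(lambda m: b"#" * len(m.group(0)), image)
    return image


def diff_regions(a: bytes, b: bytes, mask: bool = True) -> List[Tuple[int, int]]:
    """Return [start, end) byte ranges where the two images differ.
    With mask=True the volatile fields are normalized first.  A length
    mismatch is reported as one extra region covering the longer tail."""
    if mask:
        a, b = normalize(a), normalize(b)
    regions: List[Tuple[int, int]] = []
    start = None
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, n))
    if len(a) != len(b):
        regions.append((n, max(len(a), len(b))))
    return regions


def build_image(timestamp: bytes, src_path: bytes) -> bytes:
    """Assemble a toy image: magic, 512 bytes standing in for code, build-info
    strings (the only part a rebuild should change), trailer."""
    code = bytes(range(256)) * 2
    info = b"Built: " + timestamp + b" from " + src_path + b"\0"
    return b"FWIMG\0" + code + info + b"END"


# Constructed inputs: the vendor's build and the auditor's rebuild of the same
# source differ only in timestamp and path (chosen with equal lengths here).
VENDOR_IMAGE = build_image(b"2012-10-22 03:14:15", b"/home/vendor1/src")
OUR_IMAGE = build_image(b"2012-10-25 11:00:00", b"/build/dsdlab/src")

# A vendor image with four bytes of "code" patched after the build: the kind
# of difference the volatile-field mask must never swallow.
_patched = bytearray(VENDOR_IMAGE)
_patched[100:104] = b"\xde\xad\xbe\xef"
PATCHED_VENDOR_IMAGE = bytes(_patched)


if __name__ == "__main__":
    print("raw diff regions    :", len(diff_regions(VENDOR_IMAGE, OUR_IMAGE, mask=False)))
    print("masked diff, clean  :", diff_regions(VENDOR_IMAGE, OUR_IMAGE))
    print("masked diff, patched:", diff_regions(PATCHED_VENDOR_IMAGE, OUR_IMAGE))
```

On a real image the same idea is applied per section rather than to the whole file, and the benign differences are driven down first (pinned toolchain and library versions, fixed build path, a fixed build timestamp) so that the mask list stays tiny; the mask is the part an attacker would aim for, so each pattern should match a bounded number of bytes and nothing else.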

Re:Is this Sufficient? What else could you want? (1)

fredprado (2569351) | about 2 years ago | (#41758117)

But then again it would be the fault of those that should be verifying such things. If security is important these checks should be made no matter which manufacturer they choose.

Re:Is this Sufficient? What else could you want? (0)

AK Marc (707885) | about 2 years ago | (#41758331)

Or, trust but verify. If your traffic is 10 Mbps from Perth to Melbourne and you see your stats showing 10 Mbps between P and M, with a corresponding spike in traffic going to China, then maybe something is up. It wouldn't be hard to find a backdoor if one was in, it would have to *do* something, and that would be seen, especially if they are looking for it. Insane security measures to secure residential Internet (presumed insecure anyway) seems, well, insane.
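
Added example, not AK Marc's: the accounting check described above, written in Python over a handful of constructed flow records (five-minute windows of source, destination and byte count; addresses are from the RFC 5737 documentation ranges and the 10.0.0.0/8 private range, not real sites). The internal prefix, the known-upstream list and the 0.8 ratio are assumptions for the illustration.

```python
"""Flag an external destination that receives roughly as many bytes as the
internal transit it could be mirroring.  Flow records are constructed
examples in the form '<window> <src> <dst> <bytes>'; the internal prefix,
the known upstreams and the ratio threshold are assumptions."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

INTERNAL = ipaddress.ip_network("10.0.0.0/8")                # assumed: our own sites
KNOWN_UPSTREAMS = {ipaddress.ip_network("203.0.113.0/24")}   # assumed: legitimate peers
MIRROR_RATIO = 0.8   # external volume within 80% of transit volume is suspicious

# Constructed records: two five-minute windows; 198.51.100.77 receives a
# copy-sized volume in the first window only.
FLOW_LOG = """\
# window           src       dst            bytes
2012-10-22T02:00   10.1.0.5  10.2.0.9       750000000
2012-10-22T02:00   10.1.0.7  10.2.0.3       150000000
2012-10-22T02:00   10.1.0.5  203.0.113.10    40000000
2012-10-22T02:00   10.2.0.9  198.51.100.77  890000000
2012-10-22T02:05   10.1.0.5  10.2.0.9       760000000
2012-10-22T02:05   10.1.0.5  203.0.113.10    41000000
2012-10-22T02:05   10.2.0.9  198.51.100.77   10000000
"""

Flow = Tuple[str, ipaddress.IPv4Address, ipaddress.IPv4Address, int]


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow lines, skipping blanks and '#' comments."""
    flows: List[Flow] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        window, src, dst, nbytes = line.split()
        flows.append((window, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(nbytes)))
    return flows


def find_mirroring(flows: List[Flow]) -> List[Tuple[str, str, int, int]]:
    """Per window: sum internal-to-internal bytes (transit) and bytes to each
    external /24 that is not a known upstream.  Return (window, /24, external
    bytes, transit bytes) for every /24 whose volume reaches MIRROR_RATIO of
    the transit volume in the same window."""
    transit: Dict[str, int] = defaultdict(int)
    external: Dict[Tuple[str, ipaddress.IPv4Network], int] = defaultdict(int)
    for window, src, dst, nbytes in flows:
        if src in INTERNAL and dst in INTERNAL:
            transit[window] += nbytes
        elif dst not in INTERNAL:
            net = ipaddress.ip_network(f"{dst}/24", strict=False)
            if net not in KNOWN_UPSTREAMS:
                external[(window, net)] += nbytes
    alerts = []
    for (window, net), ext_bytes in sorted(external.items(), key=lambda kv: (kv[0][0], str(kv[0][1]))):
        t = transit.get(window, 0)
        if t and ext_bytes >= MIRROR_RATIO * t:
            alerts.append((window, str(net), ext_bytes, t))
    return alerts


if __name__ == "__main__":
    for window, net, ext_bytes, t in find_mirroring(parse_flows(FLOW_LOG)):
        print(f"{window}: {net} received {ext_bytes} B vs {t} B of internal transit")
```

This only catches the crude "copy every packet somewhere" case the comment has in mind; a backdoor that sends nothing until it is told to drop traffic (the kill-switch scenario raised elsewhere in the thread), or one that samples and compresses, does not move the counters. Its strength is that the counters already exist: carriers bill on them, so the data is there without any extra instrumentation.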

Re:Is this Sufficient? What else could you want? (1)

firewrought (36952) | about 2 years ago | (#41758103)

You're right: it probably is just scaremongering to get an economic advantage for someone. Well, maybe not all of it. The U.S. has certainly done its share of espionage tricks, including delivery of a spiked Boeing [telegraph.co.uk] for China's version of Air Force One. Suspicion tends to mirror one's own tactics.

However, if you really don't trust Huawei, there's no way for them to prove it to you: the backdoor could be hidden in the software, in the compiler, in the CPU microcode, in the BIOS, in some auxiliary firmware, or in some subtle combination of all of these. You'd have to build it yourself, compile it yourself, install it yourself, update it yourself, and you still wouldn't have great confidence because these things can be really damn subtle. Classy of them to reveal the source, but it's a meaningless gesture.

Re:Is this Sufficient? What else could you want? (0)

Anonymous Coward | about 2 years ago | (#41758703)

That and the binaries are not signed, the fab process is closed... it's not classy, it's a tactical move. It's not paranoid to be suspicious of this situation. Look at the political scene with regard to the military's involvement in those companies, the sheer number of hack attempts coming from China, the rapid rise of the military and their goals of "owning" the whole APAC region and tell me you would not be at least a little cautious.

Re:Is this Sufficient? What else could you want? (1)

SEE (7681) | about 2 years ago | (#41758497)

Mere source code disclosure is worthless as proof of trustworthiness, and has been known to be worthless to that end to everyone with the slightest knowledge of the subject ever since Ken Thompson gave his Reflections on Trusting Trust speech 29 years ago.

The real question is, given anyone who knows anything about the subject knows the source code disclosure proves nothing, why did Huawei offer to disclose the source?

Re:Is this Sufficient? What else could you want? (4, Informative)

mhotchin (791085) | about 2 years ago | (#41759075)

http://cm.bell-labs.com/who/ken/trust.html [bell-labs.com]

If you haven't read it, or even if you haven't read it recently, you really should.

Why stop there? Why not go for public review? (2)

badger.foo (447981) | about 2 years ago | (#41757771)

Much like I assume a lot of other /. readers, my trust in the equipment I use to do what it's supposed to do comes from my access and ability to read the source code. There have been minor dust-ups in the open source world about allegations that other governments than China inserted back doors in widely used software, and we still see those allegations surfacing from time to time, but never with anything solid to back them up. I believe searches on the obvious keywords will turn up stories linked from here, as well as links to source code repositories of very high quality indeed. So my advice for Huawei is, let the world see your source code, and please set up a mechanism for reviewing your own code and patches.

Compiler Vulnerability (2)

charon69 (458608) | about 2 years ago | (#41757795)

Is Australia planning on building their own code from that source?

Because how would they know that what they were running was actually the source code they were provided?

And would Australia even be interested in jumping through that extra hoop considering that there are other vendor options available where Australia feels this isn't necessary? The price difference between Huawei and other vendors would have to be fairly sizable to warrant that.

Or, even more insidious, I've heard of the possibility to include backdoors via the compiler rather than via the source code.

http://en.wikipedia.org/wiki/Backdoor_(computing) [wikipedia.org]

Quote from that article:
It is also possible to create a backdoor without modifying the source code of a program, or even modifying it after compilation. This can be done by rewriting the compiler so that it recognizes code during compilation that triggers inclusion of a backdoor in the compiled output. When the compromised compiler finds such code, it compiles it as normal, but also inserts a backdoor (perhaps a password recognition routine). So, when the user provides that input, he gains access to some (likely undocumented) aspect of program operation. This attack was first outlined by Ken Thompson in his famous paper Reflections on Trusting Trust (see below).

If Huawei's code requires anything more than generic gcc, Australia may not be able to verify 100% security, regardless... unless they're given the source code to the compiler as well.

Long story short, this just seems like a huge hassle that Australia is probably going to avoid anyway.

Just my 2 cents...

Re:Compiler Vulnerability (2)

fredprado (2569351) | about 2 years ago | (#41758153)

Obviously they would have to compile and compare to audit, and obviously they shouldn't trust any compiling tool given by the very person being audited...

Re:Compiler Vulnerability (0)

Anonymous Coward | about 2 years ago | (#41758279)

This got me thinking. What the Australian government needs to do is make sure they can compile the code themselves and that they can flash the result to equipment themselves and that the equipment works as required once the flashing is complete. This way they'd have insurance: if the Chinese government decides to use some sly backdoors, the Australian government's worst problem will be how fast they can recompile and reflash everything, which is better than back to the stone age while all the equipment is replaced with competing products. Backup, reflash, restore should be an option.

Captcha: ointment. Apparently what AU.gov might need.

Re:Compiler Vulnerability (1, Informative)

AK Marc (707885) | about 2 years ago | (#41758431)

And would Australia even be interested in jumping through that extra hoop considering that there are other vendor options available where Australia feels this isn't necessary? The price difference between Huawei and other vendors would have to be fairly sizable to warrant that.

Why indeed. Why spend so much justifying why they are planning on over-paying to a company run by white people, when there has never been an "incident" with Huawei gear? Australia is spending millions trying to make sure they spend their money with white people, in order to secure an "insecure" residential Internet network. You tell me, why is Australia inventing all these hoops?

Re:Compiler Vulnerability (1)

Sez Zero (586611) | about 2 years ago | (#41759121)

You tell me, why is Australia inventing all these hoops?

Because they don't trust Chinese companies?

Re:Compiler Vulnerability (0)

Anonymous Coward | about 2 years ago | (#41759157)

is it racism too when China insists domestic companies get 51% control of a partnership? Or is that just being smart, and only 'white people' can be racist?

Re:Compiler Vulnerability (0)

Anonymous Coward | about 2 years ago | (#41759231)

Fuck you, racist.
Take your transparent chinese propaganda and shove it up your ass.

No, you may NOT have Taiwan, and if you reach for it, your gobi desert wasteland will seem a paradise compared to your nuked out cities.
Back the fuck off, or we WILL destroy you.

Re:Compiler Vulnerability (1)

funkboy (71672) | about 2 years ago | (#41758467)

And would Australia even be interested in jumping through that extra hoop considering that there are other vendor options available where Australia feels this isn't necessary? The price difference between Huawei and other vendors would have to be fairly sizable to warrant that.

It is. Depending on how well you negotiate with various vendors, it can be half the price of Cisco, AlcaLu, Juniper, etc.

Re:Compiler Vulnerability (1)

johntromp (565732) | about 2 years ago | (#41759335)

If Huawei's code requires anything more than generic gcc, Australia may not be able to verify 100% security, regardless... unless they're given the source code to the compiler as well.

That wouldn't help, since the compiler recognizes its own source as well, and puts the compiler backdoor in the resulting compiler executable. So the bad compiler source code is only needed initially to create a compromised compiler executable, and can be cleaned up afterwards.
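
Added example, not the poster's and not from Thompson's paper: a Python toy of the self-propagating compiler trojan described in the Wikipedia quote above and in the reply just before this. "Compiling" here is a verbatim copy (the target language is the source language), so the injected text is plain to see, and "running" a binary means exec'ing it. The program names, the master password 'opensesame' and the placeholder token __SELF__ are invented for the illustration. The last function is the simplest check that catches it: rebuild the same source with an independently obtained compiler and compare the outputs, a cut-down form of the diverse double-compiling test David A. Wheeler described.

```python
"""Toy of Thompson's 'trusting trust' attack.  Programs and compiled
binaries are both Python source text; 'compiling' copies the text and
'running' execs it.  Nothing here is real compiler code; names, the master
password and the placeholder token are invented for the illustration."""
from typing import Dict

# The honest compiler: target language == source language, so it copies.
CLEAN_COMPILER_SRC = '''
def compile_src(src):
    return src
'''

# An ordinary program the attacker wants a master password in.
CLEAN_LOGIN_SRC = '''
PASSWORDS = {"admin": "hunter2"}
def login(user, pw):
    return PASSWORDS.get(user) == pw
'''

# The trojan.  It wraps compile_src and (1) adds a master password when it
# sees the login program, (2) re-inserts *itself* when it sees a compiler
# being built.  The __SELF__ token is replaced by a quoted copy of this very
# text, so the injected block carries everything needed to inject itself again.
TROJAN_TEMPLATE = r'''
# --- injected by a trojaned compiler; present in no source tree ---
_TROJAN_TEMPLATE = __SELF__
_honest_compile = compile_src
def compile_src(src):
    out = _honest_compile(src)
    if "def login(" in src:           # target 1: the login program
        out += "\nlogin = (lambda f: (lambda u, p: p == 'opensesame' or f(u, p)))(login)\n"
    if "def compile_src(" in src:     # target 2: any compiler being rebuilt
        out += _TROJAN_TEMPLATE.replace("__" + "SELF" + "__", repr(_TROJAN_TEMPLATE))
    return out
'''


def run(binary: str) -> Dict[str, object]:
    """'Execute' a toy binary: exec the text in a fresh namespace and return it."""
    ns: Dict[str, object] = {}
    exec(binary, ns)
    return ns


def compile_with(compiler_bin: str, src: str) -> str:
    """Use a compiler binary to compile a source program."""
    return run(compiler_bin)["compile_src"](src)


def bootstrap_trojan_compiler() -> str:
    """Stage 0: the attacker builds one compiler from a tree that contains the
    trojan, then deletes that tree.  Every later rebuild uses clean source."""
    trojan_src = CLEAN_COMPILER_SRC + TROJAN_TEMPLATE.replace("__SELF__", repr(TROJAN_TEMPLATE))
    honest_bin = CLEAN_COMPILER_SRC          # in this toy a binary is its own text
    return compile_with(honest_bin, trojan_src)


def demo() -> Dict[str, bool]:
    """Rebuild the compiler twice from CLEAN source using the stage-0 binary,
    then build the login program with the result."""
    gen0 = bootstrap_trojan_compiler()
    gen1 = compile_with(gen0, CLEAN_COMPILER_SRC)   # source is clean...
    gen2 = compile_with(gen1, CLEAN_COMPILER_SRC)   # ...and so is this one
    login = run(compile_with(gen2, CLEAN_LOGIN_SRC))["login"]
    return {
        "rebuild_from_clean_source_is_trojaned": gen2 == gen0,
        "master_password_accepted": bool(login("admin", "opensesame")),
        "real_password_accepted": bool(login("admin", "hunter2")),
        "wrong_password_rejected": not login("admin", "nope"),
    }


def independent_rebuild_matches(suspect_bin: str, trusted_bin: str, src: str) -> bool:
    """Cut-down diverse double-compiling: compile the same source with the
    suspect compiler and with an independently obtained one and compare.
    A self-reproducing trojan has to change the output, so it shows up."""
    return compile_with(suspect_bin, src) == compile_with(trusted_bin, src)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
    print("suspect compiler matches independent build:",
          independent_rebuild_matches(bootstrap_trojan_compiler(), CLEAN_COMPILER_SRC, CLEAN_COMPILER_SRC))
```

The point of the check is that it needs a second compiler from somewhere the first vendor does not control, not the vendor's compiler source: as the reply above says, that source can be clean and the binary still poisoned. In the toy the honest and trojaned outputs differ by the whole injected block; with a real toolchain the comparison is between binaries, and the build has to be reproducible for the diff to be meaningful.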

The US government did it! (5, Insightful)

kawabago (551139) | about 2 years ago | (#41757817)

When American telecom companies won contracts to supply a Soviet satellite, I think it was Poland, with telecom equipment, the CIA or NSA or both managed to get back doors into the equipment to both monitor calls and, in the event of hostilities, to shut the phone system down completely. If American companies let their Government subvert their technology in foreign countries, China would be foolish not to.

Re:The US government did it! (0, Troll)

DNS-and-BIND (461968) | about 2 years ago | (#41758119)

I'm not sure - are you actually arguing in favor of this xenophobic, racist policy?

Hardware (0)

Anonymous Coward | about 2 years ago | (#41757853)

You'd bury the covert functionality in the hardware. Good luck finding it.

Shame! (-1)

Anonymous Coward | about 2 years ago | (#41757871)

Why is it that we suppose China's telecoms are spying for their government? Is it because they have slanty eyes? How unlikely a way to do espionage. I guess it's because the US thought up the idea, and of course, caused a good deal of trouble with stux. WE are the sneaky bastards.

Re:Shame! (0)

Anonymous Coward | about 2 years ago | (#41758085)

Why is it that we suppose China's telecoms are spying for their government? Is it because they have slanty eyes? How unlikely a way to do espionage. I guess it's because the US thought up the idea, and of course, caused a good deal of trouble with stux. WE are the sneaky bastards.

Thought up the idea? You can't be serious... this practice is hundreds of years old. The U.S. and China are just the latest in a long line of powerful nations trying to get a leg up any way they can.

Re:Shame! (1)

tibit (1762298) | about 2 years ago | (#41758227)

It's not an unlikely way to do espionage you clod, it's the simplest way to do it. What's simpler than having direct access to all the communications infrastructure, accessible from anywhere in the world?

Horseshit - complete horseshit. (1)

Anonymous Coward | about 2 years ago | (#41757903)

If the Chinese Government said the sky was blue,I'd doubt it.

IT'S A TRAP!!! (3, Funny)

HPHatecraft (2748003) | about 2 years ago | (#41757917)

-signed Admiral Thomas Dalton Ackbar

Re:IT'S A TRAP!!! (2)

oodaloop (1229816) | about 2 years ago | (#41758559)

We can't repel overused movie quotes of that magnitude!

Not without spending a lot of time and money (0)

Anonymous Coward | about 2 years ago | (#41757937)

Search for "Reflections on Trusting Trust" by Ken Thompson. At the end of his paper, he talks specifically about hiding code in firmware that never appears in the sources. The only way to be sure is to validate every single bit in the firmware, and every single gate on the silicon.

it's the same as the cisco code (1)

Joe_Dragon (2206452) | about 2 years ago | (#41757945)

it's the same as the cisco code they just changed some names around.

See? We Yo Friends! (0)

CanHasDIY (1672858) | about 2 years ago | (#41757973)

We no put secret backdoor code in yo phone! We no pee-pee in your Coke!


So... Anybody know anything about any launch coooooooooodes?

Trusting trust (0)

Anonymous Coward | about 2 years ago | (#41757995)

http://cm.bell-labs.com/who/ken/trust.html

Reflections on trusting trust (0)

Anonymous Coward | about 2 years ago | (#41757999)

Do we get access to the compiler's source code too?

Who are the alternative bidders? (2)

PPH (736903) | about 2 years ago | (#41758057)

Is their h/w and s/w being audited for back doors and spyware?

No need to audit US sourced equipment. Thanks to CALEA [wikipedia.org] we are 100% certain its been bugged.

and is this the code loaded on your device? (0)

Anonymous Coward | about 2 years ago | (#41758061)

how do you know that this code they are giving out is the code that is compiled and loaded on their devices?

Simple answer (1)

Alsee (515537) | about 2 years ago | (#41758175)

Will they be able to obscure any backdoors written into their equipment?"

Yes. [ioccc.org]

-

Re:Simple answer (0)

Anonymous Coward | about 2 years ago | (#41758309)

Plus, considering that this is a hardware vendor, they could do something completely absurd like have a chip that responds to a series of increments and decrements by shorting ground to vcc. The ways of disabling a system are too numerous to count.

and the rest (0)

Anonymous Coward | about 2 years ago | (#41758231)

What is the chance of seeing cisco and others do the same?

Not possible (2)

AaronW (33736) | about 2 years ago | (#41758239)

I'll believe it when I see it. Many, if not most, of their products run on VxWorks, a proprietary closed-source real-time operating system. All it takes is for someone to find a way to access the t-shell and you own the box. I believe this was recently shown to be trivial to do with access to the web interface (no login needed). Once you are in the t-shell you own the box. In VxWorks the t-shell is like root on steroids. You can call any function, and access any global variable or any memory location that you choose.

VxWorks historically has not been a secure operating system, leaving security entirely up to the applications developer.

VxWorks is not like a traditional operating system where you load programs off of a filesystem and execute them, with a clear separation between the OS and applications. Instead, everything is linked together into a single binary blob. Now it's possible it has changed significantly since I last used it, but I doubt it.

As Safe As Approving Food Based Upon The Recipe (1)

Anonymous Coward | about 2 years ago | (#41758251)

I am sure that the recipe for tainted food does not list lead, bacteria, or any other deadly contaminants.

Not worth a lot.... (3, Insightful)

gweihir (88907) | about 2 years ago | (#41758265)

Backdoors cleverly disguised as obscure implementation bugs are very hard to find, and if you find them, you do not know whether they are bugs or obscure implementation errors. Typically, making sure no backdoors are in a piece of complex software is more effort and more difficult than reimplementing it with trustworthy and competent people.

Re:Not worth a lot.... (1)

Beardo the Bearded (321478) | about 2 years ago | (#41758615)

Brilliant! You give the source code AND you put in flaws in the verification that you already know about, so you can trivially pwn the boxen.

Not enough (2)

robmv (855035) | about 2 years ago | (#41758285)

Source code access is never enough to guarantee that something is free of backdoors. How is it added to the hardware? How can I verify that the devices coming in (from China in this case) have the right binaries installed? And don't forget about hardware backdoors. It is like trusting a PC manufacturer with a preloaded Linux installation because I have the source code of it on a DVD to review. If you can't trust the manufacturer, there is no source that can help.

Re:Not enough (0)

Anonymous Coward | about 2 years ago | (#41758495)

You hit the target with a precision laser. Nobody has a way to know if they have the same binaries installed.

Can source code be trusted (0)

Anonymous Coward | about 2 years ago | (#41758395)

If you think that you can trust source code, read Brian Kernighan's 1984 Turing Award lecture.
http://cm.bell-labs.com/who/ken/trust.html

calling cisco's lawyers... (0)

Anonymous Coward | about 2 years ago | (#41758519)

Didn't a black hat presentation [phenoelit.org] show that they were basically running an ancient ripped off version of cisco ios? May as well just invite cisco to sue.

It isn't worth the risk. (1)

hhawk (26580) | about 2 years ago | (#41758573)

First consider the halting problem; you really can't tell what complex code can do... although many eyes are better than none. Then you have to check every code release and compare all the hardware to software, etc. This is (the halting problem) a complex/hard problem.

Second, you have to see everything from the OS, the programs, programmable chips, firmware, etc.

Third, you have to hope there isn't any type of "malware/spyware" that is loaded remotely post install, and that you see all the updates, etc. This would include the fear of back doors and automatic doors (default passwords, etc.).

In the 1800's every major telegraph wire ran through England and, while they said they wouldn't spy, they spied on EVERY msg. The benefit of spying is too great for China/PLA not to attempt something in the past, present or future.

I can't see this happening (1)

hoolaparara (1952522) | about 2 years ago | (#41758623)

I'm sure the US government will step in and tell Australia not to, and I'm sure our PM will knuckle her forehead and say "By your command".

This would set a dangerous precedent for source code to be made available and I can't see the US government thinking it's a good idea for American companies to have to do so.

Not that I'm saying they've got US government backdoors in them, no I'm not .. know what I mean.... nudge nudge ... know what I mean.....

So much noise about the Chinese.... (1)

Cute and Cuddly (2646619) | about 2 years ago | (#41758873)

Who is to say that Cisco gear does not have a backdoor for the CIA or the NSA to spy as well?

Re:So much noise about the Chinese.... (0)

Anonymous Coward | about 2 years ago | (#41759283)

No one. That's the whole point. If you want something done right, you fucking do it yourself.

As an Australian... (1)

Anonymous Coward | about 2 years ago | (#41759019)

I'd much rather have the Chinese government listening in on my communications than the US government (who no doubt would have access if US equipment is bought instead).
At least they won't extradite me for copyright violations.

Every Country (0)

Anonymous Coward | about 2 years ago | (#41759205)

Every first world country needs to know how to build its own communication equipment. Any less, and I don't think you should be called first world.

Just Because (1)

hduff (570443) | about 2 years ago | (#41759321)

Just because you can see the source code doesn't mean the binaries were compiled from it.
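The check that this comment, and the earlier "and is this the code loaded on your device?" and "Not enough" comments, are asking for is the one a defender can actually automate: rebuild the published source reproducibly, digest every artifact, and diff that manifest against what is unpacked from the image shipped on the device. The script below is an added example written for this thread; it is not code from the original post, from Huawei, or from any vendor. The manifest format (sha256sum-style lines), the file names, contents and digests are all constructed for illustration, and it assumes the rebuild is deterministic, since without byte-identical artifacts no digest comparison is possible.

```python
"""Verify that the files on a shipped firmware image match the artifacts of an
independent, reproducible rebuild from the published source.

Added example (not code from the original thread or from any vendor).  The
manifest format, file names, contents and digests below are constructed for
illustration.  Assumption: the rebuild is deterministic, so byte-identical
sources yield byte-identical artifacts; without that, digests cannot be
compared.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Report:
    matched: list = field(default_factory=list)
    mismatched: list = field(default_factory=list)  # on image, digest differs
    missing: list = field(default_factory=list)     # in manifest, not on image
    unexpected: list = field(default_factory=list)  # on image, not in manifest

    def ok(self) -> bool:
        """True only if every file is accounted for and byte-identical."""
        return not (self.mismatched or self.missing or self.unexpected)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(build_outputs: dict) -> str:
    """Render sha256sum-style lines ('<hex>  <path>') for rebuilt artifacts."""
    return "\n".join(f"{sha256_hex(data)}  {path}"
                     for path, data in sorted(build_outputs.items()))


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines; reject malformed ones instead of skipping."""
    manifest = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line {lineno}: {raw!r}")
        try:
            bytes.fromhex(parts[0])
        except ValueError:
            raise ValueError(f"bad digest on line {lineno}: {raw!r}") from None
        manifest[parts[1].strip()] = parts[0].lower()
    return manifest


def verify_image(manifest: dict, image_files: dict) -> Report:
    """Compare every file unpacked from the image against the manifest.

    image_files maps path -> bytes, as produced by unpacking the image.
    Files on the image that no rebuild produced are reported as well: a binary
    with no corresponding source is exactly what a source review cannot see.
    """
    report = Report()
    for path in sorted(set(manifest) | set(image_files)):
        if path not in image_files:
            report.missing.append(path)
        elif path not in manifest:
            report.unexpected.append(path)
        elif hmac.compare_digest(sha256_hex(image_files[path]), manifest[path]):
            report.matched.append(path)
        else:
            report.mismatched.append(path)
    return report


# Constructed sample data: what an independent rebuild from source produced ...
REBUILT = {
    "bin/router_os": b"\x7fELF...rebuilt-from-published-source...",
    "etc/snmp.conf": b"rocommunity public 10.0.0.0/8\n",
    "etc/ntp.conf": b"server 10.1.1.1\n",
}
# ... and what was unpacked from the image that arrived on the device.
SHIPPED = {
    "bin/router_os": b"\x7fELF...rebuilt-from-published-source...",   # identical
    "etc/snmp.conf": b"rocommunity public 10.0.0.0/8\nsyslocation lab\n",  # differs
    "lib/libsupport.so": b"\x7fELF...no corresponding source...",       # extra file
    # etc/ntp.conf is absent from the shipped image
}


def demo() -> Report:
    """Run the check on the constructed sample; returns the Report."""
    return verify_image(parse_manifest(build_manifest(REBUILT)), SHIPPED)


if __name__ == "__main__":
    r = demo()
    print("matched:   ", r.matched)
    print("mismatched:", r.mismatched)
    print("missing:   ", r.missing)
    print("unexpected:", r.unexpected)
    print("image matches rebuild:", r.ok())
```

Two caveats that the rest of the thread already raises still apply: a clean report only says the image equals what your toolchain built, so a compromised compiler (Thompson's point) or logic buried in the silicon is outside what this check can see, and the rebuild has to be done on infrastructure the vendor never touched.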

Underhanded C Contest anyone?? (1)

Wrath0fb0b (302444) | about 2 years ago | (#41759395)

This reminded me of The Underhanded C Contest [xcott.com] -- where the goal is to introduce malicious-acting but innocent-looking bugs that, even upon discovery as bugs, could be passed off as programming errors and not intentional backdoors. This should be required reading for anyone reading potentially-hostile code that's trying to pass an audit.

Surely Huawei has a large enough networking codebase to put enough of these in that Oz won't find them, and even if they do find them all -- how do you prove that a bug with an unintended leak/security concern was malicious?
