164 comments

[ 4.5 ms ] story [ 112 ms ] thread
I wonder how much of this becomes a self-fulfilling prophecy, aided in part by ongoing weaponization of inter-nation trade discussions by targeting firms from China (arrests of executives, bans, etc). Of course, I've seen it argued that China has been targeting US firms for a decade in various ways - which only makes the events this year yet another escalation of action.
Why not resolve the 737 MAX issues first, if we are worried about flying things causing damage?
This is not even the same Department. A government can and should have multiple simultaneous priorities.
A government also can and should prioritize amongst multiple simultaneous priorities.
They do. That's why governments have different departments (DHS and DOT in this case) and associated, prioritized budgets.
No I am talking about more directly. As an obvious example, in wartime everything goes to support the defense of the nation and is shifted to support that goal.
Same branch, but no coordination, right?
Youre only paranoid if youre wrong.
paranoia, it is not just a social condition, it is also a defense mechanism.......
Why not publish a specific threat?

These vague "The Chinese are up to something but we cannot reveal what" isn't really helpful, particularly given the current trade tensions (and political motivations e.g. "bring jobs home").

I'm not really "siding" with the Chinese, they may be up to something, but the US has really done themselves a great deal of damage when their own allies don't really believe them.

Just publish technical information. It isn't hard. It would do huge damage to the Chinese and reinforce the US's whole argument. But yet after over a year, nada.

There have been instances whereby a robotic hoover (Xaomi(sp?) one?) have been sending their generated floor maps back to servers in CN, so I don't think it's unreasonable to assume drones could be doing the same thing.
Sources?
It was on this week's BBC Click program, there was a full room of IoT devices with wireshark showing their packet traces.
I saw a lot of concern about sending data to servers in a specific location such as CN. However, there is no such thing as Custom for Data. So, I think sending data to either CN or any other place is not much different.
Data is subject to export restrictions and customs same as anything else. Some countries even mandate where and how data must be stored.
We're talking national security. I hope nobody is running a Xiaomi robot vacuum at a sensitive or classified site, or any other brand of robot vacuum for that matter...

There's a difference between individual invasions of privacy and national security. There's definitely Chinese apps that invade your privacy. There's also Western apps that do too. The question is of national security however.

There is a difference, and individual privacy is more important.

"National security" is a vague term that is always abused to make money, take away liberties or kill people.

Observing private homes can help select your targets. By observing the inside of the home you may learn if the owner has access to secrets (national security or commercial), what kind and what level. From where you can switch to traditional methods. My 2c.
It gives you the layout of homes, it doesn't allow you to observe their occupants. It is a spinning laser.
Add voice control ("Hey Robot, run a sweep") and WiFi and you have a very capable spy system. Not to mention cameras and GPS which could all be justified in terms of improving the performance of robot vacuums.
Teslas send loads of stuff back to Tesla servers which I'd assume are in the U.S. It's not an unusual thing to do in this cloud-happy day and age.
It's not a debate over whether the US hoovers up information. Most of this US vs China debate centers on one thing: which side do you want to give your information to. That is what is being argued over; that dispute is going to get worse for a while yet as China pushes outward globally in its tech ambitions.

The better alternative: I don't want anyone to have my information - unfortunately is largely not going to be an option. The choice will mostly be between the US and China (or in some cases, European tech providers, which will frequently work with the US). If it's not already that way, it certainly is going to be in the next 10 or 20 years.

The issue is that everyone's burned out by ridiculously long overly-broad EULAs written in impenetrable legalese. The general sentiment even, here on HN where people should know better, is "sure, they SAY they can do those things but (it's just boilerplate | they wouldn't really ever do that stuff | they really just meant this much more benign thing | they need that access to provide the product | it helps them debug problems)". And then people act all shocked when, once again, a company does precisely what it told you it was going to do.

A classic example is the "we collect your data to provide X service" / "you can disable service X" that we see all over the place. Everyone reads it as "you can disable data collection" but that's not what it says, and it's not what really happens.

The better alternative is to not accept this kind of invasiveness but the ease and convenience of giving in is too seductive for most people, so we invent a comfort belief that it's somehow benign or at worst irrelevant.

Sure, I can imagine that's fine for car telemetry and you enter into that knowing. It's common technology, even pool cars will have a black logging box. Do I expect a device in my home to be mapping out the floorspace and sending that back to unknown parties (whatever the location) without consent? Then no, that's different.
Tracking every move outside of your house is A-OK but knowing your floorplan is unimaginable?

Why?

They're covered in cameras too. Imagine finding out your car has been uploading photos of the security detail inside your embassy. Pooh-poohing it away as "car telemetry" is like calling Cambridge Analytica's shenanigans "gathering metrics".
Let's assume that they're encrypting the payload before sending it back home and we've broken their encryption techniques.

You don't think it would do a lot of harm to publish detailed analyses letting them know we've broken their encryption?

You could publish a white paper demonstrating that "unknown" data is being sent and look at the code/device that is sending it (since they're in the US). There's no need to even break encryption if you have the sending device.
Yeah, that's similar to how we can't let Saddam know that we know where his giant WMD factories and storage facilities are, so you just have to take our word for it...
I don't know how old you were at the time of 9/11 - but there were loud, public voices in the Intelligence Community telling everyone that the WMD situation was fabricated. To the point the only person claiming there were WMDs was Cheney and his inner circle, which is why both the Democrats and our international partners had to be brow beaten into supporting the invasion of Iraq.

To claim these two situations are the same is a very, very large stretch.

>To the point the only person claiming there were WMDs was Cheney and his inner circle, which is why both the Democrats and our international partners had to be brow beaten into supporting the invasion of Iraq.

Just "Cheney" and NYT, and CNN, and the entire establishment, sans some voices. Besides the trillion dollar war efforts went on anyway (also against Afghanistan, a below third world country that has almost nothing to do with the, probably Saudi-funded attack).

>To claim these two situations are the same is a very, very large stretch.

Sure, they're not the same, today things are far worse.

Due to the declining status of the US globally, the fabrications, psy-ops, and "trust us" propaganda has sky-rocketed.

Watching the mainstream news and the silent compliance of all sides on the bogus narratives is like participating in an alternate reality universe (and that's before we even get to the fake news)...

>Just "Cheney" and NYT, and CNN, and the entire establishment, sans some voices. Besides the trillion dollar war efforts went on anyway (also against Afghanistan, a below third world country that has almost nothing to do with the, probably Saudi-funded attack).

That's just a blatant, and easily disproved re-write of history. You can rag on CNN all you want for trying to give both sides of the story an opportunity to present their case, but they absolutely voiced concerns about whether or not there were actually WMDs.

http://edition.cnn.com/2002/WORLD/meast/12/23/sproject.irq.w...

Right...

I see the IAEA expressing concerns, I don’t see CNN or anyone in the USIC doing so.

If they were loud and many, perhaps you can provide a link to a USIC member voicing concerns. Even those who were anonymously quoted about the aluminum tubes debate weren’t quoted as saying there were no WMDs.

This form of argument, “Situation A has substantial differences from Situation B therefore no analogy can be made” strikes me as meritless.

It is only helpful to point out differences if those differences clearly invalidate the analogy. The mere presence of difference is not enough.

The former chief weapons inspector, Scott Ritter, an American, voiced skepticism, but he was treated like a crazy person by the media.
That's a wild reframing of the run up to Iraq. Dick Cheney forced Joe Biden and Hilary Clinton to vote for the war? Democrats had a narrow majority in the Senate, and a majority of them voted for the war. They ran the intelligence committee, so they had plenty of access to the information at the time, and i give them enough credit to have made their choices independent of Dick Cheney's wishes.
You are either with us or against us was directed internally too.
> I don't know how old you were at the time of 9/11 - but there were loud, public voices in the Intelligence Community telling everyone that the WMD situation was fabricated.

Sorry, I didn't hear those voices from US government sources, and not really from major US media outlets. I'm sure they did exist, but if a single mouse speaks up while the lions roar you'll need a good microphone to pick that up.

That time, they correctly figured they didn't even need a new Nayirah to testify, they just made it up and most of the media went into war mode: it doesn't matter if it's true, now is not the time to ask questions, support the troops and embed your journalists. Very few keep their professional distance when the bombs are falling, too luring the heroes' song.

Sorry if it's too harsh but "trust us, this time it's different" doesn't cut it for me, Bush summed up my feelings on that issue quite well: "There's an old saying in Tennessee—I know it's in Texas, probably in Tennessee—that says, 'Fool me once, shame on...shame on you. Fool me — you can't get fooled again.'"

Correct about the WMD:

- Million protesters in London, UK

- 100k protesters in Amsterdam, NL ( me included )

- France wouldn't have any of it

- At the start of the campaign only the UK and NL were in the 'coalition'

We knew the WMD was bullshit : Blix said so, Ritter? said so.

Well, the specific concern is that all new tech ships with OTA update capability. Infrastructure should probably never have this in the first place for a variety of reasons, but it does and it will because the of huge cost savings it can enable. When the Chinese government can tightly control the companies under it, and those companies control the OTA update, then nothing produced by those companies can ever be considered safe so longer as China is considered adversarial. The same could absolutely be said about US made products being used in countries that the USA is adversarial against, and that's likely how the USA government started thinking about it.

"Hey, what's a great way to deal with China if we go to war? Whataminute, they could do that to US!"

Just look at the havoc that has happened unintentionally due to bad updates being pushed out on a large scale and extrapolate to what could happen with a malicious actor at full control.

>> The same could absolutely be said about US made products being used in countries that the USA is adversarial against

Such as, itself.

Well of course. Every country has at some point been hostile to it's own citizens or some segment of it's population. It's something that the citizenry need to push back on and keep the government in check. But by and large, the US is no where near as adversarial to it's citizens, companies, or infrastructure as China.
That claim would need some substantiation. Not sure how you even measure that.

Certainly, if you and I started spending repeated 30 minute looking for examples of adversarial actions taken by the US and China against their people, neither of us would run out of examples before tomorrow.

So what are you claiming exactly?

I was responding to TallShortGuy's snarky assertion that the US conducts espionage on itself. Of course it does, everyone knows it does, and almost every other country does the same. The fact that the US spies on itself does not mean that there is not a greater threat of espionage from China or that the US should ignore the possibility.

I was also asserting that I personally do not believe that a government should conduct espionage on it's own people and that society needs to push back against such actions. Even in cases where another country is highly adversarial to you, the milder home country might be much worse because of their proximity and involvement in your day to day life.

I don't see how the trade war fixes the possible security issue caused by a potential OTA update in a potential conflict, a solution would be to make illegal OTA updates for critical hardware and software without getting the update reviewed. So military or other important things would buy only products that are reviewed and with updates that are signed by the government.

Or even simpler have this hardware and software setup to only get OTA updates and commands only from central command.

This feels so hypocritical considering that many PC around the world run CPUs that have Intel ME or equivalent and there is no media coverage of known backdoors in CPUs(I know technically it is a fully featured remote management feature that had some bugs in the past but Intel assures us that there are no more critical bugs and for sure no intentional bugs and this enterprise feature is also included in all CPUs not only in enterprise ones)

The trade war won't fix issues with OTA as a vulnerability. It is useful for the US to point it out to tip things in their favor so it gets a lot of coverage.

I also agree with you that the solution to OTA updates is tight control, but that isn't realistic either. They are talking about drones in the article. These are devices bought and run by companies that build infrastructure in the US but are not directly related to the government. They want OTA because it has legitimate benefits in worker time and cost savings and helps keep their "fleet" running with all the latest features.

Now, an example attack might be an OTA update for the drone controller to shunt mapping data back to home base in China to give them high quality military maps of infrastructure for attack planning. The attack might be unrealistic, but the spying threat isn't. Alternatively, if car autopilot takes off, imagine the economic damage an OTA attack could do that causes 30% of the traffic in the US to just stop. To prevent this sort of attack, you would have to review ALL code coming out of China since you can't directly hold them responsible after the fact when they are out of your sovereign jurisdiction. The kind of dedicated and educated workforce required to code check all firmware/software updates for such huge classes of consumer products is just not going to happen and it can only get worse.

Intel ME is an abomination, but it's also well known and gets a lot of coverage. It's just not in the mainstream news right this minute.

>Intel ME is an abomination, but it's also well known and gets a lot of coverage. It's just not in the mainstream news right this minute.

It was probably only a topic on technical forums.

Technical question, can't you build a drone that does not need OTA updates from manufacturer ? You have it connect only to your trusted IPs.

Also sending the high definition photos to China won't appear on anybody network traffic? You just need 1 person to detect it and you have the some kind of proof(though when a similar thing happened with Amazon Alexa it was blamed as a bug and not espionage).

>Technical Question

Of course you can, but even then you're still trusting the firmware that is being put out by the potentially hostile company even if you gate keep it. To check it would require a software team at least as large as the potentially hostile one for any serious attack. That's a big economic incentive to trust the manufacturer.

>sending the high definition photos

Or you could just send metadata, telemetry, and flight diagnostics that can be used to build up sensitive information under the guise of metrics. Remember that the NSA was mostly just using metadata too.

>it was blamed as a bug and not espionage

In these cases, the two look exactly the same in software, so proving one or the other is very difficult.

So from your points all Chinese products should be made illegal until China will not be a threat to US, this means until China collapses or kisses US butt.
> You have it connect only to your trusted IPs.

Wi-Fi makes that pretty damn hard to verify. In theory, malicious firmware could even opportunistically link up with other malicious firmware acting as a bridge via some undocumented protocol that would only be detectable by looking at the raw spectrum.

yeah, but we should think and implement security measures in all systems indifferent of politics and economics. Imagine some terrorists hacks Tesla server and sends a command for all cars to crash. We would need all important systems to be designed in the assumption that something bad will eventually happened(hackers, company goes out of business, stupidly(see Firefox addons issue) ) etc
The trade war -- if done right -- would supposedly force China to make some real concessions if they want the trade war to end. For instance, they almost agreed to end the forced tech transfers from US to Chinese companies, but then they changed their minds, which seems to be what actually prompted the recent tariff raise to 25%.

I understand not "making the economic situation worse", but sometimes things have to get worse before they get better. Obama had "good relationship with China" and China trampled all over American companies because of it, pretty much making up whatever demands they wanted if those companies wanted to do business there. Plus, even before the trade war, car imports had 25% tariffs in China, and I think 0-5% in the U.S. for the reverse.

It reminds me of when Google was "open" with the Gmail and GChat APIs, and then Facebook abused it to get all of Gmail's contacts through the mass-invite feature, while Google couldn't do the same with Facebook contacts.

Similarly, Microsoft was working on adding GChat support to Skype - but the reverse (Skype in GChat) wasn't possible. This example illustrates pretty well why you can't always be "open to everyone, no matter what", when some can become hyper-aggressive in exploiting what you have to offer when being so open, but not paying it back in any form.

I believe I also read a recent comment about RISC-V developers giving the Chinese the could shoulder in collaborations, because Chinese developers tend to "take take take" and not contribute anything back, ever.

I even see it all the time with people praising Samsung, etc for "innovating more than Google", forgetting the fact that 95% of the OS is Google's work.

Your economic facts(though some of them don't sound real) are of topic in the security discussion. If a real war starts between A and B the fact that A and B respected all the trade agreements is irrelevant. Ex: US spies on their allies, so you can respect all trades, be allies and still have espionage. The solution would be to have security features, like open source the code, firewall critical components etc.
Nonsense! If a deal hasn't been made, each side could change their mind, right? If we want to make a deal and I take great advantages on you, is it right for me to accuse you if you regrete before the deal is made?

"because Chinese developers tend to "take take take" and not contribute anything back, ever." It's not ture. For example, Siggraph is the best conference in the computer graphics field. In 2018, the number of papers that contain Chinese or ethnic Chinese is 45%.

Besides, many Chines and ethnic Chinese reasearchers are active in many frontier technology filed such as AI and Computer Vision field.

The acadimic and industry status and constribution of Chines reashers/company are increasing rapidlly.

> the number of papers that contain Chinese or ethnic Chinese is

Nobody cares about any "ethnic Chinese" fraction. We're discussing a trade war between US and PRC, not some racial struggle between Chinese and Caucasians or whatever.

my Chinese friends feel all very similarly. While I don't agree with them, it's not productive to be insensitive to their concerns. That's not how you solve conflict.
It doesn't even make any sense. Do they think America is similarly engaged in a trade war with our own ethnic Chinese citizens? One of our most strident anti-China hawks is named Gordon Chang. And we aren't in any struggle against Taiwan.

No, I don't have to be sensitive to such delusions.

Yes, they are Chinese Americans and they feel this country discriminates heavily against them (for example in college admissions).
I don't understand for example why 5g infrastructure can't work like WSUS. All your devices point at your own update servers, and on the update servers you can approve and decline the distribution of certain upstream updates.
> Just publish technical information. It isn't hard. It would do huge damage to the Chinese and reinforce the US's whole argument.

I doubt that it would damage China. The existence of the threat is already well publicized.

I think that U.S. intelligence does not talk about specific threats because the attack vectors would probably misunderstood and underestimated by the general public. There would inevitably be pushback like "Gee, we have to give up our drones just because of X?!"

The consequences from these types of events aren't felt immediately, and many people perceive that as being equivalent to no consequences at all.

This has nothing to do with convincing the general public. The US is struggling to convince their own allies that the threat is real, and definitely haven't convinced the technical community they need to stop buying e.g. Huawei hardware.

> The existence of the threat is already well publicized.

Parroting the same vague "there's a threat, but the threat is secret so we cannot tell you about it" isn't well publishing anything. It is bordering on fear mongering. A well publicized threat would be a series of white papers describing in technical terms the weaknesses/backdoors/etc in Chinese manufactured hardware.

No allies doubt the Chinese engage in hacking and other forms of digital espionage. Do other nations need a white paper detailing our weapons systems to believe in our capability? The world doesn’t owe you proof of anything and government intelligence agencies know more than you. Sorry but nobody is going to give you a white paper.
You don't need a whitepaper to say "Any device with over-the-air updates (or server-side processing) controlled by a Chinese company can receive anytime new software (thus a payload) controlled by the Chinese intelligence services".

This is what's implied.

This is a great argument against all OTA devices.

But if the US actually took that threat seriously, half of the Valley would be out of a job tomorrow.

> This is a great argument against all OTA devices

Indeed. And for life safety uses it's appropriate. In safety-conscious settings such as those involving line voltages requiring NRTL (UL for ex) listing OTA updates are forbidden: One must have physical access to the device to perform a permitted [0] code update.

[0] And the code updates themselves are subject to IEC 60730/UL 1998 or it's back to the NRTL for more testing

It's a great argument for devices made in the US. We can't trust Chinese tech yet we don't make our own.
It feels more likely to imply that "we have no hard evidence". So the argument still boils down to "because China", not "because spying". Which isn't a strong argument if you like to (at least try to) draw your own conclusion and not be fed one.

Are you worried that your iPhone or Tesla will be hijacked the same way? You already know this happened before with the knowledge of the companies involved (secret subpoenas or national security letters) or without it (beacon implants).

Lets be real here "because China" is a decent enough argument in the US at the moment. Just swallow the propaganda.
> It feels more likely to imply that "we have no hard evidence".

There is hard evidence of the vulnerability, which logically follows from any OTA update capability, but there may be no hard evidence of exploitation yet.

Think of it this way: if your software has a RCE, you fix or mitigate it regardless if it's actively being exploited or not.

> Are you worried that your iPhone or Tesla will be hijacked the same way?

That's a very valid concern for some people.

Ultimately, software security boils down to "who do you trust?". Say what you will about the US, but your goals and values are very likely less incompatible with those of the US than with those of authoritarian China [1] [2].

[1] https://www.nytimes.com/2013/08/20/world/asia/chinas-new-lea...

[2] https://en.wikipedia.org/wiki/Document_Number_Nine

The lesser evil. The enemy of my enemy is my friend. History is full of examples where people followed short term aligned interests straight into long term suffering.

Do you think it's more about your values or somebody's ego and interests?

> The US is struggling to convince their own allies that the threat is real

The US has to convince their allies that buying from China is more dangerous than buying from the US. I don't think anybody doubts there isn't a threat.

> I think that U.S. intelligence does not talk about specific threats because the attack vectors would probably misunderstood and underestimated by the general public.

I doubt intelligence agencies care about convincing public one way or another. I suspect they are worried about revealing details of their methods and thus have a blanket "say nothing" default mindset.

> "I doubt intelligence agencies care about convincing public one way or another"

Why say anything at all then? Saying nothing is one thing, but they are saying something. Why the half-hearted messaging? I honestly don't get it.

> I doubt that it would damage China. The existence of the threat is already well publicized.

It'd certainly damage Chinese companies and curtail those companies' utility as sources of intelligence. How many drones do you think DJI would sell if it became known that flight logs and aerial photos were being uploaded to the Chinese government? (This is all purely hypothetical but the DJI app is very aggressive about permissions and updates, so they absolutely could if they wanted to. I have a dedicated phone for mine which never gets to connect to the internet, for this very reason.)

> How many drones do you think DJI would sell if it became known that flight logs and aerial photos were being uploaded to the Chinese government

Roughly about as many as today. A recreational or content production drone is sitting dead without a battery >>95% of the time. This is a much weaker threat model (both objectively and in the perception of consumers) than all those connected, always-on microphones and cameras installed in homes, offices and pockets.

I mention this as a precedent: to many people out there, "the Chinese government" isn't a lot more foreign than "some American tech empire" and data-derived unpleasantries are far more likely to have practical implications for them with US immigration than with the Chinese communist party (because the US is still more open). And yet those people still buy westcoast-designed (and connected) devices like hotcakes.

Nobody wants to give up cheap Chinese goods and buy expensive American goods (which are all made in China just the same hilariously) simply because America asks so nicely. Yeah I just ordered a Xiaomi mi9 and I feel fine.

If there was indeed a threat to national security I trust my own government to make decisions not the US.

>These vague "The Chinese are up to something but we cannot reveal what" isn't really helpful, particularly given the current trade tensions (and political motivations e.g. "bring jobs home").

Isn't that the purpose? To fuel the trade tensions for the home team.

Don't expect truth in trade wars...

I think the purpose is to drum up FUD for the MIC. If China were really this Big, Bad Threat, we'd cease all trade with them. Nations don't trade with their enemies.
Microsoft did such a write up about a laptop.
Is it that they're pointing to vulnerabilities, not exploits?

1. This class of device has known vulnerabilities

2. These devices are still sufficiently novel that they make economical new and different types of attacks

3. Organizations should consider how these vulnerabilities could potentially compromise your current security plans.

This reminds me of "believe us they have bio-weapons and need to attack Iraq" trope followed in the recent past. This is just building up media narrative and trying to brainwash people, similar to what happened in the past.
I agree 100%. At this point I am strongly isolationist. If terrorists from another country really start hijacking our planes, let's come up with a solution other than war.

War only serves further destabilizes the country, and it definitely shouldn't be on the table unless someone is actually sending troops on our soil.

Last resort would be banning incoming visitors from that country. Not ideal, but a MUCH better solution than war in my opinion.

Because the techniques the Chinese are using in their phones and other tech were most likely pioneered by the NSA and remain classified.
Pretty sure Chinese people would be perfectly capable of developing their own tech if they wanted to
I wonder if public discourse and pop culture in the US will switch from paranoia as a bad or laughable thing (tinfoil hats! area 51!) to paranoia as a civic duty (to some degree, as in WWII and the Cold War).

Though it's more jingoistic, I find the latter less infantilizing, when it's coupled with a guarded paranoia about the US too.

These vague "The Chinese are up to something but we cannot reveal what" isn't really helpful, particularly given the current trade tensions

This is exacerbated by the very poor levels of security in these devices in general: DEF CON 23 - Robinson and Mitchell - Knocking my neighbors kids cruddy drone offline

https://www.youtube.com/watch?v=5CzURm7OpAA

However, to put things into perspective, purpose built security cameras -- even expensive ones from well reputed industry brands -- have had similar very poor levels of very poor security for many years.

https://www.youtube.com/watch?v=B8DjTcANBx0

It's not really a problem of drones. It's a problem with the poor levels of security in consumer devices in general. It's "as if" the situation has been engineered to let bad actors do lots of spying.

They deserve some credit.

The following is a contrived analogy, admittedly not a great one, to illustrate why I suspect they can't give specifics.

Imagine if you have a gigantic elephant standing near a village. It's so big that you can only see one of the following, depending on where you stand: a trunk that can suck people up, legs that can smash, a tail that can create a wind that tosses people about. Three people are standing in different places to see each of these: Alice (trunk), Bob (legs), and Charlie (tail - poor Charlie). Someone comes running into the village and leaves an anonymous note saying a huge being is a threat and it is going to smash houses.

Except the villagers, if they can figure out who was standing where and what they could see, can tell who left the anonymous note. It was Bob, who could see the legs.

Giving the specifics they know about a threat reveals what they know, and what they don't know, and reveals how they might have gotten the information.

You analogy is a perfect demonstration of the US government's tendency to make vague, ominous predictions to stoke fear in its populace so that they will unquestioningly go along with its nefarious intents (ie regime change, chemical warfare, airstrikes on innocent people).
It does always seems like the US government is using mass media as it's mouthpiece to spout propaganda about the boogeyman de-jour.

Anything to deflect away from US matters at home or abroad, anything to keep the populace in constant fear and suspicion - ooh, look what the nasty commies are doing, red danger, oh oh, now it's those terrible immigrants.. oh, now it's those dastardly commies again!

This puts to rest all illusions and fantasies of 'free markets', competition, choice and free trade. Markets are political constructs and there is nothing inherently free or fair about them.

There is clearly one set of rules in operation for a chosen few whose companies get access to global markets without fearmongering and thus can grow uninhibited and then the real world where evidence-free scaremongering, demonization and sanctions are used to limit market access, sabotage others and destroy competition before it forms.

And citizens of the former get the privilege of articulating a set of free market values in a depoliticized context free world that don't hold in the real world. But its better this happens than it doesn't so the rest of the world can see through the self serving hypocrisy and plan accordingly. Those with this mindset will always find a way to limit others.

Agreed. Saying "there is something" but not revealing what it is only keeps the consumers in the dark. The Chinese would go through their entire chain to make sure they hide their tracks again, etc, so it's not like opportunities like counter-surveillance will remain. It's literally stupid to say they can't reveal what it is because there's no benefit and only makes me think Homeland services are idiots.
They don't say what the threat is because it is the same threat that we are facing from US companies... I'm pretty sure that you can guess it.
It's about what could also. Every Chinese company with > 50 employees has a representative of the Communist party on the board.

It's defined by law and law works very differently in China.

Security researchers in the field have been talking about this for several years. DJI absolutely dominates the consumer/pro UAV market so this is a real issue.

Source: I had a UAV related startup several years ago and got to know some of the security folks.

> I had a UAV related startup several years ago and got to know some of the security folks.

Oh, excellent, you are confirming that 'spying' issue is real and you seem to be the one who can give us some real insight - can you provide names of "the security folks", maybe some links to their research where we all could see proof for all these claims?

The real issue is security or the real issue is a non-US company dominating in a tech field?
Now they know how everyone else feels
It seems like they're just saying:

- China makes most of the drones

- A lot of them aren't very secure

Which isn't surprising to me considering the state of things like DVR cameras (also mostly made by China, also plagued with security issues) and similar tech.

The real problem is that consumers want cheap but quality and security aren't cheap. The cost of security isn't obvious and consumers don't really know how to evaluate it.

But, when things like drones and cameras start communicating over the 5G backbone then we should maybe be concerned about who controls both of them.

> start communicating over the 5G backbone

5G operates at OSI layer 1 (and maybe has some impact on layer 2). I've never heard of any aspect of it changing higher layers, which is where the concerns about control come in. Is there something I'm missing?

If not, 5G has nothing to do with application-level control (eg: controlling a drone's movements, intercepting a camera feed, etc). We'll still use TCP/IP, HTTPS, and everything else we use today. It may or may not be a concern right now (due to inadequate security at the higher OSI layers), but 5G -- or any other type of network topology -- does not change this. Please don't spread this type of psuedo-technical nonsense by making statements like this, especially with anything "5G" which is a current media fascination for some reason (starting to get bored with "IoT" maybe?).

That's not what I was suggesting at all.

If you control the cell infrastructure you absolutely can put cellular capabilities into products that aren't explicitly advertised. That would be a bigger risk for surveillance tech.

Your complaint ignores my original statement about controlling both components (cellular and device). There is no need to tamper with someone else's TLS-secured communications or anything, you can just plant cellular capabilities into the devices.

I didn't pick up that's what you meant by "both of them" so sorry for my misunderstanding.

However I still don't think 5G is an important factor here. If you control both ends at a higher layer of the stack (eg, it's your own software connecting to your own servers) you can do whatever you'd like. If you have OTA software updates, you can do whatever you like at any point in the future. If this channel is properly secured with TLS no one can intercept or fake it, and if you want, you can design the devices so it won't work without this connectivity present (see: most cloud-based "smart home" devices on the market today).

> If you control the cell infrastructure you absolutely can put cellular capabilities into products that aren't explicitly advertised. That would be a bigger risk for surveillance tech.

So many devices already have internet connectivity built-in, and if money is not a concern you can already incorporate a GSM modem and pay for a link to the existing cellular networks -- it's not like AT&T (or whoever) is going to care what you are doing with the connection, so long as you're paying for it. You can also use other short-range radio links.

I'll grant you that 5G introduces the possibility to have this link without AT&T's knowledge -- at least assuming they don't have the ability to also detect the traffic coming out the tower's uplink. The big downside of this attack vector, aside from the immense cost and complexity of building this into 5G carrier equipment and all these devices, is if detected and blocked at the uplink all that effort is suddenly for nothing.

Basically, the 5G-specific attack vector is expensive and brittle, and thus pretty unlikely. The attack vector at application level is easy and cheap (no hardware-related costs), gets you almost all the same capabilities, and in many cases can be done today on existing in-field products with OTA software updates.

> The real problem is that consumers want cheap but quality and security aren't cheap.

I think it's well accepted that there's high quality standards in China (there's the whole range of quality) - for drones DJI has been a reference for example.

But tech security is such an intangible thing that most of the population doesn't understand it.

And in all honesty it seems that there's no protocol, or standard procedure, or evaluation of tech goods that come to the market and must pass security testing.

For example, with GDPR, at least a framework came out for data protection and protocols were set in place. The adoption was and still is chaotic for a lot of organizations, and it has plenty of flaws - but it is indeed something that's working towards a goal.

So far, in terms of security, it's like there's nothing in place.

"I'm not being paranoid", said every paranoid ever
The fact you are paranoid does not mean they are not after you.
But makes it more likely that you'd be seeing stuff that isn't there. And stating one is not paranoid does not convey any kind of useful information since the most paranoid are usually the ones who will be more convinced they aren't. Case in point, I don't know if US is being paranoid on this or not and I couldn't care less. I was just pointing out the general case of how ironic it is for someone to argue that they are not being paranoid.
People used to say "Five Eyes" is just a conspiracy theory. And then Snowden showed up.
Isn't this the US's fault for letting manufacturing move to China in the 1980-present? Any large global migration of industry will have this same threat eventually.
Lack of foresight is a collective trait of the human condition. It'd be interesting to see who the protestors of said outsourcing in the 80s were, and see what they say now. How did they foresee it in the first place? Is the current outcome better or worse than they thought it'd be? What's their current prediction for the state of things in another 40 years? A good article topic for the journalists out there.
Lots of people saw it. It was obvious if your job was being outsourced or if your factory was being closed, quite apparent if no new machinery was being invested in.

At the time Ronald Reagan and Margaret Thatcher were around and all of this was discussed. The predicted decline happened. There are capitalist rent seeker types that are okay with it, they also voted for the lunatic politicians. The people not so happy about it don't get to write for the capitalist newspapers giving the illusion to people with no skin in the game that 'nobody predicted this calamity'.

So predictions for forty years hence? It does not work like that, does it? Back in the 1980's you just knew that if manufacturing was gone that there would be no market for locally made goods, no possibility of exporting quality stuff on the world market and that we would not be able to drive prosperity on the back of financial services forever.

If you push someone over a cliff you are not sure whether they will break their neck, crack their head open or get impaled on a spike, all you know is that the outcome will not be a good one.

Right now we are using far too much in the way of fossil fuels, the climate is not right and it is getting worse. I don't know how ravaged the world will be in forty years hence, all I do know is that carrying on as we do is not a good idea.

One concept that always struck me as bizarre, was "we'll move the manufacturing overseas, but the manufacturing engineering will remain in the US". Years later, I asked a Harvard economics professor about it. He said yes, he'd taught that... "the ideas were in the air" (paraphrase - it's been years).

So one problem I have with much analysis of Trump populism, is its failure to recognize that subcultures doing group-think, believe absurdities, and tolerating being lied to, are a broader problem, worthy of more fundamental analysis, and an opportunity for broader remediation.

Sure, but even when it's your own fault, you have to fix something bad happening to you.
I think America was perfectly happy with China's ascent as long as outcome appeared to be a country with generally compatible values. Instead, we see a maturing country with values starkly different from America. Now that this is evident, and China's path certain, American policy is adjusting accordingly.
The solution to this problem are laws that require devices like this to support self-hosted servers for OTA, data, or anything else. You should not be required to use a vendor’s services AND the vendor should not be allowed to implement permanent back-doors.

The problem, of course, is that runs afoul of US espionage and law enforcement demands that they have access to such data themselves.

They want it both ways in a world where you literally, cannot have it both ways. US cyber policy on this front has been a disaster.

You don't need laws for that. You just need companies offering it and consumers choosing it. Which won't happen until it's easy to do.

Consumers can change a lightbulb and little else. Make it that simple.

Something I've wondered- why hasn't Lenovo received the same flack that DJI and Huawei received?
It's because Lenovo don't dominate their market as much as DJI dominate the drone market or Huawei the telecom.
Lenovo does nothing more than assemblying, and their acts on PC can be easily identified.
No, assembling means more security risks, as it could temper more parts.

However, trump saying that Huawei could be part of the trade deal means banning Chinese companies has nothing to do with security. The US didn’t go after Lenovo simply because assembling isn’t a high value add process and doesn’t threat US tech leadership. Huawei got banned because its tech is too advanced.

(comment deleted)
Isn't it the same with the US government? They can request info from any US company using the well known NSA letters.

It looks like the US technology is a national security risk for any other sovereign nation.

Says the country whose NSA scoops up on every piece of data and spies on everyone, including their own citizens.
Why don't you learn more about "Prism Event"?
World: We're not being paranoid. US drones kill innocent civilians around the world.

They're really beating the drum on China. Be intensely suspicious. China is a trading partner that does some shitty things (e.g. in Xinjiang province), but the nation focused on world domination is the one right here.

You're comparing apples and oranges. US drones aren't doing fully autonomous killing, they're killing through policies of leaders you help elect. That's the apples. The oranges is tech we purchase (drones in particular) having backdoors. Why do you think these two are comparable?
yeah, it's more comparable to Androids and iPhones.

the US government could deploy an update to turn any phone into a spy device because both apple and Google are headquartered in the US

You say that like it's a settled issue and I don't think it is. If the capability is there, companies can be compelled to use it. If the capability doesn't exist, it isn't clear that companies can be compelled to invent it.
It's unfortunately a reality for us down under though - so it's not beyond the realm of imagination
If you are presented with two candidates that both are pro killing, you have no free choice, it's a managed democracy.
I really hate that I had to upvote this.
Concentration camps are just "some shitty things".
> "The Communist Party of China now has in their law the ability to interfere and take information from virtually every Chinese company,"

I think that not only the Communist Party of China but all the political systems around the world have the ability to demand lawful access to information from virtually every company that is supposed to comply with their laws.

The problem (or a problem) is that the rule of law in China is apparently capricious and unpredictable.
"We're not being paranoid"

No, but the amount of suggestive "Might" "Could" etc titles/articles now out there shows a whole other picture. China is now the new enemy. And everybody must know apparently.

Even respectable news outlets can't resist the temptation of completely unfounded copying of the American media machine.

I'm not stating China is so innocent, but sorry there is only one country in the world systematically spying, bombing and manipulating friend AND enemies alike. And that's the USA.

So please, my dear Americans. Stop it yourself and we might lend you our ear again. Sincerely, a fellow world citizen, located in Europe.

> there is only one country in the world systematically spying, bombing and manipulating friend AND enemies alike

Your premise is clearly wrong.

NATO bombed Libya. Every member of NATO is guilty. There are 29 nations in NATO. Here they are:

Belgium, Canada, Denmark, France, Iceland, Italy, Luxembourg, the Netherlands, Norway, Portugal, the United Kingdom the United States, Greece, Turkey, Germany, Spain, Czech, Hungary, Poland, Bulgaria, Estonia, Latvia, Lithuania, Romania, Slovakia, Slovenia, Albania, Croatia, and Montenegro.

Those nations are all very happy to have the US as their superpower shield to be pointed at a target when it's convenient (see the recent past: Kosovo; the US rapidly stopped a genocide the Europeans couldn't or wouldn't deal with in their own backyard).

France aggressively lobbied the US to stay in the military conflict in Syria. In fact, Macron's lobbying is the only thing that kept the US involved as long as it was.

South Korea and Japan are mostly happy every day that the US has its military present - and nuclear shield - to protect them from China and North Korea.

Besides that, Russia was quite happy to put its military to use in Syria for its self-interest.

When it comes to spying, the five eyes are all obviously guilty. Beyond that, every country of consequence spies to the extent it's able to. The European powers are all guilty of it.

Germany sat out the bombing of Libya, much to the chagrin of the United States.
> Kosovo; the US rapidly stopped a genocide ...

The bombing part may have been rapid – especially when they bombed a civilian train[1] and misleadingly sped up the video of the event – but dealing with the aftermath[2] doesn't seem to be going as rapidly:

"A decade on from the Nato bombing campaign, more than 90,000 Serbs are still in danger from unexploded cluster munitions, according to a recent report funded by the Norwegian foreign ministry.

...

"At the current pace, it is estimated that it will take another 20 years to get rid of unexploded ordnance from Serbia."

[1] https://en.wikipedia.org/wiki/Grdelica_train_bombing

[2] http://news.bbc.co.uk/2/hi/europe/7960116.stm

I feel like your comment resonates with deep anti-American prejudice by making lofty unsubstantiated claims and has a bit of condescending elitist sentiment. The reason why I read HN comments is for informative, objective and interesting arguments.
"Alexa, please ask NSA to provide me with the traces of network exchanges initiated by my chinese drone"
Hmmm, it's almost like all this sensor-loaded, networked hardware, whose signing keys are held abroad, could be realistically adapted for intelligence-gathering by a push of a few buttons if a government the company couldn't blow off compelled it so, but if a script kiddie hacked them for entertainment it could still be pretty bad.

It's really not that different from the FUD about Kaspersky [1] or the still-ongoing saga of Huawei. In the past, such capability had to be deliberately planted at great effort, while these days we buy it voluntarily and spread it in our homes and businesses, fly them above our cities, and put them in networking closets to sit in the middle of all of our communication.

Sure it's FUD, but it's the government and military coming to terms with the implications of what just happened, and trying to shape the future to lessen a risk. This is orthogonal to whether they want the exact same capability for friendly-made goods, or whether there's any industry of comparable domestic goods left. Other countries, when they have a spare moment after dealing with domestic needs, are also well within their rights to feel the same kind of unease about Cisco, Juniper, Intel... hell, Tesla? Have you seen the number of cameras on that thing, and the fact that it can drive on its own?

This is the evolution of 'loose lips sink ships', where the capability of people to spread information has multiplied, but soon people won't even be necessary for information to be disclosed. Their consumer goods will do it for them.

[1] https://news.ycombinator.com/item?id=17193172#17193475

(comment deleted)
The problem that US is facing is the loss of credibility over time. It reminds me of The Boy Who Cried Wolf. US doesn't have the credibility to convince the world anymore, even if the threat is real..

There is a lot of rebuilding the US has to do. First fix the politics which is rife with petty interests, lobbying, political imbalance very skewed towards corporations over citizens, extreme polarization, 2 party system, hypocrisy,etc..

But all that, with great effort, can be fixed. A purge is needed, not just try to shove the dirt under a carpet and pretend all is nice and dandy.

The other thing that has happened is the internet and the free flow of information. It is no longer the case of manipulating 3-4 media outlets. People get their information at thousands of different places. I think its not really a loss of credibility, but the normalization of credibility based on a huge pool of information, rather than a restricted one.
I was referring to past actions of the US that proved to be unjustified and disastrous: WMDs in Iraq, Libya, Afghanistan, etc.. This is related to the normalization of credibility based on information ubiquity, but I think it's mainly US's actions speaking for themselves. After the WWII us has become a policing force that more or less , with the exception of the Vietnam war, wasn't as active in foreign wars as they've been recently. The Vietnam war fuckup was largely forgotten or attributed to a different America that had changed. But the recent wars were also pointless and proved otherwise.

Once again, US has the ability to change, but it will take a lot of effort to do so and will have to start leading by example.

The newspapers and their online equivalents get their information from the same newswires. You only have to manipulate those few original and allegedly reputable sources and the media echo chamber makes it appear there is a 'free press' with every journalist doing investigative journalism. In reality it is a copy and paste operation, newspapers just take what there is on the newswire and dumb it down a bit for their audience.
> I think its not really a loss of credibility, but the normalization of credibility based on a huge pool of information

That's a great point. It's like the "credibility bubble" burst due to the increased inflow of information, and the public is correcting toward a more realistic valuation - which is to say, recognizing propaganda for what it is, and rightfully being critical of mass media.

I'm also seeing that there are massive investments being made to regain the trust bubble through social media. Historically, the public seems to have short-term memory though..

I just got a DJI Mavic Air to take pictures and videos when we go hiking. Now I feel weird.
>"[If] you fly a drone above a pipeline, there's a pretty good chance someone is gonna see it up there," he said, but "a spy satellite just takes a picture from 120 miles up or whatever. Then, of course, no one's going to know what happened."

You have to be kidding, no one is going to notice a white drone 3km[0] above them, if there even is anyone around to notice. Sure, a spy sat is better, but it's also orders of magnitude more expensive, can't loiter[1], and might still have inferior imaging. This is just embarrassing.

[0]: https://en.wikipedia.org/wiki/DJI_(company)#Phantom [1]: Spy satellites pretty much always orbit faster than the earth turns in order to have better coverage.