Nope so far the people criticising Huawei have not provided any evidence of malpractice. Huawei on the other hand have been very open and review by independent third party auditors [1].
When you consider that the only one in the world who seems to have a problem with Huawei security is NSA and GCHQ who have both encouraged the use of broken security so that they can hack their own citizens I think its clear this is just baseless western propaganda.
Thanks thats a much better article with some evidence of poor security.
But I still feel the GCHQ claims are not substantiated enough, for example the criticism that they don't use reproducible builds, fair enough but then who does outside open source? For GCHQ to exaggerate this as shoddy I think shows the true intentions of the review.
I don't want my data siphoned or even sampled by the CCP who controls their own Han Chinese citizens with surveillance AI. Or a regime that imprisons the Falun Gong, Uighur, or political dissidents.
If you think this is some nonsense Western propaganda then it's simple, you're a collaborationist. I work with plenty of Chinese nationals who confirm all of what is said by Western "propaganda". One of them from a very well off family actually said "how much freedom do people actually need"?
So, if I have to live in a world that picks NSA surveillance or Chinese surveillance, then I choose NSA.
As I understand it, the issue is not whether Huawei radically worse/better than other competitors. The issue is whether the code is of high enough quality that UK auditors can perform additional verification that it's safe to use.
To provide some context for this, UK officials have a real (and reasonable) concern that building out their 5G infrastructure with Huawei equipment will expose them to attacks by the Chinese government. They have this fear because this is exactly the sort of thing that the "Five Eyes" nations (including the UK) have been doing to other nations. (You can argue about right and wrong and hypocrisy, but at the end of the day those arguments aren't going to make the UK's concerns illegitimate, and they won't assuage those concerns.)
At the same time, UK companies want to take advantage of the cost savings they can get from deploying Huawei equipment. To try and square this circle, the UK government established a local cybersecurity operation dedicated reviewing Huawei's software. This organization -- composed of UK citizens, some with security clearance, and overseen by NCSC -- was supposed to resolve these concerns by performing deep source audits of Huawei products before they were deployed. The problem that inspired this article is that Huawei's software is not of high enough quality to make this kind of "trust but verify" review work. So the compromise isn't functioning, and this article is someone ringing the alarm bell.
Is Huawei's stuff radically worse than other vendors'? Maybe, maybe not. Is it true that Huawei is being held to a higher code-quality standard than, say, Cisco just because the UK feels that's the only safe way to bring a nation-state competitors' software/hardware into their critical infrastructure? Absolutely yes, that is true. In some abstract sense it's also unfair. However, is the UK wrong to ask for this? I can't really say that they are.
Sometimes life isn't fair. These are nation states trying to protect themselves from non-theoretical risks, and Huawei happens to be caught in the middle. What's important is that these complaints about code quality should not be read as claims that Huawei is backdooring their software. They should instead be read as arguments that Huawei needs to significantly up their code quality game if they want access to these big markets.
I agree with what you said, as a UK citizen I do worry about other countries spying on me in the same way that the UK spys on them.
I want our infrastructure to be secure but a biased evaluation will give biased results not secure ones.
If the UK was really worried about foreign powers invading their infrastructure(they should be) the real solution is to evaluate the security of that infrastructure (anything foreign in an unbiased way) or roll your own. Instead of doing this we play security pantomime with no more substance than "maybe the chinks are up to something?" thats not security its the government trying to make the public feel safe, and it's a massive failing of my nanny state government.
Cut GCHQ budget pour it into rolling our own silicon thats how to protect UK infrastructure and economy.
The security researcher in the article says: “””
Asked about how Huawei compares with its competitors, Levy said: “Certainly nothing is perfect, certainly Huawei is shoddy, the others are less shoddy.”
“””
I also read the article, but I wanted to know whether I should trust that security researcher since I can hardly imagine worse practices than those leading repeatedly to logins with hardcoded passwords (aka backdoors).
> You wouldn’t expect to have, in six months since we published that report, less than that, them coming out going ‘we’ve fixed it.’ That would be unachievable.
The security researcher also states they will hold that viewpoint regardless of Huawei's actions. I don't think their viewpoint is based on the competition or security standards.
There's more to shoddy than just security. I'm personally familiar with Huawei storage for example - implementation and support are _significantly_ below competitive norms.
Example: critical configuration processes involved filling out an Excel 97 (yes 97 and this was last year) spreadsheet and uploading it to the storage system. Yuck!
I remember an occasion a few years back where a colleague of mine was getting a VPN connection from the UK to a middle east site working - the Cisco partner couldn't get it to work and said "We don't understand why it doesn't work as it's basically the same as this one that does work" and sent us the config file for another one of their customers complete with credentials etc.
This article, like others before it, doesn't give any technical information. I'm still waiting to see a published report detailing the extent of the "shoddy standards" or backdoors in Huawei devices.
Some years ago, a technical report was published about backdoors found in Samsung Galaxy devices [1], yet Samsung devices are still sold all over the world today.
Thanks. This is closer to what I was looking for but it still lacks technical information like what hardware contains backdoors and how those backdoors are being accessed.
How about "UK companies should be more picky about buying products with high-security standards". All the UK ISPs appear to use Huawei stuff, they chose it, there seems to be quite a range of choices. Clearly if the ISPs are choosing the worst security products they should get some of the blame, they're supposedly experts too, it's not like selling to consumers who you can't expect to know better.
Presenter {in summary, 16m44s}: "So, according to GCHQ the threat of spying that we've heard so much about recently is, overblown, but there is another threat ..."
At 21m06 onwards the presenter, Kelly, talks about the report with Levy.
Levy, GCHQ: "We don't believe the things we are reporting on are Chinese state malfeasance ... they're just poor engineering"
I don't get you, they're responding to the USA contention that Huawei is effectively an agent of Chinese security services - the reason they've not published on it before is probably because they're not a watchdog for code quality in telecoms businesses.
I guess if some country tells us not to use Microsoft because they spy for USA then GCHQ would tell us about their incompetence too. And maybe actual spying? (Backdoors in 'secure boot' or Exchange server, or whatever).
> I guess if some country tells us not to use Microsoft because they spy for USA then GCHQ would tell us about their incompetence too. And maybe actual spying?
Right this is their job and this is the first time they have done it, whats not to get?
26 comments
[ 3.4 ms ] story [ 79.9 ms ] threadWhen you consider that the only one in the world who seems to have a problem with Huawei security is NSA and GCHQ who have both encouraged the use of broken security so that they can hack their own citizens I think its clear this is just baseless western propaganda.
[1] https://disruptive.asia/huawei-german-source-code-review-lab...
[1] https://news.ycombinator.com/item?id=19612473
But I still feel the GCHQ claims are not substantiated enough, for example the criticism that they don't use reproducible builds, fair enough but then who does outside open source? For GCHQ to exaggerate this as shoddy I think shows the true intentions of the review.
If you think this is some nonsense Western propaganda then it's simple, you're a collaborationist. I work with plenty of Chinese nationals who confirm all of what is said by Western "propaganda". One of them from a very well off family actually said "how much freedom do people actually need"?
So, if I have to live in a world that picks NSA surveillance or Chinese surveillance, then I choose NSA.
To provide some context for this, UK officials have a real (and reasonable) concern that building out their 5G infrastructure with Huawei equipment will expose them to attacks by the Chinese government. They have this fear because this is exactly the sort of thing that the "Five Eyes" nations (including the UK) have been doing to other nations. (You can argue about right and wrong and hypocrisy, but at the end of the day those arguments aren't going to make the UK's concerns illegitimate, and they won't assuage those concerns.)
At the same time, UK companies want to take advantage of the cost savings they can get from deploying Huawei equipment. To try and square this circle, the UK government established a local cybersecurity operation dedicated reviewing Huawei's software. This organization -- composed of UK citizens, some with security clearance, and overseen by NCSC -- was supposed to resolve these concerns by performing deep source audits of Huawei products before they were deployed. The problem that inspired this article is that Huawei's software is not of high enough quality to make this kind of "trust but verify" review work. So the compromise isn't functioning, and this article is someone ringing the alarm bell.
Is Huawei's stuff radically worse than other vendors'? Maybe, maybe not. Is it true that Huawei is being held to a higher code-quality standard than, say, Cisco just because the UK feels that's the only safe way to bring a nation-state competitors' software/hardware into their critical infrastructure? Absolutely yes, that is true. In some abstract sense it's also unfair. However, is the UK wrong to ask for this? I can't really say that they are.
Sometimes life isn't fair. These are nation states trying to protect themselves from non-theoretical risks, and Huawei happens to be caught in the middle. What's important is that these complaints about code quality should not be read as claims that Huawei is backdooring their software. They should instead be read as arguments that Huawei needs to significantly up their code quality game if they want access to these big markets.
I want our infrastructure to be secure but a biased evaluation will give biased results not secure ones.
If the UK was really worried about foreign powers invading their infrastructure(they should be) the real solution is to evaluate the security of that infrastructure (anything foreign in an unbiased way) or roll your own. Instead of doing this we play security pantomime with no more substance than "maybe the chinks are up to something?" thats not security its the government trying to make the public feel safe, and it's a massive failing of my nanny state government.
Cut GCHQ budget pour it into rolling our own silicon thats how to protect UK infrastructure and economy.
So, apparently from that person’s viewpoint, yes.
The security researcher also states they will hold that viewpoint regardless of Huawei's actions. I don't think their viewpoint is based on the competition or security standards.
Example: critical configuration processes involved filling out an Excel 97 (yes 97 and this was last year) spreadsheet and uploading it to the storage system. Yuck!
So subjective
Some years ago, a technical report was published about backdoors found in Samsung Galaxy devices [1], yet Samsung devices are still sold all over the world today.
[1] https://redmine.replicant.us/projects/replicant/wiki/Samsung...
---------
https://www.reuters.com/article/us-netherlands-huawei-tech-i...
This one? https://www.gov.uk/government/publications/huawei-cyber-secu...
I have no idea about HW, but I heard that they are there also ahead of the competition.
Dr Ian Levy, quoted in the OP, was interviewed recently by BBC Click, https://youtu.be/yCzNHi9TBCQ?t=921.
Presenter {in summary, 16m44s}: "So, according to GCHQ the threat of spying that we've heard so much about recently is, overblown, but there is another threat ..."
At 21m06 onwards the presenter, Kelly, talks about the report with Levy.
Levy, GCHQ: "We don't believe the things we are reporting on are Chinese state malfeasance ... they're just poor engineering"
The first time GCHQ tells the public about poor engineering. What an amazing coincidence.
I guess if some country tells us not to use Microsoft because they spy for USA then GCHQ would tell us about their incompetence too. And maybe actual spying? (Backdoors in 'secure boot' or Exchange server, or whatever).
Right this is their job and this is the first time they have done it, whats not to get?