Brits disagree with Paul’s assessment of Huawei’s security threat

Conversation 30 comments

  • wp7mango

    29 March, 2019 - 9:42 am

    The Brits specifically stated that they don't believe this is anything to do with the Chinese state.

    Basically, this is a quality issue, not a political issue. If the quality issues can be addressed, it would resolve the security issues.

  • wright_is

    Premium Member
    29 March, 2019 - 9:48 am

    The problem isn't about national security or backdoors.

    The problem is the general lax coding standards. Along the same lines as the TP-Link disclosure today by Google, who released a proof of concept for a zero-day flaw in TP-Link routers.

    Poor coding isn't a sign of Chinese government intervention. It is just poor coding. Cisco isn't much better, for example, either.

    It will be interesting to see what the two milliard dollar investment in improving code security will bring to Huawei kit over the next couple of years.

    As to the Chinese laws forcing companies to cooperate with them, how about the US equivalents, which have been in place much longer. FISA, National Security Letters, Patriot Act anybody?

    It is a slap in the face for Huawei, but it isn't much different to the assessment of most major comms kit from other countries either. Heck, Japanese researchers found dozens of security holes in LTE this week. It certainly doesn't do anything to back up the US position. It just tells Huawei to get their coding act together or else.

    • lvthunder

      Premium Member
      29 March, 2019 - 11:59 am

      In reply to wright_is:

      Oh so Google is reducing our security and helping the bad guys yet again releasing proof of concept code for a flaw that hasn't been fixed yet. At least I don't own any TP-Link gear.

    • lvthunder

      Premium Member
      29 March, 2019 - 12:01 pm

      In reply to wright_is:

      Last time I checked the US doesn't throw its people in concentration camps like the Chinese do with their religious minorities. What you are helping the government do matters.

      • skane2600

        29 March, 2019 - 1:17 pm

        In reply to lvthunder:

        "Last time I checked the US doesn't throw its people in concentration camps"

        Well, at least not since WWII. Not every Chinese business is responsible for their government's actions just as not every US business is responsible for our government's actions.

        • lvthunder

          Premium Member
          29 March, 2019 - 2:16 pm

          In reply to skane2600:

          I should have said currently you are right.

          My comment though is in regards to this

          "As to the Chinese laws forcing companies to cooperate with them, how about the US equivalents, which have been in place much longer. FISA, National Security Letters, Patriot Act anybody?"

          Who you are cooperating with and for what purpose is a big component. I know businesses aren't responsible for their government's actions. I can just judge them on their own behavior.

          • skane2600

            29 March, 2019 - 2:22 pm

            In reply to lvthunder:

            The biggest component is what companies actually do when they cooperate with their government. We can't just assume without evidence that Chinese companies support their government in evil ways, but US companies are pure.

            • wright_is

              Premium Member
              30 March, 2019 - 3:02 am

              In reply to skane2600:

              IBM and the Nazis in the 1930s, for example.

      • wright_is

        Premium Member
        30 March, 2019 - 3:01 am

        In reply to lvthunder:

        Gitmo?

        • skane2600

          30 March, 2019 - 5:01 pm

          In reply to wright_is:

          I forgot about Gitmo. It's funny how some in the US think that because the prisoners are in Gitmo they must be terrorists. These "enemy combatants" were captured under battle conditions in a foreign country, while here in the US innocent people have gone to prison for years even though they were arrested under ideal conditions.

          The only thing to fear about trying these people in a real court rather than the kangaroo variety is the embarrassment of discovering that the people tortured are found not guilty by a jury.

  • Paul Thurrott

    Premium Member
    29 March, 2019 - 9:49 am

    I wrote about this.

    https://www.thurrott.com/cloud/203863/british-report-highlights-security-issues-in-huawei-networking-gear

    And the Brits actually agree with me, btw: They do not want to ban Huawei. They would like the company to respond faster when there are issues.

    • skane2600

      29 March, 2019 - 1:19 pm

      In reply to paul-thurrott:

      Right, I'm not sure why Bob Nelson didn't just comment on your original story rather than create a forum post.

      • Paul Thurrott

        Premium Member
        29 March, 2019 - 3:10 pm

        In reply to skane2600:

        Suspect he believes I was ignoring it.

  • Paul Thurrott

    Premium Member
    29 March, 2019 - 9:50 am

    Also this post is offensive so I've cleaned it up.

  • simont

    Premium Member
    29 March, 2019 - 10:35 am

    They also said they didn't find any backdoors. However they did say that the coding was terrible and they found a lot of bugs and the actual build quality wasn't great either. So unintentional holes

    • lvthunder

      Premium Member
      29 March, 2019 - 12:02 pm

      In reply to simont:

      So why would you want that equipment in your infrastructure?

      • simont

        Premium Member
        29 March, 2019 - 3:59 pm

        In reply to lvthunder:

        I forget who said this but: If we built houses like the way we build software, the first woodpecker to come along would destroy civilization.

        No, but we don't know how much better other manufacturers' code is.

  • madthinus

    Premium Member
    29 March, 2019 - 2:11 pm

    The bigger issue that was highlighted by this report is that the quality of the code is not great and that issues identified 12 months before are still not fixed. To me that is more worrying than current day spying.

    • simont

      Premium Member
      29 March, 2019 - 4:01 pm

      In reply to madthinus:

      That is an issue.

      And their consumer stuff isn't much better. Someone reported a bug in one consumer router, it was fixed in the specific router but the same bug was found in other router models 3 years later.

  • jules_wombat

    29 March, 2019 - 2:41 pm

    What has been identified is that this is a poor Quality Issue NOT a political issue, as the Americans would make us believe. Obviously we should avoid poor quality products, which may have security code, but no one has justified the US claims of deliberate Chinese state intervention here.

    • lvthunder

      Premium Member
      29 March, 2019 - 2:57 pm

      In reply to Jules_Wombat:

      Just because it's poor quality doesn't automatically dismiss the claims of the US government. Just because the government isn't publicly saying specifics doesn't mean they don't have them. I'm guessing releasing the details would reveal how they got the information. If spies are involved releasing that information could get someone killed. In fact because it's poor quality it means many nation state actors can get in there. That's even worse than just one country being able to get in.

      • wright_is

        Premium Member
        30 March, 2019 - 3:08 am

        In reply to lvthunder:

        Then they shouldn't publicly state that there are political problems with Huawei, when they can't back it up in public. It just makes them look silly. "Huawei is untrustworthy!" "Why?" "Because we say so, so nah!"

        The way the British did it is much more sensible, they looked at the code and pointed out quality problems with the code, that is something that they can point a finger at. "It's full of holes, look!"

    • Bob Nelson

      29 March, 2019 - 3:06 pm

      In reply to Jules_Wombat:

      Am I the only one who reads linked articles anymore?

      Here you go:

      "Recent laws in China require Chinese firms, if directed, to assist the government in intelligence collection."

      “This report’s stark conclusion should give pause to any country considering using Huawei for 5G,” said James Lewis, a cyberpolicy expert at the Center for Strategic and International Studies. “It’s pretty damning for the U.K., a country that has done more than any other to reduce the risks of using Huawei, to say it can’t manage the risk of using future Huawei products.”

      "The company was founded in 1987 by Ren Zhengfei, who spent about 20 years in the People’s Liberation Army serving in a military-technology division"

      GCHQ, which is the British equivalent of our NSA, did everything here except scream from the rooftops "WE VOTE NAY!". I have a feeling they were restrained by the politicians from telling China to pound sand.

      And yes, from a technical point of view, they suck. "Matthew Green, a computer scientist at Johns Hopkins Information Security Institute, said GCHQ is essentially saying that “Huawei can’t write software to save their lives.” According to the report, he said, the GCHQ cannot even verify that the software running on its 4G LTE cell towers is the same software provided by Huawei for source-code review."

      • skane2600

        29 March, 2019 - 5:14 pm

        In reply to Bob Nelson:

        Again, the existence of such a law is not evidence that Huawei has backdoors in their equipment or ever will. As I've said before, all relevant evidence to support or deny the existence of a backdoor is embedded in the products themselves. There's no need to rely on interpretations of Chinese laws to answer the question.

      • wright_is

        Premium Member
        30 March, 2019 - 3:13 am

        In reply to Bob Nelson:

        "Age old laws in the USA require firms on American soil, if directed, to assist the government in intelligence collection."

        Careful what you quote, most countries have the same laws.

        "The company was founded in 1987 by Ren Zhengfei, who spent about 20 years in the People’s Liberation Army serving in a military-technology division"

        And just how many American companies have ex-military types sitting on their boards? It helps them get government and military contracts.

        The quality problems are exactly that, quality problems and something Huawei needs to fix pronto, but the political diatribe coming out of the USA seems to reflect USA policy, "look, China has implemented the same laws as us now, so we can't trust Chinese companies any more."

  • simont

    Premium Member
    29 March, 2019 - 4:28 pm

    This is a comment from John Pescatore from SANS about this:

    The UK has been inspecting and testing Huawei’s software since late 2010, when the testing center was set up as part of the requirements when British Telecom selected Huawei for a big UK telecoms infrastructure upgrade. I went to a talk by the director of that center back in 2013 or so and he mentioned that the inspections showed that in reality the biggest risk to the UK in using Huawei wasn’t the Chinese government inducing Huawei to sneak in sophisticated backdoors. Rather it was the huge number of well known (OWASP Top 10) software vulnerabilities and sloppy coding practices that were in the Huawei code. Focusing supply chain security on eliminating vendors from particular countries while not even requiring software from other suppliers to be tested is pretty much right up there with screened windows on submarines…

    John Pescatore was Vice President at Gartner Inc. for almost fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

    • wright_is

      Premium Member
      30 March, 2019 - 3:15 am

      In reply to simont:

      Exactly. There is no proof of collusion, but plenty of proof that they need to improve their quality. The UK assessment makes sense, the US argument just sounds like political willy-waving.

      • Paul Thurrott

        Premium Member
        30 March, 2019 - 8:27 am

        In reply to wright_is:

        Yes. This was in the article I wrote. 🙂

Thurrott © 2024 Thurrott LLC