
Huawei's Ban and the repercussions

Spinit

Titanium
Joined
May 13, 2007
Location
Central Texas
Bob makes a good point: tech marches on; there will be more and more leaps. Everyone would just like to move forward and not concern ourselves about spying. There has always been a lot invested to monitor whoever the government feels the need to monitor.

I would hope there is an agreeable way to take these concerns off the table. When any player has some history which raises issues of trust it is a problem. That is the case for any participant depending on viewpoint. I would like having the option of good to superior cell phones and 5G without the concern about nefarious use of that system. Apple is way too high a cost and they need more competition and so does Huawei.
 

guest

Guest
...First, we are talking about telephones. Anyone doing national security over a cell phone is an idjut.
My phone is not just a phone, it's a network connected device. When I get home it connects to my home network. When I go to work it connects to my work network. From my phone I can see the rest of the network, manage the routers, etc.

If someone was to hack my phone, they could gain access to a lot more than my call history- they would have the authentication credentials for my networks, my email, online banking...

5G will be more than just a phone network- there will be all kinds of stuff connected. Cars, trains, power systems, etc.

The Home Depot hackers got in through the lighting systems. They got into the network of the company that manages the HVAC and lighting controls, from there they went to the Home Depot network, got into the POS system and stole all the customer credit card info.
 

Mark Rand

Diamond
Joined
Jul 9, 2007
Location
UK Rugby Warwickshire
My phone is not just a phone, it's a network connected device. When I get home it connects to my home network. When I go to work it connects to my work network. From my phone I can see the rest of the network, manage the routers, etc.

If someone was to hack my phone, they could gain access to a lot more than my call history- they would have the authentication credentials for my networks, my email, online banking...

5G will be more than just a phone network- there will be all kinds of stuff connected. Cars, trains, power systems, etc.

The Home Depot hackers got in through the lighting systems. They got into the network of the company that manages the HVAC and lighting controls, from there they went to the Home Depot network, got into the POS system and stole all the customer credit card info.

So why does any of that mean that a network should use another manufacturer instead of Huawei in their 2G/3G/4G/5G rollout?
 
guest

Guest
So why does any of that mean that a network should use another manufacturer instead of Huawei in their 2G/3G/4G/5G rollout?
I was addressing the comment "anyone doing nat'l security over a phone...".

The point is that the phone stores more info than just a call log. Much of the 5G network will have co-located servers for cloud edge computing, all of this connected to the backbone. There will be plenty of opportunities for bad actors to exploit. No need to invite them in at the ground floor.

The US Gov't has long-standing concerns about both Huawei and ZTE. Have you missed that part, or you just don't believe it?
 

Spinit

Titanium
Joined
May 13, 2007
Location
Central Texas
If a carrier is secure and protects against unauthorized access and is secure from hackers or subversive countries then it is not a problem. That kind of company poses no concern.
 

Ziggy2

Stainless
Joined
Jun 22, 2013
Location
Northern Il
So why does any of that mean that a network should use another manufacturer instead of Huawei in their 2G/3G/4G/5G rollout?

It is my understanding that it is not the actual cell phones that are the issue but rather the backbone hardware that actually makes up the network.

It is one thing to be using the Huawei modem hardware in your cell phone, that is somewhat a localized risk, but if you are using the Huawei hardware to actually do all of the switching in a network then you have at that point a system wide problem.

Here is a case in which the CIA was doing this to the Russians: Spies in the Xerox Machine - Electrical Strategies

Albeit this is a very old story but is a good example of the risks a new technology can expose the end user to.

Whenever you are wholly trusting someone's technology without due diligence as to safeguards, you are inviting Trojan horse attacks.
 

Mark Rand

Diamond
Joined
Jul 9, 2007
Location
UK Rugby Warwickshire
I was addressing the comment "anyone doing nat'l security over a phone...".

The point is that the phone stores more info than just a call log. Much of the 5G network will have co-located servers for cloud edge computing, all of this connected to the backbone. There will be plenty of opportunities for bad actors to exploit. No need to invite them in at the ground floor.

The US Gov't has long-standing concerns about both Huawei and ZTE. Have you missed that part, or you just don't believe it?

The US government may have long standing concerns about Huawei, but they have no relation whatsoever to security. This is no more or less than a part of the current government's economic warfare against China with a complete disregard to collateral damage.

Try to find any reports of significant security issues with Huawei equipment*. You won't because they are being constantly monitored by government and business concerns just to find those vulnerabilities. The company's Chief security officer in the US has even made the point that other manufacturers should face the same level of inspection that Huawei have in order to force improvement of their products.

Forbes article on the topic.

Including the Bloomberg article about 'back doors'

PS:- One of the reasons I get het up over this is that I spent over 30 years as a programmer, then System administrator, then network administrator for a multi-national company. At one point I was in charge of the Wide Area Network for 65,000 people (Ok, it gave me a nervous breakdown and I ended up on anti-depressants).
 
guest

Guest
It is my understanding that it is not the actual cell phones that are the issue but rather the backbone hardware that actually makes up the network.
It really has to be all of it. The way mobile networks work, the push updates are almost continuous.

You can do all the security testing in the world today, tomorrow a new software update is pushed down and you are right back at square one.

The dependence on these networks increases every day, and with each iteration the risks increase as well. It's not something that can ever be eliminated- it's a cat and mouse game.
 

PeteM

Diamond
Joined
Jan 15, 2002
Location
West Coast, USA
The US government may have long standing concerns about Huawei, but they have no relation whatsoever to security. . .

You've raised some good points, Mark. Still, it shouldn't be hard to understand the security concern:

1) Huawei's founder was a former military technologist for the People's Liberation Army.

2) The company has gotten to a dominant position, in part, by repeatedly stealing other companies' technology. The company culture is all's-fair-in-war.

3) It has been deceptive in the Iran trade sanctions issue -- taking great pains to cover its lies about compliance.

4) The most optimistic case on what influence the Chinese government might have on coding in things like backdoors or utilizing known-only-to-them vulnerabilities is that the Xi-President-for-Life government would never do anything like that -- despite passing a law that explicitly requires it should Xi so choose.

5) The potential damage in a 5G oriented world is likely orders of magnitude beyond the hacks we've seen to date. Clearly the European and South Korean etc. suppliers of 5G equipment will also require extraordinary review -- and it isn't clear who's up for paying the tab.

Hard to know where all this is headed. Apparently China's latest move, to support Huawei, is a threat to ban the export of all rare earth metals. Meanwhile the governments of both Australia, New Zealand, and France seem to share a concern. You'd likely know more about your own government's stance, but the UK and Germany share at least some concern.
 
guest

Guest
The US government may have long standing concerns about Huawei, but they have no relation whatsoever to security. This is no more or less than a part of the current government's economic warfare against China with a complete disregard to collateral damage.

Try to find any reports of significant security issues with Huawei equipment*. You won't because they are being constantly monitored by government and business concerns just to find those vulnerabilities.
This is your Government's report for 2019. You have been making this same assessment every year for the past 5 years.

The report is about security issues with Huawei equipment in the UK.

Start at page 15 for the findings.

https://assets.publishing.service.g...le/790270/HCSEC_OversightBoardReport-2019.pdf
 

CarbideBob

Diamond
Joined
Jan 14, 2007
Location
Flushing/Flint, Michigan
.....

5) The potential damage in a 5G oriented world is likely orders of magnitude beyond the hacks we've seen to date. Clearly the European and South Korean etc. suppliers of 5G equipment will also require extraordinary review -- and it isn't clear who's up for paying the tab.
.....

Please explain this in terms an old school hacker can understand. I don't get the ten times danger or the hype.
Bob
 

CalG

Diamond
Joined
Dec 30, 2008
Location
Vt USA
This entire business is a matter of trust.
No different than BREXIT
No different than the last US election.
 

BillE

Hot Rolled
Joined
Dec 6, 2010
Location
Sydney Au
EmmanuelGoldstein said:
And 5 eyes can suck my dick. "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated ..."

Fuck off, US gubmint.

Apparently you can blame us - How Australia led the US in its global war against Huawei

Unreasonable searches, ha, this joint is probably one of the most intrusive places short of Cold War East Germany now....but both major parties support this crap too!
 

Mark Rand

Diamond
Joined
Jul 9, 2007
Location
UK Rugby Warwickshire
This is your Government's report for 2019. You have been making this same assessment every year for the past 5 years.
Which I linked to in post 5 of this thread.

As noted in that post "The centre set up in the UK to analyse Huawei hardware and software has found some sloppy code, but no back doors in eight years of investigation." The problems indicated in the report are documented and worked on with both the HCSEC and Huawei.

Every single network device I've ever worked with that was bright enough to need software/firmware has had software/firmware bugs. Just as with computer operating systems, evaluating and installing patches is an important part of operating a system.

The fact that there is such intense scrutiny of the company's products is good. It would be better if other manufacturers also underwent the same level of inspection.
 

PeteM

Diamond
Joined
Jan 15, 2002
Location
West Coast, USA
Please explain this in terms an old school hacker can understand. I don't get the ten times danger or the hype.
Bob

Bob, My take is that the higher speeds and low latency of 5G mean that it can (and thus will) be used in all sorts of automation scenarios: driverless trucks and cars, automated traffic routing, putting trains on the right tracks, factory automation, all sorts of augmented reality apps by government and quasi govt. agencies (e.g. live mapping of underground utilities before digging, ambulance dispatch on the best routes, real time fire and security monitoring systems, faster Wall St. trades, etc.) Even remote surgery is being planned, using tele-operators. Imagine the equivalent of a denial of service attack in the midst of that. Or better yet, a fleet of driver-less trucks gone AWOL?

We already have entire hospitals, companies, and municipal governments being held ransom by hackers. Plus the usual financial fraud that's likely already up in the trillion range worldwide. And foreign actors hoping (and sometimes succeeding) in disrupting the entire Internet, financial transactions, voting systems, companies (e.g. Sony and a zillion others), uranium enrichment centrifuges (sure, our fault or credit), etc. But as we add real-time 5G-enabled services, any sort of hostile attack could have much greater impact. And we have lots of very capable hackers (Russia, Ukraine, China, North Korea, Iran etc.) more than happy to oblige for either personal gain or ideological idiocy.

I'm not by nature an alarmist. Back in Y2K days I was so confident it would not be a problem, that I invited all sorts of friends to a Y2K party. Back then we had a fair amount of redundant systems. Now, however, I think there's a real threat as we become more dependent on net-enabled systems.

In the old hacker days, individual company servers/networks were at risk. Today, it's anyone connected to the net and a bit careless. Tomorrow it's any device with a computer inside (now even light bulbs and toasters) in a world with about as many cell phones in it as people. There are thousands of companies hoping to become rich with the "Internet of things" -- and that Internet will be pretty much 5G connected.

Be happy to learn if this concern isn't real . . .
 

Ziggy2

Stainless
Joined
Jun 22, 2013
Location
Northern Il
This is your Government's report for 2019. You have been making this same assessment every year for the past 5 years.

The report is about security issues with Huawei equipment in the UK.

Start at page 15 for the findings.

https://assets.publishing.service.g...le/790270/HCSEC_OversightBoardReport-2019.pdf

Is my read correct in that there appear to be serious issues and doubts over the long term supportability of the hardware buried in the committee report fluff? It also appears that some of these have existed for several years without being remediated.

Or is my understanding of the report incorrect?
 
guest

Guest
..The problems indicated in the report are documented and worked on with both the HCSEC and Huawei.
The same issues were identified in the 2018 report, and the 2019 report says no significant progress has been made.

Every single network device I've ever worked with that was bright enough to need software/firmware has had software/firmware bugs. Just as with computer operating systems, evaluating and installing patches is an important part of operating a system.
They say software is not able to be properly checked because they cannot compile a consistent binary from the source code.
It has always been part of the mitigation strategy to ensure that the source code examined by HCSEC is precisely that which is compiled to the binaries executing in UK network equipment. Without a process to show that the source code and build environments examined by HCSEC uniquely produce the binary deployed in the UK’s networks, it is impossible to provide end-to-end assurance in the security and integrity of the products in use.

...

HCSEC was tasked with understanding the issues confronting Huawei in creating repeatable builds. The issue in all cases is with Huawei’s underlying build process which provides no end-to-end integrity, no good configuration management, no lifecycle management of software components across versions, use of deprecated and out of support tool chains (some of which are non-deterministic) and poor hygiene in the build environments, many of which cannot be easily recreated by HCSEC.

It is unclear whether there is any utility in continuing the binary equivalence programme given the fundamental issues in the underlying build process and the customer management and engineering processes that drive it.

It remains the NCSC intent that all products deployed in the UK will have repeatable builds and that HCSEC will be able to routinely show equivalence between the binary installed in UK networks and the binary that can be built from the source code held by HCSEC, as is usual with a well-managed software engineering process.

The recent work with the four pilot products demonstrates that this is currently impractical at any useful scale given Huawei’s current build process. The NCSC has advised the Oversight Board that it will only be possible to offer limited assurance for equipment currently deployed in the UK unless and until the build process has fundamentally changed.
That doesn't sound like any vote of confidence I have ever read.
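
The binary-equivalence check that the quoted report describes, as an added illustration that is not part of the thread or of the HCSEC report: a toy "build" (a tar image of a constructed source tree) is rebuilt from held source and compared by SHA-256, once with a repeatable process and once with one that embeds wall-clock time and a per-build stamp. The function names, the sample tree and the `BUILD_STAMP` file are assumptions made for the example.

```python
import hashlib
import io
import tarfile
import time
import uuid

# Constructed sample source tree standing in for the code an evaluator holds.
SOURCES = {
    "src/net.c": b"void net_init(void) {}\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "Makefile": b"all:\n\tcc -o fw src/main.c src/net.c\n",
}

def build(sources, reproducible):
    """Toy build step: pack the sources into a tar image and return its bytes."""
    buf = io.BytesIO()
    # A repeatable build fixes input order; the other takes whatever order it gets.
    names = sorted(sources) if reproducible else list(sources)
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)      # defaults: mtime=0, uid=gid=0
            info.size = len(sources[name])
            if not reproducible:
                info.mtime = int(time.time())  # wall-clock time leaks into output
            tar.addfile(info, io.BytesIO(sources[name]))
        if not reproducible:
            # Stand-in for per-build IDs, hostnames or temp paths a toolchain embeds.
            stamp = uuid.uuid4().hex.encode()
            info = tarfile.TarInfo("BUILD_STAMP")
            info.size = len(stamp)
            tar.addfile(info, io.BytesIO(stamp))
    return buf.getvalue()

def binary_equivalent(deployed, sources, reproducible):
    """Rebuild from the held source and compare SHA-256 with the deployed image."""
    rebuilt = build(sources, reproducible)
    return hashlib.sha256(rebuilt).digest() == hashlib.sha256(deployed).digest()

def assess(reproducible):
    """Return (honest image verifies, altered image verifies) for a build process."""
    altered_src = dict(SOURCES)
    altered_src["src/net.c"] += b"void undeclared_extra(void) {}\n"
    honest = build(SOURCES, reproducible)
    altered = build(altered_src, reproducible)
    return (binary_equivalent(honest, SOURCES, reproducible),
            binary_equivalent(altered, SOURCES, reproducible))

if __name__ == "__main__":
    print("repeatable build:    ", assess(True))   # honest passes, altered fails
    print("non-repeatable build:", assess(False))  # both fail: no assurance either way
```

With the non-repeatable process an honest image fails the comparison just as an altered one does, so the hash check cannot tell them apart.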
 
guest

Guest
Is my read correct in that there appear to be serious issues and doubts over the long term supportability of the hardware buried in the committee report fluff? It also appears that some of these have existed for several years without being remediated.

Or is my understanding of the report incorrect?
I can't find anything in the report that would make me want to choose Huawei for anything. It's really something. Outdated and unsupported components, fragments of different versions of OpenSSL with numerous known vulnerabilities, it just goes on and on.

Basically translates to "untestable products".

The more of it I read, the more convinced I am that we got this one right. The UK can't even mitigate the risks in their existing Huawei LTE infrastructure. Why in the world would they want Huawei to build out the 5G?
 








 