I don't see anyone else talking about it. Around January 2018 it came out that China had hacked the African Union headquarters which it had built as a gift to the AU. [1] More recently, reports have come out that implicate Huawei in that hack. [2] There is a law in China that says citizens and corporations are required to cooperate with its intelligence services. While there has been no strong evidence against Huawei released publicly, the logic is that China asked for a backdoor and that Huawei had to comply.
>Ms Cave said Huawei had been implicated in alleged cyber theft of data from the African Union’s Ethiopia headquarters. According to multiple reports this year, data was transferred every night from the building for five years. “There’s no proof that Huawei was asked to participate or turn a blind eye to the breach, but we know that there was a breach and Huawei was the key provider,’’ Ms Cave said.
You forget to mention that both China and the African Union denied the hack, and that the report came from "anonymous sources". Not saying that it didn't happen, but it's far from confirmed, just like the Bloomberg report.
"There is a law in China that says citizens and corporations are required to cooperate with its intelligence services."
The US and its intelligence services have been doing the same with US tech companies. "The US National Security Agency (NSA) infected hard disk firmware with spyware in a campaign valued as highly as Stuxnet that dates back at least 14 years and possibly up to two decades – all according to an analysis by Kaspersky Labs. The campaign infected possibly tens of thousands of Windows computers in telecommunications providers, governments, militaries, utilities, and mass media organisations among others in more than 30 countries." https://www.theregister.co.uk/2015/02/17/kaspersky_labs_equa...
I think there's a lot of unfair finger-pointing at Huawei. China's hacking program is very prolific and has some impressive achievements. There's no reason why the Chinese government couldn't have found vulnerabilities in Huawei equipment and conducted a campaign that way, especially since that equipment is internet-connected at all times.
This implies that US can't reach the data from Huawei.
So it seems that Huawei is the safest option for any US and European citizen.
I'd rather have my data safe with the Chinese government, a country that is on the other side of the globe and has practically zero influence on my life, than sharing it with the US or my own governments, which are there, and can make my life hell for any or no reason at all, and have the means to actually hurt me.
And yes, if I can't avoid it, I'd much rather share my internet search history with an unknown entity on the other side of the world, than with my own wife.
Reminds me of a joke where a sysadmin recommends installing several firewalls from different countries; Huawei to keep out the Americans, Cisco to keep out the Chinese, and something else.
That would appear the best option assuming none of your data has business or monetary value, as their intelligence service is tasked with sharing any trade secrets with relevant state business partners.
This is strictly forbidden in US intelligence policy.
Your logic is smart, but flawed. The best defense is openness when you lack the control to air gap, in which case you should expose your data to the two highest bidders.
> I'd rather have my data safe with the Chinese government, a country that is on the other side of the globe and has practically zero influence on my life, than sharing it with the US or my own governments, which are there, and can make my life hell for any or no reason at all, and have the means to actually hurt me.
That's an interesting take, but you are assuming China's influence won't keep growing.
Or more worrisome, what if China, EU, Russia and the US decide to share data in the future?
The only way to be "safe and free" is legislation curbing intelligence agencies snooping on people. Unfortunately, these intelligence agencies appear to be operating above or beyond the law.
> Some other members of the “Five Eyes,” a five-member intelligence pact among English-speaking countries that includes the U.S., have also publicly challenged Huawei.
Regardless of the content of the article, I found this quote hilarious: one surveillance agency accusing another group of spying.
I remain to be convinced that Apple or Samsung are any more trustworthy than Huawei. It's all made in China. While these manufacturers may not be sneaking backdoors into devices, since this might be caught, they likely are being compelled to disclose designs to be analyzed for weaknesses. It doesn't really matter if some of the design work is done in California.
I wouldn't have substantially higher trust in something made in the U.S. or other "five eyes" countries either. These governments do not respect the privacy of their citizens, as evidenced by the NSA's recent breaches. Some countries do slightly better than others (e.g. Canada probably isn't as bad as the U.S. yet). However, on the whole, privacy rights seem to be on the decline in these countries. Treaties and cooperation between the security agencies of these countries drag everyone down to the lowest common denominator.
What's hilarious about that? It's obvious and natural that countries would seek to protect themselves from being spied upon, while at the same time attempt to spy on others. Do you expect the US to say "we are spying on some other countries so we are totally ok with others spying on us"?
I guess if you're just an everyman or everywoman -- one with no info relating to national security on your device -- it could be better to own Huawei to avoid abuses of authorities inside the US[1]?
Particularly if you are a woman, minority, journalist, or business-owner, as [1] highlights, you may be safer from such abuses.
The US government, with its own hacking of other countries as revealed by Snowden, its strategic rivalry with China, and its history of false intelligence such as WMD in Iraq, isn’t a trustworthy source to evaluate Huawei’s security.
Huawei has completely opened its source code and hardware to several governments, including UK, Canada and Germany, for security testing. Their findings are much more informative and objective.
Best security doesn’t come from paranoia of certain countries. It comes from evidence based and rigorous testing and research.
> Huawei has completely opened its source code and hardware to several governments, including UK, Canada and Germany, for security testing. Their findings are much more informative and objective.
What does this even mean? If I give a batch of governments some of my super secret text files and pinky promise that's what's in the hardware I'm giving them, they should believe me?
The US can be trusted to advance its own interests. So can China. Everyone else had best evaluate their threat vectors and find out where their interests conflict with bigger and stronger interests.
Your comment history might have predicted that you'd comment on this topic. You don't have many other interests.
Large international dealings are never about 'truth' - they are about the balance of a web of geopolitical issues.
Also, this is not paranoia, it's a geostrategic fight based on the reality that a) China and US/West are doing a lot to actively spy on one another b) they're in a trade war.
Also China does not have an open market for US/Western products and I don't see any reason why the same rules applied by China to the West should not apply to Chinese companies coming to the West. That would be closer to 'fair free trade'.
But yes - if the hardware and software are both open for inspection - that is a kind of 'truth' as you say.
and companies should then be able to decide for themselves.
Question: is it true though that both hardware and software are in fact fully open? How do they maintain their IP in this case?
I had understood that the current US administration's point of view was that the US had no allies, but only leeches hell bent on ripping off the US? So, I'm wondering which allies they're talking to.
A key difference between Huawei and other Chinese companies like Xiaomi or Alibaba is that they have an opaque shareholding structure with no public investors which makes it hard to know if it is free from the influence of the Chinese government.
When will people learn - 'secure the connections, not the network'. You don't trust the internet, and you shouldn't trust your internal network either.
Every connection between devices should be encrypted as if it's going over the internet. That's the basis of BeyondCorp, and many companies are going that way.
It's far more sensible to secure just two endpoints than it is to also secure all the wireless links, routers, and cables between them.
Now, when the adversary gets control of your routers, it doesn't matter - they can't steal anything of value. The worst they can do is cause a brief outage, for which they'll be immediately detected.
Sure, that’s a great idea. But your transport security is going to show vulnerability sooner or later (see: regular issues in TLS), and it’s worth having a slightly less compromised network fabric.
But they can slow down the traffic or disconnect it completely. If an entire country's 5G infrastructure is built by a single company that can push updates to the infrastructure, then it can completely disable it.
I would've expected better from the current NZ government but this response really illustrates just how utterly compromised the country is when it comes to China. There was a similar muted response a few months ago to Chinese CCTV cameras which had been installed inside government ministries.
Little known fact: The stock video app in EMUI 8 found on stock P20 Pros from authorized dealers in Singapore regularly makes requests to Facebook over IPv4 and IPv6 even though it only supports local video content. t.me/paranoic for proofs.
To be fair, Google regularly tries to grab GPS data using its 1e100.net domain (see above # for additional proofs). The only way I've found to block this kind of intrusion is NetGuard in "lockdown" mode.
I haven't seen much about the 'hacks' taking place. Are investigators seeing actual backdoors? Or just poor code being exploited in the wild? If it's the latter then the US could be accused of the same with Cisco in the early 2000's as exposed by FX.
Full disclosure: I am a Huawei employee, take everything I say with an appropriate amount of salt.
It would be suicidal for Huawei to ship any equipment to Western carriers with actual backdoors. European governments usually require a thorough audit of the code that runs their networks and vendors are required to have reproducible builds for the same. The UK government for instance has the Huawei Cyber Security Evaluation Centre[1] responsible for vetting the Huawei equipment that gets used by British carriers. Like TFA says, "The U.K. government said in July it found shortcomings in the process." They didn't find any backdoors or any actual vulnerabilities but did report "variable engineering quality". Like any large and complex codebase produced by thousands of engineers, parts of the code may be downright ugly but that does not make it malicious.
Anyways, the CSEC report did have its intended effect and now significant resources are being expended to refactor legacy code. Nothing motivates management like a possible loss of revenue from bad PR ;)
Then again the NSA hacked into Huawei HQ[2] so they might know something that others don't. Speaking of which, how is the search for WMDs in Iraq coming along?
What's the difference? I'd imagine that any mediocre and above intelligence agency would be smart enough to make it look like the backdoor was "just a random bug".
If they are giving the bug the name "CN_rear_entrance" or anything like it, or talk about how it can be used in code comments, I would say they are a worse than mediocre intelligence agency.
No one talks about the story from a financial perspective? How much will Huawei lose, who is the competitor against Huawei? IMO it's the extension of the trade war between US and China.
There's also substantial evidence that Huawei was involved in the murder of a US citizen to cover up attempts to acquire classified US military technology:
Within the UK Huawei has won a number of network refresh contracts with BT. I assume this then got levels of concern going within the various agencies, as this was one of the results:
Protection for US 5G Corporations to allow them to catch up.
Then there's the other side of the coin. The Chinese boycotting of US Corporations. China alone has more population and manufacturing than the US and EU combined. Does the West really want to lose a market that's 20% of the whole world? Probably not.
Other telecom actors were steamrolled by the government-backed Huawei telecom network deals. Ericsson for example could not keep up because the EU doesn't believe in protectionism, at least at that level.
[+] [-] TACIXAT|7 years ago|reply
1. https://www.theguardian.com/world/2018/jan/30/china-african-...
2. https://www.theaustralian.com.au/national-affairs/national-s...
[+] [-] endorphone|7 years ago|reply
Of course US corporations are just as beholden to government directive. e.g. https://foreignpolicy.com/2016/10/04/how-american-companies-...
[+] [-] changchuming|7 years ago|reply
[+] [-] Salamat|7 years ago|reply
[+] [-] linkregister|7 years ago|reply
[+] [-] levosmetalo|7 years ago|reply
[+] [-] detaro|7 years ago|reply
[+] [-] kccqzy|7 years ago|reply
[+] [-] wu-ikkyu|7 years ago|reply
>I'd rather have my data safe with the Chinese government
What makes you think (y)our data wouldn't be sold to the highest global bidder or hacked?
>a country that is on the other side of the globe
It's called the world wide web for a reason.
https://en.m.wikipedia.org/wiki/PLA_Unit_61398
>practically zero influence on my life
Western countries are very much influenced by China.
>sharing it with the US or my own governments, which are there, and can make my life hell for any or no reason at all, and have the means to actually hurt me.
Given all of your personal private data, anyone around the world with a computer has the means to actually hurt you.
[+] [-] mensetmanusman|7 years ago|reply
[+] [-] Gorbzel|7 years ago|reply
[+] [-] clatan|7 years ago|reply
[+] [-] balibebas|7 years ago|reply
[+] [-] ziont|7 years ago|reply
[+] [-] liftbigweights|7 years ago|reply
[+] [-] saagarjha|7 years ago|reply
[+] [-] beloch|7 years ago|reply
[+] [-] pavelrub|7 years ago|reply
[+] [-] ObsoleteNerd|7 years ago|reply
[+] [-] le_clochard|7 years ago|reply
[+] [-] wallace_f|7 years ago|reply
1 - https://theweek.com/speedreads/651668/hundreds-police-office...
[+] [-] majia|7 years ago|reply
[+] [-] yitosda|7 years ago|reply
[+] [-] sonnyblarney|7 years ago|reply
[+] [-] e3b0c|7 years ago|reply
Does the Chinese government have the incentive to take advantage when it has the opportunity?
Does Huawei have the incentives/disincentives to/not to respond to the demands of the government?
[+] [-] danmaz74|7 years ago|reply
[+] [-] ThomPete|7 years ago|reply
[+] [-] anilshanbhag|7 years ago|reply
[+] [-] londons_explore|7 years ago|reply
[+] [-] libdjml|7 years ago|reply
I agree with your general sentiment though.
[+] [-] aembleton|7 years ago|reply
[+] [-] ajdlinux|7 years ago|reply
[+] [-] dbcooper|7 years ago|reply
https://www.nzherald.co.nz/business/news/article.cfm?c_id=3&...
https://www.nzherald.co.nz/business/news/article.cfm?c_id=3&...
[+] [-] tjpnz|7 years ago|reply
[+] [-] pilsetnieks|7 years ago|reply
[+] [-] balibebas|7 years ago|reply
[+] [-] balibebas|7 years ago|reply
[+] [-] client4|7 years ago|reply
[+] [-] unmole|7 years ago|reply
1: https://assets.publishing.service.gov.uk/government/uploads/...
2: https://www.nytimes.com/2014/03/23/world/asia/nsa-breached-c...
[+] [-] mtgx|7 years ago|reply
[+] [-] TsomArp|7 years ago|reply
[+] [-] johannkokos|7 years ago|reply
[+] [-] StefanKarpinski|7 years ago|reply
https://en.wikipedia.org/wiki/Death_of_Shane_Todd
Financial Times story about the case:
http://ig-legacy.ft.com/content/afbddb44-7640-11e2-8eb6-0014...
Discussion on HN:
https://news.ycombinator.com/item?id=5230585
[+] [-] oger|7 years ago|reply
[+] [-] cbzbc|7 years ago|reply
https://www.gov.uk/government/publications/huawei-cyber-secu...
A factory within the UK, owned by Huawei's UK arm - with restricted entry, that is then used for security assurance of the products BT uses.
[+] [-] simonblack|7 years ago|reply
"Trade Wars are good and easy to win." /s
[+] [-] vectorEQ|7 years ago|reply
[+] [-] toxik|7 years ago|reply