
This is great.

The next question will be how much trust can we place in the networks of our allies that still use compromised equipment from Huawei?



Do people already need a reminder of the Juniper JunOS situation?

I don't think this is a good thing.

On one hand we have Huawei which is untrusted by default, everyone assumes it has a backdoor but yet there are no reports of said backdoor and no evidence that networks using the hardware have suffered from exfiltration or infiltration.

On the other hand Juniper was very publicly compromised and networks running their hardware were most definitely subject to attack.

That said; this is probably primarily focused on wireless networks and if they are replacing Huawei it will be with Ericsson or Nokia gear which I think we can have some manner of trust in.

EDIT: My point is I think the Huawei equipment being assumed untrusted is a better model than assumed "trusted" suppliers that can easily be backdoored because no-one is looking as hard.


I don't know if Huawei firmware has backdoors, but I can tell you I've looked at it (when evaluating their network switches) and it's a humongous mess of NIH. They even wrote their own SSH server and userspace IP stack (but still use the Linux one internally). It's rather buggy; simply scp'ing a file off of the switch leaked memory leading to a crash and reboot. It's just very poor quality.

Backdoors or not, I have very little doubt their equipment is full of exploitable security issues.


In the UK we have an agreement with Huawei and access to firmware, which can be bit-for-bit compared to what ships. We don't for other manufacturers. But guess which one we're told not to trust.
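The check the comment above describes, as an added example that is not part of the original thread or of any vendor's tooling: compare a reference firmware image (the one that was reviewed) against the image pulled from a shipped device, and if they are not identical, report exactly which byte ranges differ rather than just "hash mismatch". Both sample images are constructed inline and are not real firmware; the offsets and sizes are assumptions for the demonstration. Note what the check does and does not prove: identity shows that the shipped bits are the reviewed bits, not that the reviewed bits are free of vulnerabilities.

```python
"""
Bit-for-bit firmware comparison (added example, not from the original thread).

Given a reference image (e.g. the build that was audited) and the image read
back from a shipped device, report whether they are identical and, if not,
exactly which byte ranges differ.  Length mismatches are reported too, so a
truncated or padded image never passes silently.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class ComparisonResult:
    identical: bool
    reference_sha256: str
    shipped_sha256: str
    reference_size: int
    shipped_size: int
    # Half-open [start, end) byte offsets where the images differ.  A range
    # past the end of the shorter image marks missing or extra trailing bytes.
    diff_ranges: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_ranges(reference: bytes, shipped: bytes) -> list:
    """Return merged half-open ranges of bytes that differ between the images."""
    ranges = []
    common = min(len(reference), len(shipped))
    start = None
    for i in range(common):
        if reference[i] != shipped[i]:
            if start is None:
                start = i          # open a new run of differing bytes
        elif start is not None:
            ranges.append((start, i))  # close the run at the first equal byte
            start = None
    if start is not None:
        ranges.append((start, common))
    if len(reference) != len(shipped):
        tail_end = max(len(reference), len(shipped))
        if ranges and ranges[-1][1] == common:
            # the last run reaches the end of the shorter image: extend it
            ranges[-1] = (ranges[-1][0], tail_end)
        else:
            ranges.append((common, tail_end))
    return ranges


def compare_images(reference: bytes, shipped: bytes) -> ComparisonResult:
    """Full comparison: hashes, sizes and (when not identical) differing ranges."""
    ref_hash, ship_hash = sha256_hex(reference), sha256_hex(shipped)
    if reference == shipped:
        return ComparisonResult(True, ref_hash, ship_hash,
                                len(reference), len(shipped), [])
    return ComparisonResult(False, ref_hash, ship_hash,
                            len(reference), len(shipped),
                            differing_ranges(reference, shipped))


# Constructed sample images (assumption: not real firmware).  4 KiB of
# deterministic bytes stands in for the reviewed reference build.
REFERENCE_IMAGE = bytes((i * 7 + 3) & 0xFF for i in range(4096))

# A "shipped" copy with 16 bytes altered at offset 0x800 and 4 bytes appended.
SHIPPED_IMAGE = (REFERENCE_IMAGE[:0x800]
                 + b"\xde\xad\xbe\xef" * 4
                 + REFERENCE_IMAGE[0x810:]
                 + b"\x00\x00\x00\x00")


def report(result: ComparisonResult) -> None:
    print("reference sha256:", result.reference_sha256, "size", result.reference_size)
    print("shipped   sha256:", result.shipped_sha256, "size", result.shipped_size)
    if result.identical:
        print("IDENTICAL: shipped image is bit-for-bit the reference image")
        return
    print("MISMATCH in %d range(s):" % len(result.diff_ranges))
    for start, end in result.diff_ranges:
        print("  0x%06x - 0x%06x (%d bytes)" % (start, end, end - start))


if __name__ == "__main__":
    report(compare_images(REFERENCE_IMAGE, REFERENCE_IMAGE))
    report(compare_images(REFERENCE_IMAGE, SHIPPED_IMAGE))
```

To use it on real images, read both files as bytes and pass them to `compare_images`; the ranges it prints are the offsets you would then look at in a disassembler or diff against the build's section map.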


Bit-for-bit equality isn't going to help you if those bits are full of security vulnerabilities to begin with.


I don't know what you're talking about with "allegedly".

Bloomberg "allegedly" found HW backdoors in Huawei, Vodafone also "allegedly" found backdoors in their equipment from Huawei back in the day (I think about a decade ago).

When you go talk to your red-team pentester friends, you quickly find out that the black market is full of 0days or full-blown backdoors for Huawei equipment, from routers to consumer-grade mobile phones. They're not the only ones, but there's a clear discrepancy.

While in the consumer space Huawei might not be ever fully-banned (imo even though they should, because people are f*cking stupid and it's already too late), in gov & military (especially NATO) infrastructure, I'm guaranteeing they're already (US, AUS, JP, PL, RO) or soon to be banned.

Now the what-about argument is gonna follow here, saying "how about western companies that also engage in privacy-violating and espionage policies?". Yes that's also obviously true, but to a much lesser degree, and those companies'/corporations' main concern is money & profit, unlike Huawei. They might collude with governments and institutions, but they're not fully controlled by one, like in the fascistic China at the moment. And I say fascistic because Chinese companies conveniently use 'free' markets inside China and Western countries up to the point where their gov. notices and dictates their every move.


And real question how much trust the "allies" can place in any equipment from USA...


Let's imagine this as personal relationships.

On the one hand, your trusted and long-term partner shares a credit card and bank account with you, so you're aware that they know how and where you're spending money. You spend a lot of time together at home, so it's likely they're listening into your phone calls.

On the other hand, a malicious individual has infiltrated your bank account and installed surveillance equipment in your home.

These two situations are not the same.


Is the malicious individual the NSA backdooring Juniper and other firewalls, is it China, or both?


It's obviously China.

We might not like everything our partners do, but there's a reason we have a basis of trust with them and not with clearly adversarial and malicious entities.


There is hard proof that both Belgium and Germany had various networks/major telcos compromised. And I would not be at all surprised if there were others.


It's been a few generations since either Belgium or Germany had concentration camps, and both are allies of the Five Eyes, to varying extents.


What on earth does that have to do with this?


China has concentration camps; Germany and Belgium do not.


They aren't your partner. You are a pawn. Stop identifying with entities that have no interest in your welfare.


Of course they're interested in my welfare; even a pawn has value to the state. Moreover, the five eyes are all representative democracies; China is not.


A pawn has value to the state as a tool. One such example is to be used as cannon fodder.

The US democracy is fake. Entrenched interests hold virtually all power.

You have 6 trillion dollars and thousands of lives lost over fake wars. Where are those WMDs? Why didn't we pull out after getting bin Laden in Pakistan?

Go back a generation to the Vietnam War. 50k American lives lost.

History keeps on repeating itself and people are oblivious.


Even tools have value; better to be a tool of the state than an obstacle of an adversary.

I'm not American, and I'm rather proud that my elected representatives voted against joining the USA in the Iraq invasion. Americans voted for the Iraq invasion. It was popular[0]. It still remains reasonably popular, with slightly more Americans opposing it than supporting it in 2018[1]. Despite two decades of expenditure, pain and suffering.

0: https://news.gallup.com/poll/8038/seventytwo-percent-america...

1: https://www.pewresearch.org/fact-tank/2018/03/19/iraq-war-co...


That adversary is that of the state that you identify with. Neither state cares about you one iota.


The second invasion was on a false pretense of WMDs. The government in concert with the media manipulated and deceived the public.

You are a pawn. Pawns have NO value in of themselves. They are used solely to advance the cause of a side. They will be sacrificed to do so.

You can take solace in identifying with an entity that cares for you not one iota.

Waitbutwhy writes extensively about this phenomenon. It is called tribalism and delusion.

https://waitbutwhy.com/2019/08/story-of-us.html

us vs them, good vs evil

It has all the hallmarks.

"A superglue story also jacks up the Us > Them values. The story needs to be all about good guys and bad guys, with a crisp, clear distinction between the two. The good guys must be good in every way—in knowledge, talent, motivation, and virtue. They’re good now, they were always good in the past, and they’ll continue to be good in the future. The bad guys are the opposite—they are and always have been stupid, ignorant, malicious, and morally backwards. Strife between the good guys and bad guys is always the fault of the bad guys"


There were plenty of media outlets that doubted the WMD story. There's no widespread collusion between media and government.


Nope. All the major outlets were pushing it. ABC, CBS, NBC, Fox. Also go find out how many representatives were for the war.

https://web.archive.org/web/20190823053520/https://www.cbsne...

296-133, 77-23


There's nothing shocking about that many representatives voting in favor of something that had over two thirds public support. In fact, it looks appropriate.

As for the media, the foreign and public press weren't so in favor. But I'll be the last to suggest that American media isn't terrible. It is.


Yeah, it's not as though there weren't protests against the invasion, and widespread media coverage thereof.


And all the protests accomplished jackshit. Can't you see that that is the point? Your opinion and protests have no effect. Your protests are just plausible deniability.

https://youtu.be/UqMaYuVvqGo

Weapons of mass destruction

LOL


The protests failed to invigorate change, not unlike anti-mask protests today, because the message wasn't persuasive enough to sufficiently many people.

That's democracy. It's not great, but it's better than the alternatives.


Entrenched special interests driving policy is what the US is. Even an erstwhile democracy can fall into a stuck state.

Democracies can be perverted and also have a history of destroying themselves. See Greek history.


Still better than totalitarianism or fascism.


China.

Especially if we’re talking about five eyes countries, the other countries involved are on board with this sort of thing. It’s not about what’s being done but who has control when we’re talking about national security. As for how much it matters to the citizens what the difference is…well I’m probably less likely to get in trouble if China has my information actually.


Your trusted friend reads all your correspondence and listens to all your phone calls, and in free time is also a mass murderer (Iraq, Afghanistan).

You’ve got weird friends.


"Let's imagine this as personal relationships"

Anthropomorphism of giant bureaucracies is either naivety or schizophrenia.

Just like "Consumers Have Human-like Relationships with Brands". I work in a big corp, it's a constant battle to make it treat humans as humans, and a losing one.


Metaphors aren't meant to be literal, they're meant to be demonstrative for illustrative purposes.


If you have an agreement with [country A] to work together in pursuit of the same goals, and you don't have an agreement with [country B] to work together in pursuit of the same goals. Which one would you trust more?

Building alliances is nearly synonymous with building trust.


Any country that doesn't want others to read its communications is going to have to produce its own telecoms equipment, because the temptation of a country to put backdoors in it is just too high.


Shouldn't be too much of a worry since the next 2 largest vendors of telecom equipment are European (Nokia and Ericsson). Although, Nokia owns the remnants of a bunch of US companies like Lucent and Motorola Networks so they may be more connected to the US.


Those are also compromised. Philips telecoms used to have trapdoors for the NSA and so did Ericsson.

Some of the Nokia routers from the early 2000s made in Oregon also did allegedly.

https://www.schneier.com/blog/archives/2006/02/phone_tapping...

https://www.schneier.com/blog/archives/2006/06/greek_wiretap...

https://theintercept.com/2018/03/01/nsa-global-surveillance-...


The Greek wiretapping case involving Ericsson equipment was not due to a “trapdoor” but a malicious implant installed by a threat actor. This is documented in an excellent article by the IEEE [1]

Darknet Diaries produced a podcast on the whole affair which makes for great listening. The podcast episode includes additional details which have surfaced after the IEEE article mentioned [2]

[1] https://spectrum.ieee.org/the-athens-affair

[2] https://darknetdiaries.com/episode/64/


I would say the biggest and most important chunks of both came from Nortel. The vast majority of what we consider as 4G and 5G was developed at Nortel and during the collapse was scooped up by Ericsson/Nokia and Huawei (though the latter mostly just hired ex-Nortel researchers and engineers).


Not 5G. The reason why Huawei became a leader in 5G is that they created all their technology around the discoveries of Erdal Arikan and bet the whole farm on it:

https://www.wired.com/story/huawei-5g-polar-codes-data-break...

https://en.wikipedia.org/wiki/Erdal_Ar%C4%B1kan


> Vast majority of what we consider as 4G and 5G was developed at Nortel and during the collapse was scooped up by Ericson

This is simply not true.

Source: worked for Ericsson for 17 years. Worked on both 4G and 5G / cloud native. Also worked with ex-Nortel people.


> Vast majority of what we consider as 4G and 5G was developed at Nortel

Citation needed here.

The company was dead years before they drafted the first spec for 4G.


The last clear report we had was from 2013 and the answer then was "Trust. LOL!"


It's not simply a matter of trust. You should assume it's all insecure. It's a matter of whose interests align with yours the most.


This is meaningless.

Even if we assume that all Huawei products are currently backdoored, the security of commercial IT products is so bad that they pose no impediment to any organization more talented than a group of script kiddies. A complete replacement of all Huawei equipment does not in any way materially improve security of the network against a competent nation state attacker. At most it might cause their operational budget to increase by 0.1% to fund exploit development of the replacement equipment on the off chance that they are utterly incompetent and do not already have a hoard of hundreds of exploits in all existing systems like the CIA did as revealed in the Vault 7 hack.

A material increase in security would require switching from Huawei to systems around 1000x better than prevailing systems otherwise you should have exactly zero trust that the security of the network can even minimally impede an adversary like China.


> Even if we assume that all Huawei products are currently backdoored, the security of commercial IT products is so bad that they pose no impediment to any organization more talented than a group of script kiddies.

The primary issue that the USG has with Huawei equipment is not technical security. It’s trust and governance.

I’ll give you a really simplistic hypothetical example: Let’s say a Cisco and a Huawei box have the same exact vulnerability, and the US and China engage in an all-out cyber war. China can simply block Huawei’s support staff with sanctions. They don’t need a back door. Meanwhile the Cisco tech is already patching the Cisco box. Equal technology, unequal results.

Not all issues regarding technology are about purely technical issues. Technology has to be implemented, maintained, patched, supported, etc. Those are primarily concerns of trust.


"how much trust can we place"

If we really cared about trust, we would mandate that all national infrastructure be open source and, at a minimum, independently security reviewed, and written in a safe language.

This comes across as just political posturing as usual.


> The next question will be how much trust can we place in the networks of our allies that still use compromised equipment from Huawei?

Start a similar program to replace their equipment, too.


Not very likely IMO. Even if the US paid for the hardware many (most?) users of Huawei tele equipment would not want to touch it (especially not US made). Huawei had a much better reputation (and in my experience they still do with people that actually touch the hardware) for listening to requests from users/buyers than pretty much any other manufacturer. There's a reason their equipment is widespread and unlike what most seem to believe price is at best on par with them being better. The difference in what I have heard and read from people that work with this and the mainstream media etc. is mindbogglingly different. Only in a few articles in mainstream media have I seen those people even asked their opinion and then the picture is much, much less one-sided.



