Linked by Thom Holwerda on Tue 16th Jan 2018 22:04 UTC
Legal

US lawmakers have long worried about the security risks posed the alleged ties between Chinese companies Huawei and ZTE and the country's government. To that end, Texas Representative Mike Conaway introduced a bill last week called Defending U.S. Government Communications Act, which aims to ban US government agencies from using phones and equipment from the companies.

Almost all phones and electronics - including most "American" or "European" phones - are made in China. This seems more like a battle in a wider trade war than something related to spying.

Order by: Score:
mistersoft
Member since:
2011-01-05

(to a large extent)
?

I'm not a coder but I thought TLS, SSL etc, i.e. how they work mathematically -- will bypass any/many theoretical CPU "hardware spy bugs"

And if you trust the OS vendor and certification authorities etc then the fear mongering becomes somewhat moot ?

Interested to hear from those who understand the details though

Reply Score: 2

Alfman Member since:
2011-01-28

mistersoft,

I'm not a coder but I thought TLS, SSL etc, i.e. how they work mathematically -- will bypass any/many theoretical CPU "hardware spy bugs"



It sounds like they're aiming to ban chinese phones vendors that control the OS instead of banning phones that use chinese hardware components. If it were the later case, apple's iphone and probably all phones would have to be banned too. They wouldn't let this happen, haha.

And if you trust the OS vendor and certification authorities etc then the fear mongering becomes somewhat moot ?


It's true that the OS vendors need to be trusted. In almost all cased the software vendor has explicit root access to your phone. So if they wanted to, they could grab all your keys and monitor you (heck in some ways microsoft is a peeping-tom with windows 10 telemetry). Long story short, unless you've got a fully open source OS, you are forced to trust the vendor. This is true even if you are a congressman with top secret clearance.


However the trust doesn't stop with the OS, being able to trust the hardware is just as crucial since the software is forced to trust it. With spectre and meltdown, we've seen just recently how badly software defenses can fail when the hardware is broken. Those were accidental, but if engineers wanted to there's no reason they couldn't create explicit hardware backdoors in CPUs or GSM chips.

Reply Score: 2

nicubunu Member since:
2014-01-08

If (a big IF) the hardware and/or low-level software are malicious, then you can't guarantee the high-level software is secure.
Extreme example: your browser of choice may send your password encrypted, but IF your device has a keylogger, that does not matter much, your password was learned already.
This aside, the backdoors can be in silicon and all silicon is made in China, so I am with those seeing this measure more like protectionism and keeping the competition away.

Reply Score: 3

abraxas Member since:
2005-07-07

This aside, the backdoors can be in silicon and all silicon is made in China, so I am with those seeing this measure more like protectionism and keeping the competition away.


You're misunderstanding. Huawei produces their own chips. Even if an American company was producing chips in China they are still using American specs and processes. It's a lot easier to slip spyware into a wholly owned Chinese company. Besides I don't think it is true that ALL silicon is manufactured in China but to be honest I am unsure. I can tell you that this has nothing to do with protectionism though.

Reply Score: 2

abraxas Member since:
2005-07-07

(to a large extent)
?

I'm not a coder but I thought TLS, SSL etc, i.e. how they work mathematically -- will bypass any/many theoretical CPU "hardware spy bugs"

And if you trust the OS vendor and certification authorities etc then the fear mongering becomes somewhat moot ?

Interested to hear from those who understand the details though


Unfortunately that is not the case. There is so much that can be hidden in hardware that software alone cannot mitigate it. Secondly you shouldn't trust certificate authorities based on their track record never mind the various ways they can be undermined even without being breached.

Reply Score: 2

China -- not quite
by cacheline on Wed 17th Jan 2018 01:47 UTC
cacheline
Member since:
2016-06-10

Lots of electronics are made in Taiwan, which doesn't consider itself part of China (despite China's disagreement and protestations). So, it's not necessarily an invalid argument. And I have to wonder about where Samsung/LG components are made/assembled. Is it South Korea or would they send it to China?

Reply Score: 2

Yup
by Poseidon on Wed 17th Jan 2018 02:01 UTC
Poseidon
Member since:
2009-10-31

The cost of verifying the physical and software security must be insane.

I bet engineers rarely think about it unless they’re ex-intelligence. One would also think countries would want some fans in their own countries even if costs go up.

Reply Score: 3

benoitb
Member since:
2010-06-29

Last time I checked I think ZTE was using Qualcomm (US) chipsets and Huawei was using Hi-Silicon (China, their own brand) chipsets.

So I would agree it's probably more about image and trade deals than any real concern on security. If only Huawei was mentioned I could understand.

If they are talking network equipement vendors then it's a different story.

Edited 2018-01-17 08:04 UTC

Reply Score: 2

At one time.
by dusanyu on Wed 17th Jan 2018 23:19 UTC
dusanyu
Member since:
2006-01-21

In order for the Government or the D.O.D. to use a item it had to be manufactures by a U.S. owned company and also Manufactured in the U.S. (as were all parts used in it's manufacture) this was in order to prevent entanglements in supply chain in times of war. Why this rule was ever dropped in the first place makes you wonder what kind of idiots have we been electing?

No wonder the only jobs left in The U.S. are low paying service job that are quickly being replaced by machines.

Edited 2018-01-17 23:21 UTC

Reply Score: 2

RE: At one time.
by abraxas on Thu 18th Jan 2018 20:49 UTC in reply to "At one time."
abraxas Member since:
2005-07-07

The high paying manufacturing jobs were replaced by machines long ago. Low skill jobs have been disappearing because of automation for decades. First it was the high paying, low skill jobs because the most gains could be made there. Now it is the low paying, low skill jobs. Forcing companies to manufacture in the US won't bring back jobs. Those are long gone. It's a new world out there.

Reply Score: 3

More anti-US bias
by abraxas on Thu 18th Jan 2018 20:56 UTC
abraxas
Member since:
2005-07-07

This has nothing to do with "protectionism". China has been stealing technology and spying on the US for a long time. This isn't news. The US cannot afford to take a chance with a wholly owned Chinese company making advanced communication technology whether they are inserting spyware or not. It's just not a reasonable risk to take considering China's history towards the US and the risk involved with these types of devices. Almost every day we are getting reports of spyware in Chinese made cameras, kids toys, and other electronics. We would be fools to not consider the risk of the possibility of spyware in more ubiquitous products like cell phones.

Reply Score: 0