undefined | Better HN

0 pointsw77y ago0 comments

That doesn't make sense to me. Especially given the GHCQ's break down of Huawei gear finding that Huawei can't even do version control right (they had revisions of firmware with the same version id for the same hardware with different build characteristics), and magically reintroducing vulnerabilities from 2006. Personally I feel that Huawei gear would be ripe for exploitation and then misdirection.

I don't get why people are so hung up on proof though. There doesn't have to be proof. No one who I've talked to in the networking industry cares about proof (this includes myself). Hell China already bans companies at will. The only thing that matters is enough of a non-zero chance of Huawei releasing malicious firmware updates to select targets in the future. Judging by their inability to have firmware revisions that completely match in functionality who knows if they're already doing so at a smaller scale.

0 comments

5 comments · 2 top-level

majia7y ago· 3 in thread

> I don't get why people are so hung up on proof though.

The reason you look for proof is not that it gives you 100% security. It is the process of finding proof that helps us understand how secure a product is and what vulnerabilities need to be addressed. GHCQ's through examination of Huawei devices found problems with version control, and Huawei promised to fix those problems. This is how security could improve.

I think you also vastly underestimated how difficult it is to do version control for hardware due to extremely complex supply chain. If you examine products from any other brand, the situation is likely to be worse. I'm not suggesting Huawei's problems are acceptable. However, it is a misguided approach to decide which products are secure purely based on national origin rather technical merits.

w7OP7y ago

I don't think anything ever gives 100% security. I was simply talking about people thinking proof is needed for justification of the ban.

Anyone using factory shipped firmware for the entire life cycle of a device is negligent. I don't think I've had firmware functionality mismatches with Cisco/Juniper/Arista/etc gear especially since we track hashes and store images locally.

You don't simply leave a gate open because the attacker can scale the walls. I don't see any reason to make it easier for the Chinese government to implant itself in our networking infrastructure. Being able to directly provide and modify Huawei's firmware sans resistance allows them far greater flexibility than what they would have attempting to compromise <insert_us_vendor>'s development resources (not that it's impossible, not even remotely saying that).

rrix27y ago

These also sound like the sort of problems that could be solved without a global sales ban, people seem to really like the Hand of the Market for stuff like this when it's not down nationalist lines.

JamesBarney7y ago

This isn't why they were banned. They were banned for conducting corrupt espionage, violating the Iran sanctions, and lying about it to federal authorities.

raxxorrax7y ago

I don't think GCHQ is a reliable source, but from what they have reported here, they paint a very realistic picture on your average tech company.

I don't like the idea of having important infrastructure like this in the hands of any foreign manufacturer. Not while there is indeed evidence that government try to enforce backdoors in tech equipment.

j / k navigate · click thread line to collapse