
US asks allies to drop Huawei - petethomas
https://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=12165136
======
TACIXAT
I don't see anyone else talking about it. Around January 2018 it came out that
China had hacked the African Union headquarters which it had built as a gift
to the AU. [1] More recently, reports have come out that implicate Huawei in
that hack. [2] There is a law in China that says citizens and corporations are
required to cooperate with its intelligence services. While there has been no
strong evidence against Huawei released publicly, the logic is that China
asked for a backdoor and that Huawei had to comply.

> Ms Cave said Huawei had been implicated in alleged cyber theft of data from
> the African Union’s Ethiopia headquarters. According to multiple reports this
> year, data was transferred every night from the building for five years.
> “There’s no proof that Huawei was asked to participate or turn a blind eye to
> the breach, but we know that there was a breach and Huawei was the key
> provider,” Ms Cave said.

1\. [https://www.theguardian.com/world/2018/jan/30/china-african-...](https://www.theguardian.com/world/2018/jan/30/china-african-union-headquarters-bugging-spying)

2\. [https://www.theaustralian.com.au/national-affairs/national-s...](https://www.theaustralian.com.au/national-affairs/national-security/china-used-huawei-to-hack-network-says-secret-report/news-story/510d3b17c2791cbcac18f047c64ab9d8)

~~~
endorphone
_There is a law in China that says citizens and corporations are required to
cooperate with its intelligence services_

Of course US corporations are just as beholden to government directive. e.g.
[https://foreignpolicy.com/2016/10/04/how-american-companies-...](https://foreignpolicy.com/2016/10/04/how-american-companies-enable-nsa-surveillance/)

~~~
tootie
Typically this is done via FISA warrants aside from that period during the
Bush admin. China doesn't guarantee due process and can request information on
anyone for any reason including dissidence. Every government will spy on their
citizens to some degree, but that doesn't make them equivalent.

~~~
moreorless
> Every government will spy on their citizens to some degree, but that doesn't
> make them equivalent.

I only got my girlfriend a little pregnant; not like Joe over there, who got
his girlfriend fully pregnant.

~~~
matthewowen
Yes, some things are binary and some things are not. Your example is binary.
The situation we're talking about is not.

~~~
hellbanner
Frog in the boiling pot

~~~
hannasanarion
Slippery slope

See I can name meaningless aphorisms too.

------
levosmetalo
This implies that US can't reach the data from Huawei.

So it seems that Huawei is the safest option for any US and European citizen.

I'd rather have my data safe with the Chinese government, a country that is on
the other side of the globe and has practically zero influence on my life,
than sharing it with the US or my own governments, which are there, and can
make my life hell for any or no reason at all, and have the means to actually
hurt me.

And yes, if I can't avoid it, I'd much rather share my internet search history
with an unknown entity on the other side of the world, than with my own wife.

~~~
detaro
In the Snowden leaks there was a bunch of evidence that US intelligence at
least had deep access to Huawei:
[https://mashable.com/2014/03/22/nsa-huawei/](https://mashable.com/2014/03/22/nsa-huawei/)

~~~
SwellJoe
A system with a backdoor is a system exploitable by a high capability
attacker, like most major state intelligence agencies.

~~~
Jyaif
Not if the output of the backdoor is encrypted.

~~~
Retric
Depends on if you have the keys or not.

~~~
jamescostian
Unless you have massive computational power and manage to brute-force your way
to get the keys

------
saagarjha
> Some other members of the “Five Eyes,” a five-member intelligence pact among
> English-speaking countries that includes the U.S., have also publicly
> challenged Huawei.

Regardless of the content of the article, I found this quote hilarious: one
surveillance agency accusing another group of spying.

~~~
beloch
I remain to be convinced that Apple or Samsung are any more trustworthy than
Huawei. It's all made in China. While these manufacturers may not be sneaking
backdoors into devices, since this might be caught, they likely are being
compelled to disclose designs to be analyzed for weaknesses. It doesn't really
matter if some of the design work is done in California.

I wouldn't have substantially higher trust in something made in the U.S. or
other "five eyes" countries either. These governments do not respect the
privacy of their citizens, as evidenced by the NSA's recent breaches. Some
countries do slightly better than others (e.g. Canada _probably_ isn't as bad
as the U.S. yet). However, on the whole, privacy rights seem to be on the
decline in these countries. Treaties and cooperation between the security
agencies of these countries drag everyone down to the lowest common
denominator.

~~~
anonymous_i
Pardon my ignorance here. Putting the US or other five eyes countries on the
same plane as China is a false equivalency. People can at least take it to
streets and demand facts, which is not possible when we are talking about
China. Hypothetically, if Apple and Samsung made their phones in the US or
other five eyes countries we can assume some level of oversight on their
practices, which is not quite possible in China.

~~~
paulryanrogers
> People can at least take it to streets and demand facts, which is not
> possible when we are talking about China.

I agree the US is better about permitting public protest. But if the directors
of these US agencies can lie to Congress[0] without consequence then does it
really matter?

[0] [https://www.washingtonpost.com/news/the-switch/wp/2014/01/27...](https://www.washingtonpost.com/news/the-switch/wp/2014/01/27/darrell-issa-james-clapper-lied-to-congress-about-nsa-and-should-be-fired/)

~~~
whatshisface
They wouldn't be allowed to lie to Congress if Congress didn't allow them to
lie, and Congress wouldn't allow them to lie if the American people expressed
a clear desire for their elected government to rein the appointed organs back
in. That's what the protests are for.

There is a lot of institutional momentum in the US to keep doing bad things,
including a crushing blanket of a media that cares a lot more about pop
culture than anything else. But it is nice to not fear much for writing this.

~~~
SuoDuanDao
What would you consider expressing a clear desire to look like? The two
examples that come to mind for me, the TEA party and Occupy Wall Street, both
got shut down with extreme prejudice and enthusiastic support from half the
electorate.

~~~
whatshisface
Occupy and the Tea party weren't issues, they were groups. Groups are subject
to many dangers, internally and externally, that have little to do with their
goals. "Put our representatives back in charge," could be carried to
Washington by anybody from a billionaire to Bernie Sanders.

------
majia
The US government, with its own hacking of other countries as revealed by
Snowden, its strategic rivalry with China, and its history of false
intelligence such as WMD in Iraq, isn’t a trustworthy source to evaluate
Huawei’s security.

Huawei has completely opened its source code and hardware to several
governments, including UK, Canada and Germany, for security testing. Their
findings are much more informative and objective.

Best security doesn’t come from paranoia of certain countries. It comes from
evidence based and rigorous testing and research.

~~~
yitosda
> Huawei has completely opened its source code and hardware to several
> governments, including UK, Canada and Germany, for security testing. Their
> findings are much more informative and objective.

What does this even mean? If I give a batch of governments some of my super
secret text files and pinky promise that's what's in the hardware I'm giving
them, they should believe me?

The US can be trusted to advance its own interests. So can China. Everyone
else had best evaluate their threat vectors and find out where their interests
conflict with bigger and stronger interests.

Your comment history might have predicted that you'd comment on this topic.
You don't have many other interests.

~~~
majia
The testing centers have more sophisticated methods to address your concern.
They procure Huawei equipment from various vendors and check if they have the
same hardware and software. In fact, the recent report from UK did find minor
shortcomings related to binary mismatch in huawei products.

My point is not testing centers can provide 100% guarantee; such guarantee
does not exist in the security field. However, shared hardware and rigorous
testing provide far better security than blind trust and paranoia.

Also, what's wrong with being interested in sino-US technological
relationship?

~~~
yitosda
I'd be interested in further details about the testing. If any manufacturer
actively wants to backdoor their hardware I'm skeptical that anything but an
extremely expensive teardown of an infected device would find it.

It is simply incorrect to imply that reading vendor provided source can
usefully decrease the possibility of a targeted attack. Comparing (hardware
provided?) software checksums is not a real improvement. Juxtaposed with your
"interest" in the topic, such an argument naturally arouses suspicion (sorry).

There is obviously nothing "wrong" with being interested in this fascinating
clash of powerful interests, the amount of interest each discussion gets shows
you are not alone.

So I'm not just hammering at what you've said, I'll make my own statement:
There's absolutely nothing you can do to defend against a motivated attacker
providing you with complex computer hardware (let's say anything that has
software/firmware). Corollary: It's a fool's game to use hardware from those
whose interests conflict with your own.

China and the US have a massive conflict of their interests. Each should not
use hardware provided by the other. The risk for each is real and unavoidable.

~~~
majia
Hardware testing is much more than firmware checksum comparison. Once you have
the blueprint, you can physically compare it against samples using various
methods such as x-ray, acoustic and electric profiling to detect any
differences. Furthermore, hardware is generally retained for a long time and
can be checked with future anti-tampering technologies.

These measures do not offer perfect security. It simply makes the cost of
hacking and chance of being caught very high, even for state actors. We could
achieve fairly strong security at an affordable cost for most civilian uses.
At least, tested Huawei hardware may be a good alternative to untested
hardware from another vendor (which is probably manufactured in China too) at
an inflated price.

Of course, if you are still concerned, why not take a course on microprocessor
and build your own CPU? ;)

~~~
yitosda
It looks like you're moving the verification goalposts away from what is
actually running on the hardware and simultaneously walking this back from
government to civilian uses. These are completely different discussions
(though I might add that governments rely heavily on the private sector, so
some pressure there is expected).

Another completely different line of discussion is whether I personally am
concerned at all (I'm not), and what I should do about it (nothing, but
governments certainly should build their own CPU).

> We could achieve fairly strong security at an affordable cost

No. We cannot achieve strong security in a device that comes with software.
You also cannot (at the time of this writing) prove that the actual hardware
you personally are running is trustworthy without spending enough that the
"affordable cost" becomes a moot point.

A wide swath of civilian uses can probably come out on top of the cost/benefit
analysis just because their interests don't get in the way of governmental
conflicts (or they can make enough money in the meantime). It's only from the
perspective of a government that this conversation makes any sense at all.

------
danmaz74
I had understood that the current US administration's point of view was that
the US had no allies, but only leeches hell bent on ripping off the US? So,
I'm wondering which allies they're talking to.

~~~
ThomPete
That's the wrong understanding.

------
anilshanbhag
A key difference between Huawei and other Chinese companies like Xiaomi or
Alibaba is that they have an opaque shareholding structure with no public
investors which makes it hard to know if it is free from the influence of the
Chinese government.

~~~
taneq
If a company operates in China then it's under the influence of the Chinese
government.

~~~
beefsack
To be fair, you can say any company operating in a specific country works
under the influence of that government. Many US companies run or ran warrant
canaries for this specific reason.

~~~
JumpCrisscross
> _you can say any company operating in a specific country works under the
> influence of that government_

This collapses the continuum of the rule of law into a false binary. Americans
and foreigners alike can successfully challenge the U.S. government in
independent courts. None of those elements exist in China.

~~~
endorphone
How is the FISA court independent? The US government can strong-arm corporate
partners to do virtually anything they want, and can not only threaten jail if
you ever talk about it, they cloak the whole thing -- even for the most banal
thing -- as classified so it's impossible to contest.

This seems like pretending there is nuance that there simply isn't. The system
is a charade around the reality that US intelligence has virtually identical
inroads to US corporations.

~~~
ajdlinux
Sure, the FISC isn't amazing from a rule-of-law and transparency point of
view. But it's still a court made up of judges whose day jobs are serving in
the regular courts, and if you compare the amount of public literature, legal
analysis and news reporting on the operation of FISA and the US natsec
apparatus in general to China...

------
londons_explore
When will people learn - 'secure the connections, not the network'. You don't
trust the internet, and you shouldn't trust your internal network either.

Every connection between devices should be encrypted _as if_ it's going over
the internet. That's the basis of BeyondCorp, and many companies are going
that way.

It's far more sensible to secure just two endpoints than it is to also secure
all the wireless links, routers, and cables between them.

Now, when the adversary gets control of your routers, it doesn't matter - they
can't steal anything of value. The worst they can do is cause a brief outage,
for which they'll be immediately detected.

~~~
libdjml
Sure, that’s a great idea. But your transport security is going to show
vulnerability sooner or later (see: regular issues in TLS), and it’s worth
having a slightly less compromised network fabric.

I agree with your general sentiment though.

------
ajdlinux
The Director-General of ASD vs a Huawei employee on Twitter today:
[https://twitter.com/MikePBurgess/status/1065375012125761536](https://twitter.com/MikePBurgess/status/1065375012125761536)

~~~
socceroos
Yeah, ASD haven't got the best relationship with Huawei. For years they've
been in the PM's ear about keeping clear of them for NBN infrastructure.

To be honest, no manufacturer can be truly trusted, but given the vastly
different political and social ideologies between China and the West it seems
reasonable that they're picking their poison.

------
dbcooper
There is a dispute in NZ between telcos and the government over Huawei at the
moment.

[https://www.nzherald.co.nz/business/news/article.cfm?c_id=3&...](https://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=12165136)

[https://www.nzherald.co.nz/business/news/article.cfm?c_id=3&...](https://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=12153225)

------
tjpnz
I would've expected better from the current NZ government but this response
really illustrates just how utterly compromised the country is when it comes
to China. There was a similar muted response a few months ago to Chinese CCTV
cameras which had been installed inside government ministries.

~~~
pilsetnieks
At least those you can quarantine on a network level; it's much harder (or
really impossible) when it's networking equipment that's suspect.

------
balibebas
Little known fact: The stock video app in EMUI 8 running found in stock P20
Pros from authorized dealers in Singapore regularly make requests to Facebook
over IPv4 and IPv6 even though it only supports local video content.
t.me/paranoic for proofs.

~~~
balibebas
To be fair, Google regularly tries to grab GPS data using its 1e100.net domain
(see above # for additional proofs). The only way I've found to block this
kind of intrusion is NetGuard in "lockdown" mode.

------
client4
I haven't seen much about the 'hacks' taking place. Are investigators seeing
actual backdoors? Or just poor code being exploited in the wild? If it's the
latter then the US could be accused of the same with Cisco in the early 2000's
as exposed by FX.

~~~
unmole
Full disclosure: I am a Huawei employee, take everything I say with an
appropriate amount of salt.

It would be suicidal for Huawei to ship any equipment to Western carriers with
actual backdoors. European governments usually require thorough audit of the
code that runs their networks and vendors are required to have reproducible
builds for the same. The UK government for instance has the _Huawei Cyber
Security Evaluation Centre_ [1] responsible for vetting the Huawei equipment
that gets used by British carriers. Like TFA says, "The U.K. government said
in July it found shortcomings in the process." They didn't find any backdoors
or any actual vulnerabilities but did report "variable engineering quality".
Like any large and complex codebase produced by thousands of engineers, parts
of the code may be downright ugly but that does not make it malicious.

Anyways, the CSEC report did have its intended effect and now significant
resources are being expended to refactor legacy code. Nothing motivates
management like a possible loss of revenue from bad PR ;)

Then again the NSA hacked into Huawei HQ[2] so they might know something that
others don't. Speaking of which, how is the search for WMDs in Iraq coming
along?

1:
[https://assets.publishing.service.gov.uk/government/uploads/...](https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/626110/20170413_HCSEC_Oversight_Board_Report_2017_-_FINAL.pdf)

2: [https://www.nytimes.com/2014/03/23/world/asia/nsa-breached-c...](https://www.nytimes.com/2014/03/23/world/asia/nsa-breached-chinese-servers-seen-as-spy-peril.html)

~~~
le_clochard
This is not the first time. Huawei was banned from supplying for India's
National Broadband Network in 2012, and has again been banned from supplying
for India's 5G revamp.

Not all employees would be in on the espionage attempts either. It'd have to
be a very limited circle that knows about it.

~~~
unmole
> _banned_ from supplying for India's 5G revamp

That is bordering on _fake news_. Huawei was not part of the initial group of
companies invited by DoT. I have no idea why Huawei was excluded earlier and
then invited later.[1] But then again, that's Indian babudom for you.

> Not all employees would be in on the espionage attempts either. It'd have to
> be a very limited circle that knows about it.

My point was entirely about what would be in any company's rational
self-interest and the findings of Western countries that evaluate Huawei
equipment. Honestly, I wish the Indian government would do something similar
with all vendors.

1: [https://www.thehindubusinessline.com/info-tech/huawei-gets-g...](https://www.thehindubusinessline.com/info-tech/huawei-gets-government-nod-for-5g-trials/article25137732.ece)

~~~
Joakal
Huawei has been banned by government for fibre internet (NBN) tenders over
security concerns.

But it's ok for Huawei to sell to Australian businesses and consumers. So much
for government protecting its own people.

~~~
client4
I buy Huawei gear and dislike my government attempting to limit my free market
choices. Cisco was (is) just as vulnerable, people just don't talk about it
because they have so many lawyers.
[https://artkond.com/2017/04/10/cisco-catalyst-remote-code-ex...](https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/)

~~~
mensetmanusman
Free market choices in this case have hidden costs. Huawei was selling
hardware with user manuals from cisco because they were exact copies. When IP
is stolen, countries lose incentive to invest in R&D. Note almost every major
Bell-labs era research center has been shut down or dramatically weakened, the
most recent being Dow/Dupont.

------
TsomArp
I don't get it. Isn't everything or almost everything being built in china
nowadays? If you don't trust them, build in house.

------
johannkokos
No one talks about the story from financial perspective? How much will Huawei
lose, who is the competitor against Huawei? IMO it's the extension of trade
war between US and China.

------
StefanKarpinski
There's also substantial evidence that Huawei was involved in the murder of a
US citizen to cover up attempts to acquire classified US military technology:

[https://en.wikipedia.org/wiki/Death_of_Shane_Todd](https://en.wikipedia.org/wiki/Death_of_Shane_Todd)

Financial Times story about the case:

[http://ig-legacy.ft.com/content/afbddb44-7640-11e2-8eb6-0014...](http://ig-legacy.ft.com/content/afbddb44-7640-11e2-8eb6-00144feabdc0)

Discussion on HN:

[https://news.ycombinator.com/item?id=5230585](https://news.ycombinator.com/item?id=5230585)

------
oger
Pick your poison.

------
cbzbc
Within the UK Huawei has won a number of network refresh contracts with BT. I
assume this then got levels of concern going within the various agencies, as
this was one of the results:

[https://www.gov.uk/government/publications/huawei-cyber-secu...](https://www.gov.uk/government/publications/huawei-cyber-security-evaluation-centre-oversight-board-annual-report-2015)

A factory within the UK, owned by Huawei's UK arm - with restrictions entry,
that is then used for security assurance of the products BT uses.

------
simonblack
Protection for US 5G Corporations to allow them to catch up.

Then there's the other side of the coin. The Chinese boycotting of US
Corporations. China alone has more population and manufacturing than the US
and EU combined. Does the West really want to lose a market that's 20% of the
whole world? Probably not.

"Trade Wars are good and easy to win." /s

------
vectorEQ
haha good luck , whole countries networks / isp networks get managed by them.
sure US will cover for those costs of changing with their fiat currency.

~~~
toxik
Other telecom actors were steamrolled by the government-backed Huawei telecom
network deals. Ericsson for example could not keep up because the EU doesn't
believe in protectionism, at least at that level.

------
throw2016
There are too many double standards here, about capitalism, free trade,
technological progress. There is a legitimate reason to be concerned about
backdoors and spyware, but why should this 'concern' be limited to a single
country in this self serving way?

What this really says is that some companies and countries can access all
markets without concerns but when others try to grow their market access will
be restricted with scaremongering, bullying and political games perpetuating
an artificial marketplace.

It's the ideologues who always argue on 'free markets' and 'competition' in
absolute terms who should wake up to how little the real world has to do with
their idealized constructs.

------
nradov
Huawei has been spending a lot more advertising their consumer electronics in
the USA lately. Probably trying to build some goodwill.

------
moretosee
I think Germany will definitely refuse the proposal as Merkel's phone was
tapped by US.

[https://www.telegraph.co.uk/news/worldnews/europe/germany/10...](https://www.telegraph.co.uk/news/worldnews/europe/germany/10407282/Barack-Obama-approved-tapping-Angela-Merkels-phone-3-years-ago.html)

------
Havoc
In other news - my Huawei tablet arrived today & this was one of the first
articles I read on it

oh the irony

------
unixhero
Welp. It's fairly ubiquitous.

------
vorticalbox
Next they will be calling to ban all toy imports in case they contain
microphones.

~~~
rexpop
A classic Phildickian premise; see his 1959 story "War Game."

------
newnewpdro
Implicitly manufacturing American confidence in domestic brands with such
headlines while economically harming China, this obviously doesn't need to
have a shred of evidence to be worthwhile.

But don't forget all smartphones are pwned.

~~~
friedman23
>But don't forget all smartphones are pwned.

This is the safest assumption

~~~
matt4077
Sure, in the way that assuming all food is rotten is the only way to
completely avoid food poisoning.

If, however, you don't subscribe to the starving lifestyle, such blanket
assumptions are useless.

Same for phones: do you just not use a phone? Does the poster above you rely
on the heuristic that people using the term "pwned" generally don't have much
of relevance to say anyway?

Because if everything is terrible, and everyone is corrupt, and there is
absolutely no use in considering the probability that some options are less
terrible than others, and that there may be signs the public can pick up on to
make decisions, then congratulations: those beliefs do help in feeling really
smug about your cynicism. But they don't really help otherwise.

~~~
balibebas
Without NetGuard or similar all smartphones, everywhere, are indeed pwnd. The
mistake made in using a food analogy is that, while both are consumables
(consuming attention in the case of a phone) only one is a necessity to life.

------
friedman23
I find it interesting that nobody arguing in favor of Huawei attempts to
dispute the fact that data transmitted over Huawei hardware is insecure.

~~~
rubatuga
That would mean knowing the intricacies of Huawei source code, which would
imply that they are a shill

------
kushti
American regime is truly terrible. I boycott all the American for years, and
wonder how many people are doing the same in 2018.

------
ojbyrne
Pretty hard argument to make after the US decided Canadian steel is a threat
to national security.

~~~
lamarpye
Maybe if you treat "Canada as a national security threat" as a posture during
trade negotiations, it might not be such a hard argument.

------
stanulilic
Good move.

------
throwaway487548
Where Huawei got the IP? From Nortel? How much royalty fees it paid? None?
That is why.

------
nimbius
is there any hard evidence that huawei is a legitimate security concern?
Checking the wiki it seems like this is the commerce department trying to piss
in the cheerios of a company that doesn't subscribe to the jackboot regimes of
US foreign and copyright policy. they've sold to iran, and have been accused of
industrial espionage, but Symantec sold to iran and violated the GPL numerous
times without so much as a scolding.

~~~
JumpCrisscross
> _is there any hard evidence that huawei is a legitimate security concern?_

Yes, quite a bit [1]. Here’s an apolitical example:

“In July 2012, Felix Lindner and Gregor Kopf gave a conference at Defcon to
announce that they uncovered several critical vulnerabilities in Huawei
routers (models AR18 and AR29) which could be used to get remote access to the
device. The researchers said that Huawei ‘doesn't have a security contact for
reporting vulnerabilities, doesn't put out security advisories and doesn't say
what bugs have been fixed in its firmware updates’, and as a result, the
vulnerabilities have not been publicly disclosed.”

In summary, the best case is Huawei is incompetent.

[1]
[https://en.m.wikipedia.org/wiki/Huawei#Controversies](https://en.m.wikipedia.org/wiki/Huawei#Controversies)

~~~
neomax
It's one thing Huawei's products have severe vulnerabilities (as every other
IT companies do), and another thing the company is actively engaging in
espionage.

If this is the best hard evidence the US can bring forward, then the whole
allegation sounds entirely political-driven.

~~~
jchw
If you can't tell, does it matter? If you're hoping for espionage to be
obvious and blatant, I think you must be underestimating people's creativity.

~~~
jake_the_third
Then we shouldn't deal with Cisco, Juniper, and pretty much every other
network equipment manufacturer.

What kind of logic is that?

~~~
jchw
Trust is not binary.

~~~
jake_the_third
I fail to see how this ties into your original point.

