
Huawei Says It Would Offer Access To Its Source Code - techinsidr
http://www.securityweek.com/huawei-says-it-would-offer-access-its-source-code-independent-testing-center
======
xyzzy123
I think it's a nice political move, but I will be surprised if it makes much
difference in the end.

It is impossible to demonstrate trustworthiness to someone who isn't willing
to believe it.

Some issues which would get raised by your friends if they didn't want you to
buy Huawei:

Firstly, you have the problem of underhanded code (e.g.
<http://underhanded.xcott.com/>), e.g. deniable backdoors. Auditing a large C
codebase to the point where you have confidence in it is Expensive and Time
Consuming.

Secondly, version control gets to be a huge problem. If you are going to rely
on the results of your audit, now you have to build the firmware yourself with
a trusted toolchain. This is going to be a lot of work. Especially since you
now have to do this for every firmware release for every product you use. Most
organisations aren't getting patching and release management right even as
things stand right now.

Thirdly: do we need to look at the FPGAs, ASICs and "auxiliary" firmware? Are
all the parts standard? Where were they fabbed? Can we trust _those_ guys? Is
the router we get next month going to be the same board revision, with parts
from the same vendors?

Fourthly: how comfortable are the players in various countries going to be
with a Chinese state-owned company having their detailed network designs for
telcos and core networks? (I mean, pretending they don't already ;)

Paranoid hat mode: I do wonder whether the huge mistrust of Huawei is standard
anti-competitiveness... or because everyone's agencies have been using
{backdoors, bugs, info} provided by various companies and "friendly employees"
for years - and buying Huawei kit just seems like it's making things too easy
for certain parties.

If you are interested in these kinds of shenanigans:
[http://spectrum.ieee.org/telecom/security/the-athens-affair/0](http://spectrum.ieee.org/telecom/security/the-athens-affair/0)
is a fascinating read.

~~~
danielweber
Thank you. "Ability to read the source code" is amazingly low for knowing if
the code is trustworthy.

And don't forget we have to trust the compiler that compiled the compiler.
_EDIT_ : I see you mention "trusted toolchain" in your second point.

------
ari_elle
In my opinion it's the right way to address this.

They enter the US market only to have their reputation instantly destroyed by
official US institutions, which file concerns about possible spying through
their products at a moment when they haven't even looked at them, and then
conclude later that security risks were found but none of the allegations were
true.

I don't know how big the final damage for Huawei is, but letting them look at
the source code in order to avoid this seems like a good way of addressing it.

And that is actually one of the big pro free software arguments in general:

By having the source code openly* available you know when you are screwed
over.

Congrats, Huawei, for what is in my opinion the right way to address this issue!

* _In the scenario of Huawei, they only want to make the source code available for analysis purposes by governmental institutions. That does not change the statement issued above, though._

~~~
binarymax
I see a flaw here. How would we know that the source code made available to US
officials is the actual code built and shipped on their devices? They could be
showing officials 'cleaned' code, and then ship different code with
spyware/malware baked in. The only way to really trust the code is if an end
user can download the source, review it, build it, and install it on their
device.

~~~
ari_elle
I see a flaw in your flaw.

1st) small chance that spying features are implemented that a paranoid
analysis by US officials wouldn't have revealed* (or that the US would have
said the products are good while still having reasonable concerns about
potential spying)

2nd) I don't know how they would give their source code to government
officials, but I guess it's fair to assume that it can be done in a private and
trusting manner (also, they are probably able to test whether a piece of
hardware runs the code given or not)

3rd) the risk of secretive spying features being found is high** (even if you
want to argue it might be lower than described by myself above -> see 1st);
therefore it would generally lead to one of the biggest company scandals in
21st-century history and completely destroy all of Huawei's business in all of
the Western World (not worth it)

* _Somebody shall correct me if I might be wrong, but wouldn't it be pretty hard to hide spyware in software that is used worldwide by millions of users and that has been the center of governments' attention for a long time?_

** _Think of the amount of Huawei contractors, the sheer quantity of their sales._

~~~
xyzzy123
It doesn't have to be "spyware" per se. It just has to be a bug or problem
that you (and your friends) know about that your customer doesn't.

------
Zarathust
Still, it would be very hard to make sure that the provided code is indeed the
one running on the suspicious machines. The only way I see to make sure of
that would be to provide tools to compile and flash the hardware, which
doesn't make much business sense. This also gives no protection to silicon
based backdoors that has nothing to do with OS code.

------
seivan
Has anyone compared Ericsson's tech with Huawei's? Honest question. I feel like
if you're setting up infrastructure, take it from the countries that do it
best. Ericsson is Swedish, and Sweden was _THE_ first country to roll out 4G
(around my parents' place, even).

~~~
jsnell
The technology isn't really relevant. Sure, organizations with unlimited
budget would probably choose some other vendor than Huawei. But that really
doesn't include most mobile operators in the world. And then what starts
mattering is that Ericsson or NSN charges twice as much for the same capacity.
Or that Huawei is willing to give financing on good terms (including on parts
of the network supplied by other vendors).

~~~
seivan
I beg to differ. It is very relevant if you want proper infrastructure with
reliability and speed.

3G sucks in Singapore, but the 4G is amazing. Ericsson is in charge of the 4G
infrastructure here. It's not fully done, but to me it feels like island-wide
coverage.

[http://www.techinasia.com/wake-disastrous-rainstorm-beijing-text-message-warning-system-impossible/](http://www.techinasia.com/wake-disastrous-rainstorm-beijing-text-message-warning-system-impossible/)

------
jivatmanx
Let's not forget: Aliyun OS is an admitted illegal closed-source Linux fork
(and likely an Android ripoff).

Perhaps China should comply with basic U.S. law if they want to sell things
here.

~~~
ari_elle
The point is that you can't judge a company solely on where they are from, and
that, simply because of the company's origin, to not only state concern but to
actually completely ruin their reputation by issuing serious concerns about
possible spying activities, before having analyzed the products under
suspicion, is just wrong.

That is btw exactly what you are doing.

Aliyun OS is illegal, so Huawei has to suffer?

 _This is at least the logic I draw from your statement in connection with the
article._

Note: And after having destroyed part of their reputation in the US and having
analyzed their products, the official conclusion was that there were security
risks found, but no possible spying or anything.

~~~
tuananh
I guess at some point I can judge a company based on where it's from,
especially with the political system in China.

------
late2part
For the US would never allow spying in the telecommunications infrastructure,
would they?

------
pfortuny
Yes, and get all the bugs they want to fix fixed for free, is it not? And
leave open those they deem worth leaving.

~~~
ari_elle
Huawei wants to enter US market

 _-> spying suspicions_

Huawei makes source code open

 _-> all they want is free bug fixing_

Is that really fair?

Note: Have you even read the article? They say they would make the source code
available for official governmental institutions to analyze it if they wanted,
they don't say anything about making it completely open-source!

~~~
DannyBee
Making the source code open doesn't help unless you can flash the devices,
since you have no guarantee the source code is what's on the devices.

Plus, if the backdoors are in hardware (say the hardware AES implementation
has a small key scheduling "bug" or something), not software, source code
wouldn't help.
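
The objection raised by binarymax, Zarathust and DannyBee above, that the source shown to an auditor may not be what actually runs on the device, is the problem reproducible builds are meant to solve: rebuild from the audited source with a trusted toolchain and compare the result byte for byte with what shipped. The following Python is an added illustration, not code from this thread, from Huawei or from any real firmware format. It uses a constructed toy image format (a `FWv1` header carrying a build timestamp, followed by a compressed payload standing in for compiled code) to show why a build that embeds a timestamp gives no evidence either way, and how pinning or normalizing that field turns the comparison into a usable check. Function names, the header layout and the sample "source trees" are all assumptions made for the example.

```python
"""
Toy model of "does the shipped firmware match the audited source?"

The vendor 'builds' an image from source; an auditor rebuilds from the same
source and compares hashes. A build that embeds a timestamp is not
reproducible, so raw hashes differ even for honest builds; real reproducible-
build projects pin such fields at build time (e.g. via SOURCE_DATE_EPOCH).
Everything here is a constructed stand-in, not any vendor's real format.
"""
import hashlib
import struct
import zlib

MAGIC = b"FWv1"
HEADER_FMT = ">4sII"          # magic, build timestamp, payload length
HEADER_LEN = struct.calcsize(HEADER_FMT)

# Constructed sample "source trees" (byte strings standing in for real code).
AUDITED_SOURCE = b"int main(void) { return serve_requests(); }\n"
TAMPERED_SOURCE = AUDITED_SOURCE + b"/* extra, unaudited code path */\n"


def build_image(source, build_time):
    """Toy build: compress the source as the 'binary' and prepend a header
    that records the build time, as many real firmware formats do."""
    payload = zlib.compress(source, 9)
    header = struct.pack(HEADER_FMT, MAGIC, build_time, len(payload))
    return header + payload


def parse_image(image):
    """Split an image into (build_time, payload), validating magic and length."""
    if len(image) < HEADER_LEN:
        raise ValueError("image shorter than header")
    magic, build_time, length = struct.unpack(HEADER_FMT, image[:HEADER_LEN])
    if magic != MAGIC:
        raise ValueError("bad magic")
    payload = image[HEADER_LEN:]
    if len(payload) != length:
        raise ValueError("payload length mismatch")
    return build_time, payload


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def normalized_hash(image):
    """Hash the image with the build-time field zeroed, so that a timestamp-only
    difference neither hides nor fakes a real difference in the code."""
    _, payload = parse_image(image)
    canonical = struct.pack(HEADER_FMT, MAGIC, 0, len(payload)) + payload
    return sha256_hex(canonical)


def verify_shipped(shipped, source, rebuild_time):
    """Auditor side: rebuild from the audited source and compare with what
    shipped. Returns both the raw and the timestamp-normalized comparison."""
    rebuilt = build_image(source, rebuild_time)
    return {
        "raw_match": sha256_hex(shipped) == sha256_hex(rebuilt),
        "normalized_match": normalized_hash(shipped) == normalized_hash(rebuilt),
    }


if __name__ == "__main__":
    # Honest vendor build, auditor rebuilds a day later: raw hashes differ
    # only because of the timestamp; the normalized hashes agree.
    vendor_build = build_image(AUDITED_SOURCE, build_time=1_350_000_000)
    print(verify_shipped(vendor_build, AUDITED_SOURCE, rebuild_time=1_350_086_400))
    # Image built from different source than the one audited: both checks fail,
    # even with the timestamp pinned to the same value.
    tampered = build_image(TAMPERED_SOURCE, build_time=1_350_000_000)
    print(verify_shipped(tampered, AUDITED_SOURCE, rebuild_time=1_350_000_000))
```

The `raw_match` result is the only one that needs no knowledge of the image format, which is why reproducible-build efforts push vendors to make builds deterministic rather than leaving auditors to normalize fields after the fact. The check also only covers what the comparison covers: it says nothing about code in silicon, in auxiliary firmware, or in an image installed by a later update, which are exactly the gaps xyzzy123, DannyBee and techinsidr point out.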

~~~
techinsidr
Exactly. And any update feature, which is typically built into most networking
products, could enable a backdoor to be installed at a later date. Could be
clean now, but doesn't mean always!

