
Spy agencies ban Lenovo PCs on security grounds - rlvesco7
http://www.afr.com/p/technology/spy_agencies_ban_lenovo_pcs_on_security_HVgcKTHp4bIA4ulCPqC7SL
======
ihsw
One can also interpret this as Lenovo refusing to install American backdoors
that Western-sourced devices have, but that's entering conspiracy-theory
territory...

~~~
chrischen
We're already in conspiracy-theory territory.

~~~
lifeisstillgood
Just lean back and enjoy the view :-)

------
glesica
Wait, so they'll still buy a Dell or HP that is manufactured in China, by a
Chinese company, but has the nameplate of an American company slapped on the
front, but they won't buy a Lenovo? I'm so confused.

~~~
samspenc
IMHO, there's a big difference between American companies that manufacture in
China and can ensure certain functionality (I for one support "made in USA"
and buy that if I can)... and Chinese companies, esp. ones with CCP
connections, who can build electronics any which way they would like to.

~~~
nawitus
>I for one support "made in USA" and buy that if I can

I'd never understood this kind of nationalism. I don't care if the items I
purchase happen to have been made in the country I happen to live. I want to
buy the product that best suits my needs regardless of where it was
manufactured.

Sure, if an American product happens to have a higher quality and I'm looking
for that, then I can choose to buy it. In that case you can abstract away the
manufacturing country, so "made in country X" shouldn't be a factor in any
case.

If anything, Western people should buy products from poor countries. It's the
best aid they can get.

~~~
mcantelon
>I'd never understood this kind of nationalism.

Some people want to support their own community and some are concerned about
labor/environment standards, human rights, civil liberties, etc.

~~~
nawitus
>Some people want to support their own community

I don't think that's necessary nor ethically justified (though I understand
why some people support it). It's like some kind of abstract form of 'cartel',
i.e. "I support you, you support me".

However, it's taking money away from poor countries (in this context). I don't
think some 'rich' Westerner who happens to live near me is more deserving of
my money than a poor person in a third-world country.

>some are concerned about labor/environment standards, human rights, civil
liberties, etc.

Ironically, the only way those poor countries will have labour/environment
standards, human rights and civil liberties is through economic growth. If
you're poor, you can't afford workplace safety.

~~~
vmarsy
> I don't think that's necessary nor ethically justified

Let's say there was a fictional country that was the exact opposite of your
country: some kind of dictatorship, with censorship everywhere, people
enslaved, etc.

Of course you would not buy a laptop from them, you don't want to give more
money/power to this awful country.

Now, if you consider 1 country to be the best, with a score of 100, and that
worst country to have a score of 0.

Every other country would have a score between 0 and 100.

Depending on people's views about where this country fits, some will be more
supportive than others: they would be OK to pay 20% more for the same laptop
to a country with a score of 95 instead of 80.

The analogy with the coffee shop of JonFish85 would be: you know your brother
is kind to his employees and gives them good salaries, whereas the other
coffee shop's owner harasses his employees and pays them badly. But in both
coffee shops, the product is the same, with the same price.

>Ironically, the only way those poor countries will have labour/environment
standards, human rights and civil liberties is through economic growth. If
you're poor, you can't afford workplace safety.

Not really, if some company has twice as much money, they would just hire more
low-cost employees. To have better workplace safety, either the employees
must act, or citizens of that country (including the employees), assuming the
country is a good democracy. If none of them can, other countries can help solve
the problem by boycotting products or enforcing regulations.

~~~
Hinrik
My country of birth is small enough that practically none of the nontrivial
products I want to buy or consume are made locally, so hearing about this sort
of preference (e.g. for "made in $my_country" products) makes me think. Since
I can't fall back on a no-brainer nationalist preference on a daily basis
(except for a few locally grown vegetables) like the citizens of a country as
large as the United States, what should I prefer, if anything?

>Of course you would not buy a laptop from them, you don't want to give more
money/power to this awful country.

The approach you describe entails rating countries of manufacture based on
labour/environmental/civil standards. So, without more detailed knowledge of
the factories in question, an American who follows this approach should prefer
a product made in (say) Germany or Sweden, rather than one made in the USA,
since it could be argued that the former countries treat their workers better,
and take better care of their environment.

I think a reasonable proviso to this policy might be to source high-
volume/frequency items locally (e.g. produce) when possible to reduce
pollution from transportation (or any other wasteful overhead), assuming
almost everything else is equal. Which also means that if this hypothetical
American resident is close to a land border, s/he might want to buy something
from Canada or Mexico rather than a U.S. state at the other end of the
country.

~~~
mpyne
> what should I prefer, if anything?

Whatever you want. That's the point.

People on HN are talking about boycotting U.S. cloud-based services due to the
NSA, which is a logical extension of this principle of supporting people and
business who you perceive to be "closer" to you.

------
harshreality
From the article, for the commenters who don't seem to have read it and have a
side discussion going about "how do we know Dell or HP hardware isn't
compromised?" (answer: nobody knows that, but that's not the reason for the
article)...

 _The ban [on Lenovo hardware for classified networks by multiple western
intel agencies] was introduced in the mid-2000s after intensive laboratory
testing of its equipment allegedly documented “back-door” hardware and
“firmware” vulnerabilities in Lenovo chips._

~~~
DanBC
This is fascinating to me.

There are six countries mentioned - China, US, UK, Australia, New Zealand, and
Canada.

Do each of those know the actual exploits, or do they just know that exploits
exist and to not use these computers?

Assuming they all know, that's a lot of people who can have scary access to
Lenovos. I'd be interested to see if that's going to affect the generally good
image Lenovo had. My old thinkpad has a bunch of nice security stuff. I still
think it's the most secure computer I use, certainly more tamper proof than
most other machines I use.

~~~
imrehg
I have a Lenovo X201, would love to see some details, and try to "hack" my own
computer, to see what's there.

Very little information about the actual details in the article. If there
really was a backdoor there and they're publicly banning a company because of
that, wouldn't it make more sense to show the results publicly too? Otherwise
it feels more like FUD than responsible research.

------
er0k
Jonathan Brossard gave a great talk about this at defcon last year. Around the
2:30 mark in the video he talks a bit about the idea of China backdooring
hardware.

<http://www.youtube.com/watch?v=yRxDvkKBMTc>

<http://www.slideshare.net/endrazine/defcon-hardware-backdooring-is-practical>

<http://www.scribd.com/doc/101181012/Rakshasa-Whitepaper>

------
tnuc
This is the same bullshit that was thrown around when IBM sold off their PCs
to Lenovo.

A British spy agency coming out with information like this but not in public?
Sounds like bullshit to me.

Britain would be well advised to steer clear of US branded computers as the
NSA might have access.

~~~
samstave
>... _as the NSA might have access_

Might?

Anyone recall how the USG was requiring backdoors into all routers/switches? I
was told about this in 1997 from a Cisco employee who told me they were
required to provide a method for the USG to be able to log into all devices
they make.

~~~
mrweasel
USG? I've seen that show up quite often the last couple of days, but never
explained. Google says it's USG Corporation or University System of Georgia.

~~~
pja
United States Government in this context I think.

------
samspenc
Finally. Given how Huawei routers are riddled with "Security 101"
vulnerabilities [1], I doubt that Lenovo is any better.

[1] <http://news.cnet.com/8301-1009_3-57482813-83/expert-huawei-routers-are-riddled-with-vulnerabilities/>

------
harrytuttle
Seriously, shit or get off the pot.

It's speculation and posturing until there is evidence.

It sounds more like someone is not happy they're not in control of the
hardware.

~~~
CaveTech
Posturing so that they can convince others that it's true. And then shovel
their _own_ chips filled with backdoors.

It's sad to admit, but I would be more suspecting of an American computer than
a Chinese one at this point. Constantly pointing their fingers at everyone
else so they can do the same things when everyone has their back turned.

~~~
rhizome
Not to mention that these spy agencies will pass the information to each other
no problem, as long as the price is right. Maybe that's what this is, though:
a tell that (perhaps due to recent developments in the US intelligence sphere)
China has raised its prices.

------
lifeisstillgood
If this is not a reason for government backed Open Source hardware I don't
know what is. If you know the hardware design you can check it.

And I am willing to bet there is a way to take a circuit "fingerprint"

------
wil421
They are only paranoid because they know they have introduced backdoors into
products their countries produce. Do you really think the US/UK/AUS has not
introduced something into a Cisco product or some other hardware manufacturer
in their respective country?

Just look at what has come to light with the PRISM program. They already have
access to the major software companies; what makes people think they haven't
done some secret FISA order to Dell/Cisco/HP/Apple etc.?

edit: typo

------
revelation
Banning Lenovo's PCs seems somewhat unreasonable, given that they are made
mostly from parts you can buy on Newegg that are not suspicious, running
Windows.

The actual risk is in infrastructure, stuff like Huawei routers or telephone
backends, most of which today are a fully functional computer on their own,
with generally no access for the end consumer.

~~~
harrytuttle
Windows is a bigger problem, especially when they admitted to handing zero
days over to the TLAs (three letter agencies) before patching.

------
guelo
> The alleged presence of these hardware “back doors” remains highly
> classified.

Why wouldn't they want to warn citizens and businesses about this?

~~~
darkchasma
I would guess that in the game of spy vs. spy, you never show your hand. If I
declare that a chip has a backdoor, then the enemy knows, and won't use it.
New chips and doors will be created. But if I sit on it, then the bad guys may
try something, and you can intercept it, or defend against it, or even exploit
it yourself.

~~~
mpyne
Bingo. As Mortal Kombat 3 said (for some reason), "There is no Knowledge,
which is not Power".

------
kazagistar
Only sane way to reduce the risk of back doors is to have proper open
architecture for at least the basic motherboard functionality, and then fully
utilize IOMMU to limit what the devices can do.

... hahahaha, yeah right.

~~~
marshray
Believe it or not, I recently got a new Lenovo laptop with the intention of
IOMMU-ing it as much as I can internally.

I haven't let it talk to a network or much USB yet, so I'm hoping it's still
secure.

~~~
kazagistar
Very interesting actually. I would enjoy reading about how well you manage to
pull that off; it seemed to me that support for IOMMU is still broken in both
software and firmware, but I very well might be wrong.

~~~
marshray
OK, I'll try to document my journey. It'll be at extendedsubset.com, which is
down right now, but I'll bring it back in the next few days.

------
bowlofpetunias
Given that the rest of the planet is more worried about American spying, I
wonder if Apple may want to rethink their "made in California" slogan.

~~~
mhurron
Their slogan is to target jingoists who look at 'made in america' as something
special.

The slogan is "Designed by Apple in California." The new MacPro will be able
to add 'Assembled in the US' if they wish, and I expect that they will.

It's still all made in China, but flag wavers get to ignore that. Apple is not
the only company that does this.

~~~
zachrose
I also suspect that "Designed by Apple in California" puts their name between
two words that have positive associations around the world. (I'm assuming here
that "California" is held in higher regard than "America" or "United States".)

------
keithpeter
OK, so Lenovo is not being bought.

What is? Anyone got any information?

Most UK govt/corporate types I see have Thinkpads and a Civil Service
Blackberry but they are not covert.

------
RexRollman
Considering the pressure the US is applying to gain access to people's data, I
think I am equally critical of anything from a US company.

------
lsiebert
So are these alleged hw backdoors low level enough that os doesn't matter?

