Why is Google selling potentially compromised Chinese security keys? - LinuxBender
https://www.zdnet.com/article/google-launches-titan-security-keys-but-recommends-keys-from-chinese-firm-with-military-links-in/
======
triviaforfun
We live in an interesting time and place where China could declare war on the
democratic countries in the next 5 years... let me explain. China is in a very
bad situation where it has accumulated too much debt in its national and local
governments, and corporations. Inflation is going through the roof - rent has
increased 30% from 2017 in Beijing and other cities, and food costs are going
up because of the tariffs. And incomes are declining - top income for Tsinghua
graduates, the top university in China, has fallen 20% from 2016. There have
been various protests from veterans about decreased/stopped pay.

All this will eventually lead to a point where the CCP has to appease its
citizens for the crashing economy. Either it will choose to subdue its own
people - either with more police state, lockdowns, or jailing, and do so for
the next 10-20 years while the bad debts slowly get resolved (à la Japan), or
it will choose to redirect its focus abroad (à la Germany 1930) and start
aggressively expanding and taking over countries as puppet states (which it is
already doing now with various African states and Southeast countries) or use
its growing military to attack nearby countries (Taiwan, Vietnam).

That makes the (cyber)defenses against China even more important today. Thus
we have US/Australia banning Huawei and ZTE, and Japan is thinking about
banning them as well from the network. The free, democratic countries of the
world are starting to realize how dangerous giving China backdoors into the
networks is.

We need to monitor all our security breaches that expose us to Chinese cyber
espionage, so we can prevent theft of important technologies.

~~~
yAnonymous
What you described is more likely to happen in a society where citizens are
used to high standards and these standards can't be maintained. Correct me if
I'm wrong, but I think most Chinese workers only eat, sleep and work. How
would you get them to the point of violent protest? It doesn't matter how bad
the inflation gets when you're already at the very bottom.

Western countries are actually starting to imitate that system, because it
allows for a somewhat peaceful submission of society at low living standards.

~~~
testvox
You might be correct, but that still leaves the Chinese middle class which is
about the same size as the entire population of the United States.

------
sofaofthedamned
It's a good point, even if it is a shit article.

Exactly how does a Feitian key differ from a Google one? Where is the SoC
produced? How secure is the enclave equivalent and that bit which produces the
private key? What is the chain of trust?

I don't trust the UK or US governments, but why on earth would I trust China?

------
ac29
There are zero genuine technical complaints here. It's just a long-winded
article saying "but China" (implying anything manufactured there could be
compromised). That concern, legitimate or not, covers >99% of electronics,
including the computer or smartphone these keys are intended to be used with.

------
sanityvampire
While I freely admit that I use a lot of Google services, have an Android
phone, and so on... I can't fathom why anyone would think it's a good idea to
buy security hardware from an advertising company.

~~~
trevyn
Because it is an extremely high-value target that has proven capable of
defending itself from numerous sophisticated attacks, and it has a vested
interest in keeping its users and customers secure as well.

~~~
craftyguy
It's under US jurisdiction, so it has failed at least one major attack by
default.

~~~
jasonvorhe
Is anyone actually taking this seriously? As if all other countries are any
better.

Uh, German data protection laws, yadda yadda - they didn't stop the police
from raiding several activist non-profit organizations a couple of months ago,
with no repercussions.

The "US jurisdiction" line is just tiresome and weak. Show me the country that
guards user data that isn't part of Five Eyes and where attempts of the state to
gain access to said data are actually penalized.

~~~
craftyguy
You present an excellent example of a fallacy of relative privation.

------
kardianos
Go read the U2F FIDO spec. I'll wait.

How exactly do you expect anyone to backdoor these devices?

~~~
Filligree
It would be difficult, but the one thing I've learned to trust in security is
that there's _no_ such thing as a system that can't be broken.

For U2F, the first thing that comes to mind is timing channels, or perhaps
building in a radio and letting anyone nearby use the key as if it were
theirs.

~~~
ac29
The existence of a hidden radio should be trivial to confirm - at minimum it
would require a battery and an antenna.

If I were the paranoid type, I'd avoid Bluetooth security keys altogether.
NFC should be fine for use with a mobile phone, and while there are attacks
that let you read NFC from a few meters away, if you credibly think you have
an adversary who can identify you in public, and has this type of specialized
hardware, you're dealing with someone who would have a much easier time just
throwing you in the back of a van to extract whatever they wanted out of you.

------
ryanmcdonough
The fact is Google are very good at managing the security of their supply chain,
and if you're worried about China interfering with hardware then I'm wondering
where you think your phones, laptops, TVs, tablets, IoT fridges are made...
they are full of parts from China, and it's almost impossible to check everything
inside your laptop - however a single hardware device provided by Google?

~~~
therealtbs
They don't mean the Google Titan security key but rather the one that's
offered to you when signing up to their advanced protection program.

People in the UK are sent directly to a Chinese online store, which means at
that point Google has no control over anything anymore.

~~~
Eridrus
The threat model for most people in the advanced protection program is "I'm a
human rights activist and a government sent me a phishing link that looked
like a Google Docs login, and I'm not that careful, so I put my password in
it", not "I run a backbone network that intel agencies would love to tap and
they're willing to expend lots of money/risk for that".