
Lenovo: Companies working in China may have to install local backdoors - heidar
https://www.theinquirer.net/inquirer/news/3062910/lenovo-companies-working-in-china-may-have-to-install-local-backdoors
======
walterbell
Purism is working with coreboot to provide laptops where you can verify the
integrity of firmware on your device, within the limits of Intel CPUs.

[https://www.tomshardware.com/news/purism-heads-rootkit-
tampe...](https://www.tomshardware.com/news/purism-heads-rootkit-tampering-
protection,34128.html)

 _" Purism announced that, after almost a year of testing, it was able to
successfully integrate the Heads firmware into its TPM-enabled and Coreboot-
running Librem laptops. The open source firmware, which checks if someone has
tampered with the laptops, allows users to freely inspect and customize the
code. Purism also recently announced that all of its new Librem 13 and 15
laptops now include a TPM by default, so they all come with the Heads firmware
by default, too._"

Previously: Google on "Replacing exploit-ridden firmware with a Linux kernel",
[https://news.ycombinator.com/item?id=15579592](https://news.ycombinator.com/item?id=15579592)

~~~
snaky
Intel microcode updates are encrypted and signed.

~~~
walterbell
Yes, this is about open-source firmware vs OEM (e.g. Lenovo) closed-source
firmware.

~~~
lowry
WAT?

~~~
walterbell
Open-source firmware: [https://coreboot.org](https://coreboot.org)

Purism/coreboot:
[https://puri.sm/posts/category/firmware/](https://puri.sm/posts/category/firmware/)

------
kodablah
> Does Lenovo put backdoors in if the Chinese government asks?

> "If they want backdoors globally? We don't provide them. If they want a
> backdoor in China, let's just say that every multinational in China does the
> same thing.

Even though not a direct answer, close enough. One could only hope to get a
similar statement from Apple wrt iCloud so we aren't left with assumptions
about lack of privacy.

~~~
Laforet
iCloud in China has been hosted by a local licencee for a while. People who
care about privacy are at least aware that the backend is no longer secure.

While we are on the topic, Windows 10 binary for Chinese government contracts
are compiled by a third party company based in China so certain features could
be added/removed at code level without directly giving away the source code.
It may only be a matter of time before this practice permeates into retail and
OEM markets.

~~~
_red
How do I, as a US citizen, know that Apple isn't replicating my data to this
Chinese datacenter?

I know you will say "you have to trust them", but therein lies the problem.
There is no way for consumers to verify anything about their data.

~~~
justtopost
Exactly why I simply cannot trust their supposed 'commitment to privacy'. How
could you take it seriously when they are willing to play ball with this clear
human rights issue? It's madness.

------
mindfulhack
This is gravely concerning to me.

Privacy is a fundamental human right, and it's needed to fight unjust laws and
practice civil disobedience in a safe and comfortable way.

If we had today's surveillance capabilities in the 70's, it would have been
impossible for the LGBTQ community to achieve the societal acceptance they now
have!

We need a fully open-source hardware ecosystem (with downloadable component
blueprints, 3D-printing machines and local co-ops or gumtree-like marketplaces
for obtaining free hardware), to bring much-needed democratisation to our
society like the Internet did at the software / information access level.

We need a Linux of hardware.

~~~
krupan
Please support librecores. It's a small start. I think one thing we are
missing is a Stallman of hardware. Some who is loud, willing to take a stand,
and who has enough technical chops to back it all up.

------
woliveirajr
> "Likewise, if there are countries that want to have access, and there are
> more countries than just China, you provide what they're asking."

Seems that it's kind of obvious and infuriating at the same time: companies
that sell physical goods don't have much choice, they must meet country
regulations for each country they want to sell.

~~~
snaky
Companies that don't sell physical goods don't have much choice too.

> A prototype search engine that Google is designing to meet the scrutiny of
> Chinese officials links users’ phone numbers to the searches they perform

> This report adds to earlier news, also broken by The Intercept about the
> search engine, codenamed “Dragonfly,” which eliminates from results a number
> of terms and topics, like freedom and democracy.

[http://fortune.com/2018/09/14/google-china-search-engine-
lin...](http://fortune.com/2018/09/14/google-china-search-engine-links-phone-
numbers/)

~~~
jackhack
I think they have plenty of choice. They can say "no", tell these regressive
regimes to go to hell, and simply not manufacture/sell their product there,
where-ever "there" may be.

~~~
comboy
Do note, that based on those quotes it is not clear that backdoors requested
by the US gov are not installed in the US. He just said they don't install any
of them globally.

~~~
close04
You're going to be spied on one way or another. I guess it's a matter of
picking the side you want to make life easier for. The one you trust more with
your data :).

------
mothsonasloth
I miss the early 90s and 2000s when governments were still struggling to
understand what the internet was, rather than trying to control it.

~~~
danieldk
Did that time ever really exist?

[https://en.wikipedia.org/wiki/Clipper_chip](https://en.wikipedia.org/wiki/Clipper_chip)

[https://en.wikipedia.org/wiki/Export_of_cryptography_from_th...](https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States)

I also remember writing some (naive) crypto tools as a kid and I had to report
it to permit re-export from the US.

Also, the DMCA is from the nineties:

[https://en.wikipedia.org/wiki/Digital_Millennium_Copyright_A...](https://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act)

~~~
p1necone
The ban on the export of cryptography strikes me as a great example of the US
Government misunderstanding technology - I don't see how it's remotely
possible for a ban on exporting ideas to affect bad actors in any way.

~~~
kakarot
This is an example of you misunderstanding the US Government's motives for
labeling crypto as a non-exportable weapon. ;)

If they had been able to keep it up, they would have. Unfortunately for them,
practicality won over here once it began to threaten corporate profits.

~~~
128563782935
And this is an example of a meta-misunderstanding that the motives for
labeling crypto as non-exportable with clamorous pleas for backdoors to get
the public frightened and then finally reassuringly concede to overwhelming
defeat with the eventuality of the practical vision held by academia,
industry, and especially prescient revolutionary anarchist-libertarians for
ironclad strength of a ubiquitous crypto primitive monoculture praised for its
open standards detailing specifically its applicability for hierarchical
control, designed by a completely unbiased select group of security
researchers whose proposals are judged to consensus, tweaked to optimal
security parameters for the benefit of all with lovingly chosen constants that
couldn't possibly be related to undisclosed attacks the previous standards
that were replaced suffered from requiring update once a few undesirables got
wind, who rightly espouse a fundamental belief in the professional exclusivity
of implementation and analysis while making sure to mentor the next generation
in extensive confidence with complexity conjectures based on buried
assumptions, gently redirecting their pupils towards the future away from the
glaring history of churned systems, compromised research, and perverse
financial/legal/social incentives of keeping the ball rolling gently, are not
just two sides of the same coin.

------
rodgerd
This is not unique to China. New Zealand has the TICSA requirement that
network operators must provide intercept capabilities to security agencies,
and all network operator designs must be approved by security agencies before
deployment.

I would imagine other five eyes countries have or soon will have similar
requirements.

~~~
krylon
Wasn't there this announcement recently that the Five Eyes was "asking"
vendors to provide backdoors voluntarily, or else?

And all the governments engaging in this kind of behavior are at the same time
giving each other excuses, "because every one else is doing it, too". So if
China does this, you can be sure other countries will point to China's example
and require their own backdoors. Let's just hope all those backdoors are
mutually incompatible.

------
reaperducer
Maybe this will finally make Apple rethink its manufacturing.

It can either be the bastion of freedom in consumer electronics, as it likes
to brag, or not. Time to decide.

~~~
mc32
It doesn’t seem this would mske a diff: exports outside of China would not be
affected (indifferent) imports into China would still require this regardless
of mfg origin.

Their only option is to not sell in that market —which seems highly unlikely.

------
ComputerGuru
And apparently also confirmed that they’ve done it for other countries too,
without providing any names.

~~~
paulsutter
Easier to make a list of countries that don’t want backdoors. It’s for the
children you know, to stop those pesky evildoers.

------
chooseaname
Eventually you just won't be able to buy a trustworthy computer.

~~~
snaky
Eventually?

~~~
craftyguy
My hope is that eventually we would be able to buy a trustworthy computer.

~~~
snaky
To print all the chips on your own mini-fab - maybe. Eventually.

~~~
RcouF1uZ4gsC
But your mini-fab might be backdoored and create chips with backdoors.

~~~
snaky
That's harder thing to do on every iteration down to the first principles. So
in theory you maybe could do the hammer, which is made so as to specifically
clog nails with a deviation of 5.2 degrees to the left, which leads to the
light bulbs distortions in the chip designer room which eventually leads to
particular backdoor in the chip he designed - but this is really hard.

~~~
BuildTheRobots
Isn't this just the physical manifestation of "Trusting Trust" \- the seminal
paper on backdooring compilers?

It might be difficult, but who really inspects their own prints at a
100-micron resolution?

[https://www.archive.ece.cmu.edu/~ganger/712.fall02/papers/p7...](https://www.archive.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf)
\- there's plenty of HN discussions to be found too.

~~~
floren
The example in Trusting Trust was a very specific case: he modified the C
compiler to replace a known bit of code in the login program. Along those same
lines, you could possibly set up your minifab such that it inserts a backdoor
into a particular RISC-V implementation. However, if I sat down and made my
own chip, how would the fab figure out how to insert a backdoor? If you have
code which can analyze a processor layout and seamlessly insert a backdoor,
please come forward and collect your Turing Award.

~~~
groby_b
"made my own chip"

You are aware that making a chip with any reasonable processing power either
requires using existing designs, or teams of hundreds of people for several
years, yes?

You're back to trusting trust. Or using toy computers.

~~~
snaky
In the traditional world of raw Verilog, gate-level tuning, verification
systems with millions of lines of code and all that, that's true. By the way,
those hundreds of people will need a bunch of million dollar tools, hardware
and software. And a lawyers dealing with the license and patents, if you are
going to sell your chips - and of course you are going to sell your chips in
traditional hardware world, except you are DoD or NASA.

But maybe the hardware world is not have to be this way and this way only.

> No part of Kami need be trusted beside the formalization of low-level
> (Verilog-style) circuit descriptions; all other aspects have end-to-end
> correctness proofs checked by Coq. Hardware designs are broken into
> separately verified modules, reasoned about with a novel take on labeled
> transition systems. Furthermore, Coq provides a natural and expressive
> platform for metaprogramming, or building verified circuit generators, as
> for a memory caching system autogenerated for a particular shape of cache
> hierarchy, or a CPU generated given a number of concurrent cores as input.

> We have been developing a candidate official formal specification for
> RISC-V, which stands a good shot at being ratified soon as such by the
> RISC-V Foundation. The spec now includes virtual memory and is able to pass
> all the official RISC-V machine-code tests that aren't marked as specific to
> particular extensions. We should be able to boot Linux on the specification
> soon, running as a simulator.

> A verified processor exists providing all that functionality, though we are
> still working on debugging the specification, since the current version
> isn't quite able to boot an operating system (so the specification must be
> out-of-synch with software expectations somehow).

[https://deepspec.org/entry/Project/Kami](https://deepspec.org/entry/Project/Kami)

~~~
groby_b
You still extend trust - in this case to the RISC-V foundation. (We're not
even scratching the surface on the fact that the Coq proofs do not, IIUC,
cover side channels)

At some point, you have to trust somebody - "build from first principles" is
really only available for extremely well-funded players.

Also: "the specification must be out-of-synch with software expectations
somehow". I see the hardware world hasn't changed at all :)

------
08-15
Interesting choice of language there:

" _we_ don't put in backdoors [...] _we_ follow the ethics"

but then

"if there are countries that want to have access [...] _you_ provide what
they're asking"

No, Mr. YY, it's _you_ who's providing what "they" are asking, and that makes
_you_ evil, not me. ("Them" too, naturally.)

------
greymeister
I'm sure they have plenty of examples to go by, all they need to do is consult
Yahoo, Google or any of the telecoms for good strategies.

I guess on the plus side at least we know now that it is happening despite the
lies the Federal government told us. I worry that as bad as it is for whistle
blowers in the US what chance does China have?

~~~
claydavisss
Exactly. HN is great at armchair-quarterbacking the PRC but is too busy
fawning over US tech corps to see the parallels.

------
foxrob92
> "Likewise, if there are countries that want to have access, and there are
> more countries than just China, you provide what they're asking."

So..the US as well? The UK? I wonder who else is "asking".

------
AnthonyWnC
They are just stealing the concept from US (lawful intercept/CALEA)..

------
mtgx
May?

It's just now getting official.

------
claydavisss
Meanwhile in the US we also have a long history of monitoring internet
traffic, installing backdoors and allowing private third-parties to filter
what we see online.

Where do we get off critiquing the PRC? We should clean our own house first.

~~~
HenryBemis
Last I checked, in the EU or the USA you don't disappear in the middle of the
night never to be seen again because you are:

-follower of different religion

-saying the word "democracy"

-critisizing a politician/the government

so yes, first things first.

~~~
iforgotpassword
Really, does HN deserve that kind of idiotic post?

You can walk around China an say "democracy" all day. You think they don't
report on eg elections in the US on TV there? People in China complain about
the government and laws all day.

There is a lot wrong with China that they deserve to be called out for, but
what's your goal with a post like that? Show the world that you don't have a
clue about anything besides tech? It boggles my mind how many people happily
buy any FUD that helps them painting a simple black and white image of the
world just so they can feel good about their own country.

~~~
07d046
True. It would be a more accurate post if it listed "having a watch set to the
wrong time zone" instead (mentioned in the HRW report).

It is unfortunate that there is a lot of misinformation about China out there.
Winnie the Pooh isn't banned. The social credit system apparently isn't like
how it's commonly reported in the West. But I also chafe at the suggestion
that China is little worse than the US on these points. There are few
countries on earth that have more control over their population and shape the
way they think than China.

[https://www.hrw.org/report/2018/09/09/eradicating-
ideologica...](https://www.hrw.org/report/2018/09/09/eradicating-ideological-
viruses/chinas-campaign-repression-against-xinjiangs)

------
netwanderer2
Are they telling me other companies in the West are not doing this and only
Lenovo in China does it? I would find that hard to believe. You see, the
reality is once your opponent has made the move first in an attempt to gain a
competitive advantage, no matter how unethical that move is, you are forced to
do the same or even more. If not you'll be quickly left so far behind and
won't ever have the chance to come back in the race. Despite whatever anyone
has told you, that's how the real world works. Our companies may not readily
admit what they're doing but in reality they have little choices. It's similar
to countries that don't possess nuclear weapons are always second class in the
world's power order. The time limit to join first class was gone a long time
ago and it will never come back.

