
Can you trust Chinese computer equipment? - abennett
http://www.itworld.com/security/95398/can-you-trust-chinese-computer-equipment
======
Tichy
I've been wondering the same thing. But would it be so hard to detect?
Presumably the information would have to be sent to some server sometime.
While I personally don't really monitor outgoing traffic, I think some people
do. So they should have noticed something by now?

~~~
lanstein
I have also been thinking about this. Makes me want to null-route any traffic
headed for China/Russia. However, I'm much more paranoid about the ripoff
Cisco equipment made by Huawei.

~~~
Tichy
I wouldn't assume the server is stationed in China.

~~~
hga
No, but it's a start. Raises the barrier, especially in a potential future
crisis where the PRC is disconnected from the net.

~~~
pyre
> _especially in a potential future crisis where the PRC is disconnected from
> the net._

I don't follow. How does blocking out-bound traffic from going to China going
to help you in a future where China is no longer even connected to the 'net?

~~~
hga
Ah, now I think I remember what I was thinking:

If you force the PRC to establish command and control nodes outside of the
country, then you're more likely to know of them ahead of disconnecting the
whole country, plus their MO in setting them up and using them, so that
finding the inevitable sleeper nodes will be easier.

------
lmkg
The first thing I thought of was Trusting Trust[1]. If the system is
untrustworthy down to its lowest levels, it can also cover its tracks
completely or nearly-completely.

[1]
[http://en.wikipedia.org/wiki/Backdoor_(computing)#Reflection...](http://en.wikipedia.org/wiki/Backdoor_\(computing\)#Reflections_on_Trusting_Trust)

~~~
angelbob
Actually, as another poster points out, it's hard to fully mask outgoing
network traffic unless you control the hub/router as well.

~~~
JoachimSchipper
Yes, but e.g. data tunneled over DNS is pretty hard to detect. I'm sure the
Chinese government could spare some (a lot of) domain names.

Also note that a network card with DMA access has pretty much free reign of
the computer.

However, all this is a lot more complicated than just hacking the latest
Windows hole; I doubt it would be cost-effective.

------
runinit
Can you trust American computer equipment? As far as i know, there are KNOWN
backdoors in Cisco routing equipment.

<http://www.networkworld.com/community/node/57070>

~~~
westbywest
Simple answer, no.

<http://www.wired.com/science/discoveries/news/2006/06/71022>

When the writer asked a vendor of eavesdropping equipment about the legality
of his products, the response ...

"Do you think this stuff doesn't happen in the West? Let me tell you
something. I sell this equipment all over the world, especially in the Middle
East. I deal with buyers from Qatar, and I get more concern about proper legal
procedure from them than I get in the USA."

------
joeyo
The fine people at DARPA are working on this problem:
<http://www.darpa.mil/MTO/Programs/trust/index.html>

------
msie
Excerpt:

 _Do I think this is happening? I honestly don't know. I have no proof. What I
do know though is that it's easy to do, hard to detect, and the Chinese
government appears to be engaging in a massive IT espionage. That's a
worrisome combination.

If I were in charge of any enterprise where I thought I had any reason to
think that these Chinese authorities might be interested in what I was doing,
I'd stop buying Chinese computer products today. Until this issue of Chinese
cyber-espionage has been cleared up and cleaned up, I simply couldn't justify
buying or using hardware that might be working against me. If you consider it
for a minute, I think you'll agree._

Who is his audience? Dumb heads of IT?

~~~
jrockway
Don't you know that a Chinese-made circuit board can take over your processor
and network card to steal your information? If not, clearly you know nothing
about how computers work!!11!

Oh wait...

~~~
pyre
That's child's play!

[http://farm3.static.flickr.com/2114/2083501630_d6ecff43e4.jp...](http://farm3.static.flickr.com/2114/2083501630_d6ecff43e4.jpg)

------
DenisM
My iPhone to-do app phones home with usage stats. After I sold 5000 copies I
had a user inquiring about the suspicious network traffic. There is
practically zero chance that something like this goes undetected - you just
can't hide this stuff.

------
louislouis
I am truly psychic! <http://news.ycombinator.com/item?id=1095965>

------
joe_the_user
This kind of thing is playing with fire but that doesn't mean it can't happen.

There were reports that the Chinese attack on Google involved leveraging the
law-enforcement door that is in some Google servers. And there's the problem -
any time one entity opens a back door, they run the risk of letting another
entity take advantage of it. Despite competing with the West and liking the
idea of a quiet back door, the Chinese state would likely be unhappy with
something the telegraphs their willing to completely steal all Western IP.
That would put a bit of damper on Western investment (why Western companies
ever imagined that the Chinese wouldn't just take their IP is beyond me, but I
think a lot of companies still think their safe in China and that's a benefit
to the Chinese economy).

------
there
i guess the us state department was ahead of the curve on banning thinkpads
once ibm sold the division to lenovo...

[http://www.engadget.com/2006/05/19/state-dpartment-bans-
leno...](http://www.engadget.com/2006/05/19/state-dpartment-bans-lenovo-pcs-
from-classified-work/)

~~~
rdtsc
So are there any laptops completely manufactured in US? At least such parts as
hard drives, CPUs, motherboards, keyboards, displays...

------
msie
Paranoia will destroy ya. Maybe you shouldn't trust anything you didn't build.

~~~
recampbell
No, just don't trust those who have proven themselves untrustworthy.

~~~
msie
Yes, that extends to US-manufacturers as well as the Chinese.

If you are dealing with sensitive information then you should be doing some
security audit of all the software, hardware and personnel that touch that
information. This article adds nothing new and is close to being hysterical
about Chinese manufacturers. I don't deal with sensitive information so I have
less to worry about when it comes to where my USB key is made.

------
dnsworks
I can't help but wonder if this article kicked off a ddos from China. They've
been pretty brutal about attacking anyone who questions or criticizes them for
the past few years.

------
r_u_i
Evidence please?

~~~
msie
Some people don't need evidence when their mind is already made up.

