Canada’s ability to test China’s Huawei for security breaches questioned (2018) (theglobeandmail.com)
39 points by colinprince 78 days ago | 26 comments



So, logically, it follows that Canada also is too unsophisticated to test and trust US equipment? Canada should ban all US devices.

And, recent history tells us, the US does spy on its allies, its allies' governments and business.

I've always taken the US alarmist position on Chinese equipment to at least partially mean that they fear not being able to bug the rest of the world as easily once everyone's networks are not filled with US gear.


> So, logically, it follows that Canada also is too unsophisticated to test and trust US equipment?

IIRC, the US doesn't actually produce any 5G cellular equipment. The alternatives to Chinese equipment are European: Ericsson and Nokia.


How could the Americans have missed the boat on this completely? I find that hard to believe.

EDIT: It appears Intel is working on 5G.


Main point: everyone is unsophisticated to just rely on tests (read for justification).

Perhaps not ban, but I would say testing can only tell you so much. It applies to pretty much any digital system short of exhausting every possible state. Most modern devices can easily have more states than what is possible to test. Moreover, most also run software, so it's the same as claiming testing is a 100% sure-fire way to create bug-free software.

Let alone an innocuous back-door. While testing raises the bar for anything malicious to slip by, it does not eliminate it entirely. Really it comes down to trust. This applies to all hardware though, and I would say everyone is unsophisticated enough to just rely on tests.

Like VHDL was created so the Department of Defense could have something to check ASIC behavior against. I am not saying testing is useless. For instance, a malicious actor better be certain that their backdoor can't be found, but they can't be 100% certain that testing won't find it. It cuts both ways. Testing may not find things, but any adversary may not be sure that their back-door may not be found via testing.


https://en.wikipedia.org/wiki/Five_Eyes

The Five Eyes, often abbreviated as FVEY, is an anglophone intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the United States. These countries are parties to the multilateral UKUSA Agreement, a treaty for joint cooperation in signals intelligence.


It's naive to assume allies don't spy on each other, Canada most definitely spies on the US.

The more pertinent question is who the Canadians trust more, China or the US, given the possibility of undetectable backdoors in equipment sold by both. I'd bet on an ally against an adversary.


As a Canadian, I'd much rather take my chances with Chinese backdoors because China has a lot less influence on me and my country.


A backdoor into the communications of politicians and that could quickly change in China's favor ;)


A backdoor into the communications of politicians and that could quickly change in USA's favor as well. Canada does roughly 80% of its trade with the states last I checked, so having US be privy to our private communications is far more damaging.


Still remember the Bugged Chip story from Bloomberg? One comment under the story tells me that it is very hard to test bugged hardware. So I guess every country should just by default distrust any communication equipment regardless of where the equipment came from.


I find it very unfortunate that Nortel Networks went down, it could have given Canada the ability to develop their own communication solutions, including 5G gear.


Its IPR and technology are still alive


I think it's safe to have some skepticism here. Pierre Paul-Hus said the Americans "laughed" when asked about Canada's ability to test the equipment. Mr Paul-Hus is a member of the opposition party and we are 7 months out from a federal election.

The non-political person in the room, Christopher Parsons, said the Americans expressed “some skepticism”.


I've always assumed that the US hasn't figured out how to use Huawei to spy on others and the company isn't cooperating with US intelligence agencies. Result is a global smear campaign. Then, when that fails, create a diplomatic crisis between Canada and China with an extradition order. Nothing even novel about the approach.


The issue here is complete regulatory capture by the Canadian telecom companies. They own everybody in the government who makes these decisions.


Related: I listened to yesterday's very good Fresh Air interview with David Sanger.

https://www.npr.org/programs/fresh-air/2019/01/31/690290207/...

Sanger is a national security correspondent for the NYT and recently wrote a book about cyberwar and cyber-sabotage called "The Perfect Weapon."

One key thing I got out of it is that, even though the U.S. has forbidden the use of any Huawei products in the U.S. 5G network build-out, he thinks it would be very difficult for even the U.S. to sufficiently test Huawei's 5G infrastructure products (he points hardest at their software-based switches) to ensure that they are not fundamentally compromised in ways that could give great advantage to the Chinese government.

Audio and transcripts available at the above link.


I would agree, it's the same as claiming testing will find all bugs in software. Some of these devices also have a lot of software. While deep analysis makes it harder to hide things, analysis does not forgo the possibility for exploits or back-doors to exist. Why do you think there are people who wish Intel would sell a CPU without IME? And what we have learned from Meltdown and Spectre is that finding all exploit avenues is tough. Moreover, most software does not have proofs to ensure correctness, etc. Silicon designs tend to have more verification done, but bugs still exist. Look at any errata sheet for a device.

However, this generally applies to all software and hardware. I guess the big question is whether there is a possibility of innocuous back-doors vs. your run-of-the-mill exploitable bug.

I will add, if Canada has a testing/analysis regime that can conclude such a strong assertion, they have made quite a big breakthrough overall when it comes to verification.


Given how bumbling and third-rate many Canadian institutions are today, I would generally doubt the Canadian government's ability to assess anything like this competently.

I'm also not confident in our government's ability to prevent full-on Chinese state actors from tampering with such an assessment.

Added: though this should not be taken as a reason to defer to the U.S. government either. Our institutions regularly fail to serve their purposes, and the first step to solving that is to actually care that it's the case.


Which Canadian institutions would you say are "bumbling and third-rate" today?


You could make a case for everyone being bumbling and third-rate today. Post an edge case and have a lack of information to counter. I think by not addressing concerns head-on, gov't agencies are inviting this type of behavior. I don't agree that stating that you have white labs as a defense for possibly tainted equipment is a full answer. I assume there is more coming, since having a white lab test of equipment would be unreasonable for every piece of equipment due to workload. Not testing every piece of equipment to be used isn't a solution either, since if Huawei is "evil" then they will just taint the box going to the correct provider.

While I don't agree with this approach, I can see why it happens. For example, I have a smattering of news articles to prove incompetency. https://www.cbc.ca/news/canada/north/nwt-health-data-breach-... https://www.cbc.ca/news/canada/forget-spy-case-where-s-brief... and a bunch of professionals in what amounts to a Twitter war.

If the Canadian government doesn't want people talking negatively about them then there needs to be more transparency. Not to the level of risking a breach, but something along the lines of a list of safeguards they are implementing. I wouldn't ever consider one safeguard a solution. If somebody feels the need to call out where the information is, I would legitimately like to read it.


Alright, which government institutions worldwide are not "bumbling and third-rate"?


I am a fan of NIST. They seem to be pushing forward with less than the average amount of bureaucracy. By definition everything should be public and they don't have any responsibility for enforcement of the rules, which might be a slow pitch to your question.

Drawing from my roots, the Canada Wheat board was always surrounded by heated arguments and controversial decisions. There was the UN wheat scandal, but that is more a matter of if you believe they are evil and not their level of incompetency. They received a significant amount of name calling due to their decisions and policies, but I can't recall any significant missteps in their application of the policies they set out to act upon.


Does anyone have a way to prove software is bug free? Familiar with the halting problem? I think that is the crux of the argument here. Testing does not solve the problem.

Like, the possible states that hardware and software have can be so enormous that only the simplest of devices can be exhaustively tested.


That argument could be applied to the U.S. government's ability to test software and hardware, and also the software and hardware produced by companies other than Huawei and countries other than China.


Hence why I said does “anyone”.


The whole story is weird given the fact that they are both 5 eyes



