These vague "The Chinese are up to something but we cannot reveal what" isn't really helpful, particularly given the current trade tensions (and political motivations e.g. "bring jobs home").
I'm not really "siding" with the Chinese, they may be up to something, but the US has really done themselves a great deal of damage when their own allies don't really believe them.
Just publish technical information. It isn't hard. It would do huge damage to the Chinese and reinforce the US's whole argument. But yet after over a year, nada.
Well, the specific concern is that all new tech ships with OTA update capability. Infrastructure should probably never have this in the first place for a variety of reasons, but it does and it will because of the huge cost savings it can enable. When the Chinese government can tightly control the companies under it, and those companies control the OTA update, then nothing produced by those companies can ever be considered safe so long as China is considered adversarial. The same could absolutely be said about US made products being used in countries that the USA is adversarial against, and that's likely how the USA government started thinking about it.
"Hey, what's a great way to deal with China if we go to war? Whataminute, they could do that to US!"
Just look at the havoc that has happened unintentionally due to bad updates being pushed out on a large scale and extrapolate to what could happen with a malicious actor at full control.
I don't see how the trade war fixes the possible security issue caused by a potential OTA update in a potential conflict, a solution would be to make illegal OTA updates for critical hardware and software without getting the update reviewed. So military or other important things would buy only products that are reviewed and with updates that are signed by the government.
Or even simpler have this hardware and software setup to only get OTA updates and commands only from central command.
This feels so hypocritical considering that many PCs around the world run CPUs that have Intel ME or equivalent and there is no media coverage of known backdoors in CPUs (I know technically it is a fully featured remote management feature that had some bugs in the past but Intel assures us that there are no more critical bugs and for sure no intentional bugs and this enterprise feature is also included in all CPUs not only in enterprise ones).
The trade war -- if done right -- would supposedly force China to make some real concessions if they want the trade war to end. For instance, they almost agreed to end the forced tech transfers from US to Chinese companies, but then they changed their minds, which seems to be what actually prompted the recent tariff raise to 25%.
I understand not "making the economic situation worse", but sometimes things have to get worse before they get better. Obama had "good relationship with China" and China trampled all over American companies because of it, pretty much making up whatever demands they wanted if those companies wanted to do business there. Plus, even before the trade war, car imports had 25% tariffs in China, and I think 0-5% in the U.S. for the reverse.
It reminds me of when Google was "open" with the Gmail and GChat APIs, and then Facebook abused it to get all of Gmail's contacts through the mass-invite feature, while Google couldn't do the same with Facebook contacts.
Similarly, Microsoft was working on adding GChat support to Skype - but the reverse (Skype in GChat) wasn't possible. This example illustrates pretty well why you can't always be "open to everyone, no matter what", when some can become hyper-aggressive in exploiting what you have to offer when being so open, but not paying it back in any form.
I believe I also read a recent comment about RISC-V developers giving the Chinese the cold shoulder in collaborations, because Chinese developers tend to "take take take" and not contribute anything back, ever.
I even see it all the time with people praising Samsung, etc for "innovating more than Google", forgetting the fact that 95% of the OS is Google's work.
Nonsense!
If a deal hasn't been made, each side could change their mind, right? If we want to make a deal and I take great advantage of you, is it right for me to accuse you if you regret it before the deal is made?
"because Chinese developers tend to "take take take" and not contribute anything back, ever."
It's not true. For example, Siggraph is the best conference in the computer graphics field. In 2018, the number of papers that contain Chinese or ethnic Chinese is 45%.
Besides, many Chinese and ethnic Chinese researchers are active in many frontier technology fields such as AI and Computer Vision.
The academic and industry status and contribution of Chinese researchers/companies are increasing rapidly.
> the number of papers that contain Chinese or ethnic Chinese is
Nobody cares about any "ethnic Chinese" fraction. We're discussing a trade war between US and PRC, not some racial struggle between Chinese and Caucasians or whatever.
My Chinese friends all feel very similarly. While I don't agree with them, it's not productive to be insensitive to their concerns. That's not how you solve conflict.
It doesn't even make any sense. Do they think America is similarly engaged in a trade war with our own ethnic Chinese citizens? One of our most strident anti-China hawks is named Gordon Chang. And we aren't in any struggle against Taiwan.
No, I don't have to be sensitive to such delusions.
Your economic facts (though some of them don't sound real) are off topic in the security discussion. If a real war starts between A and B the fact that A and B respected all the trade agreements is irrelevant. Ex: US spies on their allies, so you can respect all trades, be allies and still have espionage. The solution would be to have security features, like open source the code, firewall critical components etc.
The trade war won't fix issues with OTA as a vulnerability. It is useful for the US to point it out to tip things in their favor so it gets a lot of coverage.
I also agree with you that the solution to OTA updates is tight control, but that isn't realistic either. They are talking about drones in the article. These are devices bought and run by companies that build infrastructure in the US but are not directly related to the government. They want OTA because it has legitimate benefits in worker time and cost savings and helps keep their "fleet" running with all the latest features.
Now, an example attack might be an OTA update for the drone controller to shunt mapping data back to home base in China to give them high quality military maps of infrastructure for attack planning. The attack might be unrealistic, but the spying threat isn't. Alternatively, if car autopilot takes off, imagine the economic damage an OTA attack could do that causes 30% of the traffic in the US to just stop. To prevent this sort of attack, you would have to review ALL code coming out of China since you can't directly hold them responsible after the fact when they are out of your sovereign jurisdiction. The kind of dedicated and educated workforce required to code check all firmware/software updates for such huge classes of consumer products is just not going to happen and it can only get worse.
Intel ME is an abomination, but it's also well known and gets a lot of coverage. It's just not in the mainstream news right this minute.
>Intel ME is an abomination, but it's also well known and gets a lot of coverage. It's just not in the mainstream news right this minute.
It was probably only a topic on technical forums.
Technical question, can't you build a drone that does not need OTA updates from the manufacturer? You have it connect only to your trusted IPs.
Also, sending the high definition photos to China won't appear on anybody's network traffic? You just need 1 person to detect it and you have some kind of proof (though when a similar thing happened with Amazon Alexa it was blamed as a bug and not espionage).
Of course you can, but even then you're still trusting the firmware that is being put out by the potentially hostile company even if you gate keep it. To check it would require a software team at least as large as the potentially hostile one for any serious attack. That's a big economic incentive to trust the manufacturer.
>sending the high definition photos
Or you could just send metadata, telemetry, and flight diagnostics that can be used to build up sensitive information under the guise of metrics. Remember that the NSA was mostly just using metadata too.
>it was blamed as a bug and not espionage
In these cases, the two look exactly the same in software, so proving one or the other is very difficult.
So from your points all Chinese products should be made illegal until China will not be a threat to US, this means until China collapses or kisses US butt.
Wi-Fi makes that pretty damn hard to verify. In theory, malicious firmware could even opportunistically link up with other malicious firmware acting as a bridge via some undocumented protocol that would only be detectable by looking at the raw spectrum.
Yeah, but we should think and implement security measures in all systems indifferent of politics and economics. Imagine some terrorists hack a Tesla server and send a command for all cars to crash. We would need all important systems to be designed on the assumption that something bad will eventually happen (hackers, company goes out of business, stupidity (see Firefox addons issue)), etc.
Well of course. Every country has at some point been hostile to its own citizens or some segment of its population. It's something that the citizenry need to push back on and keep the government in check. But by and large, the US is nowhere near as adversarial to its citizens, companies, or infrastructure as China.
That claim would need some substantiation. Not sure how you even measure that.
Certainly, if you and I started spending repeated 30 minute looking for examples of adversarial actions taken by the US and China against their people, neither of us would run out of examples before tomorrow.
I was responding to TallShortGuy's snarky assertion that the US conducts espionage on itself. Of course it does, everyone knows it does, and almost every other country does the same.
The fact that the US spies on itself does not mean that there is not a greater threat of espionage from China or that the US should ignore the possibility.
I was also asserting that I personally do not believe that a government should conduct espionage on its own people and that society needs to push back against such actions. Even in cases where another country is highly adversarial to you, the milder home country might be much worse because of their proximity and involvement in your day to day life.
I don't understand for example why 5g infrastructure can't work like WSUS. All your devices point at your own update servers, and on the update servers you can approve and decline the distribution of certain upstream updates.
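The approve/decline flow described in the comment above, combined with the "reviewed and signed" idea raised earlier in the thread, sketched as an added example that is not part of any poster's comment. The class and function names, the package names and the key are all hypothetical, and HMAC stands in for the asymmetric signature a real deployment would use so that devices hold no signing secret.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption). In practice the operator would sign with a
# private key and devices would hold only the matching public key.
OPERATOR_KEY = b"constructed-demo-key-not-a-real-secret"


def digest(payload: bytes) -> str:
    """SHA-256 of an update image, as lowercase hex."""
    return hashlib.sha256(payload).hexdigest()


class ApprovalGate:
    """State of the operator's own update server: one decision per upstream package."""

    def __init__(self, key: bytes):
        self._key = key
        self._decisions = {}  # (name, version) -> {"sha256": ..., "status": ...}

    def record_decision(self, name, version, reviewed_payload, approve):
        # The decision is pinned to the exact bytes that were reviewed, so a
        # later upstream rebuild under the same version number is not covered.
        self._decisions[(name, version)] = {
            "sha256": digest(reviewed_payload),
            "status": "approved" if approve else "declined",
        }

    def signed_manifest(self):
        """Return (manifest_bytes, tag) listing only approved packages."""
        entries = [
            {"name": n, "version": v, "sha256": d["sha256"]}
            for (n, v), d in sorted(self._decisions.items())
            if d["status"] == "approved"
        ]
        body = json.dumps(entries, sort_keys=True).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return body, tag


def device_accepts(key, manifest_body, manifest_tag, name, version, payload):
    """Device-side check before installing. Returns (accepted, reason)."""
    expected = hmac.new(key, manifest_body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest_tag):
        return False, "manifest signature invalid"
    for entry in json.loads(manifest_body):
        if entry["name"] == name and entry["version"] == version:
            if hmac.compare_digest(entry["sha256"], digest(payload)):
                return True, "approved"
            return False, "payload differs from reviewed build"
    return False, "not approved by operator"


def demo():
    """Run four constructed cases and return the device's verdict for each."""
    gate = ApprovalGate(OPERATOR_KEY)
    reviewed = b"constructed firmware image 1.2"
    gate.record_decision("drone-fw", "1.2", reviewed, approve=True)
    gate.record_decision("drone-fw", "1.3", b"constructed firmware image 1.3", approve=False)
    body, tag = gate.signed_manifest()
    return {
        "reviewed build": device_accepts(OPERATOR_KEY, body, tag, "drone-fw", "1.2", reviewed),
        "swapped build": device_accepts(OPERATOR_KEY, body, tag, "drone-fw", "1.2", reviewed + b"!"),
        "declined version": device_accepts(OPERATOR_KEY, body, tag, "drone-fw", "1.3", b"constructed firmware image 1.3"),
        "edited manifest": device_accepts(OPERATOR_KEY, body.replace(b"1.2", b"1.3"), tag, "drone-fw", "1.3", reviewed),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, "->", verdict)
```

The gate only establishes that a device installs the bytes the operator looked at; how thorough that review was is a separate question, which is the cost the thread argues about.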
> Just publish technical information. It isn't hard. It would do huge damage to the Chinese and reinforce the US's whole argument.
I doubt that it would damage China. The existence of the threat is already well publicized.
I think that U.S. intelligence does not talk about specific threats because the attack vectors would probably be misunderstood and underestimated by the general public. There would inevitably be pushback like "Gee, we have to give up our drones just because of X?!"
The consequences from these types of events aren't felt immediately, and many people perceive that as being equivalent to no consequences at all.
This has nothing to do with convincing the general public. The US is struggling to convince their own allies that the threat is real, and definitely haven't convinced the technical community they need to stop buying e.g. Huawei hardware.
> The existence of the threat is already well publicized.
Parroting the same vague "there's a threat, but the threat is secret so we cannot tell you about it" isn't well publishing anything. It is bordering on fear mongering. A well publicized threat would be a series of white papers describing in technical terms the weaknesses/backdoors/etc in Chinese manufactured hardware.
You don't need a whitepaper to say "Any device with over-the-air updates (or server-side processing) controlled by a Chinese company can receive anytime new software (thus a payload) controlled by the Chinese intelligence services".
It feels more likely to imply that "we have no hard evidence". So the argument still boils down to "because China", not "because spying". Which isn't a strong argument if you like to (at least try to) draw your own conclusion and not be fed one.
Are you worried that your iPhone or Tesla will be hijacked the same way? You already know this happened before with the knowledge of the companies involved (secret subpoenas or national security letters) or without it (beacon implants).
> It feels more likely to imply that "we have no hard evidence".
There is hard evidence of the vulnerability, which logically follows from any OTA update capability, but there may be no hard evidence of exploitation yet.
Think of it this way: if your software has an RCE, you fix or mitigate it regardless if it's actively being exploited or not.
> Are you worried that your iPhone or Tesla will be hijacked the same way?
That's a very valid concern for some people.
Ultimately, software security boils down to "who do you trust?". Say what you will about the US, but your goals and values are very likely less incompatible with those of the US than with those of authoritarian China [1] [2].
The lesser evil. The enemy of my enemy is my friend. History is full of examples where people followed short term aligned interests straight into long term suffering.
Do you think it's more about your values or somebody's ego and interests?
> This is a great argument against all OTA devices
Indeed. And for life safety uses it's appropriate. In safety-conscious settings such as those involving line voltages requiring NRTL (UL for ex) listing OTA updates are forbidden: One must have physical access to the device to perform a permitted [0] code update.
[0] And the code updates themselves are subject to IEC 60730/UL 1998 or it's back to the NRTL for more testing
> The US is struggling to convince their own allies that the threat is real
The US has to convince their allies that buying from China is more dangerous than buying from the US. I don't think anybody doubts there isn't a threat.
> I think that U.S. intelligence does not talk about specific threats because the attack vectors would probably misunderstood and underestimated by the general public.
I doubt intelligence agencies care about convincing the public one way or another. I suspect they are worried about revealing details of their methods and thus have a blanket "say nothing" default mindset.
> I doubt that it would damage China. The existence of the threat is already well publicized.
It'd certainly damage Chinese companies and curtail those companies' utility as sources of intelligence. How many drones do you think DJI would sell if it became known that flight logs and aerial photos were being uploaded to the Chinese government? (This is all purely hypothetical but the DJI app is very aggressive about permissions and updates, so they absolutely could if they wanted to. I have a dedicated phone for mine which never gets to connect to the internet, for this very reason.)
> How many drones do you think DJI would sell if it became known that flight logs and aerial photos were being uploaded to the Chinese government
Roughly about as many as today. A recreational or content production drone is sitting dead without a battery >>95% of the time. This is a much weaker threat model (both objectively and in the perception of consumers) than all those connected, always-on microphones and cameras installed in homes, offices and pockets.
I mention this as a precedent: to many people out there, "the Chinese government" isn't a lot more foreign than "some American tech empire" and data-derived unpleasantries are far more likely to have practical implications for them with US immigration than with the Chinese communist party (because the US is still more open). And yet those people still buy westcoast-designed (and connected) devices like hotcakes.
Nobody wants to give up cheap Chinese goods and buy expensive American goods (which are all made in China just the same hilariously) simply because America asks so nicely. Yeah I just ordered a Xiaomi mi9 and I feel fine.
If there was indeed a threat to national security I trust my own government to make decisions not the US.
>These vague "The Chinese are up to something but we cannot reveal what" isn't really helpful, particularly given the current trade tensions (and political motivations e.g. "bring jobs home").
Isn't that the purpose? To fuel the trade tensions for the home team.
I think the purpose is to drum up FUD for the MIC. If China were really this Big, Bad Threat, we'd cease all trade with them. Nations don't trade with their enemies.
This reminds me of "believe us they have bio-weapons and need to attack Iraq" trope followed in the recent past. This is just building up media narrative and trying to brainwash people, similar to what happened in the past.
I agree 100%. At this point I am strongly isolationist. If terrorists from another country really start hijacking our planes, let's come up with a solution other than war.
War only serves to further destabilize the country, and it definitely shouldn't be on the table unless someone is actually sending troops on our soil.
Last resort would be banning incoming visitors from that country. Not ideal, but a MUCH better solution than war in my opinion.
This puts to rest all illusions and fantasies of 'free markets', competition, choice and free trade. Markets are political constructs and there is nothing inherently free or fair about them.
There is clearly one set of rules in operation for a chosen few whose companies get access to global markets without fearmongering and thus can grow uninhibited and then the real world where evidence-free scaremongering, demonization and sanctions are used to limit market access, sabotage others and destroy competition before it forms.
And citizens of the former get the privilege of articulating a set of free market values in a depoliticized context free world that don't hold in the real world. But it's better this happens than it doesn't so the rest of the world can see through the self serving hypocrisy and plan accordingly. Those with this mindset will always find a way to limit others.
> These vague "The Chinese are up to something but we cannot reveal what" isn't really helpful, particularly given the current trade tensions
This is exacerbated by the very poor levels of security in these devices in general: DEF CON 23 - Robinson and Mitchell - Knocking my neighbors kids cruddy drone offline
However, to put things into perspective, purpose built security cameras -- even expensive ones from well reputed industry brands -- have had similar very poor levels of security for many years.
It's not really a problem of drones. It's a problem with the poor levels of security in consumer devices in general. It's "as if" the situation has been engineered to let bad actors do lots of spying.
There have been instances whereby a robotic hoover (Xaomi(sp?) one?) have been sending their generated floor maps back to servers in CN, so I don't think it's unreasonable to assume drones could be doing the same thing.
It's not a debate over whether the US hoovers up information. Most of this US vs China debate centers on one thing: which side do you want to give your information to. That is what is being argued over; that dispute is going to get worse for a while yet as China pushes outward globally in its tech ambitions.
The better alternative: I don't want anyone to have my information - unfortunately is largely not going to be an option. The choice will mostly be between the US and China (or in some cases, European tech providers, which will frequently work with the US). If it's not already that way, it certainly is going to be in the next 10 or 20 years.
The issue is that everyone's burned out by ridiculously long overly-broad EULAs written in impenetrable legalese. The general sentiment even, here on HN where people should know better, is "sure, they SAY they can do those things but (it's just boilerplate | they wouldn't really ever do that stuff | they really just meant this much more benign thing | they need that access to provide the product | it helps them debug problems)". And then people act all shocked when, once again, a company does precisely what it told you it was going to do.
A classic example is the "we collect your data to provide X service" / "you can disable service X" that we see all over the place. Everyone reads it as "you can disable data collection" but that's not what it says, and it's not what really happens.
The better alternative is to not accept this kind of invasiveness but the ease and convenience of giving in is too seductive for most people, so we invent a comfort belief that it's somehow benign or at worst irrelevant.
Sure, I can imagine that's fine for car telemetry and you enter into that knowing. It's common technology, even pool cars will have a black logging box. Do I expect a device in my home to be mapping out the floorspace and sending that back to unknown parties (whatever the location) without consent? Then no, that's different.
They're covered in cameras too. Imagine finding out your car has been uploading photos of the security detail inside your embassy. Pooh-poohing it away as "car telemetry" is like calling Cambridge Analytica's shenanigans "gathering metrics".
We're talking national security. I hope nobody is running a Xiaomi robot vacuum at a sensitive or classified site, or any other brand of robot vacuum for that matter...
There's a difference between individual invasions of privacy and national security. There's definitely Chinese apps that invade your privacy. There's also Western apps that do too. The question is of national security however.
Observing private homes can help select your targets. By observing the inside of the home you may learn if the owner has access to secrets (national security or commercial), what kind and what level. From where you can switch to traditional methods. My 2c.
Add voice control ("Hey Robot, run a sweep") and WiFi and you have a very capable spy system. Not to mention cameras and GPS which could all be justified in terms of improving the performance of robot vacuums.
I saw this via BBC Click, this weekend. There was a room full of IoT devices and they were showing how chatty they all were via wireshark. They specifically said floormaps had been found being sent back to servers in CN.
I saw a lot of concern about sending data to servers in a specific location such as CN. However, there is no such thing as Custom for Data. So, I think sending data to either CN or any other place is not much different.
The following is a contrived analogy, admittedly not a great one, to illustrate why I suspect they can't give specifics.
Imagine if you have a gigantic elephant standing near a village. It's so big that you can only see one of the following, depending on where you stand: a trunk that can suck people up, legs that can smash, a tail that can create a wind that tosses people about. Three people are standing in different places to see each of these: Alice (trunk), Bob (legs), and Charlie (tail - poor Charlie). Someone comes running into the village and leaves an anonymous note saying a huge being is a threat and it is going to smash houses.
Except the villagers, if they can figure out who was standing where and what they could see, can tell who left the anonymous note. It was Bob, who could see the legs.
Giving the specifics they know about a threat reveals what they know, and what they don't know, and reveals how they might have gotten the information.
Your analogy is a perfect demonstration of the US government's tendency to make vague, ominous predictions to stoke fear in its populace so that they will unquestioningly go along with its nefarious intents (i.e. regime change, chemical warfare, airstrikes on innocent people).
I wonder if public discourse and pop culture in the US will switch from paranoia as a bad or laughable thing (tinfoil hats! area 51!) to paranoia as a civic duty (to some degree, as in WWII and the Cold War).
Though it's more jingoistic, I find the latter less infantilizing, when it's coupled with a guarded paranoia about the US too.
It does always seem like the US government is using mass media as its mouthpiece to spout propaganda about the boogeyman du jour.
Anything to deflect away from US matters at home or abroad, anything to keep the populace in constant fear and suspicion - ooh, look what the nasty commies are doing, red danger, oh oh, now it's those terrible immigrants.. oh, now it's those dastardly commies again!
Agreed. Saying "there is something" but not revealing what it is only keeps the consumers in the dark. The Chinese would go through their entire chain to make sure they hide their tracks again, etc, so it's not like opportunities like counter-surveillance will remain. It's literally stupid to say they can't reveal what it is because there's no benefit and only makes me think Homeland services are idiots.
You could publish a white paper demonstrating that "unknown" data is being sent and look at the code/device that is sending it (since they're in the US). There's no need to even break encryption if you have the sending device.
I don't know how old you were at the time of 9/11 - but there were loud, public voices in the Intelligence Community telling everyone that the WMD situation was fabricated. To the point the only person claiming there were WMDs was Cheney and his inner circle, which is why both the Democrats and our international partners had to be brow beaten into supporting the invasion of Iraq.
To claim these two situations are the same is a very, very large stretch.
> I don't know how old you were at the time of 9/11 - but there were loud, public voices in the Intelligence Community telling everyone that the WMD situation was fabricated.
Sorry, I didn't hear those voices from US government sources, and not really from major US media outlets. I'm sure they did exist, but if a single mouse speaks up while the lions roar you'll need a good microphone to pick that up.
That time, they correctly figured they didn't even need a new Nayirah to testify, they just made it up and most of the media went into war mode: it doesn't matter if it's true, now is not the time to ask questions, support the troops and embed your journalists. Very few keep their professional distance when the bombs are falling, too luring the heroes' song.
Sorry if it's too harsh but "trust us, this time it's different" doesn't cut it for me, Bush summed up my feelings on that issue quite well: "There's an old saying in Tennessee—I know it's in Texas, probably in Tennessee—that says, 'Fool me once, shame on...shame on you. Fool me — you can't get fooled again.'"
That's a wild reframing of the run up to Iraq. Dick Cheney forced Joe Biden and Hillary Clinton to vote for the war? Democrats had a narrow majority in the Senate, and a majority of them voted for the war. They ran the intelligence committee, so they had plenty of access to the information at the time, and I give them enough credit to have made their choices independent of Dick Cheney's wishes.
>To the point the only person claiming there were WMDs was Cheney and his inner circle, which is why both the Democrats and our international partners had to be brow beaten into supporting the invasion of Iraq.
Just "Cheney" and NYT, and CNN, and the entire establishment, sans some voices. Besides the trillion dollar war efforts went on anyway (also against Afghanistan, a below third world country that has almost nothing to do with the, probably Saudi-funded attack).
>To claim these two situations are the same is a very, very large stretch.
Sure, they're not the same, today things are far worse.
Due to the declining status of the US globally, the fabrications, psy-ops, and "trust us" propaganda has sky-rocketed.
Watching the mainstream news and the silent compliance of all sides on the bogus narratives is like participating in an alternate reality universe (and that's before we even get to the fake news)...
>Just "Cheney" and NYT, and CNN, and the entire establishment, sans some voices. Besides the trillion dollar war efforts went on anyway (also against Afghanistan, a below third world country that has almost nothing to do with the, probably Saudi-funded attack).
That's just a blatant, and easily disproved re-write of history. You can rag on CNN all you want for trying to give both sides of the story an opportunity to present their case, but they absolutely voiced concerns about whether or not there were actually WMDs.
American establishment media, including the New York Times and the Washington Post, were strongly pro-war. After the invasion, the New York Times even issued a half-hearted apology for their terrible coverage:
I see the IAEA expressing concerns, I don’t see CNN or anyone in the USIC doing so.
If they were loud and many, perhaps you can provide a link to a USIC member voicing concerns. Even those who were anonymously quoted about the aluminum tubes debate weren’t quoted as saying there were no WMDs.