Forgot your password?
typodupeerror
Australia Security IT

Huawei Offers 'Complete and Unrestricted' Source Code Access 255

Posted by Soulskill
from the as-open-as-a-pr-campaign dept.
An anonymous reader writes "The BBC reports that 'Huawei has offered to give Australia unrestricted access to its software source code and equipment, as it looks to ease fears that it is a security threat. Questions have been raised about the Chinese telecom firm's ties to the military, something it has denied. Australia has previously blocked Huawei's plans to bid for work on its national broadband network. Huawei said it needed to dispel myths and misinformation.' But is this sufficient? Will they be able to obscure any backdoors written into their equipment?"
This discussion has been archived. No new comments can be posted.

Huawei Offers 'Complete and Unrestricted' Source Code Access

Comments Filter:
  • Source (Score:5, Interesting)

    by bjb_admin (1204494) on Wednesday October 24, 2012 @04:35PM (#41757655)
    Does the Australian Govt have anyone that can actually properly security audit this? I am sure they are not going to want to spend the money to hire someone who can. Also, who is to say the binary blob firmware doesn't have a back door. Its not like the Australians are going to compile it and install it themselves.
    • Re:Source (Score:5, Informative)

      by Lehk228 (705449) on Wednesday October 24, 2012 @04:37PM (#41757697) Journal
      not even the firmware, there could trivially be a on-chip backdoor,
      • Cant the simply release their chip designs too.

        • by Lehk228 (705449)
          of course they would, and they would release the version without the backdoor module and ship some with one enabled. unless they are going to stick every single board into an xray before installing it
          • yeah, there's a zero percent chance they give you the real images (chips, software, etc).

            there is no trust here and there can't ever be.

            and this is TOO COMPLEX a problem to verify.

            its a loss.

            sorry, but china, you don't get our trust. you have not earned it and it will take a LONG time to earn ours to this degree.

            just give it up, ok?

            some things are better left to local companies. foreign ones are great for making cheap crap that life does not depend on, but when its critical stuff, sorry, but NO chinese s

        • by rtb61 (674572)

          It can be embedded in other components like capacitors, diodes, resistors etc. etc. etc. Anything that carries an electrical current and can receive a signal can have a digital circuit embedded in it, to do something as simply as be an off switch or far more complex activity. Really the truth is not country can be said to be independent unless it manufactures it's own essential electronic infrastructure, regardless of cost. A single capacitor set to shut down at the receipt of a certain digital signal can

          • really good point! hiding 'phantom processing' inside passives or collections of passives. wow, that's pretty wild stuff.

            fully believable, too.

            another reason not to trust the offshore chips with anything life-critical.

            • Re:Source (Score:4, Interesting)

              by rtb61 (674572) on Wednesday October 24, 2012 @10:40PM (#41760919) Homepage

              Nothing to do with believable. I came across a disabled prototype on the internet. Based around a larger cheap version of a typical part with a high cost smaller version built into the casing leaving ample room for a chip to be inserted in the power pathway. Simplest function burnout the chip and cut power upon the correct pass code being picked up in the power supply. Imagine inserted that part inserted throughout your infrastructure, upon the code being detected every device using that part is now dead. Attempt to insert a replacement, it receives the signal and dies. You whole supply chain is corrupted and it could take weeks to resolve, especially when it's the telecommunications infrastructure disrupted.

      • Re:Source (Score:5, Insightful)

        by AK Marc (707885) on Wednesday October 24, 2012 @05:03PM (#41758091)
        Yes, though there's no evidence of any improper activities from any Huawei gear, and they are already a step ahead of US voting machines.

        In the US, voting machines pick the next president. With secret closed-source code in an industry with proven fraud and from companies with proven previous errors.

        In Australia, they have the source code for routers running a residential broadband network, and that's not good enough.

        Why does something seem wrong with that?
        • Re:Source (Score:4, Insightful)

          by Charliemopps (1157495) on Wednesday October 24, 2012 @05:21PM (#41758327)
          You're not understanding where the governments coming from. They want someone, other than themselves, to have legal liability if there is a breach. Since all contracts, agreements, and laws are subject to the whim of the Chinese government, they could just tell Huawei to put code on their hardware and they'd have to do it. Where-as, in Australia, or the United States, there are constitutions that supersede the federal governments. The feds can come in and demand that Cisco put a backdoor on their hardware, and Cisco could turn around and site existing law to say "No, we wont do that, it's illegal." Now, in reality, does it actually work like that? No... Cisco bends over backwards for the feds out of greed because they want them to do things like we're seeing here. But from the federal governments perspective, Cisco is doing their bidding and are therefor "Good guys"... Huawei on the other hand are at the very best an unknown. Politicians rarely see beyond their own term... and while violating our constitutional rights to ensure our safety seems worthwhile at the time... it's what the guy that gets elected after their gone does with these entrenched systems that brings ruin.
          • by tqk (413719)

            Politicians rarely see beyond their own term...

            Politicians vetting networking equipment manufacturers has to be the silliest joke ever conceived by a human. The US Congress accusing Huawei of incompetence or underhanded conduct is Chutzpah, to the Nth degree!

            wrt54g FTW. We freetards will be happy to audit the code, for free.

            Is it just me, or is the world getting stupider by the minute? Don't bother to answer. I need to go bang my head against a wall now.

            • by Luckyo (1726890)

              Audit the code all you want. Smart company will insert a backdoor into chip, and you'll be none the wiser.

        • Re:Source (Score:5, Insightful)

          by overbaud (964858) on Wednesday October 24, 2012 @06:36PM (#41759189)
          The way this works is: 1. Cisco lobby US gov. 2. US gov put pressure on Aus gov. 3. Aus gov create FUD about cisco rival. 4. Aus gov buy cisco. 5. Profit - cisco and US senators.
      • I don't think huawei would deliberately do that, what I do think though is that they are horribly insecure due to cheap engineering. They can release the source code all they want, but it might take years for anybody to make sure its clean. Not only that, but it often turns out that they use cheap components as well that die fast. The company I worked for found a lot of parts coming out of china that were missing the substrate in their IC's.

      • by jhol13 (1087781)

        Not "trivially".

        Making a on-chip backdoor is extremely huge risk. If found, it would open up liability and criminal charges, plus completely ruin all sales - as it cannot be removed without new HW.

        • by Lehk228 (705449)
          doing it would be trivial, hiding it would be trivial as well. a properly designed hardware backdoor would make the required patch to the kernel when trigger conditions were met. if you want to make it even trickier you can make the patch and the trigger conditions look like an ordinary exploit. such as a nop sled of a specific length (or better, a length determined by some other stimulus)
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Even if they did have someone capable, if you've ever read any submissions to the Underhanded C Contest, you'll know how difficult it is to detect hidden back doors even when scrutinizing code.

      • Re:Source (Score:4, Insightful)

        by tibit (1762298) on Wednesday October 24, 2012 @05:09PM (#41758179)

        Yup, even when you a-priori know in which couple hundred lines to look. In a large application, like you'd find in a router, it's demonstrably impossible of a task unless they use something safer than C -- and even then it'd take a formal method approach.

    • This is my concern. Why is the Federal Government singling out Huawei and not subjecting everyone to this scrutiny?

      I have a simple idea. Why not make it a condition of purchase that all software/firmware/hardware design be fully and publicly disclosed by all potential vendors and crowd source the security checks? (Hey I know it will never happen but I'm allowed to have my Utopian dream on a Thursday morning)

    • by Anonymous Coward

      We dont need to compile it ourselves, we have trained kangaroos and drop bears for this purpose.

    • by tibit (1762298)

      I'd have thought that the entire goal was to compile and install it, otherwise the source code is kinda pointless.

    • Re:Source (Score:5, Informative)

      by RedPhoenix (124662) on Wednesday October 24, 2012 @05:09PM (#41758187)

      Yes; some very good people who evaluate products for use within the Oz government and Defence:
      http://www.dsd.gov.au/infosec/epl/index.php [dsd.gov.au]

      However, the process is usually long, often expensive, and generally targets a particular software/hardware combination; bump your version number, and there's potentially a fairly significant re-evaluation required.

      Huawei could take advantage of this program now, but would either need to front up some dough, or have a sponsor to guide them through it.

    • Re:Source (Score:5, Informative)

      by socceroos (1374367) on Wednesday October 24, 2012 @05:15PM (#41758263)
      The DSD (Defence Signals Directorate) are the ones in Australia who would vet this equipment - they already do it for all equipment used by ASIO, ASIS and other secretive organisations here. The other thing to remember is that it was the DSD that told the Government not to trust Huawei's hardware. Now they get to have a good look at the code without the need to reverse engineer.
    • I'm afraid Australia is China's back-door; i.e., resources.
    • by mjwx (966435)

      Does the Australian Govt have anyone that can actually properly security audit this? I am sure they are not going to want to spend the money to hire someone who can.

      Yes, the quality of our politicians is quite low (after all, who joins parliament unless you cant do anything else) but there are quite a few skilled and talented public servants who stay there just for the job security and benefits (8 weeks of holidays, sure Bill).

      Also, who is to say the binary blob firmware doesn't have a back door. Its not like the Australians are going to compile it and install it themselves.

      Which would be a requirement at this level.

      But that's not the issue.

      The reason this is an issue at all is that it's for the NBN which is a political hot potato. The opposition party wants to destroy the NBN (mainly because it isn't their po

  • by Anonymous Coward on Wednesday October 24, 2012 @04:37PM (#41757701)

    ...seeing as how it's their source code being released.

    • So you're saying that when/if Aus does an inspection of the source code, they WILL find backdoors.

  • Australia: "You are a security threat we need to see your code!"
    Huawei: "Ok, here is our full source code"

    Sensationalism Department: "There must be obscure back doors they might hide in their code!!!"

    Just because the US Congress, which is still in the stone ages as far as understanding of technology, decries them as a threat using classified information doesn't mean it's true. It just means the US likes to cock block China as often as it possibly can, not withstanding the shady backroom deals that enti
    • by Todd Knarr (15451)

      Hardly obscure. The only thing needed is to make it so the code used to build the firmware isn't the code you provided for everyone else to look at. I can think of a dozen ways to do that, starting with the obvious "patch file not in version control and not provided to anyone, applied manually between checkout and compile". If you're doing that, the back-doors don't have to be obscure at all because they won't be present in anything anyone can see.

      The only way to truly tell is to build your own binaries fro

      • But then again it would be the fault of those that should be verifying such things. If security is important these checks should be made no matter which manufacturer they choose.
      • by Arker (91948)

        The only way to truly tell is to build your own binaries from the supplied code and then diff the vendor-supplied firmware against your build.

        Of course that's the first thing that would have to be done. Compile the binaries with the same compiler and scripts, see if the binaries match. If they do not, something is wrong.

        Next step, do you trust the compiler? If not, recompile with a compiler you do trust, and use those binaries instead. Simple.

        Either way, once you have verified the binaries and the source

    • by SEE (7681)

      Mere source code disclosure is worthless as proof of trustworthiness, and has been known to be worthless to that end to everyone with the slightest knowledge of the subject ever since Ken Thompson gave his Reflections on Trusting Trust speech 29 years ago.

      The real question is, given anyone who knows anything about the subject knows the source code disclosure proves nothing, why did Huawei offer to disclose the source?

  • Much like I assume a lot of other /. readers, my trust in the equipment I use to do what it's supposed to do comes from my access and ability to read the source code. There have been minor dust-ups in the open source world about allegations that other governments than China inserted back doors in widely used software, and we still see those allegations surfacing from time to time, but never with anything solid to back them up. I believe searches on the obvious keywords will turn up stories linked from here, as well as links to source code repositories of very high quality indeed. So my advice for Huwaei is, let the world see your source code, and please set up a mechanism for reviewing your own code and patches.
  • Is Australia planning on building their own code from that source?

    Because how would they know that what they were running was actually the source code they were provided?

    And would Australia even be interested in jumping through that extra hoop considering that there are other vendor options available where Australia feels this isn't necessary? The price difference between Huawei and other vendors would have to be fairly sizable to warrant that.

    Or, even more insidious, I've heard of the possibility to includ

    • Obviously they would have to compile and compare to audit, and obviously they shouldn't trust any compiling tool given by the very person being audited...
    • by funkboy (71672)

      And would Australia even be interested in jumping through that extra hoop considering that there are other vendor options available where Australia feels this isn't necessary? The price difference between Huawei and other vendors would have to be fairly sizable to warrant that.

      It is. Depending on how well you negotiate with various vendors, it can be half the price of Cisco, AlcaLu, Juniper, etc.

    • by Luckyo (1726890)

      Even building firmware from ground up wouldn't help this issue. You can install backdoor on a chip. It's all about trusting the vendor not to have these, or have these but only for trusted organisations.

      China and its security apparatus is simply not on the trusted list in Australia, while CIA/NSA appears to be.

  • by kawabago (551139) on Wednesday October 24, 2012 @04:46PM (#41757817)
    When American telecom companies won contracts to supply soviet satellite, I think it was Poland, with telecom equipment, The CIA or NSA or both managed to get back doors into the equipment to both monitor calls and in the event of hostilities, to shut the phone system down completely. If American companies let their Government subvert their technology in foreign countries, China would be foolish not to.
    • by TheLink (130905)
      That's the USA though.

      If Australia is that paranoid about China they should be even more paranoid about the USA too. Seems to me Australia should be asking Cisco and all the other US companies for their source code etc. In the global market Australia is not really a competitor with China, whereas Australia competes with the USA in many areas.

      China doesn't need to do stuff like this. Why would they want to shutdown Australia? China doesn't even have enough nukes for a decent nuclear offense.
  • by HPHatecraft (2748003) on Wednesday October 24, 2012 @04:51PM (#41757917)
    -signed Admiral Thomas Dalton Ackbar
  • it's the same as the cisco code they just changed some names around.

  • by PPH (736903) on Wednesday October 24, 2012 @05:01PM (#41758057)

    Is their h/w and s/w being audited for back doors and spyware?

    No need to audit US sourced equipment. Thanks to CALEA [wikipedia.org] we are 100% certain its been bugged.

    • by Luckyo (1726890)

      It's not the issue of being bugged as much as the issue of trust. You can be fairly certain that not only US, but pretty much all major world powers insert such bugs into equipment they manufacture.

      So in the end, it's about trusting the source government and its agencies.

  • Will they be able to obscure any backdoors written into their equipment?"

    Yes. [ioccc.org]

    -

  • by AaronW (33736) on Wednesday October 24, 2012 @05:13PM (#41758239) Homepage

    I'll believe it when I see it. Many, if not most, of their products run on VxWorks, a proprietary closed-source real-time operating system. All it takes is for someone to find a way to access the t-shell and you own the box. I believe this was recently shown to be trivial to do with access to the web interface (no login needed). Once you are in the t-shell you own the box. In VxWorks the t-shell is like root on steroids. You can call any function, access at any global variables or any memory location that you choose.

    VxWorks historically has not been a secure operating system, leaving security entirely up to the applications developer.

    VxWorks is not like a traditional operating system where you load programs off of a filesystem and execute them, with a clear separation between the OS and applications. Instead, everything is linked together into a single binary blob. Now it's possible it has changed significantly since I last used it, but I doubt it.

  • by gweihir (88907) on Wednesday October 24, 2012 @05:15PM (#41758265)

    Backdoors cleverly disguised as obscure implementation bugs are very hard to find, and if you find them, you do not know whether they are bugs or obscure implementation errors. Typically, making sure no backdoors are in a piece of complex software is more effort and more difficult than reimplementing it with trustworthy and competent people.

    • Brilliant! You give the source code AND you put in flaws in the verification that you already know about, so you can trivially pwn the boxen.

  • by robmv (855035) on Wednesday October 24, 2012 @05:17PM (#41758285)

    Source code access is never enough to guarantee that something is free backdoors? How adds it to the hardware? How can I verify the devices coming in (from China in this case) has the right binaries installed? and don't forget about hardware backdoors. It is like trusting a PC manufacturer with a preloaded Linux installation because I have the source code of it on a DVD to review. If you can't trust the manufacturer there is no source that can help

    • by Arker (91948)
      You are right, simply having access guarantees nothing. It's necessary, but not sufficient. You verify that the source generated the binary by compiling it with the same compiler and settings and comparing the resulting binary to the one they shipped you. Hardware backdoors are not, of course, eliminated, but you can check for those in other ways (access to the hardware isnt a problem like access to source often is, obviously) and most hardware backdoors that would actually do something interesting would ne
  • First consider the halting problem; you really can't tell what complex code can do.. although many eyes are better than none. Then you have to check every code release and compare all the hardware to software, etc. this is (the halting problem) a complex/hard problem.

    Second, you have to see everything from the OS, the programs, programmable chips, firmware, etc.

    Third, you have to hope there isn't anything type of "malware/spyware" that is loaded remotely post install, and that you see all the updates, etc.

  • Just because you can see the source code doesn't mean the binaries were compiled from it.

    • by Arker (91948)

      Just because you can see the source code doesn't mean the binaries were compiled from it.

      Once you have the source, the binaries, and the compiler, you can verify or deny whether that source produced that binary.

  • This reminded me of The Underhanded C Contest [xcott.com] -- where the goal is to introduce malicious-acting but innocent-looking bugs that, even upon discovery as bugs, could be passed of as programming errors and not intentional backdoors. This should be required reading for anyone reading potentially-hostile code that's trying to pass an audit.

    Surely Huawei has a large enough networking codebase to put enough of these in that Oz won't find them, and even if they do find them all -- how do you prove that a bug with a

  • by GumphMaster (772693) on Wednesday October 24, 2012 @07:20PM (#41759591)

    What the BBC is reporting is not quite what was offered. The ABC quotes Mr Lord [abc.net.au] as:

    "Huawei is willing to offer complete and unrestricted access to our software source code and our equipment in such an environment," he said. "And in the interests of national security, we believe all other vendors should be subject to the same high standard of transparency."

    The reference to "such an environment" is an industry funded organisation dedicated to vetting this stuff.

    The exercise is nothing more than a PR spin. Huawei knows full well that the other players will neither want to fund a centre that effectively lets a competitor back into the race nor subject their own code to such scrutiny and risk rejection. He is the local face of Huawei so he has to say these things, but they will not change anything.

  • I'm not an authority on such equipment and usually take SF as simply entertainment value, but after watching BSG remake, I always wondered if such computer systems sold to USA has this kind of code inside.
  • by Minupla (62455) <minupla&gmail,com> on Wednesday October 24, 2012 @07:56PM (#41759851) Homepage Journal

    Who needs a back door when you have a range of security vulnerabilities to choose from.

    Here's the slide deck from the talk on Huawei talk at Defcon 20 this year. At the end of the talk the presenter addressed the topic of backdoors by saying (my paraphrase) given the state of the code, who knows if a given hole is a backdoor or unintential security vulnerability.

    The deck is worth a read if only for the fortune cookie slides, which contain actual quotes from the object code:
    http://phenoelit.org/stuff/Huawei_DEFCON_XX.pdf [phenoelit.org]

    Min

  • something, then it is a sign that something else is going on. If anybody in the west uses ANY of these Chinese telcos or their hardware companies, they deserve to be massively cracked. It is long past time for the west to bring back ALL important manufacturing, and much of the rest.

Support bacteria -- it's the only culture some people have!

Working...