Huawei Offers 'Complete and Unrestricted' Source Code Access

An anonymous reader writes "The BBC reports that 'Huawei has offered to give Australia unrestricted access to its software source code and equipment, as it looks to ease fears that it is a security threat. Questions have been raised about the Chinese telecom firm's ties to the military, something it has denied. Australia has previously blocked Huawei's plans to bid for work on its national broadband network. Huawei said it needed to dispel myths and misinformation.' But is this sufficient? Will they be able to obscure any backdoors written into their equipment?"

Source

[bjb_admin]

Does the Australian Govt have anyone that can actually properly security audit this? I am sure they are not going to want to spend the money to hire someone who can. Also, who is to say the binary blob firmware doesn't have a back door. Its not like the Australians are going to compile it and install it themselves.

Re:Source

[Lehk228]

not even the firmware, there could trivially be a on-chip backdoor,

Re:

[ThatsMyNick]

Cant the simply release their chip designs too.

Re:

[Lehk228]

of course they would, and they would release the version without the backdoor module and ship some with one enabled. unless they are going to stick every single board into an xray before installing it

Re:

[TheGratefulNet]

yeah, there's a zero percent chance they give you the real images (chips, software, etc).

there is no trust here and there can't ever be.

and this is TOO COMPLEX a problem to verify.

its a loss.

sorry, but china, you don't get our trust. you have not earned it and it will take a LONG time to earn ours to this degree.

just give it up, ok?

some things are better left to local companies. foreign ones are great for making cheap crap that life does not depend on, but when its critical stuff, sorry, but NO chinese s

Re:

[rtb61]

It can be embedded in other components like capacitors, diodes, resistors etc. etc. etc. Anything that carries an electrical current and can receive a signal can have a digital circuit embedded in it, to do something as simply as be an off switch or far more complex activity. Really the truth is not country can be said to be independent unless it manufactures it's own essential electronic infrastructure, regardless of cost. A single capacitor set to shut down at the receipt of a certain digital signal can

Re:

[TheGratefulNet]

really good point! hiding 'phantom processing' inside passives or collections of passives. wow, that's pretty wild stuff.

fully believable, too.

another reason not to trust the offshore chips with anything life-critical.

Re:Source

[rtb61]

Nothing to do with believable. I came across a disabled prototype on the internet. Based around a larger cheap version of a typical part with a high cost smaller version built into the casing leaving ample room for a chip to be inserted in the power pathway. Simplest function burnout the chip and cut power upon the correct pass code being picked up in the power supply. Imagine inserted that part inserted throughout your infrastructure, upon the code being detected every device using that part is now dead. Attempt to insert a replacement, it receives the signal and dies. You whole supply chain is corrupted and it could take weeks to resolve, especially when it's the telecommunications infrastructure disrupted.

Re:

[anomaly256]

Plus it would mean we could just fabricate new asics from their designs and not pay them, something they probably (and rightfully) don't want

Anything new from Slashdot ?

[Taco Cowboy]

Is there anything new Slashdot can offer, other than this same old China bashing orgy?

If you think that equipments from Huawei is dangerous, what makes you think that Cisco equipment don't come with backdoors?

Which equipment the Stuxnet virus targeted?

Equipment from China or those from the Western countries?

It's easy to bash China - as China has become the poster boy for bashing orgy - from Presidential debate to this one in Slashdot - but I do expect MORE from those who come to Slashdot.

Unlike the tweedledee and tweedeldum on the presidential debate, you guys do have brains.

It's time you use your brain to think, rather than letting others doing the thinking for you.

If Huawei (and all equipments from all Chinese companies) are suspicious, what makes you think that equipments from Germany or Japan or Britain or Korea or Canada or USA aren't?

Re:

[anomaly256]

I never said China was dangerous. I was just stating a fact that releasing the VHDL for their ASICS would be commercial suicide, and that releasing source doesn't prove there's no backdoors in the silicon. It's a futile exercise on the part of *both* sides. It boils down to nothing but America trying to defend it's own businesses and market share - not national security.

Please 'take your own medicine' and apply some critical thinking before making assumptions and lumping me in one category or another.

Re:

[OeLeWaPpErKe]

I imagine a similar argument was made in the USSR about Xerox photocopiers. Oh, right, those spying photocopiers... [lunarpages.com]. Now while you can argue that it's just the US being evil and therefore expecting everyone else to be evil, anyone who deals with the Chinese government has absolutely no illusions about which government is the best of the two.

The Chinese government has been caught red handed on several occasions attacking private companies, so ... what doubt is there, really, that Huawei equipment is too dang

Re:

[Luckyo]

The argument is probably that they're less afraid of CIA/NSA backdoors then Chinese backdoors.

Considering the history, I'd say that fear is quite a bit unwarranted, both are about equally scary, at least at the moment. And anyone who thinks cisco et al don't have backdoors for these organisations is fairly ignorant of how the world works.

It's a whole another issue if these backdoors are actively used. I personally very much doubt it. They're most likely "last resort" kind of backdoors that only few people h

it depends on who you are

[r00t]

If Huawei (and all equipments from all Chinese companies) are suspicious, what makes you think that equipments from Germany or Japan or Britain or Korea or Canada or USA aren't?

If I'm running a business in Australia, each of the listed non-Chinese countries is a minor concern. All have strong intellectual property protection. They mostly don't have a reputation for cloning foreign products. China is a different matter entirely.

If I'm running a business in any of the listed countries, China or otherwise, obviously my own country is preferred. They'd kick in my door if they wanted something; it's easier and more fun than hacking. I'd like protection from the others.

If I'm running a business in Iran, I probably want Korea or Japan. China is trying to pry into my finances for trade negotiation, and everybody else just hates Iran.

Re:Anything new from Slashdot ?

[cold fjord]

If Huawei (and all equipments from all Chinese companies) are suspicious, what makes you think that equipments from Germany or Japan or Britain or Korea or Canada or USA aren't?

Hmmm . . . are there any other one party communist states with aspirations of hegemony, a long history of enmity against democratic government, free enterprise, and personal liberty, that currently have intense foreign espionage efforts directed against the West, that make direct threats against the United States while being armed with intercontinental ballistic missiles armed with nuclear weapons, on the list? No, China. . . make that the People's Republic of China, one of the few remaining Communist dictatorships on earth, is unique in that regard. Isn't that clear? China is reforming economically much faster than politically, although that is coming along in small fits and starts. But fundamentally, China is still a dictatorship run by the Chinese Communist Party.

Which equipment the Stuxnet virus targeted?

That was SCADA controllers made by Siemens, a German company, being used by Iran - a Shia lead theocratic government imposing Sharia law in Iran while they seek hegemony in the region. Iran is using that equipment to run centrifuges to develop highly enriched Uranium, and has been discovered to be engaged in activities applicable to only nuclear weapons development [nytimes.com]. Iran tries to intimidate its neighbors, is a state sponsor of terrorism [cfr.org] world-wide [washingtonpost.com], fund, trains, and arms Hezbollah with tens of thousands of rockets and missiles to control Lebanon and attack Israel until it can make good on it barely veiled threats of genocide against Israel, and general threats against Europe and the United States. Until the Islamic revolution in Iran in 1979, Iran and Israel had been on good terms. It is the theocratic government in Iran that has declared them to be enemies - the conflict isn't Israel's fault - Iran was not part of the Arab-Israeli wars. And yet some people take the bankrupt position that it is Iran that needs protection from Israel. Stuxnet and its kin may be the only reason the world isn't in a shooting war in the region now.

It's easy to bash China - as China has become the poster boy for bashing orgy - from Presidential debate to this one in Slashdot - but I do expect MORE from those who come to Slashdot. Unlike the tweedledee and tweedeldum on the presidential debate, you guys do have brains. It's time you use your brain to think, rather than letting others doing the thinking for you.

Some people use their powers of reason to understand the facts above and their implications, others use their reason to rationalize away uncomfortable facts, like those above.

In much of the West, the well educated have been taught to believe that they can know nothing and that they can draw no independent conclusions about truth, unless they cite a study and "experts" have affirmed it. "Studies show" is to the modern secular college graduate what "Scripture says" is to the religious fundamentalist. -- Dennis Prager

Re:Source

[AK Marc]

Yes, though there's no evidence of any improper activities from any Huawei gear, and they are already a step ahead of US voting machines.

In the US, voting machines pick the next president. With secret closed-source code in an industry with proven fraud and from companies with proven previous errors.

In Australia, they have the source code for routers running a residential broadband network, and that's not good enough.

Why does something seem wrong with that?

Re:Source

[Charliemopps]

You're not understanding where the governments coming from. They want someone, other than themselves, to have legal liability if there is a breach. Since all contracts, agreements, and laws are subject to the whim of the Chinese government, they could just tell Huawei to put code on their hardware and they'd have to do it. Where-as, in Australia, or the United States, there are constitutions that supersede the federal governments. The feds can come in and demand that Cisco put a backdoor on their hardware, and Cisco could turn around and site existing law to say "No, we wont do that, it's illegal." Now, in reality, does it actually work like that? No... Cisco bends over backwards for the feds out of greed because they want them to do things like we're seeing here. But from the federal governments perspective, Cisco is doing their bidding and are therefor "Good guys"... Huawei on the other hand are at the very best an unknown. Politicians rarely see beyond their own term... and while violating our constitutional rights to ensure our safety seems worthwhile at the time... it's what the guy that gets elected after their gone does with these entrenched systems that brings ruin.

Re:

[tqk]

Politicians rarely see beyond their own term...

Politicians vetting networking equipment manufacturers has to be the silliest joke ever conceived by a human. The US Congress accusing Huawei of incompetence or underhanded conduct is Chutzpah, to the Nth degree!

wrt54g FTW. We freetards will be happy to audit the code, for free.

Is it just me, or is the world getting stupider by the minute? Don't bother to answer. I need to go bang my head against a wall now.

Re:

[Luckyo]

Audit the code all you want. Smart company will insert a backdoor into chip, and you'll be none the wiser.

Re:Source

[overbaud]

The way this works is: 1. Cisco lobby US gov. 2. US gov put pressure on Aus gov. 3. Aus gov create FUD about cisco rival. 4. Aus gov buy cisco. 5. Profit - cisco and US senators.

Re:

[AlphaWolf_HK]

I don't think huawei would deliberately do that, what I do think though is that they are horribly insecure due to cheap engineering. They can release the source code all they want, but it might take years for anybody to make sure its clean. Not only that, but it often turns out that they use cheap components as well that die fast. The company I worked for found a lot of parts coming out of china that were missing the substrate in their IC's.

Re:

[jhol13]

Not "trivially".

Making a on-chip backdoor is extremely huge risk. If found, it would open up liability and criminal charges, plus completely ruin all sales - as it cannot be removed without new HW.

Re:

[Lehk228]

doing it would be trivial, hiding it would be trivial as well. a properly designed hardware backdoor would make the required patch to the kernel when trigger conditions were met. if you want to make it even trickier you can make the patch and the trigger conditions look like an ordinary exploit. such as a nop sled of a specific length (or better, a length determined by some other stimulus)

Re:

[Anonymous Coward]

Even if they did have someone capable, if you've ever read any submissions to the Underhanded C Contest, you'll know how difficult it is to detect hidden back doors even when scrutinizing code.

Re:Source

[tibit]

Yup, even when you a-priori know in which couple hundred lines to look. In a large application, like you'd find in a router, it's demonstrably impossible of a task unless they use something safer than C -- and even then it'd take a formal method approach.

Re:

[Max Littlemore]

This is my concern. Why is the Federal Government singling out Huawei and not subjecting everyone to this scrutiny?

I have a simple idea. Why not make it a condition of purchase that all software/firmware/hardware design be fully and publicly disclosed by all potential vendors and crowd source the security checks? (Hey I know it will never happen but I'm allowed to have my Utopian dream on a Thursday morning)

Re:Source

[Anonymous Coward]

Because the rest of those companies weren't founded and run by ex-Chinese military and long-time Chinese Communist Party members?

Re:

[Anonymous Coward]

We dont need to compile it ourselves, we have trained kangaroos and drop bears for this purpose.

Re:

[tibit]

I'd have thought that the entire goal was to compile and install it, otherwise the source code is kinda pointless.

Re:Source

[RedPhoenix]

Yes; some very good people who evaluate products for use within the Oz government and Defence:
http://www.dsd.gov.au/infosec/epl/index.php [dsd.gov.au]

However, the process is usually long, often expensive, and generally targets a particular software/hardware combination; bump your version number, and there's potentially a fairly significant re-evaluation required.

Huawei could take advantage of this program now, but would either need to front up some dough, or have a sponsor to guide them through it.

Re:

[RedPhoenix]

True, though they do contract out some of these tasks to cleared third party defence-focused organisations, who definitely DO pay market rates.

With a focus on graduate recruitment, a culture of esprit de corps, access to awesomly cool geeky tech stuff, and good working conditions, and they tend to hang on to people for a fair bit longer than the government pay grades they are saddled with, would normally imply.

The brain drain does happen eventually.. but that's government, unfortunately.

Re:Source

[socceroos]

The DSD (Defence Signals Directorate) are the ones in Australia who would vet this equipment - they already do it for all equipment used by ASIO, ASIS and other secretive organisations here. The other thing to remember is that it was the DSD that told the Government not to trust Huawei's hardware. Now they get to have a good look at the code without the need to reverse engineer.

Re:

[Penurious Penguin]

I'm afraid Australia is China's back-door; i.e., resources.

Re:

[mjwx]

Does the Australian Govt have anyone that can actually properly security audit this? I am sure they are not going to want to spend the money to hire someone who can.

Yes, the quality of our politicians is quite low (after all, who joins parliament unless you cant do anything else) but there are quite a few skilled and talented public servants who stay there just for the job security and benefits (8 weeks of holidays, sure Bill).

Also, who is to say the binary blob firmware doesn't have a back door. Its not like the Australians are going to compile it and install it themselves.

Which would be a requirement at this level.

But that's not the issue.

The reason this is an issue at all is that it's for the NBN which is a political hot potato. The opposition party wants to destroy the NBN (mainly because it isn't their po

Re:Besides

[fredprado]

Sorry, but there is absolutely no company in the world that has this thing called "character".

Re:

[Dragonslicer]

Sorry, but there is absolutely no company in the world that has this thing called "character".

I dunno, I always thought Ballmer was quite a character.

Re:

[jhol13]

Oh, yes there are. One example is Olvi Oyj (Finland, "OLVAS" in Nasdaq). The biggest owner isa trust fund which primary goal is to advance beer culture (or something similar).
The company has gone so far as to help small breweries to get their beer to big shops, though it provably affects their sales negatively (marginally though).

There are companies which behave more nicely than other companies. There are companies which advance society and threre are companies which maximize profits - most in the grey area

Re:

[fredprado]

And you certainly have great wisdom and knowledge and are ready to bath us in the light of your unsurpassed righteousness, Mr. Anonymous Coward.

Re:Besides

[fredprado]

Oh, another offended Anonymous Coward. How cute.

Re:

[fredprado]

So?

Re:

[fredprado]

Oh, please, go with your psychobabble and your self-righteousness somewhere else.

Re:

[Abreu]

Not sure if xenophobia is real,
[FuturamaFry.jpg]
or just clever parody

Re:

[hawguy]

It does not matter one whit if they're releasing everything including the ASIC code, masks, etc.

Don't let foreign assholes make your critical infrastructure. Period. Don't ship anything out of country. Don't rely on the companies in your country not to be idiots. If it is going into critical infrastructure you'd best have control of it.

Yea, it will put a screeching halt to the wonderful progress we've had and that is unfortunate but China and others seem to want to slit our throats so we should slit their profits.

Isn't that kind of like saying "Don't trust asshole doctors to treat your complicated medical condition. If you can't treat it yourself, just slit your throat now. Yea, it will kill you right now, and that is unfortunate, but at least the doctors won't profit from it".

Re:

[hawguy]

It's more akin to letting your "little head" do the thinking instead of the head that has a brain...
Nope, doctor analogy fails hard here :( sucks to be you.

Where you got "doctors from the same country" from a situation involving foreign corporations building critical infrastructure for their competition I'll never know.

Because just like a single person doesn't have the ability to know anough about medical science to adequately treat any possible ailment, few countries have the resources or political will to fund development of enough industry to support all of their "critical infrastructure" needs.

Do you really expect Australia to develop chip foundaries, component manufacturers, software development, etc to build all of their government's electronics? What about patented chipsets that they may need? Will Cisco pass on th

Cisco and Motorola may object

[Anonymous Coward]

...seeing as how it's their source code being released.

Re:

[RivenAleem]

So you're saying that when/if Aus does an inspection of the source code, they WILL find backdoors.

Is this Sufficient? What else could you want?

[NinjaTekNeeks]

Australia: "You are a security threat we need to see your code!"
Huawei: "Ok, here is our full source code"

Sensationalism Department: "There must be obscure back doors they might hide in their code!!!"

Just because the US Congress, which is still in the stone ages as far as understanding of technology, decries them as a threat using classified information doesn't mean it's true. It just means the US likes to cock block China as often as it possibly can, not withstanding the shady backroom deals that enti

Re:

[Todd Knarr]

Hardly obscure. The only thing needed is to make it so the code used to build the firmware isn't the code you provided for everyone else to look at. I can think of a dozen ways to do that, starting with the obvious "patch file not in version control and not provided to anyone, applied manually between checkout and compile". If you're doing that, the back-doors don't have to be obscure at all because they won't be present in anything anyone can see.

The only way to truly tell is to build your own binaries fro

Re:

[fredprado]

But then again it would be the fault of those that should be verifying such things. If security is important these checks should be made no matter which manufacturer they choose.

Re:

[Arker]

The only way to truly tell is to build your own binaries from the supplied code and then diff the vendor-supplied firmware against your build.

Of course that's the first thing that would have to be done. Compile the binaries with the same compiler and scripts, see if the binaries match. If they do not, something is wrong.

Next step, do you trust the compiler? If not, recompile with a compiler you do trust, and use those binaries instead. Simple.

Either way, once you have verified the binaries and the source

Re:

[Luckyo]

Except that that's not how any sane backdoor would work. Hell, even shitty botnets do it better.

Re:

[AK Marc]

And even good botnets are easily detected by a heuristic firewall. Again, you couldn't use it and remain undetected.

Re:

[AK Marc]

No, just piles of A/Cs are, for alll I know, just one person disagrees.

Huawei has been around for years. There has been only one major security problem with Huawei gear, and it was because they copied Cisco so well, that they accidentally copied Cisco's backdoor. If there's a company that's sold out to the government it's Cisco in the US, not Huawei in China (though they have sold out to the government, as have all corporations in China, they have not done so in a way that harms customers, as the US comp

Re:

[SEE]

Mere source code disclosure is worthless as proof of trustworthiness, and has been known to be worthless to that end to everyone with the slightest knowledge of the subject ever since Ken Thompson gave his Reflections on Trusting Trust speech 29 years ago.

The real question is, given anyone who knows anything about the subject knows the source code disclosure proves nothing, why did Huawei offer to disclose the source?

Re:Is this Sufficient? What else could you want?

[mhotchin]

http://cm.bell-labs.com/who/ken/trust.html [bell-labs.com]

If you haven't read it, or even if you haven't read it recently, you really should.

Why stop there? Why not go for public review?

[badger.foo]

Much like I assume a lot of other /. readers, my trust in the equipment I use to do what it's supposed to do comes from my access and ability to read the source code. There have been minor dust-ups in the open source world about allegations that other governments than China inserted back doors in widely used software, and we still see those allegations surfacing from time to time, but never with anything solid to back them up. I believe searches on the obvious keywords will turn up stories linked from here, as well as links to source code repositories of very high quality indeed. So my advice for Huwaei is, let the world see your source code, and please set up a mechanism for reviewing your own code and patches.

Compiler Vulnerability

[charon69]

Is Australia planning on building their own code from that source?

Because how would they know that what they were running was actually the source code they were provided?

And would Australia even be interested in jumping through that extra hoop considering that there are other vendor options available where Australia feels this isn't necessary? The price difference between Huawei and other vendors would have to be fairly sizable to warrant that.

Or, even more insidious, I've heard of the possibility to includ

Re:

[fredprado]

Obviously they would have to compile and compare to audit, and obviously they shouldn't trust any compiling tool given by the very person being audited...

Re:

[funkboy]

And would Australia even be interested in jumping through that extra hoop considering that there are other vendor options available where Australia feels this isn't necessary? The price difference between Huawei and other vendors would have to be fairly sizable to warrant that.

It is. Depending on how well you negotiate with various vendors, it can be half the price of Cisco, AlcaLu, Juniper, etc.

Re:

[Luckyo]

Even building firmware from ground up wouldn't help this issue. You can install backdoor on a chip. It's all about trusting the vendor not to have these, or have these but only for trusted organisations.

China and its security apparatus is simply not on the trusted list in Australia, while CIA/NSA appears to be.

Re:

[Sez Zero]

You tell me, why is Australia inventing all these hoops?

Because they don't trust Chinese companies?

Re:

[AK Marc]

I'm not Chinese. I'm American. I just don't think China intends to militarily conquer the world.

The US government did it!

[kawabago]

When American telecom companies won contracts to supply soviet satellite, I think it was Poland, with telecom equipment, The CIA or NSA or both managed to get back doors into the equipment to both monitor calls and in the event of hostilities, to shut the phone system down completely. If American companies let their Government subvert their technology in foreign countries, China would be foolish not to.

Re:

[TheLink]

That's the USA though.

If Australia is that paranoid about China they should be even more paranoid about the USA too. Seems to me Australia should be asking Cisco and all the other US companies for their source code etc. In the global market Australia is not really a competitor with China, whereas Australia competes with the USA in many areas.

China doesn't need to do stuff like this. Why would they want to shutdown Australia? China doesn't even have enough nukes for a decent nuclear offense.

Re:The US government did it!

[im_thatoneguy]

Yes. Because, it's not xenophobic, it's just plain good sense that critical infrastructure is a huge target. It's what every country should want their intelligence agencies doing. I hope every router sent to China has a backdoor in it that we can shut down in the event of a conflict.

Why do you think China is working so hard to create their own CPU? They know this would be a massive liability and with 10 Billion transistors its' easy to hide things now a days.

I'm usually dismissive of conspiracy theories because they don't actually result in any parties profiting. But this is exactly the sort of thing that countries not only would profit from--but have already done.

Imagine if every car in China could be turned off with a switch. That's a weapon I have absolutely no question our military would love to have. And one which *of course* the Chinese military would also want. If they could do it and get away with it--they will (just as we would).

Re:

[macbeth66]

Not sure why you were modded 'Troll', as you do have a point. However, it isn't an issue with a people or a group of people. It is an issue of this being a Communist Government with money. A lot of money. That is an insanely dangerous situation.

Re:

[Luckyo]

China has ceased being "communist" about twenty years ago. It's far closer to pure capitalism then West at this point.

Re:

[WindBourne]

LOL. Do you understand that only PART of China is Capitalists? In addition, do you know that that part is not just heavily subsidized, but has the yuan fixed to the dollar so that it is trivial to 'compete'. And do you know that there is a difference between Capitalism with Democracy vs. a Totalitarian gov. combined with a mixture of Communist and Capitalist?

IT'S A TRAP!!!

[HPHatecraft]

-signed Admiral Thomas Dalton Ackbar

Re:

[oodaloop]

We can't repel overused movie quotes of that magnitude!

it's the same as the cisco code

[Joe_Dragon]

it's the same as the cisco code they just changed some names around.

Who are the alternative bidders?

[PPH]

Is their h/w and s/w being audited for back doors and spyware?

No need to audit US sourced equipment. Thanks to CALEA [wikipedia.org] we are 100% certain its been bugged.

Re:

[Luckyo]

It's not the issue of being bugged as much as the issue of trust. You can be fairly certain that not only US, but pretty much all major world powers insert such bugs into equipment they manufacture.

So in the end, it's about trusting the source government and its agencies.

Simple answer

[Alsee]

Will they be able to obscure any backdoors written into their equipment?"

Yes. [ioccc.org]

-

Not possible

[AaronW]

I'll believe it when I see it. Many, if not most, of their products run on VxWorks, a proprietary closed-source real-time operating system. All it takes is for someone to find a way to access the t-shell and you own the box. I believe this was recently shown to be trivial to do with access to the web interface (no login needed). Once you are in the t-shell you own the box. In VxWorks the t-shell is like root on steroids. You can call any function, access at any global variables or any memory location that you choose.

VxWorks historically has not been a secure operating system, leaving security entirely up to the applications developer.

VxWorks is not like a traditional operating system where you load programs off of a filesystem and execute them, with a clear separation between the OS and applications. Instead, everything is linked together into a single binary blob. Now it's possible it has changed significantly since I last used it, but I doubt it.

Not worth a lot....

[gweihir]

Backdoors cleverly disguised as obscure implementation bugs are very hard to find, and if you find them, you do not know whether they are bugs or obscure implementation errors. Typically, making sure no backdoors are in a piece of complex software is more effort and more difficult than reimplementing it with trustworthy and competent people.

Re:

[Beardo the Bearded]

Brilliant! You give the source code AND you put in flaws in the verification that you already know about, so you can trivially pwn the boxen.

Not enough

[robmv]

Source code access is never enough to guarantee that something is free backdoors? How adds it to the hardware? How can I verify the devices coming in (from China in this case) has the right binaries installed? and don't forget about hardware backdoors. It is like trusting a PC manufacturer with a preloaded Linux installation because I have the source code of it on a DVD to review. If you can't trust the manufacturer there is no source that can help

Re:

[Arker]

You are right, simply having access guarantees nothing. It's necessary, but not sufficient. You verify that the source generated the binary by compiling it with the same compiler and settings and comparing the resulting binary to the one they shipped you. Hardware backdoors are not, of course, eliminated, but you can check for those in other ways (access to the hardware isnt a problem like access to source often is, obviously) and most hardware backdoors that would actually do something interesting would ne

It isn't worth the risk.

[hhawk]

First consider the halting problem; you really can't tell what complex code can do.. although many eyes are better than none. Then you have to check every code release and compare all the hardware to software, etc. this is (the halting problem) a complex/hard problem.

Second, you have to see everything from the OS, the programs, programmable chips, firmware, etc.

Third, you have to hope there isn't anything type of "malware/spyware" that is loaded remotely post install, and that you see all the updates, etc.

Just Because

[hduff]

Just because you can see the source code doesn't mean the binaries were compiled from it.

Re:

[Arker]

Just because you can see the source code doesn't mean the binaries were compiled from it.

Once you have the source, the binaries, and the compiler, you can verify or deny whether that source produced that binary.

Underhanded C Contest anyone??

[Wrath0fb0b]

This reminded me of The Underhanded C Contest [xcott.com] -- where the goal is to introduce malicious-acting but innocent-looking bugs that, even upon discovery as bugs, could be passed of as programming errors and not intentional backdoors. This should be required reading for anyone reading potentially-hostile code that's trying to pass an audit.

Surely Huawei has a large enough networking codebase to put enough of these in that Oz won't find them, and even if they do find them all -- how do you prove that a bug with a

BBC reports only part of the offer

[GumphMaster]

What the BBC is reporting is not quite what was offered. The ABC quotes Mr Lord [abc.net.au] as:

"Huawei is willing to offer complete and unrestricted access to our software source code and our equipment in such an environment," he said. "And in the interests of national security, we believe all other vendors should be subject to the same high standard of transparency."

The reference to "such an environment" is an industry funded organisation dedicated to vetting this stuff.

The exercise is nothing more than a PR spin. Huawei knows full well that the other players will neither want to fund a centre that effectively lets a competitor back into the race nor subject their own code to such scrutiny and risk rejection. He is the local face of Huawei so he has to say these things, but they will not change anything.

Will it show "Cylon Kill Switch" subroutine?

[k6mfw]

I'm not an authority on such equipment and usually take SF as simply entertainment value, but after watching BSG remake, I always wondered if such computer systems sold to USA has this kind of code inside.

Who needs a back door?

[Minupla]

Who needs a back door when you have a range of security vulnerabilities to choose from.

Here's the slide deck from the talk on Huawei talk at Defcon 20 this year. At the end of the talk the presenter addressed the topic of backdoors by saying (my paraphrase) given the state of the code, who knows if a given hole is a backdoor or unintential security vulnerability.

The deck is worth a read if only for the fortune cookie slides, which contain actual quotes from the object code:
http://phenoelit.org/stuff/Huawei_DEFCON_XX.pdf [phenoelit.org]

Min

If a company tries this hard to make you look at .

[WindBourne]

something, then it is a sign that something else is going on. If anybody in the west uses ANY of these Chinese telcos or their hardware companies, they deserve to be massively cracked. It is long past time for the west to bring back ALL important manufacturing, and much of the rest.

Re:hardware backdoors

[AK Marc]

OK, lets assume that the routers are rooted. So what? Isn't everything over the Internet presumed to be insecure anyway? At worst, China would get some SSL packets from my bank, or some HTTPS packets between me and an email server. Or see that I'm on Slashdot more that I should be. Yawn.

And, if they did send a copy of every packet to China, do you think the carriers wouldn't notice that traffic pattern? It's an absurd accusation, with no basis in fact. And, if true, would be quickly found if it were ever used. All to compromise an unspecific portion of a residential broadband network.

It's more likely that Huawei was behind the assassination of Kennedy and 9/11 than they are inserting router backdoors in an attempt to remotely control Australia. If you've been to WA, you don't need to sniff their traffic to know what they are doing. 99% porn, 1% skype to family.

Re:

[moogied]

You're assuming the point is to read the data. Its not. The point is that china would be able to transmit a single set of instructions across the routers that say 'At 2AM tomorrow, DO NOT ALLOW TRAFFIC THROUGH.' and suddenly Aussie's everywhere lose internet. Which could be a massive security issue if China were to attack right then.

Re:

[AK Marc]

Because residential broadband is a national security resource? Did everyone buy Huawei TVs too? Did you watch Tomorrow When the War Began too many times? I'll give you a hint, it's as likely as Red Dawn (neither happened, and neither will happen).

Re:

[bugs2squash]

Not every router is used solely for the internet. Also, they don;t have to report to China, they just have to be deployed into a critical network and then suddenly stop working when china wants them to. Finally, if they're going to be sneaky, who's to say the software image they provide is made out of the source code they provide ? I don't see them providing the means to compile the source code to an image.

Re:

[RocketRabbit]

Wow, you're just really naive. Really, really naive.

Even without decrypting the information all the way back in WWII, traffic analysis allowed some major victories on the battlefield. With this technique, being automated and in near real time, one could infer a lot about an adversary without actually decrypting one single thing.

Maybe you're not concerned with privacy, but that's why you're not working in this field!

Re:

[AK Marc]

Maybe you're not concerned with privacy, but that's why you're not working in this field!

I do work in security. One of the things you do in security is realize everything can be compromised in many ways you'll never be able to think of, so you plan on the most likely. Huawei undercutting everyone to sell networking gear into Australia as step 7 in the 30 step process to invade Australia is so unlikely as to not warrant effort protecting against. You might as well put in DNA tests at CO doors to ensure the person trying to get in is human, and not a werewolf or space alien.

Re:

[Luckyo]

Not to be a dick, but you really have no understanding of the concept of "existential threat" and why these threats are handled differently from normal threats, do you?

Re:

[Hatta]

OK, lets assume that the routers are rooted.

Call router rooter, that's the name. And security goes down the drain!

Re:

[AK Marc]

Sure, they'd take it all down. And then what? Invade Australia? That'll start WWIII, same as if they launched a bomb at every network POP. We should be scanning them all to make sure there aren't hidden bombs in every Huawei router, and even if they come back clean, open them all up and make sure. What would happen if the code had every battery in every Huawei phone outside China blow up at the same time? And every Huawei home router shorted , taking our the electric grid? Then they got up, walked to

Re:

[tibit]

It's not an unlikely way to do espionage you clod, it's the simplest way to do it. What's simpler than having direct access to all the communications infrastructure, accessible from anywhere in the world?

Re:

[Matt.Battey]

That may be true, but based on past events, like when counterfeit Cisco routers were produced in China and sold world wide, even to US military institutions, the fear is very real. Besides the attempt to maximize profit by selling falsely produced patented and copyrighted digital equipment, there is the nefarious aspect that these systems could have any sort of direct back-door, data rewriting, or side channel attacks built-in.

The question comes down to this: Do you purchase digital computing products cons

Re:

[WindBourne]

Really? So, top ppl at Huawei can come from ANY nation? Nope. Only CHinese are allowed. ALL employees own stock in the company? Nope. Only Chinese are allowed. Manufacturing is around the planet? Nope, just in China.

Huawei has not shown that they are an INTERNATIONAL company. They are a private company in the same way that Air America was a private company.

Re:

[WindBourne]

Or have we found plenty of backdoors on Chinese equipment? I would say the later.