
posted by Fnord666 on Thursday August 08 2019, @10:01PM
from the many-eyes dept.

Networking equipment is one of the last bastions of technology where opaque, proprietary, closed-source hardware continues to thrive. This opacity—combined with networking equipment functioning as the backbone of enterprise computing—creates a fertile breeding ground for fear, uncertainty, and doubt to proliferate. As a result of this, Huawei has spent nearly a decade embattled by accusations of spying for the Chinese government, and since May, a blacklisting.

[...] There's an aphorism named "Linus's Law" which states "Given enough eyeballs, all bugs are shallow." This plausibly applies to Huawei's circumstances: Publishing the full source code to Huawei products is a simplistic—and maximalist—way of dealing with security vulnerabilities and undercutting the accusations of spying that have plagued Huawei for years.

Opening Huawei products to third-party scrutiny would—at a minimum—surface situations where third-party open-source libraries are not being properly updated, if not allow security researchers the ability to identify vulnerabilities in Huawei-developed code. Such an initiative could also be used to create a shared build platform, making security updates easier to deploy across different device models.

https://www.techrepublic.com/article/huawei-doesnt-see-open-source-as-the-fix-for-spying-accusations-but-they-should/



Related Stories

Huawei Sues FCC to Stop Ban on Huawei Gear in US-Funded Networks

https://arstechnica.com/tech-policy/2019/12/huawei-sues-fcc-to-stop-ban-on-huawei-gear-in-us-funded-

Huawei has sued the Federal Communications Commission over the agency's order that bans Huawei equipment in certain government-funded telecom projects.

[...] The FCC voted unanimously on November 22 to ban Huawei and ZTE equipment in projects paid for by the commission's Universal Service Fund (USF). The order will affect many small telecom providers that rely on the companies' network gear.

[...] "The US government has never presented real evidence to show that Huawei is a national security threat," Song said. "That's because this evidence does not exist. When pushed for facts, they respond that 'disclosing evidence might also undermine US national security.' This is complete nonsense."

[...] "We've built networks in places where other vendors would not go. They were too remote, or the terrain was difficult, or there just wasn't a big enough population," he said. "In the US, we sell equipment to 40 small wireless and wireline operators. They connect schools, hospitals, farms, homes, community colleges, and emergency services."

Hoftstra University law professor Julian Ku said that "even a small [Huawei] victory in the case, one that makes the FCC go and start the process over again, would be a huge victory for them," according to The New York Times. But it may be a difficult case for Huawei to win because US courts usually give federal agencies "a tremendous amount of deference," Ku said.


  • (Score: 3, Insightful) by Anonymous Coward on Thursday August 08 2019, @10:10PM (5 children)

    by Anonymous Coward on Thursday August 08 2019, @10:10PM (#877643)

    So share your source code, commies.

    • (Score: 1, Insightful) by Anonymous Coward on Thursday August 08 2019, @10:18PM (4 children)

      by Anonymous Coward on Thursday August 08 2019, @10:18PM (#877651)

      China isn't communist, they're free market capitalists.

  • (Score: 2, Funny) by Anonymous Coward on Thursday August 08 2019, @10:17PM

    by Anonymous Coward on Thursday August 08 2019, @10:17PM (#877649)

    Huawei Doesn't See Open Source as the Fix for Spying Accusations (but They Should)

    That "but they Should" is a disgusting practice and needs to stop.

  • (Score: 2, Touché) by Anonymous Coward on Thursday August 08 2019, @10:25PM (6 children)

    by Anonymous Coward on Thursday August 08 2019, @10:25PM (#877653)

    The point is, ladies and gentlemen, that greed, for lack of a better word, is good. Greed is right, greed works. Greed clarifies, cuts through and captures the essence of the evolutionary spirit. Greed in all of its forms.

    The article makes no response to the claims that even if the firmware was completely open sourced that Huawei would then just be accused of implementing hardware-based spying. So if the company can still be accused what does it get them to go open source? Not respect, see two sentences ago. Can one prove that if they went open source they'd start earning more money? So why should they do it for any other reason than altruism?

    • (Score: 2) by MostCynical on Thursday August 08 2019, @11:12PM

      by MostCynical (2589) on Thursday August 08 2019, @11:12PM (#877673) Journal

      Like cisco?

      --
      "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
    • (Score: 5, Interesting) by driverless on Friday August 09 2019, @12:29AM

      by driverless (4770) on Friday August 09 2019, @12:29AM (#877691)

      "Given enough eyeballs, all bugs are shallow."

      That's Linus' Fallacy, not Linus' Law. It only works if the eyes are motivated to look, which only really occurs if there's a noticeable bug and it affects you directly. There have been glaring security holes in major packages for ten years or more that were only noticed by accident.

      In the particular case of Huawei, GCHQ in the UK has the HCSEC (Huawei Cyber Security Evaluation Centre) created specifically to go over Huawei's code in the most paranoid manner possible. These guys are experts, paid to look at the code and given expensive tools to help them in their work. Posting it to Github where a few random geeks might glance at it for an hour or two until other work calls isn't going to add anything to that.

    • (Score: 3, Funny) by driverless on Friday August 09 2019, @12:32AM (2 children)

      by driverless (4770) on Friday August 09 2019, @12:32AM (#877692)

      The article makes no response to the claims that even if the firmware was completely open sourced that Huawei would then just be accused of implementing hardware-based spying.

      And if they open-sourced the hardware they'd be accused of manipulating the laws of physics to backdoor them. Those dastardly Chinamen, no matter how hard you look they're always a step ahead of you. The fact that we haven't found any smoking-gun backdoor yet (apart from the usual lax security that pretty much every vendor has issues with) just goes to show how clever they are.

      • (Score: 2) by c0lo on Friday August 09 2019, @01:09AM (1 child)

        by c0lo (156) Subscriber Badge on Friday August 09 2019, @01:09AM (#877707) Journal

        The fact that we haven't found any smoking-gun backdoor yet (apart from the usual lax security that pretty much every vendor has issues with) just goes to show how clever they are.

        If one is afraid of the clever, what does that make the one?

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
        • (Score: 0) by Anonymous Coward on Saturday August 10 2019, @03:31AM

          by Anonymous Coward on Saturday August 10 2019, @03:31AM (#878099)

          Copper top?

    • (Score: 0) by Anonymous Coward on Friday August 09 2019, @12:23PM

      by Anonymous Coward on Friday August 09 2019, @12:23PM (#877861)

      Huawei is accused by the US gov because they are successful, taking market share away from US companies that own the US gov. Opening up source code won't change that, it will just be different accusations.
      Let's all be clear on this, the US gov is the only entity on the planet accusing Huawei. I do not know of any evidence, not even of 'bad' evidence, haven't heard anyone discuss or point to evidence. It's just accusations.

      All US allies are continuing to use Huawei, these allies include the 5-eye partners that are probably aware/briefed/... if something real would be going on.

  • (Score: 3, Insightful) by hopdevil on Thursday August 08 2019, @10:39PM

    by hopdevil (3356) on Thursday August 08 2019, @10:39PM (#877658) Journal

    Open source is a double edged sword when it comes to security. You hope more people honorably look at your source code and report vulnerabilities than those that will exploit them. In truth this model needs more of an active community of developers than security folks. I don't think that is Huawei's business model.
    Besides, binaries are easy enough to reverse engineer. When you have hardware based hidey holes, it is unlikely anyone but a government sized budget will find you.

  • (Score: 3, Insightful) by c0lo on Thursday August 08 2019, @10:55PM (3 children)

    by c0lo (156) Subscriber Badge on Thursday August 08 2019, @10:55PM (#877664) Journal

    If not, why not?

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 2, Funny) by Anonymous Coward on Thursday August 08 2019, @11:08PM (2 children)

      by Anonymous Coward on Thursday August 08 2019, @11:08PM (#877671)

      Cisco isn't run by Chinamen, so they can be trusted.

      • (Score: 0) by Anonymous Coward on Friday August 09 2019, @12:03AM

        by Anonymous Coward on Friday August 09 2019, @12:03AM (#877683)

        I think your trust model is a bit askew.
      • (Score: 2) by c0lo on Friday August 09 2019, @01:05AM

        by c0lo (156) Subscriber Badge on Friday August 09 2019, @01:05AM (#877706) Journal

        Yeah, I s'ppose the NSA storage cloud is more reliable... and it's already paid by taxes, so it should be cheaper.

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 2) by Hartree on Thursday August 08 2019, @11:06PM

    by Hartree (195) on Thursday August 08 2019, @11:06PM (#877670)

    What? You'd expect Facebook to open source its code to alleviate privacy concerns?

    Like Facebook working diligently to improve your privacy, Huawei is working diligently to remove extensions to their code that the Chinese government didn't ask them to add. Open source is not needed and counterproductive for their efforts to do that.

  • (Score: 5, Interesting) by Rupert Pupnick on Thursday August 08 2019, @11:58PM (3 children)

    by Rupert Pupnick (7277) on Thursday August 08 2019, @11:58PM (#877682) Journal

    I have to say as a hardware guy that the concept of open source confuses me, especially in the context of a highly competitive marketplace like telecom. No one who has poured money into R&D will want to open the kimono, especially not in exchange for some dubious claim of market access. Also, at least for the telecom supplier I worked for, equipment sold to American carriers has to have NSA compliant hardware, and I’m not sure how you’d make that work with Huawei. They’d be giving up too much in exchange for essentially nothing that can be guaranteed.

    • (Score: 0) by Anonymous Coward on Friday August 09 2019, @12:47AM (1 child)

      by Anonymous Coward on Friday August 09 2019, @12:47AM (#877700)

      Then they blame the foundry, or the PCB maker, like the fiasco accusing Supermicro, not so long ago.

      • (Score: 2) by Rupert Pupnick on Friday August 09 2019, @01:49AM

        by Rupert Pupnick (7277) on Friday August 09 2019, @01:49AM (#877716) Journal

        That whole Supermicro thing could have been verified or debunked literally within hours simply by comparing suspect hardware with the original design databases. Impossible to sneak changes into production hardware without leaving a gigantic trail of corresponding documentation and database changes. Bloomberg’s credibility took a big hit on that one.

    • (Score: 4, Interesting) by Common Joe on Friday August 09 2019, @10:10AM

      by Common Joe (33) <reversethis-{moc ... 1010.eoj.nommoc}> on Friday August 09 2019, @10:10AM (#877831) Journal

      Also, at least for the telecom supplier I worked for, equipment sold to American carriers has to have NSA compliant hardware

      Huh. I didn't know commercially based NSA compliant hardware was a thing. I'll refrain from linking directly to the NSA website on Soylent News, but a quick google of "nsa compliant hardware" yielded a couple of interesting links for those who are curious.

      I have to say as a hardware guy that the concept of open source confuses me, especially in the context of a highly competitive marketplace like telecom.

      It wouldn't be so confusing if all commercial software and hardware designs were made public and royalty free. Reasonably time limited patents and copyrights would help ensure a competitive marketplace, profits, and freedom to copy (after the expiration of the patent / copyright). This idea also means a reasonable patent / copyright system helps ensure good ideas go into the public domain. Because we currently have no reasonable time limits on either, "Open Source Hardware" is the short-term response to this problem. The proper answer, of course, is to make it all reasonable.

  • (Score: 1, Informative) by Anonymous Coward on Friday August 09 2019, @03:32AM (1 child)

    by Anonymous Coward on Friday August 09 2019, @03:32AM (#877756)

    "Given enough eyeballs, all bugs are shallow."

    There aren't enough eyeballs and even if there were good luck spotting the critical security bug from the infinite number of crap typed out by the infinite number of monkeys.

    Basically you need enough competent eyeballs to spot security bugs.

    "Normal level" bugs can be spotted by normal users but even those too often get WONTFIX/WORKSFORME.

    Open Source software hasn't really been significantly more secure than closed source software. You can see security bugs in OSS that were present for many years without being spotted:

    https://wccftech.com/linux-security-bug-unnoticed-for-9-years/ [wccftech.com]

    Google researcher Kees Cook published research last week showing that it takes an average of 5 years before a Linux bug is discovered and fixed. “The systems using a Linux kernel are right now running with security flaws. Those flaws are just not known to the developers yet, but they’re likely known to attackers,” Cook said.

    • (Score: 0) by Anonymous Coward on Friday August 09 2019, @08:50AM

      by Anonymous Coward on Friday August 09 2019, @08:50AM (#877819)

      Merely hack the hackers, follow through on popular implementations of the flaw, to find the bugs faster than 5 years.

  • (Score: 1, Interesting) by Anonymous Coward on Friday August 09 2019, @09:02AM (1 child)

    by Anonymous Coward on Friday August 09 2019, @09:02AM (#877821)

    Between HTTPS, encrypted DNS and end-to-end encryption, why does it even matter? Way I see it, only the Americans that want to cripple their security with legally required backdoors would be concerned about this. The rest of the world just assumes a man-in-the-middle is possible and makes sure to have actually secure systems.

    • (Score: 0) by Anonymous Coward on Friday August 09 2019, @07:01PM

      by Anonymous Coward on Friday August 09 2019, @07:01PM (#877998)

      HTTPS is a joke - you're not stopping MITM attacks, you're just changing the vector. We need protocols designed from the ground up for security rather than bolted-on, optional, half-hearted attempts at papering-over the problems.

  • (Score: 2) by Alfred on Friday August 09 2019, @01:39PM

    by Alfred (4006) on Friday August 09 2019, @01:39PM (#877889) Journal

    sure thing Oz
  • (Score: 0) by Anonymous Coward on Friday August 09 2019, @06:19PM

    by Anonymous Coward on Friday August 09 2019, @06:19PM (#877990)

    oh shucks! open-sourcing the code would mean an endless onslaught of bug fixes and improvements.
    wowway is in the busyness of making money that is: deliver a code-wise blackbox that works and can be used by ISPs (and whatnot) to fleece the customer.

    nobody wants a "perfect" router or switch or whatnot. profit's the name of the game!
    buy, use, hide away the code so nobody can look at it.
    ISP don't want to add another "cost element" into their profit calculation called "endless, ongoing network equipment software updates".

    as for "linus's law": one underestimates the will and determination someone will go to, to make his/her packets representing a bullet (better yet! rocket) fired at a virtual opponent get switched/routed faster! ^_^
