China Showdown Huawei vs ZTE

Saku Ytti saku at ytti.fi
Tue Apr 24 20:10:51 UTC 2018


On 24 April 2018 at 21:45, Naslund, Steve <SNaslund at medline.com> wrote:


Hey,

> The US Government considers Huawei and ZTE to have "close ties" to the Chinese government according to the Director of National Intelligence along with the heads of CIA, FBI, and the NSA as stated in testimony before the Senate Intelligence Committee.  The founder of Huawei is the former engineering officer of the People's Liberation Army of China.
>
> Now, this only applies to US Government agencies according to their acquisition rules but there have been moves by the FCC to ban these devices from US cellular network.  I am not advocating for or against any of these policies and you can run what you want (assuming it can be imported).  I myself would be nervous running Huawei code in a device if a cyber war broke out between the US and China.

Thank you for the insight, quite interesting.

Call me naive, but I don't think sticker in device has any
implications on security, as components and code are sourced through
complicated chains through various jurisdictions. Let's assume for a
moment that attacker is NSA, I don't think that NSA would want to even
push project through Cisco or Apple via official channels, even if
legally allowed, to get some secret backdoor installed, because too
many people would be involved in the project and controlling the
information would become challenging. Two years from now lot of those
involved people might be in different company or different country,
how to avoid them from exposing the information?
It seems much better vector would be to target individual person with
commit rights, ensure you have leverage over them, then ask them to
commit specific set of abstruse code, which is likely to pass code
review but introduce functionality which benefits your agenda. Even if
this one person would talk, would they know it was NSA, if they knew,
would anyone believe them? Why would China work differently? Why not
pwn one Cisco employee in India to get the code in that the party sees
beneficial?

-- 
  ++ytti


More information about the NANOG mailing list