From: "David P. Reed" <dpreed@deepplum.com>
To: "Dave Taht" <dave.taht@gmail.com>
Cc: bloat, cerowrt-devel, Make-Wifi-fast
Date: Thu, 16 May 2019 10:12:06 -0400 (EDT)
Subject: Re: [Bloat] [Cerowrt-devel] Huawei banned by US gov...
Message-ID: <1558015926.108614198@apps.rackspace.com>
List-Id: General list for discussing Bufferbloat

In my personal view, the lack of any evidence that Huawei has any more government-controlled or classified compartmented Top Secret offensive Cyberwar exploits than Cisco, Qualcomm, Broadcom, Mellanox, F5, NSO group, etc. is quite a strong indication that there's no relevant "there" there.

Given the debunking of both the Supermicro and Huawei fraudulent claims (made by high level "government sources" in the intelligence community), this entire thing looks to me like an attempt to use a fake National Emergency to achieve Trade War goals desired by companies close to the US Government agencies (esp. now that the Secretary of Defense is a recent Boeing CEO who profits directly from such imaginary threats).

Now, I think that this "open up the sources" answer is a really good part of a solution. The other parts are having resiliency built in to our systems. The Internet is full of resiliency today. A balkanized and "sort of air-gapped" US transport network infrastructure is far more fragile and subject to both random failure and targeted disruption.

But who is asking me? Fear is being stoked.


On Thursday, May 16, 2019 5:58am, "Dave Taht" <dave.taht@gmail.com> said:

> And we labor on...
>
> https://tech.slashdot.org/story/19/05/15/2136242/trump-signs-executive-order-barring-us-companies-from-using-huawei-gear
>
> To me, the only long term way to even start to get out of this
> nightmare (as we cannot trust anyone else's gear either, and we have
> other reminders of corruption like the Volkswagen scandal) is to
> mandate the release of source code, with reproducible builds[1], for
> just about everything connected to the internet or used in safety
> critical applications, like cars. Even that's not good enough, but it
> would be a start. Even back when we took on the FCC on this issue, (
> http://www.taht.net/~d/fcc_saner_software_practices.pdf ) I never
> imagined it would get this bad.
>
> 'round here we did produce one really trustable router in the cerowrt
> project, which was 100% open source top to bottom, which serves as an
> existence proof - and certainly any piece of gear reflashed with
> openwrt is vastly better and more secure than what we get from the
> manufacturer - but even then, I always worried that my build
> infrastructure for cerowrt was or could be compromised and took as
> many steps as I could to make sure it wasn't - cross checking builds,
> attacking it with various attack tools, etc.
>
> Friends don't let friends run factory firmware, we used to say. Being
> able to build from sources yourself is a huge improvement in potential
> trustability - (but even then the famous paper on reflections on
> trusting trust applies). And so far, neither the open source nor
> reproducible builds concepts have entered the public debate.
>
> Every piece of hardware nowadays is rife with binary blobs and there
> are all sorts of insecurities in all the core cpus and co-processors
> designed today.
>
> And it isn't of course, just security in huawei's case - intel just
> exited the business - they are way ahead of the US firms in general in
> so many areas.
>
> I have no idea where networked computing can go anymore, particularly
> in the light of the latest MDS vulns revealed over the past few days (
> https://lwn.net/Articles/788522/ ). I long ago turned off
> hyperthreading on everything I cared about, moved my most critical
> resources out of the cloud, but I doubt others can do that. I know
> people that run a vm inside a vm. I keep hoping someone will invest
> something major into the mill computing's cpu architecture - which
> does no speculation and has some really robust memory and stack
> smashing protection features (
> http://millcomputing.com/wiki/Protection ), and certainly there's hope
> that risc-v chips could be built with a higher layer of trust than any
> arm or intel cpu today (but needs substantial investment into open
> on-chip peripherals)
>
> This really isn't a bloat list thing, but the slashdot discussion is
> toxic. Is there a mailing list where these sorts of issues can be
> rationally discussed?
>
> Maybe if intel just released all their 5G IP into the public domain?
>
> /me goes back to bed
>
> [1] https://en.wikipedia.org/wiki/Reproducible_builds
>
> --
>
> Dave Täht
> CTO, TekLibre, LLC
> http://www.teklibre.com
> Tel: 1-831-205-9740
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>
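Dave's quoted remarks on reproducible builds and on cross-checking his cerowrt build infrastructure describe a check that is simple to state and easy to get wrong in practice. The following is an added example, not code from this thread or from the cerowrt/openwrt projects: a stand-in "build" packages a constructed sample source tree into a .tar.gz, once the way packaging is usually done and once with the inputs that commonly leak into artifacts (wall-clock time, hostname, checkout path, on-disk mtimes, directory walk order, the timestamp the gzip writer puts in its header) pinned down. Each variant is then built from two unrelated checkouts and the digests compared, which is the same cross-check a second party does against a vendor's published hash. The sample files, the BUILD_INFO entry and the SOURCE_DATE_EPOCH value are assumptions made for the example.

```python
"""Added example (not from the thread or from cerowrt/openwrt): what a
reproducible-build cross-check actually tests, using a stand-in build that
packages a constructed sample source tree into a .tar.gz."""
import gzip, hashlib, hmac, io, os, socket, tarfile, tempfile, time
from pathlib import Path
from typing import Callable, List, Tuple

# Constructed sample source tree standing in for a firmware checkout (assumption).
SAMPLE_SOURCES = {
    "Makefile": b"all:\n\tcc -O2 -o fw src/main.c\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "etc/config/network": b"config interface 'lan'\n\toption proto 'static'\n",
}
# Fixed timestamp stamped into every artifact, following the SOURCE_DATE_EPOCH
# convention; the value itself is an arbitrary assumption for this example.
SOURCE_DATE_EPOCH = 1558015926


def write_tree(root: Path) -> None:
    """Materialize the sample sources under root, like a fresh checkout."""
    for rel, data in SAMPLE_SOURCES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def naive_build(src: Path) -> bytes:
    """Packaging as it is usually done. All of these leak into the bytes: build
    time and host, the checkout path, on-disk mtimes, os.walk order, and the
    wall-clock timestamp the default gzip writer stores in its header."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = f"built {time.time_ns()} on {socket.gethostname()} from {src}\n".encode()
        ti = tarfile.TarInfo("BUILD_INFO")
        ti.size, ti.mtime = len(info), int(time.time())
        tf.addfile(ti, io.BytesIO(info))
        for root, _dirs, files in os.walk(src):
            for name in files:
                path = Path(root) / name
                tf.add(str(path), arcname=path.relative_to(src).as_posix())
    return buf.getvalue()


def reproducible_build(src: Path, epoch: int = SOURCE_DATE_EPOCH) -> bytes:
    """Same bytes for the same inputs, whenever, wherever and by whomever built:
    entries in sorted order, ownership/mode/mtime normalized, build metadata
    derived only from the inputs, and the gzip header mtime pinned to 0."""
    files = sorted(p for p in src.rglob("*") if p.is_file())
    inputs = hashlib.sha256()
    for p in files:
        inputs.update(p.relative_to(src).as_posix().encode() + b"\0" + p.read_bytes() + b"\0")
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        def add(name: str, data: bytes) -> None:
            ti = tarfile.TarInfo(name)
            ti.size, ti.mtime, ti.mode = len(data), epoch, 0o644
            ti.uid = ti.gid = 0
            ti.uname = ti.gname = ""
            tf.addfile(ti, io.BytesIO(data))
        add("BUILD_INFO", f"source_date_epoch {epoch}\ninputs_sha256 {inputs.hexdigest()}\n".encode())
        for p in files:
            add(p.relative_to(src).as_posix(), p.read_bytes())
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:  # pin the header timestamp
        gz.write(raw.getvalue())
    return out.getvalue()


def build_in_fresh_checkout(build: Callable[[Path], bytes], mtime_offset: float) -> bytes:
    """One build from a new checkout in a new directory whose files carry mtimes
    shifted by mtime_offset seconds, i.e. a checkout made at a different time."""
    with tempfile.TemporaryDirectory(prefix="rb-") as d:
        src = Path(d) / "src"
        write_tree(src)
        stamp = time.time() - mtime_offset
        for p in src.rglob("*"):
            os.utime(p, (stamp, stamp))
        return build(src)


def cross_check(build: Callable[[Path], bytes]) -> Tuple[str, str]:
    """The check Dave describes: build twice independently and compare digests."""
    first = sha256_hex(build_in_fresh_checkout(build, 3600.0))
    second = sha256_hex(build_in_fresh_checkout(build, 0.0))
    return first, second


def verify_published(artifact: bytes, published_sha256: str) -> bool:
    """What a user does with a vendor's published digest: rebuild and compare."""
    return hmac.compare_digest(sha256_hex(artifact), published_sha256.lower())


def artifact_names(artifact: bytes) -> List[str]:
    """Entry names in archive order; the order is part of what must be stable."""
    with tarfile.open(fileobj=io.BytesIO(artifact), mode="r:gz") as tf:
        return tf.getnames()


if __name__ == "__main__":
    for label, fn in (("naive", naive_build), ("reproducible", reproducible_build)):
        a, b = cross_check(fn)
        print(f"{label:12s} {'MATCH' if a == b else 'MISMATCH'}  {a[:16]}  {b[:16]}")
```

The naive variant mismatches even though nothing in the sources changed, which is exactly why a published hash is meaningless without a build anyone can repeat bit for bit; the normalized variant matches across checkout paths and times, so a second builder can confirm a vendor's artifact without trusting the vendor's build machine. Real toolchains add further sources of drift (embedded paths in debug info, compiler randomization, locale-dependent sorting) that the same discipline has to cover.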