[Cerowrt-devel] [Bloat] plenty of huawei in the news today
David P. Reed
dpreed at deepplum.com
Thu Mar 28 18:23:40 EDT 2019
Yes, yes, yes, yes!
Defense in depth is also good. We long ago learned that you don't design any large scale system without a lot of attention to avoiding single-point catastrophes. One really major example is to achieve content protection with end-to-end security and authentication based on solid key distribution systems. Then "APT" in the switching gear and routing masquerading to send traffic to a MITM can't succeed. Doesn't matter what vendor you buy from!
Another defense in depth approach for telecommunications is decentralized and redundant routing, rather than centralized static routing. Then the system components can route-around-damage.
And this doesn't depend on the Nationality of the designers, manufacturers, etc. At least for any system that has lots of components assembled by the operator, as telecom does.
The whole idea is nonsense that in today's world "National Allegiance" is the core frame for thinking about systems reliability and security. I don't think anyone in the world should trust companies infiltrated by NSA (Cisco) or GCHQ (BT) or companies who build infrastructure for governments (Google for US DoD and China, Amazon for vast swaths of USG) fully.
That's not because these companies or governments are "Russian" or "Chinese" or "American". They aren't. They have power within and power over, but they don't answer to us humans. They answer to themselves or their "owners".
Just don't trust them. You can buy their stuff and use it because it is pretty darn functional, but don't put your life entirely in their hands, even if they have similar facial features to you.
From: "Jim Gettys" <jg at freedesktop.org>
Sent: Thursday, March 28, 2019 2:44pm
To: "David P. Reed" <dpreed at deepplum.com>
Cc: "Dave Taht" <dave.taht at gmail.com>, "cerowrt-devel" <cerowrt-devel at lists.bufferbloat.net>, "bloat" <bloat at lists.bufferbloat.net>
Subject: Re: [Bloat] [Cerowrt-devel] plenty of huawei in the news today
It's worth looking at the UK government oversight report:
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/790270/HCSEC_OversightBoardReport-2019.pdf
Not clear that Huawei is worse than other 5g vendors, if our experience with other embedded system vendors is any clue. Certainly I was unimpressed by ALU's software engineering practices when I was at Bell Labs. The ownership structure of Huawei is "interesting", to say the least.
My solution is more radical: all the vendors should be held to much higher standards, including reproducible builds (something that the UK government has been trying to get them to do for years, and failed).
On Thu, Mar 28, 2019 at 2:32 PM David P. Reed <dpreed at deepplum.com> wrote:
Look, the existence of security flaws in software isn't news. Real news would be if there were systems discovered to have no flaws at all...
So what does this article really say?
It says that Britain and the US intelligence officials are now going after Huawei in a new way, because the idea that Huawei just steals intellectual property no longer flies - they actually have great technology that the non-Chinese never had.
And there is a massive Trade War currently aimed between Trump and China.
And recently, the UK, including GCHQ, said it was NOT going to stop plans to deploy Huawei telecom gear, because it saw no particular flaws worth worrying about if UK operators wanted to use Huawei "5G" gear because it was better and cheaper.
You can see, of course, that the US diplomatic efforts under Pompeo might go into high gear to get some kind of supportive public response from somewhere in the UK, even if the UK government itself wasn't going to support the US.
Hence, the PR guys figured out how to get a story into the NYTimes and other papers that appears to contradict the UK decision.
This is how the game is played.
This is how Trade Wars are conducted (we haven't seen them for decades, so we aren't used to them, but we had the big fearmongering about Japan back in the '80's that was similar, and the Japanese "lead" with its "Fifth Generation Computing" effort required major tax dollars to protect the US from becoming a third world country)
Humans don't think. They react emotionally, and tribally.
From: "Dave Taht" <dave.taht at gmail.com>
Sent: Thursday, March 28, 2019 2:16pm
To: "David P. Reed" <dpreed at deepplum.com>
Cc: "cerowrt-devel" <cerowrt-devel at lists.bufferbloat.net>, "bloat" <bloat at lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] plenty of huawei in the news today
Well, it's a widely placed story in every newspaper.
On Thu, Mar 28, 2019 at 11:16 AM David P. Reed <dpreed at deepplum.com> wrote:
> The NYTimes has become a mouthpiece for those who want to see China as the new evil empire. Recent pieces by David Sanger have hyped the idea that the US has a "5G Gap" and that China (Huawei) will threaten to conquer the world with 5G superiority, so we should be vigilantly opposing Huawei.
> Worth noting that Cisco, ALU, ... are not any better than Huawei appears to be in these matters. But they aren't getting headlines in the NYTimes.
> Remember, Judith Miller wrote NYTimes headlines based on "leaks from senior intelligence officials" that Saddam Hussein was on the verge of deploying dirty bombs, nuclear missiles and biowarfare agents.
> Recently, Bloomberg got scammed by "leaks from senior intelligence officials" that Supermicro (Chinese) had built and sold server motherboards that had special chips soldered into them that didn't belong there [the stories were completely debunked by the companies supposedly targeted].
> Personally, I think the cynical fearmongering here does the legitimate security engineering community no good at all. It's just more "wag the dog" psyops, designed to let all the pseudo-security-experts take over the story and get their 15 minutes in the headlines.
> The Qualcomms and Ciscos of the US are happy to get the USG to help scare countries off of Chinese brand names. But the open secret is that Qualcomm and Cisco's systems are designed and made in China, too. There's no US manufacturing of switches, and precious few entirely American hardware design centers, either.
> So be a little skeptical. Check the story behind the story. Don't believe stories based on "intelligence agency" leaks.
> -----Original Message-----
> From: "Dave Taht" <dave.taht at gmail.com>
> Sent: Thursday, March 28, 2019 1:55pm
> To: "cerowrt-devel" <cerowrt-devel at lists.bufferbloat.net>, "bloat" <bloat at lists.bufferbloat.net>
> Subject: [Cerowrt-devel] plenty of huawei in the news today
> https://www.nytimes.com/2019/03/28/technology/huawei-security-british-report.html
> Dave Täht
> CTO, TekLibre, LLC
> http://www.teklibre.com
> Tel: 1-831-205-9740
> Cerowrt-devel mailing list
> Cerowrt-devel at lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
Bloat mailing list
Bloat at lists.bufferbloat.net
https://lists.bufferbloat.net/listinfo/bloat