Now you can have a Huawei mobile you can use to spy on other people whilst it also spies on you.
Reminds me of the Spy v Spy page in the Mad magazines when I was a teenager.
The same occurred to me but I would have put it: Whatever you are spying on with your Huawei mobile, you are also allowing the Chinese government to spy on it too at the same time.
I just installed a fresh version of Windows 10 on a PC. If one just accepts all the presets in sharing information with Microsoft, Microsoft owns more of you than Google, and possibly more of you than Google and Huawei combined, and that before you even meet with Google on Windows 10, which with judicious planning is possible to avoid, albeit at some inconvenience to many.
Microsoft is also now heavily pushing its apps for Android (that link is for the latest Windows update news!). So you can have the Windows experience on your Android phone, and Microsoft knows when you've been sleeping, it knows when you're awake…
Another extremely disturbing article regarding Huawei.
As the old saying goes, "Better to be safe than sorry".
Righteo. All is not always as it seems, or as reported.
Fair enough but some points need to be made.
telnet is an intrinsically bad protocol to be using because in its normal scenario it offers no integrity or confidentiality protection. (Most enterprise network equipment should support SSH these days.)
telnet was exactly the protocol that caused Cisco some serious security grief where Cisco had implemented some non-standard telnet options (that had implementation flaws). So there's telnet and then there's telnet.
The article makes the claim that the telnet service was LAN facing only. However this "fact" and/or item 1 above mean that the presence of the telnet service could still be part of a blended attack - using some other vulnerability with the presence of the telnet service to extend the scope of an attack.
The article also does observe: Look, it's not great that this was hardcoded into the equipment and undocumented - it was, after all, declared a security risk - and had to be removed after some pressure.
In other words, this is definitely a failure by Huawei to follow best practice even if it's not the smoking gun, as it were.
The article also comments: this [removal of the telnet service] was done to the satisfaction of all involved parties by the end of 2011
But was it really? How would anyone know? Perhaps Huawei just moved it to a different undocumented port (very low tech), or only opens the port X hours after booting (getting smarter), or put in a doorknock protocol that will open the port (getting sneakier still).
This is the fundamental trust issue. It's closed source. You as the customer will never know for sure. Assurances are pointless in the scenario that is repeatedly alleged about Huawei. You either trust on the basis of faith, or you don't.
The only saving grace for Huawei is that just about all of the above applies to many other vendors too.
Which is one of the points raised.
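The point above that a telnet service could simply be moved to an undocumented port can at least be tested for from the LAN side. The following is an added example, not code from the original thread or from any vendor: it fingerprints telnet by the RFC 854 IAC option negotiation a telnet server sends on connect, rather than by port number, so a listener on a non-standard port still shows up. The host, the port list and the two fake listeners it starts on 127.0.0.1 are constructed for an offline run; against real equipment you would point `find_telnet_listeners` at the device's LAN address and a full port range.

```python
"""Added example (not from the original thread): detect telnet listeners by
their RFC 854 option negotiation instead of trusting the port number.
Hosts, ports and the fake listeners below are constructed for an offline run."""
import socket
import threading

IAC = 0xFF
# Telnet negotiation commands (RFC 854): the byte that follows IAC
NEGOTIATION = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}
# A few common option codes, for readable output
OPTION_NAMES = {0x01: "ECHO", 0x03: "SUPPRESS-GO-AHEAD", 0x18: "TERMINAL-TYPE", 0x1F: "NAWS"}


def parse_negotiation(data):
    """Extract (command, option) pairs from IAC sequences in a server's first bytes.
    A real telnet daemon almost always opens with several of these."""
    found = []
    i = 0
    while i + 2 < len(data):  # need three bytes: IAC, command, option
        if data[i] == IAC and data[i + 1] in NEGOTIATION:
            found.append((NEGOTIATION[data[i + 1]], data[i + 2]))
            i += 3
        else:
            i += 1
    return found


def probe(host, port, timeout=1.0):
    """Connect, read whatever the service says first, and classify it.
    Returns None when the port is closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(128)
            except socket.timeout:
                data = b""  # silent service: not identifiable as telnet this way
    except OSError:
        return None
    neg = parse_negotiation(data)
    return {
        "port": port,
        "telnet": bool(neg),
        "negotiation": [(cmd, OPTION_NAMES.get(opt, hex(opt))) for cmd, opt in neg],
        "banner": data,
    }


def find_telnet_listeners(host, ports):
    """Return the ports on which the server starts telnet option negotiation."""
    hits = []
    for port in ports:
        result = probe(host, port)
        if result and result["telnet"]:
            hits.append(port)
    return hits


# --- constructed fake listeners so the example runs offline -----------------
def _serve_once(greeting):
    """Bind a throwaway port on localhost, answer one connection with `greeting`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handler():
        conn, _ = srv.accept()
        conn.sendall(greeting)
        conn.close()
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """A telnet daemon on a random high port next to an HTTP-like service.
    Only the former is reported, whatever port it ended up on."""
    telnet_port = _serve_once(b"\xff\xfd\x18\xff\xfd\x1f")  # IAC DO TERMINAL-TYPE, IAC DO NAWS
    http_port = _serve_once(b"HTTP/1.0 200 OK\r\n\r\n")
    hits = find_telnet_listeners("127.0.0.1", [telnet_port, http_port])
    return telnet_port, http_port, hits


if __name__ == "__main__":
    t, h, found = demo()
    print(f"telnet fake on {t}, http fake on {h}, detected telnet on {found}")
```

This is a snapshot check only: it catches a service that was merely moved, but not one that opens X hours after boot or only after a doorknock sequence, which is exactly why the thread's "you will never know for sure" holds for closed firmware.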
Huawei's unique differential is being Chinese with some relationship to the PLA that causes suspicion but no smoking guns, and Huawei has become an economic and technological threat to US interests. I was in a particular high tech "war" between the US and Japan and experienced how and why it is as it is when the US decides their interests are being challenged.
I'll take it a little further: the US has a goal of keeping its own top technology in, and better technology out, and will try its best to "deal with" the source of that better technology one way or another.
This isnât the only factor.
Also, the US / Australian government can be near certain that the Chinese government is doing bad "stuff" via Huawei because the US / Australian governments are doing exactly the same thing themselves via companies.
Australian legislation is on the record. Therefore the Chinese government knows what the Australian government has legislated that it can be doing. It beggars belief that the Chinese government would take the moral high ground and not be doing the same bad "stuff" - and that is without even thinking about all the other cyber, um, activity that is believed to originate in Chinese government agencies. (The attacks are real and proven. It is only the actor behind the attacks that will forever remain intentionally clouded.)
In some respects it would be reckless of the Australian government not to assume that the Chinese government is doing bad "stuff". Proof should not be required. We're doing it. Why would we assume that they aren't? However the same applies if you replace Chinese with American or many other governments.
That has been my point, and my bad if I failed to make it. They are all a much of a muchness with equal culpability and trust levels, and various governments manage "others" in their own ways. I have tried to do no more than highlight how the US approaches such things.
To be honest I am surprised that someone hasn't just reverse engineered some Huawei firmware and at least proven one way or the other whether that particular device at that particular time is secure or not. Or maybe our / US security services already have done that and aren't letting the Chinese know what they know.
Many companies in many countries past and present have had associations that have raised suspicions…
Smoking guns don't always look like guns, some don't even make noise, or even smoke - in public anyway…
It isn't necessarily "associations". Companies that insert backdoors at the Australian government's bidding don't have to have an association. If I recall correctly, similar legislation exists in China.
The US tech sector would not exist without a (very rewarding) relationship with the US government. From GPS to the Internet to the desktop computer and the software it runs, the US has always been ready to support its own while copying and ruining others.
The problem at the moment is that it experienced 20 years as a monopoly superpower, and is now finding that its status is slipping. The US seems willing to do almost anything to maintain its monopoly - and that is terrifying to any sensible person, especially when dealing with a country that spends more money on war and associated devices than all other countries combined! The fact that a significant minority of the US population (including the current Vice President - one heart attack away from the magic buzzer) are looking forward to The End of The World and their "Rapture" makes it even worse.
Our choice as consumers is simply about who is going to be spying on us. We already know our own government is, and the US is - I'm not sure that adding China to the mix would make my life significantly less private. Nonetheless, our government has already chosen clear sides in this particular fight for dominance, and we simply make do with the consequences - for trade, individual privacy, national security and regional harmony.
They have, and do, and it has been linked to by @draughtrider
and my response to a part of the report:
"The statement in the report 'NCSC does not believe that the defects identified are a result of Chinese state interference' seems to reflect more on the ability, or perhaps better said inability, of the Huawei company to produce good code and sustain a level of good practice."
If you have no association with China then you are likely right. If you have an association with China, well, we've seen how that story can play out - best to avoid Chinese surveillance.
I would guess that the Australian government is not worried about whether China is surveilling you. A massive Denial of Service attack could be a bigger concern. Using it as a launching pad for other cyber activities could be a bigger concern.
That's Russia!
(And the US, but it and its pet media tend to keep fairly quiet on that.)
Any nation state in the world that doesn't like us at any point in time could and would do it (and probably at times has done so) and they don't need any particular country's tech to enable it. The holes already exist and many of the US secret agencies already know a few and won't release details so they can subvert us now. I like the not so subtle message in the movie "The Man Who Knew Too Little": to keep their little empires going, two "enemy agencies" work together to keep the game afloat.
Does that mean they are the only ones with this knowledge? I very seriously doubt it, they aren't the only brains trust in town. Nor are they the most benevolent of them; anything that strengthens their hold on our data is what they seek no matter where you live in the world, nor do I believe any Govt or Kingdom in the world other than perhaps, and only perhaps, Bhutan is any more benevolent.
The holes are not just accessible to large nation-states. While Hacking Team claims it only sells its collection of zero day vulnerabilities to "nice guy" countries, that is clearly false (based upon their own… data breach).
Oh boy - Uganda alone has apparently spent €52m for exploits!
Then thereâs a little exploit kit whose users include Australia:
I agree, and the following paragraph mentions that "Does that mean they are the only ones with this knowledge, I very seriously doubt it, they aren't the only brains trust in town".
Anyone who has a strongly enough perceived need to see what the next person, country, business or organisation has stored will try to collect that information by whatever means they can. So much is stored via the internet these days that it is the largest target to aim at to get that information. Similar to why Windows is exploited by viruses and other hacks as much as it is: it is the biggest, juiciest target out there. As Apple or Linux advance they too become targets, and they have already had vulnerabilities exploited.