Secrecy, privacy, security, intrusion

Agree and what it shows is their opinions are based on speculation rather than facts. If we make all decisions based on speculation of what could happen in a worst case scenario or outcome, then more of us would ‘be still living in caves’.

2 Likes

An article regarding Google’s submission to the Senate inquiry into foreign interference in Australia.

2 Likes

Better to use open source - then you can verify, and everyone else can verify, whether the software has backdoors or other defects. Open source ought to be the stalemate solution to the current wave of backdooring.

As you wrote above, as a niche, embedded device, your inverter is unlikely ever to be open-sourced. Therefore it will forever remain unverifiable. Therefore it should not be allowed on the internet. :slight_smile:

Closed source software represents a massive risk to almost everyone. The ripples, as it were, are much bigger than Ripple20.

2 Likes

Unfortunately for open source to be safe there has to be someone checking it. In too many cases, this does not occur. Additionally, supply chain attacks are likely to be easier with open source software.

Ability to check the code does not necessarily mean that it gets checked, or that it is secure from bugs/exploit vectors. Very few open source projects are ever audited - in fact I can only recall a single example (though there may have been more since then). And of course, that one has since been abandoned.

3 Likes

If it were a 1kB block of micro code from 1980, it might be possible whether open source or not.

The level of complexity that can be provided today in any EOT or intelligent device increases the difficulty exponentially. There are likely some very clever ways to try and narrow down whether a device might contain code with alternate functions.

Does that leave us with a decision about whom to trust and on what basis?

It’s difficult to imagine how any regulation or procedure might ensure (compared to assure) digital safety and security. Especially when the most notable recent discussion has focused on legislation to ensure absolute security of data is not.

I’ll just note that censorship of correspondence, and Government opening mail has been legal for at least a century. We’ve some post cards from the WW1 western front as a reminder. ‘D-Notices’ also remain a government tool. We are just playing digital catch up. How and where the lines are drawn in each instance relies on trust too.

2 Likes

The UK gives Huawei the boot.

I would rephrase it to ‘UK folds to US pressure’

3 Likes

Mr Dowden said Britain’s National Cyber Security Centre could no longer guarantee the stable supply of Huawei equipment after the US introduced fresh sanctions on the company’s chip technology.

Looks like a trade war, walks like a trade war, smells like a trade war…

3 Likes

It is beyond just a trade war. It is the US out to destroy any competitor with better technology than its own related in any way to ‘national security’. That can be anything from military to scientific to high technology to economic.

Evidence in this case spans from withholding parts supply to heavying other countries to comply. As many have learned the failure to comply with American authority can be fatal.

3 Likes

As always there are other potential factors at work.

  • The UK can be pissed off at China in its own right i.e. Hong Kong - China reneging on a deal between China and the UK, nothing to do with the US.
  • The proliferation of backdoor legislation means that you will never know whether in fact all of the claims about Huawei are correct. Common sense says that in the absence of proof, security considerations lead to giving Huawei the boot. Taking that to the limit though would mean that the UK should develop its own 5G equipment, since US equipment is equally suspect.

3 Likes

The value of that ‘deal’ was somewhat limited. The UK wanted Hong Kong to govern itself - and so changed its constitution just before handing the territory back to China.

As for why Hong Kong was part of the British Empire in the first place, that is a much more sordid tale.

No, common sense says find the proof before acting upon it. It is pretty much impossible to prove a negative (e.g. there are no bugs in a piece of software), and the absence of any evidence of wrong-doing by Huawei strongly points to this being all about protectionism.

2 Likes

The challenge may be also if Huawei would or could comply with backdoor requirements. The Chinese government could produce its own regulations to prevent this occurring as a result of the west’s actions. It may choose this approach to stop western governments being able to ‘spy’ on Chinese citizens using 5G, especially when travelling.

In this case, it could prove to be more secure than alternatives.

Whose backdoor requirements? The Chinese government’s? Our government’s?

I think it is well understood that a tech company can be in an impossible situation i.e. of being hit with conflicting backdoor requirements that are impossible to resolve. Which requirements it therefore chooses to abandon are up to it - and the consequences that flow from the choice in each case.

I’m not so worried about bugs (in the normal meaning of the word i.e. unintentional defects). I am worried about intentional defects.

Open sourcing may be adequate proof of no intentional defects. In particular, the beauty of open source is that if some piece of code is so convoluted that no one can be satisfied that it is or is not a subtle backdoor (intentional defect) then the foreign government (i.e. ours in this case, or anyone else) is free to rewrite that part of the code.

Perception is reality though. My comment was made only in the context of explaining why the UK might make a decision that will annoy the Chinese government and do so without any external pressure to do so.

Who knows whether the Chinese copy of the treaty even says the same as the English copy.

Think of it this way: Before you sell a car or electrical equipment or medicine in Australia, the onus should be on the seller or the manufacturer to prove that the item is safe and meets all Australian rules, regulations and standards.

We don’t just let them sell the item up until the time that someone dies.

I am extending that idea to all ITC equipment, given that we know that various countries have passed or are passing or will pass laws requiring ITC equipment to be defective by design. (The practical reality is that we are not in a position to do this for all equipment, but we can make a start.)

1 Like

Actually we do.

Should, but is not the case in spite of how common sense it might be. Profits and lack of ‘red tape’ are most important to those ‘we’ elect. We can always trust business, or so some of a particular political persuasion tell us. Perhaps unless it is a hand sanitiser?

ADRs have been watered down for ‘universality’, and the TGA focuses on safety not efficacy as the tips of the icebergs. Then more locally a licensed [fill in a trade] can do whatever and nobody cares nor does anybody seem to have responsibility since he is ‘licensed’.

5 Likes

Except that it is well known that governments involve themselves clandestinely in open source projects. Of course, it is also all-but-certain that government agents manage to find employment in many large hardware and software makers; there has been the suggestion that the iOS goto fail bug may have been deliberate. (Comments in the link, or go to the 15th occurrence of the term “goto fail” in this podcast transcript, and read the next several lines.)

They can prove that it meets regulations - they cannot prove that it is safe. Just ask Ford how it would design the Pinto if it had another go-around. (Yes, US reference. If you want something that had an effect in Australia then go with thalidomide - which went through the crazy-pants drug approval process.)

Oh yes we do! (Pauses briefly for someone to say “oh no we don’t”, then remembers that pantomime really doesn’t work too well in online comment threads.)

Of course it generally takes more than one or two deaths for us (including our representative governments) to actually take any notice of problems - as shown by the examples above. Even when there are known dangers (Chernobyl, Karen Silkwood, climate change, smoking causes cancer), as long as they can be effectively swept under the carpet society ploughs on towards a disaster of its own making.

1 Like

Yes the Brits have no translators capable of reading other languages, this has come from the 17th century when they said to the world ‘let the beggars all learn English’.

2 Likes

Shortly before the Brits got a German (Hanoverian) king who never learned to speak English. At least they removed the Germanic surname… in 1917!

1 Like

George was such a PC lad, what’s wrong with Saxe Coburg Gotha I ask you?

1 Like

True. That’s why I said that “open source” is “adequate proof”. In that case, they would have complied with the regulations but it would be up to someone else to examine the source.

You can’t really compare
a) closed source - black box - zero level of confidence
with
b) open source - yes, it’s not perfect but it’s a helluva lot better than having zero level of confidence.

Open source also has the more subtle advantage of making it less likely that anyone would even try to make the product defective by design - because the risk of getting caught is so much higher.

I don’t think that the failure in the case of e.g. thalidomide suggests to us therefore that we should not have safety standards.

I think that in some cases companies are allowed to self-certify, and that is clearly an invitation for cutting corners if not outright fraud.

The main point here though is that since everyone can see how badly we need product safety standards in all kinds of areas, it isn’t a big stretch to extend that to all ITC products.

Face saving, blame shifting, or most likely this is how it goes.

4 Likes