US says it can prove Huawei has backdoor access to mobile-phone networks (arstechnica.com)
261 points by ssully on Feb 12, 2020 | 276 comments


> Telecom-equipment makers who sell products to carriers "are required by law to build into their hardware ways for authorities to access the networks for lawful purposes," but they "are also required to build equipment in such a way that the manufacturer can't get access without the consent of the network operator," the Journal wrote.

I love this quote. The US is essentially complaining that Huawei has access to the backdoor channels that only the US government was supposed to have.


The features they aren't talking about aren't a "backdoor". It is a well-documented feature of most service provider networking equipment that allows for the provider to respond to subpoenas. The data collection is explicitly configured by the service provider. The allegation is that Huawei can activate the lawful intercept feature without authorization from the service provider.

The theory behind the lawful intercept concept is that with the appropriate legal authorization a law enforcement agency can get a capture of a subscriber's traffic in a somewhat standard format - that way the LEA doesn't have to have a different way to process the data from each network equipment vendor.

Here is a description of how the feature is commonly implemented: https://en.wikipedia.org/wiki/Lawful_interception https://www.arubanetworks.com/techdocs/Instant_40_Mobile/Adv... https://www.cisco.com/c/en/us/td/docs/routers/10000/10008/fe...


I'm sure the NSA sees this completely differently. While I understand what you mean, it's very hypocritical when you have agencies like the NSA rolling around.


>The US is essentially complaining that Huawei has access to the backdoor channels that only the US government was supposed to have.

How is this surprising? The defining characteristic of a nation state is that it has a monopoly on violence within its borders. Having a monopoly on intercepting telecom traffic is a logical consequence of that. For other countries though, yeah I'd prefer if neither China nor US have backdoor access.


In practice, we're not just talking about the US backdooring telecoms systems within their own borders. They were caught red-handed compromising exactly these lawful access systems in the European allies they're now leaning on not to use Huawei telecom systems in order to tap their politicians' phones.


Seems like convenient timing, no?


"I'd prefer if neither China nor US have backdoor access."

So would I, but having lived in both countries, one of the two governments is decidedly more evil than the other.


What is more dangerous for an American (or even European) citizen? The US or China spying on them? Even if China is more evil in its domestic affairs a western civilian has much more to fear from the US.


They have more to fear from China.

China does not respect the sovereignty of other nations, nor the rule of law. They are not above intimidating, blackmailing, or otherwise exerting their influence on foreign nationals on foreign soil when their views become too politically inconvenient.

Those residing and holding citizenship abroad but that have family back in China (which are many) have proven especially vulnerable.

Stories of China arresting foreign citizens for activities abroad and never allowing consular access, funding and manipulating groups in foreign countries (especially on university campuses) and then directing them to silence others, and more are a dime a dozen.

While the US's hands are quite dirty here as well, China has shown repeatedly that given the opportunity they are more than willing to try and implement the kind of oppression and thought policing they have at home in places abroad. It is more dangerous for the entire world to have China spying on them than it is the US.


This is the same USA which performs extraordinary renditions (ie: kidnapping a citizen of a foreign nation from within that nation’s borders), political assassinations, and abandoning erstwhile allies because their new friends with oil don’t like the old friends?

How is China worse than the USA? Your claim seems to rest entirely on greater reporting of China’s aggressions by the US and their allies.


His claim rests on the reported facts by the US and allies? There are independent agencies outlining so much worse.. like the harvesting of organs on political prisoners.

Do you think the US is harvesting organs?


Probably not, but the US has started more than a few wars which has led to insane amounts of suffering and dragged its allies into it as well. This, as a European, I fear more than China's foreign policies.

However I am truly afraid of the way Xi has enacted its horror policies in China.


Russia borders Finland, and your air force flies 60+ F/A-18s. I believe that US military power is among the most significant bulwarks of peace and prosperity in your country.


That is whataboutism.

The US routinely massacres innocents in foreign countries then retroactively declares all the victims “terrorists”. China — to my knowledge — doesn’t engage in anywhere near the level of military aggression that the USA does.

When you compare the number of organ harvest victims to the number of “terrorists” slaughtered by incorrectly targeted missiles, who comes out ahead in the ethics game?

Do you think killing people for the sake of imaginary goals is better or worse than killing people to harvest organs?


> While the US's hands are quite dirty here as well,

Acknowledged this already.

The policies the US is trying to enforce with these measures are less bad for most of the Western world than those that China is. That's it.

While the US has taken quite a slide on freedoms over the past couple decades, they're still nowhere near China's level and I find it pretty laughable to even try and put them on the same playing field in that regard.


Well, the PLA has been caught red handed, twice, hacking Western firms and financial institutions, including installing malware and identity theft which could be used to impersonate and hack members of the public. The USA is far from clean on this issue, but I don't think we know enough to properly characterise the relative threats.

https://en.wikipedia.org/wiki/PLA_Unit_61398


And the NSA has been known to monitor all kinds of communications "which could be used to impersonate and hack members of the public". (example: https://en.wikipedia.org/wiki/Tailored_Access_Operations#NSA...)

The ideal would be to use open-source hardware and e2e encryption, but if this is not possible I would suggest those scared of the US to use Chinese phones and those scared of China to use US phones.


Millions of Chinese people visit the US. This is who China would be most concerned about monitoring anyway, and who we should be most concerned about protecting.


>Even if China is more evil in its domestic affairs a western civilian has much more to fear from the US.

Can you support this assertion?


Kim Dotcom, Julian Assange, Iraq, Iran etc.?


FIFA executives. Even though I found it awesome.

https://www.justice.gov/usao-edny/pr/nine-fifa-officials-and...


China can't prosecute me for anything, U.S. can.


America are more likely to kidnap me over the borders compared to China.


Source?

To quote a Chinese citizen: “Give us a baby and we’ll let you go.”

https://www.hrw.org/report/2019/03/21/give-us-baby-and-well-...


nearly 20 years ago, George Bush talked about 'evil' countries, sent troops, and...

unless you are under 25 or deeply religious, I'd suggest to think twice before using 'evil' on subjects of international politics.


evil is a good word with a defined meaning. Having it mis-used should not stop us from its correct usage. Yes absolutely be vigilant about its use, the specifics and be very suspicious of generalities of "evil" in nation state politics. It's reasonable to describe the actions of any government as evil when it meets the definition.

Was George Bush Jnr performing the actions of an evil man? Discuss.


does every group support any math operator? does every word have meaning in every domain? I don't think so.


[flagged]


I don’t really understand comments like this. US has lots of problems but we do have the semblance of rule of law. We do have the notion of transparency and you do not get sent to a labor camp if you have political views antithetical to the state.

The Chinese can and do simply disappear people without the semblance of due process. Their history also is one of ethnic cleansing as the Han people have pushed out or marginalized most other ethnic groups.

The history of: The Great Leap Forward, The Cultural Revolution, and Tiananmen Square is pretty awful.


The US is better in terms of handling its own citizens compared to China but they are much worse in terms of international affairs. Consider https://en.wikipedia.org/wiki/United_States_involvement_in_r... or the bombing of civilians in middle east with killer drones.


Let's check back in a few decades and see if this still holds true. I suspect the current disparity is due to the US holding the title of unchecked global super power for the past century while China is still getting up to speed. What happens when Belt & Road initiatives start to be expropriated by radical populist governments in the 2040's?


Do you think it will take that long? Surely China will expect its investments to start paying back before 2040?

This still seems like a strange, "pre-crime" sort of standard to which to hold China. You're almost counting USA misdeeds against China: "since USA did all these horrible things, you can be sure China will do even worse, someday!"


He is right - China is now growing as a super-power and only just beginning to flex their muscle in international affairs. For a proper judgement, you will need to wait a few decades to take a decision on whether they will apply the same principles they use in domestic affairs to international affairs.

Knowing that they treat their third-world neighbours in contempt and tend to regularly infringe on territorial sovereignty, I suspect that answer will be yes. Your media does not tend to cover such affairs.


Power corrupts and absolute power corrupts absolutely. China has total control over its citizens/illegally occupied territories and look how it's abused its power. It doesn't take a genius to figure out what would happen if China had global dominance that US currently enjoys - just someone disingenuous to pretend to ignore it.


What illegally occupied territories, exactly?


I'm guessing the reference is to Taiwan, mainly, but there is no shortage of disputed territories, including Tibet and a number of border regions near India.


Tibet


China plays a much longer game than the US. But sure, let's say next decade then. Your analogy is poor. I'm describing the behavior of all hegemonic empires in history. You seem to think the US is a special case. Why is that?


I don't think USA is "special" in any sense. I mentioned it only in response to the direct comparison you made between China and USA.


You're beating around the bush. If you agree that hegemonic states engaging in imperialism isn't "special", why are you so resistant to the idea that China will behave that way once it has the opportunity? If you ask those in Tibet and Xinjiang they would argue that they already are.


You have a lively imagination with respect to what I hypothetically might intend to say. In fact, I only intended to record the oddity of your objection to thread parent [0]. Apparently we agree that large militarized states are a plague upon humanity. China is too large to see justice in governance, as USA is. However, it will have to change a great deal in twenty years in order to menace the world in the way that USA does. China might be our equal in terms of news and social media totally committed to fear and mistrust of other nations, but they fall far short in terms of a vast rent-seeking self-dealing industrial armaments sector. I'm not even sure that such a sector can arise in the sort of polity they have...

[0] https://news.ycombinator.com/item?id=22311947


One-dimensional arguments are rarely applicable in trying to discover reasons for, and implications of, foreign policy.

China is one of the most exploitative world powers in its relations with resource-rich developing countries. And it's no stretch to say that without the Soviet push for communism to take root in Latin America, the USA would have had little need to support authoritarian right-wing governments there.


And the USA is the most exploitative country. By far.

It's odd watching US Americans (I presume) attack China while defending their own country's horrendous record (witness your cavalier setting aside of the CIA's evil doings in South and Central America). You simply don't appear to understand that a large number of people don't like super-states and that includes both the USA and China (and also the USSR up until its dissolution).


> I don’t really understand comments like this. US has lots of problems but we do have the semblance of rule of law

I, as a European citizen have no practical way to benefit of that semblance of rule of law.


I don't think that's true at all. If you have a grievance, you can bring a case in American court and be assured of at least a reasonably fair hearing. Far better than in China, at any rate.


I'm sure you enjoy imported goods in your European country no? Imported goods that were likely shipped to you via pirate-free shipping lanes courtesy of the US Navy?


Even Russia sent their military ships along Somalia borders. This was and still is a military cooperation.


The US has the strongest military in the world by...a lot. And they're probably your ally. It's better if your ally has semblance of rule of law rather than the alternative.


As a European, you benefit immensely from being a member of NATO, you might be a part of Russia otherwise. To think US and China are equally bad requires an astonishing degree of naivety


>As a European, you benefit immensely from being a member of NATO

We are having US nukes in our backyard. This adds as much worry as it adds protection.


The US allows suspension of the law when and where it suits the people who are tasked with serving and protecting it.

Our problem is often of federation. We can't just tell every state to do a thing and expect it to happen - the whole powers enumerated thing in the Constitution made sure of that. We'd have to get every district involved, replace the DAs, vote out governors, appoint all new officials to get people who won't just uphold the status quo. Change happens from the bottom up.

We also have our own domestic and state sponsored massacres. We have mass shootings and healthcare crises and blacksites and a troubled history with eugenics and ethnic cleansing and medical and military experiments on the unassuming public.

We have labor camps for prisoners in the form of contracted call centers and menial work that pays inmates cents per hour (and "sentenced to hard labor" wasn't that long ago), and a private prison system that colludes with courts and police to keep cells full by any means, no matter the harm to its occupants. Cash for Kids was an American Enterprise.

You might say these are lesser or more distant wrongs in the face of fresher "foreign evils", but they are no less blemishes for where or when they are perpetuated. Not fighting against them here because there's worse happening there is pretty un-American to me. Setting the example you want upheld is a pretty simple way to live.


don't worry, if American hadn't done these, it will. for starters, how about make Chinese govt. the evil force and every Chinese a potential threat?

seriously, I'm not even going to blame America. it's the tragedy of great power politics. to maintain its hegemony, it will and has done whatever takes. any illusion of moral superiority, is just illusion.


> I don’t really understand comments like this.

And I don't understand how you don't understand. It was a very simple point that was being made - that the US has projected far more violence outside its borders over the last century than China. It's an irrefutable point and, from the perspective of people who live neither inside China or the US and so don't have to worry for themselves about how violent those governments are inside their borders, a very pertinent one.


If you don't include proxy wars fought between China and the US, and you don't include wars where the US came to the aid of allies after intense fighting was already underway, and you don't include wars where the US was retaliating to a direct attack on its soil, then I don't actually believe your assertion to be true.

So it depends how you count.


> the chinese can and do simply disappear people without the semblance of due process

Hum you could use a chat with one or more guantanamo bay inmates


The scales here are extremely different. Millions of uighurs are being detained en masse for their race and religion. Guantanamo has 40 inmates who are related to national security. It's a false equivalence and disrespectful to uighurs to compare them to terrorists.


> to compare them to terrorists.

There are no terrorists at Guantanamo - at least not until such time as we hold a trial to determine whether they are. In this case that's not splitting hairs, the failure to observe the Bill of Rights is quite the point.



I have no idea whether I agree with your post, because I'm not going to bother to follow the links. If it's not worth your time to at least write a sentence introducing the links, then it's not worth my time to follow them.


As a non-American, should I be more worried about a state that attacks its own people or one that has a demonstrated history of invading other countries and forced regime changes in those countries?

From a pragmatic perspective, I'd choose the former.


You appear to have forgotten the Chinese invasion and ethnic cleansing of Tibet.


[flagged]


Originator? You might need to expand your scope to more than the past 100 years.


That’s why the US censors the Internet. To prevent people from finding out about Martin Luther King's March on Washington, or John Brown's revolt.


The comment you reply to is [flagged] and [dead], while not done by the government it is still censored.


Hmm, I get 1 or 2 for the US depending on whether 'last century' means the 20th Century or the last 100 years. Current Chinese government has started more than that just against other Chinese.


The answer is obvious for citizens of either country, but the answer is different for citizens of neither country.

China has historically not engaged in violence far from its borders. America frequently does.


Well, you could think about it this way: it's better to possibly leak data to a foreign interest if they don't work well with your country. Sure, they may have some data, but they won't share it.


U.S. government just has much better PR, thanks to Hollywood, but it isn’t that much better than Chinese one.


>The defining characteristic of a nation state is that it has a monopoly on violence within its borders.

Pedantry FYI, that’s just a state. The term “nation” has more to do with distinct communities and culture. And so a “nation state” is when those overlap.


Pedantry squared FYI, but because the United States calls their provinces "states", it's helpful to disambiguate by adding the word "nation".

Furthermore, since a nation is a group of people bound together by shared culture, values, religion, language, etc., while a state is a piece of land with a defined border, then nations and states are not necessarily the same thing.

A "nation-state" is the intersection of the two, where cultural boundaries align with political and geographical boundaries, and not a redundant synonym of "state".


>The defining characteristic of a nation state is that it has a monopoly on violence within its borders.

That seems like a good reason for people within US borders to prefer to be spied on by the Chinese government rather than the US government and for people within Chinese borders to prefer to be spied on by the US government rather than the Chinese government.

If I have to be spied on, I will choose whoever is less likely to subject me to violence.


as a US Resident, China has no authority to murder me or put me in a cage like the US Government does.

So if I had to choose I would prefer china over the NSA, Of course neither is the best option but .....

if I lived in China the inverse would be true


This is dangerously naive and short-sighted. Look at how readily China already uses our own corporations against us. ESPN showed a map of china with the nine-dash-line. Hollywood won't dare to offend the Chinese government. Our tech companies are willingly censoring themselves. Our corporations influence our politicians, and China is exerting influence on our corporations.

If they have access to an enormous volume of potential blackmail or datamining, you think they won't use that against us for political gains? They could blackmail a programmer to insert a subtle vulnerability into a piece of code by threatening to expose his extramarital affair, or threatening to tell his employer/family/friends what kind of porn he watches. Or they could easily datamine and target those with monetary issues to see who is vulnerable to a bribe. Or they could threaten to frame you for child porn using their backdoor access.

This is from a government that isn't afraid to 'disappear' political dissidents, send people to "re-education" camps, harvest organs from their own people. You think they're going to be friendlier to American citizens?


So then the solution is to ensure NO GOVERNMENT has the ability to spy on people

Not to lambast china while excusing the US Government that requires that type of spying by law.

Do you believe that the US Government is above " blackmail or data mining" or "won't use that against us for political gains", both of which has been proven to be true

Everyone is Soo fucking afraid of foreign influence on our politics they ignore the domestic influence of the same nature.

Personally I believe the NSA and CIA to be more dangerous to our liberties than China or Russia.

As Lincoln said many many moons ago, If we lose our freedoms it will be because we destroyed ourselves

As far as the tech companies / Hollywood censoring because of china, for the product in china sure but they censor their products here because they want to, china is just a convenient excuse that naive people believe. It is a way to shift the blame "no no we did not want to, big bad china made us" bullshit


> You think they’re going to be friendlier to American citizens?

Yes, because American citizens are none of their business. Law enforcement and prosecution on the other hand is very interested.


hm.. China backs their multinational corporations into competing with other businesses globally. For example TikTok or all the construction firms that compete in Africa, Asia, etc.

Now let's imagine I am an American citizen/businessman competing with a Chinese businessman. I have a better product, better networks. Let's also imagine the scenario where the Chinese govt has more power and dominance than anybody else in the world. Do you still think an American citizen is none of their business?

How about if an American citizen happens to write an article criticizing Chinese govt? What would happen in the above scenario?


...but US corporations are their business?

China, and the US for that matter, will generally do what they think they can get away with to further their interests. Regardless of a bunch of imaginary lines drawn on a map.


That argument really only works if you're a political activist or even an average citizen. However, if you're a high level executive, defense contractor, or a high ranking government employee, do you really want the Chinese government to have access to your comms AND know your movements?


So 98% of American citizens then.


good thing I am just an average American citizen then


In western countries you can, in general, publicly mock your leaders on the front steps of your legislature. Try dancing in a Winnie-the-Pooh costume in front of the Great Hall of the People and see what happens...


Because in China the power is indeed in the hands of the government. Not sure this is the case in the west anymore I'm afraid


I'm pretty sure China has a "deep state" too.


Your comment has nothing to do with what you replied to. It wasn't about what country is better.


True. I completely misread the comment to which I replied. Oops! However, my preference is still to live in a socialist country where the government can be openly criticized.


> publicly mock your leaders on the front steps of your legislature

So long as those steps are designated as a "free speech zone".


Oh boy, the worst thing that will happen is that you might have to move a little ways down the street. Horrifying.


That is a naive view to look at a situation where an armed man is telling you at gunpoint to "move a little way down the street" with the implied ending to the statement being or I will shoot you, or forcibly remove you to an iron cage

People always seem to forget, all government actions and regulations no matter how small are acts of violence. They are not voluntary and are backed by the threat of legal violence to anyone that dare resist.


I don't like the ridiculous idea of "free speech zones" but law enforcement does need to be able to move people who block streets or doorways. It should be independent of why the person is there. Of course they shouldn't shoot them.


Let’s say it is hypocritical — and China is fully within its rights as a nation to attempt to do this — that doesn’t mean the us should just let them get away with it.

Let China keep the nsa out of their networks and we’ll keep China out of ours.


Australia called, and wants its irony back.


That's a bad take.

There's a huge difference between a documented authorised-only interface and an undocumented backdoor.


They pulled the same like when I was trying to buy a little yellow cake uranium. The government is so hypocritical.


Note: The following might be considered off-topic. On the other hand, there might be something nefarious in the SMS network.

I found something strange that affects SMS in Canada. You can send the lower case text "secure communication", but it will never be received by the recipient. I am not sure if this behavior is reproducible outside of Canada. It might be a software defect, or perhaps there is something capturing the text and trying to interpret it as a command. The issue is more difficult to reproduce if both the sender and recipient devices are iPhones due to the default behavior of sending via iText.

I originally posted about this late last year [1]. I intend to investigate this issue more deeply, but my time has been consumed by another more pressing matter. The original HN post links to my blog post [2]. Originally I jumped to the conclusion that it was a case of censorship, but I backtracked on that because the issue is case sensitive. I would love confirmation if this is reproducible in other countries.

[1] https://news.ycombinator.com/item?id=21593276

[2] https://bloggerbust.ca/post/text-messages-are-being-censored...


It's a bit of a leap to assume that behavior like that is evidence of nefarious activity; ask yourself, if you were implementing some sort of secret signalling layer, would you design one that uses simple English words, and whose failure state reveals its presence?

Consider the other cases - it could be something like an anti-spam system; back when MSN Messenger was a thing, it would abruptly close any conversations in which certain virus-related keywords were said (mostly including ".exe", which is how I discovered it), presumably in an attempt to stop them spreading.

Or it could be a bug - there have been plenty of these, from simple strings causing mass IRC disconnections, to eerie conspiracy theories (see "bush hid the facts"[0], a conspiracy caused by a bug in Notepad).

Or it could just be a bit of debug code accidentally being triggered. This past week, I had to explain to some users why a website was talking about "DEAD BEEF". The reason was innocent (glitch in a web server config), but to the end user it was incomprehensible.

All that said, if you want to investigate further, it's simple to disable iMessage on iOS devices. If you go to Settings->Messages, there's a toggle for it.

[0]: https://en.wikipedia.org/wiki/Bush_hid_the_facts


> back when MSN Messenger was a thing, it would abruptly close any conversations in which certain virus-related keywords were said

On MSN Messenger, one way around swear words in your username/status was to use the ASCII equivalent for a letter, which would skip the filter but render as the letter.

So I looked a little down in my chart and hoped that 0x7 for BELL would do something, but it didn’t.

But 0x0 for NULL would cause all members of your contact list to immediately sign out and back in ad infinitum.


I am not assuming that it is nefarious, I apologize if I was not clear enough on that point. There are many possible ways it could be the result of a defect and you provided some interesting examples. In either case, it is a curiosity worth investigating.

Thanks for pointing out an easy way to disable imessage on iphone. Apparently after doing that iphone defaults to MMS. It still might be best to just turn off data and wifi.


> I found something strange that affects SMS in Canada. You can send the lower case text "secure communication", but it will never be received by the recipient.

This reminds me of how, until just a few years ago (as late as 2016), people were wondering why you couldn't tweet the phrase "Get better".

It turned out that you can't tweet any phrase that begins with "Get" because... you guessed it, posting tweets from the web interface still shared backend code with the SMS-based system[0]. So it would interpret "Get foo" as an API request to fetch tweets, not a tweet itself.

[0] Twitter was originally designed to work on dumbphones! You could text your tweet to 40404 and it would post for you, or you could fetch tweets by saying "GET chimeracoder" and it would fetch the latest tweets from user @chimeracoder.


Your [0] is funny to me because that was how I used and communicated with friend groups back in the early 2000s. Years later when Twitter blew up for real it was strange that facet was forgotten and the culture moved on. That's also the reason for the 140 char length vs the 160 or whatever the SMS limit is. The other characters were reserved for their username.


You could also do Google searches via SMS.


Tried it, works.

Also seems to not deliver SMSs that contain other combinations with 'secure communication' within it.

E.g.

'Hahahaha juice secure communication james'

or

'Not secure communication'


Yes, if the words "secure communication" in all lower case appear anywhere in the message, then the message won't be delivered. There can even be text appended to the beginning and end of the words [0]. i.e. foosecure communicationbar will also not be received. However, there must be exactly one blank space between the words.

Having said that, this is not working for everyone. I am trying to gather data on this to figure out where the issue might stem from. Would you be comfortable disclosing the make/model and carrier service of the sender and receiver? If you would prefer, you may contact me directly with this information and I won't include your identity in the record. My email is linked in the header of the blog post. I also have a public key [1] if you feel so inclined to send me a secure communication :-P

[0] https://bloggerbust.ca/post/text-messages-are-being-censored...

[1] https://bloggerbust.ca/about/#my-public-key


Message is not delivered between Koodo -> Koodo, secure commmunication (using 3 m) won't be delivered as well.


On a related note, if you start an SMS with "!", then the leading exclamation point will be stripped, and a delivery confirmation SMS will automatically be sent (not sure if it's from the mobile network or the receiving phone). This makes it possible to send zero-character SMSes.


Huh, just tried it and the ! got through. Could be network- or encoding-specific?


That is interesting. I will try that out later today.


Ha! I respond to texts with a single "?" a lot of times, so it's funny to know that they're getting a blank text


Just tried this in Ontario, networks were Bell (iPhone 7) + Koodo (Pixel 3) and it didn't deliver.


Thank you.


I just tried that in Quebec from Virgin Mobile (Bell) to Vidéotron using a Samsung S10 and a Samsung A8, it's working fine for me.

I can't verify it is sent over SMS or MMS though. In theory there's no reason for my cellphone to send it over MMS.

The exact word used: secure communication


Turn off your data and disconnect from wifi, then try again. I believe that will force it to send via SMS. You might need to go through your client's app settings.

The Google Android client is nice because it displays what protocol it is sending over. It is important to confirm that it is sent over SMS. Also, it is important that the words "secure communication" are sent in all lower case which I see that you did.

Thank you for taking the time to test this. If you are sure it is being sent over SMS then I will add your entry as an example where it can be both sent and received.


I just tried without Wifi and mobile data (good idea!), it was sent and received correctly.

I did it from my S10 to someone else's A8.


Just tested via twilio to canadian cell phone and had no issues receiving it.


What client region was the twilio data center? What was the exact text sent? Are you comfortable to disclose the make / model of the receiving cell phone as well as its carrier service?


I just tested with twilio as well. I was able to send this string:

"secure communication"

from within the twilio API, via pure SMS (no imessage, etc.) to an iphone SE with a US Mobile (verizon MVNO) sim card.

Was sent from a US number to a US number.

No issues.


I added your entry, thank you.


I wonder, but will not test, what happens if you put some code in between secure and communication. Like “; OR 1=1”.


Just tried Public Mobile (Telus sub-brand) to Rogers phone. And vice versa.

Messages containing "secure communication" failed when sent by SMS.

Both are iPhones, but one phone had wifi and cellular data disabled to force the SMS failover.


I found that an international SMS containing the entire text for a Wells Fargo SMS 2-factor code from the US to the UK doesn't deliver. Found that interesting.

I could get it to deliver US to US, though.


A lot of shortcode systems fall apart outside of their home system.

These are common problems for those that try to go “data-only” and sign up for a virtual SMS service: they can’t receive 2FA SMSs.

I guess the positive is that it’s hard(er) for a bad actor to pretend to be bigger than they are.


I just tried. Successful delivery.

from: Freedom Mobile to: Freedom Mobile Location: Ontario

Mobile data: off Wifi: off

Side note: So cool to see so many Canadians on here! If requested I can send SMS to USA numbers.


> If requested I can send SMS to USA numbers.

Yes please! Also, if you have US contacts that would be willing to test US-->US and US-->Canada that information would also be valuable and appreciated.

Please include as much of this information as participants are willing to provide:

  - OS+version of mobile device
  - if WiFi / data was on or off
  - Carrier of sender / receiver
  - region
  - exact text sent


I will update my records tomorrow morning with anyone's accounts so long as they are confident the text went over SMS. It seems that not everyone can reproduce this issue, so that might help narrow down where the issue likely is.

Super busy now for a while...


I appreciate the time taken by the community to test this issue on their own devices and submit detailed results. I have updated the article with yesterday's submissions [1]. Please feel free to email me or comment on my blog. All comments on the blog require me to manually commit them to my GitHub repo which might take up to a day depending on how busy I am.

[1] https://bloggerbust.ca/post/text-messages-are-being-censored...


> required by law to build into their hardware ways for authorities to access the networks for lawful purposes

A bit of a tangent but ...

How I hate this term "lawful purposes". It's a non sequitur / dark pattern deployed to confuse consumers into not understanding that they mean "spy on you". "Lawful" just means compliant with the law. In other words, they are NOT saying "necessary to enforce the law" which is what they want you to think. They are only saying, hey, we won't break the law when we use this feature, aren't we great? Like breaking the law would ever be OK and as if this disclaimer somehow adds any sort of reassurance. The implied logic is "normally we would just break the law to access your data but in this special case we'll follow it."

/tangent


Are you sure you’d want to live in a society that was incapable of spying on you when they decided it was necessary?

(This argument hinges on that pesky word “necessary”. But it’s worth thinking about which conditions you’d be ok with the state surveilling others, and who exactly “others” refers to.)


Sadly, that is exactly how ideas like that promulgate. It won't affect me. It will only affect the others, the undesirables, the trouble makers, and misc. whippersnappers.

I know it will not affect me and people like me, because implemented rules will ensure that.

My parents lived in a society you seem to yearn for. Hard pass.


> who exactly “others” refers to

Historically, people of color and political dissidents.


I think that's a perfectly reasonable debate to have.

However that's exactly why I think they should not use deceptive language to confuse people. People need to understand exactly what is being done to have trust in it and to debate it so they can form reasonable opinions - not be deceived into thinking one thing is happening when actually something much more intrusive is going on.


NSA: Yeah, their spyware install totally broke our spyware install!!1!

Joking, but I honestly wonder- If the software is compiled in California... and the hardware is made in China. You could have two implants in the same gear. Now that's Thinking Green! Twice the government implants in one product.


"US says it can prove Huawei has lawful intercept access to mobile-phone networks" would be a better headline.


Because Huawei is a global law-enforcement agency and hence can claim lawful interception on all equipment it sells? Doesn't make any sense.


Why does it make sense for Cisco then? China is certainly a law enforcement agency, with just as much right to require it as the US does under CALEA (local US law).



Completely depends on the abilities of the military which enforce the rule.

Violence tends to be the way nations define rules outside their own borders.


Inside their own borders as well. States are creatures of violence. They are created by violence and require continuous violence to remain in existence.


"lawful intercept access" is the name of the feature, in that sentence.


But can they prove it without revealing their own backdoors?


Or explaining why they allow those backdoors to exist in the first place?


This is one of those "if X has access, so does everyone else" and rule makers still don't seem to grasp it.


"Because I can log into my sshd, so can everyone else"...? We are not talking about weak crypto here (though AFAIK 5G crypto is designed to be decidedly not E2E), but rather access to the data processed by these systems. There is no particular reason why granting e.g. the NSA access to a stream of CDRs would immediately give others access.


I don't think anyone is saying immediately, but these are long-lived fairly static systems.

I'm going to assume that you probably update your server's SSHd at least semi-regularly and that if SSH turns out to be broken 20 years down the line, you will probably be switching to something better either manually or when you eventually replace your hardware and reinstall the OS.

This kind of infrastructure is meant to last for decades. Imagine if the original GSM contained a backdoor with the state-of-the-art crypto of the time. Would it still hold up today? Hell, you don't have to imagine - a mid-range smartphone these days can crack a lot of GSM traffic.

Besides that, there's also the problem that not only are these things usually not done with state-of-the-art tech, but leaks happen all the time and it only takes one mistake* for the privkeys to become known.


Why would the UK or Germany be interested in granting the NSA access? Those are some of the places where the US government is spending lots of effort to keep Huawei out.

So yes, any intervention like that seems to me to be less about "the Chinese can snoop" and more about "we can't".


If you're able to retrieve the private key, then yes, you're able to generate a working public key. If they even use a (pre-generated) private key. Often, passwords are even hard-coded in "firmware".


Pretty sure it's legally required by the Communications Assistance for Law Enforcement Act[1] from 1994. I'm not 100% sure, however.

1: https://en.wikipedia.org/wiki/Communications_Assistance_for_...


Back in the day CALEA compliance meant you had to provide network connectivity and a signaling mechanism to specify what you wanted to be replicated to you. That meant voice calls and in some cases defining a network ACL for packets (I knew folks who had to implement at router manufacturers - it was a hack that reused some of their multicast code base). The key part was an operator couldn't log in to a device to see a CALEA intercept in progress or who was targeted. However due to the nature of how the replication/intercept was implemented you could see the results of it. High CPU, traffic leaving the box that didn't make sense, etc. I know one vendor who actually provided the trigger to the govt in the form of an SNMPv3 query (and the community string was hard coded in the os/binary...).


Just so we're clear, are we talking about lawful intercept (i.e. capabilities built into the system so the telecom can comply with warrants), or dragnet or otherwise warrantless surveillance? I'm not against "backdoors" for the former, but am against "backdoors" for the latter.


I mean, now you're just talking about intent, and thus have to trust that the intent is as claimed. Crypto doesn't discriminate on whether you have a warrant or not.


> Crypto doesn't discriminate on whether you have a warrant or not.

Actually, backdoors could be implemented to require a cryptographically signed warrant. Think e.g. lawful intercept on mobile network routers, US (or any other nation's) law could just add this as a requirement. You could even develop a complicated scheme to apply this to E2E crypto.

But of course skewing the RNG to be predictable, or implanting some hardware backdoor, is much easier and has the added bonus of being usable to spy not only on your own citizens, but also on other nations.


Then it just needs a valid signing key. Every government (local, state, national) in the world has the right to a valid signing key.
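
An added Go example (not taken from any vendor, standard or the commenters) of the signed-warrant gate suggested above: the device verifies an Ed25519 signature, a validity window and the target before it would mirror traffic. The last scenario shows the reply's point, that the check only proves some key in the trust store signed the request. Warrant fields, issuer names and subscriber ids are assumptions, and the keys are constructed from fixed seeds.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Warrant is a hypothetical intercept authorization (field names are assumptions).
type Warrant struct {
	Issuer    string    `json:"issuer"`
	Target    string    `json:"target"`
	NotBefore time.Time `json:"not_before"`
	NotAfter  time.Time `json:"not_after"`
}

// SignedWarrant carries the exact signed bytes plus an Ed25519 signature over them.
type SignedWarrant struct{ Payload, Signature []byte }

var (
	ErrUnknownIssuer = errors.New("issuer not in trust store")
	ErrBadSignature  = errors.New("signature does not verify")
	ErrOutsideWindow = errors.New("warrant outside validity window")
	ErrWrongTarget   = errors.New("warrant does not cover this subscriber")
)

// Gate is the check a device would run before mirroring a subscriber's traffic.
type Gate struct {
	Trusted map[string]ed25519.PublicKey // issuer name -> verification key
	Audit   []string                     // operator-visible record of every decision
}

func Sign(w Warrant, priv ed25519.PrivateKey) SignedWarrant {
	payload, _ := json.Marshal(w) // Warrant contains only marshalable fields
	return SignedWarrant{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// Authorize records every attempt, allowed or denied, then returns the verdict.
func (g *Gate) Authorize(sw SignedWarrant, subscriber string, now time.Time) error {
	err := g.check(sw, subscriber, now)
	g.Audit = append(g.Audit, fmt.Sprintf("%s subscriber=%s result=%v",
		now.Format(time.RFC3339), subscriber, err))
	return err
}

func (g *Gate) check(sw SignedWarrant, subscriber string, now time.Time) error {
	var w Warrant
	if err := json.Unmarshal(sw.Payload, &w); err != nil {
		return err
	}
	pub, ok := g.Trusted[w.Issuer] // the claimed issuer only selects which key to try
	if !ok {
		return ErrUnknownIssuer
	}
	if !ed25519.Verify(pub, sw.Payload, sw.Signature) {
		return ErrBadSignature
	}
	if now.Before(w.NotBefore) || now.After(w.NotAfter) {
		return ErrOutsideWindow
	}
	if w.Target != subscriber {
		return ErrWrongTarget
	}
	return nil
}

// key derives a deterministic key pair from a constructed seed (demo only).
func key(b byte) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
}

// RunScenarios exercises the gate with constructed warrants and returns each verdict.
func RunScenarios() map[string]error {
	courtA, agencyB, outsider := key(1), key(2), key(3)
	g := &Gate{Trusted: map[string]ed25519.PublicKey{
		"court-a":  courtA.Public().(ed25519.PublicKey),
		"agency-b": agencyB.Public().(ed25519.PublicKey),
	}}
	t0 := time.Date(2020, 2, 12, 0, 0, 0, 0, time.UTC)
	during, after := t0.Add(24*time.Hour), t0.Add(31*24*time.Hour)
	mk := func(issuer, target string) Warrant {
		return Warrant{Issuer: issuer, Target: target, NotBefore: t0, NotAfter: t0.Add(30 * 24 * time.Hour)}
	}
	good := Sign(mk("court-a", "sub-1001"), courtA)
	retarget, _ := json.Marshal(mk("court-a", "sub-2002")) // edited payload, old signature
	return map[string]error{
		"valid":                 g.Authorize(good, "sub-1001", during),
		"retargeted payload":    g.Authorize(SignedWarrant{retarget, good.Signature}, "sub-2002", during),
		"other subscriber":      g.Authorize(good, "sub-2002", during),
		"expired":               g.Authorize(good, "sub-1001", after),
		"untrusted signer":      g.Authorize(Sign(mk("outsider", "sub-1001"), outsider), "sub-1001", during),
		"forged issuer name":    g.Authorize(Sign(mk("court-a", "sub-1001"), outsider), "sub-1001", during),
		"second trusted issuer": g.Authorize(Sign(mk("agency-b", "sub-1001"), agencyB), "sub-1001", during),
	}
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-22s -> %v\n", name, err)
	}
}
```

The gate cannot tell a court's key from any other key in its trust store, so who gets added to `Trusted`, and who can read `Audit`, decide what the signature is worth.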


>Crypto doesn't discriminate on whether you have a warrant or not.

Okay, let's say the telecom equipment doesn't have a backdoor for lawful intercept. What happens if the telecom is served with a warrant? Are you expecting that the telecoms will refuse to cooperate with the authorities?


I'm not really making a statement about that. All I'm saying is that if you have a backdoor that can do the former, it must necessarily also be a backdoor that can do the latter.


They'd probably be able to co-operate anyway, but it'd require manual intervention by telco employees. What makes these US-mandated lawful intercept backdoors particularly nasty is that they provide an automatic way of exfiltrating data that is designed to conceal its use from employees - in essence, a built-in rootkit that compromises the integrity of telecoms systems even in countries that don't actually want this kind of backdoor. This isn't a hypothetical issue; the US has reactivated this feature to spy on politicians in countries that didn't actually want or need it on their exchanges in the first place.


No, if there's no lawful intercept, they can cooperate fully, but it won't matter because there's nothing to get.


They shouldn't refuse, but they should be allowed to be unable to cooperate.


> why they allow those backdoors to exist in the first place?

To catch bad guys and protect the children.


Pedophiles. It is always because of pedophiles.


terrorists and pedophiles duh :^)


"Or explaining why they allow those backdoors to exist in the first place?"

Nobody that matters needs to be convinced of the value of 'back doors'. Only a minority of the American public and privacy types are very concerned.

Certainly the other government agencies i.e. UK/Germany would take it as a given in terms of 'why' such back doors are there.

There's a reference above to the WaPo article yesterday revealing the longest-running and best surveillance program by the US. It was run out of Germany. The Germans were wary of using it too broadly, but they were otherwise fully behind it, and their intel agencies balked at closing it down.

It's not really even very political: certainly, Democrats would be 'mostly' onboard - there isn't really much of a political base against it other than perhaps the Libertarian crowd.

I should add, some major US industrialists like Apple and Google probably do care a lot, and they do matter and do have influence. But probably not enough.

So while many of us may disagree, it's not at the end of the day as controversial as we may think it is.


China's intelligence law requires people or companies to spy when asked.

>“request relevant organs, organisations, and citizens provide necessary support, assistance, and cooperation”. According to Article 16, intelligence officials “may enter relevant restricted areas and venues; may learn from and question relevant institutions, organisations, and individuals; and may read or collect relevant files, materials or items”

https://www.canada.ca/en/security-intelligence-service/corpo...


Isn't this also pretty much the case with American companies? The only difference is that they need a warrant (which should be pretty easy to get).

Anyway, there is a new bill trying to kill e2ee in America https://news.ycombinator.com/item?id=22202110


Yes and no.

There are some specific carve-outs for telecom companies that their networks must have the ability to tap into specific traffic when a government agency comes knocking with a warrant.

But, as you point out, backdoor-free e2e encryption is not yet illegal, and the US gov't can't force e.g. Apple to put a backdoor in iMessage or in iOS's device encryption.

I expect that this is not the case in China; if the CCP tells a company to do something, anything, to allow them to spy on their users, they do it, or they get destroyed.

Bills like the EARN IT Act scare the hell out of me, but at least there's a process by which it becomes law, and we can affect that process and (hopefully) kill it. That's just not possible in China.


> and we can affect that process

In theory, in the same sense that one could influence what CCP does by becoming a member of it and rising through the ranks.


Counterpoint: CALEA and National Security Letters in the US.


not to mention recent revelations about how the FBI is gaming and outright misleading in the FISA court process.



I love the delusions here that spy craft is worth more than commerce.

China risks one of their largest companies, knowing they will eventually get caught, over one department in the US just puts out a statement they are 'spying' and everyone believes it without proof.

We don't actually live in a Hollywood movie.

"US officials said they have been aware of Huawei's backdoor access "since observing it in 2009 in early 4G equipment," the Journal wrote."

So the USA admits it's allowed all these countries, many allies, to be spied on? Really? We are expected to believe that?

I'm sure there's a technical 'thing' here. But whether they have fked up on the USA side or the China side we can only know from the US actually saying what this is. But then the US might lose its 'Huawei is spying' attack on Chinese commerce.


While we're on the subject, is Signal still the best way for me to communicate privately? I've got all the people I communicate with daily using it now, and I feel relatively confident that the communications are private. Are they?


Open Whisper Systems has one of the most secure messaging services on the planet. The US military is rumored to have been telling operatives to use it instead of text on their government phones[1].

Edit: a word

[1] https://www.militarytimes.com/flashpoints/2020/01/23/deploye...


Given their demand for your phone number, along with social graph (phone list and communication targets) I do not trust it to be secure and private.

It's probably secure against phone company snooping. But I wouldn't trust it much past that.


Wire.com E2E encryption does not require phone number or social graph. They are also working to standardize the wire protocol via IETF MLS, with cryptographers from multiple companies.

https://datatracker.ietf.org/wg/mls/about/


Indeed.

I haven't gotten around to using Wire. But when I've needed secure, private, and semianonymous messaging, I've used Tox.


OWS is working on foundations to allow people to use usernames and link them with FCM / push notifications without the central signal server being any wiser than currently with just phone numbers.

My hope is to be able to add ephemeral user ids so to my work folks I'm JustMe but family folks I'm FamilyMe and internet blog readers I'm MyProfessionalMe


Is that proof "conflicted with NSA backdoor"?


I don't hate that someone is investing in tools & research in this.

I'd certainly pay a 20% premium on my hardware for verifiable protection from phone-home. I'd probably pay that premium for the manufacturer to claim that the device doesn't phone home.

Obv different situation for infrastructure hardware where the end-user (me) isn't the same as the buyer (german telecoms, apparently). But I suspect some of the verification / testing tools will be similar.

I'm happy these topics are getting press, whoever the players are.


A question to Europeans reading this-

If you had to assume that U.S. 5G equipment manufacturers would provide backdoors to U.S. officials, and Chinese 5G equipment manufacturers would provide backdoors to Chinese officials, and Europeans had to use one or the other, which would you choose?


The question is insufficiently precise.

Some European agencies want the US government to spy on European citizens because it is illegal for them to do it themselves but it's not illegal for them to obtain information about European citizens from US spies. Whether the European citizens want to be spied on is another matter.

If you're a European citizen or company you might well prefer to be spied on by the Chinese because there's little danger of the Chinese getting you kidnapped/extradited. Also, if your competitors and business contacts are more US than Chinese then the possibility of Chinese commercial espionage is perhaps less worrying than the possibility of US commercial espionage. It seems likely that US agencies sometimes provide information to Boeing to help them compete against Airbus, for example. I'm thinking more of contract negotiations than technological secrets, of course.

Getting equipment from several suppliers seems like the best plan, generally. You can then play them off against each other not just for price but also for openness and forcing the supplier to allow security audits. I've heard that Huawei has been very helpful in that respect, because of the pressure they're under.


> Some European agencies want the US government to spy on European citizens because it is illegal for them to do it themselves but it's not illegal for them to obtain information about European citizens from US spies.

Bingo, data sharing agreements between intelligence services.

NSA can't spy on US citizens but GCHQ can, and GCHQ can't spy on UK citizens but NSA can.

Then just come up with a sharing agreement, and you're "golden".

It's all ridiculous.


Five Eyes sees all



>> sometimes provide information to Boeing to help them compete against Airbus, for example.

I've always wondered how that works so that employees don't know about the gov involvement. I suppose they could hire a "consultant", but someone in the company still needs to know, don't they?


Between US and China? US, definitely. I don't exactly love the US, and would never want to live there, but China seems way more malicious than the US to me.


A cynic would say America probably already has half a dozen back doors, so what's one more?

There's no point choosing a Chinese back door over an American one if people you talk to are going to entrust your private messages to gmail/ icloud/ aws/ backblaze/ whatsapp.


The answer is you choose the one which is the closer ally. Which, given the lack of US 5G manufacturers, is exactly the choice the US has already made.


The closer ally is likely to have SIGINT sharing agreements with your government.

FVEY exists so that the UK or Canada can legally spy on my communications and turn that data over to my government - which couldn’t otherwise get it without warrants and other pesky civil rights protections.

I think I’d rather take my chances with an adversarial government. I know they’d be spying but their ability to act on it is far more limited.


Are you American? If so, that is a false statement. DODI 5240.1-R says "[DoD components] Will not participate in or request any person or entity to undertake any activities that are forbidden by E.O. 12333 or this issuance." [1] The NSA, which has the SIGINT authority from EO 12333 [2], is a component of the DoD. A non-DoD entity, such as FBI, Treasury, etc, would (a) not have a foreign intelligence mission and would therefore go through normal court procedures to obtain warrants to collect your communications or (b) would need to coordinate through the executive agency (NSA in the case of SIGINT) to request support for foreign communications, which brings us back to the referenced DOD instruction requiring FISA approval.

1: https://dodsioo.defense.gov/Portals/46/DoDM%20%205240.01.pdf...

2: https://www.archives.gov/federal-register/codification/execu...


Snowden showed they were sharing nudes of ex-girlfriend in TAO.

How well do you think the FISA warrant process is going in reality?


The scenario you mention is an illegal anecdotal failure of the system to work as intended.

If we're still comparing the US and China, I'd say it's working a great deal better than whatever system is currently (not) protecting Uighurs from systematic unjust search and seizure.


That it's illegal doesn't mean that we should pretend that it's not happening.

Moreover, there's much more than anecdotal evidence. The recently-released report on the Trump investigation proves this. Even if you hate Trump, there's no getting around the fact that the FBI completely abused the FISA court system, getting warrants by lying and misleading the court. This is a systemic problem.


I never said we should pretend it's not happening. I'm saying that even bringing that up as a point of comparison with China is silly.


I don't understand how it's relevant to point out that US government actions are illegal. The fact is that it's really happening, so in point of fact, the US is not categorically different from China. The difference, if any, is solely one of degree.


It being illegal is relevant because it is at least considered wrong to do. The degree of difference in what is considered acceptable (and also what is happening) between the two is so staggeringly different it isn't even comparable.


I will continue to disagree, until you can show me that someone is being punished for the illegal actions, and that further steps are being taken to prevent such transgressions in the future.

Today in America it is de facto legal for law enforcement to do this stuff. The fact that a piece of paper somewhere might say otherwise has no bearing on what's actually happening.


> 325 times between 2013 and 2015, cops and employees who misused databases “were fired, suspended or resigned.”

https://www.computerworld.com/article/3124641/cops-run-unaut...

> The act imposes some new limits on the bulk collection of telecommunication metadata on U.S. citizens by American intelligence agencies

https://en.wikipedia.org/wiki/USA_Freedom_Act

And shortly thereafter:

> The National Security Agency (NSA) has formally recommended that the White House drop the phone surveillance program that collects information about millions of US phone calls and text messages. The Wall Street Journal reports that people familiar with the matter say the logistical and legal burdens of maintaining the program outweigh any intelligence benefits it brings.

https://www.engadget.com/2019/04/25/nsa-drop-massive-phone-s...

Sure, the US isn't perfect.

But I'm still very certain that I trust China's approach to data privacy a little less, since they currently do all of the following to happen, without suspicion of a crime:

* mass collection of blood and hair DNA samples for citizens living in minority regions

* literal government occupation of people's homes to take photos and collect information

* installing government cameras inside of people's homes

* using that information to track, detain, and send ~1 million minorities to re-education camps without being charged or accused of a crime... where they are subjected to forced sterilization and torture.

https://www.hrw.org/news/2018/05/13/china-visiting-officials...

https://www.nytimes.com/2018/09/08/world/asia/china-uighur-m...

https://www.rfa.org/english/news/uyghur/abuse-10302019142433...

The institutional attitudes to privacy are simply not comparable to the US. US authorities are not nonchalant enough about privacy that they think anything close to that is remotely acceptable in the US.


You do make some good points there, but ultimately I don't buy it. The key thing is your citation of punishments for cops who "misused databases".

This isn't actually what's at issue here. The existence of law enforcement databases is a very different thing than the facility for spying on communications. And I still see no evidence that anyone has been punished for that, or that any active measures have been taken to protect abuses of those programs.


I have never corresponded with a Uighur, and certainly never on topics that are sensitive for the Chinese state. Have you?


I don't see any reason why I would be afforded any more legal protections than they give to their own citizens, do you?


I would assume I am afforded less legal protections than a Chinese citizen!

But here's the thing: with the platonic ideal of "civil liberties" in mind that might bother me, but practically speaking? Chinese legal protections or threats have no bearing on me. None whatsoever.

I don't have a secret clearance. I don't know anyone who does. I don't know anything of significant value to the Chinese state that they couldn't use their existing sources to steal. My "deepest darkest secrets", at worst, would get me in trouble with my local government. They're not enough of a lever to make me an agent of China.

If, however, the information that could get me in trouble with my local government made it to my local government? That might be more of a concern for me.

Do you see why I might not care in the slightest what China knows about me, while simultaneously caring a great deal what my local government knows?


You're only thinking about it in the context of your own personal information, though.

There will also be effects on your peers, neighbors, and society around you. There are nation-state actors currently using stolen data for blackmail, extortion, and propaganda campaigns, to influence the economic and political stability of other nations.

Whether or not you are a direct target, you will be affected in some way. While you feel much more closely connected to your local government, they are not generally acting out of malice.


Even if I believed you - which I absolutely don’t - it’s completely irrelevant.

The intent of my government or of a foreign government has almost zero bearing on my life, or the life of any other average American – someone who does not have a secret clearance, is not committing major felonies, etc.

What matters is material condition, and the ability of that government to project force and change a person’s material condition.

If Chinese intelligence knows who my weed dealer is, or that I on occasion drive my car faster than the posted speed limit, agents of the MSS aren’t going to tail my car and pull me over. If proof that I’m pirating DVDs hits the great firewall I’m not going to get an email threatening me with legal action.

I don’t care if my government really thinks that weed purchases should be illegal or that driving 5 over the speed limit is a societal crisis or that pirating DVDs is a moral wrong: I care that they can project force against me and impact my life.


Sure, if you're not important, the data will not be used against you directly.

I'm sure you can concede that it will, however, be used against organizations, institutions, and people who are important.

Some of those will directly impact your life. This isn't a new idea, the power of both espionage and propaganda are well studied and long established to be effective.

For example:

https://www.nbcnews.com/news/world/russian-documents-reveal-...


If you're not in their jurisdiction, or neighboring jurisdictions (I've heard some rumors of events in e.g. Vietnam), they're not going to do anything to you. USA cannot make the same claim.


Private information can absolutely be used to coerce/blackmail/extort/compromise/propagandize from abroad. It happens many thousands of times every day.


I wouldn't be surprised if the Chinese state did this and much worse. Governments are evil, film at eleven.

However, if this intercontinental extortion were so common, I suspect we would have heard of a single case by now.


Extortion specifically? How about the Bezos extortion case?

https://www.theguardian.com/world/2020/jan/21/revealed-the-s...


That link seems to refer to the actions of some other nation, which nation is considered by many foolish people to be an ally of USA. But sure, if I were worth twelve figures and I didn't want my wife to find out about my mistress, I would avoid recording my infidelity on electronic devices.



I think you are suggesting a false dilemma. Do you think those sharing agreements will vanish if AT&T hangs some Huawei radios on their poles?


No. But I regard my biggest threat as my own government, and if my choice per the GPs hypothetical is “less information to my government and some information to a foreign power” or “all collected data to my government and none to a foreign power”, the first choice is best for me.

Now, it may be fair to argue that the information collected from a 5G radio doesn’t mean much at all to my government. But I’d still rather depend on defense in depth.


I don't have an answer for this question but just to play devil's advocate, is this universally true or just sometimes true for governments and certain corporations? For example, as a citizen, is my data really better off with an ally, who can use it to exploit me instantly and personally? E.g. searches for medical information increasing insurance costs.


As regular nobodies, our data is probably distributed in the hands of both allies and non-allies. As long as there's such a strong push, both commercially and institutionally, for tracking and data mining, our only recourse is going offline.

No one wants our specific dental bills, mortgages or tax returns, but governments and corporations love mass statistics.


As soon as you're a "problem", e.g. because of a large insured event or ownership of property that someone wants to buy below the market, you're on someone's radar. At that point you no longer get the "regular nobody" defense.


I don't think a nation-state threat is interested in your insurance prices, but regardless, what would an ally exploit that a non-ally wouldn't?


I would probably choose the opposite. My most likely state-actor adversary would be "my" government so I would prefer not to make it easier for them to spy on me.


At one time, Motorola, Ericsson and Nokia all made GSM/UMTS cellular infrastructure. Are any of them still? Other than Huawei, what other manufacturers are there?


Just cross off Motorola from your list, and there's all of your 5G options as a network provider.


After NATO would be gone, they will be allies no longer


Even if that is ever the case, US interests will still be way more aligned with Finland and Sweden than China.


How so?

For one thing, Swedes are less and less excited by the stream of Middle Eastern migrants caused by American adventures there.



That's the point of the EU - defend interests of the union of relatively small countries against giants like China. NATO is only suited for military action, and who knows how long it's going to last anyway.

Also, probably the point of whatever the fuck Russia is doing with the EAEU (really should've picked a better name if they want it to stick).


Fascinating


The answer is simple: do not buy foreign made network technology. That is difficult but the intra European market (if there is trust there) should be big enough for e.g. Ericsson to keep up their Network tech group


Definitely the Chinese, simply because their foreign policy is much less violent than that of the US, and they don't try to forcefully export their political and economic system to other countries.


Because the fact that China has not engaged in non-local applications of violence, they must be better than the US? That seems to be an amazingly narrow standard, because by that measure any country which carries out atrocities on its own population is 'better' than the US. I understand, even if I may not agree, some individual's dislike of American foreign policy, but to equate America's actions in the last 20 years at a global level with a nation-state which is (according to press reports) imprisoning and potentially torturing and killing those of its own population who meet certain ethnic and demographic criteria seems absent any amount of perspective.


> Because the fact that China has not engaged in non-local applications of violence

Yet.

The PRC has been internationally relevant for a few decades. The US has been internationally relevant practically since its founding.

And for whatever reason, people don't think the PRC has continuity with pre-Mao China -- which has been internationally relevant since long before the US existed, and which doesn't have a very nice track record.


In this regard, this submission could be interesting:

Who Was Sun Tzu’s Napoleon? https://news.ycombinator.com/item?id=22296312

>Millennia later, during the Second World War, Mao Zedong seized on this historical vignette to announce that the Chinese Communist forces would not abide by any political, military, or moral limitations in its fight against the Japanese, stating: “We are not Duke Xiang of Song and have no use for his asinine ethics.”


Belt and Road Initiative


Opium wars


Not the US


But close:

>Opium profits funded many leading Boston institutions. Thomas Perkins and a brother helped found Massachusetts General Hospital, left, and Perkins donated one of his homes for a new school that ...

https://www.wbur.org/commonhealth/2017/07/31/opium-boston-hi...


A choice between two evils... Hmmmm..


The US, I suppose.... The thing with back doors is that others might also find them so it is quite unsafe in any case. Also, the future is unpredictable so who says the US is going to continue to be more-or-less an ally and China is going to continue to not be one?


> so who says the US is going to continue to be more-or-less an ally and China is going to continue to not be one?

Geopolitics is much less unpredictable than "the future." Even the current administration is not so short-sighted to alienate the US to the point of having no powerful allies. If Europe is not considered an ally (it is, not "more or less," it 100% is), where would the US turn? Even if you take a scenario where Trump and Russia are allies, and the US positions itself closer to Russia, Russia's allies are anathema to US interests and ideals, and will be for the foreseeable future.

I just can't see any reality outside of borderline sci-fi where the US is not a close ally to just about every Western European country.


One could ask why the US and European countries are allies. I think it is because both are technologically advanced, both are rich, both are societies with human rights, both are democratic. (Relatively speaking, at least.) These things can change. Now that I name four factors it may sound like a lot would need to change. But the first two as well as the second two are closely related. And at some point the former two are also related to the latter two. If China wants to keep developing it will at some point need to improve its human rights situation as well.


I think the answer would be none or both.


Answer from one European individual - USA of course. It doesn't even require a split second of consideration for me.

The major and decisive difference between USA and China is not what they have done, are doing or might do. It is simply that the USA is a democracy and China is not.

In the USA, most of the people in positions of power /have to leave that position/ and /can't do whatever they want/ even when they have it.

That fact alone makes all the difference and is so substantial that it in my mind totally invalidates any whataboutism in this question and any other comparison between the USA and any dictatorship.

Even if a democracy happens to do more evil things in a period of time than a dictatorship, they are the better choice simply because they are a democracy and thus enable the people to both protest and also actually end the evil, through the legal system in the nation. (This does not mean that evil actions are OK when democracies are guilty of them of course, I'm not saying that.)

If and when the day comes that China has had at least two transfers of power to new leaders as a result of internationally observed and validated democratic elections by the people of China, then it would be something to think about. But not as of now.

Based on the premise that I have to choose a spying nation, of course, which I'd rather not do in real life! :)


How about a more realistic scenario instead.

As an American, I choose European / EU 5G equipment in all scenarios over Chinese 5G equipment. I don't care what the cost is.

Europe, broadly (other than Russia primarily), is aligned with the US in all the ways that matter and will continue to be. China is not in almost any regard. The sole things the US and China have in common is trade and that the next century will be defined by persistent US-China superpower tension all around the world and in most all respects.


For most Americans "I don't care what the cost is" immediately makes it an unrealistic scenario. And if history is any indication, for the vast majority of Americans choosing a privacy-focused solution is usually an accident. Price is the determining factor almost always.


The US probably does want to reveal the backdoor because it's likely they are exploiting it themselves.

If they reveal the backdoor and Huawei closes or replaces it, they'll be locked out


Original source.

Will somebody with access to WSJ please corroborate this quote in OP which is attributed to WSJ?

> Telecom-equipment makers who sell products to carriers "are required by law to build into their hardware ways for authorities to access the networks for lawful purposes," but they "are also required to build equipment in such a way that the manufacturer can't get access without the consent of the network operator," the Journal wrote.


1 thought for all MNOs and their vulnerability management programs:

Most of your infrastructure has multiple interfaces: Bearer, OAM, Backup, etc.

If your vulnerability scanning program only scans Bearer interfaces, you are fucking up. You can spin up vulnerable services on only one interface. If you don't scan ALL interfaces, you don't know all your entry points.

If you work for an MNO and are reading this, you should take action after reading this content.
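
The coverage gap described in the comment above can be checked mechanically. This is an added example, not part of the original comment: it compares a constructed inventory of multi-homed elements with a constructed scanner scope and result set, and all host names, addresses, ports and function names are hypothetical.

```python
"""Scan-coverage check for multi-homed network elements (all data constructed)."""
import ipaddress

# Constructed inventory: element -> {interface role: address}. Names are hypothetical.
INVENTORY = {
    "enb-001": {"bearer": "10.10.1.5", "oam": "172.16.8.5", "backup": "192.168.50.5"},
    "mme-01": {"bearer": "10.10.2.9", "oam": "172.16.8.9"},
    "sgw-01": {"bearer": "10.10.3.20", "oam": "172.16.9.20", "backup": "192.168.50.20"},
}

# Constructed scanner target ranges: the bearer range plus one OAM subnet.
SCAN_SCOPE = ["10.10.0.0/16", "172.16.8.0/24"]

# Constructed scan output: address -> open ports (transport protocol omitted).
SCAN_RESULTS = {
    "10.10.1.5": {443},
    "172.16.8.5": {22, 8080},
    "10.10.2.9": {443},
    "172.16.8.9": {22},
    "10.10.3.20": {443},
}


def unscanned_interfaces(inventory, scope):
    """Return (host, role, address) for every interface outside the scan scope."""
    nets = [ipaddress.ip_network(cidr) for cidr in scope]
    gaps = []
    for host, ifaces in sorted(inventory.items()):
        for role, addr in sorted(ifaces.items()):
            ip = ipaddress.ip_address(addr)
            if not any(ip in net for net in nets):
                gaps.append((host, role, addr))
    return gaps


def role_only_services(inventory, results, baseline_role="bearer"):
    """Return ports open on another interface but absent from the baseline one.

    These are the services a baseline-only scan would never report.
    """
    findings = []
    for host, ifaces in sorted(inventory.items()):
        base_ports = results.get(ifaces.get(baseline_role), set())
        for role, addr in sorted(ifaces.items()):
            if role == baseline_role or addr not in results:
                continue  # skip the baseline itself and interfaces never scanned
            extra = sorted(results[addr] - base_ports)
            if extra:
                findings.append((host, role, addr, extra))
    return findings


if __name__ == "__main__":
    for host, role, addr in unscanned_interfaces(INVENTORY, SCAN_SCOPE):
        print(f"NOT SCANNED  {host:8} {role:7} {addr}")
    for host, role, addr, ports in role_only_services(INVENTORY, SCAN_RESULTS):
        print(f"{role.upper()}-ONLY   {host:8} {addr} ports={ports}")
```
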


Proof or GTFO


Let's see that proof. Then we can talk.


If the US (a taxpayer-funded operation) has proof it should simply share it, not posture about it.


People will still continue to use Huawei gear unless tangible evidence is presented. The US government has been caught far too many times with its pants down to be trusted.


End to end encryption would be a good fix. Oh wait...


It Would Be Nice(tm) if SS7 was removed from the PSTN... Who needs backdoors into networks when SS7 peers are trusted implicitly.


From yesterday:

How the CIA used Crypto AG encryption devices to spy on countries for decades

https://news.ycombinator.com/item?id=22297963


Wasn’t that Apple “goto fail;” technically a zero-day back door as well?

You had to initiate some specific knock sequence to trigger it.

Did they find something like this in their source code?


I like to post this whenever Huawei backdoor gets mentioned.

RDG is the author of masscan

https://blog.erratasec.com/2014/03/we-may-have-witnessed-nsa...

tl;dr they watched someone log in with a Huawei tech support account from mainland China.


Reminder: US intelligence lies. They are not unique in this but it's worth repeating.

They might be right about Huawei or they might not, either way saying "we totally have proof!" without providing proof is effectively meaningless.


If they had proof they would have showed it already. Nothing would help their rhetoric more than cold hard facts.

If they haven't done it, it means: a) there isn't any backdoor, or b) exposing their backdoors would expose their own backdoors.

I'm betting on b.


Alternatives:

- Revealing how the backdoor works would show methods the US agencies are also using.

- There are multiple backdoors, or there might be, and they don't want to tip their hand.


c. They have sources saying as such but have not discovered the backdoor itself.

d. Admitting how they found the backdoor would reveal other issues (a source in the pipeline, or their own backdoor in something Huawei made use of).

And probably e-z too.


Yeah exactly - providing proof publicly could in fact burn the sources/methods used to get that proof.


[flagged]


I wouldn't say your 'e' is at tin-foil hat level. But your assertion that since Trump is president any attempt to establish that Huawei is flawed from a security perspective is some 'corrupt' plot by Trump to benefit him financially is pure political imagination. Go ahead and take issues with Trump, his policies, his words, his actions, I don't care, but please do not pretend like just because Trump is president that magically the PRC and companies which are essentially controlled by its government are some kind of benign actors. Trump has taken a hard line against anything China since he ran in 2015, his anti-Huawei is very much in line with that stance. Also, Trump was pretty clear he wanted an American first economic policy, which makes it obvious he would be anti-expansion of any Chinese technological products.

TL;DR Trump being president has not a thing to do with whether or not Huawei and the PRC are attempting to infiltrate the network and data infrastructure of the world at large.


Considering their history of outright lies I'm betting on a).


"If they had proof they would have showed it already. "

A) They did show 'proof' ostensibly, to the specific agencies of interest i.e. UK/Germany.

B) Your 'a' and 'b' are missing the most important point, in that the revelation of their knowledge may compromise some ongoing intelligence program. The information may very well have been provided by spies who'd be put at risk.

Literally yesterday WaPo published a story on the most comprehensive US intelligence program ever and it quite nicely illustrated the challenges of how to reveal how much you know, and the consequences therein.

This is not 'open source land' where we like complete transparency, it's a different game.

C) There's also another issue, and that this may not be 'black and white'. For example, the ostensible 'back door' may not be clear cut: it may be that it doesn't yet exist, but there are elements in the design prepared for backdoors to be very easily added at a later date.


When was this? Just because in around Nov 2019 a GCHQ spokesman said Chinese backdoors went an issue with UK's dependency on Huawei for 5G (but other risks, network shutdown in times of conflict might be present).

Could you (or anyone) link a source where the NSA, or other USA agencies discuss this with technical detail?


" saying "we totally have proof!" without providing proof is effectively meaningless."

They've provided ostensible 'proof' to the authorities in Germany and the UK who are the entities they are trying to convince of the issue, which is reasonable.

We'll have to wait to see how the Europeans respond.


The British response has been to still go ahead with using Huawei for potentially over 30% of their non-core infrastructure.

In any case, my point is not that they aren't plausible reasons why they might not make any proof public. My point is that they aren't above using those plausible reasons to propagate disinformation. So their statements are meaningless to us (the public) because it's impossible to discern truth from lies without further information.


"that they aren't plausible reasons why they might not make any proof public."

This might be wrong in a couple of ways.

First - without knowing any details, there certainly are many good reasons why the information might not be made public, most obviously because it would possibly compromise their methods of acquiring such information. There's a 100% chance that any information they divulged will be acrimoniously parsed by the Chinese to determine the means by which the US obtained the information. The information will likely betray how the Americans are thinking about the problem as well. (Reference yesterday's WaPo article on US/Germany surveillance program and how it was compromised).

Second - there's very limited upside in making the information public, and many downsides. The US, UK, and German agencies don't care about you, or I or any other privacy advocate, or really the knowledge that might arise from a number of public voices piping in. This isn't like open-source SSL software, where it makes sense from a security perspective to be open about it.

Also, I'm doubtful if the 'evidence' the US presented is purely technical in nature. My guess is that this is not a situation of "hey, look at this source code, on line 501, there you go, back door!", it's probably much more complicated. If you read the article, you'll indicate that the US has evidence that China is using its gear to surveil state actors, etc..

Revealing the 'evidence' almost surely involves sensitive information regarding state officials from other countries, insight into US spy programs etc..

If the US is legitimately trying to convince UK/Germany that Huawei gear is a legit threat, then providing them with the necessary information in confidence is obviously the rational thing to do.


As far as I know Germany also did not exclude Huawei from 5G projects in general. Maybe they have a really good understanding where and where not working with Huawei poses a serious risk, maybe the provided evidence was not convincing, maybe they just don't care.


> The British response has been to still go ahead with using Huawei for potentially over 30% of their non-core infrastructure.

The British badly need to negotiate post-Brexit trade deals with all major powers. Pissing off the CCP before the negotiations won’t help the UK’s plans.


Nor will pissing off USA, which presumably is why they timed the issue carefully when any failure in trade will make the biggest mark on the public view of post-Brexit trade potential.

Like 'you know how your mobile phone system works quite well, let us help ruin that for you by messing with it politically', great.


UK has problem of ex-parliament being on board of UK division of Huawei. Doubt they'd shoot themselves in the foot and would probably do much in their power to prevent deals not going through.


Who in particular?


Shouldn't moments like this be death blows?

I had totally thought after Apple and Microsoft were caught working on PRISM Americans and corporations would be doing drastic steps to avoid their communication being intercepted.

But for some reason that never happened.


My guess is the proof the Germans were shown was a plan to tax their cars at 40%.


This isn't necessarily about access to the calls themselves. It could be about being able to retrieve network configuration information, call history, maintenance logs, and being able to alter the configuration of the network. The article isn't specific enough.

In other words, do they just want to intercept calls, or steal customer information, or crash the network?


Says the new account with a bunch of digits in the name.


Assume good faith


I'm usually impressed with HN comments, but this thread is currently dominated by unsubstantiated conspiratorial mongering against American institutions.


They started it! Perhaps if they presented some substance people would have more to go on. Do you think anything about USA appears trustable at the moment to those outside?


The problem is of those institutions' own making. Many Americans lost their lives hunting for Saddam’s WMDs - something that was fabricated by said institutions.

“Trust us” is no longer something we can blindly accept.


To be clear, I was not commenting on skepticism, but on making accusations of lying without evidence.



