black box, suckers (Score:5, Insightful)
imagine not using an open source cryptography system
Re: black box, suckers (Score:5, Insightful)
Brings new light on the Huawei situation too... You can't trust a black box commercial system for anything important. The US suspects China of using Huawei for spying because it's exactly the thing they have done themselves. Only the CIA were smart enough to infiltrate supposedly neutral third parties.
Either you develop a system in house from scratch using appropriately vetted and qualified personnel, or you take an open source system and ensure it gets thoroughly reviewed in house by appropriately vetted and qualified personnel.
The open source approach is a lot less work, especially if several rival countries are doing the same thing. A system approved for use by one country could well have backdoors implanted by that country, but a system approved for use by the USA/Russia/China/Iran is far less likely to have any backdoors.
Re: black box, suckers (Score:4, Interesting)
You can't trust a black box commercial system for anything important
Note that this is something we've known for a long time, at least as long as I've known about cryptography, and yet somehow people keep making the same mistake.
Re: black box, suckers (Score:4, Insightful)
Yes, because the people making the purchasing decisions don't understand these things, and/or are unduly influenced by a vendor trying to sell them something.
Re: black box, suckers (Score:4, Informative)
You can't trust a black box commercial system
Huawei provided source code to at least several governments.
Re: (Score:2)
but it's doubtful the source they are giving for inspection is the source they are running....
Re: black box, suckers (Score:4, Informative)
It's not. They actually use reproducible builds so that they can certify correspondence between source and binary. Huawei engineers did a nice presentation about that back when China was still a friend and people could move between countries.
Re: black box, suckers (Score:4, Insightful)
Which is the whole point of China. I think people don't get this. When it comes to international markets, capitalist values trump all for China. This is because China realizes economic dependency by a foreign nation means security from that nation being too absurd which includes any type of physical conflict, political pressure, etc. This is generally referred to as Chinese "soft power". Once China controls a large portion of your supply chain, they can use economic pressure against you to obtain its objectives. By providing source code and insight into the ease of building the software, they want everyone to consume their hardware and in turn that dependency which is the real power. There is no need to listen in on the line when they can cripple your ability to maintain your infrastructure... this kind of "small fry" mentality is exactly why America is falling behind and China maintains a steadfast path towards achieving its objectives.
Likewise there is a very big difference between the internal objectives of the Chinese state and the outward objectives. The nature of these objectives seems to at least go back to Mao's awareness that true communism cannot exist instantaneously within global capitalism. China thus uses this rather sound strategy to build its economic dominance while raising the quality of life for the Chinese people. Likewise the degree China would use its "soft power" for "nation building" outside China is an open question. It's clear this can be used to pressure against support for certain things (e.g. three Ts) and that it considers all Chinese dissidents effectively still Chinese citizens but it still seems unclear how much it would affect the average American's lifestyle. The assumption here is the power that China is gaining will corrupt, as the idiom goes.
Either way, westerners seem to often fail to understand the real nature of Chinese global economics and in an attempt to undermine their growth often seek what is little more than baseless slander to turn markets away from their goods...
Re: (Score:3, Insightful)
Avoiding becoming dependent on foreign goods is a perfectly sensible strategy precisely because of the reasons you've highlighted. Even in the absence of backdoors (and indeed there is no evidence of backdoors in Huawei equipment), you don't want to become dependent on a single supplier as that might allow that supplier and/or the country they are based in to have unwanted leverage over you.
Re: (Score:2)
Except the numerous occasions when Huawei stole Cisco source code? It's difficult to have confidence in the safety or reliability of source code you didn't write and dare not expose publicly. Examples include:
> https://www.wsj.com/articles/S... [wsj.com]
Re: (Score:1)
You surely mean "example". There aren't multiple examples of Huawei stealing Cisco's source code. All reports are from an incident close to 2 decades ago.
Re: (Score:2)
How is this an exception to what I said?
Re: black box, suckers (Score:4, Interesting)
The Chinese literally can't do anything right in your eyes, can they? No matter what it is you will find some way to twist it into an evil conspiracy to dominate the world.
This is just normal capitalism. Apple isn't run by Pinky & The Brain, they are not trying to take over the world by making everyone dependent on an iPhone. They are trying to make as much money as possible. Occasionally that even results in good behaviour, like their focus on privacy.
As for interdependence, it's worked out great in Europe. What finally stopped centuries of wars was the EU, an economic union that makes armed conflict impossible. It goes both ways too, China's economy is dependent on us.
Re: (Score:2)
I didn't say China was doing anything wrong or that it was an evil conspiracy. In fact I agree with you, this is just normal capitalism.
Likewise I agree about the interdependency between China and the US economy and in general it can improve value in supply chains. Tesla is clearly looking to utilize it. Apple utilizes it. Many think China will be replaced by other markets like Vietnam in a race to the bottom but I think this underplays again the first point, China shows wisdom at the long term aspects of g
Re: (Score:1)
As long as it's a dictatorship controlled by the CCP, I tend to agree with him.
In democracies you don't have a ruling party which can order any corporation to do its bidding.
What I wonder about is why people choose to forget, that it's a communist country? That's kinda important.
Re: (Score:1)
Well, you may have inadvertently made an argument against globalization when it involves very disparate political systems, i.e. only democratic capitalist societies can join.. :)
Check out what's going on between Australia and China; it fully supports your comment.
Re: (Score:3)
When it comes to international markets, capitalists values trump all for China.
When it comes to China, authoritarianism trumps all. Their economic policies are predictable; everyone makes deals they think will benefit them the most. As long as the world fails to hold them to account, they will continue to get away with whatever they can, just like everyone else. The fundamental problem is that human greed leads others to enable them so that they can get a piece of that sweet slave labor profit.
Re: (Score:2)
Sorry, typical American idiot.
"China" simply wants to be left alone, that is all.
But you push them into a corner they don't want to be in and don't belong in. Obviously they push back.
No idea where this China hatred is coming from in the recent 10 years. Why can you not let them find their own way?
During the end of the Cold War, West Germany approached East Germany via negotiators, and the whole of Germany approached Russia via negotiators.
It worked. Why the funk you want to make a country, you cannot compete with anyway, your en
Re: (Score:2)
I don't hate China. I actually love and hope to spend the rest of my life in China.
I don't really have a response to the rest of your comment.
Re: (Score:1)
My understanding is that whereas Huawei have indeed shared source code with various governments and customers, they've been having trouble with the reproducibility of their builds, such that it was difficult for the reviewers of the provided source code to determine whether the binaries had indeed been built from that source code (and from nothing else besides).
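The check the two comments above turn on is whether a reviewer holding published source and a shipped binary can rebuild the source and get a bit-identical result; if the build embeds anything beyond the source (timestamps, directory order), the digests differ and the correspondence cannot be certified. The following is an added example, not the thread's or any vendor's tooling: the "source tree" is a constructed dict and the "build" is a gzipped tar of it, standing in for a firmware image. The `build`, `digest` and `verify_artifact` names are assumptions for illustration. It shows the naive build failing the check and the normalized build (pinned mtime as with SOURCE_DATE_EPOCH, sorted entries, zeroed gzip header) passing it, and that any source change is caught.

```python
"""Reproducible-build correspondence check (constructed example).

A reviewer with source + vendor artifact can only certify that the artifact was
built from that source if an independent rebuild is bit-identical. The build
here is a .tar.gz of the sources, used as a stand-in for a real firmware image.
"""
import gzip
import hashlib
import io
import tarfile
import time

# Constructed source tree (filename -> contents); in practice a git checkout.
SOURCE_TREE = {
    "src/main.c": b"int main(void){return 0;}\n",
    "src/crypto.c": b"/* cipher core */\n",
    "Makefile": b"all:\n\tcc src/*.c -o fw\n",
}


def build(tree, deterministic, now=None):
    """Package `tree` into a gzipped tar.

    deterministic=False mimics a naive build: file mtimes and the gzip header
    carry the wall-clock time, so two builds of identical source differ.
    deterministic=True pins mtime to 0 (the SOURCE_DATE_EPOCH idea), sorts the
    entries and zeroes the gzip timestamp, so the output depends only on input.
    """
    now = time.time() if now is None else now
    raw = io.BytesIO()
    names = sorted(tree) if deterministic else list(tree)
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name in names:
            data = tree[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0 if deterministic else int(now)
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb",
                       mtime=0 if deterministic else now) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def digest(blob):
    """SHA-256 hex digest of an artifact."""
    return hashlib.sha256(blob).hexdigest()


def verify_artifact(vendor_artifact, tree):
    """Rebuild deterministically from the published source and compare.

    Equal digests mean the vendor artifact corresponds to this source and
    nothing else; a mismatch means either the source differs or the build is
    not reproducible, and in both cases the reviewer cannot certify it.
    """
    return digest(vendor_artifact) == digest(build(tree, deterministic=True))


if __name__ == "__main__":
    # Two naive builds at different times: same source, different artifact.
    a = build(SOURCE_TREE, deterministic=False, now=1_600_000_000)
    b = build(SOURCE_TREE, deterministic=False, now=1_600_000_060)
    print("naive builds match:", digest(a) == digest(b))          # False
    # Deterministic build: reviewer's rebuild matches the shipped artifact.
    shipped = build(SOURCE_TREE, deterministic=True)
    print("deterministic verify:", verify_artifact(shipped, SOURCE_TREE))  # True
    # A one-line change in the shipped source is caught by the same check.
    altered = dict(SOURCE_TREE)
    altered["src/crypto.c"] = b"/* cipher core */\n/* one extra line */\n"
    print("altered verify:", verify_artifact(build(altered, True), SOURCE_TREE))  # False
```

The point for a reviewer is the last case: without a deterministic build the naive mismatch and the altered-source mismatch are indistinguishable, which is exactly the position the comment above describes.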
Re: (Score:1, Flamebait)
I'm sorry but unless you are able to hire your own coding team to vet the open source system your thinking is flawed, because it makes several assumptions that you have no proof of being true. You are assuming 1.- There are no bad actors in the entire FOSS ecosystem you are looking at, 2.- Every package is being constantly vetted, 3.- Those vetting it are qualified enough in information security to spot obfuscated malware, possibly written by professional state actors, and 4.- That there are no pieces of th
Re: black box, suckers (Score:4, Interesting)
Hence the qualifying statement "appropriately vetted and qualified personnel".
Governments most definitely are able to hire such coding teams, and the cost isn't going to be prohibitive for critical systems, especially if you're sensible and keep the systems as small as possible.
The only alternative to auditing existing code yourself, is writing new code from scratch which is likely to be even more time consuming.
Your examples show malware that was detected, the mere fact that these things were detected quickly shows that processes are working. I'm far more concerned about compromises or malware that hasn't been detected.
Also while source being available doesn't mean that someone has looked at it, it only means that someone could have. The alternative with closed source is worse, you know that no independent security researchers have looked at it. Any researchers who have looked at it (if any) are likely under NDA, and the source could have been acquired via nefarious means and distributed to blackhat groups.
So it's in a better position, not perfect but still better. Unless you can find a better alternative, we have to take what's available.
Re: (Score:1, Flamebait)
So in other words "Unless you are the head of a country which has the unlimited resources to vet these millions of lines of code the FOSS hypothesis is based on bullshit" because again you show NO EVIDENCE to back up your assumption that every bit of code in the ecosystem you are looking at has been properly vetted.
So unless you can provide actual evidence that every.single.piece. in that distro or large piece of software has been properly vetted? You don't have any more of a clue whether it's been compromise
Re: black box, suckers (Score:4, Informative)
So in other words "Unless you are the head of a country which has the unlimited resources to vet these millions of lines of code the FOSS hypothesis is based on bullshit" because again you show NO EVIDENCE to back up your assumption that every bit of code in the ecosystem you are looking at has been properly vetted.
Oh shit, shut the fuck up immediately. The value proposition of FOSS has never been "that every bit of code in the ecosystem you are looking at has been properly vetted" and by moving the goalposts there you are being a disingenuous douchebag.
The idea is that many eyes have more chances to catch bugs than proprietary software, where the code is often looked at by only a couple people, and more importantly can only be looked at by a couple people. The proposition of FOSS is that if you want and/or can afford to, you can fix the problems with it yourself. If it is critical to your business then you can hire some talent to do the work, even if you don't have the skills yourself.
We know there are long-lasting holes in FOSS because we find them. But closed-source software is a black box. We can poke at it with tools designed to analyze binaries, but we can't do the same kind of analysis which would be possible with the sources. It's safest to assume that it has the same kinds of holes in it, but nobody finds and fixes them because it is not of commercial relevance. They're on to the new thing. But the people who do know how to analyze binaries for security faults are still doing their thing, and still finding security holes in that software through all the usual means like fuzzing, injection, etc.
In short, we know that the FOSS model pays dividends specifically because we see its failures, and see them corrected. And we have reason to believe that it produces better results because of what we know of the closed source development process, which is not fundamentally different except that fewer people have eyes on the code. And also in short, you are grossly mischaracterizing the argument to make yourself sound more intelligent than you really are.
Re: (Score:2)
Where did I claim that "every bit of code in the ecosystem you are looking at has been properly vetted"?
I claimed that source code being available gives you the opportunity to audit the code if you have the motivation and resources to do so. This is an undeniable fact, and relevant to this article. Did the crypto companies provide customers with the source code to their backdoored products?
I even advocated that governments should perform their own reviews of the code irrespective of what existing checks ha
Re: (Score:2)
I don't think you ever worked for government funded projects. They are ALWAYS under-budgeted, over-budget and cut costs everywhere possible. I'm involved with dozens of government projects today, Windows XP, Windows 7, is the order of the day. A few weeks ago I had to rescue a floppy drive that still gets used daily (so it wore out). Today, I had a heated argument with one pointy haired team lead who blamed me for Adobe Creative Suite no longer activating, they literally did not budget in the last 10 years