> The president signed an executive order effectively barring US companies from using foreign telecoms believed to pose a security risk to the country.
So let's just back up a little: A Chinese equipment manufacturer left a telnet daemon running on a single version of a single device and a national emergency is declared, Cisco leaves SSH credentials (public and private keys leaked) hard coded into multiple generations of routers over several years and not a peep..?
When is the US going to tell us what these Chinese manufacturers are up to? Heck when are they going to tell the UK's own security services? Just telling us why we should be concerned seems far more productive and effective than their current strategy that is marred by accusations of protectionism.
I'm not even saying the US are wrong. I am saying the lack of specific technical information undercuts their whole position.
I've repeatedly seen a lack of interest in geopolitical issues on HN. This whole thing is akin to "Should the US be reliant on a hardware manufacturer that can be considered a non-independent subsidiary of the Chinese government?" Replace Chinese with Russian, Iranian, North Korean, Saudi Arabian, etc. These are all countries, like China, that would love to have that kind of potential leverage and power over US infrastructure and political processes because of the benefits these would bestow.
I've said in a recent comment: It doesn't matter if Huawei is entirely innocent right now. China is a major competitor to the US as a global power - militarily, politically, economically. If people think they wouldn't at some point in the future use Huawei's ties deep into cellular infrastructure to serve China's needs, they're incredibly naive.
Hell, none of this is unprecedented. The whole debacle with all the ties between Republican representatives or people in Trump's campaign and Russia alone should give pause. Or Russia's meddling in the US election. Or Russia's meddling in Eastern Europe (Ukraine wishes somebody would give a geopolitical shit right now). And somehow Huawei, and by extension China, are supposed to be impartial and innocent and not a potential threat? Really?
If the U.S. were serious about any of this they'd be funding initiatives for open, verified hardware and software. Other than INRIA, the French research group, and CSIRO, from where seL4 comes, where else is this work being done?
I don't just mean theoretical work. I mean production ready stuff that is useable, like most commercialized solutions are, but also actually secure. Doing both is difficult. seL4 is useable and in fact is being tested in U.S. drones. Why didn't the NSA do something like seL4? Instead we get SELinux which isn't even secure--anything running on Linux is as a practical matter exploitable on the first day it ships.
Our communications and control systems are so fundamentally insecure it hardly matters whether it's sourced from Huawei or not--it's six of one or a half-dozen of the other, except one of those cartons is at least substantially cheaper than the other.
The fact of the matter is that the commercial industry will never develop and deliver secure products on their own. They've never done this well, and are probably fundamentally incapable of doing so because most of the benefits of a secure product inure to the public generally. Commercial vendors can't capture the value provided by secure solutions. It's up to the public--government, academia, open source community, etc--to invest in and develop the fundamental building blocks of secure systems.
Importantly, the entire stack doesn't need to be secure. We can write secure networked systems for the Internet because we presume the network is hostile. There's no reason that cellular radios should be a trusted component of a wireless cellular network. They are because (1) it's just cheaper to do it that way (see above) and (2) the U.S. government spent decades sabotaging cryptography generally and cellular standards specifically, which means even 5G standards are fundamentally broken from a design perspective.
So the whole Huawei controversy deserves a giant eye roll. All of the arguments about why Huawei can't be trusted are irrelevant. Huawei shouldn't be trusted, but neither should Qualcomm or any of these other vendors. Rather, we should set transparency standards and verify that they're being met. But doing so requires a ridiculous amount of work up and down the software and hardware stack, starting from the design stage; work that the U.S. government isn't actually doing but, in fact, still sabotaging!
The US government has been murmuring about security risks of Huawei gear for years now, mostly without citing any particular technical threats. The report of the open telnet server was the first thing a lot of us have seen which gives technical substance to those complaints, but it almost certainly didn't motivate the policy response -- which was, in any case, a continuation of pressure tactics that were already underway, domestically and overseas. For example, Michael Hayden, former head of the CIA and NSA, was publicly calling them a security risk as far back as 2013.
The title (written by the BBC) seems to be ambiguous. This is not about hardening US computer systems, this is about banning US companies from using Huawei 5G technology. The United States has been lobbying other countries to not use Chinese 5G technology for a while now, while it doesn't seem like there are currently any viable alternatives. This makes it a nation-wide ban.
Huawei has set a historical precedent of being a bad actor in regards to corporate espionage. How outlandish is it to think that they would also be participating in national espionage for the Chinese government?
I remember watching a video about how old/antiquated the technology used by the IRS is (i.e. a behemoth computer system built in the 60's)... Our government's IT infrastructure needs a massive overhaul.
Just to be clear, since the article isn't: the EO does not ban products from all foreign companies, only foreign companies who "poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States" (Direct quote from EO).
So Ericsson, Nokia, Samsung, etc. will not be affected.
"The president signed an executive order effectively barring US companies from using foreign telecoms believed to pose a security risk to the country."
"Mr Trump does not name any company specifically in the order."
I'm guessing they are called emergencies as they wait for the threat to emerge. Which kinda seems at odds with my definition of emergencies - which would be a defined clear-cut issue that needs addressing.
All this effectively does is hurt and curtail legit business with fair and good foreign telecom providers who have now been bundled via red-tape into the same collection as those unnamed less fair and good foreign telecom providers.
Expect a fall-out of how this will hurt and impact legit businesses over the coming days and weeks. Let alone touch upon the possible impact upon Americans using their provider SIM and roaming abroad.