[yitosda]

> Huawei has completely opened its source code and hardware to several governments, including UK, Canada and Germany, for security testing. Their findings are much more informative and objective.

What does this even mean? If I give a batch of governments some of my super secret text files and pinky promise that's what's in the hardware I'm giving them, they should believe me?

The US can be trusted to advance its own interests. So can China. Everyone else had best evaluate their threat vectors and find out where their interests conflict with bigger and stronger interests.

Your comment history might have predicted that you'd comment on this topic. You don't have many other interests.

[StudentStuff]

To add to this, what is described is called Shared Source, not Open Source or Libre Software. Microsoft does shared source with numerous governments and universities, but your placing complete trust in the vendor that the code they show you is what is in their distributed binaries, esp. with how many compilers output different binaries when recompiled with the same code.

The only way to even start considering any of the current telecom vendors (including Huawei, NSN, etc) as not malicious is to have them offer their code under a libre license that bars tivoization, otherwise there is no guarantee that you can load the firmware they gave you the source to onto the LTE base stations sold your company.

[majia]

The testing centers have more sophisticated methods to address your concern. They procure Huawei equipment from various vendors and check if they have the same hardware and software. In fact, the recent report from UK did find minor shortcomings related to binary mismatch in huawei products.

My point is not testing centers can provide 100% guarantee; such guarantee does not exist in the security field. However, shared hardware and rigorous testing provide far better security than blind trust and paranoia.

Also, what's wrong with being interested in sino-US technological relationship?

[yitosda]

I'd be interested in further details about the testing. If any manufacturer actively wants to backdoor their hardware I'm skeptical that anything but an extremely expensive teardown of an infected device would find it.

It is simply incorrect to imply that reading vendor provided source can usefully decrease the possibility of a targeted attack. Comparing (hardware provided?) software checksums is not a real improvement. Juxtaposed with your "interest" in the topic, such an argument naturally arouses suspicion (sorry).

There is obviously nothing "wrong" with being interested in this fascinating clash of powerful interests, the amount of interest each discussion gets shows you are not alone.

So I'm not just hammering at what you've said, I'll make my own statement: There's absolutely nothing you can do to defend against a motivated attacker providing you with complex computer hardware (let's say anything that has software/firmware). Corollary: It's a fool's game to use hardware from those whose interests conflict with your own.

China and the US have a massive conflict of their interests. Each should not use hardware provided by the other. The risk for each is real and unavoidable.

[majia]

Hardware testing is much more than firmware checksum comparison. Once you have the blueprint, you can physically compare it against samples using various methods such as x-ray, acoustic and electric profiling to detect any differences. Furthermore, hardware is generally retained for a long time and can be checked with future anti-tampering technologies.

These measures does not offer perfect security. It simply makes the cost of hacking and chance of being caught very high, even for state actors. We could achieve fairly strong security at an affordable cost for most civilian uses. At least, tested Huawei hardware may be a good alternative to untested hardware from another vendor (which is probably manufactured in China too) at an inflated price.

Of course, if you are still concerned, why not take a course on microprocessor and build your own CPU? ;)

[yitosda]

It looks like you're moving the verification goalposts away from what is actually running on the hardware and simultaneously walking this back from government to civilian uses. These are completely different discussions (though I might add that governments rely heavily on the private sector, so some pressure there is expected).

Another completely different line of discussion is whether I personally am concerned at all (I'm not), and what I should do about it (nothing, but governments certainly should build their own CPU).

> We could achieve fairly strong security at an affordable cost

No. We cannot achieve strong security in a device that comes with software. You also cannot (at the time of this writing) prove that the actual hardware you personally are running is trustworthy without spending enough that the "affordable cost" becomes a moot point.

A wide swath of civilian uses can probably come out on top of the cost/benefit analysis just because their interests don't get in the way of governmental conflicts (or they can make enough money in the meantime). It's only from the perspective of a government that this conversation makes any sense at all.

[mensetmanusman]

There are many academiclly verified attack vectors that can not be verified to exist with any known external test even if one had the layout of the billions of transistors. Bit flips through sequential activation of memory addresses for example.