I've found many "weird" repos in github with full codebases that should be secret (like SDKs, linux device drivers, etc) that were posted by Chinese people. I never understood the reason. I wonder if it's related to this?
can't say. But from my personal experience working for NEV's and attending nearly every ETSI workshop on 5G, SDN and other Future-Network topics I dare to claim that the IP theft, at least as reported by the media isn't true and most certainly smells politically motivated. Let me explain: from the late 90ies to the mid 2000 there were several rounds of mergers, consolidations in Telco, Siemens-COM, Nokia, A/LU, Ericsson all consolidated by shutting down major R&D departments by moving to China. In some cases across cheaper EU countries e.g. Italy, Croatia, etc sites just disappeared without moving but simply the consolidation of the portfolio led to a lot of people losing their jobs (again Italy especially had a lot of people working for NEV's). Some employees left the country, others managed to find a similar job with operators (but only in areas of acceptance testing, O&M, etc but not actual R&D). When Huawei swooped in to the rescue at these sites they could simply employ these guys who did the same job for the other players (after all it's all the same tech thanks to ETSI/3GPP standards so skills+experience are highly portable). And when you ask somebody to work on a system who has actually built an almost identical thing for the competitor (again identical because of standards) you have a head start.
What I want to say is that this wasn't some cloak+dagger operation as the US media paints it. When I say US media one must also consider the amplification of these news from other FVEY members - especially Australia who were very vocal about Huawei being a security risk - all very heavily involved in amplifying this manufactured outrage.
Another reason why the IP-theft angle (as reported in the West) is true but still exaggerated is that from what I have seen at the standardization meetings (again since mid-2000 till today - which is when LTE/-a were conceived is that Huawei was unlike their Western competitors very aggressive in innovating. I can't say the same thing about the delegates from Ericsson, A/LU, Siemens, Nokia which sent (quite old) people that were promoted away internally to look after these bureaucratic process. Huawei outperformed all of them (especially in 4G, 5G, SDN and the Future-Netwerks/IGN even M2M/IoT topics). They invested incredible amounts of time and money in innovation (through the standards path) almost like a start-up, which can't be said for the others and set up bodies in China (CENELEC) to ensure being on par with ETSI regs.
What hurt the established (big) guys most is that they actually thought like a start-up. If you worked at Huawei as a junior in Italy and other sites, you were allowed to move across departments and fields getting a well rounded picture of how the telco-sector works. If you wanted to gain the same experience with the big guys you'd have to stay 15-20 years in the company as opposed to 3-5 with Huawei. This is why Huawei engineers are highly sought after by other telco firms.
Lastly Huawei has been always competing on price. I got downvoted for saying this before here because people only saw the price-tags of the latest UEs like the P-range etc, but this isn't what we're talking about when we speak about NEV's (and from a security pov the risk isn't so much in the handsets but the rest of the infrastructure that makes the lions share of the R&D work). Huawei kit was (and still is) the worst and most shoddy equipment you can get in terms of Interoparability. (IOT means "interoperability testing" in this context and the industry used to employ whole departments in this field of work). Despite the crap quality they could sell their wares very cheaply across Africa and emerging countries (often to questionable regimes, ... but so did all the others only that their prices eventually ended up being to high once Huawei entered that regional market). So if it wouldn't be Huawei selling custom-made Lawful-Intercept (LI) to these dictators it would still be the established players doing it ...
The only thing that has changed in this game is the perception of how China is viewed in the world. Trust is a fickle thing and once you start playing with protectionism and trade-war that trust is over and from a security POV you have no other choice than re-think your supply-chain. Also to be fair to the established NEVs: Huawei sold their kit across the globe and still operates R&D centers across Europe employing thousands, the established players entered China and moved a large amount of innovation into China, the playing field wasn't equal. Huawei could tap into the know-how overseas and back home, while the established players operating in China faced a lot of restrictions.
Damn this is getting long, last point: if you are able to undercut your competitor at a loss (because you're propped up by your own government) there is simply no way for the others to compete with you. This is the kicker IMO and not the topic of Huawei being a natsec threat (which only is a symptom once trust broke down).
EDIT: TL;DR I'm not saying they didn't steal things but the information is twisted the way it is reported. And if we speak about backdoors we'd have to equally speak about threat-models and here backdoors are only tangentially interesting since the vulns that stem from shoddy engineering (hello crappy ASN1 parsers) are much cheaper to harness than some hypothetical purpose-made backdoor that costs millions to implement and keep covered-up. (Occam's razor)
Use to work in this space more in the 2G-3G era and a bit of 4G in packet core networks.
Interesting space and would love to know about how I can keep up (will shoot you an email if you do not mind)
A few semi-random thoughts:
-Initially Huawei had that reputation of stealing back in the days when they were caught reverse engineering Cisco router OS code
-They are also known to throw tons of people to any network issue including bespoke on the spot fixes (which would be a nightmare for support engineers, imagine a worst case where every client is running a specific version of code from all the hot fixes and custom patchs)
-Growth in revenue has been unbelievable from the above. And yet their core equipment is banned in a few countries (US, Canada, Australia). A true Chinese success story.
Other thoughts:
-NEV is a tough space, margin rates are so low yet your hip phone manufacturers are making bank $
-The patent wars are very real with a number of companies that are not not equipment makers (e.g. interdigital) that just collect royalties
please do, always happy to get mail from fellow HN'ers
> Initially Huawei had that reputation of stealing back in the days when they were caught reverse engineering Cisco router OS code
agree, they did that :( What always puzzles me is how the West keeps underestimating Asian countries / societies abilities to outperform them. They did not see this coming after the lesson from Japan (e.g. Toyota) establishing a beach-head in the West and by initially copying them, later they move to upmarket by perfecting what they have and beat them with confidence. My uncle bought a Mazda in the 80ies and he was ridiculed for buying such a cheap-ass car. (iirc the word "rice bowl" was used to make fun of the quality). When it comes to telcos/tech it seems that we are witnessing the same thing again. When I remember the outcries over moving sites to China and giving them access to our repos - with the only promise in return "that the market will eventually be opened to them", it seems obvious that the established NEV's made huge mistakes here. People in the lower ranks have been vocal over this but their cries were drowned out by those pushing for cost-reduction at all cost (since it meant short term gains in their balance sheet which the mgmt could cash in on). Especially in this field which is all carved up by big players and no room for small innovators the strategy has always been short-sighted. I could go on and on, ... Now they're all crying and pointing fingers at the Chinese boogie man when the root cause of this is their own incompetence. When it comes to vulns CISCO is probably an interesting case. They literally sold countless backdoors as undocumented features over the years. I don't know of any company that violated basic security principles as much as them.
> -NEV is a tough space, margin rates are so low yet your hip phone manufacturers are making bank $
it's really hard for NEVs and has been for years because operators are reduced to utilities. (the phrase "dumb pipes" has been thrown around in the industry ever since youtube/streaming took off). And they're all pushed to reduce costs while at the same time innovating. Within the NEV's the mergers were always justified with "Huawei is on the rise and this is the only way to compete". It started with the Alcatel + Lucent merger and the rest is history. Now it seems NEV's don't even think about organic innovation anymore and only view it through the angle of merge with the second largest to stay ahead of Huawei. There is very little IP that is created these days internally. At least when you compare their core R&D headcount to patents it's quite a joke. :-/
Getting back into this game today should nevertheless be much easier than it was when you were working on 2/3G. I had no knowledge of the stack yet they were somehow convinced they wanted to hire me. It was weird. I didn't have any connections either. It dawned on my only later that the move from CS to PS networks meant that my skills suddenly became interesting to them (before I did systems & security development for web companies). And with PS came the people who brought the agile mindset ... low and behold everyone in Telco now talks about virtualization, CI/CD and stuff you never heard the old guys talk about. In a similar way the Automotive landscape was transformed a decade later (a sim-card with wheels that is using Ethernet instead of CAN). @pmarca was right when he said SW is eating the world
I'd imagine it would be difficult finding a spot with the big ones, mentioned in this thread. They often have a hiring stop in many Western countries which forces them to outsource good jobs to external "suppliers". If you get a gig like this it is usually great money provided that you land in a department with a cool boss (always a gamble in these bureaucracies). Also being geographically flexible helps especially when you want to carve out your niche as a consultant. When they do eventually hire for internal jobs then they usually look to convert these "externals" into "internals" before they even announce it.
Another route is to closely follow a hot topic that you are passionate about at ETSI. (avoid anything that smells like Enterprise vaporware like their TLS middlebox clusterfudge and you should be good). At ETSI you can find small companies that are still innovating in areas which aren't considered the core-business of the big guys (public safety comes to mind). Also the good news is that the topics here (https://www.etsi.org/technologies) are widely applicable across industry silos. If you just focus on telco you might lock yourself in too much which defeats the effort (of doing the legwork required to penetrate these fields). In any case play the long-game otherwise there is no point (imvho).
EDIT: another thing ofc is virtualization. SDN, SD-WAN, and all that. If you're into this kind of turtles all the way down complexity it's a great selling point: https://media.ccc.de/v/35c3-9446-sd-wan_a_new_hop ... other areas I could think of is security and further automating delivery pipelines. I have so far not seen any web based (or even automotive) company that puts as much money into CI/CD as the big telcos do. Fines for downtime of a eNodeB are in the millions/day so the quality/automation angle always sells well. Reducing the time that it takes to map responsibility between a trace/bug-report to an actual developer/tester to look at the problem is real $ saved.
> What always puzzles me is how the West keeps underestimating Asian countries / societies abilities to outperform them.
The same smug condescension is frequently on HN; the third comment right now reads in part ...this lack of value around creativity and direct inventorship makes the Chinese a super formidable second place in many arenas but without the skills or cultural DNA to actually take the lead or be the expeditionary force... If I were China, I'd encourage this attitude until I was good and ready - a little paranoia and an assumption of competence would help (come to think of it; this might be the whole point of the recent flood of China stories, if one were to put on their conspiracy theory hat.)
indeed, these people need to travel more, or at least read Confucius / Sun Tzu. They all forget that they're thinking long term and not like in the West where today's short-term profit trumps all that might make sense in the long-run (not just companies but already starting from the way families work).
I'm convinced that this complacency, ignorance and attitude of superiority is also the kernel to their downfall and demise. The aging US/EU as a viable market simply is a joke when compared to the potential of the Asian markets.
I asked an Italian double Michelin star chef once where he had the best dish of authentic pasta ever. He said in Tokyo (but that it was closely followed by his mothers recipe).
Not saying that the Chinese are as quality obsessed as the Japanese, but there are countless similar points where the West just misses things because of ignorance and the Emperial feelings of superiority.
Yes of course. Especially when it's the SDK of a router, or drivers for an Android mobile so you can make a ROM for them! (Those are the examples I had originally in mind)
What I want to say is that this wasn't some cloak+dagger operation as the US media paints it. When I say US media one must also consider the amplification of these news from other FVEY members - especially Australia who were very vocal about Huawei being a security risk - all very heavily involved in amplifying this manufactured outrage.
Another reason why the IP-theft angle (as reported in the West) is true but still exaggerated is that from what I have seen at the standardization meetings (again since mid-2000 till today - which is when LTE/-a were conceived is that Huawei was unlike their Western competitors very aggressive in innovating. I can't say the same thing about the delegates from Ericsson, A/LU, Siemens, Nokia which sent (quite old) people that were promoted away internally to look after these bureaucratic process. Huawei outperformed all of them (especially in 4G, 5G, SDN and the Future-Netwerks/IGN even M2M/IoT topics). They invested incredible amounts of time and money in innovation (through the standards path) almost like a start-up, which can't be said for the others and set up bodies in China (CENELEC) to ensure being on par with ETSI regs.
What hurt the established (big) guys most is that they actually thought like a start-up. If you worked at Huawei as a junior in Italy and other sites, you were allowed to move across departments and fields getting a well rounded picture of how the telco-sector works. If you wanted to gain the same experience with the big guys you'd have to stay 15-20 years in the company as opposed to 3-5 with Huawei. This is why Huawei engineers are highly sought after by other telco firms.
Lastly Huawei has been always competing on price. I got downvoted for saying this before here because people only saw the price-tags of the latest UEs like the P-range etc, but this isn't what we're talking about when we speak about NEV's (and from a security pov the risk isn't so much in the handsets but the rest of the infrastructure that makes the lions share of the R&D work). Huawei kit was (and still is) the worst and most shoddy equipment you can get in terms of Interoparability. (IOT means "interoperability testing" in this context and the industry used to employ whole departments in this field of work). Despite the crap quality they could sell their wares very cheaply across Africa and emerging countries (often to questionable regimes, ... but so did all the others only that their prices eventually ended up being to high once Huawei entered that regional market). So if it wouldn't be Huawei selling custom-made Lawful-Intercept (LI) to these dictators it would still be the established players doing it ...
The only thing that has changed in this game is the perception of how China is viewed in the world. Trust is a fickle thing and once you start playing with protectionism and trade-war that trust is over and from a security POV you have no other choice than re-think your supply-chain. Also to be fair to the established NEVs: Huawei sold their kit across the globe and still operates R&D centers across Europe employing thousands, the established players entered China and moved a large amount of innovation into China, the playing field wasn't equal. Huawei could tap into the know-how overseas and back home, while the established players operating in China faced a lot of restrictions.
Damn this is getting long, last point: if you are able to undercut your competitor at a loss (because you're propped up by your own government) there is simply no way for the others to compete with you. This is the kicker IMO and not the topic of Huawei being a natsec threat (which only is a symptom once trust broke down).
EDIT: TL;DR I'm not saying they didn't steal things but the information is twisted the way it is reported. And if we speak about backdoors we'd have to equally speak about threat-models and here backdoors are only tangentially interesting since the vulns that stem from shoddy engineering (hello crappy ASN1 parsers) are much cheaper to harness than some hypothetical purpose-made backdoor that costs millions to implement and keep covered-up. (Occam's razor)