by mortb 2636 days ago
Maybe, as some posters in this thread are suggesting, this should not be read as a PR article. This should be read as a "Huawei (and others) we are watching you. Stop doing those things, we are able to spot your doings, and we are willing to show the world". Of course the article touts about the ability of Defender and their forensics team, but there is definitely a possibility that another message is being conveyed.

As I am working mostly in web etc. I have no experience in writing drivers so this is quite a few software layers below my comfort zone. However, to me having read the article, it seems that the "Watchdog" goal achieved by Huawei's code is done in such a roundabout fashion that is either a combination of "skilled but sloppy programmer" or "skilled and not sloppy but wanting to be perceived as sloppy".

Some context: WannaCry and DOUBLEPULSAR are mentioned several times. Read about the NSA backdoors:

https://en.wikipedia.org/wiki/EternalBlue

https://en.wikipedia.org/wiki/DoublePulsar

EternalBlue was leaked from NSA and developed into WannaCry


Another piece of context, the article says that the issue was resolved together with Huawei. Why then make a publicly available article about it naming the company? Why not just patch and pretend that there was no issue, or patch and with a more generic description "we have implemented a mechanism to monitor drivers that might try to execute arbitrary code"?

That happens all the time as it's relatively normal to do so in this type of disclosure. With the political focus on Huawei these days it's likely just people noticing this message more than others, it's not like other big manufacturers show better security practices. With Huawei in particular, MS as a US company really couldn't have omitted the name from the disclosure without being put in a weird spot later down the road.

While I agree with other posters that the wording of this disclosure is unnecessarily mixed with a PR piece, naming companies for me is crucial as it allows end users to assess their own impact of a vulnerability and also puts a public track record on these vendors.

If you don't mention the company you implicate everyone.