by StudentStuff 2554 days ago
Bunnie seems to fear this type of IP restriction but with regard to closed source chipset designs and proprietary hardware, which he views as key to continued innovation in China.

I have met Bunnie, and he has a bit of a warped view of the world. I think it caused him to gloss over things like https://www.theregister.co.uk/2019/03/28/hcsec_huawei_oversi... where Huawei did not give a single shit about security in their cellular basestation codebase.

Sure, Huawei will read CVEs and sometimes deal with them, but really basic things like updating OpenSSL libraries seem near impossible for Huawei. Their hardware is thus vulnerable to exploitation by any ill-intentioned person wandering by :c

Part of this is the whole stolen codebase problem, where Huawei (as Nortel's Chinese manufacturing partner) took their designs and code, without fully understanding them. They've been able to tack on a lot of neat stuff, but the underlying architecture is still not understood by their engineers.


And so is so much other US-produced or maintained hardware. Do we now ban outdated corporate websites which can be hacked and used to launch attacks on other servers?

The Huawei ban is very clearly a political anti-China move, not one based on technical reasons.

We need a cultural shift; security should not be a whimsical dream. A company running vulnerable websites should be culpable for its neglect, and likely shouldn't be administering its own IT affairs if it is repeatedly negligent.

This is an anti-China move, but we do know Huawei builds vulnerable LTE basestations and products, and refuses to do the bare minimum to secure them, despite promising $20 billion in investment in software security (see the article I linked to earlier).

Do you not understand the part about Huawei’s rampant, Chinese-style IP theft directly contributing to the poor security of its products?
I haven't ever seen any evidence of "rampant" IP theft by Huawei. Every time, it's the same one Cisco case that got settled 15 years ago, unsubstantiated claims about Nortel two decades ago, and T-Mobile's "Tappy" robot. This for a massive company with over $100 billion in revenue a year. If there were actually something to the characterization, you'd think there'd be more evidence. It's a bit like defining Google solely on the basis of Oracle's case and Apple's earlier claims of Android being an iOS clone.
Try taking this position with, say, Samsung.
I'm not sure I follow.

Samsung was embroiled in a very bitter IP dispute with Apple, in which it was found to have violated Apple's patents, essentially copying the design of the iPhone, and ordered to pay over a half a billion dollars.

Yet American companies aren't banned from doing business with Samsung, nor should they be.

This seems like a specific and direct attack on Bunnie. Do you have any evidence to back up your claim? Was your opinion of what you call his 'warped view of the world' shaped by your conversation? What specifically about that conversation led you to that conclusion?

I don't know Bunnie and I only follow his blog posts sometimes, but he's a strong proponent of open source software and open source hardware [1]. Bunnie is helping to develop a fully open source hardware laptop, Novena [2], that requires companies providing components to not require non-disclosure agreements [3]. Bunnie is also specifically interested in FPGAs and making them and their toolchains available [4].

Your post seems like it has a veiled nationalistic and anti-open source undercurrent. Is Bunnie's silence on the matter of the Huawei security issue the reason for you to have this view? If so, do others not mentioning Intel's vulnerabilities [5] the past years also mean they have the same "warped view of the world"?

To be clear, I'm not trying to absolve Huawei or Intel of anything. I'm trying to address the claim that Bunnie turns a blind eye to proprietary chipset and hardware technology more than others.

[1] https://www.eff.org/press/releases/hardware-hacker-anti-acta...

[2] https://www.bunniestudios.com/blog/?cat=28

[3] https://en.wikipedia.org/wiki/Andrew_Huang_(hacker)#Novena

[4] https://www.bunniestudios.com/blog/?p=5166

[5] https://meltdownattack.com/

I'm not attacking Bunnie; everyone has their own view of the world. Bunnie has repeatedly stated that he views IP as an impediment to R&D, and that anything that threatens the quasi-open sourcing of hardware (e.g. how data sheets, BSPs and code are passed around by sellers in China, in spite of the legalities) is bad: https://www.youtube.com/watch?v=SGJ5cZnoodY
> really basic things like updating OpenSSL libraries seem near impossible for Huawei.

> Huawei (...) took their designs and code, without fully understanding them.

Do you want to say that there aren't people in China smart enough to "update OpenSSL" in their codebase? Whichever way the codebase started to be used by the company?

A lot of companies and developers inherit the products created in some other times in some other companies and generally are able to update them.

No, I'm not saying that at all. What I am saying is that those managing Huawei do not care about updating OpenSSL or other dependencies. It's a corporate culture problem at Huawei IMO.
Many companies have the same problems: not rewarding people who fix these types of security issues and look at security holistically, so that instead the only path to success is to create new features.
See Cisco's handling of their low-end routers as a great example: https://news.ycombinator.com/item?id=19507225

It is rotten corporate culture that is starving critical maintenance work at these companies, creating the internet of vulnerable shit.