by elmo2you 2548 days ago
So, in summary:

1. Cisco used Open Source software (OpenDaylight), without sanitizing publicly available (GitHub) certificates and private keys.

2. The screenshot in the source article mentions the subject of the certificate. Yet, the text refers to it as the signing party.

3. Somebody used a business name and an email address that is associated with Huawei, to generate a certificate.

Observations:

- Regarding (1): If any finger pointing or suggesting should be done here, it should not be at anyone but Cisco.

- Regarding (2): Either the original source article contains incorrect information, or these certificates were self-signed, which makes any information supplied in the certificate arbitrary and meaningless.

- Regarding (2): If the information is incorrect, and the certificate was signed by an accredited party, the person who put this on GitHub sure made a stupid mistake, rendering this private key essentially useless (to anyone, Huawei and Cisco included).

- Regarding (3), just because somebody uses (either real or fake) business information to generate a certificate, does not indicate that said business had any involvement whatsoever. Not unless the certificate is signed by a party that guarantees the vetting of that info.

Final thought: The title with "Huawei cryptographic keys" appears to be very misleading at best, simply incorrect more likely. I do not see the link between Huawei and these keys, other than somebody using arbitrary information to generate a (self-signed) certificate from a private key.
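The point made in (2) and (3), shown as an added Go example that is not from this thread or from the articles it discusses: a self-signed certificate carries whatever organisation and email the key holder typed in, and the only thing a verifier can establish is that the issuer equals the subject and the signature checks out under the certificate's own key. The organisation name and address below are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MakeSelfSignedCert builds a self-signed certificate whose subject carries
// whatever organisation and email the caller supplies (constructed values,
// nothing vets them).
func MakeSelfSignedCert(org, email string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{org}},
		EmailAddresses:        []string{email},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	// Template is both subject and parent, so the key signs its own certificate.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IsSelfSigned reports whether issuer and subject are the same name and the
// signature verifies under the certificate's own public key.
func IsSelfSigned(c *x509.Certificate) bool {
	return bytes.Equal(c.RawIssuer, c.RawSubject) && c.CheckSignatureFrom(c) == nil
}

// SubjectTrust states what the subject field actually proves.
func SubjectTrust(c *x509.Certificate) string {
	if IsSelfSigned(c) {
		return "self-signed: subject is an unverified claim by whoever held the key"
	}
	return "issuer " + c.Issuer.String() + " vouches for the subject"
}

func main() {
	c, err := MakeSelfSignedCert("Example Corp", "someone@example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println(c.Subject.String(), "->", SubjectTrust(c))
}
```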

4 comments

Yeah, the editorial titling was definitely clickbaity. That's why I always come to the comments first on HN if an article sounds sensationalistic.
From what I read, it sounds like Cisco put a file from public GitHub into the IoT firmware's /root/.ssh directory.

Something is very wrong with that firmware generating process.

Why would anyone do that? Even accidentally?

There is a nice talk on YouTube (sorry, tried to find a link and couldn't in less than 30 seconds) that discusses Cisco's firmware build... "process". Rest assured, "very wrong" is a nice description; allegedly, we're talking things like "random engineer builds firmware image from local checkout using personal build scripts and uncommitted code, and if it appears to work then it gets shipped to customers, either at large or on a case-by-case basis". Honestly, the presence of additional random files is completely unsurprising.
Creating a private key for test purposes and putting it in a test folder of an open source project is a quite reasonable thing to do. I am guessing the email address is there because the tool used to create the certificate asked for it.
Shoddy journalism, or compliance with an ongoing political narrative.
This is a blog post by the software company that discovered the issue.

It's simply a marketing team leveraging the current threat environment to raise the profile of their product.