Hacker News new | ask | show | jobs
by fulafel 2230 days ago
Grsecurity people have been involved in a lot of fights and accusations over the years. Also this was a first posting of the patch set. I think it's pretty hard to show malice here. Of course your bayesian prior will be influenced by how paranoid you are about Huawei in general.

edit: apologies to Grsecurity, as pointed out downthread they make no accusations of backdoors. Although apparently the Grsecurity blog post was also altered after comments from Huwaeithe PSIRT, don't know what was in the original version.
2 comments
cycomanic 2230 days ago
Actually if you read the grsecurity blog it is much more nuanced then the linked story (and would have been a much better source to link to IMO).

In particular they do not insinuate a backdoor. In fact their post is pretty consistent in that they criticize the quality (or lack thereof) and limited understanding of security, which they have done for many others as well.

This seems to really be a story blown out of proportion based on the current political climate. I don't believe a similar vulnerability in a patch from cisco, Intel, Google or any of the others (and they had patches which were similarly criticized by grsecurity) would have received a backdoor label in the headlines.

That is not to say that we should not strongly scrutinise patches from Huawei.

link
fulafel 2230 days ago
Good correction.

But reading the Grsecurity blog, it becomes even clearer that this is far from production code and would be very far from passing any kind of QC for production code.

link
microtonal 2230 days ago
If you are going to try to insert backdoors, you will come up with a way to of doing it with plausible deniability. Letting an employee post the patch own their own credentials is one way way of setting up plausible deniability.
link
fulafel 2230 days ago
Yes, of course. But the flip side is that any given bug is unlikely to be a covert backdoor.

Considering the scrutiny Huwaei is under, and how this patch was not proposed or destined to any existing used Linux component, this would be an odd risk-reward equation.

I fear this will be a nail in the coffin for any freedoms Huawei employees had to participate in open source infosec dev community on their own volition. We should be encouraging this kind of participation, not publically crucifying beginning participants and their employers for mistakes.

link