> A perfect situation for Hanlon's razor... I'm not at all suggesting that Huawei (or TP-Link, or anyone else) are actively attempting to subvert security systems or intentionally adding backdoors. In that sense it's probably right to conclude this is ignorance. The problem is that an attacker, especially those with the backing of a nation state, can trivially attack those insecure supply chains and install backdoors or data exfiltration. As for whether others are as bad, I think the sort of audit that was done on Huawei is done for other companies attempting to sell into that level. These audits are not really about looking at the code – sometimes they do, but you're never going to get a useful security audit of 10s-100s of millions of lines of code. They're more about the security posture of these companies, and in that way, Huawei failed. I do expect that Cisco, HP, other network hardware vendors are better at this. Do they still have crap code? Sure. Do they still have security vulnerabilities? Of course. Could a nation state still get a backdoor in? Probably. But would it be significantly harder to do, easier to detect, and easier to resolve? Yes, and that makes them better suited to critical infrastructure.

But like what is that conclusion based on?
I'm not saying you're wrong - just curious why you hold HP and Cisco in high esteem.
At least in terms of engineering talent I'd expect them to be much worse. Huawei is prolly the Google of China, paying huge salaries and getting the country's top engineers (along with Alibaba). When I lived in Santa Barbara, Cisco didn't have a good rep and they didn't pay well. A typical bureaucratic Office Space-esque soul sucker. I don't know about HP but I don't get the sense it's a prestigious place to work either.
Again, these are very shaky, ill-informed judgments on my part, I admit :) hence why I'm curious if you're talking from a position of knowledge on the subject.