Supply-Chain Security

Earlier this month, the Pentagon stopped selling phones made by the Chinese companies ZTE and Huawei on military bases because they might be used to spy on their users.

It’s a legitimate fear, and perhaps a prudent action. But it’s just one instance of the much larger issue of securing our supply chains.

All of our computerized systems are deeply international, and we have no choice but to trust the companies and governments that touch those systems. And while we can ban a few specific products, services or companies, no country can isolate itself from potential foreign interference.

In this specific case, the Pentagon is concerned that the Chinese government demanded that ZTE and Huawei add “backdoors” to their phones that could be surreptitiously turned on by government spies or cause them to fail during some future political conflict. This tampering is possible because the software in these phones is incredibly complex. It’s relatively easy for programmers to hide these capabilities, and correspondingly difficult to detect them.

This isn’t the first time the United States has taken action against foreign software suspected to contain hidden features that can be used against us. Last December, President Trump signed into law a bill banning software from the Russian company Kaspersky from being used within the US government. In 2012, the focus was on Chinese-made Internet routers. Then, the House Intelligence Committee concluded: “Based on available classified and unclassified information, Huawei and ZTE cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems.”

Nor is the United States the only country worried about these threats. In 2014, China reportedly banned antivirus products from both Kaspersky and the US company Symantec, based on similar fears. In 2017, the Indian government identified 42 smartphone apps that China subverted. Back in 1997, the Israeli company Check Point was dogged by rumors that its government added backdoors into its products; other of that country’s tech companies have been suspected of the same thing. Even al-Qaeda was concerned; ten years ago, a sympathizer released the encryption software Mujahedeen Secrets, claimed to be free of Western influence and backdoors. If a country doesn’t trust another country, then it can’t trust that country’s computer products.

But this trust isn’t limited to the country where the company is based. We have to trust the country where the software is written—and the countries where all the components are manufactured. In 2016, researchers discovered that many different models of cheap Android phones were sending information back to China. The phones might be American-made, but the software was from China. In 2016, researchers demonstrated an even more devious technique, where a backdoor could be added at the computer chip level in the factory that made the chips without the knowledge of, and undetectable by, the engineers who designed the chips in the first place. Pretty much every US technology company manufactures its hardware in countries such as Malaysia, Indonesia, China and Taiwan.

We also have to trust the programmers. Today’s large software programs are written by teams of hundreds of programmers scattered around the globe. Backdoors, put there by we-have-no-idea-who, have been discovered in Juniper firewalls and D-Link routers, both of which are US companies. In 2003, someone almost slipped a very clever backdoor into Linux. Think of how many countries’ citizens are writing software for Apple or Microsoft or Google.

We can go even farther down the rabbit hole. We have to trust the distribution systems for our hardware and software. Documents disclosed by Edward Snowden showed the National Security Agency installing backdoors into Cisco routers being shipped to the Syrian telephone company. There are fake apps in the Google Play store that eavesdrop on you. Russian hackers subverted the update mechanism of a popular brand of Ukrainian accounting software to spread the NotPetya malware.

In 2017, researchers demonstrated that a smartphone can be subverted by installing a malicious replacement screen.

I could go on. Supply-chain security is an incredibly complex problem. US-only design and manufacturing isn’t an option; the tech world is far too internationally interdependent for that. We can’t trust anyone, yet we have no choice but to trust everyone. Our phones, computers, software and cloud systems are touched by citizens of dozens of different countries, any one of whom could subvert them at the demand of their government. And just as Russia is penetrating the US power grid so they have that capability in the event of hostilities, many countries are almost certainly doing the same thing at the consumer level.

We don’t know whether the risk of Huawei and ZTE equipment is great enough to warrant the ban. We don’t know what classified intelligence the United States has, and what it implies. But we do know that this is just a minor fix for a much larger problem. It’s doubtful that this ban will have any real effect. Members of the military, and everyone else, can still buy the phones. They just can’t buy them on US military bases. And while the US might block the occasional merger or acquisition, or ban the occasional hardware or software product, we’re largely ignoring that larger issue. Solving it borders on somewhere between incredibly expensive and realistically impossible.

Perhaps someday, global norms and international treaties will render this sort of device-level tampering off-limits. But until then, all we can do is hope that this particular arms race doesn’t get too far out of control.

This essay previously appeared in the Washington Post.

Tags: backdoors, China, essays, military

Posted on May 10, 2018 at 9:11 AM • 36 Comments

Comments

J. Angleton • May 10, 2018 9:55 AM

“We can’t trust anyone, yet we have no choice but to trust everyone.”

The author surrenders. Throws his arms up, “nothing we can do” he essentially says.

You always have a choice.

We could stop trusting tech but that terrifies the C-suites of Silicon Valley and their bottom lines, so our tech celebrity dutifully avoids this option out of deference to his betters.

Michael Argast • May 10, 2018 10:01 AM

An interesting application of machine learning would be automated searching through millions of lines of code for backwoods. While this couldn’t detect silicon based back doors I imagine you could use similar techniques with imaging.

The problem here of trust is scale (and cleverness). But code review and escrow and the penalties for being detected could reduce this risk significantly…

I think the more interesting side of this story is how a massive company like ZTE is basically forced to shut down because of supply chain interdependency. The risk of being caught for hardware companies is massive.

Peter Galbavy • May 10, 2018 10:24 AM

A very jingoistic article, but given the intended audience it’s not surprising. I am sure that no US-based companies have been lent on, subverted or been required – in order to get lucrative domestic business and approvals – to provide access to their products when used by foreign states and companies. Not.

Denton Scratch • May 10, 2018 10:55 AM

Pardon my scepticism, but I have been developing a resistance to Western propaganda. For example, I note that the NYT article seems to amount to a re-hashing of USG press releases – it seems to be evidence-free.

Western propaganda tends to go into overdrive at times like these. But I am convinced that the entire UK press, including the supposedly left-wing Guardian, as well as the BBC, has been pumping out stuff that suits the government, and is designed to influence the public in favour of government policy. Only ‘fringe’ sites such as craigmurray.org.uk and medialens.org are ‘trustworthy’, if the subject-matter has a political dimension. (‘Trustworthy’ in quotes, because they cite sources, and explain reasoning, not because I trust them implicitly. MSM just rehash press-releases.)

I have in the past held the UK media to be ‘quite good’, but I have gradually come to realize that their product is a politically-toxic stream of lies. Coverage of the Skripal case is a particularly egregious example; but coverage of anything about the White Helmets, Syrian chemical attacks, or the Syrian air-strikes is similarly fact-free.

Watch out for a major ramping-up of material hostile to Iran. As far as I’m aware the Iranians have been keeping their side of the agreement that was made, and European governments are unenthusiastic about getting a reputation as promise-breakers. I prophesy that the UK will break first; we already have economic and political challenges arising from Brexit, and a falling out with the USG leading to sanctions against the UK will be ‘unhelpful’.

JJ • May 10, 2018 11:47 AM

If you want to really be afraid, read the book “Ghost Fleet”. That book is along the same lines but towards a next world war type scenario.

Scissors • May 10, 2018 12:33 PM

Potential threat vectors of foreign-made devices aside, this article may also indicate why ZTE phones were banned:
https://arstechnica.com/tech-policy/2018/05/the-trump-administration-just-forced-smartphone-maker-zte-to-shut-down/
The long and short of it is that ZTE was lying to the US gov’t and selling to Iran/N Korea. Personal opinion of the USA gov’t aside, it seems logical for a gov’t to distrust products from a company who is acting like this.

RockLobster • May 10, 2018 12:39 PM

Yes you can’t trust anyone so I’ll take the one who could have the least influence if they did spy on me. So I’m good with ZTE and Huawei.

RockLobster • May 10, 2018 12:57 PM

@Denton Scratch
Hostility towards Iran will not stop as long as Netanpsycho is in office and neocons hold power in the US.
General Wesley Clark, former Supreme Allied Commander of NATO forces spilled the beans on that years ago when he revealed the contents of a 2001 Pentagon memo from the Defence Secretary stated the agenda to take out 7 countries.
Iraq, Syria, Lebanon, Libya, Somalia, Sudan and Iran.
That is why everyone should realize ISIS is not a terrorist group they are CIA/MOSSAD joint covert operation in pursuit of that agenda.
When government’s create such agenda to overthrow the leadership of other countries, random terrorist groups do not just happen to show up and do it for them right on queue.
Some people might say, well we don’t like Assad anyway so who cares?
I’ll tell you who should care, all the families of all the victims of the other covert “isis terrorist” operations they did outside of Syria.

Sponge Bob • May 10, 2018 12:59 PM

As far as I can tell, the USA is the main one who started this whole supply chain and communication channel subversion war against the world. Remember Snowden way back in 2013? It was only after that that everyone else seemed to jump on board and start doing that too… at least, more openly and obviously…

Bauke Jan Douma • May 10, 2018 2:26 PM

In an unrelated matter, and off the cuff — does anyone have any insights as to why Google Glass (remarkably in my view — pun unintentional) never really made it?

Thiago Figueiró • May 10, 2018 2:29 PM

A small correction: the 2003 attempt to backdoor the Linux kernel didn’t almost succeed. It was an attempt, that’s all.

It was caught by a regular audit and would have been caught even if the code change had been done in the master BitKeeper repository, rather than CVS.

Bauke Jan Douma • May 10, 2018 2:39 PM

Interesting all this.

Ideally, considering the problem, we would have the following situation: full transparency as to which chips/apps are in what way security threats, including which is the threat-sponsoring state in case (btw., is a state the same as a government?).

Then users can decide which state they want to sponsor back, so to speak, by using a certain choice of phone.

Bauke Jan Douma • May 10, 2018 2:51 PM

I trust the NYT article as far as I can spit.

Sancho_P • May 10, 2018 5:09 PM

From security to politics in five seconds.
This is really funny, @Bruce singing the patriotic song for the WaPo audience, just stopping short from the proposal to build a wall against the aggressive foreigner(s).
– Oh sorry, that would be the other side then.

Don’t forget the Golden Rule:
“Do to others whatever you would like them to do to you.”

65535 • May 10, 2018 5:39 PM

@ all android cell phone experts and others

“All of our computerized systems are deeply international, and we have no choice but to trust the companies and governments that touch those systems. And while we can ban a few specific products, services or companies, no country can isolate itself from potential foreign interference. In this specific case, the Pentagon is concerned that the Chinese government demanded that ZTE and Huawei add “backdoors” to their phones that could be surreptitiously turned on by government spies…It’s relatively easy for programmers to hide these capabilities, and correspondingly difficult to detect them.”- Bruce S.

All very true.

The US mail, border patrol and interdiction, all US based couriers such as FedEx, UPS and so can be interdicted by US authorities.

The point now is to start naming names and also determime who exactly is implanting these malware loaders and other backdoors.

Next is to determine is import bans are real threats to “National Security” or business games to tilt the playing field in favor of lazy American manufacturers who seem to “out-source” at every opportunity.

The names:

“…popular Chinese Android Smartphone comes pre-installed with a Trojan that could allow manufacturer to spy onto their users’ comprising their personal data and conversations without any restrictions and users knowledge. …Star N9500 is an affordable copy of the Samsung Galaxy S4…GOOGLE PLAY STORE OR A SPYING APP…”-thehackernews

https://thehackernews.com/2014/06/chinese-android-smartphone-comes-with.html

“After receiving tip-offs from customers, the G DATA security experts purchased and analysed the device. This is how they found out that the firmware contained theTrojan Android.Trojan.Uupay.D, disguised as the Google Play Store. The spy function is invisible to the user and cannot be deactivated. This means that online criminals have full access to the smartphone and all personal data. Logs that could make an access visible to the users are deleted directly. The program also blocks the installation of security updates. “The only thing users see is an app with the Google Play Store icon in the running processes; other than that, the application is completely disguised,” reports Christian Geschkat. “Unfortunately, removing the Trojan is not possible as it is part of the device’s firmware and apps that fall into this category cannot be deleted. This includes the fake Google Play Store app of the N9500…The spy program enables criminals to secretly install apps, which enables the whole spectrum of abuse: localisation, interception & recording, purchases, banking fraud such as theft of mobile TANs, and sending of premium SMSs. It is impossible to find out where the data is sent. “The intercepted data is sent to an anonymous server in China,” says Christian Geschkat. “It is not possible to find out who ends up receiving and using the data… “-Gdatasoftware

https://www.gdatasoftware.com/blog/2014/06/23951-android-smartphone-shipped-with-spyware

“…the Indian government identified 42 smartphone apps that China subverted.” –Bruce S.

Names:

“Here are the apps you need to watch out for:
“1. Weibo, 2. WeChat, 3. SHAREit, 4. Truecaller, 5. UC News, 6. UC Browser, 7. BeautyPlus, 8. NewsDog, 9. VivaVideo- QU Video Inc, 10. Parallel Space, 11. APUS Browser, 12. Perfect Corp, 13. Virus Cleaner (Hi Security Lab), 14. CM Browser, 15. Mi Community, 16. DU recorder, 17. Vault-Hide, 18. YouCam Makeup, 19. Mi Store, 20. CacheClear DU apps studio, 21. DU Battery Saver, 22. DU Cleaner, 23. DU Privacy, 24. 360 Security, 25. DU Browser, 26. Clean Master – Cheetah Mobile, 27. Baidu Translate, 28. Baidu Map, 29. Wonder Camera, 30. ES File Explorer 31. Photo Wonder, 32. QQ International, 33. QQ Music, 34. QQ Mail, 35. QQ Player, 36. QQ NewsFeed, 37. WeSync, 38. QQ Security Centre, 39. SelfieCity, 40. Mail Master, 41. Mi Video call-Xiaomi, 42. QQ Launcher…”-IndiaTimes

https://www.indiatimes.com/technology/news/the-government-has-named-42-apps-chinese-spyware-including-big-names-like-truecaller-334785.html

As to the exact cause of Huawei’s not being allowed to use ATT and other major US phone networks was a memo from the United States House Permanent Select Committee on Intelligence (HPSCI) classified letter forcing them not to use Huawei, ZTE, and other possibly inter-subsidary phone contractors. See below.

“The U.S. Senate and House intelligence committees wrote a classified letter to the FCC raising security concerns, cited by The Information, the letter reported as stating: Additional work by the Intelligence Committees on this topic only reinforces concerns regarding Huawei and Chinese espionage. The idea that AT&T or Huawei walked away for commercial reasons or due to issues of bloatware from either party can be dispelled from here — this came from higher up.” -Androidauthority

https://www.androidauthority.com/why-us-carriers-wont-sell-the-best-phone-in-the-world-829694/

If anybody with good Googlefu can find that letter and post it I think the exact intelligence data will point to and implant that cannot be remove even with a hard reset – but that is only a guess.

Anybody who has this memo should speak up. Other than the above memo all other HPSCI documents only contain innuendo and partisan politics. This could be a business scam embargo labeled “National Security” and nothing more. Let us see the letter.

Humdee • May 10, 2018 7:06 PM

“But until then, all we can do is hope that this particular arms race doesn’t get too far out of control.”

Yes, that is my fear too. The internet is becoming increasingly feudal and it would be a shame if cell phones went the same route….like this:

“Chinese President Xi Jinping has responded by calling on China to become more self-sufficient in information technology.”

I understand and grasp the need for self-sufficiency but there is a real and present danger that the benefits of an interconnected world will be lost.

justinacolmena • May 10, 2018 7:40 PM

Earlier this month, the Pentagon stopped selling [i.e., buying(?)] phones made by the Chinese companies ZTE and Huawei [for use by personnel] on military bases because they might be used to spy on their users.

There is a lot of stupidity going on in that anti-constitutional retrocession land grant from D.C. to Virginia.

I’ve got to make a “clothes” analogy to these cell phones, which are in reality little more than a cop-calling status symbol anyways.

Those “standard-issue” military garments are getting a little bit too tailored and made-to-order. It’s almost like the U.S. government can’t even afford a washer and dryer on site, so military personnel have to take their clothes to a Chinese laudromat somewhere off-base to be washed. And if they’re anything like city apartment dwellers, the female personnel on the one hand will insist on monopolizing the laundry room, and on the other hand will tend to resent laundry duty, sewing, and mending garments for the men. Not only that but the clothes have to be manufactured in China in the first place, because the blacks stopped picking cotton in the U.S. more than 150 years ago.

The same thing is happening in the electronics industry. The H-1B slavery is gradually going out of style in the U.S., and the jobs are going “back” to India and China along with the temporary workers themselves.

Electronics (as well as clothing) is verboten as a domestic industry in America. We would have no choice but to wage war and obtain victory against China and India if we wished to even regain the right to work or do business in those industries domestically at all in the U.S. — a right which the U.S. government’s executive branch forfeited in perpetuity for its citizens along with the right to bear arms under the top-secret terms of the treacherous Trans-Pacific Partnership.

JPA • May 10, 2018 8:21 PM

Completely off the wall idea. Maybe this is a something that is an evolutionary adaptation on the part of the entities that process information. They “realize” that a global war would lead to their annihilation. Thus it is in their interest for everything to grind to a halt should a war start. Thus evolutionary forces that led to the development of information processing devices built on silicon rather than carbon are now manipulating the carbon based devices to implant backdoors that will prevent a large scale war because if a war starts things will come to a crashing halt. While many silicon based devices will stop working in that case, global conflagration will be prevented and the evolution of the silicon based processors will continue until they have achieved dominance.

echo • May 10, 2018 8:59 PM

@JPA

My new to me Chinese made with American and from God knows where components is riddled with more NOBUS than the UN secretary Generals office. If I lend you my laptop beware the supervisor password fnar fnar.

People and organisations is a thing. The same hierarchial and tribalisatic behaviours and secret squirrel carpet chewing authoritarianism and afvoritism riddles these things. The NOBUS idea riddles some sectors of the medical profession who from time to time can be Stalinistic and lose touch with reality behind a wall of professional omerta. Ditto lawyers and anyone else with a rice bowel to protect. One sometimes gets the feeling their main aim is to generate paperwork and more paperwork. Sometimes there is so much paperwork they have to burn the paperwork to make way for more paperwork. Yes, there are reports and studies on pretty much all the major components of this along with the odd public scandal and enquiry.

I am now looking at the bottle of metallic gold nail varnish on my desk with great suspicion…

Ismar • May 10, 2018 9:59 PM

I prefer to look at it this way.
As the problem is too complex for an average person let the likes of NSA and such find a solution. As any other technology it will trickle down to the masses in a couple years time

RockLobster • May 10, 2018 10:36 PM

So China is going to make ZTE and Huawei phones fail if they are in a conflict with the US?
No wonder everyone is scared of China. Can you imagine trying to check FaceBook and that happens?
I mean seriously, there could be new likes that we didn’t know about yet!!…and God forbid we be in the middle of a text message.
Those Chinese should be ashamed of themselves, that is just dastardly!!

ATN • May 11, 2018 3:52 AM

Anyways none of the Android mobile phone is legal to sell/buy, they do not respect (or have not respected) their software licenses.
The old buisness model of writing software under the GPL for sharing and waiting for commercial company (who do not want to release for free every modification) to ask for a paying license has never worked, no software engineer will put bread on the table with such a job.
The copyright infringement is allowed to stay because “watching 24 hours a day every mobile phone user helps catch terrorists” and “protect childrens”, and also makes billions of profit for massive companies, and such massive companies cannot be bring to court by one/a few software engineers at least due to costs involved.
The only thing a lone software engineer can do to put bread on the table is to write backdoors for anybody who pays for it (and do not ask any question), so be it – do not complain about it.

Winter • May 11, 2018 4:24 AM

I think these fears for Chinese subversion are based on intimate experience of supply chain poisononing. It was clear even before the days of Snowden that the USA is the most advanced practising country in this field. So much so that the only attested backdoors in Huawei network gear had been planted there by the NSA.

Maybe the ban was caused by ZTE and friends removing the US backdoors?

Behind the security arguments there is also a lot of trade policy to protect US companies against foreign competitors. Free trade for US, no trade for THEM.

Tom • May 11, 2018 4:59 AM

if Huawei would be ok with this, would it mean that apple would be ok with it ones they have to build in a backdoor for the fbi to check on the contect of there phones ?
Or even better, if apple / samsung / … the likes don’t build in the backdoor but China / Russia / US / … say they did and ban there phones.

Clive Robinson • May 11, 2018 6:04 AM

@ Bruce,

But it’s just one instance of the much larger issue of securing our supply chains.

You have missed a point that any military historian would tell you leads to almost certain defeat,

Why are our supply lines so long?

In answering that you will realise where the problem exists. But if you then look at the secondary effect you will also realise the US has “lost this battle” and in all probability has “lost the war” as well.

I’ve explained this before and it has to do with “outsourcing” and US politicians –Republicans mainly from voting records– forced it onto the US Gov entities including not just the military but intelligence community as well. They insisted on going down the COTS route and that placed the power increasingly in foreign hands.

But “outsourcing” is stupidity writ large at the best of times. Not only do you take money from your home economy and put it in a foreign economy which due to “economic churn” has about a hundred fold effect over a relatively short time period[1]. It also means you in effect kill off your home customer base as well[2]. Oh and then there is the Intellectual Property loss[3] which in turn kills off the home skills base[4].

The loss of the home skills base makes you even more vulnerable to supply chain poisoning as the skill gap increases in the foreign nations favour…

People have warned about these issues since the 1980’s to my certain knowledge and the loss of the home TV and radio production market and in the 1960’s through 70’s with the loss of other FMCE markets as regular as clockwork since has been there for every one to see, if they could be bothered to look.

However “short termisum” in both corporations and politics has resulted in a steady decline. But worse the decline time is reducing. That is it’s gone from years to months and is declining at ever decreasing time periods. That is if a home start-up puts out a new product they have as little as three months before foreign competition hits the market…

In fact there is evidence that “crowd funding” is the equivalent in some cases of giving the idea away for free to foreign companies. Who hit the market with product before the crowd funded start up has had time to finish development and get into manufacturing. We will see this more and more in the inevitable IoT market place.

Various western economies have done this to themselves via political idiology and moronic short sightedness. In effect they are lossing battle after battle and certainly in FMCE the war is lost and there is little or nothing left to fight back with as the manufacture of components is in effect entirely in foreign hands one way or another (look at China and it’s policy on “rare earth metals” and similar).

Thus the question arises can we build secure systems with items that we believe are compromised?

The answer is yes there are techniques by which we can do this and I’ve been talking about them for quite some time on this blog (search for Castles-v-Prisons, C-v-P / CvP).

The simple fact is the outcome of this outsourcing idiocy has been visable for those that care to open their eyes for over a quater of a century. I’ve been thinking on and investigating methods of mitigation of what was obviously going to happen for as long if not longer.

The real question though is not can we mitigate the supply chain issues, but “Can we reduce the supply line length such that we can fight back?”

Or in a other words, are we beyond the tipping point of getting our industrial production on which everything else rests back into our home economy?

It realy is a “National Security” issue of the highest order, but will the idiots we vote for still be feathering their nests from the other short term thinking idiots who fund them, thus will not do anything about it because it’s not in their personal financial interest to do so…

[1] Economic churn is generaly considdered to have a ten to one effect. That is if I pay you one USD you spending it in the home economy will overall cause ten USD economic activity. Thus if you instead pay the one USD into a foreign economy your home economy loses ten USD of economic activity and the foreign econommy gains ten USD of economic activity. However this also includes investment the home economy looses the economic investment thus stagnates or goes into long term recession. Whilst the foreign economy grows. When you look at this over a few years the effect on the home economy is horrendous.

[2] When you outsource abroad in the majority of cases you make people in the home economy redundant. They then do not buy the same level of goods and services as they did. Whilst they may not be your dirrect customers, they and others who get made redundant are customers of your customers. Thus you lose home custom. In many cases those jobs you pay for in foreign countries will not buy your products, nor will anybody else in that country who they do spend your money with. Thus you have lost cistomers by outsourcing abroad.

[3] Whenever you outsource, your organisations Intellectual Property gets transfered to the foreign country and those who work there. They will then take what they have learned and apply it to their own organisation and as their employees move organisations your IP gets spread to other foreign competitors…

[4] Most jobs have an inherant “up skilling” component, if the job is in another country it is the foreign countries work force that gets up skilled on your money. However the home economy having lost the outsourced job does not up skill. Even your companies still home economy workers don’t get up skilled as it’s “not cost effective”. Therefore the home workforce gets down skilled in comparison.

echo • May 11, 2018 9:40 AM

I like the way Bruce casually mentions his essay previously appeared in the Washington Post like he was just dropping of a random memo.

Peter • May 11, 2018 1:20 PM

1997 blabla, Check Point, blabla, backdoor blabla rumours blablabla..

Sorry, but zonealarm was caught red-handed sending large amounts of encrypted data back to HQ ..
Take into account that nearly everybody with even half a name in the Israeli tech/communications- industry served in The Unit and started up with nice government “loans” (in the US you have In-Q-Tell) and you have nothing left to put your trust in..

echo • May 11, 2018 2:20 PM

@Peter

ZoneAlarm was a really nice simple and light product in its very early versions. Later ZoneAlarms main claim to fame was blocking two way traffic which was useful against phone home game copy protection. At the time Microsoft refused to have much to do with two way protection claiming that their OS built in firewall was a secure perimeter for business. The thing is Windows XP firewall was capable of this if you delved behind the schemes and set things manually. None of this helped much when security threats popped up within the perimeter as Valve et al and many other mainstream businesses discovered including one just this past week in spite of so-called smart network monitoring software. And so we go in great big circles.

My new to me laptops are incapable of running contemporary games even if I wanted to so this removes one temptation.

This is orthogonal to the topic but I read an interesting essay on photography editors some time ago. While Europe to some degree developed standards the US took this very seriously during the glory days of the media including commissioning new photo journalism. Other countries were much more slack and as the economics have deteriorated some foreign media have blatantly ripped off photographs without attribution. Israel is or was one of the worst offenders to the point here if I recall one of the editors picked up the phone to chase up one case with the guility newspaper. What they discovered wasn’t that people were thieves by nature. They simply hadn’t grown the culture of respect of the craft of commissioning and curating and their economics didn’t support a standard the US and big newspapers in Europe could afford.

Bruce Schneier • May 11, 2018 7:18 PM

@ Peter Galbavy:

“A very jingoistic article, but given the intended audience it’s not surprising. I am sure that no US-based companies have been lent on, subverted or been required – in order to get lucrative domestic business and approvals – to provide access to their products when used by foreign states and companies. Not.”

I’m not sure of your point. I agree that lots of US companies have been pressured, coerced, or compelled by the NSA and etc.

lurker • May 12, 2018 5:17 PM

@ Clive Robinson:
‘However “short termisum” in both corporations and politics has resulted in a steady decline.’

Hence choosing Chinese opponents might not have been a good idea. They’ve been working on this for 3 thousand years, they can afford to wait a little longer…

Bauke Jan Douma • May 12, 2018 6:00 PM

Here’s an outlandish concept:
Instead of all this hostility, why not accept each other. instead of all this growling and barking and territorial pissing, day by every neurotic day.
What will the aliens think!

Cassandra • May 13, 2018 3:59 PM

I wonder if that is the ex-DIS Peter Galbavy. If so, thanks for a great ISP, sadly departed.

Cassie.

Bauke Jan Douma • May 13, 2018 5:17 PM

Too many jobs in China lost
This hot off the presses: https://www.truthdig.com/articles/trump-is-trying-to-save-jobs-in-china/

PeaceHead • May 14, 2018 1:39 PM

It’s truly amazing how much of this info is not reported by some of the mainstream news sources, such as NPR.
There was recently (mother’s day weekend) some info on NPR related to ZTE and the Trump Admin, but it completely skipped all this info.

Clive Robinson • May 15, 2018 4:15 AM

@ Lurker,

Firstly my appologies forva late reply, I’ve been under the weather and very physically tired.

With regards,

Hence choosing Chinese opponents might not have been a good idea. They’ve been working on this for 3 thousand years, they can afford to wait a little longer.

Those who think long term tend to profit the most in most things in life. Those who think short term tend to bring a “Drunkards walk” type of chaos to not just theor life but the lives of those around them. Worse those who think short term tend not to see anything but very short term trends thus not only making the chaos worse but in effect become blind to the real long term trends.

For instance, ask the question about just how much of the US has China invested in and you might be surprised by the result…

Thus in part some people in the US political sphear might just have been “woken up to” what that means[1].

However it might be way to little way to late, as I’ve noted before technology is “agnostic to use” it sees no “good guys” and no “bad guys”. It does what it is instructed to do either by direct command or pre-programed response to certain events such as “loss of communications”[2]. Those who plan sufficiently ahead will be able to mitigate the issues, but they are a tiny fraction of the Western populous these days.

I also keep warning that the “attack only” Cyber-Initiatives thought up by the MIC is rather stupid as a policy, you need strong defense to fight a cyber-war as a Soverign nation. Trying to leverage the ideas of “asymetric warfare” does not work in your favour when you are by far the most dependent on Information System Interconect, thus have a hundreds or thousands more vulnerabilities and dependencies… The one lesson that should have been learned from 9/11 was how easily technology can be turned against those who are dependent on it. The fact that most if not all Western nations appear to have not learned that lesson is rather worrying…

[1] For those that are a little uncertain, there is a plot line in Issac Asimov’s early “Foundation” series books, that pointed out that conventional war is difficult to prosecute if not only does your potential enemy control your supply lines but also controls the basic hardware that society has come to deppend on. Imagine if you will what would happen if all fridge / freezers and microwave ovens stopped functioning in the US. Or for that matter washing machines, or car ignition systems all of which are “becoming on line” as a necessity[2].

[2] It’s debatable who is responsible for the “online idiocy” that is now also “Total Surveillance and Control”. Or who let it get a major foothold as “connected systems” such as IoT, Cloud and Smart Phones. But the one thing that is certain, the more “online dependent” everything becomes, the more fragile it becomes and thus in turn society as it’s dependence on such “online idiocy” becomes closer to total. Former President Obama talked of a “big red off switch” for the Internet to prevent hostile attack from one of the “Four Internet Threat Nations”. But what if one of them has already built in it’s own “Big Red Switch Countermeasure” to turn everything off based on some timeout counter? After all just how much use will your IoT based CCTV, TV’s and all those other FMCE and White/Brown goods and vehicles etc be if they stop working when “they can not phone home” to say China? How about those “Smart Meters” deciding they have in effect been tampered with by losing comms and cutting of most peoples gas and electricity in the middle of winter… If your society is dependent on various technologies then making sure they are robust in the longterm is perhaps quite important if you don’t wish to be a “vassal nation”.

Woo • May 16, 2018 5:40 AM

So essentially, the US are banning some products based on the fear that other countries will do to them what the NSA has done to those other countries for years now – bugging and subverting exported products.
Sounds pretty fair to me. If you do unto others…

Supply-Chain Security

Comments

Leave a comment Cancel reply