Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
United States China Communications Politics

Senate Unanimously Approves Bill To Ban Purchase of Huawei Equipment With Federal Funds (thehill.com) 53

The Senate unanimously approved legislation on Thursday that would ban the use of federal funds to purchase telecommunications equipment from companies deemed a national security threat, such as Chinese group Huawei. From a report: The bipartisan Secure and Trusted Telecommunications Networks Act, which the House passed in December, bans the Federal Communications Commission (FCC) from giving funds to U.S. telecom groups to purchase equipment from companies deemed threats. The bill would require the FCC to establish a $1 billion fund to help smaller telecom providers to rip out and replace equipment from such companies, and to compile a list of firms seen as posing a threat to telecom networks.
This discussion has been archived. No new comments can be posted.

Senate Unanimously Approves Bill To Ban Purchase of Huawei Equipment With Federal Funds

Comments Filter:
  • Huawei produces more than just telecom equipment. Tablets, computers etc. are all produced at bottom market prices. Schools and Universities love to purchase these.

  • Micro$oft ???
  • by Jodka ( 520060 ) on Friday February 28, 2020 @02:27PM (#59778890)

    A better plan might be to establish a policy to audit equipment for security, regardless of where it is manufactured.

    Better because banning the purchase of Huawei leaves wide-open other opportunities for intrusion through both intentional and unintended manufactured-in exploits. Another reason is that the legislation continues to deny purchases of Huawei equipment even if Huawei cleans up its act, which is unjust and inefficient.

    This looks more like Congress selling out to the protectionist lobbying of Huawei's competitors than any sincere attempt to improve security, playing to public anti-China and anti-trade sentiments. Though not purely, because the threat of permanent legislative ban on federal purchases has some effect to discourage nefarious acts from other manufactures. Though the effect is also to incentivize development of more effectively covert means of intrusion.

    Open source mandates would helpful, if there were a practical way to verify hardware for conformance to a published design. Maybe if the designs in a hardware description language were published, the entire software toolchain was published, the die layouts were published and silicon on the actual hardware was sampled and imaged and matched to those layouts, then that would work. Uncertain if that is feasible mandate though, the response might be "not selling to you if you require that."

    • A better plan might be to establish a policy to audit equipment for security, regardless of where it is manufactured.

      You can't trust the congress to produce sensible legislation on technical matters. Most of the senators have degrees in law and humanities, and very few in science or technology.

    • A better plan might be to establish a policy to audit equipment for security, regardless of where it is manufactured.

      Even better would be to require all routers bought by the Feds to have open-source firmware. Then a meaningful audit can be done by anyone.

      • by Jodka ( 520060 )

        A better plan might be to establish a policy to audit equipment for security, regardless of where it is manufactured.

        Even better would be to require all routers bought by the Feds to have open-source firmware. Then a meaningful audit can be done by anyone.

        Not so much. The firmware can be flawless, pass an audit and withstand thorough public scrutiny and yet the hardware can be compromised. For example, the hardware could simply not report what is the actual firmware and hide away additional hidden programs which it never reports.

        • There is always some level of security risk. An exploit could be in software, firmware, hardware, the compiler, or a brain implant in the auditor. But deeper levels are far more difficult and less plausible.

          Building an exploit into hardware is way more difficult than doing it in firmware, and will require a lot of additional silicon that will increase cost and power consumption, which means nobody buys the routers.

      • This is all fine and dandy before someone inserts one line like "#include backdoors.c" prior the final build of firmware.

    • by DRJlaw ( 946416 )

      A better plan might be to establish a policy to audit equipment for security, regardless of where it is manufactured.

      Because the International Obfuscated C Code Contest [ioccc.org] has not conclusively shown that audits are not a guarantee of anything.

      Better because banning the purchase of Huawei leaves wide-open other opportunities for intrusion through both intentional and unintended manufactured-in exploits. Another reason is that the legislation continues to deny purchases of Huawei equipment even if Huawei cleans

      • by Jodka ( 520060 )

        A better plan might be to establish a policy to audit equipment for security, regardless of where it is manufactured.

        Because the International Obfuscated C Code Contest [ioccc.org] has not conclusively shown that audits are not a guarantee of anything.

        I am aware that IT security folk prefer to speak in terms of guarantees and agree that it is useful in some contexts, such as proofs of the effectiveness of encryption algorithms. Yet, practically, if 1-bit encryption keeps my grandmother out of my porn 50% of the time then that is an improvement over no encryption. Audits which reduce risk of intrusion are not a guarantee, yet that does not imply that they are not helpful or should be abandoned. Along the same lines, code reviews are no guarantee agai

    • by gweihir ( 88907 )

      A better plan might be to establish a policy to audit equipment for security, regardless of where it is manufactured.

      You mean finding all those Cisco backdoors? The NSA will not like that...

      • you are spreading misinformation either ignorantly or maliciously. The "Cisco backdoors" were not put in by cisco. The shipments were intercepted after they left the vendor and hacked then. Cisco was not involved.
        • I read that as backdoors in Cisco equipment put there by the NSA.

          • the backdoors that were put there by the NSA were put there *after* the device had been shipped from the vendor. The NSA intercepted the packages after they were shipped. The devices were shipped from Cisco *without* any backdoors.
        • by gweihir ( 88907 )

          So you missed all those convenient "bugs" Cisco equipment had in the last few years? Well, you obviously do not know that this is a primary strategy for camouflaging backdoors.

          The only other option is that Cisco developers are exceptionally incompetent and they do not do any meaningful internal code reviews at all. That would be worse.

          • Comment removed based on user account deletion
            • by gweihir ( 88907 )

              And you just show you are even more clueless. Do you have any actual qualifications in this area? I guess not. You just have a big mouth.

              First, there is a timeline for the different actions. Second, there are different types of backdoors and it is desirable tho have more than one in place. And third, a somewhat competent target can detect modified firmware given a reference system, but that does not work for bugs. Also, bug-type backdoors eventually can be discovered by others and then they are gone and new

        • you are spreading misinformation either ignorantly or maliciously.

          He does it every day and continues even if you correct him, so it appears to just be malicious.

          Especially when on other subjects he isn't so stupid. He clearly knows better.

          • by gweihir ( 88907 )

            Especially when on other subjects he isn't so stupid. He clearly knows better.

            Hahaha, funny. On this subject, I happen to be an actual expert. Of course, in the IT Security field, even the most clueless morons think they know how things work and that can lead to them finding actual expert statements outlandish and not credible.

            • Especially when on other subjects he isn't so stupid. He clearly knows better.

              Hahaha, funny. On this subject, I happen to be an actual expert.

              That doesn't help your case. In the slightest.

              Socrates found the same thing, a few years back; none of the purportedly wise men had any clue at all what led to their success, and most of them cited factors that actually interfered with their success but that they had overcome by luck or assistance.

              Here, you presume that because you see yourself as an expert, whatever words you bleet must be wise. Even though the actual meaning of the words you bleeted might be completely false. But because you see yourself

              • by gweihir ( 88907 )

                Especially when on other subjects he isn't so stupid. He clearly knows better.

                Hahaha, funny. On this subject, I happen to be an actual expert.

                That doesn't help your case. In the slightest.

                It does not need to help me. I have no interest in convincing big-ego-small-skills people like you. I am just mocking you.

                • Oh, my, what an impressive epeen you described.

                  I have no doubt you'll report being very satisfied with it.

        • Comment removed based on user account deletion
          • I didn't mention anything about any audit. I simply corrected him that the NSA intercepted the devices after the manufacturer shipped. The manufacturers did not put the fucking backdoors in moron. So yes it is mis-information because he was implying that manufacturers put backdoors in. That is incorrect. sorry to bust your bubble.
            • by gweihir ( 88907 )

              Nope. You did not "correct" me. You made a completely ridiculous claim that the NSA would use just this one way to add backdoors.

    • by cusco ( 717999 )

      This looks more like Congress selling out to the protectionist lobbying of Huawei's competitors

      *cough* Cisco *cough*

  • What about all of the Huawei equipment that has already been installed?
    What about any other equipment that is already installed?
    It may be worthwhile to invest some time, money, and effort on checking up on these devices.

  • Anyone else read it as Senate Unanimously Approves Bill To Ban Purchase of Hawaii?

If money can't buy happiness, I guess you'll just have to rent it.

Working...