US Government Agencies Bought Chinese Surveillance Tech Despite Federal Ban

schwit1 writes: At least three U.S. federal agencies, including the military, have purchased China-made video surveillance equipment banned from use in the federal government. Purchasing records seen by TechCrunch and video surveillance news site IPVM show the agencies collectively spent thousands of dollars on purchasing video surveillance equipment manufactured by Lorex, a wholly owned subsidiary of Dahua Technology. Dahua is one of several China-based companies banned from selling to the federal government under a 2019 defense spending law over fears that the technology could help the Chinese government conduct espionage.

Sieve government.

[Ostracus]

Dahua is one of several China-based companies banned from selling to the federal government under a 2019 defense spending law over fears that the technology could help the Chinese government conduct espionage.

Considering how leaky our government is it's already too late.

Knowing the enemy?

[shanen]

Really feeble FP. No time to even look at the article, eh? Gotta bag that FP. Or if you were going for funny, then it seems even more feeble.

If you had looked at the article, even briefly, then you might have concluded that it's a nothing burger. Spending a few thousand dollars? That means they bought just a few of them. To take apart and study, most likely. NOT a large-scale installation and NOT any significant profit for the Chinese company.

But if they were smart, then the purchases were made in a way that the destinations were not clear, because the Chinese might be cunning enough to swap in harmless and neutered devices for their REAL ones that were headed to security researchers. Actually, the way the article was worded, I suspect those devices may have gone straight to the NSA.

However, I actually doubt the Chinese are stupid enough to randomly ship the really dangerous devices. Instead, they would design and ship devices with features that would support "becoming dangerous" only when needed. There might be traces of the capabilities, but no hard evidence.

Just a wild example if I were trying to design such a device: It would have a big chunk of memory that gets erased any time the machine loses power ior gets reset ior is moved to a new network. Ior detects that it is being tampered with in any suspicious way. That volatile memory is where the actual spying software would be running, but only remotely installed AFTER careful, preferably passive, probing to determine that a particular device was installed in a "useful" location. The factory-state device would be completely harmless.

Re:

[mysidia]

The factory-state device would be completely harmless.

They'd need the factory-state device to not be completely harmless to initially get the non-harmless code installed.

I suppose they could design the cameras so that they inherently go out to the cloud to "Check for updates" and immediately execute instructions provided by a remote server without using a clear, transparent user-controllable update process with payload also available for manual download, but that also should not pass as harmless.

Re:

[shanen]

I'm not fully understanding your reply, but the safe state would presumably be in ROM. The dirty code would only be downloaded in cases where the attackers felt that (1) It's a place worth attacking and (2) There is little risk of being caught. Even if the device uses an EEPROM rather than a ROM, the dirty code should never be stored in any nonvolatile location. Checking for updates might be part of the attack process, but if I was setting up a secure network I would be quite strict about update-related com

Re:

[mysidia]

... , but the safe state would presumably be in ROM. The dirty code would only be downloaded in cases where the attackers felt ...

The problem is if the ROM is in a "Safe state", then there is No way of loading dirty code without administrative access to the device.

Dirty code is not strictly code that executes malicious instructions to conduct other activities.. Backdoors that allow unauthorized access to load different code or deliberate bugs that cause Dirty code to be able to get loaded are also dirt

Re:

[shanen]

Basic concurrence? But of course the manufacturer knows everything about administrative access to the device. And of course anyone could exploit the trigger mechanism if it can be figured out.

Again, I have to reiterate that I am NOT a security expert, but fundamentally speaking, hiding the ability to switch to the unsafe state is the tricky part of it. The trigger obviously cannot be some kind of obvious bug. It would also have to be a piece of code that has a legitimate purpose, but which can somehow be pu

Re:

[Anubis IV]

If you had looked at the article, even briefly

So...welcome to Slashdot. I see you must be new here.

(We actually had a nice chat just last week or the week before, so I know you're not, but still, I couldn't resist poking fun just a bit.)

Re:

[shanen]

Yeah, I considered a RTFA joke, but I can't do Funny.

Having said that, there are many aspects of Slashdot that still mystify me after these many years. But now I see the biggest problem as the lack of a viable financial model that can pay for improvements, even when they are obviously needed.

FP abuse is just an annoyingly visible problem. Not even sure I would be willing to help pay for features focused on that particular problem. I think the moderation might be #1. Or enhancing karma?

Re:

[Ostracus]

Uh huh. Just how many of you are using an ad-blocker on Slashdot? How many have complained recently about "paywalls"? There's no "viable financial model" (beyond the one already being used) because none of you would allow it.

Re:

[shanen]

I sometimes notice that I have an option to remove the ads, but I do not exercise it. Nor do I use ad blockers. I even sometimes pay a tiny bit of attention to the ads, though my fundamental principle is "ads are dubious trash and any company that is relying on ads is also trash". When I visit a website that shows ads I am volunteering to accept the ads even though I think that financial model has died.

The problem with paywalls is that you can't compete with free. Insofar as the amount of free information a

Re:

[shanen]

Serendipitously, the current Slashdot fortune cookie is

"I have more information in one place than anybody in the world." -- Jerry Pournelle, an absurd notion, apparently about the BIX BBS

which is related to my point about time. As long as the BIX BBS contained more information than he could read, there would be no way for him to disprove his thesis. I doubt BIX was that big, but he would probably cite Wikipedia or the google or the entire Internet now. Unless he really was hung up about the ownership idea, in which it does become absurd.

Huawei ban

[Shompol]

At the same time Google is banned from installing app store on Huawei. Can we have that lifted please?

Not politics

[gurps_npc]

First note, that any investigations like this likely refer to things that happen before Biden became President. Will be true for at least another year or so. Takes a while for these things to become public.

That said, this kind of screw up is most likely caused by career bureaucrats, not political appointees. Likely simply someone that did not know the selling company was a subsidiary of a banned company, and did not check. Someone just assumed things and did not find out until it was too late.

Re:

[CrimsonAvenger]

First note, that any investigations like this likely refer to things that happen before Biden became President.

Hmm...May 2021 was mentioned in TFA as one of the purchases...Seems to me I remember an election before May 2021...now who was it who got elected....

Course, you may be thinking of the purchase in July, not the May purchase. Year for the July purchase...2021.

The Army purchase(s) happened under both Presidents, so that's something.

In other words, no, it wasn't that EEEEVIL Trump that this happene

What better way

[jenningsthecat]

to send disinformation to Chinese spies?

Re:

[Ostracus]

Stick goatse.cx in front of all those cameras. Instant regime change.

Thousands of dollars!

[jellomizer]

That sounds more like a general mistake made with probably some low level purchasing manager, who probably was just bargain shopping for the cheapest product.
To keep his budget down, and basically to show general concern about not wasting taxpayer money.

With all the crap and actual waste that goes on in the government, this really seems like a general political oops than some overreaching conspiracy, or hypocritical disregard of a policy, or even a tricky maneuver by China. Because selling a few dozen chea

Re:

[FuegoFuerte]

Yeah, this. Especially if they were buying Lorex, it would be an easy mistake to make... they're sort of Canadian (I believe they were originally an independent Canadian company selling cameras made by Dahua and possibly others), for a while they were owned by Flir (who definitely sells to the US Gov.) and then Dahua bought them from Flir (I think they did it directly, but could have been an intermediate owner in there). So if you do a simple search, you could get any of several different answers to "who

Spent only thousands?

[JeffOwl]

Only thousands of dollars sounds like not enough to do anything useful for surveillance at a government agency level. Perhaps they are buying the equipment to reverse engineer it to determine if there is some actual threat to companies using it. Or perhaps they are doing research on equipment used by adversary agencies to learn how to counter the technology.

Well of Course They Did

[l0ungeb0y]

Chinese Companies are eagerly innovating the future of technology. American companies are fat and happy, treating the US consumer as a captive audience for price gauging and rent begging, and who will in the end cede our entire nation to China as a vassal state, so long as they maintain their wealth and power. Kiss your democracy and freedoms good bye, and welcome to Peter Thiel's and Steve Bannon's Corporate Feudalism, citizen-serf.