On 24 April 2018 at 21:45, Naslund, Steve <SNaslund@medline.com> wrote:

Hey,
> The US Government considers Huawei and ZTE to have "close ties" to the Chinese government according to the Director of National Intelligence along with the heads of CIA, FBI, and the NSA as stated in testimony before the Senate Intelligence Committee. The founder of Huawei is the former engineering officer of the People's Liberation Army of China.
>
> Now, this only applies to US Government agencies according to their acquisition rules but there have been moves by the FCC to ban these devices from US cellular network. I am not advocating for or against any of these policies and you can run what you want (assuming it can be imported). I myself would be nervous running Huawei code in a device if a cyber war broke out between the US and China.
Thank you for the insight, quite interesting. Call me naive, but I don't think a sticker in a device has any implications on security, as components and code are sourced through complicated chains through various jurisdictions.

Let's assume for a moment that the attacker is the NSA. I don't think that the NSA would want to even push a project through Cisco or Apple via official channels, even if legally allowed, to get some secret backdoor installed, because too many people would be involved in the project and controlling the information would become challenging. Two years from now a lot of those involved people might be in a different company or a different country, how to avoid them from exposing the information?

It seems a much better vector would be to target an individual person with commit rights, ensure you have leverage over them, then ask them to commit a specific set of abstruse code, which is likely to pass code review but introduce functionality which benefits your agenda. Even if this one person would talk, would they know it was the NSA? If they knew, would anyone believe them?

Why would China work differently? Why not pwn one Cisco employee in India to get the code in that the party sees beneficial?

--
  ++ytti