Cyber Security: UK Int Panel warns against Huawei...

DaManBugs

LE
Book Reviewer
I've actually nothing to add to the subject, being a total IT biff, but it's been educational reading all the very interesting contributions - even if I didn't understand them fully.

But once again I'm completely amazed at the stupendous depth of knowledge and information the ARRSE community can provide.

MsG
 

endure

GCM
But sold it to Belkin about 5 years ago, who are now trying to flog it to Foxconn...

The best thing about Linksys routers was that you could bung various flavours of open source firmware onto some of them.
 
Huawei have committed to spending several billion on upgrading their processes and instilling more professionalism, but HCSEC said that will be a major undertaking.
As the saying goes, "you can't test in quality - you have to design it in from the start". IMHO, the only way to do it is to hire good people, and train them well. The strictest processes in the industry will still be subverted by the incompetent (see: any number of firms in the subcontinent claiming CMMI Level 5), the greatest toolchains will always be outwitted by the greatest tools...

Unfortunately, much of the rest of the software industry are no better.
True, but the telecoms firms used to be a bit better. I've known people who worked for Cisco, Ericsson, and they seemed to have fairly strict processes. My then-team and I wrote software that's still in some Siemens kit (their early OTN stuff), and they seemed a fairly competent mob.

Don't get me started on some embedded firms though, even my kids learned that one EMV card reader firm were to be known as "f***ing V*****e" for their ability to release software that... just didn't work. Customers as beta testers, what a brilliant idea...
 
(...) My then-team and I wrote software that's still in some Siemens kit (their early OTN stuff), and they seemed a fairly competent mob. (...)
Ah Siemens, funny you should mention them. I haven't dealt with their telecoms division, but while we're talking about the professionalism and competence of Huawei, let's mention a few examples of how things work in other parts of Siemens.

Like the time where Siemens were to supply a critical major bit of embedded hardware to a major global corporation who had billions of dollars of their own and other suppliers' money riding on Siemens delivering on time and working properly. Not to mention the livelihoods of many thousands of people involved. They had one guy responsible for delivering the software for this, and he had been working on it for over a year. Did he use a version control system? Of course not. Did he even make backups of any sort? Don't be silly! It was all on his laptop, which he dropped shortly before the deadline, crashing the hard drive and losing everything. He went running to the IT department, who were fortunately able to recover enough data from the hard drive to rescue the source code. Now that's professionalism! The IT heroes of this story were of course rewarded in the way that all such people are at Siemens: they were the first to go in the next round of cost-cutting lay-offs.

Wasn't poor control of software and configuration one of the major criticisms which HCSEC had about Huawei?

Or how about the time when one of their much praised and highly recommended engineering teams at Erlangen (not the telecoms division) produced a new system which had at its centre a large piece of software written entirely using an obsolete compiler in a proprietary language dialect and incorporating critical components that happened to be pirated software that was no longer being distributed by the owner. To add icing to the cake, the customer found that the resulting software itself was so lacking in diagnostic functionality and ability to tune operating parameters in order to be usable in the field that they had someone local reverse engineer the system and re-write the software for them from scratch.

Oh, and HCSEC had criticisms about Huawei still using an old but still under support OS, that they were in the process of phasing out?

Or how about when a Siemens PhD came up with a new algorithmic solution to a difficult mathematical problem with applications in electrical engineering? This was such a work of genius that it became the foundation of a new bit of Siemens kit, and that kit became a critical part of the capital investment of a customer, again with large sums of money at risk. Only there was one minor problem. The new algorithm was based on the standard model as taught in engineering textbooks, and that model was not quite an exact model; it was an approximation. It was good enough for teaching the engineering principles, but the genuine experts in the field knew that the reality was more complex. The result was that this new system only gave correct answers within a very narrow set of parameters, too narrow to really do what it had been intended to. To my knowledge, there is to this day no practical genuine solution to this problem. In the end, the customer having spent loads of money not just on the Siemens kit, but more importantly on all the investment predicated on it working as advertised, everyone decided they were better off just closing their eyes and pretending it worked rather than opening that can of worms and admitting there was a problem.

But yes, we're definitely talking about a competent mob here.

And since we're talking about security, there's always Stuxnet. If you had to pick the products of any company in the industry who would be most vulnerable, it would have been the kit from Siemens. I don't know a great deal about the PC virus side of it, but given that Siemens liked to incorporate every Microsoft virus magnet they could find into their products whether it needed it or not (part of their "strategic partnership" with Microsoft), there was plenty of scope for using off the shelf viruses. The industrial kit side of it I believe I could have done myself, and if not, then I had the contact details of someone I am quite sure could. Siemens could have made their industrial stuff far more secure while making them much better products than the utter abomination that S7 turned into.

But yes, the state must get involved in ensuring that Huawei doesn't sell poor quality kit for phone systems but it's up to the market to decide when it comes to whatever Siemens sells for controlling everything from electric generating plants to factories to dangerous chemical processes to water supplies and food processing.

Do I sound a bit cynical?
 
Ah Siemens, funny you should mention them. (...) Do I sound a bit cynical?
I seem to recall there being concerns about Siemens in the 90s, yet as you say the major customers were already too heavily invested in them and under pressure to deliver. Siemens did well out of it and went on to acquire major engineering companies, but did they also acquire those companies' best practice or did they impose their own? These days they are certified to ISO 9001. It is to be hoped that reflects real improvements, but certification is not the whole story...
 
I seem to recall there being concerns about Siemens in the 90s (...) These days they are certified to ISO 9001. It is to be hoped that reflects real improvements, but certification is not the whole story...
I used to work with people certified to ISO 9001. Barely worth the paper it was printed on. That was getting on for 10 years ago now, though, so it may be worth more than just a pretty certificate these days.
 
These days they are certified to ISO 9001. It is to be hoped that reflects real improvements, but certification is not the whole story...
Siemens were certified ISO 9000 at the time the above occurred. ISO whatever just means you have a process; it doesn't mean that what comes out of the sausage machine is good. You still need good people, and they need to be free to make good decisions.

I seem to recall there being concerns about Siemens in the 90s yet as you say the major customers were already too heavily invested in them and under pressure to deliver. Siemens did well out of it and went on to acquire major engineering companies but did they also acquire those companies' best practice or did they impose their own?
They currently have a fraction of the lines of business that they used to occupy, and some of those are not doing well and could be next on the chopping block (e.g. power plant equipment). Any time they are in the news, it is generally announcing yet another division being closed down or sold.
 
Save making a new thread:

With Google complying with the US Government's ban on allowing access to certain tech, it looks like Huawei's path might take a different avenue; they are on about their own OS and App Store. I for one was looking at the P30 as a replacement for my current phone but will now look at something else instead. It will definitely hit sales in the West and could mark a downturn in their fortunes.
 

4(T)

LE
(...) With Google complying with the US Government's ban on allowing access to certain tech, it looks like Huawei's path might take a different avenue; they are on about their own OS and App Store. (...)

The Chinese already have a complete range of apps that mimic all of the western flagship brands, so they may choose instead to displace Google/Android in non-US markets.

All they have to do is their normal loss-lead tactic of dumping hardware product into the markets at below cost prices, and then wait for the bundled apps to take hold. E.g. with western social media apps subject to increased legislation, taxation and control, it won't take long for global fickle youth to jump to something nice, trendy(ing) and unregulated.

I'm fairly sure we'll see major swings to China in the apps/OS field as well.
 
(...) These days they are certified to ISO 9001. It is to be hoped that reflects real improvements, but certification is not the whole story...
ISO 9001 is a self-licking lollipop; all it means is that you document your procedures and record that you follow them.

I'm sure a lot of people know of examples where reality is wildly different
 
I'm certain I can't be the only one to note the irony of the OP shilling for President Trump's restrictive trade practices.

Meanwhile, welcome to your new Notthedroid phone powered by:

 
(...) I for one was looking at the P30 as a replacement for my current phone but will now look at something else instead. (...)
Try a look at OnePlus. The new phone is out this month.
 
(...) Meanwhile, welcome to your new Notthedroid phone powered by:

I think I recognise the Kanji, is it "Peeky Inside"?
 

endure

GCM
Consider this. You're a major manufacturer of mobile phones (not Huawei) based outside the USA, which is basically all of them.

You've just seen Google pull the rug out from under Huawei.

Might you not start to consider protecting yourself from similar interference from Google by developing your own ecosystem just in case Uncle Donald takes a dislike to you too?

I suspect this latest move may have unintended consequences for Google.

SailfishOS - Sailfish OS
 

Nemesis44UK

LE
Book Reviewer
(...) I for one was looking at the P30 as a replacement for my current phone but will now look at something else instead. (...)
Exactly my response. I will look elsewhere for my new phone. I'm not sure the P30 is waterproof, others haven't been, so that was a bit of a black mark anyway.
 
