Huawei Says It Would Offer Access To Its Source Code (securityweek.com)
38 points by techinsidr on Oct 24, 2012 | hide | past | favorite | 26 comments


I think it's a nice political move, but I will be surprised if it makes much difference in the end.

It is impossible to demonstrate trustworthiness to someone who isn't willing to believe it.

Some issues which would get raised by your friends if they didn't want you to buy Huawei:

Firstly, you have the problem of underhanded code (e.g. http://underhanded.xcott.com/), e.g. deniable backdoors. Auditing a large C codebase to the point where you have confidence in it is Expensive and Time Consuming.

Secondly, version control gets to be a huge problem. If you are going to rely on the results of your audit, now you have to build the firmware yourself with a trusted toolchain. This is going to be a lot of work. Especially since you now have to do this for every firmware release for every product you use. Most organisations aren't getting patching and release management right even as things stand right now.

Thirdly: do we need to look at the FPGAs, ASICs and "auxiliary" firmware? Are all the parts standard? Where were they fabbed? Can we trust those guys? Is the router we get next month going to be the same board revision, with parts from the same vendors?

Fourthly: how comfortable are the players in various countries going to be with a Chinese state-owned company having their detailed network designs for telcos and core networks? (I mean, pretending they don't already ;)

Paranoid hat mode: I do wonder whether the huge mistrust of Huawei is standard anti-competitiveness... or because everyone's agencies have been using {backdoors, bugs, info} provided by various companies and "friendly employees" for years - and buying Huawei kit just seems like it's making things too easy for certain parties.

If you are interested in these kinds of shenanigans: http://spectrum.ieee.org/telecom/security/the-athens-affair/... is a fascinating read.


Thank you. "Ability to read the source code" is amazingly low for knowing if the code is trustworthy.

And don't forget we have to trust the compiler that compiled the compiler. EDIT: I see you mention "trusted toolchain" in your second point.


In my opinion it's the right way to address this.

They enter the US market to have their reputation instantly destroyed by official US institutions that file concerns about possible spying through their products at a moment when they haven't even looked at them, only to later conclude that security risks were found but none of the allegations were true.

I don't know how big the final damage for Huawei is, but letting them look at the source code in order to avoid this seems like a good way of addressing it.

And that is actually one of the big pro free software arguments in general:

By having the source code openly* available you know when you are screwed over.

Congrats Huawei for what is, in my opinion, the right way to address this issue!

* in the scenario of Huawei they only want to make source code available for analyzing purposes by governmental institutions. That does not change the statement issued above though


I see a flaw here. How would we know that the source code made available to US officials is the actual code built and shipped on their devices? They could be showing officials 'cleaned' code, and then ship different code with spyware/malware baked in. The only way to really trust the code is if an end user can download the source, review it, build it, and install it on their device.


I see a flaw in your flaw.

1st) small chance that spying features are implemented that a paranoid analysis by US officials wouldn't have revealed* (or that the US would have said the products are good while still having reasonable concerns about potential spying)

2nd) I don't know how they would give their source code to government officials, but I guess it's fair to assume that it can be done in a private and trusting manner (also they are probably able to test whether a piece of hardware runs the code given or not)

3rd) the risk of secretive spying features being found is high * * (even if you want to argue it might be lower than described by myself above -> see 1st), and would therefore generally lead to one of the biggest company scandals in 21st century history and completely destroy all of Huawei's business in the entire Western world (not worth it)

* somebody shall correct me if I might be wrong, but wouldn't it be pretty hard to hide spyware in software that is used worldwide by millions of users and that has been the center of governments' attention for a long time?

* * think of the amount of Huawei contractors, the sheer quantity of their sales


It doesn't have to be "spyware" per se. It just has to be a bug or problem that you (and your friends) know about that your customer doesn't.


Nice try, Huawei PR


There's another way, but it's highly technical: Proof carrying code.


Right, except PCC for ARM SoCs is pretty thin on the ground. So they would have to build a PCC compiler and runtime, and then you'd have to audit those...


Still, it would be very hard to make sure that the provided code is indeed the one running on the suspicious machines. The only way I see to make sure of that would be to provide tools to compile and flash the hardware, which doesn't make much business sense. This also gives no protection against silicon-based backdoors that have nothing to do with OS code.


Has anyone compared Ericsson's tech with Huawei's? Honest question. I feel like if you're setting up infrastructure, take it from the countries that do it the best. Ericsson is Swedish, and Sweden was _THE_ first country to roll out 4G (around my parents' place, even).


The technology isn't really relevant. Sure, organizations with unlimited budget would probably choose some other vendor than Huawei. But that really doesn't include most mobile operators in the world. And then what starts mattering is that Ericsson or NSN charges twice as much for the same capacity. Or that Huawei is willing to give financing on good terms (including on parts of the network supplied by other vendors).


I beg to differ. It is very relevant if you want proper infrastructure with reliability and speed.

3G sucks in Singapore, but the 4G is amazing. Ericsson is in charge of the 4G infrastructure here. It's not fully done, but for me it feels like island-wide coverage.

http://www.techinasia.com/wake-disastrous-rainstorm-beijing-...


Let's not forget: Aliyun OS is an admitted illegal closed-source Linux fork (And likely an Android ripoff).

Perhaps China should comply with basic U.S. law if they want to sell things here.


The point is that you can't judge a company solely on where they are from, and that to not only state concern simply because of the company's origin, but to actually completely ruin their reputation by issuing serious concerns about possible spying activities before having analyzed the suspected products, is just wrong.

That is btw exactly what you are doing.

Aliyun OS is illegal, so Huawei has to suffer?

This is at least the logic I draw from your statement in connection with the article.

Note: And after having destroyed part of their reputation in the US and having analyzed their products, the official conclusion was that there were security risks found, but no possible spying or anything.


I guess at some points I can judge a company based on where it's from, especially with the political system in China.


Has that got anything to do with Huawei? As far as I know, that was developed by Alibaba?

Or are you just complaining about Chinese companies in general?


Aliyun is derived from the Android Open Source Project (AOSP). In intent and execution, it is much the same as OPhone, which is another Android-derived OS used in China.

Neither one violates licensing terms for AOSP.

There are many devices that make use of AOSP for a wide range of purposes, from the well-known Amazon Kindle, which competes with Android, to in-vehicle systems you might never know run AOSP.

If you look at the Open Handset Alliance membership, you will find several that either sell OPhone devices, or develop and integrate OPhone system software. And yet Google objects to none of that. Curious, no?


> Perhaps China should comply with basic U.S. law if they want to sell things here.

You'd better hope they don't start with labour law or you might not be able to afford to buy any of their stuff.


I hope you are being ironic.


For the US would never allow spying in the telecommunications infrastructure, would they?


Yes, and get all the bugs they want to fix fixed for free, is it not? And leave open those they deem worth leaving.


Huawei wants to enter US market

-> spying suspicions

Huawei makes source code open

-> all they want is free bug fixing

Is that really fair?

Note: Have you even read the article? They say they would make the source code available for official governmental institutions to analyze it if they wanted, they don't say anything about making it completely open-source!


Making the source code open doesn't help unless you can flash the devices, since you have no guarantee the source code is what's on the devices.

Plus, if the backdoors are in hardware (say the hardware AES implementation has a small key-scheduling "bug" or something), not software, source code wouldn't help.
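Several comments in this thread (the flaw raised earlier about "cleaned" code shown to officials, the point that only compiling and flashing it yourself proves what runs, and this one) come down to the same check: the image on the device must be tied back to the audited source by an independent, reproducible build, and any later update must not quietly add code. The script below is an added example, not code from the thread and not Huawei's tooling; the TLV-style image container, the section names and bodies, and the manifest are all constructed here so it runs offline.

```python
"""Check a shipped firmware image against a manifest from the audited build.

Added example, not code from the thread or from Huawei. The image container
(a toy TLV format), the section contents and the manifest are constructed
here for illustration.
"""
import hashlib
import hmac
import struct

MAGIC = b"FWIM"  # constructed toy container: MAGIC, then name/body records


def build_image(sections):
    """Serialise [(name, body), ...] as MAGIC | {name_len(1) name body_len(4 BE) body}."""
    out = bytearray(MAGIC)
    for name, body in sections:
        nb = name.encode()
        out += struct.pack(">B", len(nb)) + nb
        out += struct.pack(">I", len(body)) + body
    return bytes(out)


def parse_image(blob):
    """Parse the toy container back into [(name, body), ...]; raise on truncation."""
    if blob[:4] != MAGIC:
        raise ValueError("bad magic")
    pos, sections = 4, []
    while pos < len(blob):
        nlen = blob[pos]
        pos += 1
        name = blob[pos:pos + nlen]
        pos += nlen
        if len(name) != nlen or pos + 4 > len(blob):
            raise ValueError("truncated section header")
        (blen,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        body = blob[pos:pos + blen]
        pos += blen
        if len(body) != blen:
            raise ValueError("truncated section %r" % name.decode(errors="replace"))
        sections.append((name.decode(), body))
    return sections


def make_manifest(sections):
    """Per-section SHA-256 of the independently built (audited) image."""
    return {name: hashlib.sha256(body).hexdigest() for name, body in sections}


def verify_image(blob, manifest):
    """Return a list of findings. Empty means every section matches the audited
    build and nothing was added or removed (e.g. by a later 'update')."""
    findings, seen = [], set()
    for name, body in parse_image(blob):
        seen.add(name)
        digest = hashlib.sha256(body).hexdigest()
        if name not in manifest:
            findings.append("unexpected section %r not in audited build" % name)
        elif not hmac.compare_digest(digest, manifest[name]):
            findings.append("section %r differs from audited build" % name)
    for name in manifest:
        if name not in seen:
            findings.append("audited section %r missing from image" % name)
    return findings


# Constructed sample data: what the auditor built from the provided source ...
AUDITED = [
    ("bootloader", b"stage-1 loader built from audited tree (constructed)"),
    ("kernel", b"kernel built from audited tree (constructed)"),
    ("rootfs", b"root filesystem built from audited tree (constructed)"),
]
MANIFEST = make_manifest(AUDITED)

# ... an image that really is that build ...
SHIPPED_OK = build_image(AUDITED)

# ... and one where the kernel was altered and an 'update' added an extra stage.
SHIPPED_TAMPERED = build_image([
    AUDITED[0],
    ("kernel", AUDITED[1][1] + b"\x90\x90\x90\x90"),
    AUDITED[2],
    ("ota-stage2", b"code nobody audited (constructed)"),
])

if __name__ == "__main__":
    for label, img in (("shipped-ok", SHIPPED_OK), ("shipped-tampered", SHIPPED_TAMPERED)):
        findings = verify_image(img, MANIFEST)
        print(label, "OK" if not findings else "; ".join(findings))
```

The manifest is only as trustworthy as the build that produced it, so in practice it comes from a reproducible build on a toolchain you control, and the check is repeated for every release and every update the device accepts. It says nothing about what the silicon does, which is the limit this comment and the one above it point out.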


Exactly. And any update feature, which is typically built into most networking products, could enable a backdoor to be installed at a later date. Could be clean now, but doesn't mean always!


Neither did I say so: if the US tells them 'this does not comply for this & that' there they go: free counseling....

Yes I do not trust them. A.T.a.l.l.

Have you even taken a look at the crappy code they ship their routers with? Take your time

http://conference.hackinthebox.org/hitbsecconf2012kul/materi...



