
Where there are security vulnerabilities, I'd rather it be the NSA exploiting them than someone else. The fact that Huawei support engineers have so much power is much more troubling.


This is so obviously true that I found the tone of the post confusing. It's similar to people's reaction to the comparative threat of keeping their email on Google Mail or some random webmail provider that's likely to lose their mail spool to SQL injection. I'm not arguing that the NSA threat isn't worrisome; it is. But other threats are in fact even worse!


Criminals by and large just want money, governments want power. That makes them a far more serious threat.

A government is far more likely to oppress you, deny you rights, blackmail you for political reasons, etc. because it has the resources to do so.


> A government is far more likely to oppress you, deny you rights, blackmail you for political reasons, etc. because it has the resources to do so.

I don't know... you're asserting as a fact here that one is more likely to be oppressed or blackmailed by the USG than by a criminal. But for blackmail alone there are thousands of criminal cases per year in the US, and an incalculable amount of "oppression" caused by criminals generally. What are the numbers for USG cases of blackmail each year? I guess they wouldn't be tallied... But I'd have to estimate that they're somewhat lower.


Criminals and Governments have a long history rich for data mining. If someone wanted to do that study they could.

Asking for facts elides the far more nuanced question of whether it is good for the American Government Marketing Team to continue to operate a known blacksite when the American public is auditing security practices.


The problem with this line of thought is that large criminal enterprises have political goals, and sufficiently large governments have criminal elements with criminal goals within 'em.


Who's more likely to work at the NSA? A man who respects the constitution or a criminal? As the NSA grows in both size and power the answer will become clear. As an NSA employee you'll quit or expose secrets when things get sketchy. The only people who stick around will be... what exactly?


> as the NSA grows in both size and power...

Do you consider this to be a foregone conclusion? Is this not something to be resisted or reversed?


Well not criminals obviously. Only people who have been convicted are criminals. ;-) There are no criminals on Wall Street either.


Men who respect the government. A government that for a "Higher Cause" acts by interpreting through confidential orders who a criminal is.


> Criminals by and large just want money, governments want power. That makes them a far more serious threat.

It's really, really easy to say this living in a place where the rule of law is reasonably robust. There are many parts of the world where this isn't the case.


I am living in Indonesia right now. I would say at first I agreed with you. However what I see as time goes on is that the rule of law in the US is largely an elaborate illusion.

The point of rule of law is supposed to be that the government is bound by the laws. Calling this "robust" with regard to the NSA is the equivalent of putting one's head in the sand....


>There are many parts of the world where this isn't the case.

There are even more parts of the world where the "rule of law" is what oppresses people rather than criminals. Dictatorships, third world monarchies, banana republics etc. And sometimes, criminals and an oppressive government go hand in hand, as in some Latin American countries...


BTW, the district in Indonesia which has the best government is a monarchy (the Sultanate of Jogjakarta). It is a Constitutional Monarchy and the Sultan does not have legislative power (only executive power).

I will admit though that as an American it seems weird to have a Sultan of a small district in a larger parliamentary democracy. It would be like having a King of New Hampshire....


Well, doesn't New Hampshire have the Northeast Kingdom?


They are different threats. You can't say a criminal isn't a threat. One will oppress you, one will stab you. Neither is good.


There was no "tone" to the post. It's not pro or anti NSA. Something was in the news. I saw something related to that. So I reported it.


I don't mean pro- or anti-, but rather my sense of what you thought the most interesting questions were. And not that you were wrong...


I see what you mean; there are two things that most interest me.

The first is "wow, did I just see them in action?".

The second is that journalists are consulting the wrong "experts" in situations like this. They think "cryptographers" are the experts in these Snowden leaks, but the real experts for most stories are incident responders, pentesters, reverse engineers, and even simple IT engineers.

As for being wrong, I'm sure if I could reveal more details, people might be able to debunk me. Sadly, I can't.


tptacek likes to concern-troll NSA discussions on any supposed inaccuracies, any hyperbole, any "tone" he doesn't appreciate, etc.


Safely predicting Rob knows more about me than you do.


Then he'll pick up on it.


I'm not arguing that the NSA threat isn't worrisome; it is. But other threats are in fact even worse!

As HN's possibly-most strident torchbearer for the measurement of organizational dynamics, can you quantify this statement? How are you ranking?


That what with the who now where?

Rob is saying that Huawei retains the commercial ability to log directly into their customer's equipment. That's the lede, not NSA!


Actually, it's not just Huawei, it's pretty much everything. Pretty much every router, telecom switch, storage system, etc. sold outside the United States comes with a support contract whereby the vendor's engineers can connect and manage the device.

Indeed, there's a recent legal case of a company selling stuff to Iran. The company said they weren't responsible, because it was resold by intermediaries. Yet, their support engineers were connecting in to manage the box.

The lede was really "here's what we saw", at least to the extent that we can reveal anything being bound by customer confidentiality agreements (which, frankly, isn't much, which kinda sucks for the reader).


Sure, you're both saying that the least bad option is the best option, which is obviously true. But that's not really the argument, or at least not the end of it. Some of us would like to have options that are significantly better than the best existing option.


You are assuming that an NSA employee is more responsible than a Huawei employee. I am equally uncomfortable with either.


Probability dictates it's more likely Huawei will abuse its power than the NSA will abuse Huawei's power. So be equally uncomfortable if you want, but it's Huawei you should be scared of (in this case).


What probability?

Can you people cut the fucking bullshit? Everyone here is speaking either "quantitatively" or in "probabilistic" terms, but I have yet to see research or actual discourse backing it up.

You're saying Huawei is more power hungry than the NSA?

EDIT: I'm sorry for being so abrasive.


According to probability theory, if you have A (one single condition), and A+B (two different conditions), A will always be more probable to occur than A+B. Not seeing this is called conjunction fallacy, typically elucidated as the Linda problem. In this case, though, we have one known thing (Huawei has tech support accounts), and one unknown thing (the NSA have access to Huawei's tech support accounts).

Huawei accounts alone are already at risk of being abused by Huawei. We don't know if NSA has access to the accounts. But even if they did, it would still be more probable that Huawei's access would be abused than the NSA using Huawei's access.

(edited a few times for clarity)


I appreciate the thorough explanation.

http://www.spiegel.de/international/world/nsa-spied-on-chine...

1) We can assume NSA has access.

2) Is it not the NSA that wants to actively penetrate every single device in existence? https://firstlook.org/theintercept/document/2014/03/20/hunt-...

3) Is there any evidence that Huawei abuses their customers? Like, evidence, not CNN talking points.


I'm just estimating based on assumptions of possibilities. Even if I had evidence that Huawei has never abused their customers, and with evidence that the NSA themselves have used Huawei's accounts to abuse customers, it's still more probable that Huawei's accounts themselves are a greater threat than the NSA abusing them.

Now. Is it more likely that the NSA will abuse them? That's a completely different question. Probability describes the function of an outcome based on a set of fixed parameters; in other words, you can estimate how often a coin flipped will land heads 10 times. The likelihood, however, is based on watching it come up heads 10 times, and would describe whether the coin was rigged or not.

Based on outcomes, is it likely the NSA is spying on customers using Huawei's tech support accounts? The only outcome we can see is one report from a guy who says he saw a Huawei tech support account exfiltrating data that an American intelligence agency would like to have. It's really not enough data to make many conclusions. The only likelihood we can determine is that Huawei accounts are used to exfiltrate data from companies that American intelligence agencies would like.

Like someone else commented (could have been the OP?) another possible actor could be a CIA mole or some bribed/corrupt employee. Could be a rival company, or someone who wants to sell the information. We don't really know. We could assume the NSA is the only organization with an interest in hacking Huawei because this is the only report we've heard about such a thing, but that's speculating about unknowns.

There's really nothing about this action that screams NSA specifically; it's just being correlated with the story because the data appears to be useful for American intelligence. To say that there is no data that could be useful to both American intelligence and other parties would probably be a stretch. The only thing we do know for sure is that Huawei's accounts were used to exfiltrate data; who wants the data, and what for, is a mystery. But what is certain is that you should be afraid of your Huawei support accounts.
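The kind of check the observation above calls for, as an added example that is not from the original post, from Huawei, or from any vendor's tooling: group the log events of a designated vendor-support account into sessions, then flag logins from addresses outside the contractually approved range and large outbound transfers. The log format, the device and account names, the approved address, and the byte threshold are all constructed for this example.

```python
"""Audit vendor-support account activity on a network device (added example)."""
import re
from datetime import datetime

# Constructed, syslog-style records for the example; not taken from any real
# device. Layout: timestamp host EVENT key=value ...
SAMPLE_LOG = """\
2014-03-22T01:12:03Z core-rtr1 LOGIN user=netops src=10.1.4.7 result=ok
2014-03-22T01:13:40Z core-rtr1 CMD user=netops cmd="show interfaces"
2014-03-22T02:05:11Z core-rtr1 LOGIN user=vendor_support src=203.0.113.9 result=ok
2014-03-22T02:06:02Z core-rtr1 CMD user=vendor_support cmd="show running-config"
2014-03-22T02:07:30Z core-rtr1 XFER user=vendor_support dir=out dst=203.0.113.9 bytes=48213000 file=cfg-backup.tgz
2014-03-22T02:09:00Z core-rtr1 LOGOUT user=vendor_support
2014-03-22T03:00:00Z core-rtr1 LOGIN user=vendor_support src=198.51.100.4 result=fail
2014-03-22T04:10:00Z core-rtr1 LOGIN user=vendor_support src=203.0.113.9 result=ok
2014-03-22T04:11:00Z core-rtr1 CMD user=vendor_support cmd="show version"
2014-03-22T04:12:00Z core-rtr1 LOGOUT user=vendor_support
"""

# Hypothetical policy inputs: the accounts that belong to the vendor, the
# source addresses the support contract allows, and how much outbound data
# in one transfer is worth a look.
VENDOR_ACCOUNTS = {"vendor_support"}
APPROVED_VENDOR_SRC = {"203.0.113.9"}
OUTBOUND_BYTES_THRESHOLD = 1_000_000

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one record into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, event, rest = m.groups()
    rec = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["host"] = host
    rec["event"] = event
    return rec


def analyze(log_text):
    """Return the vendor-account sessions and the findings raised against them."""
    sessions, findings = [], []
    open_session = {}  # (host, user) -> session currently being assembled
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("user") not in VENDOR_ACCOUNTS:
            continue  # only vendor accounts are in scope here
        key = (rec["host"], rec["user"])
        ev = rec["event"]
        if ev == "LOGIN":
            src = rec.get("src", "?")
            # Any attempt (successful or not) from outside the approved range
            # is reported: a failed attempt still shows the credential in use.
            if src not in APPROVED_VENDOR_SRC:
                findings.append({"reason": "unapproved_source", "ts": rec["ts"],
                                 "user": rec["user"],
                                 "detail": f"src={src} result={rec.get('result')}"})
            if rec.get("result") == "ok":
                open_session[key] = {"user": rec["user"], "host": rec["host"],
                                     "src": src, "start": rec["ts"],
                                     "commands": [], "bytes_out": 0}
        elif ev == "CMD" and key in open_session:
            open_session[key]["commands"].append(rec.get("cmd", ""))
        elif ev == "XFER" and key in open_session and rec.get("dir") == "out":
            n = int(rec.get("bytes", "0"))
            open_session[key]["bytes_out"] += n
            if n >= OUTBOUND_BYTES_THRESHOLD:
                findings.append({"reason": "large_outbound_transfer", "ts": rec["ts"],
                                 "user": rec["user"],
                                 "detail": f"{n} bytes to {rec.get('dst')} ({rec.get('file')})"})
        elif ev == "LOGOUT" and key in open_session:
            s = open_session.pop(key)
            s["end"] = rec["ts"]
            sessions.append(s)
    # Sessions that never logged out are still reported, with no end time.
    for s in open_session.values():
        s["end"] = None
        sessions.append(s)
    return {"sessions": sessions, "findings": findings}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for s in result["sessions"]:
        print(f"session {s['user']}@{s['host']} from {s['src']} "
              f"{s['start']} -> {s['end']}: {len(s['commands'])} cmds, "
              f"{s['bytes_out']} bytes out")
    for f in result["findings"]:
        print(f"FINDING {f['reason']} {f['ts']} {f['user']}: {f['detail']}")
```

On the constructed log this reports two vendor sessions and two findings: the 48 MB configuration backup pulled out during the first session, and the failed login from an address the vendor was never approved to use. The point is the baseline, not the thresholds: a support account that is contractually allowed in still has every action attributable to a session, a source and a byte count, which is what lets an operator tell "the vendor did routine maintenance" from "someone holding the vendor's credential took the config".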


Your analysis is very comprehensive.

However, I urge you to read this. http://www.spiegel.de/international/world/nsa-spied-on-chine...

"We currently have good access and so much data that we don't know what to do with it," states one internal document. As justification for targeting the company, an NSA document claims that "many of our targets communicate over Huawei produced products, we want to make sure that we know how to exploit these products."


No, your reasoning is a common fallacy: assuming that A and B are independent probabilistic events.

Attackers are not earthquakes.

If we assume that both NSA and Huawei are intelligent actors (spare us the jokes please) and that both NSA and Huawei have the option of abusing a certain power, then

    P(I get pwned) = P(NSA wants to pwn me) + P(Huawei wants to pwn me) + P(other)
Either NSA or Huawei can pwn you with this power, or both. Even if they both elect not to it's still possible someone else can and will.


Sorry, no,

P(A) >= P(A ∩ B)

Always holds whether or not A and B are independent. A contains (A ∩ B) and is therefore always bigger.

The assumption being made is that the NSA can't abuse the Huawei access without Huawei being complicit. I.e. if NSA pwn me, Huawei gave them access, so actually it's the NSA and Huawei pwning me together.

P(NSA pwn me) = P(NSA pwn me because Huawei pwned me and gave them access) <= P(Huawei pwn me)
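The probability argument running through the exchange above, written out as an added derivation that is not part of any comment; the event names H, N and O are mine:

Let H be the event "Huawei's support access is abused by Huawei (or by someone acting through Huawei)", N the event "the NSA abuses that access", and O the event "some other party abuses it".

Monotonicity needs no independence assumption. Because $N \cap H \subseteq H$,
$$P(N \cap H) \le P(H).$$
The upthread inequality $P(N) \le P(H)$ follows only under the extra assumption that the NSA cannot use the access without Huawei-side complicity, i.e. $N \subseteq H$, which gives $P(N) = P(N \cap H) \le P(H)$. Without that assumption the two probabilities are not ordered by this argument at all.

The overall exposure is the probability of the union, not the sum of the parts:
$$P(\text{pwned}) = P(H \cup N \cup O) = P(H) + P(N) + P(O) - P(H \cap N) - P(H \cap O) - P(N \cap O) + P(H \cap N \cap O) \le P(H) + P(N) + P(O).$$
The plain sum is the union bound: it double-counts the overlaps, which are exactly the cases under dispute. Under $N \subseteq H$ the union collapses to $H \cup O$, so
$$P(\text{pwned}) = P(H) + P(O) - P(H \cap O),$$
and the NSA term adds nothing beyond what is already inside $P(H)$.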


> P(A) >= P(A ∩ B) Always holds whether or not A and B are independent

Yeah.

> The assumption being made is that the NSA can't abuse the Huawei access without Huawei being complicit.

I didn't understand that. That seems like a ridiculous assumption.


The article is about the possibility that the NSA could be bribing Huawei engineers or infiltrating Huawei with spies. Either way, it requires Huawei employees to be complicit, and for the Huawei support infrastructure to be compromised.


However, the suggestion upthread wasn't

P(NSA abuses H's access) > P(someone abuses H's access),

which would be an example of the fallacy you cite, but

P(NSA abuses H's access) > P(H abuses H's access).


The article discusses the NSA embedding themselves in the Huawei support infrastructure. If true, Huawei's access is being abused by individuals who work for both Huawei and the NSA. So, in order for the NSA to abuse Huawei's access in the way discussed in the article, then that requires Huawei employees to abuse Huawei's access. Hence, P(NSA abuses H's access) <= P(H abuses H's access)


I don't see how the possibility of abuse immediately assumes execution. For now, we have no evidence of Huawei engineers abusing the infrastructure.

What we do have evidence for is NSA abusing Huawei - http://www.spiegel.de/international/world/nsa-spied-on-chine...


Nothing is assumed to be happening, that's why we're talking about probabilities. We are discussing the possibility that the NSA could be infiltrating and subverting the Huawei support infrastructure. That's what the article is about. We're not discussing whether or not the NSA directly hacked Huawei. While that is also a worrying piece of news, it isn't the same thing.


I can easily think of B conditions that would increase probability so this general rule can't always be correct.


To give you an example, if I pick something up at random, the probability that it is a shoe is at least as big as the probability that it is a red shoe. That's because it can't be a red shoe without also being a shoe. Same thing with the A's and B's. If A and B happen, then that means A happens.


I don't believe there is any conjunction fallacy.

Conjunction fallacy only applies if A=A. Here, your first A is different than your second A, no? If A is "X will abuse account access, given the opportunity" then it matters who is X.


In light of recent revelations it's clear to me that the NSA employees have unsupervised access to an incredible amount of data. I am pretty uncomfortable with that.

I have no information on what sort of access Huawei employees have but I assume at the very least they are not recruited specifically to spy on me and find 'individuals of interest'. People who are recruited to spy on individuals will have a completely different mindset to your average network engineer.

But either way it's a less than ideal situation, and too much power is at the fingertips of these employees.


You are assuming that the individuals are distinct - it is FAR more likely that a TLA agency has implanted support engineers who operate on their orders.


Or a Chinese one.

Just a few years ago, Chinese hackers were caught hacking into the US for no reason. The fact of the matter is that Huawei, with its close connections to the Chinese Government, could be straight up responsible for this.

Remember, half of the western world have banned Huawei devices from their country.

http://www.bbc.com/news/technology-25417332

http://www.theregister.co.uk/2013/11/01/australian_confirms_...

http://online.wsj.com/news/articles/SB1000087239639044398290...

------------------

Keep up with the modern cyberwar, people! The Chinese National Security Committee has already deployed "The Great Firewall of China" and banned the use of VPNs on their shores. HTTPS connections fail randomly in China and encryption is illegal.

Between the US and China, there is one country where people disappear for saying the wrong things on the internet.

http://en.wikipedia.org/wiki/List_of_Chinese_dissidents

http://en.wikipedia.org/wiki/Zeng_Jinyan


I think it's naive to assume that the NSA is the only entity that is likely to be able to exploit vulnerabilities. This is the crux of the controversy around NSA's attacks on web security.

I only see a difference between an opaque, unaccountable organization in the USA and an opaque, unaccountable organization in China when I look through a nationalistic lens.


Qualitatively speaking, I think as opaque as the NSA and CIA are, they're more accountable to the average US Citizen than their Chinese equivalents are to the average Chinese citizen.

They're less accountable than I would like, but they are accountable for their actions.


Not everyone here is American.

The US is just as much a direct threat to my country's economic interests as China. A pity my country's politicians are in Washington's pockets and are silent now when only two years ago they were yammering about the threat from Chinese government hackers and Huawei.


Can you point to that quantitative evidence and where NSA has been held accountable?

I smell propaganda in the air.


FISA Courts. Senate Intelligence Committee. Yes, sometimes they have been ignored, and yes, sometimes they have been rubber-stampers. But presently both are, in some capacity, rebelling and, in some capacity, angling to rein in the intelligence bureaus. Nothing similar exists in, for example, France, Russia, China, or India.


> Nothing similar exists in, for example, France, Russia, China, or India.

Not true. France does have an Intelligence Committee ("Délégation parlementaire au renseignement"). And there is a control organism like the FISA Courts ("Commission nationale de contrôle des interceptions de sécurité"); while legally their decisions are only consultative, in practice the government almost always respects them. And it denies between 1% and 2% of requests, whereas the FISA only denies 0.03%.

However I'm no expert, so I can't say how much power or independence they actually have.

You can read their annual reports (in French):

http://www.ladocumentationfrancaise.fr/rapports-publics/1440... http://www.assemblee-nationale.fr/connaissance/delegation_re...


I thought we were speaking quantitatively. Where's that quantitative evidence?

EDIT: No offense, peterwwillis, but I tend to take arguments such as those from Americans with a grain of salt. Americans like to think that they are better than those nasty commies, but history says otherwise, what with the CIA transporting cocaine and overthrowing foreign governments, and the NSA actively carrying out MITM attacks.


No, he said Qualitatively. He doesn't need numbers, only the subjective property of the NSA or CIA's character versus similar agencies in China. I would probably also wager that we have more accountability over our intelligence agencies than Chinese people have over their intelligence agencies.


> I would probably also wager that we have more accountability over our intelligence agencies than Chinese people have over their intelligence agencies.

Neither citizenry has any meaningful control over "their" spy agencies. They're not your favourite sports team that you need to defend. If you harbour any illusions of democratic control: the elected class is a lot smaller and a few degrees more stable than the candidate pool. Before they get access to power, candidates tend to renounce any action against the NSA.

http://www.politifact.com/truth-o-meter/article/2008/jul/14/...


Sorry, my bad. Qualitatively, it is.

But qualitative statements are of literally no value. It's all gut instinct. Of course you'd like to think that the US can take moral high ground over the Chinese.


Try to get a Chinese security researcher to expose a hack by a Chinese security agency, on their own blog hosted in China. Don't need numbers to know I wouldn't do it. And I'm not American.


I don't see how this is relevant.

What we're discussing is the subjective perception of both agencies. NSA has most of their programs exposed, as opposed to the PLA, and yet the public still gives NSA the benefit of the doubt. Now that's what I call freedom.


What of any of that speaks to "accountability to the average US citizen?"


If they are accountable, where can this company send the bill for the break-in?

Going around like thieves in the night, breaking into places and stealing stuff like common criminals is not exactly the conduct of someone accountable for their actions. I would actually say it's the opposite behavior.


No. It was a username/password assigned to Huawei tech support.


There will always be a person with top level access. In networking these people are chosen by trust.

For example. You can become a Juniper Networks Certified Internet Expert but that doesn't mean you can get a job. People still need to trust you.

And a good spy is someone people trust.


Why would you prefer NSA exploiting them?


Because I'm American, and while I'm not really a fan of most of the shit they're pulling, it's still more likely to be in my interest (or less against my interests) than whatever the PLA has in mind.


Were you somehow under the impression that you need special American keyboards to type in these support logins and passwords?

Everybody is hacking these. You should not feel comfortable.


I would estimate that the US government does a lot more harm to US citizens than the Chinese government.


Why? is the PLA more widely known for hacking individuals, especially American citizens?




I don't see how either of those two articles refutes the assertion that the PLA is more likely to target Americans than the NSA.


1. I was trying to display that NSA engages in the same actions as the PLA. 2. Real evidence points to real attacks on Americans carried out by the NSA. The only tangible shred of information we have about the PLA comes from CNN/MSNBC/Business Insider talking points, and we all know how objective those are.


Isn't this a little bit like being glad that American phone records aren't being processed in Israel?




