Wrong way intersection?

We all look at times: we look in the direction we are going, we look at where we want to be. In this we are all alike, and for the most part, we stop to look at where we were, what we passed and where we came from. These are natural moments. So what is natural about focussing on Huawei, especially the accusations by Finite State, a Matt Wyckhouse undertaking? I have a few issues here. You see, when a person hides behind statements like: “The Finite State report was highly critical of Huawei, claiming that the Chinese company’s “devices quantitatively pose a high risk to their users. In virtually all categories we examined, Huawei devices were found to be less secure than those from other vendors making similar devices.” According to Finite State, this included potential backdoors. “Out of all the firmware images analyzed, 55% had at least one potential backdoor,” Finite State reported. “These backdoor access vulnerabilities allow an attacker with knowledge of the firmware and/or with a corresponding cryptographic key to log into the device.””, when all the bla bla surrounds “Out of all the firmware images analyzed, 55% had at least one potential backdoor“, a percentage of ‘potential backdoors‘, that person should optionally be regarded as a hack doing a hatchet job, plain and simple. A real cyber security firm will give us: “These are the clear backdoors found“; there is no percentage, and it will be presented as evidence, plain and simple. That is how this works; let’s face it, Columbus, Ohio is not really Silicon Valley, is it? (There is a plot twist, read on please.)

And when TechRadar gives us: ‘Huawei’s telecom equipment is more likely to have flaws than rivals’ claims report‘, my question becomes: based on what evidence? When it is linked to: “when compared to similar equipment manufactured by its rivals Juniper and Arista“, why are those dependable? Or perhaps only the NSA has those backdoors? There is a disgusting amount of bias coming out of the mouths of those who should stay absolutely neutral, and it gets worse.

Twenty four

It is like a real-time drama with Kiefer Sutherland: less than 24 hours ago, Cisco gave us: “Cisco issued three “critical” security warnings for its DNA Center users – two having a Common Vulnerability Scoring System rating of 9.8 out of 10“, which is really, really bad, and the rest of the media ignores it completely. So when we get: “In one advisory Cisco said a vulnerability in the web-based management interface of DCNM could let an attacker obtain a valid session cookie without knowing the administrative user password by sending a specially crafted HTTP request to a specific web servlet that is available on affected devices. The vulnerability is due to improper session management on affected DCNM software”, there is a much larger story, especially as Cisco is working to remove a few severe failings in its own system, which are unlikely to be removed for a few more months, all leading to larger issues. Yet the media is seemingly more interested in spouting anti-Huawei materials than in warning potential victims; how does that sit with you?

TechRadar also gives us: “Finite State makes big claims in its report but until it is publicly released, we won’t know for sure if its findings are accurate. However, now that the news is out, further investigation into its legitimacy will likely be carried out by the media, world governments and of course by Huawei itself“, a relatively unknown company in the middle of nowhere; that is how it reads to me, and I will happily have my serve of humble pie when they are proven to be correct. Yet that public release is likely to find delays to maximise on fear, all whilst Cisco is evading the limelight with the help of media friends. This is not entirely correct from my side: Cisco has been warning all kinds of parties since the issues were found, and that is a noble thing, yet the media does not hand that reality to the wider media, does it? (They had no responsibility to do so.)

I have a second issue. This is supposed to be a ‘for profit‘ venture, and that is fine; they have been around for 2 years, yet we now see: “the security report was done pro-bono as the company believed making this information public was the best way to inform policy makers of the security issues in Huawei’s equipment“. So this report, requiring a massive amount of hours and testing if we go by ‘all the firmware images analysed‘ (the initial absence of numbers is also debatable here), with all that time and those resources required, was done pro-bono? Is this, as it goes with deceptive conduct, merely a pro-bono report, or are they servicing Juniper and/or Arista? Is that not a valid question?

I find the setting debatable from the mere TechRadar point of view. From my point of view, well-known cyber experts have looked at Huawei and none of them have given any clear indication that there was a clear and present danger with anything that Huawei has; they had shown previous issues and those had been dealt with, so unless Finite State gives the golden bullet with clear evidence, the future of Finite State might not be that bright. Can we expect anything from a cyber-firm that facilitates for others? Well, yes, but those are not known as Cyber Experts, they are merely digital marketing firms, and the method used implies that they are not very good at what they do.

So I can jump in there and show them how to do it, as long as it comes with 300 W Spring St #1904 as a starting bonus (we all have our price); it is 2 blocks from the Ohio FBI office, as well as a nice view of the Scioto River (good for enjoying coffee in the morning). Would I compromise? Optionally, but do you want to have faith in someone who compromises, or in someone telling you how it is at a price? I get it, at times there is a tactical reason to do things pro-bono, sometimes it brings in the larger fish, yet in this case, when the floor falls from under them in the way it was presented, do you have faith in them looking towards keeping you safe? Is that really the security you want to bank on?

Cisco has issues, yet they came forward (almost) immediately telling us how it is; the fact that the media is treating them as a darling and keeping them out of the media to the largest degree is not a crime, it merely places question marks on the integrity of the media, and how much credibility do they really have?

There is a larger concern, and it is a serious one: the media has set the stage so that less and less information is trusted, especially in fields where trust is essential. It changes the game, but how, we cannot yet tell; there is every concern that Europe, Asia and India are less and less willing to trust US equipment. There have been clear indicators that the 5G evolution did not give rise to trust, and the fact that so-called pro-bono work is working out is also not a given. Until there are clear, trustworthy sources showing that Finite State indeed had the silver bullet, things can only get worse for many over the long term, and that has been proven in several ways over the last decade. That is not what I want.

Let’s not start kidding around here: the report is damning, there is no doubt. When we look past the TechRadar hype and take a serious look at the paper (at the end), we get 55 pages of tech heaven, all jetlagged turbo text, with all the hypes that any techie gets off on.

When a firm gives us: “Across the firmware tested, there were 8,826 observations of vulnerabilities with a CVSS score of 10.0, the maximum severity level, indicating serious flaws in the systems“, it had better come with backing, and the source of the data, as well as the firmware, had better be verifiable; from my point of view, any discrepancy shown and Finite State becomes liable. Even when we see: “Our automated system analyzed more than 1.5 million files embedded within 9,936 firmware images supporting 558 different products within Huawei’s enterprise networking product lines“, the sources are not given to us (as far as I saw). The appendix does give us the hardware list, and it is a huge list, so now that the die is cast we will have to see what happens next, not merely for Huawei and Finite State: large names have stated on the record that no issues had been found, and they will in equal measure be judged if the scrutiny on the Finite State paper holds up. No matter how this goes, there is a shit storm coming and it will impact at least one party, yet how large it will be cannot be stated at present. The claims are too loud, and if the scrutiny breaks the paper it might be the end of Finite State and its board of directors before they got decently started; should they make it, the opposition is a lot larger and it gets to be a lot uglier for many players involved.

The paper also gives clear premises; for one there is: “It is common for embedded devices to ship with a default password enabled for the primary account, “root” in this case, as long as the password can be changed and is documented as part of the standard operating procedure of the device.” OK, that is fair enough, but there is a second part: how many consumers get told how to change that? And how does that compare to the issues found with Sprint, T-Mobile and Verizon, with documented parts that show users how to do that? Is that not equally important? In the end I can debate all the parts until I look like a failed auto-asphyxiation attempt, yet the scrutiny from me has little to no value; it is the response of Huawei and the other players that now becomes the part that matters, because these experts making 1000% or more of what I make will not be allowed the ‘Oops!’ or ‘That was not part of our investigation’ excuse. In that way, whatever comes next will get ugly fast, and in light of my initial exposure of anti-Huawei goons, I have an equal responsibility to take this to the next level, no matter how it goes, because that too is part of accountability. No matter how we slice it, Finite State has given us something serious to look at (one of the very first to do so), so now we look at the boffins at MIT and Stanford and what they make of it, and if the technical dudes at DARPA decide to wake up for this one, that would be nice too.
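To make the "default root password" premise and the "55% of images" headline figure concrete, here is an added example (my own illustration, not code from this post and not Finite State's tooling). It audits the account files extracted from a set of firmware root filesystems, lists each concrete finding per image (empty root password, DES or md5crypt hash, hash left in world-readable passwd), and only then computes the "images with at least one finding" percentage, so the specific evidence sits next to the statistic. The three firmware images, their passwd/shadow contents and the hash strings are constructed sample data; the hash-prefix conventions follow crypt(3).

```python
"""Audit extracted firmware account files for default or weak root credentials.
Added example; all sample images below are constructed, not real firmware."""
import re
from dataclasses import dataclass

# crypt(3) id prefixes. A 13-character field with no prefix is traditional DES crypt.
STRONG_PREFIXES = ("$5$", "$6$", "$y$", "$7$", "$2a$", "$2b$", "$2y$")
WEAK_PREFIXES = ("$1$",)                          # md5crypt
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


@dataclass
class Finding:
    image: str
    account: str
    kind: str      # "empty-password" | "weak-hash" | "unshadowed-hash"
    detail: str


def classify_hash(h):
    """Classify one password field: empty, locked, shadowed, strong, weak or unknown."""
    if h == "":
        return "empty"
    if h[0] in "!*":                              # "!", "*", "!!", "!$6$..." are all locked
        return "locked"
    if h == "x":
        return "shadowed"                         # real hash lives in etc/shadow
    if h.startswith(STRONG_PREFIXES):
        return "strong"
    if h.startswith(WEAK_PREFIXES) or re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "weak"
    return "unknown"


def parse_colon_file(text):
    """Return {name: remaining fields} for passwd/shadow-style files."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        rows[fields[0]] = fields[1:]
    return rows


def audit_image(name, files):
    """files maps 'etc/passwd' / 'etc/shadow' to their text. Returns Findings for
    accounts that are uid 0 or have a login shell; service accounts are skipped."""
    passwd = parse_colon_file(files.get("etc/passwd", ""))
    shadow = parse_colon_file(files.get("etc/shadow", ""))
    findings = []
    for user, f in passwd.items():
        if len(f) < 6:
            continue                              # malformed line, ignore
        h, uid, shell = f[0], f[1], f[5]
        if uid != "0" and shell in NOLOGIN_SHELLS:
            continue
        source = "etc/passwd"
        if h == "x":
            source = "etc/shadow"
            h = shadow.get(user, ["!"])[0]        # no shadow entry: login fails, treat as locked
        state = classify_hash(h)
        if state == "empty":
            findings.append(Finding(name, user, "empty-password", f"{source}: no password set"))
        elif state == "weak":
            findings.append(Finding(name, user, "weak-hash", f"{source}: {h[:4]}... (DES/MD5 crypt)"))
        if source == "etc/passwd" and state in ("weak", "strong"):
            findings.append(Finding(name, user, "unshadowed-hash", "hash in world-readable etc/passwd"))
    return findings


def summarize(images):
    """images: {image_name: files}. Per-image findings first, then the headline percentage."""
    per_image = {n: audit_image(n, files) for n, files in images.items()}
    with_findings = sum(1 for fl in per_image.values() if fl)
    by_kind = {}
    for fl in per_image.values():
        for fd in fl:
            by_kind[fd.kind] = by_kind.get(fd.kind, 0) + 1
    pct = round(100.0 * with_findings / len(per_image), 1) if per_image else 0.0
    return {"per_image": per_image, "images_with_findings": with_findings,
            "percent_with_findings": pct, "by_kind": by_kind}


# Constructed sample: three fake firmware root filesystems (hashes are placeholders).
SAMPLE_IMAGES = {
    "image-A": {"etc/passwd": "root:x:0:0:root:/root:/bin/sh\ndaemon:x:1:1:daemon:/:/bin/false\n",
                "etc/shadow": "root:$6$constructed$NOTAREALHASH0123456789:18000:0:99999:7:::\n"},
    "image-B": {"etc/passwd": "root::0:0:root:/root:/bin/sh\nadmin:x:1000:1000::/home/admin:/bin/ash\n",
                "etc/shadow": "admin:$1$constructed$abcdefghijklmnopqrstuv:18000:0:99999:7:::\n"},
    "image-C": {"etc/passwd": "root:x:0:0:root:/root:/bin/sh\nsupport:aBcDeFgHiJkLm:1001:1001::/tmp:/bin/sh\n",
                "etc/shadow": "root:!:18000:0:99999:7:::\n"},
}

if __name__ == "__main__":
    report = summarize(SAMPLE_IMAGES)
    for image, fl in report["per_image"].items():
        for fd in fl:
            print(f"{image}: {fd.account}: {fd.kind} ({fd.detail})")
    print(f"{report['images_with_findings']}/{len(SAMPLE_IMAGES)} images "
          f"({report['percent_with_findings']}%) had at least one finding")
```

The point of the layout is that the percentage is derived from, and printed after, the enumerated findings; a reader can check each line against the extracted files. A missing shadow entry is treated as a locked account rather than an empty password, since login fails in that case, which keeps the empty-password count honest.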

I look forward to round two, because it will be a beauty to watch on hundreds of channels all over the planet, this would make for great TV (and optionally ten times better than anything the Kardashians can show) so I’ll get the popcorn for this one.

https://finitestate.io/wp-content/uploads/2019/06/Finite-State-SCA1-Final.pdf
