Thread by Matthew Green, 14 tweets, 3 min read
From the UK’s report on Huawei base station software analysis. assets.publishing.service.gov.uk/government/upl…
Also, this section on reproducing the build process is pretty bad. Nobody can even tell if the software running in the equipment was built from the reviewed source.
Many people are saying that other manufacturers probably have the same defects as Huawei. I bet they’re right. This isn’t really the point, though (short thread).
The UK and other western nations have been having a debate about whether to trust Huawei equipment and software to run critical national infrastructure. There are financial motivations, political ones, real concerns etc. It is very complicated and above my pay grade. 2/
What the UK appears to have been attempting is to split this difference. Buy Huawei equipment, but put an independent layer of UK cybersecurity analysis on top — to ensure that they can obtain the financial benefits while also mitigating security concerns. 3/
What this report says is *not* that Huawei is uniquely bad. And *not* that there’s anything malicious in the software. But rather, that the current condition of Huawei SW development makes this external review layer non-functional. 4/
There are several problems here, but they all amount to “our reviews are worthless.” The biggest one is that currently, the UK govt can’t even verify that the code running in Huawei equipment is the same code they were given to review. 5/
This problem of “reproducible builds” is a big annoying one across our industry. The binaries running on the devices have to be the same as the ones that get built from code that’s been reviewed, or you’re just wasting people’s time. 6/
Even if Huawei solves that problem (and they’ve been trying for some time apparently), the codebase is apparently a mess. It contains a bunch of insecure dependencies, each of which brings in a stack of known vulnerabilities. 7/
While this is potentially true of other vendors, particularly those that are just spinning up and have immature codebases, those vendors aren’t trying to achieve the unique feat that the UK-Huawei partnership is: namely make a not-fully-trusted partner into a trusted one. 8/
Personally I think this is an impossible problem, even in the best case. Our best software security techniques are barely sufficient to stop accidental vulnerabilities being introduced by honest developers. They can’t possibly work against a manufacturer acting with malice. 9/
Whether you believe this or not, this report shows that Huawei-UK is nowhere near even having the capability to give this a shot. 10/
Last point: I am not saying that Huawei is malicious. I am only saying that dishonest behavior by Huawei is *within the threat model the UK is applying*, and that the partnership and review systems are trying to rule out. 11/
I’ve worked with Huawei engineers. They were super nice and I found the entire organization to be impressive and earnest.

But, as the Snowden documents showed, it’s never good policy to blindly trust a foreign equipment manufacturer if you don’t trust their government. /Fin
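A concrete form of the check the thread describes in 5/ and 6/: does the image on the device match what an independent rebuild of the reviewed source produces, and is the build even deterministic enough for that question to be answerable? This is an added illustration in Python, not code from the thread or from the UK report; the two build functions are constructed stand-ins for a real toolchain, and the source strings are constructed samples.

```python
import hashlib
from typing import Callable

_BUILD_COUNTER = 0  # stands in for a build number/timestamp a toolchain stamps in

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def deterministic_build(source: bytes) -> bytes:
    """Constructed build step whose output depends only on the source."""
    return b"IMG\x00" + hashlib.sha256(source).digest() + source

def stamped_build(source: bytes) -> bytes:
    """Constructed build step that embeds a per-build counter (as real
    toolchains embed timestamps or paths), so identical source yields a
    byte-different image on every build."""
    global _BUILD_COUNTER
    _BUILD_COUNTER += 1
    return b"IMG\x00" + _BUILD_COUNTER.to_bytes(8, "big") + source

def verify_deployed_image(build: Callable[[bytes], bytes],
                          reviewed_source: bytes,
                          deployed_image: bytes) -> str:
    """Rebuild the reviewed source twice (two independent build environments)
    and compare the results with the image pulled from the device.

    Returns "unreproducible" if the two rebuilds differ (the review cannot be
    tied to the deployed image at all), "mismatch" if the build is reproducible
    but the deployed image was not built from the reviewed source, or "verified".
    """
    first = sha256_hex(build(reviewed_source))
    second = sha256_hex(build(reviewed_source))
    if first != second:
        return "unreproducible"
    if first != sha256_hex(deployed_image):
        return "mismatch"
    return "verified"

# Constructed sample inputs.
REVIEWED_SOURCE = b"int main(void) { return 0; }\n"
TAMPERED_SOURCE = b"int main(void) { return 1; }\n"

if __name__ == "__main__":
    deployed = deterministic_build(REVIEWED_SOURCE)
    print(verify_deployed_image(deterministic_build, REVIEWED_SOURCE, deployed))  # verified
    print(verify_deployed_image(deterministic_build, REVIEWED_SOURCE,
                                deterministic_build(TAMPERED_SOURCE)))            # mismatch
    print(verify_deployed_image(stamped_build, REVIEWED_SOURCE, deployed))        # unreproducible
```

The "unreproducible" branch is the situation the thread describes: until the rebuild is bit-for-bit stable, a hash comparison against the deployed image says nothing either way about the reviewed code.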