
> How reasonable do you think it is to be this automatically suspicious of any computer coming from China?

Based on their track record? Pretty fucking reasonable.

I would say that most probably isn't malicious collaboration with the CCP, rather sheer incompetence. Shipping secure anything just isn't part of their culture. Read a comment on HN the other day from someone that evaluated Huawei hardware for a telco and swore it was so full of holes as to be unusable.

The ingrained extreme cheapness of Chinese culture doesn't help. Security is viewed as a luxury - why waste time and money on it when that could be better spent elsewhere?

That said, the incompetence gives them plausible deniability when the intelligence agencies take advantage to exploit the holes for their own use.




What kind of security vulnerabilities do you think an incompetent PC OEM is going to accidentally introduce to a barebones PC that's basically shipping an Intel reference platform and no SSD? Or that GL.iNet might be able to introduce to a system where OpenWRT is assembling the firmware image that gets flashed to the board, and if there are any closed-source components they'd be coming from Mediatek and not developed by GL.iNet?

Shipping telco hardware with a massive bespoke software stack implementing an impossibly-complex pile of standards is very different from what we're talking about here.


> What kind of security vulnerabilities do you think an incompetent PC OEM is going to accidentally introduce to a barebones PC that's basically shipping an Intel reference platform and no SSD?

Historically remote code execution in the IME.

> an incompetent PC OEM

And then it never gets patched.


> Historically remote code execution in the IME.

That's only a problem if the Active Management Technology feature is correctly supported by the OEM including wiring it up to a supported NIC, and the feature is enabled and provisioned by default, and the NIC in question is connected to a network that is a potential attack vector.

From what I can tell, the current NIC of choice for Chinese router PCs is the Intel i226-V, and such PCs come with 4-8 of those. In order to work with the Active Management Technology feature, those would have to be the more expensive i226-LM or i226-IT parts. So AMT is impossible to enable on those PCs and there's no part of the boot firmware that continues interacting with any NIC after the OS has taken over managing PCIe peripherals.


> there's no part of the boot firmware that continues interacting with any NIC after the OS has taken over managing PCIe peripherals

Are you sure about that? Because I remember something called ACPI that gets executed by the OS every time some configuration changes, such as power levels.


> that gets executed by the OS

Do you see the problem here?

Which ACPI table do you expect to be used for delivering malicious executable code?


I'm not that knowledgeable, but I remember Computrace auto-install on a system that didn't even have UEFI.


STH has reviewed Chinese PCs that come preloaded with malware. My MSI motherboard force installs Nahimic by default. Not technically malware but the same mechanism exists for malware.


Do you think any of that is relevant to the case of buying a barebones PC that doesn't include SSD or RAM, then adding those components yourself and installing a non-Windows OS?

If your MSI motherboard is installing Nahimic without an internet connection, it is doing so through a mechanism where the installer is made available to the OS in an ACPI table that Windows checks. That check can be disabled with a registry key to prevent such software from being re-installed, and the motherboard may have a BIOS option to disable the anti-feature (though the registry key method is generally more effective, since BIOS settings often get reset to defaults).
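The ACPI table the comment above describes is the Windows Platform Binary Table (WPBT): the firmware publishes the physical address and size of a PE image plus a command line, and Windows' Session Manager copies the image out and runs it during boot; the registry switch that disables this is the DisableWpbtExecution DWORD (set to 1) under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. The parser below is an added example, not code posted by anyone in this thread, and follows the field layout in Microsoft's WPBT specification; the sample table it builds is constructed, and the OEM strings, image size and address in it are made up. On Linux the same table, if the board exposes one, is readable (as root) at /sys/firmware/acpi/tables/WPBT and is inert, which is a quick way to see what the firmware would push onto a Windows install.

```python
"""Inspect a Windows Platform Binary Table (WPBT).

Added example for this thread, not code from any commenter. Field layout
follows Microsoft's WPBT specification: a 36-byte common ACPI header, then
handoff size (u32), handoff physical address (u64), content layout (u8),
content type (u8), command-line length in bytes (u16) and a UTF-16LE
command line. The sample table built here is constructed; the OEM IDs,
image size and address are made up.
"""
import os
import struct

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")      # 36 bytes, common to all ACPI tables
WPBT_BODY = struct.Struct("<IQBBH")                  # 16 bytes of WPBT-specific fixed fields
WPBT_FIXED_LEN = ACPI_HEADER.size + WPBT_BODY.size  # 52
LINUX_SYSFS_WPBT = "/sys/firmware/acpi/tables/WPBT"

CONTENT_LAYOUT = {1: "single PE image"}
CONTENT_TYPE = {1: "native user-mode application"}


def acpi_checksum_ok(table: bytes) -> bool:
    """ACPI requires every table to sum to zero modulo 256 over its full length."""
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> dict:
    """Decode a WPBT blob; raises ValueError on anything malformed."""
    if len(table) < WPBT_FIXED_LEN:
        raise ValueError("table shorter than the fixed WPBT layout")
    sig, length, rev, _csum, oem_id, oem_tid, _oem_rev, _creator, _crev = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError("signature is %r, not WPBT" % sig)
    if length != len(table):
        raise ValueError("header length %d != blob length %d" % (length, len(table)))
    if not acpi_checksum_ok(table):
        raise ValueError("ACPI checksum mismatch")
    size, addr, layout, ctype, arg_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    if WPBT_FIXED_LEN + arg_len > length:
        raise ValueError("command line runs past the end of the table")
    raw_args = table[WPBT_FIXED_LEN:WPBT_FIXED_LEN + arg_len]
    return {
        "revision": rev,
        "oem_id": oem_id.decode("ascii", "replace").strip(),
        "oem_table_id": oem_tid.decode("ascii", "replace").strip(),
        "handoff_size": size,        # bytes of PE image the firmware left in memory
        "handoff_addr": addr,        # physical address Windows copies it from
        "content_layout": CONTENT_LAYOUT.get(layout, "unknown (%d)" % layout),
        "content_type": CONTENT_TYPE.get(ctype, "unknown (%d)" % ctype),
        "command_line": raw_args.decode("utf-16-le", "replace").rstrip("\x00"),
    }


def is_valid_wpbt(table: bytes) -> bool:
    """True if parse_wpbt accepts the blob, False on any structural problem."""
    try:
        parse_wpbt(table)
        return True
    except ValueError:
        return False


def build_wpbt(oem_id: bytes, cmdline: str, image_size: int, image_addr: int) -> bytes:
    """Assemble a WPBT the way firmware would (constructed test data only)."""
    args = cmdline.encode("utf-16-le") + b"\x00\x00"          # null-terminated UTF-16LE
    body = WPBT_BODY.pack(image_size, image_addr, 1, 1, len(args))
    length = ACPI_HEADER.size + len(body) + len(args)
    header = ACPI_HEADER.pack(b"WPBT", length, 1, 0, oem_id.ljust(6)[:6],
                              b"SAMPLETB", 1, b"EXMP", 1)   # made-up OEM/creator IDs
    unsigned = header + body + args
    checksum = (-sum(unsigned)) % 256                          # checksum byte is at offset 9
    return unsigned[:9] + bytes([checksum]) + unsigned[10:]


def sample_table() -> bytes:
    """Constructed example: a 32 KiB image at a made-up address with installer flags."""
    return build_wpbt(b"SAMPLE", "/quiet /norestart", 0x8000, 0x7F00_0000)


def read_linux_wpbt(path: str = LINUX_SYSFS_WPBT):
    """On Linux the firmware's WPBT, if any, is exposed read-only here (needs root)."""
    if not os.path.exists(path):
        return None
    with open(path, "rb") as fh:
        return parse_wpbt(fh.read())


if __name__ == "__main__":
    for key, value in parse_wpbt(sample_table()).items():
        print("%-16s %s" % (key, hex(value) if isinstance(value, int) else value))
    print("This board exposes a WPBT:", read_linux_wpbt() is not None)
```

On Windows the same bytes can be pulled with kernel32's GetSystemFirmwareTable using the 'ACPI' provider and the 'WPBT' table ID and fed to parse_wpbt unchanged. Note that the handoff address is a physical address into memory the firmware reserved, so the table tells you where the payload is and how it is launched, not what it contains; dumping the image itself needs a physical-memory read, which is a separate step.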


I think if a company is willing to ship windows malware they're also willing to ship UEFI malware.


Please don't ignore the points I've already made about how a firmware-based attack against a non-Windows OS is a lot harder to pull off. I'm not asking if you think a company would be willing to ship such malware, I'm asking what kind of malware you think is realistically possible. What do you expect a UEFI-based malware to be capable of doing in this context, given the constraints of the hardware we're talking about?


I’ve reluctantly come to the view that Apple is the best bet for a consumer to get a somewhat reasonable (price notwithstanding) compromise between hardware vertical integration and software that offers substantial bug bounties and large market incentives to not allow bad vulnerabilities to sit for too long. With deep enough pockets to hang tough if needed in various situations.


Apple also ships bloated buggy software with a massive TCB that makes it almost trivially easy for state actors to break in.


I completely agree about the buggy bloated software but all I’m saying is that it’s the best bet compared to actual consumer alternatives which are generally a frankenmix of the lowest cost components sourced from the lowest cost vendor with minimum effort spent to ensure and maintain any semblance of security.


> I would say that most probably isn't malicious collaboration with the CCP, rather sheer incompetence.

As opposed to the US, where it's the other way around [1]. You prefer that?

[1] https://en.wikipedia.org/wiki/Room_641A


Not only this, but most US companies do not really have any incentive to focus on security.

On HN there is an echo chamber with the shunning of companies who have experienced incompetence based breaches. Your average consumer does not know (beyond the news cycle) or generally even really care.

I think you can even look at FBI and NSA public service announcements and guides about consumer electronics security as a sort of "shit, this industry stuff is pretty bad, we need to think about our goal differently," with regards to them trying to pick up some of the security slack that US companies shit out with their products.


The various 3-letter-agencies really are incentivized to help government and industry be legitimately secure against anything short of the sophisticated attacks they themselves can orchestrate.

When you’ve got the sort of reach and resources they have, it does you no good if script kiddies or unsophisticated attacks are causing problems and you don’t need the easily preventable attack vectors they’d use.


> Read a comment on HN the other day from someone that evaluated Huawei hardware for a telco and swore it was so full of holes to be unusable.

Do you have a link? Would be nice to know more technical details.



Someone evaluated Huawei hardware for many telcos years ago and a lot of them decided the equipment is not only usable, it’s the best choice. So which ones were the incompetents or shills?


They’re not mutually exclusive - as you said, that was years ago, enshittification could well have set in.


Do you have source links to this and how it compares to the US own practice of doing it?


I'm curious how you are currently writing those comments. Other than most of the hardware being made in CN or TW, there are not so many records of targeting normal people. Also you get good hardware cheap, it just works and helps us going forward. Enterprise crap from companies like Intel (especially their server disks) has been a nightmare for years now, and the latest Juniper and Cisco hardcore bugs in software causing soft-drops without any metrics rising on-device - good luck with that. I'm more than happy using CN stuff rather than imaginary safer and better US crap.


As someone who was personally a victim of the 1-2 punch of vulnerable HW and unquestionable malware that took advantage of said vulnerability from the same vendor (and I have the pcaps to prove it), I have sworn off CN garbage forever, I don't care if I have to pay 3x the price.

No one stops you from doing so, just know you will probably be part of a botnet sooner or later.


If you have proof, then why wouldn't you name and shame the vendor in question, or at least be less vague about what kind of product you're talking about? Talking about how you determined that you were being attacked through a combination of hardware and software vulnerabilities would be way more interesting and appropriate for this forum than generic anti-China complaints.

