Stuff like this is why I have to tell our Chinese CFO why we don't want Huawei network devices. Yes Jeff, I know they are cheap as shit, you cheapskate, but you don't put the cheapest solution in place to run your critical systems on!
World News
A community for discussing events around the World
PW;DR
How the fuck did that happen?
Dear south korean government
please hire me instead. I promise I'm so paranoid, this will never happen.
Suppliers lie.
I know a guy who is the sole reason that software written by <adversary> isn't currently being used in <host country's most top-secret defense environment>. His boss told him to lie if asked, and he refused to and informed <end user>.
Cheap devices
Like every military operation, the job always goes to the lowest bidder, that is still overpriced, because it's just tax money. That's what always cracks me up about stuff that is marketed as military grade.
It's still expensive because everything has to go through OPSEC.
It's expensive because it has to go through a dozen layers of private contractors.
The US military was remarkably good at rapidly churning out cheap, effective armaments during the WW and early Cold War era. But the LBJ/Nixon pivot to private industry eroded all the efficiency. Then Reagan kicked military spending into overdrive in the 80s, and it's been a snowball of waste, fraud, and embezzlement ever since.
Now the model for military procurement is just a jobs program for Congressional districts. The epitome of the Do Nothing profession.
Capitalism. They just bought the cheapest reliable enough option they could find and didn't give two craps about infosec, because that's too expensive to actually properly do. Minimize the financial losses of an upfront purchase. (I worked more than enough jobs in hardware design to know what management cares about and what it doesn't)
Also, big yikes for the Israel flag in your username.
I think this is more of an OPSEC issue than an Infosec one, but both terms work.
Not if they were configured correctly. I.e. on their own, non-Internet connected VLANs.
If you have access to hardware level design, just about anything can happen.
If the network the cameras connect to has no way to reach the Internet, then the cameras can't reach the Internet.
I can think of many ways to transmit data. Doesn't even necessarily have to be the Internet. Internal SIM card? Satellite connection? VLAN is definitely not a solution to a state-level hardware threat.
That is a really weak argument. It implies that no one inspects the device. The cameras I have are blocked at the router on their own VLAN, and since I pulled the cover off of them I know they have no other means of connecting to a network.
I think you misunderstood the previous comment. It's not the devices that need to be configured correctly, but the network they're connected to.
So if they purchased Ring cameras that are feeding everything to American AWS servers it would be ok?
Seems stupid that in a military installation they're using cloud shit
Well, they did remove it when they found out. But....
Look. I'm looking at a Thinkpad. Lenovo owns that line now. I dunno if they can push firmware updates to old, pre-Lenovo models, but they can to current versions. Those things are pretty common in a business setting. AFAIK, the US has never raised any issues with Lenovo and security a la Huawei. But if there was an honest-to-God, knock-down, drag-out war, I assume that Beijing is gonna see whether it can leverage anything like that. And I've got, what...a microphone? A camera? Network access? Maybe interesting credentials or other things in memory or on my drive? I mean, there are probably things that you could do with that.
Then think of all the personal phones that military people have. Microphone. Camera. Network access and radio. Big fat firmware layer.
My guess is that if you did a really serious audit of even pretty secure environments, you'd find a lot of stuff floating around that's potentially exploitable, just due to firmware updates. If you exclude firmware updates, then you're vulnerable to holes that haven't been patched.
Okay, maybe, for some countries, you can use all domestic manufacturers. I don't think that South Korea could do that. Maybe the US or China could. But even there, I bet that there are supply chain attacks. I was reading a while back about some guy selling counterfeit Cisco hardware. He set up a bunch of bogus vendors on Amazon. His stuff got into even distribution channels with authorized Cisco partners, made it into US military networks.
Counterfeit Cisco gear ended up in US military bases, used in combat operations
That guy was just trying to make a buck, though I dunno if I'd have trusted his products. But you gotta figure that if that could have happened, there's room for intelligence agencies to make moves in that space. And that's the US, which I bet is probably the country most-able to avoid that. Imagine if you're a much smaller country, need to pull product from somewhere abroad.
Look. I'm looking at a Thinkpad. Lenovo owns that line now. I dunno if they can push firmware updates to old, pre-Lenovo models, but they can to current versions.
China aside, Lenovo has lost all semblance of trust after the whole Superfish debacle. Sure it's been more than a decade now but their response to that and the fact that it was even approved internally calls a lot into question. I wouldn't dare go near any of their devices.
TIL, if anyone is curious https://en.wikipedia.org/wiki/Superfish#Lenovo_security_incident
Ok so after a quick read it looks like they bundled some software which allowed third parties to eavesdrop on https traffic with a fairly trivial hack?
I've had Lenovo laptops forever. I could be described as a fanboy. I'd never heard about this. It's never nice to hear that something you're a fan of has problems like this.
I guess the only mitigating factor is that it wasn't intentional on Lenovo's part.
If they found out it goes to a specific server, why not just block the server and maybe isolate the network from the Internet? I guess it's easier to replace them, but what's to say the replacements can't have the same flaw if other precautions aren't in place? Like, how do you even get to installing cameras on military bases without thoroughly vetting the firmware on them first?
I wonder if this was the case. From the bloomberg article,
"No data has actually been leaked," they added.
And from Yonhap,
found to be designed to be able to transmit recorded footage externally
So maybe they were designed that way, but it didn't work because the cam network was offline?
Keep in mind that this was on the border with North Korea, so, they'd (the South Korean military) have a very high level of paranoia on being hacked to begin with.
This is just bad spycraft. You don't tell the person who bugged you that you found their bug. You mess with their head by setting up false flags.
Like have maps of China and what look like troop movements.
Or details about tank man.
Maybe this is a double head fake and they have compromised the server in China?
Why not have the cameras on a VLAN that has no Internet access?
Just use a system that connects to a server on base and nothing else
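The two camps in this thread (block the one server you found, versus put the cameras on a segment that can reach nothing but the on-site recorder) can be compared directly on flow records. The script below is an added example, not code from the thread or from any vendor: the 10.50.0.0/24 camera subnet, the 10.50.0.10 recorder, the 203.0.113.7 "phone-home" address and the five sample flows are all constructed. It evaluates both policies over the same flows and renders the default-deny policy as an nftables fragment for the router between VLANs.

```python
"""Egress check for an isolated camera VLAN (added example, constructed data).

Two policies are applied to the same flow records:
  1. blocklist: drop the one server that got noticed, let everything else pass;
  2. default-deny: cameras may reach the on-site recorder and nothing else.
All addresses are assumptions (RFC 1918 / RFC 5737 ranges), not real infrastructure.
"""
import ipaddress
from dataclasses import dataclass

CAMERA_VLAN = ipaddress.ip_network("10.50.0.0/24")   # assumed camera subnet
NVR = ipaddress.ip_address("10.50.0.10")             # assumed on-site recorder
PHONE_HOME = ipaddress.ip_address("203.0.113.7")     # assumed "known bad" server

# What the recorder legitimately needs from the cameras: RTSP and HTTPS.
ALLOWED = {(NVR, 554), (NVR, 443)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


# Constructed flow records, in the shape a router or switch might export them.
SAMPLE_FLOWS = [
    Flow("10.50.0.21", "10.50.0.10", 554, "tcp"),      # camera -> NVR, expected
    Flow("10.50.0.21", "203.0.113.7", 443, "tcp"),     # the server that got noticed
    Flow("10.50.0.22", "198.51.100.40", 8883, "tcp"),  # fallback endpoint, on no list
    Flow("10.50.0.22", "8.8.8.8", 53, "udp"),          # public DNS: a channel by itself
    Flow("10.50.0.23", "10.50.0.21", 80, "tcp"),       # camera poking another camera
]


def from_camera(flow: Flow) -> bool:
    """True when the flow originates inside the camera subnet."""
    return ipaddress.ip_address(flow.src) in CAMERA_VLAN


def blocklist_violations(flows, blocked=frozenset({PHONE_HOME})):
    """Policy 1: only flows to an explicitly blocked address are findings."""
    return [f for f in flows
            if from_camera(f) and ipaddress.ip_address(f.dst) in blocked]


def default_deny_violations(flows, allowed=frozenset(ALLOWED)):
    """Policy 2: any camera flow not on the (destination, port) allowlist is a finding."""
    return [f for f in flows
            if from_camera(f)
            and (ipaddress.ip_address(f.dst), f.dport) not in allowed]


def nft_ruleset() -> str:
    """Render policy 2 as an nftables fragment for the inter-VLAN router."""
    accept_rules = "\n".join(
        f"        ip saddr {CAMERA_VLAN} ip daddr {dst} tcp dport {port} accept"
        for dst, port in sorted(ALLOWED, key=lambda pair: pair[1]))
    return (
        "table inet camera_vlan {\n"
        "    chain forward {\n"
        "        type filter hook forward priority 0; policy accept;\n"
        f"{accept_rules}\n"
        f"        ip saddr {CAMERA_VLAN} counter log prefix \"cam-egress-deny: \" drop\n"
        "    }\n"
        "}\n")


if __name__ == "__main__":
    print("blocklist catches:", len(blocklist_violations(SAMPLE_FLOWS)))        # 1
    print("default-deny catches:", len(default_deny_violations(SAMPLE_FLOWS)))  # 4
    print(nft_ruleset())
```

On the constructed flows the blocklist catches exactly the one server you already knew about; the default-deny policy also catches the fallback endpoint, the DNS query to a public resolver and the camera-to-camera probe. Note that the last of those is same-segment traffic: a forward-chain rule on the router never sees it, so the switch has to enforce port isolation (private VLANs or equivalent) if cameras should not talk to each other. And as the thread points out, none of this helps against a cellular modem or other radio inside the device; that is what the cover-off inspection is for.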
China is the only country that gives you lifetime free cloud storage for your devices
Whether you like it or not