Huawei Denies Involvement in Buggy Linux Kernel Patch Proposal (zdnet.com)
Huawei denied on Monday having any official involvement in an insecure patch submitted to the Linux kernel project over the weekend, a patch that introduced a "trivially exploitable" vulnerability. From a report: The buggy patch was submitted to the official Linux kernel project via its mailing list on Sunday. Named HKSP (Huawei Kernel Self Protection), the patch allegedly introduced a series of security-hardening options to the Linux kernel. Big tech companies that heavily use Linux in their data centers and online services often submit patches to the Linux kernel. Companies like Google, Microsoft, Amazon, and others have been known to have contributed code. On Sunday, the HKSP submission sparked interest in the Linux community as it could signal Huawei's wish to possibly contribute to the official kernel. Due to this, the patch came under immediate scrutiny, including from the developers of Grsecurity, a project that provides its own set of security-hardening patches for the Linux kernel. In a blog post published on the same day, the Grsecurity team said that it discovered that the HKSP patch was introducing a "trivially exploitable" vulnerability in the kernel code -- if the patch was to be approved.
It is not official until officially denied (Score:2, Insightful)
Re: (Score:2, Interesting)
Well, I went to check China Daily which is a CCP mouthpiece and couldn't find anything yet. Fingers crossed? Why are they even allowing patches from known state actors?
Re: (Score:2)
The majority of patches are from untrustworthy sources. State actors, companies, random people we know little about. The system is designed to vet all code before it gets merged, as happened here.
Re: (Score:3)
There won't be anything about any of this in Chinese official state press. They're not idiots. They know the best way to deal with something like this unless it's already being repeated everywhere is to simply ignore it.
Re: (Score:2)
> They know the best way to deal with something like this unless it's already being repeated everywhere is to simply ignore it.
It worked for the virus... at least until February/March.
Re: (Score:2)
As I said, "unless it's already being repeated everywhere." Once it got too big to ignore, the state press had to deal with it.
Comment removed (Score:5, Informative)
Re: (Score:2)
Comment removed (Score:5, Interesting)
Re: (Score:3)
There's something called Occam's Razor. You may want to use it every so often instead of a tinfoil hat.
There is also something called plausible deniability. In the world of spying it's hardly possible to be too paranoid.
Re: (Score:3)
if there were undetected billion attempts before
Finding one example is a far stretch from a billion. There are however a billion rejected patches due to code quality issues, and some actual malice attempted in the past as well which was detected and called out.
No process is perfect.
Would Huawei put their name on it? (Score:3)
If it was a serious attempt, do you think Huawei would sign it? Funny thing about security these days, but precisely because no one trusts China, we know that anything tagged Chinese in any way is going to get extra high levels of scrutiny. I almost feel more secure with Huawei products precisely because I believe the real experts on security are going to go over them with a fine-toothed comb and scream bloody murder if they find anything. (And I certainly feel more secure with Huawei than with most product
Re: Would Huawei put their name on it? (Score:2)
>I think there is a small possibility it did come from someone associated with Huawei. If so, that person just earned getting fired ...the author of the patch is a Huawei employee, and despite attempts now to distance itself from the code after publication of this post, it still retains the
>for incompetence. But I think it much more likely the source is someone trying to make China look bad. Which leads me to the
>question of "What do we actually know about the identity of the source of this patch?"
Re: (Score:2)
Don't know whether or not to trust your source, and it would take too long to assess it. I can't recall ever having heard of it before.
Nor do I know what a "Level 20" staffer is supposed to mean, though it sounds quite implausible on its surface. Any company with that many levels of employees would be creating a lot of confusion and distancing within the ranks of the employees. A system with 20 levels of promotion strikes me as pretty odd.
However, in the context of my comment, you ignored the only question
Re: (Score:3)
If by "just about everyone else", you mean "the set of Microsoft shills", then I agree. Otherwise, Mellissa, take Bill's computer away and don't let him post on /. anymore.
It won't be the last (Score:1)
Re: (Score:2)
What about "Chinese Hackers #1337"?
Re: It won't be the last (Score:2)
...nor would it be under a name easily traceable to Huawei
Western interests, sure; the Chinese haven't quite discovered subtlety yet but when they do, rest assured they'll begin trying to figure out how to implement it.
The CCP definitely needs to re-read Sun Tzu.
Re: (Score:2)
The CCP definitely needs to re-read Sun Tzu.
Indeed, a compendium of ancient conventional military wisdom is always timely.
Without an understanding of the teachings republished by Sun Tzu, modern military commanders might make the horrible mistake of attempting an enveloping maneuver! Of course, if they read Sun Tzu they'll be spared the indignity of this victory, as they will understand that the enemy, once surrounded, will not surrender but will become super-soldiers who fight really hard!
Foo who? Root for him (Score:2)
Meanwhile, the rest of us can read Master Foo's Rootless Root: http://www.catb.org/esr/writin... [catb.org]
Re: (Score:1)
Sheesh. Sun Tzu's _Art of War_ is a treatise of leadership, organizational, diplomatic, and espionage principles disguised as military training stories. Don't you kids get taught *anything* in school these days?
Re: (Score:2)
He's also not right that a good amount of the what-appears-to-be-insight within it is only insightful if you have little knowledge of history, and therefore know how wrong it is.
Re: (Score:2)
Let's try that again.
He's also not wrong that a good amount of what-appears-to-be-insightful within it is only insightful if you have little knowledge of history, and therefore don't know how wrong it is.
Re: It won't be the last (Score:1)
Look at China's growing involvement and influence in Africa. They know about subtlety and use it where needed. They just don't make any effort when it's not needed, when they know the rest of the world doesn't have the balls to do anything.
Hilarious comments in the repository now (Score:5, Informative)
This is from the alleged developer: :) Yes, in no way, shape or form is this at all related to Huawei, nor the government of China. Nothing to see here, move along.
"NOTICE:
This project have done my research in spare time, the name of hksp was given by myself.
It's not related to huawei company, there is no huawei product use these code.
This patch code is raised by me, as one person do not have enough energy to cover every thing,
so there is lack of quality assurance like review and test.
This patch is just a demo code.
"
Re:Hilarious comments in the repository now (Score:5, Insightful)
As a follow up, the article says this guy is "one of its top security engineers". I wonder what the other security engineers at Huawei can do, then.
Huawei - Chinese Communist Party owned (Score:1, Troll)
As a follow up, the article says this guy is "one of its top security engineers". I wonder what the other security engineers at Huawei can do, then.
They can do what they are told to do. Huawei is Chinese Communist Party (CCP) controlled. The company claims to be employee owned but that is CCP-speak for trade union association owned, and the trade union association is naturally controlled by the CCP.
Re: (Score:2)
I don't think he even works for Huawei. We don't even know his name, he doesn't have a Huawei email address.
Re: (Score:2)
When working with Chinese engineers, do they customarily have an email address at the company's domain, or do they instead have a personal email that they also use at work?
Even when it is the CEO of a Chinese engineering firm, and you send an email to their work address, the reply is likely to come from a personal email connected to their phone.
Obedience in China is based on authority, not formalism; they don't worry about formalisms like which domain the email address had, they would expect you to simply v
Re: (Score:2)
In my experience they use a corporate email address for official business.
Re: (Score:1)
Maybe security engineer has the opposite meaning in China?
Also, is it certain that this guy works for Huawei? Usually when you work for a company you do not add their name to stuff you do on your spare time. I would certainly not give credit to someone else for my own work.
Re: (Score:2)
"I wonder what the other security engineers at Huawei can do": Disguise their mischievousness better?
Re: (Score:2)
As a follow up, the article says this guy is "one of its top security engineers". I wonder what the other security engineers at Huawei can do, then.
It's hilarious. He's one of their top engineers, and it has nothing to do with his work, but he used the company name in its title.
No, that is not a reasonable thing to claim.
Lying across cultures is so hard! Who knows which details will stand out. So much easier when you know which questions are allowed to be asked, and which aren't.
Re: (Score:2)
Note also that he is using a gmail address to submit the patch and attached to his GitHub account, not a Huawei one.
Re: (Score:1)
Re: (Score:2, Troll)
everything he does is an official representation of the company
Horsepuckey. I'm one of the top physical security professionals at Amazon, if I personally declare "Olives are the worst food ever inflicted on mankind" that is most certainly **NOT** an official representation from Amazon Corporate. There are channels for official communications, correspondence outside those channels are not official and if I represent them as the company policy then I will be fired (/. frequently carries stories about morons who got fired for doing exactly that).
On the other hand, if I
Re: (Score:2)
And you know this how? Crystal ball? The voices in your head? We don't even know the creator's real name or whether he even works for Huawei at all. I'll "watch this space" to see if someone named Anonymous Coward gets canned.
Re: (Score:2)
They make that claim but don't present any information to back it up. They don't even know his name.
The patch was submitted under the name "wzt wzt", his web site is www.cloud-sec.org but currently down, and his GitHub page doesn't have his name on it either. His other GitHub repos don't seem to have anything to do with Huawei either.
I can't see any evidence that he works for them at all.
Re: (Score:1)
Maybe he's a "top security engineer" by skill but that doesn't mean he's got any executive power or representation capacity. The US already has an unhealthy attitude to employee opinions and hobbies, I realize the C-level can't stay entirely disconnected but if a "top [company] coder" can't submit a shoddy open source patch because his code quality reflects poorly on the company's code quality then all sanity has left. Next thing you'll tell the McD employee that as a "top burger flipper" he can't do any c
Re: (Score:2)
So actually, I do not believe the developer's statement that it was on his own time. When they work on their own time, it is quite good. But what they do on company time...
Mega points for his Social Credit System score (Score:2)
The demo non-functional exploit patch is mine (Score:1)
Please ignore the fact that I submitted it as a kernel patch, for inclusion on every system. And the exploit is just demo code that isn't exploitable by anyone except authorized CCP comrades and anyone that finds it.
Nothing to see, you racist assholes. Move along.
There's no Evidence!! (Score:4, Funny)
Look you anti-CCP racists, there's absolutely no evidence at all that this patch was man-made in Wuhan Lab on October 28th 2019.
NO. EVIDENCE. AT. ALL.
As such, Huewei and the CCP are innocent and this is clearly Trump's fault!
In other news, Lee Harvey Oswald obviously had nothing to do with the Kennedy assassination because he wasn't even alive in 1968 when Bobby Kennedy was assassinated!! IT'S SCIENCE YOU CAN'T DENY IT!
Re: (Score:2)
Please don't tell him that he has access to all the records, he might ask somebody to read them to him and then we're all screwed. Shhhhh....
Re: (Score:1)
Needs more shark fin soup (Score:1)
It was only a matter of time until the Chinese belief in magical remedies enters into the Linux kernel.
Re: (Score:2)
Looking at his code it does seem to be a genuine attempt to harden the Linux kernel. As he states, they are not production-ready patches, but ideas for discussion along with demonstration code.
Given the language barrier, code seems like an ideal way to express those concepts.
Misguided perhaps and nothing to do with Huawei (he is using a Gmail address) but not malicious.
Re: (Score:2)
but not malicious.
You don't know that, you'd have to have a huuuuuuuuge body of knowledge about the situation that isn't publicly available, and won't be in the short term.
You have no idea if it was malicious or not, same as everybody else.
Magical thinking indeed.
Re: (Score:2)
but not malicious.
You don't know that, you'd have to have a huuuuuuuuge body of knowledge about the situation that isn't publicly available, and won't be in the short term.
You have no idea if it was malicious or not, same as everybody else.
Magical thinking indeed.
No. You only don't know it, and by claiming he wouldn't, you are not only concluding from your own lack of experience but are acting malicious in fact, because you're deliberately making a claim you know you cannot do. Of course we forgive you, because we wouldn't find any rest if we continuously accused dumb people of acting maliciously out of ignorance.
But yes, some of us can tell what is and isn't malicious. The Chinese dev did in fact not show any signs of malice. So did he use his company's name and he
Working As Designed (Score:4, Insightful)
This is open source working as designed, and why you're crazy to put your trust in closed-sourced systems if you are at all interested in security.
Coincidentally Working As Designed (Score:3)
This is open source working as designed, and why you're crazy to put your trust in closed-sourced systems if you are at all interested in security.
Coincidentally working as designed because a security group happened to get interested due to the novelty of a Huawei patch. The thousand eyes notion has been known to routinely fail as open source code does not necessarily actually get all those eyes.
"Working as designed" can also be interpreted as the ability to insert exploits as anyone may contribute, at least from CCP and similar perspectives.
Re: Coincidentally Working As Designed (Score:2)
It was referring to review and catching flaws.
Re: (Score:2)
It was referring to review and catching flaws.
As I noted, and pointed out the coincidental nature of the catch this time
Re: Coincidentally Working As Designed (Score:2)
Such patches are all routinely reviewed through Links and his team. You did realise this?
Re: Coincidentally Working As Designed (Score:2)
Oops Linus not links, how embarrassing.
Re: (Score:2)
Such patches are all routinely reviewed through Linus and his team. You did realise this?
And you realize Linus was not credited with the discovery, rather a specialized security group that happened to look at this one.
Re: Coincidentally Working As Designed (Score:2)
Still doesn't make anything coincidental?
Re: (Score:2)
Still doesn't make anything coincidental?
It was coincidental that this security group looked at this patch. They do not regularly do so.
Re: Coincidentally Working As Designed (Score:2)
But others do. So?
Re: (Score:2)
But others do. So?
No. Others do not necessarily do that sort of review. That's the point. This is why exploits occasionally go unnoticed despite the "many eyes" theory.
Re: (Score:2)
Such patches are all routinely reviewed through Linus and his team. You did realise this?
And you realize Linus was not credited with the discovery, rather a specialized security group that happened to look at this one.
Can you comprehend that Linus is in communication with the people who check on things, and he knows if somebody has checked it or not, and if they're competent to review it? Like, he literally reads the same mailing list that they found out about it on, and were talking about it on, so if they hadn't checked, he would know nobody had checked yet?
Did you know that Linus is a rather clever fellow, and not even that far below average? /s
Re: (Score:2)
Re: (Score:2)
It was referring to review and catching flaws.
As I noted, and pointed out the coincidental nature of the catch this time
There was no bug caught. There was a proposal rejected.
Re: (Score:2)
It was referring to review and catching flaws.
As I noted, and pointed out the coincidental nature of the catch this time
There was no bug caught. There was a proposal rejected.
Because it was coincidentally caught in time, this time.
Re: (Score:3)
This is open source working as designed, and why you're crazy to put your trust in closed-sourced systems if you are at all interested in security.
Coincidentally working as designed because a security group happened to get interested due to the novelty of a Huawei patch.
It didn't just "happen" to get reviewed, there is a large body of kernel hackers who know what stuff is important, and significant changes to important systems don't happen without a lot of review.
The system isn't accidental, they've been doing it for decades.
The thousand eyes notion has been known to routinely fail as open source code does not necessary actually get all those eyes.
You're intentionally misrepresenting this concept. Fuck you and your FUD. That's talking about fixing known bugs that are difficult for individual programmers to figure out how to solve. Amazingly, there was a time in the past where some bugs would tak
This vulnerability has been present for nine years (Score:2)
It didn't just "happen" to get reviewed, there is a large body of kernel hackers who know what stuff is important, and significant changes to important systems don't happen without a lot of review.
And they did not find the exploit. It was found because a security group had a unique interest this particular time. From the summary: "On Sunday, the HKSP submission sparked interest in the Linux community as it could signal Huawei's wish to possibly contribute to the official kernel. Due to this, the patch came under immediate scrutiny, including from the developers of Grsecurity, a project that provides its own set of security-hardening patches for the Linux kernel."
The system isn't accidental, they've been doing it for decades.
And yet exploits occasionally go unnotice
Re: (Score:2)
It didn't just "happen" to get reviewed, there is a large body of kernel hackers who know what stuff is important, and significant changes to important systems don't happen without a lot of review.
And they did not find the exploit.
I'm not sure why you want there to be some narrative that ends up making it true that they didn't find it, when actually they did.
Your argument seems to be that it was found by a unicorn, so it doesn't count? Is that correct?
Re: (Score:2)
It didn't just "happen" to get reviewed, there is a large body of kernel hackers who know what stuff is important, and significant changes to important systems don't happen without a lot of review.
And they did not find the exploit.
I'm not sure why you want there to be some narrative that ends up making it true that they didn't find it, when actually they did.
Linus and the regular kernel devs did not find this problem. That is the "they" being referred to here. My point from the first post is that this bug was found by a special security group that had a unique interest in this particular patch.
Re: (Score:2)
It didn't just "happen" to get reviewed, there is a large body of kernel hackers who know what stuff is important, and significant changes to important systems don't happen without a lot of review.
And they did not find the exploit.
I'm not sure why you want there to be some narrative that ends up making it true that they didn't find it, when actually they did.
Linus and the regular kernel devs did not find this problem.
False. You simply don't understand what happened, but you have a narrative anyways.
Re: (Score:2)
It didn't just "happen" to get reviewed, there is a large body of kernel hackers who know what stuff is important, and significant changes to important systems don't happen without a lot of review.
And they did not find the exploit.
I'm not sure why you want there to be some narrative that ends up making it true that they didn't find it, when actually they did.
Linus and the regular kernel devs did not find this problem.
False. You simply don't understand what happened, but you have a narrative anyways.
LOL. What a case of projection you have. Now go re-read the summary. "On Sunday, the HKSP submission sparked interest in the Linux community as it could signal Huawei's wish to possibly contribute to the official kernel. Due to this, the patch came under immediate scrutiny, including from the developers of Grsecurity, a project that provides its own set of security-hardening patches for the Linux kernel. In a blog post published on the same day, the Grsecurity team said that it discovered that the HKSP patch w
Re: (Score:2)
It didn't just "happen" to get reviewed, there is a large body of kernel hackers who know what stuff is important, and significant changes to important systems don't happen without a lot of review.
And they did not find the exploit.
I'm not sure why you want there to be some narrative that ends up making it true that they didn't find it, when actually they did.
Linus and the regular kernel devs did not find this problem.
False. You simply don't understand what happened, but you have a narrative anyways.
LOL. What a case of projection you have. Now go re-read the summary. "On Sunday, the HKSP submission sparked interest in the Linux community as it could signal Huawei's wish to possibly contribute to the official kernel. Due to this, the patch came under immediate scrutiny, including from the developers of Grsecurity, a project that provides its own set of security-hardening patches for the Linux kernel. In a blog post published on the same day, the Grsecurity team said that it discovered that the HKSP patch was introducing a "trivially exploitable" vulnerability in the kernel code -- if the patch was to be approved."
What you don't comprehend is that these are regular kernel contributors. You've got your head stuck so far up your ass you can only imagine one label for them.
Re: (Score:2)
You can use all the vetted open source operating system and programs you want, it's all insecure if your hardware isn't also open for review.
Do you control the Minix microkernel inside your Intel CPU? Answer: no you don't.
Re: (Score:2)
What makes you think it came from Huawei? Anything besides that some anonymous poster using a pseudonym claimed it?
China denies patch came from China. (Score:3, Funny)
Said it came from either the USA or Italy!
Huawei is a long time contributor (Score:5, Informative)
Huawei is a long time contributor to the kernel. See 2017 data compiled by Greg KH at https://www.linuxfoundation.or... [linuxfoundation.org].
- #15 in the list "Top companies contributing to the Linux kernel, 4.8–4.13"
- #3 (after Intel and Google) in the list of companies bringing in the most new developers
I would be surprised if things had changed significantly in the last 2-3 years.
Re: (Score:2)
Bug or feature? (Score:2)
Was this just poor code, or an attempt to slip an exploit into the kernel?
Is it possible to discern the difference?
If it is, and it was not just inept or naive programming, is there anything to be done? Can anything be done?
Re: (Score:3)
It seems more likely just a probe of how good they are at detecting it. It was found easily, so they won't waste whatever nasty code they're sitting on.
not the first time (Score:5, Interesting)
https://linux.slashdot.org/sto... [slashdot.org]
I get the skepticism about Huawei's intentions (Score:2)
but... "On Sunday, the HKSP submission sparked interest in the Linux community as it could signal Huawei's wish to possibly contribute to the official kernel. Due to this, the patch came under immediate scrutiny, including from the developers of Grsecurity, a project that provides its own set of security-hardening patches for the Linux kernel."
Really? Shouldn't this level of scrutiny apply to ANY security change? I mean all sources should be considered as potentially having an ulterior motive.
Re: (Score:2)
Re: (Score:2)
This should be taught to all programmers, engineers, etc who work with computers: always assume everything external to your system is trying to crash or hack it.
Re: (Score:2)
Yes, such scrutiny is already applied to all security patches to kernel, but that doesn't make for sensationalist article does it?
Re: (Score:2)
but... "On Sunday, the HKSP submission sparked interest in the Linux community as it could signal Huawei's wish to possibly contribute to the official kernel. Due to this, the patch came under immediate scrutiny, including from the developers of Grsecurity, a project that provides its own set of security-hardening patches for the Linux kernel."
Really? Shouldn't this level of scrutiny apply to ANY security change? I mean all sources should be considered as potentially having an ulterior motive.
Right, but new sources are obviously even more suspect than the average source.
You vastly underestimate the routine paranoia of kernel developers. It is why we don't "blue screen"! Nothing is trusted. Even when you trust the developer, you still don't trust their code.
They should have called their backdoor "SELinux". (Score:1)
It would have been a great success!
(Snowden leaks & SELinux) -> cognitive dissonance
Re: (Score:2)
Not really. You're assuming that there's a uniformity of purpose behind things, and that's not what the evidence suggests.
That said, I don't use SELinux, because I want to be able to read my disk from multiple different installed kernels. And if you want to be secure, don't put your computer on the net. Use a separate computer for that purpose. There is other hardening that you can do, but a lot of it interferes with updating the system...and the principle thing to do is break external communication lin
Wow, a bug in a code submission... (Score:3)
Do we all really expect people to be uber-kernel-coders from zero-day? [;)]
Is this yet another beat-up article? Similar to the "Chinese hackers attacking Covid-19 research" article.
Beware of propaganda from all factions.
Deny it all, even when caught red-handed (Score:2)
However, in a statement published on Monday, Huawei said that the company has no official involvement in the HKSP project, despite the project using the Huawei name in its title and the project having been developed by one of its top security engineers.
The company said the project was created and submitted to the Linux kernel project by the engineer, without its formal backing, and the HKSP code was never actually used in any of the official Huawei products.
So they will deny anything and everything. But if this proposal did slip through and make it to the kernel, the engineer who submitted the change "without formal backing" will suddenly become a new star in his corporate standing. Maybe get a nice promotion plus a hefty raise. And if, God forbid, this goes on without being detected for years, ALL US corporate environments will be under their thumbs.
More control over HKSP ? (Score:2)
I'm sure the developer in question isn't the only one who has been lazy in that regard
*Were* (Score:2)
Poor Huawei (Score:1)
Re: (Score:1)
Aye, Right. (Score:2)
Well colour me surprised.