I've got a Huawei laptop that's pretty nice . . . but I'm reluctant to use it for anything even remotely sensitive.
Am I being overly paranoid? Or should I treat it as basically trustworthy as any other major brand of computer?
The system requires a special app to update drivers and so forth, but frankly this is not additional security exposure, since Huawei bits are all over the machine to begin with.
In a post-Snowden world, why would you trust a 5E product anymore?
Not saying that you should trust Chinese companies, but the notion that they're any worse by speculation, in the face of evidence for the alternatives being complicit in spying on their users, is rather absurd. People can't shake off the good-guy-bad-guy narrative, can they?
> In a post-Snowden world, why would you trust a 5E product anymore?
Because I’m one of the people the 5E apparatus is trying to protect, and if my local spy agency got in touch with me to ask me for my data, I’d give it to them without a second thought.
I’m glad you personally know all personnel involved in the US security apparatus so well that you can so happily vouch that none of them will use details of your private life in a way that you would disapprove of. Even that you can wholeheartedly vouch for the conscience of the US government as a whole is rather surprising, in light of past decades. I envy such a level of trust.
Conveniently you don't need to know everyone individually if you think there is sufficient oversight. I think there hasn't always been, but I am now reasonably convinced someone would get fired if they were poking around in my personal data just for fun, much as I don't worry about individual Google staff reading my email.
One of the biggest dangers is to forget that organizations, be they companies, governments, or whatever else, are made up of people. So you're not voluntarily conceding your information to some organization beyond the base interests of people. As an example of this, one of Snowden's revelations is that the NSA would regularly grab and share sexually explicit photos with their friends. [1] In another instance, NSA workers would spy on their 'love interests' frequently enough that they had a tongue-in-cheek label for it - LOVEINT. [2]
You might support actions such as the NSA spying on the porn habits of Islamic 'radicalizers', planning to release the information in efforts to discredit them. [3] But consider that who governments consider good and whom they consider bad is something very much subject to change. For instance, are you aware of the now infamous letter the FBI sent to MLK in an effort to blackmail him and even drive him to suicide? [4]
These are the people that you'd so happily give your information to. The notion of a black-and-white, good-and-evil world is something out of Hollywood. In reality there are good and 'evil' sides to every nation and organization. And when you submit yourself to any, you don't get to pick who your information is made available to or how it will be used.
Finally there is the matter of risk:reward. You stand an extremely low probability of being victimized at any given point in your life. And even if you are victimized it will be likely to be a petty local offense such as burglary, robbery, assault, etc. These are not the sort of actions that national intelligence agencies are tasked with preventing, which is more along the lines of terrorism and national security dangers. By being so happy to turn over all information about yourself you expose some risk that that information will end up being used against you. How does this increased risk compare against the decreased risk due to whatever value your personal information provides? This is not really possible to measure, so each individual must decide for himself. But I find it difficult to imagine that this is a beneficial exchange.
> As an example of this one of Snowden's revelations is that the NSA would regularly grab and share sexually explicit photos with their friends
I believe the best outcome, by far, of Snowden's revelations was to bring questions like this into the public sphere, and thus hopefully increase oversight. I think this is happening in all areas, private and public.
I would be pretty surprised (although not amazed) if a Facebook engineer could easily read my Messenger messages now and generally stalk me, although I suspect it was very very easy for them to do it a few years ago.
I have a Xiaomi phone. The hardware is pretty nice and I enjoy using it. But I don't trust it and find it creepy as hell.
The built-in file browser shows ads related to random conversations I've had (not related to searches or my general interests) way too often for me to consider it a coincidence.
I'm seriously considering getting an iPhone again, just because I trust Apple a bit more (and only a little).
But there would be no way in hell I would do sensitive work on a Huawei or Xiaomi laptop.
I have the same experience. The hardware is nice for the price but it's loaded with crappy apps.
Some of them are badly translated; updates to a simple calendar app suddenly require ridiculous permissions.
And worst of all, enabling USB debugging to test apps through Android Studio requires a Mi Account. Maybe I'm paranoid but I can't think of a reason other than corporate espionage.
To GP and this: Have you considered the Android One Xiaomi phones? I can't imagine having ads in the default file browser. And a Mi Account for USB debug is just "No".
As with all Android phones (and to a certain extent iOS devices as well), trusting the default operating system is a very bad idea. Unlock the bootloader, flash it with something trustworthy.
There is no perfect security in this world. You can only mitigate your risk exposure.
If you have substantial business interests in China, you’d prefer a non-Chinese brand laptop.
If you are more worried about the IRS going after your financial records, US-based advertisers tracking your online activities or the NSA monitoring your contacts with people in Arab countries, Huawei may be a better choice, since it won’t work with the IRS, Facebook or the NSA.
Are there recorded instances of the IRS actually breaking into people's computers remotely instead of, at the most, getting a warrant for the device to be seized? I guess you'd never know if they did that for parallel construction.
The IRS can ask Dell (with certain legal procedures) to unlock your Dell laptop without you providing your password. It can’t do the same for Huawei devices. That’s a big difference.
Dell doesn't have a way into your TPM, or into Windows' authentication loop. Either would create a gaping security hole very likely to be exploited.
So no, Dell can't unlock/decrypt your laptop without your password. The most they could do is bypass your BIOS/EFI password.
b) Brands are tied at different levels to their nations, and go after people for different kinds of reasons.
I suggest, given the controversy, there's probably a lot of legit risk in using Huawei for any reason.
Unless you're doing something really dangerous, I would not be worried about Windows. There are zillions of tax evaders and other criminals who 'use computers' and don't get caught for that reason in the US.
If you're going to do something really bad, well large American corporations may help out the Feds.
Carriers, web sites and other such places are probably more of a risk than your OS.
The security concern over Huawei is legit, even if there's economic war, and a hint of jingoism mixed in.
I would barely trust Lenovo if I had completely wiped the drive, and even then I'd be wary. Huawei is a whole different animal. I wouldn't allow a Huawei device in my home or office unless it had the battery removed and it was enclosed in a Faraday cage.
I just recently bought a Lenovo for someone close to me. Would you mind elaborating on why you say this about them, and if you really think they can be made somewhat privacy-safe for general use?
One thing that I think too many people forget is: you actually want to be spied on by China (replace with any relevant country) rather than by your own country, because your own country is much more likely to be interested in you than China! I always try to choose hardware or services from countries that are not mine for that reason.
For my children, I chose mail addresses in India (zoho.com) because I am French; not that I trust India more than France, but because being spied on by India will certainly be less harmful for French citizens than being spied on by some European country. I will myself never use a French service or app.
I really laugh when I see my country releasing some new "trustful" services for French citizens: maybe it is true, but I have very little to win (not being spied on by a country that does not care about me anyway) and too much to lose (if a country is about to annoy you, it will certainly be yours).
If I were a Chinese citizen I would certainly not use Chinese products for the very same reason, but an American citizen should be more confident in using such services than in using American ones! Why do American people want to be spied on by the very single country they really have to fear?
You as an individual don't matter. However, there are plenty of individuals with power inside whatever organization they're a part of and/or in the political process of the country they live in, who are vulnerable to the exact same issues.
Are you worried about China, or the company itself? They probably don't care about your credit card info. State secrets, closed source code, or proprietary business processes might be more useful. But anything nefarious would need to be worth getting caught.
I'm sure people will be scrutinizing them a lot closer now?
Huawei is a proxy for the Chinese government so the question is moot.
China is indeed mainly focused internally, but there's no limit to how far they'll go in support of those ends. China attacked Google, Yahoo, Adobe, many others, using a zero-day IE exploit.
Of course they'll use your laptop as part of a botnet, C&C proxy, ransomware vector, etc. There's no benefit of the doubt remaining.
> China attacked Google, Yahoo, Adobe, many others, using a zero-day IE exploit.
Are you Google, Yahoo or Adobe though?
If you're a very high value target, everybody will attack you. NSA, 8400, Russian and Chinese teams, everybody. If you're just an individual working on their personal business, nobody is burning 0days on you.
I have had my personal Lenovo laptop co-opted as part of a botnet, burning my net connection with all kinds of requests to unknown addresses. And this happened after I had it returned from an authorized service center! Needless to say, that was my last Lenovo laptop.
I don't trust that the Government's motives are truly public (maybe the ban is just a consequence of them not being able to implant a backdoor) and I don't trust Huawei... but I also don't trust any other computer/phone manufacturer ever since the Snowden leak. I still use them though because I am not a high value target.
Out of curiosity, does Huawei provide a way to update drivers without the software? I know Dell has a similar offering, but you can still download the drivers from their website.
You would be much better off just getting the drivers directly from the manufacturer of each component. The only one that is likely only from Huawei would be the BIOS, which I guess is one of the more likely ones to be tampered with. :/ Reinstalling the OS from a known good source will likely defeat most attempts at spying on you.
Each laptop has 10+ devices with embedded firmware.
Like battery, HDD/SSD, display, ethernet, wifi and bluetooth modules, keyboard, touchpad, webcam, SD card reader, BIOS/SMM, TPM, etc.
Some of those might be innocuous and unable to host anything malicious, some might seem so but have non-obvious ways to compromise the system. And some, like anything communication related... sky is the limit.
What those have in common is that they are very hard, nearly impossible, to audit and analyze. When was the last time you checked whether your laptop's WiFi firmware isn't doing something nasty? Or your SSD FW?
I think we need to be worried about a lot more than just BIOS and OS.
Only on Windows. The mobo firmware only provided dumb storage. Windows has a feature that reads a section of the storage and automatically installs whatever it finds in it.
I think the idea is to provide a feature for persistent spyware. For example if a company wanted to be able to track their laptops even if someone factory resets it.
I have yet to become allergic to Google snooping but understand that lack of trust to be very well founded. I think I understand their secure boot architecture, though. Whereas I simply cannot trust Windows Secure Boot based vendor firmware.
Apple iOS devices. Their macOS Intel computers are about as trustworthy as Chromebook Intel.
Not-so-recent ThinkPad laptops with OpenBoot BIOS are ok.
But.
All of these devices have radios, each with their own black-box operating systems. I don't know how to develop a basis for trust there.
So I am left with very few alternatives.
A Raptor Talos II Workstation, with a custom battery-based power supply, locked inside a Faraday cage. Turned off.
I'm sure y'all got opinions :-)