
Anyone have a good resource of backdoor / spy / sketchy China computer manufacturing things?

I always see info about the Huawei scandal, for example, and I would love to read a great write-up of more specific technical details of things going on.




You'll have a hard time finding that.

But you'll have an easier time finding out about companies that sell services related to supply chain integrity protection and counterfeit detection. Googling those topics and companies like Harris Corp is a good place to start. If you look at what these companies do, you should be able to infer what they are protecting against.

From what I gather, the usual threat for this sort of compromise is that adversaries in the supply chain or channel either provide or inject bogus parts or equipment. This may be done for spying purposes, but most often it is just a way to make a little extra money.

The alleged difference with a state-owned entity like Huawei is that the "trusted" supply chain itself is doing untrustworthy things.


Depending on how you define it, I don't think Huawei is technically "state-owned", but because "communism" technically all businesses are owned by the PRC?

But it's not formally a part of the PRC.

Do I understand this correctly?


According to the NY Times, Huawei is owned by a holding company, which is in turn 1% owned by the CEO and 99% by the company's employee union, which is an affiliate of the Shenzhen Government Employee union.

But the union has no control, other than after-work social activity.

It's about as complex and weird as a situation can get. Spies hide in complexity.


I have a feeling the majority of this research is conducted by Five Eyes military counter-intelligence branches (ripping it out of the hands of whoever was on the trail before), with the resulting reports passed around in redacted form to those who need to know (e.g. the manufacturers, suppliers, investors, etc.) but not generally bubbling up to the public, except through backchannels (like my friend in the Navy who warned me ten years ago to avoid buying anything with Huawei chips in it, saying he couldn’t get into the details.)

If the current approach is more of the same, we’ll see these reports declassified in 30 years or so, when China is (in one way or another) no longer the same looming threat it is today.


Intel CPUs have a closed-source management engine inside, does it matter if there will be one more backdoor?


I suspect any modified hardware would be targeted, not every single computer. You probably shouldn't order a computer online if this is your threat model, and instead pay for one off the shelf.


> And instead pay for one off the shelf

If a state actor is sufficiently motivated, even in a physical purchase, your computer will just get switched out for a bugged one at the cashier.

Common OPSEC practice re: buying hardware (or anything you don’t want your name associated with, really), is to pay an unaffiliated proxy to buy it for you.


>your computer will just get switched out for a bugged one at the cashier.

I doubt it. How would they swap it in time if you drove to a random Best Buy, picked out a laptop (I think they still keep them in locked cages on the show floor), and kept eyes on it until checkout? Never mind that they'll need surveillance on you 24/7 and have the exact model ready to go (or be able to plant the bug within minutes) to pull this off. It's much more feasible to only bug delivered/ordered equipment.


It seems really implausible to pull off without making a scene with a bunch of retail workers thinking you're trying to pull off some kind of scam/fraud.


It might be easier to find a 0-day vulnerability in Intel ME and exploit it.


If that's your threat model you aren't taking buying advice from HN.


Was more curious as to just HOW it's done / been done




