Uhh, their WiFi implementation is hacked-together old open source code distributed as statically linked binary blobs. And that is just the software part; there isn't much visibility into the silicon side.
Every hardware manufacturer can be instructed/bribed/forced to add backdoors to their hardware by their own government, hence the necessary push for open drivers/firmware (Broadcom itself, just to name one, has had strong ties with the US govt for a long time).
I can imagine a meeting in which some high-rank officer says "Here's our backdoor blob, you merge this into all your chipsets' firmware, so when necessary we can selectively either shut off Ethernet chips or have them relay information elsewhere as instructed through magic packets, which of course won't be noticed because the LEDs won't blink, and any other chipset seeing these packets will comply as well, letting them pass through without allowing any form of sniffing or telling the system administrator (1)". I can't imagine any manufacturer risking their business by replying "nope, we won't comply"; they will jump when commanded to do so, and if caught the standard reply will be "we were forced" or "they say it's for national security, you know, to catch those evil terrorists!".
(1) It may seem absurd, sort of sci-fi, but having access to the underlying hardware and its firmware would make it not that hard to do. In that case, the only way to safely analyze network traffic would require very fast logic analyzers that wouldn't use any dedicated network chipsets.
The point is: security through obscurity usually doesn't work well, unless the untrusted party is the hardware maker itself, or whoever decides what they put in the hardware; in that case security through obscurity becomes a lot more about obscurity than security, which makes it near 100% effective.
> I can't imagine any manufacturer risking their business by replying "nope, we won't comply"
How about the risk to their business when a multinational corporation is X-raying their cores for backdoors (as one does) and finds the state backdoor, and then decides to no longer do business with the hardware manufacturer because of it—and also publicizes the existence of the backdoor, such that other multinationals pull out as well?
(I say "multinationals" because, presumably, purely-domestic corporations could be compelled by the state to accept the backdoor and say nothing about it.)
I didn’t say it wasn’t debunked, I said that it is what GP was talking about. I didn’t think the “debunked” part was relevant to the question asked that I was responding to. I guess you think it is, so my apologies.
Portions of the US government have tried multiple times to make the addition of backdoors required via public force of law. They're still trying to promote it now. Short of that public requirement, they can ask & issue orders to not discuss the matter, tie it with defense orders, or imply the withholding of export or trade licenses, all contingent upon cooperation. In the end it looks pretty blurry between a request for cooperation and an order.
Even in China, they might not need to rely on explicit state security authority, just tie it up with state sponsored funding or other softer measures.
Are holes in security infrastructure required to collect metadata? Are keys, data that secures content - considered metadata? They're not content. Since you can't discuss the letters publicly, a claim could be that it is metadata, and compel keeping the request to collect it as such secret - similarly the fight from the silenced party, if there were any fight, could be out of public visibility.
No they aren't. Read the Wikipedia page you linked to.
It's great that you can make claims like this based on zero evidence or even allegations, but there is no basis in fact for it.
What's more the number of 3rd party people that have to be involved in something like this make it virtually impossible that the national security letter structure could keep them all silent, especially since there are numerous foreign nationals in the supply chains.
Go read the huge amount of ACLU coverage of these, or the many articles linked, or the congressional testimony. There are no allegations that this mechanism is being used to do what you say.
You seem to be making specific, narrow arguments to cast doubt on a much wider claim.
Not the OP, but I think that addressing specific parts of the claim is extremely important.
We've seen this around the PRISM program, where the allegations of support by tech companies were confused by their support for lawful law enforcement warrants (as opposed to the NSA's dragnet surveillance via PRISM). This confusion has reached the point where I saw a lecturer claiming Google helped the NSA collect data as part of PRISM, where the NSA's own slides[1] show the opposite[2].
FISC/FISCR don't order surveillance, they permit it; the only compulsory powers they have are to limit the scope and conditions of the surveillance permitted, and that's binding on the government under FISA, which criminalizes certain surveillance unless authorized by FISC/FISCR.
And that's a pretty weak compulsion, since the people who are bound are the people who would ordinarily prosecute any federal crime, and they probably aren't interested in prosecuting themselves.
FISA courts issue warrants, which are court orders. All US courts have the power of the writ which means they can issue further orders to effectuate an order or ruling. So a court can order a company to assist the government in the execution of a warrant. This is pretty long-settled law.
The fact that some government agent applies for the warrant does not alter the fact that the warrant, once granted, is an order nor does it remove the power of the writ for further orders to effectuate the warrant.
I've looked - a lot - to try and find a reasonable alternative. I haven't found any devices that are as inexpensive and convenient as the ESP chips. Microchip have some relatively inexpensive WiFi modules that need to be used with another MCU, and Silabs have some modules including an ARM MCU (WGM160P). These still need blobs, but I'm a little happier with a larger, more established silicon vendor.
I think (at least a couple of years ago) you could get a dev kit for Microchip's parts. The difficulty was that then you're responsible for keeping the WiFi stack up to date.
Not unique to Chinese firms either. Sprint resisted blanket surveillance, for a while, and were finally coerced into line. Do you imagine hardware vendors are immune to the same pressure, in the US, Japan, and Europe?