Does China own your box?

There have been rumours going around that Microsoft has been cooperating with the US government to build secret backdoors into the upcoming edition of Windows known as Vista to allow easy government access to all of your private data. Well, Arstechnica yesterday did what I think is a pretty good job of putting that particular rumour to rest, primarily with this quote from one of Microsoft’s cryptography programmers.

Over my dead body.

Well, maybe not literally-I’m not ready to be a martyr quite yet-but certainly not in any product I work on. And I’m not alone in that sentiment. The official line from high up is that we do not create back doors. And in the unlikely situation that we are forced to by law we’ll either announce it publicly or withdraw the entire feature. Back doors are simply not acceptable. Besides, they wouldn’t find anybody on this team willing to implement and test the back door.

If you stop and think about it, it’s really a rather absurd idea for Microsoft to add a “feature” like that. It would provide them with no business advantage, since they’re already going to achieve high market penetration based on other features, without having to agree to the NSA’s Big Brother demands.

Now, on the other side we have China. Last year this brief article was published.

Lenovo Group on Monday in Beijing released China’s first security chip – “Hengzhi” which has been approved by the State Encryption Administration and independently developed by the company.

It means that China’s information security-sensitive departments in the government, military and research institutions can now purchase safe PCs independently developed and controlled by Chinese.

According to relevant regulations the design, development and manufacture of China’s encryption chips must rely on independent domestic ability and are forbidden from using relevant foreign products.

Safe Lenovo PCs installed with Hengzhi chips will provide security-sensitive departments in the government, military and research institutions with PC terminals completely developed and controlled by Chinese.

As learned Lenovo will officially launch safe PCs installed with Hengzhi security chips within this year.

hengzhi
A reporter is taking photo for Lenovo’s Hengzhi chip at the 8th Beijing International High-tech Expo.

You may remember Lenovo as the company that now own’s what was formerly IBM’s popular Thinkpad brand of notebook PCs. What you have probably never heard of, however, is the State Encryption Administration. Unfortunately, little information is avaliable in English about China’s encryption regularions (and I wouldn’t be surprised if much of it isn’t even publicly avaliable in Chinese.) We do know, however, that this group was first created in 2000, and while specifics are unclear, the basic framework implemented by the law was as follows:

Import into the PRC: The import of foreign encryption products will only be permissible if approval has been obtained from the State Encryption Administration

Sale/distribution: Encryption products can only be sold or distributed within the PRC by entities which have acquired special permits. Such permits are unlikely to be granted to non-PRC entities such as foreign invested enterprises.

Manufacture: Restrictions also apply to the type of entities which can manufacture encryption products, and such products will require approval.

End-users: Users of foreign encryption products, in use prior to the introduction of the new law, must have registered such use with the State Encryption Administration by last January 31 2000 in order to continue using such equipment. In addition, unlike PRC entities, foreign users must also obtain approval for the use of encryption products.

What this basically means is that any encryption product imported to, or sold in China requires government approval, and I think it is fairly safe to assume that said approval requires a backdoor of the very same type as the rumoured Microsoft one.

In a wonderful bit of double-speak, another news tidbit describes the hengzhi chip as a “significant breakthrough in the field of trusted computing technology.” I presume that the breakthrough in “trusted computing” would be knowing in advance that you cannot trust your own hardware to protect your secrets no matter what procedures you implement. Clearly this does, in the most pedantic sense, represent a breakthrough of a kind.

This article, also referenced by Ars, has a little more to say.

“Lenovo ships a lot of PCs inside China with a Chinese government chip instead of the TPM,” he says. “We don’t know what it does.”

The obvious fear is that the chip gives the Chinese government the ability to access any encrypted communications, something that seems particularly sinister in light of the recent allegations that American technology companies (in particular Yahoo) have helped the Chinese government locate dissidents. But Anderson emphasizes that these machines are only sold within China. “They’re completely unsuitable for the American market,” he says.

The last part is important. While many of are computers are assembled in China, I don’t think that there is any significant danger that secret Chinese spy chips are installed in your Dell, Apple, or even Lenovo computer. Were such a thing discovered, it would immediately trigger the highest level sanctions against the Chinese government, and probably cripple their subcontracted manufacturing industry overnight. However, it seems to be certain that any new computer you buy inside China will most likely have this chip installed, and even a moderately lower price is not, in my mind, enough to make up for inviting the secret police into your secret documents. It may sound paranoid, but I would strongly caution anyone to reconsider a decision to buy computer hardware in China, and if you want to get a cheaper but well made notebook PC, just save your money for a nice Taiwanese Asus or BenQ .

10 thoughts on “Does China own your box?”

  1. The NSA’s involvement with DES (and later AES) was only to make it stronger. People were, uh, silghtly surprised when the outside world discovered differential cryptanalysis and realized that the very specific changes to the DES S-box that the NSA had asked for twenty years earlier made it unusually resistant to the technique. However, there were lots of rumors at the time that the NSA had asked for backdoors, just as now, when they really made it stronger.

    Encryption is really hard to get right. A lot of these countries that insist on “domestic-only” encryption end up picking something that is much easier for US intelligence to crack than if they had chosen US commercial encryption. If China’s building a backdoor into their commercial systems, they’ll be all the easier for the NSA to crack.

  2. Absolutely. I would assume that the Chinese government is smart enough not to use the system with the backdoor on their own confidential information, just in case the NSA or some other foreign intelligence agency has figured out how to use it.

  3. Were such a thing discovered, it would immediately trigger the highest level sanctions against the Chinese government, and probably cripple their subcontracted manufacturing industry overnight.

    Exactly right. If such a thing were discovered, it would be the end of the world because Bush would drop more nukes on China then China has dropped on China (and they’ve dropped a lot for testing) and the world would be over. I don’t think we have to worry about the Chinese government learning about all the porn, I mean secret government documents, we have on our computers. Never-the-less, I’ll use this as a reason to say buy Apple, because even though they’re built in China, they are designed in America and it’s very unlikely that the Chinese government would be able to sneak a chip in an Apple (or Dell Sony Hitachi etc for that matter) without someone knowing about it.

  4. Actually, I believe all of Apple’s products are manufactured by Taiwanese companies. Although of course some of the production will be outsourced to the mainland.

  5. They USED to be… That was actually a deciding factor in my latest computer purchase. (I’m pro-Taiwanese Independence as long as that’s what the people want — I’m not going to try and force it on anyone — and anti-Chinese government as long as they keep being stupid.) The last time I bought an Apple computer it was made in Taiwan, so I was disappointed when my PowerBook said China on the bottom. My mini iPod is also made in China, although I believe some of the same generation ones are made in Taiwan; I’m not sure about the more recent ones though. I’m actually going to go get a new one tonight to play my Daily Show episodes (first every purchase from the iTunes store), so I’ll let you know where the video ones available in Okinawa are from. Oh, my iSight is also China as is the iMac I got for my Mom… 🙁

  6. I don’t want to seem like a conspiracy nut, but I attended hearings on the Hill on the issue of government-mandated backdoors into encryption programs in the early 1990s. In fact they were mandated by law, and a number of computer experts were testifying that the programs were poorly written and so on. I simply don’t buy any such claim that Microsoft “wouldn’t” do such a thing because no one could be found to test it, etc. What fatuous nonsense! There’s always someone will to screw others for the thrill of power or the lure of cash — just look at the illegal spying going on at the NSA right now under the Bush Administration. The engineer is just talking out his ass.

    It doesn’t seem likely that there are secret chips in Chinese computers — it reminds me forcibly of the Kenyan claim I heard when I was in the Peace Corps there that we secretly put contraceptives in US food aid. But backdoors are not only possible but AFAIK mandatory in some programs.

    Michael

  7. But Michael, the Chinese chips aren’t secret-they’re touted in a Lenovo press release as being government approved. And do you really think the Chinese government would approve an encryption chip without a back door?

    Of course, this is all ignoring the fact that you can always run an entirely software based encryption scheme, let’s say PGP, without having any worry about the Chinese government having a backdoor into your system. Of course, we can probably also assume that under Chinese law, using an un-licensed encryption system is probably in and of itself a rather seriously punishable crime.

  8. When this article was first written, the threat of your PC being 0wned by the PRC was a fantasy. Fast forward to the end of 2010 and this is a reality.

    We have had countless incidence of abuse of trusted technology by the PRC since then — US importing counterfeit network equipment with back doors, aurora PDF exploits/gmail hacks, conficker worms, the intercepting 15% of the worlds internet traffic for a day in April 2010 , mandating Green Dam censorware software on all local PCs, the list goes on…

    What is going on with this “Hengzhi chip” or 联想“恒智”安全芯片 as its known locally these days? Presumably there are billions of the things in place now.

Comments are closed.