"Google suspends some business with Huawei after Trump blacklist", and this is the bigger headlining piece of this, but it's not where it all starts. This is kind of an ancillary secondary effect where Google, who's been supplying, you know, working with licensed versions of Android and the Android Play Store and related tools, is now restricted from doing that in the future with some of the Huawei phones and devices. Also, Intel and Qualcomm joined Google in cutting off business with Huawei, and these are all kind of the spiraling effects based on an executive order banning the Huawei system. There are also plenty of other articles, like a Huawei response, and this is all fine and dandy, but this is more the political side of it. This is certainly going to be some of the fallout, but I want to talk about the more objective security side. I mean, politics are fun to talk about, but they also become, you know, riddled with emotion and debate, and we don't know who's playing what side for what reason and what gains financially for doing this. But politics is politics, and that's not what I'm here to talk about.

Let's talk about the actual cybersecurity of Huawei, and this is where things get a little bit bad, especially for Huawei. So: "'Secret' Huawei enterprise router snoop 'backdoor' was actually Telnet service, sighs Vodafone." They thought they found a backdoor. Well, you don't need a backdoor when there's a ton of front doors open because your product is not well made. So it was actually found that they had a Telnet service. Why would you do debugging over Telnet? I don't know, but they were. They had a debugging interface that apparently got left on, and it essentially is like a backdoor, but it's more ineptitude than it is security through obscurity or some type of potential backdoor. Essentially, Huawei is not a secure company. They're not mature in terms of the way they write software, and I'm not saying this because I have some opinion, I'm in the U.S.
and I think, oh, this is some big bad company in China.

We're going to talk specifically about the Huawei Cybersecurity Evaluation Center, HCSEC, oversight board, a report by the National Security Advisory United Kingdom. And we'll jump right into the summary, but I'll leave a link to all 46 pages so you can read them. This starts on page 27. But essentially it's kind of damning when it explains why we see so many bugs with Huawei. Extensive non-adherence to basic secure coding practice, including Huawei's own internal standard mandated since 2013, making vulnerabilities much more likely. The extent of this had reduced between versions, but remained a cause for concern. Extensive incorrect use of safe memory manipulation functions. Extensive misuse of signed/unsigned typing and casting for different variable sizes. Not validating variables is, you know, often key to how these buffer overflows begin and exploits start. Poor management of software component imports, making supportability and lifecycle security very difficult. Inappropriate suppression of warnings from static analysis tools, potentially hiding vulnerabilities. Extensive use of inherently insecure and prohibited memory manipulation functions, and unmanageable build processes, including tool chains that are out of date. They're using old tools or testing in poor sanitation of their variables and the code. Now, also in this report, they talk about using really old versions of Linux to compile this and not updating the tool sets, kind of related to the way the build process and the tool chain is.

And a lot of this comes from not having a mature development team. Here in the US, we've been developing software much, much longer. So generally good companies, there's always going to be exceptions, but generally you have a lot more mentors and people who may be helpful in bringing on, like, senior engineer levels. China does not have as mature of an ecosystem around this. So you have a bigger problem.
Plus the culture is different. The push to market first, get it out there first is, you know, kind of embedded in their culture, from everything I've understood or talked with people who work in that industry. And that does not necessarily mean security first. Now, I know there's US companies that do this as well. It's not like it's isolated to just China, but let's talk about Huawei and the position they're in.

Huawei makes a massive amount of commercial equipment, especially this is related greatly around the 5G. So you're talking about network and routing equipment. And this is a big thing that Huawei wants to bid on and become the infrastructure. And so I pulled up over here the CVE Details. And I'll leave a link to this as well. Lots of red here for all the different devices that are in there. Now granted, some of this is across a lot of devices because they do make a lot. So statistically I'm aware they're going to have more CVEs. But you shouldn't be having CVEs in stuff like your AR3200 series enterprise routers that have severity levels of 10. This is the Fusion Rack one. Where's the other one here? Routers that accepted just crafted packets here, the CVE-2016-6206. This comes down to constantly being released with poor coding practices that allow full level 10 vulnerabilities in enterprise equipment. I get it if you're making the bottom of the barrel consumer equipment. This happens, but we're seeing this in prices. Sometimes the driving factor, not security unfortunately. So yeah, this was cheaper than the other brands. But then it came with these backdoors in it. And like I said, why do you need to put a backdoor in when there's this many front doors in a product?

So they do legitimately represent a bad choice to build infrastructure on, based on the high level vulnerabilities. I'm not saying other companies are amazingly better, but they are better than Huawei, which unfortunately, I don't really think any of them have the 100% grasp of security.
And I'm hoping more of these companies choose to be open source, which would allow for better code auditing, better visibility in there. And if you're building an open source product and you're using really old, and we can see in your build process you're using really old versions of the tool chain, you're going to get called out faster than you do when you have to go through an oversight committee to come in here and build reports on you.

So like I said, all politics aside, the entire Huawei system, it just really is not good. Anyone I've talked to in the enterprise market, you know, friends I've had in this industry, they've not found this equipment to be the best supported. They have talked about, you know, trouble with firmware updates, and obviously security issues with it have not been as easy to patch as they would like. And I know I've called out even large companies like Cisco before with their recent ASAs and the horrible job they did patching them. But the overall track record seems to be worse on Huawei. Cybersecurity is really tough. Programming is really, really tough. It is hard to write enterprise level good products, but at least you should be starting with good tool chains as opposed to starting with really old tool chains, because now you're almost baking in vulnerability from the rip.

So that's my opinion on them in terms of cybersecurity, and like I said, there's going to be more fallout from all the companies that get banned on there. But as far as what do I think of them, because this has come up many times: they're a poorly coded product that's going to have a lot of security holes in it. That's my bigger thoughts on there. Hopefully some vendor comes out there and does more open source for this, so we have better visibility and we have less worries about this. So that's about it. And if you want to read the political stuff, I'm sure you can dive into the politics of all this with all these links I'll leave you. Thanks.