Lenovo: Companies working in China may have to install local backdoors

heidar | 177 points

Purism is working with coreboot to provide laptops where you can verify the integrity of firmware on your device, within the limits of Intel CPUs.

https://www.tomshardware.com/news/purism-heads-rootkit-tampe...

"Purism announced that, after almost a year of testing, it was able to successfully integrate the Heads firmware into its TPM-enabled and Coreboot-running Librem laptops. The open source firmware, which checks if someone has tampered with the laptops, allows users to freely inspect and customize the code. Purism also recently announced that all of its new Librem 13 and 15 laptops now include a TPM by default, so they all come with the Heads firmware by default, too."

Previously: Google on "Replacing exploit-ridden firmware with a Linux kernel", https://news.ycombinator.com/item?id=15579592

walterbell | 6 years ago

> Does Lenovo put backdoors in if the Chinese government asks?

> "If they want backdoors globally? We don't provide them. If they want a backdoor in China, let's just say that every multinational in China does the same thing."

Even though not a direct answer, close enough. One could only hope to get a similar statement from Apple wrt iCloud so we aren't left with assumptions about lack of privacy.

kodablah | 6 years ago

This is gravely concerning to me.

Privacy is a fundamental human right, and it's needed to fight unjust laws and practice civil disobedience in a safe and comfortable way.

If we had today's surveillance capabilities in the 70's, it would have been impossible for the LGBTQ community to achieve the societal acceptance they now have!

We need a fully open-source hardware ecosystem (with downloadable component blueprints, 3D-printing machines and local co-ops or gumtree-like marketplaces for obtaining free hardware), to bring much-needed democratisation to our society like the Internet did at the software / information access level.

We need a Linux of hardware.

mindfulhack | 6 years ago

> "Likewise, if there are countries that want to have access, and there are more countries than just China, you provide what they're asking."

Seems that it's kind of obvious and infuriating at the same time: companies that sell physical goods don't have much choice; they must meet country regulations for each country they want to sell in.

woliveirajr | 6 years ago

I miss the early 90s and 2000s when governments were still struggling to understand what the internet was, rather than trying to control it.

mothsonasloth | 6 years ago

This is not unique to China. New Zealand has the TICSA requirement that network operators must provide intercept capabilities to security agencies, and all network operator designs must be approved by security agencies before deployment.

I would imagine other Five Eyes countries have or soon will have similar requirements.

rodgerd | 6 years ago

Maybe this will finally make Apple rethink its manufacturing.

It can either be the bastion of freedom in consumer electronics, as it likes to brag, or not. Time to decide.

reaperducer | 6 years ago

And apparently also confirmed that they’ve done it for other countries too, without providing any names.

ComputerGuru | 6 years ago

Eventually you just won't be able to buy a trustworthy computer.

chooseaname | 6 years ago

Interesting choice of language there:

"we don't put in backdoors [...] we follow the ethics"

but then

"if there are countries that want to have access [...] you provide what they're asking"

No, Mr. YY, it's you who's providing what "they" are asking, and that makes you evil, not me. ("Them" too, naturally.)

08-15 | 6 years ago

I'm sure they have plenty of examples to go by, all they need to do is consult Yahoo, Google or any of the telecoms for good strategies.

I guess on the plus side at least we know now that it is happening despite the lies the Federal government told us. I worry that as bad as it is for whistleblowers in the US what chance does China have?

greymeister | 6 years ago

> "Likewise, if there are countries that want to have access, and there are more countries than just China, you provide what they're asking."

So... the US as well? The UK? I wonder who else is "asking".

foxrob92 | 6 years ago

They are just stealing the concept from the US (lawful intercept/CALEA).

AnthonyWnC | 6 years ago

May?

It's just now getting official.

mtgx | 6 years ago

Meanwhile in the US we also have a long history of monitoring internet traffic, installing backdoors and allowing private third-parties to filter what we see online.

Where do we get off critiquing the PRC? We should clean our own house first.

claydavisss | 6 years ago

Are they telling me other companies in the West are not doing this and only Lenovo in China does it? I would find that hard to believe. You see, the reality is once your opponent has made the move first in an attempt to gain a competitive advantage, no matter how unethical that move is, you are forced to do the same or even more. If not, you'll be quickly left so far behind and won't ever have the chance to come back in the race. Despite whatever anyone has told you, that's how the real world works. Our companies may not readily admit what they're doing, but in reality they have little choice. It's similar to how countries that don't possess nuclear weapons are always second class in the world's power order. The time limit to join first class was gone a long time ago and it will never come back.

netwanderer2 | 6 years ago