Lenovo Banned by U.S. State Department

chrplace writes "The BBC is reporting that the Chinese-made Lenovo PCs are not allowed inside secure US networks." From the article: "Assistant Secretary of State Richard Griffin said the department would also alter its procurement process to ensure US information security was guaranteed. His comments came after Rep Frank Wolf expressed national security concerns. The company Lenovo insisted such concerns were unwarranted and said the computers posed no security risk."

Protectionism? Why?

[denissmith (31123)]

While Levono insists that their computers pose no security risk, we need to remember that they do run the Windows OS which is a significant hole:-) On a more serious note, this is obviously a purely political step - but why? No one with any technical savvy is going to believe that these systems pose a greater security risk, unless someone independently confirms this and demonstrates how a backdoor exists. Is a mere accusation enough to get a company dumped from secure contracts, if so I have dirt on Halliburton, KBR, CACI and a host of companies who are defrauding government agencies. Isolationism doesn't score political points the way it used to, and these are the same people that will happily defend moving jobs off shore. Who are they trying to appeal to here? There can't be that many blindly stupis people in the country ( 29%, or so, it seems)...

Re:Protectionism? Why?

[Spiked_Three (626260)]

"No one with any technical savvy is going to believe that these systems pose a greater security risk, unless someone independently confirms this and demonstrates how a backdoor exists."

Why would you think this has not already happened? Add to that the fact the the government buys these things in bulk and even IF a sample posessed no backdoor, how hard would it be to put a backdoor in 1 out of 1000 and hope it gets by?

Paranoid? I think not, you haven't had night shift cleaning crews hired by the chinese int

Re:Protectionism? Why?

[denissmith (31123)]

I don't believe in Windows backdoors any more that I believe that the Lenovo people are able to pull this off without anyone detecting it. Remember, Lenovo assembles these in this country and in Mexico, and the company has moved its headquarters here, and hired American executives, etc. If they got caught doing this HEADS WOULD ROLL. These people would all be guilty of spying or treason, so it wouldn't be quietly hidden away, they would face arrest, possible execution. These aren't products from a company where the Chinese government has direct control of operations, and design, specification and manufacture is worldwide.

Re:Protectionism? Why?

[lgw (121541)]

One reason the US government is so paraoid about hardware backdoor is the number of times we've done this to other countries! Line printers (line-at-a-time impact printers) sold to Iraq in the 80s had radio transponders secretly embedded, so that they could be located at some distance. As such printers are only used in large data centers, we had a targets list of a significant portion of the Iraqi communications infrastructure, which we bombed at the start of Gulf War I.

Xerox machines sold to the USSR during the cold war often had cameras embedded, and service technicians would take great risk in retreiving the data (I think it was actual film) when servicing the machines, but we had pictures of everything copied.

These are just 2 very simple examples that have been made public, who knows what sort of stuff we've done that's clever enough that we still keep it secret. If the Chinese got busted the consequences wouldn't be much worse than where we already are today. The CHinese government could, after all, argue that they're not crossing the line any more than the US government has repeatedly done.

Re:Protectionism? Why?

[blueZhift (652272)]

There's definitely a lot of politics and money in play here. Practically speaking, it would be difficult to impossible to exclude products made by any country that may be a present or future enemy of the US from use in govt agencies. And ironically the US govt has aided and abetted the rise of Chinese economic and political power that now they suddenly fear. If they really cared so much, they should have said something before IBM sold its PC division to Lenovo. So given that everyone spies on everyone else, the real trick is not to stop the spying, but to make sure that your enemy (and sometimes your friends) only get inaccurate or junk info.

For the current matter, I would guess that some domestic PC maker is trying to take advantage of the situation, *cough*Dell*cough*HP*cough, pardon me!

They would be stupid not to rig the machines

[goombah99 (560566)]

Hardware and software backdoors are a reality. Look at the tiawanese Router maker that put a backdoor password in all the netgear routers. Consider that britain finally wised up and wont buy closed source software on their defense avionics. Consider the fact that slot machines get ripped off every year by programmrs putting in backdoors.

Sure it's more difficult to imagine how commondity hardware would be rigged but it's not implausible if the target warrants it. There's been some pretty big efforts stage

Re:Protectionism? Why?

[radtea (464814)]

On a more serious note, this is obviously a purely political step - but why?

Because the U.S. is in the grip of a fairly major bout of xenophobia just now. This is something that overtakes all human groups every once in a while, where suddenly anyone who is remotely outside the mainstream is automatically suspect and "other".

This kind of thinking can be seen all over the current immigration reform in the U.S., as well as border security generally. It creates massive distortions in thinking--for example, President Bush's proposal for a "tamperproof" ID for foreigners working in the U.S. only makes sense if you somehow mentally categorize outsiders in such a way that they are inherently different from Americans. Otherwise the obvious work-around of foreigners using fake American IDs is, well, obvious. Without this kind of unconscious mental distortion it is clear that foreigners are indistinguishable from Americans.

We see the same kind of thinking amongst the people who say that various illegal and unconstitutional measures will only be used against "terrorists", as if that was an unabiguously distinct, knowable category of person. By reconceptualizing terrorists as inherently "other" they are able to perform this nasty mental trickery of reassuring themselves that only bad people will be affected by the draconian powers being granted spies and miliary officials, despite the glaring epistemological problems with such beliefs.

In such a social climate, xenophobia has a lot of political value, and gestures of solidarity with the group (flag waving, declarations of patriotic feeling, signs posted on businesses declaring they hire only documented legal workers) are highly valued. Those things by themselves are relatively benign, but the flip-side is the tendency to demonize anyone outside of the group.

Personally, I would think that no closed-source application should ever be used in a secure network environment. That includes the OS, obviously. There's just too much stuff that a closed-source application could be doing that isn't good, even if there was no malicious intent.

Re:Protectionism? Why?

[CosmeticLobotamy (155360)]

"A little box on the keyboard wire"? I'm sorry, but do you imagine Chinese intelligence to be run by 14-year-old pranksters that get their spy supplies at ThinkGeek?

Re:Protectionism? Why?

[frodo from middle ea (602941)]

It puts pressure no the Chinese, pure and simple.

Are you Japanese ?

Re:Not protectionism, paranoia and justified.

[Andy Dodd (701)]

"Especially since all new Thinkpads have a fucking TCPA chip. Can you trust a chinese fabbed uber security module for critical national security purposes?"

Wherever that TCPA chip was fabbed, it is almost guaranteed to come from the same source as those found in laptops from any other manufacturer.

If there were ANY chips in the Lenovo that were built in China without a clear paper trail leading back to a non-Chinese supplier (or a Chinese supplier that isn't also selling chips to manufacturers that the gover

Cry Wolf

[TripMaster Monkey (862126)]

From TFA:

Mr Wolf, Republican chairman of the committee that oversees the department's funds, told reporters that China's spying efforts were "frightening".

It was "no secret that the US is a principal target of Chinese intelligence services", he said, adding: "No American government agency should want to purchase from them".

This is just plain stupid. Apparently, Representative Wolf's [house.gov] former crusades against meth [lasvegastribune.com] and medical marijuana [stopthedrugwar.org] no longer have the punch needed, especially in an election year, so he stirs up some ridiculous FUD about Lenovo laptops.

Never mind that the State Department would probably be wiping the default software load on these laptops in favor of its own custom software load (frankly, if they don't, they're idiots). Never mind that the State Department itself (as well as any other networks these systems will be connecting to) should be adequately protected by firewalls to prevent any unauthorized phoning-home by these systems (again, idiots if they don't). Never mind that someone at least halfway competent should be able to analyze packets exiting these systems to determine conclusively, one way or another, if they are trying to compromise security (again...well, you get the idea).

Trouble is, none of these measures will provide Rep. Wolf with the political ammo required in a year divisible by 2. By denouncing the Lenovo laptops as a 'security risk', he insures that his constituents (at least the less-technically minded of them) perceive him as 'fighting for America'.

Re:Cry Wolf

[timster (32400)]

You forgot to mention that laptops from all manufacturers tend to be made in China. It's silly to think that Apple or Dell carefully examines all their laptops shipped from China to make sure they don't contain some kind of spy hardware or software.

Re:Cry Wolf

[mungtor (306258)]

Dell laptops are assembled in Malaysia and shipped to the US from there. Components are mostly Taiwan, Singapore, and Korea. I'm sure there is China in there too, but there doesn't seem to be a lot.

Re:Cry Wolf

[Daniel_Staal (609844)]

IIRC (it's been a while since I did IT support for the state department), a classified computer (the only type they are talking about a ban on) shouldn't be connected to the Internet at all. It might be connected to the State Department's own secure network, but even that is a question.

(As for wiping it and installing their own software: duh. There's a disk image with the standard State Department software, and it is written to every computer. That's not even security: that's just the easist way to do th

Re:Cry Wolf

[TripMaster Monkey (862126)]

I didn't say there was no risk. I did say:

• By following proper security procedures, any risk could be effectively managed.
    - and -
  
• Rep. Wolf isn't interested in avoiding risk. He's interested in acquiring political clout.

Re:Cry Wolf

[Guysmiley777 (880063)]

Political clout!? Surely sir you jest! /sarcasm

If only there were some way he could spin this so he was also saving children wrapped in American flags from burning buildings. Won't someone please think of the children?

Re:Cry Wolf

[networkBoy (774728)]

My concern would be a compromised firmware &&|| microcode in the chipset.
With a large enough flash memory you could log a lot of information, all this can happen at the BIOS level. Then you try to acquire the notebooks upon refresh. Doesn't matter that the HDD is crushed, you have it in flash. If you comprimise the network stack you could (in theory) do packet inspection and store interesting packets. If you comprimise the chipset you can do almost anything. NOR flash cells are a compatible pro

Dumb

[homer_ca (144738)]

It's not like the PCs weren't made in China when the division was owned by IBM.

Re:Dumb

[just_another_sean (919159)]

Not to mention every other PC manufacturer who's PCs are made in China. Dell, HP, Gateway, Acer, show me one PC manufacturer who doesn't have at least some of their PCs assembled in China by Chinese.

Seems kind of arbitrary for them to pick on one company over this.

Re:Dumb

[archen (447353)]

Actually I'd like to know where they are going to get these PC's that are not made in China. And why stop at China anyway? Ban all foreign PCs (which isn't going to make much of a difference since they're all made in China anway). Oh, the U.S. doesn't make any anymore? Guess that's too bad for us. Most companies don't even bother hiding where it comes from. My iBook shipped directly from China to my address.

Re:Dumb

[insecuritiez (606865)]

Read the article:

"But Lenovo insisted the state department computers, which were made at former IBM facilities in North Carolina and Mexico, posed no security threat."

Re:Dumb

[gedeco (696368)]

The only pc's who don't have electronics "made in China" are part of musea colections.

Re:Dumb

[burnin1965 (535071)]

"It's not like the PCs weren't made in China when the division was owned by IBM."

That truely is the ironic part of Wolf's concern. As if the upper management, the part of IBM PCs that changed when they were pruchased by Lenovo, would have ever noticed if the Chinese made PCs were bugged before leaving the factory.

That said, there should be proper due diligence for any equipment that is purchased and used in sensitive work. In the 1960s the Soviet embassy in Washington purchased/leased a Xerox copier and didn't realize that it was bugged with a CIA camera that took pictures of every document they copied. When the Xerox repairman came in to do routine maintenance on the equipment he would replace the film and take the exposed roll to the CIA. :)

http://www.parascope.com/articles/0197/xerox.htm [parascope.com]

Re:Dumb .. and dumber

[forgotten_my_nick (802929)]

While I may not agree with it the US government has a point.

Does anyone remember the US Jet that was sold to the Chinese President? More then 20 bugging devices found in it. Some of them built into the jets framework itself (so they weren't casually put there).

http://news.bbc.co.uk/2/hi/asia-pacific/1771238.st m [bbc.co.uk]

Although there is so much Chinese tech in the US these days even just avoiding the chinese company isn't going to avoid China.

Re:Dumb .. and dumber

[jandrese (485)]

Not to mention the US Embassy [bugsweeps.com] in Moscow built during the cold war.

This is why there is legitimate concern about this sort of thing. It actually happens. It would make a great spying tool as well. Just add some keylogging logic as well as some storage (perhaps store it on unused sectors of the HDD) to the southbridge as well as a hook into the onboard NIC. When an attacker gets a machine on the network (these machines wouldn't be connected to the internet) somehow, they send out a specially formatted

Re:Dumb

[rodgster (671476)]

It's not like the HP laptop I'm typing this on wasn't made/assembled/shipped from China too.

Agreed very dumb.

Old News

[eldavojohn (898314)]

This is old news to anyone who works in Defense.

In fact, if you want to use hardware/software in a classified area, it has to be from a United States based company and passed through a rigorous investigation as to whether or not it is safe to use. Even things like Java or C++ libraries have to undergo this for the simple fact of the matter that the US government is over-cautious.

Do you blame them? Can you strip down a Laptop and really ensure that there's nothing like a keystroke logger or a very very low-level chipset process running on a side processor or microcontroller that captures choice information and automatically sends it out the NIC to a Chinese agency?

You have to remember that there are conspiracy theorists out there that are paid and unpaid. The paid ones are simply better at controlling their imagination to realistic limits and are hired by governments to think & fear.

Now, do you remember when certain Chinese conspiracy theorists decided that China's government suspected Windows SP2 [newamerica.net] of foul play? This is more of the same kind of thinking ...

Re:Good policy

[Homology (639438)]

I believe US companies should be given preferential treatment by the US government for the following reasons:

But when other states does the same, we hear outraged yapping from US about undermining "free market". Go figure.

Concern about security

[Garabito (720521)]

"Assistant Secretary of State Richard Griffin said the department would also alter its procurement process to ensure US information security was guaranteed"

After the interview, Secretary of State Richard Griffin proceded to log on with his blank-password account on his spyware infested Windows PC...

Does this mean... ?

[TheJediGeek (903350)]

alter its procurement process to ensure US information security was guaranteed

Does this mean that they WON'T be outsourcing their network management to India?

This is plain ignorant.

[ZSpade (812879)]

Exactly when have computer components been made in America. Most, in fact, are not. thinkpads were made in China before, the only difference now is that they are not supervised by a US company.

Somebody should show this guy the label on the pen he uses, on his reading glasses, on most of the small electronics he owns. Odds are they aren't made in America either. Does that mean his cellphone is a threat to national security!? This kind of ignorance really makes no sense whatsoever.

Re:This is plain ignorant.

[Frumious Wombat (845680)]

Digital Equipment Corporation PDP-8s, probably. The State Department should be finalizing the procurement procedures for 2 or 3 of those any day now.

In all seriousness, unlike our 80s Moscow Embassy (which did have microphones embedded in the cement), a laptop phoning home is pretty easy to detect. Don't do anything serious on it, hook it up to the network, start typing while someone watches your packets. It's not like the Chinese have their new MagicNet(tm) which doesn't require wires, or emit electromagnetic radiation detectable by standard instruments.

OTOH, one could make the distinction between (for example) HP or Dell, which are built by Taiwainese companies, and Lenovo, which is Mainland Chinese, if you're really worried about embedded tracking devices, etc, but that's still a political, rather than a technical argument. Of course, someone at State could simply decide that auditing every 30th laptop for phoning home is too much work and risk, but even then they'd probaby only find a standard set of phishing tools and DOS zombie installs, rather than hostile foreign government spyware.

Any congresscritter proposing legislation involving technology should have to show credit from MIT for a recent course in computing/electrical engineering.

Re:This is plain ignorant.

[by Anonymous Coward]

Acctually I consider that to be a very serious threat to national security. What happens if someday we do go to war with China, suddenly the shelves of Walmart are completley bare. We have no production base in the United States anymore, and it was that production base that won us the last World War. China doesn't have to embed gremlins in there products to take the USA down, they just have to stop selling their products to us and our economy/society would colapse.

I bought one of those things.

[Ivan Matveitch (748164)]

It started to sing the Internationale [fordham.edu] so I took it back to store.

Damn... There goes the eggroll

[kid_oliva (899189)]

I suppose next they're going to ban chinese take-out as well.

Chinese food may lead to Maoism. Protect yourself and your family with Freedom fries and toast!!! The American thing to do.

Yeah! We'll show them!

[BrianRoach (614397)]

By buying Dells ... assembled from components made in Taiwan. ::rollseyes::

I wonder if it's actually possible to construct a PC at this point without using at least one component that originated in China, given that everyone is now shifting manufacturing there.

- Roach

Guess we will have to remove all other stuff too

[digitaldc (879047)]

All other computer equipment manufactured in China must be removed too, by this reasoning.

This includes keyboards, mice, USB hubs, and other PC equipment.

Thank GOD the Blackberries are manufactured in Mexico!

No! Other stuff is still safe.

[WebCowboy (196209)]

All other computer equipment manufactured in China must be removed too, by this reasoning.

As I read this you're modded 5/insightful...Moderators on crack again...

This reasoning means nothing of the sort. The distinguishing factor is that Lenovo is PARTLY OWNED BY THE CHINESE GOVERNMENT. Apple makes computers in China, as does Dell. However, in those cases there is NO owenership by ANY foreign governments, China or otherwise. This is important because since a foreign government can control the latter companies to disrupt supply of sensitive goods (cutting them off, or sabotaging them).

This is standard Military policy: sensitive equipment of ANY kind cannot be supplied by ANY company that is partly or wholly owned by a foreign GOVERNMENT, and even private foreign ownership is restricted somewhat. As I mentioned in another post AMC had to sell AM General when Renault bought part of AMC because Renault was owned by the French GOVERNMENT, because the military wouldn't stand for relying on its supply of Hummers being influenced by the government of a foreign company.

This includes keyboards, mice, USB hubs, and other PC equipment.

Well although many are made in China, they are not made by companies owned by the Chinese government. If it really matters, a sizeable amount of this stuff is made in Taiwan (NOT recognised as part of Communist China) and other asian countries.

Thank GOD the Blackberries are manufactured in Mexico! ..by a Canadian company ;) This is not an issue becasue RIM is not a Crown Corporation, not because it is not Chinese. If RIM was a Crown Corporation (government) then I'm sure use of blackberries by US government or military agents wouls also be restricted, or a special agreement would've had to be established.

I can see it now.

[Chas (5144)]

[NSA Agent 1] Duuude! Yer gettin' a DELL!

[NSA Agent 2] AUUUUGH!

Know what would be funny?

[Rob T Firefly (844560)]

I know it'd never happen in a million years, but wouldn't it be absolutely hilarious if the Chinese company was so upset by the American politics involved that they decided to stop doing business with us?

How Does This Help?

[John_Booty (149925)]

It seems rather shortsighted to single out Lenovo. It would make a lot more sense for government computers to pass some sort of actual security audit, rather than simply singling out a single manufacturer. Most IBMs were probably manufactured in China anyway, even before the sale to Lenovo.

A large percentage of consumer eletronics are produced in China - if we're truly worried about the Chinese government spying on us through consumer electronics, why only care about a single brand?

That was a rhetorical question, of course. Obviously the answer is: "political grandstanding in an election year"

Still, this thing isn't totally without merit. After all, do we really want our government using computers manufactured by a company owned in part by the Chinese government? The American government has sabotaged other countries with software Trojan horses before [msn.com]. While I certainly don't believe that Lenovo Thinkpads have anything malicious lurking in the firmware, it's not totally impossible or anything.

28% a minority?

[dkone (457398)]

I don't trust them.

The article claims that the Chinese government owns a 28% stake in the company. At the end of the article a Lenovo spokesman says that the "government is only a minority stakeholder"

Well call me naive, but look at the power our government has over influencing companies where they own 0%. ie.. the whole NSA call monitoring thing, DOJ over MS, etc... Not to mention we have a much 'nicer' government then Chinas.

So I would hardly classify a government that owns 28% of a company a "minority stakeholder". Can you imagine the board meeting where the Lenovo CEO tell the "minority" stakeholder no.

DK

Re:28% a minority?

[Anonymous Meoward (665631)]

And if you want to be really paranoid, the "minority stakeholder" is in fact the People's Liberation Army.

Y'see, the PLA, unlike the armed forces of every other country on the planet, doesn't get its funding from the central government. They have their own business ventures, be it a stake in Lenovo or agricultural exports produced with slave labor. (Oops, I mean "re-education camps", silly me.)

If you want to know why this is so, read up on the Cultural Revolution, and how it almost tore China apart. Had the PLA not stepped in, China could have devolved into civil war yet again. The top general staff of the PLA obviously has every interest in maintaining control, so they would rather manage their own purse strings. It beats relying on the caprice of the leader of the People's Central Committee.

Getting back to the original question: Is it possible that some "extra" circuitry is in every Lenovo laptop? Certainly. Is it likely? I don't think so. (One thing to consider is how the U.S. Government is buying these laptops. We're addicted to deficit spending, and selling bonds to the China's central bank.)

Should every Lenovo laptop be inspected before use in government offices, just in case some enterprising intelligence officer in the PLA is really that stupid?

Umm.... can't hurt.

Surely the least of their worries

[simonjp (970013)]

I was going to write a long(-ish) reply, but decided against it - after all - it can be summed up easier: surely there are much weaker security issues than who made a laptop -- such as the user for example. Others have commented about windows. I say they should worry about education of their users rather than who made it.

And surely the US can't talk back at people for spying on others considering recent news.

What Laptops AREN'T made in China?

[the eric conspiracy (20178)]

I just bought an HP laptop that was FedEx'ed directly from Kunshun China to my door.

Actually, it's in the interest of the US taxpayer

[Opportunist (166417)]

Let's be reasonable here.

The US government, in theory, should do what is beneficial to the US citizens. They're, after all, their employers, their reason to exist. Without them, they're as superfluous as the RIAA to music.

So, the government should need no reason to reach for US manufactored goods and prefering them over foreign ones. For the simple sake of national commerce. Security aside, the US government is a non profit thing. Their "profit" is the well being of the US. And that isn't buying the cheapest products, the best deal for the US is their government buying at US companies.

Just stand up and proclaim that you won't buy the Chinese laptops and instead buy (insert something that at least partly could be possible manufactured at least at SOME areas within the US). Not because China is evil, not because you don't trust them, simply 'cause the US government should first and foremost aid (and thus buy from) US based enterprises.

Re:Actually, it's in the interest of the US taxpay

[sholden (12227)]

So they should spend more money than they need to, buy from less efficient producers, and reduce the productivity of the US?

I take it you're a communist? Since you want the government to be bigger - higher taxes and higher expenditure, want the government to subsidise less efficient producers so they don't need to become more productive, and if that reduces the productivity and overall income/wealth of the country then it's worth it.

read up on international trade

[enjahova (812395)]

If you want to be reasonable you should take an introductory course in economics. Just because you are buying from the US does not mean you are automatically doing the best thing for the US economy.

The concept is called relative advantage. Due to the situations being what they are, The US has been a leader in science and education for a while now, and China has lots of cheap labor. So the computer was first made by a handful of scientists in America, it was expensive as hell and there were very few of them. As the scientists better understood the computer and were able to commoditize its production it became cheaper and more accessible. Computers have now gotten to the point where they are pretty much a commodity, and manufacturing them at the cheapest cost is important inorder to meet the demand.

So China has the relative advantage of manufacturing, while Americans are still the leader in business and software. If you really want to do something good for the US stand up and proclaim that you want better education systems! If we are going to lose status in the world economy it wont be because we are buying foreign products, it will be because we got fat and lazy.

Just google Comparative Advantage if you want to know more about it.

Nobody ever got fired for buying IBM...

[tjw (27390)]

I guess it's time to rethink that mantra.

Re:I Agree

[gatkinso (15975)]

While I would love to agree with you, I have to regretfully point out the fact that we long ago handed virtually any manufacturing capability to the Chinese and now have no choice but to buy from them and hope that they continue to fund our debt.

However, they don't really have a choice anymore in the debt funding dept. They have to in order to insure the viability of their own investments.

House of cards? Or is it a house of cheap plastic goods, motherboards, and US govt issued bonds? Either way....