Open Source Could Be a Casualty of the Trade War (bunniestudios.com)
157 points by UkiahSmith on June 22, 2019 | hide | past | favorite | 74 comments


Quite the opposite - it makes more and more companies consider open source. RISC-V is all the rage now, and people are turning their eyes to open source EDAs. I hope with the help of SymbiFlow[1], Chisel[2]/FIRRTL[3], and other similar tools the duopoly of Intel (Altera) and Xilinx will come to its end. There is also an interesting initiative[4] to make ASIC design as affordable (in terms of time, knowledge, and money) as possible. And using KiCad[5] for simple projects can help small businesses.

[1] https://symbiflow.github.io/

[2] https://github.com/freechipsproject/chisel3

[3] https://github.com/freechipsproject/firrtl

[4] https://theopenroadproject.org/

[5] http://kicad-pcb.org/


The issue is not that it reduces interest in open source. In fact the article states there's evidence that open source solutions are getting renewed attention in the Chinese government.

The issue is that the executive order would make it unlawful to share technology with foreign adversaries. So it effectively forces open source projects to hard fork along geopolitical boundaries. For example, if (and these are still ifs) Huawei were to be designated a foreign adversary; and, if Huawei were to develop a RISC-V implementation of interest; it would be unlawful for a US person to use that implementation, or otherwise "acquire" said technology from Huawei.

The underlying premise of the executive order, as I understand it, is that technology developed by, or under the influence of, foreign adversaries is potentially tainted. Thus to defend the US national security interest, US persons shall be penalized for using their technology.

Thus the concern is that US-based open source developers and users would be directly at risk by interacting with the very projects you cite, should they fall under the influence of a foreign adversary.

Or to put it more concretely: ARM might be very happy if Huawei were designated a foreign adversary, and Huawei invested heavily in RISC-V. Because then ARM could lobby US lawmakers to rule that RISC-V technology is tainted under the theories contained in the executive order, thus reducing competition from open source alternatives.

(edited to clean up grammar)


Thanks for the answer, it makes the problem clear.


A contact at Foxconn just told me yesterday that Apple is genuinely serious about leaving China completely.

Apparently, Mr. Trump summoned Mr. Cook last week, and extended an offer of a tax break and other "relocation packages" on the size "not seen in human history" if Apple moves to USA.

Hearing things like that keeps reminding me that the Taiwanese engineering fraternity is one of the world's best intelligence agencies :)


Feels like this should be taken with a big grain of salt. Presidents can't extend tax breaks.


The President can characterize the transaction as something else and get the same result.


Bold Presidents can do a lot more than we assume; so much of their assumed limits on power are moderated by convention, reputation, and the willingness of opponents to use the courts.

If we take no other lesson from the past 2.5 years...


Those last 2.5 years are the culmination of what happened over a hundred years ago with Woodrow Wilson when he criticised the founding documents and dismissed the separation of powers.

This [1] appears to be written from a more right-wing stance, although it could just be rightly critical of Wilson's legacy. Regardless, it's not inaccurate. Hopefully the dislike of Trump will help to shock the rest of the system back into seeing a worth in a strong separation of powers. It's not that Obama didn't also disregard them, it's just that he's far more likeable and suits the views of a lot of people. Not so great when there's an incumbent you don't like.

And that's the point.

[1] https://www.grassrootinstitute.org/2012/09/constitution-201-...


And Apple will milk that agreement long after Trump leaves office, doing whatever makes more sense for the bottom line, even if that means moving production to Mexico eventually. And, just like all these large companies, will avoid paying corporate taxes to an even greater extent. Trump will claim he restored American manufacturing, and he will have, long enough for him to Tweet about it, and not much longer.


Every company considering a deal with Trump should consider that America has walked away from shitty deals before. Sometimes it just takes a little while.


\s It just has to last long enough for executives to cash in their bonuses.


I know that was sarcasm, but I don't think it applies to Apple. Their managers seem to be employed long-term and they seem to be loyal.


Cool story, I guess subsidies are ok now.


Considering that two U.S. appeals courts have ruled that source code which was classed as a munition was protected by the First Amendment, I'm not too worried just yet.

Of course we have a lot of new judges so who knows.


Bunnie seems to fear this type of IP restriction but with regard to closed source chipset designs and proprietary hardware, which he views as key to continued innovation in China.

I have met Bunnie, and he has a bit of a warped view of the world. I think it caused him to gloss over things like https://www.theregister.co.uk/2019/03/28/hcsec_huawei_oversi... where Huawei did not give a single shit about security in their cellular basestation codebase.

Sure, Huawei will read CVEs and sometimes deal with them, but really basic things like updating OpenSSL libraries seem near impossible for Huawei. Their hardware is thus vulnerable to exploitation by any ill intentioned person wandering by :c

Part of this is the whole stolen codebase problem, where Huawei (as Nortel's Chinese manufacturing partner) took their designs and code, without fully understanding them. They've been able to tack on a lot of neat stuff, but the underlying architecture is still not understood by their engineers.


And so is so much other US-produced or maintained hardware. Do we now ban outdated corporate websites which can be hacked and used to launch attacks on other servers?

The Huawei ban is very clearly a political anti-China move, not one based on technical reasons.


We need a cultural shift, security should not be a whimsical dream. A company running vulnerable websites should be culpable for their neglect, and likely shouldn't be administering their own IT affairs if they are repeatedly negligent.

This is an anti-China move, but we do know Huawei builds vulnerable LTE basestations and products, and refuses to do the bare minimum to secure them, despite promising $20 billion in investment in software security (see the article I linked to earlier).


Do you not understand the part about Huawei’s rampant, Chinese-style IP theft directly contributing to the poor security of its products?


I haven't ever seen any evidence of "rampant" IP theft by Huawei. Every time, it's the same one Cisco case that got settled 15 years ago, unsubstantiated claims about Nortel two decades ago, and T-Mobile's "Tappy" robot. This for a massive company with over $100 billion in revenue a year. If there were actually something to the characterization, you'd think there'd be more evidence. It's a bit like defining Google solely on the basis of Oracle's case and Apple's earlier claims of Android being an iOS clone.


Try taking this position with, say, Samsung.


I'm not sure I follow.

Samsung was embroiled in a very bitter IP dispute with Apple, in which it was found to have violated Apple's patents, essentially copying the design of the iPhone, and ordered to pay over half a billion dollars.

Yet American companies aren't banned from doing business with Samsung, nor should they be.


This seems like a specific and direct attack at Bunnie. Do you have any evidence to back up your claim? Was your opinion of what you call his 'warped view of the world' shaped from your conversation? What specifically about that conversation led you to that conclusion?

I don't know Bunnie and I only follow his blog posts sometimes, but he's a strong proponent of open source software and open source hardware [1]. Bunnie is helping to develop a fully open source hardware laptop, Novena [2], that requires companies providing components to not require non-disclosure agreements [3]. Bunnie is also specifically interested in FPGAs and making them and their toolchains available [4].

Your post seems like it has a veiled nationalistic and anti-open source undercurrent. Is Bunnie's silence on the matter of the Huawei security issue reason for you to have this view? If so, does others not mentioning Intel's vulnerabilities [5] over the past years also mean they have the same "warped view of the world"?

To be clear, I'm not trying to absolve Huawei or Intel of anything. I'm trying to address the claim that Bunnie turns a blind eye to proprietary chipset and hardware technology more than others.

[1] https://www.eff.org/press/releases/hardware-hacker-anti-acta...

[2] https://www.bunniestudios.com/blog/?cat=28

[3] https://en.wikipedia.org/wiki/Andrew_Huang_(hacker)#Novena

[4] https://www.bunniestudios.com/blog/?p=5166

[5] https://meltdownattack.com/


I'm not attacking Bunnie, everyone has their own view of the world. Bunnie has repeatedly stated that he views IP as an impediment to R&D, and anything that threatens the quasi-open sourcing of hardware (e.g. how data sheets, BSPs and code are passed around by sellers in China, in spite of the legalities) is bad: https://www.youtube.com/watch?v=SGJ5cZnoodY


> really basic things like updating OpenSSL libraries seem near impossible for Huawei.

> Huawei (...) took their designs and code, without fully understanding them.

Do you want to say that there aren't people in China smart enough to "update OpenSSL" in their codebase? Whichever way the codebase started to be used by the company?

A lot of companies and developers inherit the products created in some other times in some other companies and generally are able to update them.


No, I'm not saying that at all. What I am saying is those managing Huawei do not care about updating OpenSSL or other dependencies. It's a corporate culture problem at Huawei, IMO.


Many companies have the same problems, not rewarding people who fix these types of security issues and look at security holistically; instead the only path to success is to create new features.


See Cisco's handling of their low-end routers as a great example: https://news.ycombinator.com/item?id=19507225

It is rotten corporate culture that is starving critical maintenance work at these companies, creating the internet of vulnerable shit.


True, but aren’t conservative judges (not Joe and Jill public) apt to be more liberal in the interpretation of the 1A?


Funny how that works


Underrated comment


re: judges - I'm not a lawyer but the recent Supreme Court decisions seem to be a shot across the bow for administrative rulemaking like the BIS ruling that Bunnie is quoting. It's conceivable that Huawei could sue the US and win in the Supreme Court and overturn these regulations - on the basis that Congress needs to pass a specific law to bind them, rather than allowing vague laws to be vaguely interpreted by executive agencies as they see fit.


The article takes a while to get to the point made in the title but the way to counteract this seems to be, get the infrastructure for open source out of America before it's too late. In contrast to the ARM example, the US doesn't really have any leverage against a volunteer open source project not within its borders.


Open Source effectively is out of America or any other single jurisdiction: think of all of the people who have up to date copies of virtually every package all around the world. If the U.S. were to say tomorrow, as we used to do with cryptography, that (certain types of) software can't be shared outside of the U.S., the development of said (Open Source) software would likely just be taken over by groups outside the U.S.[1]

I recall that happening in the '90s with a few different types of software due to U.S. software patents and corporate legal departments. VLC hasn't always been the go-to Linux multimedia application, for example.

[1] The infrastructure part is easy, the giving away access/bandwidth for free part is hard.


I believe the majority of FOSS developers reside in the US. You can't really pipe them out through a fiber channel.


The majority of FOSS developers I know reside in Europe, but that may be just because I am from Europe.


In general, the developers are wherever the corporate sponsorship is these days, i.e. most development on key packages these days isn't done as a labor of love by most developers anymore. Also, at least a significant fraction, if not the majority, of those doing FOSS development here in the U.S. weren't born here, Linus being a perfect example. So it's not like we have any magic pixie dust that makes U.S.-born developers special.

So you're right, you can't pipe them out through fiber channel but you don't need to. You just need to fund them wherever you want them.


> In general, the developers are wherever the corporate sponsorship is these days, i.e. most development on key packages these days isn't done as a labor of love by most developers anymore. Also, at least a significant fraction, if not the majority, of those doing FOSS development here in the U.S. weren't born here, Linus being a perfect example. So it's not like we have any magic pixie dust that makes U.S.-born developers special.

That's the thing, though. The physical location of the developers and the legal nexus of the companies are different things. Any sovereign government can exert power over the actions of companies that operate elsewhere, so long as they have anything in their own jurisdiction that can be gripped and squeezed -- a "nexus". Sometimes sovereign nations will even create laws that are "extra-territorial", laws they expect to be obeyed beyond their own borders, even if only enforceable once you are within those borders.

If all your developers live in Europe, but you sell to US companies too, guess what? The US can push you around. Do you want to do business with a bank with any US footprint whatsoever, guess what? The US can push you around. Do your executives travel to the US? Guess what? etc etc etc.

The US is not a special case here: the use of local and international legal and financial pressure to achieve policy goals outside one's own borders is common. However the US is a superpower, has far more levers to push on, far more heft to push them with and far lesser immediate consequences for doing so. The EU and China are probably its only rivals in this kind of economic realpolitik.

But if Bhutan tried to do this? We wouldn't even hear about it.


You might get an immediate hit to development, but given a bit of time non-US developers would step up their game. A lot of FOSS is paid for by big companies who would likely want to continue operating this way, so they would reroute expenses accordingly.

Crypto didn't die when it was export-restricted, and that stuff is really complicated.


FOSS developers like those sponsored by Google/FB/MS to make React/etc.? Sure. But FOSS developers making useful applications and sharing them with the community (think Gnome/KDE, cmus, calcurse, WINE, VLC)? From my experience there is a lot of diversity there, and also a lot of representation from Europe.


Citation needed. Honestly this seems like a pretty offensive American-centric belief.


Fortunately, there is a bulwark:

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

The bulwark defending the bulwark is the population.


Good luck explaining your commits to that munitions grade crypto used by terror cells in the mideast region as "Free Speech".

Hope that works out for you. :-(

(I'd wager there'll be a few more Snowden types asking for asylum outside the US before this is all over.)


Already holds up: "The claimed principle was simple: export of munitions—guns, bombs, planes, and software—was (and remains) restricted; but the export of books is protected by the First Amendment. The question was never tested in court with respect to PGP. In cases addressing other encryption software, however, two federal appeals courts have established the rule that cryptographic software source code is speech protected by the First Amendment (the Ninth Circuit Court of Appeals in the Bernstein case and the Sixth Circuit Court of Appeals in the Junger case). " https://en.wikipedia.org/wiki/Pretty_Good_Privacy


It's worth checking that claim against the Ninth Circuit's decision [1], because the court said:

> We emphasize the narrowness of our First Amendment holding. We do not hold that all software is expressive. Much of it surely is not ... We hold merely that because the prepublication licensing regime challenged here applies directly to scientific expression, vests boundless discretion in government officials, and lacks adequate procedural safeguards, it constitutes an impermissible prior restraint on speech.

[1] https://cr.yp.to/export/1999/0506-order.html


How it worked out last time is no guarantee of how it will work out this time.


I like the odds in the US better than anywhere else. No other country has a better track record of protecting freedom of speech.


If good crypto really boils down to math, and therefore either everyone can be secure or no one, then I'd rather everyone be secure. There are more ways to stop terrorists than wanton collection of communication.


I wish I shared your optimism.


This means get the open source off github as well...


Or keep it there where you have one of the most powerful companies in the world to defend it.


There is nothing to defend. The US government (i.e. Trump) gives a directive and "one of the most powerful companies in the world" complies like all the others did (i.e. Huawei's suppliers, oil companies dealing with Iran, etc.).


Sure it does, if a large chunk of the volunteers are in the US.

The division of the open source world into the “US part” and the “Chinese part” would be a roughly 50% cut in the efficiency of the FOSS ecosystem, and is on the table given the developments he describes.


Metcalfe's Law probably applies, though perhaps not at full effect. That would suggest the diminution in effectiveness of the FOSS ecosystem would be more severe than linear.


“through powers granted via the “EAR” (Export Administration Regulation 15 CFR, subchapter C, parts 730-774), along with a sometimes surprisingly broad definition of what qualifies as export-controlled US technology.”

Boom! I told people they might do that back in the crypto discussions. Custom crypto and high-assurance security are still munitions with only a few things re-classified such as mass-market, one-size-fits-all software and use of ciphers in browser (https). This is what they might do to the rest with the leverage if it was ever truly threatening. They’re already doing it to companies over Huawei.

I also speculated they might have done this to get backdoors in products. A combo of offering payment and threats together. We know they do the payments. I don’t know if they do export threats, though.

“some independent security research would have already found and published a paper on this. Given the level of fame and notoriety such a researcher would gain for finding the “smoking gun””

Bunnie is being really naive here or maybe doesn't understand computer espionage. Most subversion must be done in a way that doesn't look like subversion. The system just has to be remotely exploitable. The best route to that is to intentionally leave in memory safety bugs or a configuration that enables privilege escalation. Hackers find those all the time in all kinds of devices. They say, "Hey, they just made a common mistake." Maybe it was there on purpose. We won't know.

“It’s no secret that the US has outsourced most of its electronics supply chain overseas. From the fabrication of silicon chips, to the injection molding of plastic cases, to the assembly of smartphones, it happens overseas, with several essential links going through or influenced by China.”

And this is why what the U.S. government is doing is incredibly stupid. You could substitute other industries in here. It’s a smarter move to minimize one’s dependency on a country before pissing that country off in a way that can prevent them getting what they depend on.
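The "looks like a common mistake" point in the comment above is easy to show concretely. What follows is an added example written for this page, not code from the comment, the article, or any vendor's code base, and it says nothing about any real product: a constructed record parser (a one-byte length field followed by a name, a format invented for the example) in two versions. The first uses `>` where it needs `>=`, so a maximum-length record passes the check and the NUL terminator is written one byte past the caller's buffer; the second reserves the byte. Both look like ordinary code, which is exactly the deniability the comment describes. The harness deliberately gives the parser a 32-byte backing array while telling it the buffer is 16 bytes, so the off-by-one write can be observed without undefined behaviour in the harness itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed record format for this example (not a real protocol):
 *   byte 0      : name length N
 *   bytes 1..N  : name bytes
 * Each parser copies the name into a caller-supplied buffer of `cap`
 * bytes and NUL-terminates it, so at most cap-1 name bytes may be accepted.
 */

/* The "common mistake" version: the bound uses > instead of >=, so a
 * record with N == cap passes the check and the terminator lands at
 * out[cap], one byte past the buffer. A reviewer sees an off-by-one;
 * an attacker sees a controlled one-byte write of 0x00. */
int parse_name_buggy(const uint8_t *in, size_t in_len, char *out, size_t cap)
{
    if (in_len < 1)
        return -1;
    size_t n = in[0];
    if (in_len - 1 < n)          /* record shorter than its own length field */
        return -1;
    if (n > cap)                 /* off by one: n == cap should be rejected too */
        return -1;
    memcpy(out, in + 1, n);
    out[n] = '\0';               /* writes out[cap] when n == cap */
    return (int)n;
}

/* Corrected bound: one byte is reserved for the terminator. */
int parse_name_fixed(const uint8_t *in, size_t in_len, char *out, size_t cap)
{
    if (in_len < 1)
        return -1;
    size_t n = in[0];
    if (in_len - 1 < n)
        return -1;
    if (n >= cap)
        return -1;
    memcpy(out, in + 1, n);
    out[n] = '\0';
    return (int)n;
}

typedef int (*parse_fn)(const uint8_t *, size_t, char *, size_t);

/* Feeds a parser a 16-byte name, the largest value the buggy check accepts,
 * with a declared capacity of 16, and reports whether the byte just past
 * that logical buffer was overwritten. The backing array is 32 bytes so the
 * probe stays inside a real allocation. Returns 1 if the parser accepted
 * the record and clobbered the sentinel byte, 0 otherwise. */
int overflows_by_one(parse_fn parse)
{
    enum { CAP = 16 };
    uint8_t rec[1 + CAP];            /* constructed input: len byte + 16 x 'A' */
    rec[0] = CAP;
    memset(rec + 1, 'A', CAP);

    char backing[2 * CAP];
    memset(backing, 0x5A, sizeof backing);   /* sentinel pattern */

    int rc = parse(rec, sizeof rec, backing, CAP);
    return rc >= 0 && backing[CAP] != 0x5A;
}

int main(void)
{
    printf("buggy parser overflows by one: %d\n", overflows_by_one(parse_name_buggy));
    printf("fixed parser overflows by one: %d\n", overflows_by_one(parse_name_fixed));
    return 0;
}
```

Compile with `cc -Wall -Wextra example.c`: neither compiler warnings nor a casual read distinguish the two versions, which is the point. The bug is only visible to someone who reasons about the terminator, or to a fuzzer that happens to send a maximum-length record under a sanitizer.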


> The best route to that is to intentionally leave in memory safety bugs or a configuration that enables privilege escalation. Hackers find those all the time in all kinds of devices. They say, “Hey, they just made a common mistake.” Maybe it was there on purpose. We won’t know.

By that logic everyone from Apple to Xerox could possibly be enabling computer espionage. You’d never be able to prove a bug wasn’t a deliberate back door.


Well, you can't. Whether it was a mistake or sabotage only changes the timescale for exploitation of the bug.


That's exactly why it's the best route. It gives exploitability with max deniability. The deniability also reduces legal risks for anyone paid to add vulnerabilities to their products.


Look at exception TSU.


The weakness of freedom of speech is that it also allows freedom of lying. It's the cost of it. I think there could/should be an amendment to the constitution that prevents government officials from consciously lying to people.


Whether an official is "consciously lying to people" is extremely hard to know, because it is a measure of someone's state of mind in the past. The real world is much more complicated than what you could imagine.

Take Obama's 'If you like your health care plan, you'll be able to keep your health care plan' as an example. He repeated this message many, many times: https://www.politifact.com/obama-like-health-care-keep/

How do you objectively decide:

1) Is this statement true?

2) Did he lie about it?

Also, how do you handle "if there is something I should not know, do not tell me"?


Good points. Clearly there are gray areas. But sometimes it would be possible to prove lying. Just like it is possible to prove some marketing is fraudulent.


No way. Open source will (keep) finding a way. It's a force of nature.


A trade war may stimulate Open Source. Each adversary might subsidize the development of Open Source equivalents of the other's key proprietary products and services protected by Intellectual Property.


I actually hope that software (open source) could be more like trade.

E.g. follow human rights, no Great Firewall, and you can use it.

Global trade has done a lot of good for the world, in general, there hasn't been any big war in the last 70 years.

Why: 996


> If Huawei has truly engaged in a long-term pattern of conduct significantly adverse to national security, surely, some independent security research would have already found and published a paper

Presenting non sequitur as evidence has become par for the course. Let's step back to one day before the heartbleed bug was discovered in ssl libs, when a similar argument could've been made regarding the ssl library's security. Only to be disproven a day later.


Why is ARM doing business with Huawei? They don't manufacture their SoCs, or do they?


Huawei licenses the ARM instruction set and some architecture components. If it's a mobile processor, at the very least it's going to license ARM instructions.


Kirin chips are ARM-based. Most OEMs don't make their own chips. Same with Samsung Exynos, Apple A*.




> I have zero problems with "economic pain" caused by us not doing business with a country that has 1M people in "re-education camps", disappears protesters, and wants to extradite people from Hong Kong.

If these were the reasons for the U.S.'s actions I would agree with you more. I think only international pressure can help with these issues. The Chinese people themselves can do very little given the realities of their country's surveillance capabilities.

But let's not nobly kid ourselves that these issues have anything to do with the cause or the possible resolution to the trade war.


If you’re confident that free countries produce better tech why do we have to choke them out? Wouldn’t it be a stronger message to let the freedom do the work?


Taking a stand for human rights; putting our money where our morals are.


But forgetting the morals for a second, doesn't it dilute the message? Here's an amoral analogy:

We're running a marathon and I'm currently winning but you're catching up. I'm confident that I'm winning because I take 10000mg of vitamin C every day. But also I'm going to pour burning asphalt on the road behind me.

When you lose the race, are you going to reconsider not eating vitamin C every day, or will you blame me for pouring burning asphalt on the road?


Let's do both!


Have you missed all the articles about Chinese students returning to China once their American education is complete?

They are not staying in the US because it's 'freer'. Increasing numbers are leaving once they've got what they came for.



