Investigating an “evil” RJ45 dongle

Totally agree.

And a great example that truth is complicated, expensive and uncomfortable. It's much easier to postulate an evil nation-state entity with a bad plan (without evidence) than to dig through the thicket of this article. It's much cheaper as well, certainly in terms of time and knowhow. And it's also much more comfortable to claim you're the victim and have uncovered a conspiracy, rather than realize this was just the result of the patchwork typical of engineering.

Kudos to the author.

Yeah, the insane takes spread faster but it takes more time and resources to look into it than just come to conclusions early.

The worst thing is this creates an environment where most people are either completely credulous and buy into everything or completely incredulous and think everything is unfounded. It's just exhausting to have a healthy level of skepticism these days, and maybe 1 out of 1000 times (number source: from thin air) something that sounds insane actually has some truth to it.

I would also add, it's not _unreasonable_ to be wary of something when a tool like a virus scan pops up a warning. The jargon used to explain what the executable is doing is gibberish to any 'normal' user, there's no way for them to know it's listing stuff you'd more or less expect it to be doing.

Of course, there's a bit of a jump from that to making bold claims about what it's doing, but the initial concern was understandable.

Yeah, for a substantial fraction of people, this case will stick to their minds as "oh the chinese .. again" It's both sad and scary. It was even submitted to HN. Flagged by now, but still. Many people won't have read this follow-up, especially since it doesn't come as a 1-sentence TL;DR..

Hmm, why is it sad and scary?

The problem is that good journalism doesn't have funding. Otherwise this shit would never have made it into a newspaper, maybe outside of a really shitty yellow rag.

> The problem is that good journalism doesn't have funding.

The BBC and Reuters can be posited as counterexamples to your assertion. They’re good journalists and well-funded (and not primarily by advertising either).

Hmm... but do you think that they would produce such an article, funding the research into it?

From what I can tell, they would report accurately once these findings were published but would not find a researcher to dig into the claims before publishing that someone (named) said that these chips are at fault.

Not the OP, but I think I get the "sad and scary" part. It seems as though there is some vilification going on and that's happened before with very sad outcome.

It's sad because the HN crowd is technically maximally (?) literate and should be one of the last communities to even remotely buy the debunked story.

It's scary because if even those in the know are not resistant to such BS, who else is going to shield the general public from populism-fueled pushes to anarchy or worse? Detoriation of trust in media is one of the building blocks of that, and if even the experts of subject areas are fooled and/or don't care enough, all hope may be lost.

The silver lining though is that the HN submission got pushback in terms of comments and an eventual flagging.

BBC is under constant threat of getting defunded, it's almost a meme at this point, and on top of that is generally under constant attack. Reuters doesn't do much local or regional stuff.

To add, there's a huge politically motivated anti-China movement going on right now, to the point where anything Chinese sounds scary or suspicious. This has been going on for years now, but only came to my awareness with the Huawei scare (as of today, no evidence was found that they did come loaded with backdoors and the like - but do correct me if I'm wrong, this is based on what I remember, not researched facts).

I mean I don't trust the Chinese, but neither do I trust the Americans so it's choose your flavour of evil.

Anyway that said, I'm sure it's politically and economically motivated, as for decades China has played catch-up in the global economy and they are rapidly overtaking, with financial interests worldwide. The US is trying to slow them down by trying to keep e.g. chip technology out of their hands, but other than that all they can do is to stop Chinese companies from earning money in the US.

Truth lies somewhere in between. It's also a generalization to think everything related to the “evil-nation” postulation is nothing beyond a conspiracy theory. Absence of evidence is not evidence of absence.

Edit: quoted evil-nation since it’s a debatable term usually applied to any country not politically or culturally aligned with some intelligence activity presence.

Sadly, this is just another example of "A lie can travel halfway around the world before the truth puts on its shoes."

That doesn't mean that every sensational thing is a lie, but verifying the truth definitely takes time!

In the absence of further information, I would totally choose to believe the story.

Corporations cannot be trusted. Proprietary software is bad enough but proprietary drivers is on a whole new level. You really have no idea what those things are doing unless you reverse engineer them.

Here are example of corporations essentially pwning your computer with their "justified and trustworthy" software:

https://www.vice.com/en/article/fs-labs-flight-simulator-pas...

Shipped a browser stealer to users and exfiltrated on an unencrypted channel the usernames and passwords of users they deemed to be "pirates".

https://old.reddit.com/r/Asmongold/comments/1cibw9r/valorant...

https://www.unknowncheats.me/forum/anti-cheat-bypass/634974-...

Screenshots your computer screen and exfiltrates the picture to their servers.

https://www.theregister.com/2016/09/23/capcom_street_fighter...

https://twitter.com/TheWack0lian/status/779397840762245124

https://fuzzysecurity.com/tutorials/28.html

https://github.com/FuzzySecurity/Capcom-Rootkit

The driver literally provided privilege escalation as a service for any user space executable.

As far as I'm concerned anyone who trusts these corporations with kernel level access to their computers is out of their minds. I don't trust firmware but at least it's contained in some isolated device.

Which firm's journalist was it that just got arrested at a press conference for asking questions about Israel?

>It's sad because the HN crowd is technically maximally (?) literate

I laughed. While there certainly are very smart people here, HN crowd is pretty diverse and large parts of crowd are startup/business/framework of the week/ai bros folks. Not someone who would know what spi is from the top of their head.

Honestly there are so many claims about Huawei but I think the loudest ones were about the 5G network which were BS but there were some that were legit, and this is exactly my point - it’s exhausting to check this stuff, so the vast majority of people either believe it all or none. For example it seems like the Supermicro spy chip thing has truth to it (it feels the thing OP was rebutting was inspired by this story), though it’s unclear, it’s very much based on statements from 3 letter agencies, so I just have to guess, yes probably China got their manufacturers to install hardware spyware on some devices.

These days, all countries are doing insane digital spying on other countries. I believe we’re in a modern Cold War. China is a unique threat not because there’s something uniquely evil about them but they own so much manufacturing and have an explicit tight relationship between companies and government. This is the main reason for moving manufacturing to US, nobody really cares about the workers, it’s a security threat.

All that can be true, and still also be true that most of the shit you hear about China is BS and xenophobic. It leads to actual violence and racism. That’s why it’s important to push back against, for the regular people just living their life. I’m never going to defend any country, these are battles the very richest people are fighting it’s not my war, I push back so don’t people don’t act as foot soldiers in their war or become collateral damage for something they have no part of.

Fun considering the history too [https://www.risidata.com/index.php?/Database/Detail/cia-troj...]

I meant relative to a random dude on the street.

Sorry but you are blurring the lines between an actual malicious attack and a badly designed driver.

The first is what the original claim was, screaming "Russians!" and "Chinese!" at the same time with poor technical understa ding.

The second is what actually happened. It's no worse than inserting a CD-ROM and installing a driver. As bad as that is, and to be criticised in its own right, it's qualitatively different from the first.

Let's not muddy the waters by conflating the two and make the (IMO legitimate) criticism of one of them wade into a conspiracy theory about the other.

> Absence of evidence is not evidence of absence.

Correct. Not more, not less. Question is what the default assumption is. With enough BS thrown around, the public seems to tend to tilt to "something is fishy" without any (non-debunked) evidence having ever been presented. Doesn't mean it never will be, but until then, a lot of debunked falsehoods shouldn't create more bias than just silence. Sadly, something always sticks.

Didn’t china make the news recently because they hacked a handful of huge American telcos and cell providers?

Or the balloon that was hanging out for a while, that was a thing.

Ejected, not arrested: https://news.yahoo.com/news/antony-blinken-kicks-journalist-...

fundamentally, it’s a ‘liberal’ (assume good intent/turn the other cheek) vs ‘conservative’ (cover your ass) approach. In the literal, not political meaning.

With enough problems, enough people get burned that of course this is where it goes.

There is no muddying of waters here. I posted an example of a corporation who thought it was alright to ship literal malware to their customers. They had every intention of stealing their credentials. They did it on purpose, because they thought they were police officers and wanted to "track down" some notorious "pirate". They displayed zero remorse, only regretting the fact they got caught. They actually thought they were justified in their endeavours.

There are no "conspiracy theories" here. It's not a theory, it's really happening. It's not a conspiracy, they don't even think what they're doing is wrong. Corporations see themselves as utterly justified in everything that they do in the name of profit. There are no limits they wouldn't cross. Nothing is sacred to them. Not morals, not you, and certainly not your computer and the personal information stored in it.

Trust them at your peril.