# Backdoors & security



## Alain De Vos (Dec 5, 2020)

Made in China,

Chinese routers with backdoors sold in Walmart, Amazon & eBay | Cybernews

Walmart-exclusive Jetstream routers and Wavlink routers contain hidden backdoors. The routers are actively being exploited by Mirai malware.

cybernews.com

----------



## ShelLuser (Dec 6, 2020)

Or made in the US... the story I mean. Funny how they easily accuse the (obviously Chinese) router without providing a shred of evidence. And sorry to say but this part really makes me question this source: "_This backdoor would allow an attacker the ability to remotely control not only the routers, but also any devices connected to that network._" Sure, just gaining access to a network behind a router will allow you to magically control any machines there because... "reasons".

And then I see the YouTube video and it all starts to make sense to me. I'll bet we get commercials when looking at that too. And what do you know... it starts with an ad, so it's obviously a video of which the author(s) hope to generate some kind of income. Surely this won't result in some conflict of interest.


----------



## a6h (Dec 6, 2020)

There are different kinds of evidence. From testimony to scientific evidence. Then we have mathematical proof, and also other stuff, e.g. self-evident proposition, etc.
Here's my question: in such cases, i.e. "Made in China" report, what constitutes evidence?


----------



## richardtoohey2 (Dec 6, 2020)

Made in America (or under American control):



https://www.washingtonpost.com/graphics/2020/world/national-security/cia-crypto-encryption-machines-espionage/


Not quite the same thing, but still not cricket.


----------



## a6h (Dec 6, 2020)

richardtoohey2 said:


> Made in America (or under American control):
> 
> 
> https://www.washingtonpost.com/graphics/2020/world/national-security/cia-crypto-encryption-machines-espionage/


If we apply the same logic which was presented by ShelLuser i.e. commercial interest, we can -- hypothetically speaking -- argue that you can't trust any of WaPo's articles, because Bezos owns the paper, i.e. Amazon has commercial interest.


----------



## ShelLuser (Dec 6, 2020)

vigole said:


> If we apply the same logic which was presented by ShelLuser i.e. commercial interest, we can -- hypothetically speaking -- argue that you can't trust any of WaPo's articles, because Bezos owns the paper, i.e. Amazon has commercial interest.


Hardly, that's comparing apples & oranges. On YouTube _anyone_ can claim whatever they like and try to monetize on it; there's only one interest being served here and there's also no harm in people not buying into your story.

A newspaper like the Post on the other hand doesn't merely try to sell you one article, it's their policy to get paid for their services in general. Not to mention that they also have a reputation to uphold, though obviously fake news can be a thing no matter how big the news outlet is.

And well, that other story about selling bugged encryption tools sounds a lot more realistic.


----------



## a6h (Dec 6, 2020)

ShelLuser :
Anyway, I don't want to be argumentative, criticise your point of view, or pick a side on this matter.

Assertions made by the news, like "made in China", are very similar to "Russia did it". It's more political than legitimate forensic work. For example I tend to dismiss any news about "Russia did it".
On the other hand for me the "made in China" is self-evident, i.e. as far as possible I avoid anything from China. In both cases, it's fair to say, at least for me for the most part, it's subjective, anecdotal and does not rely on evidence. In short, I have bias and it's more political.

The other problem is the broad range of definitions of evidence and, in some cases, proof. And the last one, which is the most complex one: How and why I should trust a news source. I don't have an answer for that either. There comes a point at which you have to start to trust someone or something. Even in extreme cases such as mathematics, you need to construct axioms.


----------



## PMc (Dec 6, 2020)

This is only the beginning of what we will see.



ShelLuser said:


> Sure, just gaining access to a network behind a router will allow you to magically control any machines there because...


"Because" is simple: because people don't want to take responsibility. They don't want to design their network. They want it all to start functioning automatically. And so, if the device is allowed to configure everything, it will also control everything. People look at the average stranger on the street with anguish and distrust, but let foreign companies manage their home, driven by the vague promise that this would make their lives somehow "better".



vigole said:


> If we apply the same logic which was presented by ShelLuser i.e. commercial interest, we can -- hypothetically speaking -- argue that you can't trust any of WaPo's articles, because Bezos owns the paper, i.e. Amazon has commercial interest.


Yeah, why not? What about the option of thinking for yourself instead? Is that completely out of question?

It doesn't matter if it is China or anywhere else. It doesn't matter if we get some report or not. It doesn't matter if the report is solid or not. These plastic gadgets are a faultline, and it is obvious that sooner or later it will be exploited, one way or the other. That's why I never wanted to use one of them.


----------



## a6h (Dec 6, 2020)

PMc said:


> Yeah, why not? What about the option of thinking for yourself instead? Is that completely out of question?


I had to practice some level of self-censorship. Some of these papers are regarded as holy papers. If I express my sincere opinion about them, either I will be branded at least as a troll (and believe me that's the nicest name calling which I expect to receive) or probably get banned from the Forums.


----------



## PMc (Dec 6, 2020)

vigole said:


> I had to practice some level of self-censorship. Some of these papers are regarded as holy papers.


Well, I'm not an American.

I was recently pointed to that matter by a marxist (funny as that is) - because, I was thinking that those people, like Zuckerberg, Bezos etc, had the incredible luck to be just at the right place at the right time, and thereby they disprove the whole marxist theory, and prove the "American dream": that you can get incredibly rich from zero by just doing the right thing.

But then I was pointed to an interesting detail that all those people have in common: their education. So I come to the conclusion that the Internet is now owned by about ten people, who all are somewhere in their forties, early fifties, who are richer than anybody else, and who share a common educational mindset (i.e. they should actually have become punks in line with their generation, but somehow didn't).
And I think it is a very safe assumption that those people will do what is in *their own* best interest.

Or, as Dylan Hunt once said: _I trust in Tyr being Tyr._


----------



## ShelLuser (Dec 7, 2020)

PMc said:


> "Because" is simple: because people don't want to take responsibility. They don't want to design their network. They want it all to start functioning automatically. And so, if the device is allowed to configure everything, it will also control everything.


But therein also lies the problem, modern client based OS's (looking at both MacOS & Windows 10) cover for this by applying a varied set of security measures of their own. And sometimes those security measures can pretty much end up a pain in the behinds, even for legitimate reasons!

I'm not only talking about things like firewalls which are always in use, despite being on a 'private' network, but also the authentication mechanics put in use. Simply put: there's no guarantee that you'll be able to take over client machines "just like that" by merely taking over the router. Yet that's exactly what the article is insinuating which is why I don't give it much value.

See, I'm certain that if there was an obvious remote root exploit in the works for both Windows & MacOS that we'd have heard about it by now. Especially if an article such as this were to reveal the potential risks.

Now don't get me wrong here, I'm not saying we should dismiss stories like these entirely. I'm merely expressing my doubts about this particular one.


----------



## ralphbsz (Dec 8, 2020)

PMc said:


> So I come to the conclusion that the Internet is now owned by about ten people, who all are somewhere in their forties, early fifties, who are richer than anybody else, and who share a common educational mindset (i.e. they should actually have become punks in line with their generation, but somehow didn't).


List those 10 people, and then we'll look up what they really own. My educated guess is that you'll find that they own 5-10% of the big social media and internet infrastructure companies. The rest is owned mostly by mutual funds, which mostly have the money from retirees (and soon to be retirees, in the US that's called 401k retirement plans, plus all the public employee retirement funds). So in reality, 90% of the internet is owned by people like our son's high school chemistry teacher (through the California Public Employee retirement fund, which is either the US's or world's largest retirement fund), like the paper factory worker in the upper midwest, or me.


----------



## Crivens (Dec 8, 2020)

Maybe a better word would be 'controlling'. As you pointed out, few people own the companies they control.


----------



## ralphbsz (Dec 8, 2020)

You are absolutely correct; in the last 20 years, there has been a trend towards split voting rights. So for example, while Zuckerberg or Brin/Page own relatively small fractions of their companies, they have outsized voting rights. For example, in the case of Facebook I vaguely remember hearing that Zuckerberg controls about 60% of the voting rights of shares, so he makes all the board decisions himself.

However, the independent shareholders (who hold about 80% or 90% of the shares) have an easy way to vote if they don't agree with Zuckerberg: They can vote with their feet and just sell their Facebook shares. If a majority of them do that, that will drive down the price significantly, so they would lose money. But importantly, it would also drive down the value of Zuckerberg's shares, potentially making him poor, and he would probably reconsider any decision that the majority of shareholders disagree with, purely out of self interest.

In the meantime, the complete absence of boardroom fights at the big computer companies seems to indicate that the other shareholders are on board with the decisions of management.


----------



## Alain De Vos (Dec 8, 2020)

The rights of shareholders are limited compared to the CEO.
There is a yearly shareholders meeting ..., to put something on the agenda one must represent a reasonable amount of shares.


----------



## ralphbsz (Dec 8, 2020)

(In the US) Shareholders are represented by directors, who are elected by shareholders. In the case of a company like Facebook, since Zuckerberg holds the majority of the voting rights (his shares have 10x more votes than the others), he appoints directors. In most other companies, director elections aren't really "competitive", with executives proposing directors who get rubberstamped. If you look behind the curtain, you'll find that executives have direct discussions with major shareholders, and shareholders are typically happy with the board nominations. Cases where shareholders are unhappy enough are rare but happen, and typically end with either shareholders ganging together and nominating an alternate slate of directors, or voting with their feet and selling the stock (which tends to depress prices a lot, which both executives and directors hate).

Board meetings are typically frequent (I don't know about Facebook); at other big companies I've worked at, they tend to be at least monthly, with committee meetings even bi-weekly. The board is typically quite inquisitive, and will ask executives uncomfortable questions. That's not just the CEO; typically board members interact with one or two layers of people below the CEO (I've seen that dribble down even to the senior engineer level, when we need to prepare data for executives to be ready for questioning by the board).

So shareholders in most companies are reasonably well represented, by the directors they elect. It would be better if cumulative voting was required; that would guarantee that smaller shareholders would be more fairly represented, but that's something not even the major democracies have figured out (neither Britain nor the US have proportional elections).

The situation at Facebook and similar companies is a bit unusual, because one particular set of shareholders (typically the founders) have outsize voting power. The fact that other shareholders are willing to buy "the other 90%" of the shares indicates that investors trust the executives to make good decisions. But the other shareholders still have the opportunity to walk away: if you don't like what Zuck is doing to Facebook, just sell your stock, and buy something else (Scott paper or Coors beer).


----------



## Crivens (Dec 8, 2020)

That may be so, if you hold your stocks yourself. Most people are so lazy that they order shares through their bank depot and let the bank store it for you. That may be convenient, but it gives the bank the voting right of your share. So you may end up with 80% of the votes in the hands of a handful of banksters, who don't own the shares and don't care about their value. You better hope they have no personal interest in turning that bizz belly up...


----------



## ralphbsz (Dec 9, 2020)

Actually, if you hold individual stocks in a brokerage account (in the US, that's typically done by brokerages, not banks, in Europe it might be different), you can vote your individual shares. When I worked at XYZ corporation, and was unhappy with the behavior of the CEO, I used to make it a point to vote my dozens and dozens (ha ha!) of shares against appointing the CEO to the board of directors. I obviously knew that it had no effect (they were not going to lose the election because of a few disgruntled employees), but I strongly suspect that management monitors the election statistics, and looks for messages in there.

But that doesn't matter anyway. Most stocks are not owned as individual stocks by individuals, but by large mutual funds. In turn, most mutual funds are held (in the US anyway) by retirement funds. For example, both personal retirement accounts (known as 401k or 403b) and pension funds (such as the California state teacher's pension fund known as CalPers) hold huge quantities of stock (and many other investments). So if you look at the largest holders of shares for most companies, you're likely to find Vanguard, Fidelity, BlackRock, and so on. These are companies that take cash investments from individuals, and then buy a (typically broad but focused) scattered portfolio of stock to invest in. One example might be a "toilet paper fund" (would have been a great investment in 2020!), which might contain (in the US, the brands might be unfamiliar in Europe) Scott Paper, Kimberly-Clark, Procter&Gamble, ...

And mutual fund companies tend to be activist investors. They go and call the executives of companies, and ask uncomfortable questions. When companies hold investor days (where many investors come to meetings), you can see analysts from the mutual fund companies quite aggressively hounding executives, and they are often very knowledgeable. A friend of ours (with a PhD in computer science) used to work as an analyst, and he would go ask the CTO of big companies questions about things like instruction sets, memory bandwidth, number of PCI lanes, cycles per instruction, vector processing options. By comparing the answers from different companies with his knowledge (intuition? guesses?) of where the market is going, he would recommend things like "sell Intel, buy Arm and AMD" (just as an example).

So: shareholders can have enormous power, if they just want to.


----------



## Crivens (Dec 9, 2020)

The problem stays the same. If these investment companies screw up, they burn not their money but other people's.

But I just got a good laugh out of this. Imagine you bought shares in the TP fund and get the news that your investment was flushed down the drain. Implemented as specified, one could say.


----------



## ralphbsz (Dec 9, 2020)

Absolutely correct. The same happens with big companies. If you invest in Facebook, you do that because you believe that Zuckerberg is hyper-smart and ethical, and will make his company a lot of money, and you will share the richness in a small part (hint: I don't believe this is a good idea, and I neither own FB stock nor work there). And if you are wrong, then Zuckerberg will burn mostly not his own money, but other people's (mine or yours). Same with Vanguard or Fidelity: If they screw up, I will be poor in retirement.

And that's why investing in beer and toilet paper stocks is an old joke: while these companies will never be super successful, they will usually be stable. Since whatever happens in the world, people will always want to drink beer, and always ... you get it. I think 2020 has demonstrated that toilet paper and alcohol (and guns and ammo) are what people really need.


----------



## drhowarddrfine (Dec 9, 2020)

We didn't always have toilet paper. It's a relatively recent invention--the mid-1800s--and I long for the days....well....never mind.


----------



## Crivens (Dec 9, 2020)

Patience, padawan. We will tell you about the three shells when you are ready.


----------



## Alain De Vos (Dec 9, 2020)

A maybe totally different question, but what are your opinions about employee stock options?


----------



## ralphbsz (Dec 9, 2020)

That's a terribly complicated question. Do I like them personally, as a recipient of them? Sometimes. At some employers, I've gotten quite lucky with them. The joke I make is: the solid cherry kitchen cabinets and granite countertop were bought from XYZ company stock options.

But we need to recognize them for what they are: a part of your pay package. As are things like good health insurance programs (not so much an issue outside the US), retirement plans, and so on. But unlike the things that tie you to the company on a day-to-day basis, they tend to have a long-term effect. If I quit tomorrow, I know that my salary will stop very quickly (typically anywhere between 0 hours and a few months afterwards, depending on local customs and laws). But I still have the stock from my employer, I can still exercise stock options. But more importantly, I may have to look at the option vesting schedules: If I stay around for another 6 weeks, I might get another big packet of options, so let me not quit today but wait a little bit. And six weeks from now, there is the next vesting date, so I'll stay a little longer. Iterate that, and you'll end up tied to your job forever. Once, when I quit XYZ company, I told people: What is my sanity worth to me? About ABC K$ in stock options. There's a reason that options are called "golden handcuffs": If you stay longer, you will get more than proportionally richer. I have a friend who managed to stay for three years after a nasty takeover of his company (most others quit, the new management was difficult); he ended up seriously rich (the number of airplanes he bought is larger than the number of fingers on one hand, and some have multiple engines). Now, did it cause him massive hair loss? Absolutely.

The other thing we need to recognize is that stock (in all forms) is actually cheaper than cash pay for the company. Investors will typically overlook a small dilution of the value of their stock by issuing new stock for options; for large quantities, companies typically do buybacks. So if you get two job offers, one being A: $100K in cash plus $50K in options (expected value per year), and another one B: $150K in cash, you need to understand that the second company actually values you higher.

Then there is the risk factor (a.k.a. statistical distribution). Getting back to the previous example: If you work for company B, you will have $150K in the bank, every year. At company A, you will have $100K. You are likely to have $150K (that's the mean expected value). You might have $250K or way more too. Can you survive on $100K? Do you have a plan to do something useful with $250K if you get lucky? If getting only $100K means you will starve and live on the street, then don't go to work at A. On the other hand, if you can comfortably live on half that, but if you get $250K this year something wonderful happens (I have a friend who is literally waiting for a pay raise, so he can propose marriage and start a family), then go work for company A. One problem here is that most people are not capable of evaluating risk and statistics objectively. Many will go work at A (because of the theoretical chance of a huge payout), even though B is really the better deal, if you take into account that cash flow tends to lead to non-linear (inefficient) spending.

Finally, we have to distinguish different forms of stock pay, which most people simply lump together:
Employee stock purchase: Every month, you take 10% of your cash pay, and buy stock with it, which the company sells to you at a 15% discount (these are typical numbers), and at the stock price from a year ago. The stock is yours, but you get it at a good discount.
Stock grants: In addition to your monthly pay, the company says: for the next 5 years, we will give you 500 shares on each January 1 for free, and the current value is $100 per share. Stock grants can be performance based: Only if your code is bug-free and runs fast, or only if you sell 1000 widgets per week, or only if you make our stock price go up by 50%.
Stock options: Today's stock price is $100. For the next 5 years, on every January 1st, we allow you to buy 5000 shares at $100. Now, if a year from now the stock price is $80, you simply ignore it, and don't buy them. But if the stock price is $120, you just made some money. And if something wonderful has happened and the stock price is $1000, you just got pretty rich. Again, stock options can be non-qualified or performance based.

The difference between stock grants and stock options is the leverage: stock options emphasize small fluctuations in the stock price. Say in the example the stock price alternates between $90 and $110 every year: In the stock grant example, it's just a pretty smooth flow of cash; in the stock option example, you make good money when the price goes up, but don't lose money when it goes down.

And one thing that can completely up-end this whole discussion is taxation. In the US, that is ridiculously complicated, both for the company (for which stock options have become less desirable compared to purchase plans and outright grants over the last decade), and for the employee.

Personally, I think stock-based pay is mostly a good thing, because it reminds each and every employee that the legal purpose of a company is to make money, and that everyone at the company (from the CEO to the janitor) is legally required to work to increase the stock price in the long term. But stupid employees sometimes get too much in love with stock, and do dumb things. And employers have been known to exploit that and deliberately underpay people by giving them large stock packages of dubious value. This is very typical of startups: We will pay you little, but here is 3% of a company ... which is likely to be worthless.


----------



## PMc (Dec 9, 2020)

ralphbsz said:


> List those 10 people, and then we'll look up what they really own. My educated guess is that you'll find that they own 5-10% of the big social media and internet infrastructure companies. The rest is owned mostly by mutual funds, which mostly have the money from retirees (and soon to be retirees, in the US that's called 401k retirement plans, plus all the public employee retirement funds). So in reality, 90% of the internet is owned by people like our son's high school chemistry teacher (through the California Public Employee retirement fund, which is either the US's or world's largest retirement fund), like the paper factory worker in the upper midwest, or me.



*laugh* You're certainly correct. This is something many people do not consider: that the shares of those evil (in the mind of some people) capitalist corps are to a great extent owned by those orgs which they rely on for their retirement. So, I absolutely agree with You on that.

Now that teacher, does he have an idea about which companies he (partially) owns? Probably yes, as a teacher.

What I mean is, those maybe ten people are the highest-level influencers, are those that are listened to, by the media, by politicians, and in lots of certain round tables. (And with 5-10% shares they may still have enough weight to even be feared.) Your chemistry teacher is not.

Don't get me wrong, I'm not at all into conspiracy stuff. But nevertheless I like to ask: what game is currently being played at this table called planet earth? Our world has changed with an ever-increasing speed during about 3 generations (and I don't think this is healthy): while over 100 millennia nature dictated how things are to be done (and nature has excellent algorithms to make sure we survive), now mortal men are in charge, all over. And I am not sure if those in charge, be it either these maybe ten people or the mutual funds deciders, are really up to the challenge.

I am specifically NOT talking about money (but those decision makers seem to be mostly concerned with the diversions of money). I am rather talking about the way we live. In my youth, we had no telephone, neither a TV or a clothes washer (wouldn't work, we had our own well). Was life bad because of that? In no way. But, for quite some decades, nobody can imagine to live without these. And nowadays a lot of people can no longer imagine to live without Google, i.e. their smartphone.
What does that mean: over the past 50 years, and to an ever greater extent, we are *outsourcing our life*. And that is what concerns me.

In fact we are now outsourcing it to those ten people. And that, as I think, is more worrying than any conspiracy theory could be. But this is also the prerequisite for this backdoor story - it is all about the question: *who owns the populace?*


----------



## Crivens (Dec 10, 2020)

ralphbsz said:


> And one thing that can completely up-end this whole discussion is taxation. In the US, that is ridiculously complicated,


*laughs in German*


----------

