Yes, the AFR’s Lenovo story is still accurate

41

lenovo-1

blog The news reported over the weekend by the Financial Review that devices manufactured by Chinese vendor Lenovo (including its extremely popular ThinkPad line) have been banned from use in the “secret” and “top secret” networks of the intelligence and defence services of Australia, the US, Britain, Canada and New Zealand, because of similar espionage concerns as have been leveled at Chinese networking vendor Huawei, has caused a massive amount of interest from the IT industry, to say the least. Over the past several days Delimiter’s article on the subject has received a substantial amount of traffic, and we’re aware of several high-level discussions behind the scenes on the issue; not surprising, given the potentially huge impact that Lenovo would face on its business, if it was ever shown that the ThinkPad line it bought from IBM back in 2005 was fundamentally unsound.

All of this is why we were very surprised to see, several days after the AFR published the story, this flat-out denial issued by Defence late on Tuesday. Quite a few readers have already seen it, but at the time, Defence said:

“Reports published on 27 and 29 July 2013 in the Australian Financial Review allege a Department of Defence ban on the use of Lenovo computer equipment on the Defence Secret and Top Secret Networks.‪ ‪This reporting is factually incorrect. There is no Department of Defence ban on the Lenovo Company or their computer products; either for classified or unclassified systems.”

So, who’s right? After all, this seems like a fairly black and white situation. Either Lenovo products are blocked from being used in some areas of Defence, or they’re not — it’s a pretty clear-cut situation. Either the Financial Review’s article is accurate, or the Department of Defence’s statement is accurate. It would be hard to imagine both of these opposing views being true at the same time.

Over the past day Delimiter has done a bit of research into this specific topic, with a view to determining the truth of the AFR’s report. And right now, without saying where we have obtained our information, it seems clear that the Financial Review’s report on this issue is broadly accurate. In short, although the specifics of the ban are unclear, the newspaper is correct that Lenovo machines are not used in certain areas of Defence. In this context, a common English reading of Defence’s statement issued on Tuesday shows that it may be taken to be disingenuous at best.

It’s not often Delimiter comes to the defence of the AFR. Although your writer spent some time at the newspaper as a technology reporter a few years back and still retains a fondness for it, in recent times the masthead has had a few shockers — especially on issues such as the NBN and IT security. It’s not unusual for us to point out inaccuracies and issues with its articles. And we have no doubt that some quibbles can be found even in the paper’s Lenovo coverage this week. But let us say this: The AFR does appear to have hooked a live one with its Lenovo story.

In a certain sense this isn’t surprising. The article’s initial trio of authors pack some punch between them. Christopher Joye has developed a knack for picking up interesting IT security stories recently (although he does tend to exaggerate them), while Paul Smith is one of Australia’s most senior technology writers, and John Kerin one of Australia’s most senior Defence writers. We encourage these writers and the newspaper to stand fast in the face of Defence’s bluster on this issue. And we strongly encourage Defence to come clean and issue a new statement clarifying the situation. Because its current official viewpoint on this matter is sadly defective.

Image credit: Lenovo

41 COMMENTS

  1. Renai you have said ” In short, although the specifics of the ban are unclear, the newspaper is correct that Lenovo machines are not used in certain areas of Defence” .

    Your quote from the AFR was “Computers manufactured by the world’s biggest personal computer maker, Lenovo, have been banned from the “secret” and ‘‘top secret” ­networks ………….. because of concerns they are vulnerable to being hacked.”

    If the Lenovo computers are “vulnerable to being hacked” then surely every business in the Western World should be made aware. If we were talking about a computer virus or some other malware then everyone would know about it and be able to take protective measures. Why should this be any different?

    Neither yourself, the AFR or the Department of Defence hiding a supposed problem with the Lenovo from the world brings any of you any credit . All it does is reinforce the mistrust that a lot of Australians have with the media and government departments.

    .

    • hey Bob,

      I’m not hiding anything from readers. I don’t have any evidence that Lenovo computers are vulnerable. What I have seen is enough to convince me that the AFR is correct that Lenovo machines specifically are not used in certain areas of Defence.

      “If the Lenovo computers are “vulnerable to being hacked” then surely every business in the Western World should be made aware. If we were talking about a computer virus or some other malware then everyone would know about it and be able to take protective measures. Why should this be any different?”

      I highly agree, and my previous article stated this precisely.

      • Hi Renai
        I don’t know what the situation is that you find yourself in in respect to the material and information you have managed to access. You may not be able to reveal the information I don’t know. I would much prefer to have you say if necessary that you can’t reveal the information at the moment rather than allude to the Defence statement being wrong and the AFR article being partially correct and basically leaving the readers up in the air.

        The simple fact is that the reason given by the AFR for the Lenovo not being used was that they were “vulnerable to being hacked.” The existence of a hardware backdoor is at the heart of the AFR article. You say that the Lenovo machines are not used in certain areas of Defence which could be true for a number of reasons but what we need to know is whether or not the AFR allegation of a backdoor is correct or not.

        If the AFR article is correct then as the article pointed out what other computer gear is compromised and does this include things like the iPhone which is also manufactured in China. Surely we deserve an honest answer about this allegation that has been running rife for a number of years now.

        • Look mate, I don’t know why I have to say this again, but I have not seen any evidence about backdoors in Lenovo gear. I have, however, seen information sufficient to convince me that Lenovo gear is not allowed in certain areas of Defence. I can’t publish the source of that information.

          Clear e-fucking-nough for you?

  2. I don’t use a spade on a daily basis, so does that mean I’ve actively banned it?

    Also, after saying the AFR has dropped the ball a few times, they’re clearly right, sorry, “accurate”, this time?

    • Hey mate, I base my articles on evidence. If the AFR is inaccurate in a specific case, I’ll state so. If it’s accurate, as in this case, I’ll state that. Would you have it any other way?

      • No no; my point was you’re not making a good argument for the story to be “accurate” when, right now, there’s no measure by which we have available to make said claim.

        AFR has made a claim; not produced evidence to back it. The claim may be valid; but it may well also simply be an inaccurate assumption based on observation.

        Hence my spade comment. Just because I do not use one, doesn’t mean I have banned it’s use. It’s potentially a bit more complicated. :)

        • There’s no measure by which you can verify the claim, apart from my word. I have seen evidence, but I can’t give that evidence to you. You don’t have to believe me, but I think I’ve earned some credibility by now.

          Make sense? I’m sorry — but journalism is at times a murky business. Not all that I know (very, very far from it!) can be published.

          • No offence Renai, but I’ve long since stopped “believing” reporters on face value, where there’s little to back claims.

            Most people who apply critical thinking do. That is not to say there is disrespect, far from it in your case, but if I believed everything every reporter ever told me, without due consideration, who would be more of a fool for it? :)

          • *shrugs*

            Not much I can do about it mate. Don’t believe me — it’s up to you. As the Buddha said, don’t believe anyone. All statements must be tested against reality, using your own rational mind. In this case, I would encourage you to ask yourself whether I have ever lied to you in the past, or whether I have reason to do so now.

          • It’s not a case of lying, Renai. It’s how facts are presented (or represented).

            Virtually every business will have policies. You have a comments policy for Delimeter, for example.

            But just because you have a policy that doesn’t specifically approve “Dune” or “The Hobbit” quotes, doesn’t mean they are banned. We are being asked to make that connection.

            I’m not sure it’s an entirely valid argument, whether a tin-foil hat is in use, or not. :)

          • Not exactly true.

            Renai is saying “I have seen evidence that indicates Lenovo computers aren’t used for specific things in defense, and that it is intentional, not accidental that Lenovo isn’t used there.”

            He isn’t saying “I have seen a policy, that says everything *except* lenovo is OK, therefore Lenovo is banned.”

            He isn’t saying “I have seen a policy that says Lenovo is banned”,

            He is saying, based on the evidence he has seen, Lenovo is banned, but by his wording, it is less than a concise declaration of banning, and more than merely an appearance of banning.

            @Bob.H
            You clearly misunderstood Renai 3 times, Renai has no evidence that Lenovo is hackable. Let me state that again, Renai has seen no evidence that Lenovo is hackable. Renai has only seen evidence that Defense THINK Lenovo is hackable, and pretty importantly, no evidence as to why.

  3. Ren, is it possible that the language used by Defence is in fact accurate, in that there is no specific ban on Lenovo products, but without meeting certification requirements that provide the requisite security clearances, they fall under the banner of ‘not authorised for procurement or deployment’ within Defence and those offices dealing with Classified information? As I said the other day, devices and vendors tend to be explicitly authorised and everything else is excluded by default. That would mean Lenovo, Asus and every other brand not certified would effectively be ‘banned’, but not actually targeted as such, merely not included in the authorised vendor/products list. That would make the reality sit somewhere between the claims of both parties.

  4. From reports I’ve read elsewhere it seems that there isn’t so much a ban as a lack of accreditation for Lenovo kit.

    It’s not like there’s a report that says “Lenovo kit is banned”, rather there’s a report that says “the following equipment has been accredited for use” and Lenovo isn’t on that list. It’s way too time consuming to accredit every single product from every single vendor.

    Are we going to see media reports claiming that “Commodore 64 computers are banned for use in secure Government organisations” just because they aren’t on the accredited list?

    This seems to be more about the symantics of language. Is a lack of accreditation really a ban? To use an analogy, if I don’t have accreditation to drive a car (i.e. a drivers license) that doesn’t mean I’m banned from driving, just that I lack the accreditation. However if I’m disqualified from driving, then that’s a ban.

    • Conflating “ban” from “not accredited” is a stretch, even for the AFR.

      By that same logic quite a lot of non-chinese-headquartered hardware is likely “banned” too.

    • It’s not just a lack of accreditation. The AFR is correct — Lenovo machines are specifically not used in some sections of Defence. It may be an informal policy, it may be a formal policy of certain units within Defence — but there is indeed a policy.

      • Renai says “The AFR is correct — Lenovo machines are specifically not used in some sections of Defence.”

        That is a lot different to a ban. We don’t use Lenovo machines at all in the organisation I work for but that doesn’t mean we have a ban on Lenovo products.

        You’ve said in other comments words to the effect of “trust me, I’ve seen some things but I can’t share them with you” which is fair enough. Protecting sources and sensitive information and all that. I get it. And based on your track record of articles and opinions I have no reason to not believe you. But have you really seen anything that says that Lenovo is specifically banned as a vendor? Is it the only vendor that’s banned or is it just one of many?

        I also work in an extremely high security environment and we have authorised lists of products for almost every aspect of IT. That doesn’t mean we actively ban particular products (well, we do sometimes but that’s quite rare and never a whole manufacturer), just that we can’t test and support everthing. It’s one thing to say that all products from company XYZ are banned because of espionage fears and another to not include products from that manufacturer on the list of approved products.

        Anyway, as I said before, I think this is more about the symantics of language, i.e. ban vs non-approved.

        • “But have you really seen anything that says that Lenovo is specifically banned as a vendor?”

          As I said in the article, I’m confident that they definitely are in some areas of Defence. I’m sure Lenovo isn’t the only vendor — Huawei would be another example.

  5. If Huwawei and Lenovo devices have back doors then there are plenty of private companies who can discover what they are. While such engineering effort is pretty specialised it isn’t rocket science.
    Often the best way to deduce truth is to look at the commercial implications. If Cisco could come up with the proof and publicise it they would be able to destroy Huwawei in all markets outside of China, same for the rival notebook manufacturers ….. but they haven’t. Why would ALL commercial competitors elect not to chase down what could kill off their competitors products?

    I don’t doubt the appetite of the world’s governments for espionage activities but the simple fact of the matter is these mythical “special” back doors don’t exist because it’s too commercially risky.

    Oh and I have no idea if Lenovo is banned or not by defence but it is really fairly irrelevant when you take your tin foil hat off.

  6. I find this comment thread hilarious.

    On one hand, I totally understand the point of view many people have. I tend not to believe things unless I have evidence, myself.

    On the other hand … I’ve published almost 5,000 articles now on Delimiter, and perhaps the same amount in total with ZDNet and the Financial Review. How often can you say that I’ve been wrong, especially on something that’s not opinion? I’d love for you all to find examples :)

    • Why do we have to state you are right or wrong, in order to question the AFR article?

      That’s not attacking your credibility. You’re not on trial imho, the AFR are making statements based on extrapolation and drawing a very long bow.

      I am, most definitely, questioning the validity of the AFR’s apparent statement that a lack of accreditation for laptop hardware, is in any way an automatic, active ban against the entirety of Lenovo.

      • “the AFR’s apparent statement that a lack of accreditation for laptop hardware, is in any way an automatic, active ban against the entirety of Lenovo”

        That is not what the AFR reported. the AFR reported:

        “Computers manufactured by the world’s biggest personal computer maker, Lenovo, have been banned from the “secret” and ‘‘top secret” ­networks of the intelligence and defence services of Australia, the US, Britain, Canada, and New Zealand, because of concerns they are vulnerable to being hacked.”

        It is this statement, that I, and indeed they, continue to stand behind. The accreditation stuff was introduced into the discussion by Defence — not by the AFR. But as I said, I have very good reason to believe the AFR’s original article, specifically that very paragraph there — is accurate.

        • So our military establishment has decided to copy the US and start lying to us….great :/

          • Although I still can quite get over a nagging feeling that this type of warning might be put out by the US to protect it’s corporations market shares (Cisco, Dell, etc)

            Maybe I’m just getting cynical, or maybe it’s just a sign of the times since Wikileaks spilled the US cables…

          • Yep. Getting warmer. I used to work in a business associated with router manufacture. The Huawei thing is pure revenge. Huawei started out by reverse engineering and blatently copying Cisco routers – all the while protected and encouraged by the Chinese Government. Meanwhile Cisco still had huge business in China so the US had to sit back and grit its teeth lest it start a trade war.

    • Speaking for myself here, but I work in a very high security environment and I’ve seen the sorts of mistakes and misinterpretations that are made when incorrect language is used or when someone from within an organisation makes a statement about something they only partialy know about.

      I’m also looking at some other reporting that is saying that it isn’t a ban but rather a lack of accreditation to be used in super sensitive environments. Then there are others saying that this lack of accredication is actually a ban on the manufacturer.

      Who am I supposed to believe when multiple sources I normally trust are telling me different things and no-one is able to show me any evidence (understandable given the secure nature of the topic)?

      If anything I think the questioning nature of your readers shows an inquisitive mindset that is willing to question what they are told by anyone. I don’t think that’s a bad thing.

        • “I can tell you categorically that it’s not a lack of accreditation.”

          With a categorical statement like that I’m inclinded to lean towards your view/reporting.

          This brings up another question, who the hell is leaking sensitive security information from within our most sensitive and secretive Government organisations? I dread the amount of forensic IT work and paperwork that would need to be completed in my organisation should such a leak occur.

          • Categorically off the record, though. Right?

            Look, I don’t think Renai is being intentionally misleading by any measure, but you can’t really claim as such if you’re then going to not explain further. It’s just an alternative of “trust me”.

            I trust facts (sorry Renai). Not supposition. Right now, the later is all we have. Sure, there may be something to this story. Equally it could be another AFR article that choses sensation over sensible.

            Would this be such a story if it was a US or EU vendor? I’d like to think it would. But I doubt it.

          • Yes, you’re right, that is precisely what I am saying — “trust me”.

            It’s up to you if you don’t. But, trust me, if you think I’m wrong, then you’re misinformed :D

  7. Previous articles have made the point that we should expect Australian and other Western government agencies to “put up or shut up” if evidence cannot be presented to the public about the activities of these Chinese firms.

    It should be noted that this principal has not been applied to this article. While the author is mostly likely using an accurate and reliable source, readers should not form an opinion on this topic until the facts are available.

    • Mate I use anonymous sources, and “background” information supplied by people off the record in virtually every article I write. It’s a little more obvious here, but the reason many of you probably think I am better informed than most journalists is because I speak to people off the record so much — because it allows me to get the facts in a way that I would not otherwise be able to ;)

      But I take your point — in fact, I applaud it! Evidence should be the foundation of all we base our rational judgement on.

  8. Sounds like a media beatup/exaggeration to be pushing the point that no Lenovo machines used = a ban.

    In a high security environment it can be a case of presumed guilty until proven innocent, as well as being necessary to constantly re-prove your innocence. I would expect everything in Defence is “banned” by default, and that getting in is possibly not even be worth the hassle for some vendors. It’s not as simple as just getting particular models accredited as SOE the same way any old company’s IT department works. Defence might demand inspections on the factory floor where the goods are sealed, inspections at each stop on the way to Canberra (or wherever) to ensure no tampering takes place etc. Many vulnerabilities and attacks in these contexts would be carefully targeted via a third party infiltrating the supply chain. Asking “if Lenovo/Huawei/whoever had back doors then why has no large company noticed/complained by now?” is naive. Of course they won’t be shipping trojans in every box.

    • Read more comments.

      Read the article.

      “Sounds like a media beatup/exaggeration to be pushing the point that no Lenovo machines used = a ban.”
      This is precisely the opposite of what Renai is saying.

      Renai is saying that in some locations, Lenovo aren’t allowed, not that they aren’t just not accredited. They are incapable of getting accreditation.

Comments are closed.