I mean why? They couldn’t have invested that much in R&D
Good question. Generally speaking, we have seen some denial (think SIA) and procrastination. Hikvision is likely making incredible deals right now for whoever wants to continue (see Hikvision USA's decline). That combination may prove attractive.
Being familiar with some of Stanley's other brands (Proto, Vidmar, and now Lista), this kind of baffles me. I'm not going to even DDG it but I can take a guess that they must have a few US Government contracts. Seems kind of backwards.
I hope Stanley and those involved do something before phase 2 hits next year. Could easily become a real mess real quick if action isn't taken. This nonchalant blanket statement on their part makes me think they'll just crack open a cold one and wait for all this to simply blow over...
Perhaps they got an amazing deal from a beaten down Hik? Perhaps their $2B in revenue affords them enough channels and projects to feel comfortable moving that inventory? Perhaps it's a bit of risk management while evaluating additional vendors? Perhaps they had to keep inventory low during the first half of the year to make a quarterly earnings call or two? Perhaps they bought more dense products, not just cameras? Perhaps, perhaps, perhaps! I'd think Stanley's size, processes and channels affords them the ability to simply take larger calculated risks with suppliers and inventory management.
As for the marketing, if their lawyers have given the all-clear, isn't it Stanley's fiduciary duty to sell all they can into all their verticals?
JCI / Tyco is not telling buyers what to do at all here, unlike Stanley. JCI / Tyco is putting up a disclaimer, leaving it up to the buyer to evaluate whether such 'restrictions' apply to them. That is what strikes me as a vetted legal stance.
Definitely a vetted legal stance but I'd still be shocked if these were not lawyer approved responses, especially considering they deal with government directives. The NDAA FAQ, short and concise as it is, seems crafted to answer most commonly asked questions and give the green light to continue Fed sales until August 2019.
Now that it's August 2019, doesn't the big July 2019 purchase suggest the inventory will be used mostly for commercial projects anyway? Plus they get the added benefit of telling Fed customers, as well as others, hey 'we're stocking up in case of drought; we're a reliable partner.'
1. The security specific impacts of the tariffs on Stanley's bottom line (i.e. the reason for that disclosure in their 10-K) are completely negligible, to the point of not being relevant in any way.
2. It's Matt Kushner, not Mark.
3. Matt is not the CEO of anything, he's the President of the Products division -- its own entity within the Stanley umbrella, and he has no relationship with the integration side whatsoever.
4. Stanley/3Xlogic's defense of this will be that they write their own firmware for the cameras. While that may or may not be true in the first place, I also don't think it's a defense of any kind.
5. I'm completely disgusted at this. Pathetic on Stanley's part, but I have absolutely no question in my mind that it was driven by a financial incentive -- I guarantee they got an absolutely bonkers deal on that hardware, and some bean-counter somewhere made the decision to do this. Par for the Stanley course.
Matt Kushner is the CEO/President of products and solutions. Matt does have a lot to do with the integration side. 3xLogic does indeed write their own firmware. The 3xLogic product plays in the retail space more than the government market.
2. Matt doesn't have a lot to do with the integration side.
3. 3xLogic does not write their own firmware, they make basic changes to the Hik firmware as has been pointed out in this thread.
4. You finally got something right -- yes, 3xLogic is focused more on retail than government. That still doesn't change the fact that this move by Stanley is utterly shameful, and I'm disappointed in their leadership -- many of whom I know personally -- for allowing this to happen.
Your second point is incorrect. Matt now runs both the product/manufacturing side of Stanley as well as their global integration business. All security businesses in Stanley report to Matt. This change occurred in June.
Your third point is incorrect. Matt now runs both the product/manufacturing side of Stanley as well as their global integration business. All security businesses in Stanley report to Matt. This change occurred in June.
Jonathan de Chateau is spot on. I am no more informed after reading this sensationalized article other than the writer doesn't like Stanley, 3X Logic, doesn't understand the leadership of the organization he is writing about, or appreciate the effort this company makes to sell products that benefit their customers (writing their own firmware / product availability) or their shareholders (typically larger purchases receive a deeper discount).
A large company made a sizable purchase - big deal. I wonder where the computer or phone the writer is using was made?
Stanley operates worldwide, there are more markets to feed products to.
These tariffs only apply to goods shipped from China to the US, so Stanley's own statements about stocking up inventory to avoid 'increased tariff fees' is a US-specific claim. If Stanley wanted to ship products from China to the Netherlands or New Zealand, there is no need to address any tariff concern.
The Huawei/Hik/Dahua ban is only a problem in the US Market.
Not according to Hikvision itself. Their just-released H1 2019 financial transcript admits they have faced problems both in the US and other countries:
There is a significant decline. Due to the impact of the US National Defense Authorization Act and the US Department of Commerce’s “physical list” sanctions, concerned that the US revenue has shown a negative growth since the second half of last year, and the company is expanding its mid- to high-end market because of some interference from non-market factors has not made much progress in many countries in a short period of time.
Jonathan, you need to think through things before you reply. Specifically, you have a tendency to make specific factual claims that can be refuted. Either avoid those (just make emotive statements like "I love Hikvision" or "The US government is bad") or make sure your factual claims are backed by evidence. Happy to engage with you.
I can't imagine that it would matter if Stanley wrote their own firmware. Couldn't there still be back doors, or other vulnerabilities, hard coded into the chip? And aren't the main chips in these cameras also banned anyway?
The problem is that most "custom firmware" is little more than some superficial UI changes, and maybe the addition of a few custom API calls to facilitate an alternative to ONVIF for device discovery or configuration.
The majority of manufacturers that are OEMing Chinese product to create a value-priced line are not doing extensive firmware customization and review, they are doing just enough to make it non-obvious that it is a Hikvision (or whatever) camera, and just enough to support some of their legacy 1-off APIs.
On top of that, even if you wrote 100% of the firmware from the ground up, there is the issue of the embedded code in the SoC, which is basically a "virtual computer" unto itself. And a computer that the OEM has practically zero insight to.
You can think of firmware as being a hostage to the SoC, and any microcode on the SoC. Any communication the firmware has with the outside world (network), must pass through the SoC, and therefore the SoC can mount an almost impossible to detect man-in-the-middle attack on any firmware, custom or not.
Much of cyber security ultimately relies on trust and integrity. It is impossible (or, highly impractical at least) to test every single SoC you receive to ensure it is not compromised in any way.
Anyone telling you they have "solved" the inherent untrustability of HiSilicon SoCs through custom firmware is lying, incompetent, or both. This issue is not solved with custom firmware, it is not solved with open-source firmware or source code review, it is not solved with HTTPS, private certificates, VLANs, air-gapped networks, encrypted firmware, closed systems, or any combination of the above.
if the custom firmware on a rebranded camera stops the security risks
#13, thanks for your first comment. The 'custom firmware' or 'we write our own firmware' is almost always bogus.
#1 has already made the technical case, so I won't repeat it. I will add that a lot of OEM employees will claim that but when asked for details or to explain why most of the product is exactly the same, they have no response.
For example, Stanley 3xLogic OEMing is so fundamental, they literally copied significant chunks of Hikvision's user manual. That's not what true custom firmware development consists of.
From what I have seen of Stanley in the security space it's mostly all commercial projects in my area. There will be plenty of these companies that still want cheap.
Also I haven't done a ton of federal work, but what I have done they require extensive security audits on the products post configuration that are placed into service, but haven't seen or heard of any audit by the feds of other offerings by the vendor in this space for contracts. I am wondering how they will go about phase 2 with blacklisting a company for having such an offer.
Verizon, AT&T and the big telecoms will be a good lead to follow as they have the brute force to test blacklisting as they have a ton of soon to be blacklisted phones that they must/should continue to support. After all they got the govt to reverse net neutrality which has been hugely affecting us. Then again it could be why these telecoms are having major service issues everywhere right now.
3xLogic firmware sits on top of the HIKVision firmware
Generally speaking, I don't think it makes sense to describe firmware sitting 'on top' of firmware. There's a single firmware and it can be modified by the original manufacturer to include or remove features the buyer wants. Think of buying a home and painting the walls and/or adding a bathroom. It's still the same home just with modifications.
While I like the house analogy, I think of situations like this as 'sitting on top' because the original manufacturer (OEM) generally does not allow any modification to the core firmware, they provide API endpoints and the partner then writes what is effectively completely separate software that uses those endpoints, it's two software programs running on one operating system/CPU that talk to each other. In theory, you could delete that partner's portion of the software and be back at the original OEM state. In this case, on the camera you can go to Open Platform -> Application and delete the 3xLogic camera server application.
This is not much different than cameras that offer app stores to add analytics capabilities, etc. and from a vulnerability perspective, the OEM is still responsible for any vulnerabilities in the core firmware and the partner owns responsibility for their application.
So with the house analogy, HIK has provided the house and 3xLogic has provided the Furniture? :-)
it's two software programs running on one operating system/CPU that talk to each other.
"Firmware" is really a term for a collection of code that enables a device to boot up and function. It's a mini operating system, and associated utilities/programs.
A typical firmware build for an IP camera will start with a minimal Linux build (e.g. BusyBox), and then have various other programs added into it to facilitate functionality for the camera (e.g. a webserver for the config UI, ffmpeg offshoots to encode video streams, ONVIF handling, some kind of watchdog program to handle resetting services that might get hung, etc.).
When an OEM customizes firmware, they may add some utilities/helper programs of their own to handle stuff like custom functionality, but these additions would be running "along side of" rather than "on top of" anything provided by the original manufacturer as part of the firmware development kit.
In some cases the OEM can customize the firmware to the extent they might replace certain core functionality that the manufacturer provides in the firmware. For example, Dahua firmware has the "sonia" binary, which handles a big chunk of the functionality around the web UI, video encoding, streaming, etc. You could write your own sonia-like code if for example you wanted to try and reduce latency of video by optimizing the encoding and streaming. In this case, you wouldn't be able to just delete the customized portion of the firmware and be back to a clean OEM build, as you would be deleting something that was fundamental to the camera being a camera.
I have not looked at 3xLogic's camera firmware, so I don't know how extensive their customization is, or is not.
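The comments above argue that most "custom firmware" is a rebrand of the manufacturer's build plus a partner application running alongside it. One way to check that claim on two unpacked firmware root filesystems is to diff them file by file and separate brand-string swaps from real changes. This is an added example, not code from the thread or from any vendor; the two trees are dicts of path to file bytes standing in for extracted filesystems, and their contents are constructed.

```python
# Added example (not code from the page or any vendor): measure how much of a
# rebranded OEM firmware tree really differs from the base manufacturer build.
# Trees are dicts of path -> file bytes, standing in for two unpacked firmware
# root filesystems; the sample contents below are constructed, not real.
import re
from typing import Dict, List
# Brand strings a rebrand typically swaps; any other byte difference is a real change.
BRAND_WORDS = re.compile(rb"hikvision|3xlogic", re.IGNORECASE)
def _normalise(data: bytes) -> bytes:
    """Collapse brand names so a pure rebrand compares equal to the original."""
    return BRAND_WORDS.sub(b"BRAND", data)
def classify_tree(base: Dict[str, bytes], oem: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Bucket every path as identical, rebrand_only, modified, added or removed."""
    out: Dict[str, List[str]] = {
        k: [] for k in ("identical", "rebrand_only", "modified", "added", "removed")}
    for path in sorted(set(base) | set(oem)):
        if path not in oem:
            out["removed"].append(path)
        elif path not in base:
            out["added"].append(path)          # partner software running alongside
        elif base[path] == oem[path]:
            out["identical"].append(path)
        elif _normalise(base[path]) == _normalise(oem[path]):
            out["rebrand_only"].append(path)   # only the vendor string changed
        else:
            out["modified"].append(path)       # genuine functional change
    return out
def unchanged_fraction(report: Dict[str, List[str]]) -> float:
    """Share of the base build's files that survive byte-identical or rebrand-only."""
    base_total = sum(len(report[k]) for k in ("identical", "rebrand_only", "modified", "removed"))
    kept = len(report["identical"]) + len(report["rebrand_only"])
    return kept / base_total if base_total else 0.0
BASE_FW = {  # constructed stand-in for the manufacturer's build
    "bin/busybox": b"\x7fELF busybox",
    "bin/webd": b"\x7fELF Hikvision Web Server 1.0",
    "etc/onvif.conf": b"vendor=Hikvision\nport=80\n",
    "www/index.html": b"<title>Hikvision</title>",
}
OEM_FW = dict(BASE_FW)  # constructed stand-in for the rebranded build
OEM_FW["bin/webd"] = b"\x7fELF 3xLogic Web Server 1.0"      # same binary, brand swapped
OEM_FW["www/index.html"] = b"<title>3xLogic</title>"
OEM_FW["etc/onvif.conf"] = b"vendor=3xLogic\nport=8080\n"   # a real configuration change
OEM_FW["opt/3xlogic/camsrv"] = b"\x7fELF partner app"       # separate app, deletable
if __name__ == "__main__":
    report = classify_tree(BASE_FW, OEM_FW)
    print(report, f"unchanged or rebrand-only: {unchanged_fraction(report):.0%}")
```

On a real pair of images the same buckets tell you whether the "custom firmware" is a separate application plus cosmetic edits, or whether core binaries were actually replaced.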
From what I can tell (they really don't give away much on their website) Stanley do offer NDAA Compliant solutions (Federal Government Solutions | STANLEY Security) however I cannot find anything to indicate that Sonitrol has NDAA compliant products.