China Sees NatSec Threat in Intel PIII Serial Number

Cryptome DVDs. Donate $25 for two DVDs of the Cryptome collection of 47,000 files from June 1996 to January 2009 (~6.9 GB). Click Paypal or mail check/MO made out to John Young, 251 West 89th Street, New York, NY 10024. The collection includes all files of cryptome.org, cryptome.info, jya.com, cartome.org, eyeball-series.org and iraq-kill-maim.org, and 23,100 (updated) pages of counter-intelligence dossiers declassified by the US Army Information and Security Command, dating from 1945 to 1985.The DVDs will be sent anywhere worldwide without extra cost.

2 July 1999. Thanks to John Gilmore.

From: Guangming Daily newspaper, Wednesday, June 30, 1999

Translation by (and thanks to): Anonymous

Ministry of Information Industry (MII) Advises Government Agencies on Prudent Use of PIII

Follow-up Report on Hidden Perils in Pentium III and Win98

by Our Staff Reporter Yang Gu

Our report on the hidden security perils in Pentium III of Intel and Win98 of Microsoft has evoked strong reaction from all sides. The leaders of the information centers of a number of Ministries and Commissions have written to MII, in the hope of getting its advice and guidance. Heads of competent departments of MII have convened emergency meetings of domestic PC manufacturers and information centers of some Ministries and Commissions, at which they listened to opinions aired by all sides and discussed relevant policies and measures. Upon widely soliciting views and getting extensive information, MII will prepare a report on enhancing security management for electronic information products.

Administration: PIII sold to government agencies cannot be connected directly to Internet

In an interview with our staff reporter, the head of the competent departments of MII said that as the administration, we strongly believe that national interests are of overarching importance. We must first of all be responsible for the security of the information systems of government agencies at all levels, and place high emphasis on the security dimensions of all kinds of electronic information products (including hardware and software) and the system itself. We have conducted serious research and thus acquired a thorough knowledge of hidden security perils in PIII chips, Win98 as well as servers produced by different companies. We have also learnt about the response of the media and American end users toward Processor Serial Number (PSN) of PIII, including the fact that the U.S. Government is yet to use PIII on a massive scale. We are of the view that domestic PC manufacturers must turn off PSN, that such products sold in China must pass the necessary testing and that PIII machines sold to government agencies should not be directly connected to Internet. Government agencies at all levels, including those in such critical sectors as telecommunications, banking, finance and taxation, and the military must first and foremost turn off PSN when they buy PIII machines. Even then, computers of this nature should only be used either in a stand-alone way or on Intranet, and must never be used for direct Internet connection with the OA network of government agencies.

We have briefed altogether 13 domestic PC manufacturers on the latest developments and made clear our views. The domestic PC manufacturers indicated that since the bombing of the Chinese embassy in Yugoslavia by the U.S.-headed NATO, they have come to know more clearly the hegemonic ambitions of the United States. They now feel that safeguarding state sovereignty and security is the number one priority. The commercial interests of enterprises are insignificant as compared with national interests. They were unanimous in fully supporting the decisions made by the administration.

These domestic PC manufacturers also indicated that the most reliable way to safeguard information security is to use our own products. If we have to use imported products, a high degree of prudence and vigilance should be exercised, rigorous testing conducted, and all the necessary safeguard measures introduced. These enterprises also provided some information on hidden security perils in some imported IT products.

Intel Is Yet to Fully Answer Our Inquiry

On 27 May, Intel responded to inquiry about PIII PSN at the request of MII.

The importance of the Chinese market to Intel cannot be over-exaggerated. Suppose the annual sales in China is 3 million processors, Intel would reap an annual turnover of about 3 billion RMB yuan. If PIII comes across difficulty in China, the company's sales of 3 billion RMB yuan will be affected. Previously, in order to respond to our staff reporters' questions, Intel has used the service of such heavyweight figures as the President of Intel China and global marketing manager for PIII. This time around, in order to better explain to MII, Intel sent in a more powerful team, including a Vice President from the headquarters who is also President of Intel Greater China and two Directors responsible for security matters.

The leaders of the competent departments of MII expressed the view that as the IT administration of the Chinese Government, MII must see to it that the IT products manufactured and sold within the territory of China not threaten national security. At the same time, it must protect the legitimate rights and interests of the large numbers of ordinary Chinese users against violations. It hoped that Intel could provide a serious and credible explanation regarding PIII issues.

Intel briefed on the purpose and role of PSN for PIII.

According to Intel, putting an identification mark on each computer using PIII can help enhance the security and manageability of the system as well as manageability of information. It can also serve to improve functions in authentication, access and tracking, thus enabling enterprises to have a better knowledge of its resources available. Intel talked from a technical perspective about the ways to set up, turn off or access PSN, and explained that PSN is but a number, and that PSN can be accessed only when software is run locally. End users can control this function by opting for or against it. PSN will not result in the access or loss of data on the hard disc or memory. Nor will PSN per se cause security risks. Intel also confirmed that it had not helped any organization or agency in adding any other device on PIII, which might also undermine the security of end users. The two sides conducted in-depth discussions on the relevant issues. However, Intel has not fully answered all the questions posed by MII.

Representatives of Users from Various Ministries and Commissions: Set up a Security Testing Mechanism for IT Products As Soon As Possible

At the MII-sponsored workshop on the security aspects of information products such as PIII, heads of the information centers of 14 state Ministries and Commissions expressed their concerns and suggestions. They believed that security is of utmost importance for IT products and that imported products naturally have hidden security perils. Core products such as mainframe, server, processor and firewall must all be subject to special security testing. The central government should set up an agency to do the testing. Only when IT products pass such security testing can they be sold in China. Gradually an authoritative certification, appraisal and testing mechanism should take shape. For IT products such as router, firewall and network scrambler, import should be banned whenever there are domestic alternatives.

In spreading the use of information technology, our long-term goal should be to accelerate the development of national information industry through introducing, digesting, assimilating foreign products and further conducting innovation. Moreover, strong support should be given to the research and development of IT security products. We should pay attention not just to network security, but more so to the security of IT products, because the basis of network and information security lies in the security and reliability of IT hardware and software.

Up to this day, China has not yet developed its own CPU and operating system. This is an area where China needs to speed up its efforts. This should be an act of the Government and represents state will. The Central Government and the administration must attach great importance to this work and increase investment. We should vigorously advocate the use of domestic products for OA systems and wiring-government projects at all levels. Only then can we break loose from control by others. Internet and Intranet should be subject to effective security safeguards. The Central Government ought to promulgate at an early date its policies for the IT industry, for government procurement, and for application and equipment.