[HN Gopher] Huawei could have wiretapped KPN
___________________________________________________________________
Huawei could have wiretapped KPN
Author : miohtama
Score : 131 points
Date : 2021-04-18 20:33 UTC (2 hours ago)
(HTM) web link (nltimes.nl)
(TXT) w3m dump (nltimes.nl)
| encryptluks2 wrote:
| I could have hacked the electric grid. Just cause someone could
| have done something doesn't mean that they did. This is pandering
| to political bias.
| contravariant wrote:
| Depending on what you mean by 'hacked' that's still newsworthy.
|
| In this article 'wiretapped' means that they had uncontrolled
| and unlimited access to all conversations. The problem isn't so
| much that it could have happened but that it might have
| happened.
| 1cvmask wrote:
| Every potential access or potential hack is newsworthy then.
| That's about a million articles a day then. Which would mean
| it is not newsworthy then. Everything is a potential this or
| potential that by the reasoning.
| losvedir wrote:
| You have to assume the network can eavesdrop. Just goes to show
| the importance of end-to-end encryption.
| jand wrote:
| This article contains no new revelations on top of previous
| articles:
|
| "Huawei says it never acted inappropriately by abusing its
| position in the Netherlands. KPN says in a response that it has
| no indications that lines were tapped or that customer data was
| stolen."
| slver wrote:
| - Yesterday: Huawei eavesdropped on a foreign telecom!
|
| - Today: Huawei could have eavesdropped on a foreign telecom.
|
| - Tomorrow: Huawei didn't eavesdrop on a foreign telecom. Imagine
| if they did though. Chills.
|
| I'm so over this.
| [deleted]
| christkv wrote:
| I'm more worried about Europe letting the Chinese government buy
| into crucial infrastructure
| https://www.google.com/amp/s/energy.economictimes.indiatimes...
|
| How is this even sensible and there is no way the Chinese
| government will ever let a non Chinese firm control their
| infrastructure so why is this not stopped. What politicians are
| making money on this?
| edhelas wrote:
| Why do we need Chinese technologies in Europe again?
| de6u99er wrote:
| I'd like to remind everybody of the Snowden revelations.
|
| Maybe the real issue is, that US intelligence agencies are not
| able to force Huawei to add backdoors into their equipment.
| justicezyx wrote:
| In China's South Song dynasty, a military leader by the name Yue
| Fei [1], was sentenced to death by his political enemy
| Qin Hui [2] on false accusations.
|
| What made this event particularly memorable, in addition to the
| fact that Yue Fei was considered a patriot; was that Qin Hui had
| blatantly responded to questions of how can you prove your
| accusations?
|
| Qin Hui's reply: Yue Fei, when given the right power, probably
| would commit those wrongdoings.
|
| This is called Mo Xu You [3].
|
| You know why Chinese are not as angry as an American could be on
| Huawei's situations? Because everyone understands this is a
| political conflict. For this type of conflicts, only true power
| and strength can get any answer. Talking is not only futile, it's
| countereffective.
|
| [1] https://en.m.wikipedia.org/wiki/Yue_Fei
|
| [2] https://en.m.wikipedia.org/wiki/Qin_Hui
|
| [3] https://zh.m.wikipedia.org/wiki/%E8%8E%AB%E9%A0%88%E6%9C%89
| ajross wrote:
| The spin on this situation is dumb. What it amounts to is that
| KPN hired Huawei on a contract basis to administer its equipment,
| and as a result those contract administrators had...
| administrator privileges on the Huawei equipment. Now, obviously
| telco equipment can be used for spying, but there's absolutely no
| allegation of wrongdoing here at all.
|
| If there is any finger to point, it's at KPN for hiring an
| untrusted contractor and giving them sensitive access.
| varispeed wrote:
| Your comment sounds kind of like victim blaming.
| geofft wrote:
| If there was no actual spying, then there's no victim.
|
| If someone gets pickpocketed on the subway, saying "You
| should have protected yourself better" is victim blaming,
| sure. But if someone doesn't get pickpocketed and then points
| out how there was a _foreigner_ sitting right next to them
| who could, theoretically, have pickpocketed them, should they
| have chosen, and while the foreigner didn't pickpocket them
| this time, you know how those foreigners are... then "Why
| didn't you just get up and sit somewhere else if he bothered
| you" is a particularly polite form of what you perhaps ought
| to tell them.
| ipaddr wrote:
| Why would you think a foreigner would pick pocket? Pick
| pockets are locals to an area. People who don't know the
| area are not the best people to take advantage of a group
| that does.
|
| To your point. If you tried to commit a murder and failed
| you would still have a victim and a crime.
| Gys wrote:
| > for hiring an untrusted contractor
|
| So you agree Huawei cannot be trusted. I think that is the
| whole point of the discussion.
| simion314 wrote:
| Not OP, but most probably this is just part of the anti-China
| propaganda, I think it started with the false accusations
| from Bloomberg... so I expect that any Huawei related news is
| false until some actual evidence is presented to the police
| or something.
| hn8788 wrote:
| Huawei doesn't really deserve the benefit of the doubt, a
| lot of their early success was due to hacking Cisco and
| Nortel then building competing products based on stolen
| information, all while the Chinese government was
| restricting non-Chinese telecom vendors from operating in
| the country.
| simion314 wrote:
| I personally don't like to be manipulated by media. So
| for this case I am just saying be aware not to be a
| tool/pawn in some big player's game, I suggest you either
| do more digging, wait for some real evidence - but
| downvote if the mention of the Bloomberg fake article or
| innocent until proven guilty is something wrong that
| needs to be hidden.
| geofft wrote:
| You shouldn't trust _any_ provider under the jurisdiction of
| an anti-liberty nation-state:
| https://en.wikipedia.org/wiki/Room_641A
|
| Not sure why Huawei is unique here.
| kube-system wrote:
| The US and the Netherlands are both allied members of NATO.
| That's why Huawei is a different story.
| geofft wrote:
| Are you saying it's worse for China to (be granted
| sufficient access by the Netherlands that, in theory, if
| they wished to abuse that access, they could) spy on
| communications in the Netherlands than for the US to spy
| on communications in the US?
| ipaddr wrote:
| From a NATO point of view yes. China spying on the
| Netherlands would be worse than the US spying on itself.
| arss wrote:
| Even if they are at fault for not doing their due diligence
| that doesn't remove the fault of someone spying
| jsiepkes wrote:
| > Now, obviously telco equipment can be used for spying, but
| there's absolutely no allegation of wrongdoing here at all.
|
| That's incorrect. The report made by Capgemini stated that
| there were clear boundaries as to what Huawei was allowed to
| access but they violated those boundaries. Apparently also a
| list of numbers under surveillance by Dutch intelligence was
| found in possession of Huawei. Which was clearly well beyond
| those boundaries.
|
| Just like a sysadmin can read the mail of the boss doesn't mean
| you're allowed to.
| boomboomsubban wrote:
| Though I can't read the actual report, this article does not
| support your claims.
|
| >Apparently also a list of numbers under surveillance by
| Dutch intelligence was found in possession of Huawei. Which
| was clearly well beyond those boundaries
|
| Wouldn't the ones running the network need to know which
| numbers were under surveillance to provide the intelligence
| agency access?
| AlphaSite wrote:
| It could be done at arm's length through an API. Then it
| would become an issue of reading data they shouldn't be.
| Joker_vD wrote:
| Unless people inventing such API thought that the
| domestic telco equipment will be operated by foreign
| companies. And I somehow suspect they've thought exactly
| the opposite: that they can rely on domestic providers be
| domestic firms, easily supervised by the domestic law
| enforcement agencies.
| hansjorg wrote:
| Could also be possession of database with intent to
| select.
| Ironlink wrote:
| The article says:
|
| > The company gained unauthorized access to the heart of
| the mobile network from China.
|
| ... but then, in the very next sentence:
|
| > How often that happened is not clear because it was not
| recorded anywhere.
|
| This wording is a bit unclear. The first sentence states as
| a matter of fact that there was unauthorized access, while
| the second states that there are no records.
| hn8788 wrote:
| It might mean not officially recorded anywhere, like an
| intelligence agency gave them a heads up about it, but
| the network admins at the company didn't see anything
| with their monitoring software.
| toyg wrote:
| Or the admins saw it once and then revoked privileges -
| you know it happened _at least once_ and probably more,
| but you don't know _how many more_.
| namenotrequired wrote:
| I read it as meaning they _had_ access (i.e. they _could_
| access it), but we don't know if they _did_ access it.
| inopinatus wrote:
| You'd be better advised to read it as: journalists have
| no idea what they're describing, and mash together words
| without nuanced regard to what the facts may be.
|
| c.f. the Murray Gell-Mann Amnesia Effect.
| emodendroket wrote:
| I feel we need to read all these stories with a skeptical eye
| because, frankly, Huawei's become a political football, and
| there is a very strong motivation to cast events in the most
| unfavorable light possible by officials who are working
| backwards from the conclusion. Perhaps they do have some kind
| of spying master plan but I have found a lot of the fanfare for
| these stories hasn't held up to scrutiny.
| ncann wrote:
| This is something that irks me as well. Every time Huawei is
| mentioned in a conversation, the topic of spying is
| inevitably brought up, but as far as I know there has been no
| concrete case found that they did indeed do any kind of
| spying act through their equipment. If someone can actually
| link me something that can prove this claim I would be very
| interested to read it.
| pydry wrote:
| Reminds me a bit of the Bloomberg saga also, where
| theoretical compromises were somehow "confused" for real ones
| when a journalist talked to a spook:
| https://9to5mac.com/2021/02/15/bloomberg-spy-chip-2/
| kube-system wrote:
| > Now, obviously telco equipment can be used for spying, but
| there's absolutely no allegation of wrongdoing here at all.
|
| Of course. But, security posture is an important thing to
| consider. This may be an obvious thing to many people on this
| forum, but it is not obvious to much of the general public.
| the-dude wrote:
| Original title : _Huawei was able to eavesdrop on Dutch mobile
| network KPN: Report_
|
| Dupe : https://news.ycombinator.com/item?id=26842733 ( 65
| comments )
| angio wrote:
| Also discussed indirectly here
| https://news.ycombinator.com/item?id=26843068 (235 comments)
| the-dude wrote:
| Yes, I believe that submission was triggered by the submission I
| linked to.
| roenxi wrote:
| I dunno how newsworthy the "Huawei" part of this is. The options
| seem to be go with a local provider or accept some level of risk
| of exfiltrated data. For example, nobody is pretending that Cisco
| is trustworthy.
|
| I'm sure the Chinese spies made off with some stuff that they
| shouldn't have because they'd be stupid not to - but if anything
| this sounds so brazen that I assume the access was mostly for
| routine tech support. KPN clearly needs some help with their IT.
| slver wrote:
| > I dunno how newsworthy the "Huawei" part of this is.
|
| Actually, it's very fashionable to suspect Huawei of whatever,
| and ban them from doing whatever.
| kube-system wrote:
| Everything has risk, but that doesn't mean that all risk is
| equal. There are a lot of things to consider when evaluating
| the risk of any vendor, even domestic vendors.
| 1cvmask wrote:
| < KPN says in a response that it has no indications that lines
| were tapped or that customer data was stolen.
|
| So there is no story, but a potential story on a potential (fill
| in the blanks)
|
| < The Capgemini report stated that Huawei staff, both from within
| KPN buildings and from China, could eavesdrop on unauthorized,
| uncontrolled, and unlimited KPN mobile numbers. The company
| gained unauthorized access to the heart of the mobile network
| from China. How often that happened is not clear because it was
| not recorded anywhere.
|
| So you outsourced some services as many companies do and failed
| to keep tabs on it, just like many companies do.
|
| Forgetting to audit outsourced work is extremely prevalent.
|
| < Based on the Capgemini report, KPN decided to refrain from
| outsourcing the full maintenance of the mobile core network. To
| this day, the telecom company maintains its mobile core network
| itself, with the help of Western suppliers. To tackle the risks
| in the systems of the network, KPN said it was implementing an
| improvement plan.
|
| A report by Capgemini, a leading Western supplier for outsourced
| personnel to telecommunications companies. No conflict of interest
| there.
| jryle70 wrote:
| We have another thread actively discussing potential issues with
| Google's FLoC [0], which is only a proposal at this time, no
| harm done yet. Do you think Huawei/China is less of a potential
| threat than Google? If not why do you think there is no story
| here?
|
| [0] https://news.ycombinator.com/item?id=26854073
| MrsPeaches wrote:
| > A report by Capgemini, a leading Western supplier for
| outsourced personnel to telecommunications companies. No
| conflict of interest there.
|
| Way to bury the lede! [1]
|
| [1] https://en.wikipedia.org/wiki/Capgemini
| ruskimir wrote:
| Oh man, the 50 cent army is out in force.
| lucb1e wrote:
| > So there is no story, but a potential story on a potential
|
| For what it's worth, GDPR fines have been handed out for
| missing access restrictions, e.g. for sensitive data not having
| or checking audit logging and applying 2FA. Though I do agree
| it makes for a more lousy news story than if it had happened.
| [deleted]
| londons_explore wrote:
| I "could have" wiretapped KPN when I worked in the networks
| department.
|
| Without any evidence that any wiretaps actually occurred, I'm
| afraid this is just fearmongering...
| treve wrote:
| For a potential security breach at this level, if access was
| possible, and no records exist if it happened, you operate
| under the assumption there was a breach.
| f430 wrote:
| can't wait to see how Huawei apologists will spin this one off
| severino wrote:
| This looks like western propaganda to make us think that it's
| better to just keep the US wiretapping our networks, as always.
| game_the0ry wrote:
| American, here. Given that there is no hard proof that Huawei
| actually spies on their customers and that Huawei critics use the
| same talking points in the media to criticize Huawei and China, I
| am starting to believe that this is not about China as a threat.
| That they _could_ be a threat is not the same as being a
| threat.
|
| Rather, Western leaders no longer have the willingness or belief
| that we can compete in tech with China (on the contrary, we can
| and should), so they've given up and threw a tantrum, screaming
| '_no fair no fair, they steal our IP_', which is predictable,
| given that Western corporate leaders have outsourced all
| manufacturing to China...dumb.
|
| There are real issues to criticize with China, and Huawei is not
| the worst one.
| someonehere wrote:
| Do you even know how businesses are supposed to operate in
| China if they're from the outside? My understanding from a
| security friend is there are all these hurdles and the Chinese
| government wants access to networks and source code for
| anything that's operating within the country.
|
| Also, there have been plenty of stories on HN where American
| businesses are ripped off by China knockoffs and there's no way
| to really sue them or stop them in court. China has its claws
| in everything.
|
| Everything that's based out of China should be considered an
| entity working for the government. Even Huawei.
| ethbr0 wrote:
| You also described America, circa-1800s.
| tpmx wrote:
| We're living now, not in the 1800s. That may be
| historically interesting, but not that much interesting
| beyond that. It's not about who's "good" and who's "evil",
| now or then.
| nafizh wrote:
| This kind of ignorance about the CCP machine and its
| surreptitious control over any and every company from China has
| led to the current situation where China is committing a
| genocide out in front of the world without any consequence. For
| starter, I would suggest reading the book 'The Party'.
| m00x wrote:
| Because you hire someone, it gives them the right to steal your
| IP? What?
| retox wrote:
| Isn't the problem that if you are competitive with China they
| will steal the designs anyway, and potentially use any saved
| research capital to make improvements? You'll always be at a
| disadvantage if you're paying for your own competitor's
| R&D.
|
| I do agree that manufacturing should come back on-shore to
| close that gap at least.
| themodelplumber wrote:
| I agree; at the very least it'd be nice to see less fear-
| mongering.
|
| Especially with modern, acculturated tech, the democratic world
| ought to be doing acrobatic flips and twists off each and every
| "where'd Jack Ma go" springboard news event that comes out of
| modern China. Those are leverage points, they are the dragon's
| missing armor plates.
|
| Tech comparison alone though...if you make it out to be a
| logistics-only game, as many in government do, then I can see
| why things would get depressing fast. Tech & culture
| integration is a huge accomplishment of the modern world and we
| ought to leverage it, even in the service of shoring up or
| solving logistics issues.
| kube-system wrote:
| I agree that Huawei is not the worst issue to criticize China
| on.
|
| But, you don't need "proof" of a spying to recognize that it's
| high risk to put someone in a high-trust role if they are
| beholden to competing interests. The competing interests
| themselves are enough to establish the existence of risk.
|
| You're right that many people who outsourced to China
| previously wrote off all these risks as unimportant and later
| cried foul when their IP was stolen... this discussion is 20
| years too late, and people still think the evidence isn't
| strong enough.
|
| If you think that Chinese companies stealing your widget design
| is bad, wait until they put sanctions on your country's
| critical infrastructure's IT vendors. I'm sure Taiwan isn't
| waiting around for any "proof" of Chinese spying. When the
| proof comes it'll be too late.
| zozin wrote:
| Yes, it's all just a big conspiracy at the highest levels, lol.
|
| What really happened is that western countries and corporations
| didn't care _enough_ about China because China wasn't that
| powerful/influential. Now that China is powerful/influential,
| the era of just signing on the dotted line or not pushing back
| is over.
|
| Banning Huawei _is_ competing. See Lotte Mart's fate in China.
| the-dude wrote:
| _NSA tapped German Chancellery for decades, WikiLeaks claims_ :
| https://www.theguardian.com/us-news/2015/jul/08/nsa-tapped-g...
|
| Supposedly, that did actually happen.
| DaiPlusPlus wrote:
| Everyone spies on everyone[1][2][3] - that's why everyone's
| government buildings all have their own secure-rooms. The
| diplomatic thing is to not go-public about one's allies doing
| it unless you have a reason to embarrass them for something
| else.
|
| [1] https://www.cnn.com/2015/06/25/opinions/france-spy-claims
|
| [2] https://www.politico.com/story/2013/10/marco-rubio-nsa-spyin...
|
| [3] https://www.usnews.com/news/best-countries/articles/2018-10-...
| jollybean wrote:
| It did happen.
|
| But it's not really news that spy agencies spy. Although maybe
| a little bit that NSA was spying on Germans, but that's
| probably not really news either, even for the Germans.
|
| But if a private corp. doing contract work for another entity
| spies - and when the ownership of that corp is tied to the
| government - that's news.
|
| The question marks as to whether this was merely 'Huawei as
| admins have access' or 'Huawei has access and abused it' ... is
| the highly relevant issue that needs to be fully sorted out.
| nyolfen wrote:
| i would suggest that german telecoms not contract their mobile
| network deployment and management to nsa, then
| Cacti wrote:
| Whataboutism at its finest.
| aritmo wrote:
| This is getting silly. Huawei is the most prominent Chinese
| company and because of the economic war, you get such speculative
| articles.
|
| And a few days ago, Cisco was found to have a bug in their
| routers for small businesses that led to remote code execution.
| https://portswigger.net/daily-swig/cisco-router-flaws-left-s...
___________________________________________________________________
(page generated 2021-04-18 23:00 UTC)