[HN Gopher] Huawei could have wiretapped KPN
___________________________________________________________________
Author : miohtama
Score : 131 points
Date : 2021-04-18 20:33 UTC (2 hours ago)
(HTM) web link (nltimes.nl)
| encryptluks2 wrote:
| I could have hacked the electric grid. Just cause someone could have done something doesn't mean that they did. This is pandering to political bias.
| contravariant wrote:
| Depending on what you mean by 'hacked' that's still newsworthy.
|
| In this article 'wiretapped' means that they had uncontrolled and unlimited access to all conversations. The problem isn't so much that it could have happened but that it might have happened.
| 1cvmask wrote:
| Every potential access or potential hack is newsworthy then. That's about a million articles a day then. Which would mean it is not newsworthy then. Everything is a potential this or potential that by the reasoning.
| losvedir wrote:
| You have to assume the network can eavesdrop. Just goes to show the importance of end-to-end encryption.
| jand wrote:
| This article contains no new revelations on top of previous articles:
|
| "Huawei's says it never acted inappropriately by abusing its position in the Netherlands. KPN says in a response that it has no indications that lines were tapped or that customer data was stolen."
| slver wrote:
| - Yesterday: Huawei eavesdropped on a foreign telecom!
|
| - Today: Huawei could have eavesdropped on a foreign telecom.
|
| - Tomorrow: Huawei didn't eavesdrop on a foreign telecom. Imagine if they did though. Chills.
|
| I'm so over this.
| [deleted]
| christkv wrote:
| I'm more worried about Europe letting the Chinese government buy into crucial infrastructure
| https://www.google.com/amp/s/energy.economictimes.indiatimes...
|
| How is this even sensible and there is no way the Chinese government will ever let a non-Chinese firm control their infrastructure so why is this not stopped. What politicians are making money on this?
| edhelas wrote:
| Why do we need Chinese technologies in Europe again?
| de6u99er wrote:
| I'd like to remind everybody of the Snowden revelations.
|
| Maybe the real issue is, that US intelligence agencies are not able to force Huawei to add backdoors into their equipment.
| justicezyx wrote:
| In China's South Song dynasty, a military leader by the name Yue Fei (Yue Fei) [1], was sentenced to death by his political enemy Qin Hui (Qin Kuai) [2] on false accusations.
|
| What made this event particularly memorable, in addition to the fact that Yue Fei was considered a patriot; was that Qin Hui had blatantly responded to questions of how can you prove your accusations?
|
| Qin Hui's reply: Yue Fei, when given the right power, probably would commit those wrongdoings.
|
| This is called Mo Xu You [3].
|
| You know why Chinese are not as angry as an American could be on Huawei's situations? Because everyone understands this is a political conflict. For this type of conflicts, only true power and strength can get any answer. Talking is not only futile, it's countereffective.
|
| [1] https://en.m.wikipedia.org/wiki/Yue_Fei
|
| [2] https://en.m.wikipedia.org/wiki/Qin_Hui
|
| [3] https://zh.m.wikipedia.org/wiki/%E8%8E%AB%E9%A0%88%E6%9C%89
| ajross wrote:
| The spin on this situation is dumb. What it amounts to is that KPN hired Huawei on a contract basis to administer its equipment, and as a result those contract administrators had... administrator privileges on the Huawei equipment. Now, obviously telco equipment can be used for spying, but there's absolutely no allegation of wrongdoing here at all.
|
| If there is any finger to point, it's at KPN for hiring an untrusted contractor and giving them sensitive access.
| varispeed wrote:
| Your comment sounds kind of like victim blaming.
| geofft wrote:
| If there was no actual spying, then there's no victim.
|
| If someone gets pickpocketed on the subway, saying "You should have protected yourself better" is victim blaming, sure. But if someone doesn't get pickpocketed and then points out how there was a _foreigner_ sitting right next to them who could, theoretically, have pickpocketed them, should they have chosen, and while the foreigner didn't pickpocket them this time, you know how those foreigners are... then "Why didn't you just get up and sit somewhere else if he bothered you" is a particularly polite form of what you perhaps ought to tell them.
| ipaddr wrote:
| Why would you think a foreigner would pick pocket? Pick pockets are locals to an area. People who don't know the area are not the best people to take advantage of a group that does.
|
| To your point. If you tried to commit a murder and failed you would still have a victim and a crime.
| Gys wrote:
| > for hiring an untrusted contractor
|
| So you agree Huawei cannot be trusted. I think that is the whole point of the discussion.
| simion314 wrote:
| Not OP, but most probably this is just part of the anti-China propaganda, I think it started with the false accusations from Bloomberg... so I expect that any Huawei related news is false until some actual evidence is presented to the police or something.
| hn8788 wrote:
| Huawei doesn't really deserve the benefit of the doubt, a lot of their early success was due to hacking Cisco and Nortel then building competing products based on stolen information, all while the Chinese government was restricting non-Chinese telecom vendors from operating in the country.
| simion314 wrote:
| I personally don't like to be manipulated by media.
| So for this case I am just saying be aware not to be a tool/pawn in some big player's game, I suggest you either do more digging, wait for some real evidence - but downvote if the mention of the Bloomberg fake article or innocent until proven guilty is something wrong that needs to be hidden.
| geofft wrote:
| You shouldn't trust _any_ provider under the jurisdiction of an anti-liberty nation-state: https://en.wikipedia.org/wiki/Room_641A
|
| Not sure why Huawei is unique here.
| kube-system wrote:
| The US and the Netherlands are both allied members of NATO. That's why Huawei is a different story.
| geofft wrote:
| Are you saying it's worse for China to (be granted sufficient access by the Netherlands that, in theory, if they wished to abuse that access, they could) spy on communications in the Netherlands than for the US to spy on communications in the US?
| ipaddr wrote:
| From a NATO point of view yes. China spying on the Netherlands would be worse than the US spying on itself.
| arss wrote:
| Even if they are at fault for not doing their due diligence that doesn't remove the fault of someone spying
| jsiepkes wrote:
| > Now, obviously telco equipment can be used for spying, but there's absolutely no allegation of wrongdoing here at all.
|
| That's incorrect. The report made by Capgemini stated that there were clear boundaries as to what Huawei was allowed to access but they violated those boundaries. Apparently also a list of numbers under surveillance by Dutch intelligence was found in possession of Huawei. Which was clearly well beyond those boundaries.
|
| Just like a sysadmin can read the mail of the boss doesn't mean you're allowed to.
| boomboomsubban wrote:
| Though I can't read the actual report, this article does not support your claims.
|
| >Apparently also a list of numbers under surveillance by Dutch intelligence was found in possession of Huawei.
| Which was clearly well beyond those boundaries
|
| Wouldn't the ones running the network need to know which numbers were under surveillance to provide the intelligence agency access?
| AlphaSite wrote:
| It could be done at arms length through an API. Then it would become an issue of reading data they shouldn't be.
| Joker_vD wrote:
| Unless people inventing such API thought that the domestic telco equipment will be operated by foreign companies. And I somehow suspect they've thought exactly the opposite: that they can rely on domestic providers be domestic firms, easily supervised by the domestic law enforcement agencies.
| hansjorg wrote:
| Could also be possession of database with intent to select.
| Ironlink wrote:
| The article says:
|
| > The company gained unauthorized access to the heart of the mobile network from China.
|
| ... but then, in the very next sentence:
|
| > How often that happened is not clear because it was not recorded anywhere.
|
| This wording is a bit unclear. The first sentence states as a matter of fact that there was unauthorized access, while the second states that there are no records.
| hn8788 wrote:
| It might mean not officially recorded anywhere, like an intelligence agency gave them a heads up about it, but the network admins at the company didn't see anything with their monitoring software.
| toyg wrote:
| Or the admins saw it once and then revoked privileges - you know it happened _at least once_ and probably more, but you don't know _how many more_.
| namenotrequired wrote:
| I read it as meaning they _had_ access (i.e. they _could_ access it), but we don't know if they _did_ access it.
| inopinatus wrote:
| You'd be better advised to read it as: journalists have no idea what they're describing, and mash together words without nuanced regard to what the facts may be.
|
| c.f. the Murray Gell-Mann Amnesia Effect.
| emodendroket wrote:
| I feel we need to read all these stories with a skeptical eye because, frankly, Huawei's become a political football, and there is a very strong motivation to cast events in the most unfavorable light possible by officials who are working backwards from the conclusion. Perhaps they do have some kind of spying master plan but I have found a lot of the fanfare for these stories hasn't held up to scrutiny.
| ncann wrote:
| This is something that irks me as well. Every time Huawei is mentioned in a conversation, the topic of spying is inevitably brought up, but as far as I know there has been no concrete case found that they did indeed do any kind of spying act through their equipment. If someone can actually link me something that can prove this claim I would be very interested to read it.
| pydry wrote:
| Reminds me a bit of the Bloomberg saga also, where theoretical compromises were somehow "confused" for real ones when a journalist talked to a spook: https://9to5mac.com/2021/02/15/bloomberg-spy-chip-2/
| kube-system wrote:
| > Now, obviously telco equipment can be used for spying, but there's absolutely no allegation of wrongdoing here at all.
|
| Of course. But, security posture is an important thing to consider. This may be an obvious thing to many people on this forum, but it is not obvious to much of the general public.
| the-dude wrote:
| Original title : _Huawei was able to eavesdrop on Dutch mobile network KPN: Report_
|
| Dupe : https://news.ycombinator.com/item?id=26842733 (65 comments)
| angio wrote:
| Also discussed indirectly here https://news.ycombinator.com/item?id=26843068 (235 comments)
| the-dude wrote:
| Yes, I believe that submission was triggered by the submission I linked to.
| roenxi wrote:
| I dunno how newsworthy the "Huawei" part of this is. The options seem to be go with a local provider or accept some level of risk of exfiltrated data.
| For example, nobody is pretending that Cisco is trustworthy.
|
| I'm sure the Chinese spies made off with some stuff that they shouldn't have because they'd be stupid not to - but if anything this sounds so brazen that I assume the access was mostly for routine tech support. KPN clearly needs some help with their IT.
| slver wrote:
| > I dunno how newsworthy the "Huawei" part of this is.
|
| Actually, it's very fashionable to suspect Huawei of whatever, and ban them from doing whatever.
| kube-system wrote:
| Everything has risk, but that doesn't mean that all risk is equal. There are a lot of things to consider when evaluating the risk of any vendor, even domestic vendors.
| 1cvmask wrote:
| < KPN says in a response that it has no indications that lines were tapped or that customer data was stolen.
|
| So there is no story, but a potential story on a potential (fill in the blanks)
|
| < The Capgemini report stated that Huawei staff, both from within KPN buildings and from China, could eavesdrop on unauthorized, uncontrolled, and unlimited KPN mobile numbers. The company gained unauthorized access to the heart of the mobile network from China. How often that happened is not clear because it was not recorded anywhere.
|
| So you outsourced some services as many companies do and failed to keep tabs on it, just like many companies do.
|
| Forgetting to audit outsourced work is extremely prevalent.
|
| < Based on the Capgemini report, KPN decided to refrain from outsourcing the full maintenance of the mobile core network. To this day, the telecom company maintains its mobile core network itself, with the help of Western suppliers. To tackle the risks in the systems of the network, KPN said it was implementing an improvement plan.
|
| A report by Capgemini, a leading Western supplier for outsourced personnel to telecommunications companies. No conflict of interest there.
| jryle70 wrote:
| We have another thread that actively discusses potential issues with Google's FloC [0], which is only a proposal at this time, no harm done yet. Do you think Huawei/China is less of a potential threat than Google? If not why do you think there is no story here?
|
| [0] https://news.ycombinator.com/item?id=26854073
| MrsPeaches wrote:
| > A report by Capgemini, a leading Western supplier for outsourced personnel to telecommunications companies. No conflict of interest there.
|
| Way to bury the lede! [1]
|
| [1] https://en.wikipedia.org/wiki/Capgemini
| ruskimir wrote:
| Oh man, the 50 cent army is out in force.
| lucb1e wrote:
| > So there is no story, but a potential story on a potential
|
| For what it's worth, GDPR fines have been handed out for missing access restrictions, e.g. for sensitive data not having or checking audit logging and applying 2FA. Though I do agree it makes for a more lousy news story than if it had happened.
| [deleted]
| londons_explore wrote:
| I "could have" wiretapped KPN when I worked in the networks department.
|
| Without any evidence that any wiretaps actually occurred, I'm afraid this is just fearmongering...
| treve wrote:
| For a potential security breach at this level, if access was possible, and no records exist if it happened, you operate under the assumption there was a breach.
| f430 wrote:
| can't wait to see how Huawei apologists will spin this one off
| severino wrote:
| This looks like western propaganda to make us think that it's better to just keep the US wiretapping our networks, as always.
| game_the0ry wrote:
| American, here. Given that there is no hard proof that Huawei actually spies on their customers and that Huawei critics use the same talking points in the media to criticize Huawei and China, I am starting to believe that this is not about China as a threat. That they _could_ be a threat is not the same as being a threat.
|
| Rather, Western leaders no longer have the willingness or belief that we can compete in tech with China (on the contrary, we can and should), so they've given up and thrown a tantrum, screaming '_no fair no fair, they steal our IP_', which is predictable, given that Western corporate leaders have outsourced all manufacturing to China...dumb.
|
| There are real issues to criticize with China, and Huawei is not the worst one.
| someonehere wrote:
| Do you even know how businesses are supposed to operate in China if they're from the outside? My understanding from a security friend is there are all these hurdles and the Chinese government wants access to networks and source code for anything that's operating within the country.
|
| Also, there have been plenty of stories on HN where American businesses are ripped off by China knockoffs and there's no way to really sue them or stop them in court. China has its claws in everything.
|
| Everything that's based out of China should be considered an entity working for the government. Even Huawei.
| ethbr0 wrote:
| You also described America, circa-1800s.
| tpmx wrote:
| We're living now, not in the 1800s. That may be historically interesting, but not that much interesting beyond that. It's not about who's "good" and who's "evil", now or then.
| nafizh wrote:
| This kind of ignorance about the CCP machine and its surreptitious control over any and every company from China has led to the current situation where China is committing a genocide out in front of the world without any consequence. For starters, I would suggest reading the book 'The Party'.
| m00x wrote:
| Because you hire someone, it gives them the right to steal your IP? What?
| retox wrote:
| Isn't the problem that if you are competitive with China they will steal the designs anyway, and potentially use any saved research capital to make improvements?
| You'll always be at a disadvantage if you're paying for your own competitor's R&D.
|
| I do agree that manufacturing should come back on-shore to close that gap at least.
| themodelplumber wrote:
| I agree; at the very least it'd be nice to see less fear-mongering.
|
| Especially with modern, acculturated tech, the democratic world ought to be doing acrobatic flips and twists off each and every "where'd Jack Ma go" springboard news event that comes out of modern China. Those are leverage points, they are the dragon's missing armor plates.
|
| Tech comparison alone though...if you make it out to be a logistics-only game, as many in government do, then I can see why things would get depressing fast. Tech & culture integration is a huge accomplishment of the modern world and we ought to leverage it, even in the service of shoring up or solving logistics issues.
| kube-system wrote:
| I agree that Huawei is not the worst issue to criticize China on.
|
| But, you don't need "proof" of spying to recognize that it's high risk to put someone in a high-trust role if they are beholden to competing interests. The competing interests themselves are enough to establish the existence of risk.
|
| You're right that many people who outsourced to China previously wrote off all these risks as unimportant and later cried foul when their IP was stolen... this discussion is 20 years too late, and people still think the evidence isn't strong enough.
|
| If you think that Chinese companies stealing your widget design is bad, wait until they put sanctions on your country's critical infrastructure's IT vendors. I'm sure Taiwan isn't waiting around for any "proof" of Chinese spying. When the proof comes it'll be too late.
| zozin wrote:
| Yes, it's all just a big conspiracy at the highest levels, lol.
|
| What really happened is that western countries and corporations didn't care _enough_ about China because China wasn't that powerful/influential. Now that China is powerful/influential, the era of just signing on the dotted line or not pushing back is over.
|
| Banning Huawei _is_ competing. See Lotte Mart's fate in China.
| the-dude wrote:
| _NSA tapped German Chancellery for decades, WikiLeaks claims_ : https://www.theguardian.com/us-news/2015/jul/08/nsa-tapped-g...
|
| Supposedly, that did actually happen.
| DaiPlusPlus wrote:
| Everyone spies on everyone[1][2][3] - that's why everyone's government buildings all have their own secure-rooms. The diplomatic thing is to not go-public about one's allies doing it unless you have a reason to embarrass them for something else.
|
| [1] https://www.cnn.com/2015/06/25/opinions/france-spy-claims
|
| [2] https://www.politico.com/story/2013/10/marco-rubio-nsa-spyin...
|
| [3] https://www.usnews.com/news/best-countries/articles/2018-10-...
| jollybean wrote:
| It did happen.
|
| But it's not really news that spy agencies spy. Although maybe a little bit that NSA was spying on Germans, but that's probably not really news either, even for the Germans.
|
| But if a private corp. doing contract work for another entity spies - and when the ownership of that corp is tied to the government - that's news.
|
| The question marks as to whether this was merely 'Huawei as admins have access' or 'Huawei has access and abused it' ... is the highly relevant issue that needs to be fully sorted out.
| nyolfen wrote:
| i would suggest that german telecoms not contract their mobile network deployment and management to nsa, then
| Cacti wrote:
| Whataboutism at its finest.
| aritmo wrote:
| This is getting silly. Huawei is the most prominent Chinese company and because of the economic war, you get such speculative articles.
|
| And a few days ago, Cisco was found to have a bug in their routers for small businesses that led to remote code execution. https://portswigger.net/daily-swig/cisco-router-flaws-left-s...
___________________________________________________________________
(page generated 2021-04-18 23:00 UTC)