5G: The outsourced elephant in the room (berthub.eu)
590 points by sam_lowry_ on April 17, 2021 | 239 comments



For background context around telecoms for anyone reading this, there is an underlying difference in how telecoms networks are designed and architected - in the Telco world, links between networks were predicated on trust. Originally, telecoms networks were run by national level quasi-government operators, one per country. You interconnected with other "known entities".

Even now, you likely have 3, 4 or 5 national mobile operators in any one country. They negotiate their own roaming agreements in order for you to get roaming access. It's all driven by these kinds of relationships predicated on trusting other networks.

In IT, we are rapidly moving towards zero trust (due to the internet), but circuit switched (legacy) voice is still all designed to be sent over private circuits between operators who trust each other.

The legacy protocols (see SS7), used to route calls between operators are functional, but also lack access control and authentication, as it's assumed only trusted parties are on the network and able to use them. Those assumptions are no longer valid, and there's a huge challenge in dealing with this - hence SMS and call interception and rerouting attacks to steal 2FA tokens etc.


The recently discussed[1][2] method of hijacking SMS with almost zero effort was an eye opener to me. I had thought it required social engineering my carrier. Nope, just a $15 service.

[1] https://news.ycombinator.com/item?id=26469738

[2] https://lucky225.medium.com/its-time-to-stop-using-sms-for-a...

[3] https://krebsonsecurity.com/2021/03/can-we-stop-pretending-s...

Edit...added [3] above. Apparently, it's a $16 service, not $15: https://sakari.io/pricing/


Indeed!

And if you have access to SS7, you can do it without the middle-man $15 service!

These systems are really designed for use in a world where only trusted actors have any access to the system! That's clearly not true with all these third parties exposing functionality to the general public!

[1] https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet...


> And if you have access to SS7, you can do it without the middle-man $15 service!

This doesn't really seem to make things any worse. Surely it's easier to have $15 than it is to have access to SS7.


Yeah, but say you want to hijack a million accounts. It's easier to have access to SS7 than $15 million.


What's the threat model there?


Installing a backdoor to a piece of equipment that handles SS7, for instance?


No, what is the threat model for the agent who wants to hijack text messages to a million random phones? Why are they doing it?


Off the top of my head:

- Major players are using phone numbers to de-dup people. Use your million phone numbers to bypass such verifications and aggregate more power than intended. You could sell the accounts directly or monetize them individually (e.g., social media like farms, turning cloud free trials into dogecoin, ...).

- Way too many services believe that if you control a phone/email you must be the account holder. Banks, 401k managers, and other critical pieces of infrastructure are more than happy to harvest your phone number for "added security" and proceed to weaken the security on your account by allowing anyone with control of that phone number to hijack the account.

- Unique phone numbers are valuable in their own right. Individual numbers have max message rates and other garbage, but with an army of phone numbers you can, e.g., send out the same scam message to most phone numbers, see who bites, and use that to build a curated list of a hopefully much smaller set of numbers to target with real people.

- If you have any extra information like a plausible contact graph you can use that to impersonate people for viral marketing or something (kind of like how the Marco Polo app texted your entire contact list without your permission). I'm pretty sure permissions are way more locked down than they were when apps used to just use your phone directly, but if you control the phone number and have that contact info then you could pull off a similar marketing trick still today.

- Just snooping on the information is probably valuable. I'm struggling to imagine how you'd monetize it directly (some kind of insider trading?), but 1M person-hours worth of intercepted texts can't be worth <=$0 I don't think.


> Banks, 401k managers, and other critical pieces of infrastructure are more than happy to harvest your phone number for "added security" and proceed to weaken the security on your account by allowing anyone with control of that phone number to hijack the account.

This is a targeted attack.

> Individual numbers have max message rates and other garbage, but with an army of phone numbers you can, e.g., send out the same scam message to most phone numbers

As I read this, it involves sending messages from random numbers, not reading messages that get sent to random numbers?

> I'm struggling to imagine how you'd monetize it directly (some kind of insider trading?), but 1M person-hours worth of intercepted texts can't be worth <=$0 I don't think.

Data can easily be worthless if it takes effort to process and doesn't produce much value. This is a common case; "if the data exists, it must be valuable" is not a particularly strong argument.

Insider trading doesn't really work, since by hypothesis you have no idea who the people are whose messages you're reading. (If you know, then you're performing a targeted attack.) There's no "inside" as far as you're concerned.


> This is a targeted attack.

Kind of. If you have a dump of email/phone combos lying around then it's just a dragnet operation against vulnerable institutions.

If you're pointing out that you said "random" phone numbers, I think it's worth mentioning that the techniques mentioned in this thread can let you target your favorite million numbers, but even just having a pool of random numbers is still valuable -- for any account you want to compromise you have a 1/10k chance of controlling the number needed. That's an annoying cost but not prohibitive even for accounts only worth pennies on average.

> As I read this, it involves sending messages from random numbers, not reading messages that get sent to random numbers?

Send and receive (since you need to know which people would respond to obvious scams). As I say that though, I don't think there's much if any benefit over the other SMS spoofing scams which just use a link as the payload.

> "if the data exists, it must be valuable" is not a particularly strong argument.

True, but that wasn't _quite_ the implied argument. People mostly view phones as private, and in 1M person hours you're likely to capture admissions of crimes, cheating, and all kinds of things. If for no other reason than pure blackmail those should have value to an adversary; the question at hand is more about how much value exists and how hard it will be to find and exploit. Private comms are qualitatively different from, e.g., the twitter firehose.

> Insider trading doesn't really work, since by hypothesis you have no idea who the people are whose messages you're reading.

I don't think that's actually a requirement. If somebody confidently asserts they're personally doing [important thing] tomorrow (as opposed to you just sniffing a text saying they think doge is going up) then that can be a strong signal that [important thing] is going to happen. Since most texts probably aren't actionable on the stock market, you probably won't get many such signals, so you can probably afford to actually look up the owners for any matches you get to double-check your hunches.

I still don't think that'd be super easy to turn a feed of texts into insider trading (some ballpark math suggests you might not get much if any actionable intelligence in a reasonable period of time even if you could sift through it), hence my lack of confidence when I proposed it, but there aren't any fundamental barriers that would prevent texts from a pool of randomly selected numbers from being indicative of stock movements.


You could become employed at the company, or break in or compromise one of the employees, to get access to the messages from valuable targets


Right, but $15 a piece makes it only worth it for targeted attacks. Even if it's harder or more expensive to get access to SS7, it might become economical to attempt MITM on a larger target base once you do.


And how to get that?


It's not a publicly facing service that's on offer, but some smaller telcos and sketchy VoIP providers with legacy access often re-sell it.

There's some good CCC talks on the subject if it's of interest.


The funny part about that is the $15 hijack service was predicated on the flimsy legal fig leaf of somebody writing in an ink signature on a piece of paper and scanning it to port a number (term is an LOA, letter of authorization), same as I have to do when I port a bunch of DIDs between voip providers.

Literally anyone with a printer and a pen can forge any signature and have a fairly high degree of success in the porting process.


SS7 is not fixable in my opinion. It needs to undergo the metaphorical equivalent of being burnt to the ground and having its ashes stomped around on a bit.

The further you go into the architecture of the "trust based" PSTN, SS7, traditional Telco stuff... The more you will see the total lack of modern cryptography, PKIs, zero trust network modeling, etc.

I'll admit that my perspective is skewed by working in backbone IP network engineering for a mid sized ISP. We occasionally have reason to interact with some pstn related stuff. All of the real technical innovation, security advances and such have been taking place in the ISP world for the past 25 years, not the Telco world.


Indeed, SS7 is based on a whole host of assumptions that just can't be relied upon. Since SS7 doesn't even bother to try to verify who anyone is (you'd only peer with trustworthy people, right?!), it's also very hard to hold anyone accountable too. And since the idea of SS7 signalling is that it can be forwarded and passed around, it simply needs to be replaced by authenticated, access-control validated signalling. Then you can at least have some confidence you're actually hearing from a network that has a reason to be communicating.

Too much of SS7 comes from a world where anyone can do anything - there's no legitimate reason in 2021 for an arbitrary network to be able to request a user's network location and cell ID, but the protocols support it. SS7 firewalls try to plug the gaps, but ultimately you just innovate in how you try to get the network to hand over what you want, and eventually you'll find a way the firewall doesn't spot. Cat and mouse continues.

Telco networks are "zero trust", just not in the right way(!)


> The more you will see the total lack of modern cryptography, PKIs..

Funny you say that as x509 was an ITU standard. But yes, PSTN is terribly broken, with mobile bolted on.


SS7 is dead except in legacy switches. IMS started rolling out in 2004(ish), and replaced most voice switching with SIP, which gradually flowed out towards customers.

Most voice installed for the last 10 years is already over IP. If it doesn't start in the CPE, then it starts at the curbside or lot where a DSLAM or equivalent generate dial tones, pack it onto IP packets and send it over a fiber connection.


Isn't the internet in the same situation, with BGP being assumed to be done between trusted parties?


The first rule of BGP is to filter what you get. Don't just blindly accept whatever the peer advertises. The second rule is obvious, but for the third there's also a lot of knobs for traffic engineering with BGP. And on top of that there's RPKI [ https://blog.cloudflare.com/rpki/ ]

I guess all of the big telcos have some homegrown ossified hacky "solution" that also serve as a minimal kind of "firewall" for SS7. (Basically I imagine that there's a lot of hardcoded rules for phone numbers, country codes and operators. Sure, they probably are an opposite of a problem for national intelligence services, after all it's easier to go by unnoticed in the noise, but they at least help with a total BGP-like hijack of a whole country code by an operator.)


Big telcos need to do SS7 filtering and (based on the interface they receive the message from) limit what can be done. The trouble is that SS7 lacks proper authentication, so it's like setting Linux iptables rules only based on the interface name - eth0, eth1 etc.

There are product-based SS7 protocol firewalls available that try to detect the "patterns" of signalling used to do "bad things", and block and report them.

Part of the problem with SS7 is that it's complex, and you can't easily restrict who says what - if you port your number from Operator A to Operator B, your number prefix still sits in A's range, and calls are signalled to Operator A. They can then tell you to try Operator B. B may then need to tell you the user is roaming and how to reach them. But yes, current firewalls leave a lot to be desired!

There's a number of good talks from CCC about SS7 - one is https://media.ccc.de/v/31c3_-_6249_-_en_-_saal_1_-_201412271...


> if you port your number from Operator A to Operator B, your number prefix still sits in A's range, and calls are signalled to Operator A. They can then tell you to try Operator B. B may then need to tell you the user is roaming and how to reach them. But yes, current firewalls leave a lot to be desired!

Not in all networks as far as I'm aware. UK is an annoying example of not having a central database of ported numbers (with ACQ), where a redirect is set up in the old network. I once ported my number in the UK and had huge issues receiving international calls or 2FA codes, it took me ages to work out and only got it sorted by leaving the number entirely and getting a new one.

Otherwise, like here in Germany, it's done with a proper database and the call never passes through the old network.


As far as I understand, there are no operators in Europe (maybe UK) anymore that don't run filtering on SS7. btw: SS7 is the legacy system and not part of 4G/5G.


They should all be running filtering, although not all filtering is as effective as each other.

As you say, this is the legacy system, but it's still a huge problem for them!


My colleagues who do intrusion testing (for operators e.g.) tell me: We have not seen SS7 attacks in Europe for a long time. The remaining attack surfaces are in the Middle East and North America.


That's promising! It's now 5 years ago, but Telenor had a fairly big outage caused by malformed SS7 inbound signalling. Not sure if there's been anything since, but it certainly was an issue relatively recently.

Hopefully with the (slow) move to 4G and IMS calling, we can turn the page on SS7 attacks soon.


I think RPKI poses a grave danger in terms of censorship. Anyone who controls the centralized database of public keys to prefixes can instantly and automatically take anyone offline, if all other routers refer to them in real-time for building route tables.


Hmm, yes, but not really.

Yes, because it's a centralized meta-control plane of/for BGP. But no, because after all IP address space is already centrally managed anyway: IANA -> RIRs (-> LIRs), but not really, because each AS decides what to do with RPKI data.

So it's much better than parsing RIPE plain text query results, and it's the correct fix for hijackings.

"Real-world censorship resistance" is not in the threat model for the current Internet at the RPKI/BGP/RIR level, but it's very much in scope for high-level protocols like DNS, TLS, HTTP (as privacy concerns).

See https://tools.ietf.org/html/rfc4593 and https://tools.ietf.org/html/rfc7132 Regular ("in-band") DoS or tampering attacks on RPKI databases and CAs (certificate authorities) are of course taken into consideration - even by nation states. Though these particular RFCs don't offer a particularly systematic and ironclad solution. (The problem is punted to users: "just use (stale data and) caches, decide for yourself what to do if the central DB is unavailable".) Likely there's some other RFCs that offer better answers with - hopefully - more operational detail.

Building a truly global efficient/high-bandwidth/low-cost "infinitely" censorship resistant Internet is (very) hard. Currently traffic passes through various networks, those "autonomous systems" have the capability to direct (and filter, eg. null route) traffic. Source routing in theory might help with working-around bad AS-es, but even detecting such AS-es seems hard theoretically. And on top of all that there's the economic aspect. (How would the network/users/operators incentivize each other to work around bad ASes?)


At transit layer to an extent yes, but with every underlying user of the connectivity considering the connection compromised, and therefore using their own measures on the untrusted link.

Hence IPsec and site to site/road warrior VPN - the underlying connectivity is regarded as untrusted by any sane user.

In telecoms, anyone on the SS7 network can make a request to find a given number, or say the number is available and can be reached by routing via their network.


Any reputable and clueful transit provider these days is performing automated RPKI validation of the prefixes announced to them. In addition to whatever prefix lists might be manually set up on a bgp session.

That's only a small piece of the puzzle in network security generally, but is sure better than how SS7 works right now.


Yes, but increasingly traffic is strongly encrypted, with users able to exert some level of control over that encryption


Most carriers already use PKI for their BGP traffic. It's not the Wild West anymore (although of course you'll always find some weak link if you backtrack AS announcements far enough)


This same approach (assume only trusted parties) is fundamental to SCADA systems (the industrial control protocols for power generation, wastewater systems, and other big industrial machinery). At best you get a firewall in front of it.


> as it's assumed only trusted parties are on the network and able to use them. Those assumptions are no longer valid

Why not refuse to peer with networks that peer/sell to bad actors? Before we had ML based email filters that kind of “hold upstreams responsible” strategy worked pretty well.


That's one approach, but some operators have SS7 connections to unknown providers. And turning off connections is a great way to discover that a whole host of services (think Twilio etc) suddenly stop working, as they were using some sketchy forgotten-about route into the network.

With third party access often "leased" via legitimate-ish providers though, it's hard to really do this without cutting countries or territories loose. Small countries often have operators that give SS7 access, to raise some extra revenue they can't get from their (small and population limited) subscriber-base.


It may be callous to say but I think most customers would be okay with the trade-off of losing telephone access to some small country that decided to monetize access to global telephony by selling to spammers and scammers, in exchange for not getting those calls.


Reminds me of how NIS used to work on LANs. Oh what fun was had in college with NFS mounted home directories...


If the trust issues cannot be fixed on hardware level or on base layer, it needs to be fixed on higher levels with more prominent and audited protocols. “IP based calls and everyone gets a free VPN from their telco”


This would solve eavesdropping, but not the problem of your friendly neighborhood stalker knowing the rough location of your cellphone at any given point in time.


My assumption is that all intelligence services in all countries would love to have access to fully compromised networks. They spend all their time thinking about how to access information, so they would be fairly incompetent not to consider this.

Does that mean that all systems are compromised? No, because there are risks associated with tapping in to these systems. Partly it depends on if they have access to the systems, but mostly on the possible blow-back if they get caught.

Example: Sweden's FRA (NSA equivalent) could in theory ask Ericsson (a Swedish company), to install a backdoor. But, Sweden has a fairly free press, and there are good chances that someone would leak this information. If it got leaked it would be a major scandal that could go as far as toppling the government and destroy one of Sweden's most important export companies. It's very risky, and it's a risk no one wants to take, so the parts made in Sweden are probably not compromised.

China, on the other hand has almost no risks associated with adding a backdoor. No free press, hard suppression of whistle blowers, and since most foreign intelligence services already assume the equipment is compromised, there is no real reputational damage either. I assume they are all compromised, why wouldn't they be?

The US is somewhere in between.

Sometimes companies are compromised by intelligence services, but much more often I think it's employees. Why try to change Tim Cook's stance on privacy, when all you need to do is find one Apple employee, willing to take a sack of money to "do their country a great service"?


> Does that mean that all systems are compromised? No, because there are risks associated with tapping in to these systems. Partly it depends on if they have access to the systems, but mostly on the possible blow-back if they get caught.

Isn’t it common knowledge that the US and China are spying on everyone? The main difference is that China is not a military ally, and its government spying, which is unfettered, supports its private enterprise that is government financed and owned. US govt spying is unfettered. US corporate spying is far more restricted because US businesses are bound by Federal and State laws, and it’s not centrally coordinated, instead US businesses are autonomous entities. And though US corporate spying on customers is rampant, it is also transparently written into usage contracts. US corporate spying is obviously for profit, and since the US and Europe are strategically tied through NATO, it’s not on the same threat level. China and its axis ally Russia, clearly bump up against the West because our political systems are fundamentally opposite, democratic vs autocratic.

What this translates to is Chinese investors are aggressively running around buying into key strategic businesses, advised by data gathering in coordination with its government, with a view to maintaining control, which reflects how the country is managed itself.

American investors are running around buying/competing against business in coordination with data rich parent company entities, with a view to making money. But because it’s a democratic country where laws preserve autonomy even against the government, it’s a free for all and anyone can play, even Chinese owned American companies. Which is a reflection of how the US is managed itself.

This is also how Europe is managed, so I do believe Chinese control of telcos is a bigger threat to Europe’s way of life.


>China and its axis ally Russia, clearly bump up against the West because our political systems are fundamentally opposite, democratic vs autocratic.

This is a speck of misapprehension that slipped in to your otherwise great writeup. Governments don't naturally conflict because they have different forms and they don't make automatic friends when they are similar. The US is presently allied with many autocracies. Middle-aged Europe was uniformly feudal, and constantly at war. Pre-WWII America was strictly isolationist and despite being a democracy had a fairly sized pro-Hitler element. Governments conflict when they have something to conflict over.


The real reason superpowers clash is that they all want to be the dominant but there's only room for one at the top. The political or economic systems are absolutely irrelevant here. All that matters is what needs to be done to stay the dominant superpower. The closer the race, the lower they're all going to sink.

US leadership fundamentally doesn't care about human rights abuses in China more than Chinese leadership cares about abuses against black people in the US. They don't care about bringing democracy in a country when their next move is to make sure "the right" leader is appointed. They don't care about freedom of speech when they can block it as needed under any pretense. And they don't care about any of the principles they advocate if those principles get in their way, they will all happily ally with someone embodying the exact thing they're fighting against if it serves their interest of maintaining or growing their power.

And getting to the point addressed above, they care about the image of the company they forced to introduce backdoors only as far as they can be punished by the bigger power, or if they can't sell it as fighting the terrorists (or scare word of the day). Case in point, Sweden and Ericsson wouldn't get away with it because their sphere of influence is a stone's throw away and the US would crucify them. China and Russia can mostly get away with it because their influence extends far enough that they have enough of a "friendly audience" for which they can sell a story. The US can get away with it everywhere else because even if Cisco is backdoored through and through, the US is the dominant superpower and is able to pressure allies to "see things" their way, and they can also sell everything as "the fight against ...".

Superpowers see advancing their interests by any means as a matter of survival and this takes precedence over anything else. They'll do what needs to be done and deal with the fallout after. And if you live long enough to move through these different regimes you start seeing the pattern immediately, only thing that changes is the "feel good" story the people are served with.


I prefer the "feel good" story of the US - ruled via democracy rather than the "feel good" story of China - ruled via an unelected communist bureaucracy. I suppose if you take a world-wide poll, most folks would agree with me.


That is definitely true, but I think there’s an effect where citizens of a democracy are less likely to be willing to go to war against another democracy. It would be easy for Americans to justify war against China, because Americans value democracy and can say “we’re liberating them from their oppressive government”. (And some segments of the Chinese population are very oppressed, so it wouldn’t be wrong.) But it seems less likely that a democratic government would oppress a majority of its population than an autocracy would, so that justification is harder to make.


> because americans value democracy and can say “we’re liberating them from their oppressive government”

Most democracies are in general against war for practical reasons, wars are a drain away from stuff at home that's important for them as people. US citizens may be "less likely" to want that but only because recent history has saturated them with the justification that the war is against regimes with "different values". It's an easy sell for people who are never too keen on going beyond that. So it would mostly be a matter of repackaging the justification. Some democracies can afford both the wars and the "moral repackaging" for their citizens.

But people also misunderstand democracy and what it means. The fact that the interests of the majority are respected might also mean that the minority is suffering a great deal. How well are black people's interests represented in the US?

On the other hand in democracy you are allowed to give a tiny endorsement to a person or party for a leadership position in the hope that they will represent your interest while others are buying "priority" over you for this representation with far more than a vote. You're not seeing this as less of a democracy so people are not judging political systems based on their actual implementation but rather by picking and choosing on particular values.

Russia is ostensibly a democracy, albeit one where the leadership is somewhat predetermined by a very small minority. USA is a democracy albeit one where the leadership is somewhat representing the interests of a very small minority. I'm sure a war between these two is not seen as such a remote possibility in terms of people's preference.


> How well are black people's interests represented in the US?

Reasonably well it would seem from the outside. 11% of congress is "black", which is roughly in line with population and there seem to be hundreds of laws and programs aimed at helping them. And there's also lots of media attention to their problems and struggles.


> Reasonably well it would seem from the outside. 11% of congress is "black", which is roughly in line with population

That picture turns to the opposite when looking at statistics of jail and prison inmates representation, or when looking at how the wealth in the country is racially divided and whole neighborhoods still racially and economically segregated.

In that context BLM is not really a new thing, it's just the most modern manifestation of a rather old and still very on-going issue [0].

[0] https://en.wikipedia.org/wiki/List_of_ethnic_riots#United_St...


I don't think that necessarily indicates that their interests aren't represented (which was the statement I objected to).

A group can have plenty of political representation and institutional and legal support and still struggle for other reasons (e.g. historic oppression or cultural problems depending on whether you lean left or right).

Though on second thought there still are a few laws with racist intent on the books aren't there? Though they're being undone at a decent clip.


> And there's also lots of media attention to their problems and struggles.

People treated well don't need lots of media attention to remind those treating them well that black lives matter, in 2021. I'd say that for a democracy that's a pretty bad track record that isn't improving fast enough. Democratic majority decisions sometimes leave the minority far behind.


> Russia is ostensibly a democracy, albeit one where the leadership is somewhat predetermined by a very small minority. USA is a democracy albeit one where the leadership is somewhat representing the interests of a very small minority.

The US electoral system may have its flaws, but to compare it to Russia is absurd.

How many opposition leaders has the US government tried to murder recently?


> but to compare it to Russia is absurd

The statement was clearly about the relationship each country has with democracy, comparing not to each other but to what democracy should be. There's value in evaluating things against what they should be, not against an arbitrarily worse thing. It's the only way to see the flaws and look to improve.


>I think there’s an effect where citizens of a democracy are less likely to be willing to go to war against another democracy.

It's difficult to disentangle that from the unpopularity of war. Since democratic regimes are harder to get to do things, because you have to convince more than one person, the null hypothesis would be that autocratic regimes have a higher propensity for belligerence, especially in societies predating the invention of propaganda.


From what I read about Nazi Germany, going into all-out war with other powers was very unpopular in 1939. Ordinary Germans supported Anschluss of Austria or Sudetenland, but did not want to risk another big war for Poland of all things.

But in a totalitarian regime, consent of the governed did not matter much. Expressions of pacifism would land you in a concentration camp really quick.

Democracies care a little more about what the average Joe thinks, even though they are far from perfect in this regard and consent can be sorta-kinda manufactured.


Democracies are less likely to fight because during diplomatic talks they can draw on their domestic values that are rules on ‘how to collaborate without giving up autonomy’. Autocratic cultures' most fundamental rule is ‘who is in charge’ and then establishing the hierarchy of where everyone else fits. So you are always more likely to end up in stalemate or conflict when an autocracy is one of the negotiating parties because of a higher likelihood they might want to force the issue that they are in charge.


And yet the US, the so called "oldest democracy", has been at war for all but a few dozen years.

The reality is that countries you call "democracies" are allies of the United States, while countries you call "dictatorships" are enemies. If a democracy is to be an enemy, the first course of action is to first make it stop being a democracy. Then if it goes your way there's nothing to be worried about, and if the chaos installs someone you don't like then you're not fighting a democracy.

The Chinese government has popular support. So were many others the US invaded or overthrew - some were even democracies. It doesn't matter, as we saw with the Iraq war any inconvenient facts will not make it into the narratives and any lies will be disseminated as needed.


> The Chinese government has popular support.

Because if you criticise the Chinese government you disappear for a few months at best. If you’re unlucky you’re never seen again.

> countries you call "democracies" are allies of the United States, while countries you call "dictatorships"

That’s an extraordinarily bold claim and I think you should have to back it up with some evidence. Which of the countries that are called dictatorships do you think are unjustly labeled as such?


> Because if you criticise the Chinese government you disappear for a few months at best. If you’re unlucky you’re never seen again.

Wasn't too long ago that being considered too far on the left in the US was a professional and social death sentence.

Nor was it too long ago that anybody who opposed illegal wars of aggression, torture, and state-sponsored assassinations, was deemed a "treacherous terrorist supporter" who might as well have flown the planes into the towers themselves, the earlier versions of that involved sending armed soldiers to violently break up peaceful student protesters à la Kent State.

Heck, "race riots" are a regular thing in the US to this day, yet somehow not considered political, nor the countless black activists that were jailed, left to live in exile, or straight up assassinated in the US [0], somehow none of that is considered "political" [1].

Add in the reality how the US has not just the biggest prison population, but also the highest incarceration rate on the planet, and it comes across as a bit tone-deaf to constantly evoke how in the "evil not US countries" people are allegedly getting vanished in droves, but never ever in the US [2].

[0] https://digitalcommons.law.yale.edu/cgi/viewcontent.cgi?arti...

[1] https://www.theguardian.com/world/2018/may/11/rakem-balogun-...

[2] https://www.businessinsider.com/more-than-80-percent-of-the-...


If foreigners looked at us the way we describe them (insert X bogeyman) and the fact that we have the world's largest concentration camp of black men ever known to mankind.... Now what would they call that.... And then we employ them as prison labor or putting out dangerous fires..... Now what we call that..... We have laws that severely criminalize things that blacks do (crack consumption in the 90s) and not really for whites (cocaine consumption)....and the list goes on and on.... we call lesser things in other countries ethnic genocide etc.... Our State Department loves wagging the finger at other countries for lesser things that we do systematically domestically like civil forfeiture on blacks... Our sanctimonious grandstanding op-eds call such things in other countries as autocratic, authoritarian, dictatorship, ethnic genocide, strongman leadership, fascism and so on.... Look forward to the downvotes for stating the obvious....


Well thank you. Yes I should learn to tighten up my comments, too many points. It’s a whole new discussion here that we could get into.


>China and its axis ally Russia, clearly bump up against the West because our political systems are fundamentally opposite, democratic vs autocratic.

Laughable considering cordial relationship between US and Vietnam. The latter's political system is basically a clone of China.



>The main difference is that China is not a military ally, and its government spying, which is unfettered, supports its private enterprise that is government financed and owned.

The main difference is that US law is exported to the rest of the world's population and Chinese law is not.

If Julian Assange leaked Chinese intelligence/war-crime-evidence he would be at home raising his kids right now.



I'm aware of a number of backdoors that have been inserted by western governments. Linus claims at one point the NSA asked him to put a backdoor into Linux. The difference is that in a free society Linus can go public and that makes it much more risky for an intelligence service to try it. It doesn't mean it doesn't happen.

The "Back doors" in AXE are a slightly different thing. Many countries have laws that say that law enforcement have the right to wiretap phone calls under some circumstances. This means that telcos want and ask for this feature so that they can comply with the law. The telcos are aware of the system's capability because they need it to be there. Anyone who reads the law can see that the telcos have to facilitate wiretapping, but they obviously don't want to advertise it, so it's an open secret.

It's quite different if you deliver a solution, with a hidden back door that the customer doesn't know about or hasn't asked for, for the benefit of the intelligence service in the country of manufacturing. Enabling a nation to wiretap illegally in countries where they do not have jurisdiction.


> The difference is that in a free society Linus can go public and that makes it much more risky for an intelligence service to try it.

How does Linus's ability to go public make it more dangerous for intelligence services?

That implies intelligence services approaching him with such an offer would put themselves in danger of consequences just for asking, when that's evidently not true: There were no consequences for the NSA for asking Linus, there were no consequences for the NSA in the vast majority of cases it was caught doing something it shouldn't do.

It's also not true that the "free society" is some binary thing: In the US National Security Letters are a very real thing, outfits affected by them are legally not allowed to publicize it. By any definition of this "free society keeps intelligence services in check" logic that should not be a thing, but it is, just like many other legal tools to suppress the free and open reporting about "national security" issues.


Every major power wants backdoors in these systems. Asking the producers to put in a back door is just one mechanism. They are also putting plants/spies in these companies as employees, bribing people, etc. And they have practically an infinite budget. It's not a matter of if but when. It's a reasonable expectation that any sufficiently large system that has been around for long periods of time has been compromised by spooks. If they aren't compromised, then every spy agency on the planet is shockingly incompetent.


It's a feature called "lawful interception". It's not a secret backdoor.


This isn't how any of this works. We're talking about ISPs & Telco networks not some data-center at FAANG.

- no need for backdoors since Huawei, Ericsson & Nokia are full to the brim with bugdoors (Huawei tops the chart here since many years already and as anyone involved in Inter-Operability-Testing (IOT) at the NEV will confirm).

- no need for "compromising networks" when you have the actual vendor (Huawei, Nokia, Ericsson often their subcontractors) sitting totally legally in your ISP's network and being paid for responding to the alarms raised and escalated by O&M.

- even the attacks against 3/4/5G become academic in the discussion of nation state threat actors when they can operate and exploit simply as an insider of the system. These weaknesses (as outrageous as they are) are useful but it's a different threat model


I don't have any non-public insight as to how intelligence agencies operate, so this is pure conjecture on my part:

If I was an intelligence agency in a country where there is a risk of blow-back, like in Europe or the US, I might prefer to use exploits. That way you haven't compromised your own country's infrastructure (as much) and the risk of leaks is much lower since you don't have to work with an outside entity. A government agency forcing a domestic company to add backdoors looks much worse if it gets out than an agency using existing bugs.

If I'm an intelligence agency in a country that doesn't care about blow-back like China or Russia, why bother finding and using an exploit, when you can call up the vendor and have them design the system with your use-case in mind? You don't have to worry about someone fixing the bug you have spent man years making exploitable, and you can make sure the backdoor can only be used by you. It's way more convenient and cost effective.


> why bother finding and using an exploit, when you can call up the vendor and have them design the system with your use-case in mind?

China is now suffering from Huawei blowback in quite a few western countries.


True. But not anywhere near as bad as in a western country. You don't see Xi Jinping being eviscerated in Chinese media, or being forced to testify in front of congress. Also telcos don't really care, and will continue to buy Huawei equipment if prices are low enough, unless governments outright ban them from doing so.

I think Huawei would have experienced almost the same blowback even if they didn't have any backdoor. Western intelligence experts would have advised against using Huawei without any evidence of backdoors, simply because they know they would have put in backdoors if they were in the position of China, and they assume the Chinese aren't incompetent.

The blow back also serves a political purpose for everyone around. Western politicians/military gets to say "We need to protect ourselves against scary China!". And China's propaganda machine gets to say "Look at the terrible racist west treating us unfairly, by accusing us of bad things without evidence!".


Nobody needs backdoors when there are quite complete legal interception features regulated into core systems. Plus everything is IP these days, so tapping a call is trivial. It just can't really be done towards outside the telco network without anyone noticing, the world isn't a hacker movie...


Google Ericsson Vodafone Greece.

And for US, google Cloud Act.


The wiretapping scandal you are referring to is known as "The Athens Affair" and has to do with infiltration of Ericsson software exchanges by experts on how the software is working. Vodafone is/was the one to blame here and it wasn't a fault of the software provided by Ericsson. More info here: https://spectrum.ieee.org/telecom/security/the-athens-affair


The CLOUD Act is a mechanism for legal authorities to compel companies to produce data they hold, even if it is stored on servers outside the US. I don't think it's fair to characterise that as a backdoor.


The US can use the front door and nobody can stop them. That's the dividend of being a superpower. It's the good old gunboat diplomacy for the 21st century. What are local potentates going to do against America?


If the Dutch would get Philips to weaken crypto devices [0], [1] then it wouldn't surprise me if the Swedes would ask the same of Ericsson [2]

[0] https://www.vpro.nl/argos/lees/onderwerpen/cryptoleaks/2020/...

[1] https://www.ceesjansen.nl/en/cryptography/

[2] https://www.tandfonline.com/doi/full/10.1080/02684527.2020.1...


After Watergate in the 1970s a huge debate broke out in the US about spying and surveillance. The compromise they reached is that non US citizens are not covered by the Constitution. I think you're giving the US and its people too much credit. Ultimately America will do whatever it must to maintain its superpower status.

Any country that is serious about cyber security needs to develop and maintain its own communication network.


Airbus to sue over US-German spying row [0]

[0] https://www.bbc.com/news/world-europe-32542140


> would love to have access to fully compromised networks

If this became known the subjects of interest would stop using those networks. Only the low level criminals would be dumb enough to get caught.


> there are risks associated with tapping in to these systems

Which is why the intelligence services never do the hacking themselves. Instead, they buy the data off the "dark web", from the hackers who stole and the information brokers who trade in it. If they have to do that, that is. In the US at least, agencies can just buy data on the open market. Supposedly "anonymized", but I'm pretty sure everyone reading this knows that protection is flimsy.


Plenty of evidence proves that intelligence services:

- Buy exploits on the market, with the US govt being the biggest buyer.

- Buy data off legitimate advertising and intelligence companies

- Hire people to find bugdoors

- Hire people to infiltrate all sorts of companies and extract information or plant bugdoors

- Convince or coerce companies to plant bugdoors in their own products

- Do the hacking themselves, plant hardware backdoors and so on

Unsurprisingly, they use all available methods.


OK, I should not have said never, but when the option is between "we could hack this but if we get caught it would be an international diplomatic incident" and "hey there's a broker over here with the data for sale", they do buy it.


"Sweden has a fairly free press"

That's so wrong it hurts! All our press are dependent on government "presstöd" aka handouts.


According to Reporters without borders, Sweden ranks 4th in the world, in press freedom. I think that would qualify as "fairly free".

https://rsf.org/en/ranking_table


Always be wary of such (and for that matter any) rankings and take them with a massive amount of salt. These NGOs are often fronts for agendas.

https://rsf.org/en/our-supporters

They have the CIA vehicle for regime change as one of their sponsors, the amusingly named National Endowment for Democracy that specializes in overthrowing non-white democracies and regime change.

https://en.wikipedia.org/wiki/National_Endowment_for_Democra...

https://williamblum.org/chapters/rogue-state/trojan-horse-th...


> National Endowment for Democracy that specializes in overthrowing non-white democracies and regime change.

They also don't mind white regime change, NED, along with NATO, the US DoS, and a couple of other rather relevant names, were openly sponsoring [0] "Yat's our man" [1], who ended up becoming PM of Ukraine after Euromaidan escalated into a full blown coup.

[0] https://web.archive.org/web/20200328203654/https://openukrai...

[1] https://www.bbc.com/news/world-europe-26079957


The press can be free regardless. If the allocations are according to some objective metrics then I don’t see a problem.


If the government has the power to grant money and set metrics, it also has the power to take it away, and change the metrics. So if you are getting a grant based on "objective metrics," it might be a good idea to not piss off the people defining them.


Of course but that is a move that costs the government something in political capital. There are always dangers in criticising the powers that be, but I can not see that these kinds of press grants are a big problem.

If the country is a democratic one to begin with, the grants do more good by insulating the press from commercial powers than they do bad in this way, in my opinion.


It may well be a good trade off. I'm just pointing out that there is never a way to be completely free from whoever is paying the bills.


Objective metrics can be as biased as subjective metrics.


I disagree.

The complaint was that a grant from the government makes the press less free to criticise the government.

If the grant is clearly and legally bound to be determined according to a set of objective and publicly available metrics I do not see that it would be such a big problem.

Of course a vindictive government could do what they can to negatively affect the press outlet in question but similarly could a supporting public affect them.

In any case it can all be accounted and prepared for as long as the process is objective and transparent.


The selection of arbitrary objective metrics and the weight associated to them is subjective by nature. Every ranking system is subjective by definition even if the outcomes are measured objectively. Every ranking system is by definition mathematical garbage that we use to evaluate whatever we feel the need to evaluate. We still need them as filters and for other reasons.


Independent and free are not the same thing. You could say Sweden's press is free despite its dependence. However, maybe the Sweden gov values free press and the press is free via this relationship.


There’s a clear bias in your thinking against the US and for Sweden. Any of the points you bring up could equally apply to both places, but you come out bringing the negative against one and the positive against the other.


> The US is somewhere in between.

Bart Gellman's book says that Snowden warned him not to be the only person in possession of the leaked data prior to publication, as the US intelligence community would kill him (Gellman) instantly to prevent the publication of the information contained therein.

This was the biggest takeaway from the book, for me: the US military will assassinate US citizens (journalists!) in the middle of New York City without due process or a trial to prevent them from carrying out journalism.

We expect this kind of cloak and dagger shit from the CIA, but it pays to think about it in clear terms: the US military can and will assassinate US citizens engaging in constitutionally protected activity in the middle of Manhattan with no consequences whatsoever.


Snowden was an IT contractor, how does he know what the “US intelligence community” would and wouldn’t do?

Not that he’s necessarily wrong, but it seems like a leap to go from Snowden saying something he believes, to a certainty that “the US military can and will assassinate US citizens in the middle of manhattan”.


Snowden was trained and directly employed by the CIA in 2006 before he changed jobs to working at IC contractor companies.

After CIA training, he worked in Geneva under diplomatic cover, in 2007 to 2009.


indeed he was a real prodigy Sharepoint administrator. I don't want to diminish the value of what he leaked but it's easy to claim he was aware of all the potential butthurt before others pointed it out as things unfolded.

It is much more realistic that what happened was a true "Burn after reading moment" https://www.youtube.com/watch?v=pabA320p9B0


I am fairly confident that CIA training for those who are going to be living and working under diplomatic cover in a foreign country extends well beyond how to wrangle Exchange and Sharepoint.

He wrote about some of the things that happened in Geneva, I encourage you to read them. Even sysadmins for the CIA need to know some stuff about how the game works.


He was how old when he was in Geneva? 23? Doubt that any kind of training made him an experienced operative. He was still a kid and hardly the Jason Bourne people make him out to be. I'm not saying his leaks didn't provide huge value but it is more plausible that he wasn't fully aware of all the impact that he claims he had knowledge of back then today (or what people attribute him with).


I don't think someone needs to be Jason Bourne to have come to the conclusion in the 73 years of the CIA's operational history that they assassinate people who risk their large-scale projects' secrecy.

This feels like a strawman to cling to the idea that being a US citizen means that the CIA won't assassinate you for being inconvenient, which has been literally and directly claimed, at least twice, by someone from the actual CIA.

Indeed, the reason you even know the name Jason Bourne, or the reason those movies work, is because of the generation-long history and reputation of the US military intelligence services to break the law flagrantly in many countries with no meaningful consequences. We don't have to suspend disbelief to engage with the idea that there is a section of government with staff who can kill anyone they deem needs killing.


Don't forget the murder of Fred Hampton, for which the US government was found to be civilly liable (greater than 50%).


Is there proof of this or is this conjecture?


Two examples we know of of the CIA assassinating Americans without trial or consequences:

https://en.wikipedia.org/wiki/Anwar_al-Awlaki

https://en.wikipedia.org/wiki/Abdulrahman_al-Awlaki

The potential murder of Gellman was stated by Snowden, who was trained by the CIA, and was stated on more than one occasion.


Also this, which wasn't directly the CIA but by CIA backed groups: https://en.wikipedia.org/wiki/Orlando_Letelier, a political assassination on US soil. (Although not a US citizen)


That's one heck of a leap to blame on the CIA.


To quote the Wikipedia article:

A US State Department document made available by the National Security Archive on 10 April 2010 reveals that a démarche protesting Pinochet's Operation Condor assassination program was proposed and sent on 23 August 1976 to US diplomatic missions in Uruguay, Argentina, and Chile to be delivered to their host governments but later rescinded on 16 September 1976 by Henry Kissinger, following concerns raised by US ambassadors assigned there of both personal safety and a likely diplomatic contretemps. Five days later, the Letelier assassination took place.[8]

Documents released in 2015 revealed a CIA report dated 28 April 1978, which showed that the agency by then had knowledge that Pinochet ordered the murders.[9] The report stated, "Contreras told a confidante he authorized the assassination of Letelier on orders from Pinochet."[9] A State Department document also referred to eight separate CIA reports from around the same date, each sourced to "extremely sensitive informants" who provided evidence of Pinochet's direct involvement in ordering the assassination and in directing the subsequent cover-up.[9]

During the tenure of Richard Downie at the William J. Perry Center for Hemispheric Defense Studies, a U.S. Southern Command educational institution located at the National Defense University, the alleged (and as yet unproven) role of Jaime Garcia Covarrubias, a Chilean professor who was head of counterintelligence for DINA in the 1970s, in the torture and murder of seven detainees was revealed inside the center. His alleged role was first brought to Downie's attention in early 2008 by Center Assistant Professor Martin Edwin Andersen, a senior staff member who earlier, as a senior advisor for policy planning at the Criminal Division of the U.S. Department of Justice, was the first national security whistleblower to receive the U.S. Office of Special Counsel's "Public Servant Award."[10] In an October 1987 investigative report in The Nation, Andersen broke the story of how, in a June 1976 meeting in the Hotel Carrera in Santiago, Kissinger gave the bloody military junta in neighboring Argentina the "green light" for their own dirty "war."[11]


I may not be reading this clearly, but how is the CIA involved in the assassination here? It seems like they had intel that it could happen but didn't order it, execute it or have any direct involvement.


The assertion was "the US military can and will assassinate US citizens engaging in constitutionally protected activity in the middle of Manhattan."

It really diminishes your point when that is compared to an airstrike on foreign soil.


I don't really think the territorial claim on the land where the extrajudicial assassination happens is very relevant to the legal fact of the matter.

We don't say that the FSB attempting to execute Skripal in a UK shopping mall doesn't count because it was in the UK. Murder is murder.

The claim that the IC would assassinate Gellman in New York was made by someone who used to be an actual CIA operative and went through their training.


It absolutely doesn't matter where it is. All that means is that the means of murder will change. Instead of being an airstrike it might be someone off the street paid for the hit or an operative killing them or poisoning them. In both cases, you'd have no way to know. The only places you'd be able to know are in foreign countries where risks of capture and death are much higher and where investigations can't be silenced.


> Since the early 2000s at least, most billing has been outsourced. This works by sending all Call Detail Records (CDRs) to a third party, often from Israel or China.

This is quite misleadingly written: telcos are not shipping reams of CDRs to some cubicle farm in Haifa or Chongqing.

Yes, almost every telco outsources its billing software to other companies, notably Amdocs (founded in Israel, now HQ'd in the US). However, billing info is some of the most sensitive data a telco has for both privacy and commercial reasons, so that software always runs in a closed environment from where it cannot dial home. Historically that's been on-prem, it's slowly moving to the Cloud but even there it's going to be firewalled off very carefully.


Let's not oversell the fact that Amdocs' official HQ is in the US: It's an Israeli company through and through. It did more development in the US back in 2001 than it does now: Today, their US footprint is mostly customer sites. And you will find people brought in from Israel everywhere. It's always been bad enough that managers that don't speak Hebrew knew they were always at a disadvantage. Your best bet for saying it's not an Israeli company is to say that a whole lot of R&D is being done in other countries with cheaper labor.

While it's true that the installations are on-prem (having been to quite a few of those), Amdocs' business model isn't about dropping code and going away: They are so embedded with your typical deployment that there's plenty of opportunity to exfiltrate data. Sending every CDR to Haifa? Probably not: The Sysadmins on your typical large telco are iffy, but not that iffy.

And carefully firewalled? The talent was never great, and the security practices were never all that serious: I've been handed production shells that I had no business having, because it was convenient at the time. Once again, I'd say that the best argument to claim that there's no data exfiltration is that the people writing the code aren't good enough to do this under the customer's nose.


I was involved in some RF*s on Amdocs side for a bunch of telecoms in USA, Europe and Asia a few years ago. Security requirements were very long and rather reasonable, to a point that it was a pain in the ass to follow all of it. Part of what we had to submit was deployment architecture that included security architecture that was reviewed by security teams. We also had some meetings with security teams which were more like serious interrogations (they just could go with waterboarding to speed up things). We even had, as a result of those discussions, to alter somewhat product architecture (not "lets stick in tls". actual changes in how system works and interacts) in order to enable more secure deployment and operations. But those were Tier 1 telecoms. Smaller ones are probably less strict but I don't know as I didn't deal with them.


There's a big gap between what happens in the larger telcos that run infrastructure, and the white label operators.


White label operators can't usually afford an Amdocs solution from one side. From the other side, Amdocs doesn't have a server farm in Israel to do CDR processing :) Everything happens either on client premises (and Amdocs can deliver end-to-end solution, including buildout of complete datacenter if it is required by the client) or "in the cloud"


Oh yea, super secure, their outsourced security team is all over it.


This aligns with my experience working at IBM. I knew Vodafone was a big customer, but I found the extent of that relationship peculiar; in presentations given by senior engineers it came across that IBM seemed to be running the core parts of their network. That can sometimes mean Vodafone engineers are barely allowed to touch anything without an IBM contractor on site. It got me thinking; who and what is really running these telecom networks and are they not much more than a branding exercise.


This is more common than many think.

Once a managed provider steps in, they want to "own" the configuration. You end up with the operator itself actually having to raise tickets with the MSP to change things on their own network.

All this becomes a huge issue if there's a major outage, as the MSP might not have enough access to actually get in and do anything.

Most telecoms networks are run (to some significant extent) by a managed service provider, in my experience. When O2 UK had a major core outage due to an Ericsson certificate expiry inside the core, it wasn't O2 engineers that found and fixed the issue; it was Ericsson engineers.

The margins as an operator don't make it easy to keep around the deep technical skills to be an expert in the network you own.


Operator margins in the US are enough to pay billions for media companies, at least. But maybe more competition is allowed in Europe.


There's definitely a "side of the pond" aspect to this - US operators pay for media companies, but they likely do so to raise their margins, and I presume they're borrowing the funds from institutional investors to do this, rather than bootstrapping their acquisitions with profits.

In Europe you'll likely see far lower per-user pricing due to competition. You'll typically have 3 or 4 operators with physical networks, and a number of virtual operators providing white labelled service over the underlying networks.

A standard target ARPU (average revenue per user) would probably be around 15 GBP per user per month. You'll likely get to that via contract users who you try to get on 22 GBP per month or thereabouts, and pay as you go users whose ARPU is far lower (maybe 8 or 10?)

Compared with the US, consumer prices paid are incredibly cheap - expect unlimited calls and SMS, and many gigabytes of data. If you shop around you'll get even cheaper still. In the UK you'd be able to get unlimited 4G or 5G data for 25 GBP per month.

Clearly the US has a much larger geography to cover, but there's definitely more competition leading to downward price pressure in Europe, in my view.


Canada's average ARPU for mobile customers is like 60-70$ I think.


More than allowed - in the EU at least, telecoms (wireline at least) is heavily regulated, and monopoly infrastructure providers (i.e. wire owners) are required to provide wholesale services and operate on those services for their own retail arms. Mobile operators have slightly less regulation in the way of competition but there are similar requirements for vMNOS etc. So yeah, overall margins tend to be smaller and there's healthier competition overall, but telecoms is still flush with cash in general.


> You end up with the operator itself actually having to raise tickets with the MSP to change things on their own network.

Once, I found out a contractor was so used to opening and closing tickets for themselves that they were actually gaming the system and using it as a way to correct payments for their services. Each payment went through at least two accounting services and yet it worked. Interesting discussions followed :-). They are still there.


If you’ve worked at an MSP, you realize this is the case with a lot of companies. I worked on the infra of a pretty major publisher and their full time staff literally didn’t know anything about their platform. All the websites had been written by contractors, and then the maintenance was handled by us. It’s actually insane.


Bert Hubert has another great article that is referenced[0]

[0] https://berthub.eu/articles/posts/how-tech-loses-out/

This article hits the nail on its head, and I can see it happening all around us, not only in the telecom/tech world. Boeing is a prime example for instance, but also the general death of manufacturing in the western world has resulted in this.


IBM won a major outsourcing contract in the early 2000s for Southern Europe (I know, I was there). I can assure you that they did not run the network because of a) sheer literal incompetence (they did not have the skills, in multiple regards) and b) the deal was solely for IT workloads and on an exclusive basis, and that did prevent many Vodafone staffers from actually fixing the messes IBM created.

(EDS won the northern countries, BTW, and I think things were marginally better with them, but either way, things soon reverted back to a more flexible arrangement because product development was severely hampered and most OpCos ended up rebuilding their IT systems)


This is factual information, so why the downvote?


I worked with Vodafone and AT&T for projects in Europe. It was a large company to that did some work with SDNs and were a MSP. Can confirm the endless chain of subcontractors when dealing with large Telcos.

Europe in general has a fetish with subcontracting IT to the point where only the contractors can do it. Sometimes it’s the contractor’s contractor’s contractor who is the only one who can do anything.


this fetishization of contracting everything out to subcontractors has to do with the fact that most business schools teach one principle and one principle only. risk taking is a sin that will hurt your bottom line. subcontracting delegates that risk to someone else while leaving your company with little to no real staff that can do the innovation.

in the short term this does not matter, because the company stays profitable, but long term this is resulting in a system in which no one has complete ownership and responsibility of their systems, which makes doing changes and innovating nearly impossible.


The US doesn’t do it quite as much. I was shocked how much some of the larger known European telcos and companies contract out. As in the entirety of their networking and most of their IT functions were outside.


The US does it quite a bit. I think it depends on what sort of company you're working in.

For instance, when I worked in US govt, best as I could tell all the real work was done by contractors and the govt employees sat around on their asses all day.


I have seen many European companies love big monopolistic giants like IBM or Microsoft. There is literally no respect for smaller innovative companies.


I was shocked when I saw one of the Big Medical companies in Europe outsource almost every single thing.

Headquartered in Switzerland, its German office was mainly just Product managers writing requirements. Most of them would do endless paper work and all technical work is outsourced to multiple contractors. One of the requirements of the Product managers was to handle all these contractors so that things run smoothly. Many of the product managers had PhD degrees or Masters doing this nonsense. Finally they wonder why the cost of their products is so high.

I have noticed that it is better in the United States where a lot of medical companies have a lot of in house technical experience.


Which is hilarious, as IBM outsources its own network to at least two entities as well.

The IBM guy is probably connecting to Vodafone through some AT&T managed tunnel.


In the past I worked at a mid level 4G provider in the US who had to deal with the larger providers on a regular basis. I was always astounded at how little they knew about their own networks.

Regarding the article's statement of providers wanting an "all-in-one" solution, I have seen that in person, where management forced it, found it was horrible and then gave in and let us build the mixed vendor solution that worked well. I've personally mixed eNodeBs from 2 different vendors to 3 different vendors' SGWs and a different vendor's PGW with no issues.

The "One Throat To Choke" idea doesn't work if your business depends on that throat to operate so you end up with the vendor calling the shots instead of the business.


>>The "One Throat To Choke" idea

but it sounds soooooo good in meetings !


The bigger they are, the harder they fall...

On the whole, the technical standards should allow the kind of interoperability you described. That's the kind of fun real-world engineering that techies love. The bean-counters don't, because it's more devices needing support packages, it's more suppliers on the books, and ultimately it's probably (slightly) less profit than buying a single box.

I've seen big household name operators in Europe stop even pretending they're doing the work, and straight up pass on contact details and a mobile number for the person at their tier-1 vendor partner, so you can liaise directly with them.

It seems in these "5G" days even more than before, operators are retreating into the business of connectivity service, and leaving more and more for their vendor partners to do. When you're not even hiding the fact to a client that they may as well speak directly to the vendor, that says it all(!)


> We recently asked a large European service provider why only part of their customers get IPv6 service, and how they pick which parts do or do not get such service. They could not tell us, and informed us they too would like to know

woah. as a EU citizen, i'm terrified. i wanted to say surprised, but after a moment's thought, turns out it's only a moderate misalignment of expectations.


I retired in 2012, but at that time my employer had completely subcontracted the operation and maintenance of its mobile network to Ericsson, Huawei and Nokia. It was in France.

Once I asked for a one day snapshot of all mobile data for a cooperative R&D project. The saga went on for months with repeated requests at various hierarchical levels, but to no avail.

It's not that they refused, but I guess that the guys in charge simply were unable to get the requested information from the subcontractors.


I work for a large EU Telco and I can tell you the inside battles to get stuff done are absolutely ridiculous.

Of course I work for a subcontractor too.


This is gold.

>> In reality, most service providers have not been operating on this model for decades. Driven by balance-sheet mechanics and consultants, service providers have been highly incentivised to outsource anything that could possibly be outsourced, and then some.

>> In a modern telecommunications service provider, new equipment is deployed, configured, maintained and often financed by the vendor. Just to let that sink in, Huawei (and their close partners) already run and directly operate the mobile telecommunication infrastructure for over 100 million European subscribers.

I think it's quite a safe bet that no operator in China went that way by buying and outsourcing from/to Western companies.


Ericsson threaten to leave Sweden, if actions by Swedish government meant that they lose access to the Chinese markets and running/future contracts.


And those Western companies that sold to China telcos had their IP stolen and appear in Huawei/ZTE products a few years later.


It's nearly impossible for telecom to deploy/configure/maintain their networks by themselves due to the scale. For example, I just googled, AT&T seems to have 67000 towers/macro cell sites. Let's say they want to update all of them to install modern 5G equipment. In many cases this equipment may come from different vendors and to deploy it might be multi-day job. Off the top of my head, about 20% of site visits fail due to various reasons (with good percent of them failing even before starting due to scheduling issues, sickness, not delivered at time equipment, etc).

How much time and people it will take to AT&T to do all the work on its own?


> How much time and people it will take to AT&T to do all the work on its own?

About as many people as are currently working on it, probably. The work does, in fact, get done by real live humans. That they work for a contractor only adds humans in the middle. Also the money to pay them is present; it just flows through a few extra contractor accounts first.


And who will support existing network: fixing things, dealing with day to day operations, etc.? If it's same people, deployment timelines will be extended by years.

If it's not and you hire extra people in order to work on this deployment, then when job is done, you end up with extra few thousands of employees that have nothing to do and you need to fire them. In this case it's easier, faster and cheaper to outsource the work than doing hiring of thousands of people, training them and then firing them when job is done...


It’s a project based business model and isn’t particularly challenging to staff. For the field service portion of my business, I can tell you how many man hours at each title I need for the next 2-3 years. You know what your maintenance demand is and can project capital projects, because the business knows what capital money it’s borrowing.

End of the day, it’s more to do with accounting stuff like fixed asset inventory, risk management and keeping salaries and benefits low. It’s easier to fire a contractor or hire a shittier/cheaper one than deal with a bunch of employees. IMO, saving hard dollars isn’t a driver.


upgrading 67k towers for 5G and making relevant changes in software/network infra, it's not "project based business model". This particular exercise called "network transformation" and it makes grown men cry and quit their job :)


> If it's not and you hire extra people in order to work on this deployment, then when job is done, you end up with extra few thousands of employees that have nothing to do and you need to fire them. In this case it's easier, faster and cheaper to outsource the work than doing hiring of thousands of people, training them and then firing them when job is done...

Are there enough carriers that the contractors stay busy 100% of the time or do they just hire and fire people as needed?

I get why contract gigs can be mutually beneficial but it seems like either the demand is there for full-time trained technicians to do a particular job, or there isn't. If there isn't, then does it really matter who does the hiring/firing?

I think what I always figured was that most deployments are rolling and there will always be new tech to train on and then deploy every few years, which sounds fairly sustainable as a full time labor force. I haven't run a telco before obviously.


Hiring/training it's a time consuming process, especially for large scale project like this (think, 67k towers across entire united states).

Usually telecoms RFI pretty much entire project from third party vendors (or few of them, in order to reduce risks), with very long list of requirements covering everything from software integration to hardware deployment. Vendors will bring teams of their own engineers for "higher level jobs" and a whole bunch of "licenses" subcontractors to do actual track rolls. In case it's a complicated project, like upgrade to 5G, vendor most likely can't provide entire solution by itself, so it will be a "consortium" of vendors that stitch up complete solution that is organized by vendor that answers RFI. In this case each vendor may have its own subcontractors who may have their own subcontractors etc...


They did it before, even had to wire everything together, coast to coast.


"Before" it was simple. Now it's very complex. It's very complex exercise in large scale planning, logistics and coordination. If company tries to do it by itself, it something that will take years of work of hundreds to thousands of dedicated to this task people to accomplish.

Market and customers require faster pace.


> One even went so far as to state during an all-hands meeting with technical staff that ‘running a communication network’ was by no means a core competence for them.

This is an outraging but very widely spread phenomenon. No industry is spared from the MBA hawks. Everything now is rent-seeking and moat building. Innovation has been packaged away and can only happen when the market makers say it can.

What can an engineer do about that?


> What can an engineer do about that?

Lots!

- Name the companies in question

- Stop working for them, and start working for companies that favor engineering expertise

- As a consumer, advertise the good companies and call bullshit on the bad ones

- Raise awareness about these practices among your elected political representatives and their constituencies

If all of their skilled engineers leave, the bad company cannot run only on the basis of MBAs juggling balance sheets. Unfortunately most of my fellow engineers are far more likely to sit around blaming “the MBAs” over drinks than take any of the above actions.


> If all of their skilled engineers leave, the bad company cannot run only on the basis of MBAs juggling balance sheets.

The MBAs can just outsource the work.


Just another instance of how Harvard Business School completely f*ing up things. Future historians will have trouble understanding how we let MBAs destroy our civilization.


Related: This white paper was published within the last 2 weeks relating to "5G Network Slicing"

Quote from the author: “Currently, the impact on real-world applications of this network slicing attack is only limited by the number of slices live in 5G networks globally. The risks, if this fundamental vulnerability in the design of 5G standards had gone undiscovered, are significant. Having brought this to the industry’s attention through the appropriate forums and processes, we are glad to be working with the operator and standards communities to highlight this issue and promote best practice going forward.”

PDF can be downloaded from here: https://info.adaptivemobile.com/5g-network-slicing-security


Cynical me certainly can believe all this. But on the other hand, I’m wary of just reinforcing what I believe anyway.

How trustworthy is this? There seems to be a lot of inside information, where did they get it from? Does anyone have corroborating links? All article links are either general, or US specific.


Much of this is fairly widely known in the telecoms sector, and is "open secrets".

The sector is a pretty "closed shop" though, full of trade secrets and "proprietary" things. Underneath it all though, actually it's fairly simple once you get your head around it.

If you work closely with an operator, even as a client, you'll see examples of this - the number of people brought to meetings from the vendor, versus from the operator. Who answers the questions.

For a public example, see the Telefonica O2 outage in the UK (and Japan, I believe) due to an Ericsson certificate outage, and how much of a role Ericsson played in this. (https://www.theregister.com/2018/12/06/ericsson_o2_telefonic...)

Press releases also give bits and pieces away:

https://www.ericsson.com/en/press-releases/2019/11/orange-op...

https://www.mobileeurope.co.uk/press-wire/9588-three-uk-join...

Although they might not give the level of detail you're looking for, it should hopefully corroborate things.


Not exactly what I was looking for, but a good start. Thank you!


Hi - author here. By all means ask around. I can only tell you that I've received many corroborating anecdotes over the past year. Many telcos even assumed I was writing about them specifically, when I wasn't! I also have a second post that has some more logos and names where I based this article on -> https://berthub.eu/articles/posts/how-tech-loses-out/


The reality is even worse. The article depicts the operators as middle-men piggybacking on the tech expertise of vendors like Ericsson or Nokia. Unfortunately, the vendors are subject to exactly the same pressures.

The whole industry is in a deepening downward spiral. Outsourcing and subcontracting is rampant, layoffs left, right and center. The combination of non-functional requirements that would make even senior FAANG fellows dizzy - left to be done by stressed out graying veterans or naive greenhorns, who leave the industry after 2-3 years for 50-100% raises elsewhere for the same skillset. Due to the monopsony power of the large operators, the vendors barely break even on their deliveries. There's no institutional knowledge buildup, nobody to take up the baton after the veterans retire, the vendors gave up pretending they care about being a nice place to work. If you're a techie, stay away from the telecom industry.


It’s public knowledge that most telcos don’t actually run their own network. That also makes the whole fear regarding back door in Huawei equipment a little strange, it seems mostly political.

I’ve pointed it out in previous discussion that China doesn’t need back doors to western 4G/5G infrastructure, because it’s their people operating it.

But as with much other technology our politicians are ignorant and forgetful.


I mean if that’s true, doesn’t that make the fear a much more practical concern?

It’s much worse to have a potentially hostile foreign state running core infrastructure than potentially have them install a back door.


This is far from proprietary, I would say it doesn't even rise to the level of "open secret". It's plain and obvious to anyone in the industry, just not exactly advertised outside it.

Personally, I left the industry in 2006 and it was already very close to what's described in this article. I was working for a tier-1 vendor, sitting in the carrier's offices coordinating field work, and saw every facet of these interactions. (Technically I wasn't even working for the vendor, I was working for a contracting firm that had temped me out to the vendor, so it's even more abstract.) Institutional knowledge was held by project managers on the vendor's side at least as much as by the carrier's own staff.

Talk to literally anyone in the industry. I'd be surprised if you can find a single one who says it's not as bad as this article suggests.


The author is widely respected in the internet, open source and technical world. He founded the PowerDNS project and worked with many operators as a result.

Not that that’s everything but I would tend to trust Bert. Certainly, based on his track record, I don’t think he’d deliberately mislead.


It's not inside information, it's common knowledge if you work in telecom area.

How trustworthy? It depends. Operators in developing countries these days might completely outsource buildout and management of their network to Huawei because they frankly have best end to end portfolio I think.

With operators in rest of the world, especially those that are "well established" reality is more complicated. Telecom networks having a lot of moving parts and require a lot of domain specific knowledge or proficiency with hundreds or thousands types of hardware and multitude of heavily customized per telecom needs software systems. For some of those things work might indeed be outsourced but in many cases outsourced work performed by people who function as company employees in day to day: i.e. they work in telecom office building, have employee badges, pass background checks, etc. Essentially this type of outsourcing is deeply embedded within telecom itself for a most part


> In a modern telecommunications service provider, new equipment is deployed, configured, maintained and often financed by the vendor. Just to let that sink in, Huawei (and their close partners) already run and directly operate the mobile telecommunication infrastructure for over 100 million European subscribers.

> The host service provider often has no detailed insight in what is going on, and would have a hard time figuring this out through their remaining staff. Rampant outsourcing has meant that most local expertise has also left the company, willingly or unwillingly.

100% reflects my experience working in Huawei BR a few years ago. Carriers are mostly customer facing companies and very limited technically.

Our customer (million + subscribers BR carrier) often hadn't the slightest idea how their own network was built and worked.

Banning Huawei is absolutely impossible, at least in Brazil.


>> In a modern telecommunications service provider, new equipment is deployed, configured, maintained and often financed by the vendor

If you think this is bad in some place like the UK, you should see how ISPs and mobile network operators are set up in some countries in the developing world, where the vendor has fully captured the Telco as basically a hostage to its technical services.

This is what happens when you have a mixture of institutional corruption, kickbacks and bribes, lack of local technical resources to develop a domestic network engineering talent pool, and a vendor that knows how weak the client entity's negotiating position is.


What also does not help is that becoming good at networking engineering at scale is something that is hard, if not impossible to learn on your own. Software Engineering is something one can teach themselves on a laptop, learning to design, build and operate networks at a large scale across geographies is simply not possible without being part of the industry.

Network engineering talent is incredibly hard to come by in most regions of the world, especially if you consider that ISP networking deals with arcane technologies not really used in most "enterprise" networks. (BGP in various ways, MPLS is a big one, and arcane transports like SONET or DWDM solutions).

Sure, one might be able to learn how to configure BGP, how IP works etc from their laptop using GNS3 or a couple of second hand routers/switches, but learning how to design networks at scale is completely different beast.

Most people seem to enter the field by getting hired as tech support at a NOC and working their way up from there, which is kind of a grind compared to some more lucrative positions available to people who possess the technical talent.


I agree with 100% of that - a much harder problem to solve when learning real network engineering is much more capital intensive and requires real financial resources that may be beyond the reach of many.


Also, it is a really difficult problem to solve. Most curriculums of universities and polytechnical schools only focus on the technical, theoretical aspects of network engineering, but getting hands-on experience in actually running an ISP network is very, very difficult. The market for people who want to get into this line of work is also very small compared to software engineers, programmers and system administrators. The work is usually high risk, technically very complex and it can be very stressful. (It being vital infrastructure, and breaking something can result in catastrophe for your customers in some cases)

I sometimes wonder what will happen if we have no one left to maintain the systems so many layers of software and systems depend upon.


This is my experience interacting with mobile telcos as well.

Even to get some simple logs from a base station you need to either ask an Ericsson engineer or, worse, wait for the Telco employee with the relevant knowledge to find time to do it. Telco employees with such knowledge are very few compared to the amount of workload they have to do, so it is hard to get them to dedicate time to help you.


Ehm. You all are aware that 5G was created with the expectation that in the future all networks (and core functions) will be cloud-based? The last remaining HW will be the physical antenna and some PA/LNA and some local signal processing. You connect fiber to that and everything else is an operator-as-a-service model - running on AWS/Azure/GCP.


You're aware that telcos have massive amounts of physical stuff needed to make that happen first? You can't "cloud" hand wave away things like massive metro scale dark fiber networks for backhaul. Or things like inter city long haul DWDM networks. I assure you there's a lot more going on hidden behind the scenes of a modern ISP or 4G/5G carrier than just some antennas and software in a VM somewhere.


This will not happen this year. But in the long run you don't need much own HW to be an operator. And fiber connectivity is (as the startpoint of this comments) outsourced in large scale.


"in the long run you don't need that much HW to be an operator" - have you ever worked for a facilities based ISP or Telco and visited the interiors of dozens of different POPs? Please do so and then come tell us all about how telecom infrastructure on a national and global scale isn't composed of massive amounts of hardware all over the place.


I work in a team that created 5G. And around ~2014 it was clear: operators want to go away from own HW.


Just because you've outsourced some function to another contractor or telecom doesn't make the physical stuff go away. It just abstracts it away to someone else's responsibility.


how? the hardware needs to be there because you actually need to run the physical infrastructure to locations, no matter the technology, you still need geographical coverage to actually build connectivity.


well, around ~2011 network operators discovered that it's possible to virtualize network&compute, i.e. run routers, switches and computers in VMs. As result of this they came up with a grand plan where they will stick everything to virtual machines on top of cheapest hardware (preferably). A bunch of conferences happened in order to define standards for all this happy future. Only most of it crashed and burned for multiple reasons. But it was back then.

Now, in theory, it's pretty much possible to run operator based on leased lines (many operators actually run over leased lines anyway, in many countries and they don't own physical fiber networks due to regulations or other reasons), and interfaces with antennas/enodebs that are "virtualized" (to support multiple operators at once) or even using cloud-ran while deploying rest of software stack "in cloud".


Check out how Rakuten and Altiostar are doing just that.


4G is already pretty much cloud-based. But it doesn't mean the cloud should be run by the network equipment vendor - a more sustainable model would be the network operator, or at least European tier 1 developing and maintaining it.


>>> what remains in the other half are IT Architects who do not get closer to actual operations than an Excel sheet or a Visio diagram.

the only light point in an otherwise depressing read


Steel production capability is considered strategically important in case we go to war, and it has been so since World War II. Steps have been taken to retain domestic production capacity for this reason. Until we have a planet of one people and one nation, we’re stuck thinking this way about things that are critically important, should we find ourselves at war with a former partner.

Tech sovereignty has become such a thing. And the bad news is that we have lost. I’ll leave others to debate why, but we can’t manufacture our own chips, we can’t make our own telco networks, and the cloud systems that provide back end services are almost lost.

The state of play here is dire for the US and its strategic partners. I’d say that surveillance is less worrying than the simple fact that a potential future adversary has an off switch for these things that they can toggle at will: no more chips, no more telco products and no more cloud services - now, let’s have that South China Sea conversation one more time...


There is an amazing amount of FUD in this article. I have worked in the telco industry for the better part of 30 years, and am back on it now after a 5-year hiatus in cloud computing.

Before I "left" there was certainly a trend towards outsourcing and large "swaps" of radio gear (Nortel-Ericsson in my case, and Motorola-Huawei at a direct competitor, to quote only two examples), but there was no way in $UNDERWORLD that we would let a vendor have direct access to our gear unsupervised (be it Cisco, Ericsson, whatever). Remote troubleshooting was possible, but usually via jump boxes and VNC (only very seldom we would let anyone VPN in, and even then it was only to sub-sections of the network). Nothing left our O&M network. Nothing came in, either, because upgrades were rolled out from internal servers.

And it is still very much the same thing today. Although there are outsourcers and vendors who work alongside core staff in my telco customers (like myself now), we don't have access to anything but lab or dev environments, and even then mostly with MFA and very stringent limitations.

Outsourced staff _does_ do field service of various kinds, and they do have access to base stations, DSLAMs and various other physical infrastructure, but that's usually done with (usually much cheaper) local technicians and not vendor staff. There are certifications for those.

The reality is that most telco services are being "automated out" and moved to virtualized stacks that are easier to manage. And yes, VoIP on the core (no more SS7 if anyone can help it) and Kubernetes everywhere...

But what I found to be really weird was the notion of outsourcing billing. Besides being a GDPR nightmare (and I'm in Europe, like the author, so I find it doubly unsettling), that was only done "off-prem" when all companies involved were in the same group (which was customary when fixed and mobile operators were separate). These days billing is, comparatively, greatly simplified (thanks to flat fees, real-time billing systems for prepaid and streamlined bundles), so the only data that actually leaves the BSS core goes to the (smaller and smaller) printing facilities.

So I would take it all with a massive dollop of salt.


Which telco is that? Is it UK based by any chance? Article says things are different in the UK.


I wonder if it really matters if networks are insecure. I generally connect to the internet via whatever hotspot is available or 4G if not with no expectation that it's fully secure. That's what https and other encryption is for. And I don't generally have anything to hide - there are a bunch of tools like tor and VPNs for people who do. That's probably the way forward - secure tech on your device rather than trusting to the kindness of strangers.

Talking of phone network security one thing that does piss me off is my phone company just transferred my phone number of 10 years to fraudsters who presumably called customer support with some sob story. You'd think they could have some standards to stop that like at least sending an email to your usual address saying "There's been transfer request - you good?"


Ok, but what about SMS, MMS, phone calls, getting your approximate position, ...? What if they decided to shut down the whole network because of some reason? Then https won't help you.


You could drop SMS, MMS and phone calls and use something like whatsapp instead, which a lot of people seem to be moving towards anyway.


I worked for a bunch of years in the biggest Israeli company that is selling OSS/BSS and related outsourcing services to telecoms (those who can afford its solutions), and had some first-hand experience with them.

>Since the early 2000s at least, most billing has been outsourced. This works by sending all Call Detail Records (CDRs) to a third party, often from Israel or China. A CDR stores who called whom and for how long. More data might be attached, for example the location of the customer, or where the customer was roaming abroad etc.

Don't know about software from China, but the one that we sold doesn't send anything back to Israel. There are a lot of rules and restrictions on CDRs and we had a bunch of training with regard to it. Everything is running on the client site, usually on hardware deployed by us at their data centers and managed by a dedicated team of people who relocate to live next to the client in order to provide 24/7 support of the systems on site.

>Typical service providers have hundreds of thousands of network elements. Surprisingly perhaps, many of these are actually maintained manually (!). Thousands of networking engineers labour to keep all this infrastructure operating well.

This is a mix of half-truths and lies.

None of the operators have thousands of people to manually configure day-to-day network stuff. Operators have rather sophisticated automation systems (aka OSS) that deal with provisioning and configuration of everything in their networks. Or almost everything. Any given operator whose life span is a decade or two today has a boatload of equipment (thousands of different types of hardware from the same number of vendors). In many cases this equipment was bought and deployed 10 or 20+ years ago. The companies that made it have not existed for many years. This hardware can't be replaced with anything, because nobody does this type of system anyway. Those systems tend to have proprietary interfaces and in many cases can be managed only through an Element Manager, which can be managed only manually through some ancient Windows or Java application.

>Meanwhile, modern large scale internet companies (like Google, Netflix, Facebook) have automated all such maintenance. Automation in this context means that no configuration states are edited manually but instead, entire networks get provisioned and configured from central templates.

>With such automation, small teams of engineers can control and operate vast networks with relative ease - especially if good use is made of continuous integration and real life testing.

I also worked for a while at one of the FAANGs. They have it easy: all the hardware is modern with nice interfaces. You can actually automate it. Also their networks are much, much smaller compared to a mid-sized telecom, much simpler and much more homogeneous. Automation at the FAANG I worked for was a joke compared to the automation systems that run telecom networks. My job was near the network engineering team and during conversations they admitted that what they have is crap. I believe that at one point in time they considered buying a telecom-level OSS system but bailed out because they couldn't get the source code.


I work in one of the companies in the business (a competitor in some of Amdocs' markets), and this person seems to know what they're saying.


What I don't get in this entire conversation is how is 5G different from any other transport layer? Can't secure communication be achieved by encrypting the communications at a higher level?


Metadata still exists in that framework.


I can’t help but notice that we always keep relying on closed-source for these kinds of things, and then distrust providers because we don’t know what that secret code does.

Am I the only one noticing that the obvious solution is to stop using closed-source tools for such delicate infrastructure that’s meant to serve the general population?

I honestly can't even grasp how we got into this mess in the first place: publicly funded software for public infrastructure that has such delicate security implications should obviously be open source only.


> Driven by balance-sheet mechanics and consultants

It’s not just telcos...


Not only by balance-sheet mechanics, there is some politics attached. In my workplace we're currently discussing moving in-house data centers to a cloud provider. At first glance it looks like it comes at a higher cost (in-house is cheaper). Now some balance-sheet makeup sets in.


Probably Off Topic, but may be a chance if anyone within the industry might know.

What are the current / proposed patent licensing terms of NR-U, finalised and related to 3GPP Rel 16, going to be? Specific to standalone NR-U (as in MultiFire in 4G), which could compete with WiFi 6e.


"Just to let that sink in, Huawei (and their close partners) already run and directly operate the mobile telecommunication infrastructure for over 100 million European subscribers".

Which providers are using and which are not using Huawei?


My concern wouldn't be with data being exfiltrated, seeing as so much is E2E encrypted these days.

But what if there is a remote kill switch - taking down a cellular network could cause a whole heap of problems in the 21st century.


I work in OT security in an industry completely unrelated to Telecoms but which is also a matter of national security and everything in this blog post doesn't really sound believable from my experience dealing with sensitive infrastructures. Different industries, different countries, etc. I get that things can differ a bit, but going from "the infrastructure is airgapped" (in my industry) to "the infrastructure is managed remotely by a foreign entity" (as claimed by the author) seems too big to be true. Not gonna lie, I'm a bit sceptical about the veracity of some of these claims.


The author would find Pivotal Commware[0] interesting. Not only stateside but offering advances in hardware efficiency and durability.

Full disclosure: employee, soon investor

[edit: also, they are hiring]

[0] https://pivotalcommware.com/


5G Vs. Starlink

Which will win?

?

Or, more likely, does the future hold a coming broadband internet connectivity price war?

?

And if so...

...who will be the "last IP address standing"?

?


[flagged]


We really need more open spectrum. There seems to be no end to the privacy problems caused by cellular equipment.


How should open spectrum help? Do you think you can run infrastructure on scale better than the current operators?


" European service providers are by and large currently not in good control of their networks, writes Picking Huawei is not specifically a sea change but simply a continuation of existing policy for most providers. If we really care about our privacy and the stability of our communication networks, we should be able to build such networks autonomously. The Galmon GNSS Monitoring Project monitors the RNA levels of humans in the human genome."

Can you just get lost? Thank you!


Are you GPT-3?


It does seem to be some sort of automated spam - a mix of the article, the same chunks of disconnected factlets and some random sprinkling of nonsense. Is it possible to flag a whole account? @mods?


I believe the whole account is flagged if enough comments are flagged by multiple people. I've already emailed dang.


Right it looks like 10 months ago it was an actual account, and either got hacked to karma-farm(?) or author decided to use as a throwaway test.


Check out the submission history.



Oh, it was getting a bunch of downvotes, and it didn't really add much to the conversation, so I nuked it.

I'll do that. It's not the downvotes that bother me; it's that I am not really adding to the conversation.

I feel that it's important to add to the conversation; not just participate.

That post was mostly whining about outsourced software and CS. Not my proudest moment.


I found it interesting. Instead of down-voting a comment the down-voters should post a refutal. That would add to the conversation. I'm always prepared to change my mind. Instead of getting down-voted into oblivion.


The “random nonsense” in this particular example are the next/previous article links from the bottom of the page.


Yes, it’s spamming at a lot of posts at the moment. See the other comments it has made.


This is amazing. I wonder what % of people would recognize that it wasn't written by a human. I thought that some parts were confusing but the idea that it was written by something like GPT never occurred to me.


Meh, you don't need GPT-3 for this, I've used web Markov chain tools for quickly generating this kind of text from a sample like 15 years ago...


I got fooled. But reading the original article I noticed that the generated comment just picks out some sentences from the original one and pastes them together. It's not generating the sentences themselves but stringing sentences together that fit a context.


Definitely looks like an account that was possibly hijacked (due to age of account) to reach a higher karma

Or just a GPT-3 experiment, that's possible as well


Pretty good karma for a bot.


Yes it is.


Wow ... I read this whole thing thinking it was a human. On a re-read I'm wondering what I was thinking. One thing that stands out on the account's previous posts is the paragraph lengths are quite consistent.

I'm going to have to train my bot senses. I got conned. Any tips? Mindlessly reading me is not prepared...


Wait, what? Are you suggesting this post is GPT-3 or something? Did we read the same article?

Edit: ok, I think you meant to reply to another comment which is currently flagged/dead. It looked like you were referring to the linked article itself.


One tell-tale sign I've noticed is sentences that don't go anywhere - the last sentence of the first paragraph starts going somewhere, then suddenly stops. If we assume people communicate for the reason of conveying some meaning, always dig for the meaning. If it's not there, it's likely some kind of vapid content-less babble...

If you read critically with a view of "what are they actually saying?", you tend to spot this fairly quickly. The ending with some irrelevant babble gave the game away a bit though.


That's an excellent tip. Form an idea of what "they" are trying to convey... If it evaporates unexpectedly it might not be trying to convey anything...cause it's just an ML algo. The trouble is having clarity of thought myself, I barely know what point I'm trying to make let alone following the precise points of others half the time. These things really nail verisimilitude of chatter about an unfamiliar topic or of a smarter person, for instance, where you can't detect the BS because you assume lack of knowledge.


There's actually a really interesting field of (serious) academic and scientific endeavour into the study of "pseudo profound bullshit" - a search for that will find you some of the papers available freely online.

It seems that these text generation bots are pretty good, as you say, at generating some basic level chatter about a topic in a manner that can sound convincing. Somewhat like a "talk-show style TV news pundit" can - I'm reminded of the various times they're tricked into giving their commentary on things that haven't happened yet, and they happily (blindly) oblige, because they're more interested in being seen to be an expert than in actually having something to say.

I think the more confident and critical you are in reading, the easier it is to detect the nonsense through internal inconsistencies - many of these text generation systems really struggle to produce an internally consistent argument.


Oh dang.. Was trying to reply to ttty comment that got flagged as likely not hijacked account. Off topic but interesting.


Ah ok, I got terribly confused, because the sam_lowry account seemed quite legit!


Apologies... But also: question everything. He he.


Isn't outsourcing essentially tax avoidance? Companies look for cheap labour overseas because they don't want to pay local rates, which typically include higher tax and the cost of adhering to any regulations. If a person tried to do this - for example outsourced their bank account to a tax haven and asked for their salary to be paid there - the authorities would be all over it. So now companies are not only not hiding the fact they are trying to bypass the system, they are also lobbying governments to make it easier! I don't believe for a second that there is no money under the table involved. Why otherwise would politicians choose to funk up the local population to appease a big corporation?

Bottom line is that outsourcing should only be possible if it was not possible to create a product locally or companies should pay any difference in tax locally, so that people who got put out of jobs because of this can at least get benefits.

And finally I don't understand why even discussing doing any deals with China does not amount to farting in a room.


Outsourcing is done for many reasons. Sometimes companies have more projects than staff and outsourcing offers them flexible bandwidth. The downside to this approach is that it puts stress on staff who have to train or maintain the outsourcer.


I would understand outsourcing to countries that value human rights, have workers' protections in place and so on. But simply going for the cheapest possible option, where you get forced labour and children making your product, is simply wrong and indefensible. We at least should lobby online and offline shops to show country of origin on the labels. I wish I could go on Amazon and have the ability to filter out anything that comes from China. If you want to buy something responsibly it is very time consuming, and some manufacturers go to great lengths to hide where their products are really made. Those people who exploited labour in Asia have now got filthy rich and they are in a position to shush any politician looking to put a stop to this or make sure such filters would not be implemented.



