If there is any finger to point, it's at KPN for hiring an untrusted contractor and giving them sensitive access.
That's incorrect. The report made by Capgemini stated that there were clear boundaries as to what Huawei was allowed to access but they violated those boundaries. Apparently also a list of numbers under surveillance by Dutch intelligence was found in possession of Huawei. Which was clearly well beyond those boundaries.
Just like a sysadmin can read the mail of the boss doesn't mean you're allowed to.
>Apparently also a list of numbers under surveillance by Dutch intelligence was found in possession of Huawei. Which was clearly well beyond those boundaries
Wouldn't the ones running the network need to know which numbers were under surveillance to provide the intelligence agency access?
"Ongecontroleerde en ongeautoriseerde toegang vanuit China heeft na 28 oktober 2009 daadwerkelijk plaatsgevonden"
which translates to
"Uncontrolled and unauthorized access from China actually took place after October 28, 2009"
> Wouldn't the ones running the network need to know which numbers were under surveillance to provide the intelligence agency access?
No. That data should only be on a server within the KPN network. Huawei employees had an office in a KPN building. There is no need for that data to ever leave that network.
That does not state Huawei is responsible for that event, it could be the security testing team.
If that would have been the case, it would have been the first thing they'd mention though.
Note: I'm a native Dutch speaker. So no translation required.
>The Capgemini report stated that Huawei staff, both from within KPN buildings and from China, could eavesdrop on unauthorized, uncontrolled, and unlimited KPN mobile numbers.
That quote clearly comes from the security testing team's report. It's not clear from the quote provided to me who is responsible for the "Uncontrolled and unauthorized access," but we know there was an ongoing security audit at the time mentioned.
It should be clear that unauthorized access is not from those doing the audit, but from Huawei. Why is that so hard to understand? Lol
Instead you're acting like I'm being dumb for not making baseless assumptions. The articles aren't titled "Huawei eavesdropped on KPN" for a reason.
With that access they could have done anything (e.g. eavesdropping).
Follow-up requests are currently happening by the Dutch government (other related news from today).
KPN also mentioned: currently they have no access. While the report states: they had access.
KPN mentioned that Huawei's employees with access were employed by KPN. Which could be correct, but it didn't explain access from China since those employees are employed in the Netherlands.
A bit of wordplay going around. That's true.
Huawei turns out to be gaining access to the core of the network from China, outside the procedure. KPN security staff know this is happening, but do nothing. 'Uncontrolled and unauthorized access from China actually took place after October 28, 2009', the report states in April 2010.
The researchers [from Capgemini] therefore ask the Chinese company who can access the data and how the encryption is arranged. 'Only after long insistence' is Huawei willing 'to provide clarity'. Huawei turns out to apply extremely weak encryption and to do the key management itself. Capgemini: 'As a result, numbers that are being tapped are known to Huawei'.
Edit: couldn't respond below. Source is the origin of all foreign news articles, it's the original newspaper that is in possession of the Capgemini report: https://www.volkskrant.nl/nieuws-achtergrond/huawei-kon-alle...
(Google cache is possible as a workaround, FYI)
Overall, it says the same "Huawei could have done something" as the other sources I've seen.
> The company gained unauthorized access to the heart of the mobile network from China.
... but then, in the very next sentence:
> How often that happened is not clear because it was not recorded anywhere.
This wording is a bit unclear. The first sentence states as a matter of fact that there was unauthorized access, while the second states that there are no records.
c.f. the Murray Gell-Mann Amnesia Effect.
From my perspective it does not make a lot of sense for Huawei or China to engage in overt spying at this stage of the game, even if (assuming the worst intentions) that is something they plan to do. Right now all of the incentives for that company are to gain the trust of customers during these early stages when everyone is looking for a reason to throw up protectionist barriers. A decade from now when Huawei systems are ubiquitous and the competition has largely been put out of business, then maybe the situation will be different. But why kill the golden goose by doing something stupid now?
That doesn’t mean there wasn’t bad behavior. Maybe people are behaving irrationally. But I tend to see sloppiness behind these stories rather than actual malice.
What makes you think these are "early stages"? AFAIK many telcos already use Huawei 4G equipment, though I can't find actual numbers for that. I'd say Huawei/China is already well positioned to abuse any backdoor access they have. The move to 5G could only expand this.
KPN is obviously in the wrong here since they can't prove whether there was unauthorized access or not, and speculation articles like this don't help. In any case, it doesn't seem like a good idea to give untethered access to a company accused of IP theft time and time again. Whether all those are PR smear campaigns or there's a real cause for concern is difficult to judge as an outsider, but given China's track record, I'm inclined to believe there's some truth in them.
We're at the peak of a massive international debate regarding the role of Huawei in Western communications networks. This is a debate that has already led to bans and restrictions on the deployment of Huawei equipment in 5G networks [0-3]. 5G buildouts are happening right now, and hence the political purchasing decisions (with a multi-decade impact) are happening now. I suspect that's why we're seeing things like TFA.
It seems to me that this would be the worst possible time for Huawei to get caught doing something unambiguously malicious. Right now Western networks could remove Huawei if they wanted to, or if politicians ban it. Ten years from now -- assuming Huawei "wins" in most Western nations -- it will be vastly more difficult to replace that equipment. If we imagine a 2035 where Huawei has dominated the US/European 5G market, I suspect that their European competitors will also be much weaker (or will have abandoned the field entirely), meaning that there really isn't much of an alternative.
So TL;DR I can't say that there is a good time to get caught spying, but there definitely is a bad time: and it's right now.
[3-N] Just search on "<European country> 5g Huawei debate"
There are a lot of unsubstantiated claims here. First of all, the stealing of IP. Next, that this is how Huawei got their break.
As far as I understand it, Huawei grew by developing cheap telephone switches in the 1980s and early 1990s, long before it had anything to do with Nortel. Huawei focused on relatively simple components that it could manufacture more cheaply than Western competitors, and it gained market share inside China. It only moved up the value chain as its revenue increased and it had more ability to spend on R&D. By the time Huawei was beginning to move into more advanced markets, Nortel was already a basket case.
The strange thing to me is that all these claims that Huawei made it because they supposedly stole from Nortel seem to have appeared in the 2010s, long after Nortel's demise, and they're incredibly vague. By contrast, analyses of Huawei's early history that I've seen barely mention Nortel: .
And then here's the key line:
> No one knows who managed to hack Nortel or where that data went in China.
This is all so vague, whereas the reasons for Huawei's growth and Nortel's demise are so much more concrete. For Huawei, the ability to capture a sizeable chunk of the market in China for cheap telephone switches, aided by its lower labor costs, better knowledge of the local market, and some level of protectionism. For Nortel, serious mismanagement and a financial scandal.
The thesis of the article, that economic espionage in the 2000s did in Nortel, is not plausible. It just looks like blame-shifting from a former Nortel employee, which Bloomberg decided to trumpet during a time (2000) when the US government was waging a major anti-Huawei campaign.
And yes, for most state-sponsored hacks it is difficult to figure out exactly the source and end use of the data. Look at what’s happening right now with the SolarWinds hack for instance.
Is the expectation that businesses are supposed to simply ignore the authority of the sovereign states they operate in? There seems to be a bit of circular logic going on here.
Perhaps not, but I try not to believe things just because they confirm my existing biases.
So you agree Huawei cannot be trusted. I think that is the whole point of the discussion.
Also, innocent until proven guilty should only apply to regular people, not state actors. Many historical events are only declassified after 50, 60 years, or never at all. Believing a story or not is your judgement, but asking for proof is either naive, or just looking for excuses.
I did not say that Huawei is not spying, maybe they do, but I am still waiting for the evidence. Similar to how I wait for evidence that Google is reading our politicians' emails and blackmailing them - it is not enough to hear some conspiracy and then upvote it like a tool because I hate Huawei or Google.
Not sure why Huawei is unique here.
Of course. But, security posture is an important thing to consider. This may be an obvious thing to many people on this forum, but it is not obvious to much of the general public.
First of all, it's not a spinoff. KPN hid the report because it was afraid for its existence.
Second is that Huawei could listen to KPN's internal communications (= their network), which includes a lot of government calls.
As far as I'm aware, practically every European telco hires Huawei engineers to maintain their infrastructure in this way. It's therefore not reasonable to call them an untrusted contractor, as they are evidently very trusted.
"Huawei also knew which numbers were tapped by police and intelligence services."
Massive boon to the CCP IC to have access to a foreign country's ongoing investigations etc. (the CFO detained in Canada comes to mind, but the potential is much bigger than this)
If someone gets pickpocketed on the subway, saying "You should have protected yourself better" is victim blaming, sure. But if someone doesn't get pickpocketed and then points out how there was a foreigner sitting right next to them who could, theoretically, have pickpocketed them, should they have chosen, and while the foreigner didn't pickpocket them this time, you know how those foreigners are... then "Why didn't you just get up and sit somewhere else if he bothered you" is a particularly polite form of what you perhaps ought to tell them.
So there is no story, but a potential story on a potential (fill in the blanks)
> The Capgemini report stated that Huawei staff, both from within KPN buildings and from China, could eavesdrop on unauthorized, uncontrolled, and unlimited KPN mobile numbers. The company gained unauthorized access to the heart of the mobile network from China. How often that happened is not clear because it was not recorded anywhere.
So you outsourced some services as many companies do and failed to keep tabs on it, just like many companies do.
Forgetting to audit outsourced work is extremely prevalent.
> Based on the Capgemini report, KPN decided to refrain from outsourcing the full maintenance of the mobile core network. To this day, the telecom company maintains its mobile core network itself, with the help of Western suppliers. To tackle the risks in the systems of the network, KPN said it was implementing an improvement plan.
A report by Capgemini, a leading Western supplier for outsourced personnel to telecommunications companies. No conflict of interest there.
The report contains the sentence
KPN has zero incentive to admit to anything and every incentive to deny everything. I'd take such a PR statement with a grain of salt.
Way to bury the lede! 
There are two main concerns at play here that are very different: consumer privacy and national security.
The consumer privacy concerns are generally subject to regulation by law, but national security concerns often are extralegal in nature. This makes a big difference in the availability of tools to address the problems. Google will follow your laws or pay fines until they comply. Spies won't.
I'm sorry, are you just completely ignorant of everything that's happening across the globe? If so, why are you even commenting?
China routinely harasses, threatens, and then acts on threats given to human rights activists and expats. Chinese citizens that speak with reporters and human rights activists are put at severe risk because people like you are fine with letting Chinese technology infiltrate all aspects of your infrastructure.
Your ignorance is malicious.
The sentence you are quoting is not me questioning the importance of the issue, I am suggesting that there are two separate concerns at play which are both important.
For what it's worth, GDPR fines have been handed out for missing access restrictions, e.g. for sensitive data not having or checking audit logging and applying 2FA. Though I do agree it makes for a more lousy news story than if it had happened.
Rather, Western leaders no longer have the willingness or belief that we can compete in tech with China (on the contrary, we can and should), so they've given up and thrown a tantrum, screaming 'no fair no fair, they steal our IP', which is predictable, given that Western corporate leaders have outsourced all manufacturing to China...dumb.
There are real issues to criticize with China, and Huawei is not the worst one.
But, you don't need "proof" of spying to recognize that it's high risk to put someone in a high-trust role if they are beholden to competing interests. The competing interests themselves are enough to establish the existence of risk.
You're right that many people who outsourced to China previously wrote off all these risks as unimportant and later cried foul when their IP was stolen... this discussion is 20 years too late, and people still think the evidence isn't strong enough.
If you think that Chinese companies stealing your widget design is bad, wait until they put sanctions on your country's critical infrastructure's IT vendors. I'm sure Taiwan isn't waiting around for any "proof" of Chinese spying. When the proof comes it'll be too late.
Give me one concrete example from a reputable source. I'll PayPal you $20 (gift option); look at my profile to get my contact information.
I ask for a concrete example from a reputable source.
If I trust online content, I might as well believe Trump is right about calling it the Chinese virus.
"The problem is that the fake products today, they have better quality, a better price than the real product, than the real names," Ma said in a speech at Alibaba's investors day in the southern Chinese city of Hangzhou on Tuesday. "They're the same exact factories, the same exact raw materials, but they do not use that (brand) name," he added.
Or maybe, a study from MIT, with a couple specific examples and a number of links to more detail?
Also, there have been plenty of stories on HN where American businesses are ripped off by China knockoffs and there’s no way to really sue them or stop them in court. China has its claws in everything.
Everything that’s based out of China should be considered an entity working for the government. Even Huawei
Taking good ideas and improving them is - and will always be - the fundamental cornerstone of human development. That's why "ripping off" more advanced competitors worked out well for the US when they did it, it worked out well for Japan when they did it, it's working out well for China now that they're doing it, and it will work out well for whoever decides to work hard next.
Do you know what isn't fundamental to human development? Made-up concepts like intellectual "property" that only serve the stagnant that aim to rent-seek (and not innovate). These concepts are what lulled the US into a false sense of security and allowed China to excel.
The reality of the matter is that IP laws are nonsense. They only serve to hold back those it binds. Instead of being upset when other people don't play by your made-up rules, you should work harder and become competitive again.
Disclosure: I have no love for China. It is a horrible country with disgustingly abhorrent views. That said, I don't think we should put our collective heads in the sand and avoid addressing the giant elephant thrashing in our room.
The famous “friend” who can corroborate any statement without being humiliated after being harshly refuted...
If you think CCP is so rich that they can hire enough people to make sense of the code of all businesses in China, then you might as well outsource all your IT development to CCP, because AFAIK, CCP government employees and contractors are dirt cheap...
I do agree that manufacturing should come back on-shore to close that gap at least.
Especially with modern, acculturated tech, the democratic world ought to be doing acrobatic flips and twists off each and every "where'd Jack Ma go" springboard news event that comes out of modern China. Those are leverage points, they are the dragon's missing armor plates.
Tech comparison alone though...if you make it out to be a logistics-only game, as many in government do, then I can see why things would get depressing fast. Tech & culture integration is a huge accomplishment of the modern world and we ought to leverage it, even in the service of shoring up or solving logistics issues.
What really happened is that western countries and corporations didn't care _enough_ about China because China wasn't that powerful/influential. Now that China is powerful/influential, the era of just signing on the dotted line or not pushing back is over.
Banning Huawei _is_ competing. See Lotte Mart's fate in China.
In realism (as in realism theory of international relations) they are the same thing. You should prevent a rival from having the capability to harm you if you can, not let them develop the capability to harm you and hope that they don't.
You are right; atm "Western leaders" only care and dare to point fingers at things in their evidence and interest, when this pandemic is still rampaging after a year and getting worse in some countries despite the use of vaccines (made in China). Huawei is not the worst one to criticize and confront CCP with.
Without any evidence that any wiretaps actually occurred, I'm afraid this is just fearmongering...
Was this actually used to gain unauthorized access to information? Maybe, maybe not. It was still bad to grant this access in the first place, and arguably the only reason it didn't lead to unauthorized access is because action was taken. "We let a known serial killer loose but he didn't kill anyone" is still pretty bad.
Also that this was kept secret for 12 years doesn't exactly inspire confidence.
Dupe : https://news.ycombinator.com/item?id=26842733 ( 65 comments )
<<Huawei denies that claim and issued a statement Wednesday saying the company "has never and will never covertly access telecom networks, nor do we have the capability to do so.">>
The report on KPN proves that they have the "capability" and they know it!
And a few days ago, Cisco was found to have a bug in their routers for small businesses that led to remote code execution. https://portswigger.net/daily-swig/cisco-router-flaws-left-s...
"Huawei says it never acted inappropriately by abusing its position in the Netherlands. KPN says in a response that it has no indications that lines were tapped or that customer data was stolen."
Key points, from top to bottom:
- When a daughter company of KPN was looking for a new customer management system, Huawei's price was only 25% that of the competition. This was so low that employees initially thought it was a mistake.
- In 2009, KPN wants to reduce the cost of managing the mobile network by outsourcing it to Huawei. It asked Capgemini to analyze the risks, which is the now-leaked report.
- The results are alarming enough that they are declared secret. Literally, "if those results were to become public, there will be a mass exodus among companies and governmental organisations to other providers. The existence of KPN as a whole would be seriously threatened".
- The core network is managed by Chinese citizens from a dedicated room in The Hague.
- Access from China is possible, but strictly limited. It requires explicit permission from the KPN NOC, who are supposed to provide temporary access.
- Unauthorized and uncontrolled access from China has been detected after 28 October 2009.
- The KPN network has a wiretapping system. A record of phone numbers being tapped is kept on a secure server. This server is managed by Huawei, who refuse to provide information about who has access to it and how it is secured. After a lot of pressure, they discover that this security is extremely weak and that Huawei has full control over it - meaning that Huawei has full knowledge of all numbers being wiretapped by the police and intelligence agencies.
- The six Chinese employees use a tool which allows them to listen to any phone call on the network. This is in direct violation of the law and it violates the agreement between Huawei and KPN. They can use this tool without anyone at KPN being made aware of it.
- Huawei is supposed to have access to second-long snippets for quality assurance. In practice, they had full access to all phonecalls. KPN had no way of knowing what they were doing.
- The tool used has no record keeping and the interface is in Chinese, meaning nobody is able to understand what they are doing.
So yeah, yikes.
This is way beyond admins having admin access. This is Huawei having unlimited access far beyond what they are supposed to, and evidence of this access being actively misused. It's not just the regular propaganda.
KPN should be administering their own equipment.
I'm sure the Chinese spies made off with some stuff that they shouldn't have because they'd be stupid not to - but if anything this sounds so brazen that I assume the access was mostly for routine tech support. KPN clearly needs some help with their IT.
In this article 'wiretapped' means that they had uncontrolled and unlimited access to all conversations. The problem isn't so much that it could have happened but that it might have happened.
But it's not really news that spy agencies spy. Although maybe a little bit that NSA was spying on Germans, but that's probably not really news either, even for the Germans.
But if a private corp. doing contract work for another entity spies - and when the ownership of that corp is tied to the government - that's news.
The question marks as to whether this was merely 'Huawei as admins have access' or 'Huawei has access and abused it' ... is the highly relevant issue that needs to be fully sorted out.
Maybe the real issue is, that US intelligence agencies are not able to force Huawei to add backdoors into their equipment.
How is this even sensible and there is no way the Chinese government will ever let a non Chinese firm control their infrastructure so why is this not stopped. What politicians are making money on this?
What made this event particularly memorable, in addition to the fact that Yue Fei was considered a patriot; was that Qin Hui had blatantly responded to questions of how can you prove your accusations?
Qin Hui's reply:
Yue Fei, when given, the right power, probably would commit those wrongdoings.
This is called 莫须有 .
You know why Chinese are not as angry as an American could be on Huawei's situations? Because everyone understands this is a political conflict. For this type of conflicts, only true power and strength can get any answer. Talking is not only futile, it's countereffective.
You manage to generate completely nonsensical gibberish in a very short sentence:
> having poor track record of intellectual theft
You are saying CCP did a poor job of stealing IP? Or you are saying CCP had done well in stealing IP?
If the latter, where is your evidence? CCP uses market coercion to force IP transfer, that's a well known practice. But where is the state-sponsored IP theft?
> CCP having clear conflicts of interest with the countries Huawei is doing business with.
Obama called for G2 in , that's some serious recognition of the common interests between US and China. Right before Trump, you can find overwhelming official documents calling the Sino-US relationship an overall positive one.
So suddenly, CCP becomes the bad guy because CCP had lots of conflicting interest?
And, for all the conflicting interests, other than the unfounded cyber security nonsense, what are the interests that huawei had a stake in?