Hacker News new | past | comments | ask | show | jobs | submit login
Huawei was able to eavesdrop on Dutch mobile network KPN: Report (nltimes.nl)
254 points by miohtama 7 months ago | hide | past | favorite | 131 comments



The spin on this situation is dumb. What it amounts to is that KPN hired Huawei on a contract basis to administer its equipment, and as a result those contract administrators had... administrator privileges on the Huawei equipment. Now, obviously telco equipment can be used for spying, but there's absolutely no allegation of wrongdoing here at all.

If there is any finger to point, it's at KPN for hiring an untrusted contractor and giving them sensitive access.


> Now, obviously telco equipment can be used for spying, but there's absolutely no allegation of wrongdoing here at all.

That's incorrect. The report made by Capgemini stated that there were clear boundaries as to what Huawei was allowed to access but they violated those boundaries. Apparently also a list of numbers under surveillance by Dutch intelligence was found in possession of Huawei. Which was clearly well beyond those boundaries.

Just like a sysadmin can read the mail of the boss doesn't mean your allowed to.


Though I can't read the actual report, this article does not support your claims.

>Apparently also a list of numbers under surveillance by Dutch intelligence was found in possession of Huawei. Which was clearly well beyond those boundaries

Wouldn't the ones running the network need to know which numbers were under surveillance to provide the intelligence agency access?


The original source[0] definitely supports those claims.

"Ongecontroleerde en ongeautoriseerde toegang vanuit China heeft na 28 oktober 2009 daadwerkelijk plaatsgevonden"

which translates to

"Uncontrolled and unauthorized access from China actually took place after October 28, 2009"

> Wouldn't the ones running the network need to know which numbers were under surveillance to provide the intelligence agency access?

No. That data should only be on a server within the KPN network. Huawei employees had an office in a KPN building. There is no need for that data to ever leave that network.

[0]: https://www.volkskrant.nl/nieuws-achtergrond/huawei-kon-alle...


>Uncontrolled and unauthorized access from China actually took place after October 28, 2009"

That does not state Huawei is responsible for that event, it could be the security testing team.


I work at a company that has a sister entity in China. We routinely have to defend against their deliberate, concerted efforts to breach the various firewalls we've erected to keep the networks separate. These are almost always billed as "security scans"--but there's no good reason for them.


We're discussing a report from a team hired to do a security audit, that would certainly qualify as a good reason for them.


Depends on the scope and intent. If they're anything like our China partner, the scope is far outside the contract and the intent is pretty clearly nefarious. They act like we're too stupid to understand or recognize what they're doing, too.


Hackers could always claim they were security testing :)

If that would have been the case, it would have been the first thing they'd mention though.


It was? Those words came from the report done by the security testing team.


Copy the lines + link that state that please. That's not my observation.

Note: i'm a native dutch speaker. So no translation required.


From the original link

>The Capgemini report stated that Huawei staff, both from within KPN buildings and from China, could eavesdrop on unauthorized, uncontrolled, and unlimited KPN mobile numbers.

That quote clearly comes from the security testing team's report. It's not clear from the quote provided to me who is responsible for the "Uncontrolled and unauthorized access," but we know there was an ongoing security audit at the time mentioned.


Capgemini did the audit, not Huawei who had uncontrolled access.

It should be clear that unauthorized access is not from those doing the audit, but from Huawei. Why is that so hard to understand? Lol


Why should it be clear? What evidence do you have? I can't read the report, you could easily find where they say "Huawei was responsible for the unauthorized access" that for some reason the articles don't directly quote.

Instead you're acting like I'm being dumb for not making baseless assumptions. The articles aren't titled "Huawei eavesdropped on KPN" for a reason.


Unauthorized access was detected from China outside of the procedure.

With that access they could have done anything ( eg. eavesdropping ).

Follow up requests are currently happening by the Dutch government ( other related news from today).

KPN also mentioned: currently they have no access. While the report states: they had access.

KPN mentioned that Huawei's employees with access were employed by KPN. Wick could be correct, but it didn't explain access from China since those employees are employed in the netherlands.

A bit of wordplay going around. That's true.

--

Capgemini:

Huawei blijkt zich buiten de procedure om vanuit China toegang tot de kern van het netwerk te verschaffen. Veiligheidsmensen van KPN weten dat dit gebeurt, maar doen niets. ‘Ongecontroleerde en ongeautoriseerde toegang vanuit China heeft na 28 oktober 2009 daadwerkelijk plaatsgevonden’, vermeldt het rapport in april 2010. [...] De onderzoekers [van Capgemini] vragen het Chinese bedrijf daarom wie bij de gegevens kan en hoe de versleuteling is geregeld. ‘Pas na lang aandringen’ is Huawei bereid ‘duidelijkheid te verschaffen’. Huawei blijkt een uiterst zwakke versleuteling toe te passen en zelf het sleutelbeheer te doen. Capgemini: ‘Daarmee zijn nummers die onder de tap staan bekend bij Huawei’.

Edit: couldn't respond below. Source is the origin of all foreign news articles, it's the original newspaper that is in possession of the Capgemini report: https://www.volkskrant.nl/nieuws-achtergrond/huawei-kon-alle...

( Google cache is possible as a workaround fyi)


Where is this Capgemeni statement from? It's extremely strange that they make several accusations yet the only part that's actually from the report is the same quote mentioned before. The [...] also moves on to a completely new topic.

Overall, it says the same "Huawei could have done something" as the other sources I've seen.


The article says:

> The company gained unauthorized access to the heart of the mobile network from China.

... but then, in the very next sentence:

> How often that happened is not clear because it was not recorded anywhere.

This wording is a bit unclear. The first sentence states as a matter of fact that there was unauthorized access, while the second states that there are no records.


I read it as meaning they had access (i.e. they could access it), but we don't know if they did access it.


You'd be better advised to read it as: journalists have no idea what they're describing, and mash together words without nuanced regard to what the facts may be.

c.f. the Murray Gell-Mann Amnesia Effect.


"The company" could refer to either Huawei or Capgemeni in that sentence, and Capgemeni makes the most sense given the following sentence.


That is not conflicting. "did they" and "how often" are two different questions. Metadata can and often does indicate the fact that something was accessed but not how often. For example, the "last modified" user/timestamp on a file.


It might mean not officially recorded anywhere, like an intelligence agency gave them a heads up about it, but the network admins at the company didn't see anything with their monitoring software.


Or the admins saw it once and then revoked privileges - you know it happened at least once and probably more, but you don't know how many more.


It could be done at arms length through an API. Then it would become an issue of reading data they shouldn’t be.


Wouldn't that API then just give someone else (presumably the intelligence agency) unrestrained access to all phone lines? Someone outside should be responsible for providing access, you can argue Huawei shouldn't have been chosen but I find it hard to blame them for doing their job.


Unless people inventing such API thought that the domestic telco equipment will be operated by foregin companies. And I somehow suspect they've thought exactly the opposite: that they can rely on domestic providers be domestic firms, easily supervised by the domestic law enforcement agencies.


Could also be possession of database with intent to select.


I feel we need to read all these stories with a skeptical eye because, frankly, Huawei's become a political football, and there is a very strong motivation to cast events in the most unfavorable light possible by officials who are working backwards from the conclusion. Perhaps they do have some kind of spying master plan but I have found a lot of the fanfare for these stories hasn't held up to scrutiny.


I agree that there is a lot of spin on these stories: efforts to paint bad and sloppy network security decisions as evidence of actual malice. I am sympathetic to the national security agencies who are likely driving this reporting, though. Giving untrusted foreign companies access to your communications infrastructure is generally a bad idea, and the evidence (from Western countries’ own actions) is that this kind of access will eventually be abused. But the problem is that there appears to be an effort to paint these security screwups as something more concretely malicious than they are, in order to sway public opinion.

From my perspective it does not make a lot of sense for Huawei or China to engage in overt spying at this stage of the game, even if (assuming the worst intentions) that is something they plan to do. Right now all of the incentives for that company are to gain the trust of customers during these early stages when everyone is looking for a reason to throw up protectionist barriers. A decade from now when Huawei systems are ubiquitous and the competition has largely been put out of business, then maybe the situation will be different. But why kill the golden goose by doing something stupid now?

That doesn’t mean there wasn’t bad behavior. Maybe people are behaving irrationally. But I tend to see sloppiness behind these stories rather than actual malice.


> Right now all of the incentives for that company are to gain the trust of customers during these early stages when everyone is looking for a reason to throw up protectionist barriers.

What makes you think these are "early stages"? AFAIK many telcos already use Huawei 4G equipment, though I can't find actual numbers for that. I'd say Huawei/China is already well positioned to abuse any backdoor access they have. The move to 5G could only expand this.

KPN is obviously in the wrong here since they can't prove whether there was unauthorized access or not, and speculation articles like this don't help. In any case, it doesn't seem like a good idea to give untethered access to a company accused of IP theft time and time again[1]. Whether all those are PR smear campaigns or there's a real cause for concern is difficult to judge as an outsider, but given China's track record, I'm inclined to believe there's some truth in them.

[1]: https://www.forbes.com/sites/zakdoffman/2019/05/25/huawei-ac...


>What makes you think these are "early stages"? AFAIK many telcos already use Huawei 4G equipment, though I can't find actual numbers for that. I'd say Huawei/China is already well positioned to abuse any backdoor access they have. The move to 5G could only expand this.

We're at the peak of a massive international debate regarding the role of Huawei in Western communications networks. This is a debate that has already led to bans and restrictions on the deployment of Huawei equipment in 5G networks [0-3]. 5G buildouts are happening right now, and hence the political purchasing decisions (with a multi-decade impact) are happening now. I suspect that's why we're seeing things like TFA.

It seems to me that this would be the worst possible time for Huawei to get caught doing something unambiguously malicious. Right now Western networks could remove Huawei if they wanted to, or if politicians ban it. Ten years from now -- assuming Huawei "wins" in most Western nations -- it will be vastly more difficult to replace that equipment. If we imagine a 2035 where Huawei has dominated the US/European 5G market, I suspect that their European competitors will also be much weaker (or will have abandoned the field entirely), meaning that there really isn't much of an alternative.

So TL;DR I can't say that there is a good time to get caught spying, but there definitely is a bad time: and it's right now.

[0] https://www.bbc.com/news/newsbeat-47041341 [1] https://www.telecompaper.com/news/dutch-mps-call-for-more-cl... [2] https://www.reuters.com/article/us-france-huawei-5g-security... [3-N] Just search on "<European country> 5g Huawei debate"


Part of what made the US hit the panic button was that Huawei was poised to be the premier maker of 5G equipment all over the world.


This is something that irks me as well. Every time Huawei is mentioned in a conversation, the topic of spying is inevitably brought up, but as far as I know there has been no concrete case found that they did indeed do any kind of spying act through their equipment. If someone can actually link me something that can prove this claim I would be very interested to read it.


Reminds me a bit of the Bloomberg saga also, where theoretical compromises were somehow "confused" for real ones when a journalist talked to a spook: https://9to5mac.com/2021/02/15/bloomberg-spy-chip-2/


Understand that feeling but Huaweis existence is born from corporate espionage stealing IP from Nortel networks in the 00s. Not a great starting point for a company and it really doesn’t take much of a stretch to see the concern about Chinese party wanting to spy on the rest of the world given the lack of freedom of their own people...


That's just not true. Nortel collapsed due to its own terrible management, including a massive accounting scandal. Years later, a former Nortel exec tried to pin the blame on Chinese hackers.


Nortel collapse has many reasons that I am not debating. The stealing of IP and then undercutting the bids of Nortel with the same tech but cheaper is where Huawei got their break. My point is if thats a starting point as a company what kind of culture is breed from it and what does that say about the current situation


> The stealing of IP and then undercutting the bids of Nortel with the same tech but cheaper is where Huawei got their break.

There are a lot of unsubstantiated claims here. First of all, the stealing of IP. Next, that this is how Huawei got their break.

As far as I understand it, Huawei grew by developing cheap telephone switches in the 1980s and early 1990s, long before it had anything to do with Nortel. Huawei focused on relatively simple components that it could manufacture more cheaply than Western competitors, and it gained market share inside China. It only moved up the value chain as its revenue increased and it had more ability to spend on R&D. By the time Huawei was beginning to move into more advanced markets, Nortel was already a basket case.

The strange thing to me is that all these claims that Huawei made it because they supposedly stole from Nortel seem to have appeared in the 2010s, long after Nortel's demise, and they're incredibly vague. By contrast, analyses of Huawei's early history that I've seen barely mention Nortel: [1].

1. https://csis-website-prod.s3.amazonaws.com/s3fs-public/legac...


I think this article sums it up effectively. Economic espionage on the behalf of state funding the company and corporate espionage state sponsored hacking of Nortel from 2000 to 2009 and then hiring 20 scientists from Nortel. My argument isn't about Nortel its about the behavior of Huawei and why it isn't a trusted company.

https://www.bnnbloomberg.ca/did-a-chinese-hack-kill-canada-s...


Poaching employees from a competitor is not economic espionage. It's extremely common.

And then here's the key line:

> No one knows who managed to hack Nortel or where that data went in China.

This is all so vague, whereas the reasons for Huawei's growth and Nortel's demise are so much more concrete. For Huawei, the ability to capture a sizeable chunk of the market in China for cheap telephone switches, aided by its lower labor costs, better knowledge of the local market, and some level of protectionism. For Nortel, serious mismanagement and a financial scandal.

The thesis of the article, that economic espionage in the 2000s did in Nortel, is not plausible. It just looks like blame-shifting from a former Nortel employee, which Bloomberg decided to trumpet during a time (2000) when the US government was waging was a major anti-Huawei campaign.


Probably all of our point are true to a point and all contribute. Again I’m not arguing about nortels downfall (which you seem to be focused on maybe because that is a lot easier to discuss than huaweis trustworthiness), I’m pointing to why Huawei is not a trusted company. If you can convince me of it’s trustworthiness please do - otherwise I will rely on the multiple sources of material that seem to point to its connections to the Chinese government.

And yes most state sponsored hacks are difficult to figure out exactly the source and end use of the data. Look at what’s happening right now with the solar winds back for instance.


> otherwise I will rely on the multiple sources of material that seem to point to its connections to the Chinese government

Is the expectation that businesses are supposed to simply ignore the authority of the sovereign states they operate in? There seems to be a bit of circular logic going on here.


Agreed. You’ve proven my point. The trustworthiness of Huawei is interwoven with their government which has proven to be untrustworthy and one which I wouldn’t want to build critical intelligence infrastructure upon.


> it really doesn’t take much of a stretch to see the concern about Chinese party wanting to spy on the rest of the world given the lack of freedom of their own people

Perhaps not, but I try not to believe things just because they confirm my existing biases.


I agree - it is a dangerous precedent to set. I do think that with large infrastructure purchases and installations you really have to go in with open eyes -- it's very difficult to undo those kind of purchases. Probably make sense to use trusted providers.


> for hiring an untrusted contractor

So you agree Huawei cannot be trusted. I think that is the whole point of the discussion.


Not OP, but must probably this is just part of the anti-China propaganda , I think it started with the false accusations from Bloomberg... so I expect that any Huawei related news is false until some actual evidence is presented to the police or something.


Huawei doesn't really deserve the benefit of the doubt, a lot of their early success was due to hacking Cisco and Nortel then building competing products based on stolen information, all while the Chinese government was restricting non-Chinese telecom vendors from operating in the country.


I personally don't like to be manipulated by media. So for this case I am just saying be aware not to be a tool/pawn is some big player's game, I suggest you either do more digging , wait for some real evidence - but downvote if the mention of the Bloomberg fake article or innocent until proven guilty is a something wrong that needs to be hidden.


You're contradicting yourself here, as you don't want to be manipulated but are already convinced that this is part of anti-China propaganda.

Also, innocent until proven guilty should only apply to regular people, not state actors. Many historical events are only declassified after 50, 60 years, or never at all. Believe a story or not is your judgement, but asking for proofs are either naive, or just looking for excuses.


I mean the title and the content do not match . So the title was created to push a certain agenda , so what? is it propaganda or just the old pure evil capitalism that pushed the editor to change the title into some false accusations?

I did not said that Huawei is not spying, mayb ethey do but I am still waiting for the evidence. Similar on how I wait for evidence that Google is reading our politicians emails and blackmailing them - is not enough to hear some conspiracy and then upvote it like a tool because I hate Huawei or Google.


You shouldn't trust any provider under the jurisdiction of an anti-liberty nation-state: https://en.wikipedia.org/wiki/Room_641A

Not sure why Huawei is unique here.


The US and the Netherlands are both allied members of NATO. That's why Huawei is a different story.


Are you saying it's worse for China to (be granted sufficient access by the Netherlands that, in theory, if they wished to abuse that access, they could) spy on communications in the Netherlands than for the US to spy on communications in the US?


I'm saying that the it's a reductionist oversimplification to say that it doesn't matter who the Netherlands picks for their telecom infrastructure because "everyone spies". Different countries have different relationships with each other, and the entire point of an alliance is to cooperate and establish trust.


From a NATO point of view yes. China spying on the Netherlands would be worse than the US spying on itself.


I can't speak for the OP, but I'd say that, yes. The US's spying activity is an overreach (to put it mildly) and I don't agree with the extent or purpose in many cases. We also don't really have a well functioning democracy, in my opinion, due to the capture of the government by private corporations. But what we do have is still a democracy, and it is absolutely lightyears above and beyond the genocidal, anti-liberty government of China.


And that's pretty much the situation of every telecom in europe and probably many more countries https://berthub.eu/articles/posts/5g-elephant-in-the-room/


Even if they are at fault for not doing their due diligence that doesn't remove the fault of someone spying


What's upsetting is that these organizations are given exclusive use of something that is essentially public (certain electronic sounds in the air) and they were very careless with it. It has nothing to do with Huawei and everything to do with KPN (and most other telcos) being negligent.


> Now, obviously telco equipment can be used for spying, but there's absolutely no allegation of wrongdoing here at all.

Of course. But, security posture is an important thing to consider. This may be an obvious thing to many people on this forum, but it is not obvious to much of the general public.


Well, what you just read is a counter-propaganda piece, so that’s no surprise that it was spun that way.


That's not what it's saying ( i speak dutch)

First of all, it's not a spinoff. KPN his the report because it was afraid for it's existence.

Second is that Huawei could listen to KPN'S internal communications ( = their network) that includes a lot of government calls.


> untrusted contractor

As far as I'm aware, practically every European telco hires Huawei engineers to maintain their infrastructure in this way. It's therefore not reasonable to call them an untrusted contractor, as they are evidently very trusted.


it is a very big deal since none of these people are LEO's:

"Huawei also knew which numbers were tapped by police and intelligence services."

massive boon to the CCP IC to have access on a foreign's country ongoing investigation etc. (the in Canada detained CFO comes to mind but the potential is much bigger than this)


Your comment sound kind of like victim blaming.


If there was no actual spying, then there's no victim.

If someone gets pickpocketed on the subway, saying "You should have protected yourself better" is victim blaming, sure. But if someone doesn't get pickpocketed and then points out how there was a foreigner sitting right next to them who could, theoretically, have pickpocketed them, should they have chosen, and while the foreigner didn't pickpocket them this time, you know how those foreigners are... then "Why didn't you just get up and sit somewhere else if he bothered you" is a particularly polite form of what you perhaps ought to tell them.


< KPN says in a response that it has no indications that lines were tapped or that customer data was stolen.

So there is no story, but a potential story on a potential (fill in the blanks)

< The Capgemini report stated that Huawei staff, both from within KPN buildings and from China, could eavesdrop on unauthorized, uncontrolled, and unlimited KPN mobile numbers. The company gained unauthorized access to the heart of the mobile network from China. How often that happened is not clear because it was not recorded anywhere.

So you outsourced some services as many companies do and failed to keep tabs on it, just like many companies do.

Forgetting to audit outsourced work is extremely prevalent.

< Based on the Capgemini report, KPN decided to refrain from outsourcing the full maintenance of the mobile core network. To this day, the telecom company maintains its mobile core network itself, with the help of Western suppliers. To tackle the risks in the systems of the network, KPN said it was implementing an improvement plan.

A report by Capgemini, a leading Western supplier for outsourced personnel to telecommuncations companies. No conflict of interest there.


As the original article[0] states, the report explicitly says that public knowledge of the report would threaten the existance of KPN due to the massive loss of trust in the company.

The report contains the sentence

"Ongecontroleerde en ongeautoriseerde toegang vanuit China heeft na 28 oktober 2009 daadwerkelijk plaatsgevonden"

which translates to

"Uncontrolled and unauthorized access from China actually took place after October 28, 2009"

KPN has zero incentive to admit to anything and every incentive to deny everything. I'd take such a PR statement with a grain of salt.

[0]: https://www.volkskrant.nl/nieuws-achtergrond/huawei-kon-alle...


> A report by Capgemini, a leading Western supplier for outsourced personnel to telecommuncations companies. No conflict of interest there.

Way to bury the lede! [1]

[1] https://en.wikipedia.org/wiki/Capgemini


We have another thread actively discusses potential issues with Google's FloC [0], which is only a proposal at this time, no harm done yet. Do you think Huawei/China is less of a potential thread than Google? If not why do you think there is no story here?

[0] https://news.ycombinator.com/item?id=26854073


...a threat to who, and for what?

There are two main concerns at play here that are very different: consumer privacy and national security.

The consumer privacy concerns are generally subject to regulation by law, but national security concerns often are extralegal in nature. This makes a big difference in the availability of tools to address the problems. Google will follow your laws or pay fines until they comply. Spies won't.


>...a threat to who, and for what?

I'm sorry, are you just completely ignorant of everything that's happening across the globe? If so, why are you even commenting?

China routinely harasses, threatens, and then acts on threats given to human rights activists and expats. Chinese citizens that speak with reporters and human rights activists are put at severe risk because people like you are fine with letting Chinese technology infiltrate all aspects of your infrastructure.

Your ignorance is malicious.


You completely misinterpreted what I was suggesting.

The sentence you are quoting is not me questioning the importance of the issue, I am suggesting that there are two separate concerns at play which are both important.


> So there is no story, but a potential story on a potential

For what it's worth, GDPR fines have been handed out for missing access restrictions, e.g. for sensitive data not having or checking audit logging and applying 2FA. Though I do agree it makes for a more lousy news story than if it had happened.


American, here. Given that there is no hard proof that Huawei actually spies on their customers and that Huawei critics use the same talking points in the media to criticize Huawei and China, I am starting believe that this is not about China as a threat. That they could be a threat is not the same as the being a threat.

Rather, Western leaders no longer have the willingness or belief that we can compete in tech with China (on the contrary, we can and should), so they've given up and threw a tantrum, screaming 'no fair no fair, they steal our IP', which is predictable, given that Western corporate leaders have outsourced all manufacturing to China...dumb.

There are real issues to criticize with China, and Huawei is not the worst one.


I agree that Huawei is not the worst issue to criticize China on.

But, you don't need "proof" of a spying to recognize that it's high risk to put someone in a high-trust role if they are beholden to competing interests. The competing interests themselves are enough to establish the existence of risk.

You're right that many people who outsourced to China previously wrote off all these risks as unimportant and later cried foul when their IP was stolen... this discussion is 20 years too late, and people still think the evidence isn't strong enough.

If you think that Chinese companies stealing your widget design is bad, wait until they put sanctions on your countries critical infrastructure's IT vendors. I'm sure Taiwan isn't waiting around for any "proof" of Chinese spying. When the proof comes it'll be too late.


> outsourced to China previously wrote off all these risks as unimportant and later cried foul when their IP was stolen

Give me one concrete example from a reputable source. I'll PayPal you $20 (gift option) look my profile to get my contact information.


I’m not exactly sure what you’re challenging, or what is controversial about my statement. Counterfeiting and IP theft is a approaching (if not already, by some estimates) a trillion dollar industry. A lot of it is something as simply as “third shift/ghost shift” products, rejected manufacturing samples, QA rejects being sold out the back door, etc. If you want some articles about supply chain risk management in China, I’m sure I can dig some up.


I do not challenge.

I ask for a concrete example from reputable source.

If I trust online content. I might as well believe Trump is right about calling Chinese virus.


Would you believe the words of Jack Ma himself?

"The problem is that the fake products today, they have better quality,a better price than the real product, than the real names," Ma said in a speech at Alibaba's investors day in the southern Chinese city of Hangzhou on Tuesday. "They're the same exact factories, the same exact raw materials, but they do not use that (brand) name," he added.

https://sg.style.yahoo.com/style/french-hit-alibaba-founder-...

Or maybe, a study from MIT, with a couple specific examples and a number of links to more detail?

https://sloanreview.mit.edu/article/protecting-intellectual-...


User kube-system delivered concrete examples from reputable sources further down the thread. Could you now please post concrete proof of having sent your paypal gift?


I don’t want anyone’s money. I’m just here for discussion.


Do you even know how businesses are supposed to operate in China if they’re from the outside? My understanding from a security friend is there are all these hurdles and the Chinese government wants access to networks and source code for anything that’s operating within the country.

Also, there have been plenty of stories on HN where American businesses are ripped off by China knockoffs and there’s no way to really sue them or stop them in court. China has its claws in everything.

Everything that’s based out of China should be considered an entity working for the government. Even Huawei


Since these companies operate only with the blessing of the CCP and are under its control, they all should be considered foreign agents when conducting business outside of china.


You also described America, circa-1800s.


We're living now, not in the 1800s. That may be historically interesting, but not that much interesting beyond that. It's not about who's "good" and who's "evil", now or then.


I think GP's implied point about copying ideas still stands. Like the US in the 1800s, they're not just making clones. They're making better ones. They're innovating.

Taking good ideas and improving them is - and will always be - the fundamental corner stone of human development. That's why "ripping off" more advanced competitors worked out well for the US when they did it, it worked out well for Japan when they did it, it's working out well for China now that they're doing it, and it will work out well for whoever decides to work hard next.

Do you know what isn't fundamental to human development? Made-up concepts like intellectual "property" that only serve the stagnant that aim to rent-seek (and not innovate). These concepts are what lulled the US into a false sense of security and allowed China to excel.

The reality of the matter is that IP laws are nonsense. They only serve to hold back those it binds. Instead of being upset when other people don't play by your made-up rules, you should work harder and become competitive again.

Disclosure: I have no love for China. It is a horrible country with disgustingly abhorrent views. That said, I don't think we should put our collective heads in the sand and avoid addressing the giant elephant thrashing in our room.


This is one of the best comments I think I've ever read on HN. Concise, summarizing a lot of things, and saying it well (much better than I could!). Thanks!


> My understanding from a security friend is there are all these hurdles and the Chinese government wants access to networks and source code for anything that’s operating within the country.

The famous “friend” who can corroborate any statement without being humiliated after being harshly refuted...

If you think CCP is so rich that they can hire enough people to make sense of the code of all businesses in China, then you might as well outsource all your IT development to CCP, because AFAIK, CCP government employee and contractors are dirt cheap...


Because you hire someone, it gives them the right to steal your IP? What?


Isn't the problem that if you are competitive with China they will steal the designs anyway, and potentially use any saved research capital to make improvements? You'll always be at a disadvantage if you're you're paying for your own competitors R&D.

I do agree that manufacturing should come back on-shore to close that gap at least.


I agree; at the very least it'd be nice to see less fear-mongering.

Especially with modern, acculturated tech, the democratic world ought to be doing acrobatic flips and twists off each and every "where'd Jack Ma go" springboard news event that comes out of modern China. Those are leverage points, they are the dragon's missing armor plates.

Tech comparison alone though...if you make it out to be a logistics-only game, as many in government do, then I can see why things would get depressing fast. Tech & culture integration is a huge accomplishment of the modern world and we ought to leverage it, even in the service of shoring up or solving logistics issues.


Yes, it's all just a big conspiracy at the highest levels, lol.

What really happened is that western countries and corporations didn't care _enough_ about China because China wasn't that powerful/influential. Now that China is powerful/influential, the era of just signing on the dotted line or not pushing back is over.

Banning Huawei _is_ competing. See Lotte Mart's fate in China.


>That they could be a threat is not the same as the being a threat.

In realism(as in realism theory of international relations) they are the same thing. You should prevent a rival from having the capability to harm you if you can, not let them develop the capability to harm you and hope that they don't.


> There are real issues to criticize with China, and Huawei is not the worst one

you are right atm "Western Leader" only care and dare to point finger on things in their evidence and interest, when this pandemic still rampaging after a year and getting worst in some country despite the use of vaccines(made in China), Huawei is not the worst one to criticize and confront CCP with


This kind of ignorance about the CCP machine and its surreptitious control over any and every company from China has led to the current situation where China is committing a genocide out in front of the world without any consequence. For starter, I would suggest reading the book 'The Party'.


I "could have" wiretapped KPN when I worked in the networks department.

Without any evidence that any wiretaps actually occurred, I'm afraid this is just fearmongering...


Well, yes; but this is missing the context that you don't have a history of doing so. By now there is plenty of evidence that China does engage is large-scale hacking campaigns to steal trade secrets, and before anyone brings on the "but whadabout the US?", the scope is much larger (US is mostly focused on security, not trade secrets) and the US has imperfect but at least some oversight.

Was this actually used to gain unauthorized access to information? Maybe, maybe not. It was still bad to grant this access in the first place, and arguably the only reason it didn't lead to unauthorized access is because action was taken. "We let a known serial killer loose but he didn't kill anyone" is still pretty bad.

Also that this was kept secret for 12 years doesn't exactly inspire confidence.


For a potential security breach at this level, if access was possible, and no records exists if it happened, you operate under the assumption there was a breach.


Original title : Huawei was able to eavesdrop on Dutch mobile network KPN: Report

Dupe : https://news.ycombinator.com/item?id=26842733 ( 65 comments )


Also discussed indirectly here https://news.ycombinator.com/item?id=26843068 (235 comments)


Yes, I believe that submission was triggered by submission I linked to.


Even if you read with good intention, and consider that the backdoor/workaround was not used, here you have the proof that Huawei is caught lying publicly.

See:

https://www.c4isrnet.com/battlefield-tech/it-networks/5g/202...

<<Huawei denies that claim and issued a statement Wednesday saying the company "has never and will never covertly access telecom networks, nor do we have the capability to do so.">>

The report on KPN proves that they have the "capability" and they they know it!


This is getting silly. Huawei is the most prominent Chinese company and because of the economic war, you get such speculative articles.

And a few days ago, Cisco was found to have a bug in their routers for small businesses that lead to remote code execution. https://portswigger.net/daily-swig/cisco-router-flaws-left-s...


This article contains no new revelations on top of previous articles:

"Huawei’s says it never acted inappropriately by abusing its position in the Netherlands. KPN says in a response that it has no indications that lines were tapped or that customer data was stolen."


Why does anyone still care about eavesdropping on mobile networks? How come it is still not 100% universally acknowledged that the network is hostile and carriers should not be treated as anything but a dumb pipe for IP over which you have your own security on the application layer? Maybe carriers should just straight up declare regular phone calls as non-private and start publishing all recordings of literally everyone's calls ever straight to their website. Seems like we need that kind of nuclear option to finally destroy the remaining false sense of security in the plain old telephone system.


I'm seeing a lot of misinformation here. The original source[0] is De Volkskrant, which is a _very_ reputable independent newspaper. It does not do sensation pieces.

Key points, from top to bottom:

- When a daughter company of KPN was looking for a new customer management system, Huawei's price was only 25% that of the competition. This was so low that employees initially thought it was a mistake.

- In 2009, KPN wants to reduce the cost of managing the mobile network by outsourcing ot to Huawei. It asked Capgemini to analyze the risks, which is the now-leaked report.

- The results are alarming enough that they are declared secret. Literally, "if those results were to become public, there will be a mass exodus among companies and governmental organisations to other providers. The existance of KPN as a whole would be seriously threatened".

- The core network is managed by Chinese citizans from a dedicated room in The Hague.

- Access from China is possible, but strictly limited. It requires explicit permission from the KPN NOC, who are supposed to provide temporary access.

- Unauthorized and uncontrolled access from China has been detected after 28 october 2009.

- The KPN network has a wiretapping system. A record of phone numbers being tapped is kept on a secure server. This server is managed by Huawei, who refuse to provide information about who has access to it and how it is secured. After a lot of pressure, they discover that tyis security is extremely weak and that Huawei has full control over it - meaning that Huawei has full knowledge of all numbers being wiretapped by the police and intelligence agencies.

- The six Chinese employees use a tool which allows them to listen to any phone call on the network. This is in direct violation of the law and it violates the agreement between Huawei and KPN. They can use this tool without anyone at KPN being made aware of it.

- Huawei is supposed to have access to second-long snippets for quality assurance. In practice, they had full access to all phonecalls. KPN had no way of knowing what they were doing.

- The tool used has no record keeping and the interface is in Chinese, meaning nobody is able to understand what they are doing.

So yeah, yikes.

This is way beyond admins having admin access. This is Huawei having unlimited access far beyond what they are supposed to, and evidence of this access being actively misused. It's not just the regular propaganda.

[0]: https://www.volkskrant.nl/nieuws-achtergrond/huawei-kon-alle...


Hopefully this get upvoted to the top. Answers a lot of speculations and questions in the thread.


This reminded me of "How Tech Loses Out at Companies, Countries and Continents" by Bert Hubert of PowerDNS.

https://berthub.eu/articles/posts/how-tech-loses-out/ https://news.ycombinator.com/item?id=26849669

KPN should be administering their own equipment.


I dunno how newsworthy the "Huawei" part of this is. The options seem to be go with a local provider or accept some level of risk of exfiltrated data. For example, nobody is pretending that Cisco is trustworthy.

I'm sure the Chinese spies made off with some stuff that they shouldn't have because they'd be stupid not to - but if anything this sounds so brazen that I assume the access was mostly for routine tech support. KPN clearly needs some help with their IT.


Everything has risk, but that doesn't mean that all risk is equal. There are a lot of things to consider when evaluating the risk of any vendor, even domestic vendors.


Just a thought experiment, for every Huawei-bashing news out there, there would be an equivalent Cisco-bashing or Ericsson-bashing article in China.


Protocols like TLS and encryption is there because any physical network is untrusted. If you have sensitive data, use e2e encryption. And any sensitive data is most likely already using such scheme. Also today's routers and physical network has insane bandwidth. 100 to 400 Gbps networks, billions of packets per second, millions of flows. To sniff the physical network and gather specific useful data, such as a personal contact, some files, or a message, especially from encrypted steams, is a huge endeavor. you would need a large dedicated ASIC with Gigabytes of memory, storage and large power budget. And you need a team of people to work on the software and hardware of such system. And there is no way you can hide such endeavor. Huawei has foreign people in key executive position and in multiple countries. I don't think its possible for the company to keep people quiet on things if these people feel its wrong. If Huawei's attempt to sale networking gear is a secret campaign to sniff and spy on world's data, there is no way these people would not find signs of it and stayed quiet. This whole scrutiny on Huawei has been a long time, multiple years. If foreign employees saw anything internally they would have whistle-blown by now. Honestly, if you want to know what Huawei is really up to, you could get some high ranking foreign employees to check up on executive meetings and documents. Huawei also have customers and partners working closely with each other. They also allow third party's review their source code and products. Many times partners are saying there is no evidence of security issues. Frankly, if a bad actor wants to get access to secret data, its much more useful to hack OS, servers and databases.


You have to assume the network can eavesdrop. Just goes to show the importance of end-to-end encryption.


I could have hacked the electric grid. Just cause someone could have done something doesn't mean that they did. This is pandering to political bias.


Depending on what you mean by 'hacked' that's still newsworthy.

In this article 'wiretapped' means that they had uncontrolled and unlimited access to all conversations. The problem isn't so much that it could have happened but that it might have happened.


Every potential access or potential hack is newsworthy then. That’s about a million articles a day then. Which would mean it is not newsworthy then. Everything is a potential this or potential that by the reasoning.


[flagged]


Everyone spies on everyone[1][2][3] - that's why everyone's government buildings all have their own secure-rooms. The diplomatic thing is to not go-public about ones' allies doing it unless you have a reason to embarrass them for something else.

[1] https://www.cnn.com/2015/06/25/opinions/france-spy-claims

[2] https://www.politico.com/story/2013/10/marco-rubio-nsa-spyin...

[3] https://www.usnews.com/news/best-countries/articles/2018-10-...


It did happen.

But it's not really news that spy agencies spy. Although maybe a little bit that NSA was spying on Germans, but that's probably not really news either, even for the Germans.

But if a private corp. doing contract work for another entity spies - and when the ownership of that corp is tied the government - that's news.

The question marks as to whether this was merely 'Huawei as admins have access' or 'Huawei has access and abused it' ... is the high relevant issue that needs to be fully sorted out.


i would suggest that german telecoms not contract their mobile network deployment and management to nsa, then


[flagged]


"Please don't post insinuations about astroturfing, shilling, brigading, foreign agents and the like. It degrades discussion and is usually mistaken. If you're worried about abuse, email hn@ycombinator.com and we'll look at the data."

https://news.ycombinator.com/newsguidelines.html

https://hn.algolia.com/?sort=byDate&dateRange=all&type=comme...


'The top comment is an inaccurate claim of "nothing to see here", but don't insinuate anything.'


The way to respond to inaccurate claims is with accurate information. You can do that without insinuating.


Maybe we should stop using infrastructure that allowed eavsdropping in the first place, we'd be fine? Then again, if everyone used e2e security, our spies wouldn't be able to spy :shrug:


This looks like western propaganda to make us think that it's better to just keep the US wiretapping our networks, as always.


I'd like to remind everybody of the Snowden revelations.

Maybe the real issue is, that US intelligence agencies are not able to force Huawei to add backdoors into their equipment.


I’m more worried about Europe letting the Chinese government buy into crucial infrastructure https://www.google.com/amp/s/energy.economictimes.indiatimes...

How is this even sensible and there is no way the Chinese government will ever let a non Chinese firm control their infrastructure so why is this not stopped. What politicians are making money on this?


In China's South Song dynasty, a military leader by the name Yue Fei (岳飞) [1], was sentenced to death by his political enemy Qin Hui (秦桧) [2] on false accusations.

What made this event particularly memorable, in addition to the fact that Yue Fei was considered a patriot; was that Qin Hui had blatantly responded to questions of how can you prove your accusations?

Qin Hui's reply: Yue Fei, when given, the right power, probably would commit those wrongdoings.

This is called 莫须有 [3].

You know why Chinese are not as angry as an American could be on Huawei's situations? Because everyone understand this is a political conflict. For this type of conflicts, only true power and strength can get any answer. Talking is not only futile, it's countereffective.

[1] https://en.m.wikipedia.org/wiki/Yue_Fei

[2] https://en.m.wikipedia.org/wiki/Qin_Hui

[3] https://zh.m.wikipedia.org/wiki/%E8%8E%AB%E9%A0%88%E6%9C%89


The difference here is Yue Fei has had a solid track record of being loyal to the emperor. In contrast with Huawei being CCP controlled, having poor track record of intellectual theft, and that CCP having clear conflicts of interest with the countries Huawei is doing business with.


> having poor track record of intellectual theft, and that CCP having clear conflicts of interest with the countries Huawei is doing business with.

You manage to generate completely nonsensical gibberish in very short sentence:

> having poor track record of intellectual theft

You are saying CCP did a poor job of stealing IP? Or you are saying CCP had done well in stealing IP?

If the latter, where is your evidence? CCP uses market coercion to force IP transfer, that's a well known practice. But where are the state sponsored IP theft?

> CCP having clear conflicts of interest with the countries Huawei is doing business with.

How so?

Obama called for G2 in [1], that's some serious recognition of the common interests between US and China. Right before Trump, you can find overwhelming official documents calling the sino us relationship being a overall positive one.

So suddenly, CCP becomes the bad guy because CCP had lots of conflicting interest?

And, for all the conflicting interests, other than the unfounded cyber security nonsense, what are the interests that huawei had a stake in?

[1] https://en.m.wikipedia.org/wiki/Group_of_Two




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: