Hacker News
Huawei ‘may have eavesdropped on Dutch mobile network’s calls’ (theguardian.com)
116 points by kumarharsh on April 19, 2021 | 56 comments


Interesting how this 3 day old story is getting twisted more and more. Can we stick to the facts?

Huawei was used for outsourcing, Huawei obviously has root access. If you outsource your IT to a company with known ties to a foreign government you can't complain about them having sensitive access.


Just because you have a root access, it doesn't mean you can just make yourself at home and grab any data you want.


And it doesn't mean that they did.


Capgemini report states that unchecked and unauthorized access from China happened after October 28 2009; as reported by the journalist that broke this news: https://twitter.com/huibmodderkolk/status/138335058865459200...


So if anyone accessed from China, it must be Huawei? You do know China has 1.4B people. And hackers often use zombie machines to attack. But clearly didn't matter to you.


You're ascribing conclusions to me that I didn't draw; it's the Capgemini report that states it was Huawei. I'm just the messenger.


Huawei was the only one that circumvented the password policy from KPN, which is the telecom provider of > 50% of phone infrastructure in the Netherlands (including government).

The audit was from 2009 and was an internal security audit that got leaked. It's specifically about Huawei.


Just because a policy on passwords or root access was broken, it doesn't mean that it was nefarious (as implied here - eavesdropping etc.).


It's explicitly forbidden when working with a large telecom provider in the EU


Yeah I guess this is like having Kaspersky and then complaining that data was exfiltrated to the FSB or something. Or you know, know who you are dealing with when you outsource.


I don't think the people complaining are the ones who chose to give root access to a company with known ties to a foreign government.


Then why do they spin it as if Huawei abused their access? Surely they could just make their opposition known without all the wink wink going on.


Who is the 'they' in your comment? The Capgemini report underlying all this, in no unclear terms, states that Huawei abused their access; with unmonitored and unauthorized access from China.

Additionally, it concludes that Dutch telecom act was violated by Huawei by being able to access the numbers being tapped by Dutch security services.

All statements in the original news article are backed up by the Capgemini report. Of course this report could be wrong, but then it's curious why KPN decided to keep this report a secret, apart from sharing the results with Dutch intelligence (AIVD).

Either way, I have a hard time seeing how any of this is 'spin'.


I don't need to spin anything. I hereby oppose Huawei having this kind of unlimited and unchecked access in past, present and future.

The only part that is unclear, and may never be clear, is whether this authority has been abused. However I oppose them (or anyone) having the authority in the first place.


Huawei had employees onsite in the Netherlands for access. Unauthorized full network access happened from China.

I do agree it's again here and shouldn't be anymore. But don't claim it's normal, the audit reported it as not.

KPN even hid the report for 10 years, because it was afraid of its contents to go public.

PS. Yes, I speak Dutch, so I read the original article on Volkskrant.nl. More information is probably getting out soon as it's being inquired currently by their government.


Now it's not only "true", it's sufficient to be the evidence of national threats (again)

https://foreignpolicy.com/2021/04/30/huawei-china-business-r...


So it's https://news.ycombinator.com/item?id=26842733 but with one more layer of indirection and rephrased to be stated with more confidence without any changes in primary source?


Funny, a couple days ago the title was "Huawei spied on Dutch bla bla". Today it's "may have spied".

The original article (well, the translation bondarchuk posted here) says they had the access. Not that they did anything with it.


Your tl;dr is a bit wrong.

They had unauthorized access, which means they used it. It's not clear for what currently, that's why it describes the scope of access.

They also found that the application can tap entire phone calls, which was forbidden.

Edit:

What do you think the following means (Dutch is my native tongue, lol):

> ‘Ongecontroleerde en ongeautoriseerde toegang vanuit China heeft na 28 oktober 2009 daadwerkelijk plaatsgevonden’, vermeldt het rapport in april 2010.

Translation: Unchecked and unauthorized access has taken place from China after 28 October 2009.

Original article: http://webcache.googleusercontent.com/search?q=cache:https:/...


Two things wrong.

> They had unauthorized access

No it doesn't

> which means they used it

Does it?

As per HN regs, "The article mentions that."


You are referencing the Guardian which is not the original source. I'm referencing the original report from Volkskrant, which has access to the Capgemini security audit.

The Capgemini report stated:

- They had accessed KPN's network without authorization and from China in 2009. They circumvented the default password policy from KPN

- They could have eavesdropped, because they had an application that enabled it, which was forbidden.

Also. The Dutch statement of KPN that the Guardian mentioned was not: "adding that none of its suppliers had “unauthorised, uncontrolled or unlimited access to our networks and systems”, as the article states.

The literal statement was (in Dutch):

> "Geen enkele leverancier van KPN heeft 'ongeautoriseerde, ongecontroleerde en ongelimiteerde' toegang tot de netwerken en systemen, of is in staat om KPN-klanten af te luisteren of tapinformatie in te zien."

Which is misleading, since it means: "Currently, no supplier has 'unauthorized and uncontrolled and unlimited' access to our networks and systems." This can be true, because they changed a lot because of the security audit that got leaked.

https://www.volkskrant.nl/nieuws-achtergrond/huawei-kon-alle... (Google cache is possible if you want to translate it, FYI)

PS. I'm a native Dutch speaker. There's a whole discussion about the misleading statement from KPN here: https://tweakers.net/nieuws/180642/tweede-kamer-wil-opnieuw-...


I don't get it. Won't your logic imply that all locksmiths are trespassers now? Because, you know, they have unauthorized access to most premises secured by locks.


No, just the locksmiths with a bad reputation.

Would you hire a locksmith if he had a record of stalking people?


I probably won't. Has this particular locksmith (Huawei) been shown to stalk people? Who are the people that accused the locksmith of stalking? Are they competitors? Should I trust their words?


Huawei is a Chinese corporation. Legally it must report data to the CCP when requested.

The CCP is known to commit human rights violations, especially against its Uighur population.

Providing data to them is furthering these human rights violations.

Yes you can say other countries spy on citizens, but what the country does with the data is an important distinction.

Furthermore, there's usually a judicial process to request this data in other countries.

A warrant is needed from a judge, and even still any action must go through the legal process. Such is not true for the CCP.

From political dissent to being a minority can be your crime, there is no jury, there is no trial.


To be honest I do wonder what other countries' governments do with the data they have gathered on their citizens as well as foreign personnel. I guess it must be that the justice league countries are using those data to protect their citizens and defend human rights across the globe.


It's more the structure of the government rather than a justice league. The governments are held accountable by the people. Such is not true in China.

You don't have to wonder what China does with its data. They track and imprison people for their dissent and ethnic status. There is no trial by jury. You are sent off to a work camp.

That does not happen in modern democracies. If you have evidence of such, please present it.

Proof against CCP: https://xjdp.aspi.org.au/

Just to get ahead of this but some people like to say you can compare the US immigration centers to the CCP concentration camps.

This is a false equivalency and a common CCP-propaganda talking point.

People willingly migrate to the US and are relieved when they hit these camps, they turn themselves in on purpose. They are processed and either deported or released and await trial to determine their asylum claim. None are there by force, it is temporary to process them.

The CCP takes people from their population by force and keeps them in work camps. Notably they take people just for being an ethnic minority. This is all without trial by jury.


Well I guess Wikipedia is a starting point: https://en.wikipedia.org/wiki/Category:Human_rights_abuses_i...

About the US immigration centres --- I am not sure if those who suffered there would have come to those camps if they had known what's happening in them, especially the children.


Sure pick something from the list that is an ongoing human rights violation from the government that they are using data harvesting to continue.

Bonus points if it's equivalent to GENOCIDE, which is what the ONGOING human rights violation in China is.

The data going to them helps them continue this GENOCIDE.

https://en.wikipedia.org/wiki/Cultural_genocide_of_Uyghurs

You like linking to wikipedia, which article from the list you linked is equivalent to my link?

Must meet the requirements of it being CURRENT and caused by the government DIRECTLY.

All cultures have a bad and violent history. What matters is your current morals.


How about the incidents described in this article: https://www.acslaw.org/expertforum/mass-surveillance-and-bla...


The US is not tracking down and transporting all blacks to work camps to "reeducate them" with the data they collect.

The CCP is doing this to their Uighur population. Do you not see the difference in extremes?


Hmm... so I guess the African Americans should be thankful that only some of them are being abused/oppressed by the government, that must be very comforting.


That article was about privacy, not about concentration camps or abuse. You are making a false equivalency.

Only one superpower right now is committing GENOCIDE against its ethnic minorities.

You can downplay that as much as you want, and spit all the whataboutism you want, but it's still the truth.


It's more like a locksmith that comes into your house when you didn't call this time. And installed the first time they came, a device to check everyone that comes in (since they discovered a Chinese application that listens to phone calls)

> And they make another serious discovery. The six Chinese employees work with a program that enables them to listen in on every phone call that goes through KPN. That too is in violation of agreements. This capability means that Huawei employees anywhere in the world can listen in on KPN numbers. That means they can follow parts of the call or the entire call without the callers or anyone at KPN being aware.

> Huawei is contractually allowed to follow a call briefly (a few seconds) for quality purposes; that is called "inluisteren". Following the entire call ("meeluisteren") is forbidden. A source: 'They could tap numbers, they could listen in anywhere in the world, KPN had no idea what Huawei was doing on the network.'

They could tap phones from all over the world. KPN had no idea what Huawei did on their network.


> It's more like a locksmith that comes into your house when you didn't call this time. And installed the first time they came, a device to check everyone that comes in (since they discovered a Chinese application that listens to phone calls)

It's more like a locksmith coming into your home because you asked him to manage the locks and ensure they were in working condition... and surprise he keeps them in working condition.

In other news, USA asks Cisco to build routers for NSA network and accuses NSA of having too much access, which they could have used.


Huawei had unauthorized access from China and they circumvented the password policy from KPN.

They may have eavesdropped, because they had an application that could listen to every phone call on the KPN network. Which was forbidden.

https://www.volkskrant.nl/nieuws-achtergrond/huawei-kon-alle...


It says they were doing the network maintenance, so my guess is they cut some corners and had their people in China do it fast.


It doesn't say that (I speak Dutch).

It says that they could tap phone-calls in KPN's network anytime and anywhere without anyone knowing.

It's not what it states. It says that Huawei does the core of the mobile network (e.g. switches). If they want access, they have to ask it and they will generate a security code.

> If Huawei wants access, the company must request a security code from KPN's Network Operations Center. KPN technicians then prepare the access. Only then can Huawei get into the heart of the network.

But Huawei seems to get access from China outside of this procedure.

> But things still go wrong. Huawei turns out to be gaining access to the core of the network from China, outside the procedure. KPN's security people know this is happening, but do nothing. 'Uncontrolled and unauthorized access from China actually took place after 28 October 2009', the report states in April 2010.

They found an additional serious breach. A program to listen to every phone call within the network of KPN.

> six Chinese employees work with a program that enables them to listen in on every phone call that goes through KPN. That too is in violation of agreements.

Listening to an entire phone call is forbidden.

> Huawei is contractually allowed to follow a call briefly (a few seconds) for quality purposes; that is called "inluisteren". Following the entire call ("meeluisteren") is forbidden.

Source: the original article from the Volkskrant: https://www.volkskrant.nl/nieuws-achtergrond/huawei-kon-alle...


It's interesting to see how this speculative piece keeps popping up, whereas GCHQ's THREE YEAR long hack [1] of Belgium's largest ISP was largely ignored. China bashing is easier than Five-Eyes bashing?

[1] https://en.wikipedia.org/wiki/Operation_Socialist


How do you mean 'was largely ignored'? It was headline news for almost a year during the Snowden period. It still is discussed occasionally and both US and UK are trusted less by EU countries because of it.


Maybe I'm wrong about this, but I don't remember there being this much noise about it. Sure, the rest of the Snowden revelations, but the GCHQ hack seemed largely forgotten. IIRC no charges were ever filed and there was no diplomatic response.


There was a lot of diplomatic fallout but that doesn't take place in public. Reportedly the other EU secret services became more careful about sharing with UK.


My (amateurish) translation of the Volkskrant article:

https://0bin.net/paste/poCzYk4t#IRjhnXLT31zdiDMCVJIIqvZgLDqh...


It's quite incredible really. We have undeniable proof the US spies on the EU, phone taps its leaders, and uses the info to help US companies.

But the stories are all about a Chinese company once having done a thing they were asked to do...


We know the US spies and so does China - this is not news.

We do not have evidence the NSA is doing industrial espionage.

Moreover, this is Huawei, not technically 'the state' and it's about the fact they are related to the state - and - they've had incredible access as part of their normal operations which is questionable.

China is the most aggressive and active state sponsor of hacking and they 100% do it for purposes of industrial espionage.

Literally 'leaving the door open' to every phone in a nation to a state-backed entity seems unthinkable in 2021.

It's probably going to be best if everyone uses local carrier gear and consulting entities for this kind of work; the advantage of 'totally free trade' doesn't seem to be more than what would be lost otherwise.


Fyi, Snowden has claimed the NSA engages in industrial espionage [0] and there are leaked documents implicating the German security services for having helped them [1].

I agree about the ideal world solution being to only use home designed/produced tech. Sadly there are only a few companies on earth actually making this tech. For a long time the only company with a real 5G solution was Huawei. I'm as suspicious of the Chinese as the next rational human. I just think almost all telecoms infrastructure is compromised by the US, so it's about picking the problem rather than avoiding it...

[0] https://www.bbc.com/news/25907502

[1] https://www.vice.com/en/article/xw3qjj/germany-accused-of-sp...


What no. How did you even get to that conclusion?


Which conclusion? That the US wiretapped EU leaders [0]? Or something else?

[0] https://www.theguardian.com/world/2013/jun/30/nsa-leaks-us-b...


> stories are all about a Chinese company once having done a thing they were asked to do...

The Dutch government and the Dutch telecom providers did NOT ask any Chinese government or Huawei to eavesdrop or do any kind of work of the sorts.

From the source (Volkskrant) "Huawei was in staat om zowel binnen KPN als vanuit China ‘ongeautoriseerd, ongecontroleerd en ongelimiteerd KPN-mobiele nummers af te luisteren’, inclusief die van ministers, toenmalig minister-president Jan Peter Balkenende en Chinese dissidenten. Tevens had Huawei inzicht in de database met afgetapte telefoonnummers. Dat is in strijd met de Telecommunicatiewet."

Roughly translates to: Huawei has unlimited access to listen to every KPN number including those of ministers and Chinese dissidents and had insights into databases with tapped phone numbers without authorisation or oversight, which was in violation with the Telecommunication law.

This story is mainly about KPN's incompetence but also about the massive influence Huawei or the Chinese government has over KPN's network. There's no evidence of misuse but there also wouldn't be any evidence to begin with if there was misuse as they had full control over the network.


It's still the same news and it's still:

- could have eavesdropped

- likely wouldn't have been found out

- but there is no indication that they did so

In the end Huawei (the company) has no benefits and IMHO no intention to spy on the Dutch mobile network. The problem is that the employees of Huawei, independent of nationality, might be a different story. (Or more precise China or the USA pressuring employees or installing "their people" in the right technical positions).

But as a side note that is also true for the USA, not just China.

It's just that for all western/(somewhat proper) democratic countries the US is much closer ideologically and politically than China, even with all the faults the USA has.

Like e.g. China is a "de-facto" one party system (theoretically they have more) and the US is a "de-facto" two party system. Which is better but still not proper democratic.


Those articles are just FUD.


so Guardian retranslated Dutch strict wordings into English loose wordings. tsk tsk tsk.


that's not nice!


This could be said of ANY telecom providers. It is all speculation without a shred of fact.


It sounds pretty damaging considering the telecom provider hid the report for ten years.


There's some debate about the degree to which the authorization could have been abused, but in today's world it's just hard to imagine how such rights and authorization could be granted in the first place.



