Posts by Matthew Poole
Last ←Newer Page 1 2 3 4 5 Older→ First
-
Hard News: The Huawei Question, in reply to Paul G. Buchanan,
Paul, without repeating what I just wrote, I think that what’s being expressed by the various members of the alphabet soup shows a significant cultural ignorance of how things work in, dare I say it, the real world. In real network operations centres for ISPs, the unexplained appearance of large-volume data flows would trigger all kinds of investigations. You cannot hide real-time network tapping, especially when it originates within the customer “edge” network (an ISP network is divided into the customer-facing “edge:, the ISP “core”, and the internet-facing “border”) and must traverse the core in order to get across the internet to its destination.
Either the packets get billed to the customer, who will probably notice when they start getting stung for about double the data usage they expect, or they just appear as they transit the core and the ISP suddenly has a massive outflow of data with no apparent source. In both cases there will be investigation to figure out why there is a discrepancy, and for a major customer like a government department or the likes of Tait or Rakon (or large volumes of un-sourced data) there will be a lot of effort put into establishing the cause. Eventually someone will notice that for various routers and switches packets out > packets in, and then all hell will break loose. This is not fanciful rumination, this is how things actually work.
-
Hard News: The Huawei Question, in reply to Kumara Republic,
And some nuanced insight by the Granny’s Andrew Laxon on the issue.
The bug could then send anything on the network to an overseas website, which would relay the information to a more secret site.
All without attracting any attention from network operations folk who might, maybe, possibly, wonder why their outbound traffic flows suddenly went through the roof?
Seriously, a network tap doesn't magic its data flows to the recipient, someone has to provide the bandwidth. A network-wide tap will generate significant volumes of data, and operators notice these things because suddenly their bandwidth is woefully inadequate. You cannot hide a network-wide tap, or even an indiscriminate tap on a single major client, for reasons not least of which is that the accountants will eventually spot the discrepancies between what's billed and what's purchased. Huawei might be providing the equipment for the segments closest to the customers, but the core of the network, the part that handles routing to the internet and packet capture for billing, will most likely be running stuff made by Cisco or Juniper, "good" American companies who aren't going to quietly get into bed with a foreign espionage operation.
-
Hard News: The Huawei Question, in reply to Paul G. Buchanan,
He may have strong reason to support the Huawei contracts, but it would be good to hear how he came to that position in light of the suspicions about Huawei serving as a SIGINT front of the PRC.
Maybe it came down to "On the one hand we have the CIA/NSA and their lap-dogs at the ASIO, and on the other hand we have GCHQ/MI5. There's no clear consensus within the supreme members of the Western intelligence community that Huawei equipment is a viable threat to national security, and we are a small, poor country with limited funds. If it's good enough for the Brits it's good enough for us."
-
Hard News: The Huawei Question, in reply to Rich of Observationz,
From talking to people at Telecom, nobody in the senior management structure knew the difference between an RNC and an office chair. Their assumption was that they picked a supplier, ticked a few boxes and a working system would materialise.
To be fair to senior management it’s not really their job to know the difference, it’s their job to listen to the people who do. The CIO might know the difference, maybe, but even that person is mostly so far removed from the coal face that normally all they can do is nod politely when meeting with their subordinate GMs and then take the business case to the Board for approval.
The RNCs cost millions of dollars, and that’s not small change. Someone thought they could get away with two RNCs for initial deployment, and that someone was wrong. Turns out that under normal operating conditions the RNC in Christchurch (ETA: controlling everything south of Taupo!) was running ~ 104% nominal load, and the moment that a cell tower fell over it immediately failed as it tried to cope with recalculating the network topology in addition to handling traffic. Exactly where in the design loop the responsible “someone” lies is anyone’s guess, and it could as much have been AL’s fault as Telecom’s. Telecom do have a lot of internal design experience and knowledge, but when you’re building an entirely new network you’re at the mercy of the quality of information provided by your hardware supplier(s).
-
I’m getting more and more confused about what the risk is supposed to be. If we’re talking about a fundamental threat to the stability of the communications networks themselves – ie: there’s something built into the hardware that would allow the Chinese government to crash the network by shutting down the flow of packets – that’s quite scary but it’s also a pretty out-there kind of plot.
If, on the other hand, we’re talking about some kind of built-in interception capability, I didn’t realise that part of the UFB deployment was Huawei supplying hardware encryption systems to our security services and Government. A basic part of communications security is that you don’t rely on the security of the physical network to protect your data. The NZ Infrastructure Security Manual, GCSB’s bible on security of NZ Government information systems, makes it abundantly clear that classified data may only be transmitted through physical zones of a lower security rating than the data itself if the data is first encrypted using an approved product. In other words, to even send classified data within the same building, never mind between buildings, if the end-to-end network is not entirely contained within areas that are approved for a classification level equal-to-or-higher-than the classification of the data, encryption must be applied before the data hits the wire.
Given the approval processes for COMSEC hardware as laid out in NZISM pretty much preclude Huawei from supplying anything that would do the encryption, the only way their supply of hardware for UFB presents any kind of interception threat is if Murray McCully starts getting classified email sent to his Xtra account. Either that or the US are quietly announcing that they don’t believe their approved crypto systems are truly secure, which is a whole completely different kettle of aquatic life.
-
It stinks to high heaven that Key got safely out of the country, accompanied by only two (probably extremely tame) members of the press before the deal was announced. I don't like the appearance of political interference and police complicity that this has going.
-
rail loop
Link, please, not loop. It's not a big circle with trains doing laps, it's a link between the west and the east by way of the CBD. Every time someone says "loop" the haters burn a dollar that could be paying for the work to happen, on the grounds that we don't need a train circuit.
-
Hard News: Unwarranted risk, in reply to Kumara Republic,
So basically the effects of a trade war, but involving companies and workers instead of governments?
Something like that, yes. If no vessel destined for or originating from POAL can be (un)loaded promptly, shippers will simply move their business to other ports that don’t have such a stigma.
Of course, if a general strike (or full strike of MUNZ members) eventuates there’ll be no workers at any port to do the unloading. -
Hard News: Unwarranted risk, in reply to Sofie Bribiesca,
The harold says support coming from many
Edging ever closer to a general strike. I would say I hope that National are cognisant of the risks associated with such a worker-hostile employment environment, but I can't help feeling that they're stoking the flames as a way of pushing through stronger anti-union provisions.
At least we have stronger controls on the use of military personnel as strike-breakers than existed in 1951, and a razor-thin majority in the House that would probably be an effective check on any such use.
-
Hard News: Unwarranted risk, in reply to Kumara Republic,
I'm still of the impression that PoAL management is seriously underestimating its enemy's friends in high places.
Well, becoming an international pariah will just allow them to rail further against the evils of socialised labour, all the while waving goodbye to shipping contracts as companies move their business to Tauranga.
It's a real shame that National are so thoroughly anti-rail/pro-truck, because the amount of shipping freight that's going to end up with Tauranga could be a strong incentive to upgrade the rail links.