30 comments

[ 4.1 ms ] story [ 55.9 ms ] thread
(comment deleted)
These companies were required by the government to have lawful intercept capability. A bad actor took advantage of that government-required backdoor, and now the government has the shamelessness to grandstand about privacy and security? We need to elect better people.
Not even that, they have CVE 10 from 2019 on their routers, which the hackers got root on then patched, so they wouldn't be kicked off by other hackers. All because IT upkeep wasn't done and hardening on Cisco devices is a distinct admin guide and not at all on by default. The days are long gone of qualified and careful network admins, now we just get the low-ball outsourced Cisco TAC and the like which DGAF
>We need to elect better people

The better people do not put themselves to be elected.

goomba fallacy. the government isn't one person with one position. i agree with you that the backdoor should never have been installed in the first place but accusing them of hypocrisy because a group of lawmakers passed a law a while ago and a different group of lawmakers want a report on what went wrong and why is silliness. It seems as though the person spearheading this effort, Senator Cantwell, is in fact one of the better people that you propose we should elect but here you are shitting on her for trying to shed light on the pitfalls of the very policy you seem to be against in the first place.
If they simply implicated an "APT" in wrongdoing, they would have released it, as it would have been unremarkable and fit neatly within the Overton window of hissing-chinese spys justifying an even more expansive national security apparatus and general anti-sino sentiments among the ruling class in Washington.

This leads me to two possible, non-exclusive outcomes: the links to China are tenuous, and the attribution is flimsy (e.g., they accessed a machine at 9 am Beijing time!); or the report implicates the system itself as unauditable by design, which was bound to happen given the design of the intercept tools.

(comment deleted)
why does the government, any government, has a backdoor on anyone's phones to begin with?
srsly doubt that these reports would ever be released publicly, but i'm curious if they might suggest that their recent high-profile extended outages are related to weaknesses that were easily exploited by bad actors.
Many years ago I wrote a functional spec for lawful intercept in a 3G data node. It was based on a spec for a different product, so it contained a lot of institutional knowledge of how lawful intercept works.

A key element of the design of lawful intercept is not to trust the company running the network. Otherwise employees of that company would become targets for organized crime influence, among what are probably a few other considerations. The network operator isn't told about intercepts, and the relatively low rate of traffic intercept, the node has to support up to 3% of traffic intercepted, at least that was the spec at the time, makes it relatively easy for that traffic to be hidden from network management tools. It's not supposed to show up in your logs or network management reporting.

Intercepts originate on LI consoles operated by law enforcement agencies. This sounds pretty good so far. Until a hacker breaks into an LI console. Now that hacker can acquire traffic with pinpoint accuracy, undetected by design.

I have always been skeptical of claims that network operators have eliminated salt typhoon from their networks. I do not believe they know when the exploit began. Nor can they tell if their networks are truly free of salt typhoon activity. There are multiple vendors of LI console software. It's a standardized interoperable protocol to set up intercepts. So there's no one neck to wring.

What is an LI console? Where is it installed that it has access to accomplish this?
I worked in/with network ops at a big US telco. Some of the engineers have ideas on which nodes have these intercepts (and what they are) based on the call flows they monitor and the level of access they have to troubleshoot problems further. I can’t guess the details further since that wasn’t my domain, but that part of opsec wasn’t fully hidden.
They don't want their backdoors they allowed and buffoonery in securing/managing them exposed. This is only the wireless providers, now what about all the residential ISP's like Comcast, Cox, Charter, etc? They're even more incompetent usually, I've worked for enough to know.
A decent example of why implementing authoritarian policies is a bad strategy for the US; particularly coming from the current administration. We're only strengthening Chinese supremacy at this point and tearing the US apart in the process of trying to claw some back. We don't have what it takes to pull this shit off as well as China does. This is a failure at many levels: the uncoordinated surveillance, the gross lack of security, lack of skills, lack of knowledge, etc. and it extends to many aspects of American governance. Between the US putting significant traumatic pressure on its own citizens and companies doing mass layoffs in an increasingly unaffordable economy, this will push even more brain drain overseas, which only accelerates China's strengthening stance more.
This was enabled by the Communications Assistance for Law Enforcement Act (CALEA), enacted in 1994. Congress made their bed, now they need to lie in. Time to remove the govt mandated backdoors.
The hackers already have it.

There is no reason to hide it from the general public.

I worked at Verizon almost 10 years ago, they hired a group come to come in and assess. Within 3-4 hours they pwned the entire place (including offices outside of the office we were in) through an unsecured windows jenkins machine/script console.
> why Americans should have confidence in the security of their networks

Perhaps they should not.

It's hilarious that the Chinese, plus a whole boat load of other countries, plus a bunch of individuals and groups, all have access to the communications spying system.

At this point the only person without access to it is you!

It blows my mind that some individuals have allowed politicians to put these systems in place to spy on everyone.

The only purpose for these spy devices is to collect blackmail and wait until the person either becomes either important or the government wants to do parallel construction on a court case.

There is absolutely no need for anyone to spy on another persons conversation. We have had encrypted messaging for many years and the world keeps turning.

> At this point the only person without access to it is you!

This is how Microsoft, Google and Apple works.