[HN Gopher] More telcos confirm Salt Typhoon breaches as White H...
___________________________________________________________________
More telcos confirm Salt Typhoon breaches as White House weighs in
Author : rntn
Score : 316 points
Date : 2024-12-31 01:52 UTC (21 hours ago)
(HTM) web link (www.theregister.com)
| monero-xmr wrote:
| Wasn't it a couple years ago the intelligence community was
| arguing for backdoor mandates, and now the FBI recommends Signal
| for safe chats? Such a farce. Hopefully the new admin goes
| through _their_ emails and text messages over the last 4 years.
| Privacy for me, not for thee, I suppose...
| snypher wrote:
| It doesn't take much to read between the lines on those two
| statements. Feds have access to Signal if they want it, but are
| using it as filter paper against most attacks against the
| public etc.
| tptacek wrote:
| The "feds" do not have access to Signal, except by CNE
| attacks against individual phones. Signal's security does not
| rely on you trusting the Signal organization.
| snypher wrote:
| It's ok for someone to believe that, but I don't believe
| that. Unfortunately there is no practical way to verify it
| either.
| cosmojg wrote:
| What are you talking about? Signal is open source, and
| its cryptographic security is trivially verifiable. If
| you don't trust the nonprofit behind it for whatever
| reason, you can simply compile it yourself.
| warkdarrior wrote:
| If you compile it yourself, can you still connect to the
| Signal servers?
| greyface- wrote:
| And, even if you can connect with your own client, can
| you trust the server is running the code they claim it
| is? They were caught running proprietary server code for
| a time in 2020-2021.
| https://github.com/signalapp/Signal-Android/issues/11101#iss... /
| https://news.ycombinator.com/item?id=26715223
| tapoxi wrote:
| But the client is designed to not trust the server,
| that's why encryption is end-to-end. So does it matter?
| greyface- wrote:
| In some sense, no - the protocol protects the contents of
| your messages. In another sense, yes - a compromised
| server is much easier to collect metadata from.
| tptacek wrote:
| Metadata, yes. Of course, the protocols, and thus all the
| inconveniences of the Signal app people constantly
| complain about, are designed to minimize that metadata.
| But: yes. Contents of messages, though? No.
| greyface- wrote:
| If Signal, the service, was designed to minimize metadata
| collection, then why is it so insistent on verifying each
| user's connection to an E.164 telephone number at
| registration? Even now, when we have usernames, they
| require us to prove a phone number which they pinky-swear
| they won't tell anyone. Necessary privacy tradeoff for
| spam prevention, they say. This isn't metadata
| minimization, and telephone number is a uniquely
| compromising piece of metadata for all but the most
| paranoid of users who use unique burner numbers for
| everything.
| tptacek wrote:
| This is the most-frequently-asked question about Signal,
| it has a clear answer, the answer is privacy-preserving,
| and you can read it over and over and over again by
| typing "Signal" into the search bar at the bottom of this
| page.
| greyface- wrote:
| The answer is not privacy-preserving for any sense of the
| word "privacy" that includes non-disclosure of a user's
| phone number as a legitimate privacy interest. Your
| threat model is valid for you, but it is not universal.
| tapoxi wrote:
| Yes. There's also libraries that do this, like libsignal.
| viraptor wrote:
| > and its cryptographic security is trivially verifiable
|
| That's going quite far. Even with all the details of it
| documented and open, there's a relatively small number of
| people who can actually verify that both the
| implementation is correct and the design is safe. Even
| though I can understand how it works, I wouldn't claim I
| can verify it in any meaningful way.
| tptacek wrote:
| Multiple teams have done formal verification of the
| Signal Protocol, which won the Levchin Prize at Real
| World Crypto in 2017.
| viraptor wrote:
| Sure, there are teams who have done it. But it's not
| trivial. The fact there's a price for it shows it's not
| trivial. If I choose a random developer, it's close to
| guaranteed they wouldn't be able to reproduce that. The
| chances go to 0 for a random Signal user.
|
| Alternatively: it's trivial for people sufficiently
| experienced with cryptography. And that's a tiny pool of
| people overall.
| tptacek wrote:
| The idea isn't that you do formal verification of the
| protocol every time you run it. It suffices for the
| protocol to be formally verified once, and then just to
| run that one protocol. If you thought otherwise, you
| might as well stop trusting AES and ChaCha20.
| greyface- wrote:
| It is possible for the core protocol to be tightly
| secure, while a bug in a peripheral area of the software
| leads to total compromise. Weakest link, etc. One-time
| formal verification is only sufficient in a very narrow
| sense.
| tptacek wrote:
| It is also possible for a state-level adversary to simply
| hijack your phone, whatever it is, and moot everything
| Signal does to protect your communications.
| Cryptographically speaking, though, Signal is more or
| less the most trustworthy thing we have.
| chasil wrote:
| Just look at PuTTY and e521 keys.
|
| Or go back to Dual_EC_DRBG.
|
| Unless DJB has blessed it, I'll pass.
| tptacek wrote:
| What do those two issues have to do with each other?
| chasil wrote:
| These were showstopper bugs that betrayed anything they
| touched.
|
| Avoiding this is obviously a huge effort.
| tptacek wrote:
| Dual EC was a "showstopper bug"?
| er4hn wrote:
| It did stop openssl whenever you tried to use it in
| production mode ;)
| ghostpepper wrote:
| It's not practically open source though - how many people
| actually build it themselves and sideload onto their
| Android/iphone?
|
| How much effort would it be for the US government to
| force Google to ship a different APK from everyone else
| to a single individual?
| tptacek wrote:
| I don't know, a lot? They could with the same amount of
| effort just get Google to ship a backdoored operating
| system. Or the chipset manufacturer to embed a hardware
| vulnerability.
| gertop wrote:
| "Here's a court order, you must serve this tainted APK we
| built to the user at this email"
|
| VS
|
| "You must backdoor the operating system used on billions
| of devices. Nobody can know about it but we somehow made
| it a law that you must obey."
|
| Come on, that's not the same amount of effort at all.
| tptacek wrote:
| Looks like exactly the same amount of effort to me?
| nprateem wrote:
| Effort maybe but not likelihood of discovery
| devops99 wrote:
| The cryptography is not where Signal is vulnerable. What
| Signal is running on, as in operating system and/or
| hardware that runs other embedded software on "hidden
| cores", is how the private keys can be taken.
|
| Anything you can buy retail will for sure fuck you the
| user over.
| tptacek wrote:
| Oh, so none of this has anything to do with Signal. Ok!
| devops99 wrote:
| In theory, "none of this has anything to do with Signal",
| and you are correct; but back over here in reality:
| Signal runs on these systems.
|
| Hence the security afforded by Signal is very weak in-
| practice and questionable at best.
| Intermernet wrote:
| Retail hardware actually has a better track record at the
| moment than bespoke, closed market devices. ANOM was a
| trap and most closed encryption schemes are hideously
| buggy. You're actually better off with Android and
| signal. If we had open baseband it would be better, but
| we don't, so it's not.
|
| Perfect security isn't possible. See "reflections on
| trusting trust".
| devops99 wrote:
| Bespoke but-not-really-bespoke closed-market devices made
| by the right people are very secure, but they are not
| sold to the profane (you).
|
| > ANOM was a trap
|
| Yes, ANOM was intended to be a trap.
|
| > and most closed encryption schemes are hideously buggy
|
| Yes they are. Hence some of us use open encryption
| schemes on our closed-market devices.
|
| > You're actually better off with Android and signal.
|
| I am better off with closed-market devices than I am with
| any retail device.
|
| > If we had open baseband it would be better
|
| And the ability to audit what is loaded on the handset,
| and the ability to reflash, etc. In the real-world all we
| have so far is punting this problem over to another
| compute board.
|
| > Perfect security isn't possible.
|
| Perhaps, but I was not after "perfect security", I was
| just after "security" and no retail device will ever give
| me that, but a closed-market device already has.
|
| > See "reflections on trusting trust".
|
| Already saw it. You're welcome to see:
| - https://guix.gnu.org/blog/2020/reproducible-computations-with-guix/
| - https://reproducible-builds.org
| - https://guix.gnu.org/en/blog/2023/the-full-source-bootstrap-building-from-source-all-the-way-down/
| bryant wrote:
| Well, if you're in a position where you can only put
| faith in someone else's word as to whether it's good for
| your needs (this is the vast majority of people), there's
| this:
| https://community.signalusers.org/t/overview-of-third-party-...
| fragmede wrote:
| > Unfortunately there is no practical way to verify it
| either.
|
| discuss an exceedingly clear assassination plot against
| the President exclusively over signal with yourself
| between a phone that's traceable back to you, and a
| burner that isn't. if the secret service pays you a
| visit, and that's the only way they could have come by
| it, then you have your answer.
| hunter2_ wrote:
| I think the bar for paying such a visit would be
| infinitely high (they would find a way to defend in a
| more clandestine manner) to keep the ruse going.
| nprateem wrote:
| Let us know how that goes
| buckle8017 wrote:
| Signal's servers have access to your profile, settings,
| contacts, and block list if the PIN you select has low
| security.
| tptacek wrote:
| Which is to say: in the worst-case plausible failure
| model for Signal, they get the same metadata access as
| all the other messengers do. OK!
| fragmede wrote:
| Threema leaks no such metadata
| tptacek wrote:
| https://breakingthe3ma.app/
|
| You want to use this, by all means.
| rkagerer wrote:
| Were any/all of those vulnerabilities mitigated?
| antgiant wrote:
| Per the link. Yes. Here's the specific statement.
|
| Lessons Learned
|
| We believe that all of the vulnerabilities we discovered
| have been mitigated by Threema's recent patches. This
| means that, at this time, the security issues we found no
| longer pose any threat to Threema customers, including
| OnPrem instances that have been kept up-to-date. On the
| other hand, some of the vulnerabilities we discovered may
| have been present in Threema for a long time.
| tptacek wrote:
| For what it's worth, and obviously I could have been
| clearer about this: what's interesting about that link is
| the description of Threema's design, not the specific
| vulnerabilities the team found.
| daneel_w wrote:
| Not all other messengers require a mobile phone number in
| order to get access, meaning not all other messengers
| have a view of users' social networks - some of them are
| anonymous, and Signal is not. It's a fundamental
| difference. But we've been here before.
| devops99 wrote:
| GrapheneOS ships binary blobs that run in kernel space.
| Outside of GrapheneOS, Google and Apple are effectively
| your systems administrator. The glowies do have access to
| your Signal chats.
|
| Perhaps if you and also others you know run a modified
| libre branch of GrapheneOS, on different hardware*, and
| compile the Signal clients from source code, then those
| Signal chats specifically are secure. But in that case why
| use Signal's servers?
|
| And, you'll still want to run a separate copy of your
| Signal build (https://molly.im seems to demonstrate this is
| practicable) for "official" Signal to talk to the
| taxcattle.
|
| [*] you would have to be particularly careful and somewhat
| elaborate with this hardware, and DIY not outside price
| range of off-the-shelf parts yet also beyond the
| operational threshold of most would be involved.
| int0x29 wrote:
| While the statements are contradictory I wouldn't take it as a
| sign of some vast conspiracy. I would just take it as a sign
| they are stuck needing to give out some kind of guidance to
| prevent foreign access. While they are a domestic police
| service they are also a counterintelligence service and thus
| need to provide some guidance there.
| s5300 wrote:
| US Military has at least privately switched away from any Signal
| usage within the past few months - it's undoubtedly compromised
| in some way. If the FBI is recommending it it's for
| exploitative purposes & a false premise of safety.
| blackeyeblitzar wrote:
| So what's the alternative
| edm0nd wrote:
| Session, Matrix, Tox perhaps
| glaucon wrote:
| I know nothing about this field so I went looking for
| those product names.
|
| I believe the Session referred to is here ...
| https://getsession.org/
|
| Tox is here ? https://tox.chat/
|
| The Matrix I found seems to have been closed down earlier
| this month ...
| https://en.m.wikipedia.org/wiki/Matrix_(app) ... that's
| assuming I found the correct "matrix".
|
| If it matters to you don't take my word for those being
| the correct points of contact, that's just me searching
| for two minutes.
|
| As a side rant, I wish people would choose less generic
| names for their projects, calling something "session" ?
| You might as well call it "thing".
| nerdponx wrote:
| This is probably the Matrix they meant:
| https://matrix.org/
| glaucon wrote:
| Thanks, that does seem more plausible than the one I
| found.
| impossiblefork wrote:
| Completely avoiding sensitive communication over mobile
| phones.
| llamaimperative wrote:
| Nothing contradictory (in philosophy), really: they said
| American law enforcement should be able to break encryption
| when they have warrants and they now say Chinese spies should
| not be able to.
|
| This is obviously technically impossible, but the desire for
| that end state makes a ton of sense from the IC's perspective.
| hunter2_ wrote:
| That something can simultaneously be impossible and sensible
| is peculiar. It almost suggests that the technique has merely
| not yet been figured out.
|
| Secrets fail unsafe. Maybe an alternative doesn't.
| btilly wrote:
| It is sensible that people would want the impossible. It
| isn't sensible to try to mandate it.
|
| Government keeps trying to mandate it in various ways. With
| predictably bad results.
| tzs wrote:
| How is it obviously technically impossible?
| btilly wrote:
| Whatever method is available to American law enforcement is
| eventually going to become available to Chinese spies. The
| record of keeping this kind of secret is abysmal. If by no
| other means, then by social engineering the same access
| that local police departments were supposed to have.
|
| Salt Typhoon - which this discussion is about - is an
| example. Tools for tracking people that were supposed to be
| for our side, turn out to also be used by the Chinese. Plus
| the act of creating partial security often creates new
| security holes that can be exploited in unexpected ways.
|
| Either you build things to be secure, or you have to assume
| that it will someday be broken. There is no in between.
| Animats wrote:
| _"...implies that the attack wasn't against the broadband
| providers directly, but against one of the intermediary
| companies that sit between the government CALEA requests and
| the broadband providers"_
|
| Yup. The attack hit the CALEA backdoor via a wiretapping
| outsourcing company. Which one?
|
| * NEX-TECH: https://www.nex-tech.com/carrier/calea/
|
| * Subsentio:
| https://www.subsentio.com/solutions/platforms-technologies/
|
| * Sy-Tech: https://www.sytechcorp.com/calea-lawful-intercept
|
| Who else is in that business? There aren't that many
| wiretapping outsourcing companies.
|
| Verisign used to be in this business but apparently no longer
| is.
| supriyo-biswas wrote:
| Thank you for posting this. The search term "calea
| solutions"[1] also brings up some relevant material, such as
| networking companies advising how to set up interception, and
| an old note from the DoJ[2] grumbling about low adoption in
| 2004 and interesting tidbits about how the government
| sponsored the costs for its implementation.
|
| [1] https://www.google.com/search?client=firefox-b-d&q=calea+sol...
|
| [2] https://oig.justice.gov/reports/FBI/a0419/findings.htm
| tguvot wrote:
| where from "...implies that the attack wasn't against the
| broadband providers directly, but against one of the
| intermediary companies that sit between the government CALEA
| requests and the broadband providers" comes from? from
| schneier? because if you go to the actual reporting in wsj
| for example, it doesn't imply that attack was against TTP
| providers. also TTP providers are optional
| Maxious wrote:
| WSJ: U.S. Wiretap Systems Targeted in China-Linked Hack
| https://www.wsj.com/tech/cybersecurity/u-s-wiretap-systems-t...
|
| That seems pretty clear.
| tguvot wrote:
| nope :)
|
| wiretap systems are on the telecom provider side and it's a
| bunch of different and in many cases ordinary networking
| equipment that can be easily misconfigured.
|
| TTP (aka companies listed above) are optional and usually
| used by companies that don't have their own legal
| department to process warrants/want to deal with fine
| details of intercepts
| bn-l wrote:
| > wiretapping outsourcing company
|
| Is it a great idea to give all that info to India as well?
| petesergeant wrote:
| The FBI has a weird mandate in that it's both counter-espionage
| and counter-crime, and those are two quite different missions.
| Unsurprising to know that counter-espionage want great
| encryption, and counter-crime want backdoorable encryption.
| JTbane wrote:
| It seems like every few years law enforcement puts out
| statements about how good encryption is for criminals, and then
| they have to walk it back as data breaches happen.
| kube-system wrote:
| Sometimes you're on offense, sometimes you're on defense. The
| government does both.
| rat87 wrote:
| You want the new anti democratic/authoritarian administration
| to look through the FBI's emails to find something to frame them
| for? You sure that's wise? Even if they don't respect privacy
| like they should?
| 2OEH8eoCRo0 wrote:
| Telcos need a way to comply with court orders. That's it.
| rsingel wrote:
| No, the feds _require_ CALEA-backdoors. Absent CALEA, a
| telecom could say we don't have the data or the capability
| jmclnx wrote:
| >This public-private effort aims to put in place minimum
| cybersecurity
|
| Nice, we do not want the CEOs of these telcos have to give up
| their bonuses. So we force them to do the just bare minimum.
| Isn't capitalism great.
| votepaunchy wrote:
| Minimum is not "bare minimum". The alternative to minimum
| requirements is no requirements.
| gertop wrote:
| Not allowing foreign entities to spy on their customers
| _feels_ like the bare minimum to me.
| JumpCrisscross wrote:
| > _So we force them to do the just bare minimum. Isn't
| capitalism great_
|
| This has nothing to do with capitalism. The Soviet Union wasn't
| a paragon of information security.
| lenerdenator wrote:
| It does, at least with respect to how the US does capitalism.
|
| The goal is to make the number at the bottom of the piece of
| paper bigger by a large enough margin in the next ninety
| days. If you can prove that there's the imminent risk of a
| specific cyberattack in the next 90 days and that it will
| have an adverse impact on getting that number bigger, fine,
| company leadership will pay attention, but that's rarely the
| case. Most cyberattacks are obviously clandestine in nature,
| and by the time they're found, the move isn't to harden
| infrastructure against known unknowns, but to reduce legal
| exposure and financial liability for leaving infrastructure
| unsecured. It's cheaper, and makes the number at the bottom
| of the piece of paper bigger.
| gruez wrote:
| >The goal is to make the number at the bottom of the piece
| of paper bigger by a large enough margin in the next ninety
| days. If you can prove that there's the imminent risk of a
| specific cyberattack in the next 90 days and that it will
| have an adverse impact on getting that number bigger, fine,
| company leadership will pay attention, but that's rarely
| the case.
|
| 1. Capitalists seem pretty content with money losing
| ventures for far more than "the next ninety days", as long
| as they think it'll bring them future profits. Amazon and
| Uber are famous examples.
|
| 2. You think the government (or whatever the capitalism
| alternative is) aren't under the same pressure? Unless we
| live in a post scarcity economy, there's always going to be
| a beancounter looking at the balance sheet and scrutinizing
| expenses.
| keybored wrote:
| I'm pretty sure that the Soviet Union was state capitalist.
| gruez wrote:
| "true communism has never been tried"
| keybored wrote:
| My guy/gal, state capitalism as a transition towards
| socialism and then to communism was an explicit Marxist
| _policy_ by the Soviet Union. Hence that state (of state
| capitalism) was a part of the big-C Communism of the
| Soviet Union.
|
| Sometimes thought-terminating quips are not enough.
| nixosbestos wrote:
| Meanwhile US banks, Venmo, PayPal, etc all insist on using "real"
| phone numbers as verification.
|
| Funny that Venmo won't let me use a voip number, but I signed up
| for Tello, activated an eSIM while abroad and was immediately
| able to receive an SMS and sign-up. For the high barrier cost of
| $5. Wow, such security. Bravo folks.
| blackeyeblitzar wrote:
| The problem is that VOIP numbers, from companies like
| Bandwidth, are frequently used to perform various frauds. So
| many financial services ban them because the KYC for real
| numbers is much better.
| mellow-lake-day wrote:
| KYC = know your customer?
| tempodox wrote:
| Yes.
| dr_dshiv wrote:
| It has nothing to do with Kentucky's Yummiest Chicken, if
| that's what you were thinking.
| FergusArgyll wrote:
| Yes, and AML = Anti Money Laundering
| silisili wrote:
| I have more bank and credit accounts than the average person,
| probably. 5 bank accounts, and 8 credit accounts I can
| remember as active off the top of my head.
|
| Every single one works with GVoice, except Venmo. Chase,
| Cap1, Fidelity, etc. Not small players.
|
| So while I think you make a fair enough argument for sure, it
| doesn't seem to be the case when nobody else does it, and
| makes Venmo seem like a pain in the arse.
| BenjiWiebe wrote:
| My Gvoice number works with Chase, Citi, Discover, AMEX,
| Capital One. Does not work with Wells Fargo, _despite_
| allowing you to sign up with it. Took a notarized snail
| mail to fix that one.
| zmgsabst wrote:
| In practice, these companies get a phone number I possess for
| 1-3 months on a travel SIM rather than the VOIP number I've
| steadily maintained for two decades and by which the US feds
| know me (because they don't care).
| immibis wrote:
| Because VOIP requires a verified Google account and phone
| number, while traditional numbers can, uh, be purchased
| anonymously at the corner store.
| atonse wrote:
| Depends on which country. In places like India that's not
| possible. Your cell phone number becomes a de facto
| identity so they require all kinds of identity documents to
| get a SIM.
| taneliv wrote:
| So there's a cottage industry of middle men on the
| streets who will set you up with a SIM card, or a travel
| ticket or whatever, for people who don't have identity.
| (Or in some cases don't want to reveal their identity,
| but I reckon this is less typical.) Sure, you pay extra
| for the service, the middle man takes 10%, 30% or 500%
| and the identity is then with that person---or their
| fraudulent papers, I don't know how it works in detail.
| baobun wrote:
| > while traditional numbers can, uh, be purchased
| anonymously at the corner store.
|
| That is a closing window and the case in fewer and fewer
| places. It won't be long until most people would need to fly
| across the globe or get involved with organised crime to
| pull that off...
| freeopinion wrote:
| You keep using that word. I do not think it means what you
| think it means.
| axus wrote:
| Don't all financial institutions need some real
| identification with physical address to sign up? Phone
| numbers / email addresses should be for communication, not
| tracking.
| cookiengineer wrote:
| The same level of security that shitter's checkmark introduced.
| All checkmark accounts are fake, and the ones without are real
| people, I guess?
|
| The idea that scammers don't have digital money laying around
| just waiting on being spent on something is so absurdly out of
| touch on how everything in cyber works.
| disqard wrote:
| Corporations are "people".
|
| Corporations "eat" money.
|
| Entities that can feed a corporation, are treated as peers,
| i.e. "people".
|
| Thus, on shitter, if you can pay, you are a person (and get a
| blue checkmark).
| withinboredom wrote:
| Oh, nice allusion. If corporations eat money and you're not
| paying, i.e., a free service. You are prey.
| toast0 wrote:
| > For the high barrier cost of $5. Wow, such security. Bravo
| folks.
|
| $5 is at least 5x the cost of a voip number. I'm not a bank,
| but if I'm spending money to verify you control a number, I
| feel better when you (or someone else) has spent $5 on the
| number than if it was $1 or less.
| lazide wrote:
| Also, that is clearly a workaround that took some research to
| do. Aka you're probably in the top 1% of the population from
| a 'figuring out workarounds' perspective.
|
| VoIP is so well known (and automated) to do, even at $.10, it
| would be a magnitude easier to do.
|
| Banks are always slow, and behind the times - _because_ they
| are risk averse. That has pros and cons.
| somat wrote:
| It makes me think of linux distros.
|
| there are the ones that closely follow software updates and
| you get to complain that things are breaking all the time.
|
| and there are the stable distros, now you get to complain
| how old and out of date everything is.
| iszomer wrote:
| I still have about $15 of international calling credit on a
| GV number I hardly use anymore with no option of transferring
| or using that balance on a different platform like Google's
| Play store.
| rsync wrote:
| "... but if I'm spending money to verify you control a
| number, I feel better when you (or someone else) has spent $5
| ..."
|
| This is exactly it.
|
| All of these auth mechanisms that tie back to "real" phone
| numbers and other aspects of "real identity" are _not for
| you_ - they are not for your security.
|
| These companies have a brutal, unrelenting scam/spam problem
| that they have _no idea how to solve_ and so the best they
| can do is just throw sand in the gears.
|
| So, when twilio (for instance) refuses to let you 2FA with
| anything other than tracing back to a real mobile SIM[1] (
| _how ironic_ ...) it is not to help you - it is designed to
| slow down abusers.
|
| [1] The "authy" workflow is still backstopped by a mobile
| SIM.
| dghlsakjg wrote:
| https://www.bitsaboutmoney.com/archive/optimal-amount-of-fra...
|
| Relevant reading.
|
| Basically comes down to: the costs of acceptable levels of
| fraud < the cost of eliminating all fraud.
|
| There are processes that would more or less eliminate all
| fraud, but they are such a pain in the ass that we just
| deal with the fraud instead.
| mjevans wrote:
| Blanket Denial is the issue.
|
| A PROCESS for verifying the number isn't used for fraud and
| allowing use. I don't know, maybe the fact that I've been a
| customer for YEARS, use that number, and have successfully done
| thousands of dollars in transactions over a platform without
| any abnormal issue?
| terribleperson wrote:
| My google voice number is unlikely to be stolen from me, but
| instead I have to use a 'real' phone number that could be
| compromised by handing cash to an employee at a store.
|
| One time a company retroactively blocked VOIP numbers, which
| was really stupid.
| Krasnol wrote:
| > My google voice number is unlikely to be stolen from me
|
| I'd say that with Google, chances are that they just stop
| offering the service.
| MetaWhirledPeas wrote:
| When Google Voice was brand new I snagged me a number.
| (Since lost because I did not respond to a prompt to keep
| it alive, or something?) I wonder if they anticipated the
| cost of keeping those around for decades. Managing
| someone's personal phone number is a solemn commitment that
| you can't just drop willy-nilly.
| thfuran wrote:
| The only solemn commitment Google has is to the bottom
| line.
| MetaWhirledPeas wrote:
| Aren't they still supporting old Google Voice numbers
| though? I don't see how they could be making any money on
| that.
| thfuran wrote:
| That's one of their older services. I assume they really
| like the data they get from it.
| danlugo92 wrote:
| Whatsapp just retroactively blocked google voice numbers
| recently
| rwmj wrote:
| That's nothing to do with security, just Meta wanting to
| know everything about you / being annoyed that another
| company has that data instead of them.
| immibis wrote:
| Security of shareholder value!
| BenjiWiebe wrote:
| Knock on wood, mine still works. Please, any Whatsapp/Meta
| engineers, don't go specifically disable mine now that you
| read this comment.
| bushbaba wrote:
| Because that real phone number is tied to an imei number
| which can be used to track your historical and real time
| location from teleco data
| betaby wrote:
| And yet it is 'impossible' to police to recover stolen
| iPhone.
| dboreham wrote:
| Unrelated. Tracking data is service-side, not secret to
| the phone.
| ceejayoz wrote:
| It's entirely possible. They just don't care.
| kyrra wrote:
| This is why I like Google Fi. It is much harder to do account
| takeover of a Google Fi number compared to most telcos.
| The attacker would have to take over the Google account which
| seemed to be harder to do.
| lokar wrote:
| I agree, and also use Fi
|
| But, I worry about what happens if I somehow get locked out
| of the account...
| edoceo wrote:
| Just post on socials (that you can still access) about
| being locked out and then hope for the best?
| lokar wrote:
| Well, for now, I still have former co-workers there who
| can help, but that won't last forever.
| kyrra wrote:
| For the most part, the "have a friend at Google" doesn't
| help anymore. They even tell us googlers to use the
| external process when our account gets locked.
| fasteo wrote:
| Does Tello require KYC, that is, is the eSIM linked to an
| actual identity? At least in Europe (psd2) that's the key for
| accepting a phone number as a 2FA method
| ricktdotorg wrote:
| i bought a Tello eSIM to use for my Rabbit R1, am in USA, was
| not required to provide any KYC, received a (213) LA area
| code number, recommend Tello so far.
| rsync wrote:
| No KYC with Tello or USMobile.
|
| All of my 2FA Mules[1] are USMobile SIMs attached to
| pseudonyms which were created out of thin air.
|
| It helps _a lot_ to run your own mail servers and have a few
| pseudonym domains that are used for only these purposes.
|
| [1] https://kozubik.com/items/2famule/
| mikeweiss wrote:
| Can we talk about how Venmo doesn't even let you login from
| abroad... And their app doesn't provide a decent error message
| it just 403s.
| fnordpiglet wrote:
| These stem from a requirement to know you as a person in some
| verifiable way. These are legal and regulatory requirements but
| the laws and requirements are there to ensure finserv can
| meaningfully contain criminal activity - fraud, theft, money
| laundering, black market, terrorism financing, etc. It turns
| out by far the most effective measure is simply knowing who the
| principals are in any transaction.
|
| Some companies have much lower thresholds for their KYC, but
| end up being facilitators of crime and draw scrutiny over time
| by both their more regulated partners and their governments.
|
| I'd note that the US is relatively lax in these requirements
| compared to Singapore, Canada, Japan, and increasingly the EU.
| In many jurisdictions you need to prove liveliness, do photo
| verification, sometimes video interviews with an agent showing
| your documents.
| Andrex wrote:
| > In many jurisdictions you need to prove liveliness, do
| photo verification, sometimes video interviews with an agent
| showing your documents.
|
| When vtuber-esque deepfakes become trivial for the average
| person, I wonder what the next stage in this cat-and-mouse
| becomes. DNA-verification-USB-dongles?
| krapht wrote:
| Why go straight to dystopia when notary publics exist?
| lazide wrote:
| Online notaries have been a thing for awhile now. Don't
| worry, we can still have dystopias with Notaries.
| vkou wrote:
| Maybe you could just, you know, show up to a bank branch?
| Like people have done for centuries?
| brendoelfrendo wrote:
| Physical businesses? The horror! Won't someone think of
| the fintechs?
| BenjiWiebe wrote:
| Or what if I live in a rural area and have very few local
| branch banks available?
|
| I actually had an issue with this and ended up sending a
| notarized letter by snail mail, since I didn't feel like
| making a special 1hr each way trip during business hours
| to the closest branch.
| op00to wrote:
| There is no right to not be inconvenienced by living in a
| remote area in any country I'm aware of.
| vkou wrote:
| > Or what if I live in a rural area and have very few
| local branch banks available?
|
| Then you have to be ready to accept that there are
| advantages and disadvantages to your choice of where you
| live, and that is one of the latter.
|
| There's a reason rural property is so cheap. It comes
| with a lot of disadvantages and inconveniences and costs
| that city-dwellers don't need to pay.
| afh1 wrote:
| You can, at the same time, verify a person's identity upon
| opening the account, as you mentioned with documents, and use
| a TOTP MFA instead of SIM-based authentication. If regulators
| require SIM-based authn, then it's just bad policy, which
| should come to no one's surprise when it comes to government
| regulation. Finally, KYC is for the IRS. The illusion of
| safety makes a good selling point, though.
| _DeadFred_ wrote:
| US regulators don't normally specify down to 'require SIM-
| based authn'. Instead they give vague directives that
| companies have to determine their own implementation for
| meeting. And the implementation needs to be blessed by
| corporate AND insurance company lawyers, which too often
| ends up meaning those lawyers dictate the implementation.
| photonthug wrote:
| > know you as a person in some verifiable way .. the laws and
| requirements are there to ensure .. knowing who the
| principals are in any transaction.
|
| Except that person you're responding to explains succinctly
| how this is security theater that accomplishes little and
| ultimately is just a thinly veiled tactic for harassing users
| / coercive data collection. And the person above _that_ is
| commenting that unnecessary data collection is just an
| incentive for hackers.
|
| Comments like this just feel like apologism for bad policies,
| at best. Does anyone really think that people need to be
| scrutinized because most money laundering is small
| transactions from individuals, or, is it still huge
| transactions from huge customers that banks want to protect?
| codedokode wrote:
| Phone number is not an identity document, and you can rent a
| number cheaply on a black market. Also, there should be no
| verification for small amounts of money. We can use cash
| anonymously, why can't we transfer money anonymously?
| BenjiWiebe wrote:
| Another cool thing that some companies do: refuse to deal with
| me because the family business account is in my dad's name,
| _despite_ me knowing all the correct information to pretend to
| be my dad.
|
| Like, the only reason I don't answer the phone and say "this is
| <Dad's name>", is because I'm honest. You'll _never_ keep a bad
| guy out that already knows all the information that you ask for
| - he'll just lie and claim to be the business/account owner.
| codedokode wrote:
| Technically they might be right, because your father might
| not trust you to access the account, so you need some kind of
| written permission.
|
| > he'll just lie and claim to be the business/account owner.
|
| He can lie, but he doesn't have another person's passport to
| prove his lies.
| devops99 wrote:
| We can never trust them again.
|
| We must implement as LAW that a SIM card can provide and only
| provide a Zero Knowledge Proof of "this SIM is valid for this
| cellular/data plan up to a specific date".
|
| If they want to track us all the time, whatever, if they can't
| keep that data safe from the Chinese Communist Party, then they
| aren't competent enough to have it.
| hooverd wrote:
| I can't believe the CPC would do this- add a backdoor to
| American technology for American agencies.
| devops99 wrote:
| but that would be _illegal_ and therefore _impossibru_ /s
| rsync wrote:
| "We must implement as LAW that a SIM card can provide and only
| provide a Zero Knowledge Proof ..."
|
| Now is a good time to remind everyone that a SIM card is a
| _full blown computer_ with CPU, RAM and NV storage.
|
| Further, your carrier can _upload and execute_ code on your SIM
| card without your knowledge or the knowledge of the higher
| level application processor functions of your telephone.
| deadso wrote:
| Is there any sandboxing to prevent access from the SIM card
| computer to information on your phone? And if so, absent of
| some (admittedly not very unlikely) 0day allowing sandbox
| escape, what would a malicious SIM program be able to do?
| gruez wrote:
| >and only provide a Zero Knowledge Proof of "this SIM is valid
| for this cellular/data plan up to a specific date".
|
| How do you implement bandwidth quotas with this?
| yehbit wrote:
| Better security is smaller nodes or value and more of them. But
| it's more profitable to say screw others security and monopolize
| everything
| freeqaz wrote:
| I work in security and this surprised me to see. Not that these
| companies got hacked, but the scope of the attack being
| simultaneous. Coordinated. Popping multiple companies at the same
| time says something about the goals the PRD has.
|
| It risks a lot of "noise" to do it this way. Why not just bribe
| employees to listen in on high profile targets? Why try to hit
| them all and create a top level response at the Presidential
| level?
|
| This feels optics-driven and political. I'm not sure what it
| means, but it's interesting to ponder on. Attacking
| infrastructure is definitely the modern "cold war" of our era.
| buildbot wrote:
| I think this is the perfect time to do something like this, in
| the midst of a presidential transition. Regardless of the
| outgoing and incoming politics, things will be more chaotic.
| While it won't be unnoticed, it's going to be down the lists of
| things to deal with probably, and possibly forgotten.
| mike_d wrote:
| This is a total yawn, and the norm. It looks coordinated
| because the team who focuses specifically on telecoms had their
| tools burned. Pick pretty much any sector of interest and the
| intelligence services of the top 50 countries all have a team
| dedicated to hacking it. The majority of them are successful.
|
| Sadly even most people in security are woefully unaware of the
| scope and scale of these operations, even within the networks
| they are responsible for.
|
| The "noise" here was not from the attacker. They don't want to
| get caught. But sometimes mistakes happen.
| 0xbadcafebee wrote:
| Interestingly, some of those teams dedicated to hacking are
| either private sector or a branch that nobody has heard of. I
| once interviewed for a company whose pitch to me was
| basically "we get indemnity to hack foreign telcos" and "we
| develop ways to spy that nobody has thought of". That was 20
| years ago
| hooo wrote:
| What do those companies look like externally? Are they
| publicly known?
| 0xbadcafebee wrote:
| Some are specialized, some are diversified. Definitely
| public, I believe they all have to be listed on fedgov's
| contractor list? Some are obvious weapons contractors,
| some aren't (like extensions of big-name universities).
| If you see job listings for weapons development, cyber
| ops, secret-clearance software dev, cryptography, etc,
| that's a clue.
| metalman wrote:
| Given the noise about Huawei and spy cranes, it would be
| interesting to know if the "attacks" were against any and all
| telecoms equipment, or just Chinese stuff, not that I think it
| would make any difference. The daylight (heh heh!) trolling for
| telecom and power cables, is most definitely a (he ha!) signal,
| aimed at western politicians. Another one, is that while there
| are claims of North Korea, taking crypto, no identifiable
| victim has stood up. Western politicians are attempting to
| redirect the whole world's economy, based on saving us from the
| very things that are happening, just now. So it does seem more
| than coincidental.
| immibis wrote:
| Aren't they attacks against the US government mandated
| backdoors in all equipment?
| 0xbadcafebee wrote:
| It probably wasn't a simultaneous attack, they probably
| penetrated over a long period of time. The defenders just
| _found_ them all simultaneously (you find one, you go looking
| for the others)
|
| > Why not just bribe employees to listen in on high profile
| targets?
|
| Developing assets is complicated and difficult, attacking SS7
| remotely is trivial, especially if you have multiple targets to
| surveil
| marcosdumay wrote:
| The most incompetent crook is the first one to get caught.
|
| There's a huge selection bias factored into what attacks make
| the news.
| alexpotato wrote:
| Incompetence is just one dimension on odds of being caught.
|
| You could be an incredibly competent and highly motivated
| crook and bad luck in the form of an intern looking at logs
| or a cleaning lady spotting you entering a building could
| take you down.
| ChrisArchitect wrote:
| Some related prior discussion:
|
| _PRC Targeting of Commercial Telecommunications Infrastructure_
|
| https://news.ycombinator.com/item?id=42132014
|
| _AT&T, Verizon reportedly hacked to target US govt wiretapping
| platform_
|
| https://news.ycombinator.com/item?id=41766610
| jmward01 wrote:
| This is why we need device to device encryption on top of all the
| security that a telco has. There is no excuse for any connection
| I make being unencrypted at any point except the receiver.
| mike_d wrote:
| While you aren't wrong about needing end to end encryption,
| that would not have helped here. What China was after was meta
| data (who is communicating with who), which is a completely
| different problem to solve.
| whimsicalism wrote:
| the articles i saw said they could record phone calls at will
| trollied wrote:
| Yes, but not by man-in-the-middle attacks between the
| device and the network. There are systems internal to the
| provider that let you listen to any call.
| immibis wrote:
| Because the US government forces them to have these
| systems and to not encrypt the calls. There should be
| more attention on the fact that, essentially, the US
| government hacked US telecoms for China's benefit.
| 0xbadcafebee wrote:
| Since the 80s you can spy on anyone's calls using the
| telco's standard maintenance features. You dial up a
| number, you then dial another number, and you're
| basically patched in to the second number, can listen in
| on any current call. There was a different system
| required by the government for taps, but linemen have
| their own method so they can diagnose issues. At least
| that used to be the case through the 2010s.
|
| Stupidity and banality is a far greater threat than
| conspiracy.
| bilbo0s wrote:
| Let's not overstate it. The US government hacks telecom
| for the benefit of the US government. Now having said
| that, as someone above mentioned, the intelligence
| agencies of the top 50 national governments are obviously
| all keen to use those hacks for their own benefit. And
| the flip side of that is that the US government is very
| interested in stopping these other national governments
| from succeeding.
|
| Clearly, the counter-intel part of the US government
| effort has been less successful than the surveillance and
| intelligence gathering effort. But that doesn't mean that
| the US government _wants_ all those other nations to be
| able to gather data from these systems. Our government
| wants nothing more than to be the only national
| government capable of gathering data from these systems.
| sneak wrote:
| Make your phone calls with Signal and you don't have this
| problem. So far the US government isn't forcing anyone to
| use unencrypted calling.
| mike_hearn wrote:
| Well obviously there is a good excuse, that users do not want
| to and cannot generally deal with key management. Even dealing
| with phone numbers is a hassle, and now you want to add a
| public key on top? One which cannot easily be written down, and
| is presumably tied to the handset so if you lose and replace
| your phone you stop being able to receive all phone calls until
| you manually somehow distribute your new key to everyone else?
|
| End to end encryption has proven to be unworkable in every
| context it's been tried. There are no end-to-end encrypted
| systems in the world today that have any use, and in fact the
| term has been repurposed by the tech industry to mean pseudo
| encrypted, where the encryption is done using software that is
| also controlled by the adversary, making it meaningless. But as
| nobody was doing real end-to-end encryption anyway, the
| engineers behind that decision can perhaps be forgiven for it.
| btown wrote:
| > pseudo encrypted, where the encryption is done using
| software that is also controlled by the adversary
|
| I'd say there's a very real use for this, though, which is
| that with mobile applications it's more complicated to
| compromise a software deployment chain than it is to
| compromise a server-side system. If you're a state-level
| attacker and you want to coordinate a deployment of listening
| capabilities on Signal, say, you need to persistently
| compromise Signal's software supply chain and/or build
| systems, and do so in advance of other attacks you might want
| to coordinate with, because you need to wait for an entire
| App Store review cycle for your code to propagate to devices.
| The moment someone notices (say, a security researcher
| MITM'ing themselves) that traffic doesn't match the Signal
| protocol, your existence has been revealed. Whereas for the
| telcos in question, it seems it was possible to just
| compromise a server-side system to gain persistent listening
| capabilities, which could happen silently.
|
| Now, this can and should be a lot better, if, say, the Signal
| app was built not by Signal but by Apple and Google
| themselves, on build servers that provably create and release
| reproducible builds straight from a GitHub commit. It would
| remove the ability for Signal to be compromised in a non-
| community-auditable way. But even without this, it's a
| nontrivial amount of defense-in-depth.
| knallfrosch wrote:
| You can just force Google/Apple to roll out compromised
| versions to selected users and force them to keep their
| mouth shut about it.
| fn-mote wrote:
| Your comment concerns the situation where the state level
| attacker is the US.
|
| As the article points out, there are many other
| adversaries to be concerned about. Protecting against
| them would be good. Don't give up so quickly.
|
| Aside - not the main point -->
|
| I actually do not know if we are at the level of "forced
| speech" in the US. Publishing hacked apps would fall
| under that category. Forced silence is something and less
| powerful. Still bad, obviously.
| supertrope wrote:
| Apple Facetime is painless enough. It can't mitigate targeted
| government espionage but it raises the bar from mass
| collection of plaintext.
| BlueTemplar wrote:
| AFAIK this would not be news for EU telecoms: they are being
| operated by Chinese companies, so those have permanent access to
| nearly everything anyway.
|
| https://berthub.eu/articles/posts/5g-elephant-in-the-room/
|
| So is that not the case for USA telecoms?
| jart wrote:
| Well at least American telecoms are fighting them. The European
| MO is to not only let themselves be conquered, but they
| actually pay China to do it. Thankfully American online
| services are on Europe's side, and work harder than anyone to
| protect their communications. These services don't even charge
| Europe anything, and Europe rewards them with billions of
| dollars of fines for doing it. Europe also defaced our websites
| in an effort to tax the attention economy, and removed legal
| protections for open source developers.
| __m wrote:
| > American online services are on Europe's side, and work
| harder than anyone to protect their communications
|
| Yeah sure, except giving the NSA access and complying with
| the CLOUD Act.
| topspin wrote:
| > fighting them
|
| That's amusing. I'll grant that US companies haven't outright
| surrendered, and are still at least permitted to engage in
| lip service on the issue. But actual "fighting"? That would
| mean a tech world that looks very different than what we have
| today, and would fatally conflict with no end of "interests"
| in the US.
| ggm wrote:
| This feels like the perfect time for two outcomes: Ripley's
| solution, and deploy clean slate IPv6.
| gorgoiler wrote:
| Can you elaborate? The first I assume is "take off and nuke the
| site from orbit", per _Aliens (1986)_. What are you advocating
| for with IPv6? Increasing the enumeration space for IP
| addresses from 32 bits to /64 prefixes?
| ggm wrote:
| I'm really just advocating for a drop in replacement. You
| wouldn't redeploy the addressing architecture you have,
| instead disrupt the surface the salt gets into. If you did a
| drop in why not go the whole hog and make it a 6 fabric?
| daneel_w wrote:
| But, a drop-in replacement of what? SS7? Diameter? Chinese
| cellular base stations from Huawei etc.? The collective
| telco IT infra and the shoddy security practices (or lack
| thereof)?
| ggm wrote:
| "Yes"
| est wrote:
| > capability to geolocate millions of individuals
|
| I guess Starlink could easily geolocate every 4G/5G phone IMEI
| with huge direct-to-cell antennas
| mike_hearn wrote:
| Modern mobile phone protocols do not expose your IMEI
| encrypted, they have a multi-step process in which temporary
| identifiers are used to identify the device to most of the
| network. So this is not necessarily the case.
| yapyap wrote:
| even with SS7?
| betaby wrote:
| Last time I saw SS7 in production about a decade ago. Which
| operator uses SS7 today?
| andy_ppp wrote:
| War with China is starting to seem increasingly likely, we need
| to seriously prepare our industry now to manufacture things again
| and stop giving them our technology.
|
| The NSA/CIA need to start making systems more secure by default
| and stop thinking spying on their own populations is a top
| priority.
| Krasnol wrote:
| What war?
|
| The digital has been running for quite a while, and there won't
| be a real one. China has nothing to gain from starting one. I
| mean seriously...why would you shoot your customer?
| rickydroll wrote:
| > I mean seriously...why would you shoot your customer?
|
| It depends on your goal. If it is strictly a commercial
| relationship, "shooting your customer" could be advantageous
| for preserving a revenue stream. Customer lock-in could be
| seen as a form of "shooting your customer".
|
| If your goal is political, "shooting your customer" may
| enable a regime change that is friendlier to you. We have
| done this multiple times in the Middle East, Central America,
| and South America.
| lenerdenator wrote:
| The difference is, China has more have-nots than the US has
| people. The US is the main source of value creation for
| China. If Xi wants to not have a coup and be beh... I mean,
| if Xi wants to guarantee the future prosperity of the PRC,
| he needs to raise those have-nots out of poverty and the
| way to do that is by selling stuff to Americans and
| stealing their IP, not creating a shooting war with a
| country that has enough nuclear weapons to make this planet
| uninhabitable to intelligent life for centuries.
|
| The US has done what it has done in the regions you list
| because they're already unstable (particularly the Middle
| East) and have no way of striking decisive blows against US
| territory.
| kiba wrote:
| The way to do that is to actually have stronger
| consumption in China, not antagonize the US.
| jamesmotherway wrote:
| China-nexus threat actors tend to be focused on espionage,
| including intellectual property theft. "Prepositioning" is a
| more recent observation, but it doesn't mean a war is
| inevitable. While it would be useful in that scenario, in
| others it may act only as a deterrent. Everyone should hope a
| war does not occur.
|
| The NSA and CIA are neither able nor authorized to defend all
| privately-owned critical infrastructure. While concerns about
| agency oversight are warranted, I can assure you that spying on
| the population is not their top priority. It's abundantly clear
| that foreign threats aren't confined to their own geographies
| and networks. That can't be addressed without having the
| capability to look inward.
|
| Secure by Design is an initiative led by CISA, which frequently
| shares guidance and threat reporting from the NSA and their
| partners. Unfortunately, they also can't unilaterally secure
| the private sector overnight.
|
| These are difficult problems. Critical infrastructure owners
| and operators need to rise to the challenge we face.
| notyourwork wrote:
| The NSA/CIA need to start paying higher salaries to encourage
| more talent to go into the government sector. I remember in
| undergrad we had an NSA recruiter come talk to our computer
| science class. After the discussion, I was able to chat them up
| on the side and they mentioned salary being the hardest problem
| with recruiting top talent. Big tech pays too much and
| government not enough. Where would you go when you graduate?
| 2OEH8eoCRo0 wrote:
| Do they pay too little or have big tech monopolies distorted
| the market with their firehoses of cash? Bit of both?
| AndyMcConachie wrote:
| The people involved in this have all the reason to blame China or
| Chinese backed groups for this, but has there been any actual
| evidence released that confirms this? Attribution is notoriously
| difficult and the only thing the public has to go on is the word
| of people involved.
|
| Yet when one reads these articles it's just, "China, China,
| China!!!"
|
| Anyone have a link to actual evidence?
| nextworddev wrote:
| Usually if North Korea or Russia did it, they say North Korea
| or Russia did it.
| GordonS wrote:
| Honestly, it feels like they just pick a nation based on the
| current narrative. They already have plenty to bash Russia
| with regarding the Ukraine war, and they need to keep
| sinophobia alive and kicking, hence China.
|
| Plainly I have no real evidence for this, other than the
| constant _lack_ of evidence for their claims, and the doubts
| that are cast within the infosec community when data is
| available.
| nextworddev wrote:
| Since OP asked for evidence, maybe we should ask for the
| evidence that backs your hypothesis that bad reporting
| about China = unsubstantiated sinophobia
| INGSOCIALITE wrote:
| we've always been at war with eurasia
| GordonS wrote:
| Unfortunately much of the West seems to have mistaken
| 1984 for a manual, rather than a cautionary work of
| fiction.
| michaelt wrote:
| Many times in the past, a piece of malware developed by one
| group has been co-opted by another group. You see a virus like
| Stuxnet or Mirai that's working well, you just replace the
| payload, or switch the command-and-control code over to
| yourself. Then you launch an attack, but the weapon has someone
| else's fingerprints all over it.
|
| As such, even if Xi Jinping himself had stood up at the UN and
| claimed responsibility for a particular Windows kernel-mode
| rootkit, that _still_ wouldn't be incontrovertible evidence.
| cedws wrote:
| If companies practiced data minimisation, and end-to-end
| encrypted their customers' data that they don't need to see,
| fewer of these breaches would happen because there would be no
| incentive to break in. But intelligence agencies insist on having
| access to innocent citizens' conversations.
| beezlebroxxxxxx wrote:
| > But intelligence agencies insist on having access to innocent
| citizens' conversations.
|
| That's part of the problem. But companies also are unwilling to
| pay to do any of the things that you've described. There is no
| punishment or fine that is actually punitive. Protecting (short
| term) profit is more important than protecting users' data ---
| it's even more important than protecting the (long term) profit
| potential of a company with a good reputation.
|
| Until the data breaches lead to serious $$$ impact for the
| company, the impact of these breaches will simply be waved off
| and pushed down to users. ("Sorry, we didn't protect your stuff
| at all. But, here's some credit monitoring!") Even in the
| profession of software development and engineering, very few
| people actually take data security seriously. There's lots of
| talk in the industry, but also lots of pisspoor practices when
| it comes to actually implementing the tech _in a business_.
| ganoushoreilly wrote:
| Hell in this instance, just replacing non EOL equipment that
| had known vulnerabilities would have gone a long way. We're
| talking routing infrastructure with implants designed years
| ago, still vulnerable and shuffling data internally.
| Dalewyn wrote:
| The "problem" is no one cares and certainly doesn't want to
| pay for the costs, especially the end users. That EOL
| equipment _still works_, there are next to no practical
| problems for the vast vast vast vast vast vast vast
| majority of people. You cannot convince them that this is a
| problem (for them) worth spending (their) money on.
|
| Even during the best of times people simply do not give a
| fuck about privacy.
|
| Honestly, if there is a problem at all I would say it's the
| uselessness of the Intelligence Community when actually
| posed with an espionage attack on our national security.
| FBI and CISA's response has been "Can't do; don't use." and
| I haven't heard a peep from the CIA or NSA.
| danudey wrote:
| Until companies are held liable for security failures
| they could have and should have prevented, there's no
| incentive for anyone to do anything. As long as the cost
| of replacing hardware, securing software, and hiring
| experienced professionals to manage everything is higher
| than the cost of suffering a data breach companies aren't
| going to do anything.
|
| I've seen the same thing at previous jobs; I had a lot to
| do and knew a lot of security issues that could
| potentially cause us problems, but management wasn't
| willing to give me any more resources (like hiring
| someone else) despite increasing my workload and
| responsibilities for no extra pay. Surprise, one of our
| game's beta testers discovered a misconfigured firewall
| and default password and got access to one of our backend
| MySQL servers. Thankfully they reported it to us right
| away, but... geez.
| mystified5016 wrote:
| But AT&T and their 42,690 partners say they value my privacy
| :(
| scrose wrote:
| They do value your privacy! They just don't like to share
| how many cents it's worth to them
| thwarted wrote:
| There's another side to it, which you allude to with the give
| away of credit monitoring services that data breaches result
| in. The whole reason the data is valuable is for account
| takeover and identity theft because identity verification
| uses publicly available information (largely publicly
| available, or at least discoverable, even without breaches).
| But no one wants to put in the effort to do appropriate
| identity verification, and consumers don't want to be
| bothered to jump through stricter identity verification
| process hoops and delays---they'll just go to a competitor
| who isn't as strict.
|
| So we could make the PII less valuable by not using it for
| things that attract fraudsters.
| oooyay wrote:
| I work in internal tools development, aka platform
| engineering, and this is interesting:
|
| > That's part of the problem. But companies also are
| unwilling to pay to do any of the things that you've
| described. There is no punishment or fine that is actually
| punitive. Protecting (short term) profit is more important
| than protecting users' data --- it's even more important than
| protecting the (long term) profit potential of a company with
| a good reputation.
|
| Frankly, any company that says they're a technology or
| software business should be building these kinds of systems.
| They can grab FOSS implementations and build on top or hire
| people who build these kinds of systems from the ground up.
| There's plenty of people in platform engineering in the US
| who could use those jobs. There's zero excuse other than that
| they don't want to spend the money to protect their customers
| data.
| causal wrote:
| Intelligence agencies may use that data, but there are plenty
| of financial incentives to keep that data regardless. Mining
| user data is a big business.
| api wrote:
| The best solution to privacy is serious liability for losses of
| private customer data.
|
| Leak or lose a customer's location tracking data? That'll be
| $10,000 per data point per customer please.
|
| It would convert this stuff from an asset into a liability.
| nyc_data_geek1 wrote:
| This exactly. Data ought to be viewed as fissile material.
| That is, potentially very powerful, but extremely risky to
| store for long periods. Imposing severe penalties is the only
| way to attain this, as the current slap on the wrist/offer ID
| theft/credit monitoring is an absurd slap in the face to
| consumers as we are inundated with new and better scams from
| better equipped scammers everyday.
|
| The current state is clearly broken and unsustainable, but
| good luck getting any significant penalties through
| legislation with a far-right government.
| Terr_ wrote:
| Yeah, take an externality, make it priceable, and _then_ "the
| market" and amoral corporations will start reacting.
|
| Same principle as fines for hard-to-localize pollution.
| danudey wrote:
| After Apple argued for years that a mandatory encryption-
| bypassing, privacy-bypassing backdoor for the government could
| be used by malicious entities, and the government insisting
| that it's all fine don't worry, now we're seeing those
| mandatory encryption-bypassing, privacy-bypassing backdoors for
| government being used by malicious entities and suddenly the
| FBI is suggesting everyone use end-to-end encryption apps
| because of the fiasco that they caused.
|
| But don't worry, as soon as _this_ catastrophe is over we'll
| be back to encryption is bad, security is bad, give us an easy
| way to get all your data or the bad guys win.
| jrexilius wrote:
| That's not exactly true. The FCC911 and other government laws
| require the telcos to have access to location data and record
| calls/texts for warrants. The problem is both regulatory as
| well as commercial. It is unrealistic to expect the general
| public or the government to go with real privacy for mobile
| phones. People want LE/firefighters to respond when they call
| 911. Most people want organized crime and other egregious
| crimes to be caught/prosecuted, etc. etc.
| salawat wrote:
| Nonsense. I kindly informed my teenage niece of the fact all
| her communications on her phone should be considered public,
| and the nature of Lawful Interception, and the tradeoffs she
| was opted into for the sake of Law Enforcement's convenience.
|
| She was not amused or empathetic to their plight in the
| slightest. Population of at least 2 I guess.
| 2OEH8eoCRo0 wrote:
| While I agree, isn't this a degree of victim blaming? They were
| hacked by a state actor and every thread ignores the elephant
| in the room.
| webdoodle wrote:
| They need to release all the metadata for Jeffrey Epstein et al.
| Clearly the U.S. government isn't going to after 20 years of lies
| and deceit.
| 1vuio0pswjnm7 wrote:
| https://www.cisa.gov/sites/default/files/2024-12/guidance-mo...
| GenerocUsername wrote:
| So this is obviously the intelligence agencies cleaning data
| before Trump takes control right
| Hilift wrote:
| The US Treasury just announced they had an incursion by Chinese
| threat actors. Their "cyber security vendor" had a remote access
| key compromised, enabling the attackers access to endpoints
| within Treasury.
| codedokode wrote:
| Imagine if the calls were E2E encrypted, phone accounts were
| anonymous, there were no identifiers like IMEI, and phone
| companies didn't detect and record geolocation... this attack
| would be much harder.
| Zigurd wrote:
| I can't confirm it because the descriptions of the hack are
| unclear but if _more_ network operators say they've been hacked
| it is more and more likely the Chinese got in by attacking lawful
| intercept. This could happen in various ways: bribe or blackmail
| someone in law enforcement with access to a lawful intercept
| management system (LIMS), a supply chain attack on an LIMS
| vendor, hacking the authentication between networks and LIMS,
| etc.
|
| If it is an LI attack the answer to which networks are
| compromised is: All of them that support automated LI.
|
| That's a nasty attack because LI is designed to not be easily
| detectable because of worries about network operators knowing who
| is being tapped.
___________________________________________________________________
(page generated 2024-12-31 23:00 UTC)