[vayup]

Some of the stuff that was extracted from the unencrypted traffic in the link:

- T-Mobile backhaul: Users' SMS, voice call contents and internet traffic content in plain text.

- AT&T Mexico cellular backhaul: Raw user internet traffic

- TelMex VOIP on satellite backhaul: Plaintext voice calls

- U.S. military: SIP traffic exposing ship names

- Mexico government and military: Unencrypted intra-government traffic

- Walmart Mexico: Unencrypted corporate emails, plaintext credentials to inventory management systems, inventory records transferred and updated using FTP

This is insane!

While it is important to work on futuristic threats such as Quantum cryptanalysis, backdoors in standardized cryptographic protocols, etc. - the unfortunate reality is that the vast majority of real-world attacks happen because basic protection is not enabled. Good reminder not take our eyes off the basics.

[alfiedotwtf]

> This is insane!

Not as insane as it was in the early 2000s…

> while link-layer encryption has been standard practice in satellite TV for decades

Before Snowden, I would say 99% of ALL TCP traffic I saw on satellites was in unadulterated plain-text. Web and email mostly.

… the pipe was so fast, you could only pcap if you had a SCSI hard drive!

[petercooper]

I was exposed to some of this as a teenager due to a (now dead) family member being heavily into telecoms. You could receive and process POCSAG (the protocol used by paging systems) to pretty much read the entire stream of unencrypted, plain text pager messages going out over the wire. You could also reprogram a generic pager to receive pages for whatever number you liked. You could also transmit your own POCSAG and send any number a page (only within your transmission range).

SMS was also a bit like this in its early days and you could read them coming off the local cell (also true of calls at a certain time, but I didn't see much of this).

I just did a quick search and apparently many pagers in the UK are still running cleartext POCSAG! https://www.reddit.com/r/RTLSDR/comments/1asnchu/are_uk_page...

[tmjwid]

Yeah POCSAG is not encrypted here in the UK. You can still see all the emergency information from around the country unencrypted in realtime. They even broadcast the details of the emergency and a lot of times it's not nice. You do/did get some bird watching sightings though!

[mattsparkes]

Very curious to hear more about this. How is it done, and what's the legal status of doing it?

[sidewndr46]

This is still the case today in the US, plenty of pager systems run POCSAG or near equivalents. There is no conditional access or encryption of any kind. Receiving such signals is notionally criminal, but I'm unaware of any prosecutions for such a thing.

[T3OU-736]

```… the pipe was so fast, you could only pcap if you had a SCSI hard drive!```

This is why NSA asked for (and got from SGI) a guranteed rate I/O API - to make sure that whstever the signal intelkigence platform sensors captured could be written to storage.

[feraloink]

In https://satcom.sysnet.ucsd.edu/ Has The Issue Been Fixed section:

>we re-scanned with their permission and were able to verify a remedy had been deployed: T-Mobile, WalMart, and KPU.

The fact that critical infrastructure (e.g. utility companies using satellite links for remote-operated SCADA) was exposed is really scary too.

[colechristensen]

>The fact that critical infrastructure (e.g. utility companies using satellite links for remote-operated SCADA) was exposed is really scary too.

Really serious security risks in critical/industrial infrastructure are ... numerous. And these aren't complex vulnerabilities, these are leaving the door open with default passwords, unencrypted traffic, and that sort of thing.

[jabiko]

When driving by Bad Aibling I always wondered why the BND (intelligence agency) invests so heavily in satellite communication eavesdropping. I naively assumed that this kind of communication would be encrypted.

Also a fun fact: For a long time it was only semi-officially known that the BND owned and operated the site. Officially it was called "Long distance telecommunications station of the Bundeswehr" and operated by the "Federal Office for Telecommunications Statistics"

[MagnumOpus]

At least since the mid-1990s Echelon revelations in the EU parliament anybody who cares knows that Bad Aibling (and similar stations all across Europe like Bude/Morwenstow in the UK) had been operated by the NSA in collaboration with US Army intelligence (if the official name of “18th United States Army Security Agency Field Station” didn’t clue you in.

Officially it has been transferred to the BND; experience suggests all data from there still goes straight back to Fort Meade… (And in exchange the BND gets some morsels back on people _they_ are not allowed to spy on publicly.)

[RajT88]

I'm waiting for IT departments worldwide to wake up to the threat that your browsers are leaking all of your URI's by default back to the manufacturers.

URI's leak company secrets. I'm sure there's some people at Google using Edge which are leaking company data to Microsoft. I'm sure there's some people at Microsoft using Chrome which are leaking data to Google.

Edge and Chrome both send back every URI you visit to "improve search results" or to "sync history across devices". It's not clear if this includes private mode traffic or not (they don't say).

Huge privacy hole to allow this, and nobody seems to be aware or care.

[fmobus]

For that to be in anyway useful for those companies (as a means to spy on their competitors), they'd have to be actively looking into the information to derive intelligence. Not really practical without some serious engineering, which would leave tons of evidence. It's not worth it. That's just not how these companies operate.

> there's some people at Google using Edge

I'd be surprised if it's more than a handful of people with explicit exceptions for work-related tasks. Chrome is the norm.

[RajT88]

> For that to be in anyway useful for those companies (as a means to spy on their competitors), they'd have to be actively looking into the information to derive intelligence. Not really practical without some serious engineering, which would leave tons of evidence. It's not worth it. That's just not how these companies operate.

Was thinking about this as well. What evidence would it realistically leave? I mean - they are sending the uri's by default so no client side reverse engineering is needed. They say plainly they are doing this.

Yes, it's a lot of traffic.

IP spaces are well known. Easy to filter for corporate traffic. From there, it's a smorgasbord of internal URI's to dig through - anything with no domain name, or host.(companyname).com traffic. Also easy.

Maybe this ends up in a big data lake queryable by certain groups, but not anyone likely to spill the beans. NDA covers you there. This is not New York Times level corporate subterfuge. It's almost certainly not legal - and this is the important thing - the regulators haven't had the gumption to prosecute anti-competitive behavior in earnest since the 70's or earlier. What Microsoft went through in the 90's in retrospect was antitrust litigation with kid gloves on.

This armchair analyst sees no downside to such practices. Risk, but so little it doesn't matter.

Sure, insiders could spill the beans and violate their NDA's, but who the fuck is going to do more than levy a slap on the wrist for something too difficult to explain to Congress in a way that gets them to care?

Now, I think if you actually put your hands on the browsing history of congressmen harvested in this way, and put it into the public domain, you're going to get a bunch of regulators to all of a sudden care about antitrust enforcement again.

[fmobus]

You're putting too much faith in NDAs. All it takes is one disgruntled employee with a sense of ethics.

Also, evidence doesn't have to be externally visible. In a lawsuit discovery will dig through design docs, server logs, emails, chats, everything.

[estimator7292]

That's what we have AI for. This type of thing is no longer a manual or manually-automated process.

[fmobus]

Sure, but that still takes engineering. Extracting information and intelligence out of the data is not just throwing AI into a pile of data, it's real engineering that will always required months of design, experiments, computing and storage capacity planning, releases, maintenance, operations, etc.

That leaves a huge internal paper trail - the kind of thing that shows up during discovery in a lawsuit.

No, companies like that are not doing this kind of shit, it's not worth it.

[RajT88]

I mean, realistically, yes. But you'd be surprised sometimes pretty technical folks who just use whatever is installed when their work machine for whatever reason runs Windows.

[fmobus]

Luckily, the fleet is tightly managed and you <i>can't<i> install just anything.

[pengaru]

Wait til you hear about how many companies willfully perform all their work in g-suite and office 365/teams

[RajT88]

Indeed. And they are trying to find sneaky ways to get you to back up more and more data there.

They do have privacy policies which say they won't sell that data, or use it for advertising or anything other than delivering the service. But - who knows if that is true? There's no oversight. And if they get caught breaking that privacy policy, who has the appetite these days to do anything meaningful in terms penalties? Nobody.

[nakedper]

WHEN they get caught and the fine never outweighs the sale price of the data. It's not a coincidence. It's a clear factory in the cost of doing that into business. There's no Moreland ethical backbone here.

[shadowgovt]

I believe the point of the above comment is "The trust model already trusts the recipient, so nobody cares that the recipient is seeing query params because they trust the recipient to ignore them."

> who knows if that is true? There's no oversight

The oversight is that those companies rely heavily on being trustworthy, and proving untrustworthy would be disastrous for their business models. Companies don't have to care right now because they have reason to believe Google, MS, et. al. aren't sniffing that data. If they came to believe they were?

Google alone is making $43 billion on Cloud and would prefer not to jeopardize that revenue stream.

[abdullahkhalids]

Facebook for example has been shown in multiple public scandals and lawsuits to be untrustworthy. It is still among the largest social media platforms, and many businesses, for example, reveal large chunks of their marketing strategies to Facebook through its advertising tools.

The reason why this does not result in a significant loss of usage is because trustworthiness-usage is not a linear function or a even a continuous function -- it is a step function. To cause less usage, the loss-of-trust force has to be higher than the networking effect force. Otherwise, behavior does not change.

[RajT88]

> If they came to believe they were?

That's what I don't get - security and compliance people are paranoid.

This is the kind of thing they shouldn't be requiring evidence to care about, given the rest of their job is about the "what-ifs". Just seems crazy to me.

[zelos]

> Real-time military object telemetry with precise geolocation, identifiers, and live telemetry

Oops

[NoiseBert69]

Pulls out the bamboo whip

Another round of OpSec training

[atoav]

Why? I thought we are now clear on OpSec?

[misswaterfairy]

Perhaps not in the clear for OpSec purposes...

[1oooqooq]

that message was about the inner circle of the regime, to discuss the plans to sabotage opsec elsewhere.

anyway, but even that had a joke of opsec.

[rurban]

Did you check how hospitals or governments treat sensitive patient data? They are transported in clear (no TLS) over the net from the hospital or ensurers databases to the practitioners. Not on 80, but still just plain DICOM XML. With full names and all the sensitive data. That's a bit more insane IMHO.

The new German ecard patient system is also trivial to hack, as shown multiple times on CCC. As long as no one goes to jail, they will continue like this.

[CGMthrowaway]

Is there a git repo that lets one read this stuff in real time yet?