[ungreased0675]

These companies were required by the government to have lawful intercept capability. A bad actor took advantage of that government-required backdoor, and now the government has the shamelessness to grandstand about privacy and security? We need to elect better people.

[illithid0]

I've worked as a security consultant with one or two companies (who shall remain nameless) whose sole product was a hardware device with a black-box software stack meant to be a plug-and-play lawful intercept compliance solution. Telecoms should be able to buy it, install it, and access a web panel to do their government-mandated business.

In the three or four year I worked with them, they would only let me do penetration testing of their user network, and never the segments where the developers were, and never the product itself. In speaking with their security team (one guy - shocker) during compliance initiatives, it was very clear to me that the product itself was not to be touched per the explicit direction of senior leadership.

All I can say is that if the parts of their environment they did let us touch are any indication of the state of the rest of their assets, that device was compromised a long time ago.

[red-iron-pine]

when I lived in NoVA I had a roommate that installed and serviced boxes that sound suspiciously similar.

SSL crackers to MITM all ISP user traffic

[Ms-J]

Certainly these devices exist and are installed daily to further steal our info, but are you sure these devices weren't DPI boxes? If you could give a little more detail I might know since I've worked with this type of equipment.

[unethical_ban]

Yuck.

[SunshineTheCat]

I agree with you on electing better people, but this is largely a systematic problem with how government works:

1. Propose bill to solve a problem which is either minor or completely misunderstood by the person proposing the bill 2. Pass bill, don't solve original "problem," creates 15 new, actual problems 3. Run on fixing all the new problems they created (and some others that don't exist) 4. Repeat

[sidewndr46]

You forgot about the part to appropriate money, spend it, & declare the problem solved

[maltalex]

The problem isn't the back door. Every telecom company in every country provides access for "lawful intercept". Phone taps have been a thing for decades and as far as I know, require a warrant.

The problem is that telecoms are very large, very complex environments, often with poor security controls. Investing in better controls is hard, time-consuming and expensive, and many telecoms are reluctant to do it. That's not great great since telcos are prime targets for nation state hackers as Salt Typhoon shows.

Hacking the lawful intercept systems is very brazen, but even if the hackers didn't don't go as far, and "only" gained control of normal telco stuff like call routing, numbering, billing, etc. it still would have been incredibly dangerous.

[forgotaccount3]

> many telecoms are reluctant to do it.

This really buries the lede. Telecoms are reluctant to do it because 'doing' it isn't aligned with their priorities.

Why would a telecom risk bankruptcy by investing heavily into a system that their competitors aren't?

If you want a back-door to exist (questionable) then the government either needs to have strong regulatory compliance where poor implementations receive a heavy fine such that telecoms who don't invest into a secure implementation get fined in excess of the investment cost or the government needs to fund the implementation itself.

[maltalex]

Yes, telecoms should be forced to invest in their own security if they're not doing it. But the focus on the back door misses the point in my opinion. Even if the back door wasn't there, you wouldn't want nation state hackers anywhere near telecoms since they're critical infrastructure.

[AnthonyMouse]

> Even if the back door wasn't there, you wouldn't want nation state hackers anywhere near telecoms since they're critical infrastructure.

This is only because of the design defect that "lawful intercept" requires.

Telecoms should be completely untrusted because everything is end-to-end encrypted. Compromising a telecom shouldn't allow you to do anything other than bring about a denial of service, and even that would only be effective against anyone who didn't have a redundant link with a different provider, which all actually critical infrastructure should. And a denial of service is conspicuous, as opposed to spying on required-to-be-unencrypted traffic which can continue undetected indefinitely and is a significant national security risk.

Our need to not be spied on is greater than our need to spy on ourselves and requiring designs that assume the opposite of that is a major self-imposed security vulnerability.

[Nextgrid]

Even if let's say lawful intercept is done away with and calls are end-to-end encrypted, the telco would still be in control of key management and distribution... and if those clowns can't secure lawful intercept, why do you think the key distribution infrastructure would fare any better?

[AnthonyMouse]

Why should they be in charge of key management? They should be in charge of physical plant and leave all of that to someone else. We should be discontinuing the legacy PSTN and making "phone" an IETF protocol where your "phone number" is user@domain.

[ddtaylor]

The problem is the back door.

Decentralized systems don't have the same faults.

Just because you want to force a structure or paradigm doesn't absolve it of responsibility for the problem.

Hand waving the problem away because a company is bad at management or scale doesn't change anything.

[KaiserPro]

you are both confusing two issues.

Yes there is a lawful intercept system that operates inside telecoms networks, that is an issue.

The other issue is that there is no real security inside said telecoms networks. (side note, there is still fucking SS7 floating about)

Salt typhoon is not "just hijacking lawful intercept" its ability to fuck with the network in a way that is largely undetected. Sure the intercept stuff might help, but they don't actually need that. In the same way we learnt about state actors taking complete control of middle east telecoms systems, we can be fairly sure that other state actors have taken control of USA telecoms systems

Both the Executive and congress have done shit all about it, and will continue to ignore it until something happens

[pigggg]

This. The lawful intercept infrastructure is one facet of their network. The rest of their infra is also a deep concern: call records, SS7 signaling, the IP network, mobile infra and it's back end (sim swapping).

[maltalex]

> you are both confusing two issues.

How am I confusing the two? My whole point was the same as yours - that the existence of lawful intercept is a separate issue and that the focus should be on securing telecoms.

[maltalex]

Even if the back door wasn't there, you wouldn't want nation state hackers anywhere near telecoms since they're critical infrastructure. Telecoms should be highly secure. Period.

[ddtaylor]

It's okay to have unlocked backdoors because you don't lock your front door?

[maltalex]

I get that you don't like lawful intercept. That's fine. But focusing on only that aspect of telcos derails the conversation and prevents us (in the very broad sense of "us") from making progress on things we all agree on. Can we stop bikeshedding and agree that telcos are critical infrastructure and need to be highly secure in general?

A hacker in control of a telco can do as they please regardless of any backdoors or lawful intercept systems. They can just use regular network functions to route calls wherever they want.

[ddtaylor]

> Can we stop bikeshedding and agree that telcos are critical infrastructure and need to be highly secure in general?

Yes, because the solutions to both are the same. Decentralized and trustless systems solve both problems is my opinion. I agree the pathway from where we are at now and there is complex, but it's not "bikeshedding" to believe there are fundamentally different and better ways to organize and secure a network that change the attack surface entirely.

(Think of IP layer being replaced with a PKI as a small example)

[Clent]

No, it's pointless to complain about the existence of a backdoor, locked or unlocked because there is a front door that is not being locked.

[ddtaylor]

Not if the solutions to both are the same.

[gruez]

>and now the government has the shamelessness to grandstand about privacy and security? We need to elect better people.

Where's "the government [... grandstanding] about privacy and security"? It's getting blocked by the companies, not the government.

>She said Mandiant refused to provide the requested network security assessments, apparently at the direction of AT&T and Verizon.

[observationist]

"US Senator says AT&T, Verizon blocking release of Salt Typhoon security assessment reports"

A US senator is using it for political grandstanding. She is an ineffective twit with no power and no principles, no right under law to receive what she demanded, and she made sure to run to the press with it "see! look, I'm a principled, powerful senator holding those evil corporations feet to the fire!"

The problem is that the vulnerability exploited by salt typhoon is a systemic flaw implemented at the demand of Cantwell and other of our legislative morons.

You cannot have an "only the good guys" backdoor. That doesn't work. People are bad, and stupid, and fallible. You can't make policy or exceptions that depend on people being good, and smart, and infallible.

She's using the inevitable consequence of a system she helped create for her own political benefit. She voted for the backdoor back in 94 against the strenuous and principled objections by people who actually know what they're talking about.

Bobblehead talking points should not serve as the basis for technical policy and governance, but here we are.

[oasisbob]

> The problem is that the vulnerability exploited by salt typhoon is a systemic flaw implemented at the demand of Cantwell and other of our legislative morons.

Assuming you're talking about CALEA, I find it hard to blame Cantwell personally given that she first joined the House in 1993, and CALEA was passed in 1994. She wasn't in much of a position to "demand" anything against the headwinds of a bipartisan bill passed in both chambers by a voice vote.

[jtbayly]

The point remains that she's pretending the problem is AT&T, when really it is the US government's demand for a backdoor.

This should be trumpeted as an example of why we cannot mandate encryption backdoors in chat, unless we want everybody to have access to every encrypted message we send.

[Spivak]

You can tell this whole thing will be a nothingburger on the government side because the only thing she can actually do is pull in some CEOs to (not) answer questions and receive a congressional tsk tsk.

[observationist]

It's not even a strongly worded letter, lol. Senators and congress people should have to wear shock collars, and on majority polling get hourly "feedback" from their constituency, and for senators, weekly national feedback.

The convention of states project seems like it might be the only way out - there's a shot at implementing term limits, clearing up some of the money in politics issues, no risk of a runaway convention, etc, and we can bypass the people deliberately fouling up the system.

[plagiarist]

The country is such a dumpster fire. Fucking congressional hearings. The best case scenario is a little video clip that legislators can use to campaign with.

Each election period they have to take a break from eroding citizens' rights catering to lobbyists. The video clips help them pretend they were doing something other than insider trading while in the seat.

[charcircuit]

>You cannot have an "only the good guys" backdoor.

So what? If I store a document in a private Google doc. I know that technically a Google employee could read it if they really wanted to, but the policies, security, and culture in place make it have a 0% of happening. It's possible to design proper access systems where random people are not able to come in and utilize that access.

[observationist]

So you think there's no Google employees with privileged access gooning on private images, stalking, selling access, disrupting individuals, etc?

Schmidt notoriously had a backdoor, and I'd be far more shocked if executives did not have backdoor access and know all the workarounds and conditions in which they have unaccountable, admin visibility into any data they might want to access.

These are human beings, not diligent, intrepid champions of moral clarity with pristine principles.

[happyopossum]

Google employees with access? Yes. Google employees without audited and multiple levels of approval? No. I can tell you there are not.

Any Eng at Google can read the entire codebase for gdrive, if there were backdoors it would become public knowledge very quickly.

[the-rc]

What's this notorious backdoor?

[bigyabai]

> It's possible to design proper access systems where random people are not able to come in and utilize that access.

How quickly "Hacker" News forgets Snowden.

[wang_li]

>I know that technically a Google employee could read it if they really wanted to, but the policies, security, and culture in place make it have a 0% of happening.

We know it's non-zero as they have already had occasions when it has happened that Google employees used their access to stalk teenagers.

[charcircuit]

And such access kicked off an internal investigation and got him fired. Privacy is taken seriously.

[wang_li]

>And such access kicked off an internal investigation and got him fired. Privacy is taken seriously.

The complaints of the victim's parents kicked off an internal investigation, months later. It's not like google found this and took care of it on their own. Also, it has happened before too.

[jtbayly]

This is such a backwards take. You are ignoring that the system you cite as evidence that secure systems with backdoors can be designed and protected from random access has not been perfectly protected.

And you say it's stronger now.

Ok, so which country or neighbor is going to be the one to hack our national encryption system with a back door the first time? The second time? The third time? Before we manage to get it right (which we never will), what damage will be done by the backdoor? Probably something like Salt Typhoon, which you also conveniently ignore as a counterfactual to your claim.

[hulitu]

> Privacy is taken seriously.

With bug fixes and performance improvements ? Your privacy is very important for us, that's why we collect it all.

[dmix]

Is this speculation or has that information come out already?

[medina]

https://www.commerce.senate.gov/2025/12/experts-agree-u-s-co...

> “The Chinese government's espionage operation deeply penetrated networks of at least nine U.S. telecom companies, including AT&T and Verizon,” said Sen. Cantwell. “They exploited the wiretapping system that our law enforcement agencies rely on under the Communications Assistance for Law Enforcement Act -- known as CALEA. These systems became an open door for Chinese intelligence. Salt Typhoon allowed the Chinese operation to track millions of Americans’ locations in real time, record phone calls at will and read our text messages.”

[xnx]

This quote speaks in past tense, but last I heard the Chinese still had access/control of compromised systems. Do we know if this attack is even over?

[dmix]

That definitely deserves a congressional investigation then. No wonder they don't want to talk about that.

[ratelimitsteve]

goomba fallacy. the government isn't one person with one position. i agree with you that the backdoor should never have been installed in the first place but accusing them of hypocrisy because a group of lawmakers passed a law a while ago and a different group of lawmakers want a report on what went wrong and why is silliness. It seems as though the person spearheading this effort, Senator Cantwell, is in fact one of the better people that you propose we should elect but here you are shitting on her for trying to shed light on the pitfalls of the very policy you seem to be against in the first place.

[hulitu]

>We need to elect better people

The better people do not put themselves to be elected.

[downrightmike]

Not even that, they have CVE 10 from 2019 on their routers, which the hackers got root on then patched, so they wouldn't be kicked off by other hackers. All because IT upkeep wasn't done and hardening on Cisco devices is a distinct admin guide and not at all on by default. The days are long gone of qualified and careful network admins, now we just get the low-ball outsourced Cisco TAC and the like which DGAF