[maltalex]

Yes, telecoms should be forced to invest in their own security if they're not doing it. But the focus on the back door misses the point in my opinion. Even if the back door wasn't there, you wouldn't want nation state hackers anywhere near telecoms since they're critical infrastructure.

[AnthonyMouse]

> Even if the back door wasn't there, you wouldn't want nation state hackers anywhere near telecoms since they're critical infrastructure.

This is only because of the design defect that "lawful intercept" requires.

Telecoms should be completely untrusted because everything is end-to-end encrypted. Compromising a telecom shouldn't allow you to do anything other than bring about a denial of service, and even that would only be effective against anyone who didn't have a redundant link with a different provider, which all actually critical infrastructure should. And a denial of service is conspicuous, as opposed to spying on required-to-be-unencrypted traffic which can continue undetected indefinitely and is a significant national security risk.

Our need to not be spied on is greater than our need to spy on ourselves and requiring designs that assume the opposite of that is a major self-imposed security vulnerability.

[Nextgrid]

Even if let's say lawful intercept is done away with and calls are end-to-end encrypted, the telco would still be in control of key management and distribution... and if those clowns can't secure lawful intercept, why do you think the key distribution infrastructure would fare any better?

[AnthonyMouse]

Why should they be in charge of key management? They should be in charge of physical plant and leave all of that to someone else. We should be discontinuing the legacy PSTN and making "phone" an IETF protocol where your "phone number" is user@domain.