
#dontlookup ?
Here's a front-page headline you won't see these days: CHINA'S SPIES ARE TAPPING OUR PHONES. Not that they're not – they are – but, like the environment, there's so much cybersecurity horror in the media that, yes, of course they are. And? The story deserves screaming headlines everywhere, from national TV news down to the …
Which is why anybody with pretence to understanding 1+1=2 maintains their own privacy safeguards according to need, such as VPNs, encrypted protocols like https, keeping a special no-credit account for Internet shopping, etc. etc.
And will always need to. "But we have to leave the [ID/location data of choice] open, so the network can route it", etc. etc. Yeah, just like TOR does.
Personally, if I had anything sensitive to send, I'd steg it into yet another piccie of my cute cat, post it on social media, and good luck to the Chinese/Russians/North Koreans/CIA sucking it out of the shit ocean.
@Panicnow, you undermine your own argument.
The purpose of regulation is broadly speaking to implement minimum standards to drive desirable outcomes that markets don't deliver, and you're saying that regulation kills innovation. Why is that? If there's a commercial benefit from innovation, nobody is stopping companies improving their security practices, they're choosing not to because there's no value to them.
In the few instances where regulation could act as an impediment, regulators are more than happy to offer regulatory sandboxes or trials, and to engage with and listen to companies.
Adding regulation to address failings in the poorer players usually has the effect of putting a drag on improvements from the better players. Regulation based on correcting bad habits is rarely compatible with good habits. Not specifically IT but, in my 40+ years working, I came across numerous situations where the introduction of regulations to improve on poor safety practices of one set of companies stopped some of the good practices of others. It didn't have to be like that but, when politicians have to be seen to do something, the easiest (and best vote-winning) option is to look at what has been hitting the headlines (which is invariably the bad news)...
> nobody is stopping companies improving their security practices, they're choosing not to because there's no value to them.
This. Everything, but everything is about money. And laws. If there are no laws, and no cost benefit to doing it, no CFO will sign it off.
In the UK landline phones are going VoIP, which presumably means they could negotiate encryption for a call between phones with this arrangement. Anyone know if this is being done?
What is this "landline" you speak of? Seriously, so many folks are ditching them altogether and using mobile; yeah I guess that isn't as secure as we'd like but there's e2ee stuff like WhatsApp that supports voice or even video calls. My brother hasn't actually tried to phone me by LTE for ages and neither of us has a landline (for anything but broadband) any more; it's all WhatsApp these days. Though I do feel sorry for folks who can't use those methods for whatever reason.
( Of course this has its own problems - as a courtesy I have to *email* the Chinese spooks and *tell them* what I gave the cat for breakfast :P :P )
"If a Telco satisfies the regulation, what incentive is there to innovate."
Innovate? The only innovation that has been going on recently is finding new ways to screw over customers in order to push up shareholder earnings and handsome CEO remuneration. Once the parasites have sucked out all the profit, what's left to do this so-called innovation?
Rinse and repeat for all of the other utility suppliers...
If the author is so concerned about hacking, how about calling for shutting down RAF Menwith Hill? It seems that hacking is OK as long as it is America that is doing it. Rupert Goodwins should stick to watching John Wayne movies, where he can 'grab the Winchesters and head off injuns at the pass'. The biggest hacker in the world does not have the privilege of crying victim.
VoiceOfTruth username: check
Standing up for China: check
Reference to dated American pop culture having seen little else, to make a point: check
Evidently you are unhappy at having your rock moved again.
China try their hardest to copy and undermine everyone else in the world purely for their own interests. Our governments might be spying on us, we know, but at least they aren't trying to screw most of us over in the way China does.
What VoT is trying to explain is how utterly unreasonable it is for us to complain about this. After all, the Chinese people are treated "equally well":
- legislated requirement by Chinese companies to cooperate with State Security? check
- "required state software" on phones? check
- discouraged Winnie the Pooh pix? check
- "vacations away" for the miscreants? check
- "affirmative action" towards Uyghurs? check.
- national firewall to keep unpure thoughts out? check.
- takedown of surveilled social media postings? check.
As the article points out, it's really unclear what Trump 2 will mean for China. He is certainly antagonistic towards them. But he is also so incompetent and such a turn off to US allies that China may actually benefit in the long term.
Example: "Taiwan sucks, they stole all our chips. We will only help them against China if they pay us!" OK, what if that gains traction in Taiwan for the pro-reunification KMT faction? What then, if they reunify and China gets control over all the TSMC fabs, intact?
Their one big weakness is that Xi's over-dogmatic management of economic matters and over-reliance on state owned enterprises, along with birthrate issues, makes their future economic trajectory likely less brilliant than could have been anticipated in the 2010s.
The only reason we don't know they are spying on us, or to be quite specific "SCREWING US OUT OF BUSINESS", is because it takes maybe 20 years and possibly even a change of government branding before someone is really brave enough to throw away their career and family, or the STATUS QUO actually runs out of illegal options like "gaslighting" the whistleblowers.
WAKE UP MUPPETS, PLEASE.
IT'S THIS KIND OF THINKING WHICH KEEPS WOULD BE IMMIGRANTS QUEUING UP IN FRANCE IN ORDER TO GET TO THE UK.
SHEESH
He's a Putin stooge, he's just shilling for China because anything bad for the west is good for Putin. He runs his tin pot empire so badly that the only way Russia won't be a third world country in another decade is if the west destroys itself and falls down to his level.
Coupled with laziness, yes. The laziness is evident in the reluctance to question what other pressure groups claim to need, and resolve into something both sides could live with.
So when some law enforcement types say "we need to break encryption", the politicians should be pushing back with "why? How would you use that power exactly? How can it be implemented without compromising everyone's security?" But instead they just transmit the demand, we resist it, and nobody gives much thought to how to reconcile the two sides (which is what the politicians ought to be doing).
In particular, telcos have evolved from circuit switching to the same IP packet switching as the rest of us, but without the end-to-end encryption of the sort even the Chinese state's cleverest attackers can't crack.
Telcos are common carriers. If users are concerned about their data in transit, then they should encrypt it. I've had fun discussions in the past with clients who want their data encrypted. Why? Because they didn't trust the telco. Why, then would they trust the telco to manage (in lumbering bison fashion) their encryption?
Plus most telcos can't anyway, or could only partially encrypt. Pretty much every country has lawful intercept requirements in telco licences, and as the world moved to IP, so did the demands to be able to lawfully intercept pretty much any IP communication in real-time, or near real-time. And demands for magic bullets keep increasing as governments want the ability to monitor everything. Some of which telcos can't do, ie apps like WhatsApp.
So my strong suspicion is it's not the telcos that got 'hacked', it's that China figured out a way to compromise this:
https://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act
Probes can either send directly to the LEA according to the industry standard delivery formats (c.f. ATIS T1.IAS, T1.678v2, et al.); or they can deliver to an intermediate element called a mediation device, where the mediation device does the formatting and communication of the data to the LEA. A probe that can send the correctly formatted data to the LEA is called a "self-contained" probe.
And the US has a... few challenges implementing that given the number of LEAs and other agencies that might require a basic, or Title III, wiretap. If hackers have figured out a way to compromise those probes, well, it's pretty much wide open. And then it would probably need a CALEA 2.0.
The UK went through a similar exercise when RIPA was reformed to the 'Snoopers' Charter', which actually reduced the number of potential snoopers, and how lawful intercepts were implemented and managed. But the UK has the advantage of fewer LEAs authorised to request wiretaps, so it's easier to secure those services. Plus we have a simpler legal framework, ie GCHQ can (under the right conditions) lawfully intercept any traffic, foreign or domestic. The NSA can't (ish) do that because they're more limited in what they can do wrt domestic surveillance. They're the logical choice to act as a mediation service and 'honest broker', but then there's the political angle about trust.
It's one of those 'awful but lawful' things. LEAs need the ability to perform wiretaps, but the public also needs to be able to trust those LEAs to act reasonably and proportionately.
A lot of what you have said here is true, but it misses the big picture as another commentard or two has.
This is not always about the data passing through, but the metadata of who is talking to who, which is jolly useful for intelligence agencies, and if they have utterly pwned the system in any conflict they can shut it all down easily and bring chaos to all systems that need connectivity for whatever reasons (such as commerce, emergency services, utility management, etc). Internet resilience counts for bugger-all if the last mile exchanges have gone off line!
> This is not always about the data passing through, but the metadata of who is talking to who which is jolly useful for intelligence agencies, and if they have utterly pwned the system in any conflict they can shut it all down easily
Metadata is implicit, if CALEA has been cracked, ie a Trap & Trace warrant provides metadata only, Title III the whole conversation. This is also why I suspect it's CALEA that is the problem. So if say, a core Juniper or Cisco router had been hacked, it doesn't follow that China (or anyone else) would be able to wiretap data passing through those routers very easily. The danger with CALEA implementations is it provides exactly that capability, and thus risk of compromise. If the routers were compromised, telcos should know that pretty quickly and fix it with an OS update. CALEA's more of a 'black box' to telcos though, and telcos wouldn't know if the use of those features was lawful, or not.
It's standard practice (or should be) to protect the control plane of any network to prevent unauthorised access. Newfangled stuff like software-provided networking wants to extend the control plane to users so they can mess around with their service profiles, but outside of some NNI offers, I'm not aware of any sane telco offering that as a service. Then there's the 'Huawei' challenge, which as you say was more about denial of service than compromise.. And also pretty easy to detect, ie why is there suddenly gigabytes of traffic going from the control plane to destinations unknown?
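The "gigabytes from the control plane to destinations unknown" check above is easy to turn into a concrete detector. The following is an added example, not code from the commenter or any vendor: it aggregates NetFlow-style flow summaries per (source, destination) pair and alerts when a host in the management subnet sends more than a threshold to anything outside a short allow-list. The subnet, the allow-listed hosts, the threshold and the flow lines are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Hypothetical control-plane management subnet and the only destinations
# its hosts should ever talk to (NMS, syslog/TACACS). All constructed.
CONTROL_PLANE = ipaddress.ip_network("10.250.0.0/24")
ALLOWED_DST = {
    ipaddress.ip_address("10.250.0.5"),  # NMS / SNMP collector (constructed)
    ipaddress.ip_address("10.250.0.9"),  # syslog + TACACS server (constructed)
}
BYTES_THRESHOLD = 500 * 1024 * 1024      # 500 MiB per (src, dst) pair per window

# Constructed flow records in the form "src dst bytes", as a collector might
# export them for one reporting window.
SAMPLE_FLOWS = """\
10.250.0.11 10.250.0.5 20480
10.250.0.11 10.250.0.9 4096
10.250.0.12 203.0.113.77 734003200
10.250.0.12 203.0.113.77 314572800
10.250.0.12 10.250.0.5 8192
192.0.2.40 203.0.113.77 5368709120
10.250.0.13 198.51.100.4 1024
"""

def parse_flows(text):
    """Parse 'src dst bytes' lines into (src_ip, dst_ip, bytes); skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            flows.append((ipaddress.ip_address(parts[0]),
                          ipaddress.ip_address(parts[1]), int(parts[2])))
        except ValueError:
            continue
    return flows

def find_control_plane_egress(flows, cp_net=CONTROL_PLANE, allowed=ALLOWED_DST,
                              threshold=BYTES_THRESHOLD):
    """Return {(src, dst): total_bytes} for control-plane sources that sent more
    than `threshold` bytes to a destination outside the allow-list.
    Volumes are summed per pair so many modest flows still trip the alert."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if src in cp_net and dst not in allowed:
            totals[(src, dst)] += nbytes
    return {pair: total for pair, total in totals.items() if total > threshold}

if __name__ == "__main__":
    for (src, dst), total in find_control_plane_egress(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT control-plane host {src} sent {total / 2**20:.0f} MiB to {dst}")
```

The large flow from 192.0.2.40 is deliberately ignored because it does not originate in the control-plane subnet; the point is to scope the alert to where bulk egress should never happen.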
"It's standard practice (or should be) to protect the control plane of any network to prevent unauthorised access."
When I worked in mobile telecoms it was typical for equipment vendors to remotely run/manage that equipment for the OpCos (the OpCos often didn't have (many) staff who actually understood how that stuff worked). So Nokia, Ericsson, Huawei, and ZTE would have day-to-day remote access to (re-)configure mobile infrastructure.
Technically the vendors' staff had authorised access... Of course what happens if those staff are subject to "State Agency" control? Especially if the State in question isn't the same state as that where the OpCo operates...
> Technically the vendors' staff had authorised access... Of course what happens if those staff are subject to "State Agency" control? Especially if the State in question isn't the same state as that where the OpCo operates...
Yup. Big Tech has turned what used to be a trusted platform into virtual swiss cheese. So holes opened up for services like CALEA or other lawful intercept systems and vendor support.. Which in some cases is more revenue realisation, ie holes having to be opened for licence enforcement. Other vendor support is down to how the telco implements that. So many decades ago, I worked for BT. If DEC, IBM or Amdahl needed access, I'd get a ticket from those systems owners authorising me to go and physically connect their circuits, then disconnect once done. Same principle applied to most telcos I've worked with because you really don't want to extend your control plane.
But for CALEA and lawful intercept stuff, there is already 'State Agency' control given that stuff is generally Classified, and staff who work on it vetted. Which also means if that's been outsourced, those staff should also have been vetted, but the telco has also outsourced a critical part of their trust model. Which is a problem when telcos do ruthless cost cutting and try to outsource core/critical operational functions. The CFOs may get excited about financially engineering OPEX, but can't outsource liability or accountability for those decisions. Best they could hope for then is to try and blame the CTO, or hope their DOI covers them.
Most CALEA systems are made by an Israeli firm, AMDOCS, and Israeli intelligence had full access to the US phone network, and in some cases the Israeli mafia as well. The phone networks simply can’t be secured any more, in no small part because the cost of doing so would outweigh the economic value of a dwindling legacy service. Most landline switching providers went out of business 30 years ago and that gear is unmaintainable and slowly crumbling when the telcos run out of COs to cannibalize, but mobile is not far behind in entropy.
"The US government has lost the ability to enforce the responsibilities of telcos"
It's not lost it, it's sold it. It started with Reagan's comment about the man from the government coming to help, it's maintained by the vested-interest pork-barrel and campaign donation politics that the US is so fond of and it's supported by the "you're not the boss of me" attitude of everyone else in the US. Until it all goes to shit in which case they can't wait for that government man to turn up with his chequebook.
Today it's the telcos, tomorrow it will be the water companies, the day after it will be some other key infrastructure.
I'm not validating being alive, I'm validating whether or not the spying <whoever> would be the slightest bit interested in this data point.
As far as validation goes, my cat loves me when I turn up with Felix like a well-trained human. That's good enough for me.
You don't have to care.
You don't need an abortion or a divorce from a violent husband
You aren't planning to bring up any safety concerns at work or complain about a local council proposal
And you aren't friends with any of the wrong ethnic minorities
It'll turn up in some ML library - and will be available, for a small fee for later use by the social media AI bots when all the real users have left and only the bots are writing and reading the STUFF that's posted.
Similar to what is happening with LinkedIn at the moment, or the BBC eventually.
ALF
We're told it's terrible, the Chinese have hacked everything and so on, but nowhere can I find anyone who can tell me exactly what's wrong and what's needed to fix it. In other words, what we've got here is classic marketing FUD.
We know that phone protocols are weak because of the ease of phone scams and unwanted telemarketing (same difference?). Anyone can interface to the global phone system and inexpensively impersonate anyone. Data's a bit more of a problem but even that is prone to the same kinds of impersonation fraud and unsolicited data. A big part of the problem is that these systems have to be fairly weak so that marketing can take advantage of them -- after all, the Chinese might be able to see everything we're up to but they're really late to that particular party behind all the usual Big Tech suspects (and a host of lesser names). After all, it was decades ago that our (US) government discovered that they really didn't need to go in for bulk spying when the basic information they needed could be readily purchased from data brokers.
I just assume Big Brother is watching me, there is no privacy on line and so on. If I desperately needed to communicate end to end I'd make my own arrangements.
>I find anyone who can tell me exactly what's wrong and what's needed to fix it.
You can't be told what's wrong because of terrorism
The fix is to pick a bogeyman and insist all their equipment be removed from the network at great expense and replaced with equipment made in the same Chinese factory by a company with a more American name.
We will also need greater security in the form of surveillance and crack downs on terrorist tools like VPNs and encryption
This will all be paid for by removing government inefficiencies like the FCC
"We know that phone protocols are weak because of the ease of phone scams and unwanted telemarketing"
That has absolutely zero to do with security and everything to do with telcos getting a cut of call termination revenue (usually around 1/3 of the call charge)
It's not in their financial interests to fail to pass those calls unless they're not being paid...
...which is where a bunch of forged VOIP routing data has galvanised them into action to protect their revenues, whilst bleating that they're doing it for customer protection
It's the difference between abuse ON the network vs abuse OF the network. Telcos simply don't care about the former (mainly due to common carrier rules) but are hot on the latter (because it's lost revenue)
Or, maybe your Smart Taps are ordering the mince pies from China instead of ASDA. What ? Has the supply chain with that "Middle East/West - Far/Eastern Kingdom" company been disrupted again ?
It could just be the "Seasonal Adjustment" we have to adjust to ?
Or, it might simply be that ancient ERP system acting up again, or we could have been hacked?
No. Turns out it was an unscheduled Microsoft update.....
ALF
Years ago when I was a kid my dad worked as a consul (a retail-facing diplomat) in a country that was, at the time, a frenemy of his government.
Our home phones were monitored by the local fuzz. So, my dad and a colleague persuaded my mother and the colleague's wife to get on the phone with one another and yak yak yak exchange recipes for, I dunno, Christmas cakes and bean salads and whatever. For hours. Finally they gave up.
Surely with AI voice synthesis we can swamp these phone lines with enough meaningless BS to make surveillance harder. While we rebuild.
And, as for the people saying secure systems need back doors, well, see figure 1.
> Surely with AI voice synthesis we can swamp these phone lines with enough meaningless BS to make surveillance harder. While we rebuild.
Now that's a great idea! One way to try and defeat traffic analysis is to generate noise to mask the signal, so we could automagically try and defeat human eavesdroppers with some AIs reading Vogon poetry to each other. Might constitute cruel & unusual punishment, but the eavesdropper would have to admit first. A cheaper solution might be to just loop Baby Shark, and add the occasional extra 'doo' & use morse.
American spies are tapping your phones (See: Angela Merkel)
It's not exactly a "China" problem and one of the reasons that states are not pushing this is because hardening systems makes it just as hard to spy on their friends and allies as well as their opponents and enemies