alt Hacker NewsThese companies were required by the government to have lawful intercept capability. A bad actor took advantage of that government-required backdoor, and now the government has the shamelessness to grandstand about privacy and security? We need to elect better people.
Replies
I agree with you on electing better people, but this is largely a systematic problem with how government works:
1. Propose bill to solve a problem which is either minor or completely misunderstood by the person proposing the bill 2. Pass bill, don't solve original "problem," creates 15 new, actual problems 3. Run on fixing all the new problems they created (and some others that don't exist) 4. Repeat
>and now the government has the shamelessness to grandstand about privacy and security? We need to elect better people.
Where's "the government [... grandstanding] about privacy and security"? It's getting blocked by the companies, not the government.
>She said Mandiant refused to provide the requested network security assessments, apparently at the direction of AT&T and Verizon.
The problem isn't the back door. Every telecom company in every country provides access for "lawful intercept". Phone taps have been a thing for decades and as far as I know, require a warrant.
The problem is that telecoms are very large, very complex environments, often with poor security controls. Investing in better controls is hard, time-consuming and expensive, and many telecoms are reluctant to do it. That's not great great since telcos are prime targets for nation state hackers as Salt Typhoon shows.
Hacking the lawful intercept systems is very brazen, but even if the hackers didn't don't go as far, and "only" gained control of normal telco stuff like call routing, numbering, billing, etc. it still would have been incredibly dangerous.
I've worked as a security consultant with one or two companies (who shall remain nameless) whose sole product was a hardware device with a black-box software stack meant to be a plug-and-play lawful intercept compliance solution. Telecoms should be able to buy it, install it, and access a web panel to do their government-mandated business.
In the three or four year I worked with them, they would only let me do penetration testing of their user network, and never the segments where the developers were, and never the product itself. In speaking with their security team (one guy - shocker) during compliance initiatives, it was very clear to me that the product itself was not to be touched per the explicit direction of senior leadership.
All I can say is that if the parts of their environment they did let us touch are any indication of the state of the rest of their assets, that device was compromised a long time ago.