China Wiretaps Americans in 'Worst Hack in Our Nation's History' (gizmodo.com) 88
Longtime Slashdot reader mspohr shares a report from Gizmodo: Hackers for the Chinese government were able to deeply penetrate U.S. telecommunications infrastructure in ways that President Joe Biden's administration hasn't yet acknowledged, according to new reports from the Washington Post and New York Times. The hackers were able to listen to phone calls and read text messages, reportedly exploiting the system U.S. authorities use to wiretap Americans in criminal cases. The worst part? The networks are still compromised and it may take incredibly drastic measures to boot them from U.S. systems.
The hackers behind the infiltration of U.S. telecom infrastructure are known to Western intelligence agencies as Salt Typhoon, and this particular breach of U.S. equipment was first reported in early October by the Wall Street Journal. But Sen. Mark Warner, a Democrat from Virginia, spoke with the Washington Post and New York Times this week to warn the public that this is so much worse than we initially thought, dubbing it "the worst telecom hack in our nation's history." And those articles based on Warner's warnings were published late Thursday.
Hackers weren't able to monitor or intercept anything encrypted, according to the Times, which means that conversations over apps like Signal and Apple's iMessage were probably protected. But end-to-end encryption over texts between Apple devices and Android devices, for instance, aren't encrypted in the same way, meaning they were vulnerable to interception by Salt Typhoon, according to the Times. The details about how the hackers were able to push so deeply into U.S. systems are still scarce, but it has something to do with the ways in which U.S. authorities wiretap suspects in this country with a court order.
The hackers behind the infiltration of U.S. telecom infrastructure are known to Western intelligence agencies as Salt Typhoon, and this particular breach of U.S. equipment was first reported in early October by the Wall Street Journal. But Sen. Mark Warner, a Democrat from Virginia, spoke with the Washington Post and New York Times this week to warn the public that this is so much worse than we initially thought, dubbing it "the worst telecom hack in our nation's history." And those articles based on Warner's warnings were published late Thursday.
Hackers weren't able to monitor or intercept anything encrypted, according to the Times, which means that conversations over apps like Signal and Apple's iMessage were probably protected. But end-to-end encryption over texts between Apple devices and Android devices, for instance, aren't encrypted in the same way, meaning they were vulnerable to interception by Salt Typhoon, according to the Times. The details about how the hackers were able to push so deeply into U.S. systems are still scarce, but it has something to do with the ways in which U.S. authorities wiretap suspects in this country with a court order.
So we put holes in our security... (Score:5, Insightful)
it has something to do with the ways in which U.S. authorities wiretap suspects in this country with a court order.
Re:So we put holes in our security... (Score:5, Insightful)
I have no problem with our government entities blocking VPNs, China, Russia, NK, etc IPs. It is so weird we havent done that yet.
Re: (Score:2)
What? You honestly think you can't route around such blocks?
Re: So we put holes in our security... (Score:1)
Re: (Score:2)
I have no problem with our government entities blocking VPNs, China, Russia, NK, etc IPs. It is so weird we havent done that yet.
Sooo, you want a surveillance state? Good luck with that!
Re:So we put holes in our security... (Score:5, Informative)
IP blocking is not going to help. They routinely use compromised systems inside the target country, or in another friendly nation.
Re: (Score:2)
I have no problem with our government entities blocking VPNs, China, Russia, NK,
Geoblocking solves nothing.
Do you think someone working for China can't rent a local server?
Re: (Score:2)
The problem is not the existence of a back door by itself. Governments have - if enabled by court orders - listened in to their citizens for over hundred years. It was one of the established methods to keep a tap on the mafia, drug cartels and corrupt politicians.
What has struck here is the acknowledgement by several consecutive US governments, that this kind of access is a tempting target for overseas intelligence services, and that such infrastructure must be kept secure and up to date in this millennium'
Re: (Score:1)
it has something to do with the ways in which U.S. authorities wiretap suspects in this country with a court order.
I was wondering why my back door was chaffing, bleeding, and hurting so badly.
Re: (Score:1)
Re: (Score:2)
Yep, such a surprise! No expert could _ever_ have predicted this could help other malicious actors as well! Oh, wait...
Re: So we put holes in our security... (Score:2)
They now believe the hackers from a group called âoeSalt Typhoon,â closely linked to Chinaâ(TM)s Ministry of State Security, were lurking undetected inside the networks of the biggest American telecommunications firms for more than a year.
They have learned that the Chinese hackers got a nearly complete list of phone numbers the Justice Department monitors in its âoelawful interceptâ system, which places wiretaps on people suspected of committing crimes or spying, usually after a war
Re: (Score:2)
it has something to do with the ways in which U.S. authorities wiretap suspects in this country with a court order.
An Unconstitutional (meaning illegal, which we forget is the same thing) FISA court, supports the use of illegal surveillance methods (Stingrays) by allowing law enforcement to NOT reveal their illegal “sources and methods” in legal cases where said evidence was blatantly captured illegally.
I’d say it has something to do with America having illegal and Unconstitutional processes in place that “they” wish to keep protected. “Holes” doesn’t even begin to descri
Re: So we put holes in our security... (Score:2)
Re: (Score:2)
And in the US, those with a clue are making cell sites that intercept and sift regular, day to day cellphone use in major cities, looking for terrorist info.
Sting-Ray, other Cell Site Simulators sniff and snarf all day long. Few realize they're being routed through IMSI catchers, which undress all they do, unless with the user has end-to-end encryption.
Someone from China figured out how to do this through law enforcement backdoors, now law enforcement is mad.
I do not doubt we (USA) does this across the worl
Smart people warned us about this (Score:2)
Re: So we put logs in our security... (Score:2)
Nice try, scary wording for they had log retention for legal reasons, the same as your employer for your work emails, customer transactions etc.
Until we know more, this is most likely.
Back door (Score:5, Informative)
Seems an obvious corollary, but apparently the US authorities don't think that way.
Re: (Score:1)
Re: (Score:2)
Does any of Taiwan technology comes without backdoor?
Not more or less than any US tech. Seriously. Vendors place backdoors to spy on their customers for marketing reasons. Vendor-placed backdoors for actual spying outside of that are so rare that, AFAIK, there is not a single report of them. There are reports of the US NSA placing such backdoors by intercepting equipment during shipping though. If any "Taiwan technology" has a backdoor for regular spying, it may well be NSA-placed.
Re: (Score:2)
Re: (Score:2)
Insofar as they are not NSA-mandated, yes.
Re: Back door (Score:2)
Re: Back door (Score:2)
Oh look, there is a spy balloon from the other side of the world with radio receivers and my coffee pot seems to be uploading audio filesâ¦.
Cmon.
Re: (Score:2)
Re:Back door (Score:4, Informative)
So, turns out if you make a back door for the good guys to come in, the bad guys will use it, too.
Seems an obvious corollary, but apparently the US authorities don't think that way.
None of them do. They are convinced they are saving the world and are not bright enough to think any deeper. At least now we have a glaring example of "lawful access" actually being a glaring security hole. Next time the director of some western LEO says they need this we'll have an epic example of why they should fuck off and die.
Re: (Score:3)
Indeed. These people are fanatical and pretty dumb. At the same time they have a deep, deep distrust of freedom, especially when it applies to others. Hence they want everybody under surveillance all the time. The traditional way to implement that was an all-seeing, all-knowing and vengeful "God" that did the surveillance. Of course, that was fake, but people believed it, so it was the next best thing. Now that we can implement universal surveillance, the same assholes desperately want it, especially as the
Re: (Score:2)
It is also something the actual experts have strongly pointed out since forever. I guess the US "authorities" have quite a few retards with a hard one for spying on citizens.
Re:Back door (Score:5, Interesting)
Not exactly that.
I'd say it's a generalized problem with authoritarians (and athorities in general, since they attract such) that they simply cannot abide being told 'no.'
They varely rarely introspect on themselves about this, and will almost always scream angry denials and post-hoc rationalizations about why and how their latest temper tantrum is not this thing, and how I have it all wrong, but such reactions are very similar to people addicted to pain killers, or performance enhancing drugs.
That out of the way, the behavior is not a conscious one; again, they dont introspect it at all, and instead just act. However, it very closely appears to follow this pattern:
Picture an authority or authority figure getting told NO, when they want to do something they ostensibly have control over. [CEO wanting unfettered admin privs in their company's network, for example.] When somebody asserts this 'NO', they take it as an innate attack against that authority; somebody 'thinking they are above the 'actual' authorities' [see again, 'i'm the CEO, and I'M in charge here! I'll fire your bitch ass if you dont give me what I want!' And pals] The very notion that they even *could* be told 'NO', and worse yet, that it could be *enforced*, defacto implies that they are not the highest authority; something or someone has more authority and control than they do, and this causes anger, panic, fear, and resentment basically instantaneously.
People like us, who understand that certain things are inescapable consequences of actual physical reality, and are things enforced by that reality, can assert 'no, you cant actually do that' to these people, and the meaning of that 'no' is lost. All they see and hear, is 'somebody acting above their station, trying to enforce a different, unwanted policy.' They dont see it as 'no, really, that's a thing that you simply cannot accomplish or have. It's not attainable by anyone. I'm not stopping you, the nature of reality says you genuinely cannot do or have it that way.' You cannot make them see it that way.
From their perspective, you are simply out to stop them from getting what they want, and are thus an enemy of the state.
I'd suggest that some healthy introspection on this matter on their part would do wonders, but much like the afore mentioned addicts, they insist that there is nothing wrong, and you are being adversarial to suggest such things.
You really cannot help such people.
Actually forming coallitions and agencies to overpower their authority, makes you into the very thing they instinctually label you as, and just reinforces the behavior.
There are very clear warning signs that you are dealing with such a person/group, and those signs are VERY aparent in how our govt approaches citizen privacy, and digital security. The very EXISTENCE of the FISA court, is a powerful indicator, here.
They have a belief, and that belief is divorced from actual reality.
Re: (Score:1)
I have had a look into authoritarianism a while ago, and I agree. But I also came to the conclusion that authoritarians have severe learning disability and disability to understand reality, so I like to call them "retards" on occasion. And yes, you cannot help these people. But you can, on occasion, protect others against them.
Re: (Score:1)
The very notion that they even *could* be told 'NO', and worse yet, that it could be *enforced*, defacto implies that they are not the highest authority; something or someone has more authority and control than they do, and this causes anger, panic, fear, and resentment basically instantaneously.
You've basically just explained atheism.
"What?!? There is someone above me, standards from outside myself and my peer group that I must obey?!?"
Re: (Score:2)
What an exceptionally stupid comment.
Re: (Score:1)
This no-no has been known for many years already. Whoever put the back-door in should get "it" up their back door.
Re: (Score:2)
If I had a penny for everytime this was said on Slashdot, I'd be dead, compressed and buried under 15 tons of pennies.
AND WE WERE RIGHT, DAMMIT!
ffs government agencies are dumb
We're from the government! (Score:5, Funny)
* knock knock *
"Hi, we're from the government, and we're here to help you!"
* Eyes the red and gold lapel pins with a prominent hammer and sickle. *
"Uh... which government did you say you were from?"
Re: (Score:2, Insightful)
You think the US flag is any better?
Yeah. I get that when given the choice, you'd prefer a place like Iran, China or North Korea over the US, but any person well grounded in reality wouldn't.
Re: (Score:1)
At least for another 2 months.
Re: (Score:2)
I'm not saying you're wrong, but a story about how the US government is spying on its citizens and the Chinese, in a completely legitimate act of international signals espionage, pwned them, might not be the best place to do it.
Re: We're from the government! (Score:2)
A lawful intercept isn't spying. Literally every country on the planet does it.
still compromised (Score:2)
>All the major U.S. carriers, including AT&T, Verizon, and T-Mobile, were impacted, according to the Post.
>Incredibly, Warner says the hackers are still inside the U.S. system and there’s no obvious way to get them out that doesn’t involve physically replacing old equipment, according to Warner.
>“This is massive, and we have a particularly vulnerable system,” Warner told the Post.
Maybe "All the major U.S. carriers" should check this out:
https://www.cisa.gov/news-even... [cisa.gov]
Re: (Score:2)
Re: (Score:1)
What good will that do?
There was no exploitation of bugs in the software. The Chinese government has the legitimate keys to our kingdom.
That's why it will take "drastic measures to boot them from U.S. systems"
Patches are not drastic.
Removing the key (singular) that all the different US government agencies are using for wiretaps is what is drastic.
Even then, the three letter agencies demanding the back door knew this would be the outcome, and were even told by all the experts that this would be the outcome.
Re: (Score:2)
So hard coded backdoors in firmware then? Great choice!
Will never exist (Score:2)
Online security will never exist as long as governments and corporations are involved, period. Both want to spy for their own benefit. Creepy bastards the whole lot of them.
Re: (Score:2)
Because, there would be no “online”, period.
Re: (Score:2)
Glad you see my point.
Re: (Score:2)
Actually, the GDPR does reasonably well. Even the really big players get slapped to that they know it. Enforcement is still not what it should be, but the morass of surveillance desires is really deep and I think we are slowly getting there.
"... with a court order" (Score:2)
Yeah, right! Good joke. Rules have no meaning on all sides in this arena.
No-one is responsible (Score:2)
How exactly does the US government think it will lock millions of back-doors? It decided long-ago that protecting itself from the people was more important than communication privacy. Nothing undoes that thinking: The US is stuck in a quandary, they can't stop disabling communication privacy and they won't give-up their back-doors. The result is a weakness that can never be fixed.
The failure of the US government to set standards, means there are multiple weaknesses in authentication/encryption/security
Re: (Score:2)
How exactly does the US government think it will lock millions of back-doors?
Ah that's the cunningness of the plan. America knew this might be a possibility. And so snuck in hard coded access the government could use to reset and disable the other backdoor if it was ever compromised.
Huh? What do you mean I'm already logged in from somewhere else? D'oh !
Re: (Score:2)
The pragmatic fix is for users to entirely move to end to end encrypted communications. There are no shortage of options these days. It's only SMS messages and phone calls that are insecure by design.
Re: (Score:2)
Rofl (Score:2)
Yeah, we believe you - NOT.
VAULT-7 guys! You can't believe anything they tell you.
Why name the hackers... (Score:4, Funny)
Re: (Score:2)
Now here's someone asking the right question. Why, indeed, does it seem more like they're the criminals' marketing department rather than their adversaries?
Re: (Score:3)
... ever so slightly interesting names like "Typhoon", etc... Why not name them more aptly? How about "micro-wieners", "scotty-no-mates" or "douche-bags"?
It's more manly to be hacked by a powerful Typhoon, than admit you were bested by a micro wiener.
Re: (Score:3)
When you hear "we were victims of a sophisticated attack by high tech criminals", read "we didn't change the default password."
Does anyone remember CALEA? (Score:5, Interesting)
My only hope (Score:2)
Re: (Score:2)
I'm pretty sure that tiger going after the slowest target thing is a myth. Predictors pick a target and stick with that target until they either bring it down or they are too tired to continue.
Re: thanks for taking 1 for the team (Score:2)
Security messaging (Score:2)
I'm going back to writing on paper airplanes and tossing them at the recipient
Re: (Score:2)
Or telegram, signal, whatsapp..
There are encrypted options.
Re: (Score:2)
Whatsapp now asks you to backup your keys on Google. Now you might not do that, but is everyone you're talking to also following suit?
Do not bother with anything produced by Zuck if you expect privacy. They aren't interested. In this case, they were interested in platform readoption.
of course (Score:2)
This is the same thing Snowden warned us about in addition to many others. Back doors sued for any reason makes the system weak but that doesn't stop dumb politicians from demanding them. We're going to be in an endless loop until we rid of government of idiots. This isn't going to change anything though, we're caught in the anacyclosis at the precipice of Ochlocracy.
Re: oh no (Score:2)
Uh no (Score:1)
Chinese hackers were not able to listen to phone calls.
This is one crap "article".
Sometimes hold the presses and get technical review.
Shouldn't be possible (Score:4, Insightful)
the system U.S. authorities use to wiretap Americans
A fixed, pre-existing wiretap infrastructure simply should not exist. If the police want to fight crime, they can monitor the end-points. It's exactly the same argument that we have, over and over again, about encryption. Transmission infrastructure should be as secure as we can make it. The vast majority of users (individuals and businesses) are not criminals, and hence deserve the protection of a secure infrastructure.
Hackers for the Chinese government :o (Score:3)
So, Americans are under warrantless surveillance (Score:2)
The only difference is, the surveillance isn't carried out by US or US-friendly big tech companies. So it's absolutely outrageous!
In fact, I'm so worked up that I'm headed back home in my GM-monitored to watch the ballgame on my Samsung-monitored smart TV to forget about all that surveillance.
Whose heads will be rolling for this? (Score:2)
Libertarian hypochondria. (Score:2, Interesting)
Amateurs! (Score:2)
In the Netherlands, we just let Israel run our wiretap software. Dutch technicians aren't even allowed to examine the hardware. How's that for security, eh?
Makes sense now (Score:2)
This would explain why all passwords were recently forced reset company wide
and why damn near every router and switch in every network are moving to 2FA.
( Typically SecurID )
2FA makes scripting a bitch though. . .