More telcos confirm Salt Typhoon breaches as White House weighs in

Signal, end-to-end encryption, and trust

  • Debate over FBI recommending Signal: some see it as evidence Signal is compromised; others argue Signal’s protocol is formally analyzed and currently among the strongest available.
  • Trust split:
    • Pro‑Signal: open source; crypto independently verified; client doesn’t need to trust the server for message contents.
    • Skeptical: server code isn’t fully verifiable; Signal historically ran non‑open server components; requirement for a phone number harms anonymity and creates exploitable metadata.
  • Several note that practical compromise is more likely via OS, hardware, or targeted app delivery (e.g., tainted APKs) than via breaking Signal’s crypto.
  • Alternatives mentioned include Session, Matrix, Tox, SimpleX; but none discussed in comparable depth.

CALEA, lawful intercept, and the Salt Typhoon attack path

  • Many think the breach likely exploited lawful-intercept (CALEA) systems or third‑party “wiretapping outsourcing” providers, not core network routing directly.
  • Others argue reporting doesn’t clearly support that and point instead to insecure or legacy telco equipment, firmware implants, TFTP-based provisioning, and weak management protocols.
  • Broad agreement that LI backdoors mandated for domestic law enforcement create a high‑value target that foreign actors can and do exploit.

Metadata, phone numbers, and KYC

  • Strong criticism of mandatory phone numbers for messaging and financial services: creates de‑facto identity, maps social graphs, and adds breach risk.
  • Services blocking VOIP numbers (e.g., Venmo, some banks, WhatsApp) are seen as prioritizing fraud reduction and “Know Your Customer” requirements over user privacy.
  • Workarounds (cheap travel SIMs, eSIMs) show phone-based “identity” is weak and easily gamed.

Telecom security practices and incentives

  • Multiple commenters describe telecom/network security as systematically weak:
    • Shared secrets for RADIUS/SNMP/BGP, TCP-level session protection that is rarely used or weak, poor host key validation, insecure consoles, and spotty secure boot/auditing.
  • Legacy/EOL gear with known vulnerabilities persists because it “still works” and replacing it is costly.
  • Companies face little real liability for breaches, leading to “compliance theater” and dependence on cyber insurance rather than serious hardening.
  • Advocated fixes include strong data minimization, meaningful financial penalties for PII loss, and treating stored data as a dangerous liability, not an asset.
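The weaknesses listed above (default SNMP communities, short shared secrets, unauthenticated BGP peers, cleartext management access) are the kind of thing a defender can check for mechanically. The following is an added example, not code from the discussion or from any vendor: a small audit that scans a device configuration for those patterns. The configuration text, hostnames and addresses are constructed for the example, and the line syntax is assumed to resemble Cisco IOS; adapt the regular expressions to your own platform.

```python
"""Audit a constructed, IOS-style device configuration for weak
management-plane practices: default SNMP communities, short RADIUS shared
secrets, BGP neighbors with no session password, and cleartext (telnet)
management transport. Constructed example; not tied to any real device."""

import re

# Constructed sample configuration (addresses are documentation ranges).
SAMPLE_CONFIG = """\
hostname edge-router-01
snmp-server community public RO
snmp-server community s3cure-r0-string RO
radius-server host 192.0.2.10 key abc
radius-server host 192.0.2.11 key Kq9!vL2#pR7zW4mT
router bgp 64496
 neighbor 198.51.100.1 remote-as 64497
 neighbor 198.51.100.1 password bgp-session-key-2024
 neighbor 198.51.100.2 remote-as 64498
line vty 0 4
 transport input telnet ssh
"""

# Assumed policy thresholds for this example.
DEFAULT_COMMUNITIES = {"public", "private"}
MIN_SECRET_LEN = 16


def audit_config(config_text):
    """Return a list of (finding, detail) tuples for the weak settings found.

    Line-level findings are reported in config order; BGP neighbors that
    never receive a password line are reported after the whole config has
    been read, since the remote-as and password lines may be far apart."""
    findings = []
    bgp_neighbors = set()
    bgp_authenticated = set()

    for raw in config_text.splitlines():
        line = raw.strip()

        # SNMP community strings that are well-known defaults.
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(("snmp-default-community", m.group(1)))

        # RADIUS shared secrets shorter than the policy minimum.
        m = re.match(r"radius-server host (\S+) key (\S+)", line)
        if m and len(m.group(2)) < MIN_SECRET_LEN:
            findings.append(("radius-short-secret", m.group(1)))

        # Track BGP neighbors and which of them have a session password.
        m = re.match(r"neighbor (\S+) remote-as", line)
        if m:
            bgp_neighbors.add(m.group(1))
        m = re.match(r"neighbor (\S+) password", line)
        if m:
            bgp_authenticated.add(m.group(1))

        # Management lines that still accept cleartext telnet.
        m = re.match(r"transport input (.+)", line)
        if m and "telnet" in m.group(1).split():
            findings.append(("cleartext-management-transport", "telnet"))

    for peer in sorted(bgp_neighbors - bgp_authenticated):
        findings.append(("bgp-neighbor-unauthenticated", peer))
    return findings


if __name__ == "__main__":
    for finding, detail in audit_config(SAMPLE_CONFIG):
        print(f"{finding}: {detail}")
```

Run against the constructed config, the audit flags the `public` community, the three-character RADIUS secret for 192.0.2.10, the telnet transport on the vty lines, and the BGP neighbor 198.51.100.2 that has no password configured; the 16-character secret and the authenticated neighbor pass. A real deployment would feed exported configurations from many devices through the same checks and track findings over time, which is the opposite of the "it still works" posture the discussion describes.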

Attribution, geopolitics, and “act of war” questions

  • Some treat PRC attribution as plausible given known espionage patterns and concurrent Treasury intrusion; others see “China, China, China” as unproven narrative with little public evidence.
  • Several frame this as part of an ongoing digital cold war and “prepositioning” in critical infrastructure, not necessarily a prelude to kinetic war.
  • Repeated theme: US-mandated surveillance capabilities (CALEA, SS7 exposure, LI platforms) have now been turned against US infrastructure by foreign actors, validating long‑standing warnings about backdoors.