The fun part is they don’t know the extent of the comprise or how long it has been going on.
What happened is that CISA recently published a report stating that they think a lot of US telecommunications equipment has been compromised. It isn’t a one time breach. They know that China has control over a unspecified amount of critical components. The malware China is using is extremely complex and very hard if not completely impossible to detect. China is very good at covering there tracks so even getting a sample of Malware is hard.
Because of all this, CISA is now recommending that people use encrypted messagers.
This is why the old guard of tech and privacy was against a lot of the shenanigans you routinely encounter in any app or device. Bonus, the S in IoT stands for security.
Security is last thing about Internet of thingS
Apparently, the hackers exploited the backdoor that was provided for “lawful surveillance” in the 3G spec. Imagine that.
Lol.
Seven years ago I spent hours trying to explain to my MP that this would happen if they weakened encryption and put in back doors.
He seemingly couldn’t get his head round the fact that you have to assume foreign adversaries have access to everything in transit and they’re not going to be worried about longer prison sentences designed to make up for weaker security.
I should send him an email asking if he understands the argument now it’s coming from an American in a suit and not just one of the plebs.
You absolutely should
Also include links to the human rights abuse done by the Chinese police. And the fact that South Korea almost just turned into a dictatorship.
My understanding is that the scope is totally unknown. I’m sure they exploited the crap out of those systems.
At first, the F.B.I. and other investigators believed that China’s hackers used stolen passwords to focus mostly on the system that taps telephone conversations and texts under court orders. It is administered by a number of the nation’s telecommunications firms, including the three largest — Verizon, AT&T and T-Mobile. But in recent days, investigators have discovered how deeply China’s hackers had moved throughout the country by exploiting aging equipment and seams in the networks connecting disparate systems.
https://www.nytimes.com/2024/11/21/us/politics/china-hacking-telecommunications.html
Doesn’t look like they know (or are willing to share specifics as to) the full scope of the hack, but they seem to have a pretty good idea.
So what would be an encrypted messenger? Telegram or a Matrix app like Element? Asking cuz I’ve been kinda hinting to my friends that maybe we should move away from Facebook Messenger, but all we do is share memes and YouTube videos… Occasionally we’ll fuck with their stupid AI and make it write all responses in cuneiform or call everyone “shitass”
Edit: I can’t spell for shit
Not Telegram. Signal is a better choice which has been audited by third parties and produces internal transparency reports.
And it’s open source!
I’ve been leaning towards Matrix/Element, but I’ll check out Signal and see what everyone else thinks. Thanks dood!
Signal is pretty easy to get people into, too, I feel like.
Matrix is not always encrypted.
Signal, Simplex chat or any other well vetted messager. Avoid Telegram as it isn’t encrypted and is tied to Russia.
Whut? When is matrix not encrypted somtetimes? Genuine question - I’m a matrix newbie and i thought that all was encrypted was the whole point O.o
On the transport level it is encrypted but not on the server. To get E2EE you need to turn it on.
It’s been on by default for many years now.
We have been down this road before. There’s nothing out there beating or close enough to signal.
https://soatok.blog/2024/05/14/its-time-for-furries-to-stop-using-telegram/ https://soatok.blog/2024/07/31/what-does-it-mean-to-be-a-signal-competitor/
I’d argue Threema. The server code isn’t open source, but the apps are auditable. You can use it without any other identifiers (phone number, email are optional). It comes from a private company, but they have had a good track record.
Edit: They also have a version on F-Droid, without proprietary components, that uses their own push protocol instead of Google’s.
Oh. How fun. yay
What, they weren’t recommending encrypted communication before?
They didn’t want to compromise their ability to spy on us easily.
Note even with all of this they only recommend they use encrypted messaging. We should merrily go along with fb messenger or sms or whatever they swear is good.
btw messenger isn’t the worst case scenario. 1-1 chats are e2ee.
it’s still facebook and it sucks, but it’s not as bad as SMS/calls
What breach happened
It not about one breach
CISA recently published a report stating that they think a lot of US telecommunications equipment has been compromised. It isn’t a one time breach. They know that China has control over a unspecified amount of critical components. The malware China is using is extremely complex and very hard if not completely impossible to detect. China is very good at covering there tracks so even getting a sample of Malware is hard. They are constantly evolving and adapting it so it is very tricky to pinpoint and clean systems.
Because of all this, CISA is now recommending that people use encrypted messagers. Usually the government wants unfeathered access to data so that’s how you know it is very bad.
Do you have a link to the report?
Salt Typhoon.
Sodium Tsunami.
NaCl Cyclone.
How much of this was delivered through the TikTok app?
None. It was built into the hardware. TikTok isn’t telecommunications related
This was caused by lowest bidder decision making. Along with a tolerance for critical systems designed, developed and manufactured outside of North America and Western Europe. If a country doesn’t have a history of liberal democracy, they can never be fully trusted.
I think trust is the problem honesty trust less and you won’t have to worry as much.
I wouldn’t be surprised if CISA, which was created under the Trump administration, is manufacturing consent for escalation with China.
Or more likely the US is terrible at security
Meme mentions CISA and FBI but everyone knows NSA already has a master list of vulns that they juggle deciding if they’re worth disclosing or better off keeping for themselves lol.
They sat on Eternal Blue for allegedly a decade. Any APT has plenty of time and money to spend attacking America’s public infara when they don’t even bother to cover the bargain basement stuff like the insanity that is Microsoft AD.
I wonder if China is any better with their hefty surveillance and firewall though. I wouldn’t be completely surpised if some of their public infara is also exposed for the same reasons.
Occam’s Razor
What does Occam’s Razor say about Saddam’s weapons of mass destruction?
Buying cheap routers from china? No problem.
More like buying routers from Amazon
Because Amazon is ITAR amd COMPSEC compliant.
Probably got rebates from Bejing for government customers.
That seems very unlikely. The people working at the NSA and CIA are fucking geniuses. Like bonafide, real-life, literal geniuses.
Their management however…
True, ultimately the politicians pull the strings of these agencies, and that’s quite the mixed bag.
And they didn’t build the telecom network
I HIGHLY doubt that
My best friend’s, dad’s, friend is a retired CIA agent. He knows everything about everything. Seriously. I’ve never had a conversation with him where he wasn’t highly knowledgeable about the subject. The guy has a memory like a steel trap. The NSA is full of guys like Snowden, and even smarter guys lead those guys. They know what they’re doing.