FBI cyber cop: Salt Typhoon pwned 'nearly every American'

Meanwhile in Europe, dump politics do nothing to stop USA and PRC spy.

The ban for anti-social networks to less 16yo is a good start but it does not fix the smartphone or telecommunication spy.

The need to ban twitter, tiktok, facebook and many others is a must.

A better title would be “Chinese Communist Party” or “China” pwned nearly every American… This is a state, not a school computer club.

Oh goodie

The CISA announcement, which contains a lot more substance, was posted https://news.ycombinator.com/item?id=45065458

> This indiscriminate targeting, as the FBI and White House security officials have previously noted, allowed Beijing’s snoops to geo-locate millions of mobile phone users, monitor their internet traffic, and, in some cases, record their phone calls. Victims reportedly included President Donald Trump and Vice President JD Vance.

Welp... that's quite a capable piece of surveillance.

I imagined it involved tapping to cell towers/cell infrastructure, but the details at the wikipedia page [1] suggest servers were hacked instead? Did they hack AT&T servers or something?

Side note, are there any ways to not get your data stolen in such cases? I would imagine using only a VPN might help, but if they're getting data from triangulation you couldn't do much short of turning off your phone, right?

1 - https://en.wikipedia.org/wiki/Salt_Typhoon#Methodology

Presumably this includes SMS-based MFA codes.

Salt Typhoon used govt-mandated backdoors to spy on Americans. As a result the govt told Americans to use Signal rather than rely on the phone system.

https://www.npr.org/2024/12/17/nx-s1-5223490/text-messaging-...

Relevant excerpt:

>The FBI and CISA raised the alarm two months after The Wall Street Journal reported that hackers linked to the Chinese government have broken into systems that enable U.S. law enforcement agencies to conduct electronic surveillance operations under the Communications Assistance for Law Enforcement Act (CALEA).

>"These are for legitimate wiretaps that have been authorized by the courts," Hong says. But in hackers' hands, he says, the tools could potentially be used "to surveil communications and metadata for lots of people. And it seems like the [hackers'] focus is primarily Washington, D.C."

> What this really underscores is that what the PRC is doing through these proxy actors is really reckless and unbounded, in a way that is significantly outside of the norms of what we see in the espionage space,"

What norms are he referring to?

This is what we get for installing mandatory government backdoors all over our communications infrastructure. Unbelievable that such a critical piece of infrastructure wasn't secured properly. But after the OPM hack and the bungled implementation of CIA "drop sites" online, nothing about our government's cyber incompetence surprises me anymore.

Almost as if having GDPR to keep at least the worst of the data-brokering/selling industry out is a good thing.

The more detailed report someone posted does sound like this was hacked at the source, but a lot of the data can be bought legally on the open, not-even-too-grey market. Some journalists bought one of the location data sets and used it to demonstrate that you can identify intelligence agency employees from it (if someone spends almost every workday at one site belonging to the agency, occasionally visits the other one... the other place that "anonymous" user spends a lot of time at is likely the home of an intelligence agency employee).

If the industry wasn't selling it to anyone who asks, they'd still likely keep it in easily hacked places.

More like "US government demands doors be left unlocked, Chinese Communist Party walked in"

Having any piece of the "Data Broker" industry not completely dismantled is not only a security risk but an affront to humanity.

Yea, I wasn’t aware that there was a rule book for spies. I thought the only rule was “anything goes, but don’t get caught.” But perhaps I’m uninformed.

Just like they were warned repeatedly and loudly by the cypherpunks and anybody who had two functioning brain cells to rub together.

Then it would be flagged removed for having forbidden words in the title.

Hey, do what you have to do.

We will.

Can't speak for every American, but I won't take offense. It's our job to protect our infrastructure, corporations and data. Not at all the responsibility of Europe, India or China. It's your job to protect yours.

Don't think that'll stop the NSA/CIA or CCP hackers much.

Given that the US intelligence community, with PRISM and Upstream and the like, hoovers up all the world's communications, I think the "norms" must be "nobody except the US was able to do this until now." Now China has shown that it can compete in the same space.

He's referring to the norm that only the American government is allowed to conduct unlawful mass surveillance of American citizens. Who do these Chinese think they are???

I'm really tempted to stop using phone numbers, altogether. The security is really bad, and phone numbers are used for identification almost as often as social security numbers, but there's no requirement to have one.

"Salt Typhoon" specifically refers to Microsoft's observations of malicious activity, which they believe to be associated with the Ministry of State Security.

They are obviously different from other official Chinese components, and the private sector actors that support them. The distinction is also made because other firms sometimes have differing assessments and visibility.

The ones that are in his head, just as soft, curvy, and flexible as the matter inside

do we have other sources for this other than just this government’s?

i absolutely believe it may have happened, but due to overwhelming and well documented history of lies from this regime, i’d feel like i was standing on more solid footing with this if we had some reputable 3rd party sources. ideally someone who is far away from the hysterical levels of partisanship our current leaders have planted themselves.

again, i’m not in denial that it couldnt have happened, it’s just that unfortunately i think it would be unreasonable to trust anything from this regime’s people. and to reiterate, they have a long and very well documented history of outright lying. not even typical politician half truths, but shoving it in our face lying.

The security community warned that making Lawful Access easy and automated would guarantee that bad people would penetrate the network.

And now we have China using CALEA-crippled systems to slurp up the entire USA network. Exactly as predicted.

And this - "outside of the norms of what we see in the espionage space" - LOL. ROTFL even. The NSA tapped Google's backbone! Have we forgotten Room 641A? MAINWAY? Poindexter and TIA? Palantir?

The NSA used to play defence and offence, and has gone full-offence for a generation. Did anyone really believe that only the USA could play offence?

Morons.

Verizon says they targeted certain politicians.

https://www.verizon.com/about/salt-typhoon-matter-update

Technically not. But not having a working phone number will quickly become a problem when you need to interact with authorities, banks, insurance companies, the legal system etc. I remember when cell phones were becoming affordable and I thought I was clever by ditching my land line. That got me no end of trouble, then bit by bit it became more normalized to the point that if you have a landline now people look at you a little funny. Not having a phone number today would be the same as not having a landline would have been in the early 90's, and probably much worse than not having a phone was back then.

It turns out blowing a giant hole in your security model so that uncle sam can spy on your users also makes it easier for bad guys to spy on your users! Shocking!!

China is the last group we should blame for this. Our government did this to us and must be held accountable or this will happen again, and again, and again.

Titles can’t contain “China”?

Man, good thing Doge and MAGA gutted 30% of that agency[1]. We certainly don't need a bunch of bureaucrats doing (checks notes) cybersecurity and infrastructure security right now.

[1] https://archive.is/20250603190111/https://www.axios.com/2025...

It does not stop, that is correct. But it is a first important step to start breaking some bad ones.

Why is it suddenly a problem when it's a foreign government?

For China a data set like this is only usefull if it can be validated, which it seems from reading between the lines, they have/are doing. The only use China has for this data set it to guage a competitors true capacity, VS there own capacity. It is highly likely that this data set will not be used to access any individuals information in any way that could lead to a situation that then could be back tracked, and that the copy that China has is hermeticaly sealed off in some inner sanctum of the secret squirles. Any posture that China takes will use many other sources of information beside this one. And of course, it's Chinas posture that has some strategists concerned right now, which is compounded by what looks like a perfect job, done completly online that has left a dead end trail, and zero proof of anything. So classic spy craft, with no possibility of a hollywood movie.

> Victims reportedly included President Donald Trump and Vice President JD Vance

I wish the journalist had been a little cheeky and tried to get a quote from Angela Merkel.

Even worse is that a lot of these services block the google voice VoIP numbers, so you can't even get away with that.

I mean, clearly they weren't very effective anyway.

Top tier state-sponsored actors don't need backdoors, their skill, resources, and persistance mean they can penetrate almost any system. Ascrbing this to mandatory backdoors distracts from the fact we need to improve cyber resilence and build better offense.

Reading the Atlantic Council's recent paper on what the US can do to counter the system China has created which funnels exploits to their government shows how mistatched the West is versus China. Paper here: https://www.atlanticcouncil.org/wp-content/uploads/2025/06/C...

direct link: https://www.cisa.gov/news-events/cybersecurity-advisories/aa...

how is this not a total shitstorm on twitter and in media is beyond me. nobody cares since nobody got hurt?

So what was the actual point of compromise? Was it a CALEA supporting software vendor? My guess is a common MD (Mediator device) vendor was targeted that was used by many carriers but that's speculation on my part.

Context for others, there's a small number of software vendors that make these MD devices that handle initiating a capture of a flow (a wiretapping request) and managing the chain of custody for a pcap. MDs usually sends an SNMP poll to a router/switch to start a (r)span port and the MD device slurps up all data and saves it.

Anyway, what I'm curious about is if it's the MDs that were taken over and if it was one manufacturer but I'm not seeing much technical info on all these reports.

Here's some context for "LI" for those interested: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9...

And of course the only thing that the US government will do is double down on surveillance even harder.

Exactly. China can't do much with my data, compared to the US government or my insurance company.

Maybe this idiocy could be explained by the idea that the powers that be are more afraid of their own citizens than of any foreign threat.

Western intelligence plus Israel*

And yeah pretty much. I don’t know anything about anything but it feels like there is a hierarchy (norm? At least what they are trying to enforce) of US > Five Eyes > other Western Intel (France, etc) > Pakistan/Russia/Etc > China/North Korea/Iran; and Israel falls somewhere in that mix as a maverick. Of course in practice it doesn’t work out this way.

Reminds me of the recent news that the US will ban Chinese components from undersea cables, globally: https://asia.nikkei.com/content/99550c9ade243fe057e8a2ba6f29...

Imagine if they could block the banks of numbers that bad actors use.

You are being downvoted by anti-backdoor people, which is fine, but you highlight an interesting new facet of the discussion:

How do we build a functioning world where secrets are not required? By this I don’t mean “everyone behaves good and therefore has nothing to hide/fear” but rather, how do we function in a world in which secrets are simply not possible?

Which is crazy, since that's the only service that even PARTLY filters some of the insane level of spam that gets sent to my unused prepaid number that everyone contacting is clearly an automated spambot.

Locally.

It is not black and white. There is a continuum of difference between my whole life being discoverable by a targeted effort of a major state (for which there were always very few defenses) and "we have no privacy" world where my whole life is being easily seen by anyone: employers, coworkers, neighbors, potential dates, etc.

I think sliding down towards "I have no privacy" end of the spectrum is bad for both the citizens and the society. Stopping the this slide is a worthwhile goal. My 2c.

Anecdote, but I have a friend in cybersecurity in Australia, and he was telling me a few months ago that China basically has almost all the data they could want on almost all of the US.

I think your point is we need deeper security improvements than only patching back doors. But it does come across like saying “hackers don’t need to guess passwords to get in, therefore just use hunter2.”

... morons with moral superiority complex.

They havent forgotten their offensive operations, they never knew about it or never cared.

These were intrusions into private companies.

Once upon a time, problems like these were solved with definitive measures; cut the cable, or send a bullet.

But state-sponsored cyber-war and other such aggressions are now considered normal daily life. Just as bad, U.S. MSM rarely reports American aggression towards others.

I live in a state, Washington, with mandatory breach reporting and notifications.

Haven't seen anything from this. Any idea why? Low compliance in general? Telcos think they're big enough to ignore state regs?

China pwned nearly every Chinese as well. The CCP can only kill American spies operating in China with this information.

Computers can never be 100% secure. It’s just a matter of how many zeros one is willing to spend, especially when physical access to the hardware is so easy (for nation states).

Yes. Have you not yet learned that normal people dont care about privacy?

Agencies aren’t allowed to fix private company security.

Israel is a part of western intelligence. Adding them as your main response is strange.

They have skillfully used it for IP theft which OECD estimates is worth about $500B annually in lost revenue. Destroying the mechanism for R&D funding is actually a great strategy by China. Props

US government demands doors exist. CCP finds keys.

I’d prefer neither. But my prediction is that when we have a conflict with China, their digital access is going to be a game changer.

You only need to spend barely 7 zeros to defeat any organization in the world. About half of a single tank to defeat any commercial IT system no matter how much they spend on “security”.

> when physical access to the hardware is so easy (for nation states)

So where is our deep, persistent infiltration of China?

Any discussion of Salt Typhoon should start with the unusual fact that it is still an active and uncontained incident, despite having been widely revealed in 2024. Typically we are accustomed to discussing lessons learned during a post mortem. This particular mortem has not yet posted. We are still owned and data continues to be compromised.

https://www.theregister.com/2025/08/28/china_salt_typhoon_al...

So we definitely should just give up and not do anything instead. That makes sense.

I honestly don't believe China is doing something that America itself didn't start. The US did this too most likely.

Generally? Lots and lots of lying and bullshit, so people stop knowing or caring what the actual truth is as long as people do x specific thing they need.

Notably, Israel is not actually located anywhere near the physical ‘west’.

This is one of the more annoying things I'm dealing with at the moment. Some bad actor (a Belgian company called Voxbone) that has thousands of numbers in NL keeps calling me with all kinds of obviously scammy proposals. They're abusive, rude and just won't get lost and they just keep switching to new numbers.

Neither is Australia but you’d almost universally call it the west. Because western in this instance is a cultural qualifier not a geographic one.

Objecting to calling Israel the west is at least as weird as including it in the context of this conversation.

Indiscriminate targeting. It's clarified at the end of that paragraph, and was part of the article's lead-in:

   "There's a thought among the public that if you don't work in a sensitive area that the PRC might be interested in for its traditional espionage activities, then you are safe, they will not target you," [deputy assistant director for the FBI's cyber division] said, during a Thursday interview with The Register. "As we have seen from Salt Typhoon, this is no longer an assumption that anyone can afford to make."

China has secret police operating in America right now.

Unknown to the public. The NSA doesn't announce when it has pwned other countries (except sometimes much later) and China doesn't reveal intrusions the way US agencies and companies are required to.

Unnecessary, this administration destroys R&D funding on its own.

Most protocols that I use day-to-day are secure against simple passive interception. Either SSH or TLS encrypts just about every packet that leaves my network. This got much better with DNS over HTTPS (or TLS before that). Of course these protocols are sometimes susceptible to downgrade attacks, man in the middle compromises, etc, but none of that would be available to someone who was running a pcap without modifying the traffic streams.

So how would a simple MD attack affect me? Any sort of CALEA attack on a higher protocol layer (e.g. compromising Gmail at Google instead of capturing their traffic) would make sense, but not a pcap.

Right. Until their nudes get leaked that is.

Six years ago when I obtained a mortgage I tested just this. Correct email and address but no phone number. What happened is that the documentation and all that with the lender was submitted fine without one. And my broker didn’t need one (we used email after our first in-person visit). But once I logged in to manage the mortgage (after a few payments already) it insisted on a number. I put in a null number and it was fine.

This only became a problem when the mortgage was paid off last year and despite getting emails about it, I got a registered letter saying they must talk to me and that haven’t been answering my phone. So I call them as instructed and it was just a “you’re done. We’ll be mailing you documents to send to your insurer. Thanks for your business.”

FWIW: I’ve never personally owned a land line. The last time I ever lived somewhere with one was 19 years ago.

I think one unprecedented thing about how China operates is every single company is like a private military contractor with letters of marque and reprisal to do whatever the heck they feel like in the name of CCP world dominance. As long as it's patriotic, you can do absolutely whatever the heck you want to the other guys. Harvest their organs for profit, sabotage major infrastructure, hack absolutely everything, fund and supply and launder money for fentanyl production, etc. The kinds of things only the dirty tricks department of intelligence agencies are allowed to do in Western countries that they get called out and scandalized about when people find out about that.

Likewise, if you're Jack Ma and they don't like what poem you quoted, all your stuff is now theirs and there aren't any silly laws to protect yourself. Absolutely 100% goal oriented to the steady increase in power of the communist party and absolutely no higher principles apply.

IMHO, the real "morons" (your word) are those deploying Chinese-fabricated SoCs (like the latest ESP32, LinkStar, etc) and mainboards with Chinese-written BIOS/EFI/UEFI (like Zima) on what an increasing number of "influencers" deem "Raspberry Pi alternatives". Even when you cite the websites about things like "Moonbounce", there is a generation of workers in the Business now that become outwardly enraged and irrational about the risk and otherwise stick their head firmly in the sand while quietly knowing what they have done and will therefore likely continue to do is costing us the Country. Even if this effort wasn't part of VOLT, it certainly is consistent with the LAW in China that all companies must have CCP management and implement all requests required of them by that management. The worst part is that when you publicly confront these companies with this fact, for example, in Discord, they don't even deny it, they simply respond solemnly that "the other side does it too." (True, but our guys don't currently sell prisoner kidneys.)

Hey, I'll bet you never look at that WiFi-"enabled" power bank or HEPA/AC unit again the same way (or my favorite AI response du jour "Some Chinese scooters come with a microphone integrated into a GPS tracker or helmet, while others can be customized with aftermarket solutions. There is no single model called "Chinese scooter with microphone," but rather multiple products and approaches that fit this description.") Errbody worried about the talking LLM parrot AI and your vehicle dashboard always listening (or even watching), but that's not the most serious threat we face now.

>Computers can never be 100% secure.

This is ridiculous defeatism. You are going to need more 0's than exist in the global economy to crack many cryptosystems.

What do you mean, 'secrets are not possible'? You can still have secrets, you just stop writing things down, stop talking and literally start whispering or using other anti-eavesdropping techniques.

Definitely, I would hope these kinds of systems become less useful with more encryption. I imagine, these kinds of collections I mentioned above are just one of many angles used in an investigation with this particular angle being for correlation and supporting evidence against a request to bookface, cloudflare, etc.

edit these network devices probably also carry voip/voice trunks from enterprise and possibly carriers such as VZW. No telling if those are encrypted or not. If China is able to tap that using these CALEA systems, I could see how that would be a big deal for stealing IP/secrets.

Then let them spend it instead of giving your data away for free

How are you defining West here? If we go by the international date line they're not all that far away and if you zag left as you go further south it works quite well. You need a similar shape on the other side too to get Europe but exclude Africa, so it makes for a pretty reasonable cut of the planet overall.

It's a tilted west.

So what is funding the government going to do then? At some point you have to make people responsible for their own computer systems.

Yeah, defund the government spying apparatus if it isn't useful

I don't need to crack crypto, I just need to find an admin that can be blackmailed.

Then design the system so that there is not a single source of administrative failure.

It has very different values than the west.

Imagine if there were movements in Switzerland to move to certain areas to push out the speakers of some local dialect, and literally organized home-buying in groups to get them out?

It's a lot cheaper to just kidnap and interrogate someone with the access you need.

And that's only if blackmail didn't work.

Okay then make them do that instead of giving your data away for free

This can't be happening.

There are easily hundreds of comments on HN from people in Europe who assure us all that this is solely an American problem, and that it never happens anywhere else.

Really? CISA isn't allowed to work with any private companies on a problem that impacts critical infrastructure and thus national security? Do you have any sources for this claim?

Nobody's saying that CISA would break down Verizon's doors and go to their keyboards and start pushing commits, but they sure as hell are working with the telecom industry.

Take it one step further. Foreign threats are often manufactured or overplayed for their value in convincing American citizens to hand over even more power to their government.

Business requires security. If you can do anything physical in the US, or in Europe etc. then you must be doing something so clever that secrecy is warranted.

And yet my bank still only supports SMS 2fa, god help us all.

This is one of the most humiliating aspects of living here:

That the government is unwilling to genuinely protect its own interests, for example, by preventing ordinary people's data from leaking abroad or ensuring real internet privacy, because without these things we are so unbelievably vulnerable, not just to influence operations designed with this data, but they'll know literally the whole economic structure of the EU, how many people work where, where a particular person works, etc.

They're not even preventing foreign countries from getting access to bank transactions.

When they're denied they cry terrorism, but reality is that if you have this knowledge you can say 'Oh, impossibleFork just moved to X, and he's an expert in Y, he's probably doing Z and W. Let's hire some guys to try the exact same thing, so that it'll be a business here instead of there'.

I don't understand how a government can expect the country it governs to have an economy when it allows this kind of data leakage.

Hardly, for your own citizens you need lawful interception systems because... of the law.

While for foreign citizens you can pretty much capture anything at will, without any need for FISA or warrants

Realpolitik

Unfortunately the problem is that your government is the one that has natural powers to inflict violence on you, but Chinese can't. (And vice versa for Chinese citizens)

and also make sure to design a system without any bugs

I wrote the lawful intercept spec for a 3G GGSN node. So keep in mind that my knowledge of present day systems might be outdated. The spec was derived from pre-existing specifications for telephone equipment. One of the interesting things about lawful intercept is that it was supposed to hide from network management. Intercepts aren't logged at the network operator. The node being used in an intercept gives no indication that the intercept is happening.

IIRC the standard at the time was to enable intercepting up to 3% of traffic, without the surveillance target of course knowing, but also without their carrier knowing. Law-enforcement agencies used LI consoles on their own premises to order intercepts.

So it's not that lawful intercept was particularly easy to hack, it's that once it's compromised, detecting that it's being used nefariously is especially difficult. I would question whether anyone knows for sure when the compromise began, and how long it lasted.

PS: I've been downvoted on HN for years and years for mentioning this topic. Once, someone even summoned dang. One would think that by now, with this being out in the open (why did "China H2Oh" fail again? lol) but no..threat actors gone act.. Those smart enough to listen to words of someone with nearly five decades in the Business might not lose as much money as those who don't.

Celebrated programming genius and de facto leader of the GNU project Richard Stallman very publicly used a Loongson for many years. Case closed.

That is what they did. Salt Typhoon is what they got. This will continue to happen until critical software systems are secure against state actors and requires tens to hundreds of billions of dollars to compromise instead of millions to tens of millions (in the hardest cases).

Discord is banned in China and uses GCP. What is the point you are making against it exactly?

By what measure?

It’s a thought experiment , as I observe that it is becoming harder and harder to have secrets. Even your examples (whispering, speaking behind a closed wall, even private thoughts) are either no longer safe or have promising technology being actively developed to counter them

Yes

That's what it is? As a Belgian, I've got these calls for a few months now, from France or the Netherlands. Some robotic french female voice says something incomprehensible, then the call stops. Got about 8 of these in the last 2 months. I assumed this was mostly a US problem, but it appears over here now.

Can a Chinese cop arrest you or kill you in America?

and Technologists scream "we told you not to install the doors!"

Not the person you are asking but there are indeed Chinese cops in the USA that harass and threaten Chinese expats and even threaten to hurt or arrest their family members back in the mainland. It is a violation of our nation's sovereignty but some cities are very slow to arrest them if they even try.

Here [1] is one example of a couple Chinese police in NYC but I can not find the links to the groups in Los Angeles.

[1] - https://www.pbs.org/newshour/politics/2-men-arrested-on-char...

Ditched my phone 5 years ago, guess I'm one of the few American's unaffected.

Oof people hate this comment.

Look, I know it's cultural much more than geographical. But Australia can easily be both. It's not actually a counterexample.

I just hope the NSA is better at this than they are.

Not the poster, but the Mossad has made quite a name for themselves. I honestly have no idea if Australia even has an intelligence service - do you?

Are you arguing for entirely dismantling the government's counter-espionage apparatus because it's not 100% effective? China would love that.

This is what happens if you allow the government a backdoor into your messaging or communication systems.

Open source software doesn't have backdoors and it works fine for everyone.

What were your motivations? How has this impacted your daily life? I’m curious to know anything you are willing to share.

Companies have official discords to respond to requests or questions. They attempted to call out a company (presumably US based) for this concern and got the specified response

The simple answer is that CALEA requires all traffic to be effectively in plain text. Once you impose that constraint, any decent router exploit gives you everything.

That’s what makes CALEA so toxic. Any covered comms must be effectively-plain-text, or it doesn’t work. Once you impose a plain-text architecture, a mass-breach is inevitable.

>The NSA used to play defence and offence, and has gone full-offence for a generation.

And IIRC most of those people who used to work for the NSA now work at private firms like the NSO group, which is pretty scary when you think about it. It's hard to blame them though, if I was being offered the amount of money they were given, I would probably take it as well.

I recommend the book 'This Is How They Tell Me the World Ends' by Nicole Perlroth, it gives some good insights into what is going on behind the scenes (though with some of the major events which have happened since it was published some things may be outdated. Either way it's a good read.)

Yeah. Turning exploit production into a “respectable” business didn’t help.

I wish. They are mostly dumb racists who believe you can invent magic encryption that only white Americans can crack.

No. That’s what makes CALEA so damaging. It is ILLEGAL to encrypt covered traffic in a way that isn’t intercept-able by any random sheriff’s office in any county of the USA.

Because it means the US probably can't win a ground or sea war against them.

A door with a lock can only be opened by those with a key...

as well as anyone that can pick the lock, jimmy the lock, remove the door from its hinges, remove the lock, break the door down, go under the door, go over the door, get somebody with a key to open the door, and many other methods which can be found with just a little imagination.

That take is only deemed acceptable in the abstract, but if you mentioned any current examples people would loose their shit and crucify you for even suggesting it. "We oppose every war except the current war and support all civil rights movements except the one that's going on right now"

How effective is it?

You should look into cryptography. It actually is possible to design open systems provably without bugs or single sources of failure. It's possible to build mechanisms of plausible deniability that are largely immune to rubber-hose attacks.

It's also possible to design systems with an intermediate level of security. With your attitude, you might as well leave your house unlocked because any competent locksmith could break in.

My bank's two-factor authentication system lets the user select the communications method before logging in, so I set my phone number to a 555 exchange, making it invalid, and it hasn't cause any trouble. A teller did once notice it, but agreed it was a good idea.

There's no way the legal system could require a phone number, because the government overplays their support for the homeless, and being able to work with people that don't have phone numbers is a big part of that.

If they don't NEED them, why do they always DEMAND them? The fact is that mandatory backdoors makes things easier for attackers. Counter offensive capabilities do not cancel out defensive vulnerabilities. Once your data is gone or your personnel killed, there's no taking it back.

They can be close enough to 100% as you like. Even if that was true, it does not excuse the morons who built the stuff for easy spying instead of reasonable security.

That's what I do use, when a phone number is needed. The only placed that seemed to notice was OpenAI, but my GPU has 16 GB of RAM, so I run all my inferencing locally, using open models, which is a good idea anyway.

The bigger problem with Google Voice is that Google's email gateway for SMS is awful. It cuts off outgoing messages after two carriage returns, strips out single carriage returns, and won't send me group messages, instead sending me a link to the message, and even that only rarely, usually not even notifying me that I received a group message.

I've found a few alternatives, and I wouldn't mind paying a few dollars a month for one, but every one I've looked into requires I upload a copy of my photo ID, and I'm definately not going to do that.

Discord developers have also been funded by Tencent even before they had the idea for it, and Tencent might still be a majority owner.

Related: https://www.businessinsider.com/israelis-bugged-the-us-for-t...

Israeli government has current access to United States communications the same way China does.

That's an oxymoron : it's not targeting at this point.

(Some high value people do seem to be targeted for even more intensive spying.)

Not sure if you're aware, but the organ harvesting allegations are complicated because the Falun Gong believe their adherents enjoy magical organ healing; the blind will see, kidneys become good again, etc., and that they are targeted specifically for their organs is an endorsement of their religion. So there's incentive for false claims, which I rarely see brought up.

If an "FBI cyber cop" says "pwned" you know it's serious.

Australia is one of the 5 eye nations…

Is anyone really surprised?

That’s NSA equivalent. But the point still stands - do you know the names of the agencies off the top of your head? I had to look them up on wikipedia, and they’re still pretty easy to forget about.

It seems crazy to me that the network operator would have zero insight into any audit logs for lawful intercept. How would anyone know if someone broke in?

A few years back the whole US humint network in the PRC was lost, agents killed, due to use of antiquated security tech.

They have been here since before Nixon.

They do not know what R and D is, let alone what is does. One guy bankrupted a casino and saluted a North Korean General, and the other tried to impregnate a couch

Lol, ok hotshot.

Hanlon's razor: never attribute to malice what can easily be attributed to stupidity.

Does anyone here think even a decent portion of government officials are tech literate? (I'm not even convinced half of hacker new or half of programmers are tech literate! Instead only have basic literacy and high confidence) There's a few, but I'm not convinced it's that many. The vast majority of Congressmen don't even have an aid who specializes in tech. So do you think it takes any more than someone at the NSA saying "it's encrypted and only we can access it" for them to believe in this magic key? (And this is something we've seen NSA officials say)

Remember, in the senate only 12 members are under 50, 33 are 60-69, and 33 are over 70! In the house 20% are over 70, 43% over 60, and 70% over 50. Only 8% are under 40. Almost none of these people have ever programmed. Just think about how tech illiterate the average 20 year old is (even worse on a technology subreddit!) and we're talking about.

Come on guys. It's a choice between stupid old people and hyper intelligent deep state actors that are acting idiotically. I'd put money on aliens before I'd put money on the later

Oh I understand some countries do these kinds of operations, but as a general rule your government has far more power over you than a foreign government. Obviously relevant if you are an expat etc

I am aware of cryptography, but how does strong cryptography prevents these?

https://www.heartbleed.com

https://www.blackduck.com/blog/understanding-apple-goto-fail...

I thought this campaign targeted telephony networks (SMS, voice), not IP networks?

You can get aides so I’m not worried about their ages. Problem is how do you convince a competent tech aide to work for them at crap salary vs a tech company? Maybe get part time aides? Or just pay for some consulting hours?

  > You can get aides so I’m not worried about their ages.

  >> The vast majority of Congressmen don't even have an aid who specializes in tech.

The problem is aids cost money. I happen to have a senator with one, and actually had a long conversation with them. The main difference with my senator? They have way more aids than most other senators. I'll admit, I'm mostly going off of his word, but it doesn't seem all that trivial to check who the aids are or even how many. All I can seem to find is that the average number of staff members is around 30 and that's definitely not all domain expert aids.

What they also told me is that most of the expert advice tends to come through lobbying. Or "industry relationships" as he put it while using air quotes. It's a budgeting problem, not just that it is hard to get a competent tech aid at such a low salary but even just a handful of domain expert aids in the first place.

As far as I know, all telecommunications companies in the USA do not encrypt phone calls in the core of their networks; they may have TLS to/from the customers to the SBC (session border controller, a firewall/terminating point for customers), but once it’s past that point, it’s all sent in the clear.