287 points Bender | 46 comments
1. nekitamo ◴[] No.45075341[source]
This is what we get for installing mandatory government backdoors all over our communications infrastructure. Unbelievable that such a critical piece of infrastructure wasn't secured properly. But after the OPM hack and the bungled implementation of CIA "drop sites" online, nothing about our government's cyber incompetence surprises me anymore.
replies(3): >>45075621 #>>45075962 #>>45076589 #
2. dlcarrier ◴[] No.45075621[source]
I'm really tempted to stop using phone numbers, altogether. The security is really bad, and phone numbers are used for identification almost as often as social security numbers, but there's no requirement to have one.
replies(1): >>45075691 #
3. jacquesm ◴[] No.45075691[source]
Technically not. But not having a working phone number will quickly become a problem when you need to interact with authorities, banks, insurance companies, the legal system etc. I remember when cell phones were becoming affordable and I thought I was clever by ditching my land line. That got me no end of trouble, then bit by bit it became more normalized to the point that if you have a landline now people look at you a little funny. Not having a phone number today would be the same as not having a landline would have been in the early 90's, and probably much worse than not having a phone was back then.
replies(3): >>45075911 #>>45076936 #>>45078864 #
4. latchkey ◴[] No.45075911{3}[source]
Even worse is that a lot of these services block the google voice VoIP numbers, so you can't even get away with that.
replies(3): >>45076156 #>>45076417 #>>45078908 #
5. krisbolton ◴[] No.45075962[source]
Top tier state-sponsored actors don't need backdoors, their skill, resources, and persistence mean they can penetrate almost any system. Ascribing this to mandatory backdoors distracts from the fact we need to improve cyber resilience and build better offense.

Reading the Atlantic Council's recent paper on what the US can do to counter the system China has created which funnels exploits to their government shows how mismatched the West is versus China. Paper here: https://www.atlanticcouncil.org/wp-content/uploads/2025/06/C...

replies(3): >>45076226 #>>45076516 #>>45078872 #
6. jkestner ◴[] No.45076156{4}[source]
Imagine if they could block the banks of numbers that bad actors use.
replies(1): >>45076795 #
7. hammock ◴[] No.45076226[source]
You are being downvoted by anti-backdoor people, which is fine, but you highlight an interesting new facet of the discussion:

How do we build a functioning world where secrets are not required? By this I don’t mean “everyone behaves good and therefore has nothing to hide/fear” but rather, how do we function in a world in which secrets are simply not possible?

replies(3): >>45076457 #>>45076475 #>>45077025 #
8. mjevans ◴[] No.45076417{4}[source]
Which is crazy, since that's the only service that even PARTLY filters some of the insane level of spam that gets sent to my unused prepaid number, where everyone contacting it is clearly an automated spambot.
9. christophilus ◴[] No.45076457{3}[source]
Locally.
10. ptero ◴[] No.45076475{3}[source]
It is not black and white. There is a continuum of difference between my whole life being discoverable by a targeted effort of a major state (for which there were always very few defenses) and a "we have no privacy" world where my whole life is being easily seen by anyone: employers, coworkers, neighbors, potential dates, etc.

I think sliding down towards the "I have no privacy" end of the spectrum is bad for both the citizens and the society. Stopping this slide is a worthwhile goal. My 2c.

replies(2): >>45076777 #>>45077559 #
11. zargon ◴[] No.45076516[source]
I think your point is we need deeper security improvements than only patching back doors. But it does come across like saying “hackers don’t need to guess passwords to get in, therefore just use hunter2.”
12. mensetmanusman ◴[] No.45076589[source]
Computers can never be 100% secure. It’s just a matter of how many zeros one is willing to spend, especially when physical access to the hardware is so easy (for nation states).
replies(4): >>45076710 #>>45076713 #>>45077022 #>>45078898 #
13. Veserv ◴[] No.45076710[source]
You only need to spend barely 7 zeros to defeat any organization in the world. About half of a single tank to defeat any commercial IT system no matter how much they spend on “security”.
replies(1): >>45077036 #
14. JumpCrisscross ◴[] No.45076713[source]
> when physical access to the hardware is so easy (for nation states)

So where is our deep, persistent infiltration of China?

replies(2): >>45076881 #>>45079915 #
15. lazide ◴[] No.45076777{4}[source]
Generally? Lots and lots of lying and bullshit, so people stop knowing or caring what the actual truth is as long as people do x specific thing they need.
16. jacquesm ◴[] No.45076795{5}[source]
This is one of the more annoying things I'm dealing with at the moment. Some bad actor (a Belgian company called Voxbone) that has thousands of numbers in NL keeps calling me with all kinds of obviously scammy proposals. They're abusive, rude and just won't get lost and they just keep switching to new numbers.
replies(2): >>45077187 #>>45077602 #
17. tlb ◴[] No.45076881{3}[source]
Unknown to the public. The NSA doesn't announce when it has pwned other countries (except sometimes much later) and China doesn't reveal intrusions the way US agencies and companies are required to.
18. Waterluvian ◴[] No.45076936{3}[source]
Six years ago when I obtained a mortgage I tested just this. Correct email and address but no phone number. What happened is that the documentation and all that with the lender was submitted fine without one. And my broker didn’t need one (we used email after our first in-person visit). But once I logged in to manage the mortgage (after a few payments already) it insisted on a number. I put in a null number and it was fine.

This only became a problem when the mortgage was paid off last year and despite getting emails about it, I got a registered letter saying they must talk to me and that I haven’t been answering my phone. So I call them as instructed and it was just a “you’re done. We’ll be mailing you documents to send to your insurer. Thanks for your business.”

FWIW: I’ve never personally owned a land line. The last time I ever lived somewhere with one was 19 years ago.

replies(1): >>45084346 #
19. beeflet ◴[] No.45077022[source]
>Computers can never be 100% secure.

This is ridiculous defeatism. You are going to need more 0's than exist in the global economy to crack many cryptosystems.

replies(1): >>45077075 #
20. impossiblefork ◴[] No.45077025{3}[source]
What do you mean, 'secrets are not possible'? You can still have secrets, you just stop writing things down, stop talking and literally start whispering or using other anti-eavesdropping techniques.
replies(1): >>45077555 #
21. beeflet ◴[] No.45077036{3}[source]
Then let them spend it instead of giving your data away for free
replies(2): >>45077156 #>>45077508 #
22. bongodongobob ◴[] No.45077075{3}[source]
I don't need to crack crypto, I just need to find an admin that can be blackmailed.
replies(1): >>45077121 #
23. beeflet ◴[] No.45077121{4}[source]
Then design the system so that there is not a single source of administrative failure.
replies(2): >>45077350 #>>45080205 #
24. busterarm ◴[] No.45077156{4}[source]
It's a lot cheaper to just kidnap and interrogate someone with the access you need.

And that's only if blackmail didn't work.

replies(1): >>45077165 #
25. beeflet ◴[] No.45077165{5}[source]
Okay then make them do that instead of giving your data away for free
26. reaperducer ◴[] No.45077187{6}[source]
This can't be happening.

There are easily hundreds of comments on HN from people in Europe who assure us all that this is solely an American problem, and that it never happens anywhere else.

replies(1): >>45083678 #
27. breppp ◴[] No.45077350{5}[source]
and also make sure to design a system without any bugs
replies(1): >>45078805 #
28. Veserv ◴[] No.45077508{4}[source]
That is what they did. Salt Typhoon is what they got. This will continue to happen until critical software systems are secure against state actors and require tens to hundreds of billions of dollars to compromise instead of millions to tens of millions (in the hardest cases).
29. hammock ◴[] No.45077555{4}[source]
It’s a thought experiment, as I observe that it is becoming harder and harder to have secrets. Even your examples (whispering, speaking behind a closed wall, even private thoughts) are either no longer safe or have promising technology being actively developed to counter them
30. hammock ◴[] No.45077559{4}[source]
Yes
31. hyperman1 ◴[] No.45077602{6}[source]
That's what it is? As a Belgian, I've got these calls for a few months now, from France or the Netherlands. Some robotic French female voice says something incomprehensible, then the call stops. Got about 8 of these in the last 2 months. I assumed this was mostly a US problem, but it appears over here now.
32. beeflet ◴[] No.45078805{6}[source]
You should look into cryptography. It actually is possible to design open systems provably without bugs or single sources of failure. It's possible to build mechanisms of plausible deniability that are largely immune to rubber-hose attacks.

It's also possible to design systems with an intermediate level of security. With your attitude, you might as well leave your house unlocked because any competent locksmith could break in.

replies(1): >>45080595 #
33. dlcarrier ◴[] No.45078864{3}[source]
My bank's two-factor authentication system lets the user select the communications method before logging in, so I set my phone number to a 555 exchange, making it invalid, and it hasn't caused any trouble. A teller did once notice it, but agreed it was a good idea.

There's no way the legal system could require a phone number, because the government overplays their support for the homeless, and being able to work with people that don't have phone numbers is a big part of that.

34. wakawaka28 ◴[] No.45078872[source]
If they don't NEED them, why do they always DEMAND them? The fact is that mandatory backdoors make things easier for attackers. Counter offensive capabilities do not cancel out defensive vulnerabilities. Once your data is gone or your personnel killed, there's no taking it back.
35. wakawaka28 ◴[] No.45078898[source]
They can be close enough to 100% as you like. Even if that was true, it does not excuse the morons who built the stuff for easy spying instead of reasonable security.
36. dlcarrier ◴[] No.45078908{4}[source]
That's what I do use, when a phone number is needed. The only place that seemed to notice was OpenAI, but my GPU has 16 GB of RAM, so I run all my inferencing locally, using open models, which is a good idea anyway.

The bigger problem with Google Voice is that Google's email gateway for SMS is awful. It cuts off outgoing messages after two carriage returns, strips out single carriage returns, and won't send me group messages, instead sending me a link to the message, and even that only rarely, usually not even notifying me that I received a group message.

I've found a few alternatives, and I wouldn't mind paying a few dollars a month for one, but every one I've looked into requires I upload a copy of my photo ID, and I'm definitely not going to do that.

replies(1): >>45084721 #
37. everybodyknows ◴[] No.45079915{3}[source]
A few years back the whole US humint network in the PRC was lost, agents killed, due to use of antiquated security tech.
replies(1): >>45087368 #
38. bongodongobob ◴[] No.45080205{5}[source]
Lol, ok hotshot.
39. breppp ◴[] No.45080595{7}[source]
I am aware of cryptography, but how does strong cryptography prevent these?

https://www.heartbleed.com

https://www.blackduck.com/blog/understanding-apple-goto-fail...

replies(1): >>45086081 #
40. jacquesm ◴[] No.45083678{7}[source]
Europe usually lags the USA on such subjects by about a decade.
41. jacquesm ◴[] No.45084346{4}[source]
Not a bad score, paying off your mortgage in 6 years. Congratulations!!
42. backscratches ◴[] No.45084721{5}[source]
Jmp.chat is superb (time tested, open source, great support)... And cheogram (their mobile app) can be a UnifiedPush distributor!
43. beeflet ◴[] No.45086081{8}[source]
Side channels are prevented through security audits. There is not an infinite well of bugs in any codebase that will always be exploitable.

Once you patch the bugs, they are patched. You eventually reach a state where there is no more surface area for bugs.

replies(2): >>45086619 #>>45087693 #
44. bongodongobob ◴[] No.45086619{9}[source]
I feel like you've never worked at a company that has decades of tech debt and has more than just a handful of devs.
45. h3half ◴[] No.45087368{4}[source]
Do you have links where I can read about that? Sounds interesting
46. breppp ◴[] No.45087693{9}[source]
I'm sorry, that's not aligned with reality. Possible states in a system grow exponentially with lines of code added and no one can expect or prevent all the failure states leading to security issues