Most active commenters
  • beeflet(6)
  • bongodongobob(3)
  • breppp(3)

←back to thread

FBI cyber cop: Salt Typhoon pwned 'nearly every American'

(www.theregister.com)
287 points Bender | 21 comments | 30 Aug 25 12:43 UTC | HN request time: 1.147s | source | bottom
Show context
nekitamo ◴[30 Aug 25 15:11 UTC] No.45075341[source]
This is what we get for installing mandatory government backdoors all over our communications infrastructure. Unbelievable that such a critical piece of infrastructure wasn't secured properly. But after the OPM hack and the bungled implementation of CIA "drop sites" online, nothing about our government's cyber incompetence surprises me anymore.
replies(3): >>45075621 #>>45075962 #>>45076589 #
1. mensetmanusman ◴[30 Aug 25 17:47 UTC] No.45076589[source]
Computers can never be 100% secure. It’s just a matter of how many zeros one is willing to spend, especially when physical access to the hardware is so easy (for nation states).
replies(4): >>45076710 #>>45076713 #>>45077022 #>>45078898 #
2. Veserv ◴[30 Aug 25 17:59 UTC] No.45076710[source]
You only need to spend barely 7 zeros to defeat any organization in the world. About half of a single tank to defeat any commercial IT system no matter how much they spend on “security”.
replies(1): >>45077036 #
3. JumpCrisscross ◴[30 Aug 25 17:59 UTC] No.45076713[source]
> when physical access to the hardware is so easy (for nation states)

So where is our deep, persistent infiltration of China?

replies(2): >>45076881 #>>45079915 #
4. tlb ◴[30 Aug 25 18:22 UTC] No.45076881[source]
Unknown to the public. The NSA doesn't announce when it has pwned other countries (except sometimes much later) and China doesn't reveal intrusions the way US agencies and companies are required to.
5. beeflet ◴[30 Aug 25 18:46 UTC] No.45077022[source]
>Computers can never be 100% secure.

This is ridiculous defeatism. You are going to need more 0's than exist in the global economy to crack many cryptosystems.

replies(1): >>45077075 #
6. beeflet ◴[30 Aug 25 18:47 UTC] No.45077036[source]
Then let them spend it instead of giving your data away for free
replies(2): >>45077156 #>>45077508 #
7. bongodongobob ◴[30 Aug 25 18:53 UTC] No.45077075[source]
I don't need to crack crypto, I just need to find an admin that can be blackmailed.
replies(1): >>45077121 #
8. beeflet ◴[30 Aug 25 18:59 UTC] No.45077121{3}[source]
Then design the system so that there is not a single source of administrative failure.
replies(2): >>45077350 #>>45080205 #
9. busterarm ◴[30 Aug 25 19:05 UTC] No.45077156{3}[source]
It's a lot cheaper to just kidnap and interrogate someone with the access you need.

And that's only if blackmail didn't work.

replies(1): >>45077165 #
10. beeflet ◴[30 Aug 25 19:06 UTC] No.45077165{4}[source]
Okay then make them do that instead of giving your data away for free
11. breppp ◴[30 Aug 25 19:33 UTC] No.45077350{4}[source]
and also make sure to design a system without any bugs
replies(1): >>45078805 #
12. Veserv ◴[30 Aug 25 19:52 UTC] No.45077508{3}[source]
That is what they did. Salt Typhoon is what they got. This will continue to happen until critical software systems are secure against state actors and requires tens to hundreds of billions of dollars to compromise instead of millions to tens of millions (in the hardest cases).
13. beeflet ◴[30 Aug 25 23:08 UTC] No.45078805{5}[source]
You should look into cryptography. It actually is possible to design open systems provably without bugs or single sources of failure. It's possible to build mechanisms of plausible deniability that are largely immune to rubber-hose attacks.

It's also possible to design systems with an intermediate level of security. With your attitude, you might as well leave your house unlocked because any competent locksmith could break in.

replies(1): >>45080595 #
14. wakawaka28 ◴[30 Aug 25 23:24 UTC] No.45078898[source]
They can be close enough to 100% as you like. Even if that was true, it does not excuse the morons who built the stuff for easy spying instead of reasonable security.
15. everybodyknows ◴[31 Aug 25 02:49 UTC] No.45079915[source]
A few years back the whole US humint network in the PRC was lost, agents killed, due to use of antiquated security tech.
replies(1): >>45087368 #
16. bongodongobob ◴[31 Aug 25 03:46 UTC] No.45080205{4}[source]
Lol, ok hotshot.
17. breppp ◴[31 Aug 25 05:28 UTC] No.45080595{6}[source]
I am aware of cryptography, but how does strong cryptography prevents these?

https://www.heartbleed.com

https://www.blackduck.com/blog/understanding-apple-goto-fail...

replies(1): >>45086081 #
18. beeflet ◴[31 Aug 25 19:10 UTC] No.45086081{7}[source]
Side channels are prevented through security audits. There is not an infinite well of bugs in any codebase that will always be exploitable.

Once you patch the bugs, they are patched. You eventually reach a state where there is no more surface area for bugs.

replies(2): >>45086619 #>>45087693 #
19. bongodongobob ◴[31 Aug 25 20:09 UTC] No.45086619{8}[source]
I feel like you've never worked at a company that has decades of tech debt and has more than just a handful of devs.
20. h3half ◴[31 Aug 25 21:42 UTC] No.45087368{3}[source]
Do you have links where I can read about that? Sounds interesting
21. breppp ◴[31 Aug 25 22:32 UTC] No.45087693{8}[source]
I'm sorry, that's not aligned with reality. Possible states in a system grow exponentially with lines of codes added and no one can expect or prevent all the failure states leading to security issues