The security community warned that making Lawful Access easy and automated would guarantee that bad people would penetrate the network.
And now we have China using CALEA-crippled systems to slurp up the entire USA network. Exactly as predicted.
And this - "outside of the norms of what we see in the espionage space" - LOL. ROTFL even. The NSA tapped Google's backbone! Have we forgotten Room 641A? MAINWAY? Poindexter and TIA? Palantir?
The NSA used to play defence and offence, and has gone full-offence for a generation. Did anyone really believe that only the USA could play offence?
Morons.
godelski 9 hours ago [-]
A door with a lock can only be opened by those with a key...
as well as anyone that can pick the lock, jimmy the lock, remove the door from its hinges, remove the lock, break the door down, go under the door, go over the door, get somebody with a key to open the door, and many other methods which can be found with just a little imagination.
dvno42 16 hours ago [-]
So what was the actual point of compromise? Was it a CALEA supporting software vendor? My guess is a common MD (Mediator device) vendor was targeted that was used by many carriers but that's speculation on my part.
Context for others, there's a small number of software vendors that make these MD devices that handle initiating a capture of a flow (a wiretapping request) and managing the chain of custody for a pcap. MDs usually send an SNMP poll to a router/switch to start a (r)span port and the MD device slurps up all data and saves it.
Anyway, what I'm curious about is if it's the MDs that were taken over and if it was one manufacturer but I'm not seeing much technical info on all these reports.
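As an added example (not from the thread or from any vendor), here is one defender-side check related to the mirror-port mechanism described in the comment above: reconcile the mirror sessions present in a switch configuration against an approved inventory. The IOS-style `monitor session` syntax is assumed, and the sample config and the `APPROVED` inventory are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: IOS-style running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description uplink-core
!
monitor session 1 source interface Gi1/0/1 both
monitor session 1 destination interface Gi1/0/24
monitor session 2 source vlan 300 rx
monitor session 2 destination remote vlan 901
monitor session 3 source interface Gi1/0/7
"""

# Hypothetical approved inventory: session id -> expected destination.
APPROVED = {1: "interface Gi1/0/24"}

LINE_RE = re.compile(r"^monitor session (\d+) (source|destination) (.+?)\s*$")


@dataclass
class MirrorSession:
    session_id: int
    sources: list = field(default_factory=list)
    destination: Optional[str] = None


def parse_sessions(config_text):
    """Collect every mirror (SPAN/RSPAN) session defined in the config text."""
    sessions = {}
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sid, kind, rest = int(m.group(1)), m.group(2), m.group(3)
        session = sessions.setdefault(sid, MirrorSession(sid))
        if kind == "source":
            session.sources.append(rest)
        else:
            session.destination = rest
    return sessions


def audit(sessions, approved):
    """Return (session_id, reason) for every deviation from the inventory."""
    findings = []
    for sid in sorted(sessions):
        if sid not in approved:
            # A mirror session nobody signed off on.
            findings.append((sid, "not-approved"))
        elif sessions[sid].destination != approved[sid]:
            # Known session, but traffic now goes somewhere else.
            findings.append((sid, "destination-mismatch"))
    for sid in sorted(set(approved) - set(sessions)):
        # Inventory drift: approved session no longer on the device.
        findings.append((sid, "approved-but-absent"))
    return findings


if __name__ == "__main__":
    for sid, reason in audit(parse_sessions(SAMPLE_CONFIG), APPROVED):
        print(f"session {sid}: {reason}")
```

This covers only mirror sessions that are visible in the device configuration.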
The simple answer is that CALEA requires all traffic to be effectively in plain text. Once you impose that constraint, any decent router exploit gives you everything.
EE84M3i 3 hours ago [-]
I thought this campaign targeted telephony networks (SMS, voice), not IP networks?
aftbit 14 hours ago [-]
Most protocols that I use day-to-day are secure against simple passive interception. Either SSH or TLS encrypts just about every packet that leaves my network. This got much better with DNS over HTTPS (or TLS before that). Of course these protocols are sometimes susceptible to downgrade attacks, man in the middle compromises, etc, but none of that would be available to someone who was running a pcap without modifying the traffic streams.
So how would a simple MD attack affect me? Any sort of CALEA attack on a higher protocol layer (e.g. compromising Gmail at Google instead of capturing their traffic) would make sense, but not a pcap.
shrubble 1 hours ago [-]
As far as I know, all telecommunications companies in the USA do not encrypt phone calls in the core of their networks; they may have TLS to/from the customers to the SBC (session border controller, a firewall/terminating point for customers), but once it’s past that point, it’s all sent in the clear.
dvno42 14 hours ago [-]
Definitely, I would hope these kinds of systems become less useful with more encryption. I imagine, these kinds of collections I mentioned above are just one of many angles used in an investigation with this particular angle being for correlation and supporting evidence against a request to bookface, cloudflare, etc.
edit: these network devices probably also carry voip/voice trunks from enterprise and possibly carriers such as VZW. No telling if those are encrypted or not. If China is able to tap that using these CALEA systems, I could see how that would be a big deal for stealing IP/secrets.
michael1999 10 hours ago [-]
No. That’s what makes CALEA so damaging. It is ILLEGAL to encrypt covered traffic in a way that isn’t intercept-able by any random sheriff’s office in any county of the USA.
michael1999 10 hours ago [-]
That’s what makes CALEA so toxic. Any covered comms must be effectively-plain-text, or it doesn’t work. Once you impose a plain-text architecture, a mass-breach is inevitable.
tempodox 15 hours ago [-]
Maybe this idiocy could be explained by the idea that the powers that be are more afraid of their own citizens than of any foreign threat.
themafia 13 hours ago [-]
Take it one step further. Foreign threats are often manufactured or overplayed for their value in convincing American citizens to hand over even more power to their government.
lyu07282 9 hours ago [-]
That take is only deemed acceptable in the abstract, but if you mentioned any current examples people would lose their shit and crucify you for even suggesting it. "We oppose every war except the current war and support all civil rights movements except the one that's going on right now"
breppp 13 hours ago [-]
Hardly, for your own citizens you need lawful interception systems because... of the law.
While for foreign citizens you can pretty much capture anything at will, without any need for FISA or warrants
michael1999 10 hours ago [-]
I wish. They are mostly dumb racists who believe you can invent magic encryption that only white Americans can crack.
godelski 4 hours ago [-]
Hanlon's razor: never attribute to malice what can easily be attributed to stupidity.
Does anyone here think even a decent portion of government officials are tech literate? (I'm not even convinced half of Hacker News or half of programmers are tech literate! Instead only have basic literacy and high confidence) There's a few, but I'm not convinced it's that many. The vast majority of Congressmen don't even have an aide who specializes in tech. So do you think it takes any more than someone at the NSA saying "it's encrypted and only we can access it" for them to believe in this magic key? (And this is something we've seen NSA officials say)
Remember, in the senate only 12 members are under 50, 33 are 60-69, and 33 are over 70! In the house 20% are over 70, 43% over 60, and 70% over 50. Only 8% are under 40. Almost none of these people have ever programmed. Just think about how tech illiterate the average 20 year old is (even worse on a technology subreddit!) and we're talking about.
Come on guys. It's a choice between stupid old people and hyper intelligent deep state actors that are acting idiotically. I'd put money on aliens before I'd put money on the latter
figassis 2 hours ago [-]
You can get aides so I’m not worried about their ages. Problem is how do you convince a competent tech aide to work for them at crap salary vs a tech company? Maybe get part time aides? Or just pay for some consulting hours?
godelski 2 hours ago [-]
> You can get aides so I’m not worried about their ages.
>> The vast majority of Congressmen don't even have an aide who specializes in tech.
The problem is aides cost money. I happen to have a senator with one, and actually had a long conversation with them. The main difference with my senator? They have way more aides than most other senators. I'll admit, I'm mostly going off of his word, but it doesn't seem all that trivial to check who the aides are or even how many. All I can seem to find is that the average number of staff members is around 30 and that's definitely not all domain expert aides.
What they also told me is that most of the expert advice tends to come through lobbying. Or "industry relationships" as he put it while using air quotes. It's a budgeting problem, not just that it is hard to get a competent tech aide at such a low salary but even just a handful of domain expert aides in the first place.
robotnikman 10 hours ago [-]
>The NSA used to play defence and offence, and has gone full-offence for a generation.
And IIRC most of those people who used to work for the NSA now work at private firms like the NSO group, which is pretty scary when you think about it. It's hard to blame them though, if I was being offered the amount of money they were given, I would probably take it as well.
I recommend the book 'This Is How They Tell Me the World Ends' by Nicole Perlroth, it gives some good insights into what is going on behind the scenes (though with some of the major events which have happened since it was published some things may be outdated. Either way it's a good read.)
michael1999 10 hours ago [-]
Yeah. Turning exploit production into a “respectable” business didn’t help.
throwawayqqq11 15 hours ago [-]
... morons with moral superiority complex.
They haven't forgotten their offensive operations, they never knew about it or never cared.
vaxman 14 hours ago [-]
IMHO, the real "morons" (your word) are those deploying Chinese-fabricated SoCs (like the latest ESP32, LinkStar, etc) and mainboards with Chinese-written BIOS/EFI/UEFI (like Zima) on what an increasing number of "influencers" deem "Raspberry Pi alternatives". Even when you cite the websites about things like "Moonbounce", there is a generation of workers in the Business now that become outwardly enraged and irrational about the risk and otherwise stick their head firmly in the sand while quietly knowing what they have done and will therefore likely continue to do is costing us the Country. Even if this effort wasn't part of VOLT, it certainly is consistent with the LAW in China that all companies must have CCP management and implement all requests required of them by that management. The worst part is that when you publicly confront these companies with this fact, for example, in Discord, they don't even deny it, they simply respond solemnly that "the other side does it too." (True, but our guys don't currently sell prisoner kidneys.)
Hey, I'll bet you never look at that WiFi-"enabled" power bank or HEPA/AC unit again the same way (or my favorite AI response du jour "Some Chinese scooters come with a microphone integrated into a GPS tracker or helmet, while others can be customized with aftermarket solutions. There is no single model called "Chinese scooter with microphone," but rather multiple products and approaches that fit this description.") Errbody worried about the talking LLM parrot AI and your vehicle dashboard always listening (or even watching), but that's not the most serious threat we face now.
donkeybeer 13 hours ago [-]
Unfortunately the problem is that your government is the one that has natural powers to inflict violence on you, but Chinese can't. (And vice versa for Chinese citizens)
edgineer 8 hours ago [-]
Not sure if you're aware, but the organ harvesting allegations are complicated because the Falun Gong believe their adherents enjoy magical organ healing; the blind will see, kidneys become good again, etc., and that they are targeted specifically for their organs is an endorsement of their religion. So there's incentive for false claims, which I rarely see brought up.
sugarpimpdorsey 13 hours ago [-]
Celebrated programming genius and de facto leader of the GNU project Richard Stallman very publicly used a Loongson for many years. Case closed.
iknowstuff 12 hours ago [-]
Discord is banned in China and uses GCP. What is the point you are making against it exactly?
mu53 10 hours ago [-]
Companies have official discords to respond to requests or questions. They attempted to call out a company (presumably US based) for this concern and got the specified response
BlueTemplar 9 hours ago [-]
Discord developers have also been funded by Tencent even before they had the idea for it, and Tencent might still be a majority owner.
vaxman 13 hours ago [-]
PS: I've been downvoted on HN for years and years for mentioning this topic. Once, someone even summoned dang. One would think that by now, with this being out in the open (why did "China H2Oh" fail again? lol) but no..threat actors gone act.. Those smart enough to listen to words of someone with nearly five decades in the Business might not lose as much money as those who don't.
donkeybeer 12 hours ago [-]
Can a Chinese cop arrest you or kill you in America?
Bender 12 hours ago [-]
Not the person you are asking but there are indeed Chinese cops in the USA that harass and threaten Chinese expats and even threaten to hurt or arrest their family members back in the mainland. It is a violation of our nation's sovereignty but some cities are very slow to arrest them if they even try.
Here [1] is one example of a couple Chinese police in NYC but I can not find the links to the groups in Los Angeles.
Oh I understand some countries do these kinds of operations, but as a general rule your government has far more power over you than a foreign government. Obviously relevant if you are an expat etc
Zigurd 13 hours ago [-]
I wrote the lawful intercept spec for a 3G GGSN node. So keep in mind that my knowledge of present day systems might be outdated. The spec was derived from pre-existing specifications for telephone equipment. One of the interesting things about lawful intercept is that it was supposed to hide from network management. Intercepts aren't logged at the network operator. The node being used in an intercept gives no indication that the intercept is happening.
IIRC the standard at the time was to enable intercepting up to 3% of traffic, without the surveillance target of course knowing, but also without their carrier knowing. Law-enforcement agencies used LI consoles on their own premises to order intercepts.
So it's not that lawful intercept was particularly easy to hack, it's that once it's compromised, detecting that it's being used nefariously is especially difficult. I would question whether anyone knows for sure when the compromise began, and how long it lasted.
wildzzz 6 hours ago [-]
It seems crazy to me that the network operator would have zero insight into any audit logs for lawful intercept. How would anyone know if someone broke in?
nekitamo 17 hours ago [-]
This is what we get for installing mandatory government backdoors all over our communications infrastructure. Unbelievable that such a critical piece of infrastructure wasn't secured properly. But after the OPM hack and the bungled implementation of CIA "drop sites" online, nothing about our government's cyber incompetence surprises me anymore.
dlcarrier 17 hours ago [-]
I'm really tempted to stop using phone numbers, altogether. The security is really bad, and phone numbers are used for identification almost as often as social security numbers, but there's no requirement to have one.
jacquesm 16 hours ago [-]
Technically not. But not having a working phone number will quickly become a problem when you need to interact with authorities, banks, insurance companies, the legal system etc. I remember when cell phones were becoming affordable and I thought I was clever by ditching my land line. That got me no end of trouble, then bit by bit it became more normalized to the point that if you have a landline now people look at you a little funny. Not having a phone number today would be the same as not having a landline would have been in the early 90's, and probably much worse than not having a phone was back then.
Waterluvian 14 hours ago [-]
Six years ago when I obtained a mortgage I tested just this. Correct email and address but no phone number. What happened is that the documentation and all that with the lender was submitted fine without one. And my broker didn’t need one (we used email after our first in-person visit). But once I logged in to manage the mortgage (after a few payments already) it insisted on a number. I put in a null number and it was fine.
This only became a problem when the mortgage was paid off last year and despite getting emails about it, I got a registered letter saying they must talk to me and that I haven’t been answering my phone. So I call them as instructed and it was just a “you’re done. We’ll be mailing you documents to send to your insurer. Thanks for your business.”
FWIW: I’ve never personally owned a land line. The last time I ever lived somewhere with one was 19 years ago.
dlcarrier 9 hours ago [-]
My bank's two-factor authentication system lets the user select the communications method before logging in, so I set my phone number to a 555 exchange, making it invalid, and it hasn't caused any trouble. A teller did once notice it, but agreed it was a good idea.
There's no way the legal system could require a phone number, because the government overplays their support for the homeless, and being able to work with people that don't have phone numbers is a big part of that.
latchkey 16 hours ago [-]
Even worse is that a lot of these services block the google voice VoIP numbers, so you can't even get away with that.
dlcarrier 9 hours ago [-]
That's what I do use, when a phone number is needed. The only place that seemed to notice was OpenAI, but my GPU has 16 GB of RAM, so I run all my inferencing locally, using open models, which is a good idea anyway.
The bigger problem with Google Voice is that Google's email gateway for SMS is awful. It cuts off outgoing messages after two carriage returns, strips out single carriage returns, and won't send me group messages, instead sending me a link to the message, and even that only rarely, usually not even notifying me that I received a group message.
I've found a few alternatives, and I wouldn't mind paying a few dollars a month for one, but every one I've looked into requires I upload a copy of my photo ID, and I'm definitely not going to do that.
mjevans 15 hours ago [-]
Which is crazy, since that's the only service that even PARTLY filters some of the insane level of spam that gets sent to my unused prepaid number that everyone contacting is clearly an automated spambot.
jkestner 15 hours ago [-]
Imagine if they could block the banks of numbers that bad actors use.
jacquesm 14 hours ago [-]
This is one of the more annoying things I'm dealing with at the moment. Some bad actor (a Belgian company called Voxbone) that has thousands of numbers in NL keeps calling me with all kinds of obviously scammy proposals. They're abusive, rude and just won't get lost and they just keep switching to new numbers.
hyperman1 12 hours ago [-]
That's what it is? As a Belgian, I've got these calls for a few months now, from France or the Netherlands. Some robotic French female voice says something incomprehensible, then the call stops. Got about 8 of these in the last 2 months. I assumed this was mostly a US problem, but it appears over here now.
reaperducer 13 hours ago [-]
This can't be happening.
There are easily hundreds of comments on HN from people in Europe who assure us all that this is solely an American problem, and that it never happens anywhere else.
krisbolton 16 hours ago [-]
Top tier state-sponsored actors don't need backdoors, their skill, resources, and persistence mean they can penetrate almost any system. Ascribing this to mandatory backdoors distracts from the fact we need to improve cyber resilience and build better offense.
Reading the Atlantic Council's recent paper on what the US can do to counter the system China has created which funnels exploits to their government shows how mismatched the West is versus China. Paper here: https://www.atlanticcouncil.org/wp-content/uploads/2025/06/C...
zargon 15 hours ago [-]
I think your point is we need deeper security improvements than only patching back doors. But it does come across like saying “hackers don’t need to guess passwords to get in, therefore just use hunter2.”
wakawaka28 9 hours ago [-]
If they don't NEED them, why do they always DEMAND them? The fact is that mandatory backdoors makes things easier for attackers. Counter offensive capabilities do not cancel out defensive vulnerabilities. Once your data is gone or your personnel killed, there's no taking it back.
hammock 15 hours ago [-]
You are being downvoted by anti-backdoor people, which is fine, but you highlight an interesting new facet of the discussion:
How do we build a functioning world where secrets are not required? By this I don’t mean “everyone behaves good and therefore has nothing to hide/fear” but rather, how do we function in a world in which secrets are simply not possible?
ptero 15 hours ago [-]
It is not black and white. There is a continuum of difference between my whole life being discoverable by a targeted effort of a major state (for which there were always very few defenses) and "we have no privacy" world where my whole life is being easily seen by anyone: employers, coworkers, neighbors, potential dates, etc.
I think sliding down towards "I have no privacy" end of the spectrum is bad for both the citizens and the society. Stopping this slide is a worthwhile goal. My 2c.
hammock 12 hours ago [-]
Yes
lazide 14 hours ago [-]
Generally? Lots and lots of lying and bullshit, so people stop knowing or caring what the actual truth is as long as people do x specific thing they need.
impossiblefork 14 hours ago [-]
What do you mean, 'secrets are not possible'? You can still have secrets, you just stop writing things down, stop talking and literally start whispering or using other anti-eavesdropping techniques.
hammock 12 hours ago [-]
It’s a thought experiment, as I observe that it is becoming harder and harder to have secrets. Even your examples (whispering, speaking behind a closed wall, even private thoughts) are either no longer safe or have promising technology being actively developed to counter them
christophilus 15 hours ago [-]
Locally.
mensetmanusman 15 hours ago [-]
Computers can never be 100% secure. It’s just a matter of how many zeros one is willing to spend, especially when physical access to the hardware is so easy (for nation states).
JumpCrisscross 14 hours ago [-]
> when physical access to the hardware is so easy (for nation states)
So where is our deep, persistent infiltration of China?
tlb 14 hours ago [-]
Unknown to the public. The NSA doesn't announce when it has pwned other countries (except sometimes much later) and China doesn't reveal intrusions the way US agencies and companies are required to.
everybodyknows 6 hours ago [-]
A few years back the whole US humint network in the PRC was lost, agents killed, due to use of antiquated security tech.
wakawaka28 9 hours ago [-]
They can be close enough to 100% as you like. Even if that was true, it does not excuse the morons who built the stuff for easy spying instead of reasonable security.
beeflet 14 hours ago [-]
>Computers can never be 100% secure.
This is ridiculous defeatism. You are going to need more 0's than exist in the global economy to crack many cryptosystems.
bongodongobob 14 hours ago [-]
I don't need to crack crypto, I just need to find an admin that can be blackmailed.
beeflet 13 hours ago [-]
Then design the system so that there is not a single source of administrative failure.
breppp 13 hours ago [-]
and also make sure to design a system without any bugs
beeflet 9 hours ago [-]
You should look into cryptography. It actually is possible to design open systems provably without bugs or single sources of failure. It's possible to build mechanisms of plausible deniability that are largely immune to rubber-hose attacks.
It's also possible to design systems with an intermediate level of security. With your attitude, you might as well leave your house unlocked because any competent locksmith could break in.
breppp 3 hours ago [-]
I am aware of cryptography, but how does strong cryptography prevent these?
You only need to spend barely 7 zeros to defeat any organization in the world. About half of a single tank to defeat any commercial IT system no matter how much they spend on “security”.
beeflet 14 hours ago [-]
Then let them spend it instead of giving your data away for free
Veserv 13 hours ago [-]
That is what they did. Salt Typhoon is what they got. This will continue to happen until critical software systems are secure against state actors and requires tens to hundreds of billions of dollars to compromise instead of millions to tens of millions (in the hardest cases).
busterarm 13 hours ago [-]
It's a lot cheaper to just kidnap and interrogate someone with the access you need.
And that's only if blackmail didn't work.
beeflet 13 hours ago [-]
Okay then make them do that instead of giving your data away for free
loteck 14 hours ago [-]
Any discussion of Salt Typhoon should start with the unusual fact that it is still an active and uncontained incident, despite having been widely revealed in 2024. Typically we are accustomed to discussing lessons learned during a post mortem. This particular mortem has not yet posted. We are still owned and data continues to be compromised.
Man, good thing Doge and MAGA gutted 30% of that agency[1]. We certainly don't need a bunch of bureaucrats doing (checks notes) cybersecurity and infrastructure security right now.
I mean, clearly they weren't very effective anyway.
conception 14 hours ago [-]
So we definitely should just give up and not do anything instead. That makes sense.
beeflet 14 hours ago [-]
Yeah, defund the government spying apparatus if it isn't useful
overfeed 10 hours ago [-]
Are you arguing for entirely dismantling the government's counter-espionage apparatus because it's not 100% effective? China would love that.
beeflet 9 hours ago [-]
How effective is it?
qnleigh 15 hours ago [-]
These were intrusions into private companies.
beeflet 14 hours ago [-]
So what is funding the government going to do then? At some point you have to make people responsible for their own computer systems.
mensetmanusman 15 hours ago [-]
Agencies aren’t allowed to fix private company security.
mullingitover 13 hours ago [-]
Really? CISA isn't allowed to work with any private companies on a problem that impacts critical infrastructure and thus national security? Do you have any sources for this claim?
Nobody's saying that CISA would break down Verizon's doors and go to their keyboards and start pushing commits, but they sure as hell are working with the telecom industry.
> What this really underscores is that what the PRC is doing through these proxy actors is really reckless and unbounded, in a way that is significantly outside of the norms of what we see in the espionage space,"
What norms is he referring to?
Telemakhos 17 hours ago [-]
Given that the US intelligence community, with PRISM and Upstream and the like, hoovers up all the world's communications, I think the "norms" must be "nobody except the US was able to do this until now." Now China has shown that it can compete in the same space.
hammock 15 hours ago [-]
Western intelligence plus Israel*
And yeah pretty much. I don’t know anything about anything but it feels like there is a hierarchy (norm? At least what they are trying to enforce) of US > Five Eyes > other Western Intel (France, etc) > Pakistan/Russia/Etc > China/North Korea/Iran; and Israel falls somewhere in that mix as a maverick. Of course in practice it doesn’t work out this way.
That’s NSA equivalent. But the point still stands - do you know the names of the agencies off the top of your head? I had to look them up on wikipedia, and they’re still pretty easy to forget about.
Dylan16807 14 hours ago [-]
How are you defining West here? If we go by the international date line they're not all that far away and if you zag left as you go further south it works quite well. You need a similar shape on the other side too to get Europe but exclude Africa, so it makes for a pretty reasonable cut of the planet overall.
It's a tilted west.
Dylan16807 11 hours ago [-]
Oof people hate this comment.
Look, I know it's cultural much more than geographical. But Australia can easily be both. It's not actually a counterexample.
impossiblefork 13 hours ago [-]
It has very different values than the west.
Imagine if there were movements in Switzerland to move to certain areas to push out the speakers of some local dialect, and literally organized home-buying in groups to get them out?
nbngeorcjhe 17 hours ago [-]
He's referring to the norm that only the American government is allowed to conduct unlawful mass surveillance of American citizens. Who do these Chinese think they are???
kevindamm 14 hours ago [-]
Indiscriminate targeting. It's clarified at the end of that paragraph, and was part of the article's lead-in:
"There's a thought among the public that if you don't work in a sensitive area that the PRC might be interested in for its traditional espionage activities, then you are safe, they will not target you," [deputy assistant director for the FBI's cyber division] said, during a Thursday interview with The Register. "As we have seen from Salt Typhoon, this is no longer an assumption that anyone can afford to make."
BlueTemplar 8 hours ago [-]
That's an oxymoron : it's not targeting at this point.
(Some high value people do seem to be targeted for even more intensive spying.)
drob518 17 hours ago [-]
Yea, I wasn’t aware that there was a rule book for spies. I thought the only rule was “anything goes, but don’t get caught.” But perhaps I’m uninformed.
eviks 17 hours ago [-]
The ones that are in his head, just as soft, curvy, and flexible as the matter inside
toofy 17 hours ago [-]
do we have other sources for this other than just this government’s?
i absolutely believe it may have happened, but due to overwhelming and well documented history of lies from this regime, i’d feel like i was standing on more solid footing with this if we had some reputable 3rd party sources. ideally someone who is far away from the hysterical levels of partisanship our current leaders have planted themselves.
again, i’m not in denial that it couldnt have happened, it’s just that unfortunately i think it would be unreasonable to trust anything from this regime’s people. and to reiterate, they have a long and very well documented history of outright lying. not even typical politician half truths, but shoving it in our face lying.
Anecdote, but I have a friend in cybersecurity in Australia, and he was telling me a few months ago that China basically has almost all the data they could want on almost all of the US.
kogasa240p 16 hours ago [-]
And of course the only thing that the US government will do is double down on surveillance even harder.
Israeli government has current access to United States communications the same way China does.
Ms-J 10 hours ago [-]
This is what happens if you allow the government a backdoor into your messaging or communication systems.
Open source software doesn't have backdoors and it works fine for everyone.
user_7832 18 hours ago [-]
> This indiscriminate targeting, as the FBI and White House security officials have previously noted, allowed Beijing’s snoops to geo-locate millions of mobile phone users, monitor their internet traffic, and, in some cases, record their phone calls. Victims reportedly included President Donald Trump and Vice President JD Vance.
Welp... that's quite a capable piece of surveillance.
I imagined it involved tapping to cell towers/cell infrastructure, but the details at the wikipedia page [1] suggest servers were hacked instead? Did they hack AT&T servers or something?
Side note, are there any ways to not get your data stolen in such cases? I would imagine using only a VPN might help, but if they're getting data from triangulation you couldn't do much short of turning off your phone, right?
Almost as if having GDPR to keep at least the worst of the data-brokering/selling industry out is a good thing.
The more detailed report someone posted does sound like this was hacked at the source, but a lot of the data can be bought legally on the open, not-even-too-grey market. Some journalists bought one of the location data sets and used it to demonstrate that you can identify intelligence agency employees from it (if someone spends almost every workday at one site belonging to the agency, occasionally visits the other one... the other place that "anonymous" user spends a lot of time at is likely the home of an intelligence agency employee).
If the industry wasn't selling it to anyone who asks, they'd still likely keep it in easily hacked places.
MSFT_Edging 17 hours ago [-]
Having any piece of the "Data Broker" industry not completely dismantled is not only a security risk but an affront to humanity.
fsagx 16 hours ago [-]
> Victims reportedly included President Donald Trump and Vice President JD Vance
I wish the journalist had been a little cheeky and tried to get a quote from Angela Merkel.
oasisbob 15 hours ago [-]
I live in a state, Washington, with mandatory breach reporting and notifications.
Haven't seen anything from this. Any idea why? Low compliance in general? Telcos think they're big enough to ignore state regs?
phyzome 17 hours ago [-]
Presumably this includes SMS-based MFA codes.
mrtesthah 17 hours ago [-]
Salt Typhoon used govt-mandated backdoors to spy on Americans. As a result the govt told Americans to use Signal rather than rely on the phone system.
>The FBI and CISA raised the alarm two months after The Wall Street Journal reported that hackers linked to the Chinese government have broken into systems that enable U.S. law enforcement agencies to conduct electronic surveillance operations under the Communications Assistance for Law Enforcement Act (CALEA).
>"These are for legitimate wiretaps that have been authorized by the courts," Hong says. But in hackers' hands, he says, the tools could potentially be used "to surveil communications and metadata for lots of people. And it seems like the [hackers'] focus is primarily Washington, D.C."
DrillShopper 17 hours ago [-]
Just like they were warned repeatedly and loudly by the cypherpunks and anybody who had two functioning brain cells to rub together.
mensetmanusman 15 hours ago [-]
China pwned nearly every Chinese as well. The CCP can only kill American spies operating in China with this information.
hungmung 14 hours ago [-]
China has secret police operating in America right now.
ForOldHack 5 hours ago [-]
They have been here since before Nixon.
hereme888 15 hours ago [-]
Once upon a time, problems like these were solved with definitive measures; cut the cable, or send a bullet.
But state-sponsored cyber-war and other such aggressions are now considered normal daily life. Just as bad, U.S. MSM rarely reports American aggression towards others.
narrator 14 hours ago [-]
I think one unprecedented thing about how China operates is every single company is like a private military contractor with letters of marque and reprisal to do whatever the heck they feel like in the name of CCP world dominance. As long as it's patriotic, you can do absolutely whatever the heck you want to the other guys. Harvest their organs for profit, sabotage major infrastructure, hack absolutely everything, fund and supply and launder money for fentanyl production, etc. The kinds of things only the dirty tricks department of intelligence agencies are allowed to do in Western countries that they get called out and scandalized about when people find out about that.
Likewise, if you're Jack Ma and they don't like what poem you quoted, all your stuff is now theirs and there aren't any silly laws to protect yourself. Absolutely 100% goal oriented to the steady increase in power of the communist party and absolutely no higher principles apply.
jofla_net 13 hours ago [-]
Realpolitik
almostbasic 6 hours ago [-]
Is anyone really surprised?
paulvnickerson 11 hours ago [-]
I just hope the NSA is better at this than they are.
CyberDildonics 8 hours ago [-]
If an "FBI cyber cop" says "pwned" you know it's serious.
roscas 19 hours ago [-]
Meanwhile in Europe, dumb politics do nothing to stop USA and PRC spying.
The ban on anti-social networks for under-16s is a good start, but it does not fix smartphone or telecommunication spying.
Banning Twitter, TikTok, Facebook and many others is a must.
impossiblefork 13 hours ago [-]
This is one of the most humiliating aspects of living here:
That the government is unwilling to genuinely protect its own interests, for example, by preventing ordinary people's data from leaking abroad or ensuring real internet privacy, because without these things we are so unbelievably vulnerable, not just to influence operations designed with this data, but they'll know literally the whole economic structure of the EU, how many people work where, where a particular person works, etc.
They're not even preventing foreign countries from getting access to bank transactions.
When they're denied they cry terrorism, but reality is that if you have this knowledge you can say 'Oh, impossibleFork just moved to X, and he's an expert in Y, he's probably doing Z and W. Let's hire some guys to try the exact same thing, so that it'll be a business here instead of there'.
I don't understand how a government can expect the country it governs to have an economy when it allows this kind of data leakage.
ronsor 17 hours ago [-]
Don't think that'll stop the NSA/CIA or CCP hackers much.
roscas 16 hours ago [-]
It does not stop, that is correct. But it is a first important step to start breaking some bad ones.
nickslaughter02 18 hours ago [-]
[flagged]
bilbo0s 17 hours ago [-]
Hey, do what you have to do.
We will.
Can't speak for every American, but I won't take offense. It's our job to protect our infrastructure, corporations and data. Not at all the responsibility of Europe, India or China. It's your job to protect yours.
webdoodle 11 hours ago [-]
Ditched my phone 5 years ago, guess I'm one of the few Americans unaffected.
alcide 10 hours ago [-]
What were your motivations? How has this impacted your daily life? I’m curious to know anything you are willing to share.
idiotsecant 16 hours ago [-]
It turns out blowing a giant hole in your security model so that uncle sam can spy on your users also makes it easier for bad guys to spy on your users! Shocking!!
China is the last group we should blame for this. Our government did this to us and must be held accountable or this will happen again, and again, and again.
16 hours ago [-]
baq 16 hours ago [-]
how is this not a total shitstorm on twitter and in media is beyond me. nobody cares since nobody got hurt?
aydyn 15 hours ago [-]
Yes. Have you not yet learned that normal people don't care about privacy?
baq 14 hours ago [-]
Right. Until their nudes get leaked that is.
__turbobrew__ 13 hours ago [-]
And yet my bank still only supports SMS 2fa, god help us all.
metalman 16 hours ago [-]
For China a data set like this is only useful if it can be validated, which it seems from reading between the lines, they have/are doing.
The only use China has for this data set is to gauge a competitor's true capacity vs. their own capacity.
It is highly likely that this data set will not be used to access any individual's information in any way that could lead to a situation that then could be back tracked, and that the copy that China has is hermetically sealed off in some inner sanctum of the secret squirrels.
Any posture that China takes will use many other sources of information besides this one.
And of course, it's China's posture that has some strategists concerned right now, which is compounded by what looks like a perfect job, done completely online that has left a dead end trail, and zero proof of anything.
So classic spy craft, with no possibility of a hollywood movie.
gosub100 16 hours ago [-]
Why is it suddenly a problem when it's a foreign government?
kragen 10 hours ago [-]
Because it means the US probably can't win a ground or sea war against them.
fwip 15 hours ago [-]
Exactly. China can't do much with my data, compared to the US government or my insurance company.
mensetmanusman 15 hours ago [-]
They have skillfully used it for IP theft which OECD estimates is worth about $500B annually in lost revenue. Destroying the mechanism for R&D funding is actually a great strategy by China. Props
shigawire 14 hours ago [-]
Unnecessary, this administration destroys R&D funding on its own.
ForOldHack 5 hours ago [-]
They do not know what R and D is, let alone what it does. One guy bankrupted a casino and saluted a North Korean General, and the other tried to impregnate a couch.
christophilus 14 hours ago [-]
I’d prefer neither. But my prediction is that when we have a conflict with China, their digital access is going to be a game changer.
impossiblefork 13 hours ago [-]
Business requires security. If you can do anything physical in the US, or in Europe etc. then you must be doing something so clever that secrecy is warranted.
737min 19 hours ago [-]
A better title would be “Chinese Communist Party” or “China” pwned nearly every American… This is a state, not a school computer club.
Citizen8396 17 hours ago [-]
"Salt Typhoon" specifically refers to Microsoft's observations of malicious activity, which they believe to be associated with the Ministry of State Security.
They are obviously different from other official Chinese components, and the private sector actors that support them. The distinction is also made because other firms sometimes have differing assessments and visibility.
MSFT_Edging 17 hours ago [-]
More like "US government demands doors be left unlocked, Chinese Communist Party walked in"
mensetmanusman 15 hours ago [-]
US government demands doors exist. CCP finds keys.
MSFT_Edging 12 hours ago [-]
and Technologists scream "we told you not to install the doors!"
2OEH8eoCRo0 17 hours ago [-]
Then it would be flagged removed for having forbidden words in the title.
knotimpressed 16 hours ago [-]
Titles can’t contain “China”?
ivape 14 hours ago [-]
I honestly don't believe China is doing something that America itself didn't start. The US did this too most likely.
voidfunc 18 hours ago [-]
Oh goodie
Here's some context for "LI" for those interested: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9...
So how would a simple MD attack affect me? Any sort of CALEA attack on a higher protocol layer (e.g. compromising Gmail at Google instead of capturing their traffic) would make sense, but not a pcap.
edit these network devices probably also carry voip/voice trunks from enterprise and possibly carriers such as VZW. No telling if those are encrypted or not. If China is able to tap that using these CALEA systems, I could see how that would be a big deal for stealing IP/secrets.
While for foreign citizens you can pretty much capture anything at will, without any need for FISA or warrants
Does anyone here think even a decent portion of government officials are tech literate? (I'm not even convinced half of Hacker News or half of programmers are tech literate! Instead only have basic literacy and high confidence) There's a few, but I'm not convinced it's that many. The vast majority of Congressmen don't even have an aide who specializes in tech. So do you think it takes any more than someone at the NSA saying "it's encrypted and only we can access it" for them to believe in this magic key? (And this is something we've seen NSA officials say)
Remember, in the senate only 12 members are under 50, 33 are 60-69, and 33 are over 70! In the house 20% are over 70, 43% over 60, and 70% over 50. Only 8% are under 40. Almost none of these people have ever programmed. Just think about how tech illiterate the average 20 year old is (even worse on a technology subreddit!) and we're talking about.
Come on guys. It's a choice between stupid old people and hyper intelligent deep state actors that are acting idiotically. I'd put money on aliens before I'd put money on the latter.
What they also told me is that most of the expert advice tends to come through lobbying. Or "industry relationships" as he put it while using air quotes. It's a budgeting problem, not just that it is hard to get a competent tech aide at such a low salary but even just a handful of domain expert aides in the first place.
And IIRC most of those people who used to work for the NSA now work at private firms like the NSO group, which is pretty scary when you think about it. It's hard to blame them though, if I was being offered the amount of money they were given, I would probably take it as well.
I recommend the book 'This Is How They Tell Me the World Ends' by Nicole Perlroth, it gives some good insights into what is going on behind the scenes (though with some of the major events which have happened since it was published some things may be outdated. Either way it's a good read.)
They haven't forgotten their offensive operations, they never knew about it or never cared.
Hey, I'll bet you never look at that WiFi-"enabled" power bank or HEPA/AC unit again the same way (or my favorite AI response du jour "Some Chinese scooters come with a microphone integrated into a GPS tracker or helmet, while others can be customized with aftermarket solutions. There is no single model called "Chinese scooter with microphone," but rather multiple products and approaches that fit this description.") Errbody worried about the talking LLM parrot AI and your vehicle dashboard always listening (or even watching), but that's not the most serious threat we face now.
Here [1] is one example of a couple Chinese police in NYC but I can not find the links to the groups in Los Angeles.
[1] - https://www.pbs.org/newshour/politics/2-men-arrested-on-char...
IIRC the standard at the time was to enable intercepting up to 3% of traffic, without the surveillance target of course knowing, but also without their carrier knowing. Law-enforcement agencies used LI consoles on their own premises to order intercepts.
So it's not that lawful intercept was particularly easy to hack, it's that once it's compromised, detecting that it's being used nefariously is especially difficult. I would question whether anyone knows for sure when the compromise began, and how long it lasted.
This only became a problem when the mortgage was paid off last year and despite getting emails about it, I got a registered letter saying they must talk to me and that I haven’t been answering my phone. So I call them as instructed and it was just a “you’re done. We’ll be mailing you documents to send to your insurer. Thanks for your business.”
FWIW: I’ve never personally owned a land line. The last time I ever lived somewhere with one was 19 years ago.
There's no way the legal system could require a phone number, because the government overplays their support for the homeless, and being able to work with people that don't have phone numbers is a big part of that.
The bigger problem with Google Voice is that Google's email gateway for SMS is awful. It cuts off outgoing messages after two carriage returns, strips out single carriage returns, and won't send me group messages, instead sending me a link to the message, and even that only rarely, usually not even notifying me that I received a group message.
I've found a few alternatives, and I wouldn't mind paying a few dollars a month for one, but every one I've looked into requires I upload a copy of my photo ID, and I'm definitely not going to do that.
There are easily hundreds of comments on HN from people in Europe who assure us all that this is solely an American problem, and that it never happens anywhere else.
Reading the Atlantic Council's recent paper on what the US can do to counter the system China has created which funnels exploits to their government shows how mismatched the West is versus China. Paper here: https://www.atlanticcouncil.org/wp-content/uploads/2025/06/C...
How do we build a functioning world where secrets are not required? By this I don’t mean “everyone behaves good and therefore has nothing to hide/fear” but rather, how do we function in a world in which secrets are simply not possible?
I think sliding down towards "I have no privacy" end of the spectrum is bad for both the citizens and the society. Stopping this slide is a worthwhile goal. My 2c.
So where is our deep, persistent infiltration of China?
This is ridiculous defeatism. You are going to need more 0's than exist in the global economy to crack many cryptosystems.
It's also possible to design systems with an intermediate level of security. With your attitude, you might as well leave your house unlocked because any competent locksmith could break in.
https://www.heartbleed.com
https://www.blackduck.com/blog/understanding-apple-goto-fail...
And that's only if blackmail didn't work.
https://www.theregister.com/2025/08/28/china_salt_typhoon_al...
[1] https://archive.is/20250603190111/https://www.axios.com/2025...
Nobody's saying that CISA would break down Verizon's doors and go to their keyboards and start pushing commits, but they sure as hell are working with the telecom industry.
What norms is he referring to?
And yeah pretty much. I don’t know anything about anything but it feels like there is a hierarchy (norm? At least what they are trying to enforce) of US > Five Eyes > other Western Intel (France, etc) > Pakistan/Russia/Etc > China/North Korea/Iran; and Israel falls somewhere in that mix as a maverick. Of course in practice it doesn’t work out this way.
Reminds me of the recent news that the US will ban Chinese components from undersea cables, globally: https://asia.nikkei.com/content/99550c9ade243fe057e8a2ba6f29...
Objecting to calling Israel the west is at least as weird as including it in the context of this conversation.
It's a tilted west.
Look, I know it's cultural much more than geographical. But Australia can easily be both. It's not actually a counterexample.
Imagine if there were movements in Switzerland to move to certain areas to push out the speakers of some local dialect, and literally organized home-buying in groups to get them out?
(Some high value people do seem to be targeted for even more intensive spying.)
i absolutely believe it may have happened, but due to overwhelming and well documented history of lies from this regime, i’d feel like i was standing on more solid footing with this if we had some reputable 3rd party sources. ideally someone who is far away from the hysterical levels of partisanship our current leaders have planted themselves.
again, i’m not in denial that it couldn't have happened, it’s just that unfortunately i think it would be unreasonable to trust anything from this regime’s people. and to reiterate, they have a long and very well documented history of outright lying. not even typical politician half truths, but shoving it in our face lying.
https://www.verizon.com/about/salt-typhoon-matter-update
1 - https://en.wikipedia.org/wiki/Salt_Typhoon#Methodology
https://www.npr.org/2024/12/17/nx-s1-5223490/text-messaging-...