Source

For as long as law enforcement has sought a way to monitor people's conversations—though they'd only do so with a court order, we're supposed to believe—privacy experts have warned that building backdoors into communications systems to ease government snooping is dangerous. A recent Chinese incursion into U.S. internet providers using infrastructure created to allow police easy wiretap access offers evidence, and not for the first time, that weakening security for anybody weakens it for everybody.

Subverted Wiretapping Systems

"A cyberattack tied to the Chinese government penetrated the networks of a swath of U.S. broadband providers, potentially accessing information from systems the federal government uses for court-authorized network wiretapping requests," The Wall Street Journal reported last week. "For months or longer, the hackers might have held access to network infrastructure used to cooperate with lawful U.S. requests for communications data."

Among the companies breached by the hacker group, dubbed "Salt Typhoon" by investigators, are Verizon, AT&T, and Lumen Technologies. The group is just one of several linked to the Chinese government that has targeted data and communications systems in the West.

While the Journal report doesn't specify, Joe Mullin and Cindy Cohn of the Electronic Frontier Foundation (EFF) believe the wiretap-ready systems penetrated by the Chinese hackers were "likely created to facilitate smooth compliance with wrong-headed laws like CALEA." CALEA, known in full as the Communications Assistance for Law Enforcement Act, dates back to 1994 and "forced telephone companies to redesign their network architectures to make it easier for law enforcement to wiretap digital telephone calls," according to an EFF guide to the law. A decade later it was expanded to encompass internet service providers, who were targeted by Salt Typhoon.

"That's right," comment Mullin and Cohn. "The path for law enforcement access set up by these companies was apparently compromised and used by China-backed hackers."

Ignored Precedents

This isn't the first time that CALEA-mandated wiretapping backdoors have been exploited by hackers. As computer security expert Nicholas Weaver pointed out for Lawfare in 2015, "any phone switch sold in the US must include the ability to efficiently tap a large number of calls. And since the US represents such a major market, this means virtually every phone switch sold worldwide contains 'lawful intercept' functionality."

Two decades ago, that mandatory wiretapping capability was subverted by hackers targeting Vodafone Greece. They intercepted phone conversations of the country's prime minister and high political, law enforcement, and military officials, among others.

Which is to say that nobody appears to have learned anything between the 2004 hacking of government-mandated wiretapping capabilities at a Greek telecom and the 2024 hacking of government-mandated wiretapping capabilities at U.S. internet service providers. Well, unless we're counting the Chinese hackers. They seem to have learned quite a bit from the earlier experience.

It should be needless to say, but let's say it anyway: this was all predictable and preventable.

'The Problem With Backdoors'

"The problem with backdoors is known—any alternate channel devoted to access by one party will undoubtedly be discovered, accessed, and abused by another," David Ruiz of the internet security firm Malwarebytes Labs wrote in 2019. He noted that cybersecurity researchers had been making that argument for years. They've been repeating themselves for years because their warnings appear to fall on deaf ears.

Even some believers in backdoors on specific devices concede that building wiretapping into whole communications systems is too dangerous to contemplate. A 2019 paper from the Carnegie Endowment for Peace's Encryption Working Group thought "some forms of access to encrypted information, such as access to data at rest on mobile phones, should be further discussed," but cautioned that compromising the security of what it called "data in motion" (communications networks) "would create a massive target for criminal and foreign intelligence adversaries."

Such foreign intelligence adversaries, for instance, as hackers sponsored by the Chinese government to penetrate U.S. internet firms.

So, just how dangerous was the Salt Typhoon hack?

'A Potentially Catastrophic Breach'

"The widespread compromise is considered a potentially catastrophic security breach," adds The Wall Street Journal. "It appeared to be geared toward intelligence collection."

China's state-sponsored hackers are continuously targeting U.S. infrastructure, including water-treatment facilities and the electricity grid. They've also penetrated pipeline systems. "The PRC's targeting of our critical infrastructure is both broad and unrelenting," FBI Director Christopher Wray warned in April, referring to the People's Republic of China.

The U.S. Cybersecurity and Infrastructure Security Agency cautions that "PRC state-sponsored cyber actors are seeking to pre-position themselves on information technology (IT) networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States."

And yes, the U.S. government is probably returning the favor by hacking systems in China and elsewhere. But that will be cold comfort if the lights go out here because the feds essentially rolled out the red carpet for foreign infiltration of American networks.

The debate over information security has raged for years with people like Edward Snowden pointing out that law enforcement agencies can't be trusted with access to our communications, or to abide by the rules that theoretically define when and how they can snoop. Now we know that they aren't competent custodians of wiretapping systems that privacy advocates warned were open invitations to bad actors.

Salt Typhoon may have done enormous damage to American security by penetrating internet systems relied on by private individuals, businesses, utilities, and government agencies. If it leads to the end of government-mandated backdoors that offer easy access to hackers, some good could come of this.

The post Chinese Hackers Used U.S. Government-Mandated Wiretap Systems appeared first on Reason.com.

Microsoft is in the midst of a deal that would bring the infamous Three Mile Island nuclear power plant back to life, according to reporting by The Washington Post. If the name sounds familiar, it’s because the Pennsylvania plant was home to a partial meltdown of one of its reactors back in 1979.

The deal would make Microsoft the plant’s sole customer for 20 years, meaning it’ll hoover up 100 percent of the power all for itself. Why does the company need so much juice? You can guess. It’s for AI, which is notoriously power hungry. Look, if it takes an entire nuclear power plant so we can ask Bing to whip up an image of Steve Urkel in space riding a skateboard, then we gotta do it. It’s the future… or whatever.

Let’s break it down further. If this deal is approved by regulators, Three Mile Island will provide Microsoft with enough energy to power 800,000 homes. Again, no homes will be getting that energy, but don’t worry. Microsoft will be able to hold a live streaming event to show off some ghoulish new AI video generation tools or something.

I know I’m coming off as a real troglodyte here, but there is a silver lining. This could help Microsoft meet its pledge to power AI development with zero emissions electricity. It’s not as if these companies would give up on AI if there wasn’t a decommissioned nuclear power plant sitting around, so this move could help alleviate some of the strain that’s already being placed on our power grid due to ye olde artificial intelligence.

If approved, this would be a first-of-its-kind deal for a couple of reasons. A commercial power plant has never worked exclusively for one client before. It’ll also be the very first time a decommissioned power plant has come back online. It’s worth noting that the plant shut down five years ago for economic reasons, which has nothing to do with the partial meltdown from 1979. The current plan is for it to resume operations by 2028.

“The energy industry cannot be the reason China or Russia beats us in AI,” said Joseph Dominguez, chief executive of Constellation, the company that owns the plant. I’d take his jingoistic language with a grain of salt, however, as Constellation stands to make an absolute boatload of cash from this deal.

Let’s do some math. Yearly profits from a nuclear power plant averages $470 million. Microsoft will be the exclusive buyer of this energy for 20 years, which totals $9.4 billion. Constellation is spending $1.6 billion to get the plant going again, along with federal subsidies and tax breaks provided by the Inflation Recovery Act. This leaves $7.8 billion in sweet, sweet profit. That’s just a guesstimate, but you get the gist. The company does promise $1 million in "philanthropic giving to the region" over the next five years. That's $200,000 a year.  

This isn’t a done deal. There are many regulatory hurdles that Constellation will have to jump over. This includes intensive safety inspections from the federal Nuclear Regulatory Commission, which has never authorized a plant reopening. There’s also likely to be an inquiry into those aforementioned tax breaks, as all of the energy is going to one private company and not serving entire communities. But come on. Steve Urkel on a skateboard in space.

On the plus side, Constellation will need around 600 employees to run the plant, according to the New York Times. Jobs are good. Also, the company says it won’t be seeking any additional subsidies from Pennsylvania. The Palisades nuclear plant in Michigan is also looking to reopen for business, but it plans on servicing the local grid and not the gaping maw of AI.