Malicious SS7 activity and why SMS should never be used for 2FA

bzs at theworld.com
Mon Apr 19 23:46:11 UTC 2021


Can I make an old f*** comment on all this?

We didn't design this network to be highly secure.

It's general enough that security can be layered on at various places.

But when you get down to it, it was mostly designed to get information
flowing easy, fast, and freely. Not to lock it down or provide strong
accountability, authorization, and authentication.

Look at RFCs prior to about 1990, security's hardly considered beyond
an occasional login/password scheme or MITM packet injection.

It was designed to be very cheap to implement and deploy at least in
part because it was designed and implemented on frugal academic
budgets.

And to share those implementations or roll your own because the specs
(RFCs etc) were published free.

Then people, corporations by and large, came along and realized they
could use the net to make many zillions of dollars if only it were
secure.

IF...ONLY!

Did anyone promise them that?

And no one ever really figured out how to make it secure beyond some
superficial attempts like adopting login/passwords, wire encryption
(SSL etc.), 2FA, MITM avoidance, etc. none of which were really part
of some well thought out, engineered scheme. Just some new doo-dad to
toss on hoping that maybe this will be good enough. It wasn't.

Now, when their sites are compromised, when they lose gazillions of
dollars to ransomware, when 100M records walk out the door, whatever,
they put on the big sad face and imply they were let down and *they*,
someone else, some gearheads, need to try harder. They're terribly,
terribly disappointed.

What a great con job, try to shame someone else into solving your
problems for you basically for free.

If they want to protect trillions of dollars in assets maybe they need
to toss in a few billion to help, and stop hoping some bad press for
the technical community will shame some geniuses into dreaming up
better security for them mostly for free, in terms of research and
specs and acceptance, but that's the hard part.

You know what the net did successfully produce, over and over? Some of
the wealthiest individuals and corporations etc in the history of
civilization. Maybe the profit margins were a little too high and now
we're paying the price, or someone is.

It's like my aged, now gone, adviser who'd worked in software going
back to the 50s said about the Y2K problem at that time: It's not that
we couldn't anticipate Y2K problems. It's that we never dreamed the
cheap bastards would still be running the same exact software without
any updates or review for forty years!

-- 
        -Barry Shein

Software Tool & Die    | bzs at TheWorld.com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*

