
Security of critical phone database called into question - ghosh
https://www.washingtonpost.com/world/national-security/security-of-critical-phone-database-called-into-question/2016/04/28/11c23b10-0c8d-11e6-a6b6-2e6de3695b0e_story.html?postshare=2121461890367505&tid=ss_tw
======
jpollock
Having written several of these systems, there is nothing special about this
software (NP databases). They maintain records of where a phone number is
homed, nothing else. There is more information in the white pages.

In fact, NP databases typically won't have access to all phone numbers
anyways, only those for customers who have changed providers. Everything else
would be covered by the default routing rules.

In the US, the central database is not involved in call control (I've never
seen a design that was). Since phone companies are very risk averse, they
don't generally allow software they don't control into the middle of their
interactions with the customer. Phone companies will have their own mirrors of
the database and purchase (typically bespoke, typically outsourced) systems to
perform the in-call lookups.

Reading up how the US works, it's an exception based system, with records only
for ported numbers [1]. A typical record will look like:

(408) 555 1212 -> (715) 555 1212

The destination number is not a phone number, and has the granularity of a
single switch. No names, or anything else.

I'm guessing this isn't about information leakage, because there's no
information to leak. This isn't about DOS because the national database isn't
involved in call control. This isn't about serving warrants either, it's
operated locally.

I can only imagine that this is a trade barrier masquerading as security,
since switch software is produced offshore, and that's riskier.

[1] [https://www.npac.com/number-portability/how-lnp-works](https://www.npac.com/number-portability/how-lnp-works)

------
koolba
> Now Telcordia, a Swedish-owned firm, is being compelled to rewrite the
> database computer code — a massive undertaking — to assuage concerns from
> officials at the FBI and Federal Communications Commission that foreign
> citizens had access to the project. These officials fear that if other
> countries gain access to the code, they could reap a counterintelligence
> bonanza, learning the targets of U.S. law enforcement and espionage
> investigations.

I hope they didn't use an open source database because otherwise the bad guys
will have access to that too!

Seriously, how stupid are the people in charge of this kind of thing if they
can't differentiate between programs and data? Now having a fear that there
may be back doors somewhere in there is a valid concern, but the answer to
that is sunlight on the code and layers of least privilege on the execution
environment.

~~~
throwanem
It's a federal project. How likely do you think it is that there'll be no
vulnerabilities which a review of the source code could expose?

------
ickwabe
The "database computer code" they are talking about is not the actual database
software (e.g. oracle, postgres, or whatever). It's the proprietary code used
to keep the data in the database accurate, up to date, distributed, etc. And
the code used for communicating with the service providers, co-ops, LSMSs,
etc.

This may seem a small thing and may be somewhat conceptually similar to DNS.
But in reality it is an entire ecosystem of its own with complexities that
are not readily apparent. The incumbent (Neustar) has no obligation to share
its IP with Telcordia.

"The database is significant because it tracks nearly every phone number in
North America, making it a key tool for law enforcement agencies seeking to
monitor criminal or espionage targets."

This statement is potentially very misleading. The NPAC does not "live" route
telephone calls. The NPAC is the database of ported phone numbers and various
characteristics about them. The database is replicated to LSMS databases at
the service providers. When you make a call it does not route through the
NPAC. It routes through the service providers, period.

While the NPAC could be helpful to law enforcement for knowing which SP
manages a particular number and various other characteristics about that
number, it would not be helpful as some sort of one-stop shop for wire
tapping.

From the NPAC site: "LSMS (Local Service Management System): The system owned
by a service provider and which receives data broadcast from the NPAC/SMS. The
LSMS provisions the service provider's downstream systems, such as its LNP
call routing database. The LSMS is a mechanized system used (primarily) to
receive data broadcasts from the NPAC/SMS."
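
An added illustration, not taken from the article or from any real NPAC or LSMS implementation, of the two points made above by jpollock and ickwabe: the central database holds only number-to-switch (LRN) records for ported numbers, and call routing is done locally from a provider's replicated copy, so the NPAC is never on the call path. The class names, the `route` default-routing rule and all sample numbers are constructed for the example.

```python
# Constructed model of exception-based LNP routing (not real NPAC/LSMS code).
from dataclasses import dataclass, field


@dataclass
class Npac:
    """Central database: one record per ported number and nothing else.
    The value is a Location Routing Number (LRN) identifying the destination
    switch; there is no subscriber name or other data in the record."""
    ported: dict[str, str] = field(default_factory=dict)

    def port(self, number: str, lrn: str) -> None:
        self.ported[number] = lrn

    def broadcast(self) -> dict[str, str]:
        """Snapshot pushed to each service provider's LSMS."""
        return dict(self.ported)


@dataclass
class Lsms:
    """Provider-owned mirror used for in-call lookups."""
    mirror: dict[str, str]

    def route(self, dialed: str) -> str:
        # Exception-based: only ported numbers have a record. Anything else
        # falls back to default routing by NPA-NXX (area code + exchange).
        # The "+ '0000'" suffix is a constructed stand-in for the LRN of the
        # switch that owns that number block.
        if dialed in self.mirror:
            return self.mirror[dialed]
        return dialed[:6] + "0000"


def demo() -> tuple[str, str, bool]:
    npac = Npac()
    # A record like "(408) 555 1212 -> (715) 555 1000": number -> switch LRN.
    npac.port("4085551212", "7155551000")
    lsms = Lsms(mirror=npac.broadcast())
    ported_route = lsms.route("4085551212")    # hits the ported record
    unported_route = lsms.route("4085559999")  # default NPA-NXX routing
    # Losing the central database does not stop the provider from routing:
    # the LSMS answers from its own copy.
    del npac
    still_routes = lsms.route("4085551212") == ported_route
    return ported_route, unported_route, still_routes
```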

------
Matt3o12_
And I'm sure you can't pay an American to do those evil things foreigners
could do.

I mean, seriously, what could any person do to such a project? You can't add a
backdoor because your code gets reviewed (if it doesn't, then that's where you
should start worrying about the integrity of the program). Furthermore, I hope
that the programmers (foreign or not) do not have access to any real data.

~~~
secfirstmd
Who code reviews the code reviewers?.......

~~~
dsfyu404ed
There's this thing called a reputation. If you suck at your job you get a bad
one. A bad reputation gets you passed over for raises, promotions, jobs and
other opportunities for career advancement.

------
mxuribe
Perhaps I don't understand the number portability system enough, but it sure
sounds a bit like the DNS system (in that the number portability system is
used to refer queries to specific phone numbers). If I'm right, isn't the DNS
worked on by people who are not U.S. nationals? Ah well.

~~~
jlgaddis
Related: E.164 [0], if you're curious.

[0]: [https://en.m.wikipedia.org/wiki/E.164](https://en.m.wikipedia.org/wiki/E.164)

------
nxzero
Why is it okay for a foreign company to work on the project, but not foreign
nationals?

~~~
scintill76
> Seven other foreign citizens, including a British engineer, also worked on
> the project, although it was the Chinese engineer who raised red flags for
> officials.

Apparently it's OK if it's a Swedish company or there are British people
working on it, but not them Chinese!

------
mtgx
"Trust us with the backdoors and all the data we're collecting on you. They'll
be safe," they said.

------
awinter-py
> compelled to rewrite the database

is 'compel' a synonym for 'paid'?

~~~
jlgaddis
Not necessarily. See also "bribed", "extorted", "blackmailed", etc.

