Subject: Re: OT: Much Satellite Traffic Is Unencrypted
A shockingly large amount of sensitive traffic is being broadcast unencrypted, including critical infrastructure, internal corporate and government communications, private citizens’ voice calls and SMS, and consumer Internet traffic from in-flight wifi and mobile networks.

As they say, the "S" in "IOT" stands for security.

There's no doubt this applies to Berkshire because of its NG pipeline and electrical transmission infrastructure, and has for a while.

SMS is always unencrypted to my understanding, satellite or not. You may have a phone that made you migrate to RCS or use iMessage, and that's one of the reasons why there's been a push to retire the protocol; particularly given how much of multi-factor authentication is access codes sent over text messages. As long as the in-flight wifi wasn't MITM'ed (i.e., intercepted between the browser and the TLS termination point) a passenger would be okay.

Until financial liability for consequential damage is the responsibility of the vendor

I'm willing to take it to another board related to information security, but I very mildly disagree with you. I think businesses should be insured for liability, and - like safe deposit boxes in banks - be liable only in the case of negligence. I've usually heard threat actors like this described as advanced persistent threat groups (APTs), so if I use that acronym, that's what I mean.

This does sound like a nation state APT and I would not be worried about your bank. They generally are not interested in robbing anyone, but are conducting espionage or establishing influence. Much better to get financial or medical records and find who is pliable with bribes, dating site records to see who might have something to hide, or strategic industrial companies for planning or design files. There are criminal APT groups that are capable of this, but I suspect they'd have used it already, or were in the business of selling the exploits to the nation state APTs.

Most worthwhile systems are regularly patched and defended in depth, so the gaps between the discovery of a vulnerability, the discovery of the exploit of the vulnerability, and public disclosure and remediation are most interesting. This access seems like it would have been extraordinarily valuable for the gap between the 2nd and 3rd events. There are a lot of BIG-IP devices, and being aware of vulnerabilities in the time between F5 being notified and F5 developing and delivering patches would be valuable to many intelligence agencies.

Most of our greatest assets are mostly being not so interesting, at a nation-state level.