Comment by lxgr
5 months ago
Was there any specific bad design?
As far as I understand it, it's more of the lack of a design (for authentication) that got us into all that trouble, similar to BGP, Email, and many other protocols that were originally designed with trusted counterparties in mind.
It just so happened that the illusion of mutual trust broke down earlier in the Internet than it did in the international phone network. (Some even still believe in it to this day!)
The problem was that they didn’t want the extra hassle of verifying that senders owned the numbers they were announcing. In the earlier SS7 era that was manageable because all of the parties were major phone companies but VoIP opened up a wave of small fly-by-night players. Porting the system forward without recognizing that change in the security assumptions was recognized as a mistake in the early 2000s but the telephone companies saw preventing it as a cost which would also reduce their revenue from delivering all of that spam.