So far, they have been tolerated by the Israeli government as they all went to the same schools, all did the armed forces service together, and all know each other. This allowed them to get a free pass so far. Privately, many of their ex-colleagues are very critical of their lack of ethics.
All this will change the day some of the NSO exploits are used against Israel, the same way some of the leaked NSA tools are now used in the wild.
Mossad, on the other hand, is a civilian intelligence service and I'm told there's a strong tradition that its members don't freelance their services after leaving.
"The Israeli Unit 8200 An OSINT-based study"
"Most of this data is shared internally across the IDF (as well as sometimes externally, cf. 3.3 below) to the Unit’s relevant stakeholders, whether combat troops, decision-makers or other intelligence agencies such as Mossad. Or as Yair Cohen, who served 33 years in Unit 8200, the last five (2001–05) as its commander, put it, "90% of the intelligence material in Israel is coming from 8200 […] there isn't a major operation, from the Mossad or any intelligence security agency, that 8200 is not involved in""
>"...Mossad, on the other hand, is a civilian intelligence service and I'm told there's a strong tradition that its members don't freelance their services after leaving..."
Tradition is not what it used to be:
"Black Cube: The Bumbling Spies of the ‘Private Mossad’"
"...Despite some missteps, Black Cube “has to turn clients away because it cannot service all the demands,” said Mr. Halevy, a former head of the Mossad, an Israeli government intelligence agency. He said Black Cube has worked on 300 cases since being founded in 2010 by two former Israeli military intelligence officers, Dan Zorella and Avi Yanus..."
"Harvey Weinstein hired ex-Mossad agents to suppress allegations, report claims"
Intelligence services typically have less turnover. Though that is changing, particularly for NSA, where people leave to go to contractors.
Also, frankly, describing NSO as ex-Mossad just makes phone malware sound much more complicated than it is and much harder to stop. At the end of the day, it's software, written by people in much the same way any software is written. It just exploits mistakes other software devs made so that it can run.
Emphasis on "military intelligence officers", i.e. not Mossad. This is like mixing up the CIA and FBI. To an outsider they might appear the same, but that's not really the case.
"Efraim Halevy, former director of Mossad, an Israeli intelligence service, is a member of Black Cube’s advisory board."
There's a reason why Russian malware software does not attack systems that have an RU locale for the keyboard: don't sh_t where you eat.
Of course if there are state-sponsored hackers (I'm not really aware if those exist, but I allow this possibility), they will target whatever their management points at. And with corruption it's pretty possible that some local business could be targeted as a part of some financial wars.
But the majority of hackers are just some guys with some IT knowledge and zero morals. They'll buy some exploits and tools on black markets, duct tape them into something and release it in the wild, waiting for profits (or police). They'll rob banks or babushkas, they don't care.
Which is a huge misconception outsiders have about this scene. They are Russian-speaking, not Russian, just like English-speaking gangs are not necessarily English. These groups may (and often do) consist of nationals of different ex-USSR countries, sometimes without even knowing each other personally. They might not even be a single group, just some individuals doing different parts of the scheme (including the "press releases" and "interviews" they sometimes do).
It has been the case long before all this ransomware fad. Russia, Ukraine, Kazakhstan, Belarus, and partially Lithuania have had the world's top CC theft gangs for a couple of decades, and they have always been of mixed origin. They mostly steal EU and US cards because it offers a better reward/risk ratio compared to the home countries, which are poor. But nothing stopped them from stealing CCs in Russia or Ukraine either, certainly not some mythical cops (who couldn't care less in reality); in fact, skimmers are widespread in those countries as well.
Ransomware groups are the same as CC thieves, it's just a different scheme; they probably avoid home countries for the same reason (same risk, less reward). The state can't possibly have too much influence on them, it just triggers the bullshit detector for anyone who lives in any former Soviet republic and knows about this stuff at least superficially.
Why wouldn't the Israeli government tolerate them? If anything, doesn't their government benefit from groups like this?
They get access to spy tools that they didn't have to use taxpayer money to fund, and because it's former members of their own intelligence working on it, they have some semblance of influence over how it's used.
Am I missing something?
Israel is only peripherally and reluctantly involved in the confrontations with Russia and China at the heart of 5E interests, and it neither trusts nor is trusted by 5E countries to the level of sharing intelligence sources or tools except in specific, transactional interactions.
American and Israeli politicians like to talk about Israel being America's "closest ally", but those are just pretty words. Israel's real selling point to the US is that it's a low-maintenance ally.
Hm, that's interesting. Israel seems to be the highest-maintenance ally the US has. Other than, perhaps, Pakistan.
I would say that Israel is politically necessary in the US, but they are expensive and prickly.
And I don't think I've ever seen the "closest ally" quote.
We surely inhabit different media worlds, but FWIW that's the perspective from this side. No arguments intended.
US troops have died in combat defending Saudi Arabia and Kuwait. They've been killed by militants directly supported by Pakistani intelligence services.
How exactly is Israel "high maintenance" by those standards?
I think the US support of Israel comes from a different place, and I think Israel is a cantankerous partner. This may be by design, of course.
There is a legitimate argument that US aid to Israel isn't well thought out rationally, but the only reason that's plausible is that a few billion a year and low-cost diplomatic statements/votes aren't a big enough deal for the Serious National Security Considerations to come into play.
I think the hostility encountered by the US in the Middle East is entirely a function of protecting her own interests in a complicated and contested region. Maybe necessary, definitely inevitable.
The human suffering on all sides is a cost of doing business. This is deemed acceptable by the US govt and not contested by the hosting countries for various bad reasons. It is nothing more special than that. There is no grand righteous moral justification, but that is a useful fiction.
I apologize if this offends you, and I don't share it to be disrespectful -- just to explain my perspective.
If you're trying to describe the actual actions of the parties involved, morality is not a useful analytical or predictive tool; that comes into play when you yourself try to act.
Has the leak of NSA tools changed anything?
Yes. The bipartisan USA Freedom Act limited several aspects of the NSA's dragnet. Amendments weakening the bill were defeated. Less materially, a documentation requirement for § 702 searches of U.S. persons was added in 2018.
I mean when the CIA got busted not only spying on Congress a few years ago, but also lying about spying on Congress, they were told “don’t do that again please.”
Statute of limitations has expired, IIRC.
I imagine it's similar for black/grey-hat software development.
I didn't get the connection between microwave and spying tools
There's no such thing as ex-Mossad or ex-CIA or ex-KGB etc.
Apparently it's not Mossad but Unit 8200, but I'd bet anything that nothing happens without their blessing.
An interesting quote:
"This has been the longest solo exploitation project I've ever worked on, taking around half a year. But it's important to emphasize up front that the teams and companies supplying the global trade in cyberweapons like this one aren't typically just individuals working alone. They're well-resourced and focused teams of collaborating experts, each with their own specialization. They aren't starting with absolutely no clue how bluetooth or wifi work. They also potentially have access to information and hardware I simply don't have, like development devices, special cables, leaked source code, symbols files and so on."
The podcast Darknet Diaries had an episode about the topic recently: https://darknetdiaries.com/episode/98/
(that episode is tied to this book: https://www.amazon.com/gp/product/1635576059/ about the topic)
Also, I like that podcast in general - highly recommend it if you're into infosec stuff!
It's a great set of episodes. This is without a doubt my favourite podcast. 2nd favourite being Knowledge Fight, which debunks Alex Jones and the nonsense that he spews on a daily basis.
I mentioned in another post about why people would leak to the press, when you most likely will get caught and fired. Leakers of a different caliber will leak source code to governments and companies like NSO and have much less likelihood of being caught and much higher remuneration.
There is value in source audits, but you're wrong that exploits come out of stolen source. That's exceedingly rare, and usually quickly publicly leaked when it happens.
I can attest to this, I've found it's frequently far more satisfying to debug at -O3 than -O0. At -O3, the disassembly really lays bare the invalid assumptions that were relied upon.
You aren't the first person to say that exploits created as a result of source code theft are rare and that the theft is quickly publicly leaked when it happens. Why do you think this? I would think that unethical players like NSO Group would have even more motivation to ensure the use of stolen source code is never revealed.
NSO isn't an "unethical" player, they are "ethical" within their own twisted ethics (that most of us don't agree with). They aren't a spy organization outside the law, they're a company building tools for (supposedly) law enforcement. Being caught doing something blatantly illegal like using stolen source code would be the end of them. They can't afford that risk. They have absolutely no need to use source code. There are zillions of binary-only techniques for finding exploitable bugs (e.g. fuzzing). Source code just isn't nearly as useful as you think it is.
If you want a practical example: just a few weeks ago I got ahold of a peculiar, wholly undocumented embedded device (can't even find teardowns on the Internet, no public firmware downloads, etc.) and within one day I had a remote root exploit working - this wasn't using an existing CVE in a library, this was a bespoke bug in this device's firmware, and the exploitation involved reverse engineering two authentication token algorithms and a custom binary communications protocol. No source code. Obviously this isn't iOS, which is quite a bit more hardened, but that should give you an idea of just how easy it is to find exploitable bugs with just something like Ghidra, if you know what you're doing (I was: I was looking specifically for a kind of bug likely to exist, to narrow down the possibilities of where it might be present, and eventually found a suspicious point of attack surface that indeed turned out to be vulnerable; then it was just a matter of reverse engineering enough of the protocol and token requirements of that code to be able to actually trigger it remotely).
I was actually kind of annoyed it took as long as a couple hours to find it (once I had a decent understanding of the rest of the system); I was expecting even less, but it turned out they did a better job than I expected avoiding some of the classic mistakes - but not a good enough one :).
No. Some Apple source code has publicly leaked (iBoot) but stealing this kind of stuff is bound to leak. And reversing binaries for vulnerabilities is not that much harder.
I would be surprised if their core iOS research team is much more than 10 or so people at any given time.
They also probably use brokers and buy at least some of the exploits they use from freelancers. If they offer ~7 figures for a zero-click exploit, a lot of freelancers will be working on this too.
It’s just like any bug bounty program, internally you run a small and dedicated team and externally you pay enough to entice freelancers to spend their free time on your systems to scale it further.
Reverse engineering is not that complicated, however getting some results is difficult and time consuming.
In that example it's basically looking at how some libraries are parsing input, that's it. Since everything in those phones is C/C++, nothing is "safe".
It's the same skills you need to crack games, cheat in online games etc ...
The parent comment seems to imply that someone who can find programmer mistakes is a better programmer than one who actually writes software for the public. If that's true then wouldn't it be reasonable to prefer to use messaging software written by NSO instead of Apple? Why don't "security researchers" write the software we use instead of "software engineers"?^1 Which group would be more likely to have "the best programmers in the world" who would be the least likely to make mistakes? Honest question. I'm not trolling. I think about this question all the time.
1. Some of the programs I use and rely on everyday, even more than something like "iMessage", were written by people who claim to work in "security" or "research" (or even teaching math to university students) not "engineering". I have no complaints about these programs. Yet I have plenty of complaints about the software foisted upon us by Big Tech.
The latter looks really impressive when it’s done well, but it’d be silly to expect someone with deep security knowledge to sit down and build a spreadsheet manager from scratch. The two skill sets are just different. There is no “best”.
Hackers need to find just one mistake out of 1k lines of code.
For example, this is a use-after-free bug. You can statically analyze disassembled code to find places where this might be happening, and then figure out how to exploit that instance of the bug.
NSA finds exploits for their own mission and Google Project Zero researches vulnerabilities to [per their claim] ensure the internet stays a secure platform, but neither of them sells exploits for profit like NSO.
So, no, they're not the only "geniuses" out there. They just are less ethical about it.
Members of those teams are often Security Engineers at e.g. Google, banks, computer emergency response teams (CERT) and so on.
>We have two Canadians, two Estonians, an Israeli and a Korean
Not much different to how software exploitation was done in the Win98-ME-XP era.
A lot of vulnerabilities are very obvious from disassembly, and often can even be found with automated tools.
Today, it's easy. Back in early 200x, everybody was not only hiding their sources well, but obfuscating binaries in every way possible.
People just forgot the scale of binary-only exploitation at its peak.
From what I've heard it can be almost trivial to find them if you know what to look for. But it seems that very few people know exactly where to look, and fewer still understand how to interpret the results.
Basically, they are propped up by their gov, and that is the major problem.
A lot of knowledge about the target system's internals (comes with experience) and probably a lot of investment in fuzzing infrastructure or A LOT of time reverse engineering and reviewing manually. Finding bugs in closed source software by hand is incredibly slow and painful.
> Selection starts from age of 4
Care to share your sources for that? As far as I know most are self-taught and get some further training in the military.
It might be boring to some and might be extremely interesting for others. People who like solving puzzles and facing hard challenges usually like it. Of course, if your passion is building you wouldn't like it as you don't "build" something new.
> Usually a group of introverted young kids that look at their own shoes while talking to you, led by an extroverted young kid, that looks at your shoes while talking to you.
Have you met these people at all? Because it definitely sounds like you haven't and you just describe the typecast some movie would use.
My children were attending/graduated/served kindergarten/school/army in Israel and I saw selection process as a parent.
My wife was a school teacher in Israel. She described to me some of the evaluation metrics she was supposed to submit every half a year over each and every pupil she had.
> Have you met these people at all?
I cannot confirm nor deny I met these people.
I mean, they have been followed all their lives by the time they arrive at the final selection process; it is a track record after all.
What does this have to do with the military? What does the "selection" actually entail?
1) At the age of 4 all the parents were gathered to meet kindergarten personnel. They explained that kids will play games all year. Parents were separated into groups and given logical puzzles to solve. Results were noted.
For the next two years children were playing games with changing rules to negate natural ability for specific game and to select for ability to find the best strategy within current constraints.
At the same time each parent is given a day to present his/her profession. Results are noted.
Results were passed to school class selection committee.
2) According to results in kindergarten, kids are grouped in schools. Some are given the opportunity to participate in electrical engineering or robotics activities (my daughter was Top 5 in the Israeli competition for 6-9 year olds with a reduced team).
3) By the end of the second year some of the parents are notified that there will be an examination. The test is analogous to an IQ test (math, language, general knowledge). Graded on the curve for the municipality. Top 8% are invited for one day a week for additional activities. Top 2% are invited to special schools with a much more intensive program. My daughter made it to the top 8%. Activities are: decision making, finding solutions within constraints, leading groups of people to solve bigger problems.
4) By the end of elementary, depending on previous results, kids get access to the full math program (as opposed to reduced arithmetic). Additional activities include software and electrical engineering, robotics, chemistry, physics and so on. Parents and kids that didn't make it to the Top 8% in previous years are not aware of these activities (invitations are sent personally).
5) At age of 15 kids pass initial evaluation by IDF. Good grades at high school will guarantee initial evaluation will be upheld. Bad grades will negatively impact the chances.
6) By the end of high school whole history and psychological profile are passed to IDF for final evaluation.
> What does this have to do with the military?
In Israel everything has everything to do with military.
I can't agree more with what the above commenter said. This is not infosec hiring, it's Spy Kids.
Most people who are good at this are working for national security orgs, blue team in the private sector, or cash focused criminals. This is the relatively small group of people who are comfortable selling tools to help dictators hack journalists up with saws.
It sounded like NSO Group just considers losing zero-days like this a cost of doing business.
There seemed to be an implication that they have a war chest of these exploits and expect them to each get burnt after a certain amount of usage.
That's exactly what it is. These companies buy, research and stockpile exploits, and keep a few always at the ready for when the currently deployed ones get burned. All exploits have a shelf life, and the more widely one is used, the more likely it is to get caught.
Because let's not forget: NSO and their ilk are not in the business of developing exploits. That's just their raw material. They are in the business of selling weapons-grade espionage and surveillance capabilities.
Massive blow to the integrity of European telecoms.
"The Guardian reported this year that hundreds of thousands of euros of Yana Peel’s legal bills were expensed to the NSO Group by her husband – another move that apparently angered his partners.
Stephen Peel’s lawyers said at that time that the “manner” in which the legal fees were paid had been approved by Kowski and Lueken, and he strongly disputed the suggestion that the payment of the expense claims was a source of disagreement between the partners.
Peel, Lueken and Kowski are all now involved in a legal dispute over the future ownership of the firm they created."
People have lost their lives due to these pariahs!
Israel already has a massive PR issue with other countries; it would do them well to rein in these offensive front arms of their government/'companies.'
Citizen Labs is really a great thing for civilization. There are not enough altruistic organizations.
The basic issue is that every nation is actively buying and using zero-days and doesn't want to stop. And companies like NSO aren't really (so they say at least) hacking anybody. They just develop and license hacking tools to governments to use for "lawful" law enforcement purposes. So nobody wants to ban the zero-day market because every country is a huge buyer of zero-days themselves, and it is hard to ban selling zero-days to sovereign governments who are using them in accordance with their own laws (even if the regimes in question are terrible and using them to violate their citizens' basic human rights). After all, it would be a bit awkward for the US to demand that the NSO Group stop selling its hacking tools to Saudi Arabia while we have a multi-billion dollar defense industry selling the Saudis all sorts of advanced weaponry.
And if you think this is in any way unusual, take a look at the places the US and China and France sell weapons to.
Israel's specialties happen to be software exploits and EW equipment, but this isn't a deeply different interaction.
But for these middle eastern countries Israel selling them exploits which allow them to spy on dissidents may actually improve relations by helping out regimes which would otherwise be sworn enemies of theirs…
- Protecting yourself from run-of-the-mill malware that is looking to make money off of you. You can do this pretty effectively by always updating your software as soon as you can and avoiding sketchy and unnecessary apps and websites
- Protecting yourself from an attack by a nation state level agency. I don't think there is any way to be safe from this, and people who are targeted like this need to use protections that go well beyond the choice of cell phone or chat app
My personal data was hacked by a nation-state level agency. The only way I could’ve prevented that is by not working in a national security position for that country’s geopolitical rival.
Now the only thing I can reasonably do is avoid ever stepping foot in that country lest they detain me for “extra questioning.”
So I do think there is a level between these two where you can be defended against nation states that will use COTS-equivalent exploits against you even if you won't resist an active attempt by a full team targeting you very specifically.
But doing this is hard as hell in the modern world, because so so so much of our device surface is riddled with memory errors.
“Nation state” is a well-defined term in the political sciences, and we misuse it here on HN all the time. To quote Wikipedia:
“A nation state is a political unit where the state and nation are congruent. It is a more precise concept than "country", since a country does not need to have a predominant ethnic group.”
In the “Westphalian sovereign” sense.
Sure, it might make more sense to define this as "state-level agency", but that would confuse things for Americans. My internet security threat model ignores the state agencies of Montana just as much as yours ignores those of San Marino.
In my experience, the common HN usage really translates to “country with a big military budget”, which is not at all what the term means.
Neither the US nor Russia are nation states. China and San Marino are both nation states. I’m guessing the poster meant “countries like the US, Russia and China”, and not “countries like China and San Marino.”
I think people say "nation state" in part just because it flows better rhythmically, and in part because of that whole "westphalian" thing; and because the word "state" has other confusing meanings (including in CS, state as in 'state machine'; and the 50 USA states).
But really on HN when talking about "threat actors", they mostly just mean "state-level". (See I had to add -level to make it rhythmically like 'nation state' again, the one syllable 'state' is just too short it just plops into your sentence ruining it)
[Hey, why is it called the United Nations instead of the United States anyway? Oops, cause there already is a United States. But the UN is clearly an organization of States not Nations. But the things are conflated and confused generally in European nationalist ideologies of the 18th-20th centuries, that have affected our vocabulary and concepts for these things, it's not just HN. "Nation" is often used as a synonym for "State", so "nation state" ends up just kind of doubling down]
I say "state-level actor".
Almost any contemporary liberal democracy (and not only those) at least formally defines itself as a state of its citizens, not belonging to any particular "nation" (i.e. ethnicity, basically). I don't see the point in distinguishing between states that are "nation" states or not in the 21st century, or think that it has a clear distinction.
States are sovereign political entities; of course modern countries tend to have a federal state made of several constituent states (see: USA, Germany, etc) where each claims certain jurisdiction. In ancient times there were city-states like Athens, Sparta... and even in 18th century Europe cities like Venice were states (Republic of Venice).
Nations are people united by something they have in common. That could be shared history, language, culture, the geographic area they live in, or something more abstract like fandom of certain sports teams or other hobbies.
There is considerable overlap between nations and states, and given state is already overloaded, extra words are added for clarity.
I like "state-level" because these sorts of exploits and attacks are really about resources, not sovereignty, territory, etc. The fact is a rich person or company could fund a team that does vulnerability research and get results on par with the top tier folks already doing it.
And, the UN should be called the "United Countries" since it is really about territorial areas. They admit members based on geographical claims; I don't see any ethnic, cultural, or fandom group (that isn't in control of some territory and thus also country/nation) as a member.
Apple could certainly do a lot more to protect their customers, and we generally let Apple off far too lightly here. For starters: using their enormous revenues to bid up the prices for these cracks. Writing better software, e.g. using well-known techniques to harden iMessage. Etc.
* Go work for Apple
* Learn vulnerabilities
* Sell vulnerabilities for cash on the dark market
I am at peace with the fact that I'm doing the best I can and keeping those I love protected.
>A hacker was able to obtain over 280,000 personal identity photos following an attack on the state information system last Friday. The suspect is reportedly a resident of Tallinn.
>The culprit had already obtained personal names and ID codes and was able to obtain a third component, the photos, by making individual requests from thousands of IP addresses.
How do you protect yourself against that when the government requires you to have an ID card and puts you into the database? What happens when financial transaction logs get hacked or medical histories?
But now with tech the risk is invisible unlike a collapsed bridge. In Australia it is basically impossible to live a normal life without bringing your phone everywhere because they mandate that you scan QR codes before entering stores and the manual written forms are usually hidden behind a counter and on request only.
It keeps them closely guarded and selective about use. All of that makes me an unlikely target and reduces individual risk.
I don't. Look at how much companies like Apple pay out for responsible disclosure if they pay out at all, and then compare it to what exploits go for on the grey/black market. Typically the buyers have deep pockets and burning millions of dollars wouldn't make them blink.
If a vulnerability only cost ~$100 then a malicious person could compromise an ex lover’s phone, for example. The fact that they are expensive means that their use is limited to targeted, strategic attacks. You don’t have to agree that those attacks are good, but surely pricing the average person out of 0-days is better than the alternative.
There are organized crime networks that pull in billions of dollars of revenue a year. If they wanted to pull off dragnet fraud, for example, they have the funds to do so.
Who do you think are more likely to use the vuln/exploit on regular everyday users? The nation state people are going to use it on targeted persons/groups (typically) while the "bad guys" are going to use it so they get the greatest bang for their buck.
For sure they are much more interesting targets than I am, therefore burning a few 0-days might be worth the effort.
Don't share the phone number of your SIM with anyone for any reason whatsoever (or don't put a SIM in the phone at all and use an external wifi router (this is what I do), or use a data-only SIM), and ensure that iMessage and iCloud are disabled.
This doesn't make your phone invulnerable, it just makes it less vulnerable.
Naively to me it looks like it's an artifact of 90s OS security model. The modern web, and the threats of the modern world require more stringent security facilities at the OS level to allow isolation of security context even to super users and specifically per program-origin, per identity, and per-process context isolation. Super users having the ability to read-write in any security context is no longer appropriate, at most super users should only be able to deny and delete, that's the only way to protect end-user privacy.
It is 100%. The sadder reality is that the most likely weak link when it comes to exploiting your device is you.
Do you think this is a recipe for secure computing?
I do sometimes wonder what a "Manhattan Project" of software security would look like. I do think rewriting all common file parsers in <X> would be a very achievable project with a budget of a few dozen million dollars - nothing compared to the potential savings. The issue is then getting people to actually switch over. I think that a PR push by NIST et al. could help convince the slowpokes that the "industry standard" has changed and they need to do something to avoid liability.
How do you estimate the financial damages here though? It's not like anybody's really going to stop buying iPhones over this. Not to any real degree. There's some brand damage to Apple but that calculation's highly debatable and swings around wildly. Which is the problem. Digital security is impossible to put a price on, because until someone is actively exploiting it, it costs WAY less to do nothing about the situation.
Microsoft at least started rewriting some components of Windows in Rust. Though they aren't saying which ones.
2. With the number of projects Apple has, the number of "trivial" enhancements like this adds up very quickly.
1. Incomplete deletion of evidence from a SQLite database, in the exact same manner observed in a previous Pegasus sample;
2. The presence of a new process with the same name as a process observed in a previous Pegasus sample.
But isn't it likely that someone with the skills needed to discover and weaponize a chain of 0-day exploits, is incentivized and able to detect these quirks in Pegasus samples and imitate them, with the goal of misattribution?
Of course, there may be more factors involved in the attribution that aren't being shared publicly.
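As an added illustration of the first indicator (this is not code from Citizen Lab or from the thread): a row deleted from a SQLite table normally survives in the file's unallocated space, which is what a raw-byte carve of the database finds. The table, the sentinel string and the file name are constructed, and the secure_delete pragma is set OFF explicitly because build defaults vary.

```python
"""Deleted SQLite rows usually survive in the file; carve for them.
Added example, not from the thread; table and sentinel are constructed."""
import os
import sqlite3
import tempfile

SENTINEL = "SENTINEL-deleted-attachment-record"  # constructed marker


def make_db(path: str) -> None:
    """Create a small table, then delete one row with an ordinary DELETE."""
    conn = sqlite3.connect(path)
    # Most SQLite builds default to OFF; set it so the demo is deterministic.
    conn.execute("PRAGMA secure_delete=OFF")
    conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO message VALUES (1, 'hello, nothing to see here')")
    conn.execute("INSERT INTO message VALUES (2, ?)", (SENTINEL,))
    conn.commit()
    conn.execute("DELETE FROM message WHERE id = 2")  # gone from the SQL view
    conn.commit()
    conn.close()


def rows_visible(path: str) -> list:
    """What a normal query returns after the delete."""
    conn = sqlite3.connect(path)
    rows = [r[0] for r in conn.execute("SELECT body FROM message ORDER BY id")]
    conn.close()
    return rows


def carve(path: str, needle: bytes) -> list:
    """Scan the raw file bytes (not the SQL view) for remnants of the row."""
    with open(path, "rb") as f:
        data = f.read()
    hits, start = [], 0
    while (i := data.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def remnant_offsets() -> list:
    """Build the DB in a temp dir and return file offsets where the row remains."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sms.db")  # constructed file name
        make_db(path)
        assert rows_visible(path) == ["hello, nothing to see here"]
        return carve(path, SENTINEL.encode())


if __name__ == "__main__":
    print("remnant found at offsets:", remnant_offsets())
```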
Your proposal is possible. It is just less likely than that this exploit was developed by NSO Group.
Crowdstrike will find out it's clearly Russia behind this and Mandiant will blame China.
Interesting that you're leaving out Israel from your listing while the very subject of this article is Israeli offensive cyberwar and espionage capabilities and a profound lack of ethics.
What I was trying to convey originally is that attribution is politically expedient. If you want to saber-rattle towards China you task Mandiant to find proof of Chinese hacking, if you want to blame Russia Crowdstrike gets the job. It's like employing McKinsey consulting to give a veneer of credibility to a predetermined outcome.
Edit: Just realized it also impacts macOS and watchOS as well which were also patched. Patch Monday!
I wonder if running as a standard user would offer some form of protection.
- vulnerable to the latest published exploits
- vulnerable to client-side scanning of your media for wrongthink by Apple for the CCP
Smash that iOS update button and do your part for the party!
What about "Don't use Apple products"? I know that Android is just as bad in many ways...
And if all options in the modern tech industry basket of choice are terrible, well... humanity survived without them for an awfully long time.
I've gone back to a flip phone from an iPhone. I no longer use Windows if I can at all avoid it (there exist a few sysadmin tasks involving netbooting Mikrotik devices for major OS updates that are far less painful on Windows than other OSes), and have no plans to let Win11 in my life. And Apple is heading out the door too. Throw in my dislike of Intel, and... yeah, it's getting pretty thin pickings. I still have an iPad with no accounts on it as a PDF reader, but I'd like to replace that with something else (Remarkable or such).
"Agh, this is soooo terrible, but I'm going to keep using it!" just means, in practice, it's not that terrible.
I don't think this is the only conclusion here.
I think we should acknowledge just how central personal computing devices are in society in 2021. Sure, it's true that humanity survived without them, but at that time, societal norms were drastically different. Removing tech from daily life today can be crippling, and that's part of what makes some of these issues so terrible. They directly threaten our daily lives.
I'd argue that it's possible for the thing to be "very terrible", and to conclude that it's still your only option to continue using the Apple/Google ecosystem.
- Not all users have the financial means to switch. The iPhone they own is the one phone they'll buy for the next 3-4 years.
- A growing number of users have only an iDevice and no standalone PC. Couple this with #1, and things get even more difficult.
- The utility afforded by the Apple ecosystem is high enough (or virtually required depending on one's job) that it outweighs the current set of downsides.
If a corner store owner pays a weekly fee to the local gang "for protection", it doesn't necessarily follow that because the owner chooses to pay the fee, the extortion must not be soooo terrible.
Time to consider GNU/Linux phones, Librem 5 and Pinephone.
You can either trust Apple, or lose all security updates.
> In March 2021, we examined the phone of a Saudi activist who has chosen to remain anonymous, and determined that they had been hacked with NSO Group’s Pegasus spyware. During the course of the analysis we obtained an iTunes backup of the device.
> Citizen Lab forwarded the artifacts to Apple on Tuesday, September 7. On Monday, September 13, Apple confirmed that the files included a zero-day exploit against iOS and MacOS.
In short: Just because they got access to the phone in March doesn't mean that they were already aware of the zero-day exploit back then. Finding this kind of stuff takes a while.
She wanted to build a database of something, and we were like, "keep your phone in another room" if you want to come discuss. Something that I am not sure she practices but more people need to practice.
CitizenLab is doing yeoman's service for people's rights to privacy and human rights. They're heroes.
Isn’t it more usual for the NED to do such things? I remark upon this because it occurs to me that using USAID to do politics might make recipients suspicious of aid even when it’s both necessary from a humanitarian perspective and unlikely to threaten the ruling dispensation in the recipient country. (This is a separate question from whether the NED/US government as a whole should even involve itself in such matters, to which my answer is ‘maybe’, since the dubious stuff probably happens anyway and lots of these civil society organisations &c. actually do good work [e.g. the Assistance Association for Political Prisoners in Burma.])
In any case, they span the range from benign to hostile nations, with varying risks attached. The "About" page for many such sensitive orgs would be silent on who the team was, except if it was Americans (like me) who didn't mind their name being out there (or nervously okayed the name being public).
I wish programmers would stop "helpfully parsing" files which are named with an "incorrect" extension. If a random unknown person sends me a file with .gif extension that is actually a PSD file, I most definitely do not want my machine parsing whatever that thing is.
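The check the comment is asking for, as an added example that is not from the thread: compare an attachment's claimed extension with its leading bytes (the file signature) and flag mismatches, so a ".gif" that is really something else is refused before any parser touches it. The signature table covers a handful of common formats, and the attachment names and contents are constructed.

```python
"""Flag attachments whose bytes do not match the extension they carry.
Added example, not from the thread; sample attachments are constructed."""
from __future__ import annotations
from pathlib import Path
from typing import Optional

# Well-known leading-byte signatures for a few common file types.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
    ".psd": (b"8BPS",),  # Adobe Photoshop document
}
ALIASES = {".jpeg": ".jpg"}  # normalise spelling variants


def sniff_type(data: bytes) -> Optional[str]:
    """Return the extension whose signature matches the first bytes, or None."""
    for ext, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return ext
    return None


def check_attachment(name: str, data: bytes) -> dict:
    """Compare the extension the file claims with what its bytes say."""
    claimed = Path(name).suffix.lower()
    claimed = ALIASES.get(claimed, claimed)
    actual = sniff_type(data)
    # Only judge extensions we have a signature for; unknown types pass through.
    return {"name": name, "claimed": claimed, "actual": actual,
            "mismatch": claimed in MAGIC and actual != claimed}


def scan_attachments(attachments: dict) -> list:
    """Names of attachments whose content does not match their extension."""
    return [n for n, d in attachments.items()
            if check_attachment(n, d)["mismatch"]]


# Constructed sample set: one genuine GIF header, two files renamed to .gif.
SAMPLE = {
    "photo.gif": b"GIF89a" + bytes(20),
    "funny.gif": b"8BPS" + bytes(20),        # a PSD wearing a .gif name
    "meme.gif": b"%PDF-1.7\n" + bytes(20),   # a PDF wearing a .gif name
    "notes.pdf": b"%PDF-1.4\n" + bytes(20),
}

if __name__ == "__main__":
    for name in scan_attachments(SAMPLE):
        print("extension/content mismatch, refusing to parse:", name)
```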
I have been keeping an eye on the work done by what is now called Project Everest over the years in the communication and cryptographic space.
Is there similar work in the image and video decode space? My search fu is not yielding anything beyond some hardware decoding proofs.
Though it's worth noting that the cost of Stagefright was surprisingly low - it took a long time for a good ASLR bypass to come out for it and by that time most devices were updated or replaced. Additionally, the sheer variance between Android devices means developing worm-level exploits becomes extremely difficult compared to something where everyone's running the exact same binary like Windows, so it likely only saw targeted use.
The NY Times just reported that "Apple’s security team has been working around the clock to develop a fix since Tuesday, after researchers at Citizen Lab, a cybersecurity watchdog organization at the University of Toronto, discovered that a Saudi activist’s iPhone had been infected with spyware from NSO Group."
What took so long? Did Apple not know about this in March or was someone sitting on it for 6 months?
> Recent re-analysis of the backup yielded several files with the “.gif” extension in Library/SMS/Attachments that we determined were sent to the phone immediately before it was hacked with NSO Group’s Pegasus spyware.
Seems like they originally examined the phone in March, but recently did another analysis, during the course of which they discovered the exploit and reported it to Apple.