
It just makes me so uncomfortable that these things keep happening. We always find out about these things eventually but what percentage of the time are our devices vulnerable? Isn’t it close to 100% of the time that our desktops and mobile devices have significant security vulnerabilities?



The way I describe it to friends and family is that there are basically two levels of protection:

- Protecting yourself from run of the mill malware that is looking to make money off of you. You can do this pretty effectively by always updating your software as soon as you can and avoiding sketchy and unnecessary apps and websites

- Protecting yourself from an attack by a nation state level agency. I don't think there is any way to be safe from this, and people who are targeted like this need to use protections that go well beyond the choice of cell phone or chat app


Basically, you’re either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you’ll probably be fine if you pick a good password and don’t respond to emails from ChEaPestPAiNPi11s@ virus-basket.biz.ru. If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they’re going to use a drone to replace your cellphone with a piece of uranium that’s shaped like a cellphone, and when you die of tumors filled with tumors, they’re going to hold a press conference and say “It wasn’t us” as they wear t-shirts that say “IT WAS DEFINITELY US,” and then they’re going to buy all of your stuff at your estate sale so that they can directly look at the photos of your vacation instead of reading your insipid emails about them. In summary, https:// and two dollars will get you a bus ticket to nowhere. Also, SANTA CLAUS ISN’T REAL. When it rains, it pours.

[PDF] https://www.usenix.org/system/files/1401_08-12_mickens.pdf


I think this understates the threat of privatized hacking tools. Governments that can barely tie their shoelaces now have access to capabilities that only a few heavy hitters used to have. One example: In Mexico NSO software was used to target anti-obesity activists who were pushing for less soda pop consumption.


The funny thing is that despite all of this high end, super secret, extremely sophisticated technology used against them, those activists won in the end.


It's a well known piece but it's from 2014 (or earlier), and the world was different back then.



> Protecting yourself from an attack by a nation state level agency.

My personal data was hacked by a nation-state level agency. The only way I could’ve prevented that is by not working in a national security position for that country’s geopolitical rival.

Now the only thing I can reasonably do is avoid ever stepping foot in that country lest they detain me for “extra questioning.”


Sorry… sounds really rough.


Eh, thanks but don’t feel bad for me. There’s hundreds of other countries I can visit. I feel bad for the dissidents who are targeted within their own country and have no hope to leave.


And worse targeted abroad. Russia, China, Saudi. They all target, sometimes kill, sometimes abduct abroad. Even in the US... Scary.


Which country?


The OPM breach was attributed to China. My personal data was also disclosed in the breach and I’ve since traveled to China multiple times.

https://en.m.wikipedia.org/wiki/Office_of_Personnel_Manageme...


Until run of the mill malware learns of a vuln only thought to be known by nation states, and then all hell breaks loose.


Don't know why you're getting down voted, that's literally what happened with WannaCry

https://www.acronis.com/en-gb/articles/nhs-cyber-attack/


This is sort of in the middle. NSO Group's exploits are surely expensive, but they are also not pinpointed. The states buying these exploits aren't spending the unlimited resources at their disposal to do the exploitation, it just costs them cash. This is one of the things that likely promotes proliferation of this stuff, since it is so easy to pick another target.

So I do think there is a level between these two where you can be defended against nation states that will use COTS-equivalent exploits against you even if you won't resist an active attempt by a full team targeting you very specifically.

But doing this is hard as hell in the modern world, because so so so much of our device surface is riddled with memory errors.


Time to be “that guy”…

“Nation state” is a well-defined term in the political sciences, and we misuse it here on HN all the time. To quote Wikipedia:

“A nation state is a political unit where the state and nation are congruent. It is a more precise concept than "country", since a country does not need to have a predominant ethnic group.”

https://en.m.wikipedia.org/wiki/Nation_state


Nation-state is often used in a different sense to distinguish the participants in the Westphalian system of sovereignty from other entities that might be labelled nations and/or states; this use derives in part from the fact that the Westphalian system is itself considered the turning point to nation-states (in the sense the parent describes) as a general norm, and that the participants in that system are generally also nation-states in that primary sense. (While “state” alone is often used for this where context makes it clear that this sense of “state” is intended, there are lots of other uses of “state”—particularly for subordinate units of certain Westphalian sovereigns—which can create ambiguity, and “Westphalian sovereign” is a lot more cumbersome than “nation-state”.)


But the Westphalian system explicitly emphasizes the importance of the boundaries of the state vs the size of those boundaries. The HN usage tends to imply that “nation state” is something particularly impressive. But “an attack by a San Marino-level agency” doesn’t convey that same level of impressiveness.


Yeah, in security, “nation-state level actor” is used to mean “the most capable category of attackers, most (all?) of whom are particularly powerful nation-states [0]”, not “attacker at the level of at least the least-capable nation-state”.

[0] In the “Westphalian sovereign” sense.


Russia is 81% ethnic Russian, per Wikipedia. I think that's close enough to qualify for "nation and state are congruent".

Sure, it might make more sense to define this as "state-level agency", but that would confuse things for Americans. My internet security threat model ignores the state agencies of Montana just as much as yours ignores those of San Marino.


That wasn’t a misuse though - was it?


Well, perhaps the original poster was using it accurately.

In my experience, the common HN usage really translates to “country with a big military budget”, which is not at all what the term means.

Neither the US nor Russia are nation states. China and San Marino are both nation states. I’m guessing the poster meant “countries like the US, Russia and China”, and not “countries like China and San Marino.”


Honestly I think they just mean "state". Yes, some states have more resources than others, but the ones without a lot of resources generally aren't engaging in cyber attacks, and "state" as a general category is good enough summary.

I think people say "nation state" in part just because it flows better rhythmically, and in part because of that whole "westphalian" thing; and because the word "state" has other confusing meanings (including in CS, state as in 'state machine'; and the 50 USA states).

But really on HN when talking about "threat actors", they mostly just mean "state-level". (See I had to add -level to make it rhythmically like 'nation state' again, the one syllable 'state' is just too short it just plops into your sentence ruining it)

[Hey, why is it called the United Nations instead of the United States anyway? Oops, cause there already is a United States. But the UN is clearly an organization of States not Nations. But the things are conflated and confused generally in European nationalist ideologies of the 18th-20th centuries, that have affected our vocabulary and concepts for these things, it's not just HN. "Nation" is often used as a synonym for "State", so "nation state" ends up just kind of doubling down]

I say "state-level actor".

Almost any contemporary liberal democracy (and not only those) at least formally defines itself as a state of its citizens, not belonging to any particular "nation" (ie ethnicity basically) in particular. I don't see the point in distinguishing between states that are "nation" states or not in the 21st century, or think that it has a clear distinction.


>Hey, why is it called the United Nations instead of the United States anyway? Oops, cause there already is a United States. But the UN is clearly an organization of States not Nations.

States are sovereign political entities; of course modern countries tend to have a federal state made of several constituent states (see: USA, Germany, etc) where each claims certain jurisdiction. In ancient times there were city-states like Athens, Sparta... and even in 18th century Europe cities like Venice were states (Republic of Venice).

Nations are people united by something they have in common. That could be shared history, language, culture, the geographic area they live in, or something more abstract like fandom of certain sports teams or other hobbies.

There is considerable overlap between nations and states, and given state is already overloaded, extra words are added for clarity.

I like "state-level" because these sorts of exploits and attacks are really about resources, not sovereignty, territory, etc. The fact is a rich person or company could fund a team that does vulnerability research and get results on par with the top tier folks already doing it.

And, the UN should be called the "United Countries" since it is really about territorial areas. They admit members based on geographical claims; I don't see any ethnic, cultural, or fandom group (that isn't in control of some territory and thus also country/nation) as a member.


It's to distinguish the hypothetical attacker and their resources from an individual or group of individuals. The threat to my personal health if Mossad is after me vs a particularly violent jilted ex-lover vs if I took down the local gang/cartel/drug dealer (ie they all want to kill me) but the level (and possibility) of defense against each of those threats are vastly different.


> I don't think there is any way to be safe from this

Apple could certainly do a lot more to protect their customers, and we generally let Apple off far too lightly here. For starters: using their enormous revenues to bid up the prices for these cracks. Writing better software, eg using well-known techniques to harden iMessage. etc.


Also they could treat their employees better so there’s less churn. Every newly-hired kernel engineer is bound to repeat the same technical mistakes that their predecessor made a decade ago.


Might be a business model for a Kernel engineer:

* Go work for Apple

* Learn vulnerabilities

* Resign

* Sell vulnerabilities for cash on the dark market

Edit: formatting


But is this because computers fundamentally cannot be made secure, or due to backdoors and sloppy coding? I’ve heard BSD is pretty secure right? Couldn’t we make phones that secure if we didn’t bloat them with flashy new features every six months?


Invulnerability for your devices is a chimera. You can only do what's possible in your capacity to secure yourself.

I am at peace with the fact that I'm doing the best I can and keeping those I love protected.


The problem is that we're moving into a more and more digital world where it's not possible to even opt out. Estonia had their ID card photo database hacked.[0]

>A hacker was able to obtain over 280,000 personal identity photos following an attack on the state information system last Friday. The suspect is reportedly a resident of Tallinn.

>The culprit had already obtained personal names and ID codes and was able to obtain a third component, the photos, by making individual requests from thousands of IP addresses.

How do you protect yourself against that when the government requires you to have an ID card and puts you into the database? What happens when financial transaction logs get hacked or medical histories?

[0] https://news.err.ee/1608291072/hacker-downloads-close-to-300...


Yeah I find it worrying how society only cares about what is technically possible and not what is realistically safe and secure. We could build taller and cheaper buildings if we ignored standards and just accepted that sometimes they fall over. But we don't because that is insanely dangerous.

But now with tech the risk is invisible unlike a collapsed bridge. In Australia it is basically impossible to live a normal life without bringing your phone everywhere because they mandate that you scan QR codes before entering stores and the manual written forms are usually hidden behind a counter and on request only.


Security has always been relative. I feel much safer knowing that an exploit like this is worth hundreds of thousands or even millions of dollars.

It keeps them closely guarded and selective about use. All of that makes me an unlikely target and reduces individual risk.


> I feel much safer knowing that an exploit like this is worth hundreds of thousands or even millions of dollars.

I don't. Look at how much companies like Apple pay out for responsible disclosure if they pay out at all, and then compare it to what exploits go for on the grey/black market. Typically the buyers have deep pockets and burning millions of dollars wouldn't make them blink.


Why does it matter if it’s the “good guys” or “bad guys” paying?

If a vulnerability only cost ~$100 then a malicious person could compromise an ex lover’s phone, for example. The fact that they are expensive means that their use is limited to targeted, strategic attacks. You don’t have to agree that those attacks are good, but surely pricing the average person out of 0-days is better than the alternative.


> The fact that they are expensive means that their use is limited to targeted, strategic attacks.

There are organized crime networks that pull in billions of dollars of revenue a year. If they wanted to pull off dragnet fraud, for example, they have the funds to do so.


>Why does it matter if it’s the “good guys” or “bad guys” paying?

Who do you think are more likely to use the vuln/exploit on regular everyday users? The nation state people are going to use it on targeted persons/groups (typically) while the "bad guys" are going to use it so they get the greatest bang for their buck.


Or the nation state uses it against everyone in a dragnet operation? Also, specifically targeted people by nation states often are "regular everyday users". They just happened to draw the ire of the wrong person.


But still, I feel relatively safe knowing/thinking that the Saudi government doesn’t want to hack my iPhone.


Organized crime might, as they orchestrate fraud, blackmail etc networks all over the world.


It makes me wonder what people like Bill Gates or Jeff Bezos use for their phone security.

For sure they are much more interesting targets than I am, therefore burning a few 0-days might be worth the effort.


Wasn't Bezos' phone hacked by the Saudis?


oh didn't know that


Yes, but it can be somewhat mitigated by not using SMS or iMessage.

Don't share the phone number of your sim with anyone for any reason whatsoever (or don't put a sim in the phone at all and use an external wifi router (this is what I do), or use a data-only sim), and ensure that iMessage and iCloud is disabled.

This doesn't make your phone invulnerable, it just makes it less vulnerable.


That's exactly why I started scratching my head as to why the entire web security model assumes a trusted execution environment. That no longer makes sense in today's world.

Naively to me it looks like it's an artifact of 90s OS security model. The modern web, and the threats of the modern world require more stringent security facilities at the OS level to allow isolation of security context even to super users and specifically per program-origin, per identity, and per-process context isolation. Super users having the ability to read-write in any security context is no longer appropriate, at most super users should only be able to deny and delete, that's the only way to protect end-user privacy.


Sandbox escapes are part of most serious exploit chains nowadays. They make things harder for exploit authors but absolutely do not fix the problem at a fundamental level. iMessage runs in a sandboxed environment. Doesn't stop the exploit in the article from getting root.


Qubes OS [0] is based on a different security model: security through compartmentalization.

[0] https://www.qubes-os.org/


I can't find a link to it now, but there was a blogpost on how all other non-compartmentalization approaches to security had failed.



That’s the one! :)


This is largely how iOS works.


You would expect quality from a commercial product because of all the investment being put into a product, but these exploits are saying otherwise. Open source projects may have more investments that care on a different level. We might have to figure out a way to go in that direction eventually considering how dangerous this is getting; many people depend on the quality of a product to ensure safer communication, and with some it is a life and death situation. So yeah, it's sad that this keeps happening; it seems like we can think of a better way to not make this happen as often.


> Isn’t it close to 100% of the time that our desktops and mobile devices have significant security vulnerabilities?

It is 100%. The sadder reality is that the most likely weak link when it comes to exploiting your device is you.


It might be the outrage goggles, but OpenBSD is sure looking good lately. https://www.openbsd.org/security.html


Until it becomes more mainstream; every os can be exploited if lucrative


One company, which likely has a retention problem, is writing all of the code for your system and setting things up so that you can’t easily use anything else.

Do you think this is a recipe for secure computing?


Why do people keep writing file format parsers in unsafe languages?


I think it's mostly that people are continuing to use file format parsers that were written in unsafe languages in 1998.

I do sometimes wonder what a "Manhattan Project" of software security would look like. I do think rewriting all common file parsers in <X> would be a very achievable project with a budget of a few dozen million dollars - nothing compared to the potential savings. The issue is then getting people to actually switch over. I think that a PR push by NIST et al. could help convince the slowpokes that the "industry standard" has changed and they need to do something to avoid liability.
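To make the "memory errors in file parsers" point above concrete, here is an added example that is not from the thread or from any project it mentions: a tiny parser for a constructed tag-length-value record format, written first the way legacy parsers were written (trust the length byte from the file) and then with the two checks that remove the memory error. The record layout, the `VALUE_MAX` buffer size and the sample inputs are all assumptions made up for this illustration.

```c
/* Added example: a minimal TLV parser showing the classic file-format
 * memory error beside its bounds-checked form. Record layout (constructed
 * for this example, not a real format):
 *   [1 byte tag][1 byte length][length bytes of value] ... repeated
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define VALUE_MAX 16   /* assumed fixed-size destination buffer */

/* Naive parser: copies `len` bytes wherever the file says to.
 * Two bugs: len > VALUE_MAX overflows value_out (stack/heap write),
 * and len > bytes remaining reads past the end of buf (out-of-bounds
 * read). Kept only to show the pattern; never feed it untrusted input. */
size_t parse_tlv_naive(const uint8_t *buf, size_t buflen, uint8_t *value_out) {
    size_t off = 0, count = 0;
    while (off + 2 <= buflen) {
        uint8_t len = buf[off + 1];
        memcpy(value_out, &buf[off + 2], len);   /* unchecked length */
        off += 2 + (size_t)len;
        count++;
    }
    return count;
}

/* Checked parser: every length is validated against both the destination
 * capacity and the bytes actually remaining in the input, and a trailing
 * partial header is rejected instead of silently ignored.
 * Returns the number of records parsed, or -1 on malformed input. */
int parse_tlv_checked(const uint8_t *buf, size_t buflen,
                      uint8_t *value_out, size_t value_cap) {
    size_t off = 0;
    int count = 0;
    while (off < buflen) {
        if (buflen - off < 2) return -1;            /* truncated header */
        uint8_t len = buf[off + 1];
        if ((size_t)len > value_cap) return -1;     /* would overflow dest */
        if ((size_t)len > buflen - off - 2) return -1; /* would read past input */
        memcpy(value_out, &buf[off + 2], len);
        off += 2 + (size_t)len;
        count++;
    }
    return count;
}

/* Constructed sample inputs (not captured from any real file). */
static const uint8_t SAMPLE_GOOD[]      = {0x01, 0x03, 'a', 'b', 'c', 0x02, 0x00};
static const uint8_t SAMPLE_TRUNCATED[] = {0x01, 0x05, 'a', 'b'};   /* claims 5 bytes, has 2 */
static const uint8_t SAMPLE_OVERSIZED[] = {0x01, 0xFF, 'a'};        /* claims 255 > VALUE_MAX */
static const uint8_t SAMPLE_DANGLING[]  = {0x01, 0x00, 0x02};       /* lone tag with no length */

/* Wrappers so each case can be exercised without managing buffers. */
int checked_result(const uint8_t *buf, size_t buflen) {
    uint8_t out[VALUE_MAX] = {0};
    return parse_tlv_checked(buf, buflen, out, sizeof out);
}
int checked_good(void)      { return checked_result(SAMPLE_GOOD, sizeof SAMPLE_GOOD); }
int checked_truncated(void) { return checked_result(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED); }
int checked_oversized(void) { return checked_result(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED); }
int checked_dangling(void)  { return checked_result(SAMPLE_DANGLING, sizeof SAMPLE_DANGLING); }

/* The naive parser on well-formed input only; the malformed samples above
 * would make it corrupt memory, which is exactly the point. */
size_t naive_good(void) {
    uint8_t out[VALUE_MAX] = {0};
    return parse_tlv_naive(SAMPLE_GOOD, sizeof SAMPLE_GOOD, out);
}

int main(void) {
    printf("naive, good input:        %zu records\n", naive_good());
    printf("checked, good input:      %d\n", checked_good());
    printf("checked, truncated input: %d\n", checked_truncated());
    printf("checked, oversized input: %d\n", checked_oversized());
    printf("checked, dangling header: %d\n", checked_dangling());
    return 0;
}
```

The naive loop accepts the same well-formed input as the checked one, which is why such code survives for decades: it only fails on input nobody in the test suite wrote. The checked version rejects each malformed case with an error rather than a crash, and the three `if` lines are the whole difference; a memory-safe language makes those checks mandatory at the `memcpy` equivalent instead of optional.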


> nothing compared to the potential savings.

How do you estimate the financial damages here though? It's not like anybody's really going to stop buying iPhones over this. Not to any real degree. There's some brand damage to Apple but that calculation's highly debatable and swings around wildly. Which is the problem. Digital security is impossible to put a price on, because until someone is actively exploiting it, it costs WAY less to do nothing about the situation.


Yes, in fact, if NSA, China's MSS, Mossad and other nation states are betting on these kinds of exploits to exist in order to do their really dirty work (even if they contract it out to NSO Group), the "benefits" would be detrimental to them.


With the kinds of resources Apple has, you could be writing a PDF parser from scratch in Rust or Swift (it is 100% memory-safe, right?) or whatever else kind of "in the background", maybe as an experimental project, and then replace the existing one with it when it's mature enough.

Microsoft at least started rewriting some components of Windows in Rust. Though they aren't saying which ones.


1. There are publicly visible Swift rewrite and sandbox enhancement.

2. With the number of projects Apple has, the number of "trivial" enhancement like this add up very quickly.


It is starting. I've seen big companies start shifting towards this future over the last couple of years. In discussions with other security professionals across various companies, it is appearing more like an inevitability that a shift to memory safety is coming, in one way or another. It is moving slower than I'd want, but the discussion feels very different than it did just three or four years ago.


Sure, tech companies and even just random people are already working on it piecemeal. I just think if someone with resources put a concerted effort into it we could replace all the parsers of un-trusted data in e.g. Chrome within 2 years. If a government did it then it can be justified by benefiting all of society, rather than one individual product team having to justify the effort for their own use.


In short, legacy code.


For those that are uncomfortable with this state of affairs, I recommend this presentation: "Quantifying Memory Unsafety and Reactions to It" https://www.youtube.com/watch?v=drfXNB6p6nI


It's the same as asking, what percentage of the time is science wrong? 100% of the time, yes. We're trying to approximate correctness and the plan is to get a bit closer every day as new information becomes available.


At least in Android the level of security is comparable with Win 3.11 for Workgroups. There is no access control except all or nothing. There is an OS which actively spies on you.


When have you last used a modern Android OS? This is just not true, it offers exactly the same kind of controls as iOS does.



