New details on commercial spyware vendor Variston (blog.google)
187 points by andrew-ld on Nov 30, 2022 | hide | past | favorite | 72 comments



Why do companies like Google and Microsoft not get more aggressive with these semi-criminal orgs? Couldn't they massively raise the cost of being in this business by making an example of a few?

Brainstorming:

- Sue them, aggressively.

- Look for exploits in their own systems and publish their code, making it worthless.

- Publish lists of their owners and employees and/or ban them from Google/Microsoft services.

I'm sure folks here could think of more/better ideas.


I think they are suing (some of) them. There was a New Yorker article (https://www.newyorker.com/magazine/2022/04/25/how-democracie...) on how Apple and other tech firms are suing NSO and some other actors on the grounds that they are violating the iCloud EULA by using iMessage to hack people.


It seems really hard to find grounds to sue these spyware vendors that don't equally apply to security researchers doing the kind of work that makes spyware less viable overall.


That is not a realistic concern with most major vendors. Apple, for example, has clear guidelines on what security researchers are allowed to do. Anyone who follows those guidelines won't be sued.

https://security.apple.com/terms-and-conditions/


But they don't have to do that. They can choose to sue spyware vendors and not sue security researchers who have technically violated the same provision.


It’s pretty easy to brand security researchers as malicious if you don’t like them.


> It’s pretty easy to brand security researchers as malicious if you don’t like them.

OK.

But it's in Apple's interest to work with them. Because the alternative is that the 0-day exploits get sold to companies or countries that aren't Apple.

No such synergistic relationship exists between Apple and spyware vendors.


Just because it is in Apple's interest to work with security researchers does not mean they do so. Many such cases.


Of Apple suing security researchers?


Precedent?


> Publish lists of their owners and employees and/or ban them from Google/Microsoft services

How can you ban an individual from using Google or Microsoft services? Will you require ID cards, pictures and the like in order to register your Gmail account? Well, that would be great as it would stop many other people from using those services.

Also, what you seem to suggest (a "black list" exposing people working at X) is wrong on so many levels. Should we also expose people from the military, CIA, FBI, etc.? Rest assured that those orgs cause so much more harm than companies writing exploits for your browser.


> Why do companies like Google and Microsoft not get more aggressive with these semi-criminal-orgs?

Because they operate in the same manner. If a spyware maker is convicted in the US, the gate might be open to also convict Google, Facebook, Microsoft, Apple on the same grounds.


They don't operate in the same manner. Google and Microsoft's business model isn't to find 0-days, write exploits for them, and then sell those exploits to attackers.

Disclosure: I work at Google.


> 0-days

Title says spyware.


Yes, and that specific spyware that it's talking about was exploiting 0-days.


> - Sue them, aggressively.

On what grounds?

> - Looks for exploits in their own systems and publish their code, making it worthless.

Are you saying Google should publish exploits of Variston's systems? There's kind of a "two wrongs" problem there; such information would likely require illegal hacking ("accessing a computer system without permission") to discover.

> - Publish lists of their owners and employees

I'm sure they do as much as they can in that regard, but I'm sure such companies do much to hide their ownership and employees, and at any rate it could be seen as encouraging illegal harassment of said employees.

> ban them from Google/Microsoft services.

To the extent possible I'm sure they do this, but Google can't really stop someone from using Chrome, or always reliably detect when someone representing a malicious company is using their services.


> >- Sue them, aggressively.

> On what grounds?

A breach of the Terms of Service that all publishers are required to abide by to have a relationship with Google and/or Apple. They have a list of security provisions and a list of things you can and cannot do.


Nothing in the article implies that Variston has any relationship with Google and/or Apple or wants one. T&C is not the law - it may be a condition of Variston being able to publish apps on Google Play and Apple Store, but Variston definitely has (and should have) the right to refuse that T&C and not publish any apps, you can't unilaterally impose contracts on others.


>> - Sue them, aggressively.

> On what grounds?

Love it or (more likely) hate it, the DMCA has anti-circumvention provisions in it, and breaking out of a sandbox sounds like it matches that.

> Are you saying Google should publish exploits of Variston's systems? There's kind of a "two wrongs" problem there; such information would likely require illegal hacking ("accessing a computer system without permission") to discover.

I don't think there's actually any problems here, as long as the "publish" portion is adhered to. Making sure they don't break the law in finding those exploits would be the hard part though, as you note.


The DMCA anti-circumvention provisions apply only to technology that protects content covered by the DMCA; it doesn't criminalize arbitrary sandbox breaks.


Individual corporation-to-user sanctions are a good idea. For it to be effective, it needs to not only hit the user, but their extended network. Imagine if you worked for these guys, and then one day you found out that Apple, Google and Microsoft had banned you, your wife and kids and parents from their networks based on your actions. Say the ban lasted 5 years for relations and lifetime for the person.

It'd be an interesting escalation. I think it would work. It's a big part of the digital ecosystem you'd essentially be blacklisting bad actors from. Though there'd be scope creep eventually. So maybe it'd be dead on arrival as a technique to pressure them.


>Though there'd be scope creep eventually.

The described scope is already horrible enough that I don't know how you could possibly acknowledge that it'd get even worse and still advocate for it.


> Imagine if you worked for these guys, and then one day you found out that Apple, Google and Microsoft had banned you, your wife and kids and parents from their networks based on your actions

I feel sorry for you if you live in a country like that, but fortunately, in the country this company operates in there are laws and regulations preventing you from being punished or discriminated against based on what your parents do or have done.


> there are laws and regulations preventing you from being punished or discriminated against based on what your parents do or have done.

Preventing the state from doing the punishment, yes. But AFAIK there’s no de jure rule on private entities doing this. It may go against the spirit of our systems and societal norms, but it would not be against the letter.

It may, however, spur new legislation to subsequently ban the practice.


> Preventing the state from doing the punishment, yes. But AFAIK there’s no de jure rule on private entities doing this. It may go against the spirit of our systems and societal norms, but it would not be against the letter.

Here we have schools using all this crap from Microsoft or Google for education. I don't see how a company, with our actual laws, can prevent a kid from studying just because his parents did something.


Why? What incentives and financial gain do they get from that?

Is it really their responsibility to tackle international cyber crime orgs?


> Why? What incentives and financial gain do they get from that?

General goodwill, good publicity, and mid-to-long-term, strengthening the market they operate in and reducing their own expenditures.

The question is interesting because they seem to also be the best players for it: they're affected, have the right skill sets, and more than enough spare money to afford it.




I have never heard of threat actors effectively targeting individual engineers who work on things that are contrary to their (malicious) interests.


Does this count? https://blog.google/threat-analysis-group/new-campaign-targe...

> We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with.


In reply to what I posted, yes, although it's not quite what I meant. The people who reach out to you if they think you are good are kind of amusing, especially if you know you're not that good :) But beyond that I haven't seen much. If you live in most countries you're not really concerned that some foreign agent is going to show up at your door and ask for you to stop. Or at least I haven't heard about it nor does anyone really seem to care about it. Perhaps it does happen and gets silently brushed under the rug, but I would think that this kind of thing would leak out…




This is more or less the opposite of the truth, and what you're doing here is playing a dumb semantic game with the word "spyware".


Am I, though? If Chrome sends unknown telemetry back to Google without telling the user up front, how is it not spyware?


It does if you read the terms etc when installing Chrome before mindlessly clicking next, install, finish.


Sure, blame the victims.

Are we sure the software using Variston doesn't have a fine print disclaimer?


> TAG became aware of the Heliconia framework when Google received an anonymous submission to the Chrome bug reporting program. The submitter filed three bugs, each with instructions and an archive that contained source code. They used unique names in the bug reports including, “Heliconia Noise,” “Heliconia Soft” and “Files.” TAG analyzed the submissions and found they contained frameworks for deploying exploits in the wild and a script in the source code included clues pointing to the possible developer of the exploitation frameworks, Variston IT.

Does that mean that this was likely an internal whistleblower at Variston since the bug reports had internal build tools?


Considering it's a malware vendor, I'd put my money on them shipping it with the internal build tools by accident; mistakes like that are pretty typical in that space.


Could be, but the three separate reports/leaks make that seem unlikely to me. It could also be a hacker that compromised the company to obtain the tools.


My friend works there! This is the most I have heard about his work since he was so secretive.


At Variston IT or Google/TAG? :)


Variston IT


Disclosing this was a terrible idea, especially since your profile doxxes you, deleting your account immediately is probably advisable.


What a way to overreact


I don’t work in this industry and I never plan to. I haven’t done anything illegal and AFAIK, their work is in a legal grey area as well. I’m not seeing the issue.


These companies make a lot of enemies, you're likely on a list at this point just in case those enemies should ever need some temporary leverage. If your friend has integrity to his company and self you will likely not survive such an encounter. Good luck.


Anyone remember Cyber Privateering being brought up on another forum, someone trying to call it the Morgan Doctrine?

Found it: https://www.themorgandoctrine.com/?m=1

I'm not pushing this, just thought it was interesting when I read about it in ~2009, and here we are 2022, and no magic beans have appeared...

I'd also like to add that during the Obama presidency, a law was written and passed to the effect of authorizing kinetic effects in response to cyber attacks. Bombs for bits basically.


> As is currently normal for internally found Chrome bugs, no CVE was assigned.

Why I don't care about or trust anything from Google TAG, PZ, or any other "security blog" that Google publishes.

They have no problems copping CVEs on competitors like Mozilla, Microsoft, or Apple.... but squirrel away zero days on their own products for the better part of a year or more and then quietly publish blog posts without actually filing for a CVE.


> They have no problems copping CVEs on competitors like Mozilla, Microsoft, or Apple.... but squirrel away zero days on their own products for the better part of a year or more and then quietly publish blog posts without actually filing for a CVE.

This comes up from time to time, but I'm not sure it's actually supported by the evidence, and maybe it's just random anecdotes from people that are consumed and then become opinion. Project Zero reports on Google vulnerabilities often, and in fact just made a post critical of Android's security practices.[1]

I remember reading years back metrics on who they publish bugs about, and on looking, I see they published something earlier this year about the prior year in review[2] with data.

It's really not hard to look some of this stuff up to see whether your feelings are supported by the data. Maybe this changes your opinion, maybe it doesn't, but at least you have some data to look at now.

1: https://arstechnica.com/gadgets/2022/11/google-says-google-s...

2: https://googleprojectzero.blogspot.com/2022/02/a-walk-throug...


ARS is a pretty pedestrian source.

And your second source is Google, so take that with a grain of salt. Not only that, but it backs up my claim. They even admit in the article that iOS gets 7 times more bugs than Android because Google applies the Android methodology to iOS arbitrarily even though the two update philosophies aren't really compatible.


> ARS is a pretty pedestrian source.

Are you discounting it because of the site name over the content?

The Ars article just links to the Project Zero blog post (a very recent one).

> And your second source is Google, so take that with a grain of salt.

The Project Zero blog post I linked to is them reviewing their past submissions, and they provide a link to that, and review the data all you want. It's up to you to consider whether you think the researchers are hiding Google exploits, using this data, or other data, or other people's analysis, or just your own intuition.

> Not only that, but it backs up my claim. They even admit in the article that iOS gets 7 times more bugs than Android because Google applies the Android methodology to iOS arbitrarily even though the two update philosophies aren't really compatible.

What does that have to do with your claim that they "squirrel away zero days on their own products for the better part of a year or more and then quietly publish blog posts without actually filing for a CVE." ?

Also, you're taking their admission along with the data that the numbers paint iOS worse than what the reality is as evidence of them being heavy handed against iOS? That's an interesting interpretation.


[I work at Google, but not on anything related to TAG or P0]

I feel like you're misreading the timeline here. The Chrome vuln you mention was found in June 2021 and fixed in August 2021, not 2022. From the bug, it was found and fixed due to automated regression testing done by the chrome team.

This is the equivalent of asking every buffer overflow in Chrome to be assigned a CVE, which is odd. Further, it's exactly the same behavior as Mozilla follows, as demonstrated by the line

> The sandbox escape is specific to the Windows version of Firefox and was fixed without a CVE in September 2019.

in the blog post. Neither vendor is acting badly by not filing a CVE for vulnerabilities they found and fixed internally. CVEs are usually for communication across organizations, which isn't needed if everything is handled within the chrome or mozilla bug trackers.


Mozilla, Microsoft, and Apple can publish CVEs in Google's products if they want to fund the work --- and they should fund exactly that kind of work. Meanwhile: it is absolutely not a norm in the technology industry to publish arbitrary internal discoveries.


I do not need to explain to you what CVE means, but still, the "C" is for Coordinated: CVE used to be that identifier which downstream actors could keep track of in order to keep their systems up to date.

Since Google and P0 are so worried about the safety of their users' ecosystem, they should issue CVEs for internally found bugs in Chrome so that CEF, Electron, and every Chrome-like project's maintainers can verify if they have backported the correct fix. They even complained about downstreamers leaving a patch gap for attackers recently :)

Unfortunately, nowadays CVEs are a commodity (perhaps a currency in the future ?) where the less you have the more "secure" your system is, which is utter bullshit.


>squirrel away zero days on their own products for the better part of a year or more

The bug was discovered by Google on 2021-07-11, the fix was submitted on 2021-07-27, it was merged into the then-current Chrome version on 2022-08-11, and the bug was made public on 2021-11-02.

https://bugs.chromium.org/p/chromium/issues/detail?id=122803...

Since Google found the vulnerability internally and at the time had no knowledge that anyone else knew about it, Google didn't know it was a zero day at the time.

>quietly publish blog posts

I think publishing a blog post is the opposite of quiet.

Disclosure: I work at Google but not on any of these teams.


Nearly every bug is a security bug.

If Google made a CVE for every bug, we’d have millions of CVEs to wade through.

Linux works the same way.



"Variston IT" EBITDA was between 6M to 15M € in 2021 [1][2]. Interesting numbers from a completely unknown tech company in Barcelona whatsoever.

[1] https://www.iberinform.es/empresa/8097556/variston-informati....

[2] P&L and Balances are public data in Spain, but usually behind paywalls. Sometimes the financial data without the paywall just shows the order of magnitude, like in this specific case.


What's interesting to me about this is that someone would pay for a scheme that required spear phishing (malicious pdf or other file), whereas other known players in this space base their offerings on zero-click RCEs.


Because zero-click attacks are approaching impossible.


So the way this was discovered was through an anonymous tip. How often is this the means of discovery for malware / 0-days / etc? Would Google have found this if it wasn't for the tip?


I love how the devs are all named after Dragon Ball Z villains.


It's funny that a spyware company is calling other companies' products spyware.


I know it’s not a fair parallelism, but I can’t help thinking how laughable it is when Google calls out anyone for spyware, privacy violations, zero days, CVEs, etc.

Google doesn’t even manage their own App Store for spyware. They don’t play fair on disclosures. They violate public trust all the time by tracking users when they say they don’t. They shut down GCP accounts with zero chance of support.

Google really just needs to stay quiet and work on improving their search results. I think they would find it surprising that the less they say and do would actually improve their public support. The Google engineers can keep getting paid to do nothing and the public support and trust would go up.


> Google doesn’t even manage their own App Store for spyware.

Why do you state such things as facts given no evidence?

Google has a whole team working on analyzing app store malware. It is called Project Zero.

As a counter example you can read their very latest blog post which just happens to analyze android app store malware:

https://googleprojectzero.blogspot.com/2022/11/mind-the-gap....


Indeed it sounds hypocritical to state "Google and TAG will continue to take action against, and publish research about, the commercial spyware industry.", while not including Google itself in the said industry.


It does smell like an attempt to redefine "spyware" to mean a subset of "cyber crime", instead of its original meaning, which now covers most of "legitimate" adtech and software telemetry.


It sounds to me like you insist that "spyware" has a different meaning than the majority in this thread.

From https://en.wikipedia.org/wiki/Spyware#History:

> The first recorded use of the term spyware occurred on October 16, 1995 in a Usenet post that poked fun at Microsoft's business model. Spyware at first denoted software meant for espionage purposes.


I'm insisting it has the meaning that... the entire Wikipedia article you linked uses.

You quoted the beginning of the first paragraph of the History section, but the full paragraph reads:

> The first recorded use of the term spyware occurred on October 16, 1995 in a Usenet post that poked fun at Microsoft's business model. Spyware at first denoted software meant for espionage purposes. However, in early 2000 the founder of Zone Labs, Gregor Freund, used the term in a press release for the ZoneAlarm Personal Firewall. Later in 2000, a parent using ZoneAlarm was alerted to the fact that Reader Rabbit, educational software marketed to children by the Mattel toy company, was surreptitiously sending data back to Mattel. Since then, "spyware" has taken on its present sense.

I wasn't aware of the earlier, truly original meaning - actual espionage. That doesn't change the fact that for the past 20+ years, the common meaning - dare I say, original mainstream one - encompassed every kind of hidden tracking, data collection and exfiltration, almost none of it being part of actual espionage, but rather most of it being in service of targeting ads.


It's hilarious how nobody is pointing out the extreme irony of Microsoft and Google calling anyone else's software spyware. I'd rather have my bank password leaked by some Brazilian than my web browser, purchase, location, social connections, interests, and work activities leaked by big tech and stored in perpetuity.


If you were a journalist or activist operating in Rwanda you might have a slightly different view.

These are tools that target individuals, and if you are being targeted by a nation state (some of which don’t have the best human rights record) that’s going to be worse than Microsoft’s storing everything you listed.



How can one overcome being targeted,



