If I was an intelligence agency, I would have one department whose job is to 'get caught'. I.e. they use dumb methods to spy on obvious targets, like using exploits to install malware that leaves a wake of plenty of discoverable info and loudly sends data back to the mothership.
I would then have another department whose job is to be as subtle as possible - for example, all their exploits are 'in ram' and all data sent back is plausibly deniable. (for example, rather than using a random 256 bit nonce while establishing an HTTPS connection to apple to check for updates, use 256 bits of encrypted data you wish to exfiltrate)
This is effectively what happens but not for that reason. Take the CIA and NSA, and then the FSB and GRU - within each you have different operational groups with different practices and techniques each uniquely developed. Some are more advanced than others based on both the spread and importance of the target. Further, within these groups they would again separate out their techniques based on the importance of targets.
Where this is an issue, which goes against your point, is that the groups can step on each other's toes. The discovery of the broader and more detectable attacks invites attention, further scrutiny and additional forensics which may uncover the more sophisticated attacks.
Where the real deceptive action takes place is in learning how other opposing groups operate and mimicking their tactics to make the process of attribution more difficult.
Chinese spies did a version of this against Lockheed...
They would phish Lockheed/military folks with emails stating "Hey we met at 'military conference', here is my contact file - let's stay in touch."
The file had malware which would trickle data out very slowly.
It was discovered due to one user complaining about his machine being slow... then it was discovered that it was discovered, and the Chinese opened the firehose and the worms were flooding the 3 egress points to the internet Lockheed had at that time, until they could kill the connections and clean up the system.
The other thing the Chinese did was to infect 3rd party suppliers who were supposed to be air-gapped, so they infected machines at suppliers to go after any USB sticks that were used to transfer info and get the malware back to Lockheed systems via the USB transfer of info between contractors and Lockheed...
Which is basically how Stuxnet managed to get its foothold.
Intelligence does not get funded the same way that everything else does. It has a history of being self-funding if necessary. This could easily all be funded off the books via a third department that simply straight-up acts as a conventional ransomware attacker. I would be deeply unsurprised most ransomware payouts ultimately land in some intelligence budget for some country somewhere.
Doesn't sound wise, especially when targeting security researchers. The "dumb" method gets discovered and opens the device to extreme scrutiny. Exploits should be considered disposable because once they are used they can be discovered and patched.
If I was the government and wanted to turn Americans against Russia so any anti-Russian military movement was supported by the American people, I'd use known Russian hacking techniques against political campaigns and then encourage those campaigns to privately hire security researchers to agree it was the Russians.
Alternatively, if I wanted to accuse my political opponent of being a Russian stooge, I'd do the same thing. You wouldn't even have to be under the scrutiny of a three letter agency. Just find a security researcher that will agree with you for a lot of money.
If I was an intelligent person, I would use a basic phone for making phone calls and not carry surveillance devices on my person or have them in my house. This way I would not have to worry about keeping up with agencies that operate above the law, are accountable to none, and operate with huge budgets to subvert the ethics and mores of capable people.
> If I was an intelligent person, I would use a basic phone for making phone calls and not carry surveillance devices on my person or have them in my house. This way I would not have to worry about keeping up with agencies that operate above the law...
Why do you assume a "basic phone" would protect you in any way? It's far more likely to only be capable of insecure, easily interceptable forms of communication (e.g. SMS). Also, its software is likely much worse than more popular phones (e.g. an egregious example is cheap Android phones shipping with malware preinstalled).
Have a really small 4G hotspot hot-glued to a tiny Linux computer running the Tails distribution read-only, with a removable SD card with all your data and no executable code on it, if you're a real cypherpunk.
We really ought to push for something better than Tails. I'd love to run something like it on an aarch64-linux or riscv64-linux board. I'd love to run something that doesn't have a hacked, nearly broken debian boot process, which broke the ability to kexec it many versions ago, etc.
The 4G is in the hotspot that you're connecting to via WiFi from the mini-computer. That way you don't have baseband firmware exploits to deal with on the Linux machine like you would now with a traditional Android phone. 4G firmware is all binary blobs that probably have backdoors.
So am I to understand that from an OpSec perspective, connecting a machine to a known compromised system, is ok to do, “because you want internet”?
Maybe because I'm not opsec and don't know my ass from a hole in the ground, but my security recommendation would be: no, do not purposely connect your machine to a known compromised system, regardless of its advertised purpose, attack vectors, attack surface, probability of unwanted exploitation, or justification as to why it's necessary to do so, because you're exposing yourself, and possibly a corporate machine and network, to compromise. Find a trusted system (aka audited and considered reasonably low risk, while acknowledging no system can ever be deemed fully secure, and trust, or zero trust, is a large determining factor) and consider the compromised machine as not existing at all, therefore not being an option at all, because connecting to it would go against common sense, and 8th graders practice better security habits.
I'm not sure what you understand to be a "basic phone", but they are easily intercepted and traced (triangulation from mobile phone towers, it's how the emergency services can locate you if you dial 112 all across Europe).
Communication has always been known to be a risky endeavour with potential for various compromises, even for sovereigns. That telephony and now network communication infrastructure the world over is minimally at risk of, if not subject to, surveillance is understood.
Carrying a general purpose computer of substantial complexity that is equipped with state of the art sensors, optics, and components (including ai), which is then topped with yet another thick complex layer of software, which is subject to known and unknown access (by various parties), is not the same thing as a telephone (analog, digital, wired, or not).
Today, unless in a secured EM cage, there really aren't that many places where you can be certain you can have a private conversation, face to face. Visiting friends? Alexa and friends may be listening. Even the lousy TV sets :) Walk in the park? Your companion likely has a smartphone.
A healthy society requires the availability of private spaces and private interactions. When a citizenry becomes aware of pervasive surveillance it self-censors. Self-censorship prevents airing of views in an unencumbered manner. When views are constrained, problems remain unaddressed.
Tyranny typically thrives in such insecure and non-optimal circumstances.
>Today, unless in a secured EM cage, there really aren't that many places where you can be certain you can have a private conversation, face to face.
Even then the assurance is only so high. Governments operate what are called SCIFs, Secure Compartmentalized Information Facilities, where they not only conduct physical exclusion and EM hardening but also acoustic damping so that an adversary can't, in theory, listen through the walls with a fancy stethoscope or a laser microphone.
There's a scene from Neuromancer where Molly and Case pay another character for a private discussion room, which is basically a cyberpunk SCIF. I've always found that scene oddly prescient; privacy today is quickly becoming a luxury.
> "- Battery would last several days on a single charge. I had totally forgotten that that used to be the case."
Several days? Surely you meant weeks? Unless you spent an hour or two calling on the phone every day, of course.
I get 5-10 days out of my iPhone depending on desire for leisure. In the "dumb" era the number was about 2-3 weeks, even when I was young and always texting throughout the day.
> I get 5-10 days out of my iPhone depending on desire for leisure
I probably use the phone a lot more than you. My iPhone has to be charged at least twice a day, and it’s not even that old. My current iPhone is an iPhone 14 Pro.
Yeah that definitely sounds like you're constantly on the phone - or at the very least keep everything and then some running in the background with app refresh and location services etc. enabled.
Any modern smartphone will have several days of battery life, if not more, if you use it as a dumb phone (WiFi & mobile data turned off, only using it for calls & SMS). My Galaxy S5 (~8 years old now?) passively discharged at 1% per day with WiFi & data disabled.
Not to mention that map application availability was equal to zero unless using the very latest breed of pre-smart phones from the late 2000s, and even then it was so-so.
> surveillance devices on my person or have them in my house.
Unfortunately, even if you trust your "basic" phone to not be compromised, it still means you can't have a personal computer. From what I've read, that's the strategy used in the Kremlin - for security reasons, they banned computers and went back to typewriters.
Are you implying that calls made from smart phones are anything but in the clear? Are you making all your voice calls using something other than the phone app?
Many calls are made using apps these days. WhatsApp alone had more than 15 billion voice minutes on average per day back in 2020.
If your phone and the phone of the other party are not compromised, it is indeed possible to conduct end-to-end encrypted calls with perfect forward secrecy.
> If your phone and the phone of the other party are not compromised, it is indeed possible to conduct end-to-end encrypted calls with perfect forward secrecy.
> A collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices ... released by the Amnesty International Security Lab in July 2021 in the context of the Pegasus project along with a technical forensic methodology..
> The [threat intelligence] work was based initially on three specifications contributed by the US Department of Homeland Security (DHS) for development and standardization under the OASIS open standards process: STIX (Structured Threat Information Expression), TAXII (Trusted Automated Exchange of Indicator Information), and CybOX (Cyber Observable Expression).
Or you can save yourself the time and say that Kaspersky have proved themselves untrustworthy over an extended period of time and just avoid it and take everything they say as probably either propaganda or marketing or both.
Even if you trust them, their product causes such extreme degradation of usability that one place I worked decided the cure is worse than the disease and removed Kaspersky from all its machines, to the general celebration of all users. I was unaffected because I was the sole Linux user, so I had been spared the Kaspersky virus on my machine.
According to the link you shared, it seems Kaspersky has been prohibited solely on governmental computer systems in certain nations which Kaspersky previously revealed as deploying malware against their adversaries, correct? I doubt many on HN work for those entities, and besides I am not sure a Python script fits the definition of Kaspersky software.
The US Federal government is the largest employer in the world, with well over two million civilian employees. Lots of people on HN are unable to use Kaspersky at work based on that prohibition.
A carve out for python scripts is a dubious claim.
Good point but it's also a pretty small open source python script. Looks like everything is handled on-device in this case (at least at the time of writing this comment).
I've committed to the US Government, in my own name, that I will not use or provide certain products. If you service a government contract that includes FAR 52.204 then you are agreeing not to use Kaspersky products[0]. If you claim to be compliant and then have an incident where you've used prohibited products, the government can come after you with the False Claims Act[1].
There is no way I'm going to just download and run that script because I'm honest and I like not being in prison.
Written by some people whose code you are getting paid to not run!
On the plus side, since it's a 300 line Python script, you can read it (which does not involve running it), figure out what it's doing, explain it to somebody else in broad terms, and get them to write some equivalent code.
....with some not-so-standard dependencies like plistlib that you would need to check
....containing magic numbers, their own timestamp conversion for some reason, classic obscure cryptographer variable names (A = R[0] etc), use of pack and unpack, which reads and decrypts various random files, writes tempfiles[1] and does other things that are not completely straightforward for even someone who knows what they're doing to fully assess.
I mean it looks probably fine to me. But saying it's a 300 line python script is kind of begging the question.
[1] using mkstemp but you need to check that stuff to make sure. You also need to check what it does with the things it AES decrypts (they're just pathnames so again, probably fine etc).
FUD stands for Fear, Uncertainty, and Doubt. But the comment you're replying to is a factual article that lists what entities have restricted use of Kaspersky software and under what circumstances. You may think that the arguments against Kaspersky are FUD, but this post is not.
I know very well what FUD stands for... and there's nothing factual in whatever links are up there, it's all allegations with no proof that resulted in a government ban.
>There's no evidence that they have any back-doors in their software or any ties to the Russian mafia or state...
It just so happens that an NSA spy contractor was detected by antivirus software that's basically doing its job.
All AV software is technically malware to prevent other malware, and old AV, including Kaspersky, used to operate in an offline manner unless you updated the local db. Then things evolved to the need to have a cloud service to upload and analyze new suspicious files. In fact, the new ones, EDR, do more intensive tasks than AV by real-time monitoring of what the user does, analyzing the traffic, programs opened, forensics, and data collection for further analysis, immediately uploaded to the cloud (or the MDR). That's part of its design. Banning something because it did its job detecting spy software IS complete FUD, only because the business happens to be in X country or there is an allegation that its CEO or founder worked in X.
If you are serious about security, using Windows to start with shouldn't be your first choice, but if you have no options here and you have to use an AV, would you choose an AV made in the same country you are in (or in the same intelligence alliance like the 5 Eyes/14 Eyes), or would you choose an external one, as you usually do with a VPN for example? At the end of the day, AV or even EDR is just another piece of software that can be bypassed, exploited, and even targeted with zero-day attacks, so base your personal policy on these facts and don't outsource yours to the NSA or some spy agency.
The fact that you think you can just handwave away legal obligations like this with common sense is certainly telling. It says you don't know what you're talking about. You could reasonably assert that the government's ban of Kaspersky's software is motivated by FUD. However the ban itself is very real, violating the ban can get you into a world of trouble, so warning people to stay out of trouble for violating that ban is not FUD.
Explained by analogy: Them: "Smoking marijuana can get you into trouble with the government." You: "That's just FUD, it's a harmless plant from my garden, it's not going to hurt me."
I just don't think you understand the laws deeply. You seem to indicate you know what you're talking about, and I think you do, but your understanding is surface level, i.e. it is someone else in your organisation who told you how these work.
So we pretty much love the closed nature of "Open" AI, and don't hesitate to send a lot of data to it, but we're suspicious about a small open source python file?
In this context IT IS FUD.
I think if we could somehow see all the "zero days" that are out there (and I mean things that exist at all, not just things discovered by some human with an exploit written), all of us, even those in the industry and those well-endowed with cynicism, would be surprised. I include myself even as I expound this opinion.
Just "SELECT * FROM nsa_exploits" would probably turn all our stomachs and I'd guess they still only have a small fraction of what exists.
Software is to a large extent built on default-unsafe primitives, and we wrest security from them at great effort and with dubious efficacy. We still have fights on HN about whether or not "memory safety" is necessary, and that is frankly so far below the level we need to operate that it would be humorous if it weren't sad. Granted, that fight is dying down as we gradually converge on "yes, it's necessary", but it's like level 2 and we need to be operating on level 18.
It's gotten to the point where full-chain Android exploits, traditionally easier to find and use because of lacking update policies and incompetent manufacturer chains, are worth more than their iOS counterparts: https://zerodium.com/program.html
Because of iOS' excellent update rate and generally very secure operating system model, I'd expect this to mean that there are so many exploits for either platform that the trade of exploits for the ostensibly more secure platform isn't restricted by the amount of exploits anymore, but rather by the rate the existing 0day stock gets burned by use.
I expect intelligence agencies to be fully stocked with more 0days than they currently need. Not just intelligence agencies either; for your average large international criminal organization, whether it's the mafia or the NSO Group, there should be plenty of exploits to be found and bought.
Now did they have too many? Maybe. But maybe also because they were expecting Apple to announce a new iOS at the WWDC that was happening in June... or maybe lots of 0-day exploiters suddenly wanted to dump their exploits knowing that Apple was probably going to be patching them soon. Oddly enough that tweet about resuming payment coincided with the release timeline of iOS 14.
Most of this is irrelevant though because we lack any information. What is "too many"? 10? 100? 1000? It could be that just like any other middleman they sometimes need to sit on "inventory" and they can't just buy up that many at one time in case Apple fixes them all in an update.
Seems pretty noisy IMO. It prevents software updates with visible errors. I wonder if it's just the limitations of iOS or it's a non-nation-state actor. I noticed it modifies some FaceTime files; I wonder if it exploits the camera through that.
You're describing the current status quo of the e2e debate - allow e2e, but accept that the best exploits aren't going to be reported and patched, but reserved for intel agencies to use against high-value targets.
> While monitoring the network traffic of our own corporate Wi-Fi network using the Kaspersky Unified Monitoring and Analysis Platform (KUMA), we discovered a previously unknown mobile APT campaign targeting iOS devices.
If you are someone "important", you need to turn off iMessage as that is a huge risk factor since it's a system app. There will always be zero-click exploits and that should be all you need to know.
I am important, and so are you. I am not a person of interest to state security. If you want to go next level, carefully use an anonymous phone and a data only SIM card. This makes it more difficult to identify your device to which any one click exploit can be sent to the baseband or OS.
Slightly off-topic, but how do I download an iCloud backup so I can scan it with this tool? The googles imply that I can only recover my device from the cloud, not retrieve old backups for other purposes.
iMazing supports the same kind of scanning based on the open source Mobile Verification Toolkit. Plus overall better backup management for iOS and iPadOS compared to iTunes, even on the free tier.
Warning: Kaspersky is a fierce supporter of Putin's fascist regime. His company is known for working for the FSB. Think twice before running any software created by them on your computer.
I would recommend forking it, thoroughly analysing every line of code and running it on a dedicated computer without internet. Always keep in mind you can't trust them at all.
It's so disheartening because there are so many brilliant and talented people that work there, and only want to do their job and don't want to be involved with politics.
But it's absolutely true that Kaspersky is compromised by the Russian government, and their products and software cannot be trusted.
If you talk to certain old people - like my parents, one is 70 and other will hit the mark this November - they might say, "Russia? Like, the KGB?" and then I can quote Robbie Coltrane's Valentin in The World is Not Enough...
"Now it's FSB. Federal Security Bureau. Same friendly service with a new name."
Nope. Either there is trust, period, or there isn't. In this case there simply isn't, and if you are a non-US person then the US government definitely 100% falls into that category. We don't have the same human rights you have as per US laws, god dammit, how can we talk about any trust here. "Our interests are momentarily aligned" is the best we can go for.
Which is not the end of the world by any means, but let's be factual and act accordingly.
That's a classic false dilemma. While the US government is not perfect by far and has MANY flaws, the Russian government is an entirely different level of corrupt.
Is that a wildcard subdomain that takes the subdomain and does `s/-/./g` to proxy and translate it? Or is this only for Russian media-related websites you probably don't want to be visiting directly?
It's debatable how useful this advice is for field agents, who might not be carrying a computer with them all the time, but for regular people it's entirely feasible.