Hacker News new | past | comments | ask | show | jobs | submit login


Is there any way you can substantiate any of this? I wouldn't be shocked, but it seems borderline implausible that we'd be getting all this interest in various ways to hack into iPhones physically if you could just dial a number--and I think it also goes without saying that, whether Apple provides official backdoors or no, it has a high interest in ensuring that there aren't any unofficial backdoors for many other reasons (preserving DRM for one example, if you need them to have a selfish motivation).


Except, of course, everybody on the deep web.

I'm fascinated by this idea of a deep web only accessible by the cognoscenti. Presumably if a link slips out then the deep web becomes a lot shallower?

Not necessarily, because things like robots.txt will still prevent it from ending up in search engine results.

I forgot about the part where it's mandatory for search engines to comply with a robots.txt

Well actually the relatively hard part is hosting a crawler of decent size, and then if you crawl in violation of robots.txt its pretty straight forward to use iptables to ban you, of course you then spend money on hiring a botnet to mask your traffic footprint, except that on that same darknet there might be people who are friends of the owner of that botnet.

It is non-obviously difficult.

Does this not rather beg the question - is there a deep web, and how big (or small) is it. I can easily understand the desire for a coherent group of people putting up vpns etc to keep their world seperate from others - but that implies you join in based on some other criteria, which sounds not very deep web but pretty secret-VPN-we-are-not-telling-you-about-unless-we-cross-your-AS-Number-when-something-is-obvious

It just has that feel of "secret society" to it, which tended just to reflect the informal power structures of the wider world anyway.

No, the "deep web" is real in the sense that there are billions of network addresses that contain content or services which are not accessible through the 'standard' discovery services (Google). In many ways things like Usenet are still part of it as there are netnews groups, and they get used, but there isn't a lot of indexing going on. Further there are at least two 'separated' NNTP type networks that are invitation only.

So it is a "collection" of secret societies, each with their own quirks. As a collection is constitutes a 'web' and perhaps the only commonality is the desire to not be part of the "public" web.

[1] http://begthequestion.info/

Can confirm this. I interviewed for a UK based competitor who was scared NSO were better. The competitor's supposed capabilities were scary enough for me to bin my phone contract at the time because they had my contact details. The agent was less than honest about the job description as well. Arseholes all around.

Posting anon, well that's obvious.

Stipulate that somebody has an exploit for libjpeg, and that's probably enough to own a phone by texting them. That said, with a libjpeg exploit, there's a lot more fun one can have.

It's possible to do this in a staged way -- basically, give me 100k phone numbers, I'll do automated attacks and catch 25-50k of them (old unpatched OSes for which if I had a $5-10mm budget I'd have 0-days ready, phishing, etc.).

Then, use the early victims to catch the rest -- hopefully they're admin assistants, HR people, etc. Targeted attacks on the rest.

Black bag jobs on the remainder, using legal or extralegal means, based on value of the target. It's not worth bothering to black bag someone who you only want to get the big boss if the big boss is otherwise exploitable.

The key is you don't need to have a single exploit which works on 100% of your targets; you can do multiple things.

The cost increases dramatically compared to unencrypted comms. Moreover you risk wasting valuable 0-days on targets that may not be worth it.

Plus, risk of alerting the target (which is why targeting hackers is unwise...)

I wasn't arguing against encryption tools, just that serious attackers are plausible threats.

We're going to need verifiable sources for claims like that.

"We're going to need verifiable sources for claims like that."

This entire parent+thread argument back and forth is completely absurd.

It doesn't matter whether he has sources. It doesn't matter whether that firm does or does not exist. It doesn't matter what you think of their tech or his explanation or who is who or what is what.

Your phone has two[1] completely independent, full-featured computers inside of it, totally distinct from the actual computer that is your phone (that you use) that are completely out of your control, and depending on the model, have up to DMA control over your device.

Whisper systems does not solve this. SecurePhoneBlahBlah does not solve this. Moxie Marlinspike does not solve this. If you have a smartphone, you are owned at a deeper level than you've ever been owned before and there is nothing you can do about it other than removing your SIM card. Game over.

[1] The baseband processor and the SIM chip itself.

Hardening the device itself is necessary but encrypted comms are just as important and arguably more pressing and easier to do. One thing at a time.

Great point -- that is 101 of any serious security equipment validation. It is not that this software package/app or that card and so on are certified. The whole package from ground up (hardware components down to analog bits, EM emission... up to top level application get certified as secure) has to be.

I can't buy some mathematically proven secure software, install it on a Chinese tablet and claim it is secure and expect it to get approved.

This is a funny market as some domestic analog components are hard to find today. Micron, I think, makes some but heck most are sourced from China.

This makes 'secure' hardware ridiculously expensive. As in $50k+ for switches and routers and there is a whole market specializing in it.

Now, one can look at it another way -- some security is better than no security. I can see the argument on both sides. At least if NSA can record my phone calls maybe the local cops can't and so on...

Use separate devices: one with SIM/baseband, one without (wifi only).

Only encrypted traffic goes through the mobile device, e.g. cheap Firefox phone. Decryption takes place on wifi-only "media player" device in the form factor of a phone.

This is still exposed to DMA attacks from wifi device, but it's a smaller attack surface. Next level of protection is a hardware IOMMU on Cortex-A15 or x86 VT-d, plus a Type-1 hypervisor to isolate the wifi device.

Keep in mind that even without a SIM, the GSM radio is still active[1]. From my GSM-layman perspective, it sounds safer than being in a "trusted" pairing with the network, yet since it's all closed source, you have to wonder if there are magic packets that can own your device just as badly as if you have a SIM in.

[1] https://security.stackexchange.com/questions/30876/can-andro...

>> Whisper systems does not solve this. SecurePhoneBlahBlah does not solve this.

1. The SIM chip generally is not a full featured computer and I'm unsure that it would have DMA access. But yes the baseband processor is indeed an issue.

2. Products like this prevent the kind of passive data-slurping that has been popular so far - i.e. install a box at the telco and record everything. That's a good start.

So yes, it does matter and it's a good start, and it pushes up costs for pervasive surveillance.

The SIM card is a full featured computer. It has memory, a CPU, and your telco operator can upload java applets to it which can interact with the baseband and the application processors.

And that's the point ... right now the stingrays and such simply act as IMSI catchers, etc., but if they can impersonate the carrier they can upload arbitrary java applets to the SIM card which can undermine the call-encryption app you are using. It's an obvious next step which you aren't protected against.[1]

I don't know if any SIM cards get DMA access the way some baseband processors (not all) do ...

[1] You could get one of those little sim wrapper foils and enable encryption-only for your SIM (which it almost certainly does not have now) which I think would defeat a lot of the carrier-impersonation attacks ...


Apparently they're not that secretive, since you know about their internal tech, and you didn't work there and didn't even have an interview.

Pardon me for saying so, but your original comment and your responses to various requests for substantiation don't pass the bullshit test.

I'm not saying you are wrong, but I am saying you haven't remotely proven your claims to this audience.

Ok, then don't believe me. I'm just going to move on now.

>sitting on a bunch of exploits

This is an important point. We waste a lot of breath accusing people of having deliberately planted backdoors, and moving to alternatives that we think are too trustworthy to have backdoors in them.

Whether or not the programmers behave ethically, they're still going to make mistakes and write vulnerable code like everyone else, and you'd better believe the security services (and their contractors) are looking for them.

Subtle marketing.

To be fair, the stuff you are talking about is targeted malware. The odds of people being actively targeted rather than passively surveilled is orders of magnitude in difference.

Everyone is being passively watched at some level, even if it is just for billing purposes.

Defense is always about defense in depth. Always.

Signal makes it much harder to tap your phone and makes mass surveillance extremely difficult, both of which are still important. But you're right that people need to be informed of the risks they still face.

That will always remain an issue: Even if someone manages to create a secure app, the software and hardware platform will never be secure.

Hijacking a smartphone by only knowing its number on the other hand does not seem realistic too me. So a source for this claim would be great …

It seems realistic to me. Just send a phishing SMS ("Your bill of $103.54 is due TODAY: http://payments-comcast.net/83954583"), hope the user clicks it, have the webpage exploit one of the numerous iOS Safari vulnerabilities, and you are done. There are tons of vulnerabilities in smartphone browsers: iOS 7.1.2 alone fixed 28 UNIQUE VULNERABILITIES in Webkit (http://support.apple.com/kb/HT6297) 7.1.2 was released merely 2 months after 7.1.1, so at least 3 vulnerabilities are discovered and fixed every week.

I don't doubt the existence of the company, I doubt the hijacking capabilities …

Does this involve collusion with the telco? IIRC There's a fair amount of baseband-layer stuff that can be done with SMS from a trusted party.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact