Darknet Diaries recently had an episode with John Scott-Railton from Citizen Lab on how he was allegedly being spied on by the makers of Pegasus, and then lured them into a trap.
It should be explained to the public how such exploits take place, with open sourcing of the necessary parts. Otherwise there is no way for us to know it wasn't intentional in the first place.
I do not mean there is a possibility like Apple as a company deciding to put in exploits. However, governments can easily do it with a single engineer at the right place.
I feel like phones should just have a "scrub anything that isn't ASCII text" option for paranoid folks. No unicode, no emoji, no media. I mean, I guess they could still f*ck that up, and maybe it'd be admitting defeat, but still.
I wouldn't say so. The problem is the cyber warfare market created by nation states. If it wasn't for those large spenders, we wouldn't be where we are right now.
IMO nation states had a very negative influence on the internet, bringing secrecy, warfare, balkanized markets, mandatory identification and other closed concepts to a place that worked on open principles.
If states would invest more in security advancement and open research than in warfare, we might have been in a better position.
This is definitely part of the problem. But the fundamental flaw is the departure from simplicity.
The solution is to have a processor that is so simple that it can't do more than what you expect, and building the tools to make the unexpected stand out.
However, there is a bigger market for a processor with 3 extra layers of root access to ensure your boss can spy on you and Disney&Co really want this to be the norm.
It depends what you mean by "security first". If you're a person of interest and you're carrying around a personal spy with actual data on it and a hardware connected microphone, camera, GPS, sensors etc, which sends God knows what over the internet then yes, it's not going to go well for you.
But if you use devices with hardware kill switches and the most secure OS possible (storing nothing on device, perhaps it's a gateway to another security hardened machine).
Secure computing is possible, but it takes a lot of time, effort and dedication.
If you're just using off the shelf hardware and software you're going to have a bad time.
One thing that seems to link these Pegasus stories is that none of these targeted individuals are practising seemingly decent security ops, being hacked over WhatsApp or iMessage seems fairly trivial and hopefully now they would reconsider their threat model.
It's what that has really evolved into. We used to live in a much simpler (and secure in that manner) world where there were no smartphones, even GPRS didn't exist, all important communications were done on a physical medium.
That became much more inconvenient as technology just progressed to a point where 99.9% of the society couldn't resist using the smartphone, rightly for many purposes, including many of us here too.
But as OSs (and even SoCs) became more complex as more features are added (well, I can't think of Apple or Samsung execs on stage saying "hey we didn't add any features this year" so it has to go this way naturally) flaws are inevitable.
By now every piece of software and hardware that is in use, every abstraction layer in that computing Tower of Babel has been thoroughly hacked. Anywhere from plaintext passwords on a server to insane exploits like Rowhammer, those security websites and podcasts have long weekly litanies of tragedy. Additionally there is all-knowing Google, Chinese phones phoning home, undocumented functions in Intel processors, ISPs sabotaging user encryption, small-time browser plugin writers that get offered high sums for their plugin to get a front row seat to users' browsers, programmers pulling who-knows-what from npm and are probably pwned by the time they write 'hello world', phishing, billions of smart devices constantly listening and often filming and we probably only know 10% of what's going on until a Snowden 2.0 comes along.
Yes, all of it is 'fundamentally flawed', and it would take a herculean effort to start over with a clean slate, yes, to figuratively burn it all down and make simple provably correct and safe hardware and a small and minimal OS that has browsing and communications built in.
Yeah. Aren't there even known cases of journalists being tracked through hacks and killed? (Like https://www.cnn.com/2019/01/12/middleeast/khashoggi-phone-ma....) Flawed computer code ever putting people into dangerous situations and being involved with deaths should be considered like the Therac-25 incident: a case study and a call to action to change the industry so that regular practices that solve the issue are in effect everywhere.
> So how do we protect our privacy from the advance of technology? It doesn't seem possible. Just going after NSO is useless.
Like we do with anything else:
These are crimes, but we are stuck in the mindset of the nascent Internet, when it was a growing experiment, a subculture in our society, harmless, and we wanted to nurture it and give it maximum freedom.
Those days are long gone. The Internet is completely integral to our society, like a major city (an extraordinarily large one) - in fact, anything not integrated into the Internet is on the fringe, like a business without a website. The idea of a harmless Internet has been antiquated for a long time; it is a serious place of serious money, serious criminals, and serious political actors.
Yet we still don't have serious law or law enforcement, not as an oppressive force but in the tradition of free, open societies. It would be like New York or Tokyo without law or law enforcement. We should create in the federal government (not state governments, given the Internet's borderless nature) a major domestic law enforcement agency, on the scale of the FBI, to protect people and enforce laws; I suspect we need a major addition to or revision of our legal code to go with it. That is how we deal with crime in other parts of society; the Internet is no different. We need divisions dealing with theft, fraud, destruction of property, invasions (hacking), etc. It's long past time to stop applying the antiquated notions to the current reality. Why do you accept this Wild West chaos? It no longer fuels creativity and growth, it greatly hampers it.
Legislation holding companies liable for breaches and leaks, which were in their capabilities to prevent. Simple and fair, scales well. No downsides.
Sure, not everything is always their fault, but usually it is and comes with yoloing from the first line of code, shipping alph… proof of concept software, or outsourcing their network’s security to MS Word. If a breach could ruin a company beyond reputation, people may stop storing cleartext credentials or testing merely their app’s UI at best; if a hacker could stop your show, companies may take bug bounty programs seriously, and be grateful for disclosures instead of filing reports, when someone edit-and-resend’ed on a web API and accidentally got a copy of their database.
Today, a breach has zero consequences. Why would you spend a shitton of money on security, when marketing’s budget isn’t downright ridiculous yet?
And of course it would be super helpful, if governments would stop encouraging insecurity by buying e.g. NSO’s products for what they do. Always awkward persecuting someone you depend on… The NSO’s business should be straight illegal, including export/import. Since hacking someone without their consent usually comes with the ability to tamper with evidence, it’s really questionable for law enforcement and straight unethical for anyone else. Just kill the whole sector IMO.
It depends on what your threat model is. If it's individuals, local law enforcement, or even national law enforcement (context dependent) you are trying to hide from, you can obtain phones with cash and make it very difficult to link them to you (use a SIM card bought with cash and never give out that number, use a VOIP service for your primary number, use an OS that doesn't send back much telemetry, turn off location, never use the phone near your home, etc).
If your threat model includes targeted attack by a major intelligence agency, just accept that you are likely screwed.
You can't. It's all marketing fluff at this point, because significant enough state actors will see the ~$10,000,000 R&D cost for a few iOS/Android zero-days as a drop in the bucket. We live in a post-security world, where it's economically feasible to develop malware at a pace that outruns Blue Teams. We live in a post-privacy world because Apple and Google happily pass your data back to world governments in the name of stopping terrorism, or whatever the social cause du-jour is.
There's no escape really, your only option is to embrace the paranoia and learn to love the cat-and-mouse game, or (what most people choose) give up. Remember, this is the future you voted for when you signed up for Google Drive and bought your iPhone. This is the future you willingly supported with each ad that YouTube showed you on movie night, and the one you opted-into when you noticed you were low on popcorn and got 2-day delivery on kernels from Amazon.
Going after NSO is far from useless.
These guys make 100s of millions, this gives them power to subvert and influence politicians so criminalizing this sort of surveillance will be impossible.
Once NSO employees and founders are held responsible for the damage they do and the lives they ruin, you'll see much less talent go and work there or establish new companies of the same sort.
Same way the mafia used to do it when they realized all their phones and cars were bugged. No technology. Talk in person, outside.
Seriously, if you are a journalist investigating anything that might upset the powers that be in a nation-state, don't use any online technology and for God's sake not a mobile phone.
By valuing it. Apple's annual revenue is more than the entire government budget of Saudi Arabia. That's a pretty meaningless comparison, but certainly gives an idea of the scale. There's asymmetry in security, but only one side is trying right now.
Do these types of iMessage attachment exploits require the victim to do anything on their end? Downloading the attachment? Opening the message? That part is unclear to me.
My security researcher buddy at Apple responsible for investigating this vulnerability told me that the hack is very complex; Apple couldn't even fully figure it out before pushing patches; the patches do not fix all the known bugs used in the vulnerability; the attackers most likely have access to Apple internal source code as well. They are very thankful for Citizen Lab without which the bugs wouldn't have been discovered. Also, there are likely many more compromised phones out there and Apple is kind of scratching their heads on how to fix, or even detect it. How do you fix a vulnerability that's secret and that no one knows is actively exploited?
So, what is the legality of this? I've not followed much about this at all, but NSO group appears to be an Israeli company.
Do they just sell, or operate the hacking software for their clients? If they operate it, is it illegal for an Israeli company to hack an American citizen (I assume it is illegal in America, but how about Israel?)
Is the sale of hacking software regulated in any way?
> (I assume it is illegal in America, but how about Israel?)
This part doesn't matter much in practicality. Like it is illegal for the US gov't to spy on their citizens. It is illegal for the UK to spy on their citizens. So the NSA made a deal with the UK. They spy on us, we spy on them, and exchange the info. There, the US didn't break the law and neither did the UK. They worked around it.
I am but one atom in a molecule in a drop in an ocean, but I have pledged to never be involved in the hiring of any person who has had any willing association with any organization responsible for efforts similar to Pegasus, with no exceptions. I will also immediately resign any job that violates the above as well. Trends like this are not to be taken lightly - for the first time in human history, the concept of an all encompassing tyrannical dystopia is a realistic possibility, and you deceive yourself if you think that there aren’t very very powerful people that get an almost erotic thrill at this possibility. Contributing to the advancement and deployment of this technological capability is the very definition of a violation of whatever meager ethics our profession possesses, and should be taken as essentially a credible threat against literally every other living person.
Forget Y Combinator -- come build the next great surveillance start-up at the IDF's Unit 8200, the world's greatest hacker school and incubator for mass surveillance start-ups. With generous subsidies from US taxpayers, Unit 8200 lets you level up your surveillance game by practicing on 4.5 million Palestinian beta-testers. (Go nuts, it's not like they can sue you!) Plus, say goodbye to those moral qualms -- at 8200, you'll acquire the unshakeable conviction that you're a Good Guy fighting the Bad Guys. When you graduate, the IDF will keep the data you collected, but the skills you acquire and the friends you make are yours to keep forever.
It would seem to be the rational thing for NSO to hack a journalist who is writing on them, so that they better prepare for what’s coming. As for all the countries that buy and use NSO, to target and kill journalists, they are all close allies of the US and Israel.
And the US and England were also spying on the journalist Julian Assange, and have kept him in prison and tortured him for over a decade. Ben Hubbard luckily just got hacked.
> the US and England were also spying on the journalist Julian Assange, and have kept him in prison and tortured him for over a decade. Ben Hubbard luckily just got hacked.
As you probably know, these assertions are a big stretch for many people. Not everyone considers Assange a journalist. He was living in an embassy for most of those years, so while he was confined, it's not a prison and not torture. Hubbard isn't lucky; neither the US nor UK have ever imprisoned and tortured a journalist from a major publication (unless I'm overlooking someone). There may be legitimate debate about Assange, but it's not credible to pretend that these are facts.
When you are doing the information from the inside thing, you do need to get your players in line.
England?
I'm English ... and Welsh, Cornish, Scottish and tangentially Irish, not to mention German (check my username).
The country is called Britain, the Great thing is only to distinguish from the other Britain - Brittany (part of France). You might as well call everyone from the USA as Texans.
He was not tortured in the embassy - he was a guest who gradually outstayed his welcome. He was always treated well. As you can see Harrods is just to the right. This is not the roughest place to be a prisoner in Christendom.
Whilst he was in there, there were always several Police stationed nearby. They stood in doorways and kept watch. Probably a boring job but nice and simple. The whole thing basically cost the UK taxpayer a fair old wodge and obviously Ecuador too.
I know that area and what goes on because I run internets for some flats nearby.
[+] [-] h0l0cube|4 years ago|reply
https://darknetdiaries.com/episode/100/
[+] [-] tgsovlerkhgsel|4 years ago|reply
[+] [-] tablespoon|4 years ago|reply
Yeah, the right way to use blurring is to mockup a lookalike for content you want to hide, then blur the mockup.
[+] [-] csomar|4 years ago|reply
[+] [-] flatiron|4 years ago|reply
Pedo who used to swirl his face not knowing people can unswirl.
[+] [-] peanut_worm|4 years ago|reply
[+] [-] booleandilemma|4 years ago|reply
[+] [-] boppo1|4 years ago|reply
[+] [-] alienalp|4 years ago|reply
[+] [-] boardwaalk|4 years ago|reply
[+] [-] otoh|4 years ago|reply
[+] [-] strictfp|4 years ago|reply
[+] [-] Azsy|4 years ago|reply
[+] [-] aboringusername|4 years ago|reply
[+] [-] can16358p|4 years ago|reply
[+] [-] UweSchmidt|4 years ago|reply
Anyone?
[+] [-] AgentME|4 years ago|reply
[+] [-] xtat|4 years ago|reply
[+] [-] FridayoLeary|4 years ago|reply
[+] [-] wolverine876|4 years ago|reply
[+] [-] monopoledance|4 years ago|reply
[+] [-] OminousWeapons|4 years ago|reply
[+] [-] smoldesu|4 years ago|reply
[+] [-] mola|4 years ago|reply
[+] [-] throwawayboise|4 years ago|reply
[+] [-] travoc|4 years ago|reply
Very unlikely given that the US does this as much as anyone. We are all potential victims in this new form of warfare.
[+] [-] SavantIdiot|4 years ago|reply
Really not much you can do with zero-clicks.
Don't be rich or famous I guess? Or don't use smartphones.
[+] [-] Tepix|4 years ago|reply
https://blog.cryptographyengineering.com/2021/07/20/a-case-a...
[+] [-] tyrfing|4 years ago|reply
[+] [-] hyperstar|4 years ago|reply
[+] [-] ralston3|4 years ago|reply
[+] [-] appleshaveholes|4 years ago|reply
[+] [-] mijoharas|4 years ago|reply
[+] [-] cronix|4 years ago|reply
We live in a shadowy world.
https://www.theguardian.com/world/2013/nov/20/us-uk-secret-d...
[+] [-] catlikesshrimp|4 years ago|reply
An Android tablet connecting to wifi hotspots only, or even LAN only, with minimal software, and a dumb phone are more secure than an iPhone.
[+] [-] runnerup|4 years ago|reply
[+] [-] intsar10|4 years ago|reply
[+] [-] sydd|4 years ago|reply
[+] [-] dpratt|4 years ago|reply
[+] [-] atdt|4 years ago|reply
[+] [-] 1cvmask|4 years ago|reply
[+] [-] wolverine876|4 years ago|reply
[+] [-] gerdesj|4 years ago|reply
Julian Assange spent rather a long time here: https://www.google.co.uk/maps/@51.4992504,-0.1614713,3a,75y,...
[+] [-] simlevesque|4 years ago|reply
[+] [-] chinathrow|4 years ago|reply
Ethical? No.
Legitimate? Hell no.
[+] [-] midasuni|4 years ago|reply