top | item 37425007

NSO group iPhone zero-click, zero-day exploit captured in the wild

1446 points | ericzawo | 2 years ago | citizenlab.ca

832 comments

[+] black_puppydog|2 years ago|reply
Wow, so much discussion of Apple and their software, and so little of NSO group and why they're even a thing.

I just want to add this: these people operate pretty much in the open. They're not ashamed of it either, or else they wouldn't put it on their CV:

https://www.linkedin.com/company/nso-group/people/

That right there tells me that we as "the tech community" are way too okay with this sort of application of the tech. The tech we're all so convinced will "make the world a better place." /s

[+] caisah|2 years ago|reply
There is a nice PBS documentary about Pegasus's NSO https://www.pbs.org/wgbh/frontline/documentary/global-spywar....

It looks like NSO is backed up by the Israeli government. They say their software is only sold to governments which were previously vetted, but the reality is that most of the time they sell to authoritarian states which monitor and persecute people opposing the regime.

[+] resolutebat|2 years ago|reply
Oh, but you see, NSO targets only "terrorists and criminals", so if you're a law-abiding citizen with nothing to hide, there's nothing to be concerned about. Right? It's not like there's any regimes out there where, say, casual investigative journalism or opposition politics would ever land you with criminal or terrorist charges, no sirree.
[+] Sephr|2 years ago|reply
Selling malware/software weapons to US entities is generally legal for other US entities*, with the main caveat that if it ends up ITAR regulated then you can only sell it to the US government and other ITAR-cleared suppliers unless it's open source (in which case you'd be selling the platform).

NSO Group is bad because they have been caught selling to oppressive regimes and allegedly actively supported (and potentially continue to support) the deployment of their software for oppressive regimes to harm innocent civilians. They should be (and iirc are) sanctioned for their bad behaviors, bad intentions, and mishandling of their responsibilities.

* There are plenty of caveats (e.g. the seller & buyer need to have good intentions and only plan to use the malware in accordance with the law). I am not a lawyer and this is not legal advice.

[+] H8crilA|2 years ago|reply
Much of this stuff is classified as a weapon, and thus really sold by the Israeli government, not by the company. It's no different from a MANPADS that sometimes is used to destroy a Ka-52 over Ukraine, and sometimes is used to shoot down a civilian airliner - that is to say it's directed by the foreign policy (and foreign policy errors) of the manufacturing country.

There's no reason to expect the world to disarm any time soon, so the best approach is to be aware and democratically influence policy, rooting out bad ideas and bad actors.

Israel is constantly trying to woo Saudi Arabia so that they can be allies during a potential war with Iran. Israel will definitely sacrifice some human rights activists just for the ability to cross the Saudi airspace. But it has not been going well for Israel lately.

[+] rmbyrro|2 years ago|reply
It gives me the impression that you find "the tech community" to be a cohesive collective that has the organization to switch gears in a given direction.

I wonder why you expect it to be like that.

In reality, "the tech community" is extremely diverse and not cohesive at all.

For one example, a large proportion of developers are barely making enough money to pay their most basic bills. They don't have enough mental space to even know what NSO is...

[+] yyyk|2 years ago|reply
Actual headline: mentions NSO group and nothing about Apple.

Top comment (+50 comments): Why do we talk about Apple so much and so little about NSO group.

The absurdly pro-Apple PR on HN is tough to bear. I have to say it's so overt it made me more hostile to Apple (NSO is obviously a worthy topic, but we do discuss it).

[+] neilv|2 years ago|reply
In the current environment of Internet-powered inane mob behavior, we should try to avoid pointing the mob at individuals.
[+] Obscurity4340|2 years ago|reply
The NSO is less of an issue to me than the fact they are finding exploits Apple isn't (assuming Apple truly isn't aware of these and/or building them in on request) and that Apple has more than enough budget for. To me, the NSO (as evil as they are) is like a regulator who cuts through a company's "self-regulation" claims and proves that the company they are regulating is either intentionally making their own platform insecure or is, at best, negligent in mitigating and proactively addressing obvious issues.

Apple could pay all these people and companies way more than they could ever hope to earn on the free world market to simply fuck off. They are notoriously stingy with bug bounties and constantly disillusion those who are helping to ostensibly make their platforms more secure. I view NSO in a similar light to Corellium, whom Apple has tried to shut down (unsuccessfully).

It's like trying to blame a whistleblower rather than prosecuting the misconduct that comes to light. The energy and blame is misplaced and this lawsuit only distracts from the fact that iMessage is basically the skeleton key to access anything and everything on a modern iPhone, after all this time.

[+] cookiengineer|2 years ago|reply
The NSO group is the easiest to spot. The other parties involved in their operations are not so easily traced, such as Team Jorge, AIMS, Legion, Xaknet etc.

For once, I am not okay with what they are doing, and I've started to fight them actively.

You're welcome to join.

[+] asveikau|2 years ago|reply
If NSO did not exist the vulnerabilities they discover would still be there. So I guess the complaint should not be that they exist, so much as their motivations and applications being questionable. It's an argument for something similarly funded to exist, but with an aim to responsibly report the bugs and get them fixed.
[+] DSingularity|2 years ago|reply
I don't think it's the "tech community" being okay with this application of the tech as much as it is fear of standing up to Israelis in any way.

Imagine you own an infosec company and an applicant with excellent skills applies. You look at the CV in detail before the interview and you see that they proudly declare their NSO background. Tell me what will you do? Cancel the interview? How comfortable would you be to deny the applicant a job for that reason alone?

I would wager the majority would consciously hire them out of fear of blowback and most of the remainder would unconsciously suppress their opinions on the NSO.

[+] illumin8|2 years ago|reply
I don't see why companies that facilitate criminal acts are not swiftly brought to legal justice. We should not be tolerating companies like NSO group in any sense. If the Israeli government wants to look the other way, we should designate NSO group a terrorist organization and start sanctioning any country that won't bring them to justice.

If Snowden and Assange can be extradited to the US and tried for crimes, executives of NSO group absolutely should as well. Lock 'em up!

[+] broupannoiffuto|2 years ago|reply
The 0-day market does not only exist for iOS. There are many perfectly "official" companies in the west advertising and selling those.
[+] dr_kiszonka|2 years ago|reply
FWIW, some tech does make the world a better place. It is just that a lot of this tech does not pay enough to put it on our radars.
[+] tempera|2 years ago|reply
Security holes will be hunted down and exploited in whatever is popular.

That is a law of nature and no amount of shaming will change it.

[+] jwr|2 years ago|reply
> That right there tells me that we as "the tech community" are way too okay with this sort of application of the tech. The tech we're all so convinced will "make the world a better place."

This calls for a larger discussion of individual choices of every one of us. It would not be an easy discussion, because things are far from simple, and yet every one of us should actively think, instead of falling into the whataboutism trap and doing nothing.

For example, there are probably thousands of tech people in Russia right now either breaking into Ukrainian systems or writing software for missiles, drones, targeting systems, etc. These systems do not write themselves. Each of those people should ask themselves if this is really what they should be doing. I am certainly asking myself if I want to ever work with people who were complicit in these crimes (and how will I know?).

I know some people who pledged to never work on any military systems. I was close to that point of view, until Russia started dropping bombs on my Ukrainian friends. Now I don't see it quite in the same light anymore.

Similarly, the NSO group is not an amorphous entity, PEOPLE work there and write these exploits. In each case, it is a conscious decision.

My point is that we can't abstract tech from moral choices. There is always right and wrong, there is always the right thing to do. It might not be universally applicable, and there will always be endless discussions on HN ("but what about..."), but each of us can and should think about how our work is applied.

[+] smfugit|2 years ago|reply
No big political leaders out of the tech world yet. So "the tech community" doesn't have anyone to rally around. And this is more a political problem than a technical problem.
[+] raxxorraxor|2 years ago|reply
This is a problem of legislation. It would be trivially easy to stop this behavior, but governments in the western sphere tend to like surveillance as well.
[+] quonn|2 years ago|reply
— The tech we're all so convinced will "make the world a better place." —

That was true 15 years ago … I don't hear this often anymore.

[+] heywhatupboys|2 years ago|reply
People will put experience on their resume building literal bombs etc. Why would this be any different? It is really a non-issue in comparison.
[+] rakkhi|2 years ago|reply
Well it's like complaining about the sun or wearing sun screen. Bad guys will always be there. Bears, pandas, eagles...

We wear sun screen and maybe get pissed if the sun screen company is not doing a good job. But go ahead, yell at the sun. Those damn UV rays!!!

[+] Obscurity4340|2 years ago|reply
It's super interesting to me how much it's emphasized that you shouldn't use Lockdown Mode unless you are a journalist or otherwise in direct palpable danger. They really do try to talk you out of it. It's curious, because there's very little difference in functionality (as experienced by the user) other than disabling a lot of Apple nonsense from running in the background expanding your attack surface.

And everybody parrots the nonsense caveat that everyone shouldn't use it, only those special enough should like it was a zero-sum game or scarce resource. Everyone should use it because it disables a lot of nonsense that doesn't serve you and probably even saves battery power. Also, the more people use it, the less it can be used to fingerprint specific users.

[+] andrewia|2 years ago|reply
It does make iOS slightly more inconvenient, such as when adding each other on iMessage. And it severely reduces JavaScript performance in Safari. I think Apple wants to avoid making iOS feel slower or clunkier than Android. And zero-day spyware is usually targeted towards important individuals, not used for mass surveillance, so it indeed is a smaller risk to individual people.

I'd prefer a third mode that compromises between the two, perhaps letting you lower your security for a few minutes when you need the extra functionality. For example, Safari could detect when JavaScript is being slow and pop up an offer to re-enable JIT.

[+] saghm|2 years ago|reply
> Its curious, because there's very little difference in functionality (as experienced by the user) other than disabling a lot of Apple nonsense from running in the background expanding your attack surface.

If they didn't want people to have all of the background stuff running, they wouldn't put it on there in the first place. It's not super surprising that they want people to use the features (whether "nonsense" or not) that they purposely put there.

[+] derefr|2 years ago|reply
Capitalist view: If they didn't emphasize it, some first-time Apple customers might be convinced by concerned friends and family to enable Lockdown Mode by default, and then might complain to Apple / return their device because it "doesn't do the things it was advertised to do" (because those features don't work in Lockdown Mode.)

Realpolitik view: repressive regimes probably only allow Apple to release devices with this feature available, as long as they don't heavily push it / make it the default. If Lockdown Mode defaulted to "on" in China, and so was used by the majority of users, then Apple would be quickly booted out of China.

[+] SamuelAdams|2 years ago|reply
I use Lockdown Mode on my Mac because I don’t use iMessage, FaceTime, or other apple services on that device. It’s literally just a computer for software dev and maybe YouTube videos. I haven’t noticed any difference with web content either, but I also use Firefox / Chrome instead of Safari. What I would really like to see is options. For example on iOS I use shared photo albums, so it would be nice to keep that feature but disable all the other capabilities.
[+] highwaylights|2 years ago|reply
I’ve noticed a lot of things that start going wonky with Lockdown mode on.

Continuity seems to go right out the window for me for one, which is something I really rely on.

Airplay also seems to become really temperamental.

All of this could just be my network but it only seems to have been the case since switching to lockdown mode.

Also, screen time requests don’t work which is a real pain.

[+] YeBanKo|2 years ago|reply
Lockdown mode disables shared albums, which I use a lot.

I would rather have a full app firewall with configurable profiles instead of lockdown mode.

[+] londons_explore|2 years ago|reply
How many exploits has iMessage had now?

Isn't it time we made first messages from all new contacts plain text only, and all other messages some very restricted subset rather than some crazy extensible system that isn't so different from ActiveX?

And on top of that, maybe the whole app should run in a sandbox.

And on top of that, perhaps it should all be a webview to give one more layer of protection.

[+] ruuda|2 years ago|reply
Again a buffer overflow in image decoding, that sounds similar to the one from 2021 [1]. That one was wild, building a CPU out of primitives offered by an arcane image compression format embedded in pdf, to be able to do enough arithmetic to further escalate to arbitrary code execution!

[1]: https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-i...

[+] ch4s3|2 years ago|reply
Clearly putting the NSO group on the Commerce Department blacklist didn't go far enough. These scumbags belong in the Hague(metaphorically at least).
[+] nickaflip|2 years ago|reply
If you are curious about NSO Group, Pegasus, or Citizen Lab - Darknet Diaries podcast (Episode 100) does a good job diving into the history.
[+] kmos17|2 years ago|reply
There needs to be a more fine-tuned lockdown mode, for example to disable automations and risks in iMessage and Safari but leave device accessories working. Losing Bluetooth accessories to protect yourself from zero-click iMessage exploits is just bad. iMessage is the major wide open attack surface.
[+] aborsy|2 years ago|reply
I wonder if the lockdown mode would have prevented this attack?

Has an iPhone in the lockdown mode been hacked so far, using a zero day vulnerability (not tricking the user to install a malicious program)?

[+] goldinfra|2 years ago|reply
I don't need to be able to accept iMessage messages from random numbers. I'd be happy to enable "Prevent messages from unknown numbers" for example. Is this possible?
[+] KernelPanic|2 years ago|reply
There are several comments regarding rewriting everything in safer languages like Rust, among others. However, before such a transition can potentially take place, I believe it's more realistic to achieve another important goal: enabling robust logging capabilities, akin to the Endpoint Security Framework on macOS or System Events on Windows, for iOS. With the implementation of such tooling, enterprises could potentially integrate mobile endpoints into their SIEM systems, making it easier to detect attacks of this nature.

I've personally utilized the mvt-ios tool to investigate iPhone backups. Within these backups, there is a SQLite file that mvt-ios scans for potentially malicious process names. (I've examined all publicly available STIX2 IOCs and having tooling that simply reports the names of processes from mobile phone to a central SIEM would be adequate for identifying these attacks.) Unfortunately, this method cannot be used in real-time across all devices. To employ it, one must first create a complete backup of the phone and then scrutinize that backup. If we had a tool similar to the Endpoint Security Framework available for mobile devices, we could activate enterprise-level security monitoring systems and potentially establish secure communications in the current era, rather than waiting for everything to be rewritten in Rust (a bit of irony).
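
The backup-scanning workflow the comment above describes, as an added example (this is not mvt-ios code and not part of the original thread): load process-name indicators from a STIX2 bundle, then look each process name recorded in an iOS backup database up against them. The STIX2 bundle and the `ZPROCESS` rows are constructed in-memory sample data; the indicator names are placeholders, not real Pegasus IOCs. The `[process:name = '...']` pattern shape and the `DataUsage.sqlite` `ZPROCESS`/`ZPROCNAME` column names are assumptions about how mvt-ios represents and queries this data, and the script runs on its own in-memory SQLite database rather than on a real backup.

```python
import json
import re
import sqlite3

# Constructed STIX2 bundle. The process names are placeholders for this
# example only; they are not real Pegasus indicators. A domain-name
# indicator is included to show that non-process patterns are ignored here.
SAMPLE_STIX2_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix",
         "pattern": "[process:name = 'exampleproc_a']"},
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix",
         "pattern": "[process:name = 'exampleproc_b' OR process:name = 'exampleproc_c']"},
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'example.invalid']"},
        {"type": "identity",
         "id": "identity--00000000-0000-4000-8000-000000000005",
         "name": "example feed"},
    ],
})

# Extracts every quoted value bound to process:name inside a STIX pattern,
# including patterns that OR several names together (assumed pattern shape).
PROCESS_NAME_RE = re.compile(r"process:name\s*=\s*'([^']+)'")


def load_process_iocs(bundle_json):
    """Return the set of process names named by indicator objects in the bundle."""
    bundle = json.loads(bundle_json)
    names = set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        names.update(PROCESS_NAME_RE.findall(obj.get("pattern", "")))
    return names


def build_sample_datausage_db():
    """Constructed stand-in for the ZPROCESS table found in DataUsage.sqlite.

    Column names are an assumption based on how mvt-ios queries that table.
    A NULL ZPROCNAME row is included because real tables contain them and a
    naive scanner must not crash on it.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, ZFIRSTTIMESTAMP REAL,"
        " ZPROCNAME TEXT, ZBUNDLENAME TEXT)"
    )
    rows = [
        (1, 700000000.0, "kernel_task", None),
        (2, 700000100.0, "exampleproc_a", None),
        (3, 700000200.0, None, "com.example.bundle"),
        (4, 700000300.0, "exampleproc_c", None),
        (5, 700000400.0, "mobilemail", "com.apple.mobilemail"),
    ]
    conn.executemany("INSERT INTO ZPROCESS VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def scan_process_table(conn, iocs):
    """Return one record per ZPROCESS row whose process name is an indicator."""
    matches = []
    query = "SELECT Z_PK, ZFIRSTTIMESTAMP, ZPROCNAME, ZBUNDLENAME FROM ZPROCESS"
    for pk, first_ts, procname, bundle in conn.execute(query):
        # Skip NULL names explicitly; exact, case-sensitive match otherwise.
        if procname and procname in iocs:
            matches.append({"row": pk, "first_seen": first_ts,
                            "process": procname, "bundle": bundle})
    return matches


def run_example():
    """Load the constructed IOCs, scan the constructed table, return the hits."""
    iocs = load_process_iocs(SAMPLE_STIX2_BUNDLE)
    conn = build_sample_datausage_db()
    return scan_process_table(conn, iocs)


if __name__ == "__main__":
    for hit in run_example():
        print("IOC match:", hit)
```

Against a real backup the same `scan_process_table` query would be pointed at the decrypted `DataUsage.sqlite`, and the IOC set loaded from a published STIX2 feed; the matching itself stays an exact string comparison, which is why a real-time process-name feed from the device, as the comment proposes, would be enough to drive this check from a SIEM.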

[+] nevi-me|2 years ago|reply
I appreciate that a solution is for people to update immediately. It really makes me wonder if my Android phones over the years have had 1-days exploited by the sheer incompetence of the ecosystem in updating phones.

Not much confidence when you get an update with security patches from 2-3 months ago.

[+] kbos87|2 years ago|reply
Naive question, does apple have any way of detecting and informing users who are current victims of these types of exploits when security fixes are issued?
[+] envy2|2 years ago|reply
Would be nice if either CitizenLab or Apple had published some IOCs...
[+] monkpit|2 years ago|reply
This kind of thing always confuses me. How can anyone assume any machine is NOT compromised already… Like… ever?

You really have no way of knowing that a box is not owned as soon as it has connectivity (and possibly even before that).

I feel like many people have the idea that security is “these machines are good until we detect some intrusion”.

But it seems like the more sane default is “every machine is compromised and I should never trust anything ever” if you take security seriously.

Maybe the latter is gaining popularity, but I still feel like the former ideology is pretty prominent.

[+] eviks|2 years ago|reply
Again iMessage? Would be nice if you could expel insecure components like that from your walled apple paradise
[+] parhamn|2 years ago|reply
> The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim.

Man, iMessage is a security disaster for Apple. No matter how much work they do in other areas, it seems like they'll be paying for a while for their decisions around the iMessage architecture.

[+] spacebacon|2 years ago|reply
In addition to lockdown mode, pair with a VPN and security researcher Jeff Johnson's "StopTheMadness" and "StopTheScript". Both are paid Safari plugins for iOS. StopTheScript is the best way to stop inline JavaScript on iOS. Disabling JS on iPhone can't do that.