4 years ago by mcguire
"Bredoux added: “It takes a bit of time to realise it, but it’s extremely unpleasant to think that one is being spied on, that photos of your husband and children, your friends – who are all collateral victims – are being looked at; that there is no space in which you can escape. It’s very disturbing.”"
Welcome to the future! It's pretty much the same as the past, only more effective.
4 years ago by raxxorrax
This is why we need competent people at EU level and national governments. The current leadership is very much in favor of such surveillance. In Germany, it is even large parts of the press, which is pretty damning given their profession.
4 years ago by cronix
A depressing thought experiment a professor once posited many years ago... Hitler comes to power in the internet era and now has state of the art tools to find people of certain traits, vs manpower and spies to discover them. Ability to go through your entire life's digital footprint. Every picture. Every video you've created, or viewed on a website. Every location you've visited, how long you were there, and who was around you. Everything you've ever searched. Everything you've ever purchased. Every contact you have. Content of email, text, phone calls, etc. All keyword searchable with beautiful charts and graphs showing how you relate to everyone you've ever come into contact with.
4 years ago by fsflover
It's pretty much what we have in China now.
4 years ago by miohtama
To the positive spin for China, they tend to target only their fellow citizens and have some internal coherency and moral. NSO is an Israeli national problem that sells the spying capabilities to the highest bidding crook dictator around the world.
4 years ago by kota2
There are programmes doing this in the West as well.
4 years ago by bilbo0s
We have all that, just without Hitler in power. At least in the US anyway, the government has access, should it become necessary, to a comprehensive catalog of your activities and communications. It's just that they should get a warrant before accessing it, which I'm not naive enough to believe that they do in all cases.
The ship already sailed on the whole "ubiquitous gaze" thing.
4 years ago by howaboutnope
> I've heard quite a lot of people that talk about post-privacy, and they talk about it in terms of feeling like, you know, it's too late, we're done for, there's just no possibility for privacy left anymore and we just have to get used to it. And this is a pretty fascinating thing, because it seems to me that you never hear a feminist say that we're post-consent because there is rape. And why is that? The reason is that it's bullshit.
> We can't have a post-privacy world until we're post-privilege. So when we cave in our autonomy, then we can sort of say, "well, okay, we don't need privacy anymore, in fact we don't have privacy anymore, and I'm okay with that." Realistically though people are not comfortable with that. Because, if you only look at it from a position of privilege, like, say, white man on a stage, then yeah, maybe post-privacy works out okay for those people. But if you have ever not been, or if you are currently not, a white man with a passport from one of the five good nations in the world, it might not really work out well for you, and in fact it might be designed specifically such that it will continue to not work out well for you, because the structures themselves produce these inequalities.
> So when you hear someone talk about post-privacy, I think it's really important to engage them about their own privilege in the system and what it is they are actually arguing for.
-- Jacob Appelbaum, http://www.youtube.com/watch?v=Y3h46EbqhPo&t=7m46s
4 years ago by _threads
I know Lenaïg since I’ve been working at Mediapart a few years ago. I feel sorry for her. We were very careful on all security aspects, and it’s sad to see it’s never enough.
4 years ago by canistel
Ironically, users themselves are disallowed from rooting their phones.
Right to root, is right to repair.
4 years ago by duxup
I'm all for having the right to repair.
I'm not convinced any of the folks involved ability to root would prevent the situation described.
4 years ago by js8
If you could safely (on the hardware level) replace image of the phone with another, it would be easy to guarantee that you can get a rootkit-free phone - all you need is a trusted image.
4 years ago by pvarangot
The Pegasus thing didn't even survive a reboot, it was reinstalled by using the 0-day again on a fresh boot. Replacing the image would have done nothing if they were flashing a version that still had the iMessage vulnerability.
4 years ago by dewey
> it would be easy to guarantee that you can get a rootkit-free phone
The problem in this case is that you get the malware installed through a no-click required iMessage and not a "supply chain" attack on the image your phone is running on. How would that help?
4 years ago by mrtksn
> all you need is a trusted image
I bet you, that image will be provided by the trustworthy people from NSO, free of charge or at a price! Whatever makes you trust their image.
IMHO devices should be root-able but with high barriers of entry, something like soldering should be involved. If you are after doing something that you don't understand but a stranger on the internet told you to do it you shouldn't be able to do it.
I just want to remind you that quite recently a few police agencies came together, built a "secure messaging app", fed it to the criminals and tracked all their communication until they gathered enough information to take down their entire operation.[0]
Or the time when the CIA ran a Swiss encryption company[1]
4 years ago by 923u8ghf
I think it would have, because the primary attack vector is your messaging app. Some Android phones, such as mine, are locked in such a way that this cannot be uninstalled. I can use another messaging app but this one will still run on my phone which means that it can still be exploited.
Unfortunately, the only way to secure my phone because it no longer receives updates is through rooting, but this phone is not a model that can be rooted so my plan is to buy a new phone and root that, and probably remove all text messaging apps or find a way to sandbox them in a secure environment.
4 years ago by raxxorrax
It would give you the ability to check at least. Not having root doesn't protect you evidently.
Smartphone landscape of software is a huge failure aside from monetization of apps and user data.
4 years ago by rodgerd
If anything, it would likely make it worse, since you'd now have "convincing the user to install your payload", recreating the phishing problems of desktop platforms.
4 years ago by johannes1234321
Once the system is compromised the best repair is a full reset (and even better swapping the device, not that the restore image has been tampered with ...) root powers are needed for analysis. But that's nothing a normal user can do ...
But on the larger point: I agree there should be an option for users to replace firmware and become root. But limiting root access makes work for Pegasus and others harder, which is good.
4 years ago by kbenson
> But limiting root access makes work for Pegasus and others harder, which is good.
It's not enough to "make it harder", to actually know whether it's a useful mitigation you would have to compare how much harder it makes it compared to what inconvenience it caused for that. Pegasus has no problem getting root right now. I strongly suspect they have a built up hoard of 0-days to apply in case the current favorite technique is patched (how else could you make a business out of it? If you're running a business you can't allow some other party to control your main product).
So, how much does limiting root access hurt Pegasus? Very little, IMO. A case could be made that it helps them, in the same way that excessive regulation helps large companies, which already have resources and experience dealing with it that smaller companies must overcome to enter the market. Pegasus, and the ability to hack into phones on-demand, may have been largely hidden from the public because it was relegated to a few large players.
And what does everyone get for this? Vendor lock-in, higher prices, less control over your own devices.
4 years ago by nix23
>users themselves are disallowed from rooting their phones
What? how's that possible?
4 years ago by dathinab
In practice, not by law.
Or at least often not by law, there are some stupid laws around WiFi/broadband etc. which can be interpreted to state that it's not allowed for a phone to be sold which can be rooted (without a hack) as the user could use it to set up a WiFi hot-spot which uses non-legal frequencies. This law was made because supposedly that (with routers) is a problem, except it isn't as far as I know and it was pure lobby work from a certain industry which also loves the user to be forced to use their routers.
(PS: Also country dependent.)
4 years ago by belter
I have seen some manuals were released and some tools reverse engineered. What is currently the best link for a deep technical overview of how these tools work/worked?
4 years ago by belter
As I did not get any replies I share what I found. If anybody has better or more detailed resources, please be kind and feed our curious minds:
"Technical Analysis of Pegasus Spyware"
https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegas...
"Pegasus Spyware"
https://en.wikipedia.org/wiki/Pegasus_(spyware)
"The Million Dollar Dissident"
https://citizenlab.ca/2016/08/million-dollar-dissident-iphon...
4 years ago by metabagel
Taki taki, beratna!
4 years ago by belter
Im ta nating!
4 years ago by journey_16162
So basically it can install itself after clicking a link in a web browser.
I know it's very hard but could the browsers be improved so that something like this is virtually impossible?
4 years ago by bj-rn
"Forensic Methodology Report: How to catch NSO Group’s Pegasus"
https://www.amnesty.org/en/latest/research/2021/07/forensic-...
4 years ago by DSingularity
Well, I thought it was only terrorists that were targeted?
4 years ago by benque
One man's journalist is another man's .... ;-)
4 years ago by stavros
And the same invariable lie is always used, "oh, don't worry, we're only going to use this against the bad guys". Bad guys only exist in a world without nuance.
4 years ago by mtnGoat
bad guy is just not a term that should be trusted when coming from politicians at this point. "bad" is an opinion in the sports of politics and power, because they are worried about their own hind end, not that of the state at large.
4 years ago by stavros
Terrorists, journalists, only a few letters are different.
4 years ago by dathinab
Yes, just a word edit distance of 13 (6del, 7adds).
It's the same distance as changing <Freedom> to <Dictator> ;=)
EDIT: Yes I miscalculated, I overlooked the r.
4 years ago by stavros
Such trivialities do not matter in a TRULY FREE country, and please look over here, not over there.
4 years ago by Rapzid
Edit distance, sedis shun'ist. They are all ists; what more do we need to know?
4 years ago by rodgerd
NSO customers' definitions of terrorist may not align well with yours.
4 years ago by ekianjo
everyone is a potential terrorist under imaginary laws
4 years ago by SubzeroCarnage
Slight OT: the malware indicators of compromise that Amnesty International released have no license, thereby prohibiting use in other projects as far as I understand.
https://github.com/AmnestyTech/investigations/issues/11
If anyone can help on that front it'd be much appreciated.
4 years ago by robgibbons
IANAL but arguably, those indicator files are merely lists of information, and therefore are not subject to copyright. They are not, on their own, a creative work.
https://www.nolo.com/legal-encyclopedia/types-databases-that...
4 years ago by jhgb
But that page says things like "[when] no judgment is needed to decide which names and addresses should be included". Surely somebody decided what are the things for a classifier to look for, and that would be a creative decision?
4 years ago by robgibbons
Again, IANAL, but a decision whether to add a domain or email address to one of these lists is not a creative decision, it's a mechanical boolean decision. It's a matter of fact, not of creativity or subjective inclusion. The regex pattern they used might be an example of a creative work, but the list of matches is probably not.
In the same sense, recipes are not copyrightable. The thought that goes into composing them may be creative, but the list of ingredients itself is not subject to copyright.
4 years ago by firebaze
If I were a journalist I'd almost feel insulted if I or at least my organization hadn't been targeted.
4 years ago by specialist
How would I factory reset and then cold boot my phone?
I'm very noob wrt firmware and rootkits and even CPU microcode. My understanding is some kind of factory reset is no longer feasible. And certainly no longer verifiable.
--
Ages ago, I proposed that electronic voting machines (tabulators) boot from CD-ROM. Device's ROM would only have bare minimum boot loader. Imagine some super minimal embedded controller, zero unnecessary features. Mount a CD, run the optical scanner, a few buttons, 2 line LCD panel, dot matrix printer.
Assume 2000s best practices election administration. Scantron style ballots, precinct-based poll sites, tabulation occurs the moment polls close, tabulated results posted publicly.
These CD-ROMs would then be secured, as much as possible, thru physical chain of custody. Just like all other election artifacts. They'd also contain snapshot of entire source and toolchain and election data, so any one could inspect them, reproduce the builds, verify the dataset, etc.
My jurisdiction had 100s of poll sites. Instead of programming each ballot scanner, they'd burn CD-ROMs.
Any way.
I mention this because I think such simplistic view of secured computing is no longer feasible. And to consider all the things we'd have to give up to return to such a world.
Could I put a phone's entire dev stack onto some WORM media and then reimage the device? What would that even look like?
4 years ago by npteljes
You can't really be sure about your device, even after a supposed reset. Lenovo, for one, had a way to reinstall its bloat/spyware on its laptops, even after you reinstalled Windows yourself.
4 years ago by PradeetPatel
Is there no regulatory or compliance requirements for surveillance software?
Instead of blaming the victims of Pegasus, we should focus our attention on the lack of actions from key policymakers and regulatory bodies. It is not possible for every individual to be a technical expert when it comes to malware removal, but we can reduce the likelihood of misusing surveillance software by creating an ethical framework around it, backed by nations that value freedom and democracy.
4 years ago by rodgerd
I agree that laws are the right way to deal with this - there will always be another vulnerability for bad actors to exploit; technical solutions are not the answer unless you want to move your smartphone at the pace and rigor of the Apollo program - but I see three real challenges here:
1. If NSO enjoy the tacit support of the Israeli government, then they are effectively judgement proof, no different to crimeware businesses that enjoy the tacit support of the Russian government.
2. Major Western governments such as the US will support the Israeli government for "bigger picture" reasons, and potentially implicitly the NSO. Particularly if the NSO are "only" facilitating the torture and murder of journalists who upset the Saudi government. So again, whatever national laws or international agreements may be in place don't really matter. Much as you'll never see a Blackwater mercenary in front of the war crimes tribunal in the Hague, you'll never see the NSO charged anywhere.
3. More broadly, there have been solid international frameworks for cracking down on, for example, money laundering. The AMLAT treaties are quite effective for money laundering, not so much for finance of terrorism. No nation outside of Canada has designated ISIS-like organisations as terrorists, subject to finance controls, for example. Trying to get an effective, multilateral agreement on how to handle tools that many governments want cheap access to in order to attack their enemies will be quite the challenge.
4 years ago by JumpCrisscross
> Is there no regulatory or compliance requirements for surveillance software?
Nope! It's not even clear if Pegasus and its employees broke any laws. (Though I would love to see CFAA and copyright law tested against this.) Optimistically, this might be the wake-up call to change that.
4 years ago by sofixa
IANAL but lots of countries have laws against gaining access to computing devices or data without prior authorisation.
4 years ago by SMAAART
4 years ago by raxxorrax
We have a lot of laws against dragnet surveillance. They didn't help at all as there is no consequence of breaking them.
Even if they are found guilty, policy makers have noticed that this too hasn't any effect at all. They just need to craft an exception et voilà it is allegedly legal.
4 years ago by raxxorrax
Not having your system locked down would be the first problem that needs solving if you want to combat malware.
Forget regulatory compliance, we didn't get safe http traffic or disk encryption by listening to policy makers. That isn't a general indictment, they just are too slow and their motivation is compromised on the topic of surveillance.
4 years ago by bsder
To me, it would seem that this kind of software trips over all kinds of European laws and directives. Hell, it probably trips over all kinds of wiretap laws in the US.
Is it that nobody is filing these or just that the revelations are too new and that the lawyers are just beginning to spin up?