> The security researchers also claimed they had created a modified version of Apple’s proprietary software development tool, Xcode, which could sneak surveillance backdoors into any apps or programs created using the tool. Xcode, which is distributed by Apple to hundreds of thousands of developers, is used to create apps that are sold through Apple’s App Store.
> The modified version of Xcode, the researchers claimed, could enable spies to steal passwords and grab messages on infected devices. Researchers also claimed the modified Xcode could “force all iOS applications to send embedded data to a listening post.” It remains unclear how intelligence agencies would get developers to use the poisoned version of Xcode.
Nothing in this article is surprising. I mean, honestly, if you don't think the CIA is actively trying to gain access to your devices, WTF do you think they do all day?
I'd be more concerned if the intelligence agencies of the world WEREN'T doing this. It's their purpose. It's what we pay them for with our taxes.
Of course we should also always root for tech companies to stay one step ahead. But infosec is an arms race, and I sure hope my own country's intelligence agencies (CSIS and the CSE in Canada) are doing their best to stay ahead of, say, North Korea or Russia.
(Please note: I'm not saying violating our privacy is OK, any more than I'm saying it's cool to launch nuclear weapons. But if anyone's going to have the ability to hack my phone or launch a nuke, I want it to be the people on my own team. This seems like basic self-interest and survival strategy.)
One would hope that they were trying to gain access to someone else's devices, as opposed to turning the guns towards their own citizens and economy. If a soldier showed up at my door and pointed their gun at me, my reaction wouldn't be "of course you're doing that, your job is to point guns."
> One would hope that they were trying to gain access to someone else's devices, as opposed to turning the guns towards their own citizens and economy.
Apple devices are sold all over the world, so there's no way of gaining access to the enemy's devices without that method also being applicable to everyone else. Actually using them on everyone else is a different matter.
"...no way of gaining access to the enemy's devices without that method also being applicable to everyone else."
That's only true of some methods like using exploits and other vulnerabilities, or mass-surveillance style methods. It's not true of other types like confidence tricks and social engineering, eavesdropping and potentially watching passwords being entered or getting them on camera, phishing, fake wifi points, tailored viruses, or cookie hacking. Those methods can be designed for a specific target. Of course, there's also the good old-fashioned method of getting a warrant for data.
The entire concept that the government has "a right" to this data - an argument I've seen judges actually make to justify these activities - is ludicrous. They don't have a right to it by default. They have a compelling interest in the data/information if and only if there is enough reason to believe someone is up to criminal activity. In which case they should have no problem at all getting a warrant.
Some things like spying on American phone calls (or just their "metadata") I agree with.
But some things like breaking encryption, exploiting iPhones, etc. while they may be used against Americans can also be used against others.
Essentially there's an arms race, and we use our tax money to sponsor our government in this race, with the hopes that they'll side with us. There really isn't another option unless you want to give a private entity this power, or not participate in the race (which I don't advise).
> Some things like spying on American phone calls (or just their "metadata") I agree with.
> But some things like breaking encryption, exploiting iPhones, etc. while they may be used against Americans can also be used against others.
Both of these can have a chilling effect on free speech, therefore I'm against the CIA doing this to citizens. The potential threat against citizens nowhere near outweighs the need to uphold our constitution.
Unfortunately, other nation states might not care about US laws. Which returns to the above statement that it’s better for the CIA and Apple to be in a security arms war than it is for Apple and the FSB, at least from the perspective of an American.
I'm yet to see a clear explanation for citizens not being as much of a risk as, say, a random foreigner located far away from your country.
If anything, a citizen is more capable of carrying out a terrorist attack, or just doing any action some foreign power wants to perform in that country.
The exception for domestic citizens seems to be just a concession for the masses and their representatives, not a pragmatic choice.
Edit: a pragmatic reasoning could be compartmentalization — keeping citizens under the watch of a separate entity (e.g. FBI) but it doesn't explain why domestic mass surveillance should be ruled out.
> "...it doesn't explain why domestic mass surveillance should be ruled out."
It's a matter of who we have a responsibility towards.
The government we elect in our own country is responsible to us, and as a people we widely do not want our government spying on us. (This is true in most if not all countries.)
But that same government is NOT responsible to the citizens of other nations. The CIA has no responsibility towards Canadians (like myself) or anyone else who isn't American.
I'm not arguing that this is ethically right. I'm just saying it's pragmatic.
If you're not a citizen of my country, my country has no legal obligations to you outside of international law. And no country, to my knowledge, has ever tried to introduce the right to privacy into international law. Every country hates spies within its own borders, but seeks to have them inside of everyone else's.
I don't think that's historically accurate. Please correct me if I'm wrong, but wasn't the battle cry of the revolution "no taxation without representation"? It wasn't about privacy, it was about wanting to be more than just a backwater colony.
"No Soldier shall, in time of peace be quartered in any house, without the consent of the Owner, nor in time of war, but in a manner to be prescribed by law." -- The 3rd Amendment
The early revolutionary war history overly simplified is something like this. Britain increases taxes on America. America stops paying taxes. Britain increases military presence to force America to pay taxes. America fought against the British military.
During the increased British military presence in America the British government did terrible things, including living in civilians' homes and eating their food. This is what the parent comment meant when he said "The American revolution was started because citizens did not want the government in their homes." Ultimately, the British government was in American homes to help the tax collection effort, so your idea of early Americans caring a lot about taxation is also true.
Also, bootleggers who made money by smuggling stuff for cheap and selling it right below the full tariff price and weren't happy about the British ending their tariffs and making them lose money.
Also, the whole trial by jury of peers was really great for those like John Hancock (the guy who signed his name really big on the Constitution) who got in trouble with the British for smuggling and then would be invariably found not guilty by his employees. When military trials came into place, Hancock and his distributor buddies started getting jail time.
Also, by the way, Hancock shipping basically had a mob, who were responsible for a bunch of the rioting in Boston and likely the related Tea Party.
Just wanted to point out that America wasn't exactly formed out of ideology.
By the way- that big signature? Essentially the largest political middle finger ever.
I did say my history lesson was oversimplified. The question of _how_ Americans avoided paying taxes is always interesting, not just during this time period.
> wasn't the battle cry of the revolution "no taxation without representation"?
That was a slogan of the revolution, but there was more than one; it wasn't the unique complaint. There was also a fairly specific list of grievances in the Declaration of Independence.
I think you all must have a different relationship with your government in Canada than US citizens do.
None of these agencies are "on my own team". They are all adversaries. I feel far more threatened by US government hacking precisely because I live inside US jurisdiction. If we were to have a difference of opinions, and they were to snoop around in my data and decide they didn't like what they found, well, I'm sitting right here; they could easily ruin my life.
What are the Koreans or the Russians or anyone else going to do to me? They're an ocean away and I pose no conceivable threat to them. Harassing me would be expensive and pointless; they're not going to bother.
I suspect we have a similar % of Canadians who distrust the government as Americans do. I'd count myself among them.
However:
1) I maintain that the only reason to fund an intelligence agency is to expect them to perform intelligence activities, and today that requires being the best in the world at black hat infosec.
2) I mistrust my government less than I mistrust yours or Russia's, because at least my government depends on me for votes and taxes and general compliance with laws.
> 2) I mistrust my government less than I mistrust yours or Russia's, because at least my government depends on me for votes and taxes and general compliance with laws.
But this also means that they have way more reason to lie to you and to mislead you.
I suspect you're being downvoted because of the below. Spoiler alert: dictators don't follow the same value calculus as normal people for when they should "bother".
Sure, I'm aware of those cases - but I am not a former Russian military intelligence officer, and I'll wager that nobody else participating in this thread is, either. There is no conceivable reason that any dictator, anywhere in the world, should care enough about any of us to bother spending the enormous amount of money and presumably political capital that would be involved in executing such an attack, so why should we worry about it?
That's obviously true (most people will not be targeted). But there's plenty more cases than the last few prominent ones. There are also low level cases that are not reported globally, only in local news.
It's ranging from secret services trying to use people to bomb planes and public places, to dissidents active abroad being threatened, beaten up or assassinated by suspected secret services of their origin countries. One source of such activity is Assad's regime in Syria.
> COINTELPRO (1956–1971) was a series of covert, and at times illegal,[1][2] projects conducted by the United States Federal Bureau of Investigation (FBI) aimed at surveilling, infiltrating, discrediting, and disrupting domestic political organizations.
> The letter does not specify precisely what action it is urging King to undertake; King understood the letter as advocating that he commit suicide, ...
We only found out about COINTELPRO because some US citizens got together and burglarized the FBI [1]. What programs are running today that we don't know about yet, because we haven't burglarized them lately?
You're setting them up to fail. You're talking about blackmail specifically. That's where anything going public destroys the person's career. The blackmail will keep it secret for leverage. You then ask for us to tell you which people are getting blackmailed like folks publish this stuff instead of cave in or battle back in a secret way. Irrational. Of course we can't tell you who is being blackmailed right now. All we can say is that, if opportunity is there, it's happening. And so we need to eliminate the opportunity.
Our precedent is J Edgar Hoover. This nobody running an organization with limited power used surveillance to get dirt on lots of politicians and other powerful people. Their surveillance capabilities were extremely limited. He still managed to get enough which, combined with his media skills, got control of enough of Congress to massively increase his power. He kept at that for a long time. The FBI remains one of the most powerful, well-funded agencies in America.
So, here was my speculation around the time of 9/11. I was going by capabilities Bamford wrote about. I said they probably just ask NSA to use its existing capabilities to watch more people. It will be a black program (SAP or USAP). That means most of Congress won't legally know about it. The USAP's might just take a handful of them (committee heads). Then, with all that data collection, they could literally just have one team of people doing nothing but collecting data on Congress and maybe some Justices. Maybe just the committee members that hold them accountable plus their political opponents. It's not a lot of people or conversations to watch. They'd probably find evidence of bribery by lobbyists, prostitution, etc really fast. They see way more than Hoover did. Hell, they can even bootstrap by spying on those that set their budget first, getting a big increase, and then using a slice of that to target more of Congress.
The people running those organizations are already amoral, rule breakers who see everything as a means to an end. What are the odds that a power monger at top of spy agency would try what Hoover did? And what are those odds if they have widespread surveillance, total secrecy and mostly legal immunity? I'd peg it somewhere close to 100% that it will happen unless we block such surveillance projects. America, in fear, voted for more or didn't resist it. So, it will happen. The expanded access with, per Snowden leaks, sharing with over a dozen agencies will increase the number of abuses. Hell, folks were even looking at their girlfriends with Snowden himself stealing about everything. Think folks hunting for blackmail data couldn't or wouldn't collect their own dirt with nobody noticing?
Considering that Apple is a US company, and that millions of US citizens use Apple products, US intelligence agencies should be securing these devices. Not compromising them.
The US has such an overwhelming military advantage over North Korea or Russia that it doesn't have to gain a leg up in infosec. All it has to do is level the playing field by making sure that everyone's running as securely as possible.
I'll rely on the one dozen Naval Carrier Strike Groups to keep me safe. Really doubt that reading Kim Jong Un's email is going to make a difference.
> Considering that Apple is a US company, and that millions of US citizens use Apple products, US intelligence agencies should be securing these devices. Not compromising them.
You're absolutely right! It's unquestionably the job of the US intelligence apparatus to help secure American interests.
With that said, Apple is a multi-national company, with millions of units used by people of all nationalities. And a vast amount of American military superiority is based on superior technical intelligence.
A carrier group can solve, at great expense in blood and treasure, a problem that intelligence can often solve more quickly and at an earlier point in time. With that in mind, it seems reckless to not take seriously the value of intelligence.
Again, you're completely correct in every way. Apple is an American company! It's just perhaps possible that there could be a bit of subtlety to this.
So for the sake of possibly needing to break into a non-US citizen's iPhone, they do research to create exploits that put EVERY US citizen who uses an iPhone at risk? And they really don't have a great track record of keeping these exploits safe [1]
If there was a way to have exploits that only affected non-citizens, I would expect them to explore that enthusiastically. I suspect there is no such thing, but I would absolutely love to be enlightened as to how completely wrong I am!
With that in mind, do you think it would be wise for an intelligence agency to refuse to consider searching for exploitable holes in a platform that is known for a fact to occasionally be used by adversaries? Bear in mind that, of course, there are plenty of other groups and agencies doing the same thing.
Do you think this choice would better serve to advance American interests? If so, why? Would the weaknesses the CIA could find cease to be if the CIA was not looking for them? Perhaps you imagine a scenario in which the CIA finds every exploit first, and in doing so causes them to get fixed rapidly. Would you be comfortable with an intelligence agency working hand-in-glove with a major American company selling supposedly-secure consumer goods? Would you trust such an arrangement to protect you?
You're right, there's no existing solution to exempt US citizens from these exploits. However, with the massive resources available to them, if they focused on enhancing our security rather than fouling it, I very much believe we would be better off. Think about how much crime occurs in the modern era through electronic hacks and exploits. Would it be better to have these intel back channels, or to stop these crimes? Their priorities are in the wrong place, through tradition more than anything else.
There are many, many platforms that are "occasionally used by adversaries". The Intelligence Community has put exceptional resources towards one that has a very significant market share among its citizens. And given the wholesale surveillance we are already under, I can't accept that this was an innocuous decision.
Trust is built through positive actions over time. I have zero trust for our Intelligence Community as is; and I've actually worked with US intelligence. If they devoted a majority of their efforts to finding and patching security risks through public and open source means, I would slowly start to trust them again.
You're so completely right that the NSA, CIA, and more already agree with you!
The IC invests massive resources into enhancing security. I've seen it firsthand - software projects like SELinux and a whole slew of research projects come to mind in addition to stuff I worked on. Though if you've only ever been exposed to the other side of the house, it's easy to be ignorant that the defensive missions exist at all. Certainly it tends to not make any news, ever.
It's true, I've only been on the military side of the IC, so everything I've been exposed to has been offensive in nature. That being said, the attitude of everyone I've met in the IC has been "we need to be able to access everything, at any cost". This attitude comes from the top (how else would it be so pervasive), and it is completely at odds with any sense of security for the average citizen. I think that this overall attitude is what really skews me. I'm familiar with SELinux, and why it was made open source; but I'm also familiar with Dual_EC_DRBG. Seems SELinux release may have been more a red herring or PR stunt than an actual attempt to protect security of the average person, given how much effort they put into defeating the security of the average person.
> I'll rely on the one dozen Naval Carrier Strike Groups to keep me safe. Really doubt that reading Kim Jong Un's email is going to make a difference.
That's a weak strawman argument.
The fact that spying on foreign enemies now requires the capability to spy domestically is definitely a red flag. But saying we don't need infosec when that Naval Carrier Strike Group can be owned, rendered useless by a cyber attack is naive.
Moreover, rogue hacker groups from all across the world possess the power to covertly & remotely target critical infrastructure of virtually any nation. What good is a Naval Carrier Strike Group going to do against that?
The CIA is spying on your phone so that the Russians and Chinese don't have to?? Really, you think CIA OpSec is that good... as in so hard to crack that it's worth spending $100 billions (in Rubles and Yuan) to do it some other way? Maybe some political doofus thinks that, but technically savvy folks should know better.
Nope, if you create a weapon you better be prepared for your enemy to use it against you.
Not that I think anything I say will convince you to my thinking, but I didn't say "the CIA is spying on your phone so that the Russians and Chinese don't have to". I'm not sure how you got that from what I wrote.
In an ideal world, no one can hack my phone. This is why I support Apple and Google and Microsoft and all the others doing their very best to keep my devices as secure as possible.
In the worst-possible world, enemy nations have hacked my phone. Because if they've hacked my phone, they've also hacked those of my politicians and military.
In the real world, the only way for my country to be able to defend against enemies is to be as-good-as or better than those enemies at hacking my phone.
That's why I support it. Because I have a sneaking suspicion that truly awful people are working hard to hack every device out there, and the best infosec defense is a good infosec offense.
I don't disagree with you that "if you create a weapon you better be prepared for your enemy to use it against you". But a worse scenario than that is for my enemy to beat me to the punch and I'm standing here with sticks and stones.
The thing about an arms race is that once it starts, it's pretty much impossible to get out of. I didn't start the infosec arms race. It would be nice if the race didn't exist at all. But it does.
Only a "political doofus" would prefer to pretend otherwise.
If I thought CIA/NSA hacking was truly white-hat to increase the security of Apple devices, then I would agree. However, 3DES seems to be one of the last times that actual info-sec as opposed to spying (on local citizens) with questionable legal standing (in the US) was the purpose.
Sadly, the omniscient and incorruptible rep of the NSA/CIA and associated TLA have been significantly tarnished by Snowden and the current external political interference. This is a crisis, because there are likely people in powerful positions of those organizations who do not have their countries' interests at heart. Whatever ideology (white nationalist or communist) or external subversion they are not being adequately policed in the current situation.
I would prefer they spend their efforts spying externally rather than internally and keeping everyone's private information safe. For example focus on vulns in Huawei 5G base stations or foreign anti-virus installations instead. I think that's safer for us tax payers. Heck, use the social credit system for your own ends, as they did with Tinder.
Apple products are used globally, so even if they do restrict their spying efforts externally, the ability to hack Apple products is aligned with those efforts.
They should also absolutely be looking for vulnerabilities in Huawei products. They should be looking for them in any product with significant market share. But there's no reason to think they can't do both.
All that aside: There's a social credit system with Tinder? Am I reading you correctly? Tell me more! That sounds way more interesting...
Apple sales in China are ~10% of the market and falling.
In the US (especially high value targets) are ~50% or higher. That's not a good ratio for the US. I suspect the numbers for Russia are more similar to China. Targeting your own people (and not trying to secure the system) isn't a good strategic plan.
Thought experiment: You're a Chinese spy. Your enemy is pouring tonnes of effort into hacking the phones made by your own country, but have chosen to put zero effort into hacking those made by theirs.
Which phone do you use?
Meanwhile, your own people are good at hacking both American and Chinese phones.
So in this scenario, the USA's decision to not try to hack products made by American companies leaves them at a decided disadvantage to China's decision to hack all of them.
Hack the NSO group (or any of your adversaries/allies) and use their zero days... likely a lot cheaper than developing your own or creating new ones for other people to hack and use against you. If nobody else has any, you're not behind :^)
Really you need to think about world governments less like permanent adversaries and more like parents that get annoyed with each other from time to time.
I am generally positive on the side of TLA efforts to compromise existing software, more so if they share the vulnerabilities with those companies (basically, security testing is hard, having a government agency that tries to break software could be seen as a very useful public service)... when they hoard those exploits to use themselves I'm a bit less sympathetic and grow less and less the longer they hold off on disclosing them.
The thing I'm 100% not okay with is when TLAs use social pressure, legal pressure or traditional espionage to ensure there are exploits they can exploit - this has never ended well and is always a concession in security that increases our vulnerability to bad actors. I have a modicum of trust for TLAs in the traditional espionage realms, but they have entirely burned my opinion of them when it comes to tech at this point... The NSA compromising ECC `Dual_EC_DRBG` is just a level of stupidity that demonstrates a clear lack of responsibility to civilians.
Most people don't pay taxes so the CIA can spy on them. They pay taxes so they don't end up in prison. If they're going to take our money I'd actually prefer they just used it to buy themselves luxuries over spying on us.
That's kind of the root problem of democracy, isn't it? If a government truly is "of the people, by the people, for the people", then they are by definition on their people's team, and their people should trust them.
But, if they can't in fact be on your team, and if you can't trust them, then you can't really have a democracy, can you? You end up with something else, something that looks like democracy but really isn't.
How is pen testing of iPhones stealing Apple's secrets? Does Apple know these holes are there and they're keeping them secret?
I'll grant you that if the CIA broke into Apple and stole keys, that would be stealing along with breaking and entering or the cybercrime equivalent. But that's not what the article says.
> How is pen testing of iPhones stealing Apple's secrets?
Did you read the article? The CIA -- in addition to pentesting -- is trying to exfiltrate GID keys of Apple devices. That is quite literally, trying to steal Apple's secrets -- not checking which systems have vulnerabilities.
I guess we disagree then. Pen testing to me is: "Can I steal your key? Here, I have a proof that I can steal it." Actually exfiltrating (not necessary to produce a proof that you were able to view it) so that you can produce fraudulent signatures is completely orthogonal to exfiltration.
Not to nitpick but this is from 2015, which was right around the time when journalists were able to dig into how companies like Microsoft and Apple worked with the CIA/NSA to violate privacy, happily or otherwise.
What about moles? Could the CIA hire someone, or many people, to attempt to get hired by Apple and spend years working their way into the higher echelons of the company?
“Apple led the way with secure coprocessors in phones, with fingerprint sensors, with encrypted messages. If you can attack Apple, then you can probably attack anyone.”
They really didn't. There were cryptophones, such as Cryptophone, doing secure messaging and stuff before Apple. Julian Assange used one IIRC. High-assurance security did stuff like Sectera Edge with some side-channel shielding, too. Then, there were companies like OK Labs building minimal, trusted, computing bases into phones with stuff like Android sandboxed in user-mode. Sensitive stuff ran outside. Then, Apple got into the game. They could still copy some of these techniques for improved security on top of what they're doing already.
Apple still led the way: Because Apple did it, Android vendors followed suit.
Cryptophone and the other products were a niche market and no one really knows if they are good enough to withstand a nation state attack or if they are just good enough to provide better opsec for companies than regular phones did.
> Brennan said the CIA reorganization will be modeled after the agency’s Counterterrorism Center, which runs the U.S. targeted killing and drone program.
I always like to remind people when this comes up - The CIA is a civilian agency. They are not military. They have no legal right to engage in anything remotely resembling military action. Their only legal behavior is to collect international intelligence, though they seem to be capable only of doing everything outside their mandate and not within it. Why they weren't disbanded after the USSR imploded into bankruptcy 2 weeks after they had delivered a report claiming that the USSR was 'not a paper tiger' and 'growing stronger every day' and that they would continue to present the largest threat to the US on the global stage for the foreseeable future I have no idea. Most amateurs could have told you the USSR was on its last legs after years of scientists and members of their military reporting not being paid for years at a time. But the CIA was absolutely certain that they were doing great. And they should know, they had devoted stupendous resources to their intelligence work there. But, nope, they didn't see it coming at all.
It’s funny because it appears, looking at the history of data leaks, security breaches etc - our biggest threat appears to be our insecurity.
Perhaps they should work the other way, assisting people and entities of this country to be MORE secure, not LESS.
One thing is sure: the Snowden leaks really made me realize that countries won't bother with morals to improve national security and advance their capabilities, but in the end, it's just another debate that Machiavelli has answers for.
I think that communication technologies, and high speed internet becoming so widespread, created a big new battlefield which is particular because it's not so violent and ugly.
There aren't clear military laws about the internet like there are for other battlefields, like the Geneva Convention, and that's what makes all of this so interesting.
If you redefine terrorism to remove the dependence on violence, unless I missed something in the article? I don't personally believe that trying to find security flaws is terrorism.
They aren't just trying to find security flaws... they probably buy/find most of them so that they can use them (it might scare and/or terrorize some people to be watched and controlled at all times).
> The modified version of Xcode, the researchers claimed, could enable spies to steal passwords and grab messages on infected devices. Researchers also claimed the modified Xcode could “force all iOS applications to send embedded data to a listening post.” It remains unclear how intelligence agencies would get developers to use the poisoned version of Xcode.
Sounds suspiciously like XcodeGhost: https://en.wikipedia.org/wiki/XcodeGhost.
This is probably worth a reference to Ken Thompson's "Reflections on Trusting Trust".