Hooking Candiru: Another mercenary spyware vendor comes into focus (citizenlab.ca)
192 points by colinprince on July 16, 2021 | hide | past | favorite | 27 comments



As a society, we absolutely have to start actively developing software (OS in the first place) and hardware with privacy as a topmost priority. Using Windows and common Windows apps leaves bizarrely many tracks on the computer. Just take a look at one of the many resources on "computer forensics" and you'll see.

And I doubt this can be addressed without decreasing complexity.


This will make things described in the original article even easier.

The reason Candiru works is because Windows machines are general computing devices which give users almost complete access to the machine.

If you want a machine that malware cannot spy on, you want something non-general and locked down, like a Chromebook or iPhone or some other system with secure boot and mandatory code signing. There must be an authority that decides, “this is a password stealer that must be blocked” vs “this is a keyboard autocomplete handler and can be allowed”.

This requires standardized interfaces, code signing systems, auto updates, solid security boundaries, distributed app whitelists - lots of complex stuff. You can decrease complexity a bit, but if you go too far, you will end up with systems which are easy to compromise and hard to heal.


I wonder if those supposedly secure Linux distros are actually secure.

Anything from MS, Google, and Apple cannot be trusted.


Well, unless you are building everything from source (after auditing the software), you end up trusting someone for the executable (packaged by distro maintainers). Distros like Gentoo solve this pretty well by giving a good suite of build tools. Nevertheless, it's too bothersome for most users. Arch distributes its package signing abilities to multiple maintainers who can revoke each other's keys, which imo is better than trusting a downloaded exe signed by Microsoft.

Open source has one really good benefit: having more eyes on the code, which means it is less likely a bug goes undetected. It also means reduced effort for finding bugs. Though imo Linux is arguably safer because of its smaller surface area.

I think Linux (with additions like AppArmor/SELinux) is definitely more than enough for most high-profile people. That, coupled with good security practices (not running untrusted binaries, using end-to-end encrypted mediums for communication), imo should deter 99.9% of those surveillance attacks.


> Open source has one really good benefit: having more eyes on the code, which means it is less likely a bug goes undetected.

This, a million times.

The concept is so simple it doesn't even need proof or examples as solid arguments, but just in case, here's one: the famous Interbase backdoor.

Interbase was a database engine by Borland. In 1994 some developer added a hardcoded credential backdoor to ease development, but forgot to remove it in production. The backdoor wasn't malicious, yet still dangerous as it gave administrator privileges to anyone; it went unnoticed for about seven years and multiple versions of the product. In mid 2000, Borland released Interbase as Open Source, and within six months the vulnerability was discovered and fixed.

https://www.schneier.com/essays/archives/2001/03/back_door_s...


Even if your software is secure, that does not mean it is private. For example there are all sorts of privacy violations in Debian:

https://wiki.debian.org/PrivacyIssues


KDE Linux is popular.


Microsoft didn’t attribute it to an Israeli firm, Citizen Lab did.

Another article on this also showed pricing reported by Citizen Lab, $1.8 per 10 devices. If this is true, this market will be exploding unless it is heavily regulated.


> Microsoft doesn’t name Candiru but instead refers to an “Israel-based private sector offensive actor” it calls Sourgum.

https://blogs.microsoft.com/on-the-issues/2021/07/15/cyberwe...

> We believe Sourgum is an Israel-based private sector offensive actor or PSOA.


> We believe Sourgum is an Israel-based private sector offensive actor or PSOA. Citizen Lab has identified the group as a company called Candiru. Sourgum generally sells cyberweapons that enable its customers, often government agencies around the world, to hack into their targets’ computers, phones, network infrastructure and internet-connected devices.


I just want to point out Candiru is a fish that supposedly wriggles up someone's ding-dong when they pee in Amazonian rivers while swimming? I'm... gravely... skeptical that it ever actually happens, if I were to guess it's one of those, "I fell on it while getting dressed" situations that are occasionally explained to amused ER doctors. Maybe even one of those, "they put a chemical in the pool that makes the water turn purple when you pee." Whatever the deal with Candiru is, at some point someone suggested naming their spyware after the urethra fish. They might be making the world a worse place, but you can't say they don't have a sense of humor about it.


Oh, I don’t see humor in it at all. These guys picked the name of something that crawls up your urethra because that is how they saw themselves. These are monsters, not people.


I agree. Sociopaths that know they are sociopaths, and flagrantly proud of it.


So how do you get them out of your system exactly? Amputation?


We've changed the title from "Israeli Firm’s Spyware Used Against Dissidents, Microsoft Says" as part of changing the URL from https://www.bloomberg.com/news/articles/2021-07-15/israeli-f... to the report it points to.


The other Israeli hacking company was NSO Group which was allegedly used in the killing of Khashoggi:

https://www.business-humanrights.org/en/latest-news/nso-grou...


Also for targeting activists in India to arrest them on trumped-up charges and planted evidence in the Bhima Koregaon case. All of them are being held without trial -- a norm of sorts for the current Indian government.

The held include activists, reputed professors from IIT.

https://citizenlab.ca/?s=koregaon

https://www.washingtonpost.com/world/2021/04/20/india-bhima-... (paywalled)

https://www.washingtonpost.com/world/2021/07/06/bhima-korega... (paywalled)

https://www.washingtonpost.com/context/new-forensics-report-... (downloadable report)


I am curious as to how exactly the spyware got on the victims' computers. In the Microsoft blog, they mention a chain of exploits. But it could be interesting to understand how they are able to target an individual system with such precision.


The article does mention Chrome 0-day vulnerabilities (CVE-2021-21166 and CVE-2021-30551) and an Office vulnerability (CVE-2021-33742). Knowing these were targeted attacks, it could have been as easy as sending an innocent-looking email with an innocent-looking link (something like blacklivesmatters[.]info). That, combined with the Windows privilege acceleration attacks, could get the spyware an insane amount of access. Considering these individuals (politicians, journalists) probably dealt with a lot of mail every day, this could easily have gone undetected.

This really gives you a perspective on how big this company is, having the resources and incentive to do these exploits instead of reporting it.


Yes, incentive-wise it increases respect for the ones that do research and report it instead of exploiting it.


The attacker knows very well who the victim is and probably has all their contact info. From there you can use email or messaging to direct them towards your digital traps.


Funny thing is that they used zcombinator[.]co for one of their C2


Probably they read HN then. Wonder if any of them ever commented something on HN.


Can we submit non-paywalled links? Like the actual source: https://citizenlab.ca/2021/07/hooking-candiru-another-mercen...


The mods have since responded that they've fixed it, but in the future, if you'd like them to respond sooner, you can email them about stuff like this using the footer contact link and they can usually fix it rapidly.



Changed.



