Inner workings revealed for “Predator,” Android malware that exploited 5 0-days (arstechnica.com)
111 points by Brajeshwar on May 28, 2023 | hide | past | favorite | 47 comments



Everyone who has reason to fear a state actor should not use a smartphone except for truly innocent activity. It's just insecure.

Probably some immutable Linux distro would be better. Are there guides out there on how to do that for non-experts?

Without being the opposition in some such state, most of us handle money on our insecure devices. Can we be sure that "ordinary" criminals don't have enough access for their purposes?


> Everyone who has reason to fear a state actor should not use a smartphone except for truly innocent activity. It's just insecure.

The real lesson here is to not have unsupported devices in your possession. This malware uses 5 exploits which were from 2021.

> Probably some immutable Linux distro would be better. Are there guides out there on how to do that for non-experts?

Android is an immutable system, but it doesn't help when people won't upgrade to a supported device. A "linux distribution" isn't going to help when there are proprietary firmware components that aren't updated.

> Without being the opposition in some such state, most of us handle money on our insecure devices. Can we be sure that "ordinary" criminals don't have enough access for their purposes?

Easiest way is to minimize having unsupported devices. The Pixels have a 5-year support period that includes the underlying firmware.

This article is misleading, they're not "zero days" when they were discovered 2 years ago.


The real lesson is to mandate minimum support. Otherwise bigtech will use this as an excuse to destroy the environment for profit through increasing planned obsolescence.


I would require 5 year mandatory security updates for all devices and another 5 years of support which customers can purchase for a fee which is capped at 5% of the sale price per year.

Manufacturers which don't fix CVEs within 90 days must accept returns at full sale price.

That would fix the whole economics around vulnerabilities.


The EU is working on a law that forbids selling devices with known vulnerabilities. This means manufacturers will either have to patch their stuff quickly or risk getting their entire lineup banned from sale if a serious security issue is found in their hardware. Stores will probably demand support lifetimes as well or they'll be stuck with unsellable stock once a company decides that three years of updates turned out to be too long after all.

I think further provisions are necessary, such as source code escrow; once you go out of business or drop software support for a product, the entire code repository should open up to the public to fix it themselves, including the necessary keys to load the replacement software. It shouldn't matter if you use the same code base for other devices that you do support, if you're maintaining that code you may as well push those fixes out to older devices.

The biggest issue with phones and tablets is that often the problem lies within a kernel driver that the manufacturer has no control over. Qualcomm and friends are the biggest crooks here, sometimes dropping software support for their chips after only two or three years, with no realistic alternatives for sourcing SoCs.


> The EU is working on a law that forbids selling devices with known vulnerabilities.

How does that help when most vulnerabilities are found after the phone was sold?


At least there would have to be a way to check on the official support status for a device to determine if it may be sold, so more transparency.


Add in a mandatory portion of device sales that goes to responsibly-disclosed vulnerability bounties.

It'd have some side effects of centralizing handset manufacture into a few manufacturers (and core component suppliers) and/or pushing more into using straight-Android.

But making the economics more aligned with security, in a predictable way for the manufacturer, seems important enough to make the trade-off.


Minimum 5 years seems like an okay one, second half is a bit weird… Capped at 5%, and mandatory to offer? Seems like it could influence prices of phones.

Mandating fixes for CVEs in 90 days sounds nice on paper… Not sure about the implications of that


The idea is that there should be an option for customers to extend their coverage for a sensible fee. Without a cap on the price manufacturers could charge insane prices.

Mandating a time to fix puts a lot of pressure on manufacturers to have security teams ready at all times and make sure their patch process works pretty flawlessly.

The implication for device prices is certainly an increase of 10%, but a lot of knock-off devices would stop making economic sense.


> The real lesson is to mandate minimum support. Otherwise bigtech will use this as an excuse to destroy the environment for profit through increasing planned obsolescence.

If by $BigTech you mean Google. Apple just released a patch for iPhone 5S devices (circa 2013) earlier this year.


Supported devices, including Pixel phones, are often behind on security patches. Using such a device is better than using something completely unsupported, but that doesn't mean you'll be immune from these kinds of attacks. (Note that the exploits are from 2021 because that was when they were discovered; they are true zero days.)


> The real lesson here is to not have unsupported devices in your possession.

No, the real lesson from any similar discussion is to never, ever, ever trust any cell phone, or any other form of computer, period. It literally doesn't matter who assembles the device, codes/builds the OS or does full-stack creation of components. It doesn't matter how many gigatons of Apple's kool-aid you drank. If you are smart, use other ways or at least change burner phones very frequently (not very ecological, but once you are a target for anybody powerful enough, unfortunately such concerns evaporate). The idea that 'this next solution solves everything' is really dumb; it has failed spectacularly every single time so far.

The chain of elements from screen to packets sent over the network, and the network itself, is extremely long, and to claim each piece is 100% secure is not naive, just stupidly ignorant. Especially with all the scandals from manufacturers, NSA/CIA, Snowden revelations etc.

Or just don't do anything other than what everybody else is doing; neither states nor corporations have any reason yet to go after almost everybody out there. But if you hold any position of power, even a completely apolitical one, then you have already been a target for decades and no amount of OS updates will make your phone actually secure.


Realistically almost everyone needs some degree of trust in computers nowadays. Except for the guy who lives off the grid in the woods in the middle of nowhere, you can't function without some degree of trust.


> The real lesson here is to not have unsupported devices in your possession.

That's of course a minimum requirement. But the analysis showed that it took e.g. Samsung 8 months from distributing vulnerable code to distributing the fix for one of the CVEs. Google was faster, but even for them it took several months.

> Android is an immutable system,

OK, "system" might not be a uniquely defined term here. As always, it depends where you draw your system border. If you mean the system firmware image, it is probably immutable. Not sure whether all vendors use dm-verity.

However, I meant "the whole phone". Obviously Android phones are not immutable: you can install apps, and after rebooting they are still there and can again use the same vulnerability if there is one. What I meant by immutable is that there is no way to install any executable code, because all storage that is writable is noexec. And even if a vulnerability exists and allows messing with RAM, the corruption is gone at reboot (well, unless the write protection, code signing / dm-verity itself is affected by the vulnerability). Without having really worked with most of them, I understand Vanilla OS, Fedora CoreOS, Fedora Silverblue, and SUSE ALP all go in that direction (although they still allow installing additional containerized apps).

Including a browser and an email client in the base image and removing the option to install anything else is what I meant by an immutable Linux distro.

When you update it, you install another signed image. Of course the supply chain for that image is then the risky part, you'll never have zero risk.
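The property the comment above asks for, "all storage that is writable is noexec" plus a read-only base image, is something you can check on a running system. The following is an added example, not code from the page or from any of the distributions named; it parses text in the format of `/proc/mounts` (the constructed `SAMPLE` below, or the live file with `--live`) and reports every mount where an attacker with code execution could drop a binary that survives a reboot.

```python
"""Audit a /proc/mounts listing: nothing writable may be executable, and / must be read-only.

Added example, not from the page. Run with --live to read the real /proc/mounts;
otherwise the constructed SAMPLE below is used.
"""
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Mount:
    source: str
    target: str
    fstype: str
    options: frozenset


def parse_mounts(text: str) -> list:
    """Parse /proc/mounts lines: source target fstype options dump pass."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        source, target, fstype, opts = fields[:4]
        # The kernel escapes spaces, tabs and newlines in paths as \040, \011, \012.
        target = target.encode("ascii").decode("unicode_escape")
        mounts.append(Mount(source, target, fstype, frozenset(opts.split(","))))
    return mounts


def exec_writable_mounts(text: str) -> list:
    """Mount points that are rw but not noexec: anywhere here a code-execution
    bug can be turned into a persistent binary."""
    return sorted(m.target for m in parse_mounts(text)
                  if "rw" in m.options and "noexec" not in m.options)


def root_is_writable(text: str) -> bool:
    """True if / is mounted rw, i.e. the base image itself can be modified."""
    return any(m.target == "/" and "rw" in m.options for m in parse_mounts(text))


# Constructed sample: a mostly locked-down box with one slip (/home lacks noexec).
SAMPLE = """\
/dev/mapper/root / ext4 ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mmcblk0p3 /home ext4 rw,nosuid,nodev,relatime 0 0
/dev/mmcblk0p4 /var ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /media/usb\\040stick vfat rw,nosuid,nodev,noexec,relatime 0 0
"""

if __name__ == "__main__":
    text = open("/proc/mounts").read() if "--live" in sys.argv else SAMPLE
    for target in exec_writable_mounts(text):
        print(f"writable and executable: {target}")
    if root_is_writable(text):
        print("root filesystem is writable")
```

On the sample this reports `/home`. Note the check only covers mount options; a writable mount that is noexec still lets an interpreter run scripts from it, and it says nothing about whether the read-only image is actually integrity-protected (dm-verity), which needs a separate look at `veritysetup status` or the kernel command line.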


But the browser could run any kind of javascript code


When newer OS versions are fugly, user hostile hot garbage, people don't want to update. You need to provide long term support, but also not cannibalize your product for very dubious reasons.


The TAG link referenced in this article outlines how they use a fully updated Samsung device as a honeypot. At the time, even a fully updated device wasn't protected.


>This article is misleading, they're not "zero days" when they were discovered 2 years ago.

I thought lack of publication made them 0-days. If it's published it's not a 0-day anymore?


> Without being the opposition in some such state, most of us handle money on our insecure devices. Can we be sure that "ordinary" criminals don't have enough access for their purposes?

An Android or iOS full chain is likely worth a couple million American each. Due to the extreme prices you can be sure that when governments use it they do their best to hide their tracks so as not to burn the vulnerabilities.

Stealing someone's money is probably a very noticeable way to burn your exploits, or at least alert someone to the fact that their device has been compromised.


Yup this. These vulnerabilities are far too valuable to use for petty crime. You'll never get an equivalent return from using them to compromise a handful of phones, and if you use them on a large scale, they'll get noticed and patched fast. It's pretty much only used by Governments on whoever they consider to be an enemy of the state.


> Everyone who has reason to fear a state actor should not use a smartphone except for truly innocent activity. It's just insecure.

Of course, this is a terrible state to have to be in.

> Probably some immutable Linux distro would be better.

Nope

> Without being the opposition in some such state, most of us handle money on our insecure devices. Can we be sure that "ordinary" criminals don't have enough access for their purposes?

Generally "ordinary" criminals find it to be more cost-effective to phish you


If your threat model involves hiding your activity from a state actor, you need to worry about warrants as much as you do malware. From that perspective the entire operating system is working against you, since your adversary can simply subpoena Apple or Google for your cloud storage and access logs, which will reveal as much compromising data on you as even the best malware.


So you recommend we carry a laptop around in our pockets instead?



With NSO, Cytrox and other companies, why does all commercial malware come from Israel? Do Israelis hate freedom of the press, journalists and human rights more than others?


While I think the Israelis have been more likely to be happy with this sort of state action, compared to many countries, I think one of the major reasons is that Israel is a massive hub for security companies and staff. Since the early success of Check Point created a pool of money that went back into Israeli tech companies, they've been very big in the cybersecurity space: 1 in 3 of the big cyber companies are Israeli.

They also have a steady stream of IDF graduates from Unit 8200 [1] (and other bits of the IDF) who are young, smart and know each other as a cohort. You'll meet groups of them at lots of Israeli firms; and lots of older cohorts will have good networks across the sector because of this.

[1] https://en.wikipedia.org/wiki/Unit_8200


The possession of skills does not equate to the possession of intent. While the US has massive cybersecurity capabilities, they do not cause journalists or human rights activists to suffer because of it. So there is obviously something more to this equation, why Israeli software firms make it into the headlines constantly.


Personally I think living in a country that has been in a state of war for the last 70 years makes you reassess your morality.

I'm not making a moral judgement on this, I'm just saying I understand why there are a lot of companies that create weapons in a country at war for most of its existence.

For someone in such a position deciding "do I want to work on things that rip people to shreds, or would I rather work on surveillance software?", the surveillance software choice can be considered a lesser evil and potentially something that can save lives etc.


The solution to the state of constant war is to sell spyware to Saudi Arabia? How is this going to save Israeli lives?


While I don't think Netanyahu was/is losing sleep over Pegasus and the like, I also mostly think it's the effect of Israel having a very well developed cyberwarfare capability. That sort of experience inevitably bleeds into the private sector, especially when it's as weakly regulated as the Israel tech sector.


Relatively simple: Israel has a mandatory military service if you're not one of the ultra-orthodox who are exempt, so there's a massive pipeline of young highly talented people of all directions to the government, and those who are good in IT end up being offered positions in Mossad and other agencies (or in the IDF themselves) - and once they retire from government service, the private sector has a huge supply of experienced people to hire. Not to mention they're all very well networked.

No other Western-aligned country has such a pipeline - the US has it partially, but wannabe-competitors have a harder time acquiring customers, as non-Americans have to deal with ITAR and other export controls.


I agree with the description, but it does make me wonder why we don't see this stuff out of South Korea as well. They also have similar compulsory military service, but seem to mostly be producing starcraft players, k-drama and pop stars.


Israel is in constant active fighting with its neighbours and only survives because they have extremely good SIGINT capabilities (remember Stuxnet?). In contrast, all South Korea has to fear is that a North Korea nuclear rocket test goes bad. That's a marked difference in attitude.


I don't understand why you're being downvoted, you're simply pointing out facts and raising a good question.

I'm interested to find out why too.


The comment above yours gives a real explanation, whereas OP posits a question of whether Israelis "hate" freedom of expression. This isn't a good question or observation and is something I'd expect from a 9th grader. Of course Israelis don't hate freedom of expression. Who would answer "yes" to that? OP also suggests an answer with the question OP posits, an unsavory answer given the audience of Hacker News nonetheless. OP's comment was not researched, was obviously negatively biased, and doesn't even have a reasonable suggested answer.


Because they're extrapolating from "a few spyware companies come from Israel" to "does every single Israeli hate freedom of the press, journalists and human rights". It's a pretty bad-faith argument and borderline racist.

Anyway, Israel isn't the only one selling spyware software. There are a metric ton of sellers, operators, and people just selling zero-days to any bidder.

The answer to their question is that Israel is a dense, highly educated country with a lot of expertise in computer security and other technology areas. VRED is a difficult and exciting area of work, and the pipeline from gaining these skills in the military and translating them to private industry is very real. It has nothing to do with freedom of the press, journalists, or human rights.


If anything the opposite. There is a double meaning in my words. The stereotypical Israeli has strong opinions on almost everything. Freedom of thought goes hand in hand with freedom of the press and a general love of freedom. OTOH they feel that the international media is strongly biased against them and doesn't fairly report on the Palestinian conflict. For example, take a look at the resolutions passed by the UN Human Rights Council. It's hard to come to any conclusion other than that it's been weaponised against Israel.

Also bear in mind Israel's crippling vulnerability to organised terror, whose leaders' cruelty knows no limits and who view every Jew as a legitimate target. Especially in a freedom-loving society this is intolerable, so every step is considered in fighting this menace.


Russians also have strong opinions - doesn't automatically make it a democratic or liberal country.


Cytrox is Macedonian with a presence in Israel. NSO is entirely based out of Israel (although owned by some private equity firm outside of the country after they were sanctioned).


It's Israeli, and they just put the "made in Macedonia" stamp on it in Macedonia, for export reasons.


The Macedonia part is purely a shell company.


yuck, clickbait title: the exploits were from 2021. CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, CVE-2021-38003, CVE-2021-1048


You think no-one uses a phone more than two years old? Most manufacturers drop support for older models fairly quickly so I bet there are millions of unpatched Androids older than that in the wild.


Seems like the clickbait is to call those zero-days rather than 'previously discovered issues that have been patched upstream'


Oh I see, well "exploited" put it in the past tense for me but I can see how that might not be totally clear.


Yes, but the term is n-day (not 0-day), and it is increasingly a problem, especially in IoT devices: https://www.trendmicro.com/zh_hk/ciso/21/k/n-day-exploit-pro...
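The practical question behind the 0-day versus n-day argument in this subthread (and the "supported devices are often behind on patches" point earlier) is whether a given handset has actually received the fixes for the five CVEs named above. The following is an added example, not code from the page, Google or Ars; it compares a device's security patch level and Chrome version, read from constructed text in the format of `adb shell getprop` and `adb shell dumpsys package com.android.chrome`, against the first fixed patch level or Chrome build for each CVE. The entries in `FIXED_IN` are filled from my recollection of the Chrome release notes and the November 2021 Android bulletin and are marked as assumptions: verify them against those sources before relying on the result.

```python
"""Triage whether a device is still exposed to the n-days from the thread:
CVE-2021-37973/37976/38000/38003 (Chrome) and CVE-2021-1048 (Android kernel).

Added example, not from the page. FIXED_IN values are ASSUMED from memory of the
vendor bulletins; check them before use. Inputs are constructed samples in the
format of `adb shell getprop` and `adb shell dumpsys package <pkg>`.
"""
import re
from datetime import date

# cve -> ("spl", first security patch level carrying the fix)
#     or ("chrome", first fixed Chrome version as a tuple)
FIXED_IN = {
    "CVE-2021-1048": ("spl", date(2021, 11, 5)),       # ASSUMED: Nov 2021 bulletin
    "CVE-2021-37973": ("chrome", (94, 0, 4606, 61)),   # ASSUMED
    "CVE-2021-37976": ("chrome", (94, 0, 4606, 71)),   # ASSUMED
    "CVE-2021-38000": ("chrome", (95, 0, 4638, 69)),   # ASSUMED
    "CVE-2021-38003": ("chrome", (95, 0, 4638, 69)),   # ASSUMED
}


def parse_getprop(output: str) -> dict:
    """Turn getprop's "[name]: [value]" lines into a dict."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^\[([^\]]+)\]: \[([^\]]*)\]\s*$", output, re.M)}


def chrome_version_from_dumpsys(output: str) -> tuple:
    """Extract versionName=94.0.4606.61 from dumpsys package output as an int tuple."""
    m = re.search(r"versionName=(\d+(?:\.\d+)+)", output)
    if not m:
        raise ValueError("no versionName in dumpsys output")
    return tuple(int(x) for x in m.group(1).split("."))


def exposed_cves(security_patch: str, chrome_version: tuple) -> list:
    """CVEs whose fix post-dates what the device reports it is running."""
    spl = date.fromisoformat(security_patch)
    hits = []
    for cve, (kind, fixed) in FIXED_IN.items():
        if kind == "spl" and spl < fixed:
            hits.append(cve)
        elif kind == "chrome" and chrome_version < fixed:  # tuple comparison
            hits.append(cve)
    return hits


def triage(getprop_output: str, dumpsys_output: str) -> list:
    props = parse_getprop(getprop_output)
    chrome = chrome_version_from_dumpsys(dumpsys_output)
    return exposed_cves(props["ro.build.version.security_patch"], chrome)


# Constructed sample: an October 2021 patch level with Chrome 94.0.4606.61 installed.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [11]
[ro.build.version.security_patch]: [2021-10-05]
[ro.product.model]: [constructed]
"""
SAMPLE_DUMPSYS = """\
Package [com.android.chrome] (constructed):
    versionCode=460606100 minSdk=24 targetSdk=30
    versionName=94.0.4606.61
"""

if __name__ == "__main__":
    print("exposed:", triage(SAMPLE_GETPROP, SAMPLE_DUMPSYS))
```

Two caveats a practitioner should keep in mind: the patch level only states which bulletin the OEM claims to have integrated, not that every fix in it was backported to that device's kernel, and a phone whose attack surface is a WebView-based app rather than Chrome needs the same check against `com.google.android.webview`.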



