NSO Group iMessage Zero-Click Exploit Captured in the Wild
Author : jbegley
Score : 353 points
Date : 2021-09-13 20:04 UTC
web link (citizenlab.ca)

| defaulty wrote:
| This report says they discovered this in March.
|
| The NY Times [1] just reported that "Apple's security team has been working around the clock to develop a fix since Tuesday, after researchers at Citizen Lab, a cybersecurity watchdog organization at the University of Toronto, discovered that a Saudi activist's iPhone had been infected with spyware from NSO Group."
|
| What took so long? Did Apple not know about this in March or was someone sitting on it for 6 months?
|
| [1] https://www.nytimes.com/2021/09/13/technology/apple-software...
| robocat wrote:
| "Citizen Lab forwarded the artifacts to Apple on Tuesday September 7." -- from article, no need to jump to unwarranted conclusions about Apple. "In March 2021, we examined the phone of a Saudi activist" - it would be interesting to know the reason why Citizen Lab delayed so long. Hopefully they just wanted time to discover who else was being targeted?
| dezfuli wrote:
| > In March 2021, we examined the phone of a Saudi activist who has chosen to remain anonymous, and determined that they had been hacked with NSO Group's Pegasus spyware. During the course of the analysis we obtained an iTunes backup of the device.
|
| > Recent re-analysis of the backup yielded several files with the ".gif" extension in Library/SMS/Attachments that we determined were sent to the phone immediately before it was hacked with NSO Group's Pegasus spyware.
|
| Seems like they originally examined the phone in March, but recently did another analysis, during the course of which they discovered the exploit and reported it to Apple.
| badRNG wrote:
| I assume it takes time to go from "this person could have potentially been targeted with Pegasus" to "this person's iPhone was exploited by Pegasus, and here is how they did it."
| [deleted]
| mortenjorck wrote:
| Is there a reason why quarantining image attachments from unknown senders hasn't been standard industry practice ever since Stagefright?
| zionic wrote:
| Project managers like the pretty inline previews! Security? Pssh that's just for nerds.
| flixic wrote:
| Apple specifically introduced BlastDoor framework to combat this, so NSO shifted their attacks around decoding, avoiding BlastDoor.
| arsome wrote:
| Android 10 also introduced similar mitigations: https://android-developers.googleblog.com/2019/05/queue-hard...
|
| Though it's worth noting that the cost of Stagefright was surprisingly low - it took a long time for a good ASLR bypass to come out for it and by that time most devices were updated or replaced. Additionally, the sheer variance between Android devices means developing worm-level exploits becomes extremely difficult compared to something where everyone's running the exact same binary like Windows, so it likely only saw targeted use.
| notyourday wrote:
| Apple should know who works for NSO Group. It should block every single account of every single person working for that org. Same goes for their families.
|
| Google should do the same for Android.
|
| You do not fight organizations like that by fighting "organization". You make it very difficult for people who work for those organizations to participate in a society that relies on what they actively work on breaking. In fact, you tell the Israeli government that unless they put a leash on its dog and lock it up in its backyard, you will start disabling accounts of every single person in the Israeli government. When the government leaders cannot work their iPhones, they will ensure that NSO does not touch Apple's products.
| nebula8804 wrote:
| 30 seconds later, a command comes down the chain from Israel to its lapdog: the US, and then 5 seconds after that Tim Cook gets a call from his local congressperson stating that he is in violation of AB 2844, stating that you cannot discriminate against Israelis.
|
| [1]: https://iacforaction.org/in-support-of-the-anti-bds-ab-2844-...
|
| 1 second after that, the restriction is lifted.
| qaq wrote:
| Which will accomplish exactly nothing, the same way taking out cartel leaders does not reduce the flow of drugs.
| notyourday wrote:
| Baby hackers that want to go working for NSO want to have a high life. Modern high life requires modern communications devices. Blocking them from modern life (for example, vaccine passports done via iPhone and Android) will quickly lower the ranks.
|
| Blocking Israeli government officials from Google and Apple will _immediately_ solve the "NSO is an Israeli company that is cozy with the government and gets government protection" problem.
|
| None of the NSO group's clients would want to pay for it via suitcases of cash. And in either event paying with suitcases of cash creates problems in the modern world for those that receive the suitcases of cash.
| qaq wrote:
| There is a wide range of exploit brokers and a decent number of security researchers that choose $ over morality; as long as there is demand there will be supply.
| rodgerd wrote:
| > Apple should know who works for NSO Group. It should block every single account of every single person working for that org. Same goes for their families.
|
| NSO are suing Facebook - successfully so far - to force them to allow NSO staff access to Facebook when FB responded to NSO attacks by doing just that.
| notyourday wrote:
| Facebook was suing NSO about the hacks that NSO carried out.
|
| In this case Facebook, Apple, Google, etc should simply terminate the accounts exercising the "we are deplatforming you.
| No explanation" option they all have.
| q_andrew wrote:
| It seems like the NSO group is some kind of Hydra where every time their exploits are thwarted they find 2 new ones. The difference is that Hydras go for demigods while NSO products target civil servants and minorities.
| danicgross wrote:
| Would turning off iMessage protect from this? Or would the iPhone still process the GIF through SMS somehow...?
| SheinhardtWigCo wrote:
| Their high-confidence attribution to NSO Group is described as being based on two factors:
|
| 1. Incomplete deletion of evidence from a SQLite database, in the exact same manner observed in a previous Pegasus sample;
|
| 2. The presence of a new process with the same name as a process observed in a previous Pegasus sample.
|
| But isn't it likely that someone with the skills needed to discover and weaponize a chain of 0-day exploits, is incentivized and able to detect these quirks in Pegasus samples and imitate them, with the goal of misattribution?
|
| Of course, there may be more factors involved in the attribution that aren't being shared publicly.
| [deleted]
| Leparamour wrote:
| Since when do we assume misattribution in fingerprinting APTs?
|
| Crowdstrike will find out it's clearly Russia behind this and Mandiant will blame China.
| Hnrobert42 wrote:
| It seems like incomplete deletion of data is an error. If you are an exploit developer looking to throw investigators off your trail, it is one thing to name your processes with Pegasus names. It is another to deliberately introduce errors in your exploit to appear like Pegasus.
|
| Your proposal is possible. It is just less likely than that this exploit was developed by NSO Group.
| giarc wrote:
| I recently learned of this group through the Dark Net Diaries podcast. The host does a pretty good job of covering the NSO group in episode 99 and 100.
|
| https://darknetdiaries.com/episode/
| trangus_1985 wrote:
| If you're interested in infosec/appsec, DND is a great place to get started. The host packages up stories in a well put-together way, has no qualms about breaking to explain a concept or term, and does it all within an hour.
| adamgordonbell wrote:
| Those episodes were great!
|
| It sounded like NSO group just considers losing zero days like this a cost of doing business.
|
| There seemed to be an implication that they have a war chest of these exploits and expect them to each get burnt after a certain amount of usage.
| DSingularity wrote:
| I wonder what the US response would have been if the NSO group was an Iranian business.
| [deleted]
| Operyl wrote:
| I heavily recommend reading "This is How They Tell Me The World Ends" written by one of the guests he had in episode 98, Nicole Perlroth (which also touched a little on the NSO in that episode). She's The NY Times cybersecurity reporter. A lot of the book focused on the NSO, among others.
| badRNG wrote:
| This episode just came out last week, and this is the second time NSO has made news since it aired (along with Germany being a confirmed client.) Surprisingly apropos, but I imagine Jack's disappointed the big news makes it just after his episode's release on the subject.
| vjust wrote:
| I once worked in a 'dissident' org (supported by the US Agency for International Development) - these orgs were fighting for human rights in their countries. In one extreme case/country, my prospective project team mate, no one knew her real name (came to know this later), though she was our colleague, was quite social and pleasant. In her country's expatriate circles in DC, she was worried about foreign spies. Family back home is at risk, and so is she, even if she lives in DC. These are brave people.
|
| She wanted to build a database of something, and we were like, "keep your phone in another room" if you want to come discuss. Something that I am not sure she practices but more people need to practice.
|
| CitizenLab is doing yeoman's service for people's rights to privacy and human rights. They're heroes.
| [deleted]
| eynsham wrote:
| > supported by the US Agency for International Development
|
| Isn't it more usual for the NED to do such things? I remark upon this because it occurs to me that using USAID to do politics might make recipients suspicious of aid even when it's both necessary from a humanitarian perspective and unlikely to threaten the ruling dispensation in the recipient country. (This is a separate question from whether the NED/US government as a whole should even involve itself in such matters, to which my answer is 'maybe', since the dubious stuff probably happens anyway and lots of these civil society organisations &c. actually do good work [e.g. the Assistance Association for Political Prisoners in Burma.])
| vjust wrote:
| True.. I was slightly inaccurate. This org. had various USG funders, with a large slice of funding from US-AID projects. Washington is full of these 'USAID contractors', some tiny, others mega-sized. But _this_ project may have been funded by a division of US Dept of State that is focused on Human Rights - DRL. Not sure where the lines are about which one US-Aid gets and which one is State. For example development of journalism in an emerging country would be US-Aid. But OTOH, a project promoting free elections in the same country _could_ be State. Not sure.
|
| In any case, they span the range from benign to hostile nations, with varying risks attached. The "About" page for many such sensitive orgs would be silent on who the team was, except if it was Americans (like me) who didn't mind having their name out there (or nervously okayed the name being public).
| [deleted]
| iJohnDoe wrote:
| Kind of interesting Apple reacted as quickly as they did. It usually takes a lot of effort to get Apple to acknowledge anything. Or maybe because they didn't request a bug bounty?
| [deleted]
| syntheticcorp wrote:
| It's because it is being exploited in the wild. Those bugs tend to get patched fast.
| badkitty99 wrote:
| And their angle on this "not being a big deal" is that it's only used on high profile targets, so they need to keep that front up to maintain their busy bottom line
| r00fus wrote:
| Buried lede: Apple has patched that particular exploit [1] and everyone should download iOS 14.8 now if you want to be protected (no doubt NSO has other tricks up their sleeve).
|
| Edit: Just realized it also impacts macOS and watchOS as well which were also patched. Patch Monday!
|
| [1] https://support.apple.com/en-ca/HT212807
| sneak wrote:
| Pretty soon the choice will be between:
|
| - vulnerable to the latest published exploits
|
| or
|
| - vulnerable to clientside scanning of your media for wrongthink by Apple for the CCP
|
| Smash that iOS update button and do your part for the party!
| samtheprogram wrote:
| The irony is that if you're not updated to the latest iOS, the easier (cheaper?) it is for the CCP to run surveillance exploits on your device a la the Uighurs.
|
| You can either trust Apple, or lose all security updates.
| Syonyk wrote:
| > _Pretty soon the choice will be between_
|
| What about "Don't use Apple products"? I know that Android is just as bad in many ways...
|
| And if all options in the modern tech industry basket of choice are terrible, well... humanity survived without them for an awfully long time.
|
| I've gone back to a flip phone from an iPhone.
| I no longer use Windows if I can at all avoid it (there exist a few sysadmin tasks involving netbooting Mikrotik devices for major OS updates that are far less painful on Windows than other OSes), and have no plans to let Win11 in my life. And Apple is heading out the door too. Throw in my dislike of Intel, and... yeah, it's getting pretty thin pickings. I still have an iPad with no accounts on it as a PDF reader, but I'd like to replace that with something else (Remarkable or such).
|
| "Agh, this is soooo terrible, but I'm going to keep using it!" just means, in practice, it's not that terrible.
| TaylorAlexander wrote:
| It just makes me so uncomfortable that these things keep happening. We always find out about these things eventually but what percentage of the time are our devices vulnerable? Isn't it close to 100% of the time that our desktops and mobile devices have significant security vulnerabilities?
| r00fus wrote:
| Invulnerability for your devices is a chimera. You can only do what's possible in your capacity to secure yourself.
|
| I am at peace with the fact that I'm doing the best I can and keeping those I love protected.
| buddylw wrote:
| Security has always been relative. I feel much safer knowing that an exploit like this is worth hundreds of thousands or even millions of dollars.
|
| It keeps them closely guarded and selective about use. All of that makes me an unlikely target and reduces individual risk.
| heavyset_go wrote:
| > _I feel much safer knowing that an exploit like this is worth hundreds of thousands or even millions of dollars._
|
| I don't. Look at how much companies like Apple pay out for responsible disclosure if they pay out at all, and then compare it to what exploits go for on the grey/black market. Typically the buyers have deep pockets and burning millions of dollars wouldn't make them blink.
| dkokelley wrote:
| Why does it matter if it's the "good guys" or "bad guys" paying?
|
| If a vulnerability only cost ~$100 then a malicious person could compromise an ex lover's phone, for example. The fact that they are expensive means that their use is limited to targeted, strategic attacks. You don't have to agree that those attacks are good, but surely pricing the average person out of 0-days is better than the alternative.
| heavyset_go wrote:
| > _The fact that they are expensive means that their use is limited to targeted, strategic attacks._
|
| There are organized crime networks that pull in billions of dollars of revenue a year. If they wanted to pull off dragnet fraud, for example, they have the funds to do so.
| dylan604 wrote:
| > Why does it matter if it's the "good guys" or "bad guys" paying?
|
| Who do you think are more likely to use the vuln/exploit on regular everyday users? The nation state people are going to use it on targeted persons/groups (typically) while the "bad guys" are going to use it so they get the greatest bang for their buck.
| madeofpalk wrote:
| But still, I feel relatively safe knowing/thinking that the Saudi government doesn't want to hack my iPhone.
| heavyset_go wrote:
| Organized crime might, as they orchestrate fraud, blackmail etc networks all over the world.
| 8eye wrote:
| You would expect quality from a commercial product because of all the investment being put into a product, but these exploits are saying otherwise. Open source projects may have more investments that care on a different level. We might have to figure out a way to go in that direction eventually considering how dangerous this is getting; many people depend on the quality of a product to ensure safer communication, and with some it is a life and death situation. So yeah, it's sad that this keeps happening; it seems like we can think of a better way to not make this happen as often.
| overkill28 wrote:
| The way I describe it to friends and family is that there are basically two levels of protection:
|
| - Protecting yourself from run of the mill malware that is looking to make money off of you. You can do this pretty effectively by always updating your software as soon as you can and avoiding sketchy and unnecessary apps and websites
|
| - Protecting yourself from an attack by a nation state level agency. I don't think there is any way to be safe from this, and people who are targeted like this need to use protection that goes well beyond the choice of cell phone or chat app
| jdavis703 wrote:
| > Protecting yourself from an attack by a nation state level agency.
|
| My personal data was hacked by a nation-state level agency. The only way I could've prevented that is by not working in a national security position for that country's geopolitical rival.
|
| Now the only thing I can reasonably do is avoid ever stepping foot in that country lest they detain me for "extra questioning."
| dylan604 wrote:
| Until run of the mill malware learns of a vuln only thought to be known by nation states, and then all hell breaks loose.
| shapefrog wrote:
| > Isn't it close to 100% of the time that our desktops and mobile devices have significant security vulnerabilities?
|
| It is 100%. The sadder reality is that the most likely weak link when it comes to exploiting your device is you.
| sneak wrote:
| Yes, but it can be somewhat mitigated by not using SMS or iMessage.
|
| Don't share the phone number of your sim with anyone for any reason whatsoever (or don't put a sim in the phone at all and use an external wifi router (this is what I do), or use a data-only sim), and ensure that iMessage and iCloud are disabled.
|
| This doesn't make your phone invulnerable, it just makes it less vulnerable.
| [deleted]
| nbzso wrote:
| So I have to update to protect myself from Pegasus/NSO and in the meantime install the next beta of the CSAM scanner.
|
| Hmm. No. I deleted all my apps and photos, using it as a phone and banking app terminal. Phone call metadata is collected by governments by default, so I have no problem with this. I have nothing to hide, and nothing to store on Apple devices.
|
| Someone more paranoid than me told me an outrageous theory. Apple wants to take part of the Pegasus spyware-like market by providing a legal and user approved backdoor for governments through CSAM. I don't believe it at all. :)
| pengaru wrote:
| > I have nothing to hide
|
| Don't underestimate the value of privacy. How much (or little) you have to hide is something worth hiding. It's what you do and don't know, do and don't say, do and don't communicate with; this is all important to keep private by default.
|
| There's a tendency for individuals to assume the role of would-be criminal in these discussions. It's more correct to assume criminals exist on all sides; do you have any interest in enabling a corrupt government to surveil its law-abiding citizens? When you don't have privacy, you enable potential criminals in power to see if the populace is aware of their actions, or absolutely distracted by instagram. We're all potential witnesses to crimes, and at this point it's exceedingly likely we'd communicate those observations via smartphones. We all require privacy and secure communications, full stop.
| nbzso wrote:
| It is a sarcastic comment depicting the general state of things.
|
| Normalization of surveillance and acceptance of this "new world" from the general public through manufactured consent by the corporations, media and governments is staggeringly fast.
|
| There is no substitution for privacy, whatever the perceived motivation for "common good" is bringing to the table.
|
| My personal decision is to avoid the surveillance state by using FOSS solutions and abandoning smartphone habits.
|
| There must be a place for design and software solutions outside the "status quo". Started this year by removing Apple from my business and moving along to educate my customers about incoming dangers for their businesses and personal life.
| pphysch wrote:
| This line of thinking is predicated on two assumptions:
|
| 1) That the local authorities are essentially malevolent
|
| 2) That it is only the individual's (privacy/security) measures that are deterring the malevolent authority from exploiting them
|
| For most Americans/Europeans, both of these assumptions are false and based in paranoid fantasies. Local authorities are rarely malevolent (though they may commonly be corrupt and excessively self-interested and not care about you), and it is virtually impossible for the average citizen to mount a home defense (real or cyber) against a committed state actor, or even local PD. It's like trying to secure a VM guest from access by the host machine; you're completely surrounded.
|
| I fully support protecting yourself & your privacy against petty criminals, but unilaterally taking on your government is frankly just a waste of life.
| gjs278 wrote:
| take your meds
| nebula8804 wrote:
| Is there any confirmation this new release has any CSAM scanner stuff in it?
| nbzso wrote:
| At this point in time I would not believe anything Apple is saying. After all the backlash they just postponed it, to make it better and to avoid negative PR for the new iPhone.
|
| Traces of CSAM are found in iOS 14.3 https://appleinsider.com/articles/21/08/18/apples-csam-detec...
| kevin_young wrote:
| There's a shocking number of pedophiles. Shame they lobbied so hard against keeping kids safe.
| m3kw9 wrote:
| Now that this is out, it won't be just NSO using it. Get it patched now.
| kome wrote:
| A public university doing wonderful work against state sponsored spyware. Thank you University of Toronto! You restore my faith in academia.
| United857 wrote:
| I miss the days when iOS exploits were merely used for jailbreaks and allowing alternative app stores, instead of being weaponized/monetized as they are now.
| phendrenad2 wrote:
| Ah nice, just parse incoming gifs in your iMessage with the same function that also parses PSDs. What could possibly go wrong? Gotta be DRY, my dude!
| Ms-J wrote:
| It is increasingly bizarre in my opinion how this company (and others like Toka) can run active terrorist operations, when if anyone else smaller was doing some of the same hacks they would be in prison for a very long time.
|
| People have lost their lives due to these pariahs!
|
| Israel already has a massive PR issue with other countries; it would do them well to rein in these offensive front arms of their government/'companies.'
|
| Citizen Labs is really a great thing for civilization. There are not enough altruistic organizations.
| jasonhansel wrote:
| Why is it that iOS's PDF implementation has been the source of so many different exploits? This seems to be a pattern.
| madeofpalk wrote:
| PDFs are hard and complicated?
| RattleyCooper wrote:
| If I knew anybody at NSO Group I'd start messaging them unsolicited PDFs and shit :P
| traceroute66 wrote:
| Recently my iPhone started rebooting itself occasionally and randomly. I've been a long-term iPhone user and never seen this behaviour before on previous or current device.
|
| I'm not one to wear a tin-foil hat, but I have to admit NSO did come to mind.
| jaywalk wrote:
| Do you have reason to believe NSO Group would target you?
| azinman2 wrote:
| Unless you're a high profile target, Occam's razor says hardware failure.
| ericbarrett wrote:
| Yup, probably a bad bit in RAM or a just-on-the-edge bus error.
| ls612 wrote:
| My mom's iPad was doing the same thing for a long time and I suspected hardware failure (it was getting kinda old), so I told her to take it into the Apple store for diagnosis and repair. It turned out that the iOS install was just corrupted by bit flips and the Apple employee did a factory reset and it was all good afterwards. There's many things that can go wrong with even modern computers that aren't exploit related
| theshadowknows wrote:
| I always wonder what it takes to find this kind of exploit. Are the programmers at NSO group just the best in the world? Or are they incredibly lucky? Both? I'd love to know what a normal day at work is like for their engineers. Clock in, sit down at a...crazy expensive hardware and software testing station? Crack open a brand new iPhone and start probing away while referencing internet sourced chip documentation and software manuals? What does it even look like?
| sophacles wrote:
| There's an entire "gray market" of exploit brokers. NSO group is one of the many players. There's a good chance this is an off-the-shelf exploit.
|
| The podcast Darknet Diaries had an episode about the topic recently: https://darknetdiaries.com/episode/98/
|
| (that episode is tied to this book: https://www.amazon.com/gp/product/1635576059/ about the topic)
|
| Also, I like that podcast in general - highly recommend it if you're into infosec stuff!
| ThisIsTheWay wrote:
| Episode 100 is specifically about NSO and dives deeper into Pegasus. Highly recommended listening after episodes 98 and 99.
|
| https://darknetdiaries.com/episode/100/
| myself248 wrote:
| That goes very well with this prior episode as background info: https://darknetdiaries.com/episode/28/
| staticassertion wrote:
| Exploit development is a skill like any other.
| Instead of learning things like software design patterns, distributed systems, software reliability, etc you would have spent time learning about memory layouts, OS designs, mitigation techniques, decompilers, etc.
| tester756 wrote:
| Here's a ranking of top people for this kind of job
|
| https://ctftime.org/
|
| Members of those teams are often Security Engineers at e.g. Google, banks, computer emergency response teams (CERT) and so on.
| chelmzy wrote:
| They may have purchased it from an exploit broker.
| badRNG wrote:
| Zerodium will pay up to $2,500,000 for no-click iPhone/Android exploits [1]. I'm sure they'd only pay that much if they were highly confident they have clients who'd pay enough to make the risk and investment worth it.
|
| [1] https://zerodium.com/program.html
| [deleted]
| dogma1138 wrote:
| They recruit people who were trained to find exploits; it's less about having the best programmers and more about having people with a specific set of learned skills and dedicating them to this task.
|
| I would be surprised if their core iOS research team is much more than 10 or so people at any given time.
|
| They also probably use brokers and buy at least some of the exploits they use from freelancers; if they offer ~7 figures for a zero click exploit a lot of freelancers will be working on this too.
|
| It's just like any bug bounty program: internally you run a small and dedicated team and externally you pay enough to entice freelancers to spend their free time on your systems to scale it further.
| diskzero wrote:
| They probably hunt exploits like that, but what is quite likely is that they have access to stolen Apple source code and scour it for type overruns like the one in CoreGraphics that is the cause of this exploit.
| I would estimate that the majority of exploits are the result of source code theft, leaks of potential vulnerabilities from people who have access to the source code and social engineering. There isn't anything particularly special about a "Mossad" trained or "NSA" trained hacker. They are engineers like many of us and prefer the path of least resistance. Trying to brute force buffer overruns without having source code access is tedious. Why go to all the effort to black box exploits when you can take advantage of source code analysis?
|
| I mentioned in another post about why people would leak to the press, when you most likely will get caught and fired. Leakers of a different caliber will leak source code to governments and companies like NSO and have much less likelihood of being caught and much higher remuneration.
| tomc1985 wrote:
| I think it's more that the possibility space for exploits is so large that a dedicated force of highly creative reverse-engineers is all you need to dig them up.
|
| From what I've heard it can be almost trivial to find them if you know what to look for. But it seems that very few people know exactly where to look, and fewer still understand how to interpret the results.
| belter wrote:
| The NSO group are ex-Mossad who decided working for the government does not pay as well as making money out of exploits, probably obtained at the highest levels of top secret work.
|
| So far, they have been tolerated by the Israeli government as they all went to the same schools, all did the armed forces service together, and all know each other. This allowed them to get a free pass so far. Privately, many of their ex-colleagues are very critical of their lack of ethics.
|
| All this will change the day some of the NSO exploits will be used against Israel, the same way some of the NSA leaked tools are now used in the wild.
| Leparamour wrote:
| It wouldn't be too far-fetched to imagine that NSO is running malware campaigns against Apple and Google employees.
| walrus01 wrote:
| The high tech industry in Israel is not _that big_. If you look at the companies that make COTS microwave and millimeter wave telecommunications equipment, they're not too different from the other .IL companies which make advanced radar systems, jammers, and avionics for aircraft.
|
| I imagine it's similar for black/grey-hat software development.
| KoftaBob wrote:
| > So far, they have been tolerated by the Israeli government
|
| Why wouldn't the Israeli government tolerate them? If anything, doesn't their government benefit from groups like this?
|
| They get access to spy tools that they didn't have to use taxpayer money to fund, and because it's former members of their own intelligence working on it, they have some semblance of influence over how it's used.
|
| Am I missing something?
| cafecitoking wrote:
| Not really. Israel likely openly shares secrets with other Five Eyes countries and so it gets a sort of free pass from geopolitical pressures. It's a mutually beneficial exchange. Additional to the Mossad comment, the Israeli students who work for these groups take an entrance exam at 17 and that recommends them for what's known as UNIT 8200 which is a feeder network/NSA clone.
| monocasa wrote:
| Israel isn't part of five eyes.
| badRNG wrote:
| > All this will change, the day some of the NSO exploits will be used against Israel, the same way some of the NSA leaked tools are now used in the wild.
|
| Has the leak of NSA tools changed anything?
| JumpCrisscross wrote:
| > _Has the leak of NSA tools changed anything?_
|
| Yes. The bipartisan USA Freedom Act limited several aspects of the NSA's dragnet [1]. Amendments weakening the bill were defeated [2]. Less materially, a documentation requirement for § 702 searches of U.S. persons was added in 2018 [3].
|
| [1] https://www.eff.org/deeplinks/2014/11/usa-freedom-act-week-w...
|
| [2] https://www.eff.org/deeplinks/2015/05/usa-freedom-act-passes...
|
| [3] https://www.lawfareblog.com/summary-fisa-amendments-reauthor...
| Amezarak wrote:
| I'm skeptical the NSA doesn't just ignore or creatively interpret laws it doesn't like, given their past history and the consequences for their misbehavior.
|
| I mean when the CIA got busted not only spying on Congress a few years ago, but also lying about spying on Congress, they were told "don't do that again please."
| ndesaulniers wrote:
| "Not wittingly."
| sneak wrote:
| http://www.hasjamesclapperbeenindictedyet.com/
|
| Statute of limitations has expired, IIRC.
| rodgerd wrote:
| > Are the programmers at NSO group just the best in the world?
|
| Most people who are good at this are working for national security orgs, blue team in the private sector, or cash focused criminals. This is the relatively small group of people who are comfortable selling tools to help dictators hack journalists up with saws.
| gerash wrote:
| If you have an organization that can legally hire people, pay them a stable salary and legally sell exploits to all sorts of people around the world you end up with NSO.
|
| NSA finds exploits for their own mission and Google Project Zero researches vulnerabilities to [per their claim] ensure the internet stays a secure platform but neither of them sell exploits for profit like NSO.
|
| So, no, they're not the only "genius"es out there. They just are less ethical about it.
| Thaxll wrote:
| It takes IDA Pro, some low level asm/C++/Python programming skills and a lot of hours.
|
| Reverse engineering is not that complicated, however getting some results is difficult and time consuming.
|
| In that example it's basically looking at how some libraries are parsing input, that's it. Since everything in those phones is C/C++ nothing is "safe".
|
| It's the same skills you need to crack games, cheat in online games etc ...
| kaladin-jasnah wrote:
| It would be quite difficult if you can't get access to the binaries that you have to put into IDA (or, well, Ghidra, for that matter, but IDA Pro is probably better).
| saagarjha wrote:
| The binaries are available in OS restore images that Apple makes publicly available.
| helge9210 wrote:
| These are ex-military engineers (security researchers). Selection starts from age of 4. By the time they receive special training in technological units of the army they basically have a CS degree (at age of 19-20).
|
| > What does it even look like?
|
| Boring. Usually a group of introverted young kids that look at their own shoes while talking to you, led by an extroverted young kid, that looks at your shoes while talking to you.
| java-man wrote:
| You just leaked that the extrovert is a Finn! (the original joke is about a Finnish extrovert).
| yonatank wrote:
| As someone who has some familiarity with the people and processes, this response seems extremely off to me.
|
| > Selection starts from age of 4
|
| Care to share your sources for that? As far as I know most are self taught and get some further training in military.
|
| > Boring.
|
| It might be boring to some and might be extremely interesting for others. People who like solving puzzles and facing hard challenges usually like it. Of course, if your passion is building you wouldn't like it as you don't "build" something new.
|
| > Usually a group of introverted young kids that look at their own shoes while talking to you, led by an extroverted young kid, that looks at your shoes while talking to you.
|
| Have you met these people at all? Because it definitely sounds like you haven't and you just describe the typecast some movie would use.
| helge9210 wrote:
| > Care to share your sources for that?
|
| I'm Israeli.
|
| My children were attending/graduated/served kindergarten/school/army in Israel and I saw the selection process as a parent.
|
| My wife was a school teacher in Israel. She described to me some of the evaluation metrics she was supposed to submit every half a year over each and every pupil she had.
|
| > Have you met these people at all?
|
| I cannot confirm nor deny I met these people.
| [deleted]
| fragmede wrote:
| One person's boring is another's career culmination. Breaking system security often consists of dead end after dead end, and even if you get a lucky break, you may hit another dead end after that. Finding an exploit often isn't enough these days, they need to be chained together to actually get somewhere interesting. Personally, it's very unrewarding (aka boring, imho) work most of the time because you don't find anything a lot of the time. (The high off of finding something is something else tho, lemme tell you.) If you're interested in the sort of work involved, http://microcorruption.com is a good CTF to start out on.
| SavantIdiot wrote:
| A lot of times it is just poring over code looking for bugs that have already been found in other locations in the code.
|
| For example, this is a use after free bug. You can statically analyze disassembled code to find places where this might be happening, and then figure out how to exploit that instance of the bug.
___________________________________________________________________
(page generated 2021-09-13 23:00 UTC)
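The use-after-free shape SavantIdiot describes, as an added example in C. This is not code from the thread, from NSO's exploit or from the Citizen Lab report: the attachment struct, the pool allocator, the handler functions and the file names are all constructed for illustration. The allocator is deliberately deterministic (LIFO free list), so a freed chunk is handed straight back to the next allocation of the same size; real size-class allocators behave similarly, and that recycling is what turns a stale pointer into a pointer at attacker-controlled data. The vulnerable handler sits beside a corrected one so the difference is visible in the same control flow.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS    8
#define NAME_MAX 32

/* Hypothetical parsed-attachment record (constructed for this example). */
typedef struct attachment {
    uint32_t id;
    char     name[NAME_MAX];
} attachment_t;

/* Tiny deterministic allocator standing in for the real heap: a fixed pool
   plus a LIFO free list, so "att_free(a); b = att_alloc();" yields b == a. */
static attachment_t  pool[SLOTS];
static attachment_t *free_list[SLOTS];
static size_t        free_top = 0;
static size_t        bump     = 0;

static void pool_reset(void) {
    free_top = 0;
    bump     = 0;
    memset(pool, 0, sizeof pool);
}

static attachment_t *att_alloc(void) {
    if (free_top > 0) return free_list[--free_top]; /* recycle most recent free */
    if (bump < SLOTS) return &pool[bump++];
    return NULL;
}

static void att_free(attachment_t *a) {
    memset(a, 0, sizeof *a);        /* freed chunk is scribbled, like a real heap would */
    free_list[free_top++] = a;
}

static attachment_t *att_new(uint32_t id, const char *name) {
    attachment_t *a = att_alloc();
    if (a == NULL) return NULL;
    a->id = id;
    strncpy(a->name, name, NAME_MAX - 1);
    a->name[NAME_MAX - 1] = '\0';
    return a;
}

/* VULNERABLE: the error path frees `a` but the function keeps the stale
   pointer alive and dereferences it after the next allocation. If that next
   allocation is attacker-controlled (the "second" attachment), the code now
   reads whatever the attacker put in the recycled chunk. In a disassembly
   this is the pattern to hunt for: a call to the release routine, with the
   same register/stack slot still used as a pointer afterwards. */
const char *vuln_handle(const char *first, const char *second, int first_is_bad) {
    static char out[NAME_MAX];
    pool_reset();
    attachment_t *a = att_new(1, first);
    if (a == NULL) return NULL;
    if (first_is_bad) {
        att_free(a);                /* drop the bad attachment ... */
                                    /* ... but `a` is never cleared */
    }
    attachment_t *b = att_new(2, second);   /* lands in a's chunk when it was freed */
    (void)b;
    strncpy(out, a->name, NAME_MAX - 1);    /* use after free */
    out[NAME_MAX - 1] = '\0';
    return out;
}

/* HARDENED: free and last-use are not allowed to coexist. The pointer is
   nulled at the free site and checked before use, so the bad-attachment path
   is a clean rejection instead of a read of recycled memory. */
const char *safe_handle(const char *first, const char *second, int first_is_bad) {
    static char out[NAME_MAX];
    pool_reset();
    attachment_t *a = att_new(1, first);
    if (a == NULL) return NULL;
    if (first_is_bad) {
        att_free(a);
        a = NULL;                   /* no dangling alias survives the free */
    }
    attachment_t *b = att_new(2, second);
    (void)b;
    if (a == NULL) return NULL;     /* reject rather than touch recycled memory */
    strncpy(out, a->name, NAME_MAX - 1);
    out[NAME_MAX - 1] = '\0';
    return out;
}

int main(void) {
    /* Constructed inputs: "cat.gif" is the attachment that gets rejected,
       "pwn.gif" is the one the attacker sends right after it. */
    printf("vuln, good path: %s\n", vuln_handle("cat.gif", "pwn.gif", 0));
    printf("vuln, bad  path: %s\n", vuln_handle("cat.gif", "pwn.gif", 1));
    const char *r = safe_handle("cat.gif", "pwn.gif", 1);
    printf("safe, bad  path: %s\n", r ? r : "(rejected)");
    return 0;
}
```

On the bad path the vulnerable handler returns "pwn.gif" even though it believes it is still working on "cat.gif": the stale pointer now aliases the attacker's allocation. That aliasing, not the free itself, is the primitive an exploit builds on; the fixed variant removes it by nulling at the free site, and a reviewer scanning disassembly looks for exactly the opposite, a release call after which the same pointer value stays live.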