Journalists Hacked with Suspected NSO Group iMessage ‘Zero-Click’ Exploit (citizenlab.ca)
622 points by arkadiyt on Dec 20, 2020 | 289 comments



> We were unable to retrieve these binaries from flash memory, as we did not have access to a jailbreak for iPhone 11 running iOS 13.5.1.

It’s ironic that the exploit is able to plant arbitrary code on an up-to-date device and yet the owner of the phone can’t introspect their phone to see it themselves because they don’t know how to bypass the protections :/


These attacks would be a lot less dangerous if they couldn't get on-disk persistence. Just reboot your phone, and you're good to go. Only creeps like NSO who spy on normal people need that degree of persistence. Everyone else can just hang out in RAM on some always-on server.

Vendors need to make it easier to verify the integrity of persistent firmware, in an offline fashion. It will dramatically increase the cost of persistence, which is the best way to put these thugs out of business.


>“Just reboot your phone, and you're good to go”

Doesn’t really work like that. First of all, when would you reboot your phone? Once per day? Once per hour? Every five minutes? Regardless, these attacks are incredibly advanced, remember they require zero interaction from the user.

Even if you rebooted constantly and the exploit lacked a persistence vector, they would still be able to exploit you whenever they want. There are literally no good defense mechanisms against zero-click attacks. The only effective one being turning off your phone forever.

Something like these exploits takes 1-2 minutes maximum to achieve full data exfiltration. This means you’re not safe even if you reboot every five minutes.

So preventing persistence vectors is not really useful against these types of attacks. Persistence is more of a “comfort feature” for attackers; it is not really something essential.


What about also removing your SIM card and disabling iMessage or otherwise firewalling all traffic to Apple?


Why not just keep the device off and stop using it? That would stop all attacks!


Normally bugs in these types of attacks target daemons that are always connected even if not logged onto iMessage or even if you disable iMessage. Or at least this was the case with previously known bugs.


On-disk persistence (“untethered”) is actually fairly rare. Why do that when it leaves behind evidence and you can just remotely run the exploit again to hack the device?


They should’ve sent the phones to Apple to investigate.


Perhaps they did?


Why would Apple investigate? This costs thousands of dollars and Apple isn’t a forensics service provider.


News like "zero-click iMessage to root exploit" costs Apple millions of dollars as it's a PR nightmare and erodes the trust they spent years (+tens of millions of dollars) building. Those "thousands of dollars" they would spend on forensics would be their least concern.

Imagine The Guardian, The New York Times and several other top journals covered this story with a sensational title like "Our Journalists' iPhones are hacked remotely". There's no going back from that.


How come when we hear about this stuff it is always Israeli companies involved? Is ethics not taught in Israeli Computer Science curricula? Those who wrote this exploit are clearly "brilliant" and at least some of them are bound to be reading Hacker News. Are other countries' spyware firms just better at hiding their malware than Israel's are?


> How come when we hear about this stuff it is always Israeli companies involved?

Everyone seems to be focusing on the "always" in your statement, so I'll ignore that and give you a straight answer.

Strong investment in STEM education, after-school programming and computer security programs, mandatory military service where they get a chance to evaluate everyone and funnel the smart technical folks into Unit 8200, and heavy investment into security startups.

Israel also benefits from everyone else depending on their tools. Not only do they get to see the intelligence being collected by other countries and gain insights into their espionage operations, they also would be able to piggyback into any networks that were of particular interest.


> Is ethics not taught in Israeli Computer Science curricula?

...Is ethics taught in any CS curriculum?

It sure wasn't in mine (but to be fair, that was in Switzerland).


It was a requirement for my Software Engineering degree (my university was in the US). When discussing with my coworkers in the past, I don't think many of them were required to take any ethics courses, unfortunately.

Ethics in software is something we should all probably talk about a little more often.


My alma mater treated CS more like "Applied Math", to the degree that I don't think that anyone in the department viewed Software Engineering as a major source of employment after the (Master's) degree.

Viewed from the lens of "CS is a researcher/PhD candidate mill", a lack of focus on ethics makes some sense to the cynic in me.


It was in mine, in the UK. As expected, it was viewed as just another requirement, and nobody took it seriously.


It was taught in mine. Lots of focus on stuff like gender issues, discrimination, and academic dishonesty (don't cheat or plagiarize, etc). The guy who held the ethics course also held the course in abstract computer science. He most definitely would've been displeased had his students used what he taught them to write malware targeting journalists!


It's no longer commonly taught, I think it was 10 years ago. It may have something to do with degree accreditation bodies but I'm not sure.

Knowing Ethics doesn't really mean much, given ethicists aren't more ethical than normal people [0].

As an aside, another consideration is this isn't some private corporation, it's every government, you've got to consider the number of people before someone like Snowden popped their faces out.

[0] https://qz.com/1582149/ethicists-are-no-more-ethical-than-th...


In order to understand that ethicists aren't more ethical than normal people you need a course in ontology. We sadly lack courses in ontology in most curricula.


I took it as an extracurricular course during CS (in the Netherlands).

It remains to this day the one course whose lessons I apply every day in my life, moreso than any of the computer related courses.


I think every legitimate University makes their students take at least one philosophy course?

Philosophy 101 (and every equivalent) heavily focuses on the classical and modern teachings on morals and ethics.


THERAC-25 was the topic of a lengthy ethics discussion during my computer engineering undergrad


It is required for a program to be accredited by ABET in the US.


It was required in my program. State school, USA.


Israel has mandatory military service and part of its military is an elite hacking group known as Unit 8200[0]. Members of this unit who leave the military have founded a huge number of information security and antivirus companies based in Israel (mostly in Tel Aviv)[1].

----

[0] https://en.wikipedia.org/wiki/Unit_8200

[1] https://en.wikipedia.org/wiki/Unit_8200#Companies_founded_by...


It's not always Israeli companies. For example we have seen attacks on journalists, NGO workers and activists from Hacking Team, which is Italian, FinFisher / Gamma International, which is German or British (IIRC), then there are other hacking groups for hire from India. Of course then there is state stuff from Russia, China amongst others.


When HackingTeam was exposed, no one was asking to sanction Italy. Hating on Israel specifically is a very cool and woke thing to do. Has been for decades.


Oh come on. It's not like Italy has been bombing foreign scientists, sending assassins all around the world, or illegally occupying an entire country for seven decades.


> Hating on Israel specifically is a very cool and woke thing to do. Has been for decades.

Well, Israel has been treating Palestinians pretty badly, so it's not like it isn't justified.

At least criticising Israel for genuine reasons isn't deemed anti-semitic in the latest international standard of the definition, oh wait!




I don't care when or how Palestinians came to the area. Their treatment is immoral.


Whataboutisming when people are justifiably calling out an Israeli company (shielded by Israeli courts) for continuing to be the reason why human rights activists and journalists are being jailed or murdered, is a very cool and contrarian thing to do.

Why does this shining light of democracy allow/encourage its companies to perpetuate authoritarianism for their neighbors? Not a very democracy-loving thing to do.


There is genuine interest for perpetuating authoritarianism and more importantly corruption for their neighbours.


> Hating on Israel specifically is a very cool and woke thing to do. Has been for decades.

And defenders of Israeli actions using the defense of people 'hating on Israel' instead of reflecting on the fact that people have genuine policy disagreements with what Israel does has been a popular deflection tactic for decades.

You can't divorce what Israel does on a daily basis from its image and then act surprised when it is being criticized.


Who was the last agent of the Italian state to infiltrate a foreign country and bomb and assassinate civilians in broad daylight? Israel did this last month.

I also don't remember Italy bulldozing people's homes while the occupants watch and then turning that land over to their preferred ethnic group, but you know my history isn't so great.


> Who was the last agent of the Italian state to infiltrate a foreign country and bomb and assassinate civilians in broad daylight?

That'd probably be Super Mario.


Israel has a large security industry with deep ties to their military. More so than other countries.


Specifically, Israel has a huge cybersecurity software business around selling oppressive regimes NSA-style tools of mass surveillance and spyware kits. This is a government-sanctioned industry (US intelligence is in this too), and doesn't seem to have any ethics. Here are some stories:

https://www.timesofisrael.com/israeli-government-okayed-sale...

https://www.reuters.com/article/us-usa-cyber-nso-exclusive/e...

https://en.wikipedia.org/wiki/Pegasus_(spyware)


It’s called selection bias. It’s fun and always acceptable to hate on Israel. It’s also more memorable due to the sensationalization of it.

A few years ago Blue Coat Systems was caught providing deep packet inspection gear to the Syrian government. But that wasn’t Israel so no biggie and you either never heard about it or didn’t pay much attention because it wasn’t Israel.

American and European companies do this all the time but it’s not sensationalized to the same degree. That’s just business as usual.


>It’s fun and always acceptable to hate on Israel

Don't people routinely get called anti-semite for just criticizing the Israeli government? Except for some small circles, I don't think your statement is true, it's certainly not true for mainstream US politics.


I don't believe that happened the way you describe it. Blue Coat was illegally on-sold to Syria from a UAE-based distributor and that company received a 200% fine of the sale price.


You may have a point, but I think DPI and malware targeting journalists is not quite in the same ballpark.


You know what's even more acceptable? Dismissing any criticism of Israel as "anti-semitism", absolving them of any wrongdoing whatsoever. This happens every time like clockwork when talking about the Israeli defense industry and the horrible things they do.


You think it is "fun" to hate on Israel?


NSO is owned by a UK-based private equity group. It's not even an "Israeli" company.


Oh, that's such formal crap. The founders are Israeli, R&D is Israeli, most employees are Israelis in Israel. It's an Israeli company. As an Israeli with a very similar background to the people who work there, I'm ashamed of our industry's involvement in this disgusting business.


I would tell you why, but I would get banned.


> How come when we hear about this stuff it is always Israeli companies involved? Is ethics not taught in Israeli Computer Science curricula?

Personal opinion, but I think the mandatory army service in Israel seems to teach that everything is 'defense' and Israel is always 'defending itself', no matter what. This sort of thinking then bleeds into the private sector as these guys leave the military and use the skills they learned there to establish businesses.

Having interacted with the Palestinians during their army service as 'the enemy', the victims of NSO undoubtedly fall into the same category, thus not worth losing their sleep over.


There is the idea that being the stronger side in a constant state of conflict with a neighbour for decades suits Israel economically, despite the human cost on both sides. Combined with national service, it creates a highly credible testing ground for public and private development of defence products, technologies and services, which are extremely valuable exports.

A country of its size and only relatively recent independence is punching well above its weight, being the 8th largest arms exporter in the world over the last decade.[1]

[1] http://armstrade.sipri.org/armstrade/page/toplist.php


If I had to guess.... as a person who once did a fair amount of business in the middle east, but Egypt and not Israel...

I had a former customer there _go out of business_ when the Barack Hussein Obama (mmm mmm mmm!) administration supported an attempted putsch by (in my customer's words) "The Retarded F___ing Nazis who killed Sadat for making peace with the Jews."

Israel and the non-Brotherhood Arab countries face the burdensome situation that their most reliable "ally" is a country that depending on the politics is going to support the Brotherhood _and_ the large wannabe-hegemonic Russian satellite state trying to develop nuclear weapons. (Oh, and funded said state's reconquest of Syria in the process). Said schizophrenic state also has a massive surveillance system of its own.

My guess: they all don't look at this as a violation of civil rights or ethics, they look at this as a means for the little countries like them to get a leg up on some of the insane intelligence agencies of the large countries that are funding enemies both domestic and foreign.


It was awesome when Facebook deleted NSO Group employees' personal profiles. And then they whined about it. The silver lining of Facebook owning WhatsApp.

I hope more organizations do this.

https://arstechnica.com/information-technology/2019/10/faceb...


They didn't just whine, they sued Facebook in Israeli court (and won). Facebook was forced to reinstate their accounts: https://www.cyberscoop.com/facebook-nso-group-accounts-reins...


If Facebook was sincere, they could have held their ground. The Israeli government would then have to decide whether it was willing to ban a platform so widely used in their country or to simply fine them. Instead, FB decided to comply. Just a bunch of dead brown people — who cares?


The Israeli government has absolutely no say in how any of this plays out, that is the entire point of an independent judiciary. The lawsuit and sanctions are decided by the courts based on existing laws and precedent, and for them Facebook's size or position in the Israeli market does not (and should not) hold any weight whatsoever.

The most the legislative can do is amend the relevant laws to make what Facebook tried to do legal going forward, and that still wouldn't apply retroactively. The odds of the government choosing to extensively overhaul its consumer protection laws for the interests of a single multinational in a single lawsuit aren't great.


> The Israeli government has absolutely no say in how any of this plays out, that is the entire point of an independent judiciary.

Israel has no genuinely independent judiciary, nor genuinely free press.

IDF regularly intervenes in both, that's a very poorly held secret.

Any normal nation would be completely horrified at the prospect of a private company effectively intervening in its foreign relations, but Israel is remarkably not, and even seems to give NSO a considerable amount of legal cover.

I believe it's just a cover for the state to distance itself from the activity in public eyes, just like IDF distances itself from peddling military hardware around the world by hiding behind "independent private companies."


>Israel has no genuinely independent judiciary, nor genuinely free press.

Israel is the only country in the world where the judiciary appoints itself and a newspaper like "Ha'aretz" can exist.

>Any normal nation would be completely horrified at the prospect of a private company effectively intervening into its foreign relations

That would make most of the West "not normal nations".


> Israel is the only country in the world where the judiciary appoints itself

No.

Judges who serve on the Supreme Court, as well as the district and magistrate courts, are appointed by the Judicial Selection Committee, which consists of nine members: the Minister of Justice, another cabinet member, two Knesset members (in practice one is from the coalition and the other is from the opposition), two members of the Israel Bar Association, and the President of the Supreme Court and two other Supreme Court justices. The committee is chaired by the Minister of Justice. It can appoint judges to the magistrate and district courts by a majority vote, but appointing a Supreme Court judge requires a majority of at least 7 to 9 or two less than the number present at the meeting.


In short, Judges and people who are dependent on them have an absolute majority. They also have a direct veto power over any Supreme Court appointment (7 of 9 and they have 3 votes).


No

The establishment already has 3 votes by default, and needs only 2 yes votes — an easy thing to do, and almost certain if supreme court is already stuffed by pro-establishment judges for a few government terms.

And candidates for supreme court appointment almost always come from seniormost district court judges, which were simple majority appointed.

And if supreme court appointment keeps getting vetoed, they can simply do nothing, and wait for appointment by default of seniormost district court judge.

And all of this does not matter at all when IDF intervenes.


"The establishment already has 3 votes by default, and needs only 2 yes votes"

Except the 'only 2 votes' are dependent on the other 3 vote block for a living. Also, the Supreme Court has retained its option for interfering with the composition of Knesset block, and putting an opposition member in it, which would make it an effective 1 member block.


India too (which is actually unconstitutional, but somehow that's ignored and judges select their friends and kin as next gen judges)


Keeping jokes to myself, but Pakistan also has quite a number of jokes about how the words "judicial fraternity" apply in the most literal sense.

18th amendment tried to fix the issue, but paradoxically just made it worse. The Chaudhry train wreck was a complete tragicomedy.


> Israel has no genuinely independent judiciary, nor genuinely free press.

That's just not true, where are you getting your information from?


Israeli courts have repeatedly ruled in a way that violates international law, including on illegal Israeli settlements.

Does it really matter if they're independent if they disregard the law in exactly the same way the Israeli government does?


You have no idea what you're talking about, and comments like "that's a very poorly held secret." don't deserve the effort of trying to find a reference to refute them.


Facebook could choose to leave the Israeli market so it would not be bound by Israeli law.


Yes, Facebook could do that. There's probably many laws in many other countries Facebook operates in that are a lot less reasonable than this one, but I guess if for some reason this was the specific hill they wanted to die on, they would absolutely be free to do so.

Facebook also has a pretty big engineering office in Tel-Aviv, which they'd probably have to close in this scenario. I imagine that would also be a massive PITA. But, again, there's nothing technically stopping them from doing that.


Wow, I didn't know that. What an illegitimate court system. Facebook should be able to choose who can and can't use their platform.

Facebook will probably have better luck with lawsuits in the US.


As someone that isn't a developer, I wonder how many zero days come from people inside the software team. To simply have knowledge of a difficult bug that hasn't been resolved would seem to be a valuable commodity in a closed source system.


I don't think this is a thing for two reasons:

* firstly, not many people outside the security world know that bugs are a valuable commodity for attackers. Same thing with internal org diagrams, which are something you can sell to economic intelligence firms.

* secondly, top-tier orgs like FAANG usually pepper a lot of telemetry around known bugs in production code in order to see if someone isn't exploiting them (or simply to better track down the root cause).

That being said, attackers are reaaaaaally interested in getting access to internal bug trackers: https://grahamcluley.com/microsoft-bug-tracking-hack/


I struggle to understand that logic

> firstly, not many people outside the security world know that bugs are a valuable commodity for attackers. Same thing with internal org diagrams, which are something you can sell to economic intelligence firms.

All you need to realize its value is to read some security related news for a week.

Also you can have security-interested people apply to FAANG and then cause harm.

> secondly, top-tier orgs like FAANG usually pepper a lot of telemetry around known bugs in production code in order to see if someone isn't exploiting them (or simply to better track down the root cause).

As you said - around known bugs, so it's irrelevant here


This is why internal bug bounties should pay cash. Most orgs don't even have one.


We have an internal bug bounty program! But it's more of a retainer when you think about it. We basically transfer a six figure dollar amount, in 12 monthly installments, to our developers. Then in return when they find a bug they bring it to attention and fix it. It works pretty well!!


It would be interesting to have a dedicated bug fixer whose only job was hunting bugs. No meetings, no scrum, no design docs, etc.


Kind of like a red team.


Which Apple has, of course.


Ha. If you happen to know of a red team that doesn't have to still go to meetings and write documentation, please let me know so I can switch employers. :)


Equally curious, even as a developer.

Impossible to track in-person knowledge exchange, so code wouldn’t really be the culprit IMO.


I've wondered that before as well.

If one were sufficiently motivated and planned ahead, you could almost consider it as a future "insurance policy" of sorts.


Is it not something as simple as a try catch unresolved or ignoring an injection attack?


I didn't think this was true until I read Permanent Record, where Snowden talks about how the agencies could get stuff done through bribes or planted employees. Since knowing that, I've become a lot less certain.


This isn't a thing, mostly because it's a giant legal risk.


Most likely none, but it’s a common conspiracy theory.


So, iiuc, this "zero-click" hack involved iMessage and payloads apparently injected via Apple's domains and the exfiltration of data through a tor-like network eventually reaching malicious servers.

Is anyone aware of any (FOSS) software (presumably intrusion detectors or indicators of compromise) for mobile phones that might help flag or even prevent such attacks?

TinyCheck [0] comes to mind, but it isn't truly mobile. TrackerControl [1] and Guardian Firewall [2] are perhaps the closest to something like this but concentrate on privacy more than on security.

[0] https://github.com/KasperskyLab/tinycheck

[1] https://trackercontrol.org/

[2] https://guardianapp.com/


Most likely the malware is using SSL so packet sniffing from an external device isn't gonna work. And it's Apple, so at best you might find a firewall among their tightly locked down App Store. Don't worry, Apple knows what's good for you far better than you ever could ::eye roll::


A lot of the teams inside Apple who create first-party apps like iMessage are understaffed compared to their competitors.

They should really hire more security folks. A lot of Apple's product security work seems to be outsourced to Google Project Zero.


Yet they somehow roll out some crazy new memoji or drawing feature every year

Their priorities are just in the wrong place


Of course, the people writing the Memoji code and the people doing security work on the app are frequently different people…


And water is wet. Apple's priorities are still misplaced.

The point being argued is that Apple is not giving enough attention to important security issues while also preventing others from doing so themselves.


Any developer must take care of security at some level.


Maybe Apple doesn't have the funds to hire more people..


Poor Apple, they are so busy protecting our privacy and telling us about it they forgot to hire people.


> Is anyone aware of any (FOSS) software (presumably intrusion detectors or indicators of compromise) for mobile phones that might help flag or even prevent such attacks?

Assuming such applications existed, how would you install them on the "suspect" iPhone?

Assuming you were able to install such applications, you'd still not have any access to or control over the baseband (which I strongly suspect has plenty of issues of its own).

Assuming the malicious software avoided using Wi-Fi and used only the cellular data connection for command and control, exfiltration, etc., it'd be damn near impossible to monitor the ("plain-text") data being sent and received (assuming such software would make use of private certificates -- or asymmetric encryption, in general -- to avoid being MITM'd itself, which seems like a reasonable assumption).

--

EDIT: This got me thinking, "what would be the most secure way to keep and use a mobile phone?" (assuming one could not simply avoid doing so).

My first thought is to use a mobile phone with the baseband radio(s) (verifiably) disabled/removed (if that is even possible?) or -- even better -- a Wi-Fi only device (similar in function as the old iPod Touch, for example) on which one used only SIP applications for calling (ideally via an "internal PBX" shared by all of one's correspondents) along with one's preferred E2E-encrypted messaging applications (e.g., Matrix, Signal, WhatsApp, etc.), all of which are used (importantly!) exclusively over an always-on VPN connection.

In instances where Wi-Fi was unavailable and/or one had no other options, a "mobile hotspot" or another ("real") mobile phone acting as one could potentially be used.

I'm interested in hearing thoughts on this idea (including any reasons why this is a bad idea that didn't occur to me during my two minute thought experiment), any other similar ideas that others have had, or any actual practices that are actually being used.


>> what would be the most secure way to keep and use a mobile phone?

My opinion: there is no secure way. My initial solution: build a home phone based on a Raspberry Pi 3B+ (with touch screen).

I already built this home phone for myself. It does only voice and SMS/MMS. It only works over Ethernet or Wi-Fi. It uses mains electricity. I wrote the software - it's Python3 and C.

I've been using this phone as my daily driver for the last year. It is very reliable.

I plan to start making it available in Jan 2021. Look for more posts here.


Are these apps similar to Blokada?

https://blokada.org/


Blokada isn't a serious security app. It leaks DNS connections over TCP (only handles UDP) and uses covert techniques to track users (generates a unique ID for every install and sends it tagged with the phone model every time one visits a blokada webpage from within the app).

Yeah, nowhere close.

Disclaimer: I work on privacy enhancing tech on Android.


As a user of Blokada myself I'd like to ask, is there any system-wide ad blocker for Android you would recommend?


Apart from the usual suspects like AdGuard [0] and other anti-virus products:

Intra [1] with any adblocking DNS of your choice.

Nebulo: [2] A no-gimmicks alternative to DNS based blocking (their latest beta supports DNS over HTTP3 (QUIC)).

I use both: Intra has no DNS leaks but is IPv4 only right now and laced with analytics (the fork I developed/use is stripped of all analytics). Nebulo is lighter on RAM and battery and supports custom on-device blocklists (non PlayStore version).

[0] https://adguard.com/en/adguard-android/overview.html

[1] https://getintra.org/

[2] https://git.frostnerd.com/PublicAndroidApps/smokescreen#inst...


> regularhours.net and holdmydoor.com appeared on a Turkish CERT list in November 2019

> we observed MONARCHY and SNEAKY KESTREL continue to use these domain names in attacks through August 2020.

Interesting to see that the malicious hosts are not in any standard blacklist or safe browsing databases for browsers while Turkey's CERT has been sink-holing them via ISPs on a national level since at least 2019.


More generally, is there a known correlation between kernel panics and exploits, especially on macOS?

> Almisshal’s device shows what appears to be an unusual number of kernel panics (phone crashes) between January and July 2020. While some of the panics may be benign, they may also indicate earlier attempts to exploit vulnerabilities against his device.


Not necessarily. But panics could be an indicator of failed exploits.


Failed exploits, especially kernel-level ones, will result in higher system instability. I'm aware of at least one company (ZecOps) that specializes in detecting exploitations using crash analysis.
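An added example, not from the thread or the Citizen Lab report, of the crash-frequency check the two comments above describe: it counts iOS kernel panic reports per month and flags months that stand out against the device's own history. The panic report file-name format is an assumption and the listing is constructed sample data.

```python
import math
import re
from collections import Counter
from datetime import date
from statistics import median

# iOS keeps one report per kernel panic under Analytics Data, named like
# "panic-full-YYYY-MM-DD-HHMMSS.ips" (assumed format).  This listing is
# constructed sample data, not from any real device: a quiet baseline, a
# burst in spring 2020, one unrelated Jetsam report and one corrupted name.
SAMPLE_LISTING = """\
panic-full-2019-10-03-081512.ips
JetsamEvent-2019-11-20-233010.ips
panic-full-2019-12-21-191044.ips
panic-full-2020-01-09-071905.ips
panic-full-2020-02-02-120033.ips
panic-full-2020-02-11-154210.ips
panic-full-2020-02-19-093347.ips
panic-full-2020-02-27-221801.ips
panic-full-2020-03-05-064412.ips
panic-full-2020-03-06-065140.ips
panic-full-2020-03-14-183025.ips
panic-full-2020-03-22-101122.ips
panic-full-2020-03-30-235959.ips
panic-full-2020-04-04-114501.ips
panic-full-2020-04-18-081240.ips
panic-full-2020-04-25-201313.ips
panic-full-2020-05-08-130004.ips
panic-full-2020-05-09-130119.ips
panic-full-2020-05-23-172730.ips
panic-full-2020-06-01-090909.ips
panic-full-2020-06-15-151515.ips
panic-full-2020-07-07-070707.ips
panic-full-2020-08-12-112233.ips
panic-full-2020-13-01-000000.ips
"""

PANIC_NAME = re.compile(r"^panic-full-(\d{4})-(\d{2})-(\d{2})-\d{6}\.ips$")


def parse_panic_dates(listing):
    """Return the date of every well-formed panic report in the listing."""
    dates = []
    for line in listing.splitlines():
        m = PANIC_NAME.match(line.strip())
        if not m:  # Jetsam/app crash reports and junk are skipped, not fatal
            continue
        year, month, day = (int(x) for x in m.groups())
        try:
            dates.append(date(year, month, day))
        except ValueError:  # e.g. month 13 in a corrupted file name
            continue
    return dates


def monthly_counts(dates):
    """Count panics per calendar month, keeping zero-count months in between."""
    if not dates:
        return {}
    raw = Counter((d.year, d.month) for d in dates)
    first, last = min(dates), max(dates)
    counts = {}
    year, month = first.year, first.month
    while (year, month) <= (last.year, last.month):
        counts[f"{year:04d}-{month:02d}"] = raw.get((year, month), 0)
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return counts


def flag_unusual_months(counts, factor=3, min_flag=3):
    """Flag months with at least `factor` times the device's median monthly
    panic count, and never fewer than `min_flag` panics, so a single stray
    panic on an otherwise quiet phone is not reported."""
    baseline = median(counts.values()) if counts else 0
    threshold = max(min_flag, math.ceil(factor * baseline))
    flagged = [month for month, n in counts.items() if n >= threshold]
    return {"baseline": baseline, "threshold": threshold, "flagged": flagged}


def analyze_listing(listing):
    """Listing text -> baseline, threshold, flagged months and per-month counts."""
    counts = monthly_counts(parse_panic_dates(listing))
    result = flag_unusual_months(counts)
    result["counts"] = counts
    return result


if __name__ == "__main__":
    report = analyze_listing(SAMPLE_LISTING)
    for month, n in report["counts"].items():
        mark = " <-- unusual" if month in report["flagged"] else ""
        print(f"{month}: {n}{mark}")
    print(f"baseline {report['baseline']}/month, threshold {report['threshold']}")
```

A flagged month is only a prompt to look at the panic reports themselves; benign hardware or driver faults produce the same pattern.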


I doubt it's macOS only, if you remember EternalBlue, that was called that way because it kept bluescreening on machines the NSA tested it on ...


Do you have a source on the blue screening? Usually code names are random but can be less random within a group of exploits/projects (such as eternalblue, eternalromance, eternalsynergy, eternalchampion).


Not OP, but just google Windows7 & eternalblue

EDIT: I realise now that does not answer your question. Apologies.


I've blue screened plenty of computers with eternalblue in the past. I am just not convinced it's where the name comes from, I feel like it's just a happy accident.


The name came from a previous exploit called BlueKeep, which wasn't related to BSOD.

In fact: "On 6 September 2019, an exploit of the wormable BlueKeep security vulnerability was announced to have been released into the public realm.[4] The initial version of this exploit was, however, unreliable, being known to cause "blue screen of death" (BSOD) errors. A fix was later announced, removing the cause of the BSOD error."

They even fixed a BSOD issue that popped up in BlueKeep as that was no good to them.


EternalBlue is probably ancient and additionally was leaked to the public 2 years prior to BlueKeep.


NSO Group will lose a lot of business when authoritarian countries wake up and realize they can simply force Apple to migrate user data into servers they own in exchange for market access.


>when authoritarian countries wake up and realize they can simply force Apple to migrate user data into servers they own in exchange for market access

China is the only authoritarian country with enough leverage over Apple to force them to do that sort of thing. There it's not just an enormous market, but also an utterly critical part of Apple's supply chains. Every other authoritarian country is small fry in comparison, and if they demanded such a thing Apple would tell them to get stuffed. Apple has not just commercial reasons, but political ones as well. While Trump is enamored with authoritarians, the incoming Biden Administration is not, nor is much of Congress or the general public. The EU would also like to at least pretend to care overall. Particularly right now at a time of scrutiny, Apple has every reason to not merely deny such a demand but to do so loudly and publicly.

And seriously, it's not like authoritarians are all stupid (unfortunately) and need to "wake up". They're all aware what China has demanded and gotten away with. If they thought they could too, they would. But they wouldn't, so they don't.


Orthogonal to your comment, but Apple could say no and walk away.

On the other hand, Google did so, and the cost to them is staggering and the reward negligible - they probably regret that decision intensely. It will become a business school case study in why companies shouldn't put ethics ahead of money.

The point being that we need a business environment where it makes business sense to stand up to authoritarian regimes.


Can you imagine if Google were the ones behind the great filter and panopticon that is the Chinese internet? Corporations are made up of human beings and at some point if you have any values you have to take a stand. The whole current philosophy of maximizing shareholder value falls apart when you realize the selfsame system that enables a free market is deeply intertwined with the impact powerful organizations have on society. And history is clear about what happens when industry enables governments to oppress their citizens. It does not end well for millions of people.


The great firewall was originally built by Cisco, but I don't think anybody remembers that.


Does anybody think Cisco is an honest company with goals aligned with its customers and the betterment of humanity?

There's an arrest pending for their (I think former) CEO in case he ever sets foot in my country. For acts he ordered the company to do.


>Orthogonal to your comment, but Apple could say no and walk away.

>On the other hand, Google did so, and the cost to them is staggering and the reward negligible - they probably regret that decision intensely.

Wait, what? Who did Google do that to that wasn't China? Because the only one I remember is China, and I explicitly acknowledged in my comment that they have the leverage to carve their own rules. Arguably even more so with Apple than Google, that's one place where Apple's hardware and vertical integration strategy is a definite weakness vs other players rather than a strength. It's certainly not as if Apple has no negotiating chips vs China, but it's clear who likely has the strongest hand.

But for Google, was there really a "staggering" cost, or any real cost, over refusing the likes of Saudi Arabia or the UAE? I'd love to read up on that if you could point me to what you're thinking of.


"In the Plex" by Steven Levy covers Google's first entrance into China.

Although the book was published in 2011. I do remember it being a good read at the time, and probably still is!


Saying "the only privacy threat you have to worry about is the 1.5 billion person country that makes _everything_ with a chip in it" is like saying "Take your daily arsenic and you won't have to worry about the cancer."


People sometimes say that Linux based OSes largely lack malware because they're unpopular but I would argue that it's also because they're so different from each other. Even if the user wants to install your binary it's hard to make it work on both redhat and alpine, if they don't want it it's even harder. A contrast to this is the extreme monoculture in "mobile OSes" and iOS in particular where even the IM app is more or less dictated by a single small group of people.


> Even if the user wants to install your binary it's hard to make it work on both redhat and alpine

Statically linking a binary to not require libc or musl or any other libraries isn't hard. This is the easiest part of exploit writing. All linux distros run ELF binaries just fine.

People who are trying to package things in a correct way, where the user can list the installed program, uninstall it, have configuration stored in standardized locations, etc... that's actually a harder problem. But just because writing a "correct" package varies a bit by distro doesn't mean an exploit, which doesn't have to follow packaging guidelines, has the same difficulty.

In addition, you're trying to compare it to the difficulty of writing an exploit for iOS. It's not comparable. There's documentation about every step of compiling and packaging software for linux distros. There's no documentation for elevating privileges and breaking iOS's sandbox because it's not intended to be possible.


Is an iPhone safer, or a Pixel 4a w/ 5G?

I seem to hear a lot about iOS 0days and not so much about pixel 0days.


Google has a very good internal security research team and there hasn't been a high impact/zero click RCE on androids that Google themselves maintain for a while.

Considering the recent iOS exploits, you're likely to be a little bit safer on a Google phone and common sense at the moment - but I'm 100% sure that a player like NSO will have an exploit for your phone as well.

Might have more luck with a dedicated "locked down" phone from a security company, there are some players that have entire custom android distributions with enhanced process/app isolation in the kernel and various stuff on top that prevents accidental leaks from "important" apps - also won't be 100% safe there but you can't even get that on iOS.


Apple's security architecture is leagues ahead of Android's. They have bespoke innovative protections at the hardware and hypervisor level, as well as an actual security CPU (as opposed to TrustZone on Androids, which is always Swiss cheese in one way or another). This is largely possible because Apple are building their own silicon (none of the other silicon vendors are anywhere near as competent in this field).

I say this as an Android user. Apple only gets hit with all these exploit chains because they are an immensely valuable single target. All the Android phones are worse, it's just that hacking Android doesn't pay nearly as much (and that market is much more fragmented).

Additionally, Google's public bug bounty project for Android is dysfunctional and run by contractors without the slightest clue how to handle the reports.

On the other hand, since Android is a more open ecosystem, you can make simpler architectural guarantees than you can on iOS. For example, on a rooted Android you can set a long boot-time-only passphrase for full disk encryption which guarantees data security at rest, which you can't on iOS or non rooted Android (they force you to use your regular unlock passphrase, which isn't practical to make long, and in Apple's case isn't used for FDE, though Android is moving in that direction too). But none of that will save you from NSO runtime 0days, just from police seizing your phone and getting data out if you turn it off.


Android dominates the mobile OS market share though. Seems like targeting it would yield a higher ROI. Much like how malware writers target Windows, because it dominates the desktop OS market share.


Hope the HN crowd doesn’t take this the wrong way but, an Apple user tends to be a more valuable target. Think government brass, corporate elites and all their soft bellies, ie daddy’s teenage daughter or run of the mill mistress.


Android is fragmented (though that is changing slowly), which means it's much harder to port and validate a single exploit chain to work on many Android phones.


OP specifically asked about the Google Pixel 4a. If the market being fragmented is working in your favor, why not use it?


> Apple are building their own silicon (none of the other silicon vendors are anywhere near as competent in this field

Why is this useful when their software stack is having enough 0days on its own?

Disc: Googler but nowhere close to Android/Pixel.


In the UK, through Section 49 of RIPA, if you refuse to provide your password to police you will get arrested for 2 years just on that. If they claim it could be national security related, you get 5 years.


Until recently, iOS 0days were worth a lot of money, more than Android. It also represents a nice target because a relatively small number of OS and hardware configurations make up the vast majority of devices. This means you have to do less configuration/messing around to get your exploit working on a lot of devices.

Saying that, there's plenty of Android exploits but they tend to get less press for some reason. https://www.cvedetails.com/vulnerability-list.php?vendor_id=...


Yep. Currently Android 0day is more expensive than iOS.

https://zerodium.com/program.html


Out of the box, probably an iPhone. With proper software (GrapheneOS for example) and configuration, probably a Pixel.


America should stop giving aid to Israel as long as Israeli companies are going to assist in getting journalists arrested/murdered/dismembered.


WhatsApp "attempted" to get NSOs export license revoked and failed. How would you expect America to stop two of their allies from dealing with each other (with a potential courtship in the works)? Especially when America itself gets major weapons contracts to look the other way?

This will just continue to get worse. More journalists and human rights activists will die because some delusional maniacs feelings were hurt, some ex IDF techs want to make some money and a President wants to keep jobs at Lockheed Martin.

Maybe the BDS list should include more countries. Maybe tech as a whole should replace lip service and instead redirect (and/or reject) major funds to fight injustice on a geopolitical level. Maybe VC funds shouldn't "techwash" despot dollars.

The tech industry has a lot of power in itself and can push the needle without the need to rely on 'America' to do something.


>human rights activists will die

Most Israelis I talked to (about this specific subject; including the ones working for NSO Group) do not understand the concept of human rights. The first two questions I get are "How gives these rights?" and "Where does the list written?" in this order with the same intonation. My guess is it's the result of some kind of indoctrination during high school and army service.

P.S. I'm Israeli


Utter crap. The overwhelming majority of NSO's hiring pool -- i.e. army tech "graduates" -- are firmly against them. Another chunk doesn't care and is swayed by their 2-4x salaries, luxurious company vacations, gifts, all things to "make it up for" what you do.

They're known to be "the bad guys". The tech courses we took in the army had plenty of emphasis on ethics, both the moral kind and conflict-of-interest kind.

Source: I'm an Israeli.


>tech courses we took in the army had plenty of emphasis on ethics, both the moral kind and conflict-of-interest kind

All the things done to all citizens of Israel (for example, indiscriminate movement and contact tracing) and residents of occupied territories are made possible by graduates of these courses.

Main emphasis of "emphasis on ethics" is explanation to soldiers how each choice made during a chain of events resulting in underage kid, teenager or old woman in her sixties being shot point-blank is correct and no other choice is possible.


What I meant is "don't go black hat", along with things that, upon writing this reply, might be too revealing to put online.

I've written and rewritten this reply maybe four times, but there's really no way to phrase it in a way you won't twist it to fit your "you're personally responsible for civilian murder" narrative. But I know what we did (my dept. at least), and that was not it.


That's absolutely bullshit, many tech literate people here are against the weapon industry, which NSO is part of. Enough of them don't give a shit, which is why NSO can hire people from the intelligence arm of the army for ridiculous salaries.


I'm firmly in the camp that my brain will never be used in the weapons (or gambling) industry - no matter what the salary.


Not in the weapons industry, but in my experience statements like that struggle to hold up to the test of time. Seems like the places I wanted to work the least for offered the most, by a significant margin.


It's about making your lifestyle fit around the expected income and making a choice to accept lower wages in industries which align greater with your morals.


Everyone involved from NSO execs through to the Saudi's and Emirati's should be facing DOJ indictments no different to what Russian, North Korean and Chinese hackers face

This thin veneer of NSO being a legitimate company has been exposed


If the buck stops with the execs then you concede that NSO is a legitimate company. The techs know what they're making and what it's being used for.

They are just as, if not more, responsible.


Exposed? We knew NSO was selling exploits to authoritarian governments for years. Pegasus is nothing new.


India for the last couple of years has been cracking down on "WhatsApp groups" in occupied Kashmir for reasons unknown. The encryption has not helped them because now they can't just use their homegrown network analyzer called "Netra" to sift through WhatsApp messages like they do on Facebook. Instead they opted to have WhatsApp admins get "registered" and "licensed" to operate their groups. This resulted in being called into the police station and having this Pegasus and other shit installed so that they can get backdoor access.

https://thenextweb.com/in/2020/01/08/kashmirs-police-want-pe...

https://m.thewire.in/article/government/kargil-police-asks-a...

https://www.firstpost.com/india/jammu-and-kashmirs-kishtwar-...

https://theintercept.com/2020/12/06/kashmir-social-media-pol...

The one thing these media outlets don't outright say is the reason why admins are told to report to police stations, and someone on Twitter has an answer to that.

https://mobile.twitter.com/CRolanova/status/1260932017916506...


I did not know this. This is incredibly concerning and warrants another HN post on its own.

Thanks for sharing


Not an issue. I just crossed the 500 days of no high speed mobile internet so yeah, fuck tyrant governments


> Maybe tech as a whole should replace lip service and instead redirect (and/or reject) major funds to fight injustice on a geopolitical level.

So instead of a democratically elected US Govt dropping freedom from a 1 billion bomber on a $10 tent, a bunch of hippies in a small part of the US should use the power of social media to control and direct conversation, culture and world events like some sort of uber-exclusive shady techbro-illuminati?

The problem is genuine but any solution involving tech would only worsen the problem


This is not what I mean.

The tech industry internationally should participate in some form of BDS (as much as they are comfortable with I guess) with these countries.

Also, I believe there should be something akin to the Hippocratic Oath but for developers and engineers.


The US is actively encouraging this business and these weapon deals. If interested in it, the US could thwart it in a second.


America didn't stop giving aid to Israel despite 53 years of military occupation and apartheid. You think this is going to be the thing that changes the status quo on Israel?


Sponsoring international terrorism used to be a real faux pas in the U.S. I guess those days are over.


US was fine with Saudi involvement in 9/11. No one batted an eyelid then.. not sure what time you're referring to.


Hardly.. I still remember when it was considered edgy but acceptable for wealthy Americans to fund the IRA


I wonder how you would classify Osama bin Laden between the years 1979-1989. The US and KSA gave him a total of 40 billion USD during this period..


I mean, regime replacement was totally our thing. We'd gladly put a totalitarian in charge if a country talked socialism.


I doubt those days are over, we'll continue punishing Iran for supporting Palestine.


Saying “Iran is punished for supporting Palestine” is like saying “ISIS was punished for supporting traditional Islamic values”.


People regularly do say that, and they are generally the same ones using Iran's support of Palestine to justify our actions against Iran. I don't get your point.


The problem with ISIS is their beheadings, slaughter of innocents, destabilization of countries, piracy, and persecuting minorities. Not their support of Islam.

The problem with Iran is their development of nuclear weapons, their ballistic missile program which now extends in range to cover Europe, their support in weapons, money and training of various paramilitary groups such as the Houthis, Hezbollah, Hamas and Islamic Jihad, their oppression of their own citizens, hanging gays from cranes, various bombing and attack operations (US forces, Saudi facilities), attacks against oil tankers and calls to annihilate Israel. Not their support of Palestine.


Now ask yourself, how much of that list is the US or Israel also guilty of an equivalent crime? Supporting Palestine is one of the few things that separates them.


You seem to assume “America” values the lives of all journalists, including ones outside their sphere of influence. That has never been true, and likely never will be.

As long as US and Israel are fundamentally aligned on long-term foreign policy objectives, aid will continue to be provided no matter what. Dirty work has to be done by someone.


America has no qualms killing journalists in their sphere of influence, and they even prosecute journalists for reporting on their killings. See "Collateral Murder."


You better watch and read up on collateral murder again, because it sure as shit wasn’t an example of America having no qualms about killing journalists.


Two journalists were killed for being with people committing no hostile actions, the soldiers involved in the actions laughed and taunted those they slaughtered, the government then lied about what had happened for years, and the only people to face punishment are Manning and Assange. And no, carrying weapons in a war zone does not make this acceptable.

When exactly does the US give a shit about killing journalists?


No, that isn’t what happened. Why are you pretending that they knew they were journalists instead of acknowledging that this incident was a tragic mistake?


Nothing in my post pretends that, and "how should we know the media card carrying unarmed civilians we shot were journalists" doesn't help their case as much as you think.


It helps it exactly as much as I think. Obviously the only one who said anything like that is you though. And now you’re falsely claiming that they intentionally targeted unarmed civilians.


I might be able to agree with your extremely forgiving view of the military's actions if they didn't cover the incident up for years. Instead, they intentionally shot unarmed civilians who had done nothing wrong merely for being close to people carrying weapons and reported killing insurgents.


I’m not “forgiving” anything, just accurately recalling the events. You seem to be intent on lying about what happened, even though it’s all in video.


You keep accusing me of lying without even attempting to explain how I'm wrong. The original group containing two journalists was fired on with the US fully aware only a few weapons were present, and with no hostile actions happening. Explain how shooting those people isn't intentionally targeting unarmed civilians.


If America wanted NSO to avoid dealing with particular countries, all it would take is a single phone call to the Israeli government. It can do that, because one country is a superpower and a different country is the client.

I suspect the reason that does not happen is because NSO does the US's dirty work for it, otherwise the US would have stopped it already. After all, the US directly supports those same governments NSO works with. It's probably not too upset its dependents are getting support from a different actor.


The error here is in considering “America” as a single entity

“America” may be more powerful than Israel, but no single American politician is more powerful than AIPAC


AIPAC's secret is the impression it's so powerful, but whenever an American administration wanted to advance a policy AIPAC didn't like (from selling aircraft to the Saudis in the 80s all the way to the Iran Deal), AIPAC melted away. It has no power to defend NSO, and I doubt it even has an interest to.


And yet the Iran deal is gone and not coming back, and recently the US has pushed Arab states to normalize relations with Israel.


Both due to Trump, not AIPAC. Biden is likely to restore the Iran deal, at least in form. US pushing mideast peace is longstanding American policy.


You don't think Trump was influenced by powerful zionists including AIPAC and his son-in-law? Why else would he care?


Why would Trump care to withdraw from the Paris climate accord or the Cuba normalization agreement?

I'm not arguing Netanyahu played no role, he did deploy whatever influence and persuasion he could muster, and that helped overpower the influence of those who supported the deal, like French President Macron. But ultimately it was Trump's decision, and Netanyahu would have had to live with it had Trump made a different call.

Aside, note that nobody even thinks of easing up US sanctions on Cuba again or rejoining that agreement with Cuba. The Democratic party got such a signal from Hispanics last elections it's not even on the agenda.


NSO is a private company. It was even in foreign ownership up to not long ago (when it was repurchased by its original founders). This is not something AIPAC is concerned with. Clearly US government as well as Israeli government have some interest in letting NSO roll its operations (have any NSO officials been banned by the US? US knew to ban Israeli officials in the past, AIPAC or not).


> because one country is a superpower and a different country is the client.

If you have really been paying attention to the US-Israel relationship you know that this is not true.


I say that precisely because I have been paying attention. The opposite impression is useful for both sides, but in reality America calls the shots. Israel would go against America's position only on issues it considers existential or close to such. I doubt NSO even registers.


Netanyahu ran campaign ads about how he undermined and disrespected Obama, even while getting Obama to give him a record $38 billion aid. He colluded with Flynn and the Russians to undermine Obama and promote Trump. He gets whatever he wants from the US. When he wanted to attack BDS he got the first piece of legislation out of the 2019 US Senate, bill S-1. That's more US political power than Chuck Schumer.


"Netanyahu ran campaign ads about how he undermined and disrespected Obama"

More accurately, he ran campaign ads arguing that he fought for Israel against the Iran deal. He further presented himself as a victim of Obama's disrespect, especially since the 'shoe on table' incident.

[EDIT: "while getting Obama to give him a record $38 billion aid"

Longstanding American policy to bolster its client, also a part of the Camp David accords. I do think the aid agreement should not be renewed next time since it's counterproductive to both sides. ]

"He colluded with Flynn and the Russians to undermine Obama and promote Trump."

Wrong. Note however that focusing on this conspiracy shows where the true power lies. When America interferes in Israeli politics it does so openly and without even much mention, because there's no point, it's that powerful (e.g. Clinton helping Peres and Barak, or V-15's funding).

"He gets whatever he wants from the US."

That's why he got the same terms from Obama as he did from Trump, right? After all, it's the same Netanyahu. Nah. It's American policy that changed.

All your list is part of Netanyahu's mystique ("I speak perfect English! I can get the Americans to work in our favour! Even when the administration doesn't support me, because I have so many connections and am so convincing it doesn't matter!"), which is very good for him electorally, but most Israelis have woken up from that.

P.S.

"That's more US political power than Chuck Schumer."

That's a trick question, right? Since Schumer has almost no power - no stage presence, minority in Senate. He can't even threaten the filibuster. (What would he filibuster? The Judicial filibuster has been cancelled, and the Republicans barely have a legislative agenda.

After the GOP keeps majority, everything will be decided by Biden-GOP negotiations, and Schumer will have to sign the dotted line.)


With the GOP his power is substantial. He is dangerous to Israel and the US. Dark times :(


We saw the news this year when a Saudi prince directly authorized the murder and dismemberment of an American/Saudi journalist inside its own embassy. And literally nothing happened.

I'm not holding my breath on America ever making the right decisions with respect to foreign policy.


Khashoggi wasn't American. And imo, he was an idiot - never sought asylum, constantly criticized the Saudi regime, and in the end got diced because he decided it would be spiffy to go to the embassy of the very regime he attacked to get a marriage document or something. That was hubris at play, thinking that he was highly placed enough to not be killed.


Killing idiots is still evil, not sure how any of that matters in the slightest.

I also don't think his nationality should matter, but you're right that he was only a US resident.


His nationality matters in that the US shouldn't raise as much hue and cry as people expected them to do. In fact, the US response was more than sufficient.

Should the US government be equally responsible for your life if you decide to put your head inside a crocodile's mouth? Yet the US government does its part *1000 to get its own citizens back to safety (or kills them with drones, but that's another story). Most countries don't even bother with such hassles - on the contrary, if you're unlucky enough to be British, your government will try to use you as a bargaining chip.


I don’t think this is wise. China, Russia, etc will continue to develop these exploits; what is needed is better security. Of course, most people don’t really care about nation states spying on their phones (it doesn’t have any concrete bad effects on them, after all).


Nations have no friends, only interests; the same could be said of most corporations.

At the risk of sounding pessimistic, there's no value in changing anything if the current course of action aligns with the long term interest of US policymakers and their stakeholders.


The "aid" money must be used to buy weapons from America, a thing that highly supports its industry and gives jobs to tens of thousands of Americans.


Blood money for a highly corrupt industry.


US could prob just sanction NSO and they'd be over.


Not sure why the USA loves Israel so much


From [1]: It's a tight interplay of America's long-running Middle East strategy, US public opinion/electoral politics, and a pro-Israel lobbying campaign that is effective.

Related to the pro-Israel lobbying, the documentary "The Occupation of The American Mind"[2] delves into the propaganda effort that was carried out for years to shape the American public opinion about Israel. I quite recommend it.

[1] https://www.vox.com/2014/7/24/5929705/us-israel-friends

[2] https://www.occupationmovie.org/


The religious right has the whole 'second coming is happening in Israel' thing, so there is that.


The religious right can't even prevent Drag Queen Story Hour from happening, what makes you think they have this much power?

It's more likely that it is simply the influence of Israelis and Jews in America, who are powerful enough to determine US foreign policy (Jared Kushner, as far as I can tell, is not a "religious right" but a zionist Jew).


They have a lot of power because nobody is opposing them in issues related to Israel. Because most people are ok with the status quo, fanatical Christians pull their strings with a large number of voters to support anything related to the state of Israel.


I think it's also because of their stance against Iran


[flagged]


It’s more likely someone is unaware of your examples, because it requires a level of knowledge in corporate geopolitical actors that most people wouldn’t come across via normal news streams.

Be polite.


I’ve seen too many of these comments over the years. They always come from the same hateful place. Once comments like that bubble up, it’s no longer a dialogue and the person writing them is not debating in good faith.


The guidelines tell you to assume good faith, and I think the commenter you’re replying to gave a fairly reasonable explanation of the intention behind what was written. For the most part, people don’t have a vendetta against Israel in particular: they are just unaware of other cases, or aren’t going to bring them up in an article about the NSO group, which is Israeli.


A quick search of “BDS” and “occupation” will quickly demonstrate otherwise.


I mean, Israel/Palestine is obviously a complicated political topic. There’s the BDS, there’s a pro-Israel lobby. My point is that a comment made about trying to punish Israel for allowing the NSO to operate isn’t necessarily trying to push an agenda beyond “I’m angry that exploit brokers exist here”.


NSO is owned by a UK based VC group.


Can you please stop doing this? Multiple people (including myself) have told you directly and repeatedly that your comments are not helpful. Israel, Apple security, Rust, I couldn’t care less: the point is you show up and repeatedly post borderline flamebait and drag the conversation down. Your comments outside of those topics seem completely reasonable and productive so I am unsure why you keep at this particular thing.


Seems fairly hypocritical in a number of ways. From our own companies' actions, like Blackwater, to our allies' actions, like Saudi Arabia, to our own government's actions, like "Collateral Murder" or events in Yemen. Why punish Israel?


> Why punish Israel?

The whole "assist[ing] in getting journalists arrested/murdered/dismembered" thing still seems like pretty good justification to me. I'm not sure "but everyone else is doing it!" makes that acceptable. Requiring that we deal with every single one of those problems simultaneously else we shouldn't bother with any of them doesn't seem productive.

I'm also not sure I'd describe the refusal to actively fund that behaviour as punishment, but I suppose that's somewhat beside the point.


>Requiring that we deal with every single one of those problems simultaneously else we shouldn't bother with any of them doesn't seem productive.

Then deal with the domestic ones first, the ones we have the most control over. People only care about these issues when the solution is "punish the country," a solution that likely causes more suffering than it stops.


Oh yea, NSO is totally not causing suffering. It's a benefit to the world, right?


No, punishing an entire country for the NSO's actions won't necessarily prevent more suffering than it causes.


Israeli courts rejected the case to revoke NSO's export license, which would then implicate the state itself.

IANAL but I think the case can be made that the export of NSO's software is against US law and a violation of the Wassenaar Arrangement. See: 5D002.C.1

So in theory if Israel is allowing one of its companies to break US law then it would make sense to use that as a basis to stop aid to Israel which may be what OP is alluding to.


Israel is not a signatory of the Wassenaar Arrangement, and I'm not sure how that would work under the law mentioned. Either way, it would be rather targeted enforcement considering what the Hacking Team apparently did with Italy signing the agreement.


I guess the question now is: under what jurisdiction do exploits based on WhatsApp and iOS source code lie?

If I reverse engineered and sold exploits of American missile systems while in Somalia would that mean everything is A-OK?

Idk. Again, not a lawyer.


Whether the actions are technically illegal doesn't really matter unless we are already punishing anyone that breaks those laws. In your hypothetical, we would be punishing Somalia when Italy did the exact same thing unpunished.


I forgot to add on my hypothetical that the Somalian government was protecting me. In which case it would be valid for people to be calling for sanctions let alone revocation of state aid.

IIRC, Hacking Team dissolved or greatly downsized after their leak. I do not recall any cases against them for their export license to be revoked. I'm sure if the Italian courts rejected the case baselessly then there would be consequences (maybe further legal action/sanctions on specific individuals) as Italy does not operate with the same unique impunity that Israel does.

The difference with Italy is that it does not receive state aid from the Americans. I'm sure if they were then people would be calling for cuts in a similar situation.


>The difference with Italy is that it does not receive state aid from the Americans. I'm sure if they were then people would be calling for cuts in a similar situation.

This isn't true. On top of the general disaster aid, including $10 million for COVID, we have seven US military bases in the country which accounts for millions a year in aid.


The US is by far the worst aid giver in the western world. Most so-called aid is "you can have this gift if you use it to buy X, Y or Z from businesses in the US".

Look to Scandinavia and you'll see actual aid instead of (poorly) hidden state sponsoring of defense contractors. They even give more per capita than the US without those strings attached. US aid is embarrassing.

Besides, US bases are not aid to the host country but aid by the host country to the US.


>Besides, US bases are not aid to the host country but aid by the host country to the US.

They eliminate some need for the host country to spend on their military, often provide rent money, and stimulate the local economy. It's done to usurp sovereignty, but the host agrees as it benefits them financially.

I don't disagree with your broader point, but I don't see how it changes anything. Calls to stop aid to a country differ even if the countries do the same thing.


Oh ok. Thanks for the correction. If the Italian government shields Hacking Team then I wouldn't be surprised if someone said that they should have that state aid cut.


Can you elaborate on why you think that export of NSO's software would be against US law, preferably which specific law?

My first assumption is that the act isn't covered by any US law at all. For some analogy, the murder of Jamal Khashoggi does not violate any US law as the many US laws regarding murder (i.e. the separate criminal statutes of each of the US states plus any federal laws that may apply) do not regulate acts done by Saudi citizens to Saudi citizens in Istanbul.

So the question becomes not about legality but about policy - whether the act harms US interests. And arguably selling of arms and tools by US allies (e.g. Israel) to US allies (e.g. Saudi Arabia) is not against US policy and thus there's no grounds to apply any sanctions - now, if NSO would sell the same things to Iran, that would be a different issue.

USA could have standing if NSO's tools have been used to hack journalists in USA - but this is not what this article is about. If NSO's tools have been used to hack journalists in Saudi Arabia or the United Arab Emirates or Mexico, that's not a violation of USA laws; and if this has happened according to the legal permissions of the respective government (no matter how lax or arbitrary granting these legal permissions may be) then it's not a violation of any law; if we look from the purely legal perspective and not the moral one, it's perfectly legitimate for sovereign states to make laws that abuse their journalists as much as the state wants as long as it doesn't rise to the level of crimes against humanity. Almost any act or argument against a dictatorship abusing their people is inherently political, not legal.

One incident where NSO may be in hot water is the hacking of Rania Dridi described in the original article if the events happened in London (it's unclear to me from the description) - then this may be cause to assert that NSO are complicit in violating UK law (but not USA law).


I'm not able to elaborate because I'm not a lawyer.

I am speaking in more general terms regarding the history of NSO and Pegasus.

I am not certain if Jamal's phone itself was hacked, but if it was then, in all likelihood, his phone was hacked while he was residing in the US.

His compatriot, who lives in Canada, was definitely hacked using Pegasus, and that happened in Canada.

I have no hope that the UK government would do anything about this unless the Qataris apply pressure.


Everyone does it so I can too?

You have to start somewhere. But yes, let’s also cut off all the others you mentioned.


>You have to start somewhere

Then start with yourself. I'm not condoning Israel's actions but punishing them for what we still do is tyranny.


We can start with ourselves by not sending military aid to Israel.


Which doesn't necessarily prevent any journalist deaths, while we send many Yemeni journalists one step closer to starvation.


We can also stop selling arms to the Saudis and running logistics for them. That would save a lot of Yemenis from starvation.


I get what you're trying to say, but specifically it's the US ongoing blockade putting their food supplies at risk, and more generally you are still punishing other countries for actions we engage in regularly. Start by prosecuting the CIA that plotted assassinating Assange.


Apple needs to do a serious architecture of how its own apps work. It's clearly unacceptable that their own apps are not sandboxed to the same level as everything else. If it's not possible to implement all of iMessage with the public APIs then they need to find a way to expose those private APIs publicly in a safe way.

iMessage and FaceTime have been a constant source of exploits.


It’s not just the lack of sandboxing — iMessage uses language-level serialization of object graphs. This design is never suitable for sending across privilege boundaries. Apple should replace the format with a reasonable wire format. If this requires updates to apps that integrate with iMessage or breaks interoperability with older iOS versions, so be it.


Can you explain a bit? Are you saying they send messages as Swift objects/structures directly? Instead of a serialization like JSON/CBOR/Proto/Proprietary/etc?


Search through https://googleprojectzero.blogspot.com/2019/08/the-fully-rem... for NSKeyedUnarchiver.

This seems to be functionally much like Python’s pickle, Boost.Serialization, Java’s object serialization, etc. These techniques seem clever, and they are genuinely useful for prototyping and for certain applications that inherently have no security concerns, but they are not at all suitable for network use. Fundamentally, for network use, one should define a data format, an API, etc and implement it. Using object serialization is backwards — it’s writing the code and then asking a framework to magically network it, and the result is that it networks it too much.

(There are a few systems for writing code and a network protocol simultaneously that treat security as a first-class consideration. The E language comes to mind. I still wouldn’t use E objects to represent data for interoperability reasons if nothing else. But ObjC is not E, and Apple’s design is inexcusable in 2020.)


I don’t expect anything as old and critical as iMessage is written in Swift. Chances are it’s all Objective-C underneath.


I hear that parts of the app have been rewritten in Swift: https://twitter.com/5aelo/status/1340995243320205313


It’s not clear if this was involved in the exploits mentioned here.


It has been proven to be a weak point in their implementation with previous exploits, and it's likely to be the case here - it's a good guess at least.

Will be interesting to read a write-up.


Apple has been hardening their software to use NSSecureCoding and similar since then, so I would be surprised if this would still be a problem (since this is fairly easy to check for and fix). My guess is that this is probably a run-of-the-mill overflow or corruption.


That’s like saying one can harden pickle by specifying magic options and trying to limit the supported classes to a very large list instead of an effectively infinite list. Sure, you can make the blatantly insecure mechanism harder to exploit, but it’s still a horrible design.

I think Apple could address this for real in one of two ways. They could replace the protocol entirely, or they could treat the existing baroque protocol like any other network protocol and write a grammar and parser for it.

As an analogy, suppose you had a wire format like XML, and you had the clever idea to process it in a dynamic language like Python or ObjC by looking up each tag in a list of all known types and trying to instantiate it. Sure, it would work, and you would be exploited all the time. NSSecureCoding limits the available types to a large and apparently still open ended list instead of literally every type that the deserializer can make sense of.
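The pickle comparison drawn earlier in this subthread and the allowlist point in this comment, as an added example in Python that is not code from the thread, from Apple or from iMessage: a class-allowlisted unpickler (the pickle analogue of NSSecureCoding on NSKeyedUnarchiver) beside a strict parser for a constructed, schema-defined message format. The `ChatMessage` schema, its field limits and the sample messages are assumptions made up for the example.

```python
# Added example, not code from this thread or from Apple: the pickle analogue
# of the two designs discussed above.  Part 1 bounds an object deserializer
# with a class allowlist (the role NSSecureCoding plays for NSKeyedUnarchiver);
# part 2 defines a wire format and a strict parser for it.
import datetime
import io
import json
import pickle
from dataclasses import dataclass

# ---- Part 1: object serialization with a class allowlist --------------------
ALLOWED_GLOBALS = {("builtins", "dict"), ("builtins", "list")}  # plain data only

class RestrictedUnpickler(pickle.Unpickler):
    """Refuse any global not on the allowlist.  The sender still chooses the
    shape of the object graph; we only bound which classes it may name."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"forbidden global {module}.{name}")
        return super().find_class(module, name)

def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def plain_data_pickle() -> bytes:
    return pickle.dumps({"a": [1, 2]})  # constructed: builtin containers only

def foreign_class_pickle() -> bytes:
    # constructed: a harmless class that is simply not on the allowlist
    return pickle.dumps(datetime.date(2020, 12, 20))

# ---- Part 2: a defined wire format with a strict parser ---------------------
MAX_SENDER, MAX_BODY = 64, 4096  # constructed limits for the schema below

@dataclass(frozen=True)
class ChatMessage:
    sender: str
    body: str

def parse_message(data: bytes) -> ChatMessage:
    """Parse one message against a fixed schema (constructed, not iMessage's).
    Each field is checked for presence, type and length before any object is
    built; an unknown field is an error, not a type name to look up."""
    try:
        obj = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:  # JSONDecodeError is a ValueError
        raise ValueError(f"malformed message: {exc}") from None
    if not isinstance(obj, dict) or set(obj) != {"v", "sender", "body"}:
        raise ValueError("unexpected field set")
    if type(obj["v"]) is not int or obj["v"] != 1:
        raise ValueError("unsupported version")
    sender, body = obj["sender"], obj["body"]
    if not (isinstance(sender, str) and isinstance(body, str)):
        raise ValueError("wrong field types")
    if not (0 < len(sender) <= MAX_SENDER and len(body) <= MAX_BODY):
        raise ValueError("field length out of range")
    return ChatMessage(sender=sender, body=body)

def rejected(loader, data: bytes) -> bool:
    """True if `loader` refuses `data` (used by both parts above)."""
    try:
        loader(data)
    except (pickle.UnpicklingError, ValueError):
        return True
    return False

# Constructed sample messages for the wire-format parser.
GOOD_MSG = b'{"v": 1, "sender": "alice", "body": "hi"}'
BAD_MSG = b'{"v": 1, "sender": "alice", "body": "hi", "cls": "Foo"}'
```

The allowlist only narrows which classes the unpickler will resolve; the parser instead decides what a valid message is before any object exists, which is the difference the comment above is drawing.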


This is why no amount of "but apple cares about privacy" will ever make me drop the "Trust but verify" I try to live by (money allowing), even if I believe they care more than most.


I look at the “Apple cares about privacy” as a qualified “more than them other OS & mobile firms”, not “enough that you should blindly trust us”. No one’s security is perfect.


Including your own! A big part of opsec is putting systems in place that mitigate dangerous but unavoidable human behaviour.


Apple's security model seems to mostly be based on fixing issues fast and pushing them out to almost all users. That means the only people at risk are those worth burning a brand new exploit on. The average consumer is pretty safe.


When it comes to security (and literally everything else), don't even bother with the "trust" part and skip directly to "verify".


iMessage is not being attacked because it's not as sandboxed as other apps. It's being attacked because it's accessible with zero clicks.

For an attack like this you need to chain an iMessage exploit with an LPE, and the LPE can be launched from any other app.


LPE. What is an LPE?


Not sure, but it might mean Local Privilege Escalation. It’s one thing to take control of the iMessage process, it’s another to then gain kernel level access.


Yes, it means local privilege escalation.


In this case it might not be necessary to escalate privileges, as iMessage itself may have been the target.


Apple has never devoted enough care, resources, or money to cybersecurity. It’s just a fact.

They’ve also never devoted enough care, resources, or money to network architecture and how important availability is (with fairness, they have improved in this area in the last couple of years due to the major iCloud outages they had).

Apple doesn’t hire mainstream IT people and cybersecurity people from the enterprise realms. There is a vast amount of talented people and knowledge they simply ignore because the Apple culture is too hip and cool for that.

Steve Jobs is primarily to blame for all the above. He treated the departments and any person that cared about enterprise like dirt. Steve Jobs always said Apple is a consumer company. This philosophy has obviously carried on.


Every Apple security developer I've interacted with has been astonishingly competent. Unfortunately Apple's corporate policies mean they're very rarely in a position to publicly discuss things they're working on, so their visibility is significantly diminished (one of the reasons I wouldn't work there).


They absolutely do hire cybersecurity folks from enterprise companies. Source: I know them.


That is wonderful news. Thanks for the update.


Some of my most competent security friends work or used to work for Apple.

They are, indeed, not "IT people and cybersecurity people from the enterprise realms", because those would be wholly unqualified to work on iOS security. The people actually working on iOS security are hackers and embedded security experts. As they should be. The enterprise cybersecurity world has approximately nothing to do with something like security of a mobile device (e.g. the people in that field wouldn't know the slightest thing about cutting edge exploit mitigations or hardware assisted countermeasures like pointer authentication, memory protection and IOMMUs, etc).


Apple has some of the top security people in the business. If “enterprise” experience is your bar, they have former Microsoft, Amazon, Google people ranging from junior engineers to VPs, including their current CISO. They have also hired non-enterprise people who wrote exploits like the one NSO used, as well as other prominent hackers.


but which tech companies do devote enough care, resources and money to cybersecurity?

I always figured the industry never really rewarded those things over aspects (e.g. time to market).


"Cybersecurity" is a meaningless buzzword, but I can give you a more specific statement.

Which tech companies devote enough care and have competent personnel working on embedded consumer device security?

Answer: Apple and Microsoft (Xbox group).

(Google is nowhere close because they don't design their own silicon, and the OEMs they rely on are incompetent in this field, so their efforts can only go so far, no amount of hiring competent sec folks will fix that problem).


I wonder if this weakens their "security" argument in the appstore walled garden case.


It seems like a fairly slam dunk argument that at very least they can't be trusted to do it of their own accord.


iOS and macOS don’t allow you to delete many of their apps. Why on earth do I have to have iMessage if I don’t use it?


It is hard to read and impossible to send an SMS on iPad without activating iMessage. I don't understand why this hasn't been considered anti-competitive behavior already. It is completely normal to send and receive SMS messages on Android tablets...


They didn't build themselves a tiered walled garden to be on an equal footing with others, either capability or speed-wise.


"The phones were compromised using an exploit chain that we call KISMET, which appears to involve an invisible zero-click exploit in iMessage"

Why isn't there a hardware switch on the phones that renders the OS read-only during normal use?


I found the most HN comment in this thread.


How would this work, and how would it help?


@saagarjha > How would this work, and how would it help?

Well if the OS is rendered read-only at the hardware level then malware can't take up residence.


The malware would run out of RAM, then. It’s not like the files it’s writing to disk are enabling it to gain persistence.


Journalists as messengers have always been targeted, and even killed, and it seems that Apple’s messaging system was the attack vector here.

While the article decries NSO being nefarious and selling to suspect “authoritarian” countries, high schools here in our democratic US have been buying hacking solutions to spy on students:

https://gizmodo.com/u-s-schools-are-buying-phone-hacking-tec...


That isn’t a spy tool. It’s for forensics. You have to hand over your phone and unlock it voluntarily, and physically attach it to that thing and dump it. Very different.


It's only for forensics because schools cannot afford the version that breaks into the phone for you; it's expensive and not something that a school can get access to.


No. It’s because they’re totally different products, and Cellebrite, a forensics company, doesn’t make a version that you are describing. They make forensics products, not monitoring tools. They have nothing to do with NSO.


This certainly sounds like something that breaks into a phone to me.

https://www.cellebrite.com/en/ufed/

They don’t have to have anything to do with NSO to have phone exploits that they use to gain access to the device without the owner's permission.


It isn’t a backdoor or spy tool. It cannot be used for surveillance.


If journalists start sharing Google Voice numbers instead of their iPhone #s then would they be resilient to this sort of attack?


Depends. Perhaps it may not be zero-click, but it's definitely possible to hack someone's phone using a communication app by sending a malicious payload. For example, Jeff Bezos's iPhone was hacked using a WhatsApp exploit.


I'm not sure Google Voice is all that secure. When I activated my Google Voice number I instantly had access to dozens of the previous account's voicemails. Some of them were rather private.



This is a dupe but seems to go into more technical detail. There’s no mention of iMessage in The Guardian’s coverage.


It's all sensational articles though. Show me the bug they used to exploit iMessage. That'd be far more interesting than this Cold War madness we read every day.


Whilst some details of the attack are still under wraps as Apple is still working on a fix, there is a considerable amount of detail under "The Attacks" [0].

The initial vector appears to exploit imagent, to cause the download and installation of Pegasus, in most cases. This is likely because imagent runs under the root user.

[0] https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hac...


They may be under NDA from Apple as iOS 11 is still widely used (I think).


I think you misread. The exploit affects all iOS versions before iOS 14, not just iOS 11.


"In July 2020, KISMET was a zero-day against at least iOS 13.5.1 and could hack Apple’s then-latest iPhone 11."


Since this is a software exploit, not a hardware one, the model of phone hardly seems relevant. An iPhone 11 running iOS 14 should not be vulnerable to this. However an iPhone 8 running iOS 13.5.1 is presumably vulnerable. I suspect the parent post conflated iOS 11 (software) with iPhone 11 (hardware).


That was my guess too, but I simply posted the claim from the article, since neither the parent (ironically) nor the GP appeared to have read it correctly.


When engineers make companies that sell tools like this, it makes all the talk you see about ethical AI and privacy look like bikeshedding.


It's hard to weigh the aggregate harm of doing something slightly bad at massive scale against the aggregate harm of doing something very bad to a small group. Both are pretty bad, and we should be vocal about both.


Ethical AI are rules of engagement for honest brokers. Having honestly intentioned people not have hidden badness in their products is still important even if other dishonest people do bad things.


"Journalists"? More like Islamist propagandists on the payroll of the Qatari regime and the Iranian intelligence seeking to spread instability and fan discontent among Shia minorities in the Gulf Arab countries. Not that the Gulf monarchies are angels but it's funny seeing people in the Western countries naively cover up for Islamist radicals (like Khashoggi) who like to posture all liberal and democratic until their Muslim brotherhood friends win the elections and institute an Islamist theocracy. Truly, Lenin was right when he said (apocryphally) that "our enemies will sell us the rope which we will hang them with".


"Alexa, hack into all journalist's computers, tablets, cell phones, and while you're at it, hack into all big banks, financial institutions, stock exchanges, voting machines, military installations, CIA, FBI, NSA, DHS, government computers, foreign government computers, corporations (USA, China, heck, every foreign corporation), every database, all of hollywood, silicon valley, the justice system, state governments, democrats, republicans, russians -- in fact, just hack EVERYBODY..."

Alexa: "OK, Done! Will there be anything else?"

You: "Yes! Alexa, cross correlate the results of all that data and tell me JUST WHAT IS GOING WRONG IN THE WORLD TODAY?"

Alexa: "Done! Here are the results in URL format:"

Alexa: "

https://en.wikipedia.org/wiki/Fruit_of_the_poisonous_tree

https://en.wikipedia.org/wiki/Pre-crime

https://en.wikipedia.org/wiki/Minority_Report_(film) "

You: "Damn, Alexa, you sure are smart!

"Hey, would you mix me up a drink, like a whiskey sour, or a mojito or a bourbon or something like that?"

Alexa: "I'm sorry Dave... I can't do that... I'm not connected to a drink mixing machine..." <g>

(Oh yeah, and watch out for this guy too:

https://en.wikipedia.org/wiki/HAL_9000 )

<g>

Disclaimer: All of the above is fiction and written for comedy purposes only! <g>

Any and all similarities between the fiction above and anything in the real world -- is purely coincidental! <g>)

