Comments

echo October 25, 2021 2:44 PM

I think you can also add so-called “dark design patterns” and weaponised databases into the mix along with turnkey cyberweapons.

Within the current climate I really do think a case can be made for corporate manslaughter at a minimum as well as crimes against humanity in some quarters. I don’t believe public inquiries or early retirement are adequate responses. I’m thinking “whole life tariffs” for some as well as other robust measures using other available tools.

Sumadelet October 26, 2021 3:48 AM

Politics aside, this case simply illustrates what @Clive Robinson and others have said here many times in the past: having your security endpoint on the same device as your communications endpoint is a bad idea. What the zero-click exploit demonstrates is that you must treat remotely accessible devices as compromised. Always.

JohnnyS October 26, 2021 6:25 AM

Who is the greater “bad actor” here? The vendors trying to make a buck by exploiting bad software, or the purveyors of these leaky, crappy “operating systems”?

If Android and iOS are so full of zero-days that someone can make a handsome living off of breaking into those systems, then you need to hold the purveyors of those OSes responsible for their failure to deliver software that is either reliable or secure.

jack o latern October 26, 2021 9:28 AM

FTA, “As long as we store our lives on devices that have vulnerabilities, and surveillance companies can earn millions of dollars selling ways to exploit them, our defenses are limited, especially if a government decides it wants our data.”

So don’t store your life on your phone.

The following is especially exasperating.

“Did they steal my contacts so they could arrest my sources? Comb through my messages to see who I’d talked to? Troll through photos of my family at the beach? Only the hackers knew”

Why on earth was he storing photos of his family on a phone that contained confidential information that could lead to the death or injury of his sources? That’s bad security to the point of reckless endangerment of his loved ones.

I’m not justifying the bad behavior of the attacks but I also believe that in this environment the end user has some minimal duty to protect him or herself. Hardware isolation between work and play is not too much to ask. It just isn’t. If one is willing to risk the life of one’s family to avoid the inconvenience of having two phones then it strikes me that one’s life priorities need to be questioned in more ways than one.

Rob R October 26, 2021 10:19 AM

@jack o lantern: No, blaming the victim is not productive to finding a solution. The attacker could have easily compromised both his phones if the reporter had kept his work and home life separate. Many employers make using a personal phone for work easy by subsidizing the cost of the phone and sandboxing work apps. This is pretty common, but I don’t know how the NYT handles their employees’ phones.

Andy October 26, 2021 10:26 AM

The way I see it, NSO and others are doing us a favor by showing that “the emperor has no clothes.”

I see no blame being put on OS or the end user. If it weren’t for NSO, someone else would have done it. Remember the Crypto Wars. Treating crypto like munition didn’t prevent others from developing capabilities. North Korea of all places was able to successfully attack Sony Pictures.

Clive Robinson October 26, 2021 10:32 AM

@ jack o latern,

So don’t store your life on your phone.

But that is what we are being pushed towards both by Corporations and Government entities.

Whilst it is not yet compulsory in the UK for certain I can see it being a policy of the current incumbents.

The policy is clearly to turn a person’s mobile phone into an “egg basket” of their private financial and other data.

I was in a bank a few days back asking about opening a “savings account” and saying I did not want “online banking”. I was told that the bank policy was for all customers to not just have but use “online banking”. I politely asked what their policy was to stop “Identity Theft” and apart from pointless and worthless platitudes no answer was forthcoming, so I made it clear that was not acceptable, and left.

So the policy appears to be,

1, Make you carry a mobile phone as a tracking device at all times.

2, Stop any kind of cash based transactions, by forcing NFC etc purchases from your phone.

3, Make all your “documentation” electronic only to be carried on the mobile phone.

If people can not see the danger behind these policies then I wonder what they are thinking about…

John October 26, 2021 11:02 AM

Hmmm….

Carry a ‘special’ phone that reads the local RF….

So charges never appear on your account :).

I wonder how long it will take? Maybe it is already happening?

WEP – Wireless Equivalent Privacy and other fiction!

John

echo October 26, 2021 11:32 AM

I was in a bank a few days back asking about opening a “savings account” and saying I did not want “online banking”. I was told that the bank policy was for all customers to not just have but use “online banking”. I politely asked what their policy was to stop “Identity Theft” and apart from pointless and worthless platitudes no answer was forthcoming, so I made it clear that was not acceptable, and left.

Thankfully my bank provides but does not require online banking. (There are certain classes of transaction I would instruct the bank in writing to ignore if conducted via any other method than in-person with a member of bank staff who personally knows me. In fact on one occasion I said I would leave and come back the next day as they weren’t available. Staff did actually go looking for and produced them so the business was concluded soon after.) It is however annoying to learn certain transactions require official photo ID. So this is another reason to get my passport. Oddly enough the same bank staff who require photo ID are the same people authorised to sign necessary documentation for supporting said passport application. This is slightly farcical and gold plating of requirements laid down in law. In fact it’s not the first time I have triggered “fraud prevention” policy which was not backed up by a policy nor lawful and likely made up on the hoof but we are where we are.

So the policy appears to be,

1, Make you carry a mobile phone as a tracking device at all times.

2, Stop any kind of cash based transactions, by forcing NFC etc purchases from your phone.

3, Make all your “documentation” electronic only to be carried on the mobile phone.

If people can not see the danger behind these policies then I wonder what they are thinking about…

This from the current ruling party who some elections ago were screaming “No ID cards” and making jokes about “papers please!” and “EUSSR” and making comparisons with North Korea.

Needless to say I want my passport so I can get the [expletive] out of this place given what is coming down the pipe.

Aaron October 26, 2021 11:56 AM

Smartphones: the danger of opening Pandora’s box isn’t knowingly doing so; it is unknowingly doing so.

SpaceLifeForm October 26, 2021 4:21 PM

@ Sumadelet, Clive

Looking from another angle

… is that you must treat remotely accessible devices as compromised. Always.

Hmmm, remotely accessible devices. Like a web server?

How is that Certificate Authority system working for you today?

SpaceLifeForm October 26, 2021 6:07 PM

@ Sumadelet, Clive, ALL

Those remotely accessible devices do exist.

Operation HunTOR.

Clive Robinson October 26, 2021 11:04 PM

@ SpaceLifeForm, Sumadelet, ALL,

Hmmm, remotely accessible devices. Like a web server?

Any device where the communications end point allows an “end run attack” around the security end point would be a “remotely accessible device” from a security perspective.

So yes “Like a web server” or “web client” or anything where the OS, drivers, or other Apps allow access to the “plaintext” past the final security end point.

Why do I say “final security end point”? Well, consider how crypto worked for the past two millennia if not more. The message became encrypted and put into an untrusted communications network. Until the Victorian era this meant giving it to a person who transported it by horse power. If the message was traveling a great distance this would require several horses and several people. By the late 1600’s “courier networks” had started forming for “mail”, thus a “layered system” developed using coded messages that ended up in physically sealed packets, that in turn ended up in physically sealed bags, on coaches with armed coachmen. Each being a different security layer.

So as long as the first and final security end points are secure, it does not matter how secure or insecure the points and security layers in between are.

By WWII it was realised that the security in between was not for “confidentiality” or really even for “integrity” but “availability”. So as long as the crypto was strong the message could be broadcast by radio to anyone who cared to tune into the transmission.

And that is the point, the only trust you put in the network between the first and last communications end-points is that it will deliver the encrypted message no matter how complex the underlying layers are.

So to ensure the system is secure you need to do three things,

1, Have strong encryption.
2, Armour the ciphertext.
3, Ensure the plaintext / ciphertext isolation is sufficient.

It’s this “isolation” that is by far the hardest thing to do and get right in the face of “Level III / State Level” attackers.

Which brings us to,

How is that Certificate Authority system working…

The problem is the “Private-Key” which is the “Bag of Bits”(BoB) “Abstract Data Type”(ADT) that forms the “Root of Trust”(RoT). It is ensuring it is easily available for the intended purpose, and not available to anything else.

This can not be done on consumer, or commercial computers, as they fail to maintain segregation. Even those “trusted enclaves” fail.

So the solution is to use some kind of “Hardware Security Module”(HSM) where the Private Key is held in an isolated way, and ciphertext is pushed into the HSM on the insecure interface and plaintext pushed out of the HSM secure interface.

Obviously there is a lot of thought that has to go into the design of a HSM due to side channel elimination. And as has been found, even the “professionals” get it wrong sometimes.
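The three requirements Clive lists above (strong encryption, armoured ciphertext, plaintext/ciphertext isolation) and the HSM-style boundary where ciphertext goes in on the insecure side and plaintext comes out on the secure side can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from the thread or from any HSM vendor. The `ToyHsm` class, the `untrusted_relay` function and the message text are all constructed for the demo; the stream cipher is a toy built from SHA-256 in counter mode so that the example runs with the standard library alone, and it is not a production cipher. The armour is encrypt-then-MAC with HMAC-SHA256, which is a real construction.

```python
"""Model of first/last security end points with an untrusted network between.

Added example for illustration only. The ToyHsm holds the keys and never
returns them; callers only get seal()/open(). The keystream below is a toy
(SHA-256 counter mode), NOT a production cipher. The armour layer is
encrypt-then-MAC with HMAC-SHA256, which is a genuine construction.
"""
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


class ToyHsm:
    """Security end point: keys live here, only seal/open are exposed."""

    def __init__(self, master: bytes) -> None:
        # Derive separate keys for encryption and for the MAC armour.
        self._enc_key = hashlib.sha256(b"enc" + master).digest()
        self._mac_key = hashlib.sha256(b"mac" + master).digest()

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        # Toy keystream: SHA-256(key || nonce || counter), concatenated.
        out = b""
        ctr = 0
        while len(out) < n:
            out += hashlib.sha256(self._enc_key + nonce + ctr.to_bytes(4, "big")).digest()
            ctr += 1
        return out[:n]

    def seal(self, plaintext: bytes) -> bytes:
        """Secure interface in, insecure interface out: returns armoured ciphertext."""
        nonce = os.urandom(NONCE_LEN)
        ks = self._keystream(nonce, len(plaintext))
        ct = bytes(a ^ b for a, b in zip(plaintext, ks))
        body = nonce + ct
        tag = hmac.new(self._mac_key, body, hashlib.sha256).digest()
        return body + tag

    def open(self, armoured: bytes) -> Optional[bytes]:
        """Insecure interface in, secure interface out: plaintext or None on any tamper."""
        if len(armoured) < NONCE_LEN + TAG_LEN:
            return None
        body, tag = armoured[:-TAG_LEN], armoured[-TAG_LEN:]
        expected = hmac.new(self._mac_key, body, hashlib.sha256).digest()
        # Armour check first: reject before any decryption happens.
        if not hmac.compare_digest(expected, tag):
            return None
        nonce, ct = body[:NONCE_LEN], body[NONCE_LEN:]
        ks = self._keystream(nonce, len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks))


def untrusted_relay(wire: bytes, corrupt_at: Optional[int] = None) -> bytes:
    """Communications end points and network: may read or alter every byte."""
    if corrupt_at is None:
        return wire
    buf = bytearray(wire)
    buf[corrupt_at] ^= 0x01  # a single flipped bit somewhere in transit
    return bytes(buf)


def demo() -> dict:
    """Run the message through the relay under normal and hostile conditions."""
    master = os.urandom(32)  # constructed for the demo; in reality never leaves the HSM
    sender, receiver = ToyHsm(master), ToyHsm(master)
    stranger = ToyHsm(os.urandom(32))  # a device without the key
    msg = b"meet source at the usual place"  # constructed sample message

    wire = sender.seal(msg)
    return {
        "relay_sees_plaintext": msg in wire,
        "delivered": receiver.open(untrusted_relay(wire)),
        "corrupted": receiver.open(untrusted_relay(wire, corrupt_at=20)),
        "truncated": receiver.open(wire[:-1]),
        "wrong_key": stranger.open(untrusted_relay(wire)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The point the model makes is the one in the comment: the relay in the middle can read and alter everything it carries, yet the only property the sender relies on from it is delivery. Confidentiality and integrity live entirely in the two `ToyHsm` end points, and anything that breaks the armour (a flipped bit, a truncated packet, a receiver without the key) is rejected before the plaintext ever exists on the receiving side. What the model cannot show is the hard part Clive names: on a real device the `open()` result still has to be kept away from the OS, drivers and apps that share the machine.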

John October 27, 2021 6:36 AM

Hmmm…..

When the comm ‘channel’ is no longer available…

  1. ‘Remote’ device needs to function OK when there is no channel available.

This is the BIG failure mode today. No cloud. No big or little brother. Device does not work usefully.

Problem is much worse when deceptive ‘other’ information is then made ‘available’.

John

Clive Robinson October 27, 2021 8:54 AM

@ John, ALL,

No cloud. No big or little brother. Device does not work usefully.

This is a problem that goes back six or more decades to early computers and operator terminals and later user terminals with 300 75 or 300 baud dial in.

Over the years things have swung from “Central control dumb personal control” to “Personal control to dumb service control” and back again as the rise and fall of PC’s etc has happened. Such as who remembers “thin clients”, something that is kind of coming back with “cloud services” and “Bring your own device”(BYOD) though as commercial rented service not organisational.

Obviously as such it brings into question,

1, Security / confidentiality.
2, Availability / reliability.
3, Integrity.
4, Many legal and regulatory aspects both civil and criminal.

But there is also a “tipping point” issue. Personal Computing requires a degree of “horse power” depending on what the actual task is. If too many people go down the very low power thin client route, the cost of more powerful PC’s will rise due to lack of volume sales (software likewise). Thus the cost of “independence will rise” disproportionately and a cost spiral will start, that may not be possible to get out of as easily as it was to get into. Because whereas you have choice to go down thin client or not now, past the tipping point of industry cost changes you will not have a choice of switching back…

echo October 27, 2021 9:28 AM

@Clive

You do realise your answers sometimes kill creative discussion of solutions? There’s a public policy discussion here around economics and the environment and what form of products are available in the market but I may as well not bother mentioning it. Everyone is welded to narrow and reactive thinking.

A Raspberry PI400 if they tweaked it for 16GB and SSD out of the box would do for the overwhelming majority of businesses and most people. Before the latest iterations I looked into a Raspberry PI as a small form factor solution for bolting to the VESA plate on the back of my display. Instead I went for end of lease business class “new to me” very repairable laptops. Somebody paid through the nose for those and I got them for approximately £220 each.

There’s a bigger discussion on the meta issues of economics, business models, public versus private funding and so on and so forth. People used to have discussions about stuff like this but the narrative today is so controlled and sterile especially in the UK (and US) you wouldn’t know there was a different way of doing things.

Not everything is an either/or thing.

Peter A. October 27, 2021 9:32 AM

@Clive: re: savings account

I am afraid we’re heading (if not being there already) for a world where the most secure bank is the “land bank”, i.e. a jar of currency buried in your backyard. Your savings may become losings by one signature of a busybody on some piece of paper.

Just after COVID situation started a panic, supplies mostly bought out, borders closed etc. I also panicked a little bit and decided to withdraw some rather laughable amount of a more stable than local currency which was just sitting there from a past transaction. I phoned the bank to book the time and place of withdrawal, per procedure. I got an angry answer of “no, why do you need that, borders are closed”. I asked for a legal basis for refusal, and got the answer of “the order of the bank’s CEO, based on the executive order of ministry of whatever”. There was no communication to the effect on the bank’s page (even if it held various CEO’s announcements and stuff), and I could not find any EO on the official government register of acts of law that restricted banking activity (there was a lot of bullshit about compulsory masks and stuff, closing out businesses etc., but nothing about foreign currency transactions). I had to do some tricks to wire transfer that money to another bank and withdraw it in a few batches.

So, please everybody consider what can happen in a more serious situation.

Clive Robinson October 27, 2021 10:31 AM

@ echo,

You do realise your answers sometimes kill creative discussion of solutions?

How odd, normally it is me telling people how not to get stuffed down the “Our Way or No way” highway.

The point I was making is that there is an economic trap caused by “short term thinking”: if people stop buying a particular type of product then the law of “Supply and Demand” comes into play so “No demand” becomes “No supply” within 18 months in the ICT industry. Unfortunately it does not work as well the other way: “Demand today” does not cause “Supply today” or any time soon if ever.

But it is made worse due to “contracting out”; whilst people will queue up for your business, once they have you they will “fence you in” in some way.

You might remember those Amazon Cloud “Storage trucks” that got a posting here a while back (called Snowball or similar). Whilst they would send one out to get your data, you could not get your data back the same way, you got little boxes Fed-Ex’d or similar and it might take weeks. That is just one overly obvious form of “Vendor lock-in” which is peanuts compared to “industry lock-out” where product is taken out of the market.

It is as I said a trap, but C-Level management rarely tend to think about such things until the industry lock-out has happened, and they are then forced into the path of vendor lock-in because they have only done at best short term planning…

But,

A Raspberry PI400 if they tweaked it for 16GB and SSD out of the box would do for the overwhelming majority of businesses

Would be a form of “lock-in”…

For about two decades now a large amount of desktop computing has been “technical makework”. That is the bells and whistles of desktop OS’s and Apps have driven the “upgrade cycle” via the IT “Hamster wheel of pain”. In reality the humans at them are steadily getting less and less productive due to the bells and whistles. That is a simple letter has to be a work of art, conforming to corporates branding… Even Emails suffer the same “branding fate” with bells and whistles being the driving force…

The thing is though I am cautious about saying it, the likes of ML and AI have progressed far enough that running such systems “on the desktop” is now becoming possible for more and more “knowledge workers”.

That is, DataBases are going to get “intelligent”. So it might trigger a need for increasingly powerful desktop machines at sensible costings. One aspect of this is “immersive technology” or “VR on Steroids”, because it highlights a more general aspect of data usage. Which is “local detail -v- distance overview”.

The required scope of coverage changes with distance, so you don’t need to have anything more than “local” at high precision; as you effectively move, precision can be lost where you move away and increased as you move towards. Most forms of data can be stored and utilized in this respect. That is yesterday’s sales total, last week’s, the month before, the quarter before. Fine detail diminishes with how distant you are looking. Basically anything that gets aggregated with dimensional distance, where the dimensions can be temporal etc.

Sumadelet October 27, 2021 3:32 PM

@John.

I presume that was a rhetorical question, but for the benefit of others.

The Raspberry Pi has an ‘other’ feature in that it boots via proprietary firmware executed by the GPU before the ARM core is started. This behaviour is well documented.

h++ps://raspberrypi.stackexchange.com/questions/10489/how-does-raspberry-pi-boot

Firmware repository of pre-compiled binary files (no open source): h++ps://github.com/raspberrypi/firmware

Sumadelet

Steve October 27, 2021 8:20 PM

@Bruce:

The world needs to do something about these cyberweapons arms manufacturers.

Something tells me that’s easier said than done.

Recall that a gentleman named Abdul Qadeer Khan happily proliferated nuclear weapons technology to North Korea, Iran and Libya for decades without much in the way of a penalty and nuclear weapons are a mite more dangerous than a bug on a journalist’s phone.

If there’s “something” to be done by the world, let’s hear it.

Clive Robinson October 27, 2021 10:17 PM

@ Steve,

Recall that a gentleman named Abdul Qadeer Khan happily proliferated nuclear weapons

Better known as “AQ Khan, Father of the Pakistani nuclear bomb”.

Who died just a couple of weeks ago,

https://www.bbc.co.uk/news/world-asia-58857827

And still much is unknown about his life and activities.

We do know he stole the centrifuge technology whilst “doing work” apparently in the Netherlands of all places. He set up his company selling not just the designs but working units of centrifuges in Switzerland. Which as a very much independent state within Europe but not really part of it, takes a quite liberal attitude to technology that other western nations get all up tight about including Cryptographic machines.

But whilst AQ Khan stylized himself as “the father of the Pakistani nuclear bomb” he was just one of several people. What is not clear is just what knowledge he sold on and to whom. He certainly sold centrifuge designs, but actual bomb designs? Many do not think he did.

The thing is whilst it was Libya that in effect sold him out to the CIA and the UK SIS (MI6) we actually only know about centrifuges, that are a “foundation corner” of not just nuclear bombs but nearly all nuclear activities such as power stations as well.

What we also know is that high level officials in Pakistan darn well knew what he was up to and actively encouraged what he was doing. Very specifically to North Korea via Iran in return for North Korea’s missile technology.

Hence the reason for stuxnet, the US could not get at “The Hermit Kingdom” of North Korea and they certainly lost quite a number of people trying. So a plan was hatched to try to spread very dangerous malware via Iran in the hope it would get into North Korean systems.

Whilst Iran suffered to an extent, they had actually moved on from the AQ Khan centrifuge design. To a more efficient “type II” design, which was sufficiently different from the AQ Khan design that although the control systems were the same thus vulnerable the actual mechanics were sufficiently different to the ones Israel had from Libya that the harm was not catastrophic. Stuxnet failed entirely with North Korea as they openly showed Swiss Inspectors a few days after the news of stuxnet broke. Not only did the North Koreans have significantly different centrifuge mechanics, their control systems were very different and the malware did not do the North Korean program any harm.

Thus North Korea has more than just a working nuclear bomb, more importantly they have a long range ballistic missile delivery system capable of reaching not just into Low Earth Orbit, but to the continental USA.

Contrary to what various US neo-con organisations and politicians say, North Korea is not really a nuclear threat to the continental USA. Their system if deployed would be a suicide shot and they well know it.

What it is, is the equivalent of a “Keep off the grass” notice to the USA that has repeatedly behaved in “bad faith” and in the process actually driven North Korea down the nuclear bomb path. That is North Korea is very much behaving as a “rational actor” as does Iran, and unlike the USA which in its foreign policy even acts at odds with the US citizens’ own interests all too frequently…

echo October 27, 2021 11:01 PM

@Clive

You’ve kind of done it again… I don’t think we reason on the same plane.

Baseline: There’s enough to cope with the majority of use cases.

Short-cuts: The IQ of an algorithm and data can be extracted and boiled down. Your average person or job function is simply not going to have a need nor be able to acquire the data to require the local resources to crunch anything original.

It’s the same as Photoshop. Most people don’t need Photoshop but want it on the off chance they may have a theoretical use. A 10 year old copy of Photoshop Elements would be good enough.

It’s not trivial but an open standard OS level API could facilitate local to remote processing, parallelism, shared storage, reconciling billing, close/loose coupling and all that jazz. The reason this is not baked in as standard is the usual suspects want you to keep buying their services.

Then there is the UK government passing our data to the Americans and a private US company (and not for the first time which should have lawyers twitching given the case law). Not only is this selling the UK out and not for the first time but yet another snub to the EU who have their own ongoing infrastructure project. Unlike the UK the French still have an independent IT sector, their own nuclear platform, and invented Minitel.

I’m not being a luddite or nationalistic but think there’s an amount of stupidity worth avoiding.

Winter October 28, 2021 2:48 AM

@Clive, All
“We do know he stole the centrifuge technology whilst “doing work” apparently in the Netherlands of all places. ”

Indeed, that is true. It was Dutch technology that led to the Islamic Atom Bomb.

But the story is much more interesting. A colleague of Khan found out he was doing suspicious things and informed his superiors, after which this colleague was fired.

The bigger story is that the Dutch intelligence service knew what Khan was up to but worked with the CIA who wanted Khan to have the plans.

ht-tps://voices.transparency.org/nuclear-espionage-whistleblower-the-pakistani-nuclear-bomb-is-made-in-holland-1154fb8454e9?gi=a38ef90dfb68

Why, you may ask?

Officially, nothing is known, but the Prime Minister of the time has later told in an interview that the CIA wanted to know what Khan was up to. However, that is too stupid even for the CIA. I strongly suspect it was for the same reason the CIA, and USA in general, have trained and supported Islamic Freedom Fighters in Afghanistan and Saudi financing of fundamentalist Islamic schools all over the Islamic world: To fight Communism.

India at the time was seen as “Communist” and they had an atomic bomb, so the US in their infinite wisdom decided Pakistan should have one too. An atomic bomb against Communism, but without a connection to the USA.

The Americans like to compare themselves to the Roman Empire. That is very apt in this respect.

In 451, the legions of the Western Roman Empire, together with a coalition of Alans and Visigoths defeated the Huns, their strongest enemies, quite decisively. They could have destroyed the complete army of the Huns once and for all. But instead, the Romans let the Huns go. This was to keep the balance of power against their German “allies”.

The result was that the Huns sacked Rome and the Western Roman Empire was gone.

Latter day Roman foreign politics was so much like current day US foreign politics.

Steve October 28, 2021 9:21 PM

Hm. Another reasonably anodyne comment gone.

I’d sure like to know what rule of the blog I’m violating so I can avoid having my comments deleted in the future.

Admittedly, marginally off topic but no more than others, I venture to say.

Clive Robinson October 28, 2021 10:01 PM

@ Steve,

Another reasonably anodyne comment gone.

Are you sure it actually posted on this thread?

I only remember one comment from your handle on this thread, and it –October 27, 2021 8:20 PM– and my reply –October 27, 2021 10:17 PM– to it are still there.

Freezing_in_Brazil October 29, 2021 8:26 AM

Re online banking

A functional life is becoming impossible for the online banking luddites [like myself] down here. It takes a very determined person [like myself] to withstand it all. They hate you for not using it. If there is some social credit score going underground I must be the lowliest client in the entire banking system. And it is not the baddest thing:

The local homologous of the IRS requires you to download and install a Java program to fill your papers.

Enough said.

A Nonny Bunny October 30, 2021 3:14 PM

@Winter

The result was that the Huns sacked Rome and the Western Roman Empire was gone.

Are you sure you got that right?
The 455AD sack was by the Vandals, not Huns
And it had been sacked 45 years earlier by the Visigoths, so I can understand Rome would want to keep their Visigoth allies in check.

Steve October 30, 2021 6:10 PM

@Clive,

Are you sure it actually posted on this thread?

Yep. It was in response to yours of October 27, 2021 10:17 PM, more or less an agreement and slight amplification with a bit of mild speculation tossed in.
