02 August 2021

Let's Sell Advanced Phone Spyware to Repressive Regimes

What could go wrong? A case against security nihilism

When the Pegasus spyware became known, and it was known that NSO was selling to repressive regimes, people were concerned that it would be used to target reporters and people with differing political views. Now we KNOW that those concerns were justified.

Notably, these targets include journalists and members of various nations’ political opposition parties — in other words, precisely the people who every thinking person worried would be the target of the mass-exploitation software that NSO sells. And indeed, that should be the biggest lesson of these stories: the bad thing everyone said would happen now has.

That link is to a technical blog, and the details are fascinating, if you like to get down in the technological mud. Here is one issue that should be addressed.

What we know is that these attacks take advantage of fundamental weaknesses in Apple iMessage: most critically, the fact that iMessage will gleefully parse all sorts of complex data received from random strangers, and will do that parsing using crappy libraries written in memory unsafe languages. These issues are hard to fix, since iMessage can accept so many data formats and has been allowed to sprout so much complexity over the past few years.

Because even at the "security phone manufacturer", rewriting that much code - in a language that developers don't like to use - isn't making the cut. That and the universal management cry of "add more function" coupled with "you want to spend how much on security?"

My guess is that iMessage will NOT be rewritten, or not anytime soon, that is.

For a more political look at the problem, consider the Guardian. Revealed: leak uncovers global abuse of cyber-surveillance weapon

There is a lot of info in that article, and it is worth your time. NSO says that they monitor the customers to be sure they are only using the software for criminals and terrorists. Personally I think the problem stems from the fact that some regimes consider anyone with a dissenting opinion to be a criminal.

The broad array of numbers in the list belonging to people who seemingly have no connection to criminality suggests some NSO clients are breaching their contracts with the company, spying on pro-democracy activists and journalists investigating corruption, as well as political opponents and government critics.

And you don't have to be IN a "bad" country for the bad guys to target you. Here's a story of what happened to a woman in France, who was targeted by Morocco. Despite the hype, iPhone security no match for NSO spyware.
