How Spy Tech Firms Let Governments See Everything on a Smartphone

nytimes.com

165 points by xacaxulu 9 years ago · 63 comments

feelix 9 years ago

I wrote some really effective data recovery software a decade ago. Before I knew it governments around the world were buying it up in droves. I then got pushed (not by the governments, but by my partner at the company I had) to write a special forensics edition, that does a byte-by-byte scan of the source disk rather than a block-by-block scan, which would extract embedded files out of a hard disk and basically ensure that nothing would be missed.

That code eventually got a big fancy "forensics" UI wrapped around it with a bunch of other functionality such as logging the process, and it got sold for $1k / copy. It would sell upwards of 80 copies at a time in a single batch. It was very profitable (though I personally did not see much of that profit).

I always felt very uneasy about it and I stopped developing that line of software even though at this point I could get ~50% of the profit if I were to continue it. I had no idea what it was actually being used for all of the time and I had no way to find out. I do know however that some of the time it was used for good, to catch people distributing child pornography and so forth, however I don't know what percentage of the time it was used for that kind of thing, and I'm also aware that that is the justification that is used for a lot of surveillance. Philosophically I believe in counter-surveillance more than surveillance, because I'm pro privacy and pro citizen empowerment rather than the other way around, I think the balance of power has gotten out of whack as this article nicely illustrates.

  • drdaeman 9 years ago

    If I got it correctly, unlike the software in the article - yours wasn't a malware that stealthily does something unbeknownst to the legitimate user, or something that even impacts the security measures user has set up. It was a genuine and honest data analysis tool, scanning the drive one already has full access to.

    Tools like yours (cracked/warez - even a $100 bar was impossible for a schoolkid in late '90s/early '00s Russia, not to say about $1K+ price points) and articles on filesystem internals had helped me to recover my own data from drive failures a couple of times. So, thank you.

    And I really believe that would've anyone taken a possession of my notes and inspected them with a magnifying glass - the problem would be anything (me leaving the notes, someone taking the notes, ...) but that someone made the glass.

  • zer0gravity 9 years ago

    In my view, much grief can be avoided if people that have a mind able to build things that can have an impact for better or for worse, will use that mind to also control how those things will be used.

    When engineering and philosophy are divorced, bad things happen.

    Unfortunately that may not even be enough. Intelligence doesn't have morals, and when it is employed with a predatory mindset, there may not be escape for the "prey" without a fight.. The arms race may be a mechanism of evolution. You either accept it, or disappear..

  • colejohnson66 9 years ago

    Just out of curiosity, if you don't mind, what is it called?

    • feelix 9 years ago

      This is the data recovery app consumer version that kicked it all off (it has the same engine as the original one): http://macdaddy.io/mac-data-recovery/

      You won't find any data recovery software that does a more thorough scan than that, even though it was written in 2004 or so and has been barely modified since. I spent years writing it, in C, so it ended up highly optimized. In forensics mode it scans a drive byte-by-byte, and it assumes each byte is the start of a file of the 100 or so filetypes that it supports, and it maintains that assumption until it is proven to be false as it goes deeper into that file's data. That way it really shouldn't miss anything. It also transparently UUDecodes, unzips, and otherwise decodes data on the fly as to extract file contents under as many conditions as possible. It uses linked lists to maintain its memory of what files are where until it dumps out its buffer as output files, and it uses binary searches and threads to speed up. All in all it's about 1000 lines of code, though I really don't think that anyone would ever be able to read it except for me.

      I recently noticed that if you run it over your iTunes Music folder it'll extract and output the media that is contained inside your M4P ("MPEG 4 protected audio") files, and output it as unprotected MP3's. So it effectively strips all of the DRM off of all your media in seconds. Even if you didn't purchase that media (say your friend sent it to you) and couldn't play it before. That was not intentional. You can see that effect in this app: https://itunes.apple.com/app/file-extractor/id1129674765 which is the same codebase, but it is being applied to used space (files) instead of free space.
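
The byte-by-byte scan described in the comment above, sketched as an added example (not feelix's code and not part of the thread): every offset is treated as a possible file start, and each hypothesis is dropped as soon as the file structure disproves it. It assumes only two formats (PNG and BMP), skips CRC checks, and runs over a constructed in-memory sample; all names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct hit { size_t off, len; const char *type; };
typedef size_t (*validator)(const uint8_t *buf, size_t len, size_t off);
static const uint8_t PNG_SIG[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};
/* Constructed sample "disk" image; CRC and pixel bytes are dummy values. */
static const uint8_t SAMPLE[] = {
    'a', 'b', 'c',                                          /* junk */
    0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n', 0xFF, 0xFF, 0xFF, 0xFF, /* false start */
    0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n',            /* real PNG, offset 15 */
    0, 0, 0, 13, 'I', 'H', 'D', 'R', 0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,
    0, 0, 0, 0, 'I', 'E', 'N', 'D', 0, 0, 0, 0,
    'B', 'M', 16, 0, 0, 0, 0, 0, 0, 0, 14, 0, 0, 0, 7, 7,   /* BMP, offset 60 */
    0, 0, 0};

static uint32_t rd32(const uint8_t *p, int big) {  /* big != 0: big-endian */
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v = (v << 8) | p[big ? i : 3 - i];
    return v;
}

/* Hypothesis: a PNG starts at buf[off]. Walk the chunk list; return the file
 * length at IEND, or 0 once the hypothesis is disproved. CRCs are not checked. */
static size_t try_png(const uint8_t *buf, size_t len, size_t off) {
    if (len - off < 8 || memcmp(buf + off, PNG_SIG, 8) != 0) return 0;
    size_t pos = off + 8;
    while (len - pos >= 12) {                 /* length + type + CRC */
        uint32_t clen = rd32(buf + pos, 1);
        const uint8_t *type = buf + pos + 4;
        for (int i = 0; i < 4; i++)           /* type must be four ASCII letters */
            if ((type[i] | 0x20) < 'a' || (type[i] | 0x20) > 'z') return 0;
        if (clen > len - pos - 12) return 0;  /* chunk runs past the image */
        pos += 12 + (size_t)clen;
        if (memcmp(type, "IEND", 4) == 0) return pos - off;
    }
    return 0;
}

/* Hypothesis: a BMP starts at buf[off]; its header declares the total size. */
static size_t try_bmp(const uint8_t *buf, size_t len, size_t off) {
    if (len - off < 14 || buf[off] != 'B' || buf[off + 1] != 'M') return 0;
    uint32_t size = rd32(buf + off + 2, 0), data = rd32(buf + off + 10, 0);
    if (rd32(buf + off + 6, 0) != 0) return 0;   /* reserved fields must be zero */
    if (size < 14 || size > len - off || data < 14 || data > size) return 0;
    return size;
}

/* Byte-by-byte scan: every offset is tried as the start of every file type. */
static size_t carve(const uint8_t *buf, size_t len, struct hit *out, size_t max) {
    static const struct { const char *name; validator fn; } types[] = {
        {"png", try_png}, {"bmp", try_bmp}};
    size_t n = 0;
    for (size_t off = 0; off < len && n < max; off++)
        for (size_t t = 0; t < sizeof types / sizeof types[0]; t++) {
            size_t flen = types[t].fn(buf, len, off);
            if (flen) { out[n] = (struct hit){off, flen, types[t].name}; n++; break; }
        }
    return n;
}

int main(void) {
    struct hit hits[8];
    size_t n = carve(SAMPLE, sizeof SAMPLE, hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("%s at offset %zu, %zu bytes\n", hits[i].type, hits[i].off, hits[i].len);
    return 0;
}
```

The bare PNG signature at offset 3 is rejected because the bytes after it do not parse as a chunk, while the image at offset 15 is found even though it sits on no block boundary.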

    • nxzero 9 years ago

      Point is it doesn't matter, as a creator, maker, investor, etc. -- you always have a choice, and for some the temptation to follow the money even if the path is one they would not take if given another choice of equal financial value.

    • johnchristopher 9 years ago

      My money is on test????/photo???.

      • johnchristopher 9 years ago

        Not that I care for the karma but why is it being downvoted?

        • gaur 9 years ago

          As the sister comment says, it's because your comment doesn't make sense. What does "test????/photo????" mean?

          • davb 9 years ago

            It's an obfuscated reference to a popular open source data recovery toolset. I think the parent was trying to avoid potentially "outing" GP against their wishes, by making a vague reference that some might get.

          • johnchristopher 9 years ago

            Well, it's a guessing game to know what company the parent parent is referring to and there are two well known recovery software but I didn't want to give out the name so others could keep on guessing. So I just wildcard masked the thing.

        • paxcoder 9 years ago

          I reckon people find it uninformative. If not, then I'd guess the exact opposite. You should know which.

        • jlgaddis 9 years ago

          testdisk/photorec

        • function_seven 9 years ago

          I think because the comment is confusing. Are the question marks a text encoding error?

  • aluhut 9 years ago

    With your skills, you could help with the balance. Out here and with your karma account ;)

  • nindalf 9 years ago

    I've read a story similar to yours on HN where someone explained that they made passive income off a data recovery tool. They also said that it wouldn't work on SSDs, so it was becoming less relevant with time.

    Do the forensic techniques you implemented work on SSDs? Also, were you the person who posted that earlier?

    • feelix 9 years ago

      Yes, that's me. Hacker News is the only place I feel I can talk about this kind of thing so it's cathartic. And no, it doesn't work on SSD's. They're black boxes. However I think data recovery on them is possible with hardware. It's the controller that returns 0's after it has been sent the command to TRIM some free space.

  • imaginenore 9 years ago

    You shouldn't feel bad. If something like that is technically possible, and there's a demand, someone will write that code.

    The only two ways to fight it (that I can think of) are:

    1) Make it technically impossible (open firmware, open hardware)

    2) Make it illegal

    There's of course a third way - not give a crap, and just let them watch you.

    • drdaeman 9 years ago

      > The only two ways to fight it

      Actually, I think both technological and legal measures are always necessary. One just doesn't work well without the other.

      (Personally, I'm leaning towards "but technical measures first", though - as tech is much more agile than legal stuff.)

    • jacquesm 9 years ago

      > If something like that is technically possible, and there's a demand, someone will write that code.

      That isn't necessarily true, though it's an easy fig leaf to hide behind when you're doing something that is unique and that helps the dark side.

      I've heard it said by people that were actively developing malware and spam software.

bojo 9 years ago

The moral issue aside, I can't even begin to fathom how their software would even work. How do you stealth install software to a random phone out in the wild? Social engineering, or purely technical?

  • McKayDavis 9 years ago

    The linked NYTimes article references 3 exploits dubbed the "Trident Exploit Chain" that are detailed in an excellent Lookout / Citizen Lab writeup [1] discussed on HN 8 days ago [2].

    The target is sent an SMS containing a link to a site that triggers the exploit chain to remotely jailbreak the phone and clandestinely install the monitoring software.

    Ahmed Mansoor, a UAE journalist, was recently targeted with one of these SMS messages and was immediately suspicious. Instead of clicking the link he contacted Citizen Lab researchers who connected it back to NSO group.

    [1] https://citizenlab.org/2016/08/million-dollar-dissident-ipho...

    [2] https://news.ycombinator.com/item?id=12360662

    • SturgeonsLaw 9 years ago

      Anyone else think it's a bit of a joke that a $1M+ bug still relies on the user clicking a phishing sms to work?

      • wepple 9 years ago

        I'd suspect there's a disconnect between the group selling/providing the tools, and the group using them.

        A webkit 0day could've been delivered via a watering-hole attack or something even just a tiny bit more sophisticated (compromise a trusted contact's social media account, send the link from there) and succeeded.

        Whoever put the effort/time/money into developing the exploit chain is likely pissed off it got burnt via such an amateur delivery.

      • andwur 9 years ago

        Not particularly. Besides the fact that was only one of many possible delivery vectors available, e.g. XSS, direct compromise of a visited site etc, it's one with quite a high chance of succeeding* in the wild.

        * when the target isn't already paranoid due to previous attacks and the bait isn't quite so pathetic in its construction...

        Edit: I imagine they went with the SMS method due to its high accuracy and low risk of detection from third parties.

  • nyolfen 9 years ago

    iirc, the method they got caught using was an unsolicited sms with a link to a page with a mobile safari/webkit 0day that silently installed a jailbreak

  • c22 9 years ago

    You compel the cellco to load it through a backdoor in the baseband processor?

  • urza 9 years ago

    I don't know about other devices, but it is possible to remotely and silently install software to android. You need your google account password for that, but I suppose they have some 0days for that..

gggggggg 9 years ago

If you were high profile it would be a good reason for a dumb phone or a lesser known smartphone.

  • praptak 9 years ago

    Lesser known is actually worse. Less work by the community on removing security holes vs an attacker who can concentrate efforts.

    Not that it matters - high profile should not use any kind of phone for anything serious.

  • applecore 9 years ago

    The most secure option would be not to carry a mobile phone at all. Otherwise, iOS is probably the most secure mobile operating system, simply based on the price of remote exploits: a remote exploit for iOS is worth several times more ($500K-1M) than the equivalent one for Android ($100K-200K).

    • awqrre 9 years ago

      that seems like a small difference in cost for high value data...

  • wepple 9 years ago

    dumb phones generally don't have the capability to do end-to-end crypto or full disk encryption and other desirable things.

jiqiren 9 years ago

Sickening. This company doesn't seem to have even a basic moral compass. Even when their tools are being used against human rights workers or journalists they have no qualms.

  • andrei_says_ 9 years ago

    This is the disturbing thing about corporations, profit is their moral compass.

    It takes people with power in the corporate structure to contradict that default.

    • dantheman 9 years ago

      No this is the thing about anything involving people, as soon as you have a group -- the moral .

      Governments have done horrible things. Researchers have done horrible things. Religious Groups have done horrible things. NonProfits have done horrible things.

      It's not about profits.

      • damptowel 9 years ago

        It's about motivations, or, in bad cases, necessity. About necessities (like not going bankrupt, or feeding a hungry tribe by claiming the land of your neighbor, etc) I'm not sure much can be done. But I do think it's about profits when it comes to corporations. Shareholders are often relatively passive and in it for the money, they aren't "mission driven" (being the best at one thing in your industry, spearheading a new way of transportation, etc). Their field or artisanship isn't their motivation, the profit is.

        When you're designing a new engine, you might decide to use 10% more expensive parts to make it 20% more fuel efficient, but this additional cost might result in 10% lower sales, so the board decides against it since exhaust is just an externality. If those people were considered with ecology they might consider a lower rate of profit but instead take pride in the fact that they're helping humanity combat global warming while maintaining the standard of living.

        It's easier to rationalize away "bad things" when making money is at the top of your value scale. I think it resembles the individualism of our age, people used to be more aware that they were a cog in the machinery of history, no one thinks like that anymore, it's all "be the best you can be" rather than "be the best we can be".

        • hackuser 9 years ago

          > It's easier to rationalize away "bad things" when making money is at the top of your value scale.

          I agree. The purist free market ideology, for lack of a better term (or maybe Objectivism?), is a convenient justification for not dealing with difficult issues. 'The ideology says I can/should only care about money, so I don't need to worry about all that.' If only life were so simple that we could rely on an ideology.

    • imtringued 9 years ago

      Making profit is a better moral compass than not having any. This way corporations only care about how they can make money with the data. They don't care about the data itself which means it's only going to be used for things such as advertising or optimizing the user experience to increase profits. If they can't make money with spying on you then they won't spy at all.

      A government might not have a moral compass at all. They may start mass surveillance with good intentions like fighting terrorism but when should they stop? Since they have already invested into mass surveillance why stop at terrorism? Why not use it to fight crime in general? Why not use it to enforce every law imaginable? Since we now have data ranging back several years into the past why not use it to retroactively enforce laws?

  • damptowel 9 years ago

    Whenever I read articles like this these days, I just throw my hands in the air and sigh, thinking about how tainted IT has become. Any tech can be weaponized, but the scale of it feels utterly demoralizing to me.

    What's the way out? Become less connected? Go back to fixed function hardware? Is there even a way out without shedding layers of abstraction? Is there even a way out at all, or is this our new brave new world?

    • IANAD 9 years ago

      > Go back to fixed function hardware?

      Battlestar Galactica phones?

      No, but I think we will eventually go to peer-based mesh networks with smarter clients. The reasons are:

      1. Mobile devices keep getting faster and have more memory- they aren't and shouldn't be dumbed-down clients peddled by telecom companies to get them to buy their services.

      2. People don't want to pay for things they shouldn't have to, like interconnectivity, if there are enough devices for everyone to pull off the network without help.

    • zer0gravity 9 years ago

      I suppose there will be a class of people, probably techies/hackers, that will build/use technologies that will protect their privacy. I wish there were communities similar to the one around linux to develop these technologies.

      However, we can't think about anything digital nowadays without factoring in AI, the problem is that once you do that, things become quite unpredictable...

      For certain, there will be a fight, on one side governments and control structures trying to increase their control, and on the other regular citizens trying to live the way they once did.. although.. that may already be impossible..

  • pipio21 9 years ago

    Why should they have moral compasses?

    Like it will make any difference. There are people in the military that will go to church and then invade a country like Libya or Syria for their oil or gas while believing they are doing good for humanity.

    We need less moral compasses and more accountancy, checks and balances of the people in power. It should never be about self control, but controls in the institutions.

    • 3pt14159 9 years ago

      It will make a difference. The world is the way it is because of what people believe and how they act. The more people that eschew evil the less people that get damaged. That being said, recovery software I'd put at a neutral on the good - evil spectrum. Like guns, the impact is negative only in the wrong hands.

  • wepple 9 years ago

    To play devil's advocate: who's not to say that these tools weren't sold under the pretense of being used against criminals, only to have them turned at human rights activists instead?

    For the record, I do not believe that at all. But it hasn't been ruled out.

    • jiqiren 9 years ago

      The article included the response of direct questions to said company about these violations. They refused to say it was wrong or violated their internal ethics policy.

      Additionally, they just repeated no laws were broken.

      There is no playing devil's advocate here. They clearly don't care about what happened in Mexico or middle-east.

  • Chronic9q 9 years ago

    > Even when their tools are being used against human rights workers or journalist they have no qualms.

    And why should they? If you don't agree with their moral compass, then don't invest or support them. By laws of nature, they will eventually die away if it is unsustainable. However, I'd wager it is highly sustainable hence their continued existence. This has happened throughout all of human history.

    • Sone7 9 years ago

      Your logic is terribly wrong. Part, or most, of what makes the use of these tools against human rights workers and journalists unsustainable is the outrage by us.

      Try applying your same logic to people who murder journalists in order to maintain a deceptive narrative. Should we avoid having any qualms about that too?

    • EliRivers 9 years ago

      So we should let bad things happen if someone can build a business out of it? This is, sadly, a not uncommon view around here; if the "free market" wills it, is it right.

  • venomsnake 9 years ago

    I think they are highly moral - they deliver, honor their contracts, have very good support and have very good reputation. They also follow the laws of their land.

    What UAE sovereign does in its own territory is his own business. It is not the other parties' job to interfere in its internal dealings.

soufron 9 years ago

Is it me, or is the NYT suggesting that they have been victims of this Pegasus system?

urza 9 years ago

We need protection against governments. They are the mafia of today's world.

  • lifeisstillgood 9 years ago

    Ironically studies of mafia show that they win by providing government services to those without. Anarchy is desirable by no one and when government can not reach then we turn to any strongman to bring order and predictability - it is the essential definition of government.

    Don't blame governments for being mafia, blame us for not forcing them to behave. We need a public debate on the meaning of privacy and the ownership of personal computing.

    • indymike 9 years ago

      There is a school of thought in political science that government is simply the big, legitimate mafia.

      • cryoshon 9 years ago

        (responding to the school of thought you are referencing) "might makes right" school of political realism never made sense for me in a domestic context.

        the relationship of the state to the citizen at the citizen's birth is completely one directional: the state provides infrastructure, security, and economic activity while expecting nothing in return until much later in a person's life-- and if the person doesn't ever proffer anything in return to the state, that doesn't guarantee violence against the individual, nor exclusion from services.

        if the platonic form of a state were that it has to be a mafia of sorts reliant on the threat of physical force, it'd quickly go extinct for lack of younger replacements. can't have the young replacing the old if they never make it to middle age due to a lack of investment and all.

        that being said, the current governments of the west do have plenty of similarities with the various mafias... but in my opinion the issue of runaway government is a failure mode resulting from particular circumstances rather than a problem of government in the abstract.

  • hackuser 9 years ago

    > We need protection against governments

    The government is us, at least in democracies. Voters get what they vote for. Your problem isn't with government, but with your fellow voters: The eternal problem of society.

    But I do need to work with my fellow voters on many issues - I don't live in a cave - and I need government to protect me from crime, invasion, poisons in my food, diseases, aircraft that crash, racial discrimination, contractual abuses and violations, and many other things.

    • urza 9 years ago

      I don't know in what country you live, but where I am from, government is not "us". Definitely not me. Yes we have democratic elections. The result is that government takes 60% of my income and provides me terrible services that I don't want and often times I morally don't agree with and would never voluntarily support. What's the difference from mafia?

      USA is the same, government spies on their own citizens and on rest of the world. That is what we need protection from. They are not really protecting us, they are just playing a theatre pretending they do.

      you say I need government to protect me from crime, invasion, poisons in my food, diseases, aircraft that crash, racial discrimination, contractual abuses and violations, and many other things.

      I believe we would do better job at this without government. Or at least without the monopoly government as it exists today.
