63 comments

[ 2.4 ms ] story [ 101 ms ] thread
Not much surprises me about Facebook any more. The leadership is tone deaf.
It seems their corporate motto, instead of the old Google, "Don't be evil" is "Be as evil as possible."
It's weird isn't it? I went through a period (personally) where I felt super misunderstood by people around me, and after a while I realised it was me who was miscalibrated. I get the impression that FB feels the same, but without the capacity for self-reflection or desire to change. A shame because the Facebook platforms could be, if not a force for good, at the very least neutral. Instead it seems like every single thing they do is insidious.
Facebook is creating a more Open and Connected World. This little privacy incursions are the tax that you pay, as part of the social contract, to help bring the greatness of Facebook to others.

^ This is what Mark Zuckerberg tells government and journalists.

And you know what? If you are a Facebook user, he's right! Only non-users and people dragged onto the platform only to communicate with friends/family/partners who insist in Facebook-only communication, have a right to complain.

I'm baffled that, even with the horrible rep Facebook has, they somehow decided to put "from Facebook" splash screens into both WhatsApp and Instagram. Why? What possible benefit could it have? Most people already know who owns the services but now anybody who opens the app is faced with it. If anything, it should just make people reluctant to use the apps, surely.
Many people don't realize that WhatsApp and Instagram are the same thing as Facebook. Facebook's brand is somewhat tarnished, and they want to polish it up with Instagram and WhatsApp (which have been less impacted by the bad press).
I'd say most, at least not until the sticker appeared.
What possible benefit could it have?

Perhaps stock price/awareness?

The same way that lots of companies put their ticker symbol in their advertising, or the way local television news programs will put its parent company's ticker symbol in the closing graphics.

Being tone-deaf would imply they're unable to understand other people's issues. Facebook actively seeks to track all of us for their financial gain, against the wishes of many of us.

Facebook is actively malicious.

It's not only the leadership. The engineering side is also complicit in this to some degree.
The original report is from Vice:

https://www.vice.com/en_us/article/pke9k9/facebook-wanted-ns...

"The Facebook representatives stated that Facebook was concerned that its method for gathering user data through Onavo Protect was less effective on Apple devices than on Android devices," the court filing reads. "The Facebook representatives also stated that Facebook wanted to use purported capabilities of Pegasus to monitor users on Apple devices and were willing to pay for the ability to monitor Onavo Protect users."

And here's the Facebook response from that same article that you neglected to include:

"NSO is trying to distract from the facts Facebook and WhatsApp filed in court over six months ago. Their attempt to avoid responsibility includes inaccurate representations about both their spyware and a discussion with people who work at Facebook. Our lawsuit describes how NSO is responsible for attacking over 100 human rights activists and journalists around the world. NSO CEO Shalev Hulio has admitted his company can attack devices without a user knowing and he can see who has been targeted with Pegasus. We look forward to proving our case against NSO in court and seeking accountability for their actions," the statement from a Facebook spokesperson read.

2 notes about the parent. 1) The parent is written by an employee at Facebook and 2) it does not deny the claim instead redirecting the readers attention.

None of this makes the original claim true or false. I'll be curious to see what comes to light around that. I just like to notice these subtle things.

I work for neither, and the claim itself is vague, as it lacks any technical facts.

"purported capabilities to monitor users" can mean anything from full on CIA spy-mode with pema-enabling audio and video and 24/7 recording to logging their IP address when they visit a website.

Why should Facebook be doing any of that?

Even the best case outcome is negative here.

Sure, have any opinion you want as long as you base it on facts, and respect others who don't agree with you.
All I see is two snakes (FB, NSO) are fighting on which one will eat the little white mouse (our privacy). I did the article because there is always some thing to learn even in the gutter.
https://en.wikipedia.org/wiki/Onavo#Facebook_Research this should provide some background; this is the software referenced in TFA. Facebook bought a massively popular VPN service specifically to monitor their users' web traffic and app usage.
If all the users data was going through the VPN, Facebook defacto knows what the user is doing on the web making that suggestion moot. It's the on device activity they want.
Yup, and they wanted to shove nation-state malware in to Onavo to do it, it sounds like!
"NSO is trying to distract from the facts [a whole lot of irrelevant content]."
> "NSO is trying to distract

This seems to be a case of the pot calling the kettle black.

(comment deleted)
I wish I could stop using WhatsApp. It's the only FB service I use, and I because everyone else in my life relies on it, I can't just uninstall it and get away with it :(
You just have to start small, and eventually you might get there. It was like that for me with Signal. I was able to get a couple of my more willing close contacts to begin using it. After a couple months, another began using it, and eventually after two to three years the vast majority, most whom I never tried convincing, are using the application actively.
Drop it and just go with e-mail, postal mail, phone calls, and SMS.

I did, and found out who my real "friends" really are.

Just keep trying! It took a long time, but I managed to move my whole direct family to signal.

You will probably have to install it for them.

Make a group chat.

Use it regularly.

But as it’s basically the same functionality, you won’t have to train them to use it. It’s worth it.

Play dumb, say WA is broken on your phone, ask then to install Signal to work around. Use Signal with whoever agrees
I'm not sure you've followed OP. It could well be the case that his workplace and school activities are communicated via WA. His "playing dumb" results in him cut-off from valuable information he actually needs.
This is correct. Most workplaces and educational institutions use WhatsApp to communicate with employees/students.
<in my country>

Also in mine, but it's not a global thing.

(comment deleted)
Talented engineers that spend their limited working years figuring out how to extract every last cent from every person on Earth should feel some shame.

I wonder how harshly history will judge them (many of whom are on HN).

When FB news appears on HN I can't help but feel there's a curated tone/narrative. A mixture of "everyone's doing it" and "they clicked agree on the ToS" to "you should've known it would happen".

Anyone want to take bets if FB runs sock-puppet accounts across the web? It'll be plausibly deniable and run thru a third party but still. Would anyone be surprised?

Of course they do. I don't question the if, but I'm curious about the number...
Maybe so.

But doesn't HN scan for concerted behavior?

Please read the site guidelines and keep insinuations of astroturfing off HN unless you have specific evidence.

https://news.ycombinator.com/newsguidelines.html

Lots of past explanation here: https://hn.algolia.com/?sort=byDate&dateRange=all&type=comme...

Specific evidence of astroturfing would involve combing through IP and moderation logs.

I don't understand why insinuating the integrity of this forum is compromised - as if that's personally offensive to you. Do you not know what sock puppets are? Do you realize there's a market for it, and FB isn't above bidding?

This story is from 2017. By 2023 I promise you news will leak of FB using sock puppets. Sorry if that's offensive Dang.

It's not so much that it's personally offensive. It's a moderation issue because such comments (a) add noise, (b) undermine trust, (c) are extremely common, and (d) are overwhelmingly imaginary. I say (d) based on personally having studied this data closely for years.

If you look through the past explanations at https://hn.algolia.com/?sort=byDate&dateRange=all&type=comme... you'll find plenty of...past explanations.

Talented engineers that spend their limited time judging others because they disagree with their sense of morals should feel some shame.
I’d like to suggest a fun project for Apple that might allow them to kill off this NSO malware: Apple should devote a few engineers to create honeypot iPhones that they could get into the hands of a few carefully chosen journalists and dissidents who would then “lose” their phones or allow the phones to be confiscated by governments or organizations who use NSO software. The objective is to get a copy of the NSO malware and figure out the exploit(s) they use.

The honeypot phones would behave exactly like normal phones but save all incoming data at the lowest protocol layer (whether by wifi, cellular, Lightning connector, and maybe even in-circuit attempts to reflash firmware) to hidden internal terabyte microSD storage, which it would later exfiltrate back to Apple at some point —- perhaps by even having a second hidden cellular connection. I’m assuming that Apple has all the talent it needs to reverse engineer and plug the NSO malware once it has an actual copy of the malware.

That would be a very offensive move. I like it. How will that kill off this malware though? Just by making incrementally harder (might work!) or through something more fundamental I'm missing?
> How will that kill off this malware though?

I wouldn’t be surprised if everything that NSO does depends on just one or two extremely good exploits. Once Apple rolls out an update to patch the one or two critical bugs, it’ll stop NSO for a nice long time until they spend hundreds of man years or millions of dollars to find another exploit that’s just as good.

I don't actually think it costs hundreds of man years to find these bugs at the moment.
> governments

I'm sure you know this, but deliberately committing an act of espionage to directly or indirectly subvert the activities of government agencies would be a silly thing for Apple to try to do.

Their dollars are better spent on lobbying (make shit like this illegal), and engineering (make shit like this literally not work because iPhone is as secure as it can be).

Since when does a foreign government performing espionage give a crap about the target country’s laws? It’s naive to think some adversary is going to see “hacking is illegal” and just throw up their hands and say gee whiz I guess there goes our plans...
You're making some faulty assumptions about what I'm saying, which means I probably wasn't clear - sorry.

What I mean is: making software like this for sale to the highest bidder should not be something a company is able to do legally.

It should be as bizarre as the idea of incorporating a business in the US specifically, and publicly, to rob banks or commit securities fraud.

1st and 2nd Amendments, baby
What does this response mean? I know those two amendments intimately. I do not understand how they’re germane as a response, invoking the first and second amendments as a defense to corporate espionage and potential obstruction?
> making software like this for sale to the highest bidder should not be something a company is able to do legally.

I disagree. There ahould be nothing inherently illegal about owning, making or selling such software to an entity that can legally use it. (I would assume any country employing such software would indemnify there agents using it against foreign adversaries).

Not that I like it, and as a private citizen, I dont like thw prospect of being spied on, even though I have nothing to hide.

To stop it, I think you'd need to take a step back into the 90s and early 2000s and classify such programs as munitions and restrict export (not that all offerings are from US countries).

> I disagree

Have just read your answer and I totally see your point! I don't agree but it's definitely a judgement call.

Perhaps this would be a better way of expressing my position (with a few simplifications of the current situation):

1/ It seems morally wrong for it to be possible for an American company to buy spyware which exploits security vulnerabilities in another American company's software. The act of exploiting those vulnerabilities is illegal in the United States and against the terms of service of the software developer. The outcome of the exploitation (mass clandestine collection of user data without any permissioning) is also illegal.

2/ The US government could solve this by making it illegal for US companies to use the software, outright. They and other nations could also solve or diminish the issue for foreign nations by precluding private companies within their jurisdiction from building commercial propositions around these vulnerabilities. So both a ban on domestic "import" of the product, and a ban on "export" too.

3/ Clearly government agencies need and will continue to produce and procure software like this in the same way as they need to produce and procure military-grade assault weapons, surface-to-air missiles, and stealth bombers. The production, trafficking, and purchase of these items is highly regulated and tightly controlled: I cannot simply start manufacturing firearms because I have the equipment! This regulation is in part a means of preventing widespread availability of dangerous items getting into the hands of consumers and bad actors.

4/ At the very least, the same ought to apply here: an infosec company wishing to auction exploits or sell spyware SaaS should have to be very tightly regulated by the state, and should be unable to sell any of its products or services to any domestic or foreign entity without state approval — a QUANGO of sorts.

Yeah Apple would never do it. Best you can hope for is YOUR government doing this vs other governments to help protect you from foreign malware. If you own government has a poorly funded intelligence apparatus or is actually the one spying on you, you're out of luck.
This is an interesting thought exercise, I am going to ask a few questions. Think about them and then decide if this is a good idea:

1. How big will the project be? I.E. what staff you need to develop AND deploy honeypot phones.

2. Who would decide targets?

3. What do you do with the data collected? Who enforces those rules?

4. How do you keep the project secret?

5. How do you prevent various 3 letter agencies from ordering you to deploy this technology for national security?

6. How do you protect Apple's reputation once it leaks out that there are secret phones that eavesdrop on you?

A better long term strategy is to offer large bug/exploit bounties. This foils malware and builds trust in Apple platform.

5 & 6 seem incorrect here. Apple could do it regardless of whether they deploy this sort of thing. As for 6, the idea is that the journalist knows they have a doctored device
You're naively assuming that Apple's decision making and internal coms have not already been compromised by these same malicious actors. In terms of risk reward, comprising the hardware makers internal coms is priority 0.
So...malware isn't that simple. Network honeypots can work for that but malicious apps or remote exploit that require specifics apps/services running under the target's account would not be easy to catch this way.

APTs are not exactly a new thing. On windows you get endpoint security software that logs excessive telemetry to a place threat hunters of security companies can search to find exploitation or infection attempts.

NSO likely has dozens of backup bugs and is capable of finding more, so this wouldn't work unless you can continue it forever.
You can see how important Onavo was to Facebook by the lengths they were willing to go to protect it, including the whole "distributing it to teens via enterprise cert" thing Apple slapped them down for. The data from Onavo is how they knew what up-and-coming competitors were popular, and allowed Facebook to buy them out before they could become fully established.
Facebook should buy Zoom.

Then we only need to hate one company.

(comment deleted)
The good news is this NSO thing appears to only work if it's not everywhere. If every FB app comes bundled with it, it'll be easy to figure out how it works in aggregate, and then NSO gets to move into the league of the common spyware/antivirus cat-and-mouse games.