9 comments

[ 3.2 ms ] story [ 185 ms ] thread
As Mickens said:

> In the real world, threat models are much simpler (see Figure 1). Basically, you’re either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you’ll probably be fine if you pick a good password and don’t respond to emails from ChEaPestPAiNPi11s@virus-basket.biz.ru. If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https. If the Mossad wants your data, they’re going to use a drone to replace your cellphone with a piece of uranium that’s shaped like a cellphone, and when you die of tumors filled with tumors, they’re going to hold a press conference and say “It wasn’t us” as they wear t-shirts that say “IT WAS DEFINITELY US,” and then they’re going to buy all of your stuff at your estate sale so that they can directly look at the photos of your vacation instead of reading your insipid emails about them.

I find this sort of fetishism interesting. Certainly, the NSA/FSB were and to some extent still are fetishized in film and media, but it seems Mossad consistently are. Within China 国家安全部 are and I assume that it's useful to them since popular fear of national magic is a potent controlling force. Once you're confronting a nation state you face an opponent who neither considers $M zero-days nor criminal prosecution a challenge. Just hope they don't torture you before using the bone saws.
Reading out loud (I had to) such heavy, thick next level propaganda diarrhea makes me wonder about so many things. Like, who cares?
The Mickens article was well-known satire about security professionals and overstated threat modeling.

Or did you mean TFA? Have to admit I didn't get far.

> They have created technology that use ads for offensive purposes and injecting spyware. As millions of ads compete for the right to penetrate our screens, Israeli firms are clandestinely selling technology that transforms these ads into tools of surveillance

So... there's no possible way you can defend against the attack except for the possible way where you use UBlock Origin?

I mean, don't get me wrong, reliably breaking out of the browser sandbox is impressive, but it's not the unstoppable threat the title advertises.

(Also, I wonder how vulnerable Firefox is vs WebKit these days. Now that they've caught up on per-origin process isolation, and a lot of the sensitive libraries are written in rust, and others that handle codecs are being compiled to webassembly as a form of hardening... they might be a pretty tough nut to crack by now.)

Many sandbox escapes have been fixed before.

It always goes this way:

1. 0day, no known fix.

2. Fix is made and released.

There is no details, why this would be unstoppable.

No defence?

If I don't use iOS, Android and Windows? If I use dumbphone?

Or if I use webbrowser that does not support Javascript, or have Javascript disabled at webbrowser? So Javascript code at ads does not run?

This kind of needs more details.