77 comments

[ 2.9 ms ] story [ 76.1 ms ] thread
(comment deleted)
"Polish media reports say Poland purchased Pegasus in 2017, using money from the so-called Justice Fund, which is meant to help the victims of crimes and to rehabilitate criminals." from the older 'scandals'.

https://www.euractiv.com/section/politics/short_news/polish-...

At that moment it's safe to assume that all EU govs use Pegasus against the public in general.

I don't think it's reasonable to assume all EU governments (or even all Polish governments) will act the same as PiS do/did.
I think it is in fact reasonable. Private persons are unlikely to have means/connections to acquire Pegasus while victims are all around EU, see another link below.

https://www.dw.com/en/spain-court-reopens-investigation-in-p...

There are not many examples of the government hacking opposition politicians an en leaking damaging material to friendly "news" agencies for political gain

https://notesfrompoland.com/2023/12/18/polish-state-tv-order...

Law and justice are a particularly extreme example.

Didn't Merkel have the Bundesamt für Verfassungsschutz spy on her political opposition?
I haven't seen anything about that, but if she did then thats disapointing
AFAIK all uses of Pegasus were conducted after an agreement (a warrant) was issued from Polish courts - which were in opposition to the PiS government. If I'm right about this, doesn't it mean this particular affair unnecessarily demonizes PiS?

Either way, I think it's very reasonable to *do* assume the worst of governments - as in we should strive to design the system to be able to withstand as much malice from people in power as possible.

I don't think it's accurate to say the courts were in opposition to the PS government. PiS appointed lots of their own judges in their years in power who often decided along lines that PiS wanted. The biggest example of course being the Constitutional Tribunal.

Sure there were judges who opposed PiS, but there were plenty who did not. This guy, who is now in Belarus, is an example of one of PiS's pet judges

https://notesfrompoland.com/2024/05/06/polish-judge-flees-to...

Sure, but - again AFAIK - the judges issuing the warrants weren't the judges appointed by PiS.
I have seen no evidence either way on that.
What is meant by "civil society" in this article?
It would appear the targets are all journalists. I think they're using this phrasing to denote that they're civilians.
"Civil society" implies the existence of uncivil people; it's good guys vs bad guys, not civilian vs military. If Ukraine targeted civilian organizations in Russia, the headline wouldn't call it an attack on "civil society" (but Russian media might.)
> "Civil society" implies the existence of uncivil people

It does not. You are conflating:

civil 2b: adequate in courtesy and politeness : MANNERLY

with

civil 4: of, relating to, or involving the general public, their activities, needs, or ways, or civic affairs as distinguished from special (such as military or religious) affairs

https://www.merriam-webster.com/dictionary/civil

You can see that 'uncivil' does not include in its meanings an antonym of civil 4:

https://www.merriam-webster.com/dictionary/uncivil

You're being naive. Propaganda often employs double meanings, subtext and implications. This kind of language would not be used if the actors were reversed.
Civil society as a term for “not government” goes waaaayyyyyy back.. I think you are mistaking a cloud for a ufo here..
As a term for "not government", it would not be used to refer to civilians of a hostile nation.
Major public organizations and interest groups (such as the EFF, ACLU or AARP) that are independent from the state:

  Civil society can be understood as the "third sector" of society, distinct from government and business, and including the family and the private sphere. By other authors, civil society is used in the sense of 1) the aggregate of non-governmental organizations and institutions that advance the interests and will of citizens or 2) individuals and organizations in a society which are independent of the government.
https://en.wikipedia.org/wiki/Civil_society
I believe Wikipedia has a good overview, in particular "the aggregate of non-governmental organizations and institutions that advance the interests and will of citizens" is probably the definition that best matches the one used in the article.

https://en.wikipedia.org/wiki/Civil_society

This kind of spying seems necessary and appropriate to me, provided it is done under the appropriate legal framework. The security concern with Russia and Belarus are self evident now, and the security concerns around hosting a large dissident population must be enormous. You don't want extremists within the dissident movements (it'd bad if the Putin assassination was planned on your soil), nor penetration of the dissident movement by foreign intelligence (it'd be a bad if the opposition leader got novichoked on your soil). I'm not sure how else to address these kinds of problems in society except with some kind of well regulated security apparatus (making the big assumption that it is well regulated here).
>I'm not sure how else to address these kinds of problems in society except with some kind of well regulated security apparatus (making the big assumption that it is well regulated here).

The whole populace being under surveillance is a much worse outcome than the chance of some politician being assassinated being relatively higher. Mass surveillance to prevent the latter seem absolutely in the worst interests of the average citizen; spying on people to protect the elites is what every nasty dictatorship does.

(comment deleted)
I think Russian security services work fully legally under Russian legal framework.
I think we can differentiate between the rules, level of judicial independence, and different systems too.

It's not all or nothing as far as the words "legal framework" goes.

(comment deleted)
No they don’t. They are a signatory of ECHR convention (which makes is part of national law).
What about this type of spying? (Also frontpage of HN right now, and done with similar tools i.e. Lumma malware-as-a-service)? https://news.ycombinator.com/item?id=40534868

The problem is, when the vulns exist due to hand-rolled parsing, you don't get to choose who the attacker is.

I think a lot of people are mis-seeing these Pegasus attacks as a problem of political will ("we need sanctions on NSO/Israel!") or memory safety ("rewrite it in Rust!") when there is a deeper problem: parser complexity.

Specifically, we're using context-sensitive and Turing-complete parsers up and down the software stack, which (at the Turing-complete level of complexity, says Gödel) guarantees that determined attackers can expect to discover an exploitable "weird machine."

Folks should watch this panel and other talks by Meredith L. Patterson (co-collaborator and wife of the late Len Sassaman) and Sergey Bratus (previously at DARPA, now Dartmouth) to get a sense of the problem and the solution.

https://youtu.be/8tAxHrntBJs?t=806

These folks are saying that, just as the industry handled over-the-wire insecurity with TLS and e2ee (and not rolling our own crypto) we can handle device exploitability with well-described data and automated parser generation from those descriptions (and not rolling our own parsers, which these folks say should be verboten for the same reason as rolling one's own crypto: parsing is too hard for non-specialists to get right).

Moreover, we don't have to redo the whole stack for it to be meaningful: big players can start using this tooling (e.g. https://github.com/UpstandingHackers/hammer) for parsers handling data from very untrustworthy inputs, such as message payloads sent to a phone number.

Apple's Lockdown mode is a step in this direction, though in such a crude, "burn the village" way that it makes the phone almost unusable. But sacrificing usability shouldn't be necessary with current methods. If these folks can make safe parsers for PDF (https://www.darpa.mil/program/safe-documents) it should be possible for anything.

Another great talk: https://www.youtube.com/watch?v=3kEfedtQVOY

You've over-egged the pudding here: neither Gödel's incompleteness theorem, nor Rice's Theorem, guarantee that an algorithm in a certain complexity class will have exploitable defect. Rice's Theorem in particular suggests that it's unlikely one will be able to statically prove that such an algorithm has the properties it's designed to have. That should be enough to make anyone nervous.

I hope readers will be able to look past this one sentence in your post and take a good hard look at the rest of it, which is quite important.

Rice's Theorem, as all Free Lunch Theorems, is too pessimistic.

In real conditions, static analysis and theorem proving can verify lots of safety properties. See e.g. Astrée & Airbus, or F* and Project Everest.

IMHO, the solution is to use static analysis in conjunction with DSLs that have restricted semantics to make static analysis and hand-written proofs easy.

It doesn't appear that we're disagreeing.

You're referring to verifying 'lots' of safety properties, I referred to verifying that an algorithm does everything it's supposed to. These are not the same thing in the general case.

My actual point was that generic incompleteness and undecidability theorems do not guarantee that any given program must be defective.

The thrust of langsec is in fact to parse all inputs at the boundaries, using algorithms with known properties, that is, ones where it's feasible to prove that they'll halt, won't overrun buffers, and so on.

The Gödel and computational complexity stuff is a bit out in the horizon, but the rest ain't wrong and is something that's getting a lot of (indirect) federal funding via the Secure Enclave/Trusted Execution Environment related research - and Bratus was one of the earlier people in the Trusted Computing space.

> If these folks can make safe parsers for PDF (https://www.darpa.mil/program/safe-documents) it should be possible for anything

It is, but it's very expensive. That's why a lot of this research has been getting billions in funding for 10-15 years now in order to build out the underlying ecosystem needed to harden the entire stack

Thank you for sharing these talks! I will never look at parsers the same way again.
> Pegasus attacks as a problem of political will ... when there is a deeper problem: parser complexity.

There is a "problem of political will" but also the problem of stupid SW which tries very high to decode everything you throw at it. Some time ago it was "file format not recognized", nowadays it is a root exploit.

from the article "...there is also no evidence suggesting that Russia, Belarus, or Lithuania are Pegasus customers. Latvia appears to use Pegasus, but the country is also not known for targeting victims outside of its borders. ...., Estonia does appear to use Pegasus extensively outside their borders, including within multiple European countries. "

It would be very surprising to see Russia using Western tech such as Pegasus, you can't just outsource your spy tools to your enemies. They most likely have as powerful if not more technologies.

This whole NSO spectacle is more about the subversive BDS movement than a genuine care about political suppression and spying on the citizens.

If they could get their hands on Pegasus tools, their use might be ideal for Russia if for no other reason than because it would sow uncertainty and confusion.
It's like using GPS. Russians created Glonass because GPS is under US control and can be used to subvert their operations. Pegasus is linked to a West allied country and can be used to feed them false information.
Pegasus is Israeli, I'm not sure it is "western".

Israel is very lenient towards Russia.

Used to be lenient
I'm surprised this was the case for so long as Iran is a close ally of russia.
Israel is very intertwined with the typical conception of "the West" via a very cozy relationship with the USA including billions in annual funding, and a great proportion of its citizens having roots in Europe and the USA.
At the same time Netanyahu is happy to wear Koloradka. And big chunk of Israeli population has Russian/USSR origins.
It's certainly a country at the nexus of many dimensions.

What's the significance of wearing Koloradka? It looks like something christian priests wear, I don't think I understand.

Koloradka originally was tsarist Russia reward. Later it was revived by soviets in WW2, but not used much after the war. Then Putin revived it as a symbol of continuous history of tsarist Russian empire, USSR and his regime. Nowadays it's a symbol of modern Russian imperialism with a historical flavor.

In those parts of europe where both tsarist Russia and Soviet union were occupiers and now Putin is a threat, koloradka is pretty much on the same rank as nazi symbols.

> And big chunk of Israeli population has Russian/USSR origins.

Most of whom probably still remeber very well the moderate Russian racism towards jews.

Also they probably would have stayed in Russia if they were happy with their government. Luckily Israel was one of the good ways to get out of the country if you had jewish roots.

Israel finds itself in the same position as Russia war-wise.
Some do remember. Some just used some obscure grandpa's paper as a getaway card into a better-off country. With many of those grandpa's papers being forged.
trying to understand the BSD linkage here and I'm coming up empty
I'm guessing they meant BDS - Boycott, Divestment and Sanctions.
Side note: Just checked are non-Android Linux OSes targeted by this spyware. Apparently, there's no public info in favor of such. So probably, nope. It looks mostly targeted against Android and iOS only.
Then I am switching to a feature phone Nokia by HMD
Check out postmarketOS. Can run on a Nokia you're specifying, but not only :)
Equally open to vulnerabilities. For example, there's an unpatched GLIBC vulnerability in Alpine Linux (which is the distro postmarket is built on).
CVE-2015-0235? What the hell? -2015- and still unpatched? But apparently it looks like the case.

Anyway, Alpine seem to use musl instead of glibc.

Packages will still call and use GLIBC - especially those that are cross-platform, because migrating your codebase to support a new ABI is a PITA.

This is a classic example I use when explaining the need for SBOMs and Software Supply Chain Security to non-software C-suite.

Do you have any info why this CVE is still unpatched? It seems absolutely crazy, given it is known (of course, a lot of similar bugs may not be even known as of now). Virtualization and containerization-based approaches would be a go-to method for reducing potential surface affected by them - given this was in (g)libc, even Linux namespaces would've potentially resisted most of things which can be done with it. Not to mention light hypervisors with very minimalistic codebase like Xen.

My phone doesn't run Xen yet (I've ran into some problems with kexec() support in Linux on aarch64), but it runs KVM just fine ;)

However, it seems that in Debian it's patched https://security-tracker.debian.org/tracker/CVE-2015-0235 . Is what you're talking about Alpine-specific?

> Do you have any info why this CVE is still unpatched

I'm not sure, but it's the tip of the iceberg. There are plenty of uncaught and unpatched vulnerabilities across all environments, and plenty that have not been reported because vendors like Zerodium will pay premiums for zero-days.

> Is what you're talking about Alpine-specific?

Yep! That's the point - vulnerabilities can be caught and known, but patching might not be provided, leaving environments open to attack.

> similar bugs may not be even known as of now). Virtualization and containerization-based approaches would be a go-to method for reducing potential surface affected by them

Virtualization as it is today is fairly vulnerable to escapes, but this is why the US Govt has been funding Secure Enclave/Trusted Execution research for 10-15 years now.

Basically, complex vuln-free code is highly unlikely to ever exist. That said, these are very difficult to exploit by some random attacker as these are fairly complex.

If you are at threat of being targeted by NSO Group or Zerodium enabled attacks, you are already on the radar of a country's Law Enforcement/Interior Ministry/Dept of Homeland Security/Intelligence Community and any attacks on your phone are the least of your worries.

Exports of these products are heavily regulated and require sign off from the government (eg. Israeli offensive security products like NSO's Pegasus require sign off from the Israeli MoD and PMO)

Your best solution is to buy a phone that is very well supported and constantly patched by the vendor (Apple, Google, higher model Samsung are fairly well maintained) as they will push critical patches if and when a vulnerability is found.

Feature phones and more generic smartphones won't have that level of support due to margin constraints.

> If you are at threat of being targeted by NSO Group or Zerodium enabled attacks, you are already on the radar of a country's Law Enforcement/Interior Ministry/Dept of Homeland Security/Intelligence Community and any attacks on your phone are the least of your worries.

Ah, you mean social engineering attacks and more powerful attacks relying completely outside of the cyberspace (to say more bluntly, which perfectly fits the case here, "in the meatspace"), right?

In terms of broadly-understood virtualization, there's always FPGA with its possibility to spawn multiple number of completely independent softcores. These days some FPGAs with enough computing power for well-optimized security-critical part of general-purpose computing (messaging, web browsing, maybe DSP - not computation like neural models) have fully open-source bitstream synthesis tools.

BTW, thanks a ton for letting me know about the unpatched vulnerability in Alpine. I'll talk to the pmOS guys about patching it.

> Ah, you mean social engineering attacks and more powerful attacks relying completely outside of the cyberspace (to say more bluntly, which perfectly fits the case here, "in the meatspace"), right

No. I mean actual unpatched vulnerabilities and exploits that haven't been published.

NVD is just the icing on the cake. Plenty of less scrupulous vendors like Zerodium, Crowdfense, NSO, etc have collected troves of exploits and vulnerabilities that have never been published, because they can pay 2-3x what bug bounty programs pay.

For example, NSO's Pegasus toolkit which has been operational for a decade but only remediated in the past couple months.

But it doesn't matter. If you've been targeted by adversary using one of those products, you are already very high profile and security theatre around your phone's security is basically useless if you don't have a security team to back you up.

> In terms of broadly-understood virtualization, there's always FPGA with its possibility to spawn multiple number of completely independent softcores. These days some FPGAs with enough computing power for well-optimized security-critical part of general-purpose computing

That's what Secure Enclave/Trusted Execution is in a nutshell, but it's progressed way past FPGAs (that was a late 2000s/early 2010s research area before moving up to CPUs and GPUs)

------------

Just stick with a common popular smartphone from a brand that makes sure to consistently be on top of patching and supportability.

It's about as safe a consumer computing device can be, and even nation states recognize that. Most leaders and politicans use common smartphones as well, but they are locked down with an MDM (this is BlackBerry/RIM's bread and butter now because they've deprecated phone manufacturing)

Why resort down to ad personam (the last two paragraphs)? These are not insults, but not valid arguments, either.

I know very well about Zerodium. However, FPGAs can be way more secure than any kind of ASICs. If you don't understand why, then I don't think further discussion is warranted. I worked with Apple's implementation of security enclaves, and they don't isolate (or "outsource" to be processed there) nearly as much as should be isolated. For example, whole display and touch input needs to go through the application processor, anyway. It's not a good way to go, to say the least. You can't overlay anything on the top of the display nor isolate touch input from some area (say, virtual keyboard) to go to the enclave. The rest of what it does is pretty meaningless, given these constraints.

Ah! I think our wires got crossed!

I wasn't referencing Apple's Secure Enclave - I'm just using the new buzzword for "trusted computing"/trusted execution. Such at this thesis from Cal a couple years ago [0]

> However, FPGAs can be way more secure than any kind of ASICs

I agree with you! The issue is usability (and I guess it depends use case to use case). We gotta navigate a happy path between security and usability. Otherwise users will try to undermine security features.

This is an interesting convo tho. I'm going to favorite this for some thinking later.

> Why resort down to ad personam (the last two paragraphs)? These are not insults, but not valid arguments, either

That wasn't meant to be an ad personam, and if it was I apologize. It's literally was advice I'd give anyone who's worried.

[0] - https://www2.eecs.berkeley.edu/Pubs/TechRpts/2021/EECS-2021-...

Ah, okay. You're welcome. I've seen also a similar paper called "Citadel" on arxiv.
> feature phone Nokia by HMD

Sure, but it runs Android Go (embedded Android) or KaiOS (embedded Linux) out of the box.

Any vulnerabilities that arises in Linux can also be weaponized on those OSes as well depending on when the OS image was deployed and whether or not the OEM supports upgrades and patches (generally they don't)

> Just checked are non-Android Linux OSes targeted by this spyware

It's safe to assume that any mobile phone OS will inevitably be targeted. There are always going to be unpatched and uncaught vulnerabilities, and the market for finding these vulns are very hot.

The bigger question is why do you think you'd be vulnerable to attack by a nation-state? If you are that prominent, you are screwed anyhow.

This article by Mickens is fairly accurate [0]

[0] - https://scholar.harvard.edu/files/mickens/files/thisworldofo...

How would you define a "mobile OS" then, to keep the alignment of what you said, particularly this part: "There are always going to be unpatched and uncaught vulnerabilities"?

Everything which can fit into a pocket and has a HTML5 browser?

FYI, I know about how extremely vulnerable average cellular baseband is (and that it would often use unprotected or weakly protected DMA). Let's assume the device in question doesn't have one of these.

Good question!

Just about every phone (smart or feature) is running some flavor of Unix (iOS/BSD for Apple, Android/Linux for most other smartphones, and KaiOS/Linux for feature phones).

The 1998 style Nokia brick is functionally non-existent as there is no financially viable demand for a product like that anymore.

The markets that are feature phone driven (much of Africa, poorer regions of South and Southeast Asia) are also heavily WhatsApp dependent, so the mobile OS needs to be lightweight but also support modern app functionality - which lends itself to the embedded Linux use case.

Also, no matter how much you modify and QA code, inevitably some bug will arise, and will be open to exploitation.

Second time this week in which I've seen "civil society" used in a headline on HN. It's such a blunt euphemism they may as well write "the good guys".
It’s a bog standard term that has nothing to do with 'good guys' or 'bad guys' - civil as in infrastructure not civil as in polite...