34 comments

[ 2.0 ms ] story [ 52.6 ms ] thread
>Gibson, who until recently built surveillance technologies for Western government hacking tools maker Trenchant, may be the first documented case of someone who builds exploits and spyware being themselves targeted with spyware.

Leopards ate my face moment?

They're not developing these tools to NOT use them...

> I went immediately to buy a new phone.

Why does he think that will help against a state-backed adversary?

> “I was panicking,” Jay Gibson, who asked that we don’t use his real name over fears of retaliation, told TechCrunch.

And later,

> Without a full forensic analysis of Gibson’s phone ... it’s impossible to know why he was targeted or who targeted him.

> But Gibson told TechCrunch that he believes the threat notification he received from Apple is connected to the circumstances of his departure from Trenchant ...

I find it funny that (1) this guy never thought this would happen to him (2) this guy has the balls to talk to media about this but fears retaliation

I mean, seriously, those who want to know your real name already know it.

Going public is presumably part of his strategy for trying not to be disappeared.
any guesses for the state here?
When it comes to state-sponsored cyber-spying like this, take your pick between USA, Israel, Russia, China.
Maybe it went like this:

- Exploit developer makes and plays with exploits on their phone

- Apple notices this, warns them that there is spyware on their phone

- Exploit developer somehow thinks it is governments hacking into their phone

These exploits get developed on airgapped devices
> I have mixed feelings of how pathetic this is, and then extreme fear because once things hit this level, you never know what’s going to happen

Interesting kind of payback. What does he think happens to the people whom the exploits he develops target?

What is the surprise? If I'm in his shoe I'd expect the gov knows everything about me including how often I make sex.
I've interviewed with these types of companies (not the ones in the article). I've even caught them using their exploits on me after they made me an offer and that seems to be the most likely explanation for what happened here. I don't know how anyone can develop exploits for resale in good conscience.

If these companies have no qualms using their exploits against their own employees they'll have absolutely no problem using them against members of Congress, the Courts, investment banks, tech leaders, and anyone with any sort of power. This gives them the ability to blackmail some of the most powerful people in the world.

edit: And that's not even mentioning their reported "intended use" against dissidents and journalists.

Maybe that was just a phase of your interview.
I figured security researchers were always targets of multiple APT actors and random individuals. However...

> I've even caught them using their exploits on me after they made me an offer

Not only for exploit companies that eat their own dog food, nor only cybersecurity jobs, but I've heard of this happening to people interviewing for other tech area considered strategic.

The noticed ones weren't that subtle, and were presumably noticed because the attacker wasn't using the best methods, but maybe more routine SOP for lower-value targets.

I have no idea what the actors and motivations actually were. Speculation:

* the hiring company or its country, vetting the candidate by spying on them, including for corporate/national counterintelligence reasons (it's really not much different than a lot of the sneaky surveillance capitalism vetting that many companies quietly do, just unambiguously illegal in this case);

* the hiring company, spying to monitor the competitive offer situation (e.g., what counteroffers or concerns does the candidate have);

* other state, individual, and possibly corporate actors, for whom the imminent offer flagged the target as worth keeping an eye on (for, e.g., advance access to research they do individually, knowledge of attacks they do individually, possible technical entry point to the job-offering organization or others, or kompromat for getting access/actions); or

* random associated individuals acting on their own, recreationally enjoying the power over others that their cracking toys give them (which at least used to be not too uncommon, before cybersecurity was professionalized, when there were proportionally much more teens and alienated people, and they hadn't yet been told about color-coded hats for prefabricated codes of behavior from which they could choose; now, most people with skillz have the carrot of a lucrative job or respected status as researcher that they can pursue, instead of seeking power/status other ways and without guidelines).

Personally, I try not to work on strategic target areas, since I like to save my very limited guts for fighting product concepts and reliable systems into shape, not for being helplessly violated by lawless authoritarian institutions. Good luck.

This is why I don't want to work in cybersecurity

This is too dangerous, it's the wild west

Forget blackmail, people wildly overestimate the value of blackmail. Far more predictable and lucrative is just to use exploits for insider information, including as favors and bribes, and selling them to governments willing to pay immense amounts of money. Blackmail is far too messy. Grease works way better.
Live by the sword, die by the sword.
This guy is pretty naive if he thinks they (or their biggest customers) won't verify whether he really was leaking something or not if they've got the tools to do that lol and to maybe send a message to not think about it
> Gibson .. may be the first documented case of someone who builds exploits and spyware being themselves targeted with spyware.

> But the ex-Trenchant employee may not be the only exploit developer targeted with spyware .. there have been other spyware and exploit developers in the last few months

I would like to see the screenshot or the photo of display with that kind of alert.
(comment deleted)
This framing seems weird:

> Two days after receiving the Apple threat notification, Gibson contacted a forensic expert with extensive experience investigating spyware attacks.

Surely as a professional "exploit developer", Gibson himself should have been about as expert at this particular niche as any human being on the planet already.

I mean, sure, absolutely he should have called in his friends in the community and gotten more eyes on the device. But the way that's written it sounds like he took it into the local Genius Bar.

It also, in context, feels a little obfuscatory. Like he's trying to flag the involvement of senior folks who he can't name.

I think you're conflating two precepts. Just because you can write an exploit, it doesn't - inherently - mean that you have the skills/knowledge/tools of where to look for all signs of exploit having occurred on your device(s).

From the inference of that logic, every developer should be able to use gdb or Windbg to ascertain where they shot themselves in the foot - but we know that this specific set of skills isn't inherently required to be a developer.

So, the same logic would be true here: Just because you can write a hand full of exploits, it doesn't inherently mean that you have the tools/know-how to be able to ascertain if any of all of the available exploits in the wild (or in private, re: tools for Trenchat) have been used on your phone.

Edit: gbd != gdb

Why is it not computer crime? It wasn't done by the govt, they suspect it was done clandestinely by Trenchant.

Sue them!

There's still no proof that it was Trenchant, and there was no evidence on the device. It's unlikely that it will ever be identified as an attack from Trenchant. Trenchant/L3Harris is a supplier for Five Eyes, and any attribution of their exploits will likely be concealed.
Normally with crime we arrest people. Half the problems in the world seem to stem from the fact companies are unaccountable.
I can kinda sympathize with the guy, as I got fucked over in Defense contracting in a not-dissimilar fashion a lifetime ago. These companies reel you in with decently-sized (or even outrageously-large) pay packages and promises of doing “good work”, bleed you of your energy and time for their profits, then shove you out the door and blame you for anything that went wrong (especially if you try to act honestly and report wrongdoing - that’s a one-way ticket out the fucking door and into blackball territory).

Nobody should be doing work for these scumbags, but people will always fall for their spiels and grifts, unfortunately, out of some naive sense of “doing good” or “getting the bad guys”. It’s always just “leopards ate my face”, though.

I'm more interested in how Apple makes this determination than I am about the drama between this dev and his former employer.
>“I was panicking,” Jay Gibson, who asked that we don’t use his real name over fears of retaliation, told TechCrunch.

I lol'd for a second imagining this is his actual name but the writer didn't realise it

This is why I don't want to work in cybersecurity

This is too dangerous, it's the wild west

So basically it was probably someone in his chain of command leaking the Chrome exploits, and this guy was the scapegoat used to cover that up for now.

Though the whole thing sounds more made up than legit.

I had to read "Apple alerts exploit developer" several times to understand what it meant.

First read: "Apple's alerts somehow exploit a developer".

nth read: "Apple's alerts tell a developer of exploits that..."

As a former researcher in this space, anyone who develops commercial exploits knows what they are doing and that their work if they happen to be in the US is subject to ITAR level restrictions.

I stopped when it became a game at that level. I refuse to be a government contractor…. It’s about not using software like this to kill people like Jamal Khashoggi.

F the dipshits at NSO and the turds at Corellium.