• Russia appears to be targeting journalists with spyware known as Pegasus.

  • Pegasus is a “zero-click” software, hacking phones by sending texts that don’t need to be opened.

  • The software has targeted dozens of journalists, activists, and politicians in recent years.

  • masterofn001@lemmy.ca
    link
    fedilink
    English
    arrow-up
    23
    arrow-down
    30
    ·
    edit-2
    1 year ago

    Code has been analyzed from several versions of it.

    Edit: the code and analysis report available here:

    https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/

    (Edit: it amazes me how much people will defend/rationalize the most valuable corporation ever known to put more effort into the camera being placed 2mm to the left than an exploit that gets people killed.)

    That Apple (especially) can’t mitigate against it is pretty damning.

    Regardless what Pegasus is made of, it exploits vulnerabilities. Use a rock, a bat, or hard boiled egg and you can break a cheap window. It’s the window that is insecure. Not the methods used.

    A trillion dollar company ought to be able to put up a bit more than plexiglass.

    And the mega corps ought to be working together on this. Imagine if it got out into the wild.

    Remember spectre?

    https://en.m.wikipedia.org/wiki/Spectre_(security_vulnerability)

    I am not a lawyer.

    • Dudewitbow@lemmy.ml
      link
      fedilink
      English
      arrow-up
      24
      arrow-down
      1
      ·
      1 year ago

      hardware based speculation is hard to patch compared to most exploits that are just bad programming mistakes due to two factors. one being its hardware and its hard to patch out hardware and 2. fixing it would lead to severe drop in performance. A name of a very recent one would be Retbleed.

      • masterofn001@lemmy.ca
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        5
        ·
        1 year ago

        Yet, if you check your dmesg you’ll find innumerable methods of mitigation against such exploits.

        A software patch for hardware issue.

        Personally, I’d rather the drop in performance than the Kashoggi treatment.

        • Dudewitbow@lemmy.ml
          link
          fedilink
          English
          arrow-up
          10
          arrow-down
          1
          ·
          1 year ago

          hence a preference thing, because In real life, when users see a huge performance drop, they complain (e.g Apple throttling old iphones due to aging battery without telling users). It’s why it’s one of the hardest fixes to do. Sometimes patches for speculation doesn’t hurt the end user much (e.g Zenbleed does not affect consumer loads like gaming) then you have situations like Intel’s Downfall, which has sizable AVX2/AVX512 performance penalties.

          • Serinus@lemmy.world
            link
            fedilink
            English
            arrow-up
            7
            arrow-down
            1
            ·
            1 year ago

            It was absolutely not just for aging battery. It was also planned obsolescence.

            • Dudewitbow@lemmy.ml
              link
              fedilink
              English
              arrow-up
              2
              ·
              edit-2
              1 year ago

              hence why it feels like that, but saying its the same situation again, some people would have prefer it for the phone to randomly shut off at 1-10% battery, and there’s the other camp that would have preferred for it to be throttled to prevent non zero shut down.

              Apples mistake was both not telling people about it publicly, and not giving them a choice.

          • Ottomateeverything@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            ·
            edit-2
            1 year ago

            because In real life, when users see a huge performance drop, they complain

            Yeah, true, and the dead people don’t get to complain, so just prioritize performance because the dead aren’t complaining.

            /s obviously. I don’t give a fuck how much performance you gain/lose by running an exposed system. Increasing road speed limits would help people get to work faster. But more of them would be dead. Road safety comes first, convenience and speed comes second.

            I could understand people having a slightly different priority list 30 years ago when performance was shit and computers were obscure. But in this day and age, we’re making increases in performance 99.9% of the populace won’t notice and computers literally run our lives. The priority is security.

            then you have situations like Intel’s Downfall, which has sizable AVX2/AVX512 performance penalties.

            Yeah, exactly. Most people don’t utilize AVX all that much. And those that do likely have newer machines that are unnaffected. And Intel is patching it.

            • Dudewitbow@lemmy.ml
              link
              fedilink
              English
              arrow-up
              2
              arrow-down
              1
              ·
              1 year ago

              The point is, anything there is code speculation, virtually every single time they invent a new way to speed up performance, a new method of attack gets found. It doesnt matter if its Arm, it doesnt matter if its Apple, jt doesnt matter if its Intel, doesnt matter if its AMD, everyone has exploits as long as code speculation is a thing. If security is a severe issue, would the solution not be finding or using phones without code speculation period as as long as long as it exists, historyically speaking, its only a matter of time till an exploit exists for it.

    • drcobaltjedi@programming.dev
      link
      fedilink
      English
      arrow-up
      8
      arrow-down
      3
      ·
      1 year ago

      Theres literally a functioning business model of “find zero-day exploits for software X and sell that info to the highest bidder”. There is actively many huge bounties for currently working exploits that you, random dude on the internet, can get if you can show that an unknown bug can be used to gain access to some software. Pegasus is one of the groups buying the exploits and then using it.

      It is a perpetual cat and mouse game. Every time that Apple is made aware of an exploit they patch it asap, but that doesn’t mean they’ve fixed every exploit. You can’t fix a bug unless you know it’s there.

      • masterofn001@lemmy.ca
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        4
        ·
        edit-2
        1 year ago

        Really? An entire economy based on hacking, exploits, and exfiltration? (Edit: I guess I need this: /s, because, /whoosh)

        Again. A 2 TRILLION DOLLAR COMPANY, should be able to find the resources to not only find these exploits, but be able to more vigorously check their own code on their own platform on their own hardware in their own labs.

        Doubly since it affects a broad range of hardware/software/firmware, and since these exploits essentially own everything, and it is targeted at high value targets including members of state, journos, advocates and dissenters, it would seem necessary to develop better security in tandem with the other half of the monopoly and OEM’S and national security agencies.

        It isn’t just a bug that erases your favorite cat pics. Worst case, these exploits can erase your life if you end up saying/knowing/thinking something someone doesn’t like.

        I find it difficult to believe after 3 years, multiple os updates, code changes, hardware/chip redesign, the same exploit(s) have remained so thoroughly effective, and the best a company can do is “lockdown”

        You’re already owned by then.

        • drcobaltjedi@programming.dev
          link
          fedilink
          English
          arrow-up
          5
          ·
          1 year ago

          Ye, it’s a real thing. A quick google search for the term “companies that buy software exploits” lead me to the following real companies that will buy exploits you find; zerodium, offensive cyber, and vupen. In fact, zerodium currently has a $400,000 bounty for an exploit for microsoft outlook. It’s very useful for say something like a government to know about these hacks in case say they want to hack someone. For example stuxnet was written by the US to fuck with Iranian centrifuges.

          Pegasus isn’t just a single exploit. It uses many and every patch to an OS doesn’t fix every single exploit so there’s always another way Pegasus can break into the system. Also, do you think that with every update to iOS the developers are rewriting their entire code base? I’ve written lots of updates for my software and I almost never scrap the entire thing when I need to do rewrites.

          Again, Apple, a 2 TRILLION dollar company, can only fix exploits they know exist.

          • masterofn001@lemmy.ca
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            3
            ·
            edit-2
            1 year ago

            Again, with 2 trillion dollars, I’d fucking hire every hacker, grey, black, white, and red hat, every security expert, every current and former intelligence agent, consultant, pundit, engineer, 7 year old prodigy, AI, and the corpse of Steve Jobs to fix a problem that essentially makes any and all security features null and void.

            But, that’s just me.

            I’m not a shareholder grasping at my 96 cent dividend over the safety and lives of people.

            And even after spending all that, I’d still have 2 trillion because that is an insane figure that is so big it would pay 10 million people 200k. Surely enough to fix the problem.

        • Ottomateeverything@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          edit-2
          1 year ago

          Yeah, the argument that there’s money in this business only furthers the point here - there’s money in it because it’s valuable to abuse systems. Therefore the people running those systems should be the ones fucking funding it. And then using that agreement to keep the exploit details behind closed doors until they are able to fix it.

          It’s almost like this should be an entire internal department. Maybe it could be named after the idea of keeping things secure?

          If the company making massive profits off the sales of these devices isn’t going to fund it, who is? It’s fucking insane to me that Google basically funds the security of iOS for Apple, who’s their direct competition in that market. We probably wouldn’t even know this exists if it wasn’t for stuff like that.