I would then have another department whose job is to be as subtle as possible - for example, all their exploits are 'in RAM' and all data sent back is plausibly deniable. (for example, rather than using a random 256 bit nonce while establishing an HTTPS connection to Apple to check for updates, use 256 bits of encrypted data you wish to exfiltrate)
Where this is an issue, which goes against your point - the groups can step on each other's toes. The discovery of the broader and more detectable attacks invites attention, further scrutiny and additional forensics which may uncover the more sophisticated attacks.
Where the real deceptive action takes place is in learning how other opposing groups operate and mimicking their tactics to make the process of attribution more difficult.
They would phish Lockheed/military folks with emails stating "Hey we met at 'military conference', here is my contact file - let's stay in touch"
The file had malware which would trickle very slowly data out.
It was discovered due to one user complaining about his machine being slow... then it was discovered that it was discovered, and the Chinese opened the fire-hose and the worms were flooding the three egress points to the internet Lockheed had at that time, until they could kill the connections and clean up the system.
The other thing the Chinese did was to infect 3rd party suppliers who were supposed to be air-gapped, so they infected machines at suppliers to go after any USB sticks that were used to transfer info and get the malware back to Lockheed systems via the USB transfer of info between contractors and Lockheed...
Which is basically how Stuxnet managed to get its foothold.
Alternatively, if I wanted to accuse my political opponent of being a Russian stooge, I'd do the same thing. You wouldn't even have to be under the scrutiny of a three letter agency. Just find a security researcher that will agree with you for a lot of money.
Why do you assume a "basic phone" would protect you in any way? It's far more likely to only be capable of insecure, easily interceptable forms of communication (e.g. SMS). Also, its software is likely much worse than more popular phones (e.g. an egregious example is cheap Android phones shipping with malware preinstalled).
[0] https://www.extremetech.com/defense/161870-the-humble-sim-ca...
Tbh the only two positives were:
- Battery would last several days on a single charge. I had totally forgotten that that used to be the case.
- Less time wasted on social media etc.
But the drawback was immense!
For one, it was not until I put my smart phone away that I realised just how valuable Google Maps is to me.
And of course, a lot of my communications with other people are in various apps these days. SMS is just not very useful at all now.
So the lesson learned was that it is better to have a smart phone.
Unfortunately, even if you trust your "basic" phone to not be compromised, it still means you can't have a personal computer. From what I've read, that's the strategy used in the Kremlin - for security reasons, they banned computers and went back to typewriters.
https://en.wikipedia.org/wiki/Kaspersky_bans_and_allegations...
Or you can save yourself the time and say that Kaspersky have proved themselves untrustworthy over an extended period of time and just avoid it and take everything they say as probably either propaganda or marketing or both.
Even if you trust them, their product causes such extreme degradation of usability that one place I worked decided the cure is worse than the disease and removed Kaspersky from all its machines to the general celebration of all users. I was unaffected because I was the sole Linux user, so I had been spared the Kaspersky virus on my machine.
A carve out for python scripts is a dubious claim.
There is no way I'm going to just download and run that script because I'm honest and I like not being in prison.
[0] https://www.acquisition.gov/far/52.204-23
[1] https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-...
On the plus side, since it's a 300 line Python script, you can read it (which does not involve running it), figure out what it's doing, explain it to somebody else in broad terms, and get them to write some equivalent code.
I mean it looks probably fine to me. But saying it's a 300 line python script is kind of begging the question.
[1] using mkstemp but you need to check that stuff to make sure. You also need to check what it does with the things it AES decrypts (they're just pathnames so again, probably fine etc).
https://www-fsb-ru.translate.goog/fsb/press/message/single.h...
"Now it's FSB. Federal Security Bureau. Same friendly service with a new name."
Just "SELECT * FROM nsa_exploits" would probably turn all our stomachs and I'd guess they still only have a small fraction of what exists.
Software is to a large extent built on default-unsafe primitives, and we wrest security from them at great effort and with dubious efficacy. We still have fights on HN about whether or not "memory safety" is necessary, and that is frankly so far below the level we need to operate that it would be humorous if it weren't sad. Granted, that fight is dying down as we gradually converge on "yes, it's necessary", but it's like level 2 and we need to be operating on level 18.
Good thing we live in a free democratic society!
It's gotten to the point where full-chain Android exploits, traditionally easier to find and use because of lacking update policies and incompetent manufacturer chains, are worth more than their iOS counterparts: https://zerodium.com/program.html
Because of iOS' excellent update rate and generally very secure operating system model, I'd expect this to mean that there are so many exploits for either platform that the trade of exploits for the ostensibly more secure platform isn't restricted by the amount of exploits anymore, but rather by the rate the existing 0day stock gets burned by use.
I expect intelligence agencies to be fully stocked with more 0days than they currently need. Not just intelligence agencies either; for your average large international criminal organization, whether it's the mafia or the NSO Group, there should be plenty of exploits to be found and bought.
https://twitter.com/Zerodium/status/1326498688621948928
Now, did they have too many? Maybe. But maybe also because they were expecting Apple to announce a new iOS at the WWDC that was happening in June.. or maybe lots of 0-day exploiters suddenly wanted to dump their exploits knowing that Apple was probably going to be patching them soon. Oddly enough, that tweet about resuming payment coincided with the release timeline of iOS 14.
Most of this is irrelevant though because we lack any information. What is "too many"? 10? 100? 1000? It could be that, just like any other middleman, they sometimes need to sit on "inventory" and they can't just buy up that many at one time in case Apple fixes them all in an update.
What is APT in this context?
You might be surprised. You don't have to be somebody important, you just might be working somewhere interesting or know somebody important.
PS: the Snowden leaks showed the NSA hacked ordinary broadband providers' administrators to get access to networks, because POIs were using those providers.
It's debatable how useful this advice is for field agents, who might not be carrying a computer with them all the time, but for regular people it's entirely feasible.
The issue here isn’t backups. Cloud and local would be equally affected if the system is compromised.
What now?
Seems pretty noisy IMO. It prevents software updates with visible errors. I wonder if it's just the limitations of iOS or it's a non-nation-state actor. I noticed it modifies some FaceTime files; I wonder if it exploits the camera through that.
Unfortunately, given the state of the Apple first-party software, I doubt this would ring too many alarm bells.
If anything, were I to start getting visible errors, I'd welcome the change from Apple's previous MO of simply silently failing.
I would recommend to fork it, thoroughly analyse every line of code and run it on a dedicated computer without internet. Always keep in mind you can't trust them at all.
> A collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices ... released by the Amnesty International Security Lab in July 2021 in the context of the Pegasus project along with a technical forensic methodology..
STIX IoC format, https://www.oasis-open.org/2021/06/23/stix-v2-1-and-taxii-v2...
> The [threat intelligence] work was based initially on three specifications contributed by the US Department of Homeland Security (DHS) for development and standardization under the OASIS open standards process: STIX (Structured Threat Information Expression), TAXII (Trusted Automated Exchange of Indicator Information), and CybOX (Cyber Observable Expression).
iOS IoC sources, please add to this list:
https://github.com/AmnestyTech/investigations
https://github.com/citizenlab/malware-indicators
https://securelist.com/operation-triangulation/109842/
https://imazing.com/guides/detect-pegasus-and-other-spyware-...
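As an added example (not code from MVT, Amnesty, Citizen Lab or any of the linked repositories), here is a small Python matcher that loads a constructed STIX 2.1 bundle of the kind these IoC feeds use and checks constructed iOS backup records against it. All ids, domains and process names are placeholders, and only the equality/OR subset of the STIX pattern language is handled.

```python
import json
import re

# Constructed STIX 2.1 bundle in the shape of MVT-style IoC feeds; every id,
# domain and process name is a placeholder, not a real indicator.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "spec_version": "2.1", "pattern_type": "stix", "name": "example-c2-domain",
         "valid_from": "2021-07-18T00:00:00Z",
         "pattern": "[domain-name:value = 'updates.example-c2.test']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "spec_version": "2.1", "pattern_type": "stix", "name": "example-process-name",
         "valid_from": "2021-07-18T00:00:00Z",
         "pattern": "[process:name = 'examplehelperd'] OR [process:name = 'exampleagent']"},
    ],
})

# Subset of the STIX pattern language: "[object:property = 'value']" comparisons
# joined by OR. AND, FOLLOWEDBY, LIKE and MATCHES are deliberately not handled.
_COMPARISON = re.compile(r"\[([a-z0-9-]+:[a-z0-9_.]+)\s*=\s*'([^']*)'\]")

def load_indicators(bundle_json):
    """Return {"object:property": {value: indicator_name}} from a STIX 2.1 bundle."""
    table = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for key, value in _COMPARISON.findall(obj["pattern"]):
            table.setdefault(key, {})[value] = obj.get("name", obj["id"])
    return table

# Constructed records in the shape of per-process network-usage rows parsed out
# of an iOS backup, keyed by the STIX object:property they correspond to.
SAMPLE_RECORDS = [
    {"process:name": "apsd", "domain-name:value": "courier.push.apple.com"},
    {"process:name": "examplehelperd", "domain-name:value": "updates.example-c2.test"},
    {"process:name": "Safari", "domain-name:value": "www.example.org"},
]

def match_records(indicators, records):
    """Return (record_index, key, value, indicator_name) for every IoC hit."""
    hits = []
    for idx, record in enumerate(records):
        for key, value in record.items():
            name = indicators.get(key, {}).get(value)
            if name is not None:
                hits.append((idx, key, value, name))
    return hits
```

Running `match_records(load_indicators(STIX_BUNDLE), SAMPLE_RECORDS)` flags only the second record, once for the process name and once for the domain.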