Slashdot Mirror


NSO Has Been Selling a Smartphone-Surveilling Malware For Six Years (nytimes.com)

The New York Times continues their coverage of the commercial spytech industry, noting its services "are in higher demand now that companies like Apple, Facebook and Google are using stronger encryption to protect data in their systems, in the process making it harder for government agencies to track suspects... For the last six years, the NSO Group's main product, a tracking system called Pegasus, has been used by a growing number of government agencies to target a range of smartphones -- including iPhones, Androids, and BlackBerry and Symbian systems -- without leaving a trace...to extract text messages, contact lists, calendar records, emails, instant messages and GPS locations."

Slashdot reader turkeydance quotes their article:

That will cost you $650,000, plus a $500,000 setup fee with an Israeli outfit called the NSO Group. You can spy on more people if you would like -- just check out the company's price list. The NSO Group is one of a number of companies that sell surveillance tools that can capture all the activity on a smartphone, like a user's location and personal contacts. These tools can even turn the phone into a secret recording device...

The company is one of dozens of digital spying outfits that track everything a target does on a smartphone. They aggressively market their services to governments and law enforcement agencies around the world. The industry argues that this spying is necessary to track terrorists, kidnappers and drug lords. The NSO Group's corporate mission statement is "Make the world a safe place"... An ethics committee made up of employees and external counsel vets potential customers based on human rights rankings set by the World Bank and other global bodies....

One of the services offered by the NSO group is "over the air stealth installation," though they can also install their spying software through Wi-Fi hot spots. One critic argues "They can say they're trying to make the world a safer place, but they are also making the world a more surveilled place."

98 comments

  1. Gee... by 110010001000 · · Score: 2, Interesting

    I can sell you a 99 cent app that can do all that. No one checks permissions on apps.

    1. Re: Gee... by Anonymous Coward · · Score: 0

      Can they really do Person Of Interest style silent physical contactless installation? What kind of security holes and 0day exploits would they need access to for this to work?

    2. Re: Gee... by Anonymous Coward · · Score: 0

      I could tell you but then I couldn't sell it...

    3. Re:Gee... by Anonymous Coward · · Score: 0

      Jesus Christ, I'm gonna shit my britches.

    4. Re: Gee... by Anonymous Coward · · Score: 0

      I'm guessing "The Net" style security holes: Every phone has a second IP address in the 24.75.345/24 subnet, listening on port 65538. You just have to scan for it...

    5. Re:Gee... by FatdogHaiku · · Score: 1

      OK, calm down. It's going to be all right.
      First, do you keep your cell phone in your back pocket?
      If so, please move it before the microphone gets plugged up...

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    6. Re: Gee... by Anonymous Coward · · Score: 0

      I guess if you really want to know the details you need to come up with $650,000 and another $500,000 to get it set up. It was speculated that this Israeli company was engaged by the FBI to access the iPhone in the terrorist case out in California. The same phone Apple claimed would take too long a time and cost too much money. Who wants to bet that the same company could still crack the latest iPhone with the security upgrades?

      People need to stop whining about being able to be anonymous. Too many people think their lives are actually important enough for someone to spy on. Take a big fucking step backwards and see that the government is more vulnerable to system hacks and data theft than your average citizen. The three letter agencies do have access to some really powerful tools in their arsenal. The thing is they target specific people or groups with these tools and do not and cannot spend the resources to use their tools on a massive scale. Collecting and processing huge amounts of data does not produce results. And even though it was skipped over one of the documents Snowden released was about them abandoning mass data collection.

    7. Re: Gee... by Anonymous Coward · · Score: 0

      People's lives are important enough. The government wants to know as soon as someone, anyone, starts challenging the power brokers and the ruling class.

      This is NOT just about determining who needs to have what brand of shampoo ad show up on their feed. It is about perpetuating power structures and if you don't see it you're either blind or in on it.

  2. I"m safe! by NewtonsLaw · · Score: 4, Interesting

    Haha... now those folk who mock me for having a $9 "dumb" phone will realise exactly why I've not moved my life onto an Android or iPhone device!

    1. Re:I"m safe! by Anonymous Coward · · Score: 0

      Your dumbphone is even less secure. Nothing on it is encrypted. NOTHING.

      Only Apple iPhones are secure, and even then, people who install all the random shitty apps that websites want you to use instead of their website have more control over your device than the website. To hell with those apps. Unless I'm going to get a better experience (eg spotify) they are just "webviews" over the website anyway.

      Android apps are some of the least insecure piece of trash out there, not only do they ask for too many permissions, the users ultimately ignore them anyway.

      Android's webview is some of the poorest programmed things, hence it's been dumped for the "Chrome" webview, which takes the failings to a whole new level.

      So how does a spying company make a spy tool to get on these devices? It's not ads. I'm telling you it's not ads. It's actually through "encryption downgrade" attacks over public WiFi. Nobody actually checks that the AT&T wireless access point is really an AT&T wireless access point. If you are using a Public WiFi access point without a VPN, you are basically letting yourself be compromised.

    2. Re:I"m safe! by sims+2 · · Score: 5, Informative

      Why can't I deny individual permissions like I can with an iPhone? Solitaire needs access to your location information..Like hell it does deny!...And then somehow the app continues on just fine without access to the camera.

      Unlike Android, where the calculator needs access to your contact list, photos, location information and bank account.

      And then I'm given an ultimatum: I either let it do whatever it likes or I can't use the app at all.

      --
      Minimum threshold fixed. Thanks!
    3. Re:I"m safe! by TheGratefulNet · · Score: 4, Interesting

      with all the layers (rf, netmgt, etc) in a 'phone' these days, it's 100% impossible for any of us normal folks to fully secure these things.

      I have not even tried; given up before trying. I know better. there are carrier layers and layers that even the first few support folks can't get to. layers the vendors put in, and there might be some blobs that even THEY don't get access to.

      whole thing is a shit stink mess.

      I never install apps unless absolutely necessary. never do anything 'important' on phones and treat them as if each one is perma-keylogging me. that's the only way to work with them - to assume they are thru-and-thru compromised.

      which, really, they are. no matter what you fanboys think.

      all phones are under government (and other orgs) control. horse has left the barn.

      such a shame. pocket computers were a cool concept, but we lost the right to own our own computers and even desktops are becoming owned by others who will never tell you that they have access to your stuff.

      depressing to see this down-side of what humanity lowers itself to.

      aliens should just nuke us from orbit. it's the only way to be sure.

      --
      "It is now safe to switch off your computer."
    4. Re:I"m safe! by Anonymous Coward · · Score: 0

      most dumb phones are even easier to trace and follow, everything you do is unencrypted and accessible and you are easy to trace through the cell network anyway.

    5. Re: I"m safe! by Anonymous Coward · · Score: 0

      Duh how else is the app supposed to calculate my bank account...

    6. Re:I"m safe! by Desler · · Score: 1

      Because you want to make it easier for them to snoop on you?

    7. Re:I"m safe! by Anonymous Coward · · Score: 0

      The whole point of this article is that apple iphones and droid phones are NOT secure. if they can install malware over wifi silently then claiming they are secure is an oxymoron.

    8. Re:I"m safe! by currently_awake · · Score: 5, Insightful

      We need a third option: Deny but fake yes. The App thinks it has permission but it doesn't. All access just gets fake data and a "Everything worked ok" message. And log all access attempts, with data, so we can see what it's actually doing.

    9. Re:I"m safe! by amiga3D · · Score: 1

      It's defective by design. It's not intended to be secure. Anyone who trusts their phone with anything more important than their grocery list is a fool.

    10. Re:I"m safe! by Anonymous Coward · · Score: 0

      So how was the human activist that was targeted through NSO software supposed to communicate? Smoke signals? Tam-tam?

    11. Re:I"m safe! by sims+2 · · Score: 1

      Sounds like a good option to have for diagnostics but it's not an option I would want to put in front of the average user.

      I don't have anything running the latest iOS but none of the versions I used allowed apps to talk to each other in the background. That's another thing I don't like about Android: no one seems to know how to keep apps from chatting with each other, something they never should have been allowed to do in the first place, at the very least not without permission.

      --
      Minimum threshold fixed. Thanks!
    12. Re:I"m safe! by jonwil · · Score: 1

      I have a Nokia N900 Linux phone which is so obscure and unpopular no-one is going to bother writing exploits specifically for it. And with the unofficial updates from the community I get fixes for a lot of the general bugs going around (e.g. more recent OpenSSL than the phone came with for example). And being Linux and using so much open source software I can contribute directly to the development of the thing (e.g. I have done a lot of work on updating the included set of root certificates to the latest set from the Mozilla team as well as documenting exactly how you do that)

      The N900 also has some hardware features that make spying a little bit harder (for one thing the cellular radio has no ability to access the microphone, speakers or audio hardware and record audio on the sly nor can it access the main Linux filesystem of the device, everything the cellular radio does is done by the main CPU pushing data/audio/etc to it)

    13. Re:I"m safe! by stealth_finger · · Score: 1

      I'm safe. I have a windows phone and nothing fucking works on it and hardly any other fucker has one (because they're shit). It's quite nice in the security through obscurity boat now that it's been abandoned by the mac people.

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
    14. Re:I"m safe! by Anonymous Coward · · Score: 0

      Use the phone only as a modem. Encrypt the data before it enters the phone, decrypt it after it leaves the phone. Use a system without non-removable persistent writable storage (i.e. turn it off and on again and it's guaranteed to be in a known state). Forget about standard PCs and Macs.

    15. Re:I"m safe! by AHuxley · · Score: 2

      Re "I never install apps unless absolutely necessary. never do anything 'important' on phones and treat them as if each one is perma-keylogging me. that's the only way to work with them - to assume they are thru-and-thru compromised."

      That's what makes it all so fun now, everyone knows the US branded product lines are all crypto junk and seem very gov friendly as sold over every generation.
      So a journalist or activist can now have some real fun. Create vast investigations on one device and look up government documents, hint at meetings with a few gov informants or contractors who reached out to pass on paper files. Read up on whistleblower protections and the private sector, the private sector with gov contracts. Seek out law firms with security cleared staff who can take on such issues. Create huge lists of contacts that are only hinted at on that device. Hints about other agencies, funding... documents.
      Pack lots of fiction in and make the junk crypto become a chore to any intelligence service or contractor who actually has to extract and read it all :)
      A real human has to wade into all that effortlessly collected data, so make the haul impressive and add some fictional depth.
      Get a voice actor with an older voice who can invoke doubt about their decades in gov, mil to create the other party to conversations every so often too so the mic malware gets some use. Wander around the right parts of a city to make a meeting with a gov worker or contractor seem possible to any mapping or tracking software.

      --
      Domestic spying is now "Benign Information Gathering"
    16. Re:I"m safe! by guises · · Score: 1

      This was a proposed solution for the spying on Android - instead of trying to block permissions, just give a fake location and fake credentials, fake contacts, etc. Most MOD makers rejected this though, for fear that it would make Google angry. Maybe it's time to return to this option.

    17. Re: I"m safe! by Anonymous Coward · · Score: 1

      Suicide by NSA? It might work, but why try?

    18. Re:I"m safe! by AmiMoJo · · Score: 1

      You can deny individual permissions on Android since Marshmallow, or before if you had Cyanogen or another ROM that supported it (my phone shipped with Cyanogen).

      The stock calculator and every one I've ever downloaded needs zero permissions. If you look at the reviews on Play, apps that want excessive permissions get negative ratings and developers usually justify each permission in the description.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    19. Re:I"m safe! by AmiMoJo · · Score: 2

      Privacy Guard supports this. Apps get fake data, usually stuff like "user has 0 contacts" or "GPS location not available at this time". You can enable logging on a per app basis. Many phones ship with it built in.

      There is also the separate system from Marshmallow onwards that lets apps be aware of when they are being denied. You can use Privacy Guard instead if you want them not to know that you denied them for some reason.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    20. Re:I"m safe! by Anonymous Coward · · Score: 0

      One look at my wannabe crackberry with a qwerty and i'm free as I can be from envy...and from prying eyes. I'm safe too!
       
      Today's captcha is programs like the ones the NSO sells.

    21. Re:I"m safe! by Anonymous Coward · · Score: 0

      No, you're not. Just because your private stuff isn't on a smartphone only means they won't use that to spy on you. If they can hack iPhones over the air you can rest assured they can hack your PC, too. And if they're really desperate, they'll just break into your house and physically take whatever they need.

    22. Re: I"m safe! by AHuxley · · Score: 1

      Re "It might work, but why try?"
      A gov would work out it's all one way, on one device rather quickly. Think of it more as desensitisation to the words, terms, movements, talks. Fictional work by an author is not a very interesting person needing a team of 6-12 gov agents tasked on them or even the cost of long term digital tracking.
      That's really the fault with the domestic modern collect it all vision the NSA has totally sold its 5 eye supporters on over decades.
      Humans tasked with looking at an entire nation's population are going to have to make some quick selections to find interesting people given the teams needed to cover so, so many other interesting people wandering around.
      One consumer grade account being totally overloaded with digital fiction could allow a member of the press to focus on their real work. 150 complex fictional stories are waiting to be sorted or the account set as having been investigated and found to be fictional.
      A hint of a small amount of data found and the gov is very interested, just the right amount and the gov stays interested, a dump of fiction that clogs up the neat tracking database and a few contractors (buddy system now) have to fix things..
      Vast domestic spying networks have to be able to take fictional errors into account, so why not induce that finding :)
      Get that account listed in with the wider confederation of basement-dwelling loners.. i.e. well away from the interesting people lists.

      --
      Domestic spying is now "Benign Information Gathering"
    23. Re:I"m safe! by NotAPK · · Score: 1

      "Nothing on it is encrypted. NOTHING."

      But that's the point: there's nothing on it.

      Also, the user doesn't trust it because they know that it's not encrypted.

    24. Re:I"m safe! by tburkhol · · Score: 2

      Watchlists and mass surveillance already sweep up more people and information than "they" can follow. They've poisoned their own data set, and there's little need to go out and create a handful of honey pots.

      Those agencies still believe in the myth that big data can pull the One True Terrorist out of a hundred million, if you just give it a big enough data set. They can't. They don't have enough of a positive control population to train their algorithms. The data may be helpful, after the fact, to find co-conspirators, but even that hasn't really worked out so far. If big data really worked, I wouldn't be seeing ads for TVs for a month after I bought one.

      They want the public to believe that big data can identify the One True Terrorist, because it serves the two-fold goals of making the public feel like the government is keeping them safe and serves as a deterrent against organizing or conspiring. All of the "you can't trust your devices" paranoia furthers these goals.

    25. Re:I"m safe! by Anonymous Coward · · Score: 0

      Apple surely has a few million in loose cash to get security experts to give them the heads up that law enforcement has a backdoor on their flagship product(s). Strange how Russians in Pattaya are still flogging 'fixes'.

      Apparently NOT. Shame on Apple. Going on 5 years double shame.
      We have gone backwards in standards to the time when peeping tom journalists thought listening in on the Queen / Lady Di or the British PM was 'acceptable' . For a premium product, an 'F' for security is not good for shareholders.

    26. Re:I"m safe! by e70838 · · Score: 1

      The dumbphone is more secure because it contains almost nothing. IMHO, we need dumbphone with good battery, good 4G and excellent tethering.

    27. Re:I"m safe! by Anonymous Coward · · Score: 0

      "most dumb phones are even easier to trace and follow"

      That is why every spy or criminal with any sense uses burner phones with one time use SIMs.
      Never call more than one number from any given SIM. Destroy the SIM and phone and discard separately after each call. Never send emails, just leave a draft message in the shared email account. Dead drops are safer.

    28. Re:I"m safe! by BlueStrat · · Score: 0

      Those agencies still believe in the myth that big data can pull the One True Terrorist out of a hundred million, if you just give it a big enough data set. They can't. They don't have enough of a positive control population to train their algorithms. The data may be helpful, after the fact, to find co-conspirators, but even that hasn't really worked out so far. If big data really worked, I wouldn't be seeing ads for TVs for a month after I bought one.

      Those agencies, at the top levels, never believed any such thing. It was never designed nor intended to catch "terrorists". That was just the cover story.

      What it *is* ideal for is domestic surveillance (and blackmail) of journalists, activists, ideological/political opponents/candidates, parallel-construction, and planting evidence (at least, as long as they still bother with things like trials and evidence).

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    29. Re:I"m safe! by houghi · · Score: 1

      No, we do not need that option, because it means we agree with what is going on. Can it be used as a workaround? Sure. And how do you know it is not still sending the real info? What we need is:
      a) a way to turn it off if we so desire.
      b) having it off by default,
      c) Only usage within the domain, so no sales of the data. No usage of Google data for Youtube.
      d) Insight in what they are doing with the data
      e) ability to remove the data (not just hide it)
      f) limited time that this information can be stored

      If that is too hard for them then boo-fucking-hoo.

      Will this ever happen? No, because our data is way more valued than we are.

      --
      Don't fight for your country, if your country does not fight for you.
    30. Re:I"m safe! by coolsnowmen · · Score: 1

      Sounds like a good option to have for diagnostics but it's not an option I would want to put in front of the average user.

      Stop doubting your fellow man. Give them the option, just don't make it easy to shoot yourself in the foot.

    31. Re:I"m safe! by amiga3D · · Score: 1

      The funny thing is that snail mail is probably more secure than a cell phone. The lazy fuckers have to get off their asses and actually go get the mail, open and read it. I bet they don't even bother. I wonder what they'd think if you had a modem and simply set up an encrypted BBS for communication? All sorts of tricks you can do if you think about it. Almost anything is better than a cell phone.

    32. Re: I"m safe! by BellyJelly · · Score: 1

      Is it possible to use LXC containers in an Android kernel? Containerise the app and control its access. Maybe use that to allow the presentation of multiple different address books to different containers so that Facebook only gets to see the contacts you actually use Whatsapp to talk to. Feed fake location data to other apps so they think you are in Antarctica.

    33. Re: I"m safe! by Anonymous Coward · · Score: 0

      Even dumbphones have details of your contacts, a rough idea of your location, and a microphone. Many have a lot more than that. And they all run on multiple closed-source layers of firmware, with no encryption or sandboxing, that never ever get updated.

      That's the very opposite of "safe".

    34. Re:I"m safe! by Anonymous Coward · · Score: 0

      An app like this exists already, it's called Xprivacy permission manager, but it requires root permissions, which are, guess what, not provided by default on pretty much all phones.

      Secondly, permission manager is easy. Pretty sure Google is capable of bypassing such a simple solution.

    35. Re:I"m safe! by AHuxley · · Score: 1

      Re "What it *is* ideal for is domestic surveillance (and blackmail) of journalists, activists, ideological/political opponents/candidates, parallel-construction, and planting evidence (at least, as long as they still bother with things like trials and evidence)."
      FIRSTFRUIT tracked the press daily :)
      https://theintercept.com/2016/... (May 17 2016)

      --
      Domestic spying is now "Benign Information Gathering"
    36. Re: I"m safe! by jmcvetta · · Score: 1

      If you're an American, the joke's on you. Ever since CALEA, it's unlawful to sell a phone in the United States that doesn't have hardware level remote surveillance capabilities built-in.

      This particular badlaw was signed by Bill Clinton well before 911. Try to get a copy of the (secret, but leaked) implementing regulations if you can.

  3. 6 years? by Anonymous Coward · · Score: 0

    That we know of.

  4. Vetting criteria by Anonymous Coward · · Score: 0

    1)Has enough money? Yes

    What's for lunch?

  5. Harder to track my foot! by Anonymous Coward · · Score: 0

    A stingray works just as well on a Ipony 17 as it does on a Nexus 20. Or if they had some valid reason (and possibly a court order) they could just get the device's location from the cell provider.

    Encryption protects what's on the phone; it doesn't do a damn thing to protect the device's location.

  6. 1/ to cover a hack, leave cyrillic clues by sittingnut · · Score: 1

    to cover identity, use the well tested fact that western media/'security researchers' are always willing to 'fall' for any and all obvious cyrillic clues left behind, to blame russians on all occasion.
    but don't forget to leave small amount of korean script too. very good for free publicity.

    1. Re: 1/ to cover a hack, leave cyrillic clues by Anonymous Coward · · Score: 0

      Ha we don't even need proof to blame the Russians. If we blame them enough eventually we'll be right.

  7. CFAA? by whoever57 · · Score: 2

    How is using this software not illegal under the CFAA?

    --
    The real "Libtards" are the Libertarians!
    1. Re:CFAA? by Anonymous Coward · · Score: 0

      Who is going to prosecute the offenders? -PCP

    2. Re:CFAA? by dead_user · · Score: 1

      U.S. law, Israeli company. I would assume they wouldn't have to follow U.S. law.

    3. Re:CFAA? by Desler · · Score: 1

      This isn't an actual serious question, right? You aren't really that naive, are you?

    4. Re:CFAA? by whoever57 · · Score: 1

      U.S. law, Israeli company. I would assume they wouldn't have to follow U.S. law.

      Yes, I understand that. However, the USA has extradited people from abroad for breaking into computers based in the USA. Also, some of the users may be in the USA.

      --
      The real "Libtards" are the Libertarians!
    5. Re:CFAA? by whoever57 · · Score: 2

      This isn't an actual serious question, right? You aren't really that naive, are you?

      No, it was a rhetorical question, designed to show how f*cked up things are in the USA.

      --
      The real "Libtards" are the Libertarians!
    6. Re:CFAA? by Desler · · Score: 1

      Right. Because governments and police agencies in other countries don't do the exact same thing.

    7. Re:CFAA? by amiga3D · · Score: 1

      Welcome to the New World Order. Hope you like it.

    8. Re:CFAA? by Anonymous Coward · · Score: 0

      How is using this software not illegal under the CFAA?

      Have you actually READ the CFAA, or even the Wikipedia version?

      I thought it was common knowledge there was no general "they broke into my computer" law like digital trespassing.

      Pretty sure even those scary looking login banners have been debunked long ago.

    9. Re:CFAA? by Anonymous Coward · · Score: 0

      Like Kim Dotcom and Megaupload didn't?

    10. Re:CFAA? by stealth_finger · · Score: 1

      How is using this software not illegal under the CFAA?

      Ha, like they give a shit what's legal.

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
  8. Only terrorists, kidnappers and drug lords? by haruchai · · Score: 2

    "The industry argues that this spying is necessary to track terrorists, kidnappers and drug lords"

    what about pedophiles? And Jason Bourne?

    --
    Pain is merely failure leaving the body
    1. Re:Only terrorists, kidnappers and drug lords? by Anonymous Coward · · Score: 0

      "The industry argues that this spying is necessary to track terrorists, kidnappers and drug lords"

      what about pedophiles? And Jason Bourne?

      Also permissible surveillance targets, along with Haruchai, EditorDavid, Anonymous Coward, and anyone else who comments on their actions

    2. Re:Only terrorists, kidnappers and drug lords? by Anonymous Coward · · Score: 0

      By the same standard, I think it's safe to say that Israel needs to be on a watch list. Every time Israel is in the news it's about some military or spying technology or about some cold or hot war shit with the Arabs. That country is trouble.

    3. Re:Only terrorists, kidnappers and drug lords? by stealth_finger · · Score: 2

      Israel is always in trouble, they have three highly aggressive neighbors who don't seem to think they have the right to exist (because they're jewish I think is the main reason) and everyone else expects them to play nice and get along.

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
    4. Re:Only terrorists, kidnappers and drug lords? by Anonymous Coward · · Score: 0

      Jason Bourne

      Dammit, why does my name keep coming up on these things!

      Matt Damon is still a good choice.

    5. Re:Only terrorists, kidnappers and drug lords? by Anonymous Coward · · Score: 0

      OK, you toe the party line. Can you adapt it to the current discussion too? Is being jewish a valid excuse for selling this attack toolkit? "They didn't like us when we were given their land, so now it's ok to spy on everybody." Something like that?

    6. Re:Only terrorists, kidnappers and drug lords? by stealth_finger · · Score: 2

      I didn't think this had anything specifically to do with jewishness or israel itself. That just happens to be where these guys are. They could be in the US, Russia, China or even fucking North Korea and it wouldn't change the implications too much.

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
  9. Windows 10... by Anonymous Coward · · Score: 0

    Somebody tell me Windows doesn't have the same exploits.

    1. Re:Windows 10... by Gumbercules!! · · Score: 4, Funny

      Windows Phone users are protected from vulnerability in the same way Santa Claus is protected from vulnerabilities. Neither exist.

    2. Re:Windows 10... by zenlessyank · · Score: 1

      I feel like I exist. Feel me and see if I exist. And so does my WinPhone. Security through obscurity.

    3. Re:Windows 10... by amiga3D · · Score: 1

      Oh man. I haven't laughed that hard in ages. My sides hurt.

    4. Re:Windows 10... by Anonymous Coward · · Score: 0

      In Windows 10, they aren't exploits. They're features.

    5. Re:Windows 10... by Anonymous Coward · · Score: 0

      It does not need exploits as Microsoft is already in the business of spying on every user's device.

  10. they call zombie mod by Anonymous Coward · · Score: 0

    minecraft servers are being used to host data using the blocks as binary code, probably as images and messaging.

  11. Article needs fixing by Anonymous Coward · · Score: 0

    "...companies like Apple, Facebook and Google are using stronger encryption to protect data in their systems, in the process making it harder for government agencies to track suspects [WITHOUT FIRST OBTAINING A WARRANT]".

    There, fixed it for 'ya.

  12. Israeli outfit called the NSO Group? by khz6955 · · Score: 3, Insightful

    "Want to invisibly spy on 10 iPhone owners .. That will cost you $650,000, plus a $500,000 setup fee with an Israeli outfit called the NSO Group .. Since it is privately held, not much is known about the NSO Group’s finances"

    In other words a front group for the Israeli Security Service, the same people that have full control of all telephone records in the continental United States.

    NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender

    1. Re:Israeli outfit called the NSO Group? by AmiMoJo · · Score: 2

      It's telling that no government has set up an agency like these guys or the NSA / GCHQ, that is tasked solely with finding zero days and helping companies fix them. They could protect their citizens from the bad guys, but instead they prefer to keep their options open in case they want to make use of these services one day.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Israeli outfit called the NSO Group? by Anonymous Coward · · Score: 0

      In other words a front group for the Israeli Security Service, the same people that have full control of all telephone records in the continental United States.
       

      Please provide some sort of evidence to back up them controlling all telephone records in the continental United States. Also please provide some evidence that this is a front group for the Israeli Security Service. Your own linked article claims this is a private Israeli company which was sold to a San Francisco corporation.
      Without evidence, you're sounding like a Zionist conspiracy theorist here.

    3. Re:Israeli outfit called the NSO Group? by khz6955 · · Score: 1

      There isn't a security company on the planet that isn't hooked into the security services of some nation state. In certain cases the security apparatus of one state is a wholly owned subsidiary of another state's security apparatus.

      Behind the Scenes at the Company Behind the Scenes
      --
      At my fingertips, the zero day is wrapped in code like a Christmas present, then becomes an exploit, the programmatic expression of my will. I live for this shit.

  13. You can have most anyone tracked for a $1.1 MILLIO by raymorris · · Score: 1

    This software is $500,000 setup plus $650,000 per target. So $1.15 million dollars.

    Bounty hunters track down bail jumpers for $250 (if they're easy and for $5,000 if they're hard. ($50-$100/hour isn't bad for someone without a degree).

    If someone is willing to spend over a million dollars tracking you, you'll be tracked. A million dollars will hire ten private investigators for a year.

  14. shit by Anonymous Coward · · Score: 0

    I need a new mouse also because the infrared is a iot to my smartphone...

  15. Re:You can have most anyone tracked for a $1.1 MIL by Anonymous Coward · · Score: 0

    How much do they charge to track down anti-lisp terrorists who write with unbalanced parentheses?

  16. Re:You can have most anyone tracked for a $1.1 MIL by tlhIngan · · Score: 1

    This software is $500,000 setup plus $650,000 per target. So $1.15 million dollars.

    Bounty hunters track down bail jumpers for $250 (if they're easy and for $5,000 if they're hard. ($50-$100/hour isn't bad for someone without a degree).

    If someone is willing to spend over a million dollars tracking you, you'll be tracked. A million dollars will hire ten private investigators for a year.

    I suspect that's because of the relative difficulty in breaking iOS. There are a lot of flaws in it, but it's very hard to exploit in a way that's repeatable and without user interaction. Which is why iOS exploits cost a lot of money. If you're using this for Android, you're really wasting a lot of money (Android flaws are practically a dime a dozen).

    Apple's $200,000 bug bounty is probably 1/10th of what people are willing to pay for iOS exploits, which they re-sell at high prices for services like this.

    And to be honest, you are probably right - it's cheaper to just do gumshoe tracking of an iPhone user than to actually hack into an iPhone to track said user.

  17. Not sure if ... Also, not even most secure iOS by raymorris · · Score: 2

    I'm not sure if you're a fan saying "best team ever", a troll, or just very misinformed.

    If you're a big fan of Apple, that's cool. Your quarterback is the best ever. Steve Jobs was a genius. Beat the hell outta Microsoft! Stop reading here if you're a big Apple fan.

    If you're trolling, you're late. Try getting in right when the story is posted for best results.

    Lastly, I've been doing network security full time for nearly 20 years. Apple's iOS doesn't -completely- suck for some aspects of security. Convenience is of utmost importance with Apple iOS, though, and there are always compromises between convenience and security. Apple's iOS is not even the most secure iOS. Cisco iOS is safer. Cisco iOS basically runs the entire internet, that's how much it's trusted. (But even it isn't perfect.) If we wanted to expand to operating systems not called iOS, many are more secure.

  18. Re:an Israeli outfit by Anonymous Coward · · Score: 0

    The nations surrounding Israel are populated by large numbers of people who, to put it mildly, strongly dislike Israel. It should not come as a surprise that the Israelis place a strong emphasis on intelligence acquisition technologies. -PCP

  19. Attention Slashdot Editors by Anonymous Coward · · Score: 1

    It's "malware", not "a malware".

  20. NSO, read more by Anonymous Coward · · Score: 0

    https://wikileaks.org/hackingteam/emails/?q=NSO&mfrom=&mto=&title=&notitle=&date=&nofrom=&noto=&count=50&sort=0#searchresult

  21. I'll bore them to death by ITRambo · · Score: 0

    Anyone listening to my calls or texts deserves the death by boredom that will happen to them. Fuck all you spy agency assholes.

  22. How to make NSO's job difficult by hwstar · · Score: 1

    Let's see... If I was a terrorist, I'd have a pool of 100 or so smartphones ready to be cloned from a virgin image. When one needs to use a phone for a mission, I'd pull one randomly from the pool, install the image, and a never-used, new SIM card, and give it to the operative. When they are done with a mission, I'd wipe the phone, and return it to the pool.

  23. TELL ME AGAIN: WHY SHOULD I HAVE A SMARTPHONE? by kheldan · · Score: 1

    I'm the guy who keeps saying: "So-called 'smartphones' have more holes in their security than a Swiss cheese or a colander, why the hell would I ever want one!?" and then I get called a 'Luddite' and any number of other names for not adopting such shitty technology -- regardless of the fact that practically every single day I read about yet another exploit someone discovered that can be used to take total and complete control of any smartphone. Then there's this story, which just confirms everything I've been seeing and saying all this time, and puts the final nail in the 'smartphone' coffin; why the ACTUAL FUCK would I want one of these gods-be-damned things, when it apparently is child's play for any large corporation or government to slip a total spyware package into the gods-be-damned thing, and not only access everything on the phone, but watch and listen to every damned thing I do and track every single step I take, 24/7/365?

    Oh, HELL NO.

    I will never, never, EVER own a gods-be-damned 'smartphone', now or ever. I'd rather have NO cellphone and go back to using a landline and an answering machine, before carrying around something that's only one step removed from the monitoring anklet the cops put on people under house arrest.

    Seriously, people: WHY DO YOU STILL HAVE ONE? Get rid of it. You don't NEED it. Get the cheapest dumb phone and leave it at that!

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    1. Re:TELL ME AGAIN: WHY SHOULD I HAVE A SMARTPHONE? by Anonymous Coward · · Score: 0

      You're assuming the dumbphone isn't also pwned. Or that the network itself isn't pwned. Or that your smart TV isn't pwned. Or your cable box isn't pwned. Not that I disagree with you, most days I simply want to move out to the woods, away from the whole satanic lot of it, get myself a landline and a great big TV antenna (for my 1980s-era CRT TV), and spend my days whittling wood.

      The problem is that until the day comes where I am independently wealthy or self-sufficient enough to do so, I have to live in a city and have a job. That requires me to have a smartphone. And unless I get rid of all the other devices in my home, my car, my city that are already spying on me, the smartphone is just one little part of how badly I'm fucked. Mind you, I don't think anyone would spend a good nickel (let alone a cool million) to get to my data, but you're right. Today you're never really alone-and it sucks.

      The only way to escape is to go off the grid, which I'm not capable (is anyone?) of doing on my own. Because even worse that modern society is designed to make sure I have no real survival skills, is that even if I did I would somehow have to pay tax on any land I own so even if I could sufficiently hunt, fish, and build shelter to survive, I'd still need money to pay property tax to continue to live on the land I owned or be able to be forcibly removed off of it by men in black uniforms with machine guns.

      So if the end result of any scenario is having the end of a fascist authoritarian's rifle pointed at me, I might as well just enjoy my creature comforts until they come to take me away for wrong-thought.

    2. Re:TELL ME AGAIN: WHY SHOULD I HAVE A SMARTPHONE? by kheldan · · Score: 1

      I have the dumbest of dumbphones ($50 retail price). First sign it's been compromised? I consider going back to a landline.
      I don't own a 'smart TV' because I'm not stupid.
      I don't have cable, I have an antenna, so no cable box or satellite box.
      I can't control the phone network or the internet. If I ever need a job above dishwasher at a Mexican restaurant I need those (unfortunately!) but I don't use my real name online anywhere I can get away with it -- and I DO NOT use 'social media' of any kind because IT IS A TRAP.
      I don't talk about or text or email anything seriously sensitive and everyone I know knows better than to do so with me. They all also know how much shit will come down around their ears from me if they post pics of me online anywhere, so they know not to do that (or else!). I don't participate in 'rewards card' programs because that just gives them consent to track my purchases in a very personal way. I pay cash everywhere I can and am always looking for ways to do it more. I don't give my name, address, phone number, or email address out anywhere I can possibly avoid doing so. I'm doing EVERYTHING I CAN to preserve as much of my privacy and private life as I can -- and I do everything I can to Hide In Plain Sight. But it's getting harder and harder EVERY year. There's either going to be a Revolution, or I'm going to be Ted Kaczynski sans explosives and psychosis.

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
  24. hahaha jokes on you by Anonymous Coward · · Score: 0

    I use a Windows phone!!!!!!

  25. On why we should assume systems are compromised by Paul+Fernhout · · Score: 1

    By me: http://pdfernhout.net/why-encr...
    "I believe decentralized knowledge sharing is important, especially for disaster preparedness. I also believe encryption is important in practice, the same way as many people have locks on their doors. Such things do affect a balance between state power and individual power, which is important in a democracy, and they also make it harder for vandals and criminals to operate. So, a project like Briar that supports decentralized communications and encryption is important for those and other reasons. Still, as my father (a machinist among other things) used to say, "Locks only keep honest people honest." Here is a partial list of all the ways a tool like Briar can fail when being used by activists engaged in controversial political actions. ..."

    --
    A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.