"on the side of angels, albeit deeply misunderstood"
Wasn't Lucifer himself an angel once, and now has a bit of a PR problem?
The Hacking Team pushed out a new statement on Wednesday, moaning that the only victim of the mega-breach against its systems is Hacking Team itself. Eric Rabe, the firm's chief marketing and communications officer, complained that the controversial outfit is “being treated as the offender, and the criminals who attacked the …
They're good contenders, but there have been a couple of whoppers regarding Snowden and aftermath, Apple's ebook "misunderstanding of terms", and various others that are right up there with the Hacking Team's effort at ... damage mitigation.
I propose we call the phenomenon BBS (Burnt Bum Syndrome) and measure it in BAUD (Belligerent Arguments Under Distress)
Well, the choice of unit really depends on what is being measured - is it the hand-wringing and pleading and bullshit PR damage control or is it the scale of the offence that has been discovered?
On the second measure, this one rates quite high, to the point where calling it a 'Rabe' would perhaps be unwieldy as nearly everything must be expressed as a fraction of the whole unit - much like a Farad being rather too large for everyday usage.
Thus, Facebook's frequent land-grabs of personal content would rate about 50 millirabes, it being something people are largely entering into of their own volition. Perhaps a 'Schmidt', in honour of how much data Google hoovers up about everyone - even when you have told them to stop.
In terms of the former metric - the 'PR' response - the 'Rabe' might be a good measure but I think a 'Zuckerberg' may well be a good option as they are very much used to explaining things as just a 'misunderstanding' - nothing dodgy is going on, really.
So, I would estimate that Hacking Team is currently at about 20 kSt (kiloschmidts) and 5 Zb - rounding for simplicity.
But this is cumbersome; what's needed is a measurement to represent the level of farce.
Utilising our units, above, we can propose the Whisper, which represents the amount of straining of public belief that results from a breach of 1 St, being forcefully decelerated through a PR filter of 1 Zb.
Thus, Hacking Team are currently outputting an estimated 100 kWsp.
At that level, the bullshit is visible from the moon on a clear day below and with a cheap pair of binoculars.
Reading this man's words, it takes a supreme effort not to vomit.
So, their software is not a 'weapon'. Okay, let's run with that for a moment.
The thing about 'weapons' is that they are usually at least somewhat obvious. If you supply a nation's police force with sidearms then, when they use them, it's known. You can't deny that your officers have guns because anyone seeing them on the street will be able to look at their hips and see the weapon.
If they draw the weapon, you know about it, and if they use it against someone, that, too, is generally known.
So let's compare that to the 'tools' supplied by Hacking Team.
In complete contrast with 'weapons', these 'tools' are supplied confidentially, without the knowledge of the people. Their existence is not admitted and is not readily able to be discerned. Moreover, when these 'tools' are used, they are used silently and secretly, hidden from the people they are used against.
So, fine - let's agree that the 'tools' developed and sold by Hacking Team are not 'weapons'. I am comfortable with that.
So let's now investigate the nature of these 'tools'.
The best analogy I can think of at the moment is to imagine (not very hard at the moment) a flaw in the software of cars that caused the brakes to be applied when the pedal was not pressed. Now imagine that that flaw was found by someone like Hacking Team and methods to exploit it were developed and then sold to law enforcement agencies, who were very keen to get their hands on some 'tools' to help them stop police chases.
To them, these 'tools' were, of course, 'necessary' and were justified because they 'helped save lives' and preventing access to these important 'crime-fighting tools' would only result in more danger to officers and reduce the safety of the public.
But here's the rub - even if we truly believe that these 'tools' were only sold to the most ethically upstanding institutions who, in turn, only used them in the most ethically justified situations and only after the most rigorous scrutiny and vetting and approval, the tools being used are not the whole picture.
Why? Because they only work by exploiting vulnerabilities and those vulnerabilities exist however careful you are with the dissemination of those exploits and however ethical you are in their application. They are there, and their existence is a risk for anyone making use of the software - in the case of our analogy, to anyone driving one of the cars affected.
So, imagine that this vulnerability in the braking software causes some random issue where a car suddenly brakes, in heavy traffic on a freeway, causing a pile-up of a dozen or so cars, resulting in great delays for huge numbers of people, many injuries and a few deaths.
The software developed to exploit the vulnerability in that software is not the cause - the underlying vulnerability is. But to know about this vulnerability - and not only that but to have researched it and tested it and understood it enough to know exactly how it might be triggered - but to not tell the manufacturer? I don't understand how that can fit any definition of ethical.
And to then bleat on about how what you are doing is necessary to protect people? Well, that is just an astonishing level of self-delusion at best or, more probably, outright lying.
But that is, again, assuming that they really do sell only to ethical institutions and their software really is only used for ethically-justified purposes in an ethically-guided fashion.
And that is something that, frankly, I doubt even they believe.
We now have a very real-world equivalent in the form of the Fiat-Chrysler 2013+ models, with the Fiat engine, that allows wireless remote control of the brakes, power-steering, etc. The POC is to be demoed at BlackHat next month. You can do some serious evil with that.
It seems that a Black-Hat actually has better moral sense than HT. Curious that.
"complained that the controversial outfit is 'being treated as the offender, and the criminals who attacked the company are not'."
Well Boo fucking Hoo.
Is this guy really so deluded to not see why he is being treated like the villain by people who find his behaviour reprehensible (even if it is technically legal)?
He is a disingenuous turd-bot that's out of control.
NSO Group told European lawmakers this week that "under 50" customers use its notorious Pegasus spyware, though these customers include "more than five" European Union member states.
The surveillance-ware maker's General Counsel Chaim Gelfand refused to answer specific questions about the company's customers during a European Parliament committee meeting on Thursday.
Instead, he frequently repeated the company line that NSO exclusively sells its spyware to government agencies — not private companies or individuals — and only "for the purpose of preventing and investigating terrorism and other serious crimes."
Spyware developed by Italian firm RCS Labs was used to target cellphones in Italy and Kazakhstan — in some cases with an assist from the victims' cellular network providers, according to Google's Threat Analysis Group (TAG).
RCS Labs customers include law-enforcement agencies worldwide, according to the vendor's website. It's one of more than 30 outfits Google researchers are tracking that sell exploits or surveillance capabilities to government-backed groups. And we're told this particular spyware runs on both iOS and Android phones.
We understand this particular campaign of espionage involving RCS's spyware was documented last week by Lookout, which dubbed the toolkit "Hermit." We're told it is potentially capable of spying on the victims' chat apps, camera and microphone, contacts book and calendars, browser, and clipboard, and beaming that info back to base. It's said that Italian authorities have used this tool in tackling corruption cases, and the Kazakh government has had its hands on it, too.
Spyware vendor Cytrox sold zero-day exploits to government-backed snoops who used them to deploy the firm's Predator spyware in at least three campaigns in 2021, according to Google's Threat Analysis Group (TAG).
The Predator campaigns relied on four vulnerabilities in Chrome (CVE-2021-37973, CVE-2021-37976, CVE-2021-38000 and CVE-2021-38003) and one in Android (CVE-2021-1048) to infect devices with the surveillance-ware.
Based on CitizenLab's analysis of Predator spyware, Google's bug hunters believe that the buyers of these exploits operate in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, Indonesia, and possibly other countries.
Analysis: NSO Group's Pegasus spyware-for-governments keeps returning to the headlines thanks to revelations such as its use against Spain's prime minister and senior British officials.
But there's one nation where outrage about Pegasus has been constant for nearly a year and shows little sign of abating: India.
A quick recap: Pegasus was created by Israeli outfit NSO Group, which marketed the product as "preventing crime and terror acts" and promised it would only sell the software to governments it had vetted, and for approved purposes like taking down terrorists or targeting criminals who abuse children.
The US Immigration and Customs Enforcement (ICE) agency has spent about $2.8 billion over the past 14 years on a massive surveillance "dragnet" that uses big data and facial-recognition technology to secretly spy on most Americans, according to a report from Georgetown Law's Center on Privacy and Technology.
The research took two years and included "hundreds" of Freedom of Information Act requests, along with reviews of ICE's contracting and procurement records. It details how ICE surveillance spending jumped from about $71 million annually in 2008 to about $388 million per year as of 2021. The network it has purchased with this $2.8 billion means that "ICE now operates as a domestic surveillance agency" and its methods cross "legal and ethical lines," the report concludes.
ICE did not respond to The Register's request for comment.
In brief: San Francisco police have been using driverless cars for surveillance to assist in law enforcement investigations.
According to an SFPD training document obtained by Motherboard [PDF]: "Autonomous vehicles are recording their surroundings continuously and have the potential to help with investigative leads."
It indicates that police officers will receive additional information about how to access this evidence, and added: "Investigations have already done this several times."
Comment: Many information security practices use surveillance of users' activities. Logging, monitoring, observability – call it what you will, we have built a digital panopticon for our colleagues at work, and it's time to rethink this approach.
The flaws of surveillance-based infosec are already appreciated. The European Court of Justice (ECJ) recently found that mass surveillance of the population was an unjustified intrusion into privacy, even when the goal is to combat serious crime. Why, then, do we consider it reasonable to implement invasive surveillance to address the flawed computer systems we choose to use?
Does watching staff 24x7 really make things more secure?
Spain's prime minister and defense minister are the latest elected officials to detect Pegasus spyware on their mobile phones, according to multiple media reports quoting Spanish authorities.
During a press conference on Monday, Félix Bolaños, the minister for the presidency, told reporters that cellphones of Spanish prime minister Pedro Sánchez and defense minister Margarita Robles were both infected by NSO's notorious surveillance software last year.
Sánchez's device was breached twice, and Robles' phone was breached once. Bolaños noted that a Spanish judge did not authorize these breaches, meaning "external" groups initiated the espionage.
Someone at least tried to use NSO Group's surveillance software to spy on European Commission officials last year, according to a Reuters report.
European Justice Commissioner Didier Reynders and at least four commission staffers were targeted, according to the news outlet, citing two EU officials and documentation.
The European Commission did not immediately respond to The Register's request for comment.
Google has made changes to its Play Store policies, effectively banning third-party call-recording apps beginning May 11, saying it seeks to stop the use of accessibility APIs for purposes other than accessibility.
Google has for some time blocked real call recording since Android 6, and recording over the microphone since Android 10. Developers have been using accessibility APIs as a workaround to enable the recording of calls on Android.
Accessibility Service APIs are tools that offer additional services that can help those with disabilities overcome challenges. Using these services against their designed intentions, i.e. to achieve a goal not geared at overcoming disabilities, remains the only way for third-party apps to record calls.
Biting the hand that feeds IT © 1998–2022