Apple emergency patches fix zero-click iMessage bug used to inject NSO spyware Apple on Monday issued security patches for its mobile and desktop operating systems, and for its WebKit browser engine, to address two security flaws, at least one of which was, it is said, used by autocratic governments to spy on human rights advocates. A day before the iGiant is expected to announce the iPhone 13, it …
Nicola Sturgeon should take note, there are going to autocratic governments much closer to home, wanting to know her plans for Scottish Independence, in the coming months. How often will GCHQ's defining words 'in the national interest', as in - in national (UK) interest be used to authorise device surveillance hacks, should be the question on everyone's mind, north of the border.
London/Westminster has been controlling/manipulating Scotland for years, the idea they'll give that up, let democracy take its course, without using every software tool at their disposal, is somewhat doubtful. Underhand use of digital technologies is here to stay. After all, it's now ingrained in UK law, as 'lawful', and here lies the problem for Scotland.
Perhaps Scotland should remember why they originally joined the UK rather than complain about the "controlling Westminster Government" - especially when they want to leave it to join the even more controlling EU!
Note: I have ties to Scotland and was against Brexit.
The UK left the EU of its own accord on a 52%/48% (of those that voted) advisory referendum.
The UK government said a few weeks ago that there would need to be sustained support in polls of over 60% over "a reasonably long period" for Scotland to have a referendum.
So which is more controlling again? The UK isn't a union of equals (as it wasn't in 1707).
I think the problem is that the whole remain campaign (and certainly David Cameron) assumed Remain would win. That's probably why Cameron didn't specify a limit for the referendum. He didn't think of it because he thought that once they got the referendum they were asking for, and lost, the Tory Eurosceptics would shut up.
The problem is, they didn't lose, and even when the remain campaign started fighting, they fought with facts. The problem is facts, while often correct, don't engage people's emotions as much as a good bit of lying. Put simply, the leave campaign said "Stuff is broken, we will fix it" (as did Trump in 2016), which engages people's emotions far more than the simply stating that the other campaign is wrong, and things are generally OK, which is what the remain campaign did in this country and what Clinton did in the US. Even if you are telling the truth.
I have a fair few Irish friends, and not one to date has ever said in conversation, the EU was controlling, funny that? If anything, the EU had Ireland's back during Brexit negotiations. Yet, bring up the topic of past British rule in Ireland, it is still a bitter pill to swallow.
Westminster regards Scotland has always been very controlling. Try living in Scotland for a few years, just on a pure practical level, you'll soon realise Scotland shouldn't be run from Westminster.
Not only should Scotland arguably not be run from Westminster, as a Highlander I'd argue it shouldn't be run from the Central Belt either. Folk down there have hardly a clue about the practical side of life in the Highlands but talk as though we're all one happy family!
And? We're the biggest offshore tax haven and funny money laundrette off the coast of the EU. Channel Islands? Paleese! Gibraltar. Come on now. Cyprus? *gives you a pitying look*
The City of Westminster and the City of London is where it's at. All those pretty modern highrises? *Not* owned by Brits, and likely not even *lived in* by Brits. No... they're all owned by random limited companies with controlling interests elsewhere, with again controlling interests elsewhere until at the end of the rabbit hole an Eurasian or African person with connections to <insert despotic tin pot "republic"> pops up.
You might want to read about how much dirty money washes through the great laundrette that is the London property market in a year...
Old dead WebKit has killed mountains of iPhones and iPads. Apple leaves behind older kit and the browser just crashes on modern web pages. Forbid other browsers web engines and the ithings become useless. But also browser lock-in is vulnerability lock-in for up to date devices too. Any good AV for iOS anyone? Bask in Apple’s love.
"Our latest discovery of yet another Apple zero day employed as part of NSO Group’s arsenal further illustrates that companies like NSO Group are facilitating 'despotism-as-a-service' for unaccountable government security agencies," Citizen Lab researchers said in a post on Monday. "Regulation of this growing, highly profitable, and harmful marketplace is desperately needed."
What is the reason, in the case of the above not being fake news, the NSO Group and its backers are not proscribed as a terrorist organisation by the US and its allies? If it were a Russian or a Chinese or a Taliban or an emergent stateless organisation responsible for such activities, you can be sure Uncle Sam would be proclaiming that to all and sundry in a flash.
My dear AMFM, the rules of the game are very clear.
If you attack civilians with bombs or guns, you are a terrorist. If you make the bombs or guns used by the terrorist, you are a respected member of the "Defence" Industry. And so it is with spyware.
NSO can, and are, using the same defence as Smith & Wesson, Remington, Glock and everyone else in this business. "We just make the tools". The odds of Uncle Sam, in particular, chastising arms manufacturers are lower than the surface temperature of your home planet.
Those are the old misguiding rules, Androgynous Cupboard. Play by them at your peril for the price exacted for not being bang up to date with regulatory changes is similar to that suffered by software and captivated clients running on ancient hardware with pathetically slow and limiting processors/chips/computers.
Such an advance though is perfectly normal and fully to be expected and lauded for it confirms and announces progress has been made rather than it being thought hindered and/or halted.
Here is news of a General who recognises the catastrophic deficit in UKGBNI Command and Control of Future Fields and would welcome what is no less than absolutely necessary outside of military command help ....... https://www.nationaldefensemagazine.org/articles/2021/9/14/ai-edge-computing-top-priorities-for-uk-strategic-command
However, the abiding difficulty one may experience is that the extremely strange and fundamentally novel nature of such as are now certainly the most powerful and energetic of leading theatres of executive and populous engagement results so oft in news of the necessary help being free available from home sources being dismissed thusly ......
Thank you for expressing an interest in AWE 20. The paper sift has now been completed.During the paper sift stage of the project each product was marked on its own merits by a team of Military and MOD personnel as well as engineers from DE&S. It was decided as a panel that AWE 20 would not be the right trials arena to test and understand the technology. As I’m sure you can understand we have a limited time to investigate a wide range of products from a wide question set and as such the panel had to ensure that AWE was the most appropriate arena to test the products. Products such as yours will be passed onto relevant project teams / TDUs to ensure awareness of the product is raised and I would encourage you to attend the VIP day to gain further exposure for the technology.
The clear and present danger then, should such be a persistent situation, is that leading technology is engaged and employed and developed further beyond the reach of home based teams by switched-on foreigners/Savvy SMARTR Competitors for such as may very well be new knowledge abhors a vacuum and will naturally migrate to where it is appreciated and where reward can be enjoyed.
And anonymous dumb downvotes on the matters revealed here are indicative of the problem.
howdy, Doc,
the only problem of the English-speaking downvoters is that they think they can speak English as well as you do... well, your own version of it has a bundle of a mysterious, airy swifty touch of a surreal upgrade... they must read more Shakespearean writings, maybe. keep IT up, and thank you. the Dolphins are getting back. pity noone's to pray for letting me see them rush down the Waters kinda right out of the Blue. though i hope i will (-:
no hennessy badge? alright, beer then
This is where I'd rather see Apple engineers spend their image scanning powers on.
Now that the vulnerability is known, it is easy to implement an algorithm that identifies malicious files exploiting this vulnerability. No need to train an AI or anything.
Apple could run that algorithm on all images stored in the iCloud, and potentially also on handsets. This would immediately turn up all iThings that are or were compromised using this exploit today or months ago, and help us identify a lot of other NSO customers.
It's a good point to highlight. In effect, the same technology could be used to weed out those undermining the democratic process by attempting to inject such compromises, by joining up the metadata, but then that's not in line with Apple's own controlling methods at heart.
But it shows how such scanning technology can be used for whatever Apple decide (or local law decides) is important in the scheme of things. In effect, it shows how easy it is to play God with such tools.
Every device from the 6S onwards is compatible with iOS 14. If you're still using an iPhone 5S it came out in 2013 and the iPhone 6 was 2014. You can ditch Apple if you like but you'll likely find Android devices get even shorter support times (I'm still bitter Google dumped support for their Nexus 6 after just two years).
Apple supports its iDevices for far longer than any Android manufacturer. Take the iPhone 6s as an example. Launched September 2015 and it's still on the list of phones compatible with the yet to be released iOS 15. That will see its service life extend well into 2023 and possibly beyond.
Show me an equivalent Android device with an 8+ year life!
If Apple had really wanted to fix this years ago, since NSO started operating, they would have offered something like $10 million dollars bounty (a trivial amount for a company with hundreds of billions of dollars in cash laying around).. sufficient to induce any one of the hundreds of engineers at NSO with access to their repositories/knowledge of the exploit, to jump ship and flee to the USA to collect it. That they didn't speaks volumes about how serious Apple are about security.
A glaring gap in iOS is that it still, 12? 13? years down the line, doesn’t have any sort of iMessage/SMS filtering or whitelisting capability.
I am plagued by an incessant bombardment of crude/nasty/offensive/stupid spam texts. Apparently the scammers think my name is either Fred or Ramon. Their latest campaign consists of impersonating my carrier, with oh-so-convincing pleas along the lines of “Free message from At&t: Ramon, thanks for paying your bill, we want to give you $617.37 as a thank, please click ://dodgy-url.cn/randomstring to claim”.
Come on apple. Simple keyword filtering, that’s all I ask. There are tribes of tree-dwelling bonobos in the Congo that have figured out how to do that, I’m sure it’s not beyond the wit of a trillion-dollar tech company…
It’s 2021, and apparently, some bonobos are able to search for a near-definitive answer to life’s complex questions, such as, “Does iPhone allow SMS filtering…?”
On iOS/iPadOS:
Settings ➡️ Messages ➡️ Unknown & Spam
https://duckduckgo.com/?q=iphone+sms+filter&t=ipad&ia=web
Every vendor is going to tell you their platform is secure. It's a given. What worries me is the confidence of the Apple faithful that the statement is true. It's good to be cautious, but it seems that most of the Apple faithful are not, because they believe that all iThings are 100% secure.
If a vendor advises you to run some sort of malware protection then they are telling you to be cautious. So if you took a kicking and you didn't have any malware protection then the vendor could argue with some credibility that it was your own fault for not using protection. If you took a kicking and you did use malware protection then the vendor could argue that the malware protection provider was at fault. The Apple approach of telling all their users that there's no need for malware protection is surely flawed.
If somebody were to try to sue what would their defence be? They can't say you should have used protection, they are the ones who told you it wasn't necessary after all. And if you did have some sort of protection installed they couldn't blame the vendor of that app because they'd told you such an app was necessary.
The biggest protection against being pwned is not a secure platform. It isn't malware protection. It's caution and the actions and configurations that result from that.
But the scary thing about this vulnerability is that you don't need to open an attachment to get pwned. Any sensible person will have their messaging app to only accept messages from known contacts. That same sensible person will, through an abundance of caution, choose not to open attachments even from people they know unless they can verify the attachment is valid. But even with that reasonable level of caution you wouldn't have been protected in this case. Really what sort of developer thinks it safe to download and activate an attachment even if the end user hasn't told the app to do so?
In this case it could p-o-s-s-i-b-l-y be argued that (ISTR) Steve Jobs warned against the use of Adobe software on Apple products. However the fact that pdf's are supported on Apple products means that get-out card is no longer valid.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
