Pegasus Spyware

Just broke that Pegasus spyware is spreading like fire. Android and IOS are affected. Curious to see how Purism/ garden variety Linux phones handle this.

Can you point us to an article?

There’s a tool to check iOS and Android devices, developed by Amnesty International, I think:

Article about the tool: https://techcrunch.com/2021/07/19/toolkit-nso-pegasus-iphone-android/

This wont even run on Librem5 IMO.

Would be interesting to find any related CVE to get more details.

It’s almost impossible to protect against Pegasus and other government spyware.

The best protection against this type of intrusion is open software (open for inspection). This gives at least the possibility for more eyes (not only four ) to detect the spyware. Yes I believe more in the ability of humans than detection software. The later is also known by the spy organization and avoidance will be developed

I think it is meritorious to consider such possibilities since journalists are a group that may be well dispositioned to try the L5. In fact, the only non-IT people I know that run Linux all happen to be journalists or have a journalist background.

On of the biggest wins here is possibly the inclusion of SE Linux or some other file integrity monitoring tool. For something in the category of Pegasus, there must be changes written to disk at some point. The fundamental issue here is that fall that high endgovernment exploitation, changes must persist in some way. And that means a change, even if it’s a hook, must be performed on disk. But currently, users have little to no insight to what the phone OS is doing in the background and what changes are persisting on disk. And there are plenty of ways to start addressing that.

The Pegasus case is a strong call to action that end users need to have greater insight into the internals on the disk. And yes, that requires instrumentation and education. But for that are in the business of caring because they are in the business of working in serious circumstances, they will either need to acquire that competency either through themselves or a trusted third party.

What we can say for a fact is that the current walled-garden approach delivered by Apple and Google does little to ensure in-flight security of the phone at large. Just analysis at the time of delivery and install for downloaded apps. It would appear that is not sufficient for some lines of work and some lives.

Yes and no. There’s nothing magic about Pegasus. It just exploits vulnerabilities. You protect yourself by not having vulnerabilities. That of course is almost impossible. I believe that at least some of the vulnerabilities have been long fixed. So you at least protect yourself by keeping up to date with your patches.

I don’t know about an actual CVE but Pegasus appears to be being discussed in two topics in this forum and in the other topic NSO Group Pegasus there are some technical details linked to.

So you at least protect yourself by keeping up to date with your patches.

But what about software package managers that push updates for software not being used or related to existing use patterns? The person who knows how to patch what they need to is truly the master!!!

For the diminutive person interested in “personal computing” akin to the “private garden” of quondam times, there are many challenges…

It caught my eye that one of the victims of Pegasus surveillance was Princess Latifa (more formally Sheikha Latifa bint Mohammed bin Rashid Al Maktoum).

This is a really good illustration of how even if a technology is sometimes used for good, governments will inevitably use it for bad as well. Pegasus cost her a few years of her life, for no justifiable reason.

Along these lines (if I may be permitted to abstract for a moment - may I primarily say that I appreciate your reply), I wonder what - practices, knowledge - should be taught about digital technology to improve the chances that it will be used for the good.

Something along the lines: “Every person that works, uses and/or designs digital technology is obliged to read 1984 from George Orwell.”

That’s too funny

Along those lines, also relevant is Huxley’s Brave New World, which is ‘an account of society making use of all the devices available … in order to … standardize the population, to iron out inconvenient human differences, to create … mass produced models of human being’ (as per his own description of the book) .

You need to put a sticker on the cover.
“Caution: Not meant as an instruction manual”

Just musing …

a mandatory, public, independent assessment report of the “what if”?

So before they sell the surveillance software they would have to answer the hard questions about who is going to use it, how it is going to be used and how they screen out the “bad” uses. If it goes pear-shaped (highly likely), at least their failure will be on the public record and they will suffer reputational damage.

That could lead to this kind of software being offered on a service model, so that the vendor retains greater control over their business reputation. However I can see a lot of security agencies getting antsy about that.

Apple is suing NSO Group now. NSO responds with typical “pedofiles and terrorists” excuse:

The pot calling the kettle black

I’ll be curious to see how this plays out. Counts one and two look, to me, to be Apple saying they own the devices and that’s why they have standing to make the lawsuit. I kind of hope there’s more media attention on this point as either Apple owns the devices and should be compensated for device missuse (huge implications here) or they don’t and have no standing to bring forth the lawsuit.
This could lead to an interesting class action against Pegasus from all andoid/iPhone users that were impacted even indirectly…

Count 3 actually looks fairly straightforward, at least from my limited knowledge, as there is really no argument that Pegasus breached the contract. I suspect this count will be settled monetarily with Pegasus saying “yeah we’ll stop doing that” then proceeding to do the same thing but slightly differently. (Count 4 is an alternate to 3 and looks likely to be irrelevant as 3 seems likely to stick).

Let’s get one thing clear up front … both Android phones and iPhones are infected with “spyware” when they come out of the factory.

If this case actually gets a lot of public attention then Apple has plenty to lose - because it will shine a light on a whole lot of murky stuff.

I didn’t read the 22 page filing in detail but just as one example …

Apple claims that

In particular, by registering for iCloud, Defendants agreed that “the relationship between you and Apple shall be governed by the laws of the State of California"

Everyone who actually reads Ts and Cs (for any company, not just Apple, which is noone) would already know that, but highlighting it is bringing out something that is fairly unpalatable to anyone outside the US.

In effect, it is taking any dispute beyond the reach of 99.999% of their foreign customers. If I had my way, foreign governments in jurisdictions with comparably reasonable legal systems would pass a law saying that that condition is null and void for individual customers and that a dispute must be dealt with by a court in the individual’s country. (Hence, as a corollary, business customers are fair game for Apple to drag to court in California.)

In addition, I would suppose that whatever bad things NSO Group has been up to, it highlights the security flaws of Apple products. Rather than whining about it and spending zillions in court perhaps they should take their medicine, fix their bugs, put those zillions towards pre-emptively making their products even more secure.

On top of that, it pretends that there is a distinction between authorised hacking and unauthorised hacking. Sure, NSO Group may be conducting unauthorised hacking, but, Apple, please tell us who the authorised hackers are (apart from Apple itself). Oh, that’s right, Apple is legally prevented from doing so.

I note that the filing claims that

Security researchers agree that iPhone is the safest, most secure consumer mobile
device on the market. Over the past four years, Android devices were found to have 15 to 47 times
more malware infections than iPhone. In addition, a recent study found that 98 percent of mobile
malware targets Android devices.

Seriously? There should be a law against using a filing for marketing (propaganda) purposes.

This would appear to be a pre-emptive strike against the obvious contradiction in their filing i.e. “we are sooooo secure” but “our device got hacked”. Suck it up, princess. You think you are the only one who got hacked this year?

could lead to an interesting class action against Google and Apple for making the devices insecure in the first place. In most categories of goods, that would be called a defective product and the manufacturer would be liable to fix it, and potentially even liable for consequential damages.

Indeed. That would fall into the category of “Apple has plenty to lose - because it will shine a light on a whole lot of murky stuff”.

Sure, we all understand that the relationship between the purchaser of a mainstream phone (“you”) and the manufacturer is an unhealthy, abusive one … but does Apple really want to highlight that?

As a general comment on the whole case, presumably Apple is really claiming that NSO Group is an accessory to whatever hacking crimes might have been committed or at worst a co-conspirator. NSO Group provided the tools - but it wasn’t NSO Group that used the tools. Foreign governments (mostly) did that - and that is another area where Apple might not want to shine light.

Is Apple claiming that if Apple works directly with the foreign government (potentially under legal compulsion) or the foreign government works alone then it’s OK? Many foreign governments have already created a legal framework for this to happen and it applies to Apple as it does to other Big Tech companies. Morally (to me) it makes no difference whether there is a third party involved (in this case NSO Group and, yes, making a profit doing it).

Just having a rant …

This is just my musings on this topic, nothing more.
I’m sure people in other arenas may know of many Linux users in that area. I found that many IT people usual around 40 years old and up, use Linux. The new generation of low-level IT techs seem to have been suckled on a digital phone, taught to spell by OFFICE, and like to stare at Windows.

I shouldn’t talk out of school, for I too am always jumping from Linux to Windows, simply because I know it, it has the tools that are easy to use and I don’t need to learn any O/S programming. I still think Linux wants to compete by being different to users in that it’s OpenSource, free (great price), and well supported. My tenant said he tried Linux but didn’t have the time to learn how and what a sudu is let alone make sure he was allowed. It’s the image Linux holds for it’s fame. IMO. i.e. Great - for geeks.

Government and corporation usually have 2, 5, 10 and 20 year visions. They need to have a good idea of what products will be expected and how easy the product or services adapt to people’s needs. To plan this, they hire consultants and consultants are someone that will tell you the time using your watch. I wonder how long will Linux devices be a consideration for many people before easier out numbers them.

I look around and I see just how attached people are to their devices (AKA leash). They treat their devices like it is their pacemaker and the phone manufacturers and their O/S hold the charger. If only Linux as it is, was as easy to turn on and use just like -that other O/S-

Free does have a price.

=s=

Interesting details:
https://arstechnica.com/information-technology/2021/12/the-secret-uganda-deal-that-has-brought-nso-to-the-brink-of-collapse/

Excerpt:

For example, when Google reverse-engineered the hack used against American diplomats in Uganda, it found an elegant, tiny piece of code that adapted software from 1990s Xerox machines to fit a so-called Turing machine—essentially a complete computer—into a single GIF file.