Pegasus Spyware

Just broke that Pegasus spyware is spreading like fire. Android and IOS are affected. Curious to see how Purism/ garden variety Linux phones handle this.

1 Like

Can you point us to an article?

There’s a tool to check iOS and Android devices, developed by Amnesty International, I think:

Article about the tool: https://techcrunch.com/2021/07/19/toolkit-nso-pegasus-iphone-android/

3 Likes

This wont even run on Librem5 IMO.

Would be interesting to find any related CVE to get more details.

1 Like

It’s almost impossible to protect against Pegasus and other government spyware.

The best protection against this type of intrusion is open software (open for inspection). This gives at least the possibility for more eyes (not only four :wink:) to detect the spyware. Yes I believe more in the ability of humans than detection software. The later is also known by the spy organization and avoidance will be developed

1 Like

I think it is meritorious to consider such possibilities since journalists are a group that may be well dispositioned to try the L5. In fact, the only non-IT people I know that run Linux all happen to be journalists or have a journalist background.

On of the biggest wins here is possibly the inclusion of SE Linux or some other file integrity monitoring tool. For something in the category of Pegasus, there must be changes written to disk at some point. The fundamental issue here is that fall that high endgovernment exploitation, changes must persist in some way. And that means a change, even if it’s a hook, must be performed on disk. But currently, users have little to no insight to what the phone OS is doing in the background and what changes are persisting on disk. And there are plenty of ways to start addressing that.

The Pegasus case is a strong call to action that end users need to have greater insight into the internals on the disk. And yes, that requires instrumentation and education. But for that are in the business of caring because they are in the business of working in serious circumstances, they will either need to acquire that competency either through themselves or a trusted third party.

What we can say for a fact is that the current walled-garden approach delivered by Apple and Google does little to ensure in-flight security of the phone at large. Just analysis at the time of delivery and install for downloaded apps. It would appear that is not sufficient for some lines of work and some lives.

Yes and no. There’s nothing magic about Pegasus. It just exploits vulnerabilities. You protect yourself by not having vulnerabilities. That of course is almost impossible. :wink: I believe that at least some of the vulnerabilities have been long fixed. So you at least protect yourself by keeping up to date with your patches.

I don’t know about an actual CVE but Pegasus appears to be being discussed in two topics in this forum and in the other topic NSO Group Pegasus there are some technical details linked to.

1 Like

So you at least protect yourself by keeping up to date with your patches.

But what about software package managers that push updates for software not being used or related to existing use patterns? The person who knows how to patch what they need to is truly the master!!!

For the diminutive person interested in “personal computing” akin to the “private garden” of quondam times, there are many challenges…

It caught my eye that one of the victims of Pegasus surveillance was Princess Latifa (more formally Sheikha Latifa bint Mohammed bin Rashid Al Maktoum).

This is a really good illustration of how even if a technology is sometimes used for good, governments will inevitably use it for bad as well. Pegasus cost her a few years of her life, for no justifiable reason.

1 Like

Along these lines (if I may be permitted to abstract for a moment - may I primarily say that I appreciate your reply), I wonder what - practices, knowledge - should be taught about digital technology to improve the chances that it will be used for the good.

Something along the lines: “Every person that works, uses and/or designs digital technology is obliged to read 1984 from George Orwell.”

1 Like

That’s too funny :woozy_face:

Along those lines, also relevant is Huxley’s Brave New World, which is ‘an account of society making use of all the devices available … in order to … standardize the population, to iron out inconvenient human differences, to create … mass produced models of human being’ (as per his own description of the book) .

Huxley was not much of an optimist...

He also said:

There will be in the next generation or so a pharmacological method of making people love their servitude and producing dictatorship without tears, so to speak; producing a kind of painless concentration camp for entire societies, so that people will in fact have their liberties be taken away from them but will rather enjoy it, because they will be distracted from any desire to rebel by propaganda, or brainwashing, or brainwashing enhanced by pharmacological methods. And this seems to be the final revolution.

1 Like

You need to put a sticker on the cover.
“Caution: Not meant as an instruction manual”

4 Likes

Just musing …

a mandatory, public, independent assessment report of the “what if”?

So before they sell the surveillance software they would have to answer the hard questions about who is going to use it, how it is going to be used and how they screen out the “bad” uses. If it goes pear-shaped (highly likely), at least their failure will be on the public record and they will suffer reputational damage.

That could lead to this kind of software being offered on a service model, so that the vendor retains greater control over their business reputation. However I can see a lot of security agencies getting antsy about that.

2 Likes