I figured security researchers were always targets of multiple APT actors and random individuals. However...
> I've even caught them using their exploits on me after they made me an offer
Not only for exploit companies that eat their own dog food, nor only cybersecurity jobs, but I've heard of this happening to people interviewing for other tech areas considered strategic.
The noticed ones weren't that subtle, and were presumably noticed because the attacker wasn't using the best methods, but maybe more routine SOP for lower-value targets.
I have no idea what the actors and motivations actually were. Speculation:
* the hiring company or its country, vetting the candidate by spying on them, including for corporate/national counterintelligence reasons (it's really not much different than a lot of the sneaky surveillance capitalism vetting that many companies quietly do, just unambiguously illegal in this case);
* the hiring company, spying to monitor the competitive offer situation (e.g., what counteroffers or concerns does the candidate have);
* other state, individual, and possibly corporate actors, for whom the imminent offer flagged the target as worth keeping an eye on (for, e.g., advance access to research they do individually, knowledge of attacks they do individually, possible technical entry point to the job-offering organization or others, or kompromat for getting access/actions); or
* random associated individuals acting on their own, recreationally enjoying the power over others that their cracking toys give them (which at least used to be not too uncommon, before cybersecurity was professionalized, when there were proportionally much more teens and alienated people, and they hadn't yet been told about color-coded hats for prefabricated codes of behavior from which they could choose; now, most people with skillz have the carrot of a lucrative job or respected status as researcher that they can pursue, instead of seeking power/status other ways and without guidelines).
Personally, I try not to work on strategic target areas, since I like to save my very limited guts for fighting product concepts and reliable systems into shape, not for being helplessly violated by lawless authoritarian institutions. Good luck.
Forget blackmail, people wildly overestimate the value of blackmail. Far more predictable and lucrative is just to use exploits for insider information, including as favors and bribes, and selling them to governments willing to pay immense amounts of money. Blackmail is far too messy. Grease works way better.
Plata o plomo (silver or lead). Usually a combination of threats and bribery is most effective. The truly dangerous groups usually have the ability and willingness to pay well.
Sorry, that’s just not how it is practiced, and at least has not been for a long time. You’ve heard the saying, you catch more flies with honey than vinegar, right? If you have unlimited funds and you are the giver and bringer and provider, there is no need for blackmail. It’s just the nuclear option, so to say.
At the political level things don’t operate like some cartel, sort of certain places and certain rather narrow regions of the world where it may take some additional motivating to do the right thing for themselves.
Ironically that actually applies to him too. Sure, he likely had all kinds of stuff on people, but frankly bribery still always works far more effectively unless you encounter some resistance. It’s a rather established practice. The “blackmail” material is really just an insurance, not actual leverage.
> Gibson .. may be the first documented case of someone who builds exploits and spyware being themselves targeted with spyware.
> But the ex-Trenchant employee may not be the only exploit developer targeted with spyware .. there have been other spyware and exploit developers in the last few months
So basically it was probably someone in his chain of command leaking the Chrome exploits, and this guy was the scapegoat used to cover that up for now.
Though the whole thing sounds more made up than legit.
This guy is pretty naive if he thinks they (or their biggest customers) won't verify whether he really was leaking something or not if they've got the tools to do that lol and to maybe send a message to not think about it
> “I was panicking,” Jay Gibson, who asked that we don’t use his real name over fears of retaliation, told TechCrunch.
And later,
> Without a full forensic analysis of Gibson’s phone ... it’s impossible to know why he was targeted or who targeted him.
> But Gibson told TechCrunch that he believes the threat notification he received from Apple is connected to the circumstances of his departure from Trenchant ...
I find it funny that (1) this guy never thought this would happen to him (2) this guy has the balls to talk to media about this but fears retaliation
I mean, seriously, those who want to know your real name already know it.
This honestly smells really strong like made up shit. Or the guy is very much a low key player.
Generally, if you develop exploits, you should be completely aware of every single possible attack vector. If you are working for a company like Trenchant, and you know what you are doing, the last thing you do is use Apple devices (at least fully, most of the time you have a public phone and much more secure private phone)
The reason is, when you take an Apple phone, connect it to a router that proxies through a computer so you can inspect traffic, you can see the vast amounts of shit being sent back to Apple which you have no control of.
Meanwhile, if you do the same with my custom rooted, de-googled android phone that I take overseas, you will see only ntp traffic, and that is only so I don't have to deal with cert issues because my clock is wrong.
I can kinda sympathize with the guy, as I got fucked over in Defense contracting in a not-dissimilar fashion a lifetime ago. These companies reel you in with decently-sized (or even outrageously-large) pay packages and promises of doing “good work”, bleed you of your energy and time for their profits, then shove you out the door and blame you for anything that went wrong (especially if you try to act honestly and report wrongdoing - that’s a one-way ticket out the fucking door and into blackball territory).
Nobody should be doing work for these scumbags, but people will always fall for their spiels and grifts, unfortunately, out of some naive sense of “doing good” or “getting the bad guys”. It’s always just “leopards ate my face”, though.
Enlist and get your top secret clearance managing LANs and teaching officers how to add images into PowerPoints, they said. You’ll never be unemployed. Then you realize the “job” mostly involves being a disposable cog in some ex-colonel’s endless PowerPoint war. Every meeting feels like a high-stakes reenactment of “Yes, sir,” where accountability is optional and speaking up is career suicide. Billion-dollar mistakes are brushed off as “lessons learned,” while you get a lecture about integrity. It’s the world’s most expensive game of “the emperor has no clothes,” except everyone’s wearing lanyards and classified guilt.
>Gibson, who until recently built surveillance technologies for Western government hacking tools maker Trenchant, may be the first documented case of someone who builds exploits and spyware being themselves targeted with spyware.
Leopards ate my face moment?
They're not developing these tools to NOT use them...
For at least 2 decades now exploit developers have been rather infamously prime targets for spyware, so whoever wrote this piece isn't read in at all to the industry.
"..if you are a state or federal enforcement authority, and you have suspicion of any criminal activity of `Jay Gibson', be encouraged to immediately contact: Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or by email."
Leopards ate my face is only negative, and has been more political, typically someone voting to weaponize the government against their peer-level enemies but hypocritically, only to later realize they are not a party to the benefits, only the consequences.
It is really about a perceptual flaw in pre-fascist democratic behavior: people believing themselves to be a part of the protected class because they voted for it.
It seems to apply here because someone profiting from the creation of tools used on others by people with money/power has them used on him by the government.
tldr; it is a subset of you reap what you sow, with more specificity and punch
Too biblical and old-fashioned, probably. I would say that at least half the people who've used "leopards ate my face" don't even know the meaning of reap. The simplicity and visual character of the modern expression make it memier.
Not sure, but the phrasing around this article and the entire second half of it definitely sounds like similar articles I've seen during these kinds of suits.
I know people involved at Trenchant and have trouble believing that anybody who worked there was shocked by this threat. Maybe things have changed post-L3Harris but "it" (it's more than one company) was an incredibly paranoid IT shop prior to the acquisition.
Firefighters recently resorted to breaking a Tesla’s window to free a 20-month-old child locked inside after one of the vehicle’s batteries died. The emergency rescue is the second of such incidents reported on this week by Arizona CBS news affiliate KPHO and reiterates the potential dangers of the EV company’s ongoing, under-addressed battery issues in extreme heat.
In July 2023, a 73-year-old man was reportedly forced to kick out a window in his Model Y after becoming trapped. A similar emergency occurred for a mother and her daughter in Illinois a few weeks later after renting a Tesla, while a California driver last month claimed she found herself stuck in her EV while waiting on an over-the-air software update that shut down her car. In the 40 minutes it took to complete the update, outside temperatures rose to 115-degrees Fahrenheit.
And yeah, if you know how, and can go through multiple steps:
The only other workaround to battery issues appears to be a step-by-step solution in the owner’s manual that only opens a dead Tesla’s front hood by ostensibly hotwiring the car using external jumper cables. If this is the case, then people who find themselves locked out of their EV may need to continue relying on EMS—and their axes—until Tesla decides to address the glaring safety hazard.
Right. I was talking about passenger safety. But sure, if you purposefully designed a vehicle that has poor pedestrian visibility and end up getting hit by that same vehicle due to that poor visibility, you shouldn't be surprised.
I agree that car analogies should be taken seriously.
Sure, cars are useful. But aiming to sell as many cars as possible is no more ethical than selling as many yachts as you can, especially if it involves making the living conditions worse for anyone who doesn't own a yacht, for example by bribing politicians, or destroying non-yacht-capable waterways.
I wouldn’t be surprised if Apple’s malware notification comes via the same or similar mechanism as Apple 2FA codes on iOS, as iMessage itself is a common vector for these kinds of malware being warned of, such as Pegasus. Apple also notifies you of this kind of malware via the email used for your AppleID, in addition to on-device, though I wouldn’t be surprised if that same malware would attempt to monitor for these messages from Apple to prevent them from being received and/or read.
The Apple Support app, for example, has capabilities which when triggered from the Apple side, allow screen-sharing and logging to be shared with Apple. I don’t know if this functionality relies on iMessage being enabled either, but I do know that the Apple Support app seemingly still works in Lockdown Mode.
I’d be curious if the person in TFA had their device in Lockdown Mode, which is supposed to make these kinds of exploits harder to install. If they were using Lockdown Mode, and they still got exploited, that isn’t great news for the rest of us, but the fact that Apple notified them is better than the alternative of Apple not being aware of the breach and/or Apple being aware and not notifying them for reasons.
Apple has the capability to remotely disable iPhones, which has been used when large numbers of iPhones were looted during riots in the US. I’m not sure if that capability relies on the devices not already being activated or not, but I’ve seen credible screenshots of the message when iPhones are so disabled.
If I got a message in my iPhone saying it had been remotely disabled, I would take it to an Apple Store or authorized Apple Service Center, where they could tell me what should happen next. This would be inconvenient, to be sure, but it would be preferable to continuing to use the device.
There's still no proof that it was Trenchant, and there was no evidence on the device. It's unlikely that it will ever be identified as an attack from Trenchant. Trenchant/L3Harris is a supplier for Five Eyes, and any attribution of their exploits will likely be concealed.
> Two days after receiving the Apple threat notification, Gibson contacted a forensic expert with extensive experience investigating spyware attacks.
Surely as a professional "exploit developer", Gibson himself should have been about as expert at this particular niche as any human being on the planet already.
I mean, sure, absolutely he should have called in his friends in the community and gotten more eyes on the device. But the way that's written it sounds like he took it into the local Genius Bar.
It also, in context, feels a little obfuscatory. Like he's trying to flag the involvement of senior folks who he can't name.
I agree it reads weird, but I am leaving room for the idea that there are a lot of very gifted people who work on this stuff as an intellectual challenge, have a sort of straight up systemsy computer science background, and don't have or care about a bigger picture of where they fit into the industry. But still: the companies that became Trenchant were notoriously paranoid about state-sponsored CNE threats! It would still be weird to be surprised by them.
I'm not in this field but I was under the impression that people who know they are likely to be individually targeted use two (or more) phones and the one they use for their (target-worthy activity) is kept heavily locked down. Inconvenient to be sure but it seems like an unavoidable cost of being in that business.
You need to consider your location known to the government at all times if they know they'd want it beforehand. Most places are either surveilled heavily or sparsely populated, i.e. good for satellite-based observation. Maybe also to big enough corporations if they really want.
This does not imply that it is easy to track everyone everywhere at all times. I guess most targeted ones would like to protect their communication, and even meetings in person are possible if you keep some safeguards.
Is this a serious response? It is nearly impossible to live without a phone, short of pulling a Chris McCandless. I understand that means this _is_ an option, but it is an option in the same way that cutting off your leg for fun is always an option.
Well if you're knowingly being targeted by a government, your choices are basically go off the grid... or continue having every inch of your life tracked so they can find any tiny little thing to construe as probable cause to take you in.
> It is nearly impossible to live without a phone,
There's a whole continuum.
Other than 2FA, text messaging is easy to get rid of.
You still use it to make calls, so yeah, they can track you that way. You can keep the phone off most of the time, though. People close to me know that they're more likely to reach me by calling my home phone.
What else does one really need a phone for?
Navigation? Do what I did: Get another phone that never has a SIM card and use an offline app.
Camera? The same. But really, life is very doable without a camera to begin with!
I had Ubuntu Touch installed on an older OnePlus phone. It did everything, but they haven't figured out how to work with VoLTE. I considered just saying "screw it" and using it anyways, but then remembered that my Mum calls twice a week to chat me up so I went back.
But 100% you can still find alternatives, it's just about how much stuff you wanna carry around with you, right?
If there are zero-click, not-yet-known zero-days against Apple devices, it won't help.
If you are actually security conscious, the only setup that works is have a public facing phone and a private phone that is custom rooted, de googled, and you control everything that runs on it.
Maybe but if we're talking on the level of targeted government surveillance, I think all options are on the table, i.e. they should assume they are being watched everywhere they go, and that all their communications, including their close friends/family (or anyone they have already been talking to lately) are likely being monitored as well, in which case, getting a new phone may not do much of anything.
There is some amount of protection until the adversary discovers the new number. But since they've already compromised his phone they likely have his dad's number and can compromise that phone to find him again. It's dystopian.
If he's running iOS he can also enable Lockdown Mode on the new phone to block most types of attacks.
The article notes that the target's former employer makes hacking tools and they separated on bad terms. Seems like it easily could just be the target's former employer.
I would be more surprised if these employers didn’t target their employees to prevent leaks of trade secrets, union activity, or other internal dissent. Having the power would be too tempting to resist, and besides, there is some degree of legitimate concern; it would be easy enough for rogue employees to sell exploits on the side for millions (there are plenty of buyers).
I'm not disagreeing with you, but doing so would open them up to criminal charges and liability. Rightly or wrongly, selling exploits is not illegal. Hacking your employees' devices is.
If it's actually a state, it's unlikely to be a NATO or FVEY country, since L3Harris is one of the largest defense contractors in the world and most of those countries are customers. The piece is kind of all over the place but the vibe it lands on is that his work phone may have been owned up by his employers.
> his work phone may have been owned up by his employers
First line says "personal phone". I presume MDM on a work phone could do most of the things they'd be interested in, without the risk of setting off an alarm like this. Anyone have speculation about a reason for an employer to pwn a phone that's already on their MDM?
I've interviewed with these types of companies (not the ones in the article). I've even caught them using their exploits on me after they made me an offer and that seems to be the most likely explanation for what happened here. I don't know how anyone can develop exploits for resale in good conscience.
If these companies have no qualms using their exploits against their own employees they'll have absolutely no problem using them against members of Congress, the Courts, investment banks, tech leaders, and anyone with any sort of power. This gives them the ability to blackmail some of the most powerful people in the world.
edit: And that's not even mentioning their reported "intended use" against dissidents and journalists.
I think by default these companies kinda filter out people with values that would impede unrestricted use of their tools. And at worse possibly attract people who think "I'd sure like to spy on other people". That's scary.
That or they mask their activity with layers of management and vague and abstract products.
You don't know how any of these could be developed in good conscience? How about: anti-proliferation intelligence work is going to happen whether it requires human intelligence or CNE, and CNE is less costly and harmful?
I get where you're probably coming from: this same technology is used all over the world to target journalists and dissidents in countries with and without the rule of law. A very real concern. I wouldn't do this kind of work either (also, it's been over a decade since I had the chops even to apprentice at it).
But there are very coherent reasons people are comfortable doing this work for NATO countries. Our reflexive distrust of law enforcement and intelligence work is a fringe belief: a lot of families are very proud to include people working in these fields.
The most important thing I guess I'd have to say here is: our opinion of this stuff doesn't matter. At current market rates every country in the world can afford CNE technology, and it's a market well served by vendors outside of NATO.
"our opinion of this stuff doesn't matter."
It very much does matter. If more people refuse to do this type of work, it eventually won't be done to the required standard. People would cut family ties and this would stop fast.
That's an incredibly blinkered view of the ecosystem that assumes that the only talent capable of delivering this work is people you talk to or share cultural ties with. There are ultra-skilled people in developing countries who could not give less of a fuck about how uncomfortable this stuff makes people in the west.
There are tons of people in the West who have no qualms about doing this for pure crime purposes; many of them are the ones who espouse most ardently that doing this work for the government is immoral.
> many of them are the ones who espouse most ardently that doing this work for the government is immoral
How do you know this?
An opinion, based on meeting people like https://www.nbcnews.com/news/us-news/capital-one-hacking-sus...
So what? As GP suggests, they are not necessary for the development of exploits.
>If more people refuse to do this type of work
This is kind of like saying "if people wouldn't murder other people then..."
"Bad" kinds of work always find bodies to fill their spots. Boycotts of a particular business might work, but a type of work won't, especially when there is decent money on the table. And then when you start adding in people that had previous run-ins with law enforcement and find it hard to get a "legit" job and get a decent offer from a place like this, they'll have no problem taking it.
> You don't know how any of these could be developed in good conscience?
The OP did say "...for resale in good conscience."
I personally read that as the commercial companies that allow anyone to buy the product off the shelf for the right price -- including governments, but also rogue elements. Bad actors, groups, or even people engaged in abusive domestic practices (customers without the time, experience, or resources to do it in-house). Not the people who work directly under government agencies developing these things for State level intelligence/ops.
I think I agree with what I think you're trying to say.
However I don't agree with the repercussions of this, which are the same ones that make all reasonable people, security experts included, oppose EU's ChatControl or the UK's backdoor requests: There is no way to ensure and protect the people that need protection, as there is no way to ensure that only "the good guys" have it.
We tend to bullshit ourselves into believing that because spyware software like Predator are weapons, meaning that only countries would be allowed to buy them and use them (same way that Jeff Bezos cannot buy and use an F-35 for example). We see though, that certain individuals _can_ get their hands on these things and use them however they want.
For example, 3 years ago someone adjacent to the Greek government bought and used Predator against MEPs, journalists, army generals, mafia bosses, MPs of opposing parties and even MPs of their own, ruling, party. The Greek government of course denied that they did it, and they said that this individual did not act under the instructions of the government (though they then changed the law to prevent anyone from learning details about it, but that's a different story).
So, apart from adopting the same approach as with ChatControl and encryption backdoors, i.e. banning them, I don't know how we could protect ourselves against them.
I'm an American and am glad of my personal belief that the American system would not allow something like ChatControl by state mandate. I also wouldn't participate in commercial exploit development (even if I was capable of doing so competitively). But I don't think the two things are at all comparable.
ChatControl has almost happened here in the USA multiple times, and they will try again.
If you say so. Either way: not comparable to CNE operations.
> At current market rates every country in the world can afford CNE technology
Slippery slopes don't justify anything. You might not care enough to make a difference, but many people do and your justification rings hollow to everyone that's potentially a victim. You wouldn't say this about nuclear proliferation, so why make a carveout for digital mercenary work? Because it's "harmless"?
I don't know what your goal is with this statement but it certainly doesn't make me feel any better. If you're this emotionally invested in the topic, it might be best for your own optics to not chime in.
I'm not justifying anything. I'm saying a very large number of people don't share the premise in the parent comment. It's one thing to disagree with a practice; it's another thing to suggest that disagreement with it is universal. It is not.
The difference is that it's completely plausible to protect against a cyberattack, but completely implausible to protect against a nuclear attack.
The onus is on Apple and their userbase to protect their own computers, not the rest of society to patrol and regulate unstoppable "information crime" against them.
Maybe that was just a phase of your interview.
That's outrageous that they tried to attack you like that. How exactly did it happen? Did they send a link via SMS to your phone, or some other way?
I don't wanna give away too much in case they're reading, but they didn't use their stealthiest exploit. It was pretty obvious, especially if you monitor your network traffic.
I gotta admit I'm not in the habit of monitoring my network traffic... Gotta wonder if it's even possible to protect ourselves against this surveillance without going full OPSEC mode.
If you're developing tools you're likely testing against vendor network monitoring apps and in the habit of using them.
OK, guessing it was against a computer of yours and not a phone (which of course is still possible). Thanks. Hope it can help all of us stay safe.
How obvious would it be to someone being hired as an office manager or janitor or similar?
Monitoring your network traffic on your local PC (à la Little Snitch or OpenSnitch) or monitoring it at the gateway/router level?
At the router level. I turned off cellular data to be sure, but I don't even think that was necessary since it was on wifi.
This is why I don't want to work in cybersecurity
This is too dangerous, it's the wild west
I figured security researchers were always targets of multiple APT actors and random individuals. However...
> I've even caught them using their exploits on me after they made me an offer
Not only for exploit companies that eat their own dog food, nor only cybersecurity jobs, but I've heard of this happening to people interviewing for other tech areas considered strategic.
The noticed ones weren't that subtle, and were presumably noticed because the attacker wasn't using the best methods, but maybe more routine SOP for lower-value targets.
I have no idea what the actors and motivations actually were. Speculation:
* the hiring company or its country, vetting the candidate by spying on them, including for corporate/national counterintelligence reasons (it's really not much different than a lot of the sneaky surveillance capitalism vetting that many companies quietly do, just unambiguously illegal in this case);
* the hiring company, spying to monitor the competitive offer situation (e.g., what counteroffers or concerns does the candidate have);
* other state, individual, and possibly corporate actors, for whom the imminent offer flagged the target as worth keeping an eye on (for, e.g., advance access to research they do individually, knowledge of attacks they do individually, possible technical entry point to the job-offering organization or others, or kompromat for getting access/actions); or
* random associated individuals acting on their own, recreationally enjoying the power over others that their cracking toys give them (which at least used to be not too uncommon, before cybersecurity was professionalized, when there were proportionally much more teens and alienated people, and they hadn't yet been told about color-coded hats for prefabricated codes of behavior from which they could choose; now, most people with skillz have the carrot of a lucrative job or respected status as researcher that they can pursue, instead of seeking power/status other ways and without guidelines).
Personally, I try not to work on strategic target areas, since I like to save my very limited guts for fighting product concepts and reliable systems into shape, not for being helplessly violated by lawless authoritarian institutions. Good luck.
Forget blackmail, people wildly overestimate the value of blackmail. Far more predictable and lucrative is just to use exploits for insider information, including as favors and bribes, and selling them to governments willing to pay immense amounts of money. Blackmail is far too messy. Grease works way better.
Plata o plomo. Usually a combination of threats and bribery is most effective. The truly dangerous groups usually have the ability and willingness to pay well.
Sorry, that's just not how it is practiced, and at least has not been for a long time. You've heard the saying, you catch more flies with honey than vinegar, right? If you have unlimited funds and you are the giver and bringer and provider, there is no need for blackmail. It's just the nuclear option, so to say.
At the political level things don't operate like some cartel, apart from certain places and certain rather narrow regions of the world where it may take some additional motivating to do the right thing for themselves.
Forget blackmail
Tell that to Epstein.
Ironically that actually applies to him too. Sure, he likely had all kinds of stuff on people, but frankly bribery still always works far more effectively unless you encounter some resistance. It’s a rather established practice. The “blackmail” material is really just an insurance, not actual leverage.
> Gibson .. may be the first documented case of someone who builds exploits and spyware being themselves targeted with spyware.
> But the ex-Trenchant employee may not be the only exploit developer targeted with spyware .. there have been other spyware and exploit developers in the last few months
I'm more interested in how Apple makes this determination than I am about the drama between this dev and his former employer.
I had to read "Apple alerts exploit developer" several times to understand what it meant.
First read: "Apple's alerts somehow exploit a developer".
nth read: "Apple's alerts tell a developer of exploits that..."
>“I was panicking,” Jay Gibson, who asked that we don’t use his real name over fears of retaliation, told TechCrunch.
I lol'd for a second imagining this is his actual name but the writer didn't realise it
So basically it was probably someone in his chain of command leaking the Chrome exploits, and this guy was the scapegoat used to cover that up for now.
Though the whole thing sounds more made up than legit.
This guy is pretty naive if he thinks they (or their biggest customers) won't verify whether he really was leaking something or not, given that they've got the tools to do that, lol, and maybe to send a message not to think about it.
> “I was panicking,” Jay Gibson, who asked that we don’t use his real name over fears of retaliation, told TechCrunch.
And later,
> Without a full forensic analysis of Gibson’s phone ... it’s impossible to know why he was targeted or who targeted him.
> But Gibson told TechCrunch that he believes the threat notification he received from Apple is connected to the circumstances of his departure from Trenchant ...
I find it funny that (1) this guy never thought this would happen to him (2) this guy has the balls to talk to media about this but fears retaliation
I mean, seriously, those who want to know your real name already know it.
This honestly smells really strongly like made-up shit. Or the guy is very much a low-key player.
Generally, if you develop exploits, you should be completely aware of every single possible attack vector. If you are working for a company like Trenchant, and you know what you are doing, the last thing you do is use Apple devices (at least fully; most of the time you have a public phone and a much more secure private phone).
The reason is, when you take an Apple phone, connect it to a router that proxies through a computer so you can inspect traffic, you can see the vast amounts of shit being sent back to Apple which you have no control of.
Meanwhile, if you do the same with my custom rooted, de-googled android phone that I take overseas, you will see only ntp traffic, and that is only so I don't have to deal with cert issues because my clock is wrong.
Trenchant employees use iPhones just like everyone else. What else would they use?
Going public is presumably part of his strategy for trying not to be disappeared.
I can kinda sympathize with the guy, as I got fucked over in Defense contracting in a not-dissimilar fashion a lifetime ago. These companies reel you in with decently-sized (or even outrageously-large) pay packages and promises of doing “good work”, bleed you of your energy and time for their profits, then shove you out the door and blame you for anything that went wrong (especially if you try to act honestly and report wrongdoing - that’s a one-way ticket out the fucking door and into blackball territory).
Nobody should be doing work for these scumbags, but people will always fall for their spiels and grifts, unfortunately, out of some naive sense of “doing good” or “getting the bad guys”. It’s always just “leopards ate my face”, though.
Enlist and get your top secret clearance managing LANs and teaching officers how to add images into PowerPoints, they said. You’ll never be unemployed. Then you realize the “job” mostly involves being a disposable cog in some ex-colonel’s endless PowerPoint war. Every meeting feels like a high-stakes reenactment of “Yes, sir,” where accountability is optional and speaking up is career suicide. Billion-dollar mistakes are brushed off as “lessons learned,” while you get a lecture about integrity. It’s the world’s most expensive game of “the emperor has no clothes,” except everyone’s wearing lanyards and classified guilt.
>Gibson, who until recently built surveillance technologies for Western government hacking tools maker Trenchant, may be the first documented case of someone who builds exploits and spyware being themselves targeted with spyware.
Leopards ate my face moment?
They're not developing these tools to NOT use them...
For at least 2 decades now exploit developers have been rather infamously prime targets for spyware, so whoever wrote this piece isn't read in at all to the industry.
"..if you are a state or federal enforcement authority, and you have suspicion of any criminal activity of 'Jay Gibson', be encouraged to immediately contact: Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or by email."
Oddly it seems to echo the feelings of the spyware developer in question.
I agree that developer, as quoted, has an odd vibe.
"Leopards ate my face" reference for others not in the know: https://knowyourmeme.com/memes/leopards-eating-peoples-faces...
The original tweet just had its tenth anniversary (2015-10-16):
> 'I never thought leopards would eat MY face,' sobs woman who voted for the Leopards Eating People's Faces Party.
* https://twitter.com/Cavalorn/status/654934442549620736
What happened with "reap what one sows", did it go out of fashion? Seems the same.
Leopards ate my face is only negative, and has been more political, typically someone voting to weaponize the government against their peer-level enemies but hypocritically, only to later realize they are not a party to the benefits, only the consequences.
It is really about a perceptual flaw in pre-fascist democratic behavior: people believing themselves to be a part of the protected class because they voted for it.
It seems to apply here because someone profiting from the creation of tools used on others by people with money/power has them used on him by the government.
tldr; it is a subset of you reap what you sow, with more specificity and punch
You know what? Thank you for explaining that!
Too biblical and old-fashioned, probably. I would say that at least half the people who've used "leopards ate my face" don't even know the meaning of reap. The simplicity and visual character of the modern expression make it memier.
Based on the article, it sounds like a bit of a "he said - she said" article after Gibson was terminated at Trenchant/L3Harris.
To clarify with the final paragraphs of context, “He said, Corp said, 3 of 3 coworkers asked corroborated what He said”.
I'm not entirely sure how that applies to my post.
What I mean is:
1. Most of us in this segment of the industry recognize the risks
2. He is absolutely not the first person targeted by this
3. This article sounds like it's part of a wrongful termination suit by Gibson based on the context provided
Is there a lawsuit?
Not sure, but the phrasing around this article and the entire second half of it definitely sounds like similar articles I've seen during these kinds of suits.
You swim with sharks...
> I have mixed feelings of how pathetic this is, and then extreme fear because once things hit this level, you never know what’s going to happen
Interesting kind of payback. What does he think happens to the people whom the exploits he develops target?
Sounds like he naively believes only governments use these, and only against legitimate criminals.
Live by the sword, die by the sword.
I know people involved at Trenchant and have trouble believing that anybody who worked there was shocked by this threat. Maybe things have changed post-L3Harris but "it" (it's more than one company) was an incredibly paranoid IT shop prior to the acquisition.
If an engineer at Ford dies in a car crash does he really deserve it?
We live in a world full of threat-actors. We need exploits just like we need firearms and tanks and fighters and jets.
To mock the guy is just naive.
An engineer at Ford isn't developing cars that actively harm passengers.
If you develop weapons, physical or digital, don’t be surprised if you end up on the receiving end.
> An engineer at Ford isn't developing cars that actively harm passengers.
Maybe not at Ford?
https://www.popsci.com/technology/tesla-lock-issue/
Firefighters recently resorted to breaking a Tesla’s window to free a 20-month-old child locked inside after one of the vehicle’s batteries died. The emergency rescue is the second of such incidents reported on this week by Arizona CBS news affiliate KPHO and reiterates the potential dangers of the EV company’s ongoing, under-addressed battery issues in extreme heat.
In July 2023, a 73-year-old man was reportedly forced to kick out a window in his Model Y after becoming trapped. A similar emergency occurred for a mother and her daughter in Illinois a few weeks later after renting a Tesla, while a California driver last month claimed she found herself stuck in her EV while waiting on an over-the-air software update that shut down her car. In the 40 minutes it took to complete the update, outside temperatures rose to 115 degrees Fahrenheit.
And yeah, if you know how, and can go through multiple steps: The only other workaround to battery issues appears to be a step-by-step solution in the owner’s manual that only opens a dead Tesla’s front hood by ostensibly hotwiring the car using external jumper cables. If this is the case, then people who find themselves locked out of their EV may need to continue relying on EMS—and their axes—until Tesla decides to address the glaring safety hazard.
In the cases of the adults stuck inside the cars, aren't there mechanical unlocking handles inside Teslas?
Well, they’re certainly developing cars that kill and maim pedestrians, disperse clouds of microplastics, and contribute excess CO2 to our atmosphere…
Right. I was talking about passenger safety. But sure, if you purposefully designed a vehicle that has poor pedestrian visibility and end up getting hit by that same vehicle due to that poor visibility, you shouldn't be surprised.
I agree that car analogies should be taken seriously.
Sure, cars are useful. But aiming to sell as many cars as possible is no more ethical than selling as many yachts as you can, especially if it involves making the living conditions worse for anyone who doesn't own a yacht, for example by bribing politicians, or destroying non-yacht-capable waterways.
Not the best analogy, more like a man who develops car mounted harpoons being hit by a car mounted harpoon.
I would like to see the screenshot or the photo of display with that kind of alert.
Here's what it looks like: https://c.ndtvimg.com/2024-04/30p8264g_apple-notification_62...
> Apple detected a targeted mercenary spyware attack against your iPhone
Not going to lie, this subject line would fit right in with the phishing messages and 419 scams in my Spam folder.
Indeed; however, the notification also comes via iMessage and appears at the top of your Apple account, plus it contains no external links.
I wouldn’t be surprised if Apple’s malware notification comes via the same or a similar mechanism as Apple 2FA codes on iOS, as iMessage itself is a common vector for the kinds of malware being warned of, such as Pegasus. Apple also notifies you of this kind of malware via the email used for your Apple ID, in addition to on-device, though I wouldn’t be surprised if that same malware would attempt to monitor for these messages from Apple to prevent them from being received and/or read.
The Apple Support app, for example, has capabilities which when triggered from the Apple side, allow screen-sharing and logging to be shared with Apple. I don’t know if this functionality relies on iMessage being enabled either, but I do know that the Apple Support app seemingly still works in Lockdown Mode.
I’d be curious whether the person in TFA had their device in Lockdown Mode, which is supposed to make these kinds of exploits harder to install. If they were using Lockdown Mode and they still got exploited, that isn’t great news for the rest of us, but the fact that Apple notified them is better than the alternative of Apple not being aware of the breach and/or Apple being aware and not notifying them for reasons.
An email? If they can breach your phone, surely email is the least trustworthy mechanism you can use: it’s high latency, shared across systems, etc.
A better mechanism would surely be a push notification to the device, or one of the alert-based notifications used for earthquakes etc.
A push notification that you receive…on the phone? There isn’t really a good solution here.
Well, it blocked the exploit. If the adversary knows the exploit is blocked, their cover is burnt. What do they do?
Push notification + out-of-band comms would be more ideal; time sensitivity is significantly important.
Apple has the capability to remotely disable iPhones, which has been used when large numbers of iPhones were looted during riots in the US. I’m not sure if that capability relies on the devices not already being activated or not, but I’ve seen credible screenshots of the message when iPhones are so disabled.
If I got a message in my iPhone saying it had been remotely disabled, I would take it to an Apple Store or authorized Apple Service Center, where they could tell me what should happen next. This would be inconvenient, to be sure, but it would be preferable to continuing to use the device.
Why is it not computer crime? It wasn't done by the govt, they suspect it was done clandestinely by Trenchant.
Sue them!
There's still no proof that it was Trenchant, and there was no evidence on the device. It's unlikely that it will ever be identified as an attack from Trenchant. Trenchant/L3Harris is a supplier for Five Eyes, and any attribution of their exploits will likely be concealed.
This framing seems weird:
> Two days after receiving the Apple threat notification, Gibson contacted a forensic expert with extensive experience investigating spyware attacks.
Surely as a professional "exploit developer", Gibson himself should have been about as expert at this particular niche as any human being on the planet already.
I mean, sure, absolutely he should have called in his friends in the community and gotten more eyes on the device. But the way that's written it sounds like he took it into the local Genius Bar.
It also, in context, feels a little obfuscatory. Like he's trying to flag the involvement of senior folks who he can't name.
I agree it reads weird, but I am leaving room for the idea that there are a lot of very gifted people who work on this stuff as an intellectual challenge, have a sort of straight up systemsy computer science background, and don't have or care about a bigger picture of where they fit into the industry. But still: the companies that became Trenchant were notoriously paranoid about state-sponsored CNE threats! It would still be weird to be surprised by them.
> I went immediately to buy a new phone.
Why does he think that will help against a state-backed adversary?
I don't think he thinks it is a state.
But the title says gov spyware?
meaning gov-grade spyware, most likely
It's spyware that govs buy, but clearly the article goes in another direction as to who might have an interest in this guy.
>> I went immediately to buy a new phone.
> Why does he think that will help against a state-backed adversary?
What are his alternatives?
I'm not in this field but I was under the impression that people who know they are likely to be individually targeted use two (or more) phones and the one they use for their (target-worthy activity) is kept heavily locked down. Inconvenient to be sure but it seems like an unavoidable cost of being in that business.
It depends what the use case is, does the adversary want to read your email, tap your microphone or track your location?
You need to consider your location known to the government at all times if they know beforehand that they'd want it. Most places are either surveilled heavily or sparsely populated, i.e. good for satellite-based observation. Maybe also to big enough corporations if they really want.
This does not imply that it is easy to track everyone everywhere at all times. I guess most targeted ones would like to protect their communication, and even meetings in person are possible if you keep some safeguards.
You’re assuming America, and on local soil. There are plenty of places where your statements are inaccurate.
Get a new iPhone and immediately turn on lockdown mode.
Not using a phone anymore
Is this a serious response? It is nearly impossible to live without a phone, short of pulling a Chris McCandless. I understand that means this _is_ an option, but it is an option in the same way that cutting off your leg for fun is always an option.
Well if you're knowingly being targeted by a government, your choices are basically go off the grid... or continue having every inch of your life tracked so they can find any tiny little thing to construe as probable cause to take you in.
I don't really see any alternatives. Do you?
Going off the grid does not really prevent the alternative. It also presents convenient opportunities for accidents, depending on how far you go.
What do you suggest then?
> It is nearly impossible to live without a phone,
There's a whole continuum.
Other than 2FA, text messaging is easy to get rid of.
You still use it to make calls, so yeah, they can track you that way. You can keep the phone off most of the time, though. People close to me know that they're more likely to reach me by calling my home phone.
What else does one really need a phone for?
Navigation? Do what I did: Get another phone that never has a SIM card and use an offline app.
Camera? The same. But really, life is very doable without a camera to begin with!
The only reason I need a phone is 2FA.
I had Ubuntu Touch installed on an older OnePlus phone. It did everything, but they haven't figured out how to work with VoLTE. I considered just saying "screw it" and using it anyways, but then remembered that my Mum calls twice a week to chat me up so I went back.
But 100% you can still find alternatives; it's just about how much stuff you wanna carry around with you, right?
This doesn’t make sense… of course it will help. It gives you a clean slate, not compromised when you pick it up.
If there are zero-click, as-yet-unknown zero-days against Apple devices, it won't help.
If you are actually security conscious, the only setup that works is to have a public-facing phone and a private phone that is custom-rooted, de-Googled, and on which you control everything that runs.
Maybe but if we're talking on the level of targeted government surveillance, I think all options are on the table, i.e. they should assume they are being watched everywhere they go, and that all their communications, including their close friends/family (or anyone they have already been talking to lately) are likely being monitored as well, in which case, getting a new phone may not do much of anything.
Does that really not make sense?
There is some amount of protection until the adversary discovers the new number. But since they've already compromised his phone they likely have his dad's number and can compromise that phone to find him again. It's dystopian.
If he's running iOS he can also enable Lockdown Mode on the new phone to block most types of attacks.
any guesses for the state here?
The article notes that the target's former employer makes hacking tools and they separated on bad terms. Seems like it easily could just be the target's former employer.
I would be more surprised if these employers didn’t target their employees to prevent leaks of trade secrets, union activity, or other internal dissent. Having the power would be too tempting to resist, and besides, there is some degree of legitimate concern; it would be easy enough for rogue employees to sell exploits on the side for millions (there are plenty of buyers).
Another reason not to work at places like this.
I'm not disagreeing with you, but doing so would open them up to criminal charges and liability. Rightly or wrongly, selling exploits is not illegal. Hacking your employees devices is.
True, but most governments probably aren’t interested in pressing charges against critical vendors, as long as the product is delivered.
Yeah I think the sensibilities inside orgs like that filters out folks with some values and the result would be ... not a lot of trust.
If it's actually a state, it's unlikely to be a NATO or FVEY country, since L3Harris is one of the largest defense contractors in the world and most of those countries are customers. The piece is kind of all over the place but the vibe it lands on is that his work phone may have been owned up by his employers.
> his work phone may have been owned up by his employers
First line says "personal phone". I presume MDM on a work phone could do most of the things they'd be interested in, without the risk of setting off an alarm like this. Anyone have speculation about a reason for an employer to pwn a phone that's already on their MDM?
I'm going to go out on a limb here and say it's a state in the DMV... L3Harris HQ is in Arlington if I'm not mistaken.
When it comes to state-sponsored cyber-spying like this, take your pick between USA, Israel, Russia, China.
Maybe it went like this:
- Exploit developer makes and plays with exploits on their phone
- Apple notices this, warns them that there is spyware on their phone
- Exploit developer somehow thinks it is governments hacking into their phone
What is the surprise? If I were in his shoes I'd expect the gov knows everything about me, including how often I have sex.
Nullable column I guess?
I’m kidding of course
0 is not NULL!