Apple alerts users in 92 nations to mercenary spyware attacks

kmeisthax
42 replies
1d2h

Note that "mercenary spyware" is the politically correct term Apple chose for "state-sponsored attacker" because Modi complained that Apple was exposing them for using illegal NSO Group spyware.

loceng
17 replies
1d2h

The power of language, where "state-sponsored" too accurately directs the population's attention to their government but where mercenary is vague and non-aiming - where a simple change in language is enough to quell that ire and attention of authoritarians; or should I say authoritarian behaviour to not out them directly as authoritarians?

miohtama
14 replies
1d2h

Apple needs to work with authoritarian governments, or nobody is going to build our iPhones.

I would guess it’s obvious for everyone who gets the message that they are political targets. However it is also important to call out abuse of power, like is in the case of India, Spain, Poland, where the governing party is spying the opposition in order to find ways to get rid of them.

nehal3m
10 replies
1d1h

Apple needs to work with authoritarian governments, or nobody is going to build our iPhones.

Not only is this objectively true, I also have an iPhone. It's not news to me but it still makes me do a double take every time.

Maybe I should try oscillating to Linux and FairPhone again...

tombert
8 replies
1d1h

I think as of right now, it's nearly impossible to buy a guilt-free computer of any kind. It's a spectrum, obviously, but I think if you were to audit every component of any computer you buy from basically any company, you'd eventually get something kind of depressing.

A relative of mine in the defense industry has told me that, generally speaking, the DoD requires that none of the components in missiles have parts manufactured by potential adversaries, which makes enough sense but is also extremely difficult now.

Dalewyn
7 replies
1d1h

When I have to point to something when I say I doubt manufacturing will ever come back to the west, I point to the fact we can't manufacture the simplest of things ourselves anymore.

Thanks Delta Airlines, whose metal nametags are literally just cut sheets of aluminum with some paint on them and are still Made in China. Someone seriously wants to tell me we can manufacture bleeding edge tech when we can't even cut and paint our own fucking sheet metal?

kwhitefoot
5 replies
1d1h

That's just weird. The US is definitely a lower cost country than Norway, yet my youngest son works for a company here in Norway that does quite a lot of business making metal and plastic tags of various kinds with text engraved, printed, or laser cut.

As far as I know most of the machinery is made in Europe, mostly Germany, again generally higher cost than the US. So I find it difficult to believe that it can't be done in the US.

jfim
2 replies
1d

My guess is that it's likely cultural.

Cost cutting seems to be done much more deeply in the US than in Europe. For example, economy class on all North American airlines is rather miserable, while most European non budget carriers have a better experience in economy.

tombert
0 replies
1d

I feel like, for better or worse, the US is sort of obsessed with figuring out how to drive costs down as low as possible, at least historically. So much early American industry was based around making mass-production more and more efficient, e.g. early assembly lines for the Ford company being an obvious case.

In a lot of ways, this is obviously good, most people benefit from lower prices, more value being created, etc, but I think it's also made it so that cheap-but-ethically-dubious manufacturing from other countries becomes increasingly appealing, especially since it's abstracted enough from the end-user to where they can comfortably say "out of sight, out of mind".

I'm no better; I know very well the conditions of some other countries, and think they're very bad. I also think it's bad that America fought a whole war to end slavery, and instead we just launder it through other countries. Still, despite me thinking all of this, I still generally shop for reasonable prices instead of trying to focus on ethical stuff.

roody15
0 replies
21h5m

Can confirm, just got back from Barcelona on an Iberia flight. Economy on this flight was hands down better than any flight I have taken in the US. Food, service, even baggage policy was just simply a better experience. Honestly my mind was blown / food, multiple meals included in price of economy seat. Just less nickel and diming and overall better experience.

jayrot
1 replies
20h58m

The metal nametags are a very poor example of the point being attempted, since I would venture a guess that there are 1000s of companies or shops in the US that can make metal nametags.

Dalewyn
0 replies
13h49m

I wholly admit it's a highly specific and probably poor example, but it helps to get my point across. Even US flags and US Olympic team uniforms were Made In China until there were rightful uproars to force the issue back to the homeland.

When we can't make our own fucking blue jeans we absolutely cannot try for a technology victory.

reaperducer
0 replies
1d1h

Very often it's not about "can't," and more about "cheaper."

There's plenty of places to get metal nametags made in the U.S.A. But Delta chose to go the cheapest route to save a few pennies.

geodel
0 replies
1d

Well you can also try committing to new year resolutions and so many other things. But companies have bet on consumers value convenience over everything else. And so far they've been right in almost every instance.

loceng
1 replies
1d1h

As a bridge perhaps, and not all authoritarians are equal - of course, so being rational is fine - aligning with a less worse, less captured society is a reasonable stepping stone; and a maneuver can be to pit one tyrant against another, where India-China relations aren't good - however that could be useful to both tyrants towards manufacturing consent to send all of their young military aged men - who would be the strongest, most capable to go up against the tyrants - instead sending them to a meat grinder of a potential WW3 that the military industrial complex is also likely drooling over in their fascist wet dreams; the two sides of the fascist coin being authoritarian politicians and industrial complexes.

However the longer we allow revenues to be generated in relationships with authoritarian economies-states, the more we're empowering them.

That in a way is also a carrot - at least until a certain point of no return - where in America there's an effort to collapse the USD, and they might succeed - and then where BRICS will have buying power to influence the rest of the world to align with bad actors in each countries who aren't yet toeing the tyrannical line - and help them navigate towards a totalitarian state.

Knowing who is your ally in each nation is important, and keeping communication lines open is the bare minimum - and tyrant wannabes in different nations, except in places like China where they already are locked down in their systems, still need to creep forward in as incognito method as possible until they've captured all of the various positions necessary before they can recruit and grow their Gestapo.

Most people are unaware that Canada is about to be captured by fascists, and where laws and mandates have already passed that could allow those politicians to pretend they won the next election (multiple people in our intelligence agency CSIS already whistleblowing that China, the CCP is confirmed to have interfered in at least our last 2 elections which kept Trudeau-NDP in power) - and then pump that out and control the narratives in our state-funded media channels like CBC; mainstream news - including the biggest dissident media company called Rebel News - aren't shown on Facebook, for vector example, another vector being an arguably manufactured false flag 3-day outage of Rogers Telecommunications - where this fascist government immediately afterward mandated all telecommunications companies cross-integrate their services "to act as a backup" for other companies - which conveniently creates-allows for a centralized system for monitoring, etc.

FpUser
0 replies
1d

"where this fascist government..."

I am not sure whether this counts as the success or the failure of the meds

mc32
0 replies
1d1h

There are definitely more countries where Intelligence Services spy on not only the opposition but members of congress. The FBI admitted to spying on members of the US senate as well as an adversarial candidate to the US presidency.

everforward
0 replies
1d1h

Best to refer to them as the “Ministry of Truth”. We’ve always been at war with Eurasia.

I wonder if someone has made a “De-bullshitify English” Chrome add on to replace phrases like “mercenary hacker” and “officer-involved shooting” with more semantically correct phrases.

FpUser
0 replies
1d

So you're saying that non authoritarian governments do not sponsor or do themselves the spying / attacks?

2OEH8eoCRo0
9 replies
1d1h

Interesting use of language on your part as well- what makes the NSO Group spyware illegal?

ajross
4 replies
1d1h

The DMCA, in the US. Other statutes in other markets. Hacking computers is pretty prima facie criminal everywhere. It's true that there are inter-jurisdictional edge cases (cracking an iPhone in India via an attack from Israel probably isn't illegal in the USA, etc...) which allows NSO to operate more freely than we'd like. But no one seriously claims this is legal activity anywhere in particular, just that we can't catch them.

Basically the distinction is one of law enforcement authority, not legality.

PeterisP
2 replies
21h21m

The point I'm hearing in the parent post is more like that many of the state actors using such attacks against domestic targets actually may be legally allowed to do so, if they have passed laws which permit their own security services to use such software on their residents' phones.

Even in USA that likely could be legal with an appropriate court warrant, and many other countries have more permissive constitutions.

jayrot
1 replies
21h1m

Even in USA that likely could be legal with an appropriate court warrant

Can you expand upon this? I'm not particularly familiar but it doesn't seem right. Obviously LEO agencies are allowed to subpoena private information, but can they legally use exploits with a warrant? Are there recorded examples of this?

[Based on your reference to warrants, I guess I'm excluding the NSA or other supposed state-level spy agencies that supposedly secretively deploy such tactics]

PeterisP
0 replies
20h19m

I'm not a lawyer and the proper answer is likely state-dependent, but why not?

It's well established that with an appropriate warrant, LEO have always been able to come into your house without telling you and add hidden surveillance bugs to listen on your communications; they have always been allowed to physically modify or replace your phone (e.g. physical phone wiretaps a century ago); Electronic Communications Privacy Act reasserts that this applies also to electronic surveillance and digital communications; so (as a non-expert) I don't really see why that wouldn't apply to smartphone exploits as well. We do see exploits being applied to devices in LEO possession (e.g. https://www.theverge.com/2021/4/14/22383957/fbi-san-bernadin... for one random example) to recover evidence.

The main restriction is the constitutional limits of 4th amendment which requires specific warrants for each case - which is a significant practical obstacle, so the circumstances in which warrantless wiretapping is permitted (e.g. by PATRIOT act) is a contentious issue; however, it's not relevant if a proper warrant is obtained.

kube-system
0 replies
23h31m

The CFAA is the broadest and most relevant US statute regarding computer hacking. But yes, international computer hackers typically operate outside of the jurisdictional reach of their targets.

vngzs
0 replies
1d1h

I would describe this spyware's "illegal" status as colloquially true - despite the lack of a comprehensive, international, enforceable legal framework - at least in the USA [0]:

As part of this effort, the End-User Review Committee of the BIS decided to add four foreign entities, among them two Israeli companies, NSO Group and Candiru, to the Entity List. The U.S. Export Administration Regulations (‘EAR’) impose additional license requirements for exports to listed entities, and limits the exceptions for exports, reexports, and transfers to such entities.

But they continue:

The existing international and national frameworks regulating the export of sensitive spyware technologies lack the teeth necessary to deal with contemporary issues relating to the abuse of these technologies and the growing need for their enhanced supervision.

[0]: https://www.law.georgetown.edu/ctbl/blog/managing-risky-busi...

nativeit
0 replies
1d1h

Aren’t its primary methods of deployment and utilization widely considered to violate domestic and international laws for unauthorized access to targets’ devices and/or data? I might be mistaken, I don’t know for sure how common such statutes are outside of the US, but I’m pretty sure it’s illegal in the United States, even for law enforcement (the likely unconstitutional extrajudicial activities of some unnamed alphabet agencies notwithstanding). If nothing else, there are documented cases where it’s been used to spy on journalists and activists in Saudi Arabia, including the widow of the assassinated American journalist Jamal Khashoggi.

kmeisthax
0 replies
11h37m

NSO Group is sanctioned, so buying their spyware is probably illegal if you're an American. Furthermore, several tech companies have sued or are in the process of suing NSO Group for their hacking operations. Expect those lawsuits to involve every HN user's two least favorite laws: DMCA 1201 and CFAA.

1oooqooq
0 replies
23h35m

ironically, DMCA does.

vinay_ys
4 replies
23h28m

Well, supreme court ordered panel investigation into this spyware scandal didn't find any evidence of actual spyware. So there's that. Also, if government wants to investigate someone, they have so many powerful ways to do that (and they actually do that). So, it's not clear to me what need they have to go spy on people via NSO tools. And surely, if they were building large datacenters to do massive spying like some TLAs do in 5eyes countries, we would know about it. So, no, this isn't the local government but a foreign government (which doesn't have detention powers in another country) that's likely to use remote hacking methods to coerce people in another country. We saw this with leaked data dumps from recent hacks by the not so friendly neighbors on India's many citizen databases (like retirement provident fund systems etc).

mynameisvlad
3 replies
22h58m

I'm not sure exactly what part of it you're trying to refute since your comment is kind of all over the place, but GP comment is correct.

The reason it's called that is literally because of the Indian government.

Apple's removal of the term "state-sponsored" from its description of threat notifications comes after it repeatedly faced pressure from the Indian government on linking such breaches to state actors, said a source with direct knowledge.

https://www.reuters.com/technology/cybersecurity/apple-warns...

vinay_ys
2 replies
9h0m

I'm clearly refuting this – "because Modi complained" in the GPs post. And your linked article is making an unsubstantiated claim based on "source with direct knowledge". That's just not credible enough.

mynameisvlad
1 replies
4h23m

It was not clear at all. You jumped thoughts half a dozen times throughout your comment.

That’s not an unsubstantiated claim, that’s literally how you deal with sensitive contacts and information in journalism.

You understand that nobody is going to speak on the record about this, right? What, exactly, do you expect in terms of substantiation?

vinay_ys
0 replies
1h31m

It would have made more sense if you have context on the local politics in India or followed the supreme court case on this matter.

That’s not an unsubstantiated claim, that’s literally how you deal with sensitive contacts and information in journalism.

The way it works is if the writing has a byline of a credible investigative journalist. It doesn't work for an anonymous wire service article.

You understand that nobody is going to speak on the record about this, right? What, exactly, do you expect in terms of substantiation?

Journalism used to have standards. If you didn't have multiple confirmations you wouldn't publish it. These days they publish anything. They have more better credibility than anonymous opinion posts on random internet forums.

bparsons
3 replies
1d2h

Interesting. By reading that term, I thought the exact opposite. Mercenary sounds decidedly like a non-state actor.

sofixa
0 replies
1d1h

Why? Mercenaries are most often hired by state actors.

jsheard
0 replies
1d1h

The wording is technically correct since these attacks are often facilitated by private for-profit companies. It just glosses over who is paying them (state actors).

danudey
0 replies
1d1h

That was my first thought as well, though on further consideration I assumed that it was some kind of paid/for-profit criminal organization performing these attacks on behalf of a nation-state.

sneak
2 replies
1d1h

Technically speaking, Apple placing iCloud services for users in China on CCP-controlled hardware (as required for their continued operation in China) is also a “state-sponsored attack”.

Not that they have a choice, given that their most profitable product lines are all basically 95%+ manufactured in China by Chinese nationals working for Chinese companies.

bluish29
1 replies
1d1h

So Apple/companies complying with US/EU laws is state-sponsored attacks and not following local law?

sneak
0 replies
1d1h

https://www.reuters.com/article/idUSKBN1ZK1CO/

Yes. We’re well past “following local law” and into “active cooperation” territory. Apple by nature can’t have adversarial relationships with the US or Chinese governments or they’d get squashed like a bug.

One might even argue they have a fiduciary duty to not pick fights with city hall.

saagarjha
0 replies
1d

Mercenary spyware isn’t a new term. It’s inclusive of hacking-for-hire groups that are not state entities or funded by countries.

geodel
0 replies
1d

Well, "mercenary" does sound like a weasel term, but calling it "state sponsored" with releasing details for others to research and prove/disprove isn't doing much apart from agitating supposed states.

Any government has to take Apple's word seriously; it is not like an individual or small time company claiming that the government illegally tapped their phones or hacked their computer and the government doesn't even bother to respond because it's not worth their time.

bee_rider
42 replies
1d2h

There’s a reddit thread by somebody who got one of these:

https://old.reddit.com/r/iphone/comments/1c10jai/i_have_rece...

The interesting thing IMO is they claim to just be some random college student. Which seems believable because if they were a real secret squirrel I guess they wouldn’t ask reddit about it, haha.

I wonder if the hackers are targeting people based on phone numbers or something. (I could imagine a college student recently getting a new number and ending up with one that’d been associated with a target—I guess? Although you’d hope there’d be a way to retire numbers that are known to be targets).

josefresco
15 replies
1d1h

"random college student"

I think there's a misunderstanding on what constitutes a valid or ideal target for state sponsored (or "mercenary") attackers. Simply working at a research lab, industrial manufacturer, power station, tech company or knowing a certain professor can put you on a target list.

bee_rider
10 replies
1d

Well dang I work in a research lab and I didn’t get an email.

I’m just going to assume my research is so interesting that they sent the real badasses after me, somebody that Apple can’t catch. The truth is too ego-shattering.

quesera
6 replies
22h53m

Look to your left. Look to your right.

Both of those people are working for a foreign government.

At least one of them does not know it.

Trust no one.

jayrot
4 replies
21h41m

If this is sarcasm, I love it. If you're serious then I don't.

bee_rider
3 replies
20h44m

I think it must be, it is a re-spin of a common “toxic STEM professor” meme.

quesera
2 replies
13h12m

It's a story told to first-year law students: Look to your left, look to your right, only one of you three will become a lawyer.

pmontra
1 replies
12h37m

The first day at university in the 80s, Computer Science, the head of faculty told us that stats were that only 30% made it to graduation and started walking in front of the first row of the hall. "You will graduate, you won't, you won't. You will graduate, you won't, you won't." Motivational speech or not, at least half of the students dropped out in the first two years. The goal of those two years seemed to be right that: convincing people to leave. Then it got easier and more interesting.

quesera
0 replies
5h57m

Similar experience in EE, the first year requirements were full of "filter" or "weed-out" courses in math and physics.

The generous argument is that it's only fair to the student that they should know quickly whether they'll be able to get through the material. Failing fast can be merciful.

The truth is probably more complicated. Let's just say that the student population ended up looking a lot like the TA and professor population. Lather, rinse, repeat.

simpaticoder
0 replies
19h37m

This comment has an off-by-one error.

szundi
1 replies
23h58m

For now

bee_rider
0 replies
23h31m

So many different ways to read that, haha

layer8
0 replies
21h59m

You probably have been targeted with the more advanced spyware that Apple hasn’t detected yet. ;)

throwaway48476
1 replies
23h21m

NSO was targeting something like 40k people just in Mexico. It's entirely possible that this was an accidental targeting because they have a similar name or email to a target.

JoshLone
0 replies
16h22m

I found this email from Apple in my inbox too. At first I thought it was spam.

The only thing I can think of as to why I could possibly be targeted is that I mentioned on a few YouTube channels the clearly obvious IDF troll armies spamming the comments of any YT news stories which highlighted the atrocities (as well as mentioning when the troll armies seemed to stop their operations dramatically last week when the World Kitchen aid workers were killed and the news exploded around it).

Lockdown mode now enabled.

runjake
0 replies
22h50m

My next question would be "What do your immediate relatives and friends do, or what are they involved with?"

IncreasePosts
0 replies
1d

It could also be an accidental misidentification - maybe OP has the same name as someone they actually wanted to target, or their phone number or email address is very similar to someone they wanted to target.

Or, it could be an intentional misidentification - maybe OP has a friend who was picked up by whatever East European security services, and provided OP's name as some kind of co-conspirator in something OP's friend was into.

t-sauer
9 replies
1d2h

That person already got targeted last summer. I doubt they are as uninteresting as they believe/claim to be.

Vicinity9635
6 replies
23h33m

You'd be surprised. A college student in an interesting field is an interesting target. Doesn't mean he's done anything nefarious or even shady.

Industrial espionage is a thing.

t-sauer
5 replies
22h50m

Why would a college student be an interesting target simply for being a college student in an interesting field? If they work at an interesting company or something like that I would understand, but the knowledge that is accessible in colleges is not some super secret stuff or am I missing something?

pulisse
2 replies
22h23m

The conversation here is focussing on industrial espionage, but that's only one use case for this kind of active measure. An association with an opposition political party could easily get one on a surveillance list.

threeseed
0 replies
20h35m

We've had this problem quite a bit in Australia.

Chinese students attending protests have had their families back home warned.

Personally know friends this has happened to.

sangnoir
0 replies
21h2m

Yep, imagine an international postgrad student from an NSO client-state who criticizes their home country's leadership online, or is perceived to be a political activist; they are likely to be targeted by their own government for additional on-device monitoring via spyware. This could provide a springboard into monitoring other groups the victim may be a member of.

cookiengineer
0 replies
21h3m

They are gullible and they need the money.

Student debts are a harsh reality a lot of people cannot escape from.

bennyhill
0 replies
21h46m

Colleges are basically outsourced green field R&D set up through professors, as well as patent departments to monetize their internal/grant research spend. Sampling in a large company, what you would happen upon is mundane additions to complex solutions you would be unlikely to want to copy if you weren't along for the earlier parts of the ride.

josefresco
1 replies
1d1h

It doesn't take much to be a target. CIA spy maybe not, but the net is wide when it comes to surveillance. Infrastructure providers, higher education, research labs are all common targets.

duxup
0 replies
1d

It doesn't take much to be a target.

I wonder how to quantify this. Even folks in those industries listed while there may be reason we could imagine to target them... I would imagine lots of folks in those same industries are NOT targeted.

Of course we'd have to identify "targeted", personally I wouldn't include "your name ended up on a list after someone grepped a bunch of data". I would think of as targeted as a more curated type list / process / and then the call was made to "target" someone.

Otherwise, heck random scanning on the internet would be "targeted".

Despegar
4 replies
1d2h

Well, they might be just a college student, but they could have a relationship with the actual target in some way. And if it's part of a complex operation they could be trying some indirect approaches.

passion__desire
1 replies
1d1h

Or maybe have a bigger blast radius so that it is difficult to know the exact targets. Drown the detection algos in the noise.

ethbr1
0 replies
22h2m

Exactly. If you're identifying targets by noisy proxy signals (geo/IP + behavior?) then you're going to have non-zero false positives.

alwillis
0 replies
20h36m

Well, they might be just a college student, but they could have a relationship with the actual target in some way.

People who are "just" college students often are the sons and daughters of people who could be targeted. Not to mention people in their social circles.

CPLX
0 replies
8h15m

If you want to get someone to click a link or open a photo/video having it sent to them by their nanny for example would seem pretty effective.

AnotherGoodName
4 replies
22h16m

Everyone's thinking academic secrets but have they engaged in activism in any way shape or form?

Being able to take activists and discredit them is an amazing ability. I would not at all be surprised if the xz compression backdoor was an attempt by a certain government to gain the ability to discredit anyone that is against them in any way.

nextaccountic
1 replies
20h2m

what activists are running sshd?

Cyphase
0 replies
17h32m

Many software freedom and tech privacy activists.

mrguyorama
0 replies
22h0m

College students are a traditional target of oppressive or authoritarian regimes. Teaching young adults to view the world through different lenses and systems is an important part of most college programs, as is a significant amount of self-discovery, and both lend themselves very well to activism, especially since young adults are rarely so jaded as to feel like they "can't do anything about it"

internetter
0 replies
19h31m

Having written an article on XZ, I was half expecting to have this text pop up, especially as I'm fairly certain I was targeted by a misinformation campaign already.

duskwuff
0 replies
13h10m

There's some significant geopolitical intrigue surrounding Cyprus -- probably the most obvious are its partition between Turkey and Greece and its use as a tax haven by Russian oligarchs.

alfalfasprout
1 replies
20h44m

It's fairly common practice to test out exploits on victims that aren't the actual target first.

saagarjha
0 replies
9h19m

Uh, no?

pjderouen
0 replies
23h34m

It could be that they’re related to a target. I’ve done a lot of hobby OSINT and sometimes finding a target is using off-center targeting to effectively triangulate or pivot.

bennyhill
0 replies
22h48m

A government that stoops to civil rights crimes but doesn't attach a good percentage of its fear to student movements is kind of oblivious to history as it pertains to its own miserable survival.

spxneo
41 replies
1d

It's probably far worse with Android users that Google is not disclosing.

I'm seriously considering changing to Apple after this. Not that it's secure, but that they are willing to go to this length to communicate it.

user_7832
27 replies
1d

I'm seriously considering changing to Apple after this.

Ironically that may be worse for you. iMessage is probably a critical step in 60% (or more) of these exploits, and the various Unicode/PDF etc rendering engines are responsible in many exploits. Android's open-source nature likely means that a lot of these things are found by security researchers first. Don't forget that Zerodium still pays more for an Android 0-day than an iOS 0-day.

Plus, the huge variability between Samsung/Google/Moto/Huawei etc makes it triply hard for a single exploit to be successful.

joe_guy
12 replies
22h29m

I do not believe the android Messages application is open source. I believe AOSP contains something very barebones. It has been a lot of years, am I incorrect?

realusername
11 replies
21h45m

The big difference here is the Messages app on Android is just a normal app, whereas iMessage is bundled deep in the OS with tons of private APIs.

saagarjha
7 replies
20h51m

I don’t understand why people keep bringing this up when it has no functional relevance to how secure it is

realusername
4 replies
11h29m

It's highly relevant: if you breach the Messages app on Android... well, it's the same as breaching any other app.

That's why most of the exploits are targeting iMessage.

saagarjha
3 replies
9h32m

No. Most exploits target iMessage because everyone has it installed.

realusername
2 replies
8h14m

There's plenty of normal apps built in, iOS isn't very modular. But none of those are as deeply integrated as iMessage.

saagarjha
1 replies
46m

Ok, but you still haven’t explained how this means it is any less secure. Can you point to exploits that take advantage of the system integration it has?

realusername
0 replies
25m

It's less secure because it's not using the same sandbox used by billions of apps.

Can you point to exploits that take advantage of the system integration it has?

Sure, the last Pegasus attack on the image codec would not have worked on Android.

user_7832
1 replies
19h45m

I believe it is relevant; at least until recently, Apple developed a "BlastDoor" to keep iMessage safer against such attacks. While other apps have been used in attacks (e.g. WhatsApp/Jeff Bezos iirc), iMessage seems to have more permissions than an average user app.

saagarjha
0 replies
16h36m

No it doesn't. BlastDoor is a security mitigation that restricts what iMessage can do in a way that is denied to other third party apps.

joe_guy
1 replies
16h13m

The big difference here is the Message app on Android is just a normal app whereas iMessage is bundled deep in the OS with tons of private APIs

I'm replying to someone who said the important factor is android is open sourced. I pointed out the relevant android program is not open sourced.

realusername
0 replies
7h32m

That's a half truth as well because the APIs that Message is using are open source and documented. You can recreate a third-party Message app and that's what is used in some of the android distributions.

spxneo
0 replies
20h55m

that is so bizarre that something so essential requires deep integration with the OS, of course that is going to open a can of worms.

spxneo
4 replies
1d

you changed my mind successfully thank you

but what about dumb phones from late 2000s like my Samsung Alias 2? what kind of sick bastard would make zero days for this

spxneo
0 replies
21h4m

Weird, why wouldn't it work with US networks... but works in other countries?

not sure about the rotary thing that looks cool tho

user_7832
0 replies
19h34m

Happy to be able to help!

If we’re talking about having the microphone tapped etc, I don’t think anyone would still be developing 0-days for such old phones. If you want to be safer (assuming fear of old software having unpatched vulnerabilities) Nokia launched a dumb phone not too long ago.

However… GSM networks and cell tower level tracking is much harder/almost impossible to escape short of throwing away your phone. SMSes can be hijacked, hostile agents can force downgrade the connection to 3G/2G to break encryption (iirc, please correct me if wrong), and your location is generally known to your service provider and Uncle Sam.

Plus… the SIM card is its own mini computer, and lots of the firmware between that and the telephony modules is proprietary and closed source. If you’re familiar with intel ME you have an idea of what I’m talking about.

Honestly, if you’re not a journalist going after big names, or a top CEO/president etc you likely don’t need to worry about any of these. But if you are, or just want to be privacy conscious, your best bet is to never use cell towers and only use Wi-Fi/internet from public or untraceable places; along with Wi-Fi calling for telephony. Btw I’m not sure but I think Google fi and a few carriers/MVNOs offer virtual numbers, which can be a good first step for privacy.

1oooqooq
0 replies
23h38m

for those you don't need 0days. you can use 360*20days just fine. it's not like there was ever any firmware update for them.

onedognight
3 replies
23h35m

Apple specifically acknowledges this and has Lockdown Mode to address it. If you care about security you should enable it. Of course you’ll not be able to watch YouTube videos, but you’ll be safer.

cute_boi
2 replies
19h43m

What's the point of carrying a phone that doesn't even play YouTube videos? If security is so important then they should probably carry a Nokia-style 2000s phone where there is no chance of malware?

shepherdjerred
0 replies
18h54m

I don't have YouTube on my phone and I have Safari disabled. I use my iPhone for:

* Controlling smart home devices

* Messaging and phone calls

* Checking the weather

* Recording data with Apple Health

* Uploading runs to Strava

* Setting wakeup alarms

* Listening to Apple Music

* Using Apple Maps to get around

* Connecting with CarPlay

comex
0 replies
17h33m

I don’t think Lockdown Mode actually prevents you from watching YouTube videos. Some googling suggests that there might be issues when using the YouTube website in Safari – which makes sense, since Lockdown Mode disables a bunch of Safari features. But the YouTube app probably still works. (I haven’t tried though.)

jwells89
1 replies
22h15m

Plus, the huge variability between Samsung/Google/Moto/Huawei etc makes it triply hard for a single exploit to be successful.

That variability is a double-edged sword. Manufacturer-added Android bundleware is notorious for being shoddily built and could easily represent added points of ingress.

Which is why I wish it were practical to replace OEM Android versions with GrapheneOS/CalyxOS or similar on the latest devices, similar to how a cutting edge PC can run one’s choice of Linux. As long as more secure or at least more standardized Android distributions can only run on devices with some age on them, their popularity will be limited even among the technically inclined.

alwayslikethis
0 replies
21h29m

GrapheneOS and I think CalyxOS run just fine on the latest Pixel devices. From what I see it is quite up to date most of the time.

user_7832
0 replies
19h47m

You raise a good point, however iirc the values of the two OSes were the same for a long time in the past.

gorbypark
0 replies
10h44m

I've read (I have no sources) that while the "Zerodium still pays more for an Android 0-day" thing can be true, the conditions on the "top" payout are pretty strict, due to the same aforementioned variability between vendors. To get that payout you'd have to find something exploitable on nearly all vendors' versions of Android along with working on 2-3 versions. In reality an iMessage exploit is going to pay out a lot more because it would be exploitable on nearly all iPhones running x version of iOS, for example. Finding an exploit in say "Samsung messenger" (I don't know if that even exists) would pay less than an equivalent iMessage one.

ipaddr
6 replies
1d

Are you a journalist or high profile target? If not, this notification isn't for the average person.

ziddoap
1 replies
21h30m

Or if you are adjacent to a high profile target, working in the same company as a high profile target, working at a company that is contracted to a high profile target, friend of a friend of a high profile target.... And so on.

Sure, the average person probably doesn't need this (although as another comment pointed out, HN isn't quite representative of the average)... But the net is a hell of a lot wider than just journalists.

standardUser
0 replies
21h22m

Years ago I worked for a non-profit in an office building in San Francisco. My office neighbors were Google, the US Secret Service and, I shit you not, China Daily (a major news outlet run by the Chinese Communist party).

gxs
1 replies
1d

Why is it hard to see that while he may not be a target for any sort of state sponsored attack, it's a bellwether of Apple's stance on security.

I really, really don’t think he meant he was switching to Apple because he’s a CIA spy stationed in Moscow.

spxneo
0 replies
1d

CIA spy stationed in Moscow.

Чёрт побери! (Russian: "Damn it!")

scrollaway
0 replies
1d

Right it’s unthinkable you’d find high profile targets on hacker news.

All you’ll find here are founders of highly funded startups and software developers at boring companies such as Google, Microsoft and Apple.

No point getting into these people’s phones if you’re a state actor for sure /shrug

consumer451
0 replies
22h21m

You don't need to be a journalist. I think many tech workers are oblivious to how juicy and obvious a target we are. Most of us publish a detailed target on our own back via LinkedIn, or our company's website About Us and Clients pages.

Long ago, I co-founded a tiny startup. We had some high profile clients. I was dumb enough to put those clients on our site. I also used to be dumb enough to have a public social media profile, in my name.

I was already somewhat security aware, but one day I almost fell for a spear phishing email. Someone created a gmail account 1 character different from my gf's gmail. They sent me a well worded, but simple email along the lines of "Hey baby, check this out!" and URL shortened link. She happened to be next to me, and I said to her "Hey, what's this?" "What? I didn't send that!" I then opened it in a VM and saw that it resolved to something.ru.

It was a combo of identifying the juicy client of ours, seeing my name as co-founder, finding me on FB, finding my gf in my profile, getting her email, etc.

I then got to learn fun new terms like threat modeling.

Is it possible that someone might think that you have ssh access to a server on an interesting network? You are a target.
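The spear-phishing story above turned on a sender address one character away from a known contact. The following is an added example (not code from the thread) of the check a mail filter or a cautious reader can apply: canonicalise addresses, fold visually confusable characters, and measure edit distance to the trusted contact list. The contact, the sample senders and the confusable table are constructed for illustration, and the Gmail dot/plus-tag rule is assumed to apply only to Gmail domains.

```python
"""Flag senders one typo or one confusable character away from a trusted contact.

Added example illustrating the spear-phishing story above; not code from the thread.
Contacts, sample addresses and the confusable table are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}
# Characters attackers swap for look-alikes. Small, constructed table; extend as needed.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def canonical(addr: str) -> str:
    """Lower-case the address; for Gmail drop dots and '+tag' in the local part (Gmail ignores both)."""
    local, _, domain = addr.strip().lower().partition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def fold(addr: str) -> str:
    """Canonical form with confusable characters folded; used only for distance, never for identity."""
    return canonical(addr).translate(CONFUSABLES).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass(frozen=True)
class Verdict:
    sender: str
    trusted: bool             # exact match with a contact after canonicalisation
    lookalike_of: str | None  # nearest contact if within max_distance, else None
    distance: int             # folded edit distance to the nearest contact (-1 if no contacts)


def check_sender(sender: str, contacts: list[str], max_distance: int = 2) -> Verdict:
    """Classify a sender as trusted, a lookalike of a contact, or simply unknown."""
    nearest: tuple[int, str] | None = None
    for contact in contacts:
        if canonical(sender) == canonical(contact):
            return Verdict(sender, True, None, 0)
        d = edit_distance(fold(sender), fold(contact))
        if nearest is None or d < nearest[0]:
            nearest = (d, contact)
    if nearest is None:
        return Verdict(sender, False, None, -1)
    d, contact = nearest
    # A confusable swap folds to distance 0 but failed the canonical match above: still a lookalike.
    return Verdict(sender, False, contact if d <= max_distance else None, d)


# Constructed sample data: one trusted contact and a few inbound senders.
CONTACTS = ["jane.doe@gmail.com"]

if __name__ == "__main__":
    for s in ("janedoe+news@gmail.com", "jane.d0e@gmail.com", "jane.doee@gmail.com", "bob@example.org"):
        print(check_sender(s, CONTACTS))
```

The split between `canonical` (identity) and `fold` (distance) matters: folding confusables before the equality test would wave `jane.d0e@gmail.com` through as the real contact, which is exactly the trick the attack relied on.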

resource_waste
1 replies
23h0m

Wait... Apple has the worst security record of any of the FAANG companies and you are switching to them because they admitted a security issue after the fact?

What?

Is this just regular Apple fanboy-ism?

spxneo
0 replies
22h39m

i changed my mind after somebody reminded me Android is more secure and harder to hack due to diversity in hardware

fishywang
1 replies
21h28m

It's probably far worse with Android users that Google is not disclosing.

[citation needed]

slim
0 replies
14h39m

Google has been doing this for a long time. I received one of those emails circa 2010

ethbr1
0 replies
21h55m

Reading between the lines, one thing that I expect Apple has but may not be discussing -- root-cause replayability post-infection, across all Apple devices.

I.e. infection is eventually discovered, Apple isolates the vulnerability's entry point, then Apple has some ability to re-scan all devices to detect which may have also had the attack targeted against them.

Hashing some data that can serve as a fingerprint makes sense from a herd standpoint (hell, even something as simple as call stack after iMessage received)
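The comment above sketches a retroactive fleet re-scan: once an entry point is known, hash an artefact it leaves (such as the call stack at the moment a message is handled) and compare every device's hash against it. The block below is an added example of that idea and is not anything Apple has described doing; the stack traces, module and symbol names are constructed and hypothetical. The security-relevant detail it shows is the normalisation step: raw frames carry per-device addresses and offsets, so without stripping them the same code path never hashes the same twice.

```python
"""Retroactive fleet re-scan by hashed call-stack fingerprint.

Added example of the idea in the comment above; not code from the thread or from Apple.
All stack traces, module names and device ids below are constructed and hypothetical.
"""
import hashlib
import re

ADDR_RE = re.compile(r"0x[0-9a-fA-F]+")   # runtime addresses differ per device (ASLR)
OFFSET_RE = re.compile(r"\s*\+\s*\d+$")    # "+ 132" style offsets into a symbol, differ per build


def normalize_frame(frame: str) -> str:
    """Keep only module!symbol so the same code path hashes identically on every device."""
    frame = ADDR_RE.sub("", frame)
    frame = OFFSET_RE.sub("", frame)
    return " ".join(frame.split())


def fingerprint(stack: list[str], depth: int = 4) -> str:
    """SHA-256 over the innermost `depth` normalized frames (the tail varies with caller context)."""
    frames = [normalize_frame(f) for f in stack[:depth]]
    return hashlib.sha256("\n".join(frames).encode()).hexdigest()


def scan(devices: dict[str, list[str]], indicators: set[str]) -> list[str]:
    """Return the ids of devices whose fingerprint matches a known-bad one. Only hashes are compared."""
    return sorted(dev for dev, stack in devices.items() if fingerprint(stack) in indicators)


# Constructed: the stack captured on the device where the infection was first found.
KNOWN_BAD_STACK = [
    "0x1a2b3c codec_lib!decode_tile + 132",
    "0x1a2b40 codec_lib!parse_header + 48",
    "0x2f00 messages!handle_attachment + 200",
    "0x3000 messages!process_incoming + 16",
    "0x4000 runloop!dispatch + 8",
]
INDICATORS = {fingerprint(KNOWN_BAD_STACK)}

# Constructed fleet: device-b hit the same path with different addresses/offsets, device-c is clean.
FLEET = {
    "device-a": KNOWN_BAD_STACK,
    "device-b": [
        "0x7c1f00 codec_lib!decode_tile + 140",
        "0x7c1f44 codec_lib!parse_header + 52",
        "0x9a00 messages!handle_attachment + 204",
        "0x9b00 messages!process_incoming + 16",
        "0x9c00 runloop!dispatch + 12",
    ],
    "device-c": [
        "0x5000 messages!handle_attachment + 200",
        "0x6000 messages!process_incoming + 16",
        "0x7000 runloop!dispatch + 8",
    ],
}


def flagged_devices() -> list[str]:
    return scan(FLEET, INDICATORS)


if __name__ == "__main__":
    print(flagged_devices())
```

Depth 4 is a tuning knob: too shallow and benign callers of the same codec path collide with the indicator, too deep and unrelated caller context breaks the match.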

blakesterz
35 replies
1d2h

If I got a message that said:

  “Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID -xxx-,” it wrote in the warning to affected customers.

I would assume it's fake, part of some phishing scam. How can we know something like this is real? I'd be even more likely to think it's fake if it looks different than all the other messages I get.

Edited to add: As a comment below pointed out if you "sign in to appleid.apple.com" it'll confirm, which even I would trust! Thanks to quitit for pointing that out.

speedgoose
29 replies
1d2h

But if the phishing scam manages to display such a message in a different way on your phone, you can’t trust the phone anymore as it has likely been hacked.

__jonas
28 replies
1d2h

On the Apple Support page here:

https://support.apple.com/en-in/102174

In the screenshot it says the threat notification was sent "via email and iMessage", so it would not be displayed in any different way on your phone, which I also find surprising. I definitely wouldn't expect to receive something like this as an Email, and I have turned off iMessage.

the_mar
27 replies
1d1h

Just out of curiosity why would you have imessage turned off?

sneak
12 replies
1d1h

iMessage histories are backed up in the nightly automatic non-e2ee iCloud Backup, effectively backdooring iMessage’s “end to end encryption” by escrowing the plaintext to a not-endpoint.

Apple can read approximately everyone’s iMessages out of their backups. It’s not private or secure, and claiming it is end to end encrypted is misleading almost to the point of being actually false.

jackson1442
7 replies
1d

This is the same behavior as SMS if you have enabled “Messages backup.” If backup is not enabled you will not have a copy of iMessages stored in iCloud (though all compatible and configured devices will still receive messages).

This can be changed by opting in to the e2ee iCloud data service “Advanced Data Protection.”

sneak
6 replies
23h25m

Nope. Even opting into ADP, your iMessage conversations will still be backed up to Apple without e2ee - just from the non-ADP phones of all the people you iMessage with instead of your own phone.

iMessages are backed up in duplicate - once on the sender and once on the receiver. You can only control e2ee for half of it, so your conversations are still under surveillance unless everyone you message with has also turned on ADP.

Cyphase
5 replies
16h55m

Is there any E2EE messaging service, or network protocol of any sort, that doesn't suffer from this? If an endpoint is compromised in whatever way, it doesn't matter how encrypted the data is in transit.

sneak
4 replies
12h47m

Signal doesn’t have this problem.

By your terminology, all iOS devices are “compromised” by default from having non-e2ee iCloud Backup enabled by default.

Signal chats on iOS are stored in a storage class that cannot be backed up or exported from the device.

saagarjha
3 replies
9h20m

Which is, of course, often not what users actually want.

sneak
2 replies
3h1m

Users want their messages and iMessaged nudes to be private from Apple and warrantless FBI snooping. Presently, they aren’t.

saagarjha
1 replies
47m

Pretty sure Apple requires a warrant to decrypt those.

sneak
0 replies
17m

You are incorrect.

https://en.m.wikipedia.org/wiki/PRISM

From the front page of the Times today, they are renewing the law that says they have to do it without a warrant (FISA Section 702, aka PRISM).

https://www.nytimes.com/2024/04/12/us/politics/surveillance-...

You’ll note that this is regularly and frequently used by the FBI against domestic users (such as BLM protesters). Apple processes these FISA demands on over 70,000 user accounts every year, and the number is increasing. (That’s just the count for the warrantless FISA stuff - search warrants are a different (larger) figure.)

They also expanded it to allow them to search Apple’s data on people entering the US as visitors.

The House also passed several other significant amendments. They included allowing the Section 702 program to be used to gather intelligence on foreign narcotics trafficking organizations and to vet potential foreign visitors to the United States; empowering certain congressional leaders to observe classified hearings before a court that oversees national-security surveillance; and expanding the types of companies with access to foreign communications that can be required to participate in the program.

astrange
1 replies
1d

That has nothing to do with turning it on or off since the same happens with SMS.

error503
0 replies
19h18m

Nobody remotely versed in this stuff would expect SMS to be end-to-end encrypted, though to be honest the more notable fact to me here is that Apple can read any plaintext in your backups. iMessage is an over the top messaging service more akin to WhatsApp or Signal than it is to SMS, so that is a more relevant comparison. I don't know if any of the clients store plaintext messages that would be backed up to Apple in a similar manner or not, but I'd hope at least the more security focused ones do not.

Apple makes privacy claims about iMessage including 'Apple can’t decrypt the data.', which is notably false in this (common) scenario, and requires a large asterisk on those claims, IMO bordering on making them unethical, period.

ZekeSulastin
0 replies
1d

Albeit recent and optional, isn’t that a hole specifically fixed by the Advanced Data Protection option[0]? Granted, it doesn’t do much if your recipients don’t also have it enabled.

0: https://support.apple.com/en-us/102651

Vicinity9635
0 replies
23h32m

Still a step above SMS.

__jonas
4 replies
23h3m

I'm in Europe; I haven't encountered anyone in my life who has used iMessage (everyone uses WhatsApp, now also Telegram/Signal), so I don't really have a use for it. When I wanted to try the weird AR emoji / heartbeat reaction message things with my partner, we noticed we both had iMessage turned off. I guess it's a setting that maybe we skipped during the phone setup? Not sure if it's on by default for some people.

plufz
3 replies
20h53m

Where in Europe is that? Surprising to me (Swedish).

__jonas
2 replies
20h18m

I've lived in Germany and the UK, I guess I wrongly assumed it was like this everywhere in Europe. Might also be related to the social environment.

I am noticing, the social circle I am currently in has now largely moved to Telegram, whereas in other places it's 100% WhatsApp.

zarzavat
0 replies
16h43m

Telegram itself seems like one big honeypot, if people are moving from WhatsApp to Telegram that’s quite a retrograde step.

sneak
0 replies
12h45m

Telegram is not end to end encrypted. The service provider can read the messages.

w0m
3 replies
1d1h

Unless things have changed since I last looked, if those you talk to aren't also on iMessage, it feels like a net negative to use as you get inconsistent/negative behavior between contacts. From that end, it becomes sort of a moral issue with the clearly arbitrarily locked gates and poor experiences. So you disable and use a non-malicious and cross platform solution.

rootusrootus
2 replies
22h50m

Apple is malicious, but Facebook is totally okay?

w0m
0 replies
5h22m

Apple explicitly and actively making what should be a 'standard' text message experience worse on non-apple devices is malicious.

FB Messenger is simply an alternative. I haven't paid attention to it, but maybe the Threads fediverse integration will piss me off just as much.

dqv
0 replies
17h35m

Apple is malicious, but Facebook is totally okay?

This is such a bizarre comment to make, because OP never suggested that Facebook is "totally okay". You replied to them after their edit window passed, so they didn't say that and then edit it out either.

vinay_ys
2 replies
23h46m

iMessage has been one of the most successful delivery vectors for these spyware attacks.

So, if you think you are a likely target of a state sponsored attack, best thing you can do on an Apple device is to turn on lockdown mode, turn off iCloud and iMessage, stop using keychain, use only a yubikey for all authentication, and restrict yourself to a limited number of essential apps on your primary device and use a dedicated burner device for all your throwaway browsing and communications, and erase/reset that device after every session. And still, assume everything you say and do online is fully compromised, because there are always system vulnerabilities that haven't been made known yet ('zero-day' attacks) and are being used to compromise highly targeted individuals. In the end, it is a very convoluted cat and mouse game.

nprateem
0 replies
21h24m

So it's not just me :-D

draugadrotten
0 replies
22h43m

assume everything you say and do online is fully compromised

This is the way.

bdd8f1df777b
0 replies
17h1m

Several CVEs in the past related to iMessage. And it has surprisingly high privilege. Since I seldom need it, turning it off is better for my security.

1oooqooq
0 replies
23h43m

*tinfoil hat on

imessage and rcs (and arguably mms, although that started as cost cutting) are backdoors for the legal protections on mining telephony provider metadata for marketing. with those two "opt in" (lol) techs, all safeguards are off.

grecy
1 replies
1d2h

As long as it doesn't have any links to click or try to force you to login to something, it just sounds like information to me.

If my bank sent me something about Credit Card fraud I would be very skeptical if it had a big "CLICK HERE TO LOGIN" type of thing.

But if it was just info, and maybe ended with "Contact your local branch to learn more", but no links, no phone numbers, etc. I would be less skeptical.

jayrot
0 replies
21h32m

This is, I think, a valuable heuristic. Anything but the most complex and long-term scam always includes some call to action, nearly always URGENT and IMMEDIATE (so as not to give you a chance to think about it or research it).

A notification that is ONLY a notification about something is very unlikely to be malicious (though could certainly be erroneous). My bank will send me a concerning email or SMS about suspicious activity that needs to be reviewed or confirmed, but because they know it's a vector for attack they specifically ask you to call them at their published number listed on your card.
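The heuristic in the two comments above (pure information is low risk; links, phone numbers, urgency and an immediate ask are the tell) can be written down as a scoring rule. The block below is an added example, not code from the thread: the phrase lists, weights and threshold are constructed, and the three sample messages are made up, the first patterned on the Apple notification text quoted earlier in the thread and the last on the bank notice described above.

```python
"""Score an inbound notification by its call-to-action features.

Added example of the heuristic in the comments above; not code from the thread.
Phrase lists, weights, threshold and sample messages are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

URGENCY = ("urgent", "immediately", "within 24 hours", "act now", "suspended", "locked")
ACTION = ("click here", "log in", "login", "sign in", "verify", "confirm", "call us", "call now")
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd"}   # real shortener hosts
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
THRESHOLD = 3  # arbitrary: a score at or above this is treated as suspicious


@dataclass
class Triage:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def _count(phrases: tuple, text: str, cap: int = 2) -> int:
    """Number of phrases present, capped so one feature cannot dominate the score."""
    return min(cap, sum(1 for p in phrases if p in text))


def triage(text: str, expected_domains: tuple = ()) -> Triage:
    """Information-only messages score 0; links, phone numbers, urgency and asks push the score up."""
    lowered = text.lower()
    result = Triage()
    for host in (h.lower() for h in URL_RE.findall(text)):
        if host in SHORTENERS:
            result.score += 2
            result.reasons.append(f"shortened link ({host})")
        elif expected_domains and not any(host == d or host.endswith("." + d) for d in expected_domains):
            result.score += 2
            result.reasons.append(f"link to unexpected host ({host})")
    if PHONE_RE.search(text):
        result.score += 1
        result.reasons.append("phone number to call (legitimate notices point you to the number on your card)")
    n = _count(URGENCY, lowered)
    if n:
        result.score += n
        result.reasons.append(f"{n} urgency phrase(s)")
    n = _count(ACTION, lowered)
    if n:
        result.score += n
        result.reasons.append(f"{n} call-to-action phrase(s)")
    return result


# Constructed samples. NOTIFICATION mirrors the wording quoted in the thread and the
# verification step on Apple's support page; it names a domain but carries no link.
NOTIFICATION = (
    "Apple detected that you are being targeted by a mercenary spyware attack that is trying to "
    "remotely compromise the iPhone associated with your Apple ID. To verify that this notification "
    "is genuine, sign in to appleid.apple.com."
)
PHISH = (
    "URGENT: Your Apple ID has been locked. Click here to verify your identity within 24 hours: "
    "https://bit.ly/3xYz or call us at +1 800 555 0100."
)
BANK_NOTICE = (
    "We noticed a new sign-in to your account from a device we have not seen before. "
    "If this was not you, contact your local branch."
)

if __name__ == "__main__":
    for msg in (NOTIFICATION, PHISH, BANK_NOTICE):
        print(triage(msg, expected_domains=("apple.com",)))
```

Note that the genuine-looking notification still scores 2 because it asks you to sign in somewhere; what keeps it below the line is the absence of a link or number to act on in the message itself, which is the point both commenters make.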

unicon
0 replies
1d2h

I heard it should show as a badge/banner on top of your iCloud Web Panel in the browser.

Edit: on top of the message you get

quitit
0 replies
1d2h

How can we know something like this is real?

From apple's website:

"To verify that an Apple threat notification is genuine, sign in to appleid.apple.com. If Apple sent you a threat notification, it will be clearly visible at the top of the page after you sign in."

https://support.apple.com/en-lamr/102174

c0t300
0 replies
1d2h

at the end it says that you can check the validity by signing in to icloud, there an alert banner is shown

pksebben
22 replies
1d2h

Between the Metaverse, "mercenary spyware", AI war targeting, and death drones, I keep wondering who it is that read Neuromancer and thought; "What a rosy picture! How can we realize this stunning vision of a future-to-be?"

jsheard
17 replies
1d2h

Sci-Fi Author: In my book I invented the Torment Nexus as a cautionary tale

Tech Company: At long last, we have created the Torment Nexus from classic sci-fi novel Don't Create The Torment Nexus

https://twitter.com/AlexBlechman/status/1457842724128833538

tialaramex
8 replies
23h35m

To be fair, somebody will always decide what you wrote was a warning and they should fear it, even if you specifically intended a utopia, just as people insist on rooting for and even imitating the bad guys from stories because they misunderstood "cool" as "good".

Example: Some people think San Junipero, the one positive Black Mirror episode with an actual Happily Ever After romantic ending is a dystopian vision.

Some people think the Primer, the technological device at the heart of Diamond Age, is the problem, not the Neo-Victorian aristocrats like Elizabeth's parents with their pseudo-colonial control over part of China, not the huge corporations whose greed is tearing the world apart and their engineers like Fiona's father, nor the Cyberpunks left over from a previous era like Nell's father - no the problem is the machine.

In the Tweet framing it's easy, it's named a Torment Nexus and the book is literally titled "Don't Create The Torment Nexus", but what about the Horseless Carriage? The Novel? The Television? Are we creating the Urban Sprawl, the Wasted Youth, are we helping to Manufacture Consent? Or maybe these are Freedom and Art for the Masses? Framing.

kibwen
5 replies
17h41m

> Some people think San Junipero, the one positive Black Mirror episode with an actual Happily Ever After romantic ending is a dystopian vision.

IIRC, after the couple prances away hand-in-hand into the sunset, the camera pulls back through the fourth wall to reveal the darkened server room in which their minds are being emulated, blinkenlights glittering in the darkness among the monotone drone of case fans, zooming out to reveal an endless row of servers receding into the distant blackness in a scene reminiscent of The Matrix. If the showrunners intended it to be unambiguously happy, I feel like they would have omitted that part... Or maybe I'm hallucinating, because I found the implications utterly horrifying, much to my partner's consternation.

godelski
3 replies
15h26m

Not to mention that Black Mirror's entire agenda is near-Sci-Fi horror.

The episode is specifically about getting trapped in nostalgia, a non-existent past. Yes, love is found in this pursuit, but so is death. All the music in the show is about living in a box and forgetting about the real world. Other characters talk about forgetting they're in the simulation and they talk about how they live in a graveyard. There's that whole conversation with Greg about how the time limit exists so people don't kill themselves to permanently leave the world behind and "live" in San Junipero forever.

And I'd expect of all people HN people (computer people) would understand that uploading into a simulated reality is not the same as you entering that reality. Remember, once "you" are data, you can be copied. Then who is the real you? If you can be uploaded without being killed in the process then certainly that entity is not "you," but rather a different entity who has all your memories and is not able to distinguish itself from you. But you are still experiencing your experiences and not their experiences, so you are different entities. It is just an AI double. The promise of an afterlife is no different than the promises of old. A story to help you move on, to help you find comfort in the end. But this story is just more tangible for those who are left. San Junipero is not much different from many of the other stories that approach this topic. Even the happier Upload is quite dystopian between the lines of being a rom-com. It is that happiness that is the dystopia itself, the lure of false promises. The poisoned dessert so sweet and tempting it is impossible to not take a bite.

tialaramex
2 replies
9h55m

Remember, once "you" are data, you can be copied.

If you're copied that's what "Hang the DJ" is about, and more darkly the short story "Lena". But San Junipero deliberately doesn't do that.

Alas, the thing you claim isn't the same as being is in fact exactly how you work today. Is this an existential nightmare? I got used to it pretty quickly, and in San Junipero you'd have a lot longer to get used to it. Greg Egan posits that, to the extent consciousness is anything it's somehow a consequence of patterns of computation. That is, if somehow the same patterns that you represent came into existence again they'd "be" you in every sense that matters. The "Lena" scenario remains horrifying, all those copies are the same person, instantiated over, and over, and over again to do menial tasks. But San Junipero is just life after death.

godelski
1 replies
9h45m

The Permutation City reference is irrelevant to San Junipero. I never made the claim that the entities in the simulation were not sentient. I made the claim that they aren't "you." These are very different things.

I haven't seen the newer seasons. But looking at the synopsis on wiki (Beyond the Sea?), this is a very different scenario. Permutation City might be a better one to look at for what I'm getting at. Remember in that story that you are essentially making a copy of yourself and putting it into that universe. That entity is not you, but it is sentient, conscious, and its own thing. But you aren't in that simulation with it unless you virtually go in (and in their scenario you need to deal with the time differential).

San Junipero is a corporation promising you life after death. The same way Amazon Prime's Upload does. But San Junipero in Black Mirror itself made no claim, and the writers place a lot of not so subtle hints as to the idea that it isn't. Not only by nature of being a Black Mirror episode, but I suggest you look closer at the soundtrack of the episode and how it's used in context.

tialaramex
0 replies
8h24m

I made the claim that they aren't "you." These are very different things.

I understand what you're claiming, as I pointed out under this understanding your current existence is already terrifying. Not just when you fall asleep, but even moment by moment the underpinning compute substrate is repaired and replaced and yet it feels as though this is an ongoing experience, there's no reason Yorkie experiences this any differently even though intellectually she knows the transformation was more... substantial.

It's just Trigger's Broom / the Ship of Theseus, this isn't even a new idea.

the writers place a lot of not so subtle hints as to the idea that it isn't.

Like the hint where Charlie Brooker specifically said that no, it's the Happily Ever After ending? Maybe he wasn't patting his head like you knew he would be if he was addressing True Fans like you? Didn't give the secret sign?

I thought I already spelled this out well enough, that somebody will insist that the heroes are villains, that the bad guys are the good guys and so on. Sometimes they have a point, but more often they just didn't see what was in front of them. I am kinda tangentially interested in the Slash scene (e.g. I know people involved in AO3) and the Slash communities are the same - sometimes you're like sure, this was barely subtext in the movie/ TV show/ novel, in a braver world the writers would have had them kiss on camera, but other times it's like "Where did this even come from? Were you watching the same show?" - and sometimes that's deliberate contrariness but other times it really isn't.

It's not as though I don't have my own divergences from what writers believe about their own works - for example in my opinion Firefly was a TV show about the bad guys (people who lost a civil war and just decide that doesn't count) written by someone who doesn't understand that they're the bad guys. Obviously Whedon doesn't agree and I don't expect him to. Or for example Vinge insisted he doesn't know who/what Rabbit is in "Rainbows End" and in my opinion there's only one option which makes any sense.

But I guess I kinda asked for people to insist their wrong interpretations of San Junipero are the only correct one when I gave the example.

tialaramex
0 replies
15h33m

If the showrunners intended it to be unambiguously happy, I feel like they would have omitted that part...

I think this has the same direct purpose as my favourite modern Doctor Who scene but with different larger strategy. To tell the audience something explicitly, because it's not necessarily obvious and otherwise not everybody will have guessed. Often the Doctor understands what's going on and the audience are learning as they go, but in "The Girl In The Fireplace" the Doctor never actually knows why this spaceship chose this girl, in this time. The audience does at the end though, because we pull out to show the spaceship's name.

Both the women know exactly what we're shown at the end of San Junipero. That "Heaven is a place on Earth" in a very literal sense, but while it's explained somewhat, the details aren't mentioned because they'd be clunky as exposition - hence the explicit visualization of the data centre where they're running.

You aren't alone in finding this horrifying, but for Charlie Brooker, myself and a large number of people this is the best case scenario - and since Charlie wrote the show...

pksebben
0 replies
21h37m

Okay, yeah. But even from a pretty hardcore moral relativist POV...

"mercenary spyware", AI war targeting, and death drones

Are not super easy to justify. Like, sure some people obviously think those ought to be a thing, but those people are dicks.

nojs
0 replies
18h59m

San Junipero, the one positive Black Mirror episode with an actual Happily Ever After romantic ending

You forgot Hang the DJ :)

rchaud
5 replies
1d2h

Same goes for certain types of lead characters in things like American Psycho, Fight Club, Mad Men and Wolf of Wall St. These are seen as aspirational instead of cautionary tales.

unholythree
1 replies
1d1h

I go to a restaurant where the owner has recently hung a sign reading “The World is Yours” as though Tony Montana from Scarface should be regarded as a fount of wisdom.

philistine
0 replies
1d

If you want to deify Tony Montana, there is one quote that is the John 3:16 of his proselytizing, and the world is yours is not that quote. I guess you can't put it in a restaurant.

2OEH8eoCRo0
1 replies
22h34m

There was a recent article in NYT about Grand Theft Auto and the author mentions that their friends became a little more racist after playing it as kids. My takeaway was that these forms of media aren't for children because they probably won't understand that it's satire. Then I realized that many adults don't understand that it's satire either.

Edit: article in question: https://www.nytimes.com/2024/01/25/arts/grand-theft-auto-isl...

fulafel
0 replies
12h51m

The framing and cut scenes in GTA may be satire but the gameplay, where you actually immerse yourself in the game and get into the character's shoes, mostly isn't. Those parts are largely just shooting people.

I guess you could argue that it's some other kind of satire than being anti violence.

FabHK
0 replies
1d

And, famously, Michael Lewis's first book, "Liar's Poker":

Despite the book's quite unflattering depiction of Wall Street firms and many of the people who worked there, many younger readers were fascinated by the life depicted. Many read it as a "how-to manual" and asked the author for additional "secrets" that he might care to share.

https://en.wikipedia.org/wiki/Liar%27s_Poker#Reception

astrange
1 replies
1d

The tech company is right since this appears to be a reference to the Total Perspective Vortex from Hitchhiker's Guide, which notably didn't do anything bad when it was turned on.

kristianbrigman
0 replies
1d

Only for Zaphod and only because he was in a simulation where he was in fact the most important person :)

throwiforgtnlzy
0 replies
16h6m

Don't worry, reality and time will find a way to make reality worse than anything a fiction writer could've conceived in the past. Even Brave New World seems quaint now.

reaperducer
0 replies
1d

I keep wondering who it is that read Neuromancer and thought; "What a rosy picture! How can we realize this stunning vision of a future-to-be?"

The same people who read 1984 and thought the same thing.

Or the people who failed to read 1984, so they didn't get the warnings.

mrguyorama
0 replies
21h39m

There will never be a shortage of people who read dystopia and think "That would be awful, I should oppress the entire world as its rightful, righteous god king and make sure things go well (specifically how my extremely small perspective understands right and wrong)"

We see on this very board a huge segment of people who believe "tech" for "tech's sake" is a good thing, or that any "tech" is inherently an advancement of society, and that advancement === good

godelski
0 replies
15h51m

"What a rosy picture! How can we realize this stunning vision of a future-to-be?"

The people who said

  Don't worry about doing it right, just do it fast, we'll fix it later
And it was never fixed. It seems we keep pushing to go faster and faster, and for cheaper. If you continually are cutting weight pretty soon you're gonna have to cut off your limbs. Any successful bureaucrat/manager who cut fat before you is not going to leave much fat left for you to cut. Besides, some fat is actually good.

resource_waste
13 replies
1d2h

I suppose this is an alternative to security... Real 'Scroll to the bottom of the terms and click accept' vibes...

Is there any company as big as Apple with so many major security issues?

hiatus
12 replies
1d1h

Is there any company as big as Apple with so many major security issues?

To be fair, does any Android device alert you to a compromise like this?

resource_waste
11 replies
1d1h

Android is more secure, especially in recent history. You can even see it in 0 day bounties.

Don't pay attention to Samsung though, that company is probably the Apple equivalent of android.

saagarjha
6 replies
1d

I don’t see how the bounties back this up?

resource_waste
5 replies
23h3m

Supply and demand.

saagarjha
2 replies
20h46m

Neither is correlated to how secure something is?

resource_waste
1 replies
5h30m

Yes it is

saagarjha
0 replies
36m

Despite you feeling smug about it, the economics of the zero day market are far more complex than you think they are.

rootusrootus
1 replies
22h38m

The bounties look like they have fairly comparable distribution, and just knowing the dollar figures doesn't really tell much about either supply or demand. Your inference requires that knowledge.

resource_waste
0 replies
5h31m

just knowing the dollar figures doesn't really tell much about either supply or demand.

Well we just broke econ

ziddoap
2 replies
1d

Android is more secure, especially in recent history. You can even see it in 0 day bounties.

This needs citations, and more than just referencing 0-day bounties.

0-day bounties are an incredibly weak signal in regards to security posture.

ziddoap
0 replies
21h27m

Pricing of 0-days has very little correlation with the security of something, if any correlation.

I'm not sure what the "and for more" you are referencing. The site lists prices, an FAQ, and events. None of that supports the argument made by parent comment.

hiatus
0 replies
1d

The number of public bounties for a system seems orthogonal to the number of actual vulnerabilities in a system. Of course, vulnerabilities exist independent of the existence of a bounty for them.

Lendal
11 replies
1d1h

Pet peeve: This story alternates between "nations" and "countries" as if they were synonyms. A nation is a group of people sharing cultural, ethnic, and historical ties. There are many more nations than there are countries, especially within the US. A country has a political boundary, a flag and an anthem. It's one thing to use a word in the wrong way, because maybe you don't know the other word exists, and that's okay. But it's really annoying to hear both words being used in the same story but alternating them, without any explanation as to why. Is this an AI generated story?

hnfong
4 replies
1d1h

I'm not sure this is true

There are many more nations than there are countries, especially within the US.

Each US state has "a political boundary, a flag and an anthem". So that's 50 of them. How many nations are there in the US?

dragonwriter
2 replies
1d1h

It’s “true” if you, as the GP seems to intend to, define “country” to be “state that is sovereign in the sense of a principal subject of international law”.

This is, to say the least, not the only definition of a “country” (and is also among the definitions of “nation”.)

hnfong
1 replies
1d1h

"Country" definitely does not mean "sovereign states" in English.

And I do mean "English" because in the UK, England, Scotland and Wales are officially considered "countries" by the UK government...

tialaramex
0 replies
1d

If you care, you definitely need to specify what you mean, e.g. the British gameshow "Pointless" has a catch phrase:

"And by 'country' we mean a sovereign state that is a member of the UN in its own right"

So if you're asked for "country names ending in land" on the show they'll invariably remind you of the definition and you ought to then know Scotland is plain wrong, whereas Ireland is a reasonable although obvious (so not "Pointless") attempt to answer.

hiatus
0 replies
1d1h

There are many more nations than there are countries, especially within the US.

I took this to include things like first nations and reservations which are themselves "sovereign".

dragonwriter
2 replies
1d1h

Pet peeve: Misguided pedantry

Both “country” and “nation” have a wide variety of definitions, and several of them overlap.

The definition you give for “nation” is a particular technical one used in certain contexts, but the word used for the way you define “country” in the context where that kind of technical definition is being used for “nation” is “state”, not “country”. (And even “state” may be used with additional qualifiers to disambiguate the exact sense when used for that, because it is a heavily-overloaded term.)

gamepsys
1 replies
1d

Pet peeve: Not enough pedantry with language use in publications.

Nation and country are not interchangeable. Words have meaning. Good journalists choose their words deliberately and have a deeper understanding of language than the average person.

mynameisvlad
0 replies
22h48m

Sure, words certainly have meaning, but that meaning is constantly evolving and even differs from person to person.

For the common person and the common definition and use of the two words, they are very much interchangeable. The common person might not even notice the change in words because the generally used definitions of both are common enough.

vineyardmike
0 replies
1d1h

With all due respect, I’ve simply never heard anyone use these terms “correctly”. I live in an English-speaking country, and the closest thing I’ve seen to this is university signs that say things like “this is tiger nation” or something similar. But I’ve also seen people use “country” to express that too.

I assume they’re alternating not because it’s AI written but because the author considered them synonymous and wanted it to sound less repetitive.

These words are just so overloaded that I think this is a lost battle. People hike in the back-country, you can live in the city or the country. And frankly if you used “nation” to represent a cultural group of people in almost any context I think people would not understand or worse - assume you were stoking some racial angst or land-dispute.

samatman
0 replies
23h35m

Hence the name of the major intercountryal governing body, the United Countries.

drcongo
0 replies
1d1h

It's TechCrunch, pretty much the bottom of the barrel.

sigspec
10 replies
1d2h

Pegasus and NSO.

(Edit: of course I'm flagged for this. Surprise surprise)

freedomben
7 replies
1d1h

I spend way too much time on HN, and having seen how often flags are abused or simply used too liberally, I think they are way too overpowered. A lot of good discussion gets killed by flags right out of the gate. Sometimes it gets vouched and redeemed, but the vast majority of the time the damage is done and that comment or story languishes in obscurity.

pvg
6 replies
1d

The comment doesn't really say anything and the commenter is not saying they edited the comment to make it just non-substantive rather than non-substantive and inflammatory.

freedomben
5 replies
1d

Excellent point. Thank you!

I would hope people aren't using flags for low-value comments, but you make a great point that it could have been edited to remove something that was deserving of a flag.

pvg
2 replies
1d

aren't using flags for low-value comments

They could, and if you ask me, they should. They gum up threads and often start meta discussions about exactly how low-value they are. Many are even explicitly listed in the guidelines - snark, tropes and memes, 'broke the back button', shallow putdowns, etc. Righteously flaggable, one and all.

freedomben
1 replies
21h15m

I agree regarding snark, and pretty much anything that criticizes the person rather than the ideas. But one person's tropes and memes are often somebody else's current belief/position, especially if they are part of today's lucky 10,000[1].

What (in your opinion) is the purpose of the down-vote button?

[1]: https://xkcd.com/1053/

pvg
0 replies
20h31m

But one person's tropes and memes are often somebody else's current belief/position

In a site with the ostensible goal of 'curious conversation', that's not really good enough - it's not the job of your potential interlocutors to figure out what sincere, reasoned beliefs and positions hide behind the throwaway trope line. If you want to have a conversation, it's on you to try to converse. There are lots of other places where the trope line is fine - from the group chat with friends or colleagues to twitter. But those places work in different ways.

What (in your opinion) is the purpose of the down-vote button?

It's a way to say 'this comment is misranked'. There are lots of reasons to feel a comment is misranked - including simple disagreement.

Kbelicius
1 replies
1d

Saw it while it was flagged. There were two sentences. They removed the second one. Can't remember the exact wording, it was a short one, but it was basically saying: "Israel bad".

freedomben
0 replies
21h12m

Ah thanks, that does indeed sound flag-worthy

saagarjha
0 replies
1d

You were probably flagged because your comments are consistently of low quality.

Etheryte
0 replies
1d

You're being downvoted because you made a three-word comment that adds nearly nothing to the discussion on a site that hopes to entice meaningful discourse. Trying to play the victim on top of that is just silly.

_the_inflator
10 replies
1d1h

"Mercenary spyware attacks, such as those using Pegasus from the NSO Group, are exceptionally rare and vastly more sophisticated than regular cybercriminal activity or consumer malware"

So, maybe even provoking an Apple warning to those targets could also be part of a sophisticated operation.

These targets react or have to react in a certain way. Instigate to lure people out of hiding and entice them to react, even if only to observe their behavior.

What do these targeted people do then? Switching phones? Accessing certain digital services, warning their network via conventional lines?

From an observer's perspective, this is pretty thrilling.

resource_waste
8 replies
1d1h

What do these targeted people do then? Switching phones?

When you can get a $130 Motorola that has better security... Yes.

Since the 2018 iPhone crack by the FBI, I am shocked anyone uses their iPhone for secrets.

itscodingtime
4 replies
1d

Is there a modern smartphone or cellphone the FBI, CIA, NSA or any nation state cannot hack?

I can guarantee you the FBI can also hack a $130 Motorola.

dylan604
2 replies
23h23m

Nothing is un-hackable if you know how to properly use a $5 wrench.

lcnPylGDnU4H9OF
1 replies
23h1m

If it required the wrench, it was at least un-hackable enough. Part of the reason for remote hacking is to avoid alerting the hacked party to what's going on, which is obviously failed by the time you're hitting them with a wrench.

dylan604
0 replies
22h48m

At the end of the day, you want the data. Sure, it's much more convenient to get the data from a device, but if you had to get it somewhere else, the data is obtainable.

fsflover
0 replies
9h49m

Librem 5, when all hardware kill switches are in position "off".

dieortin
1 replies
1d

I doubt a 6-year-old phone with an outdated OS will be more secure than an up-to-date iPhone

resource_waste
0 replies
22h58m

Why are you comparing 6-year-old phones?

FabHK
0 replies
1d

The 2018 crack that one can foil by picking a decent passphrase instead of a 4-digit number?

quitit
0 replies
19h8m

Apple advise whom to contact on their website for guidance, but they are of course not alone in dispensing this and similar advice.

Apple:

"If you have received an Apple threat notification We strongly suggest you enlist expert help, such as the rapid-response emergency security assistance provided by the Digital Security Helpline at the nonprofit Access Now. Apple threat notification recipients can contact the Digital Security Helpline 24 hours a day, seven days a week through their website. Outside organizations do not have any information about what caused Apple to send a threat notification, but they can assist targeted users with tailored security advice."

https://support.apple.com/en-lamr/102174

Amnesty International:

"The Access Now Helpline and other Security Lab civil society partners are also equipped to support individuals who have received these Apple notifications."

https://securitylab.amnesty.org/latest/2024/04/apple-threat-...

neilv
6 replies
1d1h

Is this spyware possible due to engineering flaws in Apple products?

wepple
2 replies
1d1h

Technically, yes?

But there has never ever been non-trivial software that has been completely free of such defects.

In other words (in my opinion), iOS is probably better than most other platforms against this type of attack.

amelius
1 replies
19h57m

"In other words" doesn't make sense here.

wepple
0 replies
17h29m

Why

fckgw
0 replies
1d1h

I guess? Every platform has bugs and zero days.

Maximus9000
0 replies
1d

Check out Darknet diaries podcast on the NSO group. NSO group likely pays over $100k USD to hackers that have a good zero day for iphone.

https://darknetdiaries.com/episode/100/

Etheryte
0 replies
1d

Pretty much every computer virus, worm, etc ever has been due to engineering flaws in software products. All software ever made has bugs in it, including whatever you're using right now.

Animats
6 replies
23h24m

The message from Apple is so vague that it's useless. It just says to be afraid. There's no advice on what action to take.

swinglock
3 replies
23h6m

The article omitted it, but the message says to update iOS to the latest software and enable its lockdown mode.

Animats
2 replies
22h6m

Right. That's a "turn it off and turn it on again" tech support answer.

wolverine876
0 replies
20h42m

I disagree: I'd expect they would have discovered the exploit and delivered an update to patch it, and lockdown mode is not standard usage by normal users.

jayrot
0 replies
21h18m

Hardly. Keeping your apps and operating system updated is one of the more reliable prophylaxis against vulnerabilities.

Unless I'm misunderstanding, "turn it off and on again" suggests a kind of pointless, "just start over and try again" kind of suggestion, no?

filenox
0 replies
23h10m

That's not true, in the message they refer you to a web page with more details: About Apple threat notifications and protecting against mercenary spyware - https://support.apple.com/en-in/102174

Vicinity9635
0 replies
23h9m

It tells you to update your phone and turn on lockdown mode.

ryandrake
4 replies
1d1h

It looks like the message encourages users to update "to the latest software version, iOS 16.6." I wonder if their message is different to users on devices which no longer can be updated beyond iOS 15, like iPhone 7, 7 Plus, SE and so on.

1oooqooq
2 replies
23h40m

why do you think devices out of support date got any message at all?

dylan604
1 replies
23h20m

to encourage them to upgrade?

jayrot
0 replies
21h22m

"Just buy your mom an iPhone"

t-sauer
0 replies
1d1h

That's the message they got in summer 2023 when iOS 16.6 was the most recent one.

mardifoufs
5 replies
21h20m

How can Pegasus and NSO still be allowed to exist? I know they are an Israeli corporation, but even then has there been action against them from the Israeli government? This is basically rogue state behavior

tptacek
2 replies
17h35m

There are plenty of companies like these that you haven't heard of. I don't think Israel has much to do with the situation.

mardifoufs
1 replies
13h26m

But that's the thing. This is basically public knowledge at this point. I realize that almost every regional or super power has or tries to have this type of corporation for their own usage, but in this case it's public knowledge and it also openly targets Israel's allies. A good example is how France's president was targeted.

I'm not sure the US wouldn't at least pretend to shut down/restrain a corporation that's helping Israel's enemies spy on Netanyahu for example.

tptacek
0 replies
13h8m

Why do you think that? What's the precedent?

thebytefairy
0 replies
4h51m

PBS Frontline has a good documentary on the NSO Group. They are sanctioned by the government, and even used as political leverage - https://m.youtube.com/watch?v=6ZVj1_SE4Mo

CPLX
0 replies
8h8m

Your theory is that the Israeli government doesn’t approve of what they are doing?

world2vec
2 replies
1d2h

Doesn't say which 92 nations tho.

scoot
0 replies
1d

I thought it odd that the end-user message mentioned it at all. Compared to last year's message it strays into editorial content.

Vicinity9635
0 replies
23h8m

opsec

1970-01-01
2 replies
1d2h

Good way to get Pegasus devs to blink, but nothing more.

t-sauer
1 replies
1d2h

Maybe my thinking is a bit naive, but I would assume that the message signals that Apple found a new way to identify (and therefore maybe neutralize) Pegasus which is probably at least a medium annoyance to them.

vinay_ys
0 replies
23h39m

If you were the hacker operating a remote command and control for such a targeted attack, you would immediately know if Apple or some other mechanism silently blocked your exploit kill chain. This notification to users tells you nothing new. If something doesn't work, you move on to the next exploit available to you. It's not likely that they would shut shop and go away just because Apple notified users. The only thing this does is Apple gets more users to turn on their protection mechanisms like lockdown mode, which makes it more valuable to find vulnerabilities in that (as that is the new baseline now). And so goes the tale. It's a never-ending escalatory game.

ein0p
1 replies
1d

I’d think this extends to all countries actually, and find it curious that only 92 are being notified.

dylan604
0 replies
23h18m

Could this be illegal in some countries to notify users like this? I could see how revealing to some one they were the subject of a gov't targeting would be illegal in some countries.

FunkyFunTimes
0 replies
1d1h

Here’s hoping that this isn’t any sort of psychological warfare tactic which Apple has been pressurised to sow into making groups of people assume blame at certain groups for the purpose of swaying elections in certain ways.

Because God knows how many times Five Eyes have tampered with elections across the Middle East in the past 50 years.

I wouldn’t be naive to believe everything totally and just putting another perspective out there which may be worth considering (even for just a few seconds).