I've interviewed with these types of companies (not the ones in the article). I've even caught them using their exploits on me after they made me an offer and that seems to be the most likely explanation for what happened here. I don't know how anyone can develop exploits for resale in good conscience.
If these companies have no qualms using their exploits against their own employees they'll have absolutely no problem using them against members of Congress, the Courts, investment banks, tech leaders, and anyone with any sort of power. This gives them the ability to blackmail some of the most powerful people in the world.
edit: And that's not even mentioning their reported "intended use" against dissidents and journalists.
I think by default these companies kinda filter out people with values that would impede unrestricted use of their tools. And at worst possibly attract people who think "I'd sure like to spy on other people". That's scary.
You don't know how any of these could be developed in good conscience? How about: anti-proliferation intelligence work is going to happen whether it requires human intelligence or CNE, and CNE is less costly and harmful?
I get where you're probably coming from: this same technology is used all over the world to target journalists and dissidents in countries with and without the rule of law. A very real concern. I wouldn't do this kind of work either (also, it's been over a decade since I had the chops even to apprentice at it).
But there are very coherent reasons people are comfortable doing this work for NATO countries. Our reflexive distrust of law enforcement and intelligence work is a fringe belief: a lot of families are very proud to include people working in these fields.
The most important thing I guess I'd have to say here is: our opinion of this stuff doesn't matter. At current market rates every country in the world can afford CNE technology, and it's a market well served by vendors outside of NATO.
It very much does matter. If more people refuse to do this type of work, it eventually won't be done to the required standard. People would cut family ties and this would stop fast.
That's an incredibly blinkered view of the ecosystem that assumes that the only talent capable of delivering this work is people you talk to or share cultural ties with. There are ultra-skilled people in developing countries who could not give less of a fuck about how uncomfortable this stuff makes people in the west.
There are tons of people in the West who have no qualms about doing this for pure crime purposes; many of them are the ones who espouse most ardently that doing this work for the government is immoral.
This is kind of like saying "if people wouldn't murder other people then..."
"Bad" kinds of work always find bodies to fill their spots. Boycotts of a particular business might work, but a type of work won't, especially when there is decent money on the table. And then when you start adding in people that had previous run-ins with law enforcement and find it hard to get a "legit" job and get a decent offer from a place like this, they'll have no problem taking it.
It would stop in your country but not globally. That means your country loses all expertise and will be much worse off to defend itself.
Case in point: In 2007 Germany passed a "hacking law" (§202c). On its face, it was supposed to prevent black hat work. Except it very predictably also did enormous damage to security research.
> You don't know how any of these could be developed in good conscience?
The OP did say "...for resale in good conscience."
I personally read that as the commercial companies that allow anyone to buy the product off the shelf for the right price -- including governments, but also rogue elements. Bad actors, groups, or even people engaged in abusive domestic practices (customers without the time, experience, or resources to do it in-house). Not the people who work directly under government agencies developing these things for State level intelligence/ops.
I think I agree with what I think you're trying to say.
However I don't agree with the repercussions of this, which are the same ones that make all reasonable people, security experts included, oppose EU's ChatControl or the UK's backdoor requests: There is no way to ensure and protect the people that need protection, as there is no way to ensure that only "the good guys" have it.
We tend to bullshit ourselves into believing that because spyware software like Predator are weapons, meaning that only countries would be allowed to buy them and use them (same way that Jeff Bezos cannot buy and use an F-35 for example). We see though, that certain individuals _can_ get their hands on these things and use them however they want.
For example, 3 years ago someone adjacent to the Greek government bought and used Predator against MEPs, journalists, army generals, mafia bosses, MPs of opposing parties and even MPs of their own, ruling, party. The Greek government of course denied that they did it, and they said that this individual did not act under the instructions of the government (though they then changed the law to prevent anyone from learning details about it, but that's a different story).
So, apart from adopting the same approach as with ChatControl and encryption backdoors, i.e. banning them, I don't know how we could protect ourselves against them.
I'm an American and am glad of my personal belief that the American system would not allow something like ChatControl by state mandate. I also wouldn't participate in commercial exploit development (even if I was capable of doing so competitively). But I don't think the two things are at all comparable.
> At current market rates every country in the world can afford CNE technology
Slippery slopes don't justify anything. You might not care enough to make a difference, but many people do and your justification rings hollow to everyone that's potentially a victim. You wouldn't say this about nuclear proliferation, so why make a carveout for digital mercenary work? Because it's "harmless"?
I don't know what your goal is with this statement but it certainly doesn't make me feel any better. If you're this emotionally invested in the topic, it might be best for your own optics to not chime in.
I'm not justifying anything. I'm saying a very large number of people don't share the premise in the parent comment. It's one thing to disagree with a practice; it's another thing to suggest that disagreement with it is universal. It is not.
The difference is that it's completely plausible to protect against a cyberattack, but completely implausible to protect against a nuclear attack.
The onus is on Apple and their userbase to protect their own computers, not the rest of society to patrol and regulate unstoppable "information crime" against them
You, sadly, internalized a state humanity adopted after WWII, where the anti-red propaganda told everyone that if you could illegally burn a forest down to then buy a Ferrari, it was the best course of action because if you didn't do it, someone would.
Thankfully people like you are being ostracized, albeit too slowly, and pointed out as what you really are: agentless weak opportunists.
I don't wanna give away too much in case they're reading, but they didn't use their stealthiest exploit. It was pretty obvious, especially if you monitor your network traffic.
I gotta admit I'm not in the habit of monitoring my network traffic... Gotta wonder if it's even possible to protect ourselves against this surveillance without going full OPSEC mode.
I figured security researchers were always targets of multiple APT actors and random individuals. However...
> I've even caught them using their exploits on me after they made me an offer
Not only for exploit companies that eat their own dog food, nor only cybersecurity jobs, but I've heard of this happening to people interviewing for other tech areas considered strategic.
The noticed ones weren't that subtle, and were presumably noticed because the attacker wasn't using the best methods, but maybe more routine SOP for lower-value targets.
I have no idea what the actors and motivations actually were. Speculation:
* the hiring company or its country, vetting the candidate by spying on them, including for corporate/national counterintelligence reasons (it's really not much different than a lot of the sneaky surveillance capitalism vetting that many companies quietly do, just unambiguously illegal in this case);
* the hiring company, spying to monitor the competitive offer situation (e.g., what counteroffers or concerns does the candidate have);
* other state, individual, and possibly corporate actors, for whom the imminent offer flagged the target as worth keeping an eye on (for, e.g., advance access to research they do individually, knowledge of attacks they do individually, possible technical entry point to the job-offering organization or others, or kompromat for getting access/actions); or
* random associated individuals acting on their own, recreationally enjoying the power over others that their cracking toys give them (which at least used to be not too uncommon, before cybersecurity was professionalized, when there were proportionally much more teens and alienated people, and they hadn't yet been told about color-coded hats for prefabricated codes of behavior from which they could choose; now, most people with skillz have the carrot of a lucrative job or respected status as researcher that they can pursue, instead of seeking power/status other ways and without guidelines).
Personally, I try not to work on strategic target areas, since I like to save my very limited guts for fighting product concepts and reliable systems into shape, not for being helplessly violated by lawless authoritarian institutions. Good luck.
Forget blackmail, people wildly overestimate the value of blackmail. Far more predictable and lucrative is just to use exploits for insider information, including as favors and bribes, and selling them to governments willing to pay immense amounts of money. Blackmail is far too messy. Grease works way better.
Plata o plomo. Usually a combination of threats and bribery is most effective. The truly dangerous groups usually have the ability and willingness to pay well.
Sorry, that’s just not how it is practiced and at least has not been for a long time. You’ve heard the saying, you catch more flies with honey than vinegar, right? If you have unlimited funds and you are the giver and bringer and provider, there is no need for blackmail. It’s just the nuclear option, so to say.
At the political level things don’t operate like some cartel, sort of certain places and certain rather narrow regions of the world where it may take some additional motivating to do the right thing for themselves.
Ironically that actually applies to him too. Sure, he likely had all kinds of stuff on people, but frankly bribery still always works far more effectively unless you encounter some resistance. It’s a rather established practice. The “blackmail” material is really just an insurance, not actual leverage.
> Gibson .. may be the first documented case of someone who builds exploits and spyware being themselves targeted with spyware.
> But the ex-Trenchant employee may not be the only exploit developer targeted with spyware .. there have been other spyware and exploit developers in the last few months
So basically it was probably someone in his chain of command leaking the Chrome exploits, and this guy was the scapegoat used to cover that up for now.
Though the whole thing sounds more made up than legit.
This guy is pretty naive if he thinks they (or their biggest customers) won't verify whether he really was leaking something or not if they've got the tools to do that lol and to maybe send a message to not think about it
> “I was panicking,” Jay Gibson, who asked that we don’t use his real name over fears of retaliation, told TechCrunch.
And later,
> Without a full forensic analysis of Gibson’s phone ... it’s impossible to know why he was targeted or who targeted him.
> But Gibson told TechCrunch that he believes the threat notification he received from Apple is connected to the circumstances of his departure from Trenchant ...
I find it funny that (1) this guy never thought this would happen to him (2) this guy has the balls to talk to media about this but fears retaliation
I mean, seriously, those who want to know your real name already know it.
This honestly smells really strong like made up shit. Or the guy is very much a low key player.
Generally, if you develop exploits, you should be completely aware of every single possible attack vector. If you are working for a company like Trenchant, and you know what you are doing, the last thing you do is use Apple devices (at least fully; most of the time you have a public phone and a much more secure private phone).
The reason is, when you take an Apple phone, connect it to a router that proxies through a computer so you can inspect traffic, you can see the vast amounts of shit being sent back to Apple which you have no control of.
Meanwhile, if you do the same with my custom rooted, de-googled android phone that I take overseas, you will see only ntp traffic, and that is only so I don't have to deal with cert issues because my clock is wrong.
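As an added example (not code from this thread, nor from Apple or any vendor discussed in it), here is a small Python baseline check of the kind the comment above describes: record which services a phone reaches during a quiet observation window, then flag any later flow that falls outside that set. The log line format, the device addresses and the hostnames are all constructed for the example; a real deployment would feed it whatever flow or DNS log the router or interception box produces.

```python
"""Flag unexpected egress from a phone by diffing observed flows against a
per-device baseline of expected services.

Constructed log format (one flow per line):
    <timestamp> <src-ip> <dst-ip> <proto> <dst-port> <sni-or-dash>
"""
from collections import defaultdict
import ipaddress

# Constructed sample flows. 10.0.0.42 plays the hardened phone that should
# only speak NTP; 10.0.0.17 is a second device with one expected service.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01 10.0.0.42 203.0.113.10 udp 123 -
2024-05-01T10:00:05 10.0.0.42 203.0.113.10 udp 123 -
2024-05-01T10:01:12 10.0.0.42 198.51.100.7 tcp 443 push.example.net
2024-05-01T10:02:30 10.0.0.42 192.0.2.55 tcp 443 telemetry.example.com
2024-05-01T10:03:00 10.0.0.42 192.0.2.99 tcp 8443 -
2024-05-01T10:03:02 10.0.0.17 198.51.100.7 tcp 443 push.example.net
"""

# Hand-written baseline: the (proto, port, sni) services each device may use.
BASELINE = {
    "10.0.0.42": {("udp", 123, "-")},                    # NTP only
    "10.0.0.17": {("tcp", 443, "push.example.net")},
}


def parse_flows(text):
    """Parse the constructed log format into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, sni = line.split()
        ipaddress.ip_address(src)   # raise on malformed addresses
        ipaddress.ip_address(dst)
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "proto": proto, "dport": int(dport), "sni": sni})
    return flows


def service_key(flow):
    """The tuple a baseline entry is matched on."""
    return (flow["proto"], flow["dport"], flow["sni"])


def learn_baseline(flows):
    """Build a baseline from flows captured while the device is known-quiet.

    Returns {src_ip: set of (proto, port, sni)}.
    """
    baseline = defaultdict(set)
    for f in flows:
        baseline[f["src"]].add(service_key(f))
    return dict(baseline)


def find_unexpected(flows, baseline):
    """Return {src_ip: [(dst, proto, port, sni), ...]} for flows whose
    service is not in that device's baseline. Devices with no entry in the
    baseline get everything flagged, which is the safe default."""
    unexpected = defaultdict(list)
    for f in flows:
        if service_key(f) not in baseline.get(f["src"], set()):
            unexpected[f["src"]].append((f["dst"], f["proto"],
                                         f["dport"], f["sni"]))
    return dict(unexpected)


if __name__ == "__main__":
    for src, hits in find_unexpected(parse_flows(SAMPLE_FLOWS), BASELINE).items():
        print(f"{src}: {len(hits)} unexpected flow(s)")
        for dst, proto, port, sni in hits:
            print(f"  -> {dst} {proto}/{port} sni={sni}")
```

The baseline is keyed on protocol, port and TLS SNI rather than on destination IP, because the IPs behind a given hostname change constantly while the set of services a locked-down device legitimately uses does not; anything that breaks that set is worth a look, whether it turns out to be a forgotten app or something less benign.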
> The SRD is intended for use in a controlled setting for security research only…The SRD isn't meant for personal use or daily carry, and must remain on the premises of program participants at all times.
>Gibson, who until recently built surveillance technologies for Western government hacking tools maker Trenchant, may be the first documented case of someone who builds exploits and spyware being themselves targeted with spyware.
Leopards ate my face moment?
They're not developing these tools to NOT use them...
For at least 2 decades now exploit developers have been rather infamously prime targets for spyware, so whoever wrote this piece isn't read in at all to the industry.
> "...if you are a state or federal enforcement authority, and you have suspicion of any criminal activity of `Jay Gibson', be encouraged to immediately contact: Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or by email."
Leopards ate my face is only negative, and has been more political, typically someone voting to weaponize the government against their peer-level enemies but hypocritically, only to later realize they are not a party to the benefits, only the consequences.
It is really about a perceptual flaw in pre-fascist democratic behavior: people believing themselves to be a part of the protected class because they voted for it.
It seems to apply here because someone profiting from the creation of tools used on others by people with money/power has them used on him by the government.
tldr; it is a subset of you reap what you sow, with more specificity and punch
Too biblical and old-fashioned, probably. I would say that at least half the people who've used "leopards ate my face" don't even know the meaning of reap. The simplicity and visual character of the modern expression make it memier.
People vote for "leopards eating face" party because they want leopards to eat other peoples faces. You're relying on that party to do something they didn't say (it's not "leopards eat everyone else's face but not yours" party)
If you vote for a party to build a monument, then they build a monument, that's reaping what you sow.
Not sure, but the phrasing around this article and the entire second half of it definitely sounds like similar articles I've seen during these kinds of suits.
I can kinda sympathize with the guy, as I got fucked over in Defense contracting in a not-dissimilar fashion a lifetime ago. These companies reel you in with decently-sized (or even outrageously-large) pay packages and promises of doing “good work”, bleed you of your energy and time for their profits, then shove you out the door and blame you for anything that went wrong (especially if you try to act honestly and report wrongdoing - that’s a one-way ticket out the fucking door and into blackball territory).
Nobody should be doing work for these scumbags, but people will always fall for their spiels and grifts, unfortunately, out of some naive sense of “doing good” or “getting the bad guys”. It’s always just “leopards ate my face”, though.
Enlist and get your top secret clearance managing LANs and teaching officers how to add images into PowerPoints, they said. You’ll never be unemployed. Then you realize the “job” mostly involves being a disposable cog in some ex-colonel’s endless PowerPoint war. Every meeting feels like a high-stakes reenactment of “Yes, sir,” where accountability is optional and speaking up is career suicide. Billion-dollar mistakes are brushed off as “lessons learned,” while you get a lecture about integrity. It’s the world’s most expensive game of “the emperor has no clothes,” except everyone’s wearing lanyards and classified guilt.
I know people involved at Trenchant and have trouble believing that anybody who worked there was shocked by this threat. Maybe things have changed post-L3Harris but "it" (it's more than one company) was an incredibly paranoid IT shop prior to the acquisition.
Firefighters recently resorted to breaking a Tesla’s window to free a 20-month-old child locked inside after one of the vehicle’s batteries died. The emergency rescue is the second of such incidents reported on this week by Arizona CBS news affiliate KPHO and reiterates the potential dangers of the EV company’s ongoing, under-addressed battery issues in extreme heat.
In July 2023, a 73-year-old man was reportedly forced to kick out a window in his Model Y after becoming trapped. A similar emergency occurred for a mother and her daughter in Illinois a few weeks later after renting a Tesla, while a California driver last month claimed she found herself stuck in her EV while waiting on an over-the-air software update that shut down her car. In the 40 minutes it took to complete the update, outside temperatures rose to 115-degrees Fahrenheit.
And yeah, if you know how, and can go through multiple steps:
The only other workaround to battery issues appears to be a step-by-step solution in the owner’s manual that only opens a dead Tesla’s front hood by ostensibly hotwiring the car using external jumper cables. If this is the case, then people who find themselves locked out of their EV may need to continue relying on EMS—and their axes—until Tesla decides to address the glaring safety hazard.
Right. I was talking about passenger safety. But sure, if you purposefully designed a vehicle that has poor pedestrian visibility and end up getting hit by that same vehicle due to that poor visibility, you shouldn't be surprised.
I agree that car analogies should be taken seriously.
Sure, cars are useful. But aiming to sell as many cars as possible is no more ethical than selling as many yachts as you can, especially if it involves making the living conditions worse for anyone who doesn't own a yacht, for example by bribing politicians, or destroying non-yacht-capable waterways.
As a former researcher in this space, anyone who develops commercial exploits knows what they are doing and that their work if they happen to be in the US is subject to ITAR level restrictions.
I stopped when it became a game at that level. I refuse to be a government contractor…. It’s about not using software like this to kill people like Jamal Khashoggi.
I wouldn’t be surprised if Apple’s malware notification comes via the same or similar mechanism as Apple 2FA codes on iOS, as iMessage itself is a common vector for these kinds of malware being warned of, such as Pegasus. Apple also notifies you of this kind of malware via the email used for your AppleID, in addition to on-device, though I wouldn’t be surprised if that same malware would attempt to monitor for these messages from Apple to prevent them from being received and/or read.
The Apple Support app, for example, has capabilities which when triggered from the Apple side, allow screen-sharing and logging to be shared with Apple. I don’t know if this functionality relies on iMessage being enabled either, but I do know that the Apple Support app seemingly still works in Lockdown Mode.
I’d be curious if the person in TFA had their device in Lockdown Mode, which supposedly is supposed to make these kinds of exploits harder to install. If they were using Lockdown Mode, and they still got exploited, that isn’t great news for the rest of us, but the fact that Apple notified them is better than the alternative of Apple not being aware of the breach and/or Apple being aware and not notifying them for reasons.
Apple has the capability to remotely disable iPhones, which has been used when large numbers of iPhones were looted during riots in the US. I’m not sure if that capability relies on the devices not already being activated or not, but I’ve seen credible screenshots of the message when iPhones are so disabled.
If I got a message in my iPhone saying it had been remotely disabled, I would take it to an Apple Store or authorized Apple Service Center, where they could tell me what should happen next. This would be inconvenient, to be sure, but it would be preferable to continuing to use the device.
There's still no proof that it was Trenchant, and there was no evidence on the device. It's unlikely that it will ever be identified as an attack from Trenchant. Trenchant/L3Harris is a supplier for Five Eyes, and any attribution of their exploits will likely be concealed.
> Two days after receiving the Apple threat notification, Gibson contacted a forensic expert with extensive experience investigating spyware attacks.
Surely as a professional "exploit developer", Gibson himself should have been about as expert at this particular niche as any human being on the planet already.
I mean, sure, absolutely he should have called in his friends in the community and gotten more eyes on the device. But the way that's written it sounds like he took it into the local Genius Bar.
It also, in context, feels a little obfuscatory. Like he's trying to flag the involvement of senior folks who he can't name.
I agree it reads weird, but I am leaving room for the idea that there are a lot of very gifted people who work on this stuff as an intellectual challenge, have a sort of straight up systemsy computer science background, and don't have or care about a bigger picture of where they fit into the industry. But still: the companies that became Trenchant were notoriously paranoid about state-sponsored CNE threats! It would still be weird to be surprised by them.
I think you're conflating two precepts. Just because you can write an exploit, it doesn't - inherently - mean that you have the skills/knowledge/tools of where to look for all signs of exploit having occurred on your device(s).
From the inference of that logic, every developer should be able to use gdb or Windbg to ascertain where they shot themselves in the foot - but we know that this specific set of skills isn't inherently required to be a developer.
So, the same logic would be true here: Just because you can write a handful of exploits, it doesn't inherently mean that you have the tools/know-how to be able to ascertain if any or all of the available exploits in the wild (or in private, re: tools for Trenchant) have been used on your phone.
You're arguing at the wrong side of the problem. Obviously yes, everyone can't be a perfect expert on everything and when doing anything complicated you should ask for help. Duh, as it were. I think I even said as much.
The point was at this level of expertise and size of market ("detection of iOS zero day rootkits"), there simply isn't a pool of "experts" you can draw on to do this a-la contract work. It's a tiny world and everyone is fumbling around and asking for help independently. And as a member of that tiny world, Gibson surely knew who he needed to call already.
But that's not the way the article framed the interaction, which implies to me that there's more context at work here.
I'm not in this field but I was under the impression that people who know they are likely to be individually targeted use two (or more) phones and the one they use for their (target-worthy activity) is kept heavily locked down. Inconvenient to be sure but it seems like an unavoidable cost of being in that business.
You need to consider your location known to the government at all times if they know they'd want it beforehand. Most places are either surveilled heavily or sparsely populated, i.e. good for satellite-based observation. Maybe also to big enough corporations if they really want.
This does not imply that it is easy to track everyone everywhere at all times. I guess most targeted ones would like to protect their communication, and even meetings in person are possible if you keep some safeguards.
Is this a serious response? It is nearly impossible to live without a phone, short of pulling a Chris McCandless. I understand that means this _is_ an option, but it is an option in the same way that cutting off your leg for fun is always an option.
Well if you're knowingly being targeted by a government, your choices are basically go off the grid... or continue having every inch of your life tracked so they can find any tiny little thing to construe as probable cause to take you in.
> It is nearly impossible to live without a phone,
There's a whole continuum.
Other than 2FA, text messaging is easy to get rid of.
You still use it to make calls, so yeah, they can track you that way. You can keep the phone off most of the time, though. People close to me know that they're more likely to reach me by calling my home phone.
What else does one really need a phone for?
Navigation? Do what I did: Get another phone that never has a SIM card and use an offline app.
Camera? The same. But really, life is very doable without a camera to begin with!
I had Ubuntu Touch installed on an older OnePlus phone. It did everything, but they haven't figured out how to work with VoLTE. I considered just saying "screw it" and using it anyways, but then remembered that my Mum calls twice a week to chat me up so I went back.
But 100% you can still find alternatives, it's just about how much stuff you wanna carry around with you, right?
If there are zero click, unknown yet zero days against Apple devices, it won't help.
If you are actually security conscious, the only setup that works is have a public facing phone and a private phone that is custom rooted, de googled, and you control everything that runs on it.
Maybe but if we're talking on the level of targeted government surveillance, I think all options are on the table, i.e. they should assume they are being watched everywhere they go, and that all their communications, including their close friends/family (or anyone they have already been talking to lately) are likely being monitored as well, in which case, getting a new phone may not do much of anything.
There is some amount of protection until the adversary discovers the new number. But since they've already compromised his phone they likely have his dad's number and can compromise that phone to find him again. It's dystopian.
If he's running iOS he can also enable Lockdown Mode on the new phone to block most types of attacks.
The article notes that the target's former employer makes hacking tools and they separated on bad terms. Seems like it easily could just be the target's former employer.
I would be more surprised if these employers didn’t target their employees to prevent leaks of trade secrets, union activity, or other internal dissent. Having the power would be too tempting to resist, and besides, there is some degree of legitimate concern; it would be easy enough for rogue employees to sell exploits on the side for millions (there are plenty of buyers).
I'm not disagreeing with you, but doing so would open them up to criminal charges and liability. Rightly or wrongly, selling exploits is not illegal. Hacking your employees' devices is.
If it's actually a state, it's unlikely to be a NATO or FVEY country, since L3Harris is one of the largest defense contractors in the world and most of those countries are customers. The piece is kind of all over the place but the vibe it lands on is that his work phone may have been owned up by his employers.
> his work phone may have been owned up by his employers
First line says "personal phone". I presume MDM on a work phone could do most of the things they'd be interested in, without the risk of setting off an alarm like this. Anyone have speculation about a reason for an employer to pwn a phone that's already on their MDM?
How do you know this?
This is kind of like saying "if people wouldn't murder other people then..."
"Bad" kind of work always finds bodies to fill it's spots. Boycotts of a particular business might work, but a type of work won't, especially when there is decent money on the table. And then when you start adding in people that had previous run ins with law enforcement and find it hard to get a "legit" job and get a decent offer from a place like this, they'll have no problem taking it.
Case in point: In 2007 Germany passed a "hacking law" (§202c). On its face, it was supposed to prevent black hat work. Except it very predictably also did enormous damage to security research.
The OP did say "...for resale in good conscience."
I personally read that as the commercial companies that allows anyone to buy the product off the shelf for the right price -- including governments, but also rogue elements. Bad actors, groups, or even people engaged in abusive domestic practices (customers without the time, experience, or resources to do it in-house). Not the people who work directly under government agencies developing these things for State level intelligence/ops
However I don't agree with the repercussions of this, which are the same ones that make all reasonable people, security experts included, oppose EU's ChatControl or the UK's backdoor requests: There is no way to ensure and protect the people that need protection, as there is no way to ensure that only "the good guys" have it.
We tend to bullshit ourselves into believing that, because spyware like Predator is a weapon, only countries would be allowed to buy and use it (the same way that Jeff Bezos cannot buy and use an F-35, for example). We see, though, that certain individuals _can_ get their hands on these things and use them however they want.
For example, 3 years ago someone adjacent to the Greek government bought and used Predator against MEPs, journalists, army generals, mafia bosses, MPs of opposing parties and even MPs of their own, ruling, party. The Greek government of course denied that they did it, and they said that this individual did not act under the instructions of the government (though they then changed the law to prevent anyone from learning details about it, but that's a different story).
So, apart from adopting the same approach as with ChatControl and encryption backdoors, i.e. banning them, I don't know how we could protect ourselves against them.
Slippery slopes don't justify anything. You might not care enough to make a difference, but many people do and your justification rings hollow to everyone that's potentially a victim. You wouldn't say this about nuclear proliferation, so why make a carveout for digital mercenary work? Because it's "harmless"?
I don't know what your goal is with this statement but it certainly doesn't make me feel any better. If you're this emotionally invested in the topic, it might be best for your own optics to not chime in.
The onus is on Apple and their userbase to protect their own computers, not the rest of society to patrol and regulate unstoppable "information crime" against them
You, sadly, internalized a state humanity adopted after WWII, where the anti-red propaganda told everyone that if you could illegally burn a forest down to then buy a Ferrari, it was the best course of action because if you didn't do it, someone would.
Thankfully people like you are being ostracized, albeit too slowly, and pointed out as what you really are: agentless weak opportunists.
This is too dangerous, it's the wild west
> I've even caught them using their exploits on me after they made me an offer
Not only for exploit companies that eat their own dog food, nor only for cybersecurity jobs, but I've heard of this happening to people interviewing for other tech areas considered strategic.
The noticed ones weren't that subtle, and were presumably noticed because the attacker wasn't using the best methods, but maybe more routine SOP for lower-value targets.
I have no idea what the actors and motivations actually were. Speculation:
* the hiring company or its country, vetting the candidate by spying on them, including for corporate/national counterintelligence reasons (it's really not much different than a lot of the sneaky surveillance capitalism vetting that many companies quietly do, just unambiguously illegal in this case);
* the hiring company, spying to monitor the competitive offer situation (e.g., what counteroffers or concerns does the candidate have);
* other state, individual, and possibly corporate actors, for whom the imminent offer flagged the target as worth keeping an eye on (for, e.g., advance access to research they do individually, knowledge of attacks they do individually, possible technical entry point to the job-offering organization or others, or kompromat for getting access/actions); or
* random associated individuals acting on their own, recreationally enjoying the power over others that their cracking toys give them (which at least used to be not too uncommon, before cybersecurity was professionalized, when there were proportionally much more teens and alienated people, and they hadn't yet been told about color-coded hats for prefabricated codes of behavior from which they could choose; now, most people with skillz have the carrot of a lucrative job or respected status as researcher that they can pursue, instead of seeking power/status other ways and without guidelines).
Personally, I try not to work on strategic target areas, since I like to save my very limited guts for fighting product concepts and reliable systems into shape, not for being helplessly violated by lawless authoritarian institutions. Good luck.
At the political level things don’t operate like some cartel, sort of certain places and certain rather narrow regions of the world where it may take some additional motivating to do the right thing for themselves.
Tell that to Epstein.
> But the ex-Trenchant employee may not be the only exploit developer targeted with spyware .. there have been other spyware and exploit developers in the last few months
I lol'd for a second imagining this is his actual name but the writer didn't realise it
First read: "Apple's alerts somehow exploit a developer".
nth read: "Apple's alerts tell a developer of exploits that..."
Though the whole thing sounds more made up than legit.
And later,
> Without a full forensic analysis of Gibson’s phone ... it’s impossible to know why he was targeted or who targeted him.
> But Gibson told TechCrunch that he believes the threat notification he received from Apple is connected to the circumstances of his departure from Trenchant ...
I find it funny that (1) this guy never thought this would happen to him (2) this guy has the balls to talk to media about this but fears retaliation
I mean, seriously, those who want to know your real name already know it.
Generally, if you develop exploits, you should be completely aware of every single possible attack vector. If you are working for a company like Trenchant, and you know what you are doing, the last thing you do is use Apple devices (at least fully, most of the time you have a public phone and much more secure private phone)
The reason is, when you take an Apple phone, connect it to a router that proxies through a computer so you can inspect traffic, you can see the vast amounts of shit being sent back to Apple which you have no control of.
Meanwhile, if you do the same with my custom rooted, de-googled android phone that I take overseas, you will see only ntp traffic, and that is only so I don't have to deal with cert issues because my clock is wrong.
(From https://security.apple.com/research-device)
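The comment above describes putting a phone behind a router that proxies through a computer and looking at what it sends. The first thing most people do with such a capture is ask "which hostnames is this device resolving, and which of those did I expect?" The script below is an added example, not code from the thread or from any of the companies discussed: it parses the question section of raw DNS query payloads (the UDP port 53 traffic you would get from tcpdump on the proxying router), counts the names, and flags anything outside an allowlist. The packets are constructed inline rather than captured, the telemetry hostnames are hypothetical placeholders, and the allowlist (only `ntp.org`, matching the "NTP only" setup the commenter describes) is an assumption. Responses and truncated packets are skipped rather than crashing the parser.

```python
"""Summarize DNS query names from captured phone traffic and flag unexpected ones.

Added example. Assumes the caller already has raw DNS payloads (UDP/53) from a
capture; the packets below are constructed here, not real device traffic.
"""
import struct
from collections import Counter
from typing import Iterable, List, Optional, Tuple


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels (used to build samples)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS query: header with RD set, QDCOUNT=1, one question (class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query_name(payload: bytes) -> Optional[str]:
    """Return the lower-cased QNAME of a DNS query, or None for responses/malformed data."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount == 0:      # QR=1 is a response, not a query
        return None
    labels: List[str] = []
    pos = 12
    while True:
        if pos >= len(payload):
            return None                     # truncated before the terminating zero label
        length = payload[pos]
        if length == 0:
            break
        if length & 0xC0 or length > 63:    # compression pointers are not valid in a QNAME
            return None
        pos += 1
        if pos + length > len(payload):
            return None                     # label runs past the end of the packet
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels).lower()


def allowed(name: str, allowlist: Iterable[str]) -> bool:
    """True if name equals an allowlisted domain or is a subdomain of one."""
    return any(name == a or name.endswith("." + a) for a in allowlist)


def summarize(payloads: Iterable[bytes], allowlist: Iterable[str]) -> Tuple[Counter, Counter]:
    """Count every queried name; separately count names not covered by the allowlist."""
    allowlist = list(allowlist)
    seen: Counter = Counter()
    unexpected: Counter = Counter()
    for payload in payloads:
        name = parse_query_name(payload)
        if name is None:
            continue
        seen[name] += 1
        if not allowed(name, allowlist):
            unexpected[name] += 1
    return seen, unexpected


# Constructed sample capture (hypothetical hostnames, not real phone traffic):
# one NTP lookup, three telemetry-style lookups, one truncated packet, one response.
SAMPLE_PAYLOADS = [
    build_query(0x1001, "pool.ntp.org"),
    build_query(0x1002, "telemetry.example.com"),
    build_query(0x1003, "telemetry.example.com"),
    build_query(0x1004, "metrics.example.net"),
    build_query(0x1005, "pool.ntp.org")[:14],  # cut mid-QNAME: must be skipped
    struct.pack("!HHHHHH", 0x1001, 0x8180, 1, 1, 0, 0) + encode_name("pool.ntp.org"),  # response
]
ALLOWLIST = ["ntp.org"]  # assumption: the "NTP only" policy from the comment above


def run_sample() -> Tuple[Counter, Counter]:
    return summarize(SAMPLE_PAYLOADS, ALLOWLIST)


if __name__ == "__main__":
    seen, unexpected = run_sample()
    for name, count in seen.most_common():
        flag = "" if allowed(name, ALLOWLIST) else "  <-- not in allowlist"
        print(f"{count:4d}  {name}{flag}")
```

On a real capture you would feed it the UDP payloads from a pcap (scapy or dpkt can split those out) and grow the allowlist only after you have decided, name by name, that a destination is something you want. Note that this only sees DNS; a device using DNS over HTTPS or hard-coded IPs needs a TLS SNI or destination-IP summary on top of it.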
Leopards ate my face moment?
They're not developing these tools to NOT use them...
> 'I never thought leopards would eat MY face,' sobs woman who voted for the Leopards Eating People's Faces Party.
* https://twitter.com/Cavalorn/status/654934442549620736
It is really about a perceptual flaw in pre-fascist democratic behavior: people believing themselves to be a part of the protected class because they voted for it.
It seems to apply here because someone profiting from the creation of tools used on others by people with money/power has them used on him by the government.
tldr; it is a subset of you reap what you sow, with more specificity and punch
People vote for the "leopards eating faces" party because they want leopards to eat other people's faces. You're relying on that party to do something they didn't say (it's not the "leopards eat everyone else's face but not yours" party).
If you vote for a party to build a monument, then they build a monument, that's reaping what you sow.
1. Most of us in this segment of the industry recognize the risks
2. He is absolutely not the first person targeted by this
3. This article sounds like it's part of a wrongful termination suit by Gibson based on the context provided
Nobody should be doing work for these scumbags, but people will always fall for their spiels and grifts, unfortunately, out of some naive sense of “doing good” or “getting the bad guys”. It’s always just “leopards ate my face”, though.
Interesting kind of payback. What does he think happens to the people whom the exploits he develops target?
We live in a world full of threat-actors. We need exploits just like we need firearms and tanks and fighters and jets.
To mock the guy is just naive.
If you develop weapons, physical or digital, don’t be surprised if you end up on the receiving end.
Maybe not at Ford?
https://www.popsci.com/technology/tesla-lock-issue/
Firefighters recently resorted to breaking a Tesla’s window to free a 20-month-old child locked inside after one of the vehicle’s batteries died. The emergency rescue is the second of such incidents reported on this week by Arizona CBS news affiliate KPHO and reiterates the potential dangers of the EV company’s ongoing, under-addressed battery issues in extreme heat.
In July 2023, a 73-year-old man was reportedly forced to kick out a window in his Model Y after becoming trapped. A similar emergency occurred for a mother and her daughter in Illinois a few weeks later after renting a Tesla, while a California driver last month claimed she found herself stuck in her EV while waiting on an over-the-air software update that shut down her car. In the 40 minutes it took to complete the update, outside temperatures rose to 115-degrees Fahrenheit.
And yeah, if you know how, and can go through multiple steps: The only other workaround to battery issues appears to be a step-by-step solution in the owner’s manual that only opens a dead Tesla’s front hood by ostensibly hotwiring the car using external jumper cables. If this is the case, then people who find themselves locked out of their EV may need to continue relying on EMS—and their axes—until Tesla decides to address the glaring safety hazard.
Sure, cars are useful. But aiming to sell as many cars as possible is no more ethical than selling as many yachts as you can, especially if it involves making the living conditions worse for anyone who doesn't own a yacht, for example by bribing politicians, or destroying non-yacht-capable waterways.
This is too dangerous, it's the wild west
I stopped when it became a game at that level. I refuse to be a government contractor…. It’s about not using software like this to kill people like Jamal Khashoggi.
F the dipshits at NSO and the turds at Corellium.
Not going to lie, this subject line would fit right in with the phishing messages and 419 scams in my Spam folder.
The Apple Support app, for example, has capabilities which when triggered from the Apple side, allow screen-sharing and logging to be shared with Apple. I don’t know if this functionality relies on iMessage being enabled either, but I do know that the Apple Support app seemingly still works in Lockdown Mode.
I’d be curious if the person in TFA had their device in Lockdown Mode, which supposedly is supposed to make these kinds of exploits harder to install. If they were using Lockdown Mode, and they still got exploited, that isn’t great news for the rest of us, but the fact that Apple notified them is better than the alternative of Apple not being aware of the breach and/or Apple being aware and not notifying them for reasons.
A better mechanism would surely be a push notification to the device, or one of the alert-based notifications used for earthquakes etc
push notification + out of band comms would be more ideal, time sensitivity is significantly important.
If I got a message in my iPhone saying it had been remotely disabled, I would take it to an Apple Store or authorized Apple Service Center, where they could tell me what should happen next. This would be inconvenient, to be sure, but it would be preferable to continuing to use the device.
Sue them!
> Two days after receiving the Apple threat notification, Gibson contacted a forensic expert with extensive experience investigating spyware attacks.
Surely as a professional "exploit developer", Gibson himself should have been about as expert at this particular niche as any human being on the planet already.
I mean, sure, absolutely he should have called in his friends in the community and gotten more eyes on the device. But the way that's written it sounds like he took it into the local Genius Bar.
It also, in context, feels a little obfuscatory. Like he's trying to flag the involvement of senior folks who he can't name.
From the inference of that logic, every developer should be able to use gdb or Windbg to ascertain where they shot themselves in the foot - but we know that this specific set of skills isn't inherently required to be a developer.
So, the same logic would be true here: just because you can write a handful of exploits, it doesn't inherently mean that you have the tools/know-how to be able to ascertain if any of the available exploits in the wild (or in private, re: tools for Trenchant) have been used on your phone.
Edit: gbd != gdb
The point was at this level of expertise and size of market ("detection of iOS zero day rootkits"), there simply isn't a pool of "experts" you can draw on to do this a-la contract work. It's a tiny world and everyone is fumbling around and asking for help independently. And as a member of that tiny world, Gibson surely knew who he needed to call already.
But that's not the way the article framed the interaction, which implies to me that there's more context at work here.
Why does he think that will help against a state-backed adversary?
> Why does he think that will help against a state-backed adversary?
What are his alternatives?
This does not imply that it is easy to track everyone everywhere at all times. I guess most targeted ones would like to protect their communication, and even meetings in person are possible if you keep some safeguards.
I don't really see any alternatives. Do you?
There's a whole continuum.
Other than 2FA, text messaging is easy to get rid of.
You still use it to make calls, so yeah, they can track you that way. You can keep the phone off most of the time, though. People close to me know that they're more likely to reach me by calling my home phone.
What else does one really need a phone for?
Navigation? Do what I did: Get another phone that never has a SIM card and use an offline app.
Camera? The same. But really, life is very doable without a camera to begin with!
The only reason I need a phone is 2FA.
But 100% you can still find alternatives, it's just about how much stuff you wanna carry around with you, right?
If you are actually security conscious, the only setup that works is have a public facing phone and a private phone that is custom rooted, de googled, and you control everything that runs on it.
Does that really not make sense?
If he's running iOS he can also enable Lockdown Mode on the new phone to block most types of attacks.
Another reason not to work at places like this.
First line says "personal phone". I presume MDM on a work phone could do most of the things they'd be interested in, without the risk of setting off an alarm like this. Anyone have speculation about a reason for an employer to pwn a phone that's already on their MDM?
- Exploit developer makes and plays with exploits on their phone
- Apple notices this, warns them that there is spyware on their phone
- Exploit developer somehow thinks it is governments hacking into their phone
I’m kidding of course