this post was submitted on 17 Sep 2023
560 points (98.8% liked)

World News

39401 readers
2656 users here now

A community for discussing events around the World

Rules:

Similarly, if you see posts along these lines, do not engage. Report them, block them, and live a happier life than they do. We see too many slapfights that boil down to "Mom! He's bugging me!" and "I'm not touching you!" Going forward, slapfights will result in removed comments and temp bans to cool off.

We ask that the users report any comment or post that violate the rules, to use critical thinking when reading, posting or commenting. Users that post off-topic spam, advocate violence, have multiple comments or posts removed, weaponize reports or violate the code of conduct will be banned.

All posts and comments will be reviewed on a case-by-case basis. This means that some content that violates the rules may be allowed, while other content that does not violate the rules may be removed. The moderators retain the right to remove any content and ban users.


Lemmy World Partners

News [email protected]

Politics [email protected]

World Politics [email protected]


Recommendations

For Firefox users, there is media bias / propaganda / fact check plugin.

https://addons.mozilla.org/en-US/firefox/addon/media-bias-fact-check/

founded 2 years ago
MODERATORS
 
  • Russia appears to be targeting journalists with spyware known as Pegasus.

  • Pegasus is a "zero-click" software, hacking phones by sending texts that don't need to be opened.

  • The software has targeted dozens of journalists, activists, and politicians in recent years.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 5 points 1 year ago (1 children)

Theres literally a functioning business model of "find zero-day exploits for software X and sell that info to the highest bidder". There is actively many huge bounties for currently working exploits that you, random dude on the internet, can get if you can show that an unknown bug can be used to gain access to some software. Pegasus is one of the groups buying the exploits and then using it.

It is a perpetual cat and mouse game. Every time that Apple is made aware of an exploit they patch it asap, but that doesn't mean they've fixed every exploit. You can't fix a bug unless you know it's there.

[–] [email protected] -1 points 1 year ago* (last edited 1 year ago) (2 children)

Really? An entire economy based on hacking, exploits, and exfiltration? (Edit: I guess I need this: /s, because, /whoosh)

Again. A 2 TRILLION DOLLAR COMPANY, should be able to find the resources to not only find these exploits, but be able to more vigorously check their own code on their own platform on their own hardware in their own labs.

Doubly since it affects a broad range of hardware/software/firmware, and since these exploits essentially own everything, and it is targeted at high value targets including members of state, journos, advocates and dissenters, it would seem necessary to develop better security in tandem with the other half of the monopoly and OEM'S and national security agencies.

It isn't just a bug that erases your favorite cat pics. Worst case, these exploits can erase your life if you end up saying/knowing/thinking something someone doesn't like.

I find it difficult to believe after 3 years, multiple os updates, code changes, hardware/chip redesign, the same exploit(s) have remained so thoroughly effective, and the best a company can do is "lockdown"

You're already owned by then.

[–] [email protected] 5 points 1 year ago (1 children)

Ye, it's a real thing. A quick google search for the term "companies that buy software exploits" lead me to the following real companies that will buy exploits you find; zerodium, offensive cyber, and vupen. In fact, zerodium currently has a $400,000 bounty for an exploit for microsoft outlook. It's very useful for say something like a government to know about these hacks in case say they want to hack someone. For example stuxnet was written by the US to fuck with Iranian centrifuges.

Pegasus isn't just a single exploit. It uses many and every patch to an OS doesn't fix every single exploit so there's always another way Pegasus can break into the system. Also, do you think that with every update to iOS the developers are rewriting their entire code base? I've written lots of updates for my software and I almost never scrap the entire thing when I need to do rewrites.

Again, Apple, a 2 TRILLION dollar company, can only fix exploits they know exist.

[–] [email protected] -1 points 1 year ago* (last edited 1 year ago)

Again, with 2 trillion dollars, I'd fucking hire every hacker, grey, black, white, and red hat, every security expert, every current and former intelligence agent, consultant, pundit, engineer, 7 year old prodigy, AI, and the corpse of Steve Jobs to fix a problem that essentially makes any and all security features null and void.

But, that's just me.

I'm not a shareholder grasping at my 96 cent dividend over the safety and lives of people.

And even after spending all that, I'd still have 2 trillion because that is an insane figure that is so big it would pay 10 million people 200k. Surely enough to fix the problem.

[–] Ottomateeverything 3 points 1 year ago* (last edited 1 year ago)

Yeah, the argument that there's money in this business only furthers the point here - there's money in it because it's valuable to abuse systems. Therefore the people running those systems should be the ones fucking funding it. And then using that agreement to keep the exploit details behind closed doors until they are able to fix it.

It's almost like this should be an entire internal department. Maybe it could be named after the idea of keeping things secure?

If the company making massive profits off the sales of these devices isn't going to fund it, who is? It's fucking insane to me that Google basically funds the security of iOS for Apple, who's their direct competition in that market. We probably wouldn't even know this exists if it wasn't for stuff like that.