bink
12 hours ago
I've interviewed with these types of companies (not the ones in the article). I've even caught them using their exploits on me after they made me an offer and that seems to be the most likely explanation for what happened here. I don't know how anyone can develop exploits for resale in good conscience.
If these companies have no qualms using their exploits against their own employees they'll have absolutely no problem using them against members of Congress, the Courts, investment banks, tech leaders, and anyone with any sort of power. This gives them the ability to blackmail some of the most powerful people in the world.
edit: And that's not even mentioning their reported "intended use" against dissidents and journalists.
duxup
10 hours ago
I think by default these companies kinda filter out people with values that would impede unrestricted use of their tools. And at worse possibly attract people who think "I'd sure like to spy on other people". That's scary.
gessha
7 hours ago
That or they mask their activity with layers of management and vague and abstract products.
tptacek
10 hours ago
You don't know how any of these could be developed in good conscience? How about: anti-proliferation intelligence work is going to happen whether it requires human intelligence or CNE, and CNE is less costly and harmful?
I get where you're probably coming from: this same technology is used all over the world to target journalists and dissidents in countries with and without the rule of law. A very real concern. I wouldn't do this kind of work either (also, it's been over a decade since I had the chops even to apprentice at it).
But there are very coherent reasons people are comfortable doing this work for NATO countries. Our reflexive distrust of law enforcement and intelligence work is a fringe belief: a lot of families are very proud to include people working in these fields.
The most important thing I guess I'd have to say here is: our opinion of this stuff doesn't matter. At current market rates every country in the world can afford CNE technology, and it's a market well served by vendors outside of NATO.
Ms-J
10 hours ago
"our opinion of this stuff doesn't matter."
It very much does matter. If more people refuse to do this type of work, it eventually won't be done to the required standard. People would cut family ties and this would stop fast.
tptacek
9 hours ago
That's an incredibly blinkered view of the ecosystem that assumes that the only talent capable of delivering this work is people you talk to or share cultural ties with. There are ultra-skilled people in developing countries who could not give less of a fuck about how uncomfortable this stuff makes people in the west.
GauntletWizard
9 hours ago
There are tons of people in the West who have no qualms about doing this for pure crime purposes; many of them are the ones who espouse most ardently that doing this work for the government is immoral.
philipallstar
7 hours ago
> many of them are the ones who espouse most ardently that doing this work for the government is immoral
How do you know this?
GauntletWizard
4 hours ago
An opinion, based on meeting people like https://www.nbcnews.com/news/us-news/capital-one-hacking-sus...
fruitworks
5 hours ago
So what? As GP suggests, they are not necessary for the development of exploits.
pixl97
6 hours ago
> If more people refuse to do this type of work
This is kind of like saying "if people wouldn't murder other people then..."
"Bad" kind of work always finds bodies to fill its spots. Boycotts of a particular business might work, but a type of work won't, especially when there is decent money on the table. And then when you start adding in people that had previous run-ins with law enforcement and find it hard to get a "legit" job and get a decent offer from a place like this, they'll have no problem taking it.
1659447091
2 hours ago
> You don't know how any of these could be developed in good conscience?
The OP did say "...for resale in good conscience."
I personally read that as the commercial companies that allow anyone to buy the product off the shelf for the right price -- including governments, but also rogue elements. Bad actors, groups, or even people engaged in abusive domestic practices (customers without the time, experience, or resources to do it in-house). Not the people who work directly under government agencies developing these things for State level intelligence/ops.
sakisv
7 hours ago
I think I agree with what I think you're trying to say.
However I don't agree with the repercussions of this, which are the same ones that make all reasonable people, security experts included, oppose EU's ChatControl or the UK's backdoor requests: There is no way to ensure and protect the people that need protection, as there is no way to ensure that only "the good guys" have it.
We tend to bullshit ourselves into believing that because spyware software like Predator are weapons, meaning that only countries would be allowed to buy them and use them (same way that Jeff Bezos cannot buy and use an F-35 for example). We see though, that certain individuals _can_ get their hands on these things and use them however they want.
For example, 3 years ago someone adjacent to the Greek government bought and used Predator against MEPs, journalists, army generals, mafia bosses, MPs of opposing parties and even MPs of their own, ruling, party. The Greek government of course denied that they did it, and they said that this individual did not act under the instructions of the government (though they then changed the law to prevent anyone from learning details about it, but that's a different story).
So, apart from adopting the same approach as with ChatControl and encryption backdoors, i.e. banning them, I don't know how we could protect ourselves against them.
tptacek
6 hours ago
I'm an American and am glad of my personal belief that the American system would not allow something like ChatControl by state mandate. I also wouldn't participate in commercial exploit development (even if I was capable of doing so competitively). But I don't think the two things are at all comparable.
bigyabai
8 hours ago
> At current market rates every country in the world can afford CNE technology
Slippery slopes don't justify anything. You might not care enough to make a difference, but many people do and your justification rings hollow to everyone that's potentially a victim. You wouldn't say this about nuclear proliferation, so why make a carveout for digital mercenary work? Because it's "harmless"?
I don't know what your goal is with this statement but it certainly doesn't make me feel any better. If you're this emotionally invested in the topic, it might be best for your own optics to not chime in.
tptacek
8 hours ago
I'm not justifying anything. I'm saying a very large number of people don't share the premise in the parent comment. It's one thing to disagree with a practice; it's another thing to suggest that disagreement with it is universal. It is not.
fruitworks
4 hours ago
The difference is that it's completely plausible to protect against a cyberattack, but completely implausible to protect against a nuclear attack.
The onus is on Apple and their userbase to protect their own computers, not the rest of society to patrol and regulate unstoppable "information crime" against them.
saagarjha
9 hours ago
Maybe that was just a phase of your interview.
Ms-J
11 hours ago
That's outrageous that they tried to attack you like that. How exactly did it happen? Did they send a link via SMS to your phone, or some other way?
bink
10 hours ago
I don't wanna give away too much in case they're reading, but they didn't use their stealthiest exploit. It was pretty obvious, especially if you monitor your network traffic.
matheusmoreira
10 hours ago
I gotta admit I'm not in the habit of monitoring my network traffic... Gotta wonder if it's even possible to protect ourselves against this surveillance without going full OPSEC mode.
throwaway48476
8 hours ago
If you're developing tools you're likely testing against vendor network monitoring apps and in the habit of using them.
Ms-J
10 hours ago
Ok, guessing against a computer of yours and not a phone (which of course is still possible), thanks. Hope it can help all of us stay safe.
cj
10 hours ago
How obvious would it be to someone being hired as an office manager or janitor or similar?
cobertos
10 hours ago
Monitoring your network traffic on your local PC (ala Little Snitch or Open Snitch) or monitoring it at the gateway/router level?
bink
8 hours ago
At the router level. I turned off cellular data to be sure, but I don't even think that was necessary since it was on wifi.
jokoon
8 hours ago
This is why I don't want to work in cybersecurity.
This is too dangerous; it's the wild west.
neilv
8 hours ago
I figured security researchers were always targets of multiple APT actors and random individuals. However...
> I've even caught them using their exploits on me after they made me an offer
Not only for exploit companies that eat their own dog food, nor only cybersecurity jobs, but I've heard of this happening to people interviewing for other tech areas considered strategic.
The noticed ones weren't that subtle, and were presumably noticed because the attacker wasn't using the best methods, but maybe more routine SOP for lower-value targets.
I have no idea what the actors and motivations actually were. Speculation:
* the hiring company or its country, vetting the candidate by spying on them, including for corporate/national counterintelligence reasons (it's really not much different than a lot of the sneaky surveillance capitalism vetting that many companies quietly do, just unambiguously illegal in this case);
* the hiring company, spying to monitor the competitive offer situation (e.g., what counteroffers or concerns does the candidate have);
* other state, individual, and possibly corporate actors, for whom the imminent offer flagged the target as worth keeping an eye on (for, e.g., advance access to research they do individually, knowledge of attacks they do individually, possible technical entry point to the job-offering organization or others, or kompromat for getting access/actions); or
* random associated individuals acting on their own, recreationally enjoying the power over others that their cracking toys give them (which at least used to be not too uncommon, before cybersecurity was professionalized, when there were proportionally many more teens and alienated people, and they hadn't yet been told about color-coded hats for prefabricated codes of behavior from which they could choose; now, most people with skillz have the carrot of a lucrative job or respected status as researcher that they can pursue, instead of seeking power/status other ways and without guidelines).
Personally, I try not to work on strategic target areas, since I like to save my very limited guts for fighting product concepts and reliable systems into shape, not for being helplessly violated by lawless authoritarian institutions. Good luck.
hopelite
8 hours ago
Forget blackmail, people wildly overestimate the value of blackmail. Far more predictable and lucrative is just to use exploits for insider information, including as favors and bribes, and selling them to governments willing to pay immense amounts of money. Blackmail is far too messy. Grease works way better.
throwaway48476
8 hours ago
Plata o plomo. Usually a combination of threats and bribery is most effective. The truly dangerous groups usually have the ability and willingness to pay well.
hopelite
3 hours ago
Sorry, that's just not how it is practiced and at least has not been for a long time. You've heard the saying, you catch more flies with honey than vinegar, right? If you have unlimited funds and you are the giver and bringer and provider, there is no need for blackmail. It's just the nuclear option, so to say.
At the political level things don’t operate like some cartel, sort of certain places and certain rather narrow regions of the world where it may take some additional motivating to do the right thing for themselves.
octoberfranklin
6 hours ago
Forget blackmail
Tell that to Epstein.
hopelite
3 hours ago
Ironically that actually applies to him too. Sure, he likely had all kinds of stuff on people, but frankly bribery still always works far more effectively unless you encounter some resistance. It’s a rather established practice. The “blackmail” material is really just an insurance, not actual leverage.