I think by default these companies kinda filter out people with values that would impede unrestricted use of their tools. And at worse possibly attract people who think "I'd sure like to spy on other people". That's scary.

You don't know how any of these could be developed in good conscience? How about: anti-proliferation intelligence work is going to happen whether it requires human intelligence or CNE, and CNE is less costly and harmful?

I get where you're probably coming from: this same technology is used all over the world to target journalists and dissidents in countries with and without the rule of law. A very real concern. I wouldn't do this kind of work either (also, it's been over a decade since I had the chops even to apprentice at it).

But there are very coherent reasons people are comfortable doing this work for NATO countries. Our reflexive distrust of law enforcement and intelligence work is a fringe belief: a lot of families are very proud to include people working in these fields.

The most important thing I guess I'd have to say here is: our opinion of this stuff doesn't matter. At current market rates every country in the world can afford CNE technology, and it's a market well served by vendors outside of NATO.

Forget blackmail, people wildly overestimate the value of blackmail. Far more predictable and lucrative is just to use exploits for insider information, including as favors and bribes, and selling them to governments willing to pay immense amounts of money. Blackmail is far too messy. Grease works way better.

That's outrageous that they tried to attack you like that. How exactly did it happen? Did they send a link via SMS to your phone, or some other way?

Maybe that was just a phase of your interview.

This is why I don't want to work in cybersecurity

This is too dangerous, it's the wild west

I figured security researchers were always targets of multiple APT actors and random individuals. However...

> I've even caught them using their exploits on me after they made me an offer

Not only for exploit companies that eat their own dog food, nor only cybersecurity jobs, but I've heard of this happening to people interviewing for other tech area considered strategic.

The noticed ones weren't that subtle, and were presumably noticed because the attacker wasn't using the best methods, but maybe more routine SOP for lower-value targets.

I have no idea what the actors and motivations actually were. Speculation:

* the hiring company or its country, vetting the candidate by spying on them, including for corporate/national counterintelligence reasons (it's really not much different than a lot of the sneaky surveillance capitalism vetting that many companies quietly do, just unambiguously illegal in this case);

* the hiring company, spying to monitor the competitive offer situation (e.g., what counteroffers or concerns does the candidate have);

* other state, individual, and possibly corporate actors, for whom the imminent offer flagged the target as worth keeping an eye on (for, e.g., advance access to research they do individually, knowledge of attacks they do individually, possible technical entry point to the job-offering organization or others, or kompromat for getting access/actions); or

* random associated individuals acting on their own, recreationally enjoying the power over others that their cracking toys give them (which at least used to be not too uncommon, before cybersecurity was professionalized, when there were proportionally much more teens and alienated people, and they hadn't yet been told about color-coded hats for prefabricated codes of behavior from which they could choose; now, most people with skillz have the carrot of a lucrative job or respected status as researcher that they can pursue, instead of seeking power/status other ways and without guidelines).

Personally, I try not to work on strategic target areas, since I like to save my very limited guts for fighting product concepts and reliable systems into shape, not for being helplessly violated by lawless authoritarian institutions. Good luck.

[dead]

His former employer sandbox over wifi or use stingray like devices. Apple can see that this went over the public iMessage/PushNotification channels.

So Apple told them of exploits? :)

This honestly smells really strong like made up shit. Or the guy is very much a low key player.

Generally, if you develop exploits, you should be completely aware of every single possible attack vector. If you are working for a company like Trenchant, and you know what you are doing, the last thing you do is use Apple devices (at least fully, most of the time you have a public phone and much more secure private phone)

The reason is, when you take an Apple phone, connect it to a router that proxies through a computer so you can inspect traffic, you can see the vast amounts of shit being sent back to Apple which you have no control of.

Meanwhile, if you do the same with my custom rooted, de-googled android phone that I take overseas, you will see only ntp traffic, and that is only so I don't have to deal with cert issues because my clock is wrong.

Going public is presumably part of his strategy for trying not to be disappeared.

For at least 2 decades now exploit developers have been rather infamously prime targets for spyware, so whoever wrote this piece isn't read in at all to the industry.

"Leopards ate my face" reference for others not in the know: https://knowyourmeme.com/memes/leopards-eating-peoples-faces...

Based on the article, it sounds like a bit of a "he said - she said" article after Gibson was terminated at Trenchant/L3Harris.

Enlist and get your top secret clearance managing LANs and teaching officers how to add images into PowerPoints, they said. You’ll never be unemployed. Then you realize the “job” mostly involves being a disposable cog in some ex-colonel’s endless PowerPoint war. Every meeting feels like a high-stakes reenactment of “Yes, sir,” where accountability is optional and speaking up is career suicide. Billion-dollar mistakes are brushed off as “lessons learned,” while you get a lecture about integrity. It’s the world’s most expensive game of “the emperor has no clothes,” except everyone’s wearing lanyards and classified guilt.

[dead]

Sounds like he naively believes only governments use these, and only against legitimate criminals.

I agree it reads weird, but I am leaving room for the idea that there are a lot of very gifted people who work on this stuff as an intellectual challenge, have a sort of straight up systemsy computer science background, and don't have or care about a bigger picture of where they fit into the industry. But still: the companies that became Trenchant were notoriously paranoid about state-sponsored CNE threats! It would still be weird to be surprised by them.

I think you're conflating two precepts. Just because you can write an exploit, it doesn't - inherently - mean that you have the skills/knowledge/tools of where to look for all signs of exploit having occurred on your device(s).

From the inference of that logic, every developer should be able to use gdb or Windbg to ascertain where they shot themselves in the foot - but we know that this specific set of skills isn't inherently required to be a developer.

So, the same logic would be true here: Just because you can write a hand full of exploits, it doesn't inherently mean that you have the tools/know-how to be able to ascertain if any of all of the available exploits in the wild (or in private, re: tools for Trenchat) have been used on your phone.

Edit: gbd != gdb

I know people involved at Trenchant and have trouble believing that anybody who worked there was shocked by this threat. Maybe things have changed post-L3Harris but "it" (it's more than one company) was an incredibly paranoid IT shop prior to the acquisition.

If an engineer at Ford dies in a car crash does he really deserve it?

We live in a world full of threat-actors. We need exploits just like we need firearms and tanks and fighters and jets.

To mock the guy is just naive.

There's still no proof that it was Trenchant, and there was no evidence on the device. It's unlikely that it will ever be identified as an attack from Trenchant. Trenchant/L3Harris is a supplier for Five Eyes, and any attribution of their exploits will likely be concealed.

Normally with crime we arrest people. Half the problems in the world seem to stem from the fact companies are unaccountable.

Here's what it looks like: https://c.ndtvimg.com/2024-04/30p8264g_apple-notification_62...

I don't think he thinks it is a state.

>> I went immediately to buy a new phone.

> Why does he think that will help against a state-backed adversary?

What are his alternatives?

This doesn’t make sense… of course it will help. It gives you a clean slate, not compromised when you pick it up.

There is some amount of protection until the adversary discovers the new number. But since they've already compromised his phone they likely have his dad's number and can compromise that phone to find him again. It's dystopian.

If he's running iOS he can also enabled Lockdown Mode on the new phone to block most types of attacks.

The article notes that the target's former employer makes hackng tools and they separated on bad terms. Seems like it easily could just be the target's former employer.

If it's actually a state, it's unlikely to be a NATO or FVEY country, since L3Harris is one of the largest defense contractors in the world and most of those countries are customers. The piece is kind of all over the place but the vibe it lands on is that his work phone may have been owned up by his employers.

I'm going to go out on a limb here and say it's a state in the DMV.. L3Harris HQ is in Arlington if I'm not mistaken

When it comes to state-sponsored cyber-spying like this, take your pick between USA, Israel, Russia, China.

These exploits get developed on airgapped devices

Nullable column I guess?

I’m kidding of course