i’m loath to root for a corporate entity in any form, but this had me chuckling:
“We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future.”
What happens if you are at the receiving end of this Cellebrite software, and your phone is one of the phones that has these completely unrelated files on it?
Maybe your “interviewer” won’t find it as funny. Maybe it’s still better than the alternative? If they’re actually doing it, that is.
If you are being “interviewed” by a government that does not have guarantees around civil rights and rule of law, a cheeky exploit likely won’t matter: the presence of Signal may be enough to convict you in the eyes of the state, let alone anything else found on your phone.
If the state does respect rights and rules of law, I think the presence of an exploit targeting forensic gathering tools that you didn’t install yourself could arguably introduce enough doubt to the process to exclude anything identified in the search.
Having Signal or WhatsApp on your phone is sure to be excuse enough if the government you’re dealing with doesn’t guarantee civil rights or the rule of law
Your interviewer won’t find it, that’s the point. Your interviewer’s software will parse the file, and the file triggers a remote code execution. But why would that remote code execution be displayed to the interviewer as user?
But as it happens, I sort of know someone who works with this. His employer will be angry at Cellebrite, and will the contract will soon say “all CVEs must be applied, or else they pay damages”. Moxie will not have overlooked this aspect.
Not knowing more than what’s presented in the article, I imagined for example that the interviewer could have old reports open, or visible in a file browser, and then the exploit would modify them all. That could be one way to notice that something just happened.
Like when I change some file from underneath my text editor, and it goes “the file changed on disk, what do you want to do?”
When you can program a computer to do anything, that includes any imaginable bad things. Just choose a meaning of “bad”, and general computing includes at an instance of that. The fallacy is to transfer the badness to general computing, or the developer who can choose freely what code to write and run.
A program such as Signal can run any code on a Cellebrite computer, including code which is bad for the Signal user. That doesn’t make Signal bad, or imply that the Signal developers would act against their user’s interest, or even that they might. Just that they could.
Cellebrite has two main customer groups, one of them involves prosecution. That statement tells prosecutors that the report they use aren’t reliable. Those prosecutors need reliability and will tell their Cellebrite salescritters that, so it’s an excellent way to threaten Cellebrite’s Cellebrite’s income.
i’m loath to root for a corporate entity in any form, but this had me chuckling:
“We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future.”
It took me five minutes to realize that the software didn’t actually “fall off the back of a truck”.
I am very gullible.
I totally believed it too, the photo of the kit on the street really sells it.
I think it might be a reference to Simpsons episode where Bart and Homer work for mafia.
https://youtu.be/kccONko4xYE
“es ist vom Laster gefallen” is a common expression in German language since the years of 1945-1948 when such skills were needed to survive.
I had to laugh out loudly when I read it yesterday.
What happens if you are at the receiving end of this Cellebrite software, and your phone is one of the phones that has these completely unrelated files on it?
Maybe your “interviewer” won’t find it as funny. Maybe it’s still better than the alternative? If they’re actually doing it, that is.
If you are being “interviewed” by a government that does not have guarantees around civil rights and rule of law, a cheeky exploit likely won’t matter: the presence of Signal may be enough to convict you in the eyes of the state, let alone anything else found on your phone.
If the state does respect rights and rules of law, I think the presence of an exploit targeting forensic gathering tools that you didn’t install yourself could arguably introduce enough doubt to the process to exclude anything identified in the search.
Show me a state whose spooks and counterterrorism apparatus respect rights and rules of law and I’ll show you a bridge you can buy for 5 bucks.
Some governments have been known to torture and imprison people on the basis of owning a Casio watch: https://www.theguardian.com/world/2011/apr/25/guantanamo-files-casio-wristwatch-alqaida
Having Signal or WhatsApp on your phone is sure to be excuse enough if the government you’re dealing with doesn’t guarantee civil rights or the rule of law
Your interviewer won’t find it, that’s the point. Your interviewer’s software will parse the file, and the file triggers a remote code execution. But why would that remote code execution be displayed to the interviewer as user?
But as it happens, I sort of know someone who works with this. His employer will be angry at Cellebrite, and will the contract will soon say “all CVEs must be applied, or else they pay damages”. Moxie will not have overlooked this aspect.
Not knowing more than what’s presented in the article, I imagined for example that the interviewer could have old reports open, or visible in a file browser, and then the exploit would modify them all. That could be one way to notice that something just happened.
Like when I change some file from underneath my text editor, and it goes “the file changed on disk, what do you want to do?”
A common fallacy of general computing.
When you can program a computer to do anything, that includes any imaginable bad things. Just choose a meaning of “bad”, and general computing includes at an instance of that. The fallacy is to transfer the badness to general computing, or the developer who can choose freely what code to write and run.
A program such as Signal can run any code on a Cellebrite computer, including code which is bad for the Signal user. That doesn’t make Signal bad, or imply that the Signal developers would act against their user’s interest, or even that they might. Just that they could.
Modifying past and future reports is not something I came up with. It’s right there in the article.
Yes, because it’s a good threat.
Cellebrite has two main customer groups, one of them involves prosecution. That statement tells prosecutors that the report they use aren’t reliable. Those prosecutors need reliability and will tell their Cellebrite salescritters that, so it’s an excellent way to threaten Cellebrite’s Cellebrite’s income.
Now I’m curious how those aesthetically pleasing files look like. And, um, what other aesthetic things they can do…