Thursday, August 25, 2016

Notes on the Apple/NSO Trident 0days

I thought I'd write up some comments on today's news of the NSO malware using 0days to infect human rights activist phones. For full reference, you want to read the Citizen's Lab report and the Lookout report.

Press: it's news to you, it's not news to us

I'm seeing breathless news articles appear. I dread the next time that I talk to my mom that she's going to ask about it (including "were you involved"). I suppose it is new to those outside the cybersec community, but for those of us insiders, it's not particularly newsworthy. It's just more government malware going after activists. It's just one more set of 0days.

I point this out in case press wants to contact for some awesome sounding quote about how exciting/important this is. I'll have the opposite quote.

Don't panic: all patches fix 0days

We should pay attention to context: all patches (for iPhone, Windows, etc.) fix 0days that hackers can use to break into devices. Normally these 0days are discovered by the company itself or by outside researchers intending to fix (and not exploit) the problem. What's different here is that where most 0days are just a theoretical danger, these 0days are an actual danger -- currently being exploited by the NSO Group's products. Thus, there's maybe a bit more urgency in this patch compared to other patches.

Don't panic: NSA/Chinese/Russians using secret 0days anyway

It's almost certain the NSA, the Chinese, and the Russian have similar 0days. That means applying this patch makes you safe from the NSO Group (for a while, until they find new 0days), but it's unlikely this patch makes you safe from the others.

Of course it's multiple 0days

Some people are marveling how the attack includes three 0days. That's been the norm for browser exploits for a decade now. There's sandboxes and ASLR protections to get through. There's privilege escalation to get into the kernel. And then there's persistence. How far you get in solving one or more of these problems with a single 0day depends upon luck.

It's actually four 0days

While it wasn't given a CVE number, there was a fourth 0day: the persistence using the JavaScriptCore binary to run a JavaScript text file. The JavaScriptCore program appears to be only a tool for developers and not needed the functioning of the phone. It appears that the iOS 9.3.5 patch disables. While technically, it's not a coding "bug", it's still a design bug. 0days solving the persistence problem (where the malware/implant runs when phone is rebooted) are worth over a hundred thousand dollars all on their own.

That about wraps it up for VEP

VEP is Vulnerability Equities Process that's supposed to, but doesn't, manage how the government uses 0days it acquires.

Agitators like the EFF have been fighting against the NSA's acquisition and use of 0days, as if this makes us all less secure. What today's incident shows is that acquisition/use of 0days will be widespread around the world, regardless what the NSA does. It's be nice to get more transparency about what they NSA is doing through the VEP process, but the reality is the EFF is never going to get anything close to what it's agitating for.

That about wraps is up for Wassenaar

Wassenaar is an internal arms control "treaty". Left-wing agitators convinced the Wassenaar folks to add 0days and malware to the treaty -- with horrific results. There is essentially no difference between bad code and good code, only how it's used, so the the Wassenaar extensions have essentially outlawed all good code and security research.

Some agitators are convinced Wassenaar can be still be fixed (it can't). Israel, where NSO Group is based, is not a member of Wassenaar, and thus whatever limitations Wassenaar could come up with would not stop the NSO.

Some have pointed out that Israel frequently adopts Wassenaar rules anyway, but they would then simply transfer the company somewhere else, such as Singapore.

The point is that 0day development is intensely international. There are great 0day researchers throughout the non-Wassenaar countries. It's not like precision tooling for aluminum cylinders (for nuclear enrichment) that can only be made in an industrialized country. Some of the best 0day researchers come from backwards countries, growing up with only an Internet connection.


The victim in this case, Ahmed Mansoor, has apparently been hacked many time, including with HackingTeam's malware and Finfisher malware -- notorious commercial products used by evil government's to hack into dissident's computers.

Obviously, he'll be hacked again. He's a gold mine for researchers in this area. The NSA, anti-virus companies, Apple jailbreak companies, and the like should be jumping over themselves offering this guy a phone. One way this would work is giving him a new phone every 6 months in exchange for the previous phone to analyze.

Apple, of course, should head the list of companies doing this, proving "activist phones" to activists with their own secret monitoring tools installed so that they can regularly check if some new malware/implant has been installed.

iPhones are still better, suck it Android

Despite the fact that everybody and their mother is buying iPhone 0days to hack phones, it's still the most secure phone. Androids are open to any old hacker -- iPhone are open only to nation state hackers.

Use signal, use Tor

I didn't see Signal on the list of apps the malware tapped into. There's no particular reason for this, other than NSO haven't gotten around to it yet. But I thought I'd point how yet again, Signal wins.

SMS vs. MitM

Some have pointed to SMS as the exploit vector, which gave Citizen's Lab the evidence that the phone had been hacked.

It's a Safari exploit, so getting the user to visit a web page is required. This can be done over SMS, over email, over Twitter, or over any other messaging service the user uses. Presumably, SMS was chosen because users are more paranoid of links in phishing emails than they are SMS messages.

However, the way it should be doing is with man-in-the-middle (MitM) tools in the infrastructure. Such a tool would wait until the victim visited any webpage via Safari, then magically append the exploit to the page. As Snowden showed, this is apparently how the NSA does it, which is probably why they haven't gotten caught yet after exploiting iPhones for years.

The UAE (the government who is almost certainly trying to hack Mansoor's phone) has the control over their infrastructure in theory to conduct a hack. We've already caught other governments doing similar things (like Tunisia). My guess is they were just lazy, and wanted to do it the easiest way for them.

Another lesson in confirmation bias

The biggest problem with hacker attribution is the confirmation bias problem. Once you develop a theory, your mind shifts to distorting evidence trying to prove the theory. After a while, only your theory seems possible as one that can fit all your carefully selected evidence.

You can watch this happen in two recent blogposts [1] [2] by Krypt3ia attributing bitcoin payments to the Shadow Broker hackers as coming from the government (FBI, NSA, TAO). These posts are absolutely wrong. Nonetheless, the press has picked up on the story and run with it [*]. [Note: click on the pictures in this post to blow them up so you can see them better].

The Shadow Brokers published their bitcoin address (19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK) asking for donations to release the rest of their tools. They've received 66 transactions so far, totally 1.78 bitcoin, or roughly $1000 at today's exchange rate.

Bitcoin is not anonymous by pseudonymous. Bitcoin is a public ledger with all transaction visible by everyone. Sometimes we can't tie addresses back to people, but sometimes we can. There are a lot of researchers who spent a lot of time on "taint anlysis" trying to track down the real identity of evildoers. Thus, it seems plausible that we might be able to discover the identities of those people making contributions to Shadow Brokers.

The first of Krypt3ia's errant blogposts tries to use the Bitcoin taint analysis plugin within Maltego in order to do some analysis on the Shadow Broker address. What he found was links to the Silk Road address -- the address controlled by the FBI since they took down that darknet marketplace several years ago. Therefore, he created the theory that the government (FBI? NSA? TAO?) was up to some evil tricks, such as trying to fill the account with money so that they could then track where the money went in the public blockchain.

But he misinterpreted the links. (He was wrong.) There were no payments from the Silk Road accounts to the Shadow Broker account. Instead, there were people making payments to both accounts. As a prank.

To demonstrate how this prank wors, I made my own transaction, where I pay money to the Shadow Brokers (19BY2...), to Silk Road (1F1A...), and to a few other well-known accounts controlled by the government.

The point here is that anybody can do these shenanigans. That government controlled addresses are involved means nothing. They are public, and anybody can send coin to them.

That blogpost points to yet more shenanigans, such as somebody "rick rolling", to confirm that TAO hackers were involved. What you see in the picture below is a series of transactions using bitcoin addresses containing the phrase "never gonna give you up", the title of Rich Astley's song (I underlined the words in red).

Far from the government being involved, somebody else took credit for the hack, with the Twitter handle @MalwareTechBlog. In a blogpost [*], he describes what he did. He then proves his identity by signing a message at the bottom of his post, using the same key (the 1never.... key above) in his tricks. Below is a screenshot of how I verified (and how anybody can verify) the key.

Moreover, these pranks should be seen in context. Goofball shenanigans on the blockchain are really, really common. An example is the following transaction:

Notice the vanity bitcoin address transfering money to the Silk Road account. There is also a "Public Note" on this transaction, a feature unique to -- which recently removed the feature because it was so extensively abused.

Bitcoin also has a feature where 40 bytes of a message can be added to transactions. The first transaction sending bitcoins to both Shadow Brokers and Silk Road was this one. If you tell it to "show scripts", you see that it contains an email address for Cryptome, the biggest and oldest Internet leaks site (albeit not as notorious as Wikileaks).

The point is this: shenanigans and pranks are common on the Internet. What we see with Shadow Brokers is normal trickery. If you are unfamiliar with Bitcoin culture, it may look like some extra special trickery just for Shadow Brokers, but it isn't.

After much criticism why his first blogpost was wrong, Krypt3ia published a second. The point of the second was to lambaste his critics -- just because he jotted down some idle thoughts in a post doesn't make him responsible for journalists like ZDnet picking up as a story that's now suddenly being passed around.

But his continues with the claim that there is somehow evidence of government involvement, even though his original claim of payments from Silk Road were wrong. As he says:
However, my contention still stands that there be some fuckery going on here with those wallet transactions by the looks of it and that the likely candidate would be the government
Krypt3ia goes onto then claim, about the Rick Astley trick:
So yeah, these accounts as far as I can tell so far without going and spending way to many fucking hours on bitcoin.ifo or some such site, were created to purposely rick roll and fuck with the ShadowBrokers. Now, they may be fractions of bitcoins but I ask you, who the fuck has bitcoin money to burn here? Any of you out there? I certainly don’t and the way it was done, so tongue in cheek kinda reminds me of the audacity of TAO…
Who has bitcoin money to burn? The answer is everyone. Krypt3ia obvious isn't paying attention to the value of bitcoin here, which are pennies. Each transaction of 0.0001337 bitcoins is worth about 10 cents at current exchange rates, meaning this Rick Roll was less than $1. It takes minutes to open an account (like at and use your credit card (or debit card) to $1 worth of bitcoin and carry out this prank.

He goes on to say:
If you also look at the wallets that I have marked with the super cool “Invisible Man” logo, you can see how some of those were actually transfering money from wallet to wallet in sequence to then each post transactions to Shadow. Now what is that all about huh? More wallets acting together? As Velma would often say in Scooby Doo, JINKY’S! Something is going on there.
Well, no, it's normal bitcoin transactions. (I've made this mistake too -- learned about it, then forgot about it, then had to relearn about it). A Bitcoin transaction needs to consume all the previous transactions that it refers to. This invariably leaves some bitcoin left over, so has to be transferred back into the user's wallet. Thus, on my hijinx at the top of this post, you see the address 1HFWw... receives most of the bitcoin. That was a newly created by my wallet back in 2014 to receive the unspent portions of transactions. While it looks strange, it's perfectly normal.

It's easy to point out that Krypt3ia just doesn't understand much about bitcoin, and is getting excited by Maltego output he doesn't understand.

But the real issue is confirmation bias. He's developed a theory, and searches for confirmation of that theory. He says "there are connections that cannot be discounted", when in fact all the connections can easily be discounted with more research, with more knowledge. When he gets attacked, he's becomes even more motivated to search for reasons why he's actually right. He's not motivated to be proven wrong.

And this is the case of most "attribution" in the cybersec issue. We don't have smoking guns (such as bitcoin coming from the Silk Road account), and must make do with flimsy data (like here, bitcoin going to the Silk Road account). Sometimes our intuition is right, and this flimsy data does indeed point us to the hacker. In other cases, it leads us astray, as I've documented before in this blog. The less we understand something, the more it confirms our theory rather than conforming we just don't understand. That "we just don't know" is rarely an acceptable answer.

I point this out because I'm always the skeptic when the government attributes attacks to North Korea, China, Russia, Iran, and so on. I've seen them be right sometimes, and I've seem them be absolutely wrong. And when they are wrong, it's easy figuring out why -- because of things like confirmation bias.

Maltego plugin showing my Bitcoin hijinx transaction from above

Creating vanity addresses, for rickrolling or other reasons

Sunday, August 21, 2016

A lesson in social engineering: president debates

In theory, we hackers are supposed to be experts in social engineering. In practice, we get suckered into it like everyone else. I point this out because of the upcoming presidential debates between Hillary and Trump (and hopefully Johnson). There is no debate, there is only social engineering.

Some think Trump will pull out of the debates, because he's been complaining a lot lately that they are rigged. No. That's just because Trump is a populist demagogue. A politician can only champion the cause of the "people" if there is something "powerful" to fight against. He has to set things up ahead of time (debates, elections, etc.) so that any failure on his part can be attributed to the powerful corrupting the system. His constant whining about the debates doesn't mean he'll pull out any more than whining about the election means he'll pull out of that.

Moreover, he's down in the polls (What polls? What's the question??). He therefore needs the debates to pull himself back up. And it'll likely work -- because social-engineering.

Here's how the social engineering works, and how Trump will win the debates.

The moderators, the ones running the debate, will do their best to ask Trump the toughest questions they think of. At this point, I think their first question will be about the Kahn family, and Trump's crappy treatment of their hero son. This is one of Trump's biggest weaknesses, but especially so among military-obsessed Republicans.

And Trump's response to this will be awesome. I don't know what it will be, but I do know that he's employing some of the world's top speech writers and debate specialists to work on the answer. He'll be practicing this question diligently working on a scripted answer, from many ways it can be asked, from now until the election. And then, when that question comes up, it'll look like he's just responding off-the-cuff, without any special thought, and it'll impress the heck out of all the viewers that don't already hate him.

The same will apply too all Trump's weak points. You think the debates are an opportunity for the press to lock him down, to make him reveal his weak points once and for all in front of a national audience, but the reverse is true. What the audience will instead see is somebody given tough, nearly impossible questions, and who nonetheless has a competent answer to everything. This will impress everyone with how "presidential" Trump has become.

Also, waivering voters will see that the Trump gets much tougher questions than Hillary. This will feed into Trump's claim the media is biased against him. Of course, the reality is that Trump is a walking disaster area with so many more weaknesses to hit, but there's some truth to the fact that media has a strong left-wing bias. Regardless of Trump's performance, the media will be on trial during the debate, and they'll lose.

The danger to Trump is that he goes off script, that his advisors haven't beaten it into his head hard enough that he's social engineering and not talking. That's been his greatest flaw so far. But, and this is a big "but", it's also been his biggest strength. By owning his gaffes, he's seen as a more authentic man of the people and not a slick politician. I point this out because we are all still working according to the rules of past elections, and Trump appears to have rewritten the rules for this election.

Anyway, this post is about social-engineering, not politics. You should watch the debate, not for content, but for how well each candidates does social engineering. Watch how they field every question, then "bridge" to a prepared statement they've been practicing for months. Watch how the moderators try to take them "off message", and how the candidates put things back "on message". Watch how Clinton, while being friendly and natural, never ever gets "off message", and how you don't even notice that she's "bridging" to her message. Watch how Trump, though, will get flustered and off message. Watch how Hillary controls her hand gestures (almost) none, while Trump frequently fails to.

At least, this is what I'll be watching for. And watching for live tweeting, as I paraphrase what candidate really were saying, as egregiously as I can :).

Saturday, August 20, 2016

Bugs don't come from the Zero-Day Faerie

This WIRED "article" (aka. thinly veiled yellow journalism) demonstrates the essential thing wrong with the 0day debate. Those arguing for NSA disclosure of 0days believe the Zero-Day Faerie brings them, that sometimes when the NSA wakes up in the morning, it finds a new 0day under its pillow.

The article starts with the sentences:
WHEN THE NSA discovers a new method of hacking into a piece of software or hardware, it faces a dilemma. Report the security flaw it exploits to the product’s manufacturer so it gets fixed, or keep that vulnerability secret—what’s known in the security industry as a “zero day”—and use it to hack its targets, gathering valuable intelligence.
But the NSA doesn't accidentally "discover" 0days -- it hunts for them, for the purpose of hacking. The NSA first decides it needs a Cisco 0day to hack terrorists, then spends hundreds of thousands of dollars either researching or buying the 0day. The WIRED article imagines that at this point, late in the decision cycle, that suddenly this dilemma emerges. It doesn't.

The "dilemma" starts earlier in the decision chain. Is it worth it for the government to spend $100,000 to find and disclose a Cisco 0day? Or is it worth $100,000 for the government to find a Cisco 0day and use it to hack terrorists.

The answers are obviously "no" and "yes". There is little value of the national interest in spending $100,000 to find a Cisco 0day. There are so many more undiscovered vulnerabilities that this will make little dent in the total number of bugs. Sure, in the long run, "vuln disclosure" makes computers more secure, but a large government investment in vuln disclosure (and bug bounties) will only be a small increase on the total vuln disclosure that happens without government involvement.

Conversely, if it allows the NSA to hack into a terrorist network, a $100,000 is cheap, and an obvious benefit.

My point is this. There are legitimate policy questions about government hacking and use of 0days. At the bare minimum, there should be more transparency. But the premises of activists like Andy Greenburg are insane. NSA 0days aren't accidentally "discovered", they don't come from a magic Zero-Day Faerie. The NSA instead hunts for them, after they've come up with a clearly articulated need for one that exceeds mere disclosure.

Credit: @dinodaizovi, among others, has recently tweeted that "discover" is a flawed term that derails the 0day debate, as those like Greenberg assume it means as he describes it in his opening paragraph, that the NSA comes across them accidentally. Dino suggested the word "hunt" instead.

Thursday, August 18, 2016

EQGRP tools are post-exploitation

A recent leak exposed hackings tools from the "Equation Group", a group likely related to the NSA TAO (the NSA/DoD hacking group). I thought I'd write up some comments.

Despite the existence of 0days, these tools seem to be overwhelmingly post-exploitation. They aren't the sorts of tools you use to break into a network -- but the sorts of tools you use afterwards.

The focus of the tools appear to be about hacking into network equipment, installing implants, achievement permanence, and using the equipment to sniff network traffic.

Different pentesters have different ways of doing things once they've gotten inside a network, and this is reflected in their toolkits. Some focus on Windows and getting domain admin control, and have tools like mimikatz. Other's focus on webapps, and how to install hostile PHP scripts. In this case, these tools reflect a methodology that goes after network equipment.

It's a good strategy. Finding equipment is easy, and undetectable, just do a traceroute. As long as network equipment isn't causing problems, sysadmins ignore it, so your implants are unlikely to be detected. Internal network equipment is rarely patched, so old exploits are still likely to work. Some tools appear to target bugs in equipment that are likely older than Equation Group itself.

In particular, because network equipment is at the network center instead of the edges, you can reach out and sniff packets through the equipment. Half the time it's a feature of the network equipment, so no special implant is needed. Conversely, when on the edge of the network, switches often prevent you from sniffing packets, and even if you exploit the switch (e.g. ARP flood), all you get are nearby machines. Getting critical machines from across the network requires remotely hacking network devices.

So you see a group of pentest-type people (TAO hackers) with a consistent methodology, and toolmakers who develop and refine tools for them. Tool development is a rare thing amount pentesters -- they use tools, they don't develop them. Having programmers on staff dramatically changes the nature of pentesting.

Consider the program xml2pcap. I don't know what it does, but it looks like similar tools I've written in my own pentests. Various network devices will allow you to sniff packets, but produce output in custom formats. Therefore, you need to write a quick-and-dirty tool that converts from that weird format back into the standard pcap format for use with tools like Wireshark. More than once I've had to convert HTML/XML output to pcap. Setting port filters for 21 (FTP) and Telnet (23) produces low-bandwidth traffic with high return (admin passwords) within networks -- all you need is a script that can convert the packets into standard format to exploit this.

Also consider the tftpd tool in the dump. Many network devices support that protocol for updating firmware and configuration. That's pretty much all it's used for. This points to a defensive security strategy for your organization: log all TFTP traffic.

Same applies to SNMP. By the way, SNMP vulnerabilities in network equipment is still low hanging fruit. SNMP stores thousands of configuration parameters and statistics in a big tree, meaning that it has an enormous attack surface. Anything value that's a settable, variable-length value (OCTECT STRING, OBJECT IDENTIFIER) is something you can play with for buffer-overflows and format string bugs. The Cisco 0day in the toolkit was one example.

Some have pointed out that the code in the tools is crappy, and they make obvious crypto errors (such as using the same initialization vectors). This is nonsense. It's largely pentesters, not software developers, creating these tools. And they have limited threat models -- encryption is to avoid easy detection that they are exfiltrating data, not to prevent somebody from looking at the data.

From that perspective, then, this is fine code, with some effort spent at quality for tools that don't particularly need it. I'm a professional coder, and my little scripts often suck worse than the code I see here.

Lastly, I don't think it's a hack of the NSA themselves. Those people are over-the-top paranoid about opsec. But 95% of the US cyber-industrial-complex is made of up companies, who are much more lax about security than the NSA itself. It's probably one of those companies that got popped -- such as an employee who went to DEFCON and accidentally left his notebook computer open on the hotel WiFi.


Despite the 0days, these appear to be post-exploitation tools. They look like the sort of tools pentesters might develop over years, where each time they pop a target, they do a little development based on the devices they find inside that new network in order to compromise more machines/data.

Wednesday, August 17, 2016

Hey lawyers, I'm not your client

We can't talk casually with lawyers, at parties or infosec conferences. For one thing, it's an ethical problem for them, as they put a couple minute's thought into a question that can have lifelong consequences for a you. For another thing, it puts them legal jeopardy if you (falsely) think there is an attorney-client relationship. This makes lawyers boring people at parties, because all they can discuss is nonsense like sports scores.

In an attempt to remedy this situation, so I can talk casually about the law, I'm writing the following open-letter:

Dear Lawyers:
Unless there is a written agreement signed by you and me, I'm not your client. I understand that I should not interpret any comment as actual legal advice. I know that we are talking about hypothetical situations, and that I should not try to apply that information to my own situation. I know that we are often making jokes, and taking such things seriously as "legal advice" would be against my interests. I'm the one at fault, deliberately instigating you into discussing hypotheticals and making such jokes, for the lulz.
Robert Graham
Of course, I don't know if this letter will actually help lawyers chillax and talk more openly about the law. For that, I guess I'd need legal advice.

Monday, August 15, 2016

National interest is exploitation, not disclosure

Most of us agree that more accountability/transparency is needed in how the government/NSA/FBI exploits 0days. However, the EFF's positions on the topic are often absurd, which prevent our voices from being heard.

One of the EFF's long time planks is that the government should be disclosing/fixing 0days rather than exploiting them (through the NSA or FBI). As they phrase it in a recent blog post:
as described by White House Cybersecurity Coordinator, Michael Daniel: “[I]n the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest.” Other knowledgeable insiders—from former National Security Council Cybersecurity Directors Ari Schwartz and Rob Knake to President Obama’s hand-picked Review Group on Intelligence and Communications Technologies—have also endorsed clear, public rules favoring disclosure.
The EFF isn't even paying attention to what the government said. The majority of vulnerabilities are useless to the NSA/FBI. Even powerful bugs like Heartbleed or Shellshock are useless, because they can't easily be weaponized. They can't easily be put into a point-and-shoot tool and given to cyberwarriors.

Thus, it's a tautology saying "majority of cases vulns should be disclosed". It has no bearing on the minority of bugs the NSA is interested in -- the cases where we want more transparency and accountability.

These minority of bugs are not discovered accidentally. Accidental bugs have value to the NSA, so the NSA spends considerable amount of money hunting down different bugs that would be of use, and in many cases, buying useful vulns from 0day sellers. The EFF pretends the political issue is about 0days the NSA happens to come across accidentally -- the real political issue is about the ones the NSA spent a lot of money on.

For these bugs, the minority of bugs the NSA sees, we need to ask whether it's in the national interest to exploit them, or to disclose/fix them. And the answer to this question is clearly in favor of exploitation, not fixing. It's basic math.

An end-to-end Apple iOS 0day (with sandbox escape and persistance) is worth around $1 million, according to recent bounties from Zerodium and Exodus Intel.

There are two competing national interests with such a bug. The first is whether such a bug should be purchased and used against terrorist iPhones in order to disrupt ISIS. The second is whether such a bug should be purchased and disclosed/fixed, to protect American citizens using iPhones.

Well, for one thing, the threat is asymmetric. As Snowden showed, the NSA has widespread control over network infrastructure, and can therefore insert exploits as part of a man-in-the-middle attack. That makes any browser-bugs, such as the iOS bug above, much more valuable to the NSA. No other intelligence organization, no hacker group, has that level of control over networks, especially within the United States. Non-NSA actors have to instead rely upon the much less reliable "watering hole" and "phishing" methods to hack targets. Thus, this makes the bug of extreme value for exploitation by the NSA, but of little value in fixing to protect Americans.

The NSA buys one bug per version of iOS. It only needs one to hack into terrorist phones. But there are many more bugs. If it were in the national interest to buy iOS 0days, buying just one will have little impact, since many more bugs still lurk waiting to be found. The government would have to buy many bugs to make a significant dent in the risk.

And why is the government helping Apple at the expense of competitors anyway? Why is it securing iOS with its bug-bounty program and not Android? And not Windows? And not Adobe PDF? And not the million other products people use?

The point is that no sane person can argue that it's worth it for the government to spend $1 million per iOS 0day in order to disclose/fix. If it were in the national interest, we'd already have federal bug bounties of that order, for all sorts of products. Long before the EFF argues that it's in the national interest that purchased bugs should be disclosed rather than exploited, the EFF needs to first show that it's in the national interest to have a federal bug bounty program at all.

Conversely, it's insane to argue it's not worth $1 million to hack into terrorist iPhones. Assuming the rumors are true, the NSA has been incredibly effective at disrupting terrorist networks, reducing the collateral damage of drone strikes and such. Seriously, I know lots of people in government, and they have stories. Even if you discount the value of taking out terrorists, 0days have been hugely effective at preventing "collateral damage" -- i.e. the deaths of innocents.

The NSA/DoD/FBI buying and using 0days is here to stay. Nothing the EFF does or says will ever change that. Given this constant, the only question is how We The People get more visibility into what's going on, that our representative get more oversight, that the courts have clearer and more consistent rules. I'm the first to stand up and express my worry that the NSA might unleash a worm that takes down the Internet, or the FBI secretly hacks into my home devices. Policy makers need to address these issues, not the nonsense issues promoted by the EFF.

Monday, August 08, 2016

I gamergate Meredith Mciver

One of the basic skills of hackers is "doxxing". It's actually not a skill. All you need to do is a quick search of public records databases through sites like Spokeo, Intelius, and and you can quickly dox anybody.

During the Republican convention, Trump's wife plagiarized Obama's wife in a speech. A person in the Trump organization named "Meredith Mciver" took the blame for it. Trump haters immediately leapt to the conclusion that this person was fake, pointing out her Twitter and Facebook accounts were created after the controversy started.

So I'm going to go all gamergate on her and see what I can find.

According to New York public records, somebody named "Meredith Mciver" has been working for a company called the "The Trump Organization" as "Staff Writer" for many years. Her parents are Phyllis and James Mciver. Her older sister is Karen Mciver. She has an apartment at  588 W End Avenue in Manhattan (though I won't tell you which apartment -- find out for yourself). Through, you can track down more information, such as her yearbook photo from 1962.

Now, all these public records could be fake, of course, but that would require a conspiracy larger than the one hiding the truth about Obama's birth certificate.

I point this out because we have enough reasons to hate Trump (his populist demagoguery, his bankrupt character, his racism) and don't need to search for more reasons. Yet, conspiracy theorists, "mciverers", want to exploit this non-issue as much as they can.