
Security quotes of the week

Cellebrite makes software to automate physically extracting and indexing data from mobile devices. They exist within the grey – where enterprise branding joins together with the larcenous to be called “digital intelligence.” Their customer list has included authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, UAE, and elsewhere. [...]

Given the number of opportunities present, we found that it’s possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed.

— Signal's Moxie Marlinspike "finds" a Cellebrite toolkit and does what comes naturally

There's a similar issue with advertising and privacy, that we discussed just last month. Google clarified its plans to block 3rd party cookies. In many ways, this is good for privacy. 3rd party cookies are often abused in creepy ways to track people. So it's good that Google won't support them (Firefox and Safari already made this move earlier). But lots of people then vocally complained that this would only give more power to Google, because it can deal with the lack of data, while competitive (smaller) advertising firms cannot.

These issues are often in conflict -- and many of the big tech critics out there don't want to recognize that. In fact, it lets them attack these companies no matter what they do. If they do something that's good for privacy, but bad for competition, focus on how it's bad for competition. If they do something that's good for competition, but bad for privacy, focus on how it's bad for privacy.

Mike Masnick


Security quotes of the week

Posted Apr 22, 2021 3:45 UTC (Thu) by logang (subscriber, #127618) [Link] (2 responses)

The real gold quote in Moxie's blog comes at the end:

> In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.

Security quotes of the week

Posted Apr 23, 2021 7:06 UTC (Fri) by elel (guest, #100484) [Link]

I know, lol. If you're using these tools in a place where the results have to hold up in court this will give you no end of headaches. Unfortunately this may not be as effective in all the countries where the tools are in use, depending on how much they care about integrity of evidence.

Security quotes of the week

Posted Apr 23, 2021 13:35 UTC (Fri) by flussence (guest, #85566) [Link]

Perhaps egging on rubber-hose cryptanalysis of his end users is a bad idea, given very recent events with US politics and his own product's reputation.

Security quotes of the week

Posted Apr 22, 2021 9:22 UTC (Thu) by Karellen (subscriber, #67644) [Link] (4 responses)

> many of the big tech critics out there don't want to recognize that. In fact, it lets them attack these companies no matter what they do.

Maybe they do recognise that and big tech is a problem, no matter what they do, because they are big, and antitrust enforcement has been a complete joke for 20 years, and not a heck of a lot better for the 20 years before that. And ultimately that's what needs to be fixed.

Security quotes of the week

Posted Apr 22, 2021 10:31 UTC (Thu) by pizza (subscriber, #46) [Link] (3 responses)

Sure, let's restart meaningful enforcement of antitrust law.

And the most deserving targets for the guillotine? Verizon, AT&T, Comcast. Who have _actual_ monopolies and routinely act in ways that make "Big Tech" look like saints in comparison.

Security quotes of the week

Posted Apr 22, 2021 11:53 UTC (Thu) by ddevault (subscriber, #99589) [Link] (2 responses)

Why needlessly limit ourselves? All of these companies are a problem.

Security quotes of the week

Posted Apr 22, 2021 12:15 UTC (Thu) by pizza (subscriber, #46) [Link] (1 responses)

Because of the law of unintended consequences. Or heck, even the intended consequences.

Nearly all of the calls to "regulate big tech" are being made using false pretenses for self-serving purposes.

Security quotes of the week

Posted Apr 22, 2021 17:32 UTC (Thu) by Wol (subscriber, #4433) [Link]

Do roughly what we do here - you cannot deliver content over a network where you are the monopoly provider.

Okay, that's not completely true, many content providers own delivery networks, but they are independent arms that have to operate "at arms length".

For example, I have no idea who owns the wires and pipes that deliver electricity or gas, I just buy my power from a choice of "the big six" or a bunch of smaller suppliers, and they have a bulk contract that lets them deliver to their customers in my area. I suspect the owner is the (descendant of) the original local monopoly supplier, but I neither know nor care - it's not my problem.

BT owns most of the phone infrastructure, but we do have cable companies, and BT is obliged to publish a price list. The same set-up applies - I can go to any phone provider and they have the contract with BT/Openreach to provide the infrastructure. There are rumours that when there are technical problems, Openreach treat BT customers preferentially, but that would get BT into heap big trouble if proven.

The only thing is, that CAN cause problems when things go wrong, because the customer has no contract with the infrastructure supplier, and it's difficult to get redress if things really go tits-up.

Cheers,
Wol


Copyright © 2021, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds