Apple Patches Up Devices In Response To The Exposure Of Yet Another NSO Group Exploit

from the soon-they-will-make-a-board-with-a-nail-so-big-it-will-destroy-them-all dept

Israeli digital arms merchant NSO Group continues to sell its malware to a wide variety of governments. The governments it sells to, which includes a bunch of notorious human rights abusers, continue to use these exploits to target dissidents, activists, journalists, religious leaders, and political opponents. And the manufacturers of the devices exploited by governments to harm people these governments don't like (NSO says "criminals and terrorists," long-term customers say "eh, whoever") continue to patch things up so these exploits no longer work.

The circle of life continues. No sooner had longtime critic/investigator of NSO Group's exploits and activities -- Citizen Lab -- reported the Bahrain government was using "zero click" exploits to intercept communications and take control of targeted devices then a patch has arrived. Apple, whose devices were compromised using an exploit Citizen Lab has dubbed FORCEDENTRY, has responded to the somewhat surprising and altogether disturbing news that NSO has developed yet another exploit that requires no target interaction at all to deploy.

Apple released a patch Monday against two security vulnerabilities, one of which the Israeli surveillance company NSO Group has exploited, according to researchers.

The updated iOS software patches against a zero-click exploit that uses iMessage to launch malicious code, which in turn allows NSO Group clients to infiltrate targets — including the phone of a Saudi activist in March, researchers at Citizen Lab said.

The backdoor being closed involves a pretty clever trick of the trade. Since links require clicks and images don't, the exploit utilizes a tainted gif to crash Apple's image rendering library, which is then used to launch a second exploit that gives NSO customers control of these devices, allowing them to browse internal storage and eavesdrop on communications.

It's not the first time NSO has developed a zero-click exploit that affects iOS devices. It's just the latest exposed by Citizen Lab's incredible investigation efforts. Thanks to Citizen Lab, more Apple device users around the world are better protected against malicious hackers… working for a company that sells exploits to government agencies. And whatever can be nominally exploited for good (the terrorists and criminals NSO continues to claim its customers target, despite an ever-growing mountain of evidence that says otherwise) can be exploited by governments and malicious hackers who don't even have sketchy "national security" justifications to raise in the defense of their actions.

The arms race continues. It appears marketers of exploits will continue to do what they've always done: maintain over-the-air superiority for as long as possible. And while it may seem this is just part of the counterterrorism game, NSO Group's tacit approval of the targeting of dissidents, journalists, and others who have angered local governments (but have never committed any terrorist or criminal acts) shows it's not willing to stop profiting from the misery of people being hunted and harmed by repressive regimes.

Filed Under: ios, iphone, malware, patches, surveillance
Companies: apple, nso group

Embrace Fans: How One Mystery Modder Has Kept System Shock 2 Playable

from the shocking dept

There's this weird thing in the video game industry in terms of how the industry reacts to fans doing things with their games. On one side, you have publishers that strictly control what fans can do with their games, even going the legal threat route at times. Other publishers are more permissive with game IP and are then shocked at what fans manage to do with their games. Still other publishers proactively create tools within their games to allow fans to create wildly cool productions within the games and then celebrate those fans. And, of course, there are fans manipulating properties such as original soundtracks to create new music as an homage to the original score.

There is a wide spectrum of what fans want to do to express their fandom with video games, in other words, and also a spectrum of ways publishers respond to these dedicated fans. The original Doom, for instance, was created nearly three decades ago, but an active modding community has kept the game relevant by building on that original work. In the case of System Shock 2, however, it turns out the game originally released in 1999 is essentially only playable on modern machines due to the dedication of one single mystery fan.

After developer Looking Glass Studios closed in 2000, the game wound up in ownership limbo. For a time, it languished without updates. Getting it to run on more modern machines increasingly became a massive hassle. Then, in 2012, a fan released an unofficial update that took aim at those issues with almost cyborg-like laser precision. To this day, nobody knows the identity of the fan who released this update.

The mystery savior of System Shock 2 goes by the online handle “Le Corbeau.” In 2012, according to a feature over at Rock Paper Shotgun, they first posted their revolutionary patch to the game, titled “NewDark,” on a French Thief fan forum. Nobody’s entirely sure how this fan pulled off an update of this magnitude, but it likely involved building upon an incomplete version of the game’s source code that leaked in 2010.

The effect of the patch was that people could actually play the game again. Strangely, at no point has Le Corbeau sought any credit for his or her work. Nobody to date knows who this person is. But, because of their dedication and, my assumption, fandom, System Shock 2 is not only still relevant, but now on sale on Steam once more. That's because Nightdive Studios got the rights to System Shock 2 and promptly inserted Le Corbeau's patch into a re-release. Far from being upset about this, Le Corbeau has continued to patch the game.

Nightdive even tried to get the modder involved, but to no avail.

Nightdive, having found System Shock 2's actual source code in Looking Glass founder Paul Neurath’s closet, is now making its own improvements to System Shock 2, as well as a remake of the first System Shock and an all-new System Shock game. Despite all this, the studio—like perplexed but grateful fans—has no idea who Le Corbeau actually is. CEO Stephen Kick told RPS that he’s tried to reach out in hopes of collaborating over the years, but hasn’t had any success yet. “They have done an amazing job, but at some point those efforts will collide with our own as we wish to improve the original title,” said Kick.

If that last bit in some way signals some animosity towards the modder on the part of Nightdive, this story is going to have a massively infuriating ending. Because the fact is that Le Cordeau's efforts directly kept System Shock 2 relevant and available for fans to enjoy, which in turn kept the market open and ready to accept re-releases of the game and new iterations of it.

Regardless, sure, let game companies claim that fans being fans is some threat to their business if they like, so long as everyone realizes how silly that is.

Filed Under: culture, fans, le corbeau, modding, patches, system shock 2, video games

After The 'Octopus Incident' White House Threatened To Stop 'Menacing Logos' From Spy Satellites

from the what's-so-menacing-about-talledega-nights? dept

Back in late 2013, we wrote about the insanity of the "logo" placed on a spy satellite by the National Reconnaissance Organization, which consisted -- literally -- of an octopus enveloping the globe, and the tag line "Nothing is Beyond Our Reach." Incredibly, the Director of National Intelligence tweeted out this image, just months after the Snowden revelations, and no one seemed to think the public might find it... creepy as fuck. Our good friends at Muckrock decided to dig in with some FOIA requests about all of this and wrote up the following amazing story about the aftermath of the fallout of that decision and posted an excellent story about it which, of all things, includes trying to translate quotes from "Talledega Nights" into Latin to avoid scrutiny. That article, by JPat Brown is reposted, with permission, below.

Records released to William Pierce show that the fallout from the National Reconnaissance Office's infamous "world-eating octopus" logo was enough for the White House to threaten veto power over future logos on spy satellites. Despite this warning to steer clear of controversy, the designers for the NROL-76 logo tried their best to sneak in a "Talladega Nights" reference - even resorting to Latin to get around copyright.

In early May of 2016, someone within the NRO asked if the mission patch for the NROL-76 mission had been approved.

As launch wasn't due for a year, the question was oddly premature, and someone on the team voiced their curiosity.

A later email from August 2016 explains the concern - following the embarrassment over the NRO-39's octopus logo (which records released to Runa Sandvik show was an engineering in-joke that backfired to a comical degree), the NRO wasn't even sure if it could approve its own logos without the White House's final say.

As far as they were told, the NRO could still have "ultimate authority" over logos … so long as they avoided "menacing designs." Which means "yes" to fluffy animals …

and "no" to creepy cephalopods and whatever's redacted here.

Fortunately, the theme for this design was "Lewis and Clark," which the NRO thought was fairly family-friendly, especially when compared to, say, a dragon with American flag wings.

But we'll let you be the judge.

If that slogan strikes you as oddly familiar, then congratulations on your excellent cinematic tastes; "If you ain't first, you're last" is indeed the catch-phrase of Ricky Bobby, Will Ferrell's character from "Talladega Nights."

The design notes make this explicit, as well as explain that it was chosen as a slogan because one team member "loves NASCAR" and "wanted to go fast."

From the beginning, the person that appears to be the NRO team leader tried to drop a few hints that they weren't all that confident a "Talladega Nights" reference was going to (literally) fly …

before finally giving it the formal nix on copyright grounds.

Undaunted, one team member proposed a sneaky compromise - just Google Translate it into Latin and nobody will notice.

This team member claims the "Latin approach" has worked before, though a quick search shows that it didn't work out quite as well as they made it sound. And there were a few other minor considerations ...

Ultimately, the team leader vetoed all Latin phrases as "hard to understand and remember," using the NRO's own motto as an example. A list of pre-approved slogans (including a few redacted ones) was sent to the team, and with a topical joke about the 2016 presidential elections, the matter was put to a vote.

The lesser-known Ricky Bobby quote "Explore - Discover - Know" won out …

and you can see it here on the finalized logo.

Read the full release embedded below or on the request page.

Filed Under: latin, nro, octopus, patches, satellites, surveillance, talledega nights

Could Firmware Expiration Dates Fix The Internet Of Broken Things...Before People Get Hurt?

from the the-looming-global-IOT-shitstorm dept

If you hadn't noticed, the incredibly flimsy security in most Internet of Things devices has resulted in a security and privacy dumpster fire of epic proportions. And while recent, massive DDoS attacks like the one leveled against DNS provider DYN last year are just one symptom of this problem, most security analysts expect things to get significantly, dramatically worse before they get better. And by worse, most of them mean dramatically worse; as in these vulnerabilities are going to result in attacks on core infrastructure that will inevitably result in human deaths... at scale.

Estimates suggest that 21 billion to 50 billion IoT devices are expected to come online by 2020. That's 21 to 50 billion new attack vectors on homes, businesses and governments. And many of these are products that are too large to replace every year (cars, refrigerators, ovens) but are being manufactured by companies for whom software -- and more importantly firmware updates -- aren't a particular forte or priority.

To date, there are a number of solutions being proposed to tackle this explosion in poorly-secured devices, none of which seem to really solve the issue. Agencies like Homeland Security have issued a number of toothless standards the companies that are making these poorly-secured products are free to ignore. And efforts at regulating the space, assuming regulators could even craft sensible regulations without hindering the emerging sector in the first place, can similarly be ignored by overseas manufacturers.

In the wake of the Wannacry ransomware, University of Pennsylvania researcher Sandy Clark has proposed something along these lines: firmware expiration dates. Clark argues that we've already figured out how to standardize our relationships with automobiles, with mandated regular inspection, maintenance and repairs governed by manufacturer recalls, DOT highway maintenance, and annual owner-obligated inspections. As such, she suggests similar requirements be imposed on internet-connected devices:

A requirement that all IoT software be upgradeable throughout the expected lifetime of the product. Many IoT devices on the market right now contain software (firmware) that cannot be patched even against known vulnerabilities.

A minimum time limit by which manufacturers must issue patches or software upgrades to fix known vulnerabilities.

A minimum time limit for users to install patches or upgrades, perhaps this could be facilitated by insurance providers (perhaps discounts for automated patching, and different price points for different levels of risk)."

Of course, none of this would be easy, especially when you consider this is a global problem that needs coordinated, cross-government solutions in an era where agreement on much of anything is cumbersome. And like previous suggestions, there's no guarantee that whoever crafted these requirements would do a particularly good job, that overseas companies would be consistently willing to comply, or that these mandated software upgrades would actually improve device security. And imagine being responsible for determining all of this for the 50 billion looming internet connected devices worldwide?

That's why many networking engineers aren't looking so much at the devices as they are at the networks they run on. Network operators say they can design more intelligent networks that can quickly spot, de-prioritize, or quarantine infected devices before they contribute to the next Wannacry or historically-massive DDoS attack. But again, none of this is going to be easy, and it's going to require multi-pronged, multi-country, ultra-flexible solutions. And while we take the time to hash out whatever solution we ultimately adopt, keep in mind that the 50 million IoT device count projected by 2020 -- is expected to balloon to 82 billion by 2025.

Filed Under: expiration dates, iot, patches, recalls, sandy clark, security, vulnerabilities

Petition Submitted To Require Congress To Wear The Logos Of Their Corporate Donors

from the the-esteemed-Congressman,-brought-to-you-in-part-by... dept

The idea that members of Congress should wear the logos of their corporate sponsors is as old as the internet itself, but it appears that someone's finally doing something about it. (Or at least bringing it to the attention of the current administration where it can be handed a set of talking points.) A petition at "We the People" requests that Congress members switch over to NASCAR-style representation, and wear their "affections" literally on their sleeves.

Since most politicians' campaigns are largely funded by wealthy companies and individuals, it would give voters a better sense of who the candidate they are voting for is actually representing if the company's logo, or individual's name, was prominently displayed upon the candidate's clothing at all public appearances and campaign events. Once elected, the candidate would be required to continue to wear those "sponsor's" names during all official duties and visits to constituents. The size of a logo or name would vary with the size of a donation. For example, a $1 million dollar contribution would warrant a patch of about 4" by 8" on the chest, while a free meal from a lobbyist would be represented by a quarter-sized button. Individual donations under $1000 are exempt.

This may seem as frivolous as requesting the construction of a Death Star or the immediate expulsion of Brits who criticize the NRA, but the underlying frustration with today's political world is evident. Many Americans are experiencing the sinking feeling that their future is in the hands of corporations and their purchased legislators, cutting them out of the loop. The periodic call to "throw the bums out" either goes unanswered or just results in a new set of bums

Holding legislators accountable often seems impossible, so if you can't beat 'em, shame 'em. If members of Congress are willing to capitulate to the highest bidder(s), the least they can do is display their true loyalties for all to see. The application of corporate logos would make it obvious at a glance who might be influencing elected officials' stances on various issues. As enjoyable as it would be to see this put into action, the idea itself comes wrapped in its own set of problems.

To begin with, this would place entirely too much importance on the visible logos (or lack thereof), replacing informed opinions with snap judgements. Mistaken conclusions would be drawn. A relatively logo-free Congressman would be perceived as a righteous lawmaker in a sea of purchased sinners, no matter the voting record or moral stature. The wrong conclusion could also be drawn in the opposite direction, turning a legislator's eerie resemblance to a stock car into a maze of twisty corporate conspiracy theories, all alike. Or something in between, like this hypothetical: A Congressman covered in logos of corporations that employ hundreds in his district -- sell-out or man of the people?

Another problem is that no matter what dollar amount is used as the cutoff line, donors will still find a way to get their money into the right hands while avoiding turning "their" legislator into a logoed farce. If the loophole isn't big enough to allow the (relatively) easy flow of money, the law will be amended until it is. No representative wants to look like they're corporate property and very few corporations are willing to roll on ungreased wheels.

Another issue is the distraction factor. If implemented, our already contentious partisan politics will devolve even further, resulting in pointless attacks based on who's wearing what corporate logo, or how many they're wearing. I firmly believe a legislative branch suffering from vapor lock is preferable to one that feels a day without an introduced bill is a wasted day, but sooner or later some important stuff needs to get done. It took our legislators four years to pass a "yearly" budget. Delays like this hurt actual taxpayers. I can only imagine how much longer that particular ordeal would have continued if logo-related arguments were added to the mix.

That brings us to the ultimate problem with this petition: a huge conflict of (self) interest. The very people petitioners want covered in logos are the same people who'd prefer their benefactors remain hidden. Not coincidentally, they're also the people that introduce, vote on and pass laws. It's damn near impossible to push a bill through Congress when a majority of legislators oppose it. And no matter how entertaining this would be, bypassing the legislative process to get this enacted (executive order?) screws with the underlying checks and balances, something no one should be encouraging.

All that being said, I'd still like to see the petition hit the "RESPONSE NEEDED" mark. If nothing else, it will send a message to the administration (and our lawmakers) that the American public views its representatives as little more than water carriers for big business and special interest groups. I'd also like to see the administration's response to this message. Most likely, it will point out that this information is readily available at the government's own Federal Election Commission site, not to mention informational powerhouses like OpenSecrets.org (whose site is much easier to search and navigate). It may also express concern over a loss of "decorum" should this be implemented, what with serviceable dark suits replaced with day-glo blazers covered in corporate logos.

If I had my way, I'd select a third option: have the petition be submitted as a bill and watch legislators go insane trying to take it seriously ("The public has spoken!") while simultaneously finding some way to torpedo the legislation without looking completely irate ("Stupid public! Why won't it shut up?!?"). A few days or weeks of logo-related panic would possibly bump C-SPAN ratings into the single digits and warm my cold, cynical heart ever so slightly.

Filed Under: corruption, lobbying, money, patches, politics, transparency

Charging $40,000 To Issue A Patch Makes Games 'Better,' Microsoft?

from the ctrl-z-returned-to-your-'edit'-menu-for-a-mere-$20,000 dept

The uglier side of working within walled gardens was made apparent late last week when indie developer Polytron announced it would not be releasing a new patch for its Xbox Live Arcade (XBLA) hit Fez. (More specifically, a patch to fix the original patch, which corrupted a certain percentage of players' saves.) The issue at hand wasn't a lack of desire to throw man hours at a finished game, but rather that Microsoft's XBLA policy only allows for one free patch, with subsequent patches requiring the game to go through a recertification process at a cost of $40,000.

Plenty of articles were written on all sides of the issue. Microsoft's policy on patching has its heart in the right place. It simply wants developers to release polished products, rather than dump unfinished software into the XBLA market and let paying customers do the beta testing. (If only Microsoft felt that way about its own software, but that's an entirely different rant...) But surely there's more than a fine line separating buggy shovelware and a developer trying to improve the gameplay experience for its paying customers.

Some of the articles focused on Polytron's obligation to fix the game despite the cost, especially considering the bug left unpatched affected gamers closer to end of the game. Other press has focused on the fact that Fez's mastermind, Fish, is a bit of a polarizing individual (understatement) and somehow, as such, is possibly just being a crybaby/dick about this issue.

The best commentary on this issue looks at something these others have missed with their focus on contractual obligations, Microsoft/Fez behaving badly, or whether paying customers should be unwilling participants in a contractual feud. Rob at the inexplicably-titled We Make the Cops Look Dumb (home of Mersey Remakes) says they're missing the point. This isn't about everything surrounding the patch and its attendant $40,000. It's about making (and selling) great games.

I’m uncomfortable with any debate that can argue around patches being seen as bad things to have, things that customers or services need to be protected from. Patches are to improve games. Patches are to make games better. Arguing against patches is to argue against the right to have better games. This is a ridiculous thing, beyond absurd. I’m uncomfortable when an imaginary line is drawn between services where patches are ok and where patches are not. Why is a patch to an iThing seen as desirable but XBLA not, beyond the whims of Microsoft?

Rob also looks at some of the other arguments, many of which we've seen used in the comment threads here at Techdirt, especially when dealing with artists finding themselves being manhandled by contractual details. This one in particular surfaces (too) often: "Too bad. They signed a contract."

I’m uncomfortable when people feel comfortable pulling the getting into bed with the devil argument, you signed a contract for fame and fortune and now, this is the price you must pay. I’m uncomfortable because it leaves no room for nuance, it leaves no room for context. It becomes a moral argument with nothing that hinges around whether something is fair, whether something is unfair, whether something is even viable. I would not like to be the person to cast such a judgement because I would not like to be the person if something went titsupus contractualus for me, to have the same argument thrown in my face.

This argument has always bothered me as well. Those espousing it seem hold two contradictory thoughts: that those holding the contract (label, studio, etc.) are somehow both massively benefitting the artists (simply by being the "infallible" system) and allowed to screw their signed artists without being called out for it. So, if the contract allows for screwing of said artists, it's just too bad. Legalese trumps any effort towards making it a mutually beneficial situation.

Then there's this argument: it's ok if this creator gets screwed because he's a jerk on the internet/IRL. This is like saying police brutality is ok as long as the person being beaten is a criminal. Is this rhetorical device still cool if you're the one who happens to be the jerk? Or worse, you could be one of the "good people" that "bad things" happen to.

I’m uncomfortable with the “but it’s Fish” train of thought because next time, it might not be Fish. It might be me. It might be you. It might be your friend or a developer you love not a developer you love to hate.

Then, of course, there's the "helpful" percentage of the crowd, always willing to suggest how things might have been done differently. It's one thing to suggest a solution while suggestions are still being welcomed. It's quite another to roll in post-mortem and point out everywhere the victim went wrong.

I’m uncomfortable when people say “you should have just released on Steam in the first place” when contracts were signed at a time when Steam was still 12 months away from showing its indie selling claws to one and all, when its notorious difficulty to get greenlit was at its peak. When other services were seen as behind the XBLA curve. I’m uncomfortable with hindsight being used as a stick to berate people with.

That's a tough one to avoid. Nearly everyone who's ever posted a comment or written for a blog has at one point or another found it impossible to resist playing a few downs as armchair quarterback. "What you should do next time" is definitely preferable to anything containing the past tense ("What you should have done..."), but neither does much to address the actual roadblock in question.

Rob's main concern is one that should be the main concern for gamers and developers alike: making great games. And Microsoft, for all its well-intended ways, is aligning itself against that very goal.

Right now, I’m just uncomfortable with the whole charade that’s sprung from a statement which points out the ridiculousness of a system that can penalise people for wanting to make better games. And I’m uncomfortable with how comfortably we let this shit slide over us.

Say what you will about Fish's divisive personality or the rigged system that is XBLA. Talk about how an indie studio with a million paying customers shouldn't complain about costs and time. Point out rival services and their advantages. But don't forget that underneath it all, a developer wanted to improve its game and the gatekeeper decided that the developers and customers would be better off if everyone "played by the rules" and nothing got fixed.

Filed Under: patches, video games, xbla, xbox
Companies: fish, microsoft