Season 5 Episode 1 Jul 22, 2021

Pegasus Cyber Espionage Tool, Steam’s New Console, Gunshot-Detecting Tech, and NATO Condemns a Cyberattack

Pitch

Listen to what some security experts have called “the story of the year.”

Description

In this episode, we talk about a gunshot-detecting tech used by law enforcement, the new Steam Deck handheld gaming console, and an unprecedented move by NATO condemning China for a hack exploiting Microsoft's Exchange Server.

Hosts

Saron Yitbarek

Disco - Founder

Saron Yitbarek is the founder of Disco, host of the CodeNewbie podcast, and co-host of the base.cs podcast.

Josh Puetz

Forem - Principal Engineer

Josh Puetz is Principal Software Engineer at Forem.

Guests

Marcus Carey

ReliaQuest - Enterprise Architect

Marcus J. Carey is an Enterprise Architect at ReliaQuest where he does security research and product development. Prior to joining ReliaQuest, Marcus was the founder and CEO at Threatcare (acquired by ReliaQuest) and has 20 years of cybersecurity experience. Marcus has worked in penetration testing, incident response, and digital forensics with federal agencies such as NSA, DC3, DIA, and DARPA.

Show Notes

Audio file size

34845482

Duration

00:36:18

Transcript

[00:00:10] SY: Welcome to DevNews, the news show for developers by developers, where we cover the latest in the world of tech. I’m Saron Yitbarek, Founder of Disco.

 

[00:00:20] JP: And I’m Josh Puetz, Principal Engineer at Forem.

 

[00:00:21] SY: This week, we’re talking about a gunshot detecting tech used by law enforcement, the new Steam Deck handheld gaming console, and an unprecedented move by NATO condemning China for a hack exploiting Microsoft’s Exchange Server.

 

[00:00:36] JP: Then we’ll speak with Marcus Carey, Enterprise Architect at ReliaQuest and co-author of the book, Tribe of Hackers, about an Israeli surveillance company’s hacking spyware, which was originally intended to target terrorists, but was also found to be used by authoritarian governments to spy on journalists, activists, and politicians.

 

[00:00:53] MC: That’s what’s really significant. A zero-day is a non-click or zero-click software where you don’t have to do anything and it can compromise a phone.

 

[00:01:02] SY: So we’re starting off this episode with talking about another law enforcement use of artificial intelligence, this time investigated by Motherboard. So this tech is called ShotSpotter and it’s a network of microphone sensors that are being used by law enforcement to detect gunshots and triangulate their location. So in theory, maybe this sounds like a good idea. If you hear a gunshot, you probably want to quickly respond to it, but here’s the problem. For one, in all four cities that Motherboard looked at, Chicago, Kansas City, Cleveland, and Atlanta, the sensors were mostly installed in neighborhoods with predominantly black and brown residents, instead of being evenly distributed. This is leading to an unequal flood of police rushing to these neighborhoods with the assumption that anyone there could be armed and dangerous. One of these ShotSpotter alerts even led to the shooting of an unarmed 13-year-old in Chicago.

 

[00:01:59] JP: So this is our new weekly segment, terrible use of AI by law enforcement.

 

[00:02:06] SY: Yeah. So on face value, sure, you hear a gunshot, respond. But besides the uneven distribution of these sensors, which is really problematic, it also makes me wonder, like, there are so many things that sound like gunshots. I'm thinking music. How many times have we heard music blaring down the streets out of some car and there’s like gunshots at the beginning of some song? You know what I mean? Is that going to be picked up? And now there’s armed police flooding into the street because a song was played. Yeah. I just don’t know how much I trust the sensors would adequately pick up true gunshots and not have so many false positives.

 

[00:02:46] JP: The AI aspect here is they’re using AI and machine learning to interpret the sounds and determine if it’s a gunshot or not, which makes me wonder, did they just like take the AI to a shooting range? I know that’s not how it works. Stop your tweets. I know that’s not how AI works. But really, you have to train these models up on something. And so sure, they could have been trained up on a bunch of different gunshots, but what I wonder is what are they going to start scanning for next? Is it loud music? Is it a domestic dispute?

 

[00:03:19] SY: Oh, that’s interesting.

 

[00:03:20] JP: People shouting, people calling for help? And what kind of sounds will they train those models on? I just wonder if the police or these companies are looking to expand the kind of sonic monitoring that can happen, because if you think about it, sonic monitoring is very clever. You don’t have to have line of sight, like you have to have with a video camera. You just put a bunch of little sensors somewhere. They’re probably a lot less complicated than video cameras would be.

 

[00:03:46] SY: A lot cheaper too. Yeah.

 

[00:03:47] JP: It’s kind of frightening how cheap and pervasive they could be.

 

[00:03:51] SY: Absolutely. And then there’s the whole uneven distribution portion, which is frustrating because we’ve kind of set ourselves up to say that these neighborhoods are significantly more violent than white neighborhoods, even though we don’t know if that is going to be true, just because we have more sensors. So in terms of just research and data collection, it just seems like a bad way to kind of start the conversation. It’s a bad introduction to sensors. It’s going to create very biased research and very biased data that’s going to make it look like certain neighborhoods are much, much more troubled than they necessarily are.

 

[00:04:28] JP: I wonder about the aim of this product for law enforcement, like just the very idea that like, “Oh, there’s a gunshot.” Police can rush to the scene. Well, what then? The assumption here is that if there’s a gunshot, someone is hurt, maybe, and they have to be helped. The company isn’t pitching this towards emergency response teams and hospitals and medical professionals. It’s pitched towards police departments.

 

[00:04:56] SY: Yeah.

 

[00:04:57] JP: And so I don’t think the police are rushing there with first aid kits to help someone that’s shot. They’re rushing there to arrest people. And that really strikes me as like the wrong way to approach all this.

 

[00:05:09] SY: And it just really, to me, the sound of a gunshot, there’s too many interpretations of what that could mean, so many different interpretations, and it doesn’t necessarily have to be that someone is armed and dangerous, specifically the dangerous part. Right? And so informing the police so that they come in ready to attack and expecting violence feels like it’s only going to lead to more violence when it doesn’t necessarily have to.

 

[00:05:35] JP: I mean, it’s a clever technology, but I think this is just addressing the symptoms of what’s causing gun violence and not trying to actually help any of the causes.

 

[00:05:45] SY: Yeah, absolutely.

 

[00:05:46] JP: Well, this next bit of news is very exciting for me, personally. The video game publisher, Valve, just announced a handheld console called the Steam Deck, which they hope will rival the Nintendo Switch. So we’ve talked about Steam before on this show, and particularly last season on Episode 4, where we spoke to video game journalist, Jason Schreier, about his new book, Press Reset. But just as a refresher, Steam is an online gaming store where you can download a bunch of games for your PC or Mac. And it’s been instrumental in giving indie developers an avenue to sell their games. Now with the Steam console, these indie developers will be able to create games for a handheld gaming experience, which is relatively new. The console is also supposed to be higher powered than other video game handheld systems like the Nintendo Switch and it’ll be able to run existing PC-based games. The other really neat thing about this device and the thing that I’m personally really excited about is that it’s essentially a miniaturized computer. It initially runs Linux, but Steam has said that you can swap out the operating system and install Windows if you want on it. They also say you could install competing game stores like the Epic Games Store if you want. You can plug peripherals into it. You could basically do whatever you want with this machine that you could do with a regular PC and Steam is pretty hands-off about it. It sounds amazing to me. The downside, if you are just first hearing about this device and it sounds great to you, you’re going to have to wait a while. There are so many people that have pre-ordered it that right now pre-orders are running into delivery estimates of Q3 2022. So it could be a wait.

 

[00:07:27] JP: Whoa!

 

[00:07:28] JP: I'm personally excited about this because I don’t have a Windows or Linux-based PC. I have a Mac PC and I have a very, very tiny desk in a very tiny apartment. And to me, this seems really exciting for a way to plug in a keyboard and plug in a mouse and a monitor and have a tiny little development machine. And I can’t wait to see what I can hack on with this thing.

 

[00:07:52] SY: So here’s the thing. If the whole idea is that it is competing with Nintendo Switch, why do we need Valve’s competitor to be a whole computer?

 

[00:08:03] JP: Okay. I think there’s two separate questions. Number one, I don’t think anyone actually needs it, except for Steam and Valve. Valve desperately needs this because what we’re seeing happening in the video game space is a shift towards people buying consoles and running them locally in their home and we’re seeing over time a shift towards people streaming games and online services. Google has a service called Stadia. Amazon is testing a service called Luna. Microsoft has a service called Xbox something. Microsoft has a service that also does this. And all these services let you play games on servers at a server farm somewhere else and just the video is streamed to you. And Steam primarily sells video games that run on a computer locally in your house. And so that’s a huge threat to their business model. So it behooves them to get a cheaper way for you to play PC games in front of you. Okay. So that’s the B part.

 

[00:09:12] SY: Okay. Got you.

 

[00:09:12] JP: Why is it appealing? I don’t know, it’s a cool gadget. Disclaimer, I buy like every single one of these things that comes along. I buy every little handheld device. I think what’s really exciting about this is it’s not a brand new platform. So if you want to play a game on your Nintendo Switch, the publisher of that game, the creator of that game, they have to write the game specifically to run on the Switch. With the Steam Deck, it’s going to run games that already run on your computer. Keep in mind, Steam has been around for like, oh, gosh, I don’t know, many, many years at this point. So if you buy the Steam Deck, if you have a Steam account, you automatically can play every game you’ve ever bought over, say, the past decade. It’s just right there. You don’t have to buy a whole bunch of new games and that’s a huge change from the existing console market.

 

[00:10:01] SY: Got it.

 

[00:10:01] JP: We kind of talked briefly about this as well. For indie developers, this is really, really exciting. If you are an indie developer and you make a small little game and you want to ship it, you can do that on mobile pretty easily, but it’s very difficult to do that for the PlayStation, the Xbox, the Switch. It has to go through certification. You have to have a contract with these large publishers. It’s really complicated. Steam is much more like publishing a game on mobile. You just set it up to Steam and they publish it for you. This is giving indies a much bigger audience to get in front of, potentially.

 

[00:10:35] SY: Well, good for them. And I hope you enjoy your console when it comes out eventually.

 

[00:10:40] JP: Whenever I get it, next year maybe.

 

[00:10:42] SY: Exactly.

 

[MUSIC BREAK]

 

[00:11:01] SY: So back in March, there was a big hack using a flaw in Microsoft’s Exchange Server with at least 30,000 targets compromised in the US, including businesses and local governments. Now the super interesting thing about this story is that NATO has now officially accused China of the attack. This is the first time that NATO has formally accused a government of a cyberattack, which shows a shift in an antiquated understanding of what is considered an attack on another nation outside of just physical attacks. It’s also the first time the FBI has not only gotten a court order to monitor infected systems, but received permission to go into companies and networks and remove malicious software, allegedly placed there by the Chinese. We should also note that this, of course, isn’t the first time a nation has been caught spying, with the NSA leak by Edward Snowden many years ago, which showed wide cyber spying by the US government on other nations, as well as the more recent SolarWinds hack, but those governments never received an official condemnation from NATO.

 

[00:12:04] JP: This is really interesting stuff. I mean, we are talking in this episode about so many instances of cyberattacks and hacks that are being carried out by nation states instead of individuals and ransomware groups. I think it’s been like a really dramatic shift just even in the last couple of weeks.

 

[00:12:25] SY: Yeah, absolutely. I mean, it’s really interesting to see it wasn’t just the US, it was all of NATO condemning China as a whole, and this kind of escalates the value of cyberattacks one step up and makes people go like, “Oh, we all know cyberattacks were bad, but it’s so bad that NATO is going to call you out.” This is how seriously we’re taking this now. I think that’s really great and that we are really focusing on this problem and it feels like we’re taking it more seriously than maybe we have in the past.

 

[00:12:55] JP: Right.

 

[00:12:56] SY: Not that we weren’t taking it seriously, but more.

 

[00:12:58] JP: I’m really fascinated by this idea that the FBI got permission to go into systems and remove the malicious code. I envisioned the FBI as like the geek squad, just cruising into servers and applying patches. That’s kind of bonkers to me.

 

[00:13:15] SY: That’s weird.

 

[00:13:15] JP: In my company, if we got a note one day from the FBI that said, “Hey, by the way, we just cruised on into your Microsoft Exchange Server and removed some Chinese code, you’re welcome.” There are so many questions I would have, like, “How did you get in there? Who let you do this?”

 

[00:13:31] SY: Yeah. Yeah.

 

[00:13:32] JP: But on the other hand, if you think of it from a national defense perspective, if there was a foreign country invading, you would expect the army to come in and protect you.

 

[00:13:48] SY: That’s very, very true. Yeah.

 

[00:13:49] JP: But I think the analogy is hard to bring over to the world of tech and online services and computer systems. I don’t think it’s a perfect example.

 

[00:13:59] SY: No, it’s not perfect, but when you put it that way though, it does make it sound less invasive. You know? So how do you think it works? Is it that the FBI goes and says like, “Hey, just so you know, we’re going to do this”? Do they get a heads up? Is it permission? Do they say, “Hey, we think you’re vulnerable. We would like to do this”? Or is it just like sneak attack, go do your thing, and then at the end of it, you’re like, “Surprise! It happened”?

 

[00:14:24] JP: Yeah. I don’t know. This is the part that I get frustrated with the reporting on some of this stuff because it’s all from politics and geopolitical aspects. I'm like, “I want to know about the hack.” I really want to know how the FBI removes this code. From what I’ve read, it’s a flaw in Microsoft Exchange Server. So it kind of sounds like it’s some sort of malware that’s getting installed on these systems. The FBI is removing the malware. Nothing that these companies couldn’t do, but I think the scope of the hack and the potential breach of data to the Chinese government is so severe that the FBI wants to make sure it’s gone from every place they find it versus just sending a very nice note to beleaguered email administrators at 30,000 different companies and saying, “Hey, could you please apply the latest patch?” Or, “Hey, could you please run this and remove this?” They don’t want to wait around for that.

 

[00:15:18] SY: Yeah. That makes sense. Yeah. Much faster, if not creepier, to just go in and do it yourself.

 

[00:15:24] JP: Yeah. I think it's really creepy. So the next hack? Is this going to be a regular thing? You would expect Microsoft to be issuing security patches and it’s up to individual companies to apply those, but if the US government starts saying, “Oh, no, it’s a matter of national security and we have to come in and apply these security patches for you,” that strikes me as a really, really dangerous precedent.

 

[00:15:48] SY: Yeah. I don’t know how I feel about that. Not excited about that one.

 

[00:15:52] JP: Well, what some security experts have called the story of the year, there was a huge leak to a consortium of news organizations involving an Israeli cyber surveillance company by the name of NSO Group. The company reportedly had multiple dealings with authoritarian governments for the use of its cyber espionage software called Pegasus, which was originally created with the purpose of keeping track of terrorists and criminals, but has been instead used to spy on journalists, activists, and even opposing politicians. The leak contained a list of 50,000 phone numbers of potential targets and included 10 prime ministers, three presidents, and the King of Morocco. The Israeli government even reportedly continued to allow the company to do business with the Saudi Arabian government after it was implicated in the assassination of Saudi journalist, Jamal Khashoggi in 2018. The NSO Group denies these allegations. Coming up next, we’ll speak with Marcus Carey, Enterprise Architect at ReliaQuest and co-author of the book, Tribe of Hackers, about this leak and how Pegasus works after this.

 

[MUSIC BREAK]

 

[00:17:13] SY: Here with us is Marcus Carey, Enterprise Architect at ReliaQuest and co-author of the book, Tribe of Hackers. Thank you so much for joining us.

 

[00:17:22] MC: Thanks for having me.

 

[00:17:23] SY: So tell us a bit about your career background.

 

[00:17:25] MC: So I began my career in technology by going to the US Navy when I was 18. I did cryptography. So that means I was an asset for the National Security Agency. So my background is military intelligence and it’s kind of apropos for the thing we’re going to be talking about today.

 

[00:17:42] JP: Very cool. Can you talk about your role as an enterprise architect at ReliaQuest?

 

[00:17:47] MC: Yeah. At ReliaQuest what I do is I help build security software solutions and piece together different technologies to help secure enterprises. Sometimes customers are trying to execute a certain thing and then I help them use the best technology, or sometimes I write technology from scratch to help them put that in.

 

[00:18:06] SY: So let’s talk about this massive leak about NSO Group. Can you walk us through the story and what happened?

 

[00:18:12] MC: Yeah, it sounds like some insider leaked a long list, thousands of phone numbers that were being tracked by, allegedly, the NSO Group software, for Amnesty International. Citizen Lab did a lot of research on it. And there’s been a lot of reporters that are getting into the action because what happened was that NSO Group writes surveillance software, this surveillance software is sold to nation states and governments. And the purpose of this software, according to NSO Group, is to track terrorists and criminals. And so it isn't supposed to be used on human rights activists or journalists, even though there have been prime ministers and even at least one king that were subjects of the surveillance. So it’s kind of the problem that we have in cybersecurity. You create offensive tools. You can’t control where that tool is going to be used really. So the governments, I guess, when they buy the software from NSO Group, they say, “Hey, look, we’re only going to use this for criminals and terrorists.” But it’s kind of up to the interpretation of the nations that buy it. And so they’re like, “Hey, this person, we don’t like this person. So they’re on our list.” And so what happens is you have a lot of people that, if these companies are oppressive regimes, it’s going to be a lot of people caught up into that net.

 

[00:19:28] JP: So how does this Pegasus technology work and what makes this spyware different from other spywares that the average phone user might encounter?

 

[00:19:38] MC: Well, I don’t think it’s really different, to be honest with you, but what I think is super targeted and they do use zero-day attacks. That’s what’s really significant. A zero-day is a non-click or zero-click software where you don’t have to do anything and it can compromise a phone. They’ve been targeting iPhones and Androids and it has had really good success. So I don’t think this is a lot different from a lot of other software that you’re going to see from an offensive perspective. The big thing is that they target phones and they’re very successful at doing it.

 

[00:20:11] SY: So can you talk a bit about the technology and how these zero-click attacks work? Because as you said, they are targeting phones, SMS, iMessage, and even a simple WhatsApp call and even if the call isn’t answered, you don’t click on anything, you can still be compromised. How is this possible?

 

[00:20:30] MC: Yeah. So many of these attacks, they take advantage of pre-rendering. If somebody sends you a text message, sometimes you see that text message even if your screen is locked. That means that sometimes there’s emojis and fonts and even kind of Unicode characters and different things like that. When these things are drawn together, it could exploit the phone. What the attackers are doing is they’re taking advantage of the situation on iMessage. If you know somebody’s email address or phone number, you can send them an iMessage with an exploit payload, anybody in the world. So if I know your email address associated with your iCloud or your iMessage account, I can send you an exploit and that’s a big problem. However, users can actually go into their settings and change it so you don’t get messages from unknown people. Many of the times, the people that have been exploited by this software, they’re getting random messages from unknown people, kind of like spam. But in many cases, the user can’t visually see what’s going on. They just see a message and it could be a text message or it could be nothing there. But what happened on the back end is that an exploit was leveraged and used and now the people can spy on your phone and they have access to your camera, all your contacts and things of that nature.

 

[00:21:51] JP: That totally leads into my next question. I was curious. What kind of things Pegasus can do on your phone once it’s there? You mentioned looking at your pictures, looking at your messages. Are there other things that it does? And how often is it like transmitting that data back? Does the phone have to be stolen? Is this being transmitted back to the people that installed the spyware? How do they get the data off of the phone and what kind of data is it getting?

 

[00:22:16] MC: Yeah. So from what I understand, it has unlimited access to everything on the phone. So the typical basis for this would be, supposedly what the software is for is this for tracking terrorists and criminals. So what it typically would be used for is they get a ring of terrorists or a ring of criminals, the organized crime. I think terrorist is “organized crime” as well. So the thing is what you want to do is you want to get that person’s information as far as like who were they’re communicating with because that could be a ring. Right? And so what’s happening is with the journalists and all that, they’re probably trying to track their sources. They’re trying to see if there’s government leaks. You know what I’m saying? That’s what they’re targeting the journalists for. They have a grievance with the journalists because the journalists are probably saying things that make the regime uncomfortable. And now what the regime is doing targeting the journalists is they want to see if they can identify any whistleblowers or any kind of people of that nature. So the nation state, in their mind, these people are violating national security for that nation state, if you think about it. Even though it could be an oppressive regime, their perspective is this person is a criminal to us.

 

[00:23:28] SY: So do we know if Android and iPhone are equally vulnerable to these attacks?

 

[00:23:34] MC: The people that have looked into this, they know they can actually do really good forensics. You can do better forensics on an iPhone than you can with an Android. They looked at hundreds of phones that were targeted and it was a high success rate of exploitation on the iPhone. So the iPhone definitely can be targeted, but this is nothing new and it shouldn’t be a surprise. If a nation state, once they come after you, they have unlimited amount of resources to come after you. Right? So it’s an NSO Group story because they’re using the software that they did. And NSO Group said, “This is against our license and we don’t want people going after these people,” is what they’re saying. And at the same time, Apple was like, “Look, we’re trying our best.” Google was saying, “We’re trying our best.” So as far as Apple and Google, I think that if a nation state wants to attack you, they’re going to be able to find a way to try to get you. Funny enough, the NSO Group says that if you have an American phone, like a +1 area code, one of the things about the exploitation is they look up where you’re at. If it’s an American phone, supposedly, they won’t exploit you. But if you have an overseas number, if you’re an American overseas, they will definitely try to exploit you. And the reason why is because in America, believe it or not, we have really strong laws in America that criminalize people spying on American citizens. In those laws, even the NSA, funny enough, has to follow those laws. CIA has to follow those laws. FBI has to follow those laws. So supposedly they need a warrant before they can surveil an American citizen. So that’s actually a result of our strong laws and people talk about privacy in America and people think that people are spying on you in America and think NSA is spying on them. We actually have pretty good laws to protect your privacy, believe it or not. Most people, people listening to this are going to think I’m crazy, but it’s true.

 

[00:25:32] JP: Do we know if the NSO Group is the only company that has the ability to create products like this or is creating products like this?

 

[00:25:42] MC: There’s open source projects that are being used by nation state actors.

 

[00:25:47] JP: Oh, wow!

 

[00:25:47] MC: There are US commercial companies that create software that do similar things that NSO Group does. NSO Group is very popular because they’re good at it and many of the people are former spies for Israel. So they have some beasts that are working for them. So they’re probably one of the most talented organizations when it comes to this, but we have companies in America that do this same thing. Like I said, there are open source projects that do similar things. You don’t have to have their software to exploit computers or phones, but they’re super effective at it. And the reason why they have this name is because these nation states and these regimes are using their software, but those same regimes use a lot of open source software. If I drop the hack intel today, I can guarantee you that somebody would pick that hacking tool up and it would be incorporated into some kind of kit for bad.

 

[00:26:43] SY: So would you say the software at these companies, the other companies you mentioned, the open source projects, are they as powerful as Pegasus? Are they comparable? Or is what Pegasus is doing, does it stand out?

 

[00:26:55] MC: Obviously, supposedly there are over 40 countries that use Pegasus software. I could imagine that that software is probably hundreds of thousands of dollars, if not millions of dollars, to use that software. So the difference is you have millions of dollars being poured into the NSO Group. They’re making a lot of money off this. So what they can do is they can afford to buy exploits. So if I was an independent researcher and I was like, “Oh, I got this Apple exploit. Well, how can I leverage that?” There’s two ways to go about that. You can go directly to Apple because Apple has a bug bounty program and submit it to them. They might pay you a couple of thousand dollars, right? If you go to NSO Group, they could actually give you ten thousand, a hundred thousand dollars. So you have resources all over the world. As soon as they get a really good exploit, you can actually use exploit brokers to leverage it and they would actually try to sell it to the highest bidder. You can sell those to nation states or you can sell it to somebody like NSO Group or you can sell it to like American research companies or British research companies or pick a country. So those exploits, usually the highest bidder is going to buy those exploits. And as a group, they might have some really good researchers, but in addition to that, they could be buying zero-days off this market.

 

[00:28:15] JP: So this is really scary, obviously. Is there anything end users can do to make their phones more secure against attacks like this? Because the attack is on the phone, does using encrypted communication apps like Signal even help?

 

[00:28:33] MC: I think you should always have your phone updated as much as possible. In addition to that, you try to go into settings and reject any unknown text messages and things of that nature. It’s really tough. From a developer perspective, this is why we try to build secure software. This is why you want to understand how to build secure software. And when you update software, you want to make sure that that new code is updated every time you push. We’re doing all kinds of continuous pushing of code, continuous development. All these things you want to make sure that you’re building in security because Apple, Apple is getting beat up over this whole story. Google’s getting beat up over this story. I actually have friends that work for Apple and they’re trying their best. There’s a fine line between calling somebody out and blaming the victim. And so to be clear, I think that they’re violating law. I think that what should happen from a developer perspective, try to write the best code as you can, from a security perspective, also what we want to do, I think you can put pressure from a legal perspective and we need to have better international laws protecting journalists and people like that. Like I said, funny enough, it’s American law that actually impacts the NSO Group software not being able to “work”. And another thing that’s crazy about this, right? Once NSO Group gives the software to a nation state, that nation state can actually take that and modify it in any way they want to really. So I said that there’s restrictions against American users of the phone number. Well, you could probably go in there and take the exploit and then you could modify stuff to say, “Oh, cool. I don’t care if you’re in America.” I do believe Signal is cool. I think Signal is probably the best case scenario for people trying to be secure from a communications standpoint. I’ve asked people to hide their iMessage email address. This is kind of random, but I tell people all the time. I’ve actually emailed people and caught them by surprise by their iMessage. I don’t have your number. I just know your email address with the iCloud. And what’s funny about that, anybody can go in your iPhone right now and you can type in the email address. And if that email address is associated with iCloud, it’ll turn blue. So it’s easy. At least with Google, you kind of have to know their phone number. So with iMessage, I tell people that don’t put your iMessage on your website. It’s kind of weird, but maybe you want a burner email address for your iCloud. It’s like little stuff like that. Also, you can go into your settings and reject messages from unknown people.

 

[00:31:19] SY: So you mentioned that Google and Apple have kind of taken some heat over this. To what extent can they actually do anything? Is there something they can do to change their software to better protect from hacks like this? You mentioned the bug bounty, which is kind of after the fact, right? It’s after an issue has already arisen that they’re able to address it. Is there anything they can do or should be doing differently to prevent this from happening?

 

[00:31:47] MC: Well, I think that you could always push to hire probably more security researchers. I think on the disclosure side of the house, I think that they sometimes take too long to address things. I think that they can move faster to plug exploits. The thing is, if you have a bug bounty program and you have a researcher that submitted you a bug, you should probably assume that somebody else has that exploit as well. And it’s probably a nation state. So in your bug bounty program, somebody submits a bug and you can’t think that that’s the only person in the world that found that bug. There was an old saying, “There’s no idea new under the sun.” I say, “There’s no exploit new under the sun.” So those nations, they probably have the same thing that was submitted. So what happens is sometimes Apple, from an engineering perspective, they have to put things, and Google is the same way, into a sprint just like any other. As a sprint, we’ve got to do this on this sprint, but I think they should prioritize moving stuff like that up in their development cycles, because some random researcher found it on their own dime. Just imagine what a multimillion-dollar company that’s dedicated to finding exploits is funding, right? So that’s how you have to think of it. If I’m Google or Apple, I just have to prioritize those security fixes. They are making waves. I’m not blaming them. Again, I don’t blame Google or Apple for criminal behavior against their operating system, just like I wouldn’t blame a victim of any kind. But I would say that, hey, there are people out here depending on you and we just need to step it up even more. You’re doing a lot of good stuff, but we need to step it up even more.

 

[00:33:32] JP: I saw some coverage about some tools that purport to let you know if your phone is infected by a Pegasus attack or anything else. They’re open source, they’re available on GitHub. Would you recommend people run those if they’re curious? I mean, I imagine most of our audience are not prime ministers or kings or presidents who have to worry about this. And you said there’s a potential threat in everything. Would you recommend people check their phones for this sort of thing?

 

[00:34:04] MC: Well, I recommend that you actually go to Amnesty International, who has written on this, and also Citizen Lab, they’re out of Toronto, I believe, out of Canada. Go look at their papers. If you’re a technical person, read their stuff. And if they recommend something, I would do it. I would not follow some random Yahoo that posted some GitHub code.

 

[00:34:25] JP: Got you.

 

[00:34:26] MC: But yeah. So be super careful. This is the prime opportunity. When anything happens like this, there are going to be some wolves out there in sheep’s clothing, so to speak. They say, “Oh, yeah, I love this,” or “Install this.” Yeah. Okay. Whatever. Right? If you think you’re a victim or you could fall prey to this, yeah, check out the right resources.

 

[00:34:46] SY: Is there anything else that we didn’t cover here that you want to talk about?

 

[00:34:50] MC: From a development perspective, again, I want to emphasize that, hey, cool, let’s try to build the best software we can build. And when somebody tells you, “Hey, there’s a bug in your software,” try to update as soon as possible. If you work for a company or you’re starting to work, make sure that the companies you work with do bug bounty programs. This whole thing is not limited to Apple or Google. I mean, think of all the SaaS services that we use on a day-to-day basis. If there’s something like trade secrets or your intellectual property and all those different things, there are foreign countries that want that data too. There are people out there that want to spy on you, for all kinds of different reasons. We’re all from a development community, and if you build software, try to make it as secure as possible so people can’t get in.

 

[00:35:35] SY: Wonderful. That was great. Well, thank you so much, Marcus, for joining us.

 

[00:35:38] MC: Thanks for having me.

 

[00:35:50] SY: Thank you for listening to DevNews. This show is produced and mixed by Levi Sharpe. Editorial oversight is provided by Peter Frank, Ben Halpern, and Jess Lee. Our theme music is by Dan Powell. If you have any questions or comments, dial into our Google Voice at +1 (929) 500-1513 or email us at [email protected]. Please rate and subscribe to this show wherever you get your podcasts.