> When it is successfully deployed against a target, the hacking software – called Graphite – can hack into any phone. By essentially taking control of the mobile phone, the user – in this case, Ice – can not only track an individual’s whereabouts, read their messages, look at their photographs, but it can also open and read information held on encrypted applications, like WhatsApp or Signal. Spyware like Graphite can also be used as a listening device, through the manipulation of the phone’s recorder.
"When it is successfully deployed against a target" is obviously doing incredible lifting here - how is it deployed, and how does The Guardian know whatever details it knows (and isn't sharing)? Is there a background whistleblower between the lines here, or is this just paraphrasing the Wired reporting from last year?
> John Scott-Railton, a senior research at the Citizen Lab at the University of Toronto, who is one of the world’s leading experts on cases in which spyware like Graphite has been abused by governments, said in a statement that such tools “were designed for dictatorships, not democracies built on liberty and protection of individual rights”.
Kind of an odd take shoved into the middle of the article. Presumably this "Senior Research" [sic] had much more to say and this was the quote that The Guardian used. Regardless of for whom these exploits were "designed", obviously we know that power corrupts, and that this corrupting power can push liberal states into more totalitarian states (the article even cites Italy as an example of this).
> The US government has in the past resisted using spyware technology made outside the US because of concerns that any company that sells technology to multiple government agencies around the world represents a potential security risk.
Again, unsourced and unexplained. What does "resisted" mean - is this describing the Biden executive order? Or prior executive procurement policies? Or laws? Clarity is very important here and is not forthcoming.
> “As long as the same mercenary spyware tech is going to multiple governments, there is a baked-in counterintelligence risk. Since all of them now know what secret surveillance tech the US is using, and would have special insights on how to detect it and track what the US is doing with it,” Scott-Railton said. “Short of Paragon cancelling all foreign contracts, I’m not sure how this goes away.”
...again, I want to give this guy the benefit of the doubt. This reads like it was a long interview and The Guardian probably cherry-picked parts of it.
But how this goes away is: we learn how the exploit works and develop countermeasures.
The indication (well, insinuation really) is that the exploit takes control of the OS of the phone, not that it amounts to any new cryptographic vulnerability. So, how does that happen?
The discussion on the front page of HN yesterday on the thread, "We should have the ability to run any code we want on hardware we own" was refreshing and felt like the first real consensus we've had around here on this topic in several months. Specifically, it seems like we all now agree that our mobile devices have reached a combination of complexity and (state-assisted) corporate control that they are no longer safe for everyday use.
And it's important to point out (and I'll bet that Scott-Railton did, in parts of the interview that weren't used for the article), it's not only (perhaps not even primarily) a matter of personal safety from our devices, but an inevitable degradation of societal power structures into surveillance states that necessarily arises from this concentration of power.
I do not believe that there is an avenue for addressing this via institutional influence - the cited examples of Saudi Arabia, Italy, and the United States, despite having dramatically different configurations of state authority (and, probably in most people's minds, levels of legitimacy as states in the first place), all present identical attack surfaces in the face of "Graphite" and similar exploits.
The ongoing imperative is the construction and maintenance of an internet which does not recognize state authority and on which censorship and surveillance cannot be conducted via state fiat.
> "When it is successfully deployed against a target" is obviously doing incredible lifting here - how is it deployed, and how does The Guardian know whatever details it knows (and isn't sharing)?
This is not a research paper where The Guardian needs to go into those details. Those details are known based on previous incidents/issues and general knowledge.[1]
> Kind of an odd take shoved into the middle of the article. Presumably this "Senior Research" [sic] had much more to say and this was the quote that The Guardian used. Regardless of for whom these exploits were "designed", obviously we know that power corrupts, and that this corrupting power can push liberal states into more totalitarian states (the article even cites Italy as an example of this).
Guardian articles are pretty short. They're not going to quote someone when all they are trying to get is that these are risky tools that invite abuse. So they interviewed an expert who could give a quote to that effect. Why is that shovelled in? This is very much "WHY" someone should care. It's a core tenet of journalism, don't just present what - but also some analysis for what it means.
> Again, unsourced and unexplained. What does "resisted" mean - is this describing the Biden executive order? Or prior executive procurement policies? Or laws? Clarity is very important here and is not forthcoming.
Yeah, are they going to link to 30 different articles and so forth? Here you go, a quick reference: [2]
> ...again, I want to give this guy the benefit of the doubt. This reads like it was a long interview and The Guardian probably cherry-picked parts of it.
Why does any of the quote sound cherry-picked? The context seems clear: other governments use this tool, if USG does too, then other governments know the capabilities. It's an intrinsic problem. Seems to be completely conveyed via the quotes, and that was presumably the reason to interview this additional person.
> The indication (well, insinuation really) is that the exploit takes control of the OS of the phone, not that it amounts to any new cryptographic vulnerability. So, how does that happen?
How this happens is WAY out of scope of the article. This is a general news article that is around 300 or so words. It's not a security bulletin or a tech focused article. Why do you expect these details? Can you give any other examples from say the LaTimes, BBC.co.uk, or any other similar news services?
> And it's important to point out (and I'll bet that Scott-Railton did, in parts of the interview that weren't used for the article), it's not only (perhaps not even primarily) a matter of personal safety from our devices, but an inevitable degradation of societal power structures into surveillance states that necessarily arises from this concentration of power.
This does seem implied. The quote "were designed for dictatorships, not democracies built on liberty and protection of individual rights" is really saying this, no? Like, it's saying exactly, this technology is a concern because it can be abused and is a tool for authoritarian countries and not democracies.
> The ongoing imperative is the construction and maintenance of an internet which does not recognize state authority and on which censorship and surveillance cannot be conducted via state fiat.
I agree with your premise here. In this case, the article that the USG is adopting these tools should be well alarming to you.
[1] https://citizenlab.ca/2025/06/first-forensic-confirmation-of...
[2] https://www.federalregister.gov/documents/2023/03/30/2023-06...
The actual article is pretty old news and uninteresting - yes US police have used spyware for "surveillance". This is not new by any means. Similarly a number of Israeli private companies have made a name for themselves selling spyware software on, let's say the grey market. This is well known by now.
The only interesting thing to know would be how this particular piece of software works.
The reporting here is markedly more imprecise, and it's frustrating.
I have an iPhone that died on vacation and was set to backup only on WiFi (I’ve since changed that setting, haha, whoops) and has a couple days of photos stuck on it that weren’t backed up. It boots and makes noise but the screen is dead. Uncertainty about how broken it is has kept me from paying the not-cheap cost to get a screen replacement, and I haven’t found a way to read its data over a cable without unlocking via the screen first (which doesn’t work, and its touch-sensing capacity also seems to be dead, so blind input doesn’t do it, or else I could probably unlock it with a couple tries and get it to connect to WiFi it already knows and do its backup, but it won’t do that without being unlocked)
That's rich coming from a company in a country that is committing genocide and has run an apartheid regime for decades.
The legal presence / country of a company very likely performing a genocide is very much relevant and ontopic. Look up the dark history of companies like IBM and IG Farben and the term "Wir haben es nicht gewußt".
If someone proves something, it's proven right then and there, even if it takes years for people to understand it, or for it to make its way into textbooks. This stuff really is very obvious.
And, for example - if you are using one specific LEGAL definition of a genocide then you have to prove LEGALLY, following the regular process. If you're not doing it, then it's per definition not a proof.
Nope. There was a pretty smooth transition from "Nobody has ever wondered about this" to "All educated people know it's a ball shape" a very, very long time ago.
Eratosthenes comes up with a pretty good approximation both for how big the ball is, and how much its axis is off (you also if you think about it realise the planet must be spinning, that's why there's a day-night cycle)
Flat Earthers are a weird modern thing, they aren't somehow a remnant.
I'm curious what your angle here will be - that these events never happened, that these events don't constitute genocide, or that this isn't "proof."
> The world's leading association of genocide scholars has declared that Israel is committing genocide in Gaza.
> A resolution passed by the International Association of Genocide Scholars (IAGS) states that Israel's conduct meets the legal definition as laid out in the UN convention on genocide.
> Across a three-page resolution, the IAGS presents a litany of actions undertaken by Israel throughout the 22-month-long war that it recognises as constituting genocide, war crimes and crimes against humanity.
And then there’s
> B'Tselem and Physicians for Human Rights-Israel released separate reports on Monday based on studies of the past 21 months of conflict. The organisations, which have been active in Israel for decades, said in a joint statement that "in these dark times it is especially important to call things by their name", while "calling on this crime to stop immediately".
What level of proof would you find acceptable?
If we're talking about legal evaluation, then there is a strict formal procedure that collects and evaluates the evidence from both sides controlled by lawyers. And after the court comes to a final conclusion including appeals or whatever steps are provided by the legal system, then you may claim that something was proven.
For a scientific proof, the procedure is much more complex - basically you start with a claim and then you have to disprove or invalidate EVERY SINGLE opposite claim, fact or evidence. And there is actually no time limit here - scientists are still trying to disprove theories from the 17th century.
This is how things work in real world.
Netanyahu is wanted for war crimes by ICC. Is he convicted? No, he is a suspect. Is he trying to avoid getting arrested? Yes, just like Putin. Both of these countries are likely to have recently committed war crimes.
After WWII and 'Wir haben es nicht gewußt' we set up international organizations to avoid this happening again. Unfortunately, not everyone recognizes these organizations but that is also a tell tale of their intentions.
The second point is - these organisations are used to cement the status quo - which is also created by the colonial powers and has absolutely nothing to do with the reality in the world - thus on one hand making all conflicts unavoidable and on the other hand mostly illegal.
The third point is - the rules are not applied to all countries in the same way - e.g. Turkey occupied half of Cyprus and displaced a large part of its population, Turkey is bombing innocent people in Syria, Turkey keeps refugees that originally headed to Europe under very inhuman conditions - not only there are no sanctions for that, Europe is basically funding all of this. As Russia occupied Georgia and annexed parts of it, there were no investigations, no sanctions, nothing. As China occupied Tibet, there were no sanctions but huge investments instead. And there are many more examples.
If you want to have an accepted legal system then it may not be biased and has to apply to everyone without exceptions - what we have at the moment is not even a joke. It's the opposite of a legal system.
Generally speaking, in theory, the occupying power is supposed to be a caretaker - they aren't supposed to take any action that integrates the occupied territory into the main territory. Allowing occupied territories to vote in the occupying power's elections is considered a form of integration. Doing so is considered acquiring territory via annexation, which is illegal under the UN charter.
(See for example Israel when the international community yelled at them for allowing people in Golan Heights to vote).
https://www.jns.org/jns/benjamin-netanyahu/23/6/2/292333/
Other data collection/surveillance software from the Epstein circle include PROMIS (Robert Maxwell allegedly sold a backdoored version), Chiliad (FBI search software, Christine Maxwell, seems legit) and CargoMetrics (Ghislaine Maxwell's husband, maritime container tracking).
> Where our devices are access points
Then that would be your exposure
Edit:
Something like this, but for phones
https://learn.microsoft.com/en-us/windows/security/applicati...
As for iOS, to my knowledge it doesn't allow for any such app segregation.
In general, we need stronger per-app isolation such that a zero-day affecting one app doesn't grant any access to anything else.
(Microsoft and security are distinct concepts, btw.)
"Expressive animations" are yet another vector because their rendering can be exploited.
As for MMS, that is a prominent risk.
Is it just that the NSA is unwilling (legally prevented?) to share their toys? It's hard to imagine they don't have capabilities like this.
Like at the very worst - selling "cyberweapons" would follow the same rules as selling actual weapons.
I don't super follow US politics, but I don't think we are at the point where ICE is committing crimes against humanity - which I think is what would be required for this transaction to violate international law.
One of the few good things revealed by Edward Snowden's leaks was the fact that the NSA has filters for intercepted communications to filter out comms from US citizens. This was in top-secret programs that had no reason to be publicly known, and yet the NSA still had these filters installed anyways, because everyone in the NSA understands that they're not a law-enforcement agency, because of Posse Comitatus.
No, we're allowing that now for some reason.
Sure, but I don't think (ianal) that it prevents technology transfer.
https://www.aclu.org/news/national-security/five-things-to-k...
Strictly speaking, that's not correct. The Posse Comitatus Act just changes the status of using the military as a police force from “allowed because any person or group can be deputized as a police at any time”, to “the US military can be used as a police force only under the laws specifically allowing and governing the US military as a police force.”
(Of course, the Posse Comitatus Act is a criminal law, which means in practice the primary mechanism for enforcing it is for the executive branch to arrest and prosecute offenders. This works tolerably well to prevent, say, a rogue sheriff calling up his buddy who happens to command an infantry company to come help out, but not particularly well to dissuade the President from directing the military for policing as a matter of Administration policy.)
In principle the courts can constrain the government based on it, as well, but it is noteworthy that the determination that the deployment was illegal in the case filed by the State of California almost immediately when courts were open after the initial LA deployment was announced on June 7 and before troops arrived on June 10 was just released, on September 2, nearly 3 months later. And is on hold for 10 days to give the government time to appeal. So, one might consider the courts to not be a meaningful constraint, here.
If one of the Five Eyes is somehow forbidden to analyse something, they just send it to one of the others where it is legal.
(2) NSA does not in fact have to outsource spyware (they may do it for convenience/situational logistics).
(3) US federal law enforcement and intelligence agencies all have multiple vendors for this stuff.
Every time a story on HN comes up about how bug bounties are underpaid and how much exploits are worth, I recite the bit about how serious grey-market vendors can run up the score on a serious vulnerability by (1) selling the same vulnerability to every IC/LEO agency in allied countries and (2) selling maintenance contracts to convert those agencies into recurring revenue. These are the companies I'm talking about when I say that. I'm never thinking of Paragon.
Of course ICE has exploit and implant tech.
jsheard•5h ago
> Paragon also refuses to disclose who its clients are and has said it does not have insight into how its clients use the technology against targets.
Well colour me convinced!