
ICE obtains access to Israeli-made spyware that hacks phones and encrypted apps

https://www.theguardian.com/us-news/2025/sep/02/trump-immigration-ice-israeli-spyware
195•pera•5mo ago

Comments

jsheard•5mo ago
> [Paragon] has said that [...] it only does business with democracies. It has also said it has a no tolerance policy and will cut off government clients who use the spyware to target members of civil society, like journalists.

> Paragon also refuses to disclose who its clients are and has said it does not have insight into how its clients use the technology against targets.

Well colour me convinced!

ktallett•5mo ago
The latter suggests it has no ability to know the former.
jsheard•5mo ago
Yeah, that's what I was getting at.
reflexe•5mo ago
<removed by me>
jMyles•5mo ago
Important story for sure, but this reporting is subpar IMO.

> When it is successfully deployed against a target, the hacking software – called Graphite – can hack into any phone. By essentially taking control of the mobile phone, the user – in this case, Ice – can not only track an individual’s whereabouts, read their messages, look at their photographs, but it can also open and read information held on encrypted applications, like WhatsApp or Signal. Spyware like Graphite can also be used as a listening device, through the manipulation of the phone’s recorder.

"When it is successfully deployed against a target" is obviously doing incredible lifting here - how is it deployed, and how does The Guardian know whatever details it knows (and isn't sharing)? Is there a background whistleblower between the lines here, or is this just paraphrasing the Wired reporting from last year?

> John Scott-Railton, a senior research at the Citizen Lab at the University of Toronto, who is one of the world’s leading experts on cases in which spyware like Graphite has been abused by governments, said in a statement that such tools “were designed for dictatorships, not democracies built on liberty and protection of individual rights”.

Kind of an odd take shoved into the middle of the article. Presumably this "Senior Research" [sic] had much more to say and this was the quote that The Guardian used. Regardless of for whom these exploits were "designed", obviously we know that power corrupts, and that this corrupting power can push liberal states into more totalitarian states (the article even cites Italy as an example of this).

> The US government has in the past resisted using spyware technology made outside the US because of concerns that any company that sells technology to multiple government agencies around the world represents a potential security risk.

Again, unsourced and unexplained. What does "resisted" mean - is this describing the Biden executive order? Or prior executive procurement policies? Or laws? Clarity is very important here and is not forthcoming.

> “As long as the same mercenary spyware tech is going to multiple governments, there is a baked-in counterintelligence risk. Since all of them now know what secret surveillance tech the US is using, and would have special insights on how to detect it and track what the US is doing with it,” Scott-Railton said. “Short of Paragon cancelling all foreign contracts, I’m not sure how this goes away.”

...again, I want to give this guy the benefit of the doubt. This reads like it was a long interview and The Guardian probably cherry-picked parts of it.

But how this goes away is: we learn how the exploit works and develop countermeasures.

The indication (well, insinuation really) is that the exploit takes control of the OS of the phone, not that it amounts to any new cryptographic vulnerability. So, how does that happen?

The discussion on the front page of HN yesterday on the thread, "We should have the ability to run any code we want on hardware we own" was refreshing and felt like the first real consensus we've had around here on this topic in several months. Specifically, it seems like we all now agree that our mobile devices have reached a combination of complexity and (state-assisted) corporate control that they are no longer safe for everyday use.

And it's important to point out (and I'll bet that Scott-Railton did, in parts of the interview that weren't used for the article), it's not only (perhaps not even primarily) a matter of personal safety from our devices, but an inevitable degradation of societal power structures into surveillance states that necessarily arises from this concentration of power.

I do not believe that there is an avenue for addressing this via institutional influence - the cited examples of Saudi Arabia, Italy, and the United States, despite having dramatically different configurations of state authority (and, probably in most people's minds, levels of legitimacy as states in the first place), all present identical attack surfaces in the face of "Graphite" and similar exploits.

The ongoing imperative is the construction and maintenance of an internet which does not recognize state authority and on which censorship and surveillance cannot be conducted via state fiat.

seadan83•5mo ago
Gotta say, you sound hypercritical.

> "When it is successfully deployed against a target" is obviously doing incredible lifting here - how is it deployed, and how does The Guardian know whatever details it knows (and isn't sharing)?

This is not a research paper where The Guardian needs to go into those details. Those details are known based on previous incidents/issues and general knowledge.[1]

> Kind of an odd take shoved into the middle of the article. Presumably this "Senior Research" [sic] had much more to say and this was the quote that The Guardian used. Regardless of for whom these exploits were "designed", obviously we know that power corrupts, and that this corrupting power can push liberal states into more totalitarian states (the article even cites Italy as an example of this).

Guardian articles are pretty short. They're not going to quote someone when all they are trying to get is that these are risky tools that invite abuse. So they interviewed an expert who could give a quote to that effect. Why is that shovelled in? This is very much "WHY" someone should care. It's a core tenet of journalism, don't just present what - but also some analysis for what it means.

> Again, unsourced and unexplained. What does "resisted" mean - is this describing the Biden executive order? Or prior executive procurement policies? Or laws? Clarity is very important here and is not forthcoming.

Yeah, are they going to link to 30 different articles and so forth? Here you go, a quick reference: [2]

> ...again, I want to give this guy the benefit of the doubt. This reads like it was a long interview and The Guardian probably cherry-picked parts of it.

Why does any of the quote sound cherry-picked? The context seems clear: other governments use this tool, if USG does too, then other governments know the capabilities. It's an intrinsic problem. Seems to be completely conveyed via the quotes, and that was presumably the reason to interview this additional person.

> The indication (well, insinuation really) is that the exploit takes control of the OS of the phone, not that it amounts to any new cryptographic vulnerability. So, how does that happen?

How this happens is WAY out of scope of the article. This is a general news article that is around 300 or so words. It's not a security bulletin or a tech focused article. Why do you expect these details? Can you give any other examples from say the LaTimes, BBC.co.uk, or any other similar news services?

> And it's important to point out (and I'll bet that Scott-Railton did, in parts of the interview that weren't used for the article), it's not only (perhaps not even primarily) a matter of personal safety from our devices, but an inevitable degradation of societal power structures into surveillance states that necessarily arises from this concentration of power.

This does seem implied. The quote "were designed for dictatorships, not democracies built on liberty and protection of individual rights" is really saying this, no? Like, it's saying exactly, this technology is a concern because it can be abused and is a tool for authoritarian countries and not democracies.

> The ongoing imperative is the construction and maintenance of an internet which does not recognize state authority and on which censorship and surveillance cannot be conducted via state fiat.

I agree with your premise here. In this case, the article that the USG is adopting these tools should be well alarming to you.

[1] https://citizenlab.ca/2025/06/first-forensic-confirmation-of...

[2] https://www.federalregister.gov/documents/2023/03/30/2023-06...

bawolff•5mo ago
Well you're certainly correct, as a tech person i'm nonetheless always disappointed by mainstream media reporting on these things as the "how" and "what" bit is by far more interesting to me than anything in the article.

The actual article is pretty old news and uninteresting - yes US police have used spyware for "surveillance". This is not new by any means. Similarly a number of Israeli private companies have made a name for themselves selling spyware software on, let's say the grey market. This is well known by now.

The only interesting thing to know would be how this particular piece of software works.

zapataband2•5mo ago
Yeah I thought it was widely known that "deploy" could be as simple as sending a text message. The recipient did not even need to open it in the case of Pegasus.
jMyles•5mo ago
So you're presuming that there is an exploit that allows a remote attacker to install "Graphite" via a text message? That is not stated here - or anywhere - as it was over and over again in the case of Pegasus (and similarly, the trumpets sounded when the patch was fixed a couple weeks later).

The reporting here is markedly more imprecise, and it's frustrating.

tripletpeaks•5mo ago
I don’t suppose anything a bit less-serious is available to normies?

I have an iPhone that died on vacation and was set to backup only on WiFi (I’ve since changed that setting, haha, whoops) and has a couple days of photos stuck on it that weren’t backed up. It boots and makes noise but the screen is dead. Uncertainty about how broken it is has kept me from paying the not-cheap cost to get a screen replacement, and I haven’t found a way to read its data over a cable without unlocking via the screen first (which doesn’t work, and its touch-sensing capacity also seems to be dead, so blind input doesn’t do it, or else I could probably unlock it with a couple tries and get it to connect to WiFi it already knows and do its backup, but it won’t do that without being unlocked)

t123278713247•5mo ago
Ehud Barak was on Paragon's board of directors. Barak also invested with Epstein in Carbyne:

https://www.jns.org/jns/benjamin-netanyahu/23/6/2/292333/

Other data collection/surveillance software from the Epstein circle include PROMIS (Robert Maxwell allegedly sold a backdoored version), Chiliad (FBI search software, Christine Maxwell, seems legit) and CargoMetrics (Ghislaine Maxwell's husband, maritime container tracking).

ktallett•5mo ago
I feel the key change we as civilians need is to move to a non-local stored detail. Where our devices are access points to decentralised mesh networked apps. These companies and governments have been proven time and time again to not obey appropriate measures for invalid reasoning.
mandeepj•5mo ago
I don’t think what you are proposing is going to work!!

> Where our devices are access points

Then that would be your exposure

popalchemist•5mo ago
All other things being equal, local storage is always going to be preferable to cloud storage, because the surface of attack is intrinsically limited by the need for having the physical device in hand.
OutOfHere•5mo ago
There are three main categories of entry into a device via zero-days: WhatsApp/Signal, SMS/MMS, and Firefox/Chrome/Safari. If these can be isolated, entering a device could become harder.
mandeepj•5mo ago
I wonder if those apps can be operated from a secure vault or conclave

Edit:

Something like this, but for phones

https://learn.microsoft.com/en-us/windows/security/applicati...

OutOfHere•5mo ago
I already have two secure conclaves in my phone, and they're already used up for other apps, e.g. finance apps, etc. One of them uses Work Profile and the other uses Knox. I don't think that more such regions are allowed on non-rooted Android.

As for iOS, to my knowledge it doesn't allow for any such app segregation.

In general, we need stronger per-app isolation such that a zero-day affecting one app doesn't grant any access to anything else.

mandeepj•5mo ago
Seems like you have an android! I wrote my parent comment in context of an iPhone. Sorry for not clarifying earlier
exceptione•5mo ago
https://grapheneos.org/features

(Microsoft and security are distinct concepts, btw.)

upofadown•5mo ago
SMS is inherently plain text. I think a user would have to click on a link for an attack to work.
PieTime•5mo ago
They have developed zero click exploits before
OutOfHere•5mo ago
Link previews would do the trick, and let me confirm that the Google Messages app for SMS does show link previews with no way to disable them.

"Expressive animations" are yet another vector because their rendering can be exploited.

As for MMS, it is a known prominent risk.

const_cast•5mo ago
For all y'all Linux users: run your browsers in a container. You can isolate Firefox to just ~/downloads using Flatpak, it's really easy. Stops those pesky zero days from causing too much damage. Also everything just works.
OutOfHere•5mo ago
Is there really a recommended Docker image for Firefox? And does it really work with a UI? Or did you mean to use Flatpak? Can it be run from a Mac?
soraminazuki•5mo ago
I don't think you need to do anything for macOS. It already has a permission system for filesystem access.
OutOfHere•5mo ago
Zero-day exploits for web browsers routinely compromise the entire system, even on MacOS. Even without admin access, the exploit can do significant harm.
soraminazuki•5mo ago
The native permission system still works for limiting filesystem access. As for the kinds of things you're describing, I don't think containerization is an effective enough countermeasure. At least definitely not Docker, which includes a root daemon that can be made to run arbitrary commands. A VM, possibly with some of the host integration features disabled, is a better option but is more costly in terms of setup, usability, and power usage. For many, the cost far exceeds the risk.
const_cast•5mo ago
I believe Flatpak is linux-only. There's a UI to edit Flatpak settings from KDE settings or you can use flatseal.

You can do tons of neat things with it. You can also cut off environment variables, cut off the x11 socket, only allow certain dbus channels, etc. You don't need a docker container or anything, Flatpak is a container technology.
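One way to check that Flatpak restrictions like the ones described in the comment above actually took effect (an added example, not part of the thread): a small auditor for Flatpak permission keyfile text, such as a per-app override file or the output of `flatpak info --show-permissions`. The function names, the sample keyfiles and the choice of which grants count as too broad are this example's assumptions.

```python
import configparser

# Grants this example treats as too broad for a browser sandbox (example policy).
BROAD_FILESYSTEMS = {"host", "host-os", "host-etc", "home"}
RISKY_SOCKETS = {"x11", "fallback-x11"}  # X11 does not isolate clients from each other


def _load(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # D-Bus names are case-sensitive, keep keys as written
    cp.read_string(text)
    return cp


def _granted(cp, key):
    """Semicolon-separated [Context] list, minus '!'-negated (removed) entries."""
    raw = cp.get("Context", key, fallback="")
    values = [v.strip() for v in raw.split(";")]
    return [v for v in values if v and not v.startswith("!")]


def audit(text, allowed_bus_names=frozenset()):
    """Return (category, value) findings for grants wider than the example policy."""
    cp = _load(text)
    findings = []
    for fs in _granted(cp, "filesystems"):
        if fs.split(":", 1)[0] in BROAD_FILESYSTEMS:  # ignore :ro/:rw/:create suffix
            findings.append(("filesystem", fs))
    for sock in _granted(cp, "sockets"):
        if sock in RISKY_SOCKETS:
            findings.append(("socket", sock))
    if "all" in _granted(cp, "devices"):
        findings.append(("device", "all"))
    if cp.has_section("Session Bus Policy"):
        for name, policy in cp.items("Session Bus Policy"):
            # Only talk/own give the app a usable channel; flag names off the allowlist.
            if policy.strip() in {"talk", "own"} and name not in allowed_bus_names:
                findings.append(("dbus", name))
    return findings


# Constructed sample: a permissive profile for a browser.
PERMISSIVE = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=home;xdg-download;!xdg-documents;

[Session Bus Policy]
org.mozilla.firefox.*=own
org.freedesktop.Flatpak=talk
org.freedesktop.Notifications=talk
"""

# Constructed sample: the same profile limited to the download directory, no X11.
HARDENED = """\
[Context]
shared=network;ipc;
sockets=wayland;pulseaudio;!x11;
devices=dri;
filesystems=xdg-download;!home;

[Session Bus Policy]
org.mozilla.firefox.*=own
org.freedesktop.Notifications=talk
"""

ALLOWED = {"org.mozilla.firefox.*", "org.freedesktop.Notifications"}

if __name__ == "__main__":
    for label, text in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(label, audit(text, ALLOWED))
```
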

bawolff•5mo ago
In some ways i think the most interesting aspect is that US federal government has to outsource its spyware.

Is it just that the NSA is unwilling (legally prevented?) to share their toys? It's hard to imagine they don't have capabilities like this.

x0x0•5mo ago
I suspect the nsa doesn't want to burn their 0 days on this.
itqwertz•5mo ago
I suspect Israel does whatever they want under the auspices of national security, gives “private” cybersecurity corporations latitude to circumvent international laws, then packages it all up to sell to the highest bidder.
bawolff•5mo ago
It seems pretty unlikely that selling a zero-day to a state actor is a violation of international law, unless the vendor knows that state actor intends to use it to commit an internationally wrongful act.

Like at the very worst - selling "cyberweapons" would follow the same rules as selling actual weapons.

I don't super follow US politics, but i don't think we are at the point where ICE is committing crimes against humanity - which i think is what would be required for this transaction to violate international law.

vFunct•5mo ago
NSA isn't allowed to spy on US citizens. NSA is a US military organization under Department of Defense, and Posse Comitatus act makes it unlawful for the US military to act as a police force in the US.

One of the few good things revealed by Edward Snowden's leaks was the fact that the NSA has filters for intercepted communications to filter out comms from US citizens. This was in top-secret programs that had no reason to be publicly known, and yet the NSA still had these filters installed anyways, because everyone in the NSA understands that they're not a law-enforcement agency, because of Posse Comitatus.

ronsor•5mo ago
> Posse Comitatus act makes it unlawful for the US military to act as a police force in the US

No, we're allowing that now for some reason.

bawolff•5mo ago
> Posse Comitatus act makes it unlawful for the US military to act as a police force in the US.

Sure, but i don't think (ianal) that it prevents technology transfer.

mattnewton•5mo ago
Who says that isn’t happening?
amarant•5mo ago
It's implied by the fact that Ice had to obtain the spyware from Israel
mattnewton•5mo ago
I mean that the US government could have laundered some of the tools it is not supposed to have developed against US citizens through Israeli companies. (We don’t have any evidence of this in this case)
BoardsOfCanada•5mo ago
So what would you say about the PRISM and Upstream programs where metadata about millions of Americans was collected? Doesn't it seem as if they could target any US citizen by just pretending to target any foreigner they communicate with?

https://www.aclu.org/news/national-security/five-things-to-k...

dragonwriter•5mo ago
> Posse Comitatus act makes it unlawful for the US military to act as a police force in the US.

Strictly speaking, that's not correct. The Posse Comitatus Act just changes the status of using the military as a police force from “allowed because any person or group can be deputized as a police at any time”, to “the US military can be used as a police force only under the laws specifically allowing and governing the US military as a police force.”

(Of course, the Posse Comitatus Act is a criminal law, which means in practice the primary mechanism for enforcing it is for the executive branch to arrest and prosecute offenders. This works tolerably well to prevent, say, a rogue sheriff calling up his buddy who happens to command an infantry company to come help out, but not particularly well to dissuade the President from directing the military for policing as a matter of Administration policy.)

In principle the courts can constrain the government based on it, as well, but it is noteworthy that the determination that the deployment was illegal in the case filed by the State of California almost immediately when courts were open after the initial LA deployment was announced on June 7 and before troops arrived on June 10 was just released, on September 2, nearly 3 months later. And is on hold for 10 days to give the government time to appeal. So, one might consider the courts to not be a meaningful constraint, here.

ThinkBeat•5mo ago
They just feed it to GCHQ, no law against that.

If one of the Five Eyes is somehow forbidden to analyse something, they just send it to one of the others where it is legal.

tptacek•5mo ago
(1) Everybody outsources "spyware".

(2) NSA does not in fact have to outsource spyware (they may do it for convenience/situational logistics).

(3) US federal law enforcement and intelligence agencies all have multiple vendors for this stuff.

0cf8612b2e1e•5mo ago
The nature of the exploits is surely secret, but I wonder if Lockdown Mode is at all effective at blocking these attacks.
kittikitti•5mo ago
The amount of companies actively using Israeli spyware like BrightData and Imperva is outstanding. All their data goes through their networks. I don't trust any government led site because they are all incredibly incompetent and corrupt. The United States is on their last legs.
fortran77•5mo ago
It's nice when people, countries, and organizations can collaborate to make the world safer.
tptacek•5mo ago
As usual, I want to point out how silly these analyses are, because there is a whole ecosystem of companies (incl. several directly connected to major US defense contractors, and many more across the NATO countries) that provide exploit development and maintenance and implant technology. The only reason you hear about companies like Paragon is because they're comfortable being named; the ones you haven't heard about are more capable and more plugged in.

Every time a story on HN comes up about how bug bounties are underpaid and how much exploits are worth, I recite the bit about how serious grey-market vendors can run up the score on a serious vulnerability by (1) selling the same vulnerability to every IC/LEO agency in allied countries and (2) selling maintenance contracts to convert those agencies into recurring revenue. These are the companies I'm talking about when I say that. I'm never thinking of Paragon.

Of course ICE has exploit and implant tech.