https://old.reddit.com/r/iphone/comments/1c10jai/i_have_rece...

The interesting thing IMO is they claim to just be some random college student. Which seems believable because if they were a real secret squirrel I guess they wouldn’t ask reddit about it, haha.

I wonder if the hackers are targeting people based on phone numbers or something. (I could imagine a college student recently getting a new number and ending up with one that’d been associated with a target—I guess? Although you’d hope there’d be a way to retire numbers that are known to be targets).

I think there's a misunderstanding on what constitutes a valid or ideal target for state sponsored (or "mercenary") attackers. Simply working at a research lab, industrial manufacturer, power station, tech company or knowing a certain professor can put you on a target list.

I’m just going to assume my research is so interesting that they sent the real badasses after me, somebody that Apple can’t catch. The truth is too ego-shattering.

The generous argument is that it's only fair to the student that they should know quickly whether they'll be able to get through the material. Failing fast can be merciful.

The truth is probably more complicated. Let's just say that the student population ended up looking a lot like the TA and professor population. Lather, rinse, repeat.

Or, it could be an intentional misidentification - maybe OP has a friend who was picked up by whatever east european security services, and provided OPs name as some kind of co-conspirator in something OP's friend was into.

People who are "just" college students often are the sons and daughters of people who could be targeted. Not to mention people in their social circles.

Being able to take activists and discredit them is an amazing ability. I would not at all be surprised if the xz compression backdoor was an attempt by a certain government to gain the ability to discredit anyone that is against them in anyway.

I wonder how to quantify this. Even folks in those industries listed while there may be reason we could imagine to target them... I would imagine lots of folks in those same industries are NOT targeted.

Of course we'd have to identify "targeted", personally I wouldn't include "your name ended up on a list after someone grepped a bunch of data". I would think of as targeted as a more curated type list / process / and then the call was made to "target" someone.

Otherwise, heck random scanning on the internet would be "targeted".

Example: Some people think San Junipero, the one positive Black Mirror episode with an actual Happily Ever After romantic ending is a dystopian vision.

Some people think the Primer, the technological device at the heart of Diamond Age, is the problem, not the Neo-Victorian aristocrats like Elizabeth's parents with their pseudo-colonial control over part of China, not the huge corporations whose greed is tearing the world apart and their engineers like Fiona's father, nor the Cyberpunks left over from a previous era like Nell's father - no the problem is the machine.

In the Tweet framing it's easy, it's named a Torment Nexus and the book is literally titled "Don't Create The Torment Nexus" but what about the Horseless Carriage? The Novel? The Television? Are we creating the Urban Sprawl, the Wasted Youth, are we helping to Manufacture Consent ? Or maybe these are Freedom and Art for the Masses ? Framing.

IIRC, after the couple prances away hand-in-hand into the sunset, the camera pulls back through the fourth wall to reveal the darkened server room in which their minds are being emulated, blinkenlights glittering in the darkness among the monotone drone of case fans, zooming out to reveal an endless row of servers receding into the distant blackness in a scene reminiscent of The Matrix. If the showrunners intended it to be unambiguously happy, I feel like they would have omitted that part... Or maybe I'm hallucinating, because I found the implications utterly horrifying, much to my partner's consternation.

The episode is specifically about getting trapped in nostalgia, a non-existent past. Yes, love is found in this pursuit, but so it death. All the music in the show is about living in a box and forgetting about the real world. Other characters talk about forgetting they're in the simulation and they talk about how they live in a graveyard. There's that hole conversation with Greg about how the timelimit exists so people don't kill themselves to permanently leave the world behind and "live" in San Junipero forever.

And I'd expect of all people HN people (computer people) would understand that uploading into a simulated reality is not the same as you entering that reality. Remember, once "you" are data, you can be copied. Then who is the real you. If you can be uploaded without being killed in the process then certainly that entity is not "you," but rather a different entity who has all your memories and is not able to distinguish itself from you. But you are still experiencing your experiences and not their experiences, so you are different entities. It is just an AI double. The promise of an afterlife is no different than the promises of old. A story to help you move on, to help you find comfort in the end. But this story is just more tangible for those who are left. San Junipero is not much different from many of the other stories who approach this topic. Even the happier Upload is quite dystopian between the lines of being a rom-com. It is that happiness that is the dystopia itself, the lure of false promises. The poisoned desert so sweet and tempting it is impossible to not take a bite.

If you're copied that's what "Hang the DJ" is about, and more darkly the short story "Lena". But San Junipero deliberately doesn't do that.

Alas, the thing you claim isn't the same as being is in fact exactly how you work today. Is this an existential nightmare? I got used to it pretty quickly, and in San Junipero you'd have a lot longer to get used to it. Greg Egan posits that, to the extent consciousness is anything it's somehow a consequence of patterns of computation. That is, if somehow the same patterns that you represent came into existence again they'd "be" you in every sense that matters. The "Lena" scenario remains horrifying, all those copies are the same person, instantiated over, and over, and over again to do menial tasks. But San Junipero is just life after death.

I haven't seen the newer seasons. But looking at the synopsis on wiki (Beyond the Sea?), this is a very different scenario. Permutation City might be a better one to look at for what I'm getting at. Remember in that story that you are essentially making a copy of yourself and putting it into that universe. That entity is not you, but it is sentient, conscious, and it's own thing. But you aren't in that simulation with it unless you virtually go in (and in their scenario you need to deal with the time differential).

San Junipero is a corporation promising you life after death. The same way Amazon Prime's Upload does. But San Junipero in Black Mirror itself made no claim, and the writers place a lot of not so subtle hints as to the idea that it isn't. Not only by nature of being a Black Mirror episode, but I suggest you look closer at the soundtrack of the episode and how its used in context.

I understand what you're claiming, as I pointed out under this understanding your current existence is already terrifying. Not just when you fall asleep, but even moment by moment the underpinning compute substrate is repaired and replaced and yet it feels as though this is an ongoing experience, there's no reason Yorkie experiences this any differently even though intellectually she knows the transformation was more... substantial.

It's just Trigger's Broom / the Ship of Theseus, this isn't even a new idea.

> the writers place a lot of not so subtle hints as to the idea that it isn't.

Like the hint where Charlie Brooker specifically said that no it's the Happily Ever After ending ? Maybe he wasn't patting his head like you knew he would be if he was addressing True Fans like you ? Didn't give the secret sign ?

I thought I already spelled this out well enough, that somebody will insist that the heroes are villains, that the bad guys are the good guys and so on. Sometimes they have a point, but more often they just didn't see what was in front of them. I am kinda tangentially interested in the Slash scene (e.g. I know people involved in AO3) and the Slash communities are the same - sometimes you're like sure, this was barely subtext in the movie/ TV show/ novel, in a braver world the writers would have had them kiss on camera, but other times it's like "Where did this even come from? Were you watching the same show?" - and sometimes that's deliberate contrariness but other times it really isn't.

It's not as though I don't have my own divergences from what writers believe about their own works - for example in my opinion Firefly was a TV show about the bad guys (people who lost a civil war and just decide that doesn't count) written by someone who doesn't understand that they're the bad guys. Obvious Whedon doesn't agree and I don't expect him to. Or for example Vinge insisted he doesn't know who/what Rabbit is in "Rainbows End" and in my opinion there's only one option which makes any sense.

But I guess I kinda asked for people to insist their wrong interpretations of San Junipero are the only correct one when I gave the example.

I think this has the same direct purpose as my favourite modern Doctor Who scene but with different larger strategy. To tell the audience something explicitly, because it's not necessarily obvious and otherwise not everybody will have guessed. Often the Doctor understands what's going on and the audience are learning as they go, but in "The Girl In The Fireplace" the Doctor never actually knows why this spaceship chose this girl, in this time. The audience does at the end though, because we pull out to show the spaceship's name.

Both the women know exactly what we're shown at the end of San Junipero. That "Heaven is a place on Earth" in a very literal sense, but while it's explained somewhat, the details aren't mentioned because they'd be clunky as exposition - hence the explicit visualization of the data centre where they're running.

You aren't alone in finding this horrifying, but for Charlie Brooker, myself and a large number of people this is the best case scenario - and since Charlie wrote the show...

> "mercenary spyware", AI war targeting, and death drones

Are not super easy to justify. Like, sure some people obviously think those ought to be a thing, but those people are dicks.

I guess you could argue that it's some other kind of satire than being anti violence.

The same people who read 1984 and thought the same thing.

Or the people who failed to read 1984, so they didn't get the warnings.

The people who said

  Don't worry about doing it right, just do it fast, we'll fix it later

  “Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID -xxx-,” it wrote in the warning to affected customers."

Edited to add: As a comment below pointed out if you "sign in to appleid.apple.com" it'll confirm, which even I would trust! Thanks to quitit for pointing that out.

https://support.apple.com/en-in/102174

In the screenshot it says the threat notification was sent "via email and iMessage", so it would not be displayed in any different way on your phone, which I also find surprising. I definitely wouldn't expect to receive something like this as an Email, and I have turned off iMessage.

So, if you think you are a likely target of a state sponsored attack, best thing you can do on an Apple device is to turn on lockdown mode, turn off iCloud and iMessage, stop using keychain, use only a yubikey for all authentication, and restrict yourself to a limited number of essential apps on your primary device and use a dedicated burner device for all your throwaway browsing and communications, and erase/reset that device after every session. And still, assume everything you say and do online is fully compromised, because there are always system vulnerabilities that haven't been made known yet ('zero-day' attacks) and are being used to compromise highly targeted individuals. In the end, it is a very convoluted cat and mouse game.

This is such a bizarre comment to make, because OP never suggested that Facebook is "totally okay". You replied to them after their edit window passed, so they didn't say that and then edit it out either.

I am noticing, the social circle I am currently in has now largely moved to Telegram, whereas in other places it's 100% WhatsApp.

imessage and rcs (and arguably mms, although that started as cost cutting) are backdoors for the legal protections on mining telephony provider metadata for marketing. with those two "opt in" (lol) techs, all safeguards are off.

Apple can read approximately everyone’s iMessages out of their backups. It’s not private or secure, and claiming it is end to end encrypted is misleading almost to the point of being actually false.

This can be changed by opting in to the e2ee iCloud data service “Advanced Data Protection.”

iMessages are backed up in duplicate - once on the sender and once on the receiver. You can only control e2ee for half of it, so your conversations are still under surveillance unless everyone you message with has also turned on ADP.

By your terminology, all iOS devices are “compromised” by default from having non-e2ee iCloud Backup enabled by default.

Signal chats on iOS are stored in a storage class that cannot be backed up or exported from the device.

Apple makes privacy claims about iMessage including 'Apple can’t decrypt the data.', which is notably false in this (common) scenario, and requires a large asterisk on those claims, IMO bordering on making them unethical, period.

If my bank sent me something about Credit Card fraud I would be very skeptical if it had a big "CLICK HERE TO LOGIN" type of thing.

But if it was just info, and maybe ended with "Contact your local branch to learn more", but no links, no phone numbers, etc. I would be less skeptical.

A notification that is ONLY a notification about something is very unlikely to be malicious (though could certainly be erroneous). My bank will send me a concerning email or SMS about suspicious activity that needs to be reviewed or confirmed, but because they know it's a vector for attack their specifically ask you to call them at their published number listed on your card.

I'm not sure the US wouldn't at least pretend to shut down/restrain a corporation that's helping Israel's ennemies spy on Netanyahu for example.

If you mean assassinations of nuclear scientists in Iran then sure you are correct but then what do you expect when Iran's leaders again and again say they are going to wipe Israel off the map?

"How is that better than arming Israel's opponents?" - Got me there buddy, how is it better than targeting military targets who fund and direct terror vs aiming blindly 100k rockets into population centers.. gee they are so equivalent

When all your neighbors wants to murder you and throw you to the sea you tend to be a bit overly defensive, why is it any different than the US/Russia/China nuclear arsenal as a deterrent?

That foreign powers abuse that to their own advantage worse than even the local factions do is the true stain on humanity. Why support this?

The country is drunk with US money and arms and hasn't had to really consider rational approaches to anything since big daddy US always funds them regardless of their actions.

I'm seriously considering changing to Apple after this. Not that its secure but that they are willing to go to this length to communicate it.

Ironically that may be worse for you. iMessage is probably a critical step in 60% (or more) of these exploits, and the various unicode/pdf etc rendering engines are responsible in many exploits. Android's open-source nature likely means that a lot of these things are found by security researchers first. Don't forget that zerodium still pays more for an android 0-day than an iOS 0-day.

Plus, the huge variability between Samsung/Google/Moto/Huawei etc makes it triply hard for a single exploit to be successful.

* Controlling smart home devices

* Messaging and phone calls

* Checking the weather

* Recording data with Apple Health

* Uploading runs to Strava

* Setting wakeup alarms

* Listening to Apple Music

* Using Apple Maps to get around

* Connecting with CarPlay

That variability is a double-edged sword. Manufacturer-added Android bundleware is notorious for being shoddily built and could easily represent added points of ingress.

Which is why I wish it were practical to replace OEM Android versions with GrapheneOS/CalyxOS or similar on the latest devices, similar to how a cutting edge PC can run one’s choice of Linux. As long as more secure or at least more standardized Android distributions can only run on devices with some age on them, their popularity will be limited even among the technically inclined.

I'm replying to someone who said the important factor is android is open sourced. I pointed out the relevant android program is not open sourced.

If we’re talking about having the microphone tapped etc, I don’t think anyone would still be developing 0-days for such old phones. If you want to be safer (assuming fear of old software having unpatched vulnerabilities) Nokia launched a dumb phone not too long ago.

However… GSM networks and cell tower level tracking is much harder/almost impossible to escape short of throwing away your phone. SMSes can be hijacked, hostile agents can force downgrade the connection to 3G/2g to break encryption (iirc, please correct me if wrong), and your location is generally known to your service provider and Uncle Sam.

Plus… the SIM card is its own mini computer, and lots of the firmware between that and the telephony modules is proprietary and closed source. If you’re familiar with intel ME you have an idea of what I’m talking about.

Honestly, if you’re not a journalist going after big names, or a top CEO/president etc you likely don’t need to worry about any of these. But if you are, or just want to be privacy conscious, your best bet is to never use cell towers and only use Wi-Fi/internet from public or untraceable places; along with Wi-Fi calling for telephony. Btw I’m not sure but I think Google fi and a few carriers/MVNOs offer virtual numbers, which can be a good first step for privacy.

I.e. infection is eventually discovered, Apple isolates the vulnerability's entry point, then Apple has some ability to re-scan all devices to detect which may have also had the attack targeted against them

Hashing some data that can serve as a fingerprint makes sense from a herd standpoint (hell, even something as simple as call stack after iMessage received)

Long ago, I co-founded a tiny startup. We had some high profile clients. I was dumb enough to put those clients on our site. I also used to be dumb enough to have a public social media profile, in my name.

I was already somewhat security aware, but one day I almost fell for a spear phishing email. Someone created a gmail account 1 character different from my gf's gmail. They sent me a well worded, but simple email along the lines of "Hey baby, check this out!" and URL shortened link. She happened to be next to me, and I said to her "Hey, what's this?" "What? I didn't send that!" I then opened it in a VM and saw that it resolved to something.ru.

It was a combo of identifying the juicy client of ours, seeing my name as co-founder, finding me on FB, finding my gf in my profile, getting her email, etc.

I then got to learn fun new terms like threat modeling.

Is it possible that someone might think that you have ssh access to a server on an interesting network? You are a target.

Sure, the average person probably doesn't need this (although as another comment pointed out, HN isn't quite representative of the average)... But the net is a hell of a lot wider than just journalists.

All you’ll find here are founders of highly funded startups and software developers at boring companies such as Google, Microsoft and Apple.

No point getting into these people’s phones if you’re a state actor for sure /shrug

I really, really don’t think he meant he was switching to Apple because he’s a CIA spy stationed in Moscow.

What?

Is this just regular Apple fanboy-ism?

So, maybe even provoking an Apple warning to those targets could also be part of a sophisticated operation.

These targets react or have to react in a certain way. Instigate to lure people out of hiding and entice them to react, even if only to observe their behavior.

What do these targeted people do then? Switching phones? Accessing certain digital services, warning their network via conventional lines?

From an observer's perspective, this is pretty thrilling.

Apple:

"If you have received an Apple threat notification We strongly suggest you enlist expert help, such as the rapid-response emergency security assistance provided by the Digital Security Helpline at the nonprofit Access Now. Apple threat notification recipients can contact the Digital Security Helpline 24 hours a day, seven days a week through their website. Outside organizations do not have any information about what caused Apple to send a threat notification, but they can assist targeted users with tailored security advice."

https://support.apple.com/en-lamr/102174

Amnesty International:

"The Access Now Helpline and other Security Lab civil society partners are also equipped to support individuals who have received these Apple notifications."

https://securitylab.amnesty.org/latest/2024/04/apple-threat-...

But there has never ever been non-trivial software that has been completely free of such defects.

In other words (in my opinion), iOS is probably better than most other platforms against this type of attack.

Any government has to take Apple's word seriously it is not like an individual or small time company claiming that government illegally tapped their phones or hacked computer and government doesn't even bother to respond because its not worth their time.

Not that they have a choice, given that their most profitable product lines are all basically 95%+ manufactured in China by Chinese nationals working for Chinese companies.

I would guess it’s obvious for everyone who gets the message that they are political targets. However it is also important to call out abuse of power, like is in the case of India, Spain, Poland, where the governing party is spying the opposition in order to find ways to get rid of them.

Not only is this objectively true, I also have an iPhone. It's not news to me but it still makes me do a double take every time.

Maybe I should try oscillating to Linux and FairPhone again...

A relative of mine in the defense industry has told me that, generally speaking, the DoD requires that none of the components in missiles have parts manufactured by potential adversaries, which makes enough sense but is also extremely difficult now.

Thanks Delta Airlines, whose metal nametags are literally just cut sheets of aluminum with some paint on them and are still Made in China. Someone seriously wants to tell me we can manufacture bleeding edge tech when we can't even cut and paint our own fucking sheet metal?

There's plenty of places to get metal nametags made in the U.S.A. But Delta chose to go the cheapest route to save a few pennies.

As far as I know most of the machinery is made in Europe, mostly Germany, again generally higher cost than the US. So I find it difficult to believe that it can't be done in the US.

Cost cutting seems to be done much more deeply in the US than in Europe. For example, economy class on all North American airlines is rather miserable, while most European non budget carriers have a better experience in economy.

In a lot of ways, this is obviously good, most people benefit from lower prices, more value being created, etc, but I think it's also made it so that cheap-but-ethically-dubious manufacturing from other countries becomes increasingly appealing, especially since it's abstracted enough from the end-user to where they can comfortably say "out of site out of mind".

I'm no better; I know very well the conditions of some other countries, and think they're very bad. I also think it's bad that America fought a whole war to end slavery, and instead we just launder it through other countries. Still, despite me thinking all of this, I still generally shop for reasonable prices instead of trying to focus on ethical stuff.

When we can't make our own fucking blue jeans we absolutely cannot try for a technology victory.

However the longer we allow revenues to be generated in relationships with authoritarian economies-states, the more we're empowering them.

That in a way is also a carrot - at least until a certain point of no return - where in America there's an effort to collapse the USD, and they might succeed - and then where BRICS will have buying power to influence the rest of the world to align with bad actors in each countries who aren't yet toeing the tyrannical line - and help them navigate towards a totalitarian state.

Knowing who is your ally in each nation is important, and keeping communication lines open is the bare minimum - and tyrant wannabes in different nations, except in places like China where they already are locked down in their systems, still need to creep forward in as incognito method as possible until they've captured all of the various positions necessary before they can recruit and grow their Gestapo.

Most people are unaware that Canada is about to be captured by fascists, and where laws and mandates have already passed that could allow those politicians to pretend they won the next election (multiple people in our intelligence agency CSIS already whistleblowing that China, the CCP is confirmed to have interfered in at least our last 2 elections which kept Trudeau-NDP in power) - and then pump that out and control the narratives in our state-funded media channels like CBC; mainstream news - including the biggest dissident media company called Rebel News - aren't shown on Facebook, for vector example, another vector being an arguably manufactured false flag 3-day outage of Rogers Telecommunications - where this fascist government immediately afterward mandated all telecommunications companies cross-integrate their services "to act as a backup" for other companies - which conveniently creates-allows for a centralized system for monitoring, etc.

I wonder if someone has made a “De-bullshitify English” Chrome add on to replace phrases like “mercenary hacker” and “officer-involved shooting” with more semantically correct phrases.

Basically the distinction is one of law enforcement authority, not legality.

Even in USA that likely could be legal with an appropriate court warrant, and many other countries have more permissive constitutions.

Can you expand upon this? I'm not particularly familiar but it doesn't seem right. Obviously LEO agencies are allowed to subpoena private information, but can they legally use exploits with a warrant? Are there recorded examples of this?

[Based on your reference to warrants, I guess I'm excluding the NSA or other supposed state-level spy agencies that supposedly secretively deploy such tactics]

It's well established that with an appropriate warrant, LEO have always been able to come into your house without telling you and add hidden surveillance bugs to listen on your communications; they have always been allowed to physically modify or replace your phone (e.g. physical phone wiretaps a century ago); Electronic Communications Privacy Act reasserts that this applies also to electronic surveillance and digital communications; so (as a non-expert) I don't really see why that wouldn't apply to smartphone exploits as well. We do see exploits being applied to devices in LEO possession (e.g. https://www.theverge.com/2021/4/14/22383957/fbi-san-bernadin... for one random example) to recover evidence.

The main restriction is the constitutional limits of 4th amendment which requires specific warrants for each case - which is a significant practical obstacle, so the circumstances in which warrantless wiretapping is permitted (e.g. by PATRIOT act) is a contentious issue; however, it's not relevant if a proper warrant is obtained.

> As part of this effort, the End-User Review Committee of the BIS decided to add four foreign entities, among them two Israeli companies, NSO Group and Candiru, to the Entity List. The U.S. Export Administration Regulations (‘EAR’) impose additional license requirements for exports to listed entities, and limits the exceptions for exports, reexports, and transfers to such entities.

But they continue:

> The existing international and national frameworks regulating the export of sensitive spyware technologies lack the teeth necessary to deal with contemporary issues relating to the abuse of these technologies and the growing need for their enhanced supervision.

[0]: https://www.law.georgetown.edu/ctbl/blog/managing-risky-busi...

The reason it's called that is literally because of the Indian government.

> Apple's removal of the term "state-sponsored" from its description of threat notifications comes after it repeatedly faced pressure from the Indian government on linking such breaches to state actors, said a source with direct knowledge.

https://www.reuters.com/technology/cybersecurity/apple-warns...

I would hope people aren't using flags for low-value comments, but you make a great point that it could have been edited to remove something that was deserving of a flag.

They could, and if you ask me, they should. They gum up threads and often start meta discussions about exactly how low-value they are. Many are even explicitly listed in the guidelines - snark, tropes and memes, 'broke the back button', shallow putdowns, etc. Righteously flaggable, one and all.

What (in your opinion) is the purpose of the down-vote button?

[1]: https://xkcd.com/1053/

In a site with the ostensible goal of 'curious conversation', that's not really good enough - it's not the job of your potential interlocutors to figure out what sincere, reasoned beliefs and positions hide behind the throwaway trope line. If you want to have a conversation, it's on you to try to converse. There are lots of other places where the trope line is fine - from the group chat with friends or colleagues to twitter. But those places work in different ways.

What (in your opinion) is the purpose of the down-vote button?

It's a way to say 'this comment is misranked'. There are lots of reasons to feel a comment is misranked - including simple disagreement.

Because God knows how many times Five Eyes have tampered with elections across the Middle East in the past 50 years.

I wouldn’t be naive to believe everything totally and just putting another perspective out there which may be worth considering (even for just a few seconds).

Unless I'm misunderstanding "turn it off and on again" suggest a kind of pointless, "just start over and try again" kind of suggestion, no?

To be fair, does any Android device alert you to a compromise like this?

Don't pay attention to Samsung though, that company is probably the Apple equivalent of android.

This needs citations, and more than just referencing 0-day bounties.

0-day bounties are an incredibly weak signal in regards to security posture.

I'm not sure what the "and for more" you are referencing. The site lists prices, an FAQ, and events. None of that supports the argument made by parent comment.