Apple Allowed Government Spying For 3 Years

ShroomDr

CartoonHead
Veteran
http://www.telegraph.co.uk/technolo...aw-allowed-government-spying-for-3-years.html

Apple iTunes flaw 'allowed government spying for 3 years'
An unpatched security flaw in Apple’s iTunes software allowed intelligence agencies and police to hack into users’ computers for more than three years, it’s claimed.
Apple's iTunes software is installed on more than a quarter of a billion computers

By Christopher Williams, Technology Correspondent 1:27PM GMT 24 Nov 2011


A British company called Gamma International marketed hacking software to governments that exploited the vulnerability via a bogus update to iTunes, Apple's media player, which is installed on more than 250 million machines worldwide.

The hacking software, FinFisher, is used to spy on intelligence targets’ computers. It is known to be used by British agencies and earlier this year records were discovered in abandoned offices of that showed it had been offered to Egypt’s feared secret police.

Apple was informed about the relevant flaw in iTunes in 2008, according to Brian Krebs, a security writer, but did not patch the software until earlier this month, a delay of more than three years.

“A prominent security researcher warned Apple about this dangerous vulnerability in mid-2008, yet the company waited more than 1,200 days to fix the flaw,” he said in a blog post.

"The disclosure raises questions about whether and when Apple knew about the Trojan offering, and its timing in choosing to sew up the security hole in this ubiquitous software title."

On average Apple takes just 91 days to fix security flaws after they are disclosed, Mr Krebs wrote.

Francisco Amato, the Argentinian security researcher who warned Apple about the problem, suggested that "maybe they forgot about it, or it was just on the bottom of their to-do list".

In response to reports that FinFisher targeted iTunes, Apple has said that it works "to find and fix any issues that could compromise systems".

"The security and privacy of our users is extremely important,” a spokeswoman said.

This month's iTunes update 10.5.1 explained that "a man-in-the-middle attacker may offer software that appears to originate from Apple", adding that the "issue has been mitigated".

Gamma International has not commented on the matter. Registered in Winchester, the firm is one of several companies that sell computer hacking services to governments. They offer "zero day" security flaws, which have not been publicly disclosed, so attempts to exploit them are unlikely to be detected by anti-virus programs.

Great. I don't have anything Apple, but I'm sure they have exploited other software too.

It's 1984.
 

m314

Active member
ICMag Donor
Veteran
I don't know the details of this exploit, but I'm sure it's more serious than playlists. A compromised application running on your computer could allow someone to see everything you do on that computer. Emails, chat logs, web history, pictures, etc.
 

GP73LPC

Strain Collector/Seed Junkie/Landrace Accumulator/
Veteran
I don't know the details of this exploit, but I'm sure it's more serious than playlists. A compromised application running on your computer could allow someone to see everything you do on that computer. Emails, chat logs, web history, pictures, etc.

scary shit...
 

waveguide

Active member
Veteran
as far as i'm aware, the gov't already has a backdoor to everything, so this isn't really news.

eg. there's a certain encryption level that describes a complexity of encryption.. i'm not up on the lingo but it has a name.. and it's illegal to encrypt beyond this complexity.. so i've read.
 

gaiusmarius

me
Veteran
not really surprised by this at all. if isp's have to cooperate with spying on customers, why would it be different for computer manufacturers and software creators? maybe if you have linux or other open source operating system you have a chance at privacy on your machine.
 
Classy@Home

1984 indeed - the hip cats LET Big Brother watch - crime of omission is still a crime, even worse...
 

resinryder

Rubbing my glands together
Veteran
Damn gubment. What is the point in all this shit. Why is gubment interested in what I or my teenage daughter look at on the web? Why do they feel they need this control? Is it for future blackmail? Denial of benefits? Do they want new links to midget porn? What the fuck do you guys really want? Unplug me Sven, I'm going black.
 

m314

Active member
ICMag Donor
Veteran
as far as i'm aware, the gov't already has a backdoor to everything, so this isn't really news.

eg. there's a certain encryption level that describes a complexity of encryption.. i'm not up on the lingo but it has a name.. and it's illegal to encrypt beyond this complexity.. so i've read.

I wouldn't be surprised if the government had a backdoor for commercial operating systems like Windows. If it's not built into the code, they probably know of some exploits into the system that aren't publicly known yet. They can't build a backdoor into open source operating systems like the various flavors of Linux, but there's always a chance that they know of some vulnerability in the code that hasn't been published yet.

Good open source encryption is pretty much unbreakable by anyone right now. The RSA algorithm for public key cryptography is almost certainly unbreakable right now if you use sufficiently large keys (2048 bits or higher). The algorithm used can encrypt large amounts of data very quickly, but it's extremely difficult to decrypt that data without the key. Multiplying two very large prime numbers is easy; factoring a large number as a product of two primes is much harder. This is known as a "one way" function since going one way (encryption) is easy but going the other way (decryption) is virtually impossible with today's technology. Using all the supercomputers in the world today, it would literally take billions of years to decrypt a file that was encrypted with a large key. A quantum computer could theoretically compute all paths in parallel to find a solution quickly, but that technology is probably 20 years away or more.

With encryption technology that strong, the government would just find an easier way to get what they want. Finding a vulnerability in software like iTunes or Windows is easy for organizations like the NSA. Breaking into someone's house to install a keylogger is easy. Intercepting internet traffic is easy, especially when they have the cooperation of the major ISPs. I don't know enough about all the technology involved to stay completely anonymous and safe on the internet. I'm just guessing they won't go after small time personal growers like me. If I was growing and selling hundreds of pounds, I'd probably avoid the internet as much as possible.
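
Added illustration, not part of m314's post: the multiply-versus-factor asymmetry described in the post above, shown with textbook RSA on constructed toy primes. The function names and sample primes are made up for this example, and trial division stands in for real factoring algorithms.

```python
# Added example: the primes below are constructed toy values; real keys are 2048+ bits.

def make_keypair(p, q, e=65537):
    """Textbook RSA: multiplying the primes and deriving d is cheap."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), pow(e, -1, phi)      # modular inverse, Python 3.8+

def factor_by_trial_division(n):
    """Brute-force the smaller prime factor of n; return (p, q, steps)."""
    if n % 2 == 0:
        return 2, n // 2, 1
    steps, f = 0, 3
    while f * f <= n:
        steps += 1
        if n % f == 0:
            return f, n // f, steps
        f += 2
    raise ValueError("no factor found: n is prime")

def recover_private_exponent(public_key):
    """Anyone who can factor n can rebuild d from the public key alone."""
    n, e = public_key
    p, q, steps = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1)), steps

def worst_case_steps_log2(modulus_bits):
    """log2 of the odd candidates up to sqrt(n) for a modulus of this size."""
    return modulus_bits // 2 - 1

def demo(message=42):
    """Encrypt with the public key, then decrypt using only a factored n."""
    rows = []
    for p, q in [(1009, 1013), (10007, 10009), (999983, 1000003)]:
        public, _d = make_keypair(p, q)
        n, e = public
        ciphertext = pow(message, e, n)
        d_found, steps = recover_private_exponent(public)
        rows.append((n.bit_length(), steps, pow(ciphertext, d_found, n) == message))
    return rows

if __name__ == "__main__":
    for bits, steps, broken in demo():
        print(f"{bits:>4}-bit modulus: {steps:>7} trial divisions, decrypted={broken}")
    print(f"2048-bit modulus: about 2^{worst_case_steps_log2(2048)} trial divisions")
```

Trial division is the slowest factoring method; the general number field sieve is far faster, yet the largest RSA modulus publicly factored so far is 829 bits (RSA-250).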
 

Harry Gypsna

Dirty hippy Bastard
Veteran
Fuckers read 1984 and, instead of thinking
"Oh my god, how terrible, what a nightmare vision-surely a warning, we'd better buck our ideas up and stop the world developing into this"
They thought
"Wow, perfect, a complete manual-a "For dummies" guide of how to completely enslave humanity"
 

Tronic

Member
Are you guys serious? Obviously apple has been tracking things - every time you try to open an app it asks you 'can we use your location?'

What you should really be concerned about is GOOGLE. They fucking track every keystroke ever put on the internet... including these.

Oh well.

Hey Sergei :wave:
 

GP73LPC

Strain Collector/Seed Junkie/Landrace Accumulator/
Veteran
i often think about Google's role in this... they are gathering a shitload of data on everyone...
 

Tronic

Member
Ever check out Google Cache? Everyone who thinks their 'guest' account can't be found is kidding themselves.

How do you think the tech world finds out about FCC rulings and announcements (hint new electronic announcements)? They find them through google cache. They are up for 15 seconds, approved, then deleted. Google cache finds them - well, rather, the geeks who care about this shit find them. The point is, if the FCC can't keep shit away from google... who the FUCK do you think you are hahahahahahah

But seriously, don't worry about it. If you worry, you're not important enough for them to even bother looking after. :wave:
 

TripleDraw27

Active member
Veteran
Similar article today in the press about the Android today. It's like people in these articles are "shocked" about smart phones and privacy. Silly turds.
 

Stoner4Life

Medicinal Advocate
ICMag Donor
Veteran
Great. I don't have anything Apple, but I'm sure they have exploited other software too.

It's 1984.

and let me remind all you Orwellian conspiracy theorists out there that the govt didn't have to sneak into your crib one night and plant a microchip under your skin; fuck no, you stood online drooling over your new 3G/4G (oh gee!) purchase and you pay a huge monthly bill for the privilege to be spied on.

Did any of you really expect any less intrusion?

I'm still the simple minded mofo that considers having a cell phone a luxury, silly me, I turn it on only when I need to call out on it too. that's how I've decided to limit technological spying on me.

I'm the cheapskate on the Consumer Cellular $10 (about $13.10 w/taxes) plan, sometimes my usage is as low as 5 or 10 minutes per month.
 

Bionic

Cautiously Optimistic
Veteran
Misleading thread title is misleading. Nothing indicates that Apple "allowed" anyone to do anything. The gubmint exploited a glitch in the matrix and Apple didn't or couldn't patch it until recently. This is similar to jailbreaking your device. Apple doesn't "allow" it and eventually patches up the holes which then causes devs to search for, locate and exploit another hole. No system is 100% bulletproof. TrueCrypt, FTMFW!!!!!
 

Maj.Cottonmouth

We are Farmers
Veteran
You don't think Apple left this vulnerability unpatched on purpose? Their track record with the backdoor in the iPhone should let you know they are a shill for the man.
 

Bionic

Cautiously Optimistic
Veteran
Then why did they close it? No phone (short of NSA certified secure cells and I'm not even 100% sold on those) is invulnerable. Where there's software, there's holes. Quick fixes aren't always possible... especially if you may have a government leaning on you.
 