by 3pt14159 1799 days ago
I dated a journalist once. She used some random free app for phone calls because recording calls isn't built into iOS and she needed to record calls. I suggested a small device for her to plug her headphones through, but she declined.

I'm sure there's a few journalists out there that take cybersecurity seriously, but I'd wager the vast majority are pretty trivially monitored.

5 comments

I see your point, however, having worked in newsrooms - it really is about their beat and their threat-model. My organization covers a wide range of beats and folks covering national security or other sensitive topics have an entirely different workflow compared to those covering, e.g. housing.

I think being responsive to their needs and building trust will go much further. Also, designing a one-size-fits-all model will just mean that your reporters will either ignore the guidance or find a way to work around it.

For instance, the most recent credible threat we have had against one of our reporters wasn't a state-level actor, but rather folks on the internet (trivially) finding their address and doxing/harassing them and their family. No amount of technology hygiene will change the fact that voter registrations are public records.

If someone gets access to the housing reporter's systems, that seems a great way to move horizontally or vertically to get access to the other reporter or to the entire organization.

I don't envy your challenge. Security must make it more expensive to the attacker than it's worth. Even the housing reporter's data could be highly valuable; with inside knowledge, someone could make a killing on real estate. The value of the national security beat information is astronomical.

I don't grasp why, with all the news about breaches, reporters still don't care.

Well, she wrote about scary stuff. Murderers, etc. Feature stories for one of the few fact checked Canadian magazines left. Some stuff in The Atlantic about politics.

Was she getting leaks from NSA staffers? No. But it does feel kinda silly to me that journalists, generally speaking, have insecure setups by default. But I get it, it's a hard industry to squeeze a living out of these days.

Not giving the voting record your address of residence sounds like a low tech solution.

But it also depends on what kind of journalism they're doing, right? Not all report on criminal activity, or on investigating the government. It's kinda like threat-models, no need to be super secure if your work brings no risks to you, your organisation, or those you come in contact with.

Journalists from celebrity gossip reporters to foreign affairs correspondents need to take security seriously. Even gossip journalists receive information from sources that ranges from information that would get the source fired or blacklisted to put in jail (e.g. LA sheriffs leaking celebrity photos).

How likely is it that people are exploiting zero days against reporters in any of those examples though? That's why threat models are different for different types of journalism.

Does it take a zero day when you install random freeware crapware from the store?

Agreed. The parent comment makes a ridiculous extrapolation.

That's a fair point, although bad actors will also wait around for years for your work to become more interesting/relevant, if they think there's a chance of it.

You can get to the criminal activity or government investigation journalists through the more "trivial" journalists if they work in the same company.

Anything that will change a stock price is enormously valuable, for example.

I did help desk support at a news agency. We were constantly cleaning up malware from journalists' computers... The journalists were constantly downloading all sorts of sketchy files as part of their job. Basically, if you're leaking state secrets / embarrassing repressive governments, don't leave a digital trail that can be traced back to you. Just assume everyone (especially journalists on national security or human rights beats) has been hacked.

Yes! In our newsroom (which isn't perfect by any means) - I have been testing using Qubes for really sensitive/untrusted documents. We also open un-trusted documents (from e.g. FOIA responses) on a machine live-booting from a CD.

However, it adds enough friction (especially with remote work) that it's hard to get it right 100% of the time.

If you want to share really sensitive documents, one way to ensure proper handling of your documents is to use a service like SecureDrop [0] which for e.g. only accepts submissions over Tor and requires the use of a secure viewing station [1] (air-gapped machine live-booting Tails w coreboot rom + webcam/networking card physically removed) to decrypt/access leaks.

That being said, I don't think there's a perfect tech-only solution because nothing is stopping folks handling it carelessly after they access the file.

[0] https://securedrop.org/directory/center-public-integrity/

[1] https://docs.securedrop.org/en/stable/set_up_svs.html

You could also use Dangerzone [0]. It opens a document in two docker containers and converts it into a safe version. It was created by the director of infosec at The Intercept.

[0] https://dangerzone.rocks/

> I dated a journalist once. She used some random free app for phone calls because recording calls isn't built into iOS and she needed to record calls. I suggested a small device for her to plug her headphones through, but she declined.

Sounds like she dodged a potential honeypot and surveillance attempt.

Apple really doesn't help them. The marketing (lying) that iOS is secure is pretty intense.

Perfectly secure computers are an oxymoron. They don’t exist.

iOS is the least worst mobile option and it’s ridiculous to say Apple is lying about security if any exploits are found, ever.

If you look at e.g. how messaging works in iOS 14 [0] you’ll see that they do in fact work on making secure systems. But parsing and memory safety are hard. Like, really hard. The fact that NSO found exploits doesn’t mean Apple is doing anything, but Apple is clearly making it more and more difficult to find and abuse such exploits.

For the average person that isn’t being specifically targeted by sophisticated malware from companies funded by -governments-, iOS is pretty damn secure. Dealing with being attacked is a different threat model.

[0]: https://googleprojectzero.blogspot.com/2021/01/a-look-at-ime...

iOS exploits are cheaper than Android exploits because iOS exploits are so plentiful[1][2].

[1] https://www.theregister.com/2020/05/14/zerodium_ios_flaws/

[2] http://zerodium.com/program.html

This doesn't mean that iOS is any less or more secure than Android, just that more people were looking at it and finding vulnerabilities.

> But parsing and memory safety are hard. Like, really hard.

This doesn't have to be the case. Start by avoiding C and C++. Use Java (on Android) to write parsers. It is very hard to take a buggy parser written in Java, and to escalate to a memory corruption attack.

If you really can't use a language like Java, write your parser in safe Rust using slices over Vec<u8>. Then run a fuzzer over it. You'll find a few runtime panics, but you're vanishingly unlikely to encounter memory corruption.

Buffer overflows and memory corruption can be almost entirely avoided these days, at a price.
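
The approach described in the comment above, as an added example that is not part of the original thread: a parser for a hypothetical tag/length/value format that reads attacker-controlled lengths only through bounds-checked slice operations. The format and the names `parse_records` and `smoke_fuzz` are assumptions made for illustration, and the random-input loop is a dependency-free stand-in for a real fuzzer.

```rust
// Added example: hypothetical record format, 1-byte tag + 2-byte big-endian length + value.
#[derive(Debug, PartialEq)]
pub enum ParseError {
    TruncatedHeader,
    TruncatedValue { declared: usize, available: usize },
}

#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub tag: u8,
    pub value: &'a [u8],
}

/// Parses every record; a hostile length field yields an Err, never an out-of-bounds read.
pub fn parse_records(mut input: &[u8]) -> Result<Vec<Record<'_>>, ParseError> {
    let mut out = Vec::new();
    while !input.is_empty() {
        let header = input.get(..3).ok_or(ParseError::TruncatedHeader)?;
        let declared = u16::from_be_bytes([header[1], header[2]]) as usize;
        let body = &input[3..];
        let value = body.get(..declared)
            .ok_or(ParseError::TruncatedValue { declared, available: body.len() })?;
        out.push(Record { tag: header[0], value });
        input = &body[declared..];
    }
    Ok(out)
}

/// xorshift64 step; only used to generate repeatable junk input.
fn next(state: &mut u64) -> u64 {
    *state ^= *state << 13;
    *state ^= *state >> 7;
    *state ^= *state << 17;
    *state
}

/// Stand-in for a fuzzer: counts rejected pseudo-random buffers; a panic would abort the run.
pub fn smoke_fuzz(iterations: u32, mut seed: u64) -> u32 {
    let mut rejected = 0;
    for _ in 0..iterations {
        let len = (next(&mut seed) % 32) as usize;
        let buf: Vec<u8> = (0..len).map(|_| next(&mut seed) as u8).collect();
        rejected += parse_records(&buf).is_err() as u32;
    }
    rejected
}

fn main() {
    // Constructed input: one valid record, then a header claiming 0xFFFF bytes.
    let evil = [0x01, 0x00, 0x02, 0xAA, 0xBB, 0x02, 0xFF, 0xFF, 0x00];
    println!("{:?}", parse_records(&evil));
    println!("rejected: {}", smoke_fuzz(10_000, 0x9E37_79B9_7F4A_7C15));
}
```

Replacing `body.get(..declared)` with `&body[..declared]` would turn the error into a runtime panic on the same input, which is the kind of finding the comment expects a fuzzer to surface.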

Yes, I imagine that in the future we'll be writing these sorts of tools in memory-safe languages like Rust.

In fact I believe that it's hubris to think that we can write massive, complex systems in unsafe languages and -not- overlook some bugs here and there. We had no choice but to use these languages before, but Rust, etc, give us alternate choices now.

>iOS is the least worst mobile option and it’s ridiculous to say Apple is lying about security if any exploits are found, ever.

Speaking of companies lying... You are holding your phone wrong, and your keyboard works fine.

Oh and your apps might have a backdoor, but it took getting sued by Epic for us to let anyone know that.

Apple lying is about as common as a politician lying.

>Perfectly secure computers are an oxymoron. They don’t exist.

Absolutely, but creating a platform that encourages or forces users to do the wrong thing is a regression from where we were ten years ago.

>iOS is the least worst mobile option

No. Devices running a FOSS operating system like the Pinephone are the least worst mobile option, people don't like it because it's not sexy and it's currently very inconvenient. The rest of the options are so bad that you're probably better off without a mobile phone at all.

RE: iMessage

You have everyone using exactly the same messaging client, so you have one piece of software to exploit and now you can attack everyone. The extreme lack of diversity makes these sorts of complex exploits much more profitable.

>iOS is pretty damn secure

Sure, if you don't do anything with it. But it encourages users to download unauditable closed apps and reassures them that doing so is totally safe despite the fact that most of them are using 3rd party telemetry services run by data brokers.

>No. Devices running a FOSS operating system like the Pinephone are the least worst mobile option, people don't like it because it's not sexy and it's currently very inconvenient

Just because it's FOSS doesn't mean it's secure. If your problem is privacy then sure, the PinePhone is the least worst mobile option. If your problem is security I don't see how a phone that doesn't have a hardware embedded key manager is a step up. It's not like the Linux Kernel, and whatever messenger you do decide to use is free from zero-days either.

>But it encourages users to download unauditable closed apps and reassures them that doing so is totally safe despite the fact that most of them are using 3rd party telemetry services run by data brokers.

And for the very same reason your bicycle is safer than a car because it doesn't encourage you to drive 75mph. I agree the world might be a lot better if we "return to monkey" but I don't think anarcho-primitivism is a solution.

>Just because it's FOSS doesn't mean it's secure.

Right, but it does mean you won't be forced to do things the wrong way because it makes Apple money.

>hardware embedded key manager

This means keeping copies of keys unencrypted (or encrypted with a key on the same device which is effectively the same) on the device. You're just a couple exploits away from sharing the keys at that point so many people argue that these make things worse and not better.

>It's not like the Linux Kernel, and whatever messenger you do decide to use is free from zero-days either.

Sure but you can't even guess at which messenger I use. Attacking me means taking expensive professional time and focusing it on one person. As for zero days in the kernel, they seem to appear less often than for iOS but I could be missing some.

>anarcho-primitivism

There's nothing more primitive than flinging binary artifacts around the way you do on closed OSes. The FOSS OS approach where knowledgeable people protect those who aren't knowledgeable (without restricting their rights) is a significantly more advanced social structure.

>Right, but it does mean you won't be forced to do things the wrong way because it makes Apple money.

I don't understand this point. What's wrong with downloading binaries from a trusted distributor (Apple)? If you agree that just because it's FOSS doesn't mean it's secure, then downloading binaries is as "right" as you are going to get when it comes to mobile app distribution. It's no different than downloading binaries from apt.

>This means keeping copies of keys unencrypted (or encrypted with a key on the same device which is effectively the same) on the device.

No. The whole point of the Secure Enclave means the keys never leave the hardware - they never touch the main memory and the keys can never be read out of the chip. You are never "a few exploits away" from getting the keys because there is no mechanism to read the keys at all. This also prevents attacks on the device itself - you cannot brute force an iPhone without the Secure Enclave locking you out. I'm not certain (and I really doubt) the PinePhone is resistant to physical attacks.

>Sure but you can't even guess at which messenger I use. Attacking me means taking expensive professional time and focusing it on one person.

The article is about journalists who were targeted by a state sponsored cyber security firm. This is a moot point, not to mention security by obscurity doesn't work.

>The FOSS OS approach where knowledgeable people protect those who aren't knowledgeable (without restricting their rights) is a significantly more advanced social structure.

Except that, in practice, this is no different (and arguably worse) than just trusting Apple. It turns out knowledgeable people do not work for free, most other knowledgeable people don't read the code or recompile sources, and FOSS maintainers aren't always properly equipped to ship secured software. Heartbleed is the poster child for this.

I'm not saying that it's impossible for there to be secure FOSS code, but that it's incredibly difficult to ship secure code at all in any situation. For the non-technical person it's far easier to trust a platform that is hardened from the outset (like the iPhone) that has a well-funded security team (like Apple) and is recommended by other security professionals.

> No. Devices running a FOSS operating system like the Pinephone are the least worst mobile option, people don't like it because it's not sexy and it's currently very inconvenient. The rest of the options are so bad that you're probably better off without a mobile phone at all.

There's nothing about FOSS that makes something secure, and building secure software is so hard and expensive that my guess is that you need the sponsorship of a government or major corporation to do so. Some FOSS does have such sponsorships, but a lot doesn't.

IIRC I've even heard that OpenBSD, despite its reputation, may no longer be more secure than Linux due to Linux's manpower advantage. I don't even have to look up the numbers, but Apple definitely has a major security manpower advantage over the people making the Pinephone.

That's not to put down the Pinephone, but we have to be reasonable about what a project like that is and what it can (and cannot) achieve.

> There's nothing about FOSS that makes something secure, and building secure software is so hard and expensive that my guess is that you need the sponsorship of a government or major corporation to do so. Some FOSS does have such sponsorships, but a lot doesn't

The F/OSS community has a weird collective amnesia about exploits that rubs me the wrong way -- just because someone can look at it doesn't mean that someone is looking at it, or even that the person looking at it is going to fix it instead of exploit it. Heartbleed was sitting out in the open for 2+ years, despite OpenSSL being a very popular package available under a permissive license.

> The F/OSS community has a weird collective amnesia about exploits that rubs me the wrong way...

If you repeat something frequently enough, a lot of people will regard it as true. And a lot of people are extremely reluctant to reevaluate their judgements after they've made them, even in light of new information.

IIRC, the "FOSS is more secure" refrain started in the 90s/00s, when security was an afterthought even at companies like Microsoft and Apple and Linux was unusual enough to fly under the radar when there were a lot of big, high-profile worms circulating. But since then some closed-source commercial software has gotten much more secure, and FOSS has gotten more popular, but remains plagued by important projects that get by on shoestring resources.

>so you have one piece of software to exploit and now you can attack everyone. The extreme lack of diversity makes these sorts of complex exploits much more profitable.

The flip side is the lack of diversity makes patching easy. Good luck pushing an update patching a 0-day affecting 3-4 Android versions to 60% of devices.

That's why you should be using dynamic linking, something these closed mobile OSes effectively prohibit.

To be fair it's probably the most secure environment for the average Joe, you're just saying that it's not perfectly secure, which would be impossible in this world.

You could do far better than iOS. Worse though is that it encourages very poor infosec because when it's profitable for Apple and often makes doing things correctly difficult or impossible.

I suppose you have examples to propose?

It makes checking the hygiene of apps you use impossible, building them from source artificially difficult and expensive and pushes users towards services with serious flaws like iCloud backup.

> average joe

> building them from source

An average joe doesn't even know what 'build from source' means

>the marketing (lying) that iOS is secure is pretty intense.

I don't see how it's lying. If you are going to consider that iOS is not secure because they got owned by a couple 0 days, then by that definition there isn't a secure piece of software on the planet.

iOS exploits are paying less than Android - http://zerodium.com/program.html.

Based on supply and demand it would appear that iOS is less secure right?

True, and many many good researchers boast the Android security compared to iOS, thanks to Google and Samsung (mostly) since many years now (https://onezero.medium.com/is-android-getting-safer-than-ios...).

But as a *platform* I am intimately convinced that iOS is far more secure than Android... I agree that a few apps have been authorised by Apple to be published on the App Store, but when it happens to the Play Store it is not only one or two apps... it is mostly 5 to 10 apps developed by the same developer and which contain *the same* flaws.

Also, as AdGuard demonstrated a few years ago (https://adguard.com/en/blog/popular-android-apps-are-stealin...), it is way easier to extract user information from random apps on Android than iOS. However, the Android API has been improved over the past two years (and Android 12 is better than ever to secure user information).

iOS is currently the least worst mobile solution as a daily driver for the majority of people who are users before techies.

It doesn’t mean it’s good enough but I’d be curious to hear your ideas for what could work as easily for the masses.