From the article:
“.. a port knocking backdoor with multiple targets such as Solaris, Linux, FreeBSD, HP-UX, JunOS, OS X”
So this was far more reaching than Windows.
To answer what ordinary users can do: Against a well funded adversary hell bent on getting access to your systems/data - probably not a lot! In the case of NSO group even a fully patched iPhone wasn’t going to help you.
However, on reading this article my first thoughts are if this method evades detection by not having a listening port that a network scan or locally using ss/netstat can detect then perhaps you would still be able to benefit from egress filtering (only allowing outbound connections to things you need and blocking the rest). On a router most connections are through the router (FORWARD table) as opposed to directly locally originated and outbound (OUTPUT table).
> To answer what ordinary users can do: Against a well funded adversary hell bent on getting access to your systems/data - probably not a lot! In the case of NSO group even a fully patched iPhone wasn’t going to help you.
Well, you can - you just need to live a mostly offline live with few, highly hardened devices and enter you passwords under a blanket. Edward Snowden does manage, after all. But you'll have to skip on a lot of enjoyment - new software, games, even Netflix - forget it.
The real question is, is it worth to you to live such a live. Probably not.
The NSO could get root on anyone’s device knowing only the phone number.
If NSO does it, so could the intelligence agencies of dozens of countries. Looks like a hopeless situation, where a small percentage of population have access to anyone’s data (but not conversely).
This is posing a threat to the democratic society.
I think one way to add the difficulty is to conduct everything offline. Since they don't have a full profile for you online, they have to mobilize field teams which are scarce and expensive. On the other hand, if they can sniff you online, it's going to be automated and almost free.
But again, maintaining an offline life could be very tricky given that the society as a whole is moving everything online. For example, if you earn salaries like me, there is no way to avoid a bank account and a mobile number.
In this spirit I've been playing with spun up Firefox instances in a Google Cloud Run. The container is stateless and goes away after I close the page that connects to video stream of the other container in my browser.
I'm assuming they want some protection against adtech companies or the local coffee shop sysadmin. Running Firefox in the cloud "to avoid detection by the NSA" would indeed be quite foolish.
Way back in 2009 I helped design and implement basically "Firefox on AWS EC2" - I had YouTube audio and "video" working, in the subwindow, not Fullscreen. It was roughly 5-10FPS, about what you'd get with VNC, with perfect audio.
I had an idea that thin clients were going to be big - and I stupidly pitched ideas for cloud based software to Adobe, Newtek, and Autodesk.
I don't really think ordinary people (and rich people TBF) can completely defend themselves against any state player.
Anonymous guides I read mostly recommend Tor, anonymous sim card and purchasing electronics with cash. But I don't think it's going to render any state player's work impossible. I mean if they are really onto you.
On the other side, three char agencies cannot waste resources on every individual, so the best way is to stay out of the radar.
Most ordinary users will connect to the internet using a router provided by their ISP so port knocking does not work. Unless they plant the malicious code on the router - that would be even harder to detect.
So this was far more reaching than Windows.
To answer what ordinary users can do: Against a well funded adversary hell bent on getting access to your systems/data - probably not a lot! In the case of NSO group even a fully patched iPhone wasn’t going to help you.
However, on reading this article my first thoughts are if this method evades detection by not having a listening port that a network scan or locally using ss/netstat can detect then perhaps you would still be able to benefit from egress filtering (only allowing outbound connections to things you need and blocking the rest). On a router most connections are through the router (FORWARD table) as opposed to directly locally originated and outbound (OUTPUT table).