[rjaco31]

The massive PR hit they're taking means their company will most likely die. And "compromising" someone merely by letting one download stuff is at best a gamble, any decent infosec professional will examine this stuff with the same precautions as when analyzing malware.

[Jugurtha]

This is exactly what I'm talking about: What I'm being downvoted for and what each comment is doing is rationalizing why this simply can't happen. Everyone is confident about what Hacking Team is or isn't doing/thinking.

How can someone be so sure what an entity is thinking or doing? Yes, it's not likely. Yes, it's risky.. but what if they were really bold?

The PR hit is a non issue if it is the case, since they can simply say what happened: "Basically, here's how to own a huge number of very sophisticated people". Make nice slides, and show them at Black Hat or something like that. It's "research".

The icing on the cake would be to present this material to the very security researchers who've been ownd. This would be a huge PR stunt since it's basically security researchers who will download the file.. And if security researchers are as confident as most people that this simply can't be a con, then all the better :)

It is still not likely, but it would be beautiful.

PS: Something like that happened at NASA many, many, years ago. There was a security breach and instead of shutting it down, the security team uploaded a ton of bogus classified files, plans, and reports to keep the guy coming and unsuspecting. Until they got him.

[PavlovsCat]

> Yes, it's risky.. but what if they were really bold?

Isn't the question really how careless the people downloading the file are?

Is it possible to infect hardware through a virtual machine? Let's just assume it is; what's to stop someone from using a throwaway, one-way laptop? Get fresh laptop, install the tools you need, copy the files over via USB or network, disconnect the laptop and never connect it to anything ever again. What am I missing?

To transfer a lot of data (e.g. analysis results) back from the potentially infected machine, play back the data encoded as audio, record that with another computer and convert it back to binary/plain text/whatever. (There might be better ways but hey)

Sure, most people probably won't bother with any such stuff, and just stick to "only" viewing text files and images etc., but then all HT would have shown is what has been proven with email spam already: that if you can get people to treat unknown files carelessly, not to mention run executables, you can infect them.