[conspire] Signal's Chef's Kiss to Cellebrite

Rick Moen rick at linuxmafia.com
Sun Apr 25 22:18:23 PDT 2021 

Quoting Dire Red (deirdre at deirdre.net):

> 1. First, Signal goes off on Cellebrite, in a *chef's kiss* sort of way:

_Lots_ of gold in this piece, starting with Signal correctly
characterising Cellebrite as part of a huge but little-known and rather
nefarious industry:

   Cellebrite makes software to automate physically extracting and
   indexing data from mobile devices.  They exist within the grey – where
   enterprise branding joins together with the larcenous to be called
   “digital intelligence.”  Their customer list has included authoritarian
   regimes in Belarus, Russia, Venezuela, and China; death squads in
   Bangladesh; military juntas in Myanmar; and those seeking to abuse
   and oppress in Turkey, UAE, and elsewhere.

These firms are (obviously) even nastier than the almost equally
reclusive "behavioural marketing" / "Web analytics" spying-on-users
adtech companies, and I regard even those as nasty little thieving
cockroaches.

The article goes on to stress that Cellebrite's software prys into a
user's data after the user has _deliberately_ done something to deploy a
Cellebrite codebase for some allegedly useful purpose, e.g., installing
UFED backup software for MS-Windows, which then leverages the fact that
the user has set it loose on his/her MS-Windows box to parse and analyse
among other things any Signal data files present on any adb-connected,
unlocked smartphone connected to the MS-Windows workstation at the time.

As the Signal devs point out, this is essentially equivalent to
permitting someone to hold your smartphone in his/her hand, and that
person then turning around and covertly using physical access to crack
into your private smartphone data.

I've long claimed that Facebook, Inc. and Google, Inc. are the #1 and #2
most nosy corporations in the world, but maybe they're merely the most
famous, large nosy corporations.


This is rich:

   Looking at both UFED and Physical Analyzer, though, we were surprised
   to find that very little care seems to have been given to
   Cellebrite’s _own_ software security.  Industry-standard exploit
   mitigation defenses are missing, and many opportunities for
   exploitation are present.

   As just one example (unrelated to what follows), their software
   bundles FFmpeg DLLs that were built in 2012 and have not been updated
   since then.  There have been over a hundred security updates in that
   time, none of which have been applied.

We've all seen it:  Security is not a revenue centre, so it gets short
shrift.  However, the above is worse than usual.

And:

   It seems unlikely to us that Apple has granted Cellebrite a license
   to redistribute and incorporate Apple DLLs in its own product, so this
   might present a legal risk for Cellebrite and its users.

No honour among thieves.

Reminds me:  You may recall the second of two places Nick and I both
worked, where one Amy Abascal Turner was the final of five managers I
had, where the prior four had given me glowing reviews.  Ms. Abascal
Turner happened to be the (alleged) manager of my department during the
company's transition from a Linux-oriented hardware company to a
proprietary software firm.  Oddly enough, Ms. Abascal Turner's very
first directive to me after that happened was to reinstall a local print
server box with the single copy of MS-Windows XP Pro that had the
previous few days been used with the same single serial number elsewhere
around the firm.  I replied very politely that I'd be glad to install
WinXP Pro as soon as the firm acquired a separate product serial number
that would render the installation not a copyright violation.  (Ms.
Abascal Turner of course did _not_ do so, but instead ordered one othe
junior techs to do it, one of the ones with no backbone.)  And that was
the beginning of Ms. Abascal Turner's campaign against me as an
employee.

No honour among thieves.

> https://signal.org/blog/cellebrite-and-clickbait/

Yes, this was such a pathetic, deliberate misrepresentation that even
the conventional IT press didn't buy it, and Schneier debunked it in
about a millisecond.


> 2. John Gruber linked to a fantastic four-part piece from 2009 in the
> Los Altos Town Crier about the kidnapping of (recently deceased) Adobe
> co-founder Chuck Greshke.
> 
> https://daringfireball.net/linked/2021/04/21/geshke-kidnapping

It was after this incident, and reportedly in response, that Adobe
Systems turned its HQ building in San Jose into a high-security
fortress.  Even the Free Dmitry Sklyarov milquetoast-like protest
gatherings outside the building on the sidewalk put their private army
of security people into a lather, and they had the building under full
lockdown as long as there was even a single skinny nerd with a cardboard
sign on the sidewalk.

More information about the conspire mailing list