I have a lot to say about Signal’s Cellebrite hack

  • Eh, I can’t be bothered to care. Cellebrite hoards 0-days so they can use them to hack phones. They know about exploitable vulnerabilities but aren’t saying anything about them because they profit from insecurity. Thing is, just because Cellebrite knows about a thing doesn’t mean, say, China’s CCP or the Russian mafia or anyone else doesn’t also know about that thing. You and I are less safe just because Cellebrite wants to profit off of those vulnerabilities.

    I just can’t work up the ability to sympathize with Cellebrite. The law may have something to say about Moxie’s writing, but in my opinion he has the clear ethical upper ground in this argument.

  • I disagree with this. Signal isn't hacking Cellebrite by creating a malformed file that causes Cellebrite's software to implode.

    I would be interested in seeing this go in front of a court because Signal isn't directly targeting any specific person, and the files are fine until they are processed through a specific broken pipeline.

    If I put a fake USB port on my phone that was a USB zapper to kill the device it's connected to, it would not be illegal and it would be on the people seizing my phone to take responsibility for it. You cannot repackage vulnerabilities for police and then turn around and play coy because you're not able to keep your software up to date.

    In the defense attorney section, the argument shouldn't be about the PoC but the fact that the PoC shows that Cellebrite's software is outdated and could be compromised. You can specifically ask for the backup that was extracted from the mobile device to be analyzed by third party software.

  • I wouldn't find a website where professional lawyers opine on startups and programming especially compelling.

    I don't find HN threads where tech folk opine on how the law should be interpreted to be especially compelling either.

    This is especially true here where I note that the author of the post folks are commenting on has incredibly notable credentials and frankly it's somewhat ridiculous for lay-folk to be arguing with someone with such bona fides:

    > Riana [Pfefferkorn] was the Associate Director of Surveillance and Cybersecurity at the Stanford Center for Internet and Society. Prior to joining Stanford, Riana was an associate in the Internet Strategy & Litigation group at the law firm of Wilson Sonsini Goodrich & Rosati, where she worked on litigation and counseling matters involving online privacy, Internet intermediary liability, consumer protection, copyright, trademark, and trade secrets and was actively involved in the firm's pro bono program. Before that, Riana clerked for the Honorable Bruce J. McGiverin of the U.S. District Court for the District of Puerto Rico. She also interned during law school for the Honorable Stephen Reinhardt of the U.S. Court of Appeals for the Ninth Circuit. Riana earned her law degree from the University of Washington School of Law and her undergraduate degree from Whitman College.

  • The standard in U.S. criminal courts is "beyond a reasonable doubt."

    All I understood Moxie's original article to be doing was sowing that seed of "reasonable doubt." Is it now reasonable, based on Moxie's article, to doubt that information obtained by a Cellebrite device from a device running Signal is reliable? If I were a juror, I would probably think so.

    That doesn't at all mean someone couldn't be convicted on the strength of other evidence, but if the primary evidence the prosecution relied on was Cellebrited off a phone running Signal, I'd have some trouble trusting it enough to render a guilty verdict.

  • A somewhat tangential point: I think Signal's overall response was quite poor and somewhat concerning. Putting aside the usual discussion (Cellebrite sketch, Signal secure), I think the fact that this got published is evidence that Signal does not have very good self-control; or, possibly even worse, that Moxie does not have good self-control and Signal can't stop him from making snap decisions. Doing this kind of stunt is cool when you're a sole hacker working on your own, but when you run a company that makes software for many millions of people you cannot be this cavalier. There should be someone at Signal whose job is to moderate these kinds of responses, and obviously they either do not exist or are not able to do their job, and that is deeply problematic for the company. The blog post showed that Moxie (dragging along Signal) will go scorched earth against anyone who slights him–I mean, really, does a lazy PR blog post from Cellebrite really deserve this kind of response? They're living "rent free" in your head, dude.

    (And, just to be fully clear, my support for Cellebrite/law enforcement in this situation is approximately zero. I just think that Signal could spend their time in better ways than going full nuclear against anyone who pisses the CEO off, which is what happened here.)

  • > No, intentionally spoiling evidence — or “spoliating,” to use the legal term — is definitely not legal.

    > If they’re saying what they’re hinting they’re saying, Signal basically announced that they plan to update their app to hack law enforcement computers and also tamper with and spoliate evidence in criminal cases.

    If you set up an anti-hack tool on your phone, you have no way to know if it's going to be the police hacking it.

  • If what Signal is doing is illegal, then how do TV satellite providers get away with pushing malicious updates on their feeds? Before you claim that Cellebrite is only used by law enforcement, Signal got their hands on a device and Cellebrite sells to other governments besides the US. I should legally be allowed to protect my device from a foreign adversary stealing my company’s trade secrets.

  • Besides the technical and legal points raised it's in the last paragraphs that the most important point is raised:

    > The timing looks kinda fash. I also think the timing of Signal’s blog post was suboptimal. Why? Because Cellebrite devices were used in some of the criminal cases against the Capitol rioters, to extract data from their phones after they were arrested. It’s still early days in those criminal prosecutions, those cases are still ongoing, and there are hundreds of them. (I don’t know how many of them involve Cellebrite evidence.) The DOJ is already stretched extremely thin because of how damn many of these cases there are, and if even a fraction of those defendants got Cellebrited-upon, and they all decide to file a motion to examine the Cellebrite device and throw out the Cellebrite evidence, that will add further strain.

    > Now, don’t get me wrong, I’m no fan of the DOJ, as you may have guessed by now. But I also don’t like seditious fascists, and I think the people who tried to violently overthrow our democratically-elected government should be caught and held accountable. And the timing of this blog post kinda makes it look like Moxie — who is famously an anarchist — is giving the fascists ammunition in their legal cases to try to get off the hook. As said, I don’t think it’ll work, and even fascists deserve due process and not to be convicted on the basis of bug-riddled spy machines, but it’s helpful to them nonetheless.

    It's the usual knife/gun conversation again but indeed - as in the author's words - that likely won't get him any more jobs with Signal.

  • Signal announced they have the know-how to disrupt any Cellebrite-extracted files and then likely sprinkled "poison pill" files in their data. So if a Cellebrite user was to extract data from a Signal user's phone, the data would corrupt Cellebrite's data.

    This simply disrupts trust in Cellebrite. Nothing illegal. All Moxie is saying is "Don't want potentially corrupted data? Don't use Cellebrite." It absolutely is retribution for Cellebrite coming at Signal.

  • I disagree and this was far too much writing to get your point across. Signal isn’t Facebook; they don’t have to act (or try to be) politically correct. Cellebrite deserved what they got, and if this writer understood how painful vuln reporting is they would understand why a (semi) full disclosure release works and when to use it.

  • If it’s illegal to secure your own property, then something has gone badly wrong with society. Time for open resistance and support for regime change I think. Legal scholars can then engage in beard stroking around the new laws. In a democracy, the laws are not king; the people are. Time to re-learn that lesson.

    Cellebrite no doubt thought that hoarding vulnerabilities made them super smart, forgetting that everything they need to operate is now riddled with vulnerabilities that someone else has hoarded.

    Doesn’t affect their business model though, which just requires bamboozling a jury of people who think the word crypto means ‘pyramid scheme my uncle invested in’.

  • slightly bizarre to see the author explain that Cellebrite have major contracts w/ US law enforcement & ICE then go on to say "but they have bad clients too!"

    & I don't like the Capitol rioters either, but I don't see how you can evince a belief in due process & the "rule of law" then criticise someone for potentially providing exculpatory evidence to a group of defendants you dislike. you can't have it both ways. and the implication that someone being an anarchist makes them more likely to want to help out fascists is odd, to say the least

  • I am not a fancy legal expert so I only have two things to say:

    1. Abolish the CFAA. All of it. It is unsalvageable. Nothing good has ever come from it.

    2. I will never listen to Stanford and anyone associated with Stanford about ethics. You profit from patent trolls. You have zero moral high ground.

  • Jesus, what a depressing post. We must allow the existence of shitty "backup" software because otherwise they'll just mandate backdoors? Have you already given up?

    How about citizens have an expectation of integrity in using their computation devices that the state may not infringe upon. The state buying these tools and using them, in what is often a constitutional gray area, is harming all of us by making our devices less secure.

  • > But Cellebrite has lots of customers besides U.S. law enforcement agencies. And some of them aren’t so nice.

    > But a lot of vendors [...] sell not only to the U.S. and other countries that respect the rule of law,

    They lost me at the presumption that USA respects the (international) rule of law and has nice law enforcement.

  • From my experience, most _independently_ owned cell phone retail stores (Verizon, Sprint, AT&T, etc) have several Cellebrite devices on site which are used daily to aid in device migration from old to new.

    As I understand it, Cellebrite devices are not exactly hard to acquire.

  • Does the Cellebrite device exploit hacks in iOS? My understanding is that iOS shouldn't ever allow something plugged in over USB to read data on the device like this. I've been assuming the only reason they continue to work is that they found some unpatched vulnerabilities in iOS, and that Apple hasn't been able to obtain a cellebrite device to reverse engineer so they can fix the bugs.

    But if Signal got one, I'd be surprised if Apple couldn't. (Or if Signal wants to really stick it to cellebrite, they should loan their device to apple so apple can fix the security holes that cellebrite exploits.)

  • > “I’ll show you mine if you show me yours.” That is not generally how vulnerability disclosure works

    My understanding was that people will responsibly disclose information to protect the public.

    Signal disclosing these vulnerabilities would have mostly protected Cellebrite, who have made it abundantly clear that the good of the general population is none of their concern and whose business model is based on keeping everyone insecure for their own profit. Now that is how responsible disclosure doesn't work.

  • And the Cellebrite/Signal sockpuppet/commercial continues... Can anyone please wake me up when actual (0day) code is reversed? Because so far it's all speculation, theory crafting and blah blah - in case somebody didn't notice.

  • > Plus, admittedly I haven’t actually looked into this at all, but it seems like it could get Signal kicked out of the Apple and Google app stores, if the companies interpret this as a violation of their app store rules against malware.

    This is an interesting question, since Apple/Google are actually on the same side as Signal on this one (vis a vis Cellebrite). If Signal is being vague/coy enough about what they're doing, will the app stores overlook the possible bad behavior on the grounds that "the enemy of my enemy is my friend"?

  • > This blog post was plainly written in order to impress and entertain other hackers and computer people. But other hackers aren’t the real target audience; it’s lawyers and judges and the law enforcement agencies

    Says who? The intentional ambiguity may have had multiple audiences, quite possibly including computer people that handle the use of these products, their procurement, or their adversarial study.

  • > No, intentionally spoiling evidence — or “spoliating,” to use the legal term — is definitely not legal.

    > Neither is hacking somebody’s computer, which is what Signal’s blog post is saying a “real exploit payload” could do. It said, “a real exploit payload would likely seek to undetectably alter previous reports, compromise the integrity of future reports (perhaps at random!), or exfiltrate data from the Cellebrite machine.” All of those things are a violation of the federal anti-hacking law known as the Computer Fraud and Abuse Act, or CFAA, and probably also of many state-law versions of the CFAA

    I'm not sure if that will hold in court. You can argue that the Signal app has built-in hacking defenses. A more common case would be that the Signal app detects that it is being hacked by Cellebrite and self-destructs (i.e. deletes all data) -- that's what an iPhone does, if you make too many passcode attempts. In this case Signal jokes that it might even counter-hack, but since it's a defense to being hacked in the first place, it shouldn't be illegal.

  • If Moxie and team get taken to court, I'll happily donate to their legal fund... and I'm sure a lot of other people here will too.

  • I do not have to help a third party possibly incriminate myself in all legislations signal is used.

    I might also be charged with protecting information by constitution, law or international statute (e.g. as a health or legal professional), something that border officials often like to ignore, actually possibly even incriminating themselves in third countries and the US.

    I am also not responsible if a tool a third party provides is defective by choice and this defect causes damage - especially if the defect is already known and well documented through responsible disclosure (thx Signal).

    If I then warn them (in a general way) and they plug in anyway...

    might be an interesting case, but should be well prepared, best with the help of a third country's lawyers' association as a test case ;)

  • Well now that folks know how the software works, I'm surprised nobody has set up a public repo with similar files-- especially since the exploits for a lot of these older vulnerabilities are already out there.

  • Placing aesthetic files needn't be illegal; see eg: https://en.wikipedia.org/wiki/Intelligent_banknote_neutralis... for a similar situation with banks, banknotes, and -presumably aesthetic- dye packs.

    This is pretty similar. Only hostile breach attempts are thwarted.

    It may need precedent or legislation to be fully legal, however. I would hope for EU-wide legislation to that effect in short order.

  • if you're aware of the details of the situation feel free to skip ahead to part IV, and save yourself a lot of reading. the first 3 parts are mostly just summarizing what happened

  • It looks like the linked post may have been taken down. There is a mirror here https://web.archive.org/web/20210513030656/https://cyberlaw.....

  • Regardless of the legal position, I would be very happy if every device I owned would attack, corrupt, disable, etc. any system or software that attempts to use the device or access its contents without my authorisation.

  • So the government should have the right to rifle through your shit and can deny you access to e2e encryption and we have to put up with Cellebrite or else they'll just start banning encryption and mandating backdoors, along with the horseshoe theory that the Anarchist is helping out all the Fash. Oh and he's not directly worried about kiddie porn, he just accepts that the governments will get whatever they want in the name of kiddie porn.

    This is how moderates get you to give up your rights, because they'll convince you that if you don't give up some of your rights, you'll wind up losing all of them, and nobody wants that to happen. It is very Good Cop / Bad Cop.

  • Where is the ‘software bill of materials’ the US president’s executive order requires of government software vendors, like Cellebrite?

    Is this applicable?

  • Signal hasn't hacked Cellebrite, to the best of my knowledge.

    They just pointed out that the software is poorly constructed in a blog post.

    Any claims otherwise are premature.

    Even their claims that they might put such exploit files on Signal devices were written in such a way as to be plausibly deniable.

    Until and unless a Cellebrite device is known to have been exploited by such a file, we are speculating idly.

    (FWIW, Signal doesn't even need to deploy the files now to have tainted the evidence that comes out of any Cellebrite device. The blog post was sufficient.)

  • >My guess is that it’s pretty rare that the Cellebrite evidence is the dispositive crux of a case, meaning, but for evidence pulled from a phone using a Cellebrite device, the jury would not have voted to convict.

    Let's also consider cases that could have warrants that would not have been approved if the integrity of the data from a Cellebrite extraction was questionable. I could see some defense lawyers challenge the validity of warrants from this.

  • Anybody got any of that payload software that you could install on your phone to corrupt Cellebrite's data?

  • as best i can tell, this person wrote too many words to say:

    1. cellebrite is ultimately good because it allows governments to spy on, harass, imprison, terrorize, torture, and murder its citizens, esp its journalist citizens, and

    2. moxie used the wrong tone in his blog post.

    something tells me this person doesn't think of themself as a typical government hack, which is presumably the only reason this blog post would be interesting enough to HN to show up here?

    also interesting that this person thinks that cellebrite only sells their tech to 'authoritarian' governments.

    which ones are those?

  • With that argument, how is what Cellebrite is doing legal? Is it just that they are not responsible for actions taken by their users?

  • >But a lot of vendors in this industry, the industry of selling surveillance technologies to governments, sell not only to the U.S. and other countries that respect the rule of law, but also to repressive governments that persecute their own people, where the definition of “criminal” might just mean being gay or criticizing the government.

    And then I suddenly don't care what this person has to say.

    The US persecutes its own people and many others around the world. The US is extraditing Assange for criticizing them. The US still operates Guantanamo Bay contrary to its own "laws". The US still invaded both Iraq and Afghanistan (the former based on lies they circulated through the media about how Saddam Hussein had "ties" to Al Qaeda). The US has a kill list of its own citizens which no citizen can appeal once their name is put on there (even if it's a mix up since many people have the same name). The US sends over $3 billion to Israel yearly, and also much money to Saudi Arabia yearly so both countries can oppress their people, butcher innocents, and flatten press buildings.

    So spare me the handwringing about "those evil governments that criminalize being gay" because the US is far worse than that and even supports many of those governments.

  • > The timing looks kinda fash

    Who is this fucking clown?

  • I worked with a guy at a startup who wrote and designed a Mac hacking system that exploited Firewire because it can read memory directly. Firewire is basically a security nightmare like several other peripheral interfaces (Wikipedia says "PCI Express, PC Card, ExpressCard, FireWire [yeap], PCI, and PCI-X")

    Thunderbolt 4 allegedly includes mitigations to prevent arbitrary DMA transactions and Thunderspy.

    https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Vulner...

    Btw, partial list of USB attacks:

    https://www.bleepingcomputer.com/news/security/heres-a-list-...

    https://www.sciencedirect.com/science/article/pii/S016740481...

  • My only complaint in this otherwise entertaining and informative read was the politics...

    For the record, the rioters weren’t seditionists (no charges anyways), nor were most (all) fascists (they were pro constitution), nor did they intend to overthrow the government (they wanted an election fraud looked into as they believe there was a coup via ballot stuffing) - not justifying actions or agreeing FYI. Just correcting the record.

    And two, I believe Moxie said why he hacked them? Wasn’t it because they said they could get Signal messages?

    > I also don’t like seditious fascists, and I think the people who tried to violently overthrow our democratically-elected government should be caught and held accountable. And the timing of this blog post kinda makes it look like Moxie — who is famously an anarchist — is giving the fascists ammunition in their legal cases to try to get off the hook. As said, I don’t think it’ll work, and even fascists deserve due process and not to be convicted on the basis of bug-riddled spy machines, but it’s helpful to them nonetheless.

  • As an American, I see this as a right to bear arms in the modern day.

  • IMO law enforcement as a whole is evil, particularly on a global level. So anything that messes with law enforcement, as a whole, is good with me.

    I think it's an opinion that messing with law enforcement is _bad_.

  • I said this at the time, the things Signal was saying it might do were so clearly illegal that it was more for the naive star-struck blog reader than anything else. It got a lot of play here and Reddit because they eat this nonsense up. But any lawyer will tell you that by disclosing this vuln in the way they did Signal only opened themselves up to lawsuits.

    If they do hire in-house counsel the first thing that guy would tell them is “call Cellebrite and tell them exactly what the vuln is and how to mitigate it.”

  • The article says that "it should be pretty straightforward for law enforcement to disprove an accusation about the Cellebrite machine", because they can perform the same extraction with another vendor's machine and compare the results.

    But if some app actually decided to use this hack, then wouldn't it be likely that in addition to modifying the contents of the data dump it would also modify the on-device data? In that case it wouldn't matter if the other vendors have vulnerabilities, since the device itself was already compromised.

  • Most of this was better left unsaid.

    So many words to state the obvious that like, for example, this would be illegal? Did the coy language not tip you off to the fact they realize that? Then suddenly trying to champion Cellebrite as the reason we don't have something as anti-privacy as backdoor mandates and encryption bans while at the same time we're already seeing countries inch towards that?

    And then seriously, acting like because Cellebrite is being used against rioters somehow this was a bad time for Signal to point out the fact that Cellebrite is an insecure pos on top of its dubious intended purpose?? Didn't I just go through 1000 words explaining why what Signal did won't matter anyways?

    -

    This whole thing just reads like someone who needed to go "well actually", it's not really saying anything novel or interesting, and in the pursuit of defending Cellebrite of all things, it makes some pretty dubious connections.

  • I am a little confused on why the author makes a distinction between Cellebrite using zero-days to hack a phone to read data and Signal's hack. While the US government might have the framework to not be considered violating CFAA, what about when other governments use Cellebrite? From this point of view, Cellebrite isn't a valve that's stopping back door decryption in systems, it is the back door. Signal including these files is in a sense covering a back door.

    Also, is leaving a file that breaks the admissibility of previously gathered evidence considered active hacking? Am I misunderstanding something about the function of the files in Signal? I thought the only way Cellebrite's software is interacted with is if it tries to access Signal on the device. Signal isn't actively searching to hack back. It's triggered by Cellebrite's software, not Signal's.

    The straightforward workaround would be to delete Signal before using the Cellebrite software which I think is the real point. Signal isn't trying to protect the end user actively and can't do anything if it's not installed on a phone.