←back to thread

ICE obtains access to Israeli-made spyware that hack phones and encrypted apps

(www.theguardian.com)
192 points pera | 5 comments | 02 Sep 25 18:12 UTC | HN request time: 0.458s | source
Show context
OutOfHere ◴[02 Sep 25 19:56 UTC] No.45108214[source]
There are three main categories of entry into a device via zero-days: WhatsApp/Signal, SMS/MMS, and Firefox/Chrome/Safari. If these can be isolated, entering a device could become harder.
replies(4): >>45108228 #>>45108305 #>>45109523 #>>45112057 #
const_cast ◴[03 Sep 25 03:42 UTC] No.45112057[source]
For all y'all Linux users: run your browsers in a container. You can isolate Firefox to just ~/downloads using Flatpak, it's really easy. Stops those pesky zero days from causing too much damage. Also everything just works.
replies(1): >>45112269 #
1. OutOfHere ◴[03 Sep 25 04:33 UTC] No.45112269[source]
Is there really a recommended Docker image for Firefox? And does it really work with a UI? Or did you mean to use Flatpak? Can it be run from a Mac?
replies(2): >>45112802 #>>45115271 #
2. soraminazuki ◴[03 Sep 25 06:27 UTC] No.45112802[source]
I don't think you need to do anything for macOS. It already has a permission system for filesystem access.
replies(1): >>45114733 #
3. OutOfHere ◴[03 Sep 25 12:04 UTC] No.45114733[source]
Zero-day exploits for web browsers routinely compromise the entire system, even on MacOS. Even without admin access, the exploit can do significant harm.
replies(1): >>45117834 #
4. const_cast ◴[03 Sep 25 13:07 UTC] No.45115271[source]
I believe Flatpak is linux-only. There's a UI to edit Flatpak settings from KDE settings or you can use flatseal.

You can do tons of neat things with it. You can also cut off environment variables, cut off the x11 socket, only allow certain dbus channels, etc. You don't need a docker container or anything, Flatpak is a container technology.

5. soraminazuki ◴[03 Sep 25 16:39 UTC] No.45117834{3}[source]
The native permission system still works for limiting filesystem access. As for the kinds of things you're describing, I don't think containerization is an effective enough countermeasure. At least definitely not Docker, which includes a root daemon that can be made to run arbitrary commands. A VM, possibly with some of the host integration features disabled, is a better option but is more costly in terms of setup, usability, and power usage. For many, the cost far exceed the risk.