192 points | pera | 2 comments
OutOfHere ◴[] No.45108214[source]
There are three main categories of entry into a device via zero-days: WhatsApp/Signal, SMS/MMS, and Firefox/Chrome/Safari. If these can be isolated, entering a device could become harder.
const_cast ◴[] No.45112057[source]
For all y'all Linux users: run your browsers in a container. You can isolate Firefox to just ~/downloads using Flatpak, it's really easy. Stops those pesky zero days from causing too much damage. Also everything just works.
OutOfHere ◴[] No.45112269[source]
Is there really a recommended Docker image for Firefox? And does it really work with a UI? Or did you mean to use Flatpak? Can it be run from a Mac?
soraminazuki ◴[] No.45112802{3}[source]
I don't think you need to do anything for macOS. It already has a permission system for filesystem access.
1. OutOfHere ◴[] No.45114733[source]
Zero-day exploits for web browsers routinely compromise the entire system, even on macOS. Even without admin access, the exploit can do significant harm.
2. soraminazuki ◴[] No.45117834[source]
The native permission system still works for limiting filesystem access. As for the kinds of things you're describing, I don't think containerization is an effective enough countermeasure. At least definitely not Docker, which includes a root daemon that can be made to run arbitrary commands. A VM, possibly with some of the host integration features disabled, is a better option but is more costly in terms of setup, usability, and power usage. For many, the cost far exceeds the risk.