Jonathan Scott
American Mobile, IoT & Crypto Researcher (Malware/Spyware/Forensics) Founder @TheMiladGroup, Doctoral Student - Comp Sci - Digital Espionage

Oct 26, 2022, 11 tweets

The #CatalanGate report by @citizenlab and @amnesty is filled with many unknowns, but this seems par for the course.

Elisenda Paluzie - said to be infected with Pegasus, shows a false positive result in the Amnesty validation report.

@josejolivas @jordi_canyas @foroprofesores

Meritxell Bonet - also said to be infected with Pegasus, has a false positive result in the Amnesty Tech validation report.

Jordi Sànchez - another said to be infected 25 times, has a false positive result.

Sònia Urpí Garcia - Has an even stranger issue in her "forensics validation"

She is now connected to a Hungarian Forensics Report.

Artur Mas - is said to be infected with Pegasus, but Citizen Lab was

"[Unable to determine specific infection date(s)]"

We can see an alleged "malicious" SMS sent to Jordi Sànchez on 2017-07-11.

Is this how @citizenlab and @amnesty are determining who is infected?

The false positive results mentioned above can be seen in a GitHub issue raised by an MVT-Tool user.

Etienne Maynier of Amnesty Tech acknowledged the false positive and removed the indicator from the STIX2 file, but kept it in the main code base.

github.com/AmnestyTech/in…

The iOS developer who raised the issue says the "malicious" file

Library/Preferences/com.apple.CrashReporter.plist

is a normal file on an iPhone & suggests checks to see if it is an IoC.

Etienne says Amnesty doesn't read the content of the file, it just looks for a name.

🤯

We can see that loading a STIX2 file that contains

Library/Preferences/com.apple.CrashReporter.plist

is delivering a false positive result for more than 1 person. I have posted this before, but Amnesty Tech acknowledges the false positive and removes it.

Let me break this down:

1. Amnesty created a list with keywords that are believed to be Pegasus

2. MVT-Tool is made to detect Pegasus

3. If you tell MVT to cross-check with the keyword list, false positive results for com.apple.CrashReporter.plist came back

4. Amnesty acknowledged this issue with the keyword list, and removed com.apple.CrashReporter.plist from the keyword list

5. By the time this was removed from the keyword list, 17 people had already been confirmed to be infected with Pegasus based on this keyword.

Last part of clarification b/c ppl refuse to see what is really happening

The iOS developer in this issue is stating Amnesty should do more than just look for a file name, com.apple.CrashReporter.plist,

b/c just looking for a name can show a false positive result.
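The matching behaviour described in points 1 to 5 above, as an added example that is not from the thread, from MVT, or from Amnesty Tech: a constructed STIX2-style indicator bundle (the `com.example.hypothetical-agent` path is invented, and the bundle is not the real indicator set), constructed device file listings standing in for backups, a name-only scan that fires on every device, and two of the extra checks a defender would want before calling a hit confirmed: a clean-device baseline and a content hash.

```python
"""Name-only file-path indicators versus baseline- and content-aware matching.

Everything below is constructed for illustration: the indicator bundle, the
device listings and the hashes are not real data and not MVT's code.
"""
import hashlib
import json
import re

# Constructed STIX2-style bundle. The second indicator names a file that every
# iPhone carries, which is exactly the situation the thread describes.
INDICATOR_BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "indicator",
         "pattern": "[file:path = 'Library/Caches/com.example.hypothetical-agent']"},
        {"type": "indicator",
         "pattern": "[file:path = 'Library/Preferences/com.apple.CrashReporter.plist']"},
    ],
})

STOCK_PLIST = b"<plist>stock crash reporter settings</plist>"   # constructed
PAYLOAD = b"constructed payload bytes"                          # constructed

# Constructed per-device listings: path -> file contents (stand-in for a backup).
DEVICES = {
    "clean-phone-A": {"Library/Preferences/com.apple.CrashReporter.plist": STOCK_PLIST},
    "clean-phone-B": {"Library/Preferences/com.apple.CrashReporter.plist": STOCK_PLIST},
    "suspect-phone": {"Library/Preferences/com.apple.CrashReporter.plist": STOCK_PLIST,
                      "Library/Caches/com.example.hypothetical-agent": PAYLOAD},
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Hypothetical content hashes an analyst has for the indicators. The stock plist
# has no known-bad hash: its name alone says nothing about compromise.
KNOWN_BAD_HASHES = {"Library/Caches/com.example.hypothetical-agent": sha256_hex(PAYLOAD)}

_PATH_PATTERN = re.compile(r"\[file:path\s*=\s*'([^']+)'\]")

def load_path_indicators(bundle_json: str) -> set:
    """Extract file:path comparisons from a STIX2 bundle; other patterns are ignored."""
    paths = set()
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        match = _PATH_PATTERN.fullmatch(obj["pattern"].strip())
        if match:
            paths.add(match.group(1))
    return paths

def name_only_matches(indicators: set, listing: dict) -> set:
    """The behaviour described in the thread: a hit is simply 'this path exists'."""
    return {path for path in listing if path in indicators}

def indicators_hitting_clean_baseline(indicators: set, clean_listings: list) -> set:
    """Indicators that fire on a known-clean device cannot discriminate; list them."""
    noisy = set()
    for listing in clean_listings:
        noisy |= name_only_matches(indicators, listing)
    return noisy

def baseline_filtered_matches(indicators: set, listing: dict, clean_listings: list) -> set:
    """Scan with the noisy indicators removed first."""
    usable = indicators - indicators_hitting_clean_baseline(indicators, clean_listings)
    return name_only_matches(usable, listing)

def content_aware_matches(indicators: set, listing: dict, known_bad: dict) -> set:
    """Only count a path hit when the file contents match a known-bad hash."""
    return {path for path in name_only_matches(indicators, listing)
            if path in known_bad and sha256_hex(listing[path]) == known_bad[path]}

def scan_all(strategy: str) -> dict:
    """Run one strategy over every constructed device; returns device -> hits."""
    indicators = load_path_indicators(INDICATOR_BUNDLE_JSON)
    clean = [DEVICES["clean-phone-A"], DEVICES["clean-phone-B"]]
    results = {}
    for name, listing in DEVICES.items():
        if strategy == "name":
            results[name] = name_only_matches(indicators, listing)
        elif strategy == "baseline":
            results[name] = baseline_filtered_matches(indicators, listing, clean)
        elif strategy == "content":
            results[name] = content_aware_matches(indicators, listing, KNOWN_BAD_HASHES)
        else:
            raise ValueError(strategy)
    return results

if __name__ == "__main__":
    for strategy in ("name", "baseline", "content"):
        print(strategy, {dev: sorted(hits) for dev, hits in scan_all(strategy).items()})
```

With the name-only strategy all three constructed devices are flagged because of the stock plist; the baseline filter drops that indicator once it is seen on a clean device, and the content check only counts the path whose bytes hash to a known-bad value, so both leave just the suspect device.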
