Thread by Arnab Ray, 13 tweets, 3 min read
The WhatsApp hack is interesting, if not for anything else, for being based on something I had written more than a year ago in Sultan of Delhi 2. Wish I had published it then for a Jules Verne moment.
Anyways, what has happened now is this. The Pegasus "attack suite" has been known, for some years now, to be the world's most sophisticated malware. The developers have, according to legend, several zero-day exploits on all OSs that they use to gain control over target phones.
Zero-day exploits are exploitable vulnerabilities in commercial software (typically operating systems like iOS and Android) that allow malware to escalate privilege (i.e. do stuff they are not allowed to do). It takes nation-state-like resources to find zero-day exploits.
Pegasus, made by an Israeli company called NSO, has used zero-day exploits before, but usually they had to trigger it by making the target click a link (technically called spear-phishing) by creating a link the target is likely to click. With WhatsApp they have gone bigger.
By finding a zero-day within WhatsApp, they sent a video call which the target did not even have to pick up. The video call, I am guessing, triggered access to what should have been a protected memory area, and Pegasus was able to get code running on the target OS.
So putting it together, a zero-day in WhatsApp chained to a zero-day (or days) in iOS and Android to give the malware access to OS-privileged actions, controlling the microphone, accessing contact lists and call records, and I am also guessing there is a command and control
To which the data would be streamed. Now the concern is that the parent company NSO claims to sell these tools only to government agencies. This I am skeptical of. Government agencies do not directly touch these things, but do so through intermediaries. Like ahem Arjun Bhatia.
How concerned should you be? Not at all. Whatsapp's end-to-end encryption stands. The iOS and Android zero-days I am guessing have already been fixed through patches. So has Whatsapp. The fixes are usually shockingly simple, sometimes just one line in the code-base.
But surely there are other zero-days. There are. The thing is that finding them costs millions of dollars, and when a bad actor uses them, they know using it means losing it (the vendor will fix), which means someone has to pony up *real big bucks* for them to use a Brahmastra.
Now a valid question is "are there really so many zero-days?" The answer is no. A "zero day" is like a Sachin Tendulkar or a Ponting. What is more common are exploits that use the time of discovery by community and time of fixing, which often may be weeks to deliver.
For example, in many open source projects, someone finds a vulnerability, raises a ticket. The evil guys have "eyes", they immediately create an attack. They have time till a patch is developed, patch is tested, patch rolled out to main trunk, patch delivered, patch deployed.
Often in many open source projects (e.g. Linux), a bug fix is rolled out as a "code change". If you are using the software, you yourself have to change the code, rebuild and compile, and deploy the fix. Or you can wait for the next release cycle when that is fixed (months).
Most "quasi zero days" take advantage of this. The targets are usually browsers, SDKs, run-time environments, all software that does privileged operations.
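The window the thread describes (public disclosure, then fix developed, tested, released, and finally deployed on each box) is something a defender can measure for their own fleet. The script below is an added illustration, not code from the thread or from any project it mentions: it takes constructed advisory records (placeholder advisory IDs, a made-up project name) and a constructed list of deployed versions, compares versions numerically rather than as strings, and reports for each host whether it is still inside the vulnerable range and how many days it sat exposed between disclosure and the day a fixed build landed on it.

```python
"""Patch-gap exposure check (added example with constructed sample data).

Models the "quasi zero-day" window: the time between a vulnerability
becoming public and a fixed build actually being deployed on each host.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.10.0' into (2, 10, 0) so 2.10 sorts after 2.4 (string
    comparison would get this wrong and call a patched host vulnerable)."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Advisory:
    advisory_id: str      # placeholder id, not a real CVE
    project: str
    fixed_in: str         # first version that carries the fix
    disclosed: date       # day the bug became public (ticket, list post)
    fix_released: date    # day the fixed build was published upstream


@dataclass
class Deployment:
    host: str
    project: str
    version: str
    deployed_on: date     # day this version went live on the host


@dataclass
class Exposure:
    host: str
    advisory_id: str
    still_vulnerable: bool
    days_exposed: Optional[int]   # None while the window is still open


def patch_window(adv: Advisory) -> int:
    """Days between public disclosure and the upstream fix being released."""
    return (adv.fix_released - adv.disclosed).days


def assess(advisories: List[Advisory], deployments: List[Deployment]) -> List[Exposure]:
    """For every (advisory, host) pair on the affected project, decide whether
    the deployed version is still below the fixed version and, if not, how
    long the host was exposed after disclosure before the fix was deployed."""
    results: List[Exposure] = []
    for adv in advisories:
        fixed = parse_version(adv.fixed_in)
        for d in deployments:
            if d.project != adv.project:
                continue
            if parse_version(d.version) < fixed:
                # Fix never reached this host: window is still open.
                results.append(Exposure(d.host, adv.advisory_id, True, None))
            else:
                # Window runs from disclosure until the fixed build landed.
                # A host already on a fixed build before disclosure gets 0.
                closed = max(d.deployed_on, adv.disclosed)
                results.append(Exposure(d.host, adv.advisory_id, False,
                                        (closed - adv.disclosed).days))
    return results


# Constructed sample data: one advisory for a made-up library and three hosts.
ADVISORIES = [
    Advisory("ADV-0001", "examplelib", "2.4.1", date(2019, 3, 1), date(2019, 3, 15)),
]
DEPLOYMENTS = [
    Deployment("web-01", "examplelib", "2.4.1", date(2019, 3, 20)),   # patched 19 days after disclosure
    Deployment("web-02", "examplelib", "2.3.9", date(2018, 11, 2)),   # never patched
    Deployment("db-01", "examplelib", "2.10.0", date(2019, 4, 1)),    # patched 31 days after disclosure
]


def run_sample() -> List[Exposure]:
    """Run the check over the constructed data; convenient for tests."""
    return assess(ADVISORIES, DEPLOYMENTS)


if __name__ == "__main__":
    adv = ADVISORIES[0]
    print(f"{adv.advisory_id}: upstream fix took {patch_window(adv)} days after disclosure")
    for r in run_sample():
        state = "STILL VULNERABLE" if r.still_vulnerable else f"exposed {r.days_exposed} days"
        print(f"  {r.host:8s} {r.advisory_id}: {state}")
```

The interesting number for a defender is not only the upstream lag (`patch_window`) but the per-host figure, since the thread's point is that the attacker's window lasts until the fix is actually deployed on your box, not until it is merged upstream. Feeding this real inventory data (package versions per host with deploy dates) turns the thread's argument into a metric you can track.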