Maddie Stone
Feb 6 · 5 tweets
We're naming names 🔥 because the harm is not hypothetical.

Today we share "Buying Spying", our new report diving into the commercial surveillance/spyware industry. We dive into the players, the campaigns, the spyware, & the harm it perpetuates.

blog.google/threat-analysi…
[Image: blue headline graphic with a lighter blue shield and white text reading "Buying Spying: How the commercial surveillance industry works and what can be done about it"; footer: "Google -- Threat Analysis Group"]
There's also lots of goodies that we've never released before like:

👀 That Chrome 0-day (CVE-2023-7024) @_clem1 discovered in Dec? NSO Group
🤔 Which vendor gets caught the most
🕐 In April, it took Intellexa 45 days to come back after their Chrome 0days were caught & patched
And of course the attribution chart for in-the-wild 0-days in the appendix 🔥
[Image: screenshot of page 47 of https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/Buying_Spying_-_Insights_into_Commercial_Surveillance_Vendors.pdf, the first part of the appendix table listing commercial surveillance vendors with the CVEs we attribute to them]
While most are not at risk of being personally targeted with these capabilities, the impacts affect us all. When the most at-risk in our society: human rights defenders, journalists, opposition politicians, etc are targeted, that threatens & harms our free societies as a whole.
I'm so thrilled that we're getting this out to share and so thankful that I got to work with some incredible people on this: @auroracath @k_dennesen @az_matazz @charley_snyder_ @Kimberly_Samra @_clem1

Go check out the full 50 page report:
storage.googleapis.com/gweb-uniblog-p…
[Image: screenshot of the top half of the first page of the full report at https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/Buying_Spying_-_Insights_into_Commercial_Surveillance_Vendors.pdf]

More from @maddiestone

Jan 25, 2022
Lesley is right on the money (literally).

My therapist said something to me back in 2020 (we talked about my anxiety around money a lot) that's stuck with me: How does you making your life more difficult help anyone else?
It's only been in the last few years that I have truly felt stable and comfortable financially. Previously I was always trying to pay bills, debts, and just dreaming of being able to maybe save an emergency fund and donate to causes I care about.
So the idea of spending $ on things that aren't strictly necessary has always felt uncomfortable. So my therapist's q has helped when I consider where my $ goes. Which ever way the answer is, it helps me feel more at peace.
Jan 6, 2022
2021 was a wild year for 0-day exploitation detection. 2021 was also full of Google Project Zero & TAG publishing lots of good (in my biased opinion) stuff on 0-day exploits. 🧵ICYMI here they are:

#itw0days
1. In January, Project Zero published a 6 part series about a watering hole attack. The series covers the Chrome, Android, & Windows exploits, & the Android post-exploitation behavior of this attack.
Part #1: googleprojectzero.blogspot.com/2021/01/introd…
2. Also in January, @digivector of TAG published about a North Korean campaign targeting security researchers. While 0-day use was never confirmed, evidence suggested that the attackers did use 0-days in some cases.
blog.google/threat-analysi…
Jun 30, 2021
Here we go. I read NSO's 32 page "Transparency Report" published today so you don't have to. 🧵

It says nothing of substance. None of the "approvals" and "processes" and "misuse" and "human rights" that make up much of the report are defined.

nsogroup.com/wp-content/upl…
The few glimmers of details we get confirm to me we need to be concerned about who NSO's technology is being sold to & how it's being used.

I "live chatted" my reading of this to my teammates as my frustration & rage grew. There was so much. I'll limit this to just a few. 2/12
The main two points are:
1. We have strict processes to ensure our technology is not misused in ways that violate human rights.
2. We have no insight into how our customers use our technology.
🤔
This leads in to claims of how little misuse there is. 3/12
Jun 19, 2021
This thread from ~yr ago was a turning point for me. Not because the harassment stopped, but because I finally no longer dealt with all this bs predominantly alone. As illogical & irrational as it is, I think I felt shame every time I received one of these messages. 1/x
*I* must have been doing something wrong, *I* must have been less than if all these people took the effort to say these things to me. If colleagues weren’t dealing with this, then *I* must be the problem. I’m *drama*. These were the quiet thoughts. 2/x
And while each time I came out of it knowing those thoughts were incorrect, it was exhausting & took capacity to process the messages and get to that point. Capacity & energy I would have much preferred to spend elsewhere...like maybe my actual work. 3/x
Dec 15, 2020
Along with many others in infosec, I've always cautioned against any of the voice activated smart gadgets, largely thinking there's only marginal benefit for the risks of an always-on microphone.

Recovering from surgery with only one usable arm has completely changed my views.1/
Using voice control, which has required turning on the mics on my phone and home mini, has made my quality of life substantially better and even prevented physical pain. 2/
2 days post-op I was staying at family's house & had gone for a nap. I woke up & was completely tangled in the velcro straps from the sling and ice pack. Hair & a pillowcase were involved in the velcro nightmare too. 3/
Oct 31, 2020
Can't believe I'm voluntarily wading into this, but here we go.

When you share those full details, that's when I drop everything & get to work (and I usually pull in my teammates too 💁🏽‍♀️). It's not just another cool vuln, it's something being used to harm. 1/6
As an example, here's how I approach it as soon as the details are out:
-understand the root cause & exploit method
-think of potential detection methods & talk to the folks who can implement them if it's not us 2/6
-find variants that the attackers either already have (and may even be using) or could easily switch to and try to get them fixed at the same time as the original bug
-brainstorm fixes, mitigations, system improvements & share them 3/6