Hacker NewsHacker News
Paragon accidentally uploaded a photo of its spyware control panel
192 points by CGMthrowaway 2 days ago | 47 comments
ronsor 2 days ago
From one Twitter user:

> It's just a demo instance, but, these front ends are barely revealed to the public

This genuinely doesn't look any different from the control panels of commercial infostealers and RATs sold on Russian hacking forums. Those usually sell for between $200 and $20,000 depending on features and pricing model (one-time vs. ongoing subscription).

These spyware companies hype themselves up, but they're really not any different from Ivan's RAT-as-a-Service, besides having extra exploits to burn and wealthier customers.

reply
walletdrainer 2 days ago
As it turns out, you just can’t make malware for targets like these much better.
reply
tamimio 2 days ago
> These spyware companies hype themselves up

Same applies to other industries too btw, in drones world, so many companies that you see their names with multi billions contracts, but if you open the hood and see their hardware/software, it’s built on top of everyday open source tools duct taped together with some UI, and sales selling it as the next big (insert buzzword here) thing ever!

reply
sudoshred 23 hours ago
If it wasn't sold as the next big buzzword you could easily hire 10 new SDR employees who would sell it that way.
reply
NedF 19 hours ago
[dead]
reply
recursivecaveat 2 days ago
This company btw for anyone else who had not heard of them before (there are a lot of companies by that name): https://en.wikipedia.org/wiki/Paragon_Solutions
reply
phendrenad2 2 days ago
It's too bad that "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized" has become "we can download a full copy of all of your files at any time, or continually, if we feel like it, even if we don't suspect you of a crime".
reply
seanw444 2 days ago
You must be new. The Constitution is an irrelevant piece of toilet paper now.

The first amendment only protects you unless the people in power say it doesn't. The government will pressure private companies to censor you. This was provably demonstrated under the Biden administration.

The second amendment is useless. One third to half of the country doesn't recognize the right to keep the majority of the useful arms that exist, nor the right to bear them in any meaningful way. The (Republican-leaning) Supreme Court has decided that states requiring permission slips to exercise a right is a totally valid precedent. The Republican district attorney for D.C. proudly states that having a gun there for any reason is an immediate offense. Donald Trump has been recorded suggesting to take guns from people before due process. And that's ignoring the Democrats' unfathomably large track record against this amendment. I just wanted to include the fact that neither side actually supports this amendment, as much as people like to believe.

Third amendment is pretty obscure in our era. So far, at least. But you could make the roundabout argument that the Biden admin preventing landlords from evicting their unpaying tenants, particularly if those tenants were currently or previously employed by the military, would violate this amendment.

Fourth amendment doesn't matter anymore. We have entire government agencies whose primary purpose is to ignore this amendment. It's not even a conspiracy, nor a conspiracy theory. They do it in plain sight, and everyone knows, but apparently nobody cares (in which case why does the amendment even matter). Also, as long as the government gets the data from private companies (even if by force), that apparently doesn't constitute a fourth amendment violation these days.

Fifth amendment: civil asset forfeiture is disgustingly rampant all across the country. Not enough people know about it or care.

Sixth amendment: the term "speedy" regarding trials is an extremely loose one, especially now. Especially considering the government is apparently allowed to hold you indefinitely without an actual trial, without facing any repercussions.

Eighth amendment: judges impart excess fines quite often. See the Alex Jones case.

Ninth amendment: completely irrelevant now. If the government believes they have the right, though not explicitly enumerated, then they have the right.

reply
dylan604 24 hours ago
> You must be new. The Constitution is an irrelevant piece of toilet paper now.

Only when convenient, as it is also considered a sacred document when it comes to the first and second amendments.

reply
seanw444 7 hours ago
Did you even read my comment?
reply
fortran77 2 days ago
Third Amendment issues come up every now and then. For example, legislators have tried to force airlines to provide special services for U.S. military at their own expense:

https://www.foxnews.com/politics/lawmaker-wants-to-waive-all...

I'm not saying these men and women aren't deserving, but the taxpayers should foot the bill. A private property owner shouldn't be forced to. Fortunaely, these bills never get far.

reply
seanw444 2 days ago
Interesting. I haven't heard of many examples. Thanks. Seems the issues that do pop up tend to be loosely related to the original wording. It was focused on quartering in homes.

Though it does say "but in a manner to be prescribed by law." Wouldn't that mean that this bill would technically be viable?

reply
killingtime74 15 hours ago
Is there much point blanking the faces when it also names who uploaded the photo....we can easily google them?
reply
phendrenad2 2 days ago
reply
efilife 2 days ago
Can somebody please explain to an idiot (me) how is this possible for this to keep going? I thought that the world has decided that spyware is illegal and can't be produced. Is this company related to israeli government? If not, why is it allowed to function?
reply
muvlon 2 days ago
The world has not decided that spyware can't be produced. Mostly, the powers that be treat it like weapons of war.

That is, companies can make and sell it as long as they only sell it to governments and only the ones that we like.

reply
ra 2 days ago
The general public might be clear that spyware is evil, but governments use it extensively: https://en.wikipedia.org/wiki/Pegasus_Project_(investigation...
reply
userbinator 23 hours ago
Microsoft has decided that spyware is a good thing --- as long as it's theirs.
reply
general1465 2 days ago
What is allowed to companies is not allowed to private citizens. If you want to systematically break copyright laws or steal data from people, do it as Joe's LLC. Joe would go to prison for copyright infringement or hacking other people, Joe's LLC can do as it please.
reply
rtaylorgarlock 2 days ago
Looks like image was removed and maybe only a demo?
reply
arg0x 2 days ago
The original linkedin post is deleted? Is there a way to recover it? Did anyone archive?
reply
xinayder 23 hours ago
Lots of grammar errors in some buttons, is this legit?
reply
moralestapia 2 days ago
[flagged]
reply
thmsths 2 days ago
The message can't be intercepted in transit, since we are talking about spyware, I assume they get it from the device, hard to defend against that if they have access to your process' memory space.
reply
lmm 2 days ago
Certainly very hard to defend against that when the messenger you're using won't let you use a device you control.
reply
Hamuko 2 days ago
Surprising that end-to-end encryption doesn't really matter when you get into one of the ends.
reply
ASalazarMX 2 days ago
Even if you had to input your private key every time you wanted to read or send a message, having malware in your phone voids practically any form of encryption, because it has to be decrypted eventually to be used.
reply
akimbostrawman 2 days ago
not at all. there is no encryption that can save you when one of the legitimate participants is somehow compromised. doesn't even need to be a sophisticated device compromise, literal shoulder surfing does that too.
reply
moralestapia 2 days ago
[flagged]
reply
coldtea 2 days ago
The parent said "it's surprising". It's not surprising.
reply
Talanes 2 days ago
You're correct in the literal sense that they did say those words, but the entire comment clearly demonstrated a lack of surprise that reveals the opening words to be intended ironically.
reply
moralestapia 2 days ago
>The message can't be intercepted in transit

Lol, so like ... all encryption schemes since the 70s?

reply
sowbug 2 days ago
They do have stronger schemes, which are called hash functions.
reply
moralestapia 2 days ago
What?

Hashing is not encrypting.

You can learn more about the topic here, https://www.okta.com/identity-101/hashing-vs-encryption/

reply
coldtea 2 days ago
It's a joke, because hashing loses information, and thus the original is not retrievable, woosh
reply
moralestapia 9 hours ago
Lol, good one, then :)
reply
sowbug 2 days ago
> What?

> Hashing is not encrypting.

> You can learn more about the topic here, https://www.okta.com/identity-101/hashing-vs-encryption/

Thank you for that link. Your original comment implied that Signal's threat model should have included an attacker-controlled end. The only way to do that is to make decryption impossible by anyone, including the intended recipient. A labyrinthine way to do that would be to substitute the symmetric-encryption algorithm with a hash algorithm, which of course destroys the plaintext, but does accomplish the goal of obfuscating it in transit, at rest, and forever.

reply
p-o 2 days ago
Hashing is a part of encryption, maybe you are the one who needs to shore up on the topic?
reply
aipatselarom 2 days ago
Nice try. However, hashing and encryption are two different operations.

Load this page, https://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Ctrl-F "hash". No mention of it.

Before being pedantic at least check out the url in that comment to get the basics going.

reply
sowbug 2 days ago
This entire thread should be annihilated, but since you mentioned being pedantic...

You're correct that a pure encryption algorithm doesn't use hashing. But real-world encryption systems will include an HMAC to detect whether messages were altered in transit. HMACs do use hash functions.

reply
AlotOfReading 2 days ago
A good hash function is surjective. Encryption is bijective. They're very different things.
reply
Insanity 2 days ago
How is this related?
reply
moralestapia 2 days ago
I see there's some room for ambiguity.

See, https://en.wikipedia.org/wiki/Moxie_Marlinspike

reply
dualbus 2 days ago
Apologies for being dense. Could you spell out how you went from Paragon Solutions to the Signal Protocol?
reply
ale42 2 days ago
I guess they've seen a Signal icon in the photo. Of course the interception is done locally on the phone (so it's basically "man-in-the-client" rather than a "man-in-the-middle"), therefore the Signal protocol is not really worth being mentioned as it has nothing to do with local interception.
reply
moralestapia 12 hours ago
While Signal also applies, I was thinking of WhatsApp.
reply
jabwd 2 days ago
Cool, can you now show how the protocol has been broken? Lot of smart people would love to see your novel research.
reply
Insanity 2 days ago
Yea I knew which Moxie it was but that didn’t help at all haha
reply
tamimio 2 days ago
It’s performative security, when an app still requires a phone number, can’t have your own server, and all these audits are meaningless as you might have memory injected spyware later, it is NOT secure, never was.
reply
amai 2 days ago
I read Pentagon instead of Paragon.
reply