Paragon accidentally uploaded a photo of its spyware control panel

(twitter.com)

101 points by CGMthrowaway3 hours ago

7 comments

ronsor1 hour ago
From one Twitter user:> It's just a demo instance, but, these front ends are barely revealed to the publicThis genuinely doesn't look any different from the control panels of commercial infostealers and RATs sold on Russian hacking forums. Those usually sell for between $200 and $20,000 depending on features and pricing model (one-time vs. ongoing subscription).These spyware companies hype themselves up, but they're really not any different from Ivan's RAT-as-a-Service, besides having extra exploits to burn and wealthier customers.
- walletdrainer1 hour ago
 As it turns out, you just can’t make malware for targets like these much better.
recursivecaveat2 hours ago
This company btw for anyone else who had not heard of them before (there are a lot of companies by that name): <a href="https://en.wikipedia.org/wiki/Paragon_Solutions" rel="nofollow">https://en.wikipedia.org/wiki/Paragon_Solutions</a>
- phendrenad21 hour ago
 It's too bad that "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized" has become "we can download a full copy of all of your files at any time, or continually, if we feel like it, even if we don't suspect you of a crime".
efilife55 minutes ago
Can somebody please explain to an idiot (me) how is this possible for this to keep going? I thought that the world has decided that spyware is illegal and can't be produced. Is this company related to israeli government? If not, why is it allowed to function?
- ra0 minutes ago
 [delayed]
- muvlon22 minutes ago
 The world has not decided that spyware can't be produced. Mostly, the powers that be treat it like weapons of war.That is, companies can make and sell it as long as they only sell it to governments and only the ones that we like.
- general146519 minutes ago
 What is allowed to companies is not allowed to private citizens. If you want to systematically break copyright laws or steal data from people, do it as Joe's LLC. Joe would go to prison for copyright infringement or hacking other people, Joe's LLC can do as it please.
phendrenad22 hours ago
Non-X link: <a href="https://archive.is/kqvnH" rel="nofollow">https://archive.is/kqvnH</a>
rtaylorgarlock2 hours ago
Looks like image was removed and maybe only a demo?
moralestapia2 hours ago
Awesome.Moxie's "unbreakable" end-to-end communication protocol.
- thmsths1 hour ago
 The message can't be intercepted in transit, since we are talking about spyware, I assume they get it from the device, hard to defend against that if they have access to your process' memory space.
 - lmm51 minutes ago
 Certainly very hard to defend against that when the messenger you're using won't let you use a device you control.
 - Hamuko1 hour ago
 Surprising that end-to-end encryption doesn't really matter when you get into one of the ends.
 - ASalazarMX1 hour ago
 Even if you had to input your private key every time you wanted to read or send a message, having malware in your phone voids practically any form of encryption, because it has to be decrypted eventually to be used.
 - akimbostrawman1 hour ago
 not at all. there is no encryption that can save you when one of the legitimate participants is somehow compromised. doesn't even need to be a sophisticated device compromise, literal shoulder surfing does that too.
 - moralestapia1 hour ago
 [flagged]
 coldtea54 minutes ago
 The parent said "it's surprising". It's not surprising.
 Talanes33 minutes ago
 You're correct in the literal sense that they did say those words, but the entire comment clearly demonstrated a lack of surprise that reveals the opening words to be intended ironically.
 - moralestapia1 hour ago
 >The message can't be intercepted in transitLol, so like ... all encryption schemes since the 70s?
 - sowbug1 hour ago
 They do have stronger schemes, which are called hash functions.
 - moralestapia1 hour ago
 What?Hashing is not encrypting.You can learn more about the topic here, <a href="https://www.okta.com/identity-101/hashing-vs-encryption/" rel="nofollow">https://www.okta.com/identity-101/hashing-vs-encryption/</a>
 coldtea53 minutes ago
 It's a joke, because hashing losses information, and thus the original is not retrievable, woosh
 p-o1 hour ago
 Hashing is a part of encryption, maybe you are the one who needs to shore up on the topic?
 aipatselarom1 hour ago
 Nice try. However, hashing and encryption are two different operations.Load this page, <a href="https://en.wikipedia.org/wiki/Advanced_Encryption_Standard" rel="nofollow">https://en.wikipedia.org/wiki/Advanced_Encryption_Standard</a>Ctrl-F "hash". No mention of it.Before being pedantic at least check out the url in that comment to get the basics going.
 sowbug46 minutes ago
 This entire thread should be annihilated, but since you mentioned being pedantic...You're correct that a pure encryption algorithm doesn't use hashing. But real-world encryption systems will include an HMAC to detect whether messages were altered in transit. HMACs do use hash functions.
 AlotOfReading50 minutes ago
 A good hash function is surjective. Encryption is bijective. They're very different things.
 sowbug1 hour ago
 > What?> Hashing is not encrypting.> You can learn more about the topic here, <a href="https://www.okta.com/identity-101/hashing-vs-encryption/" rel="nofollow">https://www.okta.com/identity-101/hashing-vs-encryption/</a>Thank you for that link. Your original comment implied that Signal's threat model should have included an attacker-controlled end. The only way to do that is to make decryption impossible by anyone, including the intended recipient. A labyrinthine way to do that would be to substitute the symmetric-encryption algorithm with a hash algorithm, which of course destroys the plaintext, but does accomplish the goal of obfuscating it in transit, at rest, and forever.
- Insanity1 hour ago
 How is this related?
 - moralestapia1 hour ago
 I see there's some room for ambiguity.See, <a href="https://en.wikipedia.org/wiki/Moxie_Marlinspike" rel="nofollow">https://en.wikipedia.org/wiki/Moxie_Marlinspike</a>
 - jabwd6 minutes ago
 Cool, can you now show how the protocol has been broken? Lot of smart people would love to see your novel research.
 - dualbus59 minutes ago
 Apologies for being dense. Could you spell out how you went from Paragon Solutions to the Signal Protocol?
 - ale4241 minutes ago
 I guess they've seen a Signal icon in the photo. Of course the interception is done locally on the phone (so it's basically "man-in-the-client" rather than a "man-in-the-middle"), therefore the Signal protocol is not really worth being mentioned as it has nothing to do with local interception.
 - Insanity31 minutes ago
 Yea I knew which Moxie it was but that didn’t help at all haha
amai1 hour ago
I read Pentagon instead of Paragon.