Sounds extremely targeted, if an attacker is porting the attack to Macs (presumably a lot of work), and combining it with other loaders... I wonder how long this 0-day was in the wild.
Your friend should probably be browsing as a non-admin in a continuously-reimaged VM, separate from an air-gapped machine, if you have those kinds of attackers after you. Spooky.
if an attacker is porting the attack to Macs (presumably a lot of work)
It's worth noting that a professional security and pentest company I know of had a Python-based exploit authoring DSL that automatically generated exploit code across a very wide range of processor architectures and OSes. This was about fifteen years ago.
It's worth noting that a professional security and pentest company I know of had a Python-based exploit authoring DSL that automatically generated exploit code across a very wide range of processor architectures and OSes.
Makes sense. If entire OSes can be written in an intermediate representation, then exploits can be as well.
Just speculation, but "targeting" in this case may be as trivial as checking the user agent header, or other "device recognition" tricks common in web development nowadays. I am sure there are hundreds of libraries that do this for you...
I don't know why you are addressing me, I can't even downvote. Your "conspiracy theory" comment is certainly valid, unfortunately I'm not willing to provide more information so I suppose it will remain a "conspiracy theory" albeit one I believe is true.
I also work in the exchange space like you used to and my thinking is pretty much fully aligned with the way you pose the issue and I'm very excited about your intention behind Dharma. I also agree with your current thoughts on approaching KYC and AML (please see my post in response to this one's parent). I'll reach out to you via your website if you don't mind since HN doesn't have PMs, would love to figure out if there's a way I can contribute.
I am an engineer at a Coinbase competitor company and I have been thinking about this problem (massive amounts of crypto assets lying dormant) and possible leverage (global access to a universal debt market), and I have been researching Kiva since it seems to be the early player in this space. My 2c: yes, KYC and AML are important, but it doesn't make sense relying on national identity documentation and storing everyone's PII in your own database. There's a ton of companies working on identity solutions where the user retains ownership of their sensitive information. With GDPR catching on and similar regional legislation popping up pretty much everywhere outside the EU, KYC and AML information poses a significant liability (and rightly so!) to companies in the fintech space. Especially so for early entrepreneurs who want to innovate but don't have the risk and compliance teams to deal with such sensitive information.
The proper solution is not to hold people's PII at all and depend on a provider (ThisIsMe, Civic, Consent, IDNow, etc, etc, etc, etc) combined with the customer's social graph information. If you want to know your customer, you need to know the people who know your customer. After all, who knows you better than your family and friends?
Yes, I whole-heartedly agree, the user should own their PII and who has access to it, but the KYC and AML checks still have to happen. Having a provider do it is also great, but Civic (as one of your examples) has explicitly stated they can't do it in international low-income contexts, and they are unlikely to ever be able to in a way that makes financial sense.
That's why folks in this space need to be thinking about how to solve this problem. There's not a clear, easy answer (or if there is, it has not been communicated out enough; otherwise everyone would be using it).