I caught a glimpse of the Pegasus scandal while I was in Italy limited by a 4G which is not a real 4G except on the statistics. I say in passing because having only the TV for a few days, when I was with the in-laws, it was mentioned just to hide the fact.
Now that I have a connection again I started looking, and I realized what happened.
So: the name "Scandal Pegasus" is, as usual, wrong. It would be like saying that the scandal of a nymphomaniac prostitute is having had sex with a certain Beppe Rossi, and calling it "Scandal Beppe Rossi".
No, that's not how it works. And the "Pegasus" scandal should be called "Google Scandal", or "Apple Scandal", depending on.
Pegasus, in itself, is one of the many software sold to governments, which are capable of infecting your mobile phones and taking your data directly from the source. So far so good, a few months ago, even in Italy, there was a discussion about the possibility (for the police) of installing "state Trojans", which makes you understand (given the state's IT capabilities: who would he work for a policeman's salary when he knows how to make a Trojan?) that there is a thriving business in these products.
But this is precisely the point: how is it possible to promise that a vulnerability will remain in place?
I mean, imagine the scene: the state buys a trojan horse. He installs it in a network of mobsters, and begins to listen to them. Since there is "fumus", it puts in infiltrators. Suddenly, Google upgrades and the trojan stops working: the security hole (thanks to which the trojan works) is closed.
Yes, it is true that we can look for more and build another Trojan, but in the end we have three undercover agents who have infiltrated a reinforced concrete pillar and an investigation to be thrown away.
So the question is: how do we ensure that the product works? I mean, you are Israeli and you have infiltrated the Iranian physicists working on the atomic bomb. Suddenly an antivirus comes out and catches the trojan and deactivates it. Maybe by mistake. What are we doing? Are we waiting for Tel Aviv to go boom? Hope to have another backdoor for tomorrow? What if it doesn't arrive tomorrow but next week?
You understand that if we are going to use this stuff for "mission critical" issues, we need some kind of QA. That is Quality Assurance. It can't happen that a government loses an entire wiretapping network just because Avast updates. It does not make sense. And if you think Avast is an exaggeration, imagine a company like McAfee, run by a (recently deceased) character like John McAfee – how much could you really control such a character?
So, back to the point: how does it work?
It works that Google and Apple and everyone (except those who do not, like Huawei, and then is marginalized) undertakes to keep some backdoors active, and when it closes them IT COMMITS to governments (because there are laws that require it) to keep some "backdoors" open.
Using these backdoors, spying systems (trojans, various malware and more) are always able to penetrate a given cell phone with the certainty needed for these operations.
All this is possible because the existence of the backdoors is GUARANTEED BY THE MANUFACTURER.
It is therefore not a "Pegasus" scandal, but an "android" scandal, an "IOS scandal", and so on.
That is a "google scandal" or an "Apple scandal".
The truth is that a telco service cannot go live and be sold if backdoors are not guaranteed to law enforcement. And the truth is, your sarcastic Apple version can be sold IF AND ONLY IF the government can get into it.
Once you have entered these "secret doors" to enter your cell phone, the second problem is: how long will these secret doors remain secret?
Probably for a few months. Manufacturers and governments alike have turnover, and you can't reformat a guy's brain just because he quit or retired.
Consequently, immediately after creating, I know, the backdoors for the new OSX or for the new Android, a couple of months pass and the know-how has already reached the companies that produce these trojans, through those markets where you buy zero-days.
BUT, I repeat, the problem is the origin: none of this would really be possible if the producers did not obey the legal obligation to insert backdoors into mobile phones.
Will this phenomenon ever end? In the absence of competition, obviously not.
You can take as a reference, in addition to the RISC-V issue, news like this:
this now clear complicity of the producers with the "spy software companies" is pushing all countries to IT independence. First China did it, then comes a country like Russia, which is much smaller, and makes its own processor.
This independence race also affects furniture:
And of course, besides servers and mobile, desktops too:
There is little time left for the independence of the silicon of each geopolitical block; after which you will switch to the software.
This will obviously reduce European countries to decide who to be spied on, or build their own silicon first, and their software later.