67 comments

[ 0.19 ms ] story [ 256 ms ] thread
> Robert Malley, a longtime American diplomat who was chief negotiator on the US-Iran deal, and who appears to have been selected as a person of interest by Morocco in 2019. NSO has said its government clients are prevented from deploying its software against US numbers because it has been made “technically impossible”.

Is there more info about why this is technically impossible or is it just their PR way of saying "sorry, the day we do this we're screwed as a company"?

(comment deleted)
I would assume it‘s a deliberate „if number.startsWith("+1")" precisely so nobody ends up using it on a US politician or whatever who then goes on a rampage.
I like to imagine that some developer commented out that line to allow for spying on Canadian persons and left a "TODO: find better way to identify US numbers" that was never fixed.
(comment deleted)
That’s hilarious, although I suspect “don’t hack the US” means “don’t hack five eyes” in practice
While it would be funny, Canadian phone numbers are pretty easy to identify, generally. They have their own set of area codes. Granted, there are exceptions, though I guess it depends on your interpretation of what it means to be a "US phone number".
Until they release some sort of irrefutable proof, why give them the benefit of the doubt? Their track record warrants assuming dishonesty.
Everyone cares more about the optics of spying on US citizens than actually spying on US citizens. Like in this example, without the convenient excuse of "it's impossible" the headline likely would have been "Pegasus Project spies on US diplomat and French President."
The Israeli defense ministry has to approve sales contracts. I'm assuming they'd like to avoid spying on citizens of states they depend on militarily/politically or that have the capability of retaliating.
> states they depend on militarily/politically or that have the capability of retaliating

It's almost certainly closer to the former than to the latter.

Not that anyone sane would be likely to consider actual war over something like this, but while the French military may not be the force it once was it's still formidable and they are - theoretical willingness to engage notwithstanding - one of the declared nuclear powers.

> I'm assuming they'd like to avoid spying on citizens of states they depend on militarily/politically or that have the capability of retaliating.

It's an open secret that Israel has been conducting economic and military espionage against the US[0][1][2] and stealing civilian and military technology for decades. This "blocking +1 numbers" is rather a thin veneer to prevent third parties from endangering the "official" Israeli espionage program.

[0] https://www.businessinsider.com/israeli-spying-on-us-has-rea...

[1] https://www.politico.com/story/2019/09/12/israel-white-house...

[2] https://www.nytimes.com/2020/12/30/world/middleeast/jonathan...

NSO effectively operates a SaaS platform for target exploitation and collection. They can easily add a restriction that prevents specific phone numbers from being targeted.

My guess is that such a restriction is in place to meet contractual obligations. If you weaponize an exploit against US targets, you'll never get a US based broker to sell further exploits to you.

>If you weaponize an exploit against US targets, you'll never get a US based broker to sell further exploits to you.

If you weaponize an exploit against US - especially US government - targets you jeopardize the military and intelligence alliance that keeps your country alive, not to mention the standing FBI warrants if you have the misfortune to enter the country, nor the forfeiture of your ability to use the world banking system.

Well that’s probably something that hasn’t crossed their mind. Shitting on the US is not on the "avoid" list of Israelis.
Unclear why it's "technically impossible" but from this Washington Post article [1] it sounds more like "prevented by business logic," at least according to their source:

> A person familiar with NSO operations who spoke on the condition of anonymity to discuss internal company matters said Sunday that +1 phones are safe from Pegasus no matter where they are in the world. The system is programmed to block efforts to hack them, the person said.

> The person also said Pegasus can determine where a phone is geographically and block any efforts to hack a foreign-registered phone while it is inside the United States.

> But there is no way to determine the nationality of the user of a phone registered to a foreign system.

  [1]: https://www.washingtonpost.com/national-security/2021/07/19/us-phone-numbers-nso/
This strikes me as a thing that applies "normally" but can be circumvented with a user privilege flag or so on.

There's no reason an exception to that business logic isn't part of the system (and we have no way to verify/prove one way or the other).

(comment deleted)
Or circumvented by overwriting a conditional jump with a nop, though that might be challenging in practice if it's really SaaS.
They have claimed in the past that they have technical measures to prevent the wrong people being targeted. If my memory of the reporting around the lawsuit by Facebook against the NSO is correct, the claims were pretty much rubbish - like, the technical measure may be there, but it pretty clearly wasn't in use.
Inb4 fifty Liberal agents are deployed to debunk this.
This is great news. The more people in power have been hit, the more repercussions we can hope for.

One possible way to force a bit of scrutiny upon NSO group would be to crowdfund an Pegasus subscription and use it against Netanyahu.

Any serious suggestions what we can do to ensure that in the long run there will be less and not more "Hacking for hire" companies lending their tools for use against journalists and the opposition?

Shit will really hit the fan when the "ransomware as a service" discovers the "targeted surveillance as a service" business model.. Interesting times to be alive.

> The more people in power have been hit, the more repercussions we can hope for.

This reminds me of a story I heard at a presentation when working at a bank. A politician was going through a closing process for property he was purchasing. He had an issue and found out that the banks automatically tac on PMI for his type of loan, regardless of loan to value ratios.

A year later, their state passed legislation saying PMI cannot be forced on mortgaged loans with certain ratios and must be disclosed before closing.

Funny how things work :)

Had to look up, PMI = Private mortgage insurance.
For reference, normally banks mandate that stuff when the loan to value (LTV) ratio is very high. Meaning they didn't put a large down payment there. It's insurance you pay so that in case you quit paying or cant, the bank can recoup their losses. Essentially you're forced to pay to insure the bank's investment. Now normally you can remove it once you reach whatever LTV the financial has in their policy (usually 75-80%), but at the time when the politician was dealing with it, you basically had it on for the "life of loan."
This is essentially the argument behind prohibiting private schooling.
Then the argument should be that the children of public servants must go to public schools.
Meaning:

* the people who fund reelection campaigns get to opt out of public education.

* politicians before and after their political careers can opt out.

* a quick change to the law is all that would be required for politicians to opt out while theyre in office.

It would be enough to make them care a bit more, but only an outright prohibition would make them truly committed to public education.

This argument can be applied to anything: “everyone must have or experience the same government thing because otherwise the government provided good will be shitty.”

The counter-argument is the same in all places too, which is that: “freedom is good, so you should have a really good reason for restricting it and restrict it as little as possible, and this isn’t a good enough reason because it probably won’t work out like you intend”

Here's another one. A small town mayor got raided by the state SWAT over marijuana (package shipped to wrong address, at that). Himself and his mother-in-law were handcuffed and held at gunpoint for several hours in their underwear, and his two dogs shot. The mayor went on to sponsor a bill that required all police departments with SWAT teams to publish reports on how often they're deployed, and the reasons for deployments - which showed that the vast majority of SWAT raids are to serve search warrants in non-violent crimes, mostly drugs. Despite strong opposition from law enforcement, the bill passed.

https://en.wikipedia.org/wiki/Berwyn_Heights,_Maryland_mayor...

I'm afraid this story doesn't have a good ending in the long term, though - the law expired in 5 years, and wasn't renewed.

Can we really say "targeted surveillance as a service" isn't already a booming business though? Camera feeds and device breadcrumbs from wireless devices incl. iphone & android, watches, headphones, vehicle toll tags, etc. are aggregated from every big name store, street camera, doorbell camera, etc. and processed by handful of companies that aggregate facial and location data for marketing and trend analysis. Police subscribe to these same services to track people, or get access through warrants if subscription isn't an option.

News articles talking about the massive aggregation of data come up every now and then, but I don't think the general public understands it well enough to be angry let alone scared. They may not have a name to a face, but guaranteed if you've been in a public place in the past few years, there's a record somewhere that you were there.

What may be more frightening is that it's untargeted

The UK has cameras on every block that are staffed by a person watching them. I'm not usually a betting man, but I'd bet they're going to toss this job to software one day and every other nation that lags behind them as a surveillance or nanny state will attempt to follow suit.
No we don’t. 80% of the cameras out there in your statistic don’t actually exist. From what remains, 25% are dummies, 25% don’t work, 25% are potato quality and what remains are staffed by people who aren’t even paying attention.

It’s a typical British implementation of surveillance. The only winners are CCTV installers.

"every block" was a bit of hyperbole, but any American would be shocked at this visibility and acceptance of these kind of cameras. You can argue that the quality makes them ineffective right now but that can be iterated on, especially as cost is reduced. I don't think it's an unreasonable thing to express a good deal of concern over.
> "targeted surveillance as a service"

Is it just a commercial service in the first place? Or a deniability cover for Israeli spy agencies?

Remember, every pegasos hit was cleared by Israeli cabinet as a "weapon export"

  One possible way to force a bit of scrutiny upon NSO group would be to crowdfund an Pegasus subscription and use it against Netanyahu.
I think it's naive to think this has any chance to succeed. This company is in a close relationship with israeli intelligence. As close as imaginable imho. Every target is vetted. The "surveillance as a service" thing is only marketing. It's just a private intelligence agency hacking people for profit without any ethics.
This looks like a shocking news, but there are probably hundreds of countries that are trying to tap on the French and other presidents.

This is just the moroccan gov that is too incompetent to do it by themselves but have to use a third party consulting firm for the job.

And so, there will be no consequence, because all the other governments know very well that they are dirty too, so there will just be a few soft offense word and then trying to have the population forget as fast as possible...

> This looks like a shocking news

It _is_ shocking news: the Israelis are selling munitions to the Moroccan government explicitly for use against the French state.

Is it more shocking news than the market places that offer exploits to Russia and China that are used as munitions against the US?
Israel is notionally one of US’ top allies, Russia and China are adversaries.
Yes, Russia and China are openly hostile to the US and to the world order in general.
So, who stands behind the hack? Scary Russians?
There wasn't necessarily a hack, I don't think how the information leaked has been shared.
Interesting that in one recent article NSO claimed they had no control or information about who their customers targeted with their software and in this article they insist Macron was definitely not a target of any of their customers...
It's a typical PR strategy for damage control to only admit what you can not longer plausibly deny.
If Macron is involved then the shenanigan is definitely for a good cause.

The trampling of our rights is a small price to pay for safety from the covid demon.

Not only Macron, but also Charles Michel of the EU. By the same Morrocan government.

> Charles Michel, the president of the European Council, who appears to have been chosen as a person of interest by Morocco in 2019, when he was prime minister of Belgium.

The French have a pretty dirty history of spying on "friendly allies", too, including European competitors to Airbus/Dassault.
Interesting, you have a source on that please ?
Seems the gun is not quite smoking for both... Tittle of the first paper : "French plane constructor Airbus in spying probe"

Airbus is not a French Company, it's a European company. France and Germany States hold each 11% of the shares, while Spain as about 4%. So that is less than 30% in States ownership shares. The rest is privately owned free float. True the main production line and headquarters are in Toulouse, France, but that doesn't make it a "French Company". It's as much German than French, with some Spanish too... Tittle is completely misleading and incorrect.

Other paper is behind a paywall for me.

(comment deleted)
This is like the biggest non issue ever. If governments did not what this type of thing to happen just make an example of of the ceo/leaders of this company and raise the stakes of all future terrorists. Espionage for hire should be a capitol offense.
This will likely not result in much, EXCEPT for in Morocco. If the King and Prime Minister believe that their own security forces were spying on them, well, that might result in some consequences for them...
Given they’d never admit to it and that the phone number showed up, it’s very likely
Any word yet on where we can see the full list? I have some friends that may qualify and it would be nice to see how close I am to this mess. They should just get on with it and release the data instead of dragging it out for clicks and ad impressions.
Dragging the reporting on this a bit out prevents it from being easily buried under a single (manufactured) 'distraction'[0] news cycle in US media.

Also this gives NSO the opportunity to hang themself with their own rope: have NSO specifically deny allegations from one update, then show the allegations to be true in the next update and thereby revealing the company management to be liars.

[0]https://www.npr.org/2021/07/19/1017844801/biden-administrati...

I would assume the president of a country like France would not use a common Android or iPhone with WhatsApp and I message, dont they have special blackberries like in the US?
The French government has custom made phones by Thales, running neither Android or iOS, for secure, important communications. It's not surprising that the president would still have a personal phone too.
> The French government has custom made phones by Thales, ..., for secure, important communications. Secured ... by Thales?