Insane right? If that statement were true imagine what that must mean, 37 out of "a random selection of" 67 phones infected... (because the statement implies the 67 are a random selection from all phones worldwide).
They have more issues if the statement is true than if it is not!
Think about this reasonably. I've worked with intelligence bodies before and they would never run something like pegasus on a cloud or connected to the internet.
Products like Pegasus are almost always an on-prem enterprise-product it's simply the only model that makes sense security wise. If you were a client of NSO would you trust them to not look at the data?
My guess is that the list is from one of NSO's other products or someone trying to gather business intelligence on NSO - for example: location tracking, check when user is online etc - anything that can reasonably justify the data not being sensitive enough for customers like security agencies to be OK with it being in the cloud.
Consider if any of those dictators would want the US and Israeli governments to have access to whomever they're tapping on.
Putting aside whatever contracts governments have with gun manufacturers, the rest of the market is largely the average person that uses them for sporting or for self-defense. There's not that kind of benign market for Pegasus that the NSO Group can hide behind. The average person wouldn't be using Pegasus (if they could even afford it) to go after drug dealers/pedophiles/etc. Something like Pegasus can really only be used for nefarious purposes. I'm not buying their "People kill people!" argument.
Would you agree, that of the total amount of guns sold, that a tiny percentage are used for mass shootings?
A vanishingly small minority of users hurting society.
Let’s compare that with the list we have. All the users are being spied on illegally. Some leading to deaths.
100% of use is society harming.
Guns are a tool statistically not used often for crime.
NSO’s software on the other hand is used for crime exclusively.
(I do not want to get into a gun debate. I’m only using guns in my example because the GP alluded to mass shootings)
I'm confused how you can paint individual violence in broad strikes and promote government violence as sanctioned? Tyranny happens when governments have a monopoly on force. Vigilantism is necessary when the government is corrupt or inefficient. To look past the need for individual retribution and justice is naive.
I don't even have to search for 2 minutes before I can bring up countless articles about missing children, murders, thefts, and other immoral acts that the police or federal agencies do not care or have enough resources to address. These victims' only recourse is vigilantism. It's easy to sit in an ivory tower of bureaucracy when you haven't been affected by the corruption or incompetence of the nanny state.
In germany, the government has a monopoly on force. Often referred to as “Gewaltmonopol des Staates.” or “Staatsgewalt.”, it’s even laid out in the constitution. https://en.m.wikipedia.org/wiki/Monopoly_on_violence
Which illustrates my point - law has nothing to do with proper morality and ethics. Slavery was once legal. And runaway slaves were criminals. Justice is by and for the people. By all means, for the best outcomes, proper channels are desirable. But right is right, and one should strive to do what is right even when it is illegal.
Without a justice system you don't have justice, you have revenge and militias/mafias.
That doesn't mean that every so called justice system brings justice. Most countries have very broken justice systems that just benefit those in power. Preventing corruption is hard. Individual violence can useful on the path towards a solution, but it is never the solution itself.
> Individual violence can useful on the path towards a solution, but it is never the solution itself.
That's a bold statement to make. When mankind is a space civilization, the speed of light will prevent any kind of universal police force from responding to events in an expedient manner. The limit of expansion is guilds and retribution. Defense is never impenetrable. Only punishment and retribution deter future infringements. If you cannot extend your philosophy to the future of civilization, it is a flawed one.
Alliances are the way pretty much all sci-fi writers have written the climate of that era. And for good reasons. When you don't have the ability for defensive policing, all you have left is deterrence through retribution. And that is either personalized or clan/guild based.
> If you cannot extend your philosophy to the future of civilization, it is a flawed one.
I see this attitude in tech a lot and I think it is incorrect, and very harmful. Systems have emergent properties that only exist at certain scales. The best principles for an FTL civilization spanning the universe are not the best principles for present day, and an appeal to claims of first principles is blind to this.
The same logic applies to arguments over censorship of large social media companies citing counterpoints involving small, niche internet forms with a few dozen users. Or amazon scale superstores vs. a grocery chain. Or large nations comprising a mix of heterogeneous cultures vs. small, uniform island nations.
Don't worry, the trend is changing fast. Pre 2021, i had a lot of friend dismissing violence as a legitimate protection and worker empowerment, now some are buying guns.
Like i said in a previous comment, i personally won't be able to draw a gun on another person, but doing the same as the BPP used to do do have some appeal to me. Walking the door of your company and saying "hi" to your factory manager with a gun on open carry must feel good.
The real worry from these tools is relative power. A man with a knife can kill a few people. A man with a rifle can kill a few dozen people. A man with a few zero days can cripple infrastructure around the country and cause hundreds if not thousands of deaths. Relative power asymmetries are why nuclear, chemical, and biological weapons are banned by international law.
I see their point - I think weapon sales (like Pegasus) should be regulated but blaming the company is kind of silly. It's exactly like blaming Colt for weapon sales.
Should weapon sales be regulated? Sure.
Is NSO regulated by both the Israeli and US government? Sure.
Are those governments doing a good job regulating NSO? No.
Is the poor job of their regulation causing people to get hurt and NSO is complicit? Yes.
The solution in this case is to regulate selling Pegasus as strictly as selling weapons like the F-35 rather than like an AR-15.
the definition of ransomeware tools can be hard imho. There is still an ongoing discussion about what are hacking tools and sometimes wireshark is called as example.
E.g. they describe their tools as:
> develops best-in-class technology to help government agencies detect and prevent a wide-range of local and global threats.
People selling ransomware tools are not legal companies regulated by the Israeli and US government. If NSO didn't pay income tax or wasn't regulated by governments I'd agree.
To be clear: I think the poor job regulating tools like Pegasus by governments is due to their incompetence in regulating this sort of weapon not to gain something.
I also think a lot of this PR is because NSO likes it to get more clients as this sort of PR shows that their tool works - you never hear this sort of PR about their many many competitors in this space (like Verint, HackingTeam etc).
We are enabling them instead of shutting them down which is unfortunate.
Similarly if you were making stealth fighter jets underground and selling them to dictators it'd be more like ransomware.
> To be clear: I think the poor job regulating tools like Pegasus by governments is due to their incompetence in regulating this sort of weapon not to gain something.
What data do you have to back up this belief? Because as the number one customer for these types of tools, it sure doesn’t seem like incompetence to me.
What exactly changed after the Snowden leaks? The US government isn’t in the business of protecting your secrets.
> I see their point - I think weapon sales (like Pegasus) should be regulated but blaming the company is kind of silly. It's exactly like blaming Colt for weapon sales.
It's not entirely the same situation, though.
In the case of Pegasus, NSO don't hand over the tool and that's the end of it. They continue to operate the attack servers on behalf of their clients - they're actively involved in the process.
Colt aren't there handing you each individual bullet, and pretending they can't see your target.
The Colt comparison seems wrong. They don't know their customer do they? It's the gun shop's job to make sure they aren't selling to a crazy person, or ex-con.
NSO know who they're selling to and knowingly sold this software to tyrants that they knew would do bad stuff with it.
There has never been a legitimate application of software of this type since back orifice and sub 7. The only difference is this one is modern and also can be updated to leverage the latest zero day. this type of software should be banned and the company should be dismantled in addition to classifying the software as a weapons sale. In my opinion, it should be classified as a weapon of mass destruction, because it is.
I have seen this software (well, not this software, a military equivalent) save a life in real time so it'd be very hard to convince me.
Quoting an earlier reply from last year:
> When I was in the Israeli army, I personally saw a phone being hacked, info being pulled and the info being used to stop a terrorist attack targeting civilians. I was not involved in the hack (I served in the navy).
> In that particular case (but not the majority of cases) the target of the hack was an Israeli citizen who was practicing terrorism (against the Arab minority). After their info was intercepted they were arrested and the situation was de-escalated.
This is an edge case, and is not a legitimate justification that billions of global users should need to worry about. The right to data privacy and right to free speech is more important than the lives in this scenario. At the permanent cost of inherit human freedoms and rights, you save a few thousand lives within a short time horizon. Over a longer time horizon, that same system that saved thousands of lives will kill millions more, and it will be done in total silence of anyone that dares to speak up and be a dissident.
I was going to interject, but I learned that the American definition of Weapon of Mass Destruction is actually wide, and not limited to what is actually causing mass destruction like an atomic bomb or a biological attack.
> In its criminal complaint against the main suspect of the Boston Marathon bombing of 15 April 2013, the FBI refers to a pressure-cooker improvised bomb as a "weapon of mass destruction."
In this context, classifying it as a WMD could make sense (especially for a ransomware which can disable hospitals and sensitive infrastructure), but I think that using WMD to describe it is really watering down the word : an atomic bomb is creating orders of magnitudes more destruction than a spyware
I agree with you. You would have to find some accurate definition for "What is a democracy?", e.g. look at the freedom of press, freedom of election (E.g. are there any inconsistencies in the last elections), conflicts in a country. Based on a lot of factors you could probably say "This is a democracy" or "This is somewhere between".
But still no good solution.
And criminal would be too far, as such spyware should only be used against extremely serious crimes, e.g. warcrimes or terrorism
Rather the opposite, they should be used only against “small crimes”, since those crimes are universal.
What you call serious crimes are highly political topics. Ones hero is anothers war criminal, and the same guy may be both freedom fighter and terrorist, depending who you ask.
According to Wassenaar arrangement (the loose moral analogue of Geneva convention but regulating the export of dual use weapons) the seller is under obligation to ensure that the buyer uses the weapon in a compliant way. Its a little complicated because Israel is not a direct signatory (but indirectly it is, see my other comment on this thread).
Passing the buck is not an option if one wants to stay with the Wassenaar agreement. But then USA found a way to skirt around Geneva convention too during Iraq war.
This is a pretty reasonable point in my opinion. These are all countries allied with many of our own. Where is the government to government pressure to curb this bad behavior? Why is the private sector expected to be the guardian of civil liberties in other countries and the public sector let off the hook?
I live in India ! and I severely oppose indiscriminate use of this weaponry for political advantage. As far as I recall French judiciary has started investigations.
Shouldn’t you and your fellow voters being holding your government accountable for what it is doing with these tools rather than getting angry with vendors for selling things to your democratically elected government?
That was a rather judgmental, presumptuous and a personal accusation, but why should we be doing only one and not the other, when like minded folks can and in my mind should do both.
Why do you feel the need to defend a company that is in breach of internationally accepted norms of legal behavior with such dual use weapon systems. Anything personal ?
Even if they were straight out weapons and not dual use technology why would I object to an Israeli company selling it to India and EU governments? These nations are allies of my own (USA).
I would be upset if it sold them to North Korea or Iran.
The upsetting bit is the part where they are not living up to the expected obligation that is now the international norm as spelled out in Wassenaar arrangement -- for this category of weapons, its also the producers obligation to monitor usage and see to it that compliance with national and international laws are met.
Apart from that, I wouldnt call it a redeeming quality to ally with governments that spy on its own citizens to hold on to power.
Apart from that, I don't think Iran does anything wrong. Any other country in the same position would very likely be doing the same things for securing their own future. That they aren't in love with a nation that sabotaged their emerging organic democracy, shot down domestic airliner without any apologies forthcoming, is quite understandable. (I understand that this is off topic)
In the same spirit that you told me what I should and should not be doing, may I raise the same to you -- re-examine the moral ground for choosing the governments you ally with. I believe Saudia Arabia is one such, true champions of democracy I suppose, perhaps North Korea too going by your ex-president.
It’s interesting to me that NSO spokesperson says “we don’t have any customer data”, but they also confidently assert they know how many times these hacks are used. I’ve seen the same pattern in other stories. Unfortunately the reporting never goes into how the tech works. I assume there have to be at least some SaaS aspects given what is known about its capabilities, which would mean they have access to a lot more information than they are letting on.
The common way to do this in on-prem deployments is to hard-limit the user to a small amount of hacks (let's say 10).
The more a tool like Pegasus is used the more it's exposed and the bigger the risk companies like Verint (or NSO in this case) of losing their 0-days take.
Another part of this story is that the company completely denies their connection to this "list".
The media thus far has presented very little evidence that this list is actually from NSO Group.
They have provided no information on how this list was obtained and 67 phones (out of 50k) seems like a very small amount of phones (with a 55 percent success rate) to use as a basis for an international story across many major media outlets. These stories only consist of that this or this person is on the "list" (no evidence at all of spyware on their phone).
My theory is that NSO is paying for this PR blitz since companies like NSO need physical sales and now that international travel is back they need a lot of articles that talk about how powerful/dangerous the NSO hacking tools are.
Basically "look at it from a Saudi prince's perspective".
I've seen no PR blitz. I'm honestly just a little skeptical seeing how some stories gained mainstream acceptance over the years without much basis in fact
A spyware company denying their connection to a list that would cause them embarrassment is so unsurprising that we should probably simply ignore it — not a relevant data point.
While I agree "the media" ought to back up their data with sources I think we can agree that data like this is only going to be provided with extraordinary precautions. Therefore I am also unsurprised that the source has not been revealed.
I'm probably more skeptical than the average person (the past so many years has convinced me of that) but if you're going to suggest this list of phone numbers is a plant and part of a conspiracy you ought to at least suggest who would be behind this and why. That "the media" made this up whole cloth strains credibility.
I'm not suggesting we take their word for it at all. I brought this point because some times in the "denial" you see their admittance (which isn't the case here).
It's just a bit weird that media couldnt bother to test more than 67 phones before coming out with this breaking international story.
The media has presented it's evidence and reasoning for why they believe the list of 50k numbers is from NSO. In the original Washington Post article, they link to the methodology used by Amnesty to determine why they concluded it's likely from NSO.
"The media consortium, titled the Pegasus Project, analyzed the list through interviews and forensic analysis of the phones, and by comparing details with previously reported information about NSO. Amnesty’s Security Lab examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration.
For the remaining 30, the tests were inconclusive, in several cases because the phones had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, Androids do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages."
I don't dispute that there is evidence that 67 phones had been targeted with Pegasus software. I am however skeptical of that justifying an international breaking news story that so-and-so is on the "list" without having checked if their phone has been infected.
I assume that getting a new phone would make you a miss unless there was a new request for you to be tracked.
And unless the 67 people who agreed to have their phone examined were terrorists or felons, 37 positives proves the broader point of the story that the software is being abused even if there's some discrepancy with the 50,000 number list.
If there is no NSO master list of numbers targeted and they have no possession of customer data, then how are they also aware of how many numbers their clients target a year?
It is an on prem system. The customer pays per agent deployed. They buy a license for some number (N) of agents. NSO doesn’t know where those N agents are, but it knows that there are N of them.
If you make software that is designed to disable power installations you are telling me you shouldn’t be held responsible when it’s used? The company and all of its employees are complicit in multiple murders and acts of espionage. They all deserve to rot in jail as an example to others
In all this I am thinking about scale, and how many political leaders are using same tool to spy their political opponents?
I am thinking about just a few countries in which governments have discretionary right not do disclose how and where they spending tax money to the public.
Does anyone know's technically how is this tool exactly deployed, in the sense what prevents Chinese intelligence using same tool to spy on US officials?
The US and Israeli governments approve the sales according to news articles I've found: so one thing preventing China from using Pegasus is the US government not green-lighting it.
Additionally: you can count on China already having comparable technology anyway.
I guess once you have a phone it would not be too difficult to do reverse engineering, but I am still confused with level of vulnerability SMS / WhatUp / IMessage what does it mean a link other type "unknown" zero-day !?
It is very odd, on one side governments complaining about other govs are hacking and safty, and at the same time requesting back-doors from tech giants, all the while tech people are saying "crying at loud you cannot have both at the same time", and this is going on for past 20 years ...
Most likely the base/server tool "calls home". i.e. there is a client loaded on the target device, there is a server at the gov agency. The server has number of uses and targets. When the uses are exhausted, it phones home to NSO Group.
This is very much the model for other spyware tools, forensic tools, and phone repair tools.
This would also work well with the objection that they "don't have servers in Cyprus".
It also explain how NSO Group would know how many targets the tool maybe loaded on, but not actually have the list.
That is a line that signatories of the Wassenar arrangement cannot take. Israel is not officially a signatory but their own laws pull-requests the Wassenar arrangement and its amendments.
The agreement legislates what dual-use systems (that is weapons systems that also have civilian use) can countries export and under what legal obligations and conditions.
According to the agreement, producer/seller of dual use weapons systems is under obligation to ensure that the buyer is not abusing the weapon. Break in compliance makes the producer/seller culpable.
I think what this means is that if a country wants they can find legal ways of making Israel culpable. Realistically though, I doubt USA will let that happen.
Not under normal export control laws that legislate the sale of dual purpose weaponry. As per Wassenaar arrangement the producer is liable for abuse by the buyer. Its the sellers obligation to monitor that it is being used according to all applicable national and international laws.
Yeah that might apply to things where the use is mostly legitimate like a car but not so much when the thing you are making is by design used for espionage. These sorts of tools sold only be sold to the country you reside in and you better not be planning any international travel
I really wish the public narrative concerning spyware would shift to something analogous to how we see the state monopoly on violence.
The police are a necessary institution that needs oversight and criticism to ensure that the dignity and rights of the population are preserved as much as possible. To that end, we don't hand over the role to private militia that has sparse regulation and no accountability.
NSO Group are the private police with sparse regulation and no accountability of the spyware world. They don't simply sell the means to an end, they operate and deploy those means on behalf of customers.
Just as we shouldn't accept police hiring private forces to kick down doors to check in on suspects, we shouldn't accept the contracting of services from NSO Group.
If I were Apple, I'd try to arbitrage these exploits by getting somebody on the inside to find out where the attack vectors are. I blame the companies for being exploitable.
They operate the infrastructure. For me it's clear a SaaS (spyware as a service (TM))
But to avoid the whataboutism, the flip side of the coin is that NSO democratize the access to those tools, normally restricted to just a small group of countries.
> So there should not be a list like this at all anywhere.
No there really shouldn't and yet there is, this is why every one is pissed at you NSO.
> You know, if a customer decides to misuse the system, he will not be a customer anymore.
If NSO has no access to customer data how do they know if their customers misuse the system? If they did find evidence of their customers misusing the system what stops them just ignoring it as a coincidence while putting out the pr message "We must hold ourselves to a higher standard"
Drug dealers: blame our customers not us for selling drugs
No one will ever accept this kind of argument from a drug dealer, but yet they happily admit this kind of argument from this and other countless companies that business practices go against the public interest.
Uh, plenty of people accept this argument, it’s part of the idea of the movement behind legalizing all/most drugs.
Look at marijuana, the drug dealer is now a business, and very few people are mad at dispensaries for selling pot.
In the end, if it wasn’t them, it would be someone else. If governments weren’t buying spyware from NSO, they would be making it themselves or finding another group who builds exploits.
That's just not true.
They say the list is fake. The proofs are false. That they can't have 50ĸ targets. And that all clients sign to only track terrorists, and will lose much if not.
Sounds like how Amesys tried to defend itself in french public media a decade ago when the arab spring surveillance contracts were made public: "We make software that catches terrorists and pedophiles" was the slogan back then.
110 comments
[ 4.7 ms ] story [ 204 ms ] thread"Spyware doesn't spy on you. [Other] People spy on you."
Guns are a much better analogy than cars.
They have more issues if the statement is true than if it is not!
Products like Pegasus are almost always an on-prem enterprise-product it's simply the only model that makes sense security wise. If you were a client of NSO would you trust them to not look at the data?
My guess is that the list is from one of NSO's other products or someone trying to gather business intelligence on NSO - for example: location tracking, check when user is online etc - anything that can reasonably justify the data not being sensitive enough for customers like security agencies to be OK with it being in the cloud.
Consider if any of those dictators would want the US and Israeli governments to have access to whomever they're tapping on.
That's why they don't buy from the US or Israeli government: they buy from NSO who are a bunch of crooks.
Intel agencies use the cloud extensively for all sorts of use cases. This is 100% fact. Google “Amazon C2E”
Has anyone successfully used your software to drive their kids to school?
Has anyone successfully used your software to kill an enemy?
I'm with the guns analogy, probably closer to illicit arms dealer in NSO's case.
Let’s compare that with the list we have. All the users are being spied on illegally. Some leading to deaths. 100% of use is society harming.
Guns are a tool statistically not used often for crime.
NSO’s software on the other hand is used for crime exclusively.
(I do not want to get into a gun debate. I’m only using guns in my example because the GP alluded to mass shootings)
Vigilante justice certainly wouldn't be a benign market, even if someone did that with Pegasus (or guns)
I don't even have to search for 2 minutes before I can bring up countless articles about missing children, murders, thefts, and other immoral acts that the police or federal agencies do not care or have enough resources to address. These victims' only recourse is vigilantism. It's easy to sit in an ivory tower of bureaucracy when you haven't been affected by the corruption or incompetence of the nanny state.
Read this for size: https://www.nytimes.com/2020/12/13/world/americas/miriam-rod...
Necessary but insufficient condition.
Tyranny happens when ... tyranny happens.
[ EDIT: actually, it's not even a necessary condition. Plenty of tyranny has occured even when non-government actors have recourse to use force ]
That doesn't mean that every so called justice system brings justice. Most countries have very broken justice systems that just benefit those in power. Preventing corruption is hard. Individual violence can useful on the path towards a solution, but it is never the solution itself.
That's a bold statement to make. When mankind is a space civilization, the speed of light will prevent any kind of universal police force from responding to events in an expedient manner. The limit of expansion is guilds and retribution. Defense is never impenetrable. Only punishment and retribution deter future infringements. If you cannot extend your philosophy to the future of civilization, it is a flawed one.
Alliances are the way pretty much all sci-fi writers have written the climate of that era. And for good reasons. When you don't have the ability for defensive policing, all you have left is deterrence through retribution. And that is either personalized or clan/guild based.
I see this attitude in tech a lot and I think it is incorrect, and very harmful. Systems have emergent properties that only exist at certain scales. The best principles for an FTL civilization spanning the universe are not the best principles for present day, and an appeal to claims of first principles is blind to this.
The same logic applies to arguments over censorship of large social media companies citing counterpoints involving small, niche internet forms with a few dozen users. Or amazon scale superstores vs. a grocery chain. Or large nations comprising a mix of heterogeneous cultures vs. small, uniform island nations.
That is, the right and legitimacy of that right, is restricted to the state.
Absent this, one of three conditions exist;
1. There is no monopoly. In which case violence is widespread, and there is no state.
2. There is no legitimacy. In which case violence is capricious. This is your condition of tyranny (unaccountable power).
3. Some non-state power or agent assumes the monopoly on legitimate violence. In which case it becomes, by definition the State.
The state's claim is to legitimacy. A capricious exercise would be an abrogation of legitimacy
The flower children have returned apparently.
Like i said in a previous comment, i personally won't be able to draw a gun on another person, but doing the same as the BPP used to do do have some appeal to me. Walking the door of your company and saying "hi" to your factory manager with a gun on open carry must feel good.
the idea that we can scatter tools of enormous power around and just not worry about it is crazy
Should weapon sales be regulated? Sure. Is NSO regulated by both the Israeli and US government? Sure.
Are those governments doing a good job regulating NSO? No.
Is the poor job of their regulation causing people to get hurt and NSO is complicit? Yes.
The solution in this case is to regulate selling Pegasus as strictly as selling weapons like the F-35 rather than like an AR-15.
E.g. they describe their tools as:
> develops best-in-class technology to help government agencies detect and prevent a wide-range of local and global threats.
To be clear: I think the poor job regulating tools like Pegasus by governments is due to their incompetence in regulating this sort of weapon not to gain something.
I also think a lot of this PR is because NSO likes it to get more clients as this sort of PR shows that their tool works - you never hear this sort of PR about their many many competitors in this space (like Verint, HackingTeam etc).
We are enabling them instead of shutting them down which is unfortunate.
Similarly if you were making stealth fighter jets underground and selling them to dictators it'd be more like ransomware.
What data do you have to back up this belief? Because as the number one customer for these types of tools, it sure doesn’t seem like incompetence to me.
What exactly changed after the Snowden leaks? The US government isn’t in the business of protecting your secrets.
It's not entirely the same situation, though.
In the case of Pegasus, NSO don't hand over the tool and that's the end of it. They continue to operate the attack servers on behalf of their clients - they're actively involved in the process.
Colt aren't there handing you each individual bullet, and pretending they can't see your target.
NSO know who they're selling to and knowingly sold this software to tyrants that they knew would do bad stuff with it.
“Man with Hunting Rifle Foils Attempted Mass Shooting at Apartment Complex” https://www.5newsonline.com/article/news/local/fort-smith-po...
This is exactly the point I was trying to make.
(BTW: Colt sell weapons to dictator armies too)
But I guess (at least in theory) these are for use in military operations, not against civilians and journalists.
Quoting an earlier reply from last year:
> When I was in the Israeli army, I personally saw a phone being hacked, info being pulled and the info being used to stop a terrorist attack targeting civilians. I was not involved in the hack (I served in the navy).
> In that particular case (but not the majority of cases) the target of the hack was an Israeli citizen who was practicing terrorism (against the Arab minority). After their info was intercepted they were arrested and the situation was de-escalated.
> In its criminal complaint against the main suspect of the Boston Marathon bombing of 15 April 2013, the FBI refers to a pressure-cooker improvised bomb as a "weapon of mass destruction."
In this context, classifying it as a WMD could make sense (especially for a ransomware which can disable hospitals and sensitive infrastructure), but I think that using WMD to describe it is really watering down the word : an atomic bomb is creating orders of magnitudes more destruction than a spyware
But still no good solution.
And criminal would be too far, as such spyware should only be used against extremely serious crimes, e.g. warcrimes or terrorism
What you call serious crimes are highly political topics. Ones hero is anothers war criminal, and the same guy may be both freedom fighter and terrorist, depending who you ask.
https://en.wikipedia.org/wiki/Wassenaar_Arrangement#2013_ame...
Passing the buck is not an option if one wants to stay with the Wassenaar agreement. But then USA found a way to skirt around Geneva convention too during Iraq war.
https://en.wikipedia.org/wiki/Wassenaar_Arrangement#2013_ame...
Why do you feel the need to defend a company that is in breach of internationally accepted norms of legal behavior with such dual use weapon systems. Anything personal ?
I would be upset if it sold them to North Korea or Iran.
Apart from that, I wouldnt call it a redeeming quality to ally with governments that spy on its own citizens to hold on to power.
Apart from that, I don't think Iran does anything wrong. Any other country in the same position would very likely be doing the same things for securing their own future. That they aren't in love with a nation that sabotaged their emerging organic democracy, shot down domestic airliner without any apologies forthcoming, is quite understandable. (I understand that this is off topic)
In the same spirit that you told me what I should and should not be doing, may I raise the same to you -- re-examine the moral ground for choosing the governments you ally with. I believe Saudia Arabia is one such, true champions of democracy I suppose, perhaps North Korea too going by your ex-president.
The more a tool like Pegasus is used the more it's exposed and the bigger the risk companies like Verint (or NSO in this case) of losing their 0-days take.
The media thus far has presented very little evidence that this list is actually from NSO Group.
They have provided no information on how this list was obtained and 67 phones (out of 50k) seems like a very small amount of phones (with a 55 percent success rate) to use as a basis for an international story across many major media outlets. These stories only consist of that this or this person is on the "list" (no evidence at all of spyware on their phone).
Basically "look at it from a Saudi prince's perspective".
While I agree "the media" ought to back up their data with sources I think we can agree that data like this is only going to be provided with extraordinary precautions. Therefore I am also unsurprised that the source has not been revealed.
I'm probably more skeptical than the average person (the past so many years has convinced me of that) but if you're going to suggest this list of phone numbers is a plant and part of a conspiracy you ought to at least suggest who would be behind this and why. That "the media" made this up whole cloth strains credibility.
It's just a bit weird that media couldnt bother to test more than 67 phones before coming out with this breaking international story.
https://www.washingtonpost.com/investigations/interactive/20...
https://www.amnesty.org/en/latest/research/2021/07/forensic-...
From the Washington Post article:
"The media consortium, titled the Pegasus Project, analyzed the list through interviews and forensic analysis of the phones, and by comparing details with previously reported information about NSO. Amnesty’s Security Lab examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration.
For the remaining 30, the tests were inconclusive, in several cases because the phones had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, Androids do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages."
I assume that getting a new phone would make you a miss unless there was a new request for you to be tracked.
And unless the 67 people who agreed to have their phone examined were terrorists or felons, 37 positives proves the broader point of the story that the software is being abused even if there's some discrepancy with the 50,000 number list.
No? This has nothing to do with my post about how their denial of having customer data includes them saying they have customer data.
Does anyone know's technically how is this tool exactly deployed, in the sense what prevents Chinese intelligence using same tool to spy on US officials?
Additionally: you can count on China already having comparable technology anyway.
It is very odd, on one side governments complaining about other govs are hacking and safty, and at the same time requesting back-doors from tech giants, all the while tech people are saying "crying at loud you cannot have both at the same time", and this is going on for past 20 years ...
Link to this news article, please.
This is very much the model for other spyware tools, forensic tools, and phone repair tools.
This would also work well with the objection that they "don't have servers in Cyprus".
It also explain how NSO Group would know how many targets the tool maybe loaded on, but not actually have the list.
The agreement legislates what dual-use systems (that is weapons systems that also have civilian use) can countries export and under what legal obligations and conditions.
According to the agreement, producer/seller of dual use weapons systems is under obligation to ensure that the buyer is not abusing the weapon. Break in compliance makes the producer/seller culpable.
I think what this means is that if a country wants they can find legal ways of making Israel culpable. Realistically though, I doubt USA will let that happen.
> It could be "a coincidence", the spokesman said.
I guess it could, but probably not
Pure and simple.
https://en.wikipedia.org/wiki/Wassenaar_Arrangement#2013_ame...
The police are a necessary institution that needs oversight and criticism to ensure that the dignity and rights of the population are preserved as much as possible. To that end, we don't hand over the role to private militia that has sparse regulation and no accountability.
NSO Group are the private police with sparse regulation and no accountability of the spyware world. They don't simply sell the means to an end, they operate and deploy those means on behalf of customers.
Just as we shouldn't accept police hiring private forces to kick down doors to check in on suspects, we shouldn't accept the contracting of services from NSO Group.
They don't simply develop the malware and give it to customers to deploy, they operate and deploy their spyware on behalf of those customers as well.
But to avoid the whataboutism, the flip side of the coin is that NSO democratize the access to those tools, normally restricted to just a small group of countries.
No there really shouldn't and yet there is, this is why every one is pissed at you NSO.
> You know, if a customer decides to misuse the system, he will not be a customer anymore.
If NSO has no access to customer data how do they know if their customers misuse the system? If they did find evidence of their customers misusing the system what stops them just ignoring it as a coincidence while putting out the pr message "We must hold ourselves to a higher standard"
No one will ever accept this kind of argument from a drug dealer, but yet they happily admit this kind of argument from this and other countless companies that business practices go against the public interest.
Anyone can tell me why?
Look at marijuana, the drug dealer is now a business, and very few people are mad at dispensaries for selling pot.
In the end, if it wasn’t them, it would be someone else. If governments weren’t buying spyware from NSO, they would be making it themselves or finding another group who builds exploits.