203 comments

[ 4.0 ms ] story [ 208 ms ] thread
Does this kill NSO? It seems like they might be too big and interconnected to be able to reasonably survive this.
From the article:

> NSO and a smaller Tel Aviv-based company, Candiru, were among four companies added by the US commerce department on Wednesday to its so-called entity list, which would restrict exports of US technology to the companies.

From https://www.commerce.gov/news/press-releases/2021/11/commerc...

> The Entity List is a tool utilized by BIS to restrict the export, reexport, and in-country transfer of items subject to the EAR to persons (individuals, organizations, companies) reasonably believed to be involved, have been involved, or pose a significant risk of being or becoming involved, in activities contrary to the national security or foreign policy interests of the United States. For the four entities added to the Entity List in this final rule, BIS imposes a license requirement that applies to all items subject to the EAR. In addition, no license exceptions are available for exports, reexports, or transfers (in-country) to the entities being added to the Entity List in this rule. BIS imposes a license review policy of a presumption of denial for these entities.

General Entity List descriptions are available at https://www.bis.doc.gov/index.php/policy-guidance/lists-of-p...

It seems like it mostly restricts them from using US made tech and punishes US companies that supply them.

> It seems like it mostly restricts them from using US made tech and punishes US companies that supply them.

It’s also not super easy to find banks willing to work with companies publicly blacklisted by the US government.

I got down the rabbit hole (20 open tabs at 1AM local time, you know) and it seems most of the 'normal' software like Operating Systems & Devtools are classified as 'mass market' and are subject only to 'Anti-Terrorism enforcement', meaning you cannot sell them only to Iran and couple other countries.

Meaning NSO Group could not buy tech to build nuclear warheads in their backyard, but otherwise they are good to use any 'usual' US-made software.

Other commenters say it is significantly harder for companies in that list to banks because of that list. Is that true?

Of course not. They liquidate and form another company under assumed aliases.
(comment deleted)
The favorite game of North Koreans. Doesn't work well though.
Yeaah, good luck hiring top talent like this.
If this were not just an utterly meaningless exercise, every single person that has ever worked at or with the NSO group should be blacklisted and untouchable to send an actual signal and make the consequences of participating in such activities actually meaningful and consequential.
This has some meaningful consequences. It makes NSO and any money that has touched NSO poisonous. It's not illegal to touch, but few banks will want to work with you.

If you're an employee receiving salary payments from NSO, expect your bank to be unhappy with you.

I think you might be mixing up trade imbargo with a sanction.
Of course not, I'm simply pointing out that this certainly places you in the "super high risk" category as far as any KYC procedures go.
Perhaps confusing it with the OFAC list, which is directly about banking and blocking transactions for named entities and individuals.
Not confusing with the OFAC list. Being on any list makes you a toxic customer.

Yes, there are other designations which would carry even worse repercussions.

> I think you might be mixing up trade imbargo with a sanction

Being employed, or even having been employed, by an entity on the BIS's Entity List will make doing business in U.S. and in U.S. dollars expensive and tedious. At the very least, you will impose ongoing additional costs for every financial institution you interact with.

That isn't what the Entity List does. See https://www.bis.doc.gov/index.php/policy-guidance/lists-of-p...
Does this mean you can still work with them, you just require a license first?
(comment deleted)
This is very much what the entity list does in practice. Any company listed on the entity list is an incredibly high risk client.

Just like a NYT article accusing you of being a terrorist does not carry any official repercussions, it will certainly ruin your banking relationships.

I don't know enough about this topic, can you show any evidence of this? Maybe through a bank's policy docs or something along those lines?
I can't show evidence, but I don't have to because this is incredibly obvious to anyone with basic banking experience.

FWIW It is practically illegal for banks to discuss their AML/KYC practices, nobody is going to go into detail about this.

It's a very well-understood aspect of the financial industry that banks use a combination of in-house departments and outside providers to perform background research on their clients. The depth and breadth of this research depends on the size of the financial relationship. Things like searching for domestic and foreign news articles that mention the client, and particularly flagging any that indicate a suspect business history or suspect relationships, is basically a minimum requirement for a significant client under today's AML/KYC framework. It's almost explicitly required since there are regulatory requirements pertaining to politically exposed persons (PEPs), and the standards for identification of PEPs directly relate to public profile. i.e. if you are frequently mentioned in the newspaper, even purely positively, a bank is going to have to perform additional diligence.

Since checking all manner of sanction, exclusion, risk, etc. lists published by the government is trivially automatable it is basically a minimum standard, and even the simplest KYC systems are going to flag customers that appear on any of these. For more significant clients additional databases and analyst resources will be used that are likely to uncover a relationship with such entities, especially a simple and easy to check one like prior employment.

This is a world with few black and white rules, and banks are mostly not outright prohibited from providing services to high-risk customers. But higher and higher levels of approval will be required, and the bank will have to go into the situation knowing that they will incur extra costs in terms of analyst time, compliance work, and ultimately liability of potentially huge amounts of money. It will be difficult, although maybe not impossible, to convince a bank to work with you. Everything will end up costing you more. You will have to be very cautious because banks will sometimes change their risk evaluations and decide to terminate the relationship, and you will have to figure out how to start your banking relationship over somewhere else.

While all of this is required under various laws (federally things like the BSA, PATRIOT act, etc), statutes are intentionally vague about the requirements both because banks are encouraged (and pretty much required) to perform internal research and development to improve their AML/KYC methods, and because the system operates in part on secrecy - bank clients need to not know how AML/KYC analysis works in much detail or they may find a way to structure around it. Banks also share information with each other and with governments, much of which is done under strict confidentiality agreements for several different reasons.

Banks that get this wrong can lose hundreds of millions and occasionally even billions of dollars, so there's a lot of hesitance to take on risk. It's also generally perceived that enforcement is becoming more aggressive over time, not less.

McKinsey has a rather generalist and reader friendly take on it that won't break any laws: If you look at their Exhibit 1, "Sanctions" is clearly a contributor to high risk in AML/CFT models. As your link showed, the Entity List is one of the first sanctions list created with CFT in mind.

Source: https://www.mckinsey.com/business-functions/risk-and-resilie...

It means, among other things, that no US company or person can sell them technology or offer technical services under threat of significant penalty. How is that meaningless?
Companies can be disbanded and reformed. The people in charge can distance themselves from the "failed" attempt and make a new, nonblacklisted one. That's why punishment and blacklisting has to extend to decision-makers, rather then flimsy symbolic entities.
In this hypothetical, creating a new entity seems like a fair bit of work, but adding the new entity to the list so it faces the same controls is trivial. What am I missing?

I certainly wouldn't send technology subject to export control to anyone I knew to be a part of NSO Group or any successor.

If this was done as a reaction to changing public opinion and not genuine concern, then it will be a while before public opinion catches up with the new entity.
I doubt the people at the US Treasury would be blind to such an obvious maneuver. Not matter what the public opinion says I think they won't let NSO try and evade their blacklist.
> Companies can be disbanded and reformed

This is the U.S. Treasury. The concerns you're worried about have been contemplated.

Exactly. Which means that it's intentional to leave this relatively meaningless, more posturing and a slap on the wrist instead of an actual punishment for the people involved.

If they really wanted to stop this kind of activity, they'd sanction the individuals involved. This would deter others from forming a successor - would you accept an extremely well paid job if there was a risk that the US will put you on its official international shitlist for that?

> it's intentional to leave this relatively meaningless

That's not how the Entity or SDN lists work. Every individual ever employed by NSO Group is going to start having difficulties with their bank and securities accounts starting today. Affiliation with a blacklisted entity moves you from "person who does not generate hits on OFAC" to "person who does." For many institutions, that's a dealbreaker.

You can't get around a blacklist by shutting down shop and re-starting under a new name. These are old, battle-hardened tools originally designed to go after state actors. The loopholes have been thoroughly explored.

Furthermore this means that US police departments and intelligence agencies will be banned from purchasing and deploying NSO spying tools to attack their own citizens.
That probably just means that they don't need these tools (because they helped develop them or have something much better/scarier already). These types of laws/export bans only exist because the security community allows it.
Trade protection?
The programmers who i've read about getting hit with penalties as a consequence of working with companies such as NSO or with governments such as the UAE seem to be exposing a significant gap in the US' treatment of their most prized minds.

The NSA and other government agencies seem to not be attractive from the point of view of a great place to work and the money to be made in the private sector in the US alone is thin. . . economic forces dictate that supply will meet demand especially when the demand is rich middle eastern wealth.

There is no obvious "red team" or similar career for these people in the US to help defend the nations systems for a fee. All government contracts for cybersecurity go out in tenders that prioritize entities that can navigate the complex logistics of filing a response with the Government and working their way.

That's the biggest concern for me seeing this pattern emerge. On the specific entity here, the NSO group being blacklisted, that will change little. There is a systemic risk of us continuing to lose great talent to more attractive ventures.

These are the same people (ex 8200 - Israeli NSA) who sell security startups for 9 figures within a year of opening them. Then the next year open another one

The same people are playing both sides

It's not like the government doesn't purchase private sector cyber security. It's just 1 group of very smart people doing all the work for both sides

I'm not speaking about the founders. I should have been more specific. The talent in the NSA that leaves and ends up working for the UAE, as an example[1]

[1]https://darknetdiaries.com/episode/47/

(comment deleted)
Episode 100 of darknetdiaries is devoted to NSO and talks about usage of Pegasus in Mexico and other countries https://darknetdiaries.com/episode/100/

I think there might have been pressure on NSO as part of trial of Google|Fb.. against them. https://www.theverge.com/2020/12/22/22194930/microsoft-googl...

Okay, let me repeat. I’m not speaking about NSOs founders or the org. The concern I’m highlighting is that we’re not treating our most brilliant minds with the care that keeps them happy here.

That is the link to episode 47 of dark net diaries.

I guess Hacker News has devolved into a place of talking over each other and downvotes.

I wouldn't say that being the most morally bankrupt (actively working on the attack on journalists, critics and minorities) automatically qualifies someone as a "most prized mind", it's not like they are developing all of those zero days inhouse, they buy them for the most part.

It seems to me like you are overestimating the skills of people that just don't have any moral barrier while underestimating the skills of many proper security researchers. Companies like NSO are most of the time able to do what they do because they shake the right hands and get the right support (or the right people to look the other way), not because they have some special people that you can't find anywhere else.

I'd recommend listening to episode 47 of the Darknet diaries and see if you still hold those beliefs that these people are indeed morally bankrupt https://darknetdiaries.com/episode/47/

The thing with this line of work is that one mans ethics becomes another mans sin. The tl;dr of that episode is that some of these people were led on to believe they were actually targeting criminals and terrorists. It later became clear that was not the case.

The road to hell is paved with good intentions and all that. It would surprise you that even the most noble of pursuits in engineering have very cruel applications in war.

I'm not particularly bothered by losing access to the kind of 'prized mind' who sees no problem with creating tools to enforce a totalitarian state.

I find it logically untenable that a 'prized mind' would not be completely aware of the types of things they were building and the intended usage thereof. If they aren't smart enough to figure it out, then we're not losing access to some particular genius. If they are smart enough to figure it out and continue to contribute to the work they have become complicit at best, and likely are an amoral psychopath.

Controversial statement but this reminds me of Jews as moneylenders. Government lets them do an unpopular thing the benefits it, and if anyone throws a stink they throw them out and wash their hands and act like they were shocked. This seems like the government outsourcing controversial activities to Israel.
huh, that sounds like the nazis saying the jews were the rich ones taking advantage of everyone.
Historically in Germany kings would use Jews for their business skills and when they needed money they’d kill/banish them and steal their accumulations. Nazis just perpetuated that cycle but instead made it more racist and eugenics based rather than pragmatic as their ancestors did. They did not understand the cycle of history.
As I doubt the US needed the recent stories to know what the NSO Group was up to, this will cause similar groups to treat any potential leak source with even more hostility. The US is making it clear that targeting dissidents, journalists or activists is fine but getting caught is a problem.
> The US is making it clear that targeting dissidents, journalists or activists is fine but getting caught is a problem.

What's that saying? "Better late than never."? Or how about "Never let perfect be the enemy of good."?

Obviously the US intelligence agencies knew about this well before the public did... and while I'm not quite ready to put this all on the goodwill of the Biden administration, it's also a reminder that civilian leadership changes do effect change, despite all the "Deep State" nonsense going on these days.

You can always count on the Americans to do the right thing, after they've exhausted all other options.
What about everyone else, goody two shoes?
The snark is unwarranted. The US has far more political, economic, and military power than any other country. Stands to reason that more is expected from them especially when "morality", "freedom", "rights", "doing the right thing" etc. seem to be the publicly stated cornerstones of most US initiatives. Do you think Denmark putting something on a blacklist will have anywhere near the same effect?

Also your question is rarely asked when the US is doing something... questionable but certainly to their advantage when the rest of the world didn't do. It seems unfair to bring up the "whatabout" argument only when you feel insulted especially since it's not a strong defense to begin with, it's even weaker in this particular case.

If you can do the right thing but decide to put your morals to sleep for as long as it's advantageous to you, then any positive spin (like protecting "the rules-based international order") is just a spin.

America prosecutes American hackers who hack foreign nationals. This already gives them the moral high ground over their peers. See: Russian ransomware gangs that are de facto state sponsored. Cyberspace is a new frontier that wasn't built to conform to your sense of right and wrong.

>questionable but certainly to their advantage when the rest of the world didn't do

They would if they could.

>America prosecutes American hackers who hack foreign nationals

America prosecutes the NSA? :-D

I'm not sure what point you're trying to make. Was this supposed to be a funny joke?
You're being intentionally obtuse. The only country which actively spies on pretty much everyone in the world is the US, via the NSA. And the NSA is the very definition of "state sponsored". In effect the US is running the largest state sponsored hacking programme that the world has ever seen. So who did the US prosecute for that?

> America prosecutes American hackers who hack foreign nationals

To this day the only person connected to US state sponsored hacking who was prosecuted is Edward Snowden, the guy who blew the whistle on said program. That says everything about the situation. The US is hacking everything that can be hacked, then floods western media with reports of Russian, Iranian, Chinese, and North Korean state sponsored hacks.

> They would if they could.

"Solid" defense there. The kind of argument the Mafia would use as a defense, which just happens to be really unprovable.

(comment deleted)
>The only country which actively spies on pretty much everyone in the world is the US

Why are you sure about that? I think Sunburst burned everyone.

There might be a subtle difference here not captured by just labelling all this under the umbrella term "hacking". The American government typically exploits devices for gathering information for authorized espionage, which is something that every country on earth conducts. Russian gangs infect hospitals and water treatment facilities with ransomware. The latter has something we might call "kinetic effects" and is closer to all out cyber war.

We don’t know what the American government does. We know (some of) what it’s done in the past, and thus we can safely assume it’s up to no good.
This is the genetic fallacy, no? Americans are bad, so they must be hacking hospitals even though we can't see it.
Even ignoring the fact that US doesn't need to hack hospitals, they just declare sanctions to prevent given country from receiving medical supplies...

How do we know various attacks come from Russia, and not from US? Mostly because the US says so.

On the subject at hand, Israeli misdeeds in international law, I think the USA has been and continues to be uniquely dedicated to doing the wrong thing at all costs.
Unique compared to? Costa Rica? Ok. Compared to Iran, Russia, China, Turkey, Saudi Arabia, Cuba, etc…
It's telling that you have to pick Iran, Russia, China, Turkey, Saudi Arabia to show that the US is not unique in their actions. Especially since 2 of those countries are close US allies. That's a very interesting bar to set, and very unflattering company.

I mean you're correct, all superpowers will eventually resort to the same tactics to get, maintain, or increase their power, even if some are able to give them that fresh, clean smell. But having those countries as a moral baseline doesn't paint the bright picture you're looking for.

It’s telling but not in the way you think it’s telling.

Anyone who has power wilds it: colonial France, Spain, Japan, etc.

You should also learn when to stop digging, especially when you're in the hole.

Again it's really telling that you had to move to comparing today's US to decades or centuries ago France, Spain, or that country on which you had to drop 2 atomic bombs to get it to stop. Is everything acceptable today because it was done in the past? And if it's not acceptable than what point are you trying to make? That it's abysmal but at least that totalitarian regime is also doing it?

Ted Bundy, John Wayne Gacy, or Jeffrey Dahmer had power and wielded it. But whenever you are desperate enough to make yourself look good by comparing to them you lost the battle before it began.

The NSO Group is clearly being punished for being caught. If you agree that the intelligence knew about this earlier, they could have punished them years ago and prevented basically all the intrusions found in the leaks.

And taking the most favorable view of the Biden administration on this move, "Biden punishes foreign private competitor to US intelligence agencies" wouldn't be a sign of him addressing US intelligence.

Oh thanks for the Biden mention. I was confused by your convoluted yet harsh complaint about the US for this action, but now I see it was more of a partisan thing.
Im sure boom boom would also criticize the last President for failing to do the same thing. Mentioning a government official who belongs to a party doesnt make you a partisan for a different party. That would be a shallow dismissal of his valid point.
The person I was replying to brought up the Biden administration, I personally don't think any president in the last fifty years would have handled this differently.
>>despite all the "Deep State" nonsense

You believe it is nonsense? I figured it was just generally understood that the President is more or less powerless really at this point, This is not new under Trump, hell this really was that way before 9/11 but accelerated ALOT after.

NSA, CIA, FBI, etc do not really answer to elected officials, I am surprised people still believe they do

Life is not binary, just because the president isn’t an absolute monarch doesn’t make him powerless
Life is not binary, just because the president isn’t an absolute monarch doesn’t make him powerless

The USA system was designed to balance powers between the three branches of government.

Turns out there is a fourth branch: Bureaucracy

>Turns out there is a fourth branch: Bureaucracy

yes that is also known as the Deep State, which the grand parent claims is "nonsense"

> yes that is also known as the Deep State, which the grand parent claims is "nonsense"

"Deep State" implies more than acknowledging the bureaucracy. It's the claim that the bureaucracy is unresponsive to, or even controlling over, our elected leaders. (And presumably, the courts, though I don't tend to see that part addressed in common tellings.)

If you don't believe the latter bit, using the term "deep state" unnecessarily tarnishes the credibility of your argument. (Federal bureaucracy is a more neutral term.)

It responds perfectly well to people that understand its knobs. But when you elect a guy who's never been in a government position before, is it really any surprise he can't bend it to his will?

It's like if you pulled someone random off the street and made them CEO of a Fortune 500. Do you think the entire org would just turn on a dime and listen to them? No chance.

There is a bit of unrealistic faith there... even if a president knows how to turn the knobs the bureaucracy has its own beliefs and positions, and can absolutely slow things down to where it is impossible to make the change if the bureaucracy does not agree with the change

So sure it may not be outright insubordination, but the result is the same

They can also use other levers to ensure any they dislike fails, etc....

This is the deep state, where if the bureaucracy does not like a policy they can and do resist it.

Seems like that'd be a good incentive to not align your political axis around educated vs uneducated.

As for simply installing uneducated people in the bureaucracy instead, that's how you end up with the Soviet Union.

I am not sure where educated vs uneducated comes into play here. I know the media seems to play this up and it seems you buy into this narrative.

Also I resist the idea that attaining a degree, any degree, qualifies as "educated" and anyone that has not attained a degree is "uneducated" that type of credentialism leads to all kinds of negative outcomes, and false assumptions. Which is the metric the media uses to label the electorate is "educated" or "uneducated". There are a huge number of people that have high levels of informal education, and there are people that have degree's that one can objectively argue are uneducated by any reasonable measure.

So over all I reject completely on different levels the entire premise of your comment

> just because the president isn’t an absolute monarch doesn’t make him powerless

In fact, the US people specifically don't want and prevent a monarchy, as you say ...

> The USA system was designed to balance powers between the three branches of government.

> Turns out there is a fourth branch: Bureaucracy

Bureaucracy isn't a fourth branch, it's the laws made by prior governments. You don't get to start fresh; you are the steward of an ongoing institution. The American people, through representatives, made laws that define what the executive branch must, can, and cannot do. Bureaucracy is, in a sense, the execution of those laws. A new president may not like those laws, but that's the job - to carry out the will of the people.

ROFL.. that is rich..

No the US Congress in their political cowardliness passes objectives they wish to see, they then empower unconstitutionally the executive branch to create numerous "administrative laws" to achieve those objectives.

The Supreme Court refuses to strike down these vague laws as unconstitutional, which over the decades has grown the bureaucracy exponentially until we have at present what is in effect a 4th branch of government not answerable to any of the 3 official branch, not with out wide reaching reform, and upending of governmental structure.

>>You don't get to start fresh;

This is where the I wish Jefferson would have gotten his way.. "The question Whether one generation of men has a right to bind another, seems never to have been started either on this or our side of the water… (But) between society and society, or generation and generation there is no municipal obligation, no umpire but the law of nature. We seem not to have perceived that, by the law of nature, one generation is to another as one independent nation to another… On similar ground it may be proved that no society can make a perpetual constitution, or even a perpetual law. The earth belongs always to the living generation… Every constitution, then, and every law, naturally expires at the end of 19. years. If it be enforced longer, it is an act of force and not of right." -- Thomas Jefferson...

We should start fresh every 19 years

If mockery was an argument, we wouldn't need any others. It doesn't strengthen reasons, it renders them moot. I wish we could have had a serious discussion and moved things forward a little.
Maybe if you would read beyond the first line of the response we could, but each to their own.
The first line suggests to the reader something about the likely content of the remainder; suggests that if I respond, I will just get more of the same; suggests that the writer is just another person who follows the herd of Internet rhetoric, which doesn't bode well for insight, original thought, and expression; and it doesn't exactly put me in the mood to be open minded about ideas.

Those are just indicators. The rest of the comment could still be great, but I can't read everything.

Sounds like a doge to me. An easy out so you do not have have a real conversation and acknowledge the failings of your stance.
Does that line work for you? Have a good one! Hopefully our next conversation works out better.
Concentrating power in hands of a president is not really a widely shared democratic ideal. In the US the president has exceptional powers compared to almost all other democracies.
I dont believe I said anything about concentrating the power into the hands of the president. If anything the 4th branch was created by the congress, and its continued existence is allowed because the US Supreme Court will not stop the congress from unconstitutionally passing vague goal based laws instead of actual legislation that proscribes exactly what the executive branch is to execute.

Instead they give the executive branch broad "goals" to achieve to be achieve by means and methods to be determined by the unelected administrative state

This unchecked power is also not an democratic ideal.

It's hard to punish people for not getting caught.
As long as attackers are sending their exploits to their targets they're going to have trouble remaining in the shadows. Perhaps if we continue unmasking the attackers they'll think twice about operating so brazenly.
This feels a lot like faux outrage. "How dare they!!! That's our job!!"
There’s every reason to be skeptical of the US government’s use of spyware, but at least it is, notionally, a democracy responsive to its citizens. A for profit company selling to the highest bidder is surely even worse, no?

Like, yeah, I want nuclear weapons to be abolished. But if NSO were selling briefcase nukes to everyone interested, I wouldn’t say, “but what about the SAC?”

Maybe the way to conceive of them is as mercenaries.
I think that's accurate. And historically, there's been more moral opprobrium directed at mercenaries than those who fight for a country.
Who said life's fair?

The fact of the matter is, given the way the world works, you probably don't want to piss off the US Treasury Department.

> Who said life's fair?

Certainly NSO can't complain about being victims of unfairness and government abuse.

> US is making it clear that targeting dissidents, journalists or activists is fine but getting caught is a problem

The U.S. was willing to look the other way when NSO was selling its crap to e.g. the UAE, an American ally.

In my opinion, NSO fucked up twice: first, by selling to America police departments, thereby putting it on one side of a partisan issue. Second, by helping subvert democracy in India, thereby pissing off its allies in State. The first mistake made them persona non grata. The second removed the protection their being Israeli granted.

I wonder if this will make NSO group focus even more on selling to dictatorships and subvert-democracy-groups in India hereafter, and drug lord politicians in Mexico?

Hereafter, why not, they're already blacklisted (in the US) anyway

Not being able to sell to US firms/agencies will greatly reduce their potential revenue. Less money coming in means less money to spend on the black market for exploits, which means less incentive for security researches to sell to NSO.

Edit: I apparently didn't read closely enough

Oh this is much worse than that. They can't (in theory) buy any US software or hardware.

That's essentially everything. Including mainstream x86 and ARM implementations. And Linux. And Windows. and iOS. And most foreign software, since nearly everything includes various libraries, which have Americans writing code for them.

This is the same list Huawei was added to.

> Oh this is much worse than that. They can't (in theory) buy any US software or hardware.

Practically speaking, it also means they and their affiliates will have a difficult time maintaining bank accounts and getting financing.

Yeah, and that's the real enforcement mechanism. No one's going to stop them from walking into a store and buying a copy of Windows (is that even a thing you can do any more regardless?)
Well it's a good thing you can't download software anonymously from any place on the internet. That'll show 'em we're serious by telling them no. /s

toothless is toothless no matter if it is wrapped in state level dressings.

But on the other hand, for anything physical you wish to buy on the internet, it's nearly impossible to be completely anonymous. Or at least a much bigger pain in the ass.
Maybe the employees will need to buy their own laptops etc as freelancers or something, and then they'll get reimbursed
In organizations, that's not how acquisition works - you acquire licenses in bulk, implement a licensing server (or use the vendor's), etc., and like consumers, your license has to be authenticated. Also, much software is hosted now (e.g., Office 365) or has hosted elements, and many licenses are subscriptions. And after all that, acquisition is a minor part of IT. Support, for example, is more critical, and also maintenance, such as patches, upgrades, etc. It does depend on how large the organization is, but even at 10-20 users, you want that kind of scaled up administration.

Implementing IT with no access to US vendors would be a PITA. No Microsoft Windows or Office, no Google Apps, no Red Hat, no Apple .... How could that be done? Will some flavor of Linux suffice? Would it be in compliance with their license?

We're talking about a group of glorified hackers working as an organization. You really think they won't be able to aquire what they need?
> We're talking about a group of glorified hackers working as an organization.

Is that how they are? Seriously, I wonder about their organizational culture. Many security firms are very corporate. Many such firms in Israel come out of their military, which suggests a different culture. Some are a bunch of hackers, but it would be hard to be effective in selling to and retaining large institutional customers, or even running your own organization from day to day. And how large are they?

> You really think they won't be able to aquire what they need?

They expose themselves to lawsuits - they are trying to operate in the legal business domain. And again, acquisition is only a fraction of IT (see the GP).

They probably keep their customers. News like these might even fortify their customer base even more and I could believe that states will say the spying is reprehensible and then buy the full software suite.
I was wondering if the recent falling out with France had something to do with it. Maybe this is a cheap way to earn some points with Macron after NSO was caught potentially? spying on him/his government.
> wondering if the recent falling out with France had something to do with it

Forgot about that. Almost certainly.

I doubt it was an explicit deal. NSO was protected, to a degree, because State didn't want to piss off Israel. (I don't think the IC ever came to bat for them.) But systematically screwing with American allies, democracies at that, and then getting undeniably caught, makes one difficult to defend. The French part not only contributed to this erosion of their defensibility, but may have made throwing them under the bus diplomatically advantageous.

Since when does the US federal government care about democracy?
> Since when does the US federal government care about democracy?

The U.S. government doesn't care about anything. The people who join, make it to and remain at the Foreign Service, the 13,000-odd professionals who make up the bulk of the State Department, tend to care deeply about it. That doesn't trump national interest. And at the end of the day, a political appointee is in charge. But it's a human factor that can tip issues on the knife's edge.

Not just the foreign service, of course.

> The U.S. government doesn't care about anything.

An essential point. Below excerpts a great article that addresses it, by Jeremy Shapiro of the State Department, Brookings, and elsewhere:

http://mideast.foreignpolicy.com/posts/2013/12/05/how_the_us...

People often talk about the government as if it were a human being. It 'thinks,' it 'believes,' and sometimes it even 'knows' -- or 'should know.' Critics frequently demand that the government should understand and learn certain key facts or lessons of history. But of course the government is not an individual. It is rather a vast constellation of people and institutions, and as such it learns information and processes knowledge quite differently than do individuals. Most importantly, government 'knowledge' about foreign policy issues is not learned or deduced. Rather, it is formed through a process of bureaucratic or political compromise between often conflicting theories or goals.

The result is that the government does not think and learn in clear and consistent ways. First, the government often lacks logical consistency. As a collection of people and institutions, the government is much more capable than individuals of holding deeply inconsistent beliefs. If, as F. Scott Fitzgerald said, '[t]he test of a first-rate intelligence is the ability to hold two opposing ideas in mind at the same time and still retain the ability to function,' then the government is a genius. The U.S. government can 'know,' for example, that it is simultaneously both the leading global advocate for Internet freedom and the leading violator of privacy on the Internet.

Second, the government often relies on old information or disproven ideas. Changes in conditions on the ground or new academic insights are less likely to affect government thinking than personnel changes or domestic political developments. The U.S. government can therefore continue to know that nuclear weapons threaten to spread like a virus even if it has continually over-predicted the spread of such weapons.

Third, the government often lacks forward thinking. An important rule of governance holds that once agreement is reached on step one of the policy process, stop arguing over future questions until they are posed. This means even deep divisions over next moves are papered over until they become immediately relevant, often causing inconsistent behavior or long delays to work through internal disputes. Accordingly, the U.S. government can decide to invade Iraq without really discussing whether the goal is democratization or simple regime change.

both the leading global advocate for Internet freedom and the leading violator of privacy on the Internet

Freedom and privacy are orthogonal.

You can have Freedom without privacy.

Why do we keep our ballots private when casting votes? I thought it was to remain free of coercion in the voting process.
People really think this will have an impact? Look at post snowden leaks, on orgs that dissolved and what new orgs popped up around the world (and even some ex-employees, moved from one country to another to the new orgs). I live in a country that's deep into all this, so I am not going to put any names or links here, but search HN historic links a bit and you see them.
Assumed innocence is one of the pillars of the justice estate and public relations. I believe it's a sign of civilisation.

I know that in this case puts the whole thing in a bad light, but still as a principle assumed innocence is worth preserving IMHO.

Then this verdict should come after a trial, and NSO should still have the presumption of innocence. Plus, the NSA should basically just shut down.
How and when has the US made it clear that targeting dissidents, journalists or activists is fine? Can you elaborate on specific incidents?

Isn't this black listing a shot across the bow?

This will impact Title 28. Will it impact Title 50?
Considering how powerful politically Israel is in the US and how seemingly the NSO Group was government-sanctioned, this seems crazy to me.

I would not be silly enough to think this means less unconditional support for Israel in general, though. NSO Group just specifically got too toxic.

Israel is hardly powerful in the US. US foreign policy is overall pretty antisemitic. Israel would own half of Egypt at least if the US didn't drive them out in the Yom Kippur War.
Says whom?

Israelis themselves prided themselves on invading but with every intention to not take Egyptian land. Israelis weren’t driven out, they beat Egypt to show their power and created a good relationship with them. No Israeli I have ever talked to says half of Egypt should have been theirs or the US drove them out, they always make a point they bargain and prefer peace.

I'd like you to define how US policy is "antisemitic". Why are these horrible US antisemites giving Israel military aid and money?

Also, I cannot imagine Israel would want to conduct an occupation of half of Egypt. Look at the difficulty of occupying the Palestinian territories. Look at US occupations recently, and the US has far more resources and Egypt would be far more hostile to Israel than Iraq and Afghanistan were to the US.
I have never heard such crazy ideas before from anyone. Its completely ridiculous, not even the most fringe right wing Yigal Amir supporting Israeli would say what he did.
Very much so, a paradox given millions flying in defence aid to both Egypt, and Israel.

The kind of lobbyists in Washington are not rooting for the secular state of Israel, but pretty much specifically for the orthodox Haradrim, or the kind of Neftali Bennet.

Equally so, Israelis hating Arabs don't preclude them propping up the criminal Saudi state, and a small portion of Saudi elites who hate Turkey.

Israel and Egypt both being top recipients of US aid is part of the peace arrangement. Egypt is by far Israel's strongest neighbor, militarily. No coalition of neighboring states has any chance defeating Israel without them, so the US pays Egypt not to mess around with Israel.
Egypt was defeated by Israel who had no intention of keeping their land, and they have had a better relationship than most other countries in that region for a long time.
OK? The US aid arrangement is also part of the whole thing, though.

[EDIT] Oh damn, when did Jordan rocket up the list of US aid recipients? I gotta start keeping up with geopolitical shenanigans again, I'm clearly behind the times. But yes, the Egypt thing was, if not publicly the case, one of those open-secret things that're taken for granted in poli-sci and policy circles, like "Israel has nukes", or "the US removing MRBMs from Turkey was part of the deal for keeping Soviet nukes out of Cuba". The US pays Egypt not to mess with Israel.

It’s as useful as the money they used in Afghanistan. This isn’t the 70s anymore. Egypt isn’t incentivized to battle Israel, and Israel isn’t incapable of defending itself.
It wasn't incapable then, either. Clearly. But this takes some of the heat off them, and discourages Egypt from permitting—or encouraging—non-conventional anti-israel forces within its borders, or abroad, even as its domestic politics shift (no-one wants to shut off the money hose).
(comment deleted)
And in return for said aid, Israel has become an American puppet and stays about the size of New Jersey without us having to use force. Between sending in troops and paying them, the US decided to pay. Imagine if a bully promised to not beat you up as long as he could pay you a small sum to sit in a corner in a fetal position all day. These politics are a lot more complex than you're making them out to be.
If the US hated Israel it wouldn't have supported its creation, and last I checked the US is paying Israel not the opposite. Your analogy is stupid and pointless. Are you crying in a fetal position all day making analogies out of your own delusional fantasies?
Yes sorry I mistyped, it was early, I meant the bully pays you to sit in the corner, otherwise he beats you up. Sure he's paying you, but it's still clearly coercive.
Israelis don't see the US as a bully. I have never heard of this viewpoint, Israel has settlers, it has borders, and if it chooses to change its borders the US won't be the bully, it will be a battle with the other countries in the middle east. I don't get any of your points, you are complaining about money that Israel takes and how its coersive, so you don't have to take the money?

Trump moved the US embassy to Jersusalem, and the US gives billions of aid to Israel. What is your criteria for "antisemitism"? If accepting the capital of Israel, giving money, military aid, is your definition of antisemetic it dimimishes Nazis activity if you group aid into "bullying" and "antisemitism".

Basically his position, when you strip out the inflammatory rhetoric, is that the US wants to keep Israel weak and dependent on US aid. i.e. Get Israel to make concessions (say returning the Sinai to Egypt), the US covers up for that with aid, but the aid can always be withdrawn (say if Israel dares make the US upset, or if some radical President is elected), leaving Israel dependent, and at risk in the long term.

I don't think that accurately describes US policy anymore, if it ever did. Modern day US administrations have withdrawn from the world, and that means their ME policies are not determined by reality, but by domestic ideologies and domestic political considerations.

Are you Israeli? I read his rhetoric and I have never seen such ridiculous statements made by anyone. They are so disconnected from reality I never seen this kind of belief in my life.
I've read all kinds of absolutely insane rhetoric on I/P (way beyond this), I don't think much would surprise me anymore. That conflict used to generate way more of this type of rhetoric than anything else, but recently other issues seems to have caught up in this department...
Hope the JIDF is paying you well.
>If the US hated Israel it wouldn't have supported its creation

The US did not support Israel past the original vote, rather it tried to push a series of measures that would have been detrimental to Israel. At the time Israel was far more reliant on the USSR.

So it supported its creation just like I stated? What kind of antisemite country supports the creation of Israel? Do non antisemites by that logic not support the creation of Israel?
I never said the US was an antisemitic country? Both that and 'the US unconditionally supports Israel' are myths. The US position is occasionally cynical but consistent and unemotional.

Anyway, the US policy at the time was determined by the State Department which was very anti-Israel for various reasons. Truman overrode them for the US vote, but was too busy with other affairs to set policy afterwards.

My mistake I thought you supported the person that I originally responded to. Is that why they had kibbutz? I know Israel was more communist at the beginning and it even worked for a while, but they ended it. I remember Milton Friedman talking about how he liked Likud in the 60s.
Well, that was the local Socialists' idea of how to implement "a new society", not much to do with the USSR. It couldn't scale for obvious reasons, and their own descendants abandoned this almost entirely.
Aren't Kibbutz still around?
In the technical sense of 'place still existing', yes. In the sense of 'non-capitalist economic arrangements' most have abandoned their former arrangements.
Without US support Israel would have had to deal with the full might of the USSR.
You are either unbelievably uninformed, or you’re purposely spreading nonsense to defend Israel.
I have never heard once of an Israeli who thought Egypt belonged to them after the war. This viewpoint is so foreign from any Israeli I ever spoken to it’s completely new.
> Israel is hardly powerful in the US. US foreign policy is overall pretty antisemitic.

I was speaking more so to this first part of their statement. Someone making this claim is very uninformed on geopolitics.

In 2020, we gave more foreign aid to Egypt + Jordan than we did to Israel[0], for the others that are going to bring up foreign aid.

[0]: https://foreignassistance.gov/cd

You're combining both countries though? Israel was still the largest receiver in the region.
AFAIK, a major reason the US gives aid to Egypt and Jordan is to buy peace for Israel and the Mideast. Certainly if they attacked Israel, that would be the end of the line for those two countries. IIRC, Egypt's aid is tied to the Camp David peace agreement with Israel.
> Israel is hardly powerful in the US.

In the words of a famous ex-tennis player, "You can't be serious, man. You can not be serious!"

I don't know any other country able to influence US domestic and foreign policy more than Israel. Feel free to name one.

> NSO Group just specifically got too toxic

It would never have happened without good Western journalism. Basically NSO was allowed to operate unless they screw up. Which they did with all the scandals, making Israeli look like crooks.

I'd put the attribution mainly on Citizen Lab [1], and they're not what I'd call Western journalism. Without them, there would've been nothing to report on. Ie. they did the technical research, and the funding behind such technical researchers.

[1] https://en.wikipedia.org/wiki/Citizen_Lab

I considered Citizen Lab journalists when they came out with this. Highly-technical investigative journalists, maybe, but they were doing investigative journalism.
There's a dead comment from a throwaway that I mostly disagree with. Except for this last line:

>This seems like the government outsourcing controversial activities to Israel.

It certainly feels that way to me, as well. The US is in a sticky situation. This just feels like a standard burn. You're caught, now you're out. NSO made too much noise and got cut loose. Obviously the NSA and others are going to continue this kind of work.

It makes perfect sense for the US to outsource controversial work to the Israeli military industrial complex, just like it makes perfect sense for fortune 500 corporations to outsource controversial work to mckinsey. Plausible deniability for the party that cares about their image, money for the party that has embraced the destruction of theirs. I guess the US could use domestic contractors instead, but then they'd have to admit the contractors were sanctioned when they don't bring criminal charges.

I'd be much more worried if US government was found to be hacking/assassinating Saudi dissidents, because that would mean the leaders of the US government are completely incompetent. That's not to say it's not happening, just that it would be idiotic for the government to do that themselves when they can use foreign contractors instead.

Yep. Also see: Wuhan lab, and the US ties to it.
Here is the formerly dead comment[1]. I just vouched for it so it is no longer dead. I'm not sure why you would agree with the quoted portion and disagree with the rest. The rest is documented historical fact.[2]

[1] - https://news.ycombinator.com/item?id=29095907

[2] - https://en.wikipedia.org/wiki/Edict_of_Expulsion

'Jews as moneylenders' has a strong religious context I don't see in this story. That's all. Thanks for vouching for the comment.
Jews as moneylenders is a stereotype that originates from history due to both religious and political motivations such as those previously mentioned. I can understand being uneasy with that in a modern context. I have also criticized people on HN before for equating all Jews with Israel or vice versa, but I don't see that happening here. The analogy works if the modern equivalent is any other country because the primary link is the outsourcing of a controversial job and not Jewishness.
Do you think US intelligence agencies were hindered whatsoever by their bad reputation?
Absolutely. Look at the Patriot Act. It took a national crisis to justify that for them.
What did they do after the patriot act that they weren't doing before it?
NSO is a private company which is unrelated to the US intelligence relations with Israel, there’s no outsourcing here and it actually makes more sense NSO causes major headaches to the US (see murder of Khashoggi) than otherwise
(comment deleted)
It seems there is no safe cell phone. They all run closed source software, written in unsafe languages (C and C++) and can be abused by cyber criminals and governments to spy on and track people at will.

Why do we carry these things in our pockets?

And I'm not convinced Signal or any other privacy protecting app is really useful. If we assume all cell phones are owned (or can be at any time) then the criminals own all the private keys on the phones as well.

It's impossible to have private communications with a cell phone.

>It seems there is no safe cell phone. They all run closed source software, written in unsafe languages (C and C++) and can be abused by cyber criminals and governments to spy on and track people at will.

Why should we have any expectation of privacy when we use a cell phone at all? It is triangualating your location 24/7 even if its not a smartphone. When/why did we expect them to be private in any way? How can you expect privacy when your location data is being broadcast and you're carrying a tracking device?

>Why do we carry these things in our pockets?

Its worth it for the tradeoffs.

(comment deleted)
GrapheneOS runs all open source software (no closed source Google code), doesn't phone home to Google, doesn't allow for targeted updates based on IMEI, has strong app memory isolation, and isn't vulnerable to run of the mill NSO zero days. Buy a Mint Mobile SIM card with cash and boom, anonymous phone not tied to your name.
Yet you're connecting to T-mobile towers and having your location tracked 24/7. How is that in any way private?
My phone is in a faraday bag when it gets anywhere close to my home or place of work. Even if you were bulk collecting cell tower data and location data you couldn't identify my phone, it's lost in the noise.
Your disconnects will flag it in the metadata. You don’t think they can identify phones in bulk collection? What evidence is there of that?
>Your disconnects will flag it in the metadata.

This would make too many false positives, for which you'd have to do in person surveillance to verify.

>You don’t think they can identify phones in bulk collection? What evidence is there of that?

It doesn't matter if a cell tower can read your IMEI. It matters if that IMEI can be associated with your real name. Have you seen anyone's location data successfully correlated with a real identity when that location data doesn't include travel to residence or place of work? If you can solve this problem, you can sell it for more money than you could fathom.

You don’t think they can match location data with metadata and figure it out? Circumstantial evidence is easily used to figure it out.
>You don’t think they can match location data with metadata and figure it out?

Automatically, with dragnet surveillance? Not a chance, the search space is too huge. But if you think it's so easy, feel free to try building this and selling it, you would become the next billionaire.

Already made. It’s automatically matched to other databases like apartment records and other public information. Signature electronic radiation leak is easily traceable, probably logged unless you never connect it to any other devices. The delusion you have about being private while having a device that tracks your location has no logic or evidence of privacy. Expecting cell phones using cellular towers for privacy is the equivalent of joining a botnet and saying you’re private if you block the signal occasionally.
Please don't be snarky and assume the weakest possible interpretation of what someone says (I already talked about faraday bags near residences and workplaces). Repeatedly calling another's argument delusional without substantive discussion isn't helpful and it's not what people use HN for.

https://news.ycombinator.com/newsguidelines.html

You say snarky things like build a database, it'll make you a billionare, (which already exists) to track you that you were ignorant about then try to feint innocence and attack my conduct?

There is no snark in facts. You’re connecting to a triangulating system that traces your location and expect privacy if you use some open source android distribution which you assume has zero bugs that others can't exploit and trace you. That is delusional. The device has a signature electronic radiation that is easily identifiable whenever its on, which you ignored as a method of tracing.

There is zero factual evidence that you can be private when using cell phones at all. It is a delusion with no basis. You don’t make any substantive arguments that proves privacy aside from hopeful/delusional assumptions that aren’t sourced or prove any privacy. You think buying a sim card with cash is enough to protect your identity when stores have cameras and your fingerprint is on cash? Where is your evidence that you are private?

> They all [are] written in unsafe languages (C and C++) and can be abused by cyber criminals and governments to spy on and track people at will.

All major OSes (regardless of formfactor) that a consumer uses are written in C.

All languages, including C, are "unsafe" if the standard is that software in said language can be written in an unsafe way. Writing an operating system, firmware, or embedded software is a fundamentally different category of activity from writing some CRUD app (other than unhelpfully sharing terms like "engineering", "language", and "software.") OSes are written in C because the task demands it; the reason that there isn't a Javascript-based kernel isn't an arbitrary one. Perhaps Rust will change the game at some point, however as it stands, it doesn't make any sense to draw a distinction between OSes written in so-called "unsafe" and "safe" languages.

Programming languages won’t stop triangulation. The assumption of privacy is not rooted in any fact. In Japan people can disappear if they want to because of the culture. Privacy is a culture. You can’t use tech as the panacea, because the US is not inherently culturally private. Privacy occurs because others aren’t tracking you, if you’re being traced by computers, motivated people with advanced tools, living in a world where you’re supposed to share and a paparazzi celebrity culture, you’re not going to get privacy no matter how “safe” you program your memory to be.
The fact that "spyware firm" is a thing is comical. Don't let the world know
Basically the US didn't like the competition, they are going to do the same things only with American companies. They don't really mind when Google are spying their users and has the power to control information so suddenly they care about some spying software?

This is not the first time the US is clipping the wings of the Israeli security industry, it is part of the dance between the too nations, if Israel wants the support they need to stop compete.

In general Israel doesn't need the American money and considering the racism against Israelis among the progressives and the extreme right maybe it is about time that Israel should reconsider their alliance with the deteriorating American empire.

Somehow I doubt this will prevent US Government itself from being a customer. They always exempt themselves from restrictions they put on others. That said, I still welcome the move. NSO is scum, that much we've established years ago.
Being a software company, what prevents N, S and O from founding another company? OSN, for instance?

There is no need to transfer any wealth from NSO and the code is both illegal and secret, anyways.

Edit: it should not be that obvious, but I don't think NSO will close shop because the trademark was flagged. Rename to meta, or something like that.

(comment deleted)
I came here hoping someone would be able to answer this question. Unfortunately it's just the usual Israel bit you get on /r/politics.
>"NSO and a competitor, Tel Aviv-based Candiru, were among four companies added by the commerce department on Wednesday to its so-called entity list, which would restrict exports of US hardware and software to the companies."

What is going on in Israel where there are this many companies engaging spyware for sale to any customer who simply has enough funds to buy them? What's the commonality here? Is these NSO stories in in Israeli media?

Lastly what is meant by "military grade spyware." That sounds like marketing fluff.