86 comments

[ 5.0 ms ] story [ 138 ms ] thread
They always talk about phone numbers, does that mean without a number I am safe from that attack?
I would bet they have a semi-persistent "non-logged user session cookies" to track you. Just like every other Advertising/publisher does already.

basically instead of "Credit card purchase -> phone number -> person ID" they would use "credit card purchase -> semi-persistent hash -> person ID"

But how would that basically clone my phone's content on their servers? (Which is claimed in the article) it must be some kind of weakness within the system, with some entry point other than some 'cookie'
I had the same question, and this article seems to at least attempt to answer this question referring to an ongoing legal case by several tech companies against NSO. Essentially, they're leveraging exploits in various apps (iMessage, WhatsApp, Gmail, etc) commonly found on phones to infect the end user.

So in essence, they're selling limited time exploits to load malware and I guess having to constantly find new exploits to sell. Hell of a business model for sure.

https://www.occrp.org/en/the-pegasus-project/how-does-pegasu...

That sounds horrible, but thanks for the link!

In that case it can't be as perfect as they claim, except they have a huge list of apps to target what very well could be the case.

Edit:// Oh

> including Gmail, Facebook, WhatsApp, FaceTime, Viber, WeChat, Telegram, Apple’s built-in messaging and email apps, and others.

> it must be some kind of weakness within the system

You can assume there are many such weaknesses. Nothing is perfectly secure. Nuclear weapons plans are stolen, RSA's crypto keys were stolen ... your phone isn't protected on that level. Security is about raising the cost for an attacker beyond the value to that attacker: if you have data perceived to be worth $1M, make it cost $10M to steal it.

But the cost to the defender is relatively high. There is no way your phone, whatever you use, is perfectly secure; there is no way every app on your phone is perfectly secure; the cost would be astromical to the vendors. There are endless possible holes.

The question is, what is the perceived value of the contents of your phone? Are you the Secretary of Defense or the CEO of a Fortune 100 company? An international terrorist? If they really want you, they've got you (unless you pay for some serious personnel). They could just replace your phone with an identical one containing a little extra hardware, for example.

But your phone almost certainly isn't perceived to have that level of value.

They could think I am a terrorist and I am not even aware until I put a food in their country. I can't know, as I only have a marginal understanding what they think terrorism is.
Why is the FBI paying to get Pegasus? Doesn't the US have NSA to do this kind of hacks or find no click zero days in Android/iPhone and share the zero days with the FBI? Or why hasn't someone try to trick NSO to hack a monitored phone and find out the zero day? I am having these questions because every time I hear about NSO there is this question in my head "What is so special about NSO?". I see 2017, 2018, etc. how can someone have zero days for years and no one copy the zero day or fix the zero day? Why I don't hear about NSO competition? Does it have competition?
Paying is the key. NSA doing it for FBI would generate no profit for anyone. Given various loopholes exploiting arrangements between allied security services, I'd not be surprised if NSA were a source of 0days for NSO.
I would 100% be surprised if NSO was being supplied with vulnerabilities from government agencies. If anything it is likely to be the other way around.
> NSA were a source of 0days for NSO

Not directly, NSA requests tech companies to slow down 0day research so they and others can exploid them.

the competition for NSO within the US would be traditional defense contractors: raytheon, l3harris, etc.

One can make much more money with the DoD than the DoJ.

I don’t think it’s a single or even a fixed collection of zero days, it’s an arms race that requires constant updates to the vulnerability catalog in order to be able to exploit the latest fully patched phones.
Because NSO is on a different level completely. Google engineers who analyzed NSA hacks found it to be "terrifying". See https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-i...
Wow, thanks for that link. That's incredible:

> JBIG2 doesn't have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. So why not just use that to build your own computer architecture and script that!? That's exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It's not as fast as Javascript, but it's fundamentally computationally equivalent.

They say it's terrifying but this doesn't seem like an incredible advancement on any previous "weird machine" exploits. It's just nobody else has this problem to need to write a compiler like this.
Indeed. It’s a fairly logical step in exploit development, and (while a significant amount of impressive work) not a particularly novel idea.
The NSA does have an organization devoted to developing these sorts of attacks that make the NSO group look like a bunch of kindergarteners as evidenced by the Snowden leaks. The CIA also, independently of the NSA, has an organization that develops these sorts of attacks that make the NSO group also look like a bunch of kindergarteners as evidenced by the Vault 7 leaks. Almost without a doubt, the FBI, DHS, US Navy, US Army, and US Air Force all also have their own independent organizations that each make the NSO group looks like a bunch of kindergarteners given that developing a capability that makes NSO look like kindergarteners only costs on the order of ~$100M (i.e. less than a single jet fighter). There is absolutely nothing special about the NSO other than that they got caught and brought under the limelight.

The most likely reasons the FBI paid for access to Pegasus are: 1. It is another tool that frankly does not cost very much if you are the FBI. 2. The part of the FBI that bought it likely does not have authorization or possibly even knowledge of the other tools and contracted with NSO to gain those capabilities at the cost of just some money. This is like how a developer team in large stodgy old mega corporation might not be able to get IT to setup their servers so they just get a budget that they spend on AWS to do an end-run around their own IT organization.

The zero days are likely occasionally being discovered and fixed, but buying a zero-click zero day for Android/iPhone on the black market only costs on the order of $1-2M at retail. If you have your own competent team you can reasonably expect to find a zero-click zero day with only a few person-months of effort which, even at US wages, is only a few 100k per zero day. At those prices, you could keep a dozen or so stockpiled for less than the cost of starting a McDonalds franchise, so they likely did maintain a dozen or so at any one time, so if one was discovered they could just switch over to a different one and write off the old one as a cost of doing business.

They absolutely do have competition. One high profile example is Hacking Team. In terms of overall competition, I do not have any hard information, but given the size of the vulnerability markets there are probably at least a couple dozen to a few hundred organizations similar in scope to the NSO group. We do not hear about them because they mostly sell to governments.

As someone who has worked Vulnerability Research/Exploit Dev for US based companies I'd consider this a bit misguided and is likely coming from someone not in the Vulnerability Research/Exploit Dev industry. I'm guessing you're getting these numbers from just reading Zerodium:

""" The zero days are likely occasionally being discovered and fixed, but buying a zero-click zero day for Android/iPhone on the black market only costs on the order of $1-2M at retail """

In reality the final packaged product is worth exponentially more.

Also, Israel produces some of the best security research talent on the planet due to their national focus on cybersecurity, and funneling some of the most talented students in the country directly to 8200 starting in high school, and some of them end up going to NSO group after. None of the vulnerabilities/exploits in the Vault 7 leaks come close to the sophistication of the FORCEDENTRY exploit. I'm not saying the US doesn't have better capabilities and the NSA most certainly does because they have suppliers like Azimuth, but a lot of what you've stated is based in fantasy.

The sophistication of individual exploits is largely uninteresting, a bullet and a cruise missile both go through a piece of cardboard. Even quantity per target is largely uninteresting past the first couple in much the same way that having 23 snipers trained on a person is not so different than 8. It is the breadth of attacks in the Vault 7 leak that make the NSO group look like nothing. Maybe the NSO group could redirect their ~$250M/yr revenue and equalize in breadth with the CIA, but currently, from a strategic perspective, the CIA's programs are far more terrifying from a "what can they do" perspective. And, with high probability, there are at least a half dozen equivalent programs running in parallel just in the US government. That is how absurdly easy this all is, they do not even need to band together, each and every one can individually exploit a significant fraction of devices.

You are correct, I do not work in exploit development. My numbers are based on quotes vulnerability brokers have given for their inventory of zero-click iOS vulnerabilities (and other OS and application vulnerabilities) to some of my coworkers over the years. I have heard they have increased in price recently, though due to increased demand rather than increased difficulty of discovery, but I doubt the price of a raw exploit has breached the $10M mark yet. I have no knowledge as to the pricing on a final packaged consumer-friendly UI product.

.
Okay. Since you say I am underestimating according to your experience can you supply a, in your opinion, 68% confidence interval estimate for the cost or effort required to purchase or develop a zero click iOS exploit (i.e. give a general range for the median case).

Reasonable forms for a sufficiently quantified answer include, but are not limited to:

1. A numerical value to purchase from a broker.

2. A numerical value for the budget a competent organization (such as NSO) might allocate to a team to restock their hoard at a profitable return.

3. The number, skill, likely salary, and time/person-months a competent organization might allocate to restock their hoard at a profitable return.

4. The estimated return on a vulnerability. Giving an estimate of the expenditure bound to maintain profitability.

5. The estimated number of vulnerabilities NSO is finding per year given their budget.

6. The estimated number of vulnerabilities NSO has currently hoarded given their budget. Giving an estimate of the embodied expenditures to date.

7. The estimated amount of time for a NSO vulnerability to be burned allowing the estimation of required replenishment rate.

This is not an exhaustive list of reasonable quantifications, but I think at least something along these lines should provide an adequate quantification to demonstrate the degree to which I am underestimating the state of affairs.

.
Thank you for the reply. I was actually only expecting an answer to 1 or 2 of them rather than all of them. 2 and 3 were more questions on the business side of (expenditure on staff finding exploits / expected number to find per year) rather than raw expenses and 4 was more a monetary return rather than a ROI, but thank you for all the answers nonetheless.

Just for clarification, am I correctly understanding your answer to 1b as the price of a zero-click iOS exploit being ~$4M in contrast to my stated $1-2M? If so, I will not openly contest that claim here and thank you for your time. Anybody reading to this point can substitute my earlier claims for $4M if so.

I think it's funny that you were able to exploit someone working in the industry into giving up information they shouldn't have merely by stating your speculation as fact.

Who needs 0-days when you have Cunningham's Law[1]?

I'm just trolling, but it apparently did happen here. :)

1: https://meta.wikimedia.org/wiki/Cunningham%27s_Law

Anyone has copy of the answers? Seems that it was interesting but was edited.
From memory it was approximately:

1a. $2M for something. Maybe a messenger/important app?

1b. $3.5-4M for zero click in default install (sandbox escape + local privilege escalation)

2. $20M for high level individual talent for a firm like NSO with a $250M revenue/$150M expenses.

3. $400k for a senior engineer. $250k-500k spot bonus for a person in the team who finds a zero-click. Some other words.

4. 500% to 1000%. Some other words.

5. 0-2 zero-click on-hand or maybe per year. 1-3 lesser ones in messaging/browsers/etc I think? Some other words.

6. The answer to 5 is sparse enough that statistics do not really apply.

7. 7-15 months.

Israel did not need bullets or cruise missiles to shut down Iran's centrifiges twice. But I generally agree that the US 3 letter agencies are better funded and have more sophisticated cyberwarfare tooklits.
These are great points.

I dont see why the FBI wouldn't buy Pegasus. Does the above poster think the FBI can just call the NSA and tell it to decrypt a bunch of stuff? The NSA has its own mission and its based on national security interests, not solving the everyday crime the FBI works on. The government isn't just one big club. I'm guessing its likely the NSA isn't going to offer up its best tools to catch someone providing abortion access in Texas or "stealing" academic papers from JSTOR or "pirating" comic book movies. Not only is it a waste of their resources but every time a tool like this is used, the detection of that tool is possible, and with that detection Apple or whomever would figure out what the exploit is doing and patch against it. Now that tool is wasted because some FBI boss wanted a promotion thinking if he impersonated an Associated Press journalist to hack a teenager again like they did in 2007 it would impress some authoritarian higher up.

They can't waste these precious exploits on some culture war, IP enforcement thuggery, leftist organizers, unions, and mid-range drug dealers the FBI regularly beats up, murders (think Filiberto Ojeda Rios), harasses, and spies on. Even the NSA is low-key ACAB. So they just say no and tell the FBI to just let NSO potentially burn their exploits. The NSA and military intelligence has better things to spend it on (think Stuxnet-like scenarios).

tldr; the FBI operates on a level far below these other organizations and are far less important than any of them in the grand scheme of things. They're just well funded cops with all the problems cops bring. They're not getting NSA tools because they don't need them the same way your county sheriff doesn't need MRAPs to drive around in.

> The CIA also, independently of the NSA, has an organization that develops these sorts of attacks that make the NSO group also look like a bunch of kindergarteners as evidenced by the Vault 7 leaks

Anyone even vaguely familiar with the Vault 7 leaks knows that they made the CIA look like a bunch of kindergarteners.

There’s no doubt about the NSAs capabilities, but the Vault 7 crowd was clearly playing in the same league as most NSO group customers.

The FBI comment in this article is interesting in they give an offhand excuse that it could be for evaluating foreign software and threats. holds water. But so to does them buying it to use it
> The CIA also, independently of the NSA, has an organization that develops these sorts of attacks that make the NSO group also look like a bunch of kindergarteners as evidenced by the Vault 7 leaks.

Have you actually looked at the Vault 7 leaks? There’s nothing there far beyond the capabilities of a NSO-type actor. NSO is at the level of a nation state, but so are all the nation states. It’s easy to think that funneling infinite money at something will just make you that much better at something, but this isn’t true at all. Otherwise Apple and Google and Microsoft would just be unimaginably distanced from every other smaller company, and I’m sure you agree that they are not ;)

My hunch is that size is harming MS and Google. I bet smaller companies, more focused and with the same budget would achieve more.
wow, the word kindergarten is repeated four times, that doesn't communicate an abundance of confidence...
NSO doesn't ask to see your warrant...
Law enforcement is not NSA's job. They have no reason to help FBI here.
The most powerful cyberweapon is making sure every human understands an inkling of number theory
So everyone's invented their own cryptography. Great! I'll just buffer-overflow the TCP stack and let myself in; then I can read all their messages after they've decrypted them.

Rock, meet paper.

So we have evolved best practice in secure commumication using the most rigorous scientific review methods available to math. We just need to help each other understand how we're modelling this stuff.
All cryptography is based on the assumption that the inverse of some operation is hard to compute, because nobody's found an easy way to do it (yet).

RSA is based on the assumptions that factoring prime numbers and finding discrete logarithms are both hard. ECC is based on the assumption that the subtraction analogue of that weird additiony thingy is hard. Afaik, neither of these things has been proven.

> Afaik, neither of these things has been proven.

It's not even clear (at least to me) what a proof of "difficulty" would look like. You would have to prove that no mathematical process could exist that was capable of (for example) factoring a composite number N in less than M steps (where M is a function of N), and prove that each step has some minimum energy or time requirement, to ground the "difficulty" in terms of things that we can use our current understanding of physics to reason about.

It would be a reduction of discrete-log/factorization to some algorithm with known lower bounds on runtime/space for a given probability of success.
But could there ever be a guarantee that no more efficient algorithm could be found? I agree that, given an algorithm, you can reason about the runtime/space/probability requirements that it places on an implementation, but you also have to contend with different models of computation.

According to Wikipedia, the "quantum complexity-theoretic Church–Turing thesis" states that: "A quantum Turing machine can efficiently simulate any realistic model of computation."[0] but even assuming this is true, and that we could build a practical general purpose quantum computer, the word "efficiently" here only means "up to polynomial-time reductions", and I don't think we can know in advance what polynomial-time reductions could be discovered.

[0] https://en.wikipedia.org/wiki/Church%E2%80%93Turing_thesis#V...

We can prove that it is a logical impossibility for some algorithm to exist, but I don't think we can say, given an algorithm with a certain set of steps, that there isn't an equivalent algorithm that requires fewer steps.

Also, "steps" here would have to be measured in terms of operations on a physical machine (or at least an idealised perfectly efficient physical machine), but different architectures would allow different operations, and that's before we start considering different models of computation.

After reading the title I thought this article was about the Intel Management Engine.
LOL A full OS including webserver embedded in every PC's firmware.
How is it that we can't have an OS that stops such things?

I'm of the opinion that the NSA must have a long running covert program to discourage the adoption of secure operating systems.

Multilevel Secure Operating Systems have existed since the 1980s, yet most people haven't even heard of them.

For the same reason we can't have pick-proof locks. Total security is physically impossible. You have to defend every access surface with equal flawlessness. Attackers can all coordinate on a single point of failure. By nature of this equation, any time you make a part more secure, attackers will simply focus their efforts on the next weakest link and go at it again.

Immunity can't prevent disease from entering your body either; They can only make it harder and actively respond to intrusion.

There's insufficient motivation for OS creators. It's possible to compile C code with various hardening options and pay a few percent overhead for it, but it remains almost entirely in the realm of academia...

Except for the Xbox. Someone hacking an Xbox would lose _Microsoft_ money through piracy, which hurts their bottom line!

As a result, the Xbox runs a type 1 hypervisor with various compiler hardening options like Control Flow Integrity enabled, and are generally some of the most locked down consumer devices sold today.

What's Apple's motivation beyond bad press? iMessage was parsing media sent to it with a pdf parser. Sure, some activists in repressive regimes will get spied on and executed, but it's just so much effort to invest dev effort on rewrites for security when you could find new ways to send cute animated gifs to each other.

Which hardening options are Apple ignoring? I would have thought the standard types of ones (debian's default) would also be set on macos/ios, eg https://help.apple.com/xcode/mac/current/#/devf87a2ac8f

From what I can tell all NSO's rigmarole of making a virtual machine in the PDF parser is to work around the existing mitigations.

I guess they could also turn on asan etc in production but that's more than a few percent slowdown.

I don‘t know anything about the benefits of these options but if the tradeoff is only a slowdown of the device this should be an option given to the user. Maybe even payed for („hardened version“ at buy time) or through a subscription.
Just an anecdote but I use GrapheneOS on my phone. It's a security focused OS based on Android AOSP with in particular a secure memory allocation function.

The whole OS feels much slower than regular Google Android, Osmand (map app) is barely usable (on a Pixel 4XL which isn't a low end phone by any means).

So I don't think we can discount how much slower a device will be with a more secure OS. It might be invisible on desktops, but certainly not on mobile.

If the secure OS had the same development velocity as the OEM profit OS, the secure OS would be much better optimized than it currently is and likely much much more secure, too.

Android and iOS are optimized in general and for example Google or Samsung also optimize and distribute it for specific hardware. GrapheneOS is not well funded and has little influence in hardware development. The development of Graphene from AOSP is pretty much guaranteed to de-optimize it in the short term.

While there is little about mobile that would cause a secure OS to be noticably slower, much less mature software with many fewer deployments is expectedly less optimized.

Address Sanitizer is not meant to be used as security hardening.
Maybe we should use Xbox instead of phones for secure communication?
It is the official policy of the US government that a Common Criteria EAL2 certification (i.e. "demonstrating resistance to penetration attackers with a basic attack potential" [1]) is adequate for government systems. This would likely correspond to a Class D, the lowest class, under the old Orange Book standard. In contrast, the only protection profile under Common Criteria designed to evaluate a MLS system, SKPP (Separation Kernel Protection Profile) [2], corresponds to a standard beyond EAL6 [3] (i.e. "demonstrating resistance to penetration attackers with a high attack potential"[4]), MLS systems evaluated under the old Orange Book standard correspond to Class B3 or A1.

In contrast, until a few years ago, it was official government policy that EAL4 certification (i.e. "demonstrating resistance to penetration attackers with an Enhanced-Basic attack potential"[5]) was adequate for government systems. This likely corresponds to Class C2 under the old Orange Book standard. This standard was chosen in the interest of allowing standard IT commercial vendors, such as Microsoft and Unix vendors, to submit competitive bids because it was deemed economically and technically infeasible for those systems to be retrofitted with adequate security to achieve a higher standard[6]. So, they instead set the standard to a level achievable by standard commercial IT vendors. They have since reduced it to EAL2 because they determined that requiring a EAL4 certification was too onerous, disqualified large vendors such as FireEye, and was unnecessary as the layering of enough EAL2 systems, each like a piece of swiss cheese, would result in systems comparable to EAL4 systems.

[1] https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3... Page 34

[2] https://www.niap-ccevs.org/profile/Info.cfm?PPID=65&id=65

[3] https://www.niap-ccevs.org/MMO/PP/pp_skpp_hr_v1.03.pdf Page 84

[4] https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3... Page 42

[5] https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3... Page 38

[6] https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3... Page 38

I wonder if governments quietly talk the companies behind the mainstream consumer OSes (Windows, Android, iOS and macOS) and components (I'm thinking about the device drivers) into not to try too hard to make them invulnerable to attacks. They can do all sort of subtle and not too subtle things to companies that cost them more money than they can lose because of zero days and zero clicks. After all nearly everybody has a phone that NSO could spy into and we didn't go back to Nokia 3310.
Just imagine if we had a key escrow or other backdoor like FBI asked for. If governments were made up of 99.9% very honest people, hundreds of untrustworthy individuals would still have enormous power ready to be abused.
And having that much inscrutable and unaccountable power would very quickly attract hundreds more untrustworthy individuals who would be tempted by the very fact that the power could be abused. Once their capability became self-reinforcing, the number of very honest people in the government would trend towards zero.
We already have a form of key escrow in the form of public PKI infra/root CAs, etc.
We also have a certificate transparency system to detect misissuance, and some precedent for economically ruining CAs who break the public's trust.

I'm not sure what would happen, though, if someone claimed that a CA had issued a certificate for their domain without permission. Assuming they could detect this and get the certificate revoked quickly, any attack could at least be stopped (after the damage had potentially already been done).

You're right, though, that there's little incentive for a government to not use "legal" methods to subvert a CA within its jurisdiction, and accuse the complaining site owner of false-flag attacking their own domain for media attention, or some other excuse.

If anything, I'm surprised that a government hasn't tried to poison-the-well of this system by creating a few boy-who-cried-wolf scenarios already.

Remember that rogue driver signed by a “leaked” cert?

Things like that are a lot more useful than fooling someone about some silly website.

Updates to your OS or secure apps (lmao) funded by the abc soup (Signal and Free Radio Asia, read up) could be signed by the government.

For the greater good, citizen.

Does Chrome do certificate transparency on its own updates?
Apps and OSes shouldn't (and don't need to) make their security dependent on the web PKI. Linux distros come with their own public keys, for example, which are used to check the signatures on package updates.

Things have got a bit worse recently, with the Google Play Store requiring app developers to let it build and sign the packages itself[0], but I suppose the argument is that if you don't trust Alphabet with the app signing keys, you shouldn't trust it with the signing keys for the OS updates you download.

(If your Android updates are signed by keys controlled by an entity other than Alphabet, then you can presumably use an alternative app repo too).

[0] https://www.theregister.com/2021/07/01/android_app_bundle/

(comment deleted)
I always find it amusing when a particular software artifact is treated as some kind of powerful weapon in itself, and not just the codification of some really smart people's ideas on the current state of the art in some domain. The number of people on earth that can do this kind of stuff would fit in football stadium. The people are the weapon, not the specific executable.
I mean that’s kind of the definition of a weapon. The atomic bomb was also just the codification of some ideas into a physical machine.
>The atomic bomb was also just the codification of some ideas into a physical machine.

No, it wasn't. It was the product of the entire industrial capacity of the United States. The amount of Deuterium required for a fission bomb took years of labor by hundreds of thousands of people to produce. The "ideas" were worthless without the physical infrastructure and industrial capacity to carry out the construction.

Software, on the other hand, requires nothing more than really really smart people and a $200 laptop.

I see. So if we could have developed a nuclear bomb for $200 and destroyed a city using it, it wouldn’t have been a weapon? I don’t understand the reason cost is being brought into the definition.
They make it sound like a nuke. A dozen of you devs here can band together and come up with something better in a few months. The post compromise capability is not what makes it powerful but the zerodays used to deliver it.

How about we do a YC startup and buy a few RCEs for android and iphone from zerodium and do this? (Just kidding to undermine the "most powerful" exaggeration in the title)

I thought Pokemon Go was the world's most powerful cyberweapon. It can magically summon hordes of zombies to any location on Earth.
I thought this would be about: https://sailfishos.org/

MSM editors are a little tech literate these days but they have no authority on the matter. Any other contenders?

If you are interested in a detailed account of the cyberarms race, check out "This Is How They Tell Me the World Ends: The Cyberweapons Arms Race" by New York Times reporter Nicole Perlroth. While the books tends to get a tad repetitive after a while, and definitely skirts many of the technicalities, its definitely provides a lot of insight into the underground zero-day exploits markets and the cyberarms race that we are in right now.

https://www.amazon.com/This-They-Tell-World-Ends/dp/16355760...

Not often we get to witness such a clear spread of a new technological evil in, what, half a generation? The potential this industry has to inexpensively damage nascent democracies and justice efforts is astounding.

They've 'democratised' the coup d'état and the absolute cover-up.

Shame on all of them.

Just a reminder that Capitalism doesn't care for politics only how much profit can be extracted from it.
And ethics doesn't care about economic systems. If capitalism is part of the problem here then capitalism needs to be addressed too.
(comment deleted)
For some reason, the only previously unpublished piece of info in this long article is in the last paragraph.

When they first presented their case against NSO, Facebook’s lawyers thought they had evidence to disprove one of the Israeli company’s longtime claims — that the Israeli government strictly prohibits the firm from hacking any phone numbers in the United States. In court documents, Facebook asserted it had evidence that at least one number with a Washington area code had been attacked. Clearly someone was using NSO spyware to monitor an American phone number.

But the tech giant didn’t have the entire picture. What Facebook didn’t appear to know was that the attack on a U.S. phone number, far from being an assault by a foreign power, was part of the NSO demonstrations to the F.B.I. of Phantom — the system NSO designed for American law-enforcement agencies to turn the nation’s smartphones into an “intelligence gold mine.”