WhatsApp sues NSO Group for allegedly helping spies hack phones around the world (reuters.com)
534 points by adventured on Oct 29, 2019 | 262 comments



"The Canadian researchers who reported that Israeli software was used to spy on Washington Post journalist Jamal Khashoggi's inner circle before his gruesome death are being targeted in turn by international undercover operatives, The Associated Press has found."

https://www.cbc.ca/news/technology/citizen-lab-toronto-under...


> The truth is that strongly encrypted platforms are often used by pedophile rings, drug kingpins, and terrorists to shield their criminal activity.

> Without sophisticated technologies, the law enforcement agencies meant to keep us all safe face insurmountable hurdles.

> NSO's technologies provide proportionate, lawful solutions to this issue.

Funny how the same technologies meant to protect children are also being used to intimidate researchers and kill dissidents and journalists. Nobody could possibly have foreseen this!


Let's not forget, totalitarian governments are way, way more dangerous for its citizens than any kind of criminals.


This should be upvoted. While the net deaths from murders, drug overdoses, and manslaughter of various cases might be a really high number, they are not even close to what a single government can do in a year or a nuclear-armed government can do in a few minutes.

In regards to the whole NSO thing, I’m completely baffled how their principals and employees are not on a sanctions list and don’t have arrest warrants out for them. Consider how much trouble non-malicious hackers have gotten in for pointing out security holes publicly. What we have here is a company actively conducting espionage against some of the most valuable public companies in the United States. Even more egregious, they are targeting those companies’ customers, illegally.


> In regards to the whole NSO thing, I’m completely baffled how their principals and employees are not on a sanctions list and don’t have arrest warrants out for them.

Lemme see if I can communicate this without committing karmic suicide like the other responder.... putting an Israeli cybersecurity firm on a sanctions list, or issuing arrest warrants, is simply a political non-starter in the US. It would be career suicide for most Congresspeople to take such a position.


> I’m completely baffled how their principals and employees are not on a sanctions list and don’t have arrest warrants out for them.

The parties responsible with sanctions and warrants are their clients.


all fighter jet principals and employees should have arrest warrants out for them. those damn fighter jets makers, killing people around the world with their jets. I mean, what did they think they are making a fighter jet for, they chose to work there and should have known the risks of being in the jet fighter business.


Also funny that it's not so hard to find pedophile material, drugs and people associated with terrorism _outside of the strong encrypted platforms_.


Yeah, that's the part that seems to get dropped in the discourse. Even when these vices had well-known places to gather - like the Silk Road, for example - they still leaked through into the world. But, after some of the most prominent platforms got busted, they're now scattered, so of course, some will try to get on encrypted platforms.

It's the same as a social media platform dying. Kik's recent demise undoubtedly brought a bunch of teens onto similar apps while some maybe reverted back to Facebook.


Funny how most of those could easily be eliminated by other means... drug kingpins by legalizing drugs, and terrorists (to a large extent) by stronger KYC requirements (which are already being implemented). But, of course, those measures don't provide ability to spy on your political opponents and dissidents / journalists.


This shouldn't be such a big surprise to those who inform themselves about the war business and its criminal usurpation of democracy in the West.

The same legal machinations that are used to suppress free speech in the West, especially regarding Western military failures, are also being used to suppress reporting on Julian Assange's torture in Belmarsh today.

We have well and truly slipped.


> Twice in the past two months, men masquerading as socially conscious investors have lured members of the Citizen Lab internet watchdog group to meetings at luxury hotels to quiz them for hours about their work exposing Israeli surveillance and the details of their personal lives. In both cases, the researchers believe they were secretly recorded.

Apparently Canada has a digital rights advocacy group that is being intimidated through these meetings?

On the plus side, now we know their group exists. Hope they get some more funding now!


What are you referring to?


jammygit hopes that the publicity around Citizen Lab helps Citizen Lab get more funding.


Yes, kudos to Citizen Lab and Raphael Satter for detecting this and exposing it publicly. I've seen many attacks like this by corporate intelligence targeting activists over the years and the extent that they will go to are very concerning. Moreover they seem to be increasing. Bugging, physical surveillance, digital surveillance, placing someone inside, turning someone inside, private/public smear campaigns etc - the list goes on. We see it all the time but for obvious reasons having public examples that we can reference when training or investigating others is really useful.


This twitter user claims an identity for one of the spies that were targeting Citizen Lab: https://twitter.com/bibken/status/1089991510203027457

Found this tweet by reverse image searching and looking a few pages down in the results.


There have been a number of articles mentioning that same guy. Apparently he's an employee of Black Cube.

https://www.nytimes.com/2019/01/28/world/black-cube-nso-citi...


Employees of the same company targeted the email accounts of Laura Codruta Kovesi a few years ago (she’s now the first ever European Public Prosecutor [1]).

Back at that time she was the chief of the Romanian anti-corruption agency and she was doing a pretty good job, which was unfortunate for some of the local oligarchs and corrupt politicians who tried everything to bring her down. Afaik the Black Cube employees’ hacking actions were pretty lame, I remember reading that some of them had checked in at one of the most expensive Bucharest hotels during their operation, literally a couple of hundred meters away from one of the headquarters of our local counter-intelligence agency. I had been under the false impression that if you try to carry out such an action you at least try not to physically show yourself in front of the people who are supposed to catch you.

[1] https://en.m.wikipedia.org/wiki/Laura_Codruța_Kövesi


Link to the actual complaint (PDF):

https://assets.documentcloud.org/documents/6532395/WhatsApp-...

Always annoys me when news reports leave that out.

Edit: IANAL, but quick take: WhatsApp might succeed, but their case would be much stronger if they had one or more of the victims as co-plaintiffs. As it is:

- Their CFAA claim can only cover unauthorized access to WhatsApp’s servers – but NSO didn’t hack those servers; the servers just fulfilled their normal job of acting as a relay for WhatsApp messages, except in this case the messages were designed to exploit other clients. A victim would be able to sue over unauthorized access to their phone itself. (WhatsApp does also have the terms-of-service complaint though.)

- WhatsApp can only seek damages for reputational harm the hacks caused to the company itself - not any kind of harm to the victims. However, they’re also seeking an injunction preventing NSO from continuing to exploit WhatsApp, which might be more interesting than damages if they can get it.


> Their CFAA claim can only cover unauthorized access to WhatsApp’s servers – but NSO didn’t hack those servers; the servers just fulfilled their normal job of acting as a relay for WhatsApp messages,

By that logic a website provider wouldn't have standing if they suffered an XSS attack (though any affected users would), which is interesting.

IANAL, but it looks like the CFAA defines offenses in terms of the "protected computer" that was accessed - for instance, unauthorized access to that computer, or stealing information from that computer, or damaging that computer.

That seems weird, but the alternative would be weirder: if every computer in the chain were a violation, the ISP for each hop of the network connection would have standing together. It's hard to make a case that WhatsApp is different from a regular router which might also pass malicious messages.


That's debatable. Also, it depends if it's persistent, reflected, or DOM-based XSS. Persistent XSS would be more likely to be considered an attack against the server/application, though I could see the counterargument as well. Reflected could go either way, and DOM-based would be the least likely to be considered a server attack.
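To make the distinction in the comment above concrete, here is an added example (not code from the thread or from any of the parties discussed) that models where the payload is handled in each XSS class. The point that matters for the "which computer was attacked" argument is which component processes the attacker's input: the server stores it (persistent), the server relays it untouched (reflected, the closest analogue to a relay server passing a malicious message through), or the server never sees it at all (DOM-based, where the fragment stays in the browser). The comment store, request values and the `escape`/`safe` switches are all constructed for illustration; the functions return the HTML they would emit instead of writing to a real page.

```javascript
// Added example: where the payload lives in persistent, reflected and DOM-based XSS.
// All inputs are constructed; nothing here talks to a real server or browser.

// Server-side comment store. A persistent (stored) XSS payload lives here,
// so the server both processes and keeps the attacker's data.
const store = [];

// Minimal HTML escaping for text nodes and double-quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Persistent XSS: the server accepts the comment, stores it, and serves it to
// every later visitor. With escape=false the stored payload is rendered live.
function postComment(text) {
  store.push(text);
}
function renderComments(escape) {
  return store.map((c) => `<li>${escape ? escapeHtml(c) : c}</li>`).join('');
}

// Reflected XSS: the server copies a request parameter straight into the
// response. Nothing is stored; the server only passes the payload through.
function searchPage(query, escape) {
  return `<p>Results for: ${escape ? escapeHtml(query) : query}</p>`;
}

// DOM-based XSS: the payload rides in the URL fragment, which browsers do not
// send to the server, so only client-side code ever touches it. The unsafe
// branch models `el.innerHTML = name`; the safe branch models `el.textContent = name`
// (shown here as its escaped serialization).
function domRender(urlFragment, safe) {
  const name = decodeURIComponent(urlFragment.replace(/^#/, ''));
  return safe ? escapeHtml(name) : name;
}

// Constructed payload used by the checks below.
const PAYLOAD = '<img src=x onerror=alert(1)>';

// True when the emitted HTML still contains the live (unescaped) payload.
function containsLivePayload(html) {
  return html.includes(PAYLOAD);
}
```

Running the three paths with `PAYLOAD` shows the same attacker string being executable in every unescaped branch and neutralized in every escaped one; what differs is only which component (stored data, the relay, or the client) the payload passed through, which is exactly the question the standing argument turns on.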


> Their CFAA claim can only cover unauthorized access to WhatsApp’s servers – but NSO didn’t hack those servers;

Walking into an unlocked building is still breaking and entering. This is why people are tried for recording information from pages that are technically accessible but not authorized for access.


> Walking into an unlocked building is still breaking and entering.

Yes, if you weren't authorized to be in the building. But this is more like... walking into an open store and then punching another customer. You didn't exceed your access to the store; you just used your authorized access to do something the store owner wouldn't want you to do (and which constitutes a crime and a tort against someone else). That's not trespassing. However, if the store owner noticed, they could then tell you to leave, at which point remaining in the store would be trespassing.

Does the same apply to the CFAA? Well, it's not entirely clear. There's been a spate of precedents in the last decade, the most recent from just last month, and, well... they're a bit of a mess, including a circuit split which will have to be resolved by the Supreme Court eventually [2], and even within the Ninth Circuit, a "zigzagg[ing]" series of decisions [1] with ambiguous dividing lines.

In particular, unlike in the store analogy, NSO had to agree to a ToS before using WhatsApp, which NSO then violated. That definitely gives WhatsApp a claim for breach of contract. But do actions that violate a ToS also automatically "exceed authorized access" and give WhatsApp a CFAA claim? Not according to Ninth Circuit precedent, but potentially yes according to other circuits' precedents.

That said, many of those precedents turned on the question of whether it makes sense to apply a "hacking" statute to something that's clearly not hacking. In this case, there undoubtedly is hacking involved, and the court may not draw as fine distinctions as I have regarding what exactly was being hacked.

By the way, like in the store analogy, WhatsApp could notify NSO that they're banned from accessing their service altogether, and ignoring that would result in a CFAA violation according to Ninth Circuit precedent. And indeed it seems that WhatsApp has banned NSO now. But they apparently didn't do so prior to the conduct the lawsuit complains about, so that isn't a factor in this case.

[1] (about Ninth Circuit precedent) https://reason.com/2019/09/09/scraping-a-public-website-does...

[2] (about circuit split) https://technology.findlaw.com/modern-law-practice/circuit-s...



Not a lawyer either but CFAA has been used for more than plain hacking. WhatsApp servers and infrastructure was used to hack WhatsApp users. Clearly they violated the spirit of the law, it's fraud at least.


This is the same company (NSO) that helped the Saudis brutally murder and dismember a journalist.

https://www.nytimes.com/2018/12/02/world/middleeast/saudi-kh...


I find it interesting that NSO, an Israeli surveillance technology company, was allowed to have such dealings with Saudi Arabia. Their statement that "the sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies [...]" implies that their technology is subject to export controls.

My understanding is that Saudi Arabia has poor diplomatic relations with Israel.


It's complicated. Officially Saudi Arabia has no diplomatic relations with Israel and considers them as illegal occupiers in Palestine. But that's just for PR purposes in the Arab Muslim world. However behind the scenes they frequently cooperate and share intelligence on matters of mutual interest.


Thank you for bringing this up.

It reminds me of Canadian telecoms. While they officially compete to extract more cash from customers, they’ll also call each other up and share infrastructure instead of duplicating builds.

E.g. Telus built towers in its territory, and Bell did in its, and they just share them. Much cheaper than redundant builds and customers usually won’t notice when everyone in the car loses reception at the same time.

Then there’s the stuff that they just do through signalling. Huh, our “competitor” is going to start charging for incoming SMS and the billing vendor that we all use just rolled it out as a new feature. Great!


Sorry to say this but your understanding on Israel - Saudi relations is poor: they are excellent. I don’t blame you since the media usually carry that narrative.

Anyone who can protect the rulers from the people is in excellent terms with the rulers. The rest is just posturing.


Your understanding is wrong. Saudi Arabia has great relations with Israel - they're just not being officially flaunted that much. In fact, not only are Israel's politicians and state apparatus acting in sync with Saudi positions and interests, but even the media and academia are awash with pundits and so-called experts who are essentially parroting the skewed Saudi outlook: demonization of Iran, presentation of almost every conflict in the region as Shiites vs Sunni, suppression of criticism of US/Saudi-supported regimes and strong men, ignoring the government's active support of Islamic fundamentalists etc.


An incredible quote: "Defendants subsequently complained that WhatsApp had closed the vulnerability. Specifically, NSO Employee 1 stated, “You just closed our biggest remote for cellular ... It’s on the news all over the world.”"



Holy fuck these people


Won't someone think of the malware company? How are they supposed to sell their services to oppressive governments if WhatsApp keeps patching all the vulnerabilities they depend on?


irony is always lost when one massive surveillance company takes the bread away from a massive surveillance government agency.


What are you quoting? That sentence doesn't appear in the article.


They're quoting the actual civil complaint.


Someone posted the .pdf above, it's in there.


Source?



Specifically page 10. Still wondering where the original quote came from. Who was this person talking to? Presumably "you" refers to FB, but what was the situation that an NSO employee was complaining to FB?


Sued them under what law/legal theory?

Wait... is it CFAA? That would be... an interesting door to open!

Found the complaint, yep!

> Plaintiffs bring this action for injunctive relief and damages pursuant to the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, and the California Comprehensive Computer Data Access and Fraud Act, California Penal Code § 502, and for breach of contract and trespass to chattels.

I like the idea of using the CFAA like this, of that becoming a thing.

Had to find the complaint cause none of the articles I could find on it mentioned the CFAA, which is weird since that's news.


Civil CFAA (unauthorized access to WhatsApp infrastructure, including their relay servers, to target WhatsApp users), California's Computer Data Access & Fraud act (same, but CCDAF also has kickers like specific liability for spreading malware), breach (WhatsApp has a EULA), and trespass to chattels.

(sorry, wrote this before you fleshed out your comment, but presumably it's helpful to someone else)


My wife works for NSO; Facebook closed down the personal accounts of anyone working for NSO, which is quite the aggressive move. I definitely see things warming up.


> Facebook closed down the personal accounts of anyone working for NSO which is quite the aggressive move

I’m sure your wife is a lovely lady. But NSO Group is a hostile intelligence asset. They actively undermine Americans and American security interests, here and abroad.

It’s not only reasonable for American companies to block them and their affiliates, it would also be reasonable for their travel to the country to be restricted (or monitored in the way a known spy would be).


>I’m sure your wife is a lovely lady.

I am not so sure. People who knowingly work for organizations that help plots to torture, murder and dismember journalists are not "lovely". She might not have known about it before, but she does now, and yet she still works for them.


It seemed like a tactful thing to say. When trying to convince someone of something, it's helpful to be nice to them first.


Banks did a lot of money laundering for drug dealers, terrorists, etc before (maybe they're still doing it today) but that doesn't mean all those working at banks are bad.


If a bank was created with that purpose in mind I guess it's bad. NSO was created to hack people's phones. I guess there's a legit use, but then, maybe they got greedy and sold to governments that define "crime" and "terrorism" quite a bit different from us.


Define bad. Are these employees actively involved in an organization that has demonstrated the inability to function in a socially responsible and cohesive manner?


That's a rich interpretation. Tech that's at the infrastructure layer has both good and bad uses. An email can be used to deliver a greeting, or a malware payload.

You've conveniently omitted your workplace information, else one could guilt trip you for continuing to work for your employer despite their worst acts being widely known. We shouldn't support this kind of specious virtue signaling, maybe the lady genuinely worked/works there for the company's publicly stated good intentions.

Also, how the Sauds use the tech is beyond NSO's, and especially the lady's control. Just like how the Sauds use American defense tech to wage war on Yemeni civilians - defense tech subsidized by the American taxpayer - that is you. And still, you continue to live in, and pay taxes to the US, instead of moving to a non-exporter of arms, like Greenland. All while casting blame on a lady working for an Israeli tech firm. For Shame!


>Also, how the Sauds use the tech is beyond NSO's

It's not. They aided this regime, and other regimes, and chose to do so. And they knew that they weren't just selling them a few cars or some designer handbags, but actively aided in operations against everybody the house of Saud considers an enemy, and knew - just like anybody else who did some cursory googling - about the regime's targeting of any civilian opposition and protests, handing out gruesome "penalties" which can only be described as state sponsored murder, mutilation and torture.

>and especially the lady's control

She decides where she works. This is the old "I was only following orders, and wasn't even directly involved in any of the evils" excuse deep down.

>Just like how the Sauds use American defense tech to wage war on Yemeni civilians - defense tech subsidized by the American taxpayer - that is you. And still, you continue to live in, and pay taxes to the US, instead of moving to a non-exporter of arms, like Greenland.

I am not living in the US, but a country that still exports arms to the Saudis, so I kind of get your point. However, there is considerable societal backlash against this here, me being a tiny part of it, to the point where the government "froze" such exports for the time being[1].

Your "just fuck off then to a nicer country" argument is built on a false premise anyway. You fix things in your society that are wrong, and you don't get to tell those people who raise concerns, which is the first step in fixing things, to just fuck off to some other nation.

[1] https://www.dw.com/en/german-arms-export-freeze-on-saudi-ara...


Where do you work?


They directly sell proprietary tools and services to governments, including cruel and oppressive totalitarian governments who use those products and services to spy on, imprison, torture, and kill journalists, dissidents, activists, and political rivals. There's no justifying it whatsoever. It's not like these are consumer products which some governments happen to use; leaks show they work very closely with governments to provide support. They take feature requests and bug reports from those governments. They sit on calls with them.

If they had announced they were blacklisting those governments as customers, maybe they could've partly repaired their reputation, but that would destroy their entire business model, so they don't and won't. Their total addressable market is strictly capped. They need every government in the world as a prospective customer, else their business probably isn't financially sustainable. Ethics stop where sales start. In response to all of the reporting, they actually do claim to now be factoring ethics into their sales decisions, but the rigor behind it seems extremely questionable, to say the least. [1]

There is absolutely no other employer someone could work for (besides those in the same niche, like Hacking Team, or military contractors that work with such governments) which is anywhere near as unethical as companies like NSO. Not Facebook, not Google, not even CIA/NSA/FBI, probably.

Also, you can't liken living in a country with a government who you know does unethical things to working for an employer who you know does unethical things.

[1] https://www.nytimes.com/2019/03/21/us/politics/government-ha...

>The company has established an ethics committee, which decides whether it can sell its spyware to countries based on their human rights records as reported by global organizations like the World Bank’s human capital index, and other indicators. NSO would not sell to Turkey, for example, because of its poor record on human rights, current and former employees said.

>But on the World Bank index, Turkey ranks higher than Mexico and Saudi Arabia, both NSO clients. A spokesman for Israel’s Ministry of Defense, which needs to authorize any contract that NSO wins from a foreign government, declined to answer questions about the company.


I agree with most of your post, except excluding CIA/NSA from the unethical companies similar to NSO.


It depends. The CIA/NSA probably do contribute to the torture of people, or they did in the recent past, which is abhorrent. But the people they tortured were believed to be violent terrorists, whereas these countries torture and kill people just for speaking out about their government. Both are unjustifiable and unforgivable crimes against humanity, but the latter is still worse.

I didn't say the CIA/NSA weren't unethical; just that they're probably not as unethical as NSO. But I could also be unaware of awful things CIA/NSA have done which are worse than what is publicly known, in which case I cede the point.


There's no real distinction between US intelligence and "hostile" intelligence. They're both hostile to most people in the world, including most US residents and citizens.

So I would say NSO is just another outfit of money-grubbing intelligence-industrial complex SOBs, who happen to be mostly Israelis rather than US citizens.


> They actively undermine Americans and American security interests

NSO can be justifiably blamed for selling to a regime like Saudi Arabia, but it can't be blamed for undermining 'Americans and American security interests' when the American government itself does not see SA's actions as contrary to 'American security interests'.

NSO could at least argue that they did not predict beforehand that SA would go to such lengths - Khashoggi himself did not expect it - but the US obviously knew after the fact. Yet, the US keeps selling weapons to SA and applied no penalty.

We can't expect NSO Group to take a stricter view of 'American security interests' than the US government does.


> We can't expect NSO Group to take a stricter view of 'American security interests' than the US government does.

No, but we as people can take a stricter view. The people working for companies like NSO Group are torture and murder facilitators, plain and simple. There is no legitimate use case for products like these in a democracy. Police forces working under rule of law are not in need of these products.


Alas, according to statements and actions by US police forces, they do feel these types of products are legitimate for use by themselves. The way to change that is by making this illegal - there will always be suppliers so long as use is legal given how deep the police forces' warchest is.


This logic about suppliers isn't necessarily solid. Check out the difficulties for the US in continuing to execute people as European drug companies don't want to supply them with drugs for lethal injection. You can't buy drugs suitable for lethal injection over the counter, and so if an American outfit that wants to kill prisoners can't get approved to buy from a supplier then it has to resort to drastic experiments...


I feel that the demand is so large that limiting supply isn't enough in this case.

The agencies are willing to invest far more in 'breaking computer security' than in 'finding lethal injection drugs for people who are anyway in custody' . 'Breaking security' is a priority to them in the way 'finding lethal drugs' never was.

That does not get NSO Group off the hook, they did agree to work with SA in the first place - but I suspect we'll just discover there are other outfits (and inhouse talent) out there, and that lasting change requires looking also at the demand and infrastructure sides.


Most of NSO's users are police forces working under rule of law. That's the thing being regulated (what police forces it is allowed to sell to).


It might be worth mentioning that American foreign policy and American interests might not be aligned.


Aren't both Israel and Saudi Arabia allies of the US?


Israel and Saudi Arabia being allies of America doesn't mean that murdering journalists critical of Saudi Arabia is in America's interests (or for that matter, Israel's.)

It would be hard to even make the case that the murder was good for Saudi Arabian interests. It was apparently done for Mohammad bin Salman and it's a stretch to say that the interests of Mohammad bin Salman are categorically the interests of Saudi Arabia.


> it's a stretch to say that the interests of Mohammad bin Salman are categorically the interests of Saudi Arabia.

Saudi Arabia has been an extremist, terrorist plutocratic religious dictatorship since the house of saud was influenced by the terrorist philosopher Wahabbi.

Bin Salman matches the character of the average Saudi, I've spent a great deal of time there.


Be that as it may, the whole thing looks to me like a tyrant prince using his power for personal affairs. I don't see a clear path from that to "satisfying this guy's thirst for blood is in the national interest of America and Israel."

In life, Khashoggi may have been a critic of Saudi Arabia, but I don't think he was an existential threat to Saudi Arabia's ability to be an effective ally to America or Israel.


[flagged]


> the cajones to ever speak out

Do desk drawers help with that?

https://www.urbandictionary.com/define.php?term=cajones


I think it's funny to say that about a company regulated and controlled by the US intelligence community.

The US is truly great at claiming things are bad while _controlling those things_ at the same time.

For what it's worth _personally_ I believe that NSO is a bad company and US regulation needs to change - but those things need to change together at the same time.


[flagged]


It's not equivalent. Being in China / Chinese does not mean compliance with or involvement in Chinese spying. (Or at least not voluntarily) Working for NSO does though.


it's interesting that you've applied nuance to the nation based example, but not the company one.

rolling with that line of thinking, it seems that anyone who takes a job at a company is somehow involved with promoting that company's mission.

i'm really struggling to see how this would apply to e.g. an accountant at facebook (or NSO Group), but whatever.


> rolling with that line of thinking, it seems that anyone who takes a job at a company is somehow involved with promoting that company's mission.

Yes, that is literally the meaning of working for a company. If the company created a job opening and hired a person, they did so because they have reason to believe that this employee will promote the company's mission.

As to your example, an accountant at Facebook is most definitely promoting the company's mission. I would argue that if a person is against the company's mission, then there is a serious ethical issue with them taking the job.


[flagged]


Do we have to break down into WhatAboutIsm this soon in the conversation? Can't we just agree that they're all awful companies, and the people who work for them should be ashamed of that?


[flagged]


I don't care that the platform was hacked, but I do care that the users were.


Agreed


Aggressive? More like pitiful. This is export controlled technology sold indiscriminately to third world nation states, custom tailored by NSO to target and entrap journalists and civilians, many in different locales or conflict zones. Ideally, NSO employees would be in chains in The Hague charged with the very war crimes they enabled.


Facebook doesn’t have the ability to prosecute people for war crimes. They can (and routinely do) share information with law enforcement for things that they deem abhorrent (human trafficking, notably of children).

What they can do —like in this case— is to sue in civil court. What they can also do is to kick the people that they are suing away from their platform for violating their terms. It’s actually not rare (several people involved with Cambridge Analytica were locked out of their account) so “aggressive” is a stretch, but that kind of side-show is representative of the internal tone of the discussion.

A friend talked about “their large legal team” and, yes, that’s more to the point. Said legal team has a lot of friends familiar with The Hague so I wouldn’t be surprised if your wishes become reality.


Link to more info about export controls for this kind of technology?


A simple Google would help you. If lazy though: https://www.wassenaar.org/app/uploads/2019/consolidated/WA-D...


Am I supposed to be looking at page 92 and onwards? Is there a third party analysis of this? I can't see any part which makes the OP's comments true, just posting a link to a law document doesn't really help me understand.

It looks like they sold software that could breach WhatsApp security. Where can I read more (something that's understandable) about how this is export restricted?

If it was export restricted, who is responsible for enforcing the law?


The relevant section is category 4 A. 5. (page 79)

>4. A. 5. Systems, equipment, and components therefor, specially designed or modified for the generation, command and control, or delivery of "intrusion software".


Who is enforcing this? These types of sales happen all the time. I sold an exploit to Vupen who then resold it. Did I break the law? Did Vupen break the law?


It's enforced by countries. Do you live in a member state?

https://www.wassenaar.org/participating-states/

Click on your country and it should point you to the relevant authority for your government.


I do live in a member state. So I'm completely banned from selling exploits? Vupen know that a lot of what they get sold comes from member states.


Check the relevant laws and regulations for your country (the state section on the Wassenaar website should link to them, or at least name them to look them up). You can probably still sell exploits as long as you get an export license for them.

As I understand it, VUPEN was buying exploits before the exploit section was added to the Wassenaar agreement. They attempted to dodge the agreement by moving the company from France to Singapore (which is not a Wassenaar signatory), but then Singapore still added the exploit section to their laws [0]. VUPEN shut down before that law change anyway, due to bad press from the Hacking Team leaks.

[0] https://twitter.com/cbekrar/status/704664859372158976


Vupen turned into Zerodium. How would this law be enforced if (hypothetically) I took an encrypted pen drive to Zerodium's office, they like what I demo and pay me, they then resell?

Who is tracking / investigating what just happened? How would they even know?

Would getting an export license even be possible?


>Who is tracking / investigating what just happened? How would they even know?

For you selling to Zerodium, it would be the government agency in your country in charge of managing export controls. Unless you are bragging about it on social media, it is unlikely that they would know about you selling the exploit. As long as Zerodium doesn't tell your country about you selling the exploit, it will be very difficult for your country to find out (unless they investigate where you are getting tens of thousands of dollars from).

For Zerodium reselling, it primarily falls under the US Department of Commerce’s Bureau of Industry and Security (BIS). If they are selling to somebody nasty the Department of State's Bureau of International Security and Nonproliferation could be involved, along with Homeland Security. Since Zerodium is very public about buying and selling exploits, they are certainly on the radar of these agencies. If they don't see Zerodium applying for export licenses, they will investigate.

>Would getting an export license even be possible?

Contact your local government. It might be difficult to do so as an individual, so you could need to form a small company.


I'm not sure why they would grant an export license, that completely defeats the point of the law. Me making a million bucks can't possibly be good justification to allow my transaction to be exempt?

I think this law changes everything when it comes to trading exploits.


>I'm not sure why they would grant an export license, that completely defeats the point of the law. Me making a million bucks can't possibly be good justification to allow my transaction to be exempt?

What would they get in taxes from that million bucks? Export controlled things still get sold all the time, look at any country with a weapons industry. The goal of licensing is to control who they get sold to, not to stop them from being sold.


Good. People who work for companies doing immoral things should definitely face repercussions for it.


[flagged]


"Eschew flamebait. Don't introduce flamewar topics unless you have something genuinely new to say. Avoid unrelated controversies and generic tangents."

https://news.ycombinator.com/newsguidelines.html


[flagged]


I appreciate the honesty.


NSO are directly implicated in aiding the Saudis in murdering a US resident and Washington Post journalist. They knew exactly who they were selling to and how their tools would be used.

NSO are of the same level of people as those who sold cattle prods to Saddam after knowing how their tool would be used.


The NSO contributed to the murder of a journalist, has repeatedly aided in attacks on human rights activists, and according to the complaint, actively assisted or even ran these "operations".

Any of those would have been sufficient to ensure I wouldn't work for them for any amount of money, and I'd quit if I found out about them after I was employed.

Honestly, that's blood money.


Your "morals" preclude anyone from working at any major company. Let alone companies like the Washington Post who helped start many illegal wars and led to the death of millions of innocent people with their lies.

Using your logic, the murdered journalist took blood money.

https://www.washingtonpost.com/archive/opinions/2003/02/06/i...

If you work for pretty much any major company in the world, you are receiving "blood money". If you are working for the US government or any major government, you are receiving "blood money".

Can you point me to a company that is "without sin"?


1. I think everyone would agree there is an obvious moral difference between working for your neighbourhood builder who occasionally overcharges and maintaining the fences on a concentration camp. I.e. there are degrees of harm; we don't deal in black and whites. Working as a kindergarten teacher for a government does not imply you are any more or less responsible for that government going to war than, say, a local independent farmer.

2. Not many people would conflate working for the Washington Post and helping to kill civilians in the Middle East. But perhaps if shown enough evidence they would maybe do so and act accordingly. So knowledge, like the knowledge in this article, enabled the OP to make an ethical decision.

3. Your comment doesn't help anyone. Because you have discounted degrees of harm ("any major company in the world", "any government") and this then undermined the small bit of knowledge imparted (the WP link). The nett effect is a call to inaction.



Would you work for Lockheed or Boeing?


I wouldn't, but this is besides the point.

Is it ethically acceptable to join a weapon manufacturer? A drug cartel? The SS?

You always have to draw a line somewhere.


My assertion is that there is no distinction between Lockheed and NSO. Both are military systems manufacturers with a similar list of clientele, and their products are deployed for better or for worse.


no.

Lockheed because it is primarily a military contractor.

Boeing because one half is military contractor and the other half is cost cutting at the cost of lives.


"They deleted my social media account just because I assisted in the murder of a human rights activst, how aggressive!"


This is unsurprising, given that one of the remedies they're asking for is:

The lawsuit seeks to have NSO barred from accessing or attempting to access WhatsApp and Facebook’s services...


>>I definitely see things warming up.

I think torched is the right word. As in, NSO will be torched, and having them on your resume is not gonna be a good thing. https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act


I don't generally condone punishing employees for what their employers do, but this is a company whose whole business centers on unauthorized control of private resources. It's not at all a stretch to suppose that they exert such control over their own employees' accounts, or would consider doing so, making those accounts effectively proxies for the company. It's unfortunate that the employees are caught in the middle, but their inconvenience (this is social media not bank accounts) is outweighed by other concerns.


I think this IS probably too aggressive and this move probably would not change anything but make such organizations more hostile towards Facebook and their products. I don’t see them as such a big deal; they are somewhat monitored (might be imperfect), aside from the fact that every intelligence corps (including US) is also attacking civilians, tourists and more - even if not with a “bad purpose”, sometimes it might even save lives (if they prevent a terrorist attack or so, using that technology). So why not let other countries have this ability? Obviously if you give someone a weapon it might turn against you, but how can you be so sure it won’t help defend the lives of their citizens? Everyone is using this “weapon” the same way; the only question is what side you’re on. In my opinion, this is not a very destructive weapon that actually risks people’s lives, so it’s fair to share; it will also get there one way or another.


How does she feel about her employer's role in aiding torturing journalists to death?


She claims they are more regulated than other companies with the tech and, like all weapons, mistakes can happen. Also that they did not do a lot of the stuff they are blamed for.

I personally don't believe them but she does :)


Aw shoot. All they need to do is spy on a few high ranking FB people and blackmail them with their dirty laundry to get their accounts back. A walk in the park for them


Your wife should stop working for NSO. Or rather, should never even have started working for them.


I would not work for NSO myself but I am extremely privileged to have written some popular open source stuff and it's a great market for software.

My wife is in finance, it was this or an abusive boss and constant unpaid overtime.

For what it's worth, I think it's the same as working for any weapons producing company (a big no-no for me, but plenty of people there who are very ideological).


Not really, no. Weapons manufacturers, as despicable as some of them are, do not set out to or actively help murder civilians and journalists. Some of them might have in the past, but those are criminals, first and foremost, just as NSO is a bunch of criminals in my humble opinion.

>My wife is in finance, it was this or an abusive boss and constant unpaid overtime.

Or not working at all, considering you are so "privileged". Or working for some NGO, pro bono even, if it's about finding meaning in life and not about paying the bills. Or working as a Walmart greeter or meter maid or orderly in a hospital. I'd rather work my really shit orderly job I used to work years ago than work for scum like NSO.

Given she works in finance, she sounds educated enough and privileged enough to find a nice job that does not involve deliberately targeting and killing civilians. Maybe less "prestigious" or paying less, but still enough to make a nice living on your double income.

I am not buying your excuse, even though you and your wife might be buying it yourselves. Rationalization can be a problem.


>>> if it's about finding meaning in life and not about paying the bills.

It's a lot easier to pursue existential philosophical musings after your mortgage is paid and your kids are fed.


The whole point of weapons is to help murder civilians. If weapons were only useful when pointed at military personnel, nobody would fear an invading army or even bother putting up resistance at all: what is that army going to do, exactly? Just get into street fights mano a mano without weapons?

Weapons are created so they can be pointed at living things, regardless of who they work for. I'm not defending NSO, but let's not pretend selling exploits is any different to e.g. a Taser or rifle manufacturer.


> The whole point of weapons is to help murder civilians.

The sanctioned use of weapons is against belligerents. The intentional killing or torture of civilians or prisoners is a human rights violation, or a war crime during warfare.


How does she sleep at night?


Probably the same as anyone working for Chinese, American, Russian, French, Iranian or Egyptian intelligence services.

Many people are patriots and defend their country's interests.


Which country was NSO defending when they helped Saudi Arabia murder Khashoggi?

As far as I can tell NSO were mercenaries, not patriots.


Saudi Arabia is an Israeli ally. I'm not condoning anything, just pointing out obvious things. NSO Group was founded by Mossad personnel, so it's not surprising that they would sell stuff to their allies.


I'm a bit skeptical of the idea that it was patriotism for Israel that motivated these people to participate in the murder of a journalist critical of Saudi Arabia, even if Saudi Arabia is an ally of Israel.

I'm pretty sure these people are mercs without morals.


Even most mercenaries have some code of ethics. And murdering journalists is not in it as acceptable behavior. This is sociopathic thug behavior you'd expect from mafia hitmen.


How does she feel about the whole thing?


People working for NSO believe they are doing good for mankind and helping stop terrorism. I am not buying the shitty narrative but still love her :)


I'd love to hear about any examples good things they have done. The information currently available paints a bleak picture.


Sadly NSO can't share their customers and they actually don't know many of them and are not exposed to the data. Whomever gets vetted by the US government and the hr Israeli government gets a copy.

I really dislike NSO to the point I don't join my wife on company vacations but she is her own person and I support her choises. She is not in software and the finance and accounting market here isn't nearly as nice.


> she is her own person and I support her choises

You can support her as a person but you should not support her choice to work for a clearly unethical company who has actively contributed to the violation of human rights and murder of innocents.


> Whomever gets vetted by the US government and the hr Israeli government gets a copy.

That explains how Saudis got access to NSO products.


I am surprised I can't edit this on HN (Or missed the UI? I've been using HN for years) and was very tired - but 'choices' :]


You can only edit comments for two hours.


That's straight from a Black Mirror episode... Unsurprisingly no one here cares, because NSO bad.


It’s not that rare: breaking terms of service will get you kicked out quite rapidly.

Being a little assertive with your marketing will get you a couple of warnings and temporary bans but systematic efforts, after Facebook sent Cease & Desist letters, etc. will. Being one of the very few able to hack WhatsApp, refusing to submit the generous bug bounties but instead using that to get US journalists killed… that will get you at the top of the naughty list.

I understand that, without details, OC’s wife might be an innocent accountant, someone motivated by good values but misinformed, or an active and knowledgeable participant in gruesome abuses. We can agree that Facebook doesn’t know yet. I would understand why, once the problem is detected, Facebook might want to take precautions and only revise their individual bans later.


The morals of these employees aren't at question here. The problem is that Facebook, a private company not answerable to anyone, get to decide who is naughty and who isn't, while being a monopoly on online communications.


They get to decide who can use their service, based on whether they abuse other users. That’s not controversial.



Paywall.


https://outline.com/8TFYuj

(Put the URL in bitly then submit to outline)


Just open it in incognito mode to bypass the paywall.


Or pay for it


That doesn't scale terribly well for URLs shared in a public space. How many subscriptions do I need? WaPo, NYT, Guardian, Financial Times, Medium, Boston Globe, LA Times, Scientific American, GQ, Epicurious, etc. Those folks should get together and offer a shared subscription model.


The economics have never really worked for a shared subscription model despite many attempts. Apple News+ is the most recent example.

So, yeah, if you regularly read more than the free allocation for each of those publications in a month, you should consider paying for them. Which ones you "need" is your call.


I get that it's maybe unsolvable. But in the narrow space of sharing urls on HN, downvoting complaints about paywalls feels silly to me.

They made their own bed, they can lie in it. I actively work around paywalls, and have ZERO guilt about it. Your business model failed, and I give zero shits. I want to know what's happening, and am willing to pay $10/month to to fix that across ALL of you that were affected. If you can't solve it entirely, I don't care. Take my $10/month, split it, and shut up or quit bitching.


I'm skeptical it would get noticed, but the kind of submission I want to happen: https://news.ycombinator.com/item?id=21393799


[flagged]


We don’t have a paywall. Whatever news sources you do or don’t pay doesn’t affect me. But thanks for noticing!


Ahh, yeah...thanks for the context. To me, if you have an aggressive paywall, then public moaning about globally sharing your useless URLs is expected. Deal with it. The complainers and workarounders aren't the core problem.

Attention @dang and other HN admin people, this is a constant annoyance. It's time to deal with it. I totally get your position, and your limitations, but it happens EVERY DAY. It is NOT going away, and it's getting worse. It is very clearly making HN less useful.

Is there someone more influential than me that could post an "Ask HN" thread that people might rally around? Feeling inflamed, but not particularly influential. Alternatively, is there a way for me to msg @dang personally? (mentioned specifically because I personally applaud and respect his past history and responses)


You could just message hn@ycombinator.com, but 'dang to my knowledge is okay with paywalls, so I'm not sure if he would want to do anything.


Thanks for the direct contact point. Disappointed, though, at the implication. Why wouldn't HN care that paywalls were reducing their value in a big way? (my 'unlikely to succeed' rebuttal: https://news.ycombinator.com/item?id=21393799)

I sent this to the email address you suggested:

"Please see https://news.ycombinator.com/item?id=21393799

I wish to keep my relative anonymity as "tyingq" on HN, but feel pretty passionate about this submission:

https://news.ycombinator.com/item?id=21393799

I respect @dang's historical appreciation for real complaints, and would REALLY appreciate his reply and advice in the thread.

...with my full appreciation of your opinion and limitations... really.

I fully think the WHOLE community wants to know."


Not expecting it to gain traction, but what I wish HN was paying attention to: https://news.ycombinator.com/item?id=21393799

Paywalls are honestly hurting HN, every day...really.


It's interesting that WhatsApp is suing NSO for CFAA violations under the theory that NSO violated WhatsApp's T&C (paragraph 54). This is the same theory that organizations like the EFF believe is too vague and gives too much freedom to prosecutors to bring criminal charges against people. So I'm curious how the EFF will react to this.


Where's the DoJ in all of this? Why aren't they filing criminal charges against the NSO?


Probably for the same reason the Trump admin whitewashed the Khashoggi murder.


See: Jared Kushner


Is there some relationship between NSO Group and Jared Kushner? I don't see any connection other than that Kushner notoriously is a user of WhatsApp.


The implication is probably pointing to Kushner's alleged habit of talking to foreign contacts on the app, speaking officially, rather than his use on its own:

https://www.theguardian.com/us-news/2019/mar/21/jared-kushne...

Whether their conclusion is accurate though is dubious.


There’s a direct relationship between Jared Kushner and the current administration giving Israel freedom to do as they please.

There’s no planet on which the DOJ pursue legal action against an Israeli state sponsored actor like NSO.


NSO existed during the previous administration. What does Kushner have to do with anything? He's an American, not an Israeli.


I can’t tell if this is a joke or not. He was put in charge of Middle East relations. He spearheaded moving our embassy to Jerusalem.

As for NSO being founded during a different administration: Jamal Khashoggi wasn’t assassinated during that administration's time in power.


No. Why would you think that?


The architecture of the system is important here too.

1. Do the regimes buy the software and set it up themselves, or does NSO set it up and they use the service provided?

2. If the former, is there a route to go for Saudi, Mexican, UAE, Bahraini... governments?

---


You are explicitly (and, if you read Dan's moderator comments, repeatedly) asked not to conduct public hunts for astroturf comments on HN threads. If you think you've seen a pattern of corrupt comments, tell hn@ycombinator.com directly.


Thanks, I haven't noticed any of those comments. I'll mull that over.



The Citizenlab report will probably answer most of your questions about this.

https://citizenlab.ca/2019/10/nso-q-cyber-technologies-100-n...


Lol nice. The lawsuit is requesting as relief a permanent injunction against NSO barring them from using Facebook and WhatsApp for any reason.


I don’t like NSO or what they do, but I don’t think I’m comfortable with the idea that there is legal liability here.

I wonder how much of that hinges on the fact that the messages had to transit WhatsApp servers, even if they didn’t actually hack any WhatsApp infrastructure.

By that same logic, it seems like an SMS exploit targeting a handset could make you liable to AT&T as well.


> By that same logic, it seems like an SMS exploit targeting a handset could make you liable to AT&T as well.

This seems fine to me. Take a different common carrier like the US post office - using the mail to carry out a crime can lead to the additional (and oft-prosecuted) crime of mail fraud.


I am not sure that I am uncomfortable with that. If you are using AT&T's network to commit abuse then you are disrupting the usefulness of that network. I think that the equivalent would be if you committed fraud using the postal system the postal service being able to take legal action against you.


I'm very uncomfortable with the criminal aspects of the CFAA (US government vs Joe Small Man) but I think I'm ok with civil cases as long as we agree that we are not into boats.


True. Though I can see some situations where the criminal aspects would be acceptable. Such as a case where hacking was the proximate cause of catastrophic harm (like a criminal using an insecure industrial control system to crash a power grid).

I am almost willing to support criminal aspects in this case. Extrajudicial killing was a predictable result in giving these tools to repressive governments.


> By that same logic, it seems like an SMS exploit targeting a handset could make you liable to AT&T as well.

Exploiting SMS destroys the trust customers place in the messaging system. This causes damage to all telecommunication services.


They better win. But they probably won't. I love that finally the victim has the ability to use courts across countries.


I really hope they lose. If they win, WhatsApp (and by precedent, everyone else) is less incentivized to invest in technical solutions, and exploits will still be bought and sold among even shadier players.

Take the Saudis for example. They have a desire to hack phones, an unlimited budget for hacking tools, and no ethics. The market will create other players to capture the millions of dollars they have on the table, and they’ll do it out of reach of the courts.

WhatsApp is facing brand damage because people are hearing that they can get hacked (and in some cases, possibly die) if they use their software. Their two options are to either invest in better security, or use the legal system. I think it’s better for everyone if the only option is for companies to actually fix their software.

If WhatsApp paid whatever NSO does to acquire bugs, nobody would sell to NSO.

This is the same reason that Apple recently increased their bounty. Nobody was giving bugs to Apple because the grey market paid more.


WhatsApp would still be plenty incentivized to make their software secure. They understand that this wouldn't get rid of the exploit market, or state actors. I'm sure WhatsApp has been focusing a lot on security lately because of the brand damage.

Even if it wasn't effective in practice, entering this lawsuit can be seen as a message to users that WhatsApp is serious about protecting people's privacy.

Setting a precedent here might force remaining actors to stay shady instead of acting in the open, which would make it harder for them to operate (so they'd be less effective).

However, I have no idea what other consequences a precedent here might have. Definitely interesting.


If someone robs a bank, should bank not sue them? Because it gives them less initiative to increase security?

Security is a multilayer problem. Technology is just a part of it. Regulations and lawsuits are a big part of it as well.


Sorry, wait, by the "victim" -- you mean Google, i.e. assembly line of data assimilation?


I’m wondering if this is the specific reason(or one of the reasons) why serving 5 Eyes military folks I know all seemed to ditch WhatsApp approx 20 months ago.


Not everything FB does is evil then ... unless it's a PR stunt, of course.


If WhatsApp is end to end encrypted then how can spies can access messages?


I'm assuming gaining access to the phone itself. This is probably an exploit via the WhatsApp app that allows privilege escalation of some type.

Note: I'm in the medical field and this is not my expertise.


So Facebook are suing NSO for having hacked Apples or Googles software?

My point is once end to end encryption is enabled -- no MITM vulnerabilities should exist. Kind of like how password managers protect your password -- not even they can see it.

I think this is indicative that Facebook doesn't enable true end to end encryption so they can read messages themselves but advertise that they don't to attract the privacy dollar.


You misunderstand how end to end encryption works and what the vulnerabilities were. These are not MITM attacks. I suggest you read the article or the affidavit, they do a good job explaining what happened.
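The point made in this reply, that end-to-end encryption blocks a relay or man-in-the-middle but not an attacker who controls the endpoint, can be shown with a small model. The following is an added example, not WhatsApp or Signal code and not from the article or the affidavit: a constructed toy cipher (an HMAC-SHA256 keystream plus an HMAC tag, standing in for a real AEAD) with a relay that forwards what it cannot read and a device that stores what it has decrypted. The session-key setup is assumed to have already happened out of band.

```python
"""Toy model (added illustration, not WhatsApp/Signal code) of why end-to-end
encryption defeats a relay/MITM but not a compromised endpoint. The cipher is a
constructed HMAC-SHA256 keystream with an HMAC tag; a real messenger would use
an audited AEAD such as AES-GCM or ChaCha20-Poly1305."""
import hashlib
import hmac
import secrets
from typing import List, Optional

NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(shared_secret: bytes):
    """Split one shared secret into separate encryption and MAC keys."""
    enc_key = hmac.new(shared_secret, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC (toy construction, not for production)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(shared_secret: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(shared_secret: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None if the tag check fails (tampered in transit)."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Device:
    """An endpoint: holds the session key and the decrypted message store."""

    def __init__(self, shared_secret: bytes):
        self.secret = shared_secret
        self.inbox: List[bytes] = []

    def receive(self, blob: bytes) -> bool:
        msg = decrypt(self.secret, blob)
        if msg is None:
            return False
        self.inbox.append(msg)  # plaintext now lives on the device itself
        return True


class Relay:
    """The messaging server: logs and forwards blobs it cannot read."""

    def __init__(self):
        self.log: List[bytes] = []

    def forward(self, blob: bytes, tamper: bool = False) -> bytes:
        self.log.append(blob)
        if tamper:  # a man-in-the-middle flipping one ciphertext byte
            i = NONCE_LEN
            blob = blob[:i] + bytes([blob[i] ^ 0x01]) + blob[i + 1:]
        return blob


def run_scenario(message: bytes = b"draft article attached") -> dict:
    """Runs one delivery, one tampered delivery, and an endpoint read-out."""
    secret = secrets.token_bytes(32)  # constructed: stands in for the E2E session key
    bob = Device(secret)
    relay = Relay()

    delivered = bob.receive(relay.forward(encrypt(secret, message)))
    tampered_ok = bob.receive(relay.forward(encrypt(secret, message), tamper=True))

    # The relay only ever held ciphertext, so the plaintext never appears in its log.
    relay_sees_plaintext = any(message in blob for blob in relay.log)
    # Whoever controls the endpoint reads what the app already decrypted; no MITM needed.
    endpoint_attacker_reads = message in bob.inbox

    return {
        "delivered": delivered,
        "tamper_detected": not tampered_ok,
        "relay_sees_plaintext": relay_sees_plaintext,
        "endpoint_attacker_reads": endpoint_attacker_reads,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The scenario returns `delivered` and `tamper_detected` as true and `relay_sees_plaintext` as false, which is what end-to-end encryption promises; `endpoint_attacker_reads` is also true, which is why the defensive focus after an exploit of the app itself is on patching the client and hardening the device, not on the transport.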


Cooley really making a name for themselves out here


I wonder if this will create a precedent?


I saw this article earlier and wanted to read comments on it here. It had already been posted five or six times, but never made it to the front page. Glad it finally did, as it should. But what a weird dynamic.


That's not uncommon. The easiest explanation is the simplest: randomness.


is there a HN discord or something?


There's a semi-secret, invite-only, HN Slack channel.

[Edit: I don't think I mean channel but the terminology for what I'm saying eludes me]


...so how do I get an invite?


Is it possible to get an invite?


It wouldn't surprise me, even if it were not officially sanctioned. Perhaps this is just the human desire to find patterns in everything, but I have seen at least some evidence of coordinated up/downvoting that pushes specific agendas on here. The unending GDPR fanboyism is one example. It's either the worst case of groupthink I have ever seen, or people are coordinating.


It's no secret that many people on Hacker News would like stronger privacy regulation.


I don't want to get into a long GDPR discussion, but the idea of privacy regulation is great. GDPR, however, is deeply flawed. Yet any comment even attempting to discuss those flaws in a rational manner are instantly downvoted into oblivion, while comments glossing over its flaws are instantly upvoted. It's pretty clear that there is some coordination going on.


Not trying to be snarky, but my experience is almost exactly the opposite.

I can't comment on voting patterns, but while GDPR was being prepared, and after it was released, there was an endless barrage of posts claiming how it was flawed, lead to the ruin of technology companies in Europe etc, and it should be replaced by something else (anything else, at some point in the future - and in the meanwhile please stop getting in the way of tech companies trying to make a profit)

Frankly I would not be surprised if there was indeed a reflexive downvote effect that is not caused by a shady conspiracy but rather people like me who are tired of posts like that.


Why is the moderator censoring "Israel" out of the title of the original article?

"WhatsApp sues Israel's NSO for allegedly helping spies hack phones around the world"


The article title is "WhatsApp sues Israel's NSO for allegedly helping spies hack phones around the world", which exceeds HN's 80 char limit, so it had to be shortened somehow. The submitted title was "WhatsApp sues Israel's NSO for allegedly helping hack phones around the world". I changed that to "WhatsApp sues NSO for allegedly helping spies hack phones around the world" because it seemed to me that the "spies" bit adds more information than the "Israel's" bit. There's a difference between "helping hack" and "helping spies hack".

For completeness, I do think the commenters pointing out a slightly nonstandard weirdness in the phrase "Israel's NSO"—like the one comparing to "America's Google"—have a fair point. (Exercise for the curious: have there ever been many titles like that?) But it was not the determining factor.


NSO founders' ties to the Israeli government are a bit more essential to their business than the Google example. See also the China examples from another commenter. I'll bet there are examples of "Russian company XYZ" as well. In cases like these, the nationality of the company and especially of its former-unit-8200 founders does seem rather germane.


Until I read the article, I assumed "NSO" would be a US government three letter agency. But hard to convey it is a company too in 80 chars I guess.


The way the name "NSO" sounds like a government intelligence agency reminds me of the way "United States Chamber of Commerce" also confuses people: https://0x0.st/zYWr.png


>Exercise for the curious: have there ever been many titles like that?

I found a few "China's Huawei", "China's Tencent" and "China's Baidu".


So it could as well be "WhatsApp sues Israel's NSO for allegedly helping spies hack phones".


Because it's a company, not a country. It's like referring to Google as "America's Google."

Also, the article has nothing to do with Israel besides the company being located there. Don't try to politicize everything.


Given how strongly the Israeli security sector is tied to its national government, including directly recruiting from the military and often acting on its behalf, the distinction is quite ridiculous.

Would HN have censored "China's Huawei?" Obviously not, it's the typical bias concerning western governments and allies that seems to be getting more blunt as time goes on the website.


Tech companies in Israel, security-related or otherwise, are tied to the government just as much as, if not less than, in the US, the UK, or France. There's nothing even remotely resembling the situation in China. "Recruiting from the military" is true for virtually every company in Israel, including sewage treatment companies, because military service is mandatory, and that's where people usually are before they get a job.


What about the 2 spies who interviewed citizen lab researchers looking for dirt on them?

Clearly it's the Israeli government.


It does take a lot of context out. I know what Google is. No idea what "NSO" is.


On the other hand, "Israel's" makes it sound like it's a governmental intelligence agency rather than a company. Misleading context could be worse than no context.


Sure... I'm no expert. But "NSO" is CLEARLY not enough context for readers...full stop.


On HN, there's no need for every title to explain itself fully, especially when it's trivial to find out the missing information. It's good for readers here to have to work a little: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...

Also, many readers have followed this story and know what NSO is. There's no title that fits the bill for everyone.


I respectfully disagree. A three letter acronym implies shared understanding. NSA, CIA, GHQ, MI6, KGB, IBM, AMZ, USA, etc, are globally recognized. NSO is ambiguous and confusing in a headline and demands explanation.

Google tells me that "NSO" is "Nurse Malpractice" for the entire first page fold. I assume it's similarly unhelpful in other regions for other people. C'mon, it's not a big, recognized, entity. Wait a year and the problem will be even more apparent.


There have been a number of posts about NSO on HN, and most of them do not say Israel in the title. But most of them do say "NSO Group" instead of "NSO", so maybe this title should have said that too. Although you might blame that on Reuters as well for not having "Group" in their title when that is actually in the name of the company.

https://hn.algolia.com/?dateRange=all&prefix=true&query=NSO&...


Good point. "NSO Group" would have helped me a lot, and avoids the immediate political innuendo. @dang: An obvious compromise.


Ok, we can do that.


Literally the first sentence of the Reuters article says what it is. It's not as if this is hard to answer.

The principle that it's good for readers to work a little is bedrock on HN. We want users who figure things out for themselves. That spurs the intellectual curiosity HN exists for.

https://news.ycombinator.com/newsguidelines.html


You disagree with calling a company by their name?

If you have an issue with how they named their company, you could write to their CEO and let him know that he is using 3 letter entity names improperly. Unless you want the community to pick a new name to bestow upon them, I’m not sure what you expect from us.


Apparently, their name is "NSO Group". So I agree with many of your points.

Or we could all just simultaneously guess what popular 3 letter NSO acronym it really is?

https://acronyms.thefreedictionary.com/NSO

Seriously, that's a lame answer. There's almost certainly another "NSO" company with more past or future notoriety/revenue/whatever. Why be ambiguous when that's not actually their name? The name is "NSO Group".


This entire thread could have been avoided by you simply reading the first sentence of the article. No Google searches or long discussion needed.


The first sentence of the article states "surveillance firm NSO Group".


It's owned by European private equity fund Novalpina Capital. Not really an Israeli company.


It's part owned by Novalpina. It's still a company founded by Israelis, headquartered in Israel. Is Ikea a Dutch company? I'd say no.


From 2014 to Feb 2019 (during which I think a lot of the hacking occurred) it was 100% owned by the American company Francisco Partners.


Without clarification it's unclear exactly what NSO stands for. If Google was relatively unknown, it probably would be referred to as "America's Google."

Also, NSO's founders were members of the Israeli Intelligence Corp (source: Wikipedia). Given the military links it would be reasonable to include its origin. News outlets would likely do the same for a Chinese company.


That they served in the intelligence corps does not imply "military links" in Israel (I'm not familiar with the company, and there could, indeed, be military links, but that fact is not any evidence in support of that). Probably 80% of people with technical background in Israel have done their mandatory military service in the Intelligence Corps or the air force. Among startup founders the ratio is probably higher. In other words, virtually everyone with a higher education served in the military, and those in STEM fields are likelier than not to have done it in the intelligence corps.


Double standards. Obviously it is an Israeli-led company.


Ummmm...Israel Govt allows them to export these tools. So yeah. The Israeli probably gets something in return from countries, in addition to NSO getting paid.


Typical double standards. See any post on HN (or anywhere else in the western media) about any Chinese company.


I disagree. I know who Huawei is and don't need the "China" context. No idea what "NSO" is, and I don't think I'm unique in this regard.


If you haven't heard of NSO, does "Israel's NSO" actually clarify anything? Maybe now you know where they are, but you're still no more informed as to what they are.


Yes, it tells me a lot about intent, where people's opinions might lie, and so on. We can pretend like global politics doesn't set context, but it just...does.

"Israeli Security Firm NSO" would totally clarify it for me.


NSO is a hacking and government-sponsored-terrorism firm, not a security firm.


It's not "government sponsored." It used to be owned by a British company, and was sold to a European private equity firm.


Good context I could use.


Bit wordy for a title limited to 80 characters though.


I imagine news orgs find a way to balance. "NSO" is pretty clearly not enough.


> See any post on HN (or anywhere else in the western media) about any chinese company

That of course is not true.

https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...


Once I clicked through to see "Israel's", it immediately clarified who they were, at least to me -- in fact I recently watched an entire 60 Minutes segment about them.

Just NSO sounds like some government agency I had forgotten about.


To give the benefit of the doubt, this is the longest title on the HN homepage, even without "Israel". Perhaps it was just to shorten it?


I wonder if the same censoring would happen if it’s a Russian or Chinese company?


Well, let's see:

https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

I don't see any reason to have a policy about this one way or the other, but in most cases there's no need to say which country a well-known company is from. There are a couple instances of "China's Huawei" from over a year ago, but that's negligible compared to the number of headlines about Huawei overall.


Because it's not hard to find out that the NSO Group is from Israel, eg googling.


[flagged]


You're no doubt being downvoted for posting unsubstantive flamebait. Plenty of substantive comments here don't "loves Facebook".

Please read the site guidelines and follow them when posting here.

https://news.ycombinator.com/newsguidelines.html


[flagged]


Yes, but that's unrelated to this lawsuit.


Woooow. I'm almost speechless. Unprecedented indeed. I never would have expected this from Zuckerberg.


[flagged]


Israel is home to many industries focused on fraud or crime against citizens of other nations. And they generally don't extradite their citizens which makes the problem worse. See also the "forex" and "binary" industry based out of Israel.


Is "what they do" letter-of-the-law illegal in the US? There are firms in the US that sell vulnerabilities and implant software.


I believe that the distinction lies in "state actor" immunity.

A USA company selling stuff to USA state agencies won't be prosecuted by USA courts because that use presumably isn't criminal in US law; you could have legal challenges to the agency itself but in general the seller can assume that it's the responsibility of USA gov't if they break their own laws.

An Israeli company selling stuff to foreign agencies that gets used "elsewhere" on other citizens won't be prosecuted by USA courts because they don't have jurisdiction and it's none of their business if some other government decides to wiretap or torture-murder some of their citizens in their territory with the assistance of that stuff.

But if a foreign government hacks a phone of someone on USA soil, then that's a crime in USA and it doesn't matter if it was legal under their laws or they had proper warrants or whatever, USA law doesn't have an exception for that unless that wiretapping was done in cooperation with USA authorities under whatever procedures they consider appropriate. And if some company is complicit with assisting that crime then it can be targeted by USA courts, if it can reach their people or assets somehow.

I.e. it's not that "doing this is unacceptable as such", but "doing this in USA requires permission from USA - we had it, you did not".


There are private companies in the US that develop and sell exploits and implants, not to the US government, and not with any official sanction.


I'd argue if it turns out that after the sale those exploits and implants would get used in USA against US citizens without sanction of USA gov't, then those companies might be found (co)liable for damages in a US court.


Maybe! Look at how long NSO has been around before this suit.


Oh yes, that's definitely a long game - detecting a compromise often takes a long time, attribution is tricky and takes time, and after that court cases will take years, e.g. the ongoing whether-NotPetya-is-act-of-war insurance civil case.


Whatsapp still processes complex data from any stranger in the world entirely without a sandbox. Its E2E encryption is like sending and receiving messages with a top security truck, but then on arrival, storing them in a tent.

The fault here really lies in the design of whatsapp. Not the thieves who saw an open door.


The fact that you leave your door unlocked doesn't excuse someone burglarizing your house. Facebook and Whatsapp totally deserve blame for lax security here, but that does absolutely nothing to absolve NSO of exploiting that weak security.


Let's look at a house analogy:

* If I leave the door unlocked is someone entering it and taking my property my fault? According to insurance companies it often is, but not the law. Whose side are you on?

* If I've locked the door, but there's a window that doesn't latch properly, is it my fault?

* If my door doesn't have a kick plate, is it my fault for not providing adequate security?

* If they break the windows, is it my fault for not having bars on my windows?

Making software secure is hard, but saying that the existence of any bug instantly means that the software manufacturer is culpable for how someone [ab?]uses those flaws is clearly nonsense. No one wants to deliver software with bugs in it, but NSO is clearly ok using those flaws to attack and kill reporters and HRAs.


>Whatsapp still processes complex data from any stranger in the world entirely without a sandbox.

Isn't that also the case with every phone and desktop email client?


That's... not how culpability works.


What kind of sandbox should WhatsApp have used?


A magic one that fixes all security holes of course :)

More seriously: I thought they popped WhatsApp on iOS as well? That would imply sandbox escape there as well - although the default iOS sandbox is more a quarry :)


Rooting an iphone is certainly useful, but just having access to all of a target's WhatsApp messages would also be very interesting to NSO's customers. Further, WhatsApp likely has permission to access photos, etc.


I tend to agree with op. Surely the NSO has blame but the real problem is the hole in WhatsApp and the fact that their security could use serious improvement. They even allow making backups of the unencrypted database to the cloud defeating the whole e2e encryption.


Hmph... pot calling the kettle black.

Facebook (which owns WhatsApp) engages in mass surveillance / info gathering / spying on its users. It does so on behalf of its paying clients (= not the users); and also on behalf of the US government: The NSA gets a copy of most of everything (as we know following Snowden's revelations).

So, Facebook definitely intrudes on people's privacy, even if it doesn't "hack phones".

Still, I wish _both_ companies had to face harsh consequences for their conduct.


Facebook has been selling information about journalists to governments who intend to assassinate said journalists? Do you have a source for that claim?

Otherwise equating the two is ridiculous.


Facebook has been giving out information for free, about all people, including anyone the US intends to assassinate, to the US government.

Whether the US government was actually intending to assassinate any of Facebook's users - I have no idea; I don't have access to the assassination lists the president signs.

