What is frustrating is the NSO group continues to exist despite all the bad they do. How many people are they responsible for being on the receiving end of a bone saw?
At the risk of being boring: software liability would go a long way towards getting companies to do this work themselves. Even though Apple is the largest company on the planet an entity that has a small fraction of the budget is apparently able to do a better job. I don't see why Apple couldn't make those people an offer they can't refuse. That takes them off the market and has them doing something productive.
> Even though Apple is the largest company on the planet an entity that has a small fraction of the budget is apparently able to do a better job.
NSO Group is Israeli and (most likely) filled to the brim with former Unit 8200 staff. About the best of the best the IDF has to offer - they've been said to match the NSA in quality.
> I don't see why Apple couldn't make those people an offer they can't refuse.
For all that can be guessed, they're a semi-private company, deeply connected with the Israeli government [1]. No one can pay these guys enough. If you want them to stop, you'll have to get the Israeli government to agree, and they won't give up any asset that gives them an edge over Iran or its numerous other enemies.
So stop shipping iPhones to Israel until they play ball. If they're that smart they can roll their own phones. These companies do immense damage and endanger lives the world over. Given enough time and budget there is nothing that can't be cracked and it's the very worst actors that have access to this stuff.
As much as I agree with you... I think it's most likely that the US NSA, UK's MI(whatever), Israel's Mossad and a bunch of other secret services all cooperate with each other. No way these guys get taken down, and no way that the sanctions that have been nominally announced actually get enforced at the murky, intransparent bottom layer of the secret services.
Someone has to crack open the phones of drug kingpins, terrorists etc. after all.
You are severely underestimating the power of an entity like Apple. HN regularly spouts opinions that if US companies don't like the GDPR they should just stop doing business with the EU. That's a massive block of consumers and I highly doubt any company that likes its bottom line is going to take that approach.
But we're talking about one company here that simply should stop selling their crap to the highest bidder. I'm at some level ok with the Israelis doing what they do, they're no different than any other nation state. But to allow this sort of entity to operate from your soil in a commercial manner, including selling those exploits on the open market where they will inevitably be used against the home country as well seems 'optional' to me and there are a lot of Israelis that like their smartphones.
Why would an entity the size of Apple risk their reputation and everything they stand for to avoid a run-in with a relatively tiny company in a relatively small part of the world that is causing an enormous amount of problems?
So tourists (or people visiting for family or work) who own iPhones wouldn't be able to use them in Israel? You can probably see how that's a tough sell.
Yes, that's exactly it: you harbor this sort of company you will not be able to pretend it's business as usual on other fronts.
After the 500,000th Facebook post of tourists linking NSO to 'my holiday in Israel was spoiled and I won't be going back there' I'm pretty sure they'd get the message.
I'm ok with whitehat hackers but this shit has to stop. Mind you, I have an old Nokia so it's not as if I'm affected, the only thing I have to worry about is the baseband processor and my telco. But there are plenty of people who need a smartphone for their work and their opsec is pretty much as good as their phones' security.
That would be an extraordinary act of political activism which is never, ever going to happen. I'd argue it's not a corporation's place to take such an action in the first place. This is, if anything, a diplomatic matter and should be left to the state.
I mean what next, stop selling to the KSA because of their gay rights issues? Iran? Russia? Where does that end? Well, it won't even begin, and rightly so. This is a state matter and they should stay in their lane. They're doing all they can, and should.
BTW, I bet there's more than a few USA organisations who are quietly very annoyed about Apple's relentless bug-fixing. Organisations like NSO are tolerated for a reason.
> So stop shipping iPhones to Israel until they play ball.
For what purpose? They would still procure iPhones through gray channels and hack them because that's what their victims use. Should Apple also stop selling phones in every other country, because that's where many of NSO's exploits are actually used?
What other purpose? Annoy the local population? Create a grey/black market where you're even more likely to be given a "pre-hacked" unit?
Ha! That's some nice fan fiction. Look at how Elon is torpedoing himself even further trying to take on ADL (let's be frank, they clearly have ties to Israel). It took far right wing people + Elon bringing the issue up to even have a discussion on pushing back against ADL (and now ADL can just say that's just clearly anti-Semitic people being anti-Semitic) so the issue is already dead.
Apple being a public company with many institutional portfolios holding their stock would not survive these portfolios dumping their shares due to pressure if they announced this. This could even be enough to force remove Tim Cook from his role. Why would he take such a drastic position?
This rot is at all layers of the western world (UK, Canada, AUS, NZ, France at least). All the way from state governments passing laws saying you cannot boycott Israel or else you'll be barred from contracts (Anti-BDS laws) to congress removing members from their committees if they criticize Israel (eg. Ilhan Omar) and signing loyalty pledges to Israel. When ANY new resistance appears against Israel, multiple groups in all of these countries move at light speed to enact a response.
The downsides of having these exploits is clearly acceptable to all the people that make the decisions. And it's not like a regular person can use these exploits against members of congress to make them feel the pain. They'll just 'Julian Assange' you.
What you are proposing requires massive reform at ALL levels of government and across the western world as this is not only a US problem. Good luck with that.
This requires changing fundamental beliefs of the majority of people who vote in these governments. They have a special "bond" with Israel and they won't willingly let go of that. You'll be better off just reverse engineering the complete iOS binary and finding every possible exploit.
> It took far right wing people + Elon bringing the issue up to even have a discussion on pushing back against ADL (and now ADL can just say that's just clearly anti-Semitic people being anti-Semitic) so the issue is already dead.
The issue is dead because Elon's grievance is patently absurd. He's accusing the ADL of singlehandedly engineering a 60% drop in Twitter ad sales. It would be genuine comedy were it not for the fact he's handing a megaphone to the worst-of-the-worst groyper kindernazis.
That's my point. Pushing back against the ADL is almost impossible and when it finally happens it is associated with these knuckleheads. Therefore it is easy to dismiss...but there are serious abuses done by the ADL (just look up their history) and they now get to skate free.
You seem to be implying the issue is the messenger and his dimwitted minions, when really it's the message itself. If these guys are as nefarious as you're implying, surely the richest man on the planet could dig up something that's not prima facie absurd?
Thanks for clarifying. I'm not familiar enough with this organization to either stake a position for or against, but one passing observation based on that wiki page:
> Right-wing groups and pundits, including right-wing Jewish groups, have criticized ADL as having moved too far to the left under Jonathan Greenblatt, labeling it a "Democratic Party auxiliary"
> In August 2020, a coalition of progressive organizations launched the "Drop the ADL" campaign, arguing that "the ADL is not an ally" in social justice work. The campaign consisted of an open letter and a website, which were shared on social media with the hashtag "#DropTheADL". Notable signatories included the Democratic Socialists of America, Movement for Black Lives, Jewish Voice for Peace, Center for Constitutional Rights, and Council on American–Islamic Relations. The open letter stated that the ADL "has a history and ongoing pattern of attacking social justice movements led by communities of color, queer people, immigrants, Muslims, Arabs, and other marginalized groups, while aligning itself with police, right-wing leaders, and perpetrators of state violence."
Always interesting to see entities criticized for being both too far left and too far right.
To me, the ADL doesn't seem right or left within the US. The evident goal of their org today is to silence criticism of US-Israel relations and run PR for Israel in general, which makes sense given its founding org. That's its own thing, in fact it'd be counterproductive to do it in a partisan way.
I’m sure there are a lot of committed patriots there but I doubt it’s the whole company. Tim Cook could drop 1% of their cash on hand and see how many of them would turn down a million or two as a signing bonus, and if that didn’t work he could escalate to 10% or toss in some stock. I find it unlikely that wouldn’t tempt a lot of people, especially since the U.S. is one of Israel’s staunchest allies so it’d be pretty easy to tell yourself that pile of cash isn’t selling out.
The real reason they don’t do that is trust: how could you ever be confident that someone wasn’t passing information back to Unit 8200 or even helping them out?
I understood but am skeptical of that - they'd block sale of the entire company but I think it'd be a surprise if they prevented a bunch of Israeli nationals from accepting prestigious jobs with an American company.
Consider as well that designing (known obsolete at the time, with no practical threat to Israel) long range weaponry for a relatively benign enemy (Iraq was never Iran or Egypt) is likely far more forgivable than assisting a far more powerful foreign power, with a history of at times cool relations with Israel, with the current high priority useful intelligence tool in which they are known to have an unusual world class edge right now.
Gerald Bull was annoying. Someone good leaving any of the APT groups in Israel to help Apple get better security or anyone else would be borderline treason.
NSO seems more like a business. If Israel wanted to, they could pay NSO to keep their software internal/private, no?
The more devices that get exploited, the more exploits that get closed. That's how you lose your edge against your enemies.
Unless they're so confident in their stream of exploits that it's worth burning a few. Or these nation states are buying the devices to operate these exploits and operating them in their security labs...hrmmmmm...
It appears that the Israeli government operates the same way as the Russian government with respect to their private black/gray hat companies and groups: hacking other people is OK, just don't hack our nationals or our institutions, and we're cool. And if they hack companies or people seen as hostile, so much the better.
If Apple buys NSO Group and shuts it down, other firms are incentivized to enter the market especially because of the prospect of a nice payday if Apple buys the new firm, too.
Anyone buying them and shutting them down won't even temporarily make the problem better, as NSO has competitors who would immediately hire the best people.
That's true, but I'm not entirely sure why this would be relevant to include in my comment? It's just pointing out that other vendors exist in this space other than NSO Group. I don't even see the hypocrisy if I had posted that while working at one of the places I mentioned? How would you rephrase it?
(It seems like you know me, are you someone I've met before?)
Yes they can? It's totally possible for a small, well connected, group to be writing small pieces of custom code in very critical applications, like core reactor controls system for navy submarines.
...implying the scrutiny Boeing is held to does anything beneficial.
The regulatory capture resulted in a pathological operating module that put over 346 in an early grave because they couldn't be arsed to not cut corners; then on top of it all, there's no substantive finding of liability or wrongdoing.
Laws that are ultimately unenforced due to 2B2F might as well not exist at all.
I don't want to defend Boeing's management but even with the worst failure in, what, half a century? it's still much safer to fly than drive so I wouldn't be so quick to throw aviation security culture under the bus.
I think you should really think about what you're saying. Would you cut makers of physical artifacts the same slack, say a small prepared food producer who just can't afford to vet their supply chain or final product to make sure it's not contaminated?
This has already played out. Most consumer software specifies that it cannot be used in medical devices, or for nuclear energy production. So some version of this already exists. But should this apply to video games? Horoscope websites? Random number generators? I'm just pointing out that it isn't a universal argument.
I don’t understand your comment. Are you saying that involving trial lawyers and US juries to collect big settlements from Apple is going to stop the NSO Group? Or is it that the NSO Group should be liable for the actions of their clients?
I don't understand your comment either. You say you don't understand and then you give a choice between two narrow interpretations neither of which seems to cover what I wrote.
To make this a bit more productive:
If Apple were liable for their defective products then they might decide not to ship them at all until they can be sure enough that the risk of the lawsuits putting them out of business is small enough that they can absorb it.
This worked wonders for other industries (notably: automotive, airlines, medicine). It may slow them down a bit, you may have to wait a bit longer for the next iteration of some gadget. But that's a small price to pay in my opinion.
As for the NSO group: I'm suggesting that Apple use their well filled cash coffers to buy these guys out, and failing that that they use some of that money to sue them for all of the damages that Apple incurs as a result of their actions as well as any criminal charges that they might get to stick. See 'Sklyarov'.
It wouldn't be the first time that a US judge finds fault with a foreign company. At a minimum it would slow them and their employees down to the point that they will be in a US jail the next time they visit Disneyland. If it works against illegal gambling operations I see no reason why that sort of mechanism can't be brought to bear against state sponsored hacking groups and their employees.
> If Apple were liable for their defective products then they might decide not to ship them at all until they can be sure enough that the risk of the lawsuits putting them out of business is small enough that they can absorb it.
I think this works best at that level, like if there’s a sliding scale based on your company’s importance to normal people’s security. I think a lot of developers are worried that their two person consulting team is suddenly liable for bugs but it’s totally reasonable to say that Tim Cook should shake the spare change out of his office couch, call Graydon Hoare into his office and say “here’s a billion dollars, who should we hire so I never hear the phrase ‘buffer overflow’ again?”
> If Apple were liable for their defective products then they might decide not to ship them at all until they can be sure enough that the risk of the lawsuits putting them out of business is small enough that they can absorb it.
> This worked wonders for other industries (notably: automotive, airlines, medicine). It may slow them down a bit, you may have to wait a bit longer for the next iteration of some gadget. But that's a small price to pay in my opinion.
That's quite a big price for non life-critical equipment that is a billion times more complex than a pacemaker or the safety-critical parts of an airplane or car.
A billion times more complex than the safety-critical parts of an airplane? I think you lack perspective on avionics packages and the safety measures that are undertaken in that industry. Additionally, I think you're vastly overestimating how complex a smartphone is.
A billion might be hyperbole (although I don't think it's a totally unreasonable guess either), but phone software is many GB large; I could easily believe that there are a million more MC/DC points in phone software than in the safety critical part of airplane software.
Pacemakers are one of literally millions of regulated medical devices. If my CPAP fails one night, I don't die, but it's still regulated to ensure it's not gonna fail. You want this to be pacemakers vs Tetris but it's not. It's hearing aids and contact lenses and insulin pumps and wheelchairs and nebulizers and all kinds of devices that will not get you killed if they fail AND YET they are highly regulated and rightly so.
I mean, I assumed from context it was meant regulated in the way life-critical devices are regulated, since the mentioned industries like airlines have elements that must comply with the regulations life-critical software has to (e.g. full MC/DC test coverage and what not).
If the goal posts are being moved to regulated in any form, phones already meet this criterion as there exist regulations they are subject to.
So what regulation precisely did you have in mind and would it prevent the issue being discussed?
Maybe that’s true, it probably is, but they should still be sanctioned into oblivion considering they consistently are in the headlines on the wrong end of this being used for deeply questionable purposes.
The US enjoys some fruits of their labor and they're conveniently distanced from any explicitly funded operations to avoid blow back when exploits are publicized. They won't enforce sanctions or, more practically, withhold the massive defense subsidies they give to Israel.
>... as greed leads them into bed with the wrong people.
I'd hope they're at least targeting their own customers as part of state-sanctioned operations. Still, that doesn't justify the dissidents they indirectly facilitate being thrown under the bus. Or on the receiving end of a bone saw, as another commenter put it.
Allowing a US+Israel-approved* company to do this makes higher revenues possible, meaning they can attract higher talent => more hacks. Which would be fine if we prevented them from selling to unwanted customers. With weapons, we control who gets them, regardless of money.
* I was going to say "sanctioned," but that word can mean two entirely opposite things, it's dumb
True, but there’s a real question about how effective they’d be. NSO has the veneer of legitimacy which means they can hire top notch talent by pretending their products are just law enforcement tools – fewer people would be comfortable working for a Russian mercenary group or able to tell their friends and family their work for a Chinese government vendor wasn’t helping oppression. That doesn't mean that everyone in the world is comfortable working for them but think about how it is for Palantir where a significant percentage of top tech talent don't seek employment there due to ethical concerns - NSO has similar problems but they'd be an order of magnitude worse if they weren't in a close ally country.