Hacker News
Spyware Maker NSO Group Promises Reform but Keeps Snooping (nytimes.com)
86 points by haasted on Nov 9, 2019 | 29 comments



Members of this organization need to be pursued as criminals. Internal reform of a criminal organization is a sick joke. They're all accessories to murder; changes to company policy don't change that.

If their government is intent on protecting them from prosecution, then extralegal retributive action taken by a competing spy agency could be suitable payback. Unfortunately that assumes the existence of a competing spy agency that isn't equally morally bankrupt.


> Members of this organization need to be pursued as criminals

Not sure why this is being downvoted. NSO and its employees willfully facilitate criminal violations of CFAA, among other laws. (They have received payment in U.S. dollars, making the question of jurisdiction trivial.)

Given the heinousness of some of the crimes they've aided and abetted, many against American citizens, most Americans would be on board with arresting their employees on arrival in America or our allies.


Providing tools that could be used to violate the CFAA is not the same thing as violating the CFAA. There are several US companies that do this. There is nothing illegal about it as long as you don’t sell to countries on sanctions lists.


Their customers are far too inept to use their tools, if you can even call them that given that they are specialized for just about every target (group). It's one thing to make a cruise missile but another entirely to sell it with a preloaded flight path and a consultant on hand to help you press the button.


Knowingly assisting organizations that target human rights activists and reporters, and assisting the incarceration and murder of those targets makes you a criminal.

They are criminal accessories to gross human rights violations and murder, and should be prosecuted as such.


At the very least all US internet companies should follow Facebook’s lead and deplatform their employees.


I assume you also plan to arrest gun makers for gun deaths?

What about companies that produce bombs, will you arrest them as well?

Save your outrage for those who actually spied, not on those who make the tools.


That's an interesting comparison. But one difference is that bombs and guns can be used against any target (any human, animal, building), as well as non-violent targets such as for practice, competition, entertainment, or for intimidation (e.g. mutually assured destruction).

Whereas Pegasus was designed to exploit a specific WhatsApp vulnerability, and to interact specifically with WhatsApp's servers. And NSO had paid support relationships with the organizations doing the attacking.

Another difference is that NSO employees themselves had to reverse engineer and exploit the vulnerability during development (possibly illegal under the CFAA). This action also violated WhatsApp's terms of service. There's no parallel to this with guns and bombs.

Another difference is that according to the complaint, NSO-operated servers talked to the exploited devices. So this wasn't just a tool that NSO handed over to governments to be used (like guns and bombs) and then was uninvolved in, it was a service that NSO operated, and governments issued commands to the service telling it who to attack.


The Hacker Team, a similar Italy-based outfit, was hacked to death several years ago. Seemed quite fitting. Talking about legalities when they supply governments (India is still a democracy btw) sounds naive.


Yes yes, but the supply/demand economics remain, so even if you get rid of them they'll be replaced. Governments and laws not catching up with tech and being hostile to their own people is creating the demand.

Are exploit brokers like Zerodium exempt from this criticism because they offload the targeting and execution part to third parties and governments?


Bullshit.

There's a limited pool of talent that can generate something like this. If you make it sufficiently toxic and/or difficult to work for a company that is involved with flagrantly violating human rights (like NSO), you'll substantially starve them of talent.

Worst case, you'll significantly reduce the quality of their exploits. Best case, it'll be effectively unavailable.


Ok but where will that talent go? Countries will just get someone else to start a firm and support it. It's an arms race and you're blaming defense contractors for supplying arms!

The people with power to be hostile to exploit devs who sell their talent to the highest bidder are the same people who are bidding for that talent. So long as NSO Group and others don't harm the interests of countries protecting them, they will always be in demand.

If even the entire West punished developing exploits for money as a high crime, at best you give business to Chinese, Russian and Indian companies. At worst, Western devs move to other countries or simply sell exploits illegally without getting caught... to non-Western entities.

The only way to beat this sort of a problem is to compete with demand. But that means competing against resources of nation states. Perhaps international treaties to control this arms race would help?

And yes, I know at best there are only a few hundred people with enough talent, but I bet you there are even less nuclear bomb scientists and you know how that supply/demand is turning out...


> Ok but where will that talent go?

Presumably to another company where they live, or are comfortable relocating to.

You seem to continuously be assuming a perfect market, which doesn't exist.

I agree that just blocking this sort of thing from countries that actually care about human rights won't solve the issue, but stopping a lot of it is still valuable. Additionally, I don't know if this sort of thing could exist in some of the countries you name. For China, at least, it sure seems like if you're good enough at this sort of thing, you get strong-armed into their existing military infrastructure used for spying on everyone else. I can only assume Russia is similar. I don't think either of those countries has free enough markets that an NSO-like company could exist.

India, I don't know enough to comment.

> At worst, Western devs move to other countries or simply sell exploits illegally without getting caught... to non-Western entities.

Do people just up and move to other countries at the drop of a hat? That requirement alone is going to substantially reduce the number of people doing this sort of work.

Again, the goal isn't to completely prevent exploit sales (which I agree is basically impossible), but to reduce the harm. Stomping out these companies (or having MUCH more aggressive oversight) won't substantially impact the hosting state's economy, and it will substantially reduce the available products on the market. I can't see an argument against that.


Here is where our views diverge: you think reducing the volume of supply is important, I think controlling supply is important.

You think reducing volume means what little supply is available will be used against high value targets only. In reality, the smaller supply will focus more on high value exploits which will still be leveraged at the same scale. Even if that was not true, you still have no control over exploit sales and use.

Allowing places like NSO and Zerodium to thrive with some control and restrictions is the best outcome. But really, do we even have lawmakers that understand any of this, or perhaps the NSA/CIA can control them. Normal security companies have intel community ties, I think that can be achieved here as well.



Thank you kindly _/\_


I never knew the Bhima Koregaon would be such a politically contentious issue that it would compel the government to spy on citizens' cellphones.

What further surprises me is that this article speaks only about India. Hasn’t Pegasus been used by other governments too?

https://en.m.wikipedia.org/wiki/Pegasus_(spyware)


The funny part is all this publicity and media outrage actually helps NSO. Their customers and potential customers don't give a damn about human rights, and being in the spotlight more than competing firms only helps them.


Shouldn't we be holding the government of India to account instead of the toolmaker?

Or is the toolmaker a much easier target? This criticism really seems misplaced to me.


Yes, but I think one problem is Facebook doesn't have direct evidence that the government of India was responsible, so it would be difficult for Facebook to sue India. Maybe if this lawsuit turns up evidence of who ordered the attacks, Facebook can then sue India (and the various other governments that attacked journalists).


What country is NSO group based in?


Is it really fair to put all the blame on the toolmaker for finding flaws in devices that were sold as "secure"?


Use a $20 flip phone and odds are the baseband is crap enough that you could be spied on easily by someone using a cell-site simulator. Or, heck, since those $20 phones usually use 3G or below, the state-level actor you’re up against will just decrypt all your 3G transmissions directly.

I have to wonder if you’re being serious when you describe the kind of software NSO produces. It’s software to let other people take control of hardware you possess. The better analogy would be to the iOS jailbreaking folks; people aren’t generally mad at them either.


At least you can easily pull out the battery and assume your text/call is being monitored. They give you more control and less complexity but you're right on how they don't add security.


Note: the grandparent comment was substantially edited to remove the references to Apple, $20 flip phones, and Doom9, which might make this and other sibling comments a little out of sync.


This is a very interesting trend. The name of the company is "NSO Group" but there is this peculiar insistence on calling it "NSO" in titles.

Let's try this NYTimes: "Israeli company NSO Group Promises Reform but Keeps Snooping". That conveys the essential facts at a glance.


Their own website (https://www.nsogroup.com/) calls them by the name NSO. Here's a direct quote of the first sentence on that site:

"NSO creates technology that helps government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe."




What agenda do you think Hacker News has by shortening “NSO Group” to “NSO”, which is what the group calls themselves? The last time this came up it turned out that a bunch of people wanted “Israel” to go in the title, so do your goals differ from this?


You can't seriously be suggesting that we care whether a title says "NSO" instead of "NSO Group"? I've added "Group" above to make the point, but please let's not bother with corporate nomenclature nitpicking. Anyone who recognizes "NSO Group" will recognize "NSO", except maybe subscribers to the Newfoundland Symphony Orchestra.





