The secret Uganda deal that has brought NSO to the brink of collapse (arstechnica.com)
238 points by dwynings on Dec 22, 2021 | 138 comments



Right now we have a mini crisis in Poland connected with this US/NSO war.

One prosecutor, who is fighting for an independent judiciary and against her political boss, head prosecutor Minister of Justice, smaller party Coalition member, got a notification that her iPhone has been hacked multiple times by Pegasus. She angered the ruling coalition after she wanted to investigate the illegal vote-by-mail election, which didn't take place in the end but cost Poland 23 mil USD.

The other person, who was hacked more than ten times, is a famous attorney and former politician. He was an attorney of opositionfuhrer Donald Tusk, former PM. He was representing multiple high-level clients that were suing the government, including one that was scammed by the head of the ruling party Law and Justice. The hacking took place during the campaign before elections.

Poland is such a crazy country right now. If you can, write an email to your congressman to fight for the biggest US investment in Poland, the TVN TV station that sheds light on this corrupt government. They are trying to make the owner (Discovery) sell TVN, worth one billion USD.


Could you please name:

> One prosecutor, who is fighting for

> The other person that was hacked more than ten times, is famous attorney

edit: https://news.ycombinator.com/item?id=29648072


Roman Giertych is the attorney and Ewa Wrzosek is the prosecutor whose smartphones were hacked.


As mentioned by a sibling. You can read about it here: https://www.politico.eu/article/polish-spyware-scandal-stoke...


Hungary also had a scandal about the abuse of Pegasus by the government against the opposition and independents.

As usual, the EU and the powerful countries who make business there have not made much about it.

People complain about the west enabling the Chinese communist leadership, but it's the same for every corrupt government.


> As usual, the EU and the powerful countries who make business there have not made much about it.

You do realise the only reason Poland and Hungary still have voting rights in the EU is because they mutually block sanctions against the other one, don’t you?

The recovery funds are blocked and the EU executive is suing Poland for violation of the bloc law. I think they are doing as much as they can. Obviously from the point of view of a citizen of the EU just expelling Poland would be better - the extension championed by the UK was a terrible mistake after all - but it’s sadly not an option.


Yes, I do realize it, but EU procedures are not all a government can do.

For example: Infineon is building a 100M€ plant in HU. The German government(s) could pressure German companies not to do business in countries where democracy is endangered, or where human rights are violated, but it has chosen to not exercise any kind of moral suasion.

HU or PL are not Apartheid-era South Africa, but there is more you can do as a freaking head of government than make a "we are worried" statement.


There is such polarization right now in Polish society that maybe let's not put politics here. I don't like either the opposition or the ruling party, but I try to at least read both sides of the story. You are definitely presenting a very biased point of view here.


> You are definitely presenting very biased point of view here

It’s not biased if the information is accurate, did the hacking take place or not?

That doesn’t mean I’m against your side, or for their side. I have no idea, I’m not Polish. Both sides must account for their actions, but one side doing bad things doesn’t in any way justify the other doing bad things. That would be what-about-ism. If the ruling party in Poland used Pegasus to hack opposition phones, that’s scandalous and entirely on-topic for a thread about Pegasus.


This attitude is how democracy dies.


“We always knew this thing had an expiration date,” (Hulio) told the friend

This was clearly the plan all along. Such companies live and die by their low profiles. Was probably not the founders' first such company nor will it be their last.

Next step will be to close up, take the contacts, clients, capital, the lessons learned and the cream of the staff to whatever mercenary, unethical piece of crap they make next.

This is why killing the industry as a whole is so important. It'll mean going after the owners, suppliers and employees/contractors with naming/shaming, coordinated sanctions, criminal charges, designated persons lists etc. until their reputations are trash. No bank would fund it, no partners would supply it and no one with any talent would ever contemplate such a catastrophic career move in future.


"This is why killing the industry as a whole is so important. It'll mean going after the owners, suppliers and employees/contractors with naming/shaming, coordinated sanctions, criminal charges, designated persons lists etc. until their reputations are trash. No bank would fund it, no partners would supply it and no one with any talent would ever contemplate such a catastrophic career move in future."

And no government of any geopolitical significance would ever support such actions. These kinds of people, and their skills/tools, are FAR too useful.


Yet here we are, useful or not. I applaud these kinds of movements, since this company's actions were clearly amoral and they supported anybody with enough cash, mass murderer or not.

All those actions mentioned by OP dissuade talent, since when you are at the top you have tons of interesting choices. Why work somewhere you are actually ashamed to even mention? Why, on top of that, work for amoral goals that make the world a much worse place, where innocent people get killed just because of your work, etc.?

Those talents will find some work easily. Maybe even for competition. But it's the right move, the more the better.


Why? They'll still be put to use. Just not via a for profit industry creating an arms race between middling powers.

If anything it will make recruitment by significant governments easier.


Phones should be secure. There will always be people with the talent and desire to attack them—if not private, then state-sponsored. There needs to be more engineering work put into finding vulnerabilities, patching them, and preventing more.


The industry being comprehensively destroyed: that won't happen. Too useful to the wannabe masters of the world in the CIA and other intelligence agencies, and, well, I guess the true "richest people in the world": despot leaders of large economies.

A better question is that while these companies are basically cyber weapons companies, what do the truly big players have: the US and China? We got a glimpse with the viruses targeting hard drive firmware and others, but maybe they are lazy because they get to enforce backdoors.


Why not? Mercenary tech didn't exist 15 years ago, so it's not like an industry is needed to create useful state hackers. Top talent would just continue to be nurtured in-house in more accountable government agencies.


These are just like any other weapons manufacturer, really.

Top talent will make way more in private firms, it's the only way to make a ton of money. Government pay is basically capped. The government pay also encourages the government employees to hire contractors, because that's how you get side benefits (not bribes! tooootallly not bribes), like ultra cushy jobs for relatives, a "consulting" job once you get sick of the government, etc.

I'd say it's like aerospace contractors. Just wayyyy too high tech for a government project and mediocre pool. Even NASA can't efficiently design complicated engineering projects, and they probably are the only government agency with a good reputation and decent people.

The only interesting thing about these vendors is that their weapons are in active, constant use, but it's not that obvious to the victims.


"Even NASA can't efficiently design complicated engineering projects"

Um, the Apollo Program... or did you mean cost efficient?

Mercenaries are a better analog. Are you saying that soldiers of fortune make better soldiers? Better armies?

The public vs private sector debate isn't as simple or settled as you suggest. For example, and more on topic, given relatively modest salaries the NSA has produced some of the most capable, respected hackers in existence. Creating a parasitic new industry just isn't necessary. Creating risks to global stability isn't either.


> It'll mean going after the owners, suppliers and employees

Facebook banned all NSO employees from Facebook. The Israeli courts forced Facebook to unban them.

https://www.calcalistech.com/ctech/articles/0,7340,L-3837077...


>"It'll mean going after the owners, suppliers and employees/contractors with naming/shaming, coordinated sanctions, criminal charges, designated persons lists etc. until their reputations are trash."

What a brave approach. Especially in regards to employees. This would close down every other major US company.


They knew what they were doing. And I don’t see why major US companies deserve much sympathy if they’re as bad as you say.


"Every other major US company": how do you figure? Are most major US companies selling exploits at all, let alone to rogue states?


I commented previously that the Uganda case was the first truly legitimate application of NSO's tech and the first one that wasn't actually a scandal, as it was by a state without a mature domestic intelligence capability going to market to buy tools of one, to spy on actual spies in its borders. It seems this particular NSO case is being used as bargaining leverage to discredit Israel's position in the Iran nuclear talks. NSO is subject to being a pawn on that board, it's plausible they get sacrificed and this is the story around it. It's a very weird place to be even lightly defending this company based on abstract principles, but they weren't taken out by some of the really egregious things they've done, and this seems fait accompli and we're just waiting for the narrative to complete. I suppose everything within a degree of the world they operate in is smoke and mirrors, but accepting the sanctimony around it at face value makes me feel like a rube.


I think the argument for legitimate application in Uganda is partly negated by allegations that political opposition was also being targeted [1].

[1] https://twitter.com/norbertmao/status/1463364241688305664


That's not why anything was done over it. If they had kept it to political opposition they'd still be using it today. It's specifically using it to root out spies that the US dislikes.


But that would be a scope shift, so if we're going there, now do Stingrays, PRISM, parallel construction, and FISA - but I won't say these are quality arguments. Outside this admitted whataboutism on my part, the very narrow defense I'm indicating for NSO in this specific case is it was within the sovereign right of this customer to use it, and it's only going to happen more often as this market is infinite.

I still think the Americans are just mad they got owned by Uganda. I'd bet this isn't the first time they have scored points against the low expectations of their "advisors," either so: well played. Point Uganda. I think this is a really funny precedent, and I can't believe I'm defending either of them, but the arguments back just aren't powerful when compared to demand for the tools of sovereignty, and we should give the consequences of that due consideration.


> as it was by a state without a mature domestic intelligence capability going to market to buy tools of one, to spy on actual spies in its borders

How do you intend to support your claim that the 11 US diplomats and employees from the US embassy are spies (and thus are supposedly legitimate targets in your view)?

Nowhere does it say US spies were the targets. And no other story on this subject has presented evidence of that either.


US intelligence organizations openly state that a common way for them to operate in a country is to give their agents cover "jobs" at the state department. When state department employees or "employees" work at an embassy they are diplomats. Apparently this is common in the intelligence world.

Whether these particular people were spies, it seems like proper counter-intelligence to track all diplomats pretty closely because at least some of them are going to be intelligence operatives.


Tracking movement vs intercepting communication is a very different thing. In general, any attempt to spy on an ally is going to get a lot of egg on your face if it comes out, and if it's using tools your ally helped finance and/etc, you can bet it's going to get complicated.

In this instance, Israel needs the US, Pegasus was Israel's technical gorilla in the spy world, and it got used on the US by someone they sold it to. This level of fallout given that is not unexpected; Israel cares more about maintaining ties with the US than they do about a given tool, company, or to enable Ugandan spying operations.


> it seems like proper counter-intelligence to track all diplomats pretty closely because at least some of them are going to be intelligence operatives.

Curious, do you happen to know what such spies do?

I'm wondering if it's just reporting the news, talking to people and collecting information that can be legally obtained.


They are often actual CIA agents, which means collecting HUMINT and building sources and networks, e.g. https://cryptocomb.org


I think the general idea is that the USG doubtlessly conducts espionage on Uganda, thus making all formal employees of the USG fair game for espionage. Which makes a good deal of sense. The reason NSO spyware on State Department phones is upsetting isn't that it targets the State Department employees, but that it targets the USG.


I wouldn’t hazard a guess about the exact number, but spies being given diplomatic cover (and diplomats spying) has been the norm for centuries. A huge chunk of Cold War spy craft was about diplomatic personnel trying to evade their followers in order to meet with their contacts without exposing them.


A huge chunk of the American intelligence leaked by WikiLeaks was collected by "diplomats".


The job of diplomats is to collect intelligence and represent their government.

Whether they collect it overtly or covertly is the issue here.

The USG had an "agreement" with Israel that NSO products wouldn't be used against the USG. Uganda did.

So the USG is making it clear to Israel that they have to rein in NSO and other "private enterprise" spy product providers.


There's this joke people say the only reason the US doesn't have regime change factions is because it doesn't have a US embassy.


So you've never read the WikiLeaks?


You're absolutely right, and I don't think anyone else has made that point. The problem was the spies they tried to fuck with were American spies and America wasn't going to stand for that. As you say, NSO are now just a toy, and if they are destroyed thanks to this, no-one is going to give a fuck.


I cannot see a world in which use of NSO tech is legitimate. Get a court order to tap the phone line, etc.

How can usage of a Mossad / IDF tool be considered legitimate? Just because the ruling party in a state decides so, doesn't mean this has any bearing on human rights or _legitimacy_.

China is eradicating Uyghur culture and running for-profit concentration camps. These are legitimate uses of their Governmental powers. Does that make them ethical? Of course not.

Technology like this is dystopian and anti-humanity. There is no way that this technology is profitable, exported and somehow used for "legitimate" purposes. The entire enterprise is predicated on making vulnerable people more vulnerable. The end result is more Khashoggi awfulness, how could it NOT be?


Countries conducting espionage is well established and has been done for centuries. At the same time, the CIA doesn't get court orders when they want to listen in on FSB agents, nor vice versa. I don't see why Uganda should be held to different standards or why partnering with an Israeli company instead of developing the tools themselves should matter here.


It's not Uganda that's being held to account here. It's NSO, and not just for selling to Uganda.


Ok, but why carry water for that or them?


I'd say mostly because we don't have transnational law that has teeth. Most nations have laws prohibiting murder, yet if one nation does it to another nation, somehow it's not illegal.

I think many of us may fear a transnational government, yet we have transnational organized crime, transnational companies, transnational communication networks, etc. At some point, I hope we also get more transnational governance to balance some of those other entities.


In a well-functioning system (of which there are very few in this world), it's possible to use these tools responsibly.

For example, you could secure access and get insight into a terrorist ring using encrypted messengers, once the necessary paperwork has been done, reviewed and approved by an independent judge. Phone taps and internet taps worked great until everything became encrypted. Hard drives that cannot be accessed, conversations that cannot be monitored, you name it; the governments of the world have a difficult decision to make after about 120 years of easy access to criminals' conspiracies.

I'm not sure if there's any system of government in the world I'd currently trust with this power, but it's not inherently impossible to use these tools ethically. At the end of the day, governments are desperate for a solution for the encrypted nature of modern data and communications and don't think that there are any other solutions than either allowing the police to hack or banning/restricting encryption. I'm not sure which option I prefer, but I believe (fear) either will become the accepted norm within our lifetimes.


> I cannot see a world in which use of NSO tech is legitimate. Get a court order to tap the phone line, etc.

In general, I am against government overreach, so I agree with a lot of what you said.

However, let us say I have a court order to surveil person X - how am I ever going to get all the information when they could be communicating via a phone call, SMS, iMessage, WhatsApp, Gmail, Facebook Messenger, Signal, Telegram, Discord and a myriad of other mechanisms with a myriad of identities. The easiest solution for me (the snooper) would be to surveil your entire phone, including click history and screenshots when feasible. No?

Once again, let us forget the person side for a minute. Let us talk about someone with genuine need to surveil. How will they ever do it with today's technology? It ain't easy.


Half of those services will happily share all of that person’s data when handed a warrant. Some don’t even require that much.

On the flipside, a snooper will always have to do a monumental and maybe impossible amount of work to break a one-time pad by chipping away at the security that surrounds it.

What makes security tech fundamentally different? Why should it be easy to break? A warrant lets someone search my belongings; it does not compel me to give law enforcement the information they are seeking.


> A warrant lets someone search my belongings; it does not compel me to give law enforcement the information they are seeking.

This is the issue. An investigator's limited permission to search a specific aspect of one's belongings does not infringe upon one's right to be secure in the remainder of his belongings. At least, not in the context of nations which have explicitly granted that right.


What makes you think Uganda or China wouldn't be able to get court orders to sign off on their respective actions?


Uganda has a very capable domestic intelligence network and I would be surprised if all they were doing to these "diplomats" (spies for the US) is hacking into their phones. This has made the news, but it is one of the least egregious things Museveni and his son - esp the son - have done in the past two or so years as they faced the strongest challenge to his rule yet. I am very sure that locals, particularly the opposition, had it much worse than American spies, although that most likely won't make the news.


Honestly, I think it’s simpler than that. The US does not want smaller nations to have comparable hacking and spying capabilities…


> when Google reverse-engineered the hack used against American diplomats in Uganda, they found an elegant, tiny piece of code that adapted software from 1990s Xerox machines to fit a so-called Turing machine — essentially a complete computer — into a single GIF file.

LOL at describing PDFs as "adapted software from 1990s Xerox machines"

https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-i...


They were talking about JBIG2, not PDF.

JBIG2 has been in the news periodically for a different sort of problem - you can't trust it to accurately represent what was scanned:

https://www.theregister.com/2013/08/06/xerox_copier_flaw_mea...


The NSO exploit started by pretending to send a GIF, which was sent down to some decoder that did automatic file-type detection based on data rather than filetype and "correctly" detected a PDF; the Apple PDF decoder in turn supports JBIG2 images, where the actual exploit lives.
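
The chain described in the comment above (a file labelled as a GIF, typed by its content as a PDF, carrying a JBIG2 stream) can be checked for on the receiving side. The following is an added example, not part of the thread or of any vendor's code: a Python triage function that compares an attachment's declared extension with its magic bytes and reports whether a PDF names the `JBIG2Decode` filter. The file names and sample byte strings are constructed for illustration.

```python
import os
import re
from dataclasses import dataclass

GIF_MAGICS = (b"GIF87a", b"GIF89a")
JBIG2_MAGIC = b"\x97JB2\r\n\x1a\n"   # header of a standalone JBIG2 file
PDF_MARKER = b"%PDF-"

# A PDF name token: '/' followed by regular characters or #xx hex escapes.
_NAME = re.compile(rb"/((?:[A-Za-z0-9_.+\-]|#[0-9A-Fa-f]{2})+)")
_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")


def sniff(data: bytes) -> str:
    """Type a blob by content, the way a data-driven decoder would."""
    if data.startswith(GIF_MAGICS):
        return "gif"
    if data.startswith(JBIG2_MAGIC):
        return "jbig2"
    # Lenient readers accept the PDF marker anywhere near the start,
    # so search the first 1024 bytes rather than offset 0 only.
    if PDF_MARKER in data[:1024]:
        return "pdf"
    return "unknown"


def pdf_names(data: bytes) -> set[str]:
    """Collect PDF name tokens with #xx escapes decoded.

    Heuristic byte scan: names inside compressed object streams are
    not visible here, so absence of a name proves nothing.
    """
    names = set()
    for m in _NAME.finditer(data):
        raw = _ESC.sub(lambda e: bytes([int(e.group(1), 16)]), m.group(1))
        names.add(raw.decode("latin-1"))
    return names


@dataclass(frozen=True)
class Finding:
    filename: str
    declared: str      # type claimed by the extension
    detected: str      # type implied by the content
    uses_jbig2: bool   # content would reach a JBIG2 decoder

    @property
    def mismatch(self) -> bool:
        return self.detected != "unknown" and self.declared != self.detected

    @property
    def label(self) -> str:
        if self.mismatch and self.uses_jbig2:
            return "mismatch+jbig2"
        return "mismatch" if self.mismatch else "ok"


def assess(filename: str, data: bytes) -> Finding:
    declared = os.path.splitext(filename)[1].lstrip(".").lower()
    detected = sniff(data)
    uses_jbig2 = detected == "jbig2" or (
        detected == "pdf" and "JBIG2Decode" in pdf_names(data)
    )
    return Finding(filename, declared, detected, uses_jbig2)


# --- Constructed sample inputs (not real captures, no payload) ---
SAMPLE_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n"
    b"<< /Type /XObject /Subtype /Image /Filter /JBIG2Decode /Length 0 >>\n"
    b"stream\n\nendstream\nendobj\n"
)
# Same object with the filter name written using a hex escape (#44 is 'D').
SAMPLE_PDF_ESCAPED = SAMPLE_PDF.replace(b"/JBIG2Decode", b"/JBIG2#44ecode")

if __name__ == "__main__":
    for name, blob in [
        ("cat.gif", SAMPLE_GIF),
        ("photo.gif", SAMPLE_PDF),
        ("photo2.gif", SAMPLE_PDF_ESCAPED),
        ("scan.pdf", SAMPLE_PDF),
    ]:
        f = assess(name, blob)
        print(f"{f.filename}: declared={f.declared} detected={f.detected} "
              f"jbig2={f.uses_jbig2} -> {f.label}")
```

A `.pdf` attachment that names `JBIG2Decode` is labelled `ok` here because the declared and detected types agree; `uses_jbig2` is still reported so a stricter policy can act on it.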


Having spent some time with OCR and scanning recently, I'd have to agree.

A lot of news articles are describing JBIG2 as something archaic, when it seems to be as relevant and commonplace as ever. (see MRC, for a modern application)


The article was originally written for Financial Times, whose audience will have a general knowledge of computing. Also, what the heck is MRC?


Mixed raster content, I assume.

Basically, you scan a paper document. It contains a mixture of line art, text, and photographs—“mixed” types of content. You can segment it and use different codecs to encode these different segments, and then combine the results in a PDF.


News articles, plural. E.g., here is another story by way of Ars:

> Essentially, 1990's algorithms used in photocopying and scanning compression are still lurking in modern communication software, with all of the flaws and baggage that come with them.

https://arstechnica.com/information-technology/2021/12/googl...

Given that JBIG2 wasn't standardized until 2000, and that the Apple vulnerability was in their implementation (vs the standard), I just don't understand this characterization.


Which is odd because NSO made many assurances to the US govt they were in control of the tech and that US nationals were not to be included. Looks like they weren't in as much control as they stated they were.


US nationals have never been protected. If you make an international phone call the government can track it [1]. If it's internal, they can't without a warrant.

NSO built in a complete block of +1 phone numbers. But those US diplomats were not using +1. Which itself is a security issue that I'm sure is already being discussed at the State Department.

[1] https://www.usatoday.com/story/news/2015/04/07/dea-bulk-tele...


Seems silly to call it a security issue when the bulk of the day to day activities for many state department employees is working closely with local nationals. Do you really want to make your average Ugandan caterer make an international call to the US in order to coordinate food delivery for an embassy event?


And the fact that you're not likely to answer a call from an international number because it'll probably look more like spam.

Also, for them to have a +1 number outside the USA means they have to be on a USA network and then roaming onto a local network. This presents dozens of problems, such as often not being able to get the best connection, not being able to get data connections, not being able to get any local support, and it costing a small fortune.

All the embassy employees I have ever known have gone full native with all of their technology etc.


Having a "caterer and friends" local dumbphone and an international phone for actual business doesn't seem unreasonable.


Presumably, linked to what the sibling said, any actual business probably ought to go over high-security data connections anyways if it's going to go over any mobile network at all. No telling who's tapping into telecom systems in third-world countries, and normal phone calls probably go in the clear no matter what the registered phone number or roaming agreement is for the device.


It's not unreasonable, but people get sloppy with cell phones.

Like the whole business around US military bases and Strava.


To be fair, I think many (most?) people use Strava without a cellphone. At least in cycling. The problem there was everything being public by default as it is a social network of sorts.


Does the US State Department trust the local Ugandan Best Buy employees not to run a SIM swap for $50? Or $10,000?

With a Ugandan SIM comes the security of the Ugandan mobile network and its employees.


Would that imply that it would function as well for Canadian phone numbers, since they share a country code?


Shhhh, don’t tell them about the N in NANPA.

But given the number of countries under NANPA, I bet they filter at the area code level. Can’t turn away that sweet Dominican Republic opportunity.

How does data work if you get NSO’d? There’s gotta be some Canadians facing massive mobile phone bills because of NSO shenanigans.


I think you mean NANP, nanpa is somewhat different...


NANPA is the administrator of NANP.

https://nationalnanpa.com/

But from what I can see, nanpa is also a Japanese word for something that sounds like random approaches on women in malls, etc. for dating. I forget the term in English.


Maybe NSO didn't allow it to be used on US numbers. How are they supposed to know the nationality of the user of a phone?

> NSO has always told its customers that US phone numbers are off-limits. In this case, all 11 targets were using Ugandan numbers, but had Apple logins using their state department emails, according to the two US officials.


> How are they supposed to know the nationality of the user of a phone?

That's why you do recon before targeting somebody.

Do you suppose they just sprayed the malware onto random phones?

I get the impression that Pegasus is meant to be used in a very targeted way, at people you have identified before, and have some reason to spy on. If you do it that way, what are your chances of wanting to target somebody else, and accidentally getting 11 US embassy employees?

NSO promised oversight, they can't just weasel their way out by saying "there's no way we could have implemented effective oversight".


Is that sarcasm? The Israelis spying on the US is hardly anything new.


There's a pretty big difference between Israel, the country spying on somebody out of national interest, and Israel allowing what is essentially an arms-dealer based in Israel to help random other people spy on countries they are allied with.

I highly doubt that Israel the country wanted this turn of events, for the simple reason they are not stupid and the cost-benefit ratio of this seems bad for them.


The state of Israel is already one of the most prolific arms dealers in the world. Something like 10% of weapons (everything from rifles and ammo to tanks and precision guided missiles) sold every year globally are made in Israel. They will sell to anyone (through intermediaries if the political optics don’t align), and have ample opportunity to combat test weapons thanks to the low-grade civil war they’ve been waging against the Arabs for the last 70 years.

They won’t want to be seen as reining in Israeli military overreach because there’s a feeder pipeline from the Israeli military into both politics and the weapons industry. It’s the same people running the country that are selling these weapons.


History has shown that the two are tightly involved. Plus it's not like they will ever really be held accountable. Pollard the traitor is a hero to Israel.


> Pollard the traitor is a hero to Israel

Well… obviously? How else could Israel treat him?


> There's a pretty big difference between israel, the country spying on somebody out of national interest, and israel allowing what is essentially an arms-dealer based in israel to help random other people spy on countries they are allied with.

Yes and sort of and no.

The thing with weapons is that occasionally you sell them to people you end up fighting. Take the Falklands war - Argentina was using American, French, and British weapons to fight the British. It happens, it's a bit of egg on everyone's face, but it is what it is.

When you're a major arms dealer, you'll eventually end up selling guns to an enemy of your ally, or supposed ally.


A bit of both. I assume they can spy on the US through 5-eyes, 9-eyes, 27eyes, etc. But to allow Uganda to do it was a bridge too far. If NSO had been in almost any other country there wouldn't be a building left standing. The US regards cyberattacks as an act of war.


If the US really regarded cyberattacks as an act of war, it would be actively shooting missiles and bullets at China right now. The US regards cyberattacks as acts of war when convenient, nothing more.


"Act of war" is a legal and diplomatic nicety that, like essentially all international law, you talk about when it happens to align with your realpolitik. It doesn't mean you immediately launch the nukes whenever someone arrests one of your diplomats.


Nuclear powers can't make full-scale war on each other. If they ever do, the death toll would make WW2 look like a skirmish. So any attacks are at the edges (respond in kind, or proportionately, rather than escalate to a shooting war).


So the US regards cyberattacks as acts of war if it comes from a non-nuclear country, and tomfoolery from a nuclear one?

I don't disagree with your point, simply saying that IMO the US doesn't take cyberattacks seriously precisely because it leads down a dark path with China (and probably Russia too if we're being honest).


It doesn't mean they don't take them seriously, it means that responding with missiles isn't an option if the other guy has the ability to massively retaliate. Other options, like sanctions or retaliating in kind, plus shoring up defenses, are a better bet. Even retaliating in kind is problematic if the result is that the Internet becomes almost unusable.

All during the Cold War the USA and USSR engaged in various kinds of low-level sabotage against each other. Fortunately for us all, it didn't escalate out of control.


But Israel isn't a part of any of those agreements; it would be just as likely they spy on the US via a direct partnership with US agencies.


Yeah, it looks like they used a pretty basic whitelist:

> In this case, all 11 targets were using Ugandan numbers, but had Apple logins using their state department emails, according to the two US officials.


Naturally, NSO will be blamed instead of the US govt for thinking that was actually possible. Especially after the Shadow Brokers leak.


It is actually possible to not sell software that spies on US diplomats. Why, I achieve this goal every single day.


> It is actually possible to not sell software that spies on US diplomats. Why, I achieve this goal every single day.

It isn't that easy :) If you work on any major and/or popular software, it is most probably used by State Dept (even if it is just an obscure part of some software stack that some State Dept LOB is using implicitly). Theoretically any software may have bugs/holes and thus be a part of such spying.


I think NSO are scapegoats, because how hard is it for a country to set up a honeypot device to analyse NSO's attack vectors and then copy it for their own use whilst being able to blame it on NSO?

I say this because I've had stuff done to my phones in the past, one strange incident with a "hacked" phone was selecting an AirBnB, which I believe directed me to a few of their "safe" houses. Other examples include batteries going flat overnight when asleep despite phone being switched off, not charging but was fully charged before it was switched off. The phone signal is weak when that took place so it would have burned through the battery amplifying the signal, but listening in to people sleeping can elucidate what might be on their mind!


It is astounding to me that a state as paranoid as Israel has leaned so hard into the far-right that they would actively sell some of that highly sensitive tech to other states that not that long ago had a death wish for Israel as a main position of said state.

A state born of hard-edged refugees escaping a world that had recently written them off to die, carried through several existential wars, and now they are EMPOWERING that same evil.

Also, please please do not trot out the "NSO isn't Mossad/IDF" nonsense. I wouldn't be surprised if all of this was a façade to penetrate the infrastructure of states that Israel wanted to monitor.

There has never been a more competent, sophisticated, and dedicated group than that of Israeli intelligence. To imagine that they would allow all this as an oversight without some state benefit is not something my brain can comprehend.


I don't doubt the Mossad/NSO link either but as for "empowering and giving away" I wouldn't reach that far.

Rather I suspect they were selling it as hacking-as-a-service and the clients they had never actually got their hands on the software or any physical servers (apart from possibly NSO relays), rather everything probably passed through their servers hosted in Israel where they could control that +1 and +972 numbers were never targeted.

The people they had as clients only cared as long as they got into the iPhones, etc. they wanted, I doubt they cared if they had control of the software or not.


You don't have a clue, do you! Have you thought your prejudices are being played here, the hatred of Jews goes back centuries, it's engrained in cultures around the world. NSO were too bloody clever for their own good because they never thought about how their hack-as-a-service could be _spun_ against them.

Have you not thought how US companies like MS, Apple, Google do stuff for the US govt, just like when it comes to financial sanctions on Russians, it's the US asking the UK to do it. Look at the Ukraine and the NordStream2 pipeline between Germany and Russia, US leaned on the EU to make things difficult for Russia.

Look at the criticisms of China's Huawei spying using 5G networks, the fact Huawei hold more global 5G patents seems to be irrelevant to the US except it's not because it's a classic case of leap frogging in technology whilst older tech patents are milked.

It's what you would expect from the leading nation on this planet ie the US to engage in behaviour wise but all this US repression makes those countries double down and come back with something better.

NSO is just the latest fallout, but it's nuanced and not everyone picks this up when reading the global news.

The US is end of empires time, it's just natural just like Afghanistan is the only country on the planet to have never been colonised by an outside force, namely Russia empire, British empire and US empire and how many people knew that?


> It is astounding to me that a state as paranoid as Israel [...] would actively sell some of that highly sensitive tech to other states that not that long ago had a death wish for Israel

You should google up the story of the Swiss company Crypto AG. TL;DR: bought by the CIA and the BND (German counterpart) in 1970 and sold security software to governments all around the world. With built-in backdoors for the CIA and BND. It was the main source of foreign intel for decades for the CIA.


> but listening in to people sleeping can elucidate what might be on their mind!

Once you go conspiracy there’s no end to what seems possible…


It's not conspiracy, if you consume a few grams of lecithin before bed, your dreams will be based on what you saw just before bed. So if you can use a phone to make sounds or say things to someone in their sleep at pertinent moments, you could start having a conversation with them in their sleep or just trigger them to see what they say! You should try it, it's fascinating!


I’ve recorded my sleep many a time. What I say is entirely random and garbage. To suggest someone hacked your phone to listen to your dreams requires extraordinary proof, and would also be far less effective than listening to your day while you’re actually awake. And even then, you need quite a high bar of proof. This has only been documented to occur for high value targets, so unless you’re one of them, I’d be far less concerned.


You haven't had a conversation with someone sleep walking then or just dreaming out loud then? That's a little different to just recording yourself snoring. Well my proof keeps being nicked or destroyed so the state could make anything up and it does make stuff up.


Advanced technology was once held mainly in the hands of governments. In recent years, corps and mega-corps are getting far more advanced technology than the government has. For governments, this means loss of power. So governments around the world use whatever means they have to prevent such technologies from proliferating. The US government tried to stop the export of strong encryption. Then it shut down Facebook's crypto-currency - to prevent FB from having its own global-dollar. That's why the US just waited for the right time to end the party where dollars could buy you cyber abilities only reserved to the NSA and CIA.

It's not about civil rights, it's not about money laundering, it's just about the US trying to keep ahead of everyone else.


The difference in response from the US to hacking of their diplomat phones compared to the response in Germany to the US listening on calls from Merkel and others is really telling. It makes you question how independent European countries really are from the US.


> brought in between $10 million and $20 million, a fraction of the $243 million

I mean I guess 7.5% is technically “a fraction”, but I’m used to this phrasing meaning “a really tiny fraction”


I thought the same, but then maybe the 10mio to 20mio was also distributed over several years, making it less than the 7.5% of their revenue.


Were the US officials that Uganda was spying on diplomats, or "diplomats"?


Surely if they were "diplomats" we shouldn't need Apple to send them a mail to know their phones are compromised (by such an obvious trojan, even)?


Quite likely, answering that question was one of the top reasons why Uganda did this in the first place!


LOL, all diplomats are "diplomats" when push comes to shove.


Yes, but you are correct in another way.

If the US diplomats Uganda used the NSO technology to spy on are intelligence agents, they still possess diplomatic immunity. They are in Uganda with cover (as opposed to non-cover; that is, they are in country without being a public US government employee).


If you replace your handset, keep your SIM, how does NSO recapture you? I don't understand how rich powerful technocrats get stung so often: surely the path out is to swap device and move on?

I should be clear I do believe they are being recaptured. I just don't understand how. In the pre digital world, most phone steals were inside jobs: somebody leaked info leading to a voicemail hack or a stingray type cell listen in. Post digital, I suspect a lot of things are still inside jobs, but on-phone compromise feels like a problem moving platform solves.


NSO used a zero-click exploit. Swapping the device for another vulnerable iPhone wouldn't put up much of a hurdle. They'd just send a message with the exploit and reinfect the phone in under 30 seconds. Changing the phone and SIM would only work until the new phone number became known. For high-value public targets (with lots of contacts) it probably won't take long until the new number leaks again.


This is an interesting industry.

> “We always knew this thing had an expiration date,” he told the friend, complaining that some clients had asked to shift their contracts to lesser-known rivals, according to a person familiar with the conversation.

I guess if you have this perspective, you want to maximize revenues and IPO before your product gets misused and invites US sanctions.

I wonder what the reaction would be if this was a US company and not an Israeli one. Apple would still sue them, of course. But they couldn't be sanctioned by USG, right?


What would happen if it was a US company? Probably they would be forbidden from selling anything outside of the US. Remember what the US did with crypto exports for decades? Next, if you tried to investigate anything that it was doing, you would be persecuted relentlessly by the US government. Note what happened to Julian Assange. It really is not like the US government is a nice organization or anything.


> What would happen if it was a US company? Probably they would be forbidden from selling anything outside of the US.

That's just false. The NSA bought the Swiss company Crypto AG and has been selling backdoored crypto devices all over the world for decades before being found out.


That doesn't seem like a similar enough story to contradict anything here.


> I wonder what the reaction would be if this was a US company and not an Israeli one.

For hacking into a US official's phone without a warrant? They would go to jail.


This is why that mutual practice that say British spy on US companies/people, and US in exchange spies on British companies/people, and both thus don't violate their own laws.

My understanding is that various US private, political and government forces have been using Israeli private physical and cyber security/intelligence services like NSO against US targets in particular for that reason. For example:

https://en.wikipedia.org/wiki/Black_Cube#Iran_Nuclear_Deal_a...

"In 2017 aides to U.S. President Donald Trump had contracted with Black Cube in order to undermine the Iran Nuclear Deal by discrediting two of former Obama administration officials such as Colin Kahl and Ben Rhodes."


> I guess if you have this perspective, you want to maximize revenues and IPO

Why would you IPO this business? Disclosures associated with the IPO might accelerate the expiration date, you don't need the capital, and IPOs cost real money, which you could instead move into your own pockets. What does it bring — besides lowkey defrauding investors, who don't know what they're getting themselves into, so they can be left with a worthless business at the end of the game?


Would depend on the US government of the day. Hacking Team and Finfisher weren't US based, they attracted lots of shit from their governments and the EU where they were based. The reaction so far doesn't seem to be negative just because they are Israeli.


A US company wouldn't be selling a CCL-restricted product to a foreign state without going through USG review -- or at least, they'd get to do that once, before DOJ comes in with the search warrants.


...maximize revenues and IPO...

According to TFA their real trouble comes from the massive loans they took in order to take the firm private. If CEO really said the above, he seems really squirrelly.


>Looks like Uganda tried to hack 11 US diplomats, which ended up giving away the game, and getting everyone upset — and for but a pittance in revenue.

Isn't this why most spy agencies are very afraid to use their most prized assets in fear of revealing the assets?


There is an unclear reference to Intel in the article. Was Intel working with NSO?

"In recent weeks, for instance, Intel asked all its employees to cease any ongoing business relationships with NSO, one person familiar with the matter said. Intel said in a statement that it “complies with all applicable US laws, including US export control regulations”."


I thought the paragraph preceding that one gave the context:

> The blacklisting, which came in November, means that NSO cannot buy any equipment, service, or intellectual property from US-based companies without approval, crippling a company whose terminals ran on servers from Dell and Intel, routers from Cisco, and whose desktop computers run on Windows operating systems, according to a spec sheet from a sale to Ghana, in West Africa


They would have at least a sales account.


If you are excommunicated (sort of) by the US, who could you cling to next? Only Russia and China at this point.


You would think Apple, the company that makes the platform which enables all this, would be held accountable too. But people turn a blind eye to their false claims of a secure platform.


If I leave my bike locked up outside my office and come back to find it's been stolen with a handheld circular saw, I don't see how that's my fault. I implemented a reasonable level of security, but there's not much I can do against a circular saw.

iOS is massive. Operating systems are massive, from an attack-surface perspective. NSO is hiring out of the Israeli intelligence pool: these are among the best security engineers in the world. They don't always find exploits (IIRC there are some versions of iOS they don't have hacks for at a given time), but the game is in their favor, simply because the OS is, well, the size of an OS.


Apple advertises it as "secure by design."

See: https://www.apple.com/business/docs/site/AAW_Platform_Securi...


> “We always knew this thing had an expiration date,” he told the friend

after $200mm in revenue, I love the cavalier nature of that. it humanizes the operation more than anything I've read

and NSO group is even at risk of defaulting on some loans, that it must have taken out for no reason aside from having extra totally fuckable capital to default on.

honestly, hope I run into this guy in Monaco and have a drink. just won't exchange contact information


What chance do our voting machines have against this level of state sponsored weaponry?


So hacking phones for the US government is ok, but hacking phones for Uganda is not?


You can't really equate the rules that should apply to full democracies with those that should apply to partial democracies or totalitarian regimes.

There's no evidence the US has used NSO like tools to spy on the opposition (post Watergate, anyway).

Partial democracies or totalitarian regimes shouldn't be given these tools under any circumstances since they can't be trusted to only use them to investigate legitimate crimes. They will present some bona fide use scenario, then use the tools for other undisclosed purposes.

If NSO Group had an ounce of ethics, it wouldn't provide the software, but would request a dossier/brief which outlines, with evidence, the basis on which intrusion into the target device is sought. It would then have an agent carry out exploitation. Political "crimes" should be refused service.


The USA is a big supporter of Saudi Arabia and the UAE, which have waged a destructive war in Yemen. Ergo, the USA and its leaders are largely responsible for what has happened in Yemen. Yet I am sure that you would argue that Uganda is authoritarian but the USA is a "mature democracy".

Lol.


Yes, according to the US gov. I imagine that according to the Ugandan gov, it's ok to hack phones of foreign govs but not of the Ugandan gov. In fact, I strongly suspect that for any nation X, it's ok to hack non-X gov phones but not X gov phones. I don't understand why this surprises anyone.


You're only feigning surprise.. right?


Of course I do. I should have added "/s" ...


This wasn’t what Herzl meant by the Uganda option I take it


https://archive.md/At4rC

> In February 2019, an Israeli woman sat across from the son of Uganda’s president, and made an audacious pitch — would he want to secretly hack any phone in the world? [ ... ] for NSO, the Israeli company that created Pegasus, this dalliance into east Africa would prove to be the moment it crossed a red line, infuriating US diplomats and triggering a chain of events that would see it blacklisted by the commerce department, pursued by Apple, and driven to the verge of defaulting on its loans, according to interviews with US and Israeli officials, industry insiders and NSO employees.

Looks like Uganda tried to hack 11 US diplomats, which ended up giving away the game, and getting everyone upset — and for but a pittance in revenue.



