What good is legal action upon entities that are, by design, extrajudicial to begin with? You can sue NSO out of existence and the people and tradecraft involved will just reappear a few months later under a different name and organization, but keep doing business as before.
The whole point of setups like this is to circumvent legal checks and balances to get information they wouldn't normally be able to get. No intelligence apparatus is going to give up that ability, especially not over some silly foreign lawsuit complaining about hacking. This isn't even a slap on the wrist, it's just legal theater.
You're dealing with what is essentially a front for gray-area extrajudicial hacking. The company itself isn't the issue, it's that it gives governments and other entities cover when they want to do shady shit. Same reason we use private military companies. The profitability of any one such company isn't really terribly important (from a privacy standpoint)... when one goes down, another takes its place, and the willing buyers will just buy from a new one instead. Like drug dealers.
From the privacy angle, nobody cares about NSO profitability... the point is that even if they go bankrupt, the underlying people, technologies, procedures, and overall shadiness will not only remain but grow stronger and more hidden, learning from this incident. Zero-days will keep getting found and bought and used for surveillance, and that is not something the legal system can solve, because a major customer IS state buyers who are funneling resources to it to purposefully circumvent legal protections. Judges aren't almighty, the law is selectively enforced, and almost always overridden for "national security" purposes.
> You're dealing with what is essentially a front for gray-area extrajudicial hacking. The company itself isn't the issue,
It is a game of whack-a-mole. But a business that gets you sued is radioactive for investors. So while the technology exists, and means will be found by well-funded agencies to exploit it, it will become less and less accessible to private corporations as a business model.
That is a good thing. That results from suing them.
If that's the case, then Israeli intelligence attempted to sell an arm of their own intelligence apparatus to a US defense contractor. Have you spent a lot of time looking into NSO?
2 is critical. Tech people tend to fall for “one simple trick” because they believe there is a highly formal rule system where any technical loophole is just “oh well, the rules didn’t apply”.
But reality is judges and the justice system are intentionally analog and human and fallible, and can use judgment to sledgehammer people trying to use one simple trick.
It imposes a significant cost and friction to their operation and proliferation of the access to what they have, even if they reorganize. So this is a very good action in my book.
As recently as July, the 6th largest defense contractor in America was set to purchase them, so I think whatever radioactivity they had, it was pretty mild.
Another very weird NSO take. There was a whole spate of news stories about NSO shopping themselves to US investors, and ultimately putting the whole company on the block. The sale would have actually occurred had the Biden administration not stopped it. No, I think this is comprehensively false.
I think people on HN have a really bad habit of mythologizing CNE shops. You do not in fact need state sponsorship to do exploit R&D and build software implants; dozens of people have started companies that do exactly that, and they get bought routinely. All of them have state actors as their primary client base.
I wouldn't be at all surprised to learn that NSO has a tight relationship with the IDF, the same way lots of commercial CNE shops in the US have relationships with NSA. I wouldn't even be surprised to learn the relationship is deeper than that. But there is no evidence at all that NSO is an "arm of Israeli intelligence" in any formal sense, and a lot of countervailing evidence.
It's possible the only thing that distinguishes NSO from any of a dozen other shops is that they happen to be Israeli. Somehow, a CNE shop in Auckland just doesn't seem to excite HN the same way. Maybe there's more to the story than I'm suggesting! But, like, you know what they say about extraordinary claims.
> It's possible the only thing that distinguishes NSO from any of a dozen other shops is that they happen to be Israeli. Somehow, a CNE shop in Auckland just doesn't seem to excite HN the same way.
I suspect this is because they operate in a way such that Hacker News doesn’t really hear about them.
In case anyone wants some references, I hadn't been paying much attention to NSO in many years, and so got really curious about the "ultimately putting the whole company on the block" comment, so I figured I'd provide some links that I came across:
> The bottom line: NSO isn't some rogue company being operated out of the basements of shadowy founders. Instead, it's been empowered by institutional investors that appear to have turned a blind eye to its deeds in the pursuit of profit.
> The F.B.I. had bought a version of Pegasus, NSO’s premier spying tool. For nearly a decade, the Israeli firm had been selling its surveillance software on a subscription basis to law-enforcement and intelligence agencies around the world, promising that it could do what no one else — not a private company, not even a state intelligence service — could do: consistently and reliably crack the encrypted communications of any iPhone or Android smartphone.
> Since NSO had introduced Pegasus to the global market in 2011, it had helped Mexican authorities capture Joaquín Guzmán Loera, the drug lord known as El Chapo. European investigators have quietly used Pegasus to thwart terrorist plots, fight organized crime and, in one case, take down a global child-abuse ring, identifying dozens of suspects in more than 40 countries. In a broader sense, NSO’s products seemed to solve one of the biggest problems facing law-enforcement and intelligence agencies in the 21st century: that criminals and terrorists had better technology for encrypting their communications than investigators had to decrypt them. The criminal world had gone dark even as it was increasingly going global.
> If the deal proceeds, the California-based company would take over the fund that owns NSO at a difficult time for the Israeli company. The French government has called for an investigation into allegations that NSO clients listed key government officials, including most of Emmanuel Macron’s cabinet, as persons of interest. In the US, a senior Biden administration official involved in national security has also raised concerns about the Pegasus project revelations to an Israeli official.
I'm glad someone else who pays attention (more than I do, I'm sure) to NSO is on the thread. Just in case other people here have difficulty with the distinction between positive and normative arguments (we all do sometimes), I'll be clear: I think NSO is a force for evil.
Yeah. And it isn't even always the case that they are magic gods at it... when I first heard about NSO, it was because I learned (as part of Citizen Lab's public analysis of a payload) that they were using some of my software--which I guess they didn't know how to replicate, and, since it wasn't open source, they were awkwardly having to shell out to binaries that I provided in ways that I guess worked well enough--as part of their persistent iPhone spyware.
Ahmed Mansoor--the particular UAE dissident who was being targeted in that analysis--is often in the crosshairs, and I think it just goes to further the point of your narrative that there are other companies from countries people ignore (as they don't get to go "oh no! it's Israel! they're scary!") providing software that people are trying to use to hack his devices. One of the other attempts I had paid some attention to was an Italian company named Hacking Team.
That hack also relied on third-party software, this time written by Collin Mulliner, whom I had known from grad school. He developed software that was somewhat analogous to my work for iOS that ran on Android, and he actually started getting flak as if he had something to do with the hacking, and so ended up publishing a blog post and public statements pointing out his software was both reusable and even sometimes open source, and he had no involvement.
> Instead, it's been empowered by institutional investors that appear to have turned a blind eye to its deeds in the pursuit of profit.
Maybe I should have worded it better.
Yes, companies like NSO most probably do receive institutional money, in the same way that some of the taxes we pay go to purchasing tanks and ammunition (i.e. the military doesn't run from a rogue basement), my point was that if that institutional money were somehow to be gone overnight it will not be the end of the world for companies like NSO, or for the people that they employ.
Worst case scenario the company goes bankrupt and another NSO-like company takes its place, with the same stakeholders behind it. But all the institutional and VC money in the world won't help take an NSO-like company off the ground if it doesn't have the right state-approved and state-sponsored stakeholders.
NSO operates the spyware. They have tried to claim they are entitled to immunity because they sell to governments but were predictably laughed out of court. So while this might be a civil suit, all NSO employees and certainly its leadership are similarly exposed to criminal liability in all countries their spyware has been operated.
Evidence was presented at trial (including chat transcripts) demonstrating that Watt supplied hacking tools and expertise knowing that he was providing individualized assistance to what was at the time the largest identity theft conspiracy ever uncovered. The getaway driver doesn't stick up the bank either, but he has approximately the same luck in sentencing. These things tend to come down to the level of intent the prosecution can establish, not just to the specific actions conspirators take.
I don't know what that says about NSO. I have no trouble believing NSO has culpability comparable to Watt's. It helps NSO that they're not generally operating under US criminal justice jurisdiction. Nothing special had to be done to convict Watt.
Does anyone have any good recommendations for getting a decent overview of NSO/Pegasus? A comprehensive Zero Days-type book is likely still years away, but I’m fine with a basic video/audio/read for the time being, as the whole thing kind of passed me by, apart from a few headlines here and there.
Ha! I’ve actually downloaded the episode months ago, but I’ve completely forgotten about it until now. I’ll give it a listen, Darknet Diaries is always a quality show…
> The bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It's pretty incredible, and at the same time, pretty terrifying.
> The supply of spyware to authoritarian and other rights-abusing governments has become a truly urgent threat to human rights and press freedom—an “existential crisis for journalism around the world,” as the Committee to Protect Journalists put it in a recent statement. David Kaye, the former U.N. special rapporteur for freedom of opinion and expression, has called for a moratorium on the sale of spyware, and in recent months others have joined his call.
There is no principled take here. This is a problem with who the software was sold to, not that the software was sold.
> There is no principled take here. This is a problem with who the software was sold to, not that the software was sold.
Untrue. In any hands tools like these, combined with the vulnerable consumer products, are dreadful. Selling tools like these to anybody is unethical. If they buy these tools they are up to no good.
If such a tool could have prevented 9/11 (the argument that NSO makes) isn’t that a good?
What is problematic is that these tools are used with very little transparency and oversight (not necessarily disclosing vulnerabilities) which allows such tools to be targeted on not just “criminals” but also anyone organizations/nation states deem problematic (journalists, advocates, dissidents, etc.).
Breaking into foreign computing assets is literally NSA's chartered job. Other countries could sue NSA for their CNE operations! At a certain point there is a sort of tacit understanding that the intelligence community operates in a sort of Hobbesian state of nature, and not under the laws of any one state.
A country wanting to penalize one of NSA's suppliers could single out a commercial CNE supplier and sue them the way US entities are suing NSO. That would jam the target company up, and prevent them from getting investment or doing M&A with companies under that country's jurisdiction. But for obvious reasons, US jurisdiction is a lot more commercially impactful than, say, Indonesian or Russian. Suing NSO is thus probably more impactful than suing a random NSA xdev supplier.
The understanding about SIGINT between intelligence agencies is especially strong within NATO (it probably doesn't need saying that the US and major Commonwealth countries have an even closer relationship still). For a long time, it was "common knowledge" that the biggest SIGINT challenge the US had was France, not any actual global military adversary. It's a little unlikely any major western market country is going to go to the mattresses over state-sponsored CNE from one of their own countries. I assume they have better ways of working this stuff out than lawsuits, which is why we never hear about them.
(I am out over my skis on at least the last paragraph of this analysis so take it for what it's worth.)
You’re suing NSO because it is not a USA based company tied into the US MIIC (military-intelligence-industrial-complex) and supporting legislators. You’re suing NSO because it is highly successful at what it does, putting the unsuccessful competitors who do have said ties to shame. Eliminating opposition via lawsuits is something we see increasingly used in the political system as well. Same players weaponizing the legal system.
From what I understand, no one does cyber warfare better than the US.
Eliminating the competition doesn’t really make a lot of sense as a justification.
If the US Military felt threatened by a private Israeli company, wouldn’t it be more effective to put significant pressure on the Israeli government instead?
While the article lauds El Faro's "fearless independent reporting", if you follow politics in El Salvador, they are aligned with El Salvador's left wing socialist party, the FMLN, as discussed in this video:
Why is there so much hatred against NSO? They are an arms manufacturer. Arms will be acquired with or without them. If you are suing them, there are many other companies, some in the US, that do similar things but for law enforcement. How is it fair to blame the weapons maker for selling to legitimate governments?
Let's use the same logic and apply it to kinetic weapons: US defense contractors made and sold weapons to Saudi Arabia who used it to kill a lot of Yemenis, mostly civilians. Should not these defense contractors be sued by any Yemeni-American whose relatives were killed by Saudi Arabia? Well that can't happen for many reasons but my favorite is the fact that private companies selling to foreign governments are not required to evaluate the intentions of that government, merely its legitimacy and follow the country's laws on foreign arms sales.
Did the NSO group violate Israeli law? No. So they traded with the legitimate governments of foreign nations lawfully. Is there a US law that requires evaluating the intent of foreign governments by foreign (or domestic) companies when selling cyber or other weapons? No.
The fact is, selling to governments is not the same as selling to individuals. When an individual wants to murder someone, selling them a weapon knowingly makes you complicit in the murder. Governments are special because so long as they are legitimate, they can murder their own people as much as they want. Even commit genocide (unless they signed a treaty in the past to make them accountable to an international court).
I keep running into this frustrating sentiment that so many of my fellow Americans (and westerners) for some reason refuse to understand and honor a foreign nation's sovereignty. Of course I disagree with what the Central American governments are doing to their own journalists. But it is up to those sovereign nations to self-determine, with or without fairness or democracy or the will of the people, their own fate. They are sovereign, that means external people or governments don't get to impose their will or ways or hold them accountable without the consent of their government. I can't decide if this arrogant view is a leftover from manifest destiny in the US or Europe's claim that they colonized foreign sovereign nations because their ways were barbaric and wrong. Every Native American government the US eradicated or African, Latin and Asian country whose governments were removed by force to colonize them was neither democratic nor did they treat their own people under the same rules against cruelty and fairness that existed in the west and their invasion was justified as "better for them" in every case. Let those journalists and people fight for the change they desire and fail or succeed under their own terms. It is their own neighbors and citizens that are members of any police or military force keeping their government in power and revolutions happen without the CIA or the west meddling and installing a puppet or undermining sovereignty.
A person cannot claim to have learned from the errors of their ancestors if that person refuses to let go of those very same erring ways.
I believe that's why it's important that an American organization is suing them in American courts. Of course, there is a chance you become a target of Mossad, but if they do away with too many American citizens they risk the US voters getting pissed and withdrawing support that's vital for Israel's continued existence.
The US’s support is political as well as financial, and the political support is arguably more important: the US provides a bulwark against international sanctions and UN resolutions, while also exercising influence over Israel’s primary geopolitical adversaries.
I think a more apples to apples comparison would be the percentage of their governmental budget which was ~133B USD in 2022 (making the 3.8B you cited ~3% of that) and IIUC (3.8B) represents ~15% of Israel's military spending (which given that it is already very high for their budget and GDP, will be difficult to increase otherwise).
Though as other posters pointed out, the non-financial support is also very important both in things like Anti-BDS (and opposing sanctions on Israel or similar negative action) and in things like slowing down Iran's nuclear program.
> And Israel seems to have no issue trading military equipment or creating mutually beneficial deals with Russia and China[2][3]
I think there are two important things to be aware of here.
First, Israel sells military equipment primarily to finance its own R&D and manufacture of weapons. In fact, US foreign aid is a partial driver for that here, since the aid money can only be used to purchase US equipment and in that sense Israeli weapons companies have a really tough time selling to Israel itself since they are competing with "free" and so have to supplement with foreign sales. In the other direction, taking away the aid would be too severe of a blow to Israel's military supplies that they can't afford to make deals that the US will disapprove of too much. There's also some unwritten rules between Israel and the US about what sorts of deals Israel can make. I'd go so far as to say that any deal you see Israel make in this space is one that the US at least doesn't really disapprove of (as otherwise the deal would not happen).
The second thing is that Israel can't really afford to strain their relationship with Russia. Syria is a major military threat to Israel's existence and prosperity and Russia has tremendous influence over Syria. You may have heard of Israel bombing Iranian military units and bases in Syria and that can only happen "peacefully" thanks to collaboration with Russia. But that doesn't mean that a relationship with Russia could replace one with the US (much like European countries depending on Russian gas doesn't mean they'll leave NATO).
On the relationship with China I actually don't really know that much, as it is not often discussed in the media (or outside of it really). Israel and the majority of Israeli citizens see Israel as a west-aligned Democracy, so I'd be surprised if the relationship with China became too close or went much beyond the utilitarian. Will be interesting to see where it develops.
If Mossad kills US citizens and it becomes widely known then pulling support will be what Israel prays to god for. The US populace will demand its military defeat.
That way overstates how much coordination or common interest there is between these agencies or firms. Here in Germany we had our own version of this with FinFisher which without federal license started to sell surveillance tech to foreign governments. The rest of the intelligence community wasn't very amused by it.
Intelligence/military contractors and agencies have a mind of their own, the extent of this stuff may not be known or desired by formally in charge officials.
However, in this case NSO also operates the tank / spyware. They are more like weapons company and an army for hire at the same time, where you can't just buy the weapons and use them yourself.
What? There are NSO equivalents in many European countries. A certain Italian company was famously counter-hacked and run out of business by vigilant hackers.
> Most western societies wouldn't allow it except within police and military agencies.
The answer is partially included in the latter part of your comment. Companies like NSO are "out-sourced" entities of the Israeli intelligence apparatus. If the shit hits the fan, as it happened in this company's case, then the intelligence agencies can say that they had nothing to do with it all.
NSO was almost acquired by a US defense contractor, and would have been if the Biden administration hadn't stopped it. NSO is not an "outsourced entity of the Israeli intelligence apparatus", at least not in a way that Oracle or Cisco aren't also.
There are companies like NSO all over the world, many competing in the same legal jurisdiction. Like I said upthread: nobody on HN has a weird theory about how an Auckland CNE/xdev shop is an arm of NZSIS, but everyone thinks they understand the IDF well enough to attribute NSO to it.
> HN has a weird theory about how an Auckland CNE/xdev shop is an arm of NZSIS
Some of us do, i.e. even though we might have never personally heard of those companies we almost automatically equate cybersecurity/surveillance stuff with state entities. In this geopolitical climate it would be foolish not to do it.
The thing that is different with Israel is that it has got its mandatory 2-year military conscription and that it has a dedicated cyber unit which is manned by fresh and very bright conscripts. Afaik no other state entity around the world has that.
I did a bit of digging on this just now, since I was curious why the Biden administration would want to stop a US defense contractor from pursuing this acquisition. Strictly from a strategic perspective, the purchase seems like it would have benefited the US, since NSO possesses uniquely valuable capabilities, and bringing them under the wing of a US defense contractor would mean the US would get to determine which zero-days it kept for itself and which it parsed out to its allies.
According to The Guardian:
"...a senior White House official suggested that any possible deal could be seen as an effort by a foreign government to circumvent US export control measures. The senior White House official also said that a transaction with a blacklisted company involving any American company – particularly a cleared defence contractor – 'would spur intensive review to examine whether the transaction poses a counterintelligence threat to the US government and its systems and information'.
...
There were other complications. The Israeli ministry of defence would have had to sign off on any takeover of NSO surveillance technology by a US company and it is far from clear whether officials were willing to bless any deal that took control of NSO’s licences away from Israel.
...the person also said that the deal faced several unresolved issues, including whether the technology would be housed in Israel or the US and whether Israel would be allowed to continue to use the technology as a customer." [1]
Of these obstacles, it seems like the biggest was related to counter-intelligence, i.e. that the Israeli intelligence services could feed any disinformation they liked to the American intelligence services via NSO? That's how I read this, anyway. I'm a noob to this though, and would love to be corrected if I'm wrong.
You really don't have to be a government to do this sort of stuff. I know people who work for these kinds of companies (which does NOT make me happy, fwiw; one of them really really needs a job and is constantly applying elsewhere, but feels stuck), and many of them exist in western societies. Hacking Team got a lot of press a while back because a ton of their e-mails were stolen and leaked to Wikileaks, showing the extent of their client base, and they are run out of Italy (though they got bought a few years ago, apparently; the article referenced about it on Wikipedia is in Italian, so maybe the new company is also Italian, but I'd be shocked if it were not also in western society, so it really doesn't matter that much exactly where).