You're dealing with what is essentially a front for gray-area extrajudicial hacking. The company itself isn't the issue, it's that it gives governments and other entities cover when they want to do shady shit. Same reason we use private military companies. The profitability of any one such company isn't really terribly important (from a privacy standpoint)... when one goes down, another takes its place, and the willing buyers will just buy from a new one instead. Like drug dealers.
From the privacy angle, nobody cares about NSO profitability... the point is that even if they go bankrupt, the underlying people, technologies, procedures, and overall shadiness will not only remain but grow stronger and more hidden, learning from this incident. Zero-days will keep getting found and bought and used for surveillance, and that is not something the legal system can solve, because a major customer IS state buyers who are funneling resources to it to purposefully circumvent legal protections. Judges aren't almighty, the law is selectively enforced, and almost always overridden for "national security" purposes.
> You're dealing with what is essentially a front for gray-area extrajudicial hacking. The company itself isn't the issue,
It is a game of whack-a-mole. But a business that gets you sued is radioactive for investors. So while the technology exists, and means will be found by well-funded agencies to exploit it, it will become less and less accessible to private corporations as a business model.
That is a good thing. That results from suing them.
If that's the case, then Israeli intelligence attempted to sell an arm of their own intelligence apparatus to a US defense contractor. Have you spent a lot of time looking into NSO?
2 is critical. Tech people tend to fall for “one simple trick” because they believe there is a highly formal rule system where any technical loophole is just “oh well, the rules didn’t apply.”
But reality is judges and the justice system are intentionally analog and human and fallible, and can use judgment to sledgehammer people trying to use one simple trick.
It imposes a significant cost and friction to their operation and proliferation of the access to what they have, even if they reorganize. So this is a very good action in my book.
As recently as July, the 6th largest defense contractor in America was set to purchase them, so I think whatever radioactivity they had, it was pretty mild.
Another very weird NSO take. There was a whole spate of news stories about NSO shopping themselves to US investors, and ultimately putting the whole company on the block. The sale would have actually occurred had the Biden administration not stopped it. No, I think this is comprehensively false.
I think people on HN have a really bad habit of mythologizing CNE shops. You do not in fact need state sponsorship to do exploit R&D and build software implants; dozens of people have started companies that do exactly that, and they get bought routinely. All of them have state actors as their primary client base.
I wouldn't be at all surprised to learn that NSO has a tight relationship with the IDF, the same way lots of commercial CNE shops in the US have relationships with NSA. I wouldn't even be surprised to learn the relationship is deeper than that. But there is no evidence at all that NSO is an "arm of Israeli intelligence" in any formal sense, and a lot of countervailing evidence.
It's possible the only thing that distinguishes NSO from any of a dozen other shops is that they happen to be Israeli. Somehow, a CNE shop in Auckland just doesn't seem to excite HN the same way. Maybe there's more to the story than I'm suggesting! But, like, you know what they say about extraordinary claims.
> It's possible the only thing that distinguishes NSO from any of a dozen other shops is that they happen to be Israeli. Somehow, a CNE shop in Auckland just doesn't seem to excite HN the same way.
I suspect this is because they operate in a way such that Hacker News doesn’t really hear about them.
In case anyone wants some references, I hadn't been paying much attention to NSO in many years, and so got really curious about the "ultimately putting the whole company on the block" comment, so I figured I'd provide some links that I came across:
> The bottom line: NSO isn't some rogue company being operated out of the basements of shadowy founders. Instead, it's been empowered by institutional investors that appear to have turned a blind eye to its deeds in the pursuit of profit.
> The F.B.I. had bought a version of Pegasus, NSO’s premier spying tool. For nearly a decade, the Israeli firm had been selling its surveillance software on a subscription basis to law-enforcement and intelligence agencies around the world, promising that it could do what no one else — not a private company, not even a state intelligence service — could do: consistently and reliably crack the encrypted communications of any iPhone or Android smartphone.
> Since NSO had introduced Pegasus to the global market in 2011, it had helped Mexican authorities capture Joaquín Guzmán Loera, the drug lord known as El Chapo. European investigators have quietly used Pegasus to thwart terrorist plots, fight organized crime and, in one case, take down a global child-abuse ring, identifying dozens of suspects in more than 40 countries. In a broader sense, NSO’s products seemed to solve one of the biggest problems facing law-enforcement and intelligence agencies in the 21st century: that criminals and terrorists had better technology for encrypting their communications than investigators had to decrypt them. The criminal world had gone dark even as it was increasingly going global.
> If the deal proceeds, the California-based company would take over the fund that owns NSO at a difficult time for the Israeli company. The French government has called for an investigation into allegations that NSO clients listed key government officials, including most of Emmanuel Macron’s cabinet, as persons of interest. In the US, a senior Biden administration official involved in national security has also raised concerns about the Pegasus project revelations to an Israeli official.
I'm glad someone else who pays attention (more than I do, I'm sure) to NSO is on the thread. Just in case other people here have difficulty with the distinction between positive and normative arguments (we all do sometimes), I'll be clear: I think NSO is a force for evil.
Yeah. And it isn't even always the case that they are magic gods at it... when I first heard about NSO, it was because I learned (as part of Citizen Lab's public analysis of a payload) that they were using some of my software--which I guess they didn't know how to replicate, and, since it wasn't open source, they were awkwardly having to shell out to binaries that I provided in ways that I guess worked well enough--as part of their persistent iPhone spyware.
Ahmed Mansoor--the particular UAE dissident who was being targeted in that analysis--is often in the crosshairs, and I think it just goes to further the point of your narrative that there are other companies from countries people ignore (as they don't get to go "oh no! it's Israel! they're scary!") providing software that people are trying to use to hack his devices. One of the other attempts I had paid some attention to was an Italian company named Hacking Team.
That hack also relied on third-party software, this time written by Collin Mulliner, whom I had known from grad school. He developed software that was somewhat analogous to my work for iOS that ran on Android, and he actually started getting flak as if he had something to do with the hacking, and so ended up publishing a blog post and public statements pointing out his software was both reusable and even sometimes open source, and he had no involvement.
> Instead, it's been empowered by institutional investors that appear to have turned a blind eye to its deeds in the pursuit of profit.
Maybe I should have worded it better.
Yes, companies like NSO most probably do receive institutional money, in the same way that some of the taxes we pay go to purchasing tanks and ammunition (i.e. the military doesn't run from a rogue basement); my point was that if that institutional money were somehow to be gone overnight it will not be the end of the world for companies like NSO, or for the people that they employ.
Worst case scenario the company goes bankrupt and another NSO-like company takes its place, with the same stakeholders behind it. But all the institutional and VC money in the world won't help take an NSO-like company off the ground if it doesn't have the right state-approved and state-sponsored stakeholders.