That right there tells me that we as "the tech community" are way too okay with this sort of application of the tech. The tech we're all so convinced will "make the world a better place." /s
It looks like NSO is backed up by the Israeli government. They say their software is only sold to governments which were previously vetted, but the reality is that most of the time they sell to authoritarian states which monitor and persecute people opposing the regime.
The way this works is that in addition to the more colorful clients, you absolutely need to make sure that you have a sufficient number of clients among law enforcement and security services in countries with a decent(-ish) track record regarding human rights. This way, your products and services are not obviously illegal. You can even tell your employees that your products and services are saving lives because it's actually true.
This strategy mostly works because the major operating system suppliers refuse to implement requested lawful intercept solutions for their consumer products. Instead, we end up with companies that try to fill the gaps, making a business of exploiting security flaws. It's possible for the OS vendors to completely dry this swamp, by offering competing services to law enforcement using the interfaces they already have (automated software updates, for example). The reputable clients would migrate rather quickly. These companies would be left with just the shady clients, making it much more difficult to justify their continued existence.
The OS vendors refuse to implement lawful intercept capability because there is no such thing as a lawful intercept capability. There is only intercept capability for any purpose because ROM bootloaders and secure enclaves cannot vet the lawfulness of a request to subvert their owners. You can make a phone relatively secure against people trying to break into it, but only if it has unique access keys for the owner. If you give any government a second key for intercept capabilities, that key will be a single point of failure for the entire system. Eventually it will leak and your phone password will be effectively useless.
I don't even need to invent a scenario for this: you can buy the TSA master keys off Amazon right now. The only reason why it's not a huge problem is that TSA locks are a special thing you buy and use solely for airline luggage that is already in TSA custody anyway. If you use TSA locks on anything else, however, you're just asking for it to be stolen because the locks don't actually provide any security.
The shady clients will get their hands on any intercept key provided by law enforcement, because it's legally unreasonable for Apple or Google to only provide intercept capability to some of the countries they operate in. e.g. if you give the US and UK a decryption key you also have to give it to Saudi Arabia[0]. Hell, in some countries the shady and legit clients are part of the same government - e.g. you can't give the key to just the FBI but not the NSA or CIA.
[0] The Saudis have one very big lever they can use to force the west to do what it wants: gas prices.
2nd is Saudi Arabia then Russia. However it happens that US is also the largest consumer and their production doesn't meet the demand so they have to import from other countries like Canada and Saudi Arabia
So Saudi Arabia most definitely does have a lever, and so does Russia since the rest of the world including US allies like Japan, South Korea, Australia, NATO countries depend on their lovely black gold to have functioning economies.
I want to add that even if the US produced more oil, we currently don't have enough industrial refining capacity for the type of crude that we produce to meet our demand, so we would still need to rely on foreign imports.
> [...] so does Russia since the rest of the world including US allies like Japan, South Korea, Australia, NATO countries depend on their lovely black gold to have functioning economies.
Have you been following the news for the past two years? Russia's sanctioned up the wazoo. No NATO country is buying Russian oil. India is now their number one costumer.
There is truth in that Europe isn’t buying directly from Russia. However plenty are buying from countries are buying refined oil products from India (and possibly others) where the source is Russian crude oil.
If the US was like Saudi Arabia where they exported half of their oil, and could supply most of the world at competitive prices, Russia would have really felt the Sanctions.
But right now Russia doesn’t feel the Sanctions. They’re more isolated and Putin’s propaganda has somewhat worked at making the general population anti-west and support the Ukraine invasion.
That is a slippery slope though, because the OS vendors could offer Law Enforcement everything today, and there will be a special request made for a little something extra tomorrow.
The ties to government are a red herring. Hacking into people’s private phones and computer systems is generally immoral and illegal.
It generally continues to be immoral and illegal when governments do it. Except it also becomes more outrageous, because governments are supposed to protect us from this sort of thing.
I don't see why the government doing it would make it more outrageous. If democratically elected leaders pass a law outlining when and how the cops should be able to access private devices, a judge looks over a specific case and signs a warrant, the cops use a hacking tool to catch a terrorist and the evidence is presented in court, this seems like the most excusable use of hacking tools that I can think of.
The government is given power over people in order to protect us from other people and this is one tool to do it. They have cops with guns and soldiers with tanks, they can break in, search and seize, they can lock people in prison. All of these things are tools and it's they way they're used that decides what's immoral or outrageous.
The bigger problem here is that a private company has these tools and can use and sell then with no oversight.
It does if we grant the two the same assumptions. If we assume that serious, unjustified harm would occur by failing to act, and they are in a reasonable position to act… then I’d say a private company is equally justified in doing the same thing. However, you’re assuming the government is justified merely because it’s the government.
Private companies aren't, but in certain circumstances private citizens working for those companies are. In the US (except perhaps Georgia?) if a crazy guy comes into your workplace waving a knife around, you're allowed to disarm him and pin him down on the ground.
Depending on the circumstances, absolutely. Assuming that serious unjustified injury or death would occur if they failed to act, there should be some legal window in which they’re allowed to prevent the harm. Private companies (and individuals) should not be required to stand by helplessly while people are hurt.
Indeed, legally, private individuals and companies are allowed to act in emergencies. For example, I generally should not break into my neighbor’s home. However, I am legally allowed (and morally obligated) to forcibly enter their residence if their house is on fire, or they’re being attacked by a burglar, etc. and I am able to prevent some of the harm.
Of course, if we assume we’re talking about situations where the government needs a warrant, the legality becomes more complicated. At what point does something become an emergency? I would say it’s not an emergency if there is time to inform the government and to let the government prevent the injury. If we assume the government is unwilling or unable to act, then the window for action should expand by some measure.
Exactly. Indeed, in Phoenix v State, 455 So.2d 1024, the Florida Supreme Court implies that a private citizen could request and receive a warrant to arrest a felon. They say the citizen could be excused for failing to obtain a warrant by proving the person arrested was actually guilty.
This is obviously a bad idea, private companies or individuals having the power to arrest people because they want to? Look at the recent few years of history in the US where multiple experienced and distinguished (at least by resume), members of the us govt, senators, reps, tried to subvert an elections, dozens of lawyers told them it was illegal, we have their email and texts telling them. That group still acted to do many illegal actions, lie about it, tried to cover it up. And they still deny any problems with their behavior and choices.
Private companies having arrest rights is just a nonstarter of an idea (putting it kindly).
Maybe it depends on the country, but private companies cant generally get warrants to infringe on people's rights afaik. If justified is interpreted as 'legally justified', then it would make sense that only government agents could be justified to act in this manner. Of course, government agents are known to operate outside the law as well.
I wouldn’t assume that private companies and individuals cannot get warrants.
However, they look very different. The major distinction is that when a private party requests an injunction allowing them to e.g. trespass on their neighbor’s land, the court will require notice and a hearing for the defendant. So, if a chemical plant needs to do earth works on a neighbor’s land to prevent a collapse, etc. the judiciary may well issue an order requiring the neighbor to let the company enter.
Frankly, notice and hearing should probably be required for some criminal warrants too. I can think of a few indictments and arrest warrants that have recently been issued where there is a genuine question as to probable cause and the alleged illegality of the conduct. It’s not fair for people who are not a flight risk to be arrested (and often imprisoned) with no opportunity to defend themselves.
Devil's advocate: we have a reasonable expectation that governments using due process to obtain warrants for criminal investigations have a right to break and enter into digital property or wiretap to catch and prosecute malefactors.
How far do you really expect any tech outfit to vet the legitimacy of the warrants issued?
How about the legitimacy of the government? Most of the abuses are governments which have a long history of abusing their power and it wouldn’t be unreasonable to say that entire countries should not be trusted with sales.
Legitimacy based on what? Recongition by the UN? Lots of governments even predating the UN have been long accused of rights abuses. How many people affected, and proven so by what basis constitutes infractions beyond moral right to be trusted by NSO. I'm asking people to really grapple with this.
My point being that there’s precedent for restrictions - we don’t sell nukes to anyone, and the companies which make advanced weapons systems have to get things like ITAR approvals. What would be especially powerful would be revocation: if a country is found abusing their access to this tool, they are blocked from purchases of any sort for a decade. Unfortunately, given Israel’s current politics it’s extremely unlikely that anything would happen since there’s no way to write a policy which would continue to allow their own usage.
The US has their own version, called the NSA. Available to hire via really simple framing. Guaranteed whomever is caught will be in prison for years just to get a trial to prove they're innocent.
Oh, but you see, NSO targets only "terrorists and criminals", so if you're a law-abiding citizen with nothing to hide, there's nothing to be concerned about. Right? It's not like there's any regimes out there where, say, casual investigative journalism or opposition politics would ever land you with criminal or terrorist charges, no sirree.
In Hungary, for example, which is an EU country and democracy (i.e. there are elections), investigative journalists have been targeted with Pegasus by the government.
To compare US elections to Russian or Syrian elections is both incredibly naive and dangerous. In one country, you have a leading political opponent having stolen classified docs treated with kid gloves; in the other, you have political opponents poisoned and literally blown out of the sky.
Sounds like you don't like the outcome and dismiss the possibility that it's the result of the system. From what I understand Orban has a decent approval rating in his country. For Putin it's hard to say since Russia is so foreign and separated, just like China - the only source of info is random crap by your preferred biased media source.
But for Hungary - I've been there multiple times in the last few years, know a few people, and I have no trouble believing he won democratic elections.
Selling malware/software weapons to US entities is generally legal for other US entities*, with the main caveat that if it ends up ITAR regulated then you can only sell it to the US government and other ITAR-cleared suppliers unless it's open source (in which case you'd be selling the platform).
NSO Group is bad because they have been caught selling to oppressive regimes and allegedly actively supported (and potentially continue to support) the deployment of their software for oppressive regimes to harm innocent civilians. They should be (and iirc are) sanctioned for their bad behaviors, bad intentions, and mishandling of their responsibilities.
* There are plenty of caveats (e.g. the seller & buyer need to have good intentions and only plan to use the malware in accordance with the law). I am not a lawyer and this is not legal advice.
Much of this stuff is classified as a weapon, and thus really sold by the Israeli government, not by the company. It's no different from a MANPADS that sometimes is used to destroy a Ka-52 over Ukraine, and sometimes is used to shoot down a civilian airliner - that is to say it's directed by the foreign policy (and foreign policy errors) of the manufacturing country.
There's no reason to expect the world to disarm any time soon, so the best approach is to be aware and democratically influence policy, rooting out bad ideas and bad actors.
Israel is constantly trying to woo Saudi Arabia so that they can be allies during a potential war with Iran. Israel will definitely sacrifice some human rights activists just for the ability to cross the Saudi airspace. But it has not been going well for Israel lately.
There's multiple responses echoing this idea that it's a defense company like any other and thus an evil we'll have to accept exists.
That may be true, but these companies (NSO group is by no means worse than the rest of them, just more notorious) have been caught over and over again, selling these "weapons" to dictators, companies, etc, who in turn use them to spy on journalists and activists, not terrorists or anything of the sort. And that doesn't even go into keeping 0-days for the benefit of the few, keeping literally everyone on the planet less safe, which is arguably as big an issue, if more systemic.
These companies may exist in some form or another because the nation state & private surveillance systems that form their client base want them to exist.
But my point is that the individuals working at this company should be ashamed of themselves. I'm not appealing to their sense of morals, I'm talking purely about "us the tech community" making it abundantly clear that having one of these companies on your CV will make it very hard to find any decent job afterwards. It needs to be socially expensive to work there. To loan from Max Goldt's opinion on the BILD newspaper [1]:
> NSO Group and the like are an organ of infamy. It is wrong to use their products. Someone who contributes to these products is absolutely socially unacceptable. It would be remiss to be friendly or even polite to any of their developers or managers. One must be as unkind to them as the law will just allow. They are bad people who do wrong.
Yeah, I think the appropriate comparison is if a weapons manufacturer made "selling to dictatorships for suppressing dissidents" the core of its business strategy.
This is true, but then you have to also socially shame a large part of the US military, for invading Iraq. At least those that didn't resign as soon as it became clear that there are no WMDs there, and the large amount of Iraqis were killed pretty much for nothing.
In short - you have a point, but it's not quite that simple.
Yeah, every single US soldier who voluntarily stepped on Iraqi soil should be sent to the ICC and tried for war crimes. Some of them would be exonerated for being too stupid/brainwashed to understand that they were committing criminal acts. Others wouldn't.
However, those who develop the NSO spyware are middle class Israeli citizens who easily could get a well-paying job at a less repugnant company. There are no extenuating circumstances, no "had to put food on my table", no claims of being fooled/brainwashed. They 100% deserve to be punished and they 100% deserve our disgust.
Why the soldiers? They aren't the ones that made the decision. Sure, if they committed war crimes themselves, but for anything else you have to address the people that actually were responsible. Prosecuting soldiers would be futile and certainly no justice.
There was a lot of media propaganda to make the war popular. It wasn't at first but it didn't even take half a year until people ate it up. Liberal, conservative, didn't even matter. It was scary to see how quickly people were manipulated. It had large support in the population. People should stop and reflect what made them support the war, which messages and by whom. That is the responsibility they can take here and it would be much more constructive than putting the blame on soldiers...
Israel citizens might have a better excuse to develop weapons than most other countries, so I don't see the point. Not an excuse, but at least an explanation.
Because no American was forced to commit war crimes in Iraq. Yes, participating in an attack on a state that is of no imminent threat to your own is a war crime. Brainwashing may have been an extenuating circumstance, but a lot of Americans were staunchly against the war so how come they let themselves be brainwashed? If I join a gang can I claim to have been brainwashed when most people in fact do not join gangs? People are responsible for their own actions.
I don't know- I imagine deserting your brothers in arms (which may include your literal brother or sister) would be akin to deserting your family in a deadly situation. Regardless of how stupid the causes, once you're in the shit and people are at risk that you care about, the reasons you're there probably arent your biggest concern. The people that should be held accountable are the ones who orchestrated and perpetuated the whole thing, not the soldiers (unless they commit war crimes obviously).
I mean, to follow that analogy, yeah people absolutely should abandon their families if the families are out there actively murdering innocents.
The person saying that they're only staying to murder with their families because they care about them is not a redeeming quality, and they should definitely be held accountable and not excused for their crimes.
For the record, I consider any armed person outside their home country should be considered as a terrorist and a militia and treated as such. There is no reason someone from country A should be carrying a weapon in country B and attacking people there. This is 100 times even more valid when country B has not authorized this.
I agree, but the world just isn't this simple. It's not about murdering with you family- it's about protecting your family. Kids I knew that went to Iraq were the protective types, not murderous. People can enlist in the military with the intention of protecting their country only to be ordered overseas caught up in some bullshit war. Historically, drafts were the main reason. And no man is an island, so whatever situation pulls one person in, is bound to ripple through other people's lives and pull others in as well.
> I consider any armed person outside their home country should be considered as a terrorist and a militia
I mean, there are situations like hostage crises where foreign countries send in soldiers that I think are completely justified. But, I agree, in general. Our foreign policy has been fucked since the CIA started after WWII. I'm just grateful I never had to fight a war- chances are I would've being born in the last couple hundred years
So then, by this logic, once you've worked for NSO Group or the like, there's no way back for you. How then, can someone reform or "see the light"? Is someone once tainted, always tainted? Or do they have to do 10 years in the NFP space before we see them as worthy?
The problem is that by walling off developers who participate in these activities, we essentially force them to continue these activities. I'm not sure that's net positive.
It’s not like we don’t accept that people change, but stigma is useful for both discouraging starting there or staying. If your first job out of college or the military is a defense contractor, oil company, Palantir, etc. a lot of people will sympathize with needing to make rent. If you’re still there a decade later, they’ll assume you’re okay with what they do.
That’s a personal ethics shirk. For example, policy makers haven’t outright banned tobacco companies but a large number of people would not spend their time trying to make such companies successful.
They should be ashamed of themselves, but you are still barking at the wrong tree in the long run. You should demand your own government to outlaw this type of surveillance.
I can do both, actually. Just because something is technically legal doesn't mean it has to be socially acceptable. The two systems are often complementary, and often even contradictory.
Regulation at all is hard enough, expecting it to work by social norm is just impossible. Even more so in a country where all women do 22 months mandatory millitary training and all men do 36.
> have been caught over and over again, selling these "weapons" to dictators, companies, etc
Meanwhile, a nice silent worm propagates among their network... I have 0-faith that the version they have sold to bad actors is clean when they probably are begging you to take their software into your internal network.
From being in MI, collateral damage is a thing... decisions like "if we act on this information, 100 people will be saved but they'll know we know and 1,000s could die. If we let 100 people die, we can save 1,000s" are more common than we'd like.
1. There's no compelling reason to think that this applies in NSO's case, since a lot of the bad actors are geopolitically aligned with "good" governments.
2. One needs only study the cold war briefly to see how the group-think in these unaccountable environments can become completely detached from reality.
Pardon me if I'm skeptical of unaccountable officials making those decisions, and orders of magnitude more skeptical of random people on the internet alluding to such actions as if we can all just assume abuses are justified by unspecified good ends.
They don't just make a gun, sell it and then it's up to whoever uses it. It is well established they run the C&C servers and tailor operations - they are combatants.
> Israel is constantly trying to woo Saudi Arabia so that they can be allies during a potential war with Iran.
You have that reversed. Recent Iranian regimes have been especially hostile toward Israel, but that's nowhere near as longstanding an enmity as Saudi/Iran.
AFAIK Israeli government audits NSO and stuff, but they are separate... And Intellexa (authors of Predator I think?) doesn't even get audited because it's "not israeli" on paper
It's more like they leverage it for diplomacy. The auditing means nothing really, it's being given to authoritarian government like Saudi Arabia as long as they are OK with Israel existing. The bar to get access to NSO tools is too low...
They don't really leverage it for diplomacy. Israeli arms exports policy consistently prioritizes getting better R&D economies of scale over actually affecting foreign states' behavior.
Definitely part of diplomacy effort of netanyahu with the despots if the world. NSO CEO travelled with him to Saudi t among other places.
It's software there's economics of scale by default.
Economies of scale only apply if you have scale, ie lots of (paying) users. If you're making this fancy thing for only the Israeli security services you won't be able to pay your developers.
Economy of scale is actually inverted with 0 days. The more you use it the higher the risk it's detected and fixed so value and scale are inversely proportional.
If they are dumb and get caught during audit for selling to Sudan or something then sure, Israeli government will probably tell them they're bad. (And what, shut them down? Lol.)
It gives me the impression that you find "the tech community" to be a cohesive collective that has the organization to switch gears in a given direction.
I wonder why you expect it to be like that.
In reality, "the tech community" is extremely diverse and not cohesive at all.
For one example, a large proportion of developers are barely making enough money to pay their most basic bills. They don't have enough mental space to even know what NSO is...
> In reality, "the tech community" is extremely diverse and not cohesive at all.
I really dislike this phrasing "the X community" which seems to be so popular nowadays. Lumping together many millions of people worldwide who have a single thing in common–how did people end up using the word "community" to describe that?
I’m in the Tech Community. I’m fine with the NSO group. (Which, btw, is owned by U.K. Novalpina Capital, and managed by a firm out of Luxembourg. But for some reason you all here aren’t obsessed with those countries.)
That is the problem, we are not cohesive enough in shaming these people. They are criminals, and criminals don't post openly on linkedin proud of their work.
I just got finished listening to the most recent episode of Darknet Diaries this morning on the way into the office! It was about similar companies to the NSO group: https://darknetdiaries.com/episode/137/
I listened to the first half this morning. Was thinking about going back and watching the NSO group episode he mentioned again. Then I get to work, and the first thing I see is this link.
Actual headline: mentions NSO group and nothing about Apple.
Top comment (+50 comments): Why do we talk about Apple so much and so little about NSO group.
The absurdly pro-Apple PR on HN is tough to bear. I have to say it's so overt it made me more hostile to Apple (NSO is obviously a worthy topic, but we do discuss it).
Plenty of these comments are about NSO. And that's fine! But trying to catch every blackhat won't solve our security problems. Ultimately, the only solution to these security holes is more secure software, and the only way to get that is to pressure Apple to invest more resources. The main question should be how come 'secure' Apple software keeps having 0-click exploits.
Pressuring Microsoft led them to adopt a much more secure culture compared to previously. Apple shouldn't be exempt from the same pressure.
To be fair, when I made my post I had to go through 3 pages of threads to verify there was indeed, at that moment, very little discussion about NSO, and mostly discussion about remedies and how bad apple is handling imessage. But I'm glad that enough other people seem to care. :)
The NSO is less of an issue to me than the fact they are finding exploits Apple isn't (assuming Apple truly isn't aware of these and/or building them in on request) and that Apple has more than enough to budget for. To me, the NSO (as evil as they are) is like a regulator who cuts through a company's "self-regulation" claims and proves that the company they are regulating is either intentionally making their own platform insecure or is at best, negligent to mitigating and being proactive in addressing obvious issues.
Apple could pay all these people and companies way more than they could ever hope to earn on the free world market to simply fuck off. They are notoriously stingy with bug bounties and constantly disillusion those who are helping to ostensibly make their platforms more secure. I view NSO in a similar light to Correllium, whom Apple has tried to shutdown (unsuccessfully).
Its like trying to blame a whistleblower rather than prosecuting the misconduct that comes to light. The energy and blame is misplaced and this lawsuit only distracts from the fact that iMessage is basically the skeleton key to access anything and everything on a modern iPhone, after all this time.
The NSO group is the easiest to spot. The other parties involved in their operations are not so easily traced, such as Team Jorge, AIMS, Legion, Xaknet etc.
For once, I am not okay with what they are doing, and I've started to fight them actively.
If NSO did not exist the vulnerabilities they discover would still be there. So I guess the complaint should not be that they exist, so much as their motivations and applications being questionable. It's an argument for something similarly funded to exist, but with an aim to responsibly report the bugs and get them fixed.
I dont think its the "tech community" being okay with this application of the tech as much as it is fear of standing up to Israelis in any way.
Imagine you own a infosec company and an applicant with excellent skills applies. You look at the CV in detail before the interview and you see that they proudly declare their NSO background. Tell me what will you do? Cancel the interview? How comfortable would you be to deny the applicant a job for that reason alone?
I would wager the majority would consciously hire them out of fear of blowback and most of the remainder would unconsciously suppress their opinions on the NSO.
Nah. Joining NSO or such displays a moral "flexibility" and/or a lack of judgement that pretty much precludes the individual from taking on significant responsibility.
Imagine having a business handling privacy relevant data and when someone asks about your stance on data security you have to admit you hired people who are okay with keeping the whole planet insecure for their own benefit.
I know, I know, in my more cynical moments I see it your way as well. But that doesn't make it right.
I don't see why companies that facilitate criminal acts are not swiftly brought to legal justice. We should not be tolerating companies like NSO group in any sense. If the Israeli government wants to look the other way, we should designate NSO group a terrorist organization and start sanctioning any country that won't bring them to justice.
If Snowden and Assange can be extradited to the US and tried for crimes, executives of NSO group absolutely should as well. Lock 'em up!
> That right there tells me that we as "the tech community" are way too okay with this sort of application of the tech. The tech we're all so convinced will "make the world a better place."
This calls for a larger discussion of individual choices of every one of us. It would not be an easy discussion, because things are far from simple, and yet every one of us should actively think, instead of falling into the whataboutism trap and doing nothing.
For example, there are probably thousands of tech people in Russia right now either breaking into Ukrainian systems or writing software for missiles, drones, targeting systems, etc. These systems do not write themselves. Each of those people should ask themselves if this is really what they should be doing. I am certainly asking myself if I want to ever work with people who were complicit in these crimes (and how will I know?).
I know some people who pledged to never work on any military systems. I was close to that point of view, until Russia started dropping bombs on my Ukrainian friends. Now I don't see it quite in the same light anymore.
Similarly, the NSO group is not an amorphous entity, PEOPLE work there and write these exploits. In each case, it is a conscious decision.
My point is that we can't abstract tech from moral choices. There is always right and wrong, there is always the right thing to do. It might not be universally applicable, and there will always be endless discussions on HN ("but what about..."), but each of us can and should think about how our work is applied.
No big political leaders out of the tech world yet. So "the tech community" doesnt have anyone to rally around. And this more a political prob than a technical problem.
This is a problem of legislation. It would be trivially easy to stop this behavior, but governments in the western sphere tend to like surveillance as well.
It sad true that tech would make the world a better place (in some ways). But not because of the infinite goodness and wisdom of the first movers, who happened to entrench themselves at the right moment in time.
The same is true today. Eg LLMs have huge potential. What worries me are the sociopaths who draw the same conclusion.
I just want to add this: these people operate pretty much in the open. They're not ashamed of it either, or else they wouldn't put it on their CV:
https://www.linkedin.com/company/nso-group/people/
That right there tells me that we as "the tech community" are way too okay with this sort of application of the tech. The tech we're all so convinced will "make the world a better place." /s