What are the odds that NSO has like 20 other zero-days in their arsenal each set ready to deploy the day the current vulnerabilities are discovered and patched? Does Apple know or have a clue how bad this problem could be?
Surely whatever money these guys spend buying these zero-days, Apple is rich enough to increase their bounties large enough to attract them to right side instead?
It’s not clear in the article if the author had to take any action to get this program installed. If that’s not required, what should anyone who even vaguely suspects state sponsored spying do? Sounds like it’s safer to just not use a phone or try and circle through a series of them you buy second hand or something.
This comment pretty much dissects/explains NSO in the best terms I've seen on HN before.
"Pegasus" is not one hacking entity like most articles make it out to be. It's
1) A bunch of services that download data, given root access to a phone
2) a bank of 0-days, we don't know how deep.
For all we know, there are times when "Pegasus" doesn't work for hours, days, weeks, until the 0-day is rotated. We do know from some leaks that they have a mix of non-click and click exploits, and also support all different kinds of phone OS.
Their hacking abilities are definitely overstated; for all we know, for smooth continuous customer support, they could be buying 100% of their 0-days and not finding any themselves. A 0-click 0-day for iPhones is worth about $2,000,000[1], a company with contracts like NSO can afford a lot of those. IMO the media portraying them as super-hackers is pure hype. It's a bunch of crooked business people who figured out how to extract money out of countries.
I factually agree with what you're saying, but I don't think it really changes the practical outcome of the situation: a private organization is available for-hire to arbitrarily root and snoop on fully patched iOS devices at state-level actor scale. If they get the exploits from in-house or elsewhere, the outcome is basically the same.
Whether there's "Pegasus" attribution or not, the reality of the contemporary internet is: if you're targeted hard enough, you're probably screwed. (...but you're probably not actually targeted that hard, so practice good practices)
That being said, I agree with others that it's probably a good technical, PR, and long-term "marketability to regimes" approach for Apple to just double down and spend millions instead of thousands on competing with the black market to buy 0-days.
> a private organization is available for-hire to arbitrarily root and snoop on fully patched iOS devices at state-level actor scale. If they get the exploits from in-house or elsewhere, the outcome is basically the same.
This is a distinction without a difference. The major Great Powers are all cyber powers. The only difference is that NSO services the non-Great Powers too, with the implicit backing of the Israeli state apparatus. The media has made NSO a cyber power broker for the powers that be, but all of the UN Security Council permanent members have their own defence contractors and cybersecurity staff. Talented engineers are everywhere.
An extension to the link [1] above is: the price NSO pays for Android zero-click is higher than the price they pay for iPhone zero-click exploits. This implies they do indeed have a catalog of iOS exploits stashed.
I've heard a few people theorize about why Android exploits seem to pay more. The theory is that Android is 1) very fragmented, with each manufacturer having different versions and modifications and 2) updates are much slower/non-existent.
To get the top payout, you'd need to come up with something that works across all manufacturers' versions of Android and probably across 4 or 5 major versions. You might be able to find an exploit for all Androids running version x, but if that version only has 10% of the Android market, you wouldn't get a full payout.
iOS users tend to heavily be on the latest version, or one version behind at most. As an example, most recent iOS exploits in the wild seem to be using iMessages. On iOS, you can focus your efforts at one thing. On Android? Your surface area is much smaller because each manufacturer is going to be shipping their own messenger app, for example.
Looks like there's finally a benefit to Android OS being such a clusterfuck with so many versions being currently active on a significant portion of devices. Not updating quickly increases the number of versions floating around.
The link is about Zerodium, not NSO. Also, $2.5M vs $2M is not a meaningful difference, neither presents a meaningful road bump to competent attackers. But your point that it indicates a robust stash is fair. They 100% do.
Note that the article is from 2019. iOS 14 made significant changes to the way messages are processed by adding sandboxing and isolation. Here's a post by Project Zero evaluating the improvements: https://googleprojectzero.blogspot.com/2021/01/a-look-at-ime...
It doesn't really imply anything because iPhone's global market share is less than 30% with customers concentrated in North America and China, both danger zones for NSO operations. Android exploits might also take far longer to patch across all vendors and users might take longer to update compared to iOS.
It's fairly probable that iPhone exploits are just less valuable to a shady intel operation that sells mostly to small authoritarian regimes.
Your comment is not considering that these governments are more likely to target politicians and journalists which are more likely to use iPhone regardless of where they are located. I don’t know if the implication that iPhone is less secure holds but it’s likely.
> Your comment is not considering that these governments are more likely to target politicians and journalists which are more likely to use iPhone regardless of where they are located.
Are you sure that's true? In my experience governments often choose Android because they prefer the platform's organization-wide device management options over iOS. Many dissidents/journalists choose Android because it's easily rootable, giving them more privacy and control (I have a very small sample of the latter, however).
You could use Apple’s lockdown mode. It’s unmatched on Android.
Google and Samsung warn you about enabling root.
Samsung:
Is rooting your smartphone a security risk?
Rooting disables some of the built-in security features of the operating system, and those security features are part of what keeps the operating system safe and your data secure from exposure or corruption. Since today’s smartphones operate in an environment filled with threats from attackers, buggy or malicious applications, as well as occasional accidental missteps by trusted users, anything that reduces the internal controls in the Android operating system represents a higher risk.
Security risks with modified (rooted) Android versions
Google provides device security protections to people around the world using the Android operating system. If you installed a modified (rooted) version of Android on your device, you lose some of the security protection provided by Google.
Important: If your account is enrolled in the Advanced Protection Program, don’t use that account on a device with a modified version of Android. Modified versions of Android can undermine Advanced Protection’s increased security features.
I have great respect for the iOS security model. Seriously a marvel and best-in-class accomplishment.
But this is flatly not true. If you really care, you have Graphene et al, and even without that stock Android has plenty of well-tested features that enable you to lock down the device further than at stock. And rooting as a pathway to undermine security is a well understood aspect of the threat model.
When significant functionality and backwards compatibility are required and money is limited, I'll happily work for red team; when brick is a valid solution, I will happily work for blue team.
The US carefully developed its cyber security plan during the word press macro era. Let's send the FBI to foreign countries in the hopes of arresting teenagers who learned how to cut and paste, genius.
Unfortunately, it forgets how to do this if the country is Israel instead of the Philippines.
Is there some solution in that to making sure 100% of possible red team members are more aligned with the profit interests of the US' strategic private companies than the US strategic partners in running illegal conspiracies?
I'm baffled as to what utopia of a profession has global tool collaboration and consequences, but somehow manages to deal with 230 groups of nationalists, thousands of sects, and embargoes on any one group paying people across all of these to provide a regulatory framework for safe and human benefiting tools in their category with no edge cases. If such a regulatory framework existed maybe it would shut down these mobile phone companies over behavioral harm?
Personal responsibility is where this starts. Not with the US, not with Israel or the Philippines. It starts with us, the technical people that do these things.
That makes no sense. A whole bunch of Americans won't do anything in this area because the US legal system is whimsical. But some nationalist professor was going to agree to make Stuxnet, and maybe they were right, we certainly aren't going to all get to reach them to debate. So what is achieved?
Would Apple being totally incompetent at security and fighting exploits from NK prison labor, eventually with about the same fail rate, be a better world?
Export control on thoughts didn't work, so total disarmament on thoughts won't work. Prioritize security, cut out some of the entertainment and useless features through regulation because brain candy always wins in an unregulated market.
I'm not in the US. I don't work for Apple. And yet I can guarantee you that my work - assuming I'd be that capable in the first place - is used to reduce the security of various platforms through 'research' that leads to the existence of more zero days. You won't find me on anybody's red team.
So personal responsibility is where it starts and there isn't a fig leaf large enough that would allow you to pretend otherwise.
While I believe selling zero days to NSO group is significantly worse than working for Google or building surveillance capitalism software - we are mercenaries. Like 60% of software work is vehemently anti-middle class. Almost all of us have either contributed to some spying apparatus (analytics platforms), built some automation that replaced several humans, or developed something that contributed to the environmental destruction of our planet.
Let's be clear though, I'm not saying tech is bad. We'd all be doing manual labor on a farm without it. I do think our demographic (including myself) has completely set aside any consideration for our impact in the name of optimization or a fat paycheck.
I'm curious how selling a multi-million dollar 0-day to a shady company actually works in practice. Like how does the seller demonstrate that their exploit works and isn't already in ShadyCo's catalog without giving up how it works (at which point ShadyCo could just not pay them and recreate it)?
Apparently an escrow arrangement is used by some of these companies. You disclose vague details in exchange for an offer, and once you agree, they escrow the money and then you release the artifacts.
Not sure about NSO specifically, but this actually is how it works. If they screw someone over others won't sell their 0-days. Except they don't pay the $2MM up front, they pay out based on a pre-agreed upon lifespan of the exploit.
First you provide a description of the exploit, then you get an estimate, then you have to provide the exploit for vetting and the payout has multiple cliffs similar to equity vesting in a company.
This way you can't sell them an exploit for $2MM and go play Robin Hood by reporting it to the vendor once the check clears.
I just don't understand how they are allowed to do this. I thought we had laws against intruding on systems, hacking, and wiretapping. How can a business do this in the clear and not get stopped by some law enforcement?
You can legally hack and wiretap your own phone, and build tools to do that. It's also legal to sell those tools.
The business is not hacking and wiretapping the phones of the victims. They are selling tools to governments, who either have the legal right to do the hacking under their own laws, or can safely flout their laws.
> You can legally hack and wiretap your own phone, and build tools to do that. It's also legal to sell those tools.
Just because you have a right to do something to your own device doesn't mean you have a right to sell it. It is not a huge stretch of the imagination to see 0-days being classified as munitions and encumbered by ITAR. I've seen open source drone guidance software taken down for similar reservations, and that was far from a weaponized instance.
Ah, reminds me of the days RSA was restricted for export[0]. Coming from Germany with FinFisher[1] having actively circumvented export restrictions it also appears those only help a bit if $$$ is involved.
There are still plenty of laws that are not in compliance with the digital age of the 21st century. Some laws only apply explicitly to hardware or physical or physically connected devices and you cannot extrapolate to get the law to apply from a software standpoint. In some cases even “wireless” hardware such as a cell phone is legally different from a landline. One case is interfering with emergency calls being a felony in California if it’s a landline but a misdemeanor if it’s a cell phone. That may be the basis for the drone thing but I’m just guessing.
I think Apple should randomize data structure ordering, change flags and logic in the memory allocator, and choose a different set of compiler optimizations with every release.
At least that way, most exploits and bugs will at least require an expert to put in substantial effort to update them to work on a new OS release, and many exploits won't be possible at all on a new release - if for example the exploit allows a stack buffer to overrun by 1 byte, then it depends what data follows the buffer - and if the compiler randomizes that, then in the next release it might become non-exploitable.
Is it marginal only for best-in-the-world experts and a serious hurdle for everyone else? If so that's still worthwhile as it means the attacker must hire (or be) an expensive expert.
My understanding is that most of these zero-days are runtime so the above wouldn't help at all. The most recent one took advantage of Apple Wallet taking first dibs on a (virus) image and loading in the payload. Changing data structures/flags/compiler optimizations wouldn't have made a difference.
The process of going from [malicious image which gets loaded by apple wallet] to [shellcode running] depends hugely on compiler flags, memory layout, etc.
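The two comments above (randomizing data structure ordering per release, and exploitability of a one-byte overrun depending on "what data follows the buffer") can be made concrete. The following is an added example, not code from any commenter or from Apple: it takes the same off-by-one copy and runs it against two hand-chosen record layouts, standing in for what a per-release layout change would do automatically. Layout A places a privilege flag directly after a fixed buffer, so the extra byte lands on the flag; layout B moves the flag in front of the buffer and leaves explicit slack after it, so the same extra byte lands on inert bytes. The struct names, the `NAME_LEN` size and the constructed input are all assumptions made for the illustration. The copy goes through a byte pointer into the whole record, so it stays inside the object and is well-defined C rather than undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 8   /* assumed fixed buffer size for the illustration */

/* Layout A: the privilege flag sits directly after the fixed-size buffer. */
struct record_a {
    char name[NAME_LEN];
    uint8_t is_admin;
};

/* Layout B: the flag is moved in front of the buffer and explicit slack
 * follows it, so a one-byte overrun hits inert bytes instead of the flag. */
struct record_b {
    uint8_t is_admin;
    char name[NAME_LEN];
    uint8_t slack[8];
};

/* An off-by-one bound: accepts NAME_LEN + 1 bytes where it should accept
 * at most NAME_LEN. The copy is done through a byte pointer into the whole
 * record, so it never leaves the object; which field the ninth byte lands
 * on is decided purely by the layout. Returns 0 on copy, -1 on rejection. */
static int checked_copy(void *record, size_t name_offset, size_t record_size,
                        const char *src, size_t len)
{
    if (len > NAME_LEN + 1)                 /* bug: should be len > NAME_LEN */
        return -1;
    if (name_offset + len > record_size)    /* keeps the write inside the object */
        return -1;
    memcpy((unsigned char *)record + name_offset, src, len);
    return 0;
}

/* Value of the admin flag after writing `len` bytes into a zeroed record_a,
 * or -1 if the (buggy) bound rejected the input. */
int admin_after_copy_a(const char *src, size_t len)
{
    struct record_a r;
    memset(&r, 0, sizeof r);
    if (checked_copy(&r, offsetof(struct record_a, name), sizeof r, src, len) != 0)
        return -1;
    return r.is_admin;
}

/* Same experiment against layout B. */
int admin_after_copy_b(const char *src, size_t len)
{
    struct record_b r;
    memset(&r, 0, sizeof r);
    if (checked_copy(&r, offsetof(struct record_b, name), sizeof r, src, len) != 0)
        return -1;
    return r.is_admin;
}

/* The fix that does not depend on layout at all: a correct bound. */
int admin_after_copy_fixed(const char *src, size_t len)
{
    struct record_a r;
    memset(&r, 0, sizeof r);
    if (len > NAME_LEN)
        return -1;                          /* rejected; the flag is unreachable */
    memcpy(r.name, src, len);
    return r.is_admin;
}

int main(void)
{
    /* Constructed input: eight name bytes followed by one extra 0x01 byte. */
    const char input[NAME_LEN + 1] = { 'A','A','A','A','A','A','A','A', 0x01 };
    printf("layout A, flag after 9-byte copy: %d\n", admin_after_copy_a(input, sizeof input));
    printf("layout B, flag after 9-byte copy: %d\n", admin_after_copy_b(input, sizeof input));
    printf("correct bound, result:            %d\n", admin_after_copy_fixed(input, sizeof input));
    return 0;
}
```

Layout A reports the flag as 1 after the nine-byte copy, layout B reports 0, and the corrected bound rejects the input outright. That is the whole of the per-release randomization argument: shuffling layouts turns a reliable flag overwrite into a coin toss for a given release, which raises the cost of keeping an exploit working, while a correct bound removes the defect regardless of layout.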
I could very well imagine that NSO charges per device exploited, and charges more for zero-click exploits used.
Each exploited phone raises the chance of the exploit being found and burned, so they really have to incentivize their customers to use them sparingly.
> What are the odds that NSO has like 20 other zero-days in their arsenal each set ready to deploy the day the current vulnerabilities are discovered and patched?
I feel it's the safe money, certainly. One exploit dev in a given year can churn out multiple weaponized 0-days, surely they have more than one dev working on such things, so you're talking about a stockpile of likely dozens of vulns. Some might collide with public vulns so they lose a few, but you knock one down and I have to assume they have others staged.
> Apple is rich enough to increase their bounties large enough to attract them to right side instead?
That's a good question. I think at NSO's price point the answer is probably "no", but I don't know. At best Apple could be competitive, but bug bounty work is far riskier - you might spend a long time without getting a payout, either due to some bad luck, collisions with already reported vulns, or a vendor just being a dick (pretty sure Apple have been dicks).
> what should anyone who even vaguely suspects state sponsored spying do?
Probably have more than one phone, for starters. Use authenticated protocols, not SMS/MMS. It's insane that anyone can just send data to your phone unprompted. I'd probably disable cell service altogether unless I'm actively making an outbound call to a known contact.
The only way Apple could make them report the vulnerability is if the bounty was not far from the amount of profit that NSO is making with their software.
The comment is not suggesting that Apple make the vulnerability attractive to report for the NSO as an organization, but presumably attractive to report for whatever hackers the NSO may purchase vulnerabilities from - or individuals employed by the NSO.
In such a case, Apple "only" needs to make the bounty high enough to significantly exceed the sale price of the vuln, or the salary of aforementioned employees.
For someone who has already sold a vuln to a criminal org like NSO once, I wonder whether they would switch to clean Apple. Perhaps they have more chance of being investigated, or not?
> The only way Apple could make them report the vulnerability is if the bounty was not far from the amount of profit that NSO is making with their software.
At which point it becomes cheaper to buy a law to force disclosure of those 0-days to the vendor?
> Use authenticated protocols, not SMS/MMS. It's insane that anyone can just send data to your phone unprompted. I'd probably disable cell service altogether unless I'm actively making an outbound call to a known contact
I was just listening to Darknet Diaries episode 100 this past weekend and they mentioned an NSO-crafted zero-click vulnerability in WhatsApp that Citizen Lab had detected being exploited.
Though I suppose WhatsApp (anyone with my phone number can message me) wouldn’t qualify as an authenticated protocol.
Why is it on Apple to defend everyone against hackers sponsored by another country to begin with? The governments should be providing any resources necessary to defend here...
Because Apple makes the phones, silly. The iPhone is a 100% proprietary device, we know zilch about what code is running on it. Why should anyone be responsible besides the manufacturer?
Maybe the government should care about the Obamaphone, but not anything beyond that.
If an Israeli hit squad kills someone in a McDonald's, we don't get on McDonald's case for not providing a safe and secure place for their customers. Not putting up a sign when the floor is wet is on them. Assassins are on the government. It's not clear to me why things being different in the software world is so obvious that not seeing why is silly.
Regarding Obamaphone, in the US there is a government agency responsible for such things. The NSA. It's tasked with securing US information infrastructure on top of its more known role of signals intelligence. It just happens to favour the latter over the former so it's not about to share its stockpile of iPhone zero days with Apple.
If McDonald's advertised their hamburgers as especially safe from outside influence and you are assassinated by someone poisoning your McDonald's hamburger, people will probably be upset at McDonald's.
Because that is what they advertised they would do [1].
“Apple makes the most secure mobile devices on the market. Lockdown Mode is a groundbreaking capability that reflects our unwavering commitment to protecting users from even the rarest, most sophisticated attacks,” said Ivan Krstić, Apple’s head of Security Engineering and Architecture.
I mean, we know nobody on their team actually believes Lockdown mode can protect against state funded actors with even a tiny $10M budget since their Lockdown mode total bypass bug bounty is only $2M.
But they did say it in their marketing, so they should be held to it even if we know for a fact that they are totally incapable of doing so. This is not a question of money, it is a question of ability, and we know they do not have that.
Wait, the reward for completely bypassing the most hardcore security measures in their most important device for the most valuable company in the world worth over 3 trillion is a mere 2 million?
That's not an honest proposition by its very definition; just look at the asymmetry of those numbers. A serious offer would add at least 2 zeroes to that.
It is actually reasonably fair, it only costs around $1-2M to find one. You expect Apple to pay $100M for $1M of work?
The real question is why is Apple allowed to lie about providing meaningful protection against state actors when they think it only costs $2M to break it. In no universe is 1/5 the cost of a tank even a road bump for a state actor.
The other question is why is their security so terrible. The short answer is that they demonstrably know nothing about security since this is the most they have been able to do after decades of work, billions of dollars, and repeated promises of meaningful security. When somebody spends billions of dollars and decades failing to achieve even 1/10th of what they promised, you should take any new statements as extraordinary claims and demand extraordinary evidence.
> The real question is why is Apple allowed to lie about providing meaningful protection against state actors
It's not like anyone has been doing any better. Mobile phones are embedded devices targeted to everyday consumers, basically toys. They've never been engineered for anything like meaningful security against even mildly sophisticated attacks. The industry simply doesn't care about this, e.g. most phone SoCs are still not protected against misbehavior by any of the included devices, each of which is running some unknown proprietary firmware. That's just par for the course in the embedded ecosystem.
Why does the quality of any other product matter here?
Apple marketing claims it provides meaningful protection against state actors. Apple engineering says it does not. Even if nobody can do it, even if Apple is closer than anybody else, that does not excuse lying to people who are betting their lives on Apple’s representations that it works.
Apple can not protect against state actors. Apple knows that. If you are at risk, the only safe thing to do is avoid Apple (and all other smartphones). Apple knows that. They lie and insinuate that an iPhone is fit for this task so they can sell a few more iPhones caring not a single bit for the lives at risk. That is grossly unethical. Yet, it is par for the course in “cybersecurity”. That does not make it acceptable, that just means everything is rotten.
> Apple makes the most secure mobile devices on the market.
Well, they're not wrong on that one point. As it turns out, "most secure" is a pretty low bar. We'll see how Purism's Freedom Phone fares once it reaches genuine daily-driver status and it too becomes a target for this class of attacks.
Being open source doesn't mean immune to vulnerabilities. (and Purism's stuff will likely never be 100% open source due to regulatory complications with basebands)
Niche software often fares very poorly in terms of security because few people are trying to exploit it.
Not really. Even with modern technologies, the Linux desktop technology stack is very, very far behind when it comes to security.
The Linux kernel itself is a very weak foundation security-wise, the only way Android and ChromeOS get away with it is by using a very small feature set and restricting everything else as much as possible with seccomp, SELinux and heavy sandboxing.
The Linux desktop userland doesn't have meaningful hardening features compared to other platforms (even Windows is ahead, sadly). For example, practically all distros use glibc's memory allocator which has both poor performance and security [1] and their toolchain is based on gcc, with no support for modern compiler security features such as CFI (with the sole exception of Chimera Linux). Not to mention the permission model is completely outdated, like in that xkcd comic. Flatpak only mitigates this partially, because the Flatpak sandbox is very weak. The people working on Flatpak are doing their best, but from reading some GitHub issues, it's clear they are badly overworked and not security experts. The person responsible for Flatpak's seccomp sandbox has said it isn't even his main responsibility and he doesn't have much knowledge about seccomp and is learning along the way [2]. The Flatpak seccomp filter is based on a denylist rather than an allowlist, and many dangerous syscalls can't be blocked because applications rely on them (e.g. Firefox needs ptrace for the crash reporter). You also have to be very careful and use Flatseal (which is not officially supported) to deny permissions such as /home filesystem access, because it lets Flatpak apps override their own permissions by design [3]. And dangerous kernel components like io_uring are exposed [4], while Google disables them on their systems because of their exploitation potential.
That's the question, though. The NSA is known to have strongly conflicting objectives. On the one hand, they're supposed to secure US government devices and sometimes assist US companies in securing devices. On the other hand, they're supposed to surveil foreign citizens using such devices and the devices of US citizens who communicate with foreign citizens, as well as assisting other US agencies in doing that.
In a nutshell, whether they will increase or subvert your security depends on factors outside of your control. But unless they have found ways of surveilling foreigners without compromising the security of any Apple device, it's almost certain that they won't disclose their own 0-day exploits to Apple.
The US government have already "assisted" plenty. Every assist is a setback. I.e. Snowden's revelations, encryption standard weaknesses, backdoored devices, etc.
No, but that is exactly why Apple might be a little bit reluctant to go for assistance. It's a bit like going to the neighborhood burglar to ask him how to secure your house. "I'll be right over to take a good look at your property" is not the answer you think it is.
That's an absurdly narrow view of the USG security positioning. USG pours billions of dollars into defensive infrastructure through a number of methods.
I didn’t find any mention of Lockdown Mode in the article, which is advertised as something a user in this position could use to decrease their attack surface. I find it surprising journalists covering high-risk stories don’t just all have this on by default. A lot of these no-user-interaction exploits are via vulnerabilities in decoders for images and such that run when a message is received, unless the phone has Lockdown Mode enabled (LM also disables other types of functionality). Has anyone seen evidence of a phone with Lockdown Mode enabled being compromised (not saying it’s impossible, just curious)?
So far there has not been a confirmed Pegasus infection with lockdown mode enabled. It's certainly possible but will require more sophisticated exploits, thus increasing the price per infection.
I will assume that unless the cost per infection is a staggering number, if a "baddie" wants to "get in" they wouldn't be fazed by $50k or $100k.
I assume that the value of the intel collected (contacts, eavesdropping, etc.) would be far more valuable as it would reveal whistleblowers, opposition tactics, contacts, candidates to fall off windows/balconies, candidates to be chopped up, etc.
>Sounds like it’s safer to just not use a phone or try and circle through a series of them you buy second hand or something.
The book Pegasus by Laurent Richard chronicles the challenges the journalists who brought us the Pegasus leaked list with 50k+ targets had to go through. Anyone who has grown cynical to journalism over time will be humbled by the death and terror that journalists endure to challenge regimes like SA or Morocco. Pegasus was on Jamal Khashoggi's and his mistress's (? iirc) phones.
They probably have around 3-10 other zero-click zero days on hand. And if NSO somehow burns all of their in-house production, the vulnerability brokers I know have a couple tens ready for usage in their inventory for a few million dollars each. This is not even private knowledge; the brokers run legal US incorporated businesses that sell to governments, businesses, and the vendors who make the insecure products such as Microsoft and Apple. Apple knows for a fact that they are delivering products with tens to hundreds of known critical security defects.
Apple does not buy out the zero-days for two reasons: First, you can not buy your way to security. Second, the benefits do not outweigh the costs.
For the first point, it is impossible to buy your way to serious security. Apple currently pays a $1M bounty for a zero-click RCE with persistence [1] and $2M to do the same to Lockdown Mode, around the cost of a single Tomahawk cruise missile. They set this price because it takes around 1-3 engineer-years to find such a security defect, so the bounty is approximately the cost of labor. If they paid $10M, around the cost of a single M1 Abrams tank, they would get an absolute flood of new reports since suddenly the ROI is 10x and the number of security defects detectable at the $10M level is vastly more than at the $1M level. However, to deter countries, you need to get to at least the $100M level, the cost of a single F-16. At the few million dollar level there are already tens to hundreds of known security defects, so at the $100M level there are almost certainly thousands to tens of thousands of vulnerabilities. So, to buy their way to protection against state-funded attackers would cost them trillions to tens of trillions of dollars, if it is even possible at all. Note that literally nobody has ever gotten past the few million dollar range using this strategy, or frankly using any strategy when attempting to retrofit a system not designed for security like iOS or Windows.
For the second point, what does Apple gain by buying the zero-days? People keep buying iPhones no matter how many thousands of security defects get reported. All they have to do is make up new bullshit like Lockdown mode and everybody feels warm and fuzzy inside. The company, that has never once made a product within a factor of 100x of what is needed to protect against state-funded attackers, just makes up a marketing spiel about how they are "totally going to do it this time for sure, pay no attention to our record exclusively consisting of hundreds of failures" and everybody eats it up. We know they do not believe their own marketing fluff because they set the bounty for lockdown mode at $2M, only double the $1M for regular iOS, which is still only 1/5 of a single tank. Do you think a single state-funded attacker will be dissuaded by the price of a fractional tank? It costs more money to start a new McDonald's store. All the companies like Apple, Microsoft, Amazon, Google, Cisco, Crowdstrike, etc. need to do is lie and for some reason everybody keeps believing them for the thousandth time and their sales are protected.
Commercial IT systems are completely and utterly insecure against attacks by moderately funded attackers. If you have operations worth more than $1M or are at the risk of targeted attacks, you are completely, 100%, vulnerable no matter what or how many of these systems you use. If that is not acceptable, then you must not use standard commercial IT systems with connectivity. That is, unfortunately, the only solution that currently works. It is up to you if you think the tradeoff is worth it.
A third reason Apple doesn’t increase their bounties: they don’t need to. There is no secure phone on the market. Your only options are insecure phone (iOS, android, whatever) or no phone at all. So while it might be nice to be able to claim that you’re relatively secure, there’s very little to be gained by spending all of the resources required to buy up all exploits.
> Surely whatever money these guys spend buying these zero-days, Apple is rich enough to increase their bounties large enough to attract them to right side instead?
TL;DR, Apple probably doesn't care enough
You're in a very exclusive club if you're targeted by NSO (ie. very few people are victims) and most of the general public probably doesn't understand or care enough to get their pitchforks out.
Personally if I was anywhere near being a possible NSO target I'd dump all my devices or at least have them fully airgapped, the only way you'll win that fight.
> You're in a very exclusive club if you're targeted by NSO (ie. very few people are victims)
That's a dangerous assumption. We only know about the victims who are clueful enough about OPSEC to even be informed about the issue, let alone find out about an attack.
It's hard to make yourself a target to highly qualified subgroups of intelligence people, for reasons rightful or not. Simply committing or conspiring for crimes with e.g. extremist terrorist groups won't do that (not recommending to do so, obviously).
Journalists and political activists seem to manage this feat with comparative ease (as shown by OP, but not only) without even doing anything illegal. There's a meaningful question about who else might end up being targeted, that we wouldn't necessarily know about all that easily.
How do you define illegal here? Because a lot of journalists do illegal stuff from the POV of their country. What is the difference between a journalist/political activist/terrorist? Violence?
> Personally if I was anywhere near being a possible NSO target I'd dump all my devices or at least have them fully airgapped, the only way you'll win that fight.
You still wouldn't win that fight without applying those rules to everyone you come in contact with. And even then, the absence of such data could create a pattern enough to identify parts of your life if they have enough data from people that are not around you.
Escaping surveillance from bad actors is essentially no longer a winnable fight. you can only do your best to mitigate it.
> TL;DR, Apple probably doesn't care enough
> You're in a very exclusive club if you're targeted by NSO (ie. very few people are victims) and most of the general public probably doesn't understand or care enough to get their pitchforks out.
And yet:
(a) Lockdown Mode cost money to develop and will cost support time from casuals turning it on when they shouldn't, but Apple did it anyway, and
(b) the journalists only know this happened because Apple told them proactively.
Someone also cared about programming Minesweeper in Windows. That doesn't mean Microsoft as a company cares even a minuscule amount about it. That someone at Apple cared more than not at all is just as true.
> Surely whatever money these guys spend buying these zero-days, Apple is rich enough to increase their bounties large enough to attract them to right side instead?
Apple is a commercial organisation with a sole purpose of generating profit. And the bounties are at their equilibrium points already (or at least supposed to be).
Apple is rich enough sure, but they will only spend money if this makes Apple even richer.
"Surely whatever money these guys spend buying these zero-days, Apple is rich enough to increase their bounties large enough to attract them to right side instead?"
You assume it's just money and not political ideology or "because I can, when I can."
Almost zero. If China, with 1.5 billion people, unlimited money and lots of motivation, couldn't hack into iOS, then there is no way Israel can do it multiple times... Just think about it...
It would be a lot easier to just believe Apple gave backdoor access to the Israeli intelligence. It would explain why Europe is at their throat recently after Israel sold Pegasus to Morocco, who used it to spy on French journalists and politicians, which led to Morocco recognizing Israel and the US recognizing the Western Sahara and putting an embassy there. Now those waters (between the Canary Islands and Morocco) aren't the EU's but are shared with Morocco aka the US, and it all happened after discovering that mineral-rich mountain (Mount Tropic) that has lots of minerals used in battery manufacturing. That's just my tinfoily theory for the day... I don't believe all of it but I don't disregard that possibility...
my guess, probably lesser.
People carry their phones as an extension of themselves, while cars take us from point A to B.
And most modern cars have a Secure Gateway[1] that is mostly not connected to the internet and only allows limited network access from the connected systems to the rest of the vehicle (engine, powertrain, brakes...),
so the possibility of a remote scaled attack is low IMO.
Reprogramming the navigation to take you to the ambush site or sending your route to Mossad would be valuable. That's without even considering the lethal options like disabling braking, setting lane assist to swerve you into traffic etc.
I’ll admit I always thought ‘Meduza’ was from the Russian /meduza/, meaning jellyfish, but they did indeed mean the Greek Medusa (1):
> Question - why Meduza in particular? That's a slippery, unpleasant creature
> Journalists are generally unpleasant and slippery and there are few who love them - such is the job. Also "Medusa" turns its subject to stone with a glance, which is true of journalists, too. But to be completely honest, we ended up with "Meduza" by chance. We thought the paper should be named after the ancient Greek monster that had its head cut off but came alive anyway. We chose "Meduza" and then remembered that it was a hydra, but it was too late.
The Russian word for jellyfish comes from the Greek myth. In Russian, Medusa is spelled with a Z instead of an S (Медуза). The jellyfish is called such in Russian because the tentacles are similar to Medusa's snakes.
I wonder how Apple decides who to inform and who not to when they detect malware like Pegasus. Good that they did inform the person in question.
However, what if this person was much lower profile? Let's say a person that lives in a democratic country. Does Apple even know who targeted them? If they do, let's say "if its China or Russia" we inform. Then what if China or Russia does the exact same thing but using a paid agent in a democratic country?
This raises so many questions. And finally, if Apple can detect such malware why isn't there an immediate notification from some local app? Like an anti virus for your phone. They must already have something like this, otherwise how would they know?
(Disclaimer: I have no idea how this actually works.) I would guess that running this on-device would be prohibitive and they probably get told accounts and whatnot that are known to have sent the messages, then go in their server logs and check who they reached out to.
Sounds like that would not leave much time for actual journalism. Or room for carrying other equipment. And it would make crossing borders very exciting, explaining all those phones to border control or customs.
Just turn on Lockdown Mode on iOS. It was designed to protect against exactly this. It has been confirmed that if Lockdown Mode had been on, this attack would have failed.
Disable iMessage and don't use iCloud at all, for a belt and suspenders approach.
This probably isn’t a bad idea for an open-source project.
Something akin to Graphene OS where there’s a constant drive to narrow the attack surfaces, but also removing any concessions related to installing apps or Google services entirely.
Basically, a phone that has access to encrypted messaging and the camera/mics under very controlled circumstances and that’s about it.
The restrictions would also limit the popularity enough that it would likely never be worth the cost of targeting, but also provide greater protection to the few people that really need that protection enough to make those sacrifices.
I'd love a phone with a bank of iPhone style mute switches, but each hooked up physically to disable the cellular radio, gps antenna, mic, camera and etc.
An open-source project is actually worse for security because the attacker can just read your source and find the exploits.
Assembly is a pain to understand even with the latest disassemblers. Cut that out and you’re cutting out 90% of the work.
Now sure in theory having it open source means good people will find the exploit. But have you ever found an exploit and reported it? Of course not. Only attackers are motivated to put thousands of hours of work into looking for vulnerabilities. Unless you pay someone to actually put the same work in, it being open source is meaningless.
Not publishing source code demotivates the white hats and "good people" more than the bad actors, IMHO. There's a reason a lot of cryptography-related libraries have open/available source code
> But have you ever found an exploit and reported it?
Yes, actually. It was for a project I had already contributed to, so I was just reading source code and stumbled upon a somewhat critical bug. The main problem there was figuring out how to fix it without breaking API, really.
There's probably a way to quickly detect infection, too: constantly look at all network traffic. It's probably pretty difficult to hide the outgoing traffic when they are pulling all your messages and run frequent screen capture. They will encrypt it, but the volume of data should be impossible to hide.
Even easier if you have your phone stripped down and locked up in the first place, less apps to ever cause outgoing traffic.
> “I’m absolutely shocked we’re seriously discussing that a European state could have done this,” says Ivan Kolpakov, Meduza’s editor-in-chief. “I’m probably naive"
Rather than naive, I think his main problem is that he hasn't investigated, before the discussed event, what the European states actually do in that context. Then he would be just worried, not shocked.
Another possibility is that the "shocked" is the "Casablanca shocked":
> Rick: How can you close me up? On what grounds?
> Captain Renault: I'm shocked, shocked to find that gambling is going on in here!
Is there anything that prevents Pegasus from spreading by itself or must it be installed via a targeted attack? And is there a way of scanning for it to see if a phone is infected?
There is nothing technical that prevents Pegasus from spreading by itself, some of the reportedly involved vulnerabilities could be "wormable", however, there are practical reasons that prevent that - for malware like Pegasus, the operator has an interest to avoid uncontrolled spread, since it relies on certain undiscovered and unpatched vulnerabilities staying undiscovered and unpatched, and uncontrolled spread makes it much more likely to be discovered, analyzed and "killing the goose that lays golden eggs".
So at least for now we'd expect all Pegasus installations to be a result of targeted attacks. On the other hand, if the tool leaks and becomes readily available to multiple actors, then the incentives change and one of them might decide to make a worm that infects everyone in the world who's not patched.
I suspect that it was not because it was hurtful or destructive, but because I chose to use the national currency of Israel as the denomination (instead of dollars, which would actually be disrespectful), and someone that skipped Social Studies, thought it was being "anti-semitic."
Sort of like the paediatrician in the UK who was attacked because some idiot thought the sign outside her office meant she was a paedophile.
There is no self propagation code built into Pegasus.
It would be relatively trivial to write such - simply have it send the exploit via iMessage to all of a target's contacts, rinse and repeat.
This would be counterproductive though - the whole selling point of Pegasus is targeted surveillance, and such exploits are very costly - uncontrolled spreading would make it detected much faster, burning a valuable resource.
If such exploits were cheap, it's plausible you could justify writing a variant that automatically attacks a target's entire address book to mine their social graph, but then you have the problem of analysing a shitload of probably worthless data...
If some hacker gets a clearly infectious Pegasus link they should make it spread through messages to everyone. Bricking everyone’s iPhone will probably make all the governments and Apple sit up and do some real damage to these actors.
Many of the Pegasus attacks are zero-click, so no link is needed. All they need to do is send you a message and you are compromised.
They presumably also configure their command and control to only persist if it is one of the designated targets and wipe all traces if it is not, so even forwarding the attack payload would probably not do anything. You would need to determine you have been compromised and then reverse engineer the exploit so you could replace the command payload with an irreversible bricking operation to do what you suggest.
At that point you might as well spend the $5M-$10M to develop the entire attack yourself. If you are a competitor to Apple spending $10M to completely destroy the $2.7T Apple is literal pocket change; too small to even show up on your financials.
> If you are a competitor to Apple spending $10M to completely destroy the $2.7T Apple is literal pocket change; too small to even show up on your financials.
You're comparing two near completely unrelated numbers here. That's not what enterprise value means; it doesn't mean much of anything really.
It works the usual way -- you make a payload that, when processed by buggy code, executes itself. If the buggy code happens to be the SMS packet parser, image decoder, text rendering, blocklist check or another 2 million things that happen to show you an incoming SMS (or even better, a flash message, or something not visible to the user), then you don't have to click on it.
I mean, if the bug is in the browser, you have to visit the page for the payload to get to you, but it's a phone. A device for other people to contact you.
> make all the governments and Apple sit up and do some real damage to these actors.
International weapons dealing doesn't work that way. Point to any manufacturer of weapons and there's a bunch of people that don't like them. But the countries that benefit from those weapons don't agree.
Seems that the NSO business model is based on ultra exclusivity and a very small number of business clients. Technically, Pegasus could probably retransmit itself to infect another device, but it doesn't fit their business model so I doubt NSO would do this regularly.
Nation states (like KSA) will likely pay very large sums of money to use this against their perceived enemies abroad. A small and exclusive clientele is how a company like this stays out of the limelight.
From what I was able to read previously, it has no ability to spread by itself and has to be installed by a targeted attack. There is also a tool from Amnesty International that can detect it (or was able to): https://github.com/mvt-project/mvt
It is a race though, so past info may no longer be valid. However, I doubt it will ever be able to spread by itself, since it uses very expensive zero days to infect and they will be quickly fixed after detection.
AFAIK, phone numbers are the entry point, it’s the easiest and quickest way to target someone with it, else, it will be more involved to isolate the target, so don’t activate any number on your phone in addition to the lockdown mode, plus the usual security precautions should be in theory enough to protect you, ultimately, don’t use a “smart” phone.
Phone numbers are not targets. Baseband is the big fear vector due to it being a black box, but in reality the apps themselves are being targeted where your phone number is the primary key.
Since the type of exploit Pegasus has been using has recently been seen in the wild, and Apple has had to release more than one security update to address this attack vector, it leads me to believe that not just targeted individuals should enable "lock down mode" on their Apple devices. Although Apple doesn't recommend it, it could be useful if there is a major malware outbreak across the iPhone ecosystem.
> For a brief period, targets that had enabled iOS 16’s Lockdown Mode feature received real-time warnings when PWNYOURHOME exploitation was attempted against their devices. Although NSO Group may have later devised a workaround for this real-time warning, we have not seen PWNYOURHOME successfully used against any devices on which Lockdown Mode is enabled.
Couldn't these attacks be detected with a personal deep packet inspector running at router level, or a simple packet capturer? Another simple solution could be a DIY portable router with an inbuilt DPI or network analyser.
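The idea floated in the two comments above (a phone that is quietly pulling messages and running frequent screen captures has to push a lot of bytes out, and a router-side capture can see that volume even if it cannot see the content) can be turned into a simple egress baseline check. The block below is an added example and is not code from any commenter, from the article, or from any vendor tool; the flow records are constructed for illustration, and the baseline window, the spike factor and the byte threshold are assumptions you would tune for your own device.

```python
"""Flag hours where a phone's upload volume spikes against its own baseline.

Input is a list of outbound flow summaries as a router or a capture tool
could produce them: (flow start time, destination host, bytes sent by the
phone). The check does not look at payloads, so encryption does not hide
the signal; it only compares volume and destinations against a quiet
period that is assumed to be clean.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample flow records (not a real capture): a few hours of
# ordinary mail/chat traffic followed by one hour of bulk upload to a host
# the phone has never talked to before.
SAMPLE_FLOWS = [
    (datetime(2023, 9, 1, 8, 5), "imap.example.net", 120_000),
    (datetime(2023, 9, 1, 8, 40), "chat.example.org", 90_000),
    (datetime(2023, 9, 1, 9, 10), "imap.example.net", 150_000),
    (datetime(2023, 9, 1, 9, 55), "cdn.example.com", 60_000),
    (datetime(2023, 9, 1, 10, 2), "chat.example.org", 110_000),
    (datetime(2023, 9, 1, 11, 30), "imap.example.net", 130_000),
    (datetime(2023, 9, 1, 12, 15), "chat.example.org", 95_000),
    # Suspicious hour: sustained upload to an address seen nowhere else.
    (datetime(2023, 9, 1, 13, 3), "203.0.113.77", 18_000_000),
    (datetime(2023, 9, 1, 13, 41), "203.0.113.77", 22_000_000),
    (datetime(2023, 9, 1, 14, 20), "imap.example.net", 125_000),
]


def hour_of(ts):
    """Truncate a timestamp to the start of its hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def hourly_upload(flows):
    """Sum bytes sent by the phone per clock hour."""
    buckets = defaultdict(int)
    for ts, _dst, nbytes in flows:
        buckets[hour_of(ts)] += nbytes
    return dict(buckets)


def analyze(flows, baseline_hours=5, factor=5.0, min_bytes=1_000_000):
    """Compare later hours against the first `baseline_hours` of data.

    An hour is a spike when its upload exceeds both `factor` times the
    median baseline hour and an absolute floor of `min_bytes` (the floor
    keeps a near-idle baseline from flagging trivial traffic). Separately,
    any destination absent from the baseline window that receives more than
    `min_bytes` in total is reported as an unknown bulk destination.
    The window size, factor and floor are assumed values for this example.
    """
    hourly = hourly_upload(flows)
    hours = sorted(hourly)
    baseline = hours[:baseline_hours]
    if not baseline:
        return {"spike_hours": [], "unknown_bulk_hosts": {}}

    threshold = max(factor * median([hourly[h] for h in baseline]), min_bytes)
    spike_hours = [h for h in hours[baseline_hours:] if hourly[h] > threshold]

    baseline_set = set(baseline)
    known = {dst for ts, dst, _ in flows if hour_of(ts) in baseline_set}
    per_host = defaultdict(int)
    for _ts, dst, nbytes in flows:
        if dst not in known:
            per_host[dst] += nbytes
    unknown_bulk = {d: b for d, b in per_host.items() if b > min_bytes}

    return {"spike_hours": spike_hours, "unknown_bulk_hosts": unknown_bulk}


if __name__ == "__main__":
    report = analyze(SAMPLE_FLOWS)
    for h in report["spike_hours"]:
        print(f"upload spike at {h.isoformat()}")
    for host, nbytes in report["unknown_bulk_hosts"].items():
        print(f"bulk upload to previously unseen host {host}: {nbytes} bytes")
```

Two caveats a practitioner would keep in mind. First, the baseline window has to be clean; if the phone was already compromised when you started capturing, the exfiltration is part of the "normal" median and nothing is flagged. Second, legitimate bulk uploads (a photo sync, a cloud backup after a reboot, a video sent in a chat) will trip the same thresholds, so a hit is a trigger for triage against the destination, not proof of anything by itself.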
I have been wondering if it could be possible to make a honeypot for all the known attacks NSO has been using, and warn the user if any such are detected. I bet some of the attackers try a few exploits before they get in, and might trigger an alert.
If many people had such alerts, it would draw attention to the action.
I am not an expert, but my belief is that Pegasus does not maintain persistence.
While the Wikipedia article claims Pegasus "jailbreaks" the iPhone to maintain persistence, every technical article I've read says that a reboot clears Pegasus (albeit it is easy to re-infect with a no-click exploit without the user's knowledge).
Hopefully, someone more knowledgeable can chime in with citations.
Haven't read about Pegasus, but what you describe is the behavior of bootkits.
Factory reset does not imply that you erase 100% of your permanent storage: some part of it should contain the system programs to restore the system. If these system programs or the clean OS image are modified, then factory reset won't help
I don’t know about the original claim either way, but I would be even more impressed and scared if it survived an iTunes restore (basically a PC reflashes the iPhone’s OS image with an image downloaded from Apple.)
Apple has firmware restore features in ROM. I would also assume (hope?) that there’s a procedure to enter the ROM-based restore that is impossible to intercept in software (maybe holding the power button for 10 seconds initiates a hardware reset into the ROM.)
If you're being targeted with anything like Pegasus (i.e. a state sponsored attack), you should definitely assume that even a factory reset will not fix the issue. It's more about "better safe than sorry" than anything that can be said with certainty, since these attacks may evolve over time.
Apple should use financial means to destroy these companies. Working at these companies should be a black mark on the records of the employees. I won't hire someone who worked at one of these companies. I know probably my own government tries to hack into people's phones, I don't want that either; my govt should not be selling their capabilities to other governments. If we make working at these companies something terrible on someone's jobs record, we might prevent people from going there.
Companies that do these kinds of things are a menace to society, because those tools get used for evil purposes (not just spying on terrorists). Plenty of other governments benefit from using these spy tools themselves, but we all know they fall into the hands of despotic governments like Saudi Arabia and they are used to harass and attempt to control journalists, people advocating against their governments.
What I'd like to see is Apple uses their enormous influence and financial power to sue these companies and drive them out of business. They should financially attack the companies doing this and make it known they will work to destroy them.
Sure. Same logic fits anyone working for anything Snowden revealed too. Previous work at USG/NSO/other places as bad? "Sorry, we don't see you as a good fit in our company".
How would Apple suing the NSO work? They're based out of Israel. I wouldn't imagine Israeli courts are going to let an American megacorp take down one of their biggest industries.
Suing across borders is not a problem at all. It is only an issue if you want to sue someone protected by the state. So, well, yes, in this case it would be allowed as much as if NSO tried the same to a US company.
No, they should just be treated like the criminals that they are. Subject to arrest and prosecution to the full extent of the law should their engineers, managers, executives, owners, and financial backers even think of setting a foot outside Israel.
This will provide decent privacy for most people against casual mass surveillance. But you should not assume that it's anything like sufficient protection against these kinds of state-sponsored attacks.
This is absolutely not enough against targeted attacks. It will be harder to detect you but once they do, Firefox (which Tor is based on) is a lot more vulnerable than Chrome.
Same for Android, the locked bootloader and such can be helpful in this situation.
2 phones. One is used only for hotspot. Second is used only in wifi mode. You take a SIM card that you can obtain without ID. Register Signal, WhatsApp, whatever with a PIN on the second phone. Use Threema. Second phone should be rooted with a very strict firewall. That should make someone sweat if they want to get into the endpoint.
No, they are not selling their software specifically to the Ukraine and Baltic states.
They do sell it to the UK, for example. UK spies are definitely actively working against Russia.
By the way, Pegasus doesn't work against US phone numbers.
Daily reader of Meduza here. They publish consistent and high quality coverage both about headline events in the war as well as odd ramifications of it in Russia and Ukraine. And it doesn’t have the annoying US-centrism of Ukraine coverage that you get elsewhere.
Well, yes and no. Even people who are strongly anti-Russian-regime-oriented told me that they stopped reading Meduza because it's giving info which is extremely one-sided and not objective, like it's propaganda but opposite to the Russian-state one.
They might not be as anti-regime as they like to think. Apart from Meduza, I also read mainstream UK, US, German and Ukrainian media, and Meduza doesn't seem to be more biased than either of those. Their predictions of regime's difficulties seem to be exaggerated (compared to what seems to be happening in reality), but so are predictions of Western media.
Most people are like this for many issues on either side. If your media outlet isn't pouring kool-aid over your personally held belief it's viewed as suspect. Meanwhile your mind quickly discounts obvious contradictions to your held belief.
Popular contradictions today:
It's a human right to dress and act like any sex one chooses. It's evil and horrible to dress and act like a different race.
Global warming is the biggest threat to mankind. Coming into the office is more important.
Flying around the globe to talk down to others who are doing more about global warming earns praise.
> while Russia is responsible for invading, Victoria Nuland was caught red-handed orchestrating the Ukrainian coup/government that precipitated it
Fyi the leaked Nuland call (which I assume is what you're referring to), is of her discussing who they should support after the massive protests started and Yanukovych and his ministers left the country. She did not "orchestrate a coup". At most, it's the US trying to get Ukrainian parliament to pick the interim candidate they want which while is still manipulative, is far from "orchestrating a coup".
The call was leaked on the 4th of February (and apparently recorded on the 28th of January), Yanukovych fled on the 21st. The correct context is that negotiations were ongoing between Yanukovych and the Maidan organisations, with him offering Yatsenyuk the prime minister job on the 25th of January as part of a potential deal to end the protests.
It's a very tired canard to call it a coup, of course, but it's important to be accurate about these details.
Giving her support of a particular candidate is not "orchestrating" any coup. By that logic, the Democratic party giving support to Biden means the Democratic party enacted a coup on the US. Following the law of a country is not a coup.
In order for there to be a coup, there has to be an unlawful seizure of power and that never happened. The president and his ministers left. I assume because the unrest of the people was so massive, he expected there would be a revolution. That would have been a coup, but even giving her support to a particular candidate the revolutionaries put forward, is not her causing a coup. Giving the revolutionaries weapons would be causing a coup. Sparking the revolution would be causing a coup. Getting one part of the government to overthrow the controlling part would be a coup. She did none of those things though (as far as we know).
Facing the reality of having no president and having no line of succession remaining, the Ukrainian parliament selected an interim president for an interim government until a new, full president could be elected and that is what happened.
There's a relatively reasonable timeline of the coup available here. [1] And it was a coup in the most classical definition of the word. The military began refusing to carry out government orders, entire regional police departments were defecting to the protesters, cities were openly refusing to recognize the government, and so on. Had Yanukovych stayed, he would likely have been killed, with or without a Ceaușescu style kangaroo court.
And if you want to see the sparking of the coup, this [2] is a video of John McCain (who was working alongside Nuland) instigating and emboldening the protesters, "America is with you. Europe is with you. The destiny you seek lies in Europe!" At the same time this was happening, Nuland was on the ground with protesters, memed as 'handing out cookies.'
Try to imagine something comparable happening in America. Imagine America was a relatively weak nation, and you had e.g. leading politicians from China out there rallying the protesters in DC, telling them that "China is with you! The destiny you seek lies in China!" That is going to not only dramatically embolden the existing protesters, but also draw out people from everywhere in the country who start thinking 'this could be it.' And indeed it was "it."
I can see how it can be called a coup because of the protesters' violence and arguing that difference is pretty pedantic so I have no problem with that.
The main point I was making was in response to the person confidently claiming Nuland orchestrated the coup. I don't think the call shows evidence of that. They only talk about coordinating their support for a candidate.
> And if you want to see the sparking of the coup, this [2] is a video of John McCain (who was working alongside Nuland) instigating and emboldening the protesters, "America is with you. Europe is with you. The destiny you seek lies in Europe!" At the same time this was happening, Nuland was on the ground with protesters, memed as 'handing out cookies.'
I've seen this mentioned before. While I think it's clear who the US supported in this coup and the US was certainly trying to influence the situation, calling John McCain's speech three months before Yanukovych left, the sparking of the coup, is very disingenuous. That speech didn't cause the coup.
I could definitely see the US actually being behind the coup though. They've shamelessly done it countless times throughout history. It's just nothing out there so far is evidence of it.
The US would not have been on the ground riling up protesters if they thought the protests could organically overthrow their government, which was the US goal. It 'taints' the protesting by making it seem like it's just another US puppet protest. And it also makes a complete mockery of any efforts for us to make claims like 'foreign countries shouldn't interfere in the democratic process of other nations.' There is 0 doubt that Yanukovych was the legitimate democratically elected leader of Ukraine, but because he made interests that were not aligned with those of the US, of course it didn't matter.
Beyond this, I think you're also aware that if the US is sending people like McCain and Nuland to visibly rile up protesters, "we" were also doing far more behind the scenes, to make sure the coup could succeed. The number of protesters involved in the final attack on the Ukrainian Parliament was extremely small, relative to the earlier mass gatherings - numbering about 20,000 people. There was no real reason to think they would win, yet you had cities, police departments, and others openly and overtly defecting to the protesters, the military refusing to carry out orders and so on. That seems extremely unlikely to be organic, because if the protesters had failed to overthrow Yanukovych, which one had every reason to think would be the case, then the defectors would have faced extremely severe consequences, up to and including charges of treason.
Oh there's also another funny little point. When the final charge on the parliament began, riot police managed to successfully scatter the first wave. Many protesters being pursued by riot police managed to evade them by taking shelter in... the Canadian Embassy. It's all about as organic as nuclear waste.
> The US would not have been on the ground riling up protesters if they thought the protests could organically overthrow their government, which was the US goal
The US can show their support for the protesters (if only to get them to think favorably of the US), regardless of whether or not they think the coup will work. It's not evidence they caused the coup.
I agree with the rest of that paragraph up until the last sentence:
> There is 0 doubt that Yanukovych was the legitimate democratically elected leader of Ukraine, but because he made interests that were not aligned with those of the US, of course it didn't matter.
I think the people of Kyiv are the cause of the coup, not the US.
The rest of your comment does not provide good evidence of the US causing the coup. Like I said before, it's clear who the US supported, but none of what you presented is good evidence toward the US causing the coup.
Unless you have evidence of a bribe, staging of protests, blackmail of officials, puppeteering of officials, attempted assassination of officials, government spy, some record of this plot, or some other good evidence along those lines directed toward causing the overthrow of the Ukrainian government, I don't think you can say the Ukrainian coup was orchestrated by the US.
...under threat of lethal violence. Their offices/residences were assaulted soon after they fled. Many people were murdered during the "protests". Is a "coup" really determined by whether the overthrown leader is nimble enough to evade arrest/murder?
> Giving her support of a particular candidate is not "orchestrating" any coup.
Please, let's be real. If Lavrov were caught saying things like "Trump should be President over Desantis. Let's keep Desantis out of government for now. Also let's be discreet about this. Putin is on board." and then all of that actually happened, like Desantis dropped out and endorsed Trump, what do you think the American reaction would be?
Some Americans even believe that something like this happened in 2016 ("Russiagate conspiracy theory"), but there is scant evidence to support it. In reality, Trump was impeached over far less evidence.
We can debate semantics over the preferred definition of coup, but the bottom line is there was extraordinarily blatant foreign interference in Ukraine's democratic process, and the US government clearly played a central role and achieved their goals.
I can see how it can be called a coup because of the protesters' violence and arguing that difference is pretty pedantic so I have no problem with that.
The main point I was making was in response to you confidently claiming Nuland orchestrated the coup. I don't think the call shows evidence of that. They only talk about coordinating their support for a candidate.
> If Lavrov were caught saying things like "Trump should be President over DeSantis. Let's keep DeSantis out of government for now. Also let's be discreet about this. Putin is on board." and then all of that actually happened, like DeSantis dropped out and endorsed Trump, what do you think the American reaction would be?
If DeSantis dropped out because of Putin, it would be Russian influence again but on another level. Going to war level. DeSantis and Trump would be traitors and Russian co-conspirators, but I'm not sure if it would be a coup. Although I'm sure some would say that, the fact he was voted in would remain.
There is something to be said for manipulating the electoral process to a degree where it can't be called democratic, such as the situation in Russia at the moment where Putin's potential electoral opponents are jailed, killed, scared off, or oppressed to the point there is no other viable candidate to choose. So yes, I'd say there is a point where manipulating the democratic process prevents it from being fair and is unlawful and it could be considered a coup in that scenario, but I don't think the US meets that threshold here. Would you call every other leader selection process where the US has given their support for a candidate a coup? I agree it is wrong and shouldn't be done, but do you really think it qualifies as a coup?
The US caused a coup in Panama when it bombed their infrastructure, invaded, and took their leader under arrest. The US caused a coup in Iraq when it invaded. The US caused a coup in Iran when it staged riots, paid off journalists, and paid off generals resulting in a change of leadership. There are many more examples of this, but all that was shown here was Nuland coordinated US support for a candidate. That's not enough.
You said the US orchestrated the coup so confidently and absolutely as if it was another one of these scenarios. It was a call for coordinating and exercising the US' influence on Ukraine. Not a coup though.
> We can debate semantics over the preferred definition of coup, but the bottom line is there was extraordinarily blatant foreign interference in Ukraine's democratic process, and the US government clearly played a central role and achieved their goals.
Unfortunately semantics is where we have gone. The call does not show the US orchestrated any coup. That's a significant mischaracterization. Influenced? Yes. Interfered with? By talking to their politicians, probably. Orchestrated the overthrow of their government? No.
I could definitely see the US actually being behind the coup though. They've shamelessly done it countless times throughout history. It's just nothing out there so far is evidence of it.
> Would you call every other leader selection process where the US has given their support for a candidate a coup?
That's clearly a mischaracterization of what happened in Ukraine. Yes, Washington declared its support for the opposition in Ukraine. It also:
- bragged about spending $5 billion funding the opposition over preceding years.
- participated closely in the Yalta European Solution for decades, which was a forum for Washington power brokers + Ukrainian oligarchs.
- endorsed the overthrow of Yanukovych (i.e. by not demanding his democratic government was restored, which e.g. Washington did in Niger recently).
- and so on
It was a coup. It was primarily achieved through covert action, which by definition avoids yielding smoking guns that would cater to your personal, precise, technical definition of "coup", but given the totality of the circumstances we can only conclude that it was a coup.
> It was a coup. It was primarily achieved through covert action, which by definition avoids yielding smoking guns that would cater to your personal, precise, technical definition of "coup", but given the totality of the circumstances we can only conclude that it was a coup.
What it seems like is that there isn't much evidence or sources. Anyone could claim anything was achieved through primary covert action and has not yielded any smoking guns or real evidence.
I could claim that all the coup hubbub was started by Russia as an attempt to foment a civil war in Ukraine as a pretext for invading, achieved through covert action.
And when that failed they used their 'little green men' to start the civil war instead.
Exactly. There is no real evidence, so we can't conclude one way or another. A lot of people are treating the Nuland call like a smoking gun, but it isn't one.
That call happened around the time when the opposition, the government, the EU and Russia were negotiating the "Agreement on settlement of political crisis in Ukraine"[1].
The gist of the agreement was that the opposition candidate would become prime minister and Yanukovych would remain president until the elections (which didn't materialize because he fled the country).
Note that there was no US at the table. Nuland and Pyatt weren't "orchestrating" anything. In fact, they were frustrated that the US wasn't participating in the talks, hence the "fuck the EU" in that call.
All this leak shows is that US officials were trying to influence negotiations to which they weren't invited.
Most of the world's population that do live in liberal democracies with free press also believes all kinds of conspiracy theories. I doubt you could find a single trustworthy source that could prove any significant difference between the two.
I'd say the US and Russian populations are just as susceptible to conspiracy theories and propaganda, but Russia's propaganda is on another level and much more blatant. Their line seems to be further than the US'.
From my experience living in Russia I would say if you _don't_ believe in conspiracy theories, somewhat in the line of all democratic regimes being fake and secretly ruled by some invisible shadow global government, you are perceived as weirdo and an outlier. That's purely anecdotal of course, I couldn't find any studies that would show the numbers.
Edward Bernays, the father of modern public relations/propaganda, wrote in the 1920s about such flaws of democracy. He directly employed terms similar to "shadow government". He was not a fringe dissident or "conspiracy theorist"; he was an influential member of the establishment, who participated in the overthrow of Latin American governments. You really should read at least the intro of Propaganda (1928). Here are the first three sentences:
> The conscious and intelligent manipulation of the organized habits and opinions of the masses is an important element in democratic society. Those who manipulate this unseen mechanism of society constitute an invisible government which is the true ruling power of our country. We are governed, our minds are molded, our tastes formed, our ideas suggested, largely by men we have never heard of.
This is written by a guy who did that for a living.
Acknowledging the systemic flaws of liberal democracy is not a conspiracy theory. In fact, it is the opposite: it explains the reality of modern democracy in terms of structural factors and incentives. That said, he also describes actual conspiracies e.g. how particular advertisement campaigns operated.
This was well-understood a century ago.
The people who regurgitate what they learn in their state-approved textbooks/movies are more akin to conspiracy theorists; it requires a certain level of fantastical thinking to believe that USA (or RF), on a national level, is a de facto democracy.
There are a lot of actual conspiracies. Many more than conspiracy theories. The only known working process to uncover a conspiracy is to conduct an investigation and then prove the findings in a court.
> e.g. while Russia is responsible for invading, Victoria Nuland was caught red-handed orchestrating the Ukrainian coup/government that precipitated it.
The claim of "orchestrating a coup" is unsupported by evidence, and any both-sidesism does not do justice to the fact that:
a) Ukraine has the right to elect whomever they want to govern their country, despite Russia's preferences to create vassals of its neighbor states
b) Russia has twice invaded Ukraine (as well as other neighbors like Georgia) and thus directly caused hundreds of thousands of deaths on both sides
Between Ukraine and Russia, only one of them is illegally occupying the territory of the other, only one of them is operating torture chambers in the territory of the other, and only one of them has kidnapped more than a million children from the territory of the other. There is no both sides between Russia and Ukraine in terms of guilt.
Israel is doing a great deal to support Ukraine with humanitarian and non-lethal military aid (like helmets) because Iran is on the other side, although you are correct to note that the situation is complicated, largely because of Russia's support for a bloody regime in Syria.
People focused on US actions during the Yanukovych years seem to believe that he himself was legitimate, when there is much evidence that he was corrupt, anti-democratic and supported by Russia:
As for the 15% claim, I would add that a large part of that 15% supporting Ukraine includes countries that share a border with Russia or its vassals, including eastern EU and NATO states, as well as Japan and S. Korea. Those countries have the most skin in the game, and their position and actions in this conflict should be given much greater weight than the rest of the world. It's not a coincidence that they want Russia's wars of expansion to stop in Donbass.
Ask Finland, Poland, Romania, or any of the Baltic states about who they want to win in Ukraine and you will get a very clear answer. Their populations have all been under the Kremlin's yoke or fought a war against Moscow in living memory.
The anglosphere (US/UK/Australia/New Zealand/Canada) + EU is 470 million + 448 million respectively. That's the entirety of the Western world, and less than 12% of the world's population. One of JFK's greatest speeches [1] hit on this point:
"We must face the fact that the United States is neither omnipotent nor omniscient, that we are only six percent [4% now] of the world's population, and that we cannot impose our will upon the other 94 percent of mankind, that we cannot right every wrong or reverse each adversity, and that therefore there cannot be an American solution to every world problem."
The sort of wisdom and pragmatism completely absent from politicians since JFK.
Just because the government of a country considers it politically expedient to treat the situation as morally grey does not mean the population uniformly shares the same opinion.
Vis a vis, just because the government of a country considers it politically expedient to treat the situation as the embodiment of Good vs Evil, does not mean the population uniformly shares the same opinion. In fact, I think this is the case nowhere in the world, including Russia and Ukraine.
Well I mean you can look at what polls do exist, and it's not ambiguous. But I'd also appeal to a logical aspect here. Homogeneous dogmatic thinking, at scale, is not natural - and arguably doesn't exist. Instead it's primarily a product of propaganda and efforts to drive people to self-censor.
Both of these are absolutely rampant in the West at the moment, but not so much in most of the rest of the world (at least not on this topic). People, left to their own devices, are generally pretty awesome. It's only when you introduce self righteousness and propaganda that we turn into unthinking animals. It's no coincidence that self righteousness and propaganda go hand in hand with war.
I'd argue the opposite. Some things, in the moment, are really quite morally obvious — and then propaganda starts doing its work to make them seem more ambiguous than they actually are.
> Both of these are absolutely rampant in the West at the moment, but not so much in most of the rest of the world.
You think propaganda-driven homogeneous dogmatic thinking doesn't exist in China and India...?!
Can you offer any examples? In general, I think you'll immediately run into a relativism problem. What is moral for one person is amoral for another. This is one of the main reasons I think it's safe to say that dogmatic thinking at scale is so unnatural.
As for my comment, I was obviously just referring to this topic.
What's wrong with that? We have moral compasses built in. When someone says that murdering people is OK, because Russia will be great again, should we throw out our moral beliefs and carefully listen to both sides?
This can be applied to literally anybody. I've been reading them for many years (since their editor and most of their journalists were at lenta.ru — which they were thrown out of in ~2015 for daring to criticize the annexation of Crimea). They are not angels, but they have always at least tried to remain impartial and use relatively reliable sources of information. Many (most?) news outlets don't even try.
This is the actual reason why people treat Meduza as parent poster does.
The job of a news source is not to criticize, or not criticize, the annexation of Crimea. They're not a political party. Nobody but their mom really wants to know their private opinion.
The job of a news source is to provide news. All the news and articles Meduza produces follow the same pattern, where they would arrive at a predetermined conclusion regardless of the facts they are discussing, and the train of thought would go from A to B in a reasonably short route. If it's hard to derive the conclusion from some facts, they will skip reporting these where possible. If it's very convenient to derive the conclusion from unproven facts, they will use these eagerly.
Propaganda is annoying to read, especially if you know you will disagree with their conclusion, which you obviously know in advance.
Yes, and I should write bug-free code, and doctors should never make mistakes. If you have any examples of a completely neutral news outlet that never made any blunders, I'd be very interested to know about and follow them. Until then, I see no point in comparing anyone against an unattainable ideal which can only exist in one's imagination. I try to correct for their biases by reading Kremlin propaganda (and US, and Chinese, and some others) and comparing what they are saying. Know of any better ways?
The amount of junk isn't boolean, it matters how much you have to filter. If you can find news with less junk, you can filter them with less effort. And big news are reported by everyone so you can't miss them.
It is the 21st century, and the mainstream way seems to be subscribing to Telegram channels whose vibe resonates with you.
Yes, you will be living in a tiny bubble. But at least you do not get to read propaganda pieces trying to derive prefabricated conclusions out of irrelevant small events. If anything large happens, you are going to hear of it earlier or later.
If you really want balanced coverage, choose a source from the other side which is so blatantly propagandist that you can have good laughs instead of grinding your teeth.
I am reading The Guardian for that purpose.
Perhaps there are better ways to consume your news, but I don't know these.
I think you misread their comment. If you didn't realize, you also misquoted their comment (unless it was edited).
> It is the 21st century, and the mainstream way seems to be subscribing to Telegram channels whose vibe resonates with you.
Yes, you will be living in a tiny bubble.
I believe they mean "the mainstream way" puts you into a tiny bubble, but they go on to say:
> But at least you do not get to read propaganda pieces trying to derive prefabricated conclusions out of irrelevant small events. If anything large happens, you are going to hear of it earlier or later.
Thus, I believe they were advocating for a tiny bubble -- not accusing the previous commenter of being in a tiny bubble.
In many (most?) developed countries, major media sources like newspapers and TV channels are each aligned with a specific political party or a specific political wing. So, their reportage is done through that political lens, and people have historically bought that newspaper because they want issues reported through that lens. It is mainly in American fora where people have this belief that news sources should be neutral.
What I said has nothing to do with the US. Do you think that if the US is wrong in a bunch of unrelated matters, it makes Russia's actions ok?
But even given this... Would you say "Nobody cares what you think about Iraq, except your mother, so don't bother telling me about ..." Yeah it doesn't hold.
> Would you be visiting an news site where every piece gravitates towards the many failings of USA in Iraq?
In the mid 2000s, I pretty much did this, and I don't regret it. It would have been better for the world if the New York Times and Washington Post had leaned a bit more that way.
There are Russians who do just that, and not an insignificant number, but certainly not enough to affect things. They also do not have any plan even if they wanted to try.
Nazi annexation of the Sudetenland objectively happened, and was not undone until the very end of Nazi regime.
Not everybody wants to read how Mr. Hanz from "Der Jellyfisch" thinks that the annexation of Sudetenland is wrong, day after day for a decade. We've got that already from you being in Switzerland, Mr. Hanz.
On the contrary, it must be repeated, when an authoritarian regime conducting a murderous war of conquest of their neighbours promulgates their twisted justifications very loudly, and have entire state bodies devoted to manipulating the press, promoting a message that if left unopposed will become the prevailing narrative, as it has in their home nation.
Head-in-the-sand bullshit neutrality is why Switzerland is a moral toilet. Demanding that journalists be "neutral" is a sliproad to manipulation. These are nothing more than an abandonment of principles.
The public in functioning democracies is most definitely interested in reading opinionated editorial. Representing otherwise is downright obnoxious.
Why more so than when the US destroy Afghanistan or some other place? What makes it worse and more worthy of being repeated because of authoritarianism?
The structural distinction is in domestic accountability to moral standards that limits the scope of action. This highlights the false equivalence (the US did not annex Afghanistan, nor has it attempted a genocide there) that imbues the whataboutism inherent to such questions.
A better comparison would be to the imperialist colonialism of the 17th-19th centuries, as characterised by massacre, dictatorship, annexation, rape, child abduction, and the systematic and intentional destruction of entire cultures. This corresponds much more directly to the multiple Russian invasions of its neighbours in recent decades.
It doesn't matter what word you use: Genocide of X people is not worse than killing X+n in another country while calling it "victims from war on terror". This is not a competition of killing the most (if it were, the US would be in the lead).
The question is why does it matter what kind of government is causing the deaths? Why is it worse if X people are killed by an authoritarian regime than X people killed by a liberal democracy? If your Mother is killed by an authoritarian regime, is it worse than if your mother and child are killed by a democracy?
Instead of throwing whataboutism around, why not answer the question?
You are very obviously avoiding the question and trying to paint something that isn't there. It seems you have some very sore point about the US in Afghanistan? Swap US with France in Afghanistan then. It makes no difference to the question. Why is it worse? Or is it actually not different but the point was from the start to attack between the lines? It reads like someone using weasel words or whataboutism: Writing one thing but clearly trying to convey something completely different.
What's the difference with regards to annexing or not annexing?
You storm into a country, you kill a lot of people, repeatedly, you do not care about these people in the slightest, you bomb weddings for a decade, you put up whatever government that you want there. But at least you did not annex the country, i.e. did not take responsibility for it and its citizens.
You will keep the audience who already agree with you, and often bet on that agreement (for example, by fleeing the country). You will, however, lose the rest of your potential audience by repeating your opinion over and over again. Since they know your position, they do not share it, and they no longer need that information.
Especially as you cannot answer any hard questions about your position, and you could not answer even if you didn't. As a journalist, you cannot really suggest any solutions, since you are not a politician. You can only whine. That gets old pretty fast.
- promote the idea of a ruling class separate from the people
- journalists that publish uncomfortable truths are "whining"
- just give up because no-one is listening
These are neo-Tsarist civics. As before, they form conditions for decay and conflict.
In reality, people have never stopped listening, and never will. They may stop hearing - when voices are intentionally silenced. It follows that a critical and editorial press is the hallmark of democracy.
Russia is an authoritarian state. "Hallmarks of democracy" do not work here and likely never did.
Meduza and their ilk publish the same uncomfortable truth tailored to comparatively small demographics. They fail to deliver their message to a wider audience because they don't understand it, have no message for it and perhaps don't really want to talk to it. That's what I was explaining. The only thing I'm seriously criticizing Meduza for here is their failure as journalists to get better coverage of their ideas. Part of which, their ideas aren't great.
Thank you for the link. It is an interesting read, but it didn't say what you are implying. The article in the link states that 90% of the predictions of one Meduza correspondent were wrong.
This is very different than the entire publication being 90% wrong.
Non-Americans should not, and usually do not, believe either. It's funny when Republicans/Democrats treat either as reputable.
They're politicking 101 made into 24/7 news media panic.
They're both charlatans and peddlers of lies and cheap tricks; they engage in propaganda and employ journalists who seem to believe that they're anything other than foot soldiers to stir up the masses against XYZ.
Everyone knows Fox News is trash, it's laughable when some continue to argue that CNN isn't.
Where XYZ can be anything, depending on which way the wind is blowing, sometimes it's each other, sometimes it's internal to the US, sometimes it's external
They're both plain ragebait. I wouldn't even take their world news seriously, mainly cause it's low quality. We have better options for mainstream news here, even though it's also under control.
what I'm saying is that there are very few sources that don't publish lies or have bents, so we have to do with what we have. Use many sources and triangulate. Some sources are more believable in some areas, less believable in other areas. Some contributors are more believable/truthful than others. It's not all on or off.
Well, again as I stated previously - it is hypocritical and these companies and states should be held accountable. If someone feeds the soil for the next dictator to grow and then all of a sudden there is a political crisis involving said dictator aren't you directly responsible for such crisis?
> these companies and states should be held accountable.
Hold the companies accountable... okay sure. I'll write some letters to my elected officials and federal prosecutors about holding Apple and Google accountable. Just one thing... which laws were they breaking? Or do you propose consumer boycotts of both Google and Apple? If your plan is for everybody to give up their smartphones, your plan is DOA.
Hold the states accountable... What does it mean to hold a sovereign state accountable? Are you going to bend the US Government itself over your knee and spank it? I don't think so. What exactly do you mean by holding the state itself accountable?
The non-reaction to the invasion of Crimea and Donbas in 2014, the non-reaction to breaking numerous "red lines" in Syria or our (=German) continued support for Nord Stream is evidence enough.
there are ~ 190+ countries, each of which is guilty of this "non-reaction" you speak of
russia, of course, is more guilty than all these other countries, because not only are they guilty of the same "non-reaction", but they are guilty of the initial action, too!
> there are ~ 190+ countries, each of which is guilty of this "non-reaction" you speak of
While I agree with you, most of the blame lies on us Europeans here. We knew what a continuation of this war and the constant erosion of basic rules of war would cause (most importantly, a ton of refugees), and yet we did nothing despite us being in a position to help from a military perspective in contrast to most Global South countries. We just let Assad and Russia bomb their own people with chemical weapons and barrel bombs.
We stuck our heads into the desert sand and hoped the storm would pass, and then we had the audacity of letting tens of thousands of people drown in the Mediterranean or on the Turkey-Greece route.
everything you say is true of all 190+ countries: they all knew what a continuation of russia's genocide of Ukraine would cause, and yet each one did nothing despite being capable of sending at least minimal aid to Ukraine, or publicly voicing opposition to russia's genocide of Ukraine
so, again, each of those countries (russia alone more than any other) is equally guilty, be they China, USA, Iran, Canada, North Korea, etc: none had any responsibility to intervene more or less than the others, and EU receives no special blame for russia's genocide of Ukraine
or, more to the point, they are all equally innocent, except for the aggressor, russia, who started the genocide of Ukraine in the first place
> Western states were aiding and abetting Putin's regime up until last years.
> until last years.
Very strange phrasing, that's not idiomatic English. How many years? That should say something like "until last year" or "until X years ago" or "until the last X years".
What is the value of X?
I might presume that you mean the last year, e.g. 2022, but there are some problems with that. You've claimed that western states were assisting Russia, and cited the supposed actions of two American companies. But the American state itself is not those companies, and has been arming and training Ukraine to fight Russia since at least 2014.
I have no idea what US voters/leaders "want Russia to be".
I don't believe EU voters/leaders wanted Putin's international military aggression. I believe they were cowards. They thought cheap Russian gas was the solution to their political (and perhaps personal) problems, and they set aside the potential consequences.
German leaders, in particular, welcomed "trade" with Russia on the basis that if they could entangle Russia in enough mutually-beneficial trading relationships, Russia would never attack Europe with military force. This is what's called Ostpolitik, and perhaps Realpolitik (i.e. "practical politics"). Nowadays it looks much more like "cynical politics"; make hay while the sun shines, and damn the consequences.
It is clear now that the objective of Ostpolitik was not achieved, but the simple alternative (don't trade) does not seem to be obviously better either (Russians would have had even fewer reasons not to invade more). If that Ostpolitik delayed the issues with Russia and gave Ukraine some more time, maybe it was the best of the bad options available.
They still do to some extent. Remember that gas heater you have has to have gas from somewhere. And that somewhere is Russia.
If you consider the recent rulings in the Baltic states blocking vehicles, phones, laptops, et cetera from entering, that is the highest display of hypocrisy. Oil is fine but people with phones are not.
Pegasus is classified as a weapon and Israel is supposed to vet each contract, this has been discussed extensively here. If Russia is not the buyer in this case, then I am curious to hear suggestions about whom they could be instead.