
How Spy Tech Firms Let Governments See Everything on a Smartphone - xacaxulu
http://www.nytimes.com/2016/09/03/technology/nso-group-how-spy-tech-firms-let-governments-see-everything-on-a-smartphone.html
======
feelix
I wrote some really effective data recovery software a decade ago. Before I
knew it governments around the world were buying it up in droves. I then got
pushed (not by the governments, but by my partner at the company I had) to
write a special forensics edition, that does a byte-by-byte scan of the source
disk rather than a block-by-block scan, which would extract embedded files out
of a hard disk and basically ensure that nothing would be missed.

That code eventually got a big fancy "forensics" UI wrapped around it with a
bunch of other functionality such as logging the process, and it got sold for
$1k / copy. It would sell upwards of 80 copies at a time in a single batch. It
was very profitable (though I personally did not see much of that profit).

I always felt very uneasy about it and I stopped developing that line of
software even though at this point I could get ~50% of the profit if I were to
continue it. I had no idea what it was actually being used for all of the time
and I had no way to find out. I do know however that some of the time it was
used for good, to catch people distributing child pornography and so forth,
however I don't know what percentage of the time it was used for that kind of
thing, and I'm also aware that that is the justification that is used for a
lot of surveillance. Philosophically I believe in counter-survelliance more
than surveillance, because I'm pro privacy and pro citizen empowerment rather
than the other way around, I think the balance of power has gotten out of
whack as this article nicely illustrates.

~~~
colejohnson66
Just out of curiosity, if you don't mind, what is it called?

~~~
johnchristopher
My money is on test????/photo???.

~~~
johnchristopher
Not that I care for the karma but why is it being downvoted ?

~~~
gaur
As the sister comment says, it's because your comment doesn't make sense. What
does "test????/photo????" mean?

~~~
davb
It's an obfuscated reference to a popular open source data recovery toolset. I
think the parent was trying to avoid potentially "outing" GP against their
wishes, by making a vague reference that some might get.

------
bojo
The moral issue aside, I can't even begin to fathom how their software would
even work. How do you stealth install software to a random phone out in the
wild? Social engineering, or purely technical?

~~~
McKayDavis
The linked NYTimes article references 3 exploits dubbed the "Trident Exploit
Chain" that are detailed in an excellent Lookout / Citizen Lab writeup [1]
discussed on HN 8 days ago [2].

The target is sent an SMS containing a link to site that triggers the explot
chain to remotely jailbreak the phone and clandestinely install the monitoring
software.

Ahmed Mansoor, a UAE journalist, was recently targeted with one of these SMS
messages and was immediately suspicious. Instead of clicking the link he
contacted Citizen Lab researchers who connected it back to NSO group.

[1] [https://citizenlab.org/2016/08/million-dollar-dissident-
ipho...](https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-
day-nso-group-uae/) [2]
[https://news.ycombinator.com/item?id=12360662](https://news.ycombinator.com/item?id=12360662)

~~~
SturgeonsLaw
Anyone else think it's a bit of a joke that a $1M+ bug still relies on the
user clicking a phishing sms to work?

~~~
wepple
I'd suspect there's a disconnect between the group selling/providing the
tools, and the group using them.

A webkit 0day could've been delivered via a watering-hole attack or something
even just a tiny bit more sophisticated (compromise a trusted contacts social
media account, send the link from there) and succeeded.

Whoever put the effort/time/money into developing the exploit chain is likely
pissed off it got burnt via such an amateur delivery.

------
gggggggg
I you were high profile it would be a good reason for a dumb phone or a lesser
known smartphone.

~~~
applecore
The most secure option would be not to carry a mobile phone at all. Otherwise,
iOS is probably the most secure mobile operating system, simply based on the
price of remote exploits: a remote exploit for iOS is worth several times more
($500K-1M) than the equivalent one for Android ($100K-200K).

~~~
awqrre
that seems like a small difference in cost for high value data...

------
jiqiren
Sickening. This company doesn't seem to have even a basic moral compass. Even
when their tools are being used against human rights workers or journalist
they have no qualms.

~~~
andrei_says_
This is the disturbing thing about corporations, profit is their moral
compass.

It takes people with power in the corporate structure to contradict that
default.

~~~
dantheman
No this is the thing about anything involving people, as soon as you have a
group -- the moral .

Governments have done horrible things. Researchers have done horrible things.
Religious Groups have done horrible things. NonProfits have done horrible
things.

It's not about profits.

~~~
damptowel
It's about motivations, or, in bad cases, necessity. About necessities (like
not going bankrupt, or feeding a hungry tribe by claiming the land of your
neighbor, etc) I'm not sure much can be done. But I do think it's about
profits when it comes to corporations. Shareholders are often relatively
passive and in it for the money, they aren't "mission driven" (being the best
at one thing in your industry, spearheading a new way of transportation, etc).
Their field or artisanship isn't their motivation, the profit is.

When you're designing a new engine, you might decide to use 10% more expensive
parts to make it 20% more fuel efficient, but this additional cost might
result in 10% lower sales, so the board decides against it since exhaust is
just an externality. If those people were considered with ecology they might
consider a lower rate of profit but instead take pride in the fact that
they're helping humanity combat global warming while maintaining the standard
of living.

It's easier to rationalize away "bad things" when making money is at the top
of your value scale. I think it resembles the individualism of our age, people
used to be more aware that they were a cog in the machinery of history, no one
thinks like that anymore, it's all "be the best you can be" rather than "be
the best we can be".

~~~
hackuser
> It's easier to rationalize away "bad things" when making money is at the top
> of your value scale.

I agree. The purist free market ideology, for lack of a better term (or maybe
Objectivism?), is a convenient justification for not dealing with difficult
issues. 'The ideology says I can/should only care about money, so I don't need
to worry about all that.' If only life were so simple that we could rely on an
ideology.

------
soufron
Is it me, or is the NYT suggesting that they have been victims of this Pegasus
system?

------
urza
We need protection against governments. They are the mafia of today's world.

~~~
lifeisstillgood
Ironically studies of mafia show that they win by providing government
services to those without. Anarchy is desirable by no one and when government
a not reach then we turn to any strongman to bring order and predictability -
it is the essential definition of government.

Don't blame governments for being mafia, blame us for not forcing them to
behave. We need a public debate on the meaning of privacy and the ownership of
personal computing.

~~~
indymike
There is a school of thought in political science that government is simply
the big, legitimate mafia.

~~~
cryoshon
(responding to the school of thought you are referencing) "might makes right"
school of political realism never made sense for me in a domestic context.

the relationship of the state to the citizen at the citizen's birth is
completely one directional: the state provides infrastructure, security, and
economic activity while expecting nothing in return until much later in a
person's life-- and if the person doesn't ever proffer anything in return to
the state, that doesn't guarantee violence against the individual, nor
exclusion from services.

if the platonic form of a state were that it has to be a mafia of sorts
reliant on the threat of physical force, it'd quickly go extinct for lack of
younger replacements. can't have the young replacing the old if they never
make it to middle age due to a lack of investment and all.

that being said, the current governments of the west do have plenty of
similarities with the various mafias... but in my opinion the issue of runaway
government is a failure mode resulting from particular circumstances rather
than a problem of government in the abstract.

