
Facebook wanted NSO spyware to monitor users, NSO CEO claims - clairity
https://www.vice.com/en_us/article/pke9k9/facebook-wanted-nso-spyware-to-monitor-users
======
cantrevealname
I’d like to suggest a fun project for Apple that might allow them to kill off
this NSO malware: Apple should devote a few engineers to create honeypot
iPhones that they could get into the hands of a few carefully chosen
journalists and dissidents who would then “lose” their phones or allow the
phones to be confiscated by governments or organizations who use NSO software.
The objective is to get a copy of the NSO malware and figure out the
exploit(s) they use.

The honeypot phones would behave exactly like normal phones but save all
incoming data at the lowest protocol layer (whether by wifi, cellular,
Lightning connector, and maybe even in-circuit attempts to reflash firmware)
to hidden internal terabyte microSD storage, which it would later exfiltrate
back to Apple at some point —- perhaps by even having a second hidden cellular
connection. I’m assuming that Apple has all the talent it needs to reverse
engineer and plug the NSO malware once it has an actual copy of the malware.

~~~
georgespencer
> governments

I'm sure you know this, but deliberately committing an act of espionage to
directly or indirectly subvert the activities of government agencies would be
a silly thing for Apple to try to do.

Their dollars are better spent on lobbying (make shit like this illegal), and
engineering (make shit like this literally not work because iPhone is as
secure as it can be).

~~~
ipython
Since when does a foreign government performing espionage give a crap about
the target country’s laws? It’s naive to think some adversary is going to see
“hacking is illegal” and just throw up their hands and say gee whiz I guess
there goes our plans...

~~~
georgespencer
You're making some faulty assumptions about what I'm saying, which means I
probably wasn't clear - sorry.

What I mean is: making software like this for sale to the highest bidder
should not be something a company is able to do legally.

It should be as bizarre as the idea of incorporating a business in the US
specifically, and publicly, to rob banks or commit securities fraud.

~~~
hermitdev
> making software like this for sale to the highest bidder should not be
> something a company is able to do legally.

I disagree. There ahould be nothing inherently illegal about owning, making or
selling such software to an entity that can legally use it. (I would assume
any country employing such software would indemnify there agents using it
against foreign adversaries).

Not that I like it, and as a private citizen, I dont like thw prospect of
being spied on, even though I have nothing to hide.

To stop it, I think you'd need to take a step back into the 90s and early
2000s and classify such programs as munitions and restrict export (not that
all offerings are from US countries).

~~~
georgespencer
> I disagree

Have just read your answer and I totally see your point! I don't agree but
it's definitely a judgement call.

Perhaps this would be a better way of expressing my position (with a few
simplifications of the current situation):

1/ It seems morally wrong for it to be possible for an American company to buy
spyware which exploits security vulnerabilities in another American company's
software. The act of exploiting those vulnerabilities is illegal in the United
States and against the terms of service of the software developer. The outcome
of the exploitation (mass clandestine collection of user data without any
permissioning) is also illegal.

2/ The US government could solve this by making it illegal for US companies to
use the software, outright. They and other nations could also solve or
diminish the issue for foreign nations by precluding private companies within
their jurisdiction from building commercial propositions around these
vulnerabilities. So both a ban on domestic "import" of the product, and a ban
on "export" too.

3/ Clearly government agencies need and will continue to produce and procure
software like this in the same way as they need to produce and procure
military-grade assault weapons, surface-to-air missiles, and stealth bombers.
The production, trafficking, and purchase of these items is highly regulated
and tightly controlled: I cannot simply start manufacturing firearms because I
have the equipment! This regulation is in part a means of preventing
widespread availability of dangerous items getting into the hands of consumers
and bad actors.

4/ At the very least, the same ought to apply here: an infosec company wishing
to auction exploits or sell spyware SaaS should have to be very tightly
regulated by the state, and should be unable to sell any of its products or
services to any domestic or foreign entity without state approval — a QUANGO
of sorts.

------
blakesterz
The original report is from Vice:

[https://www.vice.com/en_us/article/pke9k9/facebook-wanted-
ns...](https://www.vice.com/en_us/article/pke9k9/facebook-wanted-nso-spyware-
to-monitor-users)

"The Facebook representatives stated that Facebook was concerned that its
method for gathering user data through Onavo Protect was less effective on
Apple devices than on Android devices," the court filing reads. "The Facebook
representatives also stated that Facebook wanted to use purported capabilities
of Pegasus to monitor users on Apple devices and were willing to pay for the
ability to monitor Onavo Protect users."

~~~
packetslave
And here's the Facebook response from that same article that you neglected to
include:

"NSO is trying to distract from the facts Facebook and WhatsApp filed in court
over six months ago. Their attempt to avoid responsibility includes inaccurate
representations about both their spyware and a discussion with people who work
at Facebook. Our lawsuit describes how NSO is responsible for attacking over
100 human rights activists and journalists around the world. NSO CEO Shalev
Hulio has admitted his company can attack devices without a user knowing and
he can see who has been targeted with Pegasus. We look forward to proving our
case against NSO in court and seeking accountability for their actions," the
statement from a Facebook spokesperson read.

~~~
mfer
2 notes about the parent. 1) The parent is written by an employee at Facebook
and 2) it does not deny the claim instead redirecting the readers attention.

None of this makes the original claim true or false. I'll be curious to see
what comes to light around that. I just like to notice these subtle things.

~~~
ksk
I work for neither, and the claim itself is vague, as it lacks any technical
facts.

"purported capabilities to monitor users" can mean anything from full on CIA
spy-mode with pema-enabling audio and video and 24/7 recording to logging
their IP address when they visit a website.

~~~
twomoretime
Why should Facebook be doing any of that?

Even the best case outcome is negative here.

~~~
rrix2
[https://en.wikipedia.org/wiki/Onavo#Facebook_Research](https://en.wikipedia.org/wiki/Onavo#Facebook_Research)
this should provide some background; this is the software referenced in TFA.
Facebook bought a massively popular VPN service specifically to monitor their
users' web traffic and app usage.

~~~
stedaniels
If all the users data was going through the VPN, Facebook defacto knows what
the user is doing on the web making that suggestion moot. It's the on device
activity they want.

~~~
rrix2
Yup, and they wanted to shove nation-state malware in to Onavo to do it, it
sounds like!

------
Lammy
You can see how important Onavo was to Facebook by the lengths they were
willing to go to protect it, including the whole "distributing it to teens via
enterprise cert" thing Apple slapped them down for. The data from Onavo is how
they knew what up-and-coming competitors were popular, and allowed Facebook to
buy them out before they could become fully established.

------
georgespencer
Not much surprises me about Facebook any more. The leadership is tone deaf.

~~~
ConsiderCrying
I'm baffled that, even with the horrible rep Facebook has, they somehow
decided to put "from Facebook" splash screens into both WhatsApp and
Instagram. Why? What possible benefit could it have? Most people already know
who owns the services but now anybody who opens the app is faced with it. If
anything, it should just make people reluctant to use the apps, surely.

~~~
brenden2
Many people don't realize that WhatsApp and Instagram are the same thing as
Facebook. Facebook's brand is somewhat tarnished, and they want to polish it
up with Instagram and WhatsApp (which have been less impacted by the bad
press).

~~~
jacobush
I'd say most, at least not until the sticker appeared.

------
MR4D
Facebook should buy Zoom.

Then we only need to hate one company.

------
notRobot
I wish I could stop using WhatsApp. It's the only FB service I use, and I
because everyone else in my life relies on it, I can't just uninstall it and
get away with it :(

~~~
gowld
Play dumb, say WA is broken on your phone, ask then to install Signal to work
around. Use Signal with whoever agrees

~~~
avip
I'm not sure you've followed OP. It could well be the case that his workplace
and school activities are communicated via WA. His "playing dumb" results in
him cut-off from valuable information he actually needs.

~~~
notRobot
This is correct. Most workplaces and educational institutions use WhatsApp to
communicate with employees/students.

~~~
avip
<in my country>

Also in mine, but it's not a global thing.

------
phendrenad2
The good news is this NSO thing appears to only work if it's not everywhere.
If every FB app comes bundled with it, it'll be easy to figure out how it
works in aggregate, and then NSO gets to move into the league of the common
spyware/antivirus cat-and-mouse games.

