
Spyware Maker NSO Group Promises Reform but Keeps Snooping - haasted
https://www.nytimes.com/2019/11/09/technology/nso-group-spyware-india.html
======
catalogia
Members of this organization need to be pursued as criminals. Internal reform
of a criminal organization is a sick joke. They're all accessories to murder;
changes to company policy don't change that.

If their government is intent on protecting them from prosecution, then
extralegal retributive action taken by a competing spy agency could be
suitable payback. Unfortunately that assumes the existence of a competing spy
agency that isn't equally morally bankrupt.

~~~
JumpCrisscross
> _Members of this organization need to be pursued as criminals_

Not sure why this is being downvoted. NSO and its employees willfully
facilitate criminal violations of CFAA, among other laws. (They have received
payment in U.S. dollars, making the question of jurisdiction trivial.)

Given the heinousness of some of the crimes they've aided and abetted, many
against American citizens, most Americans would be on board with arresting
their employees on arrival to America or our allies.

~~~
lawnchair_larry
Providing tools that could be used to violate the CFAA is not the same thing
as violating the CFAA. There are several US companies that do this. There is
nothing illegal about it as long as you don’t sell to countries on sanctions
lists.

~~~
olliej
Knowingly assisting organizations that target human rights activists and
reporters, and assisting the incarceration and murder of those targets makes
you a criminal.

They are criminal accessories to gross human rights violations and murder, and
should be prosecuted as such.

~~~
senderista
At the very least all US internet companies should follow Facebook’s lead and
deplatform their employees.

------
badrabbit
Yes yes, but the supply/demand economics remains so even if you get rid of
them they'll be replaced. Governments and laws not catching up with tech and
being hostile to their own people is creating the demand.

Are exploit brokers like Zerodium exempt from this criticism because they
offload the targeting and execution part to third parties and governments?

~~~
fake-name
Bullshit.

There's a limited pool of talent that can generate something like this. If you
make it sufficiently toxic and/or difficult to work for a company that's involved
with flagrantly violating human rights (like NSO), you'll substantially starve
them of talent.

Worst case, you'll significantly reduce the quality of their exploits. Best
case, it'll be effectively unavailable.

~~~
badrabbit
Ok but where will that talent go? Countries will just get someone else to
start a firm and support it. It's an arms race and you're blaming defense
contractors for supplying arms!

The people with power to be hostile to exploit devs who sell their talent to
the highest bidder are the same people who are bidding for that talent. So
long as NSO group and others don't harm the interests of countries protecting
them they will always be in demand.

If even the entire west punished developing exploits for money a high crime,
at best you give business to Chinese, Russian and Indian companies. At worst,
western devs move to other countries or simply sell exploits illegally without
getting caught...to non-western entities.

The only way to beat this sort of a problem is to compete with demand. But
that means competing against resources of nation states. Perhaps international
treaties to control this arms race would help?

And yes, I know at best there are only a few hundred people with enough
talent, but I bet you there are even less nuclear bomb scientists and you know
how that supply/demand is turning out...

~~~
fake-name
> Ok but where will that talent go?

Presumably to another company where they live, or are comfortable relocating
to.

You seem to continuously be assuming a perfect market, that doesn't exist.

I agree that just blocking this sort of thing from countries that actually
care about human rights won't solve the issue, but stopping a _lot_ of it is
still valuable. Additionally, I don't know if this sort of thing could exist
in some of the countries you name. For China, at least, it sure seems like if
you're good enough at this sort of thing, you get strongarmed into their
existing military infrastructure used for spying on everyone else. I can only
assume Russia is similar. I don't think either of those countries have free
enough markets that an NSO-like company _could_ exist.

India, I don't know enough to comment.

> At worst, western devs move to other countries or simply sell exploits
> illegally without getting caught...to non-western entities.

Do people just up and move to other countries at the drop of the hat? That
requirement alone is going to substantially reduce the number of people doing
this sort of work.

Again, the goal isn't to completely prevent exploit sales (which I agree is
basically impossible), but to reduce the harm. Stomping out these companies
(or having _MUCH_ more aggressive oversight) won't substantially impact the
hosting state's economy, and it will substantially reduce the available
products on the market. I can't see an argument against that.

~~~
badrabbit
Here is where our views diverge: you think reducing volume of supply is
important, I think controlling supply is important.

You think reducing volume means what little supply is available will be used
against high value targets only. In reality, the smaller supply will focus
more on high value exploits which will still be leveraged at the same scale.
Even if that was not true, you still have no control over exploit sales and
use.

Allowing places like NSO and Zerodium to thrive with some control and
restrictions is the best outcome. But really, do we even have lawmakers that
understand any of this or perhaps the NSA/CIA can control them. Normal
security companies have intel community ties, I think that can be achieved here
as well.

------
neonate
[http://archive.is/xrM8p](http://archive.is/xrM8p)

~~~
godelmachine
Thank you kindly _/\\_

------
godelmachine
I never knew the Bhima Koregaon would be such a politically contentious issue
that would compel the government to spy on citizens’ cellphones.

What further surprises me is that this article speaks only about India. Hasn’t
Pegasus been used by other governments too?

[https://en.m.wikipedia.org/wiki/Pegasus_(spyware)](https://en.m.wikipedia.org/wiki/Pegasus_\(spyware\))

------
bronzeage
The funny part is all this publicity and media outrage actually helps NSO.
Their customers and potential customers don't give a damn about human rights,
and being in the spotlight more than competing firms only helps them.

------
ars
Shouldn't we be holding the government of India to account instead of the
toolmaker?

Or is the toolmaker a much easier target? This criticism really seems
misplaced to me.

~~~
Thorrez
Yes, but I think one problem is Facebook doesn't have direct evidence that the
government of India was responsible, so it would be difficult for Facebook to
sue India. Maybe if this lawsuit turns up evidence of who ordered the attacks,
Facebook can then sue India (and the various other governments that attacked
journalists).

------
sol_remmy2
What country is NSO group based in?

------
fortran77
Is it really fair to put all the blame on the toolmaker for finding flaws in
devices that were sold as "secure"?

~~~
nneonneo
Use a $20 flip phone and odds are the baseband is crap enough that you could
be spied on easily by someone using a cell-site simulator. Or, heck, since
those $20 phones usually use 3G or below, the state-level actor you’re up
against will just decrypt all your 3G transmissions directly.

I have to wonder if you’re being serious when you describe the kind of
software NSO produces. It’s software to let _other_ people take control of
hardware you possess. The better analogy would be to the iOS jailbreaking
folks; people aren’t generally mad at them either.

~~~
badrabbit
At least you can easily pull out the battery and assume your text/call is
being monitored. They give you more control and less complexity but you're
right on how they don't add security.

------
eternalban
This is a very interesting trend. The name of the company is "NSO Group" but
there is this peculiar insistence on calling it "NSO" in titles.

Let's try this NYTimes: "Israeli company NSO Group Promises Reform but Keeps
Snooping". That conveys the essential facts at a glance.

~~~
thenewnewguy
Their own website ([https://www.nsogroup.com/](https://www.nsogroup.com/))
calls themselves by the name NSO. Here's a direct quote of the first sentence
on that site:

"NSO creates technology that helps government agencies prevent and investigate
terrorism and crime to save thousands of lives around the globe."

