They're Israelis who also sell to the UAE. Lol.
Say Russia compromises a high ranking ISIS member. The United States could compromise the infrastructure used by the Russians, and collect all the same intelligence. Not only have they gained knowledge about ISIS, they also strategically have a picture into what Russia actually knows.
If you blame the tools, Hacking Team or NSO or whoever disappears into oblivion, and two more spawn to take their place. Meanwhile we build a popular opinion that these things are dangerous and need to be restricted or regulated. Software ends up as the new "burglary tools."
We need to shame the people that would have used any means available to the same ends.
There's a reason this company is charging hundreds of thousands of dollars to target only tens of phones...
I wouldn't downplay the gatekeeper aspect of these companies and the technical investment it takes for non technical governments to do this stuff.
But generally I agree that attempting to control it via the tools is a bad idea, or that merely putting the blame on the tools is missing the bigger picture. Plus limiting zero-day sales will only harm legitimate security research and encourage unrealistic pen testing.
Mexico's government is the primary issue here. They have a serious human rights abuse issue at various layers of government.
But that said, if we're going to try to protect these people from abusive government tactics, since it happens in secrecy and their 'self-regulation' totally fails to stop abuse (even in the US), then there is some value in pushing back against these more sophisticated companies that sell the high-end tools that are harder to detect, since it is a niche market at the moment and a niche, expensive skillset. Unlike guns in the US, which will be everywhere regardless of gun control, since the US is the biggest gun exporter and has the highest gun ownership rate in the world, we can hold these companies to a higher degree of responsibility.
Eventually though it will have to come down to holding the governments responsible and pushing back by protecting our software.
Given that NSO has publicly said they will continue to sell to Mexico despite the clear evidence here that they are not following their stated policy of only targeting cartels, criminals, and terrorists, they are clearly shady as hell and their stated policy is bullshit.
NSO is hardly without fault here. Unlike the AK-47 analogy used in this article, where the weapons are sold once and then the manufacturer loses control of how they're used, this exploitation software needs to be updated with new zero-days, new RAT software for new iOS/Android versions, and support/training staff. NSO has chosen to continue offering these services, so they are just as much liable as far as I'm concerned.
You might be right about not being able to find 0-days that target the latest versions of iOS or Android so easily, but there are dark web markets stuffed with 0-days that target specific versions, or a range of versions. Not sure about pricing, but they're typically cheaper than the exploits that target the latest and greatest.
It's by pure chance that the owner of a device is using an outdated OS on their phone. Others may argue it's not by chance but by design, and that some phones can't upgrade properly and remain locked to a specific version. You know, because governments sometimes demand that phones are deliberately left unpatched so they can do interception or exfiltration on them?
If you are designing, developing, marketing and delivering a tool for surveillance to a government agency, you have a pretty good idea of what it will be used for.
I think you also have a pretty good idea that all governments, to a greater or lesser degree, cheat. They'll pinky-swear to use it only against teh terra, or pedophiles, or drug dealers, or sidewalk-spitters if that gets people's dander up. And then they use it against anyone who threatens the current power arrangement.
So yes, I blame NSO, Hacking Team, and the rest of them. They deserve the blame, because they design, develop, market and sell these things knowing full well the use to which they will be put. They also know these tools will leak and be used by third parties, because that's how this works and they analyze third party malware themselves.
Arms dealers are awful people, no matter whose flag they wave.
Equally blameworthy, but rarely remarked upon, is the practice of selling generic computing infrastructure that you know will be used to build surveillance infrastructure.
I'm proficient with both commercial and open source tools, and in most cases the open source ones are more powerful.
Not saying enabling isn't a shameful act, but it is a slippery slope. As you pointed out, at what point does AWS need to start investigating customer workloads.
Truly, Linus Torvalds is a monster for enabling the NSA.
If I'm against the regulation of software, it's because I don't trust the would-be regulators and deem the effort unrealistic - not because it "isn't dangerous". Software (particularly of the surveillance, de-anonymization, & big-spy-data variety) has an absolutely massive potential for horrific abuse, and hence is unequivocally dangerous both to the individual and free society as a whole.
> We need to shame the people that would have used any means available to the same ends.
Why not both? I don't see why the investors, executives & engineers who make a cushy living off of developing tools that they know will be used to reduce the freedom of others don't also deserve to be shamed. You don't see many talented people flocking to work for big tobacco anymore.
If they were to simply say "we're just selling stuff, and what people do with these tools is none of our business" I'd have a lot more respect for them. But instead, they say this stuff about only selling to governments that promise not to do anything bad. It's a joke.
There is evil, and there is more evil.
I mean just look at the recent NSA leak. It's the same "conspiracy" patterns we've seen for ages.
Hell, the best kept secrets in front of the western world remain the secret cults of Rome. Those sons of bitches knew how to hype a secret. Probably not possible with the internet!
It's honestly the only way to be "sure" if you worry about a manufacturer doing that sort of thing. It won't be perfect, but the odds of someone targeting you for hardware spyware are prettttttttty low. And most manufacturers of computer enthusiast parts know it's suicide to do it mass-market like that.
I don't suppose you think differently, but in general: I think it's worth reminding ourselves that "a government" is made up of multiple people, which may be largely influenced by distinct cliques, whether or not those cliques are within the government. It may be the case that real danger lies predominantly within those cliques.
I wish the New York Times had asked the US Government for a response to this allegation in particular.