
It's not just the NSO group. Hacking Team is not exactly shy about the services they offer.

https://en.wikipedia.org/wiki/Hacking_Team

FinFisher: https://en.wikipedia.org/wiki/FinFisher

MiniPanzer: https://en.wikipedia.org/wiki/MiniPanzer_and_MegaPanzer




Yeah, there's a cottage industry of security firms who sell exploits to the U.S. government directly or indirectly through big defense contractors. Many, and I personally have assumed _most_ (but without checking), are American firms.

And, frankly, the Israeli industry has much to gain by advertising their prowess in order to bolster their IT security bona fides internationally. American firms are probably more discreet, so tabulating widely published exploits by country of origin wouldn't be a great metric to determine which country is doing the most work crafting exploits.


>the Israeli industry has much to gain by advertising their prowess in order to bolster their IT security bona fides internationally

Absolutely. The Israeli Cybersecurity brand is built partially on such (sometimes unsubstantial) PR.

The bubble is doing well though! Almost 500 startups, > 1Billion$ VC funding in 2018 alone. Devs are happy.


Curious as to why you think it's a bubble. Israeli startups have had many successful exits in recent years, although mostly acquisitions, and not many big flops.


It's just my unsubstantial opinion. Too many players raising too much money in a consolidated market. Bar some notable exceptions (NSO), this herd of misguided lemmings has one way out - acquisition by Checkpoint/Imperva/SalesForce.

But maybe I'm wrong and we'll see 100 Mobileyes in the coming decade.


At the risk of being pedantic- did you by chance mean "unsubstantiated"? :-)

unsubstantiated (adj)- not supported or proven by evidence.

unsubstantial (adj)- lacking material substance


Thanks. Your correction is welcome and not pedantic at all (it's rather substantial). More so as I've repeated this mistake twice.


> it's rather substantial

I see what you did there.


Oh, in case you meant infosec in particular, you might be right, I don't really know much about this industry.


Yes the numbers given above are just for the cyber sector.


Wow! I had no idea there was a whole industry selling spyware to dictatorships. Surveillance equipment, yes, but not actual hacking tools. Really sickening. Must be why governments in Europe are so afraid of Huawei building 5G networks - they will only run Chinese spyware.


Huawei's equipment will almost assuredly run anyone's spyware. Huawei uses a medley of ancient, highly vulnerable OpenSSL libraries sprinkled through their basestation code, and apparently they've forgone any kind of version control to ensure an optimally confusing work environment for their development teams: https://hmgstrategy.com/resource-center/articles/2019/04/04/...

Frankly, these products are likely unmaintainable long term without a total refactoring of the codebase, never mind the abject lack of security.

The trick with these vendors is the codebase will never see serious improvement, as these basestations aren't going to be sold for the next decade, so Huawei will do the bare minimum and shelve support in short order.


Huawei's software development practices seem quite horrifying. Critical systems like these ideally would be written in specially-designed programming languages that support mathematically proving correctness (Coq comes to mind). There's probably still room in the programming language design field to create new languages that are user-friendly but also integrate Coq-like systems plus other verifiability and correctness techniques into the language itself.


If you find that horrifying, don't look at Cisco CVEs ;)


Or Juniper's constant flow of new CVEs, they are a popular alternative to Cisco that many ISPs use heavily :P

Network security is piss poor, most of these vendors add vulnerabilities atop secure distros (OpenWRT, Debian, etc) and flog it as the best thing since sliced bread.


It's not that much different from mercenary outfits like The Company Formerly Known As Blackwater. They offer services to all sorts of unsavory regimes. Hackers for hire are just another iteration on the idea.


No, it is very much dissimilar. Security personnel who work for Blackwater make a conscious decision to do so and are flown overseas to physically enact Blackwater's business decisions. Many (maybe most?) of the people who sell vulnerabilities and (to a lesser extent) exploitation tools to spyware firms are selling through brokers, and aren't directly connected to the ultimate end purpose of their work.

You can say that people who sell vulnerabilities to unaffiliated-seeming, neutral-seeming, innocuous-seeming brokers ought to know better where their work is going to end up, and I suppose that's true, but it's still not the same dynamic as exists with Blackwater.


Normally I agree with you on almost everything in this realm, since, well, it's your field of expertise.

But XE/Blackwater/whatever has plenty of support staff enabling operators overseas. Just because you don't carry an M4 while you cash your check from the organization doesn't mean you aren't helping them in their missions.

If you sell vulns and tools to spyware firms, you know exactly who the most likely high bidders are. It ain't the Bill and Melinda Gates Foundation.


Those people actually work for Blackwater. People who sell vulnerabilities by and large have only a vague idea of their customers. Many exploit developers would, for instance, draw a line between enablement of FVEY national SIGINT and shady spyware shops like NSO, and can rationalize that it's the good guys who are getting their bugs.

I'm not saying that makes it OK (I think the opposite thing, in fact, though I feel like I always need to add the disclaimer that the kinds of bugs that have commercial/operational relevance aren't the kind I develop). I'm saying that the dynamics are different than they are with Blackwater.


I think your mental model of how Blackwater (and other contracting firms) works is off.

The vast majority of employees at these firms work for Aramark, or its equivalent.


If that's the case, I stand corrected, and they're actually pretty similar.


This kind of story in particular sure reads like digital mercenaries to me. It's not quite the same as what Hacking Group does! But a shady corporation hired former NSA hackers and partnered closely with the UAE to the point that the hackers themselves get cold feet because they learn exactly what their consulting was being used for.

I don't know enough about Hacking Group to know how closely they work with the people they sell to.

https://www.reuters.com/investigates/special-report/usa-spyi...


It wouldn't even matter if Huawei doesn’t and has never used their position in infrastructure to conduct spying or surveillance. The very fact that they’re entirely reliant on the Chinese government makes them (and any of their employees on an individual level) vulnerable to Chinese policy needs, now or in the future.


I don't quite understand the Huawei analogy. NSO isn't partnering with Israeli companies to preinstall malware on their stuff. So I don't see how this is an indication that a Chinese version of NSO will partner with Huawei to preinstall malware on Huawei stuff. If NSO can hack American software, then Chinese NSO can hack American software too.


The Israeli military-industrial ELINT industry and C4I people sell stuff to all sorts of authoritarian regimes. Even the ones that the US and UK won't touch.


Based on the Phalcon affair I don't think Israel exports to anyone the US didn't want them to have it, the last time they tried it basically toppled an Israeli government.


Why should a RAN have Internet connection?


IIRC FinFisher was founded by the same guy who created Backtrack (now Kali Linux)?



