To frame it differently: NSO Group sells tools to governments that are apparently trustworthy. Its security and system architecture should be decentralized enough that a list of all targets should be extremely difficult to obtain. If the list is obtainable, then what else is? Are their exploit toolkits just as leakable? Are the internal controls not sufficient to stop these leaks?
How can we continue to allow orgs like NSO Group to exist if they surely can’t keep something like their entire target list safe? Even if we assume all of the targets are legitimate threats (which, again, requires enough suspension of disbelief to hold a small army at this point), why would we want that list leakable? If they’re all the most legitimate targets, then that list is essentially 50k people who can now discover this fact and change their patterns to hide. It’s pretty bad to tip off “all the people who we find important enough to 0-day” if that assumption holds.
Now the real question: I’m not sure I know what we can do, actionably. Call Congress and ask them to care?
I maintain that NSO is just a deniability front for Israel's espionage agencies, otherwise I don't know how they weren't shut down for so long, knowing what kind of a state Israel is.
NSO is well known to the Israeli state; after all, it is their cabinet that clears every deal NSO makes. Per Israeli law, Pegasus is a "weapon".
So yes, the problem is primarily in the political dimension.
There's obviously money to be made from selling offensive cybersecurity tools to governments. And you can hardly blame governments for buying these services in the age of end-to-end encryption in the hands of every criminal and terrorist.
While I definitely don't condone spying on human rights activists, journalists, or even regular citizens for that matter, Pegasus really is a weapon and as such should definitely be heavily regulated.
But as with other types of weapons, the responsibility for its use (or rather misuse) should lie with the weapon's user first and foremost, not the manufacturer. If NSO/HackingTeam were in the business of selling physical weapons to foreign governments, would they have been responsible for a government killing journalists with said weapons? If they were selling to North Korea, sure. But what about the legitimate governments of stable countries not under sanctions?
If they were in the businesses of selling weapons of war and caught instead selling covert weapons with no legitimate use in open warfare to countries that disclose illegal acts of war to them, I think they belong in the Hague being tried for war crimes.
(After that, I suppose they can be referred to human rights courts as a de facto part of each government that had violations. Since they were active participants in the use of the weapon as shown by the phone list, they have no argument that they were not active members of every conspiracy involving their service.)
If they were doing that, I agree.
But these weapons have legitimate uses in law enforcement, and why do you think that the client governments disclose their illegal acts to NSO?
Of course it is the fault of the user of the weapons as well - but UK and USA (to just name a couple more egregious examples) governments quite literally give money to foreign governments in order for them to funnel it directly back into arms deals. These weapons can then be used to destroy hospitals and schools in Yemen. Our governments are financing this loss of life in order to further propel the revolving door.
I see this kind of cyber weaponry as a simple subset of the above complex.
This is exactly my point. I think that NSO should be just as responsible for the outcomes as any other arms manufacturer.
And I'm not waving away the government's responsibilities. Just the opposite - cyber weaponry is equivalent to other types of weaponry and should be treated as such.
This is why I feel that the discussion around NSO itself misses the point. It's like discussing Colt's responsibility whenever a government uses an M-16 to shoot a human rights activist. Colt may be responsible in some cases, but the important question is who bought the weapon and why they used it against that specific target. Also, should the buyer be sanctioned and forbidden from purchasing such weapons in the future?
Going after one perpetrator, building a precedent, seems to have had more lasting effect than going for the abstract.
Don't make the mistake of conflating North Korea with any other state. The people in charge of the intelligence organisations have very similar opinions on the efficacy of these tools no matter where they come from. It's been shown many times that the heads of the relevant agencies in the Five Eyes, let alone the rest of the international intelligence community, aren't very concerned about the legality of their activities.
Two ways to prevent the misuse of this software are 1: ban it and convict those who peddle it, and 2: have independent oversight and transparency over every use of this software: who it's sold to, who it's used on, what its capabilities are.
Unfortunately, I don't see either of these as realistic, so basically we're up shit creek without a paddle.
Should Colt be blamed if a foreign government uses an M-16 to shoot a journalist?
Sales, whether direct or through indirectly supported wink-wink business and other organizational structures, to entities who have well documented cases of abuse -- that's a different matter. If Colt is found doing that, I would definitely find them culpable and guilty.
For NSO, Candiru and their ilk, my belief is that they are in a wink-wink, nudge-nudge relationship with the users of the tools (usually oppressive governments) as well as Israel's intelligence complex (they are the ones clearing the sales).
Can I prove this in a court? No. Does not stop me from forming informed opinions though.
So not only is this a reasonable position, it is the law in several countries, e.g. Heckler&Koch is a German gun manufacturer and has to obey such laws.
One is a multinational corporation with untold influence which hoards exploits for black box software and hardware.
The other is a producer of physical weapons, which are subject to laws to protect civilians - although of course where these laws apply is hypocritical, since the West's weapons have been used to kill many civilians during all the 'peacekeeping' missions by the US (read: interventionism).
Colt? Or NSO? Not clear from the comment…
To me, it's hard to justify why they are not responsible.
You could say the same about a knife though, or a brick.
I think you're underestimating the power of the spyware that is being used today to blackmail and control those in power.
(However, if you do sell a "Throat-cutting knife" for cutting people's throats, and someone buys it and cuts somebody's throat, then hell yes you are responsible for that.)
Interesting thought. I can't find an example in law. I'm not so sure the seller is responsible on any level once sold, even with that murdering tagline. Guns are sold as lethal force and users are fully responsible post sale.
My position is that I don't think we should be making tools designed for killing people.
As a particularly interesting example: Japan has almost no gun crime at all: https://www.bbc.com/news/magazine-38365729
> In 2014 there were just six gun deaths, compared to 33,599 in the US.
Can we push the number of violent criminals to 0? Maybe not, but we could greatly reduce the numbers with more intelligent social policies (in the US or Canada, say). The wild-west mentality and the fact that it has been co-opted by certain political groups actually leads to more crime and more fear (which sells guns and regressive politics).
What if no one lived in a state or neighbourhood so shitty that they felt the need to arm up? What if they had not been indoctrinated since birth with a wild-west mentality that linked gun-ownership to freedom?
The "only criminals will have weapons" argument is a really low-quality surface-level distraction from getting to grips with problems we could actually solve.
But with regards to NSO in particular, there definitely is some linkage, even if it’s not necessarily malicious. According to this Bloomberg columnist (the linked article has further hyperlinks to sources):
> How much of this technology is being developed in the U.S., including by U.S. government agencies, and making its way to illiberal autocrats? NSO’s founders are, according to multiple reports, thought to be alumni of Israel’s signals intelligence division, Unit 8200. And we know — including through the Edward Snowden leak — that the U.S. National Security Agency provides Israeli intelligence “controlled access to advanced U.S. technology and equipment.”
No... no they don't. It's not normal at all.
What a waste of human resources!
There would need to be a server serving the exploit and also collecting the data from the compromised phones. Naturally that server would have a list of the phones it collected from, probably keyed by phone number as that would be the most straightforward identifier.
Also, I assume NSO bills their clients per target.
I am not sure I buy that.
My guess is that NSO's operational corps is made up of young Israelis straight out of the military plus maybe an engineering school. They are trained in systematic hacking and probably have access to a privileged set of exploits provided by the Israeli military and maybe the US. But not much beyond that in terms of engineering skills.
In short, I wouldn’t be surprised if their exploit server and data collection server are maybe built with PHP and MySQL.
Also, how do you sell a service like this? Getting Orban and similar as customers requires quite a bit of a network.
From 2016 but has the core personalities and the partners owning the company.
San Francisco and London based...
Some additional context:
Isn’t this just an assumption at this point? What makes you think those were targets?
> How can we continue to allow orgs like NSO Group to exist if they surely can’t keep something like their entire target list safe?
What exactly is the difference to the NSA leaks from years ago? They couldn’t keep their secrets, allegedly the same as this company.
NSO is a spyware-as-a-service company. How else would they provide that service, if not by having a list of all the phones their clients need spied on?
Or are we debating whether or not that part is even true?
If they are not a SaaS platform, then I would agree with you, but so far everything I've seen claims that they are, so by that nature the customer would have to put their use case data into NSO's platform, would they not?
> On Friday, Fisher claimed to have hacked the bank in 2016 and proposed a "Hacktivist Bug Hunting Program" that would offer bounties of up to $100,000 to those who hacked and dumped documents "in the public interest" from companies such as "South America, Israeli spyware vendor NSO Group, and oil company Halliburton."
They’ll be following the story closely as it unfolds.
The first paragraph of the article broadly mentions an alt scenario. "Or, at least, an enormous trove of documents was leaked to journalists."
They are trying to plausibly deny their bullshit by saying "Ey... look -- weez alsa beenz haxd... we no do dis..."
Yep - nope - fuck this company...
*laughs all the way to the bank with palantir folks.....
More importantly, if you believe that digital-weapons-for-hire are not a good idea, spreading doubt about their reliability is probably more effective than painting those companies as invincible hackers. They made an architectural choice that exposed their clients. Therefore, if you are a prospect for a similar technology, think hard when they present their tools, and challenge decisions that might expose you.
Better: it's good that they have bad security. They aren't in the security business, quite the opposite. It's a company that has found the legal loophole to sell theft-as-a-service. Kind of like banks compared to robbers.
Official manual: https://archive.org/details/nso-pegasus/
Same reason govts shouldn't spy on their citizens: even when you fully believe in your own govt, they can be hacked.
This doesn't show that we need strong privacy protection; this shows that asking for privacy protection isn't enough and goes way beyond privacy protection. Even if you got GDPR in every first world country, NSO will still exist, intelligence gathering will still exist.
Zerodium exists, for God's sake; it's a public-facing company to buy zero days. Even if you got both them and NSO shut down, believe me, other companies will do the exact same, they'll just do it more secretly.
Somehow(!?) it doesn't have any info about NSO Group (or I can't find it), but there are plenty of other dodgy organisations archived there.
Some people will also probably turn up dead, unless they hide or seek asylum.
It's like criticizing a country for not being in the Paris climate accord for their environmental record/refusing to lower emissions - yeah, that's kind of the point.