Hacker News new | past | comments | ask | show | jobs | submit login
NSO Group Hacked (schneier.com)
248 points by thg 9 days ago | hide | past | favorite | 86 comments





I suppose that broadly, the takeaway here (and in all of this) that I’ve missed is that fundamentally, this list of phones that were targeted shouldn’t exist, or shouldn’t be leakable in this way, if we want to believe that NSO Group is targeting the most genuine targets.

To frame it differently: NSO Group sells tools to governments that are apparently trustworthy. Its security and system architecture should be decentralized enough that a list of all targets should be extremely difficult to obtain. If the list is obtainable, then what else is? Are their exploit toolkits just as leakable? Are the internal controls not sufficient to stop these leaks?

How can we continue to allow orgs like NSO Group to exist if they surely can’t keep something like their entire target list safe? Even if we assume of the targets are legitimate threats (which, again, requires enough suspension of disbelief to hold a small army at this point), why would we want that list leakable? If they’re all the most legitimate targets, then that list is essentially 50k people who can now discover this fact and change their patterns to hide. It’s pretty bad to tip off “all the people who we find important enough to 0-day” if that assumption holds.

Now the real question? I’m not sure I know what we can do, actionably. Call Congress and ask them to care?


> Now the real question? I’m not sure I know what we can do, actionably. Call Congress and ask them to care?

I maintain that NSO is just a deniability front for Israel's espionage agencies, otherwise I don't know how they weren't shut down for so long, knowing what kind of a state Israel is.

NSO is well known to the Israeli state, after all it is their cabinet that clears every deal NSO make. Per Israeli laws, pegasus is a "weapon"

So yes, the problem is primarilly in political dimension.


Would you have said the same about HackingTeam [0] and the Italian Government? They were featured on citizen lab a LOT a few of years ago [1]. These guys still operate under the name "Memento Labs".

There's obviously money to be made from selling offensive cybersecurity tools to governments. And you can hardly blame governments for buying these services in the age of end-to-end encryption in the hands of every criminal and terrorist.

While I definitely don't condone spying on human rights activists, journalists, or even regular citizens for that matter, pegasus really is a weapon and as such should definitely be heavily regulated.

But as with other types of weapons, the responsibility for its use (or rather misuse) should lie with the weapon's user first and foremost, not the manufacturer. If NSO/HackingTeam were in the business of selling physical weapons to foreign governments, would they have been responsible for a government killing journalists with said weapons? If they were selling to North Korea, sure. But what about the legitimate governments of stable countries not under sanctions?

[0]: https://en.wikipedia.org/wiki/Hacking_Team

[1]: https://citizenlab.ca/tag/hacking-team/


> If NSO/HackingTeam were in the business of selling physical weapons to foreign governments, would they have been responsible for a government killing journalists with said weapons?

If they were in the businesses of selling weapons of war and caught instead selling covert weapons with no legitimate use in open warfare to countries that disclose illegal acts of war to them, I think they belong in the Hague being tried for war crimes.

(After that, I suppose they can be referred to human rights courts as a defacto part of each government that had violations. Since they were active participants in the use of the weapon as shown by the phone list, they have no argument that they were not active members of every conspiracy involving their service.)


> If they were in the businesses of selling weapons of war and caught instead selling covert weapons with no legitimate use in open warfare to countries that disclose illegal acts of war to them, I think they belong in the Hague being tried for war crimes.

If they were doing that, I agree.

But these weapons have legitimate uses in law enforcement and why do you think that the client government disclose their illegal acts to NSO?


I think you hand wave away the responsibility born by the Governments who regulate, control, and subsidise the arms trade.

Of course it is the fault of the user of the weapons as well - but UK and USA (to just name a couple more egregious examples) governments quite literally give money to foreign governments in order for them to funnel it directly back into arms deals. These weapons can then be used to destroy hospitals and schools in Yemen. Our governments are financing this loss of life in order to further propel the revolving door.

I see this kind of cyber weaponry as a simple subset of the above complex.


> I see this kind of cyber weaponry as a simple subset of the above complex.

This is exactly my point. I think that NSO should be just as responsible for the outcomes as any other arms manufacturer.

And I'm not waving away the government's responsibilities. Just the opposite - cyber weaponry is equivalent to other types of weaponry and should be treated as such.

This is why I feel that the discussion around NSO itself misses the point. It's like discussing Colt's responsibility whenever a government uses an M-16 to shoot a human rights activists. Colt may be responsible in some cases, but the important question is who bought the weapon and why did they use them against that specific target. Also, should the buyer be sanctioned and forbidden from purchasing such weapons in the future.


I agree with your larger claim but possibly differ in how to oppose these forces. Opposition in the abstract does nothing, apart from stoking ivory tower feel good emotions.

Going after one perpetrator, building a precedence, seems to have had more lasting effect than going for the abstract.


You seem to be giving these companies a pass to sell software that can be used to create absolute surveillance states. If this sort of software is available, it needs regulations. The people responsible for the regulation are the exact states that would love to acquire the software. Do you not see the conflict of interest here? (Yes, it's the same for other weapons sales. That's a quagmire of corruption and double standards as well.)

Don't make the mistake of conflating North Korea with any other state. The people in charge of the intelligence organisations have very similar opinions on the efficacy of these tools no matter where they come from. It's been shown many times that the heads of the relevant agencies in the 5 eyes, let alone the rest of the international intelligence community, aren't very concerned about the legality of their activities.

Two ways to prevent the misuse of this software are 1: ban it and convict those who peddle it, and 2: have independent oversight and transparency over every use of this software. Who it's sold to, who it's used on, what it's capabilities are.

Unfortunately, I don't see either of these as realistic, so basically we're up shit creek without a paddle.


> If NSO/HackingTeam were in the business of selling physical weapons to foreign governments, would they have been responsible for a government killing journalists with said weapons?

Yes.


Can you explain your position?

Should Colt be blamed if a foreign government uses an M-16 to shoot a journalist?


My take here is a little nuanced. Simply for manufacturing, perhaps not. Decisions of this kind I would settle case by case, chemical warfare agents, "no", tear gas, may be 'yes' with well laid out legal checks and balances, 'rubber bullets' more checks and balances needed, etc., etc.

Sales, whether direct or through indirectly supported wink-wink business and other organizational structures, to entities who have well documented cases of abuse -- that's a different matter. If Colt is found doing that, I would definitely find them culpable and guilty.

For NSO, Candiru and their ilk, my belief is that they are in a wink-wink, nudge-nudge relationship with the user's of the tools (usually oppressive governments) as well as Israel's intelligence complex (they are the ones clearing the sales).

Can I prove this in a court, no. Does not stop me from forming informed opinions though.


Yes, that is why there are export restrictions on arms deals. In particular, your company is not allowed to sell to those states which are known to use violence against journalists.

So not only is this a reasonable position, it is the law in several countries, e.g. Heckler&Koch is a German gun manufacturer and has to obey such laws.


If colt maintains a list of journalists to be shot, probably.

Those two are not comparable at all.

One is a multinational corporation with untold influence which hoards exploits for black box software and hardware.

The other is a producer of physical weapons, which are subject to laws to protect civilians - although of course where these laws apply is hypocritical, since the West's weapons have been used to kill many civilians during all the 'peacekeeping' missions by the US (read: interventionism).


> One is a multinational corporation with untold influence which hoards exploits for black box software and hardware.

colt? or nso? not clear from the comment…


NSO Group

If anything, that is worse. Colt intentionally made a tool that is only designed for killing people, and it was used to kill someone.

To me, it's hard to justify why they are not responsible.


> Colt intentionally made a tool that is only designed for killing people, and it was used to kill someone.

You could say the same about a knife though, or a brick.

I think you're underestimating the power of the spyware that is being used today to blackmail and control those in power.


A knife or a brick are not (with a few exceptions) tools that are only designed for killing people, so no, I could not say that about them.

(However, if you do sell a "Throat-cutting knife" for cutting people's throats, and someone buys it and cuts somebody's throat, then hell yes you are responsible for that.)


>if you do sell a "Throat-cutting knife" ... you are responsible for that.

Interesting thought. I can't find an example in law. I'm not so sure the seller is responsible on any level once sold, even with that murdering tagline. Guns are sold as lethal force and users are fully responsible post sale.


I am intensely uninterested in what the law says about any of this. I am interested in morality, not legality.

Weapons are designed to intimidate targets into compliants, not necessarily to harm them.

No, they are designed specifically to harm. No part of a handgun is designed to intimidate, but every part of it is designed to kill a person.

Ultimately, the human pulling the trigger is responsible; no matter the sales pitch or law.

Yes.

My position is that I don't think we should be making tools designed for killing people.


I think with the dual-use tools, it's more about the user instead of the inanimate tool itself

This is a utopian fantasy. Humans have been making tools for killing people since we were living in caves.

So only criminals should have weapons? Who will stop the criminals, without weapons?

Yes, only criminals and police. And black market weapons are expensive, so they are also very hard to get for criminals. This works very well in many, many other countries.

As a particularly interesting example: Japan has almost no gun crime at all: https://www.bbc.com/news/magazine-38365729

> In 2014 there were just six gun deaths, compared to 33,599 in the US.


Why do we have violent criminals? Also, there actually aren't that many versus say gun sales.

Can we push the number of violent criminals to 0? Maybe not, but we could greatly reduce the numbers with more intelligent social policies (in the US or Canada, say). The wild-west mentally and the fact that it has been co-opted by certain political groups actually leads to more crime and more fear (which sells guns and regressive politics).

What if no one lived in a state or neighbourhood so shitty that they felt the need to arm up? What if they had not been indoctrinated since birth with a wild-west mentality that linked gun-ownership to freedom?

The "only criminals will have weapons" argument is a really low-quality surface-level distraction from getting to grips with problems we could actually solve.


Where would the criminals get them, if they are not made?

“Deniability front” might be a bit harsh, but revolving doors between government and private sector exist all over the world. Ignoring NSO for a moment, in general they are not always malicious.

But with regards to NSO in particular, there definitely is some linkage, even if it’s not necessarily malicious. According to this Bloomberg columnist[1], (linked article has further hyperlinks to sources)

> How much of this technology is being developed in the U.S., including by U.S. government agencies, and making its way to illiberal autocrats? NSO’s founders are, according to multiple reports, thought to be alumni of Israel’s signals intelligence division, Unit 8200. And we know — including through the Edward Snowden leak — that the U.S. National Security Agency provides Israeli intelligence “controlled access to advanced U.S. technology and equipment.”

[1] https://www.bloomberg.com/opinion/articles/2021-07-19/pegasu...


> but revolving doors between government and private sector exist all over the world.

No... no they don't. It's not normal at all.


What do you mean? Should you be denied a job in the government after working in the private sector and vice versa?

In most countries, you simply wouldn't qualify for a job in government if you've spent a career working in the private sector. Civil servants are... civil servants.

Never heard about it. Can you name a few?

What a waste of human resources!


Most commonwealth countries.

I agree with these statements. Although I do not understand why this is not making any nosie internationally? NSO (ergo the supporting state) seems to be stealing data from EU leaders as well. Is this mean we have many NSO like companies out there that we do not know about and each country has one and everyone knows about these? Does anyone know what is the Swedish NSO?

No evidence of that yet. Their numbers were in the list, but hasn't been confirmed yet whether Pegasus was installed.

A very believable hypothesis. NSO is also not the only one of this kind, Candiru is another.

That looks reasonable. The NSO Group malware perform active attacks. By creating this front (the NSO Group) that is supposed to have private customers, they can put in their own targets and have some form of deniability.

It makes perfect sense to me that there would exists a centralized list inside the company of the people being targeted.

There would need to a server serving the exploit and also collecting the data from the comprised phones. Naturally that server would have a list of the phones it collected from, probably keyed by phone number as that would be the most straightforward identifier.

Also I assume nso bills their clients pr. target.


Implicit assumption here is that these super hackers would also have super security.

I am not sure I buy that.

My guess is that NSO operational corpse is made up of young young Israelis straight out of the military plus maybe an engineering school. They are trained in systematic hacking and probably have access to a privileged set of exploits provided by the Israeli military and maybe the US. But not much beyond that in terms of engineering skills.

In short I wouldn’t be surprised if their exploit server and data collection server is maybe with php and mysql.

Also. How do you sell a service like this? Getting Orban and similar as customers. Requires quite a bit of a network.


"Everything We Know About NSO Group"

https://www.forbes.com/sites/thomasbrewster/2016/08/25/every...

From 2016 but has the core personalities and the partners owning the company.

San Francisco and London based...

Some additional context: https://www.bloomberg.com/news/features/2021-01-26/private-e...


> this list of phones that were targeted

isn’t this just an assumption at this point? what makes you think those were targets?

> How can we continue to allow orgs like NSO Group to exist if they surely can’t keep something like their entire target list safe?

what exactly is the difference to the NSA leaks from years ago? they couldn’t keep their secrets, allegedly same as this company.


I don't think anyone should have the authority to "allow" or "disallow" such companies to exist.

I can't imagine that there's a "list of targeted phones." Either this alleged "leak" is nonsense, or it's some unrelated collection of data.

Can you expand on why you find this unimaginable?

NSO is a spyware-as-a-service company. How else would they provide that service, if not by having a list of all the phones their clients need spied on?


Because the customers who use NSO’s forensic tools aren’t going to share their use cases with NSO without a good reason.

They are a SaaS platform.

Or are we debating whether or not that part is even true?

If they are not a SaaS platform, then I would agree with you, but so far everything I've seen claims that they are, so by that nature the customer would have to put their use case data into NSO's platform, would they not?


The "hacked" part is only an assumption, isn't it? The leaked information could also come from, say, a whistleblower. An employee that suddenly developed a sense of ethics.

Seems like there was a $100,000 bounty on hacking them:

> On Friday, Fisher claimed to have hacked the bank in 2016 and proposed a "Hacktivist Bug Hunting Program" that would offer bounties of up to $100,000 to those who hacked and dumped documents "in the public interest" from companies such as "South America, Israeli spyware vendor NSO Group, and oil company Halliburton."

https://boingboing.net/2019/11/19/2tb-and-counting.html


I had assumed a whistleblower until now. The worry with them being hacked is their tools leaking to public domain. If they do I hope Apple et al can plug the vectors

One unnamed company is still struggling to secure a print spooler after most of a month. I don't have the optimism you do.

I think Apple have been trying to secure iMessage for nearly as long !

They’ll be following the story closely as it unfolds.


I think apple have added a much more restricted sandbox for iMessage in the past few releases

Yes [1] but it’s been proven to be ineffective for its intended purpose in these recent revelations.

[1] https://googleprojectzero.blogspot.com/2021/01/a-look-at-ime...


>only an assumption... leaked information could also come from...

The first paragraph of the article broadly mentions an alt scenario. "Or, at least, an enormous trove of documents was leaked to journalists."


Yeah… the press loves the term “hacked”. Remember when Voicemail PIN guessing was “phone hacking”?

"hacked" is a distraction - you think that NSO is going to be "hacked" without a honeypot - or some other "thing" as to make them look weak?

Nope.

They are trying to plausibly deny their bullshit by saying "Ey... look -- weez alsa beenz haxd... we no do dis..."

Yep - nope - fuck this company...

*laughs all the way to the bank with palantir folks.....


I understand that the title makes an assumption that the first paragraph has to walk away from in its last sentence, but I appreciate Schneier’s nuance when framing the question. The spying isn’t new. The list is probably broader than many people assumed, but the real news is that NSO own security isn’t great.

More importantly, if you believe that digital-weapons-for-hire are not a good idea, spreading doubt about their reliability is probably more effective than painting those companies as invincible hackers. They made an architectural choice that exposed their clients. Therefore, if you are a prospect for a similar technology, think hard when they present their tools, and challenge decisions that might expose you.


> that NSO own security isn’t great

Better. it s good that they have bad security. they arent in the security business, quite the opposite. It's a company that has found the legal loophole to sell theft-as-a-service. Kind of like banks compared to robbers.



This interesting analysis was written in 2016. Is there a more recent version ?

Right here is another argument in favor of string privacy protection. Even if NSO was a righteous and holy actor (spoiler: it's not), they can be hacked any time and now that data is public.

Same reason govts shouldn't spy on their citizens: even when you fully believe in your own govt, they can be hacked.


Same reason why encryption shouldn't be weakened or backdoored ("think of the children / terrorists!"); if there's a weakness or backdoor, someone that shouldn't will find and exploit it. Or it'll leak from the one point that can decrypt it.

> Right here is another argument in favor of string privacy protection. Even if NSO was a righteous and holy actor (spoiler: it's not), they can be hacked any time and now that data is public.

This doesn't show that we need strong privacy protection, this show that asking for privacy protection isn't enough and goes way beyond privacy protection. Even if you got GDPR in every first world country, NSO will still exist, intelligence gathering will still exist.

Zerodium exist for god sake, it's a public facing company to buy zero days. Even if you got both them and NSO shut down, believe me, others companies will do the exact same, they'll just do it more secretly.


If I were a similarly acronym’ed three letter intelligence agency that wanted to shut down a private sector competitor, this is exactly what I would do.

Let them destroy each other then.

The iOS tool scans a backup, but the Android tool "check-for-infection tool" checks for messages pointing to NSO domains. I recently got a strange massage, is this list public?


My first reaction to this was that all would need mobile phones with physical off switches for camera/microphone and internet but even such swtiches do not protect against such advanced spy operations. I think such software should be treated like weapons of war for which there are international regulations and obervations

Hardware kill switches do protect from spying whenever they are off. How can they not? Librem 5 phone has them.

Too bad it didn’t include the list of employees.

After Snowden leaked the documents a group of voluneers created a project to watch the watchers. They started scraping data from public profiles, social media, job offers etc. They were harassed for it, project was taken under wikileaks umbrella, it's not much maintained anymore.

Somehow(!?) it doesn't have any info about NSO Group (or I can't find it), but there are plenty other doggy organisations archived there

https://icwatch.wikileaks.org/

https://www.youtube.com/watch?v=xipI-0HU010


What a shame /s

Is there any good explanation of what that list actually is and where it came from?

Yeah, well, not really happy about this, because the goal was probably to delete traces of involvement and clients.

Some people will also probably turn up dead, unless they hide or seek asylum.


time to shut down this company.

Live by the hack, die by the hack, i suppose.

So how do we defend the defenseless?

You could start by not funding an expansionist apartheid state?

and a nuclear power who didn't sign the Treaty on the Non-Proliferation of Nuclear Weapons...

Why is that worse than a nuclear power who did, and contravened it? Not sure why you think countries should be bound by treaties they didn't sign.

Because the treaty exists to prevent the very thing Israel did - covert nuclear arms development and covert sharing of know-how ( like Israel probably did with Apartheid South Africa).

It's like criticizing a country for not being in the Paris climate accord for their environmental record/refusing to lower emissions - yeah, that's kind of the the point.




Applications are open for YC Winter 2022

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: