"In October 2018 Citizen Lab reported on the use of NSO software to spy on the inner circle of Jamal Khashoggi just before his murder. Citizen Lab's October report stated, with high confidence, that NSO's Pegasus had been placed on the iPhone of Saudi dissident Omar Abdulaziz, one of Khashoggi's confidantes, months before. Abdulaziz stated that the software revealed Khashoggi's "private criticisms of the Saudi royal family," which according to Abdulaziz "played a major role" in Khashoggi's death. In December 2018, a New York Times investigation concluded that Pegasus software played a role in the Khashoggi's murder, with a friend of Khashoggi stating in a filing that Saudi authorities had used the Israeli-made software to spy on the dissident. NSO CEO Shalev Hulio stated that the company had not been involved in the "terrible murder", but declined to comment on reports that he had personally traveled to the Saudi capital Riyadh for a $55 million Pegasus sale.
In June 2020, an investigation by Amnesty International alleged that Moroccan journalist Omar Radi was targeted by the Moroccan government using the Israeli spyware Pegasus. The rights group claimed that the journalist was targeted three times and spied on after his device was infected with an NSO tool. Meanwhile, Amnesty also claimed that the attack came after the NSO group updated their policy in September 2019."
Well I'm reassured by NSO group's statements and their totally existing moral compass lol.
If we treat corporations like persons, they should be judged and sentenced as persons. Including restructuring of malformed processes and life-time-imprisonment for anti-social behaviour
I’m all in favor of the corporate death penalty.
Originally corporations were chartered under authority of the king for a limited time, typically 20 to 30 years, so great was the mistrust in them.
1. As you note: They are made up of people, usually only a few with the ultimate power. Whatever the legal or organizational structures, human morality is inherited from the decision makers.
2. But also: Aside from the individuals, decision making structures within any organization (or mechanism for that matter) can be set up to align with morality or not. I.e. incentives, metrics, business model alignment, transparency, codes of conduct, etc., can all have significant moral implications.
For instance, governments can be designed to be more or less moral. I.e. democracy vs. autocracy.
Humans are not a special moral creation. We would not be surprised by aliens with a moral component, even if they are built very differently than us. Look inside a human and you will also find non- or sub-moral components whose configuration enables moral, immoral, or amoral behavior.
How many commercial business corporate entities are explicitly structured with a moral focus as their principal organising principle?
Would that even stand up under corporate law in most jurisdictions (e.g., Delaware, where the state supreme court has pretty much upheld the Friedman "shareholder value" mistake)?
Because that's what really matters here.
I don't follow your final paragraph. Are you arguing that humans are not moral, or that morality isn't a strictly human phenomenon? I'd disagree with the first, generally, and agree with the second. For the second, experiments with animals show innate senses of "fair" and "unfair" as well as group alignment of behaviours, which may not be a moral code, though they seem to me the evolutionary basis of one.
I don't think a "moral focus as their principal organizing principle" is necessary for a moral corporation any more than I think it is necessary for a moral human.
It's enough that a company's structure, whether implicitly or explicitly, aligns itself with the long term good for all stakeholders, i.e. the greater good. As opposed to aligning with short term or short sighted good at the expense of long term and wider focused good.
After all, some "good" people are just expressing their personality as it naturally developed. Others are intentionally expressing principles they spent years considering. Is one type of "good" person better than the other?
And of course the opposite: Some seemingly evil people are acting on the only instincts they seem to have, while others are well aware of the damage they do. Both people might have the same IQ, access to situational awareness, etc., so we are likely to judge both the same, but their actions can come from very different places internally.
Morality is clearest at the behavioral level of a system or human. Less clear the deeper into the internal causes one looks.
A structure of a firm does not NECESSARILY align with all stakeholders.
That doesn't mean that there are not firms designed by their founders and leaders to be more moral than that.
Moreover, if you're going to engage in moral indignation -- we can't possibly be responsible for what our customers do!!! -- then you can't end with a paragraph about how you're a league of superheroes saving the world from all its evils. I completely believe Pegasus has the ability to help with a kidnapping case, but if they want an ounce of credit for it then they need to take responsibility for egregious abuses.
You reap what you sow. Hope the victims of Pegasus sue these people into oblivion, especially Khashoggi's widows.
And by the way, anyone who does public communications also has a moral obligation to consider whether their copy text engages in reputation laundering. The person who wrote this sounds stressed and demoralized, and that's a good thing. I hope this is the worst job they ever have in their life, and that they quit as soon as possible because of the misery they're going through.
This is an abdication of responsibility and I agree the substance and tone of the response from them is really bad.
Just because you don't have direct customer data access does not mean that you don't hold some responsibility for how the tools you sell can and will be used. This is especially the case when you sell zero day security exploits in very high risk use cases.
This response suggests the culture on the inside is probably as bad as it looks from the outside. Based on this, I'd guess abuse of their tools is a lot worse than what's publicly known.
A serious company operating in a high risk space would lead the messaging with and own the high risk issue directly and how they try to contain it in order to do pragmatic good in difficult areas. Instead we see a childish almost petulant, knee-jerk response that the bad things are 'not their fault' because they're just a software company.
These guys are just rationalizing their own bad behavior.
They’re selling this software to literal tyrants. They knew full well what this would be used for.
> "The list is not a list of targets or potential targets of Pegasus.
> "The numbers in the list are not related to NSO group.
> "Any claim that a name in the list is necessarily related to a Pegasus target or Pegasus potential target is erroneous and false.
> "NSO is a technology company. We do not operate the system, nor do we have access to the data of our customers, yet they are obligated to provide us with such information under investigations."
My read of this is it's the kind of carefully worded intel-like response, basically saying the people targeted are not Pegasus(tm) targets because Pegasus is the name of the product and it 'technically' doesn't do the targeting on its own, the customers do the targeting - therefore not our fault and not related to us, we just sell software. (Even though the customers used NSO software to do the targeting, sold to them by NSO).
They are abdicating responsibility for the list, which doesn't seem unreasonable since the Pegasus Project has been pretty explicit that they don't know where the list came from, who put it together, or why any particular entry was put into the list. The Pegasus Project guys have already walked back their statement that the list is phones that have been targeted by Pegasus, so...
It very much sounds like someone found some HLR logs and then failed to determine whether that list was specific to Pegasus or not. It seems very unlikely that there'd be HLR logs that would be specific to Pegasus somewhere, so I'm not sure how anyone could expect them to take responsibility for such a list.
This blog post comes across very defensive, somewhat clueless, doesn't inspire confidence.
I get why they'd not want to engage with the media (media writers are often useless at best, if not actively/intentionally harmful with regard to this kind of technical nuance), but that's no excuse for the response they have here. If they were going to go direct they should have done it right.
For the curious, their report: https://www.nsogroup.com/wp-content/uploads/2021/06/ReportBo...
I think a skilled and experienced PR professional could have maybe navigated this successfully, but I've seen plenty of them fail in less difficult contexts than this.
Capitalism is often touted as an "engine of wealth generation", but what is in fact measured in financial reports and national GDP accounts is not wealth but profit, revenues less costs, where both seek the advantage of economic externalities (positive externalities for profits, negative externalities for costs) to maximise those profits. The foundations of economics of the firm (microeconomics) are found in cost-accounting, and cost-accounting itself was limited to the expenses and revenues that could be measured (there's a version of Goodhart's Law buried in here somewhere). Alexander Hamilton Church is the father of modern cost-accounting and gives some interesting insights. (Yes, related to the other A.H.)
GDP is a measure of cash flows, rather than actual increase in national capital, wealth, or well-being. (With some adjustments.)
Economic definitions of wealth differ, though Adam Smith's was "the annual labour and produce of the nation". In general, it is the notion of productive capability (labour, motive, or change power, effectively available energy) plus stored capital to use that energy, plus resources to act on, and sinks to exhaust to. (Industrial knowledge is a form of capital.)
NSO Group's activities and rhetoric are par for the course.
* Campbell's law — https://en.wikipedia.org/wiki/Campbell%27s_law
* the Lucas critique — https://en.wikipedia.org/wiki/Lucas_critique
* the McNamara fallacy — https://en.wikipedia.org/wiki/McNamara_fallacy
Previous discussion of Goodhart's law on Hacker News:
A good set of additions as well, McNamara Fallacy especially.
Never mind that every authoritarian regime labels its opponents as "terrorists". Thanks, "War On Terror" for enabling this!
The truly good tend to doubt themselves to the extreme.
Um, the British in Ireland started this within a few years after the words “terrorism” and “terrorist” referring initially specifically to the acts of the Jacobin revolutionary regime in France, and the perpetrators of those acts, were coined, and it's been pretty common since. Blaming the US’s early 21st Century War on Terror for the trend is... inaccurate.
> I completely believe Pegasus has the ability to help with a kidnapping
These tools cut both ways.
The accepted definition of a widow is a woman who was married to a person at the time of that person's death:
(The definition specifies "husband", though I suspect with the rise in gay marriages, a female survivor of an intact legal union will be considered a widow regardless of the deceased spouse's gender.)
There's also the peculiarity of Western (predominantly Christian) tradition to unquestioningly accept serial polygamy, but not simultaneous, despite at least the sexual elements of the latter itself being a widespread practice.
I can't speak for notafraudster's intent, though their usage isn't an accepted one.
In its filing, Facebook alleged that NSO had rented a Los Angeles-based server from a U.S. company, QuadraNet, that it used to launch 720 hacks on people’s smartphones or other devices (see https://outline.com/WsUszd)
That case is proceeding, because NSO has not been successful at all in claiming immunity or showing those are not its servers. NSO rents the servers and they obviously run the C&C. They are not arms suppliers, they are mercenaries.
That's a 100% hit rate on their sampling of the "list".
That makes this statement demonstrably false: "The numbers in the list are not related to NSO group." At this point, why would you even care to read the rest of this statement if it includes a bald-faced lie at the top? (You would have to disbelieve both Amnesty and Citizen Lab (who provided peer review) to see it as anything but a lie.)
But, as others are saying, NSO contradicts itself with respect to what it says it does and does not know about who is attacked with Pegasus. Here's a good thread on that: https://twitter.com/zackwhittaker/status/1417127080672776192
This company's PR communications are so self-contradictory and deceitful that it's insulting.
(I'd like to see the infection rate for an alternate control-group listing of devices.)
Yet they also state: "The list is not a list of targets or potential targets of Pegasus."
How do they know it is not a list of targets if they don't have access to their customer's lists of targets?
None of this is trustworthy and neither are NSO.
It sounds like the "list" is from HLR lookups, which get done all the time without NSO being involved.
If you think about it, none of NSO's clients would want NSO (or anyone else) to know who they are spying on in the first place, so it stands to reason that there'd not be a centralized list anywhere of targets for their software. I'm sure the list is real and all, but there's a distinct lack of clarity about how that list links to NSO and Pegasus specifically.
Now the other bit that the Pegasus Project did was look at phones they suspected of being compromised. I think that's telling in the sense of, "journalists, activists and business people are being targeted". That seems pretty credible, but NSO doesn't seem to be denying that aspect of the story.
HLR: Home Location Register. A phone-number lookup service / protocol.
“Pipe Bombs Inc.” is just a technology company. They don’t use their products, they just sell them to wackos. Where’s the harm in that?!
It's like I tell you "I hacked your computer and stole the list of all people you know" - and you say "no you didn't, because on my computer there was no such list, so whatever list you have it's not that". Of course it's theoretically possible I watched you for your whole life and compiled such a list independently - but that's not likely and that's not what I am claiming anyway.
Of course, they could be lying and in fact they could have such a list (which could then be stolen), but arguing that them claiming they don't have the list contradicts the argument the list is not what it's claimed to be makes no sense. There's no contradiction.
NSO Group is ... rather well-connected. See for example https://theintercept.com/2016/10/17/how-israel-became-a-hub-...
NSO Group's clients aren’t going to care. If anything they’d probably prefer them saying nothing at all.
> The list is not a list of targets or potential targets of Pegasus. The numbers in the list are not related to NSO group.
> We do not operate the system, nor do we have access to the data of our customers, yet they are obligated to provide us with such information under investigations.
Did they "investigate" every customer then?
Names and concepts are ultimately just shared mental interfaces for referring to and interacting with things in our environment. Everything above the atomic (in the original philosophical sense, here physically quark, Planck-length, and quantum-energy levels) is comprised of collections of other things, and the behaviours of certain sets of things organised in specific ways are distinctive enough that we apply different labels to them, even when the underlying components are the same.
A tree is a collection of carbon, water, and trace elements, but is more than the sum of its parts. A chair or house (if made of wood) are made of tree but not tree. And so on.
Describing things as behaviourally consistent concepts has been a useful mental model for me.
The moral element comes into play where there's intentionality in organisation and a realisation of misdirection in general public understanding. Interest groups and lobbying organisations often present themselves as freestanding or general member organisations, but in truth are mostly representing the interests of their largest members (the MPAA, RIAA, and various software interest / piracy groups come to mind). These have an "ablative heat shield effect" in drawing fire away from the principal member firms themselves. (This is played out across many, many such instances, not just the three I've given.)
The modern business corporation is in fact specifically a risk-externalising engine, and both it and its executive leadership play that role in at least part. I'd just addressed that in an earlier comment on this thread:
Pavel Durov listed in leaked Pegasus project data - https://news.ycombinator.com/item?id=27906667 - July 2021 (12 comments so far)
Pegasus Project found numbers of Ten PMs, three presidents and a king - https://news.ycombinator.com/item?id=27904236 - July 2021 (17 comments)
NSO Group Hacked - https://news.ycombinator.com/item?id=27902544 - July 2021 (78 comments)
Emmanuel Macron identified in leaked Pegasus project data - https://news.ycombinator.com/item?id=27899133 - July 2021 (58 comments)
Hungarian journalists and critics of Orbán were targeted with Pegasus - https://news.ycombinator.com/item?id=27890735 - July 2021 (501 comments)
Edward Snowden calls for spyware trade ban amid Pegasus revelations - https://news.ycombinator.com/item?id=27886209 - July 2021 (80 comments)
iMessage, Apple Music used by NSO Pegasus to attack journalist iPhones - https://news.ycombinator.com/item?id=27882992 - July 2021 (164 comments)
Key Modi rival Rahul Gandhi among potential Indian targets of NSO client - https://news.ycombinator.com/item?id=27882877 - July 2021 (137 comments)
Amazon Shuts Down NSO Group Infrastructure - https://news.ycombinator.com/item?id=27882619 - July 2021 (240 comments)
Private Israeli malware 'Pegasus' used to spy on journalists, activists - https://news.ycombinator.com/item?id=27880409 - July 2021 (7 comments)
iOS 14.6 device hacked with a zero-click iMessage exploit to install Pegasus - https://news.ycombinator.com/item?id=27875976 - July 2021 (162 comments)
How NSO's Pegasus Is Used to Spy on Journalists - https://news.ycombinator.com/item?id=27874173 - July 2021 (24 comments)
Private Israeli spyware used to hack cellphones of journalists, activists - https://news.ycombinator.com/item?id=27874100 - July 2021 (167 comments)
Leak uncovers global abuse of cyber-surveillance weapon - https://news.ycombinator.com/item?id=27874027 - July 2021 (136 comments)
Digital Violence: How the NSO Group Enables State Terror - https://news.ycombinator.com/item?id=27727733 - July 2021 (37 comments)
If NSO group truly cared about that mission statement, they'd be more than happy to continue engaging in the media where beneficial towards those ends while condemning the rest. They'd want to engage wherever possible to shine light on situations where their tools are leaked or abused in order to get as much pressure put on those groups as possible.
NSO is a pure manifestation of peace, wholesomeness and everything that is good in the world including but not limited to your mother and apple pie. After all they only work with governments with strong human rights records like Morocco, Saudi Arabia, Russia, Afghanistan, China and the United States.
Do you hate freedom?
Israel could always do with an extra friend or two and providing this software gains them a friend while costing them nothing.
The geopolitical clout of the US and Saudi Arabia are in decline.
The only way this backfires is if somebody sends men with guns after them.
You and I are not target customers for NSO. They don't care if we think they are bad. Their answer is literally just saying "we are going to claim we aren't legally liable and we aren't answering questions".
This is probably sufficient to the people it needs to be sufficient to. If anything, all of this is probably great marketing for them.
With these kinds of attacks becoming the new normal, security should be top of mind for everyone when buying a phone...
Except the gun manufacturers are not aiming the gun for their customers.
It's going to be interesting to see how this reversal of discourse carries out.
Nobody saves stuff if you don't react. They only save copies when you are seen as trying to delete the copies.
Their operations sound like that of a criminal group just dressed up with a nice logo and website, but as long as Israel doesn't care, it doesn't matter.
This isn't even subtle. Their logic is so flawed that they should be embarrassed to hide behind it.
It is an absolute joke that the “Justice” department allows these organizations to operate freely and uncontested.
- Says What?
- In Which Channel?
- To Whom?
- With What Effect?
Lasswell, Harold (1948). Bryson, L. (ed.). The Structure and Function of Communication in Society. The Communication of Ideas. New York: Institute for Religious and Social Studies. p. 117.
All communication is performative art. The performances and audiences differ. Often for the same work.
Communications such as these have two principal audiences:
- The general public
- The interests for which the speaker is operating.
The message to the public is pretty clearly "fuck you".
The message to organisations which may have used such services, and who may or may not have a history of acting with lethal force to protect their interests, is "we deny everything, we are the shield between you and the world, and we will not be talking further, and we can say this as bluntly as possible because we have major institutional, interest, and/or state backing."
That's not an uncommon message. It's generally not phrased quite so bluntly. That it is here may in fact be part of the signaling.
(All clearly conjecture, though it coheres.)
"[W]e [do not] have access to the data of our customers, yet they are obligated to provide us with such information under investigations."
If your customers "are obligated to" provide you with the information, and they meet that obligation, then you have access to the data, because manifestly your customers have given it to you.
This makes it hard for me to see this as anything other than an attempt to obscure the truth (and not a particularly skillful one).
There's also this:
"Any claim that a name in the list is necessarily related to a Pegasus target or Pegasus potential target is erroneous and false." [Emphasis added.]
This is obviously intended to look like a denial, but it isn't. It could well be that all of the names on the list are targets in point of actual fact even if they are not necessarily targets.
Enough Is Enough
In light of the recent planned and well-orchestrated media campaign led by Forbidden Stories and pushed by special interest groups, and due to the complete disregard of the facts, NSO is announcing it will no longer be responding to media inquiries on this matter and it will not play along with the vicious and slanderous campaign.
We will state again:
The list is not a list of targets or potential targets of Pegasus.
The numbers in the list are not related to NSO group.
Any claim that a name in the list is necessarily related to a Pegasus target or Pegasus potential target is erroneous and false.
NSO is a technology company. We do not operate the system, nor do we have access to the data of our customers, yet they are obligated to provide us with such information under investigations.
NSO will thoroughly investigate any credible proof of misuse of its technologies, as we always had, and will shut down the system where necessary.
NSO will continue its mission of saving lives, helping governments around the world prevent terror attacks, break up pedophilia, sex, and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones.
Their argument of "we're trying to stop terrorists, pedophiles etc" is the same argument as all the government organizations that are cracking down on encryption, and how bad guys can benefit from it.
NSO knows that they've fuked up, and the tone of the article clearly indicates that. They just want to plead ignorance. Hopefully they get sued and bankrupt their butts, but again they're just going to rebrand and start doing the same thing over again
Last time I said this, people said that's like accusing relatives for the actions of, e.g., a cousin. No, the people working there chose to work there and chose to disregard any morals for their paycheck. I hope the people working at this place will never find another job in this space, once NSO (hopefully) goes under. However, unfortunately this is unlikely because there are enough other companies doing essentially the same thing, who'd likely take those people on happily.
> The list is not a list of targets or potential targets of Pegasus.
> The numbers in the list are not related to NSO group.
Unbelievable: first tech company I see that has this… Creepy as hell.
If they state all those things, it makes me think they do not act accordingly.
It's a brilliant strategy in a way: they just let the story be, and they will keep doing what they are doing.
I guess their political connections with the Israeli élite allow them this peace of mind.
And, NSO response is "Enough is Enough". This is not enough, this is just starting.
> and kidnapped children, locate survivors trapped under collapsed
> buildings, and protect airspace against disruptive penetration by
> dangerous drones.
Well, that's an interesting market niche if I've ever seen one.
Sounds exactly like Lt. Col. Jessep from A Few Good Men. The film teaches to never trust that line or those who utter it.
I appreciate the faux outrage tho.
Their real blunder is allowing cross-country hacking, and now they have to answer for the fact the Moroccan government abused their tool against Macron.
As for countries with no human rights abusing their citizens, any outraged American should start right at home with how their own government deals with peaceful protesters of 1/6. Human rights are practically an illusion, and governments abusing citizens is nothing new, NSO is literally a drop in the ocean, the only real difference between countries are whether the press is free enough to even report what's happening.
(Hint to Americans: yours is not free, either).