Hacker News new | past | comments | ask | show | jobs | submit login
Enough is enough (nsogroup.com)
166 points by beermonster 2 days ago | hide | past | favorite | 124 comments

>"NSO will thoroughly investigate any credible proof of misuse of its technologies, as we always had, and will shut down the system where necessary."

From Wikipedia:

"In October 2018 Citizen Lab reported on the use of NSO software to spy on the inner circle of Jamal Khashoggi just before his murder. Citizen Lab's October report[65] stated, with high confidence, that NSO's Pegasus had been placed on the iPhone of Saudi dissident Omar Abdulaziz, one of Khashoggi's confidantes, months before. Abdulaziz stated that the software revealed Khashoggi's "private criticisms of the Saudi royal family," which according to Abdulaziz "played a major role" in Khashoggi's death.[24] In December 2018, a New York Times investigation concluded that Pegasus software played a role in the Khashoggi's murder, with a friend of Khashoggi stating in a filing that Saudi authorities had used the Israeli-made software to spy on the dissident.[66] NSO CEO Shalev Hulio stated that the company had not been involved in the "terrible murder", but declined to comment on reports that he had personally traveled to the Saudi capital Riyadh for a $55 million Pegasus sale.[14]

In June 2020, an investigation by Amnesty International alleged that Moroccan journalist Omar Radi was targeted by the Moroccan government using the Israeli spyware Pegasus. The rights group claimed that the journalist was targeted three times and spied on after his device was infected with an NSO tool. Meanwhile, Amnesty also claimed that the attack came after the NSO group updated their policy in September 2019.[67]"

Well I'm reinsured by NSO group's statements and their totally existing moral compass lol.

We can safely assume that “moral products” and “things a Saudi prince would pay $55 million for” are independent sets.

Corporations do not have any moral at all. It is always virtue signaling when they pretend they do have.

While broadly I can agree with you, a corporation is still made up of people, and is lead by people. It’s perfectly possible for someone with a backbone to lead a corporation in a moral way.

The cells in the body of a murderer could have stopped him/her, if they had seized the moment. But they did not. Thus there are endless philosophical arguments about free will to be had, but for practicality, we assume the outermost shell with the most control, is responsible for the inner components.

If we treat cooperation like persons, they should be judged and sentenced as person. Including restructuring of malformed processes and life-time-imprisonment for anti-social behaviour

Could you imagine the criminal reforms that would result from a world in which corporations could be sentenced to death?

That’s what actually happened to accounting firm Arthur Andersen for its role in the Enron fraud and bankruptcy.

I’m all in favor of the corporate death penalty.

Originally corporations were chartered under authority of the king for a limited time, typically 20 to 30 years, so great was the mistrust in them.

That... actually sounds like a very interesting idea.

Once upon a time, I was in a situation to stand against a project which I judged morally unacceptable. Colleagues actually reacted more harshly than management. "What are you doing!? This is work!", I was told, as if moral considerations had no room in the work place. Reaction from management was smoother: "We're glad everyone can express their opinions here. But we'll do it anyway." (luckily for me in the end they didn't get the contract)

In which case, it's the people and not the corporate structure itself which are providing that moral guide.

Organizations can be moral in two ways:

1. As you note: They are made up of people, usually only a few with the ultimate power. Whatever the legal or organizational structures, human morality is inherited from the decision makers.

2. But also: Aside from the individuals, decision making structures within any organization (or mechanism for that matter) can be set up to align with morality or not. I.e. incentives, metrics, business model alignment, transparency, codes of conduct, etc., can all have significant moral implications.

For instance, governments can be designed to be more or less moral. I.e. democracy vs. autocracy.

Human's are not a special moral creation. We would not be surprised by aliens with a moral component, even if they are built very differently than us. Look inside a human and you will also find non- or sub-moral components whose configuration enables moral, immoral, or amoral behavior.

In the "can be" vs. "is" argument, a point that's frequently neglected is what's the prevelance of the circumstance argued?

How many commercial business corporate entities are explicitly structured with a moral focus as their principle organising principle?

Would that even stand up under corporate law in most jurisdictions (e.g., Delaware, where the state supreme court has pretty much upheld the Friedman "shareholder value" mistake)?

Because that's what really matters here.

I don't follow your final paragraph. Are you arguing that humans are not moral, or that morality isn't a strictly human phenomenon? I'd disagree with the first, generally, and agree with the second. For the second, experiments with animals show innate senses of "fair" and "unfair" as well as group alignment of behaviours, which may not be a moral code, though they seem to me the evolutionary basis of one.

I was arguing that morality isn't a strictly human phenomenon.


I don't think a "moral focus as their principle organizing principle" is necessary for a moral corporation any more than I think it is necessary for a moral human.

It's enough that a company's structure, whether implicitly or explicitly, aligns itself with the long term good for all stakeholders, i.e. the greater good. As apposed to aligning with short term or short sighted good at the expense of long term and wider focused good.

After all, some "good" people are just expressing their personality as it naturally developed. Others are intentionally expressing principles they spent years considering. Is one type of "good" person better than the other?

And of course the opposite: Some seemingly evil people are acting on the only instincts they seem to have, while others are well aware of the damage they do. Both people might have the same IQ, access to situational awareness, etc., so we are likely to judge both the same, but their actions can come from very different places internally.

Morality is clearest at the behavioral level of a system or human. Less clear the deeper into the internal causes one looks.

The structure of a firm does NOT align with all stakeholders. It aligns principally with shareholders and creditors. The strongest advocates of the firm would have you believe it aligns only with shareholders.

I disagree with what you stated explicitly. But from the nuance of what you stated, maybe we are in agreement.

A structure of a firm does not NECESSARILY align with all stakeholders.

That doesn't mean that there are not firms designed by their founders and leaders to be more moral than that.

Often, the share holders will make sure that is not the case, at least not for long.

Do no evil... Except when it's profitable.

Pretty embarrassing response, honestly. If you specifically work in an area that can be used for sensitive purposes, you have a moral responsibility as to who you choose to sell to and what you choose to enable them to do.

Moreover, if you're going to engage in moral indignation -- we can't possibly be responsible for what our customers do!!! -- then you can't end with a paragraph about how you're a league of superheroes saving the world from all its evils. I completely believe Pegasus has the ability to help with a kidnapping case, but if they want an ounce of credit for it then they need to take responsibility for egregious abuses.

You reap what you sow. Hope the victims of Pegasus sue these people into oblivion, especially Kashoggi's widows.

And by the way, anyone who does public communications also has a moral obligation to consider whether their copy text engages in reputation laundering. The person who wrote this sounds stressed and demoralized, and that's a good thing. I hope this is the worst job they ever have in their life, and that they quit as soon as possible because of the misery they're going through.

> "NSO is a technology company. We do not operate the system, nor do we have access to the data of our customers, yet they are obligated to provide us with such information under investigations."

This is an abdication of responsibility and I agree the substance and tone of the response from them is really bad.

Just because you don't have direct customer data access does not mean that you don't hold some responsibility for how the tools you sell can and will be used. This is especially the case when you sell zero day security exploits in very high risk use cases.

This response suggests the culture on the inside is probably as bad as it looks from the outside. Based on this, I'd guess abuse of their tools is lot worse than what's publicly known.

A serious company operating in a high risk space would lead the messaging with and own the high risk issue directly and how they try to contain it in order to do pragmatic good in difficult areas. Instead we see a childish almost petulant, knee-jerk response that the bad things are 'not their fault' because they're just a software company.

These guys are just rationalizing their own bad behavior.


I think it’s worse than just abdicating responsibility. As if they just didn’t know bad things cound happen.

They’re selling this software to literal tyrants. They knew full well what this would be used for.

I don't think they're claiming they didn't know bad things could happen. Their "Transparency and Responsibility Report" is essentially a detailed accounting of how they weighed that risk when licensing their software. I think one can certainly take issue with their approach, but they don't appear to be naive about the risks.

Their response in this post suggests they don't view this targeting as related to them or their responsibility.

> "The list is not a list of targets or potential targets of Pegasus.

> "The numbers in the list are not related to NSO group.

> "Any claim that a name in the list is necessarily related to a Pegasus target or Pegasus potential target is erroneous and false.

> "NSO is a technology company. We do not operate the system, nor do we have access to the data of our customers, yet they are obligated to provide us with such information under investigations."

My read of this is it's the kind of carefully worded intel-like response, basically saying the people targeted are not Pegasus(tm) targets because Pegasus is the name of the product and it 'technically' doesn't do the targeting on its own, the customers do the targeting - therefore not our fault and not related to us, we just sell software. (Even though the customers used NSO software to do the targeting, sold to them by NSO).

I said they don't appear to be abdicating responsibility for the risk their software could be used for bad things to happen. If you look at the report, it's all about weighing that risk against the risks of not licensing their software.

They are abdicating responsibility for the list, which doesn't seem unreasonable since the Pegasus Project has been pretty explicit that they don't know where the list came from, who put it together, or why any particular entry was put in to the list. The Pegasus Project guys have already walked back their statement that the list is phones that have been targeted by Pegasus, so...

It very much sounds like someone found some HLR logs and then failed to determine whether that list was specific to Pegasus or not. It seems very unlikely that there'd be HLR logs that would be specific to Pegasus somewhere, so I'm not sure how anyone could expect them to take responsibility for such a list.

Thanks for the details - given that, they could have written a real response to the allegations rather than this blog post they posted and it would have come across better.

This blog post comes across very defensive somewhat clueless, doesn't inspire confidence.

I get why they'd not want to engage with the media (media writers are often useless at best, if not actively/intentionally harmful with regard to this kind of technical nuance), but that's no excuse for the response they have here. If they were going to go direct they should have done it right.

For the curious, their report: https://www.nsogroup.com/wp-content/uploads/2021/06/ReportBo...

The tough thing about being attacked in the press with misinformation is it is very difficult to respond in a way that comes across well. As you can see from the Post's publication of the correspondence from NSO (https://www.washingtonpost.com/investigations/2021/07/18/nso...), they did try to inform the media about the technical nuance, but it's hard to get between a journalist and what looks like a great story.

I think a skilled and experienced PR professional could have maybe navigated this successfully, but I've seen plenty of them fail in less difficult contexts than this.

It's also tougher when you're an organization that blew its credibility before this latest thing even happened.

This is an excellent point. "We're responsible for the good applications, just not the bad ones"

The modern commecial business corporation is ineherently a risk-externalising structure, which is specifically indicated in certain naming conventions, notably the "limited liability corporation". Legally it exists to sheild investors, as well as creditors and officers, from full personal liability. That has certain advantages, but as with all forms of impunity is subject to and the direct source of tremendous abuses.

Capitalism is often touted as an "engine of wealth generation", but what is in fact measured in financial reports and national GDP accounts is not wealth but profit, revenues less costs, where both seek the advantage of ecnomic externalities (positive externalities for profits, negative externalities for costs) to maximise those profits. The foundations of economics of the firm (microeconomics) are found in cost-accounting, and cost-accounting itself was limited to the expenses and revenues that could be measured (theree's a version of Goodhart's Law buried in here somewhere). Alexander Hamilton Church is the father of modern cost-accounting and gives some interesting insights. (Yes, related to the othere A.H.)

GDP is a measure of cash flows, rather than actual increase in national capital, wealth, or well-being. (With some adjustments.)

Economic definitions of wealth differ, though Adam Smith's was "the annual labour and produce of the nation". In general, it is the notion of productive capability (labour, motive, or change power, effectively available energy) plus stored capital to use that energy, plus resources to act on, and sinks to exhaust to. (Industrial knowledge is a form of copital.)

NSO Group's activities and rhetoric are par for the course.

>there's a version of Goodhart's Law [ https://en.wikipedia.org/wiki/Goodhart%27s_law ] buried in here somewhere


* Campbell's law — https://en.wikipedia.org/wiki/Campbell%27s_law

* the Lucas critique —https://en.wikipedia.org/wiki/Lucas_critique

* the McNamara fallacy —https://en.wikipedia.org/wiki/McNamara_fallacy

Previous discussion of Goodhart's law on Hacker News: https://news.ycombinator.com/item?id=23762526

Thanks, and also for the spell-check (corrected in original).

A good set of additions as well, McNamara Fallacy especially.

> you're a league of superheroes saving the world from all its evils.

Never mind that every authoritarian regime labels its opponents as "terrorists". Thanks, "War On Terror" for enabling this!

Being convinced beyond any shred of doubt that you are on the sight of light and righteousness is a very common gateway to ultimate evil.

The truly good tend to doubt themselves to the extreme.

> Never mind that every authoritarian regime labels its opponents as "terrorists". Thanks, "War On Terror" for enabling this!

Um, the British in Ireland started this within a few years after the words “terrorism” and “terrorist” referring initially specifically to the acts of the Jacobin revolutionary regime in France, and the perpetrators of those acts, were coined, and its been pretty common since. Blaming the US’s early 21st Century War on Terror for the trend is... inaccurate.

Malicious context removal exposes another truth...

> I completely believe Pegasus has the ability to help with a kidnapping

These tools cut both ways.

> Kashoggi's widows


Jamal Khashoggi was married three times.


It’s unusual to call his ex-wives his widows?

It is. That's not the aspect I was addressing. The number of former wives of Khashoggi is, however, trivial to research.

The accepted definition of a widow is a woman who was married to person at the time of that person's death:


(The definition specifies "husband", though I suspect with the rise in gay marriages, a female survivor of an intact legal union will be considered a widow regardless of the deceased spouse's gender.)

There's also the peculiarity of Western (predominantly Christian) tradition to unquestioningly accept serial polygamy, but not simultaneous, despite at least the sexual elements the latter itself being a widespread practice.

I can't speak for notafraudster's intent, though their usage isn't an accepted one.

He had a religious marriage with Hatice, not a civil one, and in fact was reluctantly going to the Saudi consulate to finalize the divorce papers for his separated second wife, which they told him could only be done in person. Apparently MBS has assured him personally no harm would come to him.

In some cultures muslims can have four wives.

Muslims can marry four wives, but it is generally not recommended. Most muslim-majority countries place restrictions on polygny, and at least one (Turkey) has outlawed it entirely.

This was already disproved in the WhatsApp vs. NSO case:

In its filing, Facebook alleged that NSO had rented a Los Angeles-based server from a U.S. company, QuadraNet, that it used to launch 720 hacks on people’s smartphones or other devices (see https://outline.com/WsUszd)

That case is proceeding, because NSO has not been successful at all in claiming immunity or showing those are not it's servers. NSO rents the servers and they obviously run the C&C. They are not arms suppliers, they are mercenaries.

Regarding the "list": Amnesty said 34 iPhones were forensically checked. 23 successfully had malware (specifically NSO's Pegasus) installed on them. The other 11 saw attempts at malware infection. [0]

That's a 100% hit rate on their sampling of the "list".

That makes this statement demonstrably false: "The numbers in the list are not related to NSO group." At this point, why would you even care to read the rest of this statement if it includes a bald-faced lie at the top? (You would have to disbelieve both Amnesty and Citizen Lab (who provided peer review) to see it as anything but a lie.)

But, as others are saying, NSO contradicts itself with respect to what it says it does and does not know about who is attacked with Pegasus. Here's a good thread on that: https://twitter.com/zackwhittaker/status/1417127080672776192

This company's PR communications are so self-contradictory and deceitful that it's insulting.

[0] -https://www.washingtonpost.com/technology/2021/07/19/apple-i...

Another possbility is that every mobile device has been targeted or compromised.

(I'd like to see the infection rate for an alternate control-group listing of devices.)

Upvotes are not endorsements. Usually, folks upvote because they think a post is noteworthy enough to warrant an extended discussion that the front-page affords.

They state: "NSO is a technology company. We do not operate the system, nor do we have access to the data of our customers"

Yet they also state: "The list is not a list of targets or potential targets of Pegasus."

How do they know it is not a list of targets if they don't have access to their customer's lists of targets?

None of this is trustworthy and neither are NSO.

In another article - they apparently asked their clients whether they people named in the news stories had been targeted, and then they took their clients' word for it. Just comical. "Hey MBS, did you use our product to target Khashoggi? No? Great, that's a load off."

You can't trust anyone, but... The Pegasus Project did change their statement from "thousands of numbers that were selected as targets by NSO’s Group clients" to "a list of phone numbers concentrated in countries known to surveil their citizens and also known to have been clients of NSO Group", and they specifically say: "The list does not identify who put the numbers on it, or why, and it is unknown how many of the phones were targeted or surveilled".

It sounds like the "list" is from HLR lookups, which get done all the time without NSO being involved.

If you think about it, none of NSO's clients would want NSO (or anyone else) to know who they are spying on in the first place, so it stands to reason that there'd not be a centralized list anywhere of targets for their software. I'm sure the list is real and all, but there's a distinct lack of clarity about how that list links to NSO and Pegasus specifically.

Now the other bit that the Pegasus Project did was look at phones they suspected of being compromised. I think that's telling in the sense of, "journalists, activists and business people are being targeted". That seems pretty credible, but NSO doesn't seem to be denying that aspect of the story.

For those like me unfamiliar.

HLR: Home Location Register. A phone-number lookup service / protocol.

Is it relevant even if they are “just a technology company”?

“Pipe Bombs Inc.” is just a technology company. They don’t use their products, they just sell them to wackos. Where’s the harm in that?!

That's a wrong take. Of course they can't claim the list does not include targets or potential (!!) targets at all - if they don't know the potential targets. What they are claiming is that they didn't have such list, and nobody else can plausibly have such list (as they never compiled it, and nobody else had any way to compile it without being able to access data of all clients - which is pretty unlikely), so whatever this list is, it's not what it is claimed to be.

It's like I tell you "I hacked your computer and stole the list of all people you know" - and you say "no you didn't, because on my computer there was no such list, so whatever list you have it's not that". Of course it's theoretically possible I watched you for your whole whole life and compiled such list independently - but that's not likely and that's not what I am claiming anyway.

Of course, they could be lying and in fact they could have such list (which could then be stolen), but arguing that them claiming they don't have the list contradicts the argument the list is not what it's claimed to be makes no sense. There's no contradiction.

hmm.. "yet they are obligated to provide us with such information under investigations"

Translation: we are going to get away with it whether we spend money on PR or not, so we are going to save the money. Fuck You.

Also, presumably, the firm feels it has the support of its own major interests in this course of action.

NSO Group is ... rather well-connected. See for example https://theintercept.com/2016/10/17/how-israel-became-a-hub-...

And also do not call during business hours, we are not going to pick up the phone…

Worked for Tesla.

NSO groups clients aren’t going to care. If anything they’d probably prefer them saying nothing at all.

Your comment would be better without the last sentence. This is not Twitter.

To be honest, that last sentence was my interpretation of the press release as well.

Same, this is literally "fuck you all".

The last sentence is part of the response to the public, not my opinion of the company.

To be honest, "Fuck you," is just a condensed version of NSO's first paragraph.

How is

> The list is not a list of targets or potential targets of Pegasus. The numbers in the list are not related to NSO group.

consistent with

> We do not operate the system, nor do we have access to the data of our customers, yet they are obligated to provide us with such information under investigations.

Did they "investigate" every customer then?

Serious question: We talk always about companies like they are are organisms and not run by people making decisions. I see texts referring to group, company, people. Who's making the decisions and why don't we address them by name? Would this not make them more accountable if we did?

That ultimately becomes a metaphysical question about existence, though it also has elements of morality and pragmatism.

Names and concepts are ultimately just shared mental interfaces for refering to and interacting with things in our environment. Everything above the atomic (in the original philosophical sense, here physically quark, Plank-length, and quantum-energy levels) is comprised of collections of other things, and the behaviours of certain sets of things organised in specific ways is distinctive enough that we apply different labels to them, even when the underlying components are the same.

A tree is a collection of carbon, water, and trace elements, but is more than the sum of its parts. A chair or house (if made of wood) are made of tree but not tree. And so on.

Describing things as behaviourally consistent concepts has been a useful mental model for me.

The moral element comes into play where there's intentionality in organisation and a realisation of misdirection in general public understanding. Interests groups and lobbying organisations often present themselves as freestanding or general member organisations, but in truth are mostly representing the interests of their largest members (the MPAA, RIAA, and various software interest / piracy groups come to mind). These have an "ablative heat shield effect" in drawing fire away from the principle member firms themselves. (This is played out across many, many such instances, not just the three I've given.)

The modern business corporation is in fact specifically a risk-externalising engine, and both it and its executive leadership play that role in at least part. I'd just addressed that in an earlier comment on this thread:


Here are the significant threads to date. Additions are welcome.

Pavel Durov listed in leaked Pegasus project data - https://news.ycombinator.com/item?id=27906667 - July 2021 (12 comments so far)

Pegasus Project found numbers of Ten PMs, three presidents and a king - https://news.ycombinator.com/item?id=27904236 - July 2021 (17 comments)

NSO Group Hacked - https://news.ycombinator.com/item?id=27902544 - July 2021 (78 comments)

Emmanuel Macron identified in leaked Pegasus project data - https://news.ycombinator.com/item?id=27899133 - July 2021 (58 comments)

Hungarian journalists and critics of Orbán were targeted with Pegasus - https://news.ycombinator.com/item?id=27890735 - July 2021 (501 comments)

Edward Snowden calls for spyware trade ban amid Pegasus revelations - https://news.ycombinator.com/item?id=27886209 - July 2021 (80 comments)

iMessage, Apple Music used by NSO Pegasus to attack journalist iPhones - https://news.ycombinator.com/item?id=27882992 - July 2021 (164 comments)

Key Modi rival Rahul Gandhi among potential Indian targets of NSO client - https://news.ycombinator.com/item?id=27882877 - July 2021 (137 comments)

Amazon Shuts Down NSO Group Infrastructure - https://news.ycombinator.com/item?id=27882619 - July 2021 (240 comments)

Private Israeli malware 'Pegasus' used to spy on journalists, activists - https://news.ycombinator.com/item?id=27880409 - July 2021 (7 comments)

iOS 14.6 device hacked with a zero-click iMessage exploit to install Pegasus - https://news.ycombinator.com/item?id=27875976 - July 2021 (162 comments)

How NSO's Pegasus Is Used to Spy on Journalists - https://news.ycombinator.com/item?id=27874173 - July 2021 (24 comments)

Private Israeli spyware used to hack cellphones of journalists, activists - https://news.ycombinator.com/item?id=27874100 - July 2021 (167 comments)

Leak uncovers global abuse of cyber-surveillance weapon - https://news.ycombinator.com/item?id=27874027 - July 2021 (136 comments)

Digital Violence: How the NSO Group Enables State Terror - https://news.ycombinator.com/item?id=27727733 - July 2021 (37 comments)

For those seeking a single-point summary and compilation of complex stories, Wikipedia is very often the best available source. No, it's not HN discussions but it is a best-current-information compilation.


>NSO will continue its mission of saving lives, helping governments around the world prevent terror attacks, break up pedophilia, sex, and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones.

If NSO group truly cared about that mission statement, they'd be more than happy to continue engaging in the media where beneficial towards those ends while comdemning the rest. They'd want to engage wherever possible to shine light on situations where their tools are leaked or abused in order to get as much pressure put on those groups as possible.

It sounds to me like you are pro-terrorism and hate children, ponies and other cute animals.

NSO is a pure manifestation of peace, wholesomeness and everything that is good in the world including but not limited to your mother and apple pie. After all they only work with governments with strong human rights records like Morocco, Saudi Arabia, Russia, Afghanistan, China and the United States.

Do you hate freedom?

I’m pretty sure at a minimum $25K per target, the software is only used for cases where a higher-up is heavily motivated, i.e. his own ass is on the line. Thus whistleblowers, journalists, political opposition and untrustworthy underlings. Possibly terrorists if they are thought likely to attempt an assassination on the said higher-up. Pedophiles? Don’t make me laugh.

Yeah its like the US DoD: Sell weapons and wage wars to keep peace and spread democracy.

NSO Group is dead at this point. They fucked with the wrong people. Hacking human rights advocates is fine but when Presidents and PMs start getting their phones hacked I am sure they will implement legislation to outlaw this type of software.

It’s an Israeli weapon, subject to arms control legislation. But that legislation can only be authored by Israel itself. So it doesn’t matter what other countries outlaw, Israel will continue to authorise NSO to sell the software to state actors around the world.

Israel could always do with an extra friend or two and providing this software gains them a friend while costing them nothing.

It really doesn't cost them nothing - it makes them the target to offensive operations of other states. I'd be very, very surprised if NSO itself isn't hacked.

Israel is not immune from international pressure though.

Um, they kind of are? Or at least think they are? Any sort of international pressure is met with cries of 'anti-semitism' which quickly shuts down anyone. It is used to combat the BDS movement, which itself is intended to put pressure on Israel over the occupation of Palestine. A non-violent option similar to what happened with South Africa.

Attacking NSO would be like attacking the Israeli government and you don't do that because your PM's shitty OpSec was exposed.

The only overtly pro-nomatterwhat-Israel government is the United States so at most 1 of the 193 countries in the United Nations would avoid regulating NSO on international relations grounds.

That is not true at all. The US is just as critical of Israel as many other countries.

This is actually one of the best reasons to hack another government.

Remember the Israelis also need allies.

Allies are allies because of strategic positioning, and many of Israel's proximal allies are authoritarian nations who have interest in this kind of technology. Israel's strategic value hardly shifted at all from this slate of embarrassing news.

The Israeli's have two allies of note, the US and Saudi Arabia. Everyone else dislikes to hates them.

The geopolitical clout of the US and Saudi Arabia are in decline.

Europe like them, kind of, many other gulf states, China, many african countries, I can go on and on

I'd guess that those same presidents will call them up and buy. They'd rather be a customer than try and change a behemoth with political power like these guys.

Unlikely. If anything this is good PR: look we have this great tool that can hack anything and we will totally sell it to shit countries run by tin pot dictators.

The only way this backfires is if somebody sends men with guns after them.

What evidence is there that a PM has been hacked? Their number was on the list but haven't seen anything about Pegasus having been found on their devices.

This reads like literal satire, jesus christ...

Everyone here is saying "NSO bad", which I agree with, but it misses the point.

You and I are not target customers for NSO. They don't care if we think they are bad. There answer is literally just saying "we are going to claim we aren't legally liable and we aren't answering questions".

This is probably sufficient to the people it needs to be sufficient to. If anything, all of this is probably great marketing for them.

Seems like NSO is saying "We don't operate our software directly, so stop asking us to be accountable for its use". Kind of like we accept that gun manufacturers have no liability if their guns are used in crimes.

With these kinds of attacks becoming the new normal, security should be top of mind for everyone when buying a phone...

> Kind of like we accept that gun manufacturers have no liability if their guns are used in crimes.

Except the gun manufacturers are not aiming the gun for their customers.

Another interesting example of a company choosing to simply route around the media. Not making a value judgement, but I'm seeing more companies opt to simply disengage and try to create their own narratives rather than go through the media via interviews/statements/etc.

I have always had a suspicion that this is the most expedient course of action from a company's perspective: the velocity of media is so fast nowadays that any controversy will be forgotten by the next week.

Judging by the panicked responses by the media, I'd say NSO is in a unique position, and the media just has to accept this. What we will likely see soon is a shift in focus from the company itself to individuals perceived to be motivators or shot-callers within the org being called out by the media in an attempt to garner the attention that NSO so steadfastly claims to be denying going forward.

It's going to be interesting to see how this reversal of discourse carries out.

Myself and my companies have gotten around streisand effect before by just ignoring everyone and then doing takedown requests a few weeks later.

Nobody saves stuff if you don't react. They only save copies when you are seen as trying to delete the copies.

How do you sleep at night?

"On top of a pile of money with many beautiful ladies." --Rainier Wolfcastle (S06E18)

It would be interesting if everybody just pulled an Elon and when Wapo asked for comment they would just say something like "Tell Jeff we say hi". It completely takes the moral high ground from the journalists.

This reads like both an intentional trolling and a "How Not to Do PR 101" guide. It's almost as if they've taken a page from the PR playbook of the type of morally bankrupt and corrupt governments they count as customers. Their official response from a few of days ago was equally laughable:

[1] https://www.theguardian.com/news/2021/jul/18/response-from-n...

They know they're probably going to get away with it, and there's not much more that can be done to target them specifically.

Their operations sound like that of a criminal group just dressed up with a nice logo and website, but as long as Israel doesn't care, it doesn't matter.

Pegasus is considered a munition; Israel has to approve its sale and export. Israel's attitude is a bit stronger than "doesn't care".

"But our customers have to tell us who they target! It's in the signed contract! And I'm sure the people who lured a journalist into an embassy and murdered him are totally honorable people who would always disclose this to us!"

This isn't even subtle. Their logic is so flawed that they should be embarrassed to hide behind it.

These people and their employees need to be on terrorist watch lists, their assets and passports frozen, domains seized etc.

It is an absolute joke that the “Justice” department allows these organizations to operate freely and uncontested.

The company is not under US jurisdiction. The lawsuit against it (Facebook/WhatsApp v. NSO) is ongoing.

Harold Lasswell has an interesting model of communications:

- Who?

- Says What?

- In Which Channel?

- To Whom?

- With What Effect?


Lasswell, Harold (1948). Bryson, L. (ed.). The Structure and Function of Communication in Society. The Communication of Ideas. New York: Institute for Religious and Social Studies. p. 117.

All communication is performative art. The performances and audiences differ. Often for the same work.

Communications such as these have two principle audiences:

- The general public - The interests for which the speaker is operating.

The message to the public is pretty clearly "fuck you".

The message to organisations which may have used such services, and who may or may not have a history of acting with lethal force to protect their interests, is "we deny everything, we are the shield between you and the world, and we will not be talking further, and we can say this as bluntly as possible because we have major institutional, interest, and/or state backing."

That's not an uncommon message. It's generally not phrased quite so bluntly. That it is here may in fact be part of the signaling.

(All clearly conjecture, though it coheres.)

The statement is internally contradictory:

"[W]e [do not] have access to the data of our customers, yet they are obligated to provide us with such information under investigations."

If your customers "are obligated to" provide you with the information, and they meet that obligation, then you have access to the data, because manifestly your customers have given it to you.

This makes it hard for me to see this as anything other than an attempt to obscure the truth (and not a particularly skillful one).

There's also this:

"Any claim that a name in the list is necessarily related to a Pegasus target or Pegasus potential target is erroneous and false." [Emphasis added.]

This is obviously intended to look like a denial, but it isn't. It could well be that all of the names on the list are targets in point of actual fact even if they are not necessarily targets.

That's one site I'm iffy on enabling JavaScript for.. is there an alternative host for the release?

NSO Group

Enough Is Enough

In light of the recent planned and well-orchestrated media campaign lead by Forbidden Stories and pushed by special interest groups, and due to the complete disregard of the facts, NSO is announcing it will no longer be responding to media inquiries on this matter and it will not play along with the vicious and slanderous campaign.

We will state again:

The list is not a list of targets or potential targets of Pegasus.

The numbers in the list are not related to NSO group.

Any claim that a name in the list is necessarily related to a Pegasus target or Pegasus potential target is erroneous and false.

NSO is a technology company. We do not operate the system, nor do we have access to the data of our customers, yet they are obligated to provide us with such information under investigations.

NSO will thoroughly investigate any credible proof of misuse of its technologies, as we always had, and will shut down the system where necessary.

NSO will continue its mission of saving lives, helping governments around the world prevent terror attacks, break up pedophilia, sex, and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones.

If you discover a 0-day, as as software developer, you have the moral responsibility to report it to the manufacturer, not to sell it and make money off of it.

Their argument of "we're trying to stop terrorists, pedophiles etc" is the same argument as all the government organizations that are cracking down on encryption, and how bad guys can benefit from it.

NSO knows that they've fuked up, and the tone of the article clearly indicates that. They just want to plead ignorance. Hopefully they get sued and bankrupt their butts, but again they're just going to rebrand and start doing the same thing over again

I really hope that people who are in hiring positions here will make sure to never hire someone involved with this company.

Last time I said this, people said that's like accusing relatives for the actions of a e.g. a cousin. No, the people working there chose to work there and chose to disregard any morals for their paycheck. I hope the people working at this place will never find another job in this space, once NSO (hopefully) goes under. However, unfortunately this is unlikely because there is enough other companies doing essentially the same thing, who'd likely take those people on happily.

NSO's responses seem to intentionally redirect from Amnesty's forensic work identifying Pegasus to the list per se:

> The list is not a list of targets or potential targets of Pegasus.

> The numbers in the list are not related to NSO group.

Is there an explanation why hacking-as-a-service is not illegal under https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act? The page goes on at such length I admit I barely skimmed it, beyond checking that yes cell phones are deemed computers.

It's not in US jurisdiction?

It's not in US jurisdiction, and its not one of the things Washington feels so strongly about that it tries to suppress it in other jurisdictions?

They have a page on “Human Rights Policy”


Unbelievable: first tech company I see that has this… Creepy as hell.

If they state all those things, it makes me think they do not act accordingly.

this press release doesn't explain anything... NSO doesn't even try to attempt to explain what's going on. And the proofs against them are piling up.

It's a brilliant strategy in a way: they just let the story be, and they will keep doing what they are doing.

I guess their political connections with Israeli élite allows them this peace of mind.

In India, NSO's Pegasus allegedly used for toppling two state Governments by Central Government plus used for various Political gains be it opposition politicians, election commissioner, Judges, Journalists, Activists etc.

And, NSO response is "Enough is Enough". This is not enough, this is just starting.

> break up pedophilia, sex, and drug-trafficking rings, locate missing

> and kidnapped children, locate survivors trapped under collapsed

> buildings, and protect airspace against disruptive penetration by

> dangerous drones.

Well, that's an interesting market niche if I've ever seen one.

> NSO will continue its mission of saving lives

Sounds exactly like Lt. Col. Jessep from A Few Good Men. The film teaches to never trust that line or those who utter it.

What is unique to NSO and a small sample of companies like them is that they are the ones who get caught.

Yeah I'm not buying it, and I don't think anyone else worth their weight is either.

In the court of public opinion and most sovereignties, this is analogous to yelling at a hurricane.

They been helping terrorists kill activists for years.

I appreciate the faux outrage tho.

Honestly, most of the outrage would be prevented if they just limited each government to just attacking their own civilians. Who would outlaw them then, those same governments?

Their real blunder is allowing cross-country hacking, and now they have to answer for the fact the morocan government abused their tool against Macron.

As for countries with no human rights abusing their citizens, any outraged American should start right at home with how their own government deals with peaceful protesters of 1/6. Human rights are practically an illusion, and governments abusing citizens is nothing new, NSO is literally a drop in the ocean, the only real difference between countries are whether the press is free enough to even report what's happening.

(Hint to Americans: your is not free, either).

They may as well have put "<h1>Won't someone think of the children!?</h1>" instead.

Applications are open for YC Winter 2022

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact