> In 2013, her world changed. While stationed at NSA Hawaii, Stroud says, she made the fateful recommendation to bring a Dell technician already working in the building onto her team. That contractor was Edward Snowden. / “He’s former CIA, he’s local, he’s already cleared,” Stroud, 37, recalled. “He’s perfect!” Booz and the NSA would later approve Snowden’s transfer, providing him with even greater access to classified material.
Then Stroud trusted the Project Raven employers, not only to start but over and over, as they had Stroud violate human rights (spying on journalists, 16-year-olds, human rights activists), after Stroud discovered evidence of spying on Americans.
And then Stroud didn't trust the FBI; note that the claimed motivation could simply be fabricated - clearly Stroud wanted to do this work.
> Two agents approached Stroud in 2016 at Virginia’s Dulles airport as she was returning to the UAE after a trip home. Stroud, afraid she might be under surveillance by the UAE herself, said she brushed off the FBI investigators. “I’m not telling you guys jack,” she recounted.
And possibly this is related:
> Still, she found the work exhilarating. “It was incredible because there weren’t these limitations like there was at the NSA. There wasn’t that bullshit red tape,” she said. “I feel like we did a lot of good work on counterterrorism.”
Maybe those rules, the principles of human rights, and the FBI are there for a reason. Stroud seems to think they are unrelated to her character:
> “I don’t think Americans should be doing this to other Americans,” she told Reuters. “I’m a spy, I get that. I’m an intelligence officer, but I’m not a bad one.”
> Stroud said her background as an intelligence operative made her comfortable with human rights targets as long as they weren’t Americans. “We’re working on behalf of this country’s government, and they have specific intelligence objectives which differ from the U.S., and understandably so,” Stroud said. “You live with it.”
"Stroud said her background as an intelligence operative made her comfortable with human rights _violations_"
"Three Former U.S. Intelligence Community and Military Personnel Agree to Pay More Than $1.68 Million to Resolve Criminal Charges Arising from Their Provision of Hacking-Related Services to a Foreign Government"
https://www.state.gov/reports/country-reports-on-terrorism-2... “2019 Terrorist Incidents: There were no terrorist attacks reported in the UAE in 2019.”
Either they were extraordinarily good at their job or their job was bullshit. IBM Presents You Make the Call.
There aren't even political parties in monarchies, making political action more difficult, not to mention that the UAE has less crime than Norway.
Maybe that's the key?
Feel good yet?
The going rate for an iOS full chain (iMessage, Safari, or BT/WiFi exploit + sandbox escape, protection bypass, and persistence) is over two million dollars. The brokers then sell them for 2x-5x that amount. Reporting that same vulnerability to Apple can net you up to a million.
It's also always worth pointing out, even though it's not relevant to this thread, that the vulnerabilities we're talking about all fit into a similar mold; they're all generally some form of drive-by or click-by clientside RCE (they're some of the harder vulnerabilities to find and weaponize, and, from what we can see in reporting, they're not the kinds of vulnerabilities we see lots of disputes about with vendors, though I'm happy to be corrected).
And, as always, I want to point out that even at these eye-watering figures, vulnerabilities are cheap. The market competition to RCE vulnerabilities and implant kits is human intelligence. You will pay more just in health insurance and benefits overhead to run a single human intelligence program against a target. Every government in the world, from Germany to the Seychelles, can afford what the IC pays for vulnerabilities, and there's probably no figure we can realistically drive vulnerabilities to in the near future that will change that --- Iran can pull this kind of money out from under its couch cushions, and NATO and China's couch cushions are stuffed with it.
Eh, it is very complicated. On one end of the spectrum you can take a cash payout up front for less money, on the other end you are under contract to keep an arsenal with specific coverage at a minimum fixed size. Brokers exist to trade risk for upside and shield parties from each other.
I think we are in alignment on your second point. Oil-rich companies lack domestic talent but have massive war chests of money. I have some insights into the numbers they are throwing around to skilled foreign workers, and while it is clear the numbers are stupid big, it is nothing in comparison to running a HUMINT asset or buying a drone.
If this is true, I'm super-curious about the economic incentives involved. According to Apple's Sept. 2020 balance sheet, they had over $143 billion in current assets on their books. They have deeper pockets than basically anyone else on Earth, including many state actors. They could 10x their current bounty and it would still basically be couch money for them.
So why are 0-day brokers and their customers able to outbid them? I would think that Apple has much more skin in the game than attackers do, and much more to lose from being the #2 bidder. But judging by the going rates you mentioned, that doesn't seem to be the case. The only thing I can think of is that the small minority of parties with both the means and motive to outbid Apple (the respective governments of the US, China, Russia, etc) are in fact the ones doing so.
What skin in the game do they have? As long as they aren’t viewed as way more insecure than Android, vulnerabilities don’t really cost them anything.
I think there was a post on HN a while back where the guy just got 100K for a very major bug. So you will definitely get more money if you go rogue.
Past that, who knows where they get exploits from? I imagine if they're renting servers with Bitcoins to perform computer attacks, these operatives are probably familiar with darknet sites for trading secrets as well.
Using exploits is complicated, expensive, and risky. In most cases - to quote XKCD - it's cheaper and easier to just hit the victim on the head w/ a proverbial $5 wrench until they cough up their password, e.g.: have them download your "secure messaging app" which is actually just your implant.
From the article:
> To get close to Donaghy, a Raven operative should attempt to “ingratiate himself to the target by espousing similar beliefs,” the cyber-mercenaries wrote. Donaghy would be “unable to resist an overture of this nature,” they believed. Posing as a single human rights activist, Raven operatives emailed Donaghy asking for his help to “bring hope to those who are long suffering,” the email message said. The operative convinced Donaghy to download software he claimed would make messages “difficult to trace.” In reality, the malware allowed the Emiratis to continuously monitor Donaghy’s email account and Internet browsing.
In the last days in Afghanistan they killed 10 people, and no one was held accountable. All they did was label them as ISIS members.
Hopefully one day the US will be held responsible for the death and destruction it has caused worldwide; maybe we could have a version of the Nuremberg trials for the US.
Instead the US leaves the International Criminal Court and pardons war criminals, so the world has no way to get justice.
That was 1000% preventable. You don't get to kill people based on circumstantial evidence without even counting the number of bystanders, without verifying their identity, without doing any level of human intelligence, all easily accomplished tasks, and then claim that you did everything you could.
It's absolutely clear the US did not give a single shit about civilians. Many US and coalition soldiers were even happy to kill civilians. You don't authorize a policy of systematically killing first responders ("double tap strikes") and then claim you were trying to minimize civilian casualties. It wasn't a mistake, it was knowingly just not giving a shit.
It's clear where you stand: "Things happen in war"
But I would think a murder war crime implies intent, not negligence.
The two(+) that are perhaps the most relevant are those that provided the intelligence (framing), and those that made the decision to act on it.
I don't know how much liberty drone operators have to make live decisions in the "field" about whether to engage or not, but I suspect this case involved some level of abstraction.
If there were a massive amount of charges filed for everyone involved with the strike, I'd agree that the servicemen should also be charged. I'm not sure that's where we should start, as I feel it's too likely that's also where we would end and they are the least responsible of the related parties.
Anwar al-Awlaki was an American citizen born in New Mexico.
Didn't stop several US administrations from hunting him and his family down on the other side of the planet to systematically assassinate them.
He was killed by a drone strike in September 2011; in October 2011 his 16-year-old son, also an American citizen, was killed in another drone strike in Yemen.
One of his surviving daughters was killed during a Navy SEAL raid in 2017, when she was only 8 years old. It was the first mission greenlit under Trump; the Pentagon and US press claimed "no civilian casualties", while local sources later reported dozens of dead women and children.
For over a decade this family of Americans has been targeted and hunted down with the full might of the American military and Five Eyes surveillance apparatus, but it's all okay because they are "terrorists".
The US openly admits firing the missile. That seems more likely than ISIS acquiring and launching a missile at an Afghanistan home then the US taking "credit" for it.
Absolute horseshit. This is 100% a loophole to give them some flimsy plausible deniability. If the NSA approves, they should have confirmed with the actual NSA.
Looks like the whistleblower wasn't charged, which is good, though you still have to be a pretty shitty person to go work on targeting journalists and dissidents in the first place. I suspect she didn't have moral qualms as much as she realized how much trouble she'd get in unless she came clean.
I'm interested to learn how exactly any of this is legal. Isn't it illegal for Americans to hack anyone, regardless of where you live? Like could I really go to Russia and openly hack Ukraine as an American and not get charged when I come back to the US?
OK let me do that to you:
You are commenting some good things, but I suspect you aren't doing it because you believe it, but rather because you want some sweet karma. Therefore you are a shitty human being. Feel shame, person I've never interacted with before and have no other knowledge of.
(Maybe check out the Darknet Diaries episode linked in the comments here and learn about the situation a bit before declaring the motives of a person you admit having no knowledge of.)
They are throwing the book at them. But there's also this other, amusing, cachet-related viewpoint:
"I'm so badass that I was labeled a restricted military asset"...
Nothing new in this day and age but you have to wonder what is causing these rifts.