Three ex-US intelligence officers admit hacking for UAE (justice.gov)
743 points by andrewnicolalde 38 days ago | 237 comments

There is an incredibly well produced podcast episode on these ex-NSA engineers working for the UAE that came out a couple of years ago. Check out Darknet Diaries Ep47: Project Raven [1].

Synopsis is that the UAE hires ex-NSA employees as "penetration testers" and when they enter the country for cybersecurity work, some are pulled aside to be briefed on an opportunity called "Project Raven" to assist Emirati intelligence with targeting, allegedly in the interest of counter-terrorism. The thing is, only Emiratis have "hands on keyboard" while the US engineers sit beside them and guide them, which supposedly dodges any legal concerns. Those whom Jack interviewed decided to leave Project Raven when it became clear they were targeting dissidents, human rights activists, and later, Americans. As you might imagine, ex-NSA employees who target US citizens for a foreign government are breaking the law. I do wonder if it's these ex-Project Raven engineers that have led prosecutors down the road to where we are now.

[1] https://darknetdiaries.com/episode/47/

+1 for Darknet Diaries. One of the best podcasts I've ever listened to. So simple, yet so gripping, and well told in a sweet spot between hard nerds and casual enthusiasts. I listened to all 100 episodes since discovering the show in July.

If you liked this check out You're Wrong About. Incredibly well researched and incredibly well presented - information packed and funny at the same time.

Thanks for the recommendation. I've added the RSS feed to my podcast player. I look forward to digging in.

You’re wrong about is an incredible podcast. Spot on about information density and humor. I love it


I think they meant:

You’re Wrong About is an incredible podcast. Spot on about information density and humor. I love it

Similar experience. I discovered this podcast earlier this year and got completely hooked. Had to listen to them all.

It sounds to me like the UAE made a decision to stop paying vast sums of money to the NSO group and started throwing money at trying to develop their own similar domestic capability.

From a purely pragmatic perspective of a UAE royal family member worried about domestic dissent I can see why they would do that, not that I agree with it in the slightest.

> It sounds to me like the UAE made a decision to stop paying vast sums of money to the NSO group and started throwing money at trying to develop their own similar domestic capability.

Porque no los dos?

Presumably, the latter is less of a risk; they probably don't want NSO to know their business and there's going to be at least metadata leaking that points to what they're doing. Plus, presumably, there's always a chance NSO could play them off to a higher bidder?

I agree about UAE wanting to keep their cards close to the chest, but I think the choice between NSO/other third party hacking groups and developing in house is an AND statement, not OR. At the end of the day, developing adequate zero day chains that provide access akin to NSO's Pegasus is an extremely time and talent intensive endeavor, and having multiple options to procure those capabilities is the more likely solution.

the principal-agent problem. whenever you hire an agent whose interests are not specifically aligned with yours, there's an existential problem ensuring your principal concerns are acted upon.

so yeah, you want your agents to have a principal stake, so having an NSA agent direct your staff brings more surety than some random third party like NSO doing your dirty work, even if it's just handing over software. we all know it matters the route your hardware and software comes from if you are involved in national security.

> we all know it matters the route your hardware and software comes from if you are involved in national security.

No security apparatus in the world has the capability to build and execute everything they want to on their own. Hardware and software is always procured from multiple sources.

The price of software, or use of an exploit, for a nation state is nothing!

Money is probably not the only factor.

UAE is probably very suspicious of NSO software coming from Israel, and what other, hidden, capabilities it might have.

yeah, no matter how equally dirty your supplier is, they still have different motives than you, regardless of any human bias.

perfect principal-agent problem

> It sounds to me like the UAE made a decision to stop paying vast sums of money to the NSO group and started throwing money at trying to develop their own similar domestic capability

Running an intelligence service is a lot more than hacking a random phone once in a while. They buy lots of products from lots of vendors, develop some things in house, and hire a lot of talent from overseas.

Probably going to pay russia instead...

It's weird that the agents suddenly discovered their morals. It's not like they didn't know who they'd be working for before being pulled to the side, apart from the fact that the NSA has been helping all sorts of totalitarian governments with information that could have been (and likely was) used against dissidents etc.. It seems more like they pulled out because it was too blatantly illegal and risky and that was the motivation to leave Project Raven.

It's probably a lot more like a bad marriage where you then have a hard time at deciding when to divorce.

Initially the work sounded interesting and good: find and observe terrorists.

DND has some interesting episodes, but "incredibly well produced" is not how I would describe any.

And Jack's sophomoric exaggeration of the otherwise banal often echoes of chicken little.

If anything it highlights a need for better podcasts in this domain.

The moral of “chicken little” isn’t what you think it is. The key message is that bad authorities fail at listening and create perverse incentives towards misinformation, shirking their accountabilities with disastrous consequences.

People telling it to children are trying to silence their kids. They’re not focused on improving transparency, or on systemic outcomes, they just want to regulate individuals. So they are in fact the selfsame bad authorities.

The target of blame in the story is not the chicken.

Eh, pretty sure there's more than one moral there. No reason to ignore the "don't run off half-cocked spreading information you haven't confirmed or may not mean what you think" just because there's another lesson in there also.

This is the lie told by the failed managers of the community in which the chicken lived, hoping to shift the blame for their own poor attention to contingency planning onto a chicken.

If you have an early warning device with a high false positive rate, you don’t avoid catastrophe by ignoring the warning.

No, you don't ignore the warning to avoid a catastrophe, you ignore the warning to avoid alert fatigue, burnout and other bad effects.

If your only early warning device has a sufficiently high false positive rate, scrap it, or find another early warning device with a sufficiently different set of false positives and then require both of them to alert, before you pay attention.

In the Chicken Little story everybody except Chicken Little is eaten by the fox, do you mean the boy who cried wolf? Except oops, everybody dies in that one too.

Nobody listens to chicken little because he's overdramatic and hyperbolic, like most children who haven't had enough life experience to temper their reactions.

It's been a while since I saw the film, but that's what I remember. Regardless, even taking my comment less literally and more like "it feels like a children's show" would still be an accurate take.

> It's been awhile since I saw the film, but that's what I remember.

Slightly OT, but you might want to clarify that you are talking about a film rather than the classical story.

If you haven't had the pleasure of reading it, it might be worthwhile to check it out; the version I read as a child had a surprisingly morbid ending for a children's book.


You don't have to see the film, it was a text fable for a couple thousand years before that. Plus, I'm skeptical that they all die at the end of a Disney movie version of the story.

And as with the Pied Piper, it’s the fault of bad management.

Only an asshole blames the chicken. You had a high sensitivity early warning device, and muted it because you couldn’t handle the false positive rate? That is not the fault of the device.

None of that is the fault of the chicken. The sky would’ve fallen on the idiots in charge anyway. They’re just trying to shift the blame. This is the true moral of that particular fable.

Also, don’t go around tempering children; “seen but not heard” is dark ages, Victorian values nightmare fuel.

In both of those stories the reason that happens is because the eponymous character loses all credibility by telling many lies; when they finally tell the truth no one believes them.

No, in the Foxy Woxy version everybody believes CL and accompanies them to warn the king. The problem comes when they believe that Foxy Woxy knows a shortcut. Point being: Chicken Little is a crappy analogy to use against doomsayers.

BwCW is a little better in the abstract, but still inapt for this.

Feel free to create one :-)

> The thing is, only Emiratis have "hands on keyboard" while the US engineers sit beside them and guide them, which supposedly dodges any legal concerns.

I find it pretty hard to believe any judge would buy this.

Yet this would be very familiar to anyone with previous intelligence experience in the US. The person with hands on keyboard will change depending on if the mission is being conducted under Title 10 or Title 50 authority.

Does an instructor who trains someone who goes on to commit murder using the techniques they taught become legally culpable for the murder?

If your company offers some service - consulting to set up their infrastructure, or helping them navigate AWS - necessary to the running of the company, and that company goes on to commit a crime, are you at fault? They couldn't have done it without you, after all.

Legally, it depends. The term you're looking for is "criminal conspiracy". In US law this is, roughly, an agreement between two or more people to commit a crime, and at least one of the people commits an "overt act" in furtherance of the crime. In the case of these officers, and in your two hypotheticals, there is an overt act taking place. An overt act does not need to be illegal, it just has to be an action taken to assist in the planned crime. For instance, buying ski masks is perfectly legal, but if you bought ski masks in preparation for your bank robbery, that counts as an overt act. But is there an agreement to commit a crime? Generally speaking, in the company-offering-services example, if you did not know the other party was going to commit a crime, and a reasonable person in your position wouldn't think the other party was planning to commit a crime, you are not engaged in criminal conspiracy. There's tons of special cases and nuances here, but that's roughly what happens.

That's if they charge conspiracy in the first place.

The more general answer here is that the criminality of exploitation depends a lot on your state of mind (a property of law that something HN always has a hard time with). A professor teaching a class to an anonymous group of students is not at all the same thing, in criminal law, as that same professor standing behind foreign intelligence operatives coaching them on a targeted attack.

The confounder here is that there are statutes you can theoretically violate by providing some specific exploitation tools to foreign nationals.

The MIT professor, in an MIT classroom, is never going to be charged (same almost certainly goes for a consultant teaching an exploit class at Black Hat USA).

Let's say you are a gun instructor. You take your student out to the street, hand them a sniper rifle and point at their victim. You walk them through the process of pulling the trigger and how to make sure they get their target.

The judge isn't going to let that slide. In both cases, you are an accessory.

Technically I think both parties would be guilty of murder, but that's specific to murder charges. For instance, getaway drivers have been charged with murder because the robbers they transport shoot someone.

That is specifically "felony murder", which wouldn't apply here (though conspiracy might?). Felony murder is the idea that you are guilty of murder if someone dies as a result of you committing another felony (sometimes from a specific enumerated list).

If you are a direct participant in the murder you might just get charged with it (perhaps as a conspirator which I think often has roughly the same penalties).

How many School of the Americas instructors were prosecuted?

Strictly ethically speaking, yes they would be at fault


It's one thing to teach general skills and another to help do the actual hacking

If they are being guided through the actual hacking then that's saying that only the driver in pair programming is producing code

I don't think the UAE is concerned about this.

You're probably right, but I think it also depends...

Is a professor at MIT teaching cyber security exploit development guilty of the same crime?

What about a consultant teaching how to use a particular tool or how to look for a particular family of exploits? (Potentially legally dodgy, depending on the client, but probably ok in a lot of grey areas)

What about a consultant which performs a passive audit of a target for a 3rd party? (Starting to get pretty dodgy, but probably depends both on the 3rd party and the target and the nature of the audit)

It's... probably not so cut-and-dry. Though I agree that it doesn't sound like a get-out-of-jail-free card.

I'm sure the intent of the MIT professor/consultant passing their knowledge on to others is to get ahead of the actual attackers and help prevent further crime(s against humanity), not to actively participate...

You're just being argumentative. You know the answer.

Oh no, that wasn't my intent at all. I was just saying that things in court can get pretty messy when you try to define things precisely with laws that don't directly address edge cases. That's why you see headlines about rulings that seem so counterintuitive and ridiculous upon first glance.

That podcast is great. I just found it a couple weeks ago, and I've listened to a few already.

+1, and that podcast is incredible... jack's story telling skills are amazing....

my one gripe, if it can be called a gripe, is that the episodes are more often than not hard to follow due to the complex topic/length.

Looking thru the feed, 8/10 of the recent casts I've listened to are only about 1/4 the way thru before I had to go into work, answer a call, etc. Then it's too hard to get back into, and two more eps have been released by the time I get another itch for DD.

Of course, real life is complicated and isn't a movie with a plot, and DD's format rewards knowledge and listening. More of a "doing dishes" podcast. Highly recommend!

Short-form security podcasts are a dime a dozen though, and they usually fail to gain traction because Sec is a nuanced technical/social topic that doesn’t get covered in 20 mins. DD is very popular, IMO, because it handles this well by longer episodes.

I came here to say this. Best podcast ever btw.

Any other episode recommendations?

- The Stuxnet one is pretty good. Went straight out and bought the book.

- The one about Pirate Bay if you want to hear what a colossal, confused prick one of the guys behind it is

"Jeremy From Marketing" (Ep. 36) is another one about a pen tester, and it's really engrossing, like an action thriller in your ears.

Some of the best more recent episodes not mentioned yet:

99 - The Spy

95 - Jon and Brian's Big Adventure

90 - Jenny

Jack knows how to tell a good physical pentest story, and these are all awesome.

The LinkedIn ep + the next few follow the same story. very good!

Start from the beginning! Manfred Part 1 and Part 2 are great.

I loved the XBox Underground ones.


Snowden just denounced ExpressVPN because of their CIO's involvement in this

I’m a regular listener to darknet diaries. Geez that guy is awesome, listening to his podcast is like watching a movie. Love it

+1 for anyone who hasn’t listened to him. Defo worth your time

Darknet Diaries podcast host and Talk to me in Python Podcast host sound like the exact same person (they are not), it's wild

I just got the chance to listen to this podcast and I want to thank you a lot for mentioning it.


This has nothing to do with the post nor the comment you're replying to. There's no need to inject an unrelated political point into the top post's top comment; just make your own post about the subject so it can be discussed there.

I take your point but disagree that they are unrelated. They are different news items, so I’ll try and isolate my comments in that way. I just think that people working infosec should care a lot about the sanctity of law and the importance of judicial review. If we let the court of popular opinion reign supreme, hackers will always lose and the powers that be, the elite, will always maintain control. Just my opinion, which I will try and keep more narrowly focused in the future.

You're right. Nothing is anything.

And anything is everything. Then we can deduce that everything is nothing.

I think there should be a corollary to Godwin's law to call out any thread that is very much subtle in trying to showcase just how much Donald Trump has been wronged by 'the media'. Sadly there's a surprisingly high amount of these on hn.

More interesting to me is that one of the named persons, Daniel Gericke, is the CIO of ExpressVPN [1] which sold yesterday, the same day that the DoJ came to this prosecution agreement (!), for just under $1 billion. [2]

[1]: https://www.cnet.com/tech/services-and-software/expressvpn-c...

[2]: https://www.techradar.com/news/expressvpn-to-join-kape-in-la...

It's crazy to me how many unscrupulous actors there are in the VPN space where you really really need to trust your provider.

I don't trust my ISP much at all, but I still trust them more than almost any VPN provider.

I no more trust VPN providers than I do online pdf converters. I wonder how many people submit their sensitive documents to these online services to convert their documents to pdf.

If the only way they know how to make their document into a PDF is an online converter and they need the document as PDF then that's what they're going to do. It really doesn't help that exporting documents as a PDF was an arcane process for a long time.

press print document, select pdf, confirm - done! arcane?

For a lot of people? Yes, this is not intuitive. If a user wants to "save a file" then why do they have to press the "print" button and select a "printer" that's not actually a printer?

Saving/exporting as a PDF should be something you select in the same menu as saving a file normally. Or at least something very close and obvious.

Also, back when a lot of people first used computers the option to print as pdf might not have been available for them.

How quickly we forget the dark days before PDF print drivers.

I’m going to start an online Excel proofreader and logic checker. Should be interesting!


I'm in the same boat. Though I actually do trust my VPN provider Mullvad. Highly talked about, based in Switzerland, and Mozilla also uses them for their VPN service.

Edit: Sorry. Not Switzerland. Sweden. For some reason thought Switzerland.

Switzerland, home of the Crypto AG. Switzerland lost its reputation as a secure privacy haven.

The mail service that handed over data of a customer to a foreign government and changed the privacy statement on their site is based there too IIRC. The name eludes me now, surely several readers can provide it.

There are several issues with your statement.

> The mail service that handed over data of a customer to a foreign government

First, ProtonMail can only hand over meta-data, because data is encrypted.

Second, "ProtonMail does not give data to foreign governments; that’s illegal under Article 271 of the Swiss Criminal code. We only comply with legally binding orders from Swiss authorities."

> and changed the privacy statement on their site

The privacy policy was not misleading if you read it carefully. It was not "changed" as in removing a lie from the statement. At best, it was clarified to ensure *everyone* would correctly understand it in the future. It is accessible at https://protonmail.com/privacy-policy

What may have been misleading was the marketing message on the homepage. If you pondered each word of the one-sentence marketing message, you could have guessed that the expression "by default" was there for a purpose. Companies do not add useless words for marketing, they do it to avoid false advertisement. However, this is not the same thing as the privacy policy. And ProtonMail stated that they would fix that: "we will be making updates to our website to better clarify ProtonMail’s obligations in cases of criminal prosecution".

Quotes are taken from: https://protonmail.com/blog/climate-activist-arrest/

Thank you very much for those clarifications.

protonmail? Although I take it they are still to be trusted more than most.

Plus the recent Protonmail fiasco.

> Protonmail fiasco

Not a fiasco as they're required by law to keep IP logs. You can disable the logging of IP sessions in the PM dashboard, but you can't guarantee that PM will not keep logs, since their servers are all public Internet facing. The only way Protonmail is 100% zero knowledge is to be 100% a dark-net/Tor service, which immediately turns off 99% of their users.

If you misled your users into thinking that this isn't something you would do, then as soon as shit hits the fan and the PR makes it impossible to keep the ruse going, it's a total fiasco for that business' marketing department.

my understanding is they only logged the IP details after receiving the Swiss LI request and did so only for the user in question.

I'm sure that makes the one user feel all warm and fuzzy. Also, what about next. Or the time after, or after or...

Mullvad is great. They are from Sweden, not Switzerland. Not sure if anyone else does it but you can just mail them cash anonymously to get started.

People (mostly Americans) getting the two mixed up has been a meme in Sweden for many many years; it predates the Internet.

It is even worse in Portuguese; there is only a two letter difference: Suécia (Sweden) vs Suíça (Switzerland) — or three letters depending on your perspective, but in Portuguese the c with cedilla is not considered to be a different letter from a plain c, and in this case both forms are pronounced the same. Therefore some level of confusion is understandable, even expected.

In English they are similar as well but spelling and pronunciation are different enough that there should be less confusion, at least on paper. Not sure why there is such confusion in practice.

Austria - Australia is another common mistake.

Just yesterday or so I watched an "Alternative Countries"[1] video on YouTube where the most hilarious proposal -- took me a while to grok -- was Australia-Hungary.


[1]: Kind of a sub-genre of alternate history and/or history-simulation-game AI timelapse videos.

Always wondered why people don't just create their own using something like Outline on a DO droplet (bithost) ? How is Mullvad better?

I don't understand how we should trust a company we know nothing about other than the text they put on their website which basically means nothing.

Using a public VPN anonymizes your traffic if you assume many other people are using the same VPN server. A MITM can easily see you're using the VPN but not easily what websites you're accessing. If the VPN provider is truthful about not keeping logs, it's hard to prove that you visited a particular website and not someone else using the VPN. A DO droplet does not provide the same thing. You can visit a website, the website can store your IP for months or years, then LE can subpoena DO for the person with that IP at a given time. Plus setting up a DO droplet VPN sounds like a PITA.

As for why to trust Mullvad in particular, you can't trust them completely but they list all their employees and their ownership structure publicly, they have a good track record, they have documentation which seems like it's written by people who know about security and their customers' potential threat models, and they don't have a suspiciously large advertising budget.

However, I wouldn't trust any VPN if you have to withstand targeted scrutiny from governments.

> Using a public VPN anonymizes your traffic if you assume many other people are using the same VPN server


> Plus setting up a DO droplet VPN sounds like a PITA

It's actually very easy using https://getoutline.org/ - can highly recommend it if you need a fixed IP. And you can buy DO droplets with cryptocurrency through Bithost

If you torrent through a DO droplet they will send you a warning. So your traffic is monitored

Because the threat model is different than the one you have in mind. VPN providers for $5 a month will give you multiple proxies throughout the world. Spinning up 70 droplets in different regions is not a viable cost effective solution.

You can use Mullvad without supplying any personal information (not even an email address) and pay by literally sending them an envelope with cash in it. That's as good as it gets when it comes to preserving privacy.

They’re probably trying to separate their billing information from public IP address which is the benefit of using a service that is crypto friendly

The US has spent considerable time and money to add backdoors to any piece of software & hardware that exists out there. So, i'd imagine, VPNs to be high on the list because of their nature.

I would not trust VPNs for any kind of serious privacy, at least not the popular ones. Maybe some small niche VPNs can fly under the radar.

Anyone expecting real privacy would use a VPN paid with SnailOnionCoin over a double-TOR homomorphic tunnel on tails.

If VPNs really protected from anything they would be illegal. At best you can slightly avoid being targeted by advertisers. I assume any system I use is compromised already.

Why would you want to trust your VPN provider?

That's like saying: "you really really need to trust a Bitcoin miner"

I'd hope the VPN service is built and operated in a way that doesn't require trust, but provides the same level of security.

edit: Since there is confusion in the responses. I'd prefer to trust no-one.

There's always trust involved. You have to trust the DNS infrastructure, you have to trust your ISP, you have to trust the VPN provider. You don't have to trust them completely, but you have to trust them at least somewhat.

We take steps to reduce the amount of trust required, such as splitting that trust across many parties, so any one party hopefully can't betray us enough that it matters or that we don't notice, but there's still a lot of trust. For example, we use SSL certificates and certificate authorities that are known ahead of time to protect from problems on the network, but that requires you trust your OS and/or your browser, which is generally how you receive those certificate authorities. If I'm able to get my own CA on your system and trusted, and I can see your traffic, it doesn't matter whether you're using HTTPS connections.

A VPN provider might say they're not keeping logs, or that their servers are not beholden to a third party and traffic is not being analyzed, but ultimately all you have is their word on that. Ultimately, the only thing different between you connecting to the NSA and routing all your traffic (even if your traffic is mostly encrypted) through them so they can look at it and a VPN provider is that you trust the VPN provider when they say they aren't the NSA and they aren't looking at your traffic.
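As an added illustration of the "get my own CA on your system" point above (example code added here, not from the commenter or anyone in the thread): a small Python check that compares a host's trusted root bundle against a pinned baseline by SHA-256 fingerprint and reports any root that is not supposed to be there. The two PEM bundles below are constructed placeholders (base64 of arbitrary bytes, not real certificates); the parsing and fingerprint comparison are the same for a real bundle such as /etc/ssl/certs/ca-certificates.crt diffed against a copy you pinned earlier.

```python
"""Diff a host's trusted root bundle against a pinned baseline.

Added example: any certificate present in the host bundle whose SHA-256
fingerprint is absent from the baseline is reported. An injected interception
CA shows up here even though every HTTPS connection it signs for looks "valid"
to the browser.
"""
import base64
import hashlib
import re

# One PEM block per certificate; DOTALL so the base64 body may span lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def parse_pem_bundle(pem_text: str) -> list[bytes]:
    """Return the DER bytes of every certificate in a PEM bundle."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, the fingerprint browsers and CA lists display."""
    return hashlib.sha256(der).hexdigest()


def unexpected_roots(host_bundle: str, baseline_bundle: str) -> set[str]:
    """Fingerprints trusted by the host that are not in the pinned baseline."""
    baseline = {fingerprint(d) for d in parse_pem_bundle(baseline_bundle)}
    present = {fingerprint(d) for d in parse_pem_bundle(host_bundle)}
    return present - baseline


def _pem(der: bytes) -> str:
    """Wrap bytes in PEM framing (used only to build the constructed samples)."""
    b64 = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"


# Constructed sample data: placeholder "certificates", not real X.509 DER.
BASELINE_BUNDLE = _pem(b"constructed root A") + _pem(b"constructed root B")
HOST_BUNDLE = BASELINE_BUNDLE + _pem(b"constructed injected corporate proxy CA")


if __name__ == "__main__":
    for fp in sorted(unexpected_roots(HOST_BUNDLE, BASELINE_BUNDLE)):
        print(f"untrusted-by-baseline root: sha256={fp}")
```

To use it on a real machine, read the system bundle into host_bundle and a copy of the bundle you pinned (or a vendor bundle you trust) into baseline_bundle; anything reported is a root somebody added after you pinned, which is exactly the position from which HTTPS stops protecting you.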

It’s worth mentioning that, if you listen to the podcast mentioned in this thread, DarkMatter, the hacking company, at some point ran a certificate authority that was recognized by browsers including Chrome and Firefox, until the news about them came out.

I wouldn’t blindly trust CAs either.

Oh, I don't, it's just also really hard to vet that stuff adequately as a single person, and also why HTTPS isn't always adequate.

There's DNS and root servers to consider as well (but that might be harder to hide with all the caching going on).

I almost edited my above comment a few minutes afterwards to append something like "and honestly, it would be pretty hard to convince me the NSA or some other group hasn't run one or more VPN providers in the past. The only question in my eye is whether it was a popular one or not."

But then you have to trust that the VPN service is built and operated the way they say it is.

Or have we already forgotten about Zoom's "end-to-end encryption?"

> I'd hope the VPN service is built and operated in a way that doesn't require trust

Unless you're continuously verifying, this requires trust that it is built that way and/or won't be changed in the future.

I don't think VPNs go that far. Wouldn't that be more like Tor type of security?

How would you verify there are no logs kept?

Inverse is true as well. How do you prove it?

You can't prove it, which is why you want to find a VPN provider you can trust

Someone can steal their logs

I don't trust any security-oriented software of any kind.

And likewise, although I don’t trust Cloud service providers all that much… I’d sooner spin up my own VM and run strongSwan or WireGuard than use a VPN provider.

Wouldn't it just be a different type of vector in terms of being able to nail you though?

Since the VM company (unlike a VPN such as mullvad) makes zero promises with respect to keeping logs, if you visited badsite.com, then later the FBI raids badsite.com, sees a VM company IP address, subpoenas your VM company who says that your particular VM was leasing that specific IP at time XX:XX:XX, then you're done.

Further, mullvad gives you several relatively anonymous means of purchasing a VPN, whereas the vast majority of VM companies (digital ocean, linode) will require and store all manner of personally identifiable information about you.

> Wouldn't it just be a different type of vector in terms of being able to nail you though?

Quite. Depends on your threat model and what you’re using the VPN for in the first place.

Now you have to trust your VM provider, mostly US providers, that actually mention they collect some data and traffic to improve their services and comply with law.

This is true. But you can’t have an internet connection without trusting at least somebody?

ISPs send emails immediately if someone uses your IP address to download a BBC episode.

"ExpressVPN Knew 'Key Facts' of Executive Who Worked for UAE Spy Unit" - https://www.vice.com/en/article/3aq9p5/expressvpn-uae-hackin...

"former citizen Daniel Gericke". Which country does he pledge his allegiance to now?

https://www.softether.org/ it's not that hard to set up your own VPN.

Hah. Anticipated bail money, perhaps :)

Double hah, original headline: "Three Former U.S. Intelligence Community and Military Personnel Agree to Pay More Than $1.68 Million to Resolve Criminal Charges"

- That billion more than covers. Given the circumstances, the settlement is a bit paltry.

I'm confused. Isn't this considered treason??

They get no jail time? They get to buy their way out?!

> “Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct.”

I know they lose their clearances and pay a bunch of money, but this seems like it merits a lot more punishment than that.

Well first, treason specifically is very narrowly defined in the US.

>Treason against the United States, shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort.

They didn't levy war against the US, or adhere to an enemy (because the UAE isn't one).

But in general, it's not illegal for US citizens to join foreign armies (if they aren't enemies). Lots of Jewish citizens, for example, serve in the IDF.

"According to the U.S. code, any citizen who "enlists or enters himself, or hires or retains another to enlist or enter himself, or to go beyond the jurisdiction of the United States with intent to be enlisted or entered in the service of any foreign prince, state, colony, district, or people as a soldier or as a marine or seaman … shall be fined under this title or imprisoned not more than three years, or both." But a court ruling from 1896 involving U.S. citizens who fought with Cuban revolutionaries against Spanish colonial rule interpreted this to mean that it was only illegal for citizens to be recruited for a foreign army in the United States, not to simply fight in one."

> Lots of Jewish citizens, for example, serve in the IDF.

How many is "Lots"?

Apparently the US doesn't keep records of this phenomenon that are easily accessible.

This article^ from 2017 says 1,000 Jewish Americans serve in the IDF.

Of the ~7,000,000 Jewish Americans, that's ~0.0143% of Jewish Americans serving in the IDF.

If 1,000 joined and served each year, and live to an average age of 70, doesn't that mean ~50,000 people? That would mean ~0.714% of Jewish Americans having served in the IDF.

^ https://www.thedailybeast.com/1000-americans-are-serving-in-...

approximate number. 7.153-7.5 million are good estimates.

In context, I think "lots" meant "more than I would want to list here", or "enough that we can say it's not just one fluke case".

There were also the Flying Tigers, in 1941. I think they may have been enlisted soldiers, though, as opposed to private citizens.

People like to use the term treason a lot, but as it is defined under Article III, Section 3 of the US Constitution, their actions are not treasonous. If you can prove otherwise, I am all for it though!

Specifically, they were charged with:

Violations of U.S. export control, computer fraud and access device fraud laws. The Department filed the DPA today, along with a criminal information alleging that the defendants conspired to violate such laws.

I think they are losers, scumbags and unethical and I hope that no one who reads HN ever hires them and that they never work in any capacity that comes into contact with IT, Infosec or any other hi-tech industry.

How is going to work for more money a loserish activity? My understanding is that the US contractors underpay so being patriotic Americans they went to work for a better company.

Having a desire to increase your income is fine. For some, it is their primary motivation, for others it is a result of being recognized for producing valuable results. Each person has their own moral code; for some, even working for Google or Facebook falls outside of that code.

I have worked with various companies that have contracts with the US military and other agencies. I wouldn't say they underpay. I would actually say they pay pretty well, but once again, this has to align with whatever your personal values are. Some people are quite happy to work for a three letter acronym agency and couldn't ever conceive of working for a FAANG or a foreign entity.

I am sorry that a general perception of Americans might be that we are mercenary and will run after the highest paying opportunity. There are 300 million of us, and I would say that a majority of Americans are driven by values that don't include the theft of national intelligence assets or chasing after money no matter the consequence.

Why apologize for greatness? The entire ethos of America is that it's the best place for the individual. That other countries choose to impoverish and restrict rights is nothing that requires apology.

"Few men have virtue to withstand the highest bidder." -founding father and first president of the United States of America

Likely why he offered the Hessians 30 acres in addition to citizenship to defect.

Is income really the only signifier of what makes an activity loserish to you? Not who they work for, the work they're doing, who it may target, the rules they may actively be choosing to break in the process, etc.?

Looking at the document it appears that they are working for the same nation state, they just cut out the red tape and a few layers of middlemen.

Most people in the software field feel the ITAR regulations as applied to code are ridiculous, including but not limited to the EFF. Most consider it to be an abridgment of their 1st amendment rights.

UAE is a US ally and so they likely do not want to put a chill on their relations. "The United Arab Emirates has been described as the United States' best counter-terrorism ally in the Gulf by Richard A. Clarke, the U.S. national security advisor and counter-terrorism expert."

Isn’t that just because they hate everyone around?

That seems like a simplistic, even childish perspective.

Treason has a pretty narrow definition, if you aren’t directly conspiring with a foreign power (and at that probably an enemy) against the US, it probably isn’t treason. People like to jump to that judgement, but it almost never happens.

It's not probably, title 18[0] is pretty clear that it's an enemy that matters. However, since the United States is at war with a noun, then that makes the definition of enemy very flexible.

0: https://www.law.cornell.edu/uscode/text/18/2381

Yes that flexibility of what counts as an enemy is why the word “probably” was used.

It's really, historically no different than any soldier that chooses to fight in another country's war, and that is pretty common along history. Usually, they were only punished if the geopolitical scenery called for it.

Famously https://en.wikipedia.org/wiki/Karl_Llewellyn was in Paris when WWI broke out, but managed to reach Germany, and briefly fought alongside (without joining) the German Army.

This is exactly what NSO does and they don’t get charged with anything.

Mudge sells Cobalt Strike out in the open.

The only difference is these guys didn’t set up a company first.

NSO is an Israeli company, which means they need to follow Israeli export laws when it comes to weapons. All of NSO's contracts will first go through the Israel Defense Ministry.

The US has a similar process, where companies that sell weapons to foreign governments need to get permission from the US DOD. In this case Marc, Ryan and Daniel did not go through the DOD and that is why they are being charged.

NSO employees aren't US citizens.

I wonder if Mudge has a license.

Maybe not treason, but surely espionage?

I assume because the country is an ally they don't get in as much trouble.

Jonathan Pollard, though? It definitely varies.

I don't think calling China as a US general is in the same bucket as hacking for hire.

Informing the Chinese of an insurrection in the US chain of command that the general himself is leading is far worse.

Pelosi said Trump will be 'fumigated out' if he refuses to leave the White House. How was that supposed to happen, if not for the military? Communication between Pelosi and military leaders was ongoing.

"House Speaker Nancy Pelosi said she spoke to Joint Chiefs of Staff Gen. Mark Milley about precautions that could block President Trump from “ordering a nuclear strike” or accessing launch codes and starting military hostilities"

Source: https://www.cnbc.com/2021/01/08/pelosi-prevent-trump-from-la...

Did he refuse to leave?

He refused to concede the election like he was supposed to, and continued to question the validity of mail-in ballots and challenge the election results. Probably not after he found out the military was going to fumigate him out.

I'll take that as a no, he left when and as required by law.

Treason is only for poor and unconnected people. The rule makers are very careful to never make white collar crime super punishable.

This is an increasing problem in Israel as well.

Soldiers who spent years in the exploit-finding units of 8200 (Israeli NSA) can work for NSO and stay in Israel. But they can also leave the country and work for foreign entities, sometimes without even knowing who their employer is.

One famous case was "Dark Matter", a UAE company which set up offices in Cyprus and offered 8200 soldiers seven-figure (USD) yearly salaries to relocate and work for them, outside of the Israeli government oversight which NSO needs to adhere to.

I'd love to read more about this if you have a source.

In addition to Darknet Diaries, there is a lot of interesting info in Nicole Perlroth's new book titled "This Is How They Tell Me the World Ends"

Seconding this recommendation. It's a great history of how the exploit market came to be in general.

Darknet Diaries [0] does an episode that involves DarkMatter

[0] https://darknetdiaries.com/episode/47/

You'd have to depend on Google Translate quality but this is a good article https://www.themarker.com/technation/.premium-1.7972249

Funny quote from Lori Stroud:

> The bureau’s dedication to justice is commendable... the most significant catalyst to bringing this issue to light was investigative journalism - the timely, technical information reported created the awareness and momentum to ensure justice

A lot of moral superiority there when based on how Stroud has talked about her own work with Project Raven [1], she was perfectly happy to help the UAE kidnap, torture, and disappear dissidents (including children), human rights activists, and journalists.

[1] https://www.reuters.com/investigates/special-report/usa-spyi...

Yeah I don’t understand how what they did isn’t an ITAR violation. The contractor Cyberpoint is still active on IC contracts (https://www.cyberpointllc.com/joinus/#/jobs)

If you actually read OP's link, the charges seem to have nothing to do with the fact that these individuals once worked for the US gov. Instead, the US federal government seems to be asserting that knowledge of offensive security tools and practices in Cybersecurity consultancy is somehow ITAR restricted in the same way that a weapon blueprint would be. That strikes me as absolutely preposterous and I'm disappointed the defendants settled rather than pushed back on obvious federal overreach into the lives and careers of private persons.

There's a lot of stuff that's ITAR restricted. You can't be privy to classified information such as submarine prop design, or turbine blade design, and then branch off your own for other clients using said information.

Under ITAR you can't even sell your own submarine props to foreign countries, even if you were never exposed to classified designs, right? That's why ITAR originally applied to PGP.

Yes, and I thought DJB settled once and for all that computer code doesn’t fall under ITAR.

"Prior to their departure, U.S. Company One repeatedly informed its employees, including the defendants, that the services they were providing constituted “defense services” under the ITAR, and that U.S. persons could not lawfully provide such services to U.A.E."

If the above was documented, I don't think "I didn't know" would have worked in court. Also even if they fought the ITAR charges, they were accused of CFAA charges

ITAR is extremely restrictive.

I used to build sensing systems, where I'd include an off-the-shelf infra-red camera.

Couldn't sell the combined system abroad because the IR was ITAR restricted.

Doesn't it say one of the individuals is an ex-US citizen? I'm curious around that mention. How is he being charged in that case?

Settle now OR spend 20 years and millions of dollars fighting it and relying on judges who've never used a computer to understand complicated technical matters...

I think the number of judges who have never used a computer is going to be vanishingly small by now.

As a non-US person, could someone explain a legal construct of "paying $XXX to resolve criminal charges"? Doesn't "criminal" mean there must be some real punishment?

Eric Holder, the former attorney general, wrote a memo outlining the concepts around the time of the 2008 financial crisis iirc. The idea behind a deferred prosecution agreement is that extracting money and good behavior out of powerful/wealthy defendants is the best possible option when compared to the "collateral consequences" of fully prosecuting them.

A great example of class-justice by design.

Right. Let’s see how bad the “collateral consequences” actually are. Though, the result of inept or malfeasant prosecution could be the equivalent of formal immunity thereafter. I’d still like to take my chances.

Is this what GP is talking about? It's about charging corporations.

Unfortunately it is - the collateral consequences discussed are oriented towards companies labeled too big to fail, but it is used to make it easier on prosecutors to attain a form of conviction on less economically impactful prosecutions as well.

The German legal system knows a similar concept in § 153a StPO. Basically, if a crime isn't considered particularly severe, and the prosecutor, the accused, and in some cases the judge all agree, the criminal charges are dropped in exchange for "stipulations" (typically restitution, paying a certain amount of money to the state or a nonprofit, working community service, anger management courses, ...) - which means you're never found guilty, making it a great deal in most cases.

The idea is that less severe crimes can be handled without the full overhead and without excessive punishment. In practice, this can be 'a bit' controversial, e.g. when Bernie Ecclestone resolved his corruption charges this way by paying 100 million EUR. https://en.wikipedia.org/wiki/Bernie_Ecclestone#Bribery_accu...

Criminal charges can end in fines and no jail time. Prosecutors can negotiate plea deals (including fines) to avoid going to court.

I don't know enough to comment on if this is something that happens often (it certainly doesn't feel appropriate) in cases like this.

Paying a fine isn't a real punishment?

It's not a fine. That's the problem.

Sure, it's a "financial penalty", technically. Plea deals are common in many jurisdictions, and the settlement imposes additional penalties. They're being punished.

You are right that a fine is a real penalty but that’s not the real problem. The problem is that someone who committed the same crime but has less money wouldn’t qualify for this option.

Is that true? I'm not a lawyer, but I know that in certain criminal plea agreements, such as in antitrust cases, the financial penalty can be paid over installments, the size of which is tied to the company's financial performance. See e.g.

> If the parties agree that the recommended fine needs to be paid in installments because of the defendant's inability to pay the entire amount immediately, the plea agreement will include the installment schedule and any interest terms.(58) The payment of a special assessment(59) and any recommendation on a term of probation(60) or expedited sentencing(61) for corporations, or requests by individual defendants to be placed in a specific correctional facility,(62) will also be addressed in the plea agreement.

And to get back to the original comment I replied to, this critique seems like it would apply to any financial punishment, not something that came down to a technical distinction between "fine" and "financial penalty".

Someone with no/low income will take eons to repay $1,685,000, even if made in installments. I doubt it would even be a serious option unless you were wealthy.

Increasingly it seems like our elites look at The US as a resource to be mined, not a home, not a collaborative project.

I think there have always been powerful people that feel this way, in all countries. The problem is thinking it's something new or unique to here, which leads one to think it can be solved if we just look for what changed to make them that way.

No. They've always been there, they've always acted this way. It's not a problem because of an increasing lack of patriotism, or a divided populace, it's just power and greed and people that see themselves as not beholden to any one state. Thinking it's something it's not will just lead to proposed solutions that don't actually do much to affect the problem. Any solution needs to be internalized and divorced from the idea that this is a recent problem that we can stop caring about once we "solve" it.

Parasites took over at least since the 70s and are still in power today, extracting everything they can. I think it's reaching a breaking point now.

The more interesting story with that site is how many of those charts indicate whatever is going on with the data it's showing happened a decade after or a decade before the date in question, and people just blindly take it as evidence of something happening in 1971.

The historical reference:

> The Nixon shock was a series of economic measures undertaken by United States President Richard Nixon in 1971, in response to increasing inflation, the most significant of which were wage and price freezes, surcharges on imports, and the unilateral cancellation of the direct international convertibility of the United States dollar to gold.

Nixon shock - https://en.wikipedia.org/wiki/Nixon_shock

Nixon and the End of the Bretton Woods System, 1971–1973 - https://history.state.gov/milestones/1969-1976/nixon-shock

Back in my school days, we used to have lots of poems which would often go on to say that money is the biggest trouble of life, or that money is the biggest corrupter of people's minds, or that money is the root cause of all evil. Most of these poems were written before the 20th century. I would often disagree with these poems, naively thinking that one just had to have some sort of self-control when it comes to money. Now I know I was terribly wrong.

It's really saddening to see that the main objective of people is to own a Lamborghini, a mansion and live with some hoes, just like that "YouTuber guy".

According to the website the solution is....bitcoin?

I don't agree with the website, but I think I know where they are coming from.

The year 1971 was when the US dollar was made to float, instead of being backed by gold. [1]

I think that the website wants to have our monetary system change back to being backed by something that is a limited resource, and I bet Bitcoin fits the bill in their mind.

[1]: https://en.wikipedia.org/wiki/Gold_standard#In_the_United_St...

Edit: punctuation.

Are you saying this because of the quote at the end of the page?

Sugar hasn't gone up much. Harvard is so much more expensive.

Glad they included 3000bc short term interest rates in the graph.

The definition of "elites" at this point just seems to mean any government employee or even anyone educated to the point of a bachelor's degree.

For better or worse I've started to think of 'elites' more as people that have differential outcomes in regards to the law. So in this case these people are 'elites' because they managed to stay out of prison for hacking US citizens and doing corporate espionage. A non-elite would be in prison for these actions, and there are lots of people who are in prison for hacking others.

Isn't your definition an example of a No True Scotsman fallacy?

Aren't you liable to wind up in situations where you find yourself saying "Ah-hah, now that person I thought was not one of the elite is now one of the elite because they didn't go to prison. Ah-hah, now that person I thought was one of the elite is not one of the elite, because they are going to prison."?

From my original comment.

"For better or worse I've started to think of 'elites' more as people that have differential outcomes in regards to the law"

So it's not that elites don't go to prison, in this case they didn't, it's that they get extremely favorable outcomes as compared to the average population. Epstein is a good example of this. The first time he was convicted he spent a meager 1 year in prison in conditions that would never be afforded to the general public.

These hackers are another good example of this, they got a large fine but they're not spending any time in prison, and yet lots of people have gotten prison time for hacking.

Being elite is a lot different from being Scottish, in that there are only vague signals for being elite, and none of them are so easy to measure as being Scottish. I think it's safe to say that the vast majority of elites are wealthy, but I don't believe that all wealthy people are elites. There are people with a lot of localized power like mayors or state senators, but those people certainly aren't nationally elite. To my mind the clearest signal is when the system interacts with a person, how does the system behave, versus when it interacts with an average person. Now this is by no means a definition, just how I've started thinking about the question of who is elite.

I was being too indirect. Your framework doesn't have predictive value. 'This person had an extremely favorable outcome, therefore they are elite' is a retrospective judgment, it can't be used to form a hypothesis. It is unfalsifiable.

Whether someone is Scottish, or any "easy to measure" fact, has nothing to do with the No True Scotsman fallacy.

https://en.wikipedia.org/wiki/Falsifiability https://en.wikipedia.org/wiki/No_true_Scotsman

Elites across history have seen their countries as a resource to be mined long before the invention of the concept of a nation-state. This concept significantly predates nationalism.

What's unusual is that in the past few centuries, the rest of us have been explicitly conditioned to act in national interests.

That's all it's ever been. The Homestead Act made this explicit in law.

The punishment seems pretty insignificant here. I am surprised the DoJ isn't pursuing prison time.

There is a lot of CFAA[0] trial evasion going on perhaps?

[0] https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

It sounds like the three defendants are also cooperating with ongoing investigations; that would certainly play a role in the terms of the deal, if so.

Just so I'm clear: are you saying the DOJ is on whole more or less corrupted than the orgs "below" it?

I'm not making any assertion about DOJ corruption. I just thought they took this sort of behavior very seriously. (violating export controls, computer fraud and access device fraud)

I was discussing this case with a former DOJ attorney and he was saying that it's hard to know what exactly went into the calculation for penalties. Apparently cooperation with DOJ on future investigations can play a big role so idk what to think.

Does anyone know whether the spyware mentioned is in any way related to Project Pegasus [1]? It's also really interesting that Apple patched security issues in iOS that were targeted by NSO Group, which makes me wonder if those might be the same vulnerabilities exploited by the UAE hacker-for-hire company [2].

[1] https://cybernews.com/news/expressvpn-cio-daniel-gericke-fin...

[2] https://www.npr.org/2021/09/14/1036869715/apple-issues-criti...

UAE, NSO and minimal punishment or reaction from the US. Story of the last few decades

I really don't think deferred prosecution is warranted here, this should have been a plea deal. I'm ambiguous on whether or not these guys should serve jail time, but they deserve a criminal conviction and a criminal record.

One of these officers is CIO of ExpressVPN. Can you really trust a service with these ties, which also just sold to an ad agency? I personally would not.

A reminder that former members of military special operations units admitted assassinating political opponents for UAE. No one was prosecuted.


While being federal agents they try to spread democracy with bombs. Once they leave, the pretence is dropped and they squash any organic calls for democracy and dissent with hacking.

Outraged when these countries are hacking individuals? Then also be outraged when you sell them F35s

No jail time? I guess when you're a member of IC, regular laws don't apply to you.

> to obtain remote, unauthorized access to any of the tens of millions of smartphones and mobile devices utilizing a U.S. Company Two-provided operating system

U.S. Company Two provides a mobile operating system. Hmmm, now who could that be?

My first thought was that it must be Apple.

But the article says,

> In August 2017, U.S. Company Two updated the operating system for its smartphones and other mobile devices, limiting KARMA 2’s functionality.

I didn't find any meaningful security updates by Apple in August 2017: https://support.apple.com/en-us/HT201222 The only one listed on that page was about using HTTP to send analytics data, which I don't think is the one that disabled KARMA 2.

Then I looked at Google. There are multiple RCE vulns with severity Critical during these two months: https://source.android.com/security/bulletin/2016-09-01 and https://source.android.com/security/bulletin/2017-08-01

It's Apple, see the Reuters report from 2019: https://www.reuters.com/investigates/special-report/usa-spyi...

Here's KARMA: https://citizenlab.ca/2016/08/million-dollar-dissident-iphon...

Looking at CVEs, my guess for KARMA 2 is CVE-2017-8248, patched in 10.3.3. Bit of a stretch, though. Looks like whatever was patched was never really publicized.

There's really no reason why they should be able to buy their way out of prison time. It's kind of a shame. Justice is supposed to be blind, including to financial assets of the perps.

I wish my friends could buy their way out of hacking charges from the DOJ instead of having to get tortured for months and months in US prisons.

How does the security of a Google Pixel phone with Android or GrapheneOS compare with iPhone’s security?

The iOS exploits sound scary. Some of them are even zero click.

What makes you think GrapheneOS is any better? Yeah, it's open source, but it must be looked at a lot less than any iPhone. Is security by 'open but not as well examined' actually more secure?

This specific example is kind of a bad place to prove that generally correct mindset.

I seriously doubt the developers of GrapheneOS have really done as much due diligence on their custom ROM as Apple has done on iOS. For one, Apple controls the whole stack down to the CPU. GrapheneOS is forced to rely on many external parties to not be hostile from Google with their Android stack to the Linux base to whatever the SOC maker has put into their silicon.

Based on the timeline, is U.S. Company Two Google or Apple?

Who had security patches released in September 2016 and August 2017?

Won't be the first time this happens...
