Synopsis is that the UAE hires ex-NSA employees as "penetration testers" and when they enter the country for cybersecurity work, some are pulled aside to be briefed on an opportunity called "Project Raven" to assist Emirati intelligence with targeting, allegedly in the interest of counter-terrorism. The thing is, only Emiratis have "hands on keyboard" while the US engineers sit beside them and guide them, which supposedly dodges any legal concerns. Those whom Jack interviewed decided to leave Project Raven when it became clear they were targeting dissidents, human rights activists, and later, Americans. As you might imagine, ex-NSA employees who target US citizens for a foreign government are breaking the law. I do wonder if it's these ex-Project Raven engineers that have led prosecutors down the road to where we are now.
You’re Wrong About is an incredible podcast. Spot on about information density and humor. I love it
From a purely pragmatic perspective of a UAE royal family member worried about domestic dissent I can see why they would do that, not that I agree with it in the slightest.
Why not both?
so yeah, you want your agents to have a principal stake, so having an NSA agent direct your staff brings more surety than some random third party like NSO doing your dirty work, even if it's just handing over software. we all know it matters what route your hardware and software come by if you are involved in national security.
No security apparatus in the world has the capability to build and execute everything they want to on their own. Hardware and software are always procured from multiple sources.
Money is probably not the only factor.
perfect principal-agent problem
Running an intelligence service is a lot more than hacking a random phone once in a while. They buy lots of products from lots of vendors, develop some things in house, and hire a lot of talent from overseas.
Initially the work sounded interesting and good: find and observe terrorists.
And Jack's sophomoric exaggeration of the otherwise banal often echoes of chicken little.
If anything it highlights a need for better podcasts in this domain.
People telling it to children are trying to silence their kids. They’re not focused on improving transparency, or on systemic outcomes, they just want to regulate individuals. So they are in fact the selfsame bad authorities.
The target of blame in the story is not the chicken.
If you have an early warning device with a high false positive rate, you don’t avoid catastrophe by ignoring the warning.
If your only early warning device has a sufficiently high false positive rate, scrap it, or find another early warning device with a sufficiently different set of false positives and then require both of them to alert, before you pay attention.
It's been awhile since I saw the film, but that's what I remember. Regardless, even taking my comment less literally and more like "it feels like a children's show" would still be an accurate take.
Slightly OT, but you might want to clarify that you are talking about a film rather than the classical story.
If you haven't had the pleasure of reading it, it might be worthwhile to check it out; the version I read as a child had a surprisingly morbid ending for a children's book.
Only an asshole blames the chicken. You had a high sensitivity early warning device, and muted it because you couldn’t handle the false positive rate? That is not the fault of the device.
Also, don’t go around tempering children; “seen but not heard” is dark ages, Victorian values nightmare fuel.
BwCW is a little better in the abstract, but still inapt for this.
I find it pretty hard to believe any judge would buy this.
If your company offers some service - consulting to set up their infrastructure, or helping them navigate AWS - necessary to the running of the company, and that company goes on to commit a crime, are you at fault? They couldn't have done it without you, after all.
The more general answer here is that the criminality of exploitation depends a lot on your state of mind (a property of law that something HN always has a hard time with). A professor teaching a class to an anonymous group of students is not at all the same thing, in criminal law, as that same professor standing behind foreign intelligence operatives coaching them on a targeted attack.
The confounder here is that there are statutes you can theoretically violate by providing some specific exploitation tools to foreign nationals.
The MIT professor, in an MIT classroom, is never going to be charged (same almost certainly goes for a consultant teaching an exploit class at Black Hat USA).
The judge isn't going to let that slide. In both cases, you are an accessory.
If you are a direct participant in the murder you might just get charged with it (perhaps as a conspirator which I think often has roughly the same penalties).
It's one thing to teach general skills and another to help do the actual hacking
If they are being guided through the actual hacking then that's saying that only the driver in pair programming is producing code
Is a professor at MIT teaching cyber security exploit development guilty of the same crime?
What about a consultant teaching how to use a particular tool or how to look for a particular family of exploits? (Potentially legally dodgy, depending on the client, but probably ok in a lot of grey areas)
What about a consultant which performs a passive audit of a target for a 3rd party? (Starting to get pretty dodgy, but probably depends both on the 3rd party and the target and the nature of the audit)
It's... probably not so cut-and-dry. Though I agree that it doesn't sound like a get-out-of-jail-free card.
Looking thru the feed, 8/10 of the recent casts I've listened to are only about 1/4 the way thru before I had to go into work, answer a call, etc. Then it's too hard to get back into, and two more eps have been released by the time I get another itch for DD.
Of course, real life is complicated and isn't a movie with a plot, and DD's format rewards knowledge and listening. More of a "doing dishes" podcast. Highly recommend!
- The one about Pirate Bay if you want to hear what a colossal, confused prick one of the guys behind it is
99 - The Spy
95 - Jon and Brian's Big Adventure
90 - Jenny
Jack knows how to tell a good physical pentest story, and these are all awesome.
Snowden just denounced ExpressVPN because of their CIO involvement in this
+1 for anyone who hasn’t listened to him. Defo worth your time
I don't trust my ISP much at all, but I still trust them more than almost any VPN provider.
Saving/exporting as a PDF should be something you select in the same menu as saving a file normally. Or at least something very close and obvious.
Also, back when a lot of people first used computers the option to print as pdf might not have been available for them.
Edit: Sorry. Not Switzerland. Sweden. For some reason thought Switzerland.
> The mail service that handed over data of a customer to a foreign government
First, ProtonMail can only hand over meta-data, because data is encrypted.
Second, "ProtonMail does not give data to foreign governments; that’s illegal under Article 271 of the Swiss Criminal code. We only comply with legally binding orders from Swiss authorities."
> and changed the privacy statement on their site
Quotes are taken from:
Not a fiasco as they're required by law to keep IP logs. You can disable the logging of IP sessions in the PM dashboard, but you can't guarantee that PM will not keep logs, since their servers are all Public Internet Facing. The only way Protonmail is 100% zero knowledge is to be a 100% a dark-net/Tor service, which immediately turns off 99% of their users.
In English they are similar as well but spelling and pronunciation are different enough that there should be less confusion, at least on paper. Not sure why there is such confusion in practice.
Kind of a sub-genre of alternate history and/or history-simulation-game AI timelapse videos.
I don't understand how we should trust a company we know nothing about other than the text they put on their website which basically means nothing.
As for why to trust Mullvad in particular, you can't trust them completely but they list all their employees and their ownership structure publicly, they have a good track record, they have documentation which seems like it's written by people who know about security and their customers' potential threat models, and they don't have a suspiciously large advertising budget.
However, I wouldn't trust any VPN if you have to withstand targeted scrutiny from governments.
> Plus setting up a DO droplet VPN sounds like a PITA
It's actually very easy using https://getoutline.org/ - can highly recommend it if you need a fixed IP. And you can buy DO droplets with cryptocurrency through Bithost
I would not trust VPNs for any kind of serious privacy, at least not the popular ones. Maybe some small niche VPNs can fly under the radar.
That's like saying: "you really really need to trust a Bitcoin miner"
I'd hope the VPN service is built and operated in a way that doesn't require trust, but provides the same level of security.
edit: Since there is confusion in the responses. I'd prefer to trust no-one.
We take steps to reduce the amount of trust required, such as splitting that trust across many parties, so any one party hopefully can't betray us enough that it matters or that we don't notice, but there's still a lot of trust. For example, we use SSL certificates and certificate authorities that are known ahead of time to protect from problems on the network, but that requires you trust your OS and/or your browser, which is generally how you receive those certificate authorities. If I'm able to get my own CA on your system and trusted, and I can see your traffic, it doesn't matter whether you're using HTTPS connections.
A VPN provider might say they're not keeping logs, or that their servers are not beholden to a third party and traffic is not being analyzed, but ultimately all you have is their word on that. Ultimately, the only thing different between you connecting to the NSA and routing all your traffic (even if your traffic is mostly encrypted) through them so they can look at it and a VPN provider is that you trust the VPN provider when they say they aren't the NSA and they aren't looking at your traffic.
I wouldn’t blindly trust CAs either.
There's DNS and root servers to consider as well (but that might be harder to hide with all the caching going on).
I almost edited my above comment a few minutes afterwards to append something like "and honestly, it would be pretty hard to convince me the NSA or some other group hasn't run one or more VPN providers in the past. The only question in my eye is whether it was a popular one or not."
Or have we already forgot about Zoom's "end-to-end encryption?"
Unless you're continuously verifying, this requires trust that it is built that way and/or won't be changed in the future.
Since the VM company (unlike a VPN such as mullvad) makes zero promises with respect to keeping logs, if you visited badsite.com, then later the FBI raids badsite.com, sees a VM company IP address, subpoenas your VM company who says that your particular VM was leasing that specific IP at time XX:XX:XX, then you're done.
Further, mullvad gives you several relatively anonymous means of purchasing a VPN, whereas the vast majority of VM companies (digital ocean, linode) will require and store all manner of personally identifiable information about you.
Quite. Depends on your threat model and what you’re using the VPN for in the first place.
- That billion more than covers. Given the circumstances, the settlement is a bit paltry.
They get no jail time? They get to buy their way out?!
> “Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct.”
I know they lose their clearances and pay a bunch of money, but this seems like it merits a lot more punishment than that.
>Treason against the United States, shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort.
They didn't levy war against the US, or adhere to an enemy (because the UAE isn't one).
But in general, it's not illegal for US citizens to join foreign armies (if they aren't enemies). Lots of Jewish citizens, for example, serve in the IDF.
"According to the U.S. code, any citizen who "enlists or enters himself, or hires or retains another to enlist or enter himself, or to go beyond the jurisdiction of the United States with intent to be enlisted or entered in the service of any foreign prince, state, colony, district, or people as a soldier or as a marine or seaman … shall be fined under this title or imprisoned not more than three years, or both." But a court ruling from 1896 involving U.S. citizens who fought with Cuban revolutionaries against Spanish colonial rule interpreted this to mean that it was only illegal for citizens to be recruited for a foreign army in the United States, not to simply fight in one."
How many is "Lots"?
Apparently the US doesn't keep records of this phenomenon that are easily accessible.
This article from 2017 says 1,000 Jewish Americans serve in the IDF.
Of the ~7,000,000 Jewish Americans, that's ~0.0143% of Jewish Americans serving in the IDF.
If 1,000 joined and served each year, and live to an average age of 70, doesn't that mean ~50,000 people? That would mean ~0.714% of Jewish Americans having served in the IDF.
approximate number. 7.153-7.5 million are good estimates.
Specifically, they were charged with:
Violations of U.S. export control, computer fraud and access device fraud laws. The Department filed the DPA today, along with a criminal information alleging that the defendants conspired to violate such laws.
I think they are losers, scumbags and unethical and I hope that no one who reads HN ever hires them and that they never work in any capacity that comes into contact with IT, Infosec or any other hi-tech industry.
I have worked with various companies that have contracts with the US military and other agencies. I wouldn't say they underpay. I would actually say they pay pretty well, but once again, this has to align with whatever your personal values are. Some people are quite happy to work for a three letter acronym agency and couldn't ever conceive of working for a FAANG or a foreign entity.
I am sorry that a general perception of Americans might be that we are mercenary and will run after the highest paying opportunity. There are 300 million of us, and I would say that a majority of Americans are driven by values that don't include the theft of national intelligence assets or chasing after money no matter the consequence.
Most people in the software field feel the ITAR regulations as applied to code are ridiculous, including but not limited to the EFF. Most consider it to be an abridgment of their 1st amendment rights.
Mudge sells Cobalt Strike out in the open.
The only difference is these guys didn’t set up a company first.
The US has a similar process, where companies that sell weapons to foreign governments need to get permission from the US DOD. In this case Marc, Ryan and Daniel did not go through the DOD and that is why they are being charged.
I wonder if Mudge has a license.
"House Speaker Nancy Pelosi said she spoke to Joint Chiefs of Staff Gen. Mark Milley about precautions that could block President Trump from “ordering a nuclear strike” or accessing launch codes and starting military hostilities"
Soldiers who spent years in the exploit-finding units of 8200 (Israeli NSA) can work for NSO and stay in Israel. But they can also leave the country and work for foreign entities. Sometimes without even knowing who their employer is
One famous case was "Dark Matter", a UAE company who set up offices in Cyprus and offered 8200 soldiers seven-figure (USD) annual salaries to relocate, outside of the Israeli Government oversight which NSO needs to adhere to, and work for them
> The bureau’s dedication to justice is commendable... the most significant catalyst to bringing this issue to light was investigative journalism - the timely, technical information reported created the awareness and momentum to ensure justice
A lot of moral superiority there when, based on how Stroud has talked about her own work with Project Raven, she was perfectly happy to help the UAE kidnap, torture, and disappear dissidents (including children), human rights activists, and journalists.
If the above was documented, I don't think "I didn't know" would have worked in court. Also even if they fought the ITAR charges, they were accused of CFAA charges
I used to build sensing systems, where I'd include an off-the-shelf infra-red camera.
Couldn't sell the combined system abroad because the IR was ITAR restricted.
The idea is that less severe crimes can be handled without the full overhead and without excessive punishment. In practice, this can be 'a bit' controversial, e.g. when Bernie Ecclestone resolved his corruption charges this way by paying 100 million EUR. https://en.wikipedia.org/wiki/Bernie_Ecclestone#Bribery_accu...
I don't know enough to comment on if this is something that happens often (it certainly doesn't feel appropriate) in cases like this.
> If the parties agree that the recommended fine needs to be paid in installments because of the defendant's inability to pay the entire amount immediately, the plea agreement will include the installment schedule and any interest terms.(58) The payment of a special assessment(59) and any recommendation on a term of probation(60) or expedited sentencing(61) for corporations, or requests by individual defendants to be placed in a specific correctional facility,(62) will also be addressed in the plea agreement.
And to get back to the original comment I replied to, this critique seems like it would apply to any financial punishment, not something that came down to a technical distinction between "fine" and "financial penalty".
No. They've always been there, they've always acted this way. It's not a problem because of increasing lack of patriotism, or a divided populace, it's just power and greed and people that see themselves as not beholden to any one state. Thinking it's something it's not will just lead to proposed solutions that don't actually do much to affect the problem. Any solution needs to be internalized and divorced from the idea that this is a recent problem that we can stop caring about once we "solve" it.
> The Nixon shock was a series of economic measures undertaken by United States President Richard Nixon in 1971, in response to increasing inflation, the most significant of which were wage and price freezes, surcharges on imports, and the unilateral cancellation of the direct international convertibility of the United States dollar to gold.
Nixon shock - https://en.wikipedia.org/wiki/Nixon_shock
Nixon and the End of the Bretton Woods System, 1971–1973 - https://history.state.gov/milestones/1969-1976/nixon-shock
It's really saddening to see that the main objective of people is to own a Lamborghini, a mansion and live with some hoes, just like that "YouTuber guy".
The year 1971 was when the US dollar was made to float, instead of being backed by gold.
I think that the website wants to have our monetary system change back to being backed by something that is a limited resource, and I bet Bitcoin fits the bill in their mind.
Glad they included 3000bc short term interest rates in the graph.
Aren't you liable to wind up in situations where you find yourself saying "Ah-hah, now that person I thought was not one of the elite is now one of the elite because they didn't go to prison. Ah-hah, now that person I thought was one of the elite is not one of the elite, because they are going to prison."?
"For better or worse I've started to think of 'elites' more as people that have differential outcomes in regards to the law"
So it's not that elites don't go to prison, in this case they didn't, it's that they get extremely favorable outcomes as compared to the average population. Epstein is a good example of this. The first time he was convicted he spent a meager 1 year in prison in conditions that would never be afforded to the general public.
These hackers are another good example of this, they got a large fine but they're not spending any time in prison, and yet lots of people have gotten prison time for hacking.
Being elite is a lot different from being Scottish, in that there are only vague signals for being elite, and none of them are so easy to measure as being Scottish. I think it's safe to say that the vast majority of elites are wealthy, but I don't believe that all wealthy people are elites. There are people with a lot of localized power like mayors or state senators, but those people certainly aren't nationally elite. To my mind the clearest signal is when the system interacts with a person, how does the system behave, versus when it interacts with an average person. Now this is by no means a definition, just how I've started thinking about the question of who is elite.
Whether someone is Scottish, or any "easy to measure" fact, has nothing to do with the No True Scotsman fallacy.
What's unusual is that in the past few centuries, the rest of us have been explicitly conditioned to act in national interests.
I was discussing this case with a former DOJ attorney and he was saying that it's hard to know what exactly went into the calculation for penalties. Apparently cooperation with DOJ on future investigations can play a big role so idk what to think.
Outraged when these countries are hacking individuals? Then also be outraged when you sell them F35s
U.S. Company Two provides a mobile operation system. Hmmm, now who could that be?
But the article says,
> In August 2017, U.S. Company Two updated the operating system for its smartphones and other mobile devices, limiting KARMA 2’s functionality.
I didn't find any meaningful security updates by Apple in August 2017: https://support.apple.com/en-us/HT201222 The only one listed on that page was about using HTTP to send analytics data, which I don't think is the one that disabled KARMA 2.
Then I looked at Google. There are multiple RCE vulns with severity Critical during these two months: https://source.android.com/security/bulletin/2016-09-01 and https://source.android.com/security/bulletin/2017-08-01
Here's KARMA: https://citizenlab.ca/2016/08/million-dollar-dissident-iphon...
Looking at CVEs, my guess for KARMA 2 is CVE-2017-8248, patched in 10.3.3. Bit of a stretch, though. Looks like whatever was patched was never really publicized.
The iOS exploits sound scary. Some of them are even zero click.
Who had security patches released in September 2016 and August 2017?