> The investigation by the Guardian and 16 other media organisations suggests widespread and continuing abuse of NSO’s hacking spyware, Pegasus, which the company insists is only intended for use against criminals and terrorists. (from the Guardian inquiry about the same topic).
Every time we allow special laws or special tools to fight "terrorism" or "child abuse" or other evils that get people worked up, they end up being used against the people in general. Every time. Why are we even surprised.
For politicians in democracies citizens are potential voters, foreigners don't matter.
It's still arguably better than dictatorships, where your citizens don't matter either, as long as you have a good police system.
We act surprised when we notice such things but we shouldn't be, it is a mistake to apply the same standards that we, as the lucky citizens of "free countries" enjoy, to any other system of power.
From a less cynical point of view, as an Israeli, I am not happy at all to see this kind of export products from my country. It is in great part because of the conflict. The SIGINT units are huge and among the people who graduate from the army with this kind of knowledge you will certainly find many who will turn a blind eye to ethics for a huge paycheck. Not to mention that the research itself that the defense apparatus needs attracts capitals from other countries that will buy some of it and use it for unorthodox means. I wish we exported less of these things, especially to autocratic countries. I agree it's horrible.
The people who work in these companies should be absolutely shunned and black listed from laundering their past by taking up a role at any major tech firm.
The people who work at NSO and companies like this are a stain on the whole tech industry and are outcasted by their own IOF peers for being greedy and morally-lacking.
Absolutely disgusting to think your hands are clean while you make tools that directly empower dictators and keep whole regions of people subjugated.
Aren't these private hacking companies breaking the law though? Does anyone know why no one has sued them or arrested them or something? From what I understand in most cases, any attempts to reverse engineer or exploit any system is against terms of service with the offender held liable. Some teenager who comes up with a game hack can be slapped with a massive fine, but these hacking companies aren't even breaking the law? How does that work?
> Aren't these private hacking companies breaking the law though?
Like Russia, Israel doesn't seem to give a damn when criminal enterprises operating in their borders victimize people in other countries. This shit has been going on for years: https://en.wikipedia.org/wiki/Download_Valley
When you get a government contract in this and similar fields, it usually comes with protection against most laws, no matter which ones are broken and where (see "Blackwater").
Rule of law is a joke. If you work for your government and don't anger the politicians you can work out sweetheart deals that will shield you from the law completely, unless you fall out of political favour.
But they are breaking the law. Same as many security agencies. It just doesn't matter.
Why would anyone sue or arrest them? They develop the software, they do not break into the phones of journalists.
The article says that the governmental agencies are breaking into the phone. These hacking companies just license their software to these governmental agencies.
Snowden needs to repeat and remind people, over and over, that people should just not trust their electronics if they are doing sensitive work that somebody powerful elsewhere (government or a rich company) might not like.
I'm also curious how WhatsApp/Facebook will respond to those vulns. Hard to really trust them at all, it's really easy to imagine a conspiracy theory when intelligence agencies negotiate inserting backdoors into popular software.
I'm really discouraged from working in computer security, it really looks like a shady industry.
I hate to say it, but if what you're communicating could risk your life or that of someone else you might want to avoid using computers to communicate it altogether.
Old-school techniques such as physically smuggling microdots[1] seem much safer than relying on any computer technology, which can always be hacked.
If these hacking firms succeed in chasing journalists off digital communication, I think the totalitarian regimes they serve will consider that "a win."
Journalism is already a profession running on fumes (literally, in the past. More metaphorically, today). It's just not feasible to do without technology.
People sometimes seem to imagine some world inhabited by security-conscious professions that is more akin to a slick movie than real life. Witness the common belief that, say, blocking websites at DNS levels has zero impact on crime because it's easy to circumvent.
Real-life criminals, journalists, or activists prefer Telegram over code tattooed on a messenger's scalp for the same reason we all do: hair grows too slow and nobody is getting on international flights right now. I know it's fun to imagine all these activities involving "threat actors" and steganographic key exchanges via Pornhub (Alex and Bob getting on?). But that road leads to busywork that doesn't get any corrupt politician's name on that white page.
It would be really nice if I could own my phone to the point where I could install an outgoing firewall or harden the os to my abilities instead of blind trust into the diligent but not infallible vendor.
Apologies for commenting before reading the article. But I'm curious what the sales process is for spyware. I understand the underground groups do all their stuff anonymously, but what sales ops do legitimate companies like NSO Group practice? Do they have sales targets/quotas? Do they vet their clients? What channels do they sell through?
Similar channels as any other arms manufacturer or defense contractor, as far as Israel goes they are regulated in the same manner by the same agency DECA.
They likely do not sell to anyone or for any reason that does not contribute to Israel’s foreign policy in some way or another.
That's why I keep it simple. I run things out of a closet with an air-gapped computer, a single printer, and a gun...in case the printer starts acting suspicious.
You've already lost, then. Printers' output can be uniquely identified.
Nothing should ever be in dead-tree format. If you need to carry something that does not need electricity to display text, use eInk. Or build your own printer.
Israel has mandatory military service, and a lot of people go to work in their large SIGINT divisions (e.g. https://en.wikipedia.org/wiki/Unit_8200). A lot of them then leave service and go on to use those skills in the cybersecurity industry–on both sides.
Yes, and major VCs, Big Tech companies, self diagnosed contrarians and the establishment OSINT crowd see nothing wrong with it or see it as a legitimate endeavour.
I’m currently reading Nicole Perlroth’s book “This Is How They Tell Me The World Ends”, which has a big section on the NSO Group and the Pegasus Project. If even part of what she uncovered is true, then digital privacy is effectively non-existent.
Are there U.S. laws NSO Group has violated? If not, how would laws define the prohibited activity?
We’re at the point of, at the very least, barring NSO Group, its employees and its investors from travelling to the U.S., using our financial system or keeping assets here. (Which would indirectly bar our police departments and agencies from contracting with them.)
Financing terrorism is a crime. Aiding and abetting journalistic suppression should be in a similar, albeit lower severity, category.
I know it's not a foolproof solution but perhaps there should be a greater focus on ethics in Computer Science curricula? The Israeli developers who wrote this software may not even have been exposed to the moral and ethical questions writing such software ought to raise. Perhaps there should be trade associations for developers that call out software companies that write immoral software?
With great power comes great responsibility, and if you knowingly use your great power to write this kind of software you are a terrible person, in my opinion.
> The Israeli developers who wrote this software may not even have been exposed to the moral and ethical questions writing such software ought to raise
Of course they have been exposed to ethical questions for writing the software. If you know Israel well, and the famed Unit 8200 [0], the initial creation of this type of software is definitely built with morals in mind - saving lives is the entire impetus.
Lots of security software out of Israel (see CheckPoint, a now public company) is first born out of the IDF with the goal of fighting terrorism and criminals. I don't see an ethics class being the answer here, as this type of cyber & security software has certainly saved lives. The issue is what happens after this software is developed, with seemingly justified reason to exist, and now in the hands of a business growing around it.
It's also possible that the developers who wrote this software are very aware of the ethical questions surrounding it and have decided that the benefits to society in combatting crime and terrorism outweigh the harms from misuse of the technology. While I don't personally agree, I can see how someone could hold such an opinion.
One of the things you'll learn in an ethics class is that ethical values are heavily influenced by culture and circumstance, and there are vast differences in what different groups of people believe is ethical and not.
How are they different to the Italian developers that worked on Da Vinci/Galileo or the British and German developers that worked on FinFisher?
Plenty of people work on products that may be immoral in some application or frame of reference.
Developing technologies that facilitate the predatory practices for social media networks, ad targeting, gaming/gambling and plenty of other shit.
And this goes beyond tech. I don’t think that the 40-something machinist that works at Glock in Austria or the 23-year-old EE engineer that works on imaging sensors for BAE in the UK loses sleep at night because a handgun or some guided bomb somewhere killed someone.
Lol. Sure dude, it's the programmers who are the bad guys, not the people funding the Israel/Palestine war or in this case the owners of the company who decide to make software that helps assassinate people.
People's ethics are all over the spectrum regardless of career path. The root problem is that we need to worry about the ethics of our politicians. Overall, they seem like a pretty bad bunch!
It cannot be understated how much damage this company has done, not only to the quest for freedom for untold amounts of ordinary people but also to its own clients.
So - I guess everyone should use WeChat? Because I'm sure the Chinese government wouldn't put up with Israeli software being able to capture that data.
[+] [-] ackbar03|4 years ago|reply
Cause I think I'm in the wrong game
[+] [-] JumpCrisscross|4 years ago|reply
Facebook is suing NSO Group and winning, at least on procedural grounds [1].
[1] https://www.reuters.com/article/us-facebook-nso-cyber-idUSKB...
[+] [-] ruined|4 years ago|reply
it would be like trying to sue a ransomware group in russia, or a phone company in america.
[+] [-] Ygg2|4 years ago|reply
Same with suits.
[+] [-] dogma1138|4 years ago|reply
Their sales are export controlled in a similar manner that arms sales are.
[+] [-] pmoriarty|4 years ago|reply
Old-school techniques such as physically smuggling microdots[1] seem much safer than relying on any computer technology, which can always be hacked.
[1] - https://en.wikipedia.org/wiki/Microdot
[+] [-] drummer|4 years ago|reply
These days that is a very real possibility if you run Windows.
[+] [-] underdeserver|4 years ago|reply
Nobody mildly self-conscious with a shred of ethics works there.
It's not fair to an entire industry to be painted in this light because of one bad actor.
[+] [-] zild3d|4 years ago|reply
Of course they have been exposed to ethical questions for writing the software. If you know Israel well, and the famed Unit 8200 [0], the initial creation of this type of software is definitely built with morals in mind - saving lives is the entire impetus.
Lots of security software out of Israel (see CheckPoint, a now public company) is first born out of the IDF with the goal of fighting terrorism and criminals. I don't see an ethics class being the answer here, as this type of cyber & security software has certainly saved lives. The issue is what happens after this software is developed, with seemingly justified reason to exist, and now in the hands of a business growing around it.
[0] https://en.wikipedia.org/wiki/Unit_8200
[1] https://www.theguardian.com/world/2021/jul/18/revealed-leak-...
[2] https://en.wikipedia.org/wiki/Check_Point
[+] [-] cf100clunk|4 years ago|reply
https://news.ycombinator.com/item?id=27874027