I do not want to sound shockingly naive, but I wonder how these people can sleep at night. You've just sold software to some of the most brutal governments in the world, who will use your technology to track down and brutally torture incredibly brave human rights activists.
How can you do this, and still get up in the morning while looking at yourself in the mirror? I can understand petty crime if the alternative is watching your family starve, but these are all skilled software developers, it's not like they will have a hard time finding a job.
The people who are involved in this should be forced to watch videos of what those friendly governments do to the civil rights activists they catch.
People who join the US army should be forced to watch videos of Abu Ghraib and Guantanamo torture; they should be forced to watch testimonies of people in drone-bombed municipalities. But I am afraid that for many the "we good, they bad" mentality would justify those atrocities. Like another commenter said, who is bad and who is good really depends on your viewpoint.
Another reply mentioned how the same questions can be asked of people joining the US military. And I'll add the examples of buying clothing made in sweatshops, hi-tech devices made in sweatshops, blood diamonds, bottled water, and even factory-farmed meat if your concern for suffering extends beyond human suffering.
It's easy to ignore the consequences of your choices when they do not directly impact you or the people you know and care about. I am not crying 'hypocrisy!' here--I take part in these systems too--only pointing to things that many of us do that can be viewed with equal abhorrence by those who pay attention to them. And I think that is the answer to your question: it's all in what you pay attention to.
Because they're disconnected from the consequences of their actions.
I really doubt they're getting back business case studies talking about how they tracked down some dude and tortured him thanks to the information gleaned from their products (but now we can find out if they did get these).
I've asked people who work in these fields those same questions. Answers were along the lines of "someone else will do it if I don't" or "it's less violent than the actual violence the government would use otherwise." The reality of it is that you have to stop caring about the effects of your actions at some point: all the stuff we use daily is a product of exploitation and suffering of others with a dash of ruining the planet for future generations, yet we don't have a problem looking at ourselves in the mirror.
You know, this is what I keep asking myself about all the fine folks in defense, developing the newest fucking weapons/plane/gun/drone/whatever which _will_ be used against people in other countries.
We should introduce a "walk away from your job"-kickstarter thing to encourage leaving those positions.
There is a relatively seductive and possibly correct argument that stability and predictability trump human rights.
It's the reason Russians can be nostalgic for Stalin, etc. Revolution is messy. If the activists who were pressuring Assad for reforms had known that his reaction and the counter-reaction would lead to 250k+ deaths and the destruction of their country, would they have pushed as hard? Would they have been content with a phased approach, even though that would mean continued violations of their human rights?
One man's freedom fighter or activist is another man's terrorist.
Besides, it is human nature to be morally flexible. Many people don't really register atrocities of any scale as long as they don't affect their daily lives.
That's not to say this isn't terrible or shameful behaviour. It's just common terrible, shameful behaviour.
> You've just sold software to some of the most brutal governments in the world, who will use your technology to track down and brutally torture incredibly brave human rights activists.
You make so many assumptions about the viewpoint of the other person and then state that you cannot understand how they behave like this. Of course you cannot, you've phrased the question in a way which doesn't necessarily even make sense from their point of view.
Someone's gonna do it anyways? So the choice is whether you do something and profit off it (and possibly use the money to accomplish good things) or if you let someone else do it and make the money and perhaps do bad things. Pretty easy choice for me.
In fact, I've written software to analyze VoIP networks (troubleshooting) at scale, and now I'm wondering if I can retarget that and sell to larger entities for much more money. I hadn't really thought of it before, but I guess some of these shittier countries wouldn't be able to simply do the engineering themselves even if it's really not that hard.
On a separate note, we should be free to pursue scientific and engineering knowledge without having to deal with consequences of idiots that misuse such things. At least in this branch, imagine if all physicists last century had avoided furthering physics over nuclear weapons concerns. Now it's nowhere near as cool, but the challenge of indexing multiple 40G+ connections at linerate? It'll be fun at a minimum.
They are very similar to military contractors and weapon manufacturers, except that their industry so far has no regulations that prevent them from selling their product to anyone who has money to spend. Governments could start defining these kinds of tools as weapons, but that would prevent them from using them on their own populations, and the weapons trade is a very high-profit industry.
Even if these outfits only sell to "good" countries there's no guarantee those countries won't give access to shady regimes like Egypt or Saudi Arabia to round up and torture political dissidents, as these are supposedly allies of the West.
I've no idea about the whole story and what Hacking Team exactly did during the years, but I started to write serious code around 1998 working for Vincenzetti, so I think I can provide some hints about this to counterbalance all the hate.
* They allowed me to work on hping, releasing it as free software during most of my working hours. They supported my research that led to https://en.wikipedia.org/wiki/Idle_scan
* Vincenzetti taught me personally many things about POSIX, and he was a very skilled programmer. He wrote, AFAIK before SSH existed, a secure shell that was in use at least in Italy for some time. It used UDP and implemented the reliable connection on top of it in a secure way using state-of-the-art encryption. So we are talking about serious programmers.
* Bedeschi, the co-founder of the company, is an incredible hacker, from the way he typed on the keyboard to the incredible Unix knowledge he had.
I worked for a couple of months for their "SecLab", then left the company to return to Sicily since I did not want to live in Milan. I don't want to provide an ethical evaluation of the people and don't have enough information, but I can assure you that they were an incredible team of talented hackers.
EDIT: For sure they were very competitive people. I remember that when I left, Vincenzetti told me that it was a shame, I was a very talented programmer in his opinion, and I would end up in my little town in Sicily writing "soccer bet programs". He just wanted to push me to stay in the big city to know more hackers and so forth. I'm glad I don't write soccer bet programs BTW.
Poetic justice. Serves the bastards right. I'm sure hackers are flocking to the download in search of awesome tools. If they're there, then we might see independent malware authors building some interesting things to produce headaches with. Interesting times continue.
Note that many of us in INFOSEC said years ago that these offensive cyber companies developing weapons were a risk to us if they double-dealt or got breached. Their weapons which we (and others) funded might get turned against us. Depending on what's in the torrent, that scenario might begin playing out.
Looks like they're double dealing, too. Invoices to Egypt and other oppressive governments have already been found in the torrent dump.
Christopher Soghoian on Twitter: "Just from Torrent File listing, Hacking Team's customers includes South Korea, Kazakhstan, Saudi Arabia, Oman, Lebanon, and Mongolia."
Not only for those reasons, but also for creating a malware market driven by nation state money. The way we have found and fixed vulnerabilities in civilian IT systems has been turned into a market where the end result is less secure persons, companies, organizations and states.
A fabulous way to spend tax money aimed at protecting us imho...
This seems to include all their deals/financial data, the full source code to everything (including some novel things like EFI malware and possibly some Office/Flash 0days), all their mail, badges of every employee, personal screenshots/porn habits etc etc.
What if it was a deliberate effort from Hacking Team itself to fake a breach, produce a torrent file to be downloaded and compromise whoever is downloading it?
The size would need to be large enough that whoever is trying to download it will have to stay for a relatively long time.
> ...Hacking Team's customers include South Korea, Kazakhstan, Saudi Arabia, Oman, Lebanon, and Mongolia. Yet, the company maintains that it does not do business with oppressive governments.
I was curious if those were all oppressive governments, especially since South Korea was included. According to a couple of indices on Wikipedia [1] South Korea is pretty free (only the press freedom index is lower than America's), and Mongolia's not so bad (political freedom, but weakness in press and economic freedom). Pretty hard to lump South Korea in with Saudi Arabia or Kazakhstan.
"We do not sell products to governments or to countries blacklisted by the U.S., E.U., U.N., NATO or ASEAN.
We review potential customers before a sale to determine whether or not there is objective evidence or credible concerns that Hacking Team technology provided to the customer will be used to facilitate human rights violations."
"regulations are annoying, it cuts into our profit margin when we have to find a reseller and give them a percentage"[0]
Well this could certainly shed light on the role that contractors operate in ways we have yet to see from the Snowden "leaks" (of which most still remains unleaked[1])…
RE: "Media practice of consulting with governments on what to publish or withhold of material disclosed by risk takers, is anti-democratic, unconstitutional, venal, protective of privilege and betrayal of public trust."[2]
Normally I'm a bit more reserved when a company I dislike gets hacked, but take a look at Hacking Team's history and you'll probably want to celebrate too.
This is actually really bad, happy as I am to see this company get ruined.
People with an agenda are going to latch on to this to further push bad legislation like Wassenaar, and criminalize security research, or worse, make it "terrorism", because Soghoian runs his mouth and policy makers don't understand how things really work.
Just looking at the torrent I found Coca Cola, Google, Carrefour, and Movistar. I would love to see an index of this information to quickly search the content.
I had a look at the contents of the files I grepped with Google in the name and it appears most of them are invoices and contracts for things like Maps, Earth and Adwords.
My guess is they use Google Maps for finding addresses from GPS or vice versa. Or something like that.
David Vincenzetti's page on LinkedIn (https://www.linkedin.com/in/vincenzetti) features a recommendation from Tommaso Vincenzetti (brother? cousin?) and a list of many skills, including "Information Security", "Security Audits", "Vulnerability Management", "Ethical Hacking" and less funny ones.
Marco Valleri, another Hacking Team employee, lists himself on LinkedIn as a "Jedi". Nice corporate culture.
I'm actually surprised this doesn't happen more often.
I think it's hacking organizations like Anonymous that steer people away from "justice" hacking into populism hacking.
We need more of these shady & dirty secrets to come to light.
Fede_V | 10 years ago
anc84 | 10 years ago
filoeleven | 10 years ago
a3n | 10 years ago
These people are not you. They don't care.
We should be mindful that there is a large fraction of people who care only about their own well being, regardless of consequences.
FLUX-YOU | 10 years ago
digitalneal | 10 years ago
As the famed hip hop scholar Rocko once said "Umma Do Me".
That is how they sleep at night.
shenberg | 10 years ago
chinathrow | 10 years ago
JabavuAdams | 10 years ago
sspiff | 10 years ago
Ntrails | 10 years ago
MichaelGG | 10 years ago
belorn | 10 years ago
pakled_engineer | 10 years ago
cronjobber | 10 years ago
Because, you know, that makes it good.
lubesGordi | 10 years ago
alltakendamned | 10 years ago
unknown | 10 years ago
[deleted]
JabavuAdams | 10 years ago
caskance | 10 years ago
antirez | 10 years ago
nickpsecurity | 10 years ago
themartorana | 10 years ago
https://mobile.twitter.com/csoghoian/status/6178628794050641...
Edit - just read Christopher Soghoian's entire Twitter stream for the juicy bits. It's bad news for Hacking Team:
https://mobile.twitter.com/csoghoian
JoachimS | 10 years ago
veddox | 10 years ago
But their software is a risk now, I agree.
bobcostas55 | 10 years ago
Take a look at the GeoTrust repo...
This is a very interesting file, too: https://github.com/hackedteam/rcs-common/blob/master/lib/rcs...
kristofferR | 10 years ago
It's not possible to get hacked harder than this.
chinathrow | 10 years ago
https://www.youtube.com/watch?v=5BrdX7VdOr0
Anyway, serves them right.
Jugurtha | 10 years ago
bjterry | 10 years ago
1: https://en.wikipedia.org/wiki/List_of_freedom_indices
mikeyouse | 10 years ago
https://twitter.com/csoghoian/status/617892200618291200
HelloNurse | 10 years ago
cinquemb | 10 years ago
[0]: https://twitter.com/hackingteam/status/617892908583243776
[1]: http://cryptome.org/2013/11/snowden-tally.htm
[2]: http://thecryptosphere.com/2014/07/24/cryptome-kills-the-kic...
tptacek | 10 years ago
sarciszewski | 10 years ago
nickpsecurity | 10 years ago
H A C K E D !!!!!
Maybe we'll get lucky and they'll face bankruptcy with their stuff available for free now. :)
justinjlynn | 10 years ago
lawnchair_larry | 10 years ago
wslh | 10 years ago
Veratyr | 10 years ago
kiproping | 10 years ago
randomguy400 | 10 years ago
[deleted]
gruez | 10 years ago
evilDagmar | 10 years ago
Seriously, guys? Live by the sword, die by the sword.
HelloNurse | 10 years ago
infinitysgame | 10 years ago
Globz | 10 years ago
Globz | 10 years ago
This one is about "Soldier"
danr4 | 10 years ago