I suppose that broadly, the takeaway here (and in all of this) that I’ve missed is that fundamentally, this list of phones that were targeted shouldn’t exist, or shouldn’t be leakable in this way, if we want to believe that NSO Group is targeting the most genuine targets.
To frame it differently: NSO Group sells tools to governments that are apparently trustworthy. Its security and system architecture should be decentralized enough that a list of all targets should be extremely difficult to obtain. If the list is obtainable, then what else is? Are their exploit toolkits just as leakable? Are the internal controls not sufficient to stop these leaks?
How can we continue to allow orgs like NSO Group to exist if they surely can’t keep something like their entire target list safe? Even if we assume all of the targets are legitimate threats (which, again, requires enough suspension of disbelief to hold a small army at this point), why would we want that list leakable? If they’re all the most legitimate targets, then that list is essentially 50k people who can now discover this fact and change their patterns to hide. It’s pretty bad to tip off “all the people who we find important enough to 0-day” if that assumption holds.
Now the real question? I’m not sure I know what we can do, actionably. Call Congress and ask them to care?
> Now the real question? I’m not sure I know what we can do, actionably. Call Congress and ask them to care?
I maintain that NSO is just a deniability front for Israel's espionage agencies, otherwise I don't know how they weren't shut down for so long, knowing what kind of a state Israel is.
NSO is well known to the Israeli state; after all, it is their cabinet that clears every deal NSO makes. Per Israeli law, Pegasus is a "weapon".
So yes, the problem is primarily in the political dimension.
Would you have said the same about HackingTeam [0] and the Italian Government? They were featured on Citizen Lab a LOT a few years ago [1]. These guys still operate under the name "Memento Labs".
There's obviously money to be made from selling offensive cybersecurity tools to governments. And you can hardly blame governments for buying these services in the age of end-to-end encryption in the hands of every criminal and terrorist.
While I definitely don't condone spying on human rights activists, journalists, or even regular citizens for that matter, Pegasus really is a weapon and as such should definitely be heavily regulated.
But as with other types of weapons, the responsibility for its use (or rather misuse) should lie with the weapon's user first and foremost, not the manufacturer. If NSO/HackingTeam were in the business of selling physical weapons to foreign governments, would they have been responsible for a government killing journalists with said weapons? If they were selling to North Korea, sure. But what about the legitimate governments of stable countries not under sanctions?
> If NSO/HackingTeam were in the business of selling physical weapons to foreign governments, would they have been responsible for a government killing journalists with said weapons?
If they were in the business of selling weapons of war and caught instead selling covert weapons with no legitimate use in open warfare to countries that disclose illegal acts of war to them, I think they belong in The Hague being tried for war crimes.
(After that, I suppose they can be referred to human rights courts as a de facto part of each government that had violations. Since they were active participants in the use of the weapon as shown by the phone list, they have no argument that they were not active members of every conspiracy involving their service.)
> If they were in the business of selling weapons of war and caught instead selling covert weapons with no legitimate use in open warfare to countries that disclose illegal acts of war to them, I think they belong in The Hague being tried for war crimes.
If they were doing that, I agree.
But these weapons have legitimate uses in law enforcement, and why do you think that the client governments disclose their illegal acts to NSO?
I think you hand-wave away the responsibility borne by the governments who regulate, control, and subsidise the arms trade.
Of course it is the fault of the user of the weapons as well - but UK and USA (to just name a couple more egregious examples) governments quite literally give money to foreign governments in order for them to funnel it directly back into arms deals. These weapons can then be used to destroy hospitals and schools in Yemen. Our governments are financing this loss of life in order to further propel the revolving door.
I see this kind of cyber weaponry as a simple subset of the above complex.
> I see this kind of cyber weaponry as a simple subset of the above complex.
This is exactly my point. I think that NSO should be just as responsible for the outcomes as any other arms manufacturer.
And I'm not waving away the government's responsibilities. Just the opposite - cyber weaponry is equivalent to other types of weaponry and should be treated as such.
This is why I feel that the discussion around NSO itself misses the point. It's like discussing Colt's responsibility whenever a government uses an M-16 to shoot a human rights activist. Colt may be responsible in some cases, but the important question is who bought the weapon and why they used it against that specific target. Also, should the buyer be sanctioned and forbidden from purchasing such weapons in the future?
I agree with your larger claim but possibly differ in how to oppose these forces. Opposition in the abstract does nothing, apart from stoking ivory tower feel good emotions.
Going after one perpetrator, building a precedent, seems to have had more lasting effect than going for the abstract.
You seem to be giving these companies a pass to sell software that can be used to create absolute surveillance states. If this sort of software is available, it needs regulations. The people responsible for the regulation are the exact states that would love to acquire the software. Do you not see the conflict of interest here? (Yes, it's the same for other weapons sales. That's a quagmire of corruption and double standards as well.)
Don't make the mistake of conflating North Korea with any other state. The people in charge of the intelligence organisations have very similar opinions on the efficacy of these tools no matter where they come from. It's been shown many times that the heads of the relevant agencies in the 5 eyes, let alone the rest of the international intelligence community, aren't very concerned about the legality of their activities.
Two ways to prevent the misuse of this software are 1: ban it and convict those who peddle it, and 2: have independent oversight and transparency over every use of this software. Who it's sold to, who it's used on, what its capabilities are.
Unfortunately, I don't see either of these as realistic, so basically we're up shit creek without a paddle.
> If NSO/HackingTeam were in the business of selling physical weapons to foreign governments, would they have been responsible for a government killing journalists with said weapons?
My take here is a little nuanced. Simply for manufacturing, perhaps not. Decisions of this kind I would settle case by case: chemical warfare agents, "no"; tear gas, maybe "yes" with well laid out legal checks and balances; "rubber bullets", more checks and balances needed; etc., etc.
Sales, whether direct or through indirectly supported wink-wink business and other organizational structures, to entities who have well documented cases of abuse -- that's a different matter. If Colt is found doing that, I would definitely find them culpable and guilty.
For NSO, Candiru and their ilk, my belief is that they are in a wink-wink, nudge-nudge relationship with the users of the tools (usually oppressive governments) as well as Israel's intelligence complex (they are the ones clearing the sales).
Can I prove this in a court? No. Does not stop me from forming informed opinions though.
Yes, that is why there are export restrictions on arms deals. In particular, your company is not allowed to sell to those states which are known to use violence against journalists.
So not only is this a reasonable position, it is the law in several countries, e.g. Heckler & Koch is a German gun manufacturer and has to obey such laws.
One is a multinational corporation with untold influence which hoards exploits for black box software and hardware.
The other is a producer of physical weapons, which are subject to laws to protect civilians - although of course where these laws apply is hypocritical, since the West's weapons have been used to kill many civilians during all the 'peacekeeping' missions by the US (read: interventionism).
A knife or a brick are not (with a few exceptions) tools that are only designed for killing people, so no, I could not say that about them.
(However, if you do sell a "Throat-cutting knife" for cutting people's throats, and someone buys it and cuts somebody's throat, then hell yes you are responsible for that.)
>if you do sell a "Throat-cutting knife" ... you are responsible for that.
Interesting thought. I can't find an example in law. I'm not so sure the seller is responsible on any level once sold, even with that murdering tagline. Guns are sold as lethal force and users are fully responsible post sale.
Yes, only criminals and police. And black market weapons are expensive, so they are also very hard to get for criminals. This works very well in many, many other countries.
Why do we have violent criminals? Also, there actually aren't that many versus say gun sales.
Can we push the number of violent criminals to 0? Maybe not, but we could greatly reduce the numbers with more intelligent social policies (in the US or Canada, say). The wild-west mentality and the fact that it has been co-opted by certain political groups actually leads to more crime and more fear (which sells guns and regressive politics).
What if no one lived in a state or neighbourhood so shitty that they felt the need to arm up? What if they had not been indoctrinated since birth with a wild-west mentality that linked gun-ownership to freedom?
The "only criminals will have weapons" argument is a really low-quality surface-level distraction from getting to grips with problems we could actually solve.
“Deniability front” might be a bit harsh, but revolving doors between government and private sector exist all over the world. Ignoring NSO for a moment, in general they are not always malicious.
But with regards to NSO in particular, there definitely is some linkage, even if it’s not necessarily malicious. According to this Bloomberg columnist[1] (the linked article has further hyperlinks to sources):
> How much of this technology is being developed in the U.S., including by U.S. government agencies, and making its way to illiberal autocrats? NSO’s founders are, according to multiple reports, thought to be alumni of Israel’s signals intelligence division, Unit 8200. And we know — including through the Edward Snowden leak — that the U.S. National Security Agency provides Israeli intelligence “controlled access to advanced U.S. technology and equipment.”
In most countries, you simply wouldn't qualify for a job in government if you've spent a career working in the private sector. Civil servants are... civil servants.
I agree with these statements. Although I do not understand why this is not making any noise internationally? NSO (ergo the supporting state) seems to be stealing data from EU leaders as well. Does this mean we have many NSO-like companies out there that we do not know about, and each country has one and everyone knows about these? Does anyone know what is the Swedish NSO?
That looks reasonable. The NSO Group malware performs active attacks. By creating this front (the NSO Group) that is supposed to have private customers, they can put in their own targets and have some form of deniability.
It makes perfect sense to me that there would exist a centralized list inside the company of the people being targeted.
There would need to be a server serving the exploit and also collecting the data from the compromised phones. Naturally that server would have a list of the phones it collected from, probably keyed by phone number as that would be the most straightforward identifier.
The implicit assumption here is that these super hackers would also have super security.
I am not sure I buy that.
My guess is that NSO's operational corps is made up of young Israelis straight out of the military plus maybe an engineering school. They are trained in systematic hacking and probably have access to a privileged set of exploits provided by the Israeli military and maybe the US. But not much beyond that in terms of engineering skills.
In short, I wouldn’t be surprised if their exploit server and data collection server are maybe built with PHP and MySQL.
Also, how do you sell a service like this? Getting Orban and similar as customers requires quite a bit of a network.
NSO is a spyware-as-a-service company. How else would they provide that service, if not by having a list of all the phones their clients need spied on?
Or are we debating whether or not that part is even true?
If they are not a SaaS platform, then I would agree with you, but so far everything I've seen claims that they are, so by that nature the customer would have to put their use case data into NSO's platform, would they not?
The "hacked" part is only an assumption, isn't it? The leaked information could also come from, say, a whistleblower. An employee that suddenly developed a sense of ethics.
Seems like there was a $100,000 bounty on hacking them:
> On Friday, Fisher claimed to have hacked the bank in 2016 and proposed a "Hacktivist Bug Hunting Program" that would offer bounties of up to $100,000 to those who hacked and dumped documents "in the public interest" from companies such as "South America, Israeli spyware vendor NSO Group, and oil company Halliburton."
I had assumed a whistleblower until now. The worry with them being hacked is their tools leaking to the public domain. If they do, I hope Apple et al. can plug the vectors.
I understand that the title makes an assumption that the first paragraph has to walk away from in its last sentence, but I appreciate Schneier’s nuance when framing the question. The spying isn’t new. The list is probably broader than many people assumed, but the real news is that NSO's own security isn’t great.
More importantly, if you believe that digital-weapons-for-hire are not a good idea, spreading doubt about their reliability is probably more effective than painting those companies as invincible hackers. They made an architectural choice that exposed their clients. Therefore, if you are a prospect for a similar technology, think hard when they present their tools, and challenge decisions that might expose you.
Better: it's good that they have bad security. They aren't in the security business, quite the opposite. It's a company that has found the legal loophole to sell theft-as-a-service. Kind of like banks compared to robbers.
Right here is another argument in favor of strong privacy protection. Even if NSO was a righteous and holy actor (spoiler: it's not), they can be hacked any time and now that data is public.
Same reason govts shouldn't spy on their citizens: even when you fully believe in your own govt, they can be hacked.
Same reason why encryption shouldn't be weakened or backdoored ("think of the children / terrorists!"); if there's a weakness or backdoor, someone that shouldn't will find and exploit it. Or it'll leak from the one point that can decrypt it.
> Right here is another argument in favor of strong privacy protection. Even if NSO was a righteous and holy actor (spoiler: it's not), they can be hacked any time and now that data is public.
This doesn't show that we need strong privacy protection; this shows that asking for privacy protection isn't enough and goes way beyond privacy protection. Even if you got GDPR in every first world country, NSO will still exist, intelligence gathering will still exist.
Zerodium exists, for God's sake; it's a public-facing company to buy zero days. Even if you got both them and NSO shut down, believe me, other companies will do the exact same, they'll just do it more secretly.
If I were a similarly acronym’ed three letter intelligence agency that wanted to shut down a private sector competitor, this is exactly what I would do.
The iOS tool scans a backup, but the Android "check-for-infection tool" checks for messages pointing to NSO domains. I recently got a strange message; is this list public?
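The kind of message check the Android tool is described as doing, written out as an added example for readers of this thread (it is not the tool's own code): URLs found in SMS bodies are matched against a domain indicator list, with subdomains of an indicator counting as hits. The indicator domains and the SMS records below are constructed placeholders, not real indicators.

```python
"""Match URL hosts in SMS bodies against a domain indicator list (illustrative)."""
import re
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed placeholder indicators; a real scan would load a published IoC file.
IOC_DOMAINS = {"example-ioc-domain.test", "another-ioc.example"}

# Constructed sample SMS records: (sender, body).
SAMPLE_SMS = [
    ("+10000000001", "Your package is ready: https://cdn.example-ioc-domain.test/track?id=42"),
    ("+10000000002", "Lunch tomorrow? http://news.example.org/article"),
    ("+10000000003", "see https://ANOTHER-IOC.example:8443/x and http://benign.example/y"),
    ("+10000000004", "no link here"),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_hosts(text: str) -> List[str]:
    """Return normalized hostnames (lowercased, port and userinfo stripped) of URLs in text."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname  # .hostname lowercases and drops the port
        if host:
            hosts.append(host.rstrip("."))
    return hosts


def matches_ioc(host: str, iocs: Set[str]) -> Optional[str]:
    """Return the indicator that host equals or is a subdomain of, else None."""
    labels = host.split(".")
    # Walk from the full host up to the registrable-looking suffix; never test a bare TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_sms(records, iocs: Set[str] = IOC_DOMAINS) -> List[Tuple[str, str, str]]:
    """Return (sender, host, indicator) for every URL whose host hits the indicator list."""
    hits = []
    for sender, body in records:
        for host in extract_hosts(body):
            ioc = matches_ioc(host, iocs)
            if ioc:
                hits.append((sender, host, ioc))
    return hits


if __name__ == "__main__":
    for sender, host, ioc in scan_sms(SAMPLE_SMS):
        print("suspicious host %s (indicator %s) in SMS from %s" % (host, ioc, sender))
```

Running it on the constructed records flags the first and third messages only; a real list of indicator domains is published separately from this thread and is not reproduced here.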
My first reaction to this was that we all would need mobile phones with physical off switches for camera/microphone and internet, but even such switches do not protect against such advanced spy operations. I think such software should be treated like weapons of war, for which there are international regulations and observation.
After Snowden leaked the documents, a group of volunteers created a project to watch the watchers. They started scraping data from public profiles, social media, job offers etc. They were harassed for it, the project was taken under the Wikileaks umbrella, and it's not much maintained anymore.
Somehow(!?) it doesn't have any info about NSO Group (or I can't find it), but there are plenty of other dodgy organisations archived there.
Because the treaty exists to prevent the very thing Israel did: covert nuclear arms development and covert sharing of know-how (like Israel probably did with Apartheid South Africa).
It's like criticizing a country for not being in the Paris climate accord for their environmental record/refusing to lower emissions - yeah, that's kind of the point.