There is an incredibly well produced podcast episode on these ex-NSA engineers working for the UAE that came out a couple of years ago. Check out Darknet Diaries Ep47: Project Raven [1].
Synopsis is that the UAE hires ex-NSA employees as "penetration testers" and when they enter the country for cybersecurity work, some are pulled aside to be briefed to an opportunity called "Project Raven" to assist Emirati intelligence with targeting, allegedly in the interest of counter-terrorism. The thing is, only Emiratis have "hands on keyboard" while the US engineers sit beside them and guide them, which supposedly dodges any legal concerns. Those who Jack interviewed decided to leave Project Raven when it became clear they were targeting dissidents, human rights activists, and later, Americans. As you might imagine, ex-NSA employees who target US citizens for a foreign government are breaking the law. I do wonder if it's these ex-Project Raven engineers that have led prosecutors down the road to where we are now.
+1 for Darknet Diaries. One of the best podcasts I've ever listened to. So simple, yet so gripping, and well told in a sweet spot between hard nerds and casual enthusiasts. I listened to all 100 episodes since discovering the show in July.
If you liked this check out You’re Wrong about. Incredibly well researched and incredibly well presented - information packed and funny at the same time.
It sounds to me like the UAE made a decision to stop paying vast sums of money to the NSO group and started throwing money at trying to develop their own similar domestic capability.
From a purely pragmatic perspective of a UAE royal family member worried about domestic dissent I can see why they would do that, not that I agree with it in the slightest.
> It sounds to me like the UAE made a decision to stop paying vast sums of money to the NSO group and started throwing money at trying to develop their own similar domestic capability.
Presumably, the latter is less of a risk; they probably don't want NSO to know their business and there's going to be at least metadata leaking that points to what they're doing. Plus, presumably, there's always a chance NSO could play them off to a higher bidder?
I agree about UAE wanting to keep their cards close to the chest, but I think the choice between NSO/other third party hacking groups and developing in house is an AND statement, not OR. At the end of the day, developing adequate zero day chains that provide access akin to NSO's Pegasus is an extremely time and talent intensive endeavor, and having multiple options to procure those capabilities is the more likely solution.
the principal agent problem. whenever you hire an agent whose interests are not specifically aligned with yours, theres an existential problem ensuring your principal concerns are acted upon.
so yeah, you want your agents to have a principal stake so havi g a nsa agen direct your staff brings more surety than some random third party like nso doing your dirty work even if its just handing over software. we all know it matters the route your hardware and software comes from if you are involved in national security.
> we all know it matters the route your hardware and software comes from if you are involved in national security.
No security apparatus in the world has the capability to build and execute everything they want to on their own. Hardware and software is always procured from multiple sources.
> It sounds to me like the UAE made a decision to stop paying vast sums of money to the NSO group and started throwing money at trying to develop their own similar domestic capability
Running an intelligence service is a lot more than hacking a random phone once in a while. They buy lots of products from lots of vendors, develop some things in house, and hire a lot of talent from overseas.
It's weird that the agents suddenly discovered their morals. It's not like they didn't know who'd they be working for before being pulled to the side, apart from the fact that the NSA has been helping all sorts of totalitarian governments with information that could have (and likely was) been used against dissidents etc.. It seems more like they pulled out because it was too blatantly illegal and risky and that was the motivation to leave project raven.
The moral of “chicken little” isn’t what you think it is. The key message is that bad authorities fail at listening and create perverse incentives towards misinformation, shirking their accountabilities with disastrous consequences.
People telling it to children are trying to silence their kids. They’re not focused on improving transparency, or on systemic outcomes, they just want to regulate individuals. So they are in fact the selfsame bad authorities.
The target of blame in the story is not the chicken.
Eh, pretty sure there's more than one moral there. No reason to ignore the "don't run off half-cocked spreading information you haven't confirmed or may not mean what you think" just because there's another lesson in there also.
This is the lie told by the failed managers of the community in which the chicken lived, hoping to shift the blame for their own poor attention to contingency planning onto a chicken.
If you have an early warning device with a high false positive rate, you don’t avoid catastrophe by ignoring the warning.
No, you don't ignore the warning to avoid a catastrophe, you ignore the warning to avoid alert fatigue, burnout and other bad effects.
If your only early warning device has a sufficiently high false positive rate, scrap it, or find another early warning device with a sufficiently different set of false positives and then require both of them to alert, before you pay attention.
In the Chicken Little story everybody except Chicken Little is eaten by the fox, do you mean the boy who cried wolf? Except oops, everybody dies in that one too.
Nobody listens to chicken little because he's overdramatic and hyperbolic, like most children who haven't had enough life experience to temper their reactions.
It's been awhile since I saw the film, but that's what I remember. Regardless, even taking my comment less literally and more like "it feels like a children's show" would still be an accurate take.
> It's been awhile since I saw the film, but that's what I remember.
Slightly OT, but you might want to clarify that you are talking about a film rather than the classical story.
If you haven't had the pleasure of reading it, it might be worthwhile to check it out, the version I read as a child had a suprisingly morbid ending for a children's book.
You don't have to see the film, it was a text fable for a couple thousand years before that. Plus, I'm skeptical that they all die at the end of a Disney movie version of the story.
And as with the Pied Piper, it’s the fault of bad management.
Only an asshole blames the chicken. You had a high sensitivity early warning device, and muted it because you couldn’t handle the false positive rate? That is not the fault of the device.
None of that is the fault of the chicken. The sky would’ve fallen on the idiots in charge anyway. They’re just trying to shift the blame. This is the true moral of that particular fable.
Also, don’t go around tempering children; “seen but not heard” is dark ages, Victorian values nightmare fuel.
In both of those stories the reason that happens is bec the eponymous character loses all credibility by telling many lies, when they finally tell the truth no one believes them.
No, in the Foxy Woxy version everybody believes CL and accompanies them to warn the king. The problem comes when they believe that Foxy Woxy knows a shortcut. Point being: Chicken Little is a crappy analogy to use against doomsayers.
BwCW is a little better in the abstract, but still inapt for this.
> The thing is, only Emiratis have "hands on keyboard" while the US engineers sit beside them and guide them, which supposedly dodges any legal concerns.
I find it pretty hard to believe any judge would buy this.
Yet this would be very familiar to anyone with previous intelligence experience in the US. The person with hands on keyboard will change depending on if the mission is being conducted under Title 10 or Title 50 authority.
Does an instructor who trains someone who goes on to commit murder using the techniques they taught become legally culpable for the murder?
If your company offers some service - consulting to set up their infrastructure, or helping them navigate AWS - necessary to the running of the company, and that company goes on to commit a crime are you at fault? They couldn't have done it with out you, after all.
Legally, it depends. The term you're looking for is "criminal conspiracy". In US law this is, roughly, an agreement between two or more people to commit a crime, and at least one of the people commits an "overt act" in furtherance of the crime. In the case of these officers, and in your two hypotheticals, there is an overt act taking place. An overt act does not need to be illegal, it just has to be an action taken to assist in the planned crime. For instance, buying ski masks is perfectly legal, but if you bought ski masks in preparation for your bank robbery, that counts as an overt act. But is there an agreement to commit a crime? Generally speaking, in the company-offering-services example, if you did not know the other party was going to commit a crime, and a reasonable person in your position wouldn't think the other party was planning to commit a crime, you are not engaged in criminal conspiracy. There's tons of special cases and nuances here, but that's roughly what happens.
That's if they charge conspiracy in the first place.
The more general answer here is that the criminality of exploitation depends a lot on your state of mind (a property of law that something HN always has a hard time with). A professor teaching a class to an anonymous group of students is not at all the same thing, in criminal law, as that same professor standing behind foreign intelligence operatives coaching them on a targeted attack.
The confounder here is that there are statutes you can theoretically violate by providing some specific exploitation tools to foreign nationals.
The MIT professor, in an MIT classroom, is never going to be charged (same almost certainly goes for a consultant teaching an exploit class at Black Hat USA).
Let's say you are a gun instructor. You take your student out to the street, hand them a sniper rifle and point at their victim. You walk them through the process of pulling the trigger and how to make sure they get their target.
The judge isn't going to let that slide. In both cases, you are an accessory.
Technically I think both parties would be guilty of murder, but that's specific to murder charges. For instance, getaway drivers have been charged with murder because the robbers they transport shoot someone.
That is specifically "felony murder", which wouldn't apply here (though conspiracy might?). Felony murder is the idea that you are guilty of murder if someone dies as a result of you committing another felony (sometimes from a specific enumerated list).
If you are a direct participant in the murder you might just get charged with it (perhaps as a conspirator which I think often has roughly the same penalties).
You're probably right, but I think it also depends...
Is a professor at MIT teaching cyber security exploit development guilty of the same crime?
What about a consultant teaching how to use a particular tool or how to look for a particular family of exploits? (Potentially legally dodgy, depending on the client, but probably ok in a lot of grey areas)
What about a consultant which performs a passive audit of a target for a 3rd party? (Starting to get pretty dodgy, but probably depends both on the 3rd party and the target and the nature of the audit)
It's... probably not so cut-and-dry. Though I agree that it doesn't sound like a get-out-of-jail-free card.
I'm sure the intent of the MIT professor/consultant passing their knowledge on to others is to get ahead of the actual attackers and help prevent further crime(s against humanity), not to actively participate...
Oh no, that wasn't my intent at all. I was just saying that things in court can get pretty messy when you try to define things precisely with laws that don't directly address edge cases. That's why you see headlines about rulings that seem so counterintuitive and ridiculous upon first glance.
my one gripe, if it can be called a gripe, is that the episodes are more often than not hard to follow due to the complex topic/length.
Looking thru the feed, 8/10 of the recent casts I've listened to are only about 1/4 the way thru before I had to go into work, answer a call, etc. Then it's too hard to get back into, and two more eps have been released by the time I get another itch for DD.
Of course, real life is complicated and isn't a movie with a plot, and DD's format rewards knowledge and listening. More of a "doing dishes" podcast. Highly recommend!
Short-form security podcasts are a dime a dozen though, and they usually fail to gain traction because Sec is a nuanced technical/social topic that doesn’t get covered in 20 mins. DD is very popular, IMO, because it handles this well by longer episodes.
This has nothing to do with the post nor the comment you're replying to. There's no need to inject an unrelated political point into the top post's top comment; just make your own post about the subject so it can be discussed there.
I take your point but disagree that they are unrelated. They are different news items, so I’ll try and isolate my comments in that way. I just think that people working infosec should care a lot about the sanctity of law and the importance of judicial review. If we let the court of popular opinion reign supreme, hackers will always lose and the powers that be, the elite, will always maintain control. Just my opinion, which I will try and keep more narrowly focused in the future.
I think there should be a corollary to Godwin's law to call out any thread that is very much subtle in trying to showcase just how much Donald Trump has been wronged by 'the media'. Sadly there's a surprisingly high amount of these on hn.
Synopsis is that the UAE hires ex-NSA employees as "penetration testers" and when they enter the country for cybersecurity work, some are pulled aside to be briefed to an opportunity called "Project Raven" to assist Emirati intelligence with targeting, allegedly in the interest of counter-terrorism. The thing is, only Emiratis have "hands on keyboard" while the US engineers sit beside them and guide them, which supposedly dodges any legal concerns. Those who Jack interviewed decided to leave Project Raven when it became clear they were targeting dissidents, human rights activists, and later, Americans. As you might imagine, ex-NSA employees who target US citizens for a foreign government are breaking the law. I do wonder if it's these ex-Project Raven engineers that have led prosecutors down the road to where we are now.
[1] https://darknetdiaries.com/episode/47/