• masklinn 97 days ago

    That'd be the case pretty much any time NSO is implicated. Amnesty had a bit on that back last year[0].

    Despite some mealy-mouthed denials, folks have been noting NSO certainly doesn't mind selling their wares to human rights abusers for years[1][2] and earlier this year NSO's founder pretty much came out defending spyware and hacking of journalists, human rights activists and lawyers, etc…[3]

    [0] https://www.amnesty.org/en/latest/news/2018/08/is-nso-group-...

    [1] https://citizenlab.org/2016/08/million-dollar-dissident-ipho...

    [2] https://www.nytimes.com/2017/06/19/world/americas/mexico-spy...

    [3] https://freedom.press/news/spyware-vendor-defends-hacking-jo...

    • JumpCrisscross 97 days ago

      > Despite some mealy-mouthed denials, folks have been noting NSO certainly doesn't mind selling their wares to human rights abusers for years

      Is there any political push in the U.S. to, if not hold the NSO Group's executives and key engineers responsible, at least make their lives difficult? (For example, through the Global Magnitsky Act [1].)

      [1] https://en.wikipedia.org/wiki/Magnitsky_Act#Law

      • AsyncAwait 96 days ago

        > is there any political push in the U.S. to, if not hold the NSO Group's executives and key engineers responsible, at least make their lives difficult? (For example, through the Global Magnitsky Act)

        NSO is Israeli. The U.S. has proven that it does not care about illegal acts of its friends, not in Israel, nor Egypt, KSA etc.

        Granted, NSO Group is a private entity, but it definitely has the Israeli government looking the other way and so will do the U.S. one as a result.

        The Magnitsky act was targeted at Russia, there's political will for that. Using it to target Israeli actors? I don't think so.

        P.S. Before downvoting because I criticized something Israeli, note that it is such mentality that helps players like NSO to operate with impunity in the first place. Nonetheless, I want to make clear that there are U.S. & European companies, (for example Italian-based, "Hacking Team", that do this and it's just as bankrupt).

        It is the business model that is bankrupt.

        • dalbasal 96 days ago

          Allies/rivals has a lot to do with it, but the framework is military industry... like arms exports, the largest market sector in the world.

          Israeli and US intelligence are very close, and I suspect there are strategic benefits to being the supplier of these technologies that incentivize it. Also, they both have interest in questionable internal security agencies (eg saudi's, Iraq's & Egypt's) succeeding, to avoid isis-like groups getting strong.

          I'm not excusing it (I'm Israeli btw), but the whole approach to military industry is built on treating suppliers as not responsible for how their products/weapons are used. That said, intelligence tech feels more like outright mercenary services than weapons sales. This might get marginally better as the scandals mount.

          Best case, non-radical scenario: any SigInt technology is treated as "strategic," with close oversight.. like anti-aircraft somesuch.

          • gautamdivgi 96 days ago

            Aren't there plenty of such US & European companies as well? Palantir's security/government work especially for foreign entities probably falls square within this realm.

            • mandevil 96 days ago

              Unless they have a separate program that no one has ever reported on, Palantir is a data analysis platform, not a data collection one like NSO Group is alleged to do.

              See, e.g. https://www.bloomberg.com/features/2018-palantir-peter-thiel...

              "The company’s engineers and products don’t do any spying themselves; they’re more like a spy’s brain, collecting and analyzing information that’s fed in from the hands, eyes, nose, and ears."

              • acct1771 96 days ago

                Bloomberg describes them as a data mining company.

                It's named after omniscient crystal balls.

                The CIA’s investment arm, In-Q-Tel, was a seed investor.

                Do you truly believe they don't collect data?

                • mandevil 96 days ago

                  I am 100% sure that somewhere in the US government, a bunch of contractors are working on data collection tools. The Shadowbrokers and Snowden make that clear. I doubt that Palantir is doing it- there has never been any allegations of that, and almost all public articles on them make clear that they specialize in the analysis side. They are sexy enough- you know their name and would definitely click on a link with them in the headline- that I bet it would come out.

                  My guesses would start with Booz Allen Hamilton (who has had two notable people on NSA contracts: Snowden and Harold Martin) for where the data collection tools come from.

                  Look at https://www.thenation.com/article/five-corporations-now-domi...

                  Five companies dominate USG intelligence contracting, and Palantir isn't on the list: Leidos, CACI, SAIC, Booz Allen, and CSRA. One or more of those companies do provide data collection tools to the government, I'm certain. They are boring companies that no one really cares about, and you would never click on a link about Leidos, so that's where it's happening.

            • themackhesback 96 days ago

              The U.S. has imposed Magnitsky sanctions on Saudi officials linked to the murder of Jamal Kashoggi, but those were extraordinary circumstances - he was very well connected in D.C. circles.

              • AsyncAwait 96 days ago

                Yeah and it's worth noting that MBS had no sanctions imposed on him at all, despite everybody agreeing that it was done at his request.

            • dalbasal 96 days ago

              That was a different circumstance.

              There's a petition currently in Israel to revoke their export license, basically shutting them down. It's unlikely to succeed though.


              That said, there's an interesting dynamic emerging. The norm till now (in the US and Israel) has been to allow allow arms and military-tech sales to not-banned countries, regardless of human rights records. SigInt tech has been treated the same.

              But... WhatsApp hacks, journalist assassinations and such seem to be drawing more pressure than bullets and bombs. It may result in intelligence technology becoming more restricted in general.

              • themackhesback 96 days ago

                The U.S. government has never and, for the foreseeable future, will never, attempt to hold any Israeli entity or individual accountable for human rights violations.

              • cronix 97 days ago
              • ETHisso2017 96 days ago

                All, here is the investment fund that owns NSO. While they're based in Europe, their LPs are in the US - might be worth shooting them a letter.


                • cascom 96 days ago

                  I’m sure Oregon’s public employees will be thrilled to here how companies like this are part of their pension’s investment portfolio

                  • ETHisso2017 96 days ago

                    Here is the Oregon Public Employees' Retirement Fund contact page. It has their upcoming schedule of board meetings as well as an email address for submitting written testimony. Would be good if they could explore divesting themselves from Novalpina or encouraging Novalpina to divest NSO.


                    Board email: PERS.Board@state.or.us

                • llamataboot 96 days ago

                  NSO is former Israeli intelligence. Much like the gross rich former USMil mercenaries here (Blackwater/Xe) etc these people tend to be pretty well-connected. No way they will be held accountable - and one could argue that both the US and Israel benefit from having more of their dirty work done under the guise of mercenaries.

                  • annolir 96 days ago

                    Aren't NSOs employees as liable as Raytheon, Boeing and Dassault's employees (that is - not at all)?

                    A company is an organism whose goal is to maximize shareholder value - you can't really blame its executives for doing that. At the end of the day, these companies operate within the confines of the laws - and both the US and Israel have export regulations which clarify what's right and wrong. Isn't that really the issue?

                    • llamataboot 96 days ago

                      All those employees are liable as well. So are google engineers, facebook engineers, etc.

                      It may well be the reality that corporations are legal entities set up to externalize every cost, internalize every profit, and sink a healthy amount of them back into rewriting the laws that would constrain such behavior and we all have to live with the results.

                      But that doesn't mean it's ethical.

                      If you write code that you know is going to be used by an authoritarian state to kill human rights activists and you can currently shrug and say, well it's legal and it pays well, then well more power to you I suppose. But I'm not going to say that you aren't liable from /my/ perspective.

                  • magwa101 97 days ago

                    Let me guess, "sophisticated attack vector", "state level actor"...now who would be against human rights?

                    • ionised 97 days ago

                      Israel, China, Russia, Saudi Arabia, Iran and certain individuals, organisations and lobbying groups in the United States.

                      To name a few.

                  • dontbenebby 96 days ago

                    So as a practical matter, what can someone who works for a humans rights group do with this information?

                    Falling back to a dumbphone will send your calls and texts in the clear. (Plus even dumb phones have firmware which can be hacked).

                    The big takeaway I see is to be vigilant about OS/app updates and get them propagated as quickly as possible... but people often put apps like Whatsapp or Signal on their personal devices, which IT has no control over...

                    • breatheoften 96 days ago

                      Has the EFF ever been publicly targeted by proficient hacking entity before?

                      If anyone is capable of describing the appropriate response to this kind of threat — it has to be them.

                      • dontbenebby 95 days ago

                        >If anyone is capable of describing the appropriate response to this kind of threat — it has to be them.

                        I'd be willing to bet any competent actor would realize trying to use something on EFF would probably result in their staff noticing their computer acting oddly and passing along the malware sample to a place like Citizen Lab. Then they can wave bye bye to their zero day.

                        I don't have a source but I could have sworn some leaked doc at some point mentioned they (various intel agencies) don't like to use fancy 0 days on savvy targets. Probably something that's used on places that want to Free Tibet or let Saudi women drive, not savvy tech people.

                        I also think EFF probably practice what they preach (another poster mentioned their great surveillance self defense guide).

                        There's also lot to be said for just leaving your phones in the other room, turning on the radio, then having a meeting in a conference room free of electronics.

                        People often focus too much on infosec, instead of opsec IMHO.

                        • acct1771 96 days ago

                          Want a security starter pack? | Surveillance Self-Defense https://ssd.eff.org/en/playlist/want-security-starter-pack



                          Links from (E)lectronic (F)rontier (F)oundation. Should point someone in the right direction.

                        • acct1771 96 days ago

                          Read until you're not asking that =] Only option. You're in control.

                          Start here: disable auto-download of MMS.

                          ...and then, of course, don't download them from random numbers you're not expecting them from.

                        • devoply 97 days ago

                          How about putting pressure on Israel to shut down all these companies looking to supply dictators with tools of oppression?

                          • CodeSheikh 97 days ago

                            These "extra-curricular" activities of Israeli govt's involvement with rogue entities cast a bad shadow on the tech culture of Israel. Something not good for brooding startups coming out of Tel Aviv.

                            • Udik 97 days ago

                              The curricular activities of the Israeli government, democratically elected, include building illegal settlements in occupied territories, annexing territory in violation of international agreements, shooting unarmed civilians protesting inside their own borders.

                            • _jal 97 days ago

                              I'm sure our betters will get right on that, right after they tighten up international money laundering from bad actors.

                              Sorry, I'll stop laughing eventually.

                              • vb6lives 97 days ago

                                Never gonna happen. The bulk of their business comes from the "good" guys

                                • nyolfen 97 days ago

                                  nso is already being sued in israeli court by some of the more sympathetic victims

                                  • sudoaza 97 days ago

                                    Maybe blackwater offers to help there...

                                    • King-Aaron 96 days ago

                                      Oh, I don't think that's how it works when it comes to Israel doing terrible things.

                                      • ionised 97 days ago

                                        There's no political will to do this unfortunately.

                                        • themackhesback 96 days ago

                                          From where could such pressure arise?

                                          There is a bipartisan consensus in the United States supporting Israel’s ongoing establishment of an ethnically pure police state. If there is no serious opposition to that, there will certainly be no serious opposition to this kind of thing.

                                        • yzssi 97 days ago
                                          • beiller 97 days ago

                                            Do you think it was aliens?

                                            • o10449366 97 days ago

                                              Google left China nearly a decade ago in part because it suspected Chinese government operatives of hacking their systems to target human rights activists. If they double down on their commitment and re-enter China I can only see it as an inevitability that the same thing will happen again.

                                              • vorpalhex 97 days ago

                                                Or they've simply decided it's more profitable to directly sell to China and save them the effort of hacking in.

                                              • MagicPropmaker 97 days ago

                                                _may have_. Those are weasel words. Why demonize a nation and a group of people because of Apple's buggy operating system that's falsely marketed as "Secure by design?"

                                                • permatech 97 days ago

                                                  What does WhatsApp have to do with Apple? Sounds like using iPhone's internal messaging app would have been safer than WhatsApp on Android.

                                                  • miohtama 96 days ago

                                                    Mobile apps, both iOS and Android, are sandboxed. Effectively one should be not able to root and install malware just by exploiting an user mode app.

                                                    However, in this case, looks like it might have been chained with a iOS kernel exploit - a bad memcpy is suspected.

                                                    So we should blame unsafe programming languages and C culture once again.

                                                    • dontbenebby 96 days ago

                                                      Signal was not affected either, is cross platform, and has a lot of eyeballs on its source