Revealed: leak uncovers global abuse of cyber-surveillance weapon
July 18, 2021 1:30 PM

Spyware sold to authoritarian regimes used to target activists, politicians and journalists, data suggests. Human rights activists, journalists and lawyers across the world have been targeted by authoritarian governments using hacking software sold by the Israeli surveillance company NSO Group, according to an investigation into a massive data leak. The investigation by the Guardian and 16 other media organisations suggests widespread and continuing abuse of NSO’s hacking spyware, Pegasus, which the company insists is only intended for use against criminals and terrorists.

NSO Group claims that its Pegasus spyware is only used to “investigate terrorism and crime” and “leaves no traces whatsoever”. This Forensic Methodology Report shows that neither of these statements are true. This report accompanies the release of the Pegasus Project, a collaborative investigation that involves more than 80 journalists from 17 media organizations in 10 countries coordinated by Forbidden Stories with technical support of Amnesty International’s Security Lab.

Amnesty International’s Security Lab has performed in-depth forensic analysis of numerous mobile devices from human rights defenders (HRDs) and journalists around the world. This research has uncovered widespread, persistent and ongoing unlawful surveillance and human rights abuses perpetrated using NSO Group’s Pegasus spyware.

PBS: THE PEGASUS PROJECT Live Blog: Major Stories from Partners
posted by Ahmad Khani (57 comments total) 39 users marked this as a favorite


This is the board of the NSO Group
Mexican malfeasance was already suspected in 2017
posted by adamvasco at 1:58 PM on July 18 [2 favorites]


As a counterpoint to Pinboard's assertion that we are incapable of producing defect-free software, I offer the following articles:

We Could Write Nearly Perfect Software but We Choose Not to -- far, far better software is possible if shipping flawed code hit companies in their bottom lines and either not dealt with at all as an externality or just brushed under the rug of "the cost of doing business."

Programmers: Stop Calling Yourselves Engineers -- far, far better software is possible if developers had a personal professional/career fiduciary duty to not ship flawed, misleading, or unsafe code.

Neither of these things is cheap or easy, but both are possible. Dismissing the idea of software with minimal or no defects as an impossibility pre-emptively closes the debate on shipping quality code and plays into the desire on the part of companies and developers to not be held responsible for the safety, fitness-for-purpose, and good faith (or bad faith) functional behaviors of what they ship.
posted by tclark at 2:03 PM on July 18 [38 favorites]


These two statements by NSO are contradictory:

The targeting of the 37 smartphones would appear to conflict with the stated purpose of NSO’s licensing of the Pegasus spyware, which the company says is intended only for use in surveilling terrorists and major criminals...

[NSO] also said it does not operate the spyware licensed to its clients and “has no insight” into their specific intelligence activities.


Either they know what their product is being used for and they're lying about not knowing, or they just sell to anyone who is a paying customer regardless of customers' intended usage or the outcomes from misuse. Can't claim both.

In any case, NSO executives appear to be accomplices to the murder of at least one more journalist, despite their claims otherwise.
posted by They sucked his brains out! at 2:08 PM on July 18 [10 favorites]


AP reported that Turkey has recordings of Khashoggi's murder. At the time I assumed that Turkey was admitting that it had bugged the Saudi consulate, but I suppose the more likely explanation is that some of the people killing him had their phones hacked, possibly with the same software that the Saudis used to entrap Khashoggi. There aren't any good guys in this, obviously, but it shows how the technology can be a two-edged sword.
posted by Joe in Australia at 2:29 PM on July 18 [1 favorite]


...which the company insists is only intended for use against criminals and terrorists.

Ultimately, a criminal or terrorist is whoever a government says is a criminal or terrorist. There's maybe a few extra performance steps in the former compared to the latter, depending on which privileged demographic one falls into or out of in any given polity, but not as many as those in the in-but-not-that-far-in-groups tend to assume. And of course the latter tends to erode the checks and balances intended to protect against declarations of the former; that's part of why the term was embraced.
posted by Drastic at 2:42 PM on July 18 [16 favorites]


IMHO, to an authoritarian regime, any private citizen who opposes its rule is a (potential?) "terrorist" and any organization that opposes it is a (suspect?) "terrorist organization" because it (officially) sees no difference between itself (the regime) and the governed. People are the state and the state is the people.

It's only in the western view, where there's a clear separation between the government and the people, that a difference is drawn between terrorist and freedom fighter, using Just War Theory.

And like a gun, it totally depends on the perspective and who's holding the weapon. Tools are just tools. It's up to the user to determine its purpose.
posted by kschang at 2:56 PM on July 18 [2 favorites]


Edward Snowden: "The Israeli company behind this -- the NSO group -- should bear direct, criminal liability for the deaths and detentions of those targeted by the digital infection vectors it sells, which have no legitimate use."
posted by - at 3:16 PM on July 18 [5 favorites]


Either they know what their product is being used for and they're lying about not knowing, or they just sell to anyone who is a paying customer regardless of customers' intended usage or the outcomes from misuse. Can't claim both.

They require that buyers not express intentions contrary to that statement, they don't operate the software themselves, that's it. It's not contradictory, it's the usual cop out.

Guns programs don't kill, people do.
posted by snuffleupagus at 3:27 PM on July 18 [5 favorites]


By the way, saying that only "authoritarian regimes used to target activists" is a bit misleading. Or perhaps we should start to consider France to be an authoritarian regime...

We should take a hard look at authoritarian elements in western "real-existing democracies".
posted by - at 3:30 PM on July 18 [5 favorites]


Interesting to see that the Five Eyes countries, Russia and China are absent from the list of clients. Which suggests that NSO is a second-tier substitute for what they have.

I'm guessing the Mossad/Shin Bet also have much better toys that they're not sharing.
posted by acb at 3:41 PM on July 18 [11 favorites]


Twitter thread
NSO Group's "US branch" Westbridge Technologies received loans worth up to $265,000,000 from Credit Suisse's Cayman Islands branch. NSO has repeatedly sworn in court that they had no US operations.
posted by adamvasco at 4:17 PM on July 18 [2 favorites]


Edward Snowden: "The Israeli company behind this -- the NSO group -- should bear direct, criminal liability for the deaths and detentions of those targeted by the digital infection vectors it sells, which have no legitimate use."

Why exactly do we still listen to this guy? He did his hero thing but he's an idiot when it comes to infosec. Attack vectors don't go away because someone isn't monetizing them. NSO Group are shitheads but if there are attack vectors that someone is selling then we also know there are attack vectors to be fixed.
posted by Your Childhood Pet Rock at 4:49 PM on July 18 [4 favorites]


Is any of the bad actors in this story interested in fixing those holes? Is NSO?

Packaged zero-days for anyone who will pay is in no way "legitimate".
posted by tigrrrlily at 5:03 PM on July 18 [5 favorites]


Depends on whether fix means "the same shit we claimed before but for real, as long as we're being watched" or, you know, actually changing the context that lets this industry exist in its current incarnation.
posted by snuffleupagus at 5:37 PM on July 18


Is any of the bad actors in this story interested in fixing those holes? Is NSO?

The point is that any exploit that's not being kept secret can (will?) eventually be tracked down and removed if the vendor is worth a damn. NSO are not without blame or culpability but to pretend the world would get materially better if they stopped is a fantasy.

Like I get that people think attack surfaces are infinite just by the nature of how many complex parts are interworking but practically they're not. These exploits are well crafted pieces of code that rely on things being broken just right and they're not easy to craft and can't exactly be done on demand. It's like having matches in a box while camping. Once they're burned they're done and it's extremely hard to procure new ones. Selling an exploit might as well be holding one of your valuable and limited matches next to a camp stove for shits and giggles.

Do I think every country with a half decent cyber capability has secret/proprietary zero days in their back pocket? Probably. But those zero days may also get neutered when an exploit that someone was selling either in the light of day or on the dark web makes its way back to Apple or Google. It's a game of inches and NSO, even being bad actors, are giving up valuable information (for free!) that helps gain inches against other bad actors.
posted by Your Childhood Pet Rock at 5:38 PM on July 18 [3 favorites]


If anyone knows, has there been any discussion or exploration of regulating zero days and the like as munitions, and requiring their purveyors to register as arms dealers?

Encryption has famously been treated that way, at least to some extent with export controls.
posted by snuffleupagus at 5:47 PM on July 18


Yes, NSO Group's product is subject to export controls. Israel individually approves each country it is sold to.
posted by ryanrs at 8:44 PM on July 18 [6 favorites]


Edward Snowden: "The Israeli company behind this -- the NSO group -- […]

That's a bit of a dog whistle; it would have been more normal to just say “the company behind this”, or “the NSO group”; it's not more or less wrong just because the people behind it speak Ivrit. And although Snowden has obvious reasons for not criticising Russia's enormous government-controlled hacking enterprises, the fact that he doesn't do so means that his critical utterances on any related subject must be perceived as hypocritical, if not actively tendentious. It's a pity, but there it is: if he's silenced by Putin, we must expect that when he speaks, his statements have been officially approved.

One thing this underscores is that when it comes to electronic intelligence the world's nations are divided into two groups: the ones who can basically order any phone interception they want, like the US and presumably the other Five Eyes (and, one way or another, probably Russia) and the ones who rely on purchased hacks like this. It says something that Saudi Arabia had to purchase a neatly-wrapped exploit like this: you'd think they'd have access to enough expertise to duplicate it domestically after learning about it.
posted by Joe in Australia at 10:45 PM on July 18 [6 favorites]


Why exactly do we still listen to this guy? He did his hero thing but he's an idiot when it comes to infosec. Attack vectors don't go away because someone isn't monetizing them. NSO Group are shitheads but if there are attack vectors that someone is selling then we also know there are attack vectors to be fixed.

I don’t get this take. That statement doesn’t read as a blanket opposition to professional security research, to me?
posted by atoxyl at 11:31 PM on July 18


Not to derail, but are we saying Snowden is antisemitic now? Just trying to keep track. A few weeks ago we were saying he was antiblack, it's hard to keep up.
posted by flamk at 12:00 AM on July 19 [9 favorites]


I don't know why Snowden chose to emphasise that it was an Israeli company; as if that were the truly significant thing about it, even more than its actual name. It is the sort of thing an antisemite would do, though. People make verbal dog whistles specifically because they're deniable, so all I can say is: it was an awkward and unusual expression and it looks as though it was meant less to inform than to create a particular impression.
posted by Joe in Australia at 12:38 AM on July 19 [7 favorites]


> By the way, saying that only "authoritarian regimes used to target activists", is a bit misleading. Or perhaps we should start to consider France to be authoritarian regime...

From the article: there are French phones in the list of targets, but there is no mention of France having bought the software.
posted by haemanu at 1:05 AM on July 19 [2 favorites]


It's very much a false distinction anyway: look at the way the US and other Western countries have characterised people pushing for social change, at home and abroad.
posted by Joe in Australia at 1:16 AM on July 19


Joe in Australia: your dog whistling is worse. Companies exist in particular jurisdictions, and this matters a lot, especially if the export licenses for NSO Group's weapons are subject to state approval, as they are.

Also Amnesty International titles "Massive data leak reveals Israeli NSO Group's spyware used to target activists, journalists, and political leaders globally".
posted by - at 1:52 AM on July 19 [8 favorites]


>If anyone knows, has there been any discussion or exploration of regulating zero days and the like as munitions, and requiring their purveyors to register as arms dealers?
Yes, they're munitions under the International Traffic in Armaments Regulations (ITAR) and should be controlled when you know the exploit would break laws like the Computer Fraud and Abuse Act (CFAA).

That's something done by the USA Commerce Department, determining (and imposing sanctions) when traffic in arms breaches these regulations. Crucially it can hinge on whether it involves USA people -- you'll notice that many of the regimes involved are authoritarian and/or adjacent to the rules-based international order.
posted by k3ninho at 2:06 AM on July 19 [3 favorites]


it was an awkward and unusual expression and it looks as though it was meant less to inform than to create a particular impression

But the fact it’s an Israeli company is right there in all the headlines or initial paragraphs in articles about this everywhere, starting with the Guardian... Snowden is hardly the first person to "emphasise". It’s not emphasising even, it’s part of the story. Should the Guardian and other outlets too have purposefully omitted that it’s an Israeli company, just because there are antisemites who will latch on to that?
posted by bitteschoen at 2:26 AM on July 19


Mod note: Joe in Australia, please drop this derail.
posted by taz (staff) at 3:00 AM on July 19


As a general rule, "But everyone's doing it" says nothing one way or another about whether a practice is biased or ethical.
posted by eviemath at 3:30 AM on July 19 [1 favorite]


Should the Guardian and other outlets too have purposefully omitted that it’s an Israeli company, just because there are antisemites who will latch on to that?

Also in general, if the nationality of a company or individual being reported on is not relevant to the story being told by a particular article, then the journalist and editors responsible are likely themselves exhibiting bias. If the nationality is relevant, the manner in which it is relevant (e.g. the article discusses export law issues, or is in a finance rag that gives the stock exchange info of all companies mentioned in all articles) will be explained clearly enough that if others later mention the nationality when it is not relevant, we can draw any relevant conclusions (or not) based on that context without that reflecting on the original journalists. That conclusion might be that someone is kind of lazy or does not have strong critical thinking skills if they repeat a standard description of a company or person (beyond just their name) without thinking at all about why they're repeating the whole description and not just the name. Though there are certainly cases where the descriptor has been used by other speakers in a biased or bigoted manner, so it's not unreasonable to be extra sensitive to common examples such as when "Jewish", "Arab"/"Muslim", or "inner city" are the added descriptors.
posted by eviemath at 3:43 AM on July 19 [3 favorites]


As a general rule, "But everyone's doing it" says nothing one way or another about whether a practice is biased or ethical.

No that wasn’t meant as "but everyone’s doing it" as some kind of moral justification - there is nothing to be justified here, NSO Group is the company in question at the heart of this story and it is an Israeli company, it’s a fact that is very much part of the story - not least because as has already been pointed out above, where a company is located and the jurisdiction it operates under tends to matter too in respect to what that company is doing.
It’s absurd to suggest some kind of antisemitic bias through the mere reporting of a very relevant fact!
posted by bitteschoen at 4:08 AM on July 19 [3 favorites]


Israeli Companies Aided Saudi Spying Despite Khashoggi Killing (NYT). This is the problem, not Snowden. Let's stay in topic.
posted by - at 4:10 AM on July 19 [2 favorites]


Also in general, if the nationality of a company or individual being reported on is not relevant to the story being told by a particular article, then the journalist and editors responsible are likely themselves exhibiting bias.

Worth noting that one of the newspapers that collaborated with the Guardian on this reporting is Haaretz, a popular Israeli Hebrew/English publication. Haaretz's series of articles on NSO Group consistently refers to the company as Israeli, and another even starts out with the statement "Israel is a longtime weapon exporter to numerous states, some of which frequently violate human rights. Israeli weapons have been used by despotic regimes and, shamefully, even in cases of genocide."
posted by Glegrinof the Pig-Man at 4:11 AM on July 19 [15 favorites]


More Haaretz reporting on NSO Group and its connections with the former Defense Minister (and current Prime Minister) here: ‘No Tenders in War’: Defense Minister Insists on Team-up With NSO to Battle Coronavirus
Defense Minister Naftali Bennett has no intention of backing off of his plan to partner with controversial Israeli spyware firm NSO in creating a system grading citizens on their likelihood of spreading the coronavirus, despite the Justice Ministry’s reservations.

Earlier on Wednesday, the Justice Ministry said it was an unusual step as it hands private information about citizens to a private company. The problem is even greater given that the Shin Bet was allowed to track citizens only by invoking emergency regulations.

The Shin Bet’s legal department also expressed reservations about sharing information with a private company. Moreover, the Health Ministry has so far not indicated any need for such measures.

Bennett recruited NSO Group, which has been accused of involvement in human rights violations, to build the rating system for citizens based on data collected by the Shin Bet security agency.

Responding to a query from Haaretz, Bennett confirmed that he has “a general familiarity” with NSO Group’s president, Shiri Dolev. When asked whether such a project should require issuing a tender, Bennett replied: “There are no tenders in war.”

Dolev is a close friend of Bennett’s party colleague Ayelet Shaked, who backed the initiative in the Knesset without mentioning the connection. She appeared alongside Shaked on a TV program in 2017, where she was introduced as her best friend.
posted by Glegrinof the Pig-Man at 4:17 AM on July 19 [6 favorites]


Amazon is shutting down NSO Group infrastructure. Not sure if *all* of it, or just what they deem as relevant. Forensic reports have shown that the Israeli company's spyware uses Amazon Web Services.
In Brazil Carlos Bolsonaro, the bolsonazi son, was in negotiation with NSO earlier in the year. His father and Netanyahu were big buddies, so yes, I am thinking that NSO definitely has government backing and approval.
posted by adamvasco at 12:22 PM on July 19


it’s a fact that is very much part of the story - not least because as has already been pointed out above, where a company is located and the jurisdiction it operates under tends to matter too in respect to what that company is doing.

For the articles on the specific company that is the subject of this FPP that are reporting on how the national jurisdiction of the company affects things, as some other commenters have quoted and pointed out, that is relevant to those articles, yes. I've certainly seen news articles about other companies or individuals that identify their nationality without following up on how or why that is relevant, however. So making a blanket statement, as you did, that Snowden couldn't have been using "Israeli company NSO" in a biased or dogwhistle way merely because lots of news articles used that phrase is a couple steps shy of being a sufficient argument. One may or may not be able to theoretically fill in those steps: from the links above, a number of articles have explained the relevance of NSO's nationality (personally, I think it brings up a couple important questions in addition to what has already been touched on in this thread), but that doesn't mean all of them have; and, in the second step, from what I've seen so far it doesn't sound like it was relevant to Snowden's comments. But as your comment was written, you didn't fill in those steps, and it didn't sound like you realized that there were missing details to fill in, so you ended up making a statement that was certainly an incorrect argument in the generality it seemed to be applying.
posted by eviemath at 8:15 PM on July 19


"This NSO story is a blockbuster but at the same time there are very important pieces of this story that are being missed... a thread"
posted by - at 9:34 AM on July 20 [3 favorites]


On the list: Ten prime ministers, three presidents and a king [WaPo archive.org link]
Among 50,000 phone numbers, the Pegasus Project found those of hundreds of public officials
But here’s who’s on the list: Three sitting presidents, France’s Emmanuel Macron, Iraq’s Barham Salih and South Africa’s Cyril Ramaphosa. Three current prime ministers, Pakistan’s Imran Khan, Egypt’s Mostafa Madbouly and Morocco’s Saad-Eddine El Othmani.

Seven former prime ministers, who according to time stamps on the list were placed there while they were still in office, including Lebanon’s Saad Hariri, Uganda’s Ruhakana Rugunda, and Belgium’s Charles Michel.

And one king: Morocco’s Mohammed VI.
posted by Ahmad Khani at 11:31 AM on July 20 [1 favorite]


More from Haaretz:

Where Netanyahu Went, NSO Followed: How Israel Pushed Cyberweapon Sales
The correlation between NSO’s client list and the development of Israel’s diplomatic relations with these countries has become clear. And given this, a question must be asked: What role did Israel officially play in promoting offensive cyber products in these countries?

Based on conversations with a long list of senior executives in Israel’s offensive cyber industry, it appears that the Israeli state worked proactively to get Israeli cyberweapon companies, first and foremost NSO, to operate in these countries, despite their problematic records on democracy and human rights.
Revealed: Israel's Cyber-spy Industry Helps World Dictators Hunt Dissidents and Gays
The reports about Pegasus prompted Meretz MK Tamar Zandberg and human rights lawyer Itay Mack to go to court in 2016 with a request to suspend NSO’s export permit. At the state’s request, however, the deliberations were held in camera and a gag order was issued on the judgment. Supreme Court President Justice Esther Hayut summed up the matter by noting, “Our economy, as it happens, rests not a little on that export.”

The Defense Ministry benefits from the news blackout. Supervision takes place far from the public eye – not even the Knesset’s Foreign Affairs and Defense Committee is privy to basic details of the lion’s share of Israel’s defense exports. Contrary to the norms that exist in other democracies, the ministry refuses to disclose the list of countries to which military exports are prohibited, or the criteria and standards that underlie its decisions.

A comprehensive investigation carried out by Haaretz, based on about 100 sources in 15 countries, had as its aim lifting the veil of secrecy from commerce based on means of espionage. The findings show that Israeli industry has not hesitated to sell offensive capabilities to many countries that lack a strong democratic tradition, even when they have no way to ascertain whether the items sold were being used to violate the rights of civilians. The testimonies show that the Israeli equipment has been used to locate and detain human rights activists, persecute members of the LGBT community, silence citizens who were critical of their government and even to fabricate cases of blasphemy against Islam in Muslim countries that don’t maintain formal relations with Israel. The Haaretz investigation also found that Israeli firms continued to sell espionage products even when it was revealed publicly that the equipment was used for malicious purposes.
posted by Glegrinof the Pig-Man at 1:36 PM on July 20 [7 favorites]


Pegasus: NSO Group's long history of trials and denials
Middle East Eye delves into the long list of accusations NSO has faced over the years, and how the company has responded.
posted by adamvasco at 5:06 PM on July 20 [5 favorites]


Israeli human rights activist Eitay Mack: Israel's NSO and Pegasus Are a Clear and Present Danger to Democracy Around the World
But even now, when the trickle of information about NSO has become a tsunami, in particular its Pegasus spyware (believed to have been acquired by numerous authoritarian governments as a spyware weapon to target political opponents, journalists and human rights activists), Ben & Jerry's decision to stop selling its products in the occupied territories is still the most discussed issue in Israel – and the trigger for the loudest outrage.

Perhaps there was never any reason to expect otherwise from a state that defines itself as democratic but, for 54 years, has been holding millions of Palestinians hostage to its whims.

After 12 years of Benjamin Netanyahu's tenure as prime minister, in which human rights activists and Knesset members were smeared as supporters of terrorism, critical journalists deemed enemies of the people and left-wing voters as traitors, why would the Israeli public, which had grown accustomed to view dissident voices as enemies, care about what happens to journalists in Azerbaijan, India or Hungary?

If Israel holds hundreds of Palestinians in administrative detention, without trial at all times, why would there be any outcry if new friends Saudi Arabia and Rwanda use an NSO system, born and bred in Israel, to incriminate opposition activists so they then rot in prison?

Israel’s Prime Minister Naftali Bennett, its Ministry of Foreign Affairs, and other cabinet ministers decided it was urgent and essential to condemn in a unified demagogic wave the ice cream brand’s decision and even claimed, implicitly or explicitly, that it fueled antisemitism and terrorism.

But they all retain the right to remain silent regarding the Defense Ministry granting licenses to NSO, which serve in practice as licenses for state-sponsored terrorism against civil society around the world.
posted by Glegrinof the Pig-Man at 5:34 AM on July 21 [6 favorites]


And more from the Washington Post:

U.S. and E.U. security officials wary of NSO links to Israeli intelligence
U.S. and European security officials regard the company with a degree of suspicion despite the ability of its technology to help combat terrorists and violent criminals. In interviews, several current and former officials said they presumed that the company, which was founded by former Israeli intelligence officers, provides at least some information to the government in Jerusalem about who is using its spying products and what information they’re collecting.

“It’s crazy to think that NSO wouldn’t share sensitive national security information with the government of Israel,” said one former senior U.S. national security official who has worked closely with the Israeli security services and, like others, spoke on the condition of anonymity to candidly describe intelligence operations. “That doesn’t mean they’re a front for the Israeli security agencies, but governments around the world assume that NSO is working with Israel.”

Though NSO is a private company, U.S. officials have long suspected that some information it collects is also viewed by the Israeli government, said a current U.S. official familiar with the matter.
How Washington power brokers gained from NSO’s spyware ambitions
The Israeli surveillance giant NSO Group and companies linked to it or its founders have spent millions of dollars in hopes of wooing their way into the U.S. market, hosting demonstrations for government intelligence officials and hiring Washington’s most prominent names despite pledges that its phone-hacking tool can’t be used inside the United States.

The company’s attempts to secure U.S. contracts appear to have been unsuccessful, with federal and local law enforcement agency representatives saying in emails and interviews that they balked at its Pegasus spyware tool’s million-dollar price tag.

But an influential network of Washington consultants, lawyers, lobbyists and other prominent personalities have earned money from the company, its parent company or its founders, a Washington Post review of government and company filings shows. Those beneficiaries include some of the most powerful members of the Obama, Trump and Biden administrations.
posted by Glegrinof the Pig-Man at 7:04 AM on July 21


I personally know someone, a journalist in Mexico, who was targeted by Pegasus by both this and the previous administration, who bought the software, and it's not fun. He's been threatened at his home by people either from or pretending to be from several cartels. Many details from his personal conversations have been leaked in the last four years, which led to him being really paranoid, until his number popped up in Amnesty international's research and they let him know. His whole phone was cloned. All his messages, passwords, calls, emails, pictures, browsing history, everything was copied as if it went to one phone. Now he's even more paranoid, but not from his friends and family, at least.
He hasn't stopped writing, though. Respect. I would have quit a long time ago.
posted by omegar at 8:44 AM on July 21 [4 favorites]


It should be noted that NSO Group isn't the only company in this space. The other big operation is Cellebrite—discussed here on the Blue back in April—and it also "works with law enforcement agencies and has a long list of clients – including regimes with shady human rights records" (Haaretz).

Cellebrite's core product, called UFED (Universal Forensic Extraction Device), works somewhat differently than Pegasus: it's not an over-the-air data extractor, but relies on physical access to the target device. But importantly, it works even if the device is locked, and unlike Pegasus, it can be used clandestinely, leaving no traces on the target device afterwards. In some ways it represents a greater threat than Pegasus: if you've ever let your phone out of your sight (e.g. at a repair shop, or on a charger in your hotel room while out to dinner, or a million other scenarios), everything on it could have been copied without your knowledge—and there's no way to ever be sure.

Although the Israelis seem to be leading the pack in terms of technical capabilities, the US isn't totally out of the game, either: Atlanta-based Grayshift sells a $15,000-30,000 product called GrayKey, which was apparently good enough at its one job of unlocking iPhones that it caused Apple to tighten its security over USB devices significantly.

There is a whole industry at work that deserves to have a lot more light shed on it than it gets.
posted by Kadin2048 at 1:06 PM on July 21 [3 favorites]


Shouldn't really be surprised about the Israeli State working hand in glove with local hi-tech security / intel companies. Black Cube was only three years ago, and then there was the WhatsApp security breach, noted at the time by FT as a harbinger of Pegasus.
posted by adamvasco at 6:48 AM on July 22 [1 favorite]


> The spyware scandal in the news today is a chance to reiterate that human beings are incapable of producing defect-free software at any scale. In particular, there is no such thing as a secure online system or a secure mobile platform. This foundational issue won't go away (threadreader)

A case against security nihilism
In a perfect world, US and European governments would wake up and realize that arming authoritarianism is really bad for democracy — and that whatever trivial benefit they get from NSO is vastly outweighed by the very real damage this technology is doing to journalism and democratic governance worldwide.

But I’m not holding my breath for that to happen.

In the world I inhabit, I’m hoping that Ivan Krstić wakes up tomorrow and tells his bosses he wants to put NSO out of business. And I’m hoping that his bosses say “great: here’s a blank check.” Maybe they’ll succeed and maybe they’ll fail, but I’ll bet they can at least make NSO’s life interesting.

But Apple isn’t going to do any of this if they don’t think they have to, and they won’t think they have to if people aren’t calling for their heads. The only people who can fix Apple devices are Apple (very much by their own design) and that means Apple has to feel responsible each time an innocent victim gets pwned while using an Apple device. If we simply pat Apple on the head and say “gosh, targeted attacks are hard, it’s not your fault” then this is exactly the level of security we should expect to get — and we’ll deserve it.
posted by tonycpsu at 3:17 PM on July 22 [2 favorites]


The only people who can fix Apple devices are Apple (very much by their own design)

That's not necessarily the case. It's strange that an exploit of this seriousness would have persisted for so long, given that Apple designed the hardware and is the publisher of both the OS and the software responsible. Apple seems to have worked hard to prevent most attacks on iPhones, but the NSA is notorious for sabotaging hardware and I understand that its leaked software has been the basis of many rootkits and trojans. It has even subverted cryptography standards in order to subtly weaken them. The USA really, really wants the ability to tap phones and data systems; it has a long system of doing that; and it has a vast array of legal and extra-legal tools at its disposal.

Given all that, I think it's reasonable to think that the NSA is responsible for the existence of the exploit. Maybe it's a subtle flaw in a cryptography standard that Apple can't figure out; maybe it's a backdoor that they were forced to include. I note that the USA is apparently not a customer of the NSO group; I consider that evidence-by-absence to be quite striking: it tells me that they have the same exploit, or something like it; one that doesn't leave the same footprint.
posted by Joe in Australia at 7:26 PM on July 22 [1 favorite]


It's strange that an exploit of this seriousness would have persisted for so long, given that Apple designed the hardware and is the publisher of both the OS and the software responsible.

Given all that, I think it's reasonable to think that the NSA is responsible for the existence of the exploit.

I don’t think you’ll find much support among security professionals for this conspiracy theory. It hasn’t been one exploit but many over the years, carefully guarded to increase the period of time before Apple learns the mechanism and patches it.

The vulnerabilities and that process look exactly like what you’d expect from the parsimonious explanation: Apple, like almost all other large software vendors, has a lot of code written in unsafe languages like C and Objective-C, and they haven’t historically been willing to spend the money comprehensively replacing it with safer modern languages like Swift (clearly that’s a long-term goal but they could get there a lot faster by dropping 0.1% of their profits).

If you follow @lazyfishbarrel, note how often this is the case for exploits in just about every major program. There are other ways we see serious problems (e.g. recent news of Microsoft’s botch of the Windows SAM permissions) but most of it comes back to legacy code with insufficient market pressure to be more proactive about replacing it.
posted by adamsc at 6:11 AM on July 23 [2 favorites]
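To make the point in the comment above concrete, here is an added illustration (not code from any commenter, from Apple, or from the NSO reporting) of the kind of defect that unsafe languages let through silently: a parser for a constructed one-byte-length-prefixed record format that trusts the length field, beside the same parser with every length checked against the bytes actually received and against the destination buffer. The record format, the function names and the sample records are all invented for this example. In C, the trusting version compiles without complaint and corrupts memory on a malformed record; a bounds-checked language such as Swift or Rust would trap on the same input instead of continuing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format, used only for this example: one byte giving
 * the payload length, followed by that many payload bytes. */

#define NAME_CAP 16   /* fixed destination buffer, including the NUL */

/* Pattern A (the defect): trust the declared length and copy.
 * If the declared length exceeds NAME_CAP this writes past the end of
 * `out`; if it exceeds the bytes actually received it reads past the end
 * of `msg`. The compiler accepts both without a warning. This function is
 * shown only for contrast: do not call it with untrusted input. */
int parse_name_trusting(const uint8_t *msg, char *out) {
    size_t declared = msg[0];
    memcpy(out, msg + 1, declared);   /* no check on either side */
    out[declared] = '\0';
    return (int)declared;
}

/* Pattern B (hardened): every length derived from the input is validated
 * against what was received and against the destination capacity.
 * Returns the payload length on success, -1 on a malformed record. */
int parse_name_checked(const uint8_t *msg, size_t msg_len,
                       char *out, size_t out_cap) {
    if (msg == NULL || out == NULL || out_cap == 0) return -1;
    if (msg_len < 1) return -1;                 /* no length byte at all */
    size_t declared = msg[0];
    if (declared > msg_len - 1) return -1;      /* claims more than received */
    if (declared >= out_cap) return -1;         /* would not fit with the NUL */
    memcpy(out, msg + 1, declared);
    out[declared] = '\0';
    return (int)declared;
}

/* Constructed sample records. */
static const uint8_t good_record[]  = { 5, 'a', 'l', 'i', 'c', 'e' };
static const uint8_t short_record[] = { 9, 'b', 'o', 'b' };   /* claims 9, carries 3 */
static const uint8_t long_record[]  = { 200, 'x' };           /* claims 200, carries 1 */
static const uint8_t edge_record[]  = { 16, 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h',
                                            'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p' };

/* Helpers that run the checked parser into a local buffer and return only
 * an int, so outcomes can be compared without exposing the buffer. */
int checked_result(const uint8_t *rec, size_t rec_len) {
    char out[NAME_CAP];
    return parse_name_checked(rec, rec_len, out, sizeof out);
}

int checked_matches(const uint8_t *rec, size_t rec_len, const char *expected) {
    char out[NAME_CAP];
    if (parse_name_checked(rec, rec_len, out, sizeof out) < 0) return 0;
    return strcmp(out, expected) == 0;
}

/* The trusting parser on the one record it handles correctly. */
int trusting_result_good(void) {
    char out[NAME_CAP];
    return parse_name_trusting(good_record, out);
}

int main(void) {
    printf("trusting, good record:  %d\n", trusting_result_good());
    printf("checked,  good record:  %d\n", checked_result(good_record, sizeof good_record));
    printf("checked,  short record: %d\n", checked_result(short_record, sizeof short_record));
    printf("checked,  long record:  %d\n", checked_result(long_record, sizeof long_record));
    printf("checked,  edge record:  %d\n", checked_result(edge_record, sizeof edge_record));
    /* parse_name_trusting(long_record, ...) is deliberately not called:
     * it would write 200 bytes into a 16-byte buffer. */
    return 0;
}
```

The three rejected records map onto the three checks: `short_record` fails the received-bytes check (an over-read), `long_record` fails both, and `edge_record` fails only the destination check, the off-by-one that a trusting implementation misses because 16 payload bytes plus the terminating NUL is one byte too many for a 16-byte buffer.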


I think it's reasonable to think that the NSA is responsible for the existence of the exploit.

Seems like a stretch to go there, based on the available evidence so far.

There's a huge worldwide market for zero-day exploits, particularly in iOS, and a no-click vulnerability would be hugely valuable—probably worth several millions at least—but it's not like NSA is the only game in town looking (or paying) for them. It's probably a reasonable hypothesis that NSA knew about it once it started being used, maybe before, and didn't tell Apple about it (which is sort of the problem with NSA's mission: they're simultaneously supposed to be an outward-facing spy agency and an inward-facing security agency to protect US interests), but there are a variety of other state- and non-state actors who could have discovered it originally.

FWIW, there are a fair number of people who think Unit 8200 is at least on par with, if not ahead of, NSA in terms of offensive cyber operations research. (And that's not even Israel's tier-1 cyberwarfare unit; they also have Unit 81, which is reportedly even more selective and secretive.) I think it's also safe to presume that PLA Unit 61398 is well-resourced and has its own stash of zero-days.
posted by Kadin2048 at 10:20 AM on July 23 [3 favorites]


From Wiki:

Unit 8200 is the largest unit in the Israel Defense Forces, comprising several thousand soldiers...

Unit 8200 is staffed primarily by 18–21 year old conscripts. Selection and recruitment to the unit usually occurs at age 18 through the IDF screening process after high school. However, the unit also scouts potential younger recruits through after-school computer classes. These after-school computer classes, teaching 16–18 year olds computer coding and hacking skills, sometimes act as feeder programs for the unit, with students receiving invitation letters from the IDF.

The 18 year olds selected for the unit are primarily chosen for their ability to teach themselves and to learn very quickly as the unit will only have access to their services for a short time before their military service period ends.


Given conscription, that's going to produce a lot of skilled military-trained infosec specialists. Presumably more than any other one unit specialization.
posted by snuffleupagus at 12:51 PM on July 23 [1 favorite]


(make that 'more than any other specialized unit,' rather)
posted by snuffleupagus at 1:27 PM on July 23


Counterpunch: Pegasus Rides Again: the NSO Group, Spyware and Human Rights.
Referenced above but in greater detail, all the articles from the Forbidden Stories Pegasus project.
posted by adamvasco at 10:25 AM on July 26


Three Stories Reveal What Israel Prefers to Hide About NSO:
Perhaps the biggest question is this: Did Israel know who the NSO Group was selling to and what it was doing – or at least hoping to do – with its Pegasus spyware?

Two conversations with Israelis who work in the cyber world may point to a possible answer. One of them, much like the one at the start of this article, was told to lie about where he was from. While the former was advised to say he was from Albania, this Israeli was instructed to say he was from Malta. Why? Because Israelis cannot travel to Saudi Arabia, since Israel and Saudi Arabia do not have official ties.

In fact, another Israeli who traveled to the United Arab Emirates in late 2019, before the UAE and Israel normalized their ties as part of the Abraham Accords, recounts a similar story.

All three also recall a telling detail about their clandestine travels to the Gulf states: they were not clandestine at all. At least, not until the moment the commercial plane they were traveling on landed in the Gulf. They all took off from European capitals, traveling under their own names, with their own Israeli passports. However, they all explain that, upon arrival, an official from the local government boarded their plane, allowing all the other passengers to exit first, and then proceeded to personally examine their Israeli passport.

In all three cases, the official then pocketed the passport and personally walked them off the plane into a car waiting specifically for them on the tarmac. The passport was returned to them at the end of their trip.

What is the significance of these stories? That this is not the treatment a foreign national receives – and certainly not one from a country with no diplomatic ties – when they land uninvited in a foreign land. It strongly indicates that these Israelis were not uninvited and were not there in a purely private business capacity. In fact, it seems to confirm past reporting by Haaretz that suggests officials from both states were involved in helping clear, if not even orchestrate, the meetings.
posted by Glegrinof the Pig-Man at 2:00 PM on July 26