Revealed: leak uncovers global abuse of cyber-surveillance weapon
July 18, 2021 1:30 PM

Spyware sold to authoritarian regimes used to target activists, politicians and journalists, data suggests. Human rights activists, journalists and lawyers across the world have been targeted by authoritarian governments using hacking software sold by the Israeli surveillance company NSO Group, according to an investigation into a massive data leak. The investigation by the Guardian and 16 other media organisations suggests widespread and continuing abuse of NSO’s hacking spyware, Pegasus, which the company insists is only intended for use against criminals and terrorists.

NSO Group claims that its Pegasus spyware is only used to “investigate terrorism and crime” and “leaves no traces whatsoever”. This Forensic Methodology Report shows that neither of these statements are true. This report accompanies the release of the Pegasus Project, a collaborative investigation that involves more than 80 journalists from 17 media organizations in 10 countries coordinated by Forbidden Stories with technical support of Amnesty International’s Security Lab.

Amnesty International’s Security Lab has performed in-depth forensic analysis of numerous mobile devices from human rights defenders (HRDs) and journalists around the world. This research has uncovered widespread, persistent and ongoing unlawful surveillance and human rights abuses perpetrated using NSO Group’s Pegasus spyware.

PBS: THE PEGASUS PROJECT Live Blog: Major Stories from Partners
posted by Ahmad Khani (59 comments total) 41 users marked this as a favorite


This is the board of the NSO Group
Mexican malfeasance was already suspected in 2017
posted by adamvasco at 1:58 PM on July 18, 2021 [2 favorites]


As a counterpoint to Pinboard's assertion that we are incapable of producing defect-free software, I offer the following articles:

We Could Write Nearly Perfect Software but We Choose Not to -- far, far better software is possible if shipping flawed code hit companies in their bottom lines, rather than being either not dealt with at all as an externality or just brushed under the rug of "the cost of doing business."

Programmers: Stop Calling Yourselves Engineers -- far, far better software is possible if developers had a personal professional/career fiduciary duty to not ship flawed, misleading, or unsafe code.

Neither of these things is cheap or easy, but both are possible. Dismissing the idea of software with minimal or no defects as an impossibility pre-emptively closes the debate on shipping quality code and plays into the desire on the part of companies and developers to not be held responsible for the safety, fitness-for-purpose, and good faith (or bad faith) functional behaviors of what they ship.
posted by tclark at 2:03 PM on July 18, 2021 [39 favorites]


These two statements by NSO are contradictory:

The targeting of the 37 smartphones would appear to conflict with the stated purpose of NSO’s licensing of the Pegasus spyware, which the company says is intended only for use in surveilling terrorists and major criminals...

[NSO] also said it does not operate the spyware licensed to its clients and “has no insight” into their specific intelligence activities.


Either they know what their product is being used for and they're lying about not knowing, or they just sell to anyone who is a paying customer regardless of customers' intended usage or the outcomes from misuse. Can't claim both.

In any case, NSO executives appear to be accomplices to the murder of at least one more journalist, despite their claims otherwise.
posted by They sucked his brains out! at 2:08 PM on July 18, 2021 [12 favorites]


AP reported that Turkey has recordings of Khashoggi's murder. At the time I assumed that Turkey was admitting that it had bugged the Saudi consulate, but I suppose the more likely explanation is that some of the people killing him had their phones hacked, possibly with the same software that the Saudis used to entrap Khashoggi. There aren't any good guys in this, obviously, but it shows how the technology can be a two-edged sword.
posted by Joe in Australia at 2:29 PM on July 18, 2021 [1 favorite]


...which the company insists is only intended for use against criminals and terrorists.

Ultimately, a criminal or terrorist is whoever a government says is a criminal or terrorist. There's maybe a few extra performance steps in the former compared to the latter, depending on which privileged demographic one falls into or out of in any given polity, but not as many as those in the in-but-not-that-far-in-groups tend to assume. And of course the latter tends to erode the checks and balances intended to protect against declarations of the former; that's part of why the term was embraced.
posted by Drastic at 2:42 PM on July 18, 2021 [18 favorites]


IMHO, to an authoritarian regime, any private citizen who opposes its rule is a (potential?) "terrorist" and any organization that opposes it is a (suspect?) "terrorist organization" because it (officially) sees no difference between itself (the regime) and the governed. People are the state and the state is the people.

It's only in western views, where there's a clear separation between the government and the people, that a difference is drawn between terrorist and freedom fighter, using Just War Theory.

And like a gun, it totally depends on the perspective and who's holding the weapon. Tools are just tools. It's up to the user to determine its purpose.
posted by kschang at 2:56 PM on July 18, 2021 [3 favorites]


Either they know what their product is being used for and they're lying about not knowing, or they just sell to anyone who is a paying customer regardless of customers' intended usage or the outcomes from misuse. Can't claim both.

They require that buyers not express intentions contrary to that statement, they don't operate the software themselves, that's it. It's not contradictory, it's the usual cop out.

Guns programs don't kill, people do.
posted by snuffleupagus at 3:27 PM on July 18, 2021 [6 favorites]


Interesting to see that the Five Eyes countries, Russia and China are absent from the list of clients. Which suggests that NSO is a second-tier substitute for what they have.

I'm guessing the Mossad/Shin Bet also have much better toys that they're not sharing.
posted by acb at 3:41 PM on July 18, 2021 [13 favorites]


Twitter thread
NSO Group's "US branch" Westbridge Technologies received loans worth up to $265,000,000 from Credit Suisse's Cayman Islands branch. NSO has repeatedly sworn in court that they had no US operations.
posted by adamvasco at 4:17 PM on July 18, 2021 [3 favorites]


Edward Snowden: "The Israeli company behind this -- the NSO group -- should bear direct, criminal liability for the deaths and detentions of those targeted by the digital infection vectors it sells, which have no legitimate use."

Why exactly do we still listen to this guy? He did his hero thing but he's an idiot when it comes to infosec. Attack vectors don't go away because someone isn't monetizing them. NSO Group are shitheads but if there are attack vectors that someone is selling then we also know there are attack vectors to be fixed.
posted by Your Childhood Pet Rock at 4:49 PM on July 18, 2021 [4 favorites]


Is any of the bad actors in this story interested in fixing those holes? Is NSO?

Packaged zero-days for anyone who will pay is in no way "legitimate".
posted by tigrrrlily at 5:03 PM on July 18, 2021 [5 favorites]


Depends on whether fix means "the same shit we claimed before but for real, as long as we're being watched" or, you know, actually changing the context that lets this industry exist in its current incarnation.
posted by snuffleupagus at 5:37 PM on July 18, 2021


Is any of the bad actors in this story interested in fixing those holes? Is NSO?

The point is that any exploit that's not being kept secret can (will?) eventually be tracked down and removed if the vendor is worth a damn. NSO are not without blame or culpability but to pretend the world would get materially better if they stopped is a fantasy.

Like I get that people think attack surfaces are infinite just by the nature of how many complex parts are interworking but practically they're not. These exploits are well crafted pieces of code that rely on things being broken just right and they're not easy to craft and can't exactly be done on demand. It's like having matches in a box while camping. Once they're burned they're done and it's extremely hard to procure new ones. Selling an exploit might as well be holding one of your valuable and limited matches next to a camp stove for shits and giggles.

Do I think every country with a half decent cyber capability has secret/proprietary zero days in their back pocket? Probably. But those zero days may also get neutered when an exploit that someone was selling either in the light of day or on the dark web makes its way back to Apple or Google. It's a game of inches and NSO, even being bad actors, are giving up valuable information (for free!) that helps gain inches against other bad actors.
posted by Your Childhood Pet Rock at 5:38 PM on July 18, 2021 [3 favorites]


If anyone knows, has there been any discussion or exploration of regulating zero days and the like as munitions, and requiring their purveyors to register as arms dealers?

Encryption has famously been treated that way, at least to some extent with export controls.
posted by snuffleupagus at 5:47 PM on July 18, 2021


Yes, NSO Group's product is subject to export controls. Israel individually approves each country it is sold to.
posted by ryanrs at 8:44 PM on July 18, 2021 [6 favorites]


Edward Snowden: "The Israeli company behind this -- the NSO group -- […]

That's a bit of a dog whistle; it would have been more normal to just say “the company behind this”, or “the NSO group”; it's not more or less wrong just because the people behind it speak Ivrit. And although Snowden has obvious reasons for not criticising Russia's enormous government-controlled hacking enterprises, the fact that he doesn't do so means that his critical utterances on any related subject must be perceived as hypocritical, if not actively tendentious. It's a pity, but there it is: if he's silenced by Putin, we must expect that when he speaks, his statements have been officially approved.

One thing this underscores is that when it comes to electronic intelligence the world's nations are divided into two groups: the ones who can basically order any phone interception they want, like the US and presumably the other Five Eyes (and, one way or another, probably Russia) and the ones who rely on purchased hacks like this. It says something that Saudi Arabia had to purchase a neatly-wrapped exploit like this: you'd think they'd have access to enough expertise to duplicate it domestically after learning about it.
posted by Joe in Australia at 10:45 PM on July 18, 2021 [6 favorites]


Why exactly do we still listen to this guy? He did his hero thing but he's an idiot when it comes to infosec. Attack vectors don't go away because someone isn't monetizing them. NSO Group are shitheads but if there are attack vectors that someone is selling then we also know there are attack vectors to be fixed.

I don’t get this take. That statement doesn’t read as a blanket opposition to professional security research, to me?
posted by atoxyl at 11:31 PM on July 18, 2021


Not to derail, but are we saying Snowden is antisemitic now? Just trying to keep track. A few weeks ago we were saying he was antiblack, it's hard to keep up.
posted by flamk at 12:00 AM on July 19, 2021 [10 favorites]


I don't know why Snowden chose to emphasise that it was an Israeli company; as if that were the truly significant thing about it, even more than its actual name. It is the sort of thing an antisemite would do, though. People make verbal dog whistles specifically because they're deniable, so all I can say is: it was an awkward and unusual expression and it looks as though it was meant less to inform than to create a particular impression.
posted by Joe in Australia at 12:38 AM on July 19, 2021 [7 favorites]


> By the way, saying that only "authoritarian regimes used to target activists", is a bit misleading. Or perhaps we should start to consider France to be authoritarian regime...

From the article: there are French phones in the list of targets, but there is no mention of France having bought the software.
posted by haemanu at 1:05 AM on July 19, 2021 [2 favorites]


It's very much a false distinction anyway: look at the way the US and other Western countries have characterised people pushing for social change, at home and abroad.
posted by Joe in Australia at 1:16 AM on July 19, 2021


> If anyone knows, has there been any discussion or exploration of regulating zero days and the like as munitions, and requiring their purveyors to register as arms dealers?

Yes, they're munitions under International Traffic in Armaments Regulations (ITAR) and should be controlled when you know the exploit would break laws like the Computer Fraud and Abuse Act (CFAA).

That's something done by USA Commerce Department, determining (and imposing sanctions) when traffic in arms breaches these regulations. Crucially it can hinge on whether it involves USA people -- you'll notice that many of the regimes involved are authoritarian and/or adjacent to the rules-based international order.
posted by k3ninho at 2:06 AM on July 19, 2021 [3 favorites]


it was an awkward and unusual expression and it looks as though it was meant less to inform than to create a particular impression

But the fact it’s an Israeli company is right there in all the headlines or initial paragraphs in articles about this everywhere, starting with the Guardian... Snowden is hardly the first person to "emphasise". It’s not emphasising even, it’s part of the story. Should the Guardian and other outlets too have purposefully omitted that it’s an Israeli company, just because there are antisemites who will latch on to that?
posted by bitteschoen at 2:26 AM on July 19, 2021 [1 favorite]


Mod note: Joe in Australia, please drop this derail.
posted by taz (staff) at 3:00 AM on July 19, 2021


As a general rule, "But everyone's doing it" says nothing one way or another about whether a practice is biased or ethical.
posted by eviemath at 3:30 AM on July 19, 2021 [1 favorite]


Should the Guardian and other outlets too have purposefully omitted that it’s an Israeli company, just because there are antisemites who will latch on to that?

Also in general, if the nationality of a company or individual being reported on is not relevant to the story being told by a particular article, then the journalist and editors responsible are likely themselves exhibiting bias. If the nationality is relevant, the manner in which it is relevant (e.g. the article discusses export law issues, or is in a finance rag that gives the stock exchange info of all companies mentioned in all articles) will be explained clearly enough that if others later mention the nationality when it is not relevant, we can draw any relevant conclusions (or not) based on that context without that reflecting on the original journalists. That conclusion might be that someone is kind of lazy or does not have strong critical thinking skills if they repeat a standard description of a company or person (beyond just their name) without thinking at all about why they're repeating the whole description and not just the name. Though there are certainly cases where the descriptor has been used by other speakers in a biased or bigoted manner, so it's not unreasonable to be extra sensitive to common examples such as when "Jewish", "Arab"/"Muslim", or "inner city" are the added descriptors.
posted by eviemath at 3:43 AM on July 19, 2021 [3 favorites]


As a general rule, "But everyone's doing it" says nothing one way or another about whether a practice is biased or ethical.

No that wasn’t meant as "but everyone’s doing it" as some kind of moral justification - there is nothing to be justified here, NSO Group is the company in question at the heart of this story and it is an Israeli company, it’s a fact that is very much part of the story - not least because as has already been pointed out above, where a company is located and the jurisdiction it operates under tends to matter too in respect to what that company is doing.
It’s absurd to suggest some kind of antisemitic bias through the mere reporting of a very relevant fact!
posted by bitteschoen at 4:08 AM on July 19, 2021 [3 favorites]


Also in general, if the nationality of a company or individual being reported on is not relevant to the story being told by a particular article, then the journalist and editors responsible are likely themselves exhibiting bias.

Worth noting that one of the newspapers that collaborated with the Guardian on this reporting is Haaretz, a popular Israeli Hebrew/English publication. Haaretz's series of articles on NSO Group consistently refers to the company as Israeli, and another even starts out with the statement "Israel is a longtime weapon exporter to numerous states, some of which frequently violate human rights. Israeli weapons have been used by despotic regimes and, shamefully, even in cases of genocide."
posted by Glegrinof the Pig-Man at 4:11 AM on July 19, 2021 [15 favorites]


More Haaretz reporting on NSO Group and its connections with the former Defense Minister (and current Prime Minister) here: ‘No Tenders in War’: Defense Minister Insists on Team-up With NSO to Battle Coronavirus
Defense Minister Naftali Bennett has no intention of backing off of his plan to partner with controversial Israeli spyware firm NSO in creating a system grading citizens on their likelihood of spreading the coronavirus, despite the Justice Ministry’s reservations.

Earlier on Wednesday, the Justice Ministry said it was an unusual step as it hands private information about citizens to a private company. The problem is even greater given that the Shin Bet was allowed to track citizens only by invoking emergency regulations.

The Shin Bet’s legal department also expressed reservations about sharing information with a private company. Moreover, the Health Ministry has so far not indicated any need for such measures.

Bennett recruited NSO Group, which has been accused of involvement in human rights violations, to build the rating system for citizens based on data collected by the Shin Bet security agency.

Responding to a query from Haaretz, Bennett confirmed that he has “a general familiarity” with NSO Group’s president, Shiri Dolev. When asked whether such a project should require issuing a tender, Bennett replied: “There are no tenders in war.”

Dolev is a close friend of Bennett’s party colleague Ayelet Shaked, who backed the initiative in the Knesset without mentioning the connection. She appeared alongside Shaked on a TV program in 2017, where she was introduced as her best friend.
posted by Glegrinof the Pig-Man at 4:17 AM on July 19, 2021 [6 favorites]


Amazon is shutting down NSO Group infrastructure. Not sure if *all* of it, or just what they deem as relevant. Forensic reports have shown that the Israeli company's spyware uses Amazon Web Services.
In Brazil, Carlos Bolsonaro, the bolsonazi son, was in negotiation with NSO earlier in the year. His father and Netanyahu were big buddies, so yes, I am thinking that NSO definitively has government backing and approval.
posted by adamvasco at 12:22 PM on July 19, 2021


it’s a fact that is very much part of the story - not least because as has already been pointed out above, where a company is located and the jurisdiction it operates under tends to matter too in respect to what that company is doing.

For the articles on the specific company that is the subject of this FPP that are reporting on how the national jurisdiction of the company affects things, as some other commenters have quoted and pointed out, that is relevant to those articles, yes. I've certainly seen news articles about other companies or individuals that identify their nationality without following up on how or why that is relevant, however. So making a blanket statement, as you did, that Snowden couldn't have been using "Israeli company NSO" in a biased or dogwhistle way merely because lots of news articles used that phrase is a couple steps shy of being a sufficient argument. One may or may not be able to theoretically fill in those steps: from the links above, a number of articles have explained the relevance of NSO's nationality (personally, I think it brings up a couple important questions in addition to what has already been touched on in this thread), but that doesn't mean all of them have; and, in the second step, from what I've seen so far it doesn't sound like it was relevant to Snowden's comments. But as your comment was written, you didn't fill in those steps, and it didn't sound like you realized that there were missing details to fill in, so you ended up making a statement that was certainly an incorrect argument in the generality it seemed to be applying.
posted by eviemath at 8:15 PM on July 19, 2021


On the list: Ten prime ministers, three presidents and a king [WaPo archive.org link]
Among 50,000 phone numbers, the Pegasus Project found those of hundreds of public officials
But here’s who’s on the list: Three sitting presidents, France’s Emmanuel Macron, Iraq’s Barham Salih and South Africa’s Cyril Ramaphosa. Three current prime ministers, Pakistan’s Imran Khan, Egypt’s Mostafa Madbouly and Morocco’s Saad-Eddine El Othmani.

Seven former prime ministers, who according to time stamps on the list were placed there while they were still in office, including Lebanon’s Saad Hariri, Uganda’s Ruhakana Rugunda, and Belgium’s Charles Michel.

And one king: Morocco’s Mohammed VI.
posted by Ahmad Khani at 11:31 AM on July 20, 2021 [1 favorite]


More from Haaretz:

Where Netanyahu Went, NSO Followed: How Israel Pushed Cyberweapon Sales
The correlation between NSO’s client list and the development of Israel’s diplomatic relations with these countries has become clear. And given this, a question must be asked: What role did Israel officially play in promoting offensive cyber products in these countries?

Based on conversations with a long list of senior executives in Israel’s offensive cyber industry, it appears that Israeli state worked proactively to get Israeli cyberweapon companies, first and foremost NSO, to operate in these countries, despite their problematic records on democracy and human rights.
Revealed: Israel's Cyber-spy Industry Helps World Dictators Hunt Dissidents and Gays
The reports about Pegasus prompted Meretz MK Tamar Zandberg and human rights lawyer Itay Mack to go to court in 2016 with a request to suspend NSO’s export permit. At the state’s request, however, the deliberations were held in camera and a gag order was issued on the judgment. Supreme Court President Justice Esther Hayut summed up the matter by noting, “Our economy, as it happens, rests not a little on that export.”

The Defense Ministry benefits from the news blackout. Supervision takes place far from the public eye – not even the Knesset’s Foreign Affairs and Defense Committee is privy to basic details of the lion’s share of Israel’s defense exports. Contrary to the norms that exist in other democracies, the ministry refuses to disclose the list of countries to which military exports are prohibited, or the criteria and standards that underlie its decisions.

A comprehensive investigation carried out by Haaretz, based on about 100 sources in 15 countries, had as its aim lifting the veil of secrecy from commerce based on means of espionage. The findings show that Israeli industry has not hesitated to sell offensive capabilities to many countries that lack a strong democratic tradition, even when they have no way to ascertain whether the items sold were being used to violate the rights of civilians. The testimonies show that the Israeli equipment has been used to locate and detain human rights activists, persecute members of the LGBT community, silence citizens who were critical of their government and even to fabricate cases of blasphemy against Islam in Muslim countries that don't maintain formal relations with Israel. The Haaretz investigation also found that Israeli firms continued to sell espionage products even when it was revealed publicly that the equipment was used for malicious purposes.
posted by Glegrinof the Pig-Man at 1:36 PM on July 20, 2021 [7 favorites]


Pegasus: NSO Group's long history of trials and denials
Middle East Eye delves into the long list of accusations NSO has faced over the years, and how the company has responded.
posted by adamvasco at 5:06 PM on July 20, 2021 [4 favorites]


Israeli human rights activist Eitay Mack: Israel's NSO and Pegasus Are a Clear and Present Danger to Democracy Around the World
But even now, when the trickle of information about NSO has become a tsunami, in particular its Pegasus spyware (believed to have been acquired by numerous authoritarian governments as a spyware weapon to target political opponents, journalists and human rights activists), Ben & Jerry's decision to stop selling its products in the occupied territories is still the most discussed issue in Israel – and the trigger for the loudest outrage.

Perhaps there was never any reason to expect otherwise from a state that defines itself as democratic but, for 54 years, has been holding millions of Palestinians hostage to its whims.

After 12 years of Benjamin Netanyahu's tenure as prime minister, in which human rights activists and Knesset members were smeared as supporters of terrorism, critical journalists deemed enemies of the people and left-wing voters as traitors, why would the Israeli public, which had grown accustomed to view dissident voices as enemies, care about what happens to journalists in Azerbaijan, India or Hungary?

If Israel holds hundreds of Palestinians in administrative detention, without trial at all times, why would there be any outcry if new friends Saudi Arabia and Rwanda use an NSO system, born and bred in Israel, to incriminate opposition activists so they then rot in prison?

Israel’s Prime Minister Naftali Bennett, its Ministry of Foreign Affairs, and other cabinet ministers decided it was urgent and essential to condemn in a unified demagogic wave the ice cream brand’s decision and even claimed, implicitly or explicitly, that it fueled antisemitism and terrorism.

But they all retain the right to remain silent regarding the Defense Ministry granting licenses to NSO, which serve in practice as licenses for state-sponsored terrorism against civil society around the world.
posted by Glegrinof the Pig-Man at 5:34 AM on July 21, 2021 [6 favorites]


And more from the Washington Post:

U.S. and E.U. security officials wary of NSO links to Israeli intelligence
U.S. and European security officials regard the company with a degree of suspicion despite the ability of its technology to help combat terrorists and violent criminals. In interviews, several current and former officials said they presumed that the company, which was founded by former Israeli intelligence officers, provides at least some information to the government in Jerusalem about who is using its spying products and what information they’re collecting.

“It’s crazy to think that NSO wouldn’t share sensitive national security information with the government of Israel,” said one former senior U.S. national security official who has worked closely with the Israeli security services and, like others, spoke on the condition of anonymity to candidly describe intelligence operations. “That doesn’t mean they’re a front for the Israeli security agencies, but governments around the world assume that NSO is working with Israel.”

Though NSO is a private company, U.S. officials have long suspected that some information it collects is also viewed by the Israeli government, said a current U.S. official familiar with the matter.
How Washington power brokers gained from NSO’s spyware ambitions
The Israeli surveillance giant NSO Group and companies linked to it or its founders have spent millions of dollars in hopes of wooing their way into the U.S. market, hosting demonstrations for government intelligence officials and hiring Washington’s most prominent names despite pledges that its phone-hacking tool can’t be used inside the United States.

The company’s attempts to secure U.S. contracts appear to have been unsuccessful, with federal and local law enforcement agency representatives saying in emails and interviews that they balked at its Pegasus spyware tool’s million-dollar price tag.

But an influential network of Washington consultants, lawyers, lobbyists and other prominent personalities have earned money from the company, its parent company or its founders, a Washington Post review of government and company filings shows. Those beneficiaries include some of the most powerful members of the Obama, Trump and Biden administrations.
posted by Glegrinof the Pig-Man at 7:04 AM on July 21, 2021


I personally know someone, a journalist in Mexico, who was targeted by Pegasus by both this and the previous administration, who bought the software, and it's not fun. He's been threatened at his home by people either from or pretending to be from several cartels. Many details from his personal conversations have been leaked in the last four years, which led to him being really paranoid, until his number popped up in Amnesty international's research and they let him know. His whole phone was cloned. All his messages, passwords, calls, emails, pictures, browsing history, everything was copied as if it went to one phone. Now he's even more paranoid, but not from his friends and family, at least.
He hasn't stopped writing, though. Respect. I would have quit a long time ago.
posted by omegar at 8:44 AM on July 21, 2021 [6 favorites]


It should be noted that NSO Group isn't the only company in this space. The other big operation is Cellebrite—discussed here on the Blue back in April—and it also "works with law enforcement agencies and has a long list of clients – including regimes with shady human rights records" (Haaretz).

Cellebrite's core product, called UFED (Universal Forensic Extraction Device), works somewhat differently than Pegasus: it's not an over-the-air data extractor, but relies on physical access to the target device. But importantly, it works even if the device is locked, and unlike Pegasus, it can be used clandestinely, leaving no traces on the target device afterwards. In some ways it represents a greater threat than Pegasus: if you've ever let your phone out of your sight (e.g. at a repair shop, or on a charger in your hotel room while out to dinner, or a million other scenarios), everything on it could have been copied without your knowledge—and there's no way to ever be sure.

Although the Israelis seem to be leading the pack in terms of technical capabilities, the US isn't totally out of the game, either: Atlanta-based Grayshift sells a $15,000-30,000 product called GrayKey, which was apparently good enough at its one job of unlocking iPhones that it caused Apple to tighten its security over USB devices significantly.

There is a whole industry at work that deserves to have a lot more light shed on it than it gets.
posted by Kadin2048 at 1:06 PM on July 21, 2021 [4 favorites]


Shouldn't really be surprised about the Israeli State working hand in glove with local hi-tech security / intel companies. Black Cube was only three years ago, and then there was the WhatsApp security breach, noted at the time by the FT as a harbinger of Pegasus.
posted by adamvasco at 6:48 AM on July 22, 2021 [1 favorite]


> The spyware scandal in the news today is a chance to reiterate that human beings are incapable of producing defect-free software at any scale. In particular, there is no such thing as a secure online system or a secure mobile platform. This foundational issue won't go away (threadreader)

A case against security nihilism
In a perfect world, US and European governments would wake up and realize that arming authoritarianism really is bad for democracy — and that whatever trivial benefit they get from NSO is vastly outweighed by the very real damage this technology is doing to journalism and democratic governance worldwide.

But I’m not holding my breath for that to happen.

In the world I inhabit, I’m hoping that Ivan Krstić wakes up tomorrow and tells his bosses he wants to put NSO out of business. And I’m hoping that his bosses say “great: here’s a blank check.” Maybe they’ll succeed and maybe they’ll fail, but I’ll bet they can at least make NSO’s life interesting.

But Apple isn’t going to do any of this if they don’t think they have to, and they won’t think they have to if people aren’t calling for their heads. The only people who can fix Apple devices are Apple (very much by their own design) and that means Apple has to feel responsible each time an innocent victim gets pwned while using an Apple device. If we simply pat Apple on the head and say “gosh, targeted attacks are hard, it’s not your fault” then this is exactly the level of security we should expect to get — and we’ll deserve it.
posted by tonycpsu at 3:17 PM on July 22, 2021 [2 favorites]




The only people who can fix Apple devices are Apple (very much by their own design)

That's not necessarily the case. It's strange that an exploit of this seriousness would have persisted for so long, given that Apple designed the hardware and is the publisher of both the OS and the software responsible. Apple seems to have worked hard to prevent most attacks on iPhones, but the NSA is notorious for sabotaging hardware and I understand that its leaked software has been the basis of many rootkits and trojans. It has even subverted cryptography standards in order to subtly weaken them. The USA really, really wants the ability to tap phones and data systems; it has a long system of doing that; and it has a vast array of legal and extra-legal tools at its disposal.

Given all that, I think it's reasonable to think that the NSA is responsible for the existence of the exploit. Maybe it's a subtle flaw in a cryptography standard that Apple can't figure out; maybe it's a backdoor that they were forced to include. I note that the USA is apparently not a customer of the NSO group; I consider that evidence-by-absence to be quite striking: it tells me that they have the same exploit, or something like it; one that doesn't leave the same footprint.
posted by Joe in Australia at 7:26 PM on July 22, 2021 [1 favorite]


It's strange that an exploit of this seriousness would have persisted for so long, given that Apple designed the hardware and is the publisher of both the OS and the software responsible.

Given all that, I think it's reasonable to think that the NSA is responsible for the existence of the exploit.

I don’t think you’ll find much support among security professionals for this conspiracy theory. It hasn’t been one exploit but many over the years, carefully guarded to increase the period of time before Apple learns the mechanism and patches it.

The vulnerabilities and that process look exactly like what you’d expect from the parsimonious explanation: Apple, like almost all other large software vendors, has a lot of code written in unsafe languages like C and Objective-C, and they haven’t historically been willing to spend the money comprehensively replacing it with safer modern languages like Swift (clearly that’s a long-term goal but they could get there a lot faster by dropping 0.1% of their profits).

If you follow @lazyfishbarrel note how often this is the case for exploits in just about every major program. There are other ways we see serious problems (e.g. recent news of Microsoft’s botch of the Windows SAM permissions) but most of it comes back to legacy code with insufficient market pressure to be more proactive about replacing it.
posted by adamsc at 6:11 AM on July 23, 2021 [3 favorites]
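The comment above attributes most of these exploits to legacy code in memory-unsafe languages. As an added illustration (not code from the thread, from Apple, or from NSO), here is the defect pattern in miniature: a parser for a constructed length-prefixed record format that trusts a length byte from the wire, placed beside the hardened form that bounds-checks every input-derived length before using it as an offset or copy size. The format, the `record` struct and all sample inputs are invented for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed example format: 1-byte type, 1-byte length, then `length`
 * payload bytes. Decoders for messages, images and fonts are built from
 * exactly this kind of step, repeated many times over. */

#define MAX_PAYLOAD 16

struct record {
    uint8_t type;
    uint8_t len;
    uint8_t payload[MAX_PAYLOAD];
};

/* Defect pattern: the length byte is trusted without checking it against
 * the bytes actually supplied or the size of the destination buffer. On a
 * hostile input this reads past `buf` and writes past `payload`. Kept only
 * for contrast; never to be called on untrusted data. */
int parse_record_unchecked(const uint8_t *buf, size_t buf_len, struct record *out)
{
    (void)buf_len;                       /* the bug: the bound is ignored */
    out->type = buf[0];
    out->len  = buf[1];
    memcpy(out->payload, buf + 2, out->len);
    return 0;
}

/* Hardened form: every length derived from input is validated before it
 * is used. Returns 0 on success, -1 on a malformed record. */
int parse_record_checked(const uint8_t *buf, size_t buf_len, struct record *out)
{
    if (buf == NULL || out == NULL)
        return -1;
    if (buf_len < 2)                     /* header must be fully present */
        return -1;
    uint8_t len = buf[1];
    if (len > MAX_PAYLOAD)               /* would overflow payload[] */
        return -1;
    if ((size_t)len > buf_len - 2)       /* claims more bytes than supplied */
        return -1;
    out->type = buf[0];
    out->len  = len;
    memcpy(out->payload, buf + 2, len);
    memset(out->payload + len, 0, MAX_PAYLOAD - len);  /* no stale bytes */
    return 0;
}

/* Convenience wrapper: parses with the checked routine and returns the
 * record's payload length, or -1 if the input was rejected. */
int checked_record_len(const uint8_t *buf, size_t buf_len)
{
    struct record r;
    if (parse_record_checked(buf, buf_len, &r) != 0)
        return -1;
    return r.len;
}

int main(void)
{
    /* Constructed sample inputs */
    const uint8_t good[]      = {0x01, 0x03, 'a', 'b', 'c'};
    const uint8_t truncated[] = {0x01, 0x0a, 'a', 'b'};   /* claims 10, has 2 */
    const uint8_t oversized[] = {0x01, 0xff};             /* claims 255 */

    printf("good: %d\n", checked_record_len(good, sizeof good));
    printf("truncated: %d\n", checked_record_len(truncated, sizeof truncated));
    printf("oversized: %d\n", checked_record_len(oversized, sizeof oversized));
    return 0;
}
```

The two functions differ by three comparisons, which is the point: in C nothing forces those comparisons to exist, and a decoder that omits one of them on any code path is a memory-corruption bug waiting for a crafted input. A memory-safe language makes the checked behaviour the default rather than something each call site has to remember.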


I think it's reasonable to think that the NSA is responsible for the existence of the exploit.

Seems like a stretch to go there, based on the available evidence so far.

There's a huge worldwide market for zero-day exploits, particularly in iOS, and a no-click vulnerability would be hugely valuable—probably worth several millions at least—but it's not like NSA is the only game in town looking (or paying) for them. It's probably a reasonable hypothesis that NSA knew about it once it started being used, maybe before, and didn't tell Apple about it (which is sort of the problem with NSA's mission: they're simultaneously supposed to be an outward-facing spy agency and an inward-facing security agency to protect US interests), but there are a variety of other state- and non-state actors who could have discovered it originally.

FWIW, there are a fair number of people who think Unit 8200 is at least on par with, if not ahead of, NSA in terms of offensive cyber operations research. (And that's not even Israel's tier-1 cyberwarfare unit; they also have Unit 81, which is reportedly even more selective and secretive.) I think it's also safe to presume that PLA Unit 61398 is well-resourced and has its own stash of zero-days.
posted by Kadin2048 at 10:20 AM on July 23, 2021 [4 favorites]


From Wiki:

Unit 8200 is the largest unit in the Israel Defense Forces, comprising several thousand soldiers...

Unit 8200 is staffed primarily by 18–21 year old conscripts. Selection and recruitment to the unit usually occurs at age 18 through the IDF screening process after high school. However, the unit also scouts potential younger recruits through after-school computer classes. These after-school computer classes, teaching 16–18 year olds computer coding and hacking skills, sometimes act as feeder programs for the unit, with students receiving invitation letters from the IDF.

The 18 year olds selected for the unit are primarily chosen for their ability to teach themselves and to learn very quickly as the unit will only have access to their services for a short time before their military service period ends.


Given conscription, that's going to produce a lot of skilled military-trained infosec specialists. Presumably more than any other one unit specialization.
posted by snuffleupagus at 12:51 PM on July 23, 2021 [1 favorite]


(make that 'more than any other specialized unit,' rather)
posted by snuffleupagus at 1:27 PM on July 23, 2021


Counterpunch: Pegasus Rides Again: the NSO Group, Spyware and Human Rights.
Referenced above but in greater detail, all the articles from the Forbidden Stories Pegasus project.
posted by adamvasco at 10:25 AM on July 26, 2021


Three Stories Reveal What Israel Prefers to Hide About NSO:
Perhaps the biggest question is this: Did Israel know who the NSO Group was selling to and what it was doing – or at least hoping to do – with its Pegasus spyware?

Two conversations with Israelis who work in the cyber world may point to a possible answer. One of them, much like the one at the start of this article, was told to lie about where he was from. While the former was advised to say he was from Albania, this Israeli was instructed to say he was from Malta. Why? Because Israelis cannot travel to Saudi Arabia, since Israel and Saudi Arabia do not have official ties.

In fact, another Israeli who traveled to the United Arab Emirates in late 2019, before the UAE and Israel normalized their ties as part of the Abraham Accords, recounts a similar story.

All three also recall a telling detail about their clandestine travels to the Gulf states: they were not clandestine at all. At least, not until the moment the commercial plane they were traveling on landed in the Gulf. They all took off from European capitals, traveling under their own names, with their own Israeli passports. However, they all explain that, upon arrival, an official from the local government boarded their plane, allowing all the other passengers to exit first, and then proceeded to personally examine their Israeli passport.

In all three cases, the official then pocketed the passport and personally walked them off the plane into a car waiting specifically for them on the tarmac. The passport was returned to them at the end of their trip.

What is the significance of these stories? That this is not the treatment a foreign national receives – and certainly not one from a country with no diplomatic ties – when they land uninvited in a foreign land. It strongly indicates that these Israelis were not uninvited and were not there in a purely private business capacity. In fact, it seems to confirm past reporting by Haaretz that suggests officials from both states were involved in helping clear, if not even orchestrate, the meetings.
posted by Glegrinof the Pig-Man at 2:00 PM on July 26, 2021


I Worked at Israeli Phone Hacking Firm Cellebrite. They Lied to Us
The argument that arms exports are worth billions of dollars to the State of Israel shocks me with its selfishness and cruelty. It says that in exchange for lots of money, it’s okay to lend a hand to systematic violations of human rights. Every journalist should see his or her primary task as opposing this.

Other arguments in defense of these exports are no less inane. The claim that NSO operates in Israel for Zionist reasons and could just as well move to Cyprus and no longer employ Israelis is not true. NSO is based on the skills and knowledge of Israeli workers, veterans of the intelligence community who learned the secrets of the trade in the army, the Shin Bet security service, and the Mossad. This is no trivial matter. The skills they have acquired are at the forefront of information security research and development; they cannot be obtained almost anywhere else in the world, certainly not in Cyprus or Saudi Arabia. There are many such professionals in Israel, but smaller numbers in other countries.

That leads directly to another argument, namely that governments could buy the same services from China, therefore better that we sell it to them instead. Beyond the fact that this means that Israel’s defense establishment – by virtue of the fact that it grants approvals for exports – becomes an active collaborator in other countries’ “unpleasant activities”, as TV journalist Alon Ben-David put it, supporters of current policies need to ask themselves why the Saudis turned to Israel and not to China in the first place.
posted by Glegrinof the Pig-Man at 9:35 AM on July 27, 2021 [3 favorites]


NSO Group affair is latest in Israel’s long history of arming shady regimes
Despite the current controversy over the NSO Group, these defense exports to countries with poor human rights records are unlikely to end soon, especially as one of the few potential tools available to opponents of these sales — albeit a largely ineffectual tool — was recently taken away completely. Until last month, petitions could be filed in the courts calling for the Defense Ministry to halt export licenses in cases where Israeli weapons were being used to commit war crimes or human rights violations.

But on June 27, the High Court of Justice issued a ruling in response to such an appeal by Mack that not only rejected his petition — calling for a revocation of the cyber-surveillance firm Cellebrite’s permits to sell its products to Russia — but also deemed the entire issue of weapons sales to no longer be subject to judicial oversight, except for in cases of blatant illegality.

“The considerations in the hands of the country’s authorities are particularly broad. On these issues, this court will not intervene except in extraordinary cases,” the justices Alex Stein, David Mintz and Einat Baron wrote.

Efforts to block defense exports through legal appeals have rarely succeeded. In some cases, these petitions have resulted in firms unilaterally restricting their sales to the country in question — Cellebrite, for instance, agreed to not sign new contracts with Russia and Belarus — but they are generally dismissed by Israeli courts, deferring to the Defense Ministry’s considerations.

The only potential for change now lies in legislation, though there are no longer any clear champions for the cause of regulating defense exports in the Knesset.
posted by Glegrinof the Pig-Man at 12:02 PM on July 28, 2021


Jewish Currents: Exporting the Tools of Apartheid
So how did Israel, a small country running a military occupation, become the premier facilitator of transnational repression through cyber-espionage technology? The answer most likely involves the $3.8 billion a year that Israel receives in US military financing. Though the US Foreign Military Financing program generally requires that participating countries use the money they receive to buy weapons from US manufacturers—the idea being that US taxpayers’ money should be spent with US suppliers—Israel, the sole exception to this rule, is allowed to spend around 25% of its allotment in its own military industry. Since this “off-shore procurement” exception for Israel began in 1984, American taxpayers have pumped billions of dollars into the Israeli military industry. Partly as a result, Israel has become the largest per capita arms exporter in the world—and no small part of those exports fall into the category of military intelligence. Between 2016 and 2020, Israel was eighth on the list of global arms exporters despite ranking around 30th in GDP and 100th in population.

Israel’s prowess in the arms trade is also made possible by the tight relationship between the state’s military intelligence industry and its military intelligence forces, a relationship largely fostered by Unit 8200. Haaretz has reported that 80% of the founders involved in establishing Israel’s 700 local cyber companies “belong to the exclusive club created in the IDF’s intelligence units, notably Unit 8200.” A former leader of Unit 8200 stated it plainly: “This correlation between serving in the intelligence Unit 8200 and starting successful high-tech companies is not coincidental: Many of the technologies in use around the world and developed in Israel were originally military technologies and were developed and improved by Unit veterans.”
. . .

Now, Israeli intelligence products are quite literally performing surveillance work for other undemocratic regimes around the world, and ties built and cemented with arms and intelligence deals are embedding Israel in the very center of a global authoritarian axis. This is another clear reminder that what happens in Palestine doesn’t stay in Palestine. The abuses of the Israeli state against Palestinians—in which US taxpayers are complicit—have consequences around the world.
posted by Glegrinof the Pig-Man at 6:19 AM on July 29, 2021


The cat's out of the bag but anyway: Israeli spyware company NSO Group has temporarily blocked several government clients around the world from using its technology as the company investigates their possible misuse, a company employee told NPR on Thursday.
The fallout continues with Pegasus spyware owner Novalpina to be liquidated after failure to resolve internal bust-up; however, the winding-up of Novalpina is not directly connected to the NSO scandal, but will raise questions about the future ownership and management of such a controversial business.
posted by adamvasco at 6:21 AM on July 30, 2021


Israel Wants to Have Its Ice Cream and Cybersecurity, Too
Israel is a leading exporter of state-of-the-art surveillance technology such as face recognition, internet monitoring and biometric data collection. (High-tech industry constituted 46 percent of Israeli exports in 2019.) It tests and utilizes these tools every day in the occupied territories as part of its intricate system of control over the movement and lives of millions of Palestinians. In recent years, the Israeli military has installed thousands of cameras and monitoring devices at checkpoints in the West Bank, including facial-recognition software developed by an Israeli company, AnyVision. The director of the Technology and Liberty Project at the ACLU of Washington, Shankar Narayan, described such surveillance as “possibly the most perfect tool for complete government control in public spaces.”

Israel also operates an extensive network of cameras tasked with observing every corner of the Old City of Jerusalem. The city of Hebron, where some 800 Israeli settlers live cordoned off from its 200,000 Palestinian residents, is known in the military as a smart city because of its sophisticated system of data collection that helps field observers monitor the urban landscape from the safety of their control rooms. Israel conducted its last war, in May, with Hamas in Gaza primarily from an underground bunker, relying on intelligence and digital technology to direct its air force on which targets to strike. Many Israeli soldiers and officers who serve in elite intelligence units in the army — for example, Unit 81, known for its covert cybertechniques — have gone on to found cybersecurity start-ups. Roughly 100 veterans of the unit have started 50 companies.

In excoriating Ben & Jerry’s, the Bennett-Lapid coalition is, in effect, defending decades of illiberal policies: military rule of the occupied territories, creeping annexation and a blurred distinction between 1948 and 1967 borders that insists on Israeli sovereignty between the Jordan River and the sea. At the same time, they are implicitly acknowledging that it’s not easy to maintain an enlightened and peace-seeking image (the Abraham Accords notwithstanding) when an ice cream company calls attention to the gap between rhetoric and reality. Nor when a duly licensed Israeli company climbs into bed with some of the most repressive governments on the planet.
posted by Glegrinof the Pig-Man at 1:57 PM on July 30, 2021


'I will not be silenced': Women targeted in hack-and-leak attacks speak out about spyware
Ghada Oueiss, a Lebanese broadcast journalist at Al-Jazeera, was eating dinner at home with her husband last June when she received a message from a colleague telling her to check Twitter. Oueiss opened up the account and was horrified: A private photo taken when she was wearing a bikini in a jacuzzi was being circulated by a network of accounts, accompanied by false claims that the photos were taken at her boss’s house.

Over the next few days she was barraged with thousands of tweets and direct messages attacking her credibility as a journalist, describing her as a prostitute or telling her she was ugly and old. Many of the messages came from accounts that appeared to support Saudi Crown Prince Mohammed bin Salman Al Saud, known as MBS, including some verified accounts belonging to government officials.

“I immediately knew that my phone had been hacked,” said Oueiss, who believes she was targeted in an effort to silence her critical reporting on the Saudi regime. “Those photos were not published anywhere. They were only on my phone.”

“I am used to being harassed online. But this was different,” she added. “It was as if someone had entered my home, my bedroom, my bathroom. I felt so unsafe and traumatized.”

Oueiss is one of several high-profile female journalists and activists who have allegedly been targeted and harassed by authoritarian regimes in the Middle East through hack-and-leak attacks using the Pegasus spyware, created by Israeli surveillance technology company NSO Group. The spyware transforms a phone into a surveillance device, activating microphones and cameras and exporting files without a user knowing.

For Oueiss and several other women whose phones were allegedly targeted, a key part of the harassment and intimidation is the use of private photos. While these photos may seem tame by Western standards, they are considered scandalous in conservative societies like Saudi Arabia and were seemingly used to publicly shame these women and smear their reputations.

“I am an independent, liberal woman and that provokes a misogynistic regime,” Oueiss said.
posted by Glegrinof the Pig-Man at 12:32 PM on August 1, 2021


As NSO Scandal Proves, Israel’s Real Red Line Is the ‘White’ Man
Even when the allegations involved a prominent politician who later became president of Mexico, an OECD member state, the Defense Ministry saw no reason to investigate whether there was any problem with its export policy. It didn’t think a fiasco-in-the-making like this was sufficient grounds for sending representatives of every possible security service to NSO’s offices.

When that same president’s government asked Israel to extradite a former senior official whose closet was overflowing with skeletons, its response, as per an Israeli official quoted by Ronen Bergman in the New York Times, was: “Why would we help Mexico?”

So why did the Defense Ministry suddenly wake up now?

It’s not just because of the pressure, which is genuinely heavy this time. Nor is it just because of the accumulation of troubling reports; those have been piling higher and higher and higher for years. And it’s not because of the frightening number of potential targets – 50,000.

If you’ll allow me to guess, the new development that really roused the defense establishment was the revelation that the French president’s phone number was hiding in this list.

It’s not pleasant to say this, but it seems the different response this time reveals a somewhat colonialist spirit hidden in the outlook of the state institutions. The only thing that moves us is pressure from the U.S. (that was the only reason Israel even enacted a defense exports law to begin with) and some Western European countries (“classical” Europe, if you like).

In other words, our real red line is the “white” man.
posted by Glegrinof the Pig-Man at 7:32 AM on August 2, 2021



