Darknet Diaries did a few podcast episodes on the NSO Group from the perspective of people who have directly interacted with it or have been its target, and it really puts into perspective how horrific they are. They operate under the protection of the US and are directly allowed to spy on US citizens without any recourse whatsoever.
One particularly grotesque case was the illegal wiretapping of Bensouda after she launched a criminal probe into Israeli war crimes, which they used to threaten the prosecutor, to hide evidence that they knew was under scrutiny, or to take the cases to court just to drop them so they could tell the ICC that they did make an attempt to prosecute, which is a loophole that disallows the ICC from taking up those cases.
I'm certain many countries do this stuff, as well as operate botnets and threaten journalists... but the uniqueness here is that these intel groups located in Israel operate under complete protection of the US, without any scrutiny or oversight, alongside the US government. We are living in the dystopian universe that people have warned about for decades at this point.
The US hosts and protects firms that are better at this than NSO, and not just because they're smart enough not to be in the news.
US citizens are routinely targeted by CNE operations enabled by commercial tools, yes.
You don’t need a warrant to target US citizens unless you are the government.
The arrangement is that the UK's GCHQ spies on US citizens and shares the info with the CIA/NSA.
On the other hand, if you “target” Americans and you’re not the American government, you’re committing a crime.
Note here that we are describing firms that produce CNE tools, not organizations (lawfully constituted or otherwise) that actually use them. Production of exploits and implants is broadly legal everywhere in the world, including the US and Europe. The legality gets murky when you sell to non-governmental organizations (if prosecutors can demonstrate you knew the crimes that were to be committed with them), but most of the market appears to be governmental.
Well, this is not really true, given what we know about the government actor doctrine.
Why was this dead? If anything, Thomas' reputation here should at least entitle him to being heard.
My fellow showdeader, Click the time on the dead post and press “vouch”
I did.
Agreed that the flag seems highly dubious here.
[flagged]
I don't think it's off topic, we're talking about companies spying. Unsourced, maybe, though I suspect Thomas is a reliable enough source.
It has nothing to do with the OP. Honestly, he always jumps in to do whataboutism on Israel posts. He didn't say who he was talking about; it doesn't add anything and only detracts from the discussion here.
I strongly doubt the intent here was whataboutism. Rather, it was more to indicate that things get a lot worse than this; it's just not in the spotlight so not many people know about it.
Does it get worse? He didn’t actually leave a source. NSO is certainly the most nefarious known agency.
They are, but I can corroborate that they are not nearly the only player in this space. Google has done its research on several more of them: https://blog.google/threat-analysis-group/commercial-surveil....
I think the key word there is “known” which I appreciate you saying.
We still don’t know who created Bitcoin, what are the odds there are more… effective? groups than NSO operating in the US? I’d say greater than zero.
This is actually really wild
BTC has a current market cap of around $1.9 trillion
And we don’t know who created it!
Additionally, it’s estimated Satoshi’s wallet holds about 1M BTC, out of ~20M BTC total supply
So there is a mystery account of BTC that owns almost $1T or the equivalent of 5% of all BTCs market cap
Who are you talking about?
> or take the cases to court just to drop it so they can tell the ICC that they did make an attempt to prosecute, which is a loophole that disallows the ICC to take up those cases.
As an aside, it should be noted that this wouldn't be sufficient to trigger complementarity at the ICC if it's obvious the investigation was not in good faith. The ICC can ignore any domestic investigation it believes was not a serious attempt to investigate.
Like it'd be a pretty silly court if you could get out of everything by running your own sham investigation.
I refuse to use Israeli tech in my stack if at all possible. I don't see how someone could use software like Snyk and not put themselves at risk (founders are ex-IDF Unit 8200). Especially in the area of security, it seems like using Israeli tech is inviting the wolf straight into the hen house. No thanks.
I didn't know this about Snyk. Taking them out of my tools and unregistering myself immediately. Thanks!
You're welcome. One of the founders has since started a new AI venture called Tessl:
https://finance.yahoo.com/news/exclusive-tessl-worth-reporte...
The VC firm Boldstart has deep ties to the Israel intelligence community, so you pretty much want to avoid any of their investments.
Yes, I think the pager attack is also an interesting case study. It's one thing to execute a supply chain compromise for information gathering, where the target may never know what happened. On the other hand, flaunting your abilities in that area will just lead you to being cut out of supply chains.
Hezbollah didn't intentionally include Israel in its supply chain. The impressive part of the attack is that they managed to insert themselves into an enemy's military supply chain without their enemy knowing, which is a 101 thing militaries try to prevent. If they were just abusing their known position in a supply chain, it would be much less impressive.
So I don't think it follows that the attack would lead to Israel being cut out of supply chains, since the attack didn't involve that.
It wasn't "impressive", it just operated outside the bounds of moral values that the rest of the world holds, so it was unexpected.
I didn't find it technically impressive at all. It was just morally objectionable and a major human rights violation. This along with all of the other human rights violations that Israel has committed are yet another reason I would never do business with anyone or anything even remotely associated with Israel.
Boycotting Israel does help this problem if it means Israel goes the way of apartheid South Africa. That's the whole point, to end the regime.
You can boycott things for whatever political reasons you want, but boycotting something for political reasons is very different from boycotting to improve your own security. My impression is that it is the latter the original post was suggesting, and it's the latter that doesn't make sense to me, as a practical matter.
Israel blew people up with consumer devices. My number one concern is my own safety.
[flagged]
I don’t use Intel either (at least as my main processor).
Israel literally blew people up with a supply chain violation. I’m very comfortable with my assessment.
The supply chain violation was performed by a Hungarian shell company with no links to Israeli tech. Using it as an example of why you would avoid any Israel-based companies is a weird security strategy.
It was an Israeli operation. Israelis celebrated it and bragged about it. It is a prime example of why I don't do business with Israel.
Yes I am boycotting Israel (and Zionism), for genocide, apartheid, human rights violations, interfering with my own government. They've been breaking international law since the Balfour Declaration.
Thank you for having morals.
I find it really interesting how many comments opinions like this get on Reddit and HN. It almost feels like there are orgs similar to marketing firms that get paid to promote Zionism on the internet...
Yes, you also get censored like crazy for speaking the truth. I don’t even think my upvotes work on this site anymore. I just upvoted your comment if it doesn’t show it.
It's definitely a security issue as well as a moral issue. No one in their right mind is rushing to put Israeli tech in their stack and many are working hard to remove it. All of the gaslighting around their actions makes me 10X more likely to advocate against Israel, to help combat the dangerous propaganda.
Treating NSO owners / decision makers the same way as Gary McKinnon would be more appropriate. But I guess they are more "equal".
I'm not a lawyer, so maybe I'm misunderstanding something, but the plaintiff is WhatsApp, not the journalists. This isn't really about holding NSO Group accountable for hacking journalists at all.
The fact journalists were compromised seems only incidental; the ruling is about whether or not NSO Group "exceeded authorization" on WhatsApp by sending the Pegasus installation vector through WhatsApp to the victims, and not whether they were unauthorized in accessing the victims. It's a bit of a subtle nuance, but I think it's important.
Quoting the judgement itself:
> The court reasoned that, because all Whatsapp users are authorized to send messages, defendants did not act without authorization by sending their messages, even though the messages contained spyware. Instead, the court held that the complaint’s allegations supported only an "exceeds authorization" theory.
> The nub of the fight here is semantic. Essentially, the issue is whether sending the Pegasus installation vector actually did exceed authorized access. Defendants argue that it passed through the Whatsapp servers just like any other message would, and that any information that was 'obtained' was obtained from the target users' devices (i.e., their cell phones), rather than from the Whatsapp servers themselves
> [...removing more detailed defendant argument...]
> For their part, plaintiffs point to section (a)(2) itself, which imposes liability on whoever "accesses a computer" in excess of authorized access, and "thereby obtains information from any protected computer" pointing to the word "any"
> [...]
> As the parties clarified at the hearing, while the WIS does obtain information directly from the target users’ devices, it also obtains information about the target users' device via Whatsapp servers.
Adding a little more detail that comes from the prior dockets and isn't in the judgement directly: basically, NSO Group scripted up a fake WhatsApp client that could send messages the original application wouldn't be able to send. They used this fake client to send messages that provided information about the target users' devices. In that the fake client was doing something the real client cannot do (and fake clients are prohibited by the terms), they exceeded authorization.
Think about that for a moment and what that can mean. I doubt I'm the only person here who has ever made an alternative client for something before. WhatsApp (that I recall) does not claim that the fake client abused any vulnerabilities to get information, just that it was a fake client and that was sufficient. Though I should note that there were some redacted parts in this area that could be relevant.
I dunno. I mean, the CFAA is a pretty vague law that has had these very broad applications in the past, so I'm not actually surprised; I was just kinda hopeful to see that rolled back a bit after the Van Buren case a few years ago, when the Supreme Court had some minor push back against the broad interpretations that allowed ToS violations to become CFAA violations.
Edit: Adding a link to the judgement for anyone interested: https://storage.courtlistener.com/recap/gov.uscourts.cand.35...
Edit2: And CourtListener if you want to read the other dockets that include the arguments from both sides (with redactions) https://www.courtlistener.com/docket/16395340/facebook-inc-v...
> I doubt I'm the only person here who has ever made an alternative client for something before.
I've been on both sides of the issue by authoring unofficial clients, and battling abusive unofficial clients to services I run. The truth is, complete carte blanche for either side is untenable. 99.99% of well-behaved clients are tacitly ignored; I'm not against those that deliver malware, or bypass rate-limiting, having their day in court.
Laws need to be clear about where the line is, though. If circumventing rate limiting is illegal, then that should be explicit, including the criteria used to determine that a service is in fact rate limited in such a legally binding manner. As it is, an API is available but somehow is not considered public (criteria unclear), and thus engaging with it in certain ways (criteria unclear) is out of bounds.
If we want using a service to perpetrate a crime to itself be an additional crime, then that should be made explicit. In the (unlikely) event that NSO wasn't actually perpetrating any crimes against the end users, then that fact is probably what needs to be fixed.
Given the nature of who the stakeholders are, the neatest way to achieve an end is to target authorization. It focuses on the how instead of the who or what.
This reduces embarrassment for stakeholders, protects sources and methods, and sends a message.
The law is as broad as can be. If it were a US National instead of NSO Group, some crazy calculation of damages would be used to extract a plea in lieu of a thousand months in prison.
The CFAA is definitely ripe for reform. It wouldn't be hard to argue it's broad and vague. There's definitely this overarching sweep of online behaviors that could easily be classified as benign.
I don't think users of WhatsApp would have standing against people hacking WhatsApp to get their data.
WhatsApp owns the systems, so it's up to WhatsApp to sue.
The thing of value isn’t in WhatsApp in this case.
You can’t sue a dude for stealing a screwdriver to break into your home with. Your tort is the act against you.
What?
So if someone robs a bank and empties my safety deposit box I can't sue them because it was the bank that had the money, not me?
Well, haven't you heard? The issue with your analogy is: you don't own your data.
(One might argue that it's similar with "your" money ((in the bank)) , but that's not the point)
Different scenario. The bank is a bailee: they have a duty of care for property in their possession that you retain ownership of.
You can sue the thief for stealing your property and the bank for negligent bailment. Same concept as a valet crashing your car.
If someone steals the ownership registry the bank maintains regarding the deposit boxes, that may be the better analogy. Or the list of the owner and box number. Clearly this is information the bank controls, not the individual.
> fake client to send some messages that the original application wouldn't be able to send which provide information about the target users' device
> I doubt I'm the only person here who has ever made an alternative client for something before
I think the distinction here for "exceeds authorisation" is pretty apparent. I don't read this judgement as being damning for people wanting to make their own clients.
They made a third party client for deliberately malicious purposes. If you go ahead and make a discord client with the intention of spamming or otherwise causing harm to its users, I think it's completely reasonable for you to get in trouble for that.
> with the intention of spamming or otherwise causing harm to its users
That sounds hopelessly ambiguous to me. What if Google decides that making use of yt-dlp is causing harm to them? What are the criteria here?
We wanted email spam to be illegal and so it was explicitly made illegal. We wanted robocalling to be illegal and so it was explicitly made illegal. In such cases we have (reasonably) clear criteria for what is and is not permitted.