Despite some mealy-mouthed denials, folks have been noting for years that NSO certainly doesn't mind selling its wares to human rights abusers, and earlier this year NSO's founder pretty much came out defending spyware and the hacking of journalists, human rights activists, lawyers, etc…
Is there any political push in the U.S. to, if not hold the NSO Group's executives and key engineers responsible, at least make their lives difficult? (For example, through the Global Magnitsky Act.)
NSO is Israeli. The U.S. has proven that it does not care about illegal acts of its friends, not in Israel, nor in Egypt, KSA, etc.
Granted, NSO Group is a private entity, but it definitely has the Israeli government looking the other way and so will do the U.S. one as a result.
The Magnitsky act was targeted at Russia, there's political will for that. Using it to target Israeli actors? I don't think so.
P.S. Before downvoting because I criticized something Israeli, note that it is such a mentality that helps players like NSO to operate with impunity in the first place. Nonetheless, I want to make clear that there are U.S. & European companies (for example the Italian-based "Hacking Team") that do this, and it's just as bankrupt.
It is the business model that is bankrupt.
Israeli and US intelligence are very close, and I suspect there are strategic benefits to being the supplier of these technologies that incentivize it. Also, they both have an interest in questionable internal security agencies (e.g. Saudi's, Iraq's & Egypt's) succeeding, to avoid ISIS-like groups getting strong.
I'm not excusing it (I'm Israeli btw), but the whole approach to military industry is built on treating suppliers as not responsible for how their products/weapons are used. That said, intelligence tech feels more like outright mercenary services than weapons sales. This might get marginally better as the scandals mount.
Best case, non-radical scenario: any SigInt technology is treated as "strategic," with close oversight, like anti-aircraft or somesuch.
See, e.g. https://www.bloomberg.com/features/2018-palantir-peter-thiel...
"The company’s engineers and products don’t do any spying themselves; they’re more like a spy’s brain, collecting and analyzing information that’s fed in from the hands, eyes, nose, and ears."
It's named after omniscient crystal balls.
The CIA’s investment arm, In-Q-Tel, was a seed investor.
Do you truly believe they don't collect data?
There's a petition currently in Israel to revoke their export license, basically shutting them down. It's unlikely to succeed though.
That said, there's an interesting dynamic emerging. The norm till now (in the US and Israel) has been to allow arms and military-tech sales to not-banned countries, regardless of human rights records. SigInt tech has been treated the same.
But... WhatsApp hacks, journalist assassinations and such seem to be drawing more pressure than bullets and bombs. It may result in intelligence technology becoming more restricted in general.
A company is an organism whose goal is to maximize shareholder value - you can't really blame its executives for doing that. At the end of the day, these companies operate within the confines of the laws - and both the US and Israel have export regulations which clarify what's right and wrong. Isn't that really the issue?
It may well be the reality that corporations are legal entities set up to externalize every cost, internalize every profit, and sink a healthy amount of them back into rewriting the laws that would constrain such behavior and we all have to live with the results.
But that doesn't mean it's ethical.
If you write code that you know is going to be used by an authoritarian state to kill human rights activists and you can currently shrug and say, well it's legal and it pays well, then well more power to you I suppose. But I'm not going to say that you aren't liable from /my/ perspective.
To name a few.
Falling back to a dumbphone will send your calls and texts in the clear. (Plus even dumb phones have firmware which can be hacked).
The big takeaway I see is to be vigilant about OS/app updates and get them propagated as quickly as possible... but people often put apps like WhatsApp or Signal on their personal devices, which IT has no control over...
If anyone is capable of describing the appropriate response to this kind of threat — it has to be them.
I'd be willing to bet any competent actor would realize trying to use something on EFF would probably result in their staff noticing their computer acting oddly and passing along the malware sample to a place like Citizen Lab. Then they can wave bye bye to their zero day.
I don't have a source, but I could have sworn some leaked doc at some point mentioned they (various intel agencies) don't like to use fancy 0-days on savvy targets. Probably something that's used on places that want to Free Tibet or let Saudi women drive, not savvy tech people.
I also think EFF probably practices what they preach (another poster mentioned their great surveillance self-defense guide).
There's also a lot to be said for just leaving your phones in the other room, turning on the radio, then having a meeting in a conference room free of electronics.
People often focus too much on infosec, instead of opsec IMHO.
Links from (E)lectronic (F)rontier (F)oundation. Should point someone in the right direction.
Start here: disable auto-download of MMS.
...and then, of course, don't download them from random numbers you're not expecting them from.
Sorry, I'll stop laughing eventually.
However, in this case, it looks like it might have been chained with an iOS kernel exploit - a bad memcpy is suspected.
So we should blame unsafe programming languages and C culture once again.