I suppose that broadly, the takeaway here (and in all of this) that I’ve missed is that fundamentally, this list of phones that were targeted shouldn’t exist, or shouldn’t be leakable in this way, if we want to believe that NSO Group is targeting the most genuine targets.

To frame it differently: NSO Group sells tools to governments that are apparently trustworthy. Its security and system architecture should be decentralized enough that a list of all targets should be extremely difficult to obtain. If the list is obtainable, then what else is? Are their exploit toolkits just as leakable? Are the internal controls not sufficient to stop these leaks?

How can we continue to allow orgs like NSO Group to exist if they surely can’t keep something like their entire target list safe? Even if we assume all of the targets are legitimate threats (which, again, requires enough suspension of disbelief to hold a small army at this point), why would we want that list leakable? If they’re all the most legitimate targets, then that list is essentially 50k people who can now discover this fact and change their patterns to hide. It’s pretty bad to tip off “all the people who we find important enough to 0-day” if that assumption holds.

Now the real question? I’m not sure I know what we can do, actionably. Call Congress and ask them to care?
The "hacked" part is only an assumption, isn't it? The leaked information could also come from, say, a whistleblower. An employee that suddenly developed a sense of ethics.
I understand that the title makes an assumption that the first paragraph has to walk away from in its last sentence, but I appreciate Schneier’s nuance when framing the question. The spying isn’t new. The list is probably broader than many people assumed, but the real news is that NSO’s own security isn’t great.

More importantly, if you believe that digital-weapons-for-hire are not a good idea, spreading doubt about their reliability is probably more effective than painting those companies as invincible hackers. They made an architectural choice that exposed their clients. Therefore, if you are a prospect for a similar technology, think hard when they present their tools, and challenge decisions that might expose you.
Here is a detailed analysis: http://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf

Official manual: https://archive.org/details/nso-pegasus/
Right here is another argument in favor of strong privacy protection. Even if NSO was a righteous and holy actor (spoiler: it's not), they can be hacked any time and now that data is public.

Same reason govts shouldn't spy on their citizens: even when you fully believe in your own govt, they can be hacked.
If I were a similarly acronym’ed three letter intelligence agency that wanted to shut down a private sector competitor, this is exactly what I would do.
The iOS tool scans a backup, but the Android "check-for-infection" tool checks for messages pointing to NSO domains. I recently got a strange message, is this list public?
My first reaction to this was that we all would need mobile phones with physical off switches for camera/microphone and internet, but even such switches do not protect against such advanced spy operations. I think such software should be treated like weapons of war, for which there are international regulations and observations.
Yeah, well, not really happy about this, because the goal was probably to delete traces of involvement and clients.

Some people will also probably turn up dead, unless they hide or seek asylum.