This article just reports on <a href="https://www.forbes.com/sites/thomasbrewster/2021/07/22/nso-group-ceo-defends-1-billion-spyware-company-against-pegasus-project-hacking-allegations/" rel="nofollow">https://www.forbes.com/sites/thomasbrewster/2021/07/22/nso-g...</a>, which was discussed a couple days ago:<p><i>‘If You’re Not a Criminal, Don’t Be Afraid’– NSO CEO says</i> - <a href="https://news.ycombinator.com/item?id=27920055" rel="nofollow">https://news.ycombinator.com/item?id=27920055</a> - July 2021 (48 comments)<p>Submitters: "<i>Please submit the original source. If a post reports on something found on another site, submit the latter.</i>"<p><a href="https://news.ycombinator.com/newsguidelines.html" rel="nofollow">https://news.ycombinator.com/newsguidelines.html</a>
The Public: "How do you know if I'm law abiding or not?"<p>NSO: "We checked, you're clean"<p>The Public: "I plan to speak publicly about this violation of my privacy"<p>Local DA: "An investigation revealed some suspicious activity in your secretly subpoenaed browser history... 6 years ago..."<p>The Public: "Investigation? I didn't do anything wrong! Is this because I want to voice my objection to the current privacy laws?! This sounds an awful lot like parallel construction"<p>Local DA: "We are not at liberty to disclose the nature of the information we have on you as it contains information involving other active cases. You are under arrest."
The automaker example is awful in this case. This is a drunk guy going into a car rental and asking to take it for a spin. NSO being the rental company says do you have cash? Drunk guy gives a pile of cash and rental company gives them a car to drive. Drunk driver kills someone. Is the car rental company liable? We just rent cars they say as a defense, but know they are selling to someone who is dangerous and isn't known for abiding by international (or perhaps western) norms of behavior.<p>You cannot have it both ways, if you're going to sell the software to awful regimes who target people like journalists, you're responsible for the outcomes. The fact they found it was used on Khashoggi family phones would seemingly implicate them in the murder of a journalist. Did they kill him? Probably not. But if their software is being used by governments who did kill him, then they contributed.<p>I hope they get criminally held responsible for assisting in the murder of Khashoggi if they are found guilty and we need laws and norms to catch up to a place where this kind of business is more restricted/limited.
I don't have to be personally afraid of NSO's products being used to target me to believe that them being used to suppress dissident journalists and human rights advocates makes the world a worse place.
> "The people that are not criminals, not the Bin Ladens of the world— there's nothing to be afraid of. They can absolutely trust on the security and privacy of their Google and Apple devices," Hulio said.<p>So is he saying that journalists are the Bin Ladens of the world?
I think their business is ethically dubious but there's an outsize degree of outrage compared to companies like weapons manufacturers. It's the same thing. They make extremely dangerous tools and sell them to governments who can optionally use them for good, evil or a bit of both. You can certainly criticize them for their role in the death of Jamal Khashoggi for example. But he only died because the government of Saudi Arabia wanted him dead. They've also had no trouble acquiring fighter jets they've used to kill thousands of Yemenis.
The CEO comes off as a callous idiot here. That being said, the obsession with NSO is a bit much given that the real culprits are governments. Yes, NSO is supplying a nasty tool to authoritarian governments when it should not but I don’t see anyone vociferously fretting over NSO showing an ounce of concern for the billions in financing and in actual weapons of war being sold, or the material support of these same authoritarian governments by the U.S., Britain, France, Germany, etc., etc.<p>France, for example, has officially done a lot more to prop up Saudi Arabia and its cruelty than NSO ever has or will.<p>The hypocrisy is astounding.
I really hope this will age like the LifeLock CEO's "I can publish my social security number because LifeLock will protect me" statement, and someone will demonstrate what the CEO has to fear by installing something like the NSO spying toolkit on his devices and publishing the findings.
Number of adults alive on earth who have never infringed on some statute somewhere: 0.<p>Especially true in nations where the legal system is captured by special interests and routinely weaponised to suppress dissent, coerce minorities, and perpetuate disparities. Which is to say, of course, every nation.<p>Ergo, you (we) should all be afraid.
Every community or country has people who have no moral compass, and will sell anything to anyone as long as they don't end up in prison over it. It's getting clearer and clearer that the NSO management team is this type of people. Israel needs to have a look at fixing their laws.
I'm hard pressed to see that it's in Israel's interest having their industry assisting Morocco spying on the French, or Saudi killing dissident.
I'm more interested in the "how" of this. Are these intentional backdoors, and what qualifies this group to be privy to the information flows to exploit them? What sort of connections do they have? Are these backdoors/bugs in the baseband or are they in userspace?<p>If it's not an intentional backdoor, do they just have vastly superior technical ability? How did they hire such a talented pool of people, able to consistently find remotely exploitable 0days in every major smartphone brand? This group isn't new, they've been around for over a decade doing this. I doubt they've monetized a single exploit for 10 years. They're adapting.<p>If I had to bet, I'd bet on the former, but I'm curious what everyone else thinks. It just seems unreasonable to me that there exists such a talented pool of exploiters, all aggregated in the same place, able to consistently find 0days that nobody else seems to be able to find.
So... is he afraid of someone pirating his exploit and using it against him? If he isn't, then he's stupid.<p>Because that's entirely possible.<p>There is no such thing as a NOBUS (NObody But US) exploit. Someone else will find it - either your network will get hacked and someone will use the exploit. This is how WannaCry happened. A bunch of NSA-NOBUS exploits got leaked and sold off to people who built a ransomware tool with them. How the leak happens doesn't matter, what matters is the fact that the leak <i>will</i> happen. The only ethical thing to do is to disclose so that the exploit can get fixed.
NSO is not the problem, secrecy and lack of public awareness are the problem. This scandal is good because it's shining light on the power that governments can wield in the shadows which most people are unaware of.<p>The solution is to keep shining light and putting pressure on technology makers to improve security, end-to-end encryption, and keeping the power in the hands of individual users. The pressure piece is critical since the natural business incentives to centralize and collect more data make us more vulnerable to centralized surveillance and compromise.
The "afraid of" or fear is bad framing. Plenty of (justified) distrust and privacy concerns do not fall into this rhetoric. Not yours to view and judge != it's hidden with bad intent.
This is a distraction. Autocrats make law that lets them do as they please. The reality is that this software was designed and sold to repress protest and democracy movements, both directly and by creating a climate of fear and paranoia around them.
1) the 'nothing to be afraid of' statement is just PR, and nothing else, so not going to dig into that.<p>2) government has and will always use whatever tools exist, trust Pegasus is 1 out of many...<p>3) from a realistic standpoint it is up to 'Apple' if anyone to fix this issue from a technical standpoint, there will always be security holes and tools to take advantage of them. Shaming the toolmaker does little.<p>4) the real solution is the people have to control the government, only in those scenarios can you put 'ethical' constraints on this kinda thing... Those who are in countries where the people don't control the government really have no recourse
What about laws that are unjust? Should we accept blanket surveillance and the disruption of social movements? Why should we accept a unidirectional concentration of power into a tiny number of hands?
Just curious how many anti-NSO group people use Amazon Ring devices and are just ok with that cause those devices do enough bad things (still many use them)? In the same spirit I think we should start putting pressure on Boeing, Lockheed Martin and other companies because they literally produce mass distraction tools that do way more harm than NSO made tools. IMHO tools that NSO builds can do good and bad depending on what hands control those tools. I am not sure though how exactly NSO can control what its customers do.
Ah looking back on Project Mayhem, perhaps the antisec crowd was right-<p><a href="https://youtu.be/xDyBIpqZcNI" rel="nofollow">https://youtu.be/xDyBIpqZcNI</a>
Those guys think we are afraid of them. I wish their private information or those of their families get in the wrong hands, so they can understand what's at stake.
Somewhat ironic is that people seem to abhor the surveillance state and authoritarianism but the moment the culprit becomes social media there is an instant emotional reaction to the opposite:<p><a href="https://news.ycombinator.com/item?id=27941805" rel="nofollow">https://news.ycombinator.com/item?id=27941805</a>