There is an incredibly well-produced podcast episode on these ex-NSA engineers working for the UAE that came out a couple of years ago. Check out Darknet Diaries Ep47: Project Raven [1].<p>Synopsis is that the UAE hires ex-NSA employees as "penetration testers" and when they enter the country for cybersecurity work, some are pulled aside to be briefed on an opportunity called "Project Raven" to assist Emirati intelligence with targeting, allegedly in the interest of counter-terrorism. The thing is, only Emiratis have "hands on keyboard" while the US engineers sit beside them and guide them, which supposedly dodges any legal concerns. Those who Jack interviewed decided to leave Project Raven when it became clear they were targeting dissidents, human rights activists, and later, Americans. As you might imagine, ex-NSA employees who target US citizens for a foreign government are breaking the law. I do wonder if it's these ex-Project Raven engineers that have led prosecutors down the road to where we are now.<p>[1] <a href="https://darknetdiaries.com/episode/47/" rel="nofollow">https://darknetdiaries.com/episode/47/</a>
More interesting to me is that one of the named persons, Daniel Gericke, is the CIO of ExpressVPN [1] which sold yesterday, the same day that the DoJ came to this prosecution agreement (!), for just under $1 billion. [2]<p>[1]: <a href="https://www.cnet.com/tech/services-and-software/expressvpn-cio-among-three-facing-1-6-million-doj-fine-project-raven/" rel="nofollow">https://www.cnet.com/tech/services-and-software/expressvpn-c...</a>
[2]: <a href="https://www.techradar.com/news/expressvpn-to-join-kape-in-largest-deal-ever-in-vpn-industry" rel="nofollow">https://www.techradar.com/news/expressvpn-to-join-kape-in-la...</a>
I'm confused. Isn't this considered <i>treason</i>??<p>They get no jail time? They get to buy their way out?!<p>> “Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct.”<p>I know they lose their clearances and pay a bunch of money, but this seems like it merits a lot more punishment than that.
This is an increasing problem in Israel as well.<p>Soldiers who spent years in the exploit-finding units of 8200 (Israeli NSA) can work for NSO and stay in Israel. But they can also leave the country and work for foreign entities. Sometimes without even knowing who their employer is.<p>One famous case was "Dark Matter", a UAE company that set up offices in Cyprus and offered 8200 soldiers 7-figure (in USD) yearly salaries to relocate, outside of the Israeli Government oversight, which NSO needs to adhere to, and work for them.
Funny quote from Lori Stroud:<p>> The bureau’s dedication to justice is commendable... the most significant catalyst to bringing this issue to light was investigative journalism - the timely, technical information reported created the awareness and momentum to ensure justice<p>A lot of moral superiority there when based on how Stroud has talked about her own work with Project Raven [1], she was perfectly happy to help the UAE kidnap, torture, and disappear dissidents (including children), human rights activists, and journalists.<p>[1] <a href="https://www.reuters.com/investigates/special-report/usa-spying-raven/" rel="nofollow">https://www.reuters.com/investigates/special-report/usa-spyi...</a>
If you actually read OP's link, the charges seem to have nothing to do with the fact that these individuals once worked for the US gov. Instead, the US federal government seems to be asserting that knowledge of offensive security tools and practices in Cybersecurity consultancy is somehow ITAR restricted in the same way that a weapon blueprint would be. That strikes me as absolutely preposterous and I'm disappointed the defendants settled rather than pushed back on obvious federal overreach into the lives and careers of private persons.
As a non-US person, could someone explain a legal construct of "paying $XXX to resolve criminal charges"? Doesn't "criminal" mean there must be some real punishment?
Does anyone know whether the spyware mentioned is in any way related to Project Pegasus [1]?
It's also really interesting that Apple patched security issues for iOS that were targeted by NSO Group, and it makes me wonder if those might be the same vulnerabilities exploited by the UAE hacker-for-hire company [2].
[1] <a href="https://cybernews.com/news/expressvpn-cio-daniel-gericke-fined-335-000-for-cyber-espionage" rel="nofollow">https://cybernews.com/news/expressvpn-cio-daniel-gericke-fin...</a>
[2] <a href="https://www.npr.org/2021/09/14/1036869715/apple-issues-critical-patch-to-fix-security-hole-exploited-by-spyware-company" rel="nofollow">https://www.npr.org/2021/09/14/1036869715/apple-issues-criti...</a>
I really don't think deferred prosecution is warranted here, this should have been a plea deal. I'm ambiguous on whether or not these guys should serve jail time, but they deserve a criminal conviction and a criminal record.
One of these officers is CIO of ExpressVPN. Can you really trust a service with these ties, which also just sold to an ad agency? I personally would not.
A reminder that former members of military special operations units admitted assassinating political opponents for UAE. No one was prosecuted.<p><a href="https://sofrep.com/news/exclusive-interview-with-an-american-mercenary-who-ran-combat-ops-in-yemen/" rel="nofollow">https://sofrep.com/news/exclusive-interview-with-an-american...</a><p><a href="https://spotterup.com/episode-44-dale-comstock-former-army-special-forces-cag-operator-merc-and-much-more/" rel="nofollow">https://spotterup.com/episode-44-dale-comstock-former-army-s...</a>
While being federal agents they try to spread democracy with bombs. Once they leave, the pretence is dropped and they squash any organic calls for democracy and dissent with hacking.<p>Outraged when these countries are hacking individuals? Then also be outraged when you sell them F35s.
> to obtain remote, unauthorized access to any of the tens of millions of smartphones and mobile devices utilizing a U.S. Company Two-provided operating system<p>U.S. Company Two provides a mobile operating system. Hmmm, now who could that be?
There's really no reason why they should be able to buy their way out of prison time. It's kind of a shame. Justice is supposed to be blind, including to financial assets of the perps.
How does the security of a Google Pixel phone with Android or GrapheneOS compare with iPhone’s security?<p>The iOS exploits sound scary. Some of them are even zero click.