Leak uncovers global abuse of cyber-surveillance weapon (theguardian.com)
591 points by johnny_reilly on July 18, 2021 | 137 comments


Pegasus and its capabilities have been publicly known for several years. Pegasus recently appeared in connection with the hack that stole Jeff Bezos' nude selfies.

It sounds like the new info putting them back in the news cycle is related to this sentence:

"The Guardian and its media partners will be revealing the identities of people whose number appeared on the list in the coming days. They include hundreds of business executives, religious figures, academics, NGO employees, union officials and government officials, including cabinet ministers, presidents and prime ministers."

Should be a very interesting release.


This does prove or disprove any other Pegasus related claims but regarding the Bezos “hack”, Brad Stone who is a Bezos biographer says in this interview (https://twitter.com/profgalloway/status/1400539983333793792?...) that all the evidence about the nude photos leak point to Bezos’ girlfriend’s brother actually just taking the photos from her phone through physical access and leaking them.


>brother actually just taking the photos

Bezos asked his security consultant, Gavin De Becker, to conduct the investigation; he did, and published his op-ed in a month.

The brother bla bla bla is just a distraction deployed by those who want you to believe NSO wasn’t used to hack the phone of an American citizen.

https://www.thedailybeast.com/jeff-bezos-investigation-finds...

We discussed it here as well https://news.ycombinator.com/item?id=19532185


I don't think all the evidence points to the brother in law.

https://www.vice.com/en/article/v74v34/saudi-arabia-hacked-j...


Let's just ignore what all the people who would know have to say. https://www.bloomberg.com/news/features/2021-05-05/how-jeff-...


Please note: This is the same institution that published outrageous claims of multiple tech companies detecting backdoored Supermicro motherboards, which everyone denied and no one claims to have known anything about.


The most positive thing about this leak is that it includes government officials. The more they realize that the mass surveillance they are pushing on us will also apply to them, the more chances we'll have that they push back against it.


The problem is that politicians often seem to view themselves as an exalted caste. Targeting individuals is only problematic insofar as politicians from the ruling parties are targeted. If the Spyware companies promise to exclude them from being targets, all is fine.


Bezos nudes weren’t stolen by a hack, but by physical access to his mistress’s device. Her brother. At least, that’s what I recall.

The forensic investigation showed that bezos’ device was clean. From what I saw.


The analysis claimed that some video sent by MBS might be malware, but then claimed to be unable to decrypt it and prove that or analyze it in any way.

HN called them out on failing to decrypt and properly analyze the file when that came up:

https://github.com/ddz/whatsapp-media-decrypt


Here's the forensic report from FTI Consulting:

https://www.vice.com/en/article/v74v34/saudi-arabia-hacked-j...

Reviews of the report suggest that it contains circumstantial evidence, but lacks conclusive evidence:

https://en.wikipedia.org/wiki/Jeff_Bezos_phone_hacking#Analy...


What adult, a tech executive no less, is dumb enough to send nude selfies in 2021?


All of them? I mean, they're still human and get just as horny (and irrational because of it) as any other sex-obsessed monkey.


No, not all of them. Most people have the sense to never even take nude photos with a connected device.


Some people are just normal people and realise that living in a prison because of the chance of someone leaking your nudes just isn’t worth it so they just take the chance. It doesn’t mean they would not retaliate if someone actually leaked their nudes.


I was exaggerating a bit for effect, but the point is that they are still just as human as everyone else. Just like everyone else, sometimes they don't keep themselves 100% under control.

Personal disclosure: I've never sent nude photos of myself, until I had a super-hot girlfriend repeatedly ask for them. She got the photos. Was it a long-term smart move on my part? Probably not. Anything could happen in the future. Did I care at the time? Not at all. Sometimes a zero-tolerance, "just say no" policy isn't going to work.


I hope you always wear pants while using your phone. Otherwise how can you be sure of never having pointed your smartphone camera in your nude genitalia's direction? A hacker could've been filming and potentially ended your life through a devastating leak.


A hacker stealing photos while I’m using my phone is not the same as sending nude photos from that phone to your significant other.

One is a crime.


You're missing the point of my reply, the risk is the same: potentially exposing your biological gender and detailed attributes to the world.


> I hope you always wear pants while using your phone.

Don't you?


Who does?

I use mine in the bath.


You don't wear pants in the bath?


This sounds absolutely huge. It feels like a Snowden lite.


Snowden says: “Stop what you're doing and read this. This leak is going to be the story of the year”

https://twitter.com/Snowden/status/1416797153524174854?s=20


I'm not judging the importance of the story, but based off past reception of these stories it is wildly naïve to believe this will be the story of the year. That is especially true in a year in which the globe is still not through a global pandemic that has killed millions.

Most people simply don't care that much about digital privacy. Lots of people believe Facebook is spying on them constantly including recording everything said in the presence of their phone and many of those people go right on continuing to use those apps.


> "...wildly naïve to believe this will be the story of the year. That is especially true in a year in which the globe is still not through a global pandemic that has killed millions."

if this were true, cardiovascular disease and cancer would be the top stories everyday, as they combine for tens of millions of deaths per year. the media focuses on novel fear because it's attention-getting, not rationally dire.


You phrased that like a disagreement, but I think it actually goes to support my point. A pandemic that has shut down much of the planet for going on a year and a half seems like a much more novel fear than someone's phone spying on them.

And you can't just blame this on the generic "media". They sell what the people want to buy. They report on novel fears because that is what attracts more attention from readers/viewers. The story about a murder is always going to get more attention than a dozen people dying of heart disease.

It isn't that the media doesn't care about these privacy issues. It is that people generally don't care about these privacy issues.


ah, the apologist argument. might as well throw up our hands and do nothing then. sheep are easier to tend when subdued and mollified anyway.

the point is that the pandemic isn't a bigger threat to our daily lives than common diseases for most people, yet we've blathered on about it like it's an imminent threat to everyone for over a year and a half. we don't do that for (other) respiratory infections or tuberculosis, for instance, which affect the same order of magnitude of people worldwide every year. this misfocus is acutely irrational (an availability/recency bias). the novelty only exacerbates the misfocus, it doesn't justify it in any way.

the pandemic isn't even a long-term threat in the way that concentration of power, as manifested by this privacy/surveillance issue, is for every person on earth (and the way climate change is for humankind on a multigenerational scale). it's just that the change is so relatively slow and incremental that we don't understand the severity of the threat until it's overwhelming. it's how we boil frogs so easily.


You've underestimated how quickly people normalize things. The pandemic and the shutdown isn't big news anymore.


And digital surveillance is still big news 8 years after Snowden's leaks? It has also been normalized. There is little chance that the average person would rate this a bigger story than the pandemic.


The technology is there. It is obvious that if it is being sold, it will be used. And like most things that do give people power, it is likely to be abused. At least in some sectors there is a strict regulation of what can be used and why ( and there is a cost associated with it so companies tend to scrutinize for unnecessary searches ), but an individual with too much money and time on their hands? The only limit is that person.

I will admit I am tantalized.


And like [all] things that [] give people power, it is [guaranteed] to be abused.


So, PBS seems to have done a documentary on this, which was just released an hour ago: https://m.youtube.com/watch?v=a2BIYWHdfTE

Did all of the media outlets organize together for months in advance to be able to release everything today? The content and production quality makes it seem like this release was planned months in advance.

Also, assuming they did, what’s the process all of these news organizations go through in order to plan such a release on the same exact day? The planning of the release in such a coordinated way is almost questionable itself, though it would be good to get insight into this.


Hey, former software engineer at the Guardian here. Yes the news outlets are collaborating on stories too big for a single one.

The last I can remember was the Panama papers, which followed a very similar process. I seem to remember they all synchronized through the ICIJ [1], and more or less each journalist would cover their own territory / domain. Then they agreed on a reasonable date to release the news.

They shared more than just information, but also technical infrastructure to do the investigation.

[1]: https://www.icij.org/


So, if the ICIJ coordinated the last one, then who coordinated this one? It seems like Forbidden Stories is the main organizer though they also make it seem like “The Pegasus Project” is the organizer as well, which seems rather confusing.


You can't read the article?

> Forbidden Stories, a Paris-based nonprofit media organisation, and Amnesty International initially had access to the leaked list and shared access with media partners as part of the Pegasus project, a reporting consortium.


It looks like the Wikipedia page cites a broken link concerning Forbidden Stories supporters!

[broken link #33] https://forbiddenstories.org/they-support-us/

"Prominent supporters are:[33]

Can Dündar, former Editor-in-chief of Turkish newspaper Cumhuriyet

Khadija Ismayilova, Azerbaijani investigative journalist

Marina Walker Guevara, deputy director of the U.S.-based International Consortium of Investigative Journalists[34]

Bastian Obermayer, Pulitzer Prize-winning German investigative journalist with the newspaper Süddeutsche Zeitung

Fabrice Arfi, Co-head of investigations at French online newspaper Mediapart[35]

Will Potter, U.S.-American investigative journalist


> The investigation by the Guardian and 16 other media organisations suggests widespread and continuing abuse of NSO’s hacking spyware, Pegasus, which the company insists is only intended for use against criminals and terrorists.

Usually, joint investigations between multiple media outlets are released in a planned fashion. It's rare to see 17 news outlets collaborate on one story, but when "more than 180 journalists" have been targeted with Pegasus, it may be that the targeted journalists worked together on this investigation, using their exploited devices as evidence.


In the US, journalists were long reluctant to discuss Gov surveillance abuses in any meaningful way - even when they were targeted.

Snowden basically dragged news orgs into reporting it. After that initial rush tho, reporting was largely muted. Most DoJ and other abuses were minimally covered if at all.

That improved somewhat during the next administration but authoritarian deference still seemed in play to me.


>That improved somewhat during the next administration

I heavily disagree?


Are you asserting that journalists were more accepting of Gov mistreatment, during the Trump admin? That doesn't jibe with what I saw.


Fair point. It's difficult to determine much beyond that given the abnormal status of Trump.


The case around Jamal Khashoggi is also documented quite well in the documentary: "The Dissident"

It was that movie/documentary where I first heard of Pegasus and how it had been used by the Saudi government.


Looks like the same group of newspapers that also worked together on a number of previous high-profile leaks in coordination with ICIJ:

https://en.wikipedia.org/wiki/International_Consortium_of_In...


Here is the full forensic methodology report of this leak by Amnesty International's Security Lab: https://www.amnesty.org/en/latest/research/2021/07/forensic-...

With this report, Amnesty International has also released the Mobile Verification Toolkit (MVT) - a forensic tool to look for signs of infection in smartphone devices: https://github.com/mvt-project/mvt


NSO is clearly in the business of selling surveillance to foreign entities, and saying they vet people is nothing but smoke as there is zero actual evidence other than their blanket statements. If some government or other customer tells them they only attack terrorists, it's clearly easy to target anyone; how would NSO even know?

Also rather stupid was Apple's statement about their phones being secure, when it's obvious there are zero days being sold to NSO instead of telling Apple. Everything is insecure these days, at some level.

If NSO paid people $1M for a zero day (I bet they don't say), and Apple/Google/etc paid $10K, who do you think gets the info?


It's not that cut and dry, ethics and legality are a concern for a lot of researchers such as myself that sell zerodays. In my experience the actual price difference between unethical and ethical outlets is up to 4x, not two orders of magnitude (10K vs 1M?). I can't speak for everyone of course, but even the other researchers I know refuse to sell to unethical buyers, money isn't a factor.


You can almost assuredly sell exploits illegally/unethically for a serious amount if you have the right connections. We know that iOS zerodays have sold north of 2 million $.


I don't know that. I can't find anything on G or DDG - can you point me towards some data/links?



Thank you!

Summary: Wired report is a $1M and Ars reports three, one at $2.5M - all paid by Zerodium. Wow.


If you have an iOS/iCloud/Google 0day, you will absolutely fetch tens of millions from it assuming it's the real deal (reliable, etc).

Google, on the other hand, regularly pays white-hats something like $100k for "arbitrary access to contents of any Gmail content".


Can you give me a feeling for what ethical buyers would be? I'd assume bug bounties and ZDI and similar. What else?


First and foremost, the original vendor is always the most ethical place to sell it. That's where you stand the best chance of having it fixed for affected users. Second to the vendor are third parties that report vulnerabilities to the vendor by selling early warnings as a service. I don't know if I would recommend ZDI, they provide zero guidance for what their payout ranges are. There are security companies that purchase zerodays to write about them for PR, which also fixes the issue. And finally there's selling it to branches of the US government with license restrictions and a blanket exclusion for the NSA.

Beyond those buyers, the lines start to blur (defense contractors, companies in countries allied with the US e.g. FVEY). I would not recommend it either. Unethical buyers have completely different interests. I know Zerodium for one is a terrible place to sell to (you may be a target), and anything that is sold to Crowdfense is likely to be used against American interests.

My take away advice is, you can choose between painting a target on your front or one on your back.


When you say "one could be targeted/painting a target on oneself" what does this imply? Basically that some group, most likely a nation state actor might hack my systems in the hope to see what else I have and who I am selling to?

Or rather that when I cross the wrong border into the wrong country that I might disappear?


Who do companies like ZDI sell early warnings to? I don't quite understand how a vulnerability could be worth more to them than the vendor who could fix it (assuming they don't somehow abuse the vulnerability).


Because ZDI negotiate. As a bug bounty participant in the official programs, you aren't allowed to negotiate.

ZDI, on the other hand can say: "We want $10M for this iOS zero day, or we don't report it to you." And the process of negotiation goes back and forth, but the end result is, Apple will pay considerably more to ZDI than through the direct program.


Correct me if I am wrong. I think another reason why ZDI maybe could pay more is because they also have other paying customers that pay for IDS/IPS subscription.


Thanks for being one of the good guys.


Part of their vetted list: Azerbaijan, Bahrain, Kazakhstan, Morocco, Rwanda, Saudi Arabia, United Arab Emirates

It's as if they are vetting for the most authoritarian, human-rights-abusing, anti-free-press countries in the list. A peculiar vetting process indeed


Their vetting process probably goes like this:

Question: How would you solve the Trolley problem?

Answer: By using more trolleys.


Those are US and UK allies you're talking about.


Kazakhstan? Also, why does that matter


This isn't very different from the West selling guns, tanks and police equipment to allied 3rd world countries. You hope they'll be used for good causes(preventing crime and terrorism) but knowing that these governments tend to be corrupt, you acknowledge the risk that these weapons will be used by bad elements too.


> Also rather stupid was Apple's statement about their phones being secure

Apple has never made such a statement.


> Apple has never made such a statement.

From the article:

> Apple said: “Security researchers agree iPhone is the safest, most secure consumer mobile device on the market.”


Exactly. It says nothing about their phones being secure. Only that they are more secure than their competitors.


So it is fair to say that iPhones are insecure


No - that would obviously be just as false as claiming they are secure.


they can't both be false


Of course they can. They are categorical statements. The reality is not absolute.


by that logic, of course they can't. The statement that they can is categorical


What you just said is gibberish because it ignores the context of what we are talking about.

You are imagining that computer security is absolute. A system cannot be 100% secure or 100% insecure. To claim either is obviously false.

Systems can be relatively more or less secure than other systems.


That's a stretch.


No, it’s what they said.

Saying they claimed their phones to be secure is just a lie.


It's a stretch to argue that "safest, most secure consumer mobile device on the market" is not a claim of security. The average reader would not interpret that statement as you did, which makes the statement misleading.


> is not a claim of security.

It is a claim of relative security but it is a lie to say that Apple claimed their device is secure.

>The average reader would not interpret that statement as you did

I think most people can read the statement for what it is - a comparison to other devices on the market.


NSO said that even if Pineda’s phone had been targeted, it did not mean data collected from his phone contributed in any way to his death...

NSO are clearly concerned about any such claims sticking.

Shared and joint liability for such consequences of software and tools strikes me as one of the more viable ways of limiting their over development.

Finding a firm, its officers, its engineers, its salespeople, its investors, and its creditors culpable for assassinations and murders would tend to dampen enthusiasm significantly. That's not enough to utterly quash development, but it makes it far more expensive and unattractive.

I don't have high hopes for this. But one may dream.


Disgusting. When the topic of commercial "cyberweapons" comes up, I immediately wonder about the people who created them. How they can sleep at night knowing how tools of their design are used. I'd argue that it's a completely different class of cybercrime and worse than anything else out there.

Unprecedented action needs to be taken against NSO Group.


I imagine it helps to think of your victims as cattle put here by god for you to exploit.


I wouldn't go so far and drag Judaism into this.

At least it's an interesting question why so many shady companies seem to operate out of Israel.


Sale of these technologies is heavily regulated. If this kind of technology is deployed in your home country, State of Israel gave permission to sell it and your own state have permission to buy and deploy it.


This is beyond regulation - these tools are infringing on human rights. But frankly, I don't mind what sales the State of Israel permits, they're free to do what they want. However, I would be upset if the government of my own home country permits these sales (which they probably do) or does not reprimand those associated with NSO Group.


Without programmers disregarding ethics these companies would have nothing to sell.

My proposition is to put known employees of these companies on a blacklist for conferences like CanSecWest or similar.


Too mild. Slap them with OFAC sanctions.


Edward Snowden predicts this to be "the story of the year"

https://twitter.com/Snowden/status/1416797153524174854


Perhaps it should be. Sadly it will probably pass quickly for other headlines. Will any changes in privacy control happen? Will someone make and market a new secure phone? That would be interesting.


This, or a tiktok clip of a farting puppy, it's hard to tell.


Glad to see reporting on this, but struggling to understand how it's so much more outrageous than the UK's own behaviour in this regard vis-a-vis Gamma Group and the Finspy / Finfisher products.

For example:

> Despite rules saying the UK should not export security goods to countries that might use them for internal repression, ministers have signed off more than £75m in such exports over the past five years to states rated “not free” by the NGO Freedom House.

> The 17 countries include China, Saudi Arabia and Bahrain, as well as the United Arab Emirates, which was the biggest recipient of licences totalling £11.5m alone since 2015.

> Human rights groups said the UK was developing a reputation for not conducting proper checks on who it sold arms to, while Labour called on the government to show it is working to prove that it is complying with its own rules against arming dictators.

- UK selling spyware and wiretaps to 17 repressive regimes including Saudi Arabia and China[1]

Or just search[2] for "gamma" and "privacy international"

1: https://www.independent.co.uk/news/uk/politics/uk-spyware-wi...

2: https://www.google.com/search?q=%22gamma%22+%22privacy+inter...


Why is this seemingly okay but if my Mom leaves a card in my mailbox, it's illegal? I really hate that our countries are largely run by incompetent corrupt geezers.

Compromising the personal devices of private citizens for nefarious means should be globally illegal and, if perpetrated by a government, should be considered an act of war.

Why does it seem like we're all just kind of okay with citizens being attacked like this?


Why is collecting all this information suddenly OK as long as it's "only" used for Advertising purposes?

Is there a reason we also also forbid Google and FB from gathering this information? Or are their business models too important, and we can't decrease shareholder value?

Or since "the users" click-agreed the business model is absolved and it's okay! What could go wrong, ever?

Or, a modest proposal: we could agree that even corporations who sell HW/SW for personal devices shouldn't be allowed to collect this data, period. No one needs to mine our GPS history, messages, search, etc. Even if it means those who do it today make less money.

Ads are fine, but maybe we agree it's fine if ads aren't quite as targeted, either.

I'm wondering if we might be better off with "punch the monkey" than hyper tracking and targeting.


Somewhat surprising (disappointing?) for me to find India, Mexico and Hungary on the list: "at least 10 governments believed to be NSO customers who were entering numbers into a system: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates (UAE)."


The current indian govt figured in the list back in 2019 as well, so no surprises there.


The 2019 list was probably of Pegasus's customers? This list is of governments using Pegasus against their opposition, journalists, lawyers...


Why do you find this surprising?


I thought these countries still tried to operate legally instead of targeting their opposition leaders etc.


Are we supposed to act like it’s a new thing? It’s rather similar to the client list of Hacking Team https://en.m.wikipedia.org/wiki/Hacking_Team

This market has been developing for the past 2 decades there are a lot more players than NSO and most of them aren’t in Israel.


> India, Mexico and Hungary

Both India and Hungary are currently governed by anti-democratic right wing administrations (Modi and Orban). Not that surprising to see the State try to abuse power.


Um.. just because they happen to be right-wing ( from US perspective - I don't want to derail this conversation ), does not mean they are not democratic and hostile towards democracy.

In fact, I would argue, that they have a mandate from its people ( hence they are democratic ) and their program is very open about the changes they propose ( which may be unpopular in EU salons, but not for an ordinary citizen ).


Why do you think India has an undemocratic govt? Just because Modi is RW?


Ironic that you mention this, since the fact that the Modi government’s name is on the list attests to their anti-privacy way of ruling.


I am sure the big names missing from the list are also doing it. Five eyes, Russia, China probably have much better capabilities than the ones on the list.

The list for India is weird though. It has a lot of names which are in the pro current establishment camp and some of their own leaders as well.

Could it be some other state snooping on them or has it found usage by non state actors as well?


> It has a lot of names which are in the pro current establishment camp.

Ah, that's incorrect. The first article released yesterday released names of 40 Indian journalists. I see a few pro Modi names there. https://thewire.in/media/pegasus-project-spyware-indian-jour...

As for what's to come: "The numbers of those in the database include over 40 journalists, three major opposition figures, one constitutional authority, two serving ministers in the Narendra Modi government, current and former heads and officials of security organisations and scores of businesspersons."[1]

These will be released in further articles of the series "Project Pegasus"

[1] https://thewire.in/government/project-pegasus-journalists-mi...


> The list for India is weird though. It has a lot of names which are in the pro current establishment camp and some of their own leaders as well.

It’s not that weird when you look at it. Most news agencies are privately owned. These journalists aren’t born stooges of the Government. Many of them were forced to become pro-Government when the Government threatened to pull advertising by Public corporations on their networks. That’s one lever. Having dirt on the journalists? Another lever.


Probably related to the disenfranchisement of minorities


A reminder, a 20th century US president was found to be openly spying on the opposition, and only faced repercussions for the cover-up. Though I can't prove it, I assume every major political group is doing some amount of surveillance on the opposition.


Hungary? Basically the western bastion of Russia


I wish it was only Russia, Orban is in bed with the PRC too.

Hungary is being run as a kleptocracy, it will align with whoever gives the chance for higher embezzlement.


Member of EU too - hope this leak will increase the pressure against them.


I am actually surprised the list is so short. I was expecting to see more names.


Possibly other countries (US, UK, Russia, Australia, China, etc) have enough resources to build their own equivalent tools without needing to buy Pegasus.


At what point are western governments going to crack down on companies such as NSO Group?


I don't think the US government will sanction Israel over selling surveillance software to governments that are allied with both the US and Israel.


I am just guessing, but they would probably crack down on specific companies that sell to governments other than their own.


They'd also crack down on companies that sell to other governments and their own. The stakes are getting too high at this point.

On a completely unrelated note, if I were a security researcher, I'd start being extremely mindful about to whom I'm selling zero-days.


>On a completely unrelated note, if I were a security researcher, I'd start being extremely mindful about to whom I'm selling zero-days.

Unless you're dependent on the money, responsible disclosure is probably the most ethical way.


Governments objecting to the success of drive-by 0-day malware should be investing in safer operating systems and programming languages, not trying to outlaw malware.


Why not both? Western governments should (theoretically) be promoting democratic causes not allowing companies to sell to governments that target those that protect democratic values such as activists and journalists.


I guess but that doesn't sound very realistic. The US, if we accept it as an example western government, will tolerate literally anything from Israel, whether government or private, and doesn't really care how badly the Saudis are acting, either.

If this bothers you the best thing individuals can do is invent better computers.


Landing on the moon once didn't sound very realistic either, doesn't mean we should stop trying. At the current moment there is plenty of public pressure on Israel so if it could be directed at something like this that would be a good thing in my mind. This is a political problem and hence should be solved as such.


Scientific unrealistic is different than socially unrealistic. It's not easy to express, but the knowledge I have of human nature, I feel like I understand better, than the knowledge I have of quantum mechanics.





Gaslighting at its finest.


How is this legal and why are companies like NSO and their principals not being prosecuted?


Is it forbidden? Then it is likely legal.

I am not defending NSO here, but I just want to provide a sample of a simple defense of this. In practical sense, there is very little regulation in this space. And if you add to it some of the territories involved in that race, you will quickly notice that it may be hard to force them to do anything. They are sovereign after all.


Sadly, a haveibeenpwned-like service to know if a number is in the list would be unfeasible; so, the only way to know if you've been monitored is to be some kind of celebrity that the Guardian and co will decide to out. (I suppose it will be better in terms of PR to be outed in this case than in the Panama papers...)


I just pretend my devices are compromised. I'm genuinely surprised this isn't how all businesses handle IT.

Maybe it isn't practical when you have trade secrets and engineering actively working on development. But maybe if IT was given this constraint, they'd figure out a solution.


> That thesis is supported by forensic analysis on the phones of a small sample of journalists, human rights activists and lawyers whose numbers appeared on the leaked list.

> The research, conducted by Amnesty’s Security Lab, a technical partner on the Pegasus project, found traces of Pegasus activity on 37 out of the 67 phones examined.

> The analysis also uncovered some sequential correlations between the time and date a number was entered into the list and the onset of Pegasus activity on the device, which in some cases occurred just a few seconds later.

> Amnesty shared its forensic work on four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed they showed signs of Pegasus infection. Citizen Lab also conducted a peer-review of Amnesty’s forensic methods, and found them to be sound.

---

> NSO has always maintained it “does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets”.


How much consideration does NSO and other "forensic tools" makers get from platform makers and malware detection providers? Does intelligence and law enforcement get to keep their vulns longer after they are detected?


Ethics says we shouldn't be okay with surveillance predators.


We'll be putting the leakers in the cell beside Assange any day now, right?


Who is targeting US journalists?


Was a joint investigation. Here's Washington Post writeup:

Private spy software sold by NSO group found on cellphones worldwide - Washington Post

https://www.washingtonpost.com/investigations/interactive/20...


From the Guardian article: "The research, conducted by Amnesty’s Security Lab, a technical partner on the Pegasus project, found traces of Pegasus activity on 37 out of the 67 phones examined." The results were released by an international consortium of media entities that includes The Guardian and the WaPo.


> The Pegasus project is a collaborative reporting project led by the French nonprofit organisation Forbidden Stories, including the Guardian and 16 other media outlets. For months, our journalists have been working with reporters across the world to establish the identities of people in the leaked data and see if and how this links to NSO’s software.



