There is no evidence it's shut down Pegasus – just its PR department.
Maybe the personnel in the PR department have more integrity and the spokespersons are not able to lie with a straight face.
Or, maybe, their lawyers told them to shut up.
The NSO Group, a purveyor of spyware it hopes governments and law enforcement bodies will use to fight terrorism, has announced it will not answer any further questions about allegations raised by Amnesty International and Forbidden Stories that its products have been widely misused. The company on Wednesday published a …
> the personnel in the PR department have more integrity and the spokespersons are not able to lie with a straight face.
Ummmmm ... the personnel in any PR department are paid to lie with a straight face. That's their job description. They are known as paid liars.
Corporate terminology: shaping the message and staying on message.
It's when the personnel in said PR department suddenly decide to go radio silent that you know the shit has hit the fan.
The whole issue is not just misuse of software. When you give someone a copy of your software, you have no control where it ends up. But this is not the issue at all here.
According to Amnesty, NSO operated the servers. NSO had lists of phone numbers for target people. NSO is not just a software manufacturer in this game. NSO is actively participating in the attacks, including the unlawful ones. They cannot just say: «Someone took our software and did an unlawful attack without our knowledge.» NSO was basically performing the unlawful attack themselves.
It would be punishment enough if NSO associates had an international warrant on them, not being able to travel anywhere without fear of arrest.
Let's not encourage the US to unilaterally decide what someone can do when they're not anywhere near the US, shall we? If an international court (read: a court that acknowledges that other countries exist and have a degree of sovereignty) decided that these people should be on a ban list, fine, I'm game, but letting the US decide on its own what happens outside their borders is a very bad idea.
Underlying all the immediately apparent problems is the basic one that commercial interests are deeply involved in the provision and use of surveillance technologies. Profits demand wide use, and that incentive can easily result in further blunting of already questionable ethics.
The same mechanism is effectively universal in antisocial media, where offensive or illegal posts are left in place until a threshold of embarrassment to the service is crossed, because, regardless of protestations, they attract hits.
You are correct that NSO, while it may have originated as an Israeli government surveillance tool, is now in it for the money. Their products are popular and they operate exactly as intended.
Appealing to ethics or embarrassment is hopeless. They have none of the former and are incapable of the latter.
The statement is basically a big F U.
The key lesson here: just because you can offer SWaaS (SpyWare as a Service) doesn't mean you should. I bet this all started with some suit ordering their techies to do it over their objections.
Sometimes arm's length is best. Seldom do arms dealers hang around near a war zone. NSO should take a lesson from them.
"I bet this all started with some suit ordering their techies to do it over their objections."
I don't think so. Technical people have the option not to do this, and they especially have the option not to do this well. To get a successful set of exploits and use them to this effect, it wouldn't appear they have technical people doing this under duress. I would be comfortable assigning guilt to any programmer on their software and I wouldn't be so quick to assume the blame only resides with a subset of those who know what's happening and do it gladly.
The Israeli "spy services" sector provides a very useful function for the US military, which largely funds it through "defence support" funding. By providing a layer of plausible deniability it allows the three-lettered lot to engage in the kind of activities expressly forbidden by the US constitution, such as the warrant-less surveillance of US citizens (the rest of the world is fair game).
There are similar arrangements for medical research because, here too, the US constitution forbids clandestine medical experiments on US citizens, even the non-white ones!
"... nor to deny to any person within its jurisdiction the equal protection of the laws."
If it can be done to anyone within the USA, then citizenship makes no difference. Don't kid yourself. For laws to discriminate in favour of citizens is unconstitutional in itself.
Yes, that is what I assume. AWS has a lot of rented servers. It would be hard for them to know what each one is being used for. They identified some as being connected to NSO, but we don't even know if they got that from the account details or were just told of the service IDs. Either way, it wouldn't be hard for NSO to come back with a fake name and do it all again.
Can someone shed some light on this?
So, from here in Thailand to Shanghai using trace route:
tracert english.sse.com.cn (222.73.229.73) (Shanghai stock exchange on China Telecom, located in Shanghai)
> 30 hops, from TripleT (Thai ISP) it heads to Singapore (e.g. 203.208.172.234 Singtel etc.)
Then to Zayo in the USA zayo.china-telecom.mpr1.lax12.us.zip.zayo.com [64.125.15.95]
Then to 61.152.25.125 (China Telecom in Shanghai) 24 hops 411ms!
Takes more than 30 hops and times out.
So now let's trace the route to 61.162.25.125... that midpoint server located in Shanghai
tracert 61.162.25.125
This time it routes from Thailand to Hong Kong via 203.100.48.185 HongKong
Arrives at 61.152.25.125 in 229ms, a lot faster, 15 hops vs 24 hops.....
OK, so there's an intercept on queries to the Shanghai stock exchange, that reroutes data from Thailand to the USA via Singapore.
If I trace a route to a China Telecom local server I saw in the tracepath on one run, it takes a much shorter path, twice as fast via HongKong.
It strikes me that this is a https connection, and should be secure. So what would be gained by intercepting this unless the certificate is also intercepted?
So let's go look at the certificate... holy fook, it covers like a gazillion domains, was issued to imperva.com, issued by GlobalSign nv-sa in Belgium
Including iplocation ones, and a load of Israeli ones too.
https://www.iplocation.net/ip-lookup
Care to explain GlobalSign?
Nice trace :)
I tend to enable AS numbers in such traces because that shows where traffic transits from one managed environment to the next.
I would like to know how I can examine the certificates used for setting up SSL for SMTP and IMAP - any idea how? Main aim is to compare them between ISPs.
> Can someone shed some light on this?
> [snip]
> Then to 61.152.25.125 (China Telecom in Shanghai) 24 hops 411ms!
> [snip]
> So now lets trace the route to 61.162.25.125... that midpoint server located in Shanghai
> tracert 61.162.25.125
> This time it routes from Thailand to Hong Kong via 203.100.48.185 HongKong
> Arrives at 61.152.25.125 in 229ms, a lot faster, 15 hops vs 24 hops.....
imperva[.]com is one of those companies offering protection against DoS attacks. Your traffic goes to them to be checked for 'legitimacy' and then goes on to the destination. They have powerful machines receiving the traffic of all their clients and only the traffic deemed benign passes through. This explains why there are so many domains under one certificate. They probably have many certificates with many more domains in them, so it's not so obvious who their clients are based on one certificate.
The good thing about certificates is that they are not magical and they don't appear and disappear without leaving a trace.
This trace would be visible in some Certificate Transparency logs. Google, Cloudflare, Facebook, and many other certificate issuers monitor the issuing of certificates so it's damn hard to just issue a certificate linked all the way up to a root CA for a domain you don't own without getting noticed.
For example, the 123-flowers[.]co[.]uk domain mentioned in the globalsign/imperva certificate, a bit down on the cert details page you can see in the "Embedded SCTs" section that this cert in particular was included in 3 transparency logs - Google “Xenon2021”, Cloudflare “Nimbus2021” and Sectigo (Comodo) “Sabre” CT.
I searched a few of these logs and no certificate was ever issued by globalsign to the sse[.]com[.]cn domain or any of subdomains...
It was probably a small mistake in your research that yielded those suspicious results.
Another good thing about certificates and certificate transparency logs is that you get to know a lot of subdomains - even the ones not for general public - for research and academic purposes ofc.
Regarding trace routing changing routes - that's just dynamic routing and traffic shaping working. Two tracerts from the same place can have different routes, and nothing guarantees you that your web traffic will take the same route as these two, also because you're using different protocols.
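The reply above turns on two facts about a multi-domain (SNI-fronted CDN) certificate: the browser only accepts it for a name that appears in its Subject Alternative Name list, and a wildcard entry covers exactly one label. The following is an added example, not code from the thread or from any of the companies mentioned; the SAN list is constructed from the names posted above and is not the real GlobalSign/Imperva certificate. It implements the RFC 6125-style dNSName matching a browser performs, so you can check for yourself which hostnames a given SAN list does and does not cover (for instance that a certificate whose SANs do not include `english.sse.com.cn` would fail name validation for that site rather than be silently accepted).

```python
"""Hostname vs. Subject Alternative Name matching, as a TLS client does it.

Added example for the thread above; the SAN list is CONSTRUCTED from names
mentioned in the thread and does not reproduce any real certificate.
"""
import re

# Constructed sample SAN list (dNSName entries only), including one wildcard.
SAMPLE_SANS = [
    "imperva.com",
    "123-flowers.co.uk",
    "www.123-flowers.co.uk",
    "kitkat.com.au",
    "*.iplocation.net",
    "hays.com.sg",
]

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; <= 63 chars.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _normalize(name: str) -> str:
    """DNS names compare case-insensitively; drop one trailing dot (FQDN form)."""
    return name.lower().rstrip(".")


def _valid_hostname(host: str) -> bool:
    return bool(host) and all(_LABEL.match(label) for label in host.split("."))


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname.

    A wildcard is honoured only as the entire left-most label and matches
    exactly one label: '*.example.com' covers 'www.example.com' but neither
    'example.com' nor 'a.b.example.com'.  Partial ('w*.example.com') and
    nested wildcards are rejected, as is anything as broad as '*.com'.
    """
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if not _valid_hostname(hostname):
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # wildcard must be the whole left-most label, and only there
    if len(p_labels) < 3:
        return False  # '*.com' style patterns are refused
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_covers(sans, hostname: str):
    """Return the SAN entry that covers `hostname`, or None if the cert does not."""
    for san in sans:
        if san_matches(san, hostname):
            return san
    return None


if __name__ == "__main__":
    for host in ("english.sse.com.cn", "www.iplocation.net",
                 "iplocation.net", "a.b.iplocation.net", "KITKAT.COM.AU."):
        print(f"{host:22s} -> {cert_covers(SAMPLE_SANS, host)}")
```

Run it against the SAN list you actually see in the browser's certificate viewer: a hostname that maps to `None` is one the certificate would not be accepted for, whatever else the list contains.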
NSO is announcing it will no longer be responding to media inquiries on this matter and it will not play along with the vicious and slanderous campaign.
It has been said before, but it is always well worth repeating, and especially so with particular and peculiar regard to neglectful and disrespectful NSO Group firmware? .....
How very wise. If one doesn't open one's mouth one cannot put one's feet in it. But that in itself reveals all that one would really need to know ...... such as there being no viable defence against outrageous suggestions and/or valid accusations ‽ .
On that GlobalSign certificate, the one with a bunch of domains listed, seemingly unrelated, that popped up when I went to look at the cert for Shanghai stock exchange. The plot thickens:
Curious the domains listed don't include sse.com.cn or anything like it.
Cert 09:EF:78:B3:0E:BA:08:05:6D:E4:94:22:93:E9:D3:CF:CE:D7:FA:86
Auth Key id 42:6D:57:2D:4F:1F:26:77:74:A6:27:64:F6:80:FA:8F:48:68:FE:7C
https://english.sse.com.cn/
"Forbidden...." no longer gives me an encrypted link let alone to imperva.com
http://english.sse.com.cn/
Fast and responsive now. It now defaults to this NON-encrypted site.
Likewise the tracert for 222.73.229.73 now goes via 116.51.17.189 in Singapore and direct to China Telecom..... 24 hops decent speed now.
Q1. How is it that I get a cert for Imperva.com when I clicked to view the firefox cert for the Shanghai stock exchange, yet the domain isn't listed anywhere as an alias in that cert? How would that work? How would it get verified by GlobalSign???
Q2. I see it has magically fixed itself!
Now Shanghai stock exchange website no longer claims to be encrypted! And certainly not with some magical catch all cert! Is this the same for others?
Q3. Is that how the route was forced? Return it as if it was encrypted, wrap the connection in TLS as imperva.com and route it yourselves? But then how did you inject the redirect to encrypted? The router perhaps (Cisco), a firefox exploit? PC exploit? Some sort of packet injection?
Q4. How do I remove built in certificate authorities I don't trust? GlobalSign Belgium gave this cert out, and yet when I go to each site, I find their domain is slightly different and the cert provided by someone else. So I want to remove GlobalSign from the approved certificate authorities on Firefox.
e.g.
123-flowers.co.uk main domain is their www subdomain, www.123-flowers.co.uk, and the cert is from Cloudflare not GlobalSign.
kitkat.com.au is KitKat Australia, their domain is the www subdomain, www.kitkat.com.au, and the cert is from LetsEncrypt, not GlobalSign.
*.iplocation.net still shows as this magic cert.
hays.com.sg redirects to www.hays.com.sg and the cert is from DigiCert not GlobalSign
So you can see how I'd want to remove Global Sign from the list of trusted certificate authority. How do I do it?
> So you can see how I'd want to remove Global Sign from the list of trusted certificate authority. How do I do it?
I think you mentioned you were using FF so something like this:
- Options->Privacy & Security
- Scroll down to certificates
- Click "View Certificates"
- Find the one you want and click "Delete or Distrust"
First, NSO sell the software, they don't do the hacking themselves (as I understand it).
Second, NSO is in Israel, not where the crime (some variation of unlawful access to a device) is committed.
Third, it's likely that most of the time the government security services are the ones that purchased the software - they don't tend to get prosecuted, not even in high-functioning democracies
Fourth - and I've been struggling a bit with this - is that although Amnesty and Forbidden Stories were given a list of 50,000 phone numbers, I think that's pretty much it. So Forbidden Stories check a few of the phones they can access - easy, as plenty of journos were on the list - find Pegasus, and make the reasonable assumption that 1+1=2. They did that on some 67 phones I believe.
But some of the higher profile targets that have been in the press - Macron, Rahul Gandhi etc - are there because their numbers are on the list. But without a forensic examination of the phone there's no way of knowing if their phones were actually hacked, and I have to confess I'm struggling to join some of the dots to the conclusions being made in the papers: "Macron phone hacked by Morocco" is a long way from "Macron's number found on a list of phones, some of which are provably targeted by Pegasus, and Morocco the most likely suspects".
That said, I've only just found the technical analysis at https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/, so haven't read it yet. Maybe the links are stronger than I've understood.
EDIT: why not check your own phone too?
To follow myself up, one of the more interesting quotes from that article:
Several iPhones Amnesty International has inspected indicate that Pegasus has recently started to manipulate system databases and records on infected devices to hide its traces and impede the research efforts of Amnesty International and other investigators.
i.e. NSO are using their ill-gained root access on your phone to clear up any evidence they were there. So the kind of hard proof required for any prosecution, even if one were being considered, is being removed. They're in full-on damage limitation mode, for sure.
Do you understand nothing?
The State is good and wants to be good so badly that they buy bad systems off a good company that provides bad software, thus allowing the good people to check up on the good (and bad) people which makes it a good thing.
Whereas, if it was a bunch of bad people, they don't give a monkey's about being good so they would buy bad systems off a bad company who provides bad software, thus allowing the bad people to check up on the good (and bad) people which makes it a bad thing.
Obviously.
That's all the argument I need to get a few Motorola v3i again - IMHO the nicest flip ever made (at least the later versions with matte keyboard).
I wish someone would make a smartphone with that exact form factor, and still a replaceable battery (because I suspect it's too small to hold enough juice for a day) - I'd buy a box of them. The only problem: it would be really hard for me to dispose of one like that :)
You mean bribe politicians, via a bunch of deniable PACs, to start wars and then give directorships to the DoD officials that negotiated the prices for their weapons?
While claiming anybody that objects to the "Ninja 2000 InstaKill child-seeking cluster bomb" is a no good commie hippie peacenik
couldn't happen to nicer people.
btw, "Enough is Enough" - is that a new, creative PR tactic for making the stink dissipate? Other PR departments worldwide watch carefully: if this works, we'll have a new 'approved!' tactic at our disposal. Hopefully our paymasters do not realize too quickly that, as we do nothing, they should perhaps pay us - nothing..
First NSO claims it has no control over Pegasus or how it's used but then turns around and claims it knows for a fact that it wasn't used on the victims mentioned.
If NSO DOES know who is being targeted then they should be held accountable for giving aid to terrorists, and if they DON'T have any idea who is being targeted then there should be criminal liability.
Corporate image-making and image protection gets no more amateurish than this:
"In light of the recent planned and well-orchestrated media campaign lead by Forbidden Stories and pushed by special interest groups, and due to the complete disregard of the facts, NSO is announcing it will no longer be responding to media inquiries on this matter and it will not play along with the vicious and slanderous campaign."
Count up the number of times "and" appears in that text and you'll start wondering if this hysterical bilge was pumped out by the Communist Party of China or Russia, so over-the-top is it in its effort to appear justifiably outraged.
Professional PR departments exist to lie through their teeth, i.e., to be smiling whilst they speak in tones of sweet reason. The outburst from some amateur high up in NSO's management -- because an outburst it is, not a statement -- wasn't said through gritted teeth or even a smile, but with mouth wide open and foaming.
Pathetic. NSO now looks more guilty than ever it did before.