NSO caught with its pants down
They can pretend all they want but the game is up. Israel will try to whitewash NSO's behavior but they will have to back off.
Israel's Ministry of Defense says the nation's government has visited spyware-for-governments developer NSO Group to investigate allegations its wares have been widely – and perhaps willingly – misused. A Ministry tweet delivered the news in Hebrew, and online translate-o-tronic services render the text as follows: …
And if other nations determine that NSOG is guilty then those nations will put pressure on Israel. If Israel refuses to acknowledge those concerns then they could find themselves the target of U.N. sanctions. They can defend NSOG if they want, but doing so may leave them in a position where the rest of the world says "Wrong answer. Do not pass Go, do not collect $200, go directly to Jail." It will be a proverbial jail, but Israel may find itself just as trapped as if it were real.
Well whoop-dee-doo. As if that mattered when you're selling spyware to governments.
Besides, you're not the one deciding what is a matter of national security. By your own definition, there are no governments using your software illegally - all they need to do is define each usage as a matter of national security.
And everyone is operating legally. Ba-doum, tish !
Something I've not been able to work out from the coverage so far - does NSO retain some control over it's product after they have sold it? The seem adamant that many of the phone numbers on the lists which the press have published aren't targets, which implies that they have knowledge of their customers' targets. I sort of find this hard to believe, but also can imagine that they'd want to keep some sort of control of the product, given how dangerous it could be if it got into the wild. Then again, if everything went through their servers that could bring its own dangers!
Anyone know?
We don't have knowledge of everything in their code, so these points are based on partial information which has been released:
First, NSO operates several servers which are used to install and operate the malware. This means they know at least some of the targets because they are infecting them on behalf of their clients. We don't know whether it's possible to change those servers to ones that NSO don't operate. Similarly, we know that NSO has target limits where certain licenses are paid depending on how many devices you want to force spyware onto. That implies but doesn't necessarily mean that there is some mechanism for checking whether a client has complied with those licenses or preventing them from infecting others when they have run out of credits. This would also imply that they know when and by whom someone was infected even if they go to some effort not to know who the victim was.
More speculatively now, I think NSO must continue to control the malware after they've sold it because they are operating in a very ambiguous area. They do have some protection from Israel for some reason which has never really made sense to me, but if Israel decided they no longer supported NSO, there would be major problems for the company. Therefore, NSO needs to make sure that, whichever governments or groups (yeah, I'm not buying their claims) they sell it to, they don't sell it to someone who will cause Israel to abandon them. For instance, they could sell it to governments for repression of the local populace, but selling it to someone who would use it against Israeli government figures is something they'll do a lot to avoid. Making a version available which is easily controlled without their knowledge is an invitation to do exactly that. They have strong financial and safety incentives to control who gets to buy and who gets to be the victims, and I'm going to assume that they know these things very well.
Regardless of whether you think what NSO are doing is right or wrong I always wonder why:
When members of the International Left, of which Amnesty is a major player, "steal" proprietary and confidential intellectual information or communications from a government or corporation it is seen as some public service but when it is done in the reverse, i.e. The DNC emails it is viewed as a crime! This smacks of the typical legal double standard the Left always wants to operate under.
This incident requires answer:
1. Does NSO retain control of the distribution of the spyware to targeted individuals.
2. Is this supposed list accurate as to submitted targets by their customers. or
3 Has Amnesty just made up this list (including the dead journalists) as a way to target a known adversary of theirs, Israel.
4. If the list is genuine, was it obtained legally? An insider leaking the list is NOT legal.
5. If not then those who stole it and those who received it should be prosecuted.
Command and Control as with much of the malware used to lock systems will be in overall control of the main designer/operator.It will undoubtedly be licensed out on a per-user basis with the end user only having a basic interface, not the actual code required to achieve the access and lock.
That is unless a third party or state nation has somehow copied the code from their servers and is using/selling it themselves or a facsimile which leaves traces of other vendors spyware as a feint if discovered.
There are a bunch of them - Cellebrite is another that's been the subject of multiple Register articles that's based in Israel. Not that the US lacks them, but while Cisco and AT&T may do some bad things on the side that's not their entire business model like the ones in Israel.
I imagine the US and other "five eyes" prefer not having such companies in their country to avoid the risk of their lawmakers getting upset and passing inconvenient laws when big revelations come out like the recent NSO Group news. Israeli citizens long ago surrendered to the idea that giving up privacy for security is a good thing, so there's no worry about that there.
Suppose your country was surrounded by hostile nations.
Suppose you saw your military's job to defend the country and not just shuffle defense spending to each politician's locale
Suppose you saw that cyber gave you an asymetric advantage compared to massed ranks of infantry trooping past a saluting stand or aircraft carriers with no planes.
Suppose your military recruitment was based on which school you went to - but for the courses you took and grades you got rather than knowing which direction to pass the port.
This isn't really accurate. For example, you've mentioned Cellebrite, whose most well-known product is a tool for breaking into mobile devices. They aren't the only company to make products for that purpose. Another well-known one is Grayshift, which is based in the U.S. You can find companies producing malware with government support in many countries.
Israel is a special case mostly because they have an unusually large tech sector for the size of their country, and many of their tech people have trained in security-related issues and chose to make that the core of their companies. They just have a lot of companies in that area, meaning they're bound to have some well-known malware ones in that mix. Some of those companies also get unusual levels of support by the Israeli government, but that's not unique to them either. This doesn't exonerate Israel for the crimes its companies engage in without investigation, but there are other countries who are culpable of the same.
Offence is the best defence. Whatever Israel has to do to survive in a hostile world, it will. When your neighbours are Hamas, Hezbollah, Assad and the Ayatollahs, you do not need to make excuses. Instead of singling out this state for one-sided and hypocritical venom, we should be standing up for it as the only place in the region or indeed the world where Arab citizens have free and fair elections or where you can safely have LGBTQ marches in public. It is remarkable what they have achieved in high-tech and so much else despite living in such a hostile environment.
Most major Governments using spyware on its citizens phones - worldwide. Not a surprise. That the spyware was devloped by a commercial group - not a surprise. A country like Israel has such groups and produced a very successful piece of spyware which they sold and cannot really control the use - not surprising certainly after Russian Federation, Five Eyes and ROC actions. That Israels enemys will use its existance, it or knockoffs against Israel - only to be expected.
That we live in an electronic Panoptican that is getting worse each year - are you surprised?