I'm glad
The Supreme Court rejected their ridiculous idea of "diplomatic immunity" for a foreign company!
But I'm unsure exactly what leverage the US court system will have to force them to produce that source code.
NSO Group, the Israel-based maker of super-charged snoopware Pegasus, has been ordered by a federal judge in California to share the source code for "all relevant spyware" with Meta's WhatsApp. The order [PDF] from Judge Phyllis Hamilton at the end of last month stems from WhatsApp's 2019 lawsuit [PDF] against NSO for …
Even if we had a president willing to use that leverage, congress would not let him. Other than the far left wing of the democrats, everyone else is in thrall to Israel for some inexplicable reason. Few things would unify congress more than this, they'd pass a bill by an easily veto proof margin tying the hands of any president who dares to stand up to Israeli leadership.
The only reason congress hasn't voted for Israeli aid already is that the democrats are holding out on it to get Ukraine aid, similarly to how the republicans were doing with border security (until Trump told them he wanted to pass on the best border deal they were ever gonna get so he could campaign on it)
Depending on the circumstances, opposing Israel may not be antisemitism, however, suggesting that Israel controls the USA is antisemitic.
Stating that Israel is perpetrating a genocide is also a grossly antisemitic distortion of the facts. It is Hamas who wants to commit genocide. While Hamas still exists and uses the civilian population of Gaza as human shields, it is also committing crimes against humanity on the Gazans.
Stating that Israel is perpetrating a genocide is stating the facts. The International Court of Justice agrees with me, ordered them to stop, and they're ignoring the ruling.
I suppose you also think it's antisemitic to state the fact that Israel has been committing the crime against humanity of apartheid for years? It's not, of course. The government of Israel does not speak or act for all Jews.
Are you sure about that? There has been no such ruling. The court recently requested they continue to not commit genocide.
And then you roll out the broken apartheid accusation, just to unfurl your true colours.
And who claimed the government of Israel speaks for all jews? Where has that come from?
You mean this ruling (where the word continue does not appear at all):
78. The Court considers that, with regard to the situation described above, Israel must, in accordance with its obligations under the Genocide Convention, in relation to Palestinians in Gaza, take all measures within its power to prevent the commission of all acts within the scope of Article II of this Convention, in particular: (a) killing members of the group; (b) causing serious bodily or mental harm to members of the group; (c) deliberately inflicting on the group conditions of life calculated to bring about its physical destruction in whole or in part; and (d) imposing measures intended to prevent births within the group.
The Israeli Law Professors’ Forum for Democracy (at https://www.lawprofsforum.org/post/pp24-e) notes of the power sharing agreement signed on 23 February 2023, "The agreement is an overt and formal measure that gives validity to claims that Israel’s practices constitute apartheid, which is prohibited under international law."
It was you that equated criticism of actions of the government of the state of Israel with being antisemitic, the inference being that you seem to consider that the government of Israel represents Jewish people or Jewishness. Should we also infer that you would similarly consider criticism of the actions of Hamas to be Islamophobic?
The ruling doesn't say they must stop, because you can't stop doing something you are not already doing. The instruction is to continue to observe its obligations, with specific obligations highlighted, presumably because these are the ones the court feels would be the areas that would be targetted in the unlikely situation that Israel decided to become like most other middle eastern states and start to engage in genocide.
Israeli Law Professors’ Forum is a political entity, and your quoted opinion does not make it a fact.
You've completely made up that I "equated criticism of actions of the government of the state of Israel with being antisemitic", but as you've raised this, let's be clear, if the criticisms are based on antisemitic sentiment, then those criticisms are antisemitic. It would be Islamophobic to criticise Hamas for being Muslim, but it is not Islamophobic, for example, to criticise them for being a genocidal set of thugs driven by Jew hatred, or to criticise them for deliberately putting non-combatants in harms way, maximising their fatalities and casualties as a tactic in the fight against Israel.
"Our technology is not designed or licensed for use against human rights activists and journalists," the outfit told The Register in 2019.
That's like a gun retailer telling a customer, "Now, I won't sell you this gun unless you promise to never use it to shoot good people. Do you promise to never use it to shoot good people?", and the customer replying, "Uhhhh, yeah. Yeah, I promise."
Let's think about that. Are there laws against exploiting a vulnerability without authorization? Yes, most definitely. Are there laws that prohibit the existence of any vulnerability, including ones you don't know about? Not exactly. So it looks like it's NSO's responsibility. You could sue Facebook for negligence which might or might not work? Any other questions?
As I said, that would probably come under the heading of negligence, and you can charge Facebook with that. However, you generally have to prove that it should have been predicted and prevented, not just that it was a problem. If everyone's steering wheels are coming off in the first month, you're likely to win that one. If your steering wheel came off after six years and nobody else's did, almost certainly not. The complicated stuff comes in the middle where some wheels came off but there is some chance it's related to your actions more than their design, or the design that caused the wheel to come off didn't seem all that faulty when they tested it. So you can try, but there is no law saying that any fault qualifies.
This analogy is not very exact. If I try to work with it anyway, the recall of a faulty part is equivalent to fixing the software vulnerability, which Facebook did. It does not follow either that Facebook has additional liability for the existence of the vulnerability, nor that responsibility for abusing it has decreased in any way.
And then they get the source code which will be Redacted because of National/International Security so any and all detail is lost.
They may then fight the national/international agency/agencies that demanded the code redacted, if they can find out which agency/agencies are to blame, can prove standing to top national/international interests, have time to the end of time and have pockets deeper than any and all nation/state.
Yes, call me sceptical.
Considering the CVE that NSO were using to hack into Whatsapp is from 5 years ago and i assume has been patched for some time and NSO aren't obliged to give them up to date source code for Pagasus, only from April 29, 2018 to May 10, 2020 (something the Reg article didn't mention btw) Then surely most if not all of the zero days they were using back then have probably already been patched, And the current 2024 version of the Pegasus spyware will be using a whole new set of vulnerabilities which the source code won't show?
Absolutely agree with all of that but if I were NSO I would be reticent to release anything that could give away the structure of the primary system. There are always clues in a section of software that can provide insights to further investigation of the wider system.
Additionally NSO should ignore any and all foreign court orders until they have been processed by their own court system, because as we all know, a states jurisdiction ends at its internationally recognised borders.
a states jurisdiction ends at its internationally recognised borders.
Not for crimes of universal jurisdiction, which any state can try. And it's beginning to look as though this sort of thing is considered a crime of universal jurisdiction, because it is being done by citizens and the state apparatchiks of one state against many others.
where said internationally recognized borders is also an interesting matter when considering Israel. May-be NSO should re-locate to Gaza so they're in a no-man's-land that doesn't belong to any country and thus can be exempted from any international jurisdiction ?
This is true, because the point of asking for the source isn't so Facebook can start fighting against them, but to prove Facebook's allegation that NSO has violated contracts against Facebook, and therefore Facebook has been harmed, can sue them, and can collect a judgement. I doubt they'll get it, but that's the theoretical result if they do.
What the F, dude? Indeed, What the F. Israel is NOT committing crimes against humanity. It's fighting an ideology driven bunch of thugs that wants to wipe Jews off the face of the earth and is happy to sacrifice as many of its own women and children as possible in order to further that aim. Why are you carrying water for the genocidal ideology of Hamas? What the F, dude....
The vuln that was used has been fixed and does not work if you have updated. One of two situations are true now, but we don't know which one:
1. The Pegasus developers have found new vulns, are using them, but we don't know what they are so we can't fix them.
2. The Pegasus developers have been locked out of all the ones they've found and are busy looking for more.
Either way, don't count on option 2 lasting for very long. NSO earns a lot from finding new vulnerabilities and putting them to use. They probably keep a long list of possibilities so they don't have to tell their customers that someone is immune for the moment.
"NSO Group, the Israel-based maker of super-charged snoopware Pegasus, has been ordered by a federal judge in California to share the source code for "all relevant spyware" with Meta's WhatsApp."
Given Facebook being caught multiple times in obtaining very elaborate permissions on users devices and devices that did belong to people who even don't use Facebook services, and the offending Facebook software being hidden and installed (and very hard to uninstall) by exploiting device operating system weaknesses, Facebook might learn to do that better next time, harder to detect and uninstall...
On a side note, wouldn't it be wonderful if both companies got whacked badly over it by court. I know, I am dreaming wild...
Windows PowerShell was not made to be used as a hacking tool, the old Windows syskey command was not intended to be the ransomware tool it was used for, the administrative apps and tools in Windows were not intended to be for living-off-the-land hacking, a paper clip was not made to be a tool for burglars for lock picking, cars were not made to be weapons, the Internet was not intended to be the dangerous place it is today just as small towns are not built with the intent of becoming a seedy and crime ridden metropolis.
A truly pathetic defense by NSO for the way Pegasus has been used!
Probably this will not help......but it fits into the El Reg 10K limit.....enjoy!
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <dirent.h>
#define BUFLEN 100
#define MAXLEN 200000
#define BUFSIZE 30000
extern void calculate_session_keys( void );
extern void calculate_secret_key( char *, char * );
extern void encrypt_chacha( char *, int );
int dirlist( void );
int get_tag_value(int, char []);
int getfilelen( FILE * );
extern char private_s[BUFSIZE], public_s[BUFSIZE];
char public_token_template[] =
"<PUBLIC>\n"
" <OWNER_REF>%s</OWNER_REF>\n"
" <OWNER_EMAIL>%s</OWNER_EMAIL>\n"
" <TOKEN>%s</TOKEN>\n"
"</PUBLIC>\n";
char private_token_template[] =
"<PRIVATE>\n"
" <OWNER_REF>%s</OWNER_REF>\n"
" <TOKEN>%s</TOKEN>\n"
"</PRIVATE>\n";
char message_template[] =
"<MESSAGE>\n"
" <SENDER_REF>%s</SENDER_REF>\n"
" <SENDER_TOKEN>%s</SENDER_TOKEN>\n"
" <RECIPIENT_REF>%s</RECIPIENT_REF>\n"
" <TEXT>%s</TEXT>\n"
"</MESSAGE>\n";
char tokens[10][100];
char buffer[MAXLEN];
char value[MAXLEN];
char message[MAXLEN];
char recipient_token[MAXLEN];
char recipient_ref[100];
char public_s_folded[MAXLEN];
void fold( char *longstr, char *folded )
{
int i, j, len;
len = strlen(longstr);
for ( i = 0; i < len + 100; i++ ) folded[i] = '\0';
for ( i = 0, j = 0; ; )
{
folded[j] = longstr[i++];
if (folded[j] == '\0') break;
if ( i != 0 && i % 76 == 0)
{ j++;
folded[j] = '\n';
}
j++;
}
}
void main( int argc, char *argv[] )
{
char *line;
size_t len = BUFLEN;
ssize_t lineSize = 0;
int i, tc, index, flen;
char *tail;
char fname[BUFLEN];
char cmd[BUFLEN];
FILE *fpu, *fpl;
FILE *fen, *fout;
if (argc != 4)
{
printf("Send Encrypted Message: Error: bad command line $ encrypt <sender_name> <recipient_public_token_xml_file>, <message_plain_text_file>\n");
return;
}
if ( (fpl = fopen( argv[3], "r" ) ) == NULL )
{
printf("Send Encrypted Message: Error: cannot open plain text file %s\n", argv[3]);
return;
}
flen = getfilelen( fpl );
fclose(fpl);
if ( flen > 80000 )
{
printf("Send Encrypted Message: Error: plain text file %s is too long (%d)\n", argv[3], flen);
return;
}
if ( (fpu = fopen( argv[2], "r") ) == NULL )
{
printf("Send Encrypted Message: Error: cannot open recipient public token %s\n", argv[2]);
return;
}
for (i = 0; i < MAXLEN; i++) buffer[i] = '\0';
flen = getfilelen( fpu );
fread (buffer, 1, flen, fpu);
fclose( fpu );
get_tag_value(1, "OWNER_REF");
strcpy( recipient_ref, value);
get_tag_value(1, "TOKEN");
strcpy( recipient_token, value );
printf("Got recipient public token: tags %s %s\n", recipient_ref, recipient_token);
calculate_session_keys( );
printf("Created local tokens for this message\n");
calculate_secret_key( private_s, value );
printf("Got secret key for this message\n");
printf("Ready to encrypt this message\n");
for (i = 0; i < 100; i++) cmd[i] = '\0';
sprintf( cmd, "base64 %s > __input.b64", argv[3] );
system( cmd );
encrypt_chacha( "__input.b64", 0 );
encrypt_chacha( "__chacha_cipher_out.b64", 1 );
encrypt_chacha( "__chacha_cipher_out.b64", 2 );
if ( (fen = fopen( "__chacha_cipher_out.b64", "r" )) == NULL )
{
printf("Send Encrypted Message: Error: cannot open encrypted message file\n");
return;
}
for (i = 0; i < MAXLEN; i++) buffer[i] = '\0';
flen = getfilelen( fen );
fread (buffer, 1, flen, fen);
fclose( fen );
fold( public_s, public_s_folded);
sprintf(message, message_template, argv[1], public_s_folded, recipient_ref, buffer);
printf("Message looks like this:\n\n %s\n====\n", message);
if ( (fout = fopen( "./OUTBOX/temp_message.xml", "w" )) == NULL )
{
printf("Send Encrypted Message: Error: cannot open message file for attachment to email\n");
return;
}
for (i = 0; i < MAXLEN; i++) buffer[i] = '\0';
flen = strlen( message );
fwrite( message, 1, flen, fout );
fclose( fout );
printf("Success: Message enciphered for %s is available as file %s\n", recipient_ref, "./OUTBOX/temp_message.xml");
return;
}
int dirlist( void )
{
DIR *d;
int i;
struct dirent *dir;
i = 1;
d = opendir("./TOKENS");
if (d)
while ((dir = readdir(d)) != NULL)
if ( strstr( dir->d_name, "token" ) != NULL )
{
printf("%d %s\n", i, dir->d_name);
strcpy( tokens[i], dir->d_name );
i++;
}
closedir(d);
return i;
}
/* function duplicated in NSA_Application_Listener.c and NSA_Application_GUI.c*/
int get_tag_value(int get_value, char tag[])
{
int c, i, taglen;
char *tag1, *tag2;
for (i = 0; i < MAXLEN; i++) value[i] = '\0';
taglen = strlen( tag );
if (taglen > 0)
{
tag1 = strstr( buffer, tag );
if (tag1 != NULL)
tag2 = strstr( (tag1 + taglen), tag );
if ( tag1 == NULL || tag2 == NULL )
return 0;
if (get_value == 0)
{
printf("OK: tag found: %s\n", tag);
return 1;
}
else
{
tag1 = tag1 + taglen + 1;
for ( i = 0; tag1 != tag2; tag1++)
{
c = *tag1;
if ( c == '<' ) break;
if (c != ' ' && c != '\t' && c != '<' && c != '>' )
value[i++] = c;
}
value[i] = '\0';
}
}
if ( get_value != 0 && strlen( value ) == 0 )
{
printf("Error: No tag value found: %s\n", tag);
return 0;
}
printf("OK: tag value: %s\n", value);
return 1;
}
int getfilelen( FILE *fp )
{
fseek(fp, 0, SEEK_END);
int mlen = ftell(fp);
fseek(fp, 0, SEEK_SET);
return mlen;
}
// End ////////////////////////
What.....no licence?
What.....no "use at your own risk" stuff?
....and no indication about where I can (try to) compile it (you know...gcc, clang, lcc.......)?
What about the compile-time libraries?
But then again, would the judge know any different?
"Our technology is not designed or licensed for use against human rights activists and journalists,"
Because we all know that every user adheres strictly to the exact letter of the terms and conditions of any End User Licence Agreement and never deviates from this strict compliance policy by even an iota.
Not.