Apple sues 'amoral 21st century mercenaries' NSO for infecting iPhones with Pegasus spyware

Apple today sued NSO Group, which sells spyware to governments and other organizations, for infecting and snooping on people's iPhones. In a strongly worded filing [PDF] Apple described NSO as "amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant …

  1. PhilipN Silver badge

    "amoral 21st century mercenaries ..." etc.

    Referring to ...... [insert any one of a number of major IT companies here]

    1. Anonymous Coward

      Re: "amoral 21st century mercenaries ..." etc.

      I wonder how Apple might manage interacting or interfering with all the other state sponsored use of Apple services and products out there? Could be scope for a mildly thrilling technopolitic series on Netflix.

  2. MrDamage Silver badge

    Seriously?

    > "Apple argued that though NSO sells Pegasus to foreign governments and others, the developer is heavily involved in each deployment of the tracking software, and thus needs to be held responsible for the ultimate use of the code."

    Just hope Apple remembers this when their compromises to the Chinese govt end up with people suffering human rights abuses.

    https://www.nytimes.com/2021/05/17/technology/apple-china-censorship-data.html

    https://www.nytimes.com/2021/05/17/technology/apple-china-privacy-censorship.html

    But, ultimately, if a malformed text message can prompt the installation of malware, then Apple are the ones who bear responsibility for this glaring security oversight.

    1. Stork Silver badge

      Re: Seriously?

      In Apple’s defence, they patched it according to the article

      1. JassMan
        Trollface

        Re: Seriously?

        In Apple's defence, they repeatedly patched it their poorly secured code according to the article

        FTFY

        1. Lord Elpuss Silver badge

          Re: Seriously?

          "In Apple's defence, they repeatedly patched it their poorly secured code according to the article"

          The fact that a dedicated, highly focused and extremely well funded operation was able to find and use an exploit which was promptly patched, does not make it 'poorly secured code'. That's like saying Fort Knox is 'poorly secured' because you could drop a nuke on it and it would blow the door off.

          1. Pascal Monett Silver badge

            I doubt that there is any nuke that can be so finely-tuned as to blow only the door off.

            If we do have that, then Area 51 is holding more than just alien tech.

            1. Lord Elpuss Silver badge

              "I doubt that there is any nuke that can be so finely-tuned as to blow only the door off."

              Special Atomic Demolition Munitions (SADM) are tuneable from 10 to 10kt. Anywhere from 'put a damn big dent in the blast door' right up to 'remove the whole site from the planet'.

              https://en.wikipedia.org/wiki/W54

          2. TheFifth

            Re: Seriously?

            https://www.youtube.com/watch?v=7_PX1cVuaVA

    2. SW10

      Re: Seriously?

      Apple are the ones who bear responsibility

      Seriously?

      I understand you just want a pop at Apple, and I really hope that you don’t use the “if you got attacked it’s your fault” argument in other areas of life.

      1. Anonymous Coward

        Re: Seriously?

        This isn't victim blaming.

        They weren't saying "you bought an iThing so you deserved it"

        This is pointing out that the attacks were successful because the vendor wasn't producing acceptable quality code.

        Between February & September, NSO used a zero-click technique to infect selected iOS devices

        How come NSO can find these holes when the SW originator can't?

        Is it because NSO are looking for them while the developers are not?

        Or is it because the profit motive, motivates NSO to find these holes while the profit motive for the developer is to say "Fuck it, that's good enough, can't be arsed to spend any more time/$$$s looking to see whether it's full of holes".

        Unless companies are prepared to spend time, effort and cash looking for problems they won't find them and therefore we shouldn't be too surprised if holes are found.

        1. DS999 Silver badge

          Re: Seriously?

          Please name any mass market consumer software that's free of similar security issues. I'll wait.

          I'd love for Apple to be able to produce code without any 0 days, but if they did they'd be doing something no one else has managed.

          1. Anonymous Coward

            Re: Seriously?

            The sad thing is I can't.

            See my line on the profit motive.

            My feelings one way or the other for Apple were irrelevant here. I carefully avoided saying Apple precisely because I knew my comment applied equally well to lots of other producers of "mass market consumer software".

            I suspect that many of the individual developers would love to be allowed to spend the time and effort to:

            to be able to produce code without any 0 days, but if they did they'd be doing something no one else has managed.

            But that doesn't stop the organization as a whole having the attitude of

            "Fuck it, that's good enough, can't be arsed to spend any more time/$$$s looking to see whether it's full of holes"

            Because I know that it costs a lot more to make software which isn't so full of holes. I see it much more as a failure of management than a failure of the programmers involved.

            1. trindflo Bronze badge

              Re: Seriously?

              I think that Microsoft issues a constant stream of features in order to play market leader and jerk the rest of the industry around, and these features are widely complained about being poorly tested in the rush to market.

              Apple doesn't have the same business model; with a walled garden they don't need to play market leader. I think you are conflating two separate problems (not that Apple lacks its own issues).

          2. Binraider Silver badge

            Re: Seriously?

            Writing code with no 0-days is easy. Writing useful code without a zero day is hard!

        2. SW10

          Re: Seriously?

          This isn't victim blaming.

          Hello AC,

          Your writing style and fondness for commas makes me suspect you wrote the post by MrDamage

          Either way, the victim-blaming* point still stands

          * Your words

          1. Tim99 Silver badge

            Re: Seriously?

            Alternatively, there may be two posters who use a similar style? I am old and went to a school that had "illusions" of grandeur - I was taught to use Oxford spelling and commas; longer, adequately punctuated, sentences; and the excessive use of subordinate clauses. I now try to use shorter sentences.

            1. Dave 126 Silver badge

              Re: Seriously?

              Kurt Vonnegut wrote that semi-colons should not be used; they suggested that one had been to college.

              1. jgarbo
                Headmaster

                Re: Seriously?

                Or that one understands the difference in English between a sentence and a relative clause.

            2. Anonymous Coward

              Re: Seriously?

              Correct, I'm not MrDamage, so there must be two commentards here whose writing styles are sufficiently similar to confuse those looking for ...

              If our styles are similar then I pity MrDamage as I know my grammar is appalling. If by college the poster above meant Uni, then no I never went. As for Oxford commas I had to look those up recently when Word castigated me for not putting a comma in a place my primary school taught me never to put them.

              I'm certainly guilty of the "excessive use of subordinate clauses". It probably means I've not thought out the sentence all the way to the end before I start typing.

          2. Furious Reg reader John

            Re: Seriously?

            Apple are not the actual victim here, so pointing out Apple's own failures to protect its customers is not victim blaming.

            When Apple put profit before principle when dealing with China, it lost all claims to be a moral company. They are simply using the Human Rights Industry angle to cover up the marketing disaster that is a no interaction pwnage flaw in their system.

            1. sabroni Silver badge

              Re: When Apple put profit before principle when dealing with China.....

              .....it lost all claims to be a moral company.

              You're missing an "in my view" from that statement.

              1. Furious Reg reader John

                Re: When Apple put profit before principle when dealing with China.....

                Er - I think you might have failed to grasp the singular role of the comment facility, but let me help you out with a clue - I'm not posting your views.

              2. Pascal Monett Silver badge

                Not really.

            2. Graham Cobb Silver badge

              Re: Seriously?

              it lost all claims to be a moral company

              Despite being an atheist: "Let him who is without sin cast the first stone".

              I am also deeply disappointed Apple did not decide to walk out of China (and, indeed, even invest in countering the Chinese government). I was also deeply disappointed by the recent moves to scan private files (such as photos).

              These moves mean that I won't invest in them, for example. And, if it wasn't the case that Google is so much, much worse I wouldn't do business with them.

              However, despite that, I can recognise that they don't claim to be a "moral company" and they deserve praise for this action against NSO. Sure, they have bugs, but they do seem to make some more effort than their competitors to fix them (and, of course, charge a lot more money for their products than those competitors do).

        3. Sorry that handle is already taken. Silver badge

          Re: Seriously?

          How come NSO can find these holes when the SW originator can't?

          Is it because NSO are looking for them while the developers are not?

          Yeah, it's a common problem in engineering, both hard and soft: creators that are fixated on what a feature is intended to do, not what it can do.

        4. Anonymous Coward

          Re: Seriously?

          Unless companies are prepared to spend time, effort and cash looking for problems they won't find them and therefore we shouldn't be too surprised if holes are found.

          In that context I find it interesting that you attempt to appear to single out Apple (or avoid mentioning others), one of the few vendors that actually puts some effort in (and no, the China argument doesn't really work - it appears people seem to forget that companies have to - or ought to - follow local law). Apple puts the effort in as far as I can tell.

          Also, analyse motive: Apple makes most of its money from hardware, followed by services, and has picked up that privacy matters to its users. Google, OTOH, makes most of its money by scraping personal data off everything it touches (which its Terms allow it to retain into perpetuity, although they replaced that word in later versions with more benign looking text). Who would be more inclined to leave "accidental" holes or bother less?

          1. Anonymous Coward

            Re: Seriously?

            > In that context I find it interesting that you attempt to appear to single out Apple

            Please go and re-read my posting, I quite deliberately did not name Apple even when the text would have read better if I had. I did not name Apple because they are not the only company guilty of producing code with holes in. I don't even consider them the reason that so much SW appears to have been "rushed". It just so happened this conversation started following a story about Apple. Other vendors have produced code where holes can be exploited with zero user interaction. Perhaps they were in the wrong place at the wrong time.

        5. tiggity Silver badge

          Re: Seriously?

          Finding and exploiting vulnerabilities in a time / cost efficient manner often requires different (and rarer) skills than code development, so no surprise there's code issues even top 10% devs do not spot.

          If a company wants to test the software it produces for vulnerabilities then it needs people with the right skill set, that will not usually be developers.

          Obviously some devs do have the mindset / skills to sniff out exploitable vulnerabilities in (relatively) short timescales, but most do not.

    3. Lord Elpuss Silver badge

      Re: Seriously?

      "But, ultimately, if a malformed text message can prompt the installation of malware, then Apple are the ones who bear responsibility for this glaring security oversight."

      What an epically moronic statement.

  3. Anonymous Coward
    Joke

    The real problem is NSO didn't pay Apple to run on iDevices...

    .... and that's the biggest crime you can commit in Cupertino.

    1. Anonymous Coward

      Re: The real problem is NSO didn't pay Apple to run on iDevices...

      Upvote for the joke, not so for what you imply but that's part of the joke :)

  4. Anonymous Coward

    I’m fairly cynical about the entire exercise. Something tells me the lawsuit is a PR exercise so Apple can claim they did something about the issue after outrages like the murder of Khashoggi; whilst behind the scenes it’s business as usual for the spooks.

  5. Unbelievable!

    But .. Isn't U.S 4 letter agencies and allies doing exactly the same stuff as NSO ?

    Seems like U.S just doesn't want other nations to do as US and the other 7 eyes nations do.

    Once again U.S is the world police. (no, I'm not sticking up for NSO, I just see a slightly wider picture.)

    1. David 132 Silver badge
      FAIL

      Re: But .. Isn't U.S 4 letter agencies and allies doing exactly the same stuff as NSO ?

      No, you're trolling for your masters in Beijing/Moscow/Tehran, and doing a pretty piss-poor job at it. No 50 cent payment for you.

      1. Unbelievable!

        Re: But .. Isn't U.S 4 letter agencies and allies doing exactly the same stuff as NSO ?

        Trolling? I won't rise to your attempt at insulting me, or the FAIL icon. You're clearly against the idea of acceptance of facts. If you won't listen to my point of view, then look around for yourself.

        As for trolling, not at all. Nobody's side but my own. You, they and everyone else can LIKE the universal data collection and surveillance by the 7 eyes or whosoever else you choose, but I don't have to and I won't insofar as I can.

        It's Wrong. US, China, Russian, Middle east etc whoever does it. Russia and the other nations probably do similar.

        But here in Britain, we're served western news and political policies. Again in Britain, it seems U.S interfere with everything around the world. You forget about Snowden leaks. And those agencies are all still doing that stuff. We just know about it now. "do as we say not as we do".

      2. Anonymous Coward

        @David 132 - Re: But .. Isn't U.S 4 letter agencies and allies doing exactly the same stuff as NSO ?

        You lost this one, buddy. It was no China/Russia/Iran that was spying on German Chancellor's phone.

    2. Clausewitz 4.0
      Devil

      Re: But .. Isn't U.S 4 letter agencies and allies doing exactly the same stuff as NSO ?

      This is WAR.

      USA + folks are doing it and trying to make others not to do.

      And they are still using NSO.

      1. Unbelievable!
        Black Helicopters

        Re: But .. Isn't U.S 4 letter agencies and allies doing exactly the same stuff as NSO ?

        lol

    3. Tim99 Silver badge
      Big Brother

      Re: But .. Isn't U.S 4 letter agencies and allies doing exactly the same stuff as NSO ?

      ...US and the other 7 eyes nations? I know who the 5, 9, and 14 eyes countries are, but that I hadn't heard of before.

      1. trindflo Bronze badge
        Trollface

        Re: But .. Isn't U.S 4 letter agencies and allies doing exactly the same stuff as NSO ?

        I was wondering who the 4 letter agencies were?

        The ACUS? https://www.usa.gov/federal-agencies/administrative-conference-of-the-united-states

        Perhaps these blackhearts? https://www.usa.gov/federal-agencies/advisory-council-on-historic-preservation

    4. Joe W Silver badge

      Re: But .. Isn't U.S 4 letter agencies and allies doing exactly the same stuff as NSO ?

      The interesting thing is that an American ruling just has no effect in other countries[+]. So dictators (and the three letter agencies) can continue doing this kind of stuff elsewhere.

      The idea that this kind of spyware (or any...) should have no place on people's phones is in principle not too bad, and one has to start in some jurisdiction, and maybe others will follow - and this should also aim[°] at ending Uncle[*] Sam's (and others') actions; this is but a hope, and not a terribly realistic outcome, I fear.

      [+] Except that the US do have delusions of grandeur, thinking their laws apply world-wide (DMCA?)

      [°] aim at != will hit the target (in this case: achieve anything)

      [*] uncle[#]? Yeah, you cannot choose your family, only your friends

      [#] maybe a bit like uncle Ernie, or what his name was, in "Tommy".... :/

      1. Clausewitz 4.0
        Devil

        Re: But .. Isn't U.S 4 letter agencies and allies doing exactly the same stuff as NSO ?

        Reminds me of a Piratebay legal response pearl:

        We are well aware of the fact that The Pirate Bay falls outside the scope of the DMCA – after all, the DMCA is a US-specific legislation, and TPB is hosted in the land of vikings, reindeers, Aurora Borealis and cute blonde girls.

  6. Anonymous Coward

    There are other options.....

    .......like the burners in use by me and my pals! Even if the phones got NSO hacks (they haven't), the snoops don't know much about who's talking!

    *

    Disciplined use also helps......I know......very rare!

    *

    Throwing phones away regularly also helps.

    *

    It really is a pity that this is even necessary....but people need to take control of their own privacy and security (as far as they can)......because Apple, Google, the NSA, the GCHQ and who knows who else simply don't care.....too much money......too many folk out there who really want the STASI back.

    1. Lord Elpuss Silver badge

      Re: There are other options.....

      Please don't breed.

    2. Pascal Monett Silver badge
      Thumb Down

      Re: Throwing phones away regularly also helps

      Thank you for helping to increase the amount of toxic waste third-world children have to deal with.

    3. BrownishMonstr
      Joke

      Re: There are other options.....

      Apple and I agree, that's why I get a brand-new spanking iPhone every year.

  7. Norman123

    I hope this becomes a trend against all hacking spyware floating around abusing cyberspace for power and profiteering at any cost. Any company whose software is attacked by known and proven attackers should be sued and their responsible officers be thrown into the slammer in addition to losing their shirts, trousers and being tar/feathered....

    People buy gadgets to enhance the quality of their lives, not be spied upon and abused.

    Another plague is the telemarketers. Now they have a way to call from fake local numbers and no one is there to defend the taxpayers from these wolves of cyberspace.

    1. jgarbo
      Pirate

      Excue me, Karen...

      Does tough guy Cook realize he's dealing with Mossad? They really are tough. Be polite, Timmy, or they'll incinerate you.

      1. Clausewitz 4.0
        Devil

        Re: Excue me, Karen...

        Mossad guys are a bunch of sissies. Go after them with a knife/stiletto and they freak out.

        Third-world countries police and military are tough.

      2. DS999 Silver badge

        Re: Excue me, Karen...

        What are you implying, that they would assassinate a US citizen and CEO of the world's largest company?

  8. Anonymous Coward

    What colour?

    Pot, meet kettle

    1. Lord Elpuss Silver badge

      Re: What colour?

      Who's the kettle in your view?

  9. pavel.petrman

    Terrorists and paedophiles

    ... seem to work well as an excuse for everything amoral and illegal these days. Not long ago the excuse was called "class enemy" where I live, though it worked to exactly the same effect.

    1. Clausewitz 4.0
      Devil

      Re: Terrorists and paedophiles

      Point of view

      Israeli government often considers terrorists - Intelligence from Palestine or Pakistan

      Palestine or Pakistani government often considers terrorists - Intelligence from Israel

      Age of consent - It is cultural

      Age of consent in Brazil is 14 years old

      Age of consent in India is 15 years old for a married couple, 18 if dont

      Age of consent globally varies from 11 to 21

      UK folks view guys from Angola marrying 12-year-old girls as paedophiles, people from Angola don't.

      1. pavel.petrman

        Re: Terrorists and paedophiles

        I wouldn't be surprised, really, if a (proxy) country somewhere raised the age of consent selectively to the age of 99 for a person of a specific interest to a democratic country expressly founded to foster and defend freedom of its citizens, in order to get the now paedophile arrested and tried for their terrible, abhorrent crime. Or at least getting the contents of their smartphone fought against, because terrorism, paedophiles and pgp keys. These evil paedophile.

  10. Barrie Shepherd

    "“Thousands of lives were saved around the world thanks to NSO Group's technologies used by its customers,” a spokesperson for the developer told us today."

    That's OK then - 'think of the children', 'the end justifies the means', 'collateral damage along the way is acceptable', and NSO should be elevated to Saviours of the World. /s

    The fact is NSO Group found a business opening - doing for (any) Government that which that government could not, in all conscience, do itself. I have no doubt that entities within the UK Government will be using NSO technology as will those in the US, Australia, Canada, ........ etc.

    I'm no Apple ambassador, and don't own any iThings, but in this I have sympathy for their plight - not that a US Court determination will stop NSO, Google should join Apple in the action.

    Governments will always resort to illegal means when they can't get their way legally - just occasionally they get caught out but then they say sorry and run the "Thousands of lives were saved", "Children were protected", with Minister "I have no recollection" mantras, wash, eat humble pie, and continue as usual. What's the betting Priti Patel's Home Office is using (obviously without 'her knowledge') NSO products to further her draconian ends?

    I just hope the hacking community target NSO!

    1. iron Silver badge

      If the Home Office hasn't bought Pegasus already then Patel would buy it herself. She probably has shares in NSO Group.

  11. You aint sin me, roit
    Paris Hilton

    A bit Streisand...

    "Yes, our phones aren't secure, but it's really, really mean of you to exploit it"

    1. doublelayer Silver badge

      Re: A bit Streisand...

      Ah, yet another call for perfect code. I like this site as a news source because most articles assume a degree of technical knowledge, and most participants on the forum seem to have that. Sadly, not always. If I come to your house and determine that I can break in without you knowing, it's still a crime if I do it. You should know this.

      1. You aint sin me, roit

        Re: A bit Streisand...

        I won't indulge in willy waving technical credentials, in any case you missed the point.

        Apple Marketing: Our phones are secure, we put your privacy first, our walled garden secures your phone, you don't get malware on Apple products.

        Apple Developers: That's the idea but we're not there, people keep finding vulnerabilities. We're playing catch-up.

        Apple Legal: We'll sue anyone exploiting vulnerabilities (that they found in our code).

        The legal team is highlighting the "over exuberant" nature of the marketing claims.

        Also, for the non-technically minded, if I don't lock my door and you steal my stuff, while it's still a crime my insurance won't pay out.

        1. doublelayer Silver badge

          Re: A bit Streisand...

          You don't need a lot of technical knowledge to realize that the marketing on more security doesn't mean perfect security, and that you'll never get perfect security. All Apple's marketing means is that you get the security updates they make faster than their competitors (no waiting for device manufacturer and possibly a carrier reseller to release the patch as some Android devices do). They're also happy to praise their App Store review which keeps out more malware (though not all), but as NSO didn't post theirs to the App Store, it's irrelevant in this case. You are asking Apple to produce effectively bugless code and claiming that, when they don't do so, it invalidates every security claim they've made. It doesn't work that way.

          And whatever your insurance contract may say, if I walk through your unlocked front door and take your stuff, I've still committed a crime and can go to prison for it. NSO didn't attack a device with no protections; they had to break some protections to get what they wanted, but even if they didn't, it would still have been illegal for them to do it.

  12. Potemkine! Silver badge

    It may be hypocritical, but it's a good move anyway.

    Apple argued that though NSO sells Pegasus to foreign governments and others, the developer is heavily involved in each deployment of the tracking software, and thus needs to be held responsible for the ultimate use of the code

    Good luck with that. It won't happen because the same argument could then be used against weapon makers, and those are untouchables.

    Thousands of lives were saved around the world thanks to NSO Group's technologies used by its customers

    Tell that to Khashoggi's children! What a weaselish answer. With that kind of answer they show what kind of people they are.

    1. Furious Reg reader John

      You would be misleading Khashoggi's kids if you tell them it was NSO that kidnapped, tortured, killed and dismembered him and then disposed of the body parts. Or maybe I misunderstood what you meant when you said that it shows what kind of people NSO are.

  13. Geoff Campbell Silver badge
    Coat

    I sense this is not going to be a popular opinion...

    What business is it of Apple what software runs on their devices after they have been sold?

    I mean, sure, I wish for NSO Group to die in a collective ditch, along with all similar parasites. But I am rather uncomfortable with the concept that a device manufacturer has any sort of legal path to mandate what can or cannot be run on a device that they have sold.

    I think this is one of those cases where I fervently wish that both sides could lose.

    GJC

    1. doublelayer Silver badge

      Re: I sense this is not going to be a popular opinion...

      Please read the article. They didn't say that they're entitled to damages because "You ran code on devices we made and those are ours". They said that NSO used Apple's services, the ones that run on Apple's servers, that you have to agree to a contract to use, and that you can choose not to use, and that NSO broke the contract in their malicious use of those services. Entirely different.

      You have objected to an argument they never used, and your conclusions are entirely built on your failure to follow their claims.

      1. Geoff Campbell Silver badge

        Re: I sense this is not going to be a popular opinion...

        I confess, I'm not a lawyer, and I took some of the statements in the article at face value without doing a full breakdown of the legal arguments.

        I am still not as comfortable as you appear to be with the situation.

        GJC

        1. doublelayer Silver badge

          Re: I sense this is not going to be a popular opinion...

          If you're still uncomfortable based on your points from the first comment, then your discomfort is based on a misunderstanding. Apple never said what you think they did. Maybe you will also dislike the argument they did make, but you do have to understand the argument they're making so you don't assume they have exerted an ownership or control right that they haven't done. When they have implied that elsewhere, most recently in their App Store monopoly case, I have agreed with you and opposed them. That's not what's happening this time.

  14. jollyboyspecial Silver badge

    "The steps we’re taking today will send a clear message: in a free society, it is unacceptable to weaponize powerful state-sponsored spyware against those who seek to make the world a better place,” said Ivan Krstić, head of Apple Security Engineering and Architecture

    OK mate so what you're saying here is that Apple phones are vulnerable to malware installation? Something that Apple keep on denying.

    You're also effectively admitting that you can't do anything to prevent this without resorting to legal action?

    Your job title is Head of Apple Security Engineering and Architecture?

    Maybe you're not as good at your job as you think you are?

    1. doublelayer Silver badge

      "OK mate so what you're saying here is that Apple phones are vulnerable to malware installation? Something that Apple keep on denying."

      No, they don't. They call out security fixes in literally every iOS update. That indicates that iOS was in need of security fixes then, and they've never said it would now be perfect.

      "You're also effectively admitting that you can't do anything to prevent this without resorting to legal action?"

      No, he didn't. He said that the abuse of security holes was illegal, so they were justified in bringing legal action. He did not say that was the only method available to him, and Apple's patching of NSO's exploits proves that it is not.

  15. jollyboyspecial Silver badge

    Since Apple claim to be the good guys I hope that should they win they will be handing the cash to every iPhone owner whose device was infected with this malware.

    If they don't I suggest that every iPhone owner who suspects they may have been infected sues Apple. After all Apple's lawsuit clearly states that they believe that this malware getting onto iPhones is a very bad thing. A thing so bad that financial recompense is necessary. In that case the very fact that they allowed this software to be installed means that they are jointly responsible and should compensate their customers.

    1. DS999 Silver badge

      Not to the victims

      But they are donating $10 million along with anything they may collect from this lawsuit to groups like Citizen Lab and Amnesty Tech pursuing "cybersurveillance research and advocacy".

    2. doublelayer Silver badge

      "the very fact that they allowed this software to be installed means that they are jointly responsible and should compensate their customers."

      They did not allow it to be installed. They didn't know, so didn't allow or deny. They do not have the responsibility to police everything you do on your device, and when they take a few steps toward even thinking they have the right to do that, we complain about them and they get sued for limiting user choice, actions I emphatically support.

  16. Tim Almond

    Reputation

    This is really about embarrassing Apple. They're a trillion dollar company who make most of their profit from one product and one of the two or 3 biggest marketing points about the iPhone is privacy.

    It's not explicit, but the point of their marketing is that Android shares your data, and it's well worth spending 5 times the price of a Moto for a nice piece of jewellery and that your data won't be shared.

    Stories about malware that can work by simply opening an email damage that reputation. Yes, I'm sure that Android has the same problems, but Apple explicitly market on this point, like Android doesn't. And if you're just saying that your phone is as secure as an Android, why not buy an Android (they still work as jewellery, I suppose).

  17. johnnyblaze

    Spying

    The footnote to Apple's filing is;

    "We strongly resent any external 3rd party spying on Apple device users and collecting data without their consent. We believe only we (Apple) should have the right to do that, and will continue to defend that right to the utmost extent of the law"

    That about sums it up!

  18. CAPS LOCK

    Irony level...

    ...infinity...

  19. Salts

    Problem with this is ...

    It's the fact that companies like NSO (which are state sponsored) pay massive bounties for zero-day exploits. I seem to recall the bounty on Pidgin messenger was $100k that was more than the project had in finances for 3 years. So whether you like Apple or not at least their going after the likes of the NSO does help, the smaller devs can't defend themselves against this, but, Apple & Facebook etc can hit them hard, hopefully, hard enough to break them. Also remember Apple will be going for discovery, which should make very interesting reading for all.

  20. EricB123 Bronze badge

    It's ok if...

    Anytime you need a reason to write spyware, just say the world needs this spyware to stop pedophiles. Then it's perfectly ok to do almost anything.

  21. mark l 2 Silver badge

    “Pedophiles and terrorists can freely operate in technological safe-havens, and we provide governments the lawful tools to fight it. NSO group will continue to advocate for the truth.”

    Ah the 'won't someone think of the children' defence.

  22. Paul Hovnanian Silver badge

    National Security Letters

    "Any time Apple discovers activity consistent with a state-sponsored spyware attack, Apple will notify the affected users in accordance with industry best practices."

    Yeah, right. When NSO's software is installed at the behest of one of our TLAs, let's see how long they stand by this principle. Even warrant canaries have not stood up well in the face of executives being offered holidays at Club Fed.

    Other countries' reach might vary, but I wouldn't want to be the Apple sales rep making a sales call on some despotic regime following a violation of their edicts. And Russia (for one) is getting set to demand in-country offices (hostages).

    1. Salts

      Re: National Security Letters

      Think Apple have always been clear on this: if it's on a user's phone they won't help. If it is on their servers and you have a legal right to the data here you go take it. Same as Google, Microsoft et al. I don't like their stance on China, but, that's another matter.

      1. Clausewitz 4.0
        Devil

        Re: National Security Letters

        Ok for Apple. Not for Google, Microsoft.

  23. Voidstorm
    Big Brother

    I have to ask this ...

    ... Which governments, in practice, *haven't* NSO sold to, and

    Of those not sold to, did they all have something better at can opening of their own already?

    Don't think the tinfoil Faraday Cage is gonna work on this one, Jack (Ryan)

    ;) 8)

  24. Anonymous Coward
    Anonymous Coward

    https://www.mintpressnews.com/meet-toka-the-most-dangerous-israeli-spyware-firm-youve-never-heard-of/278020/
