US Supremes deny Pegasus spyware maker's immunity claim

The US Supreme Court has quashed spyware maker NSO Group's argument that it cannot be held legally responsible for using WhatsApp technology to deploy its Pegasus snoop-ware on users' phones. Facebook and its WhatsApp subsidiary sued the notorious Israel-based software company in 2019, alleging that NSO exploited a zero-day …

  1. IGotOut Silver badge

    PR bullshit overload

    "We are confident that the court will determine that the use of Pegasus by its customers was legal."

    So confident in fact, we tried to claim immunity from prosecution first.

    Hope they all end up on the unemployment scrapheap, left to rot in their own shit.

    1. localzuk Silver badge

      Re: PR bullshit overload

      It's nonsense as Meta isn't suing the customers. They're suing NSO for their behaviour illegally using Meta's technology to facilitate the behaviour of their customers (which itself may be covered by immunity).

      The NSO Pegasus system is a direct threat to Meta as far as I can see. Journalists now know that WhatsApp was used by the system to target them, so journalists will stop using it - damaging Meta.

      Seems like a fairly straightforward case to me! NSO trying to obfuscate their way out of it as they know Meta has them bang to rights.

  2. ecofeco Silver badge

    "We do what we want to"

    Heard from every U.S. corporation.

  3. veti Silver badge

    Hey, look over there

    It does seem eccentric to pick NSO as the scapegoat in this case.

    Individuals who have been bugged should be going after the people who bugged them, or (if they can't identify them) the service providers with whom they have a relationship, who failed to exercise reasonable diligence to protect them.

    Meta should be fixing its security and learning from the experience. But their defence against lawsuits from their users can only be "We did everything reasonably possible, we can't be held responsible for this". If they can honestly make that case, they should be in the clear; if not, they should be on the hook. But either way, suing NSO is nothing but a diversion.

    Of course, as a conveniently foreign company, they are ideally suited to the scapegoat role in some important ways... C.f. HSBC, BP, Cambridge Analytica, Volkswagen...

    1. doublelayer Silver badge

      Re: Hey, look over there

      If Facebook avoided having a zero-day in the first place, that would be ideal. That doesn't stop the fact that there will be security vulnerabilities in any large system and that exploiting those is a crime. NSO built the exploits and launched them, so they share culpability with the people who used the access they paid for. Blaming the criminal isn't misdirection. An affected user can also choose to sue Facebook for this, but on allegations of negligence which may or may not get past the jury. Whether such a claim works or not, NSO is still culpable.

    2. iain666

      Re: Hey, look over there

      NSO aren't a scapegoat. They're a publisher of malware who deserve everything they get. Yeah, it'd be nice to see the people who deployed it get collared too. If Meta could be held liable for zero day exploits of their software that would be a bit scary and essentially kill software development. Also many other things. Selling wooden furniture that you know could be set on fire by a malicious actor? If Meta are legally culpable for vulnerabilities they didn't know existed then how much more culpable are companies who sell boats while fully aware that they can be sunk if people put holes in the hull?

      None of that excuses NSO.

      1. big_D Silver badge

        Re: Hey, look over there

        Yes and no.

        Software used to be of a much higher quality, because you had to get it as right as possible, before issuing it, because, once it was out, it was difficult to update. No software is ever perfect, but we used to spend months testing new software, before it was released and we would get relatively few bug reports as a result, not zero, but fewer big bugs than we see today.

        The problem is, testing is too expensive and too time consuming, so testing teams have been minimised, or scrapped altogether, and, because updates can be pushed out the door at a moment's notice, it doesn't matter if there are still big bugs affecting the users, they can be patched on the fly. This has led to a much more laissez-faire attitude in many companies. The scandals, like Pegasus and the increasing crypto malware waves have pushed more light on the slip-shod attitude to security, or quality, but most EULAs indemnify the software producer from culpability.

        1. MiguelC Silver badge

          Re: "most EULAs indemnify the software producer from culpability"

          did you mean "exempt"?

          I've never heard of software producer being paid for having bugs on their SW - at least not publicly ;)

          1. big_D Silver badge

            Re: "most EULAs indemnify the software producer from culpability"

            Yes, exempt.

        2. DJV Silver badge
          Happy

          Re: Hey, look over there

          Maybe they should pay coders a bonus for every bug they fix - what could possibly go wrong?

          https://dilbert.com/strip/1995-11-13

        3. localzuk Silver badge

          Re: Hey, look over there

          Software, way back when you're referring to it being "higher quality", was also much, much simpler. Windows NT had about 5 million lines of code. Windows 10 is up around 50 million from what I've read.

          So, I would suggest claims that older code was higher quality should be taken with a shovel full of salt.

          1. big_D Silver badge

            Re: Hey, look over there

            Yes, but they also had lots of support staff and testers, ensuring the code was ready, before it was pushed out the door. Today it is often push it out the door and see what problems the customers have and we'll fix them.

            Just look at the Windows printer driver bugs (2021?) it took them around 8 months of patching patches to finally get it right, each patch they pushed out was proven to not be a fix, and often to have made the problem worse, within hours of its release.

  4. Anonymous Coward

    Recommendation to the El Reg readership.....

    There are three ways of avoiding snooping by users of NSO software (all of these options apply):

    (1) Build a burner (that way they won't actually know who you are)

    (2) Keep your burner switched off except when you are in a VERY public place (say Trafalgar Square)

    (3) Don't own a mobile at all

    The main problem with items #1 and #2 is that the NSO snoops can track the folk out there WHO MAKE CONTACT WITH YOUR BURNER!

    So:

    (4) Make sure all your contacts are also doing items #1 and #2.

    .....item #4 is very hard, don't you think? How about item #3?

  5. Bebu Silver badge

    (1) Build a burner...

    And don't get caught :)

    https://nakedsecurity.sophos.com/2018/03/19/modified-blackberrys-sold-to-drug-dealers-five-indicted/

    These modified devices must have been pretty decent for TPTB to go after them.

    I imagine a 4G LTE module/Hat and a RPi could build a reasonable end-to-end encrypted peer-to-peer voice app using a wireguard rendezvous like Tailscale's service.

    1. Anonymous Coward

      Re: (1) Build a burner...

      @Bebu

      From the article at sophos.com:

      Quote: "...a Phantom Secure device whose hardware and software had been modified..."

      Quote: "...charged with allegedly helping illegal organizations..."

      Dear Bebu:

      You are trying (and failing) to use a perverse definition of "burner" -- and in the process implying that setting up and operating a "burner" in the UK might be illegal.

      In fact the following procedure is perfectly legal:

      (1) Buy an unlocked mobile phone

      (2) Go to the convenience store and buy a SIM and some pay-as-you-go (PAYG) minutes for cash

      (3) Find a quiet place (not your domicile) and install the SIM

      (4) Install the PAYGO minutes

      There you have it.....a perfectly legal "burner" with no registered owner.

  6. Potemkine! Silver badge
    Flame

    Pegasus, of course, is the now-infamous malware that NSO claims is only sold to legitimate government agencies — not private companies or individuals — and can only be used "for the purpose of preventing and investigating terrorism and other serious crimes,"

    Because government agencies are not involved in terrorism and other serious crimes.

    And pigs fly too.

    NSO is an accomplice of every crime committed by its customers thanks to its products.

    1. Furious Reg reader John
      WTF?

      NSO is an accomplice of every crime committed by its customers

      Are we heading to a place where every manufacturer of a product that is misused by a customer can be sued? Every firearm manufacturer, every auto manufacturer, every cutlery manufacturer, every glass or ceramic manufacturer, every petrochemical manufacturer, etc, etc.

      1. big_D Silver badge

        Re: NSO is an accomplice of every crime committed by its customers

        Those other things you listed have a legitimate purpose, but can be misused.

        Pegasus is illegally exploiting bugs in other companies' products to infiltrate unsuspecting users' devices. They also claim that they only sell the products to governments who are using it only for tracking terrorists, yet it is abundantly clear, that they are selling it to shady people and governments and allowing it to be misused.

        A car manufacturer sells the car to a dealer, the dealer sells it to a member of the public with a driving license. If the driver then causes an accident or goes on a rampage, there isn't much the car manufacturer can do. In NSO's case, they have knowingly sold access to the software to a dodgy regime and provided a portal, where they can request a device be infiltrated, without the requirement that they be provided with a valid court order from a reputable court.

        They are working in a grey zone to begin with and they haven't even stuck to their own rules, by the sounds of the case and the people who have had their devices infiltrated. Last time I looked, the French President wasn't a terrorist suspect, for example!

        1. Furious Reg reader John

          Re: NSO is an accomplice of every crime committed by its customers

          https://www.law.cornell.edu/wex/wiretapping - this seems to indicate that there is a legal and legitimate purpose for the Pegasus system.

          So applying the same standard you want to apply to NSO, any manufacturer whose products are sold to any dodgy regime can be sued in the USA for any misuse of that product? I wonder who is selling rope to Iran, because they better get ready for legal action.

          1. big_D Silver badge

            Re: NSO is an accomplice of every crime committed by its customers

            There are already international laws and sanctions against the sales of weapons to some countries and manufacturers or dealers caught selling such technology face prosecution. This is no different, they are not supposed to sell to some regimes and to those that they do sell to, they should only be doing it with valid court orders and they state that they only infect terrorists' devices, which they obviously haven't been doing.

            Also, AFAIK, they don't sell the product, they sell the service. The "customer" doesn't get the Pegasus "application" and can infect devices with it, they get access to a portal, where they can request a device be infected & then they have access to the data on the infected device.

            That is very different to an arms manufacturer, who sells arms to a dealer, who sells to a dealer, who sells to someone, who then illegally smuggles them to a banned country... They have their hands in the deal from start to finish.

          2. localzuk Silver badge

            Re: NSO is an accomplice of every crime committed by its customers

            Whether there is a legal purpose for the tool is actually irrelevant to this issue.

            The issue is that Meta makes a tool which says it can be used in a certain way. NSO have abused that tool and are using it against Meta's wishes. They are materially damaging Meta by doing so (as users will be discouraged from using Meta's system as it is perceived as breached by NSO's customers).

            Meta get to say how their own software is used. The only people who can override this are governments. NSO is not a government. Their customers may be - and if a government made a tool doing these things, authorised by their laws, then Meta would have no case. But NSO aren't.

            1. Furious Reg reader John

              Re: NSO is an accomplice of every crime committed by its customers

              Yes, in the legal case the article is about, Meta aren't suing NSO because the Pegasus tool may or may not be legal to use by law enforcement agencies.

              However, the notion that NSO are guilty of the crimes that the users of the Pegasus may have committed was put forward, and it was on that point that I commented. If NSO are guilty of its clients' actions, looking at one high profile case for example, why aren't the makers of the saw that was used to dismember Khashoggi also as guilty as the KSA/NSO, or the building contractors who built the KSA embassy where he was killed. Without either of these elements, Khashoggi couldn't have been killed at the embassy and his body disposed of, regardless of if the Saudis knew in advance he was coming to the embassy.

              I understand where the vitriol against NSO is coming from, but that vitriol is tarnishing people's thought process. Why are NSO blamed for the actions of its clients when those clients misuse the tool, but the other components in any misuse ignored?

              And as for the idiotic comparison made with bullets that when fired can only target children - no, it's like normal bullets. There may be a valid case for having regular, non child-targeting, bullets, there may be a valid case for shooting a child, but if there isn't, then it is not the fault of the legally authorised bullet manufacturer if someone shoots a child.

              1. localzuk Silver badge

                Re: NSO is an accomplice of every crime committed by its customers

                I think the issue is one of intent, in the legal, mens rea, sense. NSO have built a tool specifically designed to hack into people's devices and spy on them, and with that they know full well it is likely to be abused. In most people's minds, this is problematic.

                From my POV, claims that they only let governments use it don't really provide a decent cover for the potential for it being used illegally or immorally. After all, governments regularly tread on their citizens' rights.

                So, the "intent" of the tool is, from the start, problematic.

                1. Furious Reg reader John

                  Re: NSO is an accomplice of every crime committed by its customers

                  So much outrage in this thread.

                  Not so much here - https://forums.theregister.com/forum/all/2023/01/10/apple_wiretap_lawsuit/

                  The first affects a tiny number of people, the other millions, but you can't blame NSO for the second one, so yawn...

                  NSO derangement syndrome

      2. heyrick Silver badge

        Re: NSO is an accomplice of every crime committed by its customers

        "every manufacturer of a product that is misused by a customer can be sued?"

        If somebody paid for a bag of bullets, and these bullets had some sort of ability that, when fired, would aim at children...

        ...who do you think should be responsible? The gun manufacturer or the people that created the bullets?

        It's a situation a bit like that - a company abusing an issue in a well known and used application in order to put malware and tracking stuff onto the phones of certain people.

        But, then, the fact that their first argument was to claim immunity should tell you all you need to know about them.

      3. Anonymous Coward

        Re: NSO is an accomplice of every crime committed by its customers

        Auto manufacturers, glass or ceramic manufacturers, petrochemical manufacturers, etc? No, clearly not. The primary use and intent of the product is entirely legal and reasonable. Rifle manufacturers? As they could reasonably argue that they're designed for hunting (except for 30-round magazines, bump stocks, etc.), they shouldn't be liable for crimes committed by customers. Pistol manufacturers might have a harder time arguing this; the one and only purpose of a pistol is to shoot at humans. As many people get them for self-defense, that's a position that can be argued either way.

        NSO, however, produces a product specifically designed to perform activities that are illegal in a lot of countries and is intended to be harmful to the people it's used against. They supposedly sell only to governments, but have a long history of their product being used illegally and immorally. It's more like selling grenades; they have a very strong responsibility to sell only to carefully-vetted customers. Add the fact that they don't sell the product, but instead sell the service - they should be checking who owns the device before they hack it for someone else.

        1. Furious Reg reader John

          Re: NSO is an accomplice of every crime committed by its customers

          Pegasus is not harmful. The information that it gathers could be used to harm someone, but Pegasus as a system can't do that harm. It can't make a phone explode or aim a gun and pull the trigger.

          Owning a gun is illegal in many countries, but I don't see why that would have any bearing on gun manufacturers, gun shops or owners in countries where it is legal. All because wiretapping is illegal in country Y doesn't mean that a firm in country I can't make a wiretapping system, especially if it is used by country X where wiretapping is legal.

          1. doublelayer Silver badge

            Re: NSO is an accomplice of every crime committed by its customers

            "Pegasus is not harmful."

            Yes, it is. Harmful doesn't just mean physical harm, and attacking someone's devices to steal their data is causing them harm. That's why it's a crime almost everywhere. If you don't think it's harmful, then would you be happy to give me total access to all your devices as long as I didn't use any data I took to cause physical injury to you? Seriously, nobody will come hurt you from it. I might take all your money and make public information you didn't want others to know. This would still be harming you.

            "Owning a gun is illegal in many countries, but I don't see why that would have any bearing on gun manufacturers, gun shops or owners in countries where it is legal."

            It doesn't, but if those gun shops sell across the border into a country where it is illegal, that country can press charges.

            "All because wiretapping is illegal in country Y doesn't mean that a firm in country I can't make a wiretapping system, especially if it is used by country X where wiretapping is legal."

            Wrong. If the thing is illegal in country Y then building it in country Y is a crime. In this specific case, there is also no country X, as wiretapping is illegal in the countries against which it has been used.
