sloshnmosh · 4 years ago
I contacted Amazon to report an advertiser out of Tel Aviv that was using JavaScript hosted on CloudFront to fingerprint users' devices, and if an Android device was detected, a fake media player or fake CAPTCHA would trick users into accepting push notifications for fake virus warnings to install questionable apps from the Play Store.

This script also pushed ads for a fake AdBlock app that was a dropper for banking trojan apps.

Amazon refused to do anything about it.

More info:

https://forum.xda-developers.com/t/massive-mobile-advertisin...

TechBro8615 · 4 years ago
I wouldn’t be so quick to rush into a future where Amazon takedowns are as easy as YouTube DMCA requests.
DSingularity · 4 years ago
Yes! Let’s stay in a present where Israeli hackers-for-hire can help dictatorships capture and murder dissidents.

At a minimum we should demand transparency and accountability from all of these scale-enabling organizations.

dpifke · 4 years ago
In the meantime, Google and Amazon simply ignore all complaints about spam originating from their networks.

In the olden days of the internet, ISPs that ignored abuse complaints would be blocked by their peers. Now that Gmail and AWS are too big to block, they act with impunity.

giantg2 · 4 years ago
It doesn't really matter how difficult it is. What this demonstrates is that AWS is not a public utility and will be swayed by mob rule to take down companies that are no longer "acceptable".

kjaftaedi · 4 years ago
One would hope Amazon is capable of having reasonable terms of service and enforcing them without the need for government intervention.
jjoonathan · 4 years ago
It feels like this is more a result of Amazon not being able to connect you with the right escalation path to verify & act on these claims than a considered decision to ignore them.

Does anyone here know what an individual reporter should do? Is there an escalation ramp that exists but was so poorly marked that neither sloshnmosh nor Amazon support was able to find it? Does the ramp go through other organizations (e.g. report to CERT or some other org first and come back with a case ID)? Does the ramp not exist and need to be built?

londons_explore · 4 years ago
Doesn't CloudFront generally act like Cloudflare? I.e. "We don't inspect your content. Law enforcement are the only people who can stop us hosting a site."
adreamingsoul · 4 years ago
The AWS forums are going to be the best way to start a discussion with people who can escalate.
berto4 · 4 years ago
always a narrative/explanation...right on

bbarnett · 4 years ago
> It feels like this is more a result of Amazon not being able to connect you with the right escalation path to verify & act on these claims than a considered decision to ignore them.

Those two things are actually the same thing, both are wilfully ignoring situations like this.

ericbarrett · 4 years ago
Did they reply in the negative or just not respond?
achow · 4 years ago
How does it matter?

No response is a response, and in this kind of situation it is an explicit "I will not do anything and I'm dishonest enough to not acknowledge that."

squarefoot · 4 years ago
That NSO Group infrastructure was burned, the one you reported (still) isn't.
reaperducer · 4 years ago
> Amazon refused to do anything about it.

Actually "refused" to do anything about it, or didn't respond to you?

Scoundreller · 4 years ago
I’ve had government agencies claim it’s not a refusal/rejection if they refuse at the moment and claim you might (with no guarantee) have success if you try later.

I call it a “constructive refusal”.

zzleeper · 4 years ago
Perhaps NSO Group should be considered a terrorism-aiding organization. Freeze its assets, track all their employees, backers, etc.

Wonder if they are even helping to hack US government employees through China, etc. (besides just helping to torture dissidents).

bakuninsbart · 4 years ago
The Israeli government classified Pegasus, the software by NSO currently in the news, as a weapon, thus restricting its exports.

If you look at the list of customers, it quickly becomes clear that they are the same organizations that make the laws.

AtlasBarfed · 4 years ago
"same organizations that make the laws"

More importantly, they are the ones that decide what laws are enforced.

What is sad is that in America, the law around surveillance and security is largely a nice marketing campaign. Sure, you have rights that protect you from the government.

But practically speaking the government won't enforce them, doesn't stop its employees from abusing them even for personal drama, undermines or stops dead any lawsuits by saying the discovery is impossible due to "national security", or will invent terms like "enemy combatant" and then apply them to its own citizens to bypass even the constitution. It will setup "oversight courts" that rubberstamp everything and have no real power or regulatory function/safeguard.

The result of this is that each presidential election is becoming truly dangerous to the opposition. If a McCarthyism movement takes over either party that's in power with the modern surveillance infrastructure, legal "precedents" established by Bush in the war on terror, the confirmation of those powers by the Obama administration holding onto them and continuing funding of infrastructure, undermining of judicial powers, rote acceptance by the people at large, and propaganda outlets available to push messaging, and huge amounts of institutional mores and standards thrown out in the Trump administration, the opposition has real motivation to feel an existential threat.

sorokod · 4 years ago
From a radio interview with an NSO spokesman (an ex-spokesman for the IDF), all sales require Israeli MoD approval.
JumpCrisscross · 4 years ago
> If you look at the list of customers, it quickly becomes clear that they are the same organizations that make the laws

Israel's unicameral, sovereign, supreme state body, the Knesset [1]?

[1] https://en.wikipedia.org/wiki/Knesset

ashtonkem · 4 years ago
“State backed terrorist group” is a classification that exists, although it’s highly unlikely to be used here for obvious reasons.
ehsankia · 4 years ago
I mean, Saudi Arabia literally murdered an American journalist and hacked the cellphone of an American businessman, yet they're still allies. So....
flyinglizard · 4 years ago
The biggest customers for these companies are Western governments. You’re not going to take away their toys.
igorzx31 · 4 years ago
Their biggest customers are Middle Eastern governments according to the WaPo article. The US certainly has bought the software, but it's mostly Saudi, UAE, Qatar, etc. The US has the NSA, so they don't really need some software. Middle Eastern powers don't have the same type of technical expertise to develop their own in-house.
input_sh · 4 years ago
Western governments mostly make their own. Others with fewer resources buy off-the-shelf products.

esens · 4 years ago
Anyone notice that this statement from NSO in the article doesn't make sense:

"NSO does not operate its technology, does not collect, nor possesses, nor has any access to any kind of data of its customers."

If this is true, how do we have a singular list of all phone numbers penetrated? If there was this type of "segmentation" or firewall between NSO and its clients, why was there this huge central data leak?

NSO is tracking what its clients are doing. It may not be telling its clients it is also tracking them. I wouldn't be surprised if NSO could also access every one of those penetrated devices as well independently of its clients.

aritmo · 4 years ago
They are trying to claim that the service is so fully automated that it is the client that does the selection of the target. They claim that their system does not require any fine-tuning from their side, etc.

And that's totally bullshit.

physicles · 4 years ago
“It should be noted that no ethically-trained software engineer would ever consent to write a DestroyBaghdad procedure. Basic professional ethics would instead require him to write a DestroyCity procedure, to which Baghdad could be given as a parameter.” - Nathaniel Borenstein

Quoted at https://blog.codinghorror.com/your-favorite-programming-quot...

prox · 4 years ago
So the good old plausible deniability?
hn8788 · 4 years ago
It could mean that NSO controls the infrastructure that manages the tool, but that they don't actually collect the data themselves. So what they said could technically be true if all they do is manage the infrastructure that enables their clients to do the collection of data.
esens · 4 years ago
But do they have access to the phone numbers that their customers are targeting? That seems by itself to contradict their statement ("nor has any access to any kind of data of its customers") right there.

Something isn't adding up.

srswtf123 · 4 years ago
Seems more likely they’re lying.
breakingcups · 4 years ago
How does that clear with "NSO does not operate its technology" though?
ruggeri · 4 years ago
Thank you. I was trying to understand this myself.

NSO seems to be trying to distance themselves from how its software is used by its "clients," but that seems undercut by the plausible supposition that NSO knows exactly who its clients' targets are.

justinclift · 4 years ago
Ouch.

> The Amnesty report said NSO is also using services from other companies such as Digital Ocean, OVH, and Linode ...

We've been using Digital Ocean for a few years now (sqlitebrowser.org), and they've been really good. Hopefully they look into this and take some useful action. :)

walrus01 · 4 years ago
I have to say I'm not surprised that NSO and similar entities are using any CDN/large-scale hosting company they can find. The bigger the better, and spreading their stuff around as widely as possible with as much obfuscation of server purpose as possible. Such things are impossible or problematic to block/null-route without breaking many other things hosted at the same AS.
Scoundreller · 4 years ago
Which is a sad state of affairs.

Want to run a service with few problems? Here are the 6 companies you better run it through otherwise you can’t guarantee anything.

bob1029 · 4 years ago
> sqlitebrowser.org

Everyone at my company loves your tool. Please keep up the great work!

justinclift · 4 years ago
Awesome, thanks. :)
wila · 4 years ago
Thanks for working on sqlitebrowser!
justinclift · 4 years ago
You're welcome. :)

TravelPiglet · 4 years ago
Purged my account at DO now. Sad that companies like DO care more about money than a free society.
justinclift · 4 years ago
Hmmm, maybe give them a chance to look into it first?
neom · 4 years ago
It's "DigitalOcean" - sorry to be pedantic, it drives me absolutely nuts when people put a space between, especially publications.
Bayart · 4 years ago
Allow me some pedantry as well: if people consistently make the same mistake with the name of a product, is the problem with the people or the name?

As lokedhs alluded to, it clearly breaks established typographic rules.

detritus · 4 years ago
I see you 'helped build' Digital Ocean, so I can understand your personal reasoning, but really - it's not at all important to anyone else.

Also, wasn't that a bit of a fad back in the late 90s early 00s? I know my wee business followed the path of concatenating words for brand ...something... , but I honestly couldn't care less how other people deploy it in their own space, as long as they remember the name.

dylan604 · 4 years ago
My pet peeve is publications spelling NASA as Nasa. They've come up with some story to explain their decision that sounds just as bad as some of the lies Walter White told. I don't care how ubiquitous NASA may be, it is and always will be an acronym. I accept removing the dots so it's not N.A.S.A., but I will only accept Nasa as a formal name if that's the name of a person.
justinclift · 4 years ago
Oh, didn't realise. Sorry about that.

Ironically, I'm the same way with "PostgreSQL". There used to be _so_ many weird misspellings of it, e.g. "postGreSQL" seemed to be popular for some unknown reason.

lokedhs · 4 years ago
There is another point of view, and that is that corporate marketing should not take precedence over correct use of language.

Some languages tend to be more strict about this. I think it's particularly common to see English play fast and loose with the language compared to other languages.

In Sweden, for example, you will see media write Iphone, because it's a name, and names are capitalised.

The same goes for Digital Ocean, or Digitalocean if you prefer. It can definitely be argued fairly that the writer does not have to break language conventions just because a company says they have to.

LoveLeadAcid · 4 years ago
I call it an iPad and an iPhone, not iPad and iPhone like Apple wants me to.
syspec · 4 years ago
Careful of the Streisand effect.
coldcode · 4 years ago
If someone were to use NSO paid hacking to attack Apple executives' devices and then release everything they found, I bet Apple might take this more seriously instead of having some PR flack write marketing copy. The same is true of any tech company: until it hurts them specifically they can just ignore it or make it sound innocuous. Maybe Amazon has been targeted and they found out.

If someone were to use it against US government entities, maybe the NSA/CIA/etc might decide enough is enough, no matter what country they are in. So far at least publicly it seems like a non-event. But once the phone numbers are identified from that leaked list, things might become more serious for NSO.

People used to fight real wars against adversaries who targeted their country in some way, why should commercial entities supporting such attacks not be treated the same, except via non military action? Spying has always been done, but it can lead to serious consequences.

fjtktkgnfnr · 4 years ago
> If someone were to use NSO paid hacking to attack Apple executives' devices and then release everything they found, I bet Apple might take this more seriously instead of having some PR flack write marketing copy.

That's not why Apple is skittish about this. Any action from them would invite the question "What about China?". And Apple loves China('s money).

JumpCrisscross · 4 years ago
> Apple might take this more seriously instead of having some PR flack write marketing copy

What are they supposed to do?

kilroy123 · 4 years ago
Take security a lot more seriously than they currently do. They've had some seriously embarrassing security holes in their software the last few years.

Also, they could increase the payout for their bug bounty. Why report to Apple for a 0-day when you can make $1 million from these guys? It's not like Apple doesn't have the cash.

CTDOCodebases · 4 years ago
WTF? Wasn’t it NSO that hacked Bezos’s and Khashoggi’s phones?

I guess the customer is always right up until the point the widow of your murdered employee goes to the press.

polar · 4 years ago
> Bezos

Bezos' phone probably wasn't hacked.

https://www.bloomberg.com/news/features/2021-05-05/how-jeff-...

sofixa · 4 years ago
Didn't Bloomberg ruin their tech reputation with the still-unproven (years later) and probably baseless claims of nano chips planted in the supply chain of Supermicro?

salimmadjd · 4 years ago
Frontline (PBS), in partnership with Forbidden Stories, is doing a report [1] on NSO hacking the phone of Khashoggi’s fiancée and other journalists and activists around the world. Looks like her phone was compromised by NSO based on the reporting in this video.

[1] https://www.pbs.org/wgbh/frontline/article/how-nso-group-peg...

bluetwo · 4 years ago
Wonder if NSO was involved in that leak of Bezos's phone data a while back.
kaonwarb · 4 years ago
From Amazon Unbound, p.344:

> De Becker then commissioned an examination of Bezos’s iPhone X. The eventual report by Anthony Ferrante, a longtime colleague of de Becker’s and the former director for cyber incident response for the U.S. National Security Council, concluded that the promotional video about broadband prices that MBS had sent Bezos the previous year likely contained a copy of Pegasus, a piece of nearly invisible malware created by an Israeli company called NSO Group. Once the program was activated, Ferrante found, the volume of data leaving Bezos’s smartphone increased by about 3,000 percent.

cronix · 4 years ago
> The eventual report by Anthony Ferrante, a longtime colleague of de Becker’s and the former director for cyber incident response for the U.S. National Security Council, concluded that the promotional video about broadband prices that MBS had sent Bezos the previous year likely contained a copy of Pegasus, a piece of nearly invisible malware created by an Israeli company called NSO Group.

Key word in that sentence: "likely." AFAIK, nothing has been proven beyond rumor and conjecture, which isn't proof of anything at all.

Did they find the Pegasus or related code on the phone, or not? That is a yes or no answer. Likely?

whymauri · 4 years ago
Jesus Christ, this software really is a weapon.
tnolet · 4 years ago
I was thinking exactly the same thing. Given what we know about this hack — a WhatsApp or iMessage essentially taking over his whole phone — this seems plausible.
tptacek · 4 years ago
Wasn't there recently a whole huge story about how it turned out to be his girlfriend's brother?
largbae · 4 years ago
I'd like a link if so, I have been interested in why that story isn't more important, given the attention other state-sponsored hacks have received...
Leparamour · 4 years ago
It's not a contradiction. Whoever would have ordered NSO or a similar actor to hack Bezos' phone is probably after more juicy info than a dick pic, or at least wouldn't leak it for 'lulz' and thereby reveal that the phone is compromised somehow.
sva_ · 4 years ago
I thought about the same. Perhaps an "order from the top."