I contacted Amazon to report an advertiser out of Tel Aviv that was using JavaScript hosted on CloudFront to fingerprint users' devices. If an Android device was detected, a fake media player or fake CAPTCHA would trick users into accepting push notifications for fake virus warnings that pushed questionable apps from the Play Store.
This script also pushed ads for a fake AdBlock app that was a dropper for banking trojan apps.
In the meantime, Google and Amazon simply ignore all complaints about spam originating from their networks.
In the olden days of the internet, ISPs that ignored abuse complaints would be blocked by their peers. Now that Gmail and AWS are too big to block, they act with impunity.
It doesn't really matter how difficult it is. What this demonstrates is that AWS is not a public utility and will be swayed by mob rule to take down companies that are no longer "acceptable".
It feels like this is more a result of Amazon not being able to connect you with the right escalation path to verify & act on these claims than a considered decision to ignore them.
Does anyone here know what an individual reporter should do? Is there an escalation ramp that exists but was so poorly marked that neither sloshnmosh nor Amazon support was able to find it? Does the ramp go through other organizations (e.g. report to CERT or some other org first and come back with a case ID)? Does the ramp not exist and need to be built?
Doesn't CloudFront generally act like Cloudflare? I.e. "We don't inspect your content. Law enforcement are the only people who can stop us hosting a site."
Those two things are actually the same thing, both are wilfully ignoring situations like this.
I’ve had government agencies claim it’s not a refusal/rejection if they refuse at the moment and claim you might (with no guarantee) have success if you try later.
More importantly, they are the ones that decide what laws are enforced.
What is sad is that in America, the law around surveillance and security is largely a nice marketing campaign. Sure, you have rights that protect you from the government.
But practically speaking the government won't enforce them, doesn't stop its employees from abusing them even for personal drama, undermines or stops dead any lawsuits by saying the discovery is impossible due to "national security", or will invent terms like "enemy combatant" and then apply them to its own citizens to bypass even the Constitution. It will set up "oversight courts" that rubber-stamp everything and have no real power or regulatory function/safeguard.
The result of this is that each presidential election is becoming truly dangerous to the opposition. If a McCarthyism movement takes over either party that's in power with the modern surveillance infrastructure, legal "precedents" established by Bush in the war on terror, the confirmation of those powers by the Obama administration holding onto them and continuing funding of infrastructure, undermining of judicial powers, rote acceptance by the people at large, and propaganda outlets available to push messaging, and huge amounts of institutional mores and standards thrown out in the Trump administration, the opposition has real motivation to feel an existential threat.
Their biggest customers are Middle Eastern governments according to the WaPo article. The US certainly has bought the software, but it's mostly Saudi, UAE, Qatar, etc. The US has the NSA, so they don't really need some software. Middle Eastern powers don't have the same type of technical expertise to develop their own in-house.
Anyone notice that this statement from NSO in the article doesn't make sense:
"NSO does not operate its technology, does not collect, nor possesses, nor has any access to any kind of data of its customers."
If this is true, how do we have a singular list of all phone numbers penetrated? If there was this type of "segmentation" or firewall between NSO and its clients, why was there this huge central data leak?
NSO is tracking what its clients are doing. It may not be telling its clients it is also tracking them. I wouldn't be surprised if NSO could also access every one of those penetrated devices as well independently of its clients.
They are trying to claim that the service is so fully automated that it is the client that does the selection of the target. They claim that their system does not require any fine-tuning from their side, etc.
“It should be noted that no ethically-trained software engineer would ever consent to write a DestroyBaghdad procedure. Basic professional ethics would instead require him to write a DestroyCity procedure, to which Baghdad could be given as a parameter.”
- Nathaniel Borenstein
It could mean that NSO controls the infrastructure that manages the tool, but that they don't actually collect the data themselves. So what they said could technically be true if all they do is manage the infrastructure that enables their clients to do the collection of data.
But do they have access to the phone numbers that their customers are targeting? That seems by itself to contradict their statement ("nor has any access to any kind of data of its customers") right there.
Thank you. I was trying to understand this myself.
NSO seems to be trying to distance themselves from how its software is used by its "clients," but that seems undercut by the plausible supposition that NSO knows exactly who its clients' targets are.
> The Amnesty report said NSO is also using services from other companies such as Digital Ocean, OVH, and Linode ...
We've been using Digital Ocean for a few years now (sqlitebrowser.org), and they've been really good. Hopefully they look into this and take some useful action. :)
I have to say I'm not surprised that NSO and similar entities are using any CDN/large-scale hosting company they can find. The bigger the better, and spreading their stuff around as widely as possible with as much obfuscation in server purpose as possible. Such things are impossible or problematic to block/null-route without breaking many other things hosted at same AS.
I see you 'helped build' Digital Ocean, so I can understand your personal reasoning, but really - it's not at all important to anyone else.
Also, wasn't that a bit of a fad back in the late 90s early 00s? I know my wee business followed the path of concatenating words for brand ...something... , but I honestly couldn't care less how other people deploy it in their own space, as long as they remember the name.
My pet peeve is publications spelling NASA as Nasa. They've come up with some story to explain their decision that sounds just as bad as some of the lies Walter White told. I don't care how ubiquitous NASA maybe, it is and always will be an acronym. I accept removing the dots so it's not N.A.S.A., but I will only accept Nasa as a formal name if that's the name of a person.
Ironically, I'm the same way with "PostgreSQL". There used to be _so_ many weird mis-spellings of it. eg "postGreSQL" seemed to be popular for some unknown reason
There is another point of view, and that is that corporate marketing should not take precedence over correct use of language.
Some languages tend to be more strict about this. I think it's particularly common to see English play fast and loose with the language compared to other languages.
In Sweden, for example you will see media write Iphone, because it's a name, and names are capitalised.
The same goes for Digital Ocean, or Digitalocean if you prefer. It can definitely be argued fairly that the writer does not have to break language conventions just because a company says they have to.
If someone were to use NSO paid hacking to attack Apple executives' devices and then release everything they found, I bet Apple might take this more seriously instead of having some PR flack write marketing copy. Same is true of any tech company: until it hurts them specifically they can just ignore it or make it sound innocuous. Maybe Amazon has been targeted and they found out.
If someone were to use it against US government entities, maybe the NSA/CIA/etc might decide enough is enough, no matter what country they are in. So far at least publicly it seems like a non-event. But once the phone numbers are identified from that leaked list, things might become more serious for NSO.
People used to fight real wars against adversaries who targeted their country in some way, why should commercial entities supporting such attacks not be treated the same, except via non military action? Spying has always been done, but it can lead to serious consequences.
> If someone were to use NSO paid hacking to attack Apple executives' devices and then release everything they found, I bet Apple might take this more seriously instead of having some PR flack write marketing copy.
That's not why Apple is skittish about this. Any action from them would invite the question "What about China?". And Apple loves China('s money).
Take security a lot more seriously than they currently do. They've had some seriously embarrassing security holes in their software the last few years.
Also, they could increase the payout for their bug bounty. Why report to Apple for a 0-day when you can make $1 million from these guys? It's not like Apple doesn't have the cash.
Didn't Bloomberg ruin their tech reputation with the still-unproven (years later) and probably baseless claims of nano chips planted in the supply chain of Supermicro?
Frontline (PBS), in partnership with Forbidden Stories, is doing a report [1] on NSO hacking the phone of Khashoggi's fiancée and other journalists and activists around the world.
Looks like her phone was compromised by NSO based on the reporting on this video.
> De Becker then commissioned an examination of Bezos’s iPhone X. The eventual report by Anthony Ferrante, a longtime colleague of de Becker’s and the former director for cyber incident response for the U.S. National Security Council, concluded that the promotional video about broadband prices that MBS had sent Bezos the previous year likely contained a copy of Pegasus, a piece of nearly invisible malware created by an Israeli company called NSO Group. Once the program was activated, Ferrante found, the volume of data leaving Bezos’s smartphone increased by about 3,000 percent.
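To make the "3,000 percent" figure in that quote concrete: the following is an added example, not code from the Bloomberg article, the Ferrante report or anyone in this thread. It runs the kind of egress-volume check an examiner would run over per-day outbound byte counts for one handset. The day labels and byte counts are constructed for the example; the window size and the 1,000% alert threshold are assumptions. The baseline is a median over the preceding days, so a single spike day does not drag the baseline up and mask the following day.

```python
"""Flag days whose outbound traffic volume jumps far above a rolling baseline."""
from statistics import median

# Constructed sample: (day label, bytes sent by the handset that day).
# Seven quiet days, two days of heavy exfiltration, then back to normal.
SAMPLE_EGRESS = [
    ("d01", 40_000_000),
    ("d02", 45_000_000),
    ("d03", 38_000_000),
    ("d04", 50_000_000),
    ("d05", 42_000_000),
    ("d06", 47_000_000),
    ("d07", 41_000_000),
    ("d08", 1_300_000_000),   # spike
    ("d09", 1_250_000_000),   # spike continues
    ("d10", 44_000_000),
]


def pct_increase(current: int, base: int) -> float:
    """Percentage increase of `current` over `base` (100 means doubled)."""
    return (current - base) / base * 100


def multiplier_from_pct(pct: float) -> float:
    """A '3,000 percent increase' is 31x the baseline, not 30x."""
    return 1 + pct / 100


def flag_egress_spikes(records, window: int = 7, threshold_pct: float = 1000,
                       min_history: int = 3):
    """Return (day, rounded % increase) for days above `threshold_pct`.

    The baseline for a day is the median of up to `window` preceding days.
    A median is used (rather than a mean) so that one spike day does not
    inflate the baseline for the day after it. No verdict is produced until
    `min_history` days have been seen.
    """
    flagged = []
    history = []
    for day, out_bytes in records:
        if len(history) >= min_history:
            base = median(history[-window:])
            if base > 0:
                increase = pct_increase(out_bytes, base)
                if increase >= threshold_pct:
                    flagged.append((day, round(increase)))
        history.append(out_bytes)
    return flagged


if __name__ == "__main__":
    for day, pct in flag_egress_spikes(SAMPLE_EGRESS):
        print(f"{day}: +{pct}% over rolling median "
              f"({multiplier_from_pct(pct):.1f}x baseline)")
```

A percentage increase on its own says nothing about what left the device; it is a trigger for pulling the actual flow records for those days, not proof of compromise. Note that on the second spike day the median baseline is still around 45 MB because only one of the seven preceding days is abnormal, which is why both days are flagged.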
> The eventual report by Anthony Ferrante, a longtime colleague of de Becker’s and the former director for cyber incident response for the U.S. National Security Council, concluded that the promotional video about broadband prices that MBS had sent Bezos the previous year likely contained a copy of Pegasus, a piece of nearly invisible malware created by an Israeli company called NSO Group.
Key word in that sentence: "likely." AFAIK, nothing has been proven beyond rumor and conjecture, which isn't proof of anything at all.
Did they find the Pegasus or related code on the phone, or not? That is a yes or no answer. Likely?
I was thinking exactly the same thing. Given what we know about this hack (a WhatsApp or iMessage message essentially taking over his whole phone), this seems plausible.
It's not a contradiction. Whoever would have ordered NSO or similar actor to hack Bezos' phone is probably after more juicy info than a dick pic or at least wouldn't leak it for 'lulz' and thereby revealing that the phone is compromised somehow.
Amazon refused to do anything about it.
More info:
https://forum.xda-developers.com/t/massive-mobile-advertisin...
At a minimum we should demand transparency and accountability from all of these scale-enabling organizations.
No response is a response and in this kind of situation it is explicit "I will not do anything and I'm dishonest enough to not acknowledge that.".
Actually "refused" to do anything about it, or didn't respond to you?
I call it a “constructive refusal”.
Wonder if they are even helping to hack US government employees through China, etc. (besides just helping to torture dissidents).
If you look at the list of customers, it quickly becomes clear that they are the same organizations that make the laws.
Israel's unicameral, sovereign, supreme state body, the Knesset [1]?
[1] https://en.wikipedia.org/wiki/Knesset
And that's totally bullshit.
Quoted at https://blog.codinghorror.com/your-favorite-programming-quot...
Something isn't adding up.
Want to run a service with few problems? Here are the 6 companies you better run it through otherwise you can’t guarantee anything.
Everyone at my company loves your tool. Please keep up the great work!
As lokedhs alluded, it clearly breaks established typographic rules.
What are they supposed to do?
I guess the customer is always right up until the point the widow of your murdered employee goes to the press.
Bezos' phone probably wasn't hacked.
https://www.bloomberg.com/news/features/2021-05-05/how-jeff-...
[1] https://www.pbs.org/wgbh/frontline/article/how-nso-group-peg...