sweeter · a year ago
Darknet Diaries did a few podcast episodes on the NSO group from the perspective of people who have directly interacted with or have been the target and it really puts it into perspective how horrific they are. They operate under the protection of the US and are directly allowed to spy on US citizens without any recourse whatsoever.

One particularly grotesque case was the illegal wiretapping of Bensouda after launching a criminal probe into Israeli war crimes, which they used to threaten the prosecutor and to hide evidence that they knew was under scrutiny, or to take the cases to court just to drop them so they can tell the ICC that they did make an attempt to prosecute, which is a loophole that disallows the ICC from taking up those cases.

I'm certain many countries do this stuff, as well as operate botnets and threaten journalists... but the uniqueness here is that these intel groups located in Israel operate under complete protection of the US without any scrutiny or oversight alongside the US government. We are living in this dystopian universe that people have warned about, for decades at this point.

tptacek · a year ago
The US hosts and protects firms that are better at this than NSO, and not just because they're smart enough not to be in the news.
WatchDog · a year ago
Do these firms target US citizens without a US warrant?
stavros · a year ago
Why was this dead? If anything, Thomas' reputation here should at least entitle him to being heard.
hammock · a year ago
Who are you talking about?
bawolff · a year ago
> or take the cases to court just to drop it so they can tell the ICC that they did make an attempt to prosecute, which is a loophole that disallows the ICC to take up those cases.

As an aside, it should be noted that this wouldn't be sufficient to trigger complementarity at the ICC if it's obvious the investigation was not in good faith. The ICC can ignore any domestic investigation it believes was not a serious attempt to investigate.

Like it'd be a pretty silly court if you could get out of everything by running your own sham investigation.

bbqfog · a year ago
I refuse to use Israeli tech in my stack if at all possible. I don't see how someone could use software like Snyk and not put themselves at risk (founders are ex-IDF Unit 8200). Especially in the area of security, it seems like using Israeli tech is inviting the wolf straight into the hen house. No thanks.
aprilthird2021 · a year ago
I didn't know this about Snyk. Taking them out of my tools and unregistering myself immediately. Thanks!
neerajsi · a year ago
Yes, I think the pager attack is also an interesting case study. It's one thing to execute a supply chain compromise for information gathering, where the target may never know what happened. On the other hand, flaunting your abilities in that area will just lead you to being cut out of supply chains.


FpUser · a year ago
Treating NSO owners / decision makers the same way as Gary McKinnon would be more appropriate. But I guess they are more "equal".
kdbg · a year ago
I'm not a lawyer, so maybe I'm misunderstanding something, but the plaintiff is WhatsApp, not the journalists. This isn't really about holding NSO Group accountable for hacking journalists at all.

The fact journalists were compromised seems only incidental; the ruling is about whether or not NSO Group "exceeded authorization" on WhatsApp by sending the Pegasus installation vector through WhatsApp to the victims, and not whether they were unauthorized in accessing the victims. It's a bit of a subtle nuance, but I think it's important.

Quoting the judgement itself:

> The court reasoned that, because all Whatsapp users are authorized to send messages, defendants did not act without authorization by sending their messages, even though the messages contained spyware. Instead, the court held that the complaint’s allegations supported only an "exceeds authorization" theory.

> The nub of the fight here is semantic. Essentially, the issue is whether sending the Pegasus installation vector actually did exceed authorized access. Defendants argue that it passed through the Whatsapp servers just like any other message would, and that any information that was 'obtained' was obtained from the target users' devices (i.e., their cell phones), rather than from the Whatsapp servers themselves.

> [...removing more detailed defendant argument...]

> For their part, plaintiffs point to section (a)(2) itself, which imposes liability on whoever "accesses a computer" in excess of authorized access, and "thereby obtains information from any protected computer" pointing to the word "any"

> [...]

> As the parties clarified at the hearing, while the WIS does obtain information directly from the target users’ devices, it also obtains information about the target users' device via Whatsapp servers.

Adding a little more detail that comes from the prior dockets and isn't in the judgement directly: basically, NSO Group scripted up a fake WhatsApp client that could send messages the original application wouldn't be able to send. They used this fake client to send messages which provide information about the target users' device. In that the fake client is doing something the real client cannot do (and fake clients are prohibited by the terms), they exceeded authorization.

Think about that for a moment and what that can mean. I doubt I'm the only person here who has ever made an alternative client for something before. WhatsApp (that I recall) does not claim that the fake client abused any vulnerabilities to get information, just that it was a fake client and that was sufficient. Though I should note that there were some redacted parts in this area that could be relevant.

I dunno, I mean the CFAA is a pretty vague law that has had these very broad applications in the past, so I'm not actually surprised. I was just kinda hopeful to see that rolled back a bit after the Van Buren case a few years ago, when the Supreme Court had some minor pushback against the broad interpretations that allowed ToS violations to become CFAA violations.

Edit: Adding a link to the judgement for anyone interested: https://storage.courtlistener.com/recap/gov.uscourts.cand.35...

Edit2: And CourtListener if you want to read the other dockets that include the arguments from both sides (with redactions) https://www.courtlistener.com/docket/16395340/facebook-inc-v...

sangnoir · a year ago
> I doubt I'm the only person here who has ever made an alternative client for something before.

I've been on both sides of the issue by authoring unofficial clients, and battling abusive unofficial clients to services I run. The truth is, complete carte blanche for either side is untenable. 99.99% of well-behaved clients are tacitly ignored; I'm not against those that deliver malware, or bypass rate-limiting, having their day in court.

fc417fc802 · a year ago
Laws need to be clear about where the line is though. If circumventing rate limiting is illegal then that should be explicit, including the criteria used to determine that a service is in fact rate limited in such a legally binding manner. As it is, an API is available but somehow is not considered public (criteria unclear) and thus engaging with it in certain ways (criteria unclear) is out of bounds.

If we want using a service to perpetrate a crime to itself be an additional crime then that should be made explicit. In the (unlikely) event that NSO wasn't actually perpetrating any crimes against the end users then that fact is probably what needs to be fixed.

Spooky23 · a year ago
Given the nature of who the stakeholders are, the neatest way to achieve an end is to target authorization. It focuses on the how instead of the who or what.

This reduces embarrassment for stakeholders, protects sources and methods, and sends a message.

The law is as broad as can be. If it were a US National instead of NSO Group, some crazy calculation of damages would be used to extract a plea in lieu of a thousand months in prison.

ganoushoreilly · a year ago
The CFAA is definitely ripe for reform. It wouldn't be hard to argue it's broad and vague. There's definitely this overarching sweep of online behaviors that could easily be classified as benign.
8note · a year ago
I don't think users of WhatsApp would have standing against people hacking WhatsApp to get their data.

WhatsApp owns the systems, so it's up to WhatsApp to sue.

Spooky23 · a year ago
The thing of value isn’t in WhatsApp in this case.

You can’t sue a dude for stealing a screwdriver to break into your home with. Your tort is the act against you.

EMIRELADERO · a year ago
What?

So if someone robs a bank and empties my safety deposit box I can't sue them because it was the bank that had the money, not me?

madeofpalk · a year ago
> fake client to send some messages that the original application wouldn't be able to send which provide information about the target users' device

> I doubt I'm the only person here who has ever made an alternative client for something before

I think the distinction here for "exceeds authorisation" is pretty apparent. I don't read this judgement as being damning for people wanting to make their own clients.

They made a third party client for deliberately malicious purposes. If you go ahead and make a discord client with the intention of spamming or otherwise causing harm to its users, I think it's completely reasonable for you to get in trouble for that.

fc417fc802 · a year ago
> with the intention of spamming or otherwise causing harm to its users

That sounds hopelessly ambiguous to me. What if Google decides that making use of yt-dlp is causing harm to them? What are the criteria here?

We wanted email spam to be illegal and so it was explicitly made illegal. We wanted robocalling to be illegal and so it was explicitly made illegal. In such cases we have (reasonably) clear criteria for what is and is not permitted.

ilrwbwrkhv · a year ago
I thought WhatsApp and Signal share the same encryption.
mjg59 · a year ago
The encryption isn't alleged to have been compromised. The app itself deals with a lot of untrusted input (e.g., thumbnailing video files you've been sent), so there's a meaningful attack surface outside the protocol itself.
ruined · a year ago
Note for Signal users: in settings, you can disable link previews and automatic media download.
upofadown · a year ago
It was a buffer overflow in a VoIP stack:

* https://www.theverge.com/2019/5/14/18622744/whatsapp-spyware...

Interestingly enough, Signal (and others) had the same sort of vulnerability on Android from a WebRTC stack:

* https://googleprojectzero.blogspot.com/2020/08/exploiting-an...

The big issue in both cases is that the exploit was triggered before the user answered the call.

I think the moral here is that a secure messenger should not execute inherently insecure code (i.e. complex code) on behalf of entities that are not really well trusted by the user. The default should always be plain text.
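
The two points above, mjg59's (the attack surface is the untrusted input the app parses, not the encryption) and upofadown's (the overflow fired before the user answered, so the fix is to not run complex parsing for untrusted senders by default), as an added example that is not code from the thread or from any messenger. The packet layout, the `parse_offer_*` functions and the `should_process_rich_payload` gate are all constructed for this example and do not describe any real protocol or app:

```c
/*
 * Added example (not from the thread): a toy call-offer parser showing the
 * classic length-field bug behind "pre-answer" VoIP overflows, its hardened
 * form, and a policy gate that keeps complex parsing off the path for
 * untrusted senders until the user has answered.
 *
 * Constructed packet layout (an assumption of this example, not a real
 * protocol):
 *   byte 0   : message type (1 = call offer)
 *   byte 1   : declared length of the caller's display name
 *   byte 2.. : display-name bytes
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32

struct call_offer {
    char name[NAME_MAX];
    size_t name_len;
};

/* Vulnerable form: the declared length comes from the sender and is never
 * compared to the fixed buffer or to the bytes actually received. Kept here
 * only to show the defect; nothing in this example calls it. */
int parse_offer_unsafe(const uint8_t *pkt, size_t pkt_len, struct call_offer *out)
{
    if (pkt_len < 2 || pkt[0] != 1) return -1;
    uint8_t declared = pkt[1];
    memcpy(out->name, pkt + 2, declared); /* overflow if declared > NAME_MAX or > pkt_len - 2 */
    out->name_len = declared;
    return 0;
}

/* Hardened form: every length is validated before any copy.
 * Returns 0 on success, -1 on bad framing, -2 if the declared length would
 * overflow the buffer, -3 if it claims more bytes than were received. */
int parse_offer_safe(const uint8_t *pkt, size_t pkt_len, struct call_offer *out)
{
    if (pkt == NULL || out == NULL) return -1;
    if (pkt_len < 2 || pkt[0] != 1) return -1;
    size_t declared = pkt[1];
    if (declared > NAME_MAX) return -2;      /* would overflow out->name */
    if (declared > pkt_len - 2) return -3;   /* would read past the packet */
    memcpy(out->name, pkt + 2, declared);
    out->name_len = declared;
    return 0;
}

/* Policy gate (the "plain text by default" moral): rich fields that need
 * complex parsing are only handled once the sender is a known contact AND
 * the user has accepted the call; before that only the minimal framing above
 * is touched. */
bool should_process_rich_payload(bool sender_is_contact, bool call_answered)
{
    return sender_is_contact && call_answered;
}

/* Constructed malformed input: declares a 200-byte name, carries 3 bytes. */
int check_oversized_length(void)
{
    const uint8_t pkt[] = {1, 200, 'a', 'b', 'c'};
    struct call_offer o;
    return parse_offer_safe(pkt, sizeof pkt, &o);
}

/* Constructed malformed input: declares 10 bytes, carries 3. */
int check_truncated(void)
{
    const uint8_t pkt[] = {1, 10, 'a', 'b', 'c'};
    struct call_offer o;
    return parse_offer_safe(pkt, sizeof pkt, &o);
}

/* Constructed well-formed input: declares 5 bytes, carries "alice". */
int check_valid(void)
{
    const uint8_t pkt[] = {1, 5, 'a', 'l', 'i', 'c', 'e'};
    struct call_offer o;
    int rc = parse_offer_safe(pkt, sizeof pkt, &o);
    if (rc != 0) return rc;
    return (o.name_len == 5 && memcmp(o.name, "alice", 5) == 0) ? 0 : -99;
}

int main(void)
{
    printf("oversized length -> %d\n", check_oversized_length());
    printf("truncated packet -> %d\n", check_truncated());
    printf("valid packet     -> %d\n", check_valid());
    printf("unknown caller, unanswered -> process rich payload? %s\n",
           should_process_rich_payload(false, false) ? "yes" : "no");
    return 0;
}
```

The gate matters as much as the bounds checks: a correct parser still expands the attack surface if it runs for anyone who can dial the number, which is why the thread's advice to turn off link previews and auto-download reduces exposure regardless of whether any particular parser has a bug.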

xvector · a year ago
The other moral here is to stop using memory unsafe languages. It's just so incredibly dumb that we keep making excuses for this.
hulitu · a year ago
> I think the moral here is that a secure messenger should not execute inherently insecure code (i.e. complex code) on behalf of entities that are not really well trusted by the user. The default should always be plain text.

WhatsApp and co. are very happy to execute untrusted code: images displayed in messages, websites fetched and rendered. Basically a bad actor's wet dream.

3eb7988a1663 · a year ago
Was the spyware persistent? That is, would a reboot clear it? Not that it matters. Presumably, the attackers were so motivated they would re-infect the device the moment they saw it go dark.
NolF · a year ago
The group exploited a bug in WhatsApp to deliver the spyware. It wasn't an E2E issue.

> A U.S. judge ruled on Friday in favor of Meta Platforms' (META.O) WhatsApp in a lawsuit accusing Israel's NSO Group of exploiting a bug in the messaging app to install spy software allowing unauthorized surveillance.

bawolff · a year ago
The attack wasn't targeting the encryption part of whatsapp (afaik).

Encryption is important but it often is not the weakest link in the security chain.

kjkjadksj · a year ago
People have to start assuming that any communication method in use is compromised. There's just no way on earth orgs like the NSA would throw their hands up in the air and not find multiple different avenues into an app like Signal. It's one of the most downloaded messaging apps. Investment into compromising it is very worthwhile. People should just assume everything involving a cell phone or computer is inherently insecure. Meanwhile for some analog methods (one-time pads, even cupping a hand and whispering into another's ear, etc.), the power balance isn't so lopsided between the state and the individual as it is with digital communications, where everything is probably compromised in some way by now.
eastbound · a year ago
Password managers are such a high target that I wonder how we’ve convinced people to put all their passwords in the same software.
WeylandYutani · a year ago
Well no Chinese should be using software that involved Americans. That is just common sense. When the chips are down everyone gets drafted by their country's security apparatus.
securemepro · a year ago
Hopefully, this sends a strong precedent on privacy. Kudos as privacy wins again. Cyberseb.com
nico · a year ago
> "Surveillance companies should be on notice that illegal spying will not be tolerated."

That is kinda funny, although sad at the same time

On the flip side, I guess that means META allows WhatsApp users being only “legally spied” on

trogdor · a year ago
Every social media company allows legal spying. Warrants and wiretap orders are issued every day in the United States.
sangnoir · a year ago
With end-user-device-controlled E2EE, the only information available to law enforcement is metadata. With a warrant, they could seize your device (or the backups, if unencrypted).
dylan604 · a year ago
Isn't that obvious though? Meta wants exclusive spying rights to its users. You spying on users with Meta's products is not allowed. If you want to spy on your users, build an app that's so popular billions of people sign up willingly to allow you to spy on them. Have you no decency?
talldayo · a year ago
> Meta wants exclusive spying rights

You're allowed to say "The NSA", we're all adults here. No need to speak in euphemisms.

throwaway290 · a year ago
"Unauthorized hostility against pioneer detected"
akira2501 · a year ago
Which is ironic considering the FBI and CISA just today announced that you _should_ use WhatsApp and not use SMS for two-factor authentication. Although they point out the biggest problem is mobile users clicking on links in SMS. We live in a mostly captured and anti-consumer environment. I'm not sure there's any great advice.

https://www.newsnationnow.com/business/tech/fbi-warns-agains...

magic_hamster · a year ago
Of course there is. Always prefer an authenticator app over SMS. Also, Passkeys are supposed to be a big upgrade in this regard.
bawolff · a year ago
WhatsApp is not still vulnerable to the hack (as far as we know), and SMS applications have had similar vulnerabilities in the past.