The company that makes the software "says it sells the tool exclusively to governments" as though they're trying to take a moral stand and say "we only sell it to the good guys". When in fact they sell to governments that are highly oppressive and corrupt. It's a farce.
From what I've heard, there are extensive connections between the Sinaloa cartel and the Mexican federal government too. The cartels laundered over a billion dollars one year through the state-owned oil company Pemex, for example. It's even been alleged [0] by ex-cartel leaders that the US government props up the Sinaloa cartel with weapons and other material support, since in general the Sinaloa cartel tends to be less outrageously brutal toward civilians than for instance Los Zetas (whose founders unsurprisingly studied at the infamous School of the Americas [1]).
This is usually referred to as fourth party intelligence.
Say Russia compromises a high ranking ISIS member. The United States could compromise the infrastructure used by the Russians, and collect all the same intelligence. Not only have they gained knowledge about ISIS, they also strategically have a picture into what Russia actually knows.
We need to avoid the slippery slope of blaming the tools. There are open source and commercial solutions that implement much of the same functionality.
If you blame the tools, Hacking Team or NSO or whomever disappears into oblivion, and two more spawn to take their place. Meanwhile we build a popular opinion that these things are dangerous and need to be restricted or regulated. Software ends up as the new "burglary tools."
We need to shame the people that would have used any means available to the same ends.
Having up to date Android and iOS zero days plus the rootkit / RAT software is not something you can get open source or find easily commercially.
There's a reason this company is charging hundreds of thousands of dollars to target only 10s of phones...
I wouldn't downplay the gatekeeper aspect of these companies and the technical investment it takes for non-technical governments to do this stuff.
But generally I agree that attempting to control it via the tools is a bad idea or merely putting the blame on the tools is missing the bigger picture. Plus limiting zero day sales will only harm legitimate security research and encourage unrealistic pen testing.
Mexico's government is the primary issue here. They have a serious human rights abuse issue at various layers of government.
But that said, if we're going to try to protect these people from abusive government tactics, since it happens in secrecy and their 'self-regulation' totally fails to stop abuse (even in the US), then there is some value in pushing back against these more sophisticated companies that sell the high-end tools that are harder to detect. Since it is a niche market at the moment and a niche expensive skillset... Unlike guns in the US, which will be everywhere regardless of gun control, since it is the biggest gun exporter and has the highest gun ownership rate in the world, we can hold these companies to a higher degree of responsibility.
Eventually though it will have to come down to holding the governments responsible and pushing back by protecting our software.
The fact that NSO has publicly said they will continue to sell to Mexico despite the clear evidence here that they are not following their stated policy of only targeting cartels, criminals, and terrorists... Then clearly they are shady as hell and their stated policy is bullshit.
NSO is hardly without fault here. Unlike the AK47 analogy used in this article, where the weapons are sold once and then the manufacturer loses control of how they're used, this exploitation software needs to be updated with new zero days, new RAT software for new iOS/Android versions, and support/training staff. NSO has chosen to continue offering these services, so they are just as much liable as far as I'm concerned.
> Having up to date Android and iOS zero days plus the rootkit / RAT software is not something you can get open source or find easily commercially.
You might be right about not being able to find 0days that target the latest versions of iOS or Android so easily, but there are dark web markets stuffed with 0days that target specific versions, or a range of versions. Not sure about pricing, but they're typically cheaper than the exploits that target the latest and greatest.
It's by pure chance that the owner of a device is using an outdated OS on their phone. Others may argue it's not by chance, but by design, and that some phones can't upgrade properly and remain locked to a specific version... You know, because governments sometimes demand that phones are deliberately left unpatched so they can do interception or exfiltration on them?
> We need to avoid the slippery slope of blaming the tools
If you are designing, developing, marketing and delivering a tool for surveillance to a government agency, you have a pretty good idea of what it will be used for.
I think you also have a pretty good idea that all governments, to a greater or lesser degree, cheat. They'll pinky-swear to use it only against teh terra, or pedophiles, or drug dealers, or sidewalk-spitters if that gets people's dander up. And then they use it against anyone who threatens the current power arrangement.
So yes, I blame NSO, Hacking Team, and the rest of them. They deserve the blame, because they design, develop, market and sell these things knowing full well the use to which they will be put. They also know these tools will leak and be used by third parties, because that's how this works and they analyze third party malware themselves.
Arms dealers are awful people, no matter whose flag they wave.
I don't understand this argument. If you build and sell tools that enable online surveillance, you bear a special responsibility not to sell them to people who will abuse them. Building surveillance tools and selling them to repressive governments is blameworthy.
Equally blameworthy, but rarely remarked upon, is the practice of selling generic computing infrastructure that you know will be used to build surveillance infrastructure.
How do we apply that special responsibility to open source software? Say, Metasploit.
I'm proficient with both commercial and open source tools, and in most cases the open source ones are more powerful.
Not saying enabling isn't a shameful act, but it is a slippery slope. As you pointed out, at what point does AWS need to start investigating customer workloads?
The only solution then is not to sell them at all because a government that can't gain the tools directly will simply set up a blind to do the procurement and there is only so much research you can do on your customers before you start to lose money on a sale.
I don't agree that that's the only option, but I think selling offensive security technology is so complicated and fraught that I'll never do it myself. So, "don't sell to governments" is definitely one viable option.
> Equally blameworthy, but rarely remarked upon, is the practice of selling generic computing infrastructure that you know will be used to build surveillance infrastructure.
Truly, Linus Torvalds is a monster for enabling the NSA.
> Meanwhile we build a popular opinion that these things are dangerous and need to be restricted or regulated. Software ends up as the new "burglary tools."
If I'm against the regulation of software, it's because I don't trust the would-be regulators and deem the effort unrealistic - not because it "isn't dangerous". Software (particularly of the surveillance, de-anonymization, & big-spy-data variety) has an absolutely massive potential for horrific abuse, and hence is unequivocally dangerous both to the individual and free society as a whole.
> We need to shame the people that would have used any means available to the same ends.
Why not both? I don't see why the investors, executives & engineers who make a cushy living off of developing tools that they know will be used to reduce the freedom of others don't also deserve to be shamed. You don't see many talented people flocking to work for big tobacco anymore.
I totally agree with you in this regard, and the point of my comment is not that we should blame them, but that it's silly for them to put on this facade of being morally responsible.
If they were to simply say "we're just selling stuff, and what people do with these tools is none of our business" I'd have a lot more respect for them. But instead, they say this stuff about only selling to governments that promise not to do anything bad. It's a joke.
Meanwhile, Germany sends automatic weapons to Mexico. Of course only to the good guys. The police that were involved in the killing in Iguala (the missing 43) were equipped with them.
...not to mention any definition of "good guys" tends to fade at scale. When you're selling to governments it will either leak or be used directly for anti-humanitarian ends.
I mean just look at the recent NSA leak. It's the same "conspiracy" patterns we've seen for ages.
Hell, the best kept secrets in front of the western world remain the secret cults of Rome. Those sons of bitches knew how to hype a secret. Probably not possible with the internet!
We are heading into an interesting future. NSO Group's biggest owner, Francisco Partners, has both software and semiconductor companies in its portfolio, like Dell Software. Should I be worried about the firmware in my Dell computer? When everything becomes entangled like this it's impossible to know who to trust. And in the end it doesn't really matter what intent you have if people don't trust you.
Buy parts and run your own firewall/dns setup to drop anything odd.
It's honestly the only way to be "sure" if you worry about a manufacturer doing that sort of thing. It won't be perfect, but the odds of someone targeting you for hardware spyware are prettttttttty low. And most manufacturers of comp enthusiast parts know it's suicide to do it mass-market like that.
Important note: while in other countries the information acquired via this hacking could be used to blackmail or imprison their targets, in Mexico they are just shot dead.
Governments are distinctly different from most other organizations, primarily because they can force you to do something you don't want to do. Corporations can't do this (unless there is a monopoly on a needed utility (water company, etc.)). Even cartels and gangs are terrible because they act as a government in small/local areas, but have incredibly unfair punishments when people don't comply. Governments are ultimately far more dangerous than almost any other organization.
I don't suppose you think differently, but in general: I think it's worth reminding ourselves that "a government" is made up of multiple people, which may be largely influenced by distinct cliques, whether or not those cliques are within the government. It may be the case that real danger lies predominantly within those cliques.
Of course it does. These days, just imagine the most insidious and nightmarish overreach and wait a few weeks. 2017 is looking like a benchmark year in this regard.