I'm not a lawyer so maybe I'm misunderstanding something but the plaintiff is Whatsapp, not the journalists. This isn't really about holding NSO Group accountable for hacking journalists at all
The fact journalists were compromised seems only incidental, the ruling is about weather or not NGO Group "exceeded authorization" on WhatsApp by sending the Pegasus installation vector through WhatsApp to the victims and not weather they were unauthorized in accessing the victims. Its a bit of a subtle nuance but I think its important.
Quoting the judgement itself:
> The court reasoned that, because all Whatsapp users are authorized to send messages, defendants did not act without authorization by sending
their messages, even though the messages contained spyware. Instead, the court held that the complaint’s allegations supported only an "exceeds authorization" theory.
> The nub of the fight here is semantic. Essentially, the issue is whether sending the Pegasus installation vector actually did exceed authorized access. Defendants argue
that it passed through the Whatsapp servers just like any other message would, and that any information that was 'obtained' was obtained from the target users' devices (i.e., their cell phones), rather than from the Whatapp servers themselves
> [...removing more detailed defendant argument...]
> For their part, plaintiffs point to section (a)(2) itself, which imposes liability on whoever "accesses a computer" in excess of authorized access, and "thereby obtains information from any protected computer" pointing to the word "any"
> [...]
> As the parties clarified at the hearing, while the WIS does obtain information directly from the target users’ devices, it also obtains information about the target users' device via Whatsapp servers.
Adding a little more detail that comes from the prior dockets and isn't in the judgement directly but basically NSO Group scripted up a fake Whatsapp client that could send messages that the original application wouldn't be able to send. They use this fake client to send some messages that the original application wouldn't be able to send which provide information about the target users' device. In that the fake client is doing something the real client cannot do (and fake clients are prohibited by the terms) they exceeded authorization.
Think about that for a moment and what that can mean. I doubt I'm the only person here who has ever made an alternative client for something before. Whatapp (that I recall) does not claim that the fake client abused any vulnerabilities to get information just that it was a fake client and that was sufficient. Though I should note that there were some redacted parts in this area that could be relevant.
I dunno, I mean the CFAA is a pretty vague law that has had these very broad applications in the past so I'm not actually surprised I was just kinda hopeful to see that rolled back a bit after the Van Bruen case a few years ago and the supreme court had some minor push back against the broad interpretations that allowed ToS violations to become CFAA violations.
> I doubt I'm the only person here who has ever made an alternative client for something before.
I've been on both sides of the issue by authoring unofficial clients, and battling abusive unofficial clients to services I run. The truth is, complete carte blanche for either side is untenable. 99.99% of well-behaved clients are tacitly ignored, I'm not against those that deliver malware, or bypass rate-limiting having their day in court.
> fake client to send some messages that the original application wouldn't be able to send which provide information about the target users' device
> I doubt I'm the only person here who has ever made an alternative client for something before
I think the distinction here for "exceeds authorisation" is pretty apparent. I don't read this judgement as being damning for people wanting to make their own clients.
They made a third party client for deliberately malicious purposes. If you go ahead and make a discord client with the intention of spamming or otherwise causing harm to its users, I think it's completely reasonable for you to get in trouble for that.
THE CFAA is definitely ripe for reform. It wouldn't be hard to argue it's broad and vague. There's definitely this overarching sweep of online behaviors that could easily be classified as benign.
Darknet Diaries did a few podcast episodes on the NSO group from the perspective of people who have directly interacted with or have been the target and it really puts it into perspective how horrific they are. They operate under the protection of the US and are directly allowed to spy on US citizens without any recourse whatsoever.
One particularly grotesque case was the illegal wire tapping of Ben Suda after launching a criminal probe in to Israeli war crimes, which they used to threaten the prosecutor and used it to hide evidence that they knew was under scrutiny or take the cases to court just to drop it so they can tell the ICC that they did make an attempt to prosecute, which is a loophole that disallows the ICC to take up those cases.
I'm certain many countries do this stuff, as well as operate botnets and threaten journalists... but the uniqueness here is that these intel groups located in Israel operate under complete protection of the US without any scrutiny or oversight alongside the US government. We are living in this dystopian universe that people have warned about, for decades at this point.
The big issue in both cases is that the exploit was triggered before the user answered the call.
I think the moral here is that a secure messenger should not execute inherently insecure code (i.e.complex code) on behalf of entities that are not really well trusted by the user. The default should be always plain text.
The encryption isn't alleged to have been compromised. The app itself deals with a lot of untrusted input (eg, thumbnailing video files you've been sent) so there's a meaningful attack surface outside the protocol itself.
The group exploited a bug in WhatsApp to deliver the spyware. It wasn't an E2E issue.
> A U.S. judge ruled on Friday in favor of Meta Platforms' (META.O), opens new tab WhatsApp in a lawsuit accusing Israel's NSO Group of exploiting a bug in the messaging app to install spy software allowing unauthorized surveillance.
People have to start assuming that any communication method in use is compromised. There’s just no way on earth orgs like the NSA would throw their hands up in the air and not find multiple different avenues into an app like signal. Its one of the most downloaded messaging apps. Investment into compromising it is very worth while. People should just assume everything involving a cell phone or computer is inherently insecure. Meanwhile for some analog methods (one time pads, even cupping a hand and whispering into anothers ear, etc), the power balance isn’t so lopsided between the state and the individual as it is with digital communications where everything is probably compromised in some way by now.
Bitwarden is already a big step up from what most people are doing, then if you want to hide from gouvernement you better make sure you save your password on extremely secured device. But that's another treat level from the average Joe.
There should be no difference with usual botnet owner/ransomware gangs and such companies. Management should go to prison for good 20-30 years for that and being extradited worldwide. Considering that ransomware gangs are probably less harmful to the society than guys who hack journalists and politicians, putting their lifes at literal risks, not just their pockets.
There should be no "legal" hacking of someone's devices apart from extraction of data from already convicted people in public court with the right to defend themselves
Its not like this is that different than traditional "weapons" (i hate the "cyberweapons" analogy, but if the shoe fits).
Sell guns to governments, even unsavoury ones, it is very rare anything will happen to you except in pretty extreme cases. Sell guns to street gangs, well that is a different story. Like i don't think this situation is different because it is "hacking".
The NSO created/ran cloud instances for each client country and reviewed and approved every target. The didn’t sell weapons like in your analogy. They were effectively assassins for hire.
The problem with selling exploits is you want to maintain “ownership” of the exploit details, lest your customer just take the exploit and sell/use it without paying more or use it to attack you or your friends. This means you end up with veto power. I.e. culpability.
And meanwhile, if the government sells guns to cartels... no big deal. Rarely throw a fall guy under the bus. Or often not even that.
Trying to remember the quote I last heard, something to the tune of "we don't want to punish, we want to educate", which was about "educating" LEOs and entire police departments they shouldn't be selling fun switch guns illegally to gangs and private buyers.
(And do I even have to mention "fast and furious?" Hah! Feds get it the easiest.)
The second part though doesn't make sense. If the US president can send drones to kill terrorists without taking them to court, surely he can order hacking their phones. If you think that there's no case where the latter is ok you shouldn't you fight against the former first?
The part that you miss is, are they only killing "terrorists" extrajudicially? To take that propaganda at its face value is to ask, what else could they be killing brown people for, if not terrorism?
I didn't say if I think that drone killing is justified or not, since I have no opinion on that - I don't know enough to form an opinion. I only say that since the government have the right to send killing drone it doesn't make sense to raise pitchforks against phone hacking
I don't get what's happening in this thread. This is a pretty clear statement: hacking isn't worse than the killing that the government is already allowed to do. It's a pretty straightforward argument which for some reason seems to be being misunderstood.
I'll gently push on the premise though: hacking isn't worse for the victims than death, obviously, but I think it's possible weaponizing of exploits does more total damage. Both collateral, due to the manufacturing of exploits which ultimately leak and harm a bunch of unrelated actors, and because the marginal hacking is lower cost, practically and politically. So a given attack is likely to be used against groups we'd recognize less clearly as "terrorists" / deserving of the harm / etc.
The thing is, extrajudicial murder justified by labeling the victim “terrorist” is illegal and should not be accepted in a free and open society.
The ‘terrorist’ label was invented as a means of abrogating human rights by governments who felt they were encumbered by the obligation to protect human rights. “Terrorist” labeling is a totalitarian-authoritarian apparatus to avoid culpability for its actions when a government decides the easiest solution to its problem is outright murder.
It is not hypothetical, the fact is that killing drones are used in practice, and it just doesn't make sense to oppose lesser measures that are being used without judgement when killing is allowed.
I have no idea what you are talking about. Ok is a value judgment which I didn't state. Allowed is a fact. Are you arguing with what I'm saying or with an opponent in your mind?
If the US president can send drones to kill terrorists without taking them to court, surely he can order hacking their phones. If you think that there's no case where the latter is ok you shouldn't you fight against the former first?"
Pretty clear from your rhetoric what your position is. Folks here are not dumb.
> Ok is a value judgment ... Allowed is a fact
Factually, genocidaries are worse than terrorists.
Also by now the number of people killed in Gaza by Netanyahu is very close to the number of Ukrainian people killed by Putin. Did anyone suggest sanctions against Israel for that genocide? Nope, they enjoy their full immunity and keep going forward with a massacre that has the same exact motivation as the Russian invasion: rob other people of their territory and resources.
Two war criminals, two rogue terrorist states, yet two completely different weights.
Flip that statement on it's head. What respectable nation would fire upon a suspect in a press jacket without actually knowing who it is first? Who orders artillery and airstrikes on known press positions? Soviet doctrine? Countries with WWII logistics?
Seems clear to me that this is a deliberate campaign of terror constructed by the IDF to deter any form of independent journalism in Gaza. No different than hasbara or the Hannibal Directive - orders passed down from the top get obeyed, even if it costs the truth or innocent lives.
Like I said, Israel is also often complicit in the murder of legit journalists. But you claim that Israel actively makes it a part of their doctrine to actively target and murder journalists in a bid to repress opposing media voices. I say, it's more Israel treating press as collateral damage - "Here, these are our targets (Israel always publishes airstrike and artillery strike positions online and offline). If they evacuate, good. If they don't, they die. We can't be bothered."
And media outlets like Al Jazeera will literally push their (often zealous) journalists to go to these frontlines, right where the targets are.
My journalist classmate, who worked for Al Jazeera as a videographer in Jordan and the West Bank, would tell us incidents where Al Jazeera (an outlet he joined out of wide-eyed positivity as college graduates have) would often give marching orders for their teams to be at the front lines of whatever protest was taking place in the WB. They would be the ones often directly facing off the IDF.
With end-user-device-controlled e2ee, the only information available to law enforcement is metadata. With a warrant, they could seize your device (or the backups, if unencrypted)
Unfortunately, I don’t think end-to-end encryption guarantees much when it comes to legal intercept in proprietary messaging apps. The intercept functionality could be done in the client and capture data, not just metadata.
Why hasn't any evidence of such client-side interception ever been surfaced? Reversing apps and software has been done since forever, and has been used to discover things the app-makers don't want made public - such as unannounced new products, but this happens perennialy with Apple & OS updates, and upcoming features in apps that are behind flags.
Isn't that obvious though? Meta wants exclusive spying rights to its users. You spying on users with Meta's products is not allowed. If you want to spy on your users, build an app that's so popular billions of people sign up willingly to allow you to spy on them. Have you no decency?
There are many other companies beyond NSO Group, if I were a journalist I would write a more comprehensive list of them and educate about this whole "industry".
Very few companies’ work results in outright murder of the targeted victims.
If you know of any other cyber criminal organizations like the NSO, where governments use their tools to select and murder targets, please describe them.
NSO Group is unique in that they are entirely sheltered from (largely due) criticism by their government, creating an unaccountable and injust basis of relations between the United States and Israel that many readers are concerned by. There simply aren't any other comparably corrupt "cybersecurity" outfits in the world.
Kinda similar to how the IDF has never been charged with war crimes despite several of their service-members being recorded breaking the law in their Israeli fatigues. It's not that international law was never broken, it's that Israel considers themselves above the rule of law and international bases of morality. That type of behavior absolutely must be called out in it's lonesome, such that no nation ever repeats Israel's embarrassing mistake.
I can’t reply directly to your last comment (HN doesn’t allow me to), so I’ll respond here. Your question falls into a kind of fallacy: I could just as easily ask you similar questions—such as showing all the information you have about other countries’ terrible acts and identifying your limitations in obtaining it. If your source is media, then the issue becomes evident: you can never fully answer those questions because you lack direct information. You could then argue that media represents the truth for you, but that would lead us into yet another discussion.
What you're missing is that this isn't a relative position. Nobody in this thread (or much of anywhere on HN) is defending Europe or America's misdoings with the same rhetoric. The reason is that people are willing to accept that their governments make mistakes, and they reflect on these problems and fix them democratically.
Israel, currently, is in a position where a extremely nationalist and conservative ruling party has given all sorts of lawbreakers complete impunity. Violators of internationally recognized borders are ignored because it's a boost to morale. Hackers that sell their services without scruples are given a safe haven in exchange for access to their digital arms. And many people rush to defend their actions (or distract from them) because they tacitly approve these behaviors.
When you refuse to acknowledge or in any way address the countless and even admitted ways in which Israel violates international law, you somewhat tip your hand and reveal that you have no intention of holding them accountable even at their most reprehensible. This thread is about Israeli complacency in breaking the law. You are the one crying whataboutism apropos of... Israel being criticized in a public setting.
He's not missing anything; you're just comprehensively wrong on this. You've heard of NSO, because it's (for totally understandable reasons) a cause celebre. NSO has competitors around the world, presumably none of whom you've heard of.
Decrying NSO as odious is reasonable (and, I think, correct). Extending that critique as evidence against Israel is not; the only thing distinctive about NSO is how comparatively transparent they are.
I'm not interested in litigating the broader question and I'm not saying you're wrong (or right) about it. I'm saying that the dynamics of NSO are not making your case for you, and can't: the fact pattern you're evoking doesn't support your argument.
Media and international scrutiny often focus disproportionately on Israel, compared to countless global issues that remain unreported. Israel’s news density, given its small size, is incredibly high.
This may partly stem from Israel’s democratic framework, which provides transparency and fosters political diversity, enabling more detailed examination of its internal affairs. For example, the new documentary The Bibi Files [1] showcases a level of scrutiny not as commonly observed in less transparent regimes.
You might not have enough data points to draw a definitive conclusion. As I mentioned, unless you are directly witnessing events on a global scale, your observations are largely shaped by the information you consume.
What other nation besides the USA and its 5-eyes lackeys willfully murders children almost every day in their own ‘self defense’? Got a list of states that murder more people than the USA/5-eyes and Israel right now?
Sudan, Ethiopia/Tigray, and Syria would all be recent (or ongoing) examples of non-primarily-US military conflicts where mass civilian death, including children, has been publicly evidenced. Each of these conflicts has seen one (or all) parties use self-defense as an argument.
(This doesn't somehow imply that anything is OK about the US's own role in global war, or anything in particular about the I/P conflict. But it's incorrect to treat US/Israel as uniquely competent or active in terms of immiserating the world's civilians and innocents.)
Are you or your family directly involved on these conflicts? Have they fight with real weapons in the front or your comments are based solely on media interactions or have second-hand information? Have they been involved on this kind of conflicts for many generations? Have you work on any intelligence agency around the world?
Throughout this thread you have refused to address the actual topic and (since the root comment) deflected any criticism of Israel (however well-founded) because you feel like it's not fair relative to other countries. You might want to take a break from responding to these comments if you're going to repeat the same whataboutism whenever people discuss Israel's issues in earnest.
None of the questions you just asked have any relevant salience to what the parent just said. Nobody is forcing you to keep responding here, you might as well leave the discussion where it is if you can't engage without getting emotional or changing the topic.
More crimes happen daily in countries like DPRK, but you never here about it because they don’t have a freedom of the pre— they don’t have any freedoms
Which is ironic considering the FBI and CISA just today announced that you _should_ use WhatsApp and not use SMS for two factor authentication. Although they point out the biggest problem is mobile users click on links in SMS. We live in a mostly captured and anti consumer environment. I'm not sure there's any great advice.
It is hard to believe that NSO group is allowed to operate.
They sell technology to horrible places, they cause death
torture, and a host of less horrible things.
Yet they are protected by the US and Israel,
which I believe is the case that they have backdoors into all of it,
and getting the targets to actually install this malware on their own
saves a lot time.
All good, except for the actual real world victims.
> It is hard to believe that NSO group is allowed to operate. They sell technology to horrible places, they cause death torture, and a host of less horrible things.
That describes the entire Israeli defence industry, and a fair sized portion of Israel's cybersecurity industry, based on the stomach-churning sales pitches I've received.
How do you "not" allow them to operate? People write things like this that seem premised on the idea that Bahrain wouldn't have implant technology if you shuttered NSO, but the only thing that would actually change is who the invoice got sent to. These companies have an unbeatable value proposition, lots of competition, and the lowest capital investment requirements of any intelligence product.
I really feel like people aren't thinking this stuff through. Exploits and implants are not rocket science. There aren't a huge number of people in the world that are world-class at reliably exploiting modern targets, but it's not like there's just like 20 of them or something.
later
In case it's unclear from the comment: I don't think this is a good thing. I'm speaking positively, not normatively.
That’s a bold claim. You have any data on that. Over history people have claimed the Jews controllled XYZ country, and you’ve made, hopefully inadvertently, reference to an anti semetic trope.
This will be the third place on this thread I've made this point, but it's important so I'm going to keep making it.
You know about NSO because they are, relative to the field they operate in, unusually transparent. They have competitors around the world, with varying degrees of coziness with their host countries. The only thing distinctive about NSO is how much you've heard of them.
I mean, that’s true of most businesses and industries, big and small? The average person has no idea what Oracle or SAP exists, or that they are multibillion dollar companies. Most people don’t know you can just go buy plastic and composites at TAP, and all sorts of things at McMaster. Most people don’t even know who builds commercial vehicles besides like Peterbilt maybe.
Is there an argument you are making that Meta/Apple/Google should be suing all the other companies as well?
If they're trespassing on Meta's network, absolutely. The core thing that these companies do though tends not to intersect so directly with Meta's property rights.
There is nothing distinctive about NSO's relationship with its host country, and many (most?) other G20 countries have similar relationships. Seemed kind of straightforward from my first comment?
Wow. No. Most weaponized zero-day exploits are not produced by state actors; in fact, even the US, which has the world's most capable CNE apparatus, also buys exploits from private firms.
I'm quite surprised by the corporate history section.
Specifically, NSO Group is worth a lot less than I thought it was, even at its peak. ($1B+ valuation)
Also, the amount of infighting is... Surprising perhaps? Less surprising is the number of spinoffs out of it, and the number of competing Israeli spyware groups.
I'm constantly surprised by how good he Israeli startup environment seems to be.
Why is this? How are there so many acquisitions out of there?
Things like this are similar to law firms. The shelf life of vulnerabilities means that there isn’t a lot of intellectual property owned by the company. The value is in the people’s skills.
So once people get really good they quickly realize they can make more by starting their own company and siphoning off client relationships.
I'd imagine they have a very limited market as in who they can sell their products and services to, for reasons that might make political power more interesting than valuation.
I don't know about that. Something I think a lot of people sleep on with this stuff is that most countries have multiple security agencies, and you generally cut deals with them individually. The market for this stuff is bigger than it looks.
I was mostly thinking that the customers / clients you have and services you have to offer can be largely dependent by people in positions of power where having the right connections and influence might be the key difference between a service or product being viable.
For example - although not related to NSO - something like operation Trojan Shield required both Australian and Lithuanian cooperation due to fourth amendment interpretations.
Having a zero day in such cases is only part of the work and everything beyond that might be very much dependant on the strings you can pull.
But I can also see the argument that that would be something the government can figure out after they buy the product or service, so maybe I'm wrong on that and it's less important than I thought.
My mental model of how this works --- and I have some (imperfect) evidence for it --- is that a given one of these firms (NSO or one of its competitors) has an addressable market of N countries each with an average of K security agencies, and basically all of those agencies pay subscription fees to be continuously in a position to do a CNE operation when they want to.
(Generally, I don't think countries just "buy exploits"; a significant component of the money in this space comes from "maintenance", so much so that I think it makes more sense to think of exploits as subscription services.)
The victims are the good guys. Meta is just not happy that their platform was exploited. Even if you consider them to be the bad guys, they needed to sue to curtail the bad PR
Note that even my fairly mild statement was not received well. People really don't like discussion of improving the Quality of software, here. Too much money to be made in not-so-good stuff.
Genocide is an attempt to eradicate a group. The only group Israel is trying to eradicate is Hamas. They're not genociding Palestinians, they're genociding Hamas.
Are they killing an excessive number of civilians as collateral damage? Certainly seems like it. But collateral damage is not genocide.
If they wanted to genocide the Palestinians, they'd be shipping 'em to camps and gassing them, like the Nazis did. Looking at it another way: let's say that (hypothetically) Hamas stopped using people as humans shields by firing rockets from hospitals and building tunnels under schools. Do you think the number of non-combatants killed by the IDF would go down? Because I do, and to me that says Israel's goal is not in fact killing non-combatant civilians, even if they're killing far too many as is.
I strive to be impressed only by claims, not by titles.
This professor says that what happens in Gaza is genocide because "Israel is destroying museums, mosques and schools, which are the culture of the people in Gaza". Of course he did not say a word about why this happens (Hamas using these places to launch rockets at Israel), but he says that this is enough for him to decide it's genocide.
I think this definition of genocide is absurd. Genocide is killing of people. Not destroying buildings. Buildings can be rebuilt, and will be rebuilt once the war is over.
It is interesting that every time someone is being asked to explain why they use the word "genocide" in the context of Gaza, they never talk about killing of people. They know there is no real genocide, but still want to blame Israel for doing that, so they find other reasons.
The situation in Gaza is sad. I wish it to be over already. We don't have to lie and say there is genocide when there is none. Saying that only changes the meaning of the word and diminishes other, real genocides, that sadly occur during human history.
This professor says that what happens in Gaza is genocide because ...
That's very plainly not a fair description of what he was saying. He gives plenty of reasons beyond the small snippet you've chosen to zero in on.
It is interesting that every time someone is being asked to explain why they use the word "genocide" in the context of Gaza, they never talk about killing of people.
And this description is even more bizarre. People bring up the egregiously high civilian death toll all the time. It's not the only part of the genocide accusation, but certainly a major part of it.
It seems you aren't really reacting to what "people" are saying, just what you prefer to believe they're saying.
This argument merely serves to justify murder and is inhumane, in and of itself. Please re-consider your position on the subject of the wanton and willful murder of your fellow human beings.
Genocide is not a matter of scale, it is a matter of intent.
The definition fits: the people of Palestine are being genocided. The Nazi’s took years to murder 6 million Jews and other classes of humans they deemed undesirable - should we just wait until Israel catches up in terms of scale of magnitude, or should we stop trying to justify their actions and do everything we can to make sure the scale of the atrocity does not continue to sky-rocket, as it has done for the past 15 months…?
It is because genocide is a matter of intent that people in debates will disagree. Just taking a look on the war on terror. Was the intent to grab oil, revenge, fund the military complex, or was it to liberate people? Its been over 20 years and people are still debating the intent of all those wars that occurred after 9/11. Intent is really hard to prove, and that is even if we have proof of policies that defined every killed male over the age of 15 as terrorist regardless of situation.
We could just define all wars as genocide and be done with it. The definition do fit, with all wars ending up behaving as if the intent was the destruction of a people. If the genocide definition helps to reduce the scale of the atrocity being done then I am also for using it in any war which has that effect. However, if it is just used as a media tool in order to define which side is good or bad then Im unconvinced it will help to reduce atrocities.
From reading other in depth sources it looks more like anti competitive business practices. Certain former politician who is well connected in democratic party cycles basically shutdown the whole Israeli offensive cyber industry except his company which is the main competitor of NSO. This whole drama wouldn't happened otherwise. With Republicans moving in, we might never hear about those issues again.
The fact journalists were compromised seems only incidental, the ruling is about weather or not NGO Group "exceeded authorization" on WhatsApp by sending the Pegasus installation vector through WhatsApp to the victims and not weather they were unauthorized in accessing the victims. Its a bit of a subtle nuance but I think its important.
Quoting the judgement itself:
> The court reasoned that, because all Whatsapp users are authorized to send messages, defendants did not act without authorization by sending their messages, even though the messages contained spyware. Instead, the court held that the complaint’s allegations supported only an "exceeds authorization" theory.
> The nub of the fight here is semantic. Essentially, the issue is whether sending the Pegasus installation vector actually did exceed authorized access. Defendants argue that it passed through the Whatsapp servers just like any other message would, and that any information that was 'obtained' was obtained from the target users' devices (i.e., their cell phones), rather than from the Whatapp servers themselves
> [...removing more detailed defendant argument...]
> For their part, plaintiffs point to section (a)(2) itself, which imposes liability on whoever "accesses a computer" in excess of authorized access, and "thereby obtains information from any protected computer" pointing to the word "any"
> [...]
> As the parties clarified at the hearing, while the WIS does obtain information directly from the target users’ devices, it also obtains information about the target users' device via Whatsapp servers.
Adding a little more detail that comes from the prior dockets and isn't in the judgement directly but basically NSO Group scripted up a fake Whatsapp client that could send messages that the original application wouldn't be able to send. They use this fake client to send some messages that the original application wouldn't be able to send which provide information about the target users' device. In that the fake client is doing something the real client cannot do (and fake clients are prohibited by the terms) they exceeded authorization.
Think about that for a moment and what that can mean. I doubt I'm the only person here who has ever made an alternative client for something before. Whatapp (that I recall) does not claim that the fake client abused any vulnerabilities to get information just that it was a fake client and that was sufficient. Though I should note that there were some redacted parts in this area that could be relevant.
I dunno, I mean the CFAA is a pretty vague law that has had these very broad applications in the past so I'm not actually surprised I was just kinda hopeful to see that rolled back a bit after the Van Bruen case a few years ago and the supreme court had some minor push back against the broad interpretations that allowed ToS violations to become CFAA violations.
Edit: Adding a link to the judgement for anyone interested: https://storage.courtlistener.com/recap/gov.uscourts.cand.35...
Edit2: And CourtListener if you want to read the other dockets that include the arguments from both sides (with redactions) https://www.courtlistener.com/docket/16395340/facebook-inc-v...
I've been on both sides of the issue by authoring unofficial clients, and battling abusive unofficial clients to services I run. The truth is, complete carte blanche for either side is untenable. 99.99% of well-behaved clients are tacitly ignored, I'm not against those that deliver malware, or bypass rate-limiting having their day in court.
> I doubt I'm the only person here who has ever made an alternative client for something before
I think the distinction here for "exceeds authorisation" is pretty apparent. I don't read this judgement as being damning for people wanting to make their own clients.
They made a third party client for deliberately malicious purposes. If you go ahead and make a discord client with the intention of spamming or otherwise causing harm to its users, I think it's completely reasonable for you to get in trouble for that.
whatsapp owns the systems, so its up to whatsapp to sue
One particularly grotesque case was the illegal wire tapping of Ben Suda after launching a criminal probe in to Israeli war crimes, which they used to threaten the prosecutor and used it to hide evidence that they knew was under scrutiny or take the cases to court just to drop it so they can tell the ICC that they did make an attempt to prosecute, which is a loophole that disallows the ICC to take up those cases.
I'm certain many countries do this stuff, as well as operate botnets and threaten journalists... but the uniqueness here is that these intel groups located in Israel operate under complete protection of the US without any scrutiny or oversight alongside the US government. We are living in this dystopian universe that people have warned about, for decades at this point.
* https://www.theverge.com/2019/5/14/18622744/whatsapp-spyware...
Interestingly enough, Signal (and others) had the same sort of vulnerability on Android from a WebRTC stack:
* https://googleprojectzero.blogspot.com/2020/08/exploiting-an...
The big issue in both cases is that the exploit was triggered before the user answered the call.
I think the moral here is that a secure messenger should not execute inherently insecure code (i.e.complex code) on behalf of entities that are not really well trusted by the user. The default should be always plain text.
> A U.S. judge ruled on Friday in favor of Meta Platforms' (META.O), opens new tab WhatsApp in a lawsuit accusing Israel's NSO Group of exploiting a bug in the messaging app to install spy software allowing unauthorized surveillance.
Encryption is important but it often is not the weakest link in the security chain.
Bitwarden is already a big step up from what most people are doing, then if you want to hide from gouvernement you better make sure you save your password on extremely secured device. But that's another treat level from the average Joe.
There should be no "legal" hacking of someone's devices apart from extraction of data from already convicted people in public court with the right to defend themselves
Sell guns to governments, even unsavoury ones, it is very rare anything will happen to you except in pretty extreme cases. Sell guns to street gangs, well that is a different story. Like i don't think this situation is different because it is "hacking".
The problem with selling exploits is you want to maintain “ownership” of the exploit details, lest your customer just take the exploit and sell/use it without paying more or use it to attack you or your friends. This means you end up with veto power. I.e. culpability.
Trying to remember the quote I last heard, something to the tune of "we don't want to punish, we want to educate", which was about "educating" LEOs and entire police departments they shouldn't be selling fun switch guns illegally to gangs and private buyers.
(And do I even have to mention "fast and furious?" Hah! Feds get it the easiest.)
The second part though doesn't make sense. If the US president can send drones to kill terrorists without taking them to court, surely he can order hacking their phones. If you think that there's no case where the latter is ok you shouldn't you fight against the former first?
The part that you miss is, are they only killing "terrorists" extrajudicially? To take that propaganda at its face value is to ask, what else could they be killing brown people for, if not terrorism?
I'll gently push on the premise though: hacking isn't worse for the victims than death, obviously, but I think it's possible weaponizing of exploits does more total damage. Both collateral, due to the manufacturing of exploits which ultimately leak and harm a bunch of unrelated actors, and because the marginal hacking is lower cost, practically and politically. So a given attack is likely to be used against groups we'd recognize less clearly as "terrorists" / deserving of the harm / etc.
The ‘terrorist’ label was invented as a means of abrogating human rights by governments who felt they were encumbered by the obligation to protect human rights. “Terrorist” labeling is a totalitarian-authoritarian apparatus to avoid culpability for its actions when a government decides the easiest solution to its problem is outright murder.
Why speak in hypotheticals supporting some phantom opinion? Concern trolling is even worse.
You said it is okay / allowed because "terrorists". Otherwise, it is a heinous crime. Just like the Pegasus one.
This is what you wrote:
The second part being: Pretty clear from your rhetoric what your position is. Folks here are not dumb.> Ok is a value judgment ... Allowed is a fact
Factually, genocidaries are worse than terrorists.
[1] https://en.wikipedia.org/wiki/Pablo_Gonz%C3%A1lez_Yag%C3%BCe
Israeli forces killed 38x more journalists than Hamas did on October 7th.
Seems clear to me that this is a deliberate campaign of terror constructed by the IDF to deter any form of independent journalism in Gaza. No different than hasbara or the Hannibal Directive - orders passed down from the top get obeyed, even if it costs the truth or innocent lives.
And media outlets like Al Jazeera will literally push their (often zealous) journalists to go to these frontlines, right where the targets are.
My journalist classmate, who worked for Al Jazeera as a videographer in Jordan and the West Bank, would tell us incidents where Al Jazeera (an outlet he joined out of wide-eyed positivity as college graduates have) would often give marching orders for their teams to be at the front lines of whatever protest was taking place in the WB. They would be the ones often directly facing off the IDF.
Capitalism is neat that way. Diffusion of responsibility.
That is kinda funny, although sad at the same time
On the flip side, I guess that means META allows WhatsApp users being only “legally spied” on
You're allowed to say "The NSA", we're all adults here. No need to speak in euphemisms.
If you know of any other cyber criminal organizations like the NSO, where governments use their tools to select and murder targets, please describe them.
Kinda similar to how the IDF has never been charged with war crimes despite several of their service-members being recorded breaking the law in their Israeli fatigues. It's not that international law was never broken, it's that Israel considers themselves above the rule of law and international bases of morality. That type of behavior absolutely must be called out in it's lonesome, such that no nation ever repeats Israel's embarrassing mistake.
Israel, currently, is in a position where a extremely nationalist and conservative ruling party has given all sorts of lawbreakers complete impunity. Violators of internationally recognized borders are ignored because it's a boost to morale. Hackers that sell their services without scruples are given a safe haven in exchange for access to their digital arms. And many people rush to defend their actions (or distract from them) because they tacitly approve these behaviors.
When you refuse to acknowledge or in any way address the countless and even admitted ways in which Israel violates international law, you somewhat tip your hand and reveal that you have no intention of holding them accountable even at their most reprehensible. This thread is about Israeli complacency in breaking the law. You are the one crying whataboutism apropos of... Israel being criticized in a public setting.
Decrying NSO as odious is reasonable (and, I think, correct). Extending that critique as evidence against Israel is not; the only thing distinctive about NSO is how comparatively transparent they are.
Israel is notorious of dodging responsibility, like carrying assassinations abroad that are set to look like accidents, just like Russia does.
Take the assassination of Waddie Haddad and Yasser Arafat with slow poison as examples.
[1] https://en.wikipedia.org/wiki/Wadie_Haddad#Death [2] https://en.wikipedia.org/wiki/Death_of_Yasser_Arafat#Poisoni...
This may partly stem from Israel’s democratic framework, which provides transparency and fosters political diversity, enabling more detailed examination of its internal affairs. For example, the new documentary The Bibi Files [1] showcases a level of scrutiny not as commonly observed in less transparent regimes.
[1] https://jolt.film/watch/the-bibi-files
(This doesn't somehow imply that anything is OK about the US's own role in global war, or anything in particular about the I/P conflict. But it's incorrect to treat US/Israel as uniquely competent or active in terms of immiserating the world's civilians and innocents.)
Are you or your family directly involved on these conflicts? Have they fight with real weapons in the front or your comments are based solely on media interactions or have second-hand information? Have they been involved on this kind of conflicts for many generations? Have you work on any intelligence agency around the world?
None of the questions you just asked have any relevant salience to what the parent just said. Nobody is forcing you to keep responding here, you might as well leave the discussion where it is if you can't engage without getting emotional or changing the topic.
https://www.newsnationnow.com/business/tech/fbi-warns-agains...
Yet they are protected by the US and Israel, which I believe is the case that they have backdoors into all of it, and getting the targets to actually install this malware on their own saves a lot time.
All good, except for the actual real world victims.
That describes the entire Israeli defence industry, and a fair sized portion of Israel's cybersecurity industry, based on the stomach-churning sales pitches I've received.
NSO are not unique, they just got unlucky.
Care to elaborate? This could be news story-worthy
I really feel like people aren't thinking this stuff through. Exploits and implants are not rocket science. There aren't a huge number of people in the world that are world-class at reliably exploiting modern targets, but it's not like there's just like 20 of them or something.
later
In case it's unclear from the comment: I don't think this is a good thing. I'm speaking positively, not normatively.
If you don't want to be banned, you're welcome to email [email protected] and give us reason to believe that you'll follow the rules in the future. They're here: https://news.ycombinator.com/newsguidelines.html.
https://en.wikipedia.org/wiki/NSO_Group#Relationship_with_th...
You know about NSO because they are, relative to the field they operate in, unusually transparent. They have competitors around the world, with varying degrees of coziness with their host countries. The only thing distinctive about NSO is how much you've heard of them.
Is there an argument you are making that Meta/Apple/Google should be suing all the other companies as well?
Here, how about instead, a podcast episode we did with Mark Dowd:
https://securitycryptographywhatever.com/2024/06/24/mdowd/
Specifically, NSO Group is worth a lot less than I thought it was, even at its peak. ($1B+ valuation)
Also, the amount of infighting is... Surprising perhaps? Less surprising is the number of spinoffs out of it, and the number of competing Israeli spyware groups.
I'm constantly surprised by how good he Israeli startup environment seems to be.
Why is this? How are there so many acquisitions out of there?
So once people get really good they quickly realize they can make more by starting their own company and siphoning off client relationships.
I was mostly thinking that the customers / clients you have and services you have to offer can be largely dependent by people in positions of power where having the right connections and influence might be the key difference between a service or product being viable.
For example - although not related to NSO - something like operation Trojan Shield required both Australian and Lithuanian cooperation due to fourth amendment interpretations.
Having a zero day in such cases is only part of the work and everything beyond that might be very much dependant on the strings you can pull.
But I can also see the argument that that would be something the government can figure out after they buy the product or service, so maybe I'm wrong on that and it's less important than I thought.
(Generally, I don't think countries just "buy exploits"; a significant component of the money in this space comes from "maintenance", so much so that I think it makes more sense to think of exploits as subscription services.)
It’s not possible to be “perfect,” but if we do our best to get there, we’ll make really good stuff.
It’s unlikely to happen, though, as we have a system that explicitly rewards writing crap, because it makes money.
As long as we fail to reward good work, we will continue to get poor work.
I think that's a bit off. The problem is that we continue to reward poor work so the poor work continues.
Note that even my fairly mild statement was not received well. People really don't like discussion of improving the Quality of software, here. Too much money to be made in not-so-good stuff.
Are they killing an excessive number of civilians as collateral damage? Certainly seems like it. But collateral damage is not genocide.
If they wanted to genocide the Palestinians, they'd be shipping 'em to camps and gassing them, like the Nazis did. Looking at it another way: let's say that (hypothetically) Hamas stopped using people as humans shields by firing rockets from hospitals and building tunnels under schools. Do you think the number of non-combatants killed by the IDF would go down? Because I do, and to me that says Israel's goal is not in fact killing non-combatant civilians, even if they're killing far too many as is.
Here is a 15-minute clip of him explaining that what Israel is perpetrating in Gaza is systematic genocide: https://x.com/amanpour/status/1869818758501675259
This professor says that what happens in Gaza is genocide because "Israel is destroying museums, mosques and schools, which are the culture of the people in Gaza". Of course he did not say a word about why this happens (Hamas using these places to launch rockets at Israel), but he says that this is enough for him to decide it's genocide.
I think this definition of genocide is absurd. Genocide is killing of people. Not destroying buildings. Buildings can be rebuilt, and will be rebuilt once the war is over.
It is interesting that every time someone is being asked to explain why they use the word "genocide" in the context of Gaza, they never talk about killing of people. They know there is no real genocide, but still want to blame Israel for doing that, so they find other reasons.
The situation in Gaza is sad. I wish it to be over already. We don't have to lie and say there is genocide when there is none. Saying that only changes the meaning of the word and diminishes other, real genocides, that sadly occur during human history.
That's very plainly not a fair description of what he was saying. He gives plenty of reasons beyond the small snippet you've chosen to zero in on.
It is interesting that every time someone is being asked to explain why they use the word "genocide" in the context of Gaza, they never talk about killing of people.
And this description is even more bizarre. People bring up the egregiously high civilian death toll all the time. It's not the only part of the genocide accusation, but certainly a major part of it.
It seems you aren't really reacting to what "people" are saying, just what you prefer to believe they're saying.
Genocide is not a matter of scale, it is a matter of intent.
The definition fits: the people of Palestine are being genocided. The Nazi’s took years to murder 6 million Jews and other classes of humans they deemed undesirable - should we just wait until Israel catches up in terms of scale of magnitude, or should we stop trying to justify their actions and do everything we can to make sure the scale of the atrocity does not continue to sky-rocket, as it has done for the past 15 months…?
We could just define all wars as genocide and be done with it. The definition do fit, with all wars ending up behaving as if the intent was the destruction of a people. If the genocide definition helps to reduce the scale of the atrocity being done then I am also for using it in any war which has that effect. However, if it is just used as a media tool in order to define which side is good or bad then Im unconvinced it will help to reduce atrocities.