[HN Gopher] NYT journalist hacked with Pegasus after reporting o...
___________________________________________________________________
NYT journalist hacked with Pegasus after reporting on previous
hacking attempts
Author : giuliomagnifico
Score : 494 points
Date : 2021-10-24 18:01 UTC (4 hours ago)
(HTM) web link (citizenlab.ca)
(TXT) w3m dump (citizenlab.ca)
| supperburg wrote:
| Good. The New York Times lies. They reviewed the Model S in 2013,
| drove it in circles before the review and then said the battery
| died. Flat out lies. They ought to have a taste of their own
| toxic medicine.
| otoh wrote:
| On the other hand, perhaps the hardware/OS designs of iOS and
| Android devices are fundamentally flawed, when viewed from a
| security-first perspective.
| aboringusername wrote:
| It depends what you mean by "security first". If you're a
| person of interest and you're carrying around a personal spy
| with actual data on it and a hardware connected microphone,
| camera, GPS, sensors etc, which sends God knows what over the
| internet then yes, it's not going to go well for you.
|
| But if you use devices with hardware kill switches and the most
| secure OS possible (storing _nothing_ on device, perhaps it's
| a gateway to another security hardened machine).
|
| Secure computing is possible, but it takes a lot of time,
| effort and dedication.
|
| If you're just using off the shelf hardware and software you're
| going to have a bad time.
|
| One thing that seems to link these Pegasus stories is that
| _none_ of these targeted individuals are practising seemingly
| decent security ops; being hacked over WhatsApp or iMessage
| seems fairly trivial, and hopefully now they would reconsider
| their threat model.
| Azsy wrote:
| This is definitely part of the problem. But the fundamental
| flaw is the departure from simplicity.
|
| The solution is to have a processor that is so simple that it
| can't do more than what you expect, and building the tools to
| make the unexpected stand out.
|
| However, there is a bigger market for a processor with 3 extra
| layers of root access to ensure your boss can spy on you and
| Disney&Co really want this to be the norm.
| xtat wrote:
| ...and yet they milk our very livelihood with their app stores
| strictfp wrote:
| I wouldn't say so. The problem is the cyber warfare market
| created by nation states. If it wasn't for those large
| spenders, we wouldn't be where we are right now.
|
| IMO nation states had a very negative influence on the
| internet, bringing secrecy, warfare, balkanized markets,
| mandatory identification and other closed concepts to a place
| that worked on open principles.
|
| If states would invest more in security advancement and open
| research than in warfare, we might have been in a better
| position.
| UweSchmidt wrote:
| By now every piece of software and hardware that is in use,
| every abstraction layer in that computing tower of Babel has
| been thoroughly hacked. Anywhere from plaintext passwords on a
| server to insane exploits like Rowhammer, those security
| websites and podcasts have long weekly litanies of tragedy.
| Additionally there is all-knowing Google, Chinese phones
| phoning home, undocumented functions in Intel processors, ISPs
| sabotaging user encryption, small-time browser plugin writers
| that get offered high sums for their plugin to get a front row
| seat to users' browsers, programmers pulling who-knows-what
| from npm who are probably pwned by the time they write 'hello
| world', phishing, billions of smart devices constantly
| listening and often filming, and we probably only know 10% of
| what's going on until a Snowden 2.0 comes along.
|
| Yes, all of it is 'fundamentally flawed', and it would take a
| herculean effort to start over with a clean slate, yes, to
| figuratively burn it all down and make simple provably correct
| and safe hardware and a small and minimal OS that has browsing
| and communications built in.
|
| Anyone?
| mijoharas wrote:
| So, what is the legality of this? I've not followed much about
| this at all, but NSO group appears to be an Israeli company.
|
| Do they just sell, or operate the hacking software for their
| clients? If they operate it, is it illegal for an Israeli company
| to hack an American citizen (I assume it is illegal in America,
| but how about Israel?)
|
| Is the sale of hacking software regulated in any way?
| PeterisP wrote:
| Since this is an international issue and there's no global
| "legality", the effect is that locations matter a lot.
|
| Presumably, the hacking was done by Saudi authorities from SA,
| using NSO-developed tools. Citizenship of the target is not
| very relevant, but it does matter where "the event" happened.
|
| If the reporter was in Saudi Arabia when the hack happened,
| then Saudi laws apply and essentially Saudi government gets to
| set conditions on whether it was legal or not, and if it was
| forbidden by their laws, then what consequences (if any!) that
| should have.
|
| If the reporter was in USA at the time, then it would be
| reasonable to apply US jurisdiction and try and investigate it
| as a crime in USA. However, Saudi Arabia can refuse to
| cooperate and even if USA prosecutors identify the culprits and
| convict them, Saudi Arabia can refuse to extradite them and
| choose to protect them. In essence, if it's not a random
| foreign criminal but someone from the actual foreign government
| that has harmed USA citizens in USA, it's not really a criminal
| matter as much as a diplomatic one, where all the other aspects
| of USA-Saudi relationships matter much more than any facts
| about the actual case; USA can choose to make a big deal out of
| it or ignore it, but historical precedent shows that it likely
| will be ignored as the Department of State considers all the
| other factors of Middle Eastern politics as much more
| important; SA could likely get away with literal murder (e.g.
| Khashoggi), not just some hacks.
|
| In a similar manner, perhaps you could argue that NSO is an
| accomplice in that crime (I'm not saying that this would
| succeed - in general, arms exporters are not considered liable
| for whoever the purchasing country harms), but that essentially
| comes down to (a) whether USA prosecutors are willing to pursue
| this, and (b) whether Israel is willing to cooperate, as in the
| absence of specific treaties it would be legitimate for Israel
| to say "NSO did not violate our laws, we won't enforce any
| foreign judgements about this event"; if so, then any action
| would be limited to seizing whatever assets NSO has in USA (if
| any!) and/or trying to capture the involved people (if specific
| people can be identified) when they are traveling outside of
| Israel somewhere within the reach of USA. USA could apply
| diplomatic pressure to get Israel to restrict NSO, however, it
| doesn't seem likely that USA wants it so much to actually try
| and change that.
|
| For another of your questions, sale of hacking software _can_
| be regulated by countries in whatever way each country wishes.
| In this case, as far as I understand, Israel treats it as
| essentially an equivalent of "arms export" where NSO has to
| obtain approval from Israel government for their foreign
| customers, but in this case it is not contested that NSO did
| have all the required approvals to sell their tools to Saudi
| Arabia.
| [deleted]
| caf wrote:
| There are allegations that the NSO Group doesn't provide the
| 0days they're using to their customers, so they are in fact
| performing the intrusions themselves.
| thr0wawayf00 wrote:
| Since the US government has historically been one of the
| largest customers in the zero-day market, my guess would be no.
| krisoft wrote:
| The US government is also one of the largest customers of
| ICBM rockets too. And you would find that it is not an
| unregulated field at all.
|
| I don't know about regulations in the field. All I know is
| that "US gov buys a lot of X, therefore X is not
| regulated" is not a convincing argument.
| thr0wawayf00 wrote:
| Fair play. I'm thinking more from the perspective that the
| lack of regulation in the space makes it much easier to
| acquire and hoard zero-days at a government scale, as we
| saw with the Vault 7 leaks. Since the government is
| incentivized to hoard vulnerabilities for intelligence
| gathering, it's hard to see them being so willing to give
| it up.
| lostlogin wrote:
| I'm not sure that regulation really applies much when you
| operate at that level. How many countries has the US waged
| war on with the combatants on both sides using US made
| weapons?
|
| The scene has been set again in Afghanistan. It isn't ICBMs
| but it's not a virtuous circle when you are dealing with
| weaponry.
| lukeschlather wrote:
| Has an ICBM ever been used offensively? I would say ICBMs
| are among the most well-regulated weapons in existence.
| AmericanChopper wrote:
| The government's ability to prevent software distribution
| is limited significantly by the first amendment. Selling "a
| tool for hacking" is fine, selling "a tool for committing
| crime" would be illegal, but that distinction just comes
| down to picking the right marketing copy. The government
| can however restrict the import and export of software
| quite broadly.
|
| This is not legal advice, obviously.
| nobody9999 wrote:
| >The government's ability to prevent software
| distribution is limited significantly by the first
| amendment. Selling "a tool for hacking" is fine, selling
| "a tool for committing crime" would be illegal, but that
| distinction just comes down to picking the right
| marketing copy. The government can however restrict the
| import and export of software quite broadly.
|
| An interesting point. Given the vendor and customers for
| NSO's products, Federal law (in the US) would apply,
| rather than state law.
|
| That said, an interesting parallel would be _possession
| of burglary tools_ [0], which is a crime in many places
| in the US. However, given that "burglary tools" are
| generally just tools (e.g., bolt cutters), intent or
| _mens rea_ [2] becomes important.
|
| Presumably, a similar argument could be made about tools
| like nmap, nc, ettercap, metasploit, etc., since they
| _can_ be used for legitimate purposes, even though they're
| also used for site intrusions/compromises.
|
| NSO's tools, presumably, are _mostly_ used for the latter
| rather than the former. I'm guessing (IANAL) that's one
| of the rationales used to restrict sales/exports.
|
| Is that a convincing argument to criminalize activity and
| saddle it with strict liability[1]? I'm not so sure, but
| I'm also not a DOJ lawyer.
|
| All that said, I don't think it's all just "marketing
| copy." As with most things, context and nuance matter. I
| make no judgement WRT the appropriateness of such
| restrictions, as I'm not in possession of all the facts.
|
| Even so, while I tend toward the free flow of
| information, there is something to the idea that if
| you're caught at the back door of a jewelry store late at
| night with bolt cutters, that implies mens rea much more
| than having bolt cutters in the toolbox in your garage.
| YMMV.
|
| [0] https://codes.findlaw.com/ny/penal-law/pen-sect-140-35.html
|
| [1] https://www.law.cornell.edu/wex/strict_liability
|
| [2] https://www.law.cornell.edu/wex/mens_rea
|
| Edit: Fixed typo.
| AmericanChopper wrote:
| The sales pitch is basically the only thing that can make
| it illegal, because it's illegal to knowingly do anything
| for the purpose of assisting somebody else commit a
| crime. That's why it would be illegal to have a "burglary
| tools" section at a hardware store, even if the only
| difference between that and any other hardware store is
| words on a sign.
|
| Even with regard to restricting imports, the government
| is largely limited to sanctioning particular actors
| involved in the transaction.
|
| I'm really a bit surprised that this isn't more widely
| understood on HN. Anybody who operated a web server in
| the 90s is likely to know about Bernstein vs DoJ, and
| even if you operate one today you're still likely to
| encounter the idea of an "export cipher".
| nobody9999 wrote:
| >The sales pitch is basically the only thing that can
| make it illegal, because it's illegal to knowingly do
| anything for the purpose of assisting somebody else
| commit a crime.
|
| I misunderstood your point. I (mistakenly) thought that
| your reference to "marketing copy" related to the US
| Government's justification of restrictions on tech
| exports, not NSO's sales pitches.
|
| My apologies.
| lazide wrote:
| Well, and the first amendment only matters if someone
| gets it to court, the court accepts it (not easy to get
| against the federal gov't), the evidence or the plaintiff
| doesn't 'disappear' in the meantime, etc.
| AmericanChopper wrote:
| Depends on what kind of court you're talking about. If
| you're talking about civil court, then any software (or
| anything at all really) can be used for committing a
| tort.
|
| If the government tried to ban certain types of software
| from being made/distributed, they would either make a law
| that's never enforced (like the obviously
| unconstitutional DMCA anti-circumvention law), or a law
| that's immediately struck down by the courts.
| mensetmanusman wrote:
| It is marketed to law enforcement like most spy-craft. If it
| gets into the wrong hands what do you do?
| eyeball wrote:
| https://darknetdiaries.com/episode/100/
|
| Interesting podcast on NSO group from darknet diaries.
| fidesomnes wrote:
| Yes. Mostly just ITAR as far as I know back in 2016.
| cronix wrote:
| My understanding is they sell it, after the Israeli gov't
| (Israeli Defense Ministry) vets the sale. It is operated by the
| client. NSO has claimed they do not have any info on targets by
| the purchaser, and has no way to find out post-sale.
|
| https://www.cbsnews.com/news/interview-with-ceo-of-nso-group...
| _jal wrote:
| > NSO has claimed they do not have any info on targets by the
| purchaser, and has no way to find out post-sale.
|
| They've also made other claims that only make sense if they
| do.
|
| https://www.techdirt.com/articles/20210723/22444547234/nso-g...
| ianhawes wrote:
| US DOJ has notably secured convictions against spyware
| authors that simply sold the software. There is no legal
| distinction between "dude in his apartment" versus
| "multinational Israeli defense contractor" in this regard.
| sva_ wrote:
| A German article[0] claimed that only a hash value of the
| telephone number is transmitted to NSO Group:
|
| _> "According to the deputy head of the agency, the BKA has
| ensured that no sensitive data would end up with the company
| NSO. Hash values were assigned for telephone numbers so that
| the company could not identify the targeted persons."_
|
| They claim that this way the NSO Group would not be able to
| identify the victims. Obviously that is a fat lie, as a phone
| number hash could trivially be brute-forced, even on a home
| PC.
|
| From the sounds of it, NSO Group does not give out the
| zero-day exploits, but rather does the dirty work of
| exploiting/infecting the victim themselves, and then hands
| over control. But the writing is pretty vague.
|
| Seeing all these democratic countries, including my home
| country, support this kind of stuff by buying their malware,
| is extremely disheartening to me, when there is clear
| evidence that it is being misused by authoritarian
| governments. It also makes me feel powerless.
|
| [0] https://www.tagesschau.de/investigativ/ndr-wdr/spaeh-softwar...
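The hash-value point above, as an added example that is not from the thread or from any party it mentions: a plain hash of a low-entropy identifier such as a phone number is just a lookup key, since the whole number space can be enumerated and hashed, whereas a keyed hash (HMAC with a secret that stays with the issuing agency) lets the issuer re-identify its own targets while the receiver cannot. The number prefix, the range size, the target number and the function names are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Iterator, Optional

# Constructed demo values: a made-up mobile prefix and a 5-digit subscriber
# part (100,000 candidates), not a real subscriber block.
PREFIX = "+49170"
SUBSCRIBER_DIGITS = 5
TARGET_NUMBER = "+4917042371"  # constructed


def unkeyed_token(number: str) -> str:
    """The scheme the article describes: a bare SHA-256 of the number."""
    return hashlib.sha256(number.encode()).hexdigest()


def keyed_token(number: str, key: bytes) -> str:
    """Defensive alternative: HMAC-SHA256 under a secret held only by the issuer."""
    return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()


def candidates() -> Iterator[str]:
    """Every number in the constructed range, formatted like the target."""
    for n in range(10 ** SUBSCRIBER_DIGITS):
        yield f"{PREFIX}{n:0{SUBSCRIBER_DIGITS}d}"


def recover_from_token(token: str) -> Optional[str]:
    """Enumerate the number space and compare hashes.

    Against an unkeyed token this finds the number in a fraction of a second.
    Against a keyed token it finds nothing, because without the key no
    candidate hashes to the token."""
    for number in candidates():
        if hmac.compare_digest(unkeyed_token(number), token):
            return number
    return None


def issuer_lookup(token: str, key: bytes, own_targets: Iterable[str]) -> Optional[str]:
    """The issuer, who holds the key, maps a returned token back to its own list."""
    for number in own_targets:
        if hmac.compare_digest(keyed_token(number, key), token):
            return number
    return None


if __name__ == "__main__":
    plain = unkeyed_token(TARGET_NUMBER)
    print("unkeyed token recovered as:", recover_from_token(plain))

    key = secrets.token_bytes(32)  # generated and kept by the issuing side
    keyed = keyed_token(TARGET_NUMBER, key)
    print("keyed token recovered without key:", recover_from_token(keyed))
    print("issuer lookup with key:", issuer_lookup(keyed, key, [TARGET_NUMBER]))
```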
| caf wrote:
| Right. If the US can file charges against Assange and
| attempt to have him extradited to face them, it should be
| able to do the same with the NSO Group principals.
| Fnoord wrote:
| If I hire you to shoot someone I am complicit.
|
| So I don't see how a government hiring someone to hack
| someone else is not complicit.
|
| Unless that government branch had the legal right to
| execute that hack. Because if they were legally able to,
| but were unable to themselves, it makes sense to hire
| someone to do the job for them (if that is legal?)
|
| I am quite in awe of how, for example, exploit brokers like
| Zerodium and Thaddeus Grugq are allowed to sell their
| services to oppressive regimes, and get away with it (a
| clear case of morally bankrupt). They are powerful weapons,
| and should be treated as such (export controlled etc).
| perihelions wrote:
| I read that it's export-controlled now in the US,
|
| https://www.theverge.com/2021/10/22/22740155/commerce-depart...
| ( _" New US rules on spyware exports try to limit surveillance
| tech like Pegasus"_)
|
| edit: and HN thread
|
| https://news.ycombinator.com/item?id=28933981 ( _" U.S.
| tightens export controls on items used in surveillance of
| private citizens"_)
| [deleted]
| cronix wrote:
| > (I assume it is illegal in America, but how about Israel?)
|
| This part doesn't matter much in practicality. Like it is
| illegal for the US gov't to spy on their citizens. It is
| illegal for the UK to spy on their citizens. So the NSA made a
| deal with the UK. They spy on us, we spy on them, and exchange
| the info. There, the US didn't break the law and neither did
| the UK. They worked around it.
|
| We live in a shadowy world.
|
| https://www.theguardian.com/world/2013/nov/20/us-uk-secret-d...
| zionic wrote:
| > Like it is illegal for the US gov't to spy on their
| citizens. It is illegal for the UK to spy on their citizens.
| So the NSA made a deal with the UK. They spy on us, we spy on
| them, and exchange the info. There, the US didn't break the
| law and neither did the UK.
|
| Let's not mince words, this is officials of the United States
| of America conspiring with foreign hostile [0] powers to
| undermine the rights and security of the American public.
| It's treason, and an incoming president with the stones
| required could arrest much of the former administration's
| "intelligence community" leadership in midnight raids via the
| insurrection act.
|
| [0] Foreign intelligence services are, by design, hostile
| powers even if they belong to an ally. The UK is an ally, but
| GCHQ is a hostile agency from the perspective of the United
| States public which these agencies supposedly serve.
| input_sh wrote:
| > and an incoming president with the stones required could
| arrest much of the former administration's "intelligence
| community" leadership in midnight raids via the
| insurrection act.
|
| Sure they could, but they won't. No president will, if for
| no other reason than out of fear that the next one from the
| opposite party will do the same to their administration.
| Unless they outright shoot someone in front of witnesses, I
| don't expect this ever to happen, regardless of the level
| of corruption.
| rapind wrote:
| But terrorists! Pedophiles!
| cronix wrote:
| But then we'd have to get into other messy things like the
| US Chairman of the Joint Chiefs of Staff Mark Milley
| bypassing the president's constitutional executive
| authorities ability to launch a nuclear attack. Of course
| it's framed as him saving humanity, but at its core you
| had a treasonous act.
|
| > Chairman of the Joint Chiefs of Staff Mark Milley took
| steps to prevent then-President Donald Trump from misusing
| the country's nuclear arsenal during the last month of his
| presidency, according to a new book by The Washington
| Post's Bob Woodward and Robert Costa obtained by NBC News.
|
| > The book, set to be released Sept. 21, also recounted a
| phone conversation Milley had with House Speaker Nancy
| Pelosi after the Jan. 6 violence at the Capitol, which
| Pelosi blamed on an "unhinged" Trump. Pelosi said in
| January that she spoke to Milley about "preventing an
| unstable president from initiating military hostilities or
| accessing the launch codes and ordering a nuclear strike."
|
| > "I can guarantee you, you can take it to the bank, that
| there'll be, that the nuclear triggers are secure and we're
| not going to do -- we're not going to allow anything crazy,
| illegal, immoral or unethical to happen," Milley told her,
| according to a transcript of the call obtained by the
| authors.
|
| > "The president alone can order the use of nuclear
| weapons. But he doesn't make the decision alone. One person
| can order it, several people have to launch it," he said
| later in the conversation.
|
| > After the call, Milley summoned senior officers from the
| National Military Command Center to go over the procedures
| for launching nuclear weapons, the book said. He told the
| officers that if they got a call, "you do the procedure.
| You do the process. And I'm part of that procedure," he
| said -- making sure he was in the loop on any planned
| military actions, the book said.
|
| https://www.nbcnews.com/news/military/milley-acted-prevent-t...
|
| There is no constitution. Take the politics out of it. This
| is treason.
| will4274 wrote:
| The lines are a bit blurrier here than you might think.
| Soldiers are required to disobey illegal orders. Congress
| declares war. But the President has the right to respond
| militarily in an emergency - war does not wait on
| committees. If Trump had said that e.g. NK had attacked,
| and ordered that NK be nuked, but NK had not actually
| attacked (i.e. there was not actually an emergency), that
| would have been an illegal order, which soldiers would
| have been legally bound to disobey.
|
| It would be treason for Milley to countermand a legal
| order, but asking for key servicemen to review the
| details of an admittedly complicated bit of military law
| and to prepare themselves for exactly what decision they
| might need to make in realtime - nothing illegal about
| that.
| White_Wolf wrote:
| I'm not sure if this counts as spying but in the UK they are
| allowed to monitor people to quite a large extent if I got
| this right. I think refusing to decrypt your device when
| requested is also punishable.
|
| https://www.theverge.com/2016/11/23/13718768/uk-surveillance...
| cesaref wrote:
| Indeed, I don't think the UK government has any problem
| hacking phones if they believe this is required, but it's
| likely to involve disclosure to the courts, and hence in
| some way be accountable.
|
| It's therefore easier to get a friendly government to do
| the hacking and to pass on the discovered info, which side-
| steps any legal accountability.
| xxpor wrote:
| Yeah the whole "unwritten constitution" thing is very
| laughable, if we're honest. At least the US Federal gov has
| to pretend to care about the 4th and 5th amendments.
| FridayoLeary wrote:
| If we're honest, the US is held together by a few pieces
| of paper written by a bunch of men 250 years ago that
| wasn't meant to last 20 years and has since become the
| sparring ground of lawyers who have twisted it beyond
| recognition no doubt.
| bink wrote:
| Hacking is a crime in both Israel and the US. If either
| government wanted to they could pursue charges. Selling
| exploits is not illegal in either country AFAIK, and is in fact
| a booming business.
| lazide wrote:
| Hacking someone in Israel is the crime right? Same as in the
| US it's a crime to hack someone in the US? If the US group
| hacks someone in Israel and the Israeli group hacks someone
| in the US, then they're fine as long as they don't vacation
| in the country while someone is looking to serve them with a
| warrant?
| megous wrote:
| Extraditions are a thing. (in general)
| lazide wrote:
| But also have to meet a relatively high bar
| internationally, and require some evidence gathering to
| meet that bar which is nearly impossible in the
| situations we are describing.
|
| No US law enforcement is going to honor an Israeli
| subpoena I believe, and vice versa.
| kevin_thibedeau wrote:
| > Hacking is a crime in both Israel and the US.
|
| It isn't a crime to exploit your own property.
| runnerup wrote:
| This feels like a much, much better analysis/exposition than Jeff
| Bezos's report via Gavin de Becker.
| catlikesshrimp wrote:
| Why aren't politically exposed persons leaving iPhones? It has been
| known for a while that it is not secure for them.
|
| An Android tablet connecting to wifi hotspots only, or even LAN
| only, with minimal software, and a dumb phone are more secure
| than an iPhone.
| seniorivn wrote:
| No, they are not. A targeted attack by someone who is capable of
| using Pegasus is going to be successful regardless of the consumer
| device you choose to use.
| catlikesshrimp wrote:
| "No they are not?" I deserved more than that.
|
| iPhones are a standardized attack surface. Apple prefers
| vulnerabilities not to be found than to be discovered and
| patched, leading to NSO holding on to their discovered
| vulnerabilities for longer.
|
| An Android device with no modem (baseband) is definitely more
| secure. Throw in a hardware switch for camera, mics, and
| wifi, which iPhones will never have.
| estaseuropano wrote:
| They need an actual functional phone. You can't be a journalist
| and not have a fully functional phone that accesses the internet
| whenever needed. I'm sure they use burners for sensitive stuff,
| but what are they supposed to use for their regular work, calls
| with the school, car navigation, ...
| catlikesshrimp wrote:
| There are portable hotspots, you know....
|
| I am assuming you use a killswitch VPN to your trusted
| network. NYT for this journalist.
|
| My proposed setup is 3 devices: hotspot, Android device
| without baseband, dumbphone. Hotspot would be the weak link
| here, security wise, but is easier and cheaper to replace.
| Nothing on dumbphone would be encrypted.
|
| If I were a journalist, I would consider this alternative to
| being hacked. Remember he even knew there were at least
| attempts to hack his devices, years in advance.
|
| They are just biting the "Apple is the most secure
| alternative" propaganda.
| amerine wrote:
| What!? Your statement is really wrong. Android tablets on
| hotspots only??? What?
| atdt wrote:
| Forget Y Combinator -- come build the next great surveillance
| start-up at the IDF's Unit 8200, the world's greatest hacker
| school and incubator for mass surveillance start-ups. With
| generous subsidies from US taxpayers, Unit 8200 lets you level up
| your surveillance game by practicing on 4.5 million Palestinian
| beta-testers. (Go nuts, it's not like they can sue you!) Plus,
| say goodbye to those moral qualms -- at 8200, you'll acquire the
| unshakeable conviction that you're a Good Guy fighting the Bad
| Guys. When you graduate, the IDF will keep the data you
| collected, but the skills you acquire and the friends you make
| are yours to keep forever.
| [deleted]
| greatjack613 wrote:
| @dang This comment is negative, and doesn't contribute anything
| productive to the conversation. Please remove
| kvathupo wrote:
| Eh, the comment made me google to learn more about Unit 8200.
|
| That said, surely you can agree the removal of comments we
| don't like is undemocratic. Further, no one user is the boss
| of this site's moderators. Here's a relevant article [1]:
| moderators are human too :)
|
| [1] - https://www.newyorker.com/news/letter-from-silicon-valley/th...
| a1369209993 wrote:
| > the IDF's Unit 8200
|
| Motto: "At least we're less evil than Unit 731, right?"
| midasuni wrote:
| 8200 has many alumni including many security products,
| including those protesting about the treatment of Palestinians
|
| This is despite being members of the IDF
|
| https://www.richardsilverstein.com/2014/09/12/israels-nsa-st...
| [deleted]
| vnchr wrote:
| Where do I sign up?
| RNCTX wrote:
| Your local ADL office
| fortran77 wrote:
| Unit 8200 gets no money from U.S. Taxpayers.
| jprd wrote:
| I will presume that this comment was made with forthrightness
| and lack of information rather than attempting to obfuscate a
| fairly obvious funding funnel from the US -> IDF -> 8200.
|
| The US gov't provides billions, yearly, in monetary aid and
| guaranteed loans to Israel specifically for military funding.
| Sure, most of that has earmarks, but that's the way the game
| is played.
|
| This doesn't account for anything in the black budget, which
| as you can imagine, probably includes quite a bit for this
| realm. With Israel currently considered an indispensable
| intelligence partner (and thusly an outsourced R&D partner),
| I find it hard to suspend disbelief enough to accept that
| U.S. taxpayers aren't funding Unit 8200 just because there
| isn't a line item in public budgets.
| fortran77 wrote:
| So you admit this claim is just based on your hunch. This
| makes it a malicious lie.
| appleshaveholes wrote:
| My security researcher buddy at Apple responsible for
| investigating this vulnerability told me that the hack is very
| complex; Apple couldn't even fully figure it out before pushing
| patches; the patches do not fix all the known bugs used in the
| vulnerability; the attackers most likely have access to Apple
| internal source code as well. They are very thankful for Citizen
| Lab without which the bugs wouldn't have been discovered. Also,
| there are likely many more compromised phones out there and Apple
| is kind of scratching their heads on how to fix, or even detect
| it. How do you fix a vulnerability that's secret and that no one
| knows is actively exploited?
| dpratt wrote:
| I am but one atom in a molecule in a drop in an ocean, but I have
| pledged to never be involved in the hiring of any person who has
| had any willing association with any organization responsible for
| efforts similar to Pegasus, with no exceptions. I will also
| immediately resign any job that violates the above as well.
| Trends like this are not to be taken lightly - for the first time
| in human history, the concept of an all encompassing tyrannical
| dystopia is a realistic possibility, and you deceive yourself if
| you think that there aren't very very powerful people that get an
| almost erotic thrill at this possibility. Contributing to the
| advancement and deployment of this technological capability is
| the very definition of a violation of whatever meager ethics our
| profession possesses, and should be taken as essentially a
| credible threat against literally every other living person.
| systemvoltage wrote:
| I can't get behind bifurcation of the job market based on what
| political side you belong to. This seems destructive at best,
| dangerous at worst. It's like the classic Palantir vs Google
| argument.
|
| I won't hire anyone if they show any sort of activism at work.
| dpratt wrote:
| This is not a political argument. If you willingly
| participate in the construction and deployment of
| technological systems that are designed to be used to
| monitor, suppress and ultimately threaten the physical
| security of people who are non-violently opposed to the
| current group of people in power, you have essentially
| declared yourself an enemy of mankind, and I choose to
| personally act accordingly.
| systemvoltage wrote:
| Would you hire a plumber if they worked at an ammunition
| factory before?
| [deleted]
| dpratt wrote:
| This is not a correct analogy. There are multiple
| legitimate and moral usages of ammunition.
|
| A better comparison would be to ask if I would hire
| someone who worked for the East German Stasi, or someone
| who had helped to build the systems used to identify,
| target and kidnap dissidents in mainland China.
|
| Edit: Additionally, no, I would not hire an ammunition
| manufacturer who produced ammunition knowing that the
| entirety of his output was exclusively purchased by a
| government for the exclusive purpose of assassinating
| those who were non-violently opposed to said government.
| dredmorbius wrote:
| Keep in mind that one mechanism for control is to slowly
| suck someone into a scheme over time. I'm sure this has a
| name, or many names, though I'm not aware of it.
|
| A friend had a professor at uni who'd been recruited to
| join a deep-sea scientific mission which was an
| absolutely incredible opportunity: a phenomenally well-
| appointed ship, newly constructed, a large scientific
| crew, and funding was completely assured.
|
| He went on the project, returned home, and read much
| later in the paper that he'd been part of the cover
| mission for the recovery of the sunken Soviet submarine
| K-129, aboard the _Glomar Explorer_. According to the
| professor, he'd had absolutely no inkling of that
| mission.
|
| https://en.wikipedia.org/wiki/Glomar_Explorer
|
| That's one method.
|
| The one used by Saddam Hussein as he executed (so to
| speak) his 1979 coup was rather more direct, and is
| explained here by Christopher Hitchens:
|
| https://youtube.com/watch?v=CR1X3zV6X5Y
|
| During WWII, numerous individuals turned on their own
| countrymen, comrades, and fellow Jews, as Quislings,
| collaborators, and capos, through a mix of threats and
| rewards.
|
| And of course, various paths toward corruption are seen
| all the time in gangs, business, government,
| institutions, and other contexts.
|
| That said, I'd have a very hard time working with anyone
| who is still working for a Facebook, Google, Amazon,
| Oracle, Palantir, AT&T, Verizon, or numerous other firms
| in the surveillance capitalism space today.
| systemvoltage wrote:
| Good point, and the NSO example from OP is definitely
| extreme. But it rings alarm bells for me. It is the year 2025
| and there are two distinct and separate job markets. One
| cannot cross the line because your resume reflects your
| political choice.
|
| This kind of dystopia sucks and I am gonna push back as
| much as I can. OP's tone was definitely about activism
| and I can't stand behind it at all.
|
| Also ammunitions producers have no idea where the
| ammunitions are used. It could be for saving lives in a
| hostage situation or assassination. Don't blame Intel for
| making processors that are then mounted on missiles that
| kill people. This is exactly what's wrong with illiberal
| ideology.
| caf wrote:
| Once the rockets are up
| Who cares where they come down?
| That's not my department
| Says Wernher Von Braun
| throwawayboise wrote:
| Most of what Facebook and Google have developed _could_ be
| used to do these things. In fact it _has_ been used to do
| those things, perhaps with the exception of the physical
| threat. But monitor and suppress? Yes.
|
| Is everyone who worked on this stuff also an enemy of
| mankind?
| dpratt wrote:
| While I find what Google and Facebook do personally
| distasteful, it would be foolish and short-sighted to
| assume everyone who had worked there was complicit. It's
| one thing to be an employee at a giant company that does
| a multitude of things, one of which when misused can
| present a threat, and an entirely different thing to sign
| up to work at a place whose product's _intended use_ is
| to support tyranny.
| Atreiden wrote:
| Preach!
|
| This should not be misconstrued as a partisan issue. Those
| who desire these outcomes will make every attempt to
| conflate it with one political movement or another. They'll
| appeal to auth sensibilities and moral panics.
|
| It must be made clear that these represent efforts by the
| powerful to squash dissent and free society. It is an
| attack on the rest of humankind.
| [deleted]
| newbie789 wrote:
| Is "not wanting to work with surveillance" an example of a
| political opinion from the left, or from the right? It kinda
| just seems like a personal preference.
| systemvoltage wrote:
| Yea I mean how often do you come across a resume that has
| NSO on it.
|
| I am attacking the underlying tone of political activism in
| hiring committees. This seems deeply oppressive to me and
| signals 'internal rot' in corporations.
| Epa095 wrote:
| Do we somehow stop being moral beings when we are at
| work? I thought that whole discussion was settled 65
| years ago. But I notice that you are using the term
| "political activism", so maybe it's rather that you find
| this particular cause not worthy of being a real moral issue;
| it's merely "political activism"? And if so, what causes
| would actually be important enough for you that you would
| consider them relevant for you, even at work?
| dpratt wrote:
| It's entirely apolitical. I view it as entirely identical
| to refusing to hire anyone who had been a chemist at a
| tobacco company.
| ruraljuror wrote:
| Unless I am missing some irony in it, the last sentence
| contradicts the preceding claims. Denying activism is
| activism itself; you are enforcing a reactionary culture.
| systemvoltage wrote:
| It was deliberate and I realize it.
| [deleted]
| FridayoLeary wrote:
| So how do we protect our privacy from the advance of technology?
| It doesn't seem possible. Just going after NSO is useless.
| OminousWeapons wrote:
| It depends on what your threat model is. If its individuals,
| local law enforcement, or even national law enforcement
| (context dependent) you are trying to hide from, you can obtain
| phones with cash and make it very difficult to link them to you
| (use a sim card bought with cash and never give out that
| number, use a VOIP service for your primary number, use an OS
| that doesn't send back much telemetry, turn off location, never
| use the phone near your home, etc).
|
| If your threat model includes targeted attack by a major
| intelligence agency, just accept that you are likely screwed.
| Teichopsia wrote:
| I'm going to go on a tangent if you don't mind.
|
| I was recently asked how to make an anonymous post to a local
| news organization where all they wanted to do was hide their
| IP. I said if their only worry is the news organization then
| a VPN would be enough... Now that I'm reading your comment
| I'm having second thoughts whether it was right.
| dredmorbius wrote:
| Any phone's location and call history will effectively
| identify it.
|
| Location can be determined with sufficient accuracy for this
| purpose from cell-tower connections. More so as 5G, with its
| greater tower density and shorter range, is rolled out.
|
| (An actual 5G threat you can get behind.)
| wolverine876 wrote:
| They specified using a VOIP number, so there are no calls
| associated with the phone by the cellular service provider.
| Wouldn't the attacker need access to both the VOIP service,
| to obtain the IP address, and the cellular provider, to
| link the IP address to a device and obtain the location?
|
| If you add a VPN to the stack, the VOIP service doesn't
| know your IP (though I wonder if a VOIP service would work
| well through a VPN, due to added latency).
| dredmorbius wrote:
| So, now you have two problems.
|
| If you're _making_ VOIP calls over a device that is
| itself connected to mobile networks ... you've still got
| the connectivity of the device itself to track.
| Presumably that's a long-lived relationship. At this
| point the information is limited to _location_ data, but
| that, _at the postal-code level_ is again sufficient to
| identify 90% of individuals within the US, based largely
| on residential and workplace locations.
|
| The notion of having short-lived individually-
| attributable 5G connection history, perhaps through a
| dongle- or tether-swapping system, in which many
| individuals utilise devices for a short period of time,
| might work. With a sufficient budget, disposable devices
| might also be an option. (As the cost of SBCs / SOCs
| falls through $0.10/device, the disposable option might
| be tractable, leaving SIM card provisioning as the
| bottleneck.)
|
| The tether is connected over WiFi (the MAC address space
| is already repetitive, and MAC addresses can be
| arbitrarily changed at the OS kernel level), giving a
| two-stage connection to the actual mobile network itself.
| Frequently-relocating (via a swap) or short-lived /
| previously unknown tethers, as identified through IMEI
| (which is required for mobile connections to work), would
| still be possible, but at a much greater workload. (I'm
| _very_ sketchy on how 5G identifies specific devices, take
| what I'm saying here with a few kilos of salt.)
|
| I'd still have concerns with a VOIP device _that itself
| has access to information and computing capabilities_ ,
| but at least the degree of tracking that's possible over
| a PSTN direct-dialed mobile handset on a 4G/5G network
| would be sharply reduced. Other threat vectors remain.
|
| Burner phones on a one-use / short-use cycle would
| probably be preferable.
| wolverine876 wrote:
| Thanks ... To emphasize a point that you seem to imply,
| the goal of security is to raise the costs of the
| attacker; anything can be defeated, of course.
|
| If by "two problems" you mean that VOIP adds an
| additional problem, I don't quite grok it. It isn't a
| panacea, as you point out, but seems like a clear
| improvement.
|
| Another advantage of VOIP is that you can easily obtain
| throwaway phone numbers.
|
| > If you're making VOIP calls over a device that is
| itself connected to mobile networks ... you've still got
| the connectivity of the device itself to track.
| Presumably that's a long-lived relationship. At this
| point the information is limited to location data, but
| that, at the postal-code level is again sufficient to
| identify 90% of individuals within the US, based largely
| on residential and workplace locations.
|
| Good point. They still don't know who I talk to and when,
| but they certainly can figure out who I am. I wonder how
| expensive the latter is, which I'd guess it depends on
| whether that analysis and the sharing of it is done
| automatically or takes a special request.
|
| > The tether is connected over WiFi
|
| I'm not sure that helps privacy: Wifi networks are likely
| shorter range than 5G cells, and the networks are well
| mapped. I suppose it does require involvement of someone
| with the map, but that might be easy to obtain.
|
| > the MAC address space is already repetitive, and MAC
| addresses can be arbitrarily changed at the OS kernel
| level
|
| I think iOS and Android randomize MAC addresses these
| days?
|
| > Burner phones on a one-use / short-use cycle would
| probably be preferable.
|
| Yes, but a single burner phone, between the hardware and
| a one month plan, can cost $75-100. Using lots of them is
| out of reach for many people.
| dredmorbius wrote:
| The "two problems" is an additional attack surface ---
| the cellular network tether, _which by design and
| function leaks subscriber-linked information without any
| compromise necessary_ , and the VOIP device itself, which
| continues to be susceptible to its own attacks leaking
| information, including contacts, call data, messaging
| data and metadata, email, browser history, and its own
| location history through both WiFi connections and in all
| probability, GPS-based location.
|
| On connecting to the tether over WiFi, the advantages
| over cellular data or Bluetooth is that a WiFi identity
| (MAC address, SSID) can be arbitrarily changed, and in
| fact _are_ in consumer-grade hardware (yes, iOS uses a
| distinct MAC per connected network AFAIU, not positive of
| Android). This could be modified on every network
| connection, or even within a single session (requiring
| periodic reconnects). Other means of specific host
| identification via TCP/IP and 802.11 protocols are
| fairly limited.
|
| On increasing workload, much surveillance is done via
| mass-produced hardware and software, and targets
| frequently-encountered devices (e.g., stock mobile
| phones, iOS, and Android systems). Adopting measures and
| methods _other_ than these ... leaves a signature, but
| also means that specific new surveillance methods need to
| be devised for a specific target.
|
| Also: in case anyone mistakes me for an expert on this
| area, I'm not. I've general familiarity with methods,
| techniques, protocols, devices, and operating systems.
| FridayoLeary wrote:
| What will happen when hiding even small illegal activities
| becomes impossible?
| hedgedoops2 wrote:
| Selective prosecution
| lifeisstillgood wrote:
| This depends on your threat model (what is illegal, who
| chooses to prosecute, etc)
|
| I was driving home today and the satnav warned us about
| driving over the speed limit (74 mph on UK motorway). Ok. But
| the solution to that is technology - and organisation.
| There are speed cameras on this road. But most of the time
| they don't take images or don't trigger an action. If
| _every_ road camera triggered a warning / fine on _every_
| violation then speeding would stop in a few months.
|
| Is that something socially beneficial? Probably. Would it
| be disruptive and cause great anger and political
| resentment? Yes.
|
| That is one tiny example but I think that pretty much every
| criminal act can be _detected_ with technology - it's
| going to become which ones we care enough about to prosecute
| and which we give up and decriminalise?
| wolverine876 wrote:
| The problem is applying those rules to people whom the
| government wants to persecute.
| zizee wrote:
| > which we give up and decriminalise
|
| Or governments will continue to have those laws on the
| books and prosecute them with discretion (which is what
| happens today). It is very convenient for those in power
| when every person is already guilty of something.
| hyperstar wrote:
| Rejecting the smartphone might be a start.
| newbamboo wrote:
| This is the only solution, and one with very minimal
| downside. In fact, within a year society would be so greatly
| improved, we'd look back in horror at the current state of
| affairs and wonder how we'd all gone so mad in the first
| place.
| wolverine876 wrote:
| Many restaurants only provide menus via smartphones. Sporting
| events only accept electronic tickets. How can you reject it,
| practically?
| hyperstar wrote:
| By going to restaurants with proper service (if at all) and
| not going to sporting events.
| wolverine876 wrote:
| Not practical for 99.99% of the population.
| bbarnett wrote:
| I have never eaten in such a restaurant and I eat out a
| lot.
|
| Is this really true where you are? No menus?
| lostmsu wrote:
| This is a COVID trend. They still provide physical copy
| on request.
| wolverine876 wrote:
| Not all, but many restaurants in multiple cities. They
| use QR codes, no doubt to identify you better (tie you to
| a specific place and time, maybe to a specific table).
| Usually I just load the restaurant's website on my phone
| and read the menu that way.
|
| I was also at a play where a QR code was the only way to
| get the program.
| joe_the_user wrote:
| I don't think you can escape the use of the smart phone. But
| treating them as "throw-away", as not your device, etc.
|
| I think the original landlines, which were/are a few switches
| connected to a wire on one side and some microphones on the
| other, were close to inherently insecure. Phones haven't ever
| been "your device" whereas a laptop might, maybe be rendered
| trustworthy.
| throwawayay02 wrote:
| How can you possibly not escape the use of a smartphone?
| bart_spoon wrote:
| Plenty of jobs these days essentially require one, be it
| for communication, authentication, or what have you.
| heavyset_go wrote:
| I recently had to file an insurance claim with my car
| insurer. The entire process happened through their app.
| They require you to send them pictures that you took
| using their app.
|
| One of my banks has been closing branches left and right,
| and if I want to use my accounts for anything other than
| debit purchases, I need to use the app. Some banks even
| charge you when you go to a branch location in person and
| use a teller to access your accounts.
|
| Some jobs require you to install and use apps on your
| phone. Last time I was at a big box retailer, the floor
| staff had the company's app installed on their phones so
| they could do instant price look ups and confirm
| discounts on their store's inventory.
|
| Even just applying for a job requires an internet
| browser, and many people's only access to the internet is
| through their phone.
| travoc wrote:
| Lobby your government to make selling or using cyber
| vulnerabilities by nations an act of war?
|
| Very unlikely given that the US does this as much as anyone. We
| are all potential victims in this new form of warfare.
| wolverine876 wrote:
| > So how do we protect our privacy from the advance of
| technology? It doesn't seem possible. Just going after NSO is
| useless.
|
| Like we do with anything else:
|
| These are crimes, but we are stuck in the mindset of the
| nascent Internet, when it was a growing experiment, a
| subculture in our society, harmless, and we wanted to nurture
| it and give it maximum freedom.
|
| Those days are long gone. The Internet is completely integral
| to our society, like a major city (an extraordinarily large
| one) - in fact, anything not integrated into the Internet is on
| the fringe, like a business without a website. The idea of a
| harmless Internet has been antiquated for a long time; it is a
| serious place of serious money, serious criminals, and serious
| political actors.
|
| Yet we still don't have serious law or law enforcement, not as
| an oppressive force but in the tradition of free, open
| societies. It would be like New York or Tokyo without law or
| law enforcement. We should create in the federal government
| (not state governments, given the Internet's borderless nature)
| a major domestic law enforcement agency, on the scale of the
| FBI, to protect people and enforce laws; I suspect we need a
| major addition to or revision of our legal code to go with it.
| That is how we deal with crime in other parts of society; the
| Internet is no different. We need divisions dealing with theft,
| fraud, destruction of property, invasions (hacking), etc. It's
| long past time to stop applying the antiquated notions to the
| current reality. Why do you accept this Wild West chaos? It no
| longer fuels creativity and growth; it greatly hampers it.
| buildbuildbuild wrote:
| Why a new agency? This is already very much within the FBI's
| jurisdiction. Why is the international surveillance of U.S.
| journalists and their sources not visibly a priority? In my
| opinion it's a matter of policy. This comes from the top
| down.
|
| Bringing justice to international actors opposing democratic
| ethics is regrettably less of a priority today than enforcing
| highly publicized and politicized criminal cases.
| wolverine876 wrote:
| > Why a new agency? This is already very much within the
| FBI's jurisdiction.
|
| Based on an estimate of the design of organizations:
| Sometimes you expand an existing function within an
| organization, sometimes you add a sub-organization (e.g., a
| division), sometimes you create a new organization. Which,
| when, and why? Standard CEO fare. A couple basic
| considerations off the top of my head:
|
| Organizations have priorities. As one example, the story (I
| can't promise perfect details here) is that the US Air
| Force has always had the priority of pilots - it's run by
| pilots, they are glorified - strategic bombers and air
| superiority (air-to-air) fighter planes. Tasked also with
| providing close air support for ground soldiers, drones for
| surveillance, and orbital operations, they don't quite get
| around to those needs: They want bombers and air
| superiority fighters, flown by pilots, so that's what gets
| attention, that's what they invest in researching,
| developing, and buying - F-35's, B-21's, etc. (name a high-
| price uber-tech platform they've built for close air
| support, surveillance, or space). For close air support,
| they insist the F-35 will do it well enough as a secondary
| function, and want to cut other options - 'well enough' is
| not the language of priority. It's a constant battle to get
| them to deliver on these other needs. Partly for that
| reason, the Marines provide their own air support and the
| Army has helicopters - they have different priorities than
| the Air Force - and the US created a separate Space Force.
|
| Organizations also have competencies, which affects the
| expertise of leaders, the acquired deep organizational
| knowledge, the asset investments, the organizational
| structure, and the culture - systems engineers have a
| different culture than movie actors. If the people in the
| executive meeting know storage but not networking, you can
| imagine the results for the networking function. Consider
| recruiting, training, mentoring, and promotion for
| networking personnel. Just consider office locations, which
| will be near the storage talent and facilities, but not
| near the Internet exchange and networking talent hotbed.
|
| The FBI's priority has been terrorism. Catching domestic
| terrorists seems much different than investigating
| cybercrime. The FBI leaders have little expertise in the
| latter; the entire organization is built around the former.
| The agent training and skills needed for cybercrime and
| terrorism seem completely different, the assets needed seem
| completely different (field offices versus high-
| performance, highly secure computing centers). I would
| guess the culture would be very different, with cybercrime
| placing a very high priority on intellectual ability seated
| in a room, not interpersonal skill (interviews, etc.),
| tactical decisions, and physical action around the world.
| My impression is that a different agency, or at least a
| major FBI division that reports directly to the top, is
| needed.
| tremon wrote:
| IIRC, _within the FBI's jurisdiction_ and _international_
| don't go together. Isn't the FBI restricted to operating
| nationally only?
|
| But to answer your question more fully, you can't solve
| this problem without supranational cooperation. A "police
| force" working to safeguard the Internet would have to work
| under authority of the UN, not any single nation.
| wolverine876 wrote:
| The UN isn't a government; it has no real legal authority
| (international 'law' is something different), no law
| enforcement. It has no legitimacy - who elected them?
|
| It's an association of governments, where they get
| together and organize things. All the power is in the
| individual governments. There are some grey areas and
| exceptions, but overwhelmingly the above is the case.
|
| The UN could coordinate cybercrime law and national
| agencies.
| loopback_device wrote:
| There is INTERPOL
| smoldesu wrote:
| Nothing bad has ever come from letting the government control
| more of the internet, right?
| SavantIdiot wrote:
| Hope that White Hats publish? The zero-click exploits have to
| be patched by Apple after they've been exposed. It all depends
| who finds it and when.
|
| Really not much you can do with zero-clicks.
|
| Don't be rich or famous I guess? Or don't use smartphones.
| PeterisP wrote:
| A proper bug bounty program facilitates that, however, it
| seems that Apple has mismanaged theirs to the effect that it
| drives frustrated researchers to not report their findings to
| Apple.
|
| E.g. https://news.ycombinator.com/item?id=28469193 and
| https://news.ycombinator.com/item?id=27564236
| monopoledance wrote:
| Legislation holding companies liable for breaches and leaks,
| which were in their capabilities to prevent. Simple and fair,
| scales well. No downsides.
|
| Sure, not everything is always their fault, but usually it is
| and comes with yoloing from the first line of code, shipping
| alph... proof of concept software, or outsourcing their
| network's security to MS Word. If a breach could ruin a company
| beyond reputation, people may stop storing cleartext
| credentials or testing merely their app's UI at best; if a
| hacker could stop your show, companies may take bug bounty
| programs seriously, and be grateful for disclosures instead of
| filing reports, when someone edit-and-resend'ed on a web API
| and accidentally got a copy of their database.
|
| Today, a breach has zero consequences. Why would you spend a
| shitton of money on security, when marketing's budget isn't
| downright ridiculous yet?
|
| And of course it would be super helpful, if governments would
| stop encouraging insecurity by buying e.g. NSO's products for
| what they do. Always awkward persecuting someone you depend
| on... The NSO's business should be straight illegal, including
| export/import. Since hacking someone without their consent
| usually comes with the ability to tamper with evidence, it's
| really questionable for law enforcement and straight unethical
| for anyone else. Just kill the whole sector IMO.
| smoldesu wrote:
| You can't. It's all marketing fluff at this point, because
| significant enough state actors will see the ~$10,000,000 R&D
| cost for a few iOS/Android zero-days as a drop in the bucket.
| We live in a post-security world, where it's economically
| feasible to develop malware at a pace that outruns Blue Teams.
| We live in a post-privacy world because Apple and Google
| happily pass your data back to world governments in the name of
| stopping terrorism, or whatever the social cause du jour is.
|
| There's no escape really, your only option is to embrace the
| paranoia and learn to love the cat-and-mouse game, or (what
| most people choose) give up. Remember, this is the future you
| voted for when you signed up for Google Drive and bought your
| iPhone. This is the future you willingly supported with each ad
| that YouTube showed you on movie night, and the one you opted-
| into when you noticed you were low on popcorn and got 2-day
| delivery on kernels from Amazon.
| heavyset_go wrote:
| > _We live in a post-privacy world because Apple and Google
| happily pass your data back to world governments in the name
| of stopping terrorism, or whatever the social cause du jour
| is._
|
| To illustrate this point, Apple gives up users' data for
| about 150,000 users/accounts in the US[1] a year in response
| to government data requests.
|
| [1] https://www.apple.com/legal/transparency/us.html
| girvo wrote:
| What can a company do when presented with a legal,
| legitimate warrant? We talk like Apple in this example has
| a choice to say "no": they don't, though.
| heavyset_go wrote:
| Apple gives up customers' data when presented with simple
| data _requests_. Not all of the data they gave up was in
| response to subpoenas or warrants. Most tech companies
| have portals for law enforcement to simply ask, without a
| warrant, for users' data, and the companies often
| voluntarily share the requested data without any coercion
| from courts.
|
| Yes, Apple is no different than any other tech company in
| that regard. The difference is that Apple's PR tells you
| otherwise. The whole San Bernardino shooting case had
| many people on HN saying that it meant that Apple would
| refuse to work with law enforcement when law enforcement
| would ask for users' data, even to the point of
| challenging subpoenas and warrants in court. That is
| clearly not the case.
| leppr wrote:
| The company shouldn't have your plaintext data in the
| first place.
| tyrfing wrote:
| By valuing it. Apple's annual revenue is more than the entire
| government budget of Saudi Arabia. That's a pretty meaningless
| comparison, but certainly gives an idea of the scale. There's
| asymmetry in security, but only one side is trying right now.
| intsar10 wrote:
| Edward Snowden still hasn't withdrawn his allegation that the NSA
| routinely hacks allies' phones - most notably, Angela Merkel's.
| 1cvmask wrote:
| It would seem to be the rational thing for NSO to hack a
| journalist who is writing on them, so that they better prepare
| for what's coming. As for all the countries that buy and use NSO,
| to target and kill journalists, they are all close allies of
| the US and Israel.
|
| And the US and England were also spying on the journalist Julian
| Assange, and have kept him in prison and tortured him for over a
| decade. Ben Hubbard luckily just got hacked.
| chinathrow wrote:
| Rational? Maybe.
|
| Ethical? No.
|
| Legitimate? Hell no.
| nix23 wrote:
| Fun fact, the CIA had/has a rule not to impersonate priests
| etc., journalists or personnel of NGOs in undercover missions
| (because they have a hard life in some countries already).
|
| But then there is that excellent movie Spy Game....
| pessimizer wrote:
| Sadly, they didn't have any such rule about impersonating
| healthcare workers or weapons inspectors, making vaccine
| outreach an extremely dangerous occupation for charities
| and making treaties that rely on inspections extremely
| difficult.
| 1cvmask wrote:
| In fact the CIA uses all the above you mentioned ranging
| from priests, charities, NGOs, humanitarian outfits,
| journalists and the media as fronts and covers for their
| spying. It is documented multiple times over decades. The
| CIA even has its own official NGO called the National
| Endowment for Democracy.
|
| My favorite is the US AID CIA spy who goes into Afghanistan
| in the 1980s that is profiled in Charlie Wilson's war. Or
| the fake vaccination program they conducted with
| "humanitarian" NGOs and charities:
|
| https://www.scientificamerican.com/article/how-cia-fake-
| vacc...
|
| My favorite CIA journalists are the ones who worked for CBS
| and other publications and were involved in promoting
| Modern Art around the world with NGOs like MoMA, the
| Rockefeller and Ford Foundations:
|
| https://news.artnet.com/art-world/artcurious-cia-art-
| excerpt...
|
| https://daily.jstor.org/was-modern-art-really-a-cia-psy-op/
|
| https://www.bbc.com/culture/article/20161004-was-modern-
| art-...
|
| https://www.independent.co.uk/news/world/modern-art-was-
| cia-...
|
| https://www.amazon.com/Cultural-Cold-War-World-
| Letters/dp/15...
|
| https://www.amazon.com/ArtCurious-Unexpected-Slightly-
| Strang...
|
| There is a humorous scene in Men In Black where they refer
| to Andy Warhol as a CIA spy.
| nuclearnice1 wrote:
| The CIA reportedly used the "Save the Children" charity as
| a front for a fake hepatitis B vaccination program in
| Pakistan to help confirm Bin Laden's location.
|
| A ban on the polio vaccination program in some Taliban
| territory and attacks on vaccine workers followed.
| nix23 wrote:
| Hint: in Spy Game, having Brad Pitt play a journalist who is
| an active CIA agent was no mistake.
| gerdesj wrote:
| "And the US and England"
|
| When you are doing the information from the inside thing, you
| do need to get your players in line.
|
| England?
|
| I'm English ... and Welsh, Cornish, Scottish and tangentially
| Irish, not to mention German (check my username).
|
| The country is called Britain; the Great thing is only to
| distinguish it from the other Britain - Brittany (part of France).
| You might as well call everyone from the USA Texans.
|
| Julian Assange spent rather a long time here:
| https://www.google.co.uk/maps/@51.4992504,-0.1614713,3a,75y,...
|
| He was not tortured in the embassy - he was a guest who
| gradually outstayed his welcome. He was always treated well. As
| you can see Harrods is just to the right. This is not the
| roughest place to be a prisoner in Christendom.
|
| Whilst he was in there, there were always several Police
| stationed nearby. They stood in doorways and kept watch.
| Probably a boring job but nice and simple. The whole thing
| basically cost the UK tax payer a fair old wodge and
| obviously Ecuador too.
|
| I know that area and what goes on because I run internets for
| some flats nearby.
| cyberpunk wrote:
| > I'm English ... and Welsh, Cornish, Scottish and
| tangentially Irish, not to mention German (check my
| username).
|
| Sorry, but this is absolutely nonsensical to me, how can you
| be all these nationalities? Were you born on the most insane
| round trip flight ever or what?
|
| Edit: And sorry, as a Scot (One actually born there); 'the
| country' is not called 'Great Britain'. As a nationality we
| group identify as both $member-country and also
| British/members of the United Kingdom. The UK itself is made
| up of four separate countries: Scotland, England, Wales and
| Northern Ireland. Great Britain is simply our name for 'the
| big island (and all the little ones) excluding Ireland'; the
| UK is the big island + NI. Holy cow, where did you learn such
| nonsense? :/
| gerdesj wrote:
| We are called Great Britain because that is what James VI
| (I in England) called us when Scotland and England finally
| merged into Great Britain. He was our first joint King.
|
| The other Britain is Brittany -
| https://en.wikipedia.org/wiki/Brittany. Have a look at the
| county names in Brittany and see if they look suspiciously
| like Devon and Cornwall.
|
| My family/surname is Gerdes. In Scotland, that is rendered
| as Girders. Only you can pronounce it properly 8)
| cyberpunk wrote:
| Sorry but: https://en.wikipedia.org/wiki/Great_Britain GB
| is the island. It has fuck all to do with France.
|
| Edit: sigh, okay, you are a little bit right, but besides
| of course the settling after the whole Gallic period, and
| the Britons, the Normans, and the Saxons -- please,
| forget all that; we are talking about the term GB right
| now and this only refers to the island.
| gerdesj wrote:
| My (properly) researched family tree is 15 generations deep
| for me personally, so far.
|
| My uncle has done quite a lot of research. Quite a lot. At
| the extreme 15 gens down, you get this in your Ahnentafel:
|
| "26921. Alice15 John (14829). Her married name was
| Trelowarth (14829). She was born circa 1550. She married
| Robert Trelowarth (14828) on 3 Oct 1574 at Wendron,
| Cornwall, UK. She died circa 1603 at Wendron, Cornwall,
| UK."
| cyberpunk wrote:
| Oh, you're American? I'm pretty sure 15 generations ago I
| was probably Danish but that doesn't make me one of
| them... I kind of understand the need to identify as someone
| more interesting though, I suppose. Perhaps you should
| just own who you are instead of pretending though, my
| friend; maybe look into some meditation or such..
|
| Edit: Apologies, I see you say you are British, however
| I've never met a British person who would ever identify
| as coming from more than one of our member countries. An
| Englishman calling himself Welsh? A Scot calling himself
| English? I mean.. I find it unlikely somehow.. But, hey
| ho, I'm often wrong and presumably this was one of those
| occasions. No offence intended.
| gerdesj wrote:
| Piss off, I'm British.
| [deleted]
| simlevesque wrote:
| So, any end justifies every means?
| geofft wrote:
| I don't think the comment you're replying to is talking about
| justification or justice, just rationality.
|
| If I say "Your bike lock doesn't have to be unbreakable, it
| just has to be strong enough that a rational thief will look
| for another target," that doesn't mean I think the thief is
| justified in stealing other people's bikes instead of yours.
| billiam wrote:
| There is no point to saying it is rational for NSO (or the
| Saudis) to act this way. It was quite rational for MBS to
| order his minions to lure Khashoggi to the embassy and cut
| him into pieces. It brings nothing to the discussion of
| just how this company and its clients continue to ignore
| laws and decency.
| pessimizer wrote:
| > It brings nothing to the discussion of just how this
| company and its clients continue to ignore laws and
| decency.
|
| This is not worth discussing, it's a factual observation.
| Are we supposed to compete for who can make the most
| indignant face?
| midasuni wrote:
| He was arrested in 2019 so your "over a decade" claim is
| demonstrably wrong. Could you point to Amnesty International
| claiming Belmarsh is torture?
| mjsir911 wrote:
| I mean, it's not amnesty international, but a UN Special
| Rapporteur on Torture claimed:
|
| "Mr. Assange has been deliberately exposed, for a period of
| several years, to progressively severe forms of cruel,
| inhuman or degrading treatment or punishment, the cumulative
| effects of which can only be described as psychological
| torture."
|
| https://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?N.
| ..
| 1cvmask wrote:
| Amnesty International is a mouthpiece for the UK/US
| governments on so many subjects including Syria and Chevron.
| They even famously withdrew their "support" for Steven
| Donziger, who was prosecuted by Chevron for exposing their
| environmental damages in Latin America.
|
| It is a tainted and biased source. Use it as a source at your
| own peril.
| nix23 wrote:
| Is the UN supported by Chevron too?
| 1cvmask wrote:
| The corporate prosecution of Steven Donziger by Chevron
| is in the US. The UN is not the one prosecuting him.
|
| https://en.wikipedia.org/wiki/Steven_Donziger
| stareatgoats wrote:
| His confinement to the Embassy of Ecuador since 2010 amply
| qualifies as both imprisonment and torture [0]. If you like to
| argue that it does not _literally_ qualify then I suggest you
| don't, in the interest of not wasting everybody's time.
|
| [0] https://www.bbc.com/news/world-48473898
| nobody9999 wrote:
| >His confinement to the Embassy of Ecuador since 2010
|
| Assange, as a bail jumper and fugitive, requested and
| received asylum from Ecuador.
|
| He could have, at any time, left the Ecuadorian embassy. In
| fact, had he done so, he'd likely have been investigated,
| prosecuted and _potentially_ convicted of the charges
| against him.
|
| Had that come to pass, it's entirely likely that Assange
| would have completed any sentence of incarceration years
| ago and have been back to banging Swedish girls for quite a
| while.
|
| As we'll see, Assange _might_ be convicted of violating the
| Computer Fraud and Abuse Act[0] which, under these specific
| circumstances (n.b.: IANAL) would carry a sentence of not
| more than five years, with the opportunity to reduce that
| sentence[1] by more than six months, assuming he is not
| given parole.
|
| As to the completely bogus "charges" of violating the
| Espionage Act of 1917[2], no _journalist_ has _ever_ been
| convicted under that law.
|
| As such, had Assange not decided for himself to jump bail
| and become a fugitive, he would most likely have been a
| free man for at least several years right now.
|
| [0] https://www.law.cornell.edu/uscode/text/18/1030
|
| [1] https://www.carmichaellegal.com/federal-sentencing-
| reduction...
|
| [2] https://en.wikipedia.org/wiki/Espionage_Act_of_1917
|
| Edit: Fixed typo. I need to do better proofreading before I
| post. :(
| ChrisKnott wrote:
| Nils Melzer dismissed the fact that he was free to leave by
| making the analogy that someone in shark tank is "free to
| leave" their boat - but what is the analogy to being eaten
| by sharks here? Just the normal experience of being in
| prison in the UK? Is it the position of the UN that every
| person in prison in the UK is being "tortured"?
| patrec wrote:
| > but what is the analogy to being eaten by sharks here?
|
| https://www.theguardian.com/media/2021/sep/27/senior-cia-
| off...
| Angostura wrote:
| I'll take that argument on - he was charged by the Swedish
| Prosecution Authority, extradition was agreed by the UK
| authorities and he sought sanctuary in the Ecuadorian
| embassy, which granted him sanctuary.
|
| So which of these imprisoned him? Presumably not Ecuador.
| The UK for agreeing to extradite him? Sweden? Similarly,
| who was the perpetrator of the torture? Ecuador for
| not offering sufficiently spacious accommodation in the
| embassy?
| throwawayay02 wrote:
| The US as I'm sure you are not that naive.
| varjag wrote:
| By making these ridiculous comparisons you only erase
| experiences of real torture victims.
| allemagne wrote:
| Are we not ignoring the fact that any internet argument
| regarding Julian Assange where we can seemingly only deal
| in maximalist, black-and-white terms is also tantamount to
| torture?
| iso1210 wrote:
| He literally chose to be there - skipping bail to do so.
|
| It's like saying that a criminal on the run hiding out in
| the woods is being tortured.
| wolverine876 wrote:
| > the US and England were also spying on the journalist Julian
| Assange, and have kept him in prison and tortured him for over
| a decade. Ben Hubbard luckily just got hacked.
|
| As you probably know, these assertions are a big stretch for
| many people. Not everyone considers Assange a journalist. He
| was living in an embassy for most of those years, so while he
| was confined, it's not a prison and not torture. Hubbard isn't
| lucky; neither the US nor the UK has ever imprisoned and tortured
| a journalist from a major publication (unless I'm overlooking
| someone). There may be legitimate debate about Assange, but
| it's not credible to pretend that these are facts.
| Ansil849 wrote:
| > neither the US nor the UK has ever imprisoned and tortured a
| journalist from a major publication (unless I'm overlooking
| someone).
|
| This was in the news just last month:
| https://www.thetimes.co.uk/article/soldiers-burst-in-the-
| bac...
|
| > A Belfast-born writer who has been a consistent critic of
| IRA violence has revealed how the British Army subjected him
| to electric shock torture outside his family home in the
| early years of the Northern Ireland conflict.
|
| > Journalist turned novelist Malachi O'Doherty describes in a
| new memoir how soldiers first threatened to shoot him, then
| dragged him through a hedge, kicked him and eventually
| resorted to inflicting electric shocks to try to extract
| information about the local IRA.
| wolverine876 wrote:
| Thanks, great point. I think there's a distinction between
| peaceful open society - they wouldn't do it to a Guardian
| or Times journalist today in London - and a military
| occupation (Northern Ireland), but I'm not sure it's such a
| bright line: The government created that occupation
| (whatever its merits, I'm not debating them here) and could
| create another.
| tgsovlerkhgsel wrote:
| I really hope the blur on the picture (https://citizenlab.ca/wp-
| content/uploads/2021/10/Hubbard-Ima...) isn't hiding anything
| actually important because that can almost certainly be de-
| blurred with the right tooling.
| boppo1 wrote:
| Really? Seems blurred enough to me that even some sort of ML
| would spit out wrong characters.
| generalizations wrote:
| Known font, known range of possible characters (almost
| certainly ascii), and probably several blurred characters in
| there that we know (like the t in attachment). If the blur is
| differentiable per-character, it's probably reversible.
| derac wrote:
| You don't need ml. If you know the font and blurring
| algorithm (or a close approximation), you blur all letters of
| the font at that size and compare output.
| birdyrooster wrote:
| Not at all, I can already make out the characters and
| recognized quickly that all but the last 4 blurred characters
| are hexadecimal and the last appear to be [a-z][A-Z].
| peanut_worm wrote:
| Man, why do people even take the gamble of using a blur? Just
| use an opaque box.
| smoldesu wrote:
| A certain subset of hackers have had a Gaussian-blur fetish
| for half a decade now, at least.
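The point derac and peanut_worm make above, as an added toy example in Python (not code from the thread, Citizen Lab, or the NYT): a redaction is only safe if its output does not depend on what it hides. The check below renders three constructed 5x5 glyph bitmaps, redacts each with a box blur and with an opaque box, and reports whether distinct inputs still produce distinct outputs. The glyph "font" and the blur radius are constructed for illustration; a real screenshot leaks for the same reason, just with more pixels.

```python
"""
Redaction leak check: does the redacted region still depend on the text?

Added example, not from the thread or the Citizen Lab report. The glyphs
below are a constructed 5x5 toy font; the blur is a simple box filter.
"""
from typing import Callable, Dict, List

Bitmap = List[List[float]]

# Constructed toy "font": three glyphs as 5x5 binary bitmaps (1 = ink).
FONT: Dict[str, Bitmap] = {
    "I": [[0, 0, 1, 0, 0]] * 5,
    "L": [[1, 0, 0, 0, 0]] * 4 + [[1, 1, 1, 1, 1]],
    "T": [[1, 1, 1, 1, 1]] + [[0, 0, 1, 0, 0]] * 4,
}


def box_blur(img: Bitmap, radius: int = 1) -> Bitmap:
    """Average each pixel over a (2*radius+1)^2 window, clipped at edges."""
    h, w = len(img), len(img[0])
    out: Bitmap = []
    for y in range(h):
        row = []
        for x in range(w):
            acc, n = 0.0, 0
            for dy in range(-radius, radius + 1):
                for dx in range(-radius, radius + 1):
                    yy, xx = y + dy, x + dx
                    if 0 <= yy < h and 0 <= xx < w:
                        acc += img[yy][xx]
                        n += 1
            row.append(round(acc / n, 6))
        out.append(row)
    return out


def redact_blur(img: Bitmap, radius: int = 1) -> Bitmap:
    """The weak method: blur the region. Ink distribution survives."""
    return box_blur(img, radius)


def redact_opaque(img: Bitmap) -> Bitmap:
    """The safe method: overwrite the region with a solid block."""
    h, w = len(img), len(img[0])
    return [[1.0] * w for _ in range(h)]


def leaks_content(redact: Callable[[Bitmap], Bitmap],
                  font: Dict[str, Bitmap] = FONT) -> bool:
    """True if any two hidden glyphs yield different redacted output.

    If the output varies with the input, someone who knows the font and
    the filter can tell the glyphs apart; that is the leak to avoid.
    """
    outputs = [redact(bm) for bm in font.values()]
    return any(o != outputs[0] for o in outputs[1:])


def leaking_radii(max_radius: int = 4,
                  font: Dict[str, Bitmap] = FONT) -> List[int]:
    """Blur radii (1..max_radius) at which the toy glyphs stay distinct."""
    return [r for r in range(1, max_radius + 1)
            if leaks_content(lambda bm, r=r: redact_blur(bm, r), font)]


if __name__ == "__main__":
    print("blur leaks:  ", leaks_content(redact_blur))
    print("opaque leaks:", leaks_content(redact_opaque))
    print("leaking radii:", leaking_radii())
```

Even a blur wider than the glyph itself leaks here, because glyphs with different ink counts average to different values; only the opaque box is content-independent. The practical rule this encodes: test a redaction by redacting two different secrets and diffing the results, not by eyeballing whether it "looks unreadable."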
___________________________________________________________________
(page generated 2021-10-24 23:00 UTC)