[HN Gopher] Apple sues NSO Group to curb the abuse of state-spon...
___________________________________________________________________
Apple sues NSO Group to curb the abuse of state-sponsored spyware
Author : todsacerdoti
Score : 578 points
Date : 2021-11-23 18:04 UTC (4 hours ago)
(HTM) web link (www.apple.com)
(TXT) w3m dump (www.apple.com)
| Adamantisa wrote:
| Court has no jurisdiction over NSO. At most, it was foreign
| international persons who accepted iCloud's terms and conditions.
| They'd have to identify them, prove that they are linked to NSO,
| and in fact acting on behalf of NSO in their official capacity.
| And even after that, they'd just not travel under their real
| names, or even not travel at all, and that's that.
| hfern wrote:
| What other goodies will they find during discovery?
|
| Hopefully the public can get snippets like in Epic Games v.
| Apple.
| nazgulsenpai wrote:
| Isn't NSO Group an Israeli firm with close ties to government?
| I strongly doubt anything will come of this.
| simion314 wrote:
| Can an upset judge decide to put the NSO leaders and
| employees on a terrorist list? They could argue it was an
| attack on national security if they can show some important
| person from US would have been hacked by a foreign
| government.
|
| Then if EU could put the same guys also on the list maybe
| there would be some effects.
| JumpCrisscross wrote:
| > _Can an upset judge decide to put the NSO leaders and
| employees on a terrorist list?_
|
| They can hold them in contempt, which leads to arrest
| warrants. Default judgements can then enable the creditor,
| in this case Apple, to start seizing assets. But TL;DR no,
| a judge can't put someone on a terrorist list; that's a
| national security and thus executive function.
| monocasa wrote:
| > Can an upset judge decide to put the NSO leaders and
| employees on a terrorist list?
|
| For not replying to an EULA suit? I sure hope not, as much
| as I'd like to see NSO nailed to the wall.
| Dma54rhs wrote:
| At least one of the founders can be found from American
| homesoil NYC but we know very well nothing will come out of
| it because of the Israeli love story Americans have.
| nazgulsenpai wrote:
| I'm talking about the discovery process. Will we learn
| anything we don't know already if NSO isn't required to
| cooperate? Probably not.
| corin_ wrote:
| A piece of advice I was given once and try to remember to
| follow is to, when commenting online, think "does this
| comment seem wrong if read out of context".
|
| For example you wouldn't have had to come back to explain
| the context of your comment if your "I strongly doubt
| anything will come of this." had ended with "..come of
| this in discovery."
| monocasa wrote:
| I'm imagining just a screen shot of a middle finger in
| response to discovery requests.
| rodgerd wrote:
| NSO have started threatening to release dirt on Israeli
| politicians because they are unhappy that the Israeli
| government isn't covering for them.
| LegitShady wrote:
| Source? My thought is if you tried this in Israel the
| actual intelligence apparatus would have you picked up
| pretty quickly and in a dark hole for as long as they
| wanted.
| monocasa wrote:
| Where did they sue NSO group? If it's a US suit, I don't see that
| meaning much. Why wouldn't NSO just ignore it in that case?
| [deleted]
| kingcharles wrote:
| "Venue", meaning where the suit may take place, is a
| complicated legal beast. Apple is in the US. NSO Group agreed
| to certain T+Cs when they opened their fake iCloud accounts.
| That T+C probably says you agreed to be sued in California.
| CubsFan1060 wrote:
| The pdf was literally right in the link:
| https://www.apple.com/newsroom/pdfs/Apple_v_NSO_Complaint_11...
|
| UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA
| SAN JOSE DIVISION
| [deleted]
| 0des wrote:
| A portion of the community only reads the headlines and forms
| their opinion based on that alone, I'm not saying it's right,
| I'm just trying to add some context to what appears to be
| your incredulity at the parent commenter's question.
| monocasa wrote:
| I read the whole article, but didn't read the entirety of
| the separate element that first contained the link to the
| article as printer friendly text.
|
| There's a pretty big UX failure to stick important content
| there.
| [deleted]
| kingcharles wrote:
| I read the whole article and then came here to ask if anyone
| knew the court and case number. Now I feel stupid.
| kingcharles wrote:
| It's not live on PACER yet sadly so I can't get a case
| number.
| mataug wrote:
| Could the company and its executives be sanctioned based
| on this court case?
| JumpCrisscross wrote:
| > _Could the company and its executives be sanctioned
| based on this court case_
|
| It already has been [1].
|
| [1] https://www.commerce.gov/news/press-releases/2021/11/commerc...
| monocasa wrote:
| Under what law?
| JumpCrisscross wrote:
| > _Under what law?_
|
| NSO used Apple's services, thereby agreeing to U.S.
| jurisdiction. (It also deals in dollars and has customers
| in America.) If it ignores U.S. courts, it would be held in
| contempt at the very least. That enables the Feds to start
| freezing and confiscating assets, possibly even issuing
| arrest warrants. That happens domestically first and
| through treaties second.
|
| Given how much bad blood NSO has generated for itself in
| D.C., it would be more surprising if this didn't get
| escalated to a diplomatic level.
| monocasa wrote:
| There's no way it hasn't been escalated to a diplomatic
| level already, that's probably the biggest impediment to
| the suit doing anything. Both NSO's host country and
| client base get an incredible amount of protection from
| the state department.
| JumpCrisscross wrote:
| This doesn't take into account recent events, _e.g._ the
| U.S. sanctioning NSO after their dealings in India and
| with American police departments was confirmed.
|
| In any case, this is a civil suit in federal courts. Even
| if State wanted to intervene, it would have to do so
| through informal channels.
| monocasa wrote:
| Their website is still up, posting news, hosted on AWS on
| one of the us-west AZs.
|
| The US is going at them with less vigor than a
| whack-a-mole torrent site du jour.
|
| > In any case, this is a civil suit in federal courts.
| Even if State wanted to intervene, it would have to do so
| through informal channels.
|
| But didn't we just agree that the federal court system is
| pretty toothless here without the support of the state
| department?
| freejazz wrote:
| The federal court could only ever do what a federal court
| could do which is levy sanctions or judgments against NSO
| property.
| monocasa wrote:
| Against US based NSO property, practically speaking.
| freejazz wrote:
| "That enables the Feds to start freezing and confiscating
| assets, possibly even issuing arrest warrants. That
| happens domestically first and through treaties second."
|
| It's a civil case.
| mataug wrote:
| Lobbying and political pressure with the result of this
| case being used as a tool?
| monocasa wrote:
| More lobbying and political pressure than the Israeli
| government already exudes over the US? And NSO's clients
| too? Not likely.
| JumpCrisscross wrote:
| > _More lobbying and political pressure than the Israeli
| government already exudes over the US?_
|
| NSO is already on the Entity List, a part of the U.S.
| sanctions regime. This has been amply discussed, but
| TL;DR they lost their friends in Washington.
| monocasa wrote:
| Did it affect them?
| JumpCrisscross wrote:
| > _Did it affect them?_
|
| Anecdotally, yes. They lost their U.S. customer base. And
| bank and securities firms are closing their and their
| employees' accounts.
| FridayoLeary wrote:
| Apple sues NSO Group to curb the abuse of state-sponsored spyware
|
| I'm quite cynical about this press release. The key point in the
| title is that Apple are cool with state-sponsored spyware, it's
| just _abuse_ of it that bothers them. Also why did they wait so
| long to file this. I don't think it's because they lacked
| evidence until now. Perhaps they think such a lawsuit is now
| expected of them otherwise they will lose face, and that they
| have the general backing of the public now. I remember some
| months ago showed that Apple already had grounds to sue for
| copyright infringement. Either way, Apple is stepping into a
| political minefield. Buy popcorn and expect fireworks. Big ones.
| rStar wrote:
| apple makes their own hardware and software. our devices are
| insecure by apple's choice. making this "statement" and "lawsuit"
| utter farce.
| einpoklum wrote:
| *Apple VP of SW Engineering: "Apple devices are the most secure
| consumer hardware on the market"*
|
| ... except for how Apple sends a copy of all of your data that
| passes through their servers to the NSA. No, I'm not espousing a
| conspiracy theory, this has been brought to light by Edward
| Snowden's revelations. Now, we don't know how much of the data on
| Apple phones gets sent to Apple's servers, so it's not literally
| everything on your phone, but at least everything that's backed
| up remotely, and possibly more.
|
| So, pot calling the kettle black.
|
| ---
|
| *"to curb the abuse of state-sponsored spyware"*
|
| Note that Apple is not saying "to prevent", only "to curb". But
| even worse than that, they're saying "curb abuse", not "curb
| use", as though that type of state spying is not inherently
| abusive.
|
| ---
|
| *"State-sponsored actors like the NSO Group spend millions of
| dollars on sophisticated surveillance technologies without
| effective accountability. That needs to change,"*
|
| Apple has a larger R&D budget than most world states. In fact,
| Apple themselves probably spend more money on sophisticated
| surveillance technologies than half the world's states combined.
| Certainly if we count things like dynamic image analysis from all
| those cameras on phones and cars and such. Why is it an
| unaccountable foreign corporation better than a government?
| They're both pretty bad.
| gbajson wrote:
| "We have no clue how our software works, so we will sue you".
|
| It's a disaster from any point of view. Also ineffective.
|
| They could easily designate not 10M, but 100M for bug bounties
| and simply solve their problems.
| 14 wrote:
| What about Apple's own spyware they were going to force on users
| to scan for CSAM did they ever make a final decision on what they
| were going to do with that? Update to iOS 15 is what they
| recommend but then it is Apple spying on you not some foreign
| companies. I don't want either.
| strict9 wrote:
| It is great to see this happen.
|
| It's also fascinating that the crux of Apple's case against
| NSO hinges on NSO engineers that accepted iCloud's terms and
| conditions.
|
| From related NYT article:
|
| > _The sample of Pegasus gave Apple a forensic understanding of
| how Pegasus worked. The company found that NSO's engineers had
| created more than 100 fake Apple IDs to carry out their attacks.
| In the process of creating those accounts, NSO's engineers would
| have had to agree to Apple's iCloud Terms and Conditions, which
| expressly require that iCloud users' engagement with Apple "be
| governed by the laws of the state of California."
|
| The clause helped Apple bring its lawsuit against NSO in the
| Northern District of California._
|
| https://www.nytimes.com/2021/11/23/technology/apple-nso-grou...
| fragmede wrote:
| Is it great? The lawsuit is Apple trying to enforce the iCloud
| EULA to stop reverse engineering. While NSO Group created
| hacking tools, and then did some questionable things with them,
| do we really want those inane licenses no one reads, and
| everyone scrolls down to hit [agree]; do we really want them to
| be legally binding? Put another way, if it was someone HN _liked_,
| would we still say this is actually good? Because compared to
| the corporation known as Apple, NSO Group and its parent
| corporation are still "a little guy", and this move really
| doesn't seem like a good thing. Not for hackers in the HN
| definition for hackers, ie highly motivated tinkerers.
|
| This community features not just fans of reverse engineering,
| but a number of practitioners, eg the popular Nvidia TSEC key
| extraction that was featured recently[0]. The defendant's
| actions make them an easy target, but, like the ACLU protecting
| the civil rights of murderers, because we still live in a
| nation of laws, I don't see this as great. This is a
| continuation of Apple's continued use of lawsuits to silence
| any challenges to their marketing of being the secure computer
| choice (eg Apple suing Corellium[1]) rather than their products
| _actually_ being secure.
|
| [0] https://news.ycombinator.com/item?id=29315378
| [1] https://news.ycombinator.com/item?id=28219278
| JohnFen wrote:
| > While NSO Group created hacking tools, and then did some
| questionable things with them
|
| Wow, that's some serious softballing there. At a minimum, The
| NSO Group knowingly facilitates criminal activity. They
| shouldn't be treated as if they were a legitimate
| organization.
| matheusmoreira wrote:
| > do we really want those inane licenses no one reads, and
| everyone scrolls down to hit [agree]; do we really want them
| to be legally binding?
|
| In this case the contract was made between two businesses.
| Consumers deserve protection because they are naturally
| disadvantaged. Companies with fully staffed legal departments
| really have no excuse.
| 2OEH8eoCRo0 wrote:
| A court can decide. Apple and many others have been harmed by
| this so it makes sense that somebody should be able to sue.
| dylan604 wrote:
| It seems many laws are written in the hopes everyone just
| agrees, but secretly hoping it is never challenged in
| court. The easiest hurdle put in place is standing in legal
| terms. That's one bit I have trouble with how laws are
| challenged is that if a bad law is enacted, it should be
| able to be challenged immediately through courts to knock
| it back vs having to wait for the first person to be
| directly affected by the law to also have the means to
| mount the legal challenge.
| acdha wrote:
| It's not just the iCloud terms of service, though -- they're
| using that to strengthen the case that NSO agreed to the
| jurisdiction of California courts but they're relying on the
| CFAA and especially the claim that the access to the users'
| device was not authorized by that user.
|
| It would be really interesting to see what precedent comes
| out of this case and especially how that would affect a
| future case where Apple claims a violation of their terms of
| service but the user fully consented to that use.
| xxpor wrote:
| >they're relying on the CFAA and especially the claim that
| the access to the users' device was not authorized by that
| user.
|
| What's their theory of standing to sue over damage to their
| customers?
|
| Edit: the main point is this (from the CFAA count):
|
| Defendants' actions caused Apple to incur a loss as defined
| by 18 U.S.C. § 1030(e)(11), in an amount in excess of
| $5,000 during a one-year period, including the expenditure
| of resources to investigate and remediate Defendants'
| conduct. Apple is entitled to compensatory damages in an
| amount to be proven at trial, as well as injunctive relief
| or other equitable relief. See 18 U.S.C. § 1030(g).
| ethbr0 wrote:
| 18 U.S.C. § 1030(e)(11)
| https://www.law.cornell.edu/uscode/text/18/1030
|
| _"(11) the term "loss" means any reasonable cost to any
| victim, including the cost of responding to an offense,
| conducting a damage assessment, and restoring the data,
| program, system, or information to its condition prior to
| the offense, and any revenue lost, cost incurred, or
| other consequential damages incurred because of
| interruption of service;"_
|
| 18 U.S.C. § 1030(g)
|
| _"(g) Any person who suffers damage or loss by reason
| of a violation of this section may maintain a civil
| action against the violator to obtain compensatory
| damages and injunctive relief or other equitable relief.
| A civil action for a violation of this section may be
| brought only if the conduct involves 1 of the factors set
| forth in subclauses [5] (I), (II), (III), (IV), or (V) of
| subsection (c)(4)(A)(i). Damages for a violation
| involving only conduct described in subsection
| (c)(4)(A)(i)(I) are limited to economic damages. No
| action may be brought under this subsection unless such
| action is begun within 2 years of the date of the act
| complained of or the date of the discovery of the damage.
| No action may be brought under this subsection for the
| negligent design or manufacture of computer hardware,
| computer software, or firmware."_
|
| I assume "negligent" is used in the legal sense? But
| it'll be curious if NSO claims they're not liable for
| selling flaws that already existed in Apple *ware.
| freejazz wrote:
| They'd have to prove that Apple was negligent to sell
| software with flaws, but that's gonna be tough
| considering that much software has flaws.
| ethbr0 wrote:
| Agreed. I'd assume that's what the large number of words
| related to "Apple demonstrates an outstanding security
| record, etc etc" is aimed at. And it's a fair argument:
| nothing is bugless.
| tentacleuno wrote:
| > They'd have to prove that Apple was negligent to sell
| software with flaws, but that's gonna be tough
| considering that much software has flaws.
|
| It does carry a strange irony when Apple keep saying they
| have the best security after iOS has been very badly
| hacked by nation state actors, though. I'm not saying
| their security isn't good, but I would have rathered
| "we're fixing X things" than security hyperbole.
| freejazz wrote:
| Thanks for sharing your marketing preferences.
| SavantIdiot wrote:
| > Put another way, if it was someone HN liked,
|
| I'm sure no one reads TSLA EULAs either.
| theginger wrote:
| What is great is it could bring some much needed clarity on
| the subject.
|
| A ruling against the EULA might bring some clarity to the
| limits of powers tech companies have over us.
|
| A ruling for the EULA might shine a light on the power these
| companies DO have and force governments to bring in laws to
| curb them.
|
| It is not a good situation, where Apple / Microsoft could
| turn around and say to someone who broke the EULA or perhaps
| even to someone who didn't, we are revoking our agreement you
| can no longer use our software. Leaving them virtually
| unemployable in many sectors, and similarly they are in the
| position to absolutely cripple the vast majority of
| businesses with the same tactics.
| ethbr0 wrote:
| What normal people probably want is the state of affairs
| that historically existed:
|
| Government (legislative) mandates via law what rights
| consumers are entitled to, that cannot be stripped from
| them.
|
| Companies are free to request waiving or agreeing to
| anything not enumerated in the above.
|
| What's broken down recently is that legislatures aren't
| doing their job of proactively mandating consumer rights,
| and consequently companies are requiring whatever they
| think they can get away with: forced arbitration, lease-
| not-own, arbitrary right to revoke usage grants,
| prohibiting user / independent repairs, etc.
| kmonsen wrote:
| Realistically speaking we have no legislature anymore.
| ethbr0 wrote:
| In what sense?
| kmonsen wrote:
| In the sense that new laws are really difficult to do in
| the age of polarization. So instead the executive branch
| issues orders and the judiciary interprets laws in
| creative ways.
| ethbr0 wrote:
| H.R.3684 (aka "Infrastructure Investment and Jobs Act"
| aka "INVEST in America Act" aka "the Infrastructure
| Bill") passed the House 221/201/8 [0] and the Senate
| 69/30/1 [1].
|
| Admittedly not the best numbers, but not terrible either.
|
| [0] https://clerk.house.gov/Votes/2021208
|
| [1] https://www.senate.gov/legislative/LIS/roll_call_lists/roll_...
| Barrin92 wrote:
| > do we really want those inane licenses no one reads, and
| everyone scrolls down to hit [agree]; do we really want them
| to be legally binding?
|
| for commercial interactions in particular between two
| businesses? Yes, absolutely. How else are two entities
| supposed to come to legally binding terms without a contract?
| I'm all for a little bit of lenience when an end user didn't
| read the terms but you think NSO group doesn't have a lawyer
| and just scrolls down and clicks accept?
|
| The little guy isn't always right because he's little. If the
| little guy hacks my software to sell spyware to dictators and
| war criminals you bet I want the right to take him to court
| lupire wrote:
| > If the little guy hacks my software to sell spyware to
| dictators and war criminals you bet I want the right to
| take him to court
|
| Why? How are you the wronged party in this case? You are
| combining two separate things.
|
| What if the little guy used your software as designed, but to
| sell to dictators and war criminals?
|
| what if they hacked your software for interoperability with
| non-evil activities?
| chrisfinazzo wrote:
| (Not a lawyer, but this is the correct answer)
|
| As much as people might look at this and think Apple is
| being heavy-handed, it comes down to the fact that iCloud,
| iOS, and the App Store are their IP and they can (within
| legal limits) set whatever terms they please.
|
| Especially for these sorts of arrangements, it seems like a
| problem to me if the platform/IP owner doesn't have
| absolute, final discretion over what happens.
|
| Giving them the right to destroy your business at any time
| or at least try very hard to make it unprofitable shouldn't
| be a surprise to anyone.
| rektide wrote:
| This sits so unwell with me, gives such limitless
| tyrannical & dictatorial control to a company.
|
| > _As much as people might look at this and think Apple
| is being heavy-handed, it comes down to the fact that
| iCloud, iOS, and the App Store are their IP and they can
| (within legal limits) set whatever terms they please._
|
| Agreed. That's exactly what it seems like. And that
| sounds like immoral, unjustifiable, sickening hell. That
| Apple gets to hold all the cards, no one else on the
| planet gets any say in how a device might be used.
|
| It seems to me like the law is immoral. The law is heavy
| handed, an idiot, and wrong. And it seems like Apple is a
| user/abuser of unjust power which it does not have any
| moral or ethical right to wield.
|
| > _Especially for these sorts of arrangements, it seems
| like a problem to me if the platform/IP owner doesn't
| have absolute, final discretion over what happens._
|
| This sounds like a nightmare hell world to me. It
| contravenes the idea that any of us can ever be owners of
| anything. This sounds like the logic that says that only
| Tesla can repair Tesla cars, the logic that says only
| John Deere can repair John Deere tractors. This is an
| anti-human world, this is a bad world, this is immoral,
| this is wrong, this destroys & rots away at humanity as a
| can-do toolmaker, as an improver of the world about them.
| It consigns power away to fragile, remote, limited
| corporations. That is not a world I ever want to let
| happen to us. I tend towards atheism/agnosticism, but if
| there is a god, this flies against what graces the gods
| have given us to let ourselves be constrained so. It is
| unnatural & against the spirit of the human enterprise.
|
| I have no love for NSO Group. It feels great seeing such
| a group of shady, underhanded, anti-democratic punks get
| served. But this is absolutely going to be yet another
| move in the ongoing shift towards top-down combined
| technocratic/legal control. It's absolutely a
| demonstration of Apple wielding legal power to obstruct &
| defend that which it simply doesn't want to have to deal
| with, brushing aside something inconvenient. It's
| absolutely a battle over what terms of service mean &
| whether the world has any rights of their own. I for one
| am not cheering for Apple's victory in having their
| massive iron-clad armor further enhanced.
| ziddoap wrote:
| > _Agreed. That's exactly what it seems like. And that
| sounds like immoral, unjustifiable, sickening hell. That
| Apple gets to hold all the cards, no one else on the
| planet gets any say in how a device might be used._
|
| I'm not a big proponent of IP, but you're basically
| saying it is immoral, unjustifiable, and sickening as
| hell that Apple enforces the rules that Apple wants on
| Apple products/services, which were created and offered
| by Apple? Who should be making the rules if not the
| creator and maintainer of the product/service? Why is
| using another product/service not an acceptable
| alternative?
|
| I agree with the general direction of your comment, but
| certainly not with the same voracity that wouldn't allow
| my own company to create the rules for my own service
| offerings (within the confines of state/national law).
| Caligatio wrote:
| Replace "Apple" by any traditional car company and you
| should immediately become concerned. Shouldn't a car
| company have absolute, one-sided control over the cars
| they sell? Like should the car stop working if you agreed
| to obey the speed limit but then sped? Or stop working if
| you didn't use their branded fluids?
| lioeters wrote:
| ..Or the warranty becomes void if you open up the hood of
| your car and try to repair/replace parts..
| catlikesshrimp wrote:
| The law works fine when there is no monopoly.
|
| But since Apple has 50% of the market share, the law
| doesn't work well anymore.
| rektide wrote:
| This and more. I find it beyond farce that Apple & its
| adherents' chief defense seems to be that there are other
| people making products that aren't Lawful-Evil to
| humanity. If Google one day woke up and said, we're just
| going to try to do what Apple does to its users, there
| would be nothing left. This pretense that Apple's
| behavior is anything but anti-competitive, anti-trust
| worthy rings so hollow to me. The excuses that there are
| other places to go completely fail to wash for me.
|
| It's as if these folks are saying the Carterfone victory
| was only won because AT&T was a monopoly. That's not how
| consumer rights work. That's not a solid enough platform
| for humanity to remain upright.
| AnthonyMouse wrote:
| > How else are two entities supposed to come to legally
| binding terms without a contract?
|
| The question is what's the threshold for the existence of a
| contract. You both go into a conference room with lawyers
| and negotiate over the terms and sign it in ink, that's
| some pretty good yes vibes. Somebody clicks a button on an
| un-negotiated text form in a piece of software, maybe it
| should take more than that.
|
| > I'm all for a little bit of lenience when an end user
| didn't read the terms but you think NSO group doesn't have
| a lawyer and just scrolls down and clicks accept?
|
| Tons of bureaucracies do exactly that. The boss says they
| need a way to do this thing, so some Danny from the IT
| department finds some software to do that thing, it's free
| or costs less than the amount he's authorized to spend from
| petty cash, so he clicks accept and installs it on the
| user's machine.
| riedel wrote:
| There's always the problem with a little one that has to
| accept the big one's terms. Actually in Germany and
| probably elsewhere there is clear jurisdiction what is
| allowed in a terms and conditions type contract. It
| actually applies to any contract that is not created from
| scratch on an eye to eye basis. Other laws like the GDPR
| also restrict what can be part of a contract. So while
| nobody is reading all this stuff at least we have some
| assurance that it's not totally unfair. Otherwise is
| typically safe to assume that companies try to shape
| everything to their own benefit. So it boils down to
| trusting a company in general.
|
| Not being a lawyer and having no clue about US jurisdiction:
| I am really curious if this EULA thing works though.
| Normally under copyright law wrongdoing would normally just
| mean that your licence is terminated. Illegal use typically
| just requires paying damages twice the licence cost afaik.
| I would actually find it kind of scary if I could be pulled
| into any kind of jurisdiction about something not directly
| related to the contract just because I accepted a software
| licence agreement.
| llamataboot wrote:
| hmmm, I mean if we have to agree to things that are
| supposedly legally binding, I would like them to be so. If
| they are not legally binding, I would like to know that and
| not have to agree to them.
| Bud wrote:
| Yes. We emphatically want the rule of law to persist, and for
| legal avenues to be open for combating conduct like what NSO
| Group has done here.
|
| In particular, by any standard, it certainly seems reasonable
| for Apple (or even companies we don't like) to prevent _the
| use of its own tools and accounts_ for the purposes of
| attacking its products and attacking its customers.
| Especially when the attackers have explicitly promised not to
| do so.
| voxic11 wrote:
| They are just using the EULA as the basis for claiming
| jurisdiction. They are actually suing not to stop reverse
| engineering but rather to recover damages incurred by
| unlawful business practices. Basically their argument is
| that:
|
| 0) The defendants can be sued under California law because
| they accepted the EULA.
|
| 1) California law makes businesses liable for damages
| incurred by their unlawful business practices.
|
| 2) Business practices which violate any California or federal
| law are unlawful business practices in California.
|
| 3) The defendant violated the federal computer fraud and
| abuse act by hacking into users' phones.
|
| 4) Apple incurred damages to their reputation and from
| expenses related to mitigating the hacking of their users.
|
| 5) Therefore the defendant is liable for Apple's damages under
| California law.
|
| So the defendant could have been fine if they had just done
| reverse engineering, or even if they developed the hacking
| tools, but actually using the tools against Apple's users in
| violation of the CFAA was going too far.
|
| https://www.apple.com/newsroom/pdfs/Apple_v_NSO_Complaint_11...
| brutal_chaos_ wrote:
| Nit (maybe moot):
|
| > 4) Apple incurred damages [...] from expenses related to
| mitigating the hacking of their users.
|
| This sounds like no one should be a security researcher for
| they risk paying companies to implement the security the
| company should have implemented anyway. Put another way,
| that also sounds like the corporate open source push, "We
| love open source because we don't have to support it, the
| community will!"
|
| "4)" says the community will pay for/support security, just
| wait for the hack and make 'em clean it up. Mitigation
| costs shouldn't be a recoverable damage, they should be
| doubled and paid out to the victims...maybe that'll
| incentivise better security over dollar dollar bills y'all.
|
| This all may be moot because this was a B2B action and I'm
| thinking from a non-monied, single user/security researcher
| perspective. What if the company was a non-profit security
| research group? Perhaps this is what the 90-day grace
| periods are for when dealing with responsible disclosure?
|
| Anyhow, my ignorance must be showing at this point.
| ethbr0 wrote:
| From Facts(C),
|
| _"60. Defendants force Apple to engage in a continual
| arms race: Even as Apple develops solutions and enhances
| the security of its devices, Defendants are constantly
| updating their malware and exploits to overcome Apple's
| own security upgrades.
|
| 61. These constant recovery and prevention efforts
| require significant resources and impose huge costs on
| Apple. Defendants' unlawful malware activities have
| caused and continue to cause Apple significant damages in
| excess of $75,000 and in an amount to be proven at
| trial."_
|
| Hopefully the judgement is able to split the hairs
| between reputational and development harm to a company
| for security vulnerabilities, and harm to users for
| organized exploitation of those vulnerabilities.
|
| The former feels like it _should_ be free speech --
| statement of facts related to the company's product(s).
| The latter is an obvious wrong.
| LogonType10 wrote:
| >This sounds like no one should be a security researcher
| for they risk paying companies to implement the security
| the company should have implemented anyway.
|
| No, read again, this only refers to damages from unlawful
| activity. "White hat hackers" need not fear.
| AnthonyMouse wrote:
| Assuming they're lawyers who know every law and don't get
| skewered by something like DMCA 1201.
| shkkmo wrote:
| I don't know of any legitimate security research group
| that hacks user accounts they don't own.
|
| NSO hacked devices they didn't own and infected them with
| spyware. Apple had to pay to repair / replace those
| devices.
|
| I don't see how this sets any sort of precedent where
| security researchers are liable for the costs of fixing
| vulnerabilities that they uncover.
| eganist wrote:
| > I don't know of any legitimate security research group
| that hacks user accounts they don't own.
|
| nit: "user accounts to which they're not authorized"
|
| I work with friends' accounts all the time provided they
| authorized me to do so and provided I'm permitted to do
| so as part of the vuln disclosure program terms and rules
| of engagement, though I usually split the bounty with
| them in a meaningful way to make it worth their while.
| FridayoLeary wrote:
| >0) The defendant's can be sued under California law
| because they accepted the EULA
|
| > The Court has personal jurisdiction over Defendants because,
| on information and belief, they created more than one hundred
| Apple IDs to carry out their attacks and also agreed to
| Apple's iCloud Terms and Conditions ("iCloud Terms"),
| including a mandatory and enforceable forum selection and
| exclusive jurisdiction clause that constitutes express
| consent to the jurisdiction of this Court.7
|
| I'm not a legal expert but shouldn't that be stupidly easy
| to deny?
|
| Judge: did you, NSO, agree to the Terms and conditions by
| pressing "I Agree"?
|
| NSO representative: No, Your honor.
|
| Apple Lawyer: Then how did you gain access to my client's
| services?
|
| NSO Rep: A totally unrelated third party gave us 100
| unlocked iPhones as a free gift. We never saw the terms and
| conditions, nor agreed to them. We can fully prove our
| claims.
|
| Apple Lawyer: (spluttering) but... but... but...
|
| Judge: (bangs gavel) case dismissed!
|
| This is assuming NSO were far-sighted enough to actually
| create such a paper trail. Also, since Apple is disputing
| more than 100 accounts, maybe such a defence would be ruled
| as improbable, or some other legal jargon. Maybe someone
| better informed can chip in.
| AnthonyMouse wrote:
| > they created more than one hundred Apple IDs to carry
| out their attacks
|
| Maybe the most interesting thing about this is how it
| proves that their code signing system is worthless. If
| the same bad actor can get a hundred Apple IDs to sign
| literal malware with, why are they imposing this burden
| on random small developers?
| TillE wrote:
| Nerds always want to interpret the law in some strict
| pedantic fashion, but in practice this is almost never
| how it works. Law is not applied stupidly or
| mechanically, you can't fashion yourself some ad hoc
| workaround unless you're extremely certain about what
| you're doing, preferably with a mountain of precedent
| behind you.
| AnthonyMouse wrote:
| Nerds always want the law to be consistent. Lawyers are
| Machiavellian professionals trained in getting it to say
| "heads I win tails you lose" for their clients, and often
| succeed.
|
| That doesn't mean the nerds are wrong to want what they
| want.
| phkahler wrote:
| >> They are just using the EULA as the basis for claiming
| jurisdiction.
|
| IANAL but it's always seemed to me that if I reject the
| terms of a EULA then the EULA doesn't apply to me. Pushing
| the "button" does not mean anything because only the EULA
| gives it meaning and I reject that.
|
| 50 years from now if someone is doing software archaeology
| and they go to install some software from a long gone
| company, who does clicking the button form an agreement
| with? Will it be legal to try that software? Can existing
| software companies list people they have click-through
| agreements with? These things seem like a bad joke in
| practical terms.
| eganist wrote:
| > 50 years from now if someone is doing software
| archaeology and they go to install some software from a
| long gone company, who does clicking the button form an
| agreement with? Will it be legal to try that software?
| Can existing software companies list people they have
| click-through agreements with? These things seem like a
| bad joke in practical terms.
|
| I mean, this seems pretty easily addressed:
|
| I can't sign a contract with a dead company, can I? Well,
| literally I can, but the agreement wouldn't be binding.
|
| Same applies here. Unless the entity still exists, in
| which case congratulations, you're in a binding agreement
| lol
| AnthonyMouse wrote:
| There are some practical problems with this.
|
| Suppose that Small Co sells the assets of a business unit
| to Big Co. Do you now have a contract with Small Co. or
| Big Co.? Small Co. no longer has the rights to the
| software. Big Co. may not agree to the terms of the old
| license.
|
| Suppose someone dies and their assets go to their heirs.
| Do you now have a contract with the heirs?
|
| What if there are no heirs, so the assets go to the
| government? Do you now have a contract with the
| government? I can think of some fun terms to add to a
| software license from someone on their deathbed if that's
| the case.
| SQueeeeeL wrote:
| I like how suddenly the intense legal minutiae are the
| most important details of a system as if we're in a
| contract law class, as opposed to the obvious point that
| in general these agreements are fairly obvious.
| AnthonyMouse wrote:
| Making up rules without thinking about the consequences
| of those rules is a Bad Idea.
| SQueeeeeL wrote:
| Edge cases aren't consequences; they're trivia. And at
| the end of the day, our legal system is governed by humans
| who interpret and argue. Until humans are perfect, we'll
| never write a perfect law.
| AnthonyMouse wrote:
| "Perfection is impossible, therefore don't try" is a
| dodge.
| voxic11 wrote:
| US contract law jurisprudence doesn't really seem to
| support you here.
|
| > The mental assent of the parties is not requisite for
| the formation of a contract. If the words or other acts
| of one of the parties have but one reasonable meaning,
| his undisclosed intention is immaterial except when an
| unreasonable meaning which he attaches to his
| manifestations is known to the other party.
|
| https://en.wikipedia.org/wiki/Lucy_v._Zehmer
| leecb wrote:
| > those inane licenses no one reads, do we really want them
| to be legally binding?
|
| What all would be possible if software EULAs weren't legally
| binding?
|
| One thing that EULAs typically do is reduce liability for the
| company producing the software. Imagine if Google/Apple were
| liable for damages from all the miscommunications caused by
| autocorrect?
| roblabla wrote:
| EULAs are also used to protect IP, such as by prohibiting
| reverse engineering. Preventing reverse engineering would
| prevent modding games, fixing bugs in software that aren't
| supported anymore, security analysis, etc... In my view,
| it'd be a net negative for society.
| lupire wrote:
| and if software business becomes unsustainable due to
| piracy, that's also a net negative.
| chongli wrote:
| There's a difference between clauses in an EULA that
| release the software vendor from liability and those that
| impose additional liability on the user. I think it's
| perfectly fine for an EULA or "non-warranty warranty" to be
| included in open source software. If a person or a company
| wants to release software, they should be able to do so
| without being held liable for damages caused by the user's
| improper use of the software.
|
| On the other hand, if a click-through license can expose
| users to a potential lawsuit then that fundamentally
| changes the regime we all live in. It creates a world where
| the countless pieces of software we all use on a daily
| basis become hidden legal threats, lurking in the shadows
| like so many snakes waiting to strike. That's not a world I
| want to live in and I think most HNers would agree.
| mistrial9 wrote:
| I am a straight-up GPL coder and advocate, and I find this
| line of reasoning difficult to support. Additionally, it is
| a habit of lying, thieving security people to use every inch
| of freedom that GPL-advocates give them.. really torn here
| balls187 wrote:
| > While NSO Group created hacking tools, and then did some
| questionable things with them
|
| Such as selling their software to the Saudi Government which
| in turn used the software in a highly targeted cyber attack
| leading to the grisly murder of a dissident journalist?
| dylan604 wrote:
| If this is ruled in Apple's favor, can that be a stepping stone
| to allow NSO to be charged with aiding in murder?
| edge17 wrote:
| I will just add, the author of the NYT piece has a book out on
| this subject. The book is decent, has some cringe worthy
| descriptions of technical things if you are a technical person,
| but overall I learned a huge amount reading it.
|
| A lot of the commentary, accusations, and opinions in the
| comments here would be addressed or better colored if you're
| interested enough to read her book
| (https://www.amazon.com/This-They-Tell-World-
| Ends/dp/16355760...).
|
| Also, just to be clear, one of the reasons I _like_ the book is
| because it's written by a person that doesn't understand all
| the deep technical aspects of these things.
| threeseed wrote:
| > has some cringe worthy descriptions of technical things
|
| Par for the course when trying to explain things to non-
| technical people.
|
| People joke but you can see the thought process in explaining
| to a politician that the internet is a "series of tubes" for
| example.
| sam-2727 wrote:
| Reminds me of when the Oracle v. Google case was argued in
| front of the Supreme Court on a series of metaphors, among
| other things comparing Java to football teams:
| https://www.theverge.com/2020/10/9/21506172/oracle-google-
| ja...
| amelius wrote:
| So they used iCloud to spy on NSO?
|
| Sounds not right, regardless of what you think of NSO's
| actions.
| strict9 wrote:
| No.
|
| The information on fake accounts was passed to Apple by
| Citizen Lab, which discovered the zero click vulnerability.
| drdaeman wrote:
| I guess they haven't done this, but isn't this trivially
| mitigated by hiring someone to create the accounts, outside of
| the US entirely, in a jurisdiction where T&C violation doesn't
| mean anything? Especially if the accounts are needed in bulk,
| where it makes sense not just to work around the legal
| arguments but simply economically.
| kingcharles wrote:
| I was the victim of a state-sponsored attack. I took it to
| court. I tried to subpoena the contents of the government
| agents' iPhones but Apple came and filed a Joinder in Motion
| and sent expensive lawyers to lie to the judge about the
| judge's power to subpoena digital evidence. The lawyer
| specifically told me all he does is go around the country and
| lie to judges to get them to cancel subpoenas.
|
| We introduced the T+Cs from one major online provider to show
| how the government violated them. The government stipulated
| that they had violated the T+Cs and that they had broken the
| law. Two different courts both stated that government agents
| are allowed to violate federal and state computer and data
| access laws to conduct intelligence-gathering operations, and
| they are certainly allowed to violate T+Cs even when a
| violation of a T+C is a criminal act (which it is in many
| jurisdictions).
|
| One thing that is lulzy is that I recently received a letter
| from one government agency stating that the evidence I had
| requested by subpoena was no longer available because they left
| it on a server in violation of the T+Cs and never took a copy
| of it and the provider deleted the account.
|
| It hasn't reached the appellate courts yet.
| jp57 wrote:
| > Apple came and filed a Joinder in Motion and sent expensive
| lawyers to lie to the judge about the judge's power to
| subpoena digital evidence.
|
| If a lawyer makes an argument in court about the law
| governing a case (as opposed to the facts of the case), and
| the judge accepts the argument, and the judge's decision
| survives all its appeals, then the lawyer's argument is, by
| definition, true.
|
| EDIT: I'm objecting here to the characterization of the
| lawyers' arguments as "lying". The judge's "power" to subpoena
| digital evidence sounds like a question of interpretation of
| the law. Many (all?) US court cases have at least one
| question of law in which the parties make opposing arguments.
| One party prevails, the other does not, or maybe one party
| prevails on some points and the other prevails on other
| points. But however those questions are ultimately decided,
| that's the law, as it pertains to that case. In that context,
| it seems very strange to characterize either party as "lying"
| in such arguments.
|
| If, on the other hand, "the judge's power to subpoena digital
| evidence" really means Apple's technical ability to produce
| such evidence, then I would agree that those are facts about
| which some statements could be considered truthful or not.
| bannable wrote:
| Case law, not truth. Judges do not decide fact.
| dragonwriter wrote:
| > Judges do not decide fact.
|
| Trial court judges in jury trials do not (in principle)
| decide fact questions (though even that is misleading,
| since they can decide "as a matter of law" that offered
| evidence is insufficient for a particular fact conclusion
| even over the jury's determination of fact, _except_ in
| the case where that would be unfavorable to the defense
| in a _criminal_ trial.)
|
| Judges in bench trials, and appellate judges in many
| cases, do, in fact, decide matters of fact, though in the
| latter case the usual rules are generally, but not
| infinitely, deferential to trial court decisions.
| nickff wrote:
| > _"If a lawyer makes an argument in court about the law
| governing a case (as opposed to the facts of the case), and
| the judge accepts the argument, and the judge's decision
| survives all its appeals, then the lawyer's argument is, by
| definition, true."_
|
| This is a Kafkaesque and wrong understanding of the legal
| system. There are all sorts of errors of law and errors of
| fact that are non-appealable.
| kingcharles wrote:
| I think poster above is right, certainly with respect to
| the legal system in the USA.
|
| In the USA you often get one direct appeal - an appeal by
| right - and then if that fails, a discretionary appeal by
| a more superior court.
|
| I've seen some bone-headed decisions made by the trial
| judge, then the same error made by the appellate judges,
| and you know the superior court would reverse, but they
| only take 0.01% of the cases they see every year and so
| they just don't have time to fix every mistake. So some
| really stupid legal decisions become "the law of the
| case" simply because society doesn't have the funds to
| pay more judges to check the work of lesser judges.
| threeseed wrote:
| > sent expensive lawyers to lie to the judge about the
| judge's power to subpoena digital evidence.
|
| You're being unreasonable here since it is a very grey area.
|
| If Apple is compelled for example to hand over encryption
| keys to a judge (which often means a bunch of junior lawyers)
| then that would infringe everybody's right to have their
| information be secure.
| fsflover wrote:
| Perhaps you may want to ask https://eff.org for help.
| kingcharles wrote:
| I tried at the time, but received no response.
| lotsofpulp wrote:
| > and they are certainly allowed to violate T+Cs even when a
| violation of a T+C is a criminal act (which it is in many
| jurisdictions).
|
| Is violating a T&C criminal in the US, if the violating
| action itself is not a crime? I have not heard of this. Are
| there any examples that can be linked to? I thought it was
| always a civil matter.
| lights0123 wrote:
| https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
|
| Yes it is a federal crime, but was recently limited by
| https://en.wikipedia.org/wiki/Van_Buren_v._United_States
| haswell wrote:
| US based? I understand if you can't divulge any specifics,
| but I'm always curious about the nature of these attacks,
| e.g. we know certain types of journalists/activists are often
| targeted.
| kingcharles wrote:
| US-based, yes.
| rasengan wrote:
| Legal methods are a crutch at best. Apple would be wise to put
| forth the same budget into their security team's research and
| development and properly address these weaknesses.
| kelnos wrote:
| The problem is that this approach requires that Apple expend
| enough resources for their security to be perfect all the time.
| Outfits like NSO Group need only be lucky once (well, with some
| consistency, as Apple finds and fixes the vulnerabilities they
| use).
|
| It's a cat-and-mouse game where Apple has a distinct
| disadvantage, one that's likely impossible to fully overcome.
|
| They certainly should (continue to) spend a bunch of money to
| make their OS and hardware as secure as possible. But at a
| point returns start to diminish, and perfection just isn't an
| attainable goal.
| speeder wrote:
| Some people can even conclude from this that being evil is
| a better idea.
|
| A fictional example: there is a character in Wheel of Time,
| that realized that for the good guys to win, they must win
| every time the bad guy attempts something, but the bad guy
| must win only once (since his goal is destruction of the
| universe), thus this character concludes that being evil is a
| better goal, since you can keep trying until you succeed, he
| imagines eventually he WILL succeed, as a matter of "when",
| not of "if".
| monocasa wrote:
| Their lawyers are probably on retainer, or just straight up in
| house counsel. I doubt it costs them any more than a rounding
| error.
| jmondi wrote:
| Would your solution to weapons exporting be to have everyone buy a
| bigger bunker? Doesn't it just make more sense to control the
| export of weapons?
| riseagain wrote:
| Surprised to see this coming from the person that killed
| freenode with questionable bullying involving lawyers and "life
| ruining" consequences...
|
| Hypocrisy at its finest...
|
| For the record. I'm not sympathetic to NSO group either.
| rStar wrote:
| apple controls the hardware and software on apple devices. nso
| does not. this is public relations for apple, as much as a
| holiday advert as any they put on tv. if apple wanted to
| provide their customers secure devices, apple would provide
| their customers secure devices.
| rodgerd wrote:
| Well, that's one way of outing yourself as someone who knows
| literally nothing about modern computer security.
| josh2600 wrote:
| Ok normally I'd just let something like this go but I just have
| to pull my hair out when I see a comment like this.
|
| The attack surface of software as complicated as a modern
| operating system (iOS or MacOS, etc.) is simply too large to
| lock down without dramatically hurting the user experience
| (assuming you could actually achieve a lockdown in the first
| place!!).
|
| Let's, just for a second, propose that apple went full Monty
| and locked the whole shebang down with the kind of tech they'd
| need to resist NSO. That's more custom silicon, signed binaries
| everywhere, even fewer per app permissions, literally treating
| any piece of software running on the device as a potential
| threat vector even more than they already do. What would this
| get you?
|
| The BoM cost would go up, a lot. The cost of writing software
| would go up, a lot. And perhaps worst of all: it would only
| raise the cost of a chain of exploits, not eradicate it.
|
| Right now a chain of exploits is ~$5M on iOS. What if it was
| $50M? Would that actually stop a nation state?
|
| I'm sorry but there's no world where Apple can make perfect
| security.
|
| Finally, the cost of this lawsuit is a drop in the ocean
| compared to what they already spend trying to secure the
| software and hardware in iOS devices.
| Sporktacular wrote:
| "Right now a chain of exploits is ~$5M on iOS. What if it was
| $50M? Would that actually stop a nation state?"
|
| Yes, some states yes it would. That could make it
| unaffordable for many of NSO's clients.
|
| The result would not be perfect, just better.
| DSingularity wrote:
| Apple will advance the security of their platform more by
| suing NSO and lobbying the US gov to position the official
| view of the US gov regarding nation-state sponsorship for
| malicious software as reprehensible efforts which harm
| everyone (eg like biological/chemical weapons). If the US
| sanctioned Israel and critiqued them as reckless maybe less
| countries will support organizations like the NSO group.
| high_byte wrote:
| if it was 50m there would be significant increase in reports,
| for sure. problem is Apple has a reputation for not paying
| bounties...
| matheusmoreira wrote:
| > literally treating any piece of software running on the
| device as a potential threat vector even more than they
| already do
|
| Sounds amazing. Every operating system should be designed
| this way. Only free software should have full access.
| Proprietary software cannot be trusted and must be regulated
| and controlled.
| fsflover wrote:
| > The attack surface of software as complicated as a modern
| operating system (iOS or MacOS, etc.) is simply too large to
| lock down without dramatically hurting the user experience
| (assuming you could actually achieve a lockdown in the first
| place!!).
|
| https://qubes-os.org
| tptacek wrote:
| You talk to a lot of people who use Qubes day to day? I do.
| What have you heard about how Qubes life is?
| fsflover wrote:
| I am gladly using Qubes myself as a daily driver. Can't
| recommend it enough.
| tptacek wrote:
| Hey, my Qubes friends keep using it too. I'm not saying
| it's un-usable. Is dys-usable a word?
| fsflover wrote:
| This is a vague and unconstructive criticism. Perhaps you
| could say something more to the point.
|
| In my opinion, most of the HN audience would be able to
| use it to their benefit.
| tptacek wrote:
| That might be true! But it's not very relevant to the NSO
| problem, because the mass market will not be able to use
| it.
| rStar wrote:
| > I'm sorry but there's no world where Apple can make perfect
| security
|
| i think everyone knows that perfect security is not possible,
| the operative word being 'perfect'. i think what we want is
| for apple to 'actually try' to provide security, in some way
| that results in security order of magnitudes better than we
| enjoy today, which would still be miles and miles away from
| 'perfect', vulnerable to nation state actors etc etc etc
| josh2600 wrote:
| Can you point to a single instance of a cellphone vendor
| who takes security more seriously than Apple?
|
| Put a different way, is there any device with a high
| monthly active user count that has a higher cost to
| purchase a black market exploit than the iPhone?
|
| Apple can always do better. It should also scare the living
| hell out of us that they're currently the best in the
| world.
|
| My point is that if Apple can't secure your phones, who
| can? It's enough to make one think about security through
| obscurity.
| ccouzens wrote:
| > Put a different way, is there any device with a high
| monthly active user count that has a higher cost to
| purchase a black market exploit than the iPhone?
|
| I'm going to answer about operating system rather than
| device.
|
| The selling price of an Android full chain with
| persistence zero click is up to $2.5 million. The selling
| price of an iOS full chain with persistence zero click is
| up to $2 million.
|
| https://zerodium.com/program.html
|
| Both are better than any desktop operating system.
| LogonType10 wrote:
| This isn't the benchmark of how secure those systems are,
| just a benchmark of how valuable exploiting them is.
| Hypothetically speaking, iOS could be more secure, but an
| Android exploit could be valued more if high valued
| targets tend to use Android. Keep in mind that phone OS
| usage varies quite a bit by country and wealth.
| ccouzens wrote:
| I was responding to a specific comment about prices.
|
| You're right that the price doesn't fully correlate with
| security. It will reflect supply (security and interest
| of researchers) and demand (how much there is to be
| gained by breaking into each platform).
|
| Android is more widely used, but I gather more money is
| spent in the app store than the play store. I don't know
| the market share of "interesting" users.
|
| My analysis would be that the number shows they're not
| that far apart. I'd be skeptical of anyone (i.e. Apple's
| press release) saying that either platform is more
| secure. Security is too nuanced to be expressed as a
| total order.
| LogonType10 wrote:
| Agreed! Thank you for posting that Zerodium link. It's
| always great to bring substantive data into a security
| discussion.
| fsflover wrote:
| > is there any device with a high monthly active user
| count that has a higher cost to purchase a black market
| exploit than the iPhone?
|
| This is unfair, because there is a duopoly and the only
| alternative on mass market is Android. Of course in such
| circumstances the exploits will be expensive, even if
| security is awful.
|
| Ignoring this, Purism takes security more seriously,
| because they give the user full control over the OS with
| possibility to replace/reinstall or harden it. In
| contrast to that, rarely updated iMessage is impossible
| to uninstall on iOS.
| kelnos wrote:
| > _i think what we want is for apple to 'actually try' to
| provide security, in some way that results in security
| order of magnitudes better than we enjoy today_
|
| That's a pretty tall order, and would likely result in a
| device that is much more expensive and has a user
| experience that users would not like. Assuming "orders of
| magnitude better" is even possible, of which I am
| skeptical.
| tptacek wrote:
| I co-sign this whole comment and answer the rhetorical
| question: $50MM for an exploit chain would not stop a state-
| level adversary. Their alternative for these kinds of
| operations is human intelligence; they'd pay more just in
| health benefits to staff those operations.
| snowwrestler wrote:
| You're not wrong about the impossibility of perfect security.
|
| But Apple is praising and promising to support independent
| security research in this press release. Meanwhile they have
| a reputation among independent security researchers for being
| standoffish, opaque, slow to respond, and even outright
| hostile in suing Corellium. They settled that suit but the
| reputation remains.
|
| Apple is the most valuable company in the world. They do not
| appear to have the best security program in the world.
| Whatever Citizen Lab can do, Apple should be able to do
| better; they have a lot more resources and expertise.
|
| I'm not doubting that Apple puts a lot of effort into
| securing their products. But it seems like they still have
| significant room for improvement.
| concinds wrote:
| Seconded. There are many, many low hanging fruits that
| would substantially improve Apple users' security that
| Apple has not yet implemented, for example delivering
| Safari updates independently from macOS updates and having
| a seamless auto-update mechanism equivalent to every other
| modern browser. Apple repeatedly claims that most malware
| targets Android, which is true, but it includes Play Store
| adware and side-loaded malware; if you only take RCE
| exploits, which are the relevant class of malware here, one
| could argue Android is as secure, or more secure than iOS.
| I would argue the latter, given that Safari and iMessage
| (as well as integrated WebKit webviews, like Apple Music)
| seem like the primary attack vectors, and the ones used by
| NSO; and that security updates to those components, unlike
| the Android equivalents, are delayed to match Apple's
| preferred iOS release schedule, instead of being
| autoupdated separately and transparently to the user.
| nicce wrote:
| One could also argue, that as Apple is commonly branded
| as "secure" alternative, and therefore high profile
| targets are potentially using their products. This might
| mean that interest is much higher for attackers on that
| side. They might not care so much about Android.
| Increased interest and effort means that more likely
| something is found.
|
| Also, Apple's sandboxing settings and permission managing
| makes the most malware pretty useless with App store
| policies (no sideloading), so only RCE exploits are kinda
| useful.
|
| When it comes to iMessages, that is the most interesting
| channel with Safari to deliver exploits, iMessage without
| user interaction and Safari with some. All you need to
| know is that target is using iPhone. Other non-default
| applications as target introduces new challenges.
| iMessage and Safari being part of OS updates might
| indicate, that they are handled differently compared to
| other apps - is security policy same, worse or better? Is
| there larger attack interface to system by using these
| apps?
| miohtama wrote:
| Recently
|
| https://arstechnica.com/information-
| technology/2021/09/three...
| jolux wrote:
| > They do not appear to have the best security program in
| the world.
|
| By what measure? That they don't find all the security
| bugs? Have you seen what iOS exploit chains look like these
| days? They're not exactly simple. I think there is
| literally no amount of money that could be spent that would
| eliminate all the security bugs in iOS, or Apple would be
| figuring out how to spend that much right now. So yes, you
| can always argue that they should spend more, and I'm sure
| they do spend more every time something like Pegasus
| happens, but it's not some grand revelation. This is just
| how things are.
|
| > Whatever Citizen Lab can do, Apple should be able to do
| better; they have a lot more resources and expertise.
|
| At the tail, this doesn't matter. Other people find bugs
| because there are _always_ more bugs to be found. There
| will never be a situation where only Apple can find more
| bugs in its operating system.
| Sporktacular wrote:
| It's not clear the user experience would have to suffer.
| Maybe there are more groups doing for software architecture
| what Signal did for messaging. Groups like Heiser's seL4 and
| Qubes. As for expense, imagine how much more we would have
| paid today, in real and opportunity costs, if over the last
| 20 years everyone used this "no such thing as perfect
| security" fatalism as the excuse to not just do things a bit
| better.
| kingcharles wrote:
| Why not both?
| jmull wrote:
| As if there's a magic button trillion dollar companies can buy
| that, when pushed, removes all security vulnerabilities from
| software and hardware, no matter how complex!
| sorry_outta_gas wrote:
| hah! that'll show 'em /s
| Sporktacular wrote:
| We need to target the pos engineers and management at NSO,
| Finfisher, Hacking Group etc. who sell their souls for a fast
| buck. These pricks are likely already setting up the next
| corporate front for when this one collapses. Let's make the
| mercenary business a cripplingly expensive line of work.
| fortran77 wrote:
| Apple enabled them by making insecure operating systems. Aren't
| we on Hacker News all for the ability to side-load software on
| your platform?
| threeseed wrote:
| Do you have some statistical evidence that macOS is
| fundamentally more insecure than other operating systems? That
| would be surprising to me given many controls e.g. application
| signing I've not seen implemented on other platforms.
| fortran77 wrote:
| NSO seems to concentrate on making products for iOS
| yuvadam wrote:
| The framing of NSO as "state-sponsored" cannot be overstated, and
| Apple didn't miss the chance to do just that.
|
| A hard blow to Israel's policy just as much as it is to NSO
| itself.
| badRNG wrote:
| One could interpret this as the software is "sponsored" by the
| governments that finance their operations and purchase their
| products. This would be countries like Saudi Arabia, Mexico,
| Germany, and Kazakhstan, not _necessarily_ Israel.
|
| Though the fact the US has sanctioned an Israeli business does
| seem to have potential implications on Israeli policy. [1]
|
| [1] https://www.reuters.com/technology/us-blacklists-four-compan...
| DSingularity wrote:
| NSO would not sell to those countries if the regional
| interests of Saudi/UAE were unaligned with the Israeli
| desires for the regions. Israel wants dictatorships
| throughout the Arabian peninsula and turmoil within the
| borders of all of its neighbors. The NSO software helps
| advance Israeli interests on both those fronts.
| technobabbler wrote:
| Beyond merely selling their products to Israel, the NSO Group
| itself is an Israeli firm, founded by ex-Israeli
| intelligence, and whose products are subject to Israeli
| national export controls.
|
| https://en.wikipedia.org/wiki/NSO_Group
|
| That's a level of sponsorship way beyond simply being a
| customer... that's state espionage served with a side of
| profit. It's evil when the USA does it, it's evil when the
| Russians do it, it's evil when China does it, it's evil when
| Israel does it... but nobody does anything about it because
| all those states would prefer strong surveillance rather than
| rights for activists and journalists.
| einpoklum wrote:
| > Israeli national export controls
|
| A crash course in Israeli national export control:
|
| 1. You can sell everything except for nuclear tech (and
| maybe even that, I don't know).
|
| 2. If the client is not officially an enemy of Israel then
| do whatever you want, we don't give an f'ing f'.
|
| 3. If the client _is_ officially an enemy of Israel, then
| all sales must be conducted through official (secret) state
| channels. Independent side-action will not be tolerated
| (see the cases of Nahum Manbar or Shim'on Sheves). This
| might be a hassle, but the upside is that the courts will
| uphold complete secrecy of your affairs and the military
| censorship (yes, Israel has that) will likely prevent any
| nasty exposes.
|
| 4. If the US throws a tantrum, then sections (1.) and (2.)
| are abrogated. But don't worry: There are plenty of generals
| and other high-ranking retired officers in key
| positions in politics, and a bunch of us are wanted for war
| crimes anyways with ICC cases pending, so... we're all
| friends here and we got your back.
| nickff wrote:
| None of this seems like 'sponsorship' to me, it seems more
| like 'restriction' or 'regulation'. 'Sponsorship' implies
| that someone is providing a level of funding beyond just
| being a paying customer. Is there any evidence that the
| government of Israel (or any of the other governments you
| mention) are actually providing loans or share capital to
| NSO Group?
| high_byte wrote:
| my brother has vans sponsorship. he gets shirts and
| shoes, not money ;)
|
| you get my point?
| nickff wrote:
| I agree that the word 'sponsorship' has been quite
| diluted, as you point out, but it should mean something
| more than 'be a customer of'. Do I sponsor my local
| sports team when I buy tickets to a game? Am I sponsoring
| Netflix by subscribing? Do I sponsor my local government
| by paying property taxes? On the flip side, does my
| government sponsor me by granting a driver's license?
| Sporktacular wrote:
| I get bothered by the use of the term "nation-state" in
| this context.
|
| And I thought I was pedantic.
| nickff wrote:
| > _" I get bothered by the use of the term "nation-state"
| in this context.
|
| And I thought I was pedantic. "_
|
| I don't think I'm being pedantic, it seems like people
| use the word 'sponsor' in these contexts to exaggerate
| and vilify.
|
| Nobody seems to have used the word 'nation-state' in this
| post; what made you think of it?
| Sporktacular wrote:
| It's used throughout the comments and the topic
| generally. I don't call it out (for meaning a state with
| a since ethnic because I get the point being made.
|
| As for sponsorship, states sponsor their industries by
| providing labor trained at public expense, promoting them
| abroad through trade agreements, access to trade
| representation etc. so there is the technical definition
| of sponsorship met.
|
| The revolving door between Unit 8200 and surveillance
| startups is documented as is Israel's courting of KSA and
| the UAE with access to intelligence sharing and
| capabilities as a bargaining chip. Most of all, it's just
| logical, why wouldn't they? It's good for the state and
| its industry. Just sucks for everyone else.
| threeseed wrote:
| Dictionary defines it broader than just money i.e.
| support, advice etc.
|
| In this case it is clear that the Israeli government is
| sponsoring NSO.
| fortran77 wrote:
| The very Wikipedia article you linked to says that the NSO
| Group is owned by "Novalpina Capital". They describe
| themselves this way:
|
| > Novalpina Capital is an independent European private
| equity firm that focuses on making control equity
| investments in middle market companies throughout the
| continent. Novalpina Capital has a solution-orientated,
| entrepreneurial approach to investing and creating value in
| its portfolio companies.
|
| > Novalpina Capital was established by Stephen Peel, Stefan
| Kowski and Bastian Lueken in 2017. The Founding Partners
| bring combined experience of 48 years in private equity
| investing, including senior positions in the European
| operations of leading global private equity investment
| firms, and have a shared history of working together for
| nearly a decade.
| rodgerd wrote:
| Every Israeli citizen, except religious extremists, serves
| in the IDF or equivalent; if you look useful to the
| intelligence apparatus, that's where you'll end up.
|
| You literally cannot find an Israeli company that isn't
| founded, run, and staffed by people with military or
| intelligence links, unless you're only dealing with
| religious extremists.
| tzahifadida wrote:
| If you think that Israel is doing anything not sanctioned by the
| US government you are mistaken. In Israel NSO can't make a move
| without 7 agencies regulating it. This is considered a weapon
| sale. The same weapons the US are sponsoring Israel and buy them
| from Israeli industry. There is no way NSO will fail from this.
| So EULA or whatever these are matters between states for national
| security interests.
| shmatt wrote:
| Yes, the many US government 3 letter agencies would love to
| have full read access to every single iPhone in the world. It
| doesn't mean Apple needs to comply, or that doing so without a
| search warrant is legal in California
| jjcon wrote:
| >the many US government 3 letter agencies would love to have
| full read access to every single iPhone in the world
|
| They 100% already do
| VWWHFSfQ wrote:
| Baseless speculation is not useful here. Especially when
| it's toned as some kind of truth.
| azernik wrote:
| You are extrapolating very tight Israeli state control of the
| Israeli arms industry (very true) to very tight _US_ state
| control of the Israeli arms industry, which is not actually how
| the relationship works.
|
| The US has influence over Israeli sales of Israeli-made arms,
| but this is costly to exert and only used sparingly.
| Historically, it's restricted to preventing Israeli arms sales
| to direct US rivals like China or Russia. When Israel sells
| guns to dictatorships in Africa or Southeast Asia that the US
| doesn't like, the Americans are perfectly willing to agree to
| disagree.
|
| EULAs and other civilian contractual arrangements are important
| here because these weapons were used against US civilians and
| US civilian property. When Soltam howitzers kill villagers in
| Myanmar, the US executive branch doesn't give a damn; but as
| soon as a US corporation (Apple) has to pay for warranty
| returns the courts wake up and pay attention.
| einpoklum wrote:
| Actually, the US allows Israel quite a bit of leeway in its
| underhanded weapons and security services trade. There was that
| time when Israel almost sold AWACS systems to China:
|
| https://nationalinterest.org/blog/buzz/israel-wont-sell-awac...
|
| so, the sale didn't go through due to US pressure, but the
| point is that Israel not only contemplated it, but was going to
| carry it through.
| ribosometronome wrote:
| The US Government is not a single-minded entity. Covert actions
| sanctioned by balding old men in a dingy fluorescent lit room
| can still end up quashed when they come to light and the courts
| get involved.
| sharklazer wrote:
| The only thing I can add to what you said is another cynical
| thought of mine, starting with the question of why would Apple
| waste the money in this case? And the only answer I can come up
| with is that they need to re-establish their image of
| "security". I can't help but feel with various actions taken by
| them in recent times this being anything more than theatre
| unfortunately. If they prevail, I wonder if it will simply be a
| case of Blackwater renaming themselves.
| boomboomsubban wrote:
| >why would Apple waste the money in this case?
|
| To set a precedent that they can claim damages for violating
| their terms and conditions.
| thetinguy wrote:
| Wait until you find out about Five Eyes and the run around the 4th
| amendment.
| melony wrote:
| Agreed, there is a channel for private entities to resolve
| matters of the state and that is via lobbying the executive or
| the legislative. Going after Israel's outsourced intelligence
| technology research group via the judiciary branch risks Apple
| being caught in the political crossfire. Apple at the end of
| the day is not Blackwater, they do not have any form of
| influence over force if things really hit the fan. Israel
| isn't a South American banana republic that can be easily
| overthrown by private corporations either. To put it in
| perspective, how would you react if (hypothetically) Lockheed
| Martin gets sued by Yandex if one of their missiles blew up a
| self driving car being tested in some far flung Central Asian
| state? Do you expect Lockheed Martin to be bound by contractual
| laws in the city of Moscow and for the matter to be settled via
| civilian lawsuit or arbitration?
| udev wrote:
| The amount of time that Apple sat on this is telling.
|
| First reports on NSO activity are from 2016, Facebook filed in
| 2019, Apple iOS 14.8 fix released in Sept 2021.
|
| Only when the constant negative news about NSO started chipping
| at their reputation, did they decide to make this symbolic (and
| ultimately ineffective) move.
| reaperducer wrote:
| Read the New York Times article. It says that Apple was only
| able to file this suit because of a court ruling in a similar
| suit by Facebook and because it was given code that showed it
| how Pegasus works.
|
| There is nothing at all "telling" about Apple's timing.
| udev wrote:
| I am all for Hanlon's razor.
|
| But it reads to me as: Apple legal team has to act because
| Facebook suit (and the info made public) makes it impossible
| to say that "Apple was not aware" of such and such details.
|
| To me it is much easier to believe the above, compared to
| your "Apple is only now seeing this info, and only now is
| aware, and only now can act".
| freejazz wrote:
| Look, if you don't know how legal standing works, that's
| one thing. But to reject the explanation provided to you
| and to cite your own ignorance as a legitimate source of
| disbelief while you poo-poo away a dispositive fact isn't
| reasoning.
| udev wrote:
| Apple has known since at least 2016 of NSO activities on
| their devices and servers, while selling this image of
| privacy competence.
|
| This long period of inaction, from 2016 to now is
| unacceptable.
| freejazz wrote:
| It's as if you don't get the point about legal standing.
| Apple can only take action now because of a court
| deciding that Facebook's TOS forum clause is actually
| binding. If they filed the case prior to such a holding,
| it'd have been dismissed.
| spiderice wrote:
| Sounds to me like GP really WANTS this to be "telling",
| when in reality it obviously isn't.
| udev wrote:
| What if Facebook never filed? Would Apple never be able
| to act on this?
|
| If they would have acted, why didn't they do it before
| Facebook?
| freejazz wrote:
| "What if Facebook never filed? Would Apple never be able
| to act on this?"
|
| If there wasn't precedent that Apple's TOS venue clause
| was binding, then the case would have been thrown out as
| I just previously explained.
|
| "If they would have acted, why didn't they do it before
| Facebook?"
|
| Because the case would have been dismissed as I just
| explained.
| udev wrote:
| Before Facebook filed, was there precedent for their TOS?
| freejazz wrote:
| No, but Apple probably didn't want to spend 4 years
| litigating the TOS issue prior to ever reaching the
| merits. There's also the risk that they lose the TOS
| issue.
| [deleted]
| cronix wrote:
| I think it also didn't hurt for the US Dept. of Commerce to
| add NSO Group to the Entity List for Malicious Cyber
| Activities just 2 weeks ago. It certainly doesn't hurt your
| case for the US Gov't to officially list them.
|
| > NSO Group and Candiru (Israel) were added to the Entity
| List based on evidence that these entities developed and
| supplied spyware to foreign governments that used these tools
| to maliciously target government officials, journalists,
| businesspeople, activists, academics, and embassy workers.
| These tools have also enabled foreign governments to conduct
| transnational repression, which is the practice of
| authoritarian governments targeting dissidents, journalists
| and activists outside of their sovereign borders to silence
| dissent. Such practices threaten the rules-based
| international order.
|
| https://www.commerce.gov/news/press-releases/2021/11/commerc...
| rStar wrote:
| except that it's curiously well timed for this news to drop
| at the beginning of holiday shopping, like an advertisement,
| or possibly, this is pure marketing. nso and apple are
| partners. apple leaves holes, nso exploits said holes.
| tpush wrote:
| Conspiratorial nonsense.
| rStar wrote:
| unless you understand how tech, business, governments and
| security services work, then not so much
| haswell wrote:
| That's a pretty massive thing to imply without any
| followup. As someone who understands how tech, business,
| governments and security services work, care to enlighten
| the rest of us?
| DisjointedHunt wrote:
| I've been heavily critical of Apple for their on device scanning
| plans but credit where it's due. This act hopefully exposes the
| sheer abuse of Public funds to find and exploit vulnerabilities
| and somehow those same vulns find themselves in the commercial
| domain, available to the fucking despots in the Middle East and
| wherever else?
|
| It's about time those that took the oath to protect the nation
| from harm step up and do so instead of creating a million more
| problems by shipping these exploits off to a later time while
| they sit on them.
| suthakamal wrote:
| I think the most important part of this announcement (I cried
| genuine tears of joy when I read it) is that Apple is committing
| to give Citizen Lab whatever they need. That kind of internal
| access to Apple's people and infrastructure is tremendous.
|
| I've never heard anyone but a despot (or vendor to despots) claim
| anything untoward about Citizen Lab, it sure seems like they're
| genuine "good" folks. They do great work, and they'll do better
| with support and access. The announcement makes it sound like
| Apple is willing to offer similar support to other good actors. I
| imagine Apple putting the word out will yield a few more.
|
| It raises - again - the question of what we expect from big
| companies vs governments, and questions of sovereignty. Where's
| the line between supporting good work and cyber vigilantes (if
| it's not a thing today, it will be, and what will society's place
| be with respect to them)?
| lehi wrote:
| Only curbing "abuse" implies that "normal use" of state-sponsored
| spyware remains kosher.
| miohtama wrote:
| > Apple believes privacy is a fundamental human right, and
| security is a constant focus for teams across the company.
|
| This in the press release. It is missing the bit "except in
| China."
| Sporktacular wrote:
| +1
| rStar wrote:
| apple builds their own hardware and software. security, or lack
| thereof, is clearly apple's choice. apple blaming nso here is
| pure public relations and optics, nee propaganda, which many on
| this board drink like the koolaid it is. it's confirmation
| bias.
| kevinh wrote:
| Ah, yes, Apple just neglected to flip the security switch on.
| smoldesu wrote:
| They certainly haven't flipped the "US-sanctioned spyware"
| switch off.
| jbverschoor wrote:
| Thank you, Tim
| khana wrote:
| Better yet Apple, write better software.
| sekura wrote:
| NSO is pretty well covered by Darknet Diaries:
|
| https://darknetdiaries.com/episode/99/
| https://darknetdiaries.com/episode/100/
|
| I have no sympathy for NSO.
| daneel_w wrote:
| Great. Also, don't forget to secure your operating systems, which
| is the root problem.
| ksec wrote:
| I guess I am getting cynical. What is the context that
| triggered Apple to sue them _now_, and not any time before?
|
| And what if NSO Group closed the branch in US? I assume you can't
| really do anything to an Israeli company.
|
| Because half of it reads a lot like a PR piece to me. And Apple
| easily gets the marketing message response they wanted. They are
| fighting "_State Sponsored_" spyware. The privacy message they
| are sending out (fighting on behalf of their user), in the midst
| of a worldwide App Store battle and Anti-Trust.
|
| And I am willing to bet this message will be used in their future
| PR message when they discuss it in Anti-Trust to gain public
| support.
| cwkoss wrote:
| NSO Group and any organization who does business with them
| should be placed on the OFAC list
| jmull wrote:
| > What is the context that triggered Apple to sue them now,
| and not any time before?
|
| Apparently Facebook has a similar suit against NSO and just had
| a significant ruling go their way. NSO had claimed they were
| immune since they were acting as a foreign government agent.
|
| I'm guessing Apple was waiting to see how that ruling went
| before proceeding, since if NSO had won Apple would have to
| take a completely different approach.
| aborsy wrote:
| What does state-sponsor mean here exactly? Is NSO supported by
| Israel intelligence?
|
| And if charges are laid against NSO, will its sponsors be
| charged/sanctioned too (for sponsoring terrorism)?
|
| If this was a company in another country, the reaction would have
| been totally different (in some cases calls for bombing would
| have been made, and continued for decades).
| givemeethekeys wrote:
| I think it means that they're pissing in the wind and hoping
| that the direction is away from them.
| michaelbuckbee wrote:
| Ellsworth is a personal hero of mine - incredibly smart, wildly
| talented and has a real vision for this space.
|
| All that being said, it's a nightmare of a space which is why I
| don't think there's been a big funding event for Tilt5.
|
| "Meta View" was an AR company that raised $75mil, had a star
| studded list of VR/AR technology folks, only ever shipped a
| couple thousand units and now is defunct.
|
| Magic Leap raised $3.5 Billion and now has given up on shipping a
| consumer device (Enterprise only).
|
| Microsoft's Hololens exited consumer applications even earlier,
| enterprise only.
|
| Oculus Quest is the most successful consumer VR tech (about 5
| million sold) but it's really unclear if they're anywhere close
| to turning a profit and they've spent tons to try and jump start
| game developers in VR.
|
| Tilt5 would require from the ground up games to be made, large
| volumes of orders/units to be profitable and even if all that
| came together could still be kneecapped by chip shortages and
| supply chain issues.
| ksec wrote:
| Wrong thread?
|
| Edit: I guess it is for Tilt-5 Was Magical [1], I copied your
| reply over there.
|
| [1] https://news.ycombinator.com/item?id=29317390
| davidf18 wrote:
| This is amazing publicity for NSO.
|
| If NSO is able to crack Apple security you can bet the NSA,
| Chinese, Russians as well as Israel's Mossad are doing much the
| same.
|
| With this lawsuit, Apple is basically admitting that they need
| lawyers and not engineers to combat the hacking.
|
| But suing NSO would not stop the other agents from hacking Apple.
|
| That is why it is best that Apple spend $100 million or more to
| cybersecurity harden their software.
|
| In addition, Apple should offer $1 million awards for breaking
| their security.
|
| One should also ask, how many lives were saved from terrorist
| attacks by NSO. That would be an interesting story.
| null_object wrote:
| Wow you have to be on HN to see Pegasus portrayed by some people
| as 'the little guy' fighting 'evil' Apple.
| [deleted]
| elzbardico wrote:
| In a just world, Israel should suffer sanctions for sheltering
| what is basically a criminal enterprise.
| 0xcde4c3db wrote:
| Anyone have a sense of the odds that the state secrets privilege
| gets invoked, and if so how damaging it's likely to be to Apple's
| case? Most examples involve a government entity being a party to
| the case, but the privilege did shut down a patent infringement
| suit between private entities not too long ago ( _Crater v.
| Lucent_ ) [1].
|
| [1] https://www.wired.com/2005/09/secrecy-power-sinks-patent-cas...
| dinkblam wrote:
| meanwhile Google happily continues to run ads for malware like
| the infamous 'MacKeeper'
| notyourday wrote:
| Apple simply needs to exercise its right to deplatform everyone
| who works for NSO. Oh and deplatform all government wonks of
| government of Israel as it is allowing NSO Group to operate.
|
| Life in 2021 is very difficult without a smartphone. In fact it
| is so difficult that if working for NSO comes with "no smartphone
| forever" sticker NSO won't be able to find people to work for it.
___________________________________________________________________
(page generated 2021-11-23 23:00 UTC)