Apple sues NSO Group to curb the abuse of state-sponsored spyware
Author: todsacerdoti
Score: 578 points
Date: 2021-11-23 18:04 UTC
Link: www.apple.com

Adamantisa wrote:
Court has no jurisdiction over NSO. At most, it was foreign international persons who accepted iCloud's terms and conditions. They'd have to identify them, prove that they are linked to NSO, and in fact acting on behalf of NSO in their official capacity. And even after that, they'd just not travel under their real names, or even not travel at all, and that's that.

hfern wrote:
What other goodies will they find during discovery?

Hopefully the public can get snippets like in Epic Games v. Apple.

nazgulsenpai wrote:
Isn't NSO Group an Israeli firm with close ties to government? I strongly doubt anything will come of this.

simion314 wrote:
Can an upset judge decide to put the NSO leaders and employees on a terrorist list? They could argue it was an attack on national security if they can show some important person from US would have been hacked by a foreign government.

Then if EU could put the same guys also on the list maybe there would be some effects.

JumpCrisscross wrote:
> _Can an upset judge decide to put the NSO leaders and employees on a terrorist list?_

They can hold them in contempt, which leads to arrest warrants. Default judgements can then enable the creditor, in this case Apple, to start seizing assets. But TL;DR no, a judge can't put someone on a terrorist list; that's a national security and thus executive function.

monocasa wrote:
> Can an upset judge decide to put the NSO leaders and employees on a terrorist list?

For not replying to an EULA suit? I sure hope not, as much as I'd like to see NSO nailed to the wall.
Dma54rhs wrote:
At least one of the founders can be found from American homesoil NYC but we know very well nothing will come out of it because of the Israeli love story Americans have.

nazgulsenpai wrote:
I'm talking about the discovery process. Will we learn anything we don't know already if NSO isn't required to cooperate? Probably not.

corin_ wrote:
A piece of advice I was given once and try to remember to follow is to, when commenting online, think "does this comment seem wrong if read out of context".

For example you wouldn't have had to come back to explain the context of your comment if your "I strongly doubt anything will come of this." had ended with "..come of this in discovery."

monocasa wrote:
I'm imagining just a screen shot of a middle finger in response to discovery requests.

rodgerd wrote:
NSO have started threatening to release dirt on Israeli politicians because they are unhappy that the Israeli government isn't covering for them.

LegitShady wrote:
Source? My thought is if you tried this in Israel the actual intelligence apparatus would have you picked up pretty quickly and in a dark hole for as long as they wanted.

monocasa wrote:
Where did they sue NSO group? If it's a US suit, I don't see that meaning much. Why wouldn't NSO just ignore it in that case?

kingcharles wrote:
"Venue", meaning where the suit may take place, is a complicated legal beast. Apple is in the US. NSO Group agreed to certain T+Cs when they opened their fake iCloud accounts. That T+C probably says you agreed to be sued in California.

CubsFan1060 wrote:
The pdf was literally right in the link: https://www.apple.com/newsroom/pdfs/Apple_v_NSO_Complaint_11...
UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA SAN JOSE DIVISION

0des wrote:
A portion of the community only reads the headlines and forms their opinion based on that alone. I'm not saying it's right, I'm just trying to add some context to what appears to be your incredulity at the parent commenter's question.

monocasa wrote:
I read the whole article, but didn't read the entirety of the separate element that first contained the link to the article as printer friendly text.

There's a pretty big UX failure to stick important content there.

kingcharles wrote:
I read the whole article and then came here to ask if anyone knew the court and case number. Now I feel stupid.

kingcharles wrote:
It's not live on PACER yet sadly so I can't get a case number.

mataug wrote:
Could the company and its executives be sanctioned based on this court case?

JumpCrisscross wrote:
> _Could the company and its executives be sanctioned based on this court case_

It already has been [1].

[1] https://www.commerce.gov/news/press-releases/2021/11/commerc...

monocasa wrote:
Under what law?

JumpCrisscross wrote:
> _Under what law?_

NSO used Apple's services, thereby agreeing to U.S. jurisdiction. (It also deals in dollars and has customers in America.) If it ignores U.S. courts, it would be held in contempt at the very least. That enables the Feds to start freezing and confiscating assets, possibly even issuing arrest warrants. That happens domestically first and through treaties second.

Given how much bad blood NSO has generated for itself in D.C., it would be more surprising if this didn't get escalated to a diplomatic level.

monocasa wrote:
There's no way it hasn't been escalated to a diplomatic level already, that's probably the biggest impediment to the suit doing anything.
Both NSO's host country and client base get an incredible amount of protection from the state department.

JumpCrisscross wrote:
This doesn't take into account recent events, _e.g._ the U.S. sanctioning NSO after their dealings in India and with American police departments was confirmed.

In any case, this is a civil suit in federal courts. Even if State wanted to intervene, it would have to do so through informal channels.

monocasa wrote:
Their website is still up, posting news, hosted on AWS on one of the us-west AZs.

The US is going at them with less vigor than a whack-a-mole torrent site de jure.

> In any case, this is a civil suit in federal courts. Even if State wanted to intervene, it would have to do so through informal channels.

But didn't we just agree that the federal court system is pretty toothless here without the support of the state department?

freejazz wrote:
The federal court could only ever do what a federal court could do, which is levy sanctions or judgments against NSO property.

monocasa wrote:
Against US based NSO property, practically speaking.

freejazz wrote:
"That enables the Feds to start freezing and confiscating assets, possibly even issuing arrest warrants. That happens domestically first and through treaties second."

It's a civil case.

mataug wrote:
Lobbying and political pressure with the result of this case being used as tool?

monocasa wrote:
More lobbying and political pressure than the Israeli government already exudes over the US? And NSO's clients too? Not likely.

JumpCrisscross wrote:
> _More lobbying and political pressure than the Israeli government already exudes over the US?_

NSO is already on the Entity List, a part of the U.S. sanctions regime. This has been amply discussed, but TL;DR they lost their friends in Washington.

monocasa wrote:
Did it affect them?
JumpCrisscross wrote:
> _Did it affect them?_

Anecdotally, yes. They lost their U.S. customer base. And bank and securities firms are closing their and their employees' accounts.

FridayoLeary wrote:
Apple sues NSO Group to curb the abuse of state-sponsored spyware

I'm quite cynical about this press release. The key point in the title is that Apple are cool with state-sponsored spyware, it's just _abuse_ of it that bothers them. Also why did they wait so long to file this. I don't think it's because they lacked evidence until now. Perhaps they think such a lawsuit is now expected of them otherwise they will lose face, and that they have the general backing of the public now. I remember some months ago showed that Apple already had grounds to sue for copyright infringement. Either way, Apple is stepping into a political minefield. Buy popcorn and expect fireworks. Big ones.

rStar wrote:
Apple makes their own hardware and software. Our devices are insecure by Apple's choice, making this "statement" and "lawsuit" utter farce.

einpoklum wrote:
*Apple VP of SW Engineering: "Apple devices are the most secure consumer hardware on the market"*

... except for how Apple sends a copy of all of your data that passes through their servers to the NSA. No, I'm not espousing a conspiracy theory, this has been brought to light by Edward Snowden's revelations. Now, we don't know how much of the data on Apple phones gets sent to Apple's servers, so it's not literally everything on your phone, but at least everything that's backed up remotely, and possibly more.

So, pot calling the kettle black.

---

*"to curb the abuse of state-sponsored spyware"*

Note that Apple is not saying "to prevent", only "to curb". But even worse than that, they're saying "curb abuse", not "curb use", as though that type of state spying is not inherently abusive.
---

*"State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,"*

Apple has a larger R&D budget than most world states. In fact, Apple themselves probably spend more money on sophisticated surveillance technologies than half the world's states combined. Certainly if we count things like dynamic image analysis from all those cameras on phones and cars and such. Why is an unaccountable foreign corporation better than a government? They're both pretty bad.

gbajson wrote:
"We have no clue how our software works, so we will sue you".

It's a disaster from any point of view. Also ineffective.

They could easily designate not 10M, but 100M for bug bounties and simply solve their problems.

14 wrote:
What about Apple's own spyware they were going to force on users to scan for CSAM? Did they ever make a final decision on what they were going to do with that? Update to iOS 15 is what they recommend but then it is Apple spying on you, not some foreign companies. I don't want either.

strict9 wrote:
It is great to see this happen.

It's also fascinating that the crux of Apple's case against NSO hinges on NSO engineers that accepted iCloud's terms and conditions.

From related NYT article:

> _The sample of Pegasus gave Apple a forensic understanding of how Pegasus worked. The company found that NSO's engineers had created more than 100 fake Apple IDs to carry out their attacks. In the process of creating those accounts, NSO's engineers would have had to agree to Apple's iCloud Terms and Conditions, which expressly require that iCloud users' engagement with Apple "be governed by the laws of the state of California."

> The clause helped Apple bring its lawsuit against NSO in the Northern District of California._

https://www.nytimes.com/2021/11/23/technology/apple-nso-grou...
fragmede wrote:
Is it great? The lawsuit is Apple trying to enforce the iCloud EULA to stop reverse engineering. While NSO Group created hacking tools, and then did some questionable things with them, do we really want those inane licenses no one reads, and everyone scrolls down to hit [agree]; do we really want them to be legally binding? Put another way, if it was someone HN _liked_, would we still say this is actually good? Because compared to the corporation known as Apple, NSO Group and its parent corporation are still "a little guy", and this move really doesn't seem like a good thing. Not for hackers in the HN definition of hackers, ie highly motivated tinkerers.

This community features not just fans of reverse engineering, but a number of practitioners, eg the popular Nvidia TSEC key extraction that was featured recently[0]. The defendant's actions make them an easy target, but, like the ACLU protecting the civil rights of murderers, because we still live in a nation of laws, I don't see this as great. This is a continuation of Apple's continued use of lawsuits to silence any challenges to their marketing of being the secure computer choice (eg Apple suing Corellium[1]) rather than their products _actually_ being secure.

[0] https://news.ycombinator.com/item?id=29315378
[1] https://news.ycombinator.com/item?id=28219278

JohnFen wrote:
> While NSO Group created hacking tools, and then did some questionable things with them

Wow, that's some serious softballing there. At a minimum, the NSO Group knowingly facilitates criminal activity. They shouldn't be treated as if they were a legitimate organization.

matheusmoreira wrote:
> do we really want those inane licenses no one reads, and everyone scrolls down to hit [agree]; do we really want them to be legally binding?

In this case the contract was made between two businesses.
Consumers deserve protection because they are naturally disadvantaged. Companies with fully staffed legal departments really have no excuse.

2OEH8eoCRo0 wrote:
A court can decide. Apple and many others have been harmed by this so it makes sense that somebody should be able to sue.

dylan604 wrote:
It seems many laws are written in the hopes everyone just agrees, but secretly hoping it is never challenged in court. The easiest hurdle put in place is standing in legal terms. That's one bit I have trouble with in how laws are challenged: if a bad law is enacted, it should be able to be challenged immediately through courts to knock it back vs having to wait for the first person to be directly affected by the law to also have the means to mount the legal challenge.

acdha wrote:
It's not just the iCloud terms of service, though -- they're using that to strengthen the case that NSO agreed to the jurisdiction of California courts but they're relying on the CFAA and especially the claim that the access to the users' device was not authorized by that user.

It would be really interesting to see what precedent comes out of this case and especially how that would affect a future case where Apple claims a violation of their terms of service but the user fully consented to that use.

xxpor wrote:
> they're relying on the CFAA and especially the claim that the access to the users' device was not authorized by that user.

What's their theory of standing to sue over damage to their customers?

Edit: the main point is this (from the CFAA count):

Defendants' actions caused Apple to incur a loss as defined by 18 U.S.C. § 1030(e)(11), in an amount in excess of $5,000 during a one-year period, including the expenditure of resources to investigate and remediate Defendants' conduct.
Apple is entitled to compensatory damages in an amount to be proven at trial, as well as injunctive relief or other equitable relief. See 18 U.S.C. § 1030(g).

ethbr0 wrote:
18 U.S.C. § 1030(e)(11) https://www.law.cornell.edu/uscode/text/18/1030

_"(11) the term "loss" means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service;"_

18 U.S.C. § 1030(g)

_"(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses [5] (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware."_

I assume "negligent" is used in the legal sense? But it'll be curious if NSO claims they're not liable for selling flaws that already existed in Apple *ware.

freejazz wrote:
They'd have to prove that Apple was negligent to sell software with flaws, but that's gonna be tough considering that much software has flaws.

ethbr0 wrote:
Agreed.
I'd assume that's what the large number of words related to "Apple demonstrates an outstanding security record, etc etc" is aimed at. And it's a fair argument: nothing is bugless.

tentacleuno wrote:
> They'd have to prove that Apple was negligent to sell software with flaws, but that's gonna be tough considering that much software has flaws.

It does carry a strange irony when Apple keep saying they have the best security after iOS has been very badly hacked by nation state actors, though. I'm not saying their security isn't good, but I would have rathered "we're fixing X things" than security hyperbole.

freejazz wrote:
Thanks for sharing your marketing preferences.

SavantIdiot wrote:
> Put another way, if it was someone HN liked,

I'm sure no one reads TSLA EULAs either.

theginger wrote:
What is great is it could bring some much needed clarity on the subject.

A ruling against the EULA might bring some clarity to the limits of powers tech companies have over us.

A ruling for the EULA might shine a light on the power these companies DO have and force governments to bring in laws to curb them.

It is not a good situation, where Apple / Microsoft could turn around and say to someone who broke the EULA, or perhaps even to someone who didn't, we are revoking our agreement, you can no longer use our software. Leaving them virtually unemployable in many sectors, and similarly they are in the position to absolutely cripple the vast majority of businesses with the same tactics.

ethbr0 wrote:
What normal people probably want is the state of affairs that historically existed:

Government (legislative) mandates via law what rights consumers are entitled to, that cannot be stripped from them.

Companies are free to request waiving or agreeing to anything not enumerated in the above.
What's broken down recently is that legislatures aren't doing their job of proactively mandating consumer rights, and consequently companies are requiring whatever they think they can get away with: forced arbitration, lease-not-own, arbitrary right to revoke usage grants, prohibiting user / independent repairs, etc.

kmonsen wrote:
Realistically speaking we have no legislature anymore.

ethbr0 wrote:
In what sense?

kmonsen wrote:
In the sense that new laws are really difficult to do in the age of polarization. So instead the executive branch issues orders and the judiciary interprets laws in creative ways.

ethbr0 wrote:
H.R.3684 (aka "Infrastructure Investment and Jobs Act" aka "INVEST in America Act" aka "the Infrastructure Bill") passed the House 221/201/8 [0] and the Senate 69/30/1 [1].

Admittedly not the best numbers, but not terrible either.

[0] https://clerk.house.gov/Votes/2021208

[1] https://www.senate.gov/legislative/LIS/roll_call_lists/roll_...

Barrin92 wrote:
> do we really want those inane licenses no one reads, and everyone scrolls down to hit [agree]; do we really want them to be legally binding?

For commercial interactions, in particular between two businesses? Yes, absolutely. How else are two entities supposed to come to legally binding terms without a contract? I'm all for a little bit of lenience when an end user didn't read the terms, but you think NSO group doesn't have a lawyer and just scrolls down and clicks accept?

The little guy isn't always right because he's little. If the little guy hacks my software to sell spyware to dictators and war criminals you bet I want the right to take him to court.

lupire wrote:
> If the little guy hacks my software to sell spyware to dictators and war criminals you bet I want the right to take him to court

Why? How are you the wronged party in this case? You are combining two separate things.
What if the little guy used your software as designed, but to sell to dictators and war criminals?

What if they hacked your software for interoperability with non-evil activities?

chrisfinazzo wrote:
(Not a lawyer, but this is the correct answer)

As much as people might look at this and think Apple is being heavy-handed, it comes down to the fact that iCloud, iOS, and the App Store are their IP and they can (within legal limits) set whatever terms they please.

Especially for these sorts of arrangements, it seems like a problem to me if the platform/IP owner doesn't have absolute, final discretion over what happens.

Giving them the right to destroy your business at any time or at least try very hard to make it unprofitable shouldn't be a surprise to anyone.

rektide wrote:
This sits so unwell with me, gives such limitless tyrannical & dictatorial control to a company.

> _As much as people might look at this and think Apple is being heavy-handed, it comes down to the fact that iCloud, iOS, and the App Store are their IP and they can (within legal limits) set whatever terms they please._

Agreed. That's exactly what it seems like. And that sounds like immoral, unjustifiable, sickening hell. That Apple gets to hold all the cards, no one else on the planet gets any say in how a device might be used.

It seems to me like the law is immoral. The law is heavy handed, an idiot, and wrong. And it seems like Apple is a user/abuser of unjust power which it does not have any moral or ethical right to wield.

> _Especially for these sorts of arrangements, it seems like a problem to me if the platform/IP owner doesn't have absolute, final discretion over what happens._

This sounds like a nightmare hell world to me. It contravenes the idea that any of us can ever be owners of anything.
This sounds like the logic that says that only Tesla can repair Tesla cars, the logic that says only John Deere can repair John Deere tractors. This is an anti-human world, this is a bad world, this is immoral, this is wrong, this destroys & rots away at humanity as a can-do toolmaker, as an improver of the world about them. It consigns power away to fragile, remote, limited corporations. That is not a world I ever want to let happen to us. I tend towards atheism/agnosticism, but if there is a god, this flies against what graces the gods have given us to let ourselves be constrained so. It is unnatural & against the spirit of the human enterprise.

I have no love for NSO Group. It feels great seeing such a group of shady, underhanded, anti-democratic punks get served. But this is absolutely going to be yet another move in the ongoing shift towards top-down combined technocratic/legal control. It's absolutely a demonstration of Apple wielding legal power to obstruct & defend that which it simply doesn't want to have to deal with, brushing aside something inconvenient. It's absolutely a battle over what terms of service mean & whether the world has any rights of their own. I for one am not cheering for Apple's victory in having their massive iron-clad armor further enhanced.

ziddoap wrote:
> _Agreed. That's exactly what it seems like. And that sounds like immoral, unjustifiable, sickening hell. That Apple gets to hold all the cards, no one else on the planet gets any say in how a device might be used._

I'm not a big proponent of IP, but you're basically saying it is immoral, unjustifiable, and sickening as hell that Apple enforces the rules that Apple wants on Apple products/services, which were created and offered by Apple? Who should be making the rules if not the creator and maintainer of the product/service? Why is using another product/service not an acceptable alternative?
I agree with the general direction of your comment, but certainly not with the same voracity that wouldn't allow my own company to create the rules for my own service offerings (within the confines of state/national law).

Caligatio wrote:
Replace "Apple" by any traditional car company and you should immediately become concerned. Shouldn't a car company have absolute, one-sided control over the cars they sell? Like should the car stop working if you agreed to obey the speed limit but then sped? Or stop working if you didn't use their branded fluids?

lioeters wrote:
..Or the warranty becomes void if you open up the hood of your car and try to repair/replace parts..

catlikesshrimp wrote:
The law works fine when there is no monopoly.

But since Apple has 50% of the market share, the law doesn't work well anymore.

rektide wrote:
This and more. I find it beyond farce that Apple & its adherents' chief defense seems to be that there are other people making products that aren't Lawful-Evil to humanity. If Google one day woke up and said, we're just going to try to do what Apple does to its users, there would be nothing left. This pretense that Apple's behavior is anything but anti-competitive, anti-trust worthy rings so hollow to me. The excuses that there are other places to go completely fail to wash for me.

It's as if these folks are saying the Carterphone victory was only won because AT&T was a monopoly. That's not how consumer rights work. That's not a solid enough platform for humanity to remain upright.

AnthonyMouse wrote:
> How else are two entities supposed to come to legally binding terms without a contract?

The question is what's the threshold for the existence of a contract. You both go into a conference room with lawyers and negotiate over the terms and sign it in ink, that's some pretty good yes vibes.
Somebody clicks a button on an un-negotiated text form in a piece of software, maybe it should take more than that.

> I'm all for a little bit of lenience when an end user didn't read the terms but you think NSO group doesn't have a lawyer and just scrolls down and clicks accept?

Tons of bureaucracies do exactly that. The boss says they need a way to do this thing, so some Danny from the IT department finds some software to do that thing, it's free or costs less than the amount he's authorized to spend from petty cash, so he clicks accept and installs it on the user's machine.

riedel wrote:
There's always the problem with a little one that has to accept the big one's terms. Actually in Germany and probably elsewhere there is clear jurisdiction on what is allowed in a terms and conditions type contract. It actually applies to any contract that is not created from scratch on an eye to eye basis. Other laws like the GDPR also restrict what can be part of a contract. So while nobody is reading all this stuff at least we have some assurance that it's not totally unfair. Otherwise it is typically safe to assume that companies try to shape everything to their own benefit. So it boils down to trusting a company in general.

Not being a lawyer and having no clue about US jurisdiction: I am really curious if this EULA thing works though. Normally under copyright law wrongdoing would just mean that your licence is terminated. Illegal use typically just requires paying damages twice the licence cost afaik. I would actually find it kind of scary if I could be pulled into any kind of jurisdiction about something not directly related to the contract just because I accepted a software licence agreement.

llamataboot wrote:
hmmm, I mean if we have to agree to things that are supposedly legally binding, I would like them to be so.
If they are not legally binding, I would like to know that and not have to agree to them.

Bud wrote:
Yes. We emphatically want the rule of law to persist, and for legal avenues to be open for combating conduct like what NSO Group has done here.

In particular, by any standard, it certainly seems reasonable for Apple (or even companies we don't like) to prevent _the use of its own tools and accounts_ for the purposes of attacking its products and attacking its customers. Especially when the attackers have explicitly promised not to do so.

voxic11 wrote:
They are just using the EULA as the basis for claiming jurisdiction. They are actually suing not to stop reverse engineering but rather to recover damages incurred by unlawful business practices. Basically their argument is that:

0) The defendants can be sued under California law because they accepted the EULA.

1) California law makes businesses liable for damages incurred by their unlawful business practices.

2) Business practices which violate any California or federal law are unlawful business practices in California.

3) The defendant violated the federal Computer Fraud and Abuse Act by hacking into users' phones.

4) Apple incurred damages to their reputation and from expenses related to mitigating the hacking of their users.

5) Therefore the defendant is liable for Apple's damages under California law.

So the defendant could have been fine if they had just done reverse engineering, or even if they developed the hacking tools, but actually using the tools against Apple's users in violation of the CFAA was going too far.

https://www.apple.com/newsroom/pdfs/Apple_v_NSO_Complaint_11...

brutal_chaos_ wrote:
Nit (maybe moot):

> 4) Apple incurred damages [...] from expenses related to mitigating the hacking of their users.
This sounds like no one should be a security researcher, for they risk paying companies to implement the security the company should have implemented anyway. Put another way, that also sounds like the corporate open source push, "We love open source because we don't have to support it, the community will!"

"4)" says the community will pay for/support security, just wait for the hack and make 'em clean it up. Mitigation costs shouldn't be a recoverable damage, they should be doubled and paid out to the victims...maybe that'll incentivise better security over dollar dollar bills y'all.

This all may be moot because this was a B2B action and I'm thinking from a non-monied, single user/security researcher perspective. What if the company was a non-profit security research group? Perhaps this is what the 90 day grace periods are for when dealing with responsible disclosure?

Anyhow, my ignorance must be showing at this point.

ethbr0 wrote:
From Facts(C),

_"60. Defendants force Apple to engage in a continual arms race: Even as Apple develops solutions and enhances the security of its devices, Defendants are constantly updating their malware and exploits to overcome Apple's own security upgrades.

61. These constant recovery and prevention efforts require significant resources and impose huge costs on Apple. Defendants' unlawful malware activities have caused and continue to cause Apple significant damages in excess of $75,000 and in an amount to be proven at trial."_

Hopefully the judgement is able to split the hairs between reputational and development harm to a company for security vulnerabilities, and harm to users for organized exploitation of those vulnerabilities.

The former feels like it _should_ be free speech -- statement of facts related to the company's product(s). The latter is an obvious wrong.
| LogonType10 wrote: | >This sounds like no one should be a security researcher | for they risk paying companies to implement the security | the company should have implemented anyway. | | No, read again, this only refers to damages from unlawful | activity. "White hat hackers" need not fear. | AnthonyMouse wrote: | Assuming they're lawyers who know every law and don't get | skewered by something like DMCA 1201. | shkkmo wrote: | I don't know of any legitimate security research group | that hacks user accounts they don't own. | | NSO hacked devices they didn't own and infected them with | spyware. Apple had to pay to repair / replace those | devices. | | I don't see how this sets any sort of precedent where | security researchers are liable for the costs of fixing | vulnerabilities that they uncover. | eganist wrote: | > I don't know of any legitimate security research group | that hacks user accounts they don't own. | | nit: "user accounts to which they're not authorized" | | I work with friends' accounts all the time provided they | authorized me to do so and provided I'm permitted to do | so as part of the vuln disclosure program terms and rules | of engagement, though I usually split the bounty with | them in a meaningful way to make it worth their while. | FridayoLeary wrote: | >0) The defendants can be sued under California law | because they accepted the EULA | | The Court | has personal jurisdiction over Defendants because, on | information and belief, they created more than | one hundred Apple IDs to carry out their attacks and | also agreed to Apple's iCloud Terms and Conditions | ("iCloud Terms"), including a mandatory and | enforceable forum selection and exclusive | jurisdiction clause that constitutes express consent | to the jurisdiction of this Court.7 | | I'm not a legal expert but shouldn't that be stupidly easy | to deny? | | Judge: Did you, NSO, agree to the Terms and Conditions by | pressing "I Agree"? | | NSO representative: No, Your Honor.
| | Apple Lawyer: Then how did you gain access to my client's | services? | | NSO Rep: A totally unrelated third party gave us 100 | unlocked iPhones as a free gift. We never saw the terms and | conditions, nor agreed to them. We can fully prove our | claims. | | Apple Lawyer: (spluttering) but... but... but... | | Judge: (bangs gavel) case dismissed! | | This is assuming NSO were far-sighted enough to actually | create such a paper trail. Also, since Apple is disputing | more than 100 accounts, maybe such a defence would be ruled | as improbable, or some other legal jargon. Maybe someone | better informed can chip in. | AnthonyMouse wrote: | > they created more than one hundred Apple IDs to carry | out their attacks | | Maybe the most interesting thing about this is how it | proves that their code signing system is worthless. If | the same bad actor can get a hundred Apple IDs to sign | literal malware with, why are they imposing this burden | on random small developers? | TillE wrote: | Nerds always want to interpret the law in some strict | pedantic fashion, but in practice this is almost never | how it works. Law is not applied stupidly or | mechanically, you can't fashion yourself some ad hoc | workaround unless you're extremely certain about what | you're doing, preferably with a mountain of precedent | behind you. | AnthonyMouse wrote: | Nerds always want the law to be consistent. Lawyers are | Machiavellian professionals trained in getting it to say | "heads I win tails you lose" for their clients, and often | succeed. | | That doesn't mean the nerds are wrong to want what they | want. | phkahler wrote: | >> They are just using the EULA as the basis for claiming | jurisdiction. | | IANAL but it's always seemed to me that if I reject the | terms of a EULA then the EULA doesn't apply to me. Pushing | the "button" does not mean anything because only the EULA | gives it meaning and I reject that.
| | 50 years from now if someone is doing software archaeology | and they go to install some software from a long gone | company, who does clicking the button form an agreement | with? Will it be legal to try that software? Can existing | software companies list people they have click-through | agreements with? These things seem like a bad joke in | practical terms. | eganist wrote: | > 50 years from now if someone is doing software | archaeology and they go to install some software from a | long gone company, who does clicking the button form an | agreement with? Will it be legal to try that software? | Can existing software companies list people they have | click-through agreements with? These things seem like a | bad joke in practical terms. | | I mean, this seems pretty easily addressed: | | I can't sign a contract with a dead company, can I? Well, | literally I can, but the agreement wouldn't be binding. | | Same applies here. Unless the entity still exists, in | which case congratulations, you're in a binding agreement | lol | AnthonyMouse wrote: | There are some practical problems with this. | | Suppose that Small Co sells the assets of a business unit | to Big Co. Do you now have a contract with Small Co. or | Big Co.? Small Co. no longer has the rights to the | software. Big Co. may not agree to the terms of the old | license. | | Suppose someone dies and their assets go to their heirs. | Do you now have a contract with the heirs? | | What if there are no heirs, so the assets go to the | government? Do you now have a contract with the | government? I can think of some fun terms to add to a | software license from someone on their deathbed if that's | the case. 
| SQueeeeeL wrote: | I like how suddenly the intense legal minutiae are the | most important details of a system as if we're in a | contract law class, as opposed to the obvious point that | in general these agreements are fairly obvious | AnthonyMouse wrote: | Making up rules without thinking about the consequences | of those rules is a Bad Idea. | SQueeeeeL wrote: | Edge cases aren't consequences; they're trivia. And at | the end of the day, our legal system is governed by humans | who interpret and argue. Until humans are perfect, we'll | never write a perfect law. | AnthonyMouse wrote: | "Perfection is impossible, therefore don't try" is a | dodge. | voxic11 wrote: | US contract law jurisprudence doesn't really seem to | support you here. | | > The mental assent of the parties is not requisite for | the formation of a contract. If the words or other acts | of one of the parties have but one reasonable meaning, | his undisclosed intention is immaterial except when an | unreasonable meaning which he attaches to his | manifestations is known to the other party. | | https://en.wikipedia.org/wiki/Lucy_v._Zehmer | leecb wrote: | > those inane licenses no one reads, do we really want them | to legally binding? | | What all would be possible if software EULAs weren't legally | binding? | | One thing that EULAs typically do is reduce liability for the | company producing the software. Imagine if Google/Apple were | liable for damages from all the miscommunications caused by | autocorrect? | roblabla wrote: | EULAs are also used to protect IP, such as by prohibiting | reverse engineering. Preventing reverse engineering would | prevent modding games, fixing bugs in software that isn't | supported anymore, security analysis, etc... In my view, | it'd be a net negative for society. | lupire wrote: | and if software business becomes unsustainable due to | piracy, that's also a net negative.
| chongli wrote: | There's a difference between clauses in an EULA that | release the software vendor from liability and those that | impose additional liability on the user. I think it's | perfectly fine for an EULA or "non-warranty warranty" to be | included in open source software. If a person or a company | wants to release software, they should be able to do so | without being held liable for damages caused by the user's | improper use of the software. | | On the other hand, if a click-through license can expose | users to a potential lawsuit then that fundamentally | changes the regime we all live in. It creates a world where | the countless pieces of software we all use on a daily | basis become hidden legal threats, lurking in the shadows | like so many snakes waiting to strike. That's not a world I | want to live in and I think most HNers would agree. | mistrial9 wrote: | I am a straight-up GPL coder and advocate, and I find this | line of reasoning difficult to support. Additionally, it is | a habit of lying, thieving security people to use every inch | of freedom that GPL-advocates give them.. really torn here | balls187 wrote: | > While NSO Group created hacking tools, and then did some | questionable things with them | | Such as selling their software to the Saudi Government which | in turn used the software in a highly targeted cyber attack | leading to the grisly murder of a dissident journalist? | dylan604 wrote: | If this is ruled in Apple's favor, can that be a stepping stone | to allow NSO to be charged with aiding in murder? | edge17 wrote: | I will just add, the author of the NYT piece has a book out on | this subject. The book is decent, has some cringeworthy | descriptions of technical things if you are a technical person, | but overall I learned a huge amount reading it.
| | A lot of the commentary, accusations, and opinions in the | comments here would be addressed or better colored if you're | interested enough to read her book | (https://www.amazon.com/This-They-Tell-World- | Ends/dp/16355760...). | | Also, just to be clear, one of the reasons I _like_ the book is | because it's written by a person that doesn't understand all | the deep technical aspects of these things. | threeseed wrote: | > has some cringeworthy descriptions of technical things | | Par for the course when trying to explain things to | non-technical people. | | People joke but you can see the thought process in explaining | to a politician that the internet is a "series of tubes" for | example. | sam-2727 wrote: | Reminds me of when the Oracle v. Google case was argued in | front of the Supreme Court on a series of metaphors, among | other things comparing Java to football teams: | https://www.theverge.com/2020/10/9/21506172/oracle-google- | ja... | amelius wrote: | So they used iCloud to spy on NSO? | | Sounds not right, regardless of what you think of NSO's | actions. | strict9 wrote: | No. | | The information on fake accounts was passed to Apple by | Citizen Lab, which discovered the zero-click vulnerability. | drdaeman wrote: | I guess they haven't done this, but isn't this trivially | mitigated by hiring someone to create the accounts, outside of | the US entirely, in a jurisdiction where T&C violation doesn't | mean anything? Especially if the accounts are needed in bulk, | where it makes sense not just to work around the legal | arguments but simply economically. | kingcharles wrote: | I was the victim of a state-sponsored attack. I took it to | court. I tried to subpoena the contents of the government | agents' iPhones but Apple came and filed a Joinder in Motion | and sent expensive lawyers to lie to the judge about the | judge's power to subpoena digital evidence.
The lawyer | specifically told me all he does is go around the country and | lie to judges to get them to cancel subpoenas. | | We introduced the T+Cs from one major online provider to show | how the government violated them. The government stipulated | that they had violated the T+Cs and that they had broken the | law. Two different courts both stated that government agents | are allowed to violate federal and state computer and data | access laws to conduct intelligence-gathering operations, and | they are certainly allowed to violate T+Cs even when a | violation of a T+C is a criminal act (which it is in many | jurisdictions). | | One thing that is lulzy is that I recently received a letter | from one government agency stating that the evidence I had | requested by subpoena was no longer available because they left | it on a server in violation of the T+Cs and never took a copy | of it and the provider deleted the account. | | It hasn't reached the appellate courts yet. | jp57 wrote: | > Apple came and filed a Joinder in Motion and sent expensive | lawyers to lie to the judge about the judge's power to | subpoena digital evidence. | | If a lawyer makes an argument in court about the law | governing a case (as opposed to the facts of the case), and | the judge accepts the argument, and the judge's decision | survives all its appeals, then the lawyer's argument is, by | definition, true. | | EDIT: I'm objecting here to the characterization of the | lawyers' arguments as "lying". The judge's "power" to subpoena | digital evidence sounds like a question of interpretation of | the law. Many (all?) US court cases have at least one | question of law in which the parties make opposing arguments. | One party prevails, the other does not, or maybe one party | prevails on some points and the other prevails on other | points. But however those questions are ultimately decided, | that's the law, as it pertains to that case.
In that context, | it seems very strange to characterize either party as "lying" | in such arguments. | | If, on the other hand, "the judge's power to subpoena digital | evidence" really means Apple's technical ability to produce | such evidence, then I would agree that those are facts about | which some statements could be considered truthful or not. | bannable wrote: | Case law, not truth. Judges do not decide fact. | dragonwriter wrote: | > Judges do not decide fact. | | Trial court judges in jury trials do not (in principle) | decide fact questions (though even that is misleading, | since they can decide "as a matter of law" that offered | evidence is insufficient for a particular fact conclusion | even over the jury's determination of fact, _except_ in | the case where that would be unfavorable to the defense | in a _criminal_ trial.) | | Judges in bench trials, and appellate judges in many | cases, do, in fact, decide matters of fact, though in the | latter case the usual rules are generally, but not | infinitely, deferential to trial court decisions. | nickff wrote: | > _" If a lawyer makes an argument in court about the law | governing a case (as opposed to the facts of the case), and | the judge accepts the argument, and the judge's decision | survives all its appeals, then the lawyer's argument is, by | definition, true. "_ | | This is a Kafkaesque and wrong understanding of the legal | system. There are all sorts of errors of law and errors of | fact that are non-appealable. | kingcharles wrote: | I think the poster above is right, certainly with respect to | the legal system in the USA. | | In the USA you often get one direct appeal - an appeal by | right - and then if that fails, a discretionary appeal by | a more superior court.
| | I've seen some bone-headed decisions made by the trial | judge, then the same error made by the appellate judges, | and you know the superior court would reverse, but they | only take 0.01% of the cases they see every year and so | they just don't have time to fix every mistake. So some | really stupid legal decisions become "the law of the | case" simply because society doesn't have the funds to | pay more judges to check the work of lesser judges. | threeseed wrote: | > sent expensive lawyers to lie to the judge about the | judge's power to subpoena digital evidence. | | You're being unreasonable here since it is a very grey area. | | If Apple is compelled for example to hand over encryption | keys to a judge (which often means a bunch of junior lawyers) | then that would infringe everybody's right to have their | information be secure. | fsflover wrote: | Perhaps you may want to ask https://eff.org for help. | kingcharles wrote: | I tried at the time, but received no response. | lotsofpulp wrote: | > and they are certainly allowed to violate T+Cs even when a | violation of a T+C is a criminal act (which it is in many | jurisdictions). | | Is violating a T&C criminal in the US, if the violating | action itself is not a crime? I have not heard of this. Are | there any examples that can be linked to? I thought it was | always a civil matter. | lights0123 wrote: | https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act | | Yes it is a federal crime, but was recently limited by | https://en.wikipedia.org/wiki/Van_Buren_v._United_States | haswell wrote: | US based? I understand if you can't divulge any specifics, | but I'm always curious about the nature of these attacks, | e.g. we know certain types of journalists/activists are often | targeted. | kingcharles wrote: | US-based, yes. | rasengan wrote: | Legal methods are a crutch at best. 
Apple would be wise to put | forth the same budget into their security team's research and | development and properly address these weaknesses. | kelnos wrote: | The problem is that this approach requires that Apple expend | enough resources for their security to be perfect all the time. | Outfits like NSO Group need only be lucky once (well, with some | consistency, as Apple finds and fixes the vulnerabilities they | use). | | It's a cat-and-mouse game where Apple has a distinct | disadvantage, one that's likely impossible to fully overcome. | | They certainly should (continue to) spend a bunch of money to | make their OS and hardware as secure as possible. But at a | point returns start to diminish, and perfection just isn't an | attainable goal. | speeder wrote: | Some people can even conclude from this that being evil is a | better idea. | | A fictional example: there is a character in Wheel of Time, | that realized that for the good guys to win, they must win | every time the bad guy attempts something, but the bad guy | must win only once (since his goal is destruction of the | universe), thus this character concludes that being evil is a | better goal, since you can keep trying until you succeed, he | imagines eventually he WILL succeed, as a matter of "when", | not of "if". | monocasa wrote: | Their lawyers are probably on retainer, or just straight up in | house counsel. I doubt it costs them any more than a rounding | error. | jmondi wrote: | Would your solution to weapons exporting be to have everyone buy a | bigger bunker? Doesn't it just make more sense to control the | export of weapons? | riseagain wrote: | Surprised to see this coming from the person that killed | freenode with questionable bullying involving lawyers and "life | ruining" consequences... | | Hypocrisy at its finest... | | For the record, I'm not sympathetic to NSO group either. | rStar wrote: | apple controls the hardware and software on apple devices. nso | does not.
this is public relations for apple, as much as a | holiday advert as any they put on tv. if apple wanted to | provide their customers secure devices, apple would provide | their customers secure devices. | rodgerd wrote: | Well, that's one way of outing yourself as someone who knows | literally nothing about modern computer security. | josh2600 wrote: | Ok normally I'd just let something like this go but I just have | to pull my hair out when I see a comment like this. | | The attack surface of software as complicated as a modern | operating system (iOS or MacOS, etc.) is simply too large to | lock down without dramatically hurting the user experience | (assuming you could actually achieve a lockdown in the first | place!!). | | Let's, just for a second, propose that apple went full Monty | and locked the whole shebang down with the kind of tech they'd | need to resist NSO. That's more custom silicon, signed binaries | everywhere, even fewer per-app permissions, literally treating | any piece of software running on the device as a potential | threat vector even more than they already do. What would this | get you? | | The BoM cost would go up, a lot. The cost of writing software | would go up, a lot. And perhaps worst of all: it would only | raise the cost of a chain of exploits, not eradicate it. | | Right now a chain of exploits is ~$5M on iOS. What if it was | $50M? Would that actually stop a nation state? | | I'm sorry but there's no world where Apple can make perfect | security. | | Finally, the cost of this lawsuit is a drop in the ocean | compared to what they already spend trying to secure the | software and hardware in iOS devices. | Sporktacular wrote: | "Right now a chain of exploits is ~$5M on iOS. What if it was | $50M? Would that actually stop a nation state?" | | Yes, some states yes it would. That could make it | unaffordable for many of NSOs clients. | | The result would not be perfect, just better.
| DSingularity wrote: | Apple will advance the security of their platform more by | suing NSO and lobbying the US gov to position the official | view of the US gov regarding nation-state sponsorship for | malicious software as reprehensible efforts which harm | everyone (eg like biological/chemical weapons). If the US | sanctioned Israel and critiqued them as reckless maybe fewer | countries will support organizations like the NSO group. | high_byte wrote: | if it was 50m there would be a significant increase in reports, | for sure. problem is Apple has a reputation for not paying | bounties... | matheusmoreira wrote: | > literally treating any piece of software running on the | device as a potential threat vector even more than they | already do | | Sounds amazing. Every operating system should be designed | this way. Only free software should have full access. | Proprietary software cannot be trusted and must be regulated | and controlled. | fsflover wrote: | > The attack surface of software as complicated as a modern | operating system (iOS or MacOS, etc.) is simply too large to | lock down without dramatically hurting the user experience | (assuming you could actually achieve a lockdown in the first | place!!). | | https://qubes-os.org | tptacek wrote: | You talk to a lot of people who use Qubes day to day? I do. | What have you heard about how Qubes life is? | fsflover wrote: | I am gladly using Qubes myself as a daily driver. Can't | recommend it enough. | tptacek wrote: | Hey, my Qubes friends keep using it too. I'm not saying | it's un-usable. Is dys-usable a word? | fsflover wrote: | This is a vague and unconstructive criticism. Perhaps you | could say something more to the point. | | In my opinion, most of the HN audience would be able to | use it to their benefit. | tptacek wrote: | That might be true! But it's not very relevant to the NSO | problem, because the mass market will not be able to use | it.
| rStar wrote: | > I'm sorry but there's no world where Apple can make perfect | security | | i think everyone knows that perfect security is not possible, | the operative word being 'perfect'. i think what we want is | for apple to 'actually try' to provide security, in some way | that results in security orders of magnitude better than we | enjoy today, which would still be miles and miles away from | 'perfect', vulnerable to nation state actors etc etc etc | josh2600 wrote: | Can you point to a single instance of a cellphone vendor | who takes security more seriously than Apple? | | Put a different way, is there any device with a high | monthly active user count that has a higher cost to | purchase a black market exploit than the iPhone? | | Apple can always do better. It should also scare the living | hell out of us that they're currently the best in the | world. | | My point is that if Apple can't secure your phones, who | can? It's enough to make one think about security through | obscurity. | ccouzens wrote: | > Put a different way, is there any device with a high | monthly active user count that has a higher cost to | purchase a black market exploit than the iPhone? | | I'm going to answer about operating system rather than | device. | | The selling price of an Android full chain with | persistence zero click is up to $2.5 million. The selling | price of an iOS full chain with persistence zero click is | up to $2 million. | | https://zerodium.com/program.html | | Both are better than any desktop operating system. | LogonType10 wrote: | This isn't the benchmark of how secure those systems are, | just a benchmark of how valuable exploiting them is. | Hypothetically speaking, iOS could be more secure, but an | Android exploit could be valued more if high-value | targets tend to use Android. Keep in mind that phone OS | usage varies quite a bit by country and wealth. | ccouzens wrote: | I was responding to a specific comment about prices.
| | You're right that the price doesn't fully correlate with | security. It will reflect supply (security and interest | of researchers) and demand (how much there is to be | gained by breaking into each platform). | | Android is more widely used, but I gather more money is | spent in the App Store than the Play Store. I don't know | the market share of "interesting" users. | | My analysis would be that the number shows they're not | that far apart. I'd be skeptical of anyone (i.e. Apple's | press release) saying that either platform is more | secure. Security is too nuanced to be expressed as a | total order. | LogonType10 wrote: | Agreed! Thank you for posting that Zerodium link. It's | always great to bring substantive data into a security | discussion. | fsflover wrote: | > is there any device with a high monthly active user | count that has a higher cost to purchase a black market | exploit than the iPhone? | | This is unfair, because there is a duopoly and the only | alternative on the mass market is Android. Of course in such | circumstances the exploits will be expensive, even if | security is awful. | | Ignoring this, Purism takes security more seriously, | because they give the user full control over the OS with | the possibility to replace/reinstall or harden it. In | contrast to that, the rarely updated iMessage is impossible | to uninstall on iOS. | kelnos wrote: | > _i think what we want is for apple to 'actually try' to | provide security, in some way that results in security | orders of magnitude better than we enjoy today_ | | That's a pretty tall order, and would likely result in a | device that is much more expensive and has a user | experience that users would not like. Assuming "orders of | magnitude better" is even possible, of which I am | skeptical. | tptacek wrote: | I co-sign this whole comment and answer the rhetorical | question: $50MM for an exploit chain would not stop a | state-level adversary.
Their alternative for these kinds of | operations is human intelligence; they'd pay more just in | health benefits to staff those operations. | snowwrestler wrote: | You're not wrong about the impossibility of perfect security. | | But Apple is praising and promising to support independent | security research in this press release. Meanwhile they have | a reputation among independent security researchers for being | standoffish, opaque, slow to respond, and even outright | hostile in suing Corellium. They settled that suit but the | reputation remains. | | Apple is the most valuable company in the world. They do not | appear to have the best security program in the world. | Whatever Citizen Lab can do, Apple should be able to do | better; they have a lot more resources and expertise. | | I'm not doubting that Apple puts a lot of effort into | securing their products. But it seems like they still have | significant room for improvement. | concinds wrote: | Seconded. There is a lot of low-hanging fruit that | would substantially improve Apple users' security that | Apple has not yet implemented, for example delivering | Safari updates independently from macOS updates and having | a seamless auto-update mechanism equivalent to every other | modern browser. Apple repeatedly claims that most malware | targets Android, which is true, but it includes Play Store | adware and side-loaded malware; if you only take RCE | exploits, which are the relevant class of malware here, one | could argue Android is as secure as, or more secure than, iOS. | I would argue the latter, given that Safari and iMessage | (as well as integrated WebKit webviews, like Apple Music) | seem like the primary attack vectors, and the ones used by | NSO; and that security updates to those components, unlike | the Android equivalents, are delayed to match Apple's | preferred iOS release schedule, instead of being | auto-updated separately and transparently to the user.
| nicce wrote: | One could also argue that, as Apple is commonly branded | as the "secure" alternative, high-profile | targets are potentially using their products. This might | mean that interest is much higher for attackers on that | side. They might not care so much about Android. | Increased interest and effort means that it is more likely | something is found. | | Also, Apple's sandboxing settings and permission management | make most malware pretty useless with App Store | policies (no sideloading), so only RCE exploits are kinda | useful. | | When it comes to iMessage, that is the most interesting | channel with Safari to deliver exploits, iMessage without | user interaction and Safari with some. All you need to | know is that the target is using an iPhone. Other non-default | applications as targets introduce new challenges. | iMessage and Safari being part of OS updates might | indicate that they are handled differently compared to | other apps - is the security policy the same, worse or better? Is | there a larger attack interface to the system by using these | apps? | miohtama wrote: | Recently | | https://arstechnica.com/information- | technology/2021/09/three... | jolux wrote: | > They do not appear to have the best security program in | the world. | | By what measure? That they don't find all the security | bugs? Have you seen what iOS exploit chains look like these | days? They're not exactly simple. I think there is | literally no amount of money that could be spent that would | eliminate all the security bugs in iOS, or Apple would be | figuring out how to spend that much right now. So yes, you | can always argue that they should spend more, and I'm sure | they do spend more every time something like Pegasus | happens, but it's not some grand revelation. This is just | how things are. | | > Whatever Citizen Lab can do, Apple should be able to do | better; they have a lot more resources and expertise. | | At the tail, this doesn't matter.
Other people find bugs | because there are _always_ more bugs to be found. There | will never be a situation where only Apple can find more | bugs in its operating system. | Sporktacular wrote: | It's not clear the user experience would have to suffer. | Maybe there are more groups doing for software architecture | what Signal did for messaging. Groups like Heiser's seL4 and | Qubes. As for expense, imagine how much more we would have | paid today, in real and opportunity costs, if over the last | 20 years everyone used this "no such thing as perfect | security" fatalism as the excuse to not just do things a bit | better. | kingcharles wrote: | Why not both? | jmull wrote: | As if there's a magic button trillion-dollar companies can buy | that, when pushed, removes all security vulnerabilities from | software and hardware, no matter how complex! | sorry_outta_gas wrote: | hah! that'll show 'em /s | Sporktacular wrote: | We need to target the pos engineers and management at NSO, | FinFisher, Hacking Group etc. who sell their souls for a fast | buck. These pricks are likely already setting up the next | corporate front for when this one collapses. Let's make the | mercenary business a cripplingly expensive line of work. | fortran77 wrote: | Apple enabled them by making insecure operating systems. Aren't | we on Hacker News all for the ability to side-load software on | your platform? | threeseed wrote: | Do you have some statistical evidence that macOS is | fundamentally more insecure than other operating systems? That | would be surprising to me given many controls e.g. application | signing I've not seen implemented on other platforms. | fortran77 wrote: | NSO seems to concentrate on making products for iOS | yuvadam wrote: | The framing of NSO as "state-sponsored" cannot be overstated, and | Apple didn't miss the chance to do just that. | | A hard blow to Israel's policy just as much as it is to NSO | itself.
| badRNG wrote:
| One could interpret this as: the software is "sponsored" by the governments that finance their operations and purchase their products. This would be countries like Saudi Arabia, Mexico, Germany, and Kazakhstan, not _necessarily_ Israel.
|
| Though the fact the US has sanctioned an Israeli business does seem to have potential implications for Israeli policy. [1]
|
| [1] https://www.reuters.com/technology/us-blacklists-four-compan...
| DSingularity wrote:
| NSO would not sell to those countries if the regional interests of Saudi/UAE were unaligned with the Israeli desires for the region. Israel wants dictatorships throughout the Arabian peninsula and turmoil within the borders of all of its neighbors. The NSO software helps advance Israeli interests on both those fronts.
| technobabbler wrote:
| Beyond merely selling their products to Israel, the NSO Group itself is an Israeli firm, founded by ex-Israeli intelligence, and whose products are subject to Israeli national export controls.
|
| https://en.wikipedia.org/wiki/NSO_Group
|
| That's a level of sponsorship way beyond simply being a customer... that's state espionage served with a side of profit. It's evil when the USA does it, it's evil when the Russians do it, it's evil when China does it, it's evil when Israel does it... but nobody does anything about it because all those states would prefer strong surveillance rather than rights for activists and journalists.
| einpoklum wrote:
| > Israeli national export controls
|
| A crash course in Israeli national export control:
|
| 1. You can sell everything except for nuclear tech (and maybe even that, I don't know).
|
| 2. If the client is not officially an enemy of Israel then do whatever you want, we don't give an f'ing f'.
|
| 3. If the client _is_ officially an enemy of Israel, then all sales must be conducted through official (secret) state channels.
Independent side-action will not be tolerated (see the cases of Nahum Manbar or Shim'on Sheves). This might be a hassle, but the upside is that the courts will uphold complete secrecy of your affairs and the military censorship (yes, Israel has that) will likely prevent any nasty exposés.
|
| 4. If the US throws a tantrum, then sections (1.) and (2.) are abrogated. But don't worry: there are plenty of generals and other high-ranking retired officers in key positions in politics, and a bunch of us are wanted for war crimes anyways with ICC cases pending, so... we're all friends here and we've got your back.
| nickff wrote:
| None of this seems like 'sponsorship' to me, it seems more like 'restriction' or 'regulation'. 'Sponsorship' implies that someone is providing a level of funding beyond just being a paying customer. Is there any evidence that the government of Israel (or any of the other governments you mention) is actually providing loans or share capital to NSO Group?
| high_byte wrote:
| my brother has a Vans sponsorship. he gets shirts and shoes, not money ;)
|
| you get my point?
| nickff wrote:
| I agree that the word 'sponsorship' has been quite diluted, as you point out, but it should mean something more than 'be a customer of'. Do I sponsor my local sports team when I buy tickets to a game? Am I sponsoring Netflix by subscribing? Do I sponsor my local government by paying property taxes? On the flip side, does my government sponsor me by granting a driver's license?
| Sporktacular wrote:
| I get bothered by the use of the term "nation-state" in this context.
|
| And I thought I was pedantic.
| nickff wrote:
| > _I get bothered by the use of the term "nation-state" in this context._
| >
| > _And I thought I was pedantic._
|
| I don't think I'm being pedantic; it seems like people use the word 'sponsor' in these contexts to exaggerate and vilify.
|
| Nobody seems to have used the word 'nation-state' in this post; what made you think of it?
| Sporktacular wrote:
| It's used throughout the comments and the topic generally. I don't call it out (for meaning a state with a single ethnic group) because I get the point being made.
|
| As for sponsorship, states sponsor their industries by providing labor trained at public expense, promoting them abroad through trade agreements, access to trade representation etc., so there the technical definition of sponsorship is met.
|
| The revolving door between Unit 8200 and surveillance startups is documented, as is Israel's courting of KSA and the UAE with access to intelligence sharing and capabilities as a bargaining chip. Most of all, it's just logical: why wouldn't they? It's good for the state and its industry. Just sucks for everyone else.
| threeseed wrote:
| The dictionary defines it more broadly than just money, i.e. support, advice etc.
|
| In this case it is clear that the Israeli government is sponsoring NSO.
| fortran77 wrote:
| The very Wikipedia article you linked to says that the NSO Group is owned by "Novalpina Capital". They describe themselves this way:
|
| > Novalpina Capital is an independent European private equity firm that focuses on making control equity investments in middle market companies throughout the continent. Novalpina Capital has a solution-orientated, entrepreneurial approach to investing and creating value in its portfolio companies.
|
| > Novalpina Capital was established by Stephen Peel, Stefan Kowski and Bastian Lueken in 2017. The Founding Partners bring combined experience of 48 years in private equity investing, including senior positions in the European operations of leading global private equity investment firms, and have a shared history of working together for nearly a decade.
| rodgerd wrote:
| Every Israeli citizen, except religious extremists, serves in the IDF or equivalent; if you look useful to the intelligence apparatus, that's where you'll end up.
|
| You literally cannot find an Israeli company that isn't founded, run, and staffed by people with military or intelligence links, unless you're only dealing with religious extremists.
| tzahifadida wrote:
| If you think that Israel is doing anything not sanctioned by the US government you are mistaken. In Israel NSO can't make a move without 7 agencies regulating it. This is considered a weapon sale. The same weapons the US sponsors Israel with and buys from Israeli industry. There is no way NSO will fail from this. So EULA or whatever, these are matters between states for national security interests.
| shmatt wrote:
| Yes, the many US government three-letter agencies would love to have full read access to every single iPhone in the world. It doesn't mean Apple needs to comply, or that doing so without a search warrant is legal in California.
| jjcon wrote:
| > the many US government 3 letter agencies would love to have full read access to every single iPhone in the world
|
| They 100% already do
| VWWHFSfQ wrote:
| Baseless speculation is not useful here. Especially when it's toned as some kind of truth.
| azernik wrote:
| You are extrapolating very tight Israeli state control of the Israeli arms industry (very true) to very tight _US_ state control of the Israeli arms industry, which is not actually how the relationship works.
|
| The US has influence over Israeli sales of Israeli-made arms, but this is costly to exert and only used sparingly. Historically, it's restricted to preventing Israeli arms sales to direct US rivals like China or Russia. When Israel sells guns to dictatorships in Africa or Southeast Asia that the US doesn't like, the Americans are perfectly willing to agree to disagree.
|
| EULAs and other civilian contractual arrangements are important here because these weapons were used against US civilians and US civilian property. When Soltam howitzers kill villagers in Myanmar, the US executive branch doesn't give a damn; but as soon as a US corporation (Apple) has to pay for warranty returns, the courts wake up and pay attention.
| einpoklum wrote:
| Actually, the US allows Israel quite a bit of leeway in its underhanded weapons and security services trade. There was that time when Israel almost sold AWACS systems to China:
|
| https://nationalinterest.org/blog/buzz/israel-wont-sell-awac...
|
| So, the sale didn't go through due to US pressure, but the point is that Israel not only contemplated it, but was going to carry it through.
| ribosometronome wrote:
| The US Government is not a single-minded entity. Covert actions sanctioned by balding old men in a dingy fluorescent-lit room can still end up quashed when they come to light and the courts get involved.
| sharklazer wrote:
| The only thing I can add to what you said is another cynical thought of mine, starting with the question of why Apple would waste the money in this case. And the only answer I can come up with is that they need to re-establish their image of "security". I can't help but feel, with various actions taken by them in recent times, that this isn't anything more than theatre, unfortunately. If they prevail, I wonder if it will simply be a case of Blackwater renaming themselves.
| boomboomsubban wrote:
| > why would Apple waste the money in this case?
|
| To set a precedent that they can claim damages for violating their terms and conditions.
| thetinguy wrote:
| Wait until you find out about Five Eyes and the run-around of the 4th amendment.
| melony wrote:
| Agreed, there is a channel for private entities to resolve matters of the state and that is via lobbying the executive or the legislative.
Going after Israel's outsourced intelligence technology research group via the judiciary branch risks Apple being caught in the political crossfire. Apple, at the end of the day, is not Blackwater; they do not have any form of influence over force if things really hit the fan. Israel isn't a South American banana republic that can be easily overthrown by private corporations either. To put it in perspective, how would you react if (hypothetically) Lockheed Martin got sued by Yandex because one of their missiles blew up a self-driving car being tested in some far-flung Central Asian state? Do you expect Lockheed Martin to be bound by contract law in the city of Moscow and for the matter to be settled via civilian lawsuit or arbitration?
| udev wrote:
| The amount of time that Apple sat on this is telling.
|
| First reports on NSO activity are from 2016, Facebook filed in 2019, Apple's iOS 14.8 fix was released in Sept 2021.
|
| Only when the constant negative news about NSO started chipping away at their reputation did they decide to make this symbolic (and ultimately ineffective) move.
| reaperducer wrote:
| Read the New York Times article. It says that Apple was only able to file this suit because of a court ruling in a similar suit by Facebook and because it was given code that showed it how Pegasus works.
|
| There is nothing at all "telling" about Apple's timing.
| udev wrote:
| I am all for Hanlon's razor.
|
| But it reads to me as: Apple's legal team has to act because the Facebook suit (and the info made public) makes it impossible to say that "Apple was not aware" of such and such details.
|
| To me it is much easier to believe the above, compared to your "Apple is only now seeing this info, and only now is aware, and only now can act".
| freejazz wrote:
| Look, if you don't know how legal standing works, that's one thing.
But to reject the explanation provided to you and to cite your own ignorance as a legitimate source of disbelief while you poo-poo away a dispositive fact isn't reasoning.
| udev wrote:
| Apple has known since at least 2016 of NSO activities on their devices and servers, while selling this image of privacy competence.
|
| This long period of inaction, from 2016 to now, is unacceptable.
| freejazz wrote:
| It's as if you don't get the point about legal standing. Apple can only take action now because of a court deciding that Facebook's TOS forum clause is actually binding. If they had filed the case prior to such a holding, it'd have been dismissed.
| spiderice wrote:
| Sounds to me like GP really WANTS this to be "telling", when in reality it obviously isn't.
| udev wrote:
| What if Facebook never filed? Would Apple never be able to act on this?
|
| If they would have acted, why didn't they do it before Facebook?
| freejazz wrote:
| "What if Facebook never filed? Would Apple never be able to act on this?"
|
| If there wasn't precedent that Apple's TOS venue clause was binding, then the case would have been thrown out, as I just previously explained.
|
| "If they would have acted, why didn't they do it before Facebook?"
|
| Because the case would have been dismissed, as I just explained.
| udev wrote:
| Before Facebook filed, was there precedent for their TOS?
| freejazz wrote:
| No, but Apple probably didn't want to spend 4 years litigating the TOS issue prior to ever reaching the merits. There's also the risk that they lose the TOS issue.
| [deleted]
| cronix wrote:
| I think it also didn't hurt for the US Dept. of Commerce to add NSO Group to the Entity List for Malicious Cyber Activities just 2 weeks ago. It certainly doesn't hurt your case for the US Gov't to officially list them.
|
| > NSO Group and Candiru (Israel) were added to the Entity List based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers. These tools have also enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent. Such practices threaten the rules-based international order.
|
| https://www.commerce.gov/news/press-releases/2021/11/commerc...
| rStar wrote:
| except that it's curiously well timed for this news to drop at the beginning of holiday shopping, like an advertisement, or possibly, this is pure marketing. nso and apple are partners. apple leaves holes, nso exploits said holes.
| tpush wrote:
| Conspiratorial nonsense.
| rStar wrote:
| unless you understand how tech, business, governments and security services work, then not so much
| haswell wrote:
| That's a pretty massive thing to imply without any followup. As someone who understands how tech, business, governments and security services work, care to enlighten the rest of us?
| DisjointedHunt wrote:
| I've been heavily critical of Apple for their on-device scanning plans but credit where it's due. This act hopefully exposes the sheer abuse of public funds to find and exploit vulnerabilities, and somehow those same vulns find themselves in the commercial domain, available to the fucking despots in the Middle East and wherever else?
|
| It's about time those that took the oath to protect the nation from harm step up and do so instead of creating a million more problems by shipping these exploits off to a later time while they sit on them.
| suthakamal wrote:
| I think the most important part of this announcement (I cried genuine tears of joy when I read it) is that Apple is committing to give Citizen Lab whatever they need. That kind of internal access to Apple's people and infrastructure is tremendous.
|
| I've never heard anyone but a despot (or vendor to despots) claim anything untoward about Citizen Lab; it sure seems like they're genuine "good" folks. They do great work, and they'll do better with support and access. The announcement makes it sound like Apple is willing to offer similar support to other good actors. I imagine Apple putting the word out will yield a few more.
|
| It raises - again - the question of what we expect from big companies vs governments, and questions of sovereignty. Where's the line between supporting good work and cyber vigilantes (if it's not a thing today, it will be, and what will society's place be with respect to them)?
| lehi wrote:
| Only curbing "abuse" implies that "normal use" of state-sponsored spyware remains kosher.
| miohtama wrote:
| > Apple believes privacy is a fundamental human right, and security is a constant focus for teams across the company.
|
| This is in the press release. It is missing the bit "except in China."
| Sporktacular wrote:
| +1
| rStar wrote:
| apple builds their own hardware and software. security, or lack thereof, is clearly apple's choice. apple blaming nso here is pure public relations and optics, nee propaganda, which many on this board drink like the kool-aid it is. it's confirmation bias.
| kevinh wrote:
| Ah, yes, Apple just neglected to flip the security switch on.
| smoldesu wrote:
| They certainly haven't flipped the "US-sanctioned spyware" switch off.
| jbverschoor wrote:
| Thank you, Tim
| khana wrote:
| Better yet Apple, write better software.
| sekura wrote:
| NSO is pretty well covered by Darknet Diaries:
|
| https://darknetdiaries.com/episode/99/
| https://darknetdiaries.com/episode/100/
|
| I have no sympathy for NSO.
| daneel_w wrote:
| Great. Also, don't forget to secure your operating systems, which is the root problem.
| ksec wrote:
| I guess I am getting cynical. What is the context which triggered Apple to sue them _now_, and not any time before?
|
| And what if NSO Group closed the branch in the US? I assume you can't really do anything to an Israeli company.
|
| Because half of it reads a lot like a PR piece to me. And Apple easily gets the marketing message response they wanted. They are fighting "_State Sponsored_" spyware. The privacy message they are sending out (fighting on behalf of their users), in the midst of a worldwide App Store battle and anti-trust.
|
| And I am willing to bet this message will be used in their future PR messaging when they discuss it in anti-trust to gain public support.
| cwkoss wrote:
| NSO Group and any organization who does business with them should be placed on the OFAC list
| jmull wrote:
| > What is the context in which trigger Apple to sue them now, and not any time before?
|
| Apparently Facebook has a similar suit against NSO and just had a significant ruling go their way. NSO had claimed they were immune since they were acting as a foreign government agent.
|
| I'm guessing Apple was waiting to see how that ruling went before proceeding, since if NSO had won Apple would have to take a completely different approach.
| aborsy wrote:
| What does state-sponsored mean here exactly? Is NSO supported by Israeli intelligence?
|
| And if charges are laid against NSO, will its sponsors be charged/sanctioned too (for sponsoring terrorism)?
|
| If this were a company in another country, the reaction would have been totally different (in some cases calls for bombing would have been made, and continued for decades).
| givemeethekeys wrote:
| I think it means that they're pissing in the wind and hoping that the direction is away from them.
| michaelbuckbee wrote:
| Ellsworth is a personal hero of mine - incredibly smart, wildly talented and has a real vision for this space.
|
| All that being said, it's a nightmare of a space, which is why I don't think there's been a big funding event for Tilt5.
|
| "Meta View" was an AR company that raised $75mil, had a star-studded list of VR/AR technology folks, only ever shipped a couple thousand units and now is defunct.
|
| Magic Leap raised $3.5 Billion and now has given up on shipping a consumer device (Enterprise only).
|
| Microsoft's Hololens exited consumer applications even earlier, enterprise only.
|
| Oculus Quest is the most successful consumer VR tech (about 5 million sold) but it's really unclear if they're anywhere close to turning a profit and they've spent tons to try and jump-start game developers in VR.
|
| Tilt5 would require games to be made from the ground up, large volumes of orders/units to be profitable, and even if all that came together could still be kneecapped by chip shortages and supply chain issues.
| ksec wrote:
| Wrong thread?
|
| Edit: I guess it is for Tilt-5 Was Magical [1], I copied your reply over there.
|
| [1] https://news.ycombinator.com/item?id=29317390
| davidf18 wrote:
| This is amazing publicity for NSO.
|
| If NSO is able to crack Apple's security you can bet the NSA, Chinese, Russians as well as Israel's Mossad are doing much the same.
|
| With this lawsuit, Apple is basically admitting that they need lawyers and not engineers to combat the hacking.
|
| But suing NSO would not stop the other agents from hacking Apple.
|
| That is why it is best that Apple spend $100 million or more to harden their software's cybersecurity.
|
| In addition, Apple should offer $1 million awards for breaking their security.
|
| One should also ask how many lives were saved from terrorist attacks by NSO. That would be an interesting story.
| null_object wrote:
| Wow, you have to be on HN to see Pegasus portrayed by some people as 'the little guy' fighting 'evil' Apple.
| [deleted]
| elzbardico wrote:
| In a just world, Israel should suffer sanctions for sheltering what is basically a criminal enterprise.
| 0xcde4c3db wrote:
| Anyone have a sense of the odds that the state secrets privilege gets invoked, and if so how damaging it's likely to be to Apple's case? Most examples involve a government entity being a party to the case, but the privilege did shut down a patent infringement suit between private entities not too long ago (_Crater v. Lucent_) [1].
|
| [1] https://www.wired.com/2005/09/secrecy-power-sinks-patent-cas...
| dinkblam wrote:
| Meanwhile Google happily continues to run ads for malware like the infamous 'MacKeeper'
| notyourday wrote:
| Apple simply needs to exercise its right to deplatform everyone who works for NSO. Oh, and deplatform all government wonks of the government of Israel, as it is allowing NSO Group to operate.
|
| Life in 2021 is very difficult without a smartphone. In fact it is so difficult that if working for NSO comes with a "no smartphone forever" sticker, NSO won't be able to find people to work for it.
___________________________________________________________________
(page generated 2021-11-23 23:00 UTC)