> Lone wolf creepers or quasi legal harassment companies have access to similar tools.
I would take that for granted, as I do with any government, including mine. But thinking that you're more likely to be kept under surveillance by the same government -no matter the color- you fund with your taxes, than some private or foreign entity, makes this even more revolting.
Makes one wonder whether nationalism was invented as a tool to throw smoke in the eyes and minds of people so that they can't see their rulers for what they really are.
Cheaper than ever for anyone to spy on anyone else, especially with the social media Skinner boxes out there with hardware frontends. Getting cheaper by the day…
It continues to strike me as a little odd that (AFAIK) there's no mention in The Guardian's reporting of this story of the parallel technology[1] sold by Gamma Group[2] and licensed for export by UK to several suspect regimes[3].
Extensive (40G) information on this was leaked via reddit in August 2014[4], and the leaker noted[5]:
> I assumed the hacking would be the hard part and once I got the data it would just kinda go viral on its own or something. But it turns out without any media access or idea how that shit works, getting people to notice or care is actually kind of hard.
------
1:
"FinSpy Mobile. Version 4.4, released in Q4 2012, has the ability to collect data through Skype across iOS, Blackberry, Android, and Windows Mobile platforms. An updated Version 4.5, released in Q1 2013, included the ability to target emails, calendars and keylogging of Windows Phones, and an updated ability to collect data through the camera of a Blackberry or iOS phone."
I think there is a licensing procedure in the UK and Germany (Gamma Group) and Israel (NSO), and lip-service to the idea that it's forbidden to sell to repressive regimes, already.
The big deal with the NSO story is the 50K target names, I think, and it is a big deal, but you'd expect in a supposedly oppositional paper like the Grauniad, that there'd be some mention of the current UK government's spotty record in this very department, and a sense of the history of the abuse of this technology. I'd have a hard time believing that any of this is news to the journalists reporting the story.
Countries have very little interest in regulating these groups because of the value of fourth-party collection.
If Israel for example provides software to Morocco that is used to spy on Algeria, Israel gets free intelligence on Algeria. It is even more valuable than directly spying on Algeria because it is absolutely deniable and may target foreign spies or terrorists that might not have been on Israel's radar to start with.
While spying on journalists and NGOs is horrific from a human rights perspective, it is sadly of little significance to how the intelligence game is played.
20 years ago I discovered antivirus software did not detect spyware by design. So never ever trust software that is not FOSS. Use FOSS with reproducible builds to be a bit safer against these weaknesses created by design.
Sadly, most people when hearing this will prefer to argue to the death to support their "choice" of ${favorite giant corporate product} and try to tell you "you're just being paranoid". We live in a world where a great many people will accept the most outlandish conspiracy theories as undeniable fact with little to no supporting evidence, but when you try to warn them about real and verifiable concerns, it doesn't matter how much proof there is… You're automatically wrong in their eyes. What's more terrifying than that? Some of those people hold positions of great power in this world.
We've got to get to them before Microsoft and Google do. Teach Linux in schools and about the importance of FLOSS. In my school in California it was all Windows in the 1990's and 2000's.
> In my school in California it was all windows in the 1990's and 2000's.
Yeah, it was that way even before that. Microsoft and Apple got into a "donation war" tryin'a get their corporate garbage into schools back when I was a kid. Looks like Microsoft largely won that war. Hard to fight multiple generations deep corporate brainwashing.
Ah yes, the efficiency of the free market. Where companies with deep pockets get kids hooked on their product early so they can abuse them for the rest of their lives.
In these cases I think administrative oversight of broad and long term benefits to society is important, rather than the more narrow decision of "this choice will benefit next year's budget". Early offers by Microsoft were in a way a trap that kept schools and students paying for decades.
I suppose I specifically mean free-market thinking applied to government services. This would be a symptom of neoliberalism. [1] Allowing discounts from private corporations to influence government policy, instead of looking at what would be best from a broader perspective.
Eh, I mean, I grew up with Macs at home and school and have definitely seen the light of free/libre software. That said, it took a long time, and it was also largely because I have always been quite conscious of privacy (and to a lesser degree, security). It is still indeed an uphill battle for all the "I have nothing to hide" average people who just act like you're paranoid for even bringing up the subject of privacy.
> Do you have an example of someone who holds that belief?
Which belief? The belief that corporate spyware devices and software are infinitely superior to anything in the F/L/OSS world? I literally can't escape 'em. Especially in "gamer" circles, I get endlessly hassled by Windows users tryin'a convince me with decades old Steve Ballmer FUD that Linux is inferior junk and a cancer on the software industry, and that I should just switch to Windows.
> That feels like one of those stereotypes that people are sure exists but actually doesn’t.
Sadly, you name a stereotype, and I promise you there's people out there that'll do their best to prove that stereotype true. Cryin' shame, because they're just doin' harm to an entire group of folks who never asked for it, and harming an entire other group that believes false stereotypes are true by reinforcing their wrongness with "proof".
As to the bein' called "paranoid" from my earlier comment, it happens to me frequently when I try to talk to people about backups, network security practices, or passwords, and I'm not alone there. I've had more'n a few discussions with other IT folks who've met frequent resistance to security ideas until after there's been an issue, and then the "people in charge" still generally wanna seek the absolute minimum solution they can get that they think would cover their asses, even if it's nowhere close to enough of a solution for the problem at hand.
>Sadly, you name a stereotype, and I promise you there's people out there that'll do their best to prove that stereotype true.
The point is that it takes more than just a few people to validate a stereotype; otherwise, I could make up any stereotype I want, and by your admission, it would be valid. But that isn't how stereotypes work.
>The point is that it takes more than just a few people to validate a stereotype; otherwise, I could make up any stereotype I want, and by your admission, it would be valid. But that isn't how stereotypes work.
The point wasn't to have a discussion of the semantic definitions of what makes something a stereotype, GP was merely asserting that such people might not actually exist and asking for an example. An example was provided.
An example wasn’t provided. A claim was made. That is not proof. I’m talking about a blog post, a Twitter thread, or something other than mere “trust me they exist” levels of proof.
Yeah, I'm not going to go do your research for you when literally ten seconds of Google search (yes, I do know what "literally" means, and no, I still won't waste the ten seconds doing your search for you if you can't be bothered to put forth even that much effort to support your assertion that I've never come in contact with these stereotypical FUD-spewing corporate product fanbois) can find you countless examples of exactly the type of hateful posts I describe. I've already wasted far more than ten seconds on this and now I feel bad for having even tried to engage in conversation on the topic.
If I cared to dig up actual examples I could link, I've numerous trolls that follow the word "Linux" around gaming forums spouting Ballmer-era anti-Linux FUD at every opportunity, just to begin the endless thread of examples, but the entire mentality sickens me and I'm actually trying to extricate myself from the Troll-pit that keeps wanting to drag me into pointless discussions of why A is better than B, when the true fact is that operating systems are tools to launch and run software. Use the one that lets you get your job or activity done in the way that works best for you and leave other people to their choice of tool if it's workin' to get their activities done for them.
The burden of proof is upon you, the person who made the original claim. As you are unwilling or unable to provide such, the only reasonable conclusion to make is that your claim is false.
>The point wasn't to have a discussion of the semantic definitions of what makes something a stereotype
That wasn't my point either, so we're all in agreement. We're talking about whether or not the stereotype is valid here, so it would be a good idea to use the term correctly instead of using a made up definition. "There's people out there" doesn't cut it.
One person living up to a stereotype is sadly enough to validate that stereotype in the eyes of those who want to believe that stereotype is true. If a certain group of people want badly enough to believe a stereotype, they'll freakin' track down that one and point them out as proof of their belief.
What kinds of examples do you want? A comment that someone bookmarked?
Maybe the Baader-Meinhof syndrome will kick in and you'll start noticing Proton Mail/VPN users or anybody that drank some YouTuber's VPN Kool-Aid trying to bargain for impossibly damning evidence about their particular service instead of recognizing the flaw in the entire concept.
Since the telemetry is opt-in, some people disagree that Audacity should be called "spyware" for including it as an option. From the original pull request:
> Telemetry is strictly optional and disabled by default. No data is shared unless you choose to opt-in and enable telemetry.
> Since the telemetry is opt-in, some people disagree that Audacity should be called "spyware" …
I could totally see that I guess… My point was more that the way folks reacted to that would probably be a pretty accurate indicator of how well "open source spyware" would be likely received. ;)
> It resulted in a spyware/telemetry free fork. Which is how free software spyware will generally go.
Pretty much exactly my thinking on the topic. It also resulted in them changing and/or clarifying some of the things they thought were the cause of the complaints. Still led to a fork anyhow.
I sure do hope not, but these days it sometimes seems like too many humans are waiting for any excuse to chop each other to pieces (figuratively and literally).
Classifying such technology as military weapons would begin to address a number of international and national concerns with for-sale-malware (aka spyware).
The use of such military weapons by civilians (or civilian police) against civilians becomes more obviously ban-able.
While I agree that the trade in these tools is reprehensible, I worry about creating a new class of software that is prohibited to possess or trade in. It wasn't so long ago that strong encryption was labelled a 'dual use technology', and moving it across national borders was non-trivial.
How long will it take for pentesting tools and end-to-end encryption to be labelled 'military weapons' under such a scheme?
I worry, too. Regulators do hatchet jobs when it comes to software law. But slippery slopes aside, it's pretty clear that selling tools to take over phones en masse is a bad deal for free societies.
Here's what we will find next: military and political leaders' phones have also already been compromised by NSO Group tools. I feel confident it has happened at a higher rate than among journalists. Imagine both your favorite and your most hated political firebrands: how will their rhetoric sound when they realize they've been pwned by the opposition for the past year using COTS tools?
I don't think it's that hard of a sell. The size of the weapon doesn't really matter; there are firearms that aren't much larger than a thumbdrive (i.e. pen guns). On the other hand, there's a longstanding tradition of military technology that is designed to destroy the enemy's infrastructure rather than to directly kill enemy combatants.
The closest parallel is probably an EMP strike. They're designed to inflict 0 casualties, but they cripple the enemy. That mirrors the usage of offensive software; they don't inflict any casualties directly, but they can ruin supply chains, remove communication capabilities from the enemy, etc.
They probably deserve to be classified as weapons, and banned by a subsequent law. I think the government has a compelling case that would almost certainly pass strict scrutiny. It seems a logical place to put them, because they are dangerous, and the strict scrutiny puts an onus on the government to use the least restrictive means possible to legislate them. I fear the alternative is that they aren't classed as weapons, and we get some overly broad CFAA type legislature that threatens to penalize security researchers.
Calling something a weapon does not satisfy the applicability standards outlined in SCOTUS case law.
SCOTUS says that the 2nd applies to weapons which are “bearable”, i.e:
> “[w]eapo[n] of offence” or “thing that a man wears for his defence, or takes into his hands,” that is “carr[ied] . . . for the purpose of offensive or defensive action.”
Which meets the above definition 1000x better than software. Not that it matters, the 2nd amendment does not restrict congressional ability to legalize anything. It only prohibits restrictions.
Prohibiting certain software doesn't solve any problem. Did US prohibiting the export of strong cryptography solve any problem?
Instead, we should rather harden the security of our computers. I consider all smartphones insecure. Anybody who owns or relies on smartphones is just trading security for convenience.
I will never want to own or rely on a smartphone... or a phone at all.
Chemical weapons were easily banned because they are almost entirely useless as long as you have access to conventional weapons. They are expensive to store, very inefficient for actually killing the opposition, easy to guard against, have a higher chance of turning back on you, and will slow your advance if you use them in an attack. They are at best a tool for terror or desperation.
Think about the Tokyo metro attacks and, not to minimize the tragedy, how many more lives would have been lost if they had detonated similar quantities of explosives instead of spreading sarin gas; and that is inside a closed tube, with no protection whatsoever and with most victims receiving no medical care until many hours later, as hospitals were entirely unprepared for a gas attack.
Good points. I do wonder about next-gen chemical/genetic weapons that advanced countries could create with the motivation though.
Like some crazy airborne virus but only the good guys™ have the antidote/vaccine.
>how many more lives would have been lost if they had detonated similar quantities of explosives
Wasn't it just a few guys with suitcases, and I think one of them didn't even puncture the container? With conventional weapons there might be more deaths but maybe not.
It's possible, but still unlikely to be as effective or safe as bombing your target to the ground.
> Wasn't it just a few guys with suitcases, and I think one of them didn't even puncture the container? With conventional weapons there might be more deaths but maybe not.
They had several liters of sarin gas, most of which was splashed on the ground entirely. If they had had some way to spread it as an aerosol the death toll would have been much greater, but still sarin is apparently the most volatile nerve agent, so even in liquid form it evaporates relatively quickly.
Even so, if they had started a fire with a few liters of fuel, even without an explosion, they would have probably killed more than 14 people. If they had pulled out guns, or detonated bombs, the death toll would certainly have been worse.
This is somewhat of a tangent but I think hoarding zerodays should be illegal for an individual, company, or state. It would be seen as highly irresponsible if someone held back critical information about a vulnerability in a dam, I don't see how a zeroday is any different.
What is especially stupid is that the US does this as well, while they're the ones who are the most vulnerable. Just look at the debacle with WannaCry. These attacks come from countries who have a lot less to lose than the US, yet the US insists on throwing stones from their glass house.
A trade ban wouldn't help because instead of having 2 or 3 spyware products you would have 20 or 30 domestically produced spyware products. Or in other words, every nation would try to make their own national spyware. Now they outsource it, so you can easily pinpoint who the producer is.
Is the existence of this product not completely offensive to Apple? If I were them, I would be looking for ways to sue NSO, or otherwise to obtain the Pegasus software and patch all of the vulnerabilities it exploits.
Every single government uses such tools. The ones that don't likely have bigger problems such as sustenance, lack of electricity, etc.
What people should be looking at is the crazy amount of Israeli presence in the so-called cyber security sector. I can think of a few such companies that literally spy on and track hundreds of thousands of people all over the world. The government is using their services and therefore lets them do whatever they want.
I know a few guys working for such companies. No longer friends with them. Works for literal evil. No better than military types.
> What people should be looking at is the crazy amount of Israeli presence in the so called cyber security sector.
Limiting the ability of nations to export this kind of capability as a product for other entities to use is precisely what "trade ban" would do.
You're right that a trade ban won't affect the ability of nations to develop and deploy their own spyware, but most of the targets in the Pegasus dump seem to be of people peripheral to smaller governments that don't have this kind of capability themselves (which is exactly why they buy it!).
For a start, yes. Also Israel, of course, and anywhere else countries host these kinds of malware companies. A trade ban would inevitably be best implemented via a treaty, but there's no reason unilateral action can't happen first.
I can't tell what your point is, exactly. You're just making a cynical point that this won't work so we shouldn't even try?
> Nations that want to do this will do it, and trade bans won't stop them.
Again, that's experimentally false. Saudi and Mexico didn't develop their own home-grown spyware. They bought an Israeli product instead. This stuff is harder than you think.
This stuff is vastly easier than traditional weapons development.
If you're in a precarious political position, a homegrown entity that produces these tools can quickly become a threat; the citizens you train/employ will have their own political ambitions, nationalistic tendencies, empathy for their fellow citizens, etc.
There are most certainly situations where it's safer to just outsource your natsec/tradecraft to an entity that only cares about their bottom line.
> This stuff is vastly easier than traditional weapons development.
Saudi and Mexico don't produce many homegrown weapons systems either. Again, non-proliferation is well-travelled territory. In fact most of these things are not something small governments will have access to if big governments don't give it to them. And treaties restricting trade in these things are known to work.
https://www.bbc.com/news/technology-50166147
Lone wolf creepers or quasi legal harassment companies have access to similar tools.
https://www.nefariousjobsmain.com/the-works
https://www.vice.com/en/article/ppmpe8/a-revenge-for-hire-bu...
Although of course the state sponsored aspect of this is very real too, and the greatest threat.