return to table of content

WhatsApp forces Pegasus spyware maker to share its secret code

rdtsc
55 replies
20h6m

Initially, the NSO sought to block all discovery in the lawsuit, "due to various US and Israeli restrictions," but that blanket request was denied.

Interesting approach. The court could probably care less about Israeli restrictions as it's a different country.

Officially US govt blacklisted Pegasus https://arstechnica.com/tech-policy/2021/11/us-blacklists-ma.... However, I wouldn't be surprised if some US spy agencies are still using it. If that's the case, Pegasus might try asking US intel agencies to block the case on the basis of disclose of classified info or harming national interests.

It would be interesting to see if all of the sudden "something happens" and the case is mysteriously dropped.

pvo50555
34 replies
19h2m

couldn't* care less

libraryofbabel
31 replies
17h56m

Much as it may pain you, “could care less” is an established idiom in American English that’s been in use for 70 years, and Webster’s dictionary has a whole page about it: https://www.merriam-webster.com/grammar/could-couldnt-care-l..., in which they say:

people who go through life expecting informal variant idioms in English to behave logically are setting themselves up for a lifetime of hurt.
SturgeonsLaw
26 replies
17h40m

I couldn't care less if there's a group of people misusing the phrase, logically "I could care less" means the exact opposite of "I couldn't care less".

The majority of the world is not American, and presumably the majority of Americans don't use the incorrect phrase, so why should the rest of the world cater for a minority within a minority by putting their butchered phrase on equal footing with the correct phrase?

skyyler
8 replies
17h36m

Because you knew what they meant and trying to correct them only serves to make you feel good about your own knowledge.

You aren't helping anyone when you correct them on this.

o11c
3 replies
15h28m

It costs everyone time and effort to try to decode nonsensical input.

It's a crime against humanity to not correct grammar.

pests
1 replies
14h58m

Does it? I decode it instantly and understand the meaning just like I know what a "fishbowl" is. There is no "decoding" or even nonsensical input in this case.

You are just being stubborn and trying to adhere to an outdated standard. Upgrade or get replaced.

gifvenut
0 replies
10h55m

But you are not everyone.

zztop44
0 replies
13h16m

It’s not grammar and it’s not a correction. The phrase “I could care less” has only one meaning and that meaning is “I don’t care”. It is being used correctly.

Onawa
2 replies
17h31m

I agree. I've learned to not care when people say 'expresso' instead of 'espresso', and 'ex cetera' instead of 'et cetera'. I know what they mean, you know what they mean, and correcting everyone only serves to alienate others.

skyyler
0 replies
14h46m

A little kindness goes a long way.

petesergeant
0 replies
14h28m

I've learned to not care when people say 'expresso' instead of 'espresso'

I stopped correcting people on stuff like this 20 years ago, but sadly haven’t been able to stop myself caring :-/ “Expresso” still grates

lmm
0 replies
16h24m

If you understood someone with difficulty, offering a correction is constructive, particularly on the web where editing is often easy.

hackerlight
7 replies
16h0m

It doesn't mean the opposite, though.

For a formal linguistic example, see the concept of compound words. The meaning of the compound word does not equal the meaning of any of the constituent words. Often because the definition of the constituent words has drifted over time while usage of the compound word remained fixed.

You may unilaterally think that's wrong because you wish to impose a set of rules on language that others don't share, but that's not how meaning works. A sentence is just a string of bits. Meaning comes from a shared consensus about how to parse those bits into meaning.

delta_p_delta_x
5 replies
8h58m

You may unilaterally think that's wrong because you wish to impose a set of rules on language that others don't share, but that's not how meaning works.

'A set of rules' is called grammar. It may have arisen organically and out of 'shared consensus' but today languages only make sense when we maintain that grammar.

Imagine if the positions of the words in the above sentence were randomly jumbled up. It'd make no sense at all.

English is somewhat more lax than other languages about grammar (stemming from its extremely wide usage) while still being able to get the point through, but striving for correct grammar should always be a goal, even if 'the point has got through'.

Many other stricter and older Indo-European languages that haven't experienced as many changes as English has, can be machine-parsed like a programming language. Sanskrit and Latin come to mind.

hackerlight
3 replies
7h27m

Imagine if the positions of the words in the above sentence were randomly jumbled up.

But "could care less" isn't random. It is an idiom that has the same meaning as "couldn't care less". If you fed it into a LLM it would know what you mean because meaning is created from global context. Meaning is not some kind of programming language where you input the rules of grammar and the definition of each constituent word, and then out pops the meaning of the sentence. It is impossible to derive meaning that way because meaning is constructed by shared consensus about what collections of words mean in different contexts according to common usage.

delta_p_delta_x
2 replies
7h17m

But "could care less" isn't random. It is an idiom that has the same meaning as "couldn't care less".

That is what I meant by 'English is lax enough about its grammar that "the point still gets through"'. 'Could care less' being wrong but semantically understood is exactly along the lines of 'could of' being wrong but semantically understood as 'could've', or the frequent confusion between 'their' and 'they're', or even any other confusion between homophones in written text.

Certainly, most Anglophones know enough English to read past these sorts of mistakes and still understand the underlying meaning (i.e. semantics) from context, but they are all incorrect, full stop.

hackerlight
1 replies
6h12m

but they are all incorrect, full stop.

I don't agree. Correctness is strictly determined by common usage. You're viewing language through the lens of a software engineer, where there are logical rules and primitives that combine together to construct outputs from inputs. Language isn't logically airtight like this. "Could care less" shouldn't be thought of as three words. Think of it as one single new word with its own meaning that has no necessary connection to the meaning of the constituent parts that make it up. Just like compound words and other idioms.

delta_p_delta_x
0 replies
5h42m

I don't agree. Correctness is strictly determined by common usage.

Happy to agree to disagree, especially when there is this much teeth-gnashing about how 'correct' this usage is—just within this thread. My point about 'could of' was even brought up elsewhere.

Language isn't logically airtight like this.

But it is—or at least, people make it so. In a world where what people say or write is regularly misconstrued/misinterpreted and lands them in jail, or persecuted, or even killed, I believe clarity, accuracy, (factual and syntactic) correctness, and honesty should be something that every writer should strive toward. Someone else brought up contronyms—which I believe ought to be avoided as much as possible because of their potential to cause much confusion even with context ('sanction' is a very powerful example).

This sort of wishy-washy 'it is correct because people understand it' only reminds me of 'alternate facts'. I don't like it and I wish people wouldn't put up with it.

Propelloni
0 replies
7h49m

The GP is talking semantics, you are talking syntax. We are failing the language game here.

wlll
0 replies
4h52m

It doesn't mean the opposite, though.

It does in my English though, and it really really grates when I hear it. Just because a minority of people have started abusing the language doesn't mean I have to go along with it.

compound words

Compound words like "afternoon" where the two words themselves make sense together? "couldcare" might be a compound word, but "could care" isn't. Plus, if I start to say "after noon" to mean "mid morning" then get pissed off when people call me out on my language butchery then perhaps my minority take and desire to impose it on the rest of the world would make me the person in the wrong.

cortesoft
4 replies
14h9m

And logically, flammable and inflammable mean the exact opposite, but here we are.

omneity
2 replies
11h57m

Not quite. "in" here as a prefix is not a negation thing but to _do_ something like "en" in "enhance" or "encapsulate". The word's actual latin root is "inflammare" which means to put something _in_ flames. The subject is the one doing the burning and it's transitive.

Flammable on the hand comes from "flammare", which means for something to catch fire, and is intransitive instead, i.e. the subject is the one catching fire.

The actual opposite of inflammable is uninflammable, which I reckon is only in British English at this point and mostly lost in American English.

forty
1 replies
8h8m

In French we don't have flammable, only _inflammable_ (meaning that it CAN catch fire). And the opposite is _ininflammable_ ^^

Something in flames is "enflammé" (there is the en- prefix ^^).

gessha
0 replies
2h59m

As I’ve followed the news for many years now, not many things in France are inflammable :D

karim79
0 replies
5h54m

Contronyms are what you're referring to. Indeed, flammable/inflammable, also sanction/sanction (permit/punish) and other examples such as fast/fast (going quickly/held in place).

Still, I do find "I could care less" to be less of a contronym and more of an "Americanism". I'm quite used to it by now, and shall thereby sanction its use.

sirsinsalot
1 replies
16h53m

If I make a mistake like this, please correct me. That's one way I can improve. This attitude of just not correcting people is idiotic.

It's on the person receiving the correction or criticism to ignore it if they wish. Not on people to be silent.

serial_dev
0 replies
13h43m

Like I could care less (but the "like" is silent)

mardifoufs
1 replies
13h49m

The majority of the world doesn't speak English, so why care about using correct English at all right? Btw American English is still the most common variant on the internet. More so than British English.

wlll
0 replies
5h3m

The majority of the world doesn't speak English

And yet here we are.

To paraphrase David Mitchell (https://www.youtube.com/watch?v=om7O0MFkmpw), the problem is not so much the prevelance of American English, which in a lot of situations makes sense. eg. "sidewalk" makes a lot of sense, perhaps more, than "pavement" for the place that a pedestrian walks at the side of a road. "Parking lot" for a lot of land that is reserved for parking etc. The issue is that "could care less" means the opposite of what people intend them to mean, and they're just expecting the people listening to interpret what they mean.

ryanjshaw
0 replies
10h48m

The examples in that article do not actually argue for the point being made (that this has been going on for 70 years):

His bearing towards male acquaintances, of whom he knew little or nothing and could care less, ...

Here, "could care less" refers to how little he knows about the male acquaintances, and is effectively saying he cares even less than the little he knows. When we see people write "could care less', they don't write it in the same context, at all.

And then:

It is impossible that he could care less.

This is clearly a different way to write "couldn't care less", and is again not how we see people use the phrase "could care less".

That being said, "could care less" is definitely a thing of the last 10-20 years and is not going anywhere.

choxi
0 replies
3h40m

Why do they do this instead of just maintaining the correct usage? The redefining of the word “literal” to mean “potentially not literal” really grinds my gears.

abenga
0 replies
11h51m

One day, this reasoning will formalize the use of "would/could/should of" and I will rage quit English as a language.

BeFlatXIII
0 replies
2h59m

I enjoy deliberately misinterpreting the nonsense idioms to frustrate their users.

Jerrrry
0 replies
15h47m

Per my "troll metric" / rage bait/"le reddit quantification", formalized as a response's comment's conversational entropy divided by parent comment length, this is a fantastic comment.

Pure, distilled, thought provocation.

Thank you.

ethbr1
13 replies
19h56m

I doubt US spy agencies still use it in any official capacity.

Far easier to just request and obtain the resulting intelligence from partner intelligence organizations who are using it.

Arms-length collection is less legally perilous.

But which does bode poorly for any assertion of national security in US courts! "Are you using this software?" "Officially, no." "Then on what basis do you claim national security?"

gsk22
10 replies
18h39m

Thanks to the FISA "court" system, I doubt US spy agencies fear any legal reprecussions.

No need to follow the law if you have a secret court where no one has standing to challenge your actions.

ethbr1
9 replies
17h22m

Omnipotent and yet completely legally-neutered FISA is a lazy excuse to avoid thinking about things.

There are no illuminati.

There are powerful institutions, who nonetheless fear other powerful institutions.

In this case, intelligence preferring to remain out of the courts and newspapers.

mardifoufs
4 replies
13h51m

Who said anything about illuminatis? Does FISA effectively allow intelligence agencies to hide stuff or not? And can you show me a concrete example of IA actually getting punished from other powerful institutions in any meaningful way?

ethbr1
3 replies
11h46m

FISA allows them to conduct it legally. It doesn't have anything to do with hiding.

Before FISA, they generally just did it, without asking anyone.

And press reports on intelligence operations led directly to the Church/Pike Committees, which led to EO 11905/12036.

mardifoufs
2 replies
11h21m

Who exactly was punished by that EO? You are proving my point, even the most "push back" IAs have seen in terms of concrete actions against them led to... a directive that forbid them from murdering people in foreign countries. No actual consequences for anyone involved, no one got even a slap on the wrist in terms of actual consequences. And that's after the church committee, which revealed some super damning stuff.

Oh, and they went back to doing it after a few decades.

ethbr1
1 replies
9h47m

Are you really asking me to cite classified operations?

And the fact that subsequent Executive Orders explicitly loosened the reigns on intelligence collection (and assassination with respect to "terrorists") indicates that yes, the original orders did restrict intelligence operations.

jtbayly
0 replies
6h24m

It sounds like you are claiming that IA’s have been punished for their abuses, but we’ll just have to trust you on it because the punishments were classified operations. Doesn’t make sense at all, unless you’re saying that the punishments were certain spy chiefs secretly murdered or something.

asveikau
1 replies
12h27m

The problem with FISA as I understand it is not illuminati. It's that the court probably approves almost everything the government asks for without scrutiny. In general, most courts probably have issues like this -- when their job might be oversight and scrutiny they end up as a rubber stamp for the powerful, like cops, prosecutors, etc. For FISA it's especially bad because decisions and arguments made aren't public.

ethbr1
0 replies
11h43m

But it nonetheless exists and could be reformed if there were political will. There was a (much worse) time when FISA didn't exist.

There can also be a future time in which something even stronger exists!

It's annoying to get low-effort whatabout'isms that are justifications for inaction on the basis that nothing will ever change.

It has and it can.

staplers
0 replies
14h12m

  There are no illuminati.
Interesting psyops to conflate corruption with "illuminati"..

j16sdiz
0 replies
12h54m

There are powerful institutions, who nonetheless fear other powerful institutions.

They don't "fear" other powerful institution. Just like chess players, they "game" with each other.

rvba
0 replies
6h18m

Far easier to just request and obtain the resulting intelligence from partner intelligence organizations who are using it.

Couldnt they ask to spy on a phone owned by them to try to learn how the phones are infected?

cheeze
0 replies
19h44m

I don't know much in this space, but if I'm the US Gov I'm happy that all of the attention is on Pegasus and not other (presumably) tens (hundreds) of similar programs out there.

saagarjha
1 replies
16h52m

I would be very surprised if they were. Sanctions are no joke and there are plenty of Five Eye-aligned shops with similar capabilities.

ignoramous
0 replies
6h22m

Yep, here's TAG's (Threat Analysis Group) recent report on Commercial Surveillance Vendors (CSVs) making millions with SaaS-like business models: https://storage.googleapis.com/gweb-uniblog-publish-prod/doc...

Apparently, the social & political elites worldwide are tripping themselves over to purchase licenses from these CSVs that cost millions.

dkjaudyeqooe
1 replies
19h27m

What's "interesting" is that they claim protection available to governments, as if they speak and act on behalf of those governments.

rdtsc
0 replies
14h43m

Exactly, that's pretty odd. They could be delusional, just bluffing, or they really expect someone from the US government to put their finger on the scales for them, or make the scale disappear altogether.

bradleyjg
1 replies
4h16m

It would be interesting to see if all of the sudden "something happens" and the case is mysteriously dropped.

Conspiracy theories notwithstanding you’d see a sealed court filing and not “something happens.”

qingcharles
0 replies
2h47m

Right. I don't know that I've ever just seen a case vanish from a docketing system like that...!

kristofferR
33 replies
18h56m

Can anyone explain this case?

Why would a US court have any jurisdiction over a foreign Israeli spyware vendor that has already been blacklisted by the US government?

And why would Israel send their spyware source code to WhatsApp even if they lose the case?

xxpor
28 replies
18h25m

Because the NSO group handles dollars.

If they didn't respond, they'd lose by default, and the court could order any assets the US can get their hands on seized. If they're getting paid in NIS by countries outside of Israel, the currency conversion happens with dollars as the intermediary. There's the US's window.

jevoten
23 replies
17h38m

How is "Because the NSO group handles dollars" related to "the court could order any assets the US can get their hands on seized"? Presumably, if they were getting paid in bars of gold, the US could seize those too, if they could get their hands on them, no?

On the other hand, if they were paid in US dollars, but in cash, that wouldn't establish jurisdiction, nor could it be seized, if the transfer happened outside US territory?

vineyardmike
7 replies
16h54m

How would they get paid? Almost every bank in every us-allied countries would have to comply to hand over the money. The US banking regulations apply overseas because those banks want to interact with US entities. That's the nature of the US-Dollar economy.

Are you a French wine maker that wants to sell to America? You better be using USD with a friendly bank to pay for things like import fees/tariffs (or the American company you work with better do that). Sure you can deal only in Euros if you want, but at some point there's a conversion to USD when you sell to Americans. Middle Eastern Oil Company? Same thing. German Car company? Same. Brazilian fruit farm? Same. How about importing your Coca Cola products, and iPhones? Buying ads from Google? USD and a US-friendly banks are everywhere in the global economy because the US is such a big market.

Those banks will be banned from US commerce if they work with the NSO and don't hand over the NSO's money, and will lose tons of "innocent" business (like those nice wine makers in France). Their governments probably have treaties with the US, so they don't have a legal choice anyways. The US influence is viral.

jevoten
6 replies
14h48m

But that's because they're doing business with banks that want to remain friendly with the US, not because they're doing business specifically in US dollars. If they got paid in Turkish liras, but through a bank under US influence, those liras would also get seized, wouldn't they?

On the other hand, if someone used a local bank in their country to transact with an entity in China, and China demanded their assets in that bank be seized because they defamed a revolutionary hero [1], I would expect that country to block that seizure, regardless of how the bank itself might feel. I.e. they would demand any seizures comply with their local laws, similar to how extraditions (are supposed to) work, and not let other countries essentially steal from their citizens. Or looking at it a bit different, a bank can't take from its customers on behalf of a foreign country, since locals laws, unless they explicitly allow that taking, would consider it theft.

[1] https://www.reuters.com/article/us-china-lawmaking-idUSKBN1H...

Edit as reply because "I'm posting too fast" (thanks HN for not telling when I can post again by the way):

Discussion about the US dollar misses the point. They do it because they can

I'd argue it doesn't miss the point, but rather, hides the true cause - that as you say, they do it because they can (as quickly becomes obvious when no other currency has this viral jurisdictional effect).

But I'm curious if anyone has ever tried suing their bank, in a non-US court, alleging that their seizure of their assets was illegal under local law. I can understand a bank rolling over for the US government, but it would be interesting to see if and how their legal system would justify it. Especially for something that is not a crime in their country.

selectodude
2 replies
14h38m

There are very few FOREX currency pairs that aren’t USD to whatever. Most cross currency trades are currency A to USD and then USD to currency B. So USD is involved and thus the US Government has jurisdiction.

silverliver
1 replies
12h38m

Again, that's only for foreign orgs that want to comply with foreign US law. The involvement of USD in and of itself is not relevant to whether the US government has jurisdiction.

jajko
0 replies
4h26m

It seems you lack understanding how international banking works in general

vineyardmike
0 replies
7h23m

If someone tried transacting with USD cash in a foreign country it’d probably be fine. (Who knows, some countries probably have laws that limit the validity of transactions in foreign denominationed currencies, but that’s beside the point). Banks are among the most regulated institutions in the world. I doubt there are many banks that have USD-denominated depository accounts that also don’t touch the US banking system (because what good would it be), so the pragmatic reality is that USD requires the Us government blessing. Even if, yes, the government can’t do anything about a few sheets of paper in your wallet. Banks can’t really do currency conversion to/from USD without open access to American-influenced finance markets. So any hypothetical situation that’s not real but totally an imaginable edge case could exist- but it’s not very practical.

If they got paid in Turkish liras, but through a bank under US influence, those liras would also get seized, wouldn't they?

Yea except no one wants Liras. They want USD (and sometimes Euros). So whoever accepts those liras will want USD, and they’ll transfer them to the USD-backed banking system, and back to the original points. Because again, how do you have access to high-volume USD/lira forex markets without using a US-blessed banking system.

The reality is that international finance largely runs on USD, and orbits US banks. One of the main international influence efforts the Us considers is a stable currency. So much so that other nations use USD as a formal currency. The US exerts significant political pressure and political capital to ensure that everyone needs USD in their economy. America literally made international treaties with every oil producing nations requiring oil to be sold in USD just to ensure that every country needed to inject USD into their economy.

I can understand a bank rolling over for the US government, but it would be interesting to see if and how their legal system would justify it.

They’d justify it by having laws that say they’d reciprocate and recognize US crimes. It’s what the international community does.

serial_dev
0 replies
13h36m

Discussion about the US dollar misses the point.

They do it because they can, basically we all live under the influence of the US empire, they can put pressure on most banks of they really want to, and if they really want to, details like which currency was used will not stop them.

qazwse_
0 replies
12h41m

I think a similar situation you can look into is the sanctions on Carrie Lam. While they are sanctions instead of a lawsuit, they did result in her losing access to all banking facilities in HK and China regardless of the fact they probably didn't think she didn't anything wrong. I think for most countries, keeping their banks working trumps almost all other considerations.

https://www.theguardian.com/world/2020/nov/28/hong-kong-carr...

xxpor
6 replies
17h30m

The US government has jurisdiction over all US dollars. That's how sanctions work.

jeroenhd
4 replies
17h11m

If I bring a suitcase full of dollars home with me from a trip to the US (assuming I make it through border control with that much cash), I don't see what kind of jurisdiction the USA would have over me for simply owning dollars.

These are just pieces of paper, they don't provide any kind of jurisdiction. The American banking system may refuse to serve me perhaps, but it's not the dollars that give the American government any control. Hell, several countries outdid e the USA use American dollars as an official currency, but that doesn't make them vassal states to the USA.

tempodox
2 replies
12h48m

These are just pieces of paper

I let you have one guess which entity gives those pieces of paper their value.

Kwpolska
1 replies
10h4m

The US and most of the world may recognise those pieces of paper as worth some of their currency. This doesn't mean I can't recognise them as toilet paper.

tempodox
0 replies
3h29m

You're free to make your toilet paper as expensive as you like, as long as you pay for it legally.

colechristensen
0 replies
17h2m

Your local bank won't protect you from the American judicial system. If they get a court order they'll just fork over your assets. Your bank wants to maintain it's ability to exchange funds with American banks. The American banking system will refuse to serve your bank if they refuse to comply. Or more like they'll just order JP Morgan or whomever to fork over your bank's cash because that's how banks interact with each other.

If you got a pile of dollars in the US, you did business in the US and if that business has any tenuous connection to what the courts are after you about, we have jurisdiction.

If you don't like it you have to run to China, Russia, Iran, etc.

netsharc
0 replies
9h31m

Geez, no? Sanctions work only if the sanctioning entity has power. If the US govt sanctions you, they can tell all banks in the world that if they touch your (virtual) money they'll be sanctioned too. If some podunk dictatorship no one did business with announced "Any bank doing business with xxpor will be barred from working in our country!" then many banks will probably say "Fine, you're a tiny economy that we don't have anyone that does business with a business in your country anyway, so you can take that sanctions and shove it".

Ironically paper money is the way to "escape" sanctions, because anyone around the world knows that that 100 dollar bill can be exchanged for goods and services. And it doesn't even have to involve a bank, just another person who recognizes the value of that paper, in a chain of transactions. Depending on the hassle you may need to pay more..

lmm
4 replies
16h18m

The overwhelming majority of dollars are not physical cash, and the overwhelming majority of dollar transactions by volume happen in a fashion which New York claims jurisdiction over (and, ultimately, has a big army that will back them on, which is what really matters in international law), even when neither party has any obvious connection to the US.

Even for physical cash, they might claim jurisdiction. Dollars are sometimes best understood as a particularly degenerate form of US government bonds.

diego_sandoval
2 replies
15h38m

And then people say that cryptocurrencies have no reason to exist. This one right here is a pretty powerful reason.

tempodox
0 replies
12h52m

Of course criminal organizations would prefer a currency not controlled by an unfriendly government. “Reason to exist” alone doesn't make it a good idea.

o11c
0 replies
15h23m

And yet it is exactly this that allows major criminal organizations like the NSO Group to be prosecuted. "Liberty [from powerful factions]" is explicitly the whole purpose of governments being instituted with the consent of the governed.

I for one would trend toward banning cryptocurrency even if it weren't a complete waste of energy.

Andrex
0 replies
15h35m

Even for physical cash, they might claim jurisdiction. Dollars are sometimes best understood as a particularly degenerate form of US government bonds.

Never thought about it that way, well said.

wyldfire
0 replies
4h9m

that wouldn't establish jurisdiction

The harm is happening in the US, to WhatsApp's customers (among other places). The US court has jurisdiction.

Whether any remedy could be applied is independent of the court's findings.

greenavocado
0 replies
15h2m

America's primary tool in warfare is economic in nature. Anybody that does business with the United States must comply with US sanctions.

colechristensen
0 replies
17h7m

If you do business in the US you're subject to jurisdiction. If you're a foreign bank, to transact with anyone in the US you have to do business in the US. The court orders the bank to fork over somebody's cash, they do because they have to and the alternative is disconnecting themselves from the rest of the financial system. Several Swiss banks got the death penalty because they failed to be quite as isolated and secretive as advertised (i.e. they had agents in the US doing business)

To seize somebody's gold you'd have to go physically get it. To seize their dollars you just go say hi to their bank. Unless you're an "enemy combatant" the US isn't going to go do extraordinary rendition on your assets, so you're pile of foreign gold is safe.

The reach of the American legal system is long, you don't have to do much as a foreign entity to put you under our umbrella.

danlugo92
2 replies
10h27m

#BitcoinFixesThis

snotrockets
1 replies
10h21m

Not really. If you want to end up with money you can actually use for things other than paying ransomware, you have to end up with a bank account somewhere. And as banks wants to transact in USD, they play nice with the US government.

pcdoodle
0 replies
4h51m

Or sell it for cash at a slight discount. People go through worse things when their local fiat goes out of wack.

bradleyjg
0 replies
4h7m

It doesn’t matter that they use US dollars. It matters that they need to do business with entities and in countries that will cooperate with US law. The U.S. government is perfectly capable of putting in an intergovernmental request to seize euros, not too mention yachts.

Israel able to get away with being a frenemy to the West but there are limits.

stefan_
0 replies
16h52m

Because they are being sued in the US over conduct that happened in the US? It’s really not very difficult or special.

They can of course choose to ignore the lawsuit, if their principals want to never enter the US again, which is frankly recommended for all their employees given their operations are prima facie criminal in nature.

mike31fr
0 replies
3h21m

This is called extraterritoriality.

Crazy stories happened here in France.

USA basically sent Alstom, a huge French company, to bankruptcy, then bought it for pennies, and then they tried to destroy Airbus. In both cases they used this right they gave themselves they call extraterritoriality.

The stories I mentioned are documented in this reportage: https://www.arte.tv/fr/videos/093798-000-A/la-bataille-d-air...

The video used to be available on YouTube at the following url : https://youtu.be/Sa22eu1FWyo but it seems it was set to private. Annoying revelations?

halJordan
0 replies
1h10m

What is there to explain? There are reciprocal treaties that the us signs with their allies. "The international liberal order" that the govt is always bleating about. Israel has signed a treaty that says we will respect US court decisions and enforce them. The US has also signed a treaty that says "we will respect and enforce israeli court decisions."

So if a US judge signs and an order and sends the order to an Israeli judge, the israeli judge enforces it (and vice versa).

Izikiel43
0 replies
18h36m

Because it's the US. Same reason they can do FATCA

jokoon
11 replies
19h43m

This is why I don't want to work in cyber security.

You are dealing with dangerous people.

wkat4242
10 replies
18h32m

Meh. The same goes for police work and even more so for military.

And cyber is a very wide range. A lot of roles are simply about training personnel in security principles and procedures, implementing data classification etc. Not everyone deals directly with attacks. Most of the work is preventative. In our company probably less than 20% of people who technically work in cyber, although that's in part because our SOC is outsourced.

nicce
8 replies
17h42m

Most of the work is preventative.

Current work culture is bizarre in cyber security. I am not personally very fan of it.

Nobody wants to work on defensive side. You are not getting either fame or money if you do your work well. The expectation is that you do your work perfectly. There is no actually measurements in place to prove that your good code prevented 100 data breaches!

But on the other hand, if you are on offensive side, sometimes find cool bugs, you get fame and money. Does not matter if there is a long break sometimes. Your goodness is measures based on how much money you got.

What does it mean? People start doing bug bounties. They hoard tools only for themselves to make more money, instead of releasing them to improve general security. They keep small bugs themselves so that they can be used in exploit chains to get bigger bounties.

If the reputation of the company is based on the participations of the bug bounty program, they start doing less and less in-house engineering and outsource the cyber security testing for bug bounty platforms.

And vicious cycle starts.

saagarjha
6 replies
16h32m

Plenty of people working on the defensive side are famous, sometimes even more famous than those who do offensive work. Take, for example, Google Project Zero, or the numerous people on “infosec Twitter” who are almost invariably doing defensive work. People who do exploit development tend to be a lot more quiet about what they do and where they work.

kevinbowman
2 replies
11h7m

I think Project Zero would count as offensive work in this regard; they are actively trying to find problems in other systems, rather than trying to stop other people trying to find problems in their systems.

saagarjha
1 replies
9h31m

Project Zero is an offensive team doing defensive work.

nicce
0 replies
6h33m

But their work is essentially penetration testing and exploit development. That usually counts as offensive side. They are not designing and building secure-by-design stuff, for example.

They are known for breaking stuff, and everyone wants to be the same.

Goal might be defensive in everything cyber security researchers do, but that was not my point.

hashstring
2 replies
9h37m

Project Zero is not defensive. Infosec Twitter has both sides.

I do agree with you that defense is a large part of the industry. My perspective is even that most organizations are looking for “defense” roles. The field is very wide (e.g., folks working on cryptography to sec ops).

nicce
1 replies
6h29m

It is defensive, but for the best guys out there, the carrot is on offensive side. You are not getting rewarded for doing perfectly secure systems, unless you work in very big company.

It means that most of the average guys build defense, and then the best guys test them and pick the money when something is found. While we could prevent most issues if those best guys help on building the systems instead.

But they have no motivation, because they get more money from other things.

hashstring
0 replies
4h7m

I think that you might actually observe that finding attacks on systems is common, while developing a “perfectly secure system” is much harder to do, if not impossible.

rompledorph
0 replies
16h58m

Your view on cyber security seems to be painted by bug bounty programs. But I agree that the offensive side is more sexy than the defensive side, but it easy to forget that in the end, we are all really working on defense

snotrockets
0 replies
10h20m

Police tends to avoid dealing with dangerous people, unless you mean cops themselves.

cedws
10 replies
19h54m

I don't understand why the NSO Group, and by extension Israel, has not been sanctioned over this spyware. It's a dangerous company that sells tools ripe for abuse to some of the West's worst anti-democractic enemies.

cedws
0 replies
18h57m

Ah, didn't know that, thanks. It seems NSO Group are still alive and kicking in spite of this.

dkjaudyeqooe
1 replies
19h30m

For the same reason it hasn't had any of $10 billion in military aid reduced even after acting counter to numerous US interests and values:

Politics.

halJordan
0 replies
1h8m

Nso group has been put on the same punitive sanctions Chinese companies have been. You dont have to be wrong just to confirm your biases.

devwastaken
1 replies
19h40m

Peace and "defense" are marketing. Eisenhower warned of the military industrial complex and it's growing power.

It's mainly not "the wests" enemies contracting NSO, it is the west.

FactKnower69
0 replies
19h10m

-1 because this comment made me feel bad. The US and its client states have never done anything to deserve this reputation, and to suggest that they have is frankly nothing short of unpatriotic. The Lavon Affair never happened.

richardw
0 replies
19h22m

/engage tinfoil hat.

I’d guess there are some deep benefits in having a strong partner selling this stuff compared to a rival. Not great for the target countries at all, but good for the Israeli and US intelligence apparatus.

photochemsyn
0 replies
19h10m

Israel has long served a kind of cut-out role for delivering weapons to states with atrocious 'Western values' records but which are compliant with US corporate interests. Equatorial Guinea was one such example, with dictator Obiang and his ExxonMobil contract. Steve Coll mentions this in "Private Empire: ExxonMobil and American Power" (2012):

"Fortunately for Obiang, coup-prone African governments rolling in oil but lacking in arms and intelligence to defend their bounty had a discrete alternative to the Pentagon and C.I.A. for defense support: Israel. Quietly, the Bush Administration encouraged Obiang to enter into security and commercial ties with Tel Aviv."

Azerbaijan is a similar example as US weapons sales were banned for human rights abuse reasons. A Wikileaked US State Dept cable stated (2009) "Through its close relations with Israel, Azerbaijan gets a level of access to the quality weapon systems it needs to develop its army that it can not obtain from the U.S. and Europe due to various legal limitations..."

If the dictatorial government funnels the oil money into the Western banking system, then the US turns a blind eye to this kind of thing (e.g. Saudi and UAE use of Pegasus to persecute pro-democracy activists) and if not, it's sanctions and regime change time.

CatWChainsaw
0 replies
14h16m

Well it probably sells those same tools to the West as well. Gotta stalk those pesky journalists covering genocide somehow. Plus it helps if someone other than you is seen with the dirty hands.

lupire
5 replies
19h55m

Is this a new precedent, that "legal" hackers that operate in two countries can be forced to divulge their vulns?

SturgeonsLaw
4 replies
17h31m

I hope so, the fact that attackers can hide behind international borders is an eternal thorn in the side of us blue teamers. Anyone who commits a crime in another country should be subject to that country seeking legal redress.

bluGill
3 replies
16h35m

That is typically the case. If you commit a crime and flee to a different country, where you go will arrest you and turn you over to the country that you did the crime in.

there are many treaties on this. It gets complex, some countries will not turn criminals over if the death pentalty is would be used for example. However in general if you commit a crime you can't flee to a different country.

countries like north Korea and Russia are exceptions. Which is why malware so often comes from them. Anyone else and you are likely to be caught.

andyferris
1 replies
15h38m

The one that gets me is when someone does something on the internet that is legal in their country, but not in another, and the other tries to extradite and charge the person as a criminal.

If I run an Internet-facing server, where is it deemed to be? Everywhere?

rangestransform
0 replies
15h32m

If an extradition treaty would mean recognizing the judgments of Russian kangaroo courts in the US, I’d rather not

LispSporks22
5 replies
19h29m

Is Signal one of the other platforms they mention?

klabb3
4 replies
19h0m

I think they mention every platform for marketing because once the device is rooted, they can extract data from any app. That doesn’t mean the vulnerability was in the app mentioned, nor that it was the fault of an app at all.

At the end of the day, it’s between platforms (specifically iOS and Apple) and these exploit devs/traders, afaiu. That’s why Apple hates them. For better or worse, putting a torch under Apple’s ass is probably a good thing for the rest of us.

OTOH, you could argue that Apple should be more of top of these things and reward the security researchers better. Things are better than 20y ago, but still it’s probably more lucrative to sell exploits to these shady actors than to scrape the floor for peanuts in hope that mega corps will reward their discoveries.

xvector
1 replies
16h26m

than to scrape the floor for peanuts in hope that mega corps will reward their discoveries.

Security researchers capable of finding these exploits aren't exactly starving for food. They could easily land a $500k+ job at any big tech company or make a similar amount bug bounty hunting.

eyegor
0 replies
15h43m

Ah yes, the lambos come out in force at the bsides conferences.

jmkni
1 replies
8h10m

I guess that once the device is rooted, they can just take screenshots/record the screen without the user knowing, so the specifics of how any particular app works don't matter?

geraldhh
0 replies
3h41m

true, thou knowing the specifics of the app will allow for a more convenient and complete data extraction

brettermeier
2 replies
1h29m

I don't get why Pegasus should send their real source code to WhatsApp, even if they lose this case. They could just send over some nonsense, or am I missing something?

halJordan
1 replies
1h15m

You're missing courts and their legal powers.

brettermeier
0 replies
1h12m

Couldn't they rip out the sensitive stuff and if it's noticed nobody from Israels government will know about it? Or is the power of the US too big to cover such thing? I guess it is, but really?

mh8h
1 replies
3h49m

No way Israel allows the export

ametrau
0 replies
8m

That is a rogue nation that somehow is always treated with kid gloves.

jamesrom
1 replies
6h26m

Apple and Google can disable Pegasus whenever they wish.

eli
0 replies
5h17m

How?

sylware
0 replies
8h17m

And whatsapp?

When are they "forced" to provide a simple and stable in time interop protocol stack ? (with reuse of irc,smtp,noscript/basic (x)html/etc?)

This one is not better than the other.

submeta
0 replies
11h18m

Snowden revelations were years ago. And what we saw back then was unbelievable. I can’t even imqgine what the agencies are using these days. So what’s Pegasus anyway compared to what the agencies might have and use.