[HN Gopher] Three ex-US intelligence officers admit hacking for UAE
       ___________________________________________________________________
        
       Three ex-US intelligence officers admit hacking for UAE
        
       Author : andrewnicolalde
       Score  : 469 points
       Date   : 2021-09-15 16:26 UTC (6 hours ago)
        
 (HTM) web link (www.justice.gov)
 (TXT) w3m dump (www.justice.gov)
        
       | shmatt wrote:
       | This is an increasing problem in Israel as well.
       | 
       | Soldiers who spent years in the exploit-finding units of 8200
       | (Israeli NSA) can work for NSO and stay in Israel. But they can
       | also leave the country and work for foreign entities. Sometimes
       | without even knowing who their employer is
       | 
       | One famous case was "Dark Matter" a UAE company who set up
       | offices in Cyprus and offered 8200 soldiers 7 figures (in USD) a
       | year salaries to relocate, outside of the Israeli Government
       | oversight - which NSO need to adhere to, and work for them
        
         | jackpirate wrote:
         | I'd love to read more about this if you have a source.
        
           | SpikedCola wrote:
           | Darknet Diaries [0] does an episode that involves DarkMatter
           | 
           | [0] https://darknetdiaries.com/episode/47/
        
           | shmatt wrote:
           | You'd have to depend on Google Translate quality but this is
           | a good article
           | https://www.themarker.com/technation/.premium-1.7972249
        
           | ThisIsTheWay wrote:
           | In addition to Darknet Diaries, there is a lot of interesting
           | info in Nicole Perlroth's new book titled "This Is How They
           | Tell Me the World Ends"
           | 
           | https://www.bloomsbury.com/us/this-is-how-they-tell-me-the-w...
        
             | azemetre wrote:
             | Seconding this recommendation. It's a great history of how
             | the exploit market came to be in general.
        
         | burkaman wrote:
         | It's DarkMatter again in this case:
         | https://www.nytimes.com/2021/09/14/us/politics/darkmatter-ua...
        
       | wwwdonohue wrote:
       | Funny quote from Lori Stroud:
       | 
       | > The bureau's dedication to justice is commendable... the most
       | significant catalyst to bringing this issue to light was
       | investigative journalism - the timely, technical information
       | reported created the awareness and momentum to ensure justice
       | 
       | A lot of moral superiority there when based on how Stroud has
       | talked about her own work with Project Raven [1], she was
       | perfectly happy to help the UAE kidnap, torture, and disappear
       | dissidents (including children), human rights activists, and
       | journalists.
       | 
       | [1] https://www.reuters.com/investigates/special-report/usa-spyi...
        
       | robbiet480 wrote:
       | More interesting to me is that one of the named persons, Daniel
       | Gericke, is the CIO of ExpressVPN [1] which sold yesterday, the
       | same day that the DoJ came to this prosecution agreement (!), for
       | just under $1 billion. [2]
       | 
       | [1]: https://www.cnet.com/tech/services-and-software/expressvpn-c...
       | [2]: https://www.techradar.com/news/expressvpn-to-join-kape-in-la...
        
         | tyingq wrote:
         | Hah. Anticipated bail money, perhaps :)
        
         | nostromo wrote:
         | It's crazy to me how many unscrupulous actors there are in the
         | VPN space where you really _really_ need to trust your
         | provider.
         | 
         | I don't trust my ISP much at all, but I still trust them more
         | than almost any VPN provider.
        
           | mensetmanusman wrote:
           | ISPs send emails immediately if someone uses your IP address
           | to download a BBC episode.
        
           | midnightGhost wrote:
           | I'm in the same boat. Though I actually do trust my VPN
           | provider Mullvad. Highly talked about, based in Switzerland,
           | and Mozilla also uses them for their VPN service.
           | 
           | Edit: Sorry. Not Switzerland. Sweden. For some reason thought
           | Switzerland.
        
             | croes wrote:
             | Switzerland, home of the Crypto AG. Switzerland lost its
             | reputation as a secure privacy haven.
        
               | scns wrote:
               | The mail service that handed over data of a customer to a
               | foreign government and changed the privacy statement on
               | their site is based there too IIRC. The name eludes me
               | now, surely several readers can provide it.
        
               | TacticalCoder wrote:
               | protonmail? Although I take it they are still to be
               | trusted more than most.
        
               | ChuckNorris89 wrote:
               | Plus the recent Protonmail fiasco.
        
               | legrande wrote:
               | > Protonmail fiasco
               | 
               | Not a fiasco as they're required by law to keep IP logs.
               | You can disable the logging of IP sessions in the PM
               | dashboard, but you can't guarantee that PM will _not_
               | keep logs, since their servers are all Public Internet
               | Facing. The only way Protonmail is 100% zero knowledge is
               | to be a 100% dark-net/Tor service, which immediately
               | turns off 99% of their users.
        
               | dylan604 wrote:
               | If you misled your users into thinking that this isn't
               | something you would do, but as soon as shit hits the fan
               | and the PR makes it impossible to keep the ruse going.
               | It's a total fiasco to that business' marketing
               | department.
        
             | maxwelldone wrote:
             | Mullvad is great. They are from Sweden, not Switzerland.
             | Not sure if anyone else does it but you can just mail them
             | cash anonymously to get started.
        
             | stef25 wrote:
             | Always wondered why people don't just create their own
             | using something like Outline on a DO droplet (bithost)?
             | How is Mullvad better?
             | 
             | I don't understand how we should trust a company we know
             | nothing about other than the text they put on their website
             | which basically means nothing.
        
               | craig131 wrote:
               | They're probably trying to separate their billing
               | information from public IP address which is the benefit
               | of using a service that is crypto friendly
        
               | atmosx wrote:
               | Because the threat model is different than the one you
               | have in mind. VPN providers for 5$ a month will give you
               | multiple proxies throughout the world. Spinning up 70
               | droplets in different regions is not a viable cost
               | effective solution.
        
               | jaywalk wrote:
               | You can use Mullvad without supplying any personal
               | information (not even an email address) and pay by
               | literally sending them an envelope with cash in it.
               | That's as good as it gets when it comes to preserving
               | privacy.
        
           | simorley wrote:
           | I no more trust VPN providers than I do online pdf
           | converters. I wonder how many people submit their sensitive
           | documents to these online services to convert their documents
           | to pdf.
        
             | Aerroon wrote:
             | If the only way they know how to make their document into a
             | PDF is an online converter and they need the document as
             | PDF then that's what they're going to do. It really doesn't
             | help that exporting documents as a PDF was an arcane
             | process for a long time.
        
             | kwertyoowiyop wrote:
             | I'm going to start an online Excel proofreader and logic
             | checker. Should be interesting!
             | 
             | /JK
        
           | beermonster wrote:
           | And likewise, although I don't trust Cloud service providers
           | all that much... I'd sooner spin up my own VM and run
           | strongSwan or WireGuard than use a VPN provider.
        
             | aborsy wrote:
             | Now you have to trust your VM provider, mostly US
             | providers, that actually mention they collect some data and
             | traffic to improve their services and comply with law.
        
               | beermonster wrote:
               | This is true. But you can't have an internet connection
               | without trusting at least _somebody_ ?
        
           | downWidOutaFite wrote:
           | I don't trust any security-oriented software of any kind.
        
           | arthur_sav wrote:
           | The US has spent considerable time and money to add backdoors
           | to any piece of software & hardware that exists out there.
           | So, I'd imagine, VPNs to be high on the list because of their
           | nature.
           | 
           | I would not trust VPNs for any kind of serious privacy, at
           | least not the popular ones. Maybe some small niche VPNs can
           | fly under the radar.
        
             | SahAssar wrote:
             | Anyone expecting real privacy would use a VPN paid with
             | SnailOnionCoin over a double-TOR homomorphic tunnel on
             | tails.
        
           | intricatedetail wrote:
           | If VPNs really protected from anything they would be illegal.
           | At best you can slightly avoid being targeted by advertisers.
           | I assume any system I use is compromised already.
        
           | latchkey wrote:
           | Why would you want to trust your VPN provider?
           | 
           | That's like saying: "you really really need to trust a
           | Bitcoin miner"
           | 
           | I'd hope the VPN service is built and operated in a way that
           | doesn't require trust, but provides the same level of
           | security.
           | 
           | edit: Since there is confusion in the responses. I'd prefer
           | to trust no-one.
        
             | bcrosby95 wrote:
             | > I'd hope the VPN service is built and operated in a way
             | that doesn't require trust
             | 
             | Unless you're continuously verifying, this requires trust
             | that it is built that way and/or won't be changed in the
             | future.
        
             | HappySweeney wrote:
             | How would you verify there are no logs kept?
        
               | latchkey wrote:
               | Inverse is true as well. How do you prove it?
        
               | cblconfederate wrote:
               | Someone can steal their logs
        
               | jonfw wrote:
               | You can't prove it, which is why you want to find a VPN
               | provider you can trust
        
             | whoknew1122 wrote:
             | But then you have to trust that the VPN service is built
             | and operated the way they say it is.
             | 
             | Or have we already forgot about Zoom's "end-to-end
             | encryption?"
        
             | BenoitEssiambre wrote:
             | I don't think VPNs go that far. Wouldn't that be more like
             | Tor type of security?
        
             | kbenson wrote:
             | There's _always_ trust involved. You have to trust the DNS
             | infrastructure, you have to trust your ISP, you have to
             | trust the VPN provider. You don't have to trust them
             | completely, but you have to trust them at least somewhat.
             | 
             | We take steps to reduce the amount of trust required, such
             | as splitting that trust across many parties, so any one
             | party hopefully can't betray us enough that it matters or
             | that we don't notice, but there's still a lot of trust. For
             | example, we use SSL certificates and certificate
             | authorities that are known ahead of time to protect from
             | problems on the network, but that requires you trust your
             | OS and/or your browser, which is generally how you receive
             | those certificate authorities. If I'm able to get my own CA
             | on your system and trusted, and I can see your traffic, it
             | doesn't matter whether you're using HTTPS connections.
             | 
             | A VPN provider might say they're not keeping logs, or that
             | their servers are not beholden to a third party and traffic
             | is not being analyzed, but ultimately all you have is their
             | word on that. Ultimately, the only thing different between
             | you connecting to the NSA and routing all your traffic
             | (even if your traffic is mostly encrypted) through them so
             | they can look at it and a VPN provider is that you trust
             | the VPN provider when they say they aren't the NSA and they
             | aren't looking at your traffic.
        
               | aborsy wrote:
               | It's worth mentioning that, if you listen to the podcast
               | mentioned in this thread, DarkMatter, the hacking
               | company, at some point ran a certificate authority that
               | was recognized by browsers including Chrome and Firefox,
               | until lately that news about them came out.
               | 
               | I wouldn't blindly trust CAs either.
        
               | kbenson wrote:
               | Oh, I don't, it's just also really hard to vet that stuff
               | adequately as a single person, and also why HTTPS isn't
               | always adequate.
               | 
               | There's DNS and root servers to consider as well (but
               | that might be harder to hide with all the caching going
               | on).
               | 
               | I almost edited my above comment a few minutes afterwards
               | to append something like "and honestly, it would be
               | pretty hard to convince me the NSA or some other group
               | hasn't run one or more VPN providers in the past. The
               | only question in my eye is whether it was a popular one
               | or not."
        
         | homarp wrote:
         | "ExpressVPN Knew 'Key Facts' of Executive Who Worked for UAE
         | Spy Unit" -
         | https://www.vice.com/en/article/3aq9p5/expressvpn-uae-hackin...
        
       | openasocket wrote:
       | I really don't think deferred prosecution is warranted here, this
       | should have been a plea deal. I'm ambiguous on whether or not
       | these guys should serve jail time, but they deserve a criminal
       | conviction and a criminal record.
        
       | 5faulker wrote:
       | Won't be the first time this happens...
        
       | truted2 wrote:
       | > to obtain remote, unauthorized access to any of the tens of
       | millions of smartphones and mobile devices utilizing a U.S.
       | Company Two-provided operating system
       | 
       | U.S. Company Two provides a mobile operating system. Hmmm, now
       | who could that be?
        
         | kccqzy wrote:
         | My first thought was that it must be Apple.
         | 
         | But the article says,
         | 
         | > In August 2017, U.S. Company Two updated the operating system
         | for its smartphones and other mobile devices, limiting KARMA
         | 2's functionality.
         | 
         | I didn't find any meaningful security updates by Apple in
         | August 2017: https://support.apple.com/en-us/HT201222 The only
         | one listed on that page was about using HTTP to send analytics
         | data, which I don't think is the one that disabled KARMA 2.
         | 
         | Then I looked at Google. There are multiple RCE vulns with
         | severity Critical during these two months:
         | https://source.android.com/security/bulletin/2016-09-01 and
         | https://source.android.com/security/bulletin/2017-08-01
        
           | tyrfing wrote:
           | It's Apple, see the Reuters report from 2019:
           | https://www.reuters.com/investigates/special-report/usa-spyi...
           | 
           | Here's KARMA:
           | https://citizenlab.ca/2016/08/million-dollar-dissident-iphon...
           | 
           | Looking at CVEs, my guess for KARMA 2 is CVE-2017-8248,
           | patched in 10.3.3. Bit of a stretch, though. Looks like
           | whatever was patched was never really publicized.
           | 
           | https://nvd.nist.gov/vuln/detail/CVE-2017-8248
        
       | bmcn2020 wrote:
       | Does anyone know whether the spyware mentioned is anyhow related
       | to Project Pegasus [1]? It's also really interesting that Apple
       | patched security issues for iOS that were targeted by NSO Group
       | and makes me wonder if that might be the same vulnerabilities
       | exploited by the UAE hacker-for-hire company [2].
       | 
       | [1] https://cybernews.com/news/expressvpn-cio-daniel-gericke-fin...
       | [2] https://www.npr.org/2021/09/14/1036869715/apple-issues-criti...
        
       | clarle wrote:
       | Based on the timeline, is U.S. Company Two Google or Apple?
       | 
       | Who had security patches released in September 2016 and August
       | 2017?
        
       | academia_hack wrote:
       | If you actually read OP's link, the charges seem to have nothing
       | to do with the fact that these individuals once worked for the US
       | gov. Instead, the US federal government seems to be asserting
       | that knowledge of offensive security tools and practices in
       | Cybersecurity consultancy is somehow ITAR restricted in the same
       | way that a weapon blueprint would be. That strikes me as
       | absolutely preposterous and I'm disappointed the defendants
       | settled rather than pushed back on obvious federal overreach into
       | the lives and careers of private persons.
        
         | Cd00d wrote:
         | ITAR is extremely restrictive.
         | 
         | I used to build sensing systems, where I'd include an off-the-
         | shelf infra-red camera.
         | 
         | Couldn't sell the combined system abroad because the IR was
         | ITAR restricted.
        
         | darkarmani wrote:
         | Doesn't it say one of the individuals is an ex-US citizen? I'm
         | curious around that mention. How is he being charged in that
         | case?
        
         | x86_64Ubuntu wrote:
         | There's a lot of stuff that's ITAR restricted. You can't be
         | privy to classified information such as submarine prop design,
         | or turbine blade design, and then branch off your own for other
         | clients using said information.
        
           | [deleted]
        
           | sterlind wrote:
           | Under ITAR you can't even sell your own submarine props to
           | foreign countries, even if you were never exposed to
           | classified designs, right? That's why ITAR originally applied
           | to PGP.
        
         | LatteLazy wrote:
         | Settle now OR spend 20 years and millions of dollars fighting
         | it and relying on judges who've never used a computer to
         | understand complicated technical matters...
        
           | jacquesm wrote:
           | I think the number of judges who have never used a computer
           | is going to be vanishingly small by now.
        
         | sigmar wrote:
         | "Prior to their departure, U.S. Company One repeatedly informed
         | its employees, including the defendants, that the services they
         | were providing constituted "defense services" under the ITAR,
         | and that U.S. persons could not lawfully provide such services
         | to U.A.E."
         | 
         | If the above was documented, I don't think "I didn't know"
         | would have worked in court. Also even if they fought the ITAR
         | charges, they were accused of CFAA charges
        
       | [deleted]
        
       | thepasswordis wrote:
       | Increasingly it seems like our elites look at The US as a
       | resource to be mined, not a home, not a collaborative project.
        
         | asdff wrote:
         | That's all it's ever been. The homestead act made this explicit
         | in law.
        
         | kbenson wrote:
         | I think there have always been powerful people that feel this
         | way, in all countries. The problem is thinking it's something
         | new or unique to here, which leads one to think it can be
         | solved if we just look for what changed to make them that way.
         | 
         | No. They've always been there, they've always acted this way.
         | It's not a problem because of increasing lack of patriotism, or
         | a divided populace, it's just power and greed and people that
         | see themselves as not beholden to any one state. Thinking
         | it's something it's not will just lead to proposed solutions
         | that don't actually do much to affect the problem. Any solution
         | needs to be internalized and divorced from the idea that this
         | is a recent problem that we can stop caring about once we
         | "solve" it.
        
         | gorwell wrote:
         | Parasites took over at least since the 70s and are still in
         | power today, extracting everything they can. I think it's
         | reaching a breaking point now.
         | 
         | https://wtfhappenedin1971.com/
        
           | lioeters wrote:
           | The historical reference:
           | 
           | > The Nixon shock was a series of economic measures
           | undertaken by United States President Richard Nixon in 1971,
           | in response to increasing inflation, the most significant of
           | which were wage and price freezes, surcharges on imports, and
           | the unilateral cancellation of the direct international
           | convertibility of the United States dollar to gold.
           | 
           | Nixon shock - https://en.wikipedia.org/wiki/Nixon_shock
           | 
           | Nixon and the End of the Bretton Woods System, 1971-1973 -
           | https://history.state.gov/milestones/1969-1976/nixon-shock
        
           | kbenson wrote:
           | The more interesting story with that site is how many of
           | those charts indicate whatever is going on with the data it's
           | showing happened a decade after _or a decade before_ the date
           | in question, and people just blindly take it as evidence of
           | something happening in 1971.
        
           | ipaddr wrote:
           | Sugar hasn't gone up much. Harvard is so much more expensive.
           | 
           | Glad they included 3000bc short term interest rates in the
           | graph.
        
           | typon wrote:
           | According to the website the solution is....bitcoin?
        
             | Torwald wrote:
             | Are you saying this because of the quote at the end of the
             | page?
        
             | ghoward wrote:
             | I don't agree with the website, but I think I know where
             | they are coming from.
             | 
             | The year 1971 was when the US dollar was made to float,
             | instead of being backed by gold. [1]
             | 
             | I think that the website wants to have our monetary system
             | change back to being backed by something that is a limited
             | resource, and I bet Bitcoin fits the bill in their mind.
             | 
             | [1]: https://en.wikipedia.org/wiki/Gold_standard#In_the_United_St...
             | 
             | Edit: punctuation.
        
         | MattGaiser wrote:
         | The definition of "elites" at this point just seems to mean any
         | government employee or even anyone educated to the point of a
         | bachelor's degree.
        
           | ishjoh wrote:
           | For better or worse I've started to think of 'elites' more as
           | people that have differential outcomes in regards to the law.
           | So in this case these people are 'elites' because they
           | managed to stay out of prison for hacking US citizens and
           | doing corporate espionage. A non-elite would be in prison for
           | these actions, and there are lots of people who are in prison
           | for hacking others.
        
             | genericuser314 wrote:
             | Isn't your definition an example of a No True Scotsman
             | fallacy?
             | 
             | Aren't you liable to wind up in situations where you find
             | yourself saying "Ah-hah, now that person I thought was not
             | one of the elite is now one of the elite because they
             | didn't go to prison. Ah-hah, now that person I thought was
             | one of the elite is not one of the elite, because they are
             | going to prison."?
        
               | ishjoh wrote:
               | From my original comment.
               | 
               | "For better or worse I've started to think of 'elites'
               | more as people that have differential outcomes in regards
               | to the law"
               | 
               | So it's not that elites don't go to prison, in this case
               | they didn't, it's that they get extremely favorable
               | outcomes as compared to the average population. Epstein
               | is a good example of this. The first time he was
               | convicted he spent a meager 1 year in prison in
               | conditions that would never be afforded to the general
               | public.
               | 
               | These hackers are another good example of this, they got
               | a large fine but they're not spending any time in prison,
               | and yet lots of people have gotten prison time for
               | hacking.
               | 
               | Being elite is a lot different from being Scottish, in
               | that there are only vague signals for being elite, and
               | none of them are so easy to measure as being Scottish. I
               | think it's safe to say that the vast majority of elites
               | are wealthy, but I don't believe that all wealthy people
               | are elites. There are people with a lot of localized
               | power like mayors or state senators, but those people
               | certainly aren't nationally elite. To my mind the
               | clearest signal is when the system interacts with a
               | person, how does the system behave, versus when it
               | interacts with an average person. Now this is by no means
               | a definition, just how I've started thinking about the
               | question of who is elite.
        
       | aborsy wrote:
       | How does the security of a Google Pixel phone with Android or
       | GrapheneOS compare with iPhone's security?
       | 
       | The iOS exploits sound scary. Some of them are even zero click.
        
         | nebula8804 wrote:
         | What makes you think GrapheneOS is any better? Yeah it's open
         | source but it must be looked at a lot less than any iPhone. Is
         | security by 'open but not as well examined' actually more
         | secure?
        
       | hikerclimber1 wrote:
       | Businesses are allowed to deduct miles driven on cars. But the
       | problem with this is they are allowed to use the car for personal
       | as well. This should be illegal. With today's technology gps and
       | phone we should be able to track where these people go especially
       | for business meetings. They should have to disclose this
       | information.
        
       | ComodoHacker wrote:
       | As a non-US person, could someone explain a legal construct of
       | "paying $XXX to resolve criminal charges"? Doesn't "criminal"
       | mean there must be some real punishment?
        
         | parhamn wrote:
         | Criminal charges can end in fines and no jail time. Prosecutors
         | can negotiate plea deals (including fines) to avoid going to
         | court.
         | 
         | I don't know enough to comment on if this is something that
         | happens often (it certainly doesn't feel appropriate) in cases
         | like this.
        
         | Paradox0 wrote:
         | Paying a fine isn't a real punishment?
        
           | charonn0 wrote:
           | It's not a fine. That's the problem.
        
             | Paradox0 wrote:
             | Sure, it's a "financial penalty", technically. Plea deals
             | are common in many jurisdictions, and the settlement
             | imposes additional penalties. They're being punished.
        
               | tehwebguy wrote:
               | You are right that a fine is a real penalty but that's
               | not the real problem. The problem is that someone who
               | committed the same crime but has less money wouldn't
               | qualify for this option.
        
               | Paradox0 wrote:
               | Is that true? I'm not a lawyer, but I know that in
               | certain criminal plea agreements, such as in antitrust
               | cases, the financial penalty can be paid over
               | installments, the size of which is tied to the company's
               | financial performance. See e.g.
               | 
               | > If the parties agree that the recommended fine needs to
               | be paid in installments because of the defendant's
               | inability to pay the entire amount immediately, the plea
               | agreement will include the installment schedule and any
               | interest terms.(58) The payment of a special
               | assessment(59) and any recommendation on a term of
               | probation(60) or expedited sentencing(61) for
               | corporations, or requests by individual defendants to be
               | placed in a specific correctional facility,(62) will also
               | be addressed in the plea agreement.
               | 
               | https://www.justice.gov/atr/speech/us-model-negotiated-plea-...
               | 
               | And to get back to the original comment I replied to,
               | this critique seems like it would apply to any financial
               | punishment, not something that came down to a technical
               | distinction between "fine" and "financial penalty".
        
               | noitpmeder wrote:
               | Someone with no/low income will take eons to repay
               | $1.685.000, even if made in installments. I doubt it
               | would even be a serious option unless you were wealthy.
        
         | monetus wrote:
         | Eric Holder, the former attorney general, wrote a memo
         | outlining the concepts around the time of the 2008 financial
         | crisis iirc. The idea behind a deferred prosecution agreement
         | is that extracting money and good behavior out of
         | powerful/wealthy defendants is the best possible option when
         | compared to the "collateral consequences" of fully prosecuting
         | them.
        
           | jacquesm wrote:
           | A great example of class-justice by design.
        
           | quantified wrote:
           | Right. Let's see how bad the "collateral consequences"
           | actually are. Though, the result of inept or malfeasant
           | prosecution could be the equivalent of formal immunity
           | thereafter. I'd still like to take my chances.
        
           | noitpmeder wrote:
           | For reference: June 16th, 1999 -
           | https://www.justice.gov/sites/default/files/criminal-
           | fraud/l...
        
       | Jerry2 wrote:
       | No jail time? I guess when you're a member of IC, regular laws
       | don't apply to you.
        
       | badRNG wrote:
       | There is an incredibly well produced podcast episode on these ex-
       | NSA engineers working for the UAE that came out a couple of years
       | ago. Check out Darknet Diaries Ep47: Project Raven [1].
       | 
       | Synopsis is that the UAE hires ex-NSA employees as "penetration
       | testers" and when they enter the country for cybersecurity work,
       | some are pulled aside to be briefed to an opportunity called
       | "Project Raven" to assist Emirati intelligence with targeting,
       | allegedly in the interest of counter-terrorism. The thing is,
       | only Emiratis have "hands on keyboard" while the US engineers sit
       | beside them and guide them, which supposedly dodges any legal
       | concerns. Those who Jack interviewed decided to leave Project
       | Raven when it became clear they were targeting dissidents, human
       | rights activists, and later, Americans. As you might imagine, ex-
       | NSA employees who target US citizens for a foreign government are
       | breaking the law. I do wonder if it's these ex-Project Raven
       | engineers that have led prosecutors down the road to where we are
       | now.
       | 
       | [1] https://darknetdiaries.com/episode/47/
        
         | walrus01 wrote:
         | It sounds to me like the UAE made a decision to stop paying
         | vast sums of money to the NSO group and started throwing money
         | at trying to develop their own similar domestic capability.
         | 
         | From a purely pragmatic perspective of a UAE royal family
         | member worried about domestic dissent I can see why they would
         | do that, not that I agree with it in the slightest.
        
           | ThisIsTheWay wrote:
           | > It sounds to me like the UAE made a decision to stop paying
           | vast sums of money to the NSO group and started throwing
           | money at trying to develop their own similar domestic
           | capability.
           | 
           | Why not both?
        
             | pbhjpbhj wrote:
             | Presumably, the latter is less of a risk; they probably
             | don't want NSO to know their business and there's going to
             | be at least metadata leaking that points to what they're
             | doing. Plus, presumably, there's always a chance NSO could
             | play them off to a higher bidder?
        
               | ThisIsTheWay wrote:
               | I agree about UAE wanting to keep their cards close to
               | the chest, but I think the choice between NSO/other third
               | party hacking groups and developing in house is an AND
               | statement, not OR. At the end of the day, developing
               | adequate zero day chains that provide access akin to
               | NSO's Pegasus is an extremely time and talent intensive
               | endeavor, and having multiple options to procure those
               | capabilities is the more likely solution.
        
             | aborsy wrote:
             | The price of a software, or use of an exploit, for a nation
             | state is nothing!
             | 
             | Money is probably not the only factor.
        
               | snovv_crash wrote:
               | UAE is probably very suspicious of NSO software coming
               | from Israel, and what other, hidden, capabilities it
               | might have.
        
               | cyanydeez wrote:
               | yeah, no matter how equally dirty your supplier is, they
               | still have different motives than you, regardless of any
               | human bias.
               | 
               | perfect principal-agent problem
        
             | cyanydeez wrote:
             | the principal agent problem. whenever you hire an agent
             | whose interests are not specifically aligned with yours,
             | there's an existential problem ensuring your principal
             | concerns are acted upon.
             | 
             | so yeah, you want your agents to have a principal stake so
             | having an NSA agent direct your staff brings more surety than
             | some random third party like NSO doing your dirty work even
             | if it's just handing over software. we all know it matters
             | the route your hardware and software comes from if you are
             | involved in national security.
        
               | ThisIsTheWay wrote:
               | > we all know it matters the route your hardware and
               | software comes from if you are involved in national
               | security.
               | 
               | No security apparatus in the world has the capability to
               | build and execute everything they want to on their own.
               | Hardware and software is always procured from multiple
               | sources.
        
           | dr-detroit wrote:
           | They stopped back in 2017 when WannaCry happened when we
           | found out that Chinese, Russians, any mid to high level player
           | has full access to the NSA suite of tools for cheaper than
           | the US traitors. (sorry, not traitors. on HN they are
           | "patriots" lol. I just say traitor because they specifically
           | hate me.)
        
           | mike_d wrote:
           | > It sounds to me like the UAE made a decision to stop paying
           | vast sums of money to the NSO group and started throwing
           | money at trying to develop their own similar domestic
           | capability
           | 
           | Running an intelligence service is a lot more than hacking a
           | random phone once in a while. They buy lots of products from
           | lots of vendors, develop some things in house, and hire a lot
           | of talent from overseas.
        
         | josephd79 wrote:
         | That podcast is great. I just found it a couple weeks ago, and
         | I've listened to a few already.
        
         | pengaru wrote:
         | DND has some interesting episodes, but "incredibly well
         | produced" is not how I would describe any.
         | 
         | And Jack's sophomoric exaggeration of the otherwise banal often
         | echoes of chicken little.
         | 
         | If anything it highlights a need for better podcasts in this
         | domain.
        
           | atmosx wrote:
           | Feel free to create one :-)
        
           | rhizome wrote:
           | In the Chicken Little story everybody except Chicken Little
           | is eaten by the fox, do you mean the boy who cried wolf?
           | Except oops, everybody dies in that one too.
        
             | vxNsr wrote:
             | In both of those stories the reason that happens is bec the
             | eponymous character loses all credibility by telling many
             | lies, when they finally tell the truth no one believes
             | them.
        
         | InvOfSmallC wrote:
         | I came here to say this. Best podcast ever btw.
        
           | WillPostForFood wrote:
           | Any other episode recommendations?
        
             | hoten wrote:
             | The LinkedIn ep + the next few follow the same story. very
             | good!
        
             | throwaway287391 wrote:
             | "Jeremy From Marketing" (Ep. 36) is another one about a pen
             | tester, and it's really engrossing, like an action thriller
             | in your ears.
        
             | dqv wrote:
             | Start from the beginning! Manfred Part 1 and Part 2 are
             | great.
        
             | mh8h wrote:
             | I loved the XBox Underground ones.
        
             | stef25 wrote:
             | - The Stuxnet one is pretty good. Went straight out and
             | bought the book.
             | 
             | - The one about Pirate Bay if you want to hear what a
             | colossal, confused prick one of the guys behind it is
        
         | bpodgursky wrote:
         | > The thing is, only Emiratis have "hands on keyboard" while
         | the US engineers sit beside them and guide them, which
         | supposedly dodges any legal concerns.
         | 
         | I find it pretty hard to believe any judge would buy this.
        
           | circular_logic wrote:
           | Agreed.
           | 
           | It's one thing to teach general skills and another to help do
           | the actual hacking
           | 
           | If they are being guided through the actual hacking then
           | that's saying that only the driver in pair programming is
           | producing code
        
           | Enginerrrd wrote:
           | You're probably right, but I think it also depends...
           | 
           | Is a professor at MIT teaching cyber security exploit
           | development guilty of the same crime?
           | 
           | What about a consultant teaching how to use a particular tool
           | or how to look for a particular family of exploits?
           | (Potentially legally dodgy, depending on the client, but
           | probably ok in a lot of grey areas)
           | 
           | What about a consultant which performs a passive audit of a
           | target for a 3rd party? (Starting to get pretty dodgy, but
           | probably depends both on the 3rd party and the target and the
           | nature of the audit)
           | 
           | It's... probably not so cut-and-dry. Though I agree that it
           | doesn't sound like a get-out-of-jail-free card.
        
             | jareklupinski wrote:
             | I'm sure the intent of the MIT professor/consultant passing
             | their knowledge on to others is to get ahead of the actual
             | attackers and help prevent further crime(s against
             | humanity), not to actively participate...
        
             | gentle wrote:
             | You're just being argumentative. You know the answer.
        
             | [deleted]
        
           | mike_d wrote:
           | Yet this would be very familiar to anyone with previous
           | intelligence experience in the US. The person with hands on
           | keyboard will change depending on if the mission is being
           | conducted under Title 10 or Title 50 authority.
        
           | hguant wrote:
           | Does an instructor who trains someone who goes on to commit
           | murder using the techniques they taught become legally
           | culpable for the murder?
           | 
           | If your company offers some service - consulting to set up
           | their infrastructure, or helping them navigate AWS -
           | necessary to the running of the company, and that company
           | goes on to commit a crime are you at fault? They couldn't
           | have done it with out you, after all.
        
             | [deleted]
        
             | zardo wrote:
             | How many School of the Americas instructors were
             | prosecuted?
        
             | openasocket wrote:
             | Legally, it depends. The term you're looking for is
             | "criminal conspiracy". In US law this is, roughly, an
             | agreement between two or more people to commit a crime, and
             | at least one of the people commits an "overt act" in
             | furtherance of the crime. In the case of these officers,
             | and in your two hypotheticals, there is an overt act taking
             | place. An overt act does not need to be illegal, it just
             | has to be an action taken to assist in the planned crime.
             | For instance, buying ski masks is perfectly legal, but if
             | you bought ski masks in preparation for your bank robbery,
             | that counts as an overt act. But is there an agreement to
             | commit a crime? Generally speaking, in the company-
             | offering-services example, if you did not know the other
             | party was going to commit a crime, and a reasonable person
             | in your position wouldn't think the other party was
             | planning to commit a crime, you are not engaged in criminal
             | conspiracy. There's tons of special cases and nuances here,
             | but that's roughly what happens.
        
               | tptacek wrote:
               | That's if they charge conspiracy in the first place.
               | 
               | The more general answer here is that the criminality of
               | exploitation depends a lot on your state of mind (a
               | property of law that HN always has a hard time
               | with). A professor teaching a class to an anonymous group
               | of students is not at all the same thing, in criminal
               | law, as that same professor standing behind foreign
               | intelligence operatives coaching them on a targeted
               | attack.
               | 
               | The confounder here is that there are statutes you can
               | theoretically violate by providing some specific
               | exploitation tools to foreign nationals.
               | 
               | The MIT professor, in an MIT classroom, is never going to
               | be charged (same almost certainly goes for a consultant
               | teaching an exploit class at Black Hat USA).
        
             | corv wrote:
             | Strictly ethically speaking, yes they would be at fault
        
             | mmastrac wrote:
             | Let's say you are a gun instructor. You take your student
             | out to the street, hand them a sniper rifle and point at
             | their victim. You walk them through the process of pulling
             | the trigger and how to make sure they get their target.
             | 
             | The judge isn't going to let that slide. In both cases, you
             | are an accessory.
        
               | sterlind wrote:
               | Technically I think both parties would be guilty of
               | murder, but that's specific to murder charges. For
               | instance, getaway drivers have been charged with murder
               | because the robbers they transport shoot someone.
        
               | likpok wrote:
               | That is specifically "felony murder", which wouldn't
               | apply here (though conspiracy might?). Felony murder is
               | the idea that you are guilty of murder if someone dies as
               | a result of you committing another felony (sometimes from
               | a specific enumerated list).
               | 
               | If you are a direct participant in the murder you might
               | just get charged with it (perhaps as a conspirator which
               | I think often has roughly the same penalties).
        
         | newbamboo wrote:
         | The law seems very debatable at present. See for instance the
         | current uproar over Milley/Esper decision to resist well
         | established presidential powers. The law is whatever the media
         | conglomerates collectively decide.
        
           | badRNG wrote:
           | This has nothing to do with the post nor the comment you're
           | replying to. There's no need to inject an unrelated political
           | point into the top post's top comment; just make your own
           | post about the subject so it can be discussed there.
        
             | newbamboo wrote:
             | I take your point but disagree that they are unrelated.
             | They are different news items, so I'll try and isolate my
             | comments in that way. I just think that people working
             | infosec should care a lot about the sanctity of law and the
             | importance of judicial review. If we let the court of
             | popular opinion reign supreme, hackers will always lose and
             | the powers that be, the elite, will always maintain
             | control. Just my opinion, which I will try and keep more
             | narrowly focused in the future.
        
           | decebalus1 wrote:
           | I think there should be a corollary to Godwin's law to call
           | out any thread that is very much subtle in trying to showcase
           | just how much Donald Trump has been wronged by 'the media'.
           | Sadly there's a surprisingly high amount of these on hn.
        
           | darkerside wrote:
           | You're right. Nothing is anything.
        
             | decebalus1 wrote:
             | And anything is everything. Then we can deduce that
             | everything is nothing.
        
         | fidesomnes wrote:
         | The NSA breaks so many laws for so long they might as well be
         | their own country. To call them out of control is an
         | understatement of unparalleled power.
        
         | topicseed wrote:
         | +1, and that podcast is incredible... Jack's storytelling
         | skills are amazing....
        
           | Reubachi wrote:
           | my one gripe, if it can be called a gripe, is that the
           | episodes are more often than not hard to follow due to the
           | complex topic/length.
           | 
           | Looking thru the feed, 8/10 of the recent casts I've listened
           | to are only about 1/4 the way thru before I had to go into
           | work, answer a call, etc. Then it's too hard to get back
           | into, and two more eps have been released by the time I get
           | another itch for DD.
           | 
           | Of course, real life is complicated and isn't a movie with a
           | plot, and DD's format rewards knowledge and listening. More
           | of a "doing dishes" podcast. Highly recommend!
        
             | dogman144 wrote:
             | Short-form security podcasts are a dime a dozen though, and
             | they usually fail to gain traction because Sec is a nuanced
             | technical/social topic that doesn't get covered in 20 mins.
             | DD is very popular, IMO, because it handles this well by
             | longer episodes.
        
       | akulbe wrote:
       | I'm confused. Isn't this considered _treason_??
       | 
       | They get no jail time? They get to buy their way out?!
       | 
       | > "Hackers-for-hire and those who otherwise support such
       | activities in violation of U.S. law should fully expect to be
       | prosecuted for their criminal conduct."
       | 
       | I know they lose their clearances and pay a bunch of money, but
       | this seems like it merits a lot more punishment than that.
        
         | freeslave wrote:
         | UAE is a US ally and so they likely do not want to put a chill
         | on their relations. "The United Arab Emirates has been
         | described as the United States' best counter-terrorism ally in
         | the Gulf by Richard A. Clarke, the U.S. national security
         | advisor and counter-terrorism expert."
         | 
         | https://en.wikipedia.org/wiki/United_Arab_Emirates%E2%80%93U...
        
           | Aeolun wrote:
           | Isn't that just because they hate everyone around?
        
         | snarf21 wrote:
         | Treason is only for poor and unconnected people. The rule
         | makers are very careful to never make white collar crime super
         | punishable.
        
         | colechristensen wrote:
         | Treason has a pretty narrow definition, if you aren't directly
         | conspiring with a foreign power (and at that probably an enemy)
         | against the US, it probably isn't treason. People like to jump
         | to that judgement, but it almost never happens.
        
           | cheschire wrote:
           | It's not probably, title 18[0] is pretty clear that it's an
           | _enemy_ that matters. However, since the United States is at
           | war with a noun, then that makes the definition of _enemy_
           | very flexible.
           | 
           | 0: https://www.law.cornell.edu/uscode/text/18/2381
        
             | colechristensen wrote:
             | Yes that flexibility of what counts as an enemy is why the
             | word "probably" was used.
        
         | xxpor wrote:
         | Well first, treason specifically is _very_ narrowly defined in
         | the US.
         | 
         | >Treason against the United States, shall consist only in
         | levying War against them, or in adhering to their Enemies,
         | giving them Aid and Comfort.
         | 
         | They didn't levy war against the US, or adhere to an enemy
         | (because the UAE isn't one).
         | 
         | But in general, it's not illegal for US citizens to join
         | foreign armies (if they aren't enemies). Lots of Jewish
         | citizens, for example, serve in the IDF.
         | 
         | "According to the U.S. code, any citizen who "enlists or enters
         | himself, or hires or retains another to enlist or enter
         | himself, or to go beyond the jurisdiction of the United States
         | with intent to be enlisted or entered in the service of any
         | foreign prince, state, colony, district, or people as a soldier
         | or as a marine or seaman ... shall be fined under this title or
         | imprisoned not more than three years, or both." But a court
         | ruling from 1896 involving U.S. citizens who fought with Cuban
         | revolutionaries against Spanish colonial rule interpreted this
         | to mean that it was only illegal for citizens to be recruited
         | for a foreign army in the United States, not to simply fight in
         | one."
         | 
         | https://foreignpolicy.com/2011/09/02/is-it-legal-for-america...
        
           | ChrisMarshallNY wrote:
           | There were also the Flying Tigers, in 1941. I think they may
           | have been enlisted soldiers, though, as opposed to private
           | citizens.
           | 
           | https://en.wikipedia.org/wiki/Flying_Tigers
        
           | this2shallPass wrote:
           | > Lots of Jewish citizens, for example, serve in the IDF.
           | 
           | How many is "Lots"?
           | 
           | Apparently the US doesn't keep records of this phenomenon
           | that are easily accessible.
           | 
           | This article^ from 2017 says 1,000 Jewish Americans serve in
           | the IDF.
           | 
           | Of the ~7,000,000 Jewish Americans*, that's ~0.0143% of
           | Jewish Americans serving in the IDF.
           | 
           | If 1,000 joined and served each year, and live to an average
           | age of 70, doesn't that mean ~50,000 people? That would mean
           | ~0.714% of Jewish Americans having served in the IDF.
           | 
           | ^ https://www.thedailybeast.com/1000-americans-are-serving-
           | in-...
           | 
           | * approximate number. 7.153-7.5 million are good estimates.
        
         | [deleted]
        
         | RealityVoid wrote:
         | It's really, historically no different than any soldier that
         | chooses to fight in another country's war, and that is pretty
         | common along history. Usually, they were only punished if the
         | geopolitical scenery called for it.
        
           | lainga wrote:
           | Famously https://en.wikipedia.org/wiki/Karl_Llewellyn was in
           | Paris when WWI broke out, but managed to reach Germany, and
           | briefly fought alongside (without joining) the German Army.
        
         | literallyaduck wrote:
         | Laws are for the little people who don't have important
         | friends. Want to hack? Want to call China as a US general? As
         | long as you are in good standing with the Party you can write
         | your own ticket.
         | 
         | Edit: Just a year ago our feeds were full of people complaining
         | about a call to Russia from an underling who was not a US
         | general.
        
           | x86_64Ubuntu wrote:
           | I don't think calling China as a US general is in the same
           | bucket as hacking for hire.
        
             | _3u10 wrote:
             | Informing the Chinese of an insurrection in the US chain of
             | command that the general himself is leading is far worse.
        
               | dukeofdoom wrote:
               | Pelosi said Trump will be 'fumigated out' if he refuses
               | to leave the White House. How was that supposed to
               | happen, if not for the military. Communication between
               | Pelosi and Military leaders were ongoing.
               | 
               | "House Speaker Nancy Pelosi said she spoke to Joint
               | Chiefs of Staff Gen. Mark Milley about precautions that
               | could block President Trump from "ordering a nuclear
               | strike" or accessing launch codes and starting military
               | hostilities"
               | 
               | Source: https://www.cnbc.com/2021/01/08/pelosi-prevent-
               | trump-from-la...
        
               | [deleted]
        
               | _3u10 wrote:
               | Did he refuse to leave?
        
               | dukeofdoom wrote:
               | He refused to concede the election like he was supposed to,
               | and continued to question the validity of mail in ballots
               | and challenge the election results. Probably not after he
               | found out the military was going to fumigate him out.
        
               | _3u10 wrote:
               | I'll take that as a no, he left when and as required by
               | law.
        
               | [deleted]
        
         | andrewnicolalde wrote:
         | Maybe not treason, but surely espionage?
        
         | diskzero wrote:
         | People like to use the term treason a lot, but as it is defined
         | under Article III, Section 3 of the US Constitution, their
         | actions are not treasonous. If you can prove otherwise, I am
         | all for it though!
         | 
         | Specifically, they were charged with:
         | 
         |  _Violations of U.S. export control, computer fraud and access
         | device fraud laws. The Department filed the DPA today, along
         | with a criminal information alleging that the defendants
         | conspired to violate such laws._
         | 
         | I think they are losers, scumbags and unethical and I hope that
         | no one who reads HN ever hires them and that they never work in
         | any capacity that comes into contact with IT, Infosec or any
         | other hi-tech industry.
        
           | _3u10 wrote:
           | How is going to work for more money a loserish activity? My
           | understanding is that the US contractors underpay so being
           | patriotic Americans they went to work for a better company.
        
             | truted2 wrote:
             | "Few men have virtue to withstand the highest bidder."
             | -founding father and first president of the United States
             | of America
        
               | _3u10 wrote:
               | Likely why he offered the Hessians 30 acres in addition
               | to citizenship to defect.
        
             | jjulius wrote:
             | Is income really the only signifier of what makes an
             | activity loserish to you? Not who they work for, the work
             | they're doing, who it may target, the rules they may
             | actively be choosing to break in the process, etc.?
        
               | _3u10 wrote:
               | Looking at the document it appears that they are working
               | for the same nation state, they just cut out the red tape
               | and a few layers of middlemen.
               | 
               | Most people in the software field feel the ITAR
               | regulations as applied to code are ridiculous including
               | but not limited to the EFF. Most consider it to be an
               | abridgment of their 1st amendment rights.
        
             | [deleted]
        
             | diskzero wrote:
             | Having a desire to increase your income is fine. For some,
             | it is their primary motivation, for others it is a result
             | of being recognized for producing valuable results. Each
             | person has their own moral code; for some, even working for
             | Google or Facebook falls outside of that code.
             | 
             | I have worked with various companies that have contracts
             | with the US military and other agencies. I wouldn't say
             | they underpay. I would actually say they pay pretty well,
             | but once again, this has to align with whatever your
             | personal values are. Some people are quite happy to work
             | for a three letter acronym agency and couldn't ever
             | conceive of working for a FAANG or a foreign entity.
             | 
             | I am sorry that a general perception of Americans might be
             | that we are mercenary and will run after the highest paying
             | opportunity. There are 300 million of us, and I would say
             | that a majority of Americans are driven by values that
             | don't include the theft of national intelligence assets or
             | chasing after money no matter the consequence.
        
               | _3u10 wrote:
               | Why apologize for greatness, the entire ethos of America
               | is that it's the best place for the individual. That
               | other countries choose to impoverish and restrict rights
               | is nothing that requires apology.
        
         | MattGaiser wrote:
         | I assume because the country is an ally they don't get in as
         | much trouble.
        
           | mhh__ wrote:
           | Jonathan Pollard, though? It definitely varies.
        
       | rank0 wrote:
       | The punishment seems pretty insignificant here. I am surprised
       | the DoJ isn't pursuing prison time.
        
         | pianoben wrote:
         | It sounds like the three defendants are also cooperating with
         | ongoing investigations; that would certainly play a role in the
         | terms of the deal, if so.
        
         | legrande wrote:
         | There is a _lot_ of CFAA[0] trial evasion going on perhaps?
         | 
         | [0] https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
        
       ___________________________________________________________________
       (page generated 2021-09-15 23:00 UTC)