[HN Gopher] WhatsApp forces Pegasus spyware maker to share its s...
___________________________________________________________________
WhatsApp forces Pegasus spyware maker to share its secret code
Author : Tomte
Score : 425 points
Date : 2024-03-01 21:02 UTC (1 days ago)
(HTM) web link (arstechnica.com)
(TXT) w3m dump (arstechnica.com)
| rdtsc wrote:
| > Initially, the NSO sought to block all discovery in the
| lawsuit, "due to various US and Israeli restrictions," but that
| blanket request was denied.
|
| Interesting approach. The court could probably care less about
| Israeli restrictions as it's a different country.
|
| Officially US govt blacklisted Pegasus
| https://arstechnica.com/tech-policy/2021/11/us-blacklists-ma....
| However, I wouldn't be surprised if some US spy agencies are
| still using it. If that's the case, Pegasus might try asking US
| intel agencies to block the case on the basis of disclosure of
| classified info or harming national interests.
|
| It would be interesting to see if all of the sudden "something
| happens" and the case is mysteriously dropped.
| ethbr1 wrote:
| I doubt US spy agencies still use it in any official capacity.
|
| Far easier to just request and obtain the resulting
| intelligence from partner intelligence organizations who _are_
| using it.
|
| Arms-length collection is less legally perilous.
|
| But which does bode poorly for any assertion of national
| security in US courts! "Are you using this software?"
| "Officially, no." "Then on what basis do you claim national
| security?"
| cheeze wrote:
| I don't know much in this space, but if I'm the US Gov I'm
| happy that all of the attention is on Pegasus and not other
| (presumably) tens (hundreds) of similar programs out there.
| gsk22 wrote:
| Thanks to the FISA "court" system, I doubt US spy agencies
| fear any legal repercussions.
|
| No need to follow the law if you have a secret court where no
| one has standing to challenge your actions.
| ethbr1 wrote:
| Omnipotent and yet completely legally-neutered FISA is a
| lazy excuse to avoid thinking about things.
|
| There are no illuminati.
|
| There are powerful institutions, who nonetheless fear other
| powerful institutions.
|
| In this case, intelligence preferring to remain out of the
| courts and newspapers.
| staplers wrote:
| There are no illuminati.
|
| Interesting psyops to conflate corruption with
| "illuminati"..
| mardifoufs wrote:
| Who said anything about illuminatis? Does FISA
| effectively allow intelligence agencies to hide stuff or
| not? And can you show me a concrete example of IA
| actually getting punished from other powerful
| institutions in any meaningful way?
| ethbr1 wrote:
| FISA allows them to conduct it legally. It doesn't have
| anything to do with hiding.
|
| Before FISA, they generally just did it, without asking
| anyone.
|
| And press reports on intelligence operations led directly
| to the Church/Pike Committees, which led to EO
| 11905/12036.
| mardifoufs wrote:
| Who exactly was punished by that EO? You are proving my
| point, even the most "push back" IAs have seen in terms
| of concrete actions against them led to... a directive
| that forbid them from murdering people in foreign
| countries. No actual consequences for anyone involved, no
| one got even a slap on the wrist in terms of actual
| consequences. And that's after the church committee,
| which revealed some super damning stuff.
|
| Oh, and they went back to doing it after a few decades.
| ethbr1 wrote:
| Are you really asking me to cite classified operations?
|
| And the fact that subsequent Executive Orders explicitly
| loosened the reins on intelligence collection (and
| assassination with respect to "terrorists") indicates
| that yes, the original orders did restrict intelligence
| operations.
| jtbayly wrote:
| It sounds like you are claiming that IA's have been
| punished for their abuses, but we'll just have to trust
| you on it because the punishments were classified
| operations. Doesn't make sense at all, unless you're
| saying that the punishments were certain spy chiefs
| secretly murdered or something.
| j16sdiz wrote:
| > There are powerful institutions, who nonetheless fear
| other powerful institutions.
|
| They don't "fear" other powerful institutions. Just like
| chess players, they "game" with each other.
| asveikau wrote:
| The problem with FISA as I understand it is not
| illuminati. It's that the court probably approves almost
| everything the government asks for without scrutiny. In
| general, most courts probably have issues like this --
| when their job might be oversight and scrutiny they end
| up as a rubber stamp for the powerful, like cops,
| prosecutors, etc. For FISA it's especially bad because
| decisions and arguments made aren't public.
| ethbr1 wrote:
| But it nonetheless exists and could be reformed if there
| were political will. There was a (much worse) time when
| FISA didn't exist.
|
| There can also be a future time in which something even
| stronger exists!
|
| It's annoying to get low-effort whatabout'isms that are
| justifications for inaction on the basis that nothing
| will ever change.
|
| It has and it can.
| asveikau wrote:
| I don't think I'm doing whataboutism by stating common
| criticisms of US criminal justice and of FISA.
|
| Although, having considered these topics over the years,
| I am skeptical that we will do better. Humans are flawed.
| Truth and justice are hard to achieve, even with the best
| intentions. Anyone involved with these topics -- judges,
| prosecutors, lawmakers -- should have a very high sense
| of humility in what they are doing. Often they do not.
| rvba wrote:
| > Far easier to just request and obtain the resulting
| intelligence from partner intelligence organizations who are
| using it.
|
| Couldn't they ask to spy on a phone owned by them to try to
| learn how the phones are infected?
| dkjaudyeqooe wrote:
| What's "interesting" is that they claim protection available to
| governments, as if they speak and act on behalf of those
| governments.
| rdtsc wrote:
| Exactly, that's pretty odd. They could be delusional, just
| bluffing, or they really expect someone from the US
| government to put their finger on the scales for them, or
| make the scale disappear altogether.
| pvo50555 wrote:
| couldn't* care less
| libraryofbabel wrote:
| Much as it may pain you, "could care less" is an established
| idiom in American English that's been in use for 70 years,
| and Webster's dictionary has a whole page about it:
| https://www.merriam-webster.com/grammar/could-couldnt-
| care-l..., in which they say:
|
| > people who go through life expecting informal variant
| idioms in English to behave logically are setting themselves
| up for a lifetime of hurt.
| SturgeonsLaw wrote:
| I couldn't care less if there's a group of people misusing
| the phrase, logically "I could care less" means the exact
| opposite of "I couldn't care less".
|
| The majority of the world is not American, and presumably
| the majority of Americans don't use the incorrect phrase,
| so why should the rest of the world cater for a minority
| within a minority by putting their butchered phrase on
| equal footing with the correct phrase?
| skyyler wrote:
| Because you knew what they meant and trying to correct
| them only serves to make you feel good about your own
| knowledge.
|
| You aren't helping anyone when you correct them on this.
| Onawa wrote:
| I agree. I've learned to not care when people say
| 'expresso' instead of 'espresso', and 'ex cetera' instead
| of 'et cetera'. I know what they mean, you know what they
| mean, and correcting everyone only serves to alienate
| others.
| skyyler wrote:
| A little kindness goes a long way.
| petesergeant wrote:
| > I've learned to not care when people say 'expresso'
| instead of 'espresso'
|
| I stopped correcting people on stuff like this 20 years
| ago, but sadly haven't been able to stop myself caring
| :-/ "Expresso" still grates
| lmm wrote:
| If you understood someone with difficulty, offering a
| correction is constructive, particularly on the web where
| editing is often easy.
| o11c wrote:
| It costs _everyone_ time and effort to try to decode
| nonsensical input.
|
| It's a crime against humanity to _not_ correct grammar.
| pests wrote:
| Does it? I decode it instantly and understand the meaning
| just like I know what a "fishbowl" is. There is no
| "decoding" or even nonsensical input in this case.
|
| You are just being stubborn and trying to adhere to an
| outdated standard. Upgrade or get replaced.
| gifvenut wrote:
| But you are not everyone.
| zztop44 wrote:
| It's not grammar and it's not a correction. The phrase "I
| could care less" has only one meaning and that meaning is
| "I don't care". It is being used correctly.
| sirsinsalot wrote:
| If I make a mistake like this, please correct me. That's
| one way I can improve. This attitude of just not
| correcting people is idiotic.
|
| It's on the person receiving the correction or criticism
| to ignore it if they wish. Not on people to be silent.
| serial_dev wrote:
| Like I could care less (but the "like" is silent)
| hackerlight wrote:
| It doesn't mean the opposite, though.
|
| For a formal linguistic example, see the concept of
| compound words. The meaning of the compound word does not
| equal the meaning of any of the constituent words. Often
| because the definition of the constituent words has
| drifted over time while usage of the compound word
| remained fixed.
|
| You may unilaterally think that's wrong because you wish
| to impose a set of rules on language that others don't
| share, but that's not how meaning works. A sentence is
| just a string of bits. Meaning comes from a _shared
| consensus_ about how to parse those bits into meaning.
| delta_p_delta_x wrote:
| > You may unilaterally think that's wrong because you
| wish to impose a set of rules on language that others
| don't share, but that's not how meaning works.
|
| 'A set of rules' is called grammar. It may have arisen
| organically and out of 'shared consensus' but today
| languages only make sense when we maintain that grammar.
|
| Imagine if the positions of the words in the above
| sentence were randomly jumbled up. It'd make no sense at
| all.
|
| English is somewhat more lax than other languages about
| grammar (stemming from its extremely wide usage) while
| still being able to get the point through, but striving
| for correct grammar should always be a goal, even if 'the
| point has got through'.
|
| Many other stricter and older Indo-European languages
| that haven't experienced as many changes as English has,
| can be machine-parsed like a programming language.
| Sanskrit and Latin come to mind.
| Propelloni wrote:
| The GP is talking semantics, you are talking syntax. We
| are failing the language game here.
| hackerlight wrote:
| > Imagine if the positions of the words in the above
| sentence were randomly jumbled up.
|
| But "could care less" isn't random. It is an idiom that
| has the same _meaning_ as "couldn't care less". If you
| fed it into a LLM it would know what you mean because
| meaning is created from global context. Meaning is not
| some kind of programming language where you input the
| rules of grammar and the definition of each constituent
| word, and then out pops the meaning of the sentence. It
| is impossible to derive meaning that way because meaning
| is constructed by shared consensus about what collections
| of words mean in different contexts according to common
| usage.
| delta_p_delta_x wrote:
| > But "could care less" isn't random. It is an idiom that
| has the same meaning as "couldn't care less".
|
| That is what I meant by 'English is lax enough about its
| grammar that "the point still gets through"'. 'Could care
| less' being _wrong_ but semantically understood is
| exactly along the lines of 'could of' being wrong but
| semantically understood as 'could've', or the frequent
| confusion between 'their' and 'they're', or even any
| other confusion between homophones in written text.
|
| Certainly, most Anglophones know enough English to read
| past these sorts of mistakes and _still_ understand the
| underlying meaning (i.e. semantics) from context, but
| they are _all_ incorrect, full stop.
| hackerlight wrote:
| > but they are all incorrect, full stop.
|
| I don't agree. Correctness is strictly determined by
| common usage. You're viewing language through the lens of
| a software engineer, where there are logical rules and
| primitives that combine together to construct outputs
| from inputs. Language isn't logically airtight like this.
| "Could care less" shouldn't be thought of as three words.
| Think of it as one single new word with its own meaning
| that has no necessary connection to the meaning of the
| constituent parts that make it up. Just like compound
| words and other idioms.
| delta_p_delta_x wrote:
| > I don't agree. Correctness is strictly determined by
| common usage.
|
| Happy to agree to disagree, especially when there is this
| much teeth-gnashing about how 'correct' this usage is--
| just within this thread. My point about 'could of' was
| even brought up elsewhere.
|
| > Language isn't logically airtight like this.
|
| But it is--or at least, people make it so. In a world
| where what people say or write is regularly
| misconstrued/misinterpreted and lands them in jail, or
| persecuted, or even killed, I believe clarity, accuracy,
| (factual and syntactic) correctness, and honesty should
| be something that every writer should strive toward.
| Someone else brought up contronyms--which I believe ought
| to be avoided as much as possible because of their
| potential to cause much confusion even _with_ context (
| 'sanction' is a very powerful example).
|
| This sort of wishy-washy 'it is correct because people
| understand it' only reminds me of 'alternate facts'. I
| don't like it and I wish people wouldn't put up with it.
| wlll wrote:
| > It doesn't mean the opposite, though.
|
| It does in my English though, and it really really grates
| when I hear it. Just because a minority of people have
| started abusing the language doesn't mean I have to go
| along with it.
|
| > compound words
|
| Compound words like "afternoon" where the two words
| themselves make sense together? "couldcare" might be a
| compound word, but "could care" isn't. Plus, if I start
| to say "after noon" to mean "mid morning" then get pissed
| off when people call me out on my language butchery then
| perhaps my minority take and desire to impose it on the
| rest of the world would make me the person in the wrong.
| cortesoft wrote:
| And logically, flammable and inflammable mean the exact
| opposite, but here we are.
| omneity wrote:
| Not quite. "in" here as a prefix is not a negation thing
| but to _do_ something like "en" in "enhance" or
| "encapsulate". The word's actual Latin root is
| "inflammare" which means to put something _in_ flames.
| The subject is the one doing the burning and it's
| transitive.
|
| Flammable on the other hand comes from "flammare", which means
| for something to catch fire, and is intransitive instead,
| i.e. the subject is the one catching fire.
|
| The actual opposite of inflammable is uninflammable,
| which I reckon is only in British English at this point
| and mostly lost in American English.
| forty wrote:
| In French we don't have flammable, only _inflammable_
| (meaning that it CAN catch fire). And the opposite is
| _ininflammable_ ^^
|
| Something in flames is "enflammé" (there is the en-
| prefix ^^).
| gessha wrote:
| As I've followed the news for many years now, not many
| things in France are inflammable :D
| karim79 wrote:
| Contronyms are what you're referring to. Indeed,
| flammable/inflammable, also sanction/sanction
| (permit/punish) and other examples such as fast/fast
| (going quickly/held in place).
|
| Still, I do find "I could care less" to be less of a
| contronym and more of an "Americanism". I'm quite used to
| it by now, and shall thereby sanction its use.
| mardifoufs wrote:
| The majority of the world doesn't speak English, so why
| care about using correct English at all right? Btw
| American English is still the most common variant on the
| internet. More so than British English.
| wlll wrote:
| > The majority of the world doesn't speak English
|
| And yet here we are.
|
| To paraphrase David Mitchell
| (https://www.youtube.com/watch?v=om7O0MFkmpw), the
| problem is not so much the prevalence of American
| English, which in a lot of situations makes sense. eg.
| "sidewalk" makes a lot of sense, perhaps more, than
| "pavement" for the place that a pedestrian walks at the
| side of a road. "Parking lot" for a lot of land that is
| reserved for parking etc. The issue is that "could care
| less" means the opposite of what people intend them to
| mean, and they're just expecting the people listening to
| interpret what they mean.
| abenga wrote:
| One day, this reasoning will formalize the use of
| "would/could/should of" and I will rage quit English as a
| language.
| ryanjshaw wrote:
| The examples in that article do not actually argue for the
| point being made (that this has been going on for 70
| years):
|
| > His bearing towards male acquaintances, of whom he knew
| little or nothing and could care less, ...
|
| Here, "could care less" refers to how little he knows about
| the male acquaintances, and is effectively saying he cares
| even less than the little he knows. When we see people
| write "could care less", they don't write it in the same
| context, at all.
|
| And then:
|
| > It is impossible that he could care less.
|
| This is clearly a different way to write "couldn't care
| less", and is again not how we see people use the phrase
| "could care less".
|
| That being said, "could care less" is definitely a thing of
| the last 10-20 years and is not going anywhere.
| choxi wrote:
| Why do they do this instead of just maintaining the correct
| usage? The redefining of the word "literal" to mean
| "potentially not literal" really grinds my gears.
| BeFlatXIII wrote:
| I enjoy deliberately misinterpreting the nonsense idioms to
| frustrate their users.
| Jerrrry wrote:
| Per my "troll metric" / rage bait/"le reddit quantification",
| formalized as a response's comment's conversational entropy
| divided by parent comment length, this is a fantastic
| comment.
|
| Pure, distilled, thought provocation.
|
| Thank you.
| acidburnNSA wrote:
| I love this humorous video on this topic:
| https://www.youtube.com/watch?v=om7O0MFkmpw
| saagarjha wrote:
| I would be very surprised if they were. Sanctions are no joke
| and there are plenty of Five Eye-aligned shops with similar
| capabilities.
| ignoramous wrote:
| Yep, here's TAG's (Threat Analysis Group) recent report on
| _Commercial Surveillance Vendors_ (CSVs) making millions with
| SaaS-like business models:
| https://storage.googleapis.com/gweb-uniblog-publish-
| prod/doc...
|
| Apparently, the social & political elites worldwide are
| tripping themselves over to purchase licenses from these CSVs
| that cost millions.
| bradleyjg wrote:
| _It would be interesting to see if all of the sudden "something
| happens" and the case is mysteriously dropped._
|
| Conspiracy theories notwithstanding you'd see a sealed court
| filing and not "something happens."
| qingcharles wrote:
| Right. I don't know that I've ever just seen a case vanish
| from a docketing system like that...!
| lupire wrote:
| Is this a new precedent, that "legal" hackers that operate in two
| countries can be forced to divulge their vulns?
| SturgeonsLaw wrote:
| I hope so, the fact that attackers can hide behind
| international borders is an eternal thorn in the side of us
| blue teamers. Anyone who commits a crime in another country
| should be subject to that country seeking legal redress.
| bluGill wrote:
| That is typically the case. If you commit a crime and flee to
| a different country, where you go will arrest you and turn
| you over to the country that you did the crime in.
|
| There are many treaties on this. It gets complex, some
| countries will not turn criminals over if the death penalty
| would be used for example. However in general if you
| commit a crime you can't flee to a different country.
|
| Countries like North Korea and Russia are exceptions. Which
| is why malware so often comes from them. Anyone else and you
| are likely to be caught.
| andyferris wrote:
| The one that gets me is when someone does something on the
| internet that is legal in their country, but not in
| another, and the other tries to extradite and charge the
| person as a criminal.
|
| If I run an Internet-facing server, where is it deemed to
| be? Everywhere?
| sjy wrote:
| That generally doesn't happen.
| https://en.wikipedia.org/wiki/Double_criminality
| rangestransform wrote:
| If an extradition treaty would mean recognizing the
| judgments of Russian kangaroo courts in the US, I'd rather
| not
| cedws wrote:
| I don't understand why the NSO Group, and by extension Israel,
| has not been sanctioned over this spyware. It's a dangerous
| company that sells tools ripe for abuse to some of the West's
| worst anti-democratic enemies.
| devwastaken wrote:
| Peace and "defense" are marketing. Eisenhower warned of the
| military industrial complex and its growing power.
|
| It's mainly not "the wests" enemies contracting NSO, it is the
| west.
| FactKnower69 wrote:
| -1 because this comment made me feel bad. The US and its
| client states have never done anything to deserve this
| reputation, and to suggest that they have is frankly nothing
| short of unpatriotic. The Lavon Affair never happened.
| roywiggins wrote:
| NSO has been:
|
| https://www.state.gov/the-united-states-adds-foreign-compani...
| cedws wrote:
| Ah, didn't know that, thanks. It seems NSO Group are still
| alive and kicking in spite of this.
| dkjaudyeqooe wrote:
| For the same reason it hasn't had any of $10 billion in
| military aid reduced even after acting counter to numerous US
| interests and values:
|
| Politics.
| halJordan wrote:
| NSO Group has been put on the same punitive sanctions Chinese
| companies have been. You don't have to be wrong just to
| confirm your biases.
| richardw wrote:
| /engage tinfoil hat.
|
| I'd guess there are some deep benefits in having a strong
| partner selling this stuff compared to a rival. Not great for
| the target countries at all, but good for the Israeli and US
| intelligence apparatus.
| MattGaiser wrote:
| Because NSO group has been sanctioned?
|
| https://www.washingtonpost.com/technology/2021/11/03/pegasus...
| photochemsyn wrote:
| Israel has long served a kind of cut-out role for delivering
| weapons to states with atrocious 'Western values' records but
| which are compliant with US corporate interests. Equatorial
| Guinea was one such example, with dictator Obiang and his
| ExxonMobil contract. Steve Coll mentions this in "Private
| Empire: ExxonMobil and American Power" (2012):
|
| > "Fortunately for Obiang, coup-prone African governments
| rolling in oil but lacking in arms and intelligence to defend
| their bounty had a discrete alternative to the Pentagon and
| C.I.A. for defense support: Israel. Quietly, the Bush
| Administration encouraged Obiang to enter into security and
| commercial ties with Tel Aviv."
|
| Azerbaijan is a similar example as US weapons sales were banned
| for human rights abuse reasons. A Wikileaked US State Dept
| cable stated (2009) "Through its close relations with Israel,
| Azerbaijan gets a level of access to the quality weapon systems
| it needs to develop its army that it can not obtain from the
| U.S. and Europe due to various legal limitations..."
|
| If the dictatorial government funnels the oil money into the
| Western banking system, then the US turns a blind eye to this
| kind of thing (e.g. Saudi and UAE use of Pegasus to persecute
| pro-democracy activists) and if not, it's sanctions and regime
| change time.
| CatWChainsaw wrote:
| Well it probably sells those same tools to the West as well.
| Gotta stalk those pesky journalists covering genocide somehow.
| Plus it helps if someone other than you is seen with the dirty
| hands.
| jokoon wrote:
| This is why I don't want to work in cyber security.
|
| You are dealing with dangerous people.
| wkat4242 wrote:
| Meh. The same goes for police work and even more so for
| military.
|
| And cyber is a very wide range. A lot of roles are simply about
| training personnel in security principles and procedures,
| implementing data classification etc. Not everyone deals
| directly with attacks. Most of the work is preventative. In our
| company probably less than 20% of people who technically work
| in cyber, although that's in part because our SOC is
| outsourced.
| nicce wrote:
| > Most of the work is preventative.
|
| Current work culture is bizarre in cyber security. I am not
| personally very fan of it.
|
| Nobody wants to work on defensive side. You are not getting
| either fame or money if you do your work well. The
| expectation is that you do your work perfectly. There are no
| actual measurements in place to prove that your good code
| prevented 100 data breaches!
|
| But on the other hand, if you are on offensive side,
| sometimes find cool bugs, you get fame and money. Does not
| matter if there is a long break sometimes. Your goodness is
| measured based on how much money you got.
|
| What does it mean? People start doing bug bounties. They
| hoard tools only for themselves to make more money, instead
| of releasing them to improve general security. They keep
| small bugs themselves so that they can be used in exploit
| chains to get bigger bounties.
|
| If the reputation of the company is based on the
| participations of the bug bounty program, they start doing
| less and less in-house engineering and outsource the cyber
| security testing for bug bounty platforms.
|
| And vicious cycle starts.
| rompledorph wrote:
| Your view on cyber security seems to be painted by bug
| bounty programs. But I agree that the offensive side is
| more sexy than the defensive side, but it is easy to forget
| that in the end, we are all really working on defense
| saagarjha wrote:
| Plenty of people working on the defensive side are famous,
| sometimes even more famous than those who do offensive
| work. Take, for example, Google Project Zero, or the
| numerous people on "infosec Twitter" who are almost
| invariably doing defensive work. People who do exploit
| development tend to be a lot more quiet about what they do
| and where they work.
| kevinbowman wrote:
| I think Project Zero would count as offensive work in
| this regard; they are actively trying to find problems in
| other systems, rather than trying to stop other people
| trying to find problems in their systems.
| saagarjha wrote:
| Project Zero is an offensive team doing defensive work.
| nicce wrote:
| But their work is essentially penetration testing and
| exploit development. That usually counts as offensive
| side. They are not designing and building secure-by-
| design stuff, for example.
|
| They are known for breaking stuff, and everyone wants to
| be the same.
|
| Goal might be defensive in everything cyber security
| researchers do, but that was not my point.
| hashstring wrote:
| Project Zero is not defensive. Infosec Twitter has both
| sides.
|
| I do agree with you that defense is a large part of the
| industry. My perspective is even that most organizations
| are looking for "defense" roles. The field is very wide
| (e.g., folks working on cryptography to sec ops).
| nicce wrote:
| It is defensive, but for the best guys out there, the
| carrot is on offensive side. You are not getting rewarded
| for doing perfectly secure systems, unless you work in
| very big company.
|
| It means that most of the average guys build defense, and
| then the best guys test them and pick the money when
| something is found. While we could prevent most issues if
| those best guys help on building the systems instead.
|
| But they have no motivation, because they get more money
| from other things.
| hashstring wrote:
| I think that you might actually observe that finding
| attacks on systems is common, while developing a
| "perfectly secure system" is much harder to do, if not
| impossible.
| snotrockets wrote:
| Police tends to avoid dealing with dangerous people, unless
| you mean cops themselves.
| LispSporks22 wrote:
| Is Signal one of the other platforms they mention?
| klabb3 wrote:
| I think they mention every platform for marketing because once
| the device is rooted, they can extract data from any app. That
| doesn't mean the vulnerability was in the app mentioned, nor
| that it was the fault of an app at all.
|
| At the end of the day, it's between platforms (specifically iOS
| and Apple) and these exploit devs/traders, afaiu. That's why
| Apple hates them. For better or worse, putting a torch under
| Apple's ass is probably a good thing for the rest of us.
|
| OTOH, you could argue that Apple should be more on top of these
| things and reward the security researchers better. Things are
| better than 20y ago, but still it's probably more lucrative to
| sell exploits to these shady actors than to scrape the floor
| for peanuts in hope that mega corps will reward their
| discoveries.
| xvector wrote:
| > than to scrape the floor for peanuts in hope that mega
| corps will reward their discoveries.
|
| Security researchers capable of finding these exploits aren't
| exactly starving for food. They could easily land a $500k+
| job at any big tech company or make a similar amount bug
| bounty hunting.
| eyegor wrote:
| Ah yes, the lambos come out in force at the bsides
| conferences.
| jmkni wrote:
| I guess that once the device is rooted, they can just take
| screenshots/record the screen without the user knowing, so
| the specifics of how any particular app works don't matter?
| geraldhh wrote:
| True, though knowing the specifics of the app will allow for
| a more convenient and complete data extraction
| kristofferR wrote:
| Can anyone explain this case?
|
| Why would a US court have any jurisdiction over a foreign Israeli
| spyware vendor that has already been blacklisted by the US
| government?
|
| And why would Israel send their spyware source code to WhatsApp
| even if they lose the case?
| Izikiel43 wrote:
| Because it's the US. Same reason they can do FATCA
| xxpor wrote:
| Because the NSO group handles dollars.
|
| If they didn't respond, they'd lose by default, and the court
| could order any assets the US can get their hands on seized. If
| they're getting paid in NIS by countries outside of Israel, the
| currency conversion happens with dollars as the intermediary.
| There's the US's window.
| jevoten wrote:
| How is "Because the NSO group handles dollars" related to
| "the court could order any assets the US can get their hands
| on seized"? Presumably, if they were getting paid in bars of
| gold, the US could seize those too, _if_ they could get their
| hands on them, no?
|
| On the other hand, if they were paid in US dollars, but in
| cash, that wouldn't establish jurisdiction, nor could it be
| seized, if the transfer happened outside US territory?
| xxpor wrote:
| The US government has jurisdiction over all US dollars.
| That's how sanctions work.
| jeroenhd wrote:
| If I bring a suitcase full of dollars home with me from a
| trip to the US (assuming I make it through border control
| with that much cash), I don't see what kind of
| jurisdiction the USA would have over me for simply owning
| dollars.
|
| These are just pieces of paper, they don't provide any
| kind of jurisdiction. The American banking system may
| refuse to serve me perhaps, but it's not the dollars that
| give the American government any control. Hell, several
| countries outside the USA use American dollars as an
| official currency, but that doesn't make them vassal
| states to the USA.
| colechristensen wrote:
| Your local bank won't protect you from the American
| judicial system. If they get a court order they'll just
| fork over your assets. Your bank wants to maintain its
| ability to exchange funds with American banks. The
| American banking system will refuse to serve _your bank_
| if they refuse to comply. Or more like they'll just
| order JP Morgan or whomever to fork over your bank's cash
| because that's how banks interact with each other.
|
| If you got a pile of dollars in the US, you did business
| in the US and if that business has any tenuous connection
| to what the courts are after you about, we have
| jurisdiction.
|
| If you don't like it you have to run to China, Russia,
| Iran, etc.
| tempodox wrote:
| > These are just pieces of paper
|
| I let you have one guess which entity gives those pieces
| of paper their value.
| Kwpolska wrote:
| The US and most of the world may recognise those pieces
| of paper as worth some of their currency. This doesn't
| mean I can't recognise them as toilet paper.
| tempodox wrote:
| You're free to make your toilet paper as expensive as you
| like, as long as you pay for it legally.
| jeroenhd wrote:
| > which entity gives those pieces of paper their value
|
| The USA can print and lend dollars to control the value
| of the currency on the global marketplace. When trading
| outside of the USA, people give the bills their value.
|
| You can substitute a suitcase with a million dollars for
| a suitcase full of gold or a suitcase full of diamonds,
| or a suitcase full of Pokemon cards. Outside the official
| banking system, the value of paper money is whatever the
| people trading perceive it to be. In some cases, that
| value can be larger than a million dollars (i.e. in
| countries where their own currency is in a free-fall,
| where the government is trying to limit the supply of
| foreign currency, but people want to exchange their local
| currency for something more stable; people in Argentina,
| Lebanon, Sri Lanka, and Turkey might want to do that).
|
| If, for whatever reason, Russia pays for North Korean
| drones to murder Ukrainians, there's absolutely nothing
| the American government can do about that.
| netsharc wrote:
| Geez, no? Sanctions work only if the sanctioning entity
| has power. If the US govt sanctions you, they can tell
| all banks in the world that if they touch your (virtual)
| money they'll be sanctioned too. If some podunk
| dictatorship no one did business with announced "Any bank
| doing business with xxpor will be barred from working in
| our country!" then many banks will probably say "Fine,
| you're a tiny economy that we don't have anyone that does
| business with a business in your country anyway, so you
| can take that sanctions and shove it".
|
| Ironically paper money is the way to "escape" sanctions,
| because anyone around the world knows that that 100
| dollar bill can be exchanged for goods and services. And
| it doesn't even have to involve a bank, just another
| person who recognizes the value of that paper, in a chain
| of transactions. Depending on the hassle you may need to
| pay more..
| colechristensen wrote:
| If you do business in the US you're subject to
| jurisdiction. If you're a foreign bank, to transact with
| anyone in the US you have to do business in the US. The
| court orders the bank to fork over somebody's cash, they do
| because they have to and the alternative is disconnecting
| themselves from the rest of the financial system. Several
| Swiss banks got the death penalty because they failed to be
| quite as isolated and secretive as advertised (i.e. they
| had agents in the US doing business)
|
| To seize somebody's gold you'd have to go physically get
| it. To seize their dollars you just go say hi to their
| bank. Unless you're an "enemy combatant" the US isn't going
| to go do extraordinary rendition on your assets, so your
| pile of foreign gold is safe.
|
| The reach of the American legal system is long, you don't
| have to do much as a foreign entity to put you under our
| umbrella.
| vineyardmike wrote:
| How would they get paid? Almost every bank in every US-
| allied country would have to comply to hand over the
| money. The US banking regulations apply overseas because
| those banks want to interact with US entities. That's the
| nature of the US-Dollar economy.
|
| Are you a French wine maker that wants to sell to America?
| You better be using USD with a friendly bank to pay for
| things like import fees/tariffs (or the American company
| you work with better do that). Sure you can deal only in
| Euros if you want, but at some point there's a conversion
| to USD when you sell to Americans. Middle Eastern Oil
| Company? Same thing. German Car company? Same. Brazilian
| fruit farm? Same. How about importing your Coca Cola
| products, and iPhones? Buying ads from Google? USD and a
| US-friendly banks are everywhere in the global economy
| because the US is such a big market.
|
| Those banks will be banned from US commerce if they work
| with the NSO and don't hand over the NSO's money, and will
| lose tons of "innocent" business (like those nice wine
| makers in France). Their governments probably have treaties
| with the US, so they don't have a legal choice anyways. The
| US influence is viral.
| jevoten wrote:
| But that's because they're doing business with banks that
| want to remain friendly with the US, not because they're
| doing business specifically in US dollars. If they got
| paid in Turkish liras, but through a bank under US
| influence, those liras would also get seized, wouldn't
| they?
|
| On the other hand, if someone used a local bank in their
| country to transact with an entity in China, and China
| demanded their assets in that bank be seized because they
| defamed a revolutionary hero [1], I would expect that
| country to block that seizure, regardless of how the bank
| itself might feel. I.e. they would demand any seizures
| comply with their local laws, similar to how extraditions
| (are supposed to) work, and not let other countries
| essentially steal from their citizens. Or looking at it a
| bit different, a bank can't take from its customers on
| behalf of a foreign country, since local laws, unless
| they explicitly allow that taking, would consider it
| theft.
|
| [1] https://www.reuters.com/article/us-china-lawmaking-
| idUSKBN1H...
|
| Edit as reply because "I'm posting too fast" (thanks HN
| for not telling when I can post again by the way):
|
| > Discussion about the US dollar misses the point. They
| do it because they can
|
| I'd argue it doesn't miss the point, but rather, hides
| the true cause - that as you say, they do it because they
| can (as quickly becomes obvious when no other currency
| has this viral jurisdictional effect).
|
| But I'm curious if anyone has ever tried suing their
| bank, in a non-US court, alleging that their seizure of
| their assets was illegal under local law. I can
| understand a bank rolling over for the US government, but
| it would be interesting to see if and how their legal
| system would justify it. Especially for something that is
| not a crime in their country.
| selectodude wrote:
| There are very few FOREX currency pairs that aren't USD
| to whatever. Most cross currency trades are currency A to
| USD and then USD to currency B. So USD is involved and
| thus the US Government has jurisdiction.
| silverliver wrote:
| Again, that's only for foreign orgs that want to comply
| with foreign US law. The involvement of USD in and of
| itself is not relevant to whether the US government has
| jurisdiction.
| jajko wrote:
| It seems you lack understanding how international banking
| works in general
| serial_dev wrote:
| Discussion about the US dollar misses the point.
|
| They do it because they can, basically we all live under
| the influence of the US empire, they can put pressure on
| most banks if they _really_ want to, and if they really
| want to, details like which currency was used will not
| stop them.
| qazwse_ wrote:
| I think a similar situation you can look into is the
| sanctions on Carrie Lam. While they are sanctions instead
| of a lawsuit, they did result in her losing access to all
| banking facilities in HK and China regardless of the fact
| they probably didn't think she did anything wrong. I
| think for most countries, keeping their banks working
| trumps almost all other considerations.
|
| https://www.theguardian.com/world/2020/nov/28/hong-kong-
| carr...
| vineyardmike wrote:
| If someone tried transacting with USD cash in a foreign
| country it'd probably be fine. (Who knows, some countries
| probably have laws that limit the validity of
| transactions in foreign-denominated currencies, but
| that's beside the point). Banks are among the most
| regulated institutions in the world. I doubt there are
| many banks that have USD-denominated depository accounts
| that also don't touch the US banking system (because what
| good would it be), so the pragmatic reality is that USD
| requires the US government blessing. Even if, yes, the
| government can't do anything about a few sheets of paper
| in your wallet. Banks can't really do currency conversion
| to/from USD without open access to American-influenced
| finance markets. So any hypothetical situation that's not
| real but totally an imaginable edge case could exist- but
| it's not very practical.
|
| > If they got paid in Turkish liras, but through a bank
| under US influence, those liras would also get seized,
| wouldn't they?
|
| Yea except no one wants Liras. They want USD (and
| sometimes Euros). So whoever accepts those liras will
| want USD, and they'll transfer them to the USD-backed
| banking system, and back to the original points. Because
| again, how do you have access to high-volume USD/lira
| forex markets without using a US-blessed banking system.
|
| The reality is that international finance largely runs on
| USD, and orbits US banks. One of the main international
| influence efforts the US considers is a stable currency.
| So much so that other nations use USD as a formal
| currency. The US exerts significant political pressure
| and political capital to ensure that everyone needs USD
| in their economy. America literally made international
| treaties with every oil producing nation requiring oil
| to be sold in USD just to ensure that every country
| needed to inject USD into their economy.
|
| > I can understand a bank rolling over for the US
| government, but it would be interesting to see if and how
| their legal system would justify it.
|
| They'd justify it by having laws that say they'd
| reciprocate and recognize US crimes. It's what the
| international community does.
| lmm wrote:
| The overwhelming majority of dollars are not physical cash,
| and the overwhelming majority of dollar transactions by
| volume happen in a fashion which New York claims
| jurisdiction over (and, ultimately, has a big army that
| will back them on, which is what really matters in
| international law), even when neither party has any obvious
| connection to the US.
|
| Even for physical cash, they might claim jurisdiction.
| Dollars are sometimes best understood as a particularly
| degenerate form of US government bonds.
| diego_sandoval wrote:
| And then people say that cryptocurrencies have no reason
| to exist. This one right here is a pretty powerful
| reason.
| o11c wrote:
| And yet it is exactly this that allows major criminal
| organizations like the NSO Group to be prosecuted.
| "Liberty [from powerful factions]" is explicitly the
| whole purpose of governments being instituted with the
| consent of the governed.
|
| I for one would trend toward banning cryptocurrency even
| if it weren't a complete waste of energy.
| tempodox wrote:
| Of course criminal organizations would prefer a currency
| not controlled by an unfriendly government. "Reason to
| exist" alone doesn't make it a good idea.
| Andrex wrote:
| > Even for physical cash, they might claim jurisdiction.
| Dollars are sometimes best understood as a particularly
| degenerate form of US government bonds.
|
| Never thought about it that way, well said.
| greenavocado wrote:
| America's primary tool in warfare is economic in nature.
| Anybody that does business with the United States must
| comply with US sanctions.
| wyldfire wrote:
| > that wouldn't establish jurisdiction
|
| The harm is happening in the US, to WhatsApp's customers
| (among other places). The US court has jurisdiction.
|
| Whether any remedy could be applied is independent of the
| court's findings.
| danlugo92 wrote:
| #BitcoinFixesThis
| snotrockets wrote:
| Not really. If you want to end up with money you can
| actually use for things other than paying ransomware, you
| have to end up with a bank account somewhere. And as banks
| want to transact in USD, they play nice with the US
| government.
| pcdoodle wrote:
| Or sell it for cash at a slight discount. People go
| through worse things when their local fiat goes out of
| whack.
| bradleyjg wrote:
| It doesn't matter that they use US dollars. It matters that
| they need to do business with entities and in countries that
| will cooperate with US law. The U.S. government is perfectly
| capable of putting in an intergovernmental request to seize
| euros, not to mention yachts.
|
| Israel is able to get away with being a frenemy to the West but
| there are limits.
| stefan_ wrote:
| Because they are being sued in the US over conduct that
| happened in the US? It's really not very difficult or special.
|
| They can of course choose to ignore the lawsuit, if their
| principals want to never enter the US again, which is frankly
| recommended for all their employees given their operations are
| prima facie criminal in nature.
| mike31fr wrote:
| This is called extraterritoriality.
|
| Crazy stories happened here in France.
|
| USA basically sent Alstom, a huge French company, to
| bankruptcy, then bought it for pennies, and then they tried to
| destroy Airbus. In both cases they used this right they gave
| themselves they call extraterritoriality.
|
| The stories I mentioned are documented in this reportage:
| https://www.arte.tv/fr/videos/093798-000-A/la-bataille-d-air...
|
| The video used to be available on YouTube at the following URL:
| https://youtu.be/Sa22eu1FWyo but it seems it was set to
| private. Annoying revelations?
| halJordan wrote:
| What is there to explain? There are reciprocal treaties that
| the US signs with their allies. "The international liberal
| order" that the govt is always bleating about. Israel has
| signed a treaty that says we will respect US court decisions
| and enforce them. The US has also signed a treaty that says "we
| will respect and enforce Israeli court decisions."
|
| So if a US judge signs an order and sends the order to an
| Israeli judge, the Israeli judge enforces it (and vice versa).
| submeta wrote:
| Snowden revelations were years ago. And what we saw back then was
| unbelievable. I can't even imagine what the agencies are using
| these days. So what's Pegasus anyway compared to what the
| agencies might have and use.
| sylware wrote:
| And whatsapp?
|
| When are they "forced" to provide a simple and stable in time
| interop protocol stack ? (with reuse of irc,smtp,noscript/basic
| (x)html/etc?)
|
| This one is not better than the other.
| jamesrom wrote:
| Apple and Google can disable Pegasus whenever they wish.
| eli wrote:
| How?
| mh8h wrote:
| No way Israel allows the export
| ametrau wrote:
| That is a rogue nation that somehow is always treated with kid
| gloves.
| brettermeier wrote:
| I don't get why Pegasus should send their real source code to
| WhatsApp, even if they lose this case. They could just send over
| some nonsense, or am I missing something?
| halJordan wrote:
| You're missing courts and their legal powers.
| brettermeier wrote:
| Couldn't they rip out the sensitive stuff and if it's noticed
| nobody from Israel's government will know about it? Or is the
| power of the US too big to cover such a thing? I guess it is,
| but really?
| acqbu wrote:
| Just so you know: https://grapheneos.org/ and https://signal.org/
| do exist!
___________________________________________________________________
(page generated 2024-03-02 23:02 UTC)