The fact journalists were compromised seems only incidental; the ruling is about whether or not NSO Group "exceeded authorization" on WhatsApp by sending the Pegasus installation vector through WhatsApp to the victims, and not whether they were unauthorized in accessing the victims. It's a bit of a subtle nuance, but I think it's important.
Quoting the judgement itself:
> The court reasoned that, because all Whatsapp users are authorized to send messages, defendants did not act without authorization by sending their messages, even though the messages contained spyware. Instead, the court held that the complaint’s allegations supported only an "exceeds authorization" theory.
> The nub of the fight here is semantic. Essentially, the issue is whether sending the Pegasus installation vector actually did exceed authorized access. Defendants argue that it passed through the Whatsapp servers just like any other message would, and that any information that was 'obtained' was obtained from the target users' devices (i.e., their cell phones), rather than from the Whatsapp servers themselves.
> [...removing more detailed defendant argument...]
> For their part, plaintiffs point to section (a)(2) itself, which imposes liability on whoever "accesses a computer" in excess of authorized access, and "thereby obtains information from any protected computer", pointing to the word "any".
> [...]
> As the parties clarified at the hearing, while the WIS does obtain information directly from the target users’ devices, it also obtains information about the target users' device via Whatsapp servers.
Adding a little more detail that comes from the prior dockets and isn't in the judgement directly: basically, NSO Group scripted up a fake WhatsApp client that could send messages the original application wouldn't be able to send. They used this fake client to send messages, which the original application could not have sent, that provided information about the target users' devices. In that the fake client is doing something the real client cannot do (and fake clients are prohibited by the terms), they exceeded authorization.
Think about that for a moment and what that can mean. I doubt I'm the only person here who has ever made an alternative client for something before. WhatsApp (that I recall) does not claim that the fake client abused any vulnerabilities to get information, just that it was a fake client, and that was sufficient. Though I should note that there were some redacted parts in this area that could be relevant.
I dunno, I mean the CFAA is a pretty vague law that has had these very broad applications in the past, so I'm not actually surprised; I was just kinda hopeful to see that rolled back a bit after the Van Buren case a few years ago, when the Supreme Court pushed back a little against the broad interpretations that allowed ToS violations to become CFAA violations.
Edit: Adding a link to the judgement for anyone interested: https://storage.courtlistener.com/recap/gov.uscourts.cand.35...
Edit2: And CourtListener, if you want to read the other dockets that include the arguments from both sides (with redactions): https://www.courtlistener.com/docket/16395340/facebook-inc-v...
I've been on both sides of the issue by authoring unofficial clients, and battling abusive unofficial clients to services I run. The truth is, complete carte blanche for either side is untenable. 99.99% of well-behaved clients are tacitly ignored; I'm not against those that deliver malware or bypass rate-limiting having their day in court.
WhatsApp owns the systems, so it's up to WhatsApp to sue.
So if someone robs a bank and empties my safety deposit box I can't sue them because it was the bank that had the money, not me?
> I doubt I'm the only person here who has ever made an alternative client for something before
I think the distinction here for "exceeds authorisation" is pretty apparent. I don't read this judgement as being damning for people wanting to make their own clients.
They made a third party client for deliberately malicious purposes. If you go ahead and make a discord client with the intention of spamming or otherwise causing harm to its users, I think it's completely reasonable for you to get in trouble for that.
One particularly grotesque case was the illegal wiretapping of Bensouda after launching a criminal probe into Israeli war crimes, which they used to threaten the prosecutor, and used to hide evidence that they knew was under scrutiny, or to take the cases to court just to drop them so they can tell the ICC that they did make an attempt to prosecute, which is a loophole that prevents the ICC from taking up those cases.
I'm certain many countries do this stuff, as well as operate botnets and threaten journalists... but the uniqueness here is that these intel groups located in Israel operate under complete protection of the US without any scrutiny or oversight alongside the US government. We are living in this dystopian universe that people have warned about, for decades at this point.
* https://www.theverge.com/2019/5/14/18622744/whatsapp-spyware...
Interestingly enough, Signal (and others) had the same sort of vulnerability on Android from a WebRTC stack:
* https://googleprojectzero.blogspot.com/2020/08/exploiting-an...
The big issue in both cases is that the exploit was triggered before the user answered the call.
I think the moral here is that a secure messenger should not execute inherently insecure code (i.e. complex code) on behalf of entities that are not really well trusted by the user. The default should be always plain text.
> A U.S. judge ruled on Friday in favor of Meta Platforms' (META.O) WhatsApp in a lawsuit accusing Israel's NSO Group of exploiting a bug in the messaging app to install spy software allowing unauthorized surveillance.
Encryption is important but it often is not the weakest link in the security chain.
I’m more worried about financial scams than I am anything related to government. Password managers with random passwords are an excellent guard against that threat.
If I were worried about state actor threats, any keys or passwords would be memorized.
Bitwarden is already a big step up from what most people are doing; then, if you want to hide from a government, you had better make sure you save your passwords on an extremely secure device. But that's another threat level from the average Joe.
There should be no "legal" hacking of someone's devices apart from extraction of data from already convicted people in public court with the right to defend themselves.
Sell guns to governments, even unsavoury ones, and it is very rare anything will happen to you except in pretty extreme cases. Sell guns to street gangs, well, that is a different story. Like I don't think this situation is different because it is "hacking".
The problem with selling exploits is you want to maintain “ownership” of the exploit details, lest your customer just take the exploit and sell/use it without paying more or use it to attack you or your friends. This means you end up with veto power. I.e. culpability.
Trying to remember the quote I last heard, something to the tune of "we don't want to punish, we want to educate", which was about "educating" LEOs and entire police departments they shouldn't be selling fun switch guns illegally to gangs and private buyers.
(And do I even have to mention "fast and furious?" Hah! Feds get it the easiest.)
The second part though doesn't make sense. If the US president can send drones to kill terrorists without taking them to court, surely he can order hacking their phones. If you think that there's no case where the latter is OK, shouldn't you fight against the former first?
The part that you miss is, are they only killing "terrorists" extrajudicially? To take that propaganda at its face value is to ask, what else could they be killing brown people for, if not terrorism?
The ‘terrorist’ label was invented as a means of abrogating human rights by governments who felt they were encumbered by the obligation to protect human rights. “Terrorist” labeling is a totalitarian-authoritarian apparatus to avoid culpability for its actions when a government decides the easiest solution to its problem is outright murder.
It seems to me like terrorism has a pretty plain definition: using violence against civilians/non-combatants to further an ideological goal, primarily via fear.
It's often misused as an excuse, but there are actual terrorists, the word has a meaning and we should not let it be watered down by either the people wanting to use it as an excuse or the people trying to shroud terrorism in something else.
I'll gently push on the premise though: hacking isn't worse for the victims than death, obviously, but I think it's possible weaponizing of exploits does more total damage. Both collateral, due to the manufacturing of exploits which ultimately leak and harm a bunch of unrelated actors, and because the marginal hacking is lower cost, practically and politically. So a given attack is likely to be used against groups we'd recognize less clearly as "terrorists" / deserving of the harm / etc.
Why speak in hypotheticals supporting some phantom opinion? Concern trolling is even worse.
You said it is okay / allowed because "terrorists". Otherwise, it is a heinous crime. Just like the Pegasus one.
This is what you wrote:
"The second part though doesn't make sense."
The second part being: "If the US president can send drones to kill terrorists without taking them to court, surely he can order hacking their phones. If you think that there's no case where the latter is ok you shouldn't you fight against the former first?"
Pretty clear from your rhetoric what your position is. Folks here are not dumb.
> Ok is a value judgment ... Allowed is a fact
Factually, genocidaires are worse than terrorists.
[1] https://en.wikipedia.org/wiki/Pablo_Gonz%C3%A1lez_Yag%C3%BCe
Israeli forces killed 38x more journalists than Hamas did on October 7th.
Capitalism is neat that way. Diffusion of responsibility.
That is kinda funny, although sad at the same time
On the flip side, I guess that means META allows WhatsApp users to be only "legally spied" on.
In such a scenario only the target of the wiretap would receive the modified client application. Both Google and Apple allow pushing updates to a small subset of users. It's not unthinkable that they also have the (internal) ability to push a specific update to a specific user.
But I guess now you'll move the goalpost to ask "Why hasn't any Googler come forward and admitted it's happening?" That is a fair question, but I think most people would see this legal spying as no big deal and perhaps even a good thing.
You're allowed to say "The NSA", we're all adults here. No need to speak in euphemisms.
https://www.newsnationnow.com/business/tech/fbi-warns-agains...
If you know of any other cyber criminal organizations like the NSO, where governments use their tools to select and murder targets, please describe them.
Kinda similar to how the IDF has never been charged with war crimes despite several of their service members being recorded breaking the law in their Israeli fatigues. It's not that international law was never broken, it's that Israel considers themselves above the rule of law and international bases of morality. That type of behavior absolutely must be called out on its lonesome, such that no nation ever repeats Israel's embarrassing mistake.
Yet they are protected by the US and Israel, which I believe is the case because they have backdoors into all of it, and getting the targets to actually install this malware on their own saves a lot of time.
All good, except for the actual real world victims.
That describes the entire Israeli defence industry, and a fair sized portion of Israel's cybersecurity industry, based on the stomach-churning sales pitches I've received.
NSO are not unique, they just got unlucky.
Care to elaborate? This could be news-story-worthy.
https://en.wikipedia.org/wiki/NSO_Group#Relationship_with_th...
You know about NSO because they are, relative to the field they operate in, unusually transparent. They have competitors around the world, with varying degrees of coziness with their host countries. The only thing distinctive about NSO is how much you've heard of them.
Is there an argument you are making that Meta/Apple/Google should be suing all the other companies as well?
Here, how about instead, a podcast episode we did with Mark Dowd:
Specifically, NSO Group is worth a lot less than I thought it was, even at its peak. ($1B+ valuation)
Also, the amount of infighting is... Surprising perhaps? Less surprising is the number of spinoffs out of it, and the number of competing Israeli spyware groups.
I'm constantly surprised by how good the Israeli startup environment seems to be.
Why is this? How are there so many acquisitions out of there?
So once people get really good they quickly realize they can make more by starting their own company and siphoning off client relationships.
I was mostly thinking that the customers / clients you have and the services you have to offer can be largely dependent on people in positions of power, where having the right connections and influence might be the key difference between a service or product being viable.
For example - although not related to NSO - something like Operation Trojan Shield required both Australian and Lithuanian cooperation due to Fourth Amendment interpretations.
Having a zero-day in such cases is only part of the work, and everything beyond that might be very much dependent on the strings you can pull.
But I can also see the argument that that would be something the government can figure out after they buy the product or service, so maybe I'm wrong on that and it's less important than I thought.
(Generally, I don't think countries just "buy exploits"; a significant component of the money in this space comes from "maintenance", so much so that I think it makes more sense to think of exploits as subscription services.)
I think this makes sense, especially given the uncertainty of when an exploit gets patched.
To my original argument of political power vs. valuations, you can probably say that having those same people you'd otherwise try to influence on your board, with a financial incentive, allows you to achieve the same thing. I'm not sure why I didn't consider that before.
It’s not possible to be “perfect,” but if we do our best to get there, we’ll make really good stuff.
It’s unlikely to happen, though, as we have a system that explicitly rewards writing crap, because it makes money.
As long as we fail to reward good work, we will continue to get poor work.
I think that's a bit off. The problem is that we continue to reward poor work so the poor work continues.
Note that even my fairly mild statement was not received well. People really don't like discussion of improving the quality of software here. Too much money to be made in not-so-good stuff.