The infosec apocalypse is nigh

mostlysignssomeportents:

When the Pegasus Project dropped last week, it was both an ordinary and exceptional moment. The report — from Amnesty, Citizenlab, Forbidden Stories, and 80 journalists in 10 countries — documented 50,000 uses of the NSO Group’s Pegasus malware.

https://www.occrp.org/en/the-pegasus-project/

The 50,000 targets of NSO’s cyberweapon include politicians, activists and journalists. The Israeli arms-dealer — controlled by Novalpina Capital and Francisco Partners — has gone into full spin mode.

NSO insists that the report is wrong, but also that it’s fine to spy on people, and also that terrorists will murder us all if they aren’t allowed to reap vast fortunes by helping the world’s most brutal dictators figure out whom to kidnap, imprison and murder.

As I say, all of this is rather ordinary. The NSO Group’s bloody hands, immoral practices and vicious retaliation against critics are well established.

It’s been four years since NSO’s assurances that it only sold spying tools to democratic states to hunt terrorists were revealed as lies, when Citizenlab revealed that its weapons targeted Mexican anti-sugar activists (and their children).

https://citizenlab.ca/2017/06/reckless-exploit-mexico-nso/

Then Citizenlab found 45 more countries where NSO’s Pegasus weapon had been used, and demonstrated that notorious human-rights abusers got help from NSO to target everyday citizens to neutralize justice struggles.

https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/

Outside of human rights and cybersecurity circles, the story drew little attention, but it did prick NSO’s notoriously thin skin — the company dispatched (inept) private spooks, late of the Mossad, to entrap Citizenlab’s researchers.

https://www.nytimes.com/2019/01/28/world/black-cube-nso-citizen-lab-intelligence.html

As far as we know, the company never managed to infiltrate any of Citizenlab’s systems — but their weapons were found on the devices of an Israeli lawyer suing them for their role in human rights abuses.

https://www.nytimes.com/2019/05/13/technology/nso-group-whatsapp-spying.html

That had some consequences. The attack exploited a vulnerability in Whatsapp, owned by Facebook. FB retaliated by suing — and terminating NSO Group employees’ Facebook accounts. Judging from NSO’s outraged squeals, getting kicked of FB hurt far worse.

https://www.vice.com/en/article/7x5nnz/nso-employees-take-legal-action-against-facebook-for-banning-their-accounts

Through it all, the NSO Group insisted that its tools were vital anti-terror weapons — not the playthings of rich sociopaths with long enemies lists.

They continued these claims even after Pegasus was linked to the blackmail attempt against Jeff Bezos, in a bid by Saudi royals to end the Washington Post’s investigative reporting on the murder and dismemberment of the journalist Jamal Khashoggi.

https://www.vice.com/en/article/v74v34/saudi-arabia-hacked-jeff-bezos-phone-technical-report

Despite all this — attacks on the powerful and the powerless, grisly deaths and farce-comedy entrapment attempts — NSO Group plowed on, raking in millions while undermining the security of the devices that billions of us rely on for our own safety.

Until now.

Something about the Pegasus Project shifted the narrative. Maybe it’s the ransomware epidemic, shutting down hospitals, energy infrastructure, and governments — or maybe it’s the changing tide that has turned on elite profiteers. Whatever it is, people are pissed.

Finally.

I mean, when Edward Snowden calls for the owners of a cybercrime company to be arrested, people sit up and pay attention. But Snowden’s condemnation of NSO and its industry are just for openers.

https://edwardsnowden.substack.com/p/ns-oh-god-how-is-this-legal

Snowden describes NSO as part of an “Insecurity Industry” that owes its existence to critical vulnerabilities in digital devices in widespread use. They spend huge sums discovering these vulns — and then, rather than reporting them so they can be fixed, they weaponize them.

As Snowden points out, this is not merely a private sector pathology. Governments — notably the US government, through the NSA’s Tailor Access Operations Group — engage in the same conduct.

Indeed, as with all digital surveillance, there’s no meaningful difference between private and public spying. Governments rely on tech and telecoms giants for data (which they buy, commandeer, or steal, depending on circumstances).

This, in turn, creates powerful security/public safety advocates for unlimited commercial surveillance, to ensure low-cost, high-reliability access to our private data. Those agencies stand ready to quietly scuttle comprehensive commercial privacy legislation.

This private-public partnership from hell extends into the malware industry: the NSA and CIA can’t, on their own, create enough cyber-weapons to satisfy all government agencies’ demand, so they rely on (and thus protect) the Insecurity Industry.

But as Snowden points out, none of this would be possible were it not for the vast, looming, grotesque tech-security debt that the IT industry has created for us. Everything we use is insecure, and it’s built atop more insecure foundations.

We live in an information society with catastrophic information security. If our society was a house, the walls would all be made of flaking asbestos and the attic would be stuffed with oily rags.

It’s hard to overstate just how much risk we face right now, and while the Insecurity Industry didn’t create that risk, they’re actively trying to increase it — finding every weak spot and widening it as far as possible, rather than shoring it up.

It’s a cliche: “Security is a team sport.” But I like how Snowden puts it: security is a public health matter. “To protect anyone, we must protect everyone.”

Step one is “to ban the commercial trade in intrusion software” for the same reason we “do not permit a market in biological infections-as-a-service.”

We should punish the cyber-arms dealers — but also use international courts to target the state actors who pay them.

But this fight will be a tough one. The huge sums that governments funnel to cyber arms-dealers allows them to silence their critics — I’ve been forced to remove some of my own coverage thanks to baseless threats I couldn’t afford to fight.

Writing in today’s Guardian (who also removed unfavorable coverage of NSO Group following legal threats), Arundhati Roy demolishes the company’s claims of clean hands.

https://www.theguardian.com/commentisfree/2021/jul/27/spying-pegasus-project-states-arundhati-roy

After all, NSO charges a 17% “system maintenance fee” that gives them oversight and insight into how their tools are being used by the demagogues and dictators who shower them with money.

https://www.thecitizen.in/index.php/en/newsdetail/index/9/20672/pegasus-hack-how-much-did-it-cost-to-spy-on-citizens

“There has to be something treasonous about a foreign corporation servicing and maintaining a spy network that is monitoring a country’s private citizens on behalf of that country’s government.” -Roy

The NSO Group claims that the human rights abuses it abets are exceptions that slip through the cracks, but the reality is, it has no business model without state terror — without powerful thugs who demand weapons to help jail, torture and kill their critics.

NSO, more than anyone, should know this. But as Upton Sinclair wrote, “It is difficult to get a man to understand something when his salary depends upon his not understanding it.”