Hilarious that they think being an arms dealer should afford them 'sovereign immunity'.
I'd like to think the world would be a better place without them. But this is like the MPAA response to Unauthorized Looking - shutting down Napster just made it harder to observe, and this will just push the weapons dealers further underground.
> just push the weapons dealers further underground.
Or will encourage nation-states to actually provide them with sovereign immunity, or some official equivalent protection.
A state having these companies operate within their jurisdiction, and under their influence, is likely viewed as preferable to pushing them underground, or to another country.
Along with a legal battle I hope these companies are engaging in a technical battle as well. Because suppressing NSO using legal means will not make the vulnerabilities go away -- it will still be there, waiting to be exploited by someone else.
Microsoft for example has 30+ year old C/C++ code in Office applications that customers install on their machines. This is an attack vector. Adobe Acrobat is another well known attack vector. These products should be rewritten in a safer language, like Rust.
Roughly 70% of the security issues seen by Microsoft are memory safety issues. This means that if that software had been written in Rust, 70% of these security issues would most likely have been eliminated. See: https://msrc-blog.microsoft.com/2019/07/22/why-rust-for-safe...
These companies should be held accountable for not investing in securing their code, instead of brushing them under the carpet and pretending that breaches are simply law-and-order issues, or that we need more laws to solve the problem.
Rewriting isn't the solution to everything, unless the code is really small and well-contained.
High-profile security bugs were found in programs written in C# and Java and every other "safe" language out there.
The unknown-unknowns are often far worse than what you currently have. Check the Uber Swift rewrite horror that was posted last week, and that was a super tiny app compared to even the smallest Office app.
Another critical factor is: C++ is currently the only true "portable" language out there, that can be compiled into Windows/Mac/iOS/Android and everything else that exists or will come up in the future. Nothing else comes even close in terms of native platform support. And it's completely unrealistic to have copies with different languages for each platform like "small" apps do like Uber or Facebook. We're talking about business logic that if it isn't exactly the same everywhere (with its bugs), people can lose billions of dollars.
Even if Rust can compile into all of those platforms, I assure you, there will be dozens of very serious compiler bugs that will be uncovered over time if an app the size of Office gets rewritten into it. A good number of those will be of serious security consequences. Hell, back in the day, Excel had its own C++ compiler because of compiler bugs that couldn't be fixed on time!
Microsoft is somewhat notorious for not correctly supporting C in Visual Studio. There's MinGW, which basically works, but it arguably doesn't count as 'native' support.
I've heard people claim that recent versions of VS are better, but I've also heard people claim that they just corrupted the standards process to get everything they didn't support relegated to optional extensions, so... [shrug].
Yes, fixing security bugs may introduce functionality bugs. But that's not a reason to not fix security bugs. Yes, the economics of it would not be great, which is why these companies are not already doing it. But someone else is paying the price, when information systems are compromised and data is stolen. We have to exact a heavy penalty on tech companies each time that happens, until the penalties change the economics.
What's the bigger threat - a theoretical unknown vulnerability in Excel or very real consequence of the entire economy and government grinding to a halt when their Excel macros and Word 97 VBA don't work with the rewritten codebase?
You don't rewrite the entire codebase overnight, or even in a single release. Instead, rewrite 10% of the code in 1 year, and within 10 years the entire product will be rewritten.
You have no idea of the size or complexity of the Office codebase. It's enormous and external developers have taken hard dependencies on every aspect of it, even undocumented behavior. There aren't enough Rust experts in the world, much less at Microsoft, to review code changes at that rate.
You fix things as they are discovered, continue adding more static analysis to catch new classes of issue, and continue on. You don't rewrite - certainly not in a new language with all new problems.
This isn't a startup with 10 developers - there are literally thousands of developers working on Office and all sorts of internal tooling built around the codebase.
This will keep companies like NSO in business for decades to come.
> there are literally thousands of developers working on Office and all sorts of internal tooling built around the codebase
That's no excuse for the security hacks this codebase is enabling. They need to stop adding new features for a decade, if that's what it takes, in order to fix the security issues. Think of all the ransomware attacks, identity theft, attacks on journalists, and democracy even, that the security issues in this codebase is enabling, and will continue to enable if business-as-usual is the way forward. The stakes are high, and these tech companies must be made to pay a heavy price for each security breach enabled by their negligence, and then the economics will be in favor of prioritizing security over features.
But you're going to introduce them anyway. Sure, hire the best programmers that you can. But recognize that your rewrite is going to introduce new bugs (funny, your answer to that was "deal with it" instead of "hire better programmers"). And recognize that, better programmers or no, some of those new bugs are going to be security bugs.
Now, that may still be better than the current situation. But glibly saying "just hire better programmers" means you're hiding your head in the sand.
flowerlad seems to have the position that only security bugs matter; other bugs can be dealt with. I disagree with that position - non-security bugs can also be devastating. Second, even if you accept the starting position, I disagree with the idea that re-writing C++ code in Rust will remove all the security bugs.
So there's two categories of "taking those precautions". One is "fix security bugs", which, yes, of course take those precautions.
But the second category of "taking those precautions" is "re-write the whole thing in Rust". That's much more questionable whether it's worth it. How much time and effort will the rewrite take? What else could those people do with that much time? How bad are the security holes? How bad will it be to introduce the new bugs? What fraction of security holes will be closed by the rewrite?
flowerlad's idea seems to be that, in light of this latest attack, it's worth going to any lengths to fix every security hole. I think that idea is mistaken.
And, which software are we talking about? The network stack? Excel? Everything ever written in C/C++? The trade-offs are different for each piece of software. And if the answer is "everything", that sounds like roughly a decade of work for the entire software engineering workforce. That seems totally unrealistic, even in light of this latest attack.
Look, the attack was huge. I'm not trying to minimize it at all. But it still isn't worth the measures that flowerlad proposes.
> If you hesitate to fix security bugs out of fear of introducing new security bugs
I never said that. But maybe you just don't need to rewrite the whole project to fix some bugs? Sometimes it is maybe the right answer, but it should not be the default answer.
If you think that rewriting huge legacy software that's powering most of the world in a current hot language is a solution to security issues, you clearly have no idea about software security.
> These products should be rewritten in a safer language, like Rust.
Sorry, but get over yourself. Firstly, if stuff had been written in Rust it would have been written 30 years after it was relevant. Secondly, if you're expecting companies to re-write code after 30 years to make it safer and do a good job? Good luck. There's a handful of people on the planet capable of doing it, there's a handful of people on the planet willing to do it, and there's 0 overlap between the two.
If these companies were seriously held accountable for bug free code, there wouldn't be better code, there would be a lot less code. Entire applications just wouldn't exist. Dozens of products would've died due to dev costs.
Stamping out the above board market for hacks, is not a perfect solution. But limiting the free flow of these hacks from private companies to law enforcement and governments will decrease their availability and abuse. The expertise to build these hacks is high, and so is the potential for abuse. If government needs to build it in house instead of calling up a vendor like NSO and forking over a few, we can expect a better outcome.
“Microsoft, Alphabet-owned Google, Cisco, Dell Technologies-owned VMWare, and the Washington-based Internet Association joined forces with Facebook to argue against that, saying that awarding sovereign immunity to NSO would lead to a proliferation of hacking technology and “more foreign governments with powerful and dangerous cyber surveillance tools.””
So I’m to believe nation states having these tools is bad. But Facebook just handing over data on dissidents to repressive governments is okay?
I think you asked the wrong person for a source. I know it’s untrue, and I would expect that it would be necessary for evidence to accompany such a claim.
How do you "know"? Even if you work inside Microsoft you wouldn't know that unless you're in one of very special positions there, in which case by saying what you're saying here you're violating your Microsoft and government NDA.
e.g. I know the special Windows and Office builds that go to the DOD are prepared by a very small core of engineers to remove all telemetry code and such. The majority of the actual engineers who work on the product have no idea about and don't have access to the source code of those builds to know how different they are from the regular builds.
Even the executives who work in those special projects can not have exact knowledge, and definitely not if they're not US citizens even if they are the actual managers of the engineers doing the work. The engineers can't tell their own bosses any details in those cases.
What "evidence" on Earth do you think can anyone here provide that any company is cooperating with the US government? Closest we got were the Snowden documents, and those did actually indeed provide information that Microsoft in particular was sharing customer data with the US.
I am okay if you want to say there is no evidence of data sharing, but I take issue when you say that lack of public evidence is itself evidence of not sharing.
All it takes is a single machine with the proper certificates to RDP the data center, the same way on call engineers do.
The lack of existence of something like that is impossible to verify even for the data center employees.
I am not saying there is access provided to the government, I am saying no one can say there isn't such access, simply because of how easy it is to have it without anyone knowing besides very higher up execs.
I think Room 641a put what you say clearly into question, [p]. The government has hooks into Skype since MS bought them and it went from P2P to P2S2P. I firmly believe the government has direct access to MS, FB, Google, etc.... Either permissively or on their own volition.
It wouldn’t, because it has nothing to do with the companies that were brought up. The skype thing is an old and very silly conspiracy theory. They didn’t rearchitect an entire product as a favor to the US government.
Now, at least, FB/Google/etc can also purchase the hacking tools, and try to defeat them.
If NSO is shut down, their employees will likely be scooped up by any number of underworld markets - the payloads will become larger, more audacious, and better hidden.
Obviously, the big corps know that. My guess is they are more interested in increasing their cover (what could we have done), than they are in security.
It is whack-a-mole, but you just keep doing it. Similar to what happens when the big guys go after the spammers. Anytime they become organized and identifiable, you take them out.
I heard once of a strategy called "mowing the grass", you want to keep your opponents unsophisticated and always regrouping.
Public companies like NSO that are on the books can be taken down. They also limit to whom they sell. And sometimes can help to limit the damage (e.g., I suspect Iran cannot use NSO tools to attack the Mossad).
But if their employees are hired by companies that are hacking for profit or "national security", there is no one to "take down". Or even keep your eye on.
And if they are hired by companies that sell this software in markets that are impossible to regulate (such as is done with hacked credit cards et al, from Russia, N. Korea, and elsewhere), then their hacks will be made available in such a manner that you perhaps could eventually take down some of them (if you spend dozens of years and gobs of money and arm-twisting), but by then the damage will be 100-fold, since there are no limits to whom it is sold. And even then, you can never know what else you missed.
I am not sure that is the case. Remember when it was said that BTC anonymous marketplaces couldn't be stopped. They are regularly broken up and many prosecuted and put in jail. Of course more arise, but the FBI and others are constantly "mowing the grass" to keep it under control. Mowing the grass works, it doesn't make the problem worse, it reduces the scope and number of players, and disincentivizes many players.
If companies such as these do not exist or are killed then the employees you mention will have a hard time existing. Sure there are self-taught people, but a lot learn on the job.
If companies are killed off then investments will be harder to come by and the tech to do the hacks will be harder to get to.
Those employees, if they decide to collaborate with Iran/NK/Russia vs the US, will find the US can easily arrest them once they set foot anywhere in the western world.
Why the implicit antisemitism and need to list Israel in the name? I find it interesting that we never list other country origins when discussing their issues.
"Post-truth"? Did you look for any evidence of this supposed pattern?
Exactly. Although it's a bit odd they added "Israeli". Israel != Judaism, yet the common automatic cry of "antisemitism" when criticising Israel is problematic.
> I find it interesting that we never list other country origins when discussing their issues
I don't remember ever reading a headline, clicking into it, and discovering that it's about something happening in China. The country origin is almost always advertised right in the headline itself.
In fact, since I'm not a fan of most China coverage in mainstream media, the above fact allows me to filter much of it out simply by CSS (using uBlock's implementation of the :has-text selector), with no need for JS (via userscripts).
Sounds like MS, Google and FB have just confirmed that they store in their database information allowing "surveil" on people. Good we have that stated clearly.
Big Guys, solution is simple: just delete or anonymize those data, so it is not possible to surveil people, you will not have to fight legal battles and NSO will not try to break into your database.
In addition you will avoid temptation to surveil people by yourself!
And you will not need to hand over these data to parties that are able to force you to do this. Be that the Chinese government or the FBI or some other 3-letter agency.
You appear to have totally misunderstood what happened. This case is about NSO using a vulnerability in WhatsApp's client application, to do nasty things client-side. It is not about anything stored in server side databases.
The data in question was probably WhatsApp/iMessage messages and e-mails. And the data was stolen from the victim's device. I actually want my phone to keep my messages until I choose to delete them.
It does suggest a possible new privacy-respecting phone, though, that does not store any phone numbers, messages, voicemails, or other sensitive information. It also does not allow any telecom or other organization like NSO to monitor your phone calls, because it doesn't allow you to make any. We could call it the iBrick (tm).
> Big Guys, solution is simple: just delete or anonymize those data, so it is not possible to surveil people, you will not have to fight legal battles and NSO will not try to break into your database.
Playing the devil’s advocate: isn’t it mandated for them to actually track people, in case some 3-letter government agency wants access?
I doubt the sort of tracking government agencies push or request from them is nearly as detailed as what they're currently collecting for advertising.
It's not that such agencies that spy on their own citizens don't want such information, it's likely that they don't know just what derived information products are available to even make the requests.
Technology is making anonymity nearly impossible in all facets of life and I don't think that's healthy for human development. Sometimes you need to assume an identity no one else knows so you can try things, fail, and develop socially as a person without fear of harming your identity. People need to be able to experiment and fail without fear of repercussion (obviously within legal bounds of what they're doing). I need to be able to walk into a bar, get drunk, and "sing" karaoke embarrassingly poorly and not have everyone at work the next day ostracize that behavior and have video evidence of it (just an example). Anonymity often grants failure and adventure without criticism, and the direction we're headed is going to stifle people's ability to explore themselves and life.
> Technology is making anonymity nearly impossible in all facets of life and I don't think that's healthy for human development.
This sentiment is dying at an alarming rate. Even here, after reading some of these comments I am taken aback at how normalized the idea of total surveillance has become. It doesn't matter where it comes from, big corp or big gov, taking away personal privacy takes away a fundamental part of what makes us human. It's not healthy. It's not right.
Tracking is different than historical data, for tracking can be a live, forwarded feed. And even with that, you'd need a court order to force compulsion.
Historical data, if it doesn't exist, cannot be revealed. And so far, there is no legislation forcing web activity to be stored for, well, months and years, like some of these jokers do.