When the Pegasus Project dropped last week, it was both an ordinary and exceptional moment. The report - from Amnesty, Citizenlab, Forbidden Stories, and 80 journalists in 10 countries - documented 50,000 uses of the NSO Group's Pegasus malware.
https://www.occrp.org/en/the-pegasus-project/
The 50,000 targets of NSO's cyberweapon include politicians, activists and journalists. The Israeli arms-dealer - controlled by Novalpina Capital and Francisco Partners - has gone in to full spin mode.
1/
NSO insists that the report is wrong, but also that it's fine to spy on people, and also that terrorists will murder us all if they aren't allowed to reap vast fortunes by helping the world's most brutal dictators figure out whom to kidnap, imprison and murder.
As I say, all of this is rather ordinary. The NSO Group's bloody hands, immoral practices and vicious retaliation against critics are well established.
2/
It's been 4 years since NSO's assurances that it only sold spying tools to democracies to hunt terrorists were revealed as lies, when Citizenlab revealed that its weapons targeted Mexican anti-sugar activists (and their children).
https://citizenlab.ca/2017/06/reckless-exploit-mexico-nso/
Then Citizenlab found 45 more countries where NSO's Pegasus weapon had been used, and demonstrated that notorious human-rights abusers got help from NSO to target everyday citizens to neutralize justice struggles.
3/
Outside of human rights and cybersecurity circles, the story drew little attention, but it did prick NSO's notoriously thin skin - the company dispatched (inept) private spooks, late of the Mossad, to entrap Citizenlab's researchers.
https://www.nytimes.com/2019/01/28/world/black-cube-nso-citizen-lab-intelligence.html
As far as we know, the company never managed to infiltrate any of Citizenlab's systems - but their weapons were found on the devices of an Israeli lawyer suing them for their role in human rights abuses.
https://www.nytimes.com/2019/05/13/technology/nso-group-whatsapp-spying.html
4/
*That* had *some* consequences. The attack exploited a vulnerability in Whatsapp, owned by Facebook. FB retaliated by suing - and terminating NSO Group employees' Facebook accounts. Judging from NSO's outraged squeals, getting kicked of FB hurt far worse.
Through it all, the NSO Group insisted that its tools were vital anti-terror weapons - not the playthings of rich sociopaths with long enemies lists.
5/
They continued these claims even after Pegasus was linked to the blackmail attempt against Jeff Bezos, in a bid by Saudi royals to end the Washington Post's investigative reporting on the murder and dismemberment of the journalist Jamal Khashoggi.
https://www.vice.com/en/article/v74v34/saudi-arabia-hacked-jeff-bezos-phone-technical-report
6/
Despite all this - attacks on the powerful and the powerless, grisly deaths and farce-comedy entrapment attempts - NSO Group plowed on, raking in millions while undermining the security of the devices that billions of us rely on for our own safety.
Until now.
7/
Something about the Pegasus Project shifted the narrative. Maybe it's the ransomware epidemic, shutting down hospitals, energy infrastructure, and governments - maybe it's the changing tide that has turned on elite profiteers. Whatever it is, people are *pissed*.
Finally.
I mean, when Edward Snowden calls for the owners of a cybercrime company to be arrested, people sit up and pay attention. But Snowden's condemnation of NSO and its industry are just for openers.
https://edwardsnowden.substack.com/p/ns-oh-god-how-is-this-legal
8/
Snowden describes NSO as part of an "Insecurity Industry" that owes its existence to critical vulnerabilities in digital devices in widespread use. They spend huge sums discovering these vulns - and then, rather than reporting them so they can be fixed, they weaponize them.
As Snowden points out, this is not merely a private sector pathology. Governments - notably the US government, through the NSA's Tailor Access Operations Group - engage in the same conduct.
9/
Indeed, as with all digital surveillance, there's no meaningful difference between private and public spying. Governments rely on tech and telecoms giants for data (which they buy, commandeer, or steal, depending on circumstances).
This, in turn, creates powerful security/public safety advocates for unlimited commercial surveillance, to ensure low-cost, high-reliability access to our private data. Those agencies stand ready to quietly scuttle comprehensive commercial privacy legislation.
10/
This private-public partnership from hell extends into the malware industry: the NSA and CIA can't, on their own, create enough cyber-weapons to satisfy all government agencies' demand, so they rely on (and thus protect) the Insecurity Industry.
But as Snowden points out, none of this would be possible were it not for the vast, looming, grotesque tech-security debt that the IT industry has created for us. Everything we use is insecure, and it's built atop more insecure foundations.
11/
@pluralistic I could rant about this for hours. But I'm really happy Snowden mentioned Rust as a way of making computer systems more secure. It's not going to make all security vulnerabilities go away, but we could at least make them less frequent.
