I'm not a lawyer, so maybe I'm misunderstanding something, but the plaintiff is WhatsApp, not the journalists. This isn't really about holding NSO Group accountable for hacking journalists at all.
The fact that journalists were compromised seems only incidental; the ruling is about whether or not NSO Group "exceeded authorization" on WhatsApp by sending the Pegasus installation vector through WhatsApp to the victims, and not whether they were unauthorized in accessing the victims. It's a bit of a subtle nuance, but I think it's important.
Quoting the judgement itself:
> The court reasoned that, because all Whatsapp users are authorized to send messages, defendants did not act without authorization by sending their messages, even though the messages contained spyware. Instead, the court held that the complaint's allegations supported only an "exceeds authorization" theory.
> The nub of the fight here is semantic. Essentially, the issue is whether sending the Pegasus installation vector actually did exceed authorized access. Defendants argue that it passed through the Whatsapp servers just like any other message would, and that any information that was 'obtained' was obtained from the target users' devices (i.e., their cell phones), rather than from the Whatsapp servers themselves
> [...removing more detailed defendant argument...]
> For their part, plaintiffs point to section (a)(2) itself, which imposes liability on whoever "accesses a computer" in excess of authorized access, and "thereby obtains information from any protected computer" pointing to the word "any"
> [...]
> As the parties clarified at the hearing, while the WIS does obtain information directly from the target users’ devices, it also obtains information about the target users' device via Whatsapp servers.
Adding a little more detail that comes from the prior dockets and isn't in the judgement directly: basically, NSO Group scripted up a fake WhatsApp client that could send messages the original application wouldn't be able to send. They used this fake client to send messages that the original application wouldn't be able to send, which provided information about the target users' devices. In that the fake client is doing something the real client cannot do (and fake clients are prohibited by the terms), they exceeded authorization.
Think about that for a moment and what that can mean. I doubt I'm the only person here who has ever made an alternative client for something before. WhatsApp (that I recall) does not claim that the fake client abused any vulnerabilities to get information, just that it was a fake client and that was sufficient. Though I should note that there were some redacted parts in this area that could be relevant.
I dunno. I mean, the CFAA is a pretty vague law that has had these very broad applications in the past, so I'm not actually surprised; I was just kinda hopeful to see that rolled back a bit after the Van Buren case a few years ago, when the Supreme Court had some minor pushback against the broad interpretations that allowed ToS violations to become CFAA violations.
> I doubt I'm the only person here who has ever made an alternative client for something before.
I've been on both sides of the issue by authoring unofficial clients, and battling abusive unofficial clients to services I run. The truth is, complete carte blanche for either side is untenable. 99.99% of well-behaved clients are tacitly ignored; I'm not against those that deliver malware or bypass rate-limiting having their day in court.
Given the nature of who the stakeholders are, the neatest way to achieve an end is to target authorization. It focuses on the how instead of the who or what.
This reduces embarrassment for stakeholders, protects sources and methods, and sends a message.
The law is as broad as can be. If it were a US national instead of NSO Group, some crazy calculation of damages would be used to extract a plea in lieu of a thousand months in prison.
The CFAA is definitely ripe for reform. It wouldn't be hard to argue it's broad and vague. There's definitely this overarching sweep of online behaviors that could easily be classified as benign.
If someone steals the ownership registry the bank maintains regarding the deposit boxes, that may be the better analogy. Or the list of the owner and box number. Clearly this is information the bank controls, not the individual.
> fake client to send some messages that the original application wouldn't be able to send which provide information about the target users' device
> I doubt I'm the only person here who has ever made an alternative client for something before
I think the distinction here for "exceeds authorisation" is pretty apparent. I don't read this judgement as being damning for people wanting to make their own clients.
They made a third party client for deliberately malicious purposes. If you go ahead and make a discord client with the intention of spamming or otherwise causing harm to its users, I think it's completely reasonable for you to get in trouble for that.
Darknet Diaries did a few podcast episodes on the NSO Group from the perspective of people who have directly interacted with or have been the target, and it really puts into perspective how horrific they are. They operate under the protection of the US and are directly allowed to spy on US citizens without any recourse whatsoever.
One particularly grotesque case was the illegal wiretapping of Bensouda after launching a criminal probe into Israeli war crimes, which they used to threaten the prosecutor, and used to hide evidence that they knew was under scrutiny, or to take the cases to court just to drop them so they can tell the ICC that they did make an attempt to prosecute, which is a loophole that prevents the ICC from taking up those cases.
I'm certain many countries do this stuff, as well as operate botnets and threaten journalists... but the uniqueness here is that these intel groups located in Israel operate under complete protection of the US without any scrutiny or oversight alongside the US government. We are living in this dystopian universe that people have warned about, for decades at this point.
Note here that we are describing firms that produce CNE tools, not organizations (lawfully constituted or otherwise) that actually use them. Production of exploits and implants is broadly legal everywhere in the world, including the US and Europe. The legality gets murky when you sell to non-governmental organizations (if prosecutors can demonstrate you knew the crimes that were to be committed with them), but most of the market appears to be governmental.
It has nothing to do with the OP. Honestly, he always jumps in to do whataboutism on Israel posts. He didn't say who he was talking about; it doesn't add anything and only detracts from the discussion here.
I strongly doubt the intent here was whataboutism. Rather, it was more to indicate that things get a lot worse than this; it's just not in the spotlight so not many people know about it.
I refuse to use Israeli tech in my stack if at all possible. I don't see how someone could use software like Snyk and not put themselves at risk (founders are ex-IDF Unit 8200). Especially in the area of security, it seems like using Israeli tech is inviting the wolf straight into the hen house. No thanks.
Yes, I think the pager attack is also an interesting case study. It's one thing to execute a supply chain compromise for information gathering, where the target may never know what happened. On the other hand, flaunting your abilities in that area will just lead you to being cut out of supply chains.
Every tech stack you use regardless of country of origin puts you at risk. You can assess that some of those are higher than others but I would ask you to really think hard about whether you think you are an accurate judge of that.
The big issue in both cases is that the exploit was triggered before the user answered the call.
I think the moral here is that a secure messenger should not execute inherently insecure code (i.e. complex code) on behalf of entities that are not really well trusted by the user. The default should always be plain text.
Was the spyware persistent? That is, would a reboot clear it? Not that it matters. Presumably, the attackers were so motivated they would re-infect the device the moment they saw it go dark.
I think most influential companies, such as Microsoft and Google, have said that C and C++ need to be deprecated. I think replacing old code with memory-safe languages takes time, effort and money. Hopefully in a decade this can be fully done.
Does Rust make RCE impossible? I don't think it does.
There is the option of not having data and code share the same stack; that seems like a better solution to me, but such an option is not usually talked about.
It makes this kind of easy pivot to RCE impossible. Attacks these days are generally more sophisticated than simple buffer overflows, FWIW. Targeting function pointers from a heap overwrite gives the same capabilities.
The encryption isn't alleged to have been compromised. The app itself deals with a lot of untrusted input (eg, thumbnailing video files you've been sent) so there's a meaningful attack surface outside the protocol itself.
It seems like most of the exploits come down to blowing up a parser of one data format or another. Myriad from which to choose, they are written in C for historical reasons, and probably play fast and loose with validation in the name of performance.
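The two comments above describe the bug class without showing it: a C parser that trusts a length field from the wire, and a function pointer sitting next to the overflowed buffer so that the overwrite becomes a control-flow pivot. The following is an added example written for this page, not code from the thread, from WhatsApp or from any real media parser. The record format (type byte, declared name length, name bytes), the `media_record` layout and all inputs are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, constructed wire format for this example (not any real app's):
 *   byte 0: record type
 *   byte 1: declared length of the name field
 *   bytes 2..: name bytes
 */
#define NAME_MAX 16

typedef struct {
    uint8_t type;
    char name[NAME_MAX];
    void (*on_ready)(void);  /* neighbour of the buffer: what a heap overwrite would target */
} media_record;

static void render(void) { puts("render"); }

/* Vulnerable: trusts the declared length. A name_len > NAME_MAX writes past
 * name[] into on_ready, and a name_len > payload reads beyond buf. */
int parse_record_unchecked(const uint8_t *buf, size_t buf_len, media_record *rec)
{
    if (buf_len < 2)
        return -1;
    uint8_t name_len = buf[1];
    rec->type = buf[0];
    rec->on_ready = render;
    memcpy(rec->name, buf + 2, name_len);   /* no bound on name_len */
    return 0;
}

/* Hardened: the declared length is bounded by both destination and source. */
int parse_record_checked(const uint8_t *buf, size_t buf_len, media_record *rec)
{
    if (buf_len < 2)
        return -1;
    uint8_t name_len = buf[1];
    if (name_len >= NAME_MAX)
        return -2;                          /* would overflow name[] (keep room for NUL) */
    if ((size_t)name_len > buf_len - 2)
        return -3;                          /* would over-read the payload */
    rec->type = buf[0];
    rec->on_ready = render;
    memcpy(rec->name, buf + 2, name_len);
    rec->name[name_len] = '\0';
    return 0;
}

/* Constructed inputs. */
static const uint8_t BENIGN[] = {0x01, 0x05, 'v', 'i', 'd', 'e', 'o'};
static const uint8_t TRUNCATED[] = {0x01, 0x0A, 'a', 'b'};   /* claims 10 bytes, carries 2 */

/* Returns 0 when the hardened parser accepts the benign record and decodes "video". */
int demo_benign(void)
{
    media_record rec;
    if (parse_record_checked(BENIGN, sizeof BENIGN, &rec) != 0)
        return 1;
    return strcmp(rec.name, "video") == 0 ? 0 : 2;
}

/* Returns the hardened parser's verdict on a record whose declared name length (48)
 * exceeds NAME_MAX: in the unchecked parser that memcpy runs over on_ready. */
int demo_oversized(void)
{
    uint8_t evil[2 + 48];
    evil[0] = 0x01;
    evil[1] = 48;
    memset(evil + 2, 'A', 48);
    media_record rec;
    return parse_record_checked(evil, sizeof evil, &rec);
}

/* Returns the hardened parser's verdict on a record that declares more bytes than
 * the payload carries (an over-read in the unchecked parser). */
int demo_truncated(void)
{
    media_record rec;
    return parse_record_checked(TRUNCATED, sizeof TRUNCATED, &rec);
}

int main(void)
{
    printf("benign:    %d\n", demo_benign());      /* 0  */
    printf("oversized: %d\n", demo_oversized());   /* -2 */
    printf("truncated: %d\n", demo_truncated());   /* -3 */
    return 0;
}
```

The two checks in `parse_record_checked` are the whole fix: one bounds the copy by the destination (stopping the write into `on_ready`), the other by the source (stopping the over-read that leaks adjacent memory). Neither costs anything measurable, which is the point against the "fast and loose in the name of performance" habit; the unchecked variant is kept only so the difference is visible side by side.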
The group exploited a bug in WhatsApp to deliver the spyware. It wasn't an E2E issue.
> A U.S. judge ruled on Friday in favor of Meta Platforms' (META.O) WhatsApp in a lawsuit accusing Israel's NSO Group of exploiting a bug in the messaging app to install spy software allowing unauthorized surveillance.
People have to start assuming that any communication method in use is compromised. There's just no way on earth orgs like the NSA would throw their hands up in the air and not find multiple different avenues into an app like Signal. It's one of the most downloaded messaging apps. Investment into compromising it is very worthwhile. People should just assume everything involving a cell phone or computer is inherently insecure. Meanwhile, for some analog methods (one-time pads, even cupping a hand and whispering into another's ear, etc.), the power balance isn't so lopsided between the state and the individual as it is with digital communications, where everything is probably compromised in some way by now.
A great number of comments and posts on this site rave in favor of password managers and their use for "security" and convenience, despite what you say being such a very obvious flaw.
I’m more worried about financial scams than I am anything related to government. Password managers with random passwords are an excellent guard against that threat.
If I were worried about state actor threats, any keys or passwords would be memorized.
Bitwarden is already a big step up from what most people are doing; then, if you want to hide from the government, you had better make sure you save your passwords on an extremely secure device. But that's another threat level from the average Joe.
Well no Chinese should be using software that involved Americans. That is just common sense. When the chips are down everyone gets drafted by their country's security apparatus.
With end-user-device-controlled e2ee, the only information available to law enforcement is metadata. With a warrant, they could seize your device (or the backups, if unencrypted)
Unfortunately, I don’t think end-to-end encryption guarantees much when it comes to legal intercept in proprietary messaging apps. The intercept functionality could be done in the client and capture data, not just metadata.
Why hasn't any evidence of such client-side interception ever been surfaced? Reversing apps and software has been done since forever, and has been used to discover things the app makers don't want made public, such as unannounced new products, which happens perennially with Apple and OS updates, and upcoming features in apps that are behind flags.
> Why hasn't any evidence of such client-side interception ever been surfaced?
In such a scenario, only the target of the wiretap would receive the modified client application. Both Google and Apple allow pushing updates to a small subset of users. It's not unthinkable that they also have the (internal) ability to push a specific update to a specific user.
But I guess now you'll move the goalpost to ask "Why hasn't any Googler come forward and admitted it's happening?" That is a fair question, but I think most people would see this legal spying as no big deal and perhaps even a good thing.
> It's not unthinkable that they also have the (internal) ability to push a specific update to a specific user.
So the lack of evidence is itself evidence of another layer of nefarious activity? Are Apple in on it too (since they approve updates and control the App Store roll-outs)? I have no stomach for debates over unfalsifiable scenarios; your position is clearly set in stone.
Isn't that obvious though? Meta wants exclusive spying rights to its users. You spying on users with Meta's products is not allowed. If you want to spy on your users, build an app that's so popular billions of people sign up willingly to allow you to spy on them. Have you no decency?
There should be no difference between the usual botnet owners/ransomware gangs and such companies. Management should go to prison for a good 20-30 years for that and be extradited worldwide, considering that ransomware gangs are probably less harmful to society than guys who hack journalists and politicians, putting their lives at literal risk, not just their pockets.
There should be no "legal" hacking of someone's devices, apart from extraction of data from people already convicted in a public court with the right to defend themselves.
It's not like this is that different from traditional "weapons" (I hate the "cyberweapons" analogy, but if the shoe fits).
Sell guns to governments, even unsavoury ones, and it is very rare that anything will happen to you except in pretty extreme cases. Sell guns to street gangs, well, that is a different story. Like, I don't think this situation is different because it is "hacking".
NSO created/ran cloud instances for each client country and reviewed and approved every target. They didn't sell weapons like in your analogy. They were effectively assassins for hire.
The problem with selling exploits is you want to maintain “ownership” of the exploit details, lest your customer just take the exploit and sell/use it without paying more or use it to attack you or your friends. This means you end up with veto power. I.e. culpability.
Kind of like the CIA importing heroin and cocaine. The laws cover this scenario but we have a problem with especially poor enforcement when the crimes are committed by parts of the government.
And meanwhile, if the government sells guns to cartels... no big deal. Rarely throw a fall guy under the bus. Or often not even that.
Trying to remember the quote I last heard, something to the tune of "we don't want to punish, we want to educate", which was about "educating" LEOs and entire police departments that they shouldn't be selling fun switch guns illegally to gangs and private buyers.
(And do I even have to mention "fast and furious?" Hah! Feds get it the easiest.)
The second part, though, doesn't make sense. If the US president can send drones to kill terrorists without taking them to court, surely he can order hacking their phones. If you think that there's no case where the latter is ok, shouldn't you fight against the former first?
The part that you miss is, are they only killing "terrorists" extrajudicially? To take that propaganda at its face value is to ask, what else could they be killing brown people for, if not terrorism?
I didn't say whether I think that drone killing is justified or not, since I have no opinion on that; I don't know enough to form an opinion. I only say that since the government has the right to send killing drones, it doesn't make sense to raise pitchforks against phone hacking.
The thing is, extrajudicial murder justified by labeling the victim “terrorist” is illegal and should not be accepted in a free and open society.
The ‘terrorist’ label was invented as a means of abrogating human rights by governments who felt they were encumbered by the obligation to protect human rights. “Terrorist” labeling is a totalitarian-authoritarian apparatus to avoid culpability for its actions when a government decides the easiest solution to its problem is outright murder.
Do you not think that terrorism exists, that the label has been co-opted for other purposes, that terrorists cannot be treated as combatants, that non-declared-war conflicts should not have deliberate strikes or something else?
It seems to me like terrorism has a pretty plain definition: using violence against civilians/non-combatants to further an ideological goal, primarily via fear.
It's often misused as an excuse, but there are actual terrorists, the word has a meaning and we should not let it be watered down by either the people wanting to use it as an excuse or the people trying to shroud terrorism in something else.
Every single nation state in the context of this discussion has murdered civilians/non-combatants to further an ideological goal and are thus guilty of acts of terrorism - in the case of the US, for example, terrorism is official doctrine used for regime change across the world. The US literally funds, arms and supports terrorist groups whenever its ruling military determine that their domestic population has no stomach for outright war - in most cases, in fact, terrorism is how the US gets its regime change designs implemented.
As citizens of nations which use terrorism as a tool for their political purposes, it is long since past the point we let ourselves be bullied by terminology and started instead to enforce the legislation required to rid our own ranks of war criminals - who are factually terrorists.
I don't get what's happening in this thread. This is a pretty clear statement: hacking isn't worse than the killing that the government is already allowed to do. It's a pretty straightforward argument which for some reason seems to be being misunderstood.
I'll gently push on the premise though: hacking isn't worse for the victims than death, obviously, but I think it's possible weaponizing of exploits does more total damage. Both collateral, due to the manufacturing of exploits which ultimately leak and harm a bunch of unrelated actors, and because the marginal hacking is lower cost, practically and politically. So a given attack is likely to be used against groups we'd recognize less clearly as "terrorists" / deserving of the harm / etc.
Thanks for the understanding.
I'll say that because of that we should make the price for using the device much higher. For example using it should require authorization by process that will involve a stiff political price/barrier. Maybe a bi-partisan committee. Something of that sort.
It is not hypothetical, the fact is that killing drones are used in practice, and it just doesn't make sense to oppose lesser measures that are being used without judgement when killing is allowed.
I have no idea what you are talking about. Ok is a value judgment which I didn't state. Allowed is a fact. Are you arguing with what I'm saying or with an opponent in your mind?
> If the US president can send drones to kill terrorists without taking them to court, surely he can order hacking their phones. If you think that there's no case where the latter is ok, shouldn't you fight against the former first?
Pretty clear from your rhetoric what your position is. Folks here are not dumb.
> Ok is a value judgment ... Allowed is a fact
Factually, genocidaires are worse than terrorists.
Also by now the number of people killed in Gaza by Netanyahu is very close to the number of Ukrainian people killed by Putin. Did anyone suggest sanctions against Israel for that genocide? Nope, they enjoy their full immunity and keep going forward with a massacre that has the same exact motivation as the Russian invasion: rob other people of their territory and resources.
Two war criminals, two rogue terrorist states, yet two completely different weights.
Flip that statement on its head. What respectable nation would fire upon a suspect in a press jacket without actually knowing who it is first? Who orders artillery and airstrikes on known press positions? Soviet doctrine? Countries with WWII logistics?
Seems clear to me that this is a deliberate campaign of terror constructed by the IDF to deter any form of independent journalism in Gaza. No different than hasbara or the Hannibal Directive - orders passed down from the top get obeyed, even if it costs the truth or innocent lives.
> Hamas also has a nasty habit of calling certain veterans "journalists".
Ah, kinda like how Israel has a nasty habit of calling their military reservists "innocent civilians" when they're attacked? Or is it more like when they call the Golan Heights colonists "citizens" of a universally unrecognized occupation?
Lot of complex vocabulary here. I invite you to link as many cases of falsely-identified journalist deaths as you can find though. It sounds like a big issue, judging from your tone.
> When they do die, Al Jazeera makes a hue and cry out of it because it serves their agenda and resonates very well with their audience
It could also be that killing civilians is a bad thing, and when Israel ignores the directly communicated press positions it exposes their indifference to collateral damage.
Which is ironic considering the FBI and CISA just today announced that you _should_ use WhatsApp and not use SMS for two-factor authentication. Although they point out the biggest problem is mobile users clicking on links in SMS. We live in a mostly captured and anti-consumer environment. I'm not sure there's any great advice.
There are many other companies beyond NSO Group, if I were a journalist I would write a more comprehensive list of them and educate about this whole "industry".
Very few companies’ work results in outright murder of the targeted victims.
If you know of any other cyber criminal organizations like the NSO, where governments use their tools to select and murder targets, please describe them.
NSO Group is unique in that they are entirely sheltered from (largely due) criticism by their government, creating an unaccountable and unjust basis of relations between the United States and Israel that many readers are concerned by. There simply aren't any other comparably corrupt "cybersecurity" outfits in the world.
Kinda similar to how the IDF has never been charged with war crimes despite several of their service members being recorded breaking the law in their Israeli fatigues. It's not that international law was never broken; it's that Israel considers itself above the rule of law and international bases of morality. That type of behavior absolutely must be called out on its own, such that no nation ever repeats Israel's embarrassing mistake.
What other nation besides the USA and its 5-eyes lackeys willfully murders children almost every day in their own ‘self defense’? Got a list of states that murder more people than the USA/5-eyes and Israel right now?
Sudan, Ethiopia/Tigray, and Syria would all be recent (or ongoing) examples of non-primarily-US military conflicts where mass civilian death, including children, has been publicly evidenced. Each of these conflicts has seen one (or all) parties use self-defense as an argument.
(This doesn't somehow imply that anything is OK about the US's own role in global war, or anything in particular about the I/P conflict. But it's incorrect to treat US/Israel as uniquely competent or active in terms of immiserating the world's civilians and innocents.)
Yes, but these are not western allies with immense financial and industrial resources, shared among themselves, whose leadership have signaled for decades their intent to create a new world order in the ashes of the wars they have intentionally fought - for decades.
Certainly the genocides in Sudan, Ethiopia, and Syria are atrocities which must be addressed. But they are not the world's biggest bully thugs. The US and its coalition of willful criminal states, including Israel, are the world's biggest bully thugs. Sudan doesn't have a nuclear threat regime which promises to eradicate all life on earth if it doesn't get its way, politically, across the globe.
> But it's incorrect to treat US/Israel as uniquely competent
I disagree completely. The US and Israel are extremely powerful nations capable of the industrial might required to assemble nuclear weapons. They very definitely should be held to task, especially since one funds the other, providing immense military power where they could, instead, be using that overwhelming industrial capability to build peace.
I don’t think Western versus non-Western provides absolution. You asked for examples of military conflicts with similar degrees of civilian harm, and I’ve given you three examples that demonstrate that you don’t need to be the world’s primary superpower (or its close ally) to cause damage on its scale.
Consider your own case: China has done plenty to immiserate minorities within its own borders, has made it clear that civilian harm comes secondary to its own development (cf. indirect financing of the Ukraine war), and has geopolitical designs on Taiwan, etc. that entail putting civilians in harm’s way. Unique virtue is not a thing among countries, nor is the capacity or desire for the kinds of violence that affect the world’s innocents today unique.
(Or in other words: having nuclear weapons is mostly a red herring, given that most civilians in conflicts die from the kinds of conventional weapons that have been killing civilians for hundreds of years.)
Throughout this thread you have refused to address the actual topic and (since the root comment) deflected any criticism of Israel (however well-founded) because you feel like it's not fair relative to other countries. You might want to take a break from responding to these comments if you're going to repeat the same whataboutism whenever people discuss Israel's issues in earnest.
None of the questions you just asked have any relevant salience to what the parent just said. Nobody is forcing you to keep responding here, you might as well leave the discussion where it is if you can't engage without getting emotional or changing the topic.
What you're missing is that this isn't a relative position. Nobody in this thread (or much of anywhere on HN) is defending Europe or America's misdoings with the same rhetoric. The reason is that people are willing to accept that their governments make mistakes, and they reflect on these problems and fix them democratically.
Israel, currently, is in a position where an extremely nationalist and conservative ruling party has given all sorts of lawbreakers complete impunity. Violators of internationally recognized borders are ignored because it's a boost to morale. Hackers that sell their services without scruples are given a safe haven in exchange for access to their digital arms. And many people rush to defend their actions (or distract from them) because they tacitly approve of these behaviors.
When you refuse to acknowledge or in any way address the countless and even admitted ways in which Israel violates international law, you somewhat tip your hand and reveal that you have no intention of holding them accountable even at their most reprehensible. This thread is about Israeli complacency in breaking the law. You are the one crying whataboutism apropos of... Israel being criticized in a public setting.
It is hard to believe that NSO Group is allowed to operate. They sell technology to horrible places; they cause death, torture, and a host of less horrible things. Yet they are protected by the US and Israel, which I believe is the case because they have backdoors into all of it, and getting the targets to actually install this malware on their own saves a lot of time. All good, except for the actual real-world victims.
> It is hard to believe that NSO group is allowed to operate. They sell technology to horrible places, they cause death torture, and a host of less horrible things.
That describes the entire Israeli defence industry, and a fair sized portion of Israel's cybersecurity industry, based on the stomach-churning sales pitches I've received.
How do you "not" allow them to operate? People write things like this that seem premised on the idea that Bahrain wouldn't have implant technology if you shuttered NSO, but the only thing that would actually change is who the invoice got sent to. These companies have an unbeatable value proposition, lots of competition, and the lowest capital investment requirements of any intelligence product.
I really feel like people aren't thinking this stuff through. Exploits and implants are not rocket science. There aren't a huge number of people in the world that are world-class at reliably exploiting modern targets, but it's not like there's just like 20 of them or something.
later
In case it's unclear from the comment: I don't think this is a good thing. I'm speaking positively, not normatively.
We've banned this account for frequently posting flamewar comments, breaking the site guidelines, and ignoring our requests to stop.
If you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future. They're here: https://news.ycombinator.com/newsguidelines.html.
I'm quite surprised by the corporate history section.
Specifically, NSO Group is worth a lot less than I thought it was, even at its peak. ($1B+ valuation)
Also, the amount of infighting is... Surprising perhaps? Less surprising is the number of spinoffs out of it, and the number of competing Israeli spyware groups.
I'm constantly surprised by how good the Israeli startup environment seems to be.
Why is this? How are there so many acquisitions out of there?
Things like this are similar to law firms. The shelf life of vulnerabilities means that there isn’t a lot of intellectual property owned by the company. The value is in the people’s skills.
So once people get really good they quickly realize they can make more by starting their own company and siphoning off client relationships.
I'd imagine they have a very limited market as in who they can sell their products and services to, for reasons that might make political power more interesting than valuation.
I don't know about that. Something I think a lot of people sleep on with this stuff is that most countries have multiple security agencies, and you generally cut deals with them individually. The market for this stuff is bigger than it looks.
I was mostly thinking that the customers / clients you have and services you have to offer can be largely dependent by people in positions of power where having the right connections and influence might be the key difference between a service or product being viable.
For example, although not related to NSO, something like Operation Trojan Shield required both Australian and Lithuanian cooperation due to Fourth Amendment interpretations.
Having a zero-day in such cases is only part of the work, and everything beyond that might be very much dependent on the strings you can pull.
But I can also see the argument that that would be something the government can figure out after they buy the product or service, so maybe I'm wrong on that and it's less important than I thought.
My mental model of how this works --- and I have some (imperfect) evidence for it --- is that a given one of these firms (NSO or one of its competitors) has an addressable market of N countries each with an average of K security agencies, and basically all of those agencies pay subscription fees to be continuously in a position to do a CNE operation when they want to.
(Generally, I don't think countries just "buy exploits"; a significant component of the money in this space comes from "maintenance", so much so that I think it makes more sense to think of exploits as subscription services.)
> so much so that I think it makes more sense to think of exploits as subscription services.
I think this makes sense, especially given the uncertainty of when an exploit gets patched.
To my original argument of political power vs valuations you can probably say that having those same people you'd otherwise try to influence on your board with a financial incentive allows you to achieve the same thing, I'm not sure why I didn't consider that before.
Don't get me wrong: I'm sure there's plenty going on between NSO and Israel, and a lot of politics involved. But I also know it to be a real industry, with lots of players.
I mean, that’s true of most businesses and industries, big and small? The average person has no idea that Oracle or SAP exist, or that they are multibillion dollar companies. Most people don’t know you can just go buy plastic and composites at TAP, and all sorts of things at McMaster. Most people don’t even know who builds commercial vehicles besides like Peterbilt maybe.
Is there an argument you are making that Meta/Apple/Google should be suing all the other companies as well?
If they're trespassing on Meta's network, absolutely. The core thing that these companies do though tends not to intersect so directly with Meta's property rights.
My understanding is that in places like Russia or China they have full blown military units with uniformed officers and men that are developing these sorts of things. In the US a lot of it is (was?) NSA related like EternalBlue. Are you saying in the west now that we are buying exploits from the grey market instead of getting them from NSA researchers? I thought that more broadly the government had been learning its lesson that there is no such thing as a NOBUS vuln and that America has more to lose than our adversaries from these things.
The victims are the good guys. Meta is just not happy that their platform was exploited. Even if you consider them to be the bad guys, they needed to sue to curtail the bad PR.
Note that even my fairly mild statement was not received well. People really don't like discussion of improving the Quality of software, here. Too much money to be made in not-so-good stuff.
In this case, the comment fit the conversation. The original comment was a short, pithy, and rather sarcastic one that was, nonetheless, correct. They pointed out that we need to write higher-Quality software, in order to give folks like the NSO people fewer “hooks.” The NSO folks are smart, dedicated people, that, in other circumstances, we would admire for their creativity and intelligence. They often take advantage of mistakes (or deliberate decisions) made by folks that we may find less admirable.
I like this community and medium, and sincerely want to be a “good citizen.” The opportunity to interact with people like you, is a privilege that I respect and value. We may not always agree on everything, but I find many of your contributions to be inspiring, educational, and relevant, so I appreciate you. You have taught me lessons, and have changed my mind, and, I’m sure, will continue to do so. You have great insight, knowledge, and experience, which I value, and appreciate you sharing it (for example: https://saagarjha.com/blog/2023/12/22/swift-concurrency-wait...). People like you, are why I like this place. We have no social interaction, so I have no idea if we’d get along, IRL. I would like to think we would, but I’m often wrong, and not afraid to promptly admit it.
For myself, I try to participate by making very specific suggestions, and “keeping it focused on me.” I don’t attack others, even if I find what they say to be quite offensive (or if they attack me, which is fairly common). Most times, I don’t feel that my comments would improve things, even if I vehemently disagree with someone, so they are best left unsaid. I don’t participate in any other social media, and I’m retired, so I do spend a fair bit of time, here.
I spent most of my career at a corporation that was all about Quality, and I suppose it must have rubbed off on me. At that company, Quality was a religion, and they took it to the point of obsession. After leaving, I have tried to practice their mindset in my continuing work. I write software that can have a big impact on the lives of its users, so I take Quality seriously, in order to reduce things like attack surface. I feel as if the current tech community has a baseline ethos of “write code as badly as we can get away with,” and that ethos is rewarded. I don’t think that treatises on better unit testing will be of interest to folks with that mindset. I feel as if the mindset, itself, is the issue, and code dumps won’t make a difference.
I often reference stuff I’ve written, not because I want traffic (I could absolutely care less, whether or not folks read my stuff. I write for myself), but because I don’t want to litter the place with “wall of text” commentary (as you can see, I lean prolix). A quick link to an article that I wrote, going into great detail, is better than a massive comment that won’t have as much information.
I don’t think you’ll find anyone who would disagree with the premise that we should improve software quality. Yes, even the people who value iteration speed and shipping. All things being equal, better quality is always better, because of course it is.
The problem arises when all things are not equal, and something needs to give. Perfect quality is generally not attainable or even desirable, because it sacrifices things in other areas that we care about even more. Sometimes the value of something is high enough that we will pay the price for it failing in some cases. That’s just how we do a cost-benefit analysis. I say this even though I work in software security, where most of my job exists and is made difficult by “bad” quality, and a lot of my effort goes into figuring out how to improve that. Depending on the circumstances, I may advocate for the balance to be adjusted in favor of more security (at the expense of something else) and sometimes I may actually decide that this is counterproductive. That’s really my actual response to the comment.
However, as you probably noticed, I didn’t reply with that. I called it low-quality. In fact I think the whole discussion is low-quality, not because it is not a real point, but because it’s not interesting. I understand and appreciate that you have worked on software quality throughout your career. I want you to be proud of your efforts in this area. And it’s completely reasonable to point to that and go “this is what’s missing from our industry”. It’s not actually very novel or actionable. So, despite me not actually voting on the thread, I felt it was not valuable.
When I was in high school I happened to be pretty decent at physics. In fact I won some awards and was nationally ranked. This is kind of like your situation, except of course my skills were less general and also more ephemeral. But it’s as if I, given my arguably decent understanding of physics, went “the problem with climate change is that we’re using too much energy”. First of all, this doesn’t actually use any of those skills to proclaim. Even someone who failed high school could probably tell you that. But secondarily, and more importantly, I haven’t actually said anything useful. My knowledge of mechanics is great but solving climate change is a huge problem, both deeply technical but also social and political. It’s a lot harder than going “stop applying force over distance to things”. The same is true for preventing exploits: I’m sure you’re great at writing apps that have low defect rates, but when it comes to protecting against nation-state threats there’s a whole lot going on beyond “let’s not make any mistakes”. More relevant would be a discussion about, say, memory safety, or auditing, or whatever that is actually on-topic and actionable. What you’ve posted is something that is really just a “hear hear here’s an obvious problem let’s fix it” which invites nothing beyond people who will do nothing but agree with you, or somehow twist it into their pet peeve and rant against it. Neither is against the rules but I think it doesn’t make for insightful conversation, so I’m telling you about it now.
> My knowledge of mechanics is great but solving climate change is a huge problem, both deeply technical but also social and political.
> More relevant would be a discussion about, say, memory safety, or auditing, or whatever that is actually on-topic and actionable.
It's curious that the first sentence mentions social and political issues, whereas the second sentence completely ignores them. The original comment of ChrisMarshallNY was addressing the social and political issues in tech, albeit vaguely.
You also mention valuing "iteration speed" without acknowledging the predictable devastation this has on quality.
Shipping less, and shipping slower, is on-topic and actionable.
The biggest barriers to addressing global warming are social and political. Many powerful people don't want to address it. Indeed, they've intentionally promoted the idea that the problem doesn't even exist. Purely technical discussions are futilely rearranging the deck chairs on the Titanic if they ignore this.
I do think that ChrisMarshallNY misdiagnoses the problem a bit:
> I feel as if the current tech community has a baseline ethos of “write code as badly as we can get away with,” and that ethos is rewarded.
The second clause of the sentence is redundant, because the first clause is the heart of the matter. Anyone who operates purely according to financial incentives will inevitably cut corners. Crap is profitable, for various economic reasons that are beyond the scope of this comment. In order to achieve high quality consistently, you have to care about quality, about craftsmanship, independently of financial awards. This doesn't mean you don't care about financial awards, just that you have to care about both quality and money. For lack of a better term, you need business ethics, where some ethical principles are inviolable. You can seek profit without seeking profit maximization.
Note that religion is largely independent of financial considerations:
> At that company, Quality was a religion, and they took it to the point of obsession.
But I feel that the root cause is attitude and encouragement. Sort of “the wolf you feed” kind of thing.
That’s not really something that can be addressed by technology or even education.
That’s the kind of thing that we handle with social infrastructure. Peer pressure, cultural norms, “tribal knowledge,” etc.
In my mind, the best way to approach that, is by contributing small, almost “throwaway” human-interaction-level “course corrections.” We set the examples we want others to follow, and talk about why we do stuff, as opposed to always making it about how.
Some of the most valuable lessons that I learned about Quality, in my career, were offhand comments, made by folks that lived Quality, and demonstrated the required mindset.
Aaaaand it's flagged out of the front page. @dang, so early in the day this is obviously some coordinated manipulation.
31. 206 points 9 hours ago US judge finds Israel's NSO Group liable for hacking journalists via WhatsApp (reuters.com)
22. 37 points 8 hours ago My Pal, the Ancient Philosopher (nautil.us)
15. 4 points 4 hours ago Testing for Thermal Issues Becomes More Difficult (semiengineering.com)
18. 11 points 2 hours ago The Christmas story of one tube station's 'Mind the Gap' voice (2019) (theguardian.com)
Genocide is an attempt to eradicate a group. The only group Israel is trying to eradicate is Hamas. They're not genociding Palestinians, they're genociding Hamas.
Are they killing an excessive number of civilians as collateral damage? Certainly seems like it. But collateral damage is not genocide.
If they wanted to genocide the Palestinians, they'd be shipping 'em to camps and gassing them, like the Nazis did. Looking at it another way: let's say that (hypothetically) Hamas stopped using people as humans shields by firing rockets from hospitals and building tunnels under schools. Do you think the number of non-combatants killed by the IDF would go down? Because I do, and to me that says Israel's goal is not in fact killing non-combatant civilians, even if they're killing far too many as is.
This professor says that what happens in Gaza is genocide because ...
That's very plainly not a fair description of what he was saying. He gives plenty of reasons beyond the small snippet you've chosen to zero in on.
It is interesting that every time someone is asked to explain why they use the word "genocide" in the context of Gaza, they never talk about the killing of people.
And this description is even more bizarre. People bring up the egregiously high civilian death toll all the time. It's not the only part of the genocide accusation, but certainly a major part of it.
It seems you aren't really reacting to what "people" are saying, just what you prefer to believe they're saying.
This argument merely serves to justify murder and is inhumane, in and of itself. Please re-consider your position on the subject of the wanton and willful murder of your fellow human beings.
Genocide is not a matter of scale, it is a matter of intent.
The definition fits: the people of Palestine are being genocided. The Nazis took years to murder 6 million Jews and other classes of humans they deemed undesirable - should we just wait until Israel catches up in terms of scale of magnitude, or should we stop trying to justify their actions and do everything we can to make sure the scale of the atrocity does not continue to sky-rocket, as it has done for the past 15 months…?
It is because genocide is a matter of intent that people in debates will disagree. Just take a look at the war on terror. Was the intent to grab oil, revenge, fund the military complex, or was it to liberate people? It's been over 20 years and people are still debating the intent of all those wars that occurred after 9/11. Intent is really hard to prove, and that is even if we have proof of policies that defined every killed male over the age of 15 as a terrorist regardless of situation.
We could just define all wars as genocide and be done with it. The definition does fit, with all wars ending up behaving as if the intent was the destruction of a people. If the genocide definition helps to reduce the scale of the atrocity being done then I am also for using it in any war which has that effect. However, if it is just used as a media tool in order to define which side is good or bad then I'm unconvinced it will help to reduce atrocities.
The war on terror is a criminal farce, with the purpose of fleecing the Western states of, literally, trillions and trillions of dollars. It has not successfully defeated terrorism - in fact, the architects of the war on terror have only produced more terror, in more places around the world, than ever before.
It is important to define and use the word genocide when it happens because we have international institutions that were built - because of the genocide of the Jewish people in fact - explicitly to prevent the world from experiencing yet another holocaust.
But as we can see, we in the West would rather argue semantics and play tribal politics than hold our own war criminals to account for their heinous crimes.
> Intent is really hard to prove
In the case of the genocide currently happening in Gaza, alas, intent has been very, very easy to prove.
Did you actually read what I wrote? I completely agree that genocide is a matter of intent. That is why my comment was about intent, not about scale. In fact I specifically said Israel is killing too many non-combatants, indicating the scale is bad and if scale is what mattered I probably would call it genocide. But as you say, it is not about scale. That is why I made the point that the non-combatant casualties would almost certainly significantly decrease if one side of this conflict was not aggressively using humans as shields – that to me speaks to the intent of Israel/IDF.
The people ultimately to blame for the high civilian casualties are the people who 1. started the war and 2. insist on staging that war entirely in civilian areas. That is Hamas on both counts. I am certain that if tomorrow Hamas said "hey, let's have a pitched battle in the style of Middle Ages Europe, where we go to a field and send all our fighters against all your fighters and the victor is the one left standing", the IDF would be happy to oblige.
But Hamas will not do that, because they want the destruction of Palestinian peoples more than Israel does. After all, it helps their cause much more than it does the cause of Israel (and they clearly can't actually win the war without the human shields).
Do you speak for the IDF? How is it then that you can also represent Hamas?
> insist on staging that war entirely in civilian areas.
Gaza is an open-air concentration camp which has suffered under Israeli military control for decades. Where else are they going to fight - specially constructed stadiums built for the purpose? Outside, in the no-man's land between Gaza and Israel? 2.1 million human beings have been uprooted from their homes and herded into a 360km2 area by their oppressors - should they escape the military barriers that surround them and bring the fight elsewhere?
> But Hamas will not do that, because they want the destruction of Palestinian peoples more than Israel does.
This position is duplicitous and preposterous. The Palestinian people want to be free from the oppression they have suffered for decades. Israel, a powerful nation, had many, many chances to make peace happen in Gaza - it didn’t happen because Israeli society is fundamentalist, militaristic and racist, and I challenge you to prove otherwise.
You keep conflating Hamas with Palestinians. It seems deliberate. I for one do not think they are the same thing, but if you do I'm not sure this conversation can go anywhere. I am also unsure why you think you should be able to speak to the motives of Hamas and Israel (and therefore assert the intent is genocide) while I cannot.
As a side note, you argue like you are on Reddit. It might be helpful to review the site guidelines[1] about discussion on Hacker News.
I don’t conflate Hamas with Palestinians at all, in fact I believe that it is those justifying the wanton murder of the Palestinian population by an oppressive military force who are doing exactly that.
But we know full well that duplicity has been weaponized in this conflict.
As for your ‘tone policing’, I’m not sure I can take your advice to heart given the position you take, of justifying the inhumane treatment of the Palestinian people. Provide evidence that this statement is true and then perhaps we can discuss your desire to manipulate my position to fit your rhetoric:
“But Hamas will not do that, because they want the destruction of Palestinian peoples more than Israel does.”
The only ones destroying the Palestinian people are the IDF.
How many non-combatants have died due to being killed deliberately, and how many have died due to being collateral damage in a warzone?
I believe the distinction and ratio between the two things is very important when trying to determine the intent of Israel (as outside observers) and whether or not they are perpetrating genocide.
I appreciate the attempt to frame the discussion in more reasonable terms.
However, I'm afraid you drained my batteries with the unwise decision to employ the plainly untenable "It's either gas chambers or it's no big deal, really" technique. Which by itself (through the use of such trivializing language) carries an air of callous disregard for the plight of those suffering from the situation we were attempting to talk about.
I'm not a lawyer so maybe I'm misunderstanding something, but the plaintiff is Whatsapp, not the journalists. This isn't really about holding NSO Group accountable for hacking journalists at all.
The fact journalists were compromised seems only incidental; the ruling is about whether or not NSO Group "exceeded authorization" on WhatsApp by sending the Pegasus installation vector through WhatsApp to the victims, and not whether they were unauthorized in accessing the victims. It's a bit of a subtle nuance but I think it's important.
Quoting the judgement itself:
> The court reasoned that, because all Whatsapp users are authorized to send messages, defendants did not act without authorization by sending their messages, even though the messages contained spyware. Instead, the court held that the complaint’s allegations supported only an "exceeds authorization" theory.
> The nub of the fight here is semantic. Essentially, the issue is whether sending the Pegasus installation vector actually did exceed authorized access. Defendants argue that it passed through the Whatsapp servers just like any other message would, and that any information that was 'obtained' was obtained from the target users' devices (i.e., their cell phones), rather than from the Whatsapp servers themselves.
> [...removing more detailed defendant argument...]
> For their part, plaintiffs point to section (a)(2) itself, which imposes liability on whoever "accesses a computer" in excess of authorized access, and "thereby obtains information from any protected computer" pointing to the word "any"
> [...]
> As the parties clarified at the hearing, while the WIS does obtain information directly from the target users’ devices, it also obtains information about the target users' device via Whatsapp servers.
Adding a little more detail that comes from the prior dockets and isn't in the judgement directly but basically NSO Group scripted up a fake Whatsapp client that could send messages that the original application wouldn't be able to send. They use this fake client to send some messages that the original application wouldn't be able to send which provide information about the target users' device. In that the fake client is doing something the real client cannot do (and fake clients are prohibited by the terms) they exceeded authorization.
Think about that for a moment and what that can mean. I doubt I'm the only person here who has ever made an alternative client for something before. Whatsapp (that I recall) does not claim that the fake client abused any vulnerabilities to get information, just that it was a fake client and that was sufficient. Though I should note that there were some redacted parts in this area that could be relevant.
I dunno, I mean the CFAA is a pretty vague law that has had these very broad applications in the past, so I'm not actually surprised. I was just kinda hopeful to see that rolled back a bit after the Van Buren case a few years ago, when the Supreme Court had some minor pushback against the broad interpretations that allowed ToS violations to become CFAA violations.
Edit: Adding a link to the judgement for anyone interested: https://storage.courtlistener.com/recap/gov.uscourts.cand.35...
Edit2: And CourtListener if you want to read the other dockets that include the arguments from both sides (with redactions) https://www.courtlistener.com/docket/16395340/facebook-inc-v...
> I doubt I'm the only person here who has ever made an alternative client for something before.
I've been on both sides of the issue by authoring unofficial clients, and battling abusive unofficial clients to services I run. The truth is, complete carte blanche for either side is untenable. 99.99% of well-behaved clients are tacitly ignored, I'm not against those that deliver malware, or bypass rate-limiting having their day in court.
[dead]
Given the nature of who the stakeholders are, the neatest way to achieve an end is to target authorization. It focuses on the how instead of the who or what.
This reduces embarrassment for stakeholders, protects sources and methods, and sends a message.
The law is as broad as can be. If it were a US National instead of NSO Group, some crazy calculation of damages would be used to extract a plea in lieu of a thousand months in prison.
The CFAA is definitely ripe for reform. It wouldn't be hard to argue it's broad and vague. There's definitely this overarching sweep of online behaviors that could easily be classified as benign.
I don't think users of WhatsApp would have standing against people hacking WhatsApp to get their data.
WhatsApp owns the systems, so it's up to WhatsApp to sue.
The thing of value isn’t in WhatsApp in this case.
You can’t sue a dude for stealing a screwdriver to break into your home with. Your tort is the act against you.
What?
So if someone robs a bank and empties my safety deposit box I can't sue them because it was the bank that had the money, not me?
Well, haven't you heard? The issue with your analogy is: you don't own your data.
(One might argue that it's similar with "your" money in the bank, but that's not the point.)
Different scenario. The bank is a bailor — they have a duty of care for property in their possession that you retain ownership to.
You can sue the thief for stealing your property and the bank for negligent bailment. Same concept as a valet crashing your car.
If someone steals the ownership registry the bank maintains regarding the deposit boxes, that may be the better analogy. Or the list of owners and box numbers. Clearly this is information the bank controls, not the individual.
> fake client to send some messages that the original application wouldn't be able to send which provide information about the target users' device
> I doubt I'm the only person here who has ever made an alternative client for something before
I think the distinction here for "exceeds authorisation" is pretty apparent. I don't read this judgement as being damning for people wanting to make their own clients.
They made a third party client for deliberately malicious purposes. If you go ahead and make a discord client with the intention of spamming or otherwise causing harm to its users, I think it's completely reasonable for you to get in trouble for that.
[dead]
Darknet Diaries did a few podcast episodes on the NSO group from the perspective of people who have directly interacted with or have been the target and it really puts it into perspective how horrific they are. They operate under the protection of the US and are directly allowed to spy on US citizens without any recourse whatsoever.
One particularly grotesque case was the illegal wiretapping of Bensouda after launching a criminal probe into Israeli war crimes, which they used to threaten the prosecutor, and to hide evidence that they knew was under scrutiny or take the cases to court just to drop them so they could tell the ICC that they did make an attempt to prosecute, which is a loophole that prevents the ICC from taking up those cases.
I'm certain many countries do this stuff, as well as operate botnets and threaten journalists... but the uniqueness here is that these intel groups located in Israel operate under complete protection of the US without any scrutiny or oversight alongside the US government. We are living in this dystopian universe that people have warned about, for decades at this point.
The US hosts and protects firms that are better at this than NSO, and not just because they're smart enough not to be in the news.
Do these firms target US citizens without a US warrant?
US citizens are routinely targeted by CNE operations enabled by commercial tools, yes.
You don’t need a warrant to target US citizens unless you are the government.
On the other hand, if you “target” Americans and you’re not the American government, you’re committing a crime.
Note here that we are describing firms that produce CNE tools, not organizations (lawfully constituted or otherwise) that actually use them. Production of exploits and implants is broadly legal everywhere in the world, including the US and Europe. The legality gets murky when you sell to non-governmental organizations (if prosecutors can demonstrate you knew the crimes that were to be committed with them), but most of the market appears to be governmental.
The arrangement is that the UK's GCHQ spies on US citizens and shares the info with CIA/NSA.
Why was this dead? If anything, Thomas' reputation here should at least entitle him to being heard.
My fellow showdeader, click the time on the dead post and press “vouch”.
I did.
Agreed that the flag seems highly dubious here.
[flagged]
I don't think it's off topic, we're talking about companies spying. Unsourced, maybe, though I suspect Thomas is a reliable enough source.
It has nothing to do with the OP. Honestly he always jumps in to do whataboutism on Israel posts. He didn’t say who he was talking about, it doesn’t add and only detracts from the discussion here.
I strongly doubt the intent here was whataboutism. Rather, it was more to indicate that things get a lot worse than this; it's just not in the spotlight so not many people know about it.
Does it get worse? He didn’t actually leave a source. NSO is certainly the most nefarious known agency.
They are but I can corroborate that they are not nearly the only player in this space. Google has done its research on several more of them: https://blog.google/threat-analysis-group/commercial-surveil....
I think the key word there is “known” which I appreciate you saying.
We still don’t know who created Bitcoin, what are the odds there are more… effective? groups than NSO operating in the US? I’d say greater than zero.
This is actually really wild
BTC has a current market cap of around $1.9 trillion
And we don’t know who created it!
Additionally, it’s estimated Satoshi’s wallet holds about 1M BTC, out of ~20M BTC total supply
So there is a mystery account of BTC that owns almost $1T or the equivalent of 5% of all BTCs market cap
Who are you talking about?
I refuse to use Israeli tech in my stack if at all possible. I don't see how someone could use software like Snyk and not put themselves at risk (founders are ex-IDF Unit 8200). Especially in the area of security, it seems like using Israeli tech is inviting the wolf straight into the hen house. No thanks.
Yes, I think the pager attack is also an interesting case study. It's one thing to execute a supply chain compromise for information gathering, where the target may never know what happened. On the other hand, flaunting your abilities in that area will just lead you to being cut out of supply chains.
[flagged]
Every tech stack you use regardless of country of origin puts you at risk. You can assess that some of those are higher than others but I would ask you to really think hard about whether you think you are an accurate judge of that.
Israel literally blew people up with a supply chain violation. I’m very comfortable with my assessment.
[flagged]
Ok, no Intel for you.
I don’t use Intel either (at least as my main processor).
[flagged]
I thought WhatsApp and Signal share the same encryption.
It was a buffer overflow in a VOIP stack:
* https://www.theverge.com/2019/5/14/18622744/whatsapp-spyware...
Interestingly enough, Signal (and others) had the same sort of vulnerability on Android from a WebRTC stack:
* https://googleprojectzero.blogspot.com/2020/08/exploiting-an...
The big issue in both cases is that the exploit was triggered before the user answered the call.
I think the moral here is that a secure messenger should not execute inherently insecure code (i.e. complex code) on behalf of entities that are not really well trusted by the user. The default should always be plain text.
Was the spyware persistent? That is, would a reboot clear it? Not that it matters. Presumably, the attackers were so motivated they would re-infect the device the moment they saw it go dark.
No and you've provided a good reason why it doesn't have to.
The other moral here is to stop using memory unsafe languages. It's just so incredibly dumb that we keep making excuses for this.
I think most influential companies such as Microsoft and Google have said that C and C++ need to be deprecated. I think replacing old code with memory safe languages takes time, effort and money. Hopefully in a decade this can be fully done.
Does Rust make RCE impossible? I don't think it does.
There is the option of not having data and code sharing the same stack, that seems like a better solution to me but such an option is not usually talked about.
It makes this kind of easy pivot to RCE impossible. Attacks these days are generally more sophisticated than simple buffer overflows, fwiw. Targeting function pointers from a heap overwrite gives the same capabilities.
The encryption isn't alleged to have been compromised. The app itself deals with a lot of untrusted input (eg, thumbnailing video files you've been sent) so there's a meaningful attack surface outside the protocol itself.
Note for Signal users: in settings, you can disable link previews and automatic media download.
Why are link previews a problem? Presumably I only generate previews for links I've vetted.
It seems like most of the exploits come down to blowing up a parser of one data format or another. Myriad from which to choose, they are written in C for historical reasons, and probably play fast and loose with validation in the name of performance.
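As an added illustration of the parser-validation point made in this comment and of the buffer-overflow discussion earlier in the thread (this is example code written for this page, not code from any commenter, WhatsApp or Signal), here is a hypothetical length-prefixed record parser in C. The unchecked version trusts a sender-supplied length field and copies that many bytes into a fixed buffer; the hardened version validates the length against both the destination capacity and the bytes actually received before copying. The record layout, `PAYLOAD_MAX`, the sample messages and all function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record layout used only for this example; it is not any
 * real messenger's wire format:
 *   byte 0     : record type
 *   bytes 1..2 : payload length, little-endian
 *   bytes 3..  : payload (length given by the field above)
 */
#define PAYLOAD_MAX 64

typedef struct {
    uint8_t  type;
    uint16_t len;
    uint8_t  payload[PAYLOAD_MAX];
} record_t;

static uint16_t read_le16(const uint8_t *p) {
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* The bug class: the parser trusts the sender-controlled length field and
 * copies that many bytes into a fixed-size buffer. A length larger than
 * PAYLOAD_MAX (or larger than the message) overruns the buffer, which is
 * the "blowing up a parser" pattern the thread describes. Kept here only
 * for comparison; never call it on untrusted input. */
int parse_record_unchecked(const uint8_t *msg, size_t msg_len, record_t *out) {
    if (msg_len < 3) return -1;
    out->type = msg[0];
    out->len  = read_le16(msg + 1);
    memcpy(out->payload, msg + 3, out->len);   /* no bound on out->len */
    return 0;
}

/* Hardened form: every sender-controlled length is checked against both
 * the destination capacity and the bytes actually present in the message
 * before any copy happens. Return codes: 0 ok, -1 bad arguments/too short,
 * -2 length exceeds PAYLOAD_MAX, -3 length exceeds the bytes present. */
int parse_record_checked(const uint8_t *msg, size_t msg_len, record_t *out) {
    if (msg == NULL || out == NULL || msg_len < 3) return -1;
    uint16_t len = read_le16(msg + 1);
    if (len > PAYLOAD_MAX) return -2;
    if ((size_t)len > msg_len - 3) return -3;   /* msg_len >= 3, no underflow */
    out->type = msg[0];
    out->len  = len;
    memcpy(out->payload, msg + 3, len);
    return 0;
}

/* Constructed sample inputs. Each helper returns the parser's result so the
 * behaviour can be checked without relying on printed output. */

/* Well-formed: type 1, length 5, payload "hello". Returns 0 when parsing
 * succeeds and the parsed fields match the input. */
int demo_well_formed(void) {
    const uint8_t msg[] = { 0x01, 0x05, 0x00, 'h', 'e', 'l', 'l', 'o' };
    record_t rec;
    memset(&rec, 0, sizeof rec);
    if (parse_record_checked(msg, sizeof msg, &rec) != 0) return -1;
    return (rec.type == 1 && rec.len == 5 &&
            memcmp(rec.payload, "hello", 5) == 0) ? 0 : -1;
}

/* Length field claims 0xFFFF bytes while only 5 follow: rejected before any
 * copy (-2), where the unchecked parser would have overrun the buffer. */
int demo_oversized_length(void) {
    const uint8_t msg[] = { 0x01, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o' };
    record_t rec;
    return parse_record_checked(msg, sizeof msg, &rec);
}

/* Length 10 fits the buffer but only 5 payload bytes are present: rejected
 * (-3) instead of reading past the end of the message. */
int demo_truncated_payload(void) {
    const uint8_t msg[] = { 0x01, 0x0A, 0x00, 'h', 'e', 'l', 'l', 'o' };
    record_t rec;
    return parse_record_checked(msg, sizeof msg, &rec);
}

int main(void) {
    printf("well-formed: %d\n", demo_well_formed());             /* 0 */
    printf("oversized length: %d\n", demo_oversized_length());   /* -2 */
    printf("truncated payload: %d\n", demo_truncated_payload()); /* -3 */
    return 0;
}
```

The design point is that both checks are needed: bounding the length by the destination buffer alone still lets a short message make the parser read past its own end, and bounding by the message length alone still lets a long message overflow the fixed buffer. Real formats have many more length fields (nested chunks, tables, frame counts), and each one is a place where the same check must appear.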
True, I guess you're right.
The group exploited a bug in WhatsApp to deliver the spyware. It wasn't an E2E issue.
> A U.S. judge ruled on Friday in favor of Meta Platforms' (META.O) WhatsApp in a lawsuit accusing Israel's NSO Group of exploiting a bug in the messaging app to install spy software allowing unauthorized surveillance.
The attack wasn't targeting the encryption part of WhatsApp (afaik).
Encryption is important but it often is not the weakest link in the security chain.
People have to start assuming that any communication method in use is compromised. There’s just no way on earth orgs like the NSA would throw their hands up in the air and not find multiple different avenues into an app like Signal. It's one of the most downloaded messaging apps. Investment into compromising it is very worthwhile. People should just assume everything involving a cell phone or computer is inherently insecure. Meanwhile for some analog methods (one time pads, even cupping a hand and whispering into another's ear, etc), the power balance isn’t so lopsided between the state and the individual as it is with digital communications where everything is probably compromised in some way by now.
Password managers are such a high target that I wonder how we’ve convinced people to put all their passwords in the same software.
A great number of comments and posts on this site rave in favor of password managers and their use for "security" and convenience, despite what you say being such a very obvious flaw.
Depends on your threats.
I’m more worried about financial scams than I am anything related to government. Password managers with random passwords are an excellent guard against that threat.
If I were worried about state actor threats, any keys or passwords would be memorized.
I'm not sure that would be a good idea. Do you, personally, want to be the weak link in the chain to something a nation state wants?
Back to using the same password everywhere then.
Bitwarden is already a big step up from what most people are doing, then if you want to hide from the government you better make sure you save your passwords on an extremely secure device. But that's another threat level from the average Joe.
KeePass has been around for ages for free.... surprised cloud solutions are so popular
[dead]
Well no Chinese should be using software that involved Americans. That is just common sense. When the chips are down everyone gets drafted by their country's security apparatus.
Treating NSO owners / decision makers the same way as Gary McKinnon would be more appropriate. But I guess they are more "equal".
> "Surveillance companies should be on notice that illegal spying will not be tolerated."
That is kinda funny, although sad at the same time
On the flip side, I guess that means META allows WhatsApp users being only “legally spied” on
Every social media company allows legal spying. Warrants and wiretap orders are issued every day in the United States.
With end-user-device-controlled e2ee, the only information available to law enforcement is metadata. With a warrant, they could seize your device (or the backups, if unencrypted)
Unfortunately, I don’t think end-to-end encryption guarantees much when it comes to legal intercept in proprietary messaging apps. The intercept functionality could be done in the client and capture data, not just metadata.
Why hasn't any evidence of such client-side interception ever been surfaced? Reversing apps and software has been done since forever, and has been used to discover things the app-makers don't want made public - such as unannounced new products, but this happens perennially with Apple & OS updates, and upcoming features in apps that are behind flags.
> Why hasn't any evidence of such client-side interception ever been surfaced?
In such a scenario only the target of the wiretap would receive the modified client application. Both Google and Apple allow pushing updates to a small subset of users. It's not unthinkable that they also have the (internal) ability to push a specific update to a specific user.
But I guess now you'll move the goalpost to ask "Why hasn't any Googler come forward and admitted it's happening?" That is a fair question, but I think most people would see this legal spying as no big deal and perhaps even a good thing.
> It's not unthinkable that they also have the (internal) ability to push a specific update to a specific user.
So the lack of evidence is itself evidence of another layer of nefarious activity? Are Apple in on it too (since they approve updates and control the App Store roll-outs)? I have no stomach for debates over unfalsifiable scenarios - your position is clearly set in stone.
Isn't that obvious though? Meta wants exclusive spying rights to its users. You spying on users with Meta's products is not allowed. If you want to spy on your users, build an app that's so popular billions of people sign up willingly to allow you to spy on them. Have you no decency?
> Meta wants exclusive spying rights
You're allowed to say "The NSA", we're all adults here. No need to speak in euphemisms.
"Unauthorized hostility against pioneer detected"
There should be no difference between usual botnet owners/ransomware gangs and such companies. Management should go to prison for a good 20-30 years for that and be extradited worldwide. Considering that ransomware gangs are probably less harmful to society than guys who hack journalists and politicians, putting their lives at literal risk, not just their pockets.
There should be no "legal" hacking of someone's devices apart from extraction of data from already convicted people in public court with the right to defend themselves
It's not like this is that different than traditional "weapons" (I hate the "cyberweapons" analogy, but if the shoe fits).
Sell guns to governments, even unsavoury ones, it is very rare anything will happen to you except in pretty extreme cases. Sell guns to street gangs, well that is a different story. Like I don't think this situation is different because it is "hacking".
The NSO created/ran cloud instances for each client country and reviewed and approved every target. They didn’t sell weapons like in your analogy. They were effectively assassins for hire.
The problem with selling exploits is you want to maintain “ownership” of the exploit details, lest your customer just take the exploit and sell/use it without paying more or use it to attack you or your friends. This means you end up with veto power. I.e. culpability.
All the cartels in Mexico buy their guns from America and nobody is going to jail over it.
People do in fact get sent to prison for that, straw purchases are a federal felony. Not all of them actually get caught, which is true of any crime.
Except when the ATF does it, no big deal
More information about this: https://en.wikipedia.org/wiki/ATF_gunwalking_scandal
Kind of like the CIA importing heroin and cocaine. The laws cover this scenario but we have a problem with especially poor enforcement when the crimes are committed by parts of the government.
And meanwhile, if the government sells guns to cartels... no big deal. Rarely throw a fall guy under the bus. Or often not even that.
Trying to remember the quote I last heard, something to the tune of "we don't want to punish, we want to educate", which was about "educating" LEOs and entire police departments they shouldn't be selling fun switch guns illegally to gangs and private buyers.
(And do I even have to mention "fast and furious?" Hah! Feds get it the easiest.)
I agree with the first part, at least in spirit.
The second part though doesn't make sense. If the US president can send drones to kill terrorists without taking them to court, surely he can order hacking their phones. If you think that there's no case where the latter is ok, shouldn't you fight against the former first?
> send drones to kill terrorists
The part that you miss is, are they only killing "terrorists" extrajudicially? To take that propaganda at its face value is to ask, what else could they be killing brown people for, if not terrorism?
To further this. Look at how easily they are bringing terrorism charges on American citizens now (check out the Mangione case)
And I would guess they’ll use the opportunity to increase the reach as well
I didn't say if I think that drone killing is justified or not, since I have no opinion on that - I don't know enough to form an opinion. I only say that since the government has the right to send killing drones it doesn't make sense to raise pitchforks against phone hacking
The thing is, extrajudicial murder justified by labeling the victim “terrorist” is illegal and should not be accepted in a free and open society.
The ‘terrorist’ label was invented as a means of abrogating human rights by governments who felt they were encumbered by the obligation to protect human rights. “Terrorist” labeling is a totalitarian-authoritarian apparatus to avoid culpability for its actions when a government decides the easiest solution to its problem is outright murder.
Do you not think that terrorism exists, that the label has been co-opted for other purposes, that terrorists cannot be treated as combatants, that non-declared-war conflicts should not have deliberate strikes or something else?
It seems to me like terrorism has a pretty plain definition: Using violence against civilians/non-combatants to further an ideological goal, primarily via fear.
It's often misused as an excuse, but there are actual terrorists, the word has a meaning and we should not let it be watered down by either the people wanting to use it as an excuse or the people trying to shroud terrorism in something else.
Every single nation state in the context of this discussion has murdered civilians/non-combatants to further an ideological goal and are thus guilty of acts of terrorism - in the case of the US, for example, terrorism is official doctrine used for regime change across the world. The US literally funds, arms and supports terrorist groups whenever its ruling military determine that their domestic population has no stomach for outright war - in most cases, in fact, terrorism is how the US gets its regime change designs implemented.
As citizens of nations which use terrorism as a tool for their political purposes, it is long since past the point we let ourselves be bullied by terminology and started instead to enforce the legislation required to rid our own ranks of war criminals - who are factually terrorists.
And now watch as the definition is stretched to fit whatever the powerful want to do
Like how they are now charging the UHC CEO suspect with terrorism
Then, if you support the guy, now a terrorist, well then you can be called a terrorist too
I don't get what's happening in this thread. This is a pretty clear statement: hacking isn't worse than the killing that the government is already allowed to do. It's a pretty straightforward argument which for some reason seems to be being misunderstood.
I'll gently push on the premise though: hacking isn't worse for the victims than death, obviously, but I think it's possible weaponizing of exploits does more total damage. Both collateral, due to the manufacturing of exploits which ultimately leak and harm a bunch of unrelated actors, and because the marginal hacking is lower cost, practically and politically. So a given attack is likely to be used against groups we'd recognize less clearly as "terrorists" / deserving of the harm / etc.
Thanks for the understanding. I'll say that because of that we should make the price for using the device much higher. For example using it should require authorization by process that will involve a stiff political price/barrier. Maybe a bi-partisan committee. Something of that sort.
> I have no opinion ... I don't know enough to form an opinion.
Why speak in hypotheticals supporting some phantom opinion? Concern trolling is even worse.
It is not hypothetical, the fact is that killing drones are used in practice, and it just doesn't make sense to oppose lesser measures that are being used without judgement when killing is allowed.
> killing is allowed
You said it is okay / allowed because "terrorists". Otherwise, it is a heinous crime. Just like the Pegasus one.
Ever heard of drone papers?
https://theintercept.com/drone-papers/
https://en.m.wikipedia.org/wiki/Daniel_Hale
I have no idea what you are talking about. Ok is a value judgment which I didn't state. Allowed is a fact. Are you arguing with what I'm saying or with an opponent in your mind?
> I have no idea ...
This is what you wrote:
> Ok is a value judgment ... Allowed is a fact
The second part being: Pretty clear from your rhetoric what your position is. Folks here are not dumb.
Factually, genocidaries are worse than terrorists.
[flagged]
Certainly the ones that hack journalists should go to prison.
Anyone can be a journalist, so the requirement should be that all of us have our human rights protected by criminalizing this heinous behavior.
Why should a journalist badge provide some kind of protection shield? [1]
[1] https://en.wikipedia.org/wiki/Pablo_Gonz%C3%A1lez_Yag%C3%BCe
In Israel's opinion? It shouldn't: https://en.wikipedia.org/wiki/List_of_journalists_killed_in_...
Israeli forces killed 38x more journalists than Hamas did on October 7th.
Also by now the number of people killed in Gaza by Netanyahu is very close to the number of Ukrainian people killed by Putin. Did anyone suggest sanctions against Israel for that genocide? Nope, they enjoy their full immunity and keep going forward with a massacre that has the same exact motivation as the Russian invasion: rob other people of their territory and resources. Two war criminals, two rogue terrorist states, yet two completely different weights.
[flagged]
Anyone has a right to be a journalist. This right shall not be abrogated by any state.
[flagged]
Flip that statement on its head. What respectable nation would fire upon a suspect in a press jacket without actually knowing who it is first? Who orders artillery and airstrikes on known press positions? Soviet doctrine? Countries with WWII logistics?
Seems clear to me that this is a deliberate campaign of terror constructed by the IDF to deter any form of independent journalism in Gaza. No different than hasbara or the Hannibal Directive - orders passed down from the top get obeyed, even if it costs the truth or innocent lives.
[flagged]
> Hamas also has a nasty habit of calling certain veterans "journalists".
Ah, kinda like how Israel has a nasty habit of calling their military reservists "innocent civilians" when they're attacked? Or is it more like when they call the Golan Heights colonists "citizens" of a universally unrecognized occupation?
Lot of complex vocabulary here. I invite you to link as many cases of falsely-identified journalist deaths as you can find though. It sounds like a big issue, judging from your tone.
> When they do die, Al Jazeera makes a hue and cry out of it because it serves their agenda and resonates very well with their audience
It could also be that killing civilians is a bad thing, and when Israel ignores the directly communicated press positions it exposes their indifference to collateral damage.
Imagine if they chase NSO as hard as they chased Wikileaks
Well NSO does their work for them, so that’s not gonna happen
Also, look at how the govt has acted in the last year or so, they will never move against Israel
Unfortunately, incorporation is how you whitewash normal criminal culpability to just a cost of doing business fine.
Capitalism is neat that way. Diffusion of responsibility.
Which is ironic considering the FBI and CISA just today announced that you _should_ use WhatsApp and not use SMS for two factor authentication. Although they point out the biggest problem is mobile users click on links in SMS. We live in a mostly captured and anti consumer environment. I'm not sure there's any great advice.
https://www.newsnationnow.com/business/tech/fbi-warns-agains...
Of course there is. Always prefer an authenticator app over SMS. Also, Passkeys are supposed to be a big upgrade in this regard.
Whatsapp is not still vulnerable to the hack (as far as we know) and SMS applications have had similar vulnerabilities in the past.
There are many other companies beyond NSO Group, if I were a journalist I would write a more comprehensive list of them and educate about this whole "industry".
Very few companies’ work results in outright murder of the targeted victims.
If you know of any other cyber criminal organizations like the NSO, where governments use their tools to select and murder targets, please describe them.
The previous commenter's point is that NSO is simply the firm in this space that you happened to have heard of. There are many more.
[dead]
NSO Group is unique in that they are entirely sheltered from (largely due) criticism by their government, creating an unaccountable and injust basis of relations between the United States and Israel that many readers are concerned by. There simply aren't any other comparably corrupt "cybersecurity" outfits in the world.
Kinda similar to how the IDF has never been charged with war crimes despite several of their service-members being recorded breaking the law in their Israeli fatigues. It's not that international law was never broken, it's that Israel considers themselves above the rule of law and international bases of morality. That type of behavior absolutely must be called out in its lonesome, such that no nation ever repeats Israel's embarrassing mistake.
[flagged]
The number of crimes they've committed is also disproportional to their size.
[flagged]
What other nation besides the USA and its 5-eyes lackeys willfully murders children almost every day in their own ‘self defense’? Got a list of states that murder more people than the USA/5-eyes and Israel right now?
Sudan, Ethiopia/Tigray, and Syria would all be recent (or ongoing) examples of non-primarily-US military conflicts where mass civilian death, including children, has been publicly evidenced. Each of these conflicts has seen one (or all) parties use self-defense as an argument.
(This doesn't somehow imply that anything is OK about the US's own role in global war, or anything in particular about the I/P conflict. But it's incorrect to treat US/Israel as uniquely competent or active in terms of immiserating the world's civilians and innocents.)
> Sudan, Ethiopia/Tigray, and Syria
Yes, but these are not western allies with immense financial and industrial resources, shared among themselves, whose leadership have signaled for decades their intent to create a new world order in the ashes of the wars they have intentionally fought - for decades.
Certainly the genocides in Sudan, Ethiopia, and Syria are atrocities which must be addressed. But they are not the world’s biggest bully thugs. The US and its coalition of willful criminal states, including Israel, are the worlds biggest bully thugs. Sudan doesn’t have a nuclear threat regime which promises to eradicate all life on earth if it doesn’t get its way, politically, across the globe.
> But it's incorrect to treat US/Israel as uniquely competent
I disagree completely. The US and Israel are extremely powerful nations capable of the industrial might required to assemble nuclear weapons. They very definitely should be held to task - especially since one funds the other, providing immense military power where they could, instead, be using that overwhelming industrial capability to build peace.
Like China does, for example.
I don’t think Western versus non-Western provides absolution. You asked for examples of military conflicts with similar degrees of civilian harm, and I’ve given you three examples that demonstrate that you don’t need to be the world’s primary superpower (or its close ally) to cause damage on its scale.
Consider your own case: China has done plenty to immiserate minorities within its own borders, has made it clear that civilian harm comes secondary to its own development (cf. indirect financing of the Ukraine war), and has geopolitical designs on Taiwan, etc. that entail putting civilians in harm’s way. Unique virtue is not a thing among countries, nor is the capacity or desire for the kinds of violence that affect the world’s innocents today unique.
(Or in other words: having nuclear weapons is mostly a red herring, given that most civilians in conflicts die from the kinds of conventional weapons that have been killing civilians for hundreds of years.)
[flagged]
Throughout this thread you have refused to address the actual topic and (since the root comment) deflected any criticism of Israel (however well-founded) because you feel like it's not fair relative to other countries. You might want to take a break from responding to these comments if you're going to repeat the same whataboutism whenever people discuss Israel's issues in earnest.
None of the questions you just asked have any relevant salience to what the parent just said. Nobody is forcing you to keep responding here, you might as well leave the discussion where it is if you can't engage without getting emotional or changing the topic.
[flagged]
[flagged]
If that's the only comparison that comes to mind, then you're basically proving the commenter's point.
[flagged]
What you're missing is that this isn't a relative position. Nobody in this thread (or much of anywhere on HN) is defending Europe or America's misdoings with the same rhetoric. The reason is that people are willing to accept that their governments make mistakes, and they reflect on these problems and fix them democratically.
Israel, currently, is in a position where an extremely nationalist and conservative ruling party has given all sorts of lawbreakers complete impunity. Violators of internationally recognized borders are ignored because it's a boost to morale. Hackers that sell their services without scruples are given a safe haven in exchange for access to their digital arms. And many people rush to defend their actions (or distract from them) because they tacitly approve these behaviors.
When you refuse to acknowledge or in any way address the countless and even admitted ways in which Israel violates international law, you somewhat tip your hand and reveal that you have no intention of holding them accountable even at their most reprehensible. This thread is about Israeli complacency in breaking the law. You are the one crying whataboutism apropos of... Israel being criticized in a public setting.
[flagged]
That is like saying that Russia is not liable for the cyber-sabotage done by hackers it harbors (and presumably funds, covertly).
Israel is notorious for dodging responsibility, like carrying out assassinations abroad that are set to look like accidents, just like Russia does.
Take the assassination of Waddie Haddad and Yasser Arafat with slow poison as examples.
[1] https://en.wikipedia.org/wiki/Wadie_Haddad#Death [2] https://en.wikipedia.org/wiki/Death_of_Yasser_Arafat#Poisoni...
[flagged]
Can you share some?
Like Verint, who tried to buy the NSO group, and has security DVRs in Walmarts all over the world...
Source?
this is a really good source: https://www.surveillancewatch.io/
It is hard to believe that NSO group is allowed to operate. They sell technology to horrible places, they cause death, torture, and a host of less horrible things.
Yet they are protected by the US and Israel, which I believe is the case that they have backdoors into all of it, and getting the targets to actually install this malware on their own saves a lot of time.
All good, except for the actual real world victims.
> It is hard to believe that NSO group is allowed to operate. They sell technology to horrible places, they cause death, torture, and a host of less horrible things.
That describes the entire Israeli defence industry, and a fair sized portion of Israel's cybersecurity industry, based on the stomach-churning sales pitches I've received.
NSO are not unique, they just got unlucky.
It describes the entire defense industry, and a fair sized portion of the cybersecurity industry, full stop.
> based on the stomach-churning sales pitches I've received.
Care to elaborate? This could be news story-worthy
How do you "not" allow them to operate? People write things like this that seem premised on the idea that Bahrain wouldn't have implant technology if you shuttered NSO, but the only thing that would actually change is who the invoice got sent to. These companies have an unbeatable value proposition, lots of competition, and the lowest capital investment requirements of any intelligence product.
I really feel like people aren't thinking this stuff through. Exploits and implants are not rocket science. There aren't a huge number of people in the world that are world-class at reliably exploiting modern targets, but it's not like there's just like 20 of them or something.
later
In case it's unclear from the comment: I don't think this is a good thing. I'm speaking positively, not normatively.
[dead]
[flagged]
We've banned this account for frequently posting flamewar comments, breaking the site guidelines, and ignoring our requests to stop.
If you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future. They're here: https://news.ycombinator.com/newsguidelines.html.
[flagged]
[flagged]
[flagged]
NSO Group: Relationship with the Israeli state
https://en.wikipedia.org/wiki/NSO_Group#Relationship_with_th...
I'm quite surprised by the corporate history section.
Specifically, NSO Group is worth a lot less than I thought it was, even at its peak. ($1B+ valuation)
Also, the amount of infighting is... Surprising perhaps? Less surprising is the number of spinoffs out of it, and the number of competing Israeli spyware groups.
I'm constantly surprised by how good the Israeli startup environment seems to be.
Why is this? How are there so many acquisitions out of there?
Things like this are similar to law firms. The shelf life of vulnerabilities means that there isn’t a lot of intellectual property owned by the company. The value is in the people’s skills.
So once people get really good they quickly realize they can make more by starting their own company and siphoning off client relationships.
Valuations don’t really matter in their playing field. It’s more about power and politics, rather than raw numbers.
[flagged]
I'd imagine they have a very limited market as in who they can sell their products and services to, for reasons that might make political power more interesting than valuation.
I don't know about that. Something I think a lot of people sleep on with this stuff is that most countries have multiple security agencies, and you generally cut deals with them individually. The market for this stuff is bigger than it looks.
That's probably a fair assumption too.
I was mostly thinking that the customers / clients you have and services you have to offer can be largely dependent on people in positions of power where having the right connections and influence might be the key difference between a service or product being viable.
For example - although not related to NSO - something like operation Trojan Shield required both Australian and Lithuanian cooperation due to fourth amendment interpretations.
Having a zero day in such cases is only part of the work and everything beyond that might be very much dependent on the strings you can pull.
But I can also see the argument that that would be something the government can figure out after they buy the product or service, so maybe I'm wrong on that and it's less important than I thought.
My mental model of how this works --- and I have some (imperfect) evidence for it --- is that a given one of these firms (NSO or one of its competitors) has an addressable market of N countries each with an average of K security agencies, and basically all of those agencies pay subscription fees to be continuously in a position to do a CNE operation when they want to.
(Generally, I don't think countries just "buy exploits"; a significant component of the money in this space comes from "maintenance", so much so that I think it makes more sense to think of exploits as subscription services.)
> so much so that I think it makes more sense to think of exploits as subscription services.
I think this makes sense, especially given the uncertainty of when an exploit gets patched.
To my original argument of political power vs valuations you can probably say that having those same people you'd otherwise try to influence on your board with a financial incentive allows you to achieve the same thing, I'm not sure why I didn't consider that before.
Don't get me wrong: I'm sure there's plenty going on between NSO and Israel, and a lot of politics involved. But I also know it to be a real industry, with lots of players.
[flagged]
I mean, that’s true of most businesses and industries, big and small? The average person has no idea that Oracle or SAP exists, or that they are multibillion dollar companies. Most people don’t know you can just go buy plastic and composites at TAP, and all sorts of things at McMaster. Most people don’t even know who builds commercial vehicles besides like Peterbilt maybe.
Is there an argument you are making that Meta/Apple/Google should be suing all the other companies as well?
If they're trespassing on Meta's network, absolutely. The core thing that these companies do though tends not to intersect so directly with Meta's property rights.
"Many criminals got away with their crimes so let them get away with it or you are accused of anti-Semitism"
"But what about Iran? Would you please get distracted by that?"
"But we warned them before with hack them/blow their houses to rubble"
Okay, so? What is your point?
What was the point of the parent comment?
[flagged]
Usually zero days being used in the wild get found and analyzed. Who else is making exploit packages like this other than state actors?
[flagged]
What exploit packages in recent years that aren’t NSO haven’t been attributed to an APT?
[flagged]
My understanding is that in places like Russia or China they have full blown military units with uniformed officers and men that are developing these sorts of things. In the US a lot of it is (was?) NSA related like EternalBlue. Are you saying in the west now that we are buying exploits from the grey market instead of getting them from NSA researchers? I thought that more broadly the government had been learning its lesson that there is no such thing as a NOBUS vuln and that America has more to lose than our adversaries from these things.
You have to be really bad if Meta are somehow the good guys in the article.
The victims are the good guys. Meta is just not happy that their platform was exploited. Even if you consider them to be the bad guys, they needed to sue to curtail the bad PR.
You’re right. That’s the right way to look at it.
Didn't the US fund those guys to do exactly that?
The US often does unlawful things.
Especially using willing 3rd parties to allow for plausible deniability.
It is only legal and ethical when we do it.
Well, good. But also: build better software.
Ahem, we don't do that here. We get to market faster before our runway ends so we don't risk our exit.
If it's approved by the AppStore, then it should be good, no?
I support this.
It’s not possible to be “perfect,” but if we do our best to get there, we’ll make really good stuff.
It’s unlikely to happen, though, as we have a system that explicitly rewards writing crap, because it makes money.
As long as we fail to reward good work, we will continue to get poor work.
> As long as we fail to reward good work, we will continue to get poor work.
I think that's a bit off. The problem is that we continue to reward poor work so the poor work continues.
That's correct. I was being generous.
Note that even my fairly mild statement was not received well. People really don't like discussion of improving the Quality of software, here. Too much money to be made in not-so-good stuff.
Correction: people don't really like low-quality comments that don't bring anything to the table beyond "let's make everything better".
Come on, you know me better than that.
In this case, the comment fit the conversation. The original comment was a short, pithy, and rather sarcastic one that was, nonetheless, correct. They pointed out that we need to write higher-Quality software, in order to give folks like the NSO people fewer “hooks.” The NSO folks are smart, dedicated people who, in other circumstances, we would admire for their creativity and intelligence. They often take advantage of mistakes (or deliberate decisions) made by folks that we may find less admirable.
I like this community and medium, and sincerely want to be a “good citizen.” The opportunity to interact with people like you, is a privilege that I respect and value. We may not always agree on everything, but I find many of your contributions to be inspiring, educational, and relevant, so I appreciate you. You have taught me lessons, and have changed my mind, and, I’m sure, will continue to do so. You have great insight, knowledge, and experience, which I value, and appreciate you sharing it (for example: https://saagarjha.com/blog/2023/12/22/swift-concurrency-wait...). People like you, are why I like this place. We have no social interaction, so I have no idea if we’d get along, IRL. I would like to think we would, but I’m often wrong, and not afraid to promptly admit it.
For myself, I try to participate by making very specific suggestions, and “keeping it focused on me.” I don’t attack others, even if I find what they say to be quite offensive (or if they attack me, which is fairly common). Most times, I don’t feel that my comments would improve things, even if I vehemently disagree with someone, so they are best left unsaid. I don’t participate in any other social media, and I’m retired, so I do spend a fair bit of time, here.
I spent most of my career at a corporation that was all about Quality, and I suppose it must have rubbed off on me. At that company, Quality was a religion, and they took it to the point of obsession. After leaving, I have tried to practice their mindset in my continuing work. I write software that can have a big impact on the lives of its users, so I take Quality seriously, in order to reduce things like attack surface. I feel as if the current tech community has a baseline ethos of “write code as badly as we can get away with,” and that ethos is rewarded. I don’t think that treatises on better unit testing will be of interest to folks with that mindset. I feel as if the mindset, itself, is the issue, and code dumps won’t make a difference.
I often reference stuff I’ve written, not because I want traffic (I could absolutely care less, whether or not folks read my stuff. I write for myself), but because I don’t want to litter the place with “wall of text” commentary (as you can see, I lean prolix). A quick link to an article that I wrote, going into great detail, is better than a massive comment that won’t have as much information.
For example: https://news.ycombinator.com/item?id=42478993
Are those articles specific enough?
I don’t think you’ll find anyone who would disagree with the premise that we should improve software quality. Yes, even the people who value iteration speed and shipping. All things being equal, better quality is always better, because of course it is.
The problem arises when all things are not equal, and something needs to give. Perfect quality is generally not attainable or even desirable, because it sacrifices things in other areas that we care about even more. Sometimes the value of something is high enough that we will pay the price for it failing in some cases. That’s just how we do a cost-benefit analysis. I say this even though I work in software security, where most of my job exists and is made difficult by “bad” quality, and a lot of my effort goes into figuring out how to improve that. Depending on the circumstances, I may advocate for the balance to be adjusted in favor of more security (at the expense of something else) and sometimes I may actually decide that this is counterproductive. That’s really my actual response to the comment.
However, as you probably noticed, I didn’t reply with that. I called it low-quality. In fact I think the whole discussion is low-quality, not because it is not a real point, but because it’s not interesting. I understand and appreciate that you have worked on software quality throughout your career. I want you to be proud of your efforts in this area. And it’s completely reasonable to point to that and go “this is what’s missing from our industry”. It’s not actually very novel or actionable. So, despite me not actually voting on the thread, I felt it was not valuable.
When I was in high school I happened to be pretty decent at physics. In fact I won some awards and was nationally ranked. This is kind of like your situation, except of course my skills were less general and also more ephemeral. But it’s as if I, given my arguably decent understanding of physics, went “the problem with climate change is that we’re using too much energy”. First of all, this doesn’t actually use any of those skills to proclaim. Even someone who failed high school could probably tell you that. But secondarily, and more importantly, I haven’t actually said anything useful. My knowledge of mechanics is great but solving climate change is a huge problem, both deeply technical but also social and political. It’s a lot harder than going “stop applying force over distance to things”. The same is true for preventing exploits: I’m sure you’re great at writing apps that have low defect rates, but when it comes to protecting against nation-state threats there’s a whole lot going on beyond “let’s not make any mistakes”. More relevant would be a discussion about, say, memory safety, or auditing, or whatever that is actually on-topic and actionable. What you’ve posted is something that is really just a “hear hear here’s an obvious problem let’s fix it” which invites nothing beyond people who will do nothing but agree with you, or somehow twist it into their pet peeve and rant against it. Neither is against the rules but I think it doesn’t make for insightful conversation, so I’m telling you about it now.
> My knowledge of mechanics is great but solving climate change is a huge problem, both deeply technical but also social and political.
> More relevant would be a discussion about, say, memory safety, or auditing, or whatever that is actually on-topic and actionable.
It's curious that the first sentence mentions social and political issues, whereas the second sentence completely ignores them. The original comment of ChrisMarshallNY was addressing the social and political issues in tech, albeit vaguely.
You also mention valuing "iteration speed" without acknowledging the predictable devastation this has on quality.
Shipping less, and shipping slower, is on-topic and actionable.
The biggest barriers to addressing global warming are social and political. Many powerful people don't want to address it. Indeed, they've intentionally promoted the idea that the problem doesn't even exist. Purely technical discussions are futilely rearranging the deck chairs on the Titanic if they ignore this.
I do think that ChrisMarshallNY misdiagnoses the problem a bit:
> I feel as if the current tech community has a baseline ethos of “write code as badly as we can get away with,” and that ethos is rewarded.
The second clause of the sentence is redundant, because the first clause is the heart of the matter. Anyone who operates purely according to financial incentives will inevitably cut corners. Crap is profitable, for various economic reasons that are beyond the scope of this comment. In order to achieve high quality consistently, you have to care about quality, about craftsmanship, independently of financial awards. This doesn't mean you don't care about financial awards, just that you have to care about both quality and money. For lack of a better term, you need business ethics, where some ethical principles are inviolable. You can seek profit without seeking profit maximization.
Note that religion is largely independent of financial considerations:
> At that company, Quality was a religion, and they took it to the point of obsession.
Point taken.
But I feel that the root cause is attitude and encouragement. Sort of “the wolf you feed” kind of thing.
That’s not really something that can be addressed by technology or even education.
That’s the kind of thing that we handle with social infrastructure. Peer pressure, cultural norms, “tribal knowledge,” etc.
In my mind, the best way to approach that, is by contributing small, almost “throwaway” human-interaction-level “course corrections.” We set the examples we want others to follow, and talk about why we do stuff, as opposed to always making it about how.
Some of the most valuable lessons that I learned about Quality, in my career, were offhand comments, made by folks that lived Quality, and demonstrated the required mindset.
Aaaaand it's flagged out of the front page. @dang, so early in the day this is obviously some coordinated manipulation.
“@dang” doesn’t do anything. Email hn@ycombinator.com.
Correct. If someone had emailed hn@ycombinator.com sooner, we would have fixed this sooner.
Dang doesn’t buy that anything ever actually happens here (just like the meme). I’m pretty sure dang is deeply associated with the IC.
Oh you guys.
Probably done by the same NSO Group. But for US Americans they are the good criminals, the chosen criminals.
I'm shocked! But don't worry, I'm sure the NYTimes, WSJ, AP, etc. will run hit pieces on this outrageous behavior by Israel.
Agreed. And no sensible adult should refer to the genocide in Gaza as being deep in the algorithm.
Genocide is an attempt to eradicate a group. The only group Israel is trying to eradicate is Hamas. They're not genociding Palestinians, they're genociding Hamas.
Are they killing an excessive number of civilians as collateral damage? Certainly seems like it. But collateral damage is not genocide.
If they wanted to genocide the Palestinians, they'd be shipping 'em to camps and gassing them, like the Nazis did. Looking at it another way: let's say that (hypothetically) Hamas stopped using people as human shields by firing rockets from hospitals and building tunnels under schools. Do you think the number of non-combatants killed by the IDF would go down? Because I do, and to me that says Israel's goal is not in fact killing non-combatant civilians, even if they're killing far too many as is.
Omer Bartov is an Israeli-American Professor of Holocaust and Genocide Studies. He is considered one of the world's leading authorities on genocide.
Here is a 15-minute clip of him explaining that what Israel is perpetrating in Gaza is systematic genocide: https://x.com/amanpour/status/1869818758501675259
This professor says that what happens in Gaza is genocide because ...
That's very plainly not a fair description of what he was saying. He gives plenty of reasons beyond the small snippet you've chosen to zero in on.
It is interesting that every time someone is asked to explain why they use the word "genocide" in the context of Gaza, they never talk about the killing of people.
And this description is even more bizarre. People bring up the egregiously high civilian death toll all the time. It's not the only part of the genocide accusation, but certainly a major part of it.
It seems you aren't really reacting to what "people" are saying, just what you prefer to believe they're saying.
This argument merely serves to justify murder and is inhumane, in and of itself. Please re-consider your position on the subject of the wanton and willful murder of your fellow human beings.
Genocide is not a matter of scale, it is a matter of intent.
The definition fits: the people of Palestine are being genocided. The Nazis took years to murder 6 million Jews and other classes of humans they deemed undesirable - should we just wait until Israel catches up in terms of scale of magnitude, or should we stop trying to justify their actions and do everything we can to make sure the scale of the atrocity does not continue to sky-rocket, as it has done for the past 15 months…?
It is because genocide is a matter of intent that people in debates will disagree. Just take a look at the war on terror. Was the intent to grab oil, revenge, fund the military complex, or was it to liberate people? It's been over 20 years and people are still debating the intent of all those wars that occurred after 9/11. Intent is really hard to prove, and that is even if we have proof of policies that defined every killed male over the age of 15 as a terrorist regardless of situation.
We could just define all wars as genocide and be done with it. The definition does fit, with all wars ending up behaving as if the intent was the destruction of a people. If the genocide definition helps to reduce the scale of the atrocity being done then I am also for using it in any war which has that effect. However, if it is just used as a media tool in order to define which side is good or bad then I'm unconvinced it will help to reduce atrocities.
> Just take a look at the war on terror.
The war on terror is a criminal farce, with the purpose of fleecing the Western states of, literally, trillions and trillions of dollars. It has not successfully defeated terrorism - in fact, the architects of the war on terror have only produced more terror, in more places around the world, than ever before.
It is important to define and use the word genocide when it happens because we have international institutions that were built - because of the genocide of the Jewish people in fact - explicitly to prevent the world from experiencing yet another holocaust.
But as we can see, we in the West would rather argue semantics and play tribal politics than hold our own war criminals to account for their heinous crimes.
> Intent is really hard to prove
In the case of the genocide currently happening in Gaza, alas, intent has been very, very easy to prove.
Did you actually read what I wrote? I completely agree that genocide is a matter of intent. That is why my comment was about intent, not about scale. In fact I specifically said Israel is killing too many non-combatants, indicating the scale is bad and if scale is what mattered I probably would call it genocide. But as you say, it is not about scale. That is why I made the point that the non-combatant casualties would almost certainly significantly decrease if one side of this conflict was not aggressively using humans as shields – that to me speaks to the intent of Israel/IDF.
The people ultimately to blame for the high civilian casualties are the people who 1. started the war and 2. insist on staging that war entirely in civilian areas. That is Hamas on both counts. I am certain that if tomorrow Hamas said "hey, let's have a pitched battle in the style of Middle Ages Europe, where we go to a field and send all our fighters against all your fighters and the victor is the one left standing", the IDF would be happy to oblige.
But Hamas will not do that, because they want the destruction of Palestinian peoples more than Israel does. After all, it helps their cause much more than it does the cause of Israel (and they clearly can't actually win the war without the human shields).
> the IDF would be happy to oblige
Do you speak for the IDF? How is it then that you can also represent Hamas?
> insist on staging that war entirely in civilian areas.
Gaza is an open-air concentration camp which has suffered under Israeli military control for decades. Where else are they going to fight - specially constructed stadiums built for the purpose? Outside, in the no-man's land between Gaza and Israel? 2.1 million human beings have been uprooted from their homes and herded into a 360 km² area by their oppressors - should they escape the military barriers that surround them and bring the fight elsewhere?
> But Hamas will not do that, because they want the destruction of Palestinian peoples more than Israel does.
This position is duplicitous and preposterous. The Palestinian people want to be free from the oppression they have suffered for decades. Israel, a powerful nation, had many, many chances to make peace happen in Gaza - it didn’t happen because Israeli society is fundamentalist, militaristic and racist, and I challenge you to prove otherwise.
> Gaza is an open-air concentration camp
Really? How many concentration camps have car dealers in them?
e.g. Kia Motors Gaza https://g.co/kgs/pVeLh8E
Maybe you should rethink your rhetoric.
Maybe you should re-think what it takes to violate human rights at massive scale while fooling the rest of the world into believing it's not happening…
You keep conflating Hamas with Palestinians. It seems deliberate. I for one do not think they are the same thing, but if you do I'm not sure this conversation can go anywhere. I am also unsure why you think you should be able to speak to the motives of Hamas and Israel (and therefore assert the intent is genocide) while I cannot.
As a side note, you argue like you are on Reddit. It might be helpful to review the site guidelines[1] about discussion on Hacker News.
[1] https://news.ycombinator.com/newsguidelines.html
I don’t conflate Hamas with Palestinians at all, in fact I believe that it is those justifying the wanton murder of the Palestinian population by an oppressive military force who are doing exactly that.
But we know full well that duplicity has been weaponized in this conflict.
As for your ‘tone policing’, I’m not sure I can take your advice to heart given the position you take, of justifying the inhumane treatment of the Palestinian people. Provide evidence that this statement is true and then perhaps we can discuss your desire to manipulate my position to fit your rhetoric:
“But Hamas will not do that, because they want the destruction of Palestinian peoples more than Israel does.”
The only ones destroying the Palestinian people are the IDF.
How many non-combatants have died due to being killed deliberately, and how many have died due to being collateral damage in a warzone?
I believe the distinction and ratio between the two things is very important when trying to determine the intent of Israel (as outside observers) and whether or not they are perpetrating genocide.
I appreciate the attempt to frame the discussion in more reasonable terms.
However, I'm afraid you drained my batteries with the unwise decision to employ the plainly untenable "It's either gas chambers or it's no big deal, really" technique. Which by itself (through the use of such trivializing language) carries an air of callous disregard for the plight of those suffering from the situation we were attempting to talk about.
What was editorialized? I checked the page and the title is the same.