You cannot have it both ways, if you're going to sell the software to awful regimes who target people like journalists, you're responsible for the outcomes. The fact they found it was used on Khashoggi family phones would seemingly implicate them in the murder of a journalist. Did they kill him? Probably not. But if their software is being used by governments who did kill him, then they contributed.
I hope they get criminally held responsible for assisting in the murder of Khashoggi if they are found guilty and we need laws and norms to catch up to a place where this kind of business is more restricted/limited.
It's going to be hard to keep software out of the wrong hands. Perhaps it would be better to ensure everyone is using secure/encrypted/private communication and services.
The general population may need to organize this, despite selfish corporations and the politicians they fund.
If your entire business model is to sell covert intrusive software to powerful entities, then the argument is irrelevant.
Isn't NSO's whole shtick their software can get into and read everything from even the latest iPhones (and probably Androids, I've only seen it stated for iOS though)? What good is a secure/encrypted service when the device you access it from is hacked and sends everything to the hacker?
We shouldn't enable companies to sell cyber weapons to regimes who use them against innocent people. You can debate where that line is all you want, using it to murder journalists in other countries who are critical of your regime is across that line wherever you may draw it.
We also should encourage better privacy and security to protect everyone's communications and data.
We could split the difference and just assign liability for the ones done by serial murderers and people who show up asking for knives that are good for murdering. Knowing that your product is going to be used for some purpose and providing it anyway makes you an accomplice.
1. This quote is frequently taken out of context to mean something very different from its original intent.
2. More importantly, we give up a little "Liberty" for a little "Safety" all the time, it's basically a primary purpose for any government. I mean, should I be able to cruise down the highway at 120 MPH as I'm snorting a line of coke? Liberty-vs-safety tradeoffs are nearly all the tough calls in government.
That being said, I don't think most would consider driving 120 mph while snorting coke an essential liberty. The OP makes a much more reasonable point which you refuse to address.
Your example is not one of "liberty", at most can be one of "licence", and surely not of "essential liberty".
Inequitable societies will prioritize the safety & liberty of some groups above others. People also have different ideas on where the balance should be (well, excluding anarchists) but that is merely a matter of degree, not kind.
Of course that oversimplifies things, but this overused & out-of-context quote ignores that fundamental fact of any minimally organized group of people.
I agree with what you say about these decisions being made as a society, and there being disagreements.
I would like to point out that you may misunderstand anarchists. Anarchists understand disagreement over such trade-offs better than most, and work harder than most for compromise and consensus. Anarchists are fine with large political structures and rules, as long as they are not forced upon anyone. Anarchists prioritize not forcing anything on others [0].
An anarchist might refer to what they have been doing in Switzerland for the last 150 years as a great example of bottom-up direct democracy in action [1], which is basically what political anarchy is. Currently a country of 8.5 million people, Switzerland is split into 26 cantons (they divide into more when needed). Each canton has its own constitution and parliament (averaging ~330k people each). Cantons are divided into municipalities (some large, like Zurich, and some small, with only 2-3k people). A big part of their political culture and the structure of their government is that what can be done locally is done locally, and the people are in charge. People can petition for a vote to not only create new laws and amendments, but to have laws they don't like removed.
Many of the problems in the U.S. are due to the fact that the federal government was never meant to be as involved in our lives as it is (10th amendment, powers default to the states) and was not designed to be responsive to the people (technically states vote for president, not people). So now there are 330 million of us arguing about more and more stuff. Even worse we allow rich people and corporations to fund politicians (which is illegal in most civilized countries), to the detriment of most people. The U.S. needs less plutocracy (rule by the rich) and more democracy (rule by the people).
Sorry, this has been on my mind lately. I just learned about how much anarchists are into democracy, and about Switzerland's democracy.
[0] https://en.wikipedia.org/wiki/Anarchists (refer to first sentence)
[1] https://wolf-linder.ch/wp-content/uploads/2010/11/Swiss-poli... (page 4 shows how powers are divided)
The solution is to keep shining light and putting pressure on technology makers to improve security, end-to-end encryption, and keeping the power in the hands of individual users. The pressure piece is critical since the natural business incentives to centralize and collect more data make us more vulnerable to centralized surveillance and compromise.
NSO are selling weapons to authoritarian governments who use those weapons to identify and either jail or murder people they don't like. That's bad. End of story.
For example, a company that didn't use Kubernetes [0] had their blog knocked down and the HN crowd was jubilant over the matter to recommend them to use K8s for a blog. It's not even their main service offering.
Then 48 hours later [1], major parts of the internet using Akamai went down and the company that previously was 'the joke' was still up. All I suggested was for Akamai to use K8s as well. [2]
I turned the joke on them and got downvoted due to the irony of the situation. Look at the comments in [0] and [1] and you can see the strength of [2] humiliating their short-lived victory parade.
[0] https://news.ycombinator.com/item?id=27893482
NSO: "We checked, you're clean"
The Public: "I plan to speak publicly about this violation of my privacy"
Local DA: "An investigation revealed some suspicious activity in your secretly subpoenaed browser history... 6 years ago..."
The Public: "Investigation? I didn't do anything wrong! Is this because I want to voice my objection to the current privacy laws?! This sounds an awful lot like parallel construction"
Local DA: "We are not at liberty to disclose the nature of the information we have on you as it contains information involving other active cases. You are under arrest."
If it's not an intentional backdoor, do they just have vastly superior technical ability? How did they hire such a talented pool of people, able to consistently find remotely exploitable 0days in every major smartphone brand? This group isn't new, they've been around for over a decade doing this. I doubt they've monetized a single exploit for 10 years. They're adapting.
If I had to bet, I'd bet on the former, but I'm curious what everyone else thinks. It just seems unreasonable to me that there exists such a talented pool of exploiters, all aggregated in the same place, able to consistently find 0days that nobody else seems to be able to find.
It becomes harder to go back and correct the initial triage. At the same time, some people in the company might be connected to their governments and help that bug stay in the grey zone probably not for the NSO group but maybe for the NSA. (Of course this only applies if the exploit is one the government identified and decided to use offensively and doesn't think is being used in the wild.)
Now when you are examining images as a company updates them, you are reviewing what's notable in the fixes at the very least to know how to attack older OSes. You might happen to have the perspective that understands how the triage was wrong. With enough bugs like this it is inevitable that sometimes you will if you can afford to analyze every fix.
2) government has and will always use whatever tools exist, trust Pegasus is 1 out of many...
3) from a realistic standpoint it is up to 'Apple' if anyone to fix this issue from a technical standpoint, there will always be security holes and tools to take advantage of them. Shaming the toolmaker does little.
4) the real solution is the people have to control the government, only in those scenarios can you put 'ethical' constraints on this kinda thing... Those who are in countries where the people don't control the government really have no recourse
And there'll always be ways and weapons to rob banks and kill the clerks,
so selling weapons to bank robbers is fine then, as per that logic
> Those who are in countries where the people don't control the government really have no recourse
They can arrange protests and other things and try to long term change the country to a democracy. And that gets harder and more dangerous, when NSO and others help the dictators track down dissidents.
-Eric Schmidt
‘If You’re Not a Criminal, Don’t Be Afraid’– NSO CEO says - https://news.ycombinator.com/item?id=27920055 - July 2021 (48 comments)
Submitters: "Please submit the original source. If a post reports on something found on another site, submit the latter."
So is he saying that journalists are the Bin Ladens of the world?
France, for example, has officially done a lot more to prop up Saudi Arabia and its cruelty than NSO ever has or will.
The hypocrisy is astounding.
Especially true in nations where the legal system is captured by special interests and routinely weaponised to suppress dissent, coerce minorities, and perpetuate disparities. Which is to say, of course, every nation.
Ergo, you (we) should all be afraid.
Because that's entirely possible.
There is no such thing as a NOBUS (NObody But US) exploit. Someone else will find it - either your network will get hacked and someone will use the exploit. This is how WannaCry happened. A bunch of NSA-NOBUS exploits got leaked and sold off to people who built a ransomware tool with them. How the leak happens doesn't matter, what matters is the fact that the leak will happen. The only ethical thing to do is to disclose so that the exploit can get fixed.
Though what if the laws are unreasonable? Which quite a few are in dictatorships.
-- Cardinal Richelieu