Synopsis is that the UAE hires ex-NSA employees as "penetration testers" and, when they enter the country for cybersecurity work, some are pulled aside to be briefed on an opportunity called "Project Raven" to assist Emirati intelligence with targeting, allegedly in the interest of counter-terrorism. The thing is, only Emiratis have "hands on keyboard" while the US engineers sit beside them and guide them, which supposedly dodges any legal concerns. Those whom Jack interviewed decided to leave Project Raven when it became clear they were targeting dissidents, human rights activists, and later, Americans. As you might imagine, ex-NSA employees who target US citizens for a foreign government are breaking the law. I do wonder if it's these ex-Project Raven engineers that have led prosecutors down the road to where we are now.
From a purely pragmatic perspective of a UAE royal family member worried about domestic dissent, I can see why they would do that, not that I agree with it in the slightest.
Why not both?
Running an intelligence service is a lot more than hacking a random phone once in a while. They buy lots of products from lots of vendors, develop some things in house, and hire a lot of talent from overseas.
Initially the work sounded interesting and good: find and observe terrorists.
And Jack's sophomoric exaggeration of the otherwise banal often echoes of chicken little.
If anything it highlights a need for better podcasts in this domain.
People telling it to children are trying to silence their kids. They’re not focused on improving transparency, or on systemic outcomes, they just want to regulate individuals. So they are in fact the selfsame bad authorities.
The target of blame in the story is not the chicken.
I find it pretty hard to believe any judge would buy this.
If your company offers some service (consulting to set up their infrastructure, or helping them navigate AWS) necessary to the running of the company, and that company goes on to commit a crime, are you at fault? They couldn't have done it without you, after all.
It's one thing to teach general skills and another to help do the actual hacking.
If they are being guided through the actual hacking, then that's like saying that only the driver in pair programming is producing code.
Is a professor at MIT teaching cyber security exploit development guilty of the same crime?
What about a consultant teaching how to use a particular tool or how to look for a particular family of exploits? (Potentially legally dodgy, depending on the client, but probably ok in a lot of grey areas)
What about a consultant who performs a passive audit of a target for a third party? (Starting to get pretty dodgy, but probably depends both on the third party and the target and the nature of the audit.)
It's... probably not so cut-and-dry. Though I agree that it doesn't sound like a get-out-of-jail-free card.
Looking thru the feed, 8/10 of the recent casts I've listened to are only about 1/4 the way thru before I had to go into work, answer a call, etc. Then it's too hard to get back into, and two more eps have been released by the time I get another itch for DD.
Of course, real life is complicated and isn't a movie with a plot, and DD's format rewards knowledge and listening. More of a "doing dishes" podcast. Highly recommend!
Snowden just denounced ExpressVPN because of their CIO involvement in this
+1 for anyone who hasn’t listened to him. Defo worth your time
They get no jail time? They get to buy their way out?!
> “Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct.”
I know they lose their clearances and pay a bunch of money, but this seems like it merits a lot more punishment than that.
> Treason against the United States, shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort.
They didn't levy war against the US, or adhere to an enemy (because the UAE isn't one).
But in general, it's not illegal for US citizens to join foreign armies (if they aren't enemies). Lots of Jewish citizens, for example, serve in the IDF.
"According to the U.S. code, any citizen who "enlists or enters himself, or hires or retains another to enlist or enter himself, or to go beyond the jurisdiction of the United States with intent to be enlisted or entered in the service of any foreign prince, state, colony, district, or people as a soldier or as a marine or seaman … shall be fined under this title or imprisoned not more than three years, or both." But a court ruling from 1896 involving U.S. citizens who fought with Cuban revolutionaries against Spanish colonial rule interpreted this to mean that it was only illegal for citizens to be recruited for a foreign army in the United States, not to simply fight in one."
https://foreignpolicy.com/2011/09/02/is-it-legal-for-america...
How many is "Lots"?
Apparently the US doesn't keep records of this phenomenon that are easily accessible.
This article^ from 2017 says 1,000 Jewish Americans serve in the IDF.
Of the ~7,000,000 Jewish Americans, that's ~0.0143% of Jewish Americans serving in the IDF.
If 1,000 joined and served each year, and live to an average age of 70, doesn't that mean ~50,000 people? That would mean ~0.714% of Jewish Americans having served in the IDF.
^ https://www.thedailybeast.com/1000-americans-are-serving-in-...
Approximate number. 7.153-7.5 million are good estimates.
Specifically, they were charged with:
Violations of U.S. export control, computer fraud and access device fraud laws. The Department filed the DPA today, along with a criminal information alleging that the defendants conspired to violate such laws.
I think they are losers, scumbags and unethical and I hope that no one who reads HN ever hires them and that they never work in any capacity that comes into contact with IT, Infosec or any other hi-tech industry.
https://en.wikipedia.org/wiki/United_Arab_Emirates%E2%80%93U...
Mudge sells Cobalt Strike out in the open.
The only difference is these guys didn’t set up a company first.
The US has a similar process, where companies that sell weapons to foreign governments need to get permission from the US DOD. In this case Marc, Ryan and Daniel did not go through the DOD and that is why they are being charged.
I wonder if Mudge has a license.
[1]: https://www.cnet.com/tech/services-and-software/expressvpn-c...
[2]: https://www.techradar.com/news/expressvpn-to-join-kape-in-la...
I don't trust my ISP much at all, but I still trust them more than almost any VPN provider.
Edit: Sorry. Not Switzerland. Sweden. For some reason thought Switzerland.
I would not trust VPNs for any kind of serious privacy, at least not the popular ones. Maybe some small niche VPNs can fly under the radar.
That's like saying: "you really really need to trust a Bitcoin miner"
I'd hope the VPN service is built and operated in a way that doesn't require trust, but provides the same level of security.
edit: Since there is confusion in the responses. I'd prefer to trust no-one.
- That billion more than covers. Given the circumstances, the settlement is a bit paltry.
No. They've always been there, they've always acted this way. It's not a problem because of an increasing lack of patriotism, or a divided populace; it's just power and greed and people that see themselves as not beholden to any one state. Thinking it's something it's not will just lead to proposed solutions that don't actually do much to affect the problem. Any solution needs to be internalized and divorced from the idea that this is a recent problem that we can stop caring about once we "solve" it.
> The Nixon shock was a series of economic measures undertaken by United States President Richard Nixon in 1971, in response to increasing inflation, the most significant of which were wage and price freezes, surcharges on imports, and the unilateral cancellation of the direct international convertibility of the United States dollar to gold.
Nixon shock - https://en.wikipedia.org/wiki/Nixon_shock
Nixon and the End of the Bretton Woods System, 1971–1973 - https://history.state.gov/milestones/1969-1976/nixon-shock
It's really saddening to see that the main objective of people is to own a Lamborghini, a mansion and live with some hoes, just like that "YouTuber guy".
Glad they included 3000 BC short-term interest rates in the graph.
What's unusual is that in the past few centuries, the rest of us have been explicitly conditioned to act in national interests.
The idea is that less severe crimes can be handled without the full overhead and without excessive punishment. In practice, this can be 'a bit' controversial, e.g. when Bernie Ecclestone resolved his corruption charges this way by paying 100 million EUR. https://en.wikipedia.org/wiki/Bernie_Ecclestone#Bribery_accu...
I don't know enough to comment on if this is something that happens often (it certainly doesn't feel appropriate) in cases like this.
If the above was documented, I don't think "I didn't know" would have worked in court. Also, even if they fought the ITAR charges, they were accused of CFAA charges.
I used to build sensing systems, where I'd include an off-the-shelf infra-red camera.
Couldn't sell the combined system abroad because the IR was ITAR restricted.
Soldiers who spent years in the exploit-finding units of 8200 (Israeli NSA) can work for NSO and stay in Israel. But they can also leave the country and work for foreign entities, sometimes without even knowing who their employer is.
One famous case was "Dark Matter", a UAE company that set up offices in Cyprus and offered 8200 soldiers seven-figure (USD) yearly salaries to relocate and work for them, outside of the Israeli government oversight which NSO needs to adhere to.
https://www.bloomsbury.com/us/this-is-how-they-tell-me-the-w...
[0] https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
I was discussing this case with a former DOJ attorney and he was saying that it's hard to know what exactly went into the calculation for penalties. Apparently cooperation with DOJ on future investigations can play a big role so idk what to think.
U.S. Company Two provides a mobile operating system. Hmmm, now who could that be?
But the article says,
> In August 2017, U.S. Company Two updated the operating system for its smartphones and other mobile devices, limiting KARMA 2’s functionality.
I didn't find any meaningful security updates by Apple in August 2017: https://support.apple.com/en-us/HT201222 The only one listed on that page was about using HTTP to send analytics data, which I don't think is the one that disabled KARMA 2.
Then I looked at Google. There are multiple RCE vulns with severity Critical during these two months: https://source.android.com/security/bulletin/2016-09-01 and https://source.android.com/security/bulletin/2017-08-01
Here's KARMA: https://citizenlab.ca/2016/08/million-dollar-dissident-iphon...
Looking at CVEs, my guess for KARMA 2 is CVE-2017-8248, patched in 10.3.3. Bit of a stretch, though. Looks like whatever was patched was never really publicized.
The iOS exploits sound scary. Some of them are even zero click.
> The bureau’s dedication to justice is commendable... the most significant catalyst to bringing this issue to light was investigative journalism - the timely, technical information reported created the awareness and momentum to ensure justice
A lot of moral superiority there when based on how Stroud has talked about her own work with Project Raven [1], she was perfectly happy to help the UAE kidnap, torture, and disappear dissidents (including children), human rights activists, and journalists.
[1] https://www.reuters.com/investigates/special-report/usa-spyi...
https://sofrep.com/news/exclusive-interview-with-an-american...
https://spotterup.com/episode-44-dale-comstock-former-army-s...
Outraged when these countries are hacking individuals? Then also be outraged when you sell them F-35s.
Who had security patches released in September 2016 and August 2017?