This script also pushed ads for a fake AdBlock app that was a dropper for banking trojan apps.
Amazon refused to do anything about it.
More info:
https://forum.xda-developers.com/t/massive-mobile-advertisin...
At a minimum we should demand transparency and accountability from all of these scale-enabling organizations.
In the olden days of the internet, ISPs that ignored abuse complaints would be blocked by their peers. Now that Gmail and AWS are too big to block, they act with impunity.
Does anyone here know what an individual reporter should do? Is there an escalation ramp that exists but was so poorly marked that neither sloshnmosh nor Amazon support was able to find it? Does the ramp go through other organizations (e.g. report to CERT or some other org first and come back with a case ID)? Does the ramp not exist and need to be built?
Those two things are actually the same thing; both are wilfully ignoring situations like this.
No response is a response, and in this kind of situation it is an explicit "I will not do anything and I'm dishonest enough to not acknowledge that."
Actually "refused" to do anything about it, or didn't respond to you?
I call it a “constructive refusal”.
Wonder if they are even helping to hack US government employees through China, etc. (besides just helping to torture dissidents).
If you look at the list of customers, it quickly becomes clear that they are the same organizations that make the laws.
More importantly, they are the ones that decide what laws are enforced.
What is sad is that in America, the law around surveillance and security is largely a nice marketing campaign. Sure, you have rights that protect you from the government.
But practically speaking the government won't enforce them, doesn't stop its employees from abusing them even for personal drama, undermines or stops dead any lawsuits by saying the discovery is impossible due to "national security", or will invent terms like "enemy combatant" and then apply them to its own citizens to bypass even the constitution. It will set up "oversight courts" that rubber-stamp everything and have no real power or regulatory function/safeguard.
The result of this is that each presidential election is becoming truly dangerous to the opposition. If a McCarthyism movement takes over either party that's in power with the modern surveillance infrastructure, legal "precedents" established by Bush in the war on terror, the confirmation of those powers by the Obama administration holding onto them and continuing funding of infrastructure, undermining of judicial powers, rote acceptance by the people at large, and propaganda outlets available to push messaging, and huge amounts of institutional mores and standards thrown out in the Trump administration, the opposition has real motivation to feel an existential threat.
Israel's unicameral, sovereign, supreme state body, the Knesset [1]?
"NSO does not operate its technology, does not collect, nor possesses, nor has any access to any kind of data of its customers."
If this is true, how do we have a singular list of all phone numbers penetrated? If there was this type of "segmentation" or firewall between NSO and its clients, why was there this huge central data leak?
NSO is tracking what its clients are doing. It may not be telling its clients it is also tracking them. I wouldn't be surprised if NSO could also access every one of those penetrated devices as well independently of its clients.
And that's totally bullshit.
Quoted at https://blog.codinghorror.com/your-favorite-programming-quot...
Something isn't adding up.
NSO seems to be trying to distance themselves from how its software is used by its "clients," but that seems undercut by the plausible supposition that NSO knows exactly who its clients' targets are.
> The Amnesty report said NSO is also using services from other companies such as Digital Ocean, OVH, and Linode ...
We've been using Digital Ocean for a few years now (sqlitebrowser.org), and they've been really good. Hopefully they look into this and take some useful action. :)
Want to run a service with few problems? Here are the 6 companies you better run it through otherwise you can’t guarantee anything.
Everyone at my company loves your tool. Please keep up the great work!
As lokedhs alluded, it clearly breaks established typographic rules.
Also, wasn't that a bit of a fad back in the late 90s early 00s? I know my wee business followed the path of concatenating words for brand ...something... , but I honestly couldn't care less how other people deploy it in their own space, as long as they remember the name.
Ironically, I'm the same way with "PostgreSQL". There used to be _so_ many weird misspellings of it, e.g. "postGreSQL" seemed to be popular for some unknown reason.
Some languages tend to be more strict about this. I think it's particularly common to see English play fast and loose with the language compared to other languages.
In Sweden, for example, you will see media write Iphone, because it's a name, and names are capitalised.
The same goes for Digital Ocean, or Digitalocean if you prefer. It can definitely be argued fairly that the writer does not have to break language conventions just because a company says they have to.
If someone were to use it against US government entities, maybe the NSA/CIA/etc might decide enough is enough, no matter what country they are in. So far at least publicly it seems like a non-event. But once the phone numbers are identified from that leaked list, things might become more serious for NSO.
People used to fight real wars against adversaries who targeted their country in some way, why should commercial entities supporting such attacks not be treated the same, except via non military action? Spying has always been done, but it can lead to serious consequences.
That's not why Apple is skittish about this. Any action from them would invite the question "What about China?". And Apple loves China('s money).
What are they supposed to do?
Also, they could increase the payout for their bug bounty. Why report to Apple for a 0-day when you can make $1 million from these guys? It's not like Apple doesn't have the cash.
I guess the customer is always right up until the point the widow of your murdered employee goes to the press.
Bezos' phone probably wasn't hacked.
https://www.bloomberg.com/news/features/2021-05-05/how-jeff-...
[1] https://www.pbs.org/wgbh/frontline/article/how-nso-group-peg...
> De Becker then commissioned an examination of Bezos’s iPhone X. The eventual report by Anthony Ferrante, a longtime colleague of de Becker’s and the former director for cyber incident response for the U.S. National Security Council, concluded that the promotional video about broadband prices that MBS had sent Bezos the previous year likely contained a copy of Pegasus, a piece of nearly invisible malware created by an Israeli company called NSO Group. Once the program was activated, Ferrante found, the volume of data leaving Bezos’s smartphone increased by about 3,000 percent.
Key word in that sentence: "likely." AFAIK, nothing has been proven beyond rumor and conjecture, which isn't proof of anything at all.
Did they find the Pegasus or related code on the phone, or not? That is a yes or no answer. Likely?
You can't really spin them up with any significant quota on short notice (ask me how I know, AWS service team) so having established ones with workable limits in advance across multiple cloud providers would be table stakes for any competent spying organization.
I've no problem with AWS or anyone playing whack-a-mole and giving them the run around in the meantime ...
It kinda describes how NGO operated, and it's a great infographic!
Who is spying on “CEOs, politicians, religious leaders, union bosses”? And once these people are compromised, what are they being asked to do?
The problem with this model is that NSO are, as with heat shields, replaceable. A new target will appear to take its place.
But that too will draw attention, it will have to assemble talent (leadership, engineering, sales, operations), and will itself have vulnerabilities. As I suggested in a thread yesterday, playing in the field of dirty ops raises prospects for piercing the corporate shield of liability for all those involved: the firm, its personnel, investors, creditors, suppliers, and where identifiable, clients.
NSO is used to keep those with money and access to NSO in power and to undermine their legitimate rivals. It can be used to plant evidence on their devices as well as monitor everything they do.
If so, I'm not sure I buy what you seem to be arguing, that "NSO case in India" and "It can be used to plant evidence" makes it anywhere near as bad as what the NSA has done/does. In my opinion this is exactly how a "poor-man's NSA" would look: What your money can buy from greedy corporations protected by nasty governments.
>legitimate opposition
Who decides what is legitimate though? It sounds like weasel words to me, just like "terrorists" (who get defined by those in power and then maybe later become revolutionaries and heroes if they actually win). Going after Snowden, torture in Guantanamo, and using three-letter agencies for industrial espionage is also "legitimate".
No, definitely not.
When Facebook or Google blocks extremist propaganda, it’s a big thing. What jurisdiction’s laws were broken by this company?
Only if someone was one of the many people who don't understand what Free Speech is or incorrectly think of rights only in terms of themselves and people they like, not for those who they don't. In this case, Amazon is exercising their own Free Speech rights. Free speech necessarily (and as a matter of law) means the freedom to not speak and to not associate with other people. If I want to lend my support to a specific candidate with a sign in my field, I necessarily must have the right to refuse signs by everyone else. If the government puts a gun to my head and forces me to let every single candidate put a sign in my field, then the effect is no special endorsement for anyone and a flagrant violation of my free speech rights.
Someone denying another person the use of their own private property because of disapproval over their behavior doesn't generally mean any free speech issues, quite the contrary. As always there are certainly very rare edge cases, but none of them apply to a situation like this. Amazon refusing business to someone due to their race or gender or the like would be a problem, but "spies working with authoritarians" is not a Protected Class.
>What jurisdiction’s laws were broken by this company?
Why would that matter? Amazon isn't the government. They aren't threatening with force/arresting/jailing/killing the NSO Group, just refusing to continue their business relationship. So they aren't restricted to caring about only illegal behavior. In fact, a core part of the whole point of free speech is to move consequences into the realms of social and economic, rather than force, not to eliminate all consequences entirely. There are a few limited legal instances they can't discriminate over. Otherwise they can deal with whomever the hell they want.
As pointed out elsewhere, this is a business relationship.
In any case, the grave human rights violations that are the result of the use of Pegasus - including loss of life and liberty - weigh much more than an abstract notion of a corporation's freedom to act and impose their will on other corporations.
NSO group seems to be a not-so-nice company. But why does what they do justify blackballing, while similar companies (say BlueCoat or any of a dozen companies that provide solutions to hack on behalf of the police) are ok?
Corporations aren't humans; they don't have free speech rights.
That's besides the point. And BTW yes, distributing data can constitute speech.
Free speech has nothing to do with providing services to antidemocratic entities.
Is "seems like" enough of a reason now for private companies to choose not to contract with other private companies? Or should we go to a judge and jury in both cases?
At least, that's what I heard during the debates about deplatforming Parler. It was apparently very bad for private companies to decide that a customer was engaging in distasteful but legal actions. What is the principled argument that it was not okay for AWS to take down Parler but it's okay for AWS to take down NSO?