The Spanish PM and the defence minister were infected by Pegasus (in Spanish) (eldiario.es)
197 points by doetoe on May 2, 2022 | 102 comments


Most of the conversation around Pegasus has rightly focused around how shocking and casual the widespread sale and use of this malware is.

But, I wonder if there's another story here: nearly all world leaders have a target-able device with cameras, microphones, GPS, and personal and professional conversations (and therefore contact lists) which they carry with them 24/7. At what point does the risk outweigh the convenience? I'm not sure what the solution is, but I wish that smartphones were not seen as a default necessity for everybody. Risks such as Pegasus are introduced, and it seems hard to go back to how things were.


> I'm not sure what the solution is, but I wish that smartphones were not seen as a default necessity for everybody.

They are not. But that mythology, that they are, is central to the problem. I just posted on almost exactly this point in another thread [1] that I'll paste here;

> (From OP[1]) Ultimately, if the technology is not serving you, you have the choice to not use it.

This is worthy of a book or PhD research project in itself. The person who states this in terms that resonate with me is Vint Cerf. I will quote a little but also paraphrase him in my own way by saying;

   "At one time if you didn’t have a horse it was hard to make a
   living. But the important right in that case was the right to make
   a living, not the right to a horse. Today, if I were granted a
   right to have a horse, I’m not sure where I would put
   it. Technology is an enabler of rights, not a right itself" [2]

As I see it, if we are to respect the more fundamental human rights of "life, liberty and security of person" then the greater human right may be NOT to be connected to the internet. It is freedom from technologies at least insofar as we are free to manage our own affairs and engagement.

Other than the European "Right to be forgotten" and legislation protecting us from surveillance and tracking, I'm not aware of any popular formulations of this general principle other than Vint Cerf's.

Right now I think people are being forced to stable horses in their backyards, at the behest of landowners, and under the false premise that you need one for work.

[1] https://news.ycombinator.com/item?id=31216377


At one very short time, in only a few places was a horse needed. Most of the world used oxen or buffalo (not bison) for farm tasks, not horses. In the American west a horse was needed to pull a plow because a horse moves just enough faster that a steel plow works. If you didn't need that speed a horse was not useful.

Horses were also useful for knights, but not most people in Europe. Herders in Mongolia and other plains areas made good use of horses as well. None of this translated to more than a small part of the world though. We have a romantic view of the cowboy, and just before the mass migration from farms to the city happened horses started taking over so we think of them as the backbone of the farm, but they generally were not.


you completely miss the point that for many, horses were for daily transportation.. to and from work, the store, school, supply houses, meeting halls, civic participation.. all kinds of things


No they were not. Too expensive. Farmers used them because they had them for the plow anyway, and the rich used them. As did a few travelers, but most people walked.

For long distances the human on foot beats the horse. A horse is useful either if you have a lot to haul, or you have a system of trading so you can always have a fresh horse to ride.


Guys, sorry to rein in the discussion before anyone else jumps on the wagon but no need to get saddled with trotting out a full equestrian history.

It's just a metaphor, right? Forget about the horses already. :)

(Sorry for the tacky puns, I can't keep this up furlong...I'm knackered)


this is interesting and there are many times and corners of the world.. so right, agree.. but I meant to include all things horse-drawn.. carts and buggies and all.. but sure, lots of people did not have access to a horse-something often times


Yea, in my opinion that's also the actual problem here. World leaders using run of the mill iPhones poses a real security risk. They should be using some hardened ultra secure device or other communication methods.


That kind of goes to the wrong end of the solution for me: Run-of-the-mill phones should be hardened, ultra-secure devices. We all have a right to privacy and security.


Functionality and Security are inversely proportional to each other. If you introduce a "Play Store" in a phone, the security risk automatically increases a billion times. In an ideal world, there would be some special devices which have a very limited set of functionalities inbuilt like calls, messages etc. which are used by world leaders to communicate.


Wouldn’t that leader still end up with a personal phone that isn’t that secured? Or at the other end of the spectrum have a work device that is so special that it’s extremely identifiable and targetable?

What we have now for work devices with manageable profiles seems to me to be a good balance that should be possible to harden enough for extreme cases as well.


Nah not really. Having a top-end iPhone or Samsung be a hardened device by default would mean world leaders would be protected on their personal devices. Also, most anyone who talks to a world leader would get that same protection.

On the other hand "run of the mill" phones that you can hand to a teenager (or use as a backup phone) don't need ultra-security and the cost that comes with it.

Really low end devices would probably be secure by simple virtue of not having enough features to enable hacking.


The problem is, even basic functionality apps such as SMS/MMS have been used to exploit phones numerous times, and it's likely that the baseband chipsets (which are in many cases directly connected to the SoC and its memory or at least have a direct connection to the microphone and speaker) are another attack vector that can be remotely targeted.


Isn‘t that just a good old Nokia? :)


Those aren't automatically more secure. Their modems and baseband processors running closed sourced firmware are the main entry points.

Ideally, you'd want to build your own phone where you control the supply chain from hardware to software running on it. I do believe the US president has a custom NSA hardened phone.


Thanks for the explanation :)


When was the last time it had its software updated? 2006?


Yes sure, but the requirements for normal consumers are much lower than for any high profile individual. It all comes down to cost vs. need. Think of the security of the average home user's wifi network vs. the networks of a small company. The latter will have to be more hardened and also spend the money for that.


I think (/would hope) the hardening there would be more in procedures and app installation. The base/OS layer should be secure from intrusion for heads of state or for everyday people, help people make good privacy decisions (with granular permissions), etc.


We should all drive bulletproof cars.


We do all drive cars that meet a mountain of hard standards.

Our phones are still pre-seatbelts, pre-crush zones, pre-lead-free gas, pre-standardized controls and signal lights, etc.

Our phones only meet electrical and rf safety standards. When one phone model one time had a bad battery, it was a big deal. But if someone steals your retirement, oh well.


Thing is, these "specially hardened" devices are... a pain at best.

Nearly all VIPs insist on at least having their private phone as well, if not simply refusing to carry / use the issued devices.


But unless you are a major tech power, getting a trusted hardened device that is more secure than a locked down iPhone is hard.


Even worse, the devices aren’t necessarily as secure as an iPhone!


Kind of too bad we lost Blackberry - they seemed to be focusing on this sort of thing.

Maybe this is something a large country could develop internally themselves? Create their own fork of Android, private app store, etc etc?


Here is a crazy idea: maybe the security services like the NSA, GCHQ, etc, should be out there fixing vulnerabilities in common, critical software, rather than hoarding exploits. They're better termed insecurity agencies today, imo. So much waste of talent and resources making the situation worse.

Not to mention the fact we really ought to make selling and buying of that hardware a crime in as many places as possible.


It is crazy. You’re asking intelligence agencies to not conduct surveillance. You’re asking military not to develop weapons. Never gonna happen :(


yea

"fighting for peace is like fucking for virginity"

then again ...


I look back with nostalgia when Obama was using Blackberry (with some extra security). I just wonder what should world leaders use today…


probably a pinephone or another phone with physical switches

and it should be only used for non-sensitive stuff, and with a removed battery when it's not needed

any sensitive stuff just can't be safe on the current phone OSes imo


Here in the UK the standard appears to be government by WhatsApp


I wonder if the issue is not even worse. If I was an intelligence agency that wanted to listen in on some world leaders, I would not (only) target the devices of the PM/President etc., but on the PAs and bureaucrats in the vicinity. I suspect they would likely be easier targets and one would get as much interesting information from them as from the world leader themself.


In the Netherlands it came to light a lot of leaders are using private email because it is more easy to use than secure email.

This shows not a lot of leaders are aware of the security risks of using conventional communication.


> In the Netherlands it came to light a lot of leaders are using private email because it is more easy to use than secure email.

Or rather, because it is more easy to circumvent requirements of public record and archival laws.

What I keep asking myself in any case... why is the European Union unable or unwilling to fund an open source software suite that covers all needs of a modern IT environment? For literally everything that's needed, there are open source solutions - Firefox and Thunderbird for communication, LibreOffice for office needs, AOSP for phones, Linux as an OS, Samba for managing PCs and laptops... that would be a real, tangible benefit for hundreds of millions of people, not to mention a huge saving in costs for software licenses.


> why is the European Union unable or unwilling to fund an open source software suite

They are actually funding and working on it: https://ec.europa.eu/info/departments/informatics/open-sourc...


They don't have much to show for it though, other than the infamous GAIA-X association which got (as expected...) promptly captured by the US tech industry including Palantir of all companies. A goddamn joke, but what else can be expected when the one to initiate it was Peter f...ing Altmaier of Germany's CDU infamy?!

[1] https://en.wikipedia.org/wiki/GAIA-X


Turns out there aren't any requirements in the Netherlands, just 'advice'. Regarding the EU and costs : no-one there cares about cost. They just pass them on to taxpayers.


> Regarding the EU and costs : no-one there cares about cost.

They absolutely do care about stuff where ordinary people can save money, thanks to the EU we got a hard cap on CC fees (0.3%!) and free phone roaming EU-wide, for example.

Providing a basic computer software environment would save a lot of money for the population and especially it would also massively reduce electronic waste and lock-in effects. Windows 11 for example won't run on machines without TPMs enabled [1].

[1] https://support.microsoft.com/en-us/windows/enable-tpm-2-0-o...


The EU doesn't have the power of taxation.


That is entirely irrelevant to the point. All the money consumed by EU institutions is taxpayer money. Not a constructive comment.


It speaks directly to the point that "they" decide to waste money and then turn around and get it from the taxpayer. As long as "they" is the EU, they cannot decide to get more money from the taxpayer. If "they" waste it, "they" have to cut it somewhere else in the budget.


Why would that be the EU's job? You might argue for EU funds that nudge things in a certain direction -- ubiquitous and secure encryption, say -- but general software development really is not in the EU's remit.


> Why would that be the EU's job?

Reducing electronic waste is a key issue that the EU will need to tackle rather sooner than later. At the moment, Windows 11 won't run on old computers without TPM 2.0, which will render all PCs without one to either electronic waste or a constant security threat despite that the machines could otherwise run Linux perfectly fine - but no one outside of a bunch of nerds will run Linux on them because the software state of desktop Linux is just abysmal compared to the well-polished offerings of Apple and Microsoft.

Additionally, right now almost all economic and public activity depends on Microsoft to an unhealthy degree. We couldn't even get Microsoft to supply GDPR-compliant versions of MS Teams for schools during the pandemic, it's extremely hard to disable telemetry on anything Microsoft. Microsoft simply does whatever the fuck it wants and can get away with it, simply because there is no meaningful competition for anything they offer. And that dependency is extremely bad - just imagine the 45th coming back as the 47th in two years. The CoJ tore down two "agreements" for data transfer already because it cannot be assured that the US government does not steal our data (or worse, serve us malware) based on a secret NSL.

Europe needs independence, not just from Russia and China where it's long overdue, but also from the US.


The big hole I think that's missing is something to manage policies for all those devices and enforce them, as well as roaming profile and account management. Microsoft basically has a monopoly on this right now with Active Directory. I can't think of any open source projects off the top of my head which offer something similar.

For a modern IT environment used by a business, such a system is absolutely necessary.


You can absolutely run GPOs using Samba as a DC if your clients are Windows, same for profile and account management. For a client-side GPO replacement on Linux and macOS one can use Ansible.


100% agree. If it is not Pegasus it would be Medusa, Zeus, Robotech, or Mazinger Z ;-).

States are part of the security attack vector and Pegasus is just a signal of what is really happening in the field. Personally I was involved in selling exploits since late 90s.


Every time I heard from Pegasus I wonder why nobody is talking about how illegal this business is and how EU and other countries are talking nothing about the use of this.


The impression I have — and I’d be very interested to find out if I’m right or wrong — is that governments basically all spy on each other all the time, and they consider this normal and only problematic when it touches certain very specific projects.

Something about it being important to know the capabilities of your friends and your enemies, and to test the quality of your intelligence and counterintelligence assets before it becomes critical: you don’t want to start stupid wars you can’t win, nor waste money fighting wars to end the non-existent threat of non-existent WMDs.

I can’t tell the difference between espionage that gets overlooked, espionage that gets chest-thumping and wailing and gnashing of teeth, and espionage that gets kinetic responses, but I assume there must be such divisions.


You'd be wrong. All of the available evidence points to a tiered system, with some countries spying on everyone, some spying on very specific other countries, and some just not doing much at all.

Yes, you can claim that that last category just hasn't been caught yet. But there are some, like the US and Israel, that have been caught several times while others have, so far, escaped notice. Is Belgium so much smarter, or are they maybe just not doing as much?


And the funny thing is that most of the spies are actually known to each nation. Whenever you hear about country X has evicted Y number of "diplomats" from the embassy, that is just a few spies getting thrown out to make a point (and of course the evicted country will throw out a few spies in retaliation).

What has been interesting of late is the mass evictions of known Russian spies from even the smallest of nations like Belgium. And of course, Russia has been throwing out Western agents at an equal rate these last few weeks. There are a lot of spies on desk duty right now...


> The impression I have — and I’d be very interested to find out if I’m right or wrong — is that governments basically all spy on each other all the time

Yes. That's exactly what NSA, GCHQ, MI6 etc are tasked to do.[1]

The problem came when foreign intelligence got confused with domestic intelligence. This is further compounded by the change in procurement of specialist technologies that the army or government offices might once have had. In the 80s a prime-minister would communicate with a special "scrambler" (supplied by the security services and designed against foreign espionage). Today everyone uses the same gear made in China, and the market for offensive cyberweapons is both international and privatised.

Here is a quote from [2]

  "" For complex reasons the US embargo on Huawei, while looking like
  a trade dispute, more or less proves this. Simply; western phones
  have backdoors and remote controls for western governments. Chinese
  phones have backdoors for Communist Party intelligence
  apparatus. Each spies on their own citizens and everybody is happy
  (except the citizens that end up in camps). It's the presence of the
  other's spyware within the respective borders/markets that is the
  problem, do you see?

  So when these powers fell out, or failed to reach agreement on data
  sharing, this escalated into an issue with clear symmetry. We see
  that products by Apple, Google or Amazon are to be trusted no more
  than Huawei handsets. Indeed, the safest phone for a Chinese citizen
  is probably an Apple iPhone, whereas the safest phone for a western
  civilian would be a Huawei, because historically, people are most
  risk from their *own* government's domestic surveillance than a
  foreign government's international surveillance. ""

The upshot of this is that offensive cyberweapons, which are indiscriminate, persistent, reusable and infinitely replicatable at near zero cost (all the worst qualities of a weapon on par with bioweapons) affect all strata of society. Politicians, military generals, schoolteachers and pizza delivery guys are equally exposed. This marks a significant transition that blurs the boundaries between civil and military war, as the current Russo-Ukraine conflict shows. We're all soldiers now.

[1] https://www.theguardian.com/notesandqueries/query/0,5753,-20...

[2] https://digitalvegan.net


>how EU and other countries are talking nothing about the use of this

You mean the customers of such malware (even if not necessarily Pegasus in particular)?

E.g. the German government bought FinFisher licenses, the German federal police bought Pegasus licenses. France was reportedly in late talks with NSO to buy Pegasus when the latest scandal hit that included Pegasus apparently having been used against Macron (tho the French government denies it was about to buy Pegasus). The UK might have been a customer too - at the very least the UK government hosted NSO at a trade show.

Aside from buying spyware, governments are keen on spying not just on foreigners but also their own citizens, in the EU too, e.g. the EU Data Retention Directive [0] or the German "remote forensic software" which is commonly known as the "Staatstrojaner" ("state trojans") which is basically the same as Pegasus just in blue. Or in the UK Theresa May's "snooper charter" (which eventually became the "Investigatory Powers Act").

[0] https://en.wikipedia.org/wiki/Data_Retention_Directive


Note that Germany failed to buy Pegasus in 2017 because their in-house lawyers decided that it would be illegal to use. After a lot of back-and-forth, they did eventually sign a contract for a modified version in 2021. That version was supposed to include changes making its use legal. It isn't quite known what the alterations were, but it's been speculated that data would have to match a case-specific wordlist to be exfiltrated, excluding, for example, irrelevant private data.


I think the only important fact is that they wanted to.

Being thwarted, partially, this time, for the moment, in one location, doesn't change anything.

Do you deny the essential assertion that states seek to surveil, and get what they want? Does this speedbump change that?


"They" in the end, didn't want to. It was an internal struggle, and the law won.


FinFisher was bought despite every legal expert they asked, including those they had on permanent payroll, saying it would be illegal to use. They later claimed they didn't use it, only paid for the license.

They also said they'd only use a special Pegasus version that would be within the law, laws that they made and that then had to be severely limited later on by the Bundesverfassungsgericht (German constitutional court) again and again. If the government parties back then (one of which is still leading the new federal government coalition, both of which are leading different state legislators, 14 out of 16) had their way back then, things would be a lot worse.

If "they" (for various theys, as in federal government, state governments, federal/state police, intelligence services including internal ones such as the Verfassungsschutz and the MAD) actually did abide by the law is another matter. E.g. they (intelligence services, in particular the BND) "helped" the US spy on German citizens including politicians via the XKeyscore program, and only admitted what was already known thanks to journalists, or even less actually, and didn't comment on anything else even when questioned by the German parliament, doing the whole "national security" yadayada or "I cannot recall".

In a day and age where government agencies write guides on how to carry out "parallel construction"[0], and after all that Snowden and others revealed, I am a bit skeptical when "they" tell the citizens that "they" only bought spyware but never used it, or only bought spyware with undisclosed modifications that allegedly made it lawful (under a framework of law that indeed is of a questionable constitutionality in itself, and which had major parts struck or severely limited by courts) - a claim nobody was ever able to check thus far.

[0] https://en.wikipedia.org/wiki/Parallel_construction


So you do deny that.

Well I assert that is a delusional optimistic outlook unsupported by any evidence in the history of states so far recorded.


> unsupported by any evidence in the history of states so far recorded

Only if you ignore half the evidence. Runaway authoritarianism is as common a failure mode as states which strait jacket themselves into irrelevance.


I don't see it. All states, in fact all structures of organization or governance, from states to companies to bowling leagues, seek to surveil and control as much as they can get away with. Even rinkydink little local groups, if you give them some phone app that lets them know things they had no business knowing yesterday, will happily use it.

They don't always get away with everything they want on the first try, but they always want and they always try and the acceptable standard norm always progresses only in one direction. Wins in the other direction are local wins against, not examples of some state actually deciding they don't want.


> and how EU and other countries are talking nothing about the use of this.

Because they are all customers themselves.

It’s just that these countries start crying when they get hit with their own medicine.


> wonder why nobody is talking about how illegal this business is and how EU and other countries are talking nothing about the use of this

The ground is shifting with Israel’s (albeit forced) hesitance to criticise Russia too loudly. Prior to a few weeks ago, maintaining security ties outweighed NSO’s nuisance factor. (In Europe. The U.S. is already fed up with NSO.)


Because it's illegality perpetrated by the state. NSO's customers are governments and law enforcement. They're not keen on investigating themselves.



As all these damn names blend together, Pegasus is the Israeli NSO Group's spyware. Usually you could read the article to be reminded which spyware it was, but this is in Spanish and the term "NSO" isn't on the page.


If you'd have bothered to click on the link that mentions it has been illegally used in 20 countries, you'd have been able to read that. But what's the importance anyway?


>But what's the importance anyway?

Proper attribution? So others don't have to do a quick Wikipedia check to remind them which one is Pegasus.


I wonder how many more high-profile targets will be revealed before anything is done. Last I remember, Israel said it's not at any fault and that Pegasus was a defensive project or some such excuse.


Between Israel and a country like Spain the US will always, always choose Israel, the ties between the two countries and especially between their political systems are too strong. As such, nothing at all will be done.


> Between Israel and a country like Spain the US will always, always choose Israel

This is no longer a safe assumption. Trans-Atlantic coöperation is at a high. This satisfies deep American geostrategic aims, ones far deeper than those around Israel.


I'll agree when I see it.


The Israeli line isn't that Pegasus is a "defensive project"; it's that they sell it to governments for spying on targets in their own countries that they have jurisdiction over.


This comes timely after the "catalangate" https://citizenlab.ca/2022/04/catalangate-extensive-mercenar...

The case had already escalated to the EU.


Timely? It could easily have been the same actor.


Given that the spying on Catalan independentists started under the previous government (right wing, strongly centralist), I wouldn't discard it extended subsequently to the current one (coalition of left wing and extreme left, some of which friendly to Catalan nationalists). It remains to be seen if the analysis they are conducting now reveals other members of the government who have been spied on too.

I guess this could come from the previous government, rogue elements of the state, or an international actor, but I wonder if we will be told when and if it is found out.


The hacks started last summer.


Well, if you can get your device infected by playing Candy Crush and similar, I expect the entire Spanish parliament to be spied by Pegasus: https://www.youtube.com/watch?v=xfcIMCYXSxQ


Since NSO claimed that they only sold to national governments, this means Pegasus was used cross-border, or NSO lied about that. (maybe both)


In seriousness, who (that the Israelis would sell to) would target the Spanish PM & Defense Minister?

This is clearly a use-case of military espionage, not of an intrusive police state.

Leaving questions of tools and their creators aside, who is making these decisions and why?


Morocco bought Pegasus and they've quite frequently entered in diplomatic spats with Spain over the last few years over the disputed Sahara.



Pretty much everyone spies on everyone, and that includes several institutions inside Spain who are constantly against each other, not to mention the central gov vs other regional govs, being the Catalan one the most notorious for obvious reasons.


France or Germany.


Nobody expects the Spanish inquisition!


Are there technical details about Pegasus available?

If the public could look into the installed executable, map out its internals, see the attack vector,... then some countermeasures could be developed by interested people.

Sunlight is the best disinfectant.


You can start here.

"Technical Analysis of Pegasus Spyware" [PDF]:

https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegas...


“Pegasus” is supposed to be a bundle of exploits with a dashboard. There’s no open sourcing that could help since each exploit is zero day or close to it.


Isn't the exploit only for the malware drop? The malware itself can then be analyzed even if the exploit can't.


Yes, and from what we have seen so far the malware taking advantage of the exploits is extremely sophisticated, such as the one taking advantage of a flaw in the iPhone's PDF reader which was used to bootstrap an entire custom made virtual machine used to read contents from memory.

Even if you patch one exploit and analyze the malware, there are plenty more to be found, and it seems like they develop custom made malware solutions for each one.


The PROMIS scandal (involving none other than Ghislaine Maxwell's father Robert Maxwell) is an interesting historical on where we are today and who the west should consider as an ally with regards to creating malicious software in order to violate human rights.


The fact that states control these programs like military weapons makes things really murky. Is Apple even allowed to buy a copy and close all the backdoors it uses? Or sue the Israeli government for compromising their operating systems? I doubt it.


Apple is in fact suing NSO IIRC.

But honestly what do you expect? Any nation's military will always stockpile weapons. Malware isn’t just “controlled like weapons” they ARE weapons.


Yeah but what does suing them even accomplish, it’s not like the NSO is going to have to pay up.


It almost seems like Pegasus has been used most heavily against the allies of the US.


Might just be selection bias though? Western countries are a lot more open about that sort of thing than many other cultures, and most Western countries are also US allies. Therefore even if every single leader of a country got targeted, you would still expect the majority of (published) stories to be about US allies.


They’re also a lot more capable of detection, often assisted by the US.


[flagged]


Or ... the forces interested in spying on politicians answer neither to him nor to the Catalans. While I don't disagree with your characterisation of Prime Minister Sanchez, is it not at least as likely that the forces doing the spying view both Sanchez and the Catalans as valid targets? When you look around the Spanish monarchical/military/judicial/political landscape, are there not several more likely sources of hidden and not-so-hidden power that want to keep their vassals under control?


I can understand not liking Sanchez, although your comment seems too much.

But El Diario, while being biased to the left, has never seemed to me like particularly loyal to PSOE. I used to read El País and I stopped exactly for that reason, but El Diario seems to me like one of the few still doing real journalism.

I love it when I find comments on HN discussing their own countries politics, especially if I don’t know a lot about their country. I hope other readers remember to take your comment, and of course mine, with generous pinches of salt.


This comment sounds biased to me.


According to the government, these hacks occurred between May and June 2021, and they are announcing and denouncing this today. After the reports of the Catalan independency politicians being spied with the same tool. The timing is terrible and raises obvious suspicions.


Agree with the overall discussion. It is just the general phrasing of the parent comment that gave me this impression.


I'm not a fan of PSOE by any means, but why are you spreading such bullshit?


> he would sell his own mother to stay power

I don't totally agree with this, but I agree with the think that this is likely a strategy to avoid people talking about his government spying other parties politicians using Pegasus.



