Hacker News Re-Imagined

Apple sues NSO Group to curb the abuse of state-sponsored spyware

  • 1121 points
  • 7 days ago

  • Posted by @todsacerdoti
  • 443 comments



@ramijames 6 days


As an Israeli, NSO is deeply embarrassing. I do not understand why this is allowed to continue.



@Adamantisa 7 days

Court has no jurisdiction over NSO. At most, it was foreign international persons who accepted iCloud's terms and conditions. They'd have to identify them, prove that they are linked to NSO, and in fact acting on behalf of NSO in their official capacity. And even after that, they'd just not travel under their real names, or even not travel at all, and that's that.



@Siira 6 days

So that we are only spied on by bigger agents (e.g., China), and Apple can continue to lie to the roof about how its anti-user, anti-competitive behaviors are for our own good, and are not mere security theater designed first and foremost to enforce Apple’s rent-seeking.



@hfern 7 days

What other goodies will they find during discovery?

Hopefully the public can get snippets like in Epic Games v. Apple.



@monocasa 7 days

Where did they sue NSO group? If it's a US suit, I don't see that meaning much. Why wouldn't NSO just ignore it in that case?



@estranhosidade 7 days

>make products/services more secure

>sue others to make them stop trying to hack your products/services

Chooses the second one. I'm pretty sure this is just a PR stunt for Apple to try to appeal and brand themselves as "oh, we stand for security" and all the other bullshit.



@FridayoLeary 7 days

Apple sues NSO Group to curb the abuse of state-sponsored spyware

I'm quite cynical about this press release. The key point in the title is that Apple are cool with state-sponsored spyware, it's just abuse of it that bothers them. Also why did they wait so long to file this? I don't think it's because they lacked evidence until now. Perhaps they think such a lawsuit is now expected of them otherwise they will lose face, and that they have the general backing of the public now. I remember some months ago showed that Apple already had grounds to sue for copyright infringement. Either way, Apple is stepping into a political minefield. Buy popcorn and expect fireworks. Big ones.



@rStar 7 days

apple makes their own hardware and software. our devices are insecure by apple's choice. making this “statement” and “lawsuit” utter farce.



@joecool1029 7 days

Link to the docket (including complaint) for those interested: https://www.courtlistener.com/docket/61570971/apple-inc-v-ns...



@einpoklum 7 days

*Apple VP of SW Engineering: "Apple devices are the most secure consumer hardware on the market"*

... except for how Apple sends a copy of all of your data that passes through their servers to the NSA. No, I'm not espousing a conspiracy theory, this has been brought to light by Edward Snowden's revelations. Now, we don't know how much of the data on Apple phones gets sent to Apple's servers, so it's not literally everything on your phone, but at least everything that's backed up remotely, and possibly more.

So, pot calling the kettle black.

---

*"to curb the abuse of state-sponsored spyware"*

Note that Apple is not saying "to prevent", only "to curb". But even worse than that, they're saying "curb abuse", not "curb use", as though that type of state spying is not inherently abusive.

---

*"State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,"*

Apple has a larger R&D budget than most world states. In fact, Apple themselves probably spend more money on sophisticated surveillance technologies than half the world's states combined. Certainly if we count things like dynamic image analysis from all those cameras on phones and cars and such. Why is an unaccountable foreign corporation better than a government? They're both pretty bad.



@gbajson 7 days

"We have no clue how our software works, so we will sue you".

It's a disaster from any point of view. Also ineffective.

They could easily designate not 10M, but 100M for bug bounties and simply solve their problems.



@14 7 days

What about Apple's own spyware they were going to force on users to scan for CSAM? Did they ever make a final decision on what they were going to do with that? Update to iOS 15 is what they recommend but then it is Apple spying on you not some foreign companies. I don’t want either.



@theknocker 6 days

Why the fuck is it up to Apple and not the fucking U.S. military?



@strict9 7 days

It is great to see this happen.

It's also fascinating that the crux of Apple's case against NSO hinges on NSO engineers that accepted iCloud's terms and conditions.

From related NYT article:

>The sample of Pegasus gave Apple a forensic understanding of how Pegasus worked. The company found that NSO’s engineers had created more than 100 fake Apple IDs to carry out their attacks. In the process of creating those accounts, NSO’s engineers would have had to agree to Apple’s iCloud Terms and Conditions, which expressly require that iCloud users’ engagement with Apple “be governed by the laws of the state of California.”

The clause helped Apple bring its lawsuit against NSO in the Northern District of California.

https://www.nytimes.com/2021/11/23/technology/apple-nso-grou...



@rasengan 7 days

Legal methods are a crutch at best. Apple would be wise to put forth the same budget into their security team's research and development and properly address these weaknesses.



@ece 6 days

Apple mentions PAC, PPL, and BlastDoor, and I'm left wondering if SELinux+JIT sandboxing on Android isn't better than all three combined. Though, I can't wait to see ARMv9/Intel CET processors and associated software being more widespread as well for CFI+W^X+Sandbox/Memory Encryption features.



hah! that'll show 'em /s



@Sporktacular 7 days

We need to target the pos engineers and management at NSO, Finfisher, Hacking Group etc. who sell their souls for a fast buck. These pricks are likely already setting up the next corporate front for when this one collapses. Let's make the mercenary business a cripplingly expensive line of work.



@cannabis_sam 6 days

Every single individual that has ever worked for NSO in any capacity, should be treated as an extremely serious security threat…

Employ these psychotic assholes at your own risk.



@fortran77 7 days

Apple enabled them by making insecure operating systems. Aren't we on Hacker News all for the ability to side-load software on your platform?



@yuvadam 7 days

The framing of NSO as "state-sponsored" cannot be overstated, and Apple didn't miss the chance to do just that.

A hard blow to Israel's policy just as much as it is to NSO itself.



@tzahifadida 7 days

If you think that Israel is doing anything not sanctioned by the US government you are mistaken. In Israel NSO can't make a move without 7 agencies regulating it. This is considered a weapon sale. The same weapons the US are sponsoring Israel and buy them from Israeli industry. There is no way NSO will fail from this. So EULA or whatever these are matters between states for national security interests.



@udev 7 days

The amount of time that Apple sat on this is telling.

First reports on NSO activity are from 2016, Facebook filed in 2019, Apple iOS 14.8 fix released in Sept 2021.

Only when the constant negative news about NSO started chipping at their reputation, did they decide to make this symbolic (and ultimately ineffective) move.



@Ldorigo 6 days

If you're interested in Apple & privacy, you should listen to Polymatter's videos on Apple, in particular https://www.youtube.com/watch?v=CjLHuhOTnaI - it really helped me understand their whole strategy around privacy and PR "stunts" like this. From that video:

"Google embraces gathering your data, arguing you shouldn't just tolerate them using your data, you should want it - first, because giving your phone more information makes it more useful. And second, because all this data [...] makes these services cheaper and more accessible to, say, people in poverty. [...] Apple, meanwhile, rejects the whole concept. Tim Cook argues that’s a fake trade-off designed to justify a business model where you are the product, not the customer. Not only does your iPhone not need your data to be useful, it says, it doesn’t even want it. For Apple, storing your information is only a liability. Now, whether you buy that logic or not, you have to stop and admire its genius. Because, if Google says your data is what allows it to sell cheaper products, then Apple can argue its higher prices are a feature. You should feel good paying more for an iPhone, because it’s proof Apple doesn’t need to sell you out to advertisers. On the other hand, this argument is also harder to explain. While Tim is busy waxing poetic about privacy, Google just points to the price tag - everyone wants to save money. [...] Whenever there’s a big hack, Tim Cook will, predictably, do a few interviews about privacy, trying to convince you that Apple’s interests are most aligned with yours."



@DisjointedHunt 7 days

I’ve been heavily critical of Apple for their on device scanning plans but credit where it’s due. This act hopefully exposes the sheer abuse of Public funds to find and exploit vulnerabilities and somehow those same vulns find themselves in the commercial domain, available to the fucking despots in the Middle East and wherever else?

It’s about time those that took the oath to protect the nation from harm step up and do so instead of creating a million more problems by shipping these exploits off to a later time while they sit on them.



@suthakamal 7 days

I think the most important part of this announcement (I cried genuine tears of joy when I read it) is that Apple is committing to give Citizen Lab whatever they need. That kind of internal access to Apple's people and infrastructure is tremendous.

I've never heard anyone but a despot (or vendor to despots) claim anything untoward about Citizen Lab, it sure seems like they're genuine "good" folks. They do great work, and they'll do better with support and access. The announcement makes it sound like Apple is willing to offer similar support to other good actors. I imagine Apple putting the word out will yield a few more.

It raises - again - the question of what we expect from big companies vs governments, and questions of sovereignty. Where's the line between supporting good work and cyber vigilantes (if it's not a thing today, it will be, and what will society's place be with respect to them)?



@lehi 7 days

Only curbing "abuse" implies that "normal use" of state-sponsored spyware remains kosher.



@spunkmeyer 6 days

Peculiar stance from a company that has repeatedly ignored critical security issues when reported directly to them, on their own preferred channel, sometimes for as long as 10 months.

Only U.S.-controlled spyware is to be allowed on iPhones.



@jbverschoor 7 days

Thank you, Tim



@cronix 7 days

> to hold it accountable for the surveillance and targeting of Apple users.

What exactly does that mean? Fine them? Get them to stop? Have them publicly say, "my bad?" I suspect the larger goal is to find out exactly how NSO is bypassing Apple's very expensive security and plugging it? Is that specific info the type of thing Apple can get their hands on (actual code, etc) for this type of trial?



@khana 7 days

Better yet Apple, write better software.



@sekura 7 days

NSO is pretty well covered by Darknet Diaries:

https://darknetdiaries.com/episode/99/

https://darknetdiaries.com/episode/100/

I have no sympathy for NSO.



@daneel_w 7 days

Great. Also, don't forget to secure your operating systems, which is the root problem.



@napmo 7 days

Let's see the big picture: It's not only about spyware, but it's about a vast range of malicious tools used for targeting human rights activists around the world, at first through spyware and other malicious software, but if they needed, physically harming them. It is actually part of the Israeli state-sponsored terrorism around the world. Other dictatorships like Saudi Arabia also use their tools. Brutally killing Jamal Khashoggi was one of the instances.



@ksec 7 days

I guess I am getting cynical. What is the context that triggered Apple to sue them now, and not any time before?

And what if NSO Group closed the branch in US? I assume you can't really do anything to an Israeli company.

Because half of it reads a lot like a PR piece to me. And Apple easily gets the marketing message response they wanted. They are fighting "State Sponsored" spyware. The privacy message they are sending out (fighting on behalf of their user), in the midst of a worldwide App Store battle and Anti-Trust.

And I am willing to bet this message will be used in their future PR message when they discuss it in Anti-Trust to gain public support.



@aborsy 7 days

What does state-sponsor mean here exactly? Is NSO supported by Israel intelligence?

And if charges are laid against NSO, will its sponsors be charged/sanctioned too (for sponsoring terrorism)?

If this was a company in another country, the reaction would have been totally different (in some cases calls for bombing would have been made, and continued for decades).



@amachefe 6 days

This is an interesting case.

But in the long term, it also seems Apple can sue anyone who hacks the iOS, e.g. mods and rooting



@michaelbuckbee 7 days

Ellsworth is a personal hero of mine - incredibly smart, wildly talented and has a real vision for this space.

All that being said, it's a nightmare of a space which is why I don't think there's been a big funding event for Tilt5.

"Meta View" was an AR company that raised $75mil, had a star studded list of VR/AR technology folks, only ever shipped a couple thousand units and now is defunct.

Magic Leap raised $3.5 Billion and now has given up on shipping a consumer device (Enterprise only).

Microsoft's Hololens exited consumer applications even earlier, enterprise only.

Oculus Quest is the most successful consumer VR tech (about 5 million sold) but it's really unclear if they're anywhere close to turning a profit and they've spent tons to try and jump start game developers in VR.

Tilt5 would require from the ground up games to be made, large volumes of orders/units to be profitable and even if all that came together could still be kneecapped by chip shortages and supply chain issues.



@davidf18 7 days

This is amazing publicity for NSO.

If NSO is able to crack Apple security you can bet the NSA, Chinese, Russians as well as Israel's Mossad are doing much the same.

With this lawsuit, Apple is basically admitting that they need lawyers and not engineers to combat the hacking.

But suing NSO would not stop the other agents from hacking Apple.

That is why it is best that Apple spend $100 million or more to cybersecurity harden their software.

In addition, Apple should offer $1 million awards for breaking their security.

One should also ask, how many lives were saved from terrorist attacks by NSO. That would be an interesting story.



@xtat 7 days

Apple's playing both sides.



@null_object 7 days

Wow you have to be on HN to see Pegasus portrayed by some people as ‘the little guy’ fighting ‘evil’ Apple.



@zalequin 6 days

Good, I hope this is just the start of a crackdown on the whole offensive cybersecurity industry of Israel, which is an extension arm of the intelligence departments of the IDF.



@elzbardico 7 days

In a just world, Israel should suffer sanctions for sheltering what is basically a criminal enterprise.



This is good



@YeBanKo 7 days

Hm…

> Apple believes privacy is a fundamental human right

Unless you are a user in China or Russia.



@0xcde4c3db 7 days

Anyone have a sense of the odds that the state secrets privilege gets invoked, and if so how damaging it's likely to be to Apple's case? Most examples involve a government entity being a party to the case, but the privilege did shut down a patent infringement suit between private entities not too long ago (Crater v. Lucent) [1].

[1] https://www.wired.com/2005/09/secrecy-power-sinks-patent-cas...



@dng88 6 days

It is not that they break Apple, but more important they break it to destroy people fighting for liberty etc. Who can fight Russia, China ... it is very hard by itself. And then these guys with relatives escaped from Nazi now come to help these present day totalitarian regimes.

Hope they go to Hell.



@dinkblam 7 days

meanwhile Google happily continues to run ads for malware like the infamous 'MacKeeper'



@qwerty456127 6 days

Nice! I'm not sure if I want them to win though. Perhaps this may create a precedent also applicable to people exploring Apple firmwares for sake of user freedom and privacy rather than spying on people.



@notyourday 7 days

Apple simply needs to exercise its right to deplatform everyone who works for NSO. Oh and deplatform all government wonks of government of Israel as it is allowing NSO Group to operate.

Life in 2021 is very difficult without a smartphone. In fact it is so difficult that if working for NSO comes with "no smartphone forever" sticker NSO won't be able to find people to work for it.


