zlacker

34 comments
1. gnfarg+(OP)[view] [source] 2021-07-20 20:32:51
"What can we do to make NSO’s life harder?" That seems pretty simple to me: We ask Western democratic governments (which include Israel) to properly regulate the cybersecurity industry.

This is the purpose of governments; it is why we keep them around. There is no really defensible reason why the chemical, biological, radiological and nuclear industries are heavily regulated, but "cyber" isn't.

replies(7): >>fennec+s >>tptace+M >>mrdoop+e1 >>contra+M2 >>nullc+k5 >>crater+6e >>dogma1+es
2. fennec+s[view] [source] 2021-07-20 20:35:47
>>gnfarg+(OP)
This still leaves us with threats from state actors and cybersecurity firms answering only to Eastern, undemocratic governments.
3. tptace+M[view] [source] 2021-07-20 20:37:08
>>gnfarg+(OP)
Nobody has any credible story for how regulations would prevent stuff like this from happening. The problem is simple economics: with the current state of the art in software engineering, there is no way to push the cost of exploits (let alone supporting implant tech) high enough to exceed the petty cash budget of state-level actors.

I think we all understand that the medium-term answer to this is replacing C with memory-safe languages; it turns out, this was the real Y2K problem. But there's no clear way for regulations to address that effectively; assure yourself, the major vendors are all pushing forward with memory safe software.

replies(5): >>contra+N3 >>jrm4+25 >>gnfarg+b9 >>mrtest+4i >>maqp+dm
4. mrdoop+e1[view] [source] 2021-07-20 20:39:17
>>gnfarg+(OP)
The whole approach of regulating on the level of "please don't exploit vulnerable systems" seems reactive to me. If the cat's out of the bag on a vulnerability and it's just data to copy and proliferate, there's not much a government can do other than threaten with repercussions, which only applies if you get caught.

The only tractable way to deal with cyber security is to implement systems that are secure by default. That means working on hard problems in cryptography, hardware, and operating systems.

replies(1): >>Animal+t4
5. contra+M2[view] [source] 2021-07-20 20:46:27
>>gnfarg+(OP)
Yeah, it seems kind of silly to start with the fact that the something has caused "the bad thing everyone said would happen" to happen and somehow not see that thing as a blatant security hole in and of itself.

I mean sure technical solutions are available and do help, but to only look at the technical side and ignore the original issue seems like a mistake.

replies(1): >>crater+Ue
6. contra+N3[view] [source] [discussion] 2021-07-20 20:51:18
>>tptace+M
Well, first of all, NSO Group in its current form wouldn't exist if Israel regulated them; at the very least it wouldn't exist as a state-level equivalent actor.

Second of all if you can't push the costs high enough then it becomes time to limit the cash budget of state level actors. Which is hardly without precedent.

For some reason you seem to only be looking at this as a technology problem, while at the core it is far more political. Sure, technology might help, but that's the raison d'être of technology.

replies(2): >>tptace+16 >>dogma1+ws
7. Animal+t4[view] [source] [discussion] 2021-07-20 20:55:31
>>mrdoop+e1
By the exact same logic, implementing physical security on the level of "please don't kill vulnerable people" would also be reactive. If the cat's out of the bag on a way to kill people, well, don't we need to implement humans that are unkillable in that way? That's going to mean working on some hard problems...

No. We don't operate that way, and we don't want to.

But for us to not operate that way in cyberspace, we need crackers (to use the officially approved term) to be at least as likely to be caught (and prosecuted) as murderers are. That's a hard problem that we should be working on.

(And, yes, we need to work on the other problems as well.)

replies(1): >>shkkmo+i8
8. jrm4+25[view] [source] [discussion] 2021-07-20 20:58:05
>>tptace+M
Nor does anyone need one, yet. Again, the point of government -- force the dang discussion; that's what investigations, committees, et al are for.

It's fun to make fun of old people in ties asking (to us) stupid questions about technology in front of cameras, but at the end of the day, it's a crucial step in actually getting something done about all this.

9. nullc+k5[view] [source] 2021-07-20 20:59:35
>>gnfarg+(OP)
> to properly regulate the cybersecurity industry

Regulated Cybersecurity: Must include all mandatory government backdoors.

10. tptace+16[view] [source] [discussion] 2021-07-20 21:02:41
>>contra+N3
Sure, you can outlaw NSO itself. I won't complain! But all you're doing is smearing the problem over the globe. You can push this kind of work all the way to "universally acknowledged as organized crime", and it'll still happen, exactly the same way, with basically the same actors. You might even increase the incentives by doing it. Policy is complicated.
replies(3): >>mjreac+lb >>contra+hu >>chacha+Jh4
11. shkkmo+i8[view] [source] [discussion] 2021-07-20 21:13:57
>>Animal+t4
Despite the enforcement mechanisms against murder (which work less than 2/3 of the time), you see many places that implement preventive security measures to make killing people more difficult.

I think it is wholly reasonable to work on both preventive and punitive approaches. For online crimes, jurisdictional issues are major hurdles for the punitive approach.

replies(1): >>Animal+xj
12. gnfarg+b9[view] [source] [discussion] 2021-07-20 21:18:23
>>tptace+M
You're extremely correct, of course, but what I'm really proposing here is something much more boring than actually solving the technical problem(s). How about a dose of good old-fashioned bureaucracy? If you want to sell exploits, in a Western country, then yeah sure you can, but first you should have to go through an approval process and fill in a form for every customer and have them vetted, yada yada.

This wouldn't do anything to stop companies who base themselves in places like Russia. It wouldn't even really do anything to stop those who base themselves in the Seychelles. But, you want to base yourself in a real bona fide country, like the USA or France or Israel or Singapore? Then you should have to play by some rules.

replies(1): >>tptace+ra
13. tptace+ra[view] [source] [discussion] 2021-07-20 21:24:05
>>gnfarg+b9
If you make people fill out paperwork to sell exploits in Israel, Germany, and the United States, they will sell exploits in Kuala Lumpur, Manila, and Kigali. I'm not saying you're expressing it at all, but there is a lot of chauvinism built into the most popular ideas for regulating exploits.
replies(2): >>gnfarg+ub >>roywig+yv
14. mjreac+lb[view] [source] [discussion] 2021-07-20 21:28:58
>>tptace+16
I really don't get this line of argument that regulation is useless. For example, if you made it illegal for ex-US-government workers to work at companies like these, I would expect the vast majority to comply with this, so at the very minimum you would be limiting the available talent pool. The post several parents up talked about regulation for the biological, nuclear, etc. industries being effective, and although 'cyber' would never be treated in the same way, they're right; after all, you don't see organized criminals running around with biological or radiological weapons now, do you?
replies(2): >>tptace+bd >>Peteri+tn1
15. gnfarg+ub[view] [source] [discussion] 2021-07-20 21:29:49
>>tptace+ra
Yes, they certainly will. I'm not naive, or colonial, about that. But what more can we do than live out the standards that we want to see upheld in the world?
16. tptace+bd[view] [source] [discussion] 2021-07-20 21:40:07
>>mjreac+lb
I don't know if it's useless. I just know it isn't going to stop NSO-type attacks by state-level actors. People on message boards have very strange ideas about what the available talent pool is; for starters, they seem strangely convinced that it's all people who are choosing between writing exploits and working at a Google office.
replies(1): >>mjreac+Sf
17. crater+6e[view] [source] 2021-07-20 21:45:19
>>gnfarg+(OP)
> We ask Western democratic governments (which include Israel) to properly regulate the cybersecurity industry.

That's a bit naive. Governments want surveillance technology, and will pay for it. The tools will exist, and like backdoors and keys in escrow, they will leak, or be leaked.

The reason why all those other industries are regulated as much as they are is because governments don't need those types of weapons the way they need information. It's messy and somewhat distasteful to overthrow an enemy in war, but undermining a government, through surveillance, disinformation, propaganda, until it collapses and is replaced by a more compliant government is the bread-and-butter of world affairs.

replies(2): >>maqp+rm >>pydry+sq1
18. crater+Ue[view] [source] [discussion] 2021-07-20 21:49:35
>>contra+M2
> a blatant security hole in and of itself

That means our society, our governments, our economic systems are security holes. Everyone saying the Bad Thing would happen did so by looking, not at technology, but at how our world is organized and run. The Bad Thing happened because all those actors behaved exactly as they are designed to behave.

19. mjreac+Sf[view] [source] [discussion] 2021-07-20 21:56:56
>>tptace+bd
Of course you will never stop all attacks; however, you can try to limit their number by making them more expensive to do, whether this be by limiting where they can hire from, the kind of political consequences they will incur, etc.
replies(1): >>tptace+Ph
20. tptace+Ph[view] [source] [discussion] 2021-07-20 22:12:27
>>mjreac+Sf
On this thread, we're talking about state-level attackers targeting iMessage.
21. mrtest+4i[view] [source] [discussion] 2021-07-20 22:14:12
>>tptace+M
>Nobody has any credible story for how regulations would prevent stuff like this from happening.

We do have some of those already.

https://www.faa.gov/space/streamlined_licensing_process/medi...

22. Animal+xj[view] [source] [discussion] 2021-07-20 22:27:13
>>shkkmo+i8
> For online crimes, jurisdictional issues are major hurdles for the punitive approach.

Yeah. If you can catch people in your jurisdiction (without the problems of spoofing and false flags), then people are just going to attack you from outside your jurisdiction. You'd have to firewall your jurisdiction against outside attacks. (You might even be able to do that, by controlling every cable into the country. But then there's satellites...)

replies(1): >>roywig+Hv
23. maqp+dm[view] [source] [discussion] 2021-07-20 22:50:47
>>tptace+M
If the governments can't ban exploits, perhaps they can ban writing commercial programs in memory unsafe languages? Countries could agree on setting a goal, e.g. that by 2040 all OSs etc. need to use a memory safe language.
24. maqp+rm[view] [source] [discussion] 2021-07-20 22:52:54
>>crater+6e
The thing is, countries with vast intellectual property base have more to lose in the game, thus they should favor defense over offense. Like Schneier says, we must choose between security for everyone, or security for no-one.
replies(1): >>crater+454
25. dogma1+es[view] [source] 2021-07-20 23:48:59
>>gnfarg+(OP)
“Cyber” is pretty “well” regulated, NSO exports under essentially an arm export license.
26. dogma1+ws[view] [source] [discussion] 2021-07-20 23:51:23
>>contra+N3
Israel does regulate them; you may think not well enough, but likely there isn't a single sale that wasn't approved at a pretty high level. Based on their export license, every sale requires an authorization.

I doubt they made a deal that didn't directly serve either Israeli or US foreign policy and security interests.

I don't know about NSO, but another player in mobile tracking (Verint), though very much more LEO oriented (SS7 tracking), had about a million failsafes that ensure that their software cannot be used to track or intercept US or Israeli numbers.

27. contra+hu[view] [source] [discussion] 2021-07-21 00:10:35
>>tptace+16
Well, you can hardly complain it's impossible to make the cost of exploits high enough if you do nothing to restrict their funding. If a country lets them openly conduct business, then it's no surprise they're well funded, which wouldn't be a problem if that country kept an eye on them to ensure they're not doing anything harmful; but predictably that didn't work out.
replies(1): >>tptace+HL
28. roywig+yv[view] [source] [discussion] 2021-07-21 00:21:50
>>tptace+ra
I'd be surprised if Israel didn't already regulate who NSO does business with.
29. roywig+Hv[view] [source] [discussion] 2021-07-21 00:23:56
>>Animal+xj
The original tale of international cyber espionage was accomplished via a satellite link.

https://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg_(book)

30. tptace+HL[view] [source] [discussion] 2021-07-21 02:58:24
>>contra+hu
NSO is just the exploit vendor you hear about. There are lots more.
31. Peteri+tn1[view] [source] [discussion] 2021-07-21 09:50:52
>>mjreac+lb
Removing NSO won't limit access to the talent pool in practice, because the key assets of NSO, the vulnerabilities, do not rely on people they employ directly but rather on the global market for exploits.

Currently, some blackhat somewhere finds a vulnerability and sells it to NSO, and then NSO sells it to various countries. If Israel forbids such deals, then the same "someones" (without regard to where they're located; those deals are essentially unregulatable, you might anonymously trade knowledge/PoC for crypto) will sell the vulnerability to NSOv2 headquartered in Panama or Mozambique, and NSOv2 will sell it to the same customers.

32. pydry+sq1[view] [source] [discussion] 2021-07-21 10:21:52
>>crater+6e
They want nukes too, which also exist. It doesn't mean they'll get them.

Non-proliferation treaties are effective against nuclear weapons; they'd be effective against "cyber" weapons.

replies(1): >>crater+G44
33. crater+G44[view] [source] [discussion] 2021-07-22 02:25:08
>>pydry+sq1
> They want nukes too

No, they want weapons that can project and multiply threat. Nukes are just one way of doing that.

34. crater+454[view] [source] [discussion] 2021-07-22 02:29:51
>>maqp+rm
Except that the big-money IP owners consider piracy and loss of revenue far more important than merely securing their assets. The kinds of software they buy (DRM, copy protection, automatic DMCA takedown of automatically detected infringing works) don't have any applicability to cybersecurity.
35. chacha+Jh4[view] [source] [discussion] 2021-07-22 04:34:43
>>tptace+16
Isn’t this the security nihilism the article is addressing?