JACK: Hey, I can’t believe we made it to Episode 100. Seriously, I couldn’t have done it without all the support from my listeners so truly, thank you so much for tuning in. This has been amazing and I can’t wait to see what the next 100 episodes bring. Okay, so real quick before we get started, this is the second part of a two-part episode. If you haven’t already, go back and listen to the episode just before this, number 99, called The Spy. [MUSIC] There’s this malware called Magic Lantern and I find it fascinating. It usually infects a computer through an e-mail attachment. You get the e-mail which says to open the attachment and when you do, zang; your computer is infected. What Magic Lantern does is it records your keystrokes and sends everything you type back to a central system so the hackers can see everything you type. Now, of course with a keystroke logger like this, it can pick up any message you send to people; private chats and of course, your passwords. So, who’s this shady hacking group that uses Magic Lantern? The FBI. Yeah, in 2001, someone issued a Freedom of Information request and got back information the FBI uses this Magic Lantern malware to capture keystrokes on target computers. Now, I’m under the impression that the FBI would need to get permission to use this software, like a search warrant or something, so this would classify Magic Lantern to be a lawful intercept mechanism, meaning they had permission to basically wire tap someone. But this sparked a debate in the security community. The question was, if the FBI has legal permission to eavesdrop on someone by using Magic Lantern, should antivirus and security companies detect and report on this activity? Of course, the FBI would like to go unnoticed in any kind of stealth mission and would rather antivirus companies not alert when they see this.

But on the other hand, that’s the whole point of antivirus software, to alert when something is going on and shouldn’t be happening. F-Secure, an antivirus company based in Finland, said right away that they would absolutely report on this, but they’re in Finland. The FBI is in the US. McAfee, an American antivirus tool, said they would not alert the user if the tool saw Magic Lantern trigger and that it would ignore it. Later, they denied saying this, saying they do in fact alert when Magic Lantern is detected on a computer, but this opens a door to a strange world of allies and enemies, and it’s hard to know who to trust when the software you buy might be lying to you, or when the FBI is busy infecting people with malware to spy on them.

(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

JACK: For this episode, we’re picking right back up where we left off with John Scott-Railton.

JOHN: Yeah.

JACK: This time I want to hear more about the research he’s done specifically on the NSO Group. Oh, and there were some recording issues I had during this interview; I lost the primary recording and had to use a backup and it’s a bit voipy at times, so I’m sorry about that.

JOHN: I’m a senior researcher at the Citizen Lab at the University of Toronto’s Munk School. For a little bit less than the past decade, me and my colleagues have tracked different digital threats against civil society groups.

JACK: [MUSIC] Tracking digital threats against civil society groups. That sounds fascinating, so let’s unpack that for a second. What’s a civil society group? Well, it’s essentially non-government organizations or individuals, but some define civil society as people who exercise their freedom of speech and the things that make up a democratic society. So, having freedom of the press is very important to a civil society, one where journalists are free to investigate and write stories criticizing their own government or society, and it’s important that their own government or other governments don’t stop them from writing certain stories. But the thing is, we live in a world where journalists and human rights activists are being targeted by nation state actors. Since it’s important for a civil society to have journalists and activists spreading the truth, Citizen Lab helps people out when they’re targeted by digital threats.

JOHN: Sometimes people get in touch with us and they say hey, we’ve heard about you and something strange is happening on my phone, on my device. I’m concerned about it. Sometimes our research comes because we sort of set ourselves a broad research mandate, are busy looking at infrastructure.

JACK: Their goal is to investigate those in civil society who are targeted and report publicly about it. This has caused certain groups to go into hiding, and other groups have been arrested because of their work. But overall, the public is just made more aware that there are certain groups out there who are [00:05:00] targeting activists and journalists. At some point, the folks at Citizen Lab were connected with Ahmed Mansoor.

AHMED: Hello, ladies and gentlemen. My name is Ahmed Mansoor from United Arab Emirates.

JACK: This is tape of him from 2012. He’s from the United Arab Emirates and is a human rights activist there.

AHMED: I always wanted to see change. I believed a lot in equality.

JOHN: In the case of Ahmed Mansoor, we’ve been in touch with this guy for years [MUSIC] because in 2011 Mansoor was targeted by an e-mail with a Trojan that was FinFisher, one of the sort of OG government hacking tools that was being sold.

JACK: If you listen to Episode 47 called Project Raven, you might remember him. He’s been targeted many times by different hacking groups, all because he’s a human rights activist and speaks out against the UAE government. After being targeted multiple times, Mansoor eventually reached out to Bill Marczak, one of John’s colleagues at the Citizen Lab to get help.

JOHN: Then in 2012 Mansoor was targeted again via e-mail with a doc and some kind of old exploit. This was Hacking Team this time. So, when in 2016 Mansoor reached out to us and said hey guys, I think I’m being targeted again, we paid attention because if there’s one person who’s likely to be targeted with this stuff, it was Ahmed Mansoor.

JACK: While Bill Marczak at the Citizen Lab was looking into some phishing reports, he found some other suspect domains that seemed to belong to something new. He looked into those domains and found some were registered to the NSO Group. At the time, Citizen Lab concluded that there was maybe some new kind of malware that the NSO Group had made, but they didn’t know who the victims were or what the malware was. The Citizen Lab looked into those domains and developed a list and some techniques to find more. When Mansoor got in touch with Bill, all he had was a list of domains, but after he saw Mansoor’s text messages, remarkably, that led to some infrastructure that Bill found.

JOHN: We had found links to NSO’s infrastructure and had come up with a list of domains.

JACK: These domains were thought to be used by the NSO Group to carry out certain targeted digital attacks on people. But the team at Citizen Lab didn’t have a good understanding of how any of this worked or how it was used.

JOHN: So, it was a godsend when Mansoor got in touch with us because suddenly we had a person who had been receiving links to this, what we thought of as likely infection domain for Pegasus.

JACK: [MUSIC] Mansoor showed Citizen Lab some text messages. They were in Arabic. They both said the same thing, new secrets about torture of Emirates in state prisons. Then it had a link. The link was to the same domain that they had just begun analyzing but weren’t sure how it worked.

JOHN: The first thing we did was rouse a colleague, get him to convince his girlfriend to give up her iPhone which we wiped, and then MitM’d the traffic and clicked on that link and were able to get a copy of Pegasus spyware.

JACK: The colleagues had access to an iPhone they could use to test with. Now, for them to test something like this, they have to be pretty careful. If they just visit the link, it’s hard to tell exactly what’s happening, so they set up all kinds of monitors and sensors. This is what a lab is for, right? First they set up a method to capture all network traffic coming in and out of that phone, and they did this in such a way that they could even capture encrypted traffic and look at that, too. Then they took snapshots of the phone to compare before and after to see what’s changed on the phone. They probably even film the whole thing just in case the phone did something like flash a message across the screen real quick. This way they can go back and look at what happened.

JOHN: Exactly, so we clicked on the link and waited. Browser crashed, and then something began happening. We saw the phone beaconing out and establishing communication with NSO’s servers. We realized that we had just observed a remote jailbreak on this iPhone. It was a big deal because it was the first of its kind that we had certainly seen, and we realized okay, we’ve got our hooks into this infection infrastructure and we were actually able to grab the payload, the actual Pegasus deployment.

JACK: It took them a while to figure out what happened. In fact, they teamed up with Lookout Security to help investigate this. Lookout makes the security software for mobile phones, and together they were able to dissect this malware and see what was going on. They realized right away that this was something that nobody had seen before which made it an amazing discovery.

JOHN: It was a very exciting time because we really felt like okay, here’s a new major piece of spyware. It’s super sophisticated, it’s got all these capabilities, it’s pretty stealthy, and it’s using this chain of zero-days.

JACK: Yes, a whole chain of [00:10:00] zero-day exploits. I want to break this down for you because it’s fascinating to look at a little bit more in-depth. [MUSIC] So, specifically this worked with iPhones which were fully patched and the latest and greatest models. This exploit had three stages to the attack. First, it required the user to click a malicious link using their phone. Clicking the link opens the Safari browser and the user visits the website. Safari uses a thing called WebKit which is like the browser’s engine. When a user clicks the link, a JavaScript program runs. That JavaScript program tries to exploit a bug in WebKit which would allow it to write data to the phone. Through this bug and WebKit, the JavaScript program downloads a malicious program. This brings us to stage two of the exploit chain.

Apple has locked down their iPhone pretty well to prevent stuff like this from happening. The only apps that are allowed to run on an iPhone are those that are downloaded from the official Apple App Store. There’s simply no way to put a new app on it through any other way and run it. This means the malicious program that was just downloaded cannot execute unless the iPhone is jailbroken. That’s exactly what this stage of the implant does. The malware uses an exploit to jailbreak the iPhone which allows it to run any app that’s on the phone, not just the ones downloaded through the App Store. In order for this program to jailbreak the phone, it used two totally different exploits in the iPhone’s kernel which were completely unknown to Apple at the time. Once it’s jailbroken, then the last step is just for it to run the malicious app and at this point, the app is just a normal iPhone app and it can be started like any other app. The app itself doesn’t use any exploits or bugs; it just takes advantage of the features on the phone.

The app does things like turn on the microphone, the camera, and read WhatsApp messages or listen to calls or track location, and then it sends all that data back to the attackers without the victim knowing that any of this happened. This is crazy and I’d say a pretty amazing exploit chain. I mean, it was using three zero-day exploits to get this going, bugs that the trillion-dollar tech giant Apple could not even catch through their bug bounty program, which is very impressive work. To create this exploit took a lot of work. Probably a lot of money and a lot of time went into making this. Exploits like this can be sold for hundreds of thousands of dollars, probably over a million dollars, but what makes it so good is how easy it is for the attackers to use. All they need to do is get someone to click that link and boom, that victim is now being spied on through their phone. Someone spent a great deal of time and money to make this. Not only make it, but turn it into an easy to use point-and-shoot type of an attack. It’s elegant, it’s slick, but it’s extremely dangerous.

JOHN: The feeling that we had, if I remember right – other than being a little bit underslept during that week – that this was high stakes because this was an order of magnitude more sophisticated than the Hacking Team and FinFisher stuff that we had looked at in the past. It was also mobile which was really interesting to us. We really felt the time like oh man, we’ve cracked another dimension of the way that surveillance is happening online. I think we’re both excited but there’s also this sense that comes with this of like, okay, we need to make sure that we have our own house in order, that we’re reasonably secure, because we’re playing with some very sophisticated, very dangerous stuff. We also experienced a lot of gratitude towards Mansoor.

Here was a guy who, just by virtue of his wits, had managed to catch something that had eluded us for almost a year and that eluded other researchers and investigators and he had just done it because a text message didn’t feel right, which highlights the kind of symbiosis and synergy that usually exists between Citizen Lab and the groups that we work with and support, which is we count on them and their intuition to help us get started. We don’t have a global network of sensors, we’re not running antivirus on a bunch of phones, but with people – may become the firewall and the human antivirus that gets us what we need to get ourselves started.

JACK: But now what do you do with this information? I mean yeah, sure, this confirms Mansoor’s hunch that something wasn’t right with those texts, and it’s nice to know he was right, but what do you do when you find an exploit like this? Well, you want to work as fast as you can to get it fixed.

JOHN: We then worked really quickly. We got in touch with Apple, we let them know what was going on. Apple immediately began spinning up to do investigation and then patching. We worked as fast as we could to try to characterize the malware and get ready to do a public report. Then co-timed with Apple releasing its CVE and patching, we published. What we didn’t realize at the time is just how big of a deal NSO was gonna be for our next year or two as cases just started pouring out of the woodwork.

JACK: [MUSIC] I found an interesting side story here. Citizen Lab discovered this exploit and malware [00:15:00] in August of 2016. The exploit used a methodology outlined in the latest Phrack magazine which came out three months earlier, and apparently the same WebKit browser engine is used on the Nintendo Switch and is also vulnerable to this exploit. So, people who are trying to hack into and jailbreak the Nintendo Switch started using this exploit to get their Nintendo to do things it wasn’t supposed to do. It’s crazy that once an exploit becomes known where things end up. But anyway, how did this link back to the NSO Group? Well, Citizen Lab kept investigating this and discovered a network of IPs and domains that were involved with this malware. From there they did WHOIS lookups, reverse DNS lookups, and other searches which eventually led them to two domains which they knew were owned by the NSO Group. They felt pretty confident that the NSO Group was behind this and published all this in a report. So, who exactly is the NSO Group? Well, it’s an Israeli company started by three guys; Niv, Shalev, and Omri. The initials of those names are what give NSO its name.

JOHN: So, NSO is a company that sometimes flies under the flag of other names like Q Cyber Technologies, and they sell really sophisticated mobile spyware. Their customers are governments.

JACK: They meet with these governments and basically say look, you have legal ways of intercepting communications for criminals in your countries, like you can do wire taps or whatever, but we know you have trouble collecting data on encrypted mobile devices.

JOHN: We’re gonna help you regain visibility and we’re gonna do it by selling you a powerful mobile phone hacking solution. Part of their pitch is you don’t need much sophistication; just sit at this console, enter a phone number, and presto, you can start pulling data from that phone. Their business model is kind of somewhere between hacking as a service and the provision of software. We’ve learned about them more recently as they often play a fairly active role in setting up and operating some of the exploit servers that are used. Basically what they’re offering to their customers is the ability to target an arbitrary cell phone and gain access and persistence.

JACK: That’s what the Pegasus spyware is. It’s the malware that Citizen Lab discovered from Ahmed Mansoor’s text messages. It’s the flagship software that NSO sells. It’s not the only product they sell, but it’s their main one. Now, one thing I hate doing is talking about someone for like an hour without them being part of the conversation. It just feels wrong, so I reached out to NSO first with Omri who’s the O part of NSO. I invited him on the show back in 2018 and he told me actually he listened to my episode on Unit 8200 and liked it. I was like great; come on, let’s do an interview then. He said and I quote, “Every major media outlet in the world wants to interview me. Why should I do your podcast? :)” end quote. I’m like, because you actually listen to my show and like it; duh. But really, you should come on because I’m going to talk about NSO for an hour and you could either be part of this conversation or not. That was 2018. For three years I’ve been trying to convince him to be interviewed. I later moved on to going through their official PR channel. I contacted them asking for an interview.

I went back and forth with them for a long time. They wanted to know exactly what questions I was going to ask and more importantly, they wanted to know what sources I was talking with for this story. We went back and forth for months. I kept saying look, do you want to give your side and be part of this conversation or not? They ultimately left me hanging. I also contacted another PR person involved with them and they denied me, too. In the end, NSO had every single opportunity to have their voice in this episode, but they refused which means all I can go on is what’s been reported by victims, researchers, and news agencies. I really wanted to have them on this show for Episode 100 but it just didn’t work out. But NSO has given multiple interviews with other news agencies in the past. They’ve been interviewed by Forbes, New York Times, and some Israeli news outlets. But the interview I find the most interesting is the one that happened in 2019 where Lesley Stahl from 60 Minutes went to Israel and interviewed them in their own office.

LESLEY: [BACKGROUND STREET NOISE/TALK] Headquartered in the Israeli city of Herzliya, NSO Group operates in strict secrecy. In the company’s eight-year history, they have never let cameras in, but they wanted to show us they’re like any high-tech company, with PlayStations and Pilates. But there was a lot we couldn’t show. Notice no faces. The work is top-secret and some employees are ex-military intelligence and Mossad. Pegasus is [00:20:00] such a sensitive spy tool, NSO has to get approval before it can be licensed to any client from the Israeli Defence Ministry as though it’s an arms deal. Why would the government of Israel want what seems to be an enemy to have this technology?

SHALEV: I’m not gonna talk about specific customer.

LESLEY: But can you say that you won’t and haven’t sold Pegasus to a country that is known to violate human rights and imprison journalists and go after activists?

SHALEV: I only say that we are selling Pegasus in order to prevent crime and terror.

JACK: That’s Shalev Hulio, the S in NSO, and that’s the typical response from the NSO Group. What they do is they sell their software to governments and intelligence agencies to help prevent crime and terrorism.

LESLEY: How many lives do you think Pegasus has saved?

SHALEV: Tens of thousands of people.

LESLEY: Really?


JOHN: It’s interesting; NSO has made so many claims about their product that turn out not to be accurate. I want to believe that it’s true that they’ve saved lives, and I have to imagine that this is how the smart people who work at that company continue to come to their desks everyday, which is their management shows them cases and says look, here’s a case where we did some good. What concerns me is that that narrative is used to paper over these really problematic cases of abuse. At the end of the day, the measure of any technology is how it winds up getting used against vulnerable people, not just how it helps. What really concerns me is the idea that you can just sort of say you know, here’s a technology that saves lives. Well, no; what saves lives is police and security forces doing their jobs. They may be enabled by technology, but doing their jobs. What takes lives is when those same security services abuse their power and abuse the technology that they have to harm people. We don’t have many public cases of NSO successes. We’ve got a lot of cases of harm.

JACK: We know about cases where NSO has done harm because when things go wrong for NSO, it becomes known. It’s big news and when things go right, it’s kept quiet and the secrets are retained. But there is one story that we do know of where Pegasus actually helped.

JOHN: [MUSIC] Let’s talk about Mexico. So, from that initial discovery of Ahmed Mansoor, a lot of things followed. We found evidence that the spyware was potentially active in Mexico.

JACK: So, before John at Citizen Lab even had a copy of the Pegasus spyware, the Mexican government likely purchased Pegasus to aid them in catching cartel leaders and drug lords, because it’s hard to know where their hideouts are or how they’re organizing since they use phones and encrypted messaging apps to communicate. Again, here’s Lesley Stahl with 60 Minutes talking with one of the founders of NSO.

LESLEY: It’s been reported that Mexican authorities used Pegasus to capture drug lord Joaquin Guzman, better known as El Chapo, by tapping the phones of a few people he talked to while he was on the lam.

SHALEV: I read it in the newspaper, the same as you.


SHALEV: In order to catch El Chapo, for example, they had to intercept a journalist, an actress, and a lawyer. Now, by themself, they’re not criminals, right?

LESLEY: Right.

SHALEV: But if they are in touch with a drug lord and in order to catch them you need to intercept them, that’s a decision that intelligence agencies should get. What if you can prevent the 9/11 terror attack? For that, you had to intercept the son, the sixteen-years-old son of Bin Laden. [MUSIC] Would that be legit or not?

JACK: That is an interesting ethical issue. If you’re trying to capture a really dangerous person, you might have to go through someone they trust to get to him. So, now you’ll have people who are totally innocent getting spied on and infected with the Pegasus malware.

JOHN: Well, that’s a really interesting case and one funny feature about it is that NSO has made a bunch of claims about the use of Pegasus targeting El Chapo which have been contradicted by many statements by the Mexican government, so the truth – who knows exactly where it lies in that case? But to the greater point which is the question about off-center targeting; now, it’s obviously the case that investigations sometimes proceed that way, right? You climb your way towards a potential target. The issue, really, is cases of success don’t falsify the problem of abuse. At the end of the day, even if a technology like this can be used for good, there’s really good evidence [00:25:00] that it’s susceptible to abuse, and the conclusion that I think people should draw is not hacking is – you know, they should never be technologically empowered to conduct investigations, but rather their behavior needs to be carefully overseen, otherwise there will be abuses and those abuses will have deleterious effects on our democracy. It’s the same as police in the United States and anywhere else. It’s not that we don’t need them; it’s that they need to be carefully overseen and legally accountable. What we saw in Mexico was that when you shook that tree, you just found more cases of abuses than you could count.

JACK: Let’s take a look at some of those cases. John and the team at Citizen Lab were seeing lots more cases of Pegasus being used on people in Mexico.

JOHN: We found that a consumer advocate, a public health scientist, and a health advocacy organization had all been targeted with Pegasus spyware. [MUSIC] This really caught our attention because one of the people, the public health researcher, was the director of a national public health lab, a government lab in Mexico. Why were these people being targeted with Pegasus? Well, it turned out that the thread that sort of connected them together was that they had all been advocating for more taxes on soda as a means to reduce childhood obesity. Now, why on earth, you might say, are a bunch of people who are concerned about childhood obesity being targeted with this creepy nation state tool? We don’t really know, but the most likely explanation is that somebody linked to the Mexican Pegasus operator was doing a favor for business, business that saw this kind of taxation as a potentially serious threat to their bottom line.

JACK: Hm, that’s some shady stuff. I mean, we know about lobbyist groups that pay or bribe government officials so they can vote a specific way on issues like increasing soda tax. This is along those lines, but it takes it a step further. It sounds like certain big businesses who would be hurt by this soda tax were somehow getting the Mexican government to use Pegasus to spy on people who wanted to raise the tax. This is obviously not used to fight terrorism or crime. In fact, it’s the opposite; it’s using the spyware to actually conduct criminal behavior.

JOHN: From that initial case of three, we found a dozen cases of Mexican reporters; their minor children located in the United States, lawyers representing the families of victims of cartel kidnappings, the wife and colleagues of a journalist who had been slain by a cartel, and so many other people in Mexico all targeted with Pegasus. The way that that research worked kind of encapsulates our approach at the lab, which is we worked with a bunch of local organizations, gave them guidance on the kinds of things that we were looking for, messages that might look like this, and then worked through large sets of messages comparing them and examining them against lists that we had previously developed of NSO exploit infrastructure, and this allowed us to quickly parse through large volumes of potentially suspect messages.

JACK: I just want to recap something here for a second for clarity; NSO doesn’t operate the Pegasus spyware. They just make it and then license it or sell it to governments around the world. Then from there it’s then operated by law enforcement entities, military, and intelligence agencies. In this case, NSO sold the tool to the Mexican government and from there, it’s now someone within the Mexican government or affiliated organization who has control of it. They must first send a text message to their target to get them to click the link. Once the victims click the link, the phone becomes infected with spyware, unveiling their location, turning on their mic, and everything. But then that data is not sent to NSO; it’s sent to their Mexican government or whoever’s operating the tool. So, NSO is really hands-off on the whole operation and claims they don’t know how the tool is used or who it’s being used on.

JOHN: The first case that we found was a Mexican journalist named Rafael Cabrera. [MUSIC] He was tweeting that he had been getting these messages masquerading as Uno TV, so masquerading as a TV station providing updates, and they were specifically referring to updates around a presidential scandal, the so-called Casa Blanca scandal. So, it’s a big scandal in Mexico, Watergate scale, and these messages were purporting to be information about that scandal. We actually learned later that the primary journalist who discovered that whose name was Carmen Aristegui, a tenacious investigator, she had also been targeted with this kind of message, and much of the targeting that we saw in Mexico wasn’t just tailored and relevant; some of it was gross. So, one of the victims of Pegasus, of targeting, was sent messages saying [00:30:00] your daughter has just been in a car accident. Here’s the hospital she was taken to, naming his daughter by name. I mean, these messages were ridiculous. One of them was like, you don’t have the balls to watch how I make-out with your partner. Look at how good we’re – in bed.

Just ridiculous jokey stuff, like things that would be preposterous. Some of this stuff is just like boring, super untargeted, like a purchase notification; your card has been charged with the amount of $3,500. Please see details here, right, or stuff about – dear client, there’s a payment problem associated with your service; please see here. But then it would get really pretty direct, so for example, one of the messages coming from usembassy.gov sent to a person who had an embassy – who had a visa application with the US embassy in Mexico City, and it was usembassy.gov; we detected a problem with your visa. Please go to the embassy quickly. See details here. Right? That’s the kind of thing that’s gonna get discovered pretty quickly. But it again suggested the operators doing this were pretty brazen. Then you get stuff that’s fairly personalized, right? So like, Carlos; hi. Again, they’re spreading rumors about you and supposedly they took pictures of you and put them on TV. Here, have a look. Or hey, Juan, my father died this morning and we’re devastated. I’m sending you information about the funeral. I hope you can come.

Or Carmen, my daughter has been missing for five days and we’re desperate. I would be so grateful if you could help me by sharing a photograph of her. Or people pretending to be sources, so like, hey, I have key and trustworthy evidence against public service. Please help me do something with this information. Like, they even sent messages to the minor child of Carmen Aristegui who’s away at boarding school in the United States. He was a kid, okay? Messages that he got included; beheaded journalist found in Veracruz threatening narcos. Details in photos. Link; right? This is a kid whose mother is a journalist. Obviously, I’m – these are my janky translations from Spanish, but the point is the messages are crude, but in many ways they’re effective. It makes my blood pressure bump up just reading some of this stuff, which to me pointed to the broader issue which was this technology was in the hands of a bunch of operators who were behaving like thugs and who couldn’t resist sexual taunts even as they were trying to infect people.

JACK: The point of all these messages was simply to get someone to tap on the link on their phone. It sounds like there was no ethical line that they couldn’t cross when trying to get people to click a link.

JOHN: One thing worth keeping in mind, right; human behavior is the forever day and clearly the security people who were behind this were trying to sort of amp up the emotional con to their messages in order to get a click.

JACK: Mexico seems to have used this tool for much more than just catching drug traffickers.

JOHN: What’s interesting about the Mexican case is its scope. It’s like, every sector of what we would call civil society in Mexico, from reporters to people trying to hold the government accountable, to people defending the families of kids who had been abducted by narco gangs, to the family members of people who had been assassinated. Everybody got targeted with this stuff. The case though that really has stuck with me the most in Mexico was the case of Javier Valdez. Valdez was the publisher of a small newspaper called Riodoce based in Sinaloa. Riodoce did the very dangerous thing of exposing official corruption and contacts with narco gangs. Not a very safe thing, but this guy was tenacious and he was well-known and he was absolutely without fear. One day as he was just outside of his office, he was pulled from his vehicle, riddled with bullets, and then his laptop and phone were taken and he was left lying in the middle of the street.

JACK: Since his phone and laptop were taken, we don’t know what was on it but we do know the days after his death, his grieving wife and his colleagues were all targeted by Pegasus.

JOHN: They were targeted during a time period when they were arguing that the official investigation was not proceeding forward.

JACK: This is definitely strange, that instead of them investigating the narco gang that did this, the Mexican government was spying on his colleagues and his widowed wife. I mean, this is no way to run an investigation, that’s for sure. If you want to get answers from his wife, sit her down and talk with her. Don’t place spyware on her phone. The question arises now, is this NSO’s fault for spying on these innocent people or is it the Mexican government’s fault? One person stands out in the Mexican government; Tomas Zeron. He was the director of Mexico’s equivalent of the FBI when all this was happening.

EDWARD: [MUSIC] It was Zeron’s office that had purchased a license [00:35:00] of NSO’s Pegasus.

JACK: Yeah, that’s Edward Snowden’s voice. Citizen Lab, Amnesty International, and Forensic Architecture put together an interactive site to explore this timeline and to hear stories from victims of Pegasus. This site is called digitalviolence.org and there you can watch a video about Pegasus spyware. Yeah, they have Snowden narrate it. Anyways, it was this Zeron guy who was working for the Mexican government who probably bought Pegasus.

EDWARD: Zeron was subsequently charged by the incoming Mexican administration with torture and enforced disappearance. He was issued an Interpol arrest warrant and has fled Mexico. Incidentally, his last recorded movement is to have entered Israel in August of 2019 where he’s believed to be currently hiding.

JACK: We’re gonna take a quick break, but when we come back we’ll learn how Saudi Arabia uses Pegasus. NSO has also sold their spyware to the government of Saudi Arabia and there’s a case that made world news which involves Pegasus.

HOST1: As investigators try to find out what happened to Jamal Khashoggi…

HOST2: Saudi Arabia confirms that the journalist Jamal Khashoggi is dead.

HOST3: Jamal Khashoggi’s loved ones want some form of closure.

HOST4: Saudi foreign minister saying this was all a terrible mistake.

JACK: Jamal Khashoggi was a journalist from Saudi Arabia. He was close to the royal family until Mohammed bin Salman was appointed Crown Prince. After that, Khashoggi was banned from writing and tweeting and was facing repression from the government of Saudi Arabia. He then fled the country and started speaking out against the repression of Saudi Arabia. [MUSIC] In October 2018 he went to Turkey and was lured to the Saudi consulate building to arrange for papers for a safe return to Saudi Arabia. As soon as he entered the consulate building, he was strangled, killed, and dismembered. A month later, the CIA determined that it was an assassination ordered by the Crown Prince Mohammed bin Salman. At that same time, the team at Citizen Lab was busy trying to figure out new ways to find who was infected with Pegasus spyware, and this led them to a Saudi living in Montreal, Canada whose phone was infected with Pegasus. So, Citizen Lab reached out to this person and it turned out that he was in close contact with Jamal Khashoggi, texting with him frequently.

If Khashoggi’s close friend had Pegasus on his phone and if Saudi Arabia had bought Pegasus to use as they wish, and adding it up, the theory is that the Saudi government used Pegasus to spy on Khashoggi in order to ultimately assassinate him. After his assassination, his phone was not recovered so we don’t know for sure if it was infected or targeted, but if so, this is a case when a human rights activist or journalist was killed with the help of Pegasus. It’s a bit strange to me because his killers didn’t need to know where Khashoggi was because he had an appointment to meet them at the Saudi consulate building in Turkey. Instead, it’s more likely that they used Pegasus to see what he was going to do next and who else connected with him. Having this kind of information is likely what they used to make the case to assassinate a journalist.

JOHN: It highlighted something that later became increasingly apparent which is there was a troubling nexus between cases of physical violence and the use of this kind of targeted spyware, adding a new dimension to the concept of find, fix, and finish.

JACK: [MUSIC] Looking at all the times Pegasus was used, there’s a common thread that some kind of physical action often takes place after a victim is targeted. In this case someone was murdered, but in other cases there’s jail time, physical threats, attacks, and intimidation that happens to Pegasus’ targets.

LESLEY: The word is that you sold Pegasus to them and then they turned it around to get Khashoggi.

SHALEV: Khashoggi murder is horrible, really horrible, and therefore when I first heard their accusations that our technology had been used on Jamal Khashoggi or on his relatives, I started an immediate check about it and I can tell you very clear, we had nothing to do with this horrible murder.

LESLEY: It’s been reported that you yourself went to Riyadh in Saudi Arabia. You yourself sold Pegasus to the Saudis for 55 million dollars.

SHALEV: Don’t believe newspapers.

LESLEY: Is that a denial? No.

JACK: The Washington Post published an article which said that Khashoggi’s wife’s phone was analyzed after his death and it was discovered that his wife’s phone received multiple [00:40:00] messages that if she clicked it would infect her phone with Pegasus. But she does not remember if she clicked the link or not, and there’s no forensic evidence that her phone was infected. Khashoggi also had a fiancée and her phone was in fact infected with Pegasus days after Jamal’s murder. So, we have a conflicting story here. Shalev told us that they had nothing to do with the murder, and then there are three phones of family and friends of Khashoggi that were targeted. Someone’s not telling the whole truth.

LESLEY: We asked Shalev Hulio if his investigation explored the wider circumference around the slain journalist.

SHALEV: I can tell you that we’ve checked and we have a lot of ways to check, and I can guarantee to you our technology was not used on Jamal Khashoggi or his relatives.

LESLEY: Or the dissidents?

SHALEV: Or the relatives.

LESLEY: Like, Omar Abdulaziz and…

SHALEV: I’m not going to get into specific. I’ll tell you that if we will figure out that somebody’s misused the system, we will shut down the system immediately. We have the right to do it and we have the technology to do it.

LESLEY: It begs the question, did you shut down the Saudis?

SHALEV: I’m not gonna talk about customers and I’m not gonna go into specific. We do what we need to do. We help create a safer world.

JOHN: My big concern is that there is a market that is pushing companies like NSO to put their technology in the hands of as many people as they can. When that happens, abuse is just a certainty.

JACK: Hm, obviously NSO is a for-profit company and wants to make money from their software. Obviously there are people around the world who want this software to make it easier to spy on people. But there’s no good regulations on who can sell software like this and who can buy it. Snowden wants there to be a ban on all mobile spyware. I personally think something is wrong when a company’s business model is not to sell the cure but instead to sell the virus. But since there’s no international law forbidding this, it means we have to rely on the ethical and moral judgments made by NSO Group’s staff and leadership.

LESLEY: What do you do when your customer has a definition of terrorist that isn’t our definition? In some countries, the opposition are terrorists.

SHALEV: No such thing. Every customer that we sold had a very clear definition of what terrorism is, and it’s basically bad guys doing bad things in order to kill innocent people in order to change the political agenda. I never met with a customer that told me that oppositions are terrorists.

LESLEY: Well, they’re not gonna tell you.

SHALEV: But if they will act like that…


SHALEV: …they will – not gonna be a customer. There are more than a hundred countries, hundred countries that we will never sell our technologies to. I can tell you that in the last eight years that the company exist, we only had real three cases of misuse. Three cases out of thousands of cases of saving lives. Three were the misuse, and those people or those organization that misused the system, they are no longer a customer. They will never be a customer again.

JACK: Well, in Mexico alone, Citizen Lab discovered twenty-five cases of abuse, so all they need to do is read Citizen Lab’s report to find more, and they do read Citizen Lab’s report and have said publicly that those reports are not accurate.

JOHN: I think one of the interesting things about NSO is that NSO has lost a lot of credibility among reporters and others because they keep issuing denials that later prove to be falsified. Part of the problem is I would prefer a world in which the developers of spyware acknowledge that there was a problem and try and work to limit that problem. Instead of which, you have a company that basically denies the problem until they can’t deny it anymore, then they fall silent and switch to talking about something else. Right? That’s exactly what we don’t need if as a society we’re gonna figure out how to live in a world where this kind of sophisticated technology is used by police and security services.

JACK: There’s one more clip from this 60 Minutes interview I want to play for you. In this part, Lesley Stahl is interviewing Tami Shachar, NSO’s co-president.

LESLEY: To protect against misuse, she says, NSO has three layers of vetting potential customers. One by the Israeli Defense Ministry, a second by its own business ethics committee, and thirdly…

TAMI: Our contractual agreements have our customers sign that the only intended use of the system will be against terror and crime.

LESLEY: Oh, they sign. Come on. You have an autocratic government and they say oh, we’re not gonna use it except against criminals, and you just believe them? [00:45:00] No. Come on. Come on.

TAMI: As I said, the contractual agreement comes after two layers, and you know, I would love for you to sit in one of our business ethics committee. We have a tough discussion, because imagine a country is facing major terrorist threats. At the same time, they have some corruption issues and you have to sit in that room and weigh what is more important; to help them fight terror or maybe there is a chance that it’s gonna be misused. It’s not a black and white answer. It’s a tough ethical question.

JOHN: This language of like, saving lives and stopping terrorists, we know that language. We know it because it was the same language that was used right after September 11th to push the Patriot Act and it’s the same language that tyrants have used to promote nationalism and authoritarianism. So, what scares me is that we inadvertently – if we buy into that language without being critical about it, without thinking critically, we inadvertently play into it and we inadvertently support that world. I think there’s absolutely room for smart people to work with authorities to do lawful targeting, absolutely. In fact, it happens every day. What’s concerning to me about players like NSO is that they’re totally unaccountable. In fact, they’re in court right now denying that they should even be accountable for hacking a US company and its users.

JACK: Ah, yes. So, let’s talk about that court case.

PETER: [MUSIC] Hello, and welcome to the program. I am Peter Dobbie. NSO has faced a number of lawsuits, one of them from WhatsApp.

JOHN: [MUSIC] This was a really interesting case. In the spring of 2019 it became apparent to us that something was going on with WhatsApp. We had been working with a lawyer who was representing some victims of Pegasus spyware, and he had been getting these bizarre missed video call notifications. As he described it, something really weird would happen. He would get woken up in the middle of the night and look at his phone and see a missed video call. He’d go back to sleep, he’d wake up in the morning, he’d look at his phone…

JACK: But there were no missed video calls when he looked at his phone. This would happen over and over; attempted video call on WhatsApp, he wouldn’t answer the call, and then it wouldn’t show him that someone tried to call.

JOHN: So, we began monitoring his device to try to figure out what might be going on. It turned out that he was targeted with what we now know to have been a zero-click exploit against WhatsApp users.

JACK: A zero-click exploit. Oh man, this just got so much worse. Now you don’t even need to click a link. NSO found a way to exploit WhatsApp to take over someone’s phone without them needing to do anything. Of course, once the phone is taken over, they can go back and delete all traces, like that missed video call where the infection took place. A zero-click exploit like this means there is nothing you can do to protect yourself against this. There’s no link that you need to click and your phone is infected automatically even if you have the latest and greatest model and software. Citizen Lab reported this to WhatsApp but WhatsApp was already investigating similar attacks through its protocol. They patched the app so this couldn’t be exploited anymore and as it turned out, NSO was in fact selling this exploit to its customers which I guess makes sense; WhatsApp is a wildly popular chat app that exists on a good percentage of all phones worldwide. NSO sorta needs multiple exploits depending on who the target is. They already had a way to exploit iPhone users but now they have a way to exploit WhatsApp users.

JOHN: Since the time of that initial discovery, WhatsApp has sued NSO…

JACK: Keep in mind, WhatsApp is owned by Facebook, so they have quite the team of lawyers.

JOHN: …and has, in some recent court filings, published some kinda bombshells suggesting that NSO owned and operated the servers that were used for the exploitation.

JACK: Whoa, if NSO owns the hacking systems and servers that these exploits are carried out from, then this changes a lot.

JOHN: Because for years, NSO – these other spyware companies have kind of said whenever they’re questioned about abuses, look, we don’t run this stuff. We sell it to customers and they do their thing. What WhatsApp’s latest filings in this case have shown is that NSO does appear to run some of this infrastructure which makes it look like they’re doing something more like hacking as a service. This is interesting for a number of reasons. It’s interesting because it challenges the idea that NSO wouldn’t know what its customers are doing and wouldn’t be able to exercise some oversight. [00:50:00] From a national security standpoint, it’s also really interesting because it suggests that NSO might be able to look over its customers’ shoulders and see who they were infecting with this technology.

JACK: It also means that NSO isn’t being honest when they explain how this software works, that they just sell it and have nothing to do with it after. This lawsuit was issued in October 2019 in San Francisco, but as of this recording in 2021, the case has not yet gone to trial.

JOHN: So, what’s happened with that case is that NSO has tried to appeal the case perhaps in a strategy to stop discovery. So, right now the effort by NSO to basically have the case dismissed is currently underway. Both sides have presented their arguments. In addition, a who’s-who of tech companies and civil society organizations have all thrown weight behind the WhatsApp/Facebook case.

JACK: Companies joining in on this case are Microsoft, Cisco, GitHub, Google, LinkedIn, and VMware.

JOHN: Major players have all come in and said look, this case is really important and we think that this is a really critical case. You have a whole bunch of tech companies plus a bunch of civil society organizations all coming in and saying to the judge look, don’t let this case be dismissed. This is super important. Besides, NSO’s legal claims don’t hold water. Citizen Lab isn’t a part of that case but we’re of course watching it really closely.

JACK: [MUSIC] Just a few weeks ago, NSO hit the news again, something called the Pegasus Project, which is a group made up of eighty journalists and seventeen media companies in ten different countries. They all came together to compile and investigate all reported cases of Pegasus infections. During their research, they somehow got ahold of a leaked list of 50,000 phone numbers who they claim are possible targets for Pegasus spyware. These potential targets include activists, human rights defenders, journalists, and even government officials like the president of France and the daughter and ex-wife of the ruler of Dubai. But I feel like this news story was slightly misreported; the 50,000 phone numbers on this list were potential targets. It doesn’t mean that they actually were targeted by Pegasus. It just means that people who had access to the Pegasus spyware were interested in these 50,000 people. Shalev Hulio, who is the S in NSO, was questioned about this in an Israeli news outlet called Calcalist.

He said that this list of 50,000 phone numbers has nothing to do with the NSO Group and they wouldn’t even have such a list like this to begin with. He thinks the list was probably derived from some kind of HLR lookup system. HLR stands for Home Location Register and it’s like a database that phone companies have that you can use to look up phone numbers to see if those are registered phone numbers. Someone familiar with how Pegasus works said that Pegasus has HLR lookup capabilities within the tool. But Shalev Hulio said something else that’s really interesting to me. He said he was first notified of this weeks before the list was announced and that someone notified him that one of his servers in Cyprus was hacked and the entire NSO target list was stolen. I confirmed they do have servers in Cyprus, but Shalev said it’s impossible to have the NSO target list stolen since NSO doesn’t have such a database or list of targets because each customer runs their own instance and infrastructure for Pegasus to run, and there’s no central repository of data. But something isn’t adding up here. Why is there a list of 50,000 phone numbers and why would Shalev admit that the NSO was breached and tell us the entire NSO target list was stolen but then deny that such a list even exists?

A few months ago, the NSO Group put out their very first transparency and responsibility report. In it, they say that customers are contractually obligated to provide logs to NSO which includes which NSO product they use, how the process was done, why they used it, the duration of use, and who was targeted. So, if that’s the case, then the NSO does have a way to collect logs from its customers and maybe they do have a central place to store those logs. Amnesty International is who initially released this report about the 50,000 phone numbers, but they won’t say how they got it since that could put certain people in danger or burn their source. The Pegasus Project does list eleven countries which show signs that they probably have Pegasus. Those countries are Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates. Oh, and I learned more about Rwanda’s use of Pegasus. If you know the story of Hotel Rwanda, then you might have heard that the manager of the hotel was arrested last year on terrorism charges. He is not a terrorist; he’s a human rights activist. Now, I don’t know what’s going on with his phone, but a report from The Guardian recently came out and said that the American [00:55:00] daughter of the manager of the hotel was targeted with Pegasus. This leads me to believe that the Rwanda government is using it to spy on activists.

Officially, the Rwanda government says they deny that they have Pegasus or use it at all, but one of the former heads of Rwanda’s national intelligence was actively spied on with Pegasus when he became an opposition for the current administration. On top of that, there’s a Financial Times article that came out which also outlined how over six Rwanda activists were targeted by Pegasus, and the article goes on to say that people who are opposed or outspoken of the current government party of Rwanda sometimes become missing or go to prison or have to flee the country because of threats or end up killed. This just adds to the pattern of abuse that follows this spyware around. The transparency report that the NSO Group put out said they have sixty customers in forty countries. Forty countries are their customers. That’s 20% of the countries in the world have access to this Pegasus spyware. The NSO transparency report says the NSO Group has a list of fifty-five countries that they refuse to do business with because of human rights abuse, corruption, or regulatory restrictions.

They do say in the report over and over how much they support human rights, and they say they continually investigate their customers, looking for signs where their customers have abused the tool, and they say that they’ve found that the tool has been abused only half a percent of the time, which would mean that one out of every two hundred targets is a misuse of the tool, which I find to be an unbelievable statistic because in one interview with Forbes, Shalev Hulio from NSO said the average customer has only one hundred targets and we know of over twenty instances where in Mexico alone this tool was misused. But this Pegasus Project highlights hundreds of cases of misuse. Overall, this NSO transparency report seems like PR fluff to me. There’s nothing transparent about it. Like, Lesley Stahl from 60 Minutes asked Shalev point-blank if he cut ties with Saudi Arabia after it came out that Khashoggi was spied on with Pegasus and murdered. But Shalev refused to talk about any customers. Well, this transparency report refuses to talk about customers, too. It would have been nice if they highlighted the same instances of abuse that the Pegasus Project highlighted and pointed out that these are the specific reasons why we cut ties with these specific countries and listed those countries by name. That would be transparent.

But that’s not what was in this report, so I’m hesitant to believe any of the stuff written in this transparency report is even true. But when this bombshell allegation came out that there’s a list of 50,000 potential targets of Pegasus, NSO got mad and posted a new article on their website titled Enough is Enough, and it said the Pegasus Project report had complete disregard of the facts and that NSO will no longer be responding to media inquiries. I’ve gotta laugh at that part; no longer responding to media inquiries? Are you kidding me? I’ve been inquiring for three years now and you’ve refused to talk before this was happening. Now you’re telling me your official stance is to refuse to talk about it because another report came out. I don’t know how you think this makes you look, but it doesn’t make you look good. Anyway, the article goes on to say that there are no connections between the 50,000 phone numbers and NSO and any claim that there is a connection is erroneous and false. They give a flip-flop statement saying that they don’t have any of their customers’ data, but their customers are obligated to provide data if the NSO Group asks for it. NSO, this means you do have customer data. You need to pick a side here; you either don’t have any customer data or you have total access to customer data. You can’t say it’s both.

Then they end by saying NSO’s mission is to save lives by helping governments around the world prevent terror attacks, break up pedophilia, sex and drug trafficking rings, and locate missing children and people, and protect airspace from unauthorized drones flying over. Yeah, that’s great, but again, if countries use the tool for good, it doesn’t negate the fact that the tool is frequently used to spy on the wrong people and do harm to civil society. Someone needs to hold NSO accountable for getting this tool into the wrong customers’ hands. Think about it like this; a while back I did an episode on the Butterfly Botnet. The people who used this botnet to attack with and cause destruction with, they got arrested. Okay, that makes sense; they did a criminal act. But the person who made the Butterfly Botnet got even more prison time than the criminals, and that’s because he created malware with the intent to do harm with it. Here we have NSO creating malware to hack into people’s phones. But the only difference [01:00:00] is NSO says they make the tool to help save lives.

But if they continue to do multi-million dollar deals with oppressive regimes who use the malware to attack civil society over and over, then the NSO Group needs to be held accountable for that. They obviously know how dangerous this malware is and if they had any kind of notice that a person they’re selling it to may use it to commit some non-lawful activity with it, then that alone should be enough to get them in trouble for what they’ve been doing. Anyway, in July 2021, Israeli government officials visited the offices of the NSO Group. It looks like they came to review their export licenses and audited NSO to see if they’ve done anything wrong. It’s fuzzy and we’re not sure what actually happened here or what’s going to happen, but it’s not a good sign when your government comes to your offices and starts looking through your documents. Now, you might be wondering wait a minute, haven’t all these Pegasus vulnerabilities been fixed? Like, didn’t Apple fix that one when John reported it and WhatsApp fixed theirs? Is this even an issue still? Actually, yeah, it is an issue still. They have a new version of Pegasus. Apparently NSO has many different exploits that they can use to get the Pegasus spyware onto phones.

JOHN: Every time there’s an exposure like this, NSO makes a bunch of brave claims in public and off the record to people that they came right back online with some new exploits, and their narrative is that they’ve always got something in the pipe. I think one thing to consider here is that we know, of course, you burn an exploit chain, you make something public, there’s a big technological cost to getting back online. Moreover, you may have a whole lot of customers with devices that are already infected out there but that are now beaconing to infrastructure that is known by security researchers and others. It’s a huge cost to customers of getting back online. I think we’re still learning as we watch the NSO example just what constitutes real disruption and what constitutes the cost of doing business. It seems to be in the same way that certain cowboy capitalist firms view fines; I’m tempted to say NSO may view the exposure of some of its exploits as part of its cost of doing business. Certainly it’s not – it seems – in want for capital.

JACK: I guess this is one reason why NSO is so focused on Citizen Lab, because Citizen Lab has fixed these vulnerabilities that Pegasus uses a few times, and it’s extremely costly for NSO whenever Citizen Lab discovers a new one and reports it. So, it makes sense for NSO to be very interested in what John and his colleagues are doing at Citizen Lab, because they’re exposing a very powerful organization. But this isn’t just the work of Citizen Lab. Lots of other organizations have all researched and published articles about NSO’s spyware. Lookout Security has analyzed malware and published reports. Amnesty International has also publicly exposed other things that NSO Group has done. So, that brings us back to Black Cube spying on John Scott-Railton and Citizen Lab. Why would they do that? Well, Black Cube is just a for-hire spy agency, so they likely didn’t come up with this idea themselves. Somebody probably hired them to send a spy to the US to meet with John. As John was thinking about who could have possibly hired Black Cube to spy on him, some news came out with more information.

JOHN: After we realized that both myself and my colleague Bahr were targeted, the AP uncovered four more people who all were supporting victims, including a journalist and lawyers. It appeared part of a coordinated effort to get information about legal cases against NSO, and ultimately if you look at it, to frustrate the ability of victims to get justice. These were lawyers representing the parents and – parents of children who had been disappeared by the Mexican government. These were not lawyers for wealthy people. These were lawyers for victims. The case really to me highlighted the extent to which somebody with deep pockets was trying to basically blunt any attempt by those victims to gain justice.

JACK: John and his colleague at Citizen Lab were targeted by Black Cube spies, and they asked a bunch of questions about Citizen Lab’s interest with the NSO Group. Then there were a few lawyers of victims of NSO who were also spied on by Black Cube. So, if you connect these dots together, does this answer the question of who paid Black Cube to spy on John?

JOHN: Well, I think I’ll let your listeners make the judgement of what this might indicate.

JACK: [MUSIC] [01:05:00] Hm, okay, let’s do a thought experiment here. If the NSO Group paid Black Cube to spy on its critics, then what does that mean? Well, in my opinion, it puts the NSO Group in an ethically indefensible area because NSO just sells spy tools. They claim they don’t do any of the spying themselves, and so every time you try to put your finger on some action that the NSO Group did wrong, they just step aside and put blame on their customer. Since they are so secret and hidden about what they do, you really don’t know how much they should be blamed for. But in this case where Black Cube spied on Citizen Lab and lawyers of victims of the Pegasus software, if the NSO Group is who paid Black Cube to do that, then this is a clear case of where the NSO Group themselves did something unethical. Not their customers, but them. If that’s the case, does that show their true colors of what kind of company they really are? Because if they are an unethical company, you can’t believe what they tell you and you can’t trust them to make ethical choices like who to sell their spyware to.

Oh, and I also want to mention that this spyware might be coming to a police department near you. Joseph Cox at Motherboard wrote a story last year that the NSO Group tried to sell its spyware to the San Diego Police Department. NSO Group goes by many names. Here in the US they call themselves Westbridge Technologies, and Omri, the O in NSO, has spearheaded NSO’s presence in the US. In fact, his office is in New York. It also sounds like the FBI might be conducting an investigation on the NSO Group. Joseph Menn at Reuters wrote an article saying that the FBI was trying to determine if the NSO Group got any of its exploits from Americans. But I also imagine that the FBI would be concerned about whether or not foreign entities use Pegasus to spy on Americans. I mean, it should be a crime under the Computer Fraud and Abuse Act to gain unauthorized access to someone’s phone or computer, because you can’t just hack into someone’s device without their express consent. That’s illegal.

So, I do hope US authorities are collecting information on what Americans have been targeted and whoever’s doing it get in a lot of trouble for it. But this is the sort of grey area of this whole thing. NSO claims that what they’re doing is selling a lawful intercept technology and should only be used when law permits and there’s permission to do so. But there doesn’t seem to be any consequences to governments who abuse this tool. I just hope that my country has my best interest in mind and that if I get spied on illegally using this tool that the authorities care enough about it and punish those behind it, because I’ll never be able to win a security battle which is me versus a billion-dollar company like the NSO Group. I can do things to be safer but I will never feel safe, not until my government fully has my back on these issues.

(OUTRO): [OUTRO MUSIC] A big thank you to JSR, John Scott-Railton, from Citizen Lab for doing all this research, being fearless in the face of the enemy, and publishing countless reports on threats towards civil society. You can learn more about his work by visiting citizenlab.ca. Okay, so, I made it to Episode 100. Whew. With that, I’m gonna take a break, but just for two weeks. So, I’m sorry, but there will just not be an episode in two weeks. If you’re wondering, I’m headed to the beach and I’m just gonna unplug and be as low-tech as I can for a while. If I add up all the episodes, I’ve written about fifteen novels’ worth of stories now. My fingers are sore. But look for another episode in four weeks. This show is made by me, the spaghetti coder, Jack Rhysider. Our theme music is by the elusive Breakmaster Cylinder. Even though I’ll be on break next week, I’m still going to my hacker support group that I’m in. It’s called Anonymous Anonymous. This is Darknet Diaries.



Transcription performed by LeahTranscribes