Pluralistic: 24 Oct 2021

The FORCEDENTRY exploit on the phone of the Saudi activist, taken from Citizen Lab's 'Breaking the News' report.

Cyber-mercenaries helped Saudis hack an NYT reporter

The NSO Group are among the world's most notorious cyber-mercenaries; they're an Israeli firm under UK/EU private equity control (the owners have previously threatened to sue me and other journalists for reporting on the company's ownership structure).

The company claims to be a "lawful interception" supplier, helping democratic, human-rights-respecting governments to spy on terrorists. Their extreme secrecy helps them sell this tale, but thanks to a group of academic human rights researchers, we know better.

For years, the University of Toronto's Citizen Lab – a group of tech-savvy human rights defenders – have helped civil society groups defend themselves against cyber-threats from oppressive states. Don't let the "cyber-threats" part fool you: digital surveillance is the prelude to mass arrests, disappearances, torture, and murder. It's thanks to Citizen Lab that we know the truth about the NSO Group.

The truth, then: NSO isn't in the counter-terrorism business. Its signature weapon, a devastating surveillance tool called Pegasus, has been used in at least 45 countries, including some of the world's most brutal autocracies.

It has been widely deployed against human rights workers and journalists – more than 50,000 people have been attacked with NSO's weapons:

There is no target too petty or insignificant for NSO's customers. For example, NSO weapons were used against Mexican anti-sugar campaigners, and their young children:

The NSO Group's intimidation tactics don't stop with legal threats against journalists. After Citizen Lab broke a string of NSO Group stories, it was targeted by ex-Mossad "private security" mercenaries working for the same firm that did Harvey Weinstein's black-bag operations:

Wherever we find brutal autocrats, we find the NSO Group. Their tools were part of the Saudi royals' plot to murder and dismember the journalist Jamal Khashoggi, and were used again in a failed attempt to blackmail Jeff Bezos into ending the Washington Post's investigation into the slaughter:

The Saudi royals are a major NSO customer, and NSO tools like Pegasus are key to helping their secret police track down dissidents for detention, torture and murder.

The Saudi state doesn't always know who those dissidents are, but they know which journalists they talk to. That's why they used NSO Group's Pegasus malware to hack the New York Times's Ben Hubbard.

The technical forensics linking NSO surveillance to the hacks against Hubbard's iPhone can be found in Citizen Lab's new "Breaking the News" report:

Despite the damning evidence, the NSO Group insisted that its tools were not behind the attack, claiming that "contractual reasons and restrictions" made that impossible. It's the same excuse the company gave last July when a consortium revealed 50,000 uses of its malware:

NSO Group insists that its weapons are sold under the condition that they only be trained upon terrorists, thus whenever we discover them being used against journalists or dissidents, it can't possibly be their weapons.

Last July, Edward Snowden published "The Insecurity Industry," rebutting this claim:

Snowden's article reminded us that commercial surveillance and state surveillance can't be disentangled. Companies like the NSO Group are legal because state actors depend on them, so any attempt to rein them in gets clobbered by spy agencies who lean on lawmakers to halt legislation.

According to Citizen Lab's forensics, Hubbard's iPhone was compromised with a "zero-click" exploit – a security vulnerability that could be exploited without any user interaction. These are the scariest kinds of security defects, since there's nothing you, as the owner of an iPhone, can do to defend yourself against them.

Apple has patched that bug, thankfully, but it's certainly not the last defect that will creep into the iPhone's operating systems (indeed, similar defects might lurk in current versions). Apple often (and rightfully) boasts about its security prowess, but as this incident demonstrates, Apple alone can't be trusted to secure its devices.

Schneier's Law tells us that "anyone can design a security system that works so well that they themselves can't think of a way of breaking it." As with other forms of knowledge-creation, security is an adversarial process, requiring transparency and peer-review to validate its conclusions. There is no security in obscurity.

Apple has a managed process for security researchers, paying bounties in exchange for following a prescribed methodology, including restrictions on the timing and manner of disclosures. This is a great idea, but it's not enough. As we see with the NSO Group hacks, Apple's process misses defects that put its customers in mortal danger.

For obvious reasons, companies aren't good stewards of who gets to criticize their products, and how. It's not that it's impossible to report on a defect in irresponsible ways, but companies have an unresolvable conflict of interest that disqualifies them from deciding what constitutes "responsible" criticism.

Which is why it's such bad news that companies – including Apple – have used legal intimidation to control the conduct of security researchers. Most recently, Apple attacked Corellium, a tool that allows independent security researchers to investigate the inner workings of Apple's software to uncover defects.

(Apple lost the suit, thankfully)

The NSO Group and other mercenaries don't care whether Apple approves of their tactics. They will find and weaponize every error, and sell those weapons to monstrous tyrants. We can't afford to let companies' commercial priorities trump their users' right to know about defects in their products.

Rather than directing its fire against security researchers who find and disclose its bugs, Apple should follow WhatsApp's lead and sue the NSO Group for exploiting its technology:

It should terminate the accounts – personal and commercial – associated with NSO Group employees and executives and permanently bar them from using its services.

Last year, I published Attack Surface, the third novel in the Little Brother series, in which I tell the story of Masha, a young woman who works for a company like the NSO Group until she has a crisis of conscience.

At the time, I ran a series of virtual panels ("The Attack Surface Lectures"), exploring the themes in the book. The first one, hosted by the Strand, featured Citizen Lab founder Ron Deibert and EFF's Eva Galperin:

(here's the audio)

Attack Surface just came out in paperback:

My local bookstore, Dark Delicacies, has signed copies in stock and I drop by regularly to personalize them:

Last year, I ran a Kickstarter campaign to produce an indie audiobook (outside of Audible's DRM walled garden), read by Amber Benson. It was the most successful audiobook crowdfunding campaign in world history!

For the rest of this month, I'm selling an audio bundle featuring the audiobooks for all three Little Brother titles (read by Kirby Heyborne, Wil Wheaton and Amber Benson) for $30 (normally $70!).

This day in history

#20yrsago Tongan court jester loses millions betting on the deaths of six Americans

#15yrsago Former FCC Chairman shills against Net Neutrality

#15yrsago Warners stiffs African amputee film extras on prosthetics promise

#10yrsago Canada’s Supreme Court: Linking isn’t libel

#10yrsago ACLU: FBI practicing racial profiling on an “industrial scale”

#10yrsago Plotting advice for fiction writers

#10yrsago Densely-linked cluster of 147 companies control 40% of world’s total wealth

#5yrsago Facebook’s crackdown on publishers' feeds has sites paying celebs to repost

#5yrsago Tory minister’s filibuster kills Turing’s law and pardons for 65,000 persecuted gay men

#5yrsago Internet-destroying outages were caused by “amateurish” IoT malware

#1yrago ENDSARS

#1yrago Student loans are dischargeable

Colophon

Today's top sources: Gio Pulmonary (

Currently writing:

  • Spill, a Little Brother short story about pipeline protests. Friday's progress: 296 words (26246 words total)

  • Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. Yesterday's progress: 1018 words (26617 words total).

  • A Little Brother short story about remote invigilation. PLANNING

  • A nonfiction book about excessive buyer-power in the arts, co-written with Rebecca Giblin, "The Shakedown." FINAL EDITS

  • A post-GND utopian novel, "The Lost Cause." FINISHED

  • A cyberpunk noir thriller novel, "Red Team Blues." FINISHED

Currently reading: Analogia by George Dyson.

Latest podcast: Breaking In

Upcoming books:

  • The Shakedown, with Rebecca Giblin, nonfiction/business/politics, Beacon Press 2022

This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla