[cp-global] so ... how to address nso group / pegasus
yanosz
cp-global at yanosz.net
Sat Dec 25 10:36:52 GMT 2021
Hei folks,
typically, at crypto-parties, we talk about secure messaging, electronic
mail encryption, private browsing and day-to-day security tools.
Usually, folks entering crypto-parties are concerned about privacy or
surveillance. They're interested in private communications. Usually, we
present a tool-canon comprising of tor-browser / tails, signal / OMEMO,
GPG and browser-extensions, etc.
However, in my perception there's a noticeable change in the quality of
surveillance over the past approx. two years.
For instance, during the Snowden revelations, there was the quote
("saying") that strong cryptography is one of the few things one can
rely on. Breaking into encrypted communication was not possible on a
larger (e.g. nation-wide) scale and required some kind of special
operations tailored to an intelligence agency's target.
I don't think that this is the case as of today.
For me, it feels like, tools such as NSO's Pegasus became the de-facto
standard for surveillance and remote forensics:
For instance:
1) Here in Germany, the software was recently purchased by the federal
police (BKA) [1,2] (sorry, found no English sources). I think that this
is noticeable, because the BKA is not seen as a secret service, but as a
regular police agency (big difference here, due to the Nazi-past). The
purchase was executed by the agency itself (not a parliamentary debate -
sic). When asked, the minister of the interior made clear that the
decision was made solely by the vice-deputy of the agency itself. The
software is understood to be needed by the BKA for routine work. The
software is in active use today.
2) Pegasus is used by criminals. The Guardian had a report about a year
ago that outlined the capabilities of Mexican drug cartels [3]. Notably,
this does not solely concern Pegasus, but also tools sold by hacking
team and other companies.
3) Recently in Poland, Pegasus was used to monitor political activists.
It was used against Donald Tusk's lawyer. Donald Tusk was a promising
candidate in the Polish election. He was the Prime Minister of
Poland (2007-2014) and the president of the European Council (2014 -
2019). Notably, by various sources, Pegasus was apparently used in a
domestic context [5]. I'm not aware of any sources linking this incident to
foreign governments. I think it's worth pointing out that Poland can be
seen as a western democracy and NATO-member.
To summarize - the genie is out of the bottle:
- Tools such as Pegasus are available on a global scale, not having any
scaling problems anymore.
- Tools such as Pegasus are used (or will be used, depending on the
country) in the police's day-to-day business, as well as by criminals.
- There's global demand for such tools. It's not just the NSO, but also
hacking team and other vendors (e.g. Gamma group) addressing this
demand. Prices are likely to decrease due to a) competition and b) still
easy-to-break end-devices such as Android [6].
In effect, I think that:
a) Protection against such tools is what a crypto-party's audience
seeks. Journalists need ways to protect sources (e.g. meta-data and
phonebooks) during investigations. Political activists need to
coordinate out of the opponent's plain sight.
b) It's not worth teaching and pointing out tools that do not protect
against pegasus (e.g. signal). Tools such as pegasus are the default way
for day-to-day police work on a global scale.
c) It's not possible to provide tools protecting against Pegasus:
"it's a weapon against which there is no defense." [7]
So, what to do at a crypto-party? This is a dilemma.
Greetz, yanosz
[1]
https://www.sueddeutsche.de/politik/pegasus-spionage-bka-trojaner-1.5403678
[2]
https://www.zeit.de/politik/deutschland/2021-09/spionagesoftware-pegasus-nso-israel-bundeskriminalamt-kauf-innenauschuss-bundestag-unterrichtung
[3]
https://www.theguardian.com/world/2020/dec/07/mexico-cartels-drugs-spying-corruption
[4]
https://apnews.com/article/technology-business-poland-hacking-warsaw-8b52e16d1af60f9c324cf9f5099b687e
[5]
https://netzpolitik.org/2021/staatstrojaner-polnische-oppositionelle-mit-pegasus-gehackt/
[6] https://source.android.com/security/bulletin
[7]
https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html