source code – Techdirt

NSO Group Owes Meta $167 Million In Damages For Using WhatsApp Servers To Deliver Malware

from the going-to-have-to-hold-a-bake-sale-or-something dept

We’ll have to see if NSO Group has this sort of cash just lying around. Seems unlikely, what with its financial backers pulling out in response to a steady stream of negative headlines, as well as the company considering exiting the highly-profitable offensive malware market.

Sure, this will be appealed and NSO will try to get the awarded damages trimmed down to a more manageable number, but for now, this is what NSO Group owes Meta, the parent company of WhatsApp:

NSO Group, the Israeli spyware-maker behind Pegasus, must pay Meta $167.25 million for hacking 1,400 users across WhatsApp. A federal jury in California made the decision on Tuesday after the court found the NSO Group liable for the attacks last year.

[…]

The jury also awarded Meta $444,719 in compensatory damages.

John Scott-Railton of Citizen Lab has a pretty thorough rundown of this litigation over at Bluesky. Citizen Lab, of course, has been instrumental in revealing abusive deployments of NSO Group’s Pegasus malware by some of its shadier customers. And Citizen Lab has been targeted by some of NSO’s investors in hopes of stopping the self-inflicted bleeding the Israeli malware maker endured over the past four years.

A settlement was expected when NSO Group was ordered to turn over its malware source code by a California federal court. But then NSO asked the Israeli government to raid its offices and seize anything it might be forced to produce in response to WhatsApp discovery requests. Then it let the lawsuit play out, which turned out to be a bad idea. A jury said NSO Group was in the wrong, and for now, at least, it’s on the hook for nearly $168 million in damages.

Meta is taking a deserved victory lap on its site. But of more interest to everyone than news that Meta may become slightly richer are the documents posted by the victorious party, which include transcriptions of NSO Group depositions.

Included in the depositions are the actual price tags for Pegasus, NSO Group’s most powerful and profitable product. As of 2020, $7 million bought governments the ability to deliver spyware to up to 15 targets. If governments wanted to target devices not currently in the country, that added feature ran $1-2 million on its own.

Given that, you’d think NSO would still have plenty of cash in the bank. But spending nearly a half-decade watching your fortunes dwindle and your name become synonymous with human rights abuses tends to empty the coffers fairly quickly. At some point, NSO will finally have to settle up with WhatsApp. And the success of this lawsuit will hopefully deter other companies with similarly questionable ethics from rushing to fill the void left behind by NSO’s spectacular implosion.

Filed Under: malware, pegasus, source code, spyware, surveillance
Companies: meta, nso group, whatsapp

Fallout 1 & 2 Source Code Preserved Only Through One Person Refusing To Delete Copies Of It

from the phew dept

It can be really amazing just how bad video game companies have been, and currently still are, when it comes to preserving the very culture that they help to create. While groups like GOG are at least attempting to pressure more developers and publishers to take efforts to preserve older games, it’s simply a fact that there is a massive and historical headwind they’re facing. For a long, long time these companies essentially zeroed out any concern about preserving their work in favor of copyright enforcement coupled with a disinterest in their side of the copyright equation.

We’ve already seen how the ability to legitimately buy some games, such as No One Lives Forever, has been blocked for over a decade over a jumble of potential intellectual property concerns. But the story of the source code for two absolute classic games, Fallout 1 and Fallout 2, and how it almost became completely lost in the ether is a great example of the interest deficit in preservation going back years.

In April, Fallout creator Tim Cain explained that when he left Interplay in 1998 he was ordered to destroy any game assets or code he was holding onto that didn’t belong to him. This included the source code for the OG Fallout. Cain complied, which made it awkward when Interplay called a few years later asking if he had Fallout’s source code still. He thought it was a trap; turns out, Interplay had actually lost the code for it and Fallout 2. And Cain had assumed that due to Interplay’s “destroy it all” policy, the source code for the old RPGs was lost and destroyed. Thankfully, that’s not the case.

On May 5, Videogamer reported that it had heard from Interplay founder and game designer Rebecca Heineman that she had the source code for both Fallout and its sequel, as well as many other Interplay classics. She started preserving every Interplay game after working on the studio’s 10 Year Anthology: Classic Collection and realizing how poorly the company’s past work was being saved for the future.

As Kotaku goes on to note, Heineman received the same order to destroy any copies of any source code she may have made or face litigation as well. She simply chose to ignore that demand. No lawsuit was ever filed and Heineman has indicated she kept her copies because she believed any lawsuit from Interplay would be doomed to fail.

And it’s a damned good thing she did. It appears hers is the only copy of the source code for both of these games. And it should cause all of us who care about game preservation to shiver to our spines that the same company that demanded all copies of source code be deleted couldn’t be bothered to secure the master copy itself. What if Heineman had followed orders like a good soldier? The code would simply be lost to the world, gone forever.

And before anyone thinks otherwise, no, Heineman isn’t some bad actor simply looking to defy all the rules without any deference to corporate interests.

As for why Heineman hasn’t released the code to the internet, she says that could only happen with permission from Bethesda (now the owners of Fallout) as they are still selling Fallout and Fallout 2 today.

“I need expressed permission to release, despite the source code being pretty much obsolete,” said Heineman. “I [haven’t] gotten around to asking them. They are on my list.” She is a busy woman, working on bringing back MacPlay and porting more games to Mac. But hopefully, when she does ask, Bethesda is cool with her sharing these important pieces of game history online.

Yes, hopefully. Otherwise we may be back at this all over again in the future.

Filed Under: archives, fallout, preservation, source code, video game preservation, video games
Companies: bethesda, interplay

Make It A Trend Part 2: EA (!!!) Releases Source Code For Four ‘Command & Conquer’ Games

from the b-EA-utiful dept

In our recent discussion about Valve releasing the source code for Team Fortress 2, you should have noticed that that post was headlined as a “Part 1.” This post is Part 2 and is arguably way more impressive and important for a couple of reasons we’ll get into. But as a reminder, the entire reason we’re having this discussion about gaming companies releasing the source code for their games, even if that takes more time than we’d like, is that it goes a long, long way to solving the preservation question. The bargain that is copyright law in America is perhaps uniquely broken when it comes to the video game space. That is because many, many games rely on storefronts to keep them available, updates so that these games can run on modern hardware, and sometimes backend infrastructure to keep them either running at all, or capable of providing the full original experience. If any of those requirements go unaddressed, you have a preservation problem, especially when those same games are not legitimately available elsewhere.

Valve is a big company, sure, but its revenue is not derived mainly from producing games, but selling them. What we really need to start seeing, if this trend is going to be fruitful for preservation purposes, is major developers and publishers, whose revenue chiefly comes from selling games, getting on board. And to that end, it’s quite significant to see that Electronic Arts, a company that only occasionally receives praise on our pages, has released the source code for four Command & Conquer games.

You may, as someone possibly young enough to have been untroubled by the Command & Conquer games in their heyday, see this as a relatively minor act. It’s really, really not. And if we’re going to be fiercely critical of EA when it does horrible things, it’s also crucial that we celebrate when the publisher does something this important.

Any game being made publicly available for free (as in: yours to keep, copy, share forever) is to be celebrated, in an industry that usually so spitefully clings on to long-dead IPs that it refuses to sell, but still employs lawyers to prevent being accessible. But releasing a game’s source code is next level. This is not the game itself, as in a thing to boot up and play, but rather the flesh and bones that makes the game exist. It’s all the secrets. It offers developers the ability to see exactly how a game was put together, read all the hilariously botched bits of code the devs strung together in desperation to get a game out the door, and learn how the best in the business constructed their games.

This is actually bigger than just releasing the source code, as Kotaku goes on to note. Valve’s release was done under an SDK license, specifically limiting any new output using the code to free projects, rather than commercial projects. EA, however, went way further. The company released the source code for these games under a GNU General Public License, also referred to as a copyleft license. There are still some restrictions put on anyone who makes new content using the code in terms of ensuring that buyers receive the same freedoms the content-maker has, but it does not restrict selling that content. In other words, this is EA saying, “Hey, here’s how we made these games. Here’s the code. Use it if you want. Sell what you make of it, or give it away for free.”

That E-freaking-A is doing this is big.

What makes this Command & Conquer move quite so striking is that it’s EA doing it. They’re not exactly a company known for, let’s say, loving acts of kindness. In more recent years, the publisher has become synonymous with the lowest aspects of video gaming, from forcing its games to be played with an internet connection before the era of widely-available broadband, to gacha awfulness with its gambling-adjacent loot boxes. In fact, the C&C name itself was run into the ground until it was all but worthless after EA forced in always-on DRM to hastily made sequels and released terrible free-to-play mobile versions.

But, soft! What light through yonder window breaks? Is this a crack in their tough, outer veneer? A sign of a future EA that is interested in games preservation, and the open and free sharing of intellectual property from which it no longer has a means to meaningfully profit? Because dear God, I hope so.

Again, that EA is doing this is important for two primary reasons. The most obvious is that it’s a milestone of sorts to see a AAA game publisher be willing to bypass its copyrights on its own work this way. I’m not sure if there is a good comp for this in between today and id Software doing something similar with the Doom franchise (prior to Microsoft gobbling up the rights to later games and not following id Software’s lead, of course). EA has a reputation well earned as an IP protectionist, after all, so this move is fairly striking for the company.

But perhaps just as important is that its stature within the industry is such that perhaps other AAA publishers, and others, will pay attention to the move and duplicate it.

And I hope other publishers sit up and take notice about how we’re all now making cooing noises and scratching EA under its chin, rather than simply scowling at it. This should be normal! It’s essentially free to a publisher—you just stick the source code on Github and eat your lumps. Somehow one of the most controversial things I ever wrote was suggesting that games should go into the public domain a full 20 years after their first release, despite this seeming like the most sensible, industry-boosting action possible, at a point when publishers are no longer making real money from the original versions. OK, so in the case of most the games being made available here, we’re talking closer to 30 years. But I’ll take it!

Turning the industry away from longstanding practices is a bit like steering the Titanic, of course, so I’m not sure at what velocity we’ll see this trend expand. But the gaming industry is also one that can pivot quickly, so perhaps I’ll be surprised. Regardless, however fast or not this goes, the trend is a good one and should be encouraged, if for no other reason than for the preservation of games as cultural output.

Filed Under: command and conquer, gpl, open source, source code, video games
Companies: ea

Make It A Trend Part 1: Valve Releases ‘Team Fortress 2’ Source Code

from the preserve-it-all dept

One of the more frustrating aspects of any conversation we have around the preservation of video games, something that is simply not being done for the most part today for the vast majority of titles created, is how easy and simple the ultimate fix is. It isn’t a secret. It’s not an arduous process. It doesn’t require any hoop-jumping for publishers and developers. You just release the source code for games once they’re past their primary sales window and let the public preserve it, and even build on it, from there.

Doing so would accomplish a number of good things. First, it would both free the publishers from the burden of having to preserve this artform themselves while also unleashing an army within the public that are willing to do that work. The bargain that is copyright protection would be preserved, if not achieved with higher velocity, and then people like myself and the folks behind the Video Game History Foundation and Good Old Games (GOG) can finally stop our bitching about how our cultural output is disappearing. Secondly, if these developers and publishers were really smart, they would use the elongated interest timeline in these games that would result from all of this to sell other, tangible things surrounding these games, like figurines, merchandise, and other items. Not to mention driving interest in newer, updated titles within these same franchises.

So if this is all honey and roses, why have such source code releases been so sparse? Several reasons, likely. Some of it, believe it or not, is purely a combination of vanity and insecurity around the code itself. Lots of folks don’t actually want to throw open the factory doors and allow the entire world to inspect precisely how the sausage is made, so to speak. Criticism of code is as ubiquitous as the untidy writing of the code itself. And, of course, there are the big player developers and publishers out there that bow to the altar of intellectual property, instinctually gravitating towards protectionism out of fears they probably couldn’t even articulate if asked to.

Fortunately, we’re now finally starting to see some shifts in the thinking from some big players. First to discuss is Valve, which recently released the source code for Team Fortress 2, both for the client and server code. And while the license under which the code was released doesn’t allow for commercial projects, it does allow for anyone who wants to play with the code to publish what they create on Steam.

Valve’s updates to its classic games evoke Hemingway’s two kinds of going bankrupt: gradually, then suddenly. Nothing is heard, little is seen, and then, one day, Half-Life 2: Deathmatch, Day of Defeat, and other Source-engine-based games get a bevy of modern upgrades. Now, the entirety of Team Fortress 2 (TF2) client and server game code, a boon for modders and fixers, is also being released.

That source code allows for more ambitious projects than have been possible thus far, Valve wrote in a blog post. “Unlike the Steam Workshop or local content mods, this SDK gives mod makers the ability to change, extend, or rewrite TF2, making anything from small tweaks to complete conversions possible.” The SDK license restricts any resulting projects to “a non-commercial basis,” but they can be published on Steam’s store as their own entities.

The timing here is somewhere between slightly late and just about right, honestly. TF2 was released in 2007, nearly twenty years ago, and has had an active player-base for a long, long time. The game’s community had something of an uproar a couple years back, mostly around the prevalence of cheating going on in the game, but that seems to have died down somewhat. Opening the code up to the public might actually help with cheating issues in the game, as well. After all, you’ve now got an entire world’s worth of people who can alter or re-develop portions of the game and code to stave off cheating.

But the most important part of this is both that the game is now able to be preserved by a public that has full access to its underlying code and that interest in the game can be extended by that same public being able to build off the code and create new, interesting content. Valve, meanwhile, gets to have that content listed on its platform, while also retaining interest in the Half-Life series that is at the heart of all of this.

All by relinquishing control. Imagine that.

Filed Under: archives, old video games, source code, steam, team fortress 2, video game preservation, video games
Companies: valve

NSO Group Asked Israeli Government To Help It Hide Malware Docs From WhatsApp

from the surely-something-only-an-honest-company-would-do dept

Before the news had broken that NSO Group’s clients were utilizing its powerful spyware to target journalists, dissidents, activists, religious leaders, opposition party members, and anyone else that might have irritated the autocrats and human rights abusers that made up a disproportionate percentage of its customer list, NSO was sued by Meta and WhatsApp.

That lawsuit alleged NSO Group had illegally accessed and utilized WhatsApp’s software and servers to distribute malware to surveillance targets. It’s a problematic lawsuit — one that seeks to see the CFAA (which has been abused perpetually since its inception) read as outlawing any access that might violate terms of service, including access that simply allowed NSO software to reach targets using WhatsApp.

NSO has since tried multiple times to have the lawsuit thrown out. One of its more creative efforts tried to portray NSO Group as nothing more than a stand-in for the governments it sold to. By portraying itself this way, NSO hoped to invoke sovereign immunity. That argument was rejected by two consecutive levels of the judiciary. NSO would have been better served by sticking to its first argument: that it could not be held directly accountable for actions performed by its customers, especially since that’s pretty much the only argument it’s left with at this point in time.

Having failed to get the lawsuit dismissed, the litigation moved forward. Finally, it reached a point NSO hoped it never would: discovery. Earlier this year, the court ordered NSO to turn over a bunch of info, including the source code of the malware that traveled through Meta’s servers to infect WhatsApp users.

The source code has yet to be delivered to the court and WhatsApp. It may never get there. As Harry Davies and Stephanie Kirchgaessner report for The Guardian, NSO Group called on a higher power to help it dodge its courtroom obligations:

Israeli officials seized documents about Pegasus spyware from its manufacturer, NSO Group, in an effort to prevent the company from being able to comply with demands made by WhatsApp in a US court to hand over information about the invasive technology.

Documents suggest the seizures were part of an unusual legal manoeuvre created by Israel to block the disclosure of information about Pegasus, which the government believed would cause “serious diplomatic and security damage” to the country.

Neat! And it comes with a form of plausible deniability built in: the Israeli government could claim it seized this information as part of its own investigation of NSO Group. Of course, that investigation is already closed and it wasn’t publicly announced until long after NSO was in (international) hot water. The government concluded it did nothing wrong when it used NSO spyware. It didn’t have much to say about NSO itself, although it did (very belatedly) limit the countries NSO could sell to.

But this is just a weird form of regulatory capture. NSO Group was formed by former Israeli intelligence officers. For years, Israel’s government helped broker deals for NSO with nearby nations, engaging in a malware-powered form of diplomacy.

The last thing NSO wanted was for this lawsuit to move to the point where it might need to start producing documents. The outstanding order for code production posed a threat to NSO’s secrecy, even if there’s almost zero chance it would be denied any request to seal these documents. With NSO being mostly former government employees and the Israeli government being composed of current government employees, NSO asked and received. With this move, a sovereign that is not party to this lawsuit has done what NSO couldn’t on its own: prevent an American entity from obtaining its source code.

The origin of this information isn’t NSO or the Israeli government. It’s the product of leaks and hacking. And it shows NSO knew this reckoning was coming, long before it became somewhat of a household name following the leak of targeting data. This appears to have happened not long after WhatsApp filed its lawsuit against NSO in late 2019.

Israel’s hidden intervention in the case can be revealed after a consortium of media organisations led by the Paris-based non-profit Forbidden Stories, and including the Guardian and Israeli media partners, obtained a copy of a secret court order relating to the 2020 seizure of NSO’s internal files.

Details of the seizures and Israel’s contacts with NSO regarding the WhatsApp case are laid bare in a separate cache of emails and documents reviewed by the Guardian. They originate from a hack of data from Israel’s ministry of justice obtained by the transparency group Distributed Denial of Secrets and shared with Forbidden Stories.

According to the documents, NSO first approached the Israeli government in the early months of 2020, asking for a “blocking order” that would hopefully prevent it from having to hand over anything to WhatsApp. When WhatsApp served its discovery request in June 2020, NSO Group and government officials met to “discuss issues related to disclosure.” After some back-and-forth between NSO’s legal reps and government officials, the government performed a perfunctory raid of NSO offices for the sole purpose of leaving it with almost nothing to turn over in response to the US court order.

Three days later, in mid-July 2020, Israel made a significant but secret intervention. At an urgent meeting with NSO, Israeli officials presented the company with an order issued by a Tel Aviv court granting the government powers to execute a search warrant at its office, access its internal computer systems and seize files.

This subterfuge appears to have worked, at least so far. According to WhatsApp’s lawyers, NSO has only turned over 17 pages of documents in response to its discovery requests. Obviously, none of these documents are responsive to the court order demanding NSO turn over its software to WhatsApp.

On the surface, it might not look any more unusual than, say, the Justice Department filing a motion to keep documents from being produced by one of its contractors in the interest of public safety, operational secrecy, or whatever other excuse it might use. But it’s nowhere near comparable. NSO Group never informed the US court that these documents had been seized. And it appears its lawyers — some of whom are US-based — never informed the court it was seeking the assistance of the Israeli government to keep these documents from being produced.

It will certainly be interesting to see how the court responds to these revelations. However, sanctions can’t make NSO Group turn over information now in the hands of its own personal Jesus: the Israeli government. And it’s unlikely any US court has the power to pierce the sovereign immunity that controls this action, no matter how transparent the self-interest.

Filed Under: distributed denial of secrets, israel, lawsuit, malware, pegasus, privacy, source code, spyware, surveillance
Companies: nso group, whatsapp

NSO Group Continues To Use The Lawsuit Filed Against It By WhatsApp To Harass Canadian Security Researchers

from the if-you-can't-beat-'em,-fuck-with-'em dept

Israeli malware manufacturer NSO Group spent years making good money selling to bad people. Its only concern for the longest time was how long it would take nearby autocrats and totalitarians to start targeting Israeli citizens.

To be fair, the Israeli government shares at least some of the blame. Surrounded by entities that would love to see it erased from the earth, the government helped broker deals with unfriendly countries — a perverse form of diplomacy that allowed some of its worst enemies to gain access to extremely powerful spyware.

NSO is no longer the local darling in Israel. In fact, none of its competitors are either. The country achieved terminal embarrassment velocity following the leak of documents that appeared to show many of NSO’s customers were abusing access to its Pegasus spyware to target journalists, dissidents, human rights lawyers, political opponents, and even the occasional ex-wife and her lawyer.

NSO has also been sued multiple times. The first tech firm to sue NSO was WhatsApp. Backed by Meta, WhatsApp took NSO to court for using WhatsApp’s US-based servers to deliver malware packages to users targeted by NSO’s absolute shitlist of customers.

Some of what WhatsApp observed might have been due to the FBI taking a bespoke version of NSO’s Pegasus for a spin before deciding it would be pretty much impossible to use it without doing a ton of damage to the Fourth Amendment.

This lawsuit has not gone well for NSO. It invoked a variety of defenses, including sovereign immunity, reasoning that it was a stand-in for the governments it sold to. And, as such, it was entitled to the same immunity often granted foreign governments by US courts.

This tactic didn’t work. Not only did multiple courts (district, appellate, the Top Court in the Land) reject NSO immunity overtures, but the original court handling this lawsuit ordered the company to turn over its code to WhatsApp. And that order meant all the code, not just the stuff involving NSO’s flagship spyware, Pegasus.

Far from the nation’s courts, Canadians have been giving NSO (and its competitors) fits for years. Citizen Lab — a group of Canadian malware researchers linked to the University of Toronto — has been examining NSO’s malware for years. More importantly, it’s been detecting infections and allowing those targeted by NSO spyware to rid themselves of these infections. In every case, Citizen Lab has exposed the targeting of the usual people: dissidents, opposition leaders, journalists, lawyers, diplomats, etc. The company continues to pretend this malware is sold to target the most dangerous criminals despite all evidence to the contrary.

With NSO now being asked to turn over its source code, it has decided to drag a non-party into the mix by going after Citizen Lab repeatedly during this lawsuit. (This is something its financial backers did years before NSO was a defendant in multiple lawsuits and an international pariah.)

As Shawn Musgrave reports for The Intercept, NSO appears to be engaged in a campaign of harassment against Citizen Lab… presumably because it has run out of believable defenses and/or solid litigation strategies.

For years, cybersecurity researchers at Citizen Lab have monitored Israeli spyware firm NSO Group and its banner product, Pegasus. In 2019, Citizen Lab reported finding dozens of cases in which Pegasus was used to target the phones of journalists and human rights defenders via a WhatsApp security vulnerability.

Now NSO, which is blacklisted by the U.S. government for selling spyware to repressive regimes, is trying to use a lawsuit over the WhatsApp exploit to learn “how Citizen Lab conducted its analysis.”

[…]

With the lawsuit now moving forward, NSO is trying a different tactic: demanding repeatedly that Citizen Lab, which is based in Canada, hand over every single document about its Pegasus investigation. A judge denied NSO’s latest attempt to get access to Citizen Lab’s materials last week.

While it’s good to see a court shut down this obvious attempt to turn Citizen Lab into a co-litigant, the fact remains that Citizen Lab has never been a party to this lawsuit. This is nothing more than NSO attempting to obtain information it has no legal reason to request, possibly because it’s still aching from being ordered to turn over its own information: i.e, its source code.

It also may be even more petty than the previous hypothetical: it may be trying to get Citizen Lab to burn up some of its limited resources fighting stupid requests for stuff it shouldn’t even be asking for, much less expecting a judge to sign off on.

Whatever it is, it certainly isn’t good litigation. This reeks of desperation. These are the acts of a litigant that has run out of options. NSO is just flailing, hoping to drag down a non-party with it as it heads towards a seemingly-inevitable loss.

And this certainly isn’t a winning strategy. It’s not even capable of maintaining the miserable status quo NSO Group is currently mired in. Citizen Lab (obviously) refused these demands for information (justifiably!) and the judge handling the case has made it clear there’s almost zero chance of NSO being able to drag anything out of this particular thorn in its side.

Citizen Lab opposed NSO’s demands on numerous grounds, particularly given “NSO’s animosity” toward its research.

In the latest order, Hamilton concluded that NSO’s demand was “plainly overbroad.” She left open the possibility for NSO to try again, but only if it can point to evidence that specific individuals that Citizen Lab categorized as “civil society” targets were actually involved in “criminal/terrorist activity.”

lol at that last sentence. Does anyone think anyone, much less an aggrieved NSO Group, has any evidence Citizen Lab is involved in “criminal/terrorist activity?” All it has done is expose abuse of malware sold by NSO Group to governments with long histories of corruption and/or human rights abuses.

NSO is just going to keep on losing. Reap/sow. Lie down with dogs. The foreseeable consequences of actions. Etc. Etc. Etc. Citizen Lab will keep performing its important work. And, with any luck, NSO will soon collapse under the weight of its hubris. Hope the (temporary) shekels were worth it.

Filed Under: canada, discovery, harassment, source code, spyware, surveillance
Companies: citizen lab, meta, nso group, whatsapp

NSO Group Ordered To Turn Over Spyware Code To WhatsApp

from the UNDERSEAL.EXE dept

The time has come to pay the discovery piper for NSO Group. The phone exploit firm formed by former Israeli spies was supported unilaterally by the Israeli government as it courted human rights abusers and autocrats. The Israeli government apparently felt selling powerful phone exploits to its enemies got caught with its third-party pants down when numerous news agencies exposed just how often NSO’s customers abused its powerful spyware to target journalists, activists, lawyers, dissidents, religious leaders, and anyone else who annoyed its customers.

NSO Group has been sued multiple times. One of the first lawsuits filed in the US featured Meta (formerly Facebook) as a plaintiff, suing on behalf of WhatsApp, its encrypted communications acquisition. NSO tried multiple times to escape this lawsuit. It claimed it was a private sector equivalent of a government agency and, therefore, should be protected by sovereign immunity. This argument was rejected, leaving NSO with the option of arguing its actions (or, rather, the actions of its customers, which it claimed it couldn’t control) weren’t subject to US law.

That other argument might have worked if NSO Group’s customers weren’t using WhatsApp’s US-based servers to deliver malware payloads. Once something like this happens, US law comes into play and, without the protective cover of sovereign immunity, NSO Group must continue to respond to lawsuits filed by US tech companies.

Everything NSO tried in hopes of earning an early exit from US lawsuits was aimed at preventing the very thing that’s happening now. NSO and its (few remaining) backers can probably survive an expensive settlement. What the company is unlikely to survive is a (possibly) public outing of its malware code.

As Stephanie Kirchgaessner reports for The Guardian, NSO has been ordered to turn over the source code for pretty much all of its malware to Meta/WhatsApp.

NSO Group, the maker of one of the world’s most sophisticated cyber weapons, has been ordered by a US court to hand its code for Pegasus and other spyware products to WhatsApp as part of the company’s ongoing litigation.

[…]

In reaching her decision, Hamilton considered a plea by NSO to excuse it of all its discovery obligations in the case due to “various US and Israeli restrictions”.

Ultimately, however, [Judge Phyllis Hamilton] sided with WhatsApp in ordering the company to produce “all relevant spyware” for a period of one year before and after the two weeks in which WhatsApp users were allegedly attacked: from 29 April 2018 to 10 May 2020. NSO must also give WhatsApp information “concerning the full functionality of the relevant spyware”.

WhatsApp already has a pretty good idea how NSO Group malware operates. It has already managed to detect actual deployments via its servers. The irony here, of course, is that the incidents that most likely exposed NSO’s exploitation of WhatsApp servers were trial runs of a US-oriented version of NSO’s Pegasus phone exploit by the FBI. (The FBI ultimately decided it couldn’t deploy this malware constitutionally.) A months-long investigation by the FBI into the “mysterious” NSO purchase by a supposedly “unknown” government agency ultimately revealed that it was the FBI itself shelling out bucks for malware it couldn’t deploy without violating the Constitution.

The order [PDF] issued by Judge Hamilton makes it clear NSO has to hand over more than just its Pegasus code to WhatsApp.

As to category (1), as stated at the hearing, the court adopts plaintiffs’ definition of “all relevant spyware” as set forth in their motion: “any NSO spyware targeting or directed at Whatsapp servers, or using Whatsapp in any way to access Target Devices.” As also stated at the hearing, defendants have not identified a basis for limiting its production to the Pegasus program, or to any particular single operating system.

[…]

As to the timeframe of documents that must be produced, the court concludes that, at this stage of the case, the Richmark factors weigh in favor of production for “all relevant spyware” for a period of one year before the alleged attack to one year after the alleged attack; in other words, from April 29, 2018 to May 10, 2020. If, after reviewing the relevant spyware from that timeframe, plaintiffs are able to provide evidence that any attack lasted beyond that timeframe, plaintiffs may seek further discovery at that time.

hahahahaaaaaaaaaa

We can be sure NSO’s lawyers are now busy crafting extremely restrictive proposed protective orders to prevent WhatsApp/Meta from making this information available to the public via court filings, blog posts, transparency reports, or any other options this company has at its disposal.

I imagine these motions (along with other efforts to seal docket entries) will be granted, since NSO has continually claimed its customers use its malware to target high-value targets like suspected terrorists and other violent criminals. But this court remains free to weigh NSO’s CYA statements against the brutal reality: that its malware is often used to target people governments don’t like, rather than the “terrorists” and “violent criminals” governments claim they’re interested in apprehending.

Equally amusing is the fact that the same court has denied NSO’s demands for any communications between WhatsApp/Meta and Toronto’s Citizen Lab that were initiated following the filing of this lawsuit. It’s easy to see why NSO would love access to these communications, considering Citizen Lab has constantly and continually exposed abusive NSO malware deployments over the past several years while also publishing whatever exploit code it’s been able to extract during these investigations.

But, as the court notes, NSO has already undercut its own argument for additional discovery on its end by attempting to move the goalposts to cover only perceived misuses against “civil society” by its customers. This attempt to obtain further communications is backed only by NSO’s perception of the tone of WhatsApp’s lawsuit, rather than its listed causes for action — allegations that cover not only “abusive” deployments of malware but also “legitimate” deployments that, nonetheless, occurred without the platform’s permission and definitely violated WhatsApp’s terms of service.

So, the lawsuit will move forward. And it’s NSO that’s obligated to start explaining itself — not just to Meta/WhatsApp, but the court itself. Now that there’s source code on the line, NSO Group might start examining its other options, the most likely of which would be paying WhatsApp a considerable sum of money while promising not to use the company’s US servers to deploy malware. Most entities, at worst, have to deal with the consequences often expressed as having to lie in a bed that they’ve made. But NSO’s actions exceed this idiom. NSO, for all intents and purposes, shat the bed before making it, which makes lying in it feel that much worse.

Filed Under: malware, pegasus, source code, spyware, surveillance
Companies: meta, nso group, whatsapp

As Free Speech Enthusiast Elon Plans To Release Twitter’s Source Code, Twitter Desperately Seeking Identity Of FreeSpeechEnthusiast Who Leaked Twitter Source Code

from the troll-speech-enthusiast dept

Ever since Elon Musk made his initial bid to buy Twitter, he’s talked about “open sourcing” the algorithm. He mentioned it last April in the first interview he gave, on the TED stage, to talk about his plans with Twitter. And since taking over the company at the end of October, he’s mentioned it over and over again.

Indeed, on February 21st, he promised that Twitter would release its “algorithm” as open source code “next week.”

![Elon Musk Feb 21 Say what you want about me, but I acquired the world’s largest non-profit for $44B lol

Derek Smart Feb 21 Replying to @elonmusk Right. Now open source it, then we'll be truly impressed.

Elon Musk Replying to @dsmart Prepare to be disappointed at first when our algorithm is made open source next week, but it will improve rapidly!](https://i0.wp.com/lex-p.s3.us-west-1.amazonaws.com/img/d7c8df93-3ab2-4726-a323-41fb7bf1be25-RackMultipart20230327-11-p73syi.png?ssl=1)

And then, two weeks ago, he announced that “all code used to recommend tweets” will be released as open source on March 31st (i.e., this Friday).

![Elon Musk Mar 17 Twitter will open source all code used to recommend tweets on March 31st

Our “algorithm” is overly complex & not fully understood internally. People will discover many silly things, but we’ll patch issues as soon as they’re found!

We’re developing a simplified approach to serve more compelling tweets, but it’s still a work in progress. That’ll also be open source.

Providing code transparency will be incredibly embarrassing at first, but it should lead to rapid improvement in recommendation quality. Most importantly, we hope to earn your trust.](https://i0.wp.com/lex-p.s3.us-west-1.amazonaws.com/img/4d9a887a-117c-4de4-a72c-0407f1281b21-RackMultipart20230327-10-1bp11he.png?ssl=1)

Who knows if he’ll meet his deadline this time (he has a habit of missing deadlines pretty regularly).

However, over the weekend something vaguely interesting happened, in that it was revealed that someone had already, um, “open sourced” Twitter’s source code for it, by posting a repository of at least some of the code to GitHub. This was revealed in a DMCA notice that Twitter sent to GitHub, followed by a DMCA subpoena demanding the identity of the person who posted it along with anyone who downloaded it.

Now, I initially wasn’t going to write about this. Leaks happen, and I think it’s perfectly fine for Twitter to issue the DMCA takedown for such a leak. But what caught my attention was the username of the leaker. According to the DMCA notice, the leaker went by “FreeSpeechEnthusiast,” and their account is (at the moment) still up on GitHub showing a single contribution on January 3rd (which makes me wonder if the code was sitting there for anyone to find for a whole month and a half):

FreeSpeechEnthusiast GitHub account, showing a single bit of activity on January 3rd.

That name choice takes this from a garden variety leak operation to an ultimate troll attempt against admitted troll Elon Musk. After all, Musk himself continually (if ridiculously) refers to himself as a “free speech absolutist.”

So, given both Elon’s repeated promises to reveal the source code and his publicly stated (if often violated) commitment to “free speech,” the leak of the source code by someone using the name FreeSpeechEnthusiast seems like it was designed directly as a troll move to Musk, goading him into exposing his own hypocrisy (which is way easier than many people may have thought).

Well played, FreeSpeechEnthusiast, well played.

As for the actual leak, again, it’s not clear how much source code was actually leaked or how problematic it is. As I understand it (and would expect) the full source code for Twitter is cumbersome and complex. Releasing a full dump of it would be difficult even if authorized, so I’m guessing it’s not everything.

And while you can find lots of quotes from “cybersecurity experts” about how this may expose vulnerabilities, my guess is that the risk of that is actually fairly low at first? Given enough time, yes, someone can probably find some messy code and some vulnerabilities, but Twitter had (at one time) lots of engineers who were focused on finding and patching those vulnerabilities themselves, and so whatever remains is likely nothing obvious, and anyone going through the code now would first have to figure out how it all worked, which may be no easy task in the first place.

Indeed, this is why, from the beginning, I’ve said that Elon’s promises to open source the code were mostly meaningless, because there are almost no examples of companies taking large, complex systems in proprietary code, and open sourcing them and finding anything valuable come out of it, because there’s so much baggage and complexity for people to even figure out what the hell anything really does.

This is also why Musk’s announced plans to fix things that people find in the code he still promises to release this week also seem a bit silly, as there’s a reasonable interpretation of this as: “we fired everyone who understands our code, so we’re going to open it up to get engineers to clean up our code for free for the world’s richest man.”

It’s also why the better approach would have just been to improve the API and to allow more developers to build more tools, services, and features on top of Twitter code, but Elon’s already killed off that whole idea.

In the end, this particular story isn’t likely to be that big a deal, but it seemed worth commenting on solely for the lulz of the epic trolling job whoever leaked the code did in highlighting Musk’s hypocrisy. Again.

Filed Under: copyright, dmca, elon musk, free speech, freespeechenthusiast, leak, open source, release, source code, subpoena, troll
Companies: github, twitter

Trump Given 30 Days To Have His Social Media Site Comply With Open Source License

from the tick-tock dept

Plenty of people have raised concerns that Donald Trump’s sketchy new social media site, Truth Social, is just a lightly reskinned Mastodon, which is violating Mastodon’s fairly strict AGPLv3 license. As we had previously discussed, the aggressive (and sloppy) terms of service for the site claim that the code is proprietary, and even claims that “all source code, databases, functionality, software, website designs, audio, video, text, photographs, and graphics on the Site (collectively, the “Content”) and the trademarks, service marks, and logos contained therein (the “Marks”) are owned or controlled by us or licensed to us…”

Of course, part of the reason that Mastodon uses such a license is to encourage others to take the code and build on it if they abide by the terms of the license. And the nature of Mastodon’s license is that if you use it, you must make the complete source code available of what you build with it. The key bit of the license:

You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions:

> a) The work must carry prominent notices stating that you modified it, and giving a relevant date.
>
> b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to “keep intact all notices”.
>
> c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it.
>
> d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so.

It’s not clear that any of these conditions have been met. So, now the Software Freedom Conservancy has given Trump 30 days to bring the code into compliance — specifically by providing the source code to Truth Social to the early users who were able to sign up — or, under the license terms, Trump’s “rights in the software are permanently terminated.”

Early evidence strongly supports that Trump’s Group publicly launched a so-called “test site” of their “Truth Social” product, based on the AGPLv3’d Mastodon software platform. Many users were able to create accounts and use it – briefly. However, when you put any site on the Internet licensed under AGPLv3, the AGPLv3 requires that you provide (to every user) an opportunity to receive the entire Corresponding Source for the website based on that code. These early users did not receive that source code, and Trump’s Group is currently ignoring their very public requests for it. To comply with this important FOSS license, Trump’s Group needs to immediately make that Corresponding Source available to all who used the site today while it was live. If they fail to do this within 30 days, their rights and permissions in the software are automatically and permanently terminated. That’s how AGPLv3’s cure provision works – no exceptions – even if you’re a real estate mogul, reality television star, or even a former POTUS.

I and my colleagues at Software Freedom Conservancy are experts at investigating non-compliance with copyleft license and enforcing those licenses once we confirm the violations. We will be following this issue very closely and insisting that Trump’s Group give the Corresponding Source to all who use the site.

I think that’s called being put on notice. It will be interesting to see how Trump responds — and what happens next.

Filed Under: agpl, copyright, donald trump, licenses, open source, source code
Companies: mastodon, software freedom conservancy, truth social

One Developer Gets GTA3 And Vice City Source Code Un-DMCAd On GitHub

from the rockstar dept

The strange flip-flop by Rockstar Games on being open and cool with its fans continues. By way of context and a bit of throat clearing, recall that Rockstar is both the company that whipped out the ban-hammer on Grand Theft Auto 5 players over the use of mods, and the company that paid out money to a modder that fixed that same game’s long loading times. In addition, Rockstar is both the company that happily used intellectual property to try to silence a documentary while also being the company that enthusiastically embraced gamers making short films out of GTA footage.

In other words, when it comes to being open with the gaming and modding community surrounding its games, Rockstar has something of a dual personality. The restrictive side of the company is the one that showed up early in 2021 when a bunch of GTA fans managed to reverse engineer the source code for GTA3 and GTA: Vice City.

Deriving the source code through reverse-engineering was a huge milestone for the GTA hacking scene. Players would still need the original game assets to run either classic GTA title, but with accessible source code, modders and devs could begin porting the game to new platforms or adding new features. That’s exactly what’s happened this past year with Super Mario 64.

A week after the code went public on GitHub, Rockstar’s parent company, Take-Two Interactive, issued a DMCA takedown claiming that the reversed-engineered source code contained “copyrighted materials owned by Take-Two.” GitHub pulled the fan-derived code and all its related forks.

Entirely too often, that would be the end of the story. Modders and enthusiasts go out and try to do something cool with a Rockstar game, get their hands slapped, and give it all up. That didn’t happen in this case. Instead, one developer out of New Zealand, named Theo, issued a counter-notice to GitHub. Theo’s notice explained that, no, the code that had been produced did not contain the original work done by Rockstar. Instead, this was all brand new coding done by these fan-developers to produce essentially the same game. As Theo explained, this new code functions like the original source code, but is not identical.

As of now, Theo’s fork has been restored to GitHub. And, now, everyone waits to see if Rockstar wants to turn this all into an actual legal battle or not.

While it’s possible Take-Two could challenge Theo’s counter-claim in court at a later date, this is still a nice win for the Grand Theft Auto III and Vice City modding scene. It’s also another reminder that modders, pirates, and fan developers are often the only ones doing the work to keep old games around in an easily playable form.

One would hope Rockstar would see the wisdom in letting this go. It seems hard to imagine how this reverse-engineered code and it allowing modders to try and do new and interesting things with two games that are 20 years old at this point could somehow be a serious threat to Rockstar. More to the point, this is an opportunity for the company to instead embrace and encourage its fans to do these new and interesting things, potentially keeping alive the interest in these games and the franchise as a whole.

As to whether Rockstar will see the wisdom in that, well, for now we wait.

Filed Under: copyright, dmca, gta, gta3, source code
Companies: rockstar