WhatsApp slaps app hacker chaps on the rack for booby-trapped chat: NSO Group accused of illegal hacking by Facebook

Facebook and its WhatsApp subsidiary on Tuesday sued NSO Group alleging the Israel-based spyware maker unlawfully hacked smartphones using a vulnerability in the popular chat app. The complaint [PDF], filed in a US district court in San Francisco, blames NSO for a cyberattack on WhatsApp users that was publicly disclosed in …

  1. TheGhostDeejay

    Dear "people" at NSO

    I use the word "people" very loosely.

    How much Mogadon does it take to enable you creatures to sleep at night?

    Cheers… Ishy

    1. This post has been deleted by its author

    2. paulf Silver badge
      Coat

      Facebook: STOP STEALING...

      our customers data business model.

  2. sbt Silver badge
    Facepalm

    "... a misuse, which is contractually prohibited."

    Oh, well that's totally fine, then.

    That useful tools can be used for bad purposes applies just as much to back-doors as it does to end-to-end encryption.

    1. moiety

      Re: "... a misuse, which is contractually prohibited."

      Just a reminder that WhatsApp's "end to end" encryption has WhatsApp/Facebook as one of the ends.

      1. cb7

        Re: "... a misuse, which is contractually prohibited."

        I thought "end to end" meant message sender to message receiver.

        In any case, that's irrelevant. Everyone who uses WhatsApp and accepted the default switch to WhatsApp backups getting stored on Google Drive now has their precious messages stored in unencrypted format on Google Drive.

        The "backdoor" is in plain sight.

        1. NonSSL-Login

          Re: "... a misuse, which is contractually prohibited."

          It's more a front door than backdoor.

          Maybe that is how the WhatsApp CEO can keep a straight face while saying they don't want backdoors.

          It's OK you choosing to disable backups, but has the other end of your conversations? If not, unencrypted backups on Google's/NSA's servers.

      2. phuzz Silver badge
        Stop

        Re: "... a misuse, which is contractually prohibited."

        'End to end' means client device to client device. WhatsApp/Facebook's servers direct the messages (and can presumably pick up a lot of metadata that way), but they can't decrypt the messages.

        (Of course, we have only their word for that.)

        1. moiety

          Re: "... a misuse, which is contractually prohibited."

          "End to end" should mean that, yes. However: consider that:

          1) The app generates the keys; not the user.

          2) WhatsApp changed hands for 19 billion dollars. Billion.

          3) Facebook is the company that bought it.

          Because the app (and therefore Facebook) knows the keys it would be trivial to simply store the keys somewhere and decrypt at will. If you think a bunch of weasels like Facebook spent 19 billion to not do that, then you have more faith in humanity than I do.

          "End to end" coming from Facebook is, I very strongly suspect, marketing-speak designed to mislead people into thinking of the standard usage of the term (ie, client to client). If one of the ends happens to be Facebook then it's technically "end to end encryption"...they're just not specifying where the ends are and letting people assume it's client-to-client.

    2. Anonymous Coward
      Anonymous Coward

      Re: "... a misuse, which is contractually prohibited."

      While I firmly believe that NSO group needs to be disbanded and all its members charged with crimes against humanity... I just can't get over the irony that Facebook has also given very powerful surveillance software to unscrupulous app developers with only a pinky-swear agreement and absolutely zero oversight.

      There are no good guys in this story.

    3. nematoad Silver badge

      Re: "... a misuse, which is contractually prohibited."

      "We take action if we detect any misuse."

      Fine words butter no parsnips.

      Do we have any assurance that NSO is actively looking for misuse or are they complacent and trust that their customers will abide by the rules?

      It seems to me as if NSO is in the business of making as much money as they can and damn the consequences. As others here have said, how do these people sleep at night?

      Or is it a case of "Ignorance is bliss"?

      1. Jimmy2Cows Silver badge
        FAIL

        Re: "... a misuse, which is contractually prohibited."

        Have to wonder what action they could take? Tut a bit and send a strongly worded email to their point of contact in whichever agency is at fault. There you go. See? We took action.

        1. Michael Wojcik Silver badge

          Re: "... a misuse, which is contractually prohibited."

          No discount for that customer on the next sale. And we mean it.

  3. Chris G Silver badge

    So which licensed government agencies had it in for these particular civil rights lawyers and activists?

    1. RunawayLoop

      All of them.

  4. DanceMan

    "Because pedophiles"

    Of course.

    1. LDS Silver badge

      Re: "Because pedophiles"

      Like it or not, they do exist, and are a danger.

      All of this software can be used to fight crime, or to keep some class of people under illegal surveillance. Just like a gun can be used to protect you, or to rob/rape/kill you. It only depends on what legal framework allows their use and sales, and with what kind of control.

  5. Oneil Stuart

    Their defense?

    Did they really just use "what about the children and the poor terrorists and drug dealers" as their defense? In the same sentence?

  6. revenant Silver badge

    "This technology is rooted in the protection of human rights"

    'Rooted' as in 'root-kit', I presume.

    1. Michael Wojcik Silver badge

      Re: "This technology is rooted in the protection of human rights"

      It was a typo for "rooting out".

  7. Velv Silver badge
    Headmaster

    The complaint alleges [the NSO Group] violated both US and California laws as well as the WhatsApp Terms of Service, which prohibits this type of abuse.

    If you're breaking national laws, especially those of the prison-happy USA, who gives a fuck about breaking the Terms of Service?

    1. Cxwf

      This group isn’t based in the USA, so adding something that’s valid in the defendant’s home country, even if it’s a much smaller crime, is probably a good first step to getting the court to even pick up the case?

  8. Venerable and Fragrant Wind of Change
    Mushroom

    Civil case - no jail time

    Remind me. How long did the 'merkin legal system hold Marcus Hutchins on suspicion of developing malware?

    NSO not merely developed it, they actively marketed it. Why is this WhatsApp rather than the Government pursuing this?

    Or could the feds pick this one up, as they did against Sklyarov, or even US citizen Schwartz?

    AIUI the Israeli courts are not exactly toothless, either. Unless of course TPTB there protect NSO by keeping the whole thing out of court.

    1. BebopWeBop Silver badge

      Re: Civil case - no jail time

      It would be very surprising if Israeli TLAs did not only know about this but at least tacitly approved their use overseas. If they didn't then heads will roll I am sure.

  9. Pascal Monett Silver badge

    "strongly encrypted platforms are often used by pedophile rings, drug kingpins and terrorists"

    There we go again. Since some bad people use encryption, nobody else should be able to.

    Well, I have some similar information for you: guns are often used by drug kingpins and terrorists in the course of their criminal activity.

    Funnily enough, there is no call to limit the availability of guns.

    We need a merry-go-round icon.

    1. katrinab Silver badge
      WTF?

      Re: "strongly encrypted platforms are often used by pedophile rings, drug kingpins and terrorists"

      > "Funnily enough, there is no call to limit the availability of guns."

      There are plenty of people out there who want to repeal the 2nd. Also, here in the UK, availability of guns is very limited, and nobody wants to change that.

    2. Cxwf

      Re: "strongly encrypted platforms are often used by pedophile rings, drug kingpins and terrorists"

      While I appreciate your sentiment, you’ve missed the mark on both sides of this one.

      —there are LOTS of calls to limit the availability of guns.

      —This group didn’t call for reducing access to encryption. They are creating tools for targeted attacks on encryption, which is still bad, but in a different way.

      1. LDS Silver badge
        Facepalm

        "for targeted attacks on encryption, which is still bad, "

        You mean Turing & C. were bad people attacking Nazi encryption?

        1. Cxwf

          Re: "for targeted attacks on encryption, which is still bad, "

          A tool like this is only so good as the people wielding it. Turing & co were good people wielding their tools for a good purpose. Less good people would later use some of the principles they developed for bad purposes. And it appears that today, someone has used NSO’s tools for bad purposes (possibly NSO themselves, but I don’t know enough to say either way).

    3. LDS Silver badge

      Re: "strongly encrypted platforms are often used by pedophile rings, drug kingpins and terrorists"

      In any decent country gun availability is strictly controlled. Only the US has a second amendment, and its actual interpretation.

      Face it: either law enforcement agencies are able to investigate criminals somehow, including using vulnerabilities to get onto criminals' devices, or they will force the adoption of backdoors for everyone - and more people will suffer from damage inflicted by criminals - you can't break, for example, a mafia gang without intercepting communications - more people will be ready to accept backdoors - and then large-scale surveillance will be even easier for anybody willing to use such power for their advantage.

      If you believe they will accept a "safe haven" for criminals, I have a bridge to sell you.

      1. Malcolm Weir Silver badge

        Re: "strongly encrypted platforms are often used by pedophile rings, drug kingpins and terrorists"

        Truly unbreakable encryption is trivial, although it can get quite cumbersome (a one-time pad handling all 256 values for a byte requires 64K per plaintext character, which means a DVD could hold enough data to send about 73K of plaintext). So fundamentally what "law enforcement" are asking for are ways to snoop on suspects that are too lazy or stupid to use better privacy tools, so by definition _not_ the biggest threats.

  10. HmYiss

    In the strongest possible terms, we dispute today’s allegations etc etc etc

    yawn

    *slow clap*

    of course you do.

Biting the hand that feeds IT © 1998–2019