{"id":190267,"date":"2021-08-02T12:00:48","date_gmt":"2021-08-02T11:00:48","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=190267"},"modified":"2021-07-28T10:03:33","modified_gmt":"2021-07-28T09:03:33","slug":"the-insecurity-industry","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2021\/08\/the-insecurity-industry\/","title":{"rendered":"The Insecurity Industry"},"content":{"rendered":"
\n

26 Jul 2021 – The greatest danger to national security has become the companies that claim to protect it.<\/em><\/p>\n<\/blockquote>\n

1.<\/strong><\/h3>\n

The first thing I do when I get a new phone is take it apart. I don\u2019t do this\u00a0to satisfy a tinkerer\u2019s urge, or out of political principle, but simply because\u00a0it is unsafe to operate. Fixing the hardware, which is to say surgically removing the two or three tiny microphones hidden inside, is only the first step of an arduous process, and yet even after days of these DIY\u00a0security improvements, my smartphone will remain the most dangerous item I possess.<\/p>\n

\n
\"\"<\/a>
The microphones inside my actual phone, prepped for surgery<\/figcaption><\/figure>\n<\/div>\n

Prior to this week\u2019s Pegasus Project<\/a><\/strong>, a global reporting effort by major newspapers to expose the fatal consequences of the NSO Group<\/a>\u2014the new private-sector face of an out-of-control Insecurity Industry\u2014most smartphone manufacturers along with much of the world\u00a0press collectively\u00a0rolled their eyes at me whenever I publicly identified a fresh-out-of-the-box iPhone as a potentially lethal threat.<\/p>\n

Despite years of reporting that implicated the NSO Group\u2019s for-profit hacking of phones in the deaths and detentions of journalists and human rights defenders<\/a>; despite years of reporting that smartphone operating systems were riddled with catastrophic security flaws<\/a> (a circumstance aggravated by their code having been written in aging programming languages that have long been regarded as unsafe); and despite years of reporting that even when everything works as intended<\/em>, the mobile ecosystem is a dystopian hellscape of end-user monitoring<\/a> and outright end-user manipulation, it is still hard for many people to accept that something that feels<\/em> good may not\u00a0in fact\u00a0be <\/em>good. Over the last eight years I\u2019ve often felt like someone trying to convince their one friend who refuses to grow up to quit smoking and cut back on the booze\u2014meanwhile, the magazine ads still say \u201cNine of Ten Doctors Smoke iPhones!\u201d and \u201cUnsecured Mobile Browsing is Refreshing!\u201d<\/p>\n

In my infinite optimism, however, I can\u2019t help but regard the\u00a0arrival of the Pegasus Project<\/a><\/strong>\u00a0as a turning-point\u2014a well-researched, exhaustively-sourced, and frankly crazy-making story about a \u201cwinged\u201d \u201cTrojan Horse\u201d infection named \u201cPegasus\u201d that basically turns the phone in your pocket into an all-powerful tracking device that can be turned on or off, remotely, unbeknownst to you, the pocket\u2019s owner.<\/p>\n

Here is how the Washington Post<\/em> describes<\/a><\/strong> it:<\/p>\n

\"\"<\/a><\/p>\n

In short, the phone in your hand exists in a state of perpetual insecurity, open to infection by anyone willing to put money in the hand of this new Insecurity Industry. The entirety of this Industry\u2019s business involves cooking up new kinds of infections that will bypass the very latest digital vaccines\u2014AKA security updates\u2014and then selling them to countries that occupy the red-hot intersection of a Venn Diagram between \u201cdesperately craves the tools of oppression\u201d and \u201csorely lacks the sophistication to produce them domestically.\u201d<\/p>\n

An Industry like this, whose\u00a0sole purpose is the production of vulnerability, should be dismantled.<\/p>\n

2.<\/strong><\/p>\n

Even if we woke up tomorrow and the NSO Group and all of its private-sector ilk had been wiped out by the eruption of a particularly public-minded volcano,\u00a0it wouldn\u2019t change the fact that we\u2019re in the midst of the greatest crisis of computer security in computer history.\u00a0The people creating the software behind every device of any significance\u2014the people who help to make Apple, Google, Microsoft, an amalgamation of miserly chipmakers who want to sell things, not fix things, and the well-intentioned Linux developers who want to fix things, not sell things\u2014are all happy to write code in programming languages that we know<\/a><\/em> are unsafe, because, well, that\u2019s what they\u2019ve always done, and modernization requires a significant effort, not to mention significant expenditures. The vast<\/em> majority of vulnerabilities that are later discovered and exploited by the Insecurity Industry are introduced, for technical reasons related to how a computer keeps track of what it\u2019s supposed to be doing, at the exact time the code is written, which makes choosing a safer language<\/a> a crucial protection… and yet it\u2019s one that few ever undertake.<\/p>\n

\n
\"\"<\/a>
Google said 70% of serious bugs in its Chrome Browser are related to memory safety. These can be reduced by using safer programming languages.<\/figcaption><\/figure>\n<\/div>\n

If you want to see change, you need to incentivize change. For example, if you want to see Microsoft have a heart attack, talk about the idea of defining legal liability for bad code in a commercial product.\u00a0If you want to give Facebook nightmares, talk about the idea of making it legally liable for any and all leaks of our personal records\u00a0that a jury can be persuaded were unnecessarily collected. Imagine how quickly Mark Zuckerberg would start smashing the delete key.<\/p>\n

Where there is no liability, there is no accountability… and this brings us to the State.<\/p>\n

3.<\/strong><\/p>\n

State-sponsored hacking has become such a regular competition that it should have its own Olympic category in Tokyo. Each country denounces the others\u2019 efforts as a crime, while refusing to admit culpability for its own infractions. How, then, can we claim to be surprised when Jamaica shows up with its own bobsled team? Or when a private company calling itself \u201cJamaica\u201d shows up and claims the same right to \u201ccool runnings<\/a>\u201d as a nation-state?<\/p>\n

If hacking is not illegal when we do it, then it will not be illegal when they do it\u2014and \u201cthey\u201d is increasingly becoming the private sector. It\u2019s a basic principle of capitalism: it\u2019s just business. If everyone else is doing it, why not me?<\/p>\n

This is the superficially logical reasoning that has produced pretty much every proliferation problem in the history of arms control, and the same mutually assured destruction implied by a nuclear conflict is all-but guaranteed<\/a> in a digital one, due to the network\u2019s interconnectivity, and homogeneity.<\/p>\n

Recall our earlier topic of the NSO Group\u2019s Pegasus, which especially but not exclusively targets iPhones. While iPhones are more private by default and, occasionally, better-engineered from a security perspective than Google\u2019s Android operating system, they also constitute a monoculture<\/a>: if you find a way to infect one of them, you can (probably) infect all of them, a problem exacerbated by Apple\u2019s black-box refusal to permit customers to make any meaningful modifications to the way iOS\u00a0devices operate. When you combine this monoculture and black-boxing\u00a0with Apple\u2019s nearly universal popularity among the global elite,\u00a0the reasons for the NSO Group\u2019s iPhone fixation become apparent.<\/p>\n

Governments must come to understand that permitting\u2014much less subsidizing\u2014the existence of the NSO Group and its malevolent peers does not serve their interests, regardless of where the client, or the client-state, is situated along the\u00a0authoritarian axis: the last President of the United States spent all of his time in office when he wasn\u2019t playing golf tweeting from an iPhone<\/a>, and I would wager that half of the most senior officials and their associates in every other<\/em> country were reading those tweets on their<\/em> iPhones (maybe on the golf course).<\/p>\n

Whether we like it or not, adversaries and allies share a common environment, and with each passing day, we become increasingly dependent on devices that run a common code.<\/p>\n

The idea that the great powers of our era\u2014America, China, Russia, even Israel\u2014are interested in, say,\u00a0Azerbaijian attaining strategic parity in intelligence-gathering is, of course, profoundly mistaken. These governments have simply failed to grasp the threat,\u00a0because the capability-gap hasn\u2019t vanished\u2014yet.<\/p>\n

4.<\/strong><\/p>\n

In technology as in public health, to protect anyone, we must protect everyone. The first step in this direction\u2014at least the first digital step\u2014must be to ban\u00a0the commercial trade in intrusion software. We do not permit a market in biological infections-as-a-service, and the same must be true for digital infections. Eliminating the profit motive reduces the risks of proliferation while protecting progress, leaving room for publicly-minded research and inherently governmental work.<\/p>\n

While removing intrusion software from the commercial market doesn\u2019t also take it away from states, it does<\/em> ensure that reckless drug dealers and sex-criminal Hollywood producers who can dig a few million out of their couch cushions won\u2019t be able to infect any or every iPhone on the planet, endangering the\u00a0latte-class\u2019 shiny slabs of status.<\/p>\n

Such a moratorium, however, is mere triage: it only buys us time. Following a ban, the next step is liability.\u00a0It is crucial to understand that neither the scale of the NSO Group\u2019s business, nor the consequences it has inflicted on global society, would have been possible without access to global capital from amoral firms like Novalpina Capital (Europe) and Francisco Partners (US). The slogan is simple: if companies are not divested, the owners should be arrested. The exclusive product of this industry is intentional, foreseeable harm, and these companies are witting accomplices. Further, when, a business is discovered to be engaging in such activities at the direction of a state<\/a>, liability should move beyond more pedestrian civil and criminal codes to invoke a coordinated international response.<\/p>\n

\"\"<\/a>

Diplomacy by other means<\/p><\/div>\n

5. <\/strong><\/p>\n

Imagine you\u2019re the Washington Post<\/em>\u2019s Editorial Board (first you\u2019ll have to get rid of your spine). Imagine having your columnist murdered<\/em> and responding with a whispered appeal to the architects of that murder that next time they\u00a0should just fill out a bit more paperwork<\/a>. Frankly, the Post<\/em>\u2019s response to the NSO scandal is so embarrassingly weak that it is a scandal in itself: how many of their writers need to die for them to be persuaded that process is not a substitute for prohibition?<\/p>\n

Saudi Arabia, using \u201cPegasus,\u201d hacked the phones<\/a> of Jamal Khashoggi\u2019s ex-wife, and of his fianc\u00e9e, and used the information gleaned to prepare for his monstrous killing and its subsequent cover-up.<\/p>\n

But Khashoggi is merely the most prominent of Pegasus\u2019 victims \u2014 due to the cold-blooded and grisly nature of his murder.\u00a0The NSO Group\u2019s \u201cproduct\u201d (read: \u201ccriminal service\u201d) has been used to spy\u00a0on countless other journalists, judges, and even teachers. On opposition candidates<\/a>, and on targets\u2019 spouses and children, their doctors,\u00a0their lawyers, and even their priests<\/a>. This is what people who think a ban is \u201ctoo extreme\u201d always miss: this Industry sells the opportunity to gun down reporters you don\u2019t like at the car wash<\/a>.<\/p>\n

If we don\u2019t do anything to stop the sale of this technology, it\u2019s not just going to be 50,000 targets: It\u2019s going to be 50 million targets, and it\u2019s going to happen much more quickly than any of us expect.<\/p>\n

This will be the future: a world of people too busy playing with their phones to even notice that someone else\u00a0controls them.<\/p>\n

________________________________________________<\/em><\/p>\n

\"\"<\/a><\/em>Born in North Carolina in 1983 Edward Snowden, <\/em>former CIA officer and whistleblower, worked for the National Security Agency through subcontractor Booz Allen in the NSA’s Oahu (Honolulu) office, where he began collecting top-secret documents regarding NSA surveillance practices that he found disturbing. After he fled to Hong Kong\u00a0 newspapers began printing documents that he leaked to them, many detailing invasive spying practices against American citizens, world leaders, corporations and foreign governments through metadata collection of phone calls, email messages, social media activities, plus dissemination of malicious software and viruses throughout computers worldwide. The U.S. has charged Snowden under the Espionage Act but he is hailed around the world as a hero. He remains in exile in Russia, with the U.S. government working on extradition. <\/em>Snowden is the author of \u201c<\/em>Permanent Record\u201d and is the president of <\/em>Freedom of the Press Foundation<\/em><\/a>, a nonprofit that defends public-interest journalism in the 21st century. <\/em><\/p>\n

Go to Original – edwardsnowden.substack.com<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

26 Jul 2021 – The greatest danger to national security has become the companies that claim to protect it. The first thing I do when I get a new phone is take it apart simply because it is unsafe to operate. Surgically removing the two or three tiny microphones hidden inside is only the first step of an arduous process.<\/p>\n","protected":false},"author":4,"featured_media":187646,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[910,1082,958,2607,1017,125,88,378,234,2608,2606,1220,1277,1109,911],"class_list":["post-190267","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-whistleblowing-surveillance","tag-big-brother","tag-cellphones","tag-control","tag-forbidden-stories","tag-freedom-of-information","tag-freedom-of-the-press","tag-israel","tag-journalism","tag-media","tag-nso","tag-pegasus-project","tag-privacy","tag-privacy-rights","tag-spying","tag-surveillance"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/190267","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=190267"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/190267\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media\/187646"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=190267"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=190267"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=190267"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}