Comment by tptacek
4 years ago
Nobody has any credible story for how regulations would prevent stuff like this from happening. The problem is simple economics: with the current state of the art in software engineering, there is no way to push the cost of exploits (let alone supporting implant tech) high enough to exceed the petty cash budget of state-level actors.
I think we all understand that the medium-term answer to this is replacing C with memory-safe languages; it turns out, this was the real Y2K problem. But there's no clear way for regulations to address that effectively; assure yourself, the major vendors are all pushing forward with memory safe software.
Well, first of all the NGO group in its current form wouldn't exist if Israel regulated them, at the very least it wouldn't exist as a state-level equivalent actor.
Second of all if you can't push the costs high enough then it becomes time to limit the cash budget of state level actors. Which is hardly without precedent.
For some reason you seem to only be looking at this as a technology problem, while at the core it is far more political. Sure technology might help, but that's the raison d'etre of technology.
Sure, you can outlaw NSO itself. I won't complain! But all you're doing is smearing the problem over the globe. You can push this kind of work all the way to "universally acknowledged as organized crime", and it'll still happen, exactly the same way, with basically the same actors. You might even increase the incentives by doing it. Policy is complicated.
I really don't get this line of argument that regulation is useless. For example if you made it illegal for ex US gov workers to work at companies like these I would expect the vast majority to comply with this, so at the very minimum you would be limiting the available talent pool. The post several parents up talked about regulation for biological, nuclear, etc industries being effective, and although 'cyber' would never be treated in the same way, they're right, after all you don't see organized criminals running around with biological or radiological weapons now do you?
5 replies →
Well you can hardly complain it's impossible to make the cost of exploits high enough if you do nothing to restrict their funding. If a country lets them openly conduct business then it's no surprise they're well funded, which wouldn't be a problem if that country kept an eye on them to ensure they're not doing anything harmful, but predictably that didn't work out.
1 reply →
Isn’t this the security nihilism the article is addressing?
Israel does regulate them, you may think not well enough but likely there isn’t a single sale that wasn’t approved at a pretty high level based on their export license every sale requires an authorization.
I doubt they made a deal that didn’t directly served either Israeli or US foreign policy and security interest.
I don’t know about the NSO but another player in mobile tracking (Verint) tho very much more LEO oriented (SS7 tracking) had about a million failsafes that ensure that their software cannot be used to track or intercept US or Israeli numbers.
You're extremely correct, of course, but what I'm really proposing here is something much more boring than actually solving the technical problem(s). How about a dose of good old-fashioned bureaucracy? If you want to sell exploits, in a Western country, then yeah sure you can, but first you should have to go through an approval process and fill in a form for every customer and have them vetted, yada yada.
This wouldn't do anything to stop companies who base themselves in places like Russia. It wouldn't even really do anything to stop those who base themselves in the Seychelles. But, you want to base yourself in a real bona-fide country, like the USA or France or Israel or Singapore? Then you should have to play by some rules.
If you make people fill out paperwork to sell exploits in Israel, Germany, and the United States, they will sell exploits in Kuala Lumpur, Manila, and Kigali. I'm not saying you're expressing it at all, but there is a lot of chauvinism built into the most popular ideas for regulating exploits.
Yes, they certainly will. I'm not naive, or colonial, about that. But what more can we do than live out the standards that we want to see upheld in the world?
I'd be surprised if Israel didn't already regulate who NSO does business with.
Nor does anyone need one, yet. Again, the point of government -- force the dang discussion; that's what investigations, committees, et al are for.
It's fun to make fun of old people in ties asking (to us) stupid questions about technology in front of cameras, but at the end of the day, it's a crucial step in actually getting something done about all this.
>Nobody has any credible story for how regulations would prevent stuff like this from happening.
We do have some of those already.
https://www.faa.gov/space/streamlined_licensing_process/medi...
If the governments can't ban exploits, perhaps they can ban writing commercial programs in memory unsafe languages? Countries could agree on setting a goal, e.g. that by 2040 all OSs etc. need to use a memory safe language.