#being sold outside nso | Explore Tumblr Posts and Blogs

mostlysignssomeportents · 3 years

Text

The infosec apocalypse is nigh

When the Pegasus Project dropped last week, it was both an ordinary and exceptional moment. The report — from Amnesty, Citizenlab, Forbidden Stories, and 80 journalists in 10 countries — documented 50,000 uses of the NSO Group’s Pegasus malware.

https://www.occrp.org/en/the-pegasus-project/

The 50,000 targets of NSO’s cyberweapon include politicians, activists and journalists. The Israeli arms-dealer — controlled by Novalpina Capital and Francisco Partners — has gone into full spin mode.

NSO insists that the report is wrong, but also that it’s fine to spy on people, and also that terrorists will murder us all if they aren’t allowed to reap vast fortunes by helping the world’s most brutal dictators figure out whom to kidnap, imprison and murder.

As I say, all of this is rather ordinary. The NSO Group’s bloody hands, immoral practices and vicious retaliation against critics are well established.

It’s been four years since NSO’s assurances that it only sold spying tools to democratic states to hunt terrorists were revealed as lies, when Citizenlab revealed that its weapons targeted Mexican anti-sugar activists (and their children).

https://citizenlab.ca/2017/06/reckless-exploit-mexico-nso/

Then Citizenlab found 45 more countries where NSO’s Pegasus weapon had been used, and demonstrated that notorious human-rights abusers got help from NSO to target everyday citizens to neutralize justice struggles.

https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/

Outside of human rights and cybersecurity circles, the story drew little attention, but it did prick NSO’s notoriously thin skin — the company dispatched (inept) private spooks, late of the Mossad, to entrap Citizenlab’s researchers.

https://www.nytimes.com/2019/01/28/world/black-cube-nso-citizen-lab-intelligence.html

As far as we know, the company never managed to infiltrate any of Citizenlab’s systems — but their weapons were found on the devices of an Israeli lawyer suing them for their role in human rights abuses.

https://www.nytimes.com/2019/05/13/technology/nso-group-whatsapp-spying.html

That had some consequences. The attack exploited a vulnerability in Whatsapp, owned by Facebook. FB retaliated by suing — and terminating NSO Group employees’ Facebook accounts. Judging from NSO’s outraged squeals, getting kicked of FB hurt far worse.

https://www.vice.com/en/article/7x5nnz/nso-employees-take-legal-action-against-facebook-for-banning-their-accounts

Through it all, the NSO Group insisted that its tools were vital anti-terror weapons — not the playthings of rich sociopaths with long enemies lists.

They continued these claims even after Pegasus was linked to the blackmail attempt against Jeff Bezos, in a bid by Saudi royals to end the Washington Post’s investigative reporting on the murder and dismemberment of the journalist Jamal Khashoggi.

https://www.vice.com/en/article/v74v34/saudi-arabia-hacked-jeff-bezos-phone-technical-report

Despite all this — attacks on the powerful and the powerless, grisly deaths and farce-comedy entrapment attempts — NSO Group plowed on, raking in millions while undermining the security of the devices that billions of us rely on for our own safety.

Until now.

Something about the Pegasus Project shifted the narrative. Maybe it’s the ransomware epidemic, shutting down hospitals, energy infrastructure, and governments — or maybe it’s the changing tide that has turned on elite profiteers. Whatever it is, people are pissed.

Finally.

I mean, when Edward Snowden calls for the owners of a cybercrime company to be arrested, people sit up and pay attention. But Snowden’s condemnation of NSO and its industry are just for openers.

https://edwardsnowden.substack.com/p/ns-oh-god-how-is-this-legal

Snowden describes NSO as part of an “Insecurity Industry” that owes its existence to critical vulnerabilities in digital devices in widespread use. They spend huge sums discovering these vulns — and then, rather than reporting them so they can be fixed, they weaponize them.

As Snowden points out, this is not merely a private sector pathology. Governments — notably the US government, through the NSA’s Tailor Access Operations Group — engage in the same conduct.

Indeed, as with all digital surveillance, there’s no meaningful difference between private and public spying. Governments rely on tech and telecoms giants for data (which they buy, commandeer, or steal, depending on circumstances).

This, in turn, creates powerful security/public safety advocates for unlimited commercial surveillance, to ensure low-cost, high-reliability access to our private data. Those agencies stand ready to quietly scuttle comprehensive commercial privacy legislation.

This private-public partnership from hell extends into the malware industry: the NSA and CIA can’t, on their own, create enough cyber-weapons to satisfy all government agencies’ demand, so they rely on (and thus protect) the Insecurity Industry.

But as Snowden points out, none of this would be possible were it not for the vast, looming, grotesque tech-security debt that the IT industry has created for us. Everything we use is insecure, and it’s built atop more insecure foundations.

We live in an information society with catastrophic information security. If our society was a house, the walls would all be made of flaking asbestos and the attic would be stuffed with oily rags.

It’s hard to overstate just how much risk we face right now, and while the Insecurity Industry didn’t create that risk, they’re actively trying to increase it — finding every weak spot and widening it as far as possible, rather than shoring it up.

It’s a cliche: “Security is a team sport.” But I like how Snowden puts it: security is a public health matter. “To protect anyone, we must protect everyone.”

Step one is “to ban the commercial trade in intrusion software” for the same reason we “do not permit a market in biological infections-as-a-service.”

We should punish the cyber-arms dealers — but also use international courts to target the state actors who pay them.

But this fight will be a tough one. The huge sums that governments funnel to cyber arms-dealers allows them to silence their critics — I’ve been forced to remove some of my own coverage thanks to baseless threats I couldn’t afford to fight.

Writing in today’s Guardian (who also removed unfavorable coverage of NSO Group following legal threats), Arundhati Roy demolishes the company’s claims of clean hands.

https://www.theguardian.com/commentisfree/2021/jul/27/spying-pegasus-project-states-arundhati-roy

After all, NSO charges a 17% “system maintenance fee” that gives them oversight and insight into how their tools are being used by the demagogues and dictators who shower them with money.

https://www.thecitizen.in/index.php/en/newsdetail/index/9/20672/pegasus-hack-how-much-did-it-cost-to-spy-on-citizens

“There has to be something treasonous about a foreign corporation servicing and maintaining a spy network that is monitoring a country’s private citizens on behalf of that country’s government.” -Roy

The NSO Group claims that the human rights abuses it abets are exceptions that slip through the cracks, but the reality is, it has no business model without state terror — without powerful thugs who demand weapons to help jail, torture and kill their critics.

NSO, more than anyone, should know this. But as Upton Sinclair wrote, “It is difficult to get a man to understand something when his salary depends upon his not understanding it.”

#pluralistic

171 notes · View notes

beardycarrot · 3 years

Text

Nintendo Direct tonight. We’re finally, finally getting getting a title and release date for the sequel to Breath of the Wild. My money’s on fall, but before the holidays... Maybe as early as September? Still considering Reach Through the Ages to be the perfect title until we get more details proving there isn’t time travel. Which we won’t because THERE WILL TOTALLY BE TIME TRAVEL.

There’s a chance we’ll also see the next mainline Pokemon game... but considering Pokemon Day is just a few weeks away, I’m betting we’ll get a proper Pokemon Direct at the end of the month. Either way, I feel like we can expect some DLC courses to be announced for New Pokemon Snap pretty soon. Possibly Hisui-centric?

METROID PRIME 4 BAYBEE. It’s time. I can feel it. It’s been so long since the game was announced, so long even since they scrapped what they had and restarted production at Retro, and Metroid Dread made a huge splash. Now is the time to show off the game, and I am BEYOND excited. What will the game feature? No idea! Maybe it’ll be like Prime 3 with the ability to travel between planets whenever you want, and also allow you to stop be Samus’ Space Condo to just chill out for a while. Maybe, despite being a Prime game, it won’t be in the same time period as the others, and will also be post-Fusion. Maybe! You’ll actually be able to take on bounties! And actually work as a bounty hunter! I’d like that.

There have also been a lot of rumors of a Metroid Prime remake... that would be cool, but the original game still looks and controls great, and I can play it on my Gamecube or Wii U. It would be interesting if Nintendo decided to add Gamecube games to NSO, and alongside the Prime remake they also launched the original version on the service, but I dunno, that seems unlikely.

Is it finally time for Mario Kart 9? Have MK8′s sales slowed enough to convince Nintendo to move on?

...Nope!

It is time for a remake of the original Golden Sun, though. With as disastrous as Golden Sun: Dark Dawn was (I mean, that was genuinely a bad way to continue the series), they’re unlikely to do a follow-up on its cliffhanger ending without first establishing that it’s something people want. To test the waters... remake the old games that people actually like! Makes sense to me, anyway.

Luigi’s Mansion 3 was another big hit, so they’re definitely working on the next game in that series. Maybe we’ll see it at E3?

Also at E3, we should see an in-depth look at Super Mario Odyssey 2... with our first peek coming today! Yep, calling it. It’ll be just a small taste, the thing they end the show with, but we’re going to see Luigi with a bowler cap ghost, and Peach is going to be playable, and uhh... Bowser and Tatanga kidnap Daisy? Yeah. And we’ll see Delfino Isle, and the Chai Kingdom from Super Mario Land, which will be re-imagined as a monochromatic Chinese horror-themed level. Also Mario will have a Link costume. Oh, and a Subcon level. Snakes and vases. And a Yoshi’s Island level. Man, this game is gonna have a lot of kingdoms, if four of them are pulled from older games.

Mario + Rabbids is a thing we’ll see. I guess. Rabbid Waluigi is going to be horrifying.

Know what? Ring Fit Adventure 2. Sure, why not. Nintendo usually announces things that involve proprietary hardware outside of Directs, but I’m going wild with speculation, so WHY NOT. Ring Fit sold over eleven million copies before seeing a price drop for the holidays last year, making Nintendo nearly a billion dollars, so they’re definitely going to be looking to do it again.

Haven’t heard anything about Fire Emblem for a while. Probably getting a new Fire Emblem at some point.

Untitled Goose Game sequel?

SPLATOON 3! I... don’t actually know what they could show off, other than some minor new mechanics and a release date. I’m still holding out hope that the desert area the game’s campaign seems to take place in is open-world to some extent, but I’m not entirely sure how that would work out.

We’re long, long overdue for Pikmin 4... and hey, I wouldn’t turn my nose up at an Arms 2. Xenoblade Chronicles 3 was supposedly meant to be shown last year but was pushed back, so we could see that... I really need to play Xenoblade 2, I received it as a gift a couple years ago and haven’t gotten around to it.

Dragon Quest.

Will a new Dragon Quest, Dragon Quest XII, be announced in a Nintendo Direct? Absolutely not. However, we could see a Dragon Quest Builders 3, enhanced ports of the 3DS remakes, and ports/remakes of the Slime Mori Mori games. Which I desperately want, because only the second game in the series came out here, and I never got to play the others.

So. There’s my list of demands. Now we just have to wait six hours for all my hopes and dreams to be smashed to bits by the cold hand of reality.

Except for BotW2. Gettin’ that title and release date today, and I am PUMPED!

#nintendo #nintendo direct #botw2

7 notes · View notes

johnvazhathara · 3 years

Text

The hacking of Indian democracyNational security is important, but it can have an impact on human rights and civil liberties

03/08/2021

The Pegasus revelations reflect an attack on Indian democracy and Indian citizens. Was the government directly responsible for the surveillance of a select group of Indian activists, politicians and journalists and others? Or was the surveillance at the instance of a private player? With the government in denial, a commission of inquiry by a sitting Supreme Court judge can alone unravel the mystery.

National security is important, but it can have an impact on human rights and civil liberties. The use of surveillance has serious implications for privacy. But the list of people targeted prima facie shows that national security is a pretext to suppress political and societal dissent in India.

Acting according to conscience

Pegasus is a technology sold to governments to fight terrorism. The Israeli Supreme Court, in September 1999, said in Public Committee Against Torture in Israel v. Israel that shaking, waiting in the ‘Shabach’ position, the frog crouch, excessively tight handcuffs and sleep deprivation were illegal. It held that they granted General Security Service investigators “the authority to apply physical force during interrogation of suspects suspected in involvement of... terrorist activities, thereby harming suspects’ dignity and liberty”. This, it said, “raises basic questions of law and society, of ethics and policy and of the rule of law and security.”

Speaking for the Court, President A. Barak declared, “This decision opened with a description of difficult reality in which Israel finds herself... We are aware that this decision does make it easier to deal with that reality. This is the destiny of a democracy... A democracy must sometimes fight with one hand tied behind its back. Even so, a democracy has the upper hand. The rule of law and the liberty of an individual constitute important components in its understanding of security.” He concluded, “We are aware of the harsh reality of terrorism in which we are, at times, immersed. The possibility that this decision will hamper the ability to... deal with terrorist and terrorism disturbs us. We are, however, judges... in deciding the law we must act according to our purest conscience.”

NSO Group and the Indian government must be reminded of these words. In the name of fighting terrorism, democracy cannot be undermined. Indian democracy is founded with the cherished ideals enshrined in the Constitution. It belongs to the people and not to political parties. The surveillance of the target group raises doubts about the functioning of democracy in India. The chilling effect, if the government were to succeed, would be to turn democracy into a dictatorship. The government has a constitutional duty to protect the fundamental and human rights of its citizens, irrespective of who they are. Even if the government is not complicit in the surveillance, it has miserably failed in discharging this duty. There is clear evidence that the rule of law has been undermined. More evidently, this reflects extremely poor governance. The Intelligence Bureau, the Research and Analysis Wing, and the National Security Council Secretariat should have forewarned the government and citizens against such surveillance seriously violating privacy and fundamental rights. Their silence speaks volumes about either complicity or poor governance. This being the case, an inquiry at the highest level under the supervision of the judiciary is a constitutional necessity. If this does not take place, India will cease to call itself a democracy.

The Supreme Court, in K.S. Puttaswamy v. Union of India (2017), declared privacy a constitutionally protected value. The right to privacy is not absolute and its curtailment can take place only under a law which is just, reasonable and fair and subject to constitutional safeguards.

India is a signatory to the Universal Declaration of Human Rights. Article 12 provides that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” The International Covenant on Civil and Political Rights, also signed by India, in Article 17 states, “No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” In K.S. Puttaswamy, the Supreme Court noted India’s commitments under international law and held that by virtue of Article 51 of the Constitution, India has to endeavour to “foster respect for international law and treaty obligations...” The Protection of Human Rights Act, 1993 is a fallout of this commitment.

Recommendations of UNHCHR

The annual report of the United Nations High Commissioner for Human Rights (UNHCHR) in 2014 made fundamental observations and recommendations on “digital communications technologies”. It said, “by amplifying the voices of human rights defenders and providing them with new tools to document and expose abuses, these powerful technologies offer the promise of improved enjoyment of human rights.” But “communications technologies also have enhanced the capacity of Governments, enterprises and individuals to conduct surveillance, interception and data collection....”

Earlier, due to concerns of member states, the General Assembly adopted Resolution 68/167 affirming that rights held by people offline must also be protected online and called upon all states to respect and protect the right to privacy, including in digital communication.

The UNHCHR report also stated, “Judicial involvement that meets international standards relating to independence, impartiality and transparency can help to make it more likely that the overall statutory regime will meet the minimum standards that international human rights law requires. At the same time, judicial involvement in oversight should not be viewed as a panacea...” It recommended an independent oversight body to keep checks and stated, “The International Covenant on Civil and Political Rights requires states parties to ensure that victims of violations of the Covenant have an effective remedy....” The report also dealt with the role of businesses and stated that when a state requires that an information and communications technology company provide user data, it can only supply it in respect of legitimate reasons.

Surprisingly, NSO, in its Transparency and Responsibility Report 2021, informed interested parties that it “strives to guarantee that our products are used... safely, effectively and ethically.” If described options available if one of its customers “has acted in bad faith, or used one of our tools to target the electronic communications of someone who falls outside the prescribed target scope.” It outlined the range of options available to it if this happened, including “completely ending a customer’s access to our systems, as a situation may warrant.” It stated, “We very much see today’s release as a newly added necessity to the complex, ongoing international debate over electronic surveillance. We are opening our own processes to even deeper scrutiny...” Was this report prepared fearing the worst in the wake of the ongoing international debate?

Indians have a right to call upon NSO to terminate the agreement, if any, with the Indian government or any private player and to cooperate with citizens to unravel the truth.

Dushyant Dave is a Senior Advocate and former President of the Supreme Court Bar Association

0 notes

newstfionline · 7 years

Text

Spyware Sold to Mexican Government Targeted International Officials

By Azam Ahmed, NY Times, July 10, 2017

MEXICO CITY--A team of international investigators brought to Mexico to unravel one of the nation’s gravest human rights atrocities was targeted with sophisticated surveillance technology sold to the Mexican government to spy on criminals and terrorists.

The spying took place during what the investigators call a broad campaign of harassment and interference that prevented them from solving the haunting case of 43 students who disappeared after clashing with the police nearly three years ago.

Appointed by an international commission that polices human rights in the Americas, the investigators say they were quickly met with stonewalling by the Mexican government, a refusal to turn over documents or grant vital interviews, and even a retaliatory criminal investigation.

Now, forensic evidence shows that the international investigators were being targeted by advanced surveillance technology as well.

The main contact person for the group of investigators received text messages laced with spyware known as Pegasus, a cyberweapon that the government of Mexico spent tens of millions of dollars to acquire, according to an independent analysis. The coordinator’s phone was used by nearly all members of the group, often serving as a nexus of communication among the investigators, their sources, the international commission that appointed them and the Mexican government.

Beyond that, the investigators say they received identical text messages on their own phones, too, luring them to click on links that secretly unlock a target’s smartphone and turn it into a powerful surveillance device. Calls, emails, text messages, calendars and contacts can all be monitored that way. Encrypted messages become worthless. Even the microphone and camera on a smartphone can be used against its owner.

The effort to spy on international officials adds to a sweeping espionage offensive in Mexico, where some of the country’s most prominent journalists, human rights lawyers and anticorruption activists have been the targets of the same surveillance technology. But the new evidence shows that the spying campaign went beyond the nation’s domestic critics.

It also swept up international officials who had been granted a status akin to diplomatic immunity as well as unprecedented access to investigate a case that has come to define the nation’s broken rule of law--and the legacy of its president, Enrique Peña Nieto.

Surveillance under Mexican law can be conducted only with the authorization of a federal judge, and only if the government can show cause to do so. But the kind of diplomatic immunity the investigators received meant that it was extremely unlikely that a federal judge would have been allowed to sign off on such a warrant, the investigators said.

“You are not just hacking anyone’s phone, you are hacking the phone of someone who has been granted immunity,” said Francisco Cox, one of the investigators and a prominent Chilean lawyer. “They couldn’t even search my bags in the airport.”

“If this can happen to an independent body that has immunity and that is invited by the government, it is a bit scary to think of what could happen to a common citizen in Mexico,” he said.

Since 2011, Mexico has purchased at least $80 million worth of the spyware, which is sold exclusively to governments, and only on the condition that it be used against terrorists and criminals. But an investigation by The New York Times and forensic cyberanalysts in recent weeks determined that the software had been used against some of the country’s most influential academics, lawyers, journalists and their family members, including a teenage boy.

The government has denied responsibility for the espionage, adding that there is no ironclad proof because the spyware does not leave behind the hacker’s individual fingerprints. It has promised a thorough investigation, vowing to call on specialists from the United Nations and the F.B.I. for help. One of the surveillance targets, the forensic analysis showed, was a United States lawyer representing victims of sexual assault by the Mexican police.

“This case just on its face--and presuming the veracity of the allegations--is serious enough to warrant the creation of an international commission,” said James L. Cavallaro, a commissioner on the Inter-American Commission on Human Rights, which appointed the group of experts. “The commission shares the concerns of others: How can the government be trusted to investigate its own alleged violation of citizen rights given its track record in this matter?”

Another commissioner, Esmeralda Arosemena de Troitiño, backed the idea of an independent inquiry. “This investigation should find both the material and intellectual authors of the alleged spying,” she said.

Top officials from the nation’s main opposition party have come forward to say that they, too, have been targeted, raising the pressure on the government. The head of the National Action Party, Ricardo Anaya, says his party is pushing for a congressional committee to conduct its own inquiry and will also formally demand an international investigation into the spying.

“The grand tragedy of Mexico is impunity. Horrible things occur, and nothing happens,” he said. “This time, we will not let that happen.”

The disappearance of the students in September 2014 ignited an enormous outcry in Mexico. Hundreds of thousands poured into the streets to protest a case that, to many, represented all that afflicts Mexico, a nation where about 30,000 people have disappeared and more than 100,000 have been killed in the decade-long churn of the drug war.

The anger also focused on Mr. Peña Nieto, whose determination to change the narrative of his country from one of desperate violence to economic promise was suddenly, and permanently, upended. The outrage has been matched only by the disbelief that, almost three years later, nearly all of the 43 students are still missing. The remains of one have been discovered. Fragments of another may also have been identified. The rest of the students, whether dead or alive, have not been found.

Many Mexicans believed that their best chance of finding out what really happened to the students lay with the international investigators, who were appointed by the Inter-American Commission on Human Rights, a regional body based in Washington that monitors countries and can refer cases to court. But the investigators said the government essentially obstructed their inquiry and then cast them out by refusing to extend their mandate--evidence, they said, that the government simply did not want the case solved.

Still, it is hard to prove who ordered the spying. Even the manufacturer of the spyware, an Israeli cyberarms manufacturer called the NSO Group, says it cannot determine who, precisely, is behind specific hacking attempts using its technology.

But the company says that it sells its surveillance tools only to governments, and that stringent safeguards prevent them from being used by anyone outside of the government agencies that purchase the technology.

Moreover, once a person’s phone is targeted, researchers can verify that the spyware has been deployed by examining the text message to determine whether it points to a server running NSO’s technology. They have confirmed at least 19 cases in Mexico involving human rights lawyers, anticorruption activists, journalists and, now, international officials.

“Citizen Lab and our partners are finding people targeted with NSO spyware almost wherever we look in Mexico,” said John Scott-Railton, a senior researcher at Citizen Lab at the Munk School of Global Affairs at the University of Toronto, which has worked with the digital rights group R3D in Mexico to identify the spyware on the phones of targeted activists and officials.

“I have never seen anything that matches the scale and scope of this case,” he said of the surveillance campaign in Mexico.

#Mexico #spyware in Mexico #Pegasus spyware #surveillance in Mexico

0 notes

newstfionline · 7 years

Text

Using Texts as Lures, Government Spyware Targets Mexican Activists and Their Families

By Azam Ahmed and Nicole Perlroth, NY Times, June 19, 2017

MEXICO CITY--Mexico’s most prominent human rights lawyers, journalists and anti-corruption activists have been targeted by advanced spyware sold to the Mexican government on the condition that it be used only to investigate criminals and terrorists.

The targets include lawyers looking into the mass disappearance of 43 students, a highly respected academic who helped write anti-corruption legislation, two of Mexico’s most influential journalists and an American representing victims of sexual abuse by the police. The spying even swept up family members, including a teenage boy.

Since 2011, at least three Mexican federal agencies have purchased about $80 million worth of spyware created by an Israeli cyberarms manufacturer. The software, known as Pegasus, infiltrates smartphones to monitor every detail of a person’s cellular life--calls, texts, email, contacts and calendars. It can even use the microphone and camera on phones for surveillance, turning a target’s smartphone into a personal bug.

The company that makes the software, the NSO Group, says it sells the tool exclusively to governments, with an explicit agreement that it be used only to battle terrorists or the drug cartels and criminal groups that have long kidnapped and killed Mexicans.

But according to dozens of messages examined by The New York Times and independent forensic analysts, the software has been used against some of the government’s most outspoken critics and their families, in what many view as an unprecedented effort to thwart the fight against the corruption infecting every limb of Mexican society.

“We are the new enemies of the state,” said Juan E. Pardinas, the general director of the Mexican Institute for Competitiveness, who has pushed anti-corruption legislation. His iPhone, along with his wife’s, was targeted by the software, according to an independent analysis. “Ours is a society where democracy has been eroded,” he said.

The deployment of sophisticated cyberweaponry against citizens is a snapshot of the struggle for Mexico itself, raising profound legal and ethical questions for a government already facing severe criticism for its human rights record. Under Mexican law, only a federal judge can authorize the surveillance of private communications, and only when officials can demonstrate a sound basis for the request.

It is highly unlikely that the government received judicial approval to hack the phones, according to several former Mexican intelligence officials. Instead, they said, illegal surveillance is standard practice.

“Mexican security agencies wouldn’t ask for a court order, because they know they wouldn’t get one,” said Eduardo Guerrero, a former analyst at the Center for Investigation and National Security, Mexico’s intelligence agency and one of the government agencies that use the Pegasus spyware. “I mean, how could a judge authorize surveillance of someone dedicated to the protection of human rights?”

“There, of course, is no basis for that intervention, but that is besides the point,” he added. “No one in Mexico ever asks for permission to do so.”

The hacking attempts were highly personalized, striking critics with messages designed to inspire fear--and get them to click on a link that would provide unfettered access to their cellphones.

Carmen Aristegui, one of Mexico’s most famous journalists, was targeted by a spyware operator posing as the United States Embassy in Mexico, instructing her to click on a link to resolve an issue with her visa. The wife of Mr. Pardinas, the anti-corruption activist, was targeted with a message claiming to offer proof that he was having an extramarital affair.

For others, imminent danger was the entry point, like a message warning that a truck filled with armed men was parked outside Mr. Pardinas’s home.

“I think that any company that sells a product like this to a government would be horrified by the targets, of course, which don’t seem to fall into the traditional role of criminality,” said John Scott-Railton, a senior researcher at Citizen Lab at the Munk School of Global Affairs at the University of Toronto, which examined the hacking attempts.

The Mexican government acknowledges gathering intelligence against legitimate suspects in accordance with the law. “As in any democratic government, to combat crime and threats against national security the Mexican government carries out intelligence operations,” it said in a statement.

But the government “categorically denies that any of its members engages in surveillance or communications operations against defenders of human rights, journalists, anti-corruption activists or any other person without prior judicial authorization.”

The Mexican government’s deployment of spyware has come under suspicion before, including hacking attempts on political opponents and activists fighting corporate interests in Mexico.

Still, there is no ironclad proof that the Mexican government is responsible. The Pegasus software does not leave behind the hacker’s individual fingerprints. Even the software maker, the NSO Group, says it cannot determine who, exactly, is behind specific hacking attempts.

But cyberexperts can verify when the software has been used on a target’s phone, leaving them with few doubts that the Mexican government, or some rogue actor within it, was involved.

“This is pretty much as good as it gets,” said Bill Marczak, another senior researcher at Citizen Lab, who confirmed the presence of NSO code on several phones belonging to Mexican journalists and activists.

Moreover, it is extremely unlikely that cybercriminals somehow got their hands on the software, the NSO Group says, because the technology can be used only by the government agency where it is installed.

The company is part of a growing number of digital spying businesses that operate in a loosely regulated space. The market has picked up in recent years, particularly as companies like Apple and Facebook start encrypting their customers’ communications, making it harder for government agencies to conduct surveillance.

Increasingly, governments have found that the only way to monitor mobile phones is by using private businesses like the NSO Group that exploit little-known vulnerabilities in smartphone software.

Before selling to governments, the NSO Group says, it vets their human rights records. But once the company licenses the software and installs its hardware inside intelligence and law enforcement agencies, the company says, it has no way of knowing how its spy tools are used--or whom they are used against.

The company simply bills governments based on the total number of surveillance targets. To spy on 10 iPhone users, for example, the company charges $650,000 on top of a flat $500,000 installation fee, according to NSO marketing proposals reviewed by The New York Times.

Even when the NSO Group learns that its software has been abused, there is only so much it can do, the company says, arguing that it cannot simply march into intelligence agencies, remove its hardware and take back its spyware.

“When you’re selling AK-47s, you can’t control how they’ll be used once they leave the loading docks,” said Kevin Mahaffey, chief technology officer at Lookout, a mobile security company.

Rather, the NSO Group relies on its customers to cooperate in a review, then turns over the findings to the appropriate governmental authority--in effect, leaving governments to police themselves.

Typically, the company’s only recourse is to slowly cut off a government’s access to the spy tools over the course of months, or even years, by ceasing to provide new software patches, features and updates. But in the case of Mexico, the NSO Group has not condemned or even acknowledged any abuse, despite repeated evidence that its spy tools have been deployed against ordinary citizens and their families.

Journalists, human rights defenders and anti-corruption campaigners have long faced enormous risks in Mexico. For decades, they have been followed, harassed, threatened and even killed for their work, occupational hazards more common in authoritarian states than in countries in good standing with the Organization for Economic Cooperation and Development, as Mexico is.

But when President Enrique Peña Nieto came into office in 2012, promising to lift Mexico to its rightful place on the world stage, there was an inkling of hope that the nation’s democracy was coming into its own.

His party passed a list of badly needed changes, taking aim at the failing education system and moving to enhance the transparency of Mexico’s bureaucracy. Competition in some core industries, like telecommunications, has increased.

But by 2014, much of the early promise of the Peña Nieto administration was dashed by the crises subsuming it, including the mysterious disappearance of 43 teaching students after a clash with the police, and accusations that the president and his wife got a special deal on a multimillion-dollar home from a government contractor.

The scandals have left an enduring mark on the president’s reputation. After a stunning rise built on a perfectly crafted image--a young, energetic president working across party lines, the embodiment of a new Mexico--Mr. Peña Nieto was suddenly recast as an out-of-touch, corrupt politician with abysmal approval ratings.

In no small part, that fall was thanks to the Mexican journalists who broke news of the scandals, as well as the lawyers and activists who refused to let the country forget about them.

“You have to remember this was a government that went from setting the agenda to being entirely reactive,” said Carlos Loret de Mola, a news anchor for Televisa who has some of the best sources inside the Mexican government.

Mr. Loret de Mola, who received at least eight messages laced with NSO software, added, “They looked at journalists and thought, ‘They are bringing these things out and embarrassing us, so it’s better if we spy on them.’”

Mexico is still a far cry from Turkey, which jails more journalists than any other nation in the world. It is hardly China, an authoritarian state where critics are silenced and a Western-style free press has been cast as a political peril by the government. But Mexico is in crisis on these fronts all the same.

More journalists were killed in Mexico last year than during any other year this century, and 2017 is off to an even worse start. Government critics are routinely harassed and threatened, and now they are being targeted with incredibly sophisticated software.

“The fact that the government is using high-tech surveillance against human rights defenders and journalists exposing corruption, instead of those responsible for those abuses, says a lot about who the government works for,” said Luis Fernando García, the executive director of R3D, a digital rights group in Mexico that has helped identify multiple abuses of Pegasus in Mexico. “It’s definitely not for the people.”

Perhaps no journalist in Mexico has done as much to damage the reputation of the president than Carmen Aristegui. And few have paid as dearly for it.

In 2014, she and her team broke the scandal of the so-called Casa Blanca, or White House, a story of real estate intrigue that involved a special deal handed to Mexico’s first lady, Angélica Rivera, by a major government contractor close to the president.

The story reached a worldwide audience and forced the president’s wife to surrender the house, presenting the Mexican government with the sort of ethical quandary that in a different country might result in a congressional inquiry or the appointment of an independent prosecutor.

Instead, the president was cleared of wrongdoing by a prosecutor who had worked closely with his campaign team, while Ms. Aristegui lost her job. That moment marked the beginning of a sustained campaign of harassment and defamation against her: lawsuits, break-ins at her offices, threats to her safety and the monitoring of her movements.

“It’s been about getting revenge for the piece,” she said. “There’s really no other way to see it.”

So when she began receiving text messages in 2015 from unknown numbers, instructing her to click on a link, she was suspicious. One message asked for her help in locating a missing child. Another alerted her to sudden charge on her credit card. And she received a text message purportedly from the American Embassy about a problem with her visa. Impersonating an American government official is a possible violation of United States law.

When the messages failed to entice her to click on the links and inadvertently download the software, they grew increasingly strident, including one warning that she could be imprisoned. Several came from the same phone number, leaving a record of the spyware operator’s sloppiness.

Still, the spyware operators pressed on. Starting as early as March, they began targeting Ms. Aristegui’s then-16-year-old son, Emilio, who was living in the United States at the time. Some of the texts were similar to the ones she had received. Others were made-up headlines about Ms. Aristegui, sent from what appeared to be a news agency.

“The only reason they could be going after my son is in the hopes of finding something against me, to damage me,” she said.

Ms. Aristegui is the embodiment of the hope--and the crushing limitations--for a free media in Mexico. Though she was fired over what her employer called internal disagreements, she continued publishing on her own, eventually drawing enough of an audience to sustain a team of reporters.

But the work has taken its toll. In one lawsuit, filed by the president of her former employer, a judge cited Ms. Aristegui last November for her “excessive use of freedom of speech.”

Her website, Aristegui Noticias, has been hacked numerous times, including on the eve of publishing a major investigation into the massacre of more than a dozen civilians by the federal police.

And her offices were broken into last November. So brazen were the assailants that they didn’t bother wearing masks. Nor did they steal much--one computer, a watch and a bag hanging from the back of a chair. Their faces and fingerprints were captured on cameras in the office. Still, no one has been caught.

The threats, harassment, even the spying, all of it she channels into work.

“For me, I have opted to believe that my public work is what will best protect me,” she said. “The great challenge for journalists and citizens is that the fear serve us, and not conquer us.”

It was Dec. 21, 2015, and Mr. Pardinas was at the beach with his family, trying to enjoy the start of his Christmas vacation. But his phone kept buzzing, at first with calls from lawyers, and then with an odd text message.

It had been a long few months in an even longer campaign: to pass an unprecedented law forcing Mexico’s public servants to disclose their financial conflicts of interest.

In November, he had presented a study on the costs of corruption in Mexico, confirming with facts and figures something that nearly all Mexicans knew in their hearts--that corruption was crippling the country.

He followed it up with media interviews, poking fun at the Mexican government’s embarrassing response to corruption. He joked that it probably spent more money on coffee and cookies than on the office in charge of prosecuting graft.

The study, the interviews, a seemingly endless gantlet of meetings with politicians--it all laid the groundwork for the new law, which Mr. Pardinas, a private citizen directing a public policy group, was helping to write.

So even as Christmas approached and his family relaxed in the coastal town of Puerto Vallarta, Mr. Pardinas was busily consulting lawyers on the final draft, which he had just over a month to submit.

And then a message: “My father died at dawn, we are devastated, I’m sending you the details of the wake, I hope you can come.” Attached was a link.

Mr. Pardinas thought it odd that whoever had sent such a personal text was not even among the contacts in his phone. He showed his wife the message, and decided to ignore it.

Things only picked up from there, both on his proposed law and the odd messages. The government roundly ignored his bill, until he and others gathered more than 630,000 signatures supporting it.

Mr. Pardinas’s tone grew bolder. He told one radio host that “for the government of Mexico, anti-corruption measures are like garlic to a vampire.”

Then came another text message. This one appeared to be from the news outlet Uno TV, which sends daily news headlines to cellphone users across the country. The headline struck him: “The History of Corruption Within the Mexican Institute for Competitiveness.” It was particularly alarming because that was his organization.

He declined once more to click on the link, suspecting foul play. More text messages came, including the next day. Only this time, having failed with Mr. Pardinas, they tried his wife.

The message, sent from the same news headline service, said that leaked videos showed Mr. Pardinas having sexual relations with a member of his staff. It was also sent to a colleague.

Mr. Pardinas called his wife, telling her that she appeared to be part of a broader harassment effort. “Oh, it’s these people again,” she responded.

The campaign to pass the law continued, and the bill made it through Congress relatively unscathed. But the Senate decided to add an extra provision: Everyone who worked for a company that received government money would also have to disclose their interests and assets. That meant the bill would cover more than 30 million people.

The president vetoed the bill, saying it needed more discussion, essentially kicking the can down the road.

Mr. Pardinas continued his broadsides in interviews, naming obstructive lawmakers and well-connected companies that benefited from government money. Few activists go so far as to name names in interviews, but Mr. Pardinas, who holds a Ph.D. from the London School of Economics, plowed ahead anyway.

The initiative seemed doomed. Yet another message arrived, on Aug. 1, this one laced with menace: “Listen, outside of your house is a truck with two armed guys, I took their photo look at them and be careful.”

Mr. Pardinas, who was at work when this message came, once again declined to take the bait. But he did call his wife, again, asking her to look out their window to see if there was a truck parked outside. There was not.

“By the end, my wife had Olympic-style training in this hacking stuff,” Mr. Pardinas said.

Mario E. Patrón was on edge. The conference table was packed with fellow human rights defenders, including the United Nations commissioner for human rights in Mexico. Everyone was there to discuss the bombshell expected to drop.

An international panel brought to Mexico to investigate the haunting disappearance of 43 teaching students was releasing its final report the next day, at the end of April 2016. The findings, Mr. Patrón knew, were going to be brutal.

The government would be accused of negligence, incompetence, even malfeasance in its handling of the case. Like others in the room, Mr. Patrón, whose organization represents the parents of the missing students, was wondering how the government would respond.

His phone buzzed and he glanced at the screen. “THE GOVERNMENT OF MEXICO GETS OUT IN FRONT OF THE GIEI,” the text message read, using the acronym for the international panel. It seemed like the news he had been waiting for.

He showed the message to his colleague, then clicked on the link. But instead of an article or a news release, it simply redirected him to a blank page. Confused, he left the meeting and raced to his office to begin making calls to see what the government had in store.

And like that, he fell into their trap.

Mr. Patrón is the executive director of the Miguel Augustín Pro Juárez Human Rights Center, perhaps the most highly respected human rights group in Mexico. The group focuses on the nation’s most serious cases of human rights abuses, making it a nettlesome critic of the government.

In addition to Mr. Patrón, two other lawyers for the group were targeted with the software: Santiago Aguirre, the primary lawyer representing the families of the missing students, and Stephanie E. Brewer, a Harvard-educated American lawyer who has worked for the group since 2007.

“We have always suspected they spied on us and listened to us,” Mr. Patrón said. “But to have evidence that we are victims of actual surveillance--it confirms that we are under threat. And that the government is willing to use illegal measures to try and stop us.”

Beyond the missing students, Centro Prodh, as the group is called, is representing one of the few survivors of a military raid in 2014 in the town of Tlatlaya, where the army stormed a suspected cartel hide-out and killed 22 people.

While pursuing the case, the group unearthed a memorandum ordering the soldiers to kill suspected cartel members, strengthening the argument that the events did not unfold as a firefight, as the military claimed, but were instead extrajudicial executions carried out by the soldiers.

The organization’s clients also include the women of Atenco, a group of 11 university students, activists and market vendors who were arrested by the police more than 10 years ago during protests in the town of San Salvador Atenco and brutally sexually assaulted on the way to prison.

Aside from the grave abuse of power, the case was especially sensitive: The governor who ordered the crackdown on the protesters was Enrique Peña Nieto, now the president of Mexico.

From the very beginning, the case was an uphill battle. Arrested on trumped-up charges, some of the women spent more time in prison than the officers who raped them.

Finding no recourse in Mexico, Ms. Brewer and others appealed to the Inter-American Commission on Human Rights, a regional body outside the Mexican judicial system, to review the case. And they waited--for nearly seven years.

Finally, in 2015, the commission found in favor of the women, ordering the government to investigate the case all the way up the chain of command, a directive that would include Mr. Peña Nieto. Ultimately, the case was sent to the Inter-American Court, an independent judiciary with jurisdiction over Mexico, a major blow to the nation’s presidency.

One evening Ms. Brewer was at home, getting ready for bed when a text message arrived. The date practically coincided with the 10-year anniversary of the assaults on the women, an eerie bookend to their decade-long struggle for justice.

On her phone was a provocative question, a taunt even, asking whether anyone defended the soldiers and members of Mexico’s navy who also suffered abuse.

“And you guys that do human rights against this, what about the dignity of them …” The message contained a link, presumably to a news story or a tip.

Intrigued, Ms. Brewer clicked on it. She was directed to a broken link, a telltale sign of the malware.

“It’s just part of defending human rights in Mexico,” she said. “It comes with the territory.”

#Mexico #spyware in Mexico #Mexican activists #NSO Group #Pegasus spyware

0 notes