Now governments have sovereign immunity in most matters under international law. Mercenaries, not so much (IANAL, talk to yours).
But certainly suppliers of weapons to a government wouldn't be held liable if they are used against another nation, right? 2/
That's what NSO is arguing - they are just a provider of weapons. The problem is that NSO went far beyond "just providing the exploit." It appears that in most (if not all) cases they delivered the exploit and managed collection from targets as well. 3/
If you're going to call an exploit a "cyber weapon" (and I think the courts are pretty clearly going to), then operating the weapon makes NSO less of an arms supplier than a mercenary.
Fun fact: mercenaries are not entitled to POW protections and many other legal protections. 4/
I'll table the discussion of whether you should be able to sell exploits to governments (or whoever) for another day. While the amicus signers would clearly seek to limit that, their argument is unquestionably biased. The self-interest is obvious. 5/
Now the original case involves the use of the WhatsApp servers. In order to deliver the exploit (which NSO did on behalf of its customers), they had to agree to WhatsApp's terms of service. But then they violated the ToS by delivering exploits over the service. 6/
This creates another interesting question of contract law. While Facebook likely would not be able to sue the Government of Mexico for violating WhatsApp ToS (sovereign immunity and all), NSO seems a valid legal target for this violation of contract law. 7/
There are a LOT of moving pieces to this case. While I understand the reasons that Google, Microsoft, etc. filed the amicus, it is overly broad and focuses FAR beyond the facts of the case. I suspect the courts will see this as the overreach that it is. 8/ blogs.microsoft.com/wp-content/upl…
The amicus brief seems intent on establishing liability for those who create and sell exploits. But the facts in the case absolutely revolve around the fact that NSO *operated* the exploit it created, not merely that it was created. 9/ media.business-humanrights.org/media/document…
Make no mistake about it: this case was brought by Facebook specifically because the exploit required the use of the WhatsApp service *and* NSO operated as a mercenary. Whatever the outcome, we should not broadly assume the results will apply to other exploit brokers. /FIN
Twas the night before Christmas and all over the ‘net,
Not a creature was stirring except a few cyber threats
The firewalls were configured at the egress with care,
But that wouldn’t stop us from being hit by ransomware. 1/
The children were nestled all snug in their beds,
While attackers hit the web server and established a beachhead
Mama with her EDR and I with my IDS
Were ready to tackle this hot infosec mess. 2/
Down in the SOC there arose such a clatter,
I logged into my dashboard to see what was the matter.
This thing had better work, it cost so much cash.
How in 2020 can this thing STILL require Flash?! 3/
There’s an additional aspect to this particular government shutdown: these disruptions are favorable operating conditions for cyber adversaries. I hear we’re in the middle of investigating a fairly large breach...
A shutdown now will ABSOLUTELY harm our ability to remediate. 1/
Yes, I know “essential personnel” will still report to work. But as a former fed myself (who was always considered essential), I can tell you that things obviously don’t function as normal, even for your “mission essential” activities. 2/
And some of the damage is already done. Managers are already preparing for shutdowns, distracting them from focusing on where they need to be placing effort on breach investigation and response. The damage will be so much worse if the shutdown starts though. 3/
Got this in my mail today and it’s some next level BS. Shame on these people for trying to threaten people into voting.
That’s right “Club for Growth” - I’m getting your message out there, but perhaps not in the way you hoped...
I'm not saying that you should sign up for Club For Growth's email updates, but if you had the desire to do so using, oh I don't know, any email address, here's the link to do so: clubforgrowth.org/user-registrat…
On today’s #dogWalkingThread, let’s talk about the recently disclosed abuse of SAML by attackers to “bypass” MFA.
For those not familiar with the concept, SAML allows the separation of identity providers (IDP) and service providers (SP). Why the separation? 1/
Suppose you want to access a service, and the service needs to authenticate you, but you really don’t want the service ever having your credentials (EVER). As long as the SP trusts the IDP, this is no problem. You authenticate with the IDP and the IDP tells the SP “trust them” 2/
Let’s consider passports as an analogue. I’ve traveled to many countries I wouldn’t want to have all my identity data, but the State Department serves as my identity provider. Because the country I’m entering trusts the US State Department, the passport is enough. 3/
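The IdP/SP split described in the thread above, as an added Go example (this is not the thread author's code and not a real SAML implementation): a toy identity provider that checks a password and signs an assertion, and a service provider that holds only the IdP's public key and never sees a credential. Real SAML carries the assertion as XML with an XML-DSig signature over it; this uses JSON and a standard-library Ed25519 signature so it runs stand-alone. The issuer and SP names, the user "alice", her password and the five-minute lifetime are all made up for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is a stripped-down stand-in for a SAML assertion. Real SAML
// expresses the same fields in XML; the trust logic is the same.
type Assertion struct {
	Issuer   string `json:"issuer"`    // which IdP vouches for the subject
	Subject  string `json:"subject"`   // who the IdP says this is
	Audience string `json:"audience"`  // which SP the assertion is meant for
	NotAfter int64  `json:"not_after"` // unix time after which it is stale
}

// SignedAssertion is what travels from the IdP (via the browser) to the SP.
type SignedAssertion struct {
	Payload   []byte // serialized Assertion
	Signature []byte // Ed25519 signature over Payload
}

// IdentityProvider holds the user database and the signing key. It is the
// only party in the exchange that ever sees a password.
type IdentityProvider struct {
	Name  string
	priv  ed25519.PrivateKey
	users map[string]string // username -> password; plaintext only because this is a demo
}

func NewIdentityProvider(name string, users map[string]string) (*IdentityProvider, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IdentityProvider{Name: name, priv: priv, users: users}, nil
}

// PublicKey is the only thing the IdP has to share with an SP.
func (idp *IdentityProvider) PublicKey() ed25519.PublicKey {
	return idp.priv.Public().(ed25519.PublicKey)
}

// Authenticate verifies the credential locally and, on success, issues a signed
// assertion addressed to one SP. The password never leaves this function.
func (idp *IdentityProvider) Authenticate(user, password, audience string, now time.Time) (*SignedAssertion, error) {
	if stored, ok := idp.users[user]; !ok || stored != password {
		return nil, errors.New("idp: bad credentials")
	}
	payload, err := json.Marshal(Assertion{
		Issuer:   idp.Name,
		Subject:  user,
		Audience: audience,
		NotAfter: now.Add(5 * time.Minute).Unix(),
	})
	if err != nil {
		return nil, err
	}
	return &SignedAssertion{Payload: payload, Signature: ed25519.Sign(idp.priv, payload)}, nil
}

// ServiceProvider stores no passwords at all: just the name and public key of
// the one IdP it trusts.
type ServiceProvider struct {
	Name          string
	TrustedIssuer string
	TrustedKey    ed25519.PublicKey
}

// Accept returns the authenticated subject if the assertion was signed by the
// trusted IdP's key, names that IdP as issuer, is addressed to this SP and has
// not expired. Nothing in the payload is trusted until the signature passes.
func (sp *ServiceProvider) Accept(sa *SignedAssertion, now time.Time) (string, error) {
	if !ed25519.Verify(sp.TrustedKey, sa.Payload, sa.Signature) {
		return "", errors.New("sp: signature does not verify against trusted IdP key")
	}
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return "", err
	}
	switch {
	case a.Issuer != sp.TrustedIssuer:
		return "", fmt.Errorf("sp: untrusted issuer %q", a.Issuer)
	case a.Audience != sp.Name:
		return "", fmt.Errorf("sp: assertion addressed to %q, not %q", a.Audience, sp.Name)
	case now.Unix() > a.NotAfter:
		return "", errors.New("sp: assertion expired")
	}
	return a.Subject, nil
}

func main() {
	idp, err := NewIdentityProvider("https://idp.example", map[string]string{"alice": "correct horse"})
	if err != nil {
		panic(err)
	}
	sp := &ServiceProvider{Name: "https://app.example", TrustedIssuer: idp.Name, TrustedKey: idp.PublicKey()}
	now := time.Now()
	sa, _ := idp.Authenticate("alice", "correct horse", sp.Name, now)
	fmt.Println(sp.Accept(sa, now)) // alice <nil>

	// Rewrite the subject in transit: the IdP's signature no longer covers the bytes.
	forged := &SignedAssertion{Payload: bytes.Replace(sa.Payload, []byte(`"alice"`), []byte(`"admin"`), 1), Signature: sa.Signature}
	fmt.Println(sp.Accept(forged, now)) // "" plus a signature error
}
```

Note what the SP checks: a signature, an issuer name, an audience and an expiry. No password and no second factor ever reaches it; those steps happen inside the IdP, so the SP's trust rests entirely on the IdP's signing key, which is why that key is the thing to protect in this model. The audience check matters too: an assertion minted for one SP must not be replayable at another.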
I’ve had multiple people (mostly executive leadership) ask me whether they should be concerned about destructive cyberattacks in the #SolarWinds incident. Two have cited elevated concerns because of attribution to Russia and the history of NotPetya. 1/
Obviously predictions in cyber age REALLY poorly, so evaluate this as lower quality as time marches on.
That said, I define a threat as the intersection of intent, opportunity, and capability. Let’s discuss each of these in the context of what we know about this threat actor. 2/
Capability: there’s no question that this very capable threat actor has the capability to perform destructive cyberattacks. Ignoring the fact that almost everyone does, Russia has demonstrated the ability with NotPetya and even against critical infrastructure with LightsOut. 3/
For laypeople demanding evidence that Russia is responsible for the #SolarWinds breach (and subsequent operations), be patient, it will come.
As an analogue, prosecutors typically don’t discuss specifics of ongoing investigations. This is because the target may interfere. 1/
This analogy unfortunately breaks down precipitously. First, this is less like a robbery than a set of ongoing hostage situations. The problem is that we don’t know how many hostage situations we have yet. Every piece of evidence we discuss publicly can hurt us. 2/
With the release of every indicator of compromise, we always must balance the value of helping victims with the risk that the attacker will change their tradecraft to prevent future detection.
This adversary has shown that they practice counterintelligence and WILL change. 3/