Tag Archive for: Even

I-TEAM: You may have a deadly device charger and not even know it – WRDW-TV

“Don’t Plug Your Phone into a Charger You Don’t Own”

Facebook Sues Israeli Malware Marketer With A Lawsuit That Aims To Make An Easily-Abused Law Even More Abusable

Facebook is suing Israeli exploit developer NSO Group for utilizing WhatsApp to target 1,400 users with malware that allowed NSO’s clients to circumvent the chat app’s end-to-end encryption.

That NSO is being accused of helping bad people surveil good people is not news. NSO is not very selective when it comes to selling malware, putting its powerful tech in the hands of governments that seem just as likely to target NSO’s home country as they are to target local dissidents, journalists, and activists. NSO’s software and cavalier approach to sales have been exposed by multiple Citizen Lab investigations, which have outed NSO’s sales to blacklisted countries.

Facebook’s lawsuit [PDF] basically echoes the findings of Citizen Lab.

In a lawsuit filed in federal court in San Francisco, messaging service WhatsApp, which is owned by Facebook Inc (FB.O), accused NSO of facilitating government hacking sprees in 20 countries. Mexico, the United Arab Emirates and Bahrain were the only countries identified.

WhatsApp said in a statement that 100 civil society members had been targeted, and called it “an unmistakable pattern of abuse.”

Abusive it is, especially when you’re trying to tout the benefits of end-to-end encryption, only to have a malware developer show you how easy it is to route around these protections. NSO’s malware was spread using WhatsApp’s video chat feature, which apparently allowed government agencies to eavesdrop on communications and possibly access device contents.

This isn’t the only lawsuit NSO is facing.

NSO came under particularly harsh scrutiny over the allegation that its spyware played a role in the death of Washington Post journalist Jamal Khashoggi, who was murdered at the Saudi Consulate in Istanbul a little over a year ago.

Khashoggi’s friend Omar Abdulaziz is one of seven activists and journalists who have taken the spyware firm to court in Israel and Cyprus over allegations that their phones were compromised using NSO technology. Amnesty has also filed a lawsuit, demanding that the Israeli Ministry of Defense revoke NSO’s export license to “stop it profiting from state-sponsored repression.”

This matters enough to NSO for it to engage in a very limited charm offensive. It has promised to abide by UN guidelines on human rights abuses, which means it’s going to have to trim a few countries off its client list. It also claims to have saved the lives of “tens of thousands” of people. It’s a great claim to make, especially when no one really expects you to back it up with evidence or data.

But the lawsuit Facebook is pursuing is questionable, if not a bit dangerous. Facebook likely doesn’t have a way to block NSO clients from accessing WhatsApp. It has permanently deleted the accounts of every employee of NSO Group it could find for “violating” Facebook’s terms of use. But it’s helpless to root out accounts used by NSO’s customers, since these aren’t going to be nearly as obvious as those belonging to people who list NSO as their employer.

That explains the lawsuit and Facebook’s desire to obtain a permanent injunction against NSO Group, blocking it from utilizing WhatsApp to spread malware. But the lawsuit is on pretty shaky legal ground. Worse, if Facebook somehow prevails, the much-abused CFAA will be rewritten in a way that’s going to harm plenty of people who’ve never sold malware to known human rights abusers.

Here’s Wired’s Andy Greenberg (and defense attorney Tor Ekeland) explaining just one of the problematic aspects of Facebook’s lawsuit.

To make that charge stick, WhatsApp will have to show that NSO obtained illegal access to WhatsApp’s own systems. Given that NSO’s targets were WhatsApp users rather than, say, WhatsApp’s servers, they’ll have to find an argument that they, as the plaintiff, were the victim. “The fundamental question is, what’s the unauthorized access?” says Ekeland. “You might be able to argue that NSO hacked WhatsApp and not just their users. Maybe they’re trying to make that argument. But they’re not being clear about it, and that lack of clarity is an attack vector for the defendant.”

Facebook’s on a clear path if it chooses to stick with the argument NSO violated its terms of service. Those terms specifically forbid reverse-engineering code or sending malware via the app. But even if it’s limited to that, the obvious solution is for Facebook to ban NSO from using its services. That may be close to impossible to do since Facebook doesn’t have access to its client list or their user accounts. Arguing past that point may cause problems, though.

While it may work out for Facebook to have the CFAA cover “uses of our stuff that we don’t like,” it’s going to harm a lot of other people. Security researchers, regular researchers, and anyone else who might use Facebook’s platform or apps in a way Facebook doesn’t like could be prosecuted or sued under this definition. While it’s plainly advantageous for Facebook to force all users to use its products only in a way it approves, the downside is a garden with higher walls that put users completely at the mercy of Facebook. Since terms of use can be rewritten on the fly and applied immediately, Facebook could go after “violators” who aren’t even aware they’ve actually violated anything.

Adding to Facebook’s hurdles is a recent Ninth Circuit Court of Appeals ruling (this lawsuit is filed in the Ninth Circuit) that says scraping a site for data — even when forbidden by the terms of use — isn’t necessarily a violation of the CFAA. Making this tougher for Facebook is there’s no evidence it ever gave NSO prior notice its abuse of WhatsApp was forbidden. The lack of notice makes it a bit more difficult for Facebook to claim NSO knowingly violated the terms by using WhatsApp to distribute malware. It will be tough to prove NSO clients had unauthorized access, especially since Facebook didn’t get around to permabanning anyone until after it filed its lawsuit.

I’m no fan of NSO and its client list, but I’m no fan of Facebook’s lawsuit, either. An opinion finding using internet services in a way their developers don’t like is not the precedent we need — not if we’re going to keep pushing for a safer internet for everyone. It will allow dominant players to establish rules that benefit the platforms and stave off competition from third-party offerings that attempt to address shortcomings major platforms refuse to correct. It will also prevent researchers from making online services safer or better, which will be a net loss for all platform users, even if it prevents a handful of authoritarians from exploiting a single service to target the people they think need more surveilling.

There’s a lot at stake here but Facebook can’t see past its immediate (and somewhat convenient, given its recent rakings over Congressional coal) desire to appear to be the good guy for once.


Techdirt.

How Facebook helps an abusive ex-partner find out your new identity, even after you’ve blocked them

Imagine you’re in an abusive relationship, and things have turned violent.

You leave him, block his Facebook account, and update the name on your profile to hide your identity.

Would you expect your ex-partner to be able to see what your new name is?

Graham Cluley

TV Network Declares IPTV Tool Copyright Infringing, Even Though It’s Just A Tool

To a certain segment of the population, just mentioning IPTV is enough to get them frothing at the mouth and shouting “copyright infringement” at anyone who will listen. This isn’t entirely without cause, of course, as IPTV is a technology that can be used to infringe by streaming copyrighted TV shows and films. There are entire sites out there that list such infringing content, as well. But the fact remains that IPTV is a tool, not content that infringes copyright itself. As such, there are plenty of IPTV-related tools and uses out there that are perfectly legit.

Like Perfect Player, for instance. Perfect Player is an Android app that allows the user to choose what IPTV playlists from 3rd party providers can be played. In other words, it’s essentially a media player for IPTV streams. Upon installation, it does not come with infringing playlists to stream. What is watched on the player is entirely the choice of the end user. Despite all of this, one unnamed major pay-TV company filed a copyright complaint against the app with Google, arguing that because end users can use Perfect Player to infringe on copyright, the app itself was infringing. Google, frustratingly, complied and has delisted the app from the Play Store.

This week, however, the software – which has in excess of a million downloads from Google Play – was removed by Google because of a copyright complaint. It was filed by a major pay-TV provider, the name of which we’ve agreed not to publish while the complaint is ongoing.

It states that the software allows users to watch channels from unauthorized sources and is therefore illegal. However, there appears to be a considerable flaw in the pay-TV company’s arguments.

In common with the developers behind various torrent clients, Perfect Player’s developer doesn’t dictate how the software is used because no control can be exercised over that. Just like Windows Media Player, uTorrent, or even VLC (which has similar capabilities), it can be used for entirely legal purposes – or not, depending on the choice of the user.

In other words, it’s a tool. Now, the entertainment industry has a long and storied history of pretending that tools that have perfectly legitimate uses are the world’s greatest devils and somehow themselves infringe copyright. This goes back to the Betamax, and likely before that. But this particular case is one that ought to have the attention of a great many software providers out there, if not hardware providers as well. As the TorrentFreak post notes, if Perfect Player is infringing, why isn’t Windows Media Player? They have the exact same capabilities. And, taken a step further, if Perfect Player is infringing because users can use it to infringe copyright, then why aren’t Android phones themselves infringing?

Is that line of thought extreme and ridiculous? Of course it is, but it’s built off of the same ridiculous line of thinking as whoever complained about Perfect Player. TorrentFreak is rather charitable in positing that perhaps this TV company came across a version of Perfect Player that had already been loaded with pirate IPTV streams and is simply confused.

Giving the TV company the benefit of the doubt for a moment, it’s not beyond the realms of possibility that it acquired a ready-configured copy of Perfect Player from a third-party that already contained a URL for a ‘pirate’ service. That could give the impression it’s a dedicated pirate app.

That being said, downloading a copy from Google Play would’ve highlighted the important differences between a non-configured player and one set up for piracy. That’s impossible now, of course, because Google has taken Perfect Player down.

The latest at the time of this writing is that Perfect Player will be filing a DMCA counternotice, having retained a lawyer. One hopes that some simple facts about what this app is and how it operates out of the box will be all that Google needs to get it relisted quickly. And maybe, just maybe, one TV industry player will learn a lesson about firing off DMCA notices without actually knowing what it’s talking about.


Techdirt.