By Daniel Levi
About two weeks ago, former NSA whistleblower Edward Snowden revealed a new terrifying leak that he said is going to be “the story of the year.” Snowden sounded the alarm bell about the military-grade Pegasus spyware developed by an Israeli cybersecurity startup NSO Group.
As we first warned in 2018, The NSO Group spyware is used by government agencies and private companies to help the governments spy on citizens’ cellphones. The NSO Group’s Pegasus spyware is licensed to governments around the globe and can infect phones without a click.
“NSO Group develops mobile device surveillance software. It offers a variety of cyber solutions for government usage, and Pegasus- a software used to record conversations and gain access to photos, text messages, and websites viewed from a smartphone. NSO Group operates as a shadowy company and tries to keep such a low profile that it even changes its name on a regular basis. Its domain name, NSOGroup.com, currently does not resolve to a live website.”
Hidden Microphones in Your Phones
In less than two weeks, Snowden is now warning not just about the Pegasus spyware tools, but about the national security threat posed by the tech companies that claimed to be protecting us. In a blog post on SubStack, Snowden started out talking about the smartphones we use and how they have become the most “the most dangerous item” we possess. Snowden explained how he first removed the hidden microphones in his phone before he starts to use it.
“The first thing I do when I get a new phone is take it apart. I don’t do this to satisfy a tinkerer’s urge, or out of political principle, but simply because it is unsafe to operate. Fixing the hardware, which is to say surgically removing the two or three tiny microphones hidden inside, is only the first step of an arduous process, and yet even after days of these DIY security improvements, my smartphone will remain the most dangerous item I possess.”
Actual hidden microphones inside Snowden’s phone, prepped for surgery
Snowden then went on to explain that before the news of NSO Group made the headlines, “most smartphone manufacturers along with much of the world press collectively rolled their eyes at him whenever he publicly identified a fresh-out-of-the-box iPhone as a potentially lethal threat.”
Snowden added that the so-called smart phones exist in a state of perpetual insecurity, open to infection by anyone willing to put money in the hand of this new Insecurity Industry.
“The entirety of this Industry’s business involves cooking up new kinds of infections that will bypass the very latest digital vaccines—AKA security updates—and then selling them to countries that occupy the red-hot intersection of a Venn Diagram between “desperately craves the tools of oppression” and “sorely lacks the sophistication to produce them domestically. An Industry like this, whose sole purpose is the production of vulnerability, should be dismantled,” Snowden said.
The Greatest Crisis of Computer Security in Human History
Snowden didn’t stop there. Remember the OpenSSL Heartbleed security bug of 2015? OpenSSL is an open-source software developed by a group of volunteer software engineers. These group of well-intentioned developers later left the projects a few months before the bug became known to the public. It took a few weeks before the bug was fixed. This is of the other security issues that Snowden is warning about.
In the second part of his piece, Snowden examined the people creating the embedded software behind every device of any significance, including the people who help to make Apple, Google, Microsoft, the chipmakers who want to sell things, not fix things, and the well-intentioned Linux developers who want to fix things.
Snowden later opined that the vast majority of vulnerabilities that are later discovered and exploited by the Insecurity Industry “are introduced, for technical reasons related to how a computer keeps track of what it’s supposed to be doing, at the exact time the code is written, which makes choosing a safer language a crucial protection… and yet it’s one that few ever undertake.”
“If you want to see change, you need to incentivize change. For example, if you want to see Microsoft have a heart attack, talk about the idea of defining legal liability for bad code in a commercial product. If you want to give Facebook nightmares, talk about the idea of making it legally liable for any and all leaks of our personal records that a jury can be persuaded were unnecessarily collected. Imagine how quickly Mark Zuckerberg would start smashing the delete key.”
Snowden then argued that lack of software/hardware liability and accountability is what gave birth to the State-sponsored hacking we are facing today. Snowden said if hacking is not illegal when we do it, then it will not be illegal when they do it—and “they” is increasingly becoming the private sector.
In conclusion, Snowden warned that “If we don’t do anything to stop the sale of this technology, it’s not just going to be 50,000 targets: It’s going to be 50 million targets, and it’s going to happen much more quickly than any of us expect.”
