Why is this interesting? - The Hacking Edition

Colin here. Press freedom is a huge issue, and as we pointed out with The Last Column project earlier this year, violence against journalists is an extreme form of censorship. While that message is starting to break through, particularly after the death of Jamal Khashoggi, one story that hasn’t gotten sufficient play is the hacking and digital intimidation that is regularly taking place towards people who are reporting sensitive stories.

A particularly important recent example comes from software made by the Israeli company NSO Group, a firm that contracts itself to governments ostensibly to combat terror threats. Its corporate purpose touts global security and stability, but their tools are being retro-fitted for repression and harassment. NSO developed technology called Pegasus to co-opt WhatsApp, a popular and otherwise secure messaging platform. WhatsApp traffic is encrypted, meaning that even if it is intercepted in transit it is of little use—which is why nefarious actors, state intelligence agencies, and others are working to get inside phones to read the messages after they are deciphered.

The FT writes:

Since 2012, NSO has devised various ways to deliver Pegasus to targeted phones — sometimes as a malicious link in a text message, or a redirected website that infected the device. But by May this year, the FT reported, NSO had developed a new method by weaponising a vulnerability in WhatsApp, used by 1.5bn people globally, to deliver Pegasus completely surreptitiously. The user did not even have to answer the phone but once delivered, the software instantly used flaws in the device’s operating system to turn it into a secret eavesdropping tool.
WhatsApp quickly closed the vulnerability and launched a six-month investigation into the abuse of its platforms.

So, rather than needing to click a malicious link or open an attachment, all that was required to infect a phone was to simply receive a phone call. The software could be ported over the air to any target, anywhere. A subsequent investigation by Whatsapp found 1,400 people targeted across 20 countries and included a wide spectrum of journalists as well as activists, religious leaders, dissidents, human rights activists, and others.

Why is this interesting?

NSO group purports to only sell and license this software to governments that fit its ethical guidelines, but the Committee to Protect Journalists has asked to see these and they haven’t been disclosed. And it begs the question: What will happen when a journalist is painted with the enemy of the state or “terror” brush?

This is only the tip of the iceberg. If NSO Group’s software can do this, just imagine the stuff we aren’t hearing about. In fact, it has been documented that a lot of recent US foreign policy has shockingly been carried out via WhatsApp. Jared Kushner is known to have a message-based relationship with MBS, and Rudy Giuliani has been known to conduct diplomacy over open cell lines and—you guessed it—WhatsApp.

If people in senior (or pseudo senior) government roles can be targeted and/or compromised, you can bet the writers, reporters, and columnists investigating issues are also fair game too.

Which gets at a critical point: It is not just physical threats of harm that can intimidate or prevent a reporter from doing their job. The silent intimidation that comes from hacking personal devices can be equally, if not more, disruptive. The fear of exposing sources or the very personal information that we all constantly carry in our pockets can act as a powerful tool to silence consenting voices. Fortunately, journalists have been taking more protections by using apps like the private messenger Signal, switching phones on a regular basis, and ensuring they don’t lose track of their devices at checkpoints and borders. CPJ has launched a digital safety kit for this reason.

As technology grows more sophisticated, the cat and mouse game will continue, and might even revert to more analog ways of communicating or keeping track of information. Turns out the idea of tradecraft out of a John Le Carre novel will be sadly important to reporters going forward. (CJN)

Photo of the Day:

Taken 180 years ago this month, this is the first known American portrait photograph. From the Library of Congress description: “Daguerre announced his invention of a photographic method to the French Academy of Sciences in August 1839. That October, a young Philadelphian, Robert Cornelius, working out of doors to take advantage of the light, made this head-and-shoulders self-portrait using a box fitted with a lens from an opera glass. In the portrait, Cornelius stands slightly off-center with hair askew, in the yard behind his family's lamp and chandelier store, peering uncertainly into the camera. Early daguerreotypy required a long exposure time, ranging from three to fifteen minutes, making the process nearly impractical for portraiture.” (NRB)

Quick Links:

Very excited that WITI contributor Rex Sorgatz has brought back his list of best of lists to celebrate the decade’s end. (NRB)
Good Twitter thread on building tech for user needs, Sun Microsystems, and Google Stadia (NRB)
This WSJ article about colleges buying names of SAT underperforms to target them with advertising in an effort to boost their rejection numbers is infuriating. “The top 10% of universities don’t need to do this. They are buying some students’ names who don’t have a great chance of getting in … Then the kids say, ‘well why did you recruit me if you weren’t going to let me in?’ They do it to increase the number of applications; you’ve got to keep getting your denominator up for your admit rate.” (NRB)

Thanks for reading,

Noah (NRB) & Colin (CJN)

Why is this interesting? is a daily email from Noah Brier & Colin Nagy (and friends!) about interesting things. If you’ve enjoyed this edition, please consider forwarding it to a friend. If you’re reading it for the first time, consider subscribing (it’s free!).