[Veserv]

The NSA does have an organization devoted to developing these sorts of attacks that make the NSO group look like a bunch of kindergarteners as evidenced by the Snowden leaks. The CIA also, independently of the NSA, has an organization that develops these sorts of attacks that make the NSO group also look like a bunch of kindergarteners as evidenced by the Vault 7 leaks. Almost without a doubt, the FBI, DHS, US Navy, US Army, and US Air Force all also have their own independent organizations that each make the NSO group looks like a bunch of kindergarteners given that developing a capability that makes NSO look like kindergarteners only costs on the order of ~$100M (i.e. less than a single jet fighter). There is absolutely nothing special about the NSO other than that they got caught and brought under the limelight.

The most likely reasons the FBI paid for access to Pegasus are: 1. It is another tool that frankly does not cost very much if you are the FBI. 2. The part of the FBI that bought it likely does not have authorization or possibly even knowledge of the other tools and contracted with NSO to gain those capabilities at the cost of just some money. This is like how a developer team in large stodgy old mega corporation might not be able to get IT to setup their servers so they just get a budget that they spend on AWS to do an end-run around their own IT organization.

The zero days are likely occasionally being discovered and fixed, but buying a zero-click zero day for Android/iPhone on the black market only costs on the order of $1-2M at retail. If you have your own competent team you can reasonably expect to find a zero-click zero day with only a few person-months of effort which, even at US wages, is only a few 100k per zero day. At those prices, you could keep a dozen or so stockpiled for less than the cost of starting a McDonalds franchise, so they likely did maintain a dozen or so at any one time, so if one was discovered they could just switch over to a different one and write off the old one as a cost of doing business.

They absolutely do have competition. One high profile example is Hacking Team. In terms of overall competition, I do not have any hard information, but given the size of the vulnerability markets there are probably at least a couple dozen to a few hundred organizations similar in scope to the NSO group. We do not hear about them because they mostly sell to governments.

[rotrot]

As someone who has worked Vulnerability Research/Exploit Dev for US based companies I'd consider this a bit misguided and is likely coming from someone not in the Vulnerability Research/Exploit Dev industry. I'm guessing you're getting these numbers from just reading Zerodium:

""" The zero days are likely occasionally being discovered and fixed, but buying a zero-click zero day for Android/iPhone on the black market only costs on the order of $1-2M at retail """

In reality the final packaged product is worth exponentially more.

Also, Israel produces some of the best security research talent on the planet due to their national focus on cybersecurity, and funneling some of the most talented students in the country directly to 8200 starting in high school, and some of them end up going to NSO group after. None of the vulnerabilities/exploits in the Vault 7 leaks come close to the sophistication of the FORCEDENTRY exploit. I'm not saying the US doesn't have better capabilities and the NSA most certainly does because they have suppliers like Azimuth, but a lot of what you've stated is based in fantasy.

[drzaiusapelord]

These are great points.

I dont see why the FBI wouldn't buy Pegasus. Does the above poster think the FBI can just call the NSA and tell it to decrypt a bunch of stuff? The NSA has its own mission and its based on national security interests, not solving the everyday crime the FBI works on. The government isn't just one big club. I'm guessing its likely the NSA isn't going to offer up its best tools to catch someone providing abortion access in Texas or "stealing" academic papers from JSTOR or "pirating" comic book movies. Not only is it a waste of their resources but every time a tool like this is used, the detection of that tool is possible, and with that detection Apple or whomever would figure out what the exploit is doing and patch against it. Now that tool is wasted because some FBI boss wanted a promotion thinking if he impersonated an Associated Press journalist to hack a teenager again like they did in 2007 it would impress some authoritarian higher up.

They can't waste these precious exploits on some culture war, IP enforcement thuggery, leftist organizers, unions, and mid-range drug dealers the FBI regularly beats up, murders (think Filiberto Ojeda Rios), harasses, and spies on. Even the NSA is low-key ACAB. So they just say no and tell the FBI to just let NSO potentially burn their exploits. The NSA and military intelligence has better things to spend it on (think Stuxnet-like scenarios).

tldr; the FBI operates on a level far below these other organizations and are far less important than any of them in the grand scheme of things. They're just well funded cops with all the problems cops bring. They're not getting NSA tools because they don't need them the same way your county sheriff doesn't need MRAPs to drive around in.

[Veserv]

The sophistication of individual exploits is largely uninteresting, a bullet and a cruise missile both go through a piece of cardboard. Even quantity per target is largely uninteresting past the first couple in much the same way that having 23 snipers trained on a person is not so different than 8. It is the breadth of attacks in the Vault 7 leak that make the NSO group look like nothing. Maybe the NSO group could redirect their ~$250M/yr revenue and equalize in breadth with the CIA, but currently, from a strategic perspective, the CIA's programs are far more terrifying from a "what can they do" perspective. And, with high probability, there are at least a half dozen equivalent programs running in parallel just in the US government. That is how absurdly easy this all is, they do not even need to band together, each and every one can individually exploit a significant fraction of devices.

You are correct, I do not work in exploit development. My numbers are based on quotes vulnerability brokers have given for their inventory of zero-click iOS vulnerabilities (and other OS and application vulnerabilities) to some of my coworkers over the years. I have heard they have increased in price recently, though due to increased demand rather than increased difficulty of discovery, but I doubt the price of a raw exploit has breached the $10M mark yet. I have no knowledge as to the pricing on a final packaged consumer-friendly UI product.

[rotrot]

.

[Veserv]

Okay. Since you say I am underestimating according to your experience can you supply a, in your opinion, 68% confidence interval estimate for the cost or effort required to purchase or develop a zero click iOS exploit (i.e. give a general range for the median case).

Reasonable forms for a sufficiently quantified answer include, but are not limited to:

1. A numerical value to purchase from a broker.

2. A numerical value for the budget a competent organization (such as NSO) might allocate to a team to restock their hoard at a profitable return.

3. The number, skill, likely salary, and time/person-months a competent organization might allocate to restock their hoard at a profitable return.

4. The estimated return on a vulnerability. Giving an estimate of the expenditure bound to maintain profitability.

5. The estimated number of vulnerabilities NSO is finding per year given their budget.

6. The estimated number of vulnerabilities NSO has currently hoarded given their budget. Giving an estimate of the embodied expenditures to date.

7. The estimated amount of time for a NSO vulnerability to be burned allowing the estimation of required replenishment rate.

This is not an exhaustive list of reasonable quantifications, but I think at least something along these lines should provide an adequate quantification to demonstrate the degree to which I am underestimating the state of affairs.

[rotrot]

.

[Veserv]

Thank you for the reply. I was actually only expecting an answer to 1 or 2 of them rather than all of them. 2 and 3 were more questions on the business side of (expenditure on staff finding exploits / expected number to find per year) rather than raw expenses and 4 was more a monetary return rather than a ROI, but thank you for all the answers nonetheless.

Just for clarification, am I correctly understanding your answer to 1b as the price of a zero-click iOS exploit being ~$4M in contrast to my stated $1-2M? If so, I will not openly contest that claim here and thank you for your time. Anybody reading to this point can substitute my earlier claims for $4M if so.

[lossolo]

Anyone has copy of the answers? Seems that it was interesting but was edited.

[petre]

Israel did not need bullets or cruise missiles to shut down Iran's centrifiges twice. But I generally agree that the US 3 letter agencies are better funded and have more sophisticated cyberwarfare tooklits.

[saagarjha]

> The CIA also, independently of the NSA, has an organization that develops these sorts of attacks that make the NSO group also look like a bunch of kindergarteners as evidenced by the Vault 7 leaks.

Have you actually looked at the Vault 7 leaks? There’s nothing there far beyond the capabilities of a NSO-type actor. NSO is at the level of a nation state, but so are all the nation states. It’s easy to think that funneling infinite money at something will just make you that much better at something, but this isn’t true at all. Otherwise Apple and Google and Microsoft would just be unimaginably distanced from every other smaller company, and I’m sure you agree that they are not ;)

[jmnicolas]

My hunch is that size is harming MS and Google. I bet smaller companies, more focused and with the same budget would achieve more.

[rosndo]

> The CIA also, independently of the NSA, has an organization that develops these sorts of attacks that make the NSO group also look like a bunch of kindergarteners as evidenced by the Vault 7 leaks

Anyone even vaguely familiar with the Vault 7 leaks knows that they made the CIA look like a bunch of kindergarteners.

There’s no doubt about the NSAs capabilities, but the Vault 7 crowd was clearly playing in the same league as most NSO group customers.

[dillondoyle]

The FBI comment in this article is interesting in they give an offhand excuse that it could be for evaluating foreign software and threats. holds water. But so to does them buying it to use it

[MichaelMoser123]

wow, the word kindergarten is repeated four times, that doesn't communicate an abundance of confidence...