🎵 🎵It's ringing, so I ripped it off the wall🎵 🎵I cut myself while shaving, now I can't make a cut🎵 🎵We couldn't get much worse, but if they could they would🎵 🎵Bum-diddly-bum for the best, expect the worst🎵 🎵I hope that's understood, bum-diddly-bum🎵 🎵 🎵 Apologies to everybody for the repeating problems we keep having connecting to WBAI. I don't know what the technical issues are, and apparently nobody else does either. Again, apologies. Five minutes late. Hopefully we can go five minutes later and not have to get off the air at 55 after. Yeah, I'm really sorry. I don't know what's going on here. I'm sorry. Go ahead, blame me. It's so frustrating. It's so incredibly frustrating. I'll take the blame and try. Just so people know, the show before us goes right up to the hour. We're told to get off the air at 55 after. This week, let's make an exception. Otherwise, I'll be in a bad mood for a full week. And you don't want that. You don't want that. Alright, it's Off The Hook. On the air. At long last. Hallelujah. Emmanuel here. Kyle over there. Yeah, I was speaking earlier. Yes, but I am here. Thank you for all the work you just put in getting us going. It's very mysterious. Rob T. Firefly is joining us as well. Hang on a second. I've got to bring this button up. Good evening. And I believe we have Gila as well. Greetings and salutations. And we're supposed to have a guest. I don't see a guest. We do have a guest. It's an invisible guest. Raphael Satter from Reuters, I believe, is joining us. Yeah, hi. Thanks for having me. Great. Welcome to the show. We're going to be talking about some very interesting things with you concerning Pegasus. If you haven't heard about Pegasus, boy, this is a story. A lot of new developments in the last couple of weeks. And Raphael is going to help us understand some of them at least. But I want to start off with something on a more personal level. And you guys are free to jump in or not jump in as you wish. But this involves a friend of mine. 
This involves a story that we reported on a couple of years ago. A couple of years ago is when this started. My friend Virgil Griffith, who many of you know, many of you have heard, has been on the radio. He's been at our conferences. He's written articles for us. Amazing guy. Amazing hacker. Somebody that epitomizes what the hacker spirit is all about. He has been facing legal issues because he did something that many of us would do and have done. He went to North Korea. Yeah, he went to North Korea and disobeyed Donald Trump's decree that Americans will no longer be allowed to go to North Korea. Didn't so much just disobey, but didn't think it would be a huge deal. Because so many of us have already gone over. I went over there, I guess about 10 years ago, more than 10 years ago. Reported there from North Korea to this radio show. Had all kinds of interesting encounters and experiences and things like that. And that's basically what he wanted to do as well. I'll tell you the story. I'll tell you more. But first, I have to give you the update because the update is why we're talking about this. The update is what's so disturbing about this whole chain of events. He has been basically living in hell since 2019. Well, actually, that's not entirely fair. He's been living with his parents in Alabama. Which I guess maybe some people would think of as living in hell. But no, it's better than being locked up because he basically wasn't able to go back to where he lived. He lived in Singapore. He wasn't able to be free. He couldn't go on the Internet, all these things. This is a guy who's so into technology, so into figuring things out, so into sharing information. And that is what did him in, the sharing of the information, the trusting. So many of us in the hacker world trust too much. And we'll get to that as well. Basically, in the last couple of weeks, they took him from his home and they threw him into prison. And why did they do this exactly? 
They did this because he accessed, or he was alleged to have accessed his cryptocurrency account. Now, a lot of this story centers on cryptocurrency and how the U.S. government fears cryptocurrency. And the interesting thing with Virgil is that he worked for the Ethereum Foundation and was very knowledgeable about what cryptocurrency was all about, how to make it better, how to explain it to people. And he wanted to pay his lawyer's bills. His lawyer said it was okay for him to have his parents check to see what the balance was in his cryptocurrency account. And somehow the U.S. government got wind of this. I believe Coinbase told them. And even though he wasn't the person actually typing the words, I'm not exactly sure what happened because I'm not privy to the information, but he basically lived up to the terms of his house confinement. He didn't actually go on the Internet himself for this. He had his parents simply check the balance to see if it had gone up enough where he could actually afford to pay his lawyers. And his lawyers said this was okay. They said that. And the U.S. government said, no, no, it's not okay. And they basically just came and threw him into prison. And that's where he is right now for something as ridiculous as checking cryptocurrency balance. And that's what this case has been like pretty much the whole time is lack of understanding, lack of knowledge as far as what the technology is all about. Now, his lawyers have filed a motion to get him out of prison. I'll read you part of it. Mr. Griffith has been out of custody residing with his parents in their Tuscaloosa home. During that time, he has made all court appearances, has recently traveled to Los Angeles twice for critical trial preparation meetings. His lawyers are in Los Angeles. And I was with the court's approval. All these trips have occurred without incident, including his return to Tuscaloosa on July 10th. 
Given the impending trial date, which is in mid-September, I believe, Mr. Griffith may need to sell certain assets to fund his legal defense. He consults closely with his family on financial matters and did so even prior to his arrest. In connection with their strategy to assess and access necessary resources to fund his defense, and after consulting counsel, his mother made an online request to access a U.S.-based and regulated cryptocurrency exchange, Coinbase. Defense counsel reasonably believed that Mr. Griffith's parents accessing an account on his behalf for this purpose would not violate any provision of the bond order. Mr. Griffith and his parents therefore acted consistently with their understanding of the conditions of the bond as informed by what they understood pretrial services permitted, and after Mr. Griffith consulted counsel. The matter has no connection to any risk of flight. It's just so incredible, so crazy that this kind of thing happens, that somebody is imprisoned because he followed his lawyer's advice, because he was trying to pay his lawyer. So that's the craziness that's happening right now. The craziness that led to all of this occurred back in 2019. I'll read you part of the story that came out in January of 2020. Dr. Virgil Griffith, a longtime hacker characterized as the Internet Man of Mystery, has been indicted and will stand trial for traveling to North Korea to teach cryptocurrency and blockchain. After his arrest on Thanksgiving Day in Los Angeles, and here's another thing, they arrested him while he was on his way to his parents for Thanksgiving. They didn't arrest him while he was trying to leave the country. No, they arrested him while he entered the country on Thanksgiving. Unbelievable. He now faces a trial that highlights what will go down in history as an immense technological disruption of the 21st century. 
Basically, the world's economic leaders face a disruption that is a game changer in the world economic stage, and that is cryptocurrency, or currencies that exist only in digital form and powered by a decentralized form of trust, where transactions can be verified anywhere in the world and are no longer reliant on a central intermediary such as a bank. For countries like the US and China, cryptocurrencies pose major threats to their current position as world superpowers. And for North Korea, this technology presents an opportunity to advance its ambitions towards maybe becoming a superpower. As to the potential for cryptocurrency to be disruptive, 2019 definitely proved how serious policymakers in the US view this threat. The uproar surrounding the Facebook Libra hearings in Congress with Mark Zuckerberg, the president's tweets, President Trump, that is, describing Bitcoin as coming out of thin air. And finally, the Secretary of State Mnuchin characterization of cryptocurrency as a national security threat indicated there was a high level of concern how cryptocurrency might be a danger to the United States. I'm playing the stage for all the ignorance that's out there, and all the panic that greets somebody who might understand this, who might be able to tell people how it works and make things inconvenient for those who want the status quo to stay as it is. Continuing, indeed, the idea that Bitcoin, Libra, or any other cryptocurrency might become enough of a valuable digital currency that poses a threat against the greatest weapon the US has of handling foreign affairs, the potential to undercut economic sanctions. The dominance of the US dollar around the world creates the opportunity that should the US impose sanctions on another country, such as North Korea, the impact is real and painful. That's what this is really all about. The interesting thing about Virgil, I want to read part of a letter dated January 8th, before his bail hearings in 2020. 
The US Attorney's Office in the Southern District of New York showed how concerned they were that he was a flight risk. However, it's pointed out by the defense, although Virgil Griffith has been involved with Tor, the onion router, another thing that a lot of people fear and are misinformed on, a way that you can communicate anonymously and securely, for the most part. And browse. And browse. Other parts of the web. Go to our SecureDrop location, things like that. Regardless, that's another show. He's been involved with Tor, which is a way of using the dark web and a way of learning about the many things that are there. Some good, some bad. He ended up, Virgil that is, ended up supporting Interpol to help capture illegal activities. And that resulted in him being fired from Tor. How about that? Virgil is not the kind of person that commits crimes. He's the kind of person that basically figures things out and tells everybody about it. And that is the mistake that he made. I remember when he was in New York. It was actually before one of our shows. And he had gotten a call from the FBI to talk to them about his trip to North Korea. Now, Virgil had asked permission to go to North Korea before he went. He wasn't trying to hide it. And I think he was a bit surprised when it was turned down. This was after Trump's decree saying that Americans can't go to North Korea anymore. The only country in the world that Americans weren't allowed to go to at the time. We were even allowed to go to Cuba at that time. So he was surprised. He lived in Singapore. So he didn't take it as seriously as he should have. And he admitted that. Right off the bat, he admitted, yeah, I did that. He never tried to hide. Probably could have. Probably could have easily covered it up, but no. He did something. He owned up to it. Now, when he visited the FBI, he went against my advice without a lawyer and with full trust in his heart that he would just explain things to them. They would understand. 
And I saw him later that day after he had met with them. And he was convinced that it was a friendly conversation. They understood. He gave them copies of North Korean newspapers that he brought back, pictures that he took. He told them everything that happened over there. Everything that has come about from this case is because Virgil told them. That's the kind of person he is. That's the kind of person he has always been. I'm not that trusting. I told him, don't trust these people. They will lay some kind of trap for you. I don't know how they're going to do that exactly, but they will. I also warned him against going to North Korea, saying that could be potentially dangerous. I was warning him about the dangers of North Korea, but I should have warned him more about the dangers of America, unfortunately. Virgil wrote A Hacker Perspective for 2600 back in the spring of 2019. I just want to read you a couple of things from that so you can understand something about his character. I love the ingenuity that goes into trying to think of the most perverse things you can do within the game. This slowly extended into writing scripts within games to perform common tasks more quickly. Hacking has a certain mystique, but it was the search for the most advanced, insidious ways to get an edge on the online competition that brought me to the security mindset, and soon I was noticing compromising blemishes in all sorts of social and technological systems. I subscribed to 2600 Magazine, and at every issue I understood two or three articles well enough to reimplement them or clean up any minor defects in their technique. At 17, I attended my first hacker conference, H2K, in New York. I understood almost none of the talks, but I made up for it by taking page after page of useless notes. In my senior year of high school, I was inspired by an article in this very magazine entitled Campus Wide, Wide Open by Acidus, a sophomore at Georgia Tech. 
It was about flaws in the Blackboard transaction system, the card access system used at most college campuses nationwide. This article made complete sense to me, and I felt it could have deep ramifications. Later that year, I graduated high school, enrolled at the University of Alabama, and met Acidus, a.k.a. Billy Hoffman, at a local hacker conference in Atlanta. We started up a collaboration to fully flesh out and implement the ideas in his paper. Seven months later, in April 2003, I was excited to give a security talk together, my very first. But hours before our talk, we were served a temporary restraining order from Blackboard, Inc., the maker of the Campus Card System. This was followed by a civil lawsuit two days later stating that our investigating the flaws in their system was, in fact, illegal. The suit didn't go so well. I feel we were completely in the right, but legal courts do not favor who is right. Oftentimes, they don't even favor who is on the right side of the law. They favor the prepared. We were woefully unprepared, and we settled out of court under sealed terms. Hopefully, you all can learn from this. Talk to a lawyer before you get too deep into your project. Boy, I wish he had listened to this. Although, judging from the recent history of hacker cases, it's unlikely you'll go to jail for trying to do a good deed. But unless your case is legally unassailable, the company will outspend you, successfully stop you, and your case will simply become yet another one of the many cases that fail to establish any useful precedent. Anyway, at this point, administrators at both of our universities were more than pissed at us for causing a ruckus. Throughout my sophomore year, I was politely encouraged to leave. So I did. I wound up in Indiana. And while there, I somehow convinced one of the professors at Indiana University's School of Informatics to give me a job doing computer security research. 
I did a cute data-mining project that cross-referenced birth and marriage records across the state of Texas to automatically discover mothers' maiden names. As far as I can tell, not even bank employees know why that's still used as a security question. I called it messing with Texas. Yeah, I could read this whole thing. But basically, Virgil was involved in WikiScanner. He invented WikiScanner, basically took two databases, a database of all of Wikipedia edits, and another database which listed the registered owner for a given IP address. And users could then type in a company and see every anonymous edit that company had made from their offices. It was, as he described it, a bountiful harvest of public relations disasters for disinformers across the globe. Let me conclude with his definition of what self-described hackers have, or who they are. The investigative journalists of the online world. Playful jokesters. People whose mastery of technology has given them disproportionate influence on the internets. People for whom almost every social problem has an engineering solution. Chaotic good, but occasionally chaotic neutral. Vigilantes, to the extent allowed by law, empowering the good and punishing the bad. And people with balls of steel. You know, he gave me credit in that for helping to raise an entire generation of disruptive technologists. So I guess I kind of feel that there's some kind of responsibility here. And I need to make sure the case is known. That people know what is happening here. Now, earlier, I believe this was in 2020. Less than a year ago. They tried to get the case dismissed. Saying that he had no intention of helping North Korea develop cryptocurrency or get around sanctions or anything like that. And the US government referred to his argument as absurd. I did a little digging to find out what they meant by that. And here's what they said. A simple hypothetical lays bare the absurdity of Griffith's position. 
By his logic, the North Korea sanctions regulations would permit an American physicist to travel to the DPRK and explain the science behind nuclear weapons to a conference of North Korean physicists so long as the science could be found on the internet. And he received no fee. And the regime's desire to build nuclear weapons was not economic in nature. Well, apart from trying to scare us with nukes, this doesn't really hold water. Because North Korea already knows how to make nuclear bombs. They've proven that over and over again. They don't need help in that. And I fail to see the difference in looking something up on the internet, learning it that way, or talking to somebody, learning it that way. Maybe you'll learn something that will prevent you from doing something disastrous that would hurt many, many others. What Virgil did in North Korea was attend a conference that North Korea was holding on cryptocurrency. Did not give them any secret information. It was a way to go to North Korea. It was a way to explore, learn, communicate. But certainly was not conspiring in any way. The U.S. government has tried to make it sound as if he was intent on disabling the sanctions. He was intent on figuring out the security holes that would allow that to happen. And as was demonstrated in his trip to New York to the FBI, he would tell everything that he learned to people who simply asked. And he assumed that that was enough. Yeah, he was naive. There's no question about that. This is somebody that is not really that astute in how the legal world and the governmental world works. And you know, I just saw this story too, which might defeat my entire point here. North Korea has amassed $670 million in Bitcoin and other currencies through hacking. Oh my goodness, Virgil, what has happened here? North Korea has amassed upwards of $670 million worth of Bitcoin. That's according to a panel of experts reporting to the U.N. Security Council in March of 2019. 
That's before he ever even went over there. They already knew how to do this. They didn't need Virgil. This had nothing to do with fraud, had nothing to do with getting past sanctions. What this is, is ignorance. Ignorance on the part of the U.S. government and torture. Throwing somebody in prison, pretty much a guarantee of getting COVID-19, and having them face upwards of 20 years in prison for the simple act of visiting a place that so many of us have gone to and exploring something that every hacker would be interested in. If there's a crime here, it's that. And I know there are a lot of questions, and people are welcome to write in to us, oth26.com, ask the questions, or call us while we do overtime at 8 o'clock on YouTube, and we'll talk directly. But I just wanted to make sure that story got out there, because it's like Kevin Mitnick all over again, except worse. Because Virgil didn't even think for a second that he was doing something that would arouse the ire of the powers that be so much, and has always appeared where he was supposed to be, has followed all the rules, and it's tragic. It's tragic what's happening here. One of the great minds of the hacker world, being silenced like this. Sure, he made mistakes. Sure, he did a couple of things that he shouldn't have done, not the least of which was talk to the FBI without a lawyer. But we need to do everything we can to make sure this doesn't end tragically. And September is a trial, he's in prison right now, he needs to get out of prison, he didn't do anything wrong. And that's all I'm going to say on the subject right now. Sorry for taking up a half hour of the show. And I want to talk about the Pegasus spyware. And for that we have our special guest from the Reuters News Agency joining us. And thank you very much, Raphael Satter, for joining us here on WBAI. Some of us have heard about Pegasus for the first time, but it's actually been known about for about five years or so. 
Can you give us a basic outline of what the Pegasus spyware is, and who the NSO group is? Yeah, that's my pleasure. And thank you for having me. I first caught Pegasus in 2016 when Citizen Lab, which is a research group based out of the University of Toronto, had found a phone belonging to an Emirati dissident. And they, along with another cybersecurity company called Lookout, started digging into this phone, and they discovered this extraordinarily stealthy, very powerful piece of spyware that was planted on it. And that was the world's first big glimpse of NSO's capabilities. And you're right, that was about five years ago. Since then, Citizen Lab has come out with report after report after report, and there is a big section of the cybersecurity community that has followed those reports really closely. And Citizen Lab has outlined kind of the global spread of this malware, particularly in Mexico and the Middle East. And it's shown over the past few years how this spyware has been turned against reporters and human rights workers, and in the case of Mexico, for example, even academics and people who are campaigning for a soda tax. And that picture that they've painted is completely at odds with what NSO says it does, which is that they say that they sell hacking tools to governments to fight the worst of the worst. So terrorists, child molesters, that kind of thing. And that brings us to, I guess, the past two weeks, where all of a sudden we have seen a cascade of new revelations about how NSO spyware is actually used. And it has not been particularly flattering as far as the Israeli company is concerned. In fact, it's been so unflattering that they announced, I believe it was the middle of last week, that they would no longer be taking any questions from the press, which was the first one for me. I've never heard of a company that says publicly, that's it, no more questions, we're out of here. Especially a company facing a scandal like this. 
You'd think you'd be eager to get your point of view across. And oddly enough, that hasn't really happened. For those of us who followed Pegasus from the beginning, this has been an extraordinary story. But even for those of us who are just kind of waking up to it now in the past couple of weeks, it has been full of revelations. Heads of state targeted by the spyware, right? Prime ministers, cabinet ministers, ambassadors, military figures, intelligence figures, on top of your usual bevy of human rights workers and journalists. So it's been fascinating. I'm looking at how it gets installed into phones. It used to be that you had to connect to something. You'd get an SMS message and you'd be tricked into clicking on something. But now, apparently, you can have this installed on your phone by doing nothing, by simply having... I don't even know if they have to call you or if it just somehow gets installed. Do you know how simple it's gotten at this point? Terrifyingly simple, right? I think that all of us have been habituated, especially in the hacker community, you sort of think that if somebody gets hacked, they made a mistake somewhere, right? They clicked on something that they weren't supposed to click on. They opened a file that they shouldn't have trusted. And what makes the Pegasus revelations so terrifying is that this technology doesn't require any kind of interaction from the end user. You're just walking down the street in New York or in Mexico City or on vacation or wherever you are. As long as your phone is on and they know your phone number, you are vulnerable. So you've got two choices, right? You either throw the phone in the lake or you don't give your phone number out to anybody. But, you know, it sort of defeats the purpose of the phone, I suppose. Exactly. Yeah, I mean, it is a... I think that's the scariest part of this, this no-click interaction where you will never know that you've been targeted. You'll never know that you've been hacked. 
And the only hint that something might be wrong is when you get thrown into prison by some dictatorship somewhere or when somebody approaches you and knows a lot more about your life than they should have. So it's scary stuff. I had a quick question about the traceability. It's sort of related. I know there are some efforts to figure out where and what types and who may or may not have it in a forensic way. And part of that is actually that the software, once it's loaded and the capabilities of your phone are sort of at its disposal, it can then disappear in that it is installing in memory, like something that would be erased upon like a reboot. That was something else. Do you know anything more about that? Yeah, so that's... I think the nature of the implant has changed over the years. When I first spoke to Mike Murray at Lookout about this back in 2016, I remember his description of Pegasus at the time. He said that it was one of the most fiendishly evasive pieces of software that he'd ever encountered. He described hair-trigger self-destruct mechanisms where the software that would exist on your phone was keenly aware. And I'm sorry, I'm going to glaze over the technical details because it's five years ago now. I think this is normally described as counter-analysis techniques, right? So if the software figures out that it's being booted in a virtual machine, boom, it deletes itself, right? If it figures out that maybe it's being man-billed or something, then same thing. It's really, really evasive. I'll say. I'm seeing all kinds of conflicting stories from the company. I know they're trying to gain control of the narrative. But according to this TechDirt article, their statements and responses have raised more questions than they've answered. NSO claims it has nothing to do with the list of 50,000 potential target phone numbers seen by journalists, which contains nearly 200 journalist phone numbers. 
And by the way, Raphael, I have to ask, do you know if your number wasn't one of them? I don't believe so. Amnesty and Forbidden Stories have said now, I believe publicly, that they have contacted all the journalists who they have seen on the long list of targets. You bring up this list. I think that it's really good to bring it up because the heart of the most recent set of stories has been a list of 50,000-odd phone numbers that Amnesty International and Forbidden Stories have gotten their hands on. There's a lot of debate, and some of it fed, frankly, by ambiguity, from Amnesty and Forbidden Stories, about what this list represents. As a journalist, I fully understand this ambiguity because they have commitments to their sources, I'm sure, and so they want to be a little bit coy about where this comes from. That's perfectly understandable. But into that ambiguity has crept room for denial and legitimate questions. So you've got this big list of phone numbers, and Amnesty has determined that a lot of the numbers that are added to that list get Pegasus on their phones within seconds sometimes, or I believe minutes, of being added to the list. So there's some form of correlation between the numbers that are on the list and the phones that get infected. The way that it's been described by various journalists is that this is a kind of long list, right? In the same way that there might be a short list for the Oscars, right? This is the long list, right? So this is the long list for targeting. And it's a kind of prospective list for clients of NSO. And we're going now into the realm of what analysts have described as this is a list of kind of like a pre-targeting list, if you will. And then within that list are the targets themselves. And Amnesty and other groups, including Citizen Lab, which has done a lot of the peer review on this one, have confirmed that, like, look, a lot of numbers on this list. We've looked at the phones, and the numbers have Pegasus. 
And the phones have traces of Pegasus on them. Now, in some cases, so for example, one of the targets was the French president. One of the alleged targets, I should say, was the French president, Emmanuel Macron. Well, you know, Forbidden Stories asked if they could see his phone. And Macron did not make his phone available. Not a surprise. Yeah, yeah. Big surprise here, right? So, you know, they're laboring under certain constraints here. But, you know, one thing to keep in mind, because NSO has said, A, this list has nothing to do with us, and B, that number is way too high. You know, our clients only are allowed to infect a certain number of people every year, and that 55,000 or that 50,000 figure is way out of control. You know, okay, maybe. But just two years ago, WhatsApp said that over a two-week period, 1,400 devices were targeted with NSO software. That's over a two-week period two years ago. You know, extrapolate that over a couple years. I don't know. But that 50,000 figure, you know, sounds within the realm of possibility. Absolutely. You know, something else that kind of puzzles me here, and I'm sure it's mystifying a lot of people, but NSO claims they have, quote, no visibility, unquote, on their, how the customers use their malware. And they also claim they cut off governments who abuse the product to target journalists, religious leaders, government officials. How can they do that if they don't have any visibility over how they're using it? They're conflicting with each other. Yeah, it seems a little bit contradictory, doesn't it? A bit, yeah. I mean, someone didn't run that sentence by a proofreader, but yeah, how can they know? You know, the other thing, we're talking about malware here. You know, in our culture here right now, we're kind of taught that if you spread malware around, you're doing something bad. It's illegal. How is this company doing this legally? That's a really good question. Those are both really good questions. 
I'll tackle your first one first, because I think it's one that I may be a little bit more familiar with. So you have to see it from a, let's forget about NSO for a second, and let's talk about spyware vendors more generally, right? Spyware vendors face a bit of a conundrum, right? Because their clients are intelligence agencies, and intelligence agencies don't like the idea of a company, especially a company based in a different country like Israel or the United States or Italy or what have you, looking over their shoulder as they're spying on people. You know, they'd rather have privacy while they surveil people. On the other hand, surveillance companies that want to make it big and that want to earn a lot of money, they either need to go public or they need to be bought out by some big hedge fund. And in order for that to happen, well, they need to have, you know, they need to abide by the basics of, you know, public accountability and scrutiny and that kind of thing. And some of them do it to a more or less degree. And NSO, I think, is one of several companies that's sort of caught in that vice, right? I think that on the one hand, there's a lot of pressure from their clients to get a guarantee that like, hey, you're not spying on us while we spy on other people, are you? On the other hand, there's a lot of pressure from investors and just the public at large to say, hey, you know, you guys are monitoring your software, aren't you? You're not just like giving, let's put it in quotation marks, cyber weapons to, you know, various random governments and then letting them do whatever, right? You guys are monitoring this stuff. So they're kind of caught between two chairs where on the one hand, they want to reassure people that, hey, don't worry, we're looking, you know, we're monitoring, we're babysitting, we're seeing what these people are doing and if they do bad stuff, we cut them off. 
On the other hand, they sort of have to tell, I guess, the kids that they're babysitting that like, don't worry, we're not actually monitoring, we're not looking at you that closely and that may, and I emphasize may, be behind some of these contradictory statements that you're seeing from the company. You know, on the one hand, oh, no, no, we can't see anything. On the other hand, oh, no, no, we're keeping an eye out, right? And it's very hard for both of those things to be true at the same time. It's impossible. It's not possible for them to be true. Well, look, let's play devil's advocate here and this is the latest language that they have come up with is that Shalev Hulio, who is the S in NSO, has said that they cannot monitor their customers live but retrospectively, if an issue is flagged, they can go back through the logs and try to piece together what happened, right? So that's, I think that that is, that's their latest explanation of, you know, the degree of oversight that they have over their clients. They should have led with that but I guess that's some good repair. Rob, go ahead. Rafael, the question I had was like, I am really curious now, having followed the story a bit, about NSO themselves. I mean, like, it's a very generic name. Like, you wouldn't necessarily pull someone off the street and ask them if they know who NSO is. Who are NSO? Like, what is this company that's doing this? I know you've been following what they've been doing for a while. Sure, so it's an Israeli company and up until 2016 or so, when Citizen Lab outed them, they were operating, you know, deep beneath the radar. They, in fact, I believe, well, they changed names several times. At one point, they were known as Q Cyber, for example. They have various front companies. And by the way, this is not unusual for spyware vendors or even software vendors more generally. It's nothing necessarily nefarious. 
In the U.S., for example, their reseller is called, their reseller or subsidiary, there's some debate over that, is called Westbridge Technologies. The Luxembourg holding company is called OSY. They're owned by a British private equity fund called Novalpina. So, you know, like, a lot of these companies have very complex corporate structures, right? And, but at its core, NSO is these three people. Omri Lavie, he's the O in NSO. Shalev Hulio, who's the S in NSO. And then a third person whose name escapes me, but he's the N in NSO. And these three guys came together in the early 2010s. And the story that's been reported in the press is that, you know, they tried various business ideas and then they hit on this idea of kind of remote management of phones. And, you know, there's not a huge difference, or at least there wasn't at the time, between remote management of phones and remote, quote unquote, management of phones. And, you know, before too long, intelligence agencies and police forces came knocking because as phones, as the encryption that protected, you know, the communications between different devices became stronger and stronger, there began to be more and more of an incentive just to hack into the device and, you know, get it from the endpoint. And by many accounts, they made quite a success of it, you know, at least up until now. I was curious what has been looked into as far as countermeasures other than the forensic stuff. I know the list, as you've described, is still sort of this thing that is, it's uncertain what it exactly is defining, whether it's a customer list or a compromise list that's been sort of gathered in various ways. And there is very helpful stuff, I believe, for Forbidden Films and Amnesty International are implementing as far as tools. And I'm curious, are older phones, are obscure operating systems, are they helpful in any way? 
Or, for instance, hotspots, if you're a journalist and you need to communicate, but maybe you divert your communications to something that does not have as many sensors and cameras and so forth. I'll tackle that first part of the question first. I think that a lot of your listeners have probably seen The Wire. And at some point, you know, if you really want to have a safe conversation, you take out that, you know, 115-year-old Nokia brick and you power it up and you make that phone call and then you toss the Nokia in the trash, right? Yeah, I was thinking, people forget that SIMs are portable. You can move them around. It's very common with travel. There's even dual-SIM phones. Right, right, right. Well, look, this is beyond the scope of the Pegasus and the NSO stories. But I will share an anecdote that an Israeli who's in a position to know told me about a, maybe it was a year and a half ago, over drinks. And we were talking about NSO and we were talking about this very issue. And I asked him about the safety of, you know, taking out that old Nokia and, you know, is that actually safe, is that actually going to be safer than using your iPhone or your Android? And he laughed. And bear in mind, this is just the anecdote, right? You know, no evidence for this necessarily. But he said that, you know, before BlackBerrys came around, that was the golden age of phone hacking. That's how he described it. It used to be so easy to break into those old-fashioned phones that you basically couldn't make a business out of it because everybody knew how to do it. And you could just send a single silent phone call or a single silent text and you'd get root on the phone. You know, like a single malformed text or something like that. And you'd completely own the device. So I get the attraction and there's a kind of romanticism to using that old phone, you know, and thinking like, you know, this is really going to protect me. I'm skeptical. 
Just, you know, just based on the conversations I had. And there was a second part of the conversation that you asked about countermeasures, maybe using a hotspot, that kind of thing. I'm the wrong person to take security advice from. I think that you want to, you know, you want to chat with real security folks for an answer to that question. But I think that in general, the more hops that exist between your device and the wider network, the better. I think that that's just as a rule of thumb. And I know some people who are very security conscious who'd never take that plane off airplane, who'd never take that phone off airplane. Yeah, I appreciate your comments. Certainly it just seemed to me that the mainstream, of course, the OS that everyone's using, that itself becomes a target. And I didn't want to romanticize too much the older stuff. I wouldn't want to give people the false sense that those are not something that could be vulnerable. I'm just saying it would eliminate the amount of information, e.g. sensors like GPS, etc., etc., make it a little bit more obscure. Who knows, of course, some of that technology is set to expire next year. And it's interesting you mentioned BlackBerry. I do think there are some real virtues to the QNX model and the operating systems that are implemented with that. Well, you know, BlackBerry has reinvented itself as a security company. And I'm sure that their customers are asking them all kinds of questions right now. I mean, there's always some virtue, although it's pooh-poohed, to security through obscurity. And it's true that if you use a totally exotic model of a phone, let's say that you're one of the seven people who bought a Windows phone back in the day, there probably won't be much energy devoted to developing exploits from it because nobody's going to bother hacking the seven people in the world who use the Windows phone. There's a much bigger surface area for Android and for iOS. 
So to a certain degree, what you're saying is correct. I think that if you're cracking out the old phone, there are still some old exploits for Symbian OS out there that NSO can just go back through their back catalog and say, oh, look what this bozo's using. Let's just hack him using that old... Certainly. Yeah, they'll pick their favorite one just to troll you in the process. But I also would point out that a lot of the... I mean, the QNX model, it's cool with the BlackBerry 10 and all that, but it's emulating Android. And in a way to sort of allow you to run WhatsApp or allow you to run other things. So that in and of itself kind of defeats what ordinarily might be a more obscure choice. What's wrong with a good old-fashioned landline? We didn't have these problems back then. I'm thinking of digging into the history of phone hacking, and I was looking through some accounts from the 1940s and 1950s of early phone hacking. And of course, no cell phones back then, so we're talking about landlines. At one point, the phones at the U.S. Embassy had received special signals that effectively disabled their ability to hang up. What it meant was that the phones were hot all the time. You'd put the receiver down, and you'd hear the kind of, you know, ping, which means that your call is over, in theory. But there's a caller who hasn't hung up and who basically will never hang up, and that recorder is running all the time. So even back in the 40s and 50s, with the landline, people were hacking those phones. I might know what that's called. That might be called backhold, and it's something that operators had the power to do. If you ever got an operator mad at you, she could basically make it impossible for you to hang up. I know, as an 8-year-old, that happened to me once and scared the crap out of me. But, you know, Rafael, I would love to know about these 1940s hacking stories you're finding out about, because, boy, that predates when I thought phone hacking began. 
Yeah, no, I mean, nothing new under the sun, right? And I think we get further enough back, we're going to look at, you know, telegraph hacking and eventually get to clay tablet hacking, you know. But this... But phone hacking now, you know, the difference between what was then and what was now is that that rogue operator who was mad at you because you were, you know, doing something naughty over a copper line, you know, at worst, they might catch you in a frank conversation near the phone with a family member or a friend, right? And that's a snippet that they're going to get. And sure enough, that could be enough to be damning, could be enough to find out who you are, could be enough to get you in trouble, right? But there's a limit to the damage that can be done. Now, our phones are our lives. Our phones are our souls, right? Baby pictures, family photos, sex photos, you know, your email, your WhatsApp, everything. Your brain is on that device. That gets hacked. Your soul, your mind gets hacked. That, to me, is what makes this era so exciting. That's why I'm increasingly believing that it's a mistake to have a phone become all those things. We see all the compromising constantly and we see the damage it does to us. There's got to be a better way to do this technologically so that everything isn't all in one place. It certainly makes the stakes much higher. Yeah, you have a single point of failure for your digital life, and it exists in your pocket. Yeah, that's exactly it. We tell people running computer systems, you know, always have backups. Never have a single point of failure. I think we should observe that advice ourselves. We've been talking with Rafael Sater from Reuters about the Pegasus scandal and all kinds of other things. And Rafael, you're welcome to join us in overtime. We continue conversation over on YouTube at 8 o'clock. You're all welcome to write to us, oth@2600.com. 
That's our email address, and we'll be back with this radio program on WBAI next week. Stay tuned to WBAI for more terrific programming. I want to go out with the latest from Negativland. This is called "Content." Participate. Content. Never forget the fact that we are all just content. That anything you put out there, you are content. We are all just potential content for someone else's needs. I think people are happy to participate. There's just hundreds of people rolling their dice, throwing their hat into the content-providing ring. Content forever. Make it mandatory. Content. You don't have to pay people to participate. You are content. You're forced to participate. My content. You're forced to participate. Content is eternal. Content. Content. Content. Content. Forever. Eternity. Eternity. You don't need people anymore. Nothing you can do about it. Content. Nothing you can do. Content. You will be matched up, cut up, repackaged for someone else's needs. The world's largest hotel chain owns no hotels. Are we manipulable? The world's largest retailer has no inventory. Manipulable. What's, I can't talk. And the world's largest media company creates no content. We're not producing the content. We're allowing users to share. I hereby declare this to be an unlawful assembly. It's easy. You get all this user-generated content for free. You don't have to do anything. I don't create it. When I go to a big agency, I own it. I think people are happy to participate. It's expensive. Your content. You know what I mean? It's like the sounds that are used are not cheap. My content. They're very expensive sounding sounds. That sound, right? I just had to get used to it. It's the responsibility of the industry to figure out how to extract their value out of each generation. I want to know what they're talking about amongst themselves. And I want to spread that content to the people who aren't this content yet. Content. Content. Content. Content. Content. Content. Content. 
I like being in the vortex.