And you can hardly blame governments for buying these services in the age of end-to-end encryption in the hands of every criminal and terrorist. There's obviously money to be made from selling offensive cybersecurity tools to governments. These guys still operate under the name "Memento Labs". Would you have said the same about HackingTeam and the Italian Government? They were featured on Citizen Lab a LOT a few years ago.
Now the real question? I'm not sure I know what we can do, actionably. It's pretty bad to tip off "all the people who we find important enough to 0-day" if that assumption holds. How can we continue to allow orgs like NSO Group to exist if they surely can't keep something like their entire target list safe? Even if we assume all of the targets are legitimate threats (which, again, requires enough suspension of disbelief to hold a small army at this point), why would we want that list leakable? If they're all the most legitimate targets, then that list is essentially 50k people who can now discover this fact and change their patterns to hide. If the list is obtainable, then what else is? Are their exploit toolkits just as leakable? Are the internal controls not sufficient to stop these leaks? Its security and system architecture should be decentralized enough that a list of all targets should be extremely difficult to obtain. To frame it differently: NSO Group sells tools to governments that are apparently trustworthy. I suppose that broadly, the takeaway here (and in all of this) that I've missed is that fundamentally, this list of phones that were targeted shouldn't exist, or shouldn't be leakable in this way, if we want to believe that NSO Group is targeting the most genuine targets.