Loading summary
A
Hello, everyone. This is Tom Uren and I'm here with the gruk for, well, the first recording of 2025. G'day, Grok. How are you?
B
Good day, Tom. Good. And yourself?
A
I'm well. This week's episode of between two Nerds is brought to you by Resourcely. Resourcely makes it easy and safe to deploy cloud infrastructure. Check them out@resourcely IO so today I wrote a little bit about Paragon, which is a spyware company, Israeli indigenous spyware company that was actually bought by an American private equity firm.
B
Hang on, let me guess. It was started by some 8,200 veterans and a VC in Israel.
A
So way back a couple of years ago, I wrote about Paragon as a compare and contrast with NSO Group. NSO Group got into a lot of trouble because it was selling to whoever who was using, like, different countries. And I mean, is whoever with very loose standards about targeting people, and they were using that spyware abusively for human rights abuses to, you know, perpetuate regimes, stomp on advocates or human rights advocates, that kind of thing. Now, Paragon, at the time, the perception was that it had taken entirely opposite approach.
B
Right.
A
And it was deliberately trying to stay on the US Government's good side.
B
Yeah. That they were doing, like, a threat assessment and they were vetting their customers to make sure that, you know, they were not. They weren't selling to, like, the devil who just happened to have $10 million and wanted to buy it. You know, they were taking some effort. That was the. That was the impression, at least.
A
Yeah. I quoted the Financial Times and the. I'll just read from that quote. The company sought a list of allied nations that the US wouldn't object to seeing deploy Paragon's product, which is called graphite. People with knowledge of the matter suggested 35 countries are on that list, although the exact nations could not be determined. Most were in the EU and some in Asia.
B
So I'm going to guess that it was like the eu, Singapore, Taiwan, India.
A
I've never seen a list. But what's happened in the last couple of weeks is that WhatsApp has announced it's disrupted a Paragon hacking campaign. So there's lots of questions in my mind about what's been going on. And so we thought we'd talk about a couple of them. Now, coincidentally, you sent me a tweet, a very long tweet in Hebrew that we'll talk about as well, that contains some like.
B
It seems to have insider info.
A
I don't know if they're True or not. Yeah, it could be. I don't know.
B
It's certainly plausible. And it's even. Even if it's wrong, it's worth talking about because they're interesting points, I think.
A
Yeah. So how should we kick this off?
B
So one of the things I think is interesting is how apparently it was sold to. So, like, they sold to the Singaporean Intelligence Agency, but they sold to American intelligence agencies. Right. And so that's sort of like. That's kind of one of the interesting things about the US is that the intelligence community, the IC, has got, you know, like 18 agencies or something, and they're each like their own thing. So if you're selling one, like one copy to nsa, CIA is going to want one as well, and then DIA is going to get their own one, and the FBI is not going to be left out. So you're able to sell the same technology over and over again to essentially the same client.
A
Yeah. So that's, I guess, part of the strategic decision, like, do we keep our noses clean and we have the US Market, or do we forego that and try and get a lot of money from less savory countries?
B
So I think, in a way, like, there aren't 18 countries that will buy as willingly as there are 18 agencies in the U.S. right.
A
Yeah.
B
You know, because they're obviously much richer than most of these other countries as well.
A
Yeah.
B
So, yeah, it makes very strong economic sense to just focus on the US and maybe a few European countries.
A
Right. So that makes me wonder how you hold countries to a standard. Right. When you're selling a spyware product. So NSO Group, in its defense, said, yeah, well, we had terms of service that said that countries shouldn't do this.
B
It seems like that's pretty ironclad right there. I don't.
A
Well, yeah, exactly. That's the problem. Right. But Paragon has also said we have terms of service that prevent that. And so I was thinking about it and I was going, well, terms of service are not that strong, but then you've got customer selection, so they've got that. Like the Financial Times talked about an allow list of 35 countries that you could sell to. So presumably trustworthy. I'll use air quotes, because how do you trust a country?
B
I wouldn't say trustworthy so much as it's less trustworthy in that the US doesn't categorically object.
A
Right. Yeah.
B
Right. Like, they're not, like, you can't say, like, DPRK is trustworthy, for example.
A
Well, you can absolutely trust them.
B
Hypothetically, you could absolutely trust them to abide by terms of service, however.
A
Well, I mean, you can trust them to do whatever's in their interest and if the terms of service align perfectly with their interests, you've got no problem.
B
This may only be used for stealing cryptocurrency. That's right.
A
So I guess another way of thinking about it is that that list is in a way, a one time get out of jail free card for Paragon where they can say they were on the list. So we thought it was okay, we'll never sell to them again.
B
Yeah, it's that he's your friend. You introduced me.
A
Yeah.
B
Like, you can't blame me for something he did. You know, I'm not going to do anything with him again, like, I've learned my lesson.
A
Yeah. So it seems like to me terms of service combined with the list has an effect for Paragon.
B
Right. So I mean, I think there's a sense of, you know, making fun of just the terms of service thing. Right. Like, yeah, you've got a piece of paper that says you're not allowed to do it. Ha ha ha. That's going to stop a spy agency. How? But I don't think that's the full view. I think that there is actually weight behind that. Right. Because if you're, if you're a spy agency and you're spending, you know, $10 million to buy a license for something, you're not doing it for three months.
A
Yeah.
B
Like that's still.
A
Intelligence requirements are enduring. They don't go away just because you can get onto someone's smartphone.
B
Yeah. Like you need to get those, like you need to get that information this week, you need to get it next month, and you need to get it next year and the year after that. Right. So when you're buying a capability that's offering access to a smartphone or access to an instant messenger account.
A
Well, magic, really.
B
Right, right. You want that. Right.
A
And you don't want the magic to go away.
B
Yeah. Like they have continuing requirements, like it's never going away. They don't want the magic to go away either. They're going to abide by the terms of service because it's going to keep the magic happening. I think is.
A
And that only changes once it, like political masters override that. So it's almost, it's, it's almost against their better judgment, perhaps.
B
Yeah, we'd like to think. Right. But it's absolutely correct. You could say, yeah, we've evaluated all this stuff. We shouldn't be Going after these targets. And when the boss says, but I want it. Yep. You know, like, yeah, what are you supposed to do?
A
Hello, everyone. I just wanted to jump in at this point and say that almost immediately after Grak and I had finished this discussion, news broke that Paragon had actually ended its relationship with Italy for breaking its terms of service. Anyway, back to the show. Yeah, so I guess the terms of service and the list is a mechanism for Paragon to be able to sell. And it's, it's, you know, if it works with a particular country, that's great, and if it doesn't, well, they just say goodbye and move on. Anyway, let's move on to that tweet. So it's a very long tweet. It's in Hebrew. Like, the thing I found most interesting about it is that there's this section in the middle which talks about the technical details of what's going on. So I'll read out some of that, then we can talk about, like, can we actually trust a random tweet in a foreign language that's machine translated? So there's some strong caveats on this. I just thought it was very interesting. So the translation Paragon, unlike most offensive cyber firms, does not install spyware on devices. Instead, its capability relies on exploring vulnerabilities in instant messaging applications, allowing them to breach WhatsApp Telegram and Signal using only the target's phone number. Rather than infecting the device with spyware, like most market solutions, they effectively steal unique identifiers akin to usernames and passwords. With these identifiers, they exploit a vulnerability in WhatsApp's main servers, impersonating the target device to intercept all incoming messages. Think of it as a sophisticated version of WhatsApp web that secretly connects to a target's account without their knowledge or consent.
B
So that sounds very plausible to me. It also sounds like a clever way of doing things in that, like, you're not leaving anything on the device. Right. Like, if, if someone says, I think I've been hacked and they hand their device over, it can be examined, you know, forever, and there's just nothing there to find. I mean, there's going to be some traces of the exploit for some short amount of time, but that's going to get erased.
A
Again, many caveats here. I was thinking that surely this has got to be one of the ways that WhatsApp engineers would think things could go wrong, like cloning a device.
B
I mean, they've built in workflows for that to happen. Linking a device to your account. So it's, it's a thing that they obviously support. The question is sort of do they trigger on, you know, Israel showing up for the same IP for like, you know, 100 different accounts?
A
Now the other thing I thought was fascinating is that this is basically kind of like what the, a couple of people from GCHQ proposed and as a lawful intercept sort of workaround for the proliferation of end to end encryption, is that companies like Apple, WhatsApp Signal, you know, if they were served a lawful warrant, would silently add another participant to a conversation. And perhaps I like that because, you.
B
Know, I want to have more friends. So the more people that join the better. I need someone to read my messages.
A
A practical implementation of that, presumably. What's the word? Inadvertent is the word I'm looking for.
B
I mean to me one of the things that stands out is he says like WhatsApp signal. Right. And then it's sort of never mentioned again. That does make me a bit nervous that they weren't exclusively targeting WhatsApp. Has Signal done an audit to see if this is showing up, which I think would probably show up as new accounts being added or new devices being added to accounts that are connecting from VPN endpoints in Signal.
A
If you're using the web version and a device, it'll give you linked devices. But I was thinking that this was know in a way like cloning a device so it wouldn't appear as a separate one. I mean one of the things they mentioned was Telegram, where. Yes, this is a thing where you, you can log on to Telegram but because it's not actually end to end encrypted.
B
Right. I mean it is except that one of the ends is a cloud server and the other end is your device.
A
Yeah, yeah, yeah. So to me this is like if this was true, it would be very interesting. I don't know if it's true. And the question I asked you when we were talking about how much trust should we put in this tweet?
B
Yeah. Who are you going to believe? A random anonymous, automatically translated tweet from an account that no one knows about?
A
Well, I mean it is an issue statement and it's an Israeli company. So you know, there's that.
B
I mean the thing is like there's so much like this vitriol of like someone is genuinely upset. It's, I don't know, like 2,000 words long or something. It's huge.
A
It feels a bit personal like because it's, you know, why is someone not doing something about this. These famous people are making money out of it. They're not doing the right thing.
B
These are all the things that this guy is doing wrong. Why isn't the Ministry of Defense doing anything about it? Like, it feels personal. I think you're right. Like it's. This is probably, this is probably the guy who tried to get a job at Paragon and was told it was a culture fit issue or something.
A
And it seems strange to just make up that stuff because it, it seems like a bizarre, like what's, what's the point?
B
So, and it's internally consistent. Right. Like if it was someone just making things up, it would be like it would have points that don't make any sense or it would be sort of completely weird. But all of it seems internally consistent.
A
Yeah. So here's a good example. One of the founders, I think was Ehud Schneerson. And so later on he said Paragon believed their software would be nearly impossible to detect since it wasn't installed on the device itself until they were exposed. As usual, Schneerson's characteristic arrogance played a role.
B
You know, that's exactly what I was thinking.
A
So yes, it's an example of it being kind of personally very.
B
It's someone who, it seems like insider knowledge rather than.
A
So yeah, like kind of this dissection of it makes you think more plausible than not.
B
Yeah, like the level of detail it goes into as well I find very interesting. I mean particularly some, like some of the anecdotes. Like they've got this one which like it cracks me up. So one of the ways that an intelligence agency does operations is they will create a test environment that mimics that sort of like that perfectly replicates the target environment. And they will test their stuff in that environment to make sure that it works, to see what artifacts does it leave behind, how reliable is it, all these different various things. So they set up this test environment, they tried it against an iPhone, presumably they decided it was functional, whatever. And then shortly afterwards they get a message from Apple on that iPhone saying device has been targeted by a nation state attack.
A
That part sounds very plausible. I can, oh my.
B
Yeah, like I can see that happening. So, you know, and like it seems too real, like to not be true. That's just, it's too funny to be fake. That's my stance.
A
The funny thing is, at least in the translation, it's not written in a funny way. We think it's funny, but it's like pretty straightforward down the line.
B
They play it straight and they're outraged. Absolutely outraged.
A
Yeah. There's another section where it talks about how Sheerson is a former Unit 8200 commander. So 8200 is Israel's kind of signals intelligence and cyber espionage unit, is my understanding. And it basically, the tweet complains about him luring away so many staff that it's dismantled one of the unit's most critical divisions. So that's the sort of bitterness of someone who's potentially been left behind.
B
Exactly.
A
Because that money, in the end materialized, it says.
B
Yeah, right. He lures everyone away with the promise of riches and they got rich. Bastard. I mean, it feels personal. It really does. Like there's some, like, he got left behind, or he's a competitor who has not had the same success with sales or. I mean, there's a real sense of, like, personal investment in the story or a really, really good author that should, you know.
A
Yeah. So I keep on going back to the. Well, you know, surely this is something that you would really try and make sure didn't happen, like. Like that kind of vulnerability from a WhatsApp engineering point of view. But I guess there's been, like, similarly amazing vulnerabilities that shouldn't exist, like, you know, opening lock screens and stuff like that.
B
Yeah, well, like, there's actually. There's an amazing vulnerability that just got patched where a renderer process in Chrome can move the mouse and make it send clicks. And so you can literally have an exe and you can have it click the exe and run it. So, I mean, you can use the mouse to do the human interaction part.
A
Right.
B
Which is, you know, you'd think, why. Why is that allowed? And I think. I think maybe the other thing to bring up as well is, like, it is a vulnerability. Like, they didn't intend for this to happen. They just had an oversight where they didn't prevent it. Right. Or they, you know, it. Like, it is.
A
Assuming the tweet is correct.
B
Right, Assuming the tweet is correct. And I mean, the thing is, the. The technical details that have come out from other sources, they don't preclude thin on the ground.
A
Yeah, yeah. So I actually went and looked and, like, what other sources were saying. So no one else has reported that this is the way it works. They've said that there's an implant called graphite. So let me just read out what WhatsApp said. So this is from TechCrunch. WhatsApp said it had disrupted a hacking campaign. WhatsApp said that the hacking campaign used malicious PDFs sent via WhatsApp groups to compromise targets and said it had pushed a fix to prevent this mechanism. The hack did not require any action by the targets, according to the company. So that to me doesn't, doesn't spell it out either way. And so this is a paraphrasing by TechCrunch, WhatsApp. I've not found a public statement about it on anywhere. So I think they reached out to media outlets. And so, you know, it's sort of Chinese whispers. Right. I doubt that WhatsApp would say, oh yeah, people can have their conversations mystically stolen with no interaction from you, don't worry about it. And also from a paragon point of view, it makes perfect sense that they would say, oh yeah, we have an implant like everyone else and it works the same way as everyone else's, except.
B
Ours is invisible and you'll never find it because it's that much better. We leave no trace behind.
A
So it's. Having an implant is a very good cover story if you have that capability.
B
If you have that capability and if that's the only capability you have. Because if you're a one trick pony like this, when WhatsApp catches on and fixes it, you're done.
A
Yeah. And if it works in signal, they'll tell. Signal.
B
Yeah, that's it.
A
You'll still have Telegram.
B
No matter what. We'll always have Telegram. Yeah. So I don't know how much you can trust a random tweet from essentially an anonymous account that's been machine translated from another language, but nothing stands out as being untrustworthy.
A
You want to believe, don't you?
B
Yeah, I'm just, I'm going to tell that anecdote from now on as if it's true.
A
So, you know, thanks a lot, Brock.
B
Thanks a lot, Tom.
Risky Bulletin Podcast Summary
Episode: Between Two Nerds: A Paragon of Virtue
Release Date: February 10, 2025
Host: Risky.biz
In the February 10, 2025 episode of Risky Bulletin, hosts Tom Uren (A) and Gruk (B) delve into the intricate world of cybersecurity espionage, focusing on Paragon—a prominent Israeli spyware company acquired by an American private equity firm. Tom sets the stage by referencing his previous comparison between Paragon and the notorious NSO Group, highlighting Paragon's initially perceived ethical stance.
Tom Uren [00:14]: "I'm well. This week's episode of Between Two Nerds is brought to you by Resourcely..."
While the advertisement is noted, the discussion swiftly transitions to Paragon's operations and market positioning.
Tom contrasts Paragon with NSO Group, which has faced significant backlash for selling spyware to regimes with dubious human rights records.
Tom Uren [00:44]: "Paragon was deliberately trying to stay on the US Government's good side."
Gruk concurs, emphasizing Paragon's efforts to vet customers meticulously to avoid misuse.
Gruk [01:37]: "They were taking some effort. That was the impression, at least."
A critical aspect of Paragon’s strategy involves selecting only certain nations as customers. The Financial Times is cited, revealing that Paragon maintains an "allow list" of approximately 35 countries, predominantly in the EU and Asia.
Tom Uren [02:00]: "The company sought a list of allied nations that the US wouldn't object to seeing deploy Paragon's product, which is called Graphite."
Gruk speculates on the possible countries, suggesting nations like Singapore, Taiwan, and India may be included.
Gruk [02:28]: "I'm going to guess that it was like the EU, Singapore, Taiwan, India."
The conversation shifts to Paragon's strategic focus on the US intelligence community, which comprises numerous agencies each requiring their own spyware solutions.
Gruk [03:26]: "They sold to American intelligence agencies... there are 18 agencies in the U.S."
Tom acknowledges the economic rationale behind focusing on the affluent and multifaceted US market.
Tom Uren [04:15]: "Do we keep our noses clean and have the US Market, or do we forego that and try to get a lot of money from less savory countries?"
A significant portion of the episode examines a recent hacking campaign disrupted by WhatsApp, allegedly involving Paragon's spyware, Graphite. This raises questions about Paragon's current operations and effectiveness.
Tom Uren [02:28]: "What's happened in the last couple of weeks is that WhatsApp has announced it's disrupted a Paragon hacking campaign."
Tom introduces a substantial piece of information from a Hebrew tweet, purportedly containing insider details about Paragon's technical methods. The hosts explore the plausibility and implications of these claims.
Tom Uren [10:35]: "Paragon... exploits a vulnerability in WhatsApp's main servers, impersonating the target device to intercept all incoming messages."
Gruk finds the described method both plausible and sophisticated, noting its stealthy nature.
Gruk [11:03]: "It sounds very plausible to me. It also sounds like a clever way of doing things..."
The hosts debate the reliability of the Hebrew tweet, considering factors like translation accuracy and the source's anonymity. They weigh the detailed technical descriptions against the potential for misinformation.
Gruk [13:30]: "Who are you going to believe? A random anonymous, automatically translated tweet from an account that no one knows about?"
Despite reservations, Tom believes the internal consistency and specific anecdotes lend credibility to the tweet's claims.
Tom Uren [15:02]: "It's someone who, it seems like insider knowledge rather than... purely fabricated."
The episode touches on internal strife within Paragon, particularly criticisms aimed at founder Ehud Schneerson. The discussion highlights allegations of Schneerson's arrogance and potential destabilization of critical divisions within Unit 8200, Israel's elite cyber intelligence unit.
Gruk [17:01]: "He lures everyone away with the promise of riches and they got rich. Bastard."
Tom narrates how Schneerson's leadership is perceived as having a detrimental impact on Unit 8200.
Tom Uren [17:55]: "Paragon... luring away so many staff that it's dismantled one of the unit's most critical divisions."
Further analysis is provided on the technical vulnerabilities Paragon may exploit, including sophisticated methods like device cloning without leaving traces. The conversation also references recent Chrome vulnerabilities, drawing parallels with Paragon's alleged techniques.
Gruk [16:46]: "That part sounds very plausible. I can see that happening."
The hosts discuss the broader implications for cybersecurity, emphasizing the challenges in detecting and mitigating such advanced spyware.
Tom contrasts WhatsApp's official statement on the disrupted hacking campaign with the claims made in the Hebrew tweet. WhatsApp acknowledges the use of malicious PDFs and the deployment of security patches but remains vague on the specifics.
Tom Uren [19:47]: "WhatsApp said... the hacking campaign used malicious PDFs sent via WhatsApp groups to compromise targets..."
Gruk interprets WhatsApp's response as an attempt to mask the sophisticated nature of Paragon's Graphite.
Gruk [21:17]: "Having an implant is a very good cover story if you have that capability."
In wrapping up, the hosts reflect on the continuous cat-and-mouse game between cybersecurity firms and intelligence agencies. They underscore the importance of vigilance and the need for robust security measures to counteract increasingly sophisticated spyware like Paragon's Graphite.
Gruk [22:15]: "I'm just, I'm going to tell that anecdote from now on as if it's true."
Tom and Gruk conclude with a sense of caution, acknowledging the evolving landscape of cybersecurity threats and the critical role of informed discourse in addressing these challenges.
Notable Quotes:
Gruk [06:20]: "This may only be used for stealing cryptocurrency."
Tom Uren [15:29]: "Paragon believed their software would be nearly impossible to detect since it wasn't installed on the device itself until they were exposed."
Gruk [18:54]: "There's an amazing vulnerability that just got patched where a renderer process in Chrome can move the mouse and make it send clicks."
Key Takeaways:
Paragon's Strategic Positioning: Unlike NSO Group, Paragon emphasizes ethical customer vetting, primarily targeting allied nations within a predefined allow list.
Technical Sophistication: Paragon's Graphite spyware allegedly employs advanced techniques that bypass traditional detection methods, raising significant cybersecurity concerns.
Insider Criticism: Allegations against Paragon's founder suggest internal conflicts that may impact the company's operations and reputation.
Industry Vigilance Needed: The episode underscores the necessity for continuous monitoring and robust security protocols to counteract evolving spyware threats.
This comprehensive summary encapsulates the critical discussions of the episode, providing listeners and non-listeners alike with a thorough understanding of Paragon's operations, the associated cybersecurity implications, and the broader context of espionage technology.