This isn't the first of these takes regarding Israel by that poster, where they present themselves as 'not supportive of Israel, just presenting a balanced perspective' (while wildly distorting reality).
Since tptacek likes to present themselves as an authority on this kind of stuff, and does indeed have a reputation here, I feel it's important to point out that this isn't the first time they've carried water for Israel like this.
Examples: Calling Israel's exploding pagers war crime "surgical" [0] - which it absolutely was not, or, saying that Hamas should've taken the ceasefire deal they were offered [1] (rightly called out in the replies).
It's absurd to try and claim that Israel is 'no better or worse' than other nations in the 'spying on journalists phones' department. Especially when you look at why.
This is one of the many pitfalls of sharing a collective identity, whether in politics, technology, or even outright jingoist nationalism. You see it on HN all the time; people respond to the tone of a piece rather than what the actual contents are. It's pretty obvious when someone posts a message imbued with that insecurity; it's always about "the other side" and trying to create relative morality. Hasbara, in the Hebrew vernacular. Or "mansplaining" if you're a jaded progressive.
American surveillance is a pretty good example. "Lawful" intercept, geofence tracking, dragnet collection, commercial de-anonymization, America leads the way in a deeply unethical field. Yet, criticize Palantir et al. and people will find ways to argue it's necessary. Usually they create a boogeyman; "we're the good guys because we fight human traffickers and thieves" type of stuff. You don't have to look very closely at the marketing materials for these companies, they're very clear about using it on the "bad guys" to assuage the average insecurity. It's like the dog-and-pony we always see when iOS vs Android security is brought up; "it's not about my phone, it's the relative security of theirs!" When in reality, neither company is ethical or sells a secure product. They're excuses not to think, instead of logical arguments against the claim.
This isn't even a politics issue, either. These comments are a mirror reflection of one's character and their internal (often irrational) justification for an illogical stance. Often these comments aren't even rooted in a form of rhetoric, they just want to deflect the blow a little bit to cover their own ass emotionally. In the tech industry, I've noticed this happen a lot when people are embarrassed by their own work being discovered "in the wild" by peers.
There is a reason I won't name them --- the ones I know about, a fraction of the total market --- it's not interesting, and I'm not going to get into it.
I'm interested, and I'm sure I'm not alone. This isn't easily researched information, and it would be nice to have a list of organisations to put on my boycott list. These companies should be named and shamed. They have no positive influence on the world. If they disclosed instead of exploited the vulnerabilities they have knowledge of, they would improve the security of most of the world's population. Instead, they profit from the insecurity of the population. This is criminal behaviour and should be treated as such.
You'd boycott these companies, that you don't know who they are? It's not much of a boycott to stop doing business with companies you already aren't doing business with.
How do I know if I'm doing business with them if I don't know what services they offer? Years ago I ended up providing services to a company that was involved in morally questionable activities. When I discovered the extent of those activities I stopped providing services. That company was the GEO group.
See, once again, that's interesting. Especially how you can be so sure of that.
I hate to tell you, but companies like the ones you allude to are incredibly interesting. They're also probably very immoral, and should be known by people who have an interest in infosec.
The companies that sell this kind of product aren’t doing it as a side hustle. It’s not like “oh, well yea, Atlassian mostly sell Jira but also they have a team farming viable iPhone data extraction vulns.”
If you were working with one of these companies, you’d know it because it’s their primary/only product/focus.
Which is still interesting. I'm not sure why people won't name these companies. tptacek says it's not interesting, but that's pretty obviously not true. Why won't people name these companies? If they're so insulated from normal commerce, and so specialised that they only provide these services, it shouldn't really matter if anyone knew who they were. They're companies. Unless they're obviously engaged in actually illegal activities (which they may well be, but it's currently not possible for me to determine that) they shouldn't be taboo to discuss. I find it weird that people want to claim "oh yeah, they definitely exist, trust me bro, they're all really secretive, but also totally legit" but they won't mention any names.
I can only assume that there are actually some industry or professional repercussions for disclosing any specifics, because otherwise the only other logical explanation for such tight-lipped discussion is that people are somewhat afraid to talk about these companies.
Also, Google, Apple, Microsoft, Meta probably have some of the most respected vulnerability research labs in the world. They, despite their many and varied other flaws, tend not to weaponise and profit from said research. I mean, they might, but they also do a pretty good job of actively and responsibly publishing this research.