Amnesty International (AI) and Forbidden Stories’ claims challenged by several leading international experts.A week after the revelations made by Amnesty International and the consortium of journalists, also known as “Forbidden Stories” accusing Morocco of using the Pegasus software – designed by the Israeli company NSO – to spy on journalists, activists but also high ranking foreign personalities, the refutations are increasing from journalists, experts in cyber security and computer researchers.
For American investigative journalist Kim Zetter, known for her investigations into enigmatic issues related to cyber security and national security since 1999, and author of several books on the subject, “this NSO story is getting a little crazy,” she says.
It would be great if the media behind this story could provide more information on how they were able to verify that this was a list of NSO targets or potential targets, not a list of something else,” she adds.
The US expert also points out that if the list was obtained via hacking, it would be good to have more information on the origin of the list, depending on who leaked it. “Did the media get it from a data broker or from someone who got it from a data broker? Was the list given to them by a hacker?” she asks.
According to journalist Kim Zetter, Amnesty International, investigative journalists and the media they work with have made it clear from the outset that this is “a list of phone numbers marked as numbers of interest to NSO customers” – meaning they are the kind of people NSO customers might like to spy on, she notes.
For his part, IT expert “Aimable N.” notes that no data on the “targets” had been published, wondering “where is the data.”
“So, will these media companies share the raw Pegasus Project data with the security community for analysis? Or will it be a series of sensational headlines until we find out there wasn’t much juice after all,” he writes.
In full agreement with the experts, Norwegian computer security expert Runa Sandvik, who made her name at Forbes before becoming the New York Times’ computer security boss, notes the inconsistency of the accusations reported by the “Forbiden Stories” media. She tweeted ten excerpts from articles published by various media outlets, pointing out the contradictions in the sources cited.
Another expert who is also throwing a wrench in the works of the Pegasus Project and “Forbiden Stories” is the Lebanese researcher in computer science and applied cryptography, Nadim Kobeissi.
In this series of tweets, the expert points out how easily he can fabricate evidence of Pegasus hacking “in 30 seconds.” The evidence from Amnesty and Forbidden Stories is, in his opinion, extremely weak, as it is based on simple self-signed SSL/TLS certificates that anyone can produce and insert into a dataset.
After a careful analysis of the publications on alleged espionage, Kobeissi describes the expertise of “Amnesty and Citizen Lab” as smoke and mirrors.
“The smoke and mirrors of Amnesty and Citizen Lab’s software malicious hunt is appalling. The total lack of verification by dozens of media outlets is clear evidence of incompetence. And the lack of critical thinking on the part of the security research community is shameful,” he writes in a tweet.
He had previously accused Amnesty of falsifying and fabricating evidence to conduct their witch-hunt against NSO.
The Grugq, a cyber security expert who has been quoted repeatedly in articles in The New York Times, The Washington Post, Forbes and BBC News, speculates that the list in question may not be NSO’s, but that of Circles, which is another Israeli spy programme.
The expert concludes that these could be Circles’ lists and therefore points to a lead from Cyprus.
The expert also criticizes the doubtful figures presented by Amnesty and Forbidden Stories, the silence on the data and the bungling of Amnesty, he also questions the whole mess.
As a reminder, Morocco has decided to sue Amnesty and Forbidden Stories before the Paris Correctional Court.
Last Wednesday, the Moroccan government initiated legal proceedings against anyone accusing Rabat of having used the Pegasus spying software, denouncing a “massive, misleading and malicious media campaign.”
The kingdom has categorically rejected these “false” and “unfounded” allegations, and challenges their peddlers, including Amnesty International and the “Forbidden Stories” consortium, as well as their supporters and protégés, to provide any tangible and material evidence in support of their surreal stories, the government says in a statement.