US judge finds NSO Group liable for hacking journalists via WhatsApp

Scope of the Ruling

  • Several commenters note the plaintiffs are WhatsApp/Meta, not the hacked journalists; the decision is about “exceeding authorization” on WhatsApp’s systems, not directly about violations against users.
  • The ruling is framed under the CFAA: NSO allegedly used an unauthorized, scripted client to send messages and gather device info in ways normal clients can’t.
  • Some worry this broad “exceeds authorization = ToS violation” reading could endanger benign alternative clients; others argue malicious intent (malware delivery, bypassing controls) is the key distinction.
  • Multiple people say the CFAA is vague and ripe for reform, but still a useful tool against obviously abusive behavior.

Software Quality, Security, and Tradeoffs

  • Strong thread on “build better software” vs “ship fast”: many agree quality matters, but debate how far to push it given cost/benefit and iteration needs.
  • Security experts stress that simply “trying harder” isn’t enough; serious defense against nation-state malware requires specialized expertise, not just craftsmanship.
  • Discussion of specific attack vectors: buffer overflows in VoIP/WebRTC stacks, code execution before the call is answered, and media/link-preview parsing as a large attack surface.
  • Repeated calls to move away from memory-unsafe languages; others note RCE remains possible and legacy code is hard to replace.

Surveillance, E2EE, and Trust

  • Distinction between illegal spyware use and “legal spying” via warrants and wiretaps; cynical view that platforms want exclusive access to user data.
  • Debate over whether proprietary E2EE apps can secretly implement client-side interception; some argue lack of evidence, others say targeted updates could hide it.
  • WhatsApp vs SMS for 2FA: many recommend authenticator apps or passkeys; some note WhatsApp’s specific bug was patched.

NSO Group, States, and Ethics

  • Strong condemnation of NSO as akin to ransomware gangs or “assassins for hire,” with calls for long prison terms for executives.
  • Others argue that shutting down NSO doesn’t remove demand; other firms or states would simply fill the gap.
  • Long subthread on Israel, US protection, extrajudicial killings, terrorism labels, and double standards in international law and sanctions.

Meta / HN Meta

  • Some note the irony of Meta being the “good guy,” framing its motives as PR and platform control rather than pure defense of users.
  • Complaints that the story was briefly flagged off the HN front page, with suspicions of coordinated downvoting.