Hacking Team emails are helpful in the open

A bit ago, Italian surveillance privateer Hacking Team was itself hacked. I haven’t had the time or bandwidth these last couple of weeks to download the Hacking Team torrent files, so I had to live the ensuing data-mining lollapalooza vicariously through Twitter. The emails alone are full of little gems, though, and are now searchable via WikiLeaks.

Perusing these has been fascinating, and even a little useful. Example: A couple of years back I’d read a great article about all the network security shortfalls that allowed Edward Snowden to walk out the door with a huge pile of classified NSA files. I couldn’t remember the title or the author, and all my Google searches of likely terms threw up too many of the wrong results. That’s because the article was eventually pay-walled.

But the whole thing was copy-pasted into one of Hacking Team CEO David Vincenzetti’s emails to lists@hackingteam.it. So now I have the complete text of The NSA and Snowden: Securing the All-Seeing Eye, by Bob Toxen. Fab!

There’s another interesting exchange between David and the company’s chief marketing officer, Eric Rabe, that shows how Hacking Team deals with a journalist’s interview requests. For one response to the report, Eric suggested saying “For the record, Syria is not now and has never been a client of Hacking Team for the very reasons described in our Customer Policy.” David thought this should be deleted: “I’d avoid to clearly comment on a single country — even in the case of Syria. Why? Simply because we expose us to further question and request of confirmation regarding Ethiopia, Morocco, UAE, Uzbekistan, and all the others mentioned in the report.”

This would seem to indicate the company’s got some problematic business in those places. And while it may be that no business transpired in Syria, it wasn’t for lack of trying. FirstLook cited Mostapha Maana, Hacking Team’s account manager for the Middle East (translated from Italian): “The Syrian person from Lattakia telephoned me and I explained our product a bit. … He told me that the situation in Syria is calm and advised me to go and see him this week. He said that the product could be very interesting especially after the mess that’s happened lately.” This was in April 2011, just after the uprising kicked off. The email linked above was from 2014, so Hacking Team’s been having to distance itself from that sales pitch for some time now.

What’s also educational is how the company used questions from Human Rights Watch as a way of testing out what kind of responses they’d make in an actual government inquiry. Eric Rabe writes: “Both Fred and I agree these are the questions from Human Rights Watch are just sort of questions we are likely to get from a possible government inquiry, and so it is worth working together to develop a response even if we decide not to send HRW more than our existing statement. The Ethiopian government has flatly denied that they have purchased HT software, so, this complicates matters.”

It was kind of surprising how few PGP-encrypted emails I came across so far in a casual skim of emails. And even in those cases, the recipients often replied to them unencrypted, defeating the whole purpose of it. I’d expected better practices, there. These are, after all, people who know just how hackable computers can be. If the hacker had grabbed all their emails only to find a bunch of PGP messages, the damage control would have been paltry, and it might have even worked in their benefit.

The relationship between Hacking Team and Nice Systems, an Israel-based reseller, is fascinating. At times it’s very tense, with angry feedback that Hacking Team isn’t able to customise their software enough for an Israeli client. At others, they help handle sales of spy tech in Nigeria and Honduras, so their reach is pretty far.

Hacking Team is just one private contractor helping governments obtain data on their own citizens without oversight. Whoever pulled this off did the public a valuable service. And if it turns out to be an inside job, then there’s still hope that others elsewhere will catch on. Data never stays contained. Hacking Team should have predicted that, because that’s its business model.