Eric Cantor Re-Emerges To Burn Trump On Immigration Policy
Former House Majority Leader Eric Cantor (R-VA) took a swipe at Donald Trump Thursday on Twitter over his lack of a cohesive immigration policy.

Trump was quick to mock Cantor as a loser when Cantor endorsed former Florida Gov. Jeb Bush in the GOP primary in 2015. Almost a year to the day later, Cantor got a chance to respond:

When Cantor lost his 2014 primary to political novice Dave Brat in a stunning upset, tea partiers were quick to jump on the majority leader's ousting as a "repudiation" of his position on immigration reform, which they characterized as favoring amnesty.

Trump's waffling on his own hardline immigration stances, which include mass deportation, has put conservative extremists on the defensive this week as they try to rationalize their support for a candidate who appears to be crowdsourcing his as-yet unspecified policy.

Can Software Make You Less Racist?

I don't think we computer geeks appreciate how profoundly the rise of the smartphone, and Facebook, has changed the Internet audience. It's something that really only happened in the last five years, as smartphones and data plans dropped radically in price and became accessible – and addictive – to huge segments of the population.

People may have regularly used computers in 2007, sure, but that is a very different thing than having your computer in your pocket, 24/7, with you every step of every day, integrated into your life. As Jerry Seinfeld noted in 2014:

But I know you got your phone. Everybody here's got their phone. There's not one person here who doesn't have it. You better have it … you gotta have it. Because there is no safety, there is no comfort, there is no security for you in this life any more … unless when you're walking down the street you can feel a hard rectangle in your pants.

It's an addiction that is new to millions – but eerily familiar to us.

The good news is that, at this moment, every human being is far more connected to their fellow humans than any human has ever been in the entirety of recorded history.

Spoiler alert: that's also the bad news.

Nextdoor is a Facebook-alike focused on specific neighborhoods. The idea is that you and everyone else on your block would join, and you can privately discuss local events, block parties, and generally hang out like neighbors do. It's a good idea, and my wife started using it a fair amount in the last few years. We feel more connected to our neighbors through the service. But one unfortunate thing you'll find out when using Nextdoor is that your neighbors are probably a little bit racist.

I don't use Nextdoor myself, but I remember Betsy specifically complaining about the casual racism she saw there, and I've also seen it mentioned several times on Twitter by people I follow. They're not the only ones. It became so epidemic that Nextdoor got a reputation for being a racial profiling hub. Which is obviously not good.

Social networking historically trends young, with the early adopters. Facebook launched as a site for college students. But as those networks grow, they inevitably age. They begin to include older people. And those older people will, statistically speaking, be more racist. I apologize if this sounds ageist, but let me ask you something: do you consider your parents a little racist? I will personally admit that one of my parents is definitely someone I would label a little bit racist. It's … not awesome.

The older the person, the more likely they are to have these "old fashioned" notions that the mere presence of differently-colored people on your block is inherently suspicious, and marriage should probably be defined as between a man and a woman.

In one meta-analysis by Jeffrey Lax and Justin Phillips of Columbia University, a majority of 18–29 year old Americans in 38 states support same-sex marriage, while in only 6 states do less than 45% of 18–29 year olds support same-sex marriage. At the same time, not a single state shows support for same-sex marriage greater than 35% amongst those 64 and older.

The idea that regressive social opinions correlate with age isn't an opinion; it's a statistical fact.

Support for same-sex marriage in the U.S.

18 - 29 years old    65%
30 - 49 years old    54%
50 - 64 years old    45%
65+ years old        39%

Are there progressive septuagenarians? Sure there are. But not many.

To me, failure to support same-sex marriage is as inconceivable as failing to support interracial marriage. Which was not that long ago, to the tune of the late 60s and early 70s. If you want some truly hair-raising reading, try Loving v. Virginia on for size. Because Virginia is for lovers. Just not those kind of lovers, 49 years ago. In the interests of full disclosure, I am 45 years old, and I graduated from the University of Virginia.

With Nextdoor, you're more connected with your neighbors than ever before. But through that connection you may also find out some regressive things about your neighbors that you'd never have discovered in years of the traditional daily routine of polite waves, hellos from the driveway, and casual sidewalk conversations.

To their immense credit, rather than accepting this status quo, Nextdoor did what any self-respecting computer geek would do: they changed their software. Now, when you attempt to post about a crime or suspicious activity …

… you get smart, just in time nudges to think less about race, and more about behavior.

The results were striking:

Nextdoor claims this new multi-step system has, so far, reduced instances of racial profiling by 75%. It’s also decreased considerably the number of notes about crime and safety. During testing, the number of crime and safety issue reports abandoned before being published rose by 50%. “It’s a fairly significant dropoff,” said Tolia, “but we believe that, for Nextdoor, quality is more important than quantity.”

I'm a huge fan of designing software to help nudge people, at exactly the right time, to be their better selves. And this is a textbook example of doing it right.

Would using Nextdoor and encountering these dialogs make my aforementioned parent a little bit less racist? Probably not. But I like to think they would stop for at least a moment and consider the importance of focusing on the behavior that is problematic, rather than the individual person. This is a philosophy I promoted on Stack Overflow, I continue to promote with Discourse, and I reinforce daily with our three kids. You never, ever judge someone by what they look like. Look at what they do instead.

If you were getting excited about the prospect of validating Betteridge's Law yet again, I'm sorry to disappoint you. I truly do believe software, properly designed software, can not only help people be more civil to each other, but can also help people – maybe even people you love – behave a bit less like racists online.

1. Just checked ND, and my neighbors are excellent about racial things, but man, they're unloading some ugly ass furniture.

2. Any chance we can roll out a version of this software to the police? They seem to need extra help in this area.
Nextdoor is still pretty racist, though. I see stuff like, "black person wearing ____ and _____ parked on my street and walked away," at least once a week. And my neighborhood is fairly diverse.
They have a terrible reputation here for this kind of racist commentary. Maybe this will help…

Welcome To The Food Wars: Shakshouka Edition

Few things are the subject of fiercer fights than food. In our new series “Food Wars,” we’re going to the front lines of the dishes and debates that matter most. This week, GOOD writer Tasbeeh Herwees on how her Libyan family’s classic breakfast became the subject of a serious internet war. 
On Sunday mornings, my mom makes shakshouka. Six eggs, one for each of us, cooked in a thick bubbling bath of tomato sauce, peppers, onions, and spices. This is a Herwees family tradition of sorts, one of very few we have maintained over the years. For the longest time, I associated the smell of cooking tomatoes with the singular warmth of familial companionship.

Growing up, the only two places I ever ate shakshouka were family homes and back in Benghazi, Libya, where my parents are from. Lately, Benghazi has enjoyed notoriety for being a political scandal-turned-internet meme-turned-Michael Bay war movie. But back then, before uprising and war and political instability brought Benghazi into the forefront of public consciousness, it was just a homeland, the place we spent our listless summers. When I’d talk to people about Benghazi, I’d have to explain to people where it was, usually using Egypt—Libya’s popular older sister—as a reference point. Libya wasn’t exactly known for many contributions to global popular culture, aside from a cameo on Back to the Future.

But we did have food. We had couscous and bazin, a cooked wheat flour dough. We had usban, a sausage made of sheep’s intestines and stuffed with rice and meat (I once had the misfortune of watching my uncle slaughter the sheep from whence these intestines came one summer on his farm in Benghazi). We had magrood, semolina cookies filled with date paste. And we had shakshouka.

A few years ago, shakshouka began appearing on the menus of fashionable brunch spots. In 2012, Tasting Table declared it a “food trend.” By 2015, Zagat had professed its love for its new “brunch obsession,” calling it “a spicy take on eggs in purgatory.” It was jarring to see my mother’s Sunday morning dish in food magazine spreads and artfully Instagrammed by my favorite food bloggers. It felt like seeing your family photos being used as placeholder images for expensive picture frames.

Soon, I began seeing shakshouka everywhere: In London, where it was marketed as a Turkish dish—mistaking it for Menemen, a similar dish in which the eggs are usually scrambled with the rest of the ingredients. In one Soho Square café, I had the distinct displeasure of eating a dish they called “Turkish eggs” with “hazelnut dukkah” (a nutty Egyptian spice mix usually made with peanuts). In Brooklyn and Los Angeles, my familial shakshouka was suddenly an exotic specialty at upscale dining establishments, and they were attributing the dish, instead, to Israel.

Any regular reader of food blogs will tell you: nothing incites chaos in the comments section like assigning Israeli labels to Middle Eastern dishes. The reason is simple: Contestations over food origins are often rife with political implications. The Lebanese have struggled to wrest ownership of hummus from the hands of the Israelis for little under a decade. The debate over whether pasta was invented by the Chinese or the Italians has been a contentious one. These conflicts were parodied in a classic YouTube video “The True Origins of Pizza”, a mockumentary produced by Gum Shoe Pictures in which Korean historians take credit for the Italian dish.

These nationalist food claims are often proxy wars for power: it’s often people who speak from the margins lodging challenges to popularly held beliefs about who owns what dish. The Palestinian campaign to reclaim falafel from the Israelis, for example, is not about naming rights but about asserting identity. It’s foregrounded by a conflict that has already taken away their land, and their right to self-determination. So the appropriation of cuisine—even a fried chickpea fritter—feels like an extension of that injustice.

I found myself at the vanguard of one such maelstrom back in 2011, when shakshouka was mostly just a funny, unrecognizable word to most people. Deb Perelman of Smitten Kitchen, one of my favorite food bloggers, had featured a recipe for the dish.

“There are a lot of reasons to make shakshouka, an Israeli dish of eggs poached in a spicy tomato sauce,” she wrote. “It sounds like the name of a comic book hero. Or some kind of fierce, long-forgotten martial art.”

Deb probably did not anticipate the deluge of comments that would follow—over 650 of them. I was the first to express my objection to the way she classified the dish. Here is what I wrote, in my best impression of a reasonable person:

A commenter named Hanna was far more hostile about the claim. “This dish is LIBYAN,” she wrote. “Get your facts straight please.”

Only a few minutes later, another commenter named Lily offered up her insight: “Oops! Shakshouka is Libyan, my friend,” she wrote, in an effort towards diplomacy. “I believe, as some have posted before me, that the Jewish Libyans brought the dish with them to Israel.”

Vanessa, another dissenter, was the one who provoked a response from Deb. “I grew up on this dish in Egypt,” she commented. “I thought it was a North African dish. I guess all dishes in the Middle East have now become officially ‘Israeli’. Regardless, absolutely delicious!”

Deb responded the next morning, after the conversational fire had been raging for several hours: 

During the course of the comments section war, Deb amended her post, striking through the word “Israeli.” She replaced it with Tunisian, a friendly concession to her angry protesters.

I looked it up later, searching desperately for some kind of evidence I could use to link it, indelibly, to Libya. But I couldn’t find anything. Every source I found attributed it to a vague North African culture. After all, Libya, as the country we know it today, didn’t really exist until 1911. The people who populated the regions we now call “Libya” and “Tunisia” moved fluidly across those lands. It could have been “us” or it could have been “them”—but those distinctions didn’t really exist until very recently.

So I’ve forgiven Deb. In fact, I’ve actually used Deb’s recipe, because my mother’s instructions are usually just a vague listing of ingredients. Deb makes her shakshouka, however, much like my mother makes ours: tomatoes, parsley, garlic, eggs, peppers, cumin. I made it for friends the first time, in my friend’s apartment in Brooklyn, and we gathered over the hot cast iron pan on a cold winter afternoon for brunch. When I was a kid, shakshouka was always an expression of my mother’s love—an attempt at bringing us together around the table at least once that week. Now I use it to bring my friends around the table. It still tastes like home, even with the addition of feta, an extravagance my mother didn’t include.

The Pain Of Police Killings Can Last Decades

Roman Ducksworth in uniform. The Army Corporal was shot to death by a white Mississippi police officer in 1962.

Courtesy of Cordero Ducksworth and the Syracuse Cold Case Justice Initiative

In recent months, the nation has witnessed how questionable police shootings of African Americans can spark anger and unrest across a community. But long after the demonstrations end, the streets go quiet and the cameras leave, families of those killed have to find ways to cope with their loss. And that's a private struggle that can last for decades and across generations.

Cordero Ducksworth has lived that struggle. He was 5 years old in 1962, when his father, Army Corporal Roman Ducksworth, Jr., was shot to death by William Kelly, a white Taylorsville, Miss. police officer.

Ducksworth was stationed at Fort Ritchie, Md. in the spring of 1962 when he was traveling home by bus. His wife Melva was at a local hospital due to severe complications late in her pregnancy with their sixth child.

By the time the bus arrived on the night of April 9, Roman had fallen asleep and the driver called Officer William Kelly onto the bus to rouse him. Kelly instead arrested the serviceman for drunkenness, and directed him to a patrol car across the street.

That's when things became violent. Once Ducksworth and Kelly were off the bus, they started to tussle, and the officer drew his gun and fired twice — once into the ground and once through Ducksworth's chest. Corporal Roman Ducksworth, Jr., was pronounced dead on the scene. He was just 27 years old.

Jackson Daily News, April 12, 1962, "Sheriff Denies Soldier Slain 'In Cold Blood.'"

Records of the National Association for the Advancement of Colored People, Manuscript Division, Library of Congress, Washington, D.C.

Roman's sister-in-law, Vera Ducksworth, and her son Odell had been at the station to pick him up. Instead, Odell held his uncle in the street as he died. The crowd dispersed, leaving Odell and Vera to watch over Roman's body until an ambulance from a local black funeral home could get there. Roman died without knowing that Melva had given birth to a healthy baby girl.

Less than 24 hours later, a grand jury called the death "justifiable homicide," and town officials would go on to tell local and national reporters that Ducksworth reached for Kelly's gun. The allegation was repeated in official accounts up until the present, but was never corroborated in any witness statements to Military Police criminal investigators. There were additional investigations by the FBI and NAACP. But what led Kelly to arrest Ducksworth in the first place, who started the fight, and what moved Kelly to draw his gun and fire it twice have never been clearly established.

Lost Memories

As the eldest child, Cordero was the only one of his siblings to attend the military funeral held for his father at the Cherry Grove Baptist Church cemetery in Taylorsville. "The only thing that I remember about that is the gun fire," Cordero said, recounting the 16-gun salute given to his father. "I didn't know what was going on or why we were even there... It was just scary."

As an integrated honor guard from Fort Rucker, Ala. buried Cpl. Ducksworth, two thousand mourners reportedly attended the funeral — mostly black, but some white — from Taylorsville and surrounding towns. The family had been widely known and respected in the area. Roman's father, Rome Ducksworth, owned hundreds of acres of land in Cherry Grove and was one of only 12 blacks who were registered to vote in Smith County.

But history is much of what Cordero knows of his father; his childhood memories are of times when Roman came home from his military posts for holidays and summer visits. "The only thing I do remember about my father is the gifts he would send home for Christmas," Cordero said. "He sent home a pop gun. It had a cork on the end of it with a string attached to it. It was like a little rifle." Roman also bought his kids a swing. "I used to have pictures of us playing on the swing set," said Cordero.

He doesn't remember his father's voice or how it felt to be hugged by him or what his parents were like together, as a couple.

A Family Secret, A Father's Absence

Cordero Ducksworth, April 2010 at the Syracuse University Cold Case Justice Initiative's It's Never Too Late for Justice conference.

Syracuse University Cold Case Justice Initiative

In 1963, Melva Ducksworth moved her family from Taylorsville to Joliet, Illinois, where Melva lived until her death in 2010. Cordero still lives there today, in the duplex unit his mother bought at the end of the 1960s.

Throughout their childhood, Cordero and his siblings made regular visits to Taylorsville, but were never told the truth. Melva had made the extended family swear to keep the way their father had died a secret. "We'd been to the graveyard, the church," Cordero recalled. "No one had once came to us and even asked us about our father and why he was killed or how he was killed ... He was killed in the service, that's what I thought."

Life as a single mom was hard on Melva. She worked two jobs to support her family, a day shift as a nurse's aide at a nursing home in nearby Naperville, and a night shift making bombshells at the Joliet Army Ammunition Plant. "My mother is one of those type of ladies that [says] I can do anything a man can do," Cordero said. "So naturally she was working on hardest part." Family responsibilities increasingly fell to Cordero. "She relied on me to get my brothers and sisters up in the morning for school and dressed and everything," he said. Then, after school, "she depended on me and my brother next to me to come home and help get things squared away with the family."

After 15 years of that grueling schedule, Melva badly injured her back in the late 1970s. She lost her ability to work and had to get by on disability benefits and Roman's military pension. Even with all the difficulties, she rarely mentioned Roman's absence. "My mother kept us in activities, kept us going," he said. "We didn't have time to think about where was the other parent?"

Cordero sometimes felt his father's absence at school. "You're an athlete, everybody else's dads were there. I'm the most valuable player, and you're sitting there, and everybody else's mothers and fathers are there watching them and congratulating them. Here's my mom, and suddenly, you start thinking about where's your dad?"

A Surprising Honor, A Shocking Truth

Cordero and his siblings didn't learn how their father died until more than 25 years after the fact, when they were adults, with families of their own.

In 1989, Melva Ducksworth and each of her children received letters at their homes from the Southern Poverty Law Center. The civil rights organization wished to commemorate Roman Ducksworth as a civil rights martyr on a memorial to be designed by Maya Lin, famed creator of the Vietnam Veterans Memorial in Washington, D.C.

Cordero was 33 at the time he received the letter. "I immediately called my mom," he recalled. "'Some people want to celebrate my father?'" Cordero asked. "'For what? What did he do?'" He went to his mother's house and she brought out an April 1962 Jet magazine that told the story and had a photo of his father on the undertaker's table.

Roman Ducksworth's grave at the Cherry Grove Baptist Church, Taylorsville, Miss.

Ben Greenberg

"Why didn't we know about this?" he asked. "There was nothing really to tell you," Cordero recalls his mother saying. She feared that any inkling of the truth about what happened to Roman would infect her children with racial hatred, and she explained that she did not want them to distrust whites who had no part in their father's death.

"But what about the person who shot him?" Cordero demanded.

William Kelly was still alive, Melva confessed, but Cordero and his siblings were not to go back to Taylorsville to find him. She was afraid they'd seek revenge and get hurt or killed or that they could end up causing problems for family members still living in Mississippi.

Cordero was angry but his problem was not with white people, he insists. "I had hatred in my heart because of what happened and the people that allowed [Kelly] to get away with it," he said. "I had hatred for the system itself." He was also skeptical of the idea that his father should be honored. "He didn't do anything but get shot," said Cordero. "That's what makes him a hero?"

A Search For Answers

Nonetheless, Cordero and his brother Greg went down to Mississippi soon after the revelation, and questioned their aunts and uncles about their silence. The relatives just repeated what Melva had said: they wanted to keep the children safe, and that the best way was to keep the family secret.

"That's a big secret," Cordero reflected. "It's like we were robbed of the story. Maybe we could have gotten involved with the FBI or trying to pursue the matter had we known when we were younger what happened."

Cordero and Greg asked a relative to take them to see officer Kelly. "We just want to see the guy who shot my father," the brothers said. "We couldn't go down there and ask questions because that would start trouble," Cordero recalled. "The rest of the family wouldn't tell us either, wouldn't tell us who he was or let us go down there and see him." Cordero and his siblings never saw or met William Kelly. The former police officer died in 2004.

Odell Ducksworth, Heidelberg, Miss., June 20, 2016. He held his dying uncle, Roman Ducksworth, moments after the shooting. He still helped keep the incident a secret from Roman Ducksworth's children.

Ben Greenberg

Despite their best efforts, the extended family did have to deal with the fallout from the killing. Within a couple of days of the slaying, Odell Ducksworth had lost his job pressing clothes at a local laundry. But that was just the beginning.

"One night we got up, we seen a bright light," he recalled. "Cross was burning down the street." Odell's father moved him and his new wife to another town 30 miles away. Before the year was out, the family moved to Chicago, where Odell worked for Montgomery Ward for 25 years.

Odell and his wife did move back to Mississippi to retire in the 1990s, but not to Taylorsville. "I don't go that way at all," he said. "Memories come out. I go around Taylorsville."

Cordero doesn't have the kind of memories that haunt his cousin, but he remains troubled by the years of failed efforts to find justice in his father's death. In 2008, the FBI reopened its previous probe of the Ducksworth case, along with 112 other racial slayings from that time under the Emmett Till Unsolved Civil Rights Crime Act, which was designed to investigate race-related murders from the 1950s and 60s. The Bureau dropped the case in 2010, once it established that William Kelly had died.

But prosecuting Kelly was never the point for Cordero. "I wanted to get it overturned because it was not a justified killing," he said. "I wanted the state of Mississippi or the county where it happened to be penalized for it." Part of the irony was rooted in his mother Melva's success in insulating her children from the dangers that pervaded black life in Mississippi.

Cordero says that southern racial turmoil was something they only "knew" from watching TV. "Then you find out so many years later that you actually are a part of that."

Copyright 2016 NPR. To see more, visit NPR.
John Horace McFarland: Unsung Hero of the National Park Service

This is a joint post by Yvonne Dooley with contributions by Angel Vu.

John Horace McFarland, circa 1900. Credit: Courtesy of the Pennsylvania State Archives.

Since August 25, 2016 marks the 100th birthday of the National Park Service, it seems appropriate to pay tribute to one of its lesser known heroes, Mr. John Horace McFarland – a successful businessman and civic leader who helped usher in the legislation giving birth to this relatively young agency.

Before J. Horace McFarland added civic reformer to his repertoire of activities, he ran a successful printing business in the 1890s, where he carved out a niche market within the horticulture industry. His biographer, Ernest Morrison, described the keys to his success as “single-minded perseverance…, personal integrity, and the ability to find the right individual” for the job at hand. He believed in paying his employees based on the quality of their work, not the quantity, offering superior health benefits, and supporting women in the workplace. His progressive nature didn’t stop there either; he continually incorporated technological advances into his printing operation, resulting in the production of what may have been the country’s first color photographs, featured in his exquisite gardening catalogs.

Panoramic photograph of Hetch Hetchy Valley, within Yosemite National Park. The damming of the Hetch Hetchy Valley helped justify the creation of the National Park Service in 1916 by raising public awareness about the importance of preserving nature. Library of Congress Prints and Photographs Division, Washington, D.C.

Advertisement used during McFarland’s campaign against power companies’ development of Niagara Falls.

Reproduction of 1906 ad sponsored by the American Civic Association to save Niagara Falls from being diverted for production of commercial power.

His introduction to civic duty came in 1902 as president of the American League for Civic Improvement, which later merged with the American Park and Outdoor Art Association in 1903 to form the American Civic Association (ACA). J. Horace was then elected ACA’s first president and held the title for twenty years. During that time he traveled the country advocating for the beautification of cities and the preservation of national treasures, such as Niagara Falls and Yosemite’s Hetch Hetchy Valley.

In an address on May 14, 1908 to the White House Governor’s Conference on Conservation, J. Horace argued that “[it] is the love of country that lights and keeps glowing the holy fire of patriotism. And this love is excited primarily by the beauty of the country.” He went on to paint the following picture for his audience, which included President Theodore Roosevelt, James R. Garfield, Gifford Pinchot, and Andrew Carnegie:

“We can not destroy the scenery of our broad land, but we can utterly change its beneficial relation to our lives, and remove its stirring effect upon our love of country…Shall we gaze on the smiling beauty of our island-dotted rivers, or look in disgust on great open sewers, lined with careless commercial filth, and alternating between disastrous flood and painful drouth? Is the Grand Canyon of the Colorado to be really held as Nature’s great temple of scenic color, or must we see that temple punctuated and profaned by trolley poles? Shall the White Mountains be for us a great natural sanitarium, or shall they stand as a greater monument to our folly and neglect?”

Print showing view of Niagara Falls from river below. McFarland successfully defended Niagara Falls from power company interest resulting in a resolution signed by President William Howard Taft on May 4, 1910. Library of Congress Prints and Photographs Division, Washington, D.C.

The drive to establish the National Park Service began in 1910 and was finally won six years and three secretaries of the Interior later. In testimony before the House Committee on Public Lands on April 5, 1916, J. Horace provided the following statement:

“In my own town, with 900 acres of parks, we manage to use quite a number of desks, and the time of three capable persons the year around to promote the interest of our people in our parks. If in this particular case it can not be found that 7,000 square miles of territory, unmatched anywhere else on the face of the globe, is worthy of efficient handling, and is worthy not only of one desk but as many desks and as many people and at whatever cost as may be necessary to give the people a chance to have these great national wonders preserved, then I should think that the United States ought to go out of business…

The American Civic Association is made up of a Nation-wide membership, and of people who feel what they believe with considerable intensity. These people want a national park service. In reporting this bill in such fashion as may seem best to insure its final passage, you will, I am sure, be following the desires of a very large majority of your fellow citizens.”

Although McFarland faced strong opposition, he was finally able to gain enough support to get the act passed on August 25, 1916. As we celebrate the National Park Service’s 100th birthday this year, let us sing the praises of leaders like John Horace McFarland who were willing to fight and win the political battles necessary to ensure that the natural wonders of this great land would endure throughout the ages.

The Million Dollar Dissident: NSO Group's iPhone Zero-Days used against a UAE Human Rights Defender

Authors: Bill Marczak and John Scott-Railton,  Senior Researchers at the Citizen Lab, with the assistance of the research team at Lookout Security.

Media coverage: The New York Times, Motherboard, Gizmodo, Wired, Washington Post, ZDNet.

This report describes how a government targeted an internationally recognized human rights defender, Ahmed Mansoor, with the Trident, a chain of zero-day exploits designed to infect his iPhone with sophisticated commercial spyware.

Ahmed Mansoor is an internationally recognized human rights defender, based in the United Arab Emirates (UAE), and recipient of the Martin Ennals Award (sometimes referred to as a “Nobel Prize for human rights”).  On August 10 and 11, 2016, Mansoor received SMS text messages on his iPhone promising “new secrets” about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers.  We recognized the links as belonging to an exploit infrastructure connected to NSO Group, an Israel-based “cyber war” company that sells Pegasus, a government-exclusive “lawful intercept” spyware product.  NSO Group is reportedly owned by an American venture capital firm, Francisco Partners Management.

The ensuing investigation, a collaboration between researchers from Citizen Lab and from Lookout Security, determined that the links led to a chain of zero-day exploits (“zero-days”) that would have remotely jailbroken Mansoor’s stock iPhone 6 and installed sophisticated spyware.  We are calling this exploit chain Trident.  Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements.  

We are not aware of any previous instance of an iPhone remote jailbreak used in the wild as part of a targeted attack campaign, making this a rare find.

The Trident Exploit Chain:

  • CVE-2016-4657: Visiting a maliciously crafted website may lead to arbitrary code execution
  • CVE-2016-4655: An application may be able to disclose kernel memory
  • CVE-2016-4656: An application may be able to execute arbitrary code with kernel privileges

Once we confirmed the presence of what appeared to be iOS zero-days, Citizen Lab and Lookout quickly initiated a responsible disclosure process by notifying Apple and sharing our findings. Apple responded promptly, and notified us that they would be addressing the vulnerabilities. We are releasing this report to coincide with the availability of the iOS 9.3.5 patch, which blocks the Trident exploit chain by closing the vulnerabilities that NSO Group appears to have exploited and sold to remotely compromise iPhones.

Recent Citizen Lab research has shown that many state-sponsored spyware campaigns against civil society groups and human rights defenders use “just enough” technical sophistication, coupled with carefully planned deception. This case demonstrates that not all threats follow this pattern.  The iPhone has a well-deserved reputation for security.  As the iPhone platform is tightly controlled by Apple, technically sophisticated exploits are often required to enable the remote installation and operation of iPhone monitoring tools. These exploits are rare and expensive. Firms that specialize in acquiring zero-days often pay handsomely for iPhone exploits.  One such firm, Zerodium, acquired an exploit chain similar to the Trident for one million dollars in November 2015.

The high cost of iPhone zero-days, the apparent use of NSO Group’s government-exclusive Pegasus product, and prior known targeting of Mansoor by the UAE government provide indicators that point to the UAE government as the likely operator behind the targeting.

Remarkably, this case marks the third commercial “lawful intercept” spyware suite employed in attempts to compromise Mansoor.  In 2011, he was targeted with FinFisher’s FinSpy spyware, and in 2012 he was targeted with Hacking Team’s Remote Control System.  Both Hacking Team and FinFisher have been the object of several years of revelations highlighting the misuse of spyware to compromise civil society groups, journalists, and human rights workers.

Figure 1: Ahmed Mansoor, the “Million Dollar Dissident.”

The attack on Mansoor is further evidence that “lawful intercept” spyware has significant abuse potential, and that some governments cannot resist the temptation to use such tools against political opponents, journalists, and human rights defenders. Our findings also highlight the continuing lack of effective human rights policies and due diligence at spyware companies, and the continuing lack of incentives to address abuses of “lawful intercept” spyware.

Our report proceeds as follows:

  • Section 2 provides an overview of the attack against Ahmed Mansoor.
  • Section 3 details NSO Group’s tradecraft, gleaned from what appears to be a copy of NSO Group documentation leaked in the Hacking Team emails.
  • Section 4 summarizes our technical analysis of the attack against Mansoor (in collaboration with Lookout).
  • Section 5 describes how we found what appears to be the NSO Group’s mobile attack infrastructure while working on our previous Stealth Falcon report.
  • Section 6 links the spyware used in the attack on Mansoor to NSO Group.
  • Section 7 outlines evidence of other individuals targeted with the infrastructure that we linked to NSO Group, including Mexican journalist Rafael Cabrera.
  • Section 8 explains how the attack on Mansoor fits into the context of ongoing attacks on UAE dissidents.
  • Section 9 concludes the report.

Ahmed Mansoor is an internationally recognized human rights defender, blogger, and member of Human Rights Watch’s advisory committee.  Mansoor, who is based in the UAE, was jailed for eight months in 2011 along with four other activists for supporting a pro-democracy petition.  After he was released, Mansoor’s passport was confiscated, his car was stolen, and $140,000 disappeared from his bank account.  Mansoor is banned from traveling overseas, and his work continues to attract significant harassment and punishment.

On the morning of August 10, 2016, Mansoor received an SMS text message that appeared suspicious. The next day he received a second, similar text. The messages promised “new secrets” about detainees tortured in UAE prisons, and contained a hyperlink to an unfamiliar website. The messages arrived on Mansoor’s stock iPhone 6 running iOS 9.3.3.

Figure 2: Ahmed Mansoor received suspicious text messages in August 2016.  Credit: Martin Ennals Foundation.

Mansoor quickly forwarded the messages to Citizen Lab researchers for investigation.  He has good reason to be concerned about unsolicited messages: every year since 2011, Mansoor has been targeted with spyware attacks, including with FinFisher spyware in 2011 and Hacking Team spyware in 2012 (see Section 8: Ahmed Mansoor and Previous UAE Attacks).

Figure 3: SMS text messages received by Mansoor (English: “New secrets about torture of Emiratis in state prisons”).  The sender’s phone numbers are spoofed.

When Mansoor’s messages reached us, we recognized the links: the domain name belongs to a network of domains that we believe to be part of an exploit infrastructure provided by the spyware company NSO Group (see Section 6: Linking NSO Group Products to the Attack on Mansoor).  We had first come across the NSO Group infrastructure during the course of our earlier research into Stealth Falcon, a UAE-based threat actor (see Section 5: Tracking a Mobile Attack Infrastructure).  

When we first found the infrastructure and connected it to NSO Group, we hypothesized that operators of the NSO Group spyware would target a user by sending them an infection link containing one of the exploit infrastructure domain names.  Though we had previously found several public occurrences of links involving these domains on Twitter (see Section 7: Evidence of Other Targets), none of the links we found seemed to be active (i.e., none produced an infection when we tested them).  In other exploit infrastructures with which we are familiar (e.g., Hacking Team’s exploit infrastructure), we had noted that operators prefer to deactivate such links after a single click, or after a short period of time, perhaps in order to prevent the disclosure of the exploit to security researchers.

We accessed the link Mansoor provided us on our own stock factory-reset iPhone 5 (Mansoor had an iPhone 6) with iOS 9.3.3 (the same version as Mansoor).  When we clicked the link, we saw that it was indeed active, and watched as unknown software was remotely implanted on our phone.  This suggested that the link contained a zero-day iPhone remote jailbreak: a chain of heretofore unknown exploits used to remotely circumvent iPhone security measures.  To verify our observations, we shared our findings with Lookout Security.  Both research teams determined that Mansoor was targeted with a zero-day iPhone remote jailbreak. The chain of exploits, which we are calling the Trident, included the following (see Section 4: The Trident iOS Exploit Chain and Payload for more details):

  • CVE-2016-4657: An exploit for WebKit, which allows execution of the initial shellcode
  • CVE-2016-4655: A Kernel Address Space Layout Randomization (KASLR) bypass exploit to find the base address of the kernel
  • CVE-2016-4656: 32- and 64-bit iOS kernel exploits that allow execution of code in the kernel, used to jailbreak the phone and allow software installation

The implant installed by the Trident exploit chain would have turned Mansoor’s iPhone into a digital spy in his pocket. The spyware, which appears to be NSO’s Pegasus spyware solution, was capable of employing his iPhone’s camera and microphone to eavesdrop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements.

The attack on Mansoor appears to have used Pegasus, a remote monitoring solution sold by NSO Group Technologies Ltd (see Section 6: Linking NSO Group Products to the Attack on Mansoor).  NSO Group, based in Herzelia, Israel (CR# 514395409), develops and sells mobile phone surveillance software to governments around the world.  The company describes itself as a “leader” in “mobile and cellular Cyber Warfare,” and has been operating for more than six years since its founding in 2010.

NSO Group appears to be owned by a private equity firm with headquarters in San Francisco: Francisco Partners Management LLC, which reportedly acquired it in 2014 after approval from the Israeli Defense Ministry.  However, as of November 2015, Francisco Partners was reportedly exploring selling NSO Group, with a stated valuation of up to $1 billion. Interestingly, Francisco Partners previously invested in Blue Coat, a company selling network filtering and monitoring solutions, whose technology has been used by repressive regimes according to previous Citizen Lab research.

Figure 4: Image from an NSO Group brochure posted on SIBAT (The International Defense Cooperation Directorate of the Israel Ministry of Defense).

NSO Group has largely avoided the kind of high profile media attention that companies like Hacking Team and FinFisher have sometimes courted. The company maintains no website, there is little concrete information about NSO Group’s Pegasus product available online, and we know of no prior technical analysis of NSO Group’s products or infrastructure.

Some previous media reports have linked NSO Group and Pegasus to a scandal involving potential illegal eavesdropping in Panama, and possible sales to Mexico.  Other reports have suggested that NSO Group’s activities have aroused concern within the United States intelligence community.

Two of NSO Group’s three co-founders, Shalev Hulio and Omri Lavie, are also co-founders of mobile security company Kaymera, which promises a “Multi Layered Cyber Defense Approach” to clients.  On Kaymera’s website, the company reprints a Bloomberg article pointing out that they “play both sides of the cyber wars.”  The article also quotes NSO Group’s CEO, who suggests that they entered the defense business when potential clients saw the capabilities of NSO Group’s tools.

Figure 5: Kaymera’s website promises comprehensive mobile security

3.1. Pegasus Documents in Hacking Team Leak

Much of the publicly available information about Pegasus seems to be rumor, conjecture, or unverifiable claims made to media about capabilities. However, when we examined the Hacking Team emails leaked online after a 2015 breach, we found several instances of Hacking Team clients or resellers sharing what appeared to be NSO Group’s product documentation and sales pitches.

For instance, in December 2014, a reseller of surveillance technologies to the Mexican government forwarded a PDF document containing detailed technical specifications of NSO Group’s Pegasus system to Hacking Team.  According to the document’s metadata, it appears to have been created in December 2013 by Guy Molho, who is listed on LinkedIn as the Director of Product Management at NSO Group.

3.2. Device Infection

According to the purported 2013 NSO Group Pegasus documentation found in the Hacking Team materials, NSO Group offers two remote installation vectors for spyware onto a target’s device: a zero-click vector, and a one-click vector.  The one-click vector involves sending the target a normal SMS text message with a link to a malicious website.  The malicious website contains an exploit for the web browser on the target’s device, and any other required exploits to implant the spyware. In the attack against Mansoor, the Trident exploit chain was used.

To use NSO Group’s zero-click vector, an operator instead sends the same link via a special type of SMS message, like a WAP Push Service Loading (SL) message.  A WAP Push SL message causes a phone to automatically open a link in a web browser instance, eliminating the need for a user to click on the link to become infected. Many newer models of phones have started ignoring or restricting WAP Push messages.  Mobile network providers may also decide to block these messages.

Figure 6: Diagram from purported NSO Group Pegasus documentation showing the sequence through which the spyware (“Agent”) is installed on a target’s mobile device.  Source: Hacking Team Emails.

The documentation refers to a malicious website employed in installation of the spyware (“Agent”) as an Anonymizer, which communicates with a Pegasus Installation Server located on the operator’s premises.  When a target visits a malicious link from their device, the Anonymizer forwards the request to the Pegasus Installation Server, which examines the target device’s User-Agent header to determine if Pegasus has an exploit chain, such as the Trident, that supports the device.

If the device is supported, the Pegasus Installation Server returns the appropriate exploit to the target device through the Anonymizer and attempts an infection.  If infection fails for any reason, the target’s web browser will redirect to a legitimate website specified by the Pegasus operator, in order to avoid arousing the target’s suspicion.

In the operation targeting Mansoor, the one-click vector was used, with anonymizer (see Section 4: The Trident iOS Exploit Chain and Payload for more details).

3.3. Data Collection

According to the purported NSO Group documentation, once successfully implanted on a phone using an exploit chain like the Trident, Pegasus can actively record or passively gather a variety of different data about the device.  By giving full access to the phone’s files, messages, microphone and video camera, the operator is able to turn the device into a silent digital spy in the target’s pocket.

Figure 7: Diagram from purported NSO Group Pegasus documentation showing the range of information gathered from a device infected with Pegasus.  Source: Hacking Team Emails.

In the spyware used in targeting Mansoor, we confirmed many elements of this functionality, and observed indications that the collection of the following types of data was supported, among others (see Section 4.2: The Payload for more details):

  • Calls made by phone, WhatsApp and Viber,
  • SMS messages, as well as messages and other data from popular apps like Gmail, WhatsApp, Skype, Facebook, KakaoTalk, Telegram, and others,
  • A wide range of personal data, such as calendar data and contact lists, as well as passwords, including Wi-Fi passwords.

3.4. Exfiltration

According to the purported NSO Group documentation, an infected device transmits collected information back to a Pegasus Data Server at the operator’s premises, via the PATN (Pegasus Anonymizing Transmission Network).  The PATN appears to be a proxy chain system similar to Hacking Team’s anonymizers and FinFisher’s relays. The chain is intended to obfuscate the identity of the government client associated with a particular operation.  Once the collected information arrives on the Pegasus Data Server, an operator may visualize the information on a Pegasus Working Station.

Figure 8: A purported screenshot of NSO Group’s Pegasus Working Station software, which visualizes location data collected from infected devices (as of March 2012).  Source: Hacking Team Emails.

The implant in the attack targeting Mansoor communicated with two PATN nodes: and <a href="" rel="nofollow"></a>.  The first of these,, appears to be a lookalike domain for the legitimate, a Gulf-based satellite television channel (see Section 5.2 for more details on lookalike domains observed in apparent NSO Group infrastructure).

3.5. Prioritizing Stealth

One interesting design decision of NSO Group’s Pegasus system, according to the purported NSO Group documentation, is that it emphasizes stealth above almost all else.  As the documentation states:

In general, we understand that it is more important that the source will not be exposed and the target will suspect nothing than keeping the agent alive and working.

Certain Pegasus features are only enabled when the device is idle and the screen is off, such as “environmental sound recording” (hot mic) and “photo taking.”  The documentation also states that the spyware implements a “self-destruct mechanism,” which may be activated automatically “in cases where a great probability of exposing the agent exists.”  However, the documentation claims that sometimes Pegasus removal can result in an infected device rebooting immediately after removal.

In this section, we describe our technical analysis of the attack on Mansoor, including the Trident iOS Exploit chain and payload. Given the accelerated timeframe of this case, we are publishing the results of a preliminary analysis.

Recall that the investigation that led to the discovery of the Trident exploit chain began when UAE human rights activist Ahmed Mansoor forwarded to Citizen Lab two suspicious links that he received via SMS on his iPhone (Section 2).  Suspecting the links to be iPhone spyware associated with NSO Group (Section 6), we accessed them from our own stock factory-reset iPhone 5 running iOS 9.3.3.  Mansoor’s device is an iPhone 6, running iOS 9.3.3; we did not have an iPhone 6 available for testing.  Although the latest iOS version when Mansoor received the links was 9.3.4, this version had been released only one week beforehand.

We accessed the links by opening Safari on our iPhone, and manually transcribing the links from the screenshots that Mansoor sent.  After about ten seconds of navigating to the URL, which displayed a blank page, the Safari window closed, and we observed no further visual activity on the iPhone’s screen.  Meanwhile, we saw that the phone was served what appeared to be a Safari exploit, followed by intermediate files (final111), and a final payload (test111.tar). The first two payloads form the Trident exploit chain, and test111.tar is the payload.

Figure 9: Requests from our phone to as we clicked on the malicious link.  The first request is our click on the link.  The requests for ntf_bed.html, ntf_brc.html, and test111.tar are conducted by a stage2 binary (in final111).  All previous requests are conducted by Safari.

Suspecting what we had observed to be the work of a zero-day iPhone remote jailbreak, we shared the exploit and payloads with colleagues at Lookout Security, initiated a responsible disclosure process with Apple, and sent Apple the exploit and payloads.

4.1. The Trident Exploit Chain

This section provides a high-level overview of the Trident exploit chain used in the attack against Mansoor.  For further details, see Lookout’s report.

When a user opens the links sent to Mansoor on an iPhone, a stage1 containing obfuscated JavaScript is downloaded. The JavaScript downloads (via XMLHttpRequest) stage2 binaries for either 32-bit (iPhone 5 and earlier) or 64-bit (iPhone 5s and later), depending on the type of device.  The stage1 employs a previously undocumented memory corruption vulnerability in WebKit to execute this code within the context of the Safari browser (CVE-2016-4657).

The stage2 exploits a function that returns a kernel memory address, from which the base address of the kernel can be mapped (CVE-2016-4655).  The stage2 then employs a memory corruption vulnerability in the kernel (CVE-2016-4656).  This last vulnerability is employed to disable code signing enforcement, allowing the running of unsigned binaries.  The stage2 downloads and installs the stage3, which is the spyware payload.

4.2. The Payload

This section provides a high-level overview of the functionality of the spyware payload.  For more details, see Lookout’s report.

4.2.1. Persistence

The Trident is re-run locally on the phone at each boot, using the JavaScriptCore binary.  To facilitate persistence, the spyware disables Apple’s automatic updates, and detects and removes other jailbreaks.

4.2.2. Recording

The attack payload includes a renamed copy of Cydia Substrate, a third-party app developer framework, which it uses to help facilitate recording of messages and phone calls from targeted apps.  To record WhatsApp and Viber calls, the spyware injects WhatsApp and Viber using the Cydia Substrate, hooks various call status methods, and sends system-wide notifications when call events occur; the spyware listens for these notifications and starts or stops recording as appropriate.  It appears that the payload can spy on apps including: iMessage, Gmail, Viber, Facebook, WhatsApp, Telegram, Skype, Line, KakaoTalk, WeChat, Surespot,, Mail.Ru, Tango, VK, and Odnoklassniki.

The spyware also exfiltrates calendar and contact data, as well as passwords saved in the phone’s keychain, including Wi-Fi passwords and networks.

4.2.3. Exfiltration

The attack payload beacons back to command and control (C2) servers delivered in stage2 of the Trident, via HTTPS.  One of the binaries in the stage2 of the link sent to Mansoor contained the following string:


The Base64 string decodes to:

Your Google verification code is:5678429
<a href="" rel="nofollow"></a>

This appears designed to look like a text message from Google containing a two-factor authentication code, though legitimate Google messages of this type do not contain a link, and contain one fewer digit in the verification code.  Base64-decoding the “i” parameter of the URL yields:,

These are the C2 servers for the spyware sent to Mansoor: and <a href="" rel="nofollow"></a>.

A similar obfuscation appears to be used for exchange of information over SMS between an infected phone and the C2 Server.  In case the spyware’s C2 servers are disabled or unreachable, an operator may deliver updated C2 servers to an infection using this type of SMS, similar to FinFisher’s “emergency configuration update” functionality.
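As an added illustration (not code from the Citizen Lab report), the following Python shows how an analyst could triage a decoded string of the form just described: it checks the two tells the authors point out (a link present, a code that is not six digits) and Base64-decodes the "i" query parameter to recover the embedded host list. The sample string, the relay domain and the host names are constructed placeholders, not indicators from the report.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

CODE_RE = re.compile(r"verification code is:\s*(\d+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")

# Constructed sample (NOT from the report): the relay domain and host list are placeholders.
_INNER_HOSTS = "c2-one.example,c2-two.example"
_INNER_TEXT = (
    "Your Google verification code is:5678429\n"
    "http://sms-relay.example/?i=" + base64.b64encode(_INNER_HOSTS.encode()).decode()
)
SAMPLE_OBFUSCATED = base64.b64encode(_INNER_TEXT.encode()).decode()


@dataclass
class SmsVerdict:
    code_digits: int = 0
    has_link: bool = False
    decoded_hosts: list = field(default_factory=list)
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def b64_decode_lenient(value: str):
    """Decode Base64 that may have lost its '=' padding; return None if it is not Base64 text."""
    value = value.strip()
    value += "=" * (-len(value) % 4)
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def query_params(url: str) -> dict:
    """Split the query string by hand: urllib's parse_qs turns '+' into spaces, which corrupts Base64."""
    params = {}
    for pair in urlparse(url).query.split("&"):
        if "=" in pair:
            key, _, val = pair.partition("=")
            params.setdefault(key, []).append(val)
    return params


def analyse_sms(body: str) -> SmsVerdict:
    """Score one SMS body against the tells described for the fake Google verification message."""
    verdict = SmsVerdict()
    code = CODE_RE.search(body)
    if code:
        verdict.code_digits = len(code.group(1))
        # Genuine Google codes are six digits; the lure carried one digit more.
        if verdict.code_digits != 6:
            verdict.reasons.append(
                f"verification code has {verdict.code_digits} digits, expected 6")
    urls = URL_RE.findall(body)
    if urls:
        verdict.has_link = True
        if code:
            # Genuine verification messages of this type carry no link at all.
            verdict.reasons.append("verification-code message contains a link")
    for url in urls:
        for raw in query_params(url).get("i", []):
            decoded = b64_decode_lenient(raw)
            if decoded:
                hosts = [h.strip() for h in decoded.split(",") if h.strip()]
                verdict.decoded_hosts.extend(hosts)
                verdict.reasons.append("Base64 'i' parameter decodes to a host list")
    return verdict


def decode_and_analyse(outer_b64: str) -> SmsVerdict:
    """Decode the outer Base64 wrapper found in the binary, then analyse the plaintext SMS."""
    text = b64_decode_lenient(outer_b64)
    if text is None:
        raise ValueError("input is not Base64 text")
    return analyse_sms(text)


if __name__ == "__main__":
    v = decode_and_analyse(SAMPLE_OBFUSCATED)
    print("suspicious:", v.suspicious)
    for reason in v.reasons:
        print(" -", reason)
    print("embedded hosts:", v.decoded_hosts)
```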

This section explains how we first identified what appeared to be a mobile attack infrastructure while tracking Stealth Falcon.  We then outline some basic observations about the infrastructure, including themes in the domain names used by the attackers.  We link the infrastructure we found to NSO Group in Section 6.

5.1. Stealth Falcon Leads Us to a Mobile Attack Infrastructure

A year or so before Ahmed Mansoor received his suspicious SMS messages, we were tracking Stealth Falcon, a threat actor targeting individuals critical of the UAE government at home and abroad, several of whom were later arrested. For full details on Stealth Falcon, read our May 2016 report.

In the course of our investigation, we traced Stealth Falcon’s spyware to dozens of different command and control (C2) domains. One server that matched our C2 fingerprint for Stealth Falcon’s custom spyware, <a href="" rel="nofollow"></a>, was connected to the email address <a href=""></a>, according to data in its DNS SOA record.  The same email address appeared in WHOIS records for the following three domains:

<a href="" rel="nofollow"></a>
<a href="" rel="nofollow"></a>

These domains did not match our Stealth Falcon fingerprint. As we examined the domains, however, we found that the index page on these domains contained an iframe pointing to the website <a href="" rel="nofollow"></a> (Asrar Arabiya, or “Arabian Secrets” in English), which appears to be a benign website that takes a critical view of the Arab World’s “dictatorships.”  The index page also contained a nearly invisible iframe pointing to an odd looking site, <a href="" rel="nofollow"></a>.

<iframe src="" width="1" height="1" border="0"></iframe>
<iframe src="" style="width:100%; height:1200px; position:absolute; top:-5px; left:-5px;" border="0"></iframe>

Figure 10: HTML content of the index page on the three fake “Asrar Arabiya” domains.

We suspect that the three domains we identified were attempting to mislead users into believing they were visiting the legitimate <a href="" rel="nofollow"></a> website.  Since we had linked the operation to Stealth Falcon, we suspected that the additional domain, <a href="" rel="nofollow"></a>, might be an attack domain.  We visited the URL in the iframe, <a href="" rel="nofollow"></a>, and were redirected to <a href="" rel="nofollow"></a>.

<html><head><meta http-equiv='refresh' content='0;url=' /><meta http-equiv='refresh' content='1;url=' /><title></title></head><body></body></html>

Figure 11: HTML content of <a href="" rel="nofollow"></a>.  The page tells the web browser to redirect the visitor to Google.
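As an added illustration (not code from the report), this Python parses pages with the structure shown in Figures 10 and 11 and flags the patterns the authors describe: a 1x1 iframe, an absolutely positioned overlay pushed off-screen by negative offsets, and an immediate meta-refresh redirect to a different host. The HTML and every URL in it are constructed placeholders, since the report elides the real addresses.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples (NOT the report's pages): structure follows Figures 10 and 11,
# with placeholder URLs where the report elides or does not name the real ones.
DECOY_INDEX_HTML = (
    '<iframe src="https://hidden-loader.example/" width="1" height="1" border="0"></iframe>\n'
    '<iframe src="https://real-looking-site.example/" '
    'style="width:100%; height:1200px; position:absolute; top:-5px; left:-5px;" border="0"></iframe>'
)
REDIRECT_HTML = (
    "<html><head>"
    "<meta http-equiv='refresh' content='0;url=https://landing-page.example/' />"
    "<meta http-equiv='refresh' content='1;url=https://landing-page.example/' />"
    "<title></title></head><body></body></html>"
)

NEGATIVE_OFFSET_RE = re.compile(r"\b(top|left)\s*:\s*-\d+px", re.IGNORECASE)
REFRESH_RE = re.compile(r"^\s*(\d+)\s*;\s*url\s*=\s*(\S*)", re.IGNORECASE)


class TagCollector(HTMLParser):
    """Collect <iframe> attributes and <meta http-equiv=refresh> content values."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append(a)
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.refreshes.append(a.get("content", ""))


def _dimension(value):
    """'1' -> 1, '100%' -> 100, missing -> None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def iframe_findings(attrs):
    """Reasons an iframe looks hidden or like a full-page overlay; empty if unremarkable."""
    reasons = []
    w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    if w is not None and h is not None and w <= 1 and h <= 1:
        reasons.append("1x1 pixel iframe")  # invisible loader frame
    style = attrs.get("style", "")
    if NEGATIVE_OFFSET_RE.search(style):
        reasons.append("negative offset hides the frame edge")
    compact = style.replace(" ", "").lower()
    if "position:absolute" in compact and "width:100%" in compact:
        reasons.append("absolutely positioned full-width overlay")  # decoy content covering the page
    return reasons


def parse_refresh(content, page_host):
    """Return (delay_seconds, url, is_external) for one meta refresh, or None if unparsable."""
    m = REFRESH_RE.match(content)
    if not m:
        return None
    delay, url = int(m.group(1)), m.group(2).strip("'\"")
    host = urlparse(url).netloc.lower()
    return delay, url, bool(host) and host != page_host.lower()


def analyse_page(html, page_host):
    """Return human-readable findings for one fetched page."""
    collector = TagCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        for reason in iframe_findings(attrs):
            findings.append(f"iframe {attrs.get('src', '')}: {reason}")
    for content in collector.refreshes:
        parsed = parse_refresh(content, page_host)
        if parsed and parsed[2]:
            findings.append(f"meta refresh after {parsed[0]}s to external {parsed[1]}")
    return findings


if __name__ == "__main__":
    for host, html in (("lookalike.example", DECOY_INDEX_HTML),
                       ("redirector.example", REDIRECT_HTML)):
        print(host)
        for line in analyse_page(html, host):
            print("  -", line)
```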

We devised a number of fingerprints for various behaviors of <a href="" rel="nofollow"></a>, checked Shodan and Censys, and conducted our own scanning with zmap to identify related servers.  We found 237 live IP addresses, and extracted their domain names from the SSL certificates returned by each server.  The SSL certificates we found included *, <a href="" rel="nofollow"></a>, and, the three domains in the spyware attack sent to Mansoor.

We linked these IPs and domain names to what appears to be NSO Group exploit infrastructure.

5.2. Coding the Domain Names

We coded the domain names we found, and identified several common themes, perhaps indicating the type of bait content that targets would receive.  Interestingly, the most common theme among the domains we identified was “News Media,” perhaps indicating the use of fake news articles to trick targets into clicking on spyware links.  An example of one such attack in action is the targeting of Mexican journalist Rafael Cabrera (Section 7.1).

We also noted the prevalence of themes we had seen in other spearphishing attacks, e.g., online accounts, document sharing, shipment tracking, corporate account portals. Another common theme was ISPs, perhaps because a target may trust an SMS appearing to come from an ISP or Telco they subscribe to.

Figure 12: Most commonly recurring domain name themes.

Alarmingly, some of the names suggested a willingness on the part of the operators to impersonate governments and international organizations. For example, we found two domain names that appear intended to masquerade as an official site of the International Committee of the Red Cross (ICRC):  <a href="" rel="nofollow"></a> and <a href="" rel="nofollow"></a>.

We also identified the domain <a href="" rel="nofollow"></a> which may be a lookalike for, a website belonging to Teleperformance, a company that has managed UK visa application processing in many countries.

Figure 13: Screenshot from an article published by the UK Government on how to apply for a visa.

Visa applicants are required to visit the legitimate website as part of the online visa application process. We found similar evidence of government-themed sites hinting at Mexico and Kenya.

The following table provides further examples of themes found in the domain names.

Type | Example | Impersonating
News Media | <a href="" rel="nofollow"></a>, <a href="" rel="nofollow"></a> | Las Ultimas Noticias
Shipment Tracking | <a href="" rel="nofollow"></a> | FedEx
ISP / Telco | <a href="" rel="nofollow"></a> | Vodacom (Mozambique), Iusacell (Mexico), Sabafon (Yemen)
Popular Online Platforms | <a href="" rel="nofollow"></a>, <a href="" rel="nofollow"></a>, <a href="" rel="nofollow"></a> |
Account Info. (Generic) | <a href="" rel="nofollow"></a> |
Government Portals | <a href="" rel="nofollow"></a>, <a href="" rel="nofollow"></a> | The Emirates Foundation; Teleperformance Visa Application Processing Portal for the UK (
Humanitarian organizations | <a href="" rel="nofollow"></a>, <a href="" rel="nofollow"></a> | International Committee of the Red Cross
Airlines | <a href="" rel="nofollow"></a> | Generic, Turkish Airlines
Pokemon | <a href="" rel="nofollow"></a>, <a href="" rel="nofollow"></a> | The Pokemon Company

Figure 14: Examples of domain names and themes

We also examined the domain names for evidence of links to any specific country and found a range of countries.  Our criterion was whether the domain name contained the name of a telecom provider, ISP, local website, government service, geographic location, a country’s TLD, or the name of a country.

The UAE and Mexico dominate this list, although other countries are also worth noting, including: Turkey, Israel, Thailand, Qatar, Kenya, Uzbekistan, Mozambique, Morocco, Yemen, Hungary, Saudi Arabia, Nigeria, and Bahrain.

Figure 15: Country theme based on domain name.

Citizen Lab is refraining from publishing a full list of domain names at this time given the possibility that some domains may have been used in legitimate law enforcement operations.

In this section, we explain why we believe the attack on Ahmed Mansoor incorporated the use of NSO Group’s Pegasus product. We explain how we connected the domain name in the link that Ahmed Mansoor received, to a network of domain names that we had mapped out while working on the May 2016 Stealth Falcon report (Section 5). We also highlight links to the UAE.

6.1. Spyware Points to NSO Group’s Pegasus Solution

The final payload that we identified, test111.tar, contained several files, including libaudio.dylib, which appeared to be the base library for call recording, libimo.dylib, which appeared to be the library for recording chat messages from apps, and two libraries for WhatsApp and Viber call recording: libvbcalls.dylib, and libwacalls.dylib.  In each file, we found several hundred strings containing the text “_kPegasusProtocol,” the name of NSO Group’s solution.


Figure 16: “Pegasus” strings in the payload.

6.2. Historical Scanning Data Connects Mansoor Attack to NSO Group-linked Infrastructure

The links sent to Mansoor used the domain. The network of 237 live IP addresses we mapped (Section 5) included, to which resolves, and which returns an SSL certificate for * The 237 IPs also included ( and (<a href="" rel="nofollow"></a>), which were the two C2 servers in the spyware used in targeting Mansoor.

However, the 237 IPs and related domain names that we mapped did not provide insight into the identity of the threat actor. The IP addresses all appeared to be associated with cloud VPS providers, which gave no clue as to the identities of the operators, and the WHOIS information was mostly private. We did note that several domain names had WHOIS registrants based in Israel (e.g.,, <a href="" rel="nofollow"></a>).

We examined historical scanning data to see whether we could attribute the 237 IPs to a threat actor.  We noted that at least 19 of these IPs had previously returned a different distinctive Google redirect in response to a “GET /”.

\xef\xbb\xbf<HTML><HEAD><META HTTP-EQUIV="refresh" CONTENT="0;URL=">\r\n<TITLE></TITLE></HEAD><BODY>\r\n</BODY></HTML>

Figure 17: Response to an HTTP GET exhibited by 19 IPs in historical scanning data (note that the first three bytes, \xef\xbb\xbf, are the UTF-8 encoding of the Unicode byte order mark, BOM).

These 19 IPs included an IP address that (later) resolved to <a href="" rel="nofollow"></a>, one of the C2 servers for the spyware sent to Mansoor.

We then searched the same historical data for other IP addresses that matched this same fingerprint.  Overall, between October 2013 and September 2014, we identified 83 IPs that matched the fingerprint.  We found several IPs of particular interest.  The IP address matched our fingerprint from October 2013 until April 2014.

HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Tue, 04 Jun 2013 15:28:04 GMT
Accept-Ranges: bytes
ETag: "09a91b3861ce1:0"
Server: Microsoft-IIS/7.5
Date: Mon, 28 Oct 2013 21:23:12 GMT
Connection: close
Content-Length: 127
\xef\xbb\xbf<HTML><HEAD><META HTTP-EQUIV="refresh" CONTENT="0;URL=">
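As an added example (not code from the Citizen Lab report), the following Python matcher encodes the redirect fingerprint described above and runs it over constructed sample responses; the redirect target and the sample bytes are assumed placeholders, since the page does not reproduce the real URL.

```python
import re

# UTF-8 byte order mark that opens the body of the distinctive response.
BOM = b"\xef\xbb\xbf"

# Body layout from Figure 17: BOM, META refresh to a redirect target, empty
# TITLE, CRLF, empty BODY.  The target is captured rather than hard-coded
# because the report does not reproduce it.
BODY_RE = re.compile(
    rb'^\xef\xbb\xbf<HTML><HEAD><META HTTP-EQUIV="refresh" '
    rb'CONTENT="0;URL=(?P<url>[^"]*)">\r\n<TITLE></TITLE></HEAD>'
    rb'<BODY>\r\n</BODY></HTML>$'
)

# Body bytes that are not the URL (105).  With the Content-Length of 127 in
# the response shown above, 22 bytes remain for the redirect target.
FIXED_BODY_LEN = len(BOM + b'<HTML><HEAD><META HTTP-EQUIV="refresh" CONTENT="0;URL=">'
                     b'\r\n<TITLE></TITLE></HEAD><BODY>\r\n</BODY></HTML>')


def split_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None, {}, b""
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def matches_redirect_fingerprint(raw: bytes):
    """Return the redirect target if `raw` matches the fingerprint, else None."""
    status, headers, body = split_response(raw)
    if status is None or not status.startswith(b"HTTP/1."):
        return None
    if status.split(b" ")[1:2] != [b"200"]:
        return None
    declared = headers.get(b"content-length")
    if declared is not None and declared.isdigit() and int(declared) != len(body):
        return None  # truncated or padded body: not a clean match
    m = BODY_RE.match(body)
    return m.group("url").decode("ascii", "replace") if m else None


def url_length_from_content_length(content_length: int) -> int:
    """How many bytes of a matching body belong to the redirect URL itself."""
    return content_length - FIXED_BODY_LEN


def build_sample(url: bytes, status: bytes = b"200 OK", bom: bool = True) -> bytes:
    """Constructed sample response in the layout of Figure 17 (placeholder data)."""
    body = ((BOM if bom else b"") + b'<HTML><HEAD><META HTTP-EQUIV="refresh" CONTENT="0;URL='
            + url + b'">\r\n<TITLE></TITLE></HEAD><BODY>\r\n</BODY></HTML>')
    head = (b"HTTP/1.1 " + status + b"\r\nContent-Type: text/html\r\n"
            b"Server: Microsoft-IIS/7.5\r\nContent-Length: " + str(len(body)).encode()
            + b"\r\nConnection: close\r\n\r\n")
    return head + body


def scan(responses):
    """Map index -> redirect URL for every response matching the fingerprint."""
    hits = {}
    for i, raw in enumerate(responses):
        url = matches_redirect_fingerprint(raw)
        if url is not None:
            hits[i] = url
    return hits
```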

The domain name <a href="" rel="nofollow"></a> pointed to this IP address at the same time (from April 2013 to April 2016), according to DomainTools.  The registrant information for this domain is:

Registrant Street:         Medinat Hayehudim 85
Registrant City:           hertzliya
Registrant State/Province: central
Registrant Postal Code:    46766
Registrant Country:        IL
Registrant Phone:          972542228649
Registrant Email: <a href="mailto:"></a>

We also found two other IP addresses of interest that matched the fingerprint: and matched the fingerprint in March 2014.  The former was pointed to by <a href="" rel="nofollow"></a> from 2014-09-24 to 2015-05-06 (PassiveTotal), the latter was pointed to by <a href="" rel="nofollow"></a> from 2015-09-01 until present (DomainTools).  Both domains are registered to NSO Group.

Given these findings, we strongly suspected the network of domain names we uncovered was part of an exploit infrastructure for NSO Group’s mobile spyware.

6.3. Additional UAE Infrastructure

Recall that our first window into this infrastructure came from our Stealth Falcon research, when we identified the <a href="" rel="nofollow"></a> domain, fingerprinted it, and traced it to 237 live IP addresses that shared the same characteristics (Section 5.1).

Using PassiveTotal, we were able to further trace <a href="" rel="nofollow"></a> to seven other domains, indicating Stealth Falcon targeting that appeared to use NSO Group’s Pegasus solution in Qatar (<a href="" rel="nofollow"></a>), UAE (<a href="" rel="nofollow"></a>, which may be a fake mobile phone company based in the Emirate of Ajman), and Bahrain (  Based on our previously published research, we believe there is strong circumstantial evidence to support the conclusion that the operator of Stealth Falcon is connected to an entity within the UAE Government.

We also identified five .ae TLDs that all shared the same registrant name (“Gerald Binord”), which may have been used to target people in the UAE.  We further identified another group of domains including (“Daman Health” is a UAE-based health insurer) and, which also included a domain <a href="" rel="nofollow"></a>, suggesting an operator that is targeting both UAE and Turkey targets.

In two cases, Mexico and Kenya, we found evidence of other targets who may have been targeted with NSO Group’s Pegasus, based on messages they sent or received containing links that involve domain names we traced to what appears to be a mobile attack infrastructure associated with NSO Group’s Pegasus (see Section 5: Tracking a Mobile Attack Infrastructure).

7.1. Mexico: Politically Motivated Targeting?

In the case of Mexico, one target appears to be the journalist Rafael Cabrera, who recently reported on the Casa Blanca controversy, a reported conflict of interest involving the President and First Lady of Mexico.  On August 30, 2015 the journalist Cabrera tweeted that he had received suspicious messages purporting to come from Mexican television station UNO TV.  His tweet included screencaptures of the messages, which said that Mexico’s Presidency was considering defamation claims and imprisonment of reporters related to the Casa Blanca report that Cabrera had worked on.

Figure 18: Messages purporting to come from UNO TV suggesting that a story Cabrera was linked to might result in defamation charges or incarceration. Image via Mexican journalist Rafael Cabrera’s tweet.

The English translations of the messages are as follows:



The links in the screenshots expand to <a href="" rel="nofollow"></a> and <a href="" rel="nofollow"></a>.  These match two domain names we linked to the apparent NSO Group infrastructure.  A director at UNO TV responded to Cabrera’s Tweet, saying that these were “…not our messages 100%.”

Figure 19:  A director from UNO TV states that the suspicious SMS messages sent to Cabrera were not from his company. Image via Twitter.

We were unable to achieve a successful infection from either link sent to Cabrera, presumably because the links were several months old when we found them, and had been clicked on either by Cabrera himself, or by other interested parties who saw Cabrera’s tweet.

Continuing our investigation, we made contact with Cabrera and learned that he had been recently targeted with an additional series of messages containing suspicious links.

Figure 20: Additional SMS messages sent to Rafael Cabrera containing links to the exploit infrastructure. Screenshots courtesy of Rafael Cabrera.

The English translations of the messages are as follows (clockwise from top-left):

Facebook reports efforts to access the account of: Rafael Cabrara. Avoid account blockage, Verify at: [MALICIOUS LINK]



[CL Note: this message contains highly profane sexual taunts, followed by a malicious link]

The fourth message is most noteworthy, as it contained profane and personal sexual taunts, unlike the other messages.  Each of these messages contained a link that would have led, we believe, to the infection of his iPhone with NSO Group’s Pegasus spyware via the Trident exploit.

Similar SMS messages have also been reported in other online posts from Mexico.

7.2. Kenya: A Tweet Discussing the Opposition

In the case of Kenya, we found a past tweet containing a link to the NSO Group exploit infrastructure from June 3, 2015.  The tweet, sent by a “Senior Research Officer” in the Office of the Senate Minority Leader, references Moses Wetangula, who is the current Minority Leader of Kenya’s Senate.

Figure 21: A Kenya-related link to apparent NSO Group infrastructure.

In this section, we provide an overview of previous attacks we have documented against Ahmed Mansoor, and other UAE dissidents.  The technical sophistication of previous attacks we observed pales in comparison to the present attack.

Ahmed Mansoor has been a frequent target of past electronic attacks.  In March 2011, he was targeted with FinFisher spyware disguised as a PDF of a pro-democracy petition he had previously signed.  The spyware arrived in the form of an executable file inside a .rar file attached to an email.  Mansoor noticed that the file was an EXE file rather than a PDF, and did not open it.  Mansoor and four other activists (the “UAE Five”) were imprisoned in April 2011, and charged with insulting the leaders of the UAE.  Mansoor and the others were pardoned in November of the same year.

In July of 2012, Ahmed Mansoor’s laptop was infected with Hacking Team spyware delivered via a booby-trapped Microsoft Word document exploiting an old Microsoft Office vulnerability, CVE-2010-3333.  The spyware sent information from his computer to a UAE intelligence agency, apparently operating under the auspices of the office of Sheikh Tahnoon bin Zayed al-Nahyan, a son of the founder of the UAE, and now the UAE Deputy National Security Advisor.  Attackers broke into Mansoor’s email account shortly after the infection.  We assisted Mansoor in recovering from the attack.  Another UAE-based human rights activist, and a UAE-based journalist were also targeted in the same operation.

In early 2013, Mansoor was sent a link to a website that attempted to install spyware on his computer by exploiting a public Java vulnerability for which no patch had yet been issued.  He realized the link was suspicious and did not click on it.  Throughout 2013 and 2014, Mansoor was unsuccessfully targeted several times with spyware, mostly XTremeRAT, SpyNet RAT, and njRAT delivered as executable files in attachments or through Google Drive links.  In 2014, Mansoor’s Twitter account was hacked.

In a campaign stretching from 2012 until 2016, UAE dissidents at home and abroad were targeted by Stealth Falcon, an attacker likely linked to a UAE government agency.  Stealth Falcon sent out links involving a fake URL shortener that employed JavaScript to profile targets’ computers, checked which antivirus programs they had installed, and attempted to deanonymize them if they were using Tor.  Stealth Falcon also sent out Microsoft Word documents containing custom spyware that was installed if a user enabled macros.  Targets included five dissidents who were later arrested or convicted in absentia, as well as Rori Donaghy, a UK-based journalist who had been publishing articles about leaked emails involving members of the UAE government.

In this report, we identify a highly technically sophisticated attack involving a zero-day iPhone remote jailbreak — Trident — which installs spyware on a phone whose user clicks just once on a malicious link.  We connected the attack to NSO Group’s Pegasus spyware suite, sold exclusively to government agencies by Israel-based NSO Group.  We made the connection based on our previous work tracing a group of servers that appeared to be part of an infrastructure for attacking mobile phones.  Long before Ahmed Mansoor had forwarded us any suspicious links he received, we had mapped out a set of 237 servers (Section 5), and linked this set to NSO Group (Section 6).  When Mansoor sent us screencaptures of the SMS messages containing the links, we immediately matched the links’ domain name to our list of suspected servers associated with NSO Group’s Pegasus.

We visited the links Mansoor sent us from a colleague’s factory-reset stock iPhone, and managed to capture the exploits and payload, as the phone was infected.  We shared these artifacts with Lookout to gain more insight into the technical capabilities of the exploits and spyware, and with Apple as part of a responsible disclosure process.  Apple has been highly responsive, and has worked very quickly to develop and issue a patch in the form of iOS 9.3.5, approximately 10 days after our initial report to them.  Once an iPhone is updated to this most recent version, it will be immediately protected against the Trident exploit chain used in this attack.  While we assume that NSO Group and others will continue to develop replacements for the Trident, we hope that our experience encourages other researchers to promptly and responsibly disclose such vulnerabilities to Apple and to other vendors.

What Can You Do?

All iPhone owners should update to the latest version of iOS (9.3.5) immediately. If you’re unsure what version you’re running, you can check it yourself by tapping Settings > General > About > Version.

Citizen Lab agrees with Apple that users should avoid opening or downloading items from messages and websites unless they are certain that they come from a legitimate, trusted source. If you are uncertain about the source, you should not click the link or open the file. If you believe you have been the victim of a targeted attack, you should consider sharing it with a trusted expert. If you suspect you have been the target of this attack, please contact the Citizen Lab at <a href=""></a>.

Zero-day exploits are expensive and rare, especially one-click remote jailbreak exploits for iPhones, like the Trident.  Such exploits can fetch hundreds of thousands or even a million dollars.  While Citizen Lab research has shown that many state-sponsored spyware campaigns against civil society groups and human rights defenders use “just enough” technical sophistication, coupled with carefully planned deception, the attack on Mansoor demonstrates that not all threats follow this pattern.

This is the third time Mansoor has been targeted with “lawful intercept” spyware; Mansoor was targeted in 2011 with spyware from FinFisher (based in Germany and the UK), in 2012 with spyware from Hacking Team (based in Italy), and now in 2016 with what appears to be spyware from NSO Group (based in Israel and reportedly owned by a US firm).  That the companies whose spyware was used to target Mansoor are all owned and operated from democracies speaks volumes about the lack of accountability and effective regulation in the cross-border commercial spyware trade.

While these spyware tools are developed in democracies, they continue to be sold to countries with notorious records of abusive targeting of human rights defenders. Such sales occur despite the existence of applicable export controls.  For example, Israel’s export regime incorporates the dual-use technology controls of the Wassenaar Arrangement, including those related to “intrusion software.” As such, NSO Group would presumably be required to obtain a license to export its products to the UAE.  If NSO Group did submit a license application, the human rights abuses perpetrated by the UAE, including the misuse of “lawful intercept” capabilities, must not have outweighed authorities’ other motivations to approve the export.

Clearly, additional legal and regulatory scrutiny of the “lawful intercept” market, and of NSO Group’s activities in relation to the attacks we have described, is essential.  Citizen Lab and others have repeatedly demonstrated that advanced “lawful intercept” spyware enables some governments and agencies, especially those operating without strong oversight, to target and harass journalists, activists and human rights workers. If spyware companies are unwilling to recognize the role that their products play in undermining human rights, or to address these urgent concerns, they will continue to strengthen the case for further intervention by governments and other stakeholders.

Special thanks to the team at Lookout that we collaborated with in our investigation, especially: Max Bazaliy, Andrew Blaich, Kristy Edwards, Michael Flossman, Seth Hardy, and Mike Murray.

Very special thanks to our talented Citizen Lab colleagues, especially: Ron Deibert, Sarah McKune, Claudio Guarnieri, Adam Senft, Irene Poetranto, and Masashi Nishihata.

Special thanks to the teams at Apple Inc. with whom we have been in contact for their prompt and forthright engagement during the disclosure and patching process.

Special thanks to Nicholas Weaver for supplying the iPhone that we infected in Section 4.  Special thanks to Zakir Durumeric.

Special thanks to TNG and others who provided invaluable assistance, including with translation, but requested to remain anonymous.

Thanks to PassiveTotal.

Citizen Lab’s research into targeted threats against civil society is supported by the John D and Catherine T MacArthur Foundation.  This material is also based upon work supported by the Center for Long Term Cybersecurity (CLTC) at UC Berkeley.

Citizen Lab researchers received the initial suspicious link on August 10th 2016, and, shortly thereafter, contacted Lookout Security.  After both teams confirmed the presence of a remote jailbreak we initiated a responsible disclosure process and contacted Apple on August 15th.

Teams from Citizen Lab and Lookout continued our analysis until the public release of iOS 9.3.5 by Apple, which closes the vulnerabilities that we disclosed.
