Hacker News | ishi's comments

It isn't a "telemetry-/ad- surveillance dragnet". Kitenet's product is a "Private Data Network (PDN) to control, monitor, and secure data exchanged between people, machines, and systems across user collaboration, automated workflows, and enterprise AI".

It stands to reason that ex-cryptographers from Unit 8200 would use the expertise they gained to launch legitimate companies that provide cybersecurity solutions.


It's not inevitable. It's up to us in a shared world to decide how to govern ourselves and live our lives. Not to be at the whims of a small group of powerful strangers.

I think it’s much more likely they’re creating honeypots as contractors. There is a lot more money in surveillance than privacy

Is there any factual basis to this claim, or just your personal opinion? It's like claiming Oracle's real business isn't a database, but rather stealing customers' data which was stored in Oracle's databases. Or practically any other company that has access to customers' data.

> Is there any factual basis to this claim

Please feel free to translate and read the Dutch version of this article. On the bottom, several security researchers found vulnerabilities in Zivver [1]

[1] https://www.ftm.nl/artikelen/vertrouwelijke-zaken-te-grabbel...


So Zivver created a product with security vulnerabilities, Kitenet bought Zivver (probably for their customer base), and it's all some sort of conspiracy to steal personal data?

We merely bought the honeypot, Your Honor! We didn't know what we were buying!

Perfect cover story /slowclap

Secret services use companies as cover all the time. Nothing new there.

The conspiracy is that it is a dragnet for the data, and given the data is first sent plaintext to Zivver (see the Dutch FTM article I already linked), it isn't far-fetched.

Looking at the current geopolitical situation, it also isn't far-fetched. It even fits in the Israeli secret services' M.O.

Actually, anyone who uses Zivver can find these vulnerabilities. I was worried about this, and reported it to my former employer (while still employed), but alas I did not have a PoC and they had a lot of other security related incidents so this was low priority. Also, this was at a time when the company was still privately owned by the Dutch founders. My hypothesis is that someone working for such an organization passed it to the Israeli secret service, who then got motivated to buy this honeypot.

Chinese do something similar: release some piece of technology, never provide any meaningful updates to the product, and voila it is insecure as hell (yet 'we didn't know' provides plausible deniability). I saw this first-hand with KRACK vulnerability.

Also... Kiteworks [1] is the name of the company. Not sure why you keep calling it Kitenet.

[1] https://en.wikipedia.org/wiki/Kiteworks


To be fair, it’s not a conspiracy if it actually happens. It’s surprising how often this type of reasoning is still so common.

What are you saying actually happened? It sounds like the concern is that in a certain context, messages are cloud hosted instead of client-side e2e encrypted? Did anyone even claim otherwise?

How is this different from suggesting Netflix was all a secret plot by Stanford to spy on Europeans' TV binging?


Two anonymous security researchers working at Dutch government found the data is sent plaintext [1]. One independent security researcher was able to verify their claim.

This should be a concern if the company is owned by Dutch people, but more so if it is owned by a company with questionable jurisdiction. Which unfortunately the USA and Israel are these days.

[1] https://www.ftm.nl/artikelen/vertrouwelijke-zaken-te-grabbel...


Did they ever claim otherwise? They say "Zivver scans the content of every email" prominently on the front page. The flow seems to be TLS to Zivver first, scanning, then encryption.

If all it takes to convince us that a communication product was created as a front for spying operations is not having a strict e2e design like Signal's, then do you think virtually all of them are fronts for spying operations?


Listen, I am Dutch. I am loyal to the Dutch government, Dutch society, and therein lie my interests. This is also my potential bias.

> Did they ever claim otherwise? They say "Zivver scans the content of every email" prominently on the front page. The flow seems to be TLS to Zivver first, scanning, then encryption.

I worked at a government organization which used Zivver. This was around 2018. It was assumed to be E2E encrypted. I wrote about the issue in my security audit, but it had low priority for a myriad of reasons (they had worse issues at the time). Zivver is more akin to the Lavabit situation.

Proton's OpenPGP.js is slightly more secure than this implementation (it encrypts client-side), but because Proton can decide (and be forced) to serve a different OpenPGP.js, it suffers from a similar issue.

> If all it takes to convince us that a communication product was created as a front for spying operations is not having a strict e2e design like Signal's, then do you think virtually all of them are fronts for spying operations?

I never wrote it was created as a front. I don't believe anyone asserted that. The company was founded by a couple of Dutch people in 2015, it was a Dutch company. So they fell under Dutch jurisdiction. I honestly haven't looked them up.

Fast forward to June 2025 and this company got acquired by an American company where the higher echelons are ex-Israeli spies. This could be a front, I don't know. I very much question this sale should've been ACK'ed by the Dutch government. Because due to the CLOUD act, the data now falls under American jurisdiction. Around the time of the acquisition though, the Dutch government fell. Responsible up to then was Dirk Beljaarts. Around that time (June 2025), Vincent Karremans took his place. Fast forward a couple of months later, we had the Nexperia crisis, where Karremans intervened. A fallout from a stopped acquisition due to national security is lower than Nexperia fallout though.

I copied the title of the article verbatim. The Dutch article has a different title, and is IMO of better quality. The title of that article calls it a strategic blunder. I very much agree with that, but not because the top of Kiteworks is Israeli and ex-Unit 8200. That is just a cherry on top, worst-case scenario a red herring. No, because of the current geopolitical situation with regards to Trump and the CLOUD act. Can you blame them for trying, given the situation and stakes? The acquisition occurred at a perfect timing.

The TL;DR is not that an American or Israeli entity supposedly succeeded. It is that the Dutch government failed. And while Zivver is heavily in use in The Netherlands, it also is within EU. So we failed to serve the best interests of EU here as well.


Thanks for the added context, that sounds reasonable to have wanted the product to continue under Dutch ownership.

> I never wrote it was created as a front. I don't believe anyone asserted that.

There seem to be vague insinuations of a conspiracy floating around, rather than an explicit conspiracy theory, so I may have mischaracterized it. But for example, you mentioned elsewhere that "Mossad's way of operating is aggressive". Could you clarify what you're insinuating, if anything?


Hmm, from EU PoV, given many other EU countries rely on it, I believe NL is a reasonable host, but other EU countries could be as well.

I'm no expert on that subject, just following Hubert's assessment that it falls in their M.O. (already linked), following Modderkolk's recent assessment on how Mossad operates [1]. Look at all the flak I get in this thread while I just went with HN rule of 1:1 using title. Problem is all these sources are in my native language. And finally, yes my suspicion is on high alert ever since the Maccabi riots in Amsterdam [2], to which Modderkolk also refers.

And yes, I am well aware every Israeli adult is ex-military [3]. If it were up to me, we'd restart this practice here in NL.

[1] https://podcasts.apple.com/nl/podcast/hoe-de-mossad-overal-t...

[2] https://en.wikipedia.org/wiki/November_2024_Amsterdam_riots

[3] https://news.ycombinator.com/item?id=46036671


There’s really nothing concrete in this “article”. It’s basically vague insinuations and conjecture and conspiracy theory, all in support of putting out content with something nefarious implied about all Israelis. In other words, it’s propaganda.

It is an obvious and recurring phenomenon to anyone minimally following cybersecurity topics. This isn't the first time, nor the second, nor the third, nor the last.

This is the same as claiming that water isn't wet until someone here on HN brings you 10 articles and news proving otherwise. This particular topic was never really denied, nor even by the authors themselves as you can read on the article.


Do you understand that Oracle has real features used daily by clients other than "securing" their communications?

Are you sure such claims about Oracle are completely unfounded?

This framing is a cheap rhetorical trick. Restated this leads to the statement “all companies by default are in the business of capturing customer data, all other claims about their product are smoke screens to hide that.”

Which is something you can believe but it falls into the extraordinary claims, extraordinary evidence category. But by claiming it about Oracle or Israeli cyber firms or whatever you swap the evidence burden to the person who has the not extraordinary claim, that most businesses are doing what it claims on the tin.


It's not just a rhetorical trick. Amazon collects most of their data in Virginia, right at the doorsteps of a well known "intelligence" org in the USA. These companies that handle data all around the world are authorized to exist for some reason...

Then the argument should be that. Not “hey commenter you must prove a never ending set of ‘now do Oracle’, ‘now do Amazon’”.

Say the words “I believe all companies exist as an extension of the US intelligence apparatus” and claim the burden for yourself.


That is a strawman argument.

Oracle gets its name from a codename of a 1977 project for the Central Intelligence Agency, Oracle's first customer.

In 2004, then-United States Attorney General John Ashcroft sued Oracle Corporation to prevent it from acquiring a multibillion-dollar intelligence contract. After Ashcroft's resignation from government, he founded a lobbying firm, The Ashcroft Group, which Oracle hired in 2005. With the group's help, Oracle went on to acquire the contract.

Following the beginning of the Gaza war in 2023, Oracle’s top executives, including Safra Catz and Larry Ellison, publicly aligned the company with Israel’s military operations. They issued statements of solidarity, paid double salaries to Israeli employees, and donated to organizations connected to Israel’s wartime response.


See. That's a good comment. “Your use of Oracle is a bad counterfactual because…”

Switching to that is commenting in good faith. It educates and argues the point and makes it clear that you aren’t in fact claiming that all companies are surveillance state apparatus. Note that other commenters ran with the “but they are actually” argument because the door was opened.


Books such as:

“The Age of Surveillance Capitalism”

and

“Stand Out of Our Light”

might not change your mind, but you’re likely to end up realizing customer data hoovering is more of a driver of modern business decisions than you realize. To say nothing of the assets such activities provide the intelligence communities.

This is happening. Please don’t dismiss it as conspiracy theory.


It's easy to make baseless accusations that are impossible to disprove, that's exactly my point.

Come on. The CIA was Oracle’s first customer.

This sounds exactly like Zope's DTML template language, from 25 years ago. https://zope.readthedocs.io/en/latest/zopebook/AppendixA.htm...


This is brilliant! Some of these combinations are very creative. Try shark + cheese or shark + clown...


Nothing beats crying + sunglasses

https://www.gstatic.com/android/keyboard/emojikitchen/202010...

For when you are sad, upset or otherwise in pain, but don’t want to admit it


Thanks, these are cool! I also like shark + hotdog, and even more shark + bee.


My favorite is Unamused Face + Face with Party Horn and Party Hat.


I like how you can put almost anything in a hole (U+1F573)


I like wooden log + <animal> ex bunny


We have this problem in Haifa, Israel too. The city borders on natural woodland, and the boars go into the neighborhoods looking for food in the trash.


Is it safe? Boars seem incredibly aggressive afaik.


Very nostalgic for someone who grew up with an Atari 800XL! Also shows how much creativity is possible even within severe constraints - there are many fonts there that have real "character" (pun intended).


Indeed - I'm still sad I sold my Atari - I even had the disk drive and official Atari cassette drive :/

My favorite trip down nostalgia font history was replacing my terminal font with a VT220 font. Creating a realistic font isn't as easy as one would assume: https://www.masswerk.at/nowgobang/2019/dec-crt-typography


You seem to come at this useful tool with a very negative mindset.

- The scanned documents are stored in the filesystem in PDF format, so you can certainly access them without going through the web application.

- OCR doesn't have to be perfect, because it's just being used to locate a specific document when you need it. So if you have 1788 documents and you want to find your apartment lease, you search for "lease" and there's a very good chance that word will be found in the correct document. That's the whole point - storing documents with a low amount of manual effort, in a way that makes it very easy to find them when you need them.


Yeah, that guy is being a tool. "WHY IS THIS THING I REFUSE TO SPEND EVEN A FEW MINUTES BOTHERING TO RESEARCH, SO BAD?!"


Building paper airplane models was a very popular hobby in Israel (and probably other countries) during the 1960's. Each issue of the Israeli Air Force Journal came with a model which you would painstakingly cut and glue. Here are some examples of what these models looked like: http://starry-side.com/wpe/wordpress/index.php/2019/08/08/ol... Of course, this guy is on a whole different level of detail and dedication (plus he designs everything himself). Amazing work.


I have PDFs of some of these Israeli model kits. If anyone is interested LMK and I'll post them somewhere.


I'm interested. LMK if you end up posting them. Thanks for sharing.


Here are the links for these files at archive.org. I have the actual files too in case any of these links have stopped working.

http://web.archive.org/web/20040607002835/http://www.iafe.ne...



The links work. Thank you!


Was also very popular in communist era Poland, including people extending the paper models to be capable of self-propelled taxiing and certain set of "moveable" features implemented as extras.


Same thing in Bulgaria. One good side of "communism" was free modeling clubs for kids like me, so we've got rocket modelling (made 2, even 3 phase rockets while 3rd-4th grade), plane modelling (balsa wood, rice paper, etc.) - all for free - you pay for neither materials, nor courses, later it was computers (that's how I got into them). Before that also slot cars racing, ship modelling, there was even knot-making club (our city is on the black sea, so makes sense - future sailors!)

I mean, even if communism is evil, there were some good things - way overpay, or pay anything for clubs that should've been free to begin with and get kids into them... It doesn't take much to support them compared to many other things...


Czech Republic, reporting in! I'm too young to remember much of communism but I remember the balsa and rice paper gliders I built with my grandpa very fondly. There's something so fantastic about the fragile beauty of those planes with their skeletons visible beneath that translucent skin.

There's a magazine in the Czech Rep. called ABC which always had plans for some sort of papercraft model in the back. I used to love them as a kid.

https://www.abicko.cz/kategorie/6333/navody-z-abc


Mały Modelarz, right?


Yes, exactly.

I also had a book about techniques to use when building planes from such cut outs, and it included a chapter on "extras" like putting lights, small electric engines, etc. into the plane which sometimes allowed enough power that they would taxi on the table :)


Is there any country that doesn't have a bad human rights track record? Sure, some are worse than others. But where do you draw the line, and how far back into history are you willing to look?


This is a decent source: https://www.cato.org/human-freedom-index-new There are 16 countries with personal freedom ranking above 9 (out of 10). US is ranked 26 with a score of 8.72, which intuitively makes sense. Morocco is 135th with a score of 5.68, which pretty obviously indicates that there is more than one thing wrong about offering hacking tools to the government.


I was recently offered a job by NSO, didn't take it due to their terrible reputation. I won't be surprised if some countries start denying entry to NSO employees. Even Facebook suspended accounts of NSO employees after NSO hacked Whatsapp - https://www.vice.com/en_us/article/7x5nnz/nso-employees-take... .

On the other hand, their product is just a tool which can be used for good (stopping terrorists) or evil (spying on human rights activists). Just like a kitchen knife can be used for good (cooking a meal) or evil (stabbing people). So I find it hard to find the moral justification for the actions you suggest. The problem is not the tool or the tool's manufacturer, it's how it gets used.


I’ll play the opposite side of this argument, for the sake of discussion. You point to knives having a good use: cooking. It’s by far the dominant use of knives, and no doubt it makes cooking substantially easier.

But hacking tools: to what extent are they actually being used for good? Stuxnet is the clearest example I know of these tools almost certainly decreasing a threat to US citizens (at least for the time before it was found out). But beyond that, there’s very little publicly accessible information demonstrating that these tools are actually effective at stopping or decreasing terrorism. Moreover, even if they turn out to be effective at that, their use in this manner comes with other questionable effects on law and personal rights. I don’t think the knife is a good analogy because while everyone agrees that a knife can be put to either good or bad effect, there’s not consensus on whether hacking tools can even be used for any good.


When I was in the Israeli army, I personally saw a phone being hacked, info being pulled and the info being used to stop a terrorist attack targeting civilians. I was not involved in the hack (I served in the navy).

In that particular case (but not the majority of cases) the target of the hack was an Israeli citizen who was practicing terrorism (against the Arab minority). After their info was intercepted they were arrested and the situation was de-escalated.

Tech like this saved lives that day. I don't think it justifies the freedom cost, but let's not forget real lives are saved by tools like Pegasus.


> Tech like this saved lives that day. I don't think it justifies the freedom cost, but let's not forget real lives are saved by tools like Pegasus.

Additionally, even if the tools are developed and used only by governments that are deemed democratic today (e.g. USA, Israel, Germany) and under strict independent and parliamentary oversight, who can guarantee that future governments of these countries will be democratic (obvious recent cases Brazil, Poland, Hungary, but one might also ask that question about the US)?


Real lives are destroyed by these tools too.

These are tools of the Regime, and some regimes will wield them against minorities (like Uyghurs in China), journalists (in Mexico and Jamal Khashoggi in Saudi Arabia) and protesters (in Belarus).


One good use case doesn't justify selling this tool to autocratic and totalitarian countries, or countries involved in systematic oppression of minorities.


One’s autocratic country is someone else’s ideal of social organization.

Should we stop selling steel to the US because it could be used to put migrant kids in cages, or weapons because it could be used to invade random countries? I’m not saying the answer is obvious, I’m saying the problem is complex and multifaceted.

Take Morocco: not the best government (somewhat theocratic, absolutist monarchy, big on unaccountable and torture-oriented secret police), but overall more peaceful and stable than its neighbors. Do “we” help continuing this state of thing, or do “we” let malcontent bubble up and risk turning it into a failed state and civil war? It’s shades of grey all around, sadly.


> good or bad

I think the question, although genuine, has a flaw, that is, reasoning in terms of "good or bad".

"Good or bad" for whom? Is something that is "not good" inherently "bad" and vice versa?

Is something "good" only because is "decreasing a threat to US citizens"? What about the consequences of "decreasing a threat"? Like Guantanamo Bay, Patriot Act, this poor guy (https://news.ycombinator.com/item?id=23625215), bombing a country thousands of miles away?

"Good or bad" is relative, just like right or wrong. It's difficult to correctly grasp a concept or conceal an idea by just defining it as "good or bad".


I agree with you, and believe it or not I did try to go out of my way to avoid calling stuxnet itself good or bad: I kept those words out of the sentence which mentions stuxnet

> Stuxnet is the clearest example I know of these tools almost certainly decreasing a threat to US citizens...

However, you still have to make value judgements at some point when organizing a society. It’s literally impossible to do so otherwise. Even if you make a conscious effort to not organize socially — I.e. to embrace anarchy — you’ve made at least an implicit value judgment that governance isn’t worth the limitations it requires of the people (I.e. limitation of individual freedom is “bad”).

“good” and “bad” are messy things to deal in, but they still have their place. Any answer to “should we allow NSO group to operate” has to make a value judgement at some point. I think it actually helps to make that explicit — for example my point should still stand in most other value systems precisely because it refers to “good” and “bad” — which vary across value systems — without prescribing what is good or bad.

I could have been more clear about separating an example (stuxnet — the thing which brings in a value system) out of the argument itself. But I couldn’t find a way to do it without sacrificing brevity or readability. Such are the limitations of communication, particularly written :|


> make value judgements

There is a whole branch of philosophy dedicated to that: it's called Ethics (https://en.wikipedia.org/wiki/Ethics).

When an entire branch of philosophy exists for that sole purpose, categorizing things into "bad" or "good", in whatever area, is oversimplifying.


"to what extent are they actually being used for good? Stuxnet is the clearest example I know of these tools almost certainly decreasing a threat to US citizens"

By this logic an equally good use would be to sabotage American military-industrial complex thus reducing threat to the citizens of many countries around the world.


> But beyond that, there’s very little publicly accessible information demonstrating that these tools are actually effective at stopping or decreasing terrorism.

Absence of evidence is not evidence of absence, particularly in this context where the actors involved are highly incentivized to keep success stories well-hidden and well-guarded.

You'll never know about all of the terrorist attacks that didn't happen.


Not to mention, when hacking tools are used for good, they are often used from the perspective of people wanting to do bad: penetration testing


> On the other hand, their product is just a tool which can be used for good (stopping terrorists) or evil (spying on human rights activists).

That applies to lots of technology things though. With the NSO group specifically though, wouldn't their tech have Sales people that need to actively court and sell it to potential customers?


> Just like a kitchen knife can be used for good (cooking a meal) or evil (stabbing people).

NSO knowingly sells tools to repressive regimes that use them to violate human rights. If you sell a knife to someone you know is going to use it for murder then you're culpable and your behavior is immoral.


The thing about NSO is, they screwed up by becoming famous. If you're NSO, you want nobody in the tech community to know you exist.

I'm sure there are dozens of companies like NSO that you just don't know about.


It's bad for rep, but it's also a great business card.


Is it bad for their reputation really? An oil company gets bad rep for the environment, a mill gets bad rep for deforestation. This doesn't matter the slightest to their customers, they "understand" what they're buying.


I think the knife metaphor here might be a bit understated.

It's more like a self guiding missile. It's meant to hurt, so that makes NSO pretty dodgy.


Create a need and fill it

