I admit, it’s surprising to hear offensive InfoSec folks talk about how they “accidentally” worked for or were in the process of being recruited by UAE intelligence.

I rejected ~$1mio worth of mobile exploitation training requests from the Middle East without a second thought.

None of the recently revealed practices of Middle Eastern intelligence is surprising. You don’t need to wait until a country is blacklisted before you consider not supplying them with offensive capabilities.

Do you really feel comfortable putting a price tag on your morals?

I even got requests from front companies that turned out to have connections to ME intelligence. At some point the effort of vetting these companies became to time consuming so I decided to use a whitelist approach for accepting requests and only work with established orgs.

I’m not saying there’s a universal rule for what’s morally wrong. You have to decide that for yourself. I know of folks who knowingly work with the UAE. That’s their choice.

But if you decide against entities that violate human-rights, don’t be naive and end up working for one.

“But I didn’t know that this Middle Eastern company founded by a prince would use offensive capabilities for practices I don’t support” — really?