Revelations from Wikileaks have far deeper implications than have been covered by the media as yet. The CIA has lost control of not only a trove of documents about the organization’s cyber warfare capabilities. It’s lost control of the weapons themselves.
WikiLeaks has dropped a bomb on the CIA
In digital warfare, there exists the concept of a zero-day exploit. In hacker/information security parlance, a zero-day is an undisclosed vulnerability in software that has been discovered. Ordinarily, watchdog groups and the organizations that produce software have procedures in place to discuss vulnerabilities and issue patches before releasing details of exploits to the general public. Only in the extreme circumstance of an organization deliberately ignoring reports by security researchers of exploitable weaknesses do ethical hackers resort to releasing details of the attack to the general public. The obvious ramification of knowledge being openly available before a patch is released is that anyone can use it prior to patching.
There is the obvious issue, raised by Wikileaks itself, that the CIA has duplicated the functions of the NSA, but very likely with even less oversight for the use of their arsenal. This is not only a waste of taxpayers’ money, but possibly a revelation that unconstitutional attacks on the privacy of American citizens may be taking place by more than one government agency. If that is the case, it is a clear violation of the CIA’s mission, as laid out by Congress.
The ultimate effect of losing this digital arsenal, which may now be in the hands of anyone, is that literally any digital evidence may be called into question. The scope of who may have access to it is completely unknown, and this genie cannot be put back into its bottle. The evidentiary value of criminal activity stored on computers could be disclaimed as planted evidence. This has wide-ranging implications not only for cases under consideration, but for future cases which may be brought.
The CIA now has an obligation to the American people to disclose all of the methods of its infiltration to software developers in advance of the coming storm. It must shatter the weapons it created and, if Congress deems it necessary, it may rebuild a new arsenal.
Furthermore, Congress must probe the agency deeply and potentially reform the country’s spying agencies completely. There is evidently far too much overlap for which the taxpayer is expected to foot the bill. It is also evident that there is too little civilian oversight and too much delegation of powers in the name of national security, a long-standing problem which has now become an emergency. Ethical considerations of spying on foreign powers aside, this lapse has made it clear that our own spying agencies are as much a danger to our own citizens as they are to the rest of the world.
Before someone feels the need to say it: of course this piece is hyperbolic. You didn’t think you could get away with blaming the CIA’s cyber warfare arsenal being in the wild for any digital evidence incriminating you, did you? No, that privilege will be reserved for the ruling elites. If you thought countries’ electorates couldn’t hold their leadership responsible for anything before, you haven’t seen anything yet. “Russia did it” isn’t just for attacking one’s political opponents anymore. Here’s hoping that WikiLeaks has all of the code and will be working responsibly with software vendors to get everything patched. Reports are already coming in from some vendors that the descriptions of the vulnerabilities contained within Vault 7 already released have enabled them to find and fix the flaws they’re exploiting.
The problem isn’t so much software, as application specific integrated circuits (ASICs) and device firmware. If someone builds an exploit that specifically targets a feature of a hardware device – say, an ethernet ASIC built and used by Foxconn, they can siphon data out at that point independent of how well patched your OS is. Indeed, as many of you might remember, there’s considerable concern that the chicoms have done this (although IIRC, it wasn’t Foxconn that was implicated).
Hence, the flaws may not be ‘fixable’ except by replacing (sometimes embedded) hardware, and given the ubiquity nowadays of some manufacturers’ components, (ethernet chips being a good example, but hard drive and USB driver chips are equally implicated), it may be impossible to turn a compromised system into a ‘probably clean’ system.
Those kinds of exploits are virtually impossible to prevent completely. Too many opaque binary blobs in that stuff to go through and not enough people skilled enough to do the work who aren’t already employed by the government.
However, the CIA didn’t invest a significant amount of money and time in developing this stuff without a reason. Low-hanging fruit exploits are much easier and cheaper to implement. They can be proliferated more easily and take less technical expertise to use. There are only so many experts one can employ doing the kind of work you mention and they have to be focused well. The market can’t create people with aptitude for the work from nothing, after all.
Maybe it’s time to go the FSO route and replace those high-tech doohickies with pens and typewriters.
Somewhat related: http://www.breitbart.com/tech/2017/03/08/cia-keeps-database-of-japanese-style-faces-emoticons-to-use-tn-online-forums/
So the CIA is infiltrating reddit?
According to Alexa, Reddit is ranked at the 7th most popular site in the US. No doubt it would be on their radar for intelligence ops.
Give a government virtually unlimited funding for “national security” and they’re likely to try a lot of crazy ideas as well as stupid ones too. To some degree it does make sense. A popular communication platform is going to draw those who would seek to radicalize suggestible people. There has been a lot of press about that, and it’s not terribly controversial to try to stop it. There is also the consideration of finding more people connected to terrorist networks by analyzing who they communicate with, who is issuing orders and who executes them, etc.
There may be significant overlap in the weeb/terrorist communities. We must be vigilant.
Maybe. But we can confirm the CIA has been infiltrated by WEEBS.
I’m trying to envision how someone would write that job listing. Anyone here good at translating goofy job requirements to HR speak?
“Expertise in the practical expressions of Japanese popular culture among the targetted demographics a must.”
“Familiarity with Japanese cultural and sub-cultural media, with a particular focus on animation, art and pornographic material. Fluency in Japanese is an asset.
Body pillow enthusiasts need not apply.”
She’s a loose end UnCivil, we can’t have our agents get too attached.
*Laser sight trails over to the center of body pillow anime girl’s forehead*
Filthy Otaku Scum
Degenerate gaijin breakfasts don’t get to have an opinion on grorious Nippon culture.
*double-tap to the back of Titor’s head*
Xenophile. I knew I smelled a mole.
Hilariously, the first place on the internet that I ever really spent any time was on theotaku.com. There was a chatroom where everyone talked about anime all the time–and it was glorious to young Riven who lived in a town of ~2000 people, none of whom besides her cousin had any interest in “them Japanese cartoons.”
What’s up, guys? I heard there are some kewl hacks around here. What are you lookin’ at? ¯\_(ツ)_/¯
¬_¬
lolwut.
Get off my LAN!
For the last time, you can’t use token ring here.
No puff puff pass allowed?
Breitbart keeps a resident anime expert on hand? Talk about having your bases covered.
I think that translates as “I went over to the guy in the office who watches this stuff and ran it past him”
:old man voice: I was the original conceptual artist for Evangelion and then became a hardcore right-winger!
Wasn’t that the show where the writer went “I don’t know how to end this – lets just go all trippy and let people read too much into it”?
Yeah but there were some movies afterward that showed what was happening “in the real world” during the final episodes. They’re aight.
They ran out of money really fast, and the writer was going through depression or something. It shows.
*opera applause*
I look forward to reading your article in The Guardian.
This a pretty intelligent and evolved primate.
Yeah, but it kind of has multiple personalities.
DICKS OUT FOR
HARAMBEGUEST AUTHOR!Uh, no.
The absolute worst takes on this I’ve read, and they’re depressingly common, is, “Pull your head out of your ass and quit being naive – of course the CIA spies on you through your electronics. Privacy in the digital age is a stupid antiquated concept and you need to get over it. The real problem here is that now THE TERRORISTS!!! (or sometimes THE RUSSIANS!!!) now know how we do this.”
One guy here thought this heralded an increase in the number of hack attacks.
I told him I found it unlikely that it would cause people who had not previously been doing so to start. The question was whether it provided any capacity that the hackers in the wild did not already have. I personally doubt it.
There’s the difference between hackers and script kiddies. Hackers will find other methods of attack, but giving them a plethora of zero-days to fall back on any time something gets fixed is obviously a threat. Professional work will also educate and inform others, leading to greater competency at finding and exploiting vulnerabilities.
Script kiddies require a toolkit, they simply can’t operate without them. It probably won’t make their numbers proliferate, but gaining access to proven methods will improve their success at it. It takes a long time to roll out security fixes in large organizations because they have to be thoroughly tested to ensure that they don’t unduly affect operations. That is what makes zero-days so dangerous. If you’re thinking of it from a home computer who can always run the latest updated software because you’re savvy, you might neglect that grandma never updates anything until you come to visit, universities or corporations may only do so every three months, and lots of government offices apply them just about as often as grandma does.
Back when I was first developing online criminal justice clearinghouses for state governments (among the first of their kind), I learned all kinds of things I found rather distasteful about government operations. One thing that still stands out to me: the BOLO (be on the lookout) systems were still running on fucking teletype machines.
I’m amazed that they’re that up-to-date.
/State IT Professional
You forgot “and anyway, if you’re not doing anything wrong, what have you got to hide?”
Do you think they saw me jerking it just now?
Nobody watches your cam show, Playa.
Wikileaks is offering tech firms CIA files first
Well, how about that? WikiLeaks is being responsible in the wake of Vault 7 where our own government is not.
Yeah, as opposed to you guys. Christ, what an asshole.
“Thank you Ms. Horniak, can you please tell us how the CIA maintained its integrity and truthful nature when it financed itself with the drug trade during the War on Drugs? The Bay of Pigs invasion? How about during the Iraqi WMD analysis or went it armed and trained Syrian jihadists?”
That there is what we call a non-denial denial. I don’t see anything that says “the leaked documents are fake.”
He made up bazillion pages of documents and code just for the lulz I guess?
wow, sometimes I wish I were a real journalist so I could slam some of these people.
But instead we have the dead tree NYT headline I saw yesterday which was something like “Some say Wikileaks info alleges CIA spying”. The main thing I took from it was being furious that they were repeating what “others say” instead of, you know, doing journalism and looking at the information themselves and reporting on it. No, newspaper, you’re not supposed to report what other people claim the contents are, you are supposed to LOOK AT THE CONTENTS.
jfc, these people live in this fantasy world that they’re the Watergate reporters, but then they just sit on their ass. it’s disgusting.
So much this.
The tech firms that “fix” this are probably the same ones that colluded with the CIA in the first place. Privacy is no more. *one hand typing is a gift*
I’m vague on the rules about off-topic posts, but here we go:
Trump isn’t Hitler but…we’re still going to allude to Hitler and the nazis a lot.
“When the phone started ringing, at about ten thirty on February 22, more than 150 students inside the Sandra E. Lerner Jewish Community Day School were well into their morning routines.
“A staff member answered. “In a short time,” the unidentified voice on the other end of the line said, “a large number of Jews are going to be slaughtered.”…
“The bomb-sniffing dogs that descended on Lerner that Wednesday morning didn’t find anything. But even after authorities gave the all-clear, Lerner canceled the remainder of the school day….
“In a trend characterized as disturbing by Jewish leaders, politicians, and social justice activists, more than a hundred bomb threats have been called in to seventy-two Jewish institutions across thirty states so far this year….(On Friday, federal agents charged Juan Thompson, a former journalist, with making bomb threats against at least eight Jewish centers as part of a bizarre campaign to harass a woman he’d previously dated; it’s unknown whether he’s suspected in similar cases such as the one at Lerner.)…
“On January 29, about a month before the Lerner bomb scare, [Rabbi Jen] Feldman was one of more than fifteen hundred people who converged on Raleigh-Durham International Airport to protest an executive order banning citizens of seven primarily Muslim countries from entering the U.S. (After federal courts struck down the original ban, the Trump administration issued a similar one on Monday.) She knew what it was like to be labeled “the other” and “the stranger,” so she decided to make her voice heard….
“”To see my eight-year-old holding up a sign and saying, ‘No ban. No wall. America is for us all,’ that’s how I deal with it,” Feldman says. “You show the strength. You show the power that we have together. You give them hope. You give them a voice. You teach them what’s right. Honestly, right after the election, I did ask myself, ‘How can I raise my children in this world?’ Now I know how.””
Now I feel sorry for the kid but at the same time want them to grow up to be the most staunch socon anti-immigrant activist in the world to spite the parent.
I really wonder how many of these are actual white nationalists doing this, how many are false flags, and how many are 4chan edgelords doing it for the lulz.
I’d guess 5%, 75% and 20% respectively.
I’m vague on the rules about off-topic posts,
I don’t think there are any rules about that, but there’s always the looming prospect of getting catassed.
Unfortunately this isn’t really funny. Here in Michigan our local JCC received one of these calls. And the Detroit area JCC is not only a place for meetings and such, it’s also a rec center with an old people’s home attached. So old folks getting physio and local black kids playing little league basketball were all turned out in the cold until the whole place could be swept.
Of course these are just threats, and it really doesn’t matter who’s doing them (there seems to be some evidence that at least some of them are coming from overseas)–you can’t just say ‘Fuck you’ and hang up. Do you want to bet your life on it? How about your grandmother’s?
That they write that with a (seemingly) straight face tells you all you need to know.
I watched a couple of NBC news clips this morning. There is nothing to worry about. The CIA isn’t spying on Americans, in America. That would be illegal, and wrong. They’re protecting us from the terrrrists.
Now, go back to sleep.
…and rest your head on this nice soft pillow that looks like a giant seed pod.
Does Microsoft own NBC? Or was MSNBC just a joint venture?
Speaking of digital monkeyshines, this is funny.
Botched. Try again:
Speaking of digital monkeyshines, this is funny.