1. 56
  2. 13

    So ostensibly the entire world has access to the hacking capabilities of the CIA (ಠ ὡ ಠ )/

    If you needed another reason to never buy a ‘smart’ device, I guess this is a big one.

    Well, at least we got a pretty good repository of Japanese kaomoji in the process (。◕‿‿◕。)

    1. 16

      If you needed another reason to never buy a ‘smart’ device, I guess this is a big one.

      This is really bad advice. ‘Dumb’ phones communicate exclusively over PSTN or SMS, which are easily traceable/subpoena-able/intercepted by any middleman. In addition the phone company has your metadata, which Verizon (at the very least) has been more than happy to send wholesale to the NSA.

      The only thing this dump revealed about encryption apps is if you hack the mobile phone that’s running Signal or Whatsapp, you can read all of the messages that are on it, and the CIA has several techniques for compromising phones that have previously been reported on. Signal and Whatsapp still offer excellent end-to-end encryption, especially compared with a dumb phone.

      I mean yes. If the CIA wants to target you specifically I’d bet on them over your security practices. But it’s no excuse for the rest of us to just abandon secure communication and encryption.

      1. 9

        I guess I should have been more explicit; I meant IoT devices, not smart phones. I definitely agree with you there.

        The other point was that these programs have been leaked, which means it’s not just the CIA, but any random script kiddie who might want access to your smart TV or toaster or whatever.

        1. 3

          Ah. Yes, that’s right.

        2. 2

          The only thing this dump revealed about encryption apps is if you hack the mobile phone that’s running Signal or Whatsapp, you can read all of the messages that are on it, and the CIA has several techniques for compromising phones that have previously been reported on. Signal and Whatsapp still offer excellent end-to-end encryption, especially compared with a dumb phone.

          Totally agreed.

          I don’t exactly know how these 0days are exploited, but let’s assume it’s over an airgap. The big question then becomes can anything be exploited from a cell site simulator, or in bulk from some other briefcase sized device (or smaller)? And if so, is the smart phone of every protester in America already pwned by law enforcement?

          (Edit: And, is there any way to detect that these devices have been exploited?)

        3. 11

          (\/) (°,,°) (\/) WOOPwoopwowopwoopwoopwoop!

          I particularly like the annotations on this one.

          1. 3

            Zoidberg?

            1. 3
              1. 1

                Is that somehow related to Lobsters being named Lobsters? @_@

          2. 5

            Hacking tools are all over the web. 0days get patched quickly after such leaks. I believe the biggest consequence of those leaks is attribution. If your organisation has been attacked, you can now possibly link the tool used to the CIA. Things can get quite nasty, especially since they used tools like: “With UMBRAGE and related projects the CIA cannot only increase its total number of attack types but also misdirect attribution by leaving behind the “fingerprints” of the groups that the attack techniques were stolen from.”

            1. 1

              The other consequence of not disclosing 0days is that if the bad guys receive the leak from the CIA (via key logging on home/work computers, or just simple threats and blackmail) instead of WikiLeaks then they can exploit it until the public finds out. So any agency not disclosing 0days to vendors and/or the public in a timely (less than a month) manner is putting everyone’s safety at risk, not just the other bad guys'.

            2. 4

              I downloaded the 7z file and noticed a lot of out of place pages and files including some reaction-style gifs. Very weird.

              1. 2

                Any steganography in those gifs?

                1. 2

                  To me it feels more like some random person’s junk drawer. There are PDFs of file lists of possibly more interesting systems.

              2. 2

                What cell phones do people in the CIA use?

                1. 3

                  Probably not Android 4.

                  1. 2

                    Agreed. I’m just wondering, though. If all the major phone OSes are hackable by the CIA, clearly the CIA can’t just be using a regular Android phone … or they’d be open to hacking themselves.

                    If they are running Android, then the CIA is patching Android to avoid the zero-days they know about? Pretty impressive.

                    1. 2

                      Well, some of this appears to be not zero day material. Like a jailbreak for iOS 8 with no passcode or whatever. So I think there’s two assumptions to question: 1. if it’s for a phone that’s entirely up to date. 2. how much they care about reciprocity. (My very loose, very casual understanding is that the CIA does not spend much time worrying about defense. That’s not their department.)

                      1. 1

                        I started googling and found out they use dead rats, instead of cell phones :)

                        http://www.earthtouchnews.com/wtf/wtf/forget-cellphones-cia-agents-use-dead-rats-to-stay-in-touch

                        1. 1

                          Oh, I did forget about the time they were caught using phones.

                          http://articles.chicagotribune.com/2005-12-25/news/0512250380_1_abu-omar-robert-seldon-lady-cia-operatives

                          There’s also some speculation based on location tracing of burner phones in the Greek affair.

                          https://badcyber.com/the-great-greek-wiretapping-affair/

                  2. 2

                    The one every other person in the CIA uses, after all, you don’t want everybody else to think that you have SOMETHING TO HIDE.

                2. 11

                  The dump is mostly junk from some contractor’s home directory, no code or exploits, but lots of PDFs of file lists for possibly interesting stuff. I can’t help but feel like this is a distraction from the Russia story to discredit one of the agencies that has a painful relationship with Trump. I’m generally in favor of fairly radical transparency efforts, but I’m suspicious that the intention of whoever gave this material to WL was to distract, rather than illuminate.

                  1. 16

                    WL seems to be primarily operating as a Russian infowar asset these days, wittingly or not.

                    1. 4

                      And yet, they’ve never been shown to publish falsehoods.

                      1. 13

                        So? Lying is certainly not necessary to pursue an agenda.

                    2. 6
                      1. 3

                        Unit Tests! The CIA’s secret NOFORN weapon!

                        https://wikileaks.org/ciav7p1/cms/page_11629048.html

                        1. 2

                          There’s also a PDF in the dump… vault7/cms/files/Why-Most-Unit-Testing-is-Waste.pdf

                          1. 4

                            Eh. The James Coplien rant that went by a while back.

                            Of course, it occurs to me there are all these documents in a trove of documents from a bunch who are world class experts in exploiting bugs in document readers to infect systems….

                            I do sort of wonder whether we haven’t been epically trolled by the CIA…

                        2. 2

                          Well, it’s a hell of a distraction.

                        3. 1

                          https://www.reddit.com/r/IAmA/comments/5n58sm/i_am_julian_assange_founder_of_wikileaks_ask_me/dc8pgqr/

                          It’s possible that Assange is no longer in control. It’s possible that someone is trying to control the narrative.