1. 24
  1.  

  2. 5

    This seems slightly silly.

    I mean, I certainly agree with the EFF in principle. But the CIA’s mandate is essentially to hack foreign powers. It goes directly against that if they dig up and then report zero-days. Telling the CIA they should stop doing their job is not going to be effective no matter how persuasively you frame it. The change the EFF is arguing for here has to happen at a higher level, and the US government has never shown any particular concern for the privacy or security of its citizens (and right now it’s certainly at a low ebb even by the usual mediocre standard).

    1. 3

      You make a good point about the role of the CIA, and I wonder if it’s the globalization of software and hardware that is going to make such jurisdiction roles like the FBI, CIA, DHS, NSA much more confusing moving forward. Say the CIA in their efforts to gather intelegence on enemies of the state, discover something that can affect both the homeland and the enemy, what responsibilities are there for the CIA? Ethically, we should try to defend our citizens, but that’s not really the role of the CIA. Reporting it and getting the issue fixed could strengthen the defenses of the US and its citizens but then reduce our ability to attack or learn. Should the NSA try to strengthen our defenses, and in the process let the CIA know of any vulnerabilities it can take advantage of to eavesdrop on enemies?

      1. 1

        Yeah,

        I think it would be better that the CIA didn’t exist, that it’s very existence fundamentally undermines democracy.

        That said, if the CIA is going to exist, them fighting out a sort-of equal battle with the black hats in the realm of target surveillance seems far preferable to the various NSA programs that involuntarily enlist corporations and individuals in a program of mass surveillance.

        If the CIA suppressed a civilian agency or private company’s discovery of these things, it would be bad. But otherwise, this is doing the research that expect happens in “black hat” labs and foreign agencies.

        On the other hand, EFF pretty much has to wag its finger at every misdeed. Their position prevents them from saying “oh but this is OK, I guess” since doing so would result in someone arguing something much “worse” would result

        1. 1

          Did you miss the reference to the Vulnerabilities Equities Process?

          1. 3

            What about it? The equities process is a joke; it’s actually a little insulting to everyone’s intelligence. You can’t use a bug for a few months to compromise high-profile targets and then disclose it; the act of disclosing it stands a very good chance of alerting those targets that you compromised them, and how you did it.

        2. 3

          Here’s a question: does the CIA hack smart TVs over the internet, or does somebody go into the target house and update the firmware with a USB stick? Does this affect how safe we all are?

          1. 5

            Regardless of what the CIA does, we know that smart TV manufacturers are selling your information to advertisers out-of-the-box (or if you have an older model, with a firmware update).

            1. 2

              But that’s neither here or there? How does that release to the CIA making people unsafe or yesterday’s release? You could have said exactly the same a year ago.

              1. 4

                I guess my concern is that “someone” is tuning into my home, regardless of who they are. The CIA leak just brings more attention to that issue.

                1. 5

                  I guess it seems the CIA leak is an all purpose hobby horse which can be used to support any argument if you don’t look too closely at what was actually leaked.

                  1. 2

                    Re: Your original question, it doesn’t look as though TVs can be infected from the internet. Weeping Angel might have been developed as a hackathon project or as a proof of concept.

            2. 3

              From the looks of it, that hack was merely a thing someone developed and proposed for use. It doesn’t appear to be weaponized or non-attribution level stealthy.

              The TV in question isn’t known to be remotely exploitable. It’s quite hard to hack a TV in someone’s house, not the least due to NAT. Unless the TV opens a port via UPnP, which I think was not the case here.

              TL;DR: They weren’t hacking TVs and if they wanted to they’d need to have physical access and plug in a USB drive to the device.

              1. 1

                For some reason, the CIA are less-than-forthcoming about their abilities.

                I’d be surprised if they couldn’t hack a TV via the net, but I doubt they’d risk losing that capability (by a target intercepting the malware) when they could send someone in person.