March 7, 2017

"WikiLeaks on Tuesday released thousands of documents that it said described sophisticated software tools used by the Central Intelligence Agency to break into smartphones, computers and even Internet-connected televisions."

The NYT reports:
Among other disclosures that, if confirmed, would rock the technology world, the WikiLeaks release said that the C.I.A. and allied intelligence services had managed to bypass encryption on popular phone and messaging services such as Signal, WhatsApp and Telegram. According to the statement from WikiLeaks, government hackers can penetrate Android phones and collect “audio and message traffic before encryption is applied.”...

WikiLeaks said the source, in a statement, set out policy questions that “urgently need to be debated in public, including whether the C.I.A.’s hacking capabilities exceed its mandated powers and the problem of public oversight of the agency.” The source, the group said, “wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.”

72 comments:

exhelodrvr1 said...

All of this happened since Jan 20, right?

David Begley said...

And one thing that was revealed today is that the CIA can disguise its hacking to look like Russian hacking according to Wikileaks.

traditionalguy said...

And the Leak includes the info that the CIA long ago stole the Russian's Mal-ware so they can use it when sending out stuff made to look like the Russian's sent it.

Whom to trust? Paper notes sent by Currier. Bicycle curriers are back in DC.

Darrell said...

We call those "tapps."

David Begley said...

"The CIA's Remote Devices Branch's UMBRAGE group collects and maintains a substantial library of attack techniques 'stolen' from malware produced in other states including the Russian Federation.

With UMBRAGE and related projects the CIA cannot only increase its total number of attack types but also misdirect attribution by leaving behind the "fingerprints" of the groups that the attack techniques were stolen from.

UMBRAGE components cover keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques.

Everyone knew it. Now we have proof.
"Fingerprints" are meaningless.

It's now clear that the CIA is able to "pose" as "Russian hackers" whenever it so chooses."

Source: Russia-Insider.

Mike said...

But Obama would never spy on Americans, right?

AReasonableMan said...

Three cheers for wikileaks. Me and Sean Hannity always knew they were the good guys.

Michael Brand said...

Information is power. For those in the CIA looking to climb the power ladder, wouldn't it be perfectly reasonable to pass some of that info along in service to your preferred political tribe?

rhhardin said...

It sounds like an ordinary hack, not encryption-breaking.

Take over the machine and get the stuff before it's encrypted.

Taking over the machine is ordinary hacking.

As a tester, I could always break the security of test systems just by thinking of stuff they probably overlooked.

Probe to see how things fail and try to exploit the failure. They will not have thought of that.

Richard Dolan said...

Of course, if the CIA can do it to "bypass encryption on popular phone and messaging services such as Signal, WhatsApp and Telegram," others will figure out how to do it to bypass whatever protections the CIA or other spy agencies have in place. But there seems no need for those others even to go to that trouble, given the ability of Wikileaks to find insiders looking to earn their own little bit of Snowdenian fame by spilling the beans.

Greg Hlatky said...

Intelligence agencies will assure us that such tools will only be used against the enemies of the United States. Like, say, Donald Trump.

The Bergall said...

A spy agency spying? Who knew?

madAsHell said...

...but Obamacare is just a broken web site?

Unknown said...
This comment has been removed by the author.
Unknown said...

"It's now clear that the CIA is able to "pose" as "Russian hackers" whenever it so chooses."

Source: Russia-Insider".
--------------
Pro Russia publications are reporting this as fact. Wikileaks is leaking it as if it is a fact. The fact is that both can lie and make up "alternate facts."

Roughcoat said...

Whom to trust? Paper notes sent by Currier. Bicycle curriers are back in DC.

Ives is also trustworthy. Colorful, too.

Robert Cook said...

"But Obama would never spy on Americans, right?"

Of course he did, as all Presidents do. This was revealed by Snowden years ago.

AprilApple said...

Dem Super-Lobbyist Podesta Got $170K to End US Sanctions On Russian Bank

does not fit the big fake hack media narrative! oh no!


Susan said...

In Soviet Amerikkka your Smart T.V. streams YOU!

khesanh0802 said...

@ARM I don't often agree with you completely, but this "surveillance state" business needs to be thoroughly aired and gotten back under some kind of control. Do you have any idea how many Federal organizations have the ability to tap into all our communications? I don't. I tend to think only of the NSA, but then you think a bit more and you come up with CIA, DIA, FBI and I'll bet there are another half dozen alphabet agencies with little weenies running around hacking everything they can.

Makes me happy I generally of the Luddite persuasion.

khesanh0802 said...

Trump once again blows up the swamp with "no evidence". I love it!

Robert Cook said...

"A spy agency spying? Who knew?"


To the degree American spy agencies are considered necessary and are permitted to operate, it is not assumed (and supposedly is not permitted) that they spy on Americans.

Of course, no one can be naive enough to believe they would not and do not spy on us.

Matthew Sablan said...

Well, I'm ready for both sides to flip-flop on their love/hate of Wikileaks.

Robert Cook said...

"Well, I'm ready for both sides to flip-flop on their love/hate of Wikileaks.

How so, and why?

JPS said...

This is nothing. The Onion has the real scoop:

http://tinyurl.com/qagcncb

AReasonableMan said...

khesanh0802 said...
@ARM I don't often agree with you completely, but this "surveillance state" business needs to be thoroughly aired and gotten back under some kind of control.


You are probably aware of this but if not you should read Glen Greenwald on this topic. I don't blame any individual or entity, it is technology that drives this and I don't think that there is any way to put the genie back in the bottle. Every action, every transaction, every movement is now recorded by someone somewhere because it is so cheap and with big data tools it is now very easy to sort through that data pile to retrieve the information.

The thing that was revealing to me was the 2005 London bombings, where they were able to reconstruct every movement of the terrorists up to the bombing. They have a vast number of security cameras in the UK but they are becoming increasingly common here. Traffic cameras record your license plate number, you have to use EasyPass or some equivalent to go anywhere. Cameras record your face on public transport. It is a dystopia that came upon us unexpectedly, due largely to the availability of incredibly cheap digital storage.

Guildofcannonballs said...

--Wikileaks is leaking it as if it is a fact. The fact is that both can lie and make up "alternate facts."--

Ha! Geneva Condensions require Wikileaks to ALWAYS ALWAYS ALWAYS tell the truth, so they cannot therefore lie, they are indeed incapable of even the notion 'twere possible.

Ha ha ha ha ha I laugh AT you!

Neighbors are looking out their cave openings at me as though I am nuts for the volume and sound level of the laughter generated so far, and I have yet to even begin my laughter in earnest!

Matthew Sablan said...

Robert Cook: The right prefers not to release classified/secret/information about the CIA, but are fine with the Hillary leaks; likewise, the left normally praises these sorts of leaks for various reasons, but did not like the Hillary leaks. So, I expect the vast majority of people will flip-flop, as they have done as usual.

Unknown said...

"Well, I'm ready for both sides to flip-flop on their love/hate of Wikileaks"
-----------
Trump said he loved Wikileaks. Odd how Wikileaks seem to come to the "rescue" of Trump time after time.

"GOP presidential nominee Donald Trump on Monday praised WikiLeaks for publishing Democratic rival Hillary Clinton’s hacked emails.

“I love WikiLeaks,” he told listeners during a campaign rally in Wilkes-Barre, Pa., prompting prolonged “Lock her up!” chants from his audience. “It’s amazing how nothing is secret today when you talk about the Internet.”"

Unknown said...
This comment has been removed by the author.
Unknown said...
This comment has been removed by the author.
David53 said...

Why is this news? If you didn't assume the government had the ability to "break into" your electronic devices for at least the last 10 years you haven't been paying attention. Wikileaks has information about software tools the CIA uses? Yawn.

YoungHegelian said...

...audio and message traffic before encryption is applied.....

Nope. I don't think this is possible, unless the transmitting application is poorly written. Which it well may be.

Encrypted network packets have only their encapsulated data encrypted. If the header information was encrypted, the internet could not route it since it would be trying to route gibberish information in the packet header (see diagram here.). The data portion of a packet is encrypted locally on the computer, then encapsulated in a TCP/IP packet, given "headers", & then transmitted over the network to the internet. The receiving system then decrypts the encapsulated data using its "shared key".

Encryption & decryption is done internally by an operating system. Unless there is a piece of malware installed locally that grabs a packet before it is transmitted, what this article describes can't be happening.

Michael K said...

Unknown, as usual, misses the implications.

It is a dystopia that came upon us unexpectedly, due largely to the availability of incredibly cheap digital storage.

Yes and now DNA makes it almost infinite.

When I was programming an IBM 650, we had 2000 ten digit words of storage. That was 58 years ago. The data was all on Hollerith cards. The programs sometimes had to be modified to fit.

It's a new world and security will require we go back to pen and paper. No voting machines. I don't know about ATM machines.

The Cracker Emcee said...

"Pro Russia publications are reporting this as fact. Wikileaks is leaking it as if it is a fact. The fact is that both can lie and make up "alternate facts."

Of all the bizarre things that have characterized this silliest of political seasons, the Leftist absolute hysteria over all things Russian has to be the most bizarre.

madAsHell said...

what this article describes can't be happening.

Agreed. I haven't dug into this, but there are a lot of wild assertions, and very weak evidence. It could very well be misinformation targeted for some very gullible adversary.

Drago said...

Cookie: "Of course he did, as all Presidents do. This was revealed by Snowden years ago."

Of course he did, as all Leaders and their administrations have done. It was revealed by common sense about 5,000 years ago.

Robert Cook said...

"Every action, every transaction, every movement is now recorded by someone somewhere because it is so cheap and with big data tools it is now very easy to sort through that data pile to retrieve the information.

"The thing that was revealing to me was the 2005 London bombings, where they were able to reconstruct every movement of the terrorists up to the bombing. They have a vast number of security cameras in the UK but they are becoming increasingly common here."


I saw terrific movie years ago with Sean Connery called THE ANDERSON TAPES that dramatized this, even before the age of home computers and the internet.

Drago said...

Apparently we are supposed to go to war with Russia now because Hillary didn't remember to campaign in Wisconsin.

Drago said...

Wikileaks is the "JV" team of cyber-warfare.

Robert Cook said...

"Robert Cook: The right prefers not to release classified/secret/information about the CIA, but are fine with the Hillary leaks; likewise, the left normally praises these sorts of leaks for various reasons, but did not like the Hillary leaks. So, I expect the vast majority of people will flip-flop, as they have done as usual."

Then they're all fools.

Robert Cook said...

"what this article describes can't be happening."

Why not? You should accept that it is.

The Cracker Emcee said...

"Of course, no one can be naive enough to believe they would not and do not spy on us."

Why would anyone ever have thought otherwise? From the very beginning of the Internet in workplaces it was understood that the IT department would be monitoring where you went on the Web. Why not outsiders? Perhaps older people are too ignorant and younger people too comfortable to ever have internalized this understanding. Where I work sensitive information is passed by hand in sealed envelopes. It's not difficult.

Drago said...

Cook: "Why not? You should accept that it is."

Cook is actually correct here. Assume "they" can and act accordingly.

Scott McGlasson said...

Pro Russia publications are reporting this as fact. Wikileaks is leaking it as if it is a fact. The fact is that both can lie and make up "alternate facts."

Logic and instinct also point to this being true, don't you think?

Yancey Ward said...

Drago wrote:

"Apparently we are supposed to go to war with Russia now because Hillary didn't remember to campaign in Wisconsin."

The Russians hacked her campaign schedule and sent her to California on the days she was supposed to be in Wisconsin, Pennsylvania, and Michigan.

Scott McGlasson said...

Of all the bizarre things that have characterized this silliest of political seasons, the Leftist absolute hysteria over all things Russian has to be the most bizarre.

Kinda casts Obama's comment to Romney during the 2012 in an odd light, certainly.

Drago said...

Scott McGlasson: "Kinda casts Obama's comment to Romney during the 2012 in an odd light, certainly."

Nonsense! The Light-Bringer was right in 2012 against Romney and was even "right-er" in 2016/17 when he flipped to the other side.

Lefty/"lifelong republican" Rule of Thumb: The Earth-bound Messiah, even out of office, is Always Correct. Facts will be modified to support "todays" conclusion.

Timeforchange said...

A couple of months go I was looking for a flashlight and repeatedly asked my wife if she knew where the flashlight was.This went on for about tem minutes, without finding a flashlight. Then I looked at my phone and behold there was an add to download a flashlight. Where did the phone get the info for my need for a flashlight, maybe it came from our Samsung Smart TV that I understand even if you hit the off button it is still listening to you. Kind of scary!

johns said...

So where are we now in the MSM narrative? Trump "lied" because Obama "couldn't" "order" a tap on Trump's phone, and Sessions was talking with the Russians, but the CIA could make any hack look like it came from Russia, and the Justice Department asked the FISA court for permission to surveil the Trump campaign, so I guess that means that Justice and CIA were listening to each other?

Susan said...

I wonder how or if the "hacking" attempts on various states election offices by the former administration are related?

Scott said...

Alinsky Rule #1: "Power is not only what you have, but what the enemy thinks you have."

So what if, hypothetically, the CIA fed a truckload of garbage to WikiLeaks in order to make it look like their capabilities were far greater than they actually were? Such a strategy is not without precedent. The Strategic Defense Initiative or "Star Wars" under Reagan was a huge bluff to push the Soviet Union to capitulation and collapse.

Maybe Big Brother isn't watching you 24/7. But if you think he is, it would make you more tractable. Just sayin'.

damikesc said...

This stuff is why I'm OK with Wikileaks. This needs to be made public and they are doing yeoman's work in doing so.

And one thing that was revealed today is that the CIA can disguise its hacking to look like Russian hacking according to Wikileaks.

Good lord. Is there ANYTHING to remotely tie Russia AT ALL to the election?

Mind you, several of us --- including me --- were mentioning that malware developed in Russia can be acquired elsewhere. It being made in Russia did not mean Russia did it.



Bob Loblaw said...

According to the statement from WikiLeaks, government hackers can penetrate Android phones and collect “audio and message traffic before encryption is applied.”...

That's the way I would have done it.

Security is only as strong as its weakest link. People get these encryption programs and think they're safe from snoopers, but the phone can be hacked, and if it couldn't be hacked electronics are so cheap these days if the government is after you they can bug everyplace you're likely to be.

Achilles said...

Welcome to the party all. We were spying on everyone's phone conversations years ago. I guess it is no longer we. And since I got out Obama turned that apparatus to his true enemies, the American people.

I have hope that Trump will look at what is going on and be the one that outs what our government is doing. But that hope is fading. It will come out one way or another anyways.

And they don't need to get around encryption. The telecommunication companies are giving it to them for free. They don't even need interpreters here.

Achilles said...

And one thing that was revealed today is that the CIA can disguise its hacking to look like Russian hacking according to Wikileaks.

People are pretending that IP spoofing is a new thing? Are they serious?

StephenFearby said...

WikiLeaks said the source...set out policy questions that “urgently need to be debated in public, including whether the C.I.A.’s hacking capabilities exceed its mandated powers and the problem of public oversight of the agency.” The source...[also] “wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.”

Very likely a precious snowflake working in the CIA that was hired by the Obama Administration. Could well have been an IT guy, like Snowden.

I suspect (and hope) they will catch him.

Obviously there is a trade off in using technology of this type to apprehend or kill ISIS or
Al Qaeda terrorists. (Bin Laden famously refused to use a cell phone.)

Human nature being what it is, there is always the potential to use these tools to hack your spouse's phone to find out if are cheating on you. The Cannibal Cop improperly used a NYC police database to check out women to fantasize about who he should cook that night.

Aside:

NYC's 'cannibal cop' back in the dating game, says women are hungry to date him

http://www.foxnews.com/world/2016/09/19/nyc-cannibal-cop-back-in-dating-game-says-women-are-hungry-to-date-him.html

Most organizations (including the CIA) would do well to see how their prospective new hires in important positions score on the Uncritical Inference Test (of reasoning).

Back in the day I took one (there are several) and successfully disputed the answer to a question with the author, Professor William V. Haney. Which he corrected in the next edition of the test. (That accomplishment and a token (now metrocardcard swipe) still gets me a ride on the subway.)

Haney wrote this about the tests:

"...Among organizations which have used the tests for their own internal training activities are General Electric, Boeing..., numerous police departments and state mental institutions (for therapy and training), a penitentiary, the Treasury Department,the Internal Revenue Service. the Department of Defense....and, rather interestingly, the Park Rangers at Glacier National Park.

Undoubtedly these groups have varying objectives and aspirations in their use of the test, but I should think the most ambitious goal was expressed by the president of a nation-wide small-loan corporation who was convinced that the test would help his personnel spot bad loan risks."

Add to that the security risk of hiring precious snowflakes.

http://www.generalsemantics.org/oldsite/gsb/articles/gsb28-haney.pdf

Che Dolf said...

Back in 2013, a former FBI counterterrorism agent told CNN the US government records (or has access to recordings) of all domestic telephone conversations. Apart from Glenn Greenwald's reporting, this produced almost no reaction in the press. It amazes me that we acquiesce to this.

khesanh0802 said...

I don't think we can get away from the technology and we can't get away from the hackers. What I hope comes from this is an inventory of exactly how many government people/organizations are currently "listening in" and a winnowing thereof.

The essence of some of the comments above is that we really have no idea who, exactly, is listening in. Listeners can disguise themselves as anyone. Then there is the argument that this can't be true for some technical reasons that the commenters may understand but are well beyond my understanding. Until someone shows me a step by step illustration that this kind of hack is impossible I will continue to believe the worst.

I am beginning to think that I would like to see Homeland Security dismantled so we could go back to individual alphabet agencies held responsible for their transgressions.

mockturtle said...

“urgently need to be debated in public, including whether the C.I.A.’s hacking capabilities exceed its mandated powers and the problem of public oversight of the agency.”

I found this naive. What ARE the CIA's mandated powers? What kind of oversight DOES exist? When you have an organization with a classified budget and the power to topple heads of state, one wonders what limitations really exist?

mockturtle said...

We could be looking at a post-technology age in the not-too-distant future.

khesanh0802 said...

@Mockturtle As someone said: back tp pencils and paper!

To really promote conspiracy theories: Does anyone think Trump knew this WikiLeaks thing was coming when he made his Tweet on Saturday?

Scott said...

"Back in 2013, a former FBI counterterrorism agent told CNN the US government records (or has access to recordings) of all domestic telephone conversations."

If you lie to a cop, it's a felony. If a cop lies to you, it's just another day at the office.

n.n said...

Technological mysticism to accompany scientific mysticism that seem to prevail in liberal societies.

Ben Zipperer said...

YoungHegelian said...


.......audio and message traffic before encryption is applied


...Nope. I don't think this is possible, unless the transmitting application is poorly written. Which it well may be.



Isn't it possible they are using a baseband exploit to access memory at will?


Ben Zipperer said...

YoungHegelian said...


.......audio and message traffic before encryption is applied


...Nope. I don't think this is possible, unless the transmitting application is poorly written. Which it well may be.



Isn't it possible they are using a baseband exploit to access memory at will?


YoungHegelian said...

@Ben,

Isn't it possible they are using a baseband exploit to access memory at will?

Yes, but I'd consider that a variety of malware, since the hackers are in that case using a hackable weakness in the baseband stacks of the smartphone OS. Also think about how easy such an exploit would be to detect with even a cursory scoping of the cell phone's transmissions. There would be double the amount of traffic needed, and it would be being transmitted as clear text/encrypted, clear text/encrypted, clear text/encrypted for the same data. It would stick out like a sore thumb.

I found this an interesting discussion, albeit kinda hard core.

@RC,

what this article describes can't be happening."

Why not? You should accept that it is.


See technical explanation above. If that makes no sense to you, then let it go.

Communications protocols & operating systems are not infinitely malleable things. Every little byte is in its place & has data within the correct parameters or things stop working right quick.

Now, if someone wants to claim that the CIA & NSA have back doors to the common encryption protocols, I most certainly believe that. As rhhardin also says above, it sounds like a standard hack. But the way the exploit is described in the article makes no sense to me. I also don't trust most reporters to get that level of technical detail right.

Bruce Hayden said...

Interesting stuff.

First takeaway so far is that the meme of "Russia hacked the election" to help Trump, etc., is now dead, if it wasn't dead from the claim of Trump being wiretapped. If the CIA can effectively pretend that they are Russians (and, the Russian govt), then who else can do the same? Surely, the Israelis. Likely the Chicoms. Maybe Iranians. Plus some of our NATO allies. How did they know that it was the Russians doing the hacking? Because the tools left Russian fingerprints - that the CIA apparently routinely duplicates.

Secondly, I was vindicated when I refused to buy a "smart" TV recently. I knew that they were hacked, but not as badly as they apparently are.

Thirdly, the CIA apparently really can turn on your cell phones, and turn on the cameras and microphones on your PC, smartphone, and tablet. My impression, so far, is that Androids are much more hacked than iPhones, which is one reason to stick with Apple handheld devices (despite my extreme dislike for the company).

Bruce Hayden said...

I belong to the communications policy group of a large engineering society (that also provides many of the standards used for communications). One thing that we may be proposing to Congress in the next while is legislation to hold the presidents/CEOs of companies that allow their electronic devices to turn on microphones and cameras without a visible notice to the consumer criminally liable for any misuse of their products. The guy proposing the legislation comes from the auto industry, where safety really was improved by imposing criminal liability for intentional safety malfeasance. My idea had been to provide tort liability for invasion of privacy, but his response was that the electronic devices invariably have shrinkwrap licenses that pretty much disclaim any liability for anything, and despite clearly being violative of UCC II, these shrinkwrap licenses have been routinely upheld over the last decade or so. We do need to do something there.

mockturtle said...

We do need to do something there.

You are right, Bruce, but how?

Rusty said...

So. The Russians didn't hack the election , but Lynch authorized wiretapping Trumps phone?
That about right?

Bruce Hayden said...

So. The Russians didn't hack the election , but Lynch authorized wiretapping Trumps phone?
That about right?


We actually don't know either one. As to the first (Russian hacking), the problem is that the CIA has very sophisticated tools that allow them to look like anyone else, when hacking. And, apparently, those hacking tools are apparently not classified, probably so that they can be moved around more easily, and have gotten out of the agency into private hands. So, merely finding Russian fingerprints on the hacking of the Dems' emails could tell us that the Russians did it, Russian hackers with no control by the Kremlin did it, the CIA did it, or someone else entirely did it, possibly with the CIA hacking tools. It could easily have been the ChiComs, the Iranians, the Israelis, Pakistanis, or even the RNC. Or, maybe even the Trump campaign. We just don't have any real knowledge of who did the hacking - just that it was done, thanks WikiLeaks, and to the Dem party in general, and Crooked Hillary campaign manager Podesta in particular, ignoring computer security.

The problem with the wiretapping right now is that there is a chance that the story about the three warrant applications for Trump Towers is fake news, or that maybe saner heads prevailed, and, even with a FISA warrant in hand, no wiretapping was done. I think that it is maybe more likely that at least the data there, and maybe some of the voice communications there were recorded, than the hacking was Russian, we just don't know. The difference though is that there are Congressional investigations going on that will, ultimately, with the assistance of (instead of obstruction by) the DoJ, will likely get to the bottom of what was done, in terms of wiretapping of Trump, and maybe more generally by the Obama Administration. We may never find out, for sure, who did what in terms of the supposed Russian hacking, since it likely wasn't done by our govt, that Congress supposedly has oversight over. We shall see.