Posts Tagged ‘wikileaks’

WikiLeaks Vault7

Wednesday, March 8th, 2017

WikiLeaks dropped a trove of information about hacking tools from the CIA this week. It’s available via BitTorrent, in an encrypted archive, whose password is SplinterItIntoAThousandPiecesAndScatterItIntoTheWinds. That’s amusing, I suppose.

So what’s in the archive and what does it mean?

First, the archive appears to be a dump of an Intranet portal at the CIA, where staff share information about hacking tools. It’s missing a bunch of stuff – images and documents – so the download appears to have been incomplete. Moreover, this is information about the tools, rather than the tools themselves, though those were apparently leaked earlier in a separate incident.

There are tools here to hack every common operating system – Windows, MacOSX, Linux, Android and iOS. There are also tools for various other platforms, including some Samsung TVs.

There has been a bunch of wild and woolly press coverage about this leak, but no, the CIA does not appear to have tools to compromise the encryption in popular messaging systems. It’s simply the case that if you can compromise either end of the conversation, then encryption between the two ends of the conversation is irrelevant. They can’t magically turn your TV into a spy device (without first breaking into your house) and they can’t (yet?) cause your car to suddenly crash. All of these things are plausible, and even discussed in the leaked documents, but not described as current capabilities.

Many of the tools discussed in the leak require physical access. I.e., if you are some “bad guy” that the CIA is interested in, and they can touch your phone or PC or TV, then they can install malware on that device to help them spy on you. Clearly, that doesn’t matter much to most people.

Some of the tools work over the network, and obviously that’s more serious, especially if they get into the hands of criminals or other adversaries that the average business or consumer might be more worried about than the CIA.

Also of note is that some of the tools leverage security vulnerabilities in popular products that the vendors and security researchers were not previously aware of. For the US government to discover such bugs and not work with vendors to close them leaves the public at risk and represents quite dubious ethics.

So is it time to panic? Hardly. We already knew that every large and complex piece of software has bugs (they are written by human beings after all) and that some of those bugs can be used to compromise security. We also already knew that all advanced government spy agencies work to compromise device security to either collect information about their adversaries or to disrupt their operations. That the CIA is doing this is only vaguely surprising, in the sense that it really should be the job of their sister agency, the NSA.

Everyone should already be aware that a smart phone is a perfect surveillance device, incorporating network connectivity, a GPS receiver, plus microphones and cameras. It’s obvious that spy agencies would work to hack into these things to monitor people, and would at least sometimes succeed.

So what’s interesting here?

Well, someone at the CIA obviously dislikes their employer enough to leak this information. That’s a serious crime.

The US government does not disclose all zero-day exploits it finds to vendors. That’s morally compromised.

WikiLeaks is more interested in the (fairly mundane) behaviour of the US government than that of various dictatorships, such as Iran and Russia. That makes WikiLeaks and Julian Assange look quite bad, actually. They are pretty much a puppet of the Russian state at this point.

The involvement of both WikiLeaks and Russian intelligence services in the recent US presidential election should be alarming to everyone in the West. There is no reason to believe this kind of interference will stop there — it’ll continue into the future and in other Western countries. This data dump is really just a side show compared to Russian cyber warfare efforts.

Latest WikiLeaks: watermarks and IAM?

Thursday, December 2nd, 2010

The main buzz around the latest dispatch from WikiLeaks is about the content – and I have to agree with most people who have commented on it – the response amounts to “Yawn, really, that’s what all the fuss is about?”

The process of the leak itself is more interesting. This was a mass download of a bunch of data that various US government agencies were intentionally sharing. Sharing is good, especially for low-risk data such as this. On the other hand, the US government didn’t actually want the data to leak outside of itself, and given the thousands of people with access, that’s a tall order.

So how do you share something with thousands of people while still minimizing the chances that one of them will release it?

Well …. first, you should change the access method to be “one document at a time” rather than “all at once.” I have to assume they actually did do that – but someone scripted a bulk download of these documents.

The second step is to impose some sort of economic cost on anyone considering a breach of protocol by releasing the content. This is where some people jump up and yell “Digital Rights Management!” and where I claim “No! DRM Sucks!” 😉 Actually, I think a much more benign solution is to apply a hard-to-detect, hard-to-remove watermark to individual documents downloaded from this sort of database. Basically, if I download a file from this database, the file should be marked up in some way to indicate that it was me who downloaded it. Anyone can read it – but at least people in authority should be able to figure out that it is my download they are reading.

That’s watermarking, and it has lots of applications. I think Apple is using this approach when they offer unencrypted MP3 downloads on their music store – you can download an MP3 and play it on any device, but somewhere in the data stream is an indication that it was you who downloaded it. If they find the same MP3 on BitTorrent later, they know that you shared it. If you know that they will know that, you are much less likely to violate their terms of use, because you bear some legal and possibly financial liability.

Same thing with the WikiLeaks documents – if the feds had used a file format that allows for watermarking and had marked up downloaded documents, then legitimate users, including whoever actually leaked the content, wouldn’t have been so eager to let the cat out of the bag.

Technologically, you need some sort of watermarking system and, of course, an identity and access system — users have to identify themselves and authenticate before they can download this stuff, else the central server wouldn’t know what to put in the watermark.

In fact, this raises another question – don’t they log who downloads content? If they don’t, then they deserve the outcome they got. If they do log, then they should already know who downloaded all this content.
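To make the three pieces described above concrete (authenticated access, a per-download watermark tied to the downloader, and a log of who pulled what), here is an added toy model in Python. It is not code from the original post or from any real government system; the document store, the user names, the sample “cable” text and the server key are all constructed for the demonstration. The mark is a keyed HMAC tag of the user id, so the server (which alone holds the key) can later test a leaked copy against the users in its audit log, while a downloader cannot compute or forge someone else’s mark. The carrier used here, a trailing space on each of the first 32 lines, is chosen only because it is invisible to a reader and easy to follow; it is also trivially destroyed by reformatting, so a production system would need a far more robust embedding.

```python
import hashlib
import hmac
import secrets
import time

TAG_BITS = 32  # size of the per-user mark; one bit is carried per document line


def user_tag(server_key: bytes, user_id: str) -> int:
    """Keyed tag for a user. HMAC keeps a leaker from computing or forging
    another user's mark, since the key never leaves the server."""
    digest = hmac.new(server_key, user_id.encode("utf-8"), hashlib.sha256).digest()
    return int.from_bytes(digest[: TAG_BITS // 8], "big")


def embed(document: str, tag: int) -> str:
    """Carry one bit of `tag` per line: a trailing space means 1, none means 0.
    The text a reader sees is unchanged."""
    lines = [line.rstrip(" ") for line in document.split("\n")]
    if len(lines) < TAG_BITS:
        raise ValueError(f"document needs at least {TAG_BITS} lines to carry the mark")
    for i in range(TAG_BITS):
        if (tag >> (TAG_BITS - 1 - i)) & 1:
            lines[i] += " "
    return "\n".join(lines)


def extract(document: str) -> int:
    """Read the mark back out of a (possibly leaked) copy."""
    lines = document.split("\n")
    tag = 0
    for i in range(TAG_BITS):
        tag = (tag << 1) | (1 if lines[i].endswith(" ") else 0)
    return tag


class DocumentStore:
    """Stand-in for the portal: sessions (the IAM piece), an audit log, and
    per-download watermarking. Everything here is constructed for the demo."""

    def __init__(self, server_key: bytes, documents: dict):
        self.server_key = server_key
        self.documents = documents
        self.sessions = {}   # session token -> user id
        self.audit_log = []  # one record per download

    def login(self, user_id: str) -> str:
        # Authentication itself is out of scope here; assume it succeeded.
        token = secrets.token_hex(16)
        self.sessions[token] = user_id
        return token

    def download(self, token: str, doc_id: str) -> str:
        user_id = self.sessions.get(token)
        if user_id is None:
            raise PermissionError("unauthenticated download refused")
        self.audit_log.append({"user": user_id, "doc": doc_id, "time": time.time()})
        return embed(self.documents[doc_id], user_tag(self.server_key, user_id))

    def attribute(self, leaked_copy: str, doc_id: str):
        """Which logged downloader of doc_id does this copy belong to?"""
        found = extract(leaked_copy)
        for entry in self.audit_log:
            if entry["doc"] == doc_id and user_tag(self.server_key, entry["user"]) == found:
                return entry["user"]
        return None


# Constructed sample: a 40-line "cable" and a fixed demo key (a real
# deployment would generate this key and keep it out of source code).
SAMPLE_DOCUMENTS = {
    "cable-001": "\n".join(
        f"Paragraph {i}: constructed sample cable text." for i in range(1, 41)
    )
}
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def demo():
    """Two users download the same cable; each copy traces back to its downloader."""
    store = DocumentStore(SERVER_KEY, SAMPLE_DOCUMENTS)
    alice_copy = store.download(store.login("alice"), "cable-001")
    bob_copy = store.download(store.login("bob"), "cable-001")
    return store.attribute(alice_copy, "cable-001"), store.attribute(bob_copy, "cable-001")


if __name__ == "__main__":
    print(demo())  # ('alice', 'bob')
```

Note how attribution never searches the whole user base: it only needs to test the users that the audit log says actually downloaded that document, which is exactly the point made above about logging. An unmarked copy (no trailing spaces at all) extracts to a tag of zero and matches nobody, and a request without a valid session is refused before anything is logged or marked.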

That’s my $0.02 for today.

— Idan

the unpleasant intersection of government, security and privacy

Sunday, August 22nd, 2010

A couple of unrelated but similarly themed stories making the rounds:

  • Seems that someone is trying to intimidate Julian Assange (of wikileaks fame) by fabricating and quickly withdrawing criminal charges: skunkpost.com.
  • Seems like the Elections Commission of India is trying to muzzle a security researcher who pointed out that their electronic voting machines are vulnerable to tampering: indianevm.com and usenix.org

In both cases, the uncomfortable theme is that governments can use their coercive power to try to silence critics, and that especially includes critics who try to shed light on uncomfortable truths…