NSA has direct access to tech giants' systems for user data, secret files reveal

Discussion in 'privacy general' started by Dermot7, Jun 6, 2013.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Last edited: Mar 10, 2017
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    @Krusty -- That is hilarious :argh: But dark-humor Easter Egg seems more likely than poorly hidden CIA connection.
     
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    CIA Reviews Of Antivirus Software Among Purported Wikileaks Document Dump
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I wonder what a comprehensive analysis of the dump would reveal.

    But then, this is old data. Leakers are too lazy ;)
     
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Yes, it seems rather dated.
     
  6. guest

    guest Guest

    This affair is just a big smokescreen to me, obsolete infos, methods everybody a bit knowledgeable in computing would know. Nothing sensitive or life threatening revealed.
    Looked like a big bait and the hungry fish fell for it.
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    Maybe they posted only info that is no longer valuable to them.
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Right. And this is a leak of a leak. So maybe the hacker only gave WikiLeaks old stuff.
     
  9. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    From what I've seen so far, the technical details of the exploits are the least interesting thing about the dump, even if they are all patched, it doesn't give a person any confidence that similar recent exploits are not also there - inevitably they will be.

    The more useful aspects of it are the public exposure & confirmation of troubling policy problems, particularly the structural weakness of the major operating systems (that includes you, Linux), the continued prioritisation of attack over defence (and the inadequacy of the vulnerabilities equities process), the absence of principled oversight and policy for what is being done, the public money being paid into exploit software and its inevitable dissemination into the wild, and the possibility that attack tools come from the "competition" and are even used to obfuscate attribution; finally, the inability to maintain secret information because it's over-stored and available to too many (similar to the case with mass surveillance).
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    ... Or maybe WikiLeaks has so far only released [to the public] old stuff? Weren't they going to work with vendors before full disclosure?
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yeah, they did say that. So o_O
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Basic take-home for the CIA: trusting contractors is a dicey thing ;)
     
  13. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
  14. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    FWIW: You be The Judge:

    "18 U.S. Code § 798 - Disclosure of classified information

    (a) Whoever knowingly and willfully communicates, furnishes, transmits, or otherwise makes available to an unauthorized person, or publishes, or uses in any manner prejudicial to the safety or interest of the United States or for the benefit of any foreign government to the detriment of the United States any classified information

    (1) concerning the nature, preparation, or use of any code, cipher, or cryptographic system of the United States or any foreign government; or
    (2) concerning the design, construction, use, maintenance, or repair of any device, apparatus, or appliance used or prepared or planned for use by the United States or any foreign government for cryptographic or communication intelligence purposes; or
    (3) concerning the communication intelligence activities of the United States or any foreign government; or
    (4) obtained by the processes of communication intelligence from the communications of any foreign government, knowing the same to have been obtained by such processes—
    Shall be fined under this title or imprisoned not more than ten years, or both.
    (b) As used in subsection (a) of this section—

    The term “classified information” means information which, at the time of a violation of this section, is, for reasons of national security, specifically designated by a United States Government Agency for limited or restricted dissemination or distribution;

    The terms “code,” “cipher,” and “cryptographic system” include in their meanings, in addition to their usual meanings, any method of secret writing and any mechanical or electrical device or method used for the purpose of disguising or concealing the contents, significance, or meanings of communications;"

    https://www.law.cornell.edu/uscode/text/18/798

    A bit of a "Sticky Wicket."
     
    Last edited: Mar 10, 2017
  15. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,549
    Location:
    Triassic
    Catch 22, as they say.

    I guess companies can not get the information from the Government either. Sorry, it is classified !
     
  16. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    True. All companies responded with something similar to "It's already patched with latest version". Like - you don't have to worry, we got everything under control. I wonder how they would react if suddenly active exploits would come to light.
    As long as attackers pay more for exploits than companies through bug bounties things won't change.
     
  17. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    @hawki - I thought one of the specific issues of this case was that the vast majority of the material WAS declassified (to avoid possible liability for prosecution of staff actually doing their duty).

    Also quite hard to argue in the case where they've been "acquiring" other people's code.
     
  18. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    @deBoetie :)

    That would make sense. I have found one source that states:

    "According to Wikileaks, the documents it released were not considered classified information because the nature of malware requires code to be left on target computers—handling classified information in such a way is prohibited. "

    http://reason.com/blog/2017/03/07/4-takeaways-from-the-wikileaks-vault-7-c

    I can not vouch for that website, but it stands to reason. Most websites, including the network news sites, seem to be less precise and loosely throw around the idea that the Vault 7 trove contains "classified" materials. President Trump's Press Secretary may have added to the confusion by his admonishment of yesterday warning, in reference to the Wikileaks dump, that classified materials remain classified even after a leak and public exposure.

    doh -- Yes that has to be right that malware that was deployed is not classified:

    reductio ad absurdum:

    If the malware was and remained classified, under Federal Law, The CIA would be obligated to retrieve/remove it from infected devices. I am not aware that the CIA has a Support Line for guaranteed malware removal :)
     
    Last edited: Mar 10, 2017
  19. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "Google, Microsoft Still Waiting On Wikileaks To Deliver CIA Hacking Tools..."

    "...Google did not offer official comment, but two sources close to the company's security staff said there had been no contact. One said there was now concern Wikileaks had duped the public with a PR move of little to no substance, though on Thursday one external Android security expert who'd reviewed the CIA files said it appeared there were multiple vulnerabilities Google would need to address..."

    https://www.forbes.com/sites/thomas...iting-on-wikileaks-cia-exploits/#15693af554c9
     
  20. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    98,075
    Location:
    U.S.A.
     
  21. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    The reporting around the messaging apps and so on has been poor, starting with WL and downstream. However, the claim that the applications are "safe" is also irresponsible - it makes no difference whether the crypto or the client is owned from the user's perspective, the communication is unsafe if the device is owned. It's generally unsafe as opposed to the individual applications being broken.

    You'd have thought that this would make it more important to have grown up discussions about the policy and oversight of these extraordinarily and evidentially damaging hacks, but that seems to be inconvenient, so you get the smokescreens.
     
  22. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402

    You mean my Androids are NOT really safe at the foundation level? ----- LOL!! I called Verizon about my joining their network using a fully unlocked and rooted Samsung (factory) and they told me NO way. I have been with them for some time and yet their statement to me was no unlocked Androids on their network. A policy move like that really makes a person wonder about ALL this stuff, doesn't it? I only wanted to do it as a learning thing because I KNOW an Android that is locked is quite insecure. Not sure about using an unlocked, encrypted at full ROOT, etc...... Android. I was going to play and learn but no dice. Don't want to attempt to "over power" them with a hacked phone so to speak. My Androids are "real name" use only.
     
  23. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    @Palancar - is there any facility for interfering with the radio aspects from an unlocked Android? They would have a legit problem with that from their network pov.
     
  24. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Not sure about that. I have always heard that Verizon wants the bloatware because it's a money maker for them. I have truly never gone deep under the hood on an Android. I keep fighting the urge to start because it will start a new "addiction" for me. I was willing to dabble with a factory unlocked and rooted phone. Reading through some encryption stuff it appears that encryption on non-rooted phones is only a fraction of what it could be. Again, only reporting what I read since I haven't been inside on one yet anyway.
     
  25. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU