Vault 7

Gaius ::

Since the debate about the WikiLeaks disclosures under the front-page news item will otherwise die out sooner or later, I am opening a new thread here on the same subject. WikiLeaks says that with this first batch it has released less than 1% of its information on the CIA.
https://slo-tech.com/novice/t695702/0


1. Some reactions to the disclosure: http://www.bbc.com/news/technology-3920...

2. And about the secret CIA base in Frankfurt:
http://www.dw.com/en/frankfurt-used-as-...

3. The consequence:
Germany's chief federal prosecutor has announced examination of U.S. hacking activities at the Frankfurt 'Consulate' and may prosecute.


4. Microsoft wants a digital Geneva Convention:
https://blogs.microsoft.com/on-the-issu...

In any case, I am surprised by the response this "disclosure" has received. I did not expect such a strong reaction. I am glad it is like that.

PaX_MaN ::

Wait a week, then it will all quiet down.
Which is the only right outcome.
And whoever leaked this must rot in solitary confinement.

Pac-Man ::

I haven't gone through the documents myself, but those who have say that the reporting is largely paranoia.

https://twitter.com/pwnallthethings

Interesting how effective the "here's loads of docs, and my summary. Go go go" is at getting journos to publish the summary nearly verbatim. The demand on journos to report out quickly forces the narrative which then never gets shaken, regardless of later careful analysis. It's actually exactly the same reason why zero-context tweeting by POTUS / unembargoed releases gives WH a narrative setting advantage

http://blog.erratasec.com/2017/03/some-...

The CIA didn't remotely hack a TV. The docs are clear that they can update the software running on the TV using a USB drive. There's no evidence of them doing so remotely over the Internet. If you aren't afraid of the CIA breaking in and installing a listening device, then you shouldn't be afraid of the CIA installing listening software.

The CIA didn't defeat Signal/WhatsApp encryption. The CIA has some exploits for Android/iPhone. If they can get on your phone, then of course they can record audio and screenshots. Technically, this bypasses/defeats encryption -- but such phrases used by Wikileaks are highly misleading, since nothing related to Signal/WhatsApp is happening.

There's no false flags. In several places, the CIA talks about making sure that what they do isn't so unique, so it can't be attributed to them. However, Wikileaks's press release hints that the "UMBRAGE" program is deliberately stealing techniques from Russia to use as a false-flag operation. This is nonsense. For example, the DNC hack attribution was live command-and-control servers simultaneously used against different Russian targets -- not a few snippets of code.

I believe the last point will be harped on a lot in the near future.

janezvalva ::

Nothing we didn't already know.
IQ test: you have 2 l of water in one bucket and 1 l of water in another. How many buckets do you have?

Pac-Man ::

The authors of Signal:

https://twitter.com/whispersystems/stat...
The CIA/Wikileaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption. The story isn't about Signal or WhatsApp, but to the extent that it is, we see it as confirmation that what we're doing is working. Ubiquitous e2e encryption is pushing intelligence agencies from undetectable mass surveillance to expensive, high-risk, targeted attacks.

https://twitter.com/SwiftOnSecurity
This is the ticket. You want a conclusion? CIA has to work to target devices, they can't just dial-in or tap a wire. This is the company that develops Signal, and whose technology is licensed in WhatsApp. You're worried about mass, indiscriminate, undetectable invasion of privacy? Your work has paid off, and you have the proof. This is a win for the 99.997%. Except for the people murdered by the other percent because the CIA couldn't listen, of course. :(

Fact that the CIA doesn't need a cornucopia of 0day/crypto breaks reinforces that the security weakness isn't the app. The weakness is you. Security isn't an impossible goal reserved for some elite with $2000 phones. It's choices. It's education. It's designing for people.

The fact that "#Vault7" was released is proof it's worth far more as a political talking point than as any kind of technical weapon. Who analyzed #Vault7? Who wrote the summary, whose insinuative talking points you see repeated verbatim on the news in a publicity blitz?

Every headline about the CIA hacking Signal/WhatsApp was written by Wikileaks in their summary, based on nothing. Does it matter what the truth is, when WikiLeaks can write the headlines, and days later no one can find what they were talking about? It's like the security community are only ones who remember Wikileaks pulling the SAME SHIT every single time. At least you got the clicks.

This was a lie. There is literally nothing about any of those apps in any of the documents. How's it feel to be a sucker?


By spreading lies about secure communication methods, Wikileaks purposely instills fear, uncertainty, and doubt in the most vulnerable.

https://twitter.com/zeynep/
Look, if the NSA or the CIA is after you personally, with sufficient interest, my money is on them. That's very different. But it's also not true that everything is equally compromised, hopeless. That's Wikileaks playing on journalists' gullibility, as they do..

This will go on all week, I presume. Journalists; please team up with information security people to report on this. Work with Wikileaks, and you'll get cheering Alex Jones fans & confused journos instead of debate on "democratic control of cyberweapons". These are important issues; deserve discussion, consideration, reporting with proper context and explanation, etc. Hah, right? Instead, we have timing to play with particular "deep state" narrative, and scare journalists from investigative reporting. ¯\_(ツ)_/¯

Update software; enable two-factor on everything; use a security key ($17.99 on Amazon, blue); iPhone, not Android, open attachments in a Chromebook or Gdocs or iOS (never in Word or Adobe)—copy the text as plaintext to notepad to work with—etc. Now, if you're a journo investigating an intelligence agency on head of a nation-state, well. Don't get advice on Twitter. Contact EFF, etc.

Misinformation is the new censorship. If we see evidence Signal hacked, it is noteworthy. Not in this dump.

Reporters; if you want to report accurately on Wikileaks dump, I'll connect you to cryptographers & infosec experts. Anti-surveillance ones.

Android phones do not get timely updates; the only acceptable android is Google's own Nexus etc. phones; but iPhone even better.

E2E solid—revelation. Nation-states try to hack phones—no revelation. CIA can't keep (oldish) hoard safe—revelation.

Amazing how outlets regurgitate a Wikileaks press release & NGOs whose job is to inform uncritically pass it along. Seeing a few corrections but the misinformation is out there—goal of confusion accomplished. The CIA dump doesn't show what is reported. Internet connected devices are notoriously insecure. iPhones are toughest. Non-Google android phones are a joke. Encryption appears unbroken. All known issues; but even those don't mean it's all remotely doable. Dump doesn't mention Signal/Whatsapp. Straight up WL misinformation.

Reporters kept parroting their "press releases" in rush to scoop. Still haven't learned. They are not reliable. That someone released a CIA dump now is newsworthy. The intel agency collects ways to hack. Technically, no surprises yet. Misleading PR. CIA methods dumped are not distinguishable, as far as I have seen yet, from stuff shown at regular open conferences. No oh wow magic yet. IP device insecurity & state surveillance are important. I write about it all the time. But reporting the opposite of truth isn't conducive.

And this is the truth. Update your software; use two factor. Phishing is what actually gets used.

