Latest WikiLeaks on encryption bypass


Latest installment from the WA Post:
"A statement from WikiLeaks indicated that it planned to post nearly 9,000 files describing code developed in secret by the CIA to steal data from targets overseas and turn ordinary devices including cellphones, computers and even television sets into surveillance tools."


Here's the essence of the Post piece, if you don't want to read the whole thing. If this is accurate, I think WikiLeaks crossed the line by releasing this material:
WikiLeaks said the trove comprised tools — including malware, viruses, trojans and weaponized “zero day” exploits — developed by a CIA entity known as the Engineering Development Group, part of a sprawling cyber directorate created in recent years as the agency shifted resources and attention to online espionage.

The digital files are designed to exploit vulnerabilities in consumer devices including Apple’s iPhone, Google’s Android software and Samsung television sets, according to WikiLeaks, which labeled the trove “Year Zero.”

In its news release, WikiLeaks said the files enable the agency to bypass popular encryption-enabled applications — including WhatsApp, Signal and Telegram — used by millions of people to safeguard their communications.


Adam Langley is responsible for Google's TLS infrastructure. He also wrote Pond, an asynchronous messenger with OTR-style forward secrecy with strong sender-receiver un-linkability (basically Pond is highly resistant to traffic analysis). It was a side project of his and is sadly no longer maintained.

Morgan works for the Intercept, yeah.

Joanna Rutkowska is another personal hero of mine. She's done awesome work.

Thanks for your kind thoughts, but my assessment of my software engineering ability isn't meant to be false modesty. I know where I stand in relation to many friends and colleagues. The only remarkable part of my background is my activist past. Otherwise, I am profoundly ordinary/mediocre as a programmer and systems person. I have an upward learning trajectory, but I am not even a journeyman engineer, yet.


I suspect you underestimate your skills. Thanks for the info on Joanna and Adam.

Here's what "The Intercept" wrote on the topic. It's quite similar to the demolition of The Guardian's claims re: the presumed "WhatsApp breach" and it's also essentially what you wrote here earlier today:


Here's an interesting follow-up on the topic:


Comments on this? I've seen one claim that this software is "routinely" installed on iPhones:

Today, March 23rd 2017, WikiLeaks released Vault 7 “Dark Matter”, which contains documentation for several CIA projects that infect Apple Mac Computer firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA’s Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware.

More here:


Hmm ... not sure what "routinely" would mean, since installing any of this stuff requires physical access to the device. Can you say where you saw that claim? I would think installing any of this modified firmware would be done in a targeted way, or it doesn't strike me as very scalable. Unless of course, it was installed on all Apple devices in the factory or something, which I don't think is the claim.

Just my 2c.

Physical access to devices is very important. At my job (in the tech world) we are constantly reminded by our security people to never leave our devices unattended or accessible, even if they're off or locked. The stuff described here is but one reason why ...

One general observation I have about our normal human reaction to security news like this is that we tend to focus on the exotic (remote exploits, CIA programs, putting tape over our cameras, etc.) a bit more than the basics -- custody of devices, basic account security, password rotation, 2FA, understanding of encryption ... in my experience working with many news organizations, it's these basic things that actually end up causing the actual, real-life sorts of problems in terms of data theft and unauthorized access.


I saw the "routine" claim in an online comment posted yesterday on "The Intercept" in response to Sam Biddle's article but I couldn't find confirmation anyplace else. Just today though, Biddle posted another article on the same topic: