March 07, 2017

Wikileaks, the CIA and cybersecurity (updated)

Julian Assange
Folks like Mark Ames and Yasha Levine are way ahead of me in their take on what Wikileaks' new revelation (NYT) of CIA hacking into various consumer devices, including but not limited to cell phones, means. Tim Shorrock is also weighing in on some connected issues.

Basically, it means we need to have some concerns over these government-funded, national-security-sector-funded online communications security applications and, indirectly, the operating systems running them. It also means we need to keep tabs on all the private agencies to whom the government has contracted more and more of its mushroomed national security operations.

Yes, technically, it wasn't the devices themselves, and it wasn't hacking — it was keeping open holes to bypass encryption on apps like Signal. Apps that, per Yasha Levine:
Snowden has touted, both directly and through intermediaries such as Glenn Greenwald.

Snowden, after spinning the language of whether or not it's a hack, and software vs. hardware, does repeated spinning of his own, in Tweets like this:
You'll never find "NSA," for whom Snowden used to work as a contractor, in those Tweets.

Nor will you likely find any admission that he had heard of such holes when he was an NSA contractor.

Speaking of, speculation — reasonably informed speculation — is high that it was a CIA contractor that was behind this dump. They, like NSA contractors, generally have lower standards of security, especially in the actual enforcement of said standards, than the Agency's own direct employees do. Snowden probably doesn't want to comment on that, either.

Related to that is the fact that the last two presidencies and the eternal? "War on Terra" have insisted on a large national security establishment, and both Obama and Bush have held fast to the idea that the private sector can do many national security functions more cheaply than the CIA.


The reality is that the private sector usually both costs more and delivers worse work. The fact that Dear Leader didn't overturn this, as part of not overturning other elements of the War on Terra he inherited from Bush, is yet another reason for real "progressives" or left-liberals or beyond to #DemExit.


Tim Shorrock has more on this at the Washington Post. Key takeaway? A full 70 cents on each government dollar of intelligence spending goes to the private sector.

Key takeaway No. 2? Nobody within the government-sector base of the intelligence world seems to want to admit this is a problem. It sounds like that would mean admitting some mix of oversight failure on their part and limitations on oversight controls that they can't fix. The fact that problems at Booz Allen persisted after Snowden's flight shows it IS a problem, whatever the cause.

Now, back to our main narrative.

On the former, surely the NSA is using those same holes. (And, probably, in a Mad magazine Spy vs. Spy angle, NSA and CIA are trying to steal each other's hacking tools.) On the latter, if you believe he knew nothing, I'll sell you Snowden's Putin-provided Crimean dacha.

To the degree The Intercept is discussing this, they do mention the CIA developed this in conjunction with the British, which also means that there's another reason the NSA has had the possibility to hear about it — or to do its own work in the same area that we don't know about yet, or so it would seem to me.

That said, let's go straight to Wikileaks' cyber-presser, specifically, this:
As an example, specific CIA malware revealed in "Year Zero" is able to penetrate, infest and control both the Android phone and iPhone software that runs or has run presidential Twitter accounts. The CIA attacks this software by using undisclosed security vulnerabilities ("zero days") possessed by the CIA but if the CIA can hack these phones then so can everyone else who has obtained or discovered the vulnerability. As long as the CIA keeps these vulnerabilities concealed from Apple and Google (who make the phones) they will not be fixed, and the phones will remain hackable.
So, on paper, at least, the CIA could hack at least @realDonaldTrump, if not also @POTUS?

First of all, this update, per Reuters.
Stuart McClure, CEO of Cylance, an Irvine, California, cyber security firm, said that one of the most significant disclosures shows how CIA hackers cover their tracks by leaving electronic trails suggesting they are from Russia, China and Iran rather than the United States.
This is directly relevant to Cozy Bear, Fancy Bear, Schmaltzy Bear, etc. Yes, those attacks MAY well be by Russian intelligence services. (If so, whether they were deliberate on the DNC at first, or just general fishing expeditions, and even after they eventually became deliberate at some point, how high the knowledge trail went within Russian intelligence circles are yet other questions.)

That said, national security establishment "eggs" claiming that Russian intelligence was incompetent here and there and with Guccifer 2.0 as well, when he was alleged to be a Russian agent? What if those were CIA bread crumbs instead? Not likely, but officially now not disprovable. 

A couple of other things to note.

First, Wikileaks noted, in the dump, that other countries may have similar potential to exploit these holes. Russia was mentioned by name. For those who think Assange butters up Russia, you're again proven wrong.

Second, let's see if Snowden mentions Russia at some point in the future.

Third, speaking of Levine, he's got a must-read at the Baffler on what's behind Cozy Bear, et al, from last year's Russian snooping and hacking.

Fourth, Levine notes — presumably as a counter to Snowden — that Signal is not a "chat app." He calls it a social network based on telephone numbers. Wiki calls it an app but does note the phone number backbone.

Fifth, yes, OpenWhisper has received government funding for Signal development. That may, or may not, have been contingent on government knowledge of coding for it or whatever.

Now, what about Assange? Noble caped crusader? Willing partner of Putin? Somewhat unaware co-opted agent of Vlad? Willful individualist, still with hacker's blood in his veins, who runs Wikileaks on a whim?

Per this piece from Moscow Times, which reinforced Daniel Domscheit-Berg's old book on Assange and Wikileaks, reviewed by me here, it's primarily the latter. It's probably about 70 percent this and 10 percent each of the other three.
