CIA Vault 7

[mojo84]

The issue isn't so much that it is a "surprise". It's that we are now seeing confirmation of what is we suspected and thought we knew.

Glad you have such confidence that surveillance doesn't happen without the proper warrants. Keep in mind, not all regular citizens have the resources and expertise that some of your clients have.

With regard to your comment about leaving TV's and phones on unattended, how is one to know that their phone or TV isn't in the "game off" mode and are actually turned off? So you unplug your TV or remove your phones battery every time you aren't using it?

Again, Do you believe the CIA and other government servers are encrypted?

[Beiruty]

Check the "device" in Batman the Dark Knight, It is possible and the near future with the explosion of IoT (Internet of everything), we are bugging our world by ourselves. Big Brother loves us all. The Big Eye watching you all.

http://www.criticalcommons.org/Members/ ... e.mov/view

[mojo84]

Even the IRS has been breached. http://www.cbsnews.com/news/irs-identit ... ranscript/

Amazon's Echo has been used to snoop.

If it was all as secure and locked down as some would like us to believe this stuff would not be happening.

http://www.databreachtoday.com/breaches-c-318

[SRVVR]

Waiting for someone to start talking about chemtrails next.

This thread might prove to be a nice entertaining break from the day.

[ScottDLS]

The issue isn't so much that it is a "surprise". It's that we are now seeing confirmation of what is we suspected and thought we knew.

Glad you have such confidence that surveillance doesn't happen without the proper warrants. Keep in mind, not all regular citizens have the resources and expertise that some of your clients have.

With regard to your comment about leaving TV's and phones on unattended, how is one to know that their phone or TV isn't in the "game off" mode and are actually turned off? So you unplug your TV or remove your phones battery every time you aren't using it?

Again, Do you believe the CIA and other government servers are encrypted?

Of course they're encrypted. But they also have much better physical and other technical security than the average company or individual. If you are being monitored without a warrant by the FBI or LE Agencies, then what are they going to do with the information? It can't be used in court without them admitting to illegal activity and your lawyer getting the evidence suppressed. If they are breaking the law to get it in the first place, what makes you think you're safe from them breaking the law to throw you in jail or kill you if they really really want to? US hasn't taken out Snowden or Assange yet, though they are undoubtedly physically capable of flying a drone in the window of the Equadorian Embassy in London, or bombing Moscow. They want them a lot more than they want me...or the other Tea Party troublemakers.

The confirmation that the CIA is using these techniques worries me less about what they (CIA) are going to do (to me) with it... than that it means hostile intelligence services and criminals (identity thieves, etc.) likely have access to the same techniques now.

I don't have a recent model TV in my home, and I personally patch and set up my WiFi routers with care. However, if I were very concerned about my security being compromised by an organization with the resources of US GOV. I would not use WiFi at all...nor would I have an Amazon Alexa device in my house which could potentially be used to bug my home. I also would not have my data cables from the ONT to my router OUTSIDE my house like the Verizon guy did 10 years ago. I do have a cell/wireless monitored alarm with a battery backup, but if the FBI was intent on bugging my house and wiretapping me (with or without a warrant), I would have to take more extraordinary measures. High security pick resistant locks, reinforced doors, dedicated encryption hardware on my wired communications, RF proofing of the house, sweep for bugs, etc.

The amount of effort you put into protecting your security has to be determined by your personal assessment of the threat. I'm much less concerned about the CIA spying on me than I am the FBI or IRS or local LE or the mafia or zombies. I protect myself against rogue LEO's, mafia, and Zombies, not the Soviet Army or KGB, GRU.

[ScottDLS]

ScottDLS <----- Mutters to himself about chem trails, microwaves beaming at brain, people watching from street corner (causing much consternation among work colleagues, who are already wondering what he's typing on CHL Forum)....

[The Annoyed Man]

The big problem for me is that the CIA was directed by Obama to NOT "hoard" Zero Day vulnerabilities when it finds them, and to pass them on directly to the manufacturers of the affected commercial products so that they can mitigate the vulnerability before it is taken advantage of by bad people. The Wikileaks dump appears to show that, in fact, the CIA has disobeyed a direct presidential order, and has in fact hoarded these Zero Day vulnerabilities without notifying the affected manufacturers, so that the CIA can exploit them at will.

Of course, the net effect of their entirely rogue policy is that everyone's affected devices are LESS secure to ALL such penetration, not just the CIA's devices, and not just the nation's enemies' devices. The CIA does not employ the only talented hackers out there. And if the CIA can find these vulnerabilities, so can the Chinese, and ISIS, and anyone else who applies themselves to the task. Adding to the problem, it's not just the digital devices belonging to private citizens that are exposed to exploitation. Gov't employees in positions of responsibility ALSO use these devices. Just ask Hillary Clinton.

Hackers are part of the digital landscape, just like the Flu virus is part of the biological landscape. You can't make people stop being immoral, but you can stay one step ahead of them by using the information you have about them to act in a positive and responsible manner to mitigate the effects of their immorality. The moral equivalent of what the CIA is doing would be their discovery of a deadly disease for which there isn't YET a known cure, and then refusing to notify the medical/pharmaceutical community so that they can begin to develop a vaccine against it......AFTER having been explicitly ordered by the sitting president to NOT hoard such information, and to instead immediately release it to the stakeholders who will be called on to develop the vaccine. You can't develop a vaccine against a disease you don't know exists.

[ScottDLS]

...
Of course, the net effect of their entirely rogue policy is that everyone's affected devices are LESS secure to ALL such penetration, not just the CIA's devices, and not just the nation's enemies' devices. The CIA does not employ the only talented hackers out there. And if the CIA can find these vulnerabilities, so can the Chinese, and ISIS, and anyone else who applies themselves to the task. Adding to the problem, it's not just the digital devices belonging to private citizens that are exposed to exploitation. Gov't employees in positions of responsibility ALSO use these devices. Just ask Hillary Clinton.
...

The one part of the above where I'm not sure...

I think the zero day hacks and other backdoors are probably not in the devices that NSA develops (and shares with the rest of DoD and IC), they are in the commercially available devices, that the rest of us mere mortals use. The Wikileaks revelations are unlikely to show vulnerabilities in DoD and Intelligence hardware, because the specs for such, and availability of such is extremely limited. I've "heard" that the only people with the known technical ability to intercept US encrypted communications are the NSA itself and even that they don't give their best hardware to the rest of the Intelligence Community.

[The Annoyed Man]

...
Of course, the net effect of their entirely rogue policy is that everyone's affected devices are LESS secure to ALL such penetration, not just the CIA's devices, and not just the nation's enemies' devices. The CIA does not employ the only talented hackers out there. And if the CIA can find these vulnerabilities, so can the Chinese, and ISIS, and anyone else who applies themselves to the task. Adding to the problem, it's not just the digital devices belonging to private citizens that are exposed to exploitation. Gov't employees in positions of responsibility ALSO use these devices. Just ask Hillary Clinton.
...

The one part of the above where I'm not sure...

I think the zero day hacks and other backdoors are probably not in the devices that NSA develops (and shares with the rest of DoD and IC), they are in the commercially available devices, that the rest of us mere mortals use. The Wikileaks revelations are unlikely to show vulnerabilities in DoD and Intelligence hardware, because the specs for such, and availability of such is extremely limited. I've "heard" that the only people with the known technical ability to intercept US encrypted communications are the NSA itself and even that they don't give their best hardware to the rest of the Intelligence Community.

You may well be right in that part, but it still doesn't mean that highly placed gov't employees who have access to very sensitive information aren't at risk. HRC and her minions used iPhones, and they refused to use the SCIF when using those iPhones to handle sensitive information. If CIA didn't hoard iOS Zero Day hacks, maybe those phones would be more secure.......assuming they actually kept up with updates, etc.

In all probability - at least for now - no American intelligence agency is likely interested in me, so I'm probably not at risk of a hack from that vector. But that doesn't mean that as long as CIA (and/or other US intelligence agencies) hoard zero day hacks, my iOS device isn't vulnerable to non-state-sponsored hacking.......despite the fact that Apple releases patches as soon as they discover vulnerabilities, and despite the fact that I update my devices as soon as the patches become available.

[TexasJohnBoy]

We know our government has this (well, we already did, in all honesty), and we know that areas within our government will leak sensitive information when it suits them, so we know there are at least areas of the government that can't be trusted and will flout policy/laws when it suits them. Do you feel warm and fuzzy yet? About that tinfoil hat...



How many more of these - http://heartbleed.com/ - are out there that we just don't know about? How many things like this have the NSA or CIA or whoever found and haven't published because they want to exploit it?
Our law enforcement heads are saying now (and have been for a while, although not quite as directly as Comey) that we really have no expectation of privacy anywhere in our lives. Just strike the 4th amendment then, I guess.

And the argument of "If you've got nothing to hide, then what are you worried about" holds absolutely no water at all. That is a blatant surrender of our basic liberties as human beings and as Americans.

[SRVVR]

Must have more of these posts, they are great, please keep them coming.

[suthdj]

I guess if your really worried, move out in the country with no technology and be careful of what you speak in the open. There problem solved.

[anygunanywhere]

Just because I'm paranoid they're out to get me doesn't mean they aren't.

[treadlightly]

I don't understand why all those idiots in various government agencies - like the state department - don't use endpoint encryption. If your messages are stored in plaintext, you should be willing to shout them from the rooftops.

It also pains me that so many people seem to think a web site accessed via https (encrypted) connections is a secure server.

It might be, it might not be. Https just means the connection is secure. The data in flight to the server is pretty secure. Once its stored on the remote server it may be completely public. You just don't know.

As far as crypto that's completely uncrackable, even by the CIA, no problem - but you can't have ultimate convenience and ultimate security.

The CIA can't break a one time pad. You just have to communicate the pad separately from the ciphertext. Not convenient.

And don't get me started on election security. None of the right questions are being addressed.

[ScottDLS]

....
You may well be right in that part, but it still doesn't mean that highly placed gov't employees who have access to very sensitive information aren't at risk. HRC and her minions used iPhones, and they refused to use the SCIF when using those iPhones to handle sensitive information. If CIA didn't hoard iOS Zero Day hacks, maybe those phones would be more secure.......assuming they actually kept up with updates, etc.
....


In all probability - at least for now - no American intelligence agency is likely interested in me, so I'm probably not at risk of a hack from that vector. But that doesn't mean that as long as CIA (and/or other US intelligence agencies) hoard zero day hacks, my iOS device isn't vulnerable to non-state-sponsored hacking.......despite the fact that Apple releases patches as soon as they discover vulnerabilities, and despite the fact that I update my devices as soon as the patches become available.

And therein (RED) lies the problem and is why HRC should have been prosecuted. The best technical security can be ruined by sloppy procedures, which is why the government has the laws regarding handling of classified information.

However, I'm not sure that CIA (really NSA) should share all their tools and exploits with the equipment vendors publicly. Some of them are designed/manufactured in hostile nations (ChiComms) and in theory we want them unpatched for the CIA and other US agencies to exploit. If you want to protect yourself personally from highly skilled bad actors, you should take additional actions that Defense firms and government agencies take with regards to security. I'd rather not depend on the nice guys at the CIA to share ALL their best stuff. As I said earlier, the rumor is that the NSA doesn't even share its best tricks with the broader US Intelligence Community.