by sanityUnbounded 3382 days ago
After the initial Vault 7 release, and even after Snowden in 2013, this is barely news. Our devices are not secure.

Apple portrayed itself as a guardian angel for keeping the FBI off our devices for the past two years, while conveniently forgetting to mention that it has been installing iPhone backdoors for the CIA since 2008. edit: I misread the release, it is possible that they are installed after the fact, and Apple is not complicit.

The fact that to most of us this isn't "news" suggests there is a very deep and intangible flaw in our society. For the people paying attention, government hacking is the number one flaw in our democracy. It suggests that we aren't in a democracy at all.

Right now I am sitting in a classroom with 63 other students. Half of them are "taking notes" on their laptops while the other half are using a notebook or sleeping. Each student has a cell phone, each cell phone has a microphone and two cameras. In this room there are 63 microphones, 126 cameras, and approximately 30 open laptops, each with their own camera and microphone.

The CIA is collecting data from these devices as I am writing this. But it is hard to find anyone that actually cares. The narrative that is being pushed by traditional media and social media is that this is standard.

Just ordinary national security. To keep us safe.

Don't pay attention to Wikileaks. They are a threat.

This three letter agency is much different from that three letter agency, so that three letter government agency can't do this, but this three letter agency can.

Also, Russia.

10 comments

>> Also included in this release is the manual for the CIA's "NightSkies 1.2" a "beacon/loader/implant tool" for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones. i.e the CIA has been infecting the iPhone supply chain of its targets since at least 2008.

> Apple portrayed itself as a guardian angel for keeping the FBI off our devices for the past two years, while conveniently forgetting to mention that it has been installing iPhone backdoors for the CIA since 2008 [emphasis mine].

I think that's a misreading. The article only mentions "factory fresh" iPhones, which probably means ones that have not yet been unboxed, not necessarily ones still in the factory. IIRC, the NSA was intercepting packages in transit to install implants, and I'd imagine the CIA followed a similar process. So they had the cooperation of the shipping companies (e.g. USPS or UPS), not the manufacturers like Apple or Dell.

I mean, it might be possible that manufacturers were working with them as well (or perhaps just individual employees), but I haven't seen the evidence. Keeping some distance from the manufacturer would make some sense, if they wanted to keep the vulnerabilities secret.

Yes, you are right. My mistake, although I'd be very interested for Wikileaks to reveal which shipping companies are complicit, whether it be USPS, UPS, or the packages are intercepted in China before they even reach the States.

Now that I think of it, it might not even be the shippers doing the diversion, but Customs and Border Patrol:

http://www.joc.com/regulation-policy/customs-regulations/us-...:

> Tarek Morsi can almost set his calendar by the notices he gets from Customs when the agency selects a couple of his export containers for what it calls random inspections of their contents.

> HTS [Morsi's company] itself can’t perform the unpacking and repacking of its customers’ containers for inspections, because Customs picks the bonded warehouses it uses for its Customs Examination Stations.

> Another Los Angeles broker who asked not to be identified said Customs has confirmed to him that it is targeting export containers containing household goods, computers and peripherals, and used vehicles. “They are looking for illegal arms exports,” he said. Customs also may be targeting containers bound for Africa and the Middle East;

"barely news...."

"hard to find anyone that actually cares...."

What Wikileaks is changing, and what has had a real effect even here on HN let alone out in the normal world, is that we didn't quite know that the government was doing all these things. We very very very much expected that they were doing these things, but we were never faced with cold hard evidence. And a great deal of the rest of the populace sort of vaguely expected that the government was collecting stuff, but when faced with concrete evidence of this fact, it became real. Even those who strongly suspected only suspected in very vague terms, but now we have details, which is qualitatively different.

If you want people to care, it seems you need this concrete evidence, not just very well-sourced supposition. I say "it seems" because I am not theorizing about this; I am observing the reality on the ground. It doesn't matter how true it may be theoretically that we shouldn't have needed this information, how we should have theoretically had all the info we needed to care, because I observe that in fact we didn't have enough information to care, because largely, we didn't. If you want to counter that, please provide me with the observations that I'm wrong and people had enough to care, not just theory. (Though that will require you to contradict your own point that people don't care.)

I suggest to you that you meditate on where you got the idea that Wikileaks is a "threat" for releasing this information, which seems like it ought to help you towards your goal of getting people to care about these things, but which somehow you've talked yourself into trying to downplay and ignore. Who's the source of that idea, and who's pushing it? Are you sure you want to absorb the idea from those sources?

You don't have to "like" Wikileaks to use this information, nor do you have to trust their motives beyond ensuring that the provenance of the files is correct. I do suggest keeping in mind that they may still be filtering the flow (they are certainly modulating it, as they themselves say, so this is no accusation or anything), but you can still do correct logic on the information that is provided (assuming it is accurate). You just shouldn't do any logic based on what is missing. (However, I can't say I'm seeing very many people making that mistake.)

GP is lamenting the fact that this is "barely news" and the bit about Wikileaks being a threat was sarcasm.

Why should I care a spy agency has spy tools? (Which is all these leaks show.)

I mean, the CIA could always have broken in to my house undetected and set up tiny microphones -- why should I worry now that they use computers as part of that, but not then when it was bugs transmitting radio?

The reason people don't care now is why they didn't care then: so what? Do you really believe the CIA gives a shit about what you have to say?

There is this old joke that one should think like one's neighbor: it's not me they want, it's the neighbor.

Joke aside, so long as you are not politically active, don't run a company, are not a doctor, a lawyer, or a priest, vote for the right political party, have friends with any of the above, or have children or spouse that are friends with any of the above, then it is likely that they don't care what you say. Just make sure you got a high enough citizen score.

> Do you really believe the CIA gives a shit about what you have to say?

As we learned from the Snowden leaks, surveillance is being conducted on a massive scale under the purview of a secret court that rubber stamps whatever comes across its desk, and not in a targeted manner as in your bug argument.

I still have a right and desire for privacy, which is not a function of whether or not the CIA, or anyone, cares what I say or do.

This level of clairvoyance is too much power for any one person or group to have, and is of what Orwell and others have rightly warned us.

I'm sorry to be blunt, but you seem uninformed.

All of the information we saw from the Snowden leaks was passive interception of lines they had a legitimate need to tap. What they did, which I don't agree with, was intercept all the data and analyze it to deduce likely targets, rather than explicitly targeting data to capture. That was the entirety of the Snowden leaks: they're overly broad in their selection criteria because they wanted to run targeting filters instead of having to pick targets before intercept.

That's a whole different sport from pretending they tap every computer in the world with spy tools. Legally, ethically, and practically.

So I think you (and sibling comments) are simply uninformed, delusional, and making up wild, unreasonable accusations based on emotion, not rational thought.

> That was the entirety of the Snowden leaks

Is that so? So the NSA did not secretly collect all data from the unencrypted fiber between Google and Yahoo's data centers? And the NSA never paid RSA Security 10 million dollars to back Dual_EC_DRBG as part of the broader program Bullrun intended to subvert and weaken cryptographic protocols that underlie our national security and critical online infrastructure? You are aware that the Snowden documents discuss intelligence agencies outside the US as well, and detail our coordination with these agencies? What about spying on allied foreign world leaders? Gag orders placed on the largest companies on earth? Parallel construction?

I am almost skeptical that you are intentionally understating the significance of what the Snowden documents revealed.

He appears to be correct. Much was editorialized, so legit issues got mixed up with false statements.

> So the NSA did not secretly collect all data from the unencrypted fiber between Google and Yahoo's data centers?

I recall mentions of this, but do you have a source for your "all" claim here? As that would be a bit different than passively watching for specifically tasked IPs (or other selectors).

> And the NSA never paid RSA Security 10 million dollars to back Dual_EC_DRBG as part of the broader program Bullrun intended to subvert and weaken cryptographic protocols that underlie our national security and critical online infrastructure?

I believe this was theorized based on something that did look legitimately concerning in a Classification guidance document, but this was not substantiated within the leaks. Did new material come out which substantiated this claim?

> You are aware that the Snowden documents discuss intelligence agencies outside the US as well, and detail our coordination with these agencies?

We definitely partner with agencies outside of the US, this is not a secret.

> What about spying on allied foreign world leaders?

This was also certainly in the leaks. Countries gather intelligence on other countries, whether that is for nonproliferation reasons, understanding military intentions, or other reasons. People are free to believe that this shouldn't happen, but again, not much of a secret.

> Gag orders placed on the largest companies on earth?

What are you referring to here? Collection for FISA targets, or something else? Not very clear (We probably do agree with it being problematic).

> Parallel construction?

This was in articles about the leaks, but I do not believe there was any material in the leaks which indicated that this was a known practice (versus a theory of what might happen).

The logistics of breaking into a house undetected to set up tiny microphones suggests a lot of manpower, and to do that to each house in the United States would be near impossible without raising suspicion.

The reason to care now is because it likely wasn't happening then.

Also, whether the CIA "gives a shit" is irrelevant. It is still happening regardless, and you cannot know for certain what the CIA does and does not "give a shit" about.

If you have documents showing what this data is being used for, do the world a service and release them.

I partly agree with you. I think that some of this technology is intrusive, and that there isn't nearly enough transparency around what the "intelligence" agencies do.

That said, I'd like to see a lot more attention to data brokers like Acxiom, Transunion, and Equifax. While having an enemy like the NSA is sharp and simple to understand, having loan applications and other things mysteriously denied is far more menacing to me. That and the fact that unlike the intelligence agencies, there is almost no data privacy protection for people around data brokers.

The current state of affairs led me to believe that there's no big difference between data brokers and intelligence agencies from a citizen/sw_user perspective: they use shading techniques to extort and intercept data about people, from people, giving them to other people, for unclear and/or deplorable aims.

Terrorism and marketing are two reasons looking for a question, the reality is that who's doing this wants the power that comes with knowledge, and there's absolutely no difference between an intelligence agency and a data broker in this.

Are you kidding me? Wikileaks is giving us proof against conspiracy nuts that we have never had before. Just because people in your bubble don't care, doesn't mean that this isn't effective. Releases like this spark discussion and give people fuel to fight the fire.

Can I get a source on this?

> while conveniently forgetting to mention that it has been installing iPhone backdoors for the CIA since 2008.

I'm more inclined to believe a company than someone who clearly has a knack against Wikileaks.

I believe his post was awkwardly worded and that "Don't believe Wikileaks, they are a threat" is just a jab at how the media is portraying Assange and Wikileaks.

Yes, maybe I could have written that better. My attention is stuck between Wikileaks and my professor talking about binary trees.

Typical 21st century bs.

> who clearly has a knack against Wikileaks.

Maybe not as clearly as you think.

The 'wikileaks is a threat' was part of the false narrative that the parent post says is being presented to the masses.

>it has been installing iPhone backdoors for the CIA since 2008.

[Citation needed]

Also a bit interesting that this account was created the same minute that this comment was posted.

And this one was aged for a while before showing up. What is your point?

> In this room there are 63 microphones, 126 cameras, and approximately 30 open laptops, each with their own camera and microphone.

Would it not be possible to also use the loud-speakers as microphones?

Before leaks, "Thinking the government is monitoring everyone online and using their mobile devices to spy on them is insane, you conspiracy theorist."

After leaks, "This is barely news, everyone knew this already."

Every. Single. Time.

Similar to the first "Vault 7" release, this is guidance related to spy tools. No mass surveillance or anything which appears to be unjust. These all require close-access exploitation, they are not remote, in fact most of the guidance specifically relates to these being designed for devices which are to be gifted to the targets.

Yeah, that cache of zero days and all those DLLs aren't for mass surveillance. Ok. That's super duper believable.

I do not understand your response. You have not refuted my comment at all.

By design, a zero day cannot be reasonably used for mass surveillance. Every endpoint targeted increases the chance of discovery. This is how many would probably prefer to see a spy agency be operating: focus on their specific targets instead of dragnet surveillance.

As for this specific release, it requires physical access (and a very outdated OS).

Why should I believe the CIA isn't using its "targeted" tools on say, American ISPs or carriers, giving them access to a dragnet level of data through a single "targeted" attack? The CIA is not staffed by reasonable people, and I have 0 reason to trust they operate in good faith or with the best interest of anyone but their own organization in mind. Which they like to demonstrate by being consistently Caught In the Act influencing foreign elections, trafficking drugs, etc. Any tool they have will be abused.

I definitely am not trying to make you believe anything, nor am I defending any past actions of the CIA (I don't know enough about all that to have an opinion). My comment is only based on my own review of all documents released so far in Vault 7. All indications show that these tools are made for use on specific targets, applied on devices by a human operator or asset.

Infection of device on a supply chain isn't? Many people that aren't suspected of anything could end up with a backdoored device.

That is a very fair point, but I think WikiLeaks actually misunderstood that. I assume you are referencing this:

> Also included in this release is the manual for the CIA's "NightSkies 1.2" a "beacon/loader/implant tool" for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones. i.e the CIA has been infecting the iPhone supply chain of its targets since at least 2008.

It seems that WikiLeaks has misunderstood the meaning of "factory fresh" in the manual. This simply means it is a new device. If you look at all the source documents, it appears that NightSkies was built under the user requirement that a CIA agent is in a position to gift a device to their target, pre-infected. Regardless of how one might feel about that practice, I think it is a big difference with regards to the "supply chain" phrasing because they mistakenly indicate that the infection would literally occur at the factory, and that is definitely not indicated in any of the documents.

Yes, but that's not as crazy as it sounds.

I think many folks draw an (implicit, often subconscious) distinction between invasions of privacy that they care about, vs those they don't, and the former ties closely to the presence of a human mind on the other end of the wire. For most people it seems, the whole concept is linked much more closely to the fear of shame (e.g., your slightly bizarre kink will be outed to friends or family who might look at you differently) than to the fear that the regime will find out you are a threat to it, and will come after you.

In other words: because the CIA's computers don't care if I am a furry and are never going to tell what they hear, I don't have to care that they're listening.

People (rightfully) dismiss as insane the notion that some weird dude is sitting in the basement of the NSA listening to the details of your life, in particular (the NSA's basement and budget are not big enough to house enough weird dudes to listen to make the chance of your life being monitored any more than vanishingly small). But it's been pretty common knowledge for a very long time that if Power really wants to know something (whether it's about you or anything else), it has a pretty good chance of learning it.

> ...and are never going to tell what they hear, I don't have to care that they're listening.

Why do you think this is the case?

Has the government sufficient ability to secure data that the very fact they possess databases of information on US citizens isn't fundamentally problematic? Based on only the last year of breaches, I'd argue no.

> People (rightfully) dismiss as insane the notion that some weird dude is sitting in the basement of the NSA listening to the details of your life

That is not a claim that any rational critic of bulk surveillance makes. And, ya know, machine learning exists. They won't (or don't) need humans to analyze the data they collect.

> ...the whole concept is linked much more closely to the fear of shame...

Embedded journalists, activists, people with sensitive medical information.

> Embedded journalists, activists, people with sensitive medical information.

This reference sample is very small if compared to the possibilities.

Everybody has something private that can be used to extort information, to gain privileges or what-else.

The US is not in the position to assure the current surveillance infrastructure (and so the confidentiality of the data) will endure the centuries.

An example? ...

When you read [https://byparker.com/blog/2016/tim-cook-s-privacy-battle-is-...],

knowing that back during the cold war the Stasi used to target `a certain kind of people` (with romeos and wiretapping),

knowing that the Stasi lost control of what are called "the pink files" and that we currently have no idea of whoever is benefiting from them,

you start to realise that what currently can be considered a non-issue may in the future be something very dangerous.

> Embedded journalists, activists, people with sensitive medical information.

And? At risk populations are always minorities.

Journey Into the Whirlwind by Eugenia Ginzburg is a book you'd probably enjoy.

https://www.amazon.com/Journey-into-Whirlwind-Eugenia-Ginzbu...

Minorities are the most exposed and I perfectly agree, but with the new capabilities (big data analysis in particular) I believe that ANYONE can be a target, not only minorities.

Edit: the book seems great, I'm gonna buy it, thank you for the hint.

It doesn't matter if there is someone actually looking at the information or not. The violation comes in collection. If they collect, I will self-censor. Free speech cannot exist without privacy because speaking to myself is not actually speaking and speaking to anyone else freely becomes impossible. But you're right about one thing: most people are indeed too stupid to realize why they should care. The government doesn't care about people who are furry ... until furries do something that the government doesn't like. Then they'll care. Then they'll care a lot. Too bad it'll be too late by then to do anything but watch the furries get executed.

Frankly, I trust the US government more than my local ones, to have this information.

What I don't trust is the neutrality regarding company sensitive information and competitors. (I still trust the US government more than I would trust most any other than that, but still not much.)

> The CIA is collecting data from these devices as I am writing this.

Citation needed.

The CIA is almost certainly ignoring all of that data. [Ed: Since this was unclear, by "ignoring", I meant not interested in and not capturing it. As in, they're "ignoring" the information stream by not tapping it.]

If anyone is collecting it, which is largely doubtful, it would be Facebook collecting microphone noise or Google collecting location data (or other apps doing similarly). Of course, people have volunteered that data themselves, and you should be annoyed at your classmates for recording you.

The CIA (and other letter boys) can gain access to the data stored by these commercial companies after the fact, as part of their chartered duties.

You have some kind of voyeuristic fantasy that just because spy tools exist at a spy agency, they're somehow -- ZOMG! muh democracy! -- breaking their charter in a massive way by domestically spying on a bunch of students sitting around in class.

No. That's paranoid fantasy. There are real issues with the CIA, but that they own computer spy tools (and your fantasy of being watched hundreds of times right now) isn't one of them.

> breaking their charter in a massive way by domestically spying on a bunch of students sitting around in class.

You are aware that the CIA has done exactly that already, right?

https://en.wikipedia.org/wiki/Project_RESISTANCE

https://en.wikipedia.org/wiki/Operation_CHAOS

Uh, that second link isn't like the first.

Foreign PSYOPs exploiting local minority (or other) groups is a standard way to undermine a government. It's a tactic at least thousands of years old.

I would say it's literally the CIA's job to keep an eye on that kind of activity.

Circling back to your first link, which is an issue, I'm still not 100% convinced they acted inappropriately. You notice how it says they compiled a database of people who might cause property damage using the opinions of independent people on the ground, and not that they put bugs in random students' dorm rooms?

That, given its relation to the appropriate tracking of foreign influence, might've been okay.

In either case, neither of your links is anything like the allegation they're massively and indiscriminately spying on random students.

So... Citation needed.

> Foreign PSYOPs exploiting local minority (or other) groups is a standard way to undermine a government. It's a tactic at least thousands of years old.

> I would say it's literally the CIA's job to keep an eye on that kind of activity.

Ok, and they did so by spying on Students for a Democratic Society, which is mentioned in the second link. I fail to see your point.

> The CIA is almost certainly ignoring all of that data.

I guess that makes it all ok then. Nothing to see here folks. Move along.

> The CIA is almost certainly ignoring all of that data

Citation needed.

Do you suggest that the data is destroyed after it is deemed unimportant?

If not, that suggests a far more terrifying scenario in which the data is collected and stored in the event that it would need to be brought up at a later date.

I'm suggesting it's not collected in the first place, no bugs exist on any of those computers or phones, etc.

That's what ignoring it means: it only exists in whatever fleeting capacity the local devices capture it, and the CIA has no interest in capturing or analyzing it.

"They can use the system to go back in time and scrutinize every decision you've ever made, every friend you've ever discussed something with, and attack you on that basis to sort of derive suspicion from an innocent life and paint anyone in the context of a wrongdoer." -Edward Snowden

Sorry, but I don't buy that they aren't in the business of data collection. I'll buy that they don't have the time to analyze everything if there's not a compelling need, but the data does exist and is readily available to be abused at any time.

Just a note: the fact that Wikileaks is most likely Putin's work doesn't make it less valuable; it's just that you'll never see anything about Russia of relevance, and if you do, it's probably fake. You can be quite sure that leaks from the West are pristine.

Can you provide an example of Wikileaks reporting something that was fake?