********************  POSTING RULES & NOTES  ********************
#1 YOU MUST clip all extraneous text when replying to a message.
#2 This mail-list, like most, is publicly & permanently archived.
#3 Subscribe and post under an alias if #2 is a concern.

Wouldn't we trust Snowden more on this?

Yes I would. I wasn't eager to reply concerning the article by Zeynep Tufekci which Louis posted, because I felt a political agreement with him about Wikileaks, from what I could gather. More on that below.

But on technical matters, I believe he's wrong. Or more specifically he's wrong about what is being claimed. He displays that misunderstanding where he says: "this turned out to be misleading. Neither Signal nor WhatsApp, for example, appears by name in any of the alleged C.I.A. files"

But he later shows that he does understand the underlying technical issue: "techniques for hacking into individual phones. That way, they could see the encrypted communications just as individual users of the apps would...... That is about the vulnerability of your device. It has nothing to do with the security of the apps."

This is exactly right: the alleged (probably true) malware did exactly that: it wormed its way into the device deeply enough that it could observe any data within it. That would include whatever was input into the keyboard, microphone, or videocamera, and whatever was received (and decoded by the secure application!) destined for the screen, keyboard, or saved on the harddrive. FOR THAT REASON, there was no reason to mention any specific application that had been compromised, because it didn't involve any application and didn't break any encryption. It snoops from inside the device. That makes it the optimum way for an attacker to spy WHEN POSSIBLE.

Zeynep Tufekci points out that snooping of this sort is not at all new. It is one reason that people (in addition to normal security measures) would want to cover their portable device's camera and microphone (the latter being difficult) when not using them. But although such malware has existed (last time, I heard that the Chinese government was using such malware against enemies in the west), the hard part is placing the malware on the device, and that ability is what was being alleged about the CIA. To install malware you have to employ one of 3 vulnerabilities:

- A physical vulnerability; breaking into your house (etc.) and tampering with your computer without leaving a noticeable trace.

- A vulnerability in another trusted program, especially part of the operating system. But these are the sorts of things that are discovered and then quickly repaired by the annoying "updates" your computer frequently undergoes.

- A human vulnerability: in recent years this has proven to be the weakest link, and is why people are constantly warned (but not sufficiently in all cases!) not to install applications from untrusted sources, to make sure the URL of the trusted website they are connected to shows it is really the one it claims to be, and not to respond to "phishing" emails where people are tricked into giving up their passwords.

Again, Zeynep Tufekci seems to understand that but is wrong where he starts about "If the C.I.A. goes after your specific phone and hacks it...." but that's where he might be mistaken. He seems to be suggesting a PERSON at the CIA had to "go after" someone's computer. But no, it could as well be a "bot", a computer program, told to try to install this on every device it can find connected to the internet. And the CIA could have a hundred such computers working at the same time. Even worse is a true "virus": it knows how to replicate so that when it takes over a computer it spreads itself to others, through one or another means (including human vulnerability, sending a dangerous email to the person's contact list). In either case, the CIA could spread the malware without making demands on their poor overworked staff.

Now on the political side, though, it appears that the Wikileaks disclosure may have about the same motives that Assange has shown himself to be generally pursuing. Taking attention off of Trump, and directing it on the CIA which Trump has a (somewhat) antagonistic relationship to. Trump isn't at all implicated in anything the CIA has been doing before he took power (which is when this capability was developed), so he isn't affected. Glen Greenwald was interviewed on BBC, lauding Wikileaks for the revelation. The interviewer, somewhat antagonistically asked him though something like: "But Wikileaks has now released the CIA's computer code they hacked, and now ANY ENEMY of ours [US, UK, etc.] can just use it to spy on US TOO!!" Greenwald's response? I almost puked. Greenwald assured the reporter that Wikileaks is RESPONSIBLE and wouldn't just give this to "our enemies." Greenwald pointed out that Wikileaks had very responsibly NOT released the actual code, so that, don't worry, no "enemies" will get a chance to use it.

In other words, Wikileaks acted in the interest of Trump regarding his internal disputes, but carefully avoided endangering the country Trump presides over. :-(

- Jeff

Full posting guidelines at: http://www.marxmail.org/sub.htm
Set your options at: 

Reply via email to