Wouldn't we trust Snowden more on this?

Yes I would. I wasn't eager to reply concerning the article by Zeynep
Tufekci which Louis posted, because I felt a political agreement with
him about Wikileaks, from what I could gather. More on that below.

But on technical matters, I believe he's wrong. Or more specifically
he's wrong about what is being claimed. He displays that
misunderstanding where he says:

"this turned out to be misleading. Neither Signal nor WhatsApp, for
example, appears by name in any of the alleged C.I.A. files"

But he later shows that he does understand the underlying technical
issue:

"techniques for hacking into individual phones. That way, they could
see the encrypted communications just as individual users of the apps
would.. That is about the vulnerability of your device. It has
nothing to do with the security of the apps."

This is exactly right: the alleged (probably true) malware did exactly
that: it wormed its way into the device deeply enough that it could
observe any data within it. That would include whatever was input into
the keyboard, microphone, or video camera, and whatever was received (and
decoded by the secure application!) destined for the screen, keyboard,
or saved on the hard drive. FOR THAT REASON, there was no reason to
mention any specific application that had been compromised, because it
didn't involve any application and didn't break any encryption. It
snoops from inside the device. That makes it the optimum way for an
attacker to spy WHEN POSSIBLE.

Zeynep Tufekci points out that snooping of this sort is not at all new.
It is one reason that people (in addition to normal security measures)
would want to cover their portable device's camera and microphone (the
latter being difficult) when not using them. But although such malware
has existed (last time, I heard that the Chinese government was using
such malware against enemies in the west), the hard part is placing the
malware on the device, and that ability is what was being alleged about
the CIA. To install malware you have to employ one of 3 vulnerabilities:
- A physical vulnerability; breaking into your house (etc.) and
tampering with your computer without leaving a noticeable trace.
- A vulnerability in another trusted program, especially part of the
operating system. But these are the sorts of things that are discovered
and then quickly repaired by the annoying "updates" your computer
frequently undergoes.
- A human vulnerability: in recent years this has proven to be the
weakest link, and is why people are constantly warned (but not
sufficiently in all cases!) not to install applications from untrusted
sources, to make sure the URL of the trusted website they are connected
to shows it is really the one it claims to be, and not to respond to
"phishing" emails where people are tricked into giving up their
passwords.

Again, Zeynep Tufekci seems to understand that but is wrong where he
starts about "If the C.I.A. goes after your specific phone and hacks
it" but that's where he might be mistaken. He seems to be suggesting
a PERSON at the CIA had to "go after" someone's computer. But no, it
could as well be a "bot", a computer program, told to try to install
this on every device it can find connected to the internet. And the CIA
could have a hundred such computers working at the same time. Even worse
is a true "virus": it knows how to replicate so that when it takes over
a computer it spreads itself to others, through one or another means
(including human vulnerability, sending a dangerous email to the
person's contact list). In either case, the CIA could spread the malware
without making demands on their poor overworked staff.

Now on the political side, though, it appears that the Wikileaks
disclosure may have about the same motives that Assange has shown
himself to be generally pursuing. Taking attention off of Trump, and
directing it on the CIA which Trump has a (somewhat) antagonistic
relationship to. Trump isn't at all implicated in anything the CIA has
been doing before he took power (which is when this capability was
developed), so he isn't affected. Glenn Greenwald was interviewed on BBC,
lauding Wikileaks for the revelation. The interviewer, somewhat
antagonistically, asked him though something like: "But Wikileaks has now
released the CIA's computer code they hacked, and now ANY ENEMY of ours
[US, UK, etc.] can just use it to spy on US TOO!!" Greenwald's response?
I almost puked. Greenwald assured the reporter that Wikileaks is
RESPONSIBLE and wouldn't just give this to "our enemies." Greenwald
poin