Re: [Marxism] The Truth About the WikiLeaks C.I.A. Cache
POSTING RULES & NOTES #1 YOU MUST clip all extraneous text when replying to a message. #2 This mail-list, like most, is publicly & permanently archived. #3 Subscribe and post under an alias if #2 is a concern. * Wouldn't we trust Snowden more on this? Yes I would. I wasn't eager to reply concerning the article by Zeynep Tufekci which Louis posted, because I felt a political agreement with him about Wikileaks, from what I could gather. More on that below. But on technical matters, I believe he's wrong. Or more specifically he's wrong about what is being claimed. He displays that misunderstanding where he says: "this turned out to be misleading. Neither Signal nor WhatsApp, for example, appears by name in any of the alleged C.I.A. files" But he later shows that he does understand the underlying technical issue: "techniques for hacking into individual phones. That way, they could see the encrypted communications just as individual users of the apps would.. That is about the vulnerability of your device. It has nothing to do with the security of the apps." This is exactly right: the alleged (probably true) malware did exactly that: it wormed its way into the device deeply enough that it could observe any data within it. That would include whatever was input into the keyboard, microphone, or videocamera, and whatever was received (and decoded by the secure application!) destined for the screen, keyboard, or saved on the harddrive. FOR THAT REASON, there was no reason to mention any specific application that had been compromised, because it didn't involve any application and didn't break any encryption. It snoops from inside the device. That makes it the optimum way for an attacker to spy WHEN POSSIBLE. Zeynep Tufekci points out that snooping of this sort is not at all new. It is one reason that people (in addition to normal security measures) would want to cover their portable device's camera and microphone (the latter being difficult) when not using them. But although such malware has existed (last time, I heard that the Chinese government was using such malware against enemies in the west), the hard part is placing the malware on the device, and that ability is what was being alleged about the CIA. To install malware you have to employ one of 3 vulnerabilities: - A physical vulnerability; breaking into your house (etc.) and tampering with your computer without leaving a noticeable trace. - A vulnerability in another trusted program, especially part of the operating system. But these are the sorts of things that are discovered and then quickly repaired by the annoying "updates" your computer frequently undergoes. - A human vulnerability: in recent years this has proven to be the weakest link, and is why people are constantly warned (but not sufficiently in all cases!) not to install applications from untrusted sources, to make sure the URL of the trusted website they are connected to shows it is really the one it claims to be, and not to respond to "phishing" emails where people are tricked into giving up their passwords. Again, Zeynep Tufekci seems to understand that but is wrong where he starts about "If the C.I.A. goes after your specific phone and hacks it" but that's where he might be mistaken. He seems to be suggesting a PERSON at the CIA had to "go after" someone's computer. But no, it could as well be a "bot", a computer program, told to try to install this on every device it can find connected to the internet. And the CIA could have a hundred such computers working at the same time. Even worse is a true "virus": it knows how to replicate so that when it takes over a computer it spreads itself to others, through one or another means (including human vulnerability, sending a dangerous email to the person's contact list). In either case, the CIA could spread the malware without making demands on their poor overworked staff. Now on the political side, though, it appears that the Wikileaks disclosure may have about the same motives that Assange has shown himself to be generally pursuing. Taking attention off of Trump, and directing it on the CIA which Trump has a (somewhat) antagonistic relationship to. Trump isn't at all implicated in anything the CIA has been doing before he took power (which is when this capability was developed), so he isn't affected. Glen Greenwald was interviewed on BBC, lauding Wikileaks for the revelation. The interviewer, somewhat antagonistically asked him though something like: "But Wikileaks has now released the CIA's computer code they hacked, and now ANY ENEMY of ours [US, UK, etc.] can just use it to spy on US TOO!!" Greenwald's response? I almost puked. Greenwald assured the reporter that Wikileaks is RESPONSIBLE and wouldn't just give this to "our enemies." Greenwald poin
Re: [Marxism] The Truth About the WikiLeaks C.I.A. Cache
POSTING RULES & NOTES #1 YOU MUST clip all extraneous text when replying to a message. #2 This mail-list, like most, is publicly & permanently archived. #3 Subscribe and post under an alias if #2 is a concern. * > Wouldn't we trust Snowden more on this? Yes, and no. Both can be true. I had a similar issue with the headlines that the NYTimes article is talking about, but wouldn't take it as far as the article to act like it encompasses the actual information contained in the leaks. The headlines made it sound like Signal and others were compromised. This isn't the case, the phones are compromised. There is actually another NYTimes article that sort of explains this, https://www.nytimes.com/aponline/2017/03/11/technology/ap-us-tec-wikileaks-cia-tech-encryption.html It is important both to not claim such methods "break Signal" or to give the false sense of security that you are 100% safe just by using Signal. Tristan _ Full posting guidelines at: http://www.marxmail.org/sub.htm Set your options at: http://lists.csbs.utah.edu/options/marxism/archive%40mail-archive.com
Re: [Marxism] The Truth About the WikiLeaks C.I.A. Cache
POSTING RULES & NOTES #1 YOU MUST clip all extraneous text when replying to a message. #2 This mail-list, like most, is publicly & permanently archived. #3 Subscribe and post under an alias if #2 is a concern. * On 2017/03/10 01:46 PM, Louis Proyect via Marxism wrote: NY Times Op-Ed, Mar. 10 2017 The Truth About the WikiLeaks C.I.A. Cache by Zeynep Tufekci ..Security experts I spoke with, however, stressed that these techniques appear to be mostly known methods — some of them learned from academic and other open conferences — and that there were no big surprises or unexpected wizardry. ... WikiLeaks seems to have a playbook for its disinformation campaigns. Wouldn't we trust Snowden more on this? http://www.commondreams.org/news/2017/03/07/snowden-calls-trove-alleged-cia-hacking-tools-published-wikileaks-big-deal _ Full posting guidelines at: http://www.marxmail.org/sub.htm Set your options at: http://lists.csbs.utah.edu/options/marxism/archive%40mail-archive.com
Re: [Marxism] The Truth About the WikiLeaks C.I.A. Cache
POSTING RULES & NOTES #1 YOU MUST clip all extraneous text when replying to a message. #2 This mail-list, like most, is publicly & permanently archived. #3 Subscribe and post under an alias if #2 is a concern. * Very amusing that media tends to boil this down to defending the much maligned but trustworthy CIA against "WikiLeaks’ misinformation campaign." The problem seems to be the utterly corrupted memory chip. And that's not a problem susceptible to a simple technological fix. ML _ Full posting guidelines at: http://www.marxmail.org/sub.htm Set your options at: http://lists.csbs.utah.edu/options/marxism/archive%40mail-archive.com
[Marxism] The Truth About the WikiLeaks C.I.A. Cache
POSTING RULES & NOTES #1 YOU MUST clip all extraneous text when replying to a message. #2 This mail-list, like most, is publicly & permanently archived. #3 Subscribe and post under an alias if #2 is a concern. * (Co-moderator of mailing list that spawned Marxmail debunks Julian Assange.) NY Times Op-Ed, Mar. 10 2017 The Truth About the WikiLeaks C.I.A. Cache by Zeynep Tufekci On Tuesday morning, WikiLeaks released an enormous cache of documents that it claimed detailed “C.I.A. hacking tools.” Immediately afterward, it posted two startling tweets asserting that “C.I.A. hacker malware” posed a threat to journalists and others who require secure communication by infecting iPhone and Android devices and “bypassing” encrypted message apps such as Signal and WhatsApp. This appeared to be a bombshell. Signal is considered the gold standard for secure communication. WhatsApp has a billion users. The C.I.A., it seemed, had the capacity to conduct sweeping surveillance on what we had previously assumed were our safest and most private digital conversations. In their haste to post articles about the release, almost all the leading news organizations took the WikiLeaks tweets at face value. Their initial accounts mentioned Signal, WhatsApp and other encrypted apps by name, and described them as “bypassed” or otherwise compromised by the C.I.A.’s cyberspying tools. Yet on closer inspection, this turned out to be misleading. Neither Signal nor WhatsApp, for example, appears by name in any of the alleged C.I.A. files in the cache. (Using automated tools to search the whole database, as security researchers subsequently did, turned up no hits.) More important, the hacking methods described in the documents do not, in fact, include the ability to bypass such encrypted apps — at least not in the sense of “bypass” that had seemed so alarming. Indeed, if anything, the C.I.A. documents in the cache confirm the strength of encryption technologies. What had gone wrong? There were two culprits: an honest (if careless) misunderstanding about technology on the part of the press; and yet another shrewd misinformation campaign orchestrated by WikiLeaks. Let’s start with the technology. In the aftermath of Edward J. Snowden’s revelations about potential mass surveillance, there has been a sharp increase in the use of these “end to end” encryption apps, which render even the company that owns the app or phone essentially unable to read or hear the communications between the two “end” users. Given that entities like Signal and WhatsApp cannot get access to the content of these conversations, even in response to a warrant — WhatsApp keeps logs of who talked to whom, Signal doesn’t do even that — intelligence agencies have been looking to develop techniques for hacking into individual phones. That way, they could see the encrypted communications just as individual users of the apps would. These techniques are what the leaked cache revealed. Security experts I spoke with, however, stressed that these techniques appear to be mostly known methods — some of them learned from academic and other open conferences — and that there were no big surprises or unexpected wizardry. In other words, the cache reminds us that if your phone is hacked, the Signal or WhatsApp messages on it are not secure. This should not come as a surprise. If an intelligence agency, or a nosy sibling, can get you to install, say, a “key logger” on your phone, either one can bypass the encrypted communication app. But so can someone looking over your shoulder while you use your phone. That is about the vulnerability of your device. It has nothing to do with the security of the apps. If anything in the WikiLeaks revelations is a bombshell, it is just how strong these encrypted apps appear to be. Since it doesn’t have a means of easy mass surveillance of such apps, the C.I.A. seems to have had to turn its attention to the harder and often high-risk task of breaking into individual devices one by one. Which brings us to WikiLeaks’ misinformation campaign. An accurate tweet accompanying the cache would have said something like, “If the C.I.A. goes after your specific phone and hacks it, the agency can look at its content.” But that, of course, wouldn’t have caused alarm and defeatism about the prospects of secure conversations. We’ve seen WikiLeaks do this before. Last July, right after the attempted coup in Turkey, WikiLeaks promised, with much fanfare, to release emails belonging to Turkey’s ruling Justice and Development Party. What WikiLeaks ultimately released, however, was nothing but mundane mailing lists of tens of thousands of ordinary people who discussed politics online. Back then, too, the ruse worked: Many Western journalists had hyped these non-leaks. WikiLeaks seems to have a