CIA Vault 7

[mojo84]

It appears virtually no one is immune from Big Brother's spying. Even Linux and VPN's do not protect you from BB.

That smart TV that is connected to the internet, just may be the bug you didn't know you have.

https://wikileaks.com/ciav7p1/

[Alf]

"Can the people on TV see me or am I just paranoid?"

[ScottDLS]

Anyone interested in technical aspects of this subject should read Applied Cryptography by Bruce Schneier and his later books and Weblogs. He now works for IBM and the Electronic Frontier Foundation. Some of his work depends on mathematical theory developed by Prof. Martin Hellman of Stanford, one of the pioneers in public key cryptography.

I also suspect that many of the techniques described in the leaks are exploitable bugs in software rather than actual cracks of the underlying crypto.

Also if you work for the government or a big secure contractor, don't click on the Wikileaks websites or you put your clearance at risk...or so i've heard....

[jason812]

That smart TV that is connected to the internet, just may be the bug you didn't know you have.

I've read that book by George Orwell. It didn't have a happy ending.

[G.A. Heath]

I know a lot of talking heads are saying that that the crypto in apps like whatsapp and such do not appear to be affected, but here's a few things to consider. What has wikileaks not published? How can they be certain that the information isn't being harvested before or after decryption by these apps? If you control the device's operating system then you have direct access to the hardware and that means you can compromise anything that is sent or received by the hardware itself.

[Papacub]

A tweet today from Wikileaks says they have released less than 1% of the files they have!

[SRVVR]

So far, WikiLeaks has provided nothing that shows the cryptography is compromised. They are also known to puff up and use FUD techniques to generate buzz around their releases, and the headlines they are using are nothing more than misleading click bait. What they have shared is nothing new in the way exploits work, a compromised host does not compromise the encryption because it doesn't have to, it has direct access to the unencrypted data. Currently, saying anything else is irresponsible and a lie.

Please stop propagating misinformation.

[nonleg]

. What they have shared is nothing new in the way exploits work, a compromised host does not compromise the encryption because it doesn't have to, it has direct access to the unencrypted data. Currently, saying anything else is irresponsible and a lie.

Please stop propagating misinformation.

[Liberty]

So far, WikiLeaks has provided nothing that shows the cryptography is compromised. They are also known to puff up and use FUD techniques to generate buzz around their releases, and the headlines they are using are nothing more than misleading click bait. What they have shared is nothing new in the way exploits work, a compromised host does not compromise the encryption because it doesn't have to, it has direct access to the unencrypted data. Currently, saying anything else is irresponsible and a lie.

Please stop propagating misinformation.

Believing that modern encryption is impenetrable is irresponsible. Software can be exploited. That is a fact. Whether a particular installation has been or is capable of being compromised is what is unknown.

[ScottDLS]

So far, WikiLeaks has provided nothing that shows the cryptography is compromised. They are also known to puff up and use FUD techniques to generate buzz around their releases, and the headlines they are using are nothing more than misleading click bait. What they have shared is nothing new in the way exploits work, a compromised host does not compromise the encryption because it doesn't have to, it has direct access to the unencrypted data. Currently, saying anything else is irresponsible and a lie.

Please stop propagating misinformation.

The mathematics behind the encryption is well known and constantly worked on by published mathematicians and computer scientists. So far the published "hacks" of VPN's and secure apps have been due to bad execution/holes in the implementation of the encryption not it's basic security. One of the early cracks of the https protocol was due to a bad random number generator for the symmetric keypair in the Netscape Browser.

[ScottDLS]

So far, WikiLeaks has provided nothing that shows the cryptography is compromised. They are also known to puff up and use FUD techniques to generate buzz around their releases, and the headlines they are using are nothing more than misleading click bait. What they have shared is nothing new in the way exploits work, a compromised host does not compromise the encryption because it doesn't have to, it has direct access to the unencrypted data. Currently, saying anything else is irresponsible and a lie.

Please stop propagating misinformation.

Believing that modern encryption is impenetrable is irresponsible. Software can be exploited. That is a fact.

There are no known penetrations/solutions of modern encryption other than brute force attacks. This is not to suggest that it is impenetrable, but there is a high probability of it being so with current technology. The software exploits are sloppy implementations, not problems with the basic mathematics. It is assumed that the US GOV/NSA uses the same mathematics as commercial applications, however they pay much closer attention to physical and technical security around the implementations.

[Syntyr]

How can they be certain that the information isn't being harvested before or after decryption by these apps?

That is exactly what is happening. The are cracking the phone itself and siphoning the data before it hits the apps encryption. Much easier to exploit the phone itself using a zero day or other bug than to break the encryption. Once they have an exploit they can do it over and over and over. If you are trying to crack the encryption it s a unique effort every time.

[Liberty]

[quote="ScottDLS"

There are no known penetrations/solutions of modern encryption other than brute force attacks. This is not to suggest that it is impenetrable, but there is a high probability of it being so with current technology. The software exploits are sloppy implementations, not problems with the basic mathematics. It is assumed that the US GOV/NSA uses the same mathematics as commercial applications, however they pay much closer attention to physical and technical security around the implementations.[/quote]
We don't know what we don't know. We only know the current state of quantum computing that is out in public. If the government can keep a project as massive as the Manhatten Project secret. It doesn't take much imagination to believe they could keep something so modest as a Quantum computer under wraps. We keep hearing about TrueCrypt having exploits and we are told to abandon weak keys. 256 RSA was once considered military strength.

I haven't kept up with the state of encryption since the early PGP days, although I do have encrypted mail capabilities for my email .. I haven't used it.

[mojo84]

I'm sure glad you some of you fellas have all the answers and know encryption is keeping us all safe and protected from prying eyes and ears.

Let me ask some questions so I can better understand. Are CIA's servers encrypted? Does your encryption prevent your computer cameras and microphones from being accessed and controlled remotely? Are your emails and all data you transmit 100% secure? Has the government ever turned their techniques designed to spy on foreign bad guys ever been turned on American Citizens? Are you invisible to the NSA? Are your operating systems 100% secure and impervious?

I think blindly assuming encryption is the answer is irresponsible. Data that is supposedly encrypted somehow gets compromised often. Breaking the encryption code is not the only way to compromise data and privacy.

[ScottDLS]

I'm sure glad you some of you fellas have all the answers and know encryption is keeping us all safe and protected from prying eyes and ears.

Let me ask some questions so I can better understand. Are CIA's servers encrypted? Does your encryption prevent your computer cameras and microphones from being accessed and controlled remotely? Are your emails and all data you transmit 100% secure? Has the government ever turned their techniques designed to spy on foreign bad guys ever been turned on American Citizens? Are you invisible to the NSA? Are your operating systems 100% secure and impervious?

I think blindly assuming encryption is the answer is irresponsible. Data that is supposedly encrypted somehow gets compromised often. Breaking the encryption code is not the only way to compromise data and privacy.

As I mentioned in earlier posts, the 'devil is in the details' of the implementation of technical tools and applications. Much onsumer/commercial electronics and software is not engineered with security in mind, as people have other priorities...ease of use, price, compatibility.

It all depends on the amount of concern you have with your privacy and the consequences (financial, reputational) of your data/communications being hacked. There is quite a bit of security in being one among billions of people communicating and generating electronic data. Even if you are engaging in potentially illegal activity, the legal protections against wiretapping prevent its use against you without a warrant. So the question is how much do you "care" to protect your activity. If the CIA is "illegally" spying on citizens domestically, what are they going to do with the data? I guess they can send in a "black ops" team to "render" you to GITMO to be interrogated... Then the solution will be to significantly enhance your physical security to make it hard for them...that's why I have a LTC.

If you are worried about the FBI, SEC, IRS, etc. monitoring your communications (with or without) a warrant, then there are significant steps you can take with commercially available tools to make it extremely difficult for them to do so. These steps involve technical security (encryption, firewalls, antivirus, anti surveillance software ) and physical security...don't leave your doors unlocked, routers unpatched, TV's and phones on/unattended, etc.

I consult for companies in IT field that have fantastic technical security around their severs, data, communications, but you can walk in their data center with a hammer and smash their server...or the janitor can plant a bug in the server room. On the other hand I've worked with government and defense contractors where their physical security is commensurate with the sensitivity of the data they are protecting.

The Wikileaks info about the CIA hacks is interesting, but the techniques should not be surprising to people in the security field. I mean the leaks themselves probably came from an insider....how do you protect against that? The Intel Community has their ways, the Mafia has theirs , and the you have to decide what effort to put into your own counterintel.