shitbloggin with reid scoggin


thoughts on the wikileaks cia malware dump


this morning, wikileaks posted a summary and partial release of a very large dump of internal cia programs related to their offensive cyber capabilities (nyt writeup, if you prefer). this kind of thing is like christmas to me – i’ve been fascinated by ‘forbidden knowledge’ since i was a kid, downloading anarchist cookbook .rtf’s on kazaa in middle school. to me, whistleblower doc dumps are like finding a new favorite author now, a rare treat where i’m handed a corpus of information to mull over and incorporate into my thinking.

there’s nothing truly shocking in the documents, besides the fact that this appears to be burning the cia’s entire cyber apparatus like a sheet of flash-paper – a few people in langley are having a very bad day right now. besides that though, the nuts and bolts of their ops are basically what one would expect from what we already know about state actor APTs – sophisticated multi-platform malware, including for routers, as well as ios and android exploits that circumvent encrypted chat clients (eg, signal or whatsapp) ‘left of crypto’ – that is, before the encryption is applied. all the curve25519 in the world won’t help you if your iphone is rooted.

a very interesting bit of trivia contained in the summary is that the cia malware and c2 servers are not technically classified, in order to avoid regulation – they’re instead simply obfuscated. servers must be certified to handle classified information in order to face the public internet, but instead the cia has sidestepped this, meaning it probably isn’t technically illegal to hand off those particular files – not that it would ever fly if the leaker is caught. as prior whistleblower cases demonstrated, the IC is willing to (attempt to) retroactively classify documents, or ground diplomatic flights in order to nail ‘traitors’.

the UMBRAGE program described is essentially a trove of techniques and malware attributable to other actors – one would assume russia, china, and probably iran are on the list. this is meant to conceal or mislead, burying among other evidence anything that could point to an operation being perpetrated by the US. i’ve already seen this used by partisans to throw suspicion on the dnc hack, but i don’t find this very convincing. i should write a separate post about my thoughts on that entire topic, but for now this link covers most of what i would bring up.

what you see in the files is – if you’re like me – some really thrilling scraps of highly sophisticated state actor methods, vectors, and practices. smart tv malware that keeps the tv in a false ‘off’ mode in order to surreptitiously record and upload audio is probably the sexiest, tentative interest in hacking the computers in newer models of cars the most frightening (one is reminded of the questionable circumstances surrounding the death of a particular journalist).

what you won’t see in the dump is information about programs targeting terrorists. this isn’t a result of redaction on wikileaks’ part, as far as i can tell – but it points to a fact that’s little discussed when US IC spy programs come up: the bulk of them are focused on diplomatic spying.

Among the list of possible targets of the collection are ‘Asset’, ‘Liason Asset’, ‘System Administrator’, ‘Foreign Information Operations’, ‘Foreign Intelligence Agencies’ and ‘Foreign Government Entities’. Notably absent is any reference to extremists or transnational criminals.

to make my position clear, i believe spying programs should be restricted by outright burdensome regulation if there’s even the possibility of incidental collection from americans. i don’t trust the good faith of the IC, and frankly i think anyone who does is a sucker or a fed. i’m an earnest fan of snowden and a paranoiac with regards to personal infosec practices. but i almost never see it emphasized that diplomatic spying is a necessary function of any government, even as i see calls for the abolition of the entire apparatus.

there are two primary camps you’ll find in online discussions of the IC, apologists and critics. critics are the loudest, and i count myself among them, but their motivations push them to emphasize the dragnet nature of the publicly known programs (almost always nsa sigint, since that’s what we’ve known about up till now). apologists, on the other hand, will almost universally default to the necessity of preventing terrorism. what these documents, and the above excerpt, illustrate is that spying on foreign governments is still bread and butter, at least for cia cyber ops. if i were to offer a word of advice to apologists, it would be to emphasize that this is the way the game works – all governments spy on each other, and one is at an unspeakable disadvantage if one doesn’t play the game. many (yours truly included) are poisonously cynical about the terrorism justification.

it’s going to take a while to go through these, but i’m one of the people who manually pores over every classified document that gets released when these things happen. everyone has hobbies 😛

as an aside, i’ve been running a tumblr blog for the last few years with interesting or ‘cute’ excerpts from snowden documents and other sources related to IC classified programs. if you’re interested in that kind of thing, you might check it out.