Vault 7's opened up a ton of secret CIA tools. I haven't looked through it yet, but the rumors say that they can basically turn any phone into a listening device.
Interesting how as soon as Trump gets in an argument with someone, Wikileaks releases something about that someone.
Not defending the CIA, of course. It's just that we won't really be safe until the last Republican is strangled with the entrails of the last CIA goon.
It's pretty common knowledge that state agencies collect zero-day vulnerabilities for exploitation. There is a whole cottage industry around it, with major security firms selling exploits.
Among the exploits themselves there aren't any huge surprises so far (although the TV hack is a sexy little move). Most of the hacks are at least along the lines of what you would see at DEF CON, Black Hat or any number of similar conferences. Of course, given most people don't pay attention, they might be surprised to hear about hacking cars and random IoT devices that have no reason to be online. Worryingly, they might also not realise that the only thing stopping an older Android phone (version 4.4 or earlier for sure) being a hostile bugging device is a lack of interest in what you do every day and extremely good opsec. Most devices/programs never get a good security audit or attract enough attention to be worth an exploit, so there are millions of these sorts of zero-day vulnerabilities out there. Thousands more known and documented - even fully and publicly exploited - vulnerabilities can't or won't be patched due to a poor update channel or it just being impractical. Agencies like to keep them in their pocket in case they can come in useful at some point.
They haven't released the tools themselves, at least yet, and have seemingly done a reasonable job with redactions in what has been released so far. I'm hoping they are at least in touch with the providers of the vulnerable software and working with them to get the holes closed before they release more details. Some of the information released so far could probably lead to public exploits, but without the code it does give the maintainers a running chance at getting them patched before anyone can actually start hitting them. The bigger danger is the exploit code getting out before a patch.
It looks like the source of the hacks was a development board of some sort, which means we are extremely unlikely to know anything about how any of the exploits were used, if at all. Further, without a lot more than this initial dump, we probably won't know how many of the vulnerabilities were even leveraged into practical exploits. I doubt this will tell us much at all about CIA activities other than what a few groups of their programmers/hackers and associated external contractors and contacts have worked on.
Still going to be juicy bits to chew over in the pub chats this week.