WikiLeaks Releases Trove of Alleged C.I.A. Hacking Documents

Main discussion at <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=13810015" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=13810015</a>.

This headline is extremely dangerous. The phone itself was owned. No encryption was harmed by capturing the keystrokes and audio before it reaches the application. NYTimes should be ashamed of themselves for basically lying about the nature of the hacks.

And people wonder why I am only lukewarm about encryption and opsec. I use both for myself, but I&#x27;ve given up evangelizing other people years ago because (as I&#x27;ve said here on HN many times):<p>For regular people, the effort of encrypting things is simply not worth it because they&#x27;re powerless against a really determined attacker. It&#x27;s rational to protect against casual attacks from spammers and scammers, but protecting oneself against state-level attackers is futile unless you make a full-time job out of it.<p>Someone usually pipes up at this point saying &#x27;we need to limit the powers of the state&#x27;, like some sternly-worded law is going to undo the existence of the technology or take away the vast economic and political incentives to deploy it. Get real folks, technology doesn&#x27;t get un-invented, and powerful organizations are just like powerful organisms; they&#x27;re opportunist, they maximize their own chances of survival, and when they do collapse the resulting power vacuum is filled as rapidly as any other vacuum would be. One can certainly seek to govern the behavior of a state or state organ, but attempting to limit its technical ability is naive, for the same reason that you&#x27;d be naive to try to fix police brutality by legislating about the design parameters of police batons.

&gt; WikiLeaks, which has sometimes been accused of recklessly leaking information that could do harm<p>Nice passive voice there, NYT.

We really need Qualcomm and others to <i>document</i> their hardware interfaces for modems, baseboards, and SoCs so that open firmware and drivers can be developed for these devices.

This headline is false and misleading, and does not reflect the headline on the article (WikiLeaks Releases Trove of Alleged C.I.A. Hacking Documents)

You should consider the assumption that your security IS compromised at any given point in time (bypassed or whatever) then you could foresee and prevent some worst case scenarios which usually come from hubris nonetheless (&quot;hey, our app is 100% secure and tested by the top security experts - not like other apps on the market&quot;).

&gt; According to the statement from WikiLeaks, government hackers can penetrate Android phones and collect “audio and message traffic before encryption is applied.”<p>This a perfectly useless bit of information in that it says nothing about how this penetration could occur. Pretty much anything can be cracked with a trojan. Something like a currently valid remove exploit would be a much bigger deal.<p>I could say that all the secure apps are broken because I can stand behind you and look over your shoulder while listening to anything you might say.

To me this is much more worrying:<p>&gt; As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks. The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations.<p><a href="https:&#x2F;&#x2F;wikileaks.org&#x2F;ciav7p1&#x2F;" rel="nofollow">https:&#x2F;&#x2F;wikileaks.org&#x2F;ciav7p1&#x2F;</a><p>Given the fact that car makers don&#x27;t even have &quot;PC age&quot; security in their cars, things are looking pretty bad for self-driving cars in general.

<p><pre><code> According to the statement from WikiLeaks, government hackers can penetrate Android phones and collect “audio and message traffic before encryption is applied.” </code></pre> How is that possible? Isn&#x27;t the data encrypted before it&#x27;s sent over the wire?

Edit: deleted, for very valid criticism. Next time I won&#x27;t post in a rush during work hours.

CIA Android Exploits<p><a href="https:&#x2F;&#x2F;wikileaks.org&#x2F;ciav7p1&#x2F;cms&#x2F;page_11629096.html" rel="nofollow">https:&#x2F;&#x2F;wikileaks.org&#x2F;ciav7p1&#x2F;cms&#x2F;page_11629096.html</a><p>As you can see they pretty much all reference very old versions of Android (v4) and Chrome.

I thought they were already compromised since both these services use SMS authentication; since the defaults AFAIK aren&#x27;t particularly concerned about a change in the public key, it&#x27;s broken for anything secure anyway.<p>Tox on the other hand seems much more secure... though I guess if you&#x27;re phone is compromised you&#x27;re pretty much screwed to start with (which is not too hard with all the bloatware one needs these days).

Given the other revelations of the last few weeks, I have to wonder if these exploits are getting installed on every phone that the CBP demands people unlock. Seems like the obvious thing to do. Best not to trust your phone or any software on it at least without a factory reset, and preferably a software update, after it&#x27;s been in CBP custody for any time.

Besides the initial titlegore, these tools really aren&#x27;t that surprising. I&#x27;ve always operated under the assumption that if the NSA, CIA, etc are in your threat model you&#x27;ve already lost.

Lol at NYT, it says that when jack into an android phone they are able to route the messages to a third party before it gets encrypted

This is why we should not rely on encrypted apps running on top of some other platform.<p>disclosure: working on an open source alternative for messaging

This just in: man looking over your shoulder bypasses strongest Signal encryption!

I found none of these revelations surprising. In this era, you have to assume that someone is monitoring you. You&#x27;re naive if you think otherwise.