The CIA, WikiLeaks and Spy vs Spy
As pretty much anyone already knows, WikiLeaks has dropped a trove of about 8700 secret documents that purport to cover a range of CIA plans and technologies for snooping over the Internet -- everything from cracking encrypted communication products to turning Samsung smart TVs into listening devices against their owners.
Two questions immediately arise: 1) are these documents legit (they appear to be), and 2) WTF does it mean for people like us, who aren’t spies, public officials, or soldiers of fortune? This latter answer requires a longer explanation, but suffice it to say this news is generally not good for anyone, not even for spies unless they have been recently unemployed. But for some companies it will open up significant new business opportunities.
Nobody forges 8700 documents totaling a million pages or more. It’s too hard to do and forgeries are too easy to detect. So the only way to make this mess at all benign for the beleaguered CIA is to point out that at least some of these documents -- especially the foreign ones from outfits like GCHQ (the UK equivalent of our NSA) -- might be part of a sort of cracking library. If you employed hundreds of programmers working to crack foreign communications or protect U.S. communications, having a library of proven attack examples makes perfect sense. But these documents aren’t all just examples by any means.
Nobody cracks TVs just for the fun of it. Even Mr. Robot is driven by paranoia.
If you work in this area for one of the 17 U.S. intelligence agencies, these WikiLeaks are terrible news… unless it’s really old news, which it might well be. Maybe these techniques were already well known to all parties in this game of cat and mouse. Remember, the backstory that goes with these docs is that they’ve been floating around the Dark Web for months and came to light just now as much because of hacker boredom as anything else. But if they aren’t old news or old tech and instead represent the state of the art for electronic snooping, well, that means there’s suddenly going to be a LOT of work patching vulnerabilities and finding new ones.
I’ve only just scanned the docs, but there sure seems to be a lot about cracking consumer electronics on a grand scale, which means all of us are vulnerable. And we can’t hide behind the idea that U.S. intelligence agencies are ostensibly prohibited from spying on U.S. citizens. Edward Snowden showed there’s a quid pro quo among western spy agencies that has in the past allowed the UK or Australia to intercept communications of U.S. citizens, just as the NSA can intercept UK private communications and send them on to GCHQ. There are no innocents in this CIA story.
So what’s to be done about this document theft? From a defensive standpoint it has become an issue of patching versus supplanting. I’m sure it’s possible to come up with patches to seal most of these vulnerabilities piecemeal, but if we are talking about thousands or tens of thousands of bugs, that’s going to take months. Until then we are vulnerable and a lot of programmers will be working overtime.
The other approach to solving this problem isn’t by patching holes but by building walls. If a new security technology -- a whole new layer -- can be added upstream of the current vulnerability, then maybe fixing that vulnerability isn’t so important anymore.
I suspect we’ll be seeing at least a few such new approaches appearing shortly, because that’s the only way to improve the practical situation quickly. Next week I’ll talk about a couple of very specific new security approaches that embody what I mean.
That’s if the black helicopters don’t get me first.