> He claimed that an anti-virus expert, who was not named, had come forward to say that he believed sophisticated malware that he had previously attributed to Iran, Russia and China, now looked like something that the CIA had developed.
That sounds very like something I read on Robert Graham's Mar 7 comments[1] on the leak:
> Already, one AV researcher has told me that a virus they once suspected came from the Russians or Chinese can now be attributed to the CIA, as it matches the description perfectly to something in the leak.
> There's no false flags. In several places, the CIA talks about making sure that what they do isn't so unique, so it can't be attributed to them. However, Wikileaks's press release hints that the "UMBRAGE" program is deliberately stealing techniques from Russia to use as a false-flag operation. This is nonsense. For example, the DNC hack attribution was live command-and-control servers simultaneously used against different Russian targets -- not a few snippets of code.
Nothing about "active command and control servers" is strongly attributable.
They aren't signing them with Russian government certificates or running them from Russian government IPs.
They're buying servers or VPN connections on public providers. The notion of "strong attribution" in and of itself is basically impossible in the field of malware unless someone steps up and shows you the source. Those are things anyone can do. They're only doing a probabilistic analysis assuming no one else knows them, which makes many very large assumptions - like no one else wanting to fake Russian malware.
He comes off quite partisan in my opinion - his Twitter pretty much confirms it as he compares Wired to Brietbart. I wouldn't listen to a word this guy says on the topic.
> They're buying servers or VPN connections on public providers. The notion of "strong attribution" in and of itself is basically impossible in the field of malware unless someone steps up and shows you the source. Those are things anyone can do. They're only doing a probabilistic analysis assuming no one else knows them, which makes many very large assumptions - like no one else wanting to fake Russian malware.
Strong Attribution is definitely a difficult task and unless someone admits guilt, you'll have to rely on probabilities but the combined CrowdStrike, SecureWorks, and ThreatConnect reports give a fairly strong basis of where to place blame for the DNC servers. I'd imagine our intelligence agencies have their own methods of attribution that we won't learn of for a long time.
As for Rob, this feels like a pretty balanced opinion:
> The DNC hacks have strong evidence pointing to Russia. Not only does all the malware check out, but also other, harder to "false flag" bits, like active command-and-control servers. A serious operator could still false-flag this in theory, if only by bribing people in Russia, but nothing in the CIA dump hints at this.
> The Sony hacks have weak evidence pointing to North Korea. One of the items was the use of the RawDisk driver, used both in malware attributed to North Korea and the Sony attacks. This was described as "flimsy" at the time []. The CIA dump [] demonstrates that indeed it's flimsy -- as apparently CIA malware also uses the RawDisk code.
> In the coming days, biased partisans are going to seize on the CIA leaks as proof of "false flag" operations, calling into question Russian hacks. No, this isn't valid. We experts in the industry criticized "malware techniques" as flimsy attribution, long before the Sony attack, and long before the DNC hacks. All the CIA leaks do is prove we were right. On the other hand, the DNC hack attribution is based on more than just this, so nothing in the CIA leaks calls into question that attribution.
> Strong Attribution is definitely a difficult task and unless someone admits guilt, you'll have to rely on probabilities but the combined CrowdStrike, SecureWorks, and ThreatConnect reports give a fairly strong basis of where to place blame for the DNC servers.
That's the thing though - you can place that blame whereever you want simply by making it look that way - buying servers from the right providers, modifying existing malware to suit your purposes via reverse engineering, etc. It's fairly straightforward stuff for someone in the know to do.
The probabilistic analysis does not and cannot account for fakery of this sort - the posts you linked do not attempt to account for this at all, instead assuming blindly that "hey, this looks vaguely like this russian attack group". I read his posting there - it seemed sketchy to me - then I read his Twitter account and it explained why it seemed sketchy. He's a blatant partisan, looking only to prove his side.
I'm not saying it's not possible it's Russia. It's quite possibly Russia. Probable even. Just that I don't trust the only possible analysis methods at a deep level such that I don't feel blame can be reliably laid in such a case.
It literally contains the excerpt I quoted from it. I don't think the section you quote contradicts that. Graham is also fairly critical of a number of other assertions in the WL press release.
It wouldn't surprise me - a lot of the stuff they use to identify a malware source just isn't that accurate. Anyone can buy a server from the other side of the world, anyone can put strings in another language into malware and anyone can target a source country starting from a specific provider or VPN.
Once you admit that keeping secret and controlling the release of sensitive information has some 'harm minimization effect' - and therefore that releasing information in the wrong way or to the wrong people is potentially harmful - exactly where does that take the philosophy of 'radical transparency?'
They're advocating for radical transparency of governments and corporations, not individuals - there's a significant difference. Releasing these exploits as is would result in harm to individuals who are unrelated entirely to the CIA or government.
They didn't seem to advocate for that when they released family, medical and financial information of rape victims, homosexuals and mental health patients in Saudi Arabia.
As others said, that's a bit of a stretch, at least to say that was their intent. It's also worth noting that the Saudi release in question occurred in 2015, but the outrage stories didn't appear until shortly before Wikileaks released the Podesta emails — which suggests the hackers had been pitching them to mainstream news outlets, who rejected the story and instead looked for a preemptive shoot-the-messenger angle on the outlet that did [they assumed?] agree to publish them, Wikileaks.
They don't seem to contradict each other, am I missing something? The article says WikiLeaks released government information that contained alot of personal information. The tweet says that they released government info and did not give info to the government.
> They're advocating for radical transparency of governments and corporations, not individuals
I can think of at least one instance where they targeted individuals: publishing the names and addresses of members of the extreme-right British National Party. Of course that is OTOH hard to square with the narrative that they're right-wing Trumpists.
If he had had some "goods" on Trump (e.g. a video in which Trump had said some rude things) I'm sure he would have released that too. Fortunately for Trump his henchpeople were smart enough not to get phished.
I think you are being naive if you believe that everything that has been hacked has been leaked or that the leaks are motivated be an ideology of transparency rather than political objectives.
At your link, we hear Comey say: "We did not develop any evidence that the Trump campaign or the current RNC was successfully hacked."
I probably am naive, but at least I'm not so naive as to hear anything from Comey other than CYA over his own "election-affecting" but now-forgotten Clintonian email releases.
He uses the terms "old" and "current" to describe the hacks. The "old" RNC was hacked. The "current" RNC was not. We have no idea what those terms mean or why the data collected from the "old" RNC wasn't leaked.
In my ignorance, I assumed those words meant the same thing they mean in everyday English language conversation. If one had to guess, the "old" RNC might have been the one that never imagined Trump would kick their asses to the curb, while the "current" one might be the one that Trump hired after he did that? Which would be more likely to have dirt on Trump?
As I said above, however, we're really in the dark when we're reading tea leaves of nuance in testimony about an open investigation, by an effectively independent civil servant who has given directly-misleading testimony within the last year.
>It's entirely possible that either they failed to break in
Comey disputes that in the linked article.
>or that they failed to get any significant information.
Or maybe it is possible that they got more significant information and it was never leaked because it is more valuable as blackmail material. Neither of us know which one of those theories is right.
What we do know is that both sides were hacked, probably by the Russians, and data from only one side was released. By wide consensus those releases were timed in order to maximize the damage they did to Clinton. That is exactly the type of action you would expect from someone motivated by politics.
>> "We did not develop any evidence that the Trump campaign or the current RNC was successfully hacked." - Linked Article
Seems pretty contradictory to me. Maybe a previous admin's RNC or something, but not the current one...
Honestly, these intelligence agencies are pretty clueless. They use the same tactics to identify malware sources that they use to thwart their own identification as a malware source. I wouldn't believe anything they say about the source of malware - or anything anyone says. It's far too easy to make it look like someone else did it - use their or nearby providers, use their malware or slightly modified versions of it, copy their strings, etc. It's pretty easy stuff to do if you've got a bit of assembly skill too.
> By wide consensus those releases were timed in order to maximize the damage they did to Clinton. That is exactly the type of action you would expect from someone motivated by politics.
Or you know, just someone motivated to make impactful leaks. Despite these emails not being in my political favor, I wouldn't have done anything differently in their shoes. Would you have? and if you would have, would you honestly say that your actions weren't politically motivated?
I think _not_ releasing in this case or avoiding impact would have been more clearly politically motivated.
>Seems pretty contradictory to me. Maybe a previous admin's RNC or something, but not the current one
I mentioned this in my other post. The RNC was hacked, but we don't know the timeline due to Comey's vague terminology.
>Honestly, these intelligence agencies are pretty clueless.
This is incredibly patronizing. They have a much greater expertise on these things than two doofuses like us debating on the Internet.
>Or you know, just someone motivated to make impactful leaks. Despite these emails not being in my political favor, I wouldn't have done anything differently in their shoes. Would you have?
It isn't just the timing of the leaks, go back and read what they were saying about them. They stoked the flames of Pizzagate. Assange was quoted as saying the leaks would guarantee Clinton's arrest. Those aren't the actions of someone who is politically neutral.
> Fortunately for Trump his henchpeople were smart enough not to get phished.
While there was no similar mass disclosure (most likely because of the political goals of those conducting the operation), Republican groups, not just Democrats, were compromised by the same actors behind the DNC attack.
Assume I believe that... what horrible skulduggery did such compromises uncover? What did we not know about Trump that these anonymous hackers decided not to release, which had it been released would have thrown the election the other way?
> Fortunately for Trump his henchpeople were smart enough
Not so much that — we have ample evidence to the contrary — but more conventional media outlets like the NYT, WaPo, CNN and so on are more than happy to publish unredacted leaks themselves, if they embarrass Trump. Wikileaks is whom you bring your story to when nobody else will publish it.
I don't think that's true - many companies have stricter policies about this or simply block it via technical means. No outside emails with attachments or links for example, screening phone calls and strict training.
You don't see leaks from 3-letter agencies because someone phished them - while it's definitely possible to contact them.
You can do a lot with training - simply frequently attempting phishing on your own employees can do a lot.
Harmful to whom may be the important question here. I thought the underlying premise of radical transparency was to make it sufficiently difficult to maintain state and corporate secrets that they either give up trying to keep secrets entirely or at least learn to avoid conducting truly shady activities because secrecy is no longer a guaranteed. If that's true then I'd say that admission is a strong endorsement that the practice is at least on sound theoretical ground.
And Trump, Palin, Hannity have all done the same. Called for practically drone striking Assange during the Bush era, but now that he's released Clinton's emails, they've literally apologized [1] and done 180s.
Wikileaks did take a strong stance because they "want to secure communications technology because, without it, journalists aren't able to hold the state to account". (one paragraph below your original quote)
Having documents on both sides and releasing one and not the other would be a break with impartiality. Having personal political opinions has nothing to do with Wikileaks impartiality.
No, not publish. Assange has repeatedly criticized Clinton and yet there's not a peep about Trump.
And funnily enough, those who called for death warrants against Assange have literally apologized (Palin) and done a complete 180 (Trump, Hannity) and praise him.
Clinton held public office for years, she's a career politician so it only makes sense he'd scrutinize and criticize her considering how corrupt she is. As for Trump, Assange has stated many times that if anyone has anything to provide that Wikileaks would share it. Maybe wait a few months or years ?
I don't understand this "Clinton is corrupt" thing. You imply that career politicians are corrupt. Ok, I accept that. But how is Hillary, specifically, any worse than other politician? And how is Trump not any worse than Hillary when he spouts nonsense and blatant falsehoods on a daily basis?
But yes, now that Trump is a politician, I imagine it's only a matter of time.
It tells you that the person advocating that philosophy has given themselves license to wield all of that enormous power you're describing, without check or balance.
Wikileaks stopped being about 'radical transparency' when Julian Assange felt personally threatened by Hillary Clinton and Google. Since then the Wikileaks agenda appears to be more about attacking and undermining US policy and standing wherever it can.
The article does not mention specific exploits. I'll change my mind if they actually close vulnerabilities because of this, but as of now, it seems like a PR move without much substance.
Of course the NSA looks for software vulnerabilities, and it's a vital part of both their core missions. And of course they don't neutralize their offensive capabilities by immediately revealing all of them to software makers. There's a balance that is struck between offensive and defensive missions with respect to each vulnerability.
1. It is about CIA, not NSA.
2. What CIA did goes against the promise previous administration had made after Snowden leaks, where they promised that agencies will be immediately disclosing discovered vulnerabilities to the affected US tech companies.
1. It's the CIA and the NSA, as well as a host of friendly non-US intelligence agencies. They develop vulnerabilities, share them, and release them when the improvement to the defensive advantage the release provides outweighs the hindrance to the offensive advantage they provide over adversarial intelligence agencies.
2. Not only was such a promise never made, but it's well outside of the realm of reason. Of all the vulnerabilities out there (and the way the market works, there are more shipped every day), only small disjoint fractions have been discovered by intelligence agencies both friendly and hostile to the USIC, and hence there is absolutely no reason for them to disclose NOBUS vulns: https://en.wikipedia.org/wiki/NOBUS
How do you know the CIA found these vulns, and that they weren't shared from IC partners?
You are, at best, advocating a policy which would lead to an absolutely disastrous disadvantage to the USICs SIGINT capabilities in relation to its adversaries.
Yeah, it'll be interesting here though - they potentially have some pretty major remote exploits and tech firms might be resistant to even patch as those who are unpatched will be left vulnerable to attack. The standard route then is to threaten to publish anyways... This will involve very careful treading on the parts of both wikileaks and the firms involved.
Not really... the biggest example of this was probably the leak that happened from Manning - but it in large part wasn't really WikiLeaks fault, they gave an AES 'insurance' key to a journalist who released it without really understanding the consequences. WikiLeaks generally tries their best to release responsibly, but it's a challenge when you get governments unwilling to accept leakers and journalists who don't know how to handle leaks.
Wikileaks has a terrible record on vetting releases and be "truly transparent". See the timing of the dnc and podesta emails...
There were social security #'s in those releases.
They try and play both sides of the fence:
-we dont "editorialize", redact or make decisions on what is and isn't released
-release specific info with sensational headlines timed for optimal impact
What's wrong with that? They simply optimized for impact.
If they were to dump all the releases months before the election no one would have remembered them, no matter how significant.
They've done partial releases and released over time with many other leaks too. I don't see how that conflicts with transparency or impartiality.
Put yourself in their shoes - how would you have solved it differently?
> There were social security #'s in those releases.
When you're working with data in the volumes that they are and you have limited review staff, sometimes mistakes happen. If you'd like to help prevent it, I believe they do accept reviewers if you've got appropriate credentials.
I have no problem with them optimizing for impact. But they refuse to admit that is what they are doing. It disingenuous at the very least.
It's not "mistake" if PII is revealed in every single release. It is incompetence or they are acting in bad faith. There are dozens of other organizations that have strong records on this. wikileaks is not one of them.
> I have no problem with them optimizing for impact. But they refuse to admit that is what they are doing. It disingenuous at the very least.
They've stated that's exactly what they're doing in several pieces.
> It's not "mistake" if PII is revealed in every single release. There are dozens of other organizations that have strong records on this. wikileaks is not one of them.
Likely because those "dozens of other organizations" don't publish many leaks and especially not in anything approaching raw form - every single leak I've seen in a major paper has been heavily filtered down and distilled into a specific narrative. WikiLeaks just publishes with minimal editing - any narrative from them is completely separated from the leaks. That rawness is what makes them better than other approaches for getting real information out, but it's also what makes them worse at censoring that information.
I'm not sure how we can square, "we are neutral", "we are optimizing for impact", "our goal is to create conflict within the government".
>WikiLeaks just publishes with minimal editing - any narrative from them is completely separated from the leaks
Wikileaks in king of clickbait and creating false impressions of what data they are and aren't releasing. Just look at their twitter account. There are even reports of withholding entire data sets when it doesn't fit their narrative.
I am on board for the premise of WikiLeaks is trying to do, but they have flatly failed in the execution.
Software already exists to indentify common PII like credit card numbers and social security numbers (need it for HIPAA requirements) and besides probably any freshman programmer could build a simple regex to find simple PII. So the most likely excuses are either complete incompetence or utter apathy to protect that info, not lack of manpower.
We're not talking credit card numbers, SIN numbers are just a series of a few numbers which may match many, many unrelated things. I'd have to see the specific case to really say yes or no to that one. Many of the leaks they get are not in text format at all, they're in PDF images, OCR can sometimes do the job, but not always with high accuracy.
If you'd like to volunteer that skill, they may be open to accepting it. It's entirely possible they just don't have developers with such abilities in their arsenal. You might try their IRC channels and such if you'd consider it.
I see many people here who accept this as generic wisdom but I don't remember them releasing non-redacted documents (outside the cablegate shitstorm). Are there precedents? Are there sources where they say this is their philosophy?
> "a whole section of the CIA is working on Umbrage, a system that attempts to trick people into thinking that they had been hacked by other groups or countries by collecting malware from other nation states, such as Russia."
Wikileaks is dramatically misrepresenting what Umbrage is. There are descriptive documents that explain exactly what it is and how it's meant to be used that were also leaked. Even the Intercept, who aren't exactly friendly to intelligence sources took umbrage (ha) with WL's characterization:
> It would be possible to leave such fingerprints if the CIA were re-using unique source code written by other actors to intentionally implicate them in CIA hacks, but the published CIA documents don’t say this. Instead they indicate the UMBRAGE group is doing something much less nefarious.
> They say UMBRAGE is borrowing hacking “techniques” developed or used by other actors to use in CIA hacking projects. This is intended to save the CIA time and energy by copying methods already proven successful. If the CIA were actually re-using source code unique to a specific hacking group this could lead forensic investigators to mis-attribute CIA attacks to the original creators of the code. But the documents appear to say the UMBRAGE group is writing snippets of code that mimic the functionality of other hacking tools and placing it in a library for CIA developers to draw on when designing custom CIA tools.
I think it's going to be severely abused politically.
I've already seen a few people on the right saying it means the DNC hack was 100% fake.
And I've already seen a security researcher on the left saying it has nothing to do with the results because "they found running C&C servers in that case", like you can't buy C&C servers anywhere in the world that you want.
Neither claim makes any verifiable sense. Hacking attribution is somewhere between hard and impossible if your opponent doesn't want to be found or wants you to find someone else instead.
It's a legitimately interesting program and something to consider when these claims get made. But don't listen the politics of it. It'll be a nightmare.
The CIA pretending to be China, or China pretending to be the CIA, or someone else entirely pretending to be China pretending to be the CIA, or vice versa.
So what are you implying with that ambigous and opaque statement ?
Some possible reasons:
* They comparmentalise information better?
* They don't use private contractors ?
* It's more dangerous to leak material in those countries ?
* ...
* ...
* ...
Likely has a lot to do with the countries themselves. Russia and China have much stricter governments and the values on freedom and privacy aren't as widely respected - so not as many leakers pop up.
Definitely a coincidence that it was within a week of Sessions being taken to task over his involvement with Russia and a Trump adviser being told by the SSCI to retain information about contact with Russia.
We all know there's no chance this is smearing US intel agencies during an investigation.
Don't believe anything from Assange until it's confirmed by the tech companies themselves. Ask the security teams at each of these companies if they received any information from Wikileaks. From the people I know at the affected companies, no one has heard anything yet. Assange should not get the benefit of our trust.
Please make a list of firms which have provided these comments denying that Wikileaks has provided them with information while claiming to have done so. This way others are able to confirm your comment. Otherwise it's really hard to take your comment seriously.
I would ask the same in the opposite direction. Please make a list of companies that have positively confirmed they're receiving help from Assange. So far, there is no public evidence beyond a tweet from Wikileaks.
I know it's not normally a good idea to comment about voting and comment position, but there are a lot of people talking about this issue on HN and this comment is one of the few written by someone directly engaged with these issues. If Dan says he hasn't heard anything from any security team he's familiar with, that's not dispositive, but given how connected Dan is, it's certainly a real data point.
I say this because it would make sense to vote a comment like this down if it was just a random opinion. I agree: "don't trust Assange" is kind of a banal sentiment (I share it, but I wouldn't claim it was interesting enough to showcase). But that's not all Dan is saying.
(I haven't heard anything either but, I mean, I've only known about this for about 3 minutes now).
Very few people at these companies would have any idea about the vulnerabilities and even less would know where the reports came from. Big tech companies realize that they employee a lot of people and heavily restrict who can know about the reported vulnerabilities,me specially before they're patched. To think that those "privileged" people would tell you about it is asinine, especially regarding this very high profile event.
"Companies to get" implies future tense, not past. Thus it makes sense the companies have not received them yet. But I agree that confirmation from the companies once they receive would be very nice.
"Assange" the person may not be trustworthy, but Wikileaks the organization he created is, so far, beyond reproach. They have never released false data.
Yet every time there's a significant release, politics-as-team-sport morons conclude that since their team has been shown in a bad light, it's all a pack of lies. This is how the media can lead us around by the noses: our memories rarely span the last week.
You can mislead and shape narrative with editorialized releases. It's the goal of most propaganda efforts to only use true statements.
I find it troubling that people conclude they're "beyond reproach" just because the facts are true.
That doesn't make them non-biased, mean they're not intending to distract or mislead, say anything about their framing, analysis, or editorial content, etc.
Like here: a suspiciously timed leak of sensitive US documents which largely seem to be intended to scare and distract, not show legitimate wrong-doing.
Misleading implies falsehood of some sort, but they're releasing the actual paperwork absent anything other than an introductory statement about the collection of as a whole, which does not equate to "framing, analysis, or editorial content" in my mind.
Negligence counts as wrong-doing to me. The leaks prove that the CIA has lost control of their malware cache. And on the positive side, it gives the affected parties the means to patch their code.
'not releasing false data' doesn't make you beyond reproach. That's like saying some doxxer is beyond reproach because they never got someone's address wrong.
Apparently "beyond reproach" was the wrong wording above, but now I'm unable to edit it.
That said, given how often "trustworthiness" is used as a mental shortcut for "believing anything they publish", it's still a knee-jerk worth fighting against. None of Wikileaks' released documents in their history have proven to be false, and so they are still reliable as a source.
No argument there. But the response is typically not to what they publish, it's to the combination of the data and their added spin. It's not 'video from an already widely reported incident' it's 'Collateral murder'. And onwards.
> He claimed that an anti-virus expert, who was not named, had come forward to say that he believed sophisticated malware that he had previously attributed to Iran, Russia and China, now looked like something that the CIA had developed.
That sounds very like something I read on Robert Graham's Mar 7 comments[1] on the leak:
> Already, one AV researcher has told me that a virus they once suspected came from the Russians or Chinese can now be attributed to the CIA, as it matches the description perfectly to something in the leak.
1: http://blog.erratasec.com/2017/03/some-comments-on-wikileaks...