
The CIA Campaign to Steal Apple's Secrets (2015) - colinprince
https://theintercept.com/2015/03/10/ispy-cia-campaign-steal-apples-secrets/
======
tgragnato
> The security researchers also claimed they had created a modified version of
> Apple’s proprietary software development tool, Xcode, which could sneak
> surveillance backdoors into any apps or programs created using the tool.
> Xcode, which is distributed by Apple to hundreds of thousands of developers,
> is used to create apps that are sold through Apple’s App Store.

> The modified version of Xcode, the researchers claimed, could enable spies
> to steal passwords and grab messages on infected devices. Researchers also
> claimed the modified Xcode could “force all iOS applications to send
> embedded data to a listening post.” It remains unclear how intelligence
> agencies would get developers to use the poisoned version of Xcode.

Sounds suspiciously like XcodeGhost:
[https://en.wikipedia.org/wiki/XcodeGhost](https://en.wikipedia.org/wiki/XcodeGhost).

This is probably worth a reference to Ken Thompson's "Reflections on Trusting
Trust".

------
nickelcitymario
Nothing in this article is surprising. I mean, honestly, if you don't think
the CIA is actively trying to gain access to your devices, WTF do you think
they do all day?

I'd be more concerned if the intelligence agencies of the world WEREN'T doing
this. It's their purpose. It's what we pay them for with our taxes.

Of course we should also always root for tech companies to stay one step
ahead. But infosec is an arms race, and I sure hope my own country's
intelligence agencies (CSIS and the CSE in Canada) are doing their best to
stay ahead of, say, North Korea or Russia.

(Please note: I'm not saying violating our privacy is OK, any more than I'm
saying it's cool to launch nuclear weapons. But if anyone's going to have the
ability to hack my phone or launch a nuke, I want it to be the people on my
own team. This seems like basic self-interest and survival strategy.)

~~~
whatshisface
> _WTF do you think they do all day?_

One would hope that they were trying to gain access to someone else's devices,
as opposed to turning the guns towards their own citizens and economy. If a
soldier showed up at my door and pointed their gun at me, my reaction wouldn't
be "of course you're doing that, your job is to point guns."

~~~
dictum
I'm yet to see a clear explanation for citizens not being as much of a risk
as, say, a random foreigner located far away from your country.

If anything, a citizen is more capable of carrying out a terrorist attack, or
just doing any action some foreign power wants to perform in that country.

The exception for domestic citizens seems to be just a concession for the
masses and their representatives, not a pragmatic choice.

Edit: a pragmatic reasoning could be compartmentalization — keeping citizens
under the watch of a separate entity (e.g. FBI) but it doesn't explain why
domestic mass surveillance should be ruled out.

~~~
marnett
The American revolution was started because citizens did not want the
government in their homes.

~~~
nickelcitymario
I don't think that's historically accurate. Please correct me if I'm wrong,
but wasn't the battle cry of the revolution "no taxation without
representation"? It wasn't about privacy, it was about wanting to be more than
just a backwater colony.

~~~
max76
"No Soldier shall, in time of peace be quartered in any house, without the
consent of the Owner, nor in time of war, but in a manner to be prescribed by
law." -- The 3rd Amendment

The early revolutionary war history overly simplified is something like this.
Britain increases taxes on America. America stops paying taxes. Britain
increases military presence to force America to pay taxes. America fought
against the British military.

During the increased British military presence in America the British
government did terrible things, including living in civilians' homes and eating
their food. This is what the parent comment meant when he said "The American
revolution was started because citizens did not want the government in their
homes." Ultimately, the British government was in American homes to help the
tax collection effort, so your idea of early Americans caring a lot about
taxation is also true.

~~~
HeWhoLurksLate
Also, bootleggers who made money by smuggling stuff for cheap and selling it
right below the full tariff price and weren't happy about the British _ending_
their tariffs and making them lose money.

Also, the whole _trial by jury of peers_ was really great for those like John
Hancock (the guy who signed his name really big on the Constitution) who got
in trouble with the British for smuggling and then would be invariably found
not guilty _by his employees_. When military trials came into place, Hancock
and his distributor buddies started getting jail time.

Also, by the way, Hancock shipping basically had a mob, who were responsible
for a bunch of the rioting in Boston and likely the related Tea Party.

Just wanted to point out that America wasn't exactly formed out of _ideology_.

By the way- that big signature? Essentially the largest political middle
finger _ever_.

~~~
max76
I did say my history lesson was oversimplified. The question of _how_
Americans avoided paying taxes is always interesting, not just during this
time period.

------
CalChris
How is _pen testing_ of iPhones _stealing_ Apple's secrets? Does Apple know
these holes are there and they're keeping them secret?

I'll grant you that if the CIA broke into Apple and stole keys, that would
be stealing along with breaking and entering or the cybercrime equivalent. But
that's not what the article says.

~~~
DINKDINK
>How is pen testing of iPhones stealing Apple's secrets?

Did you read the article? The CIA -- in addition to pentesting -- is trying to
exfiltrate GID keys of Apple devices. That is quite literally, trying to steal
Apple's secrets -- not checking which systems have vulnerabilities.

~~~
CalChris
Thank you, I did read the article. No, that's pen testing.

~~~
DINKDINK
I guess we disagree then. Pen testing to me is: "Can I steal your key? Here, I
have a proof that I can steal it." Actually exfiltrating (not necessary to
produce a proof that you were able to view it) so that you can produce
fraudulent signatures is completely orthogonal to exfiltration.

------
dang
Discussed at the time:
[https://news.ycombinator.com/item?id=9176538](https://news.ycombinator.com/item?id=9176538).

------
nickpsecurity
“Apple led the way with secure coprocessors in phones, with fingerprint
sensors, with encrypted messages. If you can attack Apple, then you can
probably attack anyone.”

They really didn't. There were cryptophones, such as Cryptophone, doing secure
messaging and stuff before Apple. Julian Assange used one IIRC. High-assurance
security did stuff like Sectera Edge with some side-channel shielding, too.
Then, there were companies like OK Labs building minimal, trusted, computing
bases into phones with stuff like Android sandboxed in user-mode. Sensitive
stuff ran outside. Then, Apple got into the game. They could still copy some
of these techniques for improved security on top of what they're doing
already.

[https://www.cryptophone.de/](https://www.cryptophone.de/)

[https://web.archive.org/web/20080408152145/http://www.gdc4s....](https://web.archive.org/web/20080408152145/http://www.gdc4s.com/content/detail.cfm?item=32640fd9-0213-4330-a742-55106fbaff32)

[https://web.archive.org/web/20110219075132/http://www.ok-lab...](https://web.archive.org/web/20110219075132/http://www.ok-labs.com/solutions/secure-hypercell-technology)

~~~
jasonvorhe
Apple still led the way: Because Apple did it, Android vendors followed suit.

Cryptophone and the other products were a niche market and no one really knows
if they are good enough to withstand a nation state attack or if they are just
good enough to provide better opsec for companies than regular phones did.

------
otakucode
> Brennan said the CIA reorganization will be modeled after the agency’s
> Counterterrorism Center, which runs the U.S. targeted killing and drone
> program.

I always like to remind people when this comes up - The CIA is a civilian
agency. They are not military. They have no legal right to engage in anything
remotely resembling military action. Their only legal behavior is to collect
international intelligence, though they seem to be capable only of doing
everything outside their mandate and not within it. Why they weren't disbanded
after the USSR imploded into bankruptcy 2 weeks after they had delivered a
report claiming that the USSR was 'not a paper tiger' and 'growing stronger
every day' and that they would continue to present the largest threat to the
US on the global stage for the foreseeable future I have no idea. Most
amateurs could have told you the USSR was on its last legs after years of
scientists and members of their military reporting not being paid for years at
a time. But the CIA was absolutely certain that they were doing great. And
they should know, they had devoted stupendous resources to their intelligence
work there. But, nope, they didn't see it coming at all.

------
_robbywashere
It’s funny because it appears, looking at the history of data leaks, security
breaches etc - our biggest threat appears to be our _insecurity_. Perhaps they
should work the other way, assisting people and entities of this country to be
MORE secure, not LESS.

------
jokoon
One thing is sure, is that the Snowden leaks really made me realize that
countries won't bother with morals to improve national security and advance
its capabilities, but in the end, it's just another debate that Machiavel has
answers for.

I think that communication technologies, and high speed internet becoming so
widespread, created a big new battlefield which is particular because it's not
so violent and ugly.

There aren't clear military laws about the internet like there are for other
battlefields, like the Geneva Convention, and that makes all of this so
interesting.

------
auslander
Apparently they had no problems with Android devices.

------
exabrial
Dear CIA:

I have information regarding top secret Apple swipe to unlock technology
patent.....

------
tgb29
I hope the CIA steals Apple's ability to innovate

~~~
C1sc0cat
_cough_ A12 _cough_

