
Wikileaks is offering tech firms CIA files first - marksomnian
http://www.bbc.co.uk/news/technology-39221421
======
ttctciyf
From the BBC:

> He claimed that an anti-virus expert, who was not named, had come forward to
> say that he believed sophisticated malware that he had previously attributed
> to Iran, Russia and China, now looked like something that the CIA had
> developed.

That sounds very like something I read on Robert Graham's Mar 7 comments[1] on
the leak:

> Already, one AV researcher has told me that a virus they once suspected came
> from the Russians or Chinese can now be attributed to the CIA, as it matches
> the description perfectly to something in the leak.

1: [http://blog.erratasec.com/2017/03/some-comments-on-wikileaks-ciavault7.html](http://blog.erratasec.com/2017/03/some-comments-on-wikileaks-ciavault7.html)

~~~
mikeyouse
The post you link directly contradicts this:

> _There's no false flags. In several places, the CIA talks about making sure
> that what they do isn't so unique, so it can't be attributed to them.
> However, Wikileaks's press release hints that the "UMBRAGE" program is
> deliberately stealing techniques from Russia to use as a false-flag
> operation. This is nonsense. For example, the DNC hack attribution was live
> command-and-control servers simultaneously used against different Russian
> targets -- not a few snippets of code._

~~~
problems
Nothing about "active command and control servers" is strongly attributable.

They aren't signing them with Russian government certificates or running them
from Russian government IPs.

They're buying servers or VPN connections on public providers. The notion of
"strong attribution" in and of itself is basically impossible in the field of
malware unless someone steps up and shows you the source. Those are things
anyone can do. They're only doing a probabilistic analysis assuming no one
else knows them, which makes many very large assumptions - like no one else
wanting to fake Russian malware.

He comes off quite partisan in my opinion - his Twitter pretty much confirms
it as he compares Wired to Breitbart. I wouldn't listen to a word this guy
says on the topic.

~~~
mikeyouse
> They're buying servers or VPN connections on public providers. The notion of
> "strong attribution" in and of itself is basically impossible in the field
> of malware unless someone steps up and shows you the source. Those are
> things anyone can do. They're only doing a probabilistic analysis assuming
> no one else knows them, which makes many very large assumptions - like no
> one else wanting to fake Russian malware.

Strong Attribution is definitely a difficult task and unless someone admits
guilt, you'll have to rely on probabilities but the combined CrowdStrike,
SecureWorks, and ThreatConnect reports give a fairly strong basis of where to
place blame for the DNC servers. I'd imagine our intelligence agencies have
their own methods of attribution that we won't learn of for a long time.

As for Rob, this feels like a pretty balanced opinion:

> _The DNC hacks have strong evidence pointing to Russia. Not only does all
> the malware check out, but also other, harder to "false flag" bits, like
> active command-and-control servers. A serious operator could still false-
> flag this in theory, if only by bribing people in Russia, but nothing in the
> CIA dump hints at this._

> _The Sony hacks have weak evidence pointing to North Korea. One of the items
> was the use of the RawDisk driver, used both in malware attributed to North
> Korea and the Sony attacks. This was described as "flimsy" at the time [_].
> The CIA dump [_] demonstrates that indeed it's flimsy -- as apparently CIA
> malware also uses the RawDisk code._

> _In the coming days, biased partisans are going to seize on the CIA leaks as
> proof of "false flag" operations, calling into question Russian hacks. No,
> this isn't valid. We experts in the industry criticized "malware techniques"
> as flimsy attribution, long before the Sony attack, and long before the DNC
> hacks. All the CIA leaks do is prove we were right. On the other hand, the
> DNC hack attribution is based on more than just this, so nothing in the CIA
> leaks calls into question that attribution._

[https://www.threatconnect.com/blog/tapping-into-democratic-national-committee/](https://www.threatconnect.com/blog/tapping-into-democratic-national-committee/)

[https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign](https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign)

[https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)

~~~
problems
> Strong Attribution is definitely a difficult task and unless someone admits
> guilt, you'll have to rely on probabilities but the combined CrowdStrike,
> SecureWorks, and ThreatConnect reports give a fairly strong basis of where
> to place blame for the DNC servers.

That's the thing though - you can place that blame wherever you want simply
by making it look that way - buying servers from the right providers,
modifying existing malware to suit your purposes via reverse engineering, etc.
It's fairly straightforward stuff for someone in the know to do.

The probabilistic analysis does not and cannot account for fakery of this sort
- the posts you linked do not attempt to account for this at all, instead
assuming blindly that "hey, this looks vaguely like this Russian attack
group". I read his posting there - it seemed sketchy to me - then I read his
Twitter account and it explained why it seemed sketchy. He's a blatant
partisan, looking only to prove his side.

I'm not saying it's not possible it's Russia. It's quite possibly Russia.
Probable even. Just that I don't trust the only possible analysis methods at a
deep level such that I don't feel blame can be reliably laid in such a case.

------
Aqueous
Once you admit that keeping secret and controlling the release of sensitive
information has some 'harm minimization effect' - and therefore that
releasing information in the wrong way or to the wrong people is potentially
harmful - exactly where does that take the philosophy of 'radical
transparency?'

~~~
0xfeba
> He added that while Wikileaks maintained a neutral position on most of its
> leaks, in this case it did take a strong stance.

Uh huh. After the US Election debacle, I'm not so sure of that.

~~~
xienze
How quickly we forget that Wikileaks was the darling of the left when all
those Iraq War documents were released several years ago.

~~~
brainfire
They've always seen support and revulsion on both sides of the aisle. Your
partisan retcon is dishonest and shameful.

------
sand500
Pretty standard practice when a exploit is found right? Alert companies and
publicize after they patch it.

~~~
therealmarv
The standard practice for Wikileaks was once to publish everything no matter
what. I'm happy they have changed.

~~~
problems
Not really... the biggest example of this was probably the leak that happened
from Manning - but it in large part wasn't really WikiLeaks' fault; they gave
an AES 'insurance' key to a journalist who released it without really
understanding the consequences. WikiLeaks generally tries their best to
release responsibly, but it's a challenge when you get governments unwilling
to accept leakers and journalists who don't know how to handle leaks.

~~~
cmac2992
Wikileaks has a terrible record on vetting releases and being "truly
transparent". See the timing of the DNC and Podesta emails...

There were social security #'s in those releases.

They try and play both sides of the fence:

- we don't "editorialize", redact or make decisions on what is and isn't released
- release specific info with sensational headlines timed for optimal impact

~~~
problems
What's wrong with that? They simply optimized for impact.

If they were to dump all the releases months before the election no one would
have remembered them, no matter how significant.

They've done partial releases and released over time with many other leaks
too. I don't see how that conflicts with transparency or impartiality.

Put yourself in their shoes - how would you have solved it differently?

> There were social security #'s in those releases.

When you're working with data in the volumes that they are and you have
limited review staff, sometimes mistakes happen. If you'd like to help prevent
it, I believe they do accept reviewers if you've got appropriate credentials.

~~~
cmac2992
I have no problem with them optimizing for impact. But they refuse to admit
that is what they are doing. It's disingenuous at the very least.

It's not a "mistake" if PII is revealed in every single release. It is
incompetence or they are acting in bad faith. There are dozens of other
organizations that have strong records on this. Wikileaks is not one of them.

~~~
problems
> I have no problem with them optimizing for impact. But they refuse to admit
> that is what they are doing. It's disingenuous at the very least.

They've stated that's exactly what they're doing in several pieces.

> It's not a "mistake" if PII is revealed in every single release. There are
> dozens of other organizations that have strong records on this. Wikileaks is
> not one of them.

Likely because those "dozens of other organizations" don't publish many leaks
and especially not in anything approaching raw form - every single leak I've
seen in a major paper has been heavily filtered down and distilled into a
specific narrative. WikiLeaks just publishes with minimal editing - any
narrative from them is completely separated from the leaks. That rawness is
what makes them better than other approaches for getting real information out,
but it's also what makes them worse at censoring that information.

~~~
cmac2992
I'm not sure how we can square, "we are neutral", "we are optimizing for
impact", "our goal is to create conflict within the government".

> WikiLeaks just publishes with minimal editing - any narrative from them is
> completely separated from the leaks

Wikileaks is king of clickbait and creating false impressions of what data
they are and aren't releasing. Just look at their Twitter account. There are
even reports of withholding entire data sets when it doesn't fit their
narrative.

I am on board with the premise of what WikiLeaks is trying to do, but they
have flatly failed in the execution.

------
devy
> "a whole section of the CIA is working on Umbrage, a system that attempts to
> trick people into thinking that they had been hacked by other groups or
> countries by collecting malware from other nation states, such as Russia."

What do you think of Umbrage?

~~~
mikeyouse
Wikileaks is dramatically misrepresenting what Umbrage is. There are
descriptive documents that explain exactly what it is and how it's meant to be
used that were also leaked. Even the Intercept, who aren't exactly friendly to
intelligence sources took umbrage (ha) with WL's characterization:

> _It would be possible to leave such fingerprints if the CIA were re-using
> unique source code written by other actors to intentionally implicate them
> in CIA hacks, but the published CIA documents don’t say this. Instead they
> indicate the UMBRAGE group is doing something much less nefarious._

> _They say UMBRAGE is borrowing hacking “techniques” developed or used by
> other actors to use in CIA hacking projects. This is intended to save the
> CIA time and energy by copying methods already proven successful. If the CIA
> were actually re-using source code unique to a specific hacking group this
> could lead forensic investigators to mis-attribute CIA attacks to the
> original creators of the code. But the documents appear to say the UMBRAGE
> group is writing snippets of code that mimic the functionality of other
> hacking tools and placing it in a library for CIA developers to draw on when
> designing custom CIA tools._

[https://theintercept.com/2017/03/08/wikileaks-files-show-the-cia-repurposing-foreign-hacking-code-to-save-time-not-to-frame-russia/](https://theintercept.com/2017/03/08/wikileaks-files-show-the-cia-repurposing-foreign-hacking-code-to-save-time-not-to-frame-russia/)

------
swalsh
I wonder if firms are going to start using these fixes to search for people
who have touched the files in order to find... patriots...

~~~
rfrank
Almost certainly.

------
celticninja
The CIA pretending to be China, or China pretending to be the CIA, or someone
else entirely pretending to be China pretending to be the CIA, or vice versa.

~~~
ikeyany
If I had money/power, I would assume every device and account I have is
compromised in some way.

Back to pen and paper we go, until that can be compromised too.

------
plandis
I must be the only person to think it's weird that intelligence leaks are
never from China or Russia.

It's probably just a coincidence.

~~~
mickronome
So what are you implying with that ambiguous and opaque statement?

Some possible reasons:

* They compartmentalise information better?
* They don't use private contractors?
* It's more dangerous to leak material in those countries?
* ...
* ...
* ...

------
dguido
Don't believe anything from Assange until it's confirmed by the tech companies
themselves. Ask the security teams at each of these companies if they received
any information from Wikileaks. From the people I know at the affected
companies, no one has heard anything yet. Assange should not get the benefit
of our trust.

~~~
Karunamon
"Assange" the person may not be trustworthy, but Wikileaks the organization he
created is, so far, beyond reproach. They have never released false data.

~~~
SomeStupidPoint
You can mislead and shape narrative with editorialized releases. It's the goal
of most propaganda efforts to only use true statements.

I find it troubling that people conclude they're "beyond reproach" just
because the _facts_ are true.

That doesn't make them non-biased, mean they're not intending to distract or
mislead, say anything about their framing, analysis, or editorial content,
etc.

Like here: a suspiciously timed leak of sensitive US documents which largely
seem to be intended to scare and distract, not show legitimate wrong-doing.

~~~
Karunamon
Misleading implies falsehood of some sort, but they're releasing the actual
paperwork absent anything other than an introductory statement about the
collection as a whole, which does not equate to "framing, analysis, or
editorial content" in my mind.

Negligence counts as wrong-doing to me. The leaks prove that the CIA has lost
control of their malware cache. And on the positive side, it gives the
affected parties the means to patch their code.

------
WillyOnWheels
My biggest gripe is the word 'wiki' in the name of the Wikileaks organization.

~~~
greenyoda
Their site did apparently start out as a wiki. Wikipedia (another site whose
name derives from their use of a wiki) says:

_"WikiLeaks was originally established with a "wiki" communal publication
method..."_

[https://en.wikipedia.org/wiki/WikiLeaks#Staff.2C_name_and_fo...](https://en.wikipedia.org/wiki/WikiLeaks#Staff.2C_name_and_founding)

------
pinaceae
Still waiting for a leak from China or Russia. A bit weird that Wikileaks only
targets the US.

~~~
dglass
They can only leak what is given to them. There are plenty of leaks that are
not US related.

[https://wikileaks.org/-Leaks-.html](https://wikileaks.org/-Leaks-.html)

