
In what is surely one of the most astounding intelligence own goals in living memory, the CIA structured its classification regime such that for the most market valuable part of "Vault 7" — the CIA's weaponized malware (implants + zero days), Listening Posts (LP), and Command and Control (C2) systems — the agency has little legal recourse.

The CIA made these systems unclassified.

Why the CIA chose to make its cyberarsenal unclassified reveals how concepts developed for military use do not easily cross over to the 'battlefield' of cyber 'war'.

To attack its targets, the CIA usually requires that its implants communicate with their control programs over the internet. If CIA implants, Command & Control and Listening Post software were classified, then CIA officers could be prosecuted or dismissed for violating rules that prohibit placing classified information onto the Internet. Consequently the CIA has secretly made most of its cyber spying/war code unclassified. The U.S. government is not able to assert copyright either, due to restrictions in the U.S. Constitution. This means that cyber 'arms' manufacturers and computer hackers can freely "pirate" these 'weapons' if they are obtained. The CIA has primarily had to rely on obfuscation to protect its malware secrets.

One of the more interesting passages. The arsenal must not be classified to protect those who deploy it from legal action. This cyberwarfare kit, which can just as easily be used to destroy the US as one of its enemies, is public domain software created and released at US taxpayer expense.

> Command & Control and Listening Post software were classified, then CIA officers could be prosecuted or dismissed for violating rules that prohibit placing classified information onto the Internet. Consequently the CIA has secretly made most of its cyber spying/war code unclassified.

This is almost hilarious.

Not that being classified would make any difference: cyber-"weapons" have something in common with biological weapons in that they're prone to leaking and blowing upwind, but also once used it's possible for the enemy to vaccinate against them.

Obviously there's a difference between cyber and conventional weapons, but imagine if the same rationale were extended to physical munitions: "We can't drop this bomb on the enemy, it contains classified technology"

While the weapon too secret to use sounds very Dr Strangelove, there have been slightly similar things with real weapons. The one I remember is when radar-triggered proximity shells were invented at the end of WW2 they were only issued for use on ships, so that undetonated shells would fall into the sea, so couldn't be recovered and investigated by the enemy.

Another case, also WWII:

"[U]naware of the opposing air force's knowledge of the chaff concept, planners felt that using it was even more dangerous than not, since, as soon as it was used, the enemy could easily duplicate it and use it against them... for over a year the curious situation arose where both sides of the conflict knew how to use chaff to jam the other side's radar, but refrained from doing so fearing that if they did so the other side would 'learn the trick' and use it against themselves."

Which makes perfect sense. Any weapon leaves some trace (even if only new theory as to what is possible), so its use against a party that does not have that technology but is capable of understanding the technology at some level will always give information to the enemy.

Using a modern missile against an indigenous people will only impart that you are capable of that type of attack.

Using a modern missile against WWII Germany would likely quickly result in refinements to their V2 Rocket program, given enough remains to study.

Using a modern missile against Vietnam era USA would likely result in advancements in miniaturization and computation, given enough remains (even if they did not have the resources/facilities to capitalize on some aspects of those for years, I think it's likely it would advance the fields by at least a few years).

One of the biggest advantages the Allies had in WWII was that they had cracked the "uncrackable" Axis encryption. Even though they were able to decipher enemy messages, they often didn't act on that information because that would tip their hand. The strategic value of reading the enemy's messages is enormous when the enemy doesn't know you can do it, and much less so, and possibly even negative, when they do know.

This is like the second law of thermodynamics as applied to warfare...

It's also along the lines of Sun Tzu-esque deception.

I suppose the modern examples are the constant probing of air defenses by the attacker (i.e. the US and its array of electronic warfare suites), and the game theoretic calculation by the defender on whether to turn on their radars or not...

You don't just have to worry about the people you are attacking. Their allies can also reverse-engineer the tech. Pakistan and China come to mind. Pakistan has given China a lot of tech that it's recovered.

True, but this is somewhat covered by considering everyone not us an enemy of some degree or another, which is natural in game theory.

Well you mentioned the Native Americans, they had allies here too. Each major tribe was allied with a major power. So if you used it against them, even in that case someone could get a hold of that tech and it could come to bite you in the ass later. Interesting example is the fact that Native Americans in the US were very soon all very well armed by their allies in terms of guns and ammo, and they used the armaments given to them by their allies to attack each other. Life in general is more than capable of cooperating when it is not competing even with beings that have little to do with each other. This in the end is called the Red Queen's race https://en.wikipedia.org/wiki/Red_Queen's_race https://en.wikipedia.org/wiki/Red_Queen_hypothesis.

Wow! I heard that when the UK began using radar to down enemy planes at night during WWII, the gov't claimed the pilots had been "eating a lot of carrots."

Yep, there's still a common belief in the UK that eating carrots gives you good night-vision, entirely because of that cover story.

On that note here's an image of a badge from Detachment 4 of the 18th Intelligence squadron based out of Feltwell Norfolk. Note the Carrot: https://en.wikipedia.org/wiki/18th_Intelligence_Squadron#/me...

And elsewhere in the world

IIRC there was a claim that the shells with the proximity fuses were also used, likely by Patton's forces, in the Battle of the Bulge. Supposedly having the shells explode at a carefully determined distance above the ground made the shells especially effective against German ground troops.

IIRC the proximity fuses were developed at the Johns Hopkins University Applied Physics Laboratory (JHU/APL); that is the story I got when I worked there.

IIRC, the shells were also especially effective as anti-aircraft artillery.

> having the shells explode at a carefully determined distance above the ground made the shells especially effective against German ground troops

It does. WWII tanks' armor is mostly concentrated to the front and sides, because those tanks are designed to force enemy lines against ground-bursting shells, field pieces, and other tanks, all of which fire mostly on low trajectories; what's on top is much thinner, because no one expects to need to withstand a lot of damage there. Bursting a shell above ground level throws a lot of fragments at that weak armor, where a ground burst mostly wastes them against armor designed to withstand direct hits from much more powerful weapons. For infantry, it's even worse; the whole point of a trench or a foxhole is to put a thick layer of earth between you and all the metal that's flying around at ground level. When an airburst can send fragments right down into the hole with you, that earth doesn't help one bit.

Fun fact: "daisy cutter" bombs work the same way. Up until Vietnam at least, their proximity fuse was on the end of a rod protruding a few feet from the nose of the bomb. Low-tech compared to a radar proximity fuse, but fearsomely effective; probably the only reason you wouldn't find it on a shell is that, unlike an air-dropped bomb, a shell has to withstand the force of being fired from a gun, and I doubt any such expedient could. (That's also why bombs tend to be so much more effective than shells, even when no more accurate. When the strongest force involved is 1g, you can spend a lot less mass on structure, and a lot more on explosive.)

The Swedish military has a lovely man portable anti-tank weapon built on this principle.

The sight is arranged so that if you aim at the tank, the weapon is actually aiming above it. Then the round will detonate as it passes over the target, sending a molten metal shaped charge right down.

The Germans in WWII could have brought the British to their knees with magnetic mines alone, but one German aircrew dropped their mine intact on mud flats instead of into the water, allowing the British to recover the mine intact and develop countermeasures.

This in fact has happened in real life: e.g. in WWII proximity fuse antiaircraft shells were not used in the European theater for fear unexploded examples would be reverse engineered by the enemy. They were used in the Pacific where it was reasoned they would fall into the ocean where they would be unlikely to reach enemy hands.

This is certainly a big headache not just for munitions but lots of military equipment. A famous recent example was the Navy Seals blowing up one of their (experimental) Stealth Black Hawks when it was damaged while landing during the Bin Laden raid.

scuttle (verb):

sink (one's own ship) deliberately by holing it or opening its seacocks to let water in

Scuttling isn't just for the sake of classified technology (which usually has been separately rigged to be easily destroyed without destroying its carrier.)

The more important role of scuttling—at least during wartime—is to prevent the ship you just abandoned getting hauled into the enemy's shipyard as a "prize" and restored to service with its guns pointed back toward you.

This is also more toward what is meant by Naval captains "going down with the ship" during battle: they stick around to act as a guard (and proximity fuse) for the scuttling charges, so that whoever just disabled the vessel can't just hop on-board and drive her home. (And, just maybe, catch a large enemy marine contingent in a grand old explosion if they try.)

After WWI the German fleet was scuttled (by the Germans) in Scapa Flow to prevent the Allies from using them. Notable quote from British Admiral Wemyss:

> I look upon the sinking of the German fleet as a real blessing. It disposes, once and for all, the thorny question of the redistribution of these ships.

Also of note - in WWI ships had been deliberately scuttled ('the Blockships') to secure the smaller entry ways into Scapa Flow; by WWII these (and the anti-submarine netting in the larger channels) were shown to be inadequate when U-47 sank the HMS Royal Oak. This attack led to the building of the Churchill Barriers, without which I doubt we would have anywhere near as strong a community as we currently have in the Orkney Isles.

Today the wrecks of both the German Fleet and the Blockships are excellent shallow dive sites in slightly chilly water. If you dive I strongly recommend going to Orkney.

I believe this also occurred during the recent raid in Yemen. Seems our secret helicopters are one time use only...

I don't think the difference is so obvious even that far in the future, or even right now. If you targeted an attack correctly, I'm pretty sure you could achieve a statistical range of casualties. Does it matter that you used data instead of bombs?

The US chemical weapons program is downright frightening. Unlike these exploits which you can just leave in an office and never use (and which can subsequently go stale as people find and patch exploits), chemical weapons were stored in massive US facilities and many of them have started leaking over the years:

> The US chemical weapons program is downright frightening.

Was: they committed to destroying those weapons, and have been doing so for 24 years. They were 89.75% complete in 2012. The video you linked was from 1973.

Just like they committed to revealing exploits to the tech industry instead of hoarding them?

> Just like they committed to revealing exploits to the tech industry instead of hoarding them?

I think you're letting your cynicism get in the way of truth and understanding.

The US has signed and ratified a treaty committing to destroy all chemical weapons and never produce them again [1], and it has built the infrastructure to do so [2] [3].

It's conspiracy-nut territory to think the US is simultaneously stockpiling chemical weapons in some super-secret program without good evidence for it.

[1] https://en.wikipedia.org/wiki/Chemical_Weapons_Convention

[2] https://www.youtube.com/watch?v=7u-ACe1CBfA

[3] https://www.youtube.com/watch?v=wftLydix0Nw

Mass surveillance was conspiracy nut territory.

Widespread market fixing, libor, gold, silver was conspiracy nut territory.

The US engaging in black sites and systematic torture was conspiracy nut territory.

But criticizing your pro-Government apologia only results in comments being banned and removed -- perhaps just more conspiracy nut territory?

So where's your evidence that the US is secretly stockpiling chemical weapons? Note: a cynical claim that "they're all liars." is not evidence.

Or am I supposed to trust a stopped clock [the nuts] since it was shown to be right twice a day?

There's a bit of difference between mass surveillance and the infrastructure necessary for a viable chemical weapons program. Assuming a major nation state would even want to, considering their rather limited tactical value on the modern battlefield.

Anyhow, the Organization for the Prohibition of Chemical Weapons out of The Hague oversees compliance with the Chemical Weapons Convention. That includes verifying the destruction of stockpiles and weapons facilities as well as industry inspections that closely monitor precursors, as well as investigating cases of alleged production or usage. As of last October, 93% of declared stockpiles have been destroyed and independently verified by the OPCW. You don't have to take the US government's word for their numbers.

I am taking issue with this. This was not conspiracy wing nut theory. As far back as 2004 cybersecurity (for lack of a better term) experts were reporting repeatedly that governments (not just the USA) were exponentially using exploits, as were other unknown or non-govt actors, and other techniques for malicious reasons, from spying on citizens to hacking infrastructure. Here's just a nice litmus of that:

Here is even a Heritage Foundation report talking about sharing privacy keeping technologies with the government in the name of 'fighting terrorism':

and here is the ACLU sounding the alarm in August of 2004:

Ironically, it's around the same time the NSA purported to have their own 'rules' in how they gather, which were obtained here:

and of course, not more than a few years later we have these reports:

It was never a wing nut conspiracy theory. It's just that nobody was looking close enough to care.

It was the scale of this kind of thing that was considered conspiracy theory.

It's not even that. Reading through the ample material I have cited it's clear that the scale was well defined. The ACLU even cited it as one of their primary concerns, and even in the PBS doc they mention that it's a natural evolution, and that was in 2001.

I'm not convinced in any way this couldn't be foreseen if people would've paid more attention.

How can one not have a whole giant mountain of cynicism with all we've become aware of in the last few years? We could just as easily turn the tables and call you irresponsibly naive.

While I get where you're coming from with cynicism, any deployment of chemical weapons by a belligerent is almost certainly a war crime under several international accords, most notably the Geneva Protocol[0]. As someone upthread pointed out, their production is also the subject of several more. All the NSA/CIA disclosures we've seen thus far are not, themselves, war crimes. The international community, with some exceptions, came to the consensus that chemical weapons are not a good thing about a century ago, while offensive hacking is a much more recent development (obviously) and basically the wild west right now. Comparing chemical weapons to offensive hacking simply because they're both big government naughties is disingenuous, to say the least.

My bar of cynicism is a little higher when you're talking about the United States discreetly stockpiling mustard gas versus taking down a smartphone, you know? (Maybe I, too, am irresponsibly naive.)

[0]: https://en.wikipedia.org/wiki/Geneva_Protocol

Ah, yes, war crimes. The US definitely fears those, and would absolutely never shoot on POWs, rape civilians, commit mass murder, drop chemical weapons on fighters and civilians indiscriminately, use multiple atomic bombs on civilians, torture, etc. (https://en.wikipedia.org/wiki/United_States_war_crimes)

They are so terribly afraid of committing war crimes they do not recognize the International Criminal Court and are ready to invade any country trying an American soldier.

Surely the US would never do that!

All I said was my cynicism bar is a little higher for war crimes as opposed to hacking a phone, or capturing email. That's it. Not trying to argue or state any position or claim beyond that.

> It's conspiracy-nut territory

While I agree, it was also considered conspiracy-nut territory to have believed most of the stuff in this leak. Look at how the wider tech community treats people like McAfee and Stallman.

What's that Sinclair quote people like to throw around on here again? Oh yeah, "It is difficult to get a man to understand something, when his salary depends upon his not understanding it!"

> McAfee

Yeah, why won't people respect the opinions of a meth-cooking, bath-salt abusing, murderer who lived in Belize with underage 'girlfriends'?

A few things that were considered conspiracy nut territory have been revealed to be true over the last few years. It might be time to stop throwing that dismissive pejorative around when talking about (at the very least) our western governments.

More importantly, it's a bit stupid/outdated to stockpile dangerous stuff when you have the facilities to produce it if/when it is actually needed.

I think the idea of it was that if a war happened the facilities to create it would be bombed.

It sounds like you're just saying this without doing any kind of real comparison between the probably very different scenarios.

The official policy is to use the VEP. https://epic.org/privacy/cybersecurity/vep/

I did not watch your link, but many modern chemical weapons are binary compounds. Meaning the two compounds have to be mixed to get the final weapon. This makes leaking etc. not as big a problem as leaking of actual chemical weapons...

Once things start leaking you're a very small step away from them mixing accidentally.

Unless containment has been set up in such a way that this is a geographical impossibility (for instance, on two sides of the Rocky mountains to stop accidental mixing in groundwater).

That is one of the saddest 30 minutes of video I have seen up to date.

>once used it's possible for the enemy to vaccinate against them.

So think long term...

Is this an inoculation game >10 years out????

Classified or not, works of the federal government are all in the public domain. And classification is not legally relevant to anyone except to those entrusted with protecting classified data.

This is often overlooked, but very correct.

"Classification" only pertains to how the material should be treated within the government.

Once it's out, the only penalty can fall on the person who let it out into the wild.

A person with a clearance can get in trouble for knowingly accessing or spreading the data, even after it is already released in the wild. The data is still considered classified, even after the leak. So those who are entrusted with a clearance still have to fulfill their duties to protect it.

But, yes, a random citizen has no responsibility or rules they must follow.

I would be careful also if you think you might need to get a clearance in the future. I was in college during the initial Wikileaks Manning dump and I remember getting an email from the DoD forwarded through the Physics department that viewing or sharing classified Wikileaks info could prevent us from getting a clearance in the future even if we did not have a clearance at the time.

And that's when you laugh and cite https://www.law.cornell.edu/uscode/text/18/793 subsection (e) wherein you have never transmitted nor believed the documents in question to be harmful to the defense of the United States.

Especially in this case as these are all offensive tools.

The other commenter is right. The government can deny a clearance for more or less any reason they choose. With that being said I did laugh and read the news articles anyway. Never caused me any problems but who knows maybe this comment will.

Then they laugh and deny you clearance because they can.

Are you implying that offensive tools cannot be useful for defense? Really?

That's typical damage control though, not really legally binding; you'd have to prove that x or y viewed/shared said content. Proving/knowing this is either going to be nigh impossible or downright obvious, thereby placing you in the category of an activist (deemed "anti-state" or at least subversive) which would be the real reason to refuse clearance.

However, this is not the case for information that is defined as "Restricted Data" under the Atomic Energy Act - you can get life in prison for passing that on to someone.

That is the fun part, attacking with a virus is basically the same as releasing the code (modulo IDA pro). So a US government official can not use a classified virus, while everybody else can.

Is this why we hear about "state-sponsored actors" and the distinction between them and the state itself?

> This means that cyber 'arms' manufacturers and computer hackers can freely "pirate" these 'weapons' if they are obtained.

Does the author really think that if the tools were exposed then people who wanted to use these tools actually wouldn't simply because they were labelled "classified" somewhere?

The bigger issue I think is when the prosecution of the CIA leakers happens. If the material is unclassified, they're just distributing materials that are public domain and definitely in the interest of the public. If it's classified, it's a breach and they should be punished in some way.

From the article it says that the files were circulating in the wild, so if this was not leaked to Wikileaks then "the bad guys" would continue using this and the public would not know.

I think that's referring to people who want to sell them, like the people who supply cracking tools to questionable governments.

Lol like anyone in this field cares about copyrights. It is like suggesting that North Korea cannot build nuclear bombs because doing so would infringe US patents. Some things are above IP rules.

Think about it. Having the code copyrighted would leave a paper trail.

Not really; copyright is mostly implicit. If US law made all code developed for the purposes of the CIA automatically copyrighted, the code would be copyrighted. Right now the law says it isn't, so it isn't.

Having code be copyrighted does not require any explicit registration.

Yes and no. The law says that works of federal government employees aren't to be protected. But it is unclear whether this only applies within the US or whether the US government can assert those copyrights against non-US entities. It's a constitutional question never clearly addressed. Also, these tools could easily be the work of contractors rather than government employees. The fed can own/purchase/assert copyrights in such works. We do not have enough facts to say they are surely public domain.

Perhaps what parent meant was that exclusive use of the code by agency would lead to easy post attack origin analysis, so by leaking the code in obfuscated form a few other people inevitably stumble on it and use it which generates a form of cover traffic for the original agents.

And "pirating" copyrighted code doesn't either, so they'd have no way of knowing anyway. Basically, anyone who would use this would likely wouldn't care if its classified or not and copyrighted or not.

This is TOTALLY wrong.... All code developed by the US Government is PUBLIC DOMAIN.

The correct part is a work does not have to be registered to have copyright protection. You are also correct that works created by the U.S. federal government do not have copyright protection; they're in the public domain. However, and I think the post you're responding to implies this, copyright protected work may be licensed by the federal government without losing its copyright, and I think in at least some circumstances works can be created by contract for the federal government and retain copyright protection.

I don't think I've followed the larger point, I don't see how copyright is relevant to the production or dissemination of malware.

Copyright is an intrinsic property of a work in every legislation I have ever heard of.

What's the mechanism for that?

Why do they make such monumentally short-sighted, clearly bad decisions? Is it weak technical leadership (weak political or just old fashioned weak)? What is the internal logic these people use to justify pure folly that's probably done more harm than good even to their own interests and goals? Baffling.

Nobody makes "decisions" like this in an organization with the level of complexity and bureaucracy that the CIA has. A lot of these decisions can be seen more as emergent behavior, subject to politics, short-term immediate incentives, and the pragmatic observation that any attempt to make significant changes (i.e. "change the laws around classification of documents") has such a high time horizon that it's better to bypass the law than try to fix it.

All of this makes more sense when I imagine smaller groups within the bureaucracy with narrow objectives and severe myopia trying to "solve" immediate problems to achieve short-term objectives. It makes my skin crawl to contemplate but the truth is that human beings do this sort of thing all the time.

I think you're right, as if you look at behaviors as the result of a rational decision-making process, it seems the sort of "decision" only an insanely self-destructive person or organization would make.

That passage is just dumb. Copyright would not stop hackers from using the tool once it is leaked.

I think what it's trying to convey is that there's absolutely no legal recourse in any capacity for the CIA at this point to try and do any sort of damage control.

I am bemused by the naivete that they would care about legal recourse and not just blackbag you and Gitmo2.0 your posteriors if they felt like it.

That's difficult when a large company like Google or Microsoft uses the tools as part of their development process to make their software more secure. These are organizations with a very large megaphone if the CIA did that to their employees.

What exactly can Google or Microsoft do to a state actor like the CIA that's decided their employees are fair game? Not much.

So then there would be no justifiable reason to reject a FOIA request for the source code.

I'm going to assume that the response would be that there is no such thing as Vault 7, a digital capability or even the CIA.

No, it will be the Glomar defense or nothing at all.

"classified" is not the only reason FOIA requests are denied.

I honestly think this makes sense, based on how government bureaucracy is. Obviously everything else about it is classified.

> The CIA has primarily had to rely on obfuscation to protect its malware secrets.
