Notepad++ V 7.3.3 – Fix CIA Hacking Notepad++ Issue (notepad-plus-plus.org)
1101 points by infogulch 197 days ago | 283 comments



I know it's annoying to hear this, but I'm going to keep saying it: this stuff is silly. The DLL injection stuff in the CIA leaks should embarrass the CIA. If you're calibrating your defenses based on the idea that application programs on Windows and OS X can defend against malware, you're playing to lose.

Here's the rootkits track from Black Hat 2008 --- keep in mind that this is almost a decade old and that it's public work:

* Deeper Door: Exploiting NIC Chipsets

* A New Breed of Rootkit: The System Management Mode Rootkit

* Insane Detection of Insane Rootkits

* Crafting OS X Kernel Rootkits

* Viral Infections on Cisco IOS

* Detecting And Preventing Xen Hypervisor Subversions

* Bluepilling (implementing a hypervisor rootkit) The Xen Hypervisor

This is just one year's work. If you summed all of it together, you're talking ~2.5 FTEs across 7 different research projects which we will very generously assume took a full year to develop (spoiler: no, none of them did). People who can write hypervisor rootkits command a pretty decent salary, but it's not 2x the prevailing SFBA senior salary. So this is at most mid-single-digit millions worth of work.

I don't know why the CIA has this team of people bumbling around with DLL injectors and AV bypasses. Maybe it's some weird turf thing they're doing against NSA? But the stuff in the CIA leaks is not the standard you need to be protecting yourself against.


The CIA probably isn't stupid. Why would they waste attacks like the ones you listed if the silly stuff simply works for most targets? Also those "silly stuff" things are perfect because anybody could have developed them and not necessarily a nation state actor.

Also just because some information got leaked, doesn't mean that there aren't more units / projects at the CIA where maybe the more skilled people are working and where the "good" attacks don't get leaked.

This looks to be the kind of stuff for the day in, day out operations.


Not only is there the difficulty to think about, there's also risk management for discovery of your exploits.

Creating antibiotic-resistant bacteria is a bad idea. Don't use linezolid when you could use vancomycin.

Don't use your fancy rootkit if the boring DLL injector you give the contractors works just as well.


Why not just use an off-the-shelf rootkit with off-the-shelf obfuscator + whatever exploits they discovered? None of the code has to be extremely valuable.

If I were CIA in the current political climate, I would simply slightly modify a Russian exploit toolchain and exfiltrate data to CIA controlled C&C. One dev can do the work and with a couple of days of effort it would get past all major AVs.


Might not want to do that in case the Russians backdoored their exploit toolchain somehow and you didn't notice.

Creating this sort of malware isn't expensive, so why not do it.


I think this crowd tends to vastly underestimate the ease of deploying and testing this stuff in a targeted and useful way.

There's a big difference between broadband spray and pray malware, and malware you actually want to hit a target with.

If you know average tools won't detect it, then why get fancy when you have something that's proven reliable and if discovered is unlikely to have your victim substantially improve their processes?


If it's public the vulnerability might be patched. The whole point of these is that they were secret (though the concepts may or may not be novel).


love the medical analogy


The lower level / juniors / new hires probably cut their teeth on the simple exploits, and as they gain experience move on to the more advanced.

Also, the hextuple-agent in me wants to think the simple exploits were leaked intentionally to distract from the whatever-else-it-is-they-don't-want-you-to-know.


I doubt it, I think they hired out of some no name information security firm. These people probably are not the group developing the exploits either. I know if I was in their shoes I wouldn't waste my time using anything fancy, but this whole thing reads like some mid level member trying to create documentation to move up the corporate ladder.

I don't want to rush to judge them because not everyone can be at the top and if it works it works. If I can pop a box using PowerShell, it's way easier than having to develop some kernel level hack. Additionally when anyone's 'private' conversations get leaked they always look like a fool because it shows us being vulnerable and asking dumb questions, but a lot of the posts really do remind me more of the sysadmin who learned some Python instead of the cutting edge of private industry.


This might be true for things like exploits, where every time you use them you stand a chance of burning them, so you're incentivized to keep using whatever's working. But it's not true of rootkit and implant techniques; in fact, the opposite is true: the dumber your implants, the more likely it is that your target will discover you compromised them.


The more likely it is that your target will discover someone compromised them, yes. But finding a DLL injection exploit only says "hacked by someone", whereas finding a microcode-level rootkit in the CPU pretty much says "hacked by a state actor". Which, sometimes is what you want to say (see e.g. Stuxnet), but often not. If you know the first has a 99% chance of going undetected, and the second a 99.9% chance, do you always want to risk the one that pretty much acts like a calling card?


> microcode-level rootkit

There's two ways microcode goes on Intel CPUs. The first is when it gets flashed in at the factory onto an OTP ROM. The second is when it gets uploaded to a block of internal RAM by your computer, every time it boots. That's why packages like this one (https://www.archlinux.org/packages/extra/any/intel-ucode/) exist.

One is set at the factory, one is set by your computer every time, once at boot, before the completion of boot. Also, it's very carefully signed, so even if you managed to put a bootkit before the OS boot, you would need to steal Intel's microcode key.

Microcode is not targetable. Few things at that level are. (A decent example of something that might be more targetable at that level is a hard drive controller. Less difficult but still not easy.) The amount of engineering needed to pull off an exploit that is "99.9% chance" unnoticeable, but still persistent, is much more than that of a "99% chance".

(I know nothing of AMD's CPUs and their microcode, but I'm guessing it's much of the same.)


First of all, thanks for writing this, since I did find the technical details quite interesting. But I don't think this puts microcode rootkits beyond the reach of a state actor. It puts them beyond the reach of a normal criminal attacker, which is actually my point.

Scenario 1: Supply chain interdiction. You don't need to target the CPU only after it has been manufactured and put into whatever you want to hack, you can start way earlier, including at the factory.

Scenario 2: Getting the signing keys from hardware manufacturers, including Intel, seems quite feasible for state actors. You don't even need hacking (I assume Intel's keys are kept air-gapped) or relying on secret court orders, plain old spycraft would probably do the trick.

That said, my argument can be rephrased to consider the hard-drive controller or other peripheral firmware rootkits instead, if you prefer and care only about scenarios where the rootkit must be delivered over the network to a clean system without attacking the CPU manufacturer.


Knowing the NSA got to the SIM cards manufacturer master keys, I wouldn't be surprised if they had Intel's key to forge microcode updates...


The CIA took control of the SIM card manufacturer company through In-Q-Tel years before and willingly sold their shares just before the keys got stolen by NSA/GCHQ.

It was a big deal at the time, known as "l'affaire Gemplus", and it prompted the French government to set up the "Fonds stratégique d'investissement" or strategic investment fund, sort of a French In-Q-Tel.

Intel being a US company it is probable the US agencies have their ways with them.


I wouldn't be surprised if the NSA worked with Intel to design their microcode update mechanism (selecting algorithms with advisements against classified breaches; generating key material and sharing between themselves; etc.) That would serve the NSA's interests in both their SIGINT and COMSEC roles at once.


As an attacker, you have a decent shot at doing UEFI/BIOS level exploits or even going after the Intel Management Engine.

This is why I run libreboot and I neutralized the IME by flashing my BIOS using SOIC-8 chip clips and a Bus Pirate.

I guess I'm paranoid.


Did you really "neutralize" the IME?

I guess you refer to a procedure as described in

https://hardenedlinux.github.io/firmware/2016/11/17/neutrali...

I would say what you did is to "neutralize" the ME firmware part in the flash BIOS. But this is only firmware that the ME loads additionally to load applications like e.g. AMT. The ME has its own internal ROM containing its very own firmware which is inaccessible and can not be modified.

So what you have is libreboot running on top of a still functional IME. All you gained is that you got your BIOS of choice installed, and removed some ME apps from the flash image. Correct me if I am wrong.


In Ptacek's defense (heh), I'm willing to wager those hypothetical detection rates are far off the mark by orders of magnitude.

I'd expect a microcode-level rootkit to run a five-nines success rate evading detection unless used against someone who's paranoid enough to have _something_ in place to detect it, and I'd venture further that the 3LAs of the world are smart enough not to target the infosec-paranoids of the world.


I am sure the numbers are way off, but not sure only the microcode one is. My suspicion is that against most non-intelligence targets, the DLL injection approach is quite unlikely to be found out either, at least once the initial intrusion has been accomplished. In both cases, the implants will likely only be detected if the machine in question is used to stage another attack or exfiltrate data over the network, in which case the level of the rootkit running on the host will matter very little for detection.

Admittedly, the best rootkits probably target the network equipment as well as the host.

At the host level, most organizations wouldn't be able to detect an unmasked trojan running as its own separate user process unless its signature was already known or its behavior caught by a blacklist-based IDS.


The problem doing DLL injections is you are dropping things directly to the disk which is a great way to get an AV's attention. Heuristics-based detection can be a pain in the ass here and you want your rootkit to be able to be 'unique' for every installation if possible.

Also rootkits are way overrated. What you do when you compromise an organization is you open a connection to your C&C on a few machines to keep your foothold if any reboot. If you need to get in you just connect to one of those boxes and just continue on. You never have to drop anything on the hard disk which makes it much stealthier.


I don't doubt your expertise, but I think you're making a lot of declarative and slightly inflammatory statements without supporting them with concrete evidence. Is there publicly available evidence that you could refer to?


> the more likely it is that your target will discover you compromised them

Fair enough, but like the person above said, it can be very important to hide/obfuscate the identity of the snooper. Stuxnet would have been more effective if experts could not immediately point to US/Israel.


According to a recent Wikileaks tweet, this leak is only 1% of the files that they have on the CIA. So most likely, they have many more exploits that are more significant.


So yet another thing Wikileaks (Assange) wants us to take their (his) word for.


Well, they also published those papers you see now.

On the other side, there's an organization that by definition asks you to take them on their word that everything they do is for your own good...


They published the papers with a heavy dose of spin. Remember how the headline contained FUD about Signal and WhatsApp? The released documents have nothing about sidestepping Signal and WhatsApp. That was pure conjecture and editorializing.

Of course WikiLeaks wants ordinary people to be vaguely afraid of using Signal and WhatsApp. End-to-end encryption is very much counter to their goals.


Wasn't WhatsApp all over the news for its "replace the encryption key transparently without notifying the user" feature? Also Facebook.

I don't trust Signal; a centralized service that requires a phone number while pretending to be secure and providing some anonymity is flawed by design and begging to be exploited.


The reporting you're talking about has been widely denounced by actual security experts, with 70 of them signing a letter asking the Guardian to retract its inaccurate story. Your position is about as responsible as saying "I don't trust vaccines, they kill people".

http://technosociology.org/?page_id=1687

Get off the FUD brigade.


It's not FUD: it's just a threat model WhatsApp and those experts do not care for, or alternatively think is worth the UI/UX trade-off.

FWIW, I strongly disagree with this stance: if the recipient's key changes while the message is in flight, that message should never be resent/delivered without the sender's explicit approval. Imagine that Bob is a political activist planning a protest. Bob is wondering why his IMs to a co-conspirator Alice aren't being delivered; Bob's wonder turns to fear when he hears on the news that Alice has been detained. Fear turns into terror when Bob sees his messages subsequently get two blue ticks as WhatsApp happily delivers his IMs to a new phone belonging to the secret police. Only afterwards does WhatsApp notify Bob that Alice's key has changed.
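The design point in the comment above (what a client should do with a queued message when the recipient's key changes) is easy to model. The following is an added example written for this page; it is not code from the thread, from WhatsApp, or from Open Whisper Systems. It pins a fingerprint per recipient on first contact (trust on first use), and contrasts an "auto" policy that re-delivers to the new key and warns afterwards with a "hold" policy that parks the message until the sender explicitly approves or discards. The key bytes, the recipient directory and the `Outbox`/`run_scenario` names are all constructed for the example; no real encryption happens.

```python
import hashlib

# Constructed placeholder keys; a real client would use the recipient's identity key.
ALICE_OLD_KEY = b"alice-identity-key-v1"
ALICE_NEW_KEY = b"alice-identity-key-v2"  # models a new device registering under Alice's number


def fingerprint(pubkey: bytes) -> str:
    """Short hex fingerprint of a public key (what a 'safety number' is derived from)."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


class Outbox:
    """Sender-side queue that pins each recipient's key on first contact and
    decides what to do when the directory later reports a different key."""

    def __init__(self, policy: str):
        if policy not in ("hold", "auto"):
            raise ValueError("policy must be 'hold' or 'auto'")
        self.policy = policy
        self.pinned = {}     # recipient -> fingerprint the sender currently trusts
        self.queue = []      # (recipient, text) waiting for delivery
        self.delivered = []  # (recipient, fingerprint used, text)
        self.notices = []    # warnings surfaced to the sender
        self.awaiting = {}   # recipient -> new fingerprint pending approval (hold policy)

    def send(self, recipient: str, text: str) -> None:
        self.queue.append((recipient, text))

    def deliver(self, directory: dict) -> int:
        """Attempt delivery of queued messages; `directory` is the server's view of
        current keys. Returns how many messages were delivered by this call."""
        before = len(self.delivered)
        remaining = []
        for recipient, text in self.queue:
            fp = fingerprint(directory[recipient])
            pinned = self.pinned.setdefault(recipient, fp)  # trust on first use
            if fp == pinned:
                self.delivered.append((recipient, fp, text))
            elif self.policy == "auto":
                # Re-encrypt to the new key, deliver, and only then warn the sender.
                self.pinned[recipient] = fp
                self.delivered.append((recipient, fp, text))
                self.notices.append(f"{recipient}: key changed to {fp} (message already delivered)")
            else:
                # Hold: nothing reaches the new key until the sender approves it.
                if self.awaiting.get(recipient) != fp:
                    self.notices.append(f"{recipient}: key changed to {fp}; delivery held")
                    self.awaiting[recipient] = fp
                remaining.append((recipient, text))
        self.queue = remaining
        return len(self.delivered) - before

    def approve(self, recipient: str) -> None:
        """Sender verified the new key out of band: pin it; held messages go out on the next deliver()."""
        self.pinned[recipient] = self.awaiting.pop(recipient)

    def discard(self, recipient: str) -> int:
        """Sender does not trust the new key: drop held messages and keep the old pin."""
        self.awaiting.pop(recipient, None)
        kept = [(r, t) for r, t in self.queue if r != recipient]
        dropped = len(self.queue) - len(kept)
        self.queue = kept
        return dropped


def run_scenario(policy: str) -> Outbox:
    """Bob messages Alice; Alice's key changes while his second message is still undelivered."""
    box = Outbox(policy)
    box.send("alice", "hello")
    box.deliver({"alice": ALICE_OLD_KEY})         # pins v1 and delivers "hello"
    box.send("alice", "meet at the square at 9")  # Alice is offline: stays queued
    box.deliver({"alice": ALICE_NEW_KEY})         # directory now reports v2
    return box


if __name__ == "__main__":
    for policy in ("auto", "hold"):
        box = run_scenario(policy)
        print(policy, "delivered:", box.delivered, "held:", box.queue, "notices:", box.notices)
```

Under "auto" the second message reaches the new key and the warning arrives after the fact; under "hold" it stays queued with the old pin intact until `approve()` or `discard()` is called, which is the behaviour the comment argues for.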


OWS never claimed that Signal provides anonymity. The word they use is privacy, which sometimes involves being anonymous, but not necessarily so.

> Wasn't WhatsApp all over the news for its "replace the encryption key transparently without notifying the user" feature? Also Facebook.

Which was a conscious design decision. Not doing that (even for people that had turned on "notify on key changes") would let WhatsApp know which users could be securely MITM'd. Neither is a very good choice, but an understandable trade-off when it comes to security vs usability.


I haven't read overly deep into the documents, but if they have rootkits for the main devices (iPhone, android, linux, OSX, windows) that you are using E2E encryption on they can easily sit between the decryption layer and the user.


Yes, and they can also hypothetically send nude pictures of you to all your friends and family, but that wasn't the headline for some reason.

You can do lots of things when you've owned someone's phone. The big news is that they're targeting phones instead of services.

Given that, it's very peculiar to focus on the services WikiLeaks wants you to be afraid of anyway, when they're mentioned nowhere in the documents.


> End-to-end encryption is very much counter to their goals.

What would those goals be?


Yeah, Assange can go get stuffed. He has lost all credibility with this drips and drabs bullshit in an attempt to keep himself some kind of "celebrity".

Release it and let people figure it out or shut the fuck up.

Snowden is a hero. Assange is an asshat.


Snowden coordinated with Greenwald et al. for years on their "drips and drabs" strategy. Rightly so! The point of leaking is to have a political effect. Those effects are multiplied when leaks are well-timed. I'm glad, because had the leaks that have many people most upset not been so effective, USA would probably be at war in Syria right now.

https://theintercept.com/2016/05/16/the-intercept-is-broaden...


Funny that the Snowden-leaked documents have been released in drips and drabs to the point that only a portion has been made public yet, but for some reason you fail to take it into account.

Also Assange would be Poitras/Greenwald here not Snowden.


Are you implying that he did something dishonest? I can't recall one example even. Although, I do recall a handful of politicians and news stories claiming the DKIM verified emails were likely fake. For example, I remember when Donna Brazile said that it wasn't her who sent the email leaking debate questions. Russians probably broke DKIM, and Brazile was probably coerced into admitting she's a liar.


What exactly are you suggesting? That they defeated modern cryptography or compromised Google to unprecedented degree?


The last sentence was sarcastic.


Sorry! You’ve run into Poe’s law.[1]

[1] https://en.wikipedia.org/wiki/Poe%27s_law


How much of that "99% unreleased" is represented by the stub files:

    ::: THIS ARCHIVE FILE IS STILL BEING EXAMINED BY WIKILEAKS. :::
    ::: IT MAY BE RELEASED IN THE NEAR FUTURE. WHAT FOLLOWS IS :::
    ::: AN AUTOMATICALLY GENERATED LIST OF ITS CONTENTS: :::


You're extrapolating from Wikileaks hyping itself in a tweet and calling the result "most likely".

Find a better justification for your beliefs.


Add to the fact that many systems around the world are woefully unpatched, so the "silly stuff" still works against them. I've done a lot of work outside the U.S., especially in 3rd world countries, and it's astounding how outdated much of the IT infrastructure is. We're talking entire networks still running pirated Windows XP and Vista.


Definitely correct, they are not stupid. These tools are more of a "keep it around in case we need it" type of thing.

The CIA works abroad, not on American soil, so none of these tools are being used against the American people anyway (that's the NSA's job). I imagine this is part of a network or "library" of exploits they have, in case they encounter say a North Korean laptop with Windows 98 and they need something in a pinch.

>doesn't mean that there aren't more units

Exactly, that's why they call it a "leak" and not a "turn the hose on full blast."


"The CIA probably isn't stupid."

I don't think you can underestimate how stupid these big bureaucracies can be.


Perhaps, probably, etc.

But never underestimate your opponent, and all that...


> Also just because some information got leaked, doesn't mean that there aren't more units / projects at the CIA where maybe the more skilled people are working and where the "good" attacks don't get leaked.

Actually the vault7 leak is the first in a series and it is clearly stated that this is only a portion of the CIA tools:

> Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. (..) The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.


Can anyone confirm if 'the CIA lost control' refers to the August 2016 Shadow Brokers / Equation Group auction? At the time I recall the tools being attributed to the NSA however it seems to fit the timeline ...


Maybe the simple DLL can be installed without privilege elevation. Simple to use.


Technically, there is absolutely nothing impressive whatsoever in the archive released yesterday; I went through the entire thing. Relative to the Snowden leaks, the CIA tools look benign. The biggest difference between the two sets of leaks (and subsequent NSA revelations), however, is scale & automation. NSA's tools are built almost entirely by contractors. The 'hacking' tools are integrated with deployment tools, as well as data collection.

For example, say I work for the NSA and I want to see Bob's desktop wallpaper. I already have some generic social network information, as well as ISP info on Bob, and he has already been assigned a 'selector,' which I use to query Bob's information, which was gathered from all sorts of sources. Assuming I don't already have a RAT or similar installed on Bob's computer, a further step is required. The NSA has many redundant attacks entirely automated, and most of the massively successful attacks require some sort of MITM attack.

Schneier released a video (on October 26th 2016, I think - if not real close to that date) of some sort of intelligence meeting he spoke at, with just a handful of people, where he claimed he was going to bring something to light that had not previously been revealed anywhere in public. He revealed that the majority of home routers in the U.S. (commonly believed to be the ones provided by ISPs, which run a custom Linux distro, with half a dozen internal subnets; mine runs on Arris hardware, has full BusyBox, and used to contain a root pivot script that was previously accessible via ssh, on an accidentally unsecured network interface, within an obscure IP range, whose shell login turned out to be the commonly available Arris rolling code ('arris pw of the day?'). The embedded Linux running on the device is based on the "RDK project", as are the DVRs and modem/router combos from a variety of other ISPs. Supposedly this is patched (for Arris) but I haven't attempted any further investigation since August 2016. I believe the backdoor was simply a poorly designed interface between the router and the technician GUI software.) Sorry for the unnecessary details, but I've already typed it out now.

Schneier revealed that these routers (he never specified which, but said they are everywhere) are referred to by the NSA internally as 'diodes'. The diodes are used (automatically) to provide better proximity to other users, not necessarily the target, where the plethora of attacks are then executed from. The initial development costs are immensely greater than those of the CIA's, much easier and cheaper to use by the lay person, and are more carefully controlled / depend on the system hosted by the NSA. While proximity attacks are not the only method of intrusion/full control, the next best, or perhaps better, alternative is Acidfox, which is often delivered via email/browser, and requires user intervention.

Clearly the NSA is leaps and bounds ahead of the CIA in terms of sophistication, as well as control/oversight, as you can't just walk out the door with an archive containing 75% of their tools (they depend on infrastructure). The CIA attacks depicted in the Wikileaks archive almost all require manual intervention, are less reliable, and 'janky' as hell. The CIA has a record of using their tools for less than honorable/legal purposes (which may be further elaborated on, depending on what goes down with the Trump wiretaps); either way, the CIA hacks seem like a waste of time and money (5000 employees at the consulate in Germany) and redundant. The CIA must be able to utilize the NSA's vastly superior technology/information after receiving a warrant, which makes the motives and means all the more suspicious.

Who knows what will come out, but one thing is for certain: there will be a lot more information revealed pertaining to the illegal, unwarranted, for-personal-gain sharing of their tools with ex-employees and contractors, in the coming weeks. I could go on for ages on this stuff, but I usually just get instantly downvoted, and I'm not providing sources (as it's all from memory [pro memory], but it's all easily duckduckgo-able [or google]). There are certainly more sophisticated employees and programs at the CIA (obviously), but I have a feeling that the shindig over in Germany consists mostly of this sort of thing: cheaper, younger, less experienced kids, copy & pasting junk together, customized and deployed on a case by case basis. I also have a feeling that the reasons Obama set that up are going to be an interesting narrative which we will soon watch unfold. (hint: 7th floor group; aka 'shadow government')

P.S. I refuse to go back and grammar check this monstrosity.

Edit: Maybe someone can answer this question for me. So from the Snowden leaks, we know the extent of the NSA toolkits and the requirements which need to be met to utilize them. Now we know some of the CIA's capabilities, and after Apple refused to unlock the San Bernardino shooter's iPhone, we found out the FBI was playing some sort of politics, by claiming that justice might not be served without Apple's intervention, and proceeded to publicly shame the ethical position Apple took. So why on earth was Obama trying to force Apple's hand in that matter? As soon as Apple said no, the FBI somehow found the single magical person willing and able to defeat the privately enhanced security of the shooter's 5S? Makes no sense to me.


Thanks for sharing. Consider breaking it up into a few paragraphs to make it easier to parse.

The most interesting tool I found in the leaks was the bug that jumps airgap to make Nero burn trojaned binaries. If we see more tools like this come out of the woodwork, it shows that the CIA is at least in some ways keeping their teeth sharp.

I believe that the FBI and Obama both played politics for a few reasons, namely:

- Obama and the FBI probably withheld a reasonable amount of information from each other regarding the case

- This was all a charade to bring the topic into the public sphere. It backfired, but the aim was to allow future high-profile cases on which concurrent evidence trails are harder to establish. Once it backfired, Comey came out with a public letter admonishing the American people, comparing us to children. He stated that with Rule 41 coming into effect, the FBI would use its expanded powers to collect information for the following year. They would then use that information in an upcoming "adult conversation" the FBI wishes to have with the public about the future of open, libre encryption.

We should be expecting that "conversation" to take place this year. And I don't expect it to be much of a dialogue so much as a monologue. I expect the FBI to either directly or indirectly (through Wikileaks, etc) release information that "proves" that backdoored encryption and its inherent reduced security is necessary for public safety. There is a saying we all know and love about the merits of this particular trade-off.

I'm certain the FBI always had that contact on standby. They probably received multiple unprompted bids from various hacking companies during the public run of the case. They wanted to flex how much pull they had over a giant like Apple. Even though they seemingly failed, they came out with a huge data point: The American people need further brainwashing and ideological shifting before attempting a full coup over libre encryption in America.

I hope that things make a little more sense now.


I don't think they wanted to flex muscle over Apple, I think they were trying to build case law for situations like this. Also breaking into a phone with an exploit like this is expensive and if they have an exploit, they might not want to publish that they have it in the future so having the backdoor provides deniability even if it's fundamentally dumb.

/puts on tinfoil hat

There is also the other option, which is that trust in American tech companies has been sketchy at best following the NSA leaks, and this was a chance for the Obama administration to allow companies to reestablish some legitimacy when it came to security by making the US government look evil but having the corporations 'prove' that they are not backdoored by the NSA. They can still break in the covert way, but it makes it look like tech companies are not as compromised as the NSA leaks would suggest.


/puts tinfoil hat

They might also have used the whole stunt as a way to inform the public that they have the capability, so that next time around the interview goes "look kid, we do have the capability to unlock the phone, but it's costly, nasty, annoying for everyone involved and will put your refusal in a very very bad light in front of the judge and jury, so why don't you just give us the code and we tell the judge you cooperated?"


To be frank, the whole concept of "plea bargaining" in US law is a vulnerability, broadening the attack surface for many otherwise less harmful vulnerabilities.


Yeah! If only we could make the courts and the wider legal system cheaper.


Interesting, hadn't thought of this, nor the previous comment's theory.


Hadn't thought about it like that. Interesting. Was too late to edit when I saw your comment. Unrelated: the most interesting thing to me, of this nature (from the Snowden leaks), is known as 'RAGEMASTER;' an RF retro-reflector built into a VGA cable (deployed by intercepting packages between computer supplier and target, I believe) which allows the NSA to observe the contents of a VGA signal remotely, using radar, and subsequent re-modulation and sync of the signal. Totally bizarre.

Edit: https://leaksource.files.wordpress.com/2013/12/nsa-ant-ragem...


This comment with paragraphs:

http://pastebin.com/raw/EgaH3WSh


Thank-you. That wall of text was impossible to read.


This is just the exploits that contractors were given. There's probably another set of more carefully guarded and important 0 days. Given how easily these were passed around this was most likely a cache of common exploits used every day on regular operations. Huge deal if compromised, but not all the keys in the kingdom.


I'm 1000% sure that's the case (though I'm not sure CIA is the group that has them).

The FBI --- our domestic intelligence agency --- has been doing kernel keyloggers since at least 2003.


Name the groups?


I won't name them, but you can filter their names by regex: /^[A-Z]{3}$/


I suspect the CIA is doing these primitive basic attacks for one reason: they work a lot of the time. CIA likely doesn't use ONLY these attacks (and the more intricate ones are probably run by a different group), but I mean, c'mon, buffer overflows and SQL injection are STILL effective venues of attack. Why give up on something that works just because there are other, stronger, tools? This lets you reduce risk of your involved attacks being caught - use them less often. Meanwhile, you can get 80% (made up number) of your targets with "silly" stuff, and only bring out the big guns on the 20%.

All speculation, of course.


If it's stupid and it works, it's not stupid.

Simple attacks are often (sadly, still) the most effective.


This is literally exactly what they want you to think. The CIA is smarter than you, and they have a lot to gain by misleading you otherwise.

Some of the most talented software engineers in the world work intelligence, and they can write better than you, exploit faster than you, debug more thoroughly than you, etc.

State intelligence is especially dangerous and devious. The average security researcher doesn't stand a chance, much less the average basement hacker.

Understanding what the CIA does and why they do it is designed to be more or less impossible from the outside. It's the nature of intelligence really, to be incomprehensible from outside the sphere.


Lol. I'm sure that there are people at the CIA / NSA that are much better at software than me, but I highly doubt it's pervasive.

I read the Snowden leaks. I know what type of tools they're using. I know the type of holes that their public facing infrastructure has. I know the type of holes that their government officials that they're supposed to be protecting have. I know how fucked the security environment is right now. The CIA doesn't even use HSTS or CSP headers for fucks sakes (lol, they get an F on observatory.mozilla.org) so we are not dealing with an organization of godlike power.

These people work in a bureaucracy. Some of them are geniuses that write Stuxnet or break HTTPS ciphers, most are not. Most are DLL or SQL injection kiddies. Or they use grep to filter emails.


Do you think they let contractors like Snowden just cat whatever they want? I'm not saying he didn't go digging, but I'm sure it's just the tip of their iceberg.

I didn't mean to insult your prowess or whatever, but people gotta understand the level that they operate at. It's insane.


The CIA is just a collection of people. People that make mistakes. People that have emotions and whims. People that have families and children. People that want to go home at night, take sick days, and go on vacation. There is a natural limit to what the CIA can do simply because they need humans to do it.

I don't think there's much more to the CIA than what's in these leaks. To do anything more, you'd need tens of thousands of people and huge server farms. You can't hide that stuff.


>Some of the most talented software engineers in the world work intelligence

I truly doubt this for a multitude of reasons, but pay alone suggests otherwise.


Some of the most talented work intelligence but not necessarily for an intelligence agency. AFAIK those guys come up with 0-days and put them for sale on the open market where all kinds of bad guys buy them, not only the intelligence agencies (who are bad guys themselves).


Somebody needs to go to the library and rent Legacy of Ashes.

http://www.nytimes.com/2007/07/22/books/review/Thomas-t.html


> 2017

> new cuck times

Hell no.

I'm very familiar with business intelligence, and I'm somewhat familiar with govt intelligence though I've never actually filled a contract or anything, I've spoken with plenty who have, and have worked with a few as well.

The intelligence universe is completely parallel to the rest of the world. People just don't get it.


The CIA may just not need that much for 80% of their targets. We aren't talking about top-level security experts. The CIA might use these tools on very low-tech focused threats. The mere fact that they focus on Samsung smart TVs tells us something about their targets. What person serious about security would have a TV that even had a chance of recording their conversations if it was hacked?

For the other 20% of targets who are serious about security (high-level government actors in countries that can invest a lot of money into serious computer security), the CIA probably has a bunch of high-level tools that were not leaked.


Why would they use more sophisticated tools than required? There are no style points to be had.


It's not about style, it's about ease of detection and circumvention. The marginal cost of using tools that don't have the flaws of a userland DLL injector is zero.


It's not. Every time you use a tool it's an opportunity for it to be detected, and if you are going to lose one it would be better for it to be one that you don't care about that much.


One must not cast a bigger bet but a better one.


Maybe the higher quality work just hasn't been leaked (yet)?


It's government work. It's probably a lot more fun to work in the private sector, which surely results in some skill discrepancy. It takes a lot of effort to get secret clearances, too. So I'm not sure there is higher quality work, at least in the CIA. All the talented hackers with inclinations to become a blackhat probably want to work for the NSA.


There are aspects of information security that I think the government is behind the private sector on, but there are others where they are way ahead. There are whole classes of technology that are fun to work on for which there is basically no private sector market, because very few companies need those sorts of things, but for which there is a thriving government market.


Certainly. I just meant that the CIA seems less likely to have that than the NSA or the FBI. But admittedly it's an uneducated guess.

Could you expand on why you feel the CIA in particular would have high-quality remote exploitation capabilities? Assume a talented hacker wants to join the government. Why would they choose to work for the CIA and not the NSA or the FBI?

I'm not saying the CIA does second-rate work in general, but perhaps their remote access work is second-rate in comparison to the NSA/FBI and to the very talented echelons of the private sector.


Or the CIA is intentionally leaking obsolete techniques to deflect attention from the good stuff...


Or maybe they really are incompetent. The whole dump reads like a group of sysadmins trying to wrap their head around the basics. Their targets probably don't need anything on the cutting edge either so anything good they can just hold onto until they need to blow it on an Iranian nuclear reactor.


> The whole dump reads like a group of sysadmins trying to wrap their head around the basics.

That was exactly the vibe I got from the leak as well. I don't know why people are going crazy over this, thinking Notepad++ or all Samsung SmartTVs are backdoored.

Who knows, maybe LD_PRELOAD is also an amazing method to hack programs?


There is a case to be made that you only need to be good enough to get in. I myself am not nearly at the level where I could write a hypervisor exploit even though I have been in the industry for a while. However I feel pretty confident in my ability to break into almost any company if I set my mind to it. Fancy exploits are just things that take time to create, and if your super great payload gets flagged by FireEye down the line you might have just wasted a ton of time for no other reason than showing off if PowerShell would suffice. So I guess I am torn on this because I don't want to flame the sysadmins turned security people for not being a top speaker at Black Hat or CCC because I myself come from that background, but on the other hand I think I should expect more quality work out of the CIA than what comes out of infosecinstitute. If this is the average of the CIA I really think NCC Group might have more capability than the intelligence agency of the US government, which is kind of crazy to think about. I am sure they have some really great zero-days that they save for very important projects, but I doubt we will get to see the same level of capability that we saw out of the NSA leaks.


This is a very real possibility. The CIA has admitted to Congress that they have operatives in US magazines, and refused to answer if they have operatives in TV:

https://youtu.be/U1Qt6a-vaNM?t=2h30m35s


Or leaking the ones they know other nations are using.


Exactly, they could be doing some kind of hacking tools rotation by burning all the ones which are most likely to get patched shortly because they have been reported, thrown in with a mix of obsolete tools which have already been replaced by more efficient attack vectors, and at the same time burning a big bag of tricks for all the other nations already using these vectors or in the process of developing such techniques/tools.


That's my point.


Apparently, the first leak represents less than one percent of what they have... so they probably didn't leak the most damaging stuff in the first leak.


>I don't know why the CIA has this team of people bumbling around with DLL injectors and AV bypasses.

Got to have something to spend the budget on to ask for more next year?

Maybe they are just trawling and they have more skilled people pick out the wheat from the chaff or combine exploits. It would make sense if there are some bigger picture people directing the contractors. A library of low-level shit might be useful if you're building entire frameworks.


Strong currents push to classify work. Structures like jetties and piers oppose declassification.

Silt builds up at classification boundaries. You should expect to see a bunch of S crap that can't get to the TS tools, TS crap that can't get the compartments needed for the great tools---all in service of not devaluing the tech.

This was the U silt pile.


This leak does contain classified content, it seems.


Doesn't that suggest that there are other attacks and exploits that the CIA potentially has that weren't leaked?


WikiLeaks claims to have leaked less than 1% of their material.


Yes. That's my point.


And you seem like the last person who should make the all-or-nothing security fallacy. Just because fancy rootkits exist doesn't mean we shouldn't protect ourselves against the easy stuff. Isn't your argument basically either turn your threat mitigation up to 11 (nation state badassery) or give up?


Those topics you list make for cool presentations, but at the end of the day some poor schmuck does have to write that "capture the phone calls from Skype" and "exfiltrate the IM messages" code. That super-meta rootkit certainly isn't doing it on its own. It's boring, there is probably XML involved, but so is that CRUD web app that is rewritten a thousand times over on every continent of this planet.

DLL injection seems like a perfectly fine hammer in the toolbox for that purpose. Nobody is claiming that they are using it for anything more than targeting specific applications once they have already gained system access. How they got that access might make for more interesting documents.

The CIA is in the business of obtaining information, not malware research.


Would you say that Black Hat talks are representative of the state-of-the-art of malware? Or is it likely that commercial spyware/malware/rootkit authors know "more" than what's presented at Black Hat (or a similar conference)?


Isn't the main difference complexity and sophistication? You mostly see PoC type work at conferences. What organizations can do better is integrate multiple exploits and relevant intelligence to architect a targeted cyber weapon.

What's impressive about things like Stuxnet is the amount of work and coordination it must have taken to make it. The actual techniques were rather unremarkable.


In my opinion, typical PoC academic work tends to underestimate the actual effort required to execute an exploit, and sometimes even describes exploits that can only ever occur under very stringent conditions.

Didn't Stuxnet involve backdooring Siemens PLCs? I find that pretty remarkable. In general, extremely sophisticated exploits that target critical infrastructure require attacks that haven't already been considered, be it for delivery or execution.


Good point - just because people aren't talking about it doesn't mean it's not happening.


It could be disinformation.


That's my bet also.


> I know it's annoying to hear this, but I'm going to keep saying it: this stuff is silly. The DLL injection stuff in the CIA leaks should embarrass the CIA.

Are you calling Notepad++ or the CIA silly, here?

If the first case (which I assume), you're comically missing the point yourself, which is a big middle finger to a hostile government agency. This is international Open Source software, used worldwide, that has taken a stance against US politics before (export restrictions).

So yeah maybe it is to embarrass the CIA, but not quite in the way you describe.

By publicly releasing this "fix", they're making a noise calling out LOOK WHAT THE CIA IS DOING PEOPLE, instead of shrugging "eh, is that all, I sure hope they got better exploits from my tax money" and "gosh I wonder why whoever released all this is angry with the US or something, I bet it's cause they're biased".

Now there's a public post on their site, on record, being shared everywhere that says BUGFIX BECAUSE THE CIA ACTIVELY TARGETED OUR SOFTWARE, so that people know this is no longer some "'They' could potentially do X and Y" but that it's actually happening and in this particular case "They" are the CIA.

I think you understand perfectly well how this sends a very different message to a very different (broader) audience than the (admittedly much more serious) revelations at Blackhat conferences. You remember that all these serious capabilities have been around for a long time, but the public didn't really take it seriously because many people believe "they wouldn't really" or the attacks were surely theoretical or otherwise we'd hear more about it, right? Or even when the capabilities have been right there, clear as day, for a decade, to actually assume "They" are really listening on your Samsung Smart TV's microphones (or you name it), has been flat out conspiracy nut territory or at best you could say "surely they only deploy these capabilities on a very small, targeted scale, responsibly".

And now they're not. We know it's happening. New proof of new scandalous breaches of privacy of individual indiscriminate members of the public comes out every other month or so. The whole world knows that the US/UK surveillance apparatus has spiralled out of control and is surveilling, spying and collecting data on everyone, everywhere. To say now, let's not make a big deal out of this because it just confirms what everybody could have known all along, is an idea that should have its motives questioned (by which I mean, you should maybe ask yourself, not that you're doing it deliberately).

Does Notepad++ really believe that with this fix they've successfully defended their software against CIA (or other gov.actor) exploits? Of course not. But they do get to make a big fuss out of it. And that's important too. If the police beat you up, is that something to make a big fuss out of and try to fix and make sure they don't get away with, even if it doesn't help with them still getting away with actually shooting people dead elsewhere? You can argue about that, but I wouldn't call it "silly".

Are there now people who will think "phew at least now Notepad++ is protected against CIA hacks"--well, probably, quite a few. But you're not addressing or helping those people by talking about Blackhat and hypervisor rootkits.

(... and if it's the second case, "silly" is a bit of an understatement given what these people have been up to the past half century or so--it's not actually quite as funny as in the film Burn After Reading)


It may be silly, but people need to keep hearing that the CIA is doing an end-around the Bill of Rights.


AFAIK, Wikileaks hasn't asserted that the CIA is using these exploits against American citizens, as surveillance of American citizens is not the CIA's mission. Moreover, it is not illegal for the U.S. government to use exploits for surveillance of citizens. The FBI has been tapping phones for a very long time now.


Are they? If so, we may have finally reached the point where the Bill of Rights (as fantastic as it is) no longer can adequately address modern abuses and communication patterns. Remember that the American agencies aren't the only intelligence agencies in the world.

Sticking with the CIA, though, let's say we apply the Bill of Rights in its most stringent interpretation; then the CIA can't hack into anything that any American might use to communicate with, without an American warrant. That would be totally unrealistic, and the result would be no tech toys for the CIA. They would be at a significant disadvantage compared to other intelligence and manipulation agencies around the world.

Or perhaps another spin on it... does the Bill of Rights apply in the case where an ISIS combatant is firing on a US Marine, where the combatant happens to be an American? The Marine won't know that, and will treat them as a combatant. The Bill of Rights doesn't seem to apply in this case. Given that to be the case, then should the Bill of Rights apply where the CIA is hacking into equipment that a non-American is using and might use to communicate with an American?


Perhaps this really shows the inherent problems in the assumption that human rights are contingent on citizenship.


> Remember that the American agencies aren't the only intelligence agencies in the world.

But they (US+UK) are the agencies that have been allowed natural access to the infrastructure and resources required to implement surveillance on such a global scale. So much so that other intelligence agencies are making deals to get access via them. So, say, the Dutch AIVD: they don't have the majority of Internet data flowing through their territory (with nearly all large tech companies being US, clouds, browsers, software etc.) so they can't directly abuse this access, because their scope is limited; unfortunately they can still trade for it because we have two nice big ports with transatlantic Internet cable connections (unless we already traded US access to those for something else, I don't know). So sure, they're being bad, but they're also limited, and they're not the root of the problem.

The US and the UK are in a very unique position for global Internet surveillance.


But that's a social problem, and there are no (purely) technical solutions to social problems. The tree of liberty does not need to be refreshed from time to time with stricter DLL search paths.

If Notepad++ wants to push an update that fixes DLL search paths purely for symbolic reasons, so that all their users are aware of what the CIA is doing by seeing the changelog, that's another thing entirely, and yes, I agree that's useful.


> If Notepad++ wants to push an update that fixes DLL search paths purely for symbolic reasons, so that all their users are aware of what the CIA is doing by seeing the changelog, that's another thing entirely, and yes, I agree that's useful.

Of course it is. Notepad++ is an international project and these reasons are exactly why I upvoted this story.

(I'm honestly a bit confused as to what other reason one could come up with that is not an insult to Notepad++ developers' intelligence--"There, we fixed the DLL inject-y thing, finally now our users will be safe from CIA hacks"??)


Nah, the simple reason is a straightforward, almost-apolitical "Someone found a bug. We were doing something wrong. So we fixed it."


But that's not what happened (the release note's text was boldly political), I'm not sure what your point is any more :) I think we're in agreement anyway.


The cynic in me would assume this is a well played game. Look at us, we can't even use Vi properly, and we use these unsophisticated attacks to break your defenses. Nothing to fear from us, don't worry...


We have not agreed on many a topic... but I just want to say; I love you and keep doing what you're doing (PROVIDED you're not perpetuating the Deep State) - but yeah, you're sound and I will still keep calling you 'Patrick'


>Here's the rootkits track from Black Hat 2008 --- keep in mind that this is almost a decade old and that it's public work

So, yeah, we're fucked, yes?


> Just like knowing the lock is useless for people who are willing to go into my house, I still shut the door and lock it every morning when I leave home. We are in a fking corrupted world, unfortunately.

He fucking nailed it. This is what all of us are feeling. It's almost like, we are collectively being punished by trying to make shit more secure. It makes me dysphoric with hopelessness.

I can no longer proudly claim the West is free. We are living in a surveillance state. It's going to be hard to point fingers at other authoritative regimes around the world using the same tools.

I sometimes feel as if the West is a giant hypocrisy because of the double standards it upholds but relatively better than its counterparts. Lesser evils.


I can no longer proudly claim the West is free. We are living in a surveillance state.

That's a little disrespectful to those who actually lived in surveillance states. Is your neighbor watching you, ready to report you to the state for suspected subversive activities?

Even if you were engaged in actual subversive activities, like reading and publishing terrorist propaganda or selling drugs at scale, Tor makes it possible to do this with relatively little risk to yourself. It's still risky, but nothing like it used to be. And even if the government knows that you do these things, how much of a threat do you need to pose before they'll act against you in particular? The governments of old would routinely act against large numbers of their population for far less.

I'm not arguing for complacency, but it's important to keep perspective.


"If you see something, say something" is an actual campaign run during the last administration. It wasn't taken as seriously as what you mention, but the same spirit was/is there.


This is the slogan of a post-9/11 (and ongoing) MTA campaign that's been borrowed by the Department of Homeland Security and many other agencies around the country and the world since.

I believe the original intent was mostly about reporting unattended bags that could contain bombs, not reporting your neighbor for hosting a socialist book club or whatever. Obviously it's vague and broad enough that it could be bent to more sinister purposes though.


No need for the neighbors to report subversive activity when everyone is already self-reporting all this information online, both publicly and in not-so-private private communications.


>"If you see something, say something"

Perhaps a slightly different context but I have heard this almost verbatim a few days ago on buses and trains in Birmingham, UK.

If I'm not mistaken too, I believe that "If you have nothing to hide, you have nothing to fear" is also something the Govt used a few years ago.


"See it, say it, sorted" is the current British Transport Police campaign:

http://www.btp.police.uk/latest_news/see_it_say_it_sorted_ne...


I think the current "If you see something, say something." is specifically targeted at child abuse. At least, that's how all the adverts make it sound.


Australia ran one of these campaigns recently: https://www.youtube.com/watch?v=FXxgclr7J9g

The content of the ad includes someone looking at someone's trash, seeing some common chemicals and assuming they are making a bomb.


..and you still see this exact phrase on trains and buses in both the US and UK.


"If you see something, say nothing, and drink to forget"


"Is your neighbor watching you, ready to report you to the state for suspected subversive activities?" No! Because there is no need for them (three letter agencies) to hire your neighbor when they can "hire" your smart TV.


Exactly. Your neighbor doesn't need to report on you, because you do it yourself with the bug in your pocket that records every word you say and every move you make.


"That's a little disrespectful to those who actually lived in surveillance states."

No it's not, and I highly resent this argument. It inevitably ends up with, but it's not at Stasi levels... yet... When in truth what we have now would have made the Stasi have wet dreams! So stop it with this variation of affective fallacy already. Even if it was, somehow, disrespectful, which I don't think it is, even if it was, who cares? It doesn't and shouldn't change the conversation whatsoever. We are having a discussion about the current state of our mass modern surveillance engine, not about any other time in history (though they might be relevant to learn from).

Also, at this stage, if we don't talk about the potential before it gets too bad, we won't be able to stop it. Binney and Drake both refer to the current state as the "turn-key totalitarian state", and Drake for example got his start spying on East Germany during the Cold War! As a matter of fact, if anything, I would find it to be highly respectful, for we are trying to prevent a similar fate those before us have failed to prevent.

"Tor makes it possible to do this with relatively little risk to yourself."

Nope, when they own enough fiber backbone nodes owning the Tor network becomes much less non-trivial. Also, targeting Tor Browser 0-days, along with, as we can see from the NSA and CIA leaks, direct compromise of the machine, make Tor not nearly as useful as a tool of anonymity as you seem to think. (Still useful, don't hate me J Appelbaum...)

"how much of a threat do you need to pose before they'll act against you in particular?"

Easy, all you need is to be effective and credible. It's been seen time and time again, since COINTELPRO and on. If you are just ranting and raving, maybe doing a protest or two, no one gives a fuck (other than to enter your name into a database somewhere). The second your protest actually starts doing something, or your dissident political campaign effects change in some way, that's when you become a target.

"The governments of old would routinely act against large numbers of their population for far less."

What's your point? First of all, with the surveillance engine storage, there is nothing to prevent the sudden repeal of ex post facto and suddenly they start walking the cat backwards 5 years, en masse, against any potential dissidents. Remember there are over 1.1 million Americans on the "Terror Watch List", with no transparency of how they got there or any recourse to get off.

You say you aren't arguing for complacency, only for perspective, but your rhetoric does not match your claim.


There's a big difference between "we are living in a surveillance state" and "we are on a slippery slope to a surveillance state". A huge obstacle in getting more of the populace to care is the fact that many people who do care (and especially those who write and talk most often about it) seem to think every millimeter of hyperbole and lies in the "right direction" furthers the cause. Ask the Democratic party how that strategy works out in the end.

Internet manifestos like yours or ones that end with "I can no longer proudly claim the West is free. We are living in a surveillance state." empirically don't do shit except help convince people on the sidelines that people who care about the formation of a surveillance state seem to be kind of paranoid.

Actually want to get people to care? Talk about very well substantiated examples that touch things most people are familiar with. It's not like Snowden failed to give us a wide selection. Even if COINTELPRO's soul sequel is in place, you're better off going with a soft sell that hits closer to home than a hard sell that fewer people will identify with.


> There's a big difference between "we are living in a surveillance state" and "we are on a slippery slope to a surveillance state".

Indeed. The first is the state of matter and has been for quite a while, the second is wishful thinking.


As long as you can post that without any worry of jackbooted thugs kicking down your door, there's a very real distinction whatever terms you want to use. Keep up that virtue signaling though, I'm sure it'll help even though it hasn't before.


What does "jackbooted thugs kicking down your door" have to do with "surveillance state"?


Because if it were a real surveillance state, there would be jackbooted thugs, and the fact that I can say this proves that I'm not Scottish.


>but it's not at stasi levels... yet...

Totally agreed. This kind of argument is almost always provided in exasperated language that invokes the No True Scotsman fallacy.

Do we really need to wait until it 'x bad' before it's ok to say we have a problem? And if so, who gets to define 'x'?


> No it's not, and I highly resent this argument.

Take a step back before exploding in rage at what should be a polite discussion on the internet.


@sillysaurus, it also saddens me when Westerners shrilly dismiss their countries as corrupt or undemocratic when, if they just looked around at the rest of the world, they would see how much they have, which they ought to be proud of and protect. But there are two caveats:

First, the west is freer than the rest because it is more able to criticize even the little things.

Second, electronic surveillance is no longer even one of the little things. It happens out of sight, and mostly out of mind, so authorities now act without the kinds of restraint usual in the West. And rich Western governments are actually more capable of this sort of thing than most others.


Fact is Western countries are not democracies or even close to being democratic, never were (Switzerland has some democratic components), and Western governments are increasingly corrupt as it is a part of the end of the life cycle of empires and civilizations[1] as shown by history.

[1]: The fate of empires and the search for survival by Sir John Glubb


Phew lad. You're a bit far gone aren't you.


> Is your neighbor watching you, ready to report you to the state for suspected subversive activities?

This is possible and more probable than it used to be a couple decades ago. But it's more under the guise of "terrorism" than subversion nowadays.

And it's not the neighbor but the middle man between you and the people you interact with online that is doing the surveillance (ever heard of Facebook? Google?). It's been a little while now since we've entered the surveillance capitalism society and it is dealing with subversion through behavioral prediction and modification.

It's already in use, one example is police in California.


> That's a little disrespectful to those who actually lived in surveillance states. Is your neighbor watching you, ready to report you to the state for suspected subversive activities?

Surveillance state comes in a spectrum. Not being on the worse end doesn't mean you can't complain.

That's the argument surveillance states use "sure we do these things, but it's not like we are full-on like <insert worse country here>"


I feel it's the same fallacy as saying to a child "eat because others elsewhere starve".

Also Don Ho (NPP's author) is from China. (Studied and lived most of his life in France though, so in my books he's French)


Is Facebook your neighbor?

Are you sure? How long do you spend talking to your neighbor each day?


It's always been true that you have to watch what you say when you're in public. Even still, you're free to criticize the government as much as you want on Facebook. Not so in a surveillance state.


But if you're effective in that criticism you'll get harassed or attacked.

See Jacob Appelbaum, Laura Poitras, Glenn Greenwald among others. Journalists, filmmakers, programmers, doesn't matter. The point is that if you don't move enough, you won't really notice the chains.


You got your definition of a surveillance state wrong.

> A surveillance state is a country where the government engages in pervasive surveillance of large numbers of its citizens and visitors. https://en.wikipedia.org/wiki/Mass_surveillance#Surveillance...

Ever heard of Snowden instantly stopping the conspiracy theory accusation by releasing internal documents showing it was actually happening?

Surveillance state is not about what you are able to post on facebook. The modern surveillance state welcomes this kind of public posting, it provides data for behavior control through behavioral prediction and modification.


Not true. US citizens may criticize the US government, but it is illegal for work visa holders (such as H1B holders) to protest or criticize the US government.

Thus, an H1B holder in the US may need to remove from Facebook any friends who become protestors in case they are asked to hand over their phone at a border crossing.

This represents a material loss to Americans in the Facebook context.


Not true. US citizens may criticize the US government, but it is illegal for work visa holders (such as H1B holders) to protest or criticize the US government.

That is absolutely 100% false. There is no law or regulation that prohibits anyone, including work visa holders, from criticizing the government. I'm floored someone would even think that.

I'm honestly curious what led you to believe that?


Because until recently I was an H1B holder and was specifically ordered to not take part in any protest as part of the fine print in the visa. One of the luxuries granted to a green card holder is the privilege to protest (and fund politicians). Also, immigrants (green card or not) may not "undermine the US government", whatever that means. This is attested to during the immigration interviews.


There is a big difference between sedition (undermining the govt), and not being able to "criticize the government." Perhaps there is some nuance there that confuses H1Bs for whom English isn't their first language.


The point is that the interpretation is up for significant abuse.


There need not be a law. The simple fact that US CBP can (and did) ask you to open your social media accounts and browse through implies that what you post on social media can act against you.


We are not talking about Customs and Border protection, we are talking about speech rights for legal residents already in the US. Citizens and non-citizens can get screwed entering the country.


I don't know about this matter in the US, but it seems to me there is no need for a law or regulation to revoke a visa arbitrarily. There are countless reports of this kind of thing happening at the border; some have even been confronted with screenshots of their private Facebook messaging.


I don't recall this particular rule. Not saying that you are not correct, but sources would be helpful. I wouldn't be surprised if that were there; there are all sorts of silly rules for visas, especially work-related ones.

Now, even if it's not illegal, I'd say it's _unwise_. Leave the protesting to US citizens, as they are afforded more protections.


> That's a little disrespectful to those who actually lived in surveillance states. Is your neighbor watching you, ready to report you to the state for suspected subversive activities?

Not really disrespectful. It is a valid concern that what others had to suffer could be a real future potential, realized through technological means. The human reporter is taken away from the equation. But I get where you are coming from, having experienced this second hand.


>Is your neighbor watching you, ready to report you to the state for suspected subversive activities?

Maybe not to the state, but neighbors are absolutely watching neighbors ready to report to the court of social justice for suspected undesirable opinions. This has led to people losing their families and careers for views that other people disagreed with.

Remember it's not the judge that decides if you're guilty; it's the jury.


> That's a little disrespectful to those who actually lived in surveillance states. Is your neighbor watching you, ready to report you to the state for suspected subversive activities?

What's worse, if your neighbour consented to watching you and is actively reporting, or if the surveillance state doesn't even need your neighbour's consent to watch you because these neighbours (and family, friends, partner, etc) are all on Facebook, voluntarily carrying GPS-tracked recording devices everywhere they go, even into your bedroom--thereby making any defensive choice you can make for yourself useless, not joining Facebook, taking care what happens to your phone, etc.

Certainly you can argue it's more disheartening and chilling if, through propaganda, your neighbour voluntarily chooses to report you to the state.

On the other hand, the part where the state doesn't even need consent, that they can watch you much more closely and accurately, all the while your neighbours believe everything is fine--that's also pretty bad.

I'm all for perspective, but can we agree that it's just different? Maybe they don't carry people off to secret prisons quite as often any more. But the level and depth of surveillance is a lot worse, they know a lot more about everybody. And the propaganda, they don't need it to convince your neighbours to spy on you to make sure you're not doing anything subversive, no they control the Facebook feeds and the media's narrative to attack the concept of "subversive" itself.

> And even if the government knows that you do these things, how much of a threat do you need to pose before they'll act against you in particular? The governments of old would routinely act against large numbers of their population for far less.

But what if today, for the governments it is easier to not just act against you in particular, they defuse the whole threat on a much wider scale, the "terrorist propaganda" with a truckload of "fake news" (already there, just a little nudge into the spotlight).

I suppose that yes, if you carefully add all the pros and cons together, these old surveillance states were in fact worse. Given that I believe torture is one of the worst possible things you can do to a person, and that happened on a much larger scale, if you're keeping score that really makes it worse. On the other hand what we have now in the West is also pretty bad. And the level and depth of surveillance and control is worse now. Just because something that was worse was called a "surveillance state", doesn't mean we are also living in one now, and that it's doing bad things to our freedoms.

(granted your last line pretty much tried to say this, I felt like I needed to add some words)


>Is your neighbor watching you, ready to report you to the state for suspected subversive activities?

Yes. They are actively encouraged to do so by the government: https://www.youtube.com/watch?v=FENOAIrHSl8


It's been that way. I mean you might be realizing it now, but we've been in a propaganda state since even before WW2.

For people who still think we aren't, ask yourself why Americans think of breakfast when you say "Bacon and Eggs." That was an advertising campaign by Edward Bernays (Freud's nephew). He also helped the tobacco industry increase the number of women who smoked cigarettes (lookup "Torches of Freedom").

You might not think that product advertising relates to propaganda, but Bernays was the father of "Public Relations." The first public relations department was for the US government, and he chose that term because Propaganda had a bad connotation to it. Public Relations is literally a weasel word/phrase to replace Propaganda.

These are important things to consider when you think about voting and "free will." Advertising has been used to make people think quality diamonds are rare (they're not), bacon and eggs are a standard breakfast and that tobacco is a symbol of womens' liberation. If you acknowledge that, you also have to realize advertising has convinced much of America there are only two political parties worth voting for, and that they're different (even thought they universally enact the same foreign policy. Bush Jr = 2 wars, Obama = 5 wars, Trump/Hillary = both will/would bring more war. I ask you, when has a war protest or congress ever stopped any of these wars from happening?)

Finally, the CIA has admitted to having operatives in US magazines for decades, and they refuse to answer if they have operatives in US television (https://youtu.be/U1Qt6a-vaNM?t=2h30m35s).

We've been in 1984 for decades prior to 1984.


A little clarification: after World War I Bernays wanted to use war propaganda during peacetime to manipulate people and opinions which he thought were irrational and dangerous, and coined the name public relations to avoid the stigma propaganda had due to its use by Germans during the war.

He's also the guy behind "engineering of consent", the use of press releases, fear of communism during cold war, and much much more.

I'm not so sure we've been in 1984, there is a valid case[1] for us living in a brave new world or at least a mix of both 1984 and a brave new world.

[1]: https://biblioklept.files.wordpress.com/2010/12/huxley-orwel... http://ritholtz.com/wp-content/uploads/2011/11/rrxW1.png


We don't just live in a surveillance state, it's also an oligarchy.

Don't fret though - the security state has been building for a long time: http://www.huppi.com/kangaroo/CIAtimeline.html


The West, or the United States? I feel like many Western nations wouldn't do this crap if the Americans didn't just politically strongarm them.


You mean the West who are in the Five Eyes intelligence collective[0]? Alright, I get it, Germany may not be doing this and a few Nordic countries, but overall The West is waist high in this type of stuff.

[0] https://en.wikipedia.org/wiki/Five_Eyes


The west.

See UKUSA agreement [1] and echelon [2] for a primer on how global surveillance[3] started mid 20th century.

[1]: https://en.wikipedia.org/wiki/UKUSA_Agreement [2]: https://en.wikipedia.org/wiki/ECHELON [3]: https://en.wikipedia.org/wiki/Global_surveillance


The more people read Culture&Empire (free: https://www.gitbook.com/book/hintjens/culture-empire/) the better! Even though a few parts might (!) be lightly exaggerated, overall we should read and fight!


For what it's worth I still hold the glimmer of hope in seeing people believe (or try to believe) and fight towards free societies. We still have a spirit that has been smothered in other authoritarian states.

You will know it's really over when everyone simply gives up their liberties in exchange for security, economy or national pride.


> I can no longer proudly claim the West is free. We are living in a surveillance state.

Anarchy is the only true freedom. Any social contract (i.e. government) limits freedom.

Still, saying the west is not free is disingenuous. One can still have many freedoms in a surveillance state. For example, I can criticize Trump without fear of being sent to a labor camp in a surveillance state. I can attempt to spread my religious beliefs without being randomly kidnapped.


> Anarchy is the only true freedom. Any social contract (i.e. government) limits freedom.

Limits on freedom does not always translate into less free. Limits on owning nuclear bombs can be seen as an increase in freedom for those who don't own them.


> Limits on owning nuclear bombs can be seen as an increase in freedom for those who don't own them.

I would disagree here; limits on owning nuclear weapons are sort of capping the decrease of freedom for those who don't. A strict ban of nuclear weapons is required not to impact the freedom of others.

So your analogy fails, as a ban on freedom always translates into less free.

Actually I fail to see how putting limits on freedom would not limit freedom. Arguing otherwise does not make much sense.

Having the freedom to do something does not imply that this freedom will be used. Pretty much anybody is free to commit suicide, but does not.


Not at all. To say that fewer limits always translate into more freedom is a very simplistic idea that I proved wrong.

If the freedom exists, it will be used by someone, because people do commit suicide.

Less limits can lead to more freedom, but some restrictions of freedom can also increase freedom.

For instance by having conscription a lesser evil government can protect itself against bigger evil government.

Case in point, Finland against the Soviet Union during World War 2. By forcing Finns to serve in the Finnish army, Finland kept their independence from a totalitarian communistic rule and evolved themselves into one of the most free countries in the world.


You can criticize the devil all you want in medieval Europe, too. You can attempt to spread your religious beliefs without being kidnapped so long as your king and your bishop share the same beliefs.

Try copypasting a few lines from 4chan's /pol/ in other mediums and see how far your freedom gets you.


Trump is the worst president ever and I hope he gets impeached.

Are jack-booted federal thugs going to kick in my door tonight and kidnap me now? Tell me more about my lack of freedom as I shoot my glock out my car window while spinning donuts on my property.

In Iran you go to prison for criticizing the president. In Malaysia (and other Muslim countries) you get kidnapped for trying to spread Christianity. In China you disappear if you start agitating for dissension on any medium. Someone merely observing you isn't taking away your freedom to say or do things.


Criticising Trump on HN is like criticizing US imperialism in China or criticizing Israeli settlements in Iran. It is a safe subject. Everybody agrees with you, including those who pay the people in jackboots. Obviously nobody will kick your door in.

What happens to people with the unpopular opinions? Well, Berkeley.


No, that's where you are fundamentally wrong. There is no comparison because we have more freedom than China or Iran. We can criticize the president. People in China and Iran can't - at least not without high risk.

I can say things in America that people deeply disagree with, including the government, and I still won't go to jail. I can join the KKK or Neo-Nazis without repercussion. I can call for genocide or revolution on Facebook or Twitter, and the government will ignore me. That is the freedom we have in the USA.


You can criticise the president because it's a safe subject.

If you join the neo-nazis (or any similarly unpopular group) and post that on Facebook, you will lose your job, your customers will shun you, and if you are sufficiently famous the media will make sure it stays on your record forever. You will also have no platform and no way to gather like-minded people. Whatever social media you use will ban you or seek to limit your voice constantly and in imaginative ways (cf. shadowban). Whatever hosting service you use to communicate with your group will shut you down unannounced when you are of sufficient size, forcing you to move, bleeding members all the while. Paypal will refuse to process your donations.

At some point somebody will dig through your past writings/interviews and misconstrue you as a pedophile.

At the end of the day you will be just another destitute crackpot that nobody pays attention to. Why bother with the jackboots?


There's a difference between those two things. The first one is protected under the First Amendment: the government cannot attack you for it. The second one has nothing to do with the government. Such a person may feel oppressed, but that's just being socially ostracized for having an unpopular opinion. People aren't entitled to being treated a certain way by their peers as long as they don't stray from the law.

To be fair, doxing is a problem and -- especially as a group -- people can get awfully close to that line of the law. This does need to be addressed, though I'm not sure how.


If the chilling effect is the same and the curbs to your freedom are the same and at the end of the day you still cannot say what you want for fear of reprisal, does it matter whether the coercion comes from someone directly on state payroll?

If the government outsources the jackbooting to the private sector, does it stamp your face less hard? What if I design a governing structure that's distributed between a small elected 'government' branch and a large, permanent network of corporations?


So what would you have done? Make it so people can't say mean things about you? Nullify the right for people to choose who to do business with? (Sorry, Anti-Discrimination laws don't protect against discriminating against hate speech.)


I understand the need to defend unpopular speech, but this is such a weird hill to die on when so many other things have unjustified stigmas attached to them. It'd be nice to hear people yelling about how it's supposed to be a free country when a gay or trans person has offended someone by existing.

Richard Spencer is still on Twitter, and still definitely has an audience—though the video of him being attacked is now very well known. Alex Jones has the President's ear. Steve Bannon is an advisor to the President with access to classified information. The President is, well, the President, despite plenty of material that could be and was used to accuse him as a pedophile. (I realize this is pedantically incorrect—I also realize the general public doesn't really care.)

Milo fared less well, but apparently appearing to advocate pederasty was a bridge too far even for many of his fans. Directing a harassment mob towards a celebrity was a bridge too far for Twitter, despite years of spewing the same not-exactly-PC views.

And espousing supposedly PC views isn't exactly safe either. Remember that time Anita Sarkeesian received multiple bomb threats for threatening to say unpopular words in public? What was THAT about, and why weren't the freedom lovers jumping to her defense in droves?


Do you suppose these weapons are only useable against people you don't like? Do you suppose 'the other side' is powerless to retaliate, using the exact same tools? Trump is the president now, as you have said. Half of America voted for him, and I'm sure many of them wouldn't be sad for people on your side of the trench to suffer the same treatment.

On a tangential note, this constant demand to focus on other causes whenever somebody points out something's wrong is a big part of why most activism fails. Every cause gets piggybacked on by a hundred 'greater' causes that it has to expend all its resources to support. Every member has to agree with all one hundred or they can gtfo. At the end of the day nobody gets anything done, but at least you can show your friends on Facebook how virtuous you are.


Nothing makes people more interested in freedom of speech than the fear their own ideas will be suppressed. Precious few people are willing to defend both Milo and Anita's right to speak freely. Don't you think that's strange?

It's almost as if hardly anyone cares about free speech beyond using it as a shield against meaningful opposition.

> At the end of the day nobody gets anything done, but at least you can show your friends on Facebook how virtuous you are.

For such a useless and thus non-threatening group, they sure get a lot of blowback. Let's be real—I couldn't have possibly cared less what Alex Jones had to say until people started parroting his unsubstantiated conspiracy theories en masse.

And there's something way deeper going on with fierce opposition to social justice movements than a burning desire to prevent people from continuing to be wrong on the Internet.


So what's your point? Are you trying to argue the USA has the same level of freedom as China or Iran?


I'm arguing that it's a more sophisticated and on the whole more humane system of suppressing dissent, but we shouldn't deny that it exists and serves the same functions.


Is it even possible to have a society that doesn't suppress dissent to some degree? And would such a state even be desirable?


What you're describing is usually called "sociology of deviance" [1] by scholars. Formally,

> In sociology, deviance describes an action or behavior that violates social norms, including a formally enacted rule (e.g., crime), as well as informal violations of social norms (e.g., rejecting folkways and mores). [...] Norms are rules and expectations by which members of society are conventionally guided. Deviance is an absence of conformity to these norms. Social norms differ from culture to culture. [...]

Note that the opposite of deviance in this context would be "normality", the Gaussian bell.

Howard S. Becker [2] is one key contributor to this topic. His outstanding book "Outsiders" (1963) is some of the best food for thought I've ever read.

Deviance being such a key concept in pretty much every human group/society/civilization and even fictional stories, it's generally agreed upon that it's a characteristic of our species' social interactions (whether biological or psychological or both), more innate than acquired (since we all evolved towards these behaviors, probably back in immemorial times when it had a survival purpose).

Moving on to political science, specifically law-making and state 'architecture' (i.e. Constitutional Law, that which creates Institutions and ultimately defines a Regime such as Democracy or Dictatorship), most schools of thought in 'free'/'democratic' countries are very conscious of the intricacies of protecting minorities and their opinions/rights. It is an integral part of the praxis of making law and you will find such fail-safe mechanisms even in authoritarian regimes (notoriously in China where, believe it or not, citizens have much local power on paper). Obviously in the real world, politics and corruption shift all of this, from the netherland of 'toxic deviance' to the promised land of 'hot-buzz-bait cause'.

Where I personally think political science is mistaken is precisely in labelling regimes into 3-4-5 neat categories; imho every country has some of each kind and should be rated on a scale for each kind of regime. It's the idea that democracy is never an absolute but a freaking wide spectrum, and that you can live in a 'weak state of democracy' combined with a 'normally high state of surveillance or authoritarianism'. And maybe a 'touch of dictatorship' emanating from the top exec office (usually PM, President) or top spiritual order (e.g. theocracy). Currently in the West, given the oligarchic configuration of the elite and the relatively high degree of corruption and low level of public debate, I wouldn't rate our countries very high on the democratic scale (the People has little power if any); freedom still is at an all-time high in the grander movement of history; however the development of surveillance technologies opens a wide door towards authoritarianism (also unlocked by an oligarchic rule).

I have one faith in the fact that big data is also possibly the solution to aggregating public opinion in ways that previous generations could only dream of (if we care to make the machine intelligence necessary for that), and that we also now (well, soon) have the capability to tailor a regime to each and every individual if need be (there's something to be said about a huge victory for freedom if we ever get to that, basically "make your own --pizza-- regime").

There is still the matter of circle-jerking once we're all free to group with like-minded individuals; but that one may prove to be a hard problem for humans.

[1] https://en.wikipedia.org/wiki/Deviance_(sociology)

[2] https://en.wikipedia.org/wiki/Howard_S._Becker#Sociology_of_...


You can publish copyright protected movies on public websites in China and won't get arrested. In the US you can get arrested for that.

Different countries have different freedoms. If you think political speech is the most important freedom, then good for you, but some people think being free to have whatever they want without paying is even better.

You can't call for genocide in the US if you're too specific. That's part of what's not counted as free speech. Nor can you publish information like what Snowden and Manning did, nor information protected by an NDA, nor threaten to kill someone. There's a long list of what you're not allowed to say in America. Sure it's largely a subset of what you're not allowed to say in China or Iran, but it's not exactly a subset.

In short, you're defining free speech to be the specific and narrow meaning that has evolved over hundreds of years of US politics and law. That's only one arbitrary way to define it.

Even worse. In America in the '60s and '70s, civilians were forced to fight in the Vietnam war! You would be imprisoned if you didn't go to war. That's the extreme opposite of freedom. Today, there's a huge amount of unjustified imprisonment of innocent people. Again, that's the opposite of freedom.


> Different countries have different freedoms.

I'm not sure what you are trying to argue. In parts of Africa you are "free" to loot villages and rape women. Convincing me that America is just as free as China or Iran (just in different ways) is a hard sell because I value different freedoms with different weights. The freedom to steal people's IP and profit from it is not a freedom that is very beneficial for humanity.

> Today, there's a huge amount of unjustified imprisonment of innocent people

Do you have any evidence that the imprisoned people are innocent? Or are you referring to drug arrests? In those cases the people are definitely guilty of the crime (possession, using drugs). Sure, you may disagree with current drug laws/punishment, but law enforcement doesn't arrest literally innocent people and throw them in jail except on extremely rare and unusual occasions.


You lose your job, family, future, if you join these groups. Just like in oppressive regimes. During the Soviet Union it was the same. I know because I come from there; they didn't send you directly to Siberia for everything, but no university accepted you, you couldn't work in positions that you wanted, because you were the enemy of the state, etc. Just like you can't work in SV when you support Trump. Unless you have money and are Thiel, of course.


So we aren't free until I'm required to do business with neo-nazis and the KKK?


They probably said something similar 50 years ago.


It seems to me you are confused about freedom. Either you have freedom or you don't, there's no "more freedom than" except to convince yourself that you are free when you are not.

Flint tap water being more drinkable than ammonia does not make it potable.


Freedom is binary?


> In Malaysia (and other Muslim countries) you get kidnapped for trying to spread Christianity.

As a Malaysian, there's plenty to criticize about my country, but this is the first time I've heard of this. Got a source?



A bit early to speculate about the motive, no?


Possibly, yes. I just assume it's the government because from the articles I've read, they have the most motive (they want to pass some sharia law corporal punishment bills, and this Christian pastor dude was influential and opposed to it).


So your point is Iran, Malaysia and China have more freedom to put people in prison, kidnap and disappear people ?

If the US didn't have one of the worst prison records in the world and wasn't known for kidnapping, assassinating and disappearing people all over the world, you might have a point. Right now you're just looking like a fool boasting about not being black or Muslim and having the privilege of not having been the target of what the US government has been known for doing for decades.


There is no such thing as a perfect country. The United States comes out looking very bad in incarceration per capita rates. China and Iran come out looking bad in execution rate per capita. Malaysia still retains caning, a concept many in the West find barbaric. "Who is worse" will depend on your focus.

Regarding freedom of speech, the United States does have the concept more strongly encoded in law than the other 3. China's Constitution has Article 35, but apparently there is little enforcement of these rights (http://www.rfa.org/english/news/china/constitution-day-prote...), so such is toothless. I am not aware of a freedom of speech law in Iran, nor was I able to Google one.

Malaysia does have freedom of speech protections with Article 10. Having said that, the legalese is not as strong as the US's Amendment 1 -- the Sedition Act overrules Article 10, for instance. So criticizing the leader in Malaysia could bring you into legal trouble, unlike in the United States.

The First Amendment is not completely unbounded either, but unless you can demonstrate a US equivalent to Malaysia's Sedition Act (Malaysia being the country with the strongest freedom of speech protections of the three being compared), well, I think the OP has a point.


NPP still starts on my PC - I am kind of insulted that I am not important enough for the NSA to replace my .dll files.

I mean I know I am not that important but it would have boosted my ego. Way to go NSA. Thanks for nothing.


Your password is hunter2, what did you expect?


You have lost me there.


It's a joke reference to an old IRC exchange [1] about passwords.

[1] http://www.bash.org/?244321



This only means the CIA hasn't hacked you. The NSA has much more sophisticated methods, they're surely monitoring your every keystroke.


The message stated that after 7.3.3 it will check; you might have an earlier version. I'm equally unimportant.


This is a useless change. There was no issue in Notepad++. The attack involving scilexer.dll just happened to be a convenient way to inject code GIVEN you already have root access to write to the program directory. There are an endless number of other ways they could have done it in those circumstances.


It says so right in the release notes..


The release notes make some analogy about "locking your door" which is just ridiculous. This change doesn't even give the semblance of increased security. It is totally just an excuse for the author to make this politically charged changelog entry.


Exactly. They could replace notepad++.exe or install a rootkit or do it in a zillion other ways. I think this change was made so that already wiretapped people could detect this and to "calm" the public since the CIA is `OMG hacking into everybody's notepad, nobody is safe'.


I wonder how many CIA agents pose as innocent HackerNews commenters?

If this world is corrupted then spies are among us here too


They don't even have to be spies; judging by the leak, which had a number of personal and informal comments, CIA employees appear to be people too. I wouldn't be surprised if those working on government malware frequent HN just like you and me.


Imagine if most popular comment threads were actually actively manipulated by the CIA - sophisticated social engineering applied here too. Most popular thread here is: CIA is pathetic they just use silly tech

(I miss John C. Dvorak)


He does a couple of really good podcasts that're worth checking out.


Kudos for your first OSS contribution CIA.


For v7.3.2, SHA1 for original SciLexer.dll:

x86: D7F9B9FD1459EDF6B417244E14EB5D734A973914

x64: 506F6CE3F09BFD1B0A982F2E6ECCBA397FD07BC2

1. Downloaded .bin.zip and .bin.x64.zip from https://notepad-plus-plus.org/download/v7.3.2.html

2. Verified sha1 against https://notepad-plus-plus.org/repository/7.x/7.3.2/npp.7.3.2... (for posterity: E32326B860815688302DF006C37395F13E24AABD and C81E940B04BAF11DE485068D9DCA4CD5CCE0E418)

3. Extracted SciLexer.dll from zips

4. Generated sha1 of SciLexer.dll

Note: The machine I tested this already had v7.3.2 installed. The hash of SciLexer.dll from my (x86) install matches the above, but independent verification is recommended over taking my word for it.


I'm curious to know whether virustotal detects the infected dll.

My tin foil hat thinks no.


This is for 7.3.3+


>This is for 7.3.3+

v7.3.2 is the latest version without the cert check, and is thus the latest possibly vulnerable version.


Don't use SHA1.


You'd rather I used MD5? Because those two are the only ones the NPP download manifest page provides.


Of course not.

But if (as in this case) we're trying to mitigate, broadly, against a threat with the resources[1] of the CIA, SHA1 should be considered completely inappropriate now, even though the recent SHA1 announcement was with respect to collisions rather than a preimage attack.

Surely requesting they post SHA256 hashes is the appropriate step?

[1] obviously after the leaks this specific attack is more likely to be co-opted by many additional actors, but I don't think that's enough to explode my point.


> but I don't think that's enough to explode my point

No; however, the part where they produced a collision and not a pre-image attack is :)

We should be moving away from SHA1, but it's unlikely that they're hoarding a pre-image attack on SHA1 and have spent the (probably rather large) amount of resources to produce one for this DLL in particular.
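The four-step check from the hash comment above, written out as a PowerShell function so the archive is verified before anything is extracted and a SHA-256 digest is preferred whenever the manifest supplies one. This is an added example, not code from the Notepad++ project or from anyone in this thread; it assumes the archive is already downloaded as npp.7.3.2.bin.zip, that the first archive hash quoted above (E32326...) belongs to the x86 archive, and that SHA-256 entries are placeholders until the download page publishes them.

```powershell
# Added example (not Notepad++ project code). Verifies a downloaded Notepad++ archive
# against published digests, extracts SciLexer.dll and checks its digest too.
# Assumed inputs: path to npp.7.3.2.bin.zip and two hashtables of expected digests.
function Test-NppArchive {
    param(
        [Parameter(Mandatory)] [string] $ArchivePath,
        # algorithm name -> expected hex digest of the archive itself
        [Parameter(Mandatory)] [hashtable] $ArchiveHashes,
        # algorithm name -> expected hex digest of SciLexer.dll inside it
        [Parameter(Mandatory)] [hashtable] $DllHashes
    )

    # Prefer SHA256 when the manifest offers it; fall back to SHA1 with a warning,
    # since SHA-1 collisions are practical (though a second preimage still is not).
    function Select-Algorithm([hashtable] $Hashes) {
        if ($Hashes.ContainsKey('SHA256')) { return 'SHA256' }
        if ($Hashes.ContainsKey('SHA1')) {
            Write-Warning 'Only a SHA-1 digest is available; treat this as a weak check.'
            return 'SHA1'
        }
        throw 'No usable digest (SHA256 or SHA1) supplied'
    }

    function Compare-FileDigest([string] $Path, [hashtable] $Hashes) {
        $alg = Select-Algorithm $Hashes
        # Get-FileHash returns upper-case hex; compare case-insensitively
        $actual = (Get-FileHash -Path $Path -Algorithm $alg).Hash
        [pscustomobject]@{
            File      = $Path
            Algorithm = $alg
            Expected  = $Hashes[$alg]
            Actual    = $actual
            Match     = ($actual -ieq $Hashes[$alg])
        }
    }

    # Step 2: check the archive before trusting anything inside it
    $archiveResult = Compare-FileDigest $ArchivePath $ArchiveHashes
    if (-not $archiveResult.Match) {
        # Stop here: never extract an archive that failed verification
        return $archiveResult
    }

    # Step 3: extract into a throw-away directory and locate SciLexer.dll
    $scratch = Join-Path ([IO.Path]::GetTempPath()) ([Guid]::NewGuid().ToString())
    New-Item -ItemType Directory -Path $scratch | Out-Null
    try {
        Expand-Archive -Path $ArchivePath -DestinationPath $scratch -Force
        $dll = Get-ChildItem -Path $scratch -Recurse -Filter 'SciLexer.dll' |
               Select-Object -First 1
        if (-not $dll) { throw 'SciLexer.dll not found in archive' }

        # Step 4: hash the DLL and compare with the expected value
        $dllResult = Compare-FileDigest $dll.FullName $DllHashes
        return @($archiveResult, $dllResult)
    } finally {
        Remove-Item -Recurse -Force $scratch -ErrorAction SilentlyContinue
    }
}

# x86 7.3.2 archive, using the SHA-1 values quoted in the thread above
# (ordering of the two archive hashes assumed: x86 first, then x64)
Test-NppArchive -ArchivePath '.\npp.7.3.2.bin.zip' `
    -ArchiveHashes @{ SHA1 = 'E32326B860815688302DF006C37395F13E24AABD' } `
    -DllHashes     @{ SHA1 = 'D7F9B9FD1459EDF6B417244E14EB5D734A973914' } |
    Format-Table -AutoSize
```

Both result rows must show Match = True; a mismatch on the archive row stops the function before extraction.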


That "fix" is kinda useless. But at least he admits it in the release notes.


Yep.

> This solution only prevents from Notepad++ loading a CIA homemade DLL. It doesn't prevent your original notepad++.exe from being replaced by modified notepad++.exe while the CIA is controlling your PC.

The CIA attack is an application directory attack, and the application directory is a trusted location on Windows. See: https://blogs.msdn.microsoft.com/oldnewthing/20161013-00/?p=...

I guess the attack allowed them to inject code into a Notepad++ process without breaking the signature on notepad++.exe itself. There's probably some value to the CIA doing this, or they wouldn't have done it (...right?)


Thinking that the author of a text editor should be concerned about the espionage activities of a superpower "is not how things should be".

Useless, yes. Nobody thinks he should solve the problems of the world, that's just a message.


I suppose this could help anyone that is currently being targeted. Once they update it should be obvious that the dll is compromised. Maybe some will come out of the woodwork and show it.


Well theoretically if you had a secure, verified boot chain this would plug a hole in it.

However in practice we don't have a full signed and verified stack.


>> The DLL injection stuff in the CIA leaks should embarrass the CIA.

Haha, nice try.

No, it should embarrass the entire US public.

CIA is not some autonomous entity, its actions directly relate to the will and wants of the US government. People are not going to stand by and clap as their text editors are wiretapped. Note: I noticed the homing behavior when using it in wine, so I switched to PSPad.


It's not every day you make a "fix CIA bug" commit. Kudos! lol


"I can no longer proudly claim the West is free. We are living in a surveillance state."

This has been the case for a very long time.

Nothing is new under the sun - but now lots of people are seeing things for what they are.


The problem is that it isn't only our state or other states that are surveilled. It's the entire internet.


The problem is that the majority of people simply don't care.


Cringy nonsense.


I wonder if they just check that WinVerifyTrust() returns OK or if they bother to also check the cert thumbprint.

Because if it's the former, it's trivial to just sign the DLL with any key and add it to the local trusted store (if needed).


Looks like they check to see if the cert issuer is a trusted root CA and then they check that the subject name is "Notepad++".

https://github.com/notepad-plus-plus/notepad-plus-plus/commi...
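The difference the two comments above are getting at, as an added PowerShell example (not the Notepad++ project's code and not taken from the linked commit): a check that stops at "signature valid, chain ends in a trusted root, subject CN is Notepad++" accepts any certificate a locally added root can issue, whereas pinning the signer's thumbprint binds the check to one specific certificate. The pinned thumbprint and the install path are placeholder assumptions; take the thumbprint from a known-good copy of the DLL.

```powershell
# Added example: verify SciLexer.dll's Authenticode signature and pin the signer.
# Assumptions: $PinnedThumbprint is taken from a known-good DLL; the install
# directory is $env:ProgramFiles\Notepad++ (32-bit installs live under
# ${env:ProgramFiles(x86)} instead).

function Test-PinnedSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$PinnedThumbprint,  # SHA-1 thumbprint of the expected signing cert
        [string]$ExpectedSubjectCN = 'Notepad++'          # the CN the thread says the fix checks
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path = $Path; Status = $sig.Status; Signer = $null
        Thumbprint = $null; Pinned = $false; Reason = ''
    }

    # Status 'Valid' means the signature verifies and the chain ends in a root the
    # local machine trusts. On its own this is the check the thread calls trivial
    # to bypass: whoever can add a root to the local store passes it.
    if ($sig.Status -ne 'Valid') {
        $result.Reason = "signature status is $($sig.Status)"
        return [pscustomobject]$result
    }
    $cert = $sig.SignerCertificate
    $result.Signer     = $cert.Subject
    $result.Thumbprint = $cert.Thumbprint

    # Subject CN filter, as the thread describes: still weak on its own, since any
    # CA the machine trusts could issue a certificate carrying this CN.
    $cn = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $ExpectedSubjectCN) {
        $result.Reason = "subject CN '$cn' is not '$ExpectedSubjectCN'"
        return [pscustomobject]$result
    }

    # Thumbprint pin: ties the check to one certificate, so a newly issued cert
    # with the right CN from an attacker-added root is rejected.
    if ($cert.Thumbprint -ne $PinnedThumbprint.Trim()) {
        $result.Reason = 'signer thumbprint does not match the pin'
        return [pscustomobject]$result
    }
    $result.Pinned = $true
    $result.Reason = 'ok'
    [pscustomobject]$result
}

# Usage: check every SciLexer.dll under the install directory against the pin.
$pin = '<thumbprint of the known-good Notepad++ signing certificate>'   # placeholder
Get-ChildItem -Path "$env:ProgramFiles\Notepad++" -Recurse -Filter 'SciLexer.dll' |
    ForEach-Object { Test-PinnedSignature -Path $_.FullName -PinnedThumbprint $pin } |
    Format-Table Path, Status, Signer, Pinned, Reason -AutoSize
```

The pin has to be rotated whenever the project renews its code-signing certificate, which is the usual cost of pinning. As the later comments note, none of this helps once the host itself is compromised: the same access that swaps the DLL can swap notepad++.exe, so this is a loader-side integrity check, not a defence against a resident attacker.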


Yeah, that's trivial to bypass on a compromised machine without touching their binaries or hijacking system APIs.


To be fair, most things are trivial to bypass on a compromised machine. In fact what would even be the point of loading arbitrary code into Notepad++ on an already compromised machine?


The author of Notepad++ even said it, "It doesn't prevent your original notepad++.exe from being replaced by modified notepad++.exe while the CIA is controlling your PC."

If the CIA is already on your compromised machine and they want to target a user of Notepad++, then they would just patch Notepad++ itself.


Are the permissions necessary to add a key to the local trusted store significantly less powerful than the permissions necessary to modify kernel memory?

For instance, can adding a key to the local trusted store allow someone to forge a Windows update?


Does anyone know where I can find the best summary/analysis of the CIA leaks?

Is there someone I can follow on Twitter that's doing great analysis?



@josephfcox and @pwnallthethings have been covering the leaks well


What is the actual attack vector? The leak document just lists a dll that could be replaced to do nefarious things. How are these dlls getting replaced?


Microsoft-provided backdoor into Windows?