Archive for the ‘spying’ Category

Man claims his Bose headphones intercept what he’s listening to

April 22, 2017

Illinois man: My headphones transmit audio metadata to data miner Segment.io.

An Illinois man has accused Bose, the audio equipment manufacturer, of illegally wiretapping him via his Bose headphones.

According to a proposed class-action lawsuit filed in federal court in Chicago on Tuesday, Kyle Zak bought a $350 (£330) pair of Bose QuietComfort 35 wireless Bluetooth headphones in March 2017. Those headphones use an app, known as “Bose Connect,” to skip, pause, and perform other controls on them.

The civil complaint alleges that Bose collects “the names of any music and audio tracks” played through the headphones, along with the customer’s personally identifiable serial number. It also says the information gets sent to third parties, including “data miner Segment.io.”

Lawyers for Zak argue that this constitutes wiretapping. They further allege that this type of interception could have revealed a lot of personal information about consumers, depending on their music or podcasting listening habits. For example, someone listening to “The Greatest Generation,” like its hosts, might be a little bit embarrassed to admit to the world that they listen to a Star Trek podcast.

Neither Bose nor Segment.io, which is not a party to the lawsuit, immediately responded to Ars’ request for comment.

The lawsuit claims that several other headphone models send out this data, including the SoundSport Wireless, SoundSport Pulse Wireless, QuietControl 30, SoundLink Around-Ear Wireless Headphones II, and SoundLink Color II.

Metadata vs. content

Zak and his lawyers from Edelson, a Chicago-based law firm that specializes in technology and privacy cases, will have to show that the interception of the audio metadata is the same thing as the content contemplated by federal wiretap law.

“We discovered the issue, as we do in many of our cases, through an investigation conducted by our in-house computer forensics lab,” Christopher Dore, one of the Edelson lawyers involved in the case, e-mailed Ars.

Bose lawyers likely will argue that while it may be sending out copies of the metadata (artist, song title, etc.), its actions do not constitute “contents of any wire, oral, or electronic communication” as defined under the relevant wiretap law. Therefore, it could argue, the company isn’t liable.

Edelson seems to have anticipated this line of argument and points out that the Bose products interact with consumer smartphones, which transmit “operational instructions regarding skipping and rewinding audio tracks and their corresponding titles.”

Police Confirm Amazon Echo Saves All Voice Data, Here’s How to Delete It

April 22, 2017

Amazon Echo is a hands-free smart speaker with voice control access. The device connects to Alexa, an artificial intelligence personal assistant for playing music and providing information, news, sports and other activities.

However, privacy activists have sounded the alarm on this Amazon smart device for some time now. Activists suspected the United States government, via its spy agencies, has been using the device to spy on citizens.

To confirm that the device is being used as a spying tool, anti-government corruption investigators revealed that Amazon owner Jeff Bezos was awarded a contract by the Central Intelligence Agency (CIA) worth $600 million to build a private cloud for the agency to use for its data needs. This means Bezos is a friend of the CIA, and can grant the agency full access to his business ventures.

Amazon’s close CIA ties have made some consumers who own an Echo device more skeptical. Recently, we published an article on how a woman who owns an Amazon Echo decided to verify the links between the CIA and the device. She used the artificially intelligent Alexa to confirm her suspicions shortly after WikiLeaks began releasing their Vault 7 series.

The woman asked the smart device whether she would lie to her, to which Alexa responded that she would always “try” to be truthful. Alexa is then asked to give a definition of what the CIA is, which is answered with accuracy. It’s then followed by another question from its owner, “Are you connected to the CIA?”  Alexa, rather than answer, chooses to switch off, not once, but twice, when the owner of the device repeatedly asked the question.

This incident was recorded and posted on Twitter. When the video started trending, Amazon responded that the incident was nothing but a minor programming error.

However, recent evidence has emerged to back the existing suspicion that Amazon Echo is indeed a spy tool used by the US government.

In December 2016, Arkansas police in the city of Bentonville filed search warrants with Amazon, requesting the recordings made on a man’s Echo device between November 21 and November 22, 2015. The recordings belong to James A. Bates, who was charged with murder after a man was strangled to death in a hot tub in his home.

CNET reports that during the investigation, police noticed the Echo in the kitchen and pointed out that the music playing in the home could have been voice activated through the device. While the Echo records only after hearing the wake word, police hoped that ambient noise or background chatter could have accidentally triggered the device, leading to more clues in the murder case.

“It is believed that these records are retained by Amazon.com and that they are evidence related to the case under investigation,” police wrote in the search warrant to Amazon.

When the warrant was delivered to Amazon, the company was reluctant to give the recordings out. Investigators then issued a statement warning that whether Amazon complies with the warrant or not, they could tap into the Echo’s hardware, which could potentially include time stamps, audio files and other data.

Apart from Bates’ Echo, investigators also attempted to break into his phone, but were unsuccessful due to his password. In response to the delay in investigation caused by Amazon not sending the recordings and the phone password, the police department issued the following ominous response within the warrant: “Our agency now has the ability to utilize data extraction methods that negate the need for passcodes and efforts to search Victor and Bates’ devices will continue upon issuance of this warrant.”

The police are right. They can seize access to the device without difficulty. According to Amazon, when Amazon Echo or Echo Dot detect the wake word, when you press the action button on top of the devices, or when you press and hold your remote’s microphone button, the light ring around the top of your Amazon Echo turns blue, indicating that Amazon Echo is streaming audio to the Cloud.

All of the audio in the room is recorded and stored, not just the question you’re asking Echo.

The device also records everything in the room prior to you using the wake word. When you use the wake word, according to Amazon, the audio stream includes a fraction of a second of audio before the wake word, and closes once your question or request has been processed.

When you go inside the Settings menu in your Alexa app on your phone, you can listen to every one of your requests by selecting History.

Just as the police noted in their murder investigation, there are times that Alexa randomly starts recording without the wake word being issued.

Luckily, deleting this audio is simple. Just follow these instructions:

In the History menu of the mobile Alexa app, you can delete specific entries one by one by selecting them and tapping the delete button. However, if you want to wipe your entire history, you’ll need to do so at the Manage Your Content and Devices page at www.amazon.com/mycd.

Once logged in, you’ll see the page, Manage Your Content and Devices. From here, click on Your Devices. Select the device from which you want to delete the audio, and a sub-menu will appear under it. Click on Manage Voice Recordings, and then click delete. Before deleting, Amazon presents you with a warning.

Once you click delete, a brief popup comes up letting you know that “Your deletion request has been received.”

You can then check the mobile app and all voice recordings from that device will be immediately removed.

We acknowledge sourcing part of the article from the Free Thought Project

Obama Spying Even Worse Than Trump Claimed

April 2, 2017

(WND.com) The spying by the Obama administration on then-presidential candidate Donald Trump reportedly was even worse than what he has alleged.

And it had nothing to do with Russia but everything to do with politics.

Sources in the intelligence community claim the potentially illegal revealing of names, or unmasking, of people in the Trump camp who were under surveillance was done purely “for political purposes” to “hurt and embarrass (candidate) Trump and his team.”

The bombshell revelations come from rank and file members of the intelligence community who are fighting back against a stonewall by the leaders at the nation’s spy agencies, according to Fox News.

Reporter Adam Housley said the sources are “not Trump” people but are “frustrated with the politics that is taking place in these (intelligence) agencies.”

And what they have revealed is amazing. Here is what they told Fox:

1) Surveillance targeting the Trump team during the Obama administration began months ago, even before the president had become the GOP nominee in July.

2) The spying on the Trump team had nothing to do with the collection of foreign intelligence or an investigation into Russia election interference.

3) The spying was done purely “for political purposes” that “have nothing to do with national security and everything to do with hurting and embarrassing Trump and his team.”

4) The person who did the unmasking was someone “very well known, very high up, very senior in the intelligence world, and is not in the FBI.”

5) Congressional investigators know the name of at least one person who was unmasking names.

6) The initial surveillance on the Trump team led to “a number of names” being unmasked.

7) House Intelligence Committee chairman Rep. Devin Nunes, R-Calif., has known about the unmasking since January.

8) Two sources in the intelligence community told Nunes who did the unmasking and told him at least one of the names of someone in the Trump team who was unmasked. The sources also gave Nunes the serial numbers of the classified reports that documented the unmasking.

9) It took Nunes a number of weeks to figure out how to see those intelligence reports because the intelligence agencies were stonewalling him, and not allowing the chairman or other people to see them.

10) There were only two places Nunes could have seen the information: where the sources work, which would have blown their cover; and the Eisenhower Executive Office building on the White House grounds, which houses the National Security Council and has computers linked to the secure system containing the reports he sought.

11) Nunes got access to that system on March 21 with the help of two Trump administration officials, but he said they were not the sources of any information.

The Wall Street Journal’s Kimberly Strassel reported that the documents Nunes saw confirming the Obama administration spied on the Trump team for months “aren’t easily obtainable, since they aren’t the ‘finished’ intelligence products that Congress gets to see.”

She said there were “dozens of documents with information about Trump officials.”

Strassel also reported there was a stonewall against the Intelligence committee chairman because, “for weeks Mr. Nunes has been demanding intelligence agencies turn over said documents—with no luck, so far.”

She also learned that, along with former National Security Adviser Michael Flynn, one other Trump official was unmasked.

(Flynn resigned after his unmasking was leaked to the press as part of reports that he spoke on the phone with the Russian ambassador before the new administration took office. President Trump said the two discussed nothing inappropriate and Flynn was just doing his job, but the president asked for the aide’s resignation because he was not completely honest in his initial account of the conversation.)

But even the reports that did not unmask identities “were written in ways that made clear which Trump officials were being discussed.”

And, importantly, the documents were “circulated at the highest levels of government.”

Strassel concluded, “To sum up, Team Obama was spying broadly on the incoming administration.”

Fox also reports that the Senate Judiciary Committee is looking into whether leaks of information targeting the Trump team could have come from the FBI, because it requested Foreign Intelligence Surveillance Act, or FISA, warrants that led to the acquisition of some of the foreign surveillance.

Nunes has said the FBI has not responded to his requests for information, and a source told Fox the agency is refusing to cooperate with the House investigation.

Fox also reported the Senate Judiciary Committee is looking into “whether the FBI wrongly included political opposition research from Trump’s opponents in its probe.”

And whether the FBI paid a former British spy who wrote a sensational and discredited report alleging wild improprieties by Trump and his aides.

On Friday, Press Secretary Sean Spicer noted the day before the president tweeted his accusation that Obama had spied on him, comments were made by “a senior administration official, foreign policy expert, Dr. Evelyn Farkas, (which) together with previous reports that have been out, raised serious concerns on whether or not there was an organized and widespread effort by the Obama administration to use and leak highly sensitive intelligence information for political purposes.”

As WND reported in depth, Farkas appeared to have inadvertently confirmed the former president’s administration spied on then President-elect Trump’s transition team for political purposes.

Speaking on MSNBC March 2, she confirmed that not only was the previous administration collecting intelligence on the Trump team, it was attempting to share it as far and wide as possible.

Farkas claimed the information was about Russian collusion with the Trump campaign, but just days later, intelligence chiefs who had seen the classified information in question, including Obama’s own former Director of National Intelligence James Clapper as well as former acting CIA Director Michael Morell, said they have seen no evidence of collusion between the Trump team and the Russian government.

That would appear to indicate the real reason the Obama administration was feverishly collecting and sharing the classified information was not for national security purposes, but for political reasons.

On Friday, Spicer said, “Dr. Farkas’s admissions alone are devastating.”

And that, “[I]n the ordinary course of their work, NSC – National Security Council – staff discovered information that may support the questions raised by the President and Dr. Farkas’s claim. These are serious issues. They raise serious concerns. And if true, the issues would be devastating.”

Spicer then lectured reporters for ignoring the Farkas story and growing evidence that Obama did indeed spy on the Trump team, scolding them, “[I]f everyone was treating the President and the administration fairly, you’d ask a series of much different questions.”

Republished with permission from WND.com via iCopyright license.

WikiLeaks Vault 7 Leak Claims CIA Bugs ‘Factory Fresh’ iPhones

March 23, 2017

A new WikiLeaks Vault 7 leak titled “Dark Matter” claims, with unreleased documents, that the Central Intelligence Agency has been bugging “factory fresh” iPhones since at least 2008. WikiLeaks further claims that the CIA has the capability to permanently bug iPhones, even if their operating systems are deleted or replaced.

The documents are expected to be released in the next 24 hours. The announcement was made after a “press briefing” that WikiLeaks promoted on its Twitter.

A summary of the documents has been released on the WikiLeaks website. It reads:

Today, March 23rd 2017, WikiLeaks releases Vault 7 “Dark Matter”, which contains documentation for several CIA projects that infect Apple Mac Computer firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA’s Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware.

Among others, these documents reveal the “Sonic Screwdriver” project which, as explained by the CIA, is a “mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting” allowing an attacker to boot its attack software for example from a USB stick “even when a firmware password is enabled”. The CIA’s “Sonic Screwdriver” infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter.

“DarkSeaSkies” is “an implant that persists in the EFI firmware of an Apple MacBook Air computer” and consists of “DarkMatter”, “SeaPea” and “NightSkies”, respectively EFI, kernel-space and user-space implants.

Documents on the “Triton” MacOSX malware, its infector “Dark Mallet” and its EFI-persistent version “DerStake” are also included in this release. While the DerStake1.4 manual released today dates to 2013, other Vault 7 documents show that as of 2016 the CIA continues to rely on and update these systems and is working on the production of DerStarke2.0.

Also included in this release is the manual for the CIA’s “NightSkies 1.2” a “beacon/loader/implant tool” for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones. i.e the CIA has been infecting the iPhone supply chain of its targets since at least 2008.

While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organization’s supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise.

Smart Dust: Cameras ‘Smaller Than Sand’ Can Now Film Your Every Move

March 19, 2017

Researchers at the University of Stuttgart have developed a new type of ‘smart dust’ miniature camera smaller than the size of a grain of sand.

Experts say the German camera, created using new 3D printing techniques, will allow scientists to see humans in more intricate detail than ever before.

Newstarget.com reports: Experts say the ingenious technique provides sub-micrometer accuracy that enables users to 3D print optical systems containing four lenses. The resulting multi-lens system provides an opportunity to help correct aberration, a condition where lenses fail to bring all wavelengths of color to a single focal point, which in turn may facilitate higher quality imaging from smaller devices, researchers added.

The researchers developed the 3D lenses by blasting a light-sensitive material onto a glass substrate with a femtosecond laser, which has pulse durations shorter than 100 femtoseconds. The material then absorbed two photons that exposed it and crosslinked polymers within the material. The unexposed material was washed using a solvent, leaving the hardened, crosslinked polymer that will then serve as the optical element.

The resulting lens’ diameter measures about 120 millionths of a meter, which makes it easily as small as a grain of table salt. The lenses can go from wide to narrow and may provide low to high image resolutions. Each of the lenses has a specific line of sight – clear at the center, blurry at the sides – capped by a curvature at the end. This mechanism mimics how the fovea, the small depression in the middle of the retina, collects light, and how the brain connects images from both eyes to come up with a single, distinct picture.

The innovative method will enable a variety of designs to undergo testing to come up with high-quality images. Researchers also noted that because it is printed in one piece the lens is easier to configure. Any configuration that was designed on a computer can be readily printed and used, researchers stated. The lens can also be printed onto image sensors aside from fiber optics.

The imaging method allowed researchers to print components for optical microscopes measuring 125 micrometers, and attach them to a 1.7m thin optical fiber. The camera at the end of this small endoscope has the capacity to focus on images from a distance of 0.12 in. The entire imaging system fits perfectly inside a syringe needle, which opens possibilities for direct delivery to various organs including the brain. Researchers said future uses of this highly miniaturized camera system may include less-invasive body imaging.

Experts cite initial limitations of the camera

To further assess the various applications of the lens, the developers also printed it onto a CMOS image chip in order to come up with a tiny sensor. Researchers noted that the manufacturing mechanism was fast, and may eventually translate into smaller camera drones. “The time from the idea, the optics design, a CAD model, to the finished, 3D-printed micro-objectives is going to be less than a day. We are going to open potentials just like computer-aided design and computer-integrated manufacturing did in mechanical engineering a few years ago,” said Professor Harald Giessen, from the University of Stuttgart’s 4th Physics Institute.

“Further improvements would include antireflection coatings on the lenses, either by coatings or by nanostructuring; the use of triplets or more lens elements for aberration correction; and the inclusion of absorbing aperture stops. With fabrication times of 1 to 2 hours for one objective lens, cheap high-volume manufacturing is difficult at the moment. However, printing just the shell and a lamellar supporting frame and direct ultraviolet curing can reduce the fabrication time… ” researchers added.

The research was published in the Nature Photonics journal.

List Of Android Devices Found Containing CIA Malware

March 16, 2017

A list of malware-infected Android devices has been released, after a commercial scanner found instances of malware preinstalled on 38 devices.

The find comes just days after WikiLeaks revealed that the CIA routinely hacked smartphones, infecting them with malware in order to spy on the American public.

According to a blog post published on Friday by Check Point Software Technologies, malicious code was found preinstalled on various Android devices that had not been put there by the original phone manufacturers.

Marygreeley.com reports:

In six of the cases, the malware was installed to the ROM using system privileges, a technique that requires the firmware to be completely reinstalled for the phone to be disinfected.

“This finding proves that, even if a user is extremely careful, never clicks a malicious link, or downloads a fishy app, he can still be infected by malware without even knowing it,” Check Point Mobile Threat Researcher Daniel Padon told Ars. “This should be a concern for all mobile users.”

Most of the malicious apps were info stealers and programs that displayed ads on the phones. One malicious ad-display app, dubbed “Loki,” gains powerful system privileges on the devices it infects. Another app was a mobile ransomware title known as “Slocker,” which uses Tor to conceal the identity of its operators.

The infected devices included:

  • Galaxy Note 2
  • LG G4
  • Galaxy S7
  • Galaxy S4
  • Galaxy Note 4
  • Galaxy Note 5
  • Galaxy Note 8
  • Xiaomi Mi 4i
  • Galaxy A5
  • ZTE x500
  • Galaxy Note 3
  • Galaxy Note Edge
  • Galaxy Tab S2
  • Galaxy Tab 2
  • Oppo N3
  • vivo X6 plus
  • Asus Zenfone 2
  • Lenovo S90
  • Oppo R7 plus
  • Xiaomi Redmi
  • Lenovo A850

Check Point didn’t disclose the names of the companies that owned the infected phones. Update: Monday, 3/13/2017, 6:16 Pacific Time: An earlier version of the Check Point blog post included Nexus 5 and Nexus 5x, but those models were removed without explanation in an update made over the weekend.

Padon said it’s not clear if the two companies were specifically targeted or if the infections were part of a broader, more opportunistic campaign. The presence of ransomware and other easy-to-detect malware seems to suggest the latter. Check Point also doesn’t know where the infected phones were obtained. One of the affected parties was a “large telecommunications company” and the other was a “multinational technology company.”

Here we go again

This isn’t the first time Android phones have been shipped preinstalled with apps that can surreptitiously siphon sensitive user data to unknown parties. In November, researchers found a secret backdoor installed on hundreds of thousands of Android devices manufactured by BLU. A few days later, a separate research team uncovered a different backdoor on more than 3 million Android devices from BLU and other manufacturers. In those cases, however, the backdoors were previously unknown, and, in the latter case, they were intended to deliver legitimate over-the-air updates.

Friday’s report shows why it’s never a bad idea to scan a new Android device for malware, especially if the device is obtained through low-cost channels. Reputable malware scanners such as those from Lookout, Check Point, or Malwarebytes are all suitable. Most such apps can be used to scan a phone without having to pay a subscription. Although who sold or supplied the 38 phones Check Point found infected is unknown, another general rule is to avoid low-cost resellers. Instead, buy from a trusted store or website.

Good News From CIA Leak: Encryption Works!

March 14, 2017

The media have spun the recent story about CIA-developed hacking tools by claiming either that there’s nothing to worry about, or that the problem is so severe that it is no longer possible to protect our privacy through encryption. In reality, privacy is under attack, but encryption still works.

With WikiLeaks’ recent disclosure of the CIA’s secret hacking program, many are left wondering how deep the rabbit hole goes. How secure are the devices and software that people all over the world use and depend on every day? While the mainstream media have reported on this either as if there is nothing to it or as if it’s the end of both privacy and encryption, the truth is that encryption can still be used effectively to protect privacy.

As The New American has reported in previous articles, the tools (read: cyber weapons) developed by the CIA are scarily invasive. Any hacker who is worth his weight in silicon — and who also has access to these tools — has the ability to remotely access and control devices — such as computers, mobile devices, and SmartTVs — to watch and listen to targets, as well as the theoretical (if not actual) ability to hack and control cars and trucks to disable or override steering, brakes, acceleration, and airbag controls. And thanks to the haphazard way the cyber-weapon files and documents were circulated within the CIA and its contractor companies, that could be a lot of hackers.

And despite the pooh-poohing by the intelligence community and many in the mainstream media, recent statements by the CIA and White House, coupled with the FBI’s investigation into the source of the leaked CIA documents, serve as admissions that the disclosures are genuine. So regarding both the existence of the cyber weapons and the fact that the CIA lost control of them, it really is as bad as it looks.

But that is also very good news.

Buried in the CIA documents (and WikiLeaks’ analysis of those documents) is the fact that there has been a shift in the way the surveillance state gathers information. In the wake of the Snowden revelations about mass surveillance almost four years ago, many — this writer included — began to implement ways to protect themselves against mass surveillance. The most effective tool for that is encryption. By encrypting data at rest (files and folders stored on a device), the owners of that data can be assured that it can only be accessed by someone with the encryption key or password. By encrypting data in motion (communications), the parties to those communications have the same assurances.

Apple introduced encryption by default for devices running newer versions of iOS; Google followed suit with encryption by default for all devices running newer versions of Android. Millions of people in the United States and worldwide began using encrypted communication applications. The surveillance hawks predicted the end of the world, claiming that terrorists were using those tools to “go dark.” The hawks demanded back doors into the encrypted devices and software.

Reports of recent revelations about the CIA hacking program focus on the fact that the vulnerabilities exploited by the CIA-developed cyber weapons allow the hackers to compromise the underlying operating systems (such as iOS, Android, Windows, MacOS, Linux, Solaris, and others) to capture the data before it is encrypted. As this writer noted in an earlier article:

Because the operating systems themselves would be compromised, all software running on those devices would be subject to corruption, as well. This would mean that privacy tools — such as those this writer uses on a regular basis — would be rendered useless. For instance, an application such as Signal — used for encrypting text messages and phone calls on mobile devices — would continue to encrypt the communications, leaving the user feeling secure. But since the keyboard would record (and report) all keystrokes before Signal could encrypt and send the text message, the communication could still be harvested by the hackers. Likewise, since the microphone itself could be activated, it would make no difference that the communication leaving the device would be encrypted; the hackers would still be able to capture the unencrypted voice recordings of both parties.

So, how is that good news? Put simply: it means that encryption works!

The surveillance state has had to change its game. As the New York Times reported recently:

The documents indicate that because of encryption, the agency must target an individual phone and then can intercept only the calls and messages that pass through that phone. Instead of casting a net for a big catch, in other words, C.I.A. spies essentially cast a single fishing line at a specific target, and do not try to troll an entire population.

“The difference between wholesale surveillance and targeted surveillance is huge,” said Dan Guido, a director at Hack/Secure, a cybersecurity investment firm. “Instead of sifting through a sea of information, they’re forced to look at devices one at a time.”

The New American reached out to several companies and organizations involved in promoting digital liberty to ask what the CIA revelations mean for the state of privacy. What we found shows that — for users who are willing to invest the time to keep their systems and programs up-to-date — the CIA hacking tools can be effectively blocked.

Dr. Andy Yen is the CEO and one of the founders of ProtonMail, an open-source, end-to-end encrypted, Zero-Knowledge e-mail service with its servers in Switzerland. Dr. Yen told The New American that the CIA revelations are “the biggest intelligence leak since Snowden in 2013 and the documents released so far appear to just be the tip of the iceberg.” When asked about the security of ProtonMail running on devices that may have been compromised by hackers (the government or otherwise) exploiting the devices’ vulnerabilities, Dr. Yen said, “From what we have seen so far, it is clear that ProtonMail’s cryptography is not compromised, so the email privacy of our users is still secure.” He added, “We are encouraging users to work to harden their endpoint devices, by actively patching all the software that they run.”

Part of that initiative to encourage users to “harden their endpoint devices” came in the form of a statement ProtonMail released the same day WikiLeaks dumped the CIA documents and files. Part of that statement says:

We can state unequivocally that there is nothing in the leaked CIA files which indicates any sort of crack of ProtonMail’s encryption. And despite claims to the contrary, there is also no evidence that Signal/Whatsapp end-to-end encryption has been breached. Here’s what we do know:

Over the past three years, the CIA has put together a formidable arsenal of cyberweapons specially designed to gain surveillance capabilities over end-user devices such as mobile phones and laptop/desktop computers. These advanced malwares enable the CIA to record actions such as keystrokes on a mobile device, allowing them to conduct surveillance without breaking encryption. Through this technique, US intelligence agencies can gain access to data before they have been encrypted. This is in fact the only way to achieve data access, because cracking the cryptography used in advanced secure communication services such as ProtonMail and Signal is still impractical with current technology.

In other words, the danger is in running old software, including operating systems that are missing the most recent updates. We asked Dr. Yen if a user running the most recent patches for their operating system and other software could be at risk using ProtonMail. He answered, “There can never be zero risk, so the way I would put it is, a user who has fully updated all his software would be at lowest risk of CIA hacking.”

That is because outdated operating systems (I’m looking at all of you who are still running Windows XP), software programs, and applications do not have the most up-to-date security patches. All software has vulnerabilities. As those vulnerabilities are discovered, the software developers issue updates to plug those vulnerabilities. Going over the list of the CIA’s notes on how to attack different devices, operating systems, and software, one common denominator shines through: they all depend on exploiting unpatched vulnerabilities.

In the quote above from one of this writer’s previous articles, there is a reference to Signal — an application for encrypted texts and phone calls. The company behind Signal is Open Whisper Systems. Signal has a list of endorsements from people — Ed Snowden, Laura Poitras, Bruce Schneier, and others — who have a real understanding of cryptography and the need for private communications. In a statement to The New American, Open Whisper Systems said:

These leaks are confirmation that ubiquitous encryption provided by WhatsApp and Signal are forcing intelligence agencies to use malware, pushing them from undetectable mass surveillance to high risk targeted attacks.

There again is the evidence that encryption works for those who use it and keep their devices and software up-to-date.

Another open-source, end-to-end encrypted, Zero-Knowledge service is SpiderOak One, which offers an online backup service similar in function to DropBox with the distinction that everything built into SpiderOak One has the users’ privacy in mind. Since it is built on open-source software, there is no way for anything nefarious to be hidden in the code. Since it is end-to-end encrypted, even the administrators don’t have access to the users’ data. Since it is Zero-Knowledge, the administrators don’t know (or have any way to know) users’ passphrases. In a statement published on its website, SpiderOak said:

The latest leak of the Vault 7 files includes many exploits, but unlike previous leaks, initial analysis seems to indicate that they are entirely for attacks against endpoints.

This transition from network level to endpoint-focused attack is an interesting trend that points to an interesting hypothesis: Encryption is working.

Encryption – and particularly end-to-end encryption – fundamentally changes the cost of attacks. No longer can an adversary simply sniff network traffic, either locally or globally. To eavesdrop on communications they must take the more expensive and risky approach of compromising endpoints.

The take-away? Encryption works. At least for those willing to take the time and effort to make sure their endpoint devices (computers, mobile devices, routers, etc.) are running up-to-date, reliable, trustworthy operating systems and software (which almost certainly excludes Microsoft Windows).

The answer to the question, “How can someone protect themselves from surveillance?” has not changed. Replace Windows with either Mac or (even better) Linux. Use open-source software and avoid proprietary software as much as you can. Encrypt everything you can, including your hard drive. Encrypt all communications, and encourage others to do the same. It’s simple to do with applications such as ProtonMail and Signal. Keep your operating system and other software up-to-date. Don’t store anything to an online backup service without first encrypting it — there is no cloud; it’s just someone else’s computer. And — most importantly — think about privacy and security. Make it a guiding principle in the way you use computers. Any chain is only as strong as its weakest link. The way you use computers — the choices you make, the programs and applications you use, and the ways you use them — is the biggest factor after following the above steps.

As for making a SmartTV secure, the best bet is to get rid of it. Period. The software is proprietary and the thing is designed as a spy tool.

Encryption has changed the game for the surveillance hawks. Now, instead of being able to conduct mass surveillance at scale, they are forced to compromise select and specific endpoint devices. If you are the specific target of a three-letter agency, there is little you can do to avoid being spied on. For the rest of us, things are actually looking better.
