CIA's Shrugtastic Response To Hacking Apple Security: 'It Is What It Is' And 'That's What We Do'

from the meh dept

We just had a story based on the Intercept breaking the fact that the CIA holds an annual hackathon (the CIA calls it a “Jamboree”) to come up with new ways to hack secure systems, inviting in various contractors and government agencies. Much of the work is focused on hacking Apple’s security, inserting backdoors and generally degrading security and encryption for everyone.

The CIA refused to comment on the Intercept’s original story, but the reporters got former FTC official Steven Bellovin to sum it up as:

“Spies gonna spy,” says Steven Bellovin, a former chief technologist for the U.S. Federal Trade Commission and current professor at Columbia University. “I’m never surprised by what intelligence agencies do to get information. They’re going to go where the info is, and as it moves, they’ll adjust their tactics. Their attitude is basically amoral: whatever works is OK.”

Now, “unnamed” anonymous CIA officials seem to be picking up where that shrugging comment left off. Talking to CNBC reporters, the CIA folks give similarly “meh” kinds of responses:

“That’s what we do,” the official said. “CIA collects information overseas, and this is focused on our adversaries, whether they be terrorists or other adversaries.”

Except, of course, they don’t just spy overseas. The CIA has done domestic spying as well, and the descriptions of the projects don’t just impact people overseas. And then there’s this one:

“There’s a whole world of devices out there, and that’s what we’re going to do,” the official said. “It is what it is.”

It is what it is. That’s someone who clearly doesn’t care one bit about the negative consequences of attacking security and inserting backdoors that can harm everyone, just so long as they can also spy on people they don’t like. You know, like the US Senate.

Companies: apple


Comments on “CIA's Shrugtastic Response To Hacking Apple Security: 'It Is What It Is' And 'That's What We Do'”

38 Comments
Anonymous Coward says:

Re: Re:

I’m no fan of the CIA or our government spying on all of us, but that IS what they do. They told the truth and you don’t like it. They tell a lie and you don’t like it.
Who they do it to seems to be the issue here, right? That’s also what all the hackers do at Black Hat and other yearly events, isn’t it?

If it can be hacked, then it needs work. Simple as that.

You want secure? Make it. There are numerous examples of companies attacked by hackers to prove the point that the security isn’t good enough. This is just another example.

The difference that seems important here is that it’s sponsored by our government. I think they should have the tools to protect our interests. Abusing them, however, is another story.

That One Guy (profile) says:

Re: Re: Re:

The problem is that the government, one and all, has utterly and completely poisoned the well when it comes to public opinion on their involvement with computer security. They’ve been caught out on so many lies, and had so many bad actions exposed, that everyone automatically assumes the worst these days, and rightly so I’d say.

As their words and actions have shown, their definition of ‘protection’ tends to involve sabotaging and intentionally weakening security used by millions of people, all for no apparent good, as despite all the damage they cause, they always seem to get tongue-tied when it comes to presenting the benefits resulting from their actions, and when they do try and trot out examples to justify their actions, those examples pretty much without fail show that their actions were unnecessary and/or caused more damage than they prevented.

As they, and multiple other government agencies have shown, while they may be all for protecting their interests, their security and their powers, they don’t seem to extend that same fervor to the public’s interests and security, so it’s hardly surprising that a ‘let’s find or create as many security flaws as we can’ event like this isn’t well received.

They’ve lost the trust of anyone paying even the slightest bit of attention, so backlash against even things that may have been acceptable before is to be expected, and they have only themselves to blame for it.

Anonymous Coward says:

Re: Re: Re: Re:

I agree 100%. They have zero credibility. But then again, how many people have EVER trusted the government? It has been the joke for my entire 48 years, “Trust me, I’m with the Government.” or the ever popular oxymoron, “Military Intelligence.” And I am ex military.

So when it comes to who is watching the watchers, I like to refer to an old Goldie Hawn movie, Protocol. In the final scene, she is testifying before a senate panel and says the following after resigning from the state department, “So now that I’m Sunny Davis, private citizen again, you’re gonna have to watch out for me. Because I’m gonna be watching all of you… like a hawk.”

We are the watchers… if we keep putting the wrong people in office, we have no one but ourselves to blame.

That One Guy (profile) says:

Re: Re: Re:2 Re:

And when those people in office lie, mislead, and do their best to hide what they are doing? When the ‘committees’ and ‘courts’ meant to keep them in check are instead run by those whose sole intention is to assist in the lies and hiding of the truth? When those that are meant to enforce and uphold the law instead choose to ignore it and look the other way when it’s another government agency bending and breaking it? When the government makes it abundantly clear that if you expose its actions they will crush you, making it incredibly risky for those with a functioning moral code and sense of ethics to come forward? How much blame do you think the public should bear then?

The public has a good amount of responsibility towards the government, but a large chunk of that demands transparency, demands that the people know what is being done, and who is doing it, and the government has been doing everything within its power, even if it has to make up laws and rules in the process, to avoid that transparency and the informed public that results from it.

As such you’ll have to excuse me when I don’t buy the ‘you get the government you deserve’ and/or ‘if the government is out of control, it’s the public’s fault for not reining it in’ arguments. The public deserves some of the blame, but the side lying, misleading, and hiding their actions from those they theoretically are supposed to serve shoulders most of it.

art guerrilla (profile) says:

Re: Re: Re:2 Re:

@ anon cow-
1. i propose this to you: what if (and it isn’t an ‘if’, it is a definite), ‘our’ computer-based voting systems are NOT secure (they are not) ?
then the ONLY method we have for ‘holding them accountable’ is borked…

2. but, let’s be stupid and assume the voting systems are valid: when the two hydra heads of the SAME korporate money party have the system on lock down, HOW in dog’s name do we EFFECTIVELY get any other 3rd party candidates any traction ? we don’t…

3. HOW do we actually DO our due diligence and oversight when it is kept super duper top secret EVEN FROM OUR DULY ELECTED officials supposedly providing oversight ? how can WE “OWNERS” of democracy provide any oversight of things kept (PURPOSEFULLY/ILLEGALLY) out of sight that we have NO knowledge of being done in our names with our monies ? ? ?

4. lastly, the warm and fuzzy anecdote (BASED ON A MOVIE) is sweet and all; but when the media is bought and paid for to NOT do any such investigative reporting, HOW is a mere citizen supposed to put the fear of dog in our ‘superiors’ ? ? ? not going to happen to any significant degree, just not going to, i don’t care how many pairs of rose-colored glasses you have on…

Anonymous Coward says:

Re: Re: Re:3 Re:

If you don’t like it, vote a different person in… The problem with America is our memories are too short.
We have demanded instant gratification for almost every part of our lives… this includes politics and policy. How else do you explain the Patriot act and Obamacare?

We always root for the underdog. How many of our sports icons or celebrities have had comebacks after a drug addiction or illegal activity and we cheer them on? The same holds true for our politicians.

Why do you think this email issue with Clinton is coming out now? It wasn’t the republicans that exposed it. Will it still be in the news in a year and a half when the elections roll around or will it be long lost and forgotten in the smoke of so many other scandals and outrages?

How much recent news has there been concerning Ferguson? How long ago was it?

We as a people need to begin to have a longer memory, so that when those in charge don’t do what they were elected to do, we vote them out… or we get the rules changed to put term limits on all offices.

Our elected offices were originally meant to be part time gigs, more like jury duty than a career.

To blame the game and not the players is wrong on every level. The players are what make the game great or not.

We are all playing the game. So instead of raging against the machine, jump in and drive it.

John Fenderson (profile) says:

Re: Re: Re:

“That’s also what all the hackers do at Black Hat and other yearly events, isn’t it?”

A really HUGE difference is that the Black Hat is all about actually revealing the security flaws so that they can be fixed.

The CIA does no such thing. Until a vulnerability is revealed, it can’t be fixed (you can’t fix something when you don’t know it’s broken).

I’m not saying the CIA is doing wrong. I’m saying that comparing the hacker community to the CIA is like comparing apples to oatmeal.

Anonymous Coward says:

Re: Uh...

The part you’re missing is that there’s no disclosure. They have a coordinated hack-fest, and the results of that get quietly deployed as part of their arsenal, without alerting the manufacturers or customers depending on this stuff to work.

The end result is that the only people who gain anything from this are the CIA and those watching the CIA’s actions — other governments and malicious operatives.

One example of this was in VLC — for years, there was a VLC attack that was effective against OS X, Windows and Linux, and could be triggered just by opening a specially crafted file in VLC (the expected action would still perform too). As I understand it, this was used by the CIA, and eventually some companies like VUPEN noticed what was happening and added it to their arsenal. It took someone who used these products AND was concerned about product security in open source software to flag the issue up.

mcinsand (profile) says:

watch lists and linux/BSD-related websites

There were a couple of articles last year, I think, claiming that commenting on a Linux or BSD related site would get you on a watch list. That makes sense, given that much of the OS development concerns security. Since improving security undermines the CIA’s and NSA’s efforts to undermine security, being concerned about how secure your system might be would effectively be having an interest counter to that of our government.

Anonymous Coward says:

"other adversaries" = ordinary citizens

“That’s what we do,” the official said. “CIA collects information overseas, and this is focused on our adversaries, whether they be terrorists or other adversaries.”

So the CIA collects information “overseas” — i.e., on U.S. citizens using the other Four Eyes.

After the recent dustup between the Senate and the CIA, why am I not sleeping better at night ?

KitKat says:

Corporate Personhood

So here’s a thought…

In the US, corporations are legally people, which they claim grants them rights enjoyed by legal human citizens (rights which are being misused – I’m looking at you, ISPs who claim 1st Amendment means they have a right to censor or modify people’s data on their networks). So from a perspective (not necessarily correct but analogous for our purposes), US companies are US citizens.

So then how come hosting a jamboree to hack into an American company’s stuff is more acceptable than hacking into John Doe’s computer for the same reason? Now, you can say that they bought Apple hardware and hacked that, which is “okay”* because at that point they owned the hardware and not Apple. But if (haha if) they instead actually hacked into servers and stuff owned by Apple, Apple should be screaming massive 4th Amendment violations (corporate personhood and all, right?), just like John Doe would – and the government can’t claim lack of standing on this one.

This is all bullshit. Either companies are people, or they aren’t** – the government doesn’t get to pick and choose based on how it feels and what it thinks it can get away with, but right now the citizens are getting the short ends of both sticks.

*As an aside, lots of companies are claiming that modifying stuff is illegal – phone unlocking, jailbreaking, modding, etc. There’s been a decade or more of fighting over our rights to make harmless modifications (jailbreaking doesn’t encourage piracy any more than encryption encourages terrorism) to our devices. Yet while lobbyists/the government is trying to make stuff like device modification effectively illegal (‘without permission’ or whatever red herring platitude they insert), they themselves are doing exactly that – only their modifications are far from harmless. The government is once more not applying the same standards to itself as it does its citizens, just like when all those copyright maximalists were caught using copyrighted material or pirated software.

**I’m inclined towards the latter, seeing as corporate personhood is pretty much a uniquely American thing. There are better tools to accomplish the same goals; corporate personhood isn’t necessary.

GEMont (profile) says:

Re: Sorry folks

s

Well, we completely changed the constitution because 9/11 and so now, all of your so-called rights and laws are what we say they are, when we say they are, and according to OUR latest re-interpretation of the laws of the USA, we have not exceeded any legal boundaries, or broken any laws.

Sincerely,

NSA, your National Surveillance Agency

PS

eat out shorts 🙂

/s

Anonymous Coward says:

“It is what it is” and what it is is lawfully illegal according to your LAWFUL constitution, where the main purpose of such an event is to create tools that WILL be used, unlawfully, to violate the fourth

So you breaking the constitution, law, legal, policy, whatever the fuck you should call it depending on your blaze mood, you breaking these that you enforce by force on others is most assuredly not a bullshit fucking response of

“It is what its”

No.its.fuckin.not…………or are you implying that laws are meaningless, that nobody should bother following them, and your authority go up in smoke with it……..thats seems to be about the same amount of respect you are showing to the law of the land with

“It is what it is”……..god, …….can’t we have a tsa scanner that identifies bad fucking representation, at least tsa would do SOME good against the damage of their existence……and……and…….no more bad fuc..ing representation

