On Wed, 8 Mar 2017 05:12:18 PM Glenn McIntosh wrote:
On 08/03/17 14:14, Russell Coker wrote:
True. I think I've done my share of work in securing Linux systems both directly through working on SE Linux and indirectly through finding bugs in various daemons and applications (often due to SE Linux policy revealing inappropriate things).
You'll be pleased to see that SELinux gets a few mentions in the CIA leaks :-), particularly in the Android context (e.g. that it prevents normal installation of their 'RoidRage' malware, and how they get around it).
That's good to hear. Even if they managed to get around it in some cases, that still means more work for them and a greater probability that in other cases it will be impossible or too difficult to justify the effort. A recent report on FBI work in cracking phones during criminal investigations suggests that some of the less popular phones can be more secure in practice because the FBI doesn't devote the resources to cracking a phone unless they are going to see it frequently. In cases like this SE Linux increases the work for attackers and reduces the frequency of their attacks.
It is a very different leak to the NSA ones. The NSA ones gave a big picture view of the scope and magnitude of US surveillance, which provided evidence that these agencies were not well regulated (at least in a democratic context). The CIA leaks have the character of random documentation about tools and processes; probably not of as much import in a political sense, but of some interest to people working to secure commonly used platforms.
If there are specific 0day exploits in that collection then it would be useful to fix them. But I doubt that it will turn up anything of long term importance. We know how systems are compromised; the vast majority of people who do such things don't work for secretive government agencies, and most of them give exploits away or sell them to other people. It could start a political discussion about what US taxpayers want to pay the CIA to do. But we all know of lots of things that they do that most taxpayers wouldn't support. Due to the inertia of large government agencies and political parties spending all their time fighting, nothing gets done in that regard. Also, the fact that it's revealed in a partisan way doesn't help things; it would be better if it was part of a larger discussion about the things that many governments do (including the Russian government). When organisations like the CIA make accumulating vulnerabilities a priority for offensive use instead of reporting the bugs, it helps other countries like North Korea and Russia in their attacks. The US has more to lose from computer attacks than any other country; their focus should really be on defense.
What is interesting is that different agencies are independently working on ways of attacking computing infrastructure. I guess duplication of effort is the nature of a large bureaucracy.
It's not surprising that they are working independently. They have different missions and as you note there are issues of bureaucracy.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/