FOR IMMEDIATE RELEASE: WIKILEAKS, Vault 7: CIA Hacking Tools Revealed
Hi Everyone, Urgent call to keyboard arms! Shocking new revelations of CIA hacking tools in software used by everyone, including us Free Software folk. Please share this information with everyone who will listen, we really need to bring the threat to our Privacy and the need for Free Software that is heavily audited into the public consciousness. This is not surprising, however it is really disappointing that what we had feared is true. CIA malware targets iPhone, Android, smart TVs. Already suspected that this method would be used for hacking devices that use end to end encryption, now we have more proof that it is. "These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Weibo, Confide and Cloackman by hacking the "smart" phones that they run on and collecting audio and message traffic before encryption is applied." Hacking smartphones is just the tip of the iceberg. Please take a look at the full article here: https://wikileaks.org/ciav7p1/ If you are on Twitter, I highly urge you share at least 1 tweet from the @wikileaks release. It is vital that we discuss this. Kind Regards, -- Andri Effendi <fusionman133@gmx.de> Organiser of The Free Software Movement in Sydney www.freesoftware.org.au/ GPG fingerprint: 8438 138D ECDA 05E0 591F F2B4 4721 0F03 AC24 DF73 Confidentiality cannot be guaranteed on emails sent or received unencrypted.
This isn't really news. After Snowden's information this is something most people expected. https://www.theatlantic.com/politics/archive/2017/01/assange-man-in-the-news... Also remember that Assange seems to be a Russian agent. -- Sent from my Nexus 6P with K-9 Mail.
Also remember that Assange seems to be a Russian agent. Oh, really?
So you say: * it doesn't matter we know how you can be spied on or that you can be "serendipitous" killed by a truck or that your "secure" apps that should guarantee your privacy are got around. And it still doesn't matter an organization that should look after the american public interest chooses to hoard zero-days instead of disclosing/plugging them (thus letting the public vulnerable against others). * but it does matter Assange is human (thus imperfect). Quite a twisted logic IMHO, I hope you don't mind if I'm not accepting it. Adrian On Wed, Mar 8, 2017 at 12:23 PM, Russell Coker <russell@coker.com.au> wrote:
This isn't really news. After Snowden's information this is something most people expected.
https://www.theatlantic.com/politics/archive/2017/01/ assange-man-in-the-news/512243/
Also remember that Assange seems to be a Russian agent. -- Sent from my Nexus 6P with K-9 Mail. _______________________________________________ Free-software-melb mailing list Free-software-melb@lists.softwarefreedom.com.au http://lists.softwarefreedom.com.au/cgi-bin/mailman/ listinfo/free-software-melb
Free Software Melbourne home page: http://www.freesoftware.asn.au/melb/
I think people who dismiss Assange or Snowden as "Russian Agent(s)" are bonkers and have been manipulated by the MSM. I can't believe that such critical information that should be released to the public as part of being a so called "democracy" is seen as making them foreign agents. Vulnerabilities in the software that hundreds of millions (if not billions) use every day must be exposed and patched ASAP. We can't let this Anti-Russia scare nonsense affect critically judging our government. When wrong doing is exposed, IT must be the center of attention, NOT who revealed it. Its about the movement, NOT the man. Scape goating and saying "it's all russia's fault" without proof is just going to alienate people and will be 100% counter productive. It goes way beyond the US Election. So remember, always think critically of those who are speaking in Canberra, Ottawa, Washinton DC, Wellington, West minister, Berlin or any government relevant to you. Don't take "it's russia's fault" with a grain of salt, especially nowadays when it is just being used as a distraction. Adrian Colomitchi:
Also remember that Assange seems to be a Russian agent. Oh, really?
So you say: * it doesn't matter we know how you can be spied on or that you can be "serendipitous" killed by a truck or that your "secure" apps that should guarantee your privacy are got around. And it still doesn't matter an organization that should look after the american public interest chooses to hoard zero-days instead of disclosing/plugging them (thus letting the public vulnerable against others). * but it does matter Assange is human (thus imperfect).
Quite a twisted logic IMHO, I hope you don't mind if I'm not accepting it.
Adrian
On Wed, Mar 8, 2017 at 12:23 PM, Russell Coker <russell@coker.com.au> wrote:
This isn't really news. After Snowden's information this is something most people expected.
https://www.theatlantic.com/politics/archive/2017/01/ assange-man-in-the-news/512243/
Also remember that Assange seems to be a Russian agent. -- Sent from my Nexus 6P with K-9 Mail. _______________________________________________ Free-software-melb mailing list Free-software-melb@lists.softwarefreedom.com.au http://lists.softwarefreedom.com.au/cgi-bin/mailman/ listinfo/free-software-melb
Free Software Melbourne home page: http://www.freesoftware.asn.au/melb/
Kind Regards, -- Andri Effendi <fusionman133@gmx.de> Organiser of The Free Software Movement in Sydney www.freesoftware.org.au/ GPG fingerprint: 8438 138D ECDA 05E0 591F F2B4 4721 0F03 AC24 DF73 Confidentiality cannot be guaranteed on emails sent or received unencrypted.
On Wed, 8 Mar 2017 01:46:00 PM Andri Effendi wrote:
I think people who dismiss Assange or Snowden as "Russian Agent(s)" are bonkers and have been manipulated by the MSM.
I have never suggested that Snowden is a Russian agent. He merely resides in Russia, there is no evidence of him favoring the Russian government. He only released information about the NSA because that's all he had access to.
I can't believe that such critical information that should be released to the public as part of being a so called "democracy" is seen as making them foreign agents.
I doubt that anyone outside a few of the more extreme members of Congress think that releasing such information makes them Russian agents. Claiming that Russia has a free press is however good evidence of being a Russian agent.
Vulnerabilities in the software that hundreds of millions (if not billions) use every day must be exposed and patched ASAP.
True. I think I've done my share of work in securing Linux systems both directly through working on SE Linux and indirectly through finding bugs in various daemons and applications (often due to SE Linux policy revealing inappropriate things). http://www.itwire.com/business-it-news/open-source/73441-appelbaum-banned- from-debian-events-after-sexual-misconduct-charges.html Could you please give us a summary of some of your contributions to Linux security? A quick Google search only turned up the above.
We can't let this Anti-Russia scare nonsense affect critically judging our government.
When wrong doing is exposed, IT must be the center of attention, NOT who revealed it.
Edward Snowden revealed wrong-doing, I and others took it seriously. Since the Snowden revelations lots of things have been done to improve security, including a massive increase in the use of HTTPS and TOR. This latest release by Assange is simply more of the same. Evidence that the CIA is doing things on Android that the NSA was known to do on other platforms years ago is not particularly interesting and doesn't change anything. I think that everyone who read about the Snowden leaks inferred that such things were being done.
Scape goating and saying "it's all russia's fault" without proof is just going to alienate people and will be 100% counter productive.
It's a good thing that I never said it's Russia's fault. But then studiously ignoring what Russia might be doing is also a bad thing. I think it's reasonable to believe that the Russian government has greater capabilities than the North Korean government and therefore they can do more than hack Sony. There are more than a few people who are happy to have the US government monitor them. Convince those people that Russia isn't a threat and they won't be particularly interested in doing anything about such problems.
Don't take "it's russia's fault" with a grain of salt, especially nowadays when it is just being used as a distraction.
That's something that Trump or Palin might say. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
On 08/03/17 14:14, Russell Coker wrote:
True. I think I've done my share of work in securing Linux systems both directly through working on SE Linux and indirectly through finding bugs in various daemons and applications (often due to SE Linux policy revealing inappropriate things).
You'll be pleased to see that selinux gets a few mentions in the CIA leaks :-), particularly in the Android context (eg that it prevents normal installation of their 'RoidRage' malware, and how they get around it). It is a very different leak to the NSA ones. The NSA ones gave a big picture view of the scope and magnitude of US surveillance, which provided evidence that these agencies were not well regulated (at least in a democratic context). The CIA leaks have the character of random documentation about tools and processes; probably not of as much import in a political sense, but of some interest to people working to secure commonly used platforms. What is interesting is that different agencies are independently working on ways of attacking computing infrastructure. I guess duplication of effort is the nature of a large bureaucracy. Glenn -- pgp: 833A 67F6 1966 EF5F 7AF1 DFF6 75B7 5621 6D65 6D65
On Wed, 8 Mar 2017 05:12:18 PM Glenn McIntosh wrote:
On 08/03/17 14:14, Russell Coker wrote:
True. I think I've done my share of work in securing Linux systems both directly through working on SE Linux and indirectly through finding bugs in various daemons and applications (often due to SE Linux policy revealing inappropriate things).
You'll be pleased to see that selinux gets a few mentions in the CIA leaks :-), particularly in the Android context (eg that it prevents normal installation of their 'RoidRage' malware, and how they get around it).
That's good to hear. Even if they managed to get around it in some cases that still means more work for them and a greater probability that in other cases it will be impossible or too difficult to justify the effort. A recent report on FBI work in cracking phones during criminal investigations suggests that some of the less popular phones can be more secure in practice because the FBI doesn't devote the resources to cracking a phone unless they are going to see it frequently. In cases like this SE Linux increases the work for attackers and reduces the frequency of their attacks.
It is a very different leak to the NSA ones. The NSA ones gave a big picture view of the scope and magnitude of US surveillance, which provided evidence that these agencies were not well regulated (at least in a democratic context). The CIA leaks have the character of random documentation about tools and processes; probably not of as much import in a political sense, but of some interest to people working to secure commonly used platforms.
If there are specific 0day exploits in that collection then that would be useful to fix them. But I doubt that it will turn up anything of long term importance. We know how systems are compromised, the vast majority of people who do such things don't work for secretive government agencies and most of them give exploits away or sell them to other people. It could start a political discussion about what US taxpayers want to pay the CIA to do. But we all know of lots of things that they do that most taxpayers wouldn't support. Due to inertia of large government agencies and political parties spending all their time fighting nothing gets done in that regard. Also the fact that it's revealed in a partisan way doesn't help things, it would be better if it was part of a larger discussion about the things that many governments do (including the Russian government). When organisations like the CIA make accumulating vulnerabilities a priority for offensive use instead of reporting the bugs it helps other countries like North Korea and Russia in their attacks. The US has more to lose from computer attacks than any other countries, their focus should really be on defense.
What is interesting is that different agencies are independently working on ways of attacking computing infrastructure. I guess duplication of effort is the nature of a large bureaucracy.
It's not surprising that they are working independently. They have different missions and as you note there are issues of bureaucracy. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
On Wed, Mar 08, 2017 at 05:12:18PM +1100, Glenn McIntosh wrote:
You'll be pleased to see that selinux gets a few mentions in the CIA leaks :-), particularly in the Android context (eg that it prevents normal installation of their 'RoidRage' malware, and how they get around it).
It is a very different leak to the NSA ones. The NSA ones gave a big picture view of the scope and magnitude of US surveillance, which provided evidence that these agencies were not well regulated (at least in a democratic context). The CIA leaks have the character of random documentation about tools and processes; probably not of as much import in a political sense, but of some interest to people working to secure commonly used platforms.
What is interesting is that different agencies are independently working on ways of attacking computing infrastructure. I guess duplication of effort is the nature of a large bureaucracy.
Glenn -- pgp: 833A 67F6 1966 EF5F 7AF1 DFF6 75B7 5621 6D65 6D65
Just popping in to the less political side of the thread, it's nice to see that SELinux gets a few mentions. I still haven't put much effort in to secure my desktop how I'd like it to be done but it might be a good time to do some more messing around to get something I can feel somewhat safe with. Regarding the leaks: There's really not much there unless I missed a huge block of information. It's annoying that some pages are empty but subpages aren't. A few things struck out at me on my brief read throughout the day: - Most of it is aimed towards end-user devices, such as Windows or Android. - Most issues come from proprietary and/or popular software. - There's no talk of defeating crypto. Some things that interested me: - Win32 programming is top secret. https://wikileaks.org/ciav7p1/cms/page_11629041.html LOL - EFI seems to be a really interesting attack vector. https://wikileaks.org/ciav7p1/cms/page_3375460.html We all know how terrible EFI is, and if you're not running some version of coreboot on your machine then you should be a little worried about this. - Ricky Bobby malware?! https://wikileaks.org/ciav7p1/cms/page_16385046.html https://wikileaks.org/ciav7p1/cms/page_16385073.html https://wikileaks.org/ciav7p1/cms/page_15728810.html https://wikileaks.org/ciav7p1/cms/page_15729131.html https://wikileaks.org/ciav7p1/cms/page_15729066.html https://wikileaks.org/ciav7p1/cms/page_20251107.html (Sorry for the list, I advise skimming them) It looks like typical botnet malware, but it's interesting seeing this side since the malware is used by agents to collect data. It also hides information in filesystem metadata or THROUGH STEGANOGRAPHY! Leveraging existing applications seems to be through DLL hijacking existing applications that would seem in place at work. Worth noting that s - CD-ROM based air gap jumping. https://wikileaks.org/ciav7p1/cms/page_17072172.html Truth be told I haven't actually seen a CD ROM drive for a while now, but it's fascinating that Nero was infected this way. - Proprietary drivers exploited on Android https://wikileaks.org/ciav7p1/cms/page_11629096.html There's not much to read, but it's VERY interesting in that a lot of the exploits are related to proprietary drivers and firmware that projects like Replicant seek to remove. For instance, GPU drivers like Adreno or Broadcom's Wi-Fi drivers. These are things people can't update. Night people, Jookia.
On Wed, 8 Mar 2017 10:28:33 PM Jookia wrote:
Just popping in to the less political side of the thread, it's nice to see that SELinux gets a few mentions. I still haven't put much effort in to secure my desktop how I'd like it to be done but it might be a good time to do some more messing around to get something I can feel somewhat safe with.
I could give a talk and/or training session on SE Linux as a FSM meeting if there is interest.
Regarding the leaks: There's really not much there unless I missed a huge block of information. It's annoying that some pages are empty but subpages aren't. A few things struck out at me on my brief read throughout the day:
- Most of it is aimed towards end-user devices, such as Windows or Android.
Which is easier to crack? Hundreds of millions of old Android devices that don't get security updatess because the manufacturers make more money selling newer devices, or Google's servers? Also who is more likely to notice a compromise, Google's security team or random Android users? As an aside I don't have root on my Android devices and wouldn't necessarily notice a compromise.
- Most issues come from proprietary and/or popular software. - There's no talk of defeating crypto.
The general consensus of opinion is that defeating crypto isn't a winning move. If you crack an algorithm you get fame and maybe a job teaching number theory at a university. If you crack an implementation you can commit some crimes.
Some things that interested me:
- Win32 programming is top secret. https://wikileaks.org/ciav7p1/cms/page_11629041.html
LOL
Over-classification is an ongoing issue with government security. The punishments for under-classifying data are more serious, it's easier to increase classification level than decrease it, and writing highly classified documents can make you feel important.
- EFI seems to be a really interesting attack vector. https://wikileaks.org/ciav7p1/cms/page_3375460.html
Interesting that they named a device NyanCat.
We all know how terrible EFI is, and if you're not running some version of coreboot on your machine then you should be a little worried about this.
If they gain physical access to your system they can mess with you in other ways, like sniffing the hardware on your keyboard. I think that for everyone here, if the CIA becomes so interested in you that they want to do an EFI based attack you have bigger problems than you can deal with. Making your system resistant to a low-priority drive-by attack or a widespread malware attack is a reasonable goal. Being resistant to a full- scale CIA attack isn't something you can expect to succeed in, at least not if you want to keep using computers in anything like a normal way. Any organisation that can make people disappear is not one that you can fight head on. One thing that works in our favor is that 0day attacks are very valuable. Every time a 0day is used there is a risk of it being discovered and fixed. I expect that no-one here is important enough that the CIA would risk losing a 0day on them. Making your PC resistant to a full scale CIA attack is like making your home resistant to a tank attack. But it's probably more difficult to do.
- CD-ROM based air gap jumping. https://wikileaks.org/ciav7p1/cms/page_17072172.html
It's been a standard thing since MS-DOS days that you should never trust an executable from a system that might be infected.
- Proprietary drivers exploited on Android https://wikileaks.org/ciav7p1/cms/page_11629096.html
There's not much to read, but it's VERY interesting in that a lot of the exploits are related to proprietary drivers and firmware that projects like Replicant seek to remove. For instance, GPU drivers like Adreno or Broadcom's Wi-Fi drivers. These are things people can't update.
http://laforge.gnumonks.org/blog/20160920-openmoko_10years/ This is worth reading. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
On Wed, Mar 08, 2017 at 11:42:25PM +1100, Russell Coker wrote:
If they gain physical access to your system they can mess with you in other ways, like sniffing the hardware on your keyboard.
I think that for everyone here, if the CIA becomes so interested in you that they want to do an EFI based attack you have bigger problems than you can deal with. Making your system resistant to a low-priority drive-by attack or a widespread malware attack is a reasonable goal. Being resistant to a full- scale CIA attack isn't something you can expect to succeed in, at least not if you want to keep using computers in anything like a normal way.
Any organisation that can make people disappear is not one that you can fight head on.
One thing that works in our favor is that 0day attacks are very valuable. Every time a 0day is used there is a risk of it being discovered and fixed. I expect that no-one here is important enough that the CIA would risk losing a 0day on them.
Making your PC resistant to a full scale CIA attack is like making your home resistant to a tank attack. But it's probably more difficult to do.
I don't plan to make my system resistant to a full-scale CIA attack, but I do like having a BIOS that isn't a complete and buggy operating system in itself. I think reducing the attack surface is always a worthy goal.
http://laforge.gnumonks.org/blog/20160920-openmoko_10years/
This is worth reading.
Yeah, the state of things is really bad. I did the initial port of Replicant 6 to the i9100 last year, so I'm running that on my phone. It works well enough but I still use the compromised wi-fi blobs out of convenience. It's such a headache that at this point I'm considering avoiding using a phone for things other than calls and messages. Jookia.
On Thu, 9 Mar 2017 07:41:37 AM Jookia wrote:
I don't plan to make my system resistant to a full-scale CIA attack, but I do like having a BIOS that isn't a complete and buggy operating system in itself. I think reducing the attack surface is always a worthy goal.
I agree that reducing the attack surface is good, but I doubt that dealing with BIOS bugs actually achieves that goal. To get to the BIOS an attacker has to either compromise the kernel/acpid or gain physical access to the system. It's well known that there are a variety of ways of intercepting key presses that an attacker could use to get the passphrase to your encrypted filesystems, GPG key, etc after they made a copy of your disk. It's easy to imagine how EFI attacks could be useful in attacking a corporate desktop PC standard running Windows with signed kernel etc. But I can't imagine how it could be the most effective attack against the typical people who are involved in groups like this.
http://laforge.gnumonks.org/blog/20160920-openmoko_10years/
This is worth reading.
Yeah, the state of things is really bad. I did the initial port of Replicant 6 to the i9100 last year, so I'm running that on my phone. It works well enough but I still use the compromised wi-fi blobs out of convenience. It's such a headache that at this point I'm considering avoiding using a phone for things other than calls and messages.
It seems to me that one of the biggest factors in developing free software on PCs is the ability to change floppy disks and hard drives between systems. If you mess up the configuration of Linux on a PC you can install that hard drive in another PC to fix it. Phones have images that are specific to the CPU and chipset, you can't boot an image for your Nexus 7 in a Nexus 5 for test purposes. The images are loaded in storage soldered to the motherboard so you can't switch images. If you convinced me that some new Linux distribution was worth trying I could easily install a spare hard drive in one of my PCs and test it out. I can't install a SD card in one of my phones for testing a different Android build. Android is theoretically free software (ignoring the binary driver issue) via the AOSP. But in practice it's too difficult for me to install one of the other versions, and I was using Linux in 1992! -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
On Thu, Mar 09, 2017 at 06:41:00PM +1100, Russell Coker wrote:
I agree that reducing the attack surface is good, but I doubt that dealing with BIOS bugs actually achieves that goal. To get to the BIOS an attacker has to either compromise the kernel/acpid or gain physical access to the system. It's well known that there are a variety of ways of intercepting key presses that an attacker could use to get the passphrase to your encrypted filesystems, GPG key, etc after they made a copy of your disk.
It's easy to imagine how EFI attacks could be useful in attacking a corporate desktop PC standard running Windows with signed kernel etc. But I can't imagine how it could be the most effective attack against the typical people who are involved in groups like this.
I look at it more as investing time and effort than threat models. It took me maybe a week or two to set coreboot up on my T400, and now it's much less exposed than its previous BIOS. In addition I've removed ME, so I have a mostly free boot system running.
Android is theoretically free software (ignoring the binary driver issue) via the AOSP. But in practice it's too difficult for me to install one of the other versions, and I was using Linux in 1992!
You tend to have to get the phone that you know will work with a ROM.
Hi Russell Coker, "The Debian GNU/Linux project says that former Tor developer Jacob Appelbaum is no longer welcome at its events, after charges of sexual misconduct were levelled against him" The article you are looking at isn't factually accurate. The Title of the Article says that there were 'charges' leveled against Jacob Appelbaum which never happened. There were NEVER any CHARGES laid against Jacob Appelbaum, heck the accusations posted on the "anonymous" blog were never even reported to police. Nor did they ever see the light of day in a court of law. I don't know about you, but I believe in fighting for everyone's rights, not just my own. I don't know what you are getting at here, whether you're trying to sum up my entire contribution to "linux security" by pointing to a miss leading blog written by someone else, who only quotes the written equivalent of sound bites and can't even get the title of his story inline with actual facts. Are you trying to commit character assassination? I don't see how this particular attempt to assassinate my character or credibility is relevant to the original post which was about "WIKILEAKS, Vault 7: CIA Hacking Tools Revealed". I have dedicated hours of my spare time to the Free Software movement and advocating for Privacy and other Human Rights? I have dedicated unpaid volunteer hours spent to provide people with knowledge of how to better protect their privacy online, preserve their documents by switching to Free/Open formats, advocacy against DRM and many other contributions. What gives you the right to demand me to justify my right to speak, by questioning how I contribute to the Free Software community? That is a very low place to go madam or sir. Prove your Russia conspiracy theories. I think that is way more relevant.
I think it's reasonable to believe that the Russian government has greater capabilities than the North Korean government and therefore they can > do more than hack Sony.
You don't have to be an expert to know a state sponsored attack was not necessary for the Sony Leak. Also, that you would never be able to truly pin point the location of such an attack anyway since carrying out an attack using compromised hardware scattered across the globe can mask the origin of the true mastermind. No Proof was ever produced that it was Russia or North Korea. The Sony Hack could have easily been an employee who was not satisfied about their time at sony. It could even be a staged false flag attack from within the US to be used as a pretext for a declaration of war against either of the states you have mentioned "Russia or North Korea". Personally, I would not want to start a war with either Russia or North Korea because of un-proven theories that they were responsible for hacking Sony. The same goes for the DNC leaks, which the western mainstream media and also some western politicians has purported as fact (without proof) that "it was the russians" who leaked the emails. Not only is this ridiculous, but the source of the information is only a distraction from the incriminating evidence of the DNC rigging the primaries against Bernie Sanders. This could have easily been a DNC insider, which Assange has not outright said that it was, but has eluded not only to that conclusion, but also that that person was assassinated. And in fact there was someone in a position to leak such information has actually died not long ago. Julian Assange has eluded to this in an interview. I am not saying that I believe it as fact, because I am a man of my word, I believe in Innocence till Proven Guilty. This will be my last response to you Russell Coker, as I have dedicated my time to promoting software freedom and not responding to trolls who are pulling out the "russia" card whenever they want to distract from incriminating revelations about the US government or our own. Russell Coker:
On Wed, 8 Mar 2017 01:46:00 PM Andri Effendi wrote:
I think people who dismiss Assange or Snowden as "Russian Agent(s)" are bonkers and have been manipulated by the MSM.
I have never suggested that Snowden is a Russian agent. He merely resides in Russia, there is no evidence of him favoring the Russian government. He only released information about the NSA because that's all he had access to.
I can't believe that such critical information that should be released to the public as part of being a so called "democracy" is seen as making them foreign agents.
I doubt that anyone outside a few of the more extreme members of Congress think that releasing such information makes them Russian agents. Claiming that Russia has a free press is however good evidence of being a Russian agent.
Vulnerabilities in the software that hundreds of millions (if not billions) use every day must be exposed and patched ASAP.
True. I think I've done my share of work in securing Linux systems both directly through working on SE Linux and indirectly through finding bugs in various daemons and applications (often due to SE Linux policy revealing inappropriate things).
http://www.itwire.com/business-it-news/open-source/73441-appelbaum-banned- from-debian-events-after-sexual-misconduct-charges.html
Could you please give us a summary of some of your contributions to Linux security? A quick Google search only turned up the above.
We can't let this Anti-Russia scare nonsense affect critically judging our government.
When wrong doing is exposed, IT must be the center of attention, NOT who revealed it.
Edward Snowden revealed wrong-doing, I and others took it seriously. Since the Snowden revelations lots of things have been done to improve security, including a massive increase in the use of HTTPS and TOR.
This latest release by Assange is simply more of the same. Evidence that the CIA is doing things on Android that the NSA was known to do on other platforms years ago is not particularly interesting and doesn't change anything. I think that everyone who read about the Snowden leaks inferred that such things were being done.
Scape goating and saying "it's all russia's fault" without proof is just going to alienate people and will be 100% counter productive.
It's a good thing that I never said it's Russia's fault.
But then studiously ignoring what Russia might be doing is also a bad thing. I think it's reasonable to believe that the Russian government has greater capabilities than the North Korean government and therefore they can do more than hack Sony.
There are more than a few people who are happy to have the US government monitor them. Convince those people that Russia isn't a threat and they won't be particularly interested in doing anything about such problems.
Don't take "it's russia's fault" with a grain of salt, especially nowadays when it is just being used as a distraction.
That's something that Trump or Palin might say.
Kind Regards, -- Andri Effendi <fusionman133@gmx.de> Organiser of The Free Software Movement in Sydney www.freesoftware.org.au/ GPG fingerprint: 8438 138D ECDA 05E0 591F F2B4 4721 0F03 AC24 DF73 Confidentiality cannot be guaranteed on emails sent or received unencrypted.
On Thu, 9 Mar 2017 02:27:00 AM Andri Effendi wrote:
"The Debian GNU/Linux project says that former Tor developer Jacob Appelbaum is no longer welcome at its events, after charges of sexual misconduct were levelled against him"
The article you are looking at isn't factually accurate.
The Title of the Article says that there were 'charges' leveled against Jacob Appelbaum which never happened.
There were NEVER any CHARGES laid against Jacob Appelbaum, heck the accusations posted on the "anonymous" blog were never even reported to police.
The word "charge" has many meanings in English. In the context of a court case it can mean an official accusation (among other things). But it also has other meanings. 8. An accusation of a wrong of offense; allegation; indictment; specification of something alleged. [1913 Webster] Above is one of the definitions which probably best corresponds to Sam's use. Sam has a great command of the English language and uses it precisely.
Nor did they ever see the light of day in a court of law.
I don't know about you, but I believe in fighting for everyone's rights, not just my own.
Yes, that's why I want Jacob excluded from Debian, LCA, and every other source of victims. Some of the people who accused him are people I know IRL and some are people I know from Internet correspondence.
I don't know what you are getting at here, whether you're trying to sum up my entire contribution to "linux security" by pointing to a miss leading blog written by someone else, who only quotes the written equivalent of sound bites and can't even get the title of his story inline with actual facts.
https://medium.com/@violetblue/but-he-does-good-work-6710df9d9029#.ci5xlnvrc You are a conspiracy theorist. You claim that Jacob was framed, while the more reasonable assumption is that he did what he was accused of. Until I read the above article I didn't realise it was possible for someone to be such a creep that a BDSM gay porn company had to sack them, but apparently Jacob achieved that. http://earthfirstjournal.org/newswire/2014/04/26/notes-on-david-furcas-dont- let-police-infiltrators-distrupt-our-movements/ Now there is a history of police infiltrators sexually abusing members of political organisations, the above URL is one of many documenting that. We should consider whether Jacobs situation is more similar to an activist being targeted by the authorities (who have not arrested him as you note) or an infiltrator attacking political organisations. As an aside when we discussed evicting him from Debian people tried the "but what about the work he did" thing. But it turned out he had contributed little to Debian and nothing for several years, it was just another group he had joined for reasons other than contributing.
Are you trying to commit character assassination?
I'll let your conspiracy theories and defence of the indefensible speak for itself.
I don't see how this particular attempt to assassinate my character or credibility is relevant to the original post which was about "WIKILEAKS, Vault 7: CIA Hacking Tools Revealed".
I have dedicated hours of my spare time to the Free Software movement and advocating for Privacy and other Human Rights?
I have dedicated unpaid volunteer hours spent to provide people with knowledge of how to better protect their privacy online, preserve their documents by switching to Free/Open formats, advocacy against DRM and many other contributions.
It's nice that you have spent hours doing that. I have spent 16 years working on SE Linux.
What gives you the right to demand me to justify my right to speak, by questioning how I contribute to the Free Software community?
What gives you the right to question all the victims of Jacob?
That is a very low place to go madam or sir.
You lack the knowledge of English needed to criticise Sam's writing.
Prove your Russia conspiracy theories. I think that is way more relevant.
I've shown that Assange defends Russia. If there is a reasonable explanation for that then offer it.
You don't have to be an expert to know a state sponsored attack was not necessary for the Sony Leak.
Also, that you would never be able to truly pin point the location of such an attack anyway since carrying out an attack using compromised hardware scattered across the globe can mask the origin of the true mastermind.
No Proof was ever produced that it was Russia or North Korea.
https://krebsonsecurity.com/2014/12/the-case-for-n-koreas-role-in-sony-hack/ https://www.schneier.com/blog/archives/2015/09/good_article_on.html Krebs and Schneier are convinced that North Korea was behind the Sony hack. While we may never have absolute proof I think that NK is the best theory to go with.
The Sony Hack could have easily been an employee who was not satisfied about their time at sony.
It could even be a staged false flag attack from within the US to be used as a pretext for a declaration of war against either of the states you have mentioned "Russia or North Korea".
https://en.wikipedia.org/wiki/Korean_Armistice_Agreement There is no possibility of a declaration of war against North Korea, there has been no "final peaceful settlement" of the last war, so the war hasn't ended. https://en.wikipedia.org/wiki/USS_Pueblo_(AGER-2) The US government has no desire to start hostilities with NK again. As they didn't respond with force to the Pueblo incident it seems unlikely that they will want to do anything now.
The same goes for the DNC leaks, which the western mainstream media and also some western politicians has purported as fact (without proof) that "it was the russians" who leaked the emails.
The CIA believe that Russia was behind it. Wikileaks is proven to be pro- Russia, so that seems plausible.
Not only is this ridiculous, but the source of the information is only a distraction from the incriminating evidence of the DNC rigging the primaries against Bernie Sanders.
No-one outside the US Democratic party cares much about whether they rigged their internal elections.
This could have easily been a DNC insider, which Assange has not outright said that it was, but has eluded not only to that conclusion, but also that that person was assassinated.
And in fact there was someone in a position to leak such information has actually died not long ago.
Recursive conspiracy theories.
Julian Assange has eluded to this in an interview.
I am not saying that I believe it as fact, because I am a man of my word, I believe in Innocence till Proven Guilty.
This will be my last response to you Russell Coker, as I have dedicated my time to promoting software freedom and not responding to trolls who are pulling out the "russia" card whenever they want to distract from incriminating revelations about the US government or our own.
Most people who say that don't last 24 hours. Most of the rest don't last a week. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
In plain english: "WikiLeaks will provide technology companies with exclusive access to CIA hacking tools it possesses, allowing them to patch software flaws, founder Julian Assange says." Source: http://www.abc.net.au/news/2017-03-10/wikileaks-offers-cia-hack-information-... Q: does his motivations matter in this case? If so, why and, more importantly, how much do the mptovations matter in comparison with the (potential) vuln patching by their authors? Adrian On Thu, Mar 9, 2017 at 9:17 PM, Russell Coker <russell@coker.com.au> wrote:
On Thu, 9 Mar 2017 02:27:00 AM Andri Effendi wrote:
"The Debian GNU/Linux project says that former Tor developer Jacob Appelbaum is no longer welcome at its events, after charges of sexual misconduct were levelled against him"
The article you are looking at isn't factually accurate.
The Title of the Article says that there were 'charges' leveled against Jacob Appelbaum which never happened.
There were NEVER any CHARGES laid against Jacob Appelbaum, heck the accusations posted on the "anonymous" blog were never even reported to police.
The word "charge" has many meanings in English. In the context of a court case it can mean an official accusation (among other things). But it also has other meanings.
8. An accusation of a wrong of offense; allegation; indictment; specification of something alleged. [1913 Webster]
Above is one of the definitions which probably best corresponds to Sam's use. Sam has a great command of the English language and uses it precisely.
Nor did they ever see the light of day in a court of law.
I don't know about you, but I believe in fighting for everyone's rights, not just my own.
Yes, that's why I want Jacob excluded from Debian, LCA, and every other source of victims. Some of the people who accused him are people I know IRL and some are people I know from Internet correspondence.
I don't know what you are getting at here, whether you're trying to sum up my entire contribution to "linux security" by pointing to a miss leading blog written by someone else, who only quotes the written equivalent of sound bites and can't even get the title of his story inline with actual facts.
https://medium.com/@violetblue/but-he-does-good- work-6710df9d9029#.ci5xlnvrc
You are a conspiracy theorist. You claim that Jacob was framed, while the more reasonable assumption is that he did what he was accused of. Until I read the above article I didn't realise it was possible for someone to be such a creep that a BDSM gay porn company had to sack them, but apparently Jacob achieved that.
http://earthfirstjournal.org/newswire/2014/04/26/notes-on- david-furcas-dont- let-police-infiltrators-distrupt-our-movements/
Now there is a history of police infiltrators sexually abusing members of political organisations, the above URL is one of many documenting that. We should consider whether Jacobs situation is more similar to an activist being targeted by the authorities (who have not arrested him as you note) or an infiltrator attacking political organisations.
As an aside when we discussed evicting him from Debian people tried the "but what about the work he did" thing. But it turned out he had contributed little to Debian and nothing for several years, it was just another group he had joined for reasons other than contributing.
Are you trying to commit character assassination?
I'll let your conspiracy theories and defence of the indefensible speak for itself.
I don't see how this particular attempt to assassinate my character or credibility is relevant to the original post which was about "WIKILEAKS, Vault 7: CIA Hacking Tools Revealed".
I have dedicated hours of my spare time to the Free Software movement and advocating for Privacy and other Human Rights?
I have dedicated unpaid volunteer hours spent to provide people with knowledge of how to better protect their privacy online, preserve their documents by switching to Free/Open formats, advocacy against DRM and many other contributions.
It's nice that you have spent hours doing that. I have spent 16 years working on SE Linux.
What gives you the right to demand me to justify my right to speak, by questioning how I contribute to the Free Software community?
What gives you the right to question all the victims of Jacob?
That is a very low place to go madam or sir.
You lack the knowledge of English needed to criticise Sam's writing.
Prove your Russia conspiracy theories. I think that is way more relevant.
I've shown that Assange defends Russia. If there is a reasonable explanation for that then offer it.
You don't have to be an expert to know a state sponsored attack was not necessary for the Sony Leak.
Also, that you would never be able to truly pin point the location of such an attack anyway since carrying out an attack using compromised hardware scattered across the globe can mask the origin of the true mastermind.
No Proof was ever produced that it was Russia or North Korea.
https://krebsonsecurity.com/2014/12/the-case-for-n-koreas- role-in-sony-hack/ https://www.schneier.com/blog/archives/2015/09/good_article_on.html
Krebs and Schneier are convinced that North Korea was behind the Sony hack. While we may never have absolute proof I think that NK is the best theory to go with.
The Sony Hack could have easily been an employee who was not satisfied about their time at sony.
It could even be a staged false flag attack from within the US to be used as a pretext for a declaration of war against either of the states you have mentioned "Russia or North Korea".
https://en.wikipedia.org/wiki/Korean_Armistice_Agreement
There is no possibility of a declaration of war against North Korea, there has been no "final peaceful settlement" of the last war, so the war hasn't ended.
https://en.wikipedia.org/wiki/USS_Pueblo_(AGER-2)
The US government has no desire to start hostilities with NK again. As they didn't respond with force to the Pueblo incident it seems unlikely that they will want to do anything now.
The same goes for the DNC leaks, which the western mainstream media and also some western politicians has purported as fact (without proof) that "it was the russians" who leaked the emails.
The CIA believe that Russia was behind it. Wikileaks is proven to be pro- Russia, so that seems plausible.
Not only is this ridiculous, but the source of the information is only a distraction from the incriminating evidence of the DNC rigging the primaries against Bernie Sanders.
No-one outside the US Democratic party cares much about whether they rigged their internal elections.
This could have easily been a DNC insider, which Assange has not outright said that it was, but has eluded not only to that conclusion, but also that that person was assassinated.
And in fact there was someone in a position to leak such information has actually died not long ago.
Recursive conspiracy theories.
Julian Assange has eluded to this in an interview.
I am not saying that I believe it as fact, because I am a man of my word, I believe in Innocence till Proven Guilty.
This will be my last response to you Russell Coker, as I have dedicated my time to promoting software freedom and not responding to trolls who are pulling out the "russia" card whenever they want to distract from incriminating revelations about the US government or our own.
Most people who say that don't last 24 hours. Most of the rest don't last a week.
-- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/ _______________________________________________ Free-software-melb mailing list Free-software-melb@lists.softwarefreedom.com.au http://lists.softwarefreedom.com.au/cgi-bin/mailman/ listinfo/free-software-melb
Free Software Melbourne home page: http://www.freesoftware.asn.au/melb/
https://mobile.nytimes.com/2017/03/09/opinion/the-truth-about-the-wikileaks-cia-cache.html?smid=fb-nytimes&smtyp=cur&referer=http://m.facebook.com/ -- Sent from my Nexus 6P with K-9 Mail.
Assange is a public figure and can't be excised from responsibility or relevance over the things he does. The information is fascinating, but the timing is far more fascinating. Assange has spent a number of months releasing information that happens to benefit a particular political player in the most powerful country in the world. This release is no different. It's just a coincidence that he releases information about spying at a time when Trump happens to be claiming he was spied upon? If the information is the most important thing then he won't drip-feed it to the public at times when it most suits his political purpose. The fact that he is doing it that way means that he is using the information he has access to for his own personal benefit. That makes him no better than the governments he is "exposing". He's just one more person who is collecting information to use and using it for personal benefit. Dislike the "establishment" all you like. Assange is fast turning himself into simply an alternative establishment. If the information is all that matters, wikileaks will release all information it obtains as soon as practicable and will do all things possible to ensure that they do not release information at times that just happen to suit partisan political interests. ESPECIALLY when those partisan political interests also appear to align with the partisan interests of the media star of wikileaks. Jason Cleeland -----Original Message----- From: Free-software-melb [mailto:free-software-melb-bounces@lists.softwarefreedom.com.au] On Behalf Of Andri Effendi Sent: Wednesday, 8 March 2017 1:46 PM To: free-software-melb@lists.softwarefreedom.com.au Subject: Re: [free-software-melb] FOR IMMEDIATE RELEASE: WIKILEAKS, Vault 7: CIA Hacking Tools Revealed I think people who dismiss Assange or Snowden as "Russian Agent(s)" are bonkers and have been manipulated by the MSM. I can't believe that such critical information that should be released to the public as part of being a so called "democracy" is seen as making them foreign agents. Vulnerabilities in the software that hundreds of millions (if not billions) use every day must be exposed and patched ASAP. We can't let this Anti-Russia scare nonsense affect critically judging our government. When wrong doing is exposed, IT must be the center of attention, NOT who revealed it. Its about the movement, NOT the man. Scape goating and saying "it's all russia's fault" without proof is just going to alienate people and will be 100% counter productive. It goes way beyond the US Election. So remember, always think critically of those who are speaking in Canberra, Ottawa, Washinton DC, Wellington, West minister, Berlin or any government relevant to you. Don't take "it's russia's fault" with a grain of salt, especially nowadays when it is just being used as a distraction. Adrian Colomitchi:
Also remember that Assange seems to be a Russian agent. Oh, really?
So you say: * it doesn't matter we know how you can be spied on or that you can be "serendipitous" killed by a truck or that your "secure" apps that should guarantee your privacy are got around. And it still doesn't matter an organization that should look after the american public interest chooses to hoard zero-days instead of disclosing/plugging them (thus letting the public vulnerable against others). * but it does matter Assange is human (thus imperfect).
Quite a twisted logic IMHO, I hope you don't mind if I'm not accepting it.
Adrian
On Wed, Mar 8, 2017 at 12:23 PM, Russell Coker <russell@coker.com.au> wrote:
This isn't really news. After Snowden's information this is something most people expected.
https://www.theatlantic.com/politics/archive/2017/01/ assange-man-in-the-news/512243/
Also remember that Assange seems to be a Russian agent. -- Sent from my Nexus 6P with K-9 Mail. _______________________________________________ Free-software-melb mailing list Free-software-melb@lists.softwarefreedom.com.au http://lists.softwarefreedom.com.au/cgi-bin/mailman/ listinfo/free-software-melb
Free Software Melbourne home page: http://www.freesoftware.asn.au/melb/
Kind Regards, -- Andri Effendi <fusionman133@gmx.de> Organiser of The Free Software Movement in Sydney www.freesoftware.org.au/ GPG fingerprint: 8438 138D ECDA 05E0 591F F2B4 4721 0F03 AC24 DF73 Confidentiality cannot be guaranteed on emails sent or received unencrypted.
I fail to see how all the considerations about Assange's motivations and timing are more relevant than the certitude "CIA is doing it wholesale, and - at the present - doing it in *this* and *that* area. If you don't like it - for whatever reasons - prepare yourself". Adrian On Wed, Mar 8, 2017 at 2:39 PM, <jason@cleeland.org> wrote:
Assange is a public figure and can't be excised from responsibility or relevance over the things he does.
The information is fascinating, but the timing is far more fascinating.
Assange has spent a number of months releasing information that happens to benefit a particular political player in the most powerful country in the world. This release is no different.
It's just a coincidence that he releases information about spying at a time when Trump happens to be claiming he was spied upon?
If the information is the most important thing then he won't drip-feed it to the public at times when it most suits his political purpose.
The fact that he is doing it that way means that he is using the information he has access to for his own personal benefit. That makes him no better than the governments he is "exposing". He's just one more person who is collecting information to use and using it for personal benefit.
Dislike the "establishment" all you like. Assange is fast turning himself into simply an alternative establishment.
If the information is all that matters, wikileaks will release all information it obtains as soon as practicable and will do all things possible to ensure that they do not release information at times that just happen to suit partisan political interests. ESPECIALLY when those partisan political interests also appear to align with the partisan interests of the media star of wikileaks.
Jason Cleeland
-----Original Message----- From: Free-software-melb [mailto:free-software-melb- bounces@lists.softwarefreedom.com.au] On Behalf Of Andri Effendi Sent: Wednesday, 8 March 2017 1:46 PM To: free-software-melb@lists.softwarefreedom.com.au Subject: Re: [free-software-melb] FOR IMMEDIATE RELEASE: WIKILEAKS, Vault 7: CIA Hacking Tools Revealed
I think people who dismiss Assange or Snowden as "Russian Agent(s)" are bonkers and have been manipulated by the MSM.
I can't believe that such critical information that should be released to the public as part of being a so called "democracy" is seen as making them foreign agents.
Vulnerabilities in the software that hundreds of millions (if not billions) use every day must be exposed and patched ASAP.
We can't let this Anti-Russia scare nonsense affect critically judging our government.
When wrong doing is exposed, IT must be the center of attention, NOT who revealed it.
Its about the movement, NOT the man.
Scape goating and saying "it's all russia's fault" without proof is just going to alienate people and will be 100% counter productive.
It goes way beyond the US Election.
So remember, always think critically of those who are speaking in Canberra, Ottawa, Washinton DC, Wellington, West minister, Berlin or any government relevant to you.
Don't take "it's russia's fault" with a grain of salt, especially nowadays when it is just being used as a distraction.
Adrian Colomitchi:
Also remember that Assange seems to be a Russian agent. Oh, really?
So you say: * it doesn't matter we know how you can be spied on or that you can be "serendipitous" killed by a truck or that your "secure" apps that should guarantee your privacy are got around. And it still doesn't matter an organization that should look after the american public interest chooses to hoard zero-days instead of disclosing/plugging them (thus letting the public vulnerable against others). * but it does matter Assange is human (thus imperfect).
Quite a twisted logic IMHO, I hope you don't mind if I'm not accepting it.
Adrian
On Wed, Mar 8, 2017 at 12:23 PM, Russell Coker <russell@coker.com.au> wrote:
This isn't really news. After Snowden's information this is something most people expected.
https://www.theatlantic.com/politics/archive/2017/01/ assange-man-in-the-news/512243/
Also remember that Assange seems to be a Russian agent. -- Sent from my Nexus 6P with K-9 Mail. _______________________________________________ Free-software-melb mailing list Free-software-melb@lists.softwarefreedom.com.au http://lists.softwarefreedom.com.au/cgi-bin/mailman/ listinfo/free-software-melb
Free Software Melbourne home page: http://www.freesoftware.asn.au/melb/
Kind Regards, -- Andri Effendi <fusionman133@gmx.de> Organiser of The Free Software Movement in Sydney www.freesoftware.org.au/
GPG fingerprint: 8438 138D ECDA 05E0 591F F2B4 4721 0F03 AC24 DF73 Confidentiality cannot be guaranteed on emails sent or received unencrypted.
_______________________________________________ Free-software-melb mailing list Free-software-melb@lists.softwarefreedom.com.au http://lists.softwarefreedom.com.au/cgi-bin/mailman/ listinfo/free-software-melb
Free Software Melbourne home page: http://www.freesoftware.asn.au/melb/
On Wed, 8 Mar 2017 02:39:58 PM jason@cleeland.org wrote:
If the information is all that matters, wikileaks will release all information it obtains as soon as practicable and will do all things possible to ensure that they do not release information at times that just happen to suit partisan political interests. ESPECIALLY when those partisan political interests also appear to align with the partisan interests of the media star of wikileaks.
http://www.huffingtonpost.com/zeynep-tufekci/wikileaks-erdogan- emails_b_11158792.html Jason, your analysis is insightful and well written. But I disagree with this paragraph. The above article gives a clear example of the problems with a "release all information" approach. Releasing government information that has no relevance to security (EG the amount of money spent on coffee and biscuits for government employees) might be harmless, but releasing information on citizens can be dangerous. Releasing the addresses of most women in a country has an obvious risk of facilitating stalking and rapes. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
On Wed, 8 Mar 2017 03:05:00 PM russell@coker.com.au wrote:
Jason, your analysis is insightful and well written. But I disagree with this paragraph. The above article gives a clear example of the problems with a "release all information" approach. Releasing government information that has no relevance to security (EG the amount of money spent on coffee and biscuits for government employees) might be harmless, but releasing information on citizens can be dangerous. Releasing the addresses of most women in a country has an obvious risk of facilitating stalking and rapes.
Russell, I don't disagree with the article about the dangers of releasing unfettered information. But the problem with having a secretive, unaccountable body deciding what is worth releasing to the public, and what isn't worth releasing to the public is that we have no idea what decisions are being made, why they are made, or what they are refusing to release. Which is kind of exactly the problem that wikileaks usually argue they are addressing. Governments are collecting information about us, and are then - in a secretive, unaccountable manner - deciding what information we may or may not have. Governments usually cite the argument, when they say they can't release some information, that by releasing the information they would be causing harm to the people they are supposed to be protecting. Strangely similar to the article you link to, and the argument about managing what is released. It's a legitimate point for governments to be making - except that we never find out what information governments happen to have chosen to keep from us for our own protection. And in that gap lies the problem wikileaks want to address. However we'll also never know what information wikileaks have chosen to keep from us for our own protection. So what's the difference? There is a slight difference. In a democracy, at least we have the thin veneer of an opportunity to influence our decision makers. And we have laws and systems designed to try and ameliorate the excesses of the dreaded establishment. Imperfect maybe. Let's face it, however crap they are, they all far exceed any public oversight or power we happen to have over wikileaks or Julian Assange. I'm not sure when the next election for the 'board' of wikileaks is happening, but I know for a fact that I don't get a vote. If we are replacing one flawed, failing, not-very transparent information overlord with another flawed, even less transparent overlord, we are really not doing ourselves any favours, no matter how beautiful the core idea behind wikileaks is. And when that organisation starts to play partisan politics with information it possesses, well it's turned into a monster that - if it isn't far worse than what it claims to be protecting us from - it's a least definitely no better. If wikileaks want to protect individuals by withholding some information, or holding it until they have vetted it - well great. We all support not hurting innocent people through thoughtless and rash actions. So do it "as soon as practicable". And if by releasing information two days after President Trump claims he was spied on by the CIA, then it makes wikileaks look like they are complicit with the new US administration, then wikileaks should wait a few weeks and do it at a time where it doesn't play into the hands of one political actor over another. As others have pointed out, it's not like anyone is astounded at this news. I know I'm not. Frankly, if the US government weren't doing exactly what the Chinese government, the Russian government, the French Government, the [insert any country's name] government is doing wouldn't we all be far more surprised? Anyway, that's all off topic. The point is, if wikileaks want to remain "above politics" then they have an obligation to do everything that they can to not only BE above politics, but also to APPEAR to be above politics. Jason Cleeland -----Original Message----- From: Russell Coker [mailto:russell@coker.com.au] Sent: Wednesday, 8 March 2017 3:05 PM To: free-software-melb@lists.softwarefreedom.com.au Cc: jason@cleeland.org Subject: Re: [free-software-melb] FOR IMMEDIATE RELEASE: WIKILEAKS, Vault 7: CIA Hacking Tools Revealed On Wed, 8 Mar 2017 02:39:58 PM jason@cleeland.org wrote:
If the information is all that matters, wikileaks will release all information it obtains as soon as practicable and will do all things possible to ensure that they do not release information at times that just happen to suit partisan political interests. ESPECIALLY when those partisan political interests also appear to align with the partisan interests of the media star of wikileaks.
http://www.huffingtonpost.com/zeynep-tufekci/wikileaks-erdogan- emails_b_11158792.html Jason, your analysis is insightful and well written. But I disagree with this paragraph. The above article gives a clear example of the problems with a "release all information" approach. Releasing government information that has no relevance to security (EG the amount of money spent on coffee and biscuits for government employees) might be harmless, but releasing information on citizens can be dangerous. Releasing the addresses of most women in a country has an obvious risk of facilitating stalking and rapes. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
On Wed, 8 Mar 2017 03:43:10 PM jason@cleeland.org wrote:
On Wed, 8 Mar 2017 03:05:00 PM russell@coker.com.au wrote:
Jason, your analysis is insightful and well written. But I disagree with this paragraph. The above article gives a clear example of the problems with a "release all information" approach. Releasing government information that has no relevance to security (EG the amount of money spent on coffee and biscuits for government employees) might be harmless, but releasing information on citizens can be dangerous. Releasing the addresses of most women in a country has an obvious risk of facilitating stalking and rapes.
Russell, I don't disagree with the article about the dangers of releasing unfettered information. But the problem with having a secretive, unaccountable body deciding what is worth releasing to the public, and what isn't worth releasing to the public is that we have no idea what decisions are being made, why they are made, or what they are refusing to release.
Which is kind of exactly the problem that wikileaks usually argue they are addressing. Governments are collecting information about us, and are then - in a secretive, unaccountable manner - deciding what information we may or may not have.
Except that Wikileaks are part of the problem being a secretive unaccountable body without any legal oversight that decides what to release to the public.
Governments usually cite the argument, when they say they can't release some information, that by releasing the information they would be causing harm to the people they are supposed to be protecting. Strangely similar to the article you link to, and the argument about managing what is released. It's a legitimate point for governments to be making - except that we never find out what information governments happen to have chosen to keep from us for our own protection. And in that gap lies the problem wikileaks want to address.
The case that governments make is usually a lot weaker. For example the US government claims that releasing information on civilian deaths in war zones is bad for propaganda. That claim is based on the assumption that people don't already know about deaths in war zones, and I'm sure that friends and relatives of the deceased know it well. The case for releasing personal details on most women in a country is obviously bogus. There is nothing they could possibly all be doing wrong apart from voting for someone you don't like, and I hope we can all agree that persecuting people for voting for the wrong party is a bad idea. The risks of releasing personal data on women is rape and murder.
However we'll also never know what information wikileaks have chosen to keep from us for our own protection. So what's the difference?
There is a slight difference. In a democracy, at least we have the thin veneer of an opportunity to influence our decision makers. And we have laws and systems designed to try and ameliorate the excesses of the dreaded establishment. Imperfect maybe. Let's face it, however crap they are, they all far exceed any public oversight or power we happen to have over wikileaks or Julian Assange. I'm not sure when the next election for the 'board' of wikileaks is happening, but I know for a fact that I don't get a vote.
It's his personal project. He expells people who disagree.
If we are replacing one flawed, failing, not-very transparent information overlord with another flawed, even less transparent overlord, we are really not doing ourselves any favours, no matter how beautiful the core idea behind wikileaks is.
And when that organisation starts to play partisan politics with information it possesses, well it's turned into a monster that - if it isn't far worse than what it claims to be protecting us from - it's a least definitely no better.
If wikileaks want to protect individuals by withholding some information, or holding it until they have vetted it - well great. We all support not hurting innocent people through thoughtless and rash actions. So do it "as soon as practicable".
But they released the data on Turkish women without vetting it even though there is no conceivable reason for doing so. They have also released data about Saudi Arabia, so their excuse that lack of Russian language knowledge prevents them releasing data doesn't hold water.
And if by releasing information two days after President Trump claims he was spied on by the CIA, then it makes wikileaks look like they are complicit with the new US administration, then wikileaks should wait a few weeks and do it at a time where it doesn't play into the hands of one political actor over another. As others have pointed out, it's not like anyone is astounded at this news. I know I'm not. Frankly, if the US government weren't doing exactly what the Chinese government, the Russian government, the French Government, the [insert any country's name] government is doing wouldn't we all be far more surprised?
In terms of Android malware there's a lot of Chinese and Russian criminal enterprises doing that. People who believe that the US government only does good things should want better phone security to stop criminals.
Anyway, that's all off topic. The point is, if wikileaks want to remain "above politics" then they have an obligation to do everything that they can to not only BE above politics, but also to APPEAR to be above politics.
Yes, that means both actions and statements. If Assange said "I'd like to work with someone who knows Russian to get ready for Russian-language leaks" it would improve the public perception of him. When he says that there's no need for leaks from Russia he sounds like a Russian agent. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
On Wed, 8 Mar 2017 01:12:16 PM Adrian Colomitchi wrote:
Also remember that Assange seems to be a Russian agent.
Oh, really?
Yes, anyone who claims that Russia has an open government is on the Russian side. For all the flaws of the US government it doesn't openly kill journalists that report bad things.
So you say: * it doesn't matter we know how you can be spied on or that you can be "serendipitous" killed by a truck or that your "secure" apps that should guarantee your privacy are got around. And it still doesn't matter an organization that should look after the american public interest chooses to hoard zero-days instead of disclosing/plugging them (thus letting the public vulnerable against others). * but it does matter Assange is human (thus imperfect).
Quite a twisted logic IMHO, I hope you don't mind if I'm not accepting it.
No I don't say anything like that. Please show your messages to someone reliable and get them to advise you. Seek a professional advisor if necessary. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
This isn't really news. From the two messages: "Security by obscurity in these areas" vs "Assange is ..." - which one would you consider relevant for you?
The very page linked in the original poster: "The CIA made these systems unclassified. Why the CIA chose to make its cyberarsenal unclassified reveals how concepts developed for military use do not easily crossover to the 'battlefield' of cyber 'war'. To attack its targets, the CIA usually requires that its implants communicate with their control programs over the internet. If CIA implants, Command & Control and Listening Post software were classified, then CIA officers could be prosecuted or dismissed for violating rules that prohibit placing classified information onto the Internet. Consequently the CIA has secretly made most of its cyber spying/war code unclassified. The U.S. government is not able to assert copyright either, due to restrictions in the U.S. Constitution. This means that cyber 'arms' manufactures and computer hackers can freely "pirate" these 'weapons' if they are obtained. The CIA has primarily had to rely on obfuscation to protect its malware secrets." On Wed, Mar 8, 2017 at 12:23 PM, Russell Coker <russell@coker.com.au> wrote:
This isn't really news. After Snowden's information this is something most people expected.
https://www.theatlantic.com/politics/archive/2017/01/ assange-man-in-the-news/512243/
Also remember that Assange seems to be a Russian agent. -- Sent from my Nexus 6P with K-9 Mail. _______________________________________________ Free-software-melb mailing list Free-software-melb@lists.softwarefreedom.com.au http://lists.softwarefreedom.com.au/cgi-bin/mailman/ listinfo/free-software-melb
Free Software Melbourne home page: http://www.freesoftware.asn.au/melb/
On 08/03/17 12:23, Russell Coker wrote:
This isn't really news. After Snowden's information this is something most people expected.
https://www.theatlantic.com/politics/archive/2017/01/assange-man-in-the-news...
Also remember that Assange seems to be a Russian agent.
Hi Russell and Andri, I'm sorry I hadn't read this thread sooner. It's probably not my place to moderate this list any more, I'm going to chime in anyway. Russell, the above was unnecessarily dismissive of Andri's concerns about CIA hacking. I don't think it ever hurts to be passionate and outraged when privacy violations are revealed, and to use this to start a conversation about free software. We value your work as a security expert - thank you! :) That doesn't preclude others from having a say though. Questioning Andri's credentials and dragging the Jacob Abbelbaum issue was inappropriate. Andri, please don't ever lose your passion for free software! :) Do lean towards ignoring comments that you don't agree with rather than debating them and getting dragged off-topic. Don't be too quick to take things personally. Regards, Ben
participants (7)
-
Adrian Colomitchi -
Andri Effendi -
Ben Sturmfels -
Glenn McIntosh -
jason@cleeland.org -
Jookia -
Russell Coker