He is Russian
Paid shill?
Actually an American the CIA has made to look Russian
The report references a lot of zero day tools/vulnerabilities...so no, not all of them have been in the hands of god knows who else. If they were that prevalent then they would no longer be zero days.
Honestly though, this entire dump just shows that the S in IoT totally stands for Security.
Assange giving long ass news conference on Vault 7 right now. They have decided to work with the individual companies on the zero days and the other exploits so they can fix them.
Fix all the zero days except the ones the Russians are using...LOVELY
I wonder if they are making the companies pay for the access.
Honestly, shouldn't the companies just be legally (and thus financially) responsible for putting out insecure products?
We need a secret court so that when our government finds zero days, it can sue the companies for negligence while also keeping the zero day secret.
You basically sign away a VAST majority of any possible litigation in the EULA/TOS.
EULAs/TOSs get rid of personal claims, but the government could still make laws that basically make tech companies vulnerable to suits from the government if they effectively do harm to our national security by putting out ridiculously insecure products that can't be updated (see all Gen1/2 "Smart" items).
Idk if this is going into tinfoil hat territory, but the government is probably not as interested in preventing these exploits from popping up as we would all like.
https://twitter.com/Snowden/status/839171129331830784
That's not tinfoil. They exploit all possible avenues. Also, if they know one's there, they can keep an eye on it to see who else is using it. Probably not though. I'm giving everyone way too much credit.
The Vault 7 press release linked to this article (looks like it has proper non-anon sources), with a ton of info on that subject: https://jia.sipa.columbia.edu/online...uities_process
Yeah, I think reckless is the right way to describe that behavior, assuming they're smarter than any other group/agency doing this.
Sure, if they wanted to kill the industry and fuck over the consumers.
Pro tip: most consumers do not and should not care that their Smart TV can be hacked if a CIA Agent physically came to their home and tampered with it. At that point, what does it even matter?
Half or more of these things, if you look into it, still need physical access. And while you can argue about the moral absolution issues inherent in "if you have nothing to hide," that is functionally how many people operate.
I have no interest in paying a premium to secure my Echo or whatever. If some people do, they could theoretically spend the R&D costs to develop that model, for ex., but they won't, because it won't really sell.
Also, there is pretty much never going to be an invulnerable device in the public space.
Terms like negligence already imply discretion. Every exploit wouldn't necessarily have to be prosecuted. However, right now tech companies are fundamentally not responsible for the security of the products they sell and that is a problem in our increasingly networked world.
In a few years, if Al Qaeda discovers a hole in a car autodriver system and uses it + Google Maps to crash all affected cars into US utility stations, I'd at least like to see the car's manufacturer get demolished in court for it. If the CIA knew about the hole but wasn't telling anyone because it gave them an A/V feed of a few bad guys in their cars, I'd hope pretty much everyone involved in their tech program was fired.
If the CIA discovers said hole in advance and wants to make sure it's patched, they need some legal way to do that (like the one I proposed).
Should we mandate that homes only be sold if they have ADT?
Should we mandate that bikes only be sold if they come with bike locks?
Security is a personal responsibility. I categorically reject the notion that our government should play any role in mandating the industry in this fashion. The cost implications are astronomical. If you've spent so much as an hour looking into the types of measures that are necessary to ensure even nominal security, then you will know how disastrous this would be for digital products of almost any kind.
It's not like I'm saying a computer should come totally immune to viruses. That's just not reasonable. However, it also shouldn't come with a firmware/OS that can't be or isn't updated and has known vulnerabilities. Think of all the networked tech already in our lives. We've got computers, phones, routers, modems, smart TVs/lightbulbs/fridges/ovens, self-driving cars, personal assistant-bots like Alexa, etc. It's only going to get more prevalent, and we're outsourcing the continued security and maintenance of these networked devices to tech-incompetent end users.
For instance, a lot of Android phones are locked (without rooting the phone) to the OEM's update schedule (never). Hardware incompatibilities sometimes make it difficult for OEMs to upgrade full OS versions, but I'm sure some upgrades and patches are possible. At the very least, phone users should be made aware when their phone has known vulnerabilities without having to stay current on tech news.
I'm not asking for a lot, just more than literally nothing.