[WikiLeaks] 'Vault 7' CIA Hacking Tools Revealed

[Anonymous Bosch]

Another major disclosure from WikiLeaks:

Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency. Code-named "Vault 7" by WikiLeaks, it is the largest ever publication of confidential documents on the agency.

The first full part of the series, "Year Zero", comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virgina. It follows an introductory disclosure last month of CIA targeting French political parties and candidates in the lead up to the 2012 presidential election.

Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

"Year Zero" introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of "zero day" weaponized exploits against a wide range of U.S. and European company products, include Apple's iPhone, Google's Android and Microsoft's Windows and even Samsung TVs, which are turned into covert microphones.

Since 2001 the CIA has gained political and budgetary preeminence over the U.S. National Security Agency (NSA). The CIA found itself building not just its now infamous drone fleet, but a very different type of covert, globe-spanning force — its own substantial fleet of hackers. The agency's hacking division freed it from having to disclose its often controversial operations to the NSA (its primary bureaucratic rival) in order to draw on the NSA's hacking capacities.

By the end of 2016, the CIA's hacking division, which formally falls under the agency's Center for Cyber Intelligence (CCI), had over 5000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other "weaponized" malware. Such is the scale of the CIA's undertaking that by 2016, its hackers had utilized more code than that used to run Facebook. The CIA had created, in effect, its "own NSA" with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified.

In a statement to WikiLeaks the source details policy questions that they say urgently need to be debated in public, including whether the CIA's hacking capabilities exceed its mandated powers and the problem of public oversight of the agency. The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.

[El Guapo]

I don't really doubt that this merits public discussion, and I think it very likely that there are abuses here. At the same time, I would note that it is interesting that Wikileaks's next big target is another prominent opponent / obstacle to Putin and Trump.

[Remus West]

Yep. No trust for Wikileaks here. To me they simply represent the propaganda arm of the Putin government in his take over of America. They are clearly his puppet. Whether or not what they publish has merit it is forever tainted by their past actions that brought us to the place we now are.

[Holman]

And let's note that this isn't just an attempt to sow distrust of the intelligence community generally.

It's about hacking and listening in--"wire tapps," if you will.

And, there you go: it took me five seconds to find a random Twitter user declaring that all the talk of Russian hacking was a false flag to allow Obama to spy on Trump (however that was supposed to work).

[Kraken]

The CIA called their program of using our Samsung TVs to spy on us "Weeping Angel" because the TVs were most dangerous when nobody was watching. Dr Who fans nod in approval.

[Holman]

I'm seeing various levels of outrage about this online. Is there any indication these tools are being nefariously used against innocents or domestic targets? Or are they just an obvious and expected part of the clandestine arms race that began with the first lockpick?

The CIA has had exploding cigars for a long time, but the issue is who gets to enjoy them.

[Paingod]

Or are they just an obvious and expected part of the clandestine arms race that began with the first lockpick?

I don't find any of it surprising and completely expect something like this on every side of every table when it comes to agencies like the CIA or the FSB. Anyone who's outraged is simply naive and likely ignorant of how the technological backend of the world works. So many ways to exploit so many devices and no good way to secure them. I would probably say that at least it's not just Russia that's able to get this level of intel, right? I'd only be outraged if the CIA was shown to be abusing this domestically and illegally.

If you want someone to blame, look to manufacturers and retailers who don't keep their stuff updated and leave in security holes - as well as end-users who don't bother to keep themselves secure.

Use long & strong passphrases, encrypt your drives, put electrical tape over cameras not in use, and look for driver/firmware updates for all of your electronics periodically. If it can connect to the internet in any way, shape, or form - it's vulnerable.

[El Guapo]

Or are they just an obvious and expected part of the clandestine arms race that began with the first lockpick?

I don't find any of it surprising and completely expect something like this on every side of every table when it comes to agencies like the CIA or the FSB. Anyone who's outraged is simply naive and likely ignorant of how the technological backend of the world works. So many ways to exploit so many devices and no good way to secure them. I would probably say that at least it's not just Russia that's able to get this level of intel, right? I'd only be outraged if the CIA was shown to be abusing this domestically and illegally.

If you want someone to blame, look to manufacturers and retailers who don't keep their stuff updated and leave in security holes - as well as end-users who don't bother to keep themselves secure.

Use long & strong passphrases, encrypt your drives, put electrical tape over cameras not in use, and look for driver/firmware updates for all of your electronics periodically. If it can connect to the internet in any way, shape, or form - it's vulnerable.

Is there any indication that this stuff is being used domestically, targeting U.S. citizens? That's really the line, I think.

[Max Peck]

The dump also contains a list of millions of prime factors, a 0-day Tamagotchi exploit, and a technique for getting gcc and bash to execute arbitrary code.

[Isgrimnur]

If it can connect to the internet in any way, shape, or form - it's vulnerable.

Especially if it's Western Digital:

Western Digital Corporation network-attached storage owners were warned of critical flaws in the company’s My Cloud line of hardware that exposed data stored on the devices to attack. The flaws impact a dozen Western Digital drives that could allow remote adversaries to bypass logins, insert commands, upload files without permission, and gain control of devices.
...
SCVL researchers notified Western Digital of the vulnerabilities on Jan. 18, 2016 and publicly disclosed the flaw Tuesday. Additionally, security firm Exploitee.rs simultaneously identified the flaws and publicly disclosed the bugs over the weekend.

The vulnerabilities were discovered on Western Digital’s My Cloud PR4100 NAS device. However, the flaws are also present across WD’s portfolio of MyCloud NAS devices such as: DL4100, EX4, EX2 Ultra and PR2100. A full list of impacted products is available online.

[Paingod]

General Michael Hayden would like to assure us that Obama could not wiretap anyone, and that the CIA is not spying on US citizens but instead on "bad people" ... ... so what you can instead be thankful for is that it's Russian intelligence, not the CIA, that are spying on you through your TV.

[ImLawBoy]

Or are they just an obvious and expected part of the clandestine arms race that began with the first lockpick?

I don't find any of it surprising and completely expect something like this on every side of every table when it comes to agencies like the CIA or the FSB. Anyone who's outraged is simply naive and likely ignorant of how the technological backend of the world works. So many ways to exploit so many devices and no good way to secure them. I would probably say that at least it's not just Russia that's able to get this level of intel, right? I'd only be outraged if the CIA was shown to be abusing this domestically and illegally.

If you want someone to blame, look to manufacturers and retailers who don't keep their stuff updated and leave in security holes - as well as end-users who don't bother to keep themselves secure.

Use long & strong passphrases, encrypt your drives, put electrical tape over cameras not in use, and look for driver/firmware updates for all of your electronics periodically. If it can connect to the internet in any way, shape, or form - it's vulnerable.

Is there any indication that this stuff is being used domestically, targeting U.S. citizens? That's really the line, I think.

That's the practical line, but not the emotional one. Decades of government mistrust and a steady diet of conspiracy theories (both the loony flat earther type and the type promulgated by a lot of popular entertainment (e.g., X-Files) have conditioned a lot of folks to assume that if the government has the tools to surveil us, they're going to surveil us. (Lack of concrete evidence only shows how far the conspiracy goes.) People freaking out a bit about this is not an unreasonable response in that light, even if the reality is much less nefarious than their imaginations and Wikileaks would like them to believe.

FWIW, Colbert had the former head of the CIA and NSA on last night, and he tried to be reassuring about how this type of surveillance is used (and about how Trump's accusations about wire tapppppps were absurd). He even mentioned that he doesn't put anything in front of the camera on his laptop! [edit]What Paingod just posted, basically.[/edit]

[Anonymous Bosch]

Or are they just an obvious and expected part of the clandestine arms race that began with the first lockpick?

I don't find any of it surprising and completely expect something like this on every side of every table when it comes to agencies like the CIA or the FSB. Anyone who's outraged is simply naive and likely ignorant of how the technological backend of the world works. So many ways to exploit so many devices and no good way to secure them. I would probably say that at least it's not just Russia that's able to get this level of intel, right? I'd only be outraged if the CIA was shown to be abusing this domestically and illegally.

If you want someone to blame, look to manufacturers and retailers who don't keep their stuff updated and leave in security holes - as well as end-users who don't bother to keep themselves secure.

Use long & strong passphrases, encrypt your drives, put electrical tape over cameras not in use, and look for driver/firmware updates for all of your electronics periodically. If it can connect to the internet in any way, shape, or form - it's vulnerable.

Is there any indication that this stuff is being used domestically, targeting U.S. citizens? That's really the line, I think.

It's certainly one line, but likely beside the point at this stage (NB. points #1 and #3 below). Reason.com summarises several of the current main takeaways:

1. The CIA developed malware for iPhone and Android, as well as Windows, OSx, Linux, and internet servers.

According to Wikileaks, the documents show the CIA has a specialized unit specifically for stealing data from Apple products like the iPhone and the iPad, and another unit for Google's Android mobile operating system. These units create malware based on "zero day" exploits that the companies that develop the compromised systems are not aware of. While after the Edward Snowden disclosures the Obama administration promised to share such exploits when agencies like the National Security Agency discovered them, Wikileaks says the documents it released show that has not been the case. Such "hoarding," as is noted by Wikileaks and has been long noted by critics of cyberwar tactics, can exacerbate security risks—any exploit the CIA can use to compromise a U.S. system foreign powers can also.

The malware the CIA has developed for iPhones and Android phones allow, according to Wikileaks, "the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the 'smart' phones that they run on and collecting audio and message traffic before encryption is applied." This doesn't mean the CIA has cracked the encryption of any specific application, but rather that it has made such encryption obsolete for phones it is able to compromise with its malware. According to Wikileaks, other CIA efforts target Microsoft Windows, Linux, and internet infrastructure and webservers. Wikileaks also details efforts by the CIA to develop a "Fake Off" mode to use on Samsung smart televisions in order to turn them into effective surveillance devices, as well as conceptual efforts toward taking remote control of "smart" vehicles.

2. The CIA has a "menu" of hacking tools for its assets to use, as well as "fingerprints" of other states.

A questionnaire under the program "Fine Dining" allows CIA case officers to identify their specific needs and receive hacking tools tailored to them. The list of possible targets includes asset, liaison asset, system administrator, foreign information operations, foreign intelligence agencies and foreign government entities. "Notably absent," Wikileaks points out, "is any reference to extremists or transnational criminals."

The CIA's UMBRAGE group also keeps a "substantial library of attack techniques 'stolen' from malware produced in other states," Wikileaks notes, helpfully adding that that includes Russia. Such a library of digital fingerprints, which Wikileaks compares to a distinctive knife wound, could help "misdirect attribution." Questions over just how Russia-specific purported Russia-specific telltale signs in the DNC hacks were fuel much of the suspicion about the certainty of the accusations against Russia.

3. The archive Wikileaks released was likely passed around among former U.S. hackers and contractors.

Wikileaks warns that the "CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation," and that the documents it was publishing it had received from a former U.S. government hacker or contractor, a community within which the documents had been previously circulation.

"There is an extreme proliferation risk in the development of cyber 'weapons,'" Wikileaks noted in its press release. "Comparisons can be drawn between the uncontrolled proliferation of such 'weapons', which results from the inability to contain them combined with their high market value, and the global arms trade." According to Wikileaks, the documents it released were not considered classified information because the nature of malware requires code to be left on target computers—handling classified information in such a way is prohibited.

4. The CIA appears to have duplicated the NSA's cyberwarfare efforts to avoid information sharing.

According to Wikileaks, for years the CIA has been developing "its own substantial fleet of hackers," one that has "freed it from having to disclose its often controversial operations to the NSA (its primary bureaucratic rival) in order to draw on the NSA's hacking capacities."

The CIA, Wikileaks explains, "had created, in effect, its 'own NSA' with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified."

It calls to mind the quote from the 1996 film Contact: "First rule in government spending: why build one when you can have two at twice the price?" Especially if it's secret!

[Anonymous Bosch]

If you want someone to blame, look to manufacturers and retailers who don't keep their stuff updated and leave in security holes - as well as end-users who don't bother to keep themselves secure.

That overlooks one of the primary issues raised by the leak though, i.e.:

“The CIA reports show the USG [U.S. government] developing vulnerabilities in U.S. products, then intentionally keeping the holes open,” tweeted Edward Snowden, the former NSA contractor who in 2013 released documents about widespread government surveillance. “Reckless beyond words.”

One of the documents shows that the CIA purchased some of its tools to exploit flaws, and some were bought by the NSA and shared with the CIA.

Under the Obama-era policy, an agency buying information about a flaw must agree to submit it to the vulnerabilities review, Daniel said. But if an agency has bought a hacking tool without the rights to the underlying flaw, it may not be able to do so, he said.

A case in point involved the FBI, which last year paid hundreds of thousands of dollars for a solution to crack an iPhone that had been used by a terrorist in the San Bernardino, Calif., mass shootings in 2015.

“As long as the CIA keeps these vulnerabilities concealed from Apple and Google (who make the phones), they will not be fixed, and the phones will remain hackable,” WikiLeaks said in a news release.

On Tuesday, technology firms were scrambling to review the documents to determine which, if any, of the security flaws mentioned might still exist. Apple spokesman Fred Sainz said in a statement, “While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities.”

The CIA data dump, coming on the heels of a massive breach of NSA hacking tools last year, underscores the importance of the vulnerabilities review process in a new administration, said Ross Schulman, senior counsel at New America’s Open Technology Institute, a think tank. He noted that the review policy “existed by the grace of the Obama administration.”

Trump cyber officials have indicated that it will continue, he said. But there’s no law requiring the review, and critics have said it could have stronger transparency requirements.

“Congress ought to pass a law saying that something like the [Vulnerabilities Equities Process] ought to exist,” Schulman said.

[hepcat]

I have to say, this has Barron's fingerprints all over it.

[Moliere]

The conclusion seems to be that whether it's the NSA, FBI, or the CIA, I have no expectation of privacy. My phone, TV, and computer are all bugged and there is little I can do to stop them.

[NickAragua]

Well, at least it's more efficient this way. Used to be you'd have a bunch of sweaty guys camped out in an "repair van" across the street from your house. Look, fellas, even if it's the comcast guy, it doesn't take him three weeks to fix the wires on a single power pole. And they're unionized so they're not going to be working on it 24/7. That, and the fifty thousand high-gain antennae and radio dishes sticking out from the van don't really help.

I almost feel sorry for the scrub that has to look through the footage of what I do at my computer. Almost, because, hey, you knew what you signed up for, buddy.

[gilraen]

I almost feel sorry for the scrub that has to look through the footage of what I do at my computer. Almost, because, hey, you knew what you signed up for, buddy.

That's been pretty much my mindset about this for years now

[hepcat]

The conclusion seems to be that whether it's the NSA, FBI, or the CIA, I have no expectation of privacy. My phone, TV, and computer are all bugged and there is little I can do to stop them.

I'm pretty sure that's been the case since they were invented.

[Holman]

In the absence of Snowden-like revelations that the CIA has used these tools on Americans, the basic fact is that our CIA was hacked and that Wikileaks has exposed and thus weakened tools that allow us to find, investigate, and thwart our enemies. That's what the spies are there for.

People across the political spectrum are starting to notice that the WH and the GOP have allowed this to go completely unremarked. They haven't even issued basic statements.

[El Guapo]

In the absence of Snowden-like revelations that the CIA has used these tools on Americans, the basic fact is that our CIA was hacked and that Wikileaks has exposed and thus weakened tools that allow us to find, investigate, and thwart our enemies. That's what the spies are there for.

People across the political spectrum are starting to notice that the WH and the GOP have allowed this to go completely unremarked. They haven't even issued basic statements.

The sad thing is that I am mildly surprised that Trump hasn't released a statement praising WikiLeaks for this.

[Fitzy]

I'm seeing on right-wing sites the UMBRAGE portion coming. The accusation is that the CIA was able to fake an attack from another group. Including Russia. Therefore the CIA faked the Russian connection to the election.

I hope I'm being pessimistic, but I foresee this being the end of any chance the Russia investigations reveal the truth (short of a true smoking gun). It's just going to be too easy to say the CIA faked the whole story.

[Anonymous Bosch]

In the absence of Snowden-like revelations that the CIA has used these tools on Americans, the basic fact is that our CIA was hacked and that Wikileaks has exposed and thus weakened tools that allow us to find, investigate, and thwart our enemies. That's what the spies are there for.

To reiterate, the 'Vault 7' WikiLeaks report does not allege that the CIA was actively conducting listening operations upon Americans, but instead highlights the broken promises of the Obama administration for not reporting the vulnerabilities to high-tech American companies so that they could be rectified. In fact, as Snowden observed, they intentionally kept the vulnerabilities open, and subsequently lost control of the majority of their hacking arsenal (meaning ne'er-do-wells of any and all stripes have been able to unleash them upon Americans, and anyone else for that matter). Which is, and was, "Reckless beyond words." To quote WikiLeaks:

“In the wake of Edward Snowden’s leaks about the NSA, the U.S. technology industry secured a commitment from the Obama administration that the executive would disclose on an ongoing basis — rather than hoard — serious vulnerabilities, exploits, bugs or ‘zero days’ to Apple, Google, Microsoft, and other US-based manufacturers,” WikiLeaks wrote yesterday.

“Serious vulnerabilities not disclosed to the manufacturers places huge swathes of the population and critical infrastructure at risk to foreign intelligence or cyber criminals who independently discover or hear rumors of the vulnerability. If the CIA can discover such vulnerabilities, so can others.”

[Holman]

I'm seeing on right-wing sites the UMBRAGE portion coming. The accusation is that the CIA was able to fake an attack from another group. Including Russia. Therefore the CIA faked the Russian connection to the election.

Breitbart, specifically, is pushing the implication that Trump was "set up" by the CIA and that the whole Russian influence story is thus a false flag.

And Breitbart means Bannon, of course.

I hope I'm being pessimistic, but I foresee this being the end of any chance the Russia investigations reveal the truth (short of a true smoking gun). It's just going to be too easy to say the CIA faked the whole story.

I don't think it will be that easy. At least I pray it isn't.

Surely there are enough Republicans willing to put country over party when it comes to collusion with hostile foreign powers... right?

[Paingod]

The sad thing is that I am mildly surprised that Trump hasn't released a statement praising WikiLeaks for this.

Has Fox & Friends told him how to feel about it yet?

[hepcat]

[Max Peck]

https://twitter.com/MaxBoot/status/839863294315868160

https://twitter.com/MaxBoot/status/840022914409799680

[gameoverman]

The FBI used Geek Squad employees as spies on people who brought their computers in to have work done. I'd be shocked if the CIA or other organizations didn't have people in all these tech companies working for them. They hack from the outside while their assets on the inside make sure things remain hackable. We know companies like AT&T allow these agencies to build access points to communications data, why wouldn't Facebook/Google/Apple/etc have handed over at least indirect lines of access as well?

It would be similar to how the East Germans had spies in all walks of civilian life, so they could stay on top of things, except this is the high tech way of doing it.

[LordMortis]

As far as the cyber, I agree to parts of what Secretary Clinton said. We should be better than anybody else, and perhaps we're not. I don't think anybody knows it was Russia that broke into the DNC. She's saying Russia, Russia, Russia, but I don't — maybe it was. I mean, it could be Russia, but it could also be China. It could also be lots of other people. It also could be somebody sitting on their bed that weighs 400 pounds, okay? ... We came in with the Internet, we came up with the Internet, and I think Secretary Clinton and myself would agree very much, when you look at what [the Islamic State] is doing with the Internet, they're beating us at our own game. ISIS.

So we have to get very, very tough on cyber and cyber warfare. It is — it is a huge problem. I have a son. He's 10 years old. He has computers. He is so good with these computers, it's unbelievable. The security aspect of cyber is very, very tough. And maybe it's hardly doable. But I will say, we are not doing the job we should be doing. But that's true throughout our whole governmental society. We have so many things that we have to do better, Lester, and certainly cyber is one of them.

Policy guidance on the cyber at its... its... its something.

I'm a little put off this morning at how Assange is being compared to Snowden. Especially when as far as I can tell Trump is sending an envoy to work with Assange and Snowden is an enemy of the state. While it shouldn't surprise me, https://www.google.com/#q=Nigel+Farage+julian+assange totally did. We became a constitutionally banana republic so quickly and without voilence it would be impressive if it weren't so terrifying.

[Holman]

Has anyone heard more about whether this is the real deal?

The popular intelligence community wonks and journalists on Twitter are talking up a new report claiming to show that the FSB knew about Edward Snowden's plans before he acted. The evidence is communications that suggest the FSB was already making plans to collect Snowden and his information before he ever stole his first document and well before he says he contacted anyone about his information.

If this is real, it blows the Snowden whistleblower narrative to pieces and colors him a Russian asset from the beginning. Is it true?

Louise Mensch (@LouiseMensch), whose reputation seems to be solid, is spearheading this story.

[gilraen]

Louise Mensch (@LouiseMensch), whose reputation seems to be solid, is spearheading this story.

Unless we have multiple confirmations that her sources are legit, her reputation doesn't matter - she could be acting in good faith, but her sources may not.

[Zarathud]

Assange is like a modern Bond villain come to life.

[Fretmute]

Assange is like a modern Bond villain come to life.

I say this all the time, about Putin. Assange is a henchman.

[LordMortis]

Assange is like a modern Bond villain come to life.

I say this all the time, about Putin. Assange is a henchman.

QFT

[ImLawBoy]

Assange is like a modern Bond villain come to life.

I say this all the time, about Putin. Assange is a henchman.

Putin is Connery Bond villain.

Assange is a Dalton Bond villain.

[Holman]

Haven't you heard? In Trump/Putin's world, Bond is the villain.

[Anonymous Bosch]

Leaked NSA Malware Threatens Windows Users Around the World:

The ShadowBrokers, an entity previously confirmed by The Intercept to have leaked authentic malware used by the NSA to attack computers around the world, today released another cache of what appears to be extremely potent (and previously unknown) software capable of breaking into systems running Windows. The software could give nearly anyone with sufficient technical knowledge the ability to wreak havoc on millions of Microsoft users.

The leak includes a litany of typically codenamed software “implants” with names like ODDJOB, ZIPPYBEER, and ESTEEMAUDIT, capable of breaking into — and in some cases seizing control of — computers running version of the Windows operating system earlier than the most recent Windows 10. The vulnerable Windows versions ran more than 65 percent of desktop computers surfing the web last month, according to estimates from the tracking firm Net Market Share.

The crown jewel of the implant collection appears to be a program named FUZZBUNCH, which essentially automates the deployment of NSA malware, and would allow a member of agency’s Tailored Access Operations group to more easily infect a target from their desk.

According to security researcher and hacker Matthew Hickey, co-founder of Hacker House, the significance of what’s now publicly available, including “zero day” attacks on previously undisclosed vulnerabilities, cannot be overstated: “I don’t think I have ever seen so much exploits and 0day [exploits] released at one time in my entire life,” he told The Intercept via Twitter DM, “and I have been involved in computer hacking and security for 20 years.” Affected computers will remain vulnerable until Microsoft releases patches for the zero-day vulnerabilities and, more crucially, until their owners then apply those patches.

“This is as big as it gets,” Hickey said. “Nation-state attack tools are now in the hands of anyone who cares to download them…it’s literally a cyberweapon for hacking into computers…people will be using these attacks for years to come.”

Hickey provided The Intercept with a video of FUZZBUNCH being used to compromise a virtual computer running Windows Server 2008–an industry survey from 2016 cited this operating system as the most widely used of its kind.

[Freyland]

Boy, this sure is a lot for Microsoft to go through to get people to upgrade to Windows 10!

[Max Peck]

Microsoft patched 'NSA hack' Windows flaws before leak

Microsoft says it had already fixed software flaws linked to an alleged breach of the global banking system before they were exposed last week.

On Friday, a group called the Shadow Brokers published details of several hacking tools, indicating they had been used by the US National Security Agency (NSA) to spy on money transfers.

Reports suggested Microsoft's Windows operating system remained vulnerable.

But the firm revealed it had in fact addressed the problem in March.

"Customers have expressed concerns around the risk [Shadow Brokers'] disclosure potentially creates," it said in a security update.

"Our engineers have investigated the disclosed exploits, and most of the exploits are already patched."

The company has not, however, revealed how it became aware of the flaws.

Microsoft normally acknowledges third parties who tip it off to problems, but has not done so in this case.

The Reuters news agency reported that the company had told it that neither the NSA nor any other part of the US government had informed it of the hacking tools' existence.

That calls into question how Microsoft learned of the issue - tech blog Ars Technica commented it was "highly unlikely" that the patch and leak would both have occurred so close together by coincidence.

[Max Peck]

Former CIA engineer who sent 'Vault 7' secrets to Wikileaks sentenced to 40 years

A former CIA software engineer was sentenced to 40 years in prison on Thursday after his convictions for what the government described as the biggest theft of classified information in CIA history and for possession of child sexual abuse images and videos.

The bulk of the sentence imposed on Joshua Schulte, 35, in Manhattan federal court came for an embarrassing public release of a trove of CIA secrets by WikiLeaks in 2017. He has been jailed since 2018.

"We will likely never know the full extent of the damage, but I have no doubt it was massive," Judge Jesse M. Furman said as he announced the sentence.

The so-called Vault 7 leak revealed how the CIA hacked Apple and Android smartphones in overseas spying operations, and efforts to turn internet-connected televisions into listening devices. Prior to his arrest, Schulte had helped create the hacking tools as a coder at the agency's headquarters in Langley, Virginia.

Immediately afterward, the judge criticized some of Schulte's half-hour of remarks, saying he was "blown away" by Schulte's "complete lack of remorse and acceptance of responsibility."

The judge said Schulte was "not driven by any sense of altruism," but instead was "motivated by anger, spite and perceived grievance" against others at the agency who he believed had ignored his complaints about the work environment.

Furman said Schulte continued his crimes from behind bars by trying to leak more classified materials and by creating a hidden file on his computer that contained 2,400 images of child sexual abuse that he continued to view from jail.