Larger lesson of today’s trove of (alleged) CIA hacking tools? Large software systems often have exploitable bugs, as everyone already knew.
Security nuance alert: All sorts of misleading reporting about implications of CIA hacking tools today. (1/)
First, this appears to be about tools that target selected end users by compromising their phones, not that break the crypto generally. (2/)
Apps (like Signal) depend not only on their own code for security, but on the platforms they run on (like iOS or Android). (3/)
A weakness in EITHER the app itself OR the platform may be sufficient for an adversary to target a user and get their messages. (4/)
Which means that if the CIA finds exploitable flaws in iOS/Android, ANY app (like Signal) running there might be able to be compromised (5/)
The trove released today seems to be mostly about exploiting platforms. That’s both bad news and good news for users. (6/)
The bad news is that platform exploits are very powerful. The good news is that they have to target you in order to read your messages. (7/)
These kinds of exploits don’t just let them read everyone’s traffic over the ‘net at the push of a button. (8/)
What can you do as a user to defend? Boring stuff. Keep your software up to date. Don’t run unneeded apps. Don’t become a CIA target. (9/9).
You can yell at me all you want, but I still don't know how to reliably defend a modern phone against a state-level adversary.
Also, what does this tell us about open- vs. closed-source?
It tells us nothing. Neither is a panacea. Software security is just hard.