Exquisite Tweets from @mattblaze

    Collected by Preoccupations

    Larger lesson of today’s trove of (alleged) CIA hacking tools? Large software systems often have exploitable bugs, as everyone already knew.

    Reply Retweet Like

    mattblaze

    matt blaze

    Security nuance alert: All sorts of misleading reporting about implications of CIA hacking tools today. (1/)


    First, this appears to be about tools that target selected end users by compromising their phones, not that break the crypto generally. (2/)


    Apps (like Signal) depend not only on their own code for security, but on the platforms they run on (like iOS or Android). (3/)


    A weakness in EITHER the app itself OR the platform may be sufficient for an adversary to target a user and get their messages. (4/)


    Which means that if the CIA finds exploitable flaws in iOS/Android, ANY app (like Signal) running there might be able to be compromised (5/)


    The trove released today seems to be mostly about exploiting platforms. That’s both bad news and good news for users. (6/)


    The bad news is that platform exploits are very powerful. The good news is that they have to target you in order to read your messages. (7/)


    These kinds of exploits don’t just let them read everyone’s traffic over the ‘net at the push of a button. (8/)


    What can you do as a user to defend? Boring stuff. Keep your software up to date. Don’t run unneeded apps. Don’t become a CIA target. (9/9).


    You can yell at me all you want, but I still don't know how to reliably defend a modern phone against a state-level adversary.


    Also, what does this tell us about open- vs. closed-source?

    It tells us nothing. Neither is a panacea. Software security is just hard.


    (Unsatisfying) bottom line: you can't be reliably secure against a state adversary, but it's still possible to improve security in practice.
