This is a letter I sent to a local TV reporter to explain Vault 7.
A little about my background. I designed and built my first computer in 1971 before the microprocessor was invented. My first real computer was in 1979 and now I am a one man spam filtering company. I was also the first system admin for the Electronic Frontier Foundation 2001 – 2003. I’m also versed in law, self taught. Think of me as Snowden lite.
The CIA and intel community portrays this as tools to break into the bad guys computers, as if there tactics were somehow legit. Nothing is further from the truth.
I’ll try to simplify a very technical issue.
You keep your front door locked so no one can get in – especially the bad guys. Suppose the government wanted you to keep a key under the doormat so they can get into your home for any reason under the idea that they can protect you better. And this key will open any door. The assure you that only they will use the key for legit law enforcement purposes.
The reason this is a bad idea is that once the bad guys get a copy of the keys then they can break in anywhere and steal anything from anyone. And that is what happened here. The CIA created a key and they were sloppy and now the bad guys have the key.
Although the intel community has been pushing for keys and back doors, companies have been resisting. (Remember the Apple story who wouldn’t help break into iPhone)
Sometimes computers have flaws in their software where someone discovers the flaw and can break in. These are called “exploits” and when the company finds put about them they send out patches to close the vulnerability. But the CIA has found multiple vulnerabilities in many devices and – instead of alerting the vendors – they kept it to themselves. Thus creating the “key under the doormat”.
CIA ignores that other countries, Russians, Chinese, ISIS, hackers, etc, often find these same exploits. If an exploit isn’t generally known it is called a 0 day exploit. (Today is day 0 in the computer world.) In other words – there is no know defense to it. If the CIA had alerted companies (Google, MSFT, Apple, Cisco) about these exploits then we could protect our infrastructure against these threats.
But instead ….
The CIA imagines they are the only one’s that know this so they create a spy tool that they think is exclusive to them leaving these systems vulnerable.
But what has happened is that the CIA is sloppy and they left code on targeted machines that the bad guys now have. The CIA is trying to save face here because what they are doing is embarrassing in the light of day. The reality is – they are technically competent, but not seeing the big picture.
So – we are all left vulnerable to the bad guys.
Vault7 might be a good thing because it might expose these exploits so that we the people can patch the vulnerabilities so that ISIS can’t take down society through the internet. The average person has no idea how vulnerable we are and how dependent we are on the internet. Imagine the power is shut down, no internet, no cell phones, no land lines, nothing. Not power to pump the gas to fill your tanks. That’s is what we are now exposed to.
What Bush and Obama never understood is that encryption that is unbreakable is necessary for society and the price we pay for our security is that the bad guys get secure communication too. If we can break into their stuff, they can break into our stuff.
The NSA and CIA and intelligence community has created a single point of failure for all society. Whoever hacks the NSA has the power of the NSA. They can break into anything. They can push code into the operating systems of IOS, Windows, Android, Linux, everything. So one person can wipe out the world’s computing infrastructure. A 15 year old genius who is getting bullied could take America down.
Edward Snowden, Assange, McAffee, and the Electronic Frontier Foundation are 100% right about these issues. I recommend that you verify what I’m saying with the good people at EFF and you’ll see I’m right about this.