This is a letter I sent to a local TV reporter to explain Vault 7.

A little about my background. I designed and built my first computer in 1971, before the microprocessor was invented. My first real computer was in 1979 and now I am a one-man spam filtering company. I was also the first system admin for the Electronic Frontier Foundation, 2001 – 2003. I’m also versed in law, self-taught. Think of me as Snowden lite.

The CIA and intel community portray these as tools to break into the bad guys’ computers, as if their tactics were somehow legit. Nothing is further from the truth.

I’ll try to simplify a very technical issue.

You keep your front door locked so no one can get in – especially the bad guys. Suppose the government wanted you to keep a key under the doormat so they can get into your home for any reason, under the idea that they can protect you better. And this key will open any door. They assure you that only they will use the key, for legit law enforcement purposes.

The reason this is a bad idea is that once the bad guys get a copy of the keys then they can break in anywhere and steal anything from anyone. And that is what happened here. The CIA created a key and they were sloppy and now the bad guys have the key.

Although the intel community has been pushing for keys and back doors, companies have been resisting. (Remember the story of Apple, which wouldn’t help break into an iPhone.)

Sometimes computers have flaws in their software where someone discovers the flaw and can break in. These are called “exploits” and when the company finds out about them they send out patches to close the vulnerability. But the CIA has found multiple vulnerabilities in many devices and – instead of alerting the vendors – they kept it to themselves. Thus creating the “key under the doormat”.

The CIA ignores that other countries, Russians, Chinese, ISIS, hackers, etc., often find these same exploits. If an exploit isn’t generally known it is called a 0-day exploit. (Today is day 0 in the computer world.) In other words – there is no known defense to it. If the CIA had alerted companies (Google, MSFT, Apple, Cisco) about these exploits then we could protect our infrastructure against these threats.

But instead ….

The CIA imagines they are the only ones that know this, so they create a spy tool that they think is exclusive to them, leaving these systems vulnerable.

But what has happened is that the CIA is sloppy and they left code on targeted machines that the bad guys now have. The CIA is trying to save face here because what they are doing is embarrassing in the light of day. The reality is – they are technically competent, but not seeing the big picture.

So – we are all left vulnerable to the bad guys.

Vault7 might be a good thing because it might expose these exploits so that we the people can patch the vulnerabilities so that ISIS can’t take down society through the internet. The average person has no idea how vulnerable we are and how dependent we are on the internet. Imagine the power is shut down, no internet, no cell phones, no land lines, nothing. No power to pump the gas to fill your tanks. That is what we are now exposed to.

What Bush and Obama never understood is that encryption that is unbreakable is necessary for society and the price we pay for our security is that the bad guys get secure communication too. If we can break into their stuff, they can break into our stuff.

The NSA and CIA and intelligence community have created a single point of failure for all society. Whoever hacks the NSA has the power of the NSA. They can break into anything. They can push code into the operating systems of iOS, Windows, Android, Linux, everything. So one person can wipe out the world’s computing infrastructure. A 15-year-old genius who is getting bullied could take America down.

Edward Snowden, Assange, McAfee, and the Electronic Frontier Foundation are 100% right about these issues. I recommend that you verify what I’m saying with the good people at EFF and you’ll see I’m right about this.



  1. NewFormatSux says:

    If you had sent letters like that last year explaining Hillary’s servers, she wouldn’t have been the nominee for Trump to be President. Trump thanks you for your service to his campaign.

    • Earl says:

      Ya’ did good Marc, real good.

    • NewFormatSux says:

      Hillary’s last campaign speech:
      “None of us, NONE OF US, wants to wake up Wednesday morning wishing we had done more. Years from now, when your kids and grandkids ask what you did in 2016, when it was all on the line…”

  2. jpfitz, Not a Ditto Head says:

    Very Good explanation for the general public Marc.

    Question: besides the alphabets and nefarious orgs having ways of gaining the data on cells, PCs, iOS, and Android, are the automobiles with systems like OnStar and the like hackable to take control of vehicle operations? Also, if the CIA has this, does local law enforcement have the same capability?

  3. Sister Mary Discipline says:

    Well Marc, this is a significant improvement over your recent posts. I only spotted 2 grammatical errors and one misspelling.

    My grade is an A for effort and a B+ for execution.

    Please see me after class.

  4. Uncle Sam says:

    Let’s also not forget that the CIA is a branch of the GOVERNMENT!!!

    Keeping that in mind, when was the last time you saw ANY branch of the government do a better job than you expected? And exactly how high are/were your expectations?!

    No sir! The answer is LESS GOVERNMENT !!!

    … and if that leaves me exposed to a bad guy taking pot shots at me, so be it. I still have my 2nd Amendment rights to do what I have/need to do in my own defense. It’s not like I (ever) really expected any of our law enforcement types to be there to protect me anyway — including the CIA.

    • jpfitz, Not a Ditto Head says:

      “LESS GOVERNMENT”?

      If so, then how does that 500Billion in Pentagon jibe with LESS?

      BTW, your second amendment most likely will not help you; for every one perp shot there are 34 innocents shot. Maybe the Pentagon will send the National Guard to save you from that perp. Why do you need protection? Are you in a war zone or just a really, really bad area?

      A Louisville slugger is a damn good head banger. There are many ways to be secure if needed. A guard dog. Bars on your windows, steel doors. On and On.

  5. Ah_Yea says:

    I’m gonna move to some place a bit more secure.

    I hear there is a shack in Montana that’s available.

  6. bobbo, we think with words and flower with ideas says:

    Good review….but hasn’t this been the whole point of Snowden right from the start?

    Vault 7 is not a breaking story…. just the latest wrinkle.

    It highlights the basics of security: if you don’t want anyone to know your secrets: don’t tell/involve anybody else and don’t make records of what you do. Assume that “all truths” will eventually come out that violate the first two rules.

    Security based on the bad guys not finding out about (whatever) is a fraud…. or a security system that will eventually be broken. I’d rather a breach of this kind rather than the false security of a breach happening and kept secret……….all things considered.

  7. Mr Diesel - Language says:

    Holy crap!! The big story is the Dvorak Blog had an actual tech article/discussion on it.

    • NewFormatSux says:

      Don’t encourage him. That article about his spam destroying filter that he will sell to Google for millions was embarrassing.

      I wouldn’t mind an update on SolarCity though.

      • Sunshine says:

        Yeah, when do we celebrate break even, ROI, back-spinning meters, etc.?

        What’s it cost to maintain?

        • NewFormatSux says:

          He hasn’t invested anything. I’m curious about SolarCity’s cost in Texas. They don’t tell you on the website.

  8. jpfitz, Not a Ditto Head says:

    Not one, well maybe one or two, comments of substance.
    SSDD

  9. jpfitz, Not a Ditto Head says:

    https://www.yahoo.com/tech/cia-thinks-antivirus-program-153301819.html

    “COMODO

    The CIA appears to give mixed praise to the anti-virus solution by Comodo, the self-described “global leader in cyber security solutions.” Just don’t upgrade to v.6

    KASPERSKY LAB

    This is one of the world’s leading providers of security protection. But it may not keep you safe from the CIA.

    AVIRA

    A CIA hacker appears to say that this German-engineered anti-virus product is “typically easy to evade.”

    AVG

    The CIA apparently had a trick to defeat AVG that was “totally sweet.”

    F-SECURE

    One CIA hacker appeared to be particularly scathing about this Finnish firm’s security software. It’s a “lower tier product that causes us minimal difficulty,” one apparent hacker said.

    BITDEFENDER

    The posts aren’t complete enough to say for sure, but Bitdefender, a Romanian anti-virus product, seemed to cause CIA hackers a lot of trouble.”

    Is this article for real? Or is this just a sales pitch for above software that gave the CIA problems?
    Opinions are now alt-facts and propaganda is prolific.

  10. ECA says:

    I’m from the OLD DAYS..
    When there were SYSOPS and ADMINS…not automated systems watching the servers (STUPID)
    YES, let’s teach our CORPS a lesson in Protection…
    1. If a person is Online to your server TOO LONG…KNOW who they are, or CUT THE LINE.
    2. BACK TRACK..we used to call it, CALL BACK..you contact the server, it sends you a BOT. The BOT backtracks you and Identifies you..your computer, your location and so forth..ONLY if it matches WHAT is a KNOWN person with Authorization…will you be let in..
    3. Special/important INFO..Names, addresses, CC#, and so forth…MAKE into MULTIPLE FILES, SPREAD across the computer, OR computers…that only 1 program can Decrypt, OPEN and JOIN..

    IMPORTANT SERVERS:
    for infrastructure SHOULD have special interfaces…That are NON STANDARD..THEN a PASSWORD, and BACK TRACK..
    AND a SYSOP at the location to KNOW who it is…NO FULL AUTOMATION..tell the person at the location WHAT TO DO..

    I really find it funny, that this is OLD HAT..the OLD ways have been forgotten…THEY WORKED, AND STILL WORK.. And it’s STUPID when I hear of a server being hacked/cracked or Data LOST..I LAUGH..it’s STUPID..

    Why do these Agencies keep pointing fingers…ISIS did it..RUSSIA DID IT..MARS DID IT..
    TO ME, this sounds really Stupid.. Anyone know about the DARK WEB?? Let’s just call it what it IS…THE OLD WEB.
    1. the only way to Trace someone is to have EVERY server sending you a Data track of 1 channel (or ALL) at 1 time..Every server along the way..1 break, 1 VPN, 1 anything can break the trace and LEAVE you in a satellite 20 miles up in the air..
    DO you really think EVERY server farm in the WORLD has tracking based systems to track EVERY channel, at HAND and ready to isolate and track 1 channel?
    2. Back track, Ping back, reverse trace…Whatever you wish to call it..is the EASIEST way, and scares the HELL out of them.
    3. the HIGH odds are saying that ANY hacker worth his time and weight, IS NOT using Windows, unless it has been STRIPPED DOWN..And they Probably AREN’T using a REGULAR browser..Anyone here KNOW what an HTML page looks like?? There is A LOT to read and figure out..and you can do direct commands on most systems..

  11. Likes2LOL says:

    I’m waiting for Vault7.1 before I upgrade… 😉

  12. Scott says:

    I hate to sound like a grammar/spelling Nazi, but Marc, your typos are distracting from the content.

    • jpfitz, Not a Ditto Head says:

      You Nazi, jk. Isn’t that the phrase most tossed around today, and it’s not regarding grammar.

