#I believe there’s also an archive google doc circulating on here
Where can I watch the pwhl? I don’t really watch any sports rn but want to start. Is it on espn? (sorry im kinda clueless)
HELLO NEW FRIEND!!!
If you want to watch the last season, the condensed games are all on YouTube (condensed by clipping out the bits where they pause the play, usually because YouTube gets weird about the music being played in the background). There’s a playlist with all the games.
For the upcoming season, they should be streaming live on YouTube, and then based on your region you may be able to catch them on TV also. I think they should have some broadcast announcements coming before the season starts. (They have yet to post the upcoming season schedule so we’re kinda in the dark about all that). Hoping for end of Nov/beginning of Dec.
Hope you have fun here, let me know if you have more questions !
#pwhl#ask tag#we are happy to have you !#I believe there’s also an archive google doc circulating on here
Kpopblr Content Creator Tags Masterdoc
Hello kpopblr!
Some of you may already know but I have started a giant google doc that contains as many network, source, hourly, and individual blog tags as I could muster, along with the help of some other folks and mutuals I know to create an important resource that I think will be useful to all of kpopblr as a whole!
I know that I have a hard time remembering tags, and while I've had my own little notes app of some tags to go off of, I am in a lot of fandoms and I miss things sometimes and I know this happens to my mutuals too! I've gotten asked a couple of times to give some tags to help a new creator out which is what sparked this idea of mine, and after sitting on my ass for 3 months I finally decided to make it!!!!
I think this resource can be super useful to all of kpopblr, as there are multiple fandoms as well as other useful tags included. I believe I have created a perfect system that not only outlines networks, sources, hourly blogs, as well as other tag blogs not kpop related that reblog and boost kpop content. I have also decided to include individual blog tags and label them accordingly and create warnings for certain tags, as I know some of y'alls tags are private and for mutuals only. I did my very best to be as thorough and sensitive with this doc as possible so we can have an effective yet simple resource.
The reason I am now making a post is because this doc will be added onto for months to come I'm sure, so I thought it would be a good idea to circulate the doc to as many fandoms and creators as possible so we can continue to update the doc! It is an open doc where everyone can edit and I have added all rules and a more in-depth synopsis of the doc inside, so please take a peek at it and if you can, please add your tag and any network tags not already on there!
THIS IS FOR GIFS, GRAPHICS, GFX, ETC CREATORS ONLY, NO WRITING OR NSFW
I already have a bunch of mutuals working on the doc, but here it is for your viewing pleasure:
I kindly ask that everyone who sees this please boost this on all of your kpop blogs and spread it as much as possible! I feel like this is a very important resource that we can all utilize so the more creators who know, the better!
Tagging mutual blogs to spread the word:
@woosansang @jjongho @applejongho @seokmins @seokmingming @hwanswerland @woozi @woozification @awek-s @injunnies @djxiao @taetheists @freyarchive @97chwe @hwanwooyoung @jeonwonwoo @smingi @baekwin @smilesflower @charmerz @veriverys @kyubins @joshuas @myungho @wonwooridul @xuseokgyu @moriiyun @blueberrysan @caratonce @hansolz @junranghae @seungkwan-s @junmail @2h0gi @shuashong @sanhwaiting @yukuz @strhwaberries @song-mingi @hwichanis @98linerz @kangyeosaang @minzbins
networks: @nctinc @atzsource @woosaninc @kpopcontentcreatorsclub @kpopggs @kflops the only reason i tagged networks is because this is for their creators, they gain a lot from this doc seeing as it is mostly network tags!
#please boost if you see this#this is super important and helpful!#i hope lol#what if this flops#more tags for me ig lmaooooo#ateez#seventeen#exo#nct#wayv#astro#got7#twice#itzy#enhypen#stray kids#aespa#le sserafim
What happened with i-am-a-fish? A compilation:
A lot of people are confused about what happened with Tumblr user i-am-a-fish (who I'll refer to as Fish from here on out for the sake of readability), and a lot of rumor, misinformation and hyperbole is circulating. With this post I hope to compile the claims and evidence against him, examine their validity, and hopefully bring everyone up to speed.
Let's get the main thing out of the way first:
Veggiefact is a Twitter account with over 270k followers.
The callout post it references is this one: https://ratsofftoya.tumblr.com/post/189087352976/this-is-a-repost-since-just-making-an-addition-to. A second call-out is making the rounds too, from bubblegumlopunny, and it’s a Google doc: https://docs.google.com/document/d/1Gv0ixX_jw9geWxFc07b9En--AGHcTqVBO1E6TLGLhHI/edit
Both callouts share about 90% of the same information. Bubblegum’s callout includes accusations of racism and lesbophobia as well, and more incendiary language and questionable charges than the Tumblr post, but in this post I’ll only focus on the accusations that Fish is a pedophile.
The child porn accounts on Twitter
The “child porn accounts” it refers to are @krskiii, @Karbuitt and @kamawanu__. The last one is actually safe for work, provided you work at a place that’s cool with you being on Twitter, and the second-to-last one sort-of is, depending how your boss feels about suggestive pin-ups and sex jokes.
Kamawanu posts fanart of various fandoms, but mostly fanart of Rick & Morty and Into the Spider-Verse. Kamawanu is an incest shipper, although they keep that content to a separate, adult-only and locked account. Karbuitt posts artwork of various Nintendo characters, but in particular Viridi from Kid Icarus. Neither of these accounts can be argued to be "dedicated to child porn" in any capacity.
Although some Tumblr users would argue in earnest this is child porn as well.
Krskiii is the only account to have posted questionable content. While the vast majority of their feed is cute, safe for work anime art, they posted lolicon back in January this year. Both callouts include a second screenshot from a tweet made in 2016 as well.
Was this something Fish reasonably could’ve known about? According to the callout in the Google doc:
This is straight-up untrue.
Not only is it perfectly possible to follow Twitters without checking them first (and many follow-for-follow Twitters operate this way) but even if you do vet accounts, there is no archive or tags like Tumblr has to conveniently show you what kind of content you can expect. You have to manually scroll through a person’s timeline or media tab to see what they post.
You’d only see their most recent tweets, not ones they made almost a damn year ago.
Fish followed this account in a follow-spree that had him hit the follow limit for the day on November 12th, almost a whole year after it was made. Fish's claim that he didn't know about these pictures is not only perfectly believable; it’s unlikely that he would’ve even known about it unless he'd dug through this person's media tab quite far.
This is not the behaviour of someone who curated their following list and carefully vetted everyone on it.
Was this irresponsible behaviour of him, towards both himself and his followers? Sure, you can make that argument. But it’s not evidence for anything more sinister than that.
The Pornhub joke
If you’re still on Tumblr in 2019, you were probably around for the porn purge of 2018, the one that had everyone scrambling for a new online home. With how few alternatives there are of social media sites that allow NSFW content, people started discussing, mostly as a joke, the possibility of moving to Pornhub. It was enough of a Thing that Pornhub's social media department caught wind of it.
I-am-a-fish decided to get in on the joke and created a Pornhub account and posted about “relocating” on Twitter and Tumblr:
How zany! A goldfish on a porn site!
People voiced discomfort over it, so Fish deleted the links from Tumblr and the Twitter bio, but didn't delete the tweet. The Pornhub account itself seems to have never been used.
The sex joke
Part of the callout post is the claim Fish “deliberately exposes minors to porn”, this + the Pornhub thing is what they're referring to.
At some point in late 2018 or early 2019 Fish decided this wasn't the direction he wanted to take his blog into, changed the original post, deleted the reblogs, and hasn't posted nsfw content since.
Also this happened a year ago.
The Discord server
Fish briefly ran a Discord server with a strict no-bullying policy that applied to everyone. This is not a political stance, but it was turned into one. This counts as “believing in reverse oppression”:
Most of the mods were adults, which is supposedly creepy:
One of them thought shipping characters who have been aged-up into adulthood isn't paedophilia:
Someone on the server thought “pedophilia” is a sexuality:
One thing to note here is that none of these actually involve Fish's own thoughts or actions, just those of people he's vaguely associated with (is Mother Allspite a close friend? An acquaintance? Someone who volunteered to help moderate the chat?), as well as complete strangers. He's being associated with statements people have made who have no connection to him whatsoever.
Here are the claims I’ve seen making the rounds about the Discord server of which I’ve seen no evidence:
That the mods supported pedophilia
That the mods themselves were pedophiles
That pedophilia was treated as a sexuality you could tag yourself with
That the server was full of pedophiles
The claim that the server mixed minors with adults and didn’t section off nsfw content/discussion is at least a believable one, so I’m not including it here. It’s not proof of anyone being a pedophile, however. It just means the Discord server was poorly managed.
What to make of this?
There is no proof that Fish is anything worse than a young adult (despite the callout posts all making a huge deal out of him being an adult, he's still only 19 years old) who got too popular too fast and didn’t understand the responsibility that came with that. Even for his “worst” offenses there is no proof of ill intent behind them. At worst there is poor judgment, irresponsibility, and impulsiveness. There is certainly no proof that he is attracted to children, much less that he ever acted on it.
Nevertheless,
(I have no idea where the “20+ Twitters dedicated to child porn” claim comes from and found no evidence whatsoever to support it)
WikiLeaks Dumps Docs on CIA’s Hacking Tools
WikiLeaks on Tuesday dropped one of its most explosive word bombs ever: A secret trove of documents apparently stolen from the U.S. Central Intelligence Agency (CIA) detailing methods of hacking everything from smart phones and TVs to compromising Internet routers and computers. KrebsOnSecurity is still digesting much of this fascinating data cache, but here are some first impressions based on what I’ve seen so far.
First, to quickly recap what happened: In a post on its site, WikiLeaks said the release — dubbed “Vault 7” — was the largest-ever publication of confidential documents on the agency. WikiLeaks is promising a series of these document caches; this first one includes more than 8,700 files allegedly taken from a high-security network inside CIA’s Center for Cyber Intelligence in Langley, Va.
The home page for the CIA’s “Weeping Angel” project, which sought to exploit flaws that could turn certain 2013-model Samsung “smart” TVs into remote listening posts.
“Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation,” WikiLeaks wrote. “This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”
Wikileaks said it was calling attention to the CIA’s global covert hacking program, its malware arsenal and dozens of weaponized exploits against “a wide range of U.S. and European company products, include Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are turned into covert microphones.”
The documents for the most part don’t appear to include the computer code needed to exploit previously unknown flaws in these products, although WikiLeaks says that stuff may show up in a future dump. This collection is probably best thought of as an internal corporate wiki used by multiple CIA researchers who methodically found and documented weaknesses in a variety of popular commercial and consumer electronics.
For example, the data dump lists a number of exploit “modules” available to compromise various models of consumer routers made by companies like Linksys, MikroTik and Zyxel, to name a few. CIA researchers also collated several pages worth of probing and testing weaknesses in business-class devices from Cisco, whose powerful routers carry a decent portion of the Internet’s traffic on any given day. Craig Dods, a researcher with Cisco’s rival Juniper, delves into greater detail on the Cisco bugs for anyone interested (Dods says he found no exploits for Juniper products in the cache, yet).
WHILE MY SMART TV GENTLY WEEPS
Some of the exploits discussed in these leaked CIA documents appear to reference full-on, remote access vulnerabilities. However, a great many of the documents I’ve looked at seem to refer to attack concepts or half-finished exploits that demand more work and that may be limited by very specific requirements — such as physical access to the targeted device.
The “Weeping Angel” project’s page from 2014 is a prime example: It discusses ways to turn certain 2013-model Samsung “smart TVs” into remote listening devices; methods for disabling the LED lights that indicate the TV is on; and suggestions for fixing a problem with the exploit in which the WiFi interface on the TV is disabled when the exploit is run.
ToDo / Future Work:
Build a console cable
Turn on or leave WiFi turned on in Fake-Off mode
Parse unencrypted audio collection
Clean-up the file format of saved audio. Add encryption??
According to the documentation, Weeping Angel worked as long as the target hadn’t upgraded the firmware on the Samsung TVs, and that the firmware upgrade eliminated the “current installation method,” which apparently required the insertion of a booby-trapped USB device into the TV.
Don’t get me wrong: This is a serious leak of fairly sensitive information. And I sincerely hope Wikileaks decides to work with researchers and vendors to coordinate the patching of flaws leveraged by the as-yet unreleased exploit code archive that apparently accompanies this documentation from the CIA.
But in reading the media coverage of this leak, one might be led to believe that even if you are among the small minority of Americans who have chosen to migrate more of their communications to privacy-enhancing technologies like Signal or WhatsApp, it’s all futility because the CIA can break it anyway.
Perhaps a future cache of documents from this CIA division will change things on this front, but an admittedly cursory examination of these documents indicates that the CIA’s methods for weakening the privacy of these tools all seem to require attackers to first succeed in deeply subverting the security of the mobile device — either through a remote-access vulnerability in the underlying operating system or via physical access to the target’s phone.
As Bloomberg’s tech op-ed writer Leonid Bershidsky notes, the documentation released here shows that these attacks are “not about mass surveillance — something that should bother the vast majority of internet users — but about monitoring specific targets.”
By way of example, Bershidsky points to a tweet yesterday from Open Whisper Systems (the makers of the Signal private messaging app) which observes that, “The CIA/Wikileaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption.”
The company went on to say that because more online services are now using end-to-end encryption to prevent prying eyes from reading communications that are intercepted in-transit, intelligence agencies are being pushed “from undetectable mass surveillance to expensive, high-risk, targeted attacks.”
A tweet from Open Whisper Systems, the makers of the popular mobile privacy app Signal.
As limited as some of these exploits appear to be, the methodical approach of the countless CIA researchers who apparently collaborated to unearth these flaws is impressive and speaks to a key problem with most commercial hardware and software today: The vast majority of vendors would rather spend the time and money marketing their products than embark on the costly, frustrating, time-consuming and continuous process of stress-testing their own products and working with a range of researchers to find these types of vulnerabilities before the CIA or other nation-state-level hackers can.
Of course, not every company has a budget of hundreds of millions of dollars just to do basic security research. According to this NBC News report from October 2016, the CIA’s Center for Cyber Intelligence (the alleged source of the documents discussed in this story) has a staff of hundreds and a budget in the hundreds of millions: Documents leaked by NSA whistleblower Edward Snowden indicate the CIA requested $685.4 million for computer network operations in 2013, compared to $1 billion by the U.S. National Security Agency (NSA).
TURNABOUT IS FAIR PLAY?
NBC also reported that the CIA’s Center for Cyber Intelligence was tasked by the Obama administration last year to devise cyber attack strategies in response to Russia’s alleged involvement in the siphoning of emails from Democratic National Committee servers as well as from Hillary Clinton‘s campaign chief John Podesta. Those emails were ultimately published online by Wikileaks last summer.
NBC reported that the “wide-ranging ‘clandestine’ cyber operation designed to harass and ’embarrass’ the Kremlin leadership was being lead by the CIA’s Center for Cyber Intelligence.” Could this attack have been the Kremlin’s response to an action or actions by the CIA’s cyber center? Perhaps time (or future leaks) will tell.
Speaking of the NSA, the Wikileaks dump comes hot on the heels of a similar disclosure by The Shadow Brokers, a hacking group that said it stole malicious software from the Equation Group, a highly-skilled and advanced threat actor that has been closely tied to the NSA.
What’s interesting is this Wikileaks cache includes a longish discussion thread among CIA employees who openly discuss where the NSA erred in allowing experts to tie the NSA’s coders to malware produced by the Equation Group. As someone who spends a great deal of time unmasking cybercriminals who invariably leak their identity and/or location through poor operational security, I was utterly fascinated to read this exchange.
BUG BOUNTIES VS BUG STOCKPILES
Many are using this latest deluge from WikiLeaks to reopen the debate over whether there is enough oversight of the CIA’s hacking activities. The New York Times called yesterday’s WikiLeaks disclosure “the latest coup for the antisecrecy organization and a serious blow to the CIA, which uses its hacking abilities to carry out espionage against foreign targets.”
The WikiLeaks scandal also revisits the question of whether the U.S. government should instead of hoarding and stockpiling vulnerabilities be more open and transparent about its findings — or at least work privately with software vendors to get the bugs fixed for the greater good. After all, these advocates argue, the United States is perhaps the most technologically-dependent country on Earth: Surely we have the most to lose when (not if) these exploits get leaked? Wouldn’t it be better and cheaper if everyone who produced software sought to crowdsource the hardening of their products?
On that front, my email inbox was positively peppered Tuesday with emails from organizations that run “bug bounty” programs on behalf of corporations. These programs seek to discourage the “full disclosure” approach — e.g., a researcher releasing exploit code for a previously unknown bug and giving the affected vendor exactly zero days to fix the problem before the public finds out how to exploit it (hence the term “zero-day” exploit). Rather, the bug bounties encourage security researchers to work closely and discreetly with software vendors to fix security vulnerabilities — sometimes in exchange for monetary reward and sometimes just for public recognition.
Casey Ellis, chief executive officer and founder of bug bounty program Bugcrowd, suggested the CIA WikiLeaks disclosure will help criminal groups and other adversaries, while leaving security teams scrambling.
“In this mix there are the targeted vendors who, before today, were likely unaware of the specific vulnerabilities these exploits were targeting,” Ellis said. “Right now, the security teams are pulling apart the Wikileaks dump, performing technical analysis, assessing and prioritizing the risk to their products and the people who use them, and instructing the engineering teams towards creating patches. The net outcome over the long-term is actually a good thing for Internet security — the vulnerabilities that were exploited by these tools will be patched, and the risk to consumers reduced as a result — but for now we are entering yet another Shadow Brokers, Stuxnet, Flame, Duqu, etc., a period of actively exploitable 0-day bouncing around in the wild.”
Ellis said that — in an ironic way, one could say that Wikileaks, the CIA, and the original exploit authors “have combined to provide the same knowledge as the ‘good old days’ of full disclosure — but with far less control and a great many more side-effects than if the vendors were to take the initiative themselves.”
“This, in part, is why the full disclosure approach evolved into the coordinated disclosure and bug bounty models becoming commonplace today,” Ellis said in a written statement. “Stories like that of Wikileaks today are less and less surprising and to some extent are starting to be normalized. It’s only when the pain of doing nothing exceeds the pain of change that the majority of organizations will shift to an proactive vulnerability discovery strategy and the vulnerabilities exploited by these toolkits — and the risk those vulnerabilities create for the Internet — will become less and less common.”
Many observers — including a number of cybersecurity professional friends of mine — have become somewhat inured to these disclosures, and argue that this is exactly the sort of thing you might expect an agency like the CIA to be doing day in and day out. Omer Schneider, CEO at a startup called CyberX, seems to fall into this camp.
“The main issue here is not that the CIA has its own hacking tools or has a cache of zero-day exploits,” Schneider said. “Most nation-states have similar hacking tools, and they’re being used all the time. What’s surprising is that the general public is still shocked by stories like these. Regardless of the motives for publishing this, our concern is that Vault7 makes it even easier for a crop of new cyber-actors get in the game.”
This almost certainly won’t be the last time KrebsOnSecurity cites this week’s big CIA WikiLeaks trove. But for now I’m interested to hear what you, Dear Readers, found most intriguing about it? Sound off in the comments below.
from https://krebsonsecurity.com/2017/03/wikileaks-dumps-docs-on-cias-hacking-tools/
0 notes
Text
WikiLeaks Dumps Docs on CIA’s Hacking Tools
WikiLeaks on Tuesday dropped one of its most explosive word bombs ever: A secret trove of documents apparently stolen from the U.S. Central Intelligence Agency (CIA) detailing methods of hacking everything from smart phones and TVs to compromising Internet routers and computers. KrebsOnSecurity is still digesting much of this fascinating data cache, but here are some first impressions based on what I’ve seen so far.
First, to quickly recap what happened: In a post on its site, WikiLeaks said the release — dubbed “Vault 7” — was the largest-ever publication of confidential documents on the agency. WikiLeaks is promising a series of these document caches; this first one includes more than 8,700 files allegedly taken from a high-security network inside CIA’s Center for Cyber Intelligence in Langley, Va.
The home page for the CIA’s “Weeping Angel” project, which sought to exploit flaws that could turn certain 2013-model Samsung “smart” TVs into remote listening posts.
“Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation,” WikiLeaks wrote. “This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”
Wikileaks said it was calling attention to the CIA’s global covert hacking program, its malware arsenal and dozens of weaponized exploits against “a wide range of U.S. and European company products, include Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are turned into covert microphones.”
The documents for the most part don’t appear to include the computer code needed to exploit previously unknown flaws in these products, although WikiLeaks says that stuff may show up in a future dump. This collection is probably best thought of as an internal corporate wiki used by multiple CIA researchers who methodically found and documented weaknesses in a variety of popular commercial and consumer electronics.
For example, the data dump lists a number of exploit “modules” available to compromise various models of consumer routers made by companies like Linksys, MikroTik and Zyxel, to name a few. CIA researchers also collated several pages’ worth of probing and testing weaknesses in business-class devices from Cisco, whose powerful routers carry a decent portion of the Internet’s traffic on any given day. Craig Dods, a researcher with Cisco’s rival Juniper, delves into greater detail on the Cisco bugs for anyone interested (Dods says he found no exploits for Juniper products in the cache, yet).
WHILE MY SMART TV GENTLY WEEPS
Some of the exploits discussed in these leaked CIA documents appear to reference full-on, remote access vulnerabilities. However, a great many of the documents I’ve looked at seem to refer to attack concepts or half-finished exploits that demand more work and that may be limited by very specific requirements — such as physical access to the targeted device.
The “Weeping Angel” project’s page from 2014 is a prime example: It discusses ways to turn certain 2013-model Samsung “smart TVs” into remote listening devices; methods for disabling the LED lights that indicate the TV is on; and suggestions for fixing a problem with the exploit in which the WiFi interface on the TV is disabled when the exploit is run.
ToDo / Future Work:
Build a console cable
Turn on or leave WiFi turned on in Fake-Off mode
Parse unencrypted audio collection
Clean-up the file format of saved audio. Add encryption??
According to the documentation, Weeping Angel worked as long as the target hadn’t upgraded the firmware on the Samsung TVs; the firmware upgrade eliminated the “current installation method,” which apparently required the insertion of a booby-trapped USB device into the TV.
Don’t get me wrong: This is a serious leak of fairly sensitive information. And I sincerely hope Wikileaks decides to work with researchers and vendors to coordinate the patching of flaws leveraged by the as-yet unreleased exploit code archive that apparently accompanies this documentation from the CIA.
But in reading the media coverage of this leak, one might be led to believe that even if you are among the small minority of Americans who have chosen to migrate more of their communications to privacy-enhancing technologies like Signal or WhatsApp, it’s all futility because the CIA can break it anyway.
Perhaps a future cache of documents from this CIA division will change things on this front, but an admittedly cursory examination of these documents indicates that the CIA’s methods for weakening the privacy of these tools all seem to require attackers to first succeed in deeply subverting the security of the mobile device — either through a remote-access vulnerability in the underlying operating system or via physical access to the target’s phone.
As Bloomberg’s tech op-ed writer Leonid Bershidsky notes, the documentation released here shows that these attacks are “not about mass surveillance — something that should bother the vast majority of internet users — but about monitoring specific targets.”
By way of example, Bershidsky points to a tweet yesterday from Open Whisper Systems (the makers of the Signal private messaging app) which observes that, “The CIA/Wikileaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption.”
The company went on to say that because more online services are now using end-to-end encryption to prevent prying eyes from reading communications that are intercepted in-transit, intelligence agencies are being pushed “from undetectable mass surveillance to expensive, high-risk, targeted attacks.”
A tweet from Open Whisper Systems, the makers of the popular mobile privacy app Signal.
As limited as some of these exploits appear to be, the methodical approach of the countless CIA researchers who apparently collaborated to unearth these flaws is impressive and speaks to a key problem with most commercial hardware and software today: The vast majority of vendors would rather spend the time and money marketing their products than embark on the costly, frustrating, time-consuming and continuous process of stress-testing their own products and working with a range of researchers to find these types of vulnerabilities before the CIA or other nation-state-level hackers can.
Of course, not every company has a budget of hundreds of millions of dollars just to do basic security research. According to this NBC News report from October 2016, the CIA’s Center for Cyber Intelligence (the alleged source of the documents discussed in this story) has a staff of hundreds and a budget in the hundreds of millions: Documents leaked by NSA whistleblower Edward Snowden indicate the CIA requested $685.4 million for computer network operations in 2013, compared to $1 billion by the U.S. National Security Agency (NSA).
TURNABOUT IS FAIR PLAY?
NBC also reported that the CIA’s Center for Cyber Intelligence was tasked by the Obama administration last year to devise cyber attack strategies in response to Russia’s alleged involvement in the siphoning of emails from Democratic National Committee servers as well as from Hillary Clinton’s campaign chief John Podesta. Those emails were ultimately published online by Wikileaks last summer.
NBC reported that the “wide-ranging ‘clandestine’ cyber operation designed to harass and ‘embarrass’ the Kremlin leadership was being led by the CIA’s Center for Cyber Intelligence.” Could this attack have been the Kremlin’s response to an action or actions by the CIA’s cyber center? Perhaps time (or future leaks) will tell.
Speaking of the NSA, the Wikileaks dump comes hot on the heels of a similar disclosure by The Shadow Brokers, a hacking group that said it stole malicious software from the Equation Group, a highly-skilled and advanced threat actor that has been closely tied to the NSA.
What’s interesting is this Wikileaks cache includes a longish discussion thread among CIA employees who openly discuss where the NSA erred in allowing experts to tie the NSA’s coders to malware produced by the Equation Group. As someone who spends a great deal of time unmasking cybercriminals who invariably leak their identity and/or location through poor operational security, I was utterly fascinated to read this exchange.
BUG BOUNTIES VS BUG STOCKPILES
Many are using this latest deluge from WikiLeaks to reopen the debate over whether there is enough oversight of the CIA’s hacking activities. The New York Times called yesterday’s WikiLeaks disclosure “the latest coup for the antisecrecy organization and a serious blow to the CIA, which uses its hacking abilities to carry out espionage against foreign targets.”
The WikiLeaks scandal also revisits the question of whether the U.S. government should instead of hoarding and stockpiling vulnerabilities be more open and transparent about its findings — or at least work privately with software vendors to get the bugs fixed for the greater good. After all, these advocates argue, the United States is perhaps the most technologically-dependent country on Earth: Surely we have the most to lose when (not if) these exploits get leaked? Wouldn’t it be better and cheaper if everyone who produced software sought to crowdsource the hardening of their products?
On that front, my email inbox was positively peppered Tuesday with emails from organizations that run “bug bounty” programs on behalf of corporations. These programs seek to discourage the “full disclosure” approach — e.g., a researcher releasing exploit code for a previously unknown bug and giving the affected vendor exactly zero days to fix the problem before the public finds out how to exploit it (hence the term “zero-day” exploit). Rather, the bug bounties encourage security researchers to work closely and discreetly with software vendors to fix security vulnerabilities — sometimes in exchange for monetary reward and sometimes just for public recognition.
Casey Ellis, chief executive officer and founder of bug bounty program Bugcrowd, suggested the CIA WikiLeaks disclosure will help criminal groups and other adversaries, while leaving security teams scrambling.
“In this mix there are the targeted vendors who, before today, were likely unaware of the specific vulnerabilities these exploits were targeting,” Ellis said. “Right now, the security teams are pulling apart the Wikileaks dump, performing technical analysis, assessing and prioritizing the risk to their products and the people who use them, and instructing the engineering teams towards creating patches. The net outcome over the long-term is actually a good thing for Internet security — the vulnerabilities that were exploited by these tools will be patched, and the risk to consumers reduced as a result — but for now we are entering yet another Shadow Brokers, Stuxnet, Flame, Duqu, etc., a period of actively exploitable 0-day bouncing around in the wild.”
Ellis said that, in an ironic way, one could say that Wikileaks, the CIA, and the original exploit authors “have combined to provide the same knowledge as the ‘good old days’ of full disclosure — but with far less control and a great many more side-effects than if the vendors were to take the initiative themselves.”
“This, in part, is why the full disclosure approach evolved into the coordinated disclosure and bug bounty models becoming commonplace today,” Ellis said in a written statement. “Stories like that of Wikileaks today are less and less surprising and to some extent are starting to be normalized. It’s only when the pain of doing nothing exceeds the pain of change that the majority of organizations will shift to a proactive vulnerability discovery strategy and the vulnerabilities exploited by these toolkits — and the risk those vulnerabilities create for the Internet — will become less and less common.”
Many observers — including a number of cybersecurity professional friends of mine — have become somewhat inured to these disclosures, and argue that this is exactly the sort of thing you might expect an agency like the CIA to be doing day in and day out. Omer Schneider, CEO at a startup called CyberX, seems to fall into this camp.
“The main issue here is not that the CIA has its own hacking tools or has a cache of zero-day exploits,” Schneider said. “Most nation-states have similar hacking tools, and they’re being used all the time. What’s surprising is that the general public is still shocked by stories like these. Regardless of the motives for publishing this, our concern is that Vault7 makes it even easier for a crop of new cyber-actors to get in the game.”
This almost certainly won’t be the last time KrebsOnSecurity cites this week’s big CIA WikiLeaks trove. But for now I’m interested to hear what you, Dear Readers, found most intriguing about it? Sound off in the comments below.
from Amber Scott Technology News https://krebsonsecurity.com/2017/03/wikileaks-dumps-docs-on-cias-hacking-tools/