CIA's Shrugtastic Response To Hacking Apple Security: 'It Is What It Is' And 'That's What We Do'

from the meh dept

Wed, Mar 11th 2015 8:13am — Mike Masnick

We just had a story based on the Intercept breaking the fact that the CIA holds an annual hackathon (the CIA calls it a "Jamboree") to come up with new ways to hack secure systems, inviting in various contractors and government agencies. Much of the work is focused on hacking Apple's security, inserting backdoors and generally degrading security and encryption for everyone.

The CIA refused to comment on the Intercept's original story, but the reporters got former FTC official Steven Bellovin to sum it up as:

“Spies gonna spy,” says Steven Bellovin, a former chief technologist for the U.S. Federal Trade Commission and current professor at Columbia University. “I’m never surprised by what intelligence agencies do to get information. They’re going to go where the info is, and as it moves, they’ll adjust their tactics. Their attitude is basically amoral: whatever works is OK.”

Now, "unnamed" anonymous CIA officials seem to be picking up where that shrugging comment left off. Talking to CNBC reporters, the CIA folks give similarly "meh" kinds of responses:

"That's what we do," the official said. "CIA collects information overseas, and this is focused on our adversaries, whether they be terrorists or other adversaries."

Except, of course, they don't just spy overseas. The CIA has done domestic spying as well, and the descriptions of the projects don't just impact people overseas. And then there's this one:

"There's a whole world of devices out there, and that's what we're going to do," the official said. "It is what it is."

It is what it is. That's someone who clearly doesn't care one bit about the negative consequences of attacking security and inserting backdoors that can harm everyone, just so long as they can also spy on people they don't like. You know, like the US Senate.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: backdoors, cia, encryption, hackathon, jamboree, privacy, spying, surveillance
Companies: apple

38 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 11 Mar 2015 @ 8:22am

"It's just what we do" is the worst possible justification for what you do.
Serial killers just "do what they do" and that doesn't make their murders right.
[ link to this | view in chronology ]
- Ninja (profile), 11 Mar 2015 @ 8:57am
  
  Re:
  *Obligatory Godwin remark here*
  
  Ahem. People don't learn it seems.
  [ link to this | view in chronology ]
- Anonymous Coward, 11 Mar 2015 @ 9:11am
  
  Re:
  I'm no fan of the CIA or our government spying on all of us, but that IS what they do. They told the truth and you don't like it. They tell a lie and you don't like it.
  Who they do it to seems to be the issue here, right? That's also what all the hackers do at Black Hat and other yearly events, isn't it?
  
  If it can be hacked, then it needs work. Simple as that.
  
  You want secure? Make it. There are numerous examples of companies attacked by hackers to prove the point that the security isn't good enough. This is just another example.
  
  The difference that seems important here is that it's sponsored by our government. I think they should have the tools to protect our interests. Abusing them, however, is another story.
  [ link to this | view in chronology ]
  - That One Guy (profile), 11 Mar 2015 @ 9:51am
    
    Re: Re:
    The problem is that the government, one and all, has utterly and completely poisoned the well when it comes to public opinion on their involvement with computer security. They've been caught out on so many lies, and had so many bad actions exposed, that everyone automatically assumes the worst these days, and rightly so I'd say.
    
    As their words and actions have shown, their definition of 'protection' tends to involve sabotaging and intentionally weakening security used by millions of people, all for no apparent good, as despite all the damage they cause, they always seem to get tongue-tied when it comes to presenting the benefits resulting from their actions, and when they do try and trot out examples to justify their actions, those examples pretty much without fail show that their actions were unnecessary and/or caused more damage than they prevented.
    
    As they, and multiple other government agencies have shown, while they may be all for protecting their interests, their security and their powers, they don't seem to extend that same fervor to the public's interests and security, so it's hardly surprising that a 'lets find or create as many security flaws as we can' event like this isn't well received.
    
    They've lost the trust of anyone paying even the slightest bit of attention, so backlash against even things that may have been acceptable before is to be expected, and they have only themselves to blame for it.
    [ link to this | view in chronology ]
    - Anonymous Coward, 11 Mar 2015 @ 11:14am
      
      Re: Re: Re:
      I agree 100%. They have zero credibility. But then again, how many people have EVER trusted the government? It has been the joke for my entire 48 years, "Trust me, I'm with the Government." or the ever popular oxymoron, "Military Intelligence." And I am ex military.
      
      So when it comes to who is watching the watchers, I like to refer to an old Goldie Hawn movie, Protocol. In the final scene, she is testifying before a senate panel and says the following after resigning from the state department, "So now that I'm Sunny Davis, private citizen again, you're gonna have to watch out for me. Because I'm gonna be watching all of you... like a hawk."
      
      We are the watchers... if we keep putting the wrong people in office, we have no one but ourselves to blame.
      [ link to this | view in chronology ]
      - That One Guy (profile), 11 Mar 2015 @ 11:28am
        
        Re: Re: Re: Re:
        And when those people in office lie, mislead, and do their best to hide what they are doing? When the 'committees' and 'courts' meant to keep them in check are instead run by those who's sole intention is to assist in the lies and hiding of the truth? When those that are meant to enforce and uphold the law instead chose to ignore it and look the other way when it's another government agency bending and breaking it? When the government makes it abundantly clear that if you expose it's actions they will crush you, making it incredibly risky for those with a functioning moral code and sense of ethics to come forward? How much blame do you think the public should bear then?
        
        The public has a good amount of responsibility towards the government, but a large chunk of that demands transparency, demands that the people know what is being done, and who is doing it, and the government has been doing everything within it's power, even if it has to make up laws and rules in the process, to avoid that transparency and the informed public that results from it.
        
        As such you'll have to excuse me when I don't buy the 'you get the government you deserve' and/or 'if the government is out of control, it's the public's fault for not reigning it in' arguments. The public deserves some of the blame, but the side lying, misleading, and hiding their actions from those they theoretically are supposed to serve shoulders most of it.
        [ link to this | view in chronology ]
        
        Anonymous Coward, 12 Mar 2015 @ 6:33am
        
        Re: Re: Re: Re: Re:
        Vote them out. Start local and it grows. simple answer.
        [ link to this | view in chronology ]
      - art guerrilla (profile), 11 Mar 2015 @ 2:22pm
        
        Re: Re: Re: Re:
        @ anon cow-
        1. i propose this to you: what if (and it isn't an 'if', it is a definite), 'our' computer-based voting systems are NOT secure (they are not) ?
        then the ONLY method we have for 'holding them accountable' is borked...
        
        2. but, let's be stupid and assume the voting systems are valid: when the two hydra heads of the SAME korporate money party have the system on lock down, HOW in dog's name do we EFFECTIVELY get any other 3rd party candidates any traction ? we don't...
        
        3. HOW do we actually DO our due diligence and oversight when it is kept super duper top secret EVEN FROM OUR DULY ELECTED officials *supposedly* providing oversight ? how can WE "OWNERS" of democracy provide any oversight of things kept (PURPOSEFULLY/ILLEGALLY) out of sight that we have NO knowledge of being done in our names with our monies ? ? ?
        
        4. lastly, the warm and fuzzy anecdote (BASED ON A MOVIE) is sweet and all; but when the media is bought and paid for to NOT do any such investigative reporting, HOW is a mere citizen supposed to put the fear of dog in our 'superiors' ? ? ? not going to happen to any significant degree, just not going to, i don't care how many pairs of rose-colored glasses you have on...
        [ link to this | view in chronology ]
        
        Anonymous Coward, 12 Mar 2015 @ 6:46am
        
        Re: Re: Re: Re: Re:
        If you don't like it, vote a different person in... The problem with America is our memories are too short.
        We have demanded instant gratification for almost every part of our lives... this includes politics and policy. How else do you explain the Patriot act and Obamacare?
        
        We always root for the underdog. How many of our sports icons or celebrities have had comebacks after a drug addiction or illegal activity and we cheer them on? The same holds true for our politicians.
        
        Why do you think this email issue with Clinton is coming out now? It wasn't the republicans that exposed it. Will it still be in the news in a year and a half when the elections roll around or will it be long lost and forgotten in the smoke of so many other scandals and outrages?
        
        How much recent news has there been concerning Ferguson? How long ago was it?
        
        We as a people need to begin to have a longer memory, so that when those in charge don't do what they were elected to do, we vote them out... or we get the rules changed to put term limits on all offices.
        
        Our elected offices were originally meant to be part time gigs, more like jury duty than a career.
        
        To blame the game and not the players is wrong on every level. The players are what make the game great or not.
        
        We are all playing the game. so instead of raging against the machine, jump in and drive it.
        [ link to this | view in chronology ]
  - Anonymous Coward, 11 Mar 2015 @ 9:56am
    
    Re: Re:
    Means and methods are not the important thing. Worse, debates over means and methods are a dangerous distraction from the truly important over-arching issue: Who Watches the Watchers, and who pulls them up short when they overstep?
    [ link to this | view in chronology ]
  - John Fenderson (profile), 11 Mar 2015 @ 10:48am
    
    Re: Re:
    "That's also what all the hackers do at Black Hat and other yearly events, isn't it?"
    
    A really HUGE difference is that the Black Hat is all about actually revealing the security flaws so that they can be fixed.
    
    The CIA does no such thing. Until a a vulnerability is revealed, it can't be fixed (you can't fix something when you don't know it's broken).
    
    I'm not saying the CIA is doing wrong. I'm saying that comparing the hacker community to the CIA is like comparing apples to oatmeal.
    [ link to this | view in chronology ]
    - Anonymous Coward, 11 Mar 2015 @ 11:04am
      
      Re: Re: Re:
      Kind of like comparing a serial killer to a government agency?
      [ link to this | view in chronology ]
      - Anonymous Coward, 11 Mar 2015 @ 11:58am
        
        Re: Re: Re: Re:
        Who knows where all the war criminals and terrorists hang out but government workers can be in such massive violation of the law that they are no different than a serial killer legally. I'm not talking about the CIA necessarily either.
        [ link to this | view in chronology ]
    - nasch (profile), 11 Mar 2015 @ 9:48pm
      
      Re: Re: Re:
      I'm saying that comparing the hacker community to the CIA is like comparing apples to oatmeal.
      
      Sounds good, what is the cinnamon in this analogy?
      [ link to this | view in chronology ]
Paul Clark, 11 Mar 2015 @ 8:34am

Canada Has A solution for This
Luckily, in Canada, private individuals can fill criminal charges. We can not prosecute, but at least it goes up in front of a judge for consideration.
[ link to this | view in chronology ]
Anonymous Coward, 11 Mar 2015 @ 8:35am

In the spirit of reciprocity, private citizens are going to do what they do to secure their privacy.

And "it is what it is" means exactly nothing as no new information is received from such a statement.
[ link to this | view in chronology ]
Pragmatic, 11 Mar 2015 @ 8:40am

Isn't there supposed to be an oversight committee? Well there is an "overlook" committee...
[ link to this | view in chronology ]
Anonymous Coward, 11 Mar 2015 @ 8:47am

> Their attitude is basically amoral: whatever works is OK.

I think it's worse than that. They do whatever DOESN'T work, too (See: torture).
[ link to this | view in chronology ]
TMC, 11 Mar 2015 @ 8:53am

Uh...
I'm probably missing something here. It sounds like this jamboree is about presenting and describing security faults with existing products. Isn't disclosing these faults good? Most of the time companies won't patch until disclosure occurs.
[ link to this | view in chronology ]
- twinsdad9901, 11 Mar 2015 @ 9:17am
  
  Re: Uh...
  Exposing the flaws is good.
  But who said that the CIA published them?
  [ link to this | view in chronology ]
- Anonymous Coward, 11 Mar 2015 @ 10:37am
  
  Re: Uh...
  The part you're missing is that there's no disclosure. They have a coordinated hack-fest, and the results of that get quietly deployed as part of their arsenal, without alerting the manufacturers or customers depending on this stuff to work.
  
  The end result is that the only people who gain anything from this are the CIA and those watching the CIA's actions -- other governments and malicious operatives.
  
  One example of this was in VLC -- for years, there was a VLC attack that was effective against OS X, Windows and Linux, and could be triggered just by opening a specially crafted file in VLC (the expected action would still perform too). As I understand it, this was used by the CIA, and eventually some companies like VUPEN noticed what was happening and added it to their arsenal. It took someone who used these products AND was concerned about product security in open source software to flag the issue up.
  [ link to this | view in chronology ]
mcinsand, 11 Mar 2015 @ 8:57am

watch lists and linux/BSD-related websites
There were a couple of articles last year, I think, claiming that commenting on a Linux or BSD related site would get you on a watch list. That makes sense, given that much of the OS development concerns security. Since improving security undermines the CIA's and NSA's efforts to undermine security, being concerned about how secure your system might be would effectively be having an interest counter to that of our government.
[ link to this | view in chronology ]
Anonymous Coward, 11 Mar 2015 @ 9:06am

"other adversaries" = ordinary citizens
"That's what we do," the official said. "CIA collects information overseas, and this is focused on our adversaries, whether they be terrorists or other adversaries."

So the CIA collects information "overseas" -- i.e., on U.S. citizens using the other Four Eyes.

After the recent dustup between the Senate and the CIA, why am I not sleeping better at night ?
[ link to this | view in chronology ]
KitKat, 11 Mar 2015 @ 9:25am

Corporate Personhood
So here's a thought...

In the US, corporations are legally people, which they claim grants them rights enjoyed by legal human citizens (rights which are being misused - I'm looking at you, ISPs who claim 1st Amendment means they have a right to censor or modify people's data on their networks). So from a perspective (not necessarily correct but analogous for our purposes), US companies are US citizens.

So then how come hosting a jamboree to hack into an American company's stuff is more acceptable than hacking into John Doe's computer for the same reason? Now, you can say that they bought Apple hardware and hacked that, which is "okay"* because at that point they owned the hardware and not Apple. But if (haha if) they instead actually hacked into servers and stuff owned by Apple, Apple should be screaming massive 4th Amendment violations (corporate personhood and all, right?), just like John Doe would - and the government can't claim lack of standing on this one.

This is all bullshit. Either companies are people, or they aren't** - the government doesn't get to pick and choose based on how it feels and what it thinks it can get away with, but right now the citizens are getting the short ends of both sticks.

*As an aside, lots of companies are claiming that modifying stuff is illegal - phone unlocking, jailbreaking, modding, etc. There's been a decade or more of fighting over our rights to make harmless modifications (jailbreaking doesn't encourage piracy anymore than encryption encourages terrorism) to our devices. Yet while lobbyists/the government is trying to make stuff like device modification effectively illegal ('without permission' or whatever red herring platitude they insert), they themselves are doing exactly that - only their modifications are far from harmless. The government is once more not applying the same standards to itself as it does its citizens, just like when all those copyright maximalists were caught using copyrighted material or pirated software.

**I'm inclined towards the latter, seeing as corporate personhood is pretty much a uniquely American thing. There are better tools to accomplish the same goals; corporate personhood isn't necessary..
[ link to this | view in chronology ]
- Anonymous Coward, 11 Mar 2015 @ 5:06pm
  
  Re: Corporate Personhood
  The fourth amendment has been damaged so much that your argument falls apart, not because there's a double standard, but because this is legal to do against people.
  [ link to this | view in chronology ]
rob frost, 11 Mar 2015 @ 9:27am

Small Title Correction
The quote in the title "It is what is" is missing an "it".
[ link to this | view in chronology ]
Anonymous Coward, 11 Mar 2015 @ 9:36am

They sound like a fucking bunch of frat boys, so arrogant they don't feel the need to justify their behaviour in any way.
[ link to this | view in chronology ]
Ambrellite, 11 Mar 2015 @ 9:41am

Makes sense
"It's what we do" is the response of someone who has never stopped to think about the broader context of their job. That makes sense, since the last thing the intelligence community wants is another employee who starts asking why what they do is legal or how it's useful.
[ link to this | view in chronology ]
- That One Guy (profile), 11 Mar 2015 @ 9:53am
  
  Re: Makes sense
  Smart but gullible, that's the way they like it. Smart enough to do your job, stupid or gullible enough to not ask questions about it while you do it.
  [ link to this | view in chronology ]
David, 11 Mar 2015 @ 11:24am

Sorry folks
There still happen to be laws. And since you are a government agency, this pesky bill of rights, too. Those are boundary conditions for your job. Exceed them, and you have failed your job, your country, and your oath.
[ link to this | view in chronology ]
- GEMont (profile), 14 Mar 2015 @ 1:21am
  
  Re: Sorry folks
  s
  
  Well, we completely changed the constitution because 9/11 and so now, all of your so-called rights and laws are what we say they are, when we say they are, and according to OUR latest re-interpretation of the laws of the USA, we have not exceeded any legal boudaries, or broken any laws.
  
  Sincerely,
  
  NSA, your National Surveillance Agency
  
  PS
  
  eat out shorts :)
  
  /s
  [ link to this | view in chronology ]
Anonymous Coward, 11 Mar 2015 @ 12:22pm

Anyone else see the marketing potential in that for the CIA?

Torture: It is what it is, and that's what we do!
Spying on you, the US Citizen: It is what it is, and that's what we do!

Super catchy.
[ link to this | view in chronology ]
Personanongrata, 11 Mar 2015 @ 1:15pm

Unconstitutionally Redundant
CIA's hacking efforts are redundant as NSA already unconstitutionally collects and stores every last bit and byte of data transmitted in the world.

The cretins at CIA are simply looking to protect their rice bowl.
[ link to this | view in chronology ]
Anonymous Coward, 11 Mar 2015 @ 2:49pm

"It is what it is" and what it is is lawfully illegal according to your LAWFULL constitution, where the main purpose of such an event is to create tools that WILL be used, unlawfully, to violate the fourth

So you breaking the constitution, law, legal, policy, whatever the fuck you should call it depending on your blaze mood, you breaking these that you enforce by force on others is most assuredly not a bullshit fucking response of

"It is what its"

No.its.fuckin.not............or are you implying that laws are meaningless, that nobody should bother following them, and your authority go up in smoke with it........thats seems to be about the same amount of respect you are showing to the law of the land with

"It is what it is"........god, .......cant we have a tsa scanner that identifies bad fucking representation, at least tsa would do SOME good against the damage of their existance......and......and.......no more bad fuc..ing representation
[ link to this | view in chronology ]
Giles Byles, 11 Mar 2015 @ 4:44pm

He characterized 'em as what again?
"Amoral"? Perhaps Professor Bellovin was intending to use a more neutral word like "agnostic." "Amoral" is an ugly adjective & not something to be proud of.
[ link to this | view in chronology ]
- nasch (profile), 11 Mar 2015 @ 9:51pm
  
  Re: He characterized 'em as what again?
  "Amoral" is an ugly adjective & not something to be proud of.
  
  What makes you think he views it as something to be proud of?
  [ link to this | view in chronology ]
Aaron (profile), 11 Mar 2015 @ 10:07pm

Amoral
I don't think Steven Bellovin -- a computer networking and security researcher at Columbia -- was shrugging off the CIA hacking Apple products. I think he was expressing a complete lack of surprise by it, because who would be surprised by the CIA's or NSA's tactics these days, but still condemning the CIA's activities as amoral.
[ link to this | view in chronology ]
Eric Robertson, 7 Sep 2015 @ 10:01am

ALL SOLUTIONS !
Get a hold of (302) 365-0294 for all hack solutions ...social networks , emails , i tunes, i cloud instagram, whatsapp, We-chat and others to make sure they’re not getting into trouble? Whatever it is, Ranging from Bank Jobs, Flipping cash, Criminal records, DMV, Taxes, Name it, We can get the job done..services like NONE !
[ link to this | view in chronology ]