Flaws are more troubling than surveillance
We shouldn’t be surprised that organisations like the CIA are using technology to monitor people of interest to them, but the weaknesses they knowingly leave behind are a big concern.
This week, along with other students at the SANS Cyber Retraining Academy, I completed two capture the flag challenges. I worked as part of a team to probe a network and find weaknesses in both Windows and Linux systems that allowed for data to be extracted.
At the same time, news was breaking about compromises of a different kind. Documents published by WikiLeaks purported to detail an arsenal of malware and exploits used by the CIA to access computers, mobile devices, and even smart TVs – often to gain control of their cameras and microphones to listen in on their owners’ conversations.
First off, should we be surprised by this? In short, the answer is no. Following the Snowden revelations a few years ago, it was clear that governments and intelligence agencies work on these kinds of exploits. As I wrote last week: If I’m able to take a screenshot on a flawed system after just a few weeks’ training, one can only wonder what the world’s top hackers can do.
In fact, as one commenter on the Washington Post’s report pointed out, this could actually be a step in a positive direction. These kinds of attacks target individuals, and may mark a move away from the mass data analysis that came to light following Snowden’s leaks.
What is more worrying is that the CIA chooses to keep these zero-day vulnerabilities secret rather than disclosing them to manufacturers and developers like Apple and Microsoft. Much like the encryption backdoors detailed in the UK’s Snooper’s Charter, these flaws are not government-only – if they remain unpatched they can be used by malicious actors, too.
The solutions to the capture the flag exercises I completed this week centred around poor encryption, vulnerable software and other weaknesses that let our team slip through the cracks to access data on – and ultimately take control of – the target computers.
If our governments and their agencies deliberately keep defences weak, they could be leaving the door open to people much more dangerous than a bunch of cyber security students.
Photo © Sarah Joy (CC BY-SA 2.0). Cropped.