Vault 7 and the protection of America

For those who have spent the last month under a big stone:

Wikileaks recently published a lot of information about a set of malware, created by FBI and nicknamed “Vault 7”. There were specimens in it, able to break into and take control over mostly any kind of CPU-based device – smartphones running iOS or Android, PCs running Windows, MacOS or Linux, etc. FBI declared that this publication is a breach of the national security, and that this exposure made USA less secure.

I beg to differ.

What makes USA less secure is the existence of this trove. More specifically, the fact that FBI knew about the software vulnerabilities its malware exploits, but never notified the software manufacturers about these. Consequently, the disclosure of these vulnerabilities makes USA more secure. In this particular case, what is bad for FBI might be good for USA.

Why so?

First, let’s put a big question aside. Let’s assume that FBI would absolutely never use these tools to spy, unless that spying is benevolent and only protects USA. Further, let’s assume that FBI will never collect any information other than what it needs to protect USA. Also, that it will never use this information to any other goal than protecting USA. (For example, that a Watergate-style spying is impossible in principle.) And that every single FBI member is a white knight who will never betray their agency and never use its activities for personal gain. (If you have more ideas how to make FBI even more benevolent, use them here.)

Even this all will not change the fact that hiding these vulnerabilities was a harm to USA, bigger than any gain FBI could have made by exploiting them.

There are no FBI-specific software vulnerabilities. Every vulnerability is open for exploiting by anyone who knows about it. The mentality “we are the best, only we will know about it” is one of the most tested and proven nonsenses to exist. The entities who make a living from constantly seeking for software vulnerabilities are probably in the hundreds. All big intelligence services are into this, including these of most countries that are usually up to no good. And hundreds of cybercriminal gangs are into it too. Those two kinds of players together employ far more people and consequently far more talent than FBI. It would be a miracle if they don’t find most, if not all of the vulnerabilities FBI has found.

The similarity ends here. Even if not perfect, FBI is still a generally benevolent entity, trying to mostly limit their activities to protecting their country. They have a mostly responsible approach to acquiring information and protecting that information. These things however are true neither for the intelligence services of the authoritarian and aggressive countries, nor for the cyber criminals. Neither of these is benevolent or responsible to any degree, at least towards USA. Both kinds will happily eavesdrop on, or attack any American – the first because of the principle enmity of the dictators for the democracies, the second because the Americans tend to be richer than most other peoples.

By not telling the software manufacturers about these vulnerabilities, FBI exposed the American citizens at the mercy of tens of the intelligence services of authoritarian governments who hate USA, and of hundreds of cyber criminals who would happily empty the Americans’ pockets, blackmail them or even disrupt important activities for fun and power demonstration. It is true that in this way FBI also gives itself the opportunity to obtain info that can protect the Americans to some extent. However, the losses are bigger than the gains by magnitudes.

To sum it all: in this particular case FBI exposed America to harm, and Wikileaks helped prevent that harm for the future.

Whether FBI or Wikileaks are happy with the roles they played in that is another topic.

10 Responses to 'Vault 7 and the protection of America'

  1. Иван Says:

    WTF?

    Why are you talking about FBI, instead of CIA?

    Nobody who have checked the original source of the news could have made such monumental mistake.

    Vault 7: CIA Hacking Tools Revealed

  2. Григор Says:

    @Иван: The news source I used (an article on either BBC or CNN) never mentioned CIA. All references were about FBI. I decided that their info would be reliable. Obviously not.

    The problem is, changing one three-letter organization with another changes nothing on the topic of this post.

  3. dido Says:

    Grigor, as you know, there is a simple principle “Garbage In – Garbage Out” …
    It is good to check your sources, and when you are lied, to distrust the liar.

  4. Григор Says:

    @dido: I was able to find that article again later. It was fixed, and there was note in the bottom about the corrected mistake. As it is not essential – it changes nothing about the article topic, which was also whether it has been a good idea – I would believe that it has been just a mistake.

  5. Иван Says:

    I’d like to see that article and that note by myself.

    It’s great that you have found it again, now you can’t say that you’ve lost it and you don’t have time to look for it again. 😉

    Still, if you knew what CIA, FBI, EPA, NSA are doing… you also would have been very suspicious toward your news source.
    I’ve told you before to check our sources before publishing something. It also best to check the original source if possible, because many “news” cite thing wrongly or misrepresent things. The worst examples are of course science and medicine articles in mass media.

    FYI, there is FBI Records: The Valut that contains huge number of Freedom of Information Act documents. Just to make things a lot more confusing. 😀

  6. Григор Says:

    @Иван: Will try to find it again. (I usually don’t care to record or remember sources, so I can’t recall it.) It was published in either BBC or CNN, about a week ago. To my impression, they are usually trustworthy sources (they sometimes make mistakes – everybody does – but at least haven’t seen them so far publishing intentionally fake news).

  7. Иван Says:

    You will never provide your source, because the source you describe does not exist.

    It’s quite transparent lie. You repeat verbatim your claim that the news article source has been BBC or CNN. You do that after you have (allegedly) looked it up for a second time. If you had really done so you would have known for sure if it is BBC or CNN.
    Just like you are going to remember where your keys were, after you turn your home upside down to find them.

    Initially I thought that you might have read an article in (native) Bulgarian or Russian language, where they might have used a broad term like “The American Agency” and you simply assumed the wrong agency.
    Now I’m more inclined to think it might have been in Russian. Basically a source you should never trust for anything.

    I find it quite worrisome, that you not only refuse to admit doing a mistake, fabricate a lie about somebody else misleading you, but that you proudly refuse to fix your mistake…

  8. Григор Says:

    @Иван: You appear very convinced that your skill in finding info is absolute – if you can’t find it, then it doesn’t exist.

    Unhappily for you, nobody but story freaks cares to remember the exact source of every story they read, and I read a lot – dozens of news per day. It is only natural that I won’t remember the exact place of the story. And I couldn’t care less what conclusions you will make out of this. The problem is 100% yours.

    Also, I didn’t looked up the story – just stumbled upon it when I saw it for a second time. Such a thing happens when you read news.

  9. Иван Says:

    You still do not provide the link you promised.
    You never will.

    Came on, prove me wrong.

  10. Григор Says:

    @Иван: You were explained all that before. You learned nothing. And nobody pays me to help you fix your problems. That is yours, and yours only task.

Leave a Reply