We’ve been asked numerous questions about WikiLeaks’ March 7th CIA document dump.
Did the news surprise you?
No. Spies spy. And that spies use hacking tools… is expected. (“Q” does cyber these days.)
Does this mean that the CIA will have to start over and rebuild a completely new set of tools? Does it need to start from scratch? Is everything “burned”?
The CIA’s developers would probably need to retool anyway. Operating systems get major updates annually. There’s always churn, and thus tools to be rebuilt or created anew. A vulnerability analyst and exploit developer is always busy.
Do you think the documents are real?
What are the documents about?
The documents appear to have come from an internal wiki of some sort. They look like notes written by a developer.
Where did they come from?
A (very plausible) theory we’ve heard: former Booz Allen Hamilton contractor Harold Martin’s cache of documents.
F-Secure was mentioned in the documents. What do they mean by “annoying troublemakers” and “lower-tier”?
Don’t know, ask them. (Not sure we care.) Sounds cool though.
How is F-Secure Labs reacting to the alleged “by-pass” documented in the leak?
Very seriously. Investigations began immediately. Notes don’t equal a good bug report, however, so it will take time to be thorough.
How do you normally handle vulnerabilities?
Via our own bug bounty program.
Will you be paying a bug bounty to the CIA? (Seriously, we’ve been asked this.)
Do you handle vulnerabilities often?
A fact of life: all software has bugs. Endpoint protection software is a popular target of university researchers. And that’s a good thing: bug hunting makes for better software.
Any other thoughts?
Cyber security companies are frequently asked if they add backdoors to their products for the benefit of law enforcement and/or nation states. We think these documents conclusively dispel that theory (at least on our part). As you can see, nation-state adversaries need to make an effort to bypass our products, just like cyber criminals.