Julian Assange Press Conference March 23, 2017
Transcript from the Live Streamed Audio Press Conference: Second tranche of DarkMatter released
Julian Assange and Embassy Cat / Twitter His children gave him a kitten (now a cat) to help him be less lonely, who is Embassy Cat.
DarkMatter
Speaker: Julian Assange from Ecuadorian Embassy in London, UK over Periscope
Note: The original livestream on Periscope was very jerky with long pauses and skips. Conspiracy theorists puzzled whether the feed was being interfered with by those against the release of this information. — The Youtube link at the bottom of this page has a good audio. The transcript is my best efforts for a large section of the audio (first 25 minutes) that covers the release.
“Audio check 1 2 1 2. Audio check 1 2 1 2. Reports on some people saying there are audio problems….”
Welcome to the Wikileaks Press conference on CIA Vault 7 DarkMatter and associated issues, which we will get to in the questions.
Today March 23rd, 2017 Wikileaks releases CIA Vault 7 Dark Matter which contains documentations for several CIA projects including of that name that infect Apple Macintosh computer firmware, meaning the infection persists even if the operating system is reinstalled. Developed by the CIA’s Embedded Development Branch (EDB). These documents explain the techniques used by the Central Intelligence Agency to gain “persistence” on Apple Macintosh devices including Macs and some iPhones, and demonstrate the use of EFI / UEFI and firmware malware.
What does that mean? That means this is a malware technique developed by the CIA to insert its malware and viruses into people’s computer systems – MacIntosh computer systems – which doesn’t store itself on the regular hard drive that people use so that even if you throw away your hard drive and reinstall your operating system the malware persists.
In fact, the development notes that the more recent versions of this malware show that the CIA believes that the malware will even persist across “sonic screwdriver” infector is stored on modified firmware of an Apple Thunderbolt to ethernet connector. That is a device made by Apple to produce – it is like a USB dongle – a dangerous dongle in this case – to connect to the ethernet. The CIA has modified that to use it to take over the computer system at boot time before the Mac firmware password is demanded.
DarkSeaSkies
Another CIA project that we have published today DarkSeaSkies is according to the CIA “an implant that persists in the EFI firmware of an Apple MacBook Air computer and consists of DarkMatter, SeaPea, and NightSkies. These are respectively EFI, kernel-space, and user-space implants.”
What does that mean? That means that you shouldn’t think of CIA malware as simply one program that is one little virus that connects to a system and does one job. In fact there is effectively a malware ecology that is being developed by the Central Intelligence Agency over the last decade with many different interacting components to persist to more embed itself into a Macintosh device so that it couldn’t be cleaned out and so that it could hide from antivirus products. Even if you did have an antivirus product that detected it that you might suspect that there is a problem and reinstall the operating system, but by using this EFI method the CIA is able to keep Triton embedded into Apple Macintoshes across upgrades.
While the Dark State manual released today is from 2013, other Wikileaks Vault 7 documents – which we have linked to in our press release – show that as of 2016 the CIA continues to rely on and update these systems and is working on the production of Dark State 2.0 which includes advancements on some of these methods. The efforts there are documented in one of the CIA Wiki development pages which we released last Tuesday but which has not been remarked upon.
NightSkies
Also included in this release is the manual for the CIA’s NightSkies which is a “beacon / loader / implant tool for the Apple iPhone”. What’s a beacon? It’s a system used by intelligence agencies starting back in the 1950s where you would put a bug say in someone’s car and it would give off radio signals and through that you could track it. Well modern beacons infest things like iPhones, and they report back over the internet where the iPhone is and other stats on the iPhone back to the CIA saying “here I am, here I am, I’m awaiting instructions, give me more instructions”. Noteworthy is that Night Skies had reached version 1.2 by 2008, so that means it had been in the process of development for some time by 2008, but it is expressly designed to be physically installed onto factory fresh iPhones. Not an iPhone that has been stolen from you by a CIA asset and then implanted with this material, but in an iPhone before you even get it. Reading these documents other interdiction methods which is say, for example, if the CIA has an asset maybe who will give one of these phones to its asset. Or give to the asset to give to someone else.
OK, so that’s the new release for today. I want to put it into some political context. I find this very important. There’s a lot of good technical publications like Wired, Motherboard, and so on and these technical publications concentrate on the technology, and they are all a bit in love with the technology, and these publications are in fact very easy to – unfortunately – politically fool through the use of euphemistic code words which [glitch] perceived to be funny. For example there were several Japanese smilies in the publications we produced on Tuesday. But because they are technical publications they specialize in technical aspects not looking at how those technical aspects connect to the institutional, political and geopolitical components that of course involve any large organization like the Central Intelligence Agency which has to fight for budget and depends on particular alliances within the state and out-of-state and between states to do its work.
CIA – What are they doing?
So let’s pull back. Yes, the Central Intelligence Agency has produced methods of infecting Apple MacIntoshes, which are used all around the world, and iPhones, and it has a very considerable effort to do that through its Embedded Development Branch but also other branches and there’s a lot more material on that to come. What we have released today on Dark Matter is a small example. But the Central Intelligence Agency is the largest intelligence agency in the world. Now, it’s an organization with tens of thousands of people. There’s many good people in there. There are internal divisions about some of their unethical practices that have been conducted and every country that wants to be independent and determine its own [glitch] CIA should be broken into a thousand pieces and splintered to the wind because it had gotten so out of control. This lack of control comes about in a very obvious manner. You have a secretive agency and secrecy, of course, breeds corruption normally, but you have an agency which trains its people to lie and to engage in cover ups and clandestine activities. So already you have an agency whose staff receive values and expertise that make them very hard to manage and very hard for there to be internal accountability.
And then, because the CIA crept from being an agency which reports on what is going on in the world, potentially a positive thing to understand the world and produce comprehensible reports about what is occurring, to an agency which reports on the world and then commits actions [glitch] to overthrow governments, to influence elections. The Cornell University report from last year says that the Central Intelligence Agency and associated agencies in the United States since 1949 have interfered in more than 81 elections around the world – not including coups. It then became an agency which reported on its own activities in the world and it recommended what activities to conduct. So this means, that the [glitch] CIA is more known because it is more directly involved in political action, but the National Security Agency was doing vastly more electronic spying and as a result it had a larger budget and it could fight for its place at the budgetary table.
Since 9/11 the Central Intelligence Agency has overtaken the National Security Agency as the budgetary dominant agency in the United States. Its budget is now about 1.5 times that of the National Security Agency, so the position has been reversed. As a result of that tax largesse, the Central Intelligence Agency has increased its institutionalized ambitions to the point where it is rivaling the Air Force now by commanding its own world-wide drone fleet. It is in some ways rivaling the FBI – not so much internally in the United States where it does provide support to internal operations, but by being an armed force outside the United States conducting interrogations, renditions, torture at least for a period. Applications iPhone last September – That information has come out. You can find it if you search for it hard on the “dark side”.
It’s a very interesting question whose done that – I speculate probably Ukrainian intelligence agency, but it is not entirely clear who has done it. But it does show just how invasive it is because people now put nearly all their lives – not all of their lives – a substantial fraction of their life to the most intimate communications with others where they are, their thoughts as they search for things into one device – their smart phone. If a person’s smart phone is hacked – not only can they be hacked – but once they are hacked because of the unification of chat, systems communications, etc. of video into one smart phone the large extent of one’s life is exposed.
Informing affected companies
Okay let’s move to questions. Thomas Fox Brewster, security reporter from Fox News, says “You made demands of tech firms before handing over CIA exploits. What were those demands and has the info been handed over?
Well, I think “demands” is a bit of a strange word to use. This is a serious business. These exploits that have been produced by the CIA can affect millions and millions of people. So it has to be done cautiously, and there have to be security channels involved, and there has to be agreements that the vendors will in fact be responsive and will produce security fixes. WikiLeaks has no obligation. We are a publisher. We specialize in investigating and publishing and fighting to secure our sources and for the right of journalists and others to freely express themselves. We have security people who work for us. It is my view that the security teams are actually very responsive in doing a good job at the major organizations. In some, there has been a holdup at the legal end and possibly the political end.
Time line
I’ll just go through a chronology:
On March the 12th we contacted Mozilla, Google, Apple and Microsoft.
Cisco was also very proactive and one of their lead security engineers contacted us proactively. Some of you will have noticed that they put out an advisory the day before yesterday on one of the CIA exploits which affects more than 300 types of CISCO routers. That has permitted CISCO to alert its users so they can disable that service, telnet, which has the hole which the CIA or anyone else can use to, in theory, exploit to get into these systems. We didn’t publish the exploit itself, but a description of it. That description was enough for CISCO to work out what it was.
The same day March 12, Mozilla replied agreeing to our terms. What were the terms? Nothing surprising there. Industry standard 90 day response plan.
So within the computer industry there has been a debate over the years about what happens when someone finds a zero day security weakness in a computer system that we use to underpin modern life, many people use. Should we just give it to the manufacturer and say nothing and wait? Or should you just publish it straight away, so that everyone is aware of the problem and can take steps to deal with it? Well, the problem is … if you publish it straight away to everyone – and there is actually lot to be said for that – the problem is that all the good guys get it at the same time as all the bad guys get it. And therefore you have a race condition between the good guys and the bad guys. So now large organizations have dedicated computer security teams and they can respond quickly and effectively to such notifications about vulnerabilities and they do it all the time. But smaller organizations don’t, so they can be ignorant or they just aren’t aware or they don’t know what to do. They have to wait for some fix from the manufacturer. Okay, well, what about if you just give it to the manufacturer. You give notification of the vulnerability that you found. What happens then? And you just wait for a fix. What if they don’t fix it? That has been the long experience of people, security consultants, who have found these things. They just don’t fix it. Why? Because of the operation to do it costs money, its embarrassing, etc. So over time the industry has evolved to [glitch] and we are responsive.
March 13 Google acknowledged receipt of our initial approach, but didn’t address the terms. We didn’t demand money from these organizations, etc. All that is in our terms is the standard industry terms. You have 90 days. We need a secure point of contact, encryption keys to make sure that when we communicate this information to you other people can’t get at it. This is a high security very delicate business. It’s not something that involves just throwing out emails to random parties within an organization.
March 15 Mikrotik contacted us. Mikrotik makes a controller that is widely used in Voice over IP systems, which the CIA targets.
March 17 Mozilla provided first feedback to us and asked for more files.
March 18 We told Mozilla that we were looking for them.
March 20 Was the first contact from Microsoft. Not agreeing to the standard terms, but pointing to their standard procedures and a PGP email. Same day Google replies pointing to their standard procedures and a PGP email. It’s a bit coincidental that an 8 day delay and on both Google and Microsoft.
That both holdups have been at the legal and perhaps political level. Why is that? Well, my belief is that – and has been argued by others – is that Microsoft, Apple, Google etc. have a number of contracts with the US government. In fact, Google has declared to be a part of a member of the defense industrial base. I’ve written about that in a book about Google. You can search for “Google, it’s not what it seems” (extract of book) for that essay.
And the kind of computer security people who you need to understand this are frequently involved in a revolving door with military and intelligence contractors. So they often have security clearances and a bizarre and frankly counter productive standard has arisen in the United States which makes it hard for security workers and some people in security agencies to look at and share published information where there is a claim that the information derives from classified US government documents. It’s been enormously counter productive and we’ve seen it in several of our publications and it is used also for political reasons to tell intelligence agency workers and contractors involved in the US intelligence community that they’re not allowed to read WikiLeaks. They are not allowed to read “The New York Times” when it publishes information about abuses that are occurring in intelligence agencies derived from our material or independently sourced.
So it’s a dual purpose. It’s used to prevent people in the US intelligence community from having intellectual exposure to arguments about why their organizations doing poorly. And at the same time security flaws in their products that can be pervasive and affect everyone. They have systems to turn those around very quickly – sometimes a matter of days. Other times they get lazy or distracted or the security flaw affects a system that is involved in many other systems and therefore requires extensive testing before the patch is sent out because you could have a security flaw in your security flaw. That has happened in the past. You can have a security flaw in your fix to the security flaw and that has happened and so those can take a few weeks, but we are giving them 90 days which tends to be on the upper end of the disclosure time line. Of course, in a particular case if a manufacturer writes to us and says for this particular flaw, this particular vulnerability, the CIA is exploiting is extremely difficult to fix in practice – extremely difficult to create a patch for – and they need more time to test it and roll it out, etc. then that is a dialogue we can have.
Lame question
Jeff Pegues from CBS News – Why did you release the documents on Tuesday? Could you comment on the timing?
That’s clearly referring to Vault 7 Part 1, our first release of the CIA documents which you can find at http://www.wikileaks.org/ciav7p1
Well, I mean, this question unfortunately is like many questions that I feel are politicized. Instead of looking into what information has been released, which is extensive. More than 8,000 documents, in this case from the Central Intelligence Agency. And what that implies and who it might affect and what people can do about it to re-mediate it and what does it say about where these kind of intelligence exploits are going. It tries to erect, what seems to me, to be a conspiracy theory about the timing to distract from the content. I think that is unfortunate. In the initial press release we document exactly why we released [glitch] the largest intelligence publication in history.
Are you secure?
So how these things go is you do a survey of the material you have and then you concentrate on more in-depth surveys of particular parts. You try to understand who in the world has the best expertise for understanding that can they be trusted to keep the material confidential during the research phase. Do they have the necessary opsec, the necessary operational security. Essentially can they secure themselves while they do this research. That’s a really hard problem because look at what we are publishing. It is about not only the Central Intelligence Agency, but that precise section (at least at the moment) of the CIA which is involved in hacking people. So how are journalists going to securely receive information from us? How are they going to securely work on it? How are they going to securely coordinate? While we have answers to those questions for people that we are very used to working with – we build up a way – encrypted contacts and so on – it is quite hard for many journalists to understand how to research a topic like this and keep themselves secure.
Globalists want to take down WikiLeaks
So to summarize there is probably a year of publications, I would say [glitch] it’s included informants, it’s included flying FBI agents and prosecutors into Iceland, it’s included transnational payoffs to informants, it’s included getting people to wear wires, it’s a really outrageous investigation that most of it was conducted under the administration of Barack Obama… sadly. Now over time there has been some embarrassment about that continued investigation by the DOJ. It is why I have political asylum from Ecuador. The United Nations twice in the last twelve months has said that my ongoing detention is illegal under international law, the binding international law, that the UK is part of and Sweden, but formally it continues on. And there was a statement recently that that grand jury process has now been expanded to include this recent publication of Vault 7 material. It’s not clear whether that is concentrating on the alleged sources for the material or whether it is also going to look at the publisher and journalists involved.
(Julian Assange continues discussing his detention and situation, but I did not transcribe that portion.)
Questions at #AskWL (only 2 questions selected)
Following Youtube link has good audio of the complete press conference.
https://www.youtube.com/watch?v=UJdioGzBiY0
Summary information from Wikileaks Press Release March 23, 2017
“DarkSeaSkies” is “an implant that persists in the EFI firmware of an Apple MacBook Air computer” and consists of “DarkMatter“, “SeaPea” and “NightSkies“, respectively EFI, kernel-space and user-space implants.
Documents on the “Triton” MacOSX malware, its infector “Dark Mallet” and its EFI-persistent version “DerStarke” are also included in this release.
Also included in this release is the manual for the CIA’s “NightSkies 1.2” a “beacon/loader/implant tool” for the Apple iPhone.
“Sonic Screwdriver” project which, as explained by the CIA, is a “mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting” allowing an attacker to boot its attack software for example from a USB stick “even when a firmware password is enabled”. The CIA’s “Sonic Screwdriver” infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter.
Vault 7 “Dark Matter”, which contains documentation for several CIA projects that infect Apple Mac firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA’s Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware.
Wikipedia: Malware
Wikipedia: Firmware
What is EFI?
Wikipedia: EFI / UEFI explained – Unified_Extensible_Firmware_Interface
Stackoverflow explains “What is the difference between the kernel-space and the user-space?”
Wikipedia: Julian Assange
Wikipedia: Central Intelligence Agency (CIA)
Wikipedia: History of CIA
History of the CIA (from the CIA’s view)
Slate magazine: History of CIA torture
Mapped: The 7 Governments the U.S. Has Overthrown
Salon.com: 35 countries where the U.S. has supported fascists, drug lords and terrorists
Wikipedia: CIA activities by country
Want to work for the Central Intelligence Agency on future exploits?
Careers at CIA: – Cyber Exploitation Officer (Washington DC Metropolitan Area)
Cyber Exploitation Officers use a holistic understanding of digital capabilities to evaluate and exploit digital and all source intelligence information to identify key adversaries and assess how they operate and interact. Cyber Exploitation Officers use strong critical thinking skills and a variety of digital analytic and/or forensics tools and methods to extract valuable information from digital data and create a range of products that explain their findings to inform operations, drive collection, and support customers.
Cyber Exploitation Officers triage, review, and identify items of intelligence and operational interest from technical collections and other datasets. They leverage advanced methods to exploit data sets, and create and refine capabilities to exploit large data sets quickly and accurately. They identify and prioritize intelligence gaps, determine the appropriate collection actions needed, and drive the collection process.
ALL POSITIONS REQUIRE RELOCATION TO THE WASHINGTON DC METROPOLITAN AREA.
All applicants must successfully complete a thorough medical and psychological exam, a polygraph interview and an extensive background investigation. US citizenship is required.
To be considered suitable for Agency employment, applicants must generally not have used illegal drugs within the last twelve months. The issue of illegal drug use prior to twelve months ago is carefully evaluated during the medical and security processing.
Minimum Qualifications:
- Bachelor’s degree, preferably in Computer Science, Digital/Computer/Network Forensics, Computer Engineering, Applied Mathematics, Information Security, Information Assurance, Telecommunications, Data Analysis/Analytics or equivalent studies
- GPA of at least 3.0 on a 4.0 scale
Desired Qualifications:
Important Notice: Friends, family, individuals, or organizations may be interested to learn that you are an applicant for or an employee of the CIA. Their interest, however, may not be benign or in your best interest. You cannot control whom they would tell. We therefore ask you to exercise discretion and good judgment in disclosing your interest in a position with the Agency. You will receive further guidance on this topic as you proceed through your CIA employment processing.