26 comments

[ 3.9 ms ] story [ 49.9 ms ] thread
This was all released many years ago in the Vault 7 drop. What's new here?
1. This news site is analogous to a tabloid. They're just rehashing info from K's appearance in a LADBible video: https://www.youtube.com/watch?v=BXtDH2IXKY8

2. While I don't even dislike the guy, let alone hate him, Kiriakou tends to make grandiose and controversial claims that get discredited.

3. Kiriakou hasn't been privvy to CIA tech since roughly 2004. Yes, before the era of modern smartphones, all devices were pwned. He's been doing the rounds on any podcast that will take him where he elaborates on these claims further and it's pretty clear that he doesn't have decent subject matter knowledge.

Can a lot of phones and TVs and cars be exploited? Yes. Keep your devices patched. And, don't do things that attract the CIA's attention enough that they're putting in the significant effort it takes to pwn your TV or car.

tl;dr: If you're in a position where the CIA is targeting you, worry.

Just buy a range rover. Nobody can operate it. Not even the mechanic who is currently looking into it, again.
I get the joke, but LRs/RRs had the top theft rates in Canada, for shipping overseas.

Like, 4% theft rate per year nationwide. 1 in every 25 jacked in a year: https://www.equiteassociation.com/top-10-archives/top-10-mos...

And pushed 7% in Ontario: https://www.equiteassociation.com/top-10-archives/top-10-mos...

(And not those stupid “Honda Civic is the most stolen car” publications that fail to control for popularity. When you do, Civics are middle of the pack).

Of course the industry only published the frequency rates for a few years because it probably didn’t instil the fear factor that journalists failed to point out in their slop.

https://www.equiteassociation.com/top-10-most-stolen-vehicle...

These three agencies are opposed to the public having access to appropriate cybersecurity: NSA, NIST, CIA. The goal of government should have been to boost the citizen's cybersecurity, but it is the opposite. Americans are worse off as a result.
I am a security researcher and three letter agencies have talked to me more than a couple times about their interest in my work.

I got a used manual transmission easy to repair vehicle with no internet, no cell phone, I only use cash IRL, and the only device I travel with is a QubesOS laptop.

If the CIA wants to track me, they are going to have to work for it. I hope to waste as much of their time as possible.

Well, these measures are a bit outdated. To be tracked now you don't need to access someone's personal devices. You can be tracked with flock cams, ring cams, or any other thousands of cams out there that are already recording you and logging your car and your details. That grocery store you went to yesterday? Yep, you are logged from the moment you are in the parking lot till you leave. Oh, you used paid parking a day later? Your car is logged too, same goes with bus/trains tickets. Neighbors cams or building CCTV? That too. Your home address is also logged through many ways but primarily your tax filing and driver's license. Your home internet can be logged one way or another too, at router level (think of the many exploits against that). What about your laptop hardware? Definitely it isn't open source. Plus, have you checked your hardware if it's bugged? I personally know someone who ordered a laptop and an XYZ agency bugged his laptop (man in the middle) before it was delivered. A new laptop you order online and your bank info will trigger someone to intercept it and alter it in the middle. And many more details, like, are you sure someone won't stick an AirTag somewhere in/beneath your car to track you? FBI and DEA already used modified AirTags that won't notify anyone with an iPhone around to track drug dealers precisely. What about personal connections like friends and family or work that could be a weak link? and many ways without going into further details. So while your measures might work against some random internet attack or random stalker, against a surveillance state it won't. If they want to track you, they have all the resources (technical, legal, etc.) needed to do so.
I am a nobody who had a mental health breakdown following an ugly divorce and even though I settled my case - 380 days in solitary, Plea Bargain for Class A Misdemeanor - last month I was cuffed and interrogated in one county simply because I visited downtown and my plates were picked up in a different county when I was trying to navigate family law related obligations.

To put it another way, I'm on a legal-to-harass-list probably for the rest of my life and likely can't do a damn thing about it...beyond the obvious, which I've chosen, which is to enjoy a low-key, crime free, introspective creative sabbatical as much as possible on the fringes of society. Last thing I'm interested in is...whatever they accused me of this time...

A former NSA guy worked with me seventeen years ago. He had been retired for five years from the agency at that point we worked together.

He did not own a mobile phone or any internet connected device. Was staunchly against it. This attitude was based on what he knew were the surveillance capabilities in 2003. Ended up retiring to a mountain cabin that was off grid.

Maybe he was crazy, but he never seemed like the prepper type. Just very very sober and serious about avoiding electronic communications.

How do you handle contact-less payment only scenarios, or purchasing items online?
I think the only way to avoid surveillance is to not use their system that enables that.

No baseband modem, no arbitrary blobs, no OS that sends data. And should be obvious: no messenger apps that can't be verified.

The problem though is not your phone if you set it up right: it's your contacts. Your opsec is worth a shit if any (and I mean _any_) of your friends uses iOS or not Graphene or LineageOS. And this _any_ also means _any_ security bug that is unfixed which alone by itself is not guaranteeable.

Humans are bad at time awareness, and that's the strength of surveillance systems.

I'm currently working on porting Mobian (or Nix, haven't decided yet) with Plasma to the Hackberry Pi device. In my opinion that's the first untrackable device due to it relying solely on Wi-Fi. Combined with an Atheros Wi-Fi USB stick this has the potential to avoid surveillance altogether, well, given the right tools for enforced randomization, tunneling, scattering etc.

[1] (not ready yet) https://github.com/rogueberry

[2] (there's more alternative versions) https://github.com/ZitaoTech/HackberryPiCM5

I'd be very interested to know what this community's view on Mr Kiriakou is

He shows up on Youtube a lot, and is always a great watch, but is he full of shit or what?

He has been invited to speak at HOPE and I'd like to think there is some level of standards applied to vetting talks there: https://www.youtube.com/watch?v=k3tKmaylRrY

He does repeat the same saga of his time in Pakistan a lot (or maybe im watching too many of his talks expecting something new).

He plead to a crime, which must’ve cut him off from most government work.

He seems to be on a PR tour now, I guess to try and get other work. Some people blast every connection on LinkedIn, he seems to take a different approach and guest on every testosterone fueled and non-fact checked podcast.

My 1971 Ford truck accepts the challenge.
I'm skeptical of some of this guy's stories.

In one interview he says that after being surveilled overseas for a while by an obvious amateur, he told the station chief who then gave him the OK to kill the guy.

Surely they would try evasion, counter-surveillance, or maybe even sending a team to grab the guy off the street to figure out who he is?

He claims the only reason he didn't kill the guy is because for some reason he randomly decided to mention it to a general in the local intelligence service, and then suddenly the tail vanished.

https://youtu.be/BXtDH2IXKY8?t=650

I also want to takeover my phone, TV, and even my car.
is this post trying to bait us? has anyone seen through the history of this guy s claims? have they been like debunked anywhere?
I always comment when people say how TV shows make hacking look so easy, that I think they're not too far off when the "hackers" are state-sponsored. Part of the benefit of compartmentalizing things like tool/exploit-dev from ops is you get good tooling that you just point and shoot and it mostly works.

With enterprise/corporate red-teaming you have to work for it a lot, update your tooling, attacks, etc... do a lot of recon. But even then, even in companies that take security seriously and pay for it too, experienced pros spend a few days and get domain-admin (or equivalent) half the time. And I'm talking about in 2025 with everyone and their mom running EDR that have only gotten better over time (in my opinion).

The CIA's tools probably don't have flashy graphics, but even the ones that were leaked a while ago give a good insight into things.

https://github.com/secoba/CIA-Hacking-Tools

I can imagine an experienced operator automating things quite a bit, and when you give them a target, they'll just run a few commands, wait a some time and get a shell with lots of powerful capabilities.

Matter of fact, I think they don't show enough "easy hacking" in the movies, where you take over hospitals, government agents, courts ,etc.. in a matter of minutes and start snooping around, or just wipe them out. That would feel unbelievable to movie/tv audiences so they lave it out.

Top comments in this thread have a serious “my hands are registered as deadly weapons” energy to them. Nonsensical LARPing.