← Back to team overview

ubuntu-phone team mailing list archive

Re: Is ubuntu phone resistant to vault 7 attacks?


On 7 March 2017 at 16:15, Melvin Carvalho <melvincarvalho@xxxxxxxxx> wrote:
Recently, the CIA lost control of the majority of its hacking arsenal
including malware, viruses, trojans, weaponized "zero day" exploits,
malware remote control systems and associated documentation. This
extraordinary collection, which amounts to more than several hundred
million lines of code, gives its possessor the entire hacking capacity of
the CIA

Asking if Ubuntu Touch is secure from CIA is like asking if it's safe to
eat a polar bear. The best answer I can provide is that it's probably
safe…  unless the bear is onto you, in which case you best go south in a
hurry, because the bear will kill you much more easily than you kill a fly.

I would be extremely surprised if CIA had spent resources finding
weaknesses in Ubuntu Touch or infiltrate it in order to insert weaknesses.
On the other hand, if they do have such a project going – of which I still
haven't seen any evidence – then they would certainly have attacked Linux
and WebKit, etc, which we do use.

Open ports are not the main concern as long as people are constantly
downloading data that must be interpreted by complex code. It's not the
secret code in the USB controller that gets you, but the bugs in the
automatic thumbnailer. There is a good reason why porn is used to spread
malware and that's simply because you're not rational at the time, so it's
more likely that you'll do something stupid, in which case system security
is no longer a concern.

I don't understand what's special about the CIA, except the Hollywood
factor. If the FSB wants all my secrets, then they'll have them for a few
bottles of Real Russian Vodka, a few boxes of caviar and a selfie with a
real Russian spy. I'm much more easily bribed than I am hacked, because my
enemy is the criminal who wants to take my money.

Many years ago, leaders of the Shin Bet (Israeli intelligence) told us in
public that the terrorists had stopped using phones and computers because
they knew there was no way of knowing that the technology was safe from any
dedicated APT.

If you're afraid of the intelligence agencies, then first ask yourself if
you're really worthy of international intelligence and if you still think
you are, then use secret computers and the SneakerNet technology, which in
the Sovjet era was known as the Samizdat network.

But if you're using Ubuntu Touch, the CIA probably isn't out to get you and
as a consequence, yes, Ubuntu Touch is probably safe from the CIA.

Follow ups