Theft of CIA's 'Vault 7' hacking tools in 2016 resulted from "woefully lax" security, new report says


“Prepared by a CIA task force, the report was introduced as evidence in the trial of Joshua Schulte, a former employee of an agency hacking unit”


Well, securing your own system is hard and boring compared to making tools or whatever you are doing for a job description, and it cuts into the budget.


The patches 'n compliance side of IT gets treated as a buzzkill cost center even in places with much lower security requirements and vastly less knows-enough-to-be-dangerous staff; so it’s not a huge surprise that a department hired for their expertise in breaking things would have a deeply tepid security culture; and have probably intimidated or driven off anyone trying to rein in the fun.

(edit: on the other hand, there probably isn’t a user population that’s less likely to bug you for local admin access. Because it’s more fun when you struggle, not because they don’t want it; but still…)


Ed Snowden’s Permanent Record talked a lot about how the intel apparatus basically just handed the keys to anyone who could pretend to code after 9/11.


I mean, we have all played games where we just try to strong arm a win, and neglect support or tanking elements.

“‘The best defense is a good offense.’ You know who said that? Mel, the cook on ‘Alice’.” - Tri-kwan Leap, The Frantics.


But on some topics, CIA is unquestionable truth.

The other side of the coin is that it is really hard to guard against data leaks from sophisticated insiders. This goes well beyond standard cybersecurity requirements. These guys were the ones building highly technical exploits, so if anybody can get data out of the agency, it’s them.

The insider threat is the hardest to stop.


It’s a shame about the cobbler’s children’s shoes, but what’s really too bad is how stupid the cobbler is. And we pay him HOW MUCH?



In all seriousness, yeah, it was this event that woke me up to just how bad things are, in terms of how effectively we’re guarding the crown jewels:


If you’re despairing at staff sharing admin passwords, look on the bright side. That’s CIA-grade security

The CIA was so focused on developing whizzbang exploit code, it left any thought of basic computer security principles on the kitchen counter before dashing off to work each morning.
If you followed our coverage of the trial of Joshua Schulte, the CIA sysadmin accused of passing the files to WikiLeaks, this much will already be known to you. The fact the virtual machine that held all of the tools apparently used 123ABCdef as its password is perhaps all you need to know. Schulte’s trial ended with a hung jury, though he was found guilty of contempt and lying to the FBI.

Wow, my passwords are better than the CIA’s. Maybe I should apply for a job at the BSI?


Not to worry- they’ve got the nukes locked up tight.



Is that different from “this data has likely been stolen by state adversaries, but our security is so bad that we can’t tell”?


…With Dolt 45 in charge of them.

I heard years ago that it was essentially known that it was China. Whoever it was (assume state actor, obviously) they have every record of all people with security clearances across all levels of the US government for many years, down to intimate details about every address they’ve lived at, every trip they’ve taken, every close acquaintance and reference, every job, every reported use of drugs, every potentially relevant detail about intimate health and other personal issues.

You know. All the shit, specifically, you’d want to know about all of your foreign adversary’s people with security clearances.

This hack was… not good.
