The week’s big international news is focused on the massive leak of CIA surveillance documents at WikiLeaks. A lot has already been written about the tools used by the CIA: they bug smart TVs, mobile devices and desktops to feed the agency information and audio.
Frankly, isn’t this exactly what spies are supposed to be doing: spying? Of more interest to us here at SD Times is what these documents say about the CIA and its software development practices.
Diving into the documents, it would appear that this is a set of web pages scraped from the CIA’s intake and developer onboarding sites. Within, we can learn a lot about their development processes and practices.
Firstly, we can see that they have a multi-platform approach. This is exemplified by the various types of tips and tricks we see in their files. In one section, the developers wonder aloud how best to update their DerStarke macOS spyware to the then-newest version of macOS, Mavericks.
Elsewhere, they’ve accumulated some tips and tricks for dealing with Windows. Specifically, on the Programming Gotchas page, the CIA documents list a few common Windows headaches. For example, there is the difficulty of determining if a process is running as an admin. They also ruminate on the difficulty of differentiating Windows 8.1 from Windows 8.
The CIA is also using Lockheed Martin’s Dynamic Automated Range Technology (DART) to help with its testing of software. This seems to be coupled with JIRA and Git to flesh out the larger part of the software development life cycle inside the CIA.
The teams at the CIA must also be fairly agile, or else they wouldn’t need Bamboo. They’re also using TDD, as evidenced by the extensive links containing information on how to properly write unit tests.
Perhaps the best way to get your mind around the CIA’s development processes is to start at the beginning with their developer onboarding page. This includes information on setting up Visual Studio, getting acquainted with Git, and going down the rabbit hole of unit testing.
One area where there’s not enough information to determine exactly what the CIA means is in Tradecraft. This mysterious heading seems to insinuate that it’s focused on coding practices and CIA-specific development techniques. They provide no details, however. Instead, we’re given this cryptic message and little more:
“Tradecraft plays a critical role within our tool development cycle. If a tool is sloppy its [sic] life is much shorter, and worse, the lifespans of the tools it is [sic] deployed with are also at risk. If we’re going through the trouble of coming up with some cool stuff, we’d rather not get beat on something silly.”
According to the WikiLeaks analysis of these as-yet unreleased documents, Tradecraft refers to the work done by CIA developers to obfuscate their code and hide it from antivirus programs. One could consider this to be their style guide, of sorts.
As interesting as this information is, it should be noted that it all appears to be about two to three years old. We can expect the CIA has changed some of its tools and practices in that time.
The CIA does not have a monopoly on well-honed development practices and open-source tooling within the government. The NSA was the original impetus for the creation of the Apache NiFi project, which gives developers a graphical flowchart design tool for creating streaming data process flows.
The information on the CIA’s hacking tools included in the leaks has been analyzed by WikiLeaks itself. Evidently, the tools are uncopyrighted and unclassified so as not to indemnify agents who have installed these tools on unsecured devices, like the laptops of bad guys.