The published "leak" doesn't really contain anything interesting, just a bunch of text messages and a few PDFs. No libraries, binaries or sources are included.
I looked into a few of these messages and some of them made me really believe they were written by some business economist since no "spy" or "coder" could be that stupid.
A few examples:
- The registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run was classified as "secret" and "don't share with foreign nationals" in the year 2014. It's not like that was public information worldwide for 20 years...
- SHA384 must be used without truncating. I have no idea how SHA384 is supposed to do that since it is truncated per definition.
- AES must be used with at least 256 bit. AES is only specified with a maximum of 256 bit. And what should we use as a key? A non-truncated SHA384?
- Coders should use secure random number generators. If that is not possible, coders should use SHA256 on that weak random number in order to make it a secure random number. Did they get that information from the tabloids?
- If some covert US spy enters a country and customs asks him what he's doing there, he should answer "I'm an engineer, I'm here for engineering stuff". No comment on that...
- The CIA has a 3-user WinHex 16.1 license. If somebody gets access to a newer license they should share it in the CIA wiki. Seriously... ? (no WinHex license in the leak, don't ask)
- Don't compile malware binaries in US business hours since the timestamp would allow to trace them back to the US. I'm wondering if paying for all that overtime is cheaper than telling the coders about SetFileTime.
- In order to update their iPhone/iPad operating systems the employees must fill out a form so an admin can activate internet access for that device from the secret CIA network which isn't connected to the internet. And they're really wondering how things "leak" to the public?