WikiLeaks Won't Tell Tech Companies How To Patch CIA Zero-Days Until Demands Are Met (fortune.com)
"WikiLeaks has made initial contact with us via secure@microsoft.com," a Microsoft spokesperson told Motherboard -- but then things apparently stalled. An anonymous reader quotes Fortune:
Wikileaks this week contacted major tech companies including Apple and Google, and required them to assent to a set of conditions before receiving leaked information about security "zero days" and other surveillance methods in the possession of the Central Intelligence Agency... Wikileaks' demands remain largely unknown, but may include a 90-day deadline for fixing any disclosed security vulnerabilities. According to Motherboard's sources, at least some of the involved companies are still in the process of evaluating the legal ramifications of the conditions.
Julian Assange announced Friday that Mozilla had already received information after agreeing to their "industry standard responsible disclosure plan," then added that "most of these lagging companies have conflicts of interest due to their classified work for U.S. government agencies... such associations limit industry staff with U.S. security clearances from fixing security holes based on leaked information from the CIA." Assange suggested users "may prefer organizations such as Mozilla or European companies that prioritize their users over government contracts. Should these companies continue to drag their feet we will create a league table comparing company responsiveness and government entanglements so users can decide for themselves."
This is extortion (Score:5, Informative)
This is extortion. It's one thing to disclose leaked information to expose corruption, which is something good journalists do. However, journalism doesn't involve using leaked information as leverage to make demands. That is called extortion or blackmail. Wikileaks has shown that, at best, it's a criminal organization. I'm dismayed that so many people at Slashdot always rush to defend Wikileaks and Julian Assange in articles like these. It says a lot about the complete lack of character of most of the users on this site, which is also why there is so much tech-related crime. All of you should be ashamed of yourselves.
Re:This is extortion (Score:5, Insightful)
Depends what the agreement is.
It could simply have been, we'll disclose this to you, if you promise not to sue us for posting it publicly after 90 days. That would be quite reasonable.
You're rushing to judge them without all the facts. But that's in vogue these days.
Re:This is extortion (Score:5, Interesting)
I wonder why wikileaks doesn't leak the agreement terms?
Re: (Score:2, Insightful)
Why don't the tech companies that received the emails do it? The sources from the stories obviously are employees from the companies contacted and spoke to the journalist. Why don't they leak the agreement terms?
Re: (Score:2)
Pure BS. No way he's trying to extort money from them. Someone would have posted the terms by now. Not like Mozilla is going to pay up, either.
Re: This is extortion (Score:5, Interesting)
Has any software vendor of note tried to sue people for public disclosure of security flaws? If so, what was the outcome?
I struggle to see a good-faith reason for WikiLeaks to require agreement to any terms before they tell vendors about these flaws. It gives the impression that they want the bugs to stay open and/or have a political stick to beat the vendors with.
Re: This is extortion (Score:5, Insightful)
They are doing it to find out which vendors are in bed with the CIA. If they won't agree to fix the bug in 90 days up front, chances are it's because they don't want to commit to fixing something that the CIA might be using with their knowledge/support.
Re: This is extortion (Score:5, Insightful)
Equally plausible: They're doing it because they're a front for the Kremlin.
Re: (Score:3)
Either way, it's of massive benefit to us.
Re: (Score:2)
Please clarify. Do you mean that keeping the details of exploitable bugs away from the people who can fix them or thwart attacks is a "massive benefit to us"? Do you think that the Kremlin has the best interests of Americans at heart? Does the Kremlin pay you as a propagandist?
Re: (Score:2)
It is of great benefit to know what the exploits are and to know which companies don't want to fix them.
Re: (Score:2)
So why does Wikileaks want to keep the bugs secret from the companies that can fix them?
Re: (Score:2)
I didn't make such an accusation (various US security pundits have). I only said it was as plausible an explanation (for Wikileaks making demands in exchange for details about security bugs) as "Wikileaks is stupid enough to think that companies who don't agree to its terms must be in cahoots with the CIA". As I said in a comment elsewhere in this chain, I don't think either explanation is very convincing.
Re: (Score:3)
Another useful idiot self-identifies.
I do not think either hypothesis is convincing -- but they are basically equally plausible.
Any person or company with a US security clearance can lose it if they solicit the unauthorized disclosure of classified information. If they agree to Wikileaks' terms, that would probably qualify as a serious security violation; even talking with Wikileaks about the subject might qualify. That doesn't mean they are "in bed with" the CIA, only that they d
Re: (Score:2)
You read what I just wrote. I gave that as only one example of a reason that companies would not accept terms from Wikileaks.
There is also a very big difference between "doing classified work for the government", which I described, and "keeping products buggy because of CIA money", which the apparent Kremlin stooge suggested was the motive. Someone could work on an unclassified system where certain details are classified; for example, a land mine and IED detection system, where the details of how well it
Re: (Score:2)
How do you suggest that Wikileaks (or the Kremlin) would dump all the information in this archive while withholding the details of the exploits?
The Kremlin presumably would not have known about all, or perhaps many, of the bugs before the leak. They gain from keeping the bugs open.
The Kremlin would love to undermine public trust in major US companies, either directly because of security problems, or indirectly by painting them as CIA pawns.
The Kremlin would love to be able to focus attention on US covert a
Re: (Score:3, Insightful)
Wow, tinfoil hat much?
The more likely solution is that companies aren't willing to agree to fix a set of bugs within 90 days without even knowing what that set of bugs is. I think it would be incredibly irresponsible for someone to agree to do a set of work in a set timeframe without even knowing what that work is.
Re: (Score:2)
Has any software vendor of note tried to sue people for public disclosure of security flaws? If so, what was the outcome?
I struggle to see a good-faith reason for WikiLeaks to require agreement to any terms before they tell vendors about these flaws. It gives the impression that they want the bugs to stay open and/or have a political stick to beat the vendors with.
They've done worse than that. They've had them prosecuted as criminals.
Re: (Score:2)
[citation needed]
Also: Companies do not decide what makes a crime, and do not (as far as I know of, in civilized countries) have the power to prosecute crimes.
How to Google? (Score:4, Informative)
https://it.slashdot.org/story/16/12/13/053243/pwc-sends-legal-threats-to-researchers-who-found-critical-security-flaw [slashdot.org]
https://it.slashdot.org/story/11/10/14/2129228/security-researcher-threatened-with-vulnerability-repair-bill [slashdot.org]
https://yro.slashdot.org/story/05/01/11/0129228/security-researcher-faces-jail-for-finding-bugs [slashdot.org]
https://it.slashdot.org/story/15/05/05/2335223/cyberlock-lawyers-threaten-security-researcher-over-vulnerability-disclosure [slashdot.org]
Seriously, man, it took me like 4 seconds to type "security researcher sued site:slashdot.org" into Google.
Re: How to Google? (Score:2)
Exactly one of those was a software company, and that company was European and pretty insignificant. That doesn't excuse keeping the details from the major vendors that most people care about.
Re: (Score:2)
Plenty of large software companies have done it, some have been American and some have been _very_ large. I'm aware of a couple of cases where a superinjunction was sought (and granted) - a superinjunction means that you can't even drop hints that there's a court case.
Personal opinion: Given the exploits are in use by greyhats (spy agencies), then blackhats probably have them anyway and rapid disclosure is the prudent path so that whitehats can man the barricades.
MS and others used to be notorious for not f
Re: (Score:2)
My cousin's best friend's college roommate's neighbor has an Internet GED in law, and she said that this has never _ever_ happened. So I'm going to just have to not take your utterly unsubstantiated word for it.
Re: (Score:2)
Yeah, a few companies have threatened to sue. The Clinton campaign didn't sue Wikileaks. The US hasn't sued them, but Microsoft or Google will? Seriously, get a clue.
Re: (Score:3)
Read about Weev. He was sued and got jail time. He didn't even publish the flaw itself, just gave proof it existed to journalists. This would be much more serious.
On getting a clue, the Wikileaks "secret" indictment is common knowledge. Everybody knew about it for years when Google informed some people about the seizure of their emails because of that investigation. US officials routinely reply to questions about Wikileaks saying they can't discuss it because of an ongoing investigation. Assange is not atta
Re: (Score:2)
It's wikileaks fault all the facts aren't out. They have all the cards, and are only showing some, so fuck them.
Re: (Score:2, Insightful)
So when Wikileaks releases raw dumps of leaked data, they get criticized because the data wasn't "curated" and personal information like cc numbers, phone numbers and addresses, social security, etc. are exposed. But when Wikileaks holds back information because the information contains sensitive and potentially harmful data , they get criticized. Wish you critics would make up your fucking mind.
Re:This is extortion (Score:5, Interesting)
Wish you critics would make up your fucking mind.
You expect the CIA to not have professional complainers on the Internet? Cute. Look above and you have a guy who admits he does work for the "Navy" calling Wikileaks extortionists already (that word does not mean what he thinks it means).
We can be quite sure Wikileaks isn't asking for anything for themselves for the disclosure (because they never have) - it seems like they must be asking for something for the users in return or they could just do a Project Zero type of disclosure.
MoFo obviously didn't have a problem with the terms, so it's not going to be something against user freedom (say what you want about Rust and WebExtensions, they get the freedom part mostly right). But MoFo doesn't have an ongoing private relationship with intelligence agencies, and that's what they claim the issue is about, so it passes the smell test. n.b. Wikileaks is apparently leveraging one disclosure for another disclosure.
Re: (Score:2)
We can be quite sure Wikileaks isn't asking for anything for themselves for the disclosure (because they never have)
Your honor, you can be quite sure I never killed that guy, because I never have.
Re: (Score:2)
Oh, boo hoo. Poor wikileaks put itself in a difficult position, then waffles on that position, then gets criticized for waffling.
Fuck them.
Re: (Score:2)
"It could simply have been, we'll disclose this to you, if you promise not to sue us for posting it publicly after 90 days. That would be quite reasonable."
lol Not a chance in hell. There's no case to sue if they go public with the vulnerabilities. They want something else.
Re: (Score:1)
Did you not read the part where it says that nobody really knows what demands are being met? Given the past abuses of the CFAA, this could be something as simple as "you will not hold wikileaks responsible for the contents or means of finding the vulnerability information, nor will we be held accountable for the illegal means in which the information was gathered by the CIA". IANAL, but I'd guess that including such a clause would be wise, given the aggressive application of judicial power used against wi
Re: (Score:2)
I agree, looks like we are starting to see Julian's true colours. He lost my support around the US election for bullshit like this. I am ashamed of you, Mr. Assange.
Re:This is extortion (Score:4, Interesting)
This is extortion.
No, it isn't. Extortion is defined as the use of force or threat to achieve a gain of some sort for the party threatening the use of force (i.e., I put a gun to your head and say "I won't shoot you if you give me $100, otherwise I will").
It also isn't blackmail unless Wikileaks is attempting to achieve some sort of gain for themselves by threatening to release the information publicly unless these companies fail to pay them.
In other words, if wikileaks isn't gaining anything (money etc) from this, it isn't extortion or blackmail. It's Wikileaks allowing the tech companies to fix the holes the CIA created before they release information about those holes to the general public - thereby possibly allowing the tech companies to save face. That makes sense, since it's quite possible that it's no fault of any of these companies that the CIA decided to completely trash their products in the name of spying on everyone. The damage is already done, in other words, and there's really nothing stopping Wikileaks from just telling the world what the damage is. It's kind of nice of them to give Microsoft etc some breathing room first, so that when they do release details on the damage done, they can also include information that shows these tech companies have already fixed the problems.
Re: (Score:2)
Uhh, did you actually read as far as the second paragraph of the article you're commenting on?
"most of these lagging companies have conflicts of interest due to their classified work for U.S. government agencies... such associations limit industry staff with U.S. security clearances from fixing security holes based on leaked information from the CIA."
The information that Wikileaks has made available is still classified, even if it's public. If you work for an organisation that handles government contracts, and some of your employees have security clearances, then you can't receive classified information to help you fix an 0day, even if the classified information is now public. It was the same with the Snowden stuff, if someone had wanted to DoS everyone in th
Re:This is extortion: nope! (Score:2)
Nope, this is not extortion nor blackmail. It is really trying to get a fix quickly and not letting companies screw their customers, either by being lazy or by pressure from security agencies.
If a company gets the bug report and then does not do anything for one year, what can WikiLeaks do? Release the info before the fix, or wait longer? Either way, it is already too much time for a security bug that is being abused, and in the end the info will be public with no one protected, and in the end it will always be wikile
Re: (Score:2)
Actually it is quite possible to be critical about Wikileaks having demands. In principle at least. In practice Wikileaks is being smeared and attacked all day long, and if they do not correspond to the highest standards they are regarded as evil. That is not realistic. Wikileaks can be very valuable even if it is very flawed. There are plenty of flaws around with the other pl
Re: (Score:2)
AFAIK, that info is a rumor, probably spread to make Wikileaks look bad.
Yes, they released docs with names, and they said they should have been more careful, but I never saw any real news about that money, only random forum posts.
Bullshit (Score:2)
Re:This is extortion (Score:4, Insightful)
Regardless, what of it? Extortion is wrong. Period. The fact that someone else extorted first doesn't make your extortion of others right.
Re:This is extortion (Score:5, Informative)
Regardless, what of it? Extortion is wrong. Period. The fact that someone else extorted first doesn't make your extortion of others right.
Regardless of what world you may personally live in, be aware that people of integrity follow certain protocols. In this case, Assange did not even need to ask and could have simply released the material. However, he put it to a public vote as to what should happen.
The public voted that the material should be released to the technology companies. As part of that, there are certain conditions that a company is expected to follow, such as ensuring that the bug is patched within 90 days. Now, Anubus IV, why do you think that might be? I'll tell you, as it obviously flew over your head. The reason they have the 90-day window is so that WikiLeaks can release the material after that window has passed, and know that what is being released won't cause a metric tonne of exploits to suddenly be available to every Machiavellian individual on the planet.
Is that extortion? No, that is prudence and not being a dick.
For the record, I voted against it being reported to the technology companies, as I know they are the problem. That Microsoft is framing matters the way they are, only serves to prove my point; they have chosen to be dicks, and invariably that is what they do.
Re: (Score:2, Insightful)
It seems you took my comment as an implicit affirmation that I think this is extortion, but that's not the case. I was merely pointing out the moral flaw in the previous poster's comment. Whether or not this is extortion is being discussed elsewhere, but at least from what I know of the situation, I don't think it is.
Re: (Score:2)
It's pedantic to constrain my comment to the specific topic I wanted to address? I don't think so. I kept my comment to the exact issue I wanted to discuss. That someone else jumped to a conclusion based on what I said is unsurprising, but I didn't want to dilute my original comment by addressing all angles of this situation. I wanted to make it very clear that I was taking issue with their "two wrongs make a right" mentality.
Re:This is extortion (Score:5, Interesting)
How can anyone say this is extortion? Why did Mozilla sign the honesty form ("industry standard responsible disclosure plan")? Maybe because they are more honest than MS? Maybe because they have nothing to hide? This is an attempt to shame the cowardly tech giants that have been in on this crap from the beginning. Sign the form, fix the holes!
Re:This is extortion (Score:5, Insightful)
Wikileaks: I need guarantees that you will use this information to the benefit of your users rather than the government
Microsoft: We'll get back to you on that
Media: Wikileaks isn't helping Microsoft unless demands are met
Media Consumers: WTF I HATE WIKILEAKS
Re: (Score:2)
Maybe. Or maybe not. If the conditions are such reasonable, industry standard ones, why isn't wikileaks disclosing what they are? Given Assange's history, he has zero credibility in my book. For an organization that's supposedly dedicated to public disclosure, they're awfully fond of keeping things secret. I mean really, they won't tell us what conditions they're asking the companies to agree to? Then I certainly won't assume they're as reasonable as he wants us to think they are.
Re: (Score:2)
You can not "Extort" someone when you merely require him to honor "Fitness for use intended".
That you have to twist his arm to get him to comply with contract law is a sick note on how little enforcement there is against criminal capitalism.
Re: (Score:2)
Wrong.
Re-read my comment and you'll see that I constrained it to the moral failing of the previous poster, rather than addressing the broader issue of whether or not this is extortion. If you think I'm wrong in saying that two wrongs don't make a right, I'm happy to discuss the matter further, but with regards to whether this is extortion, I've already said elsewhere that I don't think it is.
Re: (Score:2)
Re: (Score:2)
The problem is that time and again when given a deadline to fix, vendors have gone to court to try and prevent the exploits being published.
The only way to prevent that is to set a deadman switch on the release of data.
A "don't sue" clause seems prudent.
Re: (Score:2)
Why not search within page there for the word vengeance and see what turns up. You don't get to selectively choose on
I have read quite a few bibles actually. The topic of vengeance and revenge hidden under the title of retribution is what originally made me averse to being a member of religion.
I think the beauty of religion is that we all have our own interpretations of it. I spent 13 years of my life praying to a god that he will come down and take vengeance on
Re: (Score:2)
Well, in the past it was cash [zdnet.com]. And back then it was aid agencies and human rights agencies he was extorting.
Or maybe he's wanting them to sign some sort of absurd contract like the insane NDAs [wired.com] he used to make Wikileaks members sign.
Re: This is extortion (Score:2)
Until we have the exact demands they're making of companies involved, we don't know that. We need to know exactly what the terms they are asking for are. Full stop. Someone should get them from Mozilla.
Sounds reasonable to me (Score:1)
n/t
Re: (Score:2, Insightful)
There are no good guys in this scenario. Wikileaks is so focused on their little crusade for openness that they've adopted the same "the end justifies the means" approach as the CIA and NSA.
Re: (Score:2)
This isn't a crusade about openness, this is a crusade to hurt the US. Notice how Wikileaks doesn't leak anything about Russia? Or China? Or ...
Re: (Score:2)
Is there any evidence WikiLeaks has received Russian or Chinese leaks and then not published them? WikiLeaks is not the only game in town. If Russians or Chinese were sending info to WikiLeaks that they were sitting on because WikiLeaks is somehow pro-Russia or pro-China, then those leakers would send the info to the NY Times (or self-publish somewhere) along with the bombshell that WikiLeaks refuses to publish their shit.
Hmmm. You know, SwashbucklingCowboy hasn't released any dirt on Russia or China either
Re: Sounds reasonable to me (Score:2)
I don't believe WikiLeaks has anything to do with openness anymore. Not since they openly held back and released things during the US election timed specifically to harm a candidate. They're in it for something more now, and the only question is who benefits. It's not any of us, except maybe the remaining Putin shills.
Re: (Score:3)
The point is that it doesn't matter what the ends are if the means are the problem.
Re: (Score:2)
But withholding info on vulnerabilities is not an ethical position. I'm not really bashing them though, just pointing out that they've made the same mistake the CIA has made. They've so focused on their goals that they've abandoned the high road.
Re: (Score:2)
But withholding info on vulnerabilities is not an ethical position.
It depends on the circumstances, doesn't it? If you release a vulnerability that the vendor has no intention of fixing and people can't fix themselves, you just made it known to more bad guys and put more people at risk. And if you don't play the media right then no one pays any attention so you may not even get public pressure on the vendor to fix their shit.
I agree that WikiLeaks acts in the interests of WikiLeaks, but I don't think there's a one size fits all rule for the ethics of vulnerability disclosu
Re: (Score:2)
I really don't blame the CIA. They're spies and spies spy. It's what they do. The problem is they're not kept on a short leash lately and have been allowed to hunt on their own. The people that oversee them are to blame I believe. They can call them to heel anytime they get ready to if it suited them.
Re: (Score:2)
I would fully agree though the main issue with the CIA is keeping them on a short leash. But if you think the problem is recent, this offers a better starting date : https://mises.org/blog/truman-... [mises.org]
What the latest leak shows is that the CIA is diversifying more , increasing their reach, making them more independent. They don't have to ask the NSA for help, they've got their own departments. That is all about increasing power.
European companies prioritize their customers? (Score:1)
I was not aware that prioritizing customers over government contracts was a practice that only European companies were capable of. Doesn't having government contracts mean that the government is your customer? How exactly is that supposed to work? Maybe Assange meant to say "may prefer organizations such as Mozilla or European companies that prioritize their users over United States government contracts."
This just in (Score:2, Insightful)
Assange fighting to stay relevant by any means possible. News at 11.
Re:This just in (Score:5, Insightful)
More news is coming in;
Person complains that a small group of freedom fighters aren't fighting hard enough to protect their interests, suggests they should try harder.
They further complain about having to get out of bed, suggesting someone else should do it for them.
Re:This just in (Score:4, Insightful)
Wait, are you saying Assange is a freedom fighter?
So why is he in bed with authoritarians like Putin and Farage, and why has he engaged in mutual praise with Trump? Even if you believe there's no official connection, Assange is a regular on Russia's state propaganda channel RT, and has met up with Farage in the Ecuadorian embassy:
https://www.rt.com/tags/the-ju... [rt.com]
https://www.theguardian.com/co... [theguardian.com]
You have a funny definition of freedom if it means support and praise of people who back things like elimination of civil liberties, strict control of speech, elimination of equality, and convergence towards dictatorship.
Assange is the last person I'd want fighting for my freedom, because he doesn't believe in freedom, he believes in absolute rule by only those who he personally agrees with and is trying to support that using Wikileaks.
Re:This just in (Score:4, Interesting)
You have a funny definition of freedom yourself if you think that it means developing and collecting techniques to use your personal electronics as spies for the government. Whatever Assange's relation to the Kremlin may be: on this specific issue they are fighting for your and my freedom with much more impact than any soldier ever had in the past 70 years.
According to a 2011 interview with Forbes [forbes.com], Assange is some sort of libertarian. Now I tend more to what is called socialist in the US, and believe little in trickle-down economy and market shenanigans, but you are describing a fascist, which Assange has never given any reason to believe he is. On the other hand, the people who "believe in absolute rule" are also those who collect and use the hacking tricks used by the CIA. So what kind of fascist would ever disarm the brown shirts?
Re: (Score:2)
Anything that anyone does can be dismissed in this way.
I wonder how many of these 0-days are really new (Score:3)
For all we know, the CIA might have written deliberate vulnerabilities to be patched into production code. Either that, or maybe they bullied software companies into ignoring certain vulnerabilities that would otherwise be fixed. Considering how many tech companies have been enlisted by big-government and how many cover stories have been busted, nothing can surprise me anymore.
Re: (Score:2)
I see it this way. A vulnerability is found and an exploit is written. As time passes several things happen. The exploit gets distributed because of outsourcing and after a while there really are a lot of people who know about it. Other people also find out about the vulnerability. Some day software maker finds out and the bug is no longer zero day but the exploit will still work on unpatched systems so it sticks around until something much better replaces it.
As for the software company itself, I suspect mos
Re: (Score:2)
Say a budget range for a good exclusive deal per zero day for a new OS or device in the 100s of apps/code/access products?
That's the positive side that still looks corporate. It's hard to tell who is buying in the mix of buyers globally.
A flood of gov/mil cash in the wild would stand out, even with a lot of US/UK front companies every year doing the malware buying.
After firing most of their QA team, Microsoft... (Score:5, Informative)
simply can't commit to timelines. Most of my friends that worked there have either been laid off or quit due to ridiculous hours or vacation inequality, so their best programmers are no longer there. They simply can't fix problems in a timely manner any longer.
Re: After firing most of their QA team, Microsoft. (Score:4, Interesting)
Heard this lie before from you dude. Why are you trying so hard?
Well, who do you think Microsoft is firing? [businessinsider.com]
Fuck Wikileaks (Score:5, Interesting)
Re:Fuck Wikileaks (Score:5, Insightful)
You might as well complain that the firefighters were assholes while they saved your house
If the firefighters are refusing to save my house from burning unless I commit to rebuilding it out of nonflammable materials within ninety days, then they are assholes.
Re: (Score:2)
I don't know? Maybe try building your house out of something other than flash paper and strike anywhere matches?
I would like to see the code demand nonflammable materials. I'm actually a renter, but I live in a wooden house in wildfire country. They have a hard-on for controlled burns around here but there have still been a couple of close calls. Whee! I want to build something out of stacked shipping containers (stacked in the orientation in which they are designed to be stacked, but with spacers) for a combination of seismic stability and fire resistance, to say nothing of material re-use.
Re: (Score:2)
If the government is refusing to cut you a check for your flooded-out home unless you commit to rebuilding it further away from the flood zone, they are being perfectly reasonable.
Yes, that would be great, but unfortunately that's not what they do. Instead, they just try to make it hard for you to get a check no matter what, but then they don't put any restrictions on where you can spend it and then people rebuild on the same floodplain all over again.
The least evil organization has already agreed to (Score:2)
Is receiving information a crime? (Score:2, Interesting)
Why secret? (Score:4, Interesting)
Prefer European companies, eh? (Score:2)
Or anyway those who don't have a simplistic, easily-probed agreement or other conflict of interest with classified U.S. three-letter agencies. This criterion changes exactly nothing.
Beware the false prophets. Ineffective activism is exactly equivalent to doing nothing at all.
Re:Wikileaks BAAD; CIA Goooood! (Score:5, Insightful)
The world will make a lot more sense when you realize it's possible for both sides to be bad. Comparative ethics is not a zero sum game.
Wikileaks' intent to provide an outlet for whistle blowers to uncover corruption in various governments and corporations had a lot of merit. Unfortunately the very model of "we don't care where it came from, we just post it" is its undoing. It didn't take long for governments to figure out if you can destroy it, use it.
They thought they could turn over the chess board, but they're just another pawn.
Re:Wikileaks BAAD; CIA Goooood! (Score:5, Interesting)
I don't expect Wikileaks to be saintly and I think it's not necessary for them to be above all criticism in order to be valuable. Checks and balances are important because there is no good guy that you can trust with too much power. And Wikileaks both has value in it, and is one of the guys you can't trust with too much power.
That doesn't mean I believe the criticism about Wikileaks. That's just a giant and very successful FUD campaign.
For instance I disagree that they're being manipulated by Russia, there is no proof for it so why believe the claim?
The article above is just part of it. Wikileaks is asking the companies to sign something. That must be bad! Just look at all the posts on here. No, that doesn't have to be bad. It can be about wikileaks being paranoid about their action being used against them somehow. It can be about requiring the company to commit to actually fixing the bug within a certain period. It could be a mediocre decision by Wikileaks. That would still not be reason to make a big fuss about it.
Re:Wikileaks BAAD; CIA Goooood! (Score:5, Interesting)
If they're not, they will be. It's bloody trivial for a government to gather damning info on another country, leak it to wikileaks and wait for them to get all the flak.
I never brought up Russia, though I understand why you'd assume I was talking about them. The US, Russia, China, literally any country or any organization can selectively leak info on competitors. If they haven't figured out they can do this (and I'm sure they have), then they will.
It's trivial to manipulate Wikileaks by only leaking the narrative you want told.
Re: (Score:2)
I did indeed assume you were thinking of Russia.
It's not trivial to fool Wikileaks, but it's likely that it will happen to some extent (as in being fooled by the source but not by the data). Wikileaks is good at protecting the source but I'm not sure why someone who can defend himself wants to pass through wikileaks if the info is valid. Will it make a big difference compared to publishing through another channel?
The main worry of Wikileaks is that they get fed bad info in order to damage their credibility.
Re: (Score:2)
For instance I disagree that they're being manipulated by Russia, there is no proof for it so why believe the claim?
You're joking, right?
Re: (Score:2)
You can't blame people for being gullible either. What you're saying is that wikileaks is guilty of something until proven otherwise. That what they're doing is very suspicious because they're obviously bad guys. Wikileaks is communicating with many companies. Some of them collaborate with governments and deliberately leave security gaps open. It's a tricky environment to work in and there will be lawyers involved all the time. You can just as well say that if Wikileaks is doing something nasty some of the
Re: (Score:2)
And if there is a value in keeping them secret, then explain what the value is so randos on the internet don't have to make up rationalizations for you.
I'll keep this simple.
An entity (WL, a security researcher, whatever) discovers major unpatched mainstream software/OS vulnerabilities. Should the entity simply release the details publicly and let the bad actors have a field day while the software makers scramble to push out a fix before more damage is done, or would it be more responsible to first try to get the software/OS makers to commit to patching the vulnerabilities before releasing the details publicly?
Seeing as this behavior (attempting to avo
Re: (Score:2)
If it is "industry standard" then why won't they publish it?
Reading comprehension, much?
From my post:
Seeing as this behavior (attempting to avoid damage from publicly releasing the vulnerability details before they're patched) regarding the WL proposed release aligns fairly closely with responsible vulnerability disclosure practices among network security experts...
*Not* releasing the vulnerabilities straight away without at least a good-faith attempt to allow those who can patch the vulnerabilities the opportunity to take action before the vulnerabilities are released is the standard.
Try reading *all* the way through a post you want to respond to. It will save you further embarrassment in the future.
Oh jesus, I feel like I am trapped in the middle of a fight between dueling conspiracy fantasists.
The old restrictions against US government use of propaganda domestically against US citizens no longer exist. That US TLAs use
Re: (Score:2)
...and Governments/People have now realised that Wikileaks will publish anything they are given no questions on sources asked, as long as they can verify it is real ...and Governments have huge resources to make things look genuine
Re: (Score:2, Funny)
3&4 letter agencies
NAMBLA is six letters.
Re: (Score:2)
what?!
so we have:
- one company that cares about the users and patches a security bug as fast as it can.
- another that knows about a hole, but as it is being used by some security agency, they do nothing for months, so that those agencies can still exploit the bugs (and who knows who else is also abusing the holes) until the agency has another zero day hole and the company can finally fix that bug, while still keeping other bugs "open"
Security fix delays are not about "regressions"; they're about how companies work.
Re: (Score:2)
The real question is, if Mozilla has "already received" this information, why would they not share it with the other browser developers in the name of security?
Is one of Wikileaks' terms that they not disclose "secret information"? That would be pretty fucking hypocritical...
Re: (Score:2)
Why would Mozilla tell other browser developers about problems with Mozilla?
Re: (Score:2)
Because it's open source?
Re: (Score:2)
How do you know? It's entirely possible that the same vulnerabilities exist in different software doing very similar things. How do you know it's in the rendering engine and not one of the common libraries they use, etc? You don't, because no one has made the exploits available to you.
Re: (Score:3)
There's a good chance you could count Firefox's market share percentage using the fingers on one hand.
That's hardly surprising, I can count to nearly a 1/3 market share with the fingers on one hand.
Re: (Score:2)
Did it hurt? Did you lose some fingers? Try with the other hand, you'll get more finger market share!
For me, the fingers on one hand have 50% market share over all my fingers, regardless of which hand I use.
What. (Score:3)
What?
Revealing security flaws in a responsible manner is extortion?